andrewamason/Intune
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
49ba2521cffc57ae34ce381f5c5ae2e3153690df
Intune/intune/Device Management/WIndows/Baselines/OpenIntuneBaseline/WINDOWS/OIBvsCIS-Rationale.csv
Andrew Amason ec2b22290a Module Consolidation
2025-05-19 15:02:55 -04:00

78 lines
12 KiB
CSV
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
CIS Ref,Setting Name,OIB Rationale for Non-Implementation,Notes
3.1.3.1,(L1) Ensure 'Enable screen saver (User)' is set to 'Enabled',Default screensaver behaviour. Additional mitigations in place.,Win - OIB - SC - Device Security - U - Power and Device Lock
3.5.1,(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled',Breaks Autopilot.,
3.5.9,(L1) Ensure 'MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)' is set to 'Enabled',Enforces default behaviour.,
3.5.13,(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less',Auditing configured to rotate logs.,Win - OIB - SC - Device Security - D - Audit and Event Logging
3.6.4.1,(L1) Ensure 'Turn off multicast name resolution' is set to 'Enabled',Breaks DNS-SD used in Delivery Optimization.,
3.6.9.2,(L1) Ensure 'Prohibit use of Internet Connection Sharing on your DNS domain network' is set to 'Enabled',Alternative mitigation in place.,Win - OIB - SC - Device Security - D - Security Hardening
3.6.11.1,"(L1) Ensure 'Hardened UNC Paths' is set to 'Enabled, with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares'",Not relevant for Entra joined devices.,
3.9.1.1,(L1) Ensure 'Turn off toast notifications on the lock screen (User)' is set to 'Enabled',Alternative mitigation in place.,
3.10.4.1,(L1) Ensure 'Include command line in process creation events' is set to 'Enabled',"Sensitive information could be gathered and viewed by standard users, as documented by CIS.",Use an appropriate EDR which would capture this securely.
3.10.9.2,(L1) Ensure 'Prevent device metadata retrieval from the Internet' is set to 'Enabled',Standard users can already not install software that requires elevation.,
3.10.19.1,(L1) Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE',Not relevant for Entra joined devices. Being removed in next CIS benchmark.,
3.10.19.2,(L1) Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE',Not relevant for Entra joined devices. Being removed in next CIS benchmark.,
3.10.19.3,(L1) Ensure 'Configure security policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE',Not relevant for Entra joined devices. Being removed in next CIS benchmark.,
3.10.19.4,(L1) Ensure 'Configure security policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE',Not relevant for Entra joined devices. Being removed in next CIS benchmark.,
3.10.19.5,(L1) Ensure 'Continue experiences on this device' is set to 'Disabled',Alternative mitigation in place.,
3.10.25.1,(L1) Ensure 'Block user from showing account details on sign-in' is set to 'Enabled',Significantly impacts WHfB experience.,
3.10.25.2,(L1) Ensure 'Do not display network selection UI' is set to 'Enabled',Potentially impacts user experience. Dubious security value. Requires physical device access.,
3.10.25.3,(L1) Ensure 'Do not enumerate connected users on domain-joined computers' is set to 'Enabled',Not relevant for Entra joined devices.,
3.10.25.4,(L1) Ensure 'Enumerate local users on domain-joined computers' is set to 'Disabled',Not relevant for Entra joined devices.,
3.10.25.6,(L1) Ensure 'Turn off picture password sign-in' is set to 'Enabled',"Functionality not available by default, superceded by Windows Hello.",
3.10.25.7,(L1) Ensure 'Turn on convenience PIN sign-in' is set to 'Disabled',"Functionality not available by default, superceded by Windows Hello.",
3.10.28.5.1,(L1) Ensure 'Allow network connectivity during connected-standby (on battery)' is set to 'Disabled',Being removed in next CIS benchmark.,
3.10.28.5.2,(L1) Ensure 'Allow network connectivity during connected-standby (plugged in)' is set to 'Disabled',Being removed in next CIS benchmark.,
3.10.42.1.2,(L1) Ensure 'Enable Windows NTP Server' is set to 'Disabled',Functionality not available by default. Standard users cannot enable NTP server capabilities.,
3.11.5.1,(L1) Ensure 'Do not preserve zone information in file attachments (User)' is set to 'Disabled',Enforces default behaviour.,
3.11.5.2,(L1) Ensure 'Notify antivirus programs when opening attachments (User)' is set to 'Enabled',Responsibility of AV/EDR Product.,
3.11.8.3,(L1) Ensure 'Prevent the use of security questions for local accounts' is set to 'Enabled',The only local account available is managed via LAPS.,
3.11.18.4,(L1) Ensure 'Turn off shell protocol protected mode' is set to 'Disabled',Enforces default behaviour.,
3.11.28.3.1,(L1) Ensure 'Configure local setting override for reporting to Microsoft MAPS' is set to 'Disabled',Enforces default behaviour.,
3.11.28.11,(L1) Ensure 'Turn off Microsoft Defender Antivirus' is set to 'Disabled',Enforces default behaviour. Being removed in next CIS benchmark.,
3.11.31.1,(L1) Ensure 'Prevent users from sharing files within their profile. (User)' is set to 'Enabled',Functionality no longer exists.,
3.11.36.4.11.1,(L1) Ensure 'Do not delete temp folders upon exit' is set to 'Disabled',Enforces default behaviour.,
3.11.42.1,(L1) Ensure 'Turn off the offer to update to the latest version of Windows' is set to 'Enabled',Managed via Autopatch/WUfB rings.,
3.11.50.1,(L1) Ensure 'Sign-in and lock last interactive user automatically after a restart' is set to 'Disabled',Net positive on user experience and benefits patch compliance without user interruption. Only enabled when BitLocker is on and not suspended.,Win - OIB - SC - Device Security - D - Login and Lock Screen 
3.11.54.2,(L1) Ensure 'Turn on PowerShell Transcription' is set to 'Enabled',"Sensitive information could be gathered and viewed by standard users, as documented by CIS.",
24.1,"(L1) Ensure 'Alphanumeric Device Password Required' is set to 'Password, Numeric PIN, or Alphanumeric PIN required'",Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark.,
24.2,"(L1) Ensure 'Device Password Expiration' is set to '365 or fewer days, but not 0'",Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark.,
24.3,(L1) Ensure 'Device Password History' is set to '24 or more password(s)',Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark.,
24.4,(L1) Ensure 'Min Device Password Complex Characters' is set to 'Digits lowercase letters and uppercase letters are required',Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark.,
24.5,(L1) Ensure 'Min Device Password Length' is set to '14 or more character(s)',Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark.,
24.6,(L1) Ensure 'Minimum Password Age' is set to '1 or more day(s)',Password policy managed by Entra. Negatively impacts WHfB PIN creation. Being removed in next CIS benchmark.,
30.4,(L1) Ensure 'Disable Consumer Account State Content' is set to 'Enabled',Alternative mitigation in place.,
30.5,(L1) Ensure 'Do not show feedback notifications' is set to 'Feedback notifications are disabled',https://learn.microsoft.com/en-gb/microsoft-365/admin/misc/feedback-user-control,
45.4,(L1) Configure 'Accounts: Rename administrator account',Security by obscurity. https://skiptotheendpoint.co.uk/dot-slash-administrator-a-security-risk-analysis/,
45.5,(L1) Configure 'Accounts: Rename guest account',Guest account is disabled and disallowed for login by policy.,
45.7,(L1) Ensure 'Interactive logon: Do not display last signed-in' is set to 'Enabled',Breaks Windows Hello by causing the user to always have to enter their credentials.,
45.8,(L1) Ensure 'Interactive logon: Do not require CTRL+ALT+DEL' is set to 'Disabled',Significantly impacts WHfB experience.,
45.9,"(L1) Ensure 'Interactive logon: Machine inactivity limit' is set to '900 or fewer second(s), but not 0'",Setting deprecated. Mitigated elsewhere.,
45.1,(L1) Configure 'Interactive logon: Message text for users attempting to log on',Can break Autopilot and preprovisioning. Unnecessary extra steps for users when they don't read it anyway.,Organisation Acceptable Use Policy signed to get an account.
45.11,(L1) Configure 'Interactive logon: Message title for users attempting to log on',Can break Autopilot and preprovisioning. Unnecessary extra steps for users when they don't read it anyway.,Organisation Acceptable Use Policy signed to get an account.
45.17,(L1) Ensure 'Microsoft network server: Digitally sign communications (if client agrees)' is set to 'Enabled',LEGACY POLICY,
45.21,(L1) Ensure 'Network access: Restrict clients allowed to make remote calls to SAM' is set to 'Administrators: Remote Access: Allow',Enforces default behaviour.,
45.22,(L1) Ensure 'Network security: Allow Local System to use computer identity for NTLM' is set to 'Allow',Not relevant for Entra joined devices.,
45.23,(L1) Ensure 'Network Security: Allow PKU2U authentication requests' is set to 'Block',Enforces default behaviour. Not relevant for Entra joined devices.,
45.28,(L1) Ensure 'Network security: Restrict NTLM: Audit Incoming NTLM Traffic' is set to 'Enable auditing for all accounts',Not relevant for Entra joined devices.,
45.3,(L1) Ensure 'User Account Control: Behavior of the elevation prompt for standard users' is set to 'Automatically deny elevation requests',Negatively impacts most Helpdesk BAU activities and remote support and troubleshooting.,
48.7,(L1) Ensure 'Require Private Store Only' is set to 'Only Private store is enabled',Being removed in next CIS benchmark.,
58.2,(L1) Ensure 'Allow Input Personalization' is set to 'Block',Negatively impacts users with accessibility needs.,
60.3,(L1) Ensure 'Allow Search To Use Location' is set to 'Block',Negatively impacts user experience. Location & Privacy permissions managed separately.,
67.1,(L1) Ensure 'Allow Telemetry' is set to 'Basic',Telemetry is not scary.,
67.4,(L1) Ensure 'Enable OneSettings Auditing' is set to 'Enabled',Enforces default behaviour.,Use an appropriate EDR which would capture this securely.
67.5,(L1) Ensure 'Limit Diagnostic Log Collection' is set to 'Enabled',Diagnostics and telemetry already being collected by Intune.,
67.6,(L1) Ensure 'Limit Dump Collection' is set to 'Enabled',Telemetry is not scary.,
69.8,(L1) Ensure 'Internet Connection Sharing (ICS) (SharedAccess)' is set to 'Disabled',Service disabling not available via policy.,Win - OIB - SC - Device Security - D - Security Hardening
69.24,(L1) Ensure 'Remote Procedure Call (RPC) Locator (RpcLocator)' is set to 'Disabled',Service disabling not available via policy.,
69.31,(L1) Ensure 'SSDP Discovery (SSDPSRV)' is set to 'Disabled',Service disabling not available via policy.,
69.32,(L1) Ensure 'UPnP Device Host (upnphost)' is set to 'Disabled',Service disabling not available via policy.,
69.36,(L1) Ensure 'Windows Media Player Network Sharing Service (WMPNetworkSvc)' is set to 'Disabled' or 'Not Installed',Service disabling not available via policy.,
69.37,(L1) Ensure 'Windows Mobile Hotspot Service (icssvc)' is set to 'Disabled',Service disabling not available via policy.,
75.1,(L1) Ensure 'Hypervisor Enforced Code Integrity' is set to 'Enabled with UEFI lock',Enabled Without UEFI Lock which is default behaviour on Win11 22H2 and above. Being changed in next CIS benchmark.,
78.1,(L1) Ensure 'Disallow Exploit Protection Override' is set to '(Enable)',Standard users cannot edit/remove Exploit Protection settings.,
83.2,(L1) Ensure 'Defer Feature Updates Period in Days' is set to 'Enabled: 180 or more days',Managed via Autopatch/WUfB rings.,
83.3,(L1) Ensure 'Defer Quality Updates Period (Days)' is set to 'Enabled: 0 days',Managed via Autopatch/WUfB rings.,
83.4,(L1) Ensure 'Manage preview builds' is set to 'Disable Preview builds',Managed via Autopatch/WUfB rings.,
83.5,(L1) Ensure 'Scheduled Install Day' is set to 'Every day',Managed via Autopatch/WUfB rings.,
85.3,(L1) Ensure 'Password Complexity' is set to 'Large letters + small letters + numbers + special characters',Password policy managed by Entra. Negatively impacts WHfB PIN creation.,
Reference in New Issue View Git Blame Copy Permalink