CIS Intune Baselines - What do they break?
(And yes I know…. AI Generated blog post images are beginning to get a bit cringe… but I actually liked this one so I rolled with it)
Hello again folks, today we're talking CIS: what is it and, more specifically, what does it break? Here in the UK everyone talks about NCSC baselines and adhering to Cyber Essentials or Cyber Essentials Plus, and for both of these there is guidance you can follow with suggestions that help you improve your security posture. NCSC even provides some (old) JSON configuration-profile files for Windows that you can download and import into Intune to get you started. Great!
With the Center for Internet Security (CIS), however, the settings (as far as I know) are non-negotiable. You can't tweak them. It's a fixed configuration, and you either are or are not CIS compliant. So it got me thinking: "But what if I don't agree with the settings you mandate? What if I put this into my organisation and it's too restrictive?" Where do we draw the line? There is a fine line between security and productivity, I suppose.
Silly example: my car is safer if I take all four wheels off. It won't crash, I won't get injured and it won't get stolen. This makes the security team happy! But if I need to deliver a pizza before it gets cold and the destination is 10 miles away, this isn't helpful. Staff and customers will be unhappy with this situation.
You get the idea.
Looking on the CIS website (at the time I was investigating this) there was a lovely (horrible) spreadsheet you could download with hundreds of settings in it that you would have to configure in Microsoft Intune and deploy to your managed devices, should you want to become CIS compliant. There are now downloadable benchmark policies you can go and get and import, wonderful (more on this later).
I did, however, discover this community post: https://www.everything365.online/2023/09/18/cis-microsoft-intune-for-windows-11-benchmark-in-settings-catalog-json/. Here, the author has taken the time to go through that spreadsheet I mentioned earlier and create policies that are available for you to grab. I decided to grab these and merge them into 6 policies, as I wasn't a fan of the separation.
Great! Now that they are condensed, I was ready to test what works. The ones I used are on my GitHub.
CIS has levels; the idea is that in order to be Level 2 you have the Level 1 and Level 2 policies together, layered. You may notice I've named two of my condensed policies Level 0. This is because there were two profiles that were not marked as having a level but seem to contain some basic security. Level 0 covers technology like BitLocker, System Guard, Credential Guard, virtualization-based security and platform security such as Direct Memory Access (DMA) protection. These are all pretty standard things, so Level 0 should be your baseline; then layer on Level 1 and Level 2 respectively to achieve your desired security posture. This is my interpretation; I'm not 100% sure whether you can be Level 1 compliant if you don't use Level 0, but given they are pretty basic, I see no harm in drawing this conclusion.
The following isn't comprehensive; it's just what I noticed. There might be other settings that break something important to you, so I am going to caveat this with: please do your own testing, and note that I don't work in security. I am happy to take advice from anyone working in this area if they have suggestions for improving this post.
Level 0 - Issues
During my testing, the following items were discovered to potentially cause problems for someone who manages Intune devices:
Policy - CIS L0 BitLocker
This policy does not silently encrypt the device. By default it requires manual effort from the end user to set a PIN before the device will encrypt. You cannot automate the PIN either, for example by setting it to the device serial number as per this post, because enhanced PINs are not enabled. Now, to me this is a problem; I don't want my end users to have to do something I can automate. It is, however, procedural rather than technical. There will be arguments for and against any automation of BitLocker PINs, I'm sure: people will not want a pattern that could be worked out, but some folks will not want their end users to take full control because they will forget their PIN, lose their data and hold technical staff responsible. You can fight amongst yourselves on that one.
Policy - CIS L0 NextGeneration
The settings in the Next Generation policy mostly trigger reboots during the Enrollment Status Page (ESP) in Autopilot, evidenced by searching for event ID 2800 in Event Viewer. Here is a useful reference for this: https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-troubleshooting-unexpected-reboots-during-new-pc/ba-p/3896960.
Each reboot trigger recorded in Event Viewer is linked to a CSP; the CSP paths recorded were:
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlag
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
Despite the number of reboots triggered here, however, I did not experience any issues with these. The reboots are triggered and recorded but there are no negative effects.
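To find these reboot triggers on your own test devices rather than clicking through Event Viewer, the following PowerShell pulls every event ID 2800 and groups it by the CSP path named in the message. This is an added example, not code from the original post or from Microsoft's support article; it assumes the events live in the MDM diagnostics Admin log named below and that the event message contains the CSP URI (./Device/Vendor/MSFT/...). Run it elevated on an enrolled device, or point it at an .evtx exported from one.

```powershell
# Added example (not from the original post): summarise the event ID 2800 reboot
# requests that Autopilot ESP records when a CSP setting applies, one row per CSP.
# Assumptions: event 2800 is written to the MDM diagnostics Admin log named below,
# and the event message text contains the CSP URI (./Device/Vendor/MSFT/...).
[CmdletBinding()]
param(
    # Optional .evtx exported from a problem device; defaults to the live log.
    [string]$EvtxPath
)

$logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

$filter = @{ Id = 2800 }
if ($EvtxPath) { $filter.Path = $EvtxPath } else { $filter.LogName = $logName }

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
} catch {
    Write-Warning "No event 2800 entries found ($($_.Exception.Message))"
    return
}

# Pull the CSP URI out of each message. The regex is deliberately loose so that
# both device- and user-scoped URIs are caught.
$cspPattern = '\./(?:Device|User)/Vendor/MSFT/[^\s"''()]+'

$triggers = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $cspPattern)
    [pscustomobject]@{
        Time = $e.TimeCreated
        Csp  = if ($m.Success) { $m.Value } else { '<no CSP path in message>' }
    }
}

# One row per CSP with the number of reboot requests it generated and when the
# first one fired; sort by count so the noisiest settings sit at the top.
$summary = $triggers |
    Group-Object Csp |
    ForEach-Object {
        [pscustomobject]@{
            RebootRequests = $_.Count
            FirstSeen      = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
            CspPath        = $_.Name
        }
    } |
    Sort-Object RebootRequests -Descending

$summary | Format-Table -AutoSize
```

Run it once with each policy assigned in isolation and you get a per-policy list of which CSPs are requesting reboots during ESP, which is far quicker than diffing screenshots when you are narrowing down a provisioning failure.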
Level 1 - Issues
This level includes the base form of security and is rather comprehensive on its own (that is, Level 0 and Level 1 together). During testing, the following items were discovered to potentially cause problems:
Policy - CIS L1 Computer
Setting - Require Private Store Only
Blocks the Microsoft Store from working; however, it did not block the deployment of Company Portal or the UWP apps used during testing. This setting might be a holdover from the Windows Store for Business (WSfB) set-up and could be a cause for concern, as it has the potential to cause issues. The end user experience was that as soon as you loaded the Microsoft Store, you received a blocked message.
Setting - Disable OneDrive File Sync
Blocks Microsoft OneDrive from launching or syncing. Clearly this poses an issue because a lot of customers use OneDrive to store data, and if they are paying for it via their license agreement it seems wasteful to turn it off. Removing this configuration, or setting it to Sync Enabled, allows the OneDrive app to launch and silently sign in after a reboot.
Setting - Manage Preview Builds
This triggers a reboot during ESP.
Setting - MSS: (AutoAdminLogon) Enable Automatic Logon
This one did break Autopilot, and after a very, very long battle I asked online and got help from the community (shout out to Radu Bogdan), who pointed me in the direction of this setting which, once removed, seems to have cured the defaultUser0 problem during Autopilot. Even though the setting is disabled, merely having it in your configuration causes Autopilot to crap itself halfway through provisioning and just stop, displaying defaultUser0.
I believe this is going to be a huge cause for concern, so watch out.
Level 2 - Issues
Policy - CIS L2 Computer
Setting - Turn off access to the store
Blocks the Microsoft Store from working completely. Users receive a blocked message whether they try to launch the Store or install an app from the Store via the web console.
Setting - Disallow Cloud Notification
Triggers a reboot during Autopilot, which may or may not cause issues. Interestingly, the documentation for this setting states "No reboots or service restarts are required for this policy to take effect"; however, the reboot trigger is recorded in Event Viewer. One to watch out for.
Setting - Disable Store Originated Apps
Causes Company Portal not to load for available apps; a "The app has been blocked by your administrator" message is displayed when trying to launch the app. This setting prevents the user from launching any Store-originated app, including Company Portal, so if using Company Portal is important to you, this is one to look out for if you stick rigidly to the CIS settings.
Conclusion
In the UK, uptake of CIS (from my own consultancy experience at least) is rare. If you are considering adhering to CIS, I would advise rigorous testing before you jump in. Before I finished my testing and pain with the community policies above, CIS released the CIS Microsoft Intune for Windows 11 Benchmark Build Kit (thanks for this!). The downloadable ZIP contains Settings Catalog JSON files you can import into Intune to become CIS compliant. I will need to do some further testing on this, but will look out for the settings I mentioned above to ensure things can continue to run smoothly in my environment.
There are lots of conflicts between the CIS baselines and the NCSC and/or Cyber Essentials security baselines too, so if you're switching from one to the other, time will need to be spent comparing the two and seeking out the differences. I have noted the conflicts between the CIS baselines above and the baselines used at my place of work and found several differences.
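Before importing a set of Settings Catalog JSON files (the Build Kit, the community policies, or your own export), it is worth scanning them for the settings called out above rather than discovering them during an Autopilot run. The script below is an added example and is not from the original post, the CIS Build Kit or the community policies. It assumes the JSON is in the Graph configurationPolicies export shape (a top-level "settings" array whose items carry a "settingInstance" with a "settingDefinitionId", with children nested under choice or group values). The watch-list entries are loose keyword matches on those definition IDs, not the exact IDs, so treat every hit as something to review by hand and adjust the keywords to the IDs you actually see in your files.

```powershell
# Added example (not from the original post or the CIS Build Kit): scan exported
# Settings Catalog JSON files for the settings this post found to break things.
# Assumptions: Graph configurationPolicies export shape; watch-list regexes are
# loose keyword matches on settingDefinitionId values, not exact IDs.
param(
    [Parameter(Mandatory)]
    [string]$PolicyFolder   # folder containing the exported *.json policy files
)

# Keyword pattern -> why it is on the list (from the findings in this post).
$watchList = [ordered]@{
    'autoadminlogon'                  = 'Breaks Autopilot (defaultUser0) even when set to Disabled'
    'onedrive'                        = 'Prevents OneDrive launching or syncing'
    'requireprivatestoreonly'         = 'Blocks the Microsoft Store app'
    'removewindowsstore|turnoffstore' = 'Turns off Store access completely'
    'storeoriginatedapps'             = 'Blocks Company Portal and other Store-originated apps'
    'disallowcloudnotification'       = 'Triggers a reboot during ESP'
    'managepreviewbuilds'             = 'Triggers a reboot during ESP'
}

function Get-SettingInstances {
    # Walk one settingInstance and any nested children, emitting each
    # definition id / value pair found along the way.
    param([object]$Instance)
    if (-not $Instance) { return }

    $value = $null
    if ($Instance.choiceSettingValue)      { $value = $Instance.choiceSettingValue.value }
    elseif ($Instance.simpleSettingValue)  { $value = $Instance.simpleSettingValue.value }
    [pscustomobject]@{ DefinitionId = $Instance.settingDefinitionId; Value = $value }

    # Children sit under choiceSettingValue.children or under each
    # groupSettingCollectionValue[].children.
    $childSets = @()
    if ($Instance.choiceSettingValue.children) { $childSets += ,$Instance.choiceSettingValue.children }
    foreach ($g in @($Instance.groupSettingCollectionValue)) {
        if ($g.children) { $childSets += ,$g.children }
    }
    foreach ($set in $childSets) {
        foreach ($child in $set) { Get-SettingInstances -Instance $child }
    }
}

$hits = foreach ($file in Get-ChildItem -Path $PolicyFolder -Filter *.json -File) {
    $policy = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
    if (-not $policy.settings) { continue }   # not a Settings Catalog export

    $instances = foreach ($s in $policy.settings) { Get-SettingInstances -Instance $s.settingInstance }
    foreach ($inst in $instances) {
        foreach ($pattern in $watchList.Keys) {
            if ($inst.DefinitionId -match $pattern) {
                [pscustomobject]@{
                    Policy       = $policy.name
                    File         = $file.Name
                    DefinitionId = $inst.DefinitionId
                    Value        = $inst.Value
                    Why          = $watchList[$pattern]
                }
            }
        }
    }
}

if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host 'No watch-listed settings found.' }
```

The point of reporting the configured value alongside the ID is the AutoAdminLogon finding above: the value being Disabled is not enough to rule a setting out, because the problem was its mere presence in the policy, so the decision has to be made per hit rather than by filtering on value.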
Additional Work
Update 26/06/2024: The above study is part of an initial run at testing CIS and what it offers and breaks in the process. In this particular study, community interpretations of CIS at the time were used, deployed and tested. Since writing this article, however, CIS have released their own benchmarks, which I have examined along with Nick Benton. Nick and I examined the gaps in the official baselines; luckily most of the findings are similar, but Nick does a great job of explaining them in detail, specifically surrounding the gaps and the mitigations you could consider. I highly recommend you read these also. Find them here:
... Jonathan
Links and References
| Location | Link |
|---|---|
| CIS | CIS Workbench |
| NCSC | Device Security Guidance Configuration Packs |
| NCSC | Cyber Essentials: Requirements for IT Infrastructure v3.1 (April 2023) |
| Everything365 | CIS Benchmark |
| Katy's Tech Blog | Set BitLocker PIN to Serial Number during Autopilot |