Event details
Make the most of the latest updates and trends in technology. Join us for a comprehensive guide on how to better secure your devices and data from cyber threats. Don’t miss our top 5 tips for endpoint security that will help keep you safe and productive.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
31 Comments
- Derrick_Connors
Copper Contributor
Can you advise what support Intune has for implementing https://www.cisecurity.org/cis-benchmarks?
- Mike-Danoski
Microsoft
We are working with our friends in Windows to add support for some of the settings previously only available via GPO. Once we have these added, we are exploring ways to make this a streamlined experience for admins. I don't have additional details to share now. Also see part of Julia's comment below: "[...]We are planning to support the STIG baseline in Intune eventually, but it’ll be alongside other 3rd party security baselines which are in the backlog, but no concrete timelines that I can share just yet. Right now, our main priority is getting all the existing baselines updated & released before we look at supporting 3rd party baselines."
- Char_Cheesman
Bronze Contributor
Thanks for joining us! We hope you enjoyed this session. If you missed the live broadcast, don’t worry – you can watch it on demand. And we’ll continue to answer questions here in the chat through the end of the week. There's more great content in store at the Microsoft Technical Takeoff! What do you like about the event so far? Share your feedback and help shape the direction of future events on the Tech Community!
- Nathan_Lockwood
Brass Contributor
The ASR reusable features is way better than using the custom profile OMA-URI solution.
- Mike-Danoski
Microsoft
We're glad you like it!
- Ken003
Brass Contributor
Hello. Excellent presentation. When we used ASR Device Control policy, the deployment was fine, but removing the policy from a device, by excluding, the removal worked fine, however, we needed to manually fix the registry to fully remove the policy settings as the removal by Intune ASR succeeded but there were left-over configs on the local computers' registry that still blocked USB storage or printing access, which was unexpected as the policy was no longer applied (as verified by the Intune console). The policy was to disable access to local USB Storage on select computers. It looks like exclusion in ASR worked and was applied, but we needed to manually clear the registry settings which was painful...deploying an ASR policy with opposite configs worked, but was not as successful as the manual registry "clean up". Thoughts? Thank you.
- HeyHey16K
Iron Contributor
We have seen this happen with a lot of Intune policies - you revoke the policy or exclude from it and the settings have tattoo-ed. Would be great if there could be a perm fix for this. Group policy did tattoo a few things but not to this extent. It's logged in the Feedback portal here: https://feedbackportal.microsoft.com/feedback/idea/c636d31c-e398-ee11-a81c-0022484f9f6d
- Mike-Danoski
Microsoft
I've heard this before, and while I don't have much to share at the moment, this is something we are looking into.
- ryanmcdonald
Copper Contributor
Can this be done with a Configuration Profile outside of ASR or can only be done with Device Control in ASR?
- Mike-Danoski
Microsoft
The reusable group for Device Control is available in the Endpoint Security template under ASR.
- JereSep
Copper Contributor
Can we set LAPS passwords to not use i or l and O and 0 for easier readability?
- Mike-Danoski
Microsoft
Thanks for your question Jere, I don't think this is currently configurable, or set by default. I will take this as feedback as I can certainly relate to the issue you raise 🙂
- GavinScha
Occasional Reader
Will the stream stay available as a recording on YouTube?
- Quoc Lai
Microsoft
Yes, the Live stream sessions will be available post-event on demand via our Windows IT Pro channel. https://www.youtube.com/@WindowsITProOnYouTube/streams
You can also save the Technical Takeoff playlist that combines the 2022 event with this 2023 event sessions combined.
Microsoft Technical Takeoff - YouTube
- MichaelHildebrand
Microsoft
Also, as an FYI, the LAPS pwd can also be obtained via the Entra ID 'devices' page for a given device... 🙂
- RobdeRoos
Iron Contributor
Additional Question. Can that be hidden for specific roles?
- MichaelHildebrand
Microsoft
There are RBAC controls for LAPS in Intune and Entra ID. I'm not sure if it would 'hide' the UI element or only gray it out. https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview#role-based-access-controls-for-laps AND/OR https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview#role-based-access-controls-for-laps
- Joe_Lurie
Microsoft
BONUS TIP for the bonus tip!
- treestryder
Iron Contributor
We have a need to implement Defense Information Systems Agency's Security Technical Implementation Guide (STIG). This has been made a requirement before we can upgrade to Windows 11. Does Microsoft have guidance or a simplified method to "STIG" Windows 11? Security Baselines look related, but would require a lot of research to determine where there is a union between the two.
- Julia_Idaewor
Microsoft
Hi Nathan, thanks for your feedback! We are planning to support the STIG baseline in Intune eventually, but it’ll be alongside other 3rd party security baselines which are in the backlog, but no concrete timelines that I can share just yet. Right now, our main priority is getting all the existing baselines updated & released before we look at supporting 3rd party baselines.
- treestryder
Iron Contributor
I am curious if there has been any update on this?
We have yet to move to Windows 11. 😟
- RobdeRoos
Iron Contributor
Something I am missing in securing devices of our customers is AppLocker or WDAC without the difficult configuration of it in Intune. I hope it will get easier to configure.
- Quoc Lai
Microsoft
We recently made preview App Control for Business that supports a more simplified UI way of applying WDAC and Managed Installers. Refer to docs for more details: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-app-control-policy