ChrisVetter
How to easily apply DISA STIGs with Intune
Introduction

In today's digital landscape, ensuring the security and compliance of IT infrastructure is paramount. The Defense Information Systems Agency (DISA) publishes Security Technical Implementation Guides (STIGs) that define hardened configurations for various software and systems. Using Microsoft Intune, administrators can create configuration profiles that adhere to these STIGs and thereby improve their organization's security posture. This blog walks you through creating Intune configuration profiles for DISA STIGs, complete with screenshots and detailed steps.

Prerequisites

Before diving into the configuration process, ensure you have the following:
- Access to the Intune admin center.
- Appropriate administrative privileges to create and manage configuration profiles.
- Familiarity with DISA STIGs and their requirements.

Step-by-Step Guide

Step 1: Access Intune

Acquire DISA STIG files: The first step is to acquire the DISA STIG files from their official website (Group Policy Objects – DoD Cyber Exchange). These files contain the specific security guidelines and requirements you need to implement. Visit the DISA website, locate the relevant STIG files for your systems, and download them to your local machine.

Prep files: Unzip the file you just downloaded; inside you should find another zipped file named something like "Intune STIG Policy Baselines." Unzip this file as well.

Log in to Intune with proper permissions: Navigate to the Intune admin center at https://intune.microsoft.com, or https://Intune.microsoft.us for Intune Government GCC-H/DoD (I am using a GCC-H instance of Intune, but these steps should be the same no matter what impact level you are using). Sign in with your administrator credentials. If you are using RBAC and least privilege, you will need at least the "Policy and Profile Manager" role.
Step 2: Create a New Configuration Profile

Once logged in, follow these steps to create a new configuration profile:
- In the left-hand menu, select Devices -> Configuration profiles.
- Click the Create profile button at the top and select "Import policy".
- Select "Browse for files" and browse to the location where you unzipped the Intune STIG Policy Baselines. Inside that folder, go to the Intune Policies folder, then Settings Catalog.
- Select your STIG of choice, provide a meaningful name and description for the profile, and select Save.

Step 3: Configure Profile Settings

Next, verify that the profile settings align with the DISA STIG requirements:
- Once the profile has been created, select View policy.
- Navigate through the settings and ensure every setting is meticulously configured to meet the STIG compliance guidelines. This may include settings such as password policies, encryption, and network security configurations.
- Ensure every setting also meets the compliance standards of your organization. For example, Windows Spotlight rotates the wallpaper and screensaver randomly; if your organization uses custom wallpaper or screensavers, you may want it completely disabled.

Step 4: Assign the Profile and TEST, TEST, and TEST Again!!

After configuring the profile settings, assign the profile to the appropriate groups:
- Next to Assignments, select Edit.
- Select the user or device groups that the profile should apply to. This should be a small but diverse group of devices or users that can provide feedback on the user experience of the settings being applied and on any issues they cause, because STIGs never break anything, right!?
- Once you have assigned your groups, click Review & Save, then Save.

Conclusion

Creating Intune configuration profiles for DISA STIGs is a crucial step in maintaining robust security and compliance within your organization.
By following this step-by-step guide, you can effectively configure and deploy profiles that adhere to stringent security standards, safeguarding your IT infrastructure. Stay vigilant and periodically review your profiles to ensure they remain compliant with evolving STIG requirements.

Disclaimer

While DISA has made this a fairly easy process with Microsoft Intune, there are some caveats. In the folder where we found the Intune policies is a "Support files" folder, which holds an Excel spreadsheet with valuable information. There are still several STIG settings that are not natively set by Intune for various reasons (not in a Windows CSP, organization-specific settings, etc.). DISA has also provided Desired State Configuration (DSC) files to set many of these settings; these will need to be deployed as a Win32 app. That is outside the scope of this blog, but stay tuned!

Lastly, the spreadsheet lists STIG settings that will show as false positives when you use the Security Content Automation Protocol (SCAP) tool. This is because the settings are now set through Configuration Service Providers (CSPs), while the tool looks at the legacy registry locations. Unfortunately, until that tool is updated to look in the new locations, we will need to provide that evidence ourselves to prove the settings have been configured.

All screenshots and folder paths are from a non-production lab environment and can/will vary per environment. All processes and directions are of my own opinion and not of Microsoft, and are from my years of experience with the Intune product in multiple customer environments.

Additional Resources
- Microsoft Intune Documentation: Microsoft Intune documentation | Microsoft Learn
- DISA STIGs: Security Technical Implementation Guides (STIGs) – DoD Cyber Exchange
- Intune Admin Center: intune.microsoft.com (Commercial/GCC) or Intune.microsoft.us for government (GCC-High/DoD)

Stay tuned for future posts where we delve deeper into advanced configurations and best practices.
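As an added example (not part of the original post), the PowerShell below collects evidence for the SCAP false-positive caveat above by reading the values Intune wrote through the Policy CSP rather than the legacy Group Policy registry locations. It assumes the Policy CSP values land under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\<Area>\<Setting> (device scope) and under ...\current\<UserSID>\<Area>\<Setting> (user scope), and the two Area/Setting pairs are illustrative; take the real ones for your baseline from the STIG "Support files" spreadsheet.

```powershell
# Added example, not from the post: gather evidence that Intune-applied Policy CSP
# settings are present on a device, for STIG items a SCAP scan flags as false
# positives because it reads only the legacy Group Policy registry locations.
# Assumption: Policy CSP values are stored under $base\device\<Area>\<Setting>
# for device-scope settings and $base\<UserSID>\<Area>\<Setting> for user scope.
$base = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current'

# Illustrative settings only; map each STIG ID to its Policy CSP name from the spreadsheet.
$checks = @(
    [pscustomobject]@{ Area = 'Defender';   Setting = 'AllowRealtimeMonitoring'; Scope = 'device' },
    [pscustomobject]@{ Area = 'Experience'; Setting = 'AllowWindowsSpotlight';   Scope = 'user'   }
)

function Get-CspEvidence {
    param([pscustomobject]$Check)

    # Device-scope settings live under 'device'; user-scope settings live under
    # one subkey per user SID, so enumerate every SID-named subkey.
    $scopeKeys = if ($Check.Scope -eq 'device') { @('device') } else {
        Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -like 'S-1-*' } |
            ForEach-Object { $_.PSChildName }
    }

    foreach ($scope in $scopeKeys) {
        $key  = Join-Path $base "$scope\$($Check.Area)"
        $item = Get-ItemProperty -Path $key -Name $Check.Setting -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Collected = (Get-Date).ToString('s')
            Scope     = $scope
            Policy    = "$($Check.Area)/$($Check.Setting)"
            Present   = [bool]$item
            Value     = if ($item) { $item.($Check.Setting) } else { '<not set>' }
        }
    }
}

$evidence = $checks | ForEach-Object { Get-CspEvidence -Check $_ }
$evidence | Format-Table -AutoSize

# Export the result as an artifact to attach alongside the SCAP scan output.
$evidence | Export-Csv -Path "$env:TEMP\csp-evidence.csv" -NoTypeInformation
```

A row with Present = True and the expected Value is the proof the SCAP tool cannot currently produce for CSP-backed settings.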
Happy securing!

Installing Offline Microsoft Store Apps with Intune for Intune Government Customers
Hey everyone, Chris Vetter, Sr. Cloud Solution Architect at Microsoft. As organizations strive to enhance their digital workplace, the need for seamless app deployment and management becomes more critical. For government entities using an Intune Government subscription, installing Offline Microsoft Store Apps can present unique challenges and opportunities. This blog post provides a step-by-step guide to help you navigate the process efficiently.

Why Choose Offline Microsoft Store Apps?

Offline Microsoft Store Apps offer several benefits, especially for government entities that require stringent security and compliance measures:
- Enhanced Security: Offline apps do not depend on an internet connection, significantly reducing exposure to external threats.
- Controlled Deployment: Admins have full control over the app versions being deployed, ensuring that all devices run the same, tested software.
- Compliance: Many government organizations have policies that restrict internet access, making offline apps a viable solution.

Prerequisites

Before you begin, make sure you have the following:
- An active Microsoft Intune subscription
- Administrative access to Microsoft Intune
- Access to download offline apps with Windows Package Manager (Winget)

Step-by-Step Guide

Acquiring Offline Apps

The Microsoft Store for Business/Education was officially retired on August 15th, 2024, and can no longer be used to download offline app packages and their dependencies. The current method to obtain the files is Windows Package Manager (the Winget tool). I am not covering this process in this blog as there are other helpful articles on it, which I link at the bottom of this blog.

Downloading the App Package and License

Download the app package (in .APPX or .MSIX format) and the corresponding license file. Store these files in a secure location, as they are required during the Intune deployment process.
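As an added example (not the post's own script), this PowerShell wraps the Winget download step described in this section and then inspects what came back before anything is uploaded to Intune: it lists the bundle and its dependencies, checks that each dependency matches the requested architecture, and verifies the package signatures. It assumes a winget release with the download command and its --download-directory option, that Get-AuthenticodeSignature can read MSIX/APPX signatures, that the license arrives as an .xml file next to the bundle, and the account name is a placeholder.

```powershell
# Added example, not from the post: download an offline Store package with winget,
# then inspect and signature-check the result before uploading it to Intune.
# Assumptions: winget supports 'download' with --download-directory; the output
# folder holds the bundle, a Dependencies subfolder and a license .xml file.
$appName = 'Company Portal'
$arch    = 'x64'
$outDir  = Join-Path $env:USERPROFILE "Downloads\$($appName -replace ' ', '')"
$account = '<Account with Proper Role Assigned>'   # placeholder, use your own

winget download --name $appName --architecture $arch `
    --accept-package-agreements --accept-source-agreements `
    --authentication-account $account --download-directory $outDir
if ($LASTEXITCODE -ne 0) { throw "winget download failed with exit code $LASTEXITCODE" }

function Test-OfflinePackageSet {
    param([string]$Path, [string]$Architecture)

    # The main bundle and every dependency must carry a valid signature;
    # anything unsigned or tampered with must not be uploaded to Intune.
    $packages = Get-ChildItem -Path $Path -Recurse -Include *.appx, *.appxbundle, *.msix, *.msixbundle
    $license  = Get-ChildItem -Path $Path -Filter *.xml | Select-Object -First 1

    foreach ($pkg in $packages) {
        $sig = Get-AuthenticodeSignature -FilePath $pkg.FullName
        $isDependency = $pkg.DirectoryName -ne (Get-Item $Path).FullName
        [pscustomobject]@{
            File         = $pkg.Name
            IsDependency = $isDependency
            # Dependency file names normally carry the architecture; flag mismatches.
            MatchesArch  = (-not $isDependency) -or ($pkg.Name -match $Architecture)
            Signature    = $sig.Status
            Signer       = $sig.SignerCertificate.Subject
        }
    }

    if (-not $license) {
        Write-Warning 'No license .xml found; endpoints must reach the Microsoft license server.'
    }
}

Test-OfflinePackageSet -Path $outDir -Architecture $arch | Format-Table -AutoSize
```

Only upload the set when every row shows Signature = Valid and MatchesArch = True; a dependency for another architecture is wasted upload and a NotSigned status means the file is not what winget should have produced.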
As of this writing, Intune does not have a built-in method to deploy the license, so your targeted endpoints will need to reach the Microsoft license server to retrieve it. For this article, I will be using "Company Portal" as the LOB app. Below is a sample of my Winget command to download the files, followed by what the downloaded files should look like after a successful download.

winget download --name "Company Portal" --architecture x64 --accept-package-agreements --accept-source-agreements --authentication-account <Account with Proper Role Assigned>

As of this writing, I know version 11.2.900.0 is the latest version for Windows 11, so that is the one I will be selecting.

Uploading the App to Intune

Now log in to the Microsoft Intune admin portal. Navigate to Apps > Windows > Add. Select the option to add a Line-of-business app, as this is the category for offline Microsoft Store apps.

Configuring the App Information

Select the ".AppXBundle" from the downloaded content. You will see a list of dependencies that need to be uploaded as well; these are in the Dependencies folder of the downloaded content. I specified x64 when I downloaded the content, so those are the only dependencies I have to upload. Fill in the necessary details such as the app name, publisher, and version. You can also add a description and logo to make the app easily identifiable for end users (HINT: Winget's show command provides most of this information, just like the Store application).

Assigning the App to Devices

Next, assign the proper scope tag (scope tags are necessary for applying RBAC efficiently). Navigate to Assignments and choose the user or device groups that should receive the app. You can configure the deployment to install the app automatically.

Monitoring the Deployment

After assigning the app, monitor the deployment status in the Microsoft Endpoint Manager admin center.
Navigate to Apps > Monitor to check the installation progress and troubleshoot any issues that arise.

Best Practices

To ensure a smooth deployment, here are some best practices:
- Test Before Deployment: Always test the app on a few devices before rolling it out organization-wide.
- Regular Updates: Keep track of app updates and new versions to ensure your devices are running the most secure and efficient version.
- Documentation: Maintain detailed documentation of the deployment process and any issues encountered for future reference.
- Monitor for new version releases, as you will have to repeat this process to update the application.

Conclusion

Installing Offline Microsoft Store Apps with Intune for Intune Government customers can streamline app management and enhance security. By following the steps outlined in this guide, you can ensure a smooth and efficient deployment process. Stay proactive in monitoring and updating your apps to maintain a secure and productive digital environment. Thank you for reading, and happy deploying!

Disclaimer

The sample scripts are not supported by any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.
All screenshots and folder paths are from a non-production lab environment and can/will vary per environment. All processes and directions are of my own opinion and not of Microsoft, and are from my years of experience with the Intune product in multiple customer environments.

References
- Distribute LOB apps to enterprises - Windows apps | Microsoft Learn
- Downloading Microsoft Store apps using Windows Package Manager - Microsoft Community Hub
- Windows Package Manager | Microsoft Learn