Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[HardeningKitty] Intune Configuration Settings #22

Open
0x6d69636b opened this issue Mar 26, 2021 · 2 comments
Open

[HardeningKitty] Intune Configuration Settings #22

0x6d69636b opened this issue Mar 26, 2021 · 2 comments

Comments

@0x6d69636b
Copy link
Owner

Microsoft also offers the possibility to configure a client via Azure using Intune. Intune sometimes uses different registry paths than the traditional GPO method.

However, the Microsoft Security Baseline does not provide any information on the path of Intune but only the "old" GPO paths. In a first research I found that Intune values are stored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device. The registry keys and values do not match the traditional values.

Presumably, the finding lists will have to be maintained twice with GPO and Intune paths in the future.

@0x6d69636b
Copy link
Owner Author

@designatedsuccessor
Copy link

Just my two cents: checking Intune/CSP keys would be extremely helpful in my environment. We have now migrated about 20% of our environment to native Azure AD and manage those devices with Intune, and we expect that percentage to climb over the next 18 months.

Example: HardeningKitty basically says we have configured Windows Firewall none, even though have almost no inbound ports open at all. I know this cannot be done all at once, so my personal opinion is this it would be best to start with Windows Firewall, and then move to Attack Surface Reduction (ASR) rules. Just having those two areas would make a big dent in Intune policies.

HardeningKitty is not alone in not checking Intune policies. If HardeningKitty were to add CSP support in the short-term, it would be among the first verifiers with CSP support.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants