Tenable Research Release Highlights


bmcsulla
3 years ago


New CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 audit files and compliance plugin updates

Summary

This release covers both the compliance plugin update to support detecting and using Intune GUID registry-based checks and the release of the CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 audits.

Compliance Plugin Updates

Similar to the existing REGISTRY_SETTING check type, a new GUID_REGISTRY_SETTING type is being released that supports the use of a new field: guid_reg_key.

This field specifies the location where the plugin can find the GUID that associates Intune-assigned registry values with local target values. Please see https://docs.tenable.com/nessus/compliancechecksreference/Content/GUID_REGISTRY_SETTING.htm for more information.

CIS Audits

Maintaining consistency with other CIS Windows content, the following profile based audits are being released:

  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1
  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L2
  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 NG
  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 Bitlocker

Additionally, the following combination profile audits will be released:

  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + NG
  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL
  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L1 + BL + NG
  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L2 + NG
  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L2 + BL
  • CIS Microsoft Intune for Windows 10 Release 2004 v1.0.1 L2 + BL + NG

In the combination profile audits, NG stands for "Next Generation Windows Security" and BL stands for "Bitlocker".

Target Release Date

August 5th, 2022

Additional Notes:

Please consider carefully before implementing the CIS guidelines for Intune in your environment. The syntax of some registry values requires custom delimiting characters in place of traditional commas, and getting it wrong can render a target inaccessible. Review the CIS benchmark closely for every control, as well as the CIS Workbench for Intune, when implementing this guidance.

Additional reading on the delimiting character (0xF000) is available in this Microsoft example: https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-userrights.
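
A pre-deployment check for that delimiter, as an added example (not Tenable, CIS or Microsoft code): it lints a user-rights value before it is pushed, flagging comma-style separators where U+F000 is expected. It assumes a value is a list of account names separated by U+F000, optionally written as the XML character reference `&#xF000;`; the function names and sample values are constructed for illustration.

```python
import re

DELIM = "\uf000"  # the 0xF000 delimiter the post refers to
# The same code point written as an XML character reference, e.g. &#xF000;
ENTITY = re.compile(r"&#x0*f000;", re.IGNORECASE)
# Characters Windows does not allow in account names, so inside an entry they
# almost certainly mean the list was joined with the wrong separator.
WRONG_SEPARATORS = re.compile(r"[,;|]")


def split_principals(value):
    """Decode the entity form, then split the value on U+F000."""
    decoded = ENTITY.sub(DELIM, value)
    return [entry.strip() for entry in decoded.split(DELIM)]


def lint_user_rights(value):
    """Return findings for one policy value; an empty list means none."""
    if not value.strip():
        # Assumption: a deliberately empty value (right granted to no one)
        # is valid, so it is not flagged.
        return []
    findings = []
    for entry in split_principals(value):
        if not entry:
            findings.append("empty entry: leading, trailing or doubled delimiter")
        elif WRONG_SEPARATORS.search(entry):
            findings.append(f"{entry!r} would be read as a single account name")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from the CIS benchmark.
    samples = {
        "correct": "Administrators\uf000Remote Desktop Users",
        "entity form": "Administrators&#xF000;Remote Desktop Users",
        "comma-joined": "Administrators,Remote Desktop Users",
        "trailing delimiter": "Administrators\uf000",
    }
    for label, value in samples.items():
        print(f"{label}: {lint_user_rights(value) or 'ok'}")
```

A comma-joined value is the case to catch before rollout: it parses as one account name that does not exist, so no real account is granted the right.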
