[HardeningKitty] Intune Configuration Settings

[0x6d69636b]

Microsoft also offers the possibility to configure a client via Azure using Intune. Intune sometimes uses different registry paths than the traditional GPO method.

However, the Microsoft Security Baseline does not provide any information on the path of Intune but only the "old" GPO paths. In a first research I found that Intune values are stored under HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device. The registry keys and values do not match the traditional values.

Presumably, the finding lists will have to be maintained twice with GPO and Intune paths in the future.

[0x6d69636b]

This might be a useful resource: https://oliverkieselbach.com/2019/07/18/intune-policy-processing-on-windows-10-explained/

[loosus]

Just my two cents: checking Intune/CSP keys would be extremely helpful in my environment. We have now migrated about 20% of our environment to native Azure AD and manage those devices with Intune, and we expect that percentage to climb over the next 18 months.

Example: HardeningKitty basically says we have configured Windows Firewall none, even though have almost no inbound ports open at all. I know this cannot be done all at once, so my personal opinion is this it would be best to start with Windows Firewall, and then move to Attack Surface Reduction (ASR) rules. Just having those two areas would make a big dent in Intune policies.

HardeningKitty is not alone in not checking Intune policies. If HardeningKitty were to add CSP support in the short-term, it would be among the first verifiers with CSP support.