Create a Windows 10 settings catalog from group policies using CIS Benchmark for Windows 10, Edge or Chrome

Microsoft have released new feature in Intune Service release 2204 (April 2022) that allows to create a settings Catalog policy using imported GPOs from Intune Group Policy Analytics, please note that this feature is in public preview so it can only get better from here ! you can learn more about functionality and official announcement here link.

In this blog, we will import the CIS Benchmark for Windows 10 21H2 Group Policies settings in Intune then covert to Settings Catalog. CIS Secure Suite membership is required to download automated build kits make it fast and easy to configure your systems in accordance with a CIS Benchmark. You can also download sample build Kit for free from here.

About CIS

As per the official Microsoft Document - CISbenchmarks are internationally recognized as security standards for defendingIT systems and data against cyberattacks. Used by thousands of businesses, theyoffer prescriptive guidance for establishing a secure baseline configuration.

You can download the latest CIS Windows Desktop Build Kit. (You will require CIS Workbench Membership). Alternatively, you can download the latest CIS Benchmark for free and configure manually configure settings in Intune using Administrative Templates or using Group Policies. To download free benchmark visit CIS Website here

1.Login to CIS Workbench Account and Download latest Windows 10 Desktop Build Kit.

2.Import the Group Policies to Intune GPO Analytics i.e browse to gpreport.xml within Group Policy.


3.The GPO will be imported within a seconds with status message - Import Completed. You may import all other GPOs.


4. You will notice all import Group Policies, please note that not all settings are supported by Intune. Also, some of the settings are not imported from the GPO that set the services state. You can click on MDM Support link to identify supported settings.

5. To import this in Intune,  Select the Group Policy and Click on Migrate.

6.You can click on Select all on this page or select the required settings, click on Next to visit next page. Then click next.

   

7.On Configuration tab, review all settings and  Click Next.

   

8.       On Profile Info Tab, enter the meaningful name and description as per your organisation standard and click Next.

   

9.On Assignments tab, select existing group to assign policy.

10.On Review + Deploy tab, verify all details, and click Deploy.

 

11.  You will be redirected to Configuration Profiles tab, search for the Settings Catalog by entering name in the search bar.

12.   After assigning policy to the group, you will see how many devices have succeeded that policy to be deployed in their devices. You can click on Device assignment status or per setting status to view more details.

    

Further Reading

 

Comments

Post a Comment

Popular posts from this blog

How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without compromising security using Microsoft Intune

Image
The contacts saved in Exchange is considered managed contacts. with iOS 12 onwards managed contacts are not visible from unmanaged Apps. As stated in Apple Article (https://support.apple.com/en-au/HT208749)  iOS 12, you can use MDM to make the following exceptions to this policy: Allow unmanaged apps to access managed contacts Allow managed apps to save contacts to the local Contacts app Microsoft Intune have introduced new feature, but it has pre-requisite to "Viewing corporate documents in unmanaged apps" to write contact to unmanaged app and "Viewing non-corporate documents in corporate apps" to read managed contacts in unmanaged app.  This can be security issue for many organisations. However, you can enable this without changing the parent policy by following trick! Go to iOS restriction settings in Intune, go to 'App Store, Doc Viewing, Gaming controls'. As highlighted above 'Allow managed apps to write contacts
Read more

How to deploy Application (offline installer DMG) on Apple MacOS Devices using Microsoft Intune

Image
Microsoft Intune does not support deployment of DMG file. As per the  Microsoft documentation   : " Only  .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported." Microsoft Intune have provided support to deploy shell script to macOS. In the example below, I will deploy Adobe Acrobat Reader DC 2020.009.20063 DMG file on MacOS Device. Save following script as .sh package i.e.  InstallAdobeReader.sh #! /bin/sh url=https://ardownload2.adobe.com/pub/adobe/reader/mac/AcrobatDC/2000920063/AcroRdrDC_2000920063_MUI.dmg   set -x tempd=$(mktemp -d) curl $url > $tempd/AdobeReaderDC.dmg listing=$(sudo hdiutil attach $tempd/AdobeReaderDC.dmg | grep Volumes) volume=$(echo "$listing" | cut -f 3) package=$(ls -1 "$volume" | grep .pkg | head -1) sudo installer -pkg "$volume"/"$package" -target / sudo hdiutil detach "$(echo "$volume" | cut -f 1)" rm -r
Read more

ConfigMgr CB Backup Failing

Image
SCCM site backup was failing with following error,  smsbkup.log showing following error. Cannot find the dependent writer. The dependant component cannot be backed up. AddDependentComponent(pDependency) failed. Error code = 0x80,004,005.Error description = . Error: GatherWriterMetadata failed. 1. To fix this issue  Run 'VSSAdmin list writers' command. 2. Ensure following writers listed. 3. If you identify these two writers are not listed, restart 'SQL Server VSS Writer' if SQLServierWriter' is missing or 'SMS_Site_VSS_Writer' if SMS writer is missing. 4. 'VSSAdmin list writers', ensure both services are listed. 5. start sms_site_backup service to start backup, monitor smsbkup.log, ensure backup completed successfully.
Read more