CIS Intune Windows 11 Benchmark, continuously evidenced.
The CIS Intune Windows 11 Benchmark defines 457 controls calibrated for Microsoft Intune-managed Windows 11 endpoints. It differs from the standard Windows 11 benchmark in policy delivery: controls are validated against Intune device configuration profiles, compliance policies, and security baselines rather than legacy Group Policy. It is critical for organizations running Microsoft Intune as the primary endpoint management plane.
Intune Windows 11 benchmark at a glance.
- Benchmark version: v4.0.0
- Total controls: 457
- Scan type: Agent
- Available tier: All plans
- Category: Endpoint
- Drift detection: Yes, between every scheduled scan
What this benchmark actually covers.
- Intune Device Configuration Profiles
- Intune Compliance Policies
- Intune Security Baselines
- Conditional Access integration
- Windows Defender via Intune
- BitLocker policy via Intune
- App Protection Policies
Intune Windows 11 questions, answered directly.
How is the Intune Windows 11 benchmark different from the standard Windows 11 benchmark?
Both benchmarks target Windows 11 endpoint hardening, but the Intune variant validates controls as delivered through Microsoft Intune policies rather than Group Policy. The control set is calibrated for the cloud-managed policy model, including conditional access integration, app protection policies, and Intune-specific compliance settings.
Does CISGuard integrate with Microsoft Intune?
CISGuard's endpoint agent runs on Intune-managed Windows 11 devices and validates effective configuration regardless of policy source. The platform does not require Intune API integration to function. For environments where Intune is the primary management plane, this benchmark provides Intune-specific evidence.
Can a mixed Intune + GPO environment use this benchmark?
Yes. Many enterprises operate hybrid Intune + GPO management. CISGuard can apply the Intune benchmark to Intune-primary endpoints and the standard Windows 11 benchmark to GPO-primary endpoints. Per-device tagging in CISGuard determines which benchmark profile applies.
Want an Intune Windows 11 scan of your environment?
Our compliance engineers will scope your environment and quote within one business day of an initial briefing.