CIS.M365.4.1 - Ensure devices without a compliance policy are marked
Overviewβ
4.1 (L2) Ensure devices without a compliance policy are marked 'not compliant'
Compliance policies are sets of rules and conditions that are used to evaluate the configuration of managed devices. These policies can help secure organizational data and resources from devices that don't meet those configuration requirements. Managed devices must satisfy the conditions you set in your policies to be considered compliant by Intune. When combined with conditional access, this allows more control over how non-compliant devices are treated.
The recommended state is Mark devices with no compliance policy assigned as Not compliant
Rationaleβ
Implementing this setting is a first step in adopting compliance policies for devices. When used in together with Conditional Access policies the attack surface can be reduced by forcing an action to be taken for non-compliant devices.
Note: This section does not focus on which compliance policies to use, only that an organization should adopt and enforce them to their needs.
Impactβ
Any devices without a compliance policy will be marked not compliant. Care should be taken to first deploy any new compliance policies with a Conditional Access (CA) policy that is in the Report-only state. After the environment's device compliance is better understood it is then appropriate to finally align with Mark devices with no compliance policy assigned as and enable any CA policies that enforce actions based on device compliance.
If a mature environment already has an existing device compliance CA policy and a large number of devices without an assigned compliance policy, this could cause disruption as those devices would then be suddenly considered not compliant.
Remediation action:β
- Navigate to Microsoft Intune admin center.
- Click on Devices and then under Managed devices on Compliance.
- Click Compliance settings.
- Ensure Mark devices with no compliance policy assigned as set to Not compliant
PowerShellβ
- Connect to Microsoft Graph using
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" - Run the following commands:
$Uri = 'https://graph.microsoft.com/v1.0/deviceManagement'
$Body = @{
settings = @{
secureByDefault = $true
}
} | ConvertTo-Json
Invoke-MgGraphRequest -Uri $Uri -Method PATCH -Body $Body
Related linksβ
- Microsoft Intune admin center
- Use compliance policies to set rules for devices you manage with Intune
- CIS Microsoft 365 Foundations Benchmark v6.0.1 - Page 162
Test Metadataβ
| Field | Value |
|---|---|
| Test ID | CIS.M365.4.1 |
| Severity | Unknown |
| Suite | CIS |
| Category | CIS E3 Level 2 |
| PowerShell test | Test-MtCisDevicesWithoutCompliancePolicyMarked |
| Tags | CIS, CIS E3, CIS E3 Level 2, CIS E5, CIS E5 Level 2, CIS M365 v6.0.1, CIS.M365.4.1, L2, Security |
Sourceβ
- Pester test:
tests/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.Tests.ps1 - PowerShell source:
powershell/public/cis/Test-MtCisDevicesWithoutCompliancePolicyMarked.ps1