
Mobile & Endpoint Security

To achieve CMMC Level 2 compliance without policy overlaps and conflicts common with built-in "Security Baselines," we use the Open Intune Baseline (OIB) as a robust, granular configuration starting point. We then modify this baseline for Microsoft 365 GCC High and NIST SP 800-171.

This hybrid approach satisfies all requirements for a baseline Intune deployment while ensuring defensibility for C3PAO assessments and operational stability.

Architectural Decision

For the reasoning behind replacing generic Microsoft Security Baselines with community-vetted, granular OIB JSON imports, refer to Chapter 9: Foundational Architecture and Design.

Open Intune Baseline (OIB)

OIB aggregates best practices into a unified set of granular JSON files deployable using the IntuneManagement tool by Mikael Karlsson.

Downloading the IntuneManagement Tool

The IntuneManagement tool is a collection of graphical PowerShell scripts rather than a traditional .exe installer.

How to Install and Run:

  1. Download: Go to the Micke-K/IntuneManagement GitHub repository. Click the green Code button and select Download ZIP.

  2. Extract: Extract the downloaded ZIP file and move the inner IntuneManagement-master folder to a permanent location on your drive (e.g., C:\IT_Tools\IntuneManagement).

  3. Unblock: Windows will block downloaded PowerShell scripts by default. Open PowerShell as Administrator and run the following command to prevent execution errors:

    Get-ChildItem -Path "C:\IT_Tools\IntuneManagement" -Recurse | Unblock-File

  4. Launch: Run .\Start_PS7.cmd (if running PowerShell 7) or .\Start.cmd (for PowerShell 5.1).

  5. GCC High Setup: Before signing in, you must expose the sovereign cloud login options:

    • Click File | Settings in the top left.
    • Look under the MSAL section and check the box for Show Azure AD login menu.
    • Click Save.
    • Now, click the Profile icon to sign in. A pre-login window will appear. Select Azure US Government.

GCC High Critical Modifications

Because OIB is designed for the Commercial cloud, the following changes must be applied for GCC High and CMMC compliance.

Telemetry & Reporting

OIB enables deep Windows diagnostic data and Defender telemetry settings that are not supported in GCC High, which leaves the affected Intune profiles in an "Error" state.

  • Action: Edit the imported OIB EDR and Windows Data Collection profiles. Set Expedite telemetry reporting frequency to Not Configured. Ensure diagnostic data is limited to "Required" (Basic) to prevent data spill risks.

Cryptography & FIPS Compliance

OIB establishes strong BitLocker defaults, but CMMC/DoD assessments often scrutinize cryptographic modules strictly.

  • Action: Verify the OIB Disk Encryption profile enforces XTS-AES 256-bit encryption. If your specific contract requires strict FIPS 140-2 validation, ensure the local security policy for "System cryptography: Use FIPS compliant algorithms" is enabled (Note: test thoroughly as it can break apps).

Identity Routing

OIB will provision standard Windows Hello for Business (WHfB) settings, but it does not account for sovereign cloud routing.

  • Action: Ensure the Entra ID Connect sync and Kerberos routing for Cloud Trust point specifically to US Government endpoints (e.g., *.login.microsoftonline.us).

CMMC Control Mapping Matrix

Here are the baseline profiles mapped to their corresponding NIST SP 800-171 controls for your System Security Plan (SSP). Note that some controls utilize the Open Intune Baseline (OIB) JSON files, while others require manual configuration or custom XML to meet strict GCC High requirements.

Deliverable Scope: Attack Surface Reduction
  Profile Source / Filename: Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2) - v3.7
  Critical Setting Verification: Ensure "Block Office apps from creating child processes" and "Block credential stealing" are set to Block.
  NIST 800-171 Control: 3.1.1, 3.14.1 (Limit system access; Flaw remediation)
  Audit Method: MDE Advanced Hunting KQL (DeviceEvents); Intune ASR Report.

Deliverable Scope: Exploit Protection
  Profile Source / Filename: Manual Creation: Custom ASR XML Profile
  Critical Setting Verification: Verify custom XML enables DEP, ASLR, and SEHOP system-wide.
  NIST 800-171 Control: 3.14.1 (Identify and correct system flaws)
  Audit Method: PowerShell Get-ProcessMitigation; Windows Security App.

Deliverable Scope: Defender for Endpoint (EDR)
  Profile Source / Filename: Manual Creation: Intune Endpoint Security Profile
  Critical Setting Verification: Verify Auto-onboard via Intune Connector is active.
  NIST 800-171 Control: 3.14.3 (Monitor system security alerts and advisories)
  Audit Method: MDE Device Inventory; Intune EDR Onboarding Status.

Deliverable Scope: BitLocker (OS Disk)
  Profile Source / Filename: Win - OIB - ES - Encryption - D - BitLocker (OS Disk) - v3.7
  Critical Setting Verification: Verify XTS-AES 256-bit encryption is enforced for OS and fixed drives. Note: Windows may attempt to independently enable encryption.
  NIST 800-171 Control: 3.13.11, 3.8.6 (FIPS 140-2 would require additional configuration and testing; Protect CUI on mobile devices)
  Audit Method: Intune Encryption Report; Local manage-bde -status.

Deliverable Scope: Windows Hello for Business - D
  Profile Source / Filename: Win - OIB - ES - Windows Hello for Business - D - WHfB Configuration - v3.2; Win - OIB - SC - Windows Hello for Business - D - Cloud Kerberos Trust - v3.5
  Critical Setting Verification: Verify Require TPM, Minimum PIN: 6, and US Gov routing URLs.
  NIST 800-171 Control: 3.5.3 (Use multifactor authentication for local and network access)
  Audit Method: Entra ID Sign-in Logs (Auth Requirement: MFA); Local dsregcmd /status.

Deliverable Scope: Windows LAPS
  Profile Source / Filename: Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1
  Critical Setting Verification: Configure Windows LAPS. Enable backup to Entra ID, enforce 14+ characters, and set rotation to 30 days.
  NIST 800-171 Control: 3.1.1, 3.1.5 (Limit access; Least privilege)
  Audit Method: Entra ID LAPS Audit Logs; Intune Device Local Admin status.

Deliverable Scope: Local Security
  Profile Source / Filename: Win - OIB - SC - Device Security - D - Local Security Policies - v3.0
  Critical Setting Verification: Edit profile to add Interactive Logon Message Text and Interactive Logon Message Title. Replace with your Banner Text.
  NIST 800-171 Control: 3.1.9 (Provide privacy and security notices)
  Audit Method: Local Registry: HKLM\SOFTWARE\...\Policies\System\LegalNoticeText.

Deliverable Scope: Security Experience
  Profile Source / Filename: Win - OIB - ES - Defender Antivirus - D - Security Experience - v3.3
  Critical Setting Verification: Ensure Hide Windows Security Notification Area and Enable Tamper Protection are enforced.
  NIST 800-171 Control: 3.4.5 (Restrict nonessential programs)
  Audit Method: MDE Security Center (Tamper Protection status).

Deliverable Scope: Removable Media
  Profile Source / Filename: Manual Creation: Custom ASR Device Control XML
  Critical Setting Verification: Verify XML policies deny all write access while allowing approved hardware IDs.
  NIST 800-171 Control: 3.8.1, 3.8.7 (Control removable media)
  Audit Method: MDE Advanced Hunting KQL (RemovableStoragePolicyTriggered).

Deliverable Scope: Login and Lock Screen
  Profile Source / Filename: Win - OIB - SC - Device Security - U - Power and Device Lock - v3.6; Win - OIB - SC - Device Security - D - Login and Lock Screen - v3.1
  Critical Setting Verification: Adjust the OIB default to ensure Max Inactivity Time Device Lock is 15 Minutes (900 seconds) or less.
  NIST 800-171 Control: 3.1.10 (Session lock)
  Audit Method: Intune Profile Status.

Deliverable Scope: Reports and Telemetry
  Profile Source / Filename: Win - OIB - SC - Windows Update for Business - D - Reports and Telemetry - v3.0
  Critical Setting Verification: Set "Allow Telemetry" to Basic/Security and completely remove "Expedite telemetry reporting frequency".
  NIST 800-171 Control: 3.1.3 (Control the flow of CUI)
  Audit Method: Intune Profile Status.

Transitioning Existing MDE Deployments

Clients often worry that pushing the Defender for Endpoint (MDE) onboarding policy via Intune will break existing standalone MDE installations. It will not.

  • MDE is Built-In: On Windows 10/11, MDE is not a separately installed application; it is a dormant sensor built into the OS. The Intune policy simply passes a configuration file pointing that sensor to your GCC High tenant.
  • No Interruption: If the device is already reporting to your tenant (e.g., previously onboarded via local script or GPO), Intune simply detects the active sensor, registers a "Success" state, and continues without interrupting protection. (Note: If the device is reporting to a completely different company's tenant, it must be offboarded first).
  • Configuration Takeover: While the onboarding itself is harmless, Intune will immediately overwrite legacy local or GPO security configurations (like AV scans and ASR rules). This is the desired behavior, as Intune must become the single, authoritative source of truth for your CMMC System Security Plan.

Why hide the Windows Security Notification Area?

Clients often worry that hiding the security notification area means turning off their antivirus. It does not. Hiding this area simply removes the Windows Security "shield" icon from the user's taskbar and suppresses local pop-up alerts. The underlying protections (Defender AV, ASR, Exploit Protection) remain fully active in the background. In a CMMC and Zero Trust architecture, this is enforced for two reasons:

  1. Preventing Tampering: It removes the user interface, preventing standard users from attempting to pause real-time protection, add exclusions for risky files, or bypass SmartScreen blocks.
  2. Centralizing Operations: Security alerts are routed silently to the Microsoft Defender portal for the IT/SOC team to investigate, rather than causing user panic or generating unnecessary helpdesk tickets for routine background scans.

Intune Endpoint Privilege Management (EPM)

EPM is an add-on license that allows standard users to elevate specific, approved applications without needing IT to type in the LAPS password. While LAPS is practically mandatory for CMMC to secure the default admin account, EPM is highly recommended for operational sanity so your helpdesk isn't overwhelmed with UAC elevation requests for legacy DoD apps. EPM is being included in the Microsoft 365 E5/G5 SKUs starting July 1, 2026.

USB Device Control & SOC Alerting

In high-security GCC High environments, simply blocking write access via the Settings Catalog may not be enough. To mirror the capabilities of tools like McAfee HBSS, you can whitelist specific, company-approved USB drives (e.g., a SanDisk Cruzer) while generating real-time SOC alerts when unapproved devices are plugged in.

This requires splitting the workload: Intune acts as the enforcement engine, while Defender for Endpoint acts as the auditor.

Intune

Instead of basic Administrative Templates, use Endpoint Security > Attack Surface Reduction > Device Control. This relies on XML-based rule sets.

Step 1: The Approved Hardware XML

Create an XML file to define your approved USB model using its Vendor ID (VID) and Product ID (PID). Here is an example targeting a common SanDisk Cruzer (VID: 0781, PID: 5567).

Note: In XML, the ampersand connecting the VID and PID must be escaped as &amp; (a bare & makes the file unparseable and the policy will fail to apply).

<Group Id="{aaa512fa-275f-40e2-a39c-b92c08b3e352}">
  <MatchType>MatchAny</MatchType>
  <DescriptorIdList>
    <HardwareId>USB\VID_0781&amp;PID_5567</HardwareId>
  </DescriptorIdList>
</Group>

Step 2: The Policy Rule XML

Create a second XML file that blocks write/execute access (AccessMask 6 = Write + Execute) for all removable media, but explicitly excludes the SanDisk group you just created. Crucially, it adds a second entry of type AuditDenied with Options 3 (show the user a notification and write an event); that event is what records each blocked attempt so the Defender detection rule below can raise an alert.

<PolicyRule Id="{c544a991-5786-2819-949e-a032cb790d0e}">
  <Name>Block USB Writes, Allow SanDisk Cruzer</Name>
  <IncludedIdList>
    <GroupId>{9b28fae8-72f7-4267-a1a5-685f747a4345}</GroupId>
  </IncludedIdList>
  <ExcludedIdList>
    <GroupId>{aaa512fa-275f-40e2-a39c-b92c08b3e352}</GroupId>
  </ExcludedIdList>

  <Entry Id="{f8ddbbc5-8855-4776-a9f4-ee58c3a21414}">
    <Type>Deny</Type>
    <Options>0</Options>
    <AccessMask>6</AccessMask>
  </Entry>

  <Entry Id="{7c518c86-38e5-40a9-86ee-e9f79f136817}">
    <Type>AuditDenied</Type>
    <Options>3</Options>
    <AccessMask>6</AccessMask>
  </Entry>
</PolicyRule>

Step 3: Deployment

Upload the Approved Hardware XML to the Reusable Settings tab in Intune. Then, create a new ASR policy (Profile: Device Control) and link your Policy Rule XML.
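Two details in the three steps above are easy to get wrong by hand: the ampersand in the hardware ID must be escaped, and the PolicyRule's IncludedIdList points at a group ({9b28fae8-72f7-4267-a1a5-685f747a4345}) that Step 1 does not define, so the rule has nothing to deny until that group exists. The PowerShell script below is an added example, not code from this page's author, from the OIB project or from Microsoft. It builds the approved-hardware group from a list of VID/PID pairs and the "any removable media" group the rule refers to, using System.Xml so the serializer does the escaping, then parses the result back to confirm the VID/PID survived. The second approved device is constructed sample data; the PrimaryId names (RemovableMediaDevices, CdRomDevices, WpdDevices) and the Groups wrapper follow Microsoft's published Device Control file format, and each Group element can be pasted into Reusable Settings as Step 3 describes.

```powershell
# Added example: generate Device Control group XML with correct escaping.
# Not from the OIB project or this page; VID/PID list is sample data except the
# SanDisk pair from Step 1. PrimaryId names follow Microsoft's Device Control schema.

$ApprovedDevices = @(
    @{ Vendor = 'SanDisk Cruzer';                 VID = '0781'; PID = '5567' }
    @{ Vendor = 'Constructed example drive';      VID = '1234'; PID = 'ABCD' }   # placeholder values
)
$ApprovedGroupId = '{aaa512fa-275f-40e2-a39c-b92c08b3e352}'   # Group Id used in Step 1
$AnyRemovableId  = '{9b28fae8-72f7-4267-a1a5-685f747a4345}'   # Group Id named in the PolicyRule IncludedIdList

function New-DeviceControlGroupsXml {
    param([hashtable[]]$Devices, [string]$ApprovedId, [string]$AnyRemovableGroupId)

    $settings = [System.Xml.XmlWriterSettings]::new()
    $settings.Indent = $true
    $settings.OmitXmlDeclaration = $true
    $sb = [System.Text.StringBuilder]::new()
    $w  = [System.Xml.XmlWriter]::Create($sb, $settings)

    $w.WriteStartElement('Groups')

    # Group 1: the allow list. MatchAny means any one listed hardware ID qualifies.
    $w.WriteStartElement('Group'); $w.WriteAttributeString('Id', $ApprovedId)
    $w.WriteElementString('MatchType', 'MatchAny')
    $w.WriteStartElement('DescriptorIdList')
    foreach ($d in $Devices) {
        # XmlWriter emits '&' as '&amp;' for us; never hand-type a bare '&' into the file
        $w.WriteElementString('HardwareId', "USB\VID_$($d.VID)&PID_$($d.PID)")
    }
    $w.WriteEndElement()   # DescriptorIdList
    $w.WriteEndElement()   # Group

    # Group 2: everything the Deny/AuditDenied entries apply to (the rule's IncludedIdList)
    $w.WriteStartElement('Group'); $w.WriteAttributeString('Id', $AnyRemovableGroupId)
    $w.WriteElementString('MatchType', 'MatchAny')
    $w.WriteStartElement('DescriptorIdList')
    foreach ($p in 'RemovableMediaDevices', 'CdRomDevices', 'WpdDevices') {
        $w.WriteElementString('PrimaryId', $p)
    }
    $w.WriteEndElement()   # DescriptorIdList
    $w.WriteEndElement()   # Group

    $w.WriteEndElement()   # Groups
    $w.Flush(); $w.Close()
    return $sb.ToString()
}

$xml = New-DeviceControlGroupsXml -Devices $ApprovedDevices -ApprovedId $ApprovedGroupId -AnyRemovableGroupId $AnyRemovableId

# Round-trip check: the text must parse as XML, and once the parser decodes the
# entity the approved group must still contain the raw VID&PID string.
$doc = [xml]$xml
$ids = $doc.Groups.Group | Where-Object Id -eq $ApprovedGroupId | ForEach-Object { $_.DescriptorIdList.HardwareId }
if ($ids -notcontains 'USB\VID_0781&PID_5567') { throw 'Approved hardware group did not round-trip' }

$xml | Set-Content -Path '.\DeviceControl-Groups.xml' -Encoding UTF8
$xml
```

Because the serializer owns the escaping, adding a device is a one-line change to the list at the top rather than a hand edit of the XML, and the round-trip check at the end catches a malformed file before it is uploaded to Intune.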

Defender for Endpoint

Intune does not send real-time alerts. To get the HBSS-style popup for the security team, you must configure a Custom Detection Rule in Microsoft Defender.

Navigate to Hunting > Advanced hunting and run the following KQL query:

// Detect blocked Removable Storage devices (Device Control AuditDenied events)
DeviceEvents
| where ActionType == "RemovableStoragePolicyTriggered"
| extend parsed = parse_json(AdditionalFields)
| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
| extend MediaDescription = tostring(parsed.DeviceDescription)
| where RemovableStoragePolicyVerdict == "Deny"
// Timestamp, DeviceId and ReportId must be in the output for a custom detection rule to save
| project Timestamp, DeviceId, ReportId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, MediaDescription

Click Create detection rule in the top right corner and set the severity to Medium or High. This will automatically open an incident in your SOC dashboard whenever a user attempts to write to an unapproved USB drive.

Intune Compliance Policy

While OIB configures the device, it does not include a Compliance Policy. The Compliance Policy must be built manually to validate the device state. This policy acts as the signal used by Entra ID Conditional Access to block non-compliant devices from accessing GCC High CUI data.

Policy Type: Windows 10 and later

Policy Section: Device Health
  Setting Name: Require BitLocker
  Required Value: Require
  Non-Compliance Action: Mark non-compliant immediately. (Blocks access to CUI instantly)

Policy Section: Device Health
  Setting Name: Require Secure Boot
  Required Value: Require
  Non-Compliance Action: Mark non-compliant immediately.

Policy Section: System Security
  Setting Name: Minimum OS version
  Required Value: 10.0.22631.xxxx (Current - 2, i.e. N-2)
  Non-Compliance Action: Grace period: 3 days. (Allows time for patching)

Policy Section: System Security
  Setting Name: Firewall
  Required Value: Require
  Non-Compliance Action: Mark non-compliant immediately.

Policy Section: System Security
  Setting Name: Antivirus / Antispyware
  Required Value: Require
  Non-Compliance Action: Mark non-compliant immediately.

Policy Section: System Security
  Setting Name: Require a password to unlock mobile devices
  Required Value: Require (Minimum length: 8, Block simple passwords)
  Non-Compliance Action: Mark non-compliant immediately. (Enforces NIST 3.5.7 & 3.5.8)

Policy Section: Defender for Endpoint
  Setting Name: Machine Risk Score
  Required Value: Medium or lower
  Non-Compliance Action: Mark non-compliant immediately. (Reacts to active threats)
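The Audit Method column of the control mapping matrix earlier and the compliance table above both rest on local checks (manage-bde, Get-ProcessMitigation, dsregcmd, registry values) that an assessor will ask to see. The PowerShell script below is an added example, not part of the OIB project or of this page, that collects that evidence from one device and writes it to a CSV for the SSP. The thresholds are the ones this page states (XTS-AES 256, 900-second inactivity lock, 14-character LAPS password rotated at 30 days, build 10.0.22631, Tamper Protection on). The registry paths used for the inactivity limit, logon banner, FIPS policy and LAPS settings are assumptions about where the Intune policies land on the device and should be confirmed on one reference machine before the output is treated as evidence.

```powershell
# Added example: local evidence collection for the control mapping matrix and the
# compliance policy. Not from the OIB project or this page's author. Registry paths
# are assumptions about where the Intune policies are written; confirm on a reference
# device. Run in an elevated PowerShell 5.1 or 7 session on a Windows 10/11 device.

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Evidence)
    $Findings.Add([pscustomobject]@{ Control = $Control; Check = $Check; Pass = $Pass; Evidence = $Evidence })
}
function Get-RegValue {
    # Returns $null instead of throwing when the key or value is absent
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
$PolSystem = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# 3.13.11 / 3.8.6 - BitLocker on the OS drive: XTS-AES 256, fully encrypted, protectors on
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
Add-Finding '3.13.11' 'OS drive XTS-AES 256, protection on' `
    ($os.EncryptionMethod -eq 'XtsAes256' -and $os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted') `
    "$($os.EncryptionMethod) / $($os.ProtectionStatus) / $($os.VolumeStatus)"

# FIPS mode (only where the contract requires it; see the Cryptography section)
$fips = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
Add-Finding '3.13.11' 'FIPS algorithm policy enabled (if required)' ($fips -eq 1) "Enabled=$fips"

# 3.14.1 - Exploit Protection system defaults: DEP, ASLR (bottom-up), SEHOP
$mit = Get-ProcessMitigation -System
Add-Finding '3.14.1' 'DEP, ASLR, SEHOP on system-wide' `
    ($mit.DEP.Enable -eq 'ON' -and $mit.ASLR.BottomUp -eq 'ON' -and $mit.SEHOP.Enable -eq 'ON') `
    "DEP=$($mit.DEP.Enable) ASLR.BottomUp=$($mit.ASLR.BottomUp) SEHOP=$($mit.SEHOP.Enable)"

# 3.1.10 - Session lock: machine inactivity limit of 900 seconds or less (assumed location)
$lockSecs = Get-RegValue $PolSystem 'InactivityTimeoutSecs'
Add-Finding '3.1.10' 'Inactivity lock <= 900 s' ($null -ne $lockSecs -and $lockSecs -gt 0 -and $lockSecs -le 900) "InactivityTimeoutSecs=$lockSecs"

# 3.1.9 - Logon banner text and title present
$banner  = Get-RegValue $PolSystem 'LegalNoticeText'
$caption = Get-RegValue $PolSystem 'LegalNoticeCaption'
Add-Finding '3.1.9' 'Logon banner configured' `
    (-not [string]::IsNullOrWhiteSpace($banner) -and -not [string]::IsNullOrWhiteSpace($caption)) "Caption='$caption'"

# 3.1.5 - Windows LAPS: backup to Entra ID (BackupDirectory=1), 14+ chars, 30-day rotation (assumed CSP path)
$lapsPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
$backup = Get-RegValue $lapsPath 'BackupDirectory'
$len    = Get-RegValue $lapsPath 'PasswordLength'
$age    = Get-RegValue $lapsPath 'PasswordAgeDays'
Add-Finding '3.1.5' 'LAPS to Entra ID, 14+ chars, 30-day rotation' `
    ($backup -eq 1 -and $len -ge 14 -and $age -gt 0 -and $age -le 30) "BackupDirectory=$backup Length=$len AgeDays=$age"

# 3.4.5 - Defender AV real-time protection and Tamper Protection
$mp = Get-MpComputerStatus
Add-Finding '3.4.5' 'Defender RTP and Tamper Protection on' ($mp.RealTimeProtectionEnabled -and $mp.IsTamperProtected) `
    "RTP=$($mp.RealTimeProtectionEnabled) Tamper=$($mp.IsTamperProtected)"

# Compliance policy inputs: Secure Boot, firewall on every profile, minimum OS build
try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }   # cmdlet throws on legacy BIOS
Add-Finding 'Compliance' 'Secure Boot enabled' $sb "SecureBoot=$sb"
$fwOff = (Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Name -join ','
Add-Finding 'Compliance' 'Firewall on for Domain/Private/Public' ([string]::IsNullOrEmpty($fwOff)) "Disabled profiles: '$fwOff'"
$build = [System.Environment]::OSVersion.Version.Build
Add-Finding 'Compliance' 'OS build >= 22631' ($build -ge 22631) "Build=$build"

# 3.5.3 - WHfB: device is Entra joined and a Hello key (NGC) is provisioned for this user
$ds = (dsregcmd /status) -join "`n"
Add-Finding '3.5.3' 'Entra joined with WHfB key provisioned' `
    ($ds -match 'AzureAdJoined\s*:\s*YES' -and $ds -match 'NgcSet\s*:\s*YES') 'dsregcmd /status parsed'

$Findings | Format-Table -AutoSize
$Findings | Export-Csv -Path "$env:COMPUTERNAME-cmmc-evidence.csv" -NoTypeInformation
'{0} of {1} checks passed' -f ($Findings | Where-Object Pass).Count, $Findings.Count
```

Run it once on a reference device after the OIB profiles report success in Intune, keep the CSV with the device name and date as SSP evidence, and re-run it on a sample of devices before the C3PAO visit; a failing row points at the exact profile in the matrix that needs attention.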

Windows Hello for Business in GCC High

Deploying Windows Hello for Business (WHfB) via OIB profiles requires careful attention to the Cloud Trust model to minimize on-premises infrastructure.

Cloud Trust Requirements

  • Azure AD Kerberos Object: You must deploy the Azure AD Kerberos object to your on-premises Domain Controllers.
  • Intune Configuration: In the imported OIB Account Protection policy, explicitly set "Use Cloud Trust for On-Prem Auth" to Yes.

US Government Endpoint URLs

When configuring the Entra ID Connect sync and Kerberos routing for Cloud Trust, ensure you are using the specific US Government endpoints (e.g., *.login.microsoftonline.us) rather than commercial URLs. Mismatched endpoints will cause WHfB provisioning to fail during the user's initial logon.
