CIS Benchmark Policies (Baseline Policies) - vishnupk001/CloudCore-SOC-Build-with-M365 GitHub Wiki
The CIS-benchmarked baseline policies were downloaded from GitHub and imported into Microsoft Intune with PowerShell, using an Intune management script. Once imported, the policies were assigned to the organization's Windows devices. This brought every managed system in line with the CIS-recommended configuration and so strengthened the organization's overall security posture. Because CIS baselines are restrictive (they can disable legacy protocols, tighten UAC and block scripts that line-of-business applications still rely on), a practitioner would assign them to a pilot device group and review the Intune policy report for conflicts and errors before widening the assignment to all Windows devices.
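The wiki does not reproduce the management script it used, so the following is an added example, not the project's own code, showing one way to do the same import and assignment with the Microsoft Graph PowerShell SDK. It assumes the downloaded baselines are Intune Settings Catalog exports saved as JSON files (each with name, description, platforms, technologies and settings properties) under a folder named .\CIS-Baselines, and that $GroupId holds the object ID of a pilot device group; the folder name and group ID are placeholders to replace.

```powershell
# Added example (not the wiki's script): import Settings Catalog JSON exports into
# Intune through Microsoft Graph (beta endpoint), then assign each policy to one
# device group. Assumptions: Microsoft.Graph PowerShell SDK is installed, the JSON
# files under $BaselineFolder are Settings Catalog exports, $GroupId is a real group.
param(
    [string]$BaselineFolder = ".\CIS-Baselines",                      # assumed folder
    [string]$GroupId        = "00000000-0000-0000-0000-000000000000"  # placeholder
)

# Least-privilege scope: only configuration policies, nothing else in Intune.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$base = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies"

# Index existing policies by name so re-running the script does not create duplicates.
$existing = @{}
$uri = "${base}?`$select=id,name"
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    foreach ($p in $page.value) { $existing[$p.name] = $p.id }
    $uri = $page.'@odata.nextLink'   # follow paging until Graph stops returning a link
} while ($uri)

foreach ($file in Get-ChildItem -Path $BaselineFolder -Filter *.json) {
    $policy = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json

    # Only the writable properties go in the POST body; an export also carries
    # read-only fields (id, createdDateTime, ...) that the API rejects on create.
    $body = @{
        name         = $policy.name
        description  = $policy.description
        platforms    = $policy.platforms
        technologies = $policy.technologies
        settings     = $policy.settings
    }

    if ($existing.ContainsKey($policy.name)) {
        $id = $existing[$policy.name]
        Write-Host "Skipping import of '$($policy.name)': already exists as $id"
    } else {
        # -Depth 50: ConvertTo-Json defaults to depth 2 and would truncate the nested settings.
        $created = Invoke-MgGraphRequest -Method POST -Uri $base `
            -Body ($body | ConvertTo-Json -Depth 50) -ContentType "application/json"
        $id = $created.id
        Write-Host "Imported '$($policy.name)' as $id"
    }

    # The assign action replaces the policy's whole assignment list with this one group.
    $assignBody = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                           groupId       = $GroupId } }
        )
    } | ConvertTo-Json -Depth 10
    Invoke-MgGraphRequest -Method POST -Uri "$base/$id/assign" `
        -Body $assignBody -ContentType "application/json"
    Write-Host "Assigned '$($policy.name)' to group $GroupId"
}
```

Run it with a pilot group first (`.\Import-CisBaselines.ps1 -GroupId <pilot-group-id>`), check the policy's device status in the Intune admin center, and only then re-run against the production device group; because the assign action replaces the full assignment list, the second run moves the policy rather than stacking assignments.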
Policy Section Explanations:
Windows Section:
Configuration:
This section holds the device configuration profiles, where administrators define settings such as password policies, lock screen behavior, Windows Update settings, and device restrictions, so that devices align with the organization's security standards.
Compliance:
Compliance policies define the rules a device must meet to be considered compliant, such as requiring BitLocker encryption, a minimum OS version and password strength (and, on mobile platforms, that the device is not jailbroken or rooted). A device that fails these rules is marked non-compliant, which Conditional Access can then act on.
Endpoint Security Section:
Antivirus:
Manages antivirus settings like real-time protection, scan schedules, and cloud-based protection to ensure devices are actively protected from malware and other threats.
Disk Encryption:
Focuses on enforcing BitLocker encryption policies to protect data on the device in case of theft or unauthorized access, including backing up recovery keys to Microsoft Entra ID so that an encrypted disk is still recoverable when a user is locked out.
Firewall:
Allows administrators to configure and enforce Windows Defender Firewall settings, helping control inbound and outbound network traffic.
Attack Surface Reduction (ASR):
Helps minimize the device's exposure to threats by closing off common exploit paths with Attack Surface Reduction rules, such as blocking Office applications from creating child processes, blocking Win32 API calls from Office macros, and blocking potentially obfuscated scripts. Rules can be set to audit mode first, so that the events they would have blocked are logged and reviewed before enforcement (block mode) is turned on.
Account Protection:
Ensures Windows Hello for Business, Credential Guard, and other identity protection measures are configured to protect user credentials from theft on the device.
Device Compliance:
Evaluates whether a device meets the defined compliance policies and reports its status for conditional access decisions.
Conditional Access:
Uses compliance data and other conditions (such as user or sign-in risk, location, and application) to enforce access control decisions, for example by requiring the device to be marked compliant before granting access, so that only trusted and compliant devices can reach corporate resources.