Endpoint Services, MECM, CIS Windows 11 benchmarks
Overview
This document summarizes how to deploy the CIS (Center for Internet Security) Windows 11 benchmarks in MECM.
Systems
Microsoft Endpoint Configuration Manager (MECM)
Intended Audience
University of Illinois IT Pros leveraging MECM, hosted by Technology Services' Endpoint Services team
General Information
As part of the ongoing CII effort, EPS has built several CIS Windows 11 benchmarks as configuration baselines in MECM. Read the CIS benchmarks FAQ for more information about the benchmarks. In the MECM console, the baselines are located at \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines\.CIS WIN11 BENCHMARKS. Refer to this guide on how configuration items and baselines work.
The individual configuration items have been grouped into six categories of baselines: Account, Firewall, MSS (Legacy), Network, Services and System. To view the individual configuration items, right-click each baseline and select ‘Show Members’.
These benchmarks are designed for Windows 11, so it is recommended to deploy these baselines only to Windows 11 PCs; deploying them to out-of-scope PCs adds policy processing time on those devices for no benefit.
Deploy and monitor the CIS baselines
- Follow this guide to create a device collection of Windows 11 PCs (e.g. UIUC-YourUnit-Windows11) and use the query below:
- select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId where SMS_G_System_OPERATING_SYSTEM.Caption like "%Windows 11%"
- Create a device collection for the CIS benchmarks (e.g. UIUC-YourUnit-CIS Win11 Benchmarks) and use the ‘Include Collections’ membership rule to add the newly created Windows 11 device collection.
- Follow this guide to deploy the baselines to the CIS benchmarks collection. The baselines are located at \Assets and Compliance\Overview\Compliance Settings\Configuration Baselines\.CIS WIN11 BENCHMARKS. Decide if the baselines should only evaluate compliance or if they should also remediate non-compliant devices.
- Prior to selecting ‘Remediate noncompliant rules when supported’, ensure your unit understands the remediation being implemented in each configuration item.
- Units have the option to leave the ‘Remediate noncompliant rules…’ option unchecked on the initial deployment and, once they are ready, enable remediation in the deployment properties.
- Follow this guide to view compliance results.
- If desired, follow this guide to create collections based on compliance.
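The same collection and deployment steps, scripted with the ConfigurationManager PowerShell module from the console. This is an added example, not part of the original article or the EPS baselines; the site code, unit name and baseline names are placeholders (the real baseline names are the ones shown under .CIS WIN11 BENCHMARKS in the console), and the cmdlets used are the module's standard ones.

```powershell
# Added example: scripted equivalent of the console steps above (not from the original article).
# Assumes the ConfigurationManager module is installed with the console and the account has site rights.
$SiteCode  = 'ABC'       # placeholder: your MECM site code
$Unit      = 'YourUnit'  # placeholder: your unit name, as in the collection names above
$Win11Coll = "UIUC-$Unit-Windows11"
$CisColl   = "UIUC-$Unit-CIS Win11 Benchmarks"
# Placeholder baseline names; replace with the actual names listed under .CIS WIN11 BENCHMARKS.
$Baselines = @('CIS Win11 - Account', 'CIS Win11 - Firewall', 'CIS Win11 - MSS (Legacy)',
               'CIS Win11 - Network', 'CIS Win11 - Services', 'CIS Win11 - System')

# Load the console module and switch to the site drive (required by all CM* cmdlets).
Import-Module (Join-Path (Split-Path $env:SMS_ADMIN_UI_PATH) 'ConfigurationManager.psd1')
Set-Location "$($SiteCode):\"

# Step 1: query-based collection of Windows 11 PCs, using the WQL query from the article.
$Wql = @'
select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client
from SMS_R_System inner join SMS_G_System_OPERATING_SYSTEM
on SMS_G_System_OPERATING_SYSTEM.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_OPERATING_SYSTEM.Caption like "%Windows 11%"
'@
if (-not (Get-CMDeviceCollection -Name $Win11Coll)) {
    New-CMDeviceCollection -Name $Win11Coll -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionQueryMembershipRule -CollectionName $Win11Coll -QueryExpression $Wql -RuleName 'Windows 11 OS'
}

# Step 2: CIS collection whose only members come from the Windows 11 collection (keeps out-of-scope PCs out).
if (-not (Get-CMDeviceCollection -Name $CisColl)) {
    New-CMDeviceCollection -Name $CisColl -LimitingCollectionName 'All Systems' | Out-Null
    Add-CMDeviceCollectionIncludeMembershipRule -CollectionName $CisColl -IncludeCollectionName $Win11Coll
}

# Step 3: deploy each baseline in monitor-only mode. EnableEnforcement $false is the scripted form of
# leaving 'Remediate noncompliant rules when supported' unchecked; evaluation runs daily.
$Schedule = New-CMSchedule -RecurInterval Days -RecurCount 1
foreach ($Name in $Baselines) {
    if (-not (Get-CMBaseline -Name $Name)) { Write-Warning "Baseline '$Name' not found; skipping"; continue }
    New-CMBaselineDeployment -Name $Name -CollectionName $CisColl -EnableEnforcement $false -Schedule $Schedule | Out-Null
}

# Later, once the unit has reviewed the remediation in each configuration item, turn enforcement on
# per deployment (same as editing the deployment properties in the console):
# Set-CMBaselineDeployment -Name $Name -CollectionName $CisColl -EnableEnforcement $true
```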