How to Align Client Policies with CIS Controls Using Intune Configuration Profiles 

by Angelo Salandanan, IT Technical Writer

Security is far from the only challenge for MSPs handling multiple tenants; consistency, audit preparedness, and risk reduction are equally crucial. Aligning policies with Intune is one way IT teams meet these objectives and the standards set by the Center for Internet Security. IT professionals looking to align Windows security policies with CIS Controls can use this guide as a starting point.

Guide for using Intune to align policies with CIS Controls

Use the list of methods below to jump to the steps that fit your environment.

📌 Prerequisites:

  • Microsoft 365 Business Premium or Enterprise license
  • Microsoft Intune licensing and enrollment completed
  • Global Administrator or Intune Admin roles
  • PowerShell 5.1+ installed with administrative privileges (Check your PowerShell Version)
  • Familiarity with CIS Benchmarks (Level 1/2)
  • Azure AD-joined or hybrid-joined Windows 10/11 endpoints

👉 Reminder: Some steps may vary depending on system defaults or active settings.

Method 1: Intune settings
Method 2: Intune multi-tenant management
Method 3: PowerShell script
Method 4: Group Policy

💡 Tip: Check out the Things to look out for section for tips on managing potential risks.

Method 1: Review and map CIS controls to Intune settings catalog

The Intune Settings Catalog is the fastest way to enforce most CIS Controls without scripting.

📌 Use cases: General configuration, enterprise-level deployment

  1. Download the latest CIS Benchmark for Windows 10/11.
  2. Identify the relevant controls based on Level 1 or Level 2 benchmarks.
  3. Open Microsoft Intune Admin Center → Devices → Configuration profiles.
  4. Create a profile:
    • Platform: Windows 10 and later
    • Profile type: Settings catalog
  5. Search and apply settings that match controls, such as:
    • Account lockout policy
    • BitLocker encryption enforcement
    • Windows Defender settings
    • Remote Desktop restriction
    • Application install restrictions
  6. Document each mapping for audit readiness.

Method 2: Apply configuration profiles across multiple tenants

Exporting and importing profiles strengthens your deployment strategy by keeping policies consistent and up to date across multiple tenants.

📌 Use cases: MSPs, enterprise, multi-tenant deployment

You can use Microsoft Lighthouse (preview) for cross-tenant deployment of shared security templates or export and import JSON profiles using PowerShell or Graph API.

# Cmdlet names as given in the article; they are not supplied by Microsoft's own Graph PowerShell modules, so confirm the module that provides them is installed before running.
# Export the named policy to a JSON file, then import that file (in the target tenant).
Export-IntuneConfigurationPolicy -PolicyName "CIS-Level1-Profile" -Path "C:\IntunePolicies\CIS_Level1.json"

Import-IntuneConfigurationPolicy -Path "C:\IntunePolicies\CIS_Level1.json"

💡 Note: This script may run or fail without displaying any confirmation or prompt. To confirm if changes have been applied successfully, check the corresponding registry keys or system settings.
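One way to do the same export and import with the Microsoft Graph PowerShell SDK, written here as an added example rather than the article's or NinjaOne's own code. It assumes the Microsoft.Graph module is installed, the policy name used above, a placeholder target tenant ID, and the beta deviceManagement/configurationPolicies resource shape, which you should confirm against current Graph documentation.

```powershell
# Added example, not the article's own code: copy a Settings Catalog policy between
# tenants with the Microsoft Graph PowerShell SDK (Microsoft.Graph module assumed).
# Assumptions: policy name from the article, a placeholder target tenant ID, and the
# beta deviceManagement/configurationPolicies resource shape (confirm against Graph docs).
$PolicyName     = 'CIS-Level1-Profile'
$ExportPath     = 'C:\IntunePolicies\CIS_Level1.json'
$TargetTenantId = '<TARGET-TENANT-ID>'   # placeholder
$Base = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

function Export-CisPolicy {
    param([string]$Name, [string]$Path)
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome
    $all   = @((Invoke-MgGraphRequest -Method GET -Uri $Base).value)
    $match = @($all | Where-Object { $_.name -eq $Name })
    if ($match.Count -ne 1) { throw "Expected one policy named '$Name', found $($match.Count)" }
    # Fetch the policy with its settings expanded; that is what a tenant-neutral copy needs.
    $policy = Invoke-MgGraphRequest -Method GET -Uri "$Base/$($match[0].id)?`$expand=settings"
    # Keep only what a POST needs; ids and timestamps belong to the source tenant.
    $clean = [ordered]@{
        name         = $policy.name
        description  = $policy.description
        platforms    = $policy.platforms
        technologies = $policy.technologies
        settings     = @($policy.settings | ForEach-Object {
            @{ '@odata.type'  = '#microsoft.graph.deviceManagementConfigurationSetting'
               settingInstance = $_.settingInstance }
        })
    }
    $clean | ConvertTo-Json -Depth 30 | Set-Content -Path $Path -Encoding UTF8
}

function Import-CisPolicy {
    param([string]$Path, [string]$TenantId)
    Connect-MgGraph -TenantId $TenantId -Scopes 'DeviceManagementConfiguration.ReadWrite.All' -NoWelcome
    $body    = Get-Content -Path $Path -Raw
    $created = Invoke-MgGraphRequest -Method POST -Uri $Base -Body $body -ContentType 'application/json'
    # Record the new id: it is the audit evidence that the mapping exists in the target tenant.
    Write-Output "Created '$($created.name)' (id $($created.id)) in tenant $TenantId"
}

Export-CisPolicy -Name $PolicyName -Path $ExportPath
Import-CisPolicy -Path $ExportPath -TenantId $TargetTenantId
```

Keep the exported JSON with the policy id it produced in each tenant; that pairing is the mapping document step 6 of Method 1 asks for.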

Method 3: Using PowerShell for CIS policies not in Intune

Use PowerShell when the Intune settings catalog lacks a direct control mapping.

📌 Use cases: CIS policies not covered in Intune catalog

  1. Download the latest CIS Benchmark for your target OS (Windows 10 or 11).
  2. Review your existing Intune settings profiles to see which CIS recommendations have already been enforced.
  3. Highlight any controls you can’t find in the Settings Catalog or through Intune’s built-in CSPs (Configuration Service Providers).

Example: Disabling SMBv1 protocol (CIS Control 4.4.1) isn’t exposed in Settings Catalog but can be configured with PowerShell.

  4. For each missing control, write a PowerShell command or script that changes the Windows configuration accordingly.

💡 Tip: The CIS Benchmark lists the recommended settings, and Intune’s documentation shows which of them are available natively. Anything missing (e.g., NTP client settings, disabling anonymous SID enumeration) is a candidate for PowerShell scripting.
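An added example (not the article's or NinjaOne's own script) of what step 4 produces, covering the two gaps the text names: disabling SMBv1 and restricting anonymous SAM/share enumeration. It is shaped for Intune's detection/remediation model, where the detection run exits 0 when compliant and 1 when drift is found, and assumes it runs elevated (Intune scripts run as SYSTEM by default); the Lsa value names are the ones behind the corresponding CIS "Network access" recommendations.

```powershell
# Added example, not the article's own code: enforce two CIS items the Settings Catalog
# does not expose directly (SMBv1 removal, anonymous SAM/share enumeration), shaped for
# Intune's detection/remediation model. Assumed: runs elevated (Intune scripts run as
# SYSTEM by default). Detection: exit 0 = compliant, exit 1 = drift found.
[CmdletBinding()]
param([switch]$Remediate)

# Desired state for the Lsa values behind "Network access: Do not allow anonymous
# enumeration of SAM accounts" and "... SAM accounts and shares".
$RegistryTargets = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous';    Value = 1 }
)

function Get-Drift {
    $drift = @()
    foreach ($t in $RegistryTargets) {
        $current = (Get-ItemProperty -Path $t.Path -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        # A missing value counts as drift: nothing is enforcing the control.
        if ($null -eq $current -or $current -ne $t.Value) {
            $drift += "$($t.Path)\$($t.Name) is '$current', expected $($t.Value)"
        }
    }
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    if ($smb1.State -ne 'Disabled') { $drift += "SMB1Protocol feature state is $($smb1.State)" }
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) { $drift += 'SMB server still accepts SMBv1' }
    return $drift
}

function Repair-Drift {
    foreach ($t in $RegistryTargets) {
        Set-ItemProperty -Path $t.Path -Name $t.Name -Value $t.Value -Type DWord
    }
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Feature removal finishes on reboot; -NoRestart leaves the scheduling to Intune.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$drift = @(Get-Drift)
if ($drift.Count -eq 0) { Write-Output 'Compliant'; exit 0 }
Write-Output ('Drift: ' + ($drift -join '; '))
if (-not $Remediate) { exit 1 }
Repair-Drift
# The feature may read DisablePending until the next reboot; log it rather than hide it.
$after = @(Get-Drift)
if ($after.Count) { Write-Output ('Pending (reboot may be required): ' + ($after -join '; ')) }
else { Write-Output 'Remediated' }
exit 0
```

Deploy the same file twice: once without -Remediate as the detection script and once with it as the remediation script, so the compliance report shows what was wrong before the fix.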

Method 4: Use Group Policy as a reference or backup for non-Intune clients

For clients still using on-prem Active Directory, use GPO to apply similar CIS-aligned controls.

📌 Use case: Non-Intune clients

  1. Press Win + R, type gpmc.msc, and click OK to open GPMC.
  2. Navigate to Computer Configuration → Administrative Templates → System → Device Guard.
    • Enable Turn on Virtualization Based Security
    • Configure Credential Guard and Secure Boot

If some clients aren’t fully cloud-managed at the start of a campaign, Group Policy can be a bridge or fallback for enforcing CIS-aligned settings on hybrid or on-prem devices. Lastly, you may export GPO settings for reference when converting to Intune equivalents.

You can run the gpupdate /force command to apply the changes immediately. Otherwise, the new settings will be applied on the next update interval.

👉 Watch this GPUpdate video demonstration for a visual reference.

Validate policy application and confirm enforcement

Auditors and security teams expect clear evidence of compliance. To simplify this verification process, it’s important to self-audit beforehand whenever you add a new policy or adjust existing configurations.

Validate policy application using Registry Editor

Many Windows security settings are found in the registry. Checking these values confirms whether Intune or PowerShell policies have actually been written to the system. Check out some examples:

Check SmartScreen preferences:

  1. Navigate to or copy and paste the following path into the Registry Editor address bar:
     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
  2. The feature is enabled if the value of EnableSmartScreen (DWORD) is set to 1.

Check if Microsoft Defender Antivirus is enabled or disabled:

  1. Navigate to or copy and paste the following path into the Registry Editor address bar:
     HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
  2. The feature is disabled if the value of DisableAntiSpyware (DWORD) is set to 1.

These steps can be included as part of compliance validation or post-deployment review.

Use CMD to confirm enforcement or support logging

CMD-based utilities let you confirm that high-level security features are active. They are also useful for remote troubleshooting and quick spot checks.

Here are some example commands:

  • Check BitLocker status: manage-bde -status
  • Validate firewall profile: netsh advfirewall show allprofiles
  • Confirm Defender active status: sc query WinDefend

These outputs can be incorporated into onboarding scripts, saved in compliance logs, or attached to client security reports.
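The registry and CMD checks above combined into one evidence collector, added here as an example rather than the article's or NinjaOne's own script. It assumes an elevated session, C: as the system drive, English-language tool output, and a placeholder report path; a policy value that is absent is reported as "not enforced" rather than as the feature being off.

```powershell
# Added example, not the article's own code: gather the evidence the article lists
# (SmartScreen and Defender policy values, BitLocker, firewall profiles, WinDefend service)
# into one object and save it as JSON for a compliance log. Assumed: elevated session,
# system drive C:, English tool output, and a placeholder report path.
$ReportPath = 'C:\ProgramData\CisAudit\report.json'   # placeholder

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means no policy value has been written ("not enforced"),
    # which is not the same as the feature being off.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Get-CisEvidence {
    $smartScreen = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' 'EnableSmartScreen'
    $defenderOff = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware'
    if ($null -eq $smartScreen) { $smartScreenState = 'NotEnforced' }
    elseif ($smartScreen -eq 1) { $smartScreenState = 'Enabled' }
    else                        { $smartScreenState = 'Disabled' }

    # BitLocker: reduce manage-bde's text to one boolean from the "Protection Status" line.
    $bde = (manage-bde -status C:) -join "`n"
    $bitlockerOn = $bde -match 'Protection Status:\s+Protection On'

    # Firewall: all three profiles (Domain, Private, Public) must report State ON.
    $fwStates = @()
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^State\s+(ON|OFF)') { $fwStates += $Matches[1] }
    }
    $firewallAllOn = ($fwStates.Count -eq 3) -and ($fwStates -notcontains 'OFF')

    $defender = Get-Service -Name WinDefend -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        Timestamp                = (Get-Date).ToString('o')
        SmartScreenPolicy        = $smartScreenState
        DefenderDisabledByPolicy = ($defenderOff -eq 1)
        BitLockerOnSystemDrive   = $bitlockerOn
        FirewallAllProfilesOn    = $firewallAllOn
        WinDefendRunning         = ($null -ne $defender -and $defender.Status -eq 'Running')
    }
}

$evidence = Get-CisEvidence
New-Item -ItemType Directory -Path (Split-Path -Parent $ReportPath) -Force | Out-Null
$evidence | ConvertTo-Json | Set-Content -Path $ReportPath -Encoding UTF8
$evidence | Format-List
```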

⚠️ Things to look out for when aligning policies

This table outlines common issues, their likely causes, and some quick ways to audit and troubleshoot such conflicts.

Risk | Potential consequence | Reversal
Device not enrolled or profile not assigned | Policies not applying | Verify enrollment and assignment.
Unsigned or incorrect execution context | PowerShell scripts not running | Sign scripts and check deployment settings.
Registry changes overwritten by other tools or updates | Loss of key security configurations (e.g., SmartScreen, Defender settings) | Automate periodic registry validation, for example through an RMM solution.
Delayed troubleshooting and remediation | Missed compliance deadlines, audit failures, and insurance penalties | Create standard operating procedures for CIS deployment verification and issue resolution.

Skipping or delaying fixes to deployment problems risks leaving critical CIS Controls unenforced. Consider automating auditing and validation to ensure policies are consistent and applied as intended across your IT environment.

Get better visibility and control over policy application and validation with NinjaOne

NinjaOne complements Intune by adding continuous monitoring, cross-tenant reporting, and automated remediation. Here are some of the capabilities and services that can be used to align your policies with CIS Controls.

  • Run verification scripts for registry, CMD, and service checks
  • Display policy audit dashboards
  • Automate Intune + PowerShell onboarding templates
  • Provide cross-tenant Secure Score comparisons
  • Trigger remediation alerts when controls drift out of compliance

Pairing Intune’s policy deployment with NinjaOne Endpoint Management®’s real-time monitoring and automation provides MSPs and IT teams with unified capabilities to enforce standards and optimize IT operations in a single dashboard.

Proactive policy alignment across managed environments

Aligning Windows endpoints with CIS Controls through Intune creates a consistent and enforceable standard for controlled IT environments. By combining Intune’s deployment capabilities, PowerShell’s flexibility, and NinjaOne’s continuous auditing and validation, MSPs can both enforce and prove compliance at scale.

A proactive approach to IT security and management not only hardens IT defense against threats but also supports regulatory alignment, which is ultimately crucial to building client trust and industry credibility.

Quick-Start Guide

NinjaOne can help you align client policies with CIS Controls using Intune Configuration Profiles. The platform offers several key capabilities to support this:

  1. Policy Management: NinjaOne provides robust policy management tools that can be used in conjunction with Intune to implement CIS Controls across your managed devices.
  2. Intune Agent Installation: NinjaOne supports installing the Intune agent via various methods, including configuration profiles, which can be used to enforce CIS Control-aligned security settings.
  3. Configuration Profiles: You can create detailed configuration profiles in Intune that map directly to specific CIS Control requirements, such as:
    • Passcode requirements
    • Device security settings
    • Application restrictions
    • Hardware functionality controls
  4. Patch Management: NinjaOne’s patch management features can help ensure systems are up-to-date, which is crucial for maintaining CIS Control compliance.
  5. Monitoring and Reporting: The platform offers dashboards and reporting tools to track compliance with your security policies and CIS Controls.

To align client policies with CIS Controls effectively:

  • Identify the relevant CIS Control benchmarks (Level 1 or Level 2)
  • Create Intune configuration profiles that map to these controls
  • Use NinjaOne’s policy management to deploy and enforce these profiles
  • Regularly audit and update your configurations

FAQs

Some settings may be irrelevant to you or your client’s IT infrastructure. Focus on controls that address your most pressing risks, then expand coverage over time.

Higher-security environments may need to maintain automated verification scripts for daily or weekly monitoring. For better coverage, learn how an RMM like NinjaOne can help with security configuration management.

The Level 1 benchmarks cover essential security settings that balance protection with usability and are generally suitable for most SMB environments. On the other hand, Level 2 includes stricter controls that are ideal for high-risk or regulated industries.
