CIS baseline in combination with Intune

[kuipers250]

Our machines are deployed with Intune. Checking the baseline with hardeningkitty reports that the firewall is OFF.
This is done by checking the registry hive under ..\Policies.
But this is only set when its controlled by GPO. When done with Intune there is no ..\WindowsFirewall..

You can check it by NETSH or other functions.

But the first thing I would like to see is : When a registry key is not readable, don't assume its 0. Report it as not available.

10501,"Windows Firewall","EnableFirewall (Domain Profile, Policy)",Registry,,HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile,EnableFirewall,,,,0,1,=,Medium

Hope you are willing to help and improve.

Best regards,
Gert

[kuipers250]

Using -backup gives me about 280 entries with -NODATA when I compare against the CIS baseline. This is not workable.

I think we have to modernize that also Intune managed devices can be checked.
For the firewall settings they can be found in: (instead of ..\policies\ that is based on grouppolicy)

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile

[0x6d69636b]

I'm aware of the missing Intune checks, this is work in progress and any help is welcome, see in the dev repo: 0x6d69636b/windows_hardening#22

Unfortunately, neither CIS nor Microsoft publish the Intune registry path in their policies