Seeing an alarming trend of agent-based CIS policies not being updated in InsightVM and was curious if this feature is planned to be maintained on an ongoing basis.
This is a relatively newer feature and has potential to be great, but Rapid7 has not been maintaining the updates to CIS policies. In fact, I am not sure if any are up to date at least in the Microsoft world.
For example:
Google Chrome’s CIS policies are only version 2.1 in InsightVM - 3.0 was released on Jan 29, 2024.
Microsoft Edge’s latest CIS policies are version 2.0 - 3.0 was released on July 19, 2024.
Windows 11 CIS Enterprise is 2.0 - 3.0 was released on Feb 22, 2024.
Windows 11 CIS Stand-alone is still on 1.0 (!) - 3.0 was released on May 24, 2024 and 2.0 was released on Oct 20, 2023.
Windows 11 Intune is on 1.0 (!) - 3.0.1 was released on March 1, 2024, 3.0 on Feb 23, 2024, and 2.0 was released on Oct 20, 2023.
They only update them when enough of their customers put in a request for it. I think this module of InsightVM is perhaps not used by many customers, so R7 may have axed the dept last year when they did their 10% workforce reduction.
Been banging our head against the wall for a couple of weeks trying to get consistent agent-based CIS scans on the Windows 11 Intune policies.
Multiple cases logged, the upshot being that it just doesn’t work very well and there are Engineering tickets logged.
Wrong reg keys being checked, or reg keys with GUIDs not being queried correctly and failing, random failing of checks which report OK one day and then all begin failing the next (section 5 Audit is especially bad for this).
All confirmed with CIS CAT Pro on the devices that the keys and settings are correct and pass ok.
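The post above describes agent checks misreading registry keys, including keys under GUID-named subkeys, while CIS-CAT Pro confirms the settings are correct on the device. As an added example (not code from the thread, Rapid7 or CIS), the PowerShell below does a small independent cross-check of the kind a practitioner would run beside CIS-CAT before opening a support case: it resolves a registry path, expands a wildcard so every GUID-named subkey is inspected, and compares the value against an expected one. The registry paths and the expected values are illustrative assumptions, not a transcription of any benchmark section; the Intune PolicyManager layout (a per-provider copy under a GUID subkey) is a common place such checks go wrong.

```powershell
# Added example, not from the thread. Cross-checks expected registry settings
# independently of the InsightVM agent, including values stored under
# GUID-named subkeys. Paths and expected values are illustrative assumptions.

$checks = @(
    @{ Id       = 'UAC-EnableLUA'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name     = 'EnableLUA'
       Expected = 1 },
    # Intune-delivered policy: the per-provider copy sits under a GUID subkey,
    # so the path carries a wildcard and every matching key is inspected.
    @{ Id       = 'Intune-DeviceLock-MinLength'
       Path     = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers\*\default\Device\DeviceLock'
       Name     = 'MinDevicePasswordLength'
       Expected = 14 }
)

function Test-RegistrySetting {
    param([hashtable]$Check)

    # Resolve the path; a wildcard expands to each GUID-named provider key.
    $keys = @(Get-Item -Path $Check.Path -ErrorAction SilentlyContinue)
    if ($keys.Count -eq 0) {
        return [pscustomobject]@{ Id = $Check.Id; Result = 'FAIL'; Detail = 'key not found' }
    }

    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key.PSPath -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }   # value absent under this subkey, try the next one

        $actual = $prop.$($Check.Name)
        if ($actual -eq $Check.Expected) {
            return [pscustomobject]@{ Id = $Check.Id; Result = 'PASS'; Detail = "$($key.Name) -> $actual" }
        }
        return [pscustomobject]@{ Id = $Check.Id; Result = 'FAIL'
                                  Detail = "$($key.Name) -> $actual (expected $($Check.Expected))" }
    }

    return [pscustomobject]@{ Id = $Check.Id; Result = 'FAIL'; Detail = 'value not set under any matching key' }
}

$checks | ForEach-Object { Test-RegistrySetting -Check $_ } | Format-Table -AutoSize
```

Reading HKLM does not need elevation, so this can be run as a standard user on the device. If this script and CIS-CAT agree but the agent result differs, the Detail column (the exact key that was read and the value found) is the evidence worth attaching to the support case.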
Not happy to hear others are sharing in our frustration, but glad you’ve been able to log some cases.
We’ve pretty much “given up” on this feature. The engine/on-prem InsightVM scans work better, but the benefit of the agent-based policies would be great.
The CIS-CAT tool seems to pretty much be the best way to validate.
August 2025 - Microsoft Edge CIS benchmark is still on version 2.0. Was hoping to pivot from Tenable to Rapid7 for CIS scanning, but it looks like that may not be happening anytime soon.
Just wanted to echo the frustration shared here regarding the CIS Microsoft Intune for Windows 11 policy in agent-based scans on InsightVM.
We’re experiencing the same issue: numerous false positives, especially around registry checks that are clearly misinterpreted or not read correctly by the agent. We reported this to Rapid7 support a couple of weeks ago, and their response was that it’s a known issue with CIS policies for Intune, but unfortunately there’s no ETA for a fix.
It’s disappointing that such a widely used policy is still unreliable, especially when it’s part of a compliance framework many of us depend on. I understand the complexity of CIS benchmarks, but if they’re offered as part of the platform, they should be accurate and actionable.