Agent-Based CIS Policies Not Being Maintained

Seeing an alarming trend of agent-based CIS policies not being updated in InsightVM and was curious if this feature is planned to be maintained on an ongoing basis.

This is a relatively newer feature and has potential to be great, but Rapid7 has not been maintaining the updates to CIS policies. In fact, I am not sure if any are up to date at least in the Microsoft world.

For example,

  • Google Chrome’s CIS policies are only version 2.1 in InsightVM; 3.0 was released on Jan 29, 2024.

  • Microsoft Edge’s latest CIS policies are version 2.0; 3.0 was released on July 19, 2024.

  • Windows 11 CIS Enterprise is 2.0; 3.0 was released on Feb 22, 2024.

  • Windows 11 CIS Stand-alone is still on 1.0 (!); 3.0 was released on May 24, 2024 and 2.0 was released on Oct 20, 2023.

  • Windows 11 Intune is on 1.0 (!); 3.0.1 was released on March 1, 2024, 3.0 on Feb 23, 2024, and 2.0 was released on Oct 20, 2023.

  • Windows 10 same deal…

4 Likes

I have encountered this same problem. We had to stop using InsightVM to do compliance assessments and switch to CIS-CAT Pro.

1 Like

Yes, I think I was able to find Debian 10 while we are at Deb 12 now :)

They only update them when enough of their customers put in a request for it. I think this module of InsightVM is perhaps not used by many customers, so R7 may have axed the dept last year when they did their 10% workforce reduction.

1 Like

We had to give up on agent-based CIS scans; they were reporting on the wrong registry key, and they have no intention of fixing it.

Not overly impressed.

2 Likes

Any update on this topic? I am interested because CIS scans are becoming more popular…

1 Like

Been banging our heads against the wall for a couple of weeks trying to get consistent agent-based CIS scans on the Windows 11 Intune policies.

Multiple cases logged, the upshot being that it just doesn't work very well and there are Engineering tickets logged.

Wrong reg keys being checked, or reg keys with GUIDs not being queried correctly and failing, random failing of checks which report OK one day then all begin failing the next (section 5 Audit is especially bad for this).

All confirmed with CIS CAT Pro on the devices that the keys and settings are correct and pass ok.

Shoddy mess.

1 Like

Not happy to hear others are sharing in our frustration, but glad you’ve been able to log some cases.

We’ve pretty much “given up” on this feature. The engine/on-prem InsightVM scans work better, but the benefit of the agent-based policies would be great.

The CIS-CAT tool seems to pretty much be the best way to validate.