I'm seeing an alarming trend of agent-based CIS policies not being updated in InsightVM and am curious whether this feature is planned to be maintained on an ongoing basis.
This is a relatively new feature and has the potential to be great, but Rapid7 has not been maintaining the updates to the CIS policies. In fact, I am not sure if any are up to date, at least in the Microsoft world.
For example,
Google Chrome's CIS policies are only version 2.1 in InsightVM; 3.0 was released on Jan 29, 2024.
Microsoft Edge's latest CIS policies are version 2.0; 3.0 was released on July 19, 2024.
Windows 11 CIS Enterprise is on 2.0; 3.0 was released on Feb 22, 2024.
Windows 11 CIS Stand-alone is still on 1.0 (!); 3.0 was released on May 24, 2024 and 2.0 was released on Oct 20, 2023.
Windows 11 Intune is on 1.0 (!); 3.0.1 was released on March 1, 2024, 3.0 on Feb 23, 2024, and 2.0 on Oct 20, 2023.
They only update them when enough of their customers put in a request for it. I think this module of InsightVM is perhaps not used by many customers, so R7 may have axed the department last year when they did their 10% workforce reduction.
We've been banging our heads against the wall for a couple of weeks trying to get consistent agent-based CIS scans on the Windows 11 Intune policies.
Multiple cases have been logged, the upshot being that it just doesn't work very well and there are Engineering tickets logged.
Wrong reg keys being checked, or reg keys with GUIDs not being queried correctly and failing; random failing of checks which report OK one day and then all begin failing the next (section 5, Audit, is especially bad for this).
All confirmed with CIS-CAT Pro on the devices that the keys and settings are correct and pass OK.
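One way to get the kind of independent confirmation the post above describes, written here as an added example for this thread (it is not CIS-CAT, not Rapid7's agent logic, and not the poster's own script): a PowerShell cross-check that reads the effective registry value for a handful of settings, expands the GUID-named provider subkey that Intune (MDM) policies land under, and reads an audit subcategory through auditpol. The setting list, the expected values and the PolicyManager path layout are assumptions for illustration; take the authoritative paths and values from the CIS benchmark PDF you are auditing.

```powershell
# Added example, not from the thread or from Rapid7. Run elevated on the
# device you want to cross-check; auditpol needs admin rights.
# The entries below are constructed for illustration. Confirm each path and
# expected value against the CIS benchmark you are actually auditing.
$Checks = @(
    # Classic Policies hive (GPO-backed settings)
    [pscustomobject]@{ Name = 'SmartScreen enabled';       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                Value = 'EnableSmartScreen';     Expected = 1 }
    [pscustomobject]@{ Name = 'RDP drive redirection off'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';  Value = 'fDisableCdm';           Expected = 1 }
    # MDM-delivered settings: the merged, effective value lives under "current";
    # each enrollment also writes under a per-provider GUID subkey, which is the
    # layout the thread says the agent has trouble querying. '*' stands in for
    # the GUID, which differs from device to device. (Assumed layout.)
    [pscustomobject]@{ Name = 'MDM: device password (effective)'; Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceLock';             Value = 'DevicePasswordEnabled'; Expected = 0 }
    [pscustomobject]@{ Name = 'MDM: device password (provider)';  Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\Providers\*\default\Device\DeviceLock'; Value = 'DevicePasswordEnabled'; Expected = 0 }
)

function Test-CisRegistrySetting {
    param([Parameter(Mandatory)] $Check)

    # Get-Item expands a '*' segment against the Registry provider, so one
    # check can cover whichever provider GUID this device happens to have.
    $keys = @(Get-Item -Path $Check.Path -ErrorAction SilentlyContinue)
    if (-not $keys) {
        return [pscustomobject]@{ Name = $Check.Name; Result = 'FAIL'; Detail = "key not found: $($Check.Path)" }
    }
    foreach ($key in $keys) {
        $actual = $key.GetValue($Check.Value, $null)
        if ($null -eq $actual) { continue }   # not set under this GUID; try the next match
        $ok = ($actual -eq $Check.Expected)
        return [pscustomobject]@{
            Name   = $Check.Name
            Result = if ($ok) { 'PASS' } else { 'FAIL' }
            Detail = "$($key.Name)\$($Check.Value) = $actual (expected $($Check.Expected))"
        }
    }
    [pscustomobject]@{ Name = $Check.Name; Result = 'FAIL'; Detail = "value '$($Check.Value)' not set under $($Check.Path)" }
}

function Test-AuditSubcategory {
    # Advanced audit policy is not a registry value; read it from auditpol.
    # /r emits CSV with an "Inclusion Setting" column, e.g. "Success and Failure".
    param([Parameter(Mandatory)][string] $Subcategory,
          [Parameter(Mandatory)][string] $Expected)

    $csv = auditpol /get /subcategory:"$Subcategory" /r 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) {
        return [pscustomobject]@{ Name = "Audit: $Subcategory"; Result = 'ERROR'; Detail = 'auditpol failed (not elevated, or unknown subcategory)' }
    }
    $row    = ($csv | Where-Object { $_ -ne '' } | ConvertFrom-Csv) | Select-Object -First 1
    $actual = $row.'Inclusion Setting'
    [pscustomobject]@{
        Name   = "Audit: $Subcategory"
        Result = if ($actual -eq $Expected) { 'PASS' } else { 'FAIL' }
        Detail = "auditpol reports '$actual' (expected '$Expected')"
    }
}

$results  = @($Checks | ForEach-Object { Test-CisRegistrySetting -Check $_ })
# Expected audit setting below is illustrative; match it to the benchmark row.
$results += Test-AuditSubcategory -Subcategory 'Credential Validation' -Expected 'Success and Failure'
$results | Format-Table -AutoSize
```

Compare the Detail column against what the InsightVM agent reports for the same rule: if the GUID-expanded provider key shows the right value here but the agent marks the rule failed, that is the evidence to attach to the support case, and it is the same comparison CIS-CAT Pro is doing for you.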
Not happy to hear others are sharing in our frustration, but glad you’ve been able to log some cases.
We’ve pretty much “given up” on this feature. The engine/on-prem InsightVM scans work better, but the benefit of the agent-based policies would be great.
The CIS-CAT tool seems to be pretty much the best way to validate.