Hi, I am currently running into an issue where we have Intune GPO policies that we created not being detected by Rapid 7’s agent scans. I’ve verified the Intune policies did apply to our endpoint registry settings but Rapid 7 is not detecting these device hardening changes. I know the setup is configured correctly as SOME CIS Benchmarks are being detected by R7 but not all policies I’ve configured are being detected by the agent-based scans. Any advisement would be helpful!!
Have you tried running the “Policy Details” report to see the reasons the rules failed? Not all CIS rules have checks for the presence of group policies. For example, in the rule below from the Level 1 Server 2012 benchmark it is actually performing an audit of all accounts on the system to see which ones have the user right “Adjust memory quotas for a process”. There are 3 different accounts in this rule that are considered acceptable to have this user right (Administrators, LOCAL SERVICE, or NETWORK SERVICE). If a different account is found to have the user right, then the rule is failed. These benchmarks can be tailored to match what is acceptable on your systems by editing the rule and check in IVM. For example, the account names may need to be changed in the rule.
2.2.6. (L1) Ensure ‘Adjust memory quotas for a process’ is set to ‘Administrators, LOCAL SERVICE, NETWORK SERVICE’
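As an added illustration (not from the post above or from Rapid7's rule logic), this PowerShell snippet reproduces that user-rights audit locally: it exports the assigned user rights with secedit.exe, resolves each SID, and flags any account holding the right that is not one of the three the rule allows. It assumes it is run as a local Administrator on the endpoint.

```powershell
# Added example: audit who holds 'Adjust memory quotas for a process'
# (SeIncreaseQuotaPrivilege) the way the CIS rule does, so you can see
# locally which account would make rule 2.2.6 fail before re-scanning.
# Assumes: run elevated; secedit.exe ships with every Windows release.

$Privilege = 'SeIncreaseQuotaPrivilege'
# Well-known SIDs for the accounts the rule accepts:
# Administrators, LOCAL SERVICE, NETWORK SERVICE
$Allowed = @('S-1-5-32-544', 'S-1-5-19', 'S-1-5-20')

$inf = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The [Privilege Rights] section lists each right as:  SeName = *SID,*SID,...
# Unresolvable principals may appear as plain names without the leading '*'.
$line = Get-Content $inf | Where-Object { $_ -match "^\s*$Privilege\s*=" }
Remove-Item $inf -ErrorAction SilentlyContinue

if (-not $line) {
    Write-Warning "$Privilege is not assigned to any account on this host."
    return
}

$entries = ($line -split '=', 2)[1].Trim() -split ',' |
    ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }

foreach ($entry in $entries) {
    # Normalise every entry to a SID, then resolve it to a readable name.
    try {
        if ($entry -match '^S-1-') {
            $sid  = $entry
            $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } else {
            $name = $entry
            $sid  = (New-Object System.Security.Principal.NTAccount $entry).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
        }
    } catch { $name = $entry; $sid = '<unresolved>' }

    $status = if ($Allowed -contains $sid) { 'expected' } else { 'UNEXPECTED: fails rule 2.2.6' }
    '{0,-40} {1,-16} {2}' -f $name, $sid, $status
}
```

Any line reported as UNEXPECTED is the account to remove from the right in your Intune policy, or to add to the rule's accepted list if you tailor the check in IVM.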