Is a review of the MDM/Intune overdue? #27
Comments
I'd second this. All the Windows templates are based on Intune "Templates" rather than Intune "Settings Catalog"... a review and migration would be much appreciated so that we know we're implementing something that's up to date and still shown some love.
Another idea might be to liaise with MS and publish an NCSC "Security Baselines" (under the endpoint security section). But agreed, a refresh is probably needed.
This would be great. We've tried to apply some of the Intune templates to Azure VMs and they stick in a "Not applicable" state. From trying to create a Settings Catalog alternative I can see that lots of the settings have moved or been renamed, but once you find the equivalent the policies will apply successfully.
I emailed NCSC to ask for some comments and had a one-line reply back... "This guidance is currently being reviewed/updated and a new version will be issued shortly." Which, if I'm honest, I felt was a brush off considering these Issue threads in GitHub appear to be abandoned by NCSC at the moment.
NCSC also need to be aware that while they may publish guidance, other UK gov agencies then treat them as standards. Leaving these configs to drift for two years is a burden on UK gov suppliers (and presumably much of the public sector too.) For example, Crown Commercial Service Call Off Schedule 9 Part B - Annex 1 clause 2.2 includes the following text "all Supplier devices are expected to meet the set of security requirements set out in the End User Devices Security Guidance (https://www.ncsc.gov.uk/guidance/enduser-device-security)" which includes links to these config files. Given CCS are turning guidance into "requirements" and contractual obligations, NCSC need to either actively manage their EUD guidance, or perhaps CCS' expectations of NCSC guidance.
Any scheduled update about this Windows 10/11 configuration file for Intune?
Well, in May they said "shortly", so don't hold your breath it seems. We've given up waiting, the world moves on and NCSC in this space has become less relevant due to their lack of involvement. We've gone with the MS baselines and will work from those.
We're now not far from 2025 and still no update. My organisation is trying to implement some of the baselines stated here but the installation instructions alone are way out of date (a load of DLL errors in PS so can't import them - can't even import them via the Azure Portal). Can we get an update on these so they are fit for purpose in 2024/2025?
Windows 11
Do NCSC's up-to-date recommendations align with these 2-year-old ones? If yea/nay, can you state it on the readme?
My problem is that I don't know whether, after applying the 2-year-old JSON, there are new settings in Endpoint that are unutilised.