Microsoft Intune MDM Service Desktop & Mobile Security Technical Implementation Guide - V1R1

  • Version/Release: V1R1
  • Published: 2025-05-08
  • Released: 2025-04-22

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Microsoft Intune service must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-273867 - SV-273867r1101448_rule
RMF Control
AC-11
Severity
Medium
CCI
CCI-000057
Version
MSIN-25-000030
Vuln IDs
  • V-273867
Rule IDs
  • SV-273867r1101448_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock but may be at the application level where the application interface window is secured instead.

Satisfies: SRG-APP-000003-UEM-000003, SRG-APP-000295-UEM-000169
Checks: C-77958r1101446_chk

To verify the inactivity timeout is configured for 15 minutes or less:

1. Sign in to portal.office365.com (or .us if the user is a GCCH or DOD tenant).
2. Navigate to Admin >> Settings >> Org Settings >> Security and Privacy (tab on top of page) >> Idle Session Timeout.
3. Verify the "Turn on to set the period of inactivity" check box is selected.
4. Verify the custom option is selected and the period is set to 15 minutes or less.

If the idle session timeout is not enabled, or the inactivity period is greater than 15 minutes, this is a finding.

Fix: F-77863r1101447_fix

1. Sign in to portal.office365.com (or .us if the user is a GCCH or DOD tenant).
2. Navigate to Admin >> Settings >> Org Settings >> Security and Privacy (tab on top of page) >> Idle Session Timeout.
3. Select the check box to enable "Turn on to set the period of inactivity".
4. Select the custom option, then enter "15".
5. Select "Save".

Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.
AU-9 - Medium - CCI-001348 - V-273868 - SV-273868r1101588_rule
RMF Control
AU-9
Severity
Medium
CCI
CCI-001348
Version
MSIN-25-000370
Vuln IDs
  • V-273868
Rule IDs
  • SV-273868r1101588_rule
Note: UEM server logs include logs of UEM events and logs transferred to the Microsoft Intune service by UEM agents of managed devices.

Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited, on an organizationally defined frequency, helps ensure that in the event of a catastrophic system failure the audit records will be retained. This also helps ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions.

Satisfies: SRG-APP-000125-UEM-000074, SRG-APP-000275-UEM-000157, SRG-APP-000358-UEM-000228
Checks: C-77959r1101586_chk

Verify the site has configured Intune to off-load Intune logs to a third-party log management server or to an Azure log storage and monitoring service such as Azure Monitor. Verification procedures are determined by the method used at the site. Ask the site Intune Administrator how logs are managed by the site and have them demonstrate that Intune logs are being off-loaded.

If the site is off-loading Intune logs to Azure Monitor, do the following (refer to https://learn.microsoft.com/en-us/mem/intune-service/fundamentals/review-logs-using-azure-monitor):

1. Sign in to the Microsoft Intune admin center.
2. Select Reports >> Diagnostics settings.
3. Verify a diagnostic setting exists that sends the Intune audit logs to at least one of the following destinations:
  a. A storage account has been configured (Archive to a storage account).
  b. A stream has been configured to send logs to Azure Event Hubs.
  c. Logs have been configured to be sent to Log Analytics.
Also confirm that the AuditLogs category is enabled in that setting; a destination with no enabled log categories transfers nothing.

If the site is not transferring Intune audit logs to a third-party audit log management server or to an Azure audit log storage and monitoring service, this is a finding.

Fix: F-77864r1101587_fix

There are many methods for off-loading Intune logs, including downloading to a third-party log management server and sending logs to Azure Storage, Event Hubs, or Log Analytics, which are all destinations available under Diagnostics settings in Intune. Procedures will vary depending on which log management process is used at the site. If the site is sending logs to Azure Monitor, follow the setup procedures found here: https://learn.microsoft.com/en-us/mem/intune-service/fundamentals/review-logs-using-azure-monitor

1. Sign in to the Microsoft Intune admin center.
2. Select Reports >> Diagnostics settings. The first time opening it, turn it on; otherwise, add a setting. If the Azure subscription is not shown, navigate to the top right corner, select the signed-in account, and choose "Switch directory". Enter the Azure subscription account, if necessary.
3. Enter the following properties:
  • Name: Enter a name for the diagnostic setting. This setting includes all the properties entered. For example, enter "Route audit logs to storage account".
  • Archive to a storage account: Saves the log data to an Azure Storage account. To save or archive the data, choose this option, then select "Configure". Choose an existing storage account from the list, then click "OK".
  • Stream to an event hub: Streams the logs to Azure Event Hubs. To analyze log data with SIEM tools such as Splunk and QRadar, choose this option, then select "Configure". Choose an existing Event Hubs namespace and policy from the list, then click "OK".
  • Send to Log Analytics: Sends the data to Azure Log Analytics. To use visualizations, monitoring, and alerting for logs, choose this option, then select "Configure". Create a new workspace and enter the workspace details, or choose an existing workspace from the list, then click "OK".
  • LOG > AuditLogs: Choose this option to send the Intune audit logs to the storage account, Event Hubs, or Log Analytics. The audit logs show the history of every task that generates a change in Intune, including who did it and when. For more information, see IntuneAuditLogs. Note: If using a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0".
  • LOG > OperationalLogs: Operational logs show the success or failure of users and devices that enroll in Intune, and details on noncompliant devices. Choose this option to send the enrollment logs to the storage account, Event Hubs, or Log Analytics. For more information, see IntuneOperationalLogs. Note: If using a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0".
  • LOG > DeviceComplianceOrg: Device compliance organizational logs show the organizational report for Device Compliance in Intune and details of noncompliant devices. Choose this option to send the compliance logs to the storage account, Event Hubs, or Log Analytics. For more information, see IntuneDeviceComplianceOrg. Note: If using a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0".
  • LOG > IntuneDevices: The Intune Device log shows device inventory and status information for Intune-enrolled and managed devices. Choose this option to send the IntuneDevices logs to the storage account, Event Hubs, or Log Analytics. For more information, see IntuneDevices. Note: If using a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0".
4. Save the changes. The setting is shown in the list. Once the settings are created, they can be changed by selecting Edit setting >> Save.
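The console procedure above confirms that a diagnostic setting exists; it does not confirm that the setting routes anything or that records are actually landing at the destination within the seven-day window. The following script is an added example, not part of the STIG and not Microsoft or DISA code, that performs both checks offline. It assumes the setting document follows the Azure Monitor diagnosticSettings resource schema (properties.workspaceId, storageAccountId, eventHubAuthorizationRuleId and a logs[] array of {category, enabled, retentionPolicy}), such as an export of the setting created in the Fix, and that the records are rows in the shape of the IntuneAuditLogs table, of which only the TimeGenerated column is used. The setting documents and log rows embedded below are constructed for the example; the category string "AuditLogs" matches the console label, and the function and constant names are the example's own.

```python
"""Offline assessment helpers for the Intune log off-load requirement.

Two checks an assessor wants beyond the console click-through:
  1. Does an exported diagnostic setting actually route the audit logs
     somewhere (a destination AND the AuditLogs category enabled)?
  2. Are records actually arriving at the destination within the
     seven-day transfer window?
Added example, not DISA or Microsoft code. All sample data below is
constructed; the setting documents follow the Azure Monitor
diagnosticSettings schema and the records mimic IntuneAuditLogs rows.
"""
import json
from datetime import datetime, timezone

DESTINATION_FIELDS = ("workspaceId", "storageAccountId", "eventHubAuthorizationRuleId")
REQUIRED_CATEGORIES = ("AuditLogs",)   # the minimum the STIG check demands
MAX_TRANSFER_GAP_DAYS = 7              # "at least every seven days"


def assess_diagnostic_setting(setting: dict) -> dict:
    """Evaluate one diagnostic setting.

    Returns {"findings": [...], "notes": [...]}: an empty findings list
    means the setting satisfies the check; notes are retention caveats the
    assessor should weigh but that are not findings on their own.
    """
    props = setting.get("properties", {})
    findings, notes = [], []
    destinations = [f for f in DESTINATION_FIELDS if props.get(f)]
    if not destinations:
        findings.append("no destination configured (Log Analytics, storage account, or Event Hub)")
    logs = props.get("logs", [])
    enabled = {log.get("category") for log in logs if log.get("enabled")}
    for category in REQUIRED_CATEGORIES:
        if category not in enabled:
            findings.append(f"required log category {category} is not enabled")
    # A storage-only archive with a finite retention policy deletes records
    # after N days (0 = keep forever); surface it rather than silently pass.
    if destinations == ["storageAccountId"]:
        for log in logs:
            policy = log.get("retentionPolicy") or {}
            if log.get("enabled") and policy.get("enabled") and policy.get("days", 0) > 0:
                notes.append(f"{log['category']} kept only in storage and deleted after {policy['days']} days")
    return {"findings": findings, "notes": notes}


def latest_record_age_days(records: list, now: datetime):
    """Age in days of the newest record, or None if nothing has arrived."""
    stamps = [datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00")) for r in records]
    if not stamps:
        return None
    return (now - max(stamps)).total_seconds() / 86400


def transfer_cadence_ok(records: list, now: datetime, max_gap_days: int = MAX_TRANSFER_GAP_DAYS) -> bool:
    """True when the newest off-loaded record is within the transfer window."""
    age = latest_record_age_days(records, now)
    return age is not None and age <= max_gap_days


# ---- constructed sample data (not from any real tenant) ----
NOW = datetime(2025, 5, 8, 12, 0, tzinfo=timezone.utc)

COMPLIANT_SETTING = json.loads("""{
  "name": "route-intune-logs-to-law",
  "properties": {
    "workspaceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-siem/providers/Microsoft.OperationalInsights/workspaces/law-siem",
    "logs": [
      {"category": "AuditLogs", "enabled": true, "retentionPolicy": {"enabled": false, "days": 0}},
      {"category": "OperationalLogs", "enabled": true, "retentionPolicy": {"enabled": false, "days": 0}}
    ]
  }
}""")

STORAGE_ONLY_SETTING = json.loads("""{
  "name": "archive-audit-30d",
  "properties": {
    "storageAccountId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-siem/providers/Microsoft.Storage/storageAccounts/stintunearchive",
    "logs": [{"category": "AuditLogs", "enabled": true, "retentionPolicy": {"enabled": true, "days": 30}}]
  }
}""")

# Destination missing and the one required category switched off.
NONCOMPLIANT_SETTING = {"name": "empty", "properties": {"logs": [{"category": "AuditLogs", "enabled": False}]}}

RECENT_RECORDS = [
    {"TimeGenerated": "2025-05-07T09:15:00Z", "OperationName": "createDeviceCompliancePolicy"},
    {"TimeGenerated": "2025-05-02T16:40:00Z", "OperationName": "patchDeviceConfiguration"},
]
STALE_RECORDS = [{"TimeGenerated": "2025-04-20T09:15:00Z", "OperationName": "deleteMobileApp"}]

if __name__ == "__main__":
    for s in (COMPLIANT_SETTING, STORAGE_ONLY_SETTING, NONCOMPLIANT_SETTING):
        print(s["name"], assess_diagnostic_setting(s))
    print("recent cadence ok:", transfer_cadence_ok(RECENT_RECORDS, NOW))
    print("stale cadence ok:", transfer_cadence_ok(STALE_RECORDS, NOW))
```

To use this against a real tenant, feed assess_diagnostic_setting the exported diagnostic setting document and transfer_cadence_ok the result of a query on the destination (for Log Analytics, the newest TimeGenerated in IntuneAuditLogs). The storage-only retention note is deliberately not a finding: the requirement is about transfer, but an assessor should still know when the only copy of the audit trail is on a timer.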