DoD Compliance · STIG

Microsoft Intune MDM Service Desktop & Mobile Security Technical Implementation Guide

V1R2 · · · Released 01 Jul 2026 · 3 rules
Compare

Pick two releases to diff their requirements.

View

Open a previous version of this STIG.

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.
Digest of Updates vs. V1R1 · 22 Apr 2025 +1

Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.

Added rules 1

  • V-285327 High The Intune service must be configured to implement Multi-Admin Approval (MAA) for wiping managed devices.
Sort by
b
Microsoft Intune service must initiate a session lock after a 15-minute period of inactivity.
AC-11 - Medium - CCI-000057 - V-273867 - SV-273867r1207980_rule
RMF Control
AC-11
Severity
M
CCI
CCI-000057
Version
MSIN-25-000030
Vuln IDs
  • V-273867
Rule IDs
  • SV-273867r1207980_rule
A session time-out lock is a temporary action taken when a user stops work and moves away from the immediate physical vicinity of the information system but does not log out because of the temporary nature of the absence. Rather than relying on the user to manually lock their application session prior to vacating the vicinity, applications need to be able to identify when a user's application session has idled and take action to initiate the session lock. The session lock is implemented at the point where session activity can be determined and/or controlled. This is typically at the operating system level and results in a system lock but may be at the application level where the application interface window is secured instead. Satisfies: SRG-APP-000003-UEM-000003, SRG-APP-000295-UEM-000169
Checks: C-77958r1101446_chk

To verify the inactivity timeout is configured for 15 minutes or less, follow the steps outlined below: 1. Sign in to portal.office365.com (or .us if the user is a GCCH or DOD tenant). 2. Navigate to Admin >> Settings >> Org Settings >> Security and Privacy (tab on top of page) >> Idle Session Timeout. 3. Select the check box to enable "Turn on to set the period of inactivity". 4. Select custom option, then verify it has been set to 15. If the inactivity timeout is not set to 15 minutes or less, this is a finding.

Fix: F-77863r1101447_fix

Sign in to portal.office365.com (or .us if the user is a GCCH or DOD tenant). 1. Navigate to Admin >> Settings >> Org Settings >> Security and Privacy (tab on top of page) >> Idle Session Timeout. 2. Select the check box to enable "Turn on to set the period of inactivity". 3. Select custom option, then enter "15". 4. Select "Save".

b
Microsoft Intune service must be configured to transfer Intune logs to another server for storage, analysis, and reporting at least every seven days.
AU-9 - Medium - CCI-001348 - V-273868 - SV-273868r1208024_rule
RMF Control
AU-9
Severity
M
CCI
CCI-001348
Version
MSIN-25-000370
Vuln IDs
  • V-273868
Rule IDs
  • SV-273868r1208024_rule
Note: UEM server logs include logs of UEM events and logs transferred to Microsoft Intune service by UEM agents of managed devices. Protection of log data includes ensuring log data is not accidentally lost or deleted. Backing up audit records to a different system or onto separate media than the system being audited on an organizationally defined frequency helps ensure, in the event of a catastrophic system failure, the audit records will be retained. This helps to ensure a compromise of the information system being audited does not also result in a compromise of the audit records. This requirement only applies to applications that have a native backup capability for audit records. Operating system backup requirements cover applications that do not provide native backup functions. Satisfies: SRG-APP-000125-UEM-000074, SRG-APP-000275-UEM-000157, SRG-APP-000358-UEM-000228
Checks: C-77959r1101586_chk

Verify the site has configured Intune to off-load Intune logs to a third-party log management server or to an Azure log storage and monitoring service like Azure monitor. Verification procedures are determined by the method used at the site. Ask the site Intune Administrator how logs are managed by the site and demonstrate that Intune logs are being off-loaded. If site is off-loading Intune logs to the Azure monitor, do the following (refer to https://learn.microsoft.com/en-us/mem/intune-service/fundamentals/review-logs-using-azure-monitor): 1. Sign in to the Microsoft Intune admin center. 2. Select Reports >> Diagnostics settings. 3. Verify logs are being sent to the Azure monitor: a. A storage account has been configured. b. A Stream has been configured to stream logs to the Azure Event Hubs. c. Intune logs have been configured to be sent to Log Analytics. If the site is not transferring Intune audit logs to a third-party audit log management server or to an Azure audit log storage and monitoring service, this is a finding.

Fix: F-77864r1101587_fix

There are many methods for off-loading Intune logs, including downloading to a third-party log management server and sending logs to Azure Storage, Event Hubs, or Log Analytics, which are all part of Diagnostics Settings in Intune. Procedures will vary depending on which log management process is used at the site. If the site is sending logs to Azure Monitor, follow the setup procedures found here: https://learn.microsoft.com/en-us/mem/intune-service/fundamentals/review-logs-using-azure-monitor 1. Sign in to the Microsoft Intune admin center. 2. Select Reports >> Diagnostics settings. The first time opening it, turn it on. Otherwise, add a setting. If the Azure subscription is not shown, navigate to the top right corner, select the signed in account, and choose "Switch directory". Enter the Azure subscription account, if necessary. 3. Enter the following properties: - Name: Enter a name for the diagnostic settings. This setting includes all the properties entered. For example, enter Route audit logs to storage account. - Archive to a storage account: Saves the log data to an Azure Storage account. To save or archive the data, choose this option, then select "Configure". Choose an existing storage account from the list, then click "OK". - Stream to an event hub: Streams the logs to Azure Event Hubs. To have analytics on log data using SIEM tools such as Splunk and QRadar, choose this option, then select "Configure". Choose an existing Event Hubs namespace and policy from the list, then click "OK". - Send to Log Analytics: Sends the data to Azure Log Analytics. To use visualizations, monitoring and alerting for logs, choose this option, then select "Configure". Create a new workspace and enter the workspace details or choose an existing workspace from the list, then click "OK". - LOG > AuditLogs: Choose this option to send the Intune audit logs to the storage account, Event Hubs, or Log Analytics. The audit logs show the history of every task that generates a change in Intune, including who did it and when. For more information, go to IntuneAuditLogs. Note: If using a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0". - LOG > OperationalLogs: Operational logs show the success or failure of users and devices that enroll in Intune, and details on noncompliant devices. Choose this option to send the enrollment logs to the storage account, Event Hubs, or Log Analytics. For more information, go to IntuneOperationalLogs. To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0". - LOG > DeviceComplianceOrg: Device compliance organizational logs show the organizational report for Device Compliance in Intune and details of noncompliant devices. Choose this option to send the compliance logs to the storage account, Event Hubs, or Log Analytics. For more information, go to IntuneDeviceComplianceOrg. To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0". - LOG > IntuneDevices: The Intune Device log shows device inventory and status information for Intune enrolled and managed devices. Choose this option to send the IntuneDevices logs to your storage account, Event Hubs, or Log Analytics. For more reference information, go to IntuneDevices. Note: To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0". 4. Save the changes. The setting is shown in the list. Once the settings are created, settings can be changed by selecting Edit setting >> Save.

c
The Intune service must be configured to implement Multi-Admin Approval (MAA) for wiping managed devices.
CM-6 - High - CCI-000366 - V-285327 - SV-285327r1211999_rule
RMF Control
CM-6
Severity
H
CCI
CCI-000366
Version
MSIN-25-002000
Vuln IDs
  • V-285327
Rule IDs
  • SV-285327r1211999_rule
High-risk administrative actions, such as managed device wipe, should be configured to require dual authentication to mitigate the risk of an attacker that has bypassed malware protections and obtained legitimate Intune access. Satisfies: SRG-APP-000516-UEM-000391
Checks: C-89897r1211997_chk

Use the following procedure to verify MAA has been set up for managed device wipe on the Intune service. 1. Verify a Microsoft 365 security group has been set up for device-wipe approval Administrators. - Sign in to Intune Admin Center: Navigate to Tenant administration >> Multi Admin Approval. - Verify the assigned "Approval Group" is in the access policy. 2. Verify an Access Policy has been created for "Device Wipe". - Verify Access Policies: Click on "Access policies" to view the policies created. - Check Policy Details: Select the policy created for device wipes to verify: - Policy Type: Must be set to Device Wipe. - Approver Group: Verify the correct Microsoft Entra security group is selected as the approver group. - Confirm Active Status: Verify the policy is active and not pending further approval of the policy itself. If the Intune service is not configured with a Microsoft 365 security group for device-wipe approval Administrators or is not configured with a device-wipe Access Policy, this is a finding.

Fix: F-89802r1211998_fix

Note: All device-wipe processes and procedures must be compliant with DOD data retention policies for mobile devices. Note: This procedure requires two separate groups: one group of Administrators that request a managed device be wiped (requestor group) and one Administrator group that approves the request (approver group). Note: Two administrators are needed to set up MAA for managed device-wipe: one to set up the required approver group and the MAA device-wipe policy and one to approve the new policy. Implementing dual authorization in Intune for device wipes is achieved using MAA, which enforces a "four-eyes" policy, requiring a second admin to approve wipe requests. This process, found under Tenant Administration >> Multi Admin Approval, requires creating an access policy, assigning an approver group, and justifying the action. Steps to Implement Multi-Admin Approval for Wipes: 1. Prepare Groups: Create a Microsoft 365 security group containing the administrators allowed to approve requests, excluding the user who initiates the wipe. 2. Create Access Policy: - Sign in to the Microsoft Intune admin center. - Navigate to Tenant administration >> Multi Admin Approval >> Access policies. - Click "Create" and select "Device wipe" as the profile type. - Assign the approver group and complete the wizard. 3. Approve Policy: A second administrator must approve the newly created Access Policy before it becomes active. 4. Execute Wipe: When a device is wiped, the initiating admin provides a justification, and an approver approves it under Tenant administration >> Multi Admin Approval >> All requests. Key Considerations: - Approval Workflow: The requester must return to the Multi Admin Approval portal to "Complete request" after the second admin approves it. - License: Requires Microsoft Intune Plan 1. - Notifications: There is no built-in notification system; reviewers must check the console manually. A workflow should be created for the "requestor" Admin to notify the "approver" Admin that a device wipe request is ready for approval. - Limitation: The policy covers managed device wipes and is a best practice for preventing accidental data loss.