Microsoft Intune MDM Service Desktop & Mobile Security Technical Implementation Guide
Pick two releases to diff their requirements.
Open a previous version of this STIG.
Digest of Updates +1
Comparison against the immediately-prior release (V1R1). Rule matching uses the Group Vuln ID. Content-change detection compares the rule’s description, check, and fix text after stripping inline markup — cosmetic-only edits aren’t flagged.
Added rules 1
- V-285327 High The Intune service must be configured to implement Multi-Admin Approval (MAA) for wiping managed devices.
- RMF Control
- AC-11
- Severity
- M
- CCI
- CCI-000057
- Version
- MSIN-25-000030
- Vuln IDs
-
- V-273867
- Rule IDs
-
- SV-273867r1207980_rule
Checks: C-77958r1101446_chk
To verify the inactivity timeout is configured for 15 minutes or less, follow the steps outlined below: 1. Sign in to portal.office365.com (or .us if the user is a GCCH or DOD tenant). 2. Navigate to Admin >> Settings >> Org Settings >> Security and Privacy (tab on top of page) >> Idle Session Timeout. 3. Select the check box to enable "Turn on to set the period of inactivity". 4. Select custom option, then verify it has been set to 15. If the inactivity timeout is not set to 15 minutes or less, this is a finding.
Fix: F-77863r1101447_fix
Sign in to portal.office365.com (or .us if the user is a GCCH or DOD tenant). 1. Navigate to Admin >> Settings >> Org Settings >> Security and Privacy (tab on top of page) >> Idle Session Timeout. 2. Select the check box to enable "Turn on to set the period of inactivity". 3. Select custom option, then enter "15". 4. Select "Save".
- RMF Control
- AU-9
- Severity
- M
- CCI
- CCI-001348
- Version
- MSIN-25-000370
- Vuln IDs
-
- V-273868
- Rule IDs
-
- SV-273868r1208024_rule
Checks: C-77959r1101586_chk
Verify the site has configured Intune to off-load Intune logs to a third-party log management server or to an Azure log storage and monitoring service like Azure monitor. Verification procedures are determined by the method used at the site. Ask the site Intune Administrator how logs are managed by the site and demonstrate that Intune logs are being off-loaded. If site is off-loading Intune logs to the Azure monitor, do the following (refer to https://learn.microsoft.com/en-us/mem/intune-service/fundamentals/review-logs-using-azure-monitor): 1. Sign in to the Microsoft Intune admin center. 2. Select Reports >> Diagnostics settings. 3. Verify logs are being sent to the Azure monitor: a. A storage account has been configured. b. A Stream has been configured to stream logs to the Azure Event Hubs. c. Intune logs have been configured to be sent to Log Analytics. If the site is not transferring Intune audit logs to a third-party audit log management server or to an Azure audit log storage and monitoring service, this is a finding.
Fix: F-77864r1101587_fix
There are many methods for off-loading Intune logs, including downloading to a third-party log management server and sending logs to Azure Storage, Event Hubs, or Log Analytics, which are all part of Diagnostics Settings in Intune. Procedures will vary depending on which log management process is used at the site. If the site is sending logs to Azure Monitor, follow the setup procedures found here: https://learn.microsoft.com/en-us/mem/intune-service/fundamentals/review-logs-using-azure-monitor 1. Sign in to the Microsoft Intune admin center. 2. Select Reports >> Diagnostics settings. The first time opening it, turn it on. Otherwise, add a setting. If the Azure subscription is not shown, navigate to the top right corner, select the signed in account, and choose "Switch directory". Enter the Azure subscription account, if necessary. 3. Enter the following properties: - Name: Enter a name for the diagnostic settings. This setting includes all the properties entered. For example, enter Route audit logs to storage account. - Archive to a storage account: Saves the log data to an Azure Storage account. To save or archive the data, choose this option, then select "Configure". Choose an existing storage account from the list, then click "OK". - Stream to an event hub: Streams the logs to Azure Event Hubs. To have analytics on log data using SIEM tools such as Splunk and QRadar, choose this option, then select "Configure". Choose an existing Event Hubs namespace and policy from the list, then click "OK". - Send to Log Analytics: Sends the data to Azure Log Analytics. To use visualizations, monitoring and alerting for logs, choose this option, then select "Configure". Create a new workspace and enter the workspace details or choose an existing workspace from the list, then click "OK". - LOG > AuditLogs: Choose this option to send the Intune audit logs to the storage account, Event Hubs, or Log Analytics. The audit logs show the history of every task that generates a change in Intune, including who did it and when. For more information, go to IntuneAuditLogs. Note: If using a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0". - LOG > OperationalLogs: Operational logs show the success or failure of users and devices that enroll in Intune, and details on noncompliant devices. Choose this option to send the enrollment logs to the storage account, Event Hubs, or Log Analytics. For more information, go to IntuneOperationalLogs. To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0". - LOG > DeviceComplianceOrg: Device compliance organizational logs show the organizational report for Device Compliance in Intune and details of noncompliant devices. Choose this option to send the compliance logs to the storage account, Event Hubs, or Log Analytics. For more information, go to IntuneDeviceComplianceOrg. To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0". - LOG > IntuneDevices: The Intune Device log shows device inventory and status information for Intune enrolled and managed devices. Choose this option to send the IntuneDevices logs to your storage account, Event Hubs, or Log Analytics. For more reference information, go to IntuneDevices. Note: To use a storage account, enter how many days to keep the data (retention). To keep data forever, set Retention (days) to "0". 4. Save the changes. The setting is shown in the list. Once the settings are created, settings can be changed by selecting Edit setting >> Save.
- RMF Control
- CM-6
- Severity
- H
- CCI
- CCI-000366
- Version
- MSIN-25-002000
- Vuln IDs
-
- V-285327
- Rule IDs
-
- SV-285327r1211999_rule
Checks: C-89897r1211997_chk
Use the following procedure to verify MAA has been set up for managed device wipe on the Intune service. 1. Verify a Microsoft 365 security group has been set up for device-wipe approval Administrators. - Sign in to Intune Admin Center: Navigate to Tenant administration >> Multi Admin Approval. - Verify the assigned "Approval Group" is in the access policy. 2. Verify an Access Policy has been created for "Device Wipe". - Verify Access Policies: Click on "Access policies" to view the policies created. - Check Policy Details: Select the policy created for device wipes to verify: - Policy Type: Must be set to Device Wipe. - Approver Group: Verify the correct Microsoft Entra security group is selected as the approver group. - Confirm Active Status: Verify the policy is active and not pending further approval of the policy itself. If the Intune service is not configured with a Microsoft 365 security group for device-wipe approval Administrators or is not configured with a device-wipe Access Policy, this is a finding.
Fix: F-89802r1211998_fix
Note: All device-wipe processes and procedures must be compliant with DOD data retention policies for mobile devices. Note: This procedure requires two separate groups: one group of Administrators that request a managed device be wiped (requestor group) and one Administrator group that approves the request (approver group). Note: Two administrators are needed to set up MAA for managed device-wipe: one to set up the required approver group and the MAA device-wipe policy and one to approve the new policy. Implementing dual authorization in Intune for device wipes is achieved using MAA, which enforces a "four-eyes" policy, requiring a second admin to approve wipe requests. This process, found under Tenant Administration >> Multi Admin Approval, requires creating an access policy, assigning an approver group, and justifying the action. Steps to Implement Multi-Admin Approval for Wipes: 1. Prepare Groups: Create a Microsoft 365 security group containing the administrators allowed to approve requests, excluding the user who initiates the wipe. 2. Create Access Policy: - Sign in to the Microsoft Intune admin center. - Navigate to Tenant administration >> Multi Admin Approval >> Access policies. - Click "Create" and select "Device wipe" as the profile type. - Assign the approver group and complete the wizard. 3. Approve Policy: A second administrator must approve the newly created Access Policy before it becomes active. 4. Execute Wipe: When a device is wiped, the initiating admin provides a justification, and an approver approves it under Tenant administration >> Multi Admin Approval >> All requests. Key Considerations: - Approval Workflow: The requester must return to the Multi Admin Approval portal to "Complete request" after the second admin approves it. - License: Requires Microsoft Intune Plan 1. - Notifications: There is no built-in notification system; reviewers must check the console manually. A workflow should be created for the "requestor" Admin to notify the "approver" Admin that a device wipe request is ready for approval. - Limitation: The policy covers managed device wipes and is a best practice for preventing accidental data loss.