
What's New - CIS Microsoft Intune for Windows 11 Benchmark v4.0.0

Tags: Intune, Security, Windows 11

Security threats in the digital world constantly evolve, and staying ahead requires organisations to adapt their systems and configurations rapidly. On 25th April 2025, the latest iteration of the CIS Microsoft Intune for Windows 11 Benchmark — version 4.0.0 — was released. It's a major update, introducing new policies, enhancing usability, and aligning with the latest security practices.

What is the CIS Microsoft Intune for Windows 11 Benchmark?

CIS (Center for Internet Security) benchmarks are consensus-developed, prescriptive configuration guidelines for establishing and maintaining a hardened baseline. The CIS Microsoft Intune for Windows 11 Benchmark maps those recommendations onto settings that Intune can deploy to Windows 11 devices. Version 4.0.0, released on 25th April 2025, reflects current security practice, new Windows 11 policies, and enhancements that make the benchmark easier to apply.

Version 4.0.0 is a major update over version 3.0.1, which had not been revised in over a year. It adds 27 new controls, updates 26 existing controls and removes 14.

Key updates in version 4.0.0

1. New controls

Version 4.0.0 introduces 27 new controls focused on areas like BitLocker encryption, device lock policies, password requirements, and configurations for enhanced collaboration. Key highlights include:

  • BitLocker enhancements: New controls tighten BitLocker configuration, for example requiring device encryption and restricting which users may perform encryption operations.
  • Configuration refresh: New controls make devices periodically re-apply their Intune-delivered settings, so a value changed locally drifts back to the managed value instead of persisting until the next policy change.
  • Password policies: New controls mandate stronger device lock settings, including a maximum number of failed sign-in attempts and a maximum period of inactivity before the device locks automatically.
  • Microsoft Defender updates: Additional settings for more aggressive scanning and for ransomware protection keep endpoints protected against current threats.
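The device lock and BitLocker controls above are the kind of thing worth checking on a pilot device before a compliance report tells you the policy did not land. The script below is an added example, not code from the benchmark or from this post: it reads the effective DeviceLock Policy CSP values the MDM client records under PolicyManager (that registry location, and the numeric thresholds, are this example's assumptions; take the authoritative values from your copy of the benchmark) and inspects the OS volume with Get-BitLockerVolume. It needs to run elevated.

```powershell
# Added example (not from the CIS benchmark or this post): audit a Windows 11
# device's effective device-lock policy and OS-volume BitLocker state.
# The PolicyManager path, the thresholds and the pass criteria are assumptions
# made for this example; substitute the values from your benchmark profile.
#Requires -RunAsAdministrator

function Get-PolicyManagerValue {
    # Assumption: Intune-delivered Policy CSP settings (DeviceLock is a Policy
    # CSP area) are recorded under PolicyManager\current\device\<Area>.
    # A missing value means the policy has not been delivered to this device.
    param([string]$Area, [string]$Name)
    $key = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\$Area"
    if (-not (Test-Path $key)) { return $null }
    $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DeviceLockPolicy {
    # Node names are real Policy CSP DeviceLock nodes; the limits are assumed.
    param(
        [int]$MaxFailedAttempts = 10,  # assumed upper bound on failed attempts
        [int]$MaxInactivityMin  = 15,  # assumed upper bound on idle time (minutes)
        [int]$MinPasswordLength = 6    # assumed lower bound on PIN/password length
    )
    $checks = @(
        @{ Name = 'MaxDevicePasswordFailedAttempts'; Expected = "1..$MaxFailedAttempts"
           Test = { param($v) $v -ge 1 -and $v -le $MaxFailedAttempts } }
        @{ Name = 'MaxInactivityTimeDeviceLock';     Expected = "1..$MaxInactivityMin min"
           Test = { param($v) $v -ge 1 -and $v -le $MaxInactivityMin } }
        @{ Name = 'MinDevicePasswordLength';         Expected = ">= $MinPasswordLength"
           Test = { param($v) $v -ge $MinPasswordLength } }
    )
    foreach ($c in $checks) {
        $value = Get-PolicyManagerValue -Area 'DeviceLock' -Name $c.Name
        $shown = 'not delivered'
        if ($null -ne $value) { $shown = $value }
        [pscustomobject]@{
            Control  = "DeviceLock/$($c.Name)"
            Value    = $shown
            Expected = $c.Expected
            Pass     = ($null -ne $value) -and (& $c.Test $value)
        }
    }
}

function Test-BitLockerOsVolume {
    # Get-BitLockerVolume ships with the BitLocker module on Windows 11.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $tpmBound = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' }).Count -gt 0
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count -gt 0
    [pscustomobject]@{
        Control  = "BitLocker/$($vol.MountPoint)"
        Value    = "$($vol.VolumeStatus), protection $($vol.ProtectionStatus), $($vol.EncryptionMethod)"
        Expected = 'FullyEncrypted, protection On, TPM-bound protector, recovery password present'
        Pass     = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                   ($vol.ProtectionStatus -eq 'On') -and $tpmBound -and $recovery
    }
}

# Combined report; non-zero exit so a remediation script or pipeline can act on it.
$report = @(Test-DeviceLockPolicy) + @(Test-BitLockerOsVolume)
$report | Format-Table Control, Value, Expected, Pass -AutoSize
if ($report.Pass -contains $false) { exit 1 }
```

A value reported as "not delivered" is a different finding from a wrong value: the first points at assignment or enrolment, the second at the policy's content, and the benchmark audit procedure will flag both as failures.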

2. Updated controls

Among the 26 updated controls, the changes to Attack Surface Reduction (ASR) rules stand out. These rules strengthen protection against ransomware and malicious scripts, and the benchmark now states a minimum acceptable mode for each rule. Organisations are nonetheless advised to configure the rules in Block mode wherever they can: Audit only logs the behaviour and Warn lets the user bypass the prompt, so neither actually stops it.
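Because a rule at its minimum mode and a rule in Block mode both count as "configured", a report that only checks presence will miss the gap the paragraph above describes. The script below is an added example, not from the benchmark or this post: it reads the ASR configuration through Get-MpPreference, whose paired arrays encode each rule's action as 0 Off, 1 Block, 2 Audit or 6 Warn, and lists every required rule that is missing or below Block. The required-rule map is this example's own selection of ransomware- and script-related rules; the IDs are Microsoft's published rule GUIDs, but verify them against the documentation before relying on the map, and extend it with the rules your profile requires.

```powershell
# Added example (not from the CIS benchmark or this post): report the mode of
# each required ASR rule on a Windows 11 device and flag anything below Block.
# Action codes follow Get-MpPreference's encoding: 0 Off, 1 Block, 2 Audit, 6 Warn.
#Requires -RunAsAdministrator

$AsrAction = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# This example's own subset of rules aimed at ransomware and malicious scripts.
# Verify the GUIDs against Microsoft's ASR rule reference before use.
$RequiredRules = @{
    'C1DB55AB-C21A-4637-BB3F-A12568109D35' = 'Use advanced protection against ransomware'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'Block execution of potentially obfuscated scripts'
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

function Resolve-AsrMode {
    param($Code)
    if ($null -eq $Code) { return 'Not configured' }
    if ($AsrAction.ContainsKey([int]$Code)) { return $AsrAction[[int]$Code] }
    return "Unknown($Code)"
}

function Get-AsrRuleReport {
    param([hashtable]$Required = $RequiredRules)
    $pref = Get-MpPreference
    # The two arrays are positionally aligned: Ids[i] is set to Actions[i].
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $configured = @{}   # hashtable keys are case-insensitive, so GUID casing does not matter
    for ($i = 0; $i -lt $ids.Count; $i++) { $configured[$ids[$i]] = [int]$actions[$i] }

    foreach ($id in $Required.Keys) {
        $code = $configured[$id]
        [pscustomobject]@{
            Rule     = $Required[$id]
            RuleId   = $id
            Mode     = Resolve-AsrMode $code
            Required = $true
            Block    = ($code -eq 1)
        }
    }
    # Also surface configured rules outside the required list, e.g. one left in
    # Audit after a pilot and never promoted to Block.
    foreach ($id in $configured.Keys) {
        if ($Required.ContainsKey($id)) { continue }
        [pscustomobject]@{
            Rule     = '(not in required list)'
            RuleId   = $id
            Mode     = Resolve-AsrMode $configured[$id]
            Required = $false
            Block    = ($configured[$id] -eq 1)
        }
    }
}

function Get-AsrExclusions {
    # Exclusions carve paths out of every rule, so review them next to the modes.
    return @((Get-MpPreference).AttackSurfaceReductionOnlyExclusions)
}

$report = Get-AsrRuleReport
$report | Sort-Object Required, Block, Rule | Format-Table Rule, Mode, Block, RuleId -AutoSize
$belowBlock = @($report | Where-Object { $_.Required -and -not $_.Block })
"$($belowBlock.Count) required rule(s) below Block mode; $((Get-AsrExclusions).Count) ASR exclusion(s) defined."
if ($belowBlock.Count -gt 0) { exit 1 }
```

Run it on a device that has received the Intune profile; a rule reported as "Not configured" has not been delivered at all, while "Audit" or "Warn" means the rule is present at a minimum mode and is the candidate for promotion to Block.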

3. Removed controls

14 outdated controls were removed to reflect changes in Windows 11 and Intune. Certain legacy antivirus settings and device-management rules were retired, which shortens the benchmark and reduces the work for administrators.

4. Profile level shifts

Some controls were moved from Level 1 (the baseline profile, intended to be applied broadly with little impact on functionality) to Level 2 (the defence-in-depth profile, which accepts reduced functionality or usability in exchange for stronger security). Controls such as PowerShell script block logging now sit at Level 2, reflecting the additional log volume and review effort they impose.

Why these changes matter

  1. Improved protection against modern threats: New requirements, such as advanced ransomware protection and stricter password policies, directly combat evolving cyber risks.
  2. Enhanced compliance: By incorporating security best practices for Windows 11 and Intune, organisations are better equipped to comply with regulatory standards and industry frameworks.
  3. Streamlined management: The removal of legacy and redundant controls simplifies compliance efforts and makes managing security configurations more efficient.
  4. Future-proofing security: The new benchmark tracks current Intune and Windows 11 capabilities rather than retired settings, so configurations aligned to it are less likely to need rework as the platform moves on.

What's next for organisations?

If you're currently operating on version 3.0.1, review these changes and begin updating your configurations to meet the new benchmark. Implementing these changes helps organisations stay ahead of potential threats, particularly in a world where cyber risks continue to evolve.

Resources