What's New - CIS Microsoft Intune for Windows 11 Benchmark v4.0.0
The CIS Microsoft Intune for Windows 11 Benchmark version 4.0.0, released on April 25, 2025, introduces updated policies, improved usability, and alignment with modern security practices. This essential guideline helps organisations adapt to evolving digital threats by strengthening security configurations and ensuring robust endpoint protection. Staying updated is crucial for safeguarding your organisation's systems.
by Ellis Barrett | Published on 18 June 2025 | 4 minute read

Security threats in the digital world constantly evolve, and staying ahead requires organisations to adapt their systems and configurations rapidly. Enter the CIS Microsoft Intune for Windows 11 Benchmark, an essential guideline designed to strengthen security configurations and ensure robust endpoint protection.
On 25th April 2025, the latest iteration of this benchmark, version 4.0.0, was released. It’s a major update, introducing new policies, enhancing usability, and aligning with the latest security practices. Below, we’ll explore what this update entails and why it’s vital for bolstering your organisation’s security.
What is the CIS Microsoft Intune for Windows 11 Benchmark?
CIS (Center for Internet Security) benchmarks are essential guidelines for establishing and maintaining security configurations. The recent update to the CIS Microsoft Intune for Windows 11 Benchmark (v4.0.0), released on 25th April 2025, reflects evolving security practices, new Windows 11 policies, and enhancements to streamline the benchmark’s usability.
Version 4.0.0 is a major update on version 3.0.1, which hasn’t seen an update in over a year. It includes 27 new controls, 26 updated controls and 14 removed controls. Below, we’ll dive into the most significant updates and what they mean for your endpoint security.
Key updates in version 4.0.0
Here’s a summary of the significant changes in the new benchmark version:
1. New controls
Version 4.0.0 introduces 27 new controls focused on areas like BitLocker encryption, device lock policies, password requirements, and configurations for enhanced collaboration. Key highlights include:
- BitLocker enhancements: New controls enforce stronger encryption protocols, such as requiring device encryption and user permissions for encryption activities.
- Configuration refresh: New measures ensure devices regularly refresh configurations, improving compliance with security policies.
- Password policies: Updated policies mandate robust password requirements, including maximum failed attempts and inactivity time before automatic lock.
- Windows Defender updates: Enhanced settings for aggressive scanning and ransomware protection ensure endpoints remain safeguarded against emerging threats.
2. Updated controls
Among the 26 updated controls, changes to Attack Surface Reduction (ASR) rules stand out. These rules strengthen protection against ransomware and malicious scripts by revising their minimum settings, although organisations are advised to configure them at the stricter “Blocked” level for optimal security.
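To see how an endpoint compares with the stricter “Blocked” recommendation above, the following added example (not part of the benchmark or of the original article) reads the ASR rule state from Microsoft Defender with the built-in `Get-MpPreference` cmdlet and flags every configured rule that is not in Block mode. The function name `Get-AsrRuleState` is an assumption made for this example, and the script only reports on rules already configured on the device; which rules the benchmark requires is defined in the benchmark itself.

```powershell
# Added example (not from the benchmark): list the ASR rules configured on
# this endpoint and flag any that are not enforced in Block mode.

# Action codes reported by Microsoft Defender for each ASR rule.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $pref = Get-MpPreference

    # No ASR rules configured at all: nothing to report.
    if (-not $pref.AttackSurfaceReductionRules_Ids) { return }

    # Force arrays so a single configured rule is not indexed as a string.
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        $name = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown ($code)" }
        [pscustomobject]@{
            RuleId  = $ids[$i]
            Action  = $name
            Blocked = ($code -eq 1)
        }
    }
}

$rules      = @(Get-AsrRuleState)
$notBlocked = @($rules | Where-Object { -not $_.Blocked })

if ($rules.Count -eq 0) {
    Write-Warning 'No ASR rules are configured on this device.'
} elseif ($notBlocked.Count -gt 0) {
    Write-Warning "$($notBlocked.Count) of $($rules.Count) configured ASR rules are not in Block mode:"
    $notBlocked | Format-Table RuleId, Action -AutoSize
} else {
    Write-Output "All $($rules.Count) configured ASR rules are in Block mode."
}
```

Rules reported as Audit or Warn still generate Defender events without fully blocking the behaviour, so they are useful as a staging step before moving a rule to Block.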
3. Removed controls
14 outdated controls were eliminated, reflecting advancements in Windows 11 and Intune capabilities. For example, certain legacy antivirus settings and device management rules were retired, simplifying the benchmark and reducing complexity for administrators.
4. Profile level shifts
Some controls were moved from Level 1 (default recommendations) to Level 2, which prioritises security over performance. Controls like PowerShell script logging now require stricter monitoring, ensuring more secure environments.
Why these changes matter
Keeping systems aligned with the updated benchmark is critical for strengthening an organisation’s endpoint security posture. Here’s why these changes are significant:
- Improved protection against modern threats: New requirements, such as advanced ransomware protection and stricter password policies, directly combat evolving cyber risks. Organisations that adopt these measures can mitigate vulnerabilities before they are exploited.
- Enhanced compliance: By incorporating security best practices for Windows 11 and Intune, organisations are better equipped to comply with regulatory standards and industry frameworks. This is particularly important for businesses in highly regulated sectors.
- Streamlined management: The removal of legacy and redundant controls simplifies compliance efforts and makes managing security configurations more efficient. Administrators can focus on more impactful updates without being overwhelmed by obsolete settings.
- Future-proofing security: The new benchmark incorporates AI-driven dynamics and cloud-based functionalities, ensuring that today’s investments in security hold strong against tomorrow’s challenges.
What's next for organisations?
Version 4.0.0 of the CIS Microsoft Intune for Windows 11 Benchmark introduces significant changes in administrative identity protection, collaboration security, and data compliance. With these updates, CIS strengthens its guidance to keep up with an evolving cybersecurity landscape, making it critical for organisations to adopt these practices promptly to maintain a robust security posture in their endpoint environment.
Implementing these changes can help organisations stay ahead of potential threats, particularly in a world where cyber risks continue to evolve. If you’re currently operating on version 3.0.1, review these changes and begin updating your configurations to meet the new benchmarks.
Need additional support?
OneAdvanced's relationship with Microsoft goes back over 30 years, over which our Modern Workplace experts have helped numerous organisations digitally transform and embrace a better way of working. Get in touch with our team today to see how we can help!
About the author
Ellis Barrett
Modern Desktop Leader
Ellis Barrett, Modern Desktop Team Leader at OneAdvanced, is an experienced IT professional with over nine years of expertise in delivering innovative solutions to complex technical challenges. With a career spanning roles from Service Desk Analyst to Senior Systems Engineer, Ellis is dedicated to continuous improvement and enhancing user experiences through a customer-first approach. He shares actionable strategies and insights on the OneAdvanced platform, simplifying complex technical concepts to empower businesses and bridge the gap between technology and practical application.