If you handle CUI on Windows 11 endpoints, you already know the hard part is consistency. One laptop that drifts from standard can undo months of good work. That’s why I build a CMMC Level 2 Intune baseline that’s simple to deploy, easy to report on, and tough to bypass.
In this post, I’ll walk through the Windows 11 hardening baseline I use in Intune for CMMC Level 2 alignment with NIST SP 800-171. I’ll call out the exact Intune locations, prerequisites, and the mistakes that slow teams down.
Start with the right baseline sources (so you’re not guessing)
I don’t start from scratch. I start from vetted benchmarks, then tune them to the business.
Two references keep my baseline grounded:
- The CIS Microsoft Intune for Windows 11 Benchmark helps me validate policy intent and coverage.
- Microsoft’s policy examples in the Intune Windows hardening guidelines repo are useful when I need a known-good policy shape and naming.
CMMC Level 2 is assessed against the NIST SP 800-171 requirements, which are grouped into families. So my Windows 11 plan stays focused on: access control (AC), identification and authentication (IA), audit and accountability (AU), configuration management (CM), system and communications protection (SC), system and information integrity (SI), and media protection (MP). I treat Intune as the policy engine, Entra ID as the identity control plane, and Defender as the enforcement and visibility layer.
This is also where I connect the baseline back to real operations. My clients don’t just need compliance, they need uptime. I’m usually doing Small Business IT planning alongside Cloud Infrastructure work, Office 365 Migration projects, and Cloud Management. Some weeks I’m deep in Data Center Technology reviews, then I’m back on-site doing Restaurant POS Support or Kitchen Technology Solutions. The baseline has to support that reality, because I’m selling Cybersecurity Services that protect revenue, not paperwork.
If the baseline breaks printing, POS peripherals, or line-of-business apps, users will find workarounds. Hardening that people bypass isn’t hardening.
Prereqs I require before I push a CMMC Level 2 Intune baseline
Before I assign a single policy, I make sure the foundation won’t fight me later.
Identity and enrollment
- Prereq: Windows 11 devices must be Entra ID joined or Hybrid Entra ID joined, enrolled into Intune (MDM authority set).
- Pitfall: Mixed enrollment methods across the fleet create policy gaps. I standardize Autopilot for new devices whenever possible.
Compliance gates
- Where: Intune admin center, Devices > Compliance policies.
- I set: Require BitLocker, require Secure Boot, require TPM, and require Microsoft Defender Antimalware to be running with real-time protection on and security intelligence up to date.
- Pitfall: Teams rely on “compliant” without defining what compliant means. Then Conditional Access can’t do its job.
Conditional Access as enforcement
- Where: Microsoft Entra admin center, Conditional Access policies.
- I set: Require device to be marked compliant for Microsoft 365 and any CUI storage apps.
- Pitfall: Allowing browser-only access from unmanaged devices is a quiet failure. If CUI is in play, I lock it down.
This approach supports Endpoint Security and Device Hardening as part of a wider IT Strategy for SMBs. It also fits when I’m acting as a Business Technology Partner, providing Technology Consulting, Infrastructure Optimization, and Digital Transformation guidance that leadership can understand.
The Windows 11 settings I deploy in Intune (with locations and gotchas)
Below are the baseline components that show up in almost every CMMC Level 2 Intune rollout I do.
Encryption, Secure Boot, and TPM (protect CUI at rest)
BitLocker
- Where: Endpoint security > Disk encryption (BitLocker).
- Recommended: Encrypt OS and fixed drives, escrow recovery keys to Entra ID, require TPM 2.0, and enforce XTS-AES (use 256-bit where performance allows).
- Pitfall: Not testing silent encryption on older hardware. I pilot first, because firmware quirks still happen.
Secure Boot and TPM checks
- Where: Devices > Compliance policies. Secure Boot (and BitLocker) sit under Device Health; TPM sits under System Security > Device Security.
- Recommended: Require Secure Boot and TPM for compliance. The Device Health checks depend on the Device Health Attestation report, so allow for evaluation lag after enrollment before treating a device as failing.
- Pitfall: Some “almost-Windows-11-ready” devices pass basic use but fail compliance. I retire them early instead of arguing with physics.
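The compliance gates and the encryption, Secure Boot and TPM checks above can be verified on a pilot device before any policy is assigned. The following script is an added example, not code from the original post; it reads local state only (dsregcmd, BitLocker, TPM, Secure Boot, Defender) and changes nothing. It assumes the baseline targets are TPM 2.0 and XTS-AES, and that signatures older than one day count as stale; adjust those thresholds to your own policy.

```powershell
# Added example: local readiness check for the compliance gates. Run elevated on a pilot
# Windows 11 device. Assumptions: TPM 2.0, XTS-AES, and a 1-day signature age are the targets.

function Get-EntraJoinState {
    # dsregcmd /status is the authoritative local view of join and MDM enrollment state
    $status  = dsregcmd /status
    $azureAd = [bool]($status | Select-String '^\s*AzureAdJoined\s*:\s*YES')
    $domain  = [bool]($status | Select-String '^\s*DomainJoined\s*:\s*YES')
    $mdm     = [bool]($status | Select-String '^\s*MdmUrl\s*:\s*https://')
    [pscustomobject]@{
        EntraJoined  = $azureAd -and -not $domain
        HybridJoined = $azureAd -and $domain
        MdmEnrolled  = $mdm
    }
}

function Get-BitLockerState {
    # OS volume must be on, XTS-AES, with a TPM protector and a recovery password that Intune can escrow
    $os = Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Select-Object -First 1
    $protectors = @($os.KeyProtector | ForEach-Object KeyProtectorType)
    [pscustomobject]@{
        ProtectionOn           = $os.ProtectionStatus -eq 'On'
        Method                 = "$($os.EncryptionMethod)"
        XtsAes                 = "$($os.EncryptionMethod)" -like 'XtsAes*'
        TpmProtector           = $protectors -contains 'Tpm'
        RecoveryPassword       = $protectors -contains 'RecoveryPassword'
        # VolumeType 'Data' covers fixed and removable volumes; both should be protected for CUI
        DataVolumesUnprotected = @(Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' -and $_.ProtectionStatus -ne 'On' }).Count
    }
}

function Get-PlatformState {
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace root/cimv2/Security/MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
    [pscustomobject]@{
        TpmPresentAndReady = $tpm.TpmPresent -and $tpm.TpmReady
        Tpm2               = "$spec" -like '2.0*'
        SecureBoot         = $secureBoot
    }
}

function Get-DefenderState {
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        TamperProtected    = $mp.IsTamperProtected
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        SignaturesCurrent  = $mp.AntivirusSignatureAge -le 1
    }
}

function Invoke-ReadinessCheck {
    # One row per gate so failures can be triaged before the compliance policy is assigned
    $join = Get-EntraJoinState; $bl = Get-BitLockerState; $pf = Get-PlatformState; $av = Get-DefenderState
    $checks = [ordered]@{
        'Entra ID joined or hybrid joined'   = $join.EntraJoined -or $join.HybridJoined
        'MDM enrolled (Intune)'              = $join.MdmEnrolled
        'TPM present, ready, spec 2.0'       = $pf.TpmPresentAndReady -and $pf.Tpm2
        'Secure Boot enabled'                = $pf.SecureBoot
        'OS drive BitLocker on, XTS-AES'     = $bl.ProtectionOn -and $bl.XtsAes
        'TPM + recovery password protectors' = $bl.TpmProtector -and $bl.RecoveryPassword
        'Data volumes all protected'         = $bl.DataVolumesUnprotected -eq 0
        'Defender real-time protection on'   = $av.RealTimeProtection
        'Defender tamper protection on'      = $av.TamperProtected
        'Defender signatures <= 1 day old'   = $av.SignaturesCurrent
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Result = if ($_.Value) { 'PASS' } else { 'FAIL' } }
    }
}

Invoke-ReadinessCheck | Format-Table -AutoSize
```

Run it on each hardware model in the pilot ring; a FAIL on the TPM or Secure Boot rows is the "almost-Windows-11-ready" case, and a FAIL on the recovery password row means Intune has nothing to escrow yet.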
Defender AV, tamper protection, and Attack Surface Reduction (stop common intrusion paths)
Microsoft Defender Antivirus
- Where: Endpoint security > Antivirus.
- Recommended: Real-time protection on, cloud-delivered protection on, automatic sample submission on (or controlled if policy requires), and scan removable media.
- Pitfall: Exclusions creep. I only allow documented exclusions, with ticket references.
Tamper protection
- Where: Endpoint security > Antivirus, profile type Windows Security experience, setting TamperProtection (Device).
- Prereq: The Microsoft Defender for Endpoint connector must be enabled under Tenant administration > Connectors and tokens, since managing tamper protection through Intune depends on that integration, and Defender for Endpoint licensing must be consistent across the fleet.
- Pitfall: Local admins can weaken protections if tamper protection isn’t enforced.
ASR rules
- Where: Endpoint security > Attack surface reduction.
- Recommended: Start a pilot with a few rules in Audit, then move to Block. I prioritize rules that stop Office child processes, credential stealing from LSASS, and malicious script behaviors.
- Pitfall: Turning on every rule in Block on day one, then dealing with a flood of false positives. I stage it.
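The Audit-then-Block staging above is easier to defend when the audit hits are summarized per rule and per process. The script below is an added example, not code from the original post. The rule GUIDs are Microsoft's published ASR rule IDs for the four rules that match the priorities named above. It assumes a pilot device that is not yet in scope of the Intune ASR policy, because MDM-delivered ASR settings override local MpPreference changes, and it assumes the event data field names (ID, Path, Process Name, User) used by the Defender operational log on current Windows 11 builds; those may vary by version.

```powershell
# Added example: stage ASR pilot rules in Audit locally and summarize what they would have blocked.
# Assumptions: pilot device outside the Intune ASR policy scope; event field names as on current Win11.

$AsrPilotRules = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}

function Set-AsrPilotRules {
    # AuditMode logs event 1122 without blocking; Enabled blocks and logs event 1121
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Action = 'AuditMode')
    foreach ($id in $AsrPilotRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $Action
    }
}

function Get-AsrRuleState {
    # Get-MpPreference exposes parallel arrays: Ids[i] pairs with Actions[i] (0 Off, 1 Block, 2 Audit, 6 Warn)
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $id = $pref.AttackSurfaceReductionRules_Ids[$i].ToLower()
        [pscustomobject]@{
            RuleId = $id
            Rule   = if ($AsrPilotRules.ContainsKey($id)) { $AsrPilotRules[$id] } else { '(other rule)' }
            Mode   = $names[[int]$pref.AttackSurfaceReductionRules_Actions[$i]]
        }
    }
}

function Get-AsrPilotHits {
    param([int]$Days = 7)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $id = "$($data['ID'])".ToLower()
        [pscustomobject]@{
            Mode    = if ($e.Id -eq 1122) { 'Audit' } else { 'Block' }
            Rule    = if ($AsrPilotRules.ContainsKey($id)) { $AsrPilotRules[$id] } else { $id }
            Process = $data['Process Name']
            Target  = $data['Path']
            User    = $data['User']
        }
    }
    # One line per mode/rule/process with a hit count: this is the false-positive review list
    $rows | Group-Object Mode, Rule, Process | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Hits    = $_.Count
            Mode    = $_.Group[0].Mode
            Rule    = $_.Group[0].Rule
            Process = $_.Group[0].Process
            Sample  = $_.Group[0].Target
        }
    }
}

Set-AsrPilotRules -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize
Get-AsrPilotHits -Days 7 | Format-Table -AutoSize
```

A line-of-business app that shows up with hundreds of Audit hits under one rule is the exception you document before that rule goes to Block in Intune; a rule with zero hits after a week of normal use is safe to promote.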
Firewall policies (reduce exposure and improve auditability)
Windows Defender Firewall
- Where: Endpoint security > Firewall.
- Recommended: Firewall on for Domain, Private, Public. Block inbound by default, allow only what you need. Enable logging for dropped packets, and for successful connections where appropriate, and raise the log file size above the 4 MB default so the log survives more than a few hours of noise.
- Pitfall: “Temporary” allow rules become permanent. I time-box exceptions and review them monthly.
Admin control, remote access, logging, updates, and application control
This is the part that makes audits smoother and incidents shorter.
Windows LAPS
- Where: Endpoint security > Account protection > Local admin password solution (Windows LAPS).
- Prereq: Enable Microsoft Entra Local Administrator Password Solution (LAPS) under Devices > Device settings in the Entra admin center before assigning the policy; otherwise passwords cannot be backed up to Entra ID.
- Recommended: Rotate local admin passwords on a schedule, back up to Entra ID, enable post-authentication reset so a password that has been used is rotated, and limit who can read passwords to a role that carries the microsoft.directory/deviceLocalCredentials/password/read permission.
- Pitfall: Leaving multiple local admin accounts enabled. I standardize one managed local admin, then remove the rest.
Local admin restrictions
- Where: Endpoint security > Account protection (Local users and groups).
- Recommended: Control membership of the local Administrators group, avoid “everyone is admin” cultures.
- Pitfall: Help desk tools that require admin get blamed. I solve it with role-based access and, when needed, controlled elevation (not blanket admin).
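"One managed local admin, the rest removed" is a per-device claim, so it helps to be able to prove it on a device. The following script is an added example, not code from the original post. It assumes the Windows LAPS policy delivered by the CSP is stored under HKLM\SOFTWARE\Microsoft\Policies\LAPS (where BackupDirectory 1 means Entra ID, 2 means Active Directory, 0 means disabled) and that an empty AdministratorAccountName means the built-in Administrator (RID 500) is the managed account. Run it elevated.

```powershell
# Added example: inventory local Administrators and confirm the Windows LAPS policy landed.
# Assumptions: LAPS CSP policy lives at HKLM\SOFTWARE\Microsoft\Policies\LAPS; empty
# AdministratorAccountName means the built-in RID-500 account is the managed one.

function Get-LapsPolicyState {
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS' -ErrorAction SilentlyContinue
    $targets = @{ 0 = 'Disabled'; 1 = 'Entra ID'; 2 = 'Active Directory' }
    [pscustomobject]@{
        PolicyPresent           = $null -ne $p
        BackupDirectory         = if ($null -ne $p.BackupDirectory) { $targets[[int]$p.BackupDirectory] } else { 'Not set' }
        PasswordAgeDays         = $p.PasswordAgeDays
        ManagedAccount          = if ($p.AdministratorAccountName) { $p.AdministratorAccountName } else { '(built-in Administrator)' }
        PostAuthResetDelayHours = $p.PostAuthenticationResetDelay
    }
}

function Get-LocalAdminInventory {
    # Get-LocalGroupMember can throw on Entra-joined devices when a member SID no longer resolves;
    # fall back to an empty list so the device is flagged for manual review instead of skipped.
    $members = try { Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop } catch { $null }
    $laps    = Get-LapsPolicyState
    foreach ($u in Get-LocalUser) {
        $isBuiltIn = $u.SID.Value -like '*-500'
        $isManaged = if ($laps.ManagedAccount -eq '(built-in Administrator)') { $isBuiltIn } else { $u.Name -eq $laps.ManagedAccount }
        $isAdmin   = [bool]($members | Where-Object { $_.SID -eq $u.SID })
        [pscustomobject]@{
            Account     = $u.Name
            Enabled     = $u.Enabled
            InAdmins    = $isAdmin
            LapsManaged = $isManaged
            # An enabled local admin that LAPS does not manage is exactly the drift the baseline removes
            Finding     = if ($u.Enabled -and $isAdmin -and -not $isManaged) { 'REVIEW: unmanaged local admin' } else { '' }
        }
    }
    # Non-local members (Entra ID users and groups) are listed so role-based elevation can be reviewed too
    $members | Where-Object { $_.PrincipalSource -ne 'Local' } | ForEach-Object {
        [pscustomobject]@{ Account = $_.Name; Enabled = $null; InAdmins = $true; LapsManaged = $false; Finding = "$($_.PrincipalSource) $($_.ObjectClass)" }
    }
    if (-not $members) { [pscustomobject]@{ Account = '(group read failed)'; Enabled = $null; InAdmins = $null; LapsManaged = $null; Finding = 'REVIEW: enumerate by hand' } }
}

Get-LapsPolicyState     | Format-List
Get-LocalAdminInventory | Format-Table -AutoSize
```

The REVIEW rows are the ones to clear: either the account is disabled and removed, or it becomes the LAPS-managed account and the policy's AdministratorAccountName is set to it.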
RDP and Remote Assistance
- Where: Prefer Devices > Configuration profiles > Settings catalog (Remote Desktop settings), plus firewall rules.
- Recommended: Disable RDP if not required. If required, enforce NLA, restrict inbound scope, and monitor logons.
- Pitfall: RDP exposed to the internet. I don’t permit it, VPN or secure remote access only.
SMB hardening
- Where: Settings catalog (SMB and network security options).
- Recommended: Disable SMBv1, block guest access, require SMB signing where feasible.
- Pitfall: Old NAS devices and copier scan-to-share workflows. I plan upgrades or isolate them.
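The firewall, RDP and SMB items above are all readable from the endpoint, which makes a post-deployment spot check cheap. The script below is an added example, not code from the original post; it is read-only and should be run elevated on a pilot device after the policies apply. It assumes that inbound allow rules found in the local PersistentStore were created on the device (installers, netsh, the GUI) rather than delivered by Intune or Group Policy, which is what makes them the "temporary" exceptions worth reviewing.

```powershell
# Added example: read-only network exposure audit (firewall profiles, local inbound allow rules, RDP, SMB).
# Assumption: PersistentStore holds locally created rules, not policy-delivered ones.

function Get-FirewallProfileState {
    Get-NetFirewallProfile | ForEach-Object {
        [pscustomobject]@{
            Profile        = $_.Name
            Enabled        = "$($_.Enabled)" -eq 'True'
            InboundBlocked = "$($_.DefaultInboundAction)" -eq 'Block'
            LogDropped     = "$($_.LogBlocked)" -eq 'True'
            LogAllowed     = "$($_.LogAllowed)" -eq 'True'
            LogMaxKB       = $_.LogMaxSizeKilobytes
        }
    }
}

function Get-LocalInboundAllowRules {
    # Enabled inbound allow rules that live in the local store: candidates for the monthly exception review
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -PolicyStore PersistentStore |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Profile   = "$($_.Profile)"
                Protocol  = "$($port.Protocol)"
                LocalPort = "$($port.LocalPort)"
                Program   = $app.Program
            }
        }
}

function Get-RdpState {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        RdpDisabled = $ts.fDenyTSConnections -eq 1
        NlaRequired = $tcp.UserAuthentication -eq 1
        # Empty means nothing is listening on 3389 regardless of what the registry says
        ListeningOn = (Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue |
                        ForEach-Object LocalAddress) -join ','
    }
}

function Get-SmbState {
    $srv = Get-SmbServerConfiguration
    $cli = Get-SmbClientConfiguration
    [pscustomobject]@{
        Smb1FeatureAbsent     = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -ne 'Enabled'
        Smb1ServerDisabled    = -not $srv.EnableSMB1Protocol
        ServerSigningRequired = $srv.RequireSecuritySignature
        ClientSigningRequired = $cli.RequireSecuritySignature
        GuestLogonsBlocked    = -not $cli.EnableInsecureGuestLogons
    }
}

'--- Firewall profiles ---';         Get-FirewallProfileState   | Format-Table -AutoSize
'--- Local inbound allow rules ---'; Get-LocalInboundAllowRules | Format-Table -AutoSize
'--- RDP ---';                       Get-RdpState               | Format-List
'--- SMB ---';                       Get-SmbState               | Format-List
```

If ClientSigningRequired is true and a copier's scan-to-share stops working, the copier is the component that needs the upgrade or the isolated VLAN, not the policy.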
Removable storage controls
- Where: Endpoint security > Attack surface reduction (Device control) when available, otherwise Settings catalog for removable storage restrictions.
- Recommended: Block write access to unencrypted removable media, or block USB storage entirely for CUI groups.
- Pitfall: Teams forget about USB-to-ethernet and other “not-a-flash-drive” devices. I test common adapters.
Audit policy and log retention
- Where: Settings catalog (Auditing for the advanced audit policy subcategories; Administrative Templates > Windows Components > Event Log Service for log sizes).
- Recommended: Turn on Success (and Failure where it is useful) auditing for Logon/Logoff, Account Management, Policy Change, and Process Creation, and enable Include command line in process creation events so event 4688 carries the arguments. Increase the Security log size, and keep at least 90 days of history (my working target; set yours in the SSP) by forwarding to a SIEM or to Defender.
- Pitfall: Small log sizes overwrite evidence. I raise sizes before the first incident happens.
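The audit policy and log sizing above can be checked on the device rather than trusted from the Intune report. The script below is an added example, not code from the original post. It assumes the subcategory names as auditpol prints them, the registry value that the "Include command line in process creation events" policy writes, and that local Security log capacity is only a buffer against a forwarding outage: the 90-day target is met by forwarding, so the estimate it prints is "days until local evidence rolls over", not retention.

```powershell
# Added example: verify audit subcategories, 4688 command-line inclusion, and local Security log capacity.
# Assumptions: auditpol's subcategory names; ProcessCreationIncludeCmdLine_Enabled registry value.

$RequiredSubcategories = @(
    'Logon', 'Logoff', 'Account Lockout',                   # logon events
    'User Account Management', 'Security Group Management', # account management
    'Audit Policy Change',                                  # policy change
    'Process Creation'                                      # process tracking
)

function Get-AuditSubcategoryState {
    # auditpol /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $csv = auditpol /get /category:* /r | Where-Object { $_ -and $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $RequiredSubcategories) {
        $row     = $csv | Where-Object Subcategory -eq $name | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        [pscustomobject]@{ Subcategory = $name; Setting = $setting; Pass = $setting -match 'Success' }
    }
}

function Test-ProcessCreationCommandLine {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $val = Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    $enabled = $val.ProcessCreationIncludeCmdLine_Enabled -eq 1
    # Prove it with real 4688 events rather than trusting the registry alone
    $recent  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20 -ErrorAction SilentlyContinue
    $withCmd = @($recent | Where-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $data['CommandLine']     # empty when the policy is off
    }).Count
    [pscustomobject]@{ PolicyEnabled = $enabled; RecentEvents = @($recent).Count; EventsWithCommandLine = $withCmd }
}

function Get-SecurityLogCapacity {
    param([int]$TargetDays = 90)
    $log    = Get-WinEvent -ListLog Security
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    $daysOnDisk   = ((Get-Date) - $oldest.TimeCreated).TotalDays
    $bytesPerDay  = if ($daysOnDisk -gt 0) { $log.FileSize / $daysOnDisk } else { 0 }
    $estDaysAtMax = if ($bytesPerDay -gt 0) { $log.MaximumSizeInBytes / $bytesPerDay } else { 0 }
    [pscustomobject]@{
        MaxSizeMB        = [math]::Round($log.MaximumSizeInBytes / 1MB)
        UsedMB           = [math]::Round($log.FileSize / 1MB)
        LogMode          = $log.LogMode
        OldestEvent      = $oldest.TimeCreated
        DaysOnDisk       = [math]::Round($daysOnDisk, 1)
        EstDaysAtMax     = [math]::Round($estDaysAtMax, 1)   # rough: assumes today's rate continues
        MeetsLocalTarget = $estDaysAtMax -ge $TargetDays
    }
}

Get-AuditSubcategoryState              | Format-Table -AutoSize
Test-ProcessCreationCommandLine        | Format-List
Get-SecurityLogCapacity -TargetDays 90 | Format-List
```

A device where PolicyEnabled is true but EventsWithCommandLine is zero usually means the setting arrived but no new processes have started since; re-run after a reboot before opening a ticket.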
Microsoft Defender for Endpoint (MDE) onboarding
- Where: Tenant administration > Connectors and tokens > Microsoft Defender for Endpoint (turn on the connection), then Endpoint security > Endpoint detection and response (onboarding profile).
- Recommended: Auto-onboard devices, then use MDE reports for exposure management and alerting.
- Pitfall: Onboarding without alert routing and ownership. I assign who responds, and how fast.
Windows updates
- Where: Devices > Windows updates (Update rings, Feature updates, Quality updates, Driver updates).
- Recommended: Monthly quality updates with short deferrals, feature updates controlled by policy, and driver updates staged.
- Pitfall: Pausing updates “for stability” and forgetting to resume. I set clear maintenance windows.
Application control
- Where: Endpoint security > Application control (App Control for Business).
- Recommended: Start in Audit, then move to enforced allow rules for high-risk groups.
- Pitfall: Skipping the audit phase. Without it, you block a revenue app at the worst time.
Here’s a quick mapping I use to explain coverage during scoping and evidence reviews:
| Baseline component | Key 800-171 families it supports |
|---|---|
| BitLocker, removable media controls | MP, SC, AC |
| Entra ID, Conditional Access, local admin control, LAPS | AC, IA |
| Defender AV, ASR, MDE onboarding | SI, SC |
| Firewall, SMB hardening, RDP restrictions | SC, AC |
| Security baselines, App Control for Business, configuration control | CM, SI |
| Advanced audit policy, event log sizing, forwarding | AU |
When I package this as Tailored Technology Services, it becomes part of a Secure Cloud Architecture that supports Managed IT for Small Business outcomes, including Business Continuity & Security.
Conclusion
A strong CMMC Level 2 Intune baseline for Windows 11 isn’t just “turn on all the switches.” It’s a tested set of policies that users can live with, and auditors can verify. When I combine Intune baselines, Entra ID enforcement, and Defender visibility, I get better control of CUI and fewer surprises. If you want help turning these settings into a repeatable standard across your fleet, I can map it to your apps, your risk, and your day-to-day reality.