# fleet
b
Hey all! I found the CIS benchmark policies in the GitHub repo here: https://github.com/fleetdm/fleet/tree/main/ee/cis The Windows CIS benchmarks seem to only check the settings if they are applied via a group policy, but Fleet's custom settings page for deploying settings to Windows is implemented using the Windows MDM protocol (CSP). I started working on a couple myself and found that they use different registry entries, so the osquery checks need to be adapted. Although I stopped because I remembered that there are over 500 CIS policies in that YML file 😅 Does anyone know if anyone has adapted those CIS benchmark policies for checking if the settings are applied via MDM CSP?
g
Hey @Billy H, thanks for bringing this up. I think with how fast things move here, the CIS policies were on the roadmap before Windows MDM was part of the Fleet product. These were also written when might be using Fleet alongside something like AD. Brought this up during our product meeting and we will be folding this into the Fleet GitOps workflow and working on the Windows CIS (also found while dogfooding them, there is a spec to them that is dated).
b
Awesome! Thanks for addressing this so quickly, let me know if I can help at all. I've been working on converting a handful so far.
g
Hey @Billy H, Following up here that this has been brought into the sprint. 👨‍💻 Issue to track fleet
b
Woo! Thanks Grant. Love how responsive you guys are