Intune configuration for GCC High and CMMC compliance
Before you decide:
Nothing is destructive. Secureframe never deletes or overwrites your existing policies. We create policies under our own clearly named entries (every name begins with "Secureframe CMMC"), so they are easy to identify and they sit alongside anything you already have.
Policies are assigned to All Devices. Each policy we create is assigned to the All Devices group in your tenant so newly enrolled devices are covered automatically.
You own these policies. You can edit, scope, or remove any of them from the Intune admin center.
Choosing No does not block the rest of your GCC High setup. Only creating Intune policies is skipped.
Should I say yes to Automatic Intune configuration?
Pick YES if you do not actively manage Microsoft Intune today.
If you do not have an existing set of Intune policies, or you are not comfortable managing your own device policies, we recommend choosing Yes.
Secureframe's automatic Intune configuration will create a set of policies that map to the device-hardening controls that CMMC expects, for example disk encryption, screen lock, firewall, and minimum OS version. You can review and adjust these policies in the Microsoft Intune admin center after they are created.
Pick NO and review this documentation later if you already use Microsoft Intune.
If you already run Intune in your Microsoft tenant and have your own device compliance policies and configuration profiles, we recommend choosing No.
This avoids creating overlapping or conflicting policies with what you already enforce. You can review the "What we configure" section for items to incorporate into your existing policies as you see fit.
What we configure
When you choose Yes, Secureframe creates 8 policies total: 4 for Windows and 4 for macOS. We do not currently create policies for iOS, Android, or Linux.
Each operating system gets two kinds of policies:
Compliance policies report whether a device meets your security bar (compliant vs. non-compliant). Conditional Access uses that signal to decide whether a device may access controlled unclassified information (CUI). A compliance policy reports status; it does not push settings to the device.
Configuration profiles actively push and enforce settings onto enrolled devices, for example turning on disk encryption or the firewall.
Windows policies
Secureframe CMMC Compliance Policy - Windows (compliance policy)
Reports a Windows device as compliant only when it meets all of these:
Minimum OS version: Windows 11 23H2 (by default)
Secure Boot enabled
Code integrity enabled
Storage (disk) encryption required
Password required: alphanumeric, at least 8 characters
Screen locks after 15 minutes of inactivity
Active firewall required
Microsoft Defender enabled and antivirus required
Devices that fall out of compliance are blocked from access after a 24-hour grace period
Secureframe CMMC Device Restrictions - Windows (configuration profile)
Enforces on the device:
Password: alphanumeric, at least 8 characters, using at least 3 character types
Screen locks after 15 minutes of inactivity
Microsoft Defender real-time monitoring, behavior monitoring, and download scanning enabled
Defender monitors file activity across all files
Secureframe CMMC Endpoint Protection - Windows (configuration profile)
Enforces the Windows Defender Firewall:
Firewall enabled for the Domain, Private, and Public network profiles
Secureframe CMMC Disk Encryption - Windows (configuration profile)
Turns on BitLocker device encryption
macOS policies
Secureframe CMMC Compliance Policy - Mac (compliance policy)
Reports a Mac as compliant only when it meets all of these:
Minimum OS version: macOS 14 (Sonoma) (by default)
Password required: alphanumeric, at least 8 characters, no simple passwords
Screen locks after 15 minutes of inactivity
Firewall enabled
System Integrity Protection (SIP) enabled
Devices that fall out of compliance are blocked from access after a 24-hour grace period
Secureframe CMMC Device Restrictions - Mac (configuration profile)
Enforces on the device:
Password: alphanumeric, at least 8 characters, no simple passwords
Screen locks after 15 minutes of inactivity
Secureframe CMMC Endpoint Protection - Mac (configuration profile)
Enforces:
Firewall enabled
Gatekeeper restricted to apps from the Mac App Store and identified developers
Secureframe CMMC Disk Encryption - Mac (configuration profile)
Turns on FileVault disk encryption, using a personal recovery key
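If you chose No and are folding these settings into your own Intune policies, a quick way to confirm that an existing compliance policy still meets the bar listed for Windows and for Mac above is to audit the policy object as exported from Microsoft Graph. The script below is an added example, not Secureframe's own code. It assumes each policy is a dict shaped like a Graph deviceCompliancePolicy object (the property names used are the real windows10CompliancePolicy and macOSCompliancePolicy names); the two sample policies embedded in it are constructed for the demonstration, not real exports, and the mapping of "Windows 11 23H2" to build 10.0.22631 is the dotted form Intune stores for that release.

```python
"""Audit exported Intune compliance policies against the CMMC device bar
documented above. Added example, not Secureframe's code. Each policy is
assumed to be a dict shaped like a Graph deviceCompliancePolicy object, e.g.
from GET /deviceManagement/deviceCompliancePolicies?$expand=scheduledActionsForRule($expand=scheduledActionConfigurations)
SAMPLE_POLICIES below are constructed for the demo, not real exports."""

from typing import Callable

Check = tuple[str, Callable[[object], bool]]  # (expected description, predicate)


def _equals(x) -> Check:
    return (repr(x), lambda v: v == x)


def _at_least(n: int) -> Check:
    return (f">= {n}", lambda v: type(v) is int and v >= n)


def _at_most(n: int) -> Check:
    # 0 or null in Graph means "not configured", which is also a failure.
    return (f"1..{n}", lambda v: type(v) is int and 0 < v <= n)


# Real Graph property names; expected values are the settings on this page.
WINDOWS_BAR: dict[str, Check] = {
    "secureBootEnabled": _equals(True),
    "codeIntegrityEnabled": _equals(True),
    "storageRequireEncryption": _equals(True),
    "passwordRequired": _equals(True),
    "passwordRequiredType": _equals("alphanumeric"),
    "passwordMinimumLength": _at_least(8),
    "passwordMinutesOfInactivityBeforeLock": _at_most(15),
    "activeFirewallRequired": _equals(True),
    "defenderEnabled": _equals(True),
    "antivirusRequired": _equals(True),
}
MAC_BAR: dict[str, Check] = {
    "passwordRequired": _equals(True),
    "passwordRequiredType": _equals("alphanumeric"),
    "passwordMinimumLength": _at_least(8),
    "passwordBlockSimple": _equals(True),
    "passwordMinutesOfInactivityBeforeLock": _at_most(15),
    "firewallEnabled": _equals(True),
    "systemIntegrityProtectionEnabled": _equals(True),
}
# Minimum OS in the dotted form Intune stores: Windows 11 23H2 is build
# 10.0.22631, macOS 14 Sonoma is 14.0.
BARS = {
    "#microsoft.graph.windows10CompliancePolicy": (WINDOWS_BAR, "10.0.22631"),
    "#microsoft.graph.macOSCompliancePolicy": (MAC_BAR, "14.0"),
}
MAX_GRACE_HOURS = 24  # non-compliant devices are blocked after this


def _version_ok(have, need: str) -> bool:
    """Dotted-version comparison, padding the shorter side with zeros."""
    if not isinstance(have, str) or not have:
        return False
    h = [int(p) for p in have.split(".")]
    n = [int(p) for p in need.split(".")]
    width = max(len(h), len(n))
    return h + [0] * (width - len(h)) >= n + [0] * (width - len(n))


def _block_grace_hours(policy: dict):
    """Hours before a non-compliant device is blocked; None if no block
    action is scheduled (then non-compliance is only reported)."""
    for rule in policy.get("scheduledActionsForRule") or []:
        for action in rule.get("scheduledActionConfigurations") or []:
            if action.get("actionType") == "block":
                return int(action.get("gracePeriodHours") or 0)
    return None


def audit_policy(policy: dict) -> list[str]:
    """Return findings for one policy; an empty list means it meets the bar."""
    odata_type = policy.get("@odata.type")
    if odata_type not in BARS:
        return [f"unsupported policy type {odata_type!r}"]
    bar, min_os = BARS[odata_type]
    findings = [f"{prop}: expected {expected}, found {policy.get(prop)!r}"
                for prop, (expected, ok) in bar.items() if not ok(policy.get(prop))]
    if not _version_ok(policy.get("osMinimumVersion"), min_os):
        findings.append(f"osMinimumVersion: expected >= {min_os}, found {policy.get('osMinimumVersion')!r}")
    grace = _block_grace_hours(policy)
    if grace is None:
        findings.append("no 'block' action scheduled for non-compliant devices")
    elif grace > MAX_GRACE_HOURS:
        findings.append(f"block grace period {grace}h exceeds {MAX_GRACE_HOURS}h")
    return findings


def _block_after(hours: int) -> list[dict]:
    return [{"ruleName": "PasswordRequired",
             "scheduledActionConfigurations": [{"actionType": "block", "gracePeriodHours": hours}]}]


# Constructed samples: a Windows policy that meets the bar and a Mac policy
# that has drifted (old minimum OS, simple passwords allowed, 72 h grace).
SAMPLE_POLICIES = [
    {"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
     "displayName": "Secureframe CMMC Compliance Policy - Windows",
     "osMinimumVersion": "10.0.22631.0", "secureBootEnabled": True,
     "codeIntegrityEnabled": True, "storageRequireEncryption": True,
     "passwordRequired": True, "passwordRequiredType": "alphanumeric",
     "passwordMinimumLength": 8, "passwordMinutesOfInactivityBeforeLock": 15,
     "activeFirewallRequired": True, "defenderEnabled": True,
     "antivirusRequired": True, "scheduledActionsForRule": _block_after(24)},
    {"@odata.type": "#microsoft.graph.macOSCompliancePolicy",
     "displayName": "Legacy Mac baseline", "osMinimumVersion": "13.0",
     "passwordRequired": True, "passwordRequiredType": "alphanumeric",
     "passwordMinimumLength": 8, "passwordBlockSimple": False,
     "passwordMinutesOfInactivityBeforeLock": 15, "firewallEnabled": True,
     "systemIntegrityProtectionEnabled": True,
     "scheduledActionsForRule": _block_after(72)},
]

if __name__ == "__main__":
    for policy in SAMPLE_POLICIES:
        findings = audit_policy(policy)
        print(policy["displayName"], "-> OK" if not findings else "")
        for finding in findings:
            print("   ", finding)
```

Run it against a real export by loading the JSON array from Graph into `SAMPLE_POLICIES`'s place; configuration profiles are not covered, since those enforce settings rather than report them and live under a different Graph resource.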
After setup
You can find every policy above in the Microsoft Intune admin center under Devices > Compliance policies and Devices > Configuration profiles. They are all named with the "Secureframe CMMC" prefix shown above.
From there you can review the enforced settings, adjust assignments, or make changes to fit your environment.
If you have questions about any of these policies or how they map to your CMMC controls, reach out to Secureframe support.
