So we hired a vendor to, among other things, configure the latest CIS benchmarks for Windows 11 deployed via Intune. These are Windows 365 computers.
We got into an odd back and forth. He was initially suggesting configuring all of the computers via local group policy. In essence, his plan was to deploy a script as a Win32 app that would apply a local policy on the computer that had all of the CIS settings in it.
We hired them to configure the devices via Intune. I personally have a lot of Intune experience and have configured the CIS benchmarks a number of times in the past. I thought it was odd that this was his approach. My opinion is that everything should be configured via a Settings Catalog device config policy, and anything that can't go in there should be a remediation script with a proper detection and remediation script. I assumed he was going his route due to some personal habit. Maybe that's how he just always did it in the past.
When I asked why he would do this, his response was that "he sees DoD and CMMC audits all the time. Auditors are trained to only look at local group policy when they run their assessments/scans. If they don't see the settings via local policy, then they will automatically fail you." And then he also suggested configuring everything both ways... so via device config policies AND via local group policy.
All of this seems like a horrible practice to suggest, to me. I can't imagine the hell of configuring devices with two completely separate approaches at the same time on every device. Plus, if an auditor only looked at local group policy... that suggestion boggles my mind. How has anyone ever passed an audit if they have an AD managed or Entra ID managed environment?
Anyway, was just looking to hear what others think, because it seemed like such a weird thing to me that I didn't even know how to respond.
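As an added example (editor's code, not the poster's or the vendor's), here is what the "remediation script with a proper detection and remediation script" approach from the post looks like in PowerShell for two registry-backed CIS settings. The two settings, their registry paths and expected values are real and well known, but they are an assumed selection: extend the table with whatever your benchmark items are. Intune wants the detection and remediation halves uploaded as two separate scripts; they are combined in one file here, selected by a hypothetical `-Mode` parameter, so the shared table and helpers are only written once.

```powershell
# Added example, not from the original post. Intune remediation pair for two
# registry-backed CIS benchmark settings. In Intune, upload the 'Detect' half
# and the 'Remediate' half as two separate scripts (run as SYSTEM, 64-bit).
# Detection contract: exit 0 = compliant (remediation is skipped),
#                     exit 1 = drift detected (remediation script runs).
# Assumption: the two settings below are the ones you want to enforce; the
# $Settings table is the only thing that should need editing per benchmark item.
[CmdletBinding()]
param(
    [ValidateSet('Detect', 'Remediate')]
    [string]$Mode = 'Detect'
)

$Settings = @(
    @{  # Interactive logon: Do not display last user name (Enabled)
        Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
        Name  = 'DontDisplayLastUserName'
        Value = 1
        Type  = 'DWord'
    },
    @{  # Accounts: Limit local account use of blank passwords to console logon only (Enabled)
        Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name  = 'LimitBlankPasswordUse'
        Value = 1
        Type  = 'DWord'
    }
)

function Get-Drift {
    # Returns one object per setting whose effective registry value differs
    # from the expected one. Reading the registry directly reports the value
    # actually in force, regardless of whether Intune, GPO or a script set it.
    param([array]$Items)
    foreach ($s in $Items) {
        $props   = Get-ItemProperty -Path $s.Path -ErrorAction SilentlyContinue
        $current = if ($props) { $props.($s.Name) } else { $null }
        if ($null -eq $current -or $current -ne $s.Value) {
            [pscustomobject]@{
                Path     = $s.Path
                Name     = $s.Name
                Expected = $s.Value
                Actual   = $current
            }
        }
    }
}

function Set-Expected {
    # Creates the key if needed and writes the expected value and type.
    param([array]$Items)
    foreach ($s in $Items) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value `
            -PropertyType $s.Type -Force | Out-Null
    }
}

$drift = @(Get-Drift -Items $Settings)

switch ($Mode) {
    'Detect' {
        if ($drift.Count -eq 0) {
            Write-Output 'Compliant'
            exit 0
        }
        # The last line written to stdout is shown as the detection output
        # in the Intune remediation report, so make it name the drifted items.
        $summary = ($drift | ForEach-Object { "$($_.Name)=$($_.Actual)" }) -join '; '
        Write-Output "Drift: $summary"
        exit 1
    }
    'Remediate' {
        Set-Expected -Items $Settings
        # Re-check so a failed write is reported instead of silently passing.
        $after = @(Get-Drift -Items $Settings)
        if ($after.Count -ne 0) {
            Write-Output "Remediation failed: $($after.Name -join ', ')"
            exit 1
        }
        Write-Output 'Remediated'
        exit 0
    }
}
```

Run it as a file (for example `.\Cis-Remediation.ps1 -Mode Detect`, a hypothetical name) rather than pasting it into a console, because the `exit` calls would close an interactive session. Two practical points follow from the post's own argument: Settings Catalog stays the first choice and the remediation pair is only for items the catalog cannot express, and a detection script that reads the effective registry value checks the same state a configuration scanner sees, whereas `gpresult` only reports what Group Policy delivered, so it will not show settings applied through Intune no matter how correct they are.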