Challenge

Project Details

A Methodology Reset in Four Decisions

The re-run wasn’t a repeat scan with a better tool. Each decision in the approach was a direct response to what had gone wrong the year before and starting from first principles rather than inheriting the assumptions that had caused the problem in the first place.

Correct Benchmark

The environment was confirmed as Intune-managed, and the CIS Microsoft Intune for Windows 11 benchmark was selected as the baseline and not the default Enterprise benchmark built for GPO. That single decision was the difference between measuring the right thing and measuring nothing at all.

Intune-Native Deployment

The scanner was packaged as a Win32 app and deployed through Intune in device context, the same way every other managed software runs on these endpoints. No WinRM, no firewall changes, no new network paths carved out for the assessment. The tool worked with the environment’s existing management model rather than around it.

Pre-Production Testing

The full deployment package including scanner, Java runtime, PowerShell wrapper, benchmark file was tested end-to-end in a separate, controlled tenant before touching the client environment. Issues were found and resolved at this stage, not during the live rollout across 500 production machines.

Independent Validation

Every failed control was cross-referenced against Microsoft Defender Vulnerability Management data before going anywhere near the report. Confirmed by both tools: finding. Flagged by one only: manual review. Nothing went in unvalidated and the step that ensured the client received a findings list they could act on, not one they’d quietly distrust.

The Impact