A logistics company, roughly 500 Windows 11 endpoints, 98% managed through Microsoft Intune. They had done a CIS benchmark assessment the year before. The scores came back badly – 40 to 60 percent compliance across the fleet. The internal team looked at those results, looked at their Intune console, and didn’t believe them. Their devices were configured. They could see the policies. Something wasn’t adding up.
They were right not to believe it. But nobody could tell them exactly why the numbers were wrong, and by the time we got involved, trust in the whole process had quietly collapsed. The engagement wasn’t just a technical re-run. It was a situation where the methodology had to be credible before the results could be.
Project Details
A Methodology Reset in Four Decisions
The re-run wasn’t a repeat scan with a better tool. Each decision in the approach was a direct response to what had gone wrong the year before and starting from first principles rather than inheriting the assumptions that had caused the problem in the first place.
Correct Benchmark
The environment was confirmed as Intune-managed, and the CIS Microsoft Intune for Windows 11 benchmark was selected as the baseline and not the default Enterprise benchmark built for GPO. That single decision was the difference between measuring the right thing and measuring nothing at all.
Intune-Native Deployment
The scanner was packaged as a Win32 app and deployed through Intune in device context, the same way every other managed software runs on these endpoints. No WinRM, no firewall changes, no new network paths carved out for the assessment. The tool worked with the environment’s existing management model rather than around it.
Pre-Production Testing
The full deployment package including scanner, Java runtime, PowerShell wrapper, benchmark file was tested end-to-end in a separate, controlled tenant before touching the client environment. Issues were found and resolved at this stage, not during the live rollout across 500 production machines.
Independent Validation
Every failed control was cross-referenced against Microsoft Defender Vulnerability Management data before going anywhere near the report. Confirmed by both tools: finding. Flagged by one only: manual review. Nothing went in unvalidated and the step that ensured the client received a findings list they could act on, not one they’d quietly distrust.
The Impact
The actual picture was almost the inverse of what the prior assessment had suggested, a well-managed fleet, a handful of devices needing local attention, and one specific configuration gap that had been hiding behind a year’s worth of phantom findings.
The prior assessment left the client with results they couldn’t trust and no clear path forward. What they got this time was the opposite: a credible, evidence-backed picture of where they actually stood — strong across the board, with two concrete gaps that had clear owners and clear fixes.
