Intune Baseline Assessment (86 controls)

Registry v2.1.0 — windows, macos, ios, android — corporate ownership

Job ID: demo-tune-0419

Generate Device-Compromise Tabletop

EnterpriseVeri-Tune

A facilitator-ready scenario, injects, and scoring rubric — composed from the device-compliance gaps in this scan.

Source: demo-tune-0419

Org-shape (per drill, demo only)

Veri-Tech sizes every drill around your actual team, not a generic enterprise template. The demo lets you nudge the shape with the controls below; the real product gives you the full freedom described in the callout.

You write your own role labels — not ours.

In your real tenant, you type the role names your team actually uses: M365 Admin, Service Manager, VP IT, External IR Retainer — whatever your lexicon is. The AI uses those exact labels in drill participants, IR-plan owners, AI Coaching recommendations, and the auditor manifest’s orgShape field.

You can also add roles for a specific drill on the fly — e.g. spin up an “Inland Energy AP Clerk” row before running a BEC scenario without touching tenant-wide settings. The demo simulates this with a curated roster + slider; real customers get the full custom-label form (60-char cap, name-detection guardrail, per-role headcount).

This drill will be sized for: Mid-market (50–500 staff) · 7 roles configured (demo)

Size bucket

Small business (5–50 staff)Mid-market (50–500 staff)Enterprise (500+ staff)

Roles in IR roster

74–7 for midmarket

Auditor-grade IR evidence in one click — satisfies HIPAA §164.308(a)(8), SOC 2 CC7.4, and ISO 27001 A.5.24 evaluation requirements.

Generation runs in ~3–5 minutes; output lands in Veri-Vault as a tabletop artifact.

Tabletop Guide — Start Here

How the drill runs, who needs portal access, what the artifact preserves, and how to share it with auditors.

Preview a sample tabletopbased on findings shape

Personal phone with no MAM policy leaks corporate Outlook cache

Veri-Tune · v1.0.0

Your scan flagged 38 personal devices accessing corporate mail without an App Protection Policy — this scenario walks through what happens when one is stolen.

NIST CSFSOC 2 CC6.1ISO 27001 A.8.1HIPAA §164.310(d)(1)

NIST CSF
Protect (PR.PT)

Duration
60 minutes

Injects
5 timed

Rubric
6 criteria

On a Friday evening, a senior engineer's personal Android phone is stolen at a transit station. The phone has Outlook for Android installed, signed in to corporate identity, with 14 days of cached mail including draft RFP responses and a board-deck PDF. The phone is unlocked when stolen (the engineer was actively using it). Your scan showed the device is enrolled in compliance reporting but has NO App Protection Policy applied — meaning the corporate data on the device is not encrypted at rest by the corporate-controlled key, and a remote wipe would only work if the device is online and we can locate it.

Threat actor: Opportunistic theft, low-skill. Phone may be wiped and resold OR data may be exfiltrated if the thief is more sophisticated than typical.

Attack chain

1
Initial access: Phone stolen unlocked at transit station. Outlook is the front-most app.
2
Data discovery: Thief (or buyer) explores the Outlook cache. 14 days of mail visible without re-authentication because session is active.
3
Exfiltration: Cached attachments (board deck PDF, RFP drafts) downloadable via 'Save to Photos' → uploaded to attacker cloud storage.
4
Persistence (optional): If thief is sophisticated: install a forwarding rule from the device, gaining persistent visibility into mail until detected.

Affected assets

Senior engineer's corporate mailbox (90 days mail history accessible via cache + reauth)
Board deck PDF (revenue projections + planned acquisitions)
RFP response drafts (competitive intelligence)
Cached calendar with attendee names + meeting subjects

Linked scan findings

Control ID	Severity	Finding
INT-AP-001	High	App Protection Policy not applied to BYOD Android devices accessing corporate Outlook
INT-CA-014	High	Conditional Access does not require app-protection state for Outlook mobile
INT-CMP-007	Medium	Device compliance reporting enabled but no policy enforcement

Generated from Veri-Tune scan demo-tune-0419 on 2026-05-07. This is facilitator material — verify scenario specifics against your tenant before use. Veri-Tech does not warrant scenario fitness for any specific audit framework; pair with the source scan job (which IS auditor evidence) and your own IR plan.

Policy Insights

We found 7 settings that exist in multiple Intune policies. Including 3 value conflicts where policies disagree on the correct setting. 3 redundant settings could be consolidated. 1 unassigned duplicates are inactive and can be cleaned up.

View Policy Insights

3 Conflicts3 Redundant1 Unassigned DuplicatesUnique settings in 2+ policies

View:

Remediation Planner

AI analyzes your assessment results and generates a remediation plan — classifying each control for auto-deployment, runbook generation, or risk exception.

Auto-deploy fixes for non-compliant Intune policies
Generate runbooks for manual remediation steps
Set risk exceptions and document justifications

Assessment Results

Assessment Score

Scanned: 4/22/2026, 3:06:12 PM — 132s

68%

Protection

Actively enforced

76%

Readiness

Configured correctly

Passing

Not Assigned

Report-Only

Misconfigured

Missing

68%protected

Score Breakdown

Protection68.0%

Readiness76.0%

86controls

Control Status

Passing60 (70%)

Not Assigned5 (6%)

Report-Only3 (3%)

Misconfigured14 (16%)

Missing4 (5%)

Platforms:🪟 windows🍎 macos📱 ios🤖 android

86 controls checked

8% gap from policies not enforced

5 controls correctly configured but not assigned to any device group. Assign these policies to close the gap.

Assign Existing Policies

JIT Active

5 controls across 5 policies are correctly configured but not assigned to any device or user group. Assigning them is a one-click fix that lifts your adjusted score immediately.

iOS2

Windows1

Android1

macOS1

⚠️

Enrollment Restriction Mismatches (1)

📱iOS

iOS personal enrollment is not blocked. Corporate devices ownership model is set but personal enrollments are accepted.

See how your protection score improves with each remediation step:

Current ScoreWhere you are now

68%

Enforce UnenforcedAssign 5 unenforced policies

76%

+8.2% gain

+ Auto-Fix Critical/HighDeploy 8 automatable fixes

90%

+13.7% gain

+ All Automatable FixesDeploy all 18 automatable fixes

98%

Control Results

86 of 86 controls

Platforms:

Showing 86 of 86 controls

SeverityControlActions

🔴 Misconfigured14

critical

ASR — Block credential stealing from LSASSVT-INTUNE-ES-001