Windows 11 systems must use either Group Policy or an approved Mobile Device Management (MDM) product to enforce STIG compliance.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-268318 | WN11-CC-000063 | SV-268318r1135322_rule | CCI-000366 | medium |

| Description |
|---|
| Without Windows 11 systems being managed, devices could be rogue and become targets of an attacker. |

| STIG | Date |
|---|---|
| Microsoft Windows 11 Security Technical Implementation Guide | 2026-02-12 |
Details
Check Text (C-268318r1135322_chk)
Verify the Windows 11 system is receiving policy from either Group Policy or an MDM with the following steps:

From a command line or PowerShell:

```
gpresult /R
```

The output should report the computer as domain-managed, for example:

```
OS Configuration: Member Workstation
```

If the system is not being managed by GPO, ask the administrator to indicate which MDM is managing the device.

From PowerShell:

```
Get-Service -Name "IntuneManagementExtension"
```

If the Windows 11 system is not receiving policy from either Group Policy or an MDM, this is a finding.

This is NA for standalone, non-domain-joined systems.
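The two manual steps above can be scripted. The following is an added example (not DISA's check code) that applies the same logic and reports NA, NotAFinding or Open; it assumes an elevated PowerShell session (so `gpresult /R` can read computer-scope RSoP data) and, like the check text, treats the Intune Management Extension service as the MDM indicator.

```powershell
# Added example for WN11-CC-000063 (not DISA's code).
# Assumptions: elevated session; Intune is the MDM of interest.
function Test-Wn11PolicySource {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        DomainJoined  = $false
        GpoApplied    = $false
        IntuneService = $false
        Status        = 'Unknown'
    }

    # Standalone, non-domain-joined systems are Not Applicable per the check text.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $result.DomainJoined = [bool]$cs.PartOfDomain
    if (-not $result.DomainJoined) {
        $result.Status = 'NA'
        return [pscustomobject]$result
    }

    # Step 1: resultant set of policy. gpresult /R lists the GPOs applied to the
    # computer under "Applied Group Policy Objects"; "N/A" there means none applied.
    $rsop = (& gpresult.exe /R 2>&1) -join "`n"
    $computerSection = ($rsop -split 'USER SETTINGS')[0]
    if ($computerSection -match 'Applied Group Policy Objects\s*-+\s*(?<first>[^\r\n]+)') {
        $result.GpoApplied = ($Matches.first.Trim() -ne 'N/A')
    }

    # Step 2: MDM. The check text names the Intune Management Extension service;
    # a different MDM product would need its own agent/service check here.
    $svc = Get-Service -Name 'IntuneManagementExtension' -ErrorAction SilentlyContinue
    $result.IntuneService = ($null -ne $svc -and $svc.Status -eq 'Running')

    $result.Status = if ($result.GpoApplied -or $result.IntuneService) { 'NotAFinding' } else { 'Open' }
    return [pscustomobject]$result
}

Test-Wn11PolicySource | Format-List
```

A device enrolled in a non-Intune MDM will show as Open here even when it is compliant, so confirm with the administrator which MDM applies before recording a finding, as the check text directs.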
Fix Text (F-72242r1028259_fix)
Configure the Windows 11 system to use either Group Policy or an approved MDM product to enforce STIG compliance.