Intune: Block Cortana Above Lock Screen

Management Summary

Block Cortana above the lock screen: this prevents voice-assistant access WITHOUT authentication (information disclosure and privacy risk).

Recommendation
IMPLEMENT
Risk without implementation
Medium
Risk Score
6/10
Implementation
2h (tech: 1h)
Applies to:
✓ Windows 10
✓ Windows 11

Cortana above the lock screen means unauthenticated access. On the lock screen Cortana accepts voice commands WITHOUT login (no password or PIN needed), which results in information disclosure:

  1. 'Hey Cortana, read my emails' (lock screen) → Cortana reads emails aloud (bypasses authentication)
  2. 'Show my calendar' → calendar displayed (confidential meetings visible)
  3. 'Send message' → Cortana sends it (no authentication)

Attack: physical access → locked laptop → 'Hey Cortana' → information extraction (no password cracking needed). Defense: block Cortana above lock → authentication REQUIRED.

PowerShell Modules Required
Primary API: Microsoft Graph API
Connection: Connect-MgGraph
Required Modules: Microsoft.Graph.DeviceManagement

Implementation

Block Cortana above lock. Policy: Allow Cortana above lock screen: Block. Effect: on the lock screen Cortana is disabled (voice commands do not work); once logged in, Cortana works as normal (if Cortana is enabled at all). Best practice: disable Cortana entirely (separate policy, 'allow-cortana-is-set-to-block').

Requirements

  1. Windows 10/11
  2. Intune subscription

Implementation

Intune Settings Catalog: Experience → Allow Cortana above lock screen: Block. Best practice: also disable Cortana entirely (allow-cortana-is-set-to-block).

Compliance

CIS Windows Benchmark L1, BIO 11.01 (Physical security), AVG Art. 32 (Access control).

Monitoring

Use the PowerShell script allow-cortana-above-lock-is-set-to-block.ps1 (function Invoke-Monitoring) to check.

Remediation

Use the PowerShell script allow-cortana-above-lock-is-set-to-block.ps1 (function Invoke-Remediation) to remediate.

Automation

Use the PowerShell script below to monitor and implement this security control. The script contains functions for both monitoring (-Monitoring) and remediation (-Remediation).

PowerShell

<#
.SYNOPSIS
    Intune Security Options: Cortana Above Lock Blocked
.DESCRIPTION
    CIS - Cortana on the lock screen must be blocked.
.NOTES
    Filename: cortana-lock.ps1
    Author: Nederlandse Baseline voor Veilige Cloud
    Registry: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowCortanaAboveLock
    Expected: 0
#>
#Requires -Version 5.1
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$WhatIf,
    [switch]$Monitoring,
    [switch]$Remediation,
    [switch]$Revert
)

$ErrorActionPreference = 'Stop'
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search"
$RegName = "AllowCortanaAboveLock"
$ExpectedValue = 0   # 0 = Cortana above the lock screen is blocked

function Connect-RequiredServices {
    # Local-only check: writing HKLM policy keys requires an elevated process.
    $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-Compliance {
    $r = [PSCustomObject]@{
        ScriptName    = "cortana-lock.ps1"
        PolicyName    = "Cortana Lock Screen"
        IsCompliant   = $false
        CurrentValue  = $null
        ExpectedValue = "Blocked"
        Details       = @()
    }
    try {
        if (Test-Path $RegPath) {
            $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
            if ($v) { $r.CurrentValue = $v.$RegName }
            if ($v -and $v.$RegName -eq $ExpectedValue) {
                $r.IsCompliant = $true
                $r.Details += "Cortana lock blocked"
            } else {
                $r.Details += "Cortana lock allowed"
            }
        } else {
            # Policy key absent: the setting is not configured, so the Windows default
            # (Cortana allowed above lock) applies. That is non-compliant for this control.
            $r.Details += "Policy not configured (default: Cortana lock allowed)"
        }
    } catch {
        $r.Details += "Error: $($_.Exception.Message)"
    }
    return $r
}

function Invoke-Remediation {
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force
    Write-Host "Cortana above lock blocked" -ForegroundColor Green
}

function Invoke-Monitoring {
    $r = Test-Compliance
    $status = if ($r.IsCompliant) { 'COMPLIANT' } else { 'NON-COMPLIANT' }
    $color  = if ($r.IsCompliant) { 'Green' } else { 'Red' }
    Write-Host "`n$($r.PolicyName): $status" -ForegroundColor $color
    return $r
}

function Invoke-Revert {
    # Remove the policy value so the Windows default applies again.
    Remove-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
}

try {
    if (-not (Connect-RequiredServices)) { exit 1 }
    if ($Monitoring) {
        $r = Invoke-Monitoring
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    } elseif ($Remediation) {
        if (-not $WhatIf) { Invoke-Remediation }
    } elseif ($Revert) {
        Invoke-Revert
    } else {
        $r = Test-Compliance
        exit $(if ($r.IsCompliant) { 0 } else { 1 })
    }
} catch {
    Write-Error $_
    exit 1
}
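
The baseline script above checks the local registry on one device. As an added example (not the baseline's own code), the function below audits the tenant side through the Microsoft Graph API listed under PowerShell modules: it walks every Settings Catalog policy and reports which ones configure the Cortana-above-lock setting and whether it is set to Block. Assumptions: the Microsoft.Graph.Authentication module, the DeviceManagementConfiguration.Read.All scope, and that the setting's definition ID contains "allowcortanaabovelock" with the Block choice ending in "_0" (verify both in your tenant's Settings Catalog).

```powershell
#Requires -Modules Microsoft.Graph.Authentication

function Get-CortanaAboveLockPolicyState {
    [CmdletBinding()]
    param(
        # Substring matched against settingDefinitionId (assumed naming; verify in your tenant).
        [string]$SettingMatch = 'allowcortanaabovelock'
    )
    # Read-only scope: this function audits configuration and changes nothing.
    Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

    $base  = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'
    $found = @()
    $uri   = $base
    while ($uri) {                                   # follow @odata.nextLink paging
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($policy in $page.value) {
            # Each policy's settings are a separate, paged collection.
            $sUri = "$base/$($policy.id)/settings"
            while ($sUri) {
                $sPage = Invoke-MgGraphRequest -Method GET -Uri $sUri
                foreach ($s in $sPage.value) {
                    $inst = $s.settingInstance
                    if ($inst.settingDefinitionId -notlike "*$SettingMatch*") { continue }
                    $value = $inst.choiceSettingValue.value
                    $found += [PSCustomObject]@{
                        PolicyName          = $policy.name
                        PolicyId            = $policy.id
                        SettingDefinitionId = $inst.settingDefinitionId
                        Value               = $value
                        # Assumption: the Block option is the choice ending in "_0".
                        IsBlocked           = ($value -like '*_0')
                    }
                }
                $sUri = $sPage.'@odata.nextLink'
            }
        }
        $uri = $page.'@odata.nextLink'
    }

    if (-not $found) {
        Write-Warning "No Settings Catalog policy configures '$SettingMatch'; the Windows default (allowed) applies."
    }
    return $found
}

# Usage: any row with IsBlocked = False, or an empty result, needs attention.
Get-CortanaAboveLockPolicyState | Format-Table PolicyName, Value, IsBlocked -AutoSize
```

A policy that sets the value only matters once it is assigned; check assignments separately if a device still reports the local registry value as absent.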

Risk without implementation

Medium: Cortana above lock = unauthenticated information disclosure (emails, calendar).

Management Summary

Block Cortana above the lock screen. Authentication required. Information disclosure prevented. Best: disable Cortana entirely. Implementation: 1-2 hours.