Essential8
A collection of Intune policies, scripts and other information
Maturity Level 2 Policies are still currently under-construction
Granular Intune ACSC Windows Hardening Guidelines
These Microsoft Intune policies were put together to help organisations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidance. These policies were originally provided by the ACSC as Group Policy Objects. This repository will provide exports of Intune policies that organisations will be able to import into their Intune tenant for deployment to their Windows devices.
Additional Intune policies have been provided for organisations who are also required to comply with the ACSC's Office Hardening Guidance and the ACSC's Office Macro Security publication.
While the intent of these policies is to assist in an organisation's compliance efforts, Microsoft does not represent that use of these policies will create compliance with the Australian Cyber Security Centre's guidance.
What's included?
Windows
There are multiple levels of Windows hardening policies for the various maturity levels of the Essential 8.
Generally, there may be up to four Windows hardening policies and a script contained within each maturity level sub-folder of this repository.
- ACSC Windows Hardening Guidelines
- This Settings Catalog policy contains all currently available settings recommended by the ACSC for hardening Windows.
Important: some settings may not be available for configuration via Settings Catalog. Ensure that you verify this representation of the hardening guidance meets your requirements.
- Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
- Microsoft provides a Windows Security Baseline, which is comprised of groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams within Microsoft. The Microsoft Security Baseline can be deployed with Intune.
- This Microsoft Security Baseline has been modified so that its settings do not conflict with those of the ACSC Windows Hardening Guidelines. All non-conflicting settings have been left as-is.
- ACSC Windows Hardening Guidelines-Attack Surface Reduction
- This Attack Surface Reduction (ASR) policy configures each of the ASR rules recommended by the ACSC in audit mode. ASR rules should be tested for compatibility issues in any environment before enforcement.
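The audit-mode rollout described above can be verified on a device before any rule is switched to enforcement. The following script is an added example, not code from this repository; it assumes a Windows 10/11 device with Microsoft Defender Antivirus and its PowerShell module (Get-MpPreference) available, and decodes the numeric action values Defender stores for each rule.

```powershell
# Added example (not the repository's code): report the local state of each
# Attack Surface Reduction rule so an audit-mode deployment can be confirmed.
# Defender stores one numeric action per rule ID; the mapping below is Defender's own.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    $prefs   = Get-MpPreference
    $ids     = @($prefs.AttackSurfaceReductionRules_Ids)
    $actions = @($prefs.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($ActionNames.ContainsKey($code)) { $ActionNames[$code] } else { "Unknown($code)" }
        }
    }
}

$state = Get-AsrRuleState
$state | Format-Table -AutoSize

# Flag any rule that is already enforcing (Block/Warn) before compatibility testing is complete
$enforcing = @($state | Where-Object { $_.Action -in 'Block', 'Warn' })
if ($enforcing.Count -gt 0) {
    Write-Warning "$($enforcing.Count) ASR rule(s) are enforcing rather than auditing."
}

# Audit-mode matches are written as event ID 1122 in the Defender operational log;
# reviewing these is how compatibility issues are found before enforcement.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Run it elevated on a pilot device after the policy has synced; a rule listed as Block or Warn means something other than this audit-mode policy (another profile, or local configuration) is already enforcing it.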
- ACSC Windows Hardening Guidelines-User Rights Assignment
- This Custom configuration profile configures specific User Rights Assignments to be blank, as recommended by the ACSC.
- UserApplicationHardening-RemoveFeatures
- This PowerShell script removes PowerShell v2.0, .NET Framework 3.5 (and below) and Internet Explorer 11 (if on Windows 10).
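As an added illustration of what such a removal involves (this is not the repository's UserApplicationHardening-RemoveFeatures script), the script below disables the same three legacy components using the built-in DISM cmdlets. It assumes an elevated session, uses Microsoft's feature and capability names, and matches the Internet Explorer capability by prefix in case the version suffix differs on a given build.

```powershell
# Added example (not the repository's script): remove PowerShell 2.0, .NET Framework 3.5
# (which carries 2.0 and 3.0) and, on Windows 10 only, Internet Explorer 11.
# Run elevated; a restart completes the removal.
$OptionalFeatures = @(
    'MicrosoftWindowsPowerShellV2Root',  # PowerShell 2.0 engine (parent of the V2 child feature)
    'NetFx3'                             # .NET Framework 3.5, 3.0 and 2.0
)

function Remove-LegacyFeature {
    foreach ($name in $OptionalFeatures) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        if ($null -eq $feature) { Write-Output "$name is not present on this build"; continue }
        if ($feature.State -eq 'Enabled') {
            # -Remove also drops the payload so the feature cannot be re-enabled offline
            Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart -Remove | Out-Null
            Write-Output "Disabled $name"
        } else {
            Write-Output "$name is already $($feature.State)"
        }
    }
}

function Remove-InternetExplorer {
    # Windows 11 (build 22000 and later) does not ship Internet Explorer 11
    $build = [System.Environment]::OSVersion.Version.Build
    if ($build -ge 22000) { Write-Output 'Windows 11 detected; Internet Explorer 11 is not present.'; return }
    $installed = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'Browser.InternetExplorer*' -and $_.State -eq 'Installed' }
    foreach ($cap in $installed) {
        Remove-WindowsCapability -Online -Name $cap.Name | Out-Null
        Write-Output "Removed $($cap.Name)"
    }
}

Remove-LegacyFeature
Remove-InternetExplorer
```

Deployed through Intune, this would run as a device script in the 64-bit host; the output lines are what show up in the script's run log for troubleshooting.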
If there are no policies applicable to the desired maturity level contained within a file, that file has been removed completely to avoid ambiguity. Maturity levels may be mixed and matched as required.
Supplementary documentation has been provided for the ACSC Windows Hardening Guidelines policy, detailing each configured setting, description of the setting and a link to the corresponding Microsoft Docs page.
Microsoft 365 Apps for Enterprise
Organisations that are required to harden Microsoft 365 Apps for Enterprise (formerly known as Office 365 ProPlus) with the ACSC recommended hardening policies, including limiting the execution of macros to Trusted Publishers can use the supplied policies. See the Microsoft 365 Apps for Enterprise README for additional information and steps to import the policies.
Microsoft Edge
Organisations that are looking to harden only Microsoft Edge, without applying all additional Windows hardening recommended by the ACSC can use the supplied policy. See Microsoft Edge README for additional information and steps to import the policy.
What's not included?
Although the settings below are configured as a part of the ACSC Windows Hardening Guidelines, they have not been included in this version of the guidelines. It is still recommended to configure each of the settings below as a part of an end-to-end security strategy.
- AppLocker
- Organisations have unique Application Whitelisting requirements. Apply your organisation's AppLocker policy via the AppLocker CSP. Consider the use of AaronLocker, which aims to make application control using AppLocker and Windows Defender Application Control (WDAC) as easy and practical as possible.
- BitLocker
- Manage disk encryption with a Disk Encryption Endpoint Security policy.
- Controlled Folder Access
- The configuration for Controlled Folder Access requires input that is unique to each organisation.
- Configure Controlled Folder Access by creating an Attack surface reduction policy in the Microsoft Endpoint Manager Admin Center, under Endpoint Security > Attack surface reduction.
- Microsoft Defender Application Guard
- Intune provides the ability to enable and configure Microsoft Defender Application Guard. The configuration of Application Guard requires additional input from the organisation, such as a Windows network isolation policy.
- Windows Update
- Organisations typically standardise on a management platform that provides patching capabilities. Microsoft's recommendation is to move to Windows Update for Business.
- Settings that are not available via Settings Catalog, Endpoint Security or device configuration.
- If a setting does not have a corresponding Settings Catalog, Endpoint Security or device configuration setting, it was not configured.
- A possible way to implement these settings would be with a PowerShell script, deployed via Intune.
Requirements
These policies were developed on Azure AD Joined Windows 10 & Windows 11 devices and can be deployed to either Operating System where Intune is providing the device configuration workload, regardless of join type. Ensure that devices are currently supported and the appropriate Microsoft Endpoint Manager licences have been assigned.
Ensure that KB5005565 has been installed, which was released as a part of the September 14th, 2021 quality updates. This KB contains updated Mobile Device Management policies. Without this update, the policies provided will not be applied successfully.
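The prerequisite above can be checked on each device before the policies are assigned. The script below is an added example rather than part of this repository; it is shaped so it can run as an Intune script or remediation detection (exit code 0 when the update is present, 1 otherwise). Because later cumulative updates supersede KB5005565 and Get-HotFix then no longer lists it by ID, the script falls back to a labelled heuristic: any security update installed after the 14 September 2021 release date is taken to include it.

```powershell
# Added example (not from the repository): confirm that KB5005565, or a cumulative update
# that supersedes it, is installed before the Intune hardening policies are assigned.
$RequiredKb  = 'KB5005565'
$ReleaseDate = Get-Date '2021-09-14'

function Test-RequiredUpdate {
    # Direct match: the KB is still listed under its own ID
    if (Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue) { return $true }

    # Heuristic (assumption): cumulative updates are superseding, so a security update
    # installed after the release date carries the same MDM policy changes.
    $later = Get-HotFix | Where-Object {
        $_.Description -eq 'Security Update' -and $_.InstalledOn -and $_.InstalledOn -gt $ReleaseDate
    }
    return [bool]$later
}

if (Test-RequiredUpdate) {
    Write-Output "$RequiredKb or a superseding update is installed"
    exit 0
}
Write-Output "$RequiredKb is missing; the hardening policies will not apply until it is installed"
exit 1
```

Used as a remediation detection script, a non-zero exit marks the device as non-compliant so that devices missing the update can be patched before they receive the configuration profiles.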
How to import the policies
To import the policies, use Graph Explorer. After running through the import instructions below, the following policies and profiles will be imported into the organisation's Intune tenant.
Note: After importing the policies, the policies will need to be assigned to a group.
- A Settings Catalog policy, named: ACSC Windows Hardening Guidelines
- This Settings Catalog policy will be found in the Microsoft Endpoint Manager Admin Center, under: Devices > Windows > Configuration profiles
- A Security Baseline, named: Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
- This Security Baseline will be found in the Microsoft Endpoint Manager Admin Center, under: Endpoint Security > Security Baselines > Security Baseline for Windows 10 and later
- An Attack surface reduction policy, named: ACSC Windows Hardening Guidelines-Attack Surface Reduction
- This Attack surface reduction policy will be found in the Microsoft Endpoint Manager Admin Center, under: Endpoint Security > Attack surface reduction
- A Custom configuration profile, named: ACSC Windows Hardening Guidelines-User Rights Assignment
- This Custom configuration profile will be found in the Microsoft Endpoint Manager Admin Center, under: Devices > Windows > Configuration profiles
- A PowerShell script, named: *UserApplic
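As an added example of the import and the group assignment that the note above says must follow it (this is not the repository's own import procedure, which uses Graph Explorer), the script below performs both steps for the Settings Catalog policy with the Microsoft Graph PowerShell SDK. It assumes the exported policy JSON sits next to the script under the name shown, the beta configurationPolicies endpoint, and a placeholder group object ID that must be replaced.

```powershell
# Added example (not the repository's import instructions): import an exported Settings
# Catalog policy through Microsoft Graph and assign it to a device group.
$PolicyFile = '.\ACSC Windows Hardening Guidelines.json'   # assumed export file name
$GroupId    = '<TARGET-GROUP-OBJECT-ID>'                    # placeholder: replace with your group's object ID
$Uri        = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

function Import-SettingsCatalogPolicy {
    param([string]$Path)
    $policy = Get-Content -Path $Path -Raw | ConvertFrom-Json
    # An export carries read-only properties that a create request must not include
    foreach ($p in 'id', 'createdDateTime', 'lastModifiedDateTime', 'settingCount') {
        $policy.PSObject.Properties.Remove($p)
    }
    $body = $policy | ConvertTo-Json -Depth 20
    return Invoke-MgGraphRequest -Method POST -Uri $Uri -Body $body -ContentType 'application/json'
}

function Set-PolicyGroupAssignment {
    param([string]$PolicyId, [string]$Group)
    $assign = @{
        assignments = @(
            @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = $Group } }
        )
    } | ConvertTo-Json -Depth 5
    Invoke-MgGraphRequest -Method POST -Uri "$Uri/$PolicyId/assign" -Body $assign -ContentType 'application/json'
}

$created = Import-SettingsCatalogPolicy -Path $PolicyFile
Write-Output "Created policy '$($created.name)' with id $($created.id)"
Set-PolicyGroupAssignment -PolicyId $created.id -Group $GroupId
Write-Output "Assigned policy $($created.id) to group $GroupId"
```

The scope requested is the least needed for creating and assigning configuration; assigning to a pilot group first keeps the blast radius small while the settings are validated against the organisation's applications.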
