Intune ACSC Windows Hardening Guidelines

These Microsoft Intune policies were put together to help organisations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidance. These policies were originally provided by the ACSC as Group Policy Objects. This repository will provide exports of Intune policies that organisations will be able to import into their Intune tenant for deployment to their Windows devices.

Additional Intune policies have been provided for organisations who are also required to comply with the ACSC's Office Hardening Guidance and the ACSC's Office Macro Security publication.

While the intent of these policies is to assist in an organisations compliance efforts, Microsoft does not represent that use of these policies will create compliance with the Australian Cyber Security Centre's guidance.

What's included?

Windows

There are four Windows hardening policies and a script contained within this repository.

1. ACSC Windows Hardening Guidelines
   • This Settings Catalog policy contains all currently available settings recommended by the ACSC for hardening Windows.

Important: some settings are not be available for configuration via Settings Catalog. Ensure that you verify this representation of the hardening guidance meets your requirements.

2. Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
   • Microsoft provides a Windows Security Baseline, which is comprised of groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams within Microsoft. The Microsoft Security Baseline can be deployed with Intune.
   • This Microsoft Security Baseline has been modified so that its settings do not conflict with those of the ACSC Windows Hardening Guidelines. All non-conflicting settings have been left as-is.
3. ACSC Windows Hardening Guidelines-Attack Surface Reduction
   • This Attack Surface Reduction (ASR) policy configures each of the ASR rules recommended by the ACSC in audit mode. ASR rules should be tested for compatibility issues in any environment before enforcement.
4. ACSC Windows Hardening Guidelines-User Rights Assignment
   • This Custom configuration profile configures specific User Rights Assignments to be blank, as recommended by the ACSC.
5. UserApplicationHardening-RemoveFeatures
   • This PowerShell script removes PowerShell v2.0, .NET Framework 3.5 (and below) and Internet Explorer 11 (if on Windows 10).

Supplementary documentation has been provided for the ACSC Windows Hardening Guidelines policy, detailing each configured setting, description of the setting and a link to the corresponding Microsoft Docs page.

• ACSC Windows Hardening Guidelines documentation

Microsoft 365 Apps for Enterprise

Organisations that are required to harden Microsoft 365 Apps for Enterprise (formerly known as Office 365 ProPlus) with the ACSC recommended hardening policies, including limiting the execution of macros to Trusted Publishers can use the supplied policies. See the Microsoft 365 Apps for Enterprise README for additional information and steps to import the policies.

Microsoft Edge

Organisations that are looking to harden only Microsoft Edge, without applying all additional Windows hardening recommended by the ACSC can use the supplied policy. See Microsoft Edge README for additional information and steps to import the policy.

What's not included?

Although the below settings are configured as a part of the ACSC Windows Hardening Guidelines, they have not been included in this version of the guidelines. It is still recommended to configure each of the settings below as a part of an end to end security strategy.

• AppLocker
  • Organisations have unique Application Whitelisting requirements. Apply your organisations AppLocker policy via the AppLocker CSP. Consider the use of AaronLocker, which aims to make application control using AppLocker and Windows Defender Application Control (WDAC) as easy and practical as possible.
• BitLocker
  • Manage disk encryption with a Disk Encryption Endpoint Security policy.
• Controlled Folder Access
  • The configuration for Controlled Folder Access requires input that is unique to each organisation.
  • Configure Controlled Folder Access by creating an Attack surface reduction policy in the Microsoft Endpoint Manager Admin Center, under Endpoint Security > Attack surface reduction
• Microsoft Defender Application Guard
  • Intune provides the ability to enable and configure Microsoft Defender Application Guard. The configuration of Application Guard requires additional input from the organisation, such as a Windows network isolation policy.
• Windows Update
  • Organisations typically standardise on a management platform that provides patching capabilities. Microsoft's recommendation is to move to Windows Update for Business.
• Settings that are not available via Settings Catalog, Endpoint Security or device configuration.
  • If a setting does not have a corresponding Settings Catalog, Endpoint Security or device configuration setting, it was not configured.
  • A possible way to implement these settings would be with a PowerShell script, deployed via Intune.

Requirements

These policies were developed on Azure AD Joined Windows 10 & Windows 11 devices and can be deployed to either Operating System where Intune is providing the device configuration workload, regardless of join type. Ensure that devices are currently supported and the appropriate Microsoft Endpoint Manager licences have been assigned.

Ensure that KB5005565 has been installed, which was released as a part of the September 14th, 2021 quality updates. This KB contains updated Mobile Device Management policies. Without this update, the policies provided will not be applied successfully.

How to import the policies

To import the policies, use Graph Explorer. After running through the import instructions below, the following policies and profiles will be imported into the organisations Intune tenant.

Note: After importing the policies, the policies will need to be assigned to a group.

1. A Settings Catalog policy, named: ACSC Windows Hardening Guidelines
   • This Settings Catalog policy will be found in the Microsoft Endpoint Manager Admin Center, under: Devices > Windows > Configuration profiles
2. A Security Baseline, named: Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
   • This Security Baseline will be found in the Microsoft Endpoint Manager Admin Center, under: Endpoint Security > Security Baselines > Security Baseline for Windows 10 and later
3. An Attack surface reduction policy, named: ACSC Windows Hardening Guidelines-Attack Surface Reduction
   • This Attack surface reduction policy will be found in the Microsoft Endpoint Manager Admin Center, under: Endpoint Security > Attack surface reduction
4. A Custom configuration profile, named: ACSC Windows Hardening Guidelines-User Rights Assignment
   • This Custom configuration profile will be found in the Microsoft Endpoint Manager Admin Center, under: Devices > Windows > Configuration profiles
5. A PowerShell script, named: UserApplicationHardening-RemoveFeatures
   • This PowerShell script will be found in the Microsoft Endpoint Manager Admin Center, under: Devices > Windows > PowerShell scripts

Note: When using Graph Explorer, you may need to consent to permissions if you have not done so before. For more information, please see Working with Graph Explorer.

ACSC Windows Hardening Guidelines (Settings Catalog)

1. Navigate to Graph Explorer and authenticate
2. Create a POST request, using the beta schema to the configuration policies endpoint: https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
3. Copy the JSON in the ACSC Windows Hardening Guidelines policy and paste it in the request body
4. (Optional) modify the name value if required

Windows Security Baseline (for use with ACSC Windows Hardening Guidelines) (Windows Security Baseline)

1. Navigate to Graph Explorer and authenticate
2. Create a POST request, using the beta schema to the Windows Security Baseline policy endpoint: https://graph.microsoft.com/beta/deviceManagement/templates/034ccd46-190c-4afc-adf1-ad7cc11262eb/createInstance
3. Copy the JSON in the Windows Security Baseline (for use with ACSC Windows Hardening Guidelines) policy and paste it in the request body
4. (Optional) modify the name value if required

ACSC Windows Hardening Guidelines - Attack Surface Reduction Rules (Endpoint Security)

1. Navigate to Graph Explorer and authenticate
2. Create a POST request, using the beta schema to the Attack Surface Reduction policy endpoint: https://graph.microsoft.com/beta/deviceManagement/templates/0e237410-1367-4844-bd7f-15fb0f08943b/createInstance
3. Copy the JSON in the ACSC Windows Hardening Guidelines-Attack Surface Reduction policy and paste it in the request body
4. (Optional) modify the name value if required

ACSC Windows Hardening Guidelines - User Rights Assignment (Custom Configuration Profile)

1. Navigate to Graph Explorer and authenticate
2. Create a POST request, using the beta schema to the device configuration endpoint: https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations
3. Copy the JSON in the ACSC Windows Hardening Guidelines-User Rights Assignment and paste it in the request body
4. (Optional) modify the name value if required

UserApplicationHardening-RemoveFeatures (PowerShell script)

1. Navigate to the Microsoft Endpoint Manager Admin Center
2. Add a new PowerShell script, under Devices > Windows > Powershell scripts
   • Name: UserApplicationHardening-RemoveFeatures
3. Upload UserApplicationHardening-RemoveFeatures.ps1
   • Run this script using the logged on credentials: No
   • Enforce script signature check: No
   • Run script in 64 bit PowerShell Host: No

Additional Considerations

• The setting 'Allow Telemetry' has been configured to: 'Security'. Keep in mind that other services require different telemetry settings, such as Update Compliance, which requires Basic telemetry.
• The setting 'Disable One Drive File Sync' has been configured to: 'disable sync'. This disables OneDrive. Modify this setting to 'sync enabled' to enable OneDrive.

Support

For help and questions about using this project, please reach out to [email protected]. If you notice any discrepancies in the policies provided, please raise an issue as described in SUPPORT.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.