These Microsoft Intune policies were put together to help organisations comply with the Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidance. These policies were originally provided by the ACSC as Group Policy Objects. This repository will provide exports of Intune policies that organisations will be able to import into their Intune tenant for deployment to their Windows devices.
Additional Intune policies have been provided for organisations who are also required to comply with the ACSC's Office Hardening Guidance and the ACSC's Office Macro Security publication.
While the intent of these policies is to assist in an organisations compliance efforts, Microsoft does not represent that use of these policies will create compliance with the Australian Cyber Security Centre's guidance.
There are three Windows hardening policies and a collection of scripts contained within this repository.
- ACSC Windows Hardening Guidelines
- This Settings Catalog policy contains all currently available settings recommended by the ACSC for hardening Windows.
Important: some settings are not be available for configuration via Settings Catalog. Ensure that you verify this representation of the hardening guidance meets your requirements.
- Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
- Microsoft provides a Windows Security Baseline (currently version 23H2), which is comprised of groups of pre-configured Windows settings that help you apply and enforce granular security settings that are recommended by the relevant security teams within Microsoft. The Microsoft Security Baseline can be deployed with Intune.
- This Microsoft Security Baseline has been modified so that its settings do not conflict with those of the ACSC Windows Hardening Guidelines. All non-conflicting settings have been left as-is.
- ACSC Windows Hardening Guidelines-Attack Surface Reduction
- This Attack Surface Reduction (ASR) policy configures each of the ASR rules recommended by the ACSC in audit mode. ASR rules should be tested for compatibility issues in any environment before enforcement.
- UserApplicationHardening-RemoveFeatures
- This PowerShell script removes PowerShell v2.0, .NET Framework 3.5 (and below) and Internet Explorer 11 (if on Windows 10).
- A collection of PowerShell scripts that configures registry keys for settings that are currently unavailable to be configured via Settings Catalog.
Supplementary documentation has been provided for the ACSC Windows Hardening Guidelines policy, detailing each configured setting, description of the setting and a link to the corresponding Microsoft Docs page.
Organisations that are required to harden Microsoft 365 Apps for Enterprise (formerly known as Office 365 ProPlus) with the ACSC recommended hardening policies, including limiting the execution of macros to Trusted Publishers can use the supplied policies. See the Microsoft 365 Apps for Enterprise README for additional information and steps to import the policies.
Organisations that are looking to harden only Microsoft Edge, without applying all additional Windows hardening recommended by the ACSC can use the supplied policy. See Microsoft Edge README for additional information and steps to import the policy.
Although the below settings are configured as a part of the ACSC Windows Hardening Guidelines, they have not been included in this version of the guidelines. It is still recommended to configure each of the settings below as a part of an end to end security strategy.
- AppLocker
- Organisations have unique Application Whitelisting requirements. Apply your organisations AppLocker policy via the AppLocker CSP. Consider the use of AaronLocker, which aims to make application control using AppLocker and Windows Defender Application Control (WDAC) as easy and practical as possible.
- BitLocker
- Manage disk encryption with a Disk Encryption Endpoint Security policy.
- Controlled Folder Access
- The configuration for Controlled Folder Access requires input that is unique to each organisation.
- Configure Controlled Folder Access by creating an Attack surface reduction policy in the Microsoft Intune console, under Endpoint Security > Attack surface reduction
- Microsoft Defender Application Guard
- Intune provides the ability to enable and configure Microsoft Defender Application Guard. The configuration of Application Guard requires additional input from the organisation, such as a Windows network isolation policy.
- Windows Update
- Organisations typically standardise on a management platform that provides patching capabilities. Microsoft's recommendation is to move to Windows Update for Business.
- Settings that are not available via Settings Catalog, Endpoint Security or device configuration.
- If a setting does not have a corresponding Settings Catalog, Endpoint Security or device configuration setting, it was not configured.
- A possible way to implement these settings would be with a PowerShell script, deployed via Intune.
These policies were developed on Azure AD Joined Windows 10 & Windows 11 devices and can be deployed to either Operating System where Intune is providing the device configuration workload, regardless of join type. Ensure that devices are currently supported and the appropriate Microsoft Endpoint Manager licences have been assigned.
Ensure that KB5005565 has been installed, which was released as a part of the September 14th, 2021 quality updates. This KB contains updated Mobile Device Management policies. Without this update, the policies provided will not be applied successfully.
To import the policies, use Graph Explorer. After running through the import instructions below, the following policies and profiles will be imported into the organisations Intune tenant.
Note: After importing the policies, the policies will need to be assigned to a group.
- A Settings Catalog policy, named: ACSC Windows Hardening Guidelines
- This Settings Catalog policy will be found in the Microsoft Intune console, under: Devices > Windows > Configuration profiles
- A Security Baseline, named: Windows Security Baseline (for use with ACSC Windows Hardening Guidelines)
- This Security Baseline will be found in the Microsoft Intune console, under: Endpoint Security > Security Baselines > Security Baseline for Windows 10 and later
- An Attack surface reduction policy, named: ACSC Windows Hardening Guidelines-Attack Surface Reduction
- This Attack surface reduction policy will be found in the Microsoft Intune console, under: Endpoint Security > Attack surface reduction
- A PowerShell script, named: UserApplicationHardening-RemoveFeatures
- This PowerShell script will be found in the Microsoft Intune console, under: Devices > Windows > PowerShell scripts
- Multiple PowerShell scripts, each corresponding to the name of the registry key they configure
Note: When using Graph Explorer, you may need to consent to permissions if you have not done so before. For more information, please see Working with Graph Explorer.
- Save the ACSC Windows Hardening Guidelines policy to your local device
- Navigate to the Microsoft Intune console
- Import a policy, under Devices > Windows > Configuration profiles > Create > Import Policy
- Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 1
- Click Save
Windows Security Baseline (for use with ACSC Windows Hardening Guidelines) (Windows Security Baseline)
- Navigate to Graph Explorer and authenticate
- Create a POST request, using the beta schema to the Windows Security Baseline policy endpoint: https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
- Copy the JSON in the Windows Security Baseline (for use with ACSC Windows Hardening Guidelines) policy and paste it in the request body
- (Optional) modify the name value if required
- Navigate to Graph Explorer and authenticate
- Create a POST request, using the beta schema to the Attack Surface Reduction policy endpoint: https://graph.microsoft.com/beta/deviceManagement/templates/0e237410-1367-4844-bd7f-15fb0f08943b/createInstance
- Copy the JSON in the ACSC Windows Hardening Guidelines-Attack Surface Reduction policy and paste it in the request body
- (Optional) modify the name value if required
- Navigate to the Microsoft Intune console
- Add a new PowerShell script, under Devices > Windows > Powershell scripts
- Name: UserApplicationHardening-RemoveFeatures
- Upload UserApplicationHardening-RemoveFeatures.ps1
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64 bit PowerShell Host: No
For each PowerShell script in scripts:
- Navigate to the Microsoft Intune console
- Add a new PowerShell script, under Devices > Windows > Powershell scripts
- Name: < name of the corresponding PowerShell script >
- Upload the corresponding PowerShell script
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64 bit PowerShell Host: No
- The setting 'Allow Telemetry' has been configured to: 'Security'. Keep in mind that other services require different telemetry settings, such as Update Compliance, which requires Basic telemetry.
- The setting 'Disable One Drive File Sync' has been configured to: 'disable sync'. This disables OneDrive. Modify this setting to 'sync enabled' to enable OneDrive.
As both Windows 365 and Azure Virtual Desktop rely on remote desktop connectivity to the endpoint, you will need to modify the following settings from the ACSC Windows Hardening Guidelines policy to enable remote connectivity.
- Modify Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Allow users to connect remotely by using Remote Desktop Services from Disabled to Enabled
- Remove the setting "Deny Access From Network"
- Remove the setting "Deny Remote Desktop Services Log On"
Remote Help requires the following modifications in the ACSC Windows Hardening Guidelines policy:
- Modify User Account Control Behavior Of The Elevation Prompt for Standard Users from Automatically deny elevation requests to Prompt for credentials on the secure desktop
- Modify Require trusted path for credential entry from Enabled to Disabled
For help and questions about using this project, please reach out to intuneaugov@microsoft.com. If you notice any discrepancies in the policies provided, please raise an issue as described in SUPPORT.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
