These Microsoft Intune policies were put together to help organisations comply with the Australian Cyber Security Centre's (ACSC) Hardening Microsoft 365, Office 2021, Office 2019 and Office 2016 Guidance and ACSC Guidance for Microsoft Office Macro Security. These policies were originally provided by the ACSC as Group Policy Objects. This repository will provide exports of Intune policies that organisations will be able to import into their Intune tenant for deployment to their Windows devices.
While the intent of these policies is to assist in an organisations compliance efforts, Microsoft does not represent that use of these policies will create compliance with the Australian Cyber Security Centre's guidance.
- ACSC Office Hardening Guidelines
- This Settings Catalog policy contains all currently available settings recommended by the ACSC for hardening Microsoft 365 Apps for Enterprise.
- All Macros Disabled
- This Settings Catalog policy disables all macros from executing for Microsoft 365 Apps for Enterprise.
- Macros Enabled for Trusted Publishers
- This Settings Catalog policy configures macros to be enabled for Trusted Publishers in Microsoft 365 Apps for Enterprise. Trusted Publishers will need to be deployed via a separate policy.
- OfficeMacroHardening-PreventActivationofOLE
- This PowerShell script will set the required registry keys to prevent the activation of Object Linking and Embedding (OLE) packages.
- [Block certificates from trusted publishers that are only installed in the current user certificate store](scripts/Block certificates from trusted publishers that are only installed in the current user certificate store.ps1)
- This PowerShell script will block certificates from trusted publishers that are only installed in the current user certificate store.
Supplementary documentation has been provided for the each policy, detailing each configured setting, description of the setting and a link to the corresponding Microsoft Docs page.
These policies were developed on Azure AD Joined Windows 10 & Windows 11 devices and can be deployed to either Operating System where Intune is providing the device configuration workload, regardless of join type. Ensure that devices are currently supported and the appropriate Microsoft Endpoint Manager licences have been assigned.
These policies were tested on 64-bit Microsoft 365 Apps for Enterprise on the Monthly Enterprise Channel, version 2205 at the time of release.
Ensure that KB5005565 has been installed, which was released as a part of the September 14th, 2021 quality updates. This KB contains updated Mobile Device Management policies. Without this update, the policies provided will not be applied successfully.
To import the policies, use Graph Explorer. After running through the import instructions below, the following policies and profiles will be imported into the organisations Intune tenant.
Note: After importing the policies, the policies will need to be assigned to a group.
- A Settings Catalog policy, named: ACSC Office Hardening Guidelines
- This Settings Catalog policy will be found in the Microsoft Intune console, under: Devices > Windows > Configuration profiles
- A Settings Catalog policy, named: All Macros Disabled
- This Settings Catalog policy will be found in the Microsoft Intune console, under: Devices > Windows > Configuration profiles
- A Settings Catalog policy, named: Macros Enabled for Trusted Publishers
- This Settings Catalog policy will be found in the Microsoft Intune console, under: Devices > Windows > Configuration profiles
- A PowerShell script, named: OfficeMacroHardening-PreventActivationofOLE
- This PowerShell script will be found in the Microsoft Intune console, under: Devices > Windows > PowerShell scripts
- A PowerShell script, named: Block certificates from trusted publishers that are only installed in the current user certificate store
- This PowerShell script will be found in the Microsoft Intune console, under: Devices > Windows > PowerShell scripts
Note: When using Graph Explorer, you may need to consent to permissions if you have not done so before. For more information, please see Working with Graph Explorer.
- Save the ACSC Office Hardening Guidelines policy to your local device
- Navigate to the Microsoft Intune console
- Import a policy, under Devices > Windows > Configuration profiles > Create > Import Policy
- Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 1
- Click Save
- Save the All Macros Disabled policy to your local device
- Navigate to the Microsoft Intune console
- Import a policy, under Devices > Windows > Configuration profiles > Create > Import Policy
- Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 1
- Click Save
- Save the Macros Enabled for Trusted Publishers policy to your local device
- Navigate to the Microsoft Intune console
- Import a policy, under Devices > Windows > Configuration profiles > Create > Import Policy
- Name the policy, select Browse for files under Policy file and navigate to the saved policy from step 1
- Click Save
- Navigate to the Microsoft Intune console
- Add a new PowerShell script, under Devices > Windows > Powershell scripts
- Name: OfficeMacroHardening-PreventActivationofOLE
- Upload OfficeMacroHardening-PreventActivationofOLE.ps1
- Run this script using the logged on credentials: Yes
- Enforce script signature check: No
- Run script in 64 bit PowerShell Host: No
Block certificates from trusted publishers that are only installed in the current user certificate store (PowerShell script)
- Navigate to the Microsoft Intune console
- Add a new PowerShell script, under Devices > Windows > Powershell scripts
- Name: Block certificates from trusted publishers that are only installed in the current user certificate store
- Upload Block certificates from trusted publishers that are only installed in the current user certificate store.ps1
- Run this script using the logged on credentials: No
- Enforce script signature check: No
- Run script in 64 bit PowerShell Host: No