Implementation guidance for Australian Essential Eight controls in Microsoft environments - ISM controls with PSPF mappings
| Property | Value |
|---|---|
| ISM Control | ISM-1823 |
| Revision | 0 |
| Updated | Mar-23 |
| Guideline | Not provided |
| Section | User application hardening |
| Topic | Hardening user application configurations |
| Essential Eight | ML2, ML3 |
| PSPF Levels | NC, OS, P, S, TS |
This ISM control ensures that Office productivity suite security settings cannot be changed by users, reducing the risk of insecure configurations. Deploying Intune Office hardening policies enforces these settings and prevents user-initiated modifications, strengthening the organization's security posture.[1]
Allowing users to modify Office security settings undermines the effectiveness of every other Office hardening control. For example, if a user can change the VBAWarnings registry value from 4 (block all macros) to 1 (enable all macros without notification), all macro controls (ISM-1671, ISM-1674) are bypassed at the endpoint level regardless of policy intent.
Intune-deployed Settings Catalog policies write to the HKLM hive and/or use an MDM lock mechanism, meaning the setting is enforced by the Intune Management Extension and cannot be overridden by user-level registry writes to HKCU. This is the key difference between a recommended setting and an enforced setting under the ISM model.
The Microsoft 365 Apps for Enterprise security baseline (published by Microsoft via Intune) provides a curated set of pre-configured hardening settings aligned to ACSC recommendations — including macro controls, Protected View enforcement, ActiveX blocking, and DDE disablement — reducing the configuration burden for security teams and ensuring consistency across the fleet.
| Attack surface | User-modifiable if not locked | Intune enforcement mechanism |
|---|---|---|
| VBA macro execution | Yes — HKCU VBAWarnings | Settings Catalog (HKLM write) |
| Protected View (Internet) | Yes — Office Trust Center | Settings Catalog / ADMX Office |
| ActiveX controls | Yes — Trust Center | Settings Catalog |
| External content (DDE) | Yes — per-app Trust Center | ADMX-backed policy |
| OLE package activation | Yes — via Registry | PowerShell script deployment |
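The table above lists which Office settings a user can change when nothing locks them. The PowerShell script below is an added example, not code from the ISM guidance, ACSC or Microsoft: for each Office application it reports whether VBAWarnings is set in a policy hive (written by Intune Settings Catalog / ADMX policy or Group Policy, which Office honours over the user's Trust Center preference) or only in the user preference key, which is the user-modifiable state ISM-1823 is meant to rule out. Assumed, and not on the page: the Office 16.0 registry layout, the standard `SOFTWARE\Policies\Microsoft\Office` paths, and the precedence order user policy, then machine policy, then preference.

```powershell
# Added example (not from the ISM guidance or Microsoft): report, per Office app,
# whether the VBAWarnings macro setting is locked by policy or left user-modifiable.
# Assumptions: Office 16.0 registry layout and the standard Policies paths that Office
# honours over the user's own Trust Center preference. Run in the user's context
# (e.g. an Intune remediation script set to run with the logged-on user's credentials)
# so that HKCU refers to the end user's hive rather than SYSTEM's. Save as a .ps1;
# the exit codes at the end are meant for a detection script, not an interactive shell.

$apps = @('Word', 'Excel', 'PowerPoint', 'Outlook', 'Access', 'Publisher', 'Visio')

# Meaning of the VBAWarnings values (4 is the "block all macros" state named on the page).
$meaning = @{
    1 = 'Enable all macros (no notification)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-OfficeMacroEnforcement {
    foreach ($app in $apps) {
        # Policy hives: written by Intune (Settings Catalog / ADMX-backed) or Group Policy.
        $userPolicy    = Get-RegValue "HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
        $machinePolicy = Get-RegValue "HKLM:\SOFTWARE\Policies\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'
        # Preference key: what the user sets in Trust Center; ignored when a policy value exists.
        $userPref      = Get-RegValue "HKCU:\SOFTWARE\Microsoft\Office\16.0\$app\Security" 'VBAWarnings'

        $locked = ($null -ne $userPolicy) -or ($null -ne $machinePolicy)

        # Assumed precedence: user policy, then machine policy, then the user's preference.
        $effective = $userPref
        if ($null -ne $machinePolicy) { $effective = $machinePolicy }
        if ($null -ne $userPolicy)    { $effective = $userPolicy }

        $desc = 'Not set (Office default: disable with notification)'
        if ($null -ne $effective) { $desc = $meaning[[int]$effective] }

        [pscustomobject]@{
            App            = $app
            LockedByPolicy = $locked      # ISM-1823: $false means the user can change the setting
            EffectiveValue = $effective
            Meaning        = $desc
            UserPreference = $userPref    # a value here with LockedByPolicy=$false is a finding
        }
    }
}

$report = Get-OfficeMacroEnforcement
$report | Format-Table -AutoSize

# Non-zero exit lets an Intune detection script flag devices where any app is unlocked.
if ($report | Where-Object { -not $_.LockedByPolicy }) { exit 1 } else { exit 0 }
```

Run per user rather than as SYSTEM: an HKCU check executed in the SYSTEM context reads the wrong hive and reports every app as unlocked. The `LockedByPolicy` column is the ISM-1823 evidence; `EffectiveValue` tells you which macro posture (ISM-1671 / ISM-1674) the lock actually enforces.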
Deploying the ACSC Office Hardening Guidelines JSON via Intune import policy provides a single, auditable enforcement artefact that can be verified in Intune compliance reports and exported for IRAP assessment evidence.
> [!NOTE]
> Intune Office hardening policies are deployed to enforce Office security settings and prevent users from changing them. Implementing these policies satisfies the control description, because Office productivity suite security settings can then no longer be changed by users.
Sign in to the Microsoft Intune admin center and create a new policy: Devices > Manage devices > Configuration > Create > New policy. Platform: Windows 10 and later. Profile type: Settings catalog.[2]
In Basics, provide a name and a description for the policy. This helps identify the policy later.[2]
In Configuration settings, select Add settings. In the settings picker, choose a category that contains Office hardening controls and select the desired Office security settings to enforce.[2]
If you do not want to configure a setting, leave it not configured by selecting the minus sign (-). After configuring the desired settings, close the picker. The defaults shown reflect OS defaults.[2]
In Scope tags (optional), assign a tag to filter the profile to specific IT groups. Then in Assignments, select the users or groups that will receive the profile.[2]
In Review + create, review your settings. When you select Create, the policy is saved and the profile is assigned. The next time the device checks for configuration updates, the settings are applied.[2]
Enforcement note: Office security settings deployed via Intune are enforced and cannot be changed by standard users. This behavior is part of the Intune-based hardening approach.[1]
Create a group that contains users who are able to run Office macros if they're signed by a Trusted Publisher. This group is referred to as Allow macro execution - Trusted Publisher.[3]
Save the policy to your local device with the name All Macros Disabled policy.[3]
Open the Microsoft Intune console. Navigate to Devices > Windows > Configuration profiles > Import Policy.[3]
Import the saved policy, name the policy appropriately, and click Save.[3]
Assign the All Macros Disabled policy to All Office Users by default. Exclude the Allow macro execution - Trusted Publisher group from this policy.[3]
Outcome: Microsoft Office macros are blocked for users that do not have a demonstrated business requirement. The policy targets All Office users by default, with exceptions for the Trusted Publisher group.[3]
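Both procedures above end with an assignment: the policy goes to the broad group and the Trusted Publisher exception group is excluded. The following PowerShell script is an added example, not code from the ISM guidance, ACSC or Microsoft, that performs that include/exclude assignment through Microsoft Graph and reads it back so the result can be exported as evidence. Assumed, and not on the page: the Microsoft Graph PowerShell SDK is installed, the group display names and policy name below already exist in Entra ID / Intune, and the `deviceManagement/configurationPolicies` endpoint, which is in the Graph beta API.

```powershell
# Added example (not from the ISM guidance or Microsoft): assign an imported Intune
# Settings Catalog policy to one group and exclude another, matching the
# "All Office Users" / "Allow macro execution - Trusted Publisher" pattern above.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the names below exist;
# configurationPolicies is a Graph *beta* endpoint and may change.
param(
    [string]$PolicyName   = 'All Macros Disabled policy',
    [string]$IncludeGroup = 'All Office Users',
    [string]$ExcludeGroup = 'Allow macro execution - Trusted Publisher'
)

$graph = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All', 'Group.Read.All' | Out-Null

function Get-GroupId([string]$DisplayName) {
    # Resolve an Entra ID group by display name; fail loudly rather than assign to nothing.
    $g = Get-MgGroup -Filter "displayName eq '$DisplayName'" -Property Id
    if (-not $g) { throw "Group not found: $DisplayName" }
    return $g.Id
}

# Locate the imported policy by name.
$found  = Invoke-MgGraphRequest -Method GET -Uri "$graph?`$filter=name eq '$PolicyName'"
$policy = $found.value | Select-Object -First 1
if (-not $policy) { throw "Policy not found: $PolicyName" }

# Include the broad group, exclude the Trusted Publisher exception group.
$body = @{
    assignments = @(
        @{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'
                       groupId       = (Get-GroupId $IncludeGroup) } },
        @{ target = @{ '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget'
                       groupId       = (Get-GroupId $ExcludeGroup) } }
    )
}

Invoke-MgGraphRequest -Method POST -Uri "$graph/$($policy.id)/assign" `
    -Body ($body | ConvertTo-Json -Depth 6) -ContentType 'application/json' | Out-Null

# Read the assignment back: this is the record to keep for compliance / IRAP evidence.
(Invoke-MgGraphRequest -Method GET -Uri "$graph/$($policy.id)/assignments").value |
    ForEach-Object {
        [pscustomobject]@{
            Policy  = $policy.name
            Target  = $_.target.'@odata.type' -replace '^#microsoft\.graph\.', ''
            GroupId = $_.target.groupId
        }
    } | Format-Table -AutoSize
```

The `assign` action replaces the policy's whole assignment set, so run it with the complete intended list rather than one target at a time. Keep the exclusion group small and reviewed: every member of it is a user for whom the "block all macros" lock does not apply.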
ASD Blueprint: User application hardening. Guidance on hardening user applications and macros on Windows endpoints.
Microsoft 365 Apps for Enterprise security baseline settings reference for Microsoft Intune. Reference for the security baseline settings, including Office and macro controls.
ACSC Essential Eight. Overview of the baseline pillars and guidance for implementing the essential mitigations, including application control and hardening.
Manage Office Scripts settings. Admin controls for enabling or disabling Office Scripts and the sharing of scripts.