🛡️ Essential 8 Guide

Office productivity suites are hardened using ASD and vendor hardening guidance, with the most restrictive guidance taking precedence when conflicts occur.

Summary

ISM-1859 requires applying ACSC Office hardening policies via Intune configuration profiles to harden Office productivity suites. Implementation consolidates ACSC Office Hardening Guidelines in Intune and enforces the most restrictive guidance when conflicts occur.¹²

Justification

Hardening Office productivity suites directly reduces the initial access and execution capabilities available to attackers who deliver malicious documents via phishing — the most common initial access vector against Australian government and corporate targets according to ACSC Annual Cyber Threat Reports.

The ACSC Office Hardening Guidelines are derived from the vendor (Microsoft) security baseline for Microsoft 365 Apps for Enterprise plus ACSC-specific additions. Applying the most restrictive guidance when conflicts occur means the ACSC posture takes precedence over vendor-default settings that may be optimised for usability rather than security.

Key categories of Office hardening settings and their attack-surface impact:

The policy-set approach (Stage 3) ensures the ACSC hardening profile and the Microsoft 365 Apps deployment are linked in a single Intune Policy Set — simplifying assignment, reducing configuration drift, and providing a single compliance artefact for IRAP assessment.

Design Decision

[!NOTE] The ACSC Office Hardening policy will be applied via Intune configuration profiles to enforce the ACSC Office Hardening Guidelines across Office apps. The ACSC Office Hardening Guidelines.json policy file will be imported and deployed as the configuration profile.

Prerequisites

• Licensing
  • Microsoft Intune Plan 1 licensing is required for target devices.³
• Permissions/Roles
  • Access to the Microsoft Intune admin center with permissions to create configuration profiles and import policies.³
  • Access to Entra ID / Azure AD to enroll devices and support hybrid Azure AD join as appropriate.³
• Dependencies
  • Microsoft 365 Apps (Office) must be installed on target devices.
  • Import the ACSC Office Hardening Guidelines policy into Intune.²
  • Deploy the OfficeMacroHardening-PreventActivationofOLE.ps1 PowerShell script to block activation of OLE packages.¹
  • Import and apply the ACSC Windows Hardening Guidelines – Attack Surface Reduction policy.⁴
  • Enable or enforce the macro hardening policy to block macros from running in Office files from the Internet where appropriate.⁵
  • Create and utilize the deployment group named All Office Users in Intune for policy assignments during implementation.²

Implementation Steps

ACSC Office Hardening via Intune configuration profiles

1. Stage 1 – Prepare targeted policy and Office apps

• Create a policy to contain users targeted with Office apps and the Office hardening policies. This group is referred to as All Office Users. ²
• Create the Microsoft 365 Apps for Windows 10 or later app under Apps > Windows > Add > Microsoft 365 Apps. ²
• Include the Microsoft 365 Apps as required by the organization. ²
• Set the architecture to 64-bit (recommended). ²
• Set the Update Channel to Semi-Annual Enterprise Channel (recommended). ²
• Do not assign the application yet. This is done in a later step. ²

1. Stage 2 – Import ACSC Office Hardening policy and OLE prevention script

• Save the ACSC Office Hardening Guidelines.json policy to your local device. [^3]

• In the Intune console, import a policy under Devices > Windows > Configuration profiles > Create > Import Policy. Name the policy, select Browse for files under Policy file, and Save. [^3]

• Import the Office Macro Hardening prevention script
  • Navigate to Devices > Scripts and create a new PowerShell script. ¹
  • Import the OfficeMacroHardening-PreventActivationofOLE.ps1 policy to the script. ¹
  • Run this script using the logged on credentials: Yes. ¹
  • Enforce script signature check: No. ¹
  • Run script in 64-bit PowerShell Host: No. ¹
  • Assign the PowerShell script to All Office Users. ¹

1. Stage 3 – Create a configuration policy set combining Microsoft 365 Apps and ACSC Hardening

• Navigate to Devices > Policy sets > Create. [^3]
• Under Application Management > Apps, select Microsoft 365 Apps (for Windows 10 and later) (created in Stage 1). [^3]
• Under Device Management > Device Configuration Profiles, select ACSC Office Hardening (created in Stage 2).[^3]
• Under Application Management > Apps, confirm Microsoft 365 Apps is included.[^3]
• Assign the Policy Set to the All Office Users group.[^3]
• Select Review + Create, then Create to deploy the policy set.[^3]

Additional related information

• ASD Blueprint resources for user application hardening provide practical controls and considerations for applying Essential Eight to Office apps and macros ASD Blueprint: User application hardening

• System hardening guidance for Windows user apps and macros is documented in ASD’s blueprint system-hardening-user-apps, aligning with ACSC policies ASD Blueprint: System hardening user apps

• Microsoft 365 Apps for mobile management with Intune describes app protection and configuration policy best practices for Office apps on iOS and Android Manage Collaboration Experiences in Microsoft 365 (Office) for iOS and Android With Microsoft Intune

• Essential Eight patch applications guidance describes patch cadences and deployment approaches using Defender Vulnerability Management and Intune Essential Eight patch applications