
ACSC E8 Nov 2023-ML2 User app hardening-ACSC Office Hardening Guidance 2023.7.0 (Custom)

Overview:

The Devicie Essential Eight Maturity Level 2 User Application Hardening (Nov 2023) Office Guidance (Custom) configuration is intended to meet the Australian Cyber Security Centre’s guidance for this mitigation strategy. This configuration specifically covers the vendor's (Microsoft Office) guidance, released in July 2023, for Office applications.

Intune Description:

E8 ML2 User App Hardening (Nov 2023) - ACSC Office Guidance 2023.7 (Custom)

Scope:

This baseline should be applied to Windows devices. It must be deployed with “ACSC E8 Nov 2023-ML1 User app hardening” and all additional “ACSC E8 Nov 2023-ML2 User app hardening” add-on items.

Policy Impact Areas:

When deployed, this policy will impact:

  • Enable additional Defender Attack Surface Reduction Rules

  • Require that application add-ins are signed by Trusted Publisher

  • Additional security controls, specifically for Office applications

Deployment Notes

  1. Pre-Deployment Considerations:

    • Review if unsigned add-ins are used in the environment

  2. Post-Deployment Validation:

    • Review the Defender for Endpoint configuration. Check that the Attack Surface Reduction rule to block executable content from email client and webmail has been enabled.

Known Issues and Resolutions

  • Issue 1: None at this time

    • Resolution: N/A 

Configuration Settings:

Name

Value

OMA-URI Settings

Reg ADMX Ingestion

Name

Reg ADMX Ingestion

Description

 

OMA-URI

./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/CustomReg/Policy/RegPolicy_e66e35c5-89ac-4594-b279-0c49d518c81d

Data type

String

Value

<policyDefinitions revision="1.0" schemaVersion="1.0">
  <categories>
    <category name="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
  </categories>
  <policies>
    <policy name="EnableLogging" class="User" displayName="$(string.EnableLogging)" explainText="" presentation="$(presentation.EnableLogging)" key="SOFTWARE\Microsoft\Office\16.0\common\TrustCenter" valueName="EnableLogging">
      <parentCategory ref="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="Excel_DataConnectionWarnings" class="User" displayName="$(string.Excel_DataConnectionWarnings)" explainText="" presentation="$(presentation.Excel_DataConnectionWarnings)" key="Software\Microsoft\Office\16.0\Excel\Security" valueName="DataConnectionWarnings">
      <parentCategory ref="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="2" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="Excel_RichDataConnectionWarnings" class="User" displayName="$(string.Excel_RichDataConnectionWarnings)" explainText="" presentation="$(presentation.Excel_RichDataConnectionWarnings)" key="Software\Microsoft\Office\16.0\Excel\Security" valueName="RichDataConnectionWarnings">
      <parentCategory ref="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="2" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="Excel_WorkbookLinkWarnings" class="User" displayName="$(string.Excel_WorkbookLinkWarnings)" explainText="" presentation="$(presentation.Excel_WorkbookLinkWarnings)" key="Software\Microsoft\Office\16.0\Excel\Security" valueName="WorkbookLinkWarnings">
      <parentCategory ref="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="2" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="Word_AllowDDE" class="User" displayName="$(string.Word_AllowDDE)" explainText="" presentation="$(presentation.Word_AllowDDE)" key="Software\Microsoft\Office\16.0\Word\Security" valueName="AllowDDE">
      <parentCategory ref="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="Excel_PackagerPrompt" class="User" displayName="$(string.Excel_PackagerPrompt)" explainText="" presentation="$(presentation.Excel_PackagerPrompt)" key="Software\Microsoft\Office\16.0\Excel\Security" valueName="PackagerPrompt">
      <parentCategory ref="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="2" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="PowerPoint_PackagerPrompt" class="User" displayName="$(string.PowerPoint_PackagerPrompt)" explainText="" presentation="$(presentation.PowerPoint_PackagerPrompt)" key="Software\Microsoft\Office\16.0\Excel\Security" valueName="PackagerPrompt">
      <parentCategory ref="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="2" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="Word_PackagerPrompt" class="User" displayName="$(string.Word_PackagerPrompt)" explainText="" presentation="$(presentation.Word_PackagerPrompt)" key="Software\Microsoft\Office\16.0\Word\Security" valueName="PackagerPrompt">
      <parentCategory ref="RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d" />
      <supportedOn ref="windows:SUPPORTED_Windows7" />
      <enabledValue>
        <decimal value="2" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>

Set Excel_DataConnectionWarnings

Name

Set Excel_DataConnectionWarnings

Description

 

OMA-URI

./User/Vendor/MSFT/Policy/Config/CustomReg~Policy~RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d/Excel_DataConnectionWarnings

Data type

String

Value

<enabled />

Set Excel_RichDataConnectionWarnings

Name

Set Excel_RichDataConnectionWarnings

Description

 

OMA-URI

./User/Vendor/MSFT/Policy/Config/CustomReg~Policy~RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d/Excel_RichDataConnectionWarnings

Data type

String

Value

<enabled />

Set Excel_WorkbookLinkWarnings

Name

Set Excel_WorkbookLinkWarnings

Description

 

OMA-URI

./User/Vendor/MSFT/Policy/Config/CustomReg~Policy~RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d/Excel_WorkbookLinkWarnings

Data type

String

Value

<enabled />

Set Word_AllowDDE

Name

Set Word_AllowDDE

Description

 

OMA-URI

./User/Vendor/MSFT/Policy/Config/CustomReg~Policy~RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d/Word_AllowDDE

Data type

String

Value

<disabled />

Set Excel_PackagerPrompt

Name

Set Excel_PackagerPrompt

Description

 

OMA-URI

./User/Vendor/MSFT/Policy/Config/CustomReg~Policy~RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d/Excel_PackagerPrompt

Data type

String

Value

<enabled />

Set PowerPoint_PackagerPrompt

Name

Set PowerPoint_PackagerPrompt

Description

 

OMA-URI

./User/Vendor/MSFT/Policy/Config/CustomReg~Policy~RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d/PowerPoint_PackagerPrompt

Data type

String

Value

<enabled />

Set Word_PackagerPrompt

Name

Set Word_PackagerPrompt

Description

 

OMA-URI

./User/Vendor/MSFT/Policy/Config/CustomReg~Policy~RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d/Word_PackagerPrompt

Data type

String

Value

<enabled />

Set EnableLogging

Name

Set EnableLogging

Description

 

OMA-URI

./User/Vendor/MSFT/Policy/Config/CustomReg~Policy~RegImport_e66e35c5-89ac-4594-b279-0c49d518c81d/EnableLogging

Data type

String

Value

<enabled />
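
A review check for the settings above, added here as an example and not Devicie's or Microsoft's code: it derives the registry value each ingested policy writes from its `<enabled />` or `<disabled />` state and flags policies that write the same value. The names `ADMX`, `STATES`, `registry_writes` and `collisions` are chosen for this example; it assumes a disabled policy writes its `disabledValue`, and it unescapes literal `\r\n` and doubled backslashes if the value was copied from an export.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed excerpt: three policies trimmed from the page's ADMX value, kept in
# exported form (literal \r\n, doubled backslashes); display attributes omitted.
ADMX = (
    r'<policyDefinitions revision="1.0" schemaVersion="1.0">\r\n<policies>\r\n'
    r'<policy name="Word_AllowDDE" class="User" key="Software\\Microsoft\\Office\\16.0\\Word\\Security" valueName="AllowDDE">'
    r'<enabledValue><decimal value="1" /></enabledValue><disabledValue><decimal value="0" /></disabledValue></policy>\r\n'
    r'<policy name="Excel_PackagerPrompt" class="User" key="Software\\Microsoft\\Office\\16.0\\Excel\\Security" valueName="PackagerPrompt">'
    r'<enabledValue><decimal value="2" /></enabledValue><disabledValue><decimal value="0" /></disabledValue></policy>\r\n'
    r'<policy name="PowerPoint_PackagerPrompt" class="User" key="Software\\Microsoft\\Office\\16.0\\Excel\\Security" valueName="PackagerPrompt">'
    r'<enabledValue><decimal value="2" /></enabledValue><disabledValue><decimal value="0" /></disabledValue></policy>\r\n'
    r'</policies>\r\n</policyDefinitions>'
)

# State of each policy as set by the page's "Set <policy>" OMA-URI rows.
STATES = {
    "Word_AllowDDE": "disabled",
    "Excel_PackagerPrompt": "enabled",
    "PowerPoint_PackagerPrompt": "enabled",
}

def registry_writes(admx, states):
    """Map (key, valueName) -> [(policy, value)] for the given policy states."""
    xml_text = admx.replace("\\r\\n", "\n").replace("\\\\", "\\")
    writes = defaultdict(list)
    for pol in ET.fromstring(xml_text).iter("policy"):
        state = states.get(pol.get("name"))
        if state not in ("enabled", "disabled"):
            continue  # not configured: nothing is written
        value = int(pol.find(f"{state}Value/decimal").get("value"))
        # Registry paths are case-insensitive, so normalise before comparing.
        target = (pol.get("key").lower(), pol.get("valueName").lower())
        writes[target].append((pol.get("name"), value))
    return dict(writes)

def collisions(writes):
    """Targets written by more than one policy."""
    return {t: p for t, p in writes.items() if len(p) > 1}

if __name__ == "__main__":
    w = registry_writes(ADMX, STATES)
    for (key, name), pols in w.items():
        print(f"HKCU\\{key}\\{name} <- {pols}")  # class="User" policies land in HKCU
    for target, pols in collisions(w).items():
        print("COLLISION", target, [p for p, _ in pols])
```

Run against the page's full value, the check reports that `Excel_PackagerPrompt` and `PowerPoint_PackagerPrompt` both target `Excel\Security\PackagerPrompt`, which is worth confirming against the deployed template during post-deployment validation.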

 

Devicie Template Name

ACSC E8 Nov 2023 - ML2 User app hardening - ACSC Office Guidance (custom)

Default Intune Deployed Name

Devicie - ACSC E8 Nov 2023 - ML2 User app hardening - ACSC Office Guidance (custom)

Version

1.0

Template Last Updated

Nov 18, 2024

Document Last Updated:

Jul 24, 2025