Overview
The Devicie Essential Eight Maturity Level 2 User Application Hardening (Nov 2023) configuration is intended to meet the Australian Cyber Security Centre’s guidance for this mitigation strategy. This configuration specifically implements the vendor’s (Microsoft) guidance released for Edge (version 127).
Intune Description:
E8 ML2 User App Hardening (Nov 2023) - MS Edge Security Baseline v127
Scope:
This baseline should be applied to Windows devices. It must be deployed together with “DEVICIE-PROD-ACSC E8 Nov 2023-ML1 User app hardening” and all additional “DEVICIE-PROD-ACSC E8 Nov 2023-ML2 User app hardening” add-on items.
Policy Impact Areas:
When deployed, this policy will impact:
- Additional security controls, specifically for Microsoft Edge.
- Office Add-on Management controls.
- Blocking of Trusted Locations on the network.
Deployment Notes
Pre-Deployment Considerations:
- Review whether Microsoft Edge is being used within the environment.
Post-Deployment Validation:
- Review that the ability to use Trusted Locations on the network is restricted as configured.
Configuration Settings:
Name | Value
Administrative Templates |
MS Security Guide |
Block Flash activation in Office documents | Enabled
Block Flash player in Office (Device) | Block all activation
Restrict legacy JScript execution for Office | Enabled
Access: (Device) | 69632
Excel: (Device) | 69632
OneNote: (Device) | 69632
Outlook: (Device) | 69632
PowerPoint: (Device) | 69632
Project: (Device) | 69632
Publisher: (Device) | 69632
Visio: (Device) | 69632
Word: (Device) | 69632
Microsoft Access 2016 |
Trust Center |
Block macros from running in Office files from the Internet (User) | Enabled
Trusted Locations |
Allow Trusted Locations on the network (User) | Disabled
Microsoft Excel 2016 |
Data Recovery |
Do not show data extraction options when opening corrupt workbooks (User) | Enabled
Advanced |
Ask to update automatic links (User) | Enabled
General |
Load pictures from Web pages not created in Excel (User) | Disabled
Save |
Disable AutoRepublish (User) | Enabled
Do not show AutoRepublish warning alert (User) | Disabled
Security |
Force file extension to match file type (User) | Enabled (Always match file type)
Scan encrypted macros in Excel Open XML workbooks (User) | Enabled (Scan encrypted macros (default))
Turn off file validation (User) | Disabled
WEBSERVICE Function Notification Settings (User) | Enabled (Disable all with notification)
Trust Center |
Block macros from running in Office files from the Internet (User) | Enabled
Prevent Excel from running XLM macros (User) | Enabled
External Content |
Always prevent untrusted Microsoft Query files from opening (User) | Enabled
Don’t allow Dynamic Data Exchange (DDE) server launch in Excel (User) | Enabled
Don’t allow Dynamic Data Exchange (DDE) server lookup in Excel (User) | Enabled
File Block Settings |
dBase III / IV files (User) | Enabled; file block setting: Open/Save blocked, use open policy
Dif and Sylk files (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 2 macrosheets and add-in files (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 2 worksheets (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 3 macrosheets and add-in files (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 3 worksheets (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 4 macrosheets and add-in files (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 4 workbooks (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 4 worksheets (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 95 workbooks (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 95-97 workbooks and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Excel 97-2003 workbooks and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Set default file block behavior (User) | Enabled (Blocked files are not opened)
Web pages and Excel 2003 XML spreadsheets (User) | Enabled; file block setting: Open/Save blocked, use open policy
Protected View |
Always open untrusted database files in Protected View (User) | Enabled
Do not open files from the Internet zone in Protected View (User) | Disabled
Do not open files in unsafe locations in Protected View (User) | Disabled
Turn off Protected View for attachments opened from Outlook (User) | Disabled
Trusted Locations |
Allow Trusted Locations on the network (User) | Disabled
Microsoft Lync Feature Policies |
Configure SIP security mode | Enabled
Disable HTTP fallback for SIP connection | Enabled
Microsoft Office 2016 |
Customize |
Disable UI extending from documents and templates (User) | Enabled
Disallow in Access (User) | True
Disallow in Excel (User) | True
Disallow in InfoPath (User) | True
Disallow in Outlook (User) | True
Disallow in PowerPoint (User) | True
Disallow in Project (User) | True
Disallow in Publisher (User) | True
Disallow in Visio (User) | True
Disallow in Word (User) | True
Security Settings |
ActiveX Control Initialization (User) | Enabled
ActiveX Control Initialization: (User) | 6
Allow VBA to load typelib references by path from untrusted intranet locations (User) | Disabled
Control how Office handles form-based sign-in prompts (User) | Enabled
Behavior: (User) | Block all prompts
Specify hosts allowed to show form-based sign-in prompts to users: (User) |
Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine (User) | Disabled
Encryption mode for Information Rights Management (IRM) (User) | Enabled
IRM Encryption Mode: (User) | Cipher Block Chaining (CBC)
Encryption type for password protected Office 97-2003 files (User) | Enabled
Encryption type: (User) | Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256
Encryption type for password protected Office Open XML files (User) | Enabled
Encryption type: (User) | Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256
Load Controls in Forms3 (User) | Enabled
Load Controls in Forms3: (User) | 1
Macro Runtime Scan Scope (User) | Enabled (Enable for all documents)
Protect document metadata for rights managed Office Open XML Files (User) | Enabled
Trust Center |
Allow mix of policy and user locations (User) | Disabled
Server Settings |
Disable the Office client from polling the SharePoint Server for published links (User) | Enabled
Smart Documents (Word, Excel) |
Disable Smart Document's use of manifests (User) | Enabled
Microsoft Office 2016 (Machine) |
IE Security |
Each of the following IE security feature controls is Enabled, with every one of these processes set to True (Device scope): excel.exe, exprwd.exe, groove.exe, msaccess.exe, mse7.exe, mspub.exe, onent.exe, outlook.exe, powerpnt.exe, pptview.exe, spDesign.exe, visio.exe, winproj.exe, winword.exe.
Add-on Management | Enabled
Consistent Mime Handling | Enabled
Disable user name and password | Enabled
Information Bar | Enabled
Local Machine Zone Lockdown Security | Enabled
Mime Sniffing Safety Feature | Enabled
Navigate URL | Enabled
Object Caching Protection | Enabled
Protection From Zone Elevation | Enabled
Restrict ActiveX Install | Enabled
Restrict File Download | Enabled
Saved from URL | Enabled
Scripted Window Security Restrictions | Enabled
Microsoft Outlook 2016 |
Exchange |
Authentication with Exchange Server (User) (Deprecated) | Enabled
Select the authentication with Exchange server. (User) | Kerberos Password Authentication
Enable RPC encryption (User) (Deprecated) | Enabled
Advanced |
Do not allow Outlook object model scripts to run for public folders (User) (Deprecated) | Enabled
Do not allow Outlook object model scripts to run for shared folders (User) (Deprecated) | Enabled
Use Unicode format when dragging e-mail message to file system (User) (Deprecated) | Disabled
Security |
Allow Active X One Off Forms (User) (Deprecated) | Enabled (Load only Outlook Controls)
Prevent users from customizing attachment security settings (User) (Deprecated) | Enabled
Automatic Picture Download Settings |
Include Internet in Safe Zones for Automatic Picture Download (User) (Deprecated) | Disabled
Cryptography |
Minimum encryption settings (User) (Deprecated) | Enabled
Minimum key size (in bits): (User) | 168
Signature Warning (User) (Deprecated) | Enabled
Signature Warning (User) | Always warn about invalid signatures
Signature Status dialog box |
Retrieving CRLs (Certificate Revocation Lists) (User) (Deprecated) | Enabled (When online always retrieve the CRL)
Attachment Security |
Allow users to demote attachments to Level 2 (User) (Deprecated) | Disabled
Display Level 1 attachments (User) (Deprecated) | Disabled
Remove file extensions blocked as Level 1 (User) (Deprecated) | Enabled
Removed Extensions: (User) | ;
Remove file extensions blocked as Level 2 (User) (Deprecated) | Enabled
Removed Extensions: (User) | ;
Custom Form Security |
Allow scripts in one-off Outlook forms (User) (Deprecated) | Disabled
Set Outlook object model custom actions execution prompt (User) (Deprecated) | Enabled
When executing a custom action: (User) | Automatically Deny
Security Form Settings |
Outlook Security Mode (User) | Enabled
Outlook Security Policy: (User) | Use Outlook Security Group Policy
Programmatic Security |
Configure Outlook object model prompt when accessing an address book (User) (Deprecated) | Enabled; guard behavior: Automatically Deny
Configure Outlook object model prompt when accessing the Formula property of a UserProperty object (User) (Deprecated) | Enabled; guard behavior: Automatically Deny
Configure Outlook object model prompt when executing Save As (User) (Deprecated) | Enabled; guard behavior: Automatically Deny
Configure Outlook object model prompt when reading address information (User) (Deprecated) | Enabled; guard behavior: Automatically Deny
Configure Outlook object model prompt when responding to meeting and task requests (User) (Deprecated) | Enabled; guard behavior: Automatically Deny
Configure Outlook object model prompt when sending mail (User) (Deprecated) | Enabled; guard behavior: Automatically Deny
Trust Center |
Allow hyperlinks in suspected phishing e-mail messages (User) (Deprecated) | Disabled
Microsoft PowerPoint 2016 |
Security |
Run Programs (User) | Enabled (disable (don't run any programs))
Scan encrypted macros in PowerPoint Open XML presentations (User) | Enabled (Scan encrypted macros (default))
Turn off file validation (User) | Disabled
Trust Center |
Block macros from running in Office files from the Internet (User) | Enabled
File Block Settings |
PowerPoint 97-2003 presentations, shows, templates and add-in files (User) | Enabled; file block setting: Open/Save blocked, use open policy
Set default file block behavior (User) | Enabled (Blocked files are not opened)
Protected View |
Do not open files from the Internet zone in Protected View (User) | Disabled
Do not open files in unsafe locations in Protected View (User) | Disabled
Turn off Protected View for attachments opened from Outlook (User) | Disabled
Trusted Locations |
Allow Trusted Locations on the network (User) | Disabled
Microsoft Project 2016 |
Trust Center |
Allow Trusted Locations on the network (User) | Disabled
Microsoft Publisher 2016 |
Trust Center |
Block macros from running in Office files from the internet (User) | Enabled
Microsoft Visio 2016 |
Trust Center |
Allow Trusted Locations on the network (User) | Disabled
File Block Settings |
Visio 2000-2002 Binary Drawings, Templates and Stencils (User) | Enabled; file block setting: Open/Save blocked
Visio 2003-2010 Binary Drawings, Templates and Stencils (User) | Enabled; file block setting: Open/Save blocked
Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User) | Enabled; file block setting: Open/Save blocked
Microsoft Word 2016 |
Trust Center |
Block macros from running in Office files from the Internet (User) | Enabled
Dynamic Data Exchange (User) | Disabled
Scan encrypted macros in Word Open XML documents (User) | Enabled (Scan encrypted macros (default))
File Block Settings |
Set default file block behavior (User) | Enabled (Blocked files are not opened)
Word 2 and earlier binary documents and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Word 2000 binary documents and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Word 2003 binary documents and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Word 2007 and later binary documents and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Word 6.0 binary documents and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Word 95 binary documents and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Word 97 binary documents and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Word XP binary documents and templates (User) | Enabled; file block setting: Open/Save blocked, use open policy
Protected View |
Do not open files from the Internet zone in Protected View (User) | Disabled
Do not open files in unsafe locations in Protected View (User) | Disabled
Turn off Protected View for attachments opened from Outlook (User) | Disabled
Trusted Locations |
Allow Trusted Locations on the network (User) | Disabled
Security |
Turn off file validation (User) | Disabled
Devicie Template Name: ACSC E8 Nov 2023-ML2 User app hardening-MS Edge Security Baseline v127
Default Intune Deployed Name: DEVICIE-PROD-ACSC E8 Nov 2023-ML2 User app hardening-MS Edge Security Baseline v127
Version: 1.0
Template Last Updated: Nov 18, 2024
Document Last Updated: Jun 12, 2025