Src/Compliance/ACSC.E8.json
|
{ "_meta": { "framework": "ACSC Essential Eight", "version": "2025-01", "reference": "https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight", "lastReviewed": "2025-01-01", "notes": "Maturity Levels: ML1 = partially aligned, ML2 = mostly aligned, ML3 = fully aligned. Status tokens: [OK] [WARN] [FAIL] [INFO]. Applies to Microsoft Intune (Endpoint Manager) configuration." }, "DeviceCompliance": { "_section": "Patch Applications / Patch Operating Systems -- Device Compliance", "_reference": "Essential Eight Strategy: Patch Applications, Patch Operating Systems", "checks": [ { "id": "E8-INTUNE-COMP-1", "ML": "ML1", "control": "Device compliance policies exist for all managed platforms", "staticStatus": null, "statusExpression": "if ($TotalCompliancePolicies -ge 1) { '[OK]' } else { '[FAIL]' }", "detailTemplate": "{TotalCompliancePolicies} compliance policy/policies configured across all platforms. At least one policy per managed platform is required.", "remediation": "Create device compliance policies for each managed platform (Windows, iOS, Android, macOS) in Intune > Devices > Compliance Policies.", "tags": ["compliance", "patch", "ml1"] }, { "id": "E8-INTUNE-COMP-2", "ML": "ML1", "control": "All compliance policies are assigned to groups", "staticStatus": null, "statusExpression": "if ($UnassignedPolicies -eq 0) { '[OK]' } elseif ($UnassignedPolicies -le 2) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{UnassignedPolicies} compliance policy/policies are not assigned to any group. Unassigned policies have no effect.", "remediation": "Assign all compliance policies to the appropriate Azure AD groups via Intune > Devices > Compliance Policies > [Policy] > Assignments.", "tags": ["compliance", "assignment", "ml1"] }, { "id": "E8-INTUNE-COMP-3", "ML": "ML1", "control": "Non-compliant device count is minimal", "staticStatus": null, "statusExpression": "if ($NonCompliantDevices -eq 0) { '[OK]' } elseif ($NonCompliantPct -le 5) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{NonCompliantDevices} device(s) ({NonCompliantPct}% of managed fleet) are non-compliant. Non-compliant devices should be remediated or retired.", "remediation": "Review non-compliant devices in Intune > Devices > Monitor > Noncompliant Devices and remediate or retire as appropriate.", "tags": ["compliance", "device-health", "ml1"] }, { "id": "E8-INTUNE-COMP-4", "ML": "ML2", "control": "Windows compliance policy requires OS minimum version", "staticStatus": null, "statusExpression": "if ($WindowsOsMinVersionConfigured) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Windows compliance policy OS minimum version requirement: {WindowsOsMinVersionConfigured}. Enforcing a minimum OS version ensures devices run a supported, patched OS build.", "remediation": "Configure the 'Minimum OS version' field in all Windows compliance policies to the current supported minimum (e.g. 10.0.22621 for Windows 11 22H2).", "tags": ["compliance", "patch-os", "windows", "ml2"] }, { "id": "E8-INTUNE-COMP-5", "ML": "ML2", "control": "Windows compliance policy requires BitLocker", "staticStatus": null, "statusExpression": "if ($WindowsBitLockerRequired) { '[OK]' } else { '[WARN]' }", "detailTemplate": "BitLocker enforcement in Windows compliance policy: {WindowsBitLockerRequired}. BitLocker protects data at rest on managed Windows devices (aligns with E8 Restrict Admin Privileges and data protection goals).", "remediation": "Enable 'Require BitLocker' in all Windows compliance policies under Device Health settings.", "tags": ["compliance", "bitlocker", "encryption", "windows", "ml2"] }, { "id": "E8-INTUNE-COMP-6", "ML": "ML2", "control": "Windows compliance policy requires Defender / antivirus", "staticStatus": null, "statusExpression": "if ($WindowsDefenderRequired) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Microsoft Defender antivirus required in Windows compliance: {WindowsDefenderRequired}. Antivirus is an Essential Eight application control complement.", "remediation": "Enable 'Require Microsoft Defender Antimalware' and 'Require real-time protection' in Windows compliance policies.", "tags": ["compliance", "antivirus", "defender", "windows", "ml2"] }, { "id": "E8-INTUNE-COMP-7", "ML": "ML2", "control": "Stale devices (>90 days no check-in) are minimal", "staticStatus": null, "statusExpression": "if ($StaleDevices -eq 0) { '[OK]' } elseif ($StaleDevicePct -le 5) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{StaleDevices} device(s) ({StaleDevicePct}%) have not checked in for >90 days. Stale devices may have outdated patches and policies.", "remediation": "Review and retire stale devices via Intune > Devices > All Devices. Consider implementing automatic device cleanup rules in Intune.", "tags": ["compliance", "stale-devices", "patch", "ml2"] }, { "id": "E8-INTUNE-COMP-8", "ML": "ML3", "control": "iOS / Android compliance policy enforces OS minimum version", "staticStatus": null, "statusExpression": "if ($MobileOsMinVersionConfigured) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Mobile platform (iOS/Android) OS minimum version configured: {MobileOsMinVersionConfigured}. Mobile devices without OS version enforcement may run vulnerable OS versions.", "remediation": "Configure minimum OS version in iOS and Android compliance policies to the latest supported major version.", "tags": ["compliance", "patch-os", "mobile", "ml3"] } ] }, "ConfigurationProfiles": { "_section": "Application Control / User Application Hardening -- Configuration Profiles", "_reference": "Essential Eight Strategy: Application Control, User Application Hardening", "checks": [ { "id": "E8-INTUNE-CFG-1", "ML": "ML1", "control": "Configuration profiles exist for managed platforms", "staticStatus": null, "statusExpression": "if ($TotalConfigProfiles -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalConfigProfiles} device configuration profile(s) found. Configuration profiles enforce security baselines and application hardening settings.", "remediation": "Create configuration profiles for each managed platform to enforce security settings (password policy, encryption, application restrictions).", "tags": ["configuration", "application-control", "ml1"] }, { "id": "E8-INTUNE-CFG-2", "ML": "ML1", "control": "All configuration profiles are assigned", "staticStatus": null, "statusExpression": "if ($UnassignedConfigProfiles -eq 0) { '[OK]' } elseif ($UnassignedConfigProfiles -le 2) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{UnassignedConfigProfiles} configuration profile(s) are not assigned to any group. Unassigned profiles provide no protection.", "remediation": "Assign all configuration profiles to the appropriate device or user groups.", "tags": ["configuration", "assignment", "ml1"] }, { "id": "E8-INTUNE-CFG-3", "ML": "ML2", "control": "Settings Catalog or Admin Template policies deployed", "staticStatus": null, "statusExpression": "if ($TotalSettingsCatalog -ge 1 -or $TotalAdminTemplates -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "Settings Catalog policies: {TotalSettingsCatalog}. Administrative Templates: {TotalAdminTemplates}. These policy types enable granular, GPO-equivalent enforcement of application and OS hardening settings.", "remediation": "Deploy Settings Catalog or Administrative Template policies to enforce application hardening (e.g., disable macros, restrict Office, harden Edge/Chrome).", "tags": ["configuration", "application-hardening", "settings-catalog", "ml2"] }, { "id": "E8-INTUNE-CFG-4", "ML": "ML3", "control": "Security Baselines deployed for Windows", "staticStatus": null, "statusExpression": "if ($TotalSecurityBaselines -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalSecurityBaselines} security baseline profile(s) deployed. Microsoft Security Baselines represent pre-configured ML3-aligned settings for Windows hardening.", "remediation": "Deploy Microsoft Security Baseline for Windows 10/11 and Microsoft Defender for Endpoint Security Baseline via Intune > Endpoint Security > Security Baselines.", "tags": ["configuration", "security-baseline", "windows", "ml3"] } ] }, "AppManagement": { "_section": "Application Control -- App Management", "_reference": "Essential Eight Strategy: Application Control, Restrict Microsoft Office Macros", "checks": [ { "id": "E8-INTUNE-APP-1", "ML": "ML1", "control": "App Protection Policies (MAM) deployed for iOS and Android", "staticStatus": null, "statusExpression": "if ($TotalAppProtectionPolicies -ge 2) { '[OK]' } elseif ($TotalAppProtectionPolicies -ge 1) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{TotalAppProtectionPolicies} App Protection Policy/Policies deployed. MAM policies enforce data loss prevention controls on managed apps (copy/paste restrictions, PIN, wipe).", "remediation": "Create App Protection Policies for both iOS and Android covering Microsoft 365 apps (Outlook, Teams, OneDrive, Word, Excel, PowerPoint).", "tags": ["app-management", "mam", "application-control", "ml1"] }, { "id": "E8-INTUNE-APP-2", "ML": "ML1", "control": "All App Protection Policies are assigned", "staticStatus": null, "statusExpression": "if ($UnassignedAppPolicies -eq 0) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{UnassignedAppPolicies} App Protection Policy/Policies are not assigned to any group.", "remediation": "Assign App Protection Policies to all user groups who use managed mobile devices.", "tags": ["app-management", "assignment", "ml1"] }, { "id": "E8-INTUNE-APP-3", "ML": "ML2", "control": "App Protection Policies block data transfer to unmanaged apps", "staticStatus": "[INFO]", "detailTemplate": "Verify App Protection Policies restrict 'Send org data to other apps' to Policy managed apps only. This prevents data exfiltration from managed apps to personal/unmanaged apps.", "remediation": "Set 'Send org data to other apps' to 'Policy managed apps' in all iOS and Android App Protection Policies.", "tags": ["app-management", "data-protection", "ml2"] }, { "id": "E8-INTUNE-APP-4", "ML": "ML2", "control": "App Protection Policies require PIN / biometric", "staticStatus": "[INFO]", "detailTemplate": "Verify App Protection Policies require PIN or biometric authentication before accessing managed apps. This enforces ML2 access control at the application layer.", "remediation": "Enable 'Require PIN for access' and 'Allow fingerprint instead of PIN' in all App Protection Policies.", "tags": ["app-management", "pin", "authentication", "ml2"] } ] }, "EnrollmentRestrictions": { "_section": "Patch Operating Systems / Application Control -- Enrollment Restrictions", "_reference": "Essential Eight Strategy: Patch Operating Systems, Application Control", "checks": [ { "id": "E8-INTUNE-ENROLL-1", "ML": "ML1", "control": "Device enrollment restrictions are configured", "staticStatus": null, "statusExpression": "if ($TotalEnrollmentRestrictions -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalEnrollmentRestrictions} enrollment restriction configuration(s) found. Enrollment restrictions control which device types and platforms can enrol into Intune.", "remediation": "Review and configure Device Type Restrictions to block unsupported or personally-owned platforms where not required.", "tags": ["enrollment", "application-control", "ml1"] }, { "id": "E8-INTUNE-ENROLL-2", "ML": "ML2", "control": "Windows Autopilot profiles deployed for corporate devices", "staticStatus": null, "statusExpression": "if ($TotalAutopilotProfiles -ge 1) { '[OK]' } else { '[INFO]' }", "detailTemplate": "{TotalAutopilotProfiles} Autopilot deployment profile(s) found. Autopilot enables zero-touch provisioning of Windows devices with security policy applied at first boot.", "remediation": "Register corporate Windows devices in Windows Autopilot and create deployment profiles to enforce Azure AD Join and automatic Intune enrolment.", "tags": ["enrollment", "autopilot", "windows", "ml2"] }, { "id": "E8-INTUNE-ENROLL-3", "ML": "ML2", "control": "Enrollment Status Page (ESP) deployed for Windows", "staticStatus": null, "statusExpression": "if ($TotalESPProfiles -ge 1) { '[OK]' } else { '[INFO]' }", "detailTemplate": "{TotalESPProfiles} Enrollment Status Page profile(s) found. ESP blocks device use until required apps and policies are applied, ensuring devices are secure before first user login.", "remediation": "Create an Enrollment Status Page profile and assign to Autopilot device groups. Configure to track app and policy installation.", "tags": ["enrollment", "esp", "windows", "ml2"] } ] }, "EndpointSecurity": { "_section": "Patch Applications / Application Control / Restrict Admin Privileges -- Endpoint Security", "_reference": "Essential Eight Strategy: Patch Applications, Application Control, Restrict Admin Privileges", "checks": [ { "id": "E8-INTUNE-ES-1", "ML": "ML1", "control": "Antivirus endpoint security policies deployed", "staticStatus": null, "statusExpression": "if ($TotalAntivirusPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalAntivirusPolicies} Antivirus endpoint security policy/policies deployed. Antivirus policies ensure Microsoft Defender is correctly configured on all managed devices.", "remediation": "Create an Antivirus policy in Intune > Endpoint Security > Antivirus targeting all Windows devices. Enable real-time protection, cloud-delivered protection, and automatic sample submission.", "tags": ["endpoint-security", "antivirus", "application-control", "ml1"] }, { "id": "E8-INTUNE-ES-2", "ML": "ML1", "control": "Firewall endpoint security policies deployed", "staticStatus": null, "statusExpression": "if ($TotalFirewallPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalFirewallPolicies} Firewall endpoint security policy/policies deployed. Firewall policies ensure Windows Firewall is enabled on all managed devices.", "remediation": "Create a Firewall policy in Intune > Endpoint Security > Firewall targeting all Windows devices. Enable firewall for domain, private, and public network profiles.", "tags": ["endpoint-security", "firewall", "ml1"] }, { "id": "E8-INTUNE-ES-3", "ML": "ML2", "control": "Disk Encryption policies deployed", "staticStatus": null, "statusExpression": "if ($TotalDiskEncryptionPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalDiskEncryptionPolicies} Disk Encryption endpoint security policy/policies deployed. BitLocker encryption protects data at rest and is required for ML2 alignment.", "remediation": "Create a Disk Encryption policy in Intune > Endpoint Security > Disk Encryption targeting all Windows devices. Require BitLocker with TPM-based encryption.", "tags": ["endpoint-security", "bitlocker", "encryption", "ml2"] }, { "id": "E8-INTUNE-ES-4", "ML": "ML2", "control": "Attack Surface Reduction (ASR) policies deployed", "staticStatus": null, "statusExpression": "if ($TotalASRPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalASRPolicies} Attack Surface Reduction policy/policies deployed. ASR rules block common attack techniques including Office macro abuse, script execution, and credential theft.", "remediation": "Create an Attack Surface Reduction policy in Intune > Endpoint Security > Attack Surface Reduction. Enable key rules in Audit mode first, then Block mode after validation.", "tags": ["endpoint-security", "asr", "application-control", "ml2"] }, { "id": "E8-INTUNE-ES-5", "ML": "ML3", "control": "Endpoint Detection and Response (EDR) policies deployed", "staticStatus": null, "statusExpression": "if ($TotalEDRPolicies -ge 1) { '[OK]' } else { '[WARN]' }", "detailTemplate": "{TotalEDRPolicies} EDR policy/policies deployed. EDR policies onboard managed Windows devices to Microsoft Defender for Endpoint for ML3 threat detection and response.", "remediation": "Create an Endpoint Detection and Response policy in Intune > Endpoint Security > Endpoint Detection and Response to onboard devices to Microsoft Defender for Endpoint.", "tags": ["endpoint-security", "edr", "defender-for-endpoint", "ml3"] } ] }, "Scripts": { "_section": "Patch Applications / Application Control -- Scripts and Remediations", "_reference": "Essential Eight Strategy: Patch Applications, Application Control", "checks": [ { "id": "E8-INTUNE-SCRIPT-1", "ML": "ML2", "control": "Proactive Remediations deployed for patch compliance monitoring", "staticStatus": null, "statusExpression": "if ($TotalRemediations -ge 1) { '[OK]' } else { '[INFO]' }", "detailTemplate": "{TotalRemediations} Proactive Remediation(s) deployed. Proactive Remediations enable automated detection and remediation of patch compliance gaps and configuration drift.", "remediation": "Deploy Proactive Remediations to detect and remediate common patch compliance gaps (e.g., Windows Update compliance, pending reboots, disabled Windows Defender).", "tags": ["scripts", "remediations", "patch", "ml2"] }, { "id": "E8-INTUNE-SCRIPT-2", "ML": "ML2", "control": "PowerShell scripts enforce signature checking", "staticStatus": null, "statusExpression": "if ($UnsignedScripts -eq 0) { '[OK]' } elseif ($UnsignedScripts -le 2) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{UnsignedScripts} PowerShell script(s) do not enforce signature checking. Unsigned scripts weaken application control and should be reviewed.", "remediation": "Enable 'Enforce script signature check' on all PowerShell scripts deployed via Intune, or sign all scripts with a trusted code-signing certificate.", "tags": ["scripts", "application-control", "ml2"] } ] }, "Devices": { "_section": "Patch Operating Systems -- Managed Devices", "_reference": "Essential Eight Strategy: Patch Operating Systems", "checks": [ { "id": "E8-INTUNE-DEV-1", "ML": "ML1", "control": "Managed device fleet is predominantly compliant", "staticStatus": null, "statusExpression": "if ($CompliantPct -ge 90) { '[OK]' } elseif ($CompliantPct -ge 70) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{CompliantDevices} of {TotalManagedDevices} devices ({CompliantPct}%) are compliant. ML1 target: at least 70% of devices are compliant with defined compliance policies.", "remediation": "Investigate non-compliant devices using Intune > Devices > Monitor > Noncompliant Devices. Remediate or retire devices that cannot achieve compliance.", "tags": ["devices", "compliance", "patch-os", "ml1"] }, { "id": "E8-INTUNE-DEV-2", "ML": "ML2", "control": "Stale devices are minimal (<5% of fleet)", "staticStatus": null, "statusExpression": "if ($StaleDevicePct -eq 0) { '[OK]' } elseif ($StaleDevicePct -le 5) { '[WARN]' } else { '[FAIL]' }", "detailTemplate": "{StaleDevices} device(s) ({StaleDevicePct}%) have not checked in for >90 days. Stale devices likely have unpatched vulnerabilities.", "remediation": "Configure Intune Device Cleanup Rules to automatically retire devices that have not checked in for 90 days. Review stale devices manually and retire or reset as appropriate.", "tags": ["devices", "stale", "patch-os", "ml2"] }, { "id": "E8-INTUNE-DEV-3", "ML": "ML3", "control": "Corporate devices outnumber personal devices", "staticStatus": null, "statusExpression": "if ($PersonalDevicePct -le 20) { '[OK]' } elseif ($PersonalDevicePct -le 40) { '[WARN]' } else { '[INFO]' }", "detailTemplate": "{CorporateDevices} corporate vs {PersonalDevices} personal devices ({PersonalDevicePct}% personal). ML3 prefers corporate-owned devices where full MDM control can be enforced.", "remediation": "Implement a BYOD policy that limits personal devices to MAM-only (App Protection Policies) rather than full MDM enrolment where corporate devices are available.", "tags": ["devices", "corporate-owned", "ml3"] } ] } } |