# ☁️ Microsoft 365 & Intune Configurations

Enterprise security configurations for Microsoft 365 and Intune environments, focusing on Essential 8 compliance.
## 🔒 Essential 8 Compliance

### Office Macro Security Policies

Implementation of the Australian Cyber Security Centre's Essential 8 framework for Office application security.

#### Trusted Locations Configuration

File: `Essential 8 - Office - Macros from Trusted Locations.json`

```json
{
  "displayName": "Essential 8 - Office - Macros from Trusted Locations",
  "description": "Allow macros only from trusted locations",
  "platforms": "windows10",
  "technologies": "mdm",
  "settings": {
    "macroSettings": {
      "trustedLocationsOnly": true,
      "disableVBAMacros": false,
      "trustedLocations": [
        "%PROGRAMFILES%\\Microsoft Office\\Templates",
        "%APPDATA%\\Microsoft\\Templates",
        "\\\\trusted-server\\shared\\templates"
      ]
    }
  }
}
```
#### Trusted Publishers Configuration

File: `Essential 8 - Office - Macros from Trusted Publishers.json`

```json
{
  "displayName": "Essential 8 - Office - Macros from Trusted Publishers",
  "description": "Allow macros only from digitally signed trusted publishers",
  "platforms": "windows10",
  "technologies": "mdm",
  "settings": {
    "macroSettings": {
      "trustedPublishersOnly": true,
      "requireSignedMacros": true,
      "blockUnsignedMacros": true,
      "trustedPublishers": [
        "Microsoft Corporation",
        "Your Organization Name"
      ]
    }
  }
}
```
## 🛡️ Security Benefits

### Macro Protection

- 🚫 **Blocks unsigned macros** - Prevents execution of macro-based malware that carries no trusted signature
- ✅ **Allows trusted sources** - Maintains productivity for legitimate, approved macros
- 📝 **Enforces digital signing** - Verifies macro authenticity against trusted publisher certificates
- 📍 **Restricts locations** - Limits macro execution to approved file paths

### Compliance Framework

- **Essential 8 Alignment** - Meets Australian Cyber Security Centre requirements
- **Zero Trust Architecture** - Assume-breach mentality
- **Defense in Depth** - Multiple security layers
- **Risk Mitigation** - Reduces the attack surface exposed by Office documents
## 🚀 Deployment via Intune

### Step 1: Import Configuration

- Sign in to the Microsoft Endpoint Manager admin center
- Navigate to **Devices** > **Configuration profiles**
- Click **Create profile**
- Select the **Windows 10 and later** platform
- Choose the **Custom** profile type
### Step 2: Configure Settings

```powershell
# PowerShell commands for manual configuration (per-user hive, Office 16.0).
# VBAWarnings values: 1 = Enable all, 2 = Disable with notification (Office default),
#                     3 = Disable all except digitally signed, 4 = Disable all without notification.
# Apply ONE of the two blocks below; running both only leaves the last value in place.
$apps = 'Word', 'Excel', 'PowerPoint'

# Trusted Locations Only: block all macros; files in configured Trusted Locations still run
foreach ($app in $apps) {
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\$app\Security" -Name "VBAWarnings" -Value 4 -Type DWord
}

# Trusted Publishers Only: only macros signed by a trusted publisher run
foreach ($app in $apps) {
    Set-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\$app\Security" -Name "VBAWarnings" -Value 3 -Type DWord
}
```
### Step 3: Assign to Groups

- Select target Azure AD groups
- Configure applicability rules
- Set deployment schedule
- Monitor compliance status
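The manual registry steps above, assembled into one script as an added example (this is not code from the repository): it snapshots the current values to a JSON file for rollback, applies either the Trusted Publishers or the Trusted Locations profile to Word, Excel and PowerPoint, and optionally registers a trusted location. The `Location99` subkey name, the backup path and the per-user (`HKCU:\Software\Microsoft`) hive are assumptions; an Intune Administrative Template writes the same value names under the `Software\Policies` hive instead, which takes precedence when both are present.

```powershell
# Added example, not part of the repository. Assumes Office 2016+ (16.0 hive)
# and per-user registry keys under HKCU:\Software\Microsoft\Office\16.0.
$OfficeApps = @('Word', 'Excel', 'PowerPoint')

# Documented VBAWarnings values (Office "VBA Macro Notification Settings" policy)
$VbaWarnings = @{
    EnableAll               = 1   # never use in production
    DisableWithNotification = 2   # Office default
    DisableExceptSigned     = 3   # "Trusted Publishers" profile
    DisableAll              = 4   # "Trusted Locations" profile: only trusted-location files run
}

function Get-OfficeSecurityPath {
    param([Parameter(Mandatory)][string]$App)
    "HKCU:\Software\Microsoft\Office\16.0\$App\Security"
}

function Backup-OfficeMacroPolicy {
    # Snapshot the current VBAWarnings values so the change can be rolled back.
    param([Parameter(Mandatory)][string]$BackupPath)
    $snapshot = foreach ($app in $OfficeApps) {
        $key = Get-OfficeSecurityPath -App $app
        $current = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{ App = $app; Key = $key; VBAWarnings = $current }
    }
    $snapshot | ConvertTo-Json | Set-Content -Path $BackupPath -Encoding UTF8
    $snapshot
}

function Set-OfficeMacroPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('TrustedPublishers', 'TrustedLocations')]
        [string]$PolicyProfile,
        # Optional trusted location to register (TrustedLocations profile only)
        [string]$TrustedLocationPath,
        # Assumed backup location; change to a managed path in production
        [string]$BackupPath = (Join-Path $env:TEMP 'office-macro-policy-backup.json')
    )

    Backup-OfficeMacroPolicy -BackupPath $BackupPath | Out-Null

    $value = if ($PolicyProfile -eq 'TrustedPublishers') { $VbaWarnings.DisableExceptSigned } else { $VbaWarnings.DisableAll }

    foreach ($app in $OfficeApps) {
        $key = Get-OfficeSecurityPath -App $app
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

        if ($PSCmdlet.ShouldProcess("$key\VBAWarnings", "Set to $value")) {
            Set-ItemProperty -Path $key -Name VBAWarnings -Value $value -Type DWord
            # Also block macros in files carrying the Mark of the Web (Office 2016+ value name)
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }

        if ($PolicyProfile -eq 'TrustedLocations' -and $TrustedLocationPath) {
            # Trusted locations sit below Security\Trusted Locations; "Location99" is an assumed subkey name
            $tlRoot = Join-Path $key 'Trusted Locations'
            $locKey = Join-Path $tlRoot 'Location99'
            if ($PSCmdlet.ShouldProcess($locKey, "Register trusted location $TrustedLocationPath")) {
                New-Item -Path $locKey -Force | Out-Null
                Set-ItemProperty -Path $locKey -Name Path -Value $TrustedLocationPath
                Set-ItemProperty -Path $locKey -Name AllowSubfolders -Value 1 -Type DWord
                Set-ItemProperty -Path $locKey -Name Description -Value 'Essential 8 approved macro location'
                # UNC paths are ignored unless network trusted locations are explicitly allowed
                if ($TrustedLocationPath -like '\\*') {
                    Set-ItemProperty -Path $tlRoot -Name AllowNetworkLocations -Value 1 -Type DWord
                }
            }
        }
    }
}

# Usage: dry run first with -WhatIf, then apply.
# Set-OfficeMacroPolicy -PolicyProfile TrustedLocations -TrustedLocationPath '\\trusted-server\shared\templates' -WhatIf
# Set-OfficeMacroPolicy -PolicyProfile TrustedLocations -TrustedLocationPath '\\trusted-server\shared\templates'
```

The `-WhatIf` pass prints every registry write without performing it, which is the cheapest way to review the change on a pilot machine before the Intune assignment goes out. Keep the backup file alongside the deployment record so the Registry Impact note below has something concrete to roll back to.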
## 📊 Monitoring & Compliance

### Intune Reporting

```kusto
// KQL query for compliance monitoring
IntuneDeviceComplianceOrg
| where PolicyName contains "Essential 8"
| summarize
    TotalDevices = dcount(DeviceId),
    CompliantDevices = dcountif(DeviceId, ComplianceState == "Compliant"),
    NonCompliantDevices = dcountif(DeviceId, ComplianceState == "NonCompliant")
| extend CompliancePercentage = (CompliantDevices * 100.0) / TotalDevices
```
### PowerShell Validation

```powershell
# Check macro security settings (per-user hive, Office 16.0)
$wordSecurity  = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Word\Security" -Name "VBAWarnings" -ErrorAction SilentlyContinue
$excelSecurity = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security" -Name "VBAWarnings" -ErrorAction SilentlyContinue
Write-Host "Word VBA Warnings: $($wordSecurity.VBAWarnings)"
Write-Host "Excel VBA Warnings: $($excelSecurity.VBAWarnings)"
# Values: 1 = Enable all, 2 = Disable with notification (default), 3 = Disable all except digitally signed, 4 = Disable all without notification
# An empty result means the value is not set and Office falls back to its default (2).
```
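The validation snippet above prints raw numbers; the following added example (not code from the repository) turns the same check into objects that can feed a report or an Intune Proactive Remediation detection script. It reads the policy hive (`HKCU:\Software\Policies\...`) before the user hive because a policy value overrides the user value when both exist, decodes the VBAWarnings number, and counts the trusted locations registered for each app. The hive paths, the `Trusted Locations` subkey layout and the expected value are assumptions stated in the comments.

```powershell
# Added example, not part of the repository. Assumes Office 16.0 and that the
# policy hive (Software\Policies) overrides the user hive (Software\Microsoft).
$VbaWarningsMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed'
    4 = 'Disable all macros without notification'
}

function Get-EffectiveVbaWarnings {
    # Return the VBAWarnings value that Office will actually honour, and where it came from.
    param([Parameter(Mandatory)][string]$App)
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $userKey   = "HKCU:\Software\Microsoft\Office\16.0\$App\Security"
    foreach ($key in @($policyKey, $userKey)) {
        $item = Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Value = [int]$item.VBAWarnings; Source = $key }
        }
    }
    # Nothing set: Office uses its default of 2 (disable with notification)
    [pscustomobject]@{ Value = $null; Source = 'not set (Office default: 2)' }
}

function Get-TrustedLocations {
    # Enumerate LocationN subkeys under the app's Trusted Locations key.
    param([Parameter(Mandatory)][string]$App)
    $base = "HKCU:\Software\Microsoft\Office\16.0\$App\Security\Trusted Locations"
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem -Path $base | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Name            = $_.PSChildName
            Path            = $p.Path
            AllowSubfolders = [bool]$p.AllowSubfolders
        }
    }
}

function Test-OfficeMacroPolicy {
    # Emit one object per app with the decoded setting and a Compliant flag.
    # ExpectedVbaWarnings: 3 for the Trusted Publishers profile, 4 for Trusted Locations.
    param(
        [ValidateSet(3, 4)][int]$ExpectedVbaWarnings = 3,
        [string[]]$Apps = @('Word', 'Excel', 'PowerPoint')
    )
    foreach ($app in $Apps) {
        $eff  = Get-EffectiveVbaWarnings -App $app
        $locs = @(Get-TrustedLocations -App $app)
        [pscustomobject]@{
            App                 = $app
            VBAWarnings         = $eff.Value
            Meaning             = if ($eff.Value) { $VbaWarningsMeaning[$eff.Value] } else { 'not set' }
            Source              = $eff.Source
            TrustedLocations    = $locs.Count
            NetworkLocations    = @($locs | Where-Object { $_.Path -like '\\*' }).Count
            Compliant           = ($eff.Value -eq $ExpectedVbaWarnings)
        }
    }
}

# Usage for an interactive check:
# Test-OfficeMacroPolicy -ExpectedVbaWarnings 4 | Format-Table -AutoSize
#
# Usage as a Proactive Remediation detection script (non-zero exit = non-compliant):
# if (Test-OfficeMacroPolicy -ExpectedVbaWarnings 4 | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

The `NetworkLocations` count is worth watching separately: a UNC path on the trusted-location allowlist widens the trust boundary to whoever can write to that share, so any non-zero value should map to a share whose write permissions have been reviewed.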
## ⚠️ Implementation Notes

### Testing Required

Test configurations in a pilot group before organization-wide deployment. Some line-of-business applications may require allowlisting.

### Gradual Rollout

Implement in phases:

- Trusted Publishers first (less restrictive)
- Trusted Locations second (more restrictive)
- Monitor user feedback and adjust accordingly

### Registry Impact

These configurations modify Windows Registry settings. Ensure you have appropriate backup and rollback procedures.