Import ACSC Windows Hardening Policies in Intune - Step by Step Instructions

Step by Step instructions to create ACSC Windows 10 hardening settings in Intune using Graph API

Microsoft have published Intune policies to comply with Australian Cyber Security Centre's (ACSC) Windows 10 Hardening Guidance 

This policies are quite easy to import using graph explorer using official instruction provided at https://github.com/microsoft/Intune-ACSC-Windows-Hardening-Guidelines. 

However, this guide provides detailed steps by step instructions and screenshots to simply this process. 

To import these settings in Intune follow these steps

1. Navigate to  Microsoft Graph Explorer.



2. Click on Sign in, login using authorised privileges in respective tenant i.e. Global Administrator

 3. You may get a prompt to accept the consent,  select Consent on behalf of your organization then click Accept.


4. Create a post request using Beta schema and type following query as shown in the screenshot,
https://graph.microsoft.com/beta/deviceManagement/configurationPolicies 
5. Open new browser and go to ACSC Windows Hardening Guidelines policy and paste it in the request body

6.  Go back to Graph Explorer and Paste the content in request body, modify the name value if required.


7. Go to Modify permissions(preview) and click Consent.
8. You will get a prompt to accept the consent,  select Consent on behalf of your organization then click Accept.

You will receive the error if permissions are not granted.

9. Click Run Query to create the configuration profile in Intune tenant. You will notice green tick in  couple few seconds. 



10. You can to to Intune Portal  to see the newly created ACSC Windows Hardening Configuration profile and you may complete the assignment to apply this policy to Windows device.

11. You may open the settings and make changes as per your requirements. 

12. Copy/Paste other ACSC JSON policies and paste in Graph Explorer to complete creation of policies in Intune.

13. Once you complete the policies import, you will see following setting are enabled in the Intune tenant.
  • Configuration Profiles
  • Powershell Script
  • Security Baselines

  • Attack surface reduction rules

Check out following link for more information. 








Comments

Post a Comment

Popular posts from this blog

How to enable iOS unmanaged apps to read managed contacts & write unmanaged contacts without compromising security using Microsoft Intune

Image
The contacts saved in Exchange is considered managed contacts. with iOS 12 onwards managed contacts are not visible from unmanaged Apps. As stated in Apple Article (https://support.apple.com/en-au/HT208749)  iOS 12, you can use MDM to make the following exceptions to this policy: Allow unmanaged apps to access managed contacts Allow managed apps to save contacts to the local Contacts app Microsoft Intune have introduced new feature, but it has pre-requisite to "Viewing corporate documents in unmanaged apps" to write contact to unmanaged app and "Viewing non-corporate documents in corporate apps" to read managed contacts in unmanaged app.  This can be security issue for many organisations. However, you can enable this without changing the parent policy by following trick! Go to iOS restriction settings in Intune, go to 'App Store, Doc Viewing, Gaming controls'. As highlighted above 'Allow managed apps to write contacts
Read more

How to deploy Application (offline installer DMG) on Apple MacOS Devices using Microsoft Intune

Image
Microsoft Intune does not support deployment of DMG file. As per the  Microsoft documentation   : " Only  .pkg files may be used to upload macOS LOB apps to Microsoft Intune. Conversion of other formats, such as .dmg to .pkg is not supported." Microsoft Intune have provided support to deploy shell script to macOS. In the example below, I will deploy Adobe Acrobat Reader DC 2020.009.20063 DMG file on MacOS Device. Save following script as .sh package i.e.  InstallAdobeReader.sh #! /bin/sh url=https://ardownload2.adobe.com/pub/adobe/reader/mac/AcrobatDC/2000920063/AcroRdrDC_2000920063_MUI.dmg   set -x tempd=$(mktemp -d) curl $url > $tempd/AdobeReaderDC.dmg listing=$(sudo hdiutil attach $tempd/AdobeReaderDC.dmg | grep Volumes) volume=$(echo "$listing" | cut -f 3) package=$(ls -1 "$volume" | grep .pkg | head -1) sudo installer -pkg "$volume"/"$package" -target / sudo hdiutil detach "$(echo "$volume" | cut -f 1)" rm -r
Read more

ConfigMgr CB Backup Failing

Image
SCCM site backup was failing with following error,  smsbkup.log showing following error. Cannot find the dependent writer. The dependant component cannot be backed up. AddDependentComponent(pDependency) failed. Error code = 0x80,004,005.Error description = . Error: GatherWriterMetadata failed. 1. To fix this issue  Run 'VSSAdmin list writers' command. 2. Ensure following writers listed. 3. If you identify these two writers are not listed, restart 'SQL Server VSS Writer' if SQLServierWriter' is missing or 'SMS_Site_VSS_Writer' if SMS writer is missing. 4. 'VSSAdmin list writers', ensure both services are listed. 5. start sms_site_backup service to start backup, monitor smsbkup.log, ensure backup completed successfully.
Read more