ASD's Blueprint for Secure Cloud

Microsoft Intune

This section describes the configuration of Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.


Automated Configuration Deployment and Assessment

Overview

Some of the Intune configurations can be automatically deployed using Microsoft 365 Desired State Configuration (DSC).

Some of the Intune configurations cannot be assessed using a DSC blueprint. Please refer to those configuration pages to conduct a manual assessment.

Configuration                       Blueprint automation provided
Devices
  - Configuration Policies          Yes (DSC, JSON) (see notes 1, 2)
  - Compliance Policies             Yes (DSC)
  - Scripts                         No
  - Apple updates                   No
Apps                                No
Endpoint Security
  - Security Baselines              No
  - Attack Surface Reduction        Yes (DSC)

1: The ASD iOS Hardening and iOS Microsoft Enterprise SSO Plugin configuration policy needs to be created manually.

2: The ASD Windows Hardening Guidelines - User Rights Assignment configuration policy needs to be created manually, or the corresponding JSON file imported.

Desired State Configuration

Before using the below DSC file, please refer to the automated deployment page for instructions.

Desired State Configuration file: Download Intune DSC (.ps1). The linked .txt file must be renamed to .ps1.

Configuration data file: the configuration data file can be found on the DSC setup page.
Service principal permissions

For organisations importing the DSC as per the instructions on the automated deployment page, the following permissions will need to be added to the M365DSC app:

"IntuneAccountProtectionPolicy", "IntuneAppConfigurationPolicy", "IntuneApplicationControlPolicyWindows10", "IntuneAppProtectionPolicyAndroid", "IntuneAppProtectionPolicyiOS", "IntuneASRRulesPolicyWindows10", "IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager", "IntuneDeviceCompliancePolicyAndroid", "IntuneDeviceCompliancePolicyAndroidDeviceOwner", "IntuneDeviceCompliancePolicyAndroidWorkProfile", "IntuneDeviceCompliancePolicyiOs", "IntuneDeviceCompliancePolicyMacOS", "IntuneDeviceCompliancePolicyWindows10", "IntuneDeviceConfigurationCustomPolicyWindows10", "IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10", "IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10", "IntuneDeviceConfigurationDomainJoinPolicyWindows10", "IntuneDeviceConfigurationEmailProfilePolicyWindows10", "IntuneDeviceConfigurationEndpointProtectionPolicyWindows10", "IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10", "IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10", "IntuneDeviceConfigurationIdentityProtectionPolicyWindows10", "IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10", "IntuneDeviceConfigurationKioskPolicyWindows10", "IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10", "IntuneDeviceConfigurationPkcsCertificatePolicyWindows10", "IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator", "IntuneDeviceConfigurationPolicyAndroidDeviceOwner", "IntuneDeviceConfigurationPolicyAndroidOpenSourceProject", "IntuneDeviceConfigurationPolicyAndroidWorkProfile", "IntuneDeviceConfigurationPolicyiOS", "IntuneDeviceConfigurationPolicyMacOS", "IntuneDeviceConfigurationPolicyWindows10", "IntuneDeviceConfigurationSCEPCertificatePolicyWindows10", "IntuneDeviceConfigurationSecureAssessmentPolicyWindows10", "IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10", "IntuneDeviceConfigurationTrustedCertificatePolicyWindows10", "IntuneDeviceConfigurationVpnPolicyWindows10", 
"IntuneDeviceConfigurationWindowsTeamPolicyWindows10", "IntuneDeviceConfigurationWiredNetworkPolicyWindows10", "IntuneDeviceEnrollmentPlatformRestriction", "IntuneExploitProtectionPolicyWindows10SettingCatalog", "IntuneSettingCatalogASRRulesPolicyWindows10", "IntuneSettingCatalogCustomPolicyWindows10", "IntuneWiFiConfigurationPolicyAndroidDeviceAdministrator", "IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner", "IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile", "IntuneWifiConfigurationPolicyAndroidForWork", "IntuneWifiConfigurationPolicyAndroidOpenSourceProject", "IntuneWifiConfigurationPolicyIOS", "IntuneWifiConfigurationPolicyMacOS", "IntuneWifiConfigurationPolicyWindows10", "IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled"
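As an added example (not part of the Blueprint or the Microsoft365DSC project), the following PowerShell compiles the Graph application permissions that the resources listed above require and grants them to the M365DSC app registration using the Microsoft365DSC module's own cmdlets. It assumes the Microsoft365DSC module is installed, that the app registration is named 'M365DSC' (adjust to your tenant) and that its certificate or secret has already been configured as per the automated deployment page; the account running it must be able to grant admin consent.

```powershell
Import-Module Microsoft365DSC

# Resource names exactly as listed on this page (M365DSC resource names, not Graph scopes).
$resources = @(
    'IntuneAccountProtectionPolicy', 'IntuneAppConfigurationPolicy', 'IntuneApplicationControlPolicyWindows10',
    'IntuneAppProtectionPolicyAndroid', 'IntuneAppProtectionPolicyiOS', 'IntuneASRRulesPolicyWindows10',
    'IntuneAttackSurfaceReductionRulesPolicyWindows10ConfigManager', 'IntuneDeviceCompliancePolicyAndroid',
    'IntuneDeviceCompliancePolicyAndroidDeviceOwner', 'IntuneDeviceCompliancePolicyAndroidWorkProfile',
    'IntuneDeviceCompliancePolicyiOs', 'IntuneDeviceCompliancePolicyMacOS', 'IntuneDeviceCompliancePolicyWindows10',
    'IntuneDeviceConfigurationCustomPolicyWindows10', 'IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10',
    'IntuneDeviceConfigurationDeliveryOptimizationPolicyWindows10', 'IntuneDeviceConfigurationDomainJoinPolicyWindows10',
    'IntuneDeviceConfigurationEmailProfilePolicyWindows10', 'IntuneDeviceConfigurationEndpointProtectionPolicyWindows10',
    'IntuneDeviceConfigurationFirmwareInterfacePolicyWindows10', 'IntuneDeviceConfigurationHealthMonitoringConfigurationPolicyWindows10',
    'IntuneDeviceConfigurationIdentityProtectionPolicyWindows10', 'IntuneDeviceConfigurationImportedPfxCertificatePolicyWindows10',
    'IntuneDeviceConfigurationKioskPolicyWindows10', 'IntuneDeviceConfigurationNetworkBoundaryPolicyWindows10',
    'IntuneDeviceConfigurationPkcsCertificatePolicyWindows10', 'IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator',
    'IntuneDeviceConfigurationPolicyAndroidDeviceOwner', 'IntuneDeviceConfigurationPolicyAndroidOpenSourceProject',
    'IntuneDeviceConfigurationPolicyAndroidWorkProfile', 'IntuneDeviceConfigurationPolicyiOS', 'IntuneDeviceConfigurationPolicyMacOS',
    'IntuneDeviceConfigurationPolicyWindows10', 'IntuneDeviceConfigurationSCEPCertificatePolicyWindows10',
    'IntuneDeviceConfigurationSecureAssessmentPolicyWindows10', 'IntuneDeviceConfigurationSharedMultiDevicePolicyWindows10',
    'IntuneDeviceConfigurationTrustedCertificatePolicyWindows10', 'IntuneDeviceConfigurationVpnPolicyWindows10',
    'IntuneDeviceConfigurationWindowsTeamPolicyWindows10', 'IntuneDeviceConfigurationWiredNetworkPolicyWindows10',
    'IntuneDeviceEnrollmentPlatformRestriction', 'IntuneExploitProtectionPolicyWindows10SettingCatalog',
    'IntuneSettingCatalogASRRulesPolicyWindows10', 'IntuneSettingCatalogCustomPolicyWindows10',
    'IntuneWiFiConfigurationPolicyAndroidDeviceAdministrator', 'IntuneWifiConfigurationPolicyAndroidEnterpriseDeviceOwner',
    'IntuneWifiConfigurationPolicyAndroidEnterpriseWorkProfile', 'IntuneWifiConfigurationPolicyAndroidForWork',
    'IntuneWifiConfigurationPolicyAndroidOpenSourceProject', 'IntuneWifiConfigurationPolicyIOS', 'IntuneWifiConfigurationPolicyMacOS',
    'IntuneWifiConfigurationPolicyWindows10', 'IntuneWindowsInformationProtectionPolicyWindows10MdmEnrolled'
)

# Translate the resource names into the application permissions each resource declares.
# 'Update' access is needed because the Blueprint DSC creates and changes policies, not just reads them.
$permissions = Get-M365DSCCompiledPermissionList -ResourceNameList $resources `
    -PermissionType 'Application' -AccessType 'Update'

# Print the compiled set for review before consenting: every entry is tenant-wide application access,
# so this is the point to confirm nothing broader than the Intune resources above is being granted.
foreach ($p in $permissions) { '{0,-12} {1}' -f $p.Api, $p.PermissionName }

# Add the permissions to the existing app registration and grant admin consent.
# 'M365DSC' is an assumed application name; use the name chosen on the automated deployment page.
Update-M365DSCAzureAdApplication -ApplicationName 'M365DSC' -Permissions $permissions -AdminConsent
```

Re-run the script whenever the DSC file gains resources, since permissions added in the portal by hand tend to drift from what the DSC actually needs.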

Importing JSON configurations

Some Intune configurations can be set by importing a configuration policy in JSON format via the Intune admin center. The specific configuration policy pages have instructions where applicable.

Devices

This section describes the configuration of devices within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Apps

This section describes the configuration of apps within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.

Endpoint Security

This section describes the configuration of endpoint security within Microsoft Intune associated with systems built according to the guidance provided by ASD's Blueprint for Secure Cloud.
