ASD Blueprint Configuration Tool v2.0

Build a deployment package for ASD Essential Eight and ISM compliance on your Windows 365 Cloud PCs.

1. Quick Start

Select ML1, ML2, or ML3 to pre-fill your cart with all required policies for that maturity level.

2. Policy Catalog

Browse all 77 policies organized by E8 pillar. Read what each policy does and its implications.

3. Generate Package

Generate downloadable JSON files and a step-by-step deployment guide from your cart.

IMPORTANT: OS HARDENING VS. ESSENTIAL EIGHT MATURITY

Importing the ACSC Windows Hardening JSON addresses endpoint configuration only (E4 — User Application Hardening). It does not satisfy the full requirements for any maturity level on its own. Each level requires additional controls:

ML1 requires all of the following beyond endpoint hardening:

  • AppLocker (E1) — path-based application control on user profiles and temp folders
  • MFA for all users (E7) — any MFA method (authenticator app, phone, OATH token)
  • Macros disabled (E3) — block macros from internet, disable for non-macro users
  • Dedicated admin accounts (E5) — separate privileged accounts, no internet/email access
  • Patching within 2 weeks (E2, E6) — applications and OS patched, update rings configured
  • Backups (E8) — OneDrive KFM, W365 point-in-time restore, M365 retention policies
  • W365 provisioning — Cloud PCs provisioned with security baseline, RDP redirections configured

ML2 adds on top of ML1:

  • WDAC (E1) — replaces AppLocker with Windows Defender Application Control (audit then enforce)
  • Phishing-resistant MFA (E7) — only FIDO2, Windows Hello for Business, or certificate-based auth
  • LAPS + admin hardening (E5) — local admin password rotation, privileged access event logging, no internet for admin accounts
  • Trusted Publisher macros (E3) — only digitally signed macros from approved publishers
  • 48-hour critical patching (E6) — critical OS/app vulnerabilities patched within 48 hours

ML3 adds on top of ML2:

  • WDAC Enforce + HVCI (E1) — hypervisor-protected code integrity, vulnerable driver blocklist
  • Credential Guard + Remote Credential Guard (E5) — virtualisation-based credential isolation
  • PIM (E5) — just-in-time privileged access with approval workflows
  • Driver/firmware patching (E6) — drivers and firmware patched within 48 hours (critical)
  • Preservation Lock (E8) — irreversible retention policy protection

This tool maps every ISM control to its maturity level and deployment method, ensuring nothing is missed. Use the Quick Start to select your target level, then review the full list in the Policy Catalog.

Prerequisites Before Deploying

  • Licensing: Microsoft 365 E3 or E5 (includes Intune + Defender for Endpoint) + Windows 365 Enterprise
  • Admin roles: Global Administrator or Intune Administrator + Conditional Access Administrator + Security Administrator
  • Break-glass accounts: At least 2 cloud-only Global Admin accounts, excluded from all CA policies — created BEFORE any CA policies go live
  • Microsoft Defender for Endpoint: Onboarded and reporting before deploying ASR rules or Network Protection
  • Azure AD / Entra Join: Devices enrolled in Intune (W365 Cloud PCs are always Entra Join + Intune enrolled automatically)
  • Test group: Create a pilot AAD group (5–10 users) for initial policy targeting before broad rollout
  • Backup of current policies: Export existing Intune configurations via Devices → Configuration → Export before importing new policies

Disclaimers

Not an official Microsoft or ASD product. This tool is an implementation aid built from publicly available ASD Essential Eight guidance and the Microsoft ACSC Intune Hardening Guidelines repository. It is not endorsed, certified, or supported by the Australian Signals Directorate, the Australian Cyber Security Centre, or Microsoft.

No guarantee of compliance. Use of this tool does not constitute or guarantee compliance with the ASD Essential Eight, the Information Security Manual (ISM), or any other regulatory framework. Compliance requires formal assessment by an IRAP (Infosec Registered Assessors Program) assessor or equivalent authority. This tool assists with configuration — it does not replace professional security assessment.

Test before deploying to production. All generated configurations should be tested in a non-production environment or on a pilot group before broad deployment. Some configurations (Conditional Access, WDAC, ASR rules) can lock out users or prevent device access if misconfigured. The tool provides phased deployment guidance, but the deploying organisation assumes all risk.

Point-in-time accuracy. This tool is based on ASD Essential Eight guidance, ISM controls, and the ASD Blueprint for Windows 365 as published on learn.microsoft.com as of February 2026. ISM control numbers, maturity level definitions, and recommended configurations may change. Verify against current ASD publications before deploying.

JSON policy templates are samples. The Settings Catalog JSON templates contain representative settings from the ACSC hardening guidelines. They may not include all settings from the full ACSC JSON policies available on GitHub. For comprehensive hardening, download the complete policies from the official Microsoft ACSC repository and import them directly.

Quick Start — Configure Your W365 Deployment

Answer a few questions about your environment, select your target maturity level, and choose your Cloud PC user scenarios.

Step 1: Your Environment

Preview: ASD-E4-ML1-Windows Hardening W365

Format: {Prefix}-{Pillar}-{ML}-{Name}. Helps identify ASD Blueprint policies in your Intune tenant.

Step 2: Select Maturity Level

ML1

Essential Eight — Maturity Level 1

Basic cyber hygiene. Suitable for most organisations starting their ASD compliance journey.

ML2

Essential Eight — Maturity Level 2

Substantially hardened. Includes WDAC, phishing-resistant MFA, and stricter CA policies.

ML3

Essential Eight — Maturity Level 3

Fully aligned. Includes Credential Guard, PAWs guidance, and advanced controls.

Step 3: Cloud PC User Scenarios

Select which user populations will access Windows 365 Cloud PCs. Each scenario adds the appropriate RDP redirection profile. You can select multiple — they target different Azure AD groups.

Select a maturity level and at least one deployment scenario to continue.

HIGH-RISK POLICIES ARE INCLUDED

All maturity presets include Conditional Access policies (marked High Risk). These are included in the cart but will not generate importable JSON. Instead, the tool generates a phased deployment guide with warnings, prerequisites, and rollback procedures. Start with CA policies in Report-only mode. Monitor for 2–4 weeks before enabling enforcement.

What Each Level Includes

E1 — Application Control
  • ML1: AppLocker path rules
  • ML2: WDAC Audit + Enforce (High Risk)
  • ML3: Same + HVCI + vulnerable driver blocklist

E2 — Patch Applications
  • ML1: Monthly Enterprise channel
  • ML2: Same (48h critical SLA)
  • ML3: Same

E3 — Office Macro Settings
  • ML1: All macros disabled + Office hardening
  • ML2: Trusted publisher macros only
  • ML3: Same

E4 — Application Hardening
  • ML1: ACSC Windows + Edge + Office hardening
  • ML2: Same + ASR Block mode (High Risk)
  • ML3: Same

E5 — Admin Privileges
  • ML1: Dedicated accounts + EPM + login restrictions
  • ML2: + LAPS + no internet for admins + audit logging
  • ML3: + PIM + Credential Guard + PAW

E6 — Patch OS
  • ML1: Update rings (28d deferral)
  • ML2: Update rings (14d critical)
  • ML3: Update rings (48h critical) + driver patching

E7 — MFA
  • ML1: MFA required (authenticator app) (High Risk)
  • ML2: Phishing-resistant MFA (FIDO2/WHfB) (High Risk)
  • ML3: Same

E8 — Backups
  • ML1: OneDrive KFM + W365 restore
  • ML2: + M365 retention + verified restore testing
  • ML3: + Preservation Lock

ISM — Endpoint Security
  • ML1: Defender AV + Firewall + Compliance
  • ML2: + Defender EDR full config + BitLocker (physical only)
  • ML3: + TLS enforcement + advanced audit

Policy Catalog

Browse all ASD Blueprint configurations. Expand any item to review details, implications, and configurable settings before adding to your cart.

Generate Deployment Package

Tabs: Overview | Download JSON | Manual Config | High-Risk Setup | Monitor & Enforce

Add configurations to your cart, then click Generate Package.

Deployment Checklist

A phased, sequenced checklist for deploying your selected configurations. Check items off as you complete them — progress is saved in your browser.

Generate a package first to see the deployment checklist.

Reference Materials

ISM Control Mapping

Complete mapping of ISM controls referenced by policies in this tool.


Glossary

Settings Catalog

Intune feature for granular device configuration. Supports JSON export/import. Used for the majority of E8 endpoint hardening settings.

WDAC

Windows Defender Application Control. Enterprise-grade application whitelisting. Replaces AppLocker at ML2+. Policies deployed as .BIN files via Custom OMA-URI.

ASR Rules

Attack Surface Reduction. Defender rules blocking common attack vectors (Office child processes, credential theft, script execution). Deploy in audit mode first.

Conditional Access

Entra ID policy engine controlling access based on user, device, location, and risk. Cannot be imported via JSON — requires manual portal or Graph API configuration.

Graph Explorer

Microsoft's API testing tool (graph.microsoft.com). Used to import Security Baselines and ASR policies that can't be imported through the Intune portal UI.

W365 Provisioning Policy

Intune policy defining how Cloud PCs are created, including network type, OS image, and assigned user groups.

LAPS

Local Administrator Password Solution. Auto-rotates and escrows local admin passwords to Entra ID. Prevents shared admin credentials.

PIM

Privileged Identity Management. Just-in-time admin access in Entra ID. Admins activate roles only when needed, for a limited time.

WHfB

Windows Hello for Business. Phishing-resistant biometric/PIN auth bound to TPM. Required for ML2+ MFA compliance.

Windows App

The Microsoft native client for accessing Windows 365 and Azure Virtual Desktop (formerly Remote Desktop Client). Replaces browser-based access.

Official Resources

Frequently Asked Questions

Q: Does importing the ACSC Windows Hardening JSON achieve ML2?
A: No. The ACSC Windows Hardening JSON addresses application hardening (E4) at ML1. ML2 requires additional controls: WDAC enforcement (E1), phishing-resistant MFA (E7), admin privilege restrictions (E5), and 48-hour critical patching SLAs (E6). This tool categorises each requirement clearly.
Q: Can I import the generated JSON files directly into Intune?
A: Yes. Use Devices → Configuration → Policies → Import policy. The JSON files use the Settings Catalog format (each setting instance carries an @odata.type such as #microsoft.graph.deviceManagementConfigurationChoiceSettingInstance), which is directly importable.

Important — Assignment scope matters: After import, assign each policy to the correct group type. Office and macro policies use user-scoped CSPs and should be assigned to Entra ID user groups. All other policies (Windows Hardening, Edge, Defender, ASR, Audit) use device-scoped CSPs and should be assigned to device groups containing your W365 Cloud PCs. Assigning a user-scoped policy to a device group will work but the System account row will show “Not applicable” in Intune reporting. The Generated Output tab shows the recommended scope for each policy.
Q: What happens if two policies define the same setting?
A: Intune reports a "Conflict" state for the affected devices and setting. The behaviour is unpredictable — Intune does not have a defined winner. The conflict detection engine in this tool prevents selecting policies that would cause this. If you see conflicts, remove one of the conflicting policies from your cart.
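As an added example (not the tool's own code), the following Python applies the two cart checks described in the answers above to a constructed set of policies in trimmed Settings Catalog export shape: it derives the recommended assignment scope from the device_/user_ prefix of each settingDefinitionId, and it flags any setting defined by more than one selected policy, returning the value each policy sets so the conflict can be resolved. The policy names follow the tool's {Prefix}-{Pillar}-{ML}-{Name} format; the setting definition IDs are placeholders, not real CSP identifiers.

```python
CHOICE = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance"
SIMPLE = "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance"

def choice(sid, value):
    """Choice setting in trimmed Settings Catalog export shape; value is the option suffix."""
    return {"settingInstance": {"@odata.type": CHOICE, "settingDefinitionId": sid,
                                "choiceSettingValue": {"value": f"{sid}_{value}"}}}

def simple(sid, value):
    """Simple (string/integer) setting in the same trimmed shape."""
    return {"settingInstance": {"@odata.type": SIMPLE, "settingDefinitionId": sid,
                                "simpleSettingValue": {"value": value}}}

# Constructed cart. Names follow the tool's {Prefix}-{Pillar}-{ML}-{Name} format;
# the settingDefinitionId values are placeholders, not real CSP identifiers.
CART = [
    {"name": "ASD-E4-ML1-Windows Hardening W365", "settings": [
        choice("device_vendor_msft_policy_config_sample_smartscreen", 1),
        choice("device_vendor_msft_policy_config_sample_allowrdp", 1)]},
    {"name": "ASD-E3-ML1-Office Macros", "settings": [
        choice("user_vendor_msft_policy_config_sample_vbablock", 1)]},
    {"name": "ASD-E4-ML1-Edge Hardening", "settings": [
        choice("device_vendor_msft_policy_config_sample_smartscreen", 0),
        simple("device_vendor_msft_policy_config_sample_homepage", "about:blank")]},
]

def setting_values(policy):
    """Yield (settingDefinitionId, value) for every setting instance in a policy."""
    for entry in policy["settings"]:
        inst = entry["settingInstance"]
        if inst["@odata.type"] == CHOICE:
            yield inst["settingDefinitionId"], inst["choiceSettingValue"]["value"]
        elif inst["@odata.type"] == SIMPLE:
            yield inst["settingDefinitionId"], inst["simpleSettingValue"]["value"]
        else:
            raise ValueError("unsupported setting instance: " + inst["@odata.type"])

def recommended_scope(policy):
    """Assignment scope from the CSP prefix of the definition IDs: user, device or mixed."""
    scopes = {sid.split("_", 1)[0] for sid, _ in setting_values(policy)}
    return scopes.pop() if len(scopes) == 1 else "mixed"

def find_conflicts(cart):
    """Map each settingDefinitionId defined by more than one policy to {policy name: value}."""
    seen = {}
    for policy in cart:
        for sid, value in setting_values(policy):
            seen.setdefault(sid, {})[policy["name"]] = value
    return {sid: by for sid, by in seen.items() if len(by) > 1}
```

Run find_conflicts over the cart before generating the package; a policy that raises ValueError contains a setting instance type this check does not understand and should be reviewed by hand rather than assumed conflict-free.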
Q: Why are Conditional Access policies marked "High Risk" instead of providing a JSON?
A: Conditional Access policies use the Microsoft Entra policy engine (not Intune Settings Catalog) and cannot be imported via JSON. More importantly, CA policies that block access (Block Legacy Auth, Require Compliant Device) can lock users out if deployed incorrectly. The tool provides guided deployment steps with warnings and a phased approach instead.
Q: Do W365 Cloud PCs count as Intune-compliant devices automatically?
A: W365 Cloud PCs are Azure AD Joined and Intune-enrolled automatically during provisioning. However, they still need to satisfy your compliance policy requirements (Secure Boot, minimum OS version, Defender). Important: BitLocker is NOT supported on W365 Cloud PCs — they are virtual machines without physical TPM hardware. The “Require BitLocker” compliance check uses Device Health Attestation (DHA), which will always fail on Cloud PCs. Microsoft manages data-at-rest encryption at the hypervisor layer for W365. Create a separate compliance policy for Cloud PCs that does not require BitLocker.
Q: Why does this tool only include the W365 variant of ACSC Windows Hardening?
A: This tool is designed exclusively for Windows 365 Cloud PCs. The standard ACSC Windows Hardening policy disables Remote Desktop Services, which would make Cloud PCs inaccessible. The W365 variant enables RDP and removes network access restrictions needed for Cloud PC connectivity, while maintaining all other ACSC security settings.
Q: How do I know which ASR rule is causing a false positive?
A: Review the ASR report in the Defender portal: security.microsoft.com → Reports → Attack surface reduction → Audit events. Each event shows the rule that triggered, the process that was detected, and the file involved. Add specific exclusions (process or path) for legitimate false positives.
Q: What Graph API endpoints are used for importing policies?
A: Two endpoints are used:
• Security Baseline: POST to https://graph.microsoft.com/beta/deviceManagement/configurationPolicies
• ASR Rules: POST to https://graph.microsoft.com/beta/deviceManagement/templates/0e237410-1367-4844-bd7f-15fb0f08943b/createInstance
Use Graph Explorer to make these requests. You may need to consent to the DeviceManagementConfiguration.ReadWrite.All permission.