🎯 Purpose
✅ Enforce Essential Eight – User Application Hardening by removing legacy and insecure Windows features.
👥 Who is affected
✅ Devices: All Windows devices
🚫 Exclusions: None
➡️ All targeted devices will have legacy features removed.
☁️ What access is protected
✅ Operating system features:
PowerShell 2.0
.NET Framework 3.5 and earlier
Internet Explorer (Windows 10 only)
➡️ Reduces legacy attack surface across the OS.
🔐 How hardening is enforced
✅ Executed via an Intune device management script
✅ Runs as SYSTEM
✅ Uses built‑in Windows feature removal commands
➡️ Legacy components are disabled or removed at the OS level.
ℹ️ Note:
Internet Explorer is only removed on Windows 10. Windows 11 does not include IE.
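A sketch of what such a device script can look like, added here as an example and not the script this policy actually deploys. It assumes 64-bit devices, the standard Windows optional-feature names for the three components listed above, and a hypothetical log path under ProgramData.

```powershell
# Added example: legacy feature removal for an Intune device script (SYSTEM context).
# Assumptions: 64-bit Windows, standard optional-feature names, hypothetical log path.

$LogPath = Join-Path $env:ProgramData 'LegacyFeatureRemoval.log'   # hypothetical path
$Build   = [System.Environment]::OSVersion.Version.Build
$IsWin10 = $Build -lt 22000        # Windows 11 client builds start at 22000

$Targets = @(
    'MicrosoftWindowsPowerShellV2',      # PowerShell 2.0 engine (child feature first)
    'MicrosoftWindowsPowerShellV2Root',  # PowerShell 2.0 parent feature
    'NetFx3'                             # .NET Framework 3.5 (includes .NET 2.0 and 3.0)
)
if ($IsWin10) {
    # Internet Explorer is only targeted on Windows 10; Windows 11 does not include it.
    $Targets += 'Internet-Explorer-Optional-amd64'
}

function Write-Log([string]$Message) {
    "{0:u} {1}" -f (Get-Date), $Message | Add-Content -Path $LogPath
}

# Enumerate once so a feature that is absent from the image is skipped, not treated as an error.
$Installed = Get-WindowsOptionalFeature -Online
$Failed = 0
$RestartNeeded = $false

foreach ($Name in $Targets) {
    $Feature = $Installed | Where-Object { $_.FeatureName -eq $Name }
    if ($null -eq $Feature) { Write-Log "$Name not present on this image"; continue }
    if ($Feature.State -ne 'Enabled') { Write-Log "$Name already $($Feature.State)"; continue }
    try {
        $Result = Disable-WindowsOptionalFeature -Online -FeatureName $Name -NoRestart -ErrorAction Stop
        if ($Result.RestartNeeded) { $RestartNeeded = $true }
        Write-Log "$Name disabled"
    }
    catch {
        $Failed++
        Write-Log "$Name failed: $($_.Exception.Message)"
    }
}

Write-Log "Done. Failures=$Failed RestartNeeded=$RestartNeeded"
# A non-zero exit code is reported by Intune as a script failure.
if ($Failed -gt 0) { exit 1 } else { exit 0 }
```

The DISM cmdlets need a 64-bit host on 64-bit Windows, so the Intune script setting "Run script in 64 bit PowerShell Host" should be set to Yes. Because the script skips features that are already disabled, it is safe to re-run on devices that were hardened earlier.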
⚙️ What this policy does NOT enforce
🚫 User authentication controls
🚫 Application allow/block rules
🚫 Browser configuration settings
🚫 Device compliance checks
➡️ This policy focuses solely on feature removal.
🟢 Policy status
✅ Enabled
✅ Enforced via Intune script execution
📘 Essential Eight alignment
✅ Supports User Application Hardening
✅ Removes legacy runtimes commonly abused by malware
ℹ️ Applies across all maturity levels as a hardening control
📘 Practical interpretation (Executive‑friendly)
This policy ensures that:
✅ Legacy Windows features are removed
✅ Common attack surfaces are eliminated
✅ Devices are hardened against outdated exploit techniques
This strengthens the baseline security posture and complements browser and application hardening controls across the environment.

