Web browsers don't process Java or web advertisements. Microsoft Office, web browsers and PDF readers run in environments with security configurations applied.
Essential Eight · Control 04 of 08
User application hardening
Turning off features in web browsers and Office that attackers commonly abuse.
Why this control matters
Flash is gone, but Office still embeds OLE objects, browsers still run unnecessary add-ons, and PDFs still launch things they shouldn't. Hardening strips out the stuff that's historically been attack surface without providing day-to-day value to business users.
The three maturity levels
User application hardening at Essential Eight ML1, ML2 and ML3.
These are the published ACSC requirements for this specific control at each maturity level. Your overall Essential Eight maturity is scored against your weakest control, not averaged, so a gap here pulls down the whole score.
Web browsers and Office have hardened configurations via policy. PowerShell's Constrained Language Mode is enforced. Unrequired .NET Framework versions are removed.
PowerShell module logging, script block logging, and transcription are enabled and forwarded to centralised logging. Hardened configurations are validated annually.
Not sure which level you should aim for?
The three-question picker on the Essential Eight hub will point you at the right target based on your regulatory position and the kind of data you hold.
How we run it
The way CCP implements user application hardening for clients.
We apply Microsoft and ACSC-published security baselines to web browsers, Office, and PDF readers via Intune configuration profiles. Java is blocked in browsers, unneeded .NET versions are removed, PowerShell runs in Constrained Language Mode for non-admins, and PowerShell logging is enabled and forwarded centrally. The configuration is delivered as policy, not a one-time runbook someone has to remember to re-apply.
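A read-only check of the PowerShell settings named above, as an added example (not CCP's tooling or ACSC-published code). It assumes the policies land in the standard Windows PowerShell policy keys under HKLM, and it uses only constructs that still run when Constrained Language Mode is active.

```powershell
# Added example: audit PowerShell logging policy and language mode on one machine.
# Assumption: policy is written to the standard Windows PowerShell policy keys.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyValue {
    param([string]$SubKey, [string]$Name)
    $item = Get-ItemProperty -Path (Join-Path $PolicyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # key or value absent: policy not configured
    return $item.$Name
}

# Label, registry subkey, value name. Each value must equal 1 to count as enabled.
$checks = @(
    @('Module logging',       'ModuleLogging',      'EnableModuleLogging'),
    @('Script block logging', 'ScriptBlockLogging', 'EnableScriptBlockLogging'),
    @('Transcription',        'Transcription',      'EnableTranscripting')
)

$failed = 0
foreach ($c in $checks) {
    $value = Get-PolicyValue -SubKey $c[1] -Name $c[2]
    $state = if ($value -eq 1) { 'PASS' } else { $failed++; 'FAIL' }
    $shown = if ($null -eq $value) { 'not set' } else { $value }
    Write-Output ('{0}  {1,-22} value: {2}' -f $state, $c[0], $shown)
}

# With no OutputDirectory set, transcripts are written to the user's own
# Documents folder, where that user can read or delete them.
$dir = Get-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory'
if ([string]::IsNullOrEmpty($dir)) {
    Write-Output 'WARN  Transcription output directory is not set by policy'
} else {
    Write-Output ('INFO  Transcripts are written to: {0}' -f $dir)
}

# Run this part as a standard user: that is the session expected to be constrained.
$mode = $ExecutionContext.SessionState.LanguageMode
if ($mode -eq 'ConstrainedLanguage') {
    Write-Output 'PASS  Language mode: ConstrainedLanguage'
} else {
    $failed++
    Write-Output ('FAIL  Language mode: {0}' -f $mode)
}

Write-Output ('{0} check(s) failed' -f $failed)
```

The script confirms the settings are present on the endpoint; it does not confirm that the resulting logs are being forwarded to central logging, which has to be checked at the collector.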
Free self-assessment
No email required.
Score yourself on all eight controls, get a branded PDF.
Eight questions, your estimated Essential Eight maturity level, and a branded PDF report you can share with your board, insurer, broker or auditor. Runs entirely in your browser. Nothing is sent to us unless you choose to book a call.
Common questions
What people actually ask about user application hardening.
- We still need Java for one internal app. What then?
  - That app gets a scoped exception: Java is enabled for that specific application via a per-app Intune profile, not globally in the browser. Users who don't need Java don't have it; users who do get it only for that one use.
- Does this affect how Chrome or Edge feel for users?
  - Not measurably. Hardening removes rarely-used or deprecated features (Flash, Java applets, unusual file handlers) and enforces protective defaults. Day-to-day browsing, Microsoft 365 in the browser, Teams, all work as normal.
- What's PowerShell Constrained Language Mode?
  - It's a Windows feature that restricts what PowerShell can do when run by a non-admin. Attackers love PowerShell because it's a full scripting environment present on every Windows machine. Constrained Language Mode reduces the attack surface without stopping legitimate use by administrators.
Related controls
Related Essential Eight controls that work alongside this one.
Control 03
Configure Microsoft Office macro settings
Stopping the little automation scripts inside Word and Excel from running unless they're from a trusted source.
Control 01
Application control
Only letting approved programs run on your computers. Everything else is blocked by default.
Control 02
Patch applications
Keeping your software up to date so it has the latest security fixes.
These ML1 / ML2 / ML3 summaries distil the ACSC's published Essential Eight Maturity Model. For the full, authoritative text, see the ACSC Essential Eight Maturity Model.
The qualifier
Let's see if we're a fit.
Seven questions, one moment of your time. We'd rather tell you now than three months in.