Blueprint

The Protected Utility blueprint is a design to secure Microsoft 365 desktops, developed with Microsoft and tested with independent security assessors.

The blueprint offers 4 main artefacts to support agencies with implementation.

  • The Solution overview provides a non-technical overview of the blueprint and maps blueprint solutions to the Essential Eight security strategies.
  • The Platform design covers all supporting components for Windows 10, iOS and Office 365 (including Microsoft Endpoint Manager).
  • The Client devices design includes Windows 10 and iOS components only.
  • The Office 365 design includes Exchange Online, SharePoint Online, OneDrive for Business and Teams.

Other blueprint artefacts include configuration guides and security documentation. They are designed to meet Australian Cyber Security Centre (ACSC) requirements for systems that handle and manage information classified as Protected.

All artefacts provide a standard and proven approach for Microsoft 365. They aim to fast track the adoption of the Microsoft Modern Workplace experience.

The blueprint contains guidance for best practice deployment. It incorporates advice from:

  • the Australian Government Information Security Manual (ISM)
  • Microsoft
  • the ACSC Essential Eight
  • ACSC hardening guidelines for Microsoft Windows 10 and iOS.

There are 2 deployment types covered in this blueprint:

  • cloud native – where an agency assumes an architecture that is based on consuming the Microsoft 365 offerings as a service, with no additional investment in on-premises infrastructure
  • hybrid – where an agency adopts the Microsoft 365 offerings, while continuing to leverage some new or existing on-premises infrastructure in a ‘hybrid’ configuration.

In many cases, design decisions are common across both deployment methods. Where specific elements differ for cloud and hybrid deployments, the blueprint provides the common components applicable to all deployments. It then offers further guidance for each deployment type.

For adopters, practitioners, and other interested parties, DTA manages a Protected Utility Program community of practice. The community provides a direct channel to DTA and encourages discussion between community members.
