Do You Know Your Essential Eight Maturity Level? ACT Not-for-Profit Gets Its Answer
- Company: An ACT Not-for-Profit Organisation
- Industry: Not-for-Profit
- Location: Australian Capital Territory, Australia
- Services Offered: Essential Eight Maturity Assessment
Essential Eight Baseline for a 20‑Person ACT Not‑for‑Profit
An ACT-based community services not‑for‑profit with ~20 staff runs well-managed Windows 11 Pro endpoints, but had never been formally assessed against the Australian Signals Directorate’s (ASD) Essential Eight. As government grants and procurement increasingly require Essential Eight maturity declarations, the organisation needed a defensible, evidence‑based answer — not an educated guess.
Technowand delivered a formal Essential Eight baseline assessment using the ASD ACSC’s official Essential Eight Maturity Verification Tool (E8MVT v2.1.0), run locally on a representative Windows 11 Pro 24H2 endpoint. The process took under an hour, required no software installation or network changes, and had no impact on day‑to‑day operations.
---
Assessment Outcomes
All six directly assessable controls were reviewed using E8MVT:
| Control | Maturity Level | Status |
| --- | --- | --- |
| Application Control | 1 of 3 | ML1 passing · ML2 gap: WDAC bypass rules missing |
| Patch Applications | 3 of 3 | Fully compliant — no vulnerable apps found |
| Patch Operating Systems | Pending verification | Windows 11 24H2 within support · patch history inconclusive on new device |
| Restrict Administrative Privileges | 1 of 3 | ML1 passing · ML3 gap: Credential Guard not enabled |
| Restrict Office Macros | 3 of 3 | Fully compliant — Office not installed |
| User Application Hardening | 1 of 3 | ML1 passing · ML2 gap: PowerShell logging disabled |
Overall posture: Maturity Level 1 across active controls — a solid, evidence‑backed foundation.
What’s Already Working
The assessment confirmed several strong controls already in place:
- Application Control ML1 confirmed — high‑risk file types (.bat, .chm, .dll, .exe, .hta, .msi, .ps1) are blocked from executing in user temp directories via WDAC.
- Memory Integrity (HVCI) enabled — advanced kernel protection active.
- LSA protection enabled — mitigates credential theft from LSASS.
- User application hardening in place — Java disabled in browsers and Internet Explorer disabled via Group Policy.
- Legacy components removed — legacy .NET frameworks removed and PowerShell 2.0 absent (an ML3 hardening requirement already met).
- OS lifecycle current — Windows 11 Pro 24H2 (Build 26100) within Microsoft’s support window.
---
The Three Gaps to Maturity Level 2
The E8MVT results highlighted three specific, actionable changes required to move from ML1 to ML2 (and one ML3 uplift) without major infrastructure work:
- Add WDAC Microsoft‑Recommended Block Rules (Application Control → ML2)
  - Current state: 0 of 45 filename block rules and 0 of 518 file hash block rules from Microsoft’s WDAC bypass list are present.
  - Impact: These rules block known WDAC bypass tools and techniques.
  - Action: Update the WDAC policy to include Microsoft’s recommended block rules, closing the ML2 gap for Application Control.
- Enable PowerShell Logging (User Application Hardening → ML2)
  - Current state: Script block logging, module logging, and transcription logging are all disabled.
  - Impact: Without logging, potentially malicious PowerShell activity is harder to detect and investigate.
  - Action: Configure all three logging modes via Group Policy. This is a low‑disruption, high‑value change that completes ML2 for User Application Hardening.
- Enable Credential Guard (Restrict Administrative Privileges → ML3)
  - Current state: Credential Guard and Remote Credential Guard are disabled, though HVCI (the hardware prerequisite) is already enabled.
  - Impact: Credential Guard helps prevent credential theft from memory (e.g. pass‑the‑hash attacks).
  - Action: Enable Credential Guard (and, where appropriate, Remote Credential Guard) via Group Policy and/or device configuration to close the ML3 gap for Restrict Administrative Privileges.
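A read-only check of the settings behind the PowerShell logging and Credential Guard gaps, as an added example that is not part of the original case study and not how E8MVT performs its tests. It assumes the standard Group Policy registry locations for Windows PowerShell and Device Guard, and it does not cover the WDAC block rules or Remote Credential Guard.

```powershell
# Added example: reports whether the policies named in the gaps above are set.
# Covers Windows PowerShell 5.1 policy keys only; it makes no changes to the system.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not Configured").
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$psRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = @(
    @{ Control = 'Script block logging'; Path = "$psRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Good = @(1) }
    @{ Control = 'Module logging';       Path = "$psRoot\ModuleLogging";      Name = 'EnableModuleLogging';      Good = @(1) }
    @{ Control = 'Transcription';        Path = "$psRoot\Transcription";      Name = 'EnableTranscripting';      Good = @(1) }
    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    @{ Control = 'Credential Guard (policy)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'; Name = 'LsaCfgFlags'; Good = @(1, 2) }
)

$results = foreach ($c in $checks) {
    $value = Get-PolicyValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Control = $c.Control
        Value   = if ($null -eq $value) { 'not configured' } else { $value }
        Pass    = ($null -ne $value) -and ($c.Good -contains $value)
    }
}

# Module logging only records modules listed under ModuleNames; '*' covers all modules.
$moduleNames = Get-Item -Path "$psRoot\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
$results += [pscustomobject]@{
    Control = 'Module logging scope'
    Value   = if ($moduleNames) { $moduleNames.Property -join ',' } else { 'no modules listed' }
    Pass    = [bool]($moduleNames -and $moduleNames.Property.Count -gt 0)
}

# The policy can be set while the service is not yet running (for example before a reboot),
# so the runtime state is checked as well.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$running = @($dg.SecurityServicesRunning)   # 1 = Credential Guard, 2 = HVCI
$results += [pscustomobject]@{
    Control = 'Credential Guard (running)'
    Value   = if ($dg) { $running -join ',' } else { 'WMI class unavailable' }
    Pass    = $running -contains 1
}

$results | Format-Table -AutoSize
```

Run it from an elevated Windows PowerShell session before and after the Group Policy change; any row with `Pass` set to `False` corresponds to a setting that is still unset or disabled.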
---
What Technowand Delivered
Technowand’s Essential Eight Maturity Assessment is tailored for small organisations that need clarity without disruption:
- Local, low‑impact assessment
- Rapid execution
- Formal written report
  - Control‑by‑control findings
  - Evidence of existing protections
  - Identified configuration gaps
- Maturity scorecard
  - Grant and funding applications
  - Government tender responses
  - Internal governance and board reporting
- Prioritised remediation roadmap
  - Enable PowerShell logging via Group Policy (ML2 – User Application Hardening)
  - Add Microsoft‑recommended WDAC block rules (ML2 – Application Control)
  - Enable Credential Guard (ML3 – Restrict Administrative Privileges)
Technowand then works alongside the organisation to implement each remediation, primarily through Group Policy and WDAC policy updates, ensuring changes are tested and rolled out with minimal disruption.
---
The Impact for the Organisation
The organisation now has a documented, defensible Essential Eight baseline, produced using the ASD’s own tooling and structured as a formal assessment report. Practically, this means:
- They can state with confidence: “We are at Essential Eight Maturity Level 1.”
- They know exactly which three changes are required to reach Maturity Level 2.
- Two of the three remediations are straightforward Group Policy changes; none require major infrastructure projects or significant staff disruption.
For a 20‑person not‑for‑profit, this turns a vague compliance concern into a clear, manageable plan — and provides the documentation needed to answer grant and procurement questions with confidence.
“We’d been asked a few times by grant bodies whether we were Essential Eight compliant, and honestly we didn’t know how to answer. The assessment gave us a clear, documented baseline — we’re at Level 1, we know exactly what three things we need to fix to get to Level 2, and we have the report to show people. For a small team, that clarity is everything.”
— Operations Lead, ACT Not‑for‑Profit Organisation