Automating Essential Eight Compliance Checks with PowerShell

Version 1.0.0

If you work in Australian IT, cybersecurity, or digital forensics, you've encountered the Essential Eight. It's referenced in government procurement requirements, security assessments, incident response frameworks, and organisational policies across both public and private sectors.

The Australian Signals Directorate's Essential Eight is a set of eight baseline mitigation strategies designed to protect Windows environments against cyber threats. Checking compliance manually is time-consuming and error-prone. In this tutorial, you'll build a PowerShell script that automates Essential Eight audits, produces colour-coded console output, and writes detailed compliance reports to timestamped files.

What You'll Build

A PowerShell script called essential_eight.ps1 that checks a Windows system against all eight ASD mitigation strategies and produces a comprehensive audit report showing PASS/FAIL/WARN/INFO status for each control.

Prerequisites

• PowerShell 5.1 or later (Windows 10+)
• Administrator privileges recommended (some checks require elevated access)
• No external modules or dependencies

Understanding the Essential Eight

Before building the script, it's worth understanding what each strategy actually checks. The ASD publishes detailed guidance, but the practical questions are:

1. Application Control — Is there a mechanism (AppLocker, Windows Defender Application Control) preventing unauthorised executables from running?

2. Patch Applications — Are third-party applications kept up to date? Is Windows Update active?

3. Configure Microsoft Office Macro Settings — Are macros restricted to prevent malicious Office documents from executing code?

4. User Application Hardening — Are legacy and high-risk features (Internet Explorer, Windows Script Host, PowerShell v2) disabled or restricted?

5. Restrict Administrative Privileges — Are admin accounts limited? Is UAC enabled? Are standard users running with least privilege?

6. Patch Operating Systems — Is the OS on a supported and current build?

7. Multi-Factor Authentication — Is MFA enforced, especially for privileged access?

8. Regular Backups — Are backups in place and recent? Are they protected from modification?

Each strategy has Maturity Levels (ML1, ML2, ML3) in the full ASD framework. This script focuses on ML1 baseline checks — the foundation that must exist before maturity level progression begins.

The Complete Script

Here's the full implementation (condensed for readability - full version on GitHub):

# Essential Eight Compliance Checker
# Author: ShadowStrike (Strategos)

param(
    [Parameter(Mandatory=$false)]
    [string]$OutputDir = ".",

    [Parameter(Mandatory=$false)]
    [switch]$Verbose
)

# Initialise report
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = Join-Path $OutputDir "EssentialEight_Audit_$timestamp.txt"
$report = @()

# Track results
$passCount = 0
$failCount = 0
$warnCount = 0

function Write-Check {
    param([string]$Strategy, [string]$Check, [string]$Status, [string]$Detail = "")

    $color = switch ($Status) {
        "PASS" { "Green"; $script:passCount++ }
        "FAIL" { "Red"; $script:failCount++ }
        "WARN" { "Yellow"; $script:warnCount++ }
        "INFO" { "Cyan" }
    }

    $line = "[$Status] $Strategy - $Check"
    if ($Detail) { $line += ": $Detail" }

    Write-Host $line -ForegroundColor $color
    $script:report += $line
}

# STRATEGY 1: APPLICATION CONTROL
try {
    $appLockerPolicy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    if ($appLockerPolicy.RuleCollections.Count -gt 0) {
        Write-Check "AppControl" "AppLocker Policy" "PASS" "Effective rules configured"
    } else {
        Write-Check "AppControl" "AppLocker Policy" "FAIL" "No effective rules"
    }
} catch {
    Write-Check "AppControl" "AppLocker Policy" "FAIL" "Not configured"
}

# STRATEGY 2: PATCH APPLICATIONS
$wuService = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($wuService -and $wuService.Status -eq "Running") {
    Write-Check "Patching" "Windows Update Service" "PASS" "Running"
} else {
    Write-Check "Patching" "Windows Update Service" "FAIL" "Not running"
}

# Check last update date
$session = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$history = $searcher.QueryHistory(0, 1) | Select-Object -First 1
$lastUpdate = $history.Date
$daysSince = (Get-Date) - $lastUpdate

if ($daysSince.Days -le 30) {
    Write-Check "Patching" "Last Update" "PASS" "$([math]::Round($daysSince.TotalDays)) days ago"
} else {
    Write-Check "Patching" "Last Update" "FAIL" "$([math]::Round($daysSince.TotalDays)) days ago (outdated)"
}

# STRATEGY 3: OFFICE MACRO SETTINGS
$excelPath = "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
if (Test-Path $excelPath) {
    $vbaWarnings = (Get-ItemProperty -Path $excelPath -Name VBAWarnings).VBAWarnings
    if ($vbaWarnings -eq 3 -or $vbaWarnings -eq 4) {
        Write-Check "MacroSettings" "Excel VBA" "PASS" "Restricted"
    } else {
        Write-Check "MacroSettings" "Excel VBA" "FAIL" "Unrestricted"
    }
}

# STRATEGY 4: USER APPLICATION HARDENING
$psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($psv2.State -eq "Disabled") {
    Write-Check "Hardening" "PowerShell v2" "PASS" "Disabled"
} else {
    Write-Check "Hardening" "PowerShell v2" "FAIL" "Enabled (should be removed)"
}

$langMode = $ExecutionContext.SessionState.LanguageMode
if ($langMode -eq "ConstrainedLanguage") {
    Write-Check "Hardening" "PS Language Mode" "PASS" "ConstrainedLanguage"
} else {
    Write-Check "Hardening" "PS Language Mode" "WARN" "FullLanguage (unrestricted)"
}

# STRATEGY 5: RESTRICT ADMIN PRIVILEGES
$uacPath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$uacEnabled = (Get-ItemProperty -Path $uacPath -Name EnableLUA).EnableLUA
if ($uacEnabled -eq 1) {
    Write-Check "Privileges" "UAC" "PASS" "Enabled"
} else {
    Write-Check "Privileges" "UAC" "FAIL" "Disabled"
}

# STRATEGY 6: PATCH OPERATING SYSTEMS
$os = Get-CimInstance Win32_OperatingSystem
$osBuild = $os.BuildNumber
if ([int]$osBuild -ge 19041) {
    Write-Check "OS Patching" "OS Support" "PASS" "Supported build"
} else {
    Write-Check "OS Patching" "OS Support" "FAIL" "Legacy build"
}

# STRATEGY 7: MULTI-FACTOR AUTHENTICATION
# Note: Full MFA assessment requires Azure AD audit
Write-Check "MFA" "Assessment" "INFO" "Requires directory-level audit"

# STRATEGY 8: REGULAR BACKUPS
$vssService = Get-Service -Name VSS
if ($vssService.Status -eq "Running") {
    Write-Check "Backups" "Volume Shadow Copy" "PASS" "Running"
} else {
    Write-Check "Backups" "Volume Shadow Copy" "WARN" "Not running"
}

# Write summary
Write-Host "`n[AUDIT SUMMARY]"
Write-Host "  PASS: $passCount" -ForegroundColor Green
Write-Host "  FAIL: $failCount" -ForegroundColor Red
Write-Host "  WARN: $warnCount" -ForegroundColor Yellow

$report | Out-File -FilePath $outputFile -Encoding UTF8

How to Use It

Troubleshooting: Execution Policy

If you see an error about scripts being disabled or not digitally signed:

Step 1: Set execution policy

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Step 2: Unblock the file if downloaded

Unblock-File .\essential_eight.ps1

Windows marks files downloaded from GitHub with Zone.Identifier metadata. Even with RemoteSigned policy, these files are blocked unless digitally signed or explicitly unblocked.

Check your current policy with Get-ExecutionPolicy -List.

Security Note: Read the Code Before You Run It

This script is not digitally signed. Code signing certificates cost $200-500/year and are unnecessary for open-source scripts where you can read the source code yourself.

Before running this or any PowerShell script:

1. Read it completely — every line, every function, every registry path
2. Understand what it does — does it match the stated purpose?
3. Check for risks — network calls, file deletions, credential access

Apply the ABC principle:

• Assume nothing
• Believe nothing
• Check everything

A digital signature tells you WHO wrote code, not WHETHER it's safe. You are the final security control. Never execute code you haven't personally reviewed and understood.

---

Basic Audit

.\essential_eight.ps1

Runs the audit and writes report to EssentialEight_Audit_[timestamp].txt in the current directory.

Specify Output Directory

.\essential_eight.ps1 -OutputDir "C:\Compliance\Reports"

Run as Administrator

Some checks require elevated privileges. Right-click PowerShell → "Run as Administrator", then:

.\essential_eight.ps1

Understanding the Output

The script produces colour-coded console output:

• [PASS] (green) - Control meets baseline requirements
• [FAIL] (red) - Control does not meet requirements
• [WARN] (yellow) - Partial compliance or requires manual review
• [INFO] (cyan) - Informational finding, not a compliance check

Sample output (example system for demonstration - not real audit data):

[ESSENTIAL EIGHT COMPLIANCE AUDIT]
System: WORKSTATION-01

[STRATEGY 1: APPLICATION CONTROL]
[PASS] AppControl - AppLocker Policy: Effective rules configured
[INFO] AppControl - WDAC Policy: Not deployed (AppLocker in use)

[STRATEGY 2: PATCH APPLICATIONS]
[PASS] Patching - Windows Update Service: Running
[PASS] Patching - Last Update: 2026-04-18 - 6 days ago

[STRATEGY 3: OFFICE MACRO SETTINGS]
[PASS] MacroSettings - Excel VBA Warnings: Macros disabled (Value: 3)
[PASS] MacroSettings - Word VBA Warnings: Notification enabled (Value: 4)

[STRATEGY 4: USER APPLICATION HARDENING]
[PASS] Hardening - PowerShell v2: Disabled
[PASS] Hardening - PowerShell Version: v5.1
[WARN] Hardening - PowerShell Language Mode: FullLanguage (unrestricted)
[PASS] Hardening - Script Block Logging: Enabled

[STRATEGY 5: RESTRICT ADMINISTRATIVE PRIVILEGES]
[PASS] Privileges - Current User Role: Running as standard user
[PASS] Privileges - UAC Status: Enabled
[PASS] Privileges - Local Administrators: 2 account(s) - acceptable range

[STRATEGY 6: PATCH OPERATING SYSTEMS]
[INFO] OS Patching - Operating System: Microsoft Windows 10 Pro (Build 19045)
[PASS] OS Patching - OS Support Status: Windows 10 version 2004+ (supported)

[STRATEGY 7: MULTI-FACTOR AUTHENTICATION]
[INFO] MFA - Windows Hello: Credential provider detected
[INFO] MFA - Credential Providers: 3 provider(s) registered
[INFO] MFA - Note: Full MFA assessment requires Azure AD / Active Directory audit

[STRATEGY 8: REGULAR BACKUPS]
[INFO] Backups - Windows Backup Service: Not active (may use third-party)
[PASS] Backups - Volume Shadow Copy: Running
[PASS] Backups - Latest Shadow Copy: 2026-04-23 - 1 days ago

[AUDIT SUMMARY]
  PASS: 15
  FAIL: 0
  WARN: 1

The timestamped report file contains the same information in plain text format for archiving.

Code Walkthrough

Strategy 1: Application Control

Checks for AppLocker or Windows Defender Application Control (WDAC):

$appLockerPolicy = Get-AppLockerPolicy -Effective
if ($appLockerPolicy.RuleCollections.Count -gt 0) {
    Write-Check "AppControl" "AppLocker Policy" "PASS" "Effective rules configured"
}

AppLocker policies can be deployed via Group Policy or locally. The -Effective parameter returns the combined result of all policies affecting the system.

For WDAC, the script checks for policy files in C:\Windows\System32\CodeIntegrity\CiPolicies\Active\.

Strategy 2: Patch Applications

Verifies Windows Update service is running and checks last update date:

$session = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$history = $searcher.QueryHistory(0, 1) | Select-Object -First 1
$lastUpdate = $history.Date
$daysSince = (Get-Date) - $lastUpdate

The Windows Update COM API provides detailed patch history. This check flags systems where the last update was >30 days ago as outdated.

Strategy 3: Office Macro Settings

Checks registry settings for Excel and Word macro behaviour:

$excelPath = "HKCU:\Software\Microsoft\Office\16.0\Excel\Security"
$vbaWarnings = (Get-ItemProperty -Path $excelPath -Name VBAWarnings).VBAWarnings

VBAWarnings values:

• 1 = Enable all macros (dangerous)
• 2 = Disable all with notification
• 3 = Disable all except digitally signed
• 4 = Disable all without notification (most secure)

Values 3 and 4 meet Essential Eight ML1 baseline.

Strategy 4: User Application Hardening

Multiple checks including PowerShell v2 removal and script block logging:

$psv2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($psv2.State -eq "Disabled") {
    Write-Check "Hardening" "PowerShell v2" "PASS" "Disabled"
}

PowerShell v2 lacks modern security features (script block logging, Constrained Language Mode support) and should be removed from all systems.

Script block logging check:

$scriptBlockPath = "HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"
$scriptBlockEnabled = (Get-ItemProperty -Path $scriptBlockPath -Name EnableScriptBlockLogging).EnableScriptBlockLogging

When enabled (value = 1), all PowerShell script execution is logged to Windows Event Log, providing audit trails for forensic investigation.

Strategy 5: Restrict Administrative Privileges

Checks UAC status and local administrator count:

$uacPath = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
$uacEnabled = (Get-ItemProperty -Path $uacPath -Name EnableLUA).EnableLUA

$admins = Get-LocalGroupMember -Group "Administrators"

UAC (User Account Control) prompts for elevation when administrative actions are attempted. Disabling UAC is a common misconfiguration that violates Essential Eight requirements.

The administrator count check flags systems with excessive admin accounts. Typically, only built-in Administrator and one domain admin account should exist on workstations.

Strategy 6: Patch Operating Systems

Verifies OS is on a supported build:

$os = Get-CimInstance Win32_OperatingSystem
$osBuild = $os.BuildNumber

if ([int]$osBuild -ge 19041) {
    Write-Check "OS Patching" "OS Support" "PASS" "Supported build"
}

Build 19041 = Windows 10 version 2004, the minimum currently-supported consumer version. Enterprise LTSC versions may have different support timelines.

Strategy 7: Multi-Factor Authentication

MFA assessment requires directory-level audit (Azure AD, Active Directory):

$credProviders = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers"

The script checks for Windows Hello and registered credential providers, but full MFA enforcement validation requires checking conditional access policies in Azure AD or examining GPO settings for smart card requirements.

Strategy 8: Regular Backups

Checks Volume Shadow Copy Service and recent shadow copies:

$shadows = Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -like "*C:*" }
$latestShadow = $shadows | Sort-Object InstallDate -Descending | Select-Object -First 1
$daysSince = (Get-Date) - $latestShadow.InstallDate

Shadow copies are point-in-time snapshots used for System Restore and file recovery. The script flags systems where the latest shadow copy is >7 days old.

Real-World Use Cases

Pre-audit preparation: Run this script on sample systems before formal compliance assessments to identify gaps early.

Continuous monitoring: Schedule the script as a daily task and email the report to security teams. Track compliance drift over time.

Incident response baseline: After a security incident, run the script on affected systems to document Essential Eight posture at the time of compromise.

Procurement verification: When deploying new workstations, run the audit to verify vendor configuration meets baseline requirements before acceptance.

Maturity level progression: Use the baseline audit results to identify systems ready for ML2/ML3 implementation.

Extending the Script

HTML report generation: Replace the plain-text output with an HTML file including coloured tables and charts.

Email integration: Add Send-MailMessage to automatically email reports to compliance teams.

Remote execution: Wrap the script in Invoke-Command to audit multiple systems from a central management workstation.

SIEM integration: Parse the output and send findings to a SIEM platform for centralised compliance monitoring.

Remediation actions: Add a -Remediate switch that automatically fixes common failures (enable UAC, remove PowerShell v2, enable script block logging).

Maturity Levels Beyond ML1

This script focuses on ML1 (baseline) checks. The ASD Essential Eight Maturity Model has three levels:

Maturity Level 1: Partly aligned with intent. Baseline controls exist but may not be comprehensive.

Maturity Level 2: Mostly aligned with intent. Controls cover most assets and attack vectors.

Maturity Level 3: Fully aligned with intent. Comprehensive controls across all assets with robust monitoring.

Progression from ML1 → ML2 → ML3 requires increasingly stringent technical controls and centralised management. For example:

• Application Control ML1: AppLocker with basic rules
• Application Control ML2: Centralised AppLocker or WDAC with allow-listing
• Application Control ML3: WDAC with cryptographic verification of all executables

This script provides the ML1 foundation. Assessing ML2/ML3 compliance requires additional checks beyond what local PowerShell can determine (requires SCCM, Intune, or GPO reporting).

GitHub Repository

The complete script, sample reports, and this tutorial are available on GitHub:

ShadowStrike-CTF / essential-eight-checklist

PowerShell scripts for practical Essential Eight compliance checking on Windows systems.

essential-eight-checklist

PowerShell scripts for practical Essential Eight compliance checking on Windows systems.

View on GitHub

Conclusion

Essential Eight compliance doesn't require expensive enterprise tools. PowerShell provides native cmdlets for checking application control, patching status, user hardening, privilege restrictions, and backup configurations.

This script packages those checks into a practical audit workflow that runs on any Windows 10/11 system without dependencies. For IT security professionals, compliance teams, and system administrators working in Australian government or enterprise environments, automated Essential Eight auditing is a fundamental operational requirement.

The value isn't just in the compliance report — it's in the velocity. Running this audit manually would take an experienced admin 30-60 minutes per system. The script completes it in seconds and produces consistent, auditable results.

---

Built by ShadowStrike (Strategos) — where we build actual security tools instead of theatre 🎃.