# Getting Started
Before you begin building a CMMC Level 2 GCC-High environment, ensure you have all the necessary resources and access ready.
## Pre-Build Checklist
Complete these steps before starting Task 01:
- Download Build Resources - Download and extract the Enclave Build Resources.zip file
- Verify Environment Provisioning - Ensure the client's M365 GCC-High tenant is fully provisioned and accessible
- Confirm License Allocation - Verify M365 G5 GCC-High and Windows 365 licenses are available
- Obtain Admin Access - Confirm Global Administrator access to the tenant
## Build Resources Package
Download: Enclave Build Resources.zip
This package contains all files referenced throughout the build guide:
### 📦 What's Included
Entra ID Resources:
- Add Service Principals.ps1 - PowerShell script to enable service principals for Conditional Access (Task 01)
Intune Resources:
- Configuration Profiles - JSON files for import into Intune (Task 02)
- Platform Scripts - PowerShell scripts for device management (Task 02)
- Proactive Remediation Scripts - Detection and remediation scripts (Task 02)
- Adobe STIG Configuration - OMA-URI Excel file and ADMX template (Task 02)
SharePoint Resources:
- sharepoint-home-banner.jpg - DOD logo banner for homepage customization (Task 16)
## Intune Configuration Profiles Reference
Use the following names and descriptions when importing Intune configuration profiles during Task 02.
### ⚠️ Policies Requiring Variable Updates
The following policies contain placeholder values that must be updated after import:
| Policy Name | Variable to Update | Details |
|---|---|---|
| Cloud PC - Interactive Logon Message | --PLACEHOLDER-- | Replace with client company name (appears in 2 locations) |
| Cloud PC - OneDrive Folder Mapping and Sign-In | Tenant ID | Replace with client's Microsoft Entra Tenant ID |
| Cloud PC - Microsoft Edge Homepage | Homepage URL | Replace with client's SharePoint homepage URL (may appear in multiple locations) |
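As an added example (not part of the build resources package), the check below walks a profile's JSON for leftover placeholder tokens and fills them from the client's values so no half-edited profile gets assigned. The sample profile layout and the `<TENANT-ID>` and `<HOMEPAGE-URL>` tokens are assumptions; only `--PLACEHOLDER--` is named on this page.

```python
import json

# Constructed sample standing in for one of the Intune profile JSON files this page
# says carries placeholders; the real export layout is not reproduced here.
LOGON_MESSAGE_PROFILE = json.dumps({
    "displayName": "Cloud PC - Interactive Logon Message",
    "settings": [
        {"name": "legalNoticeCaption", "value": "--PLACEHOLDER-- CUI Enclave"},
        {"name": "legalNoticeText",
         "value": "This Cloud PC is provided by --PLACEHOLDER-- for CUI processing only."},
    ],
})

# Token -> name of the client value that replaces it. --PLACEHOLDER-- is the page's
# own token for the logon message; the other two are assumed tokens standing in for
# the OneDrive (Tenant ID) and Edge (Homepage URL) profile values.
PLACEHOLDER_TOKENS = {
    "--PLACEHOLDER--": "company_name",
    "<TENANT-ID>": "tenant_id",
    "<HOMEPAGE-URL>": "homepage_url",
}

def walk_strings(node, path="$"):
    """Yield (json_path, text) for every string leaf, whatever the nesting depth."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{i}]")

def leftover_placeholders(profile_json):
    """List (json_path, token) pairs still present; must be empty before assignment."""
    return [(path, token) for path, text in walk_strings(json.loads(profile_json))
            for token in PLACEHOLDER_TOKENS if token in text]

def fill_placeholders(profile_json, values):
    """Return the profile with every known token replaced by the client's value."""
    def fill(node):
        if isinstance(node, str):
            for token, key in PLACEHOLDER_TOKENS.items():
                if token in node:  # KeyError here beats importing a half-filled profile
                    node = node.replace(token, values[key])
            return node
        if isinstance(node, dict):
            return {k: fill(v) for k, v in node.items()}
        if isinstance(node, list):
            return [fill(v) for v in node]
        return node
    return json.dumps(fill(json.loads(profile_json)), indent=2)
```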
### 📋 Configuration Profile Catalog
#### Cloud PC - Adobe Acrobat - STIG
Applies a STIG policy on Adobe Acrobat to ensure FIPS mode is enabled within the application, along with other security hardening benefits.
NOTE: This is an OMA-URI policy requiring the AdobeAcrobatDCSTIG-OMA-URI.xlsx spreadsheet and the AcrobatDCContinuous.admx file from the build resources package.
#### App Control Policy XML
The AppControlBusinessXML.xml file is for creating the App Control for Business policy. Refer to HaloPSA for implementation details.
#### Cloud PC - Advanced Audit Logs
Enables all relevant 'success + failure' audit log categories available in Windows, giving a detailed record of activity on the Cloud PC.
#### Cloud PC - App Control
Restricts which applications can launch or install to those on a trusted allow list (whitelist) and/or installed as an Intune Managed Application.
#### Cloud PC - Block Device and Clipboard and File Redirection
Restricts the ability to transfer Clipboard, local devices, and files between Client and Cloud PC.
#### Cloud PC - Block Snipping Tool
Blocks the built-in Snipping Tool to counter screen capture of content within the Cloud PCs.
#### Cloud PC - System and Outlook FIPS
Ensures FIPS options are enabled within the System as well as Outlook.
#### Cloud PC - General Security & Timezone Settings
Applies a mix of general security hardening configurations and sets the timezone to EST.
#### Cloud PC - Session Inactivity Timeout
Times the user session out after 15 minutes of inactivity, then logs the user out of the Cloud PC after a further 1 hour of disconnection.
#### Cloud PC - Interactive Logon Message
Shows the user a pop-up before Windows logon completes, informing them which environment they are accessing and that CUI is handled within it.
#### Cloud PC - M365 Apps Security Baseline
Applies a standard M365 Application Security Baseline, tightening some of the settings.
#### Cloud PC - Microsoft 365 Update Policy
Applies Monthly Enterprise Channel and Automatic Updates to the M365 Applications.
#### Cloud PC - Microsoft Defender - MAPS
Configures Defender MAPS to be enabled, allowing advanced Cloud Protection Features.
#### Cloud PC - Microsoft Edge Homepage
Configures the Microsoft Edge Homepage to go to the client's SharePoint site by default.
#### Cloud PC - Microsoft Edge Security Baseline
Applies a security baseline to Microsoft Edge, ensuring it is hardened.
#### Cloud PC - Network Time Protocol (NTP) Configuration
Applies a specific Windows NTP Server to ensure consistency and security.
#### Cloud PC - Prevent User Restart Action
Prevents users from controlling the power state of the Windows 365 Cloud PC. This policy removes the options from the start menu.
#### Cloud PC - OneDrive Folder Mapping and Sign-In
Automatically maps users' Documents, Desktop, Pictures, etc. (Known Folders) to their OneDrive for backup purposes. OneDrive is also set to sign in silently upon logon.
#### Cloud PC - Screen Capture Protection
Blocks all external screen capture capability, stopping external/local software from capturing the screen within the RDP session.
NOTE: This blocks Web Browser access for Cloud PC as a result. Windows App becomes the required method of access.
#### Cloud PC - Windows 11 - STIG
Applies a tailored set of policies to STIG the Windows 11 Cloud PC, ensuring the highest level of defensive measures is employed at the OS level at all times.
## Microsoft GCC-High Administrative Portals
Quick reference for all portals you'll use during the build:
| Portal | URL | Primary Use |
|---|---|---|
| Microsoft Intune | https://intune.microsoft.us | Device management, compliance, configuration profiles |
| Microsoft Entra | https://entra.microsoft.us | Identity management, groups, PIM, Conditional Access |
| Security/Defender | https://security.microsoft.us | Threat protection, endpoint security, security policies |
| Purview/Compliance | https://purview.microsoft.us | DLP policies, compliance management |
| Microsoft Azure | https://portal.azure.us | Azure subscription, Log Analytics Workspace |
| Microsoft 365 Admin Center | https://portal.office365.us/adminportal | License management, user administration |
TIP: Bookmark these portals before starting the build for quick access throughout the process.