Updated scripts for solution
Frank Simorjay 2020-12-16 09:49:36 -08:00
Родитель 04b4cb6922
Коммит d483314ea3
50 изменённых файлов: 16463 добавлений и 1 удалений


@ -0,0 +1,635 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceCompliance"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if($AadModule.count -gt 1){
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if($AadModule.count -gt 1){
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceCompliancePolicy(){
<#
.SYNOPSIS
This function is used to add a device compliance policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device compliance policy
.EXAMPLE
Add-DeviceCompliancePolicy -JSON $JSON
Adds an iOS device compliance policy in Intune
.NOTES
NAME: Add-DeviceCompliancePolicy
#>
[cmdletbinding()]
param
(
$JSON
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceCompliancePolicies"
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the iOS Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-DeviceCompliancePolicy(){
<#
.SYNOPSIS
This function is used to get device compliance policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device compliance policies
.EXAMPLE
Get-DeviceCompliancePolicy
Returns any device compliance policies configured in Intune
.EXAMPLE
Get-DeviceCompliancePolicy -Name
Returns any device compliance policies with specific display name
.NOTES
NAME: Get-DeviceCompliancePolicy
#>
[cmdletbinding()]
param
(
$Name
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceCompliancePolicies"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'@odata.type').contains("windows10CompliancePolicy") -and ($_.'displayName').contains($Name) }
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceCompliancePolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device compliance policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device compliance policy assignment
.EXAMPLE
Add-DeviceCompliancePolicyAssignment -ComplianceAssignments $ComplianceAssignments -CompliancePolicyId $CompliancePolicyId
Adds a device compliance policy assignment in Intune
.NOTES
NAME: Add-DeviceCompliancePolicyAssignment
#>
[cmdletbinding()]
param
(
$CompliancePolicyId,
$ComplianceAssignments
)
$graphApiVersion = "v1.0"
$Resource = "deviceManagement/deviceCompliancePolicies/$CompliancePolicyId/assign"
try {
if(!$CompliancePolicyId){
write-host "No Compliance Policy Id specified, specify a valid Compliance Policy Id" -f Red
break
}
if(!$ComplianceAssignments){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
$JSON = @"
{
"Assignments": [
$ComplianceAssignments
]
}
"@
Write-Output $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON(){
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
Foreach-object {
$JSON_Data = Get-Content $_.FullName | where { $_ -notmatch "scheduledActionConfigurations@odata.context"}
# Excluding entries that are not required - id,createdDateTime,lastModifiedDateTime,version
$JSON_Convert = $JSON_Data | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty id,createdDateTime,lastModifiedDateTime,scheduledActionsForRule@odata.context
$DisplayName = $JSON_Convert.displayName
$DuplicateDCP = Get-DeviceCompliancePolicy -Name $JSON_Convert.displayName
#write-host $DuplicateCA
If ($DuplicateDCP -eq $null) {
$JSON_Output = $JSON_Convert | ConvertTo-Json -Depth 10
# Adding Scheduled Actions Rule to JSON
#$scheduledActionsForRule = '"scheduledActionsForRule":[{"ruleName":"PasswordRequired","scheduledActionConfigurations":[{"actionType":"block","gracePeriodHours":0,"notificationTemplateId":"","notificationMessageCCList":[]}]}]'
#$JSON_Output = $JSON_Output.trimend("}")
#$JSON_Output = $JSON_Output.TrimEnd() + "," + "`r`n"
# Joining the JSON together
#$JSON_Output = $JSON_Output + $scheduledActionsForRule + "`r`n" + "}"
write-host
write-host "Device Configuration Policy '$DisplayName' Found..." -ForegroundColor Yellow
write-host
$JSON_Output
write-host
Write-Host "Adding Device Configuration Policy '$DisplayName'" -ForegroundColor Yellow
Add-DeviceCompliancePolicy -JSON $JSON_Output
$DCPProfile = Get-DeviceCompliancePolicy -name $DisplayName
$CompliancePolicyId = $DCPProfile.id
Write-Host "Device Configuration Policy ID '$CompliancePolicyId'" -ForegroundColor Yellow
Write-Host
$AADGroups = $JSON_Convert.assignments.target
$ComplianceAssignments = @()
foreach ($AADGroup in $AADGroups )
{
Write-Host "AAD Group Name:" $AADGroup.groupId -ForegroundColor Yellow
Write-Host "Assignment Type:" $AADGroup."@OData.type" -ForegroundColor Yellow
$TargetGroupId = (Get-AADGroup -GroupName $AADGroup.groupid)
$TargetGroupId = $TargetGroupId.id
Write-Host "Included Group ID:" $TargetGroupID -ForegroundColor Yellow
$Assignment = $AADGroup."@OData.type"
$GroupAdd = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
},
"@
$ComplianceAssignments += $GroupAdd
}
Add-DeviceCompliancePolicyAssignment -ComplianceAssignments $ComplianceAssignments -CompliancePolicyId $CompliancePolicyId
}
else
{
write-host "Device Compliance Policy:" $JSON_Convert.displayName "has already been created" -ForegroundColor Yellow
}
}
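Review bot: Get-DeviceCompliancePolicy filters with `($_.'displayName').contains($Name)`, a case-sensitive substring test, so a policy named 'Baseline' also matches 'Baseline v2'; in the import loop that turns the duplicate check into a false positive and can make `$DCPProfile.id` an array of ids that is then interpolated into the `/assign` resource path, so the assignment is posted against the wrong policy or fails. Use an exact comparison there: `($_.displayName -eq $Name)`. Get-AADGroup has a related weakness: `$GroupName` is interpolated unescaped into the OData filter `displayname eq '$GroupName'`, so a group name containing a single quote yields a malformed query; double the quotes before building the URI (`$GroupName = $GroupName.Replace("'", "''")`), and note that `Get-AADGroup -GroupName $AADGroup.groupid` presumably expects the exported JSON to carry a display name in `groupId` — if it holds a GUID the displayname filter returns nothing and `$TargetGroupId` is empty. In the authentication region `.Minutes` is the minutes component of the TimeSpan rather than `.TotalMinutes`, so a token with exactly one hour left is treated as expired and the "expired N minutes ago" message prints a negative or truncated value.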


@ -0,0 +1,503 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\Scripts\ENT-DeviceConfig.ps1"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory = $true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureADPreview module..."
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if ($AadModule.count -gt 1) {
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if ($AadModule.count -gt 1) {
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result
# If the accesstoken is valid then create the authentication header
if ($authResult.AccessToken) {
# Creating header for Authorization token
$authHeader = @{
'Content-Type' = 'application/json'
'Authorization' = "Bearer " + $authResult.AccessToken
'ExpiresOn' = $authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceManagementScript() {
<#
.SYNOPSIS
This function is used to add a device management script using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device management script
.EXAMPLE
Add-DeviceManagementScript -File "path to powershell-script file"
Adds a device management script from a File in Intune
Add-DeviceManagementScript -File "URL to powershell-script file" -URL
Adds a device management script from a URL in Intune
.NOTES
NAME: Add-DeviceManagementScript
#>
[cmdletbinding()]
Param (
# Path or URL to Powershell-script to add to Intune
[Parameter(Mandatory = $true)]
[string]$File,
# PowerShell description in Intune
[Parameter(Mandatory = $false)]
[string]$Description,
# Set to true if it is a URL
[Parameter(Mandatory = $false)]
[switch][bool]$URL = $false
)
if ($URL -eq $true) {
$FileName = $File -split "/"
$FileName = $FileName[-1]
$OutFile = "$env:TEMP\$FileName"
try {
Invoke-WebRequest -Uri $File -UseBasicParsing -OutFile $OutFile
}
catch {
Write-Host "Could not download file from URL: $File" -ForegroundColor Red
break
}
$File = $OutFile
if (!(Test-Path $File)) {
Write-Host "$File could not be located." -ForegroundColor Red
break
}
}
elseif ($URL -eq $false) {
if (!(Test-Path $File)) {
Write-Host "$File could not be located." -ForegroundColor Red
break
}
$FileName = Get-Item $File | Select-Object -ExpandProperty Name
}
$B64File = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("$File"));
if ($URL -eq $true) {
Remove-Item $File -Force
}
$JSON = @"
{
"@odata.type": "#microsoft.graph.deviceManagementScript",
"displayName": "$FileName",
"description": "$Description",
"runSchedule": {
"@odata.type": "microsoft.graph.runSchedule"
},
"scriptContent": "$B64File",
"runAsAccount": "system",
"enforceSignatureCheck": "false",
"fileName": "$FileName"
"runAs32Bit": "true"
}
"@
$graphApiVersion = "Beta"
$DMS_resource = "deviceManagement/deviceManagementScripts"
Write-Verbose "Resource: $DMS_resource"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$DMS_resource"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceManagementScriptAssignment() {
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ScriptId,
$TargetGroupId
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts/$ScriptId/assign"
try {
if (!$ScriptId) {
write-host "No Script Policy Id specified, specify a valid Script Policy Id" -f Red
break
}
if (!$TargetGroupId) {
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
$JSON = @"
{
"deviceManagementScriptGroupAssignments": [
{
"@odata.type": "#microsoft.graph.deviceManagementScriptGroupAssignment",
"targetGroupId": "$TargetGroupId",
"id": "$ScriptId"
}
]
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup() {
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
try {
if ($id) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif ($GroupName -eq "" -or $GroupName -eq $null) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if (!$Members) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif ($Members) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if ($Group) {
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if ($global:authToken) {
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if ($TokenExpires -le 0) {
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if ($User -eq $null -or $User -eq "") {
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if ($User -eq $null -or $User -eq "") {
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Setting application AAD Group to assign PowerShell scripts
#$AADGroup = Read-Host -Prompt "Enter the Azure AD Group name where PowerShell scripts will be assigned"
$AADGroup = "Enterprise Workstations"
$TargetGroupId = (Get-AADGroup -GroupName "$AADGroup").id
if ($TargetGroupId -eq $null -or $TargetGroupId -eq "") {
Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
Write-Host
exit
}
####################################################
Write-Host "Adding Device Configuration Script from " $ImportPath -ForegroundColor Green
$Create_Local_Script = Add-DeviceManagementScript -File $ImportPath -Description "Enterprise Device Config script"
Write-Host "Device Management Script created as" $Create_Local_Script.id
write-host
write-host "Assigning Device Management Script to AAD Group '$AADGroup'" -f Cyan
$Assign_Local_Script = Add-DeviceManagementScriptAssignment -ScriptId $Create_Local_Script.id -TargetGroupId $TargetGroupId
Write-Host "Assigned '$AADGroup' to $($Create_Local_Script.displayName)/$($Create_Local_Script.id)"
Write-Host
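Review bot: The request body in Add-DeviceManagementScript is missing the comma after `"fileName": "$FileName"`, so the here-string is not valid JSON and the POST to deviceManagementScripts is rejected before anything is created; add it (`"fileName": "$FileName",`). Because `$FileName` and `$Description` are interpolated unescaped, a description containing a double quote breaks the body in the same way; building a hashtable and calling `ConvertTo-Json` would remove both problems. In Get-AuthToken the first lookup was changed to "AzureADPreview" while the fallback still looks up "AzureADPreview" too, so a machine with only the AzureAD module installed is told the module is missing even though the message suggests installing it; the first `Get-Module -Name` should be "AzureAD" as in the sibling scripts. The body hard-codes `"runAsAccount": "system"` and `"enforceSignatureCheck": "false"`, meaning the uploaded script runs as SYSTEM with no signature requirement on every device in the target group; that is a deliberate policy choice that deserves a comment such as `# Deployed unsigned and run as SYSTEM on all targeted devices; keep the source under change control`. The comment-based help for Add-DeviceManagementScriptAssignment still describes Add-DeviceConfigurationPolicyAssignment and a `-ConfigurationPolicyId` example, and should be updated to the `-ScriptId`/`-TargetGroupId` parameters the function actually takes.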


@ -0,0 +1,675 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceConfiguration"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if($AadModule.count -gt 1){
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if($AadModule.count -gt 1){
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceConfigurationPolicy(){
<#
.SYNOPSIS
This function is used to add an device configuration policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy
.EXAMPLE
Add-DeviceConfigurationPolicy -JSON $JSON
Adds a device configuration policy in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$JSON
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
Write-Verbose "Resource: $DCP_resource"
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the Android Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceConfigurationPolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ConfigurationPolicyId,
$TargetGroupId,
$Assignment
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceConfigurations/$ConfigurationPolicyId/assignments"
try {
if(!$ConfigurationPolicyId){
write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
break
}
if(!$TargetGroupId){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
if(!$Assignment){
write-host "No Assignment Type specified, specify a valid Assignment Type" -f Red
break
}
$ConfPolAssign = "$ConfigurationPolicyId" + "_" + "$TargetGroupId"
$JSON = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-DeviceConfigurationPolicy(){
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$name
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
try {
if($Name){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'displayName').contains("$Name") }
}
else {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON(){
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Setting application AAD Group to assign Policy
#$AADGroup = Read-Host -Prompt "Enter the Azure AD Group name where policies will be assigned"
#$TargetGroupId = (Get-AADGroup | Where-Object {$_.displayName -eq $AADGroup}).id
#
# if($TargetGroupId -eq $null -or $TargetGroupId -eq ""){
#
# Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
# Write-Host
# exit
# }
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
Foreach-object {
$JSON_Data = Get-Content $_.FullName
# Excluding entries that are not required - id,createdDateTime,lastModifiedDateTime,version
$JSON_Convert = $JSON_Data | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty id,createdDateTime,lastModifiedDateTime,version,supportsScopeTags
$DisplayName = $JSON_Convert.displayName
$DuplicateDCP = Get-DeviceConfigurationPolicy -Name $JSON_Convert.displayName
If ($DuplicateDCP -eq $null)
{
$JSON_Output = $JSON_Convert | ConvertTo-Json -Depth 5
write-host
write-host "Device Configuration Policy '$DisplayName' Found..." -ForegroundColor Yellow
write-host
$JSON_Output
write-host
Write-Host "Adding Device Configuration Policy '$DisplayName'" -ForegroundColor Yellow
Add-DeviceConfigurationPolicy -JSON $JSON_Output
$DeviceConfigs = Get-DeviceConfigurationPolicy -name $DisplayName
$DeviceConfigID = $DeviceConfigs.id
Write-Host "Device ConfigID '$DeviceConfigID'" -ForegroundColor Yellow
Write-Host
$AADGroups = $JSON_Convert.assignments.target
foreach ($AADGroup in $AADGroups )
{
Write-Host "AAD Group Name:" $AADGroup.groupId -ForegroundColor Yellow
Write-Host "Assignment Type:" $AADGroup."@OData.type" -ForegroundColor Yellow
$TargetGroupId = (Get-AADGroup -GroupName $AADGroup.groupid)
Write-Host "Included Group ID:" $TargetGroupID.Id -ForegroundColor Yellow
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $TargetGroupId.id -Assignment $AADGroup."@OData.type"
}
# Create exclude Group
<#$ShortName = $JSON_Convert.displayName -replace "PAW-Global-2009-Intune-Configuration-", ''
$ExcludeGroup = "PAW-"+$ShortName+"-Exclude-Device"
If (Get-AzureADGroup -SearchString $ExcludeGroup) {
Write-Host
Write-Host "AAD group" $ExcludeGroup "already exists!" -f Yellow
Write-Host
}
Else {
$MailNickName = $ShortName+"-G"
try
{
$ExcludeTargetGroup = New-AzureADGroup -DisplayName $ExcludeGroup -Description $ExcludeGroup"-Group" -MailEnabled $false -SecurityEnabled $true -MailNickName $MailNickName
sleep 5
}
catch
{
Write-Host
Write-Host "Error creating AAD group" $ExcludeGroup -f Red
Write-Host
}
}
Write-Host "Excluded Group ID" $ExcludeTargetGroup.objectid
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $ExcludeTargetGroup.objectid -Assignment "exclusionGroupAssignmentTarget"
#>
}
else
{
write-host "Device Configuration Profile:" $JSON_Convert.displayName "has already been created" -ForegroundColor Yellow
}
}
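Review bot: The duplicate check feeding `If ($DuplicateDCP -eq $null)` relies on `Get-DeviceConfigurationPolicy -Name`, whose filter is `($_.'displayName').contains("$Name")`, a substring match, so a new profile whose name is a prefix of an existing one is reported as already created and silently skipped, and the later `Get-DeviceConfigurationPolicy -name $DisplayName` used to fetch the new id can return several objects, turning `$DeviceConfigs.id` into an array. Use an exact comparison: `Where-Object { $_.displayName -eq $Name }`. Separately, `Get-AADGroup` interpolates the group name taken from the JSON `assignments.target.groupId` straight into the OData string `$filter=displayname eq '$GroupName'`; a name containing a single quote produces a malformed query, so escape it first with `$GroupName = $GroupName -replace "'", "''"` before building `$uri`. The log line `"Device Configuration Policy '$DisplayName' Found..."` is printed in the branch where no policy was found; `Not found, creating...` would describe it correctly.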


@ -0,0 +1,714 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
param (
#Change Conditional Access State, default is disabled
#Options: enabled, disabled, enabledForReportingButNotEnforced
[String]$AADGroup = "Privileged Workstations"
)
#$AADGroup = "PAW-Global-Devices"
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceConfigurationADMX"
function Get-AuthToken
{
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory = $true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null)
{
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null)
{
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if ($AadModule.count -gt 1)
{
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if ($AadModule.count -gt 1)
{
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else
{
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try
{
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result
# If the accesstoken is valid then create the authentication header
if ($authResult.AccessToken)
{
# Creating header for Authorization token
$authHeader = @{
'Content-Type' = 'application/json'
'Authorization' = "Bearer " + $authResult.AccessToken
'ExpiresOn' = $authResult.ExpiresOn
}
return $authHeader
}
else
{
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch
{
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Create-GroupPolicyConfigurations()
{
<#
.SYNOPSIS
This function is used to add an device configuration policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy
.EXAMPLE
Add-DeviceConfigurationPolicy -JSON $JSON
Adds a device configuration policy in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$DisplayName
)
$jsonCode = @"
{
"description":"",
"displayName":"$($DisplayName)"
}
"@
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations"
Write-Verbose "Resource: $DCP_resource"
try
{
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
$responseBody = Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $jsonCode -ContentType "application/json"
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
$responseBody.id
}
Function Create-GroupPolicyConfigurationsDefinitionValues()
{
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-GroupPolicyConfigurations
#>
[cmdletbinding()]
Param (
[string]$GroupPolicyConfigurationID,
$JSON
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations/$($GroupPolicyConfigurationID)/definitionValues"
write-host $DCP_resource
try
{
if ($JSON -eq "" -or $JSON -eq $null)
{
write-host "No JSON specified, please specify valid JSON for the Device Configuration Policy..." -f Red
}
else
{
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-GroupPolicyConfigurations()
{
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-GroupPolicyConfigurations
#>
[cmdletbinding()]
param
(
$name
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations"
try
{
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'displayName') -eq ("$Name") }
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-GroupPolicyConfigurationPolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ConfigurationPolicyId,
$TargetGroupId,
$Assignment
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/groupPolicyConfigurations/$ConfigurationPolicyId/assignments"
try {
if(!$ConfigurationPolicyId){
write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
break
}
if(!$TargetGroupId){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
if(!$Assignment){
write-host "No Assignment Type specified, specify a valid Assignment Type" -f Red
break
}
# $ConfPolAssign = "$ConfigurationPolicyId" + "_" + "$TargetGroupId"
$JSON = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON()
{
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try
{
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch
{
$validJson = $false
$_.Exception
}
if (!$validJson)
{
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if ($global:authToken)
{
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if ($TokenExpires -le 0)
{
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if ($User -eq $null -or $User -eq "")
{
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else
{
if ($User -eq $null -or $User -eq "")
{
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
$TargetGroupId = (Get-AADGroup | Where-Object {$_.displayName -eq $AADGroup}).id
if($TargetGroupId -eq $null -or $TargetGroupId -eq ""){
Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
Write-Host
exit
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
ForEach-Object {
$Policy_Name = $_.Name
$Policy_Name = $Policy_Name.Substring(0,$Policy_Name.Length-5)
$DuplicateDCP = Get-GroupPolicyConfigurations -Name $Policy_Name
If ($DuplicateDCP -eq $null)
{
$GroupPolicyConfigurationID = Create-GroupPolicyConfigurations -DisplayName $Policy_Name
$JSON_Data = Get-Content $_.FullName
$JSON_Convert = $JSON_Data | ConvertFrom-Json
$JSON_Convert | ForEach-Object { $_
$JSON_Output = Convertto-Json -Depth 5 $_
Write-Host $JSON_Output
Create-GroupPolicyConfigurationsDefinitionValues -JSON $JSON_Output -GroupPolicyConfigurationID $GroupPolicyConfigurationID
}
Write-Host "####################################################################################################" -ForegroundColor Green
Write-Host "Policy: " $Policy_Name "created" -ForegroundColor Green
Write-Host "####################################################################################################" -ForegroundColor Green
$DeviceConfigs = Get-GroupPolicyConfigurations -name $Policy_Name
$DeviceConfigID = $DeviceConfigs.id
Add-GroupPolicyConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $TargetGroupId -Assignment "groupAssignmentTarget"
}
else
{
write-host "Device Configuration ADMX Profile:" $Policy_Name "has already been created" -ForegroundColor Yellow
}
}
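Review bot: `Create-GroupPolicyConfigurations` builds its request body in a here-string with `"displayName":"$($DisplayName)"`, where `$DisplayName` comes from the JSON file name in the pipeline, and unlike the other POST helpers it never calls `Test-JSON`; a file name containing `"` or `\` yields an invalid body that only fails at the Graph call. Serialise instead of interpolating: `$jsonCode = @{ description = ""; displayName = $DisplayName } | ConvertTo-Json`. The comment above the `$AADGroup` parameter ("Change Conditional Access State ... Options: enabled, disabled, enabledForReportingButNotEnforced") describes a different parameter and should read `# Azure AD group whose members receive the ADMX profiles`. The lookup `(Get-AADGroup | Where-Object {$_.displayName -eq $AADGroup}).id` filters client-side on a single response from `/groups` since `@odata.nextLink` is not followed, so in a tenant with more groups than one page the target group may presumably be missed; `Get-AADGroup -GroupName $AADGroup` lets the service do the filtering.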


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"createdDateTime": "2020-11-30T15:27:50.8972649Z",
"description": "Defender ATP-specific compliance settings to apply after 24 hours\n",
"lastModifiedDateTime": "2020-11-30T15:27:50.8972649Z",
"displayName": "Enterprise-Compliance-ATP",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": false,
"secureBootEnabled": false,
"codeIntegrityEnabled": false,
"storageRequireEncryption": false,
"activeFirewallRequired": false,
"defenderEnabled": false,
"defenderVersion": null,
"signatureOutOfDate": false,
"rtpEnabled": false,
"antivirusRequired": false,
"antiSpywareRequired": false,
"deviceThreatProtectionEnabled": true,
"deviceThreatProtectionRequiredSecurityLevel": "secured",
"configurationManagerComplianceRequired": false,
"tpmRequired": false,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Enterprise Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u0027a8994b69-5205-4614-ae3e-150c2d4f2c5d\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u0027a8994b69-5205-4614-ae3e-150c2d4f2c5d\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "44bd1593-f79a-4a98-8acf-f20b496c621d",
"gracePeriodHours": 24,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}
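Review bot: The three compliance policy exports (this file and the two that follow, Enterprise-Compliance-Delayed and Enterprise-Compliance-Immediate) carry server-generated, read-only properties — `id`, `createdDateTime`, `lastModifiedDateTime`, `version`, the `scheduledActionConfigurations@odata.context` URL and the per-assignment `id`/`sourceId` — that Graph does not accept on a create request, so the companion import script presumably strips them; if it does not, the POST will fail on the first of these. The `assignments[].target.groupId` values are display names (`Emergency Breakglass`, `Enterprise Workstation Users`) rather than the GUIDs the `groupAssignmentTarget` type expects, which again only works if the importer resolves names to object ids, and a one-line README note stating that contract would save the next maintainer a debugging session. All three policies also pin `osMinimumVersion` to `10.0.18363.476`, a fixed 1909 build; since the value will go stale, document it as a baseline to be revisited rather than leaving it implicit in the data.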


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"createdDateTime": "2020-11-30T15:27:52.1330905Z",
"description": "Intune compliance settings to apply after 24 hours\n",
"lastModifiedDateTime": "2020-11-30T15:27:52.1330905Z",
"displayName": "Enterprise-Compliance-Delayed",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": true,
"secureBootEnabled": true,
"codeIntegrityEnabled": true,
"storageRequireEncryption": false,
"activeFirewallRequired": true,
"defenderEnabled": true,
"defenderVersion": null,
"signatureOutOfDate": true,
"rtpEnabled": true,
"antivirusRequired": true,
"antiSpywareRequired": true,
"deviceThreatProtectionEnabled": false,
"deviceThreatProtectionRequiredSecurityLevel": "unavailable",
"configurationManagerComplianceRequired": false,
"tpmRequired": true,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Enterprise Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u0027070e9f28-9bf1-41cc-b5bb-77229343d3b9\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u0027070e9f28-9bf1-41cc-b5bb-77229343d3b9\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "cab389d9-845f-4d0a-a9cd-e64abbcbd859",
"gracePeriodHours": 24,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"createdDateTime": "2020-11-30T15:27:53.2888215Z",
"description": "Intune compliance settings to apply immediately\n",
"lastModifiedDateTime": "2020-11-30T15:27:53.2888215Z",
"displayName": "Enterprise-Compliance-Immediate",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": false,
"secureBootEnabled": false,
"codeIntegrityEnabled": false,
"storageRequireEncryption": false,
"activeFirewallRequired": false,
"defenderEnabled": true,
"defenderVersion": null,
"signatureOutOfDate": false,
"rtpEnabled": true,
"antivirusRequired": true,
"antiSpywareRequired": false,
"deviceThreatProtectionEnabled": false,
"deviceThreatProtectionRequiredSecurityLevel": "unavailable",
"configurationManagerComplianceRequired": false,
"tpmRequired": false,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Enterprise Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u002756454fb5-78ae-4489-a4de-c60aeeb4bb8b\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u002756454fb5-78ae-4489-a4de-c60aeeb4bb8b\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "59ae4e45-6495-4d33-b943-1bb01554bc6f",
"gracePeriodHours": 0,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}


@ -0,0 +1,497 @@
{
"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
"id": "a1184c0e-3171-4718-aefa-02cbb40c0224",
"lastModifiedDateTime": "2020-11-17T16:58:14.2282724Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-17T16:32:11.7841379Z",
"description": "",
"displayName": "Enterprise-Config-Win10-Custom-CSP",
"version": 3,
"omaSettings": [
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "NetworkIsolation/EnterpriseProxyServersAreAuthoritative",
"description": "EnterpriseProxyServersAreAuthoritative",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServersAreAuthoritative",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "NetworkIsolation/EnterpriseIPRangesAreAuthoritative",
"description": "EnterpriseIPRangesAreAuthoritative",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRangesAreAuthoritative",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Search/AllowIndexingEncryptedStoresOrItems",
"description": "AllowIndexingEncryptedStoresOrItems",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Search/AllowIndexingEncryptedStoresOrItems",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "LanmanWorkstation/EnableInsecureGuestLogons",
"description": "EnableInsecureGuestLogons",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Games/AllowAdvancedGamingServices",
"description": "AllowAdvancedGamingServices",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "ControlPolicyConflict/MDMWinsOverGP",
"description": "MDMWinsOverGP",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "SystemServices/ConfigureHomeGroupListenerServiceStartupMode",
"description": "ConfigureHomeGroupListenerServiceStartupMode",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupListenerServiceStartupMode",
"isEncrypted": false,
"value": 4,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "SystemServices/ConfigureHomeGroupProviderServiceStartupMode",
"description": "ConfigureHomeGroupProviderServiceStartupMode",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupProviderServiceStartupMode",
"isEncrypted": false,
"value": 4,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "ErrorReporting/DisableWindowsErrorReporting",
"description": "DisableWindowsErrorReporting",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting",
"isEncrypted": false,
"value": " \u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/AllowStandbyWhenSleepingPluggedIn",
"description": "AllowStandbyWhenSleepingPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/AllowStandbyWhenSleepingPluggedIn",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/RequirePasswordWhenComputerWakesOnBattery",
"description": "RequirePasswordWhenComputerWakesOnBattery",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesOnBattery",
"isEncrypted": false,
"value": " \u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/RequirePasswordWhenComputerWakesPluggedIn",
"description": "RequirePasswordWhenComputerWakesPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteAssistance/SolicitedRemoteAssistance",
"description": "SolicitedRemoteAssistance",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SolicitedRemoteAssistance",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "AutoPlay/DisallowAutoplayForNonVolumeDevices",
"description": "DisallowAutoplayForNonVolumeDevices",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/AutoPlay/DisallowAutoplayForNonVolumeDevices",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/DoNotAllowDriveRedirection",
"description": "DoNotAllowDriveRedirection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/PromptForPasswordUponConnection",
"description": "PromptForPasswordUponConnection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/RequireSecureRPCCommunication",
"description": "RequireSecureRPCCommunication",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "DeviceLock/PreventLockScreenSlideShow",
"description": "PreventLockScreenSlideShow",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection",
"description": "EnableStructuredExceptionHandlingOverwriteProtection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"description": "AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"description": "AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard",
"description": "AuditApplicationGuard",
"omaUri": "./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceLock/MaxDevicePasswordFailedAttempts",
"description": "MaxDevicePasswordFailedAttempts",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxDevicePasswordFailedAttempts",
"isEncrypted": false,
"value": 9,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HidePeopleBar",
"description": "HidePeopleBar ",
"omaUri": "./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Browser/AllowFlash",
"description": "AllowFlash",
"omaUri": "./Vendor/MSFT/Policy/Config/Browser/AllowFlash",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Privacy/AllowCrossDeviceClipboard",
"description": "AllowCrossDeviceClipboard",
"omaUri": "./Vendor/MSFT/Policy/Config/Privacy/AllowCrossDeviceClipboard",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Experience/DoNotShowFeedbackNotifications",
"description": "HideFeedbackNotifications",
"omaUri": "./Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"description": "ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"isEncrypted": false,
"value": "\u003cEnabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge",
"description": "ProhibitInstallationAndConfigurationOfNetworkBridge",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge",
"isEncrypted": false,
"value": "\u003cEnabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteAssistance/UnsolicitedRemoteAssistance",
"description": "UnsolicitedRemoteAssistance",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges",
"description": "MSIAlwaysInstallWithElevatedPrivileges",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteManagement/AllowBasicAuthentication_Client",
"description": "AllowBasicAuthentication_Client",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Client",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteManagement/AllowBasicAuthentication_Service",
"description": "AllowBasicAuthentication_Service",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Service",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/IPv6SourceRoutingProtectionLevel",
"description": "IPv6SourceRoutingProtectionLevel",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"DisableIPSourceRoutingIPv6\" value=\"2\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "CredentialsUI/EnumerateAdministrators",
"description": "EnumerateAdministrators",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/CredentialsUI/EnumerateAdministrators",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Autoplay/TurnOffAutoPlay",
"description": "TurnOffAutoPlay",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"Autorun_Box\" value=\"255\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Autoplay/SetDefaultAutoRunBehavior",
"description": "SetDefaultAutoRunBehavior",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Autoplay/SetDefaultAutoRunBehavior",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"NoAutorun_Dropdown\" value=\"1\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/ConfigureSMBV1ClientDriver",
"description": "ConfigureSMBV1ClientDriver",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver",
"isEncrypted": false,
"value": "\u003cenabled/\u003e \n\u003cdata id=\"Pol_SecGuide_SMB1ClientDriver\" value=\"4\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/IPSourceRoutingProtectionLevel",
"description": "IPSourceRoutingProtectionLevel",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"DisableIPSourceRouting\" value=\"2\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/EnableVirtualizationBasedSecurity",
"description": "EnableVirtualizationBasedSecurity",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/LSACfgFlags",
"description": "LSACfgFlags",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/PlatformSecurityFeatures",
"description": "PlatformSecurityFeatures",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures",
"isEncrypted": false,
"value": 3,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/ConfigureSystemGuardLaunch",
"description": "ConfigureSystemGuardLaunch",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HideSleep",
"description": "HideSleep",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideSleep",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HideHibernate",
"description": "HideHibernate",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideHibernate",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/StandbyTimeoutPluggedIn",
"description": "StandbyTimeoutPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterACStandbyTimeOut\" value=\"1800\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/HibernateTimeoutPluggedIn",
"description": "HibernateTimeoutPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterACHibernateTimeOut\" value=\"3600\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/HibernateTimeoutOnBattery",
"description": "HibernateTimeoutOnBattery",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutOnBattery",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterDCHibernateTimeOut\" value=\"3600\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemovableStroageDevices/CDDenyWrite",
"description": "CDDenyWrite",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemovableStorageDevices\\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}/CDandDVD_DenyWrite_Access_2",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "CredentialsUI/DisablePasswordReveal",
"description": "DisablePasswordReveal",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MS DM Server/CommercialID",
"description": "CommercialID",
"omaUri": "./Vendor/MSFT/DMClient/Provider/MS DM Server/CommercialID",
"isEncrypted": false,
"value": "11111111-1111-1111-1111-111111111111"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/AllowDeviceNameInDiagnosticData",
"description": "AllowDeviceNameInDiagnosticData",
"omaUri": "./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/ConfigureTelemetryOptInSettingsUx",
"description": "ConfigureTelemetryOptInSettingsUx",
"omaUri": "./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/LimitEnhancedDiagnosticDataWindowsAnalytics",
"description": "LimitEnhancedDiagnosticDataWindowsAnalytics",
"omaUri": "./Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/ConfigureTelemetryOptInChangeNotification",
"description": "ConfigureTelemetryOptInChangeNotification",
"omaUri": "./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
}
],
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u0027a1184c0e-3171-4718-aefa-02cbb40c0224\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/assignments",
"assignments": [
{
"id": "a1184c0e-3171-4718-aefa-02cbb40c0224_82852fee-f2a0-44cf-b5b8-8db17c72a037",
"source": "direct",
"sourceId": "a1184c0e-3171-4718-aefa-02cbb40c0224",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Enterprise Workstations"
}
}
]
}
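Review bot: The `MS DM Server/CommercialID` setting in this custom-CSP profile ships the placeholder value `11111111-1111-1111-1111-111111111111`; importing the profile as-is would push a bogus Commercial ID to every assigned device and silently break the diagnostic-data enrolment it is meant to configure, so either document it as a value the operator must replace before import or drop the setting from the baseline. Several ADMX-backed string values are formatted inconsistently — `ErrorReporting/DisableWindowsErrorReporting` and `Power/RequirePasswordWhenComputerWakesOnBattery` have a leading space before `<enabled/>`, `MSSecurityGuide/ConfigureSMBV1ClientDriver` has a trailing space and newline between the two elements, and a few use `<Enabled/>`/`<Disabled/>` where the rest use lowercase — which is worth normalising to `<enabled/>` so any CSP that is strict about the payload does not fail on a subset of settings. The display name `RemovableStroageDevices/CDDenyWrite` is misspelled (the `omaUri` is correct), and `DeviceGuard/LSACfgFlags` differs in case from its `omaUri` `LsaCfgFlags`; both are cosmetic but will show up in the Intune portal. As with the compliance exports, `id`, timestamps and `assignments@odata.context` are read-only server properties that the import path must strip.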


@ -0,0 +1,340 @@
{
"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
"id": "608773ad-12f0-4cb2-be95-5cf34d77b916",
"lastModifiedDateTime": "2020-11-17T16:51:04.2701729Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-17T16:32:30.2313945Z",
"description": "",
"displayName": "Enterprise-Config-Win10-Device-Restrictions-UI",
"version": 7,
"taskManagerBlockEndTask": false,
"energySaverOnBatteryThresholdPercentage": null,
"energySaverPluggedInThresholdPercentage": null,
"powerLidCloseActionOnBattery": "notConfigured",
"powerLidCloseActionPluggedIn": "notConfigured",
"powerButtonActionOnBattery": "notConfigured",
"powerButtonActionPluggedIn": "notConfigured",
"powerSleepButtonActionOnBattery": "notConfigured",
"powerSleepButtonActionPluggedIn": "notConfigured",
"powerHybridSleepOnBattery": "enabled",
"powerHybridSleepPluggedIn": "enabled",
"windows10AppsForceUpdateSchedule": null,
"enableAutomaticRedeployment": true,
"microsoftAccountSignInAssistantSettings": "notConfigured",
"authenticationAllowSecondaryDevice": true,
"authenticationWebSignIn": "notConfigured",
"authenticationPreferredAzureADTenantDomainName": null,
"cryptographyAllowFipsAlgorithmPolicy": false,
"displayAppListWithGdiDPIScalingTurnedOn": [
],
"displayAppListWithGdiDPIScalingTurnedOff": [
],
"enterpriseCloudPrintDiscoveryEndPoint": null,
"enterpriseCloudPrintOAuthAuthority": null,
"enterpriseCloudPrintOAuthClientIdentifier": null,
"enterpriseCloudPrintResourceIdentifier": null,
"enterpriseCloudPrintDiscoveryMaxLimit": null,
"enterpriseCloudPrintMopriaDiscoveryResourceIdentifier": null,
"experienceDoNotSyncBrowserSettings": "blocked",
"messagingBlockSync": false,
"messagingBlockMMS": false,
"messagingBlockRichCommunicationServices": false,
"printerNames": [
],
"printerDefaultName": null,
"printerBlockAddition": false,
"searchBlockDiacritics": false,
"searchDisableAutoLanguageDetection": false,
"searchDisableIndexingEncryptedItems": false,
"searchEnableRemoteQueries": false,
"searchDisableUseLocation": false,
"searchDisableLocation": false,
"searchDisableIndexerBackoff": false,
"searchDisableIndexingRemovableDrive": false,
"searchEnableAutomaticIndexSizeManangement": false,
"searchBlockWebResults": false,
"findMyFiles": "notConfigured",
"securityBlockAzureADJoinedDevicesAutoEncryption": false,
"diagnosticsDataSubmissionMode": "enhanced",
"oneDriveDisableFileSync": false,
"systemTelemetryProxyServer": null,
"edgeTelemetryForMicrosoft365Analytics": "notConfigured",
"inkWorkspaceAccess": "disabled",
"inkWorkspaceAccessState": "blocked",
"inkWorkspaceBlockSuggestedApps": false,
"smartScreenEnableAppInstallControl": false,
"smartScreenAppInstallControl": "notConfigured",
"personalizationDesktopImageUrl": null,
"personalizationLockScreenImageUrl": null,
"bluetoothAllowedServices": [
],
"bluetoothBlockAdvertising": false,
"bluetoothBlockPromptedProximalConnections": false,
"bluetoothBlockDiscoverableMode": false,
"bluetoothBlockPrePairing": false,
"edgeBlockAutofill": false,
"edgeBlocked": false,
"edgeCookiePolicy": "userDefined",
"edgeBlockDeveloperTools": true,
"edgeBlockSendingDoNotTrackHeader": true,
"edgeBlockExtensions": false,
"edgeBlockInPrivateBrowsing": true,
"edgeBlockJavaScript": false,
"edgeBlockPasswordManager": false,
"edgeBlockAddressBarDropdown": false,
"edgeBlockCompatibilityList": false,
"edgeClearBrowsingDataOnExit": true,
"edgeAllowStartPagesModification": false,
"edgeDisableFirstRunPage": false,
"edgeBlockLiveTileDataCollection": true,
"edgeSyncFavoritesWithInternetExplorer": false,
"edgeFavoritesListLocation": null,
"edgeBlockEditFavorites": false,
"edgeNewTabPageURL": null,
"edgeHomeButtonConfiguration": null,
"edgeHomeButtonConfigurationEnabled": false,
"edgeOpensWith": "notConfigured",
"edgeBlockSideloadingExtensions": false,
"edgeRequiredExtensionPackageFamilyNames": [
],
"edgeBlockPrinting": false,
"edgeFavoritesBarVisibility": "notConfigured",
"edgeBlockSavingHistory": true,
"edgeBlockFullScreenMode": false,
"edgeBlockWebContentOnNewTabPage": false,
"edgeBlockTabPreloading": false,
"edgeBlockPrelaunch": false,
"edgeShowMessageWhenOpeningInternetExplorerSites": "notConfigured",
"edgePreventCertificateErrorOverride": true,
"edgeKioskModeRestriction": "notConfigured",
"edgeKioskResetAfterIdleTimeInMinutes": null,
"cellularBlockDataWhenRoaming": false,
"cellularBlockVpn": false,
"cellularBlockVpnWhenRoaming": false,
"cellularData": "allowed",
"defenderRequireRealTimeMonitoring": true,
"defenderRequireBehaviorMonitoring": true,
"defenderRequireNetworkInspectionSystem": true,
"defenderScanDownloads": true,
"defenderScheduleScanEnableLowCpuPriority": false,
"defenderDisableCatchupQuickScan": false,
"defenderDisableCatchupFullScan": false,
"defenderScanScriptsLoadedInInternetExplorer": true,
"defenderBlockEndUserAccess": false,
"defenderSignatureUpdateIntervalInHours": 1,
"defenderMonitorFileActivity": "userDefined",
"defenderDaysBeforeDeletingQuarantinedMalware": null,
"defenderScanMaxCpu": null,
"defenderScanArchiveFiles": true,
"defenderScanIncomingMail": true,
"defenderScanRemovableDrivesDuringFullScan": true,
"defenderScanMappedNetworkDrivesDuringFullScan": false,
"defenderScanNetworkFiles": true,
"defenderRequireCloudProtection": true,
"defenderCloudBlockLevel": "high",
"defenderCloudExtendedTimeout": 50,
"defenderCloudExtendedTimeoutInSeconds": 50,
"defenderPromptForSampleSubmission": "sendAllDataWithoutPrompting",
"defenderScheduledQuickScanTime": "18:00:00.0000000",
"defenderScanType": "full",
"defenderSystemScanSchedule": "saturday",
"defenderScheduledScanTime": "18:00:00.0000000",
"defenderPotentiallyUnwantedAppAction": "block",
"defenderPotentiallyUnwantedAppActionSetting": "userDefined",
"defenderSubmitSamplesConsentType": "sendSafeSamplesAutomatically",
"defenderBlockOnAccessProtection": false,
"defenderFileExtensionsToExclude": [
],
"defenderFilesAndFoldersToExclude": [
],
"defenderProcessesToExclude": [
],
"lockScreenAllowTimeoutConfiguration": false,
"lockScreenBlockActionCenterNotifications": false,
"lockScreenBlockCortana": true,
"lockScreenBlockToastNotifications": true,
"lockScreenTimeoutInSeconds": null,
"lockScreenActivateAppsWithVoice": "notConfigured",
"passwordBlockSimple": true,
"passwordExpirationDays": null,
"passwordMinimumLength": 9,
"passwordMinutesOfInactivityBeforeScreenTimeout": 30,
"passwordMinimumCharacterSetCount": 2,
"passwordPreviousPasswordBlockCount": null,
"passwordRequired": true,
"passwordRequireWhenResumeFromIdleState": true,
"passwordRequiredType": "alphanumeric",
"passwordSignInFailureCountBeforeFactoryReset": 9,
"passwordMinimumAgeInDays": null,
"privacyAdvertisingId": "notConfigured",
"privacyAutoAcceptPairingAndConsentPrompts": false,
"privacyDisableLaunchExperience": false,
"privacyBlockInputPersonalization": false,
"privacyBlockPublishUserActivities": true,
"privacyBlockActivityFeed": true,
"activateAppsWithVoice": "notConfigured",
"startBlockUnpinningAppsFromTaskbar": false,
"startMenuAppListVisibility": "userDefined",
"startMenuHideChangeAccountSettings": false,
"startMenuHideFrequentlyUsedApps": false,
"startMenuHideHibernate": false,
"startMenuHideLock": false,
"startMenuHidePowerButton": false,
"startMenuHideRecentJumpLists": false,
"startMenuHideRecentlyAddedApps": false,
"startMenuHideRestartOptions": false,
"startMenuHideShutDown": false,
"startMenuHideSignOut": false,
"startMenuHideSleep": true,
"startMenuHideSwitchAccount": true,
"startMenuHideUserTile": false,
"startMenuLayoutEdgeAssetsXml": null,
"startMenuLayoutXml": "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",
"startMenuMode": "userDefined",
"startMenuPinnedFolderDocuments": "notConfigured",
"startMenuPinnedFolderDownloads": "notConfigured",
"startMenuPinnedFolderFileExplorer": "notConfigured",
"startMenuPinnedFolderHomeGroup": "hide",
"startMenuPinnedFolderMusic": "hide",
"startMenuPinnedFolderNetwork": "hide",
"startMenuPinnedFolderPersonalFolder": "notConfigured",
"startMenuPinnedFolderPictures": "notConfigured",
"startMenuPinnedFolderSettings": "notConfigured",
"startMenuPinnedFolderVideos": "notConfigured",
"settingsBlockSettingsApp": false,
"settingsBlockSystemPage": false,
"settingsBlockDevicesPage": false,
"settingsBlockNetworkInternetPage": false,
"settingsBlockPersonalizationPage": false,
"settingsBlockAccountsPage": false,
"settingsBlockTimeLanguagePage": false,
"settingsBlockEaseOfAccessPage": false,
"settingsBlockPrivacyPage": true,
"settingsBlockUpdateSecurityPage": false,
"settingsBlockAppsPage": false,
"settingsBlockGamingPage": true,
"windowsSpotlightBlockConsumerSpecificFeatures": false,
"windowsSpotlightBlocked": false,
"windowsSpotlightBlockOnActionCenter": false,
"windowsSpotlightBlockTailoredExperiences": false,
"windowsSpotlightBlockThirdPartyNotifications": false,
"windowsSpotlightBlockWelcomeExperience": false,
"windowsSpotlightBlockWindowsTips": false,
"windowsSpotlightConfigureOnLockScreen": "notConfigured",
"networkProxyApplySettingsDeviceWide": false,
"networkProxyDisableAutoDetect": false,
"networkProxyAutomaticConfigurationUrl": null,
"networkProxyServer": null,
"accountsBlockAddingNonMicrosoftAccountEmail": true,
"antiTheftModeBlocked": false,
"bluetoothBlocked": false,
"cameraBlocked": false,
"connectedDevicesServiceBlocked": true,
"certificatesBlockManualRootCertificateInstallation": false,
"copyPasteBlocked": false,
"cortanaBlocked": false,
"deviceManagementBlockFactoryResetOnMobile": false,
"deviceManagementBlockManualUnenroll": true,
"safeSearchFilter": "userDefined",
"edgeBlockPopups": false,
"edgeBlockSearchSuggestions": false,
"edgeBlockSearchEngineCustomization": false,
"edgeBlockSendingIntranetTrafficToInternetExplorer": false,
"edgeSendIntranetTrafficToInternetExplorer": false,
"edgeRequireSmartScreen": true,
"edgeEnterpriseModeSiteListLocation": null,
"edgeFirstRunUrl": null,
"edgeHomepageUrls": [
],
"edgeBlockAccessToAboutFlags": false,
"smartScreenBlockPromptOverride": true,
"smartScreenBlockPromptOverrideForFiles": true,
"webRtcBlockLocalhostIpAddress": true,
"internetSharingBlocked": true,
"settingsBlockAddProvisioningPackage": true,
"settingsBlockRemoveProvisioningPackage": true,
"settingsBlockChangeSystemTime": true,
"settingsBlockEditDeviceName": false,
"settingsBlockChangeRegion": false,
"settingsBlockChangeLanguage": false,
"settingsBlockChangePowerSleep": false,
"locationServicesBlocked": false,
"microsoftAccountBlocked": false,
"microsoftAccountBlockSettingsSync": true,
"nfcBlocked": false,
"resetProtectionModeBlocked": false,
"screenCaptureBlocked": false,
"storageBlockRemovableStorage": false,
"storageRequireMobileDeviceEncryption": false,
"usbBlocked": false,
"voiceRecordingBlocked": false,
"wiFiBlockAutomaticConnectHotspots": false,
"wiFiBlocked": false,
"wiFiBlockManualConfiguration": false,
"wiFiScanInterval": null,
"wirelessDisplayBlockProjectionToThisDevice": false,
"wirelessDisplayBlockUserInputFromReceiver": false,
"wirelessDisplayRequirePinForPairing": true,
"windowsStoreBlocked": false,
"appsAllowTrustedAppsSideloading": "allowed",
"windowsStoreBlockAutoUpdate": false,
"developerUnlockSetting": "blocked",
"sharedUserAppDataAllowed": true,
"appsBlockWindowsStoreOriginatedApps": false,
"windowsStoreEnablePrivateStoreOnly": true,
"storageRestrictAppDataToSystemVolume": false,
"storageRestrictAppInstallToSystemVolume": false,
"gameDvrBlocked": true,
"experienceBlockDeviceDiscovery": false,
"experienceBlockErrorDialogWhenNoSIM": false,
"experienceBlockTaskSwitcher": false,
"logonBlockFastUserSwitching": true,
"tenantLockdownRequireNetworkDuringOutOfBoxExperience": true,
"appManagementMSIAllowUserControlOverInstall": false,
"appManagementMSIAlwaysInstallWithElevatedPrivileges": false,
"dataProtectionBlockDirectMemoryAccess": true,
"appManagementPackageFamilyNamesToLaunchAfterLogOn": [
],
"uninstallBuiltInApps": false,
"configureTimeZone": null,
"defenderDetectedMalwareActions": {
"lowSeverity": "quarantine",
"moderateSeverity": "quarantine",
"highSeverity": "quarantine",
"severeSeverity": "quarantine"
},
"edgeSearchEngine": {
"@odata.type": "#microsoft.graph.edgeSearchEngine",
"edgeSearchEngineType": "default"
},
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u0027608773ad-12f0-4cb2-be95-5cf34d77b916\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/assignments",
"assignments": [
{
"id": "608773ad-12f0-4cb2-be95-5cf34d77b916_82852fee-f2a0-44cf-b5b8-8db17c72a037",
"source": "direct",
"sourceId": "608773ad-12f0-4cb2-be95-5cf34d77b916",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Enterprise Workstations"
}
}
]
}
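Review bot: The Defender sample-submission intent is stated twice with different values in this profile — `"defenderPromptForSampleSubmission": "sendAllDataWithoutPrompting"` versus `"defenderSubmitSamplesConsentType": "sendSafeSamplesAutomatically"` — so whichever property Intune honours, the other one misstates the baseline; pick one consent level and set both to match. Two settings in the same profile also leave trust boundaries open that a workstation hardening baseline usually closes, `"appsAllowTrustedAppsSideloading": "allowed"` and `"certificatesBlockManualRootCertificateInstallation": false`, which together let a local user install a sideloaded package and add a root CA; if that is deliberate for this solution, say so in the currently empty `"description"`. Note also that `"groupId": "Enterprise Workstations"` is a display name rather than a directory object id, so the import script presumably resolves it by name — confirm the import fails loudly rather than creating an unassigned profile when no group of that name exists in the target tenant.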


@ -0,0 +1,521 @@
{
"@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
"id": "9606034c-0c52-482b-afb0-816f090dec95",
"lastModifiedDateTime": "2020-11-17T16:55:07.2895696Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-17T16:32:40.300804Z",
"description": "",
"displayName": "Enterprise-Config-Win10-Endpoint-Protection-UI",
"version": 3,
"dmaGuardDeviceEnumerationPolicy": "deviceDefault",
"xboxServicesEnableXboxGameSaveTask": false,
"xboxServicesAccessoryManagementServiceStartupMode": "disabled",
"xboxServicesLiveAuthManagerServiceStartupMode": "disabled",
"xboxServicesLiveGameSaveServiceStartupMode": "disabled",
"xboxServicesLiveNetworkingServiceStartupMode": "disabled",
"localSecurityOptionsBlockMicrosoftAccounts": true,
"localSecurityOptionsBlockRemoteLogonWithBlankPassword": true,
"localSecurityOptionsDisableAdministratorAccount": true,
"localSecurityOptionsAdministratorAccountName": null,
"localSecurityOptionsDisableGuestAccount": true,
"localSecurityOptionsGuestAccountName": null,
"localSecurityOptionsAllowUndockWithoutHavingToLogon": true,
"localSecurityOptionsBlockUsersInstallingPrinterDrivers": false,
"localSecurityOptionsBlockRemoteOpticalDriveAccess": true,
"localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser": "administrators",
"localSecurityOptionsMachineInactivityLimit": 5,
"localSecurityOptionsMachineInactivityLimitInMinutes": 5,
"localSecurityOptionsDoNotRequireCtrlAltDel": false,
"localSecurityOptionsHideLastSignedInUser": false,
"localSecurityOptionsHideUsernameAtSignIn": false,
"localSecurityOptionsLogOnMessageTitle": null,
"localSecurityOptionsLogOnMessageText": null,
"localSecurityOptionsAllowPKU2UAuthenticationRequests": true,
"localSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool": false,
"localSecurityOptionsAllowRemoteCallsToSecurityAccountsManager": null,
"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients": "ntlmV2And128BitEncryption",
"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers": "ntlmV2And128BitEncryption",
"lanManagerAuthenticationLevel": "lmNtlmV2AndNotLmOrNtm",
"lanManagerWorkstationDisableInsecureGuestLogons": true,
"localSecurityOptionsClearVirtualMemoryPageFile": false,
"localSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn": false,
"localSecurityOptionsAllowUIAccessApplicationElevation": true,
"localSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations": true,
"localSecurityOptionsOnlyElevateSignedExecutables": true,
"localSecurityOptionsAdministratorElevationPromptBehavior": "promptForCredentialsOnTheSecureDesktop",
"localSecurityOptionsStandardUserElevationPromptBehavior": "promptForCredentialsOnTheSecureDesktop",
"localSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation": false,
"localSecurityOptionsDetectApplicationInstallationsAndPromptForElevation": true,
"localSecurityOptionsAllowUIAccessApplicationsForSecureLocations": false,
"localSecurityOptionsUseAdminApprovalMode": false,
"localSecurityOptionsUseAdminApprovalModeForAdministrators": false,
"localSecurityOptionsInformationShownOnLockScreen": "notConfigured",
"localSecurityOptionsInformationDisplayedOnLockScreen": "notConfigured",
"localSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees": false,
"localSecurityOptionsClientDigitallySignCommunicationsAlways": true,
"localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers": true,
"localSecurityOptionsDisableServerDigitallySignCommunicationsAlways": false,
"localSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees": false,
"localSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares": true,
"localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts": true,
"localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares": true,
"localSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange": true,
"localSecurityOptionsSmartCardRemovalBehavior": "lockWorkstation",
"defenderSecurityCenterDisableAppBrowserUI": false,
"defenderSecurityCenterDisableFamilyUI": true,
"defenderSecurityCenterDisableHealthUI": false,
"defenderSecurityCenterDisableNetworkUI": false,
"defenderSecurityCenterDisableVirusUI": false,
"defenderSecurityCenterDisableAccountUI": false,
"defenderSecurityCenterDisableClearTpmUI": true,
"defenderSecurityCenterDisableHardwareUI": false,
"defenderSecurityCenterDisableNotificationAreaUI": false,
"defenderSecurityCenterDisableRansomwareUI": false,
"defenderSecurityCenterDisableSecureBootUI": false,
"defenderSecurityCenterDisableTroubleshootingUI": false,
"defenderSecurityCenterDisableVulnerableTpmFirmwareUpdateUI": true,
"defenderSecurityCenterOrganizationDisplayName": null,
"defenderSecurityCenterHelpEmail": null,
"defenderSecurityCenterHelpPhone": null,
"defenderSecurityCenterHelpURL": null,
"defenderSecurityCenterNotificationsFromApp": "notConfigured",
"defenderSecurityCenterITContactDisplay": "notConfigured",
"windowsDefenderTamperProtection": "enable",
"firewallBlockStatefulFTP": true,
"firewallIdleTimeoutForSecurityAssociationInSeconds": null,
"firewallPreSharedKeyEncodingMethod": "deviceDefault",
"firewallIPSecExemptionsNone": false,
"firewallIPSecExemptionsAllowNeighborDiscovery": false,
"firewallIPSecExemptionsAllowICMP": false,
"firewallIPSecExemptionsAllowRouterDiscovery": false,
"firewallIPSecExemptionsAllowDHCP": false,
"firewallCertificateRevocationListCheckMethod": "deviceDefault",
"firewallMergeKeyingModuleSettings": false,
"firewallPacketQueueingMethod": "deviceDefault",
"defenderAdobeReaderLaunchChildProcess": "enable",
"defenderAttackSurfaceReductionExcludedPaths": [
],
"defenderOfficeAppsOtherProcessInjectionType": "block",
"defenderOfficeAppsOtherProcessInjection": "enable",
"defenderOfficeCommunicationAppsLaunchChildProcess": "enable",
"defenderOfficeAppsExecutableContentCreationOrLaunchType": "block",
"defenderOfficeAppsExecutableContentCreationOrLaunch": "enable",
"defenderOfficeAppsLaunchChildProcessType": "block",
"defenderOfficeAppsLaunchChildProcess": "enable",
"defenderOfficeMacroCodeAllowWin32ImportsType": "block",
"defenderOfficeMacroCodeAllowWin32Imports": "enable",
"defenderScriptObfuscatedMacroCodeType": "block",
"defenderScriptObfuscatedMacroCode": "enable",
"defenderScriptDownloadedPayloadExecutionType": "block",
"defenderScriptDownloadedPayloadExecution": "enable",
"defenderPreventCredentialStealingType": "enable",
"defenderProcessCreationType": "block",
"defenderProcessCreation": "enable",
"defenderUntrustedUSBProcessType": "block",
"defenderUntrustedUSBProcess": "enable",
"defenderUntrustedExecutableType": "block",
"defenderUntrustedExecutable": "enable",
"defenderEmailContentExecutionType": "block",
"defenderEmailContentExecution": "enable",
"defenderAdvancedRansomewareProtectionType": "enable",
"defenderGuardMyFoldersType": "enable",
"defenderGuardedFoldersAllowedAppPaths": [
],
"defenderAdditionalGuardedFolders": [
],
"defenderNetworkProtectionType": "enable",
"defenderExploitProtectionXml": null,
"defenderExploitProtectionXmlFileName": null,
"defenderSecurityCenterBlockExploitProtectionOverride": true,
"appLockerApplicationControl": "notConfigured",
"deviceGuardLocalSystemAuthorityCredentialGuardSettings": "enableWithUEFILock",
"deviceGuardEnableVirtualizationBasedSecurity": true,
"deviceGuardEnableSecureBootWithDMA": true,
"deviceGuardSecureBootWithDMA": "notConfigured",
"deviceGuardLaunchSystemGuard": "notConfigured",
"smartScreenEnableInShell": true,
"smartScreenBlockOverrideForFiles": true,
"applicationGuardEnabled": false,
"applicationGuardEnabledOptions": "notConfigured",
"applicationGuardBlockFileTransfer": "notConfigured",
"applicationGuardBlockNonEnterpriseContent": false,
"applicationGuardAllowPersistence": false,
"applicationGuardForceAuditing": false,
"applicationGuardBlockClipboardSharing": "notConfigured",
"applicationGuardAllowPrintToPDF": false,
"applicationGuardAllowPrintToXPS": false,
"applicationGuardAllowPrintToLocalPrinters": false,
"applicationGuardAllowPrintToNetworkPrinters": false,
"applicationGuardAllowVirtualGPU": false,
"applicationGuardAllowFileSaveOnHost": false,
"bitLockerAllowStandardUserEncryption": true,
"bitLockerDisableWarningForOtherDiskEncryption": true,
"bitLockerEnableStorageCardEncryptionOnMobile": false,
"bitLockerEncryptDevice": true,
"bitLockerRecoveryPasswordRotation": "enabledForAzureAd",
"defenderDisableScanArchiveFiles": null,
"defenderAllowScanArchiveFiles": null,
"defenderDisableBehaviorMonitoring": null,
"defenderAllowBehaviorMonitoring": null,
"defenderDisableCloudProtection": null,
"defenderAllowCloudProtection": null,
"defenderEnableScanIncomingMail": null,
"defenderEnableScanMappedNetworkDrivesDuringFullScan": null,
"defenderDisableScanRemovableDrivesDuringFullScan": null,
"defenderAllowScanRemovableDrivesDuringFullScan": null,
"defenderDisableScanDownloads": null,
"defenderAllowScanDownloads": null,
"defenderDisableIntrusionPreventionSystem": null,
"defenderAllowIntrusionPreventionSystem": null,
"defenderDisableOnAccessProtection": null,
"defenderAllowOnAccessProtection": null,
"defenderDisableRealTimeMonitoring": null,
"defenderAllowRealTimeMonitoring": null,
"defenderDisableScanNetworkFiles": null,
"defenderAllowScanNetworkFiles": null,
"defenderDisableScanScriptsLoadedInInternetExplorer": null,
"defenderAllowScanScriptsLoadedInInternetExplorer": null,
"defenderBlockEndUserAccess": null,
"defenderAllowEndUserAccess": null,
"defenderScanMaxCpuPercentage": null,
"defenderCheckForSignaturesBeforeRunningScan": null,
"defenderCloudBlockLevel": null,
"defenderCloudExtendedTimeoutInSeconds": null,
"defenderDaysBeforeDeletingQuarantinedMalware": null,
"defenderDisableCatchupFullScan": null,
"defenderDisableCatchupQuickScan": null,
"defenderEnableLowCpuPriority": null,
"defenderFileExtensionsToExclude": [
],
"defenderFilesAndFoldersToExclude": [
],
"defenderProcessesToExclude": [
],
"defenderPotentiallyUnwantedAppAction": null,
"defenderScanDirection": null,
"defenderScanType": null,
"defenderScheduledQuickScanTime": null,
"defenderScheduledScanDay": null,
"defenderScheduledScanTime": null,
"defenderSignatureUpdateIntervalInHours": null,
"defenderSubmitSamplesConsentType": null,
"defenderDetectedMalwareActions": null,
"firewallRules": [
],
"userRightsAccessCredentialManagerAsTrustedCaller": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsAllowAccessFromNetwork": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsBlockAccessFromNetwork": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsActAsPartOfTheOperatingSystem": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLocalLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDenyLocalLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsBackupData": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsChangeSystemTime": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateGlobalObjects": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreatePageFile": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreatePermanentSharedObjects": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateSymbolicLinks": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateToken": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDebugPrograms": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRemoteDesktopServicesLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDelegation": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsGenerateSecurityAudits": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsImpersonateClient": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsIncreaseSchedulingPriority": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLoadUnloadDrivers": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLockMemory": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsManageAuditingAndSecurityLogs": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsManageVolumes": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsModifyFirmwareEnvironment": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsModifyObjectLabels": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsProfileSingleProcess": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRemoteShutdown": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRestoreData": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsTakeOwnership": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"firewallProfileDomain": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": true,
"outboundConnectionsBlocked": false,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"firewallProfilePublic": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": true,
"authorizedApplicationRulesFromGroupPolicyNotMerged": false,
"globalPortRulesFromGroupPolicyMerged": true,
"globalPortRulesFromGroupPolicyNotMerged": false,
"connectionSecurityRulesFromGroupPolicyMerged": true,
"connectionSecurityRulesFromGroupPolicyNotMerged": false,
"outboundConnectionsRequired": true,
"outboundConnectionsBlocked": false,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": true,
"policyRulesFromGroupPolicyNotMerged": false
},
"firewallProfilePrivate": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": true,
"outboundConnectionsBlocked": false,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"bitLockerSystemDrivePolicy": {
"encryptionMethod": "xtsAes128",
"startupAuthenticationRequired": true,
"startupAuthenticationBlockWithoutTpmChip": true,
"startupAuthenticationTpmUsage": "allowed",
"startupAuthenticationTpmPinUsage": "allowed",
"startupAuthenticationTpmKeyUsage": "blocked",
"startupAuthenticationTpmPinAndKeyUsage": "blocked",
"minimumPinLength": 9,
"prebootRecoveryEnableMessageAndUrl": false,
"prebootRecoveryMessage": null,
"prebootRecoveryUrl": null,
"recoveryOptions": {
"blockDataRecoveryAgent": false,
"recoveryPasswordUsage": "allowed",
"recoveryKeyUsage": "blocked",
"hideRecoveryOptions": true,
"enableRecoveryInformationSaveToStore": true,
"recoveryInformationToStore": "passwordAndKey",
"enableBitLockerAfterRecoveryInformationToStore": true
}
},
"bitLockerFixedDrivePolicy": {
"encryptionMethod": "xtsAes128",
"requireEncryptionForWriteAccess": false,
"recoveryOptions": {
"blockDataRecoveryAgent": true,
"recoveryPasswordUsage": "allowed",
"recoveryKeyUsage": "blocked",
"hideRecoveryOptions": true,
"enableRecoveryInformationSaveToStore": true,
"recoveryInformationToStore": "passwordAndKey",
"enableBitLockerAfterRecoveryInformationToStore": true
}
},
"bitLockerRemovableDrivePolicy": {
"encryptionMethod": "aesCbc128",
"requireEncryptionForWriteAccess": true,
"blockCrossOrganizationWriteAccess": true
},
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u00279606034c-0c52-482b-afb0-816f090dec95\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/assignments",
"assignments": [
{
"id": "9606034c-0c52-482b-afb0-816f090dec95_82852fee-f2a0-44cf-b5b8-8db17c72a037",
"source": "direct",
"sourceId": "9606034c-0c52-482b-afb0-816f090dec95",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Enterprise Workstations"
}
}
]
}
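Review bot: Several `localSecurityOptions*` booleans read, by their property names, as enabling insecure behaviour — `"localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers": true`, `"localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares": true`, `"localSecurityOptionsAllowPKU2UAuthenticationRequests": true`, `"localSecurityOptionsAllowUndockWithoutHavingToLogon": true` — while the adjacent `"localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts": true` points the other way. If these values mirror the Intune UI's "Block" toggle they are hardening; if Graph takes them literally they weaken the baseline, and nothing in the export says which. Verify after import by reading the effective policy on a targeted device (for example `secedit /export` on the endpoint, or the profile's settings view in the Intune portal) and record the intended polarity in the currently empty `"description"` so the next importer does not have to guess. The firewall profiles are also asymmetric — domain and private set the `*FromGroupPolicyNotMerged` flags to `true` while public sets the `*Merged` flags to `true` — which looks inverted for a domain-joined baseline; confirm it is intentional.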


@ -0,0 +1,44 @@
{
"@odata.type": "#microsoft.graph.windowsIdentityProtectionConfiguration",
"id": "a8a104c0-bf28-478a-a665-8fb513649406",
"lastModifiedDateTime": "2020-11-17T16:56:18.7871406Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-17T16:32:50.1110084Z",
"description": "",
"displayName": "Enterprise-Config-Win10-Identity-Protection-UI",
"version": 2,
"useSecurityKeyForSignin": true,
"enhancedAntiSpoofingForFacialFeaturesEnabled": true,
"pinMinimumLength": 8,
"pinMaximumLength": 100,
"pinUppercaseCharactersUsage": "blocked",
"pinLowercaseCharactersUsage": "blocked",
"pinSpecialCharactersUsage": "blocked",
"pinExpirationInDays": null,
"pinPreviousBlockCount": null,
"pinRecoveryEnabled": true,
"securityDeviceRequired": true,
"unlockWithBiometricsEnabled": true,
"useCertificatesForOnPremisesAuthEnabled": false,
"windowsHelloForBusinessBlocked": false,
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u0027a8a104c0-bf28-478a-a665-8fb513649406\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/assignments",
"assignments": [
{
"id": "a8a104c0-bf28-478a-a665-8fb513649406_82852fee-f2a0-44cf-b5b8-8db17c72a037",
"source": "direct",
"sourceId": "a8a104c0-bf28-478a-a665-8fb513649406",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Enterprise Workstations"
}
}
]
}
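Review bot: The assignment target on this profile carries `"groupId": "Enterprise Workstations"`, a display name, where the Graph `groupAssignmentTarget` normally carries a group object id, and the exported document still holds the source tenant's `id`, `createdDateTime`, `lastModifiedDateTime` and `assignments@odata.context` values. Presumably the import script resolves the group name and strips the tenant-specific fields before POSTing, but nothing in this file records that contract. A line in the README listing which fields are rewritten or dropped at import time would make these exports safe to edit by hand.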


@ -0,0 +1,83 @@
[
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('06b9c400-f1ed-4046-b8cb-02af3ae8e38d')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('75c20a0b-f76e-4131-892a-1f47dd6534e4')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "2",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('75c20a0b-f76e-4131-892a-1f47dd6534e4')/presentations('6f605b7e-ca35-4f6a-b616-0cf85f5e9580')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('59922037-5107-4eaf-a72f-249a73c08d16')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('6189eace-13bd-435e-b438-2f38495bf9cc')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('1a52c714-6ece-45d2-a8a9-505f97bdec1b')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueList",
"values": [
{
"name": "*",
"value": null
}
],
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('1a52c714-6ece-45d2-a8a9-505f97bdec1b')/presentations('75f2a4b4-fa3d-4acc-bbba-6a120e2ef96e')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('270e643f-a1dd-49eb-8365-8292e9d6c7f7')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('fdfedea9-c9d1-4109-9b59-883cfe2d861a')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "ntlm,negotiate",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('fdfedea9-c9d1-4109-9b59-883cfe2d861a')/presentations('e6b8ffac-8e06-4a30-95c6-cec2dfc1a08f')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('bc6a79f3-77d4-462c-9924-8ea74dc34386')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('ccfd2123-ff05-4680-a4eb-ab2790b6d6ed')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('6f317cd9-3683-476b-adea-b93eb74e07c1')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('7f7e757c-1137-4e59-8cd1-cb51ca6896c0')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "tls1.2",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('7f7e757c-1137-4e59-8cd1-cb51ca6896c0')/presentations('10ecdc74-5985-4f1e-9308-ceadffe422ff')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('f9de5937-2ff5-4c34-a5ec-d0d997787b68')",
"enabled": "true"
}
]
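Review bot: Every entry in this ADMX profile is identified only by a `definition@odata.bind` GUID, so a reviewer cannot tell which Edge policy each object enables, or what the `"ntlm,negotiate"` and `"tls1.2"` presentation values govern, without querying the tenant. JSON cannot carry comments, so a short GUID-to-policy-name table beside the file (or in the README entry that links it) would make the security baseline reviewable. Separately, `"enabled"` is written as the strings `"true"`/`"false"` rather than JSON booleans; if the beta endpoint accepts both that is harmless, but it is worth confirming rather than relying on coercion.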

81
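--- a/ENT/MasterScript-ENT.ps1
+++ b/ENT/MasterScript-ENT.ps1
@@ -0,0 +1,81 @@
+<#
+.COPYRIGHT
+Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
+See LICENSE in the project root for license information.
+#>
+# Determine script location for PowerShell
+$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
+Function Set-AADAuth {
+<#
+.SYNOPSIS
+This function is used to authenticate with the Azure AD interface
+.DESCRIPTION
+The function authenticate with the Azure AD Interface with the tenant name
+.EXAMPLE
+Set-AADAuth
+Authenticates you with the Azure AD interface
+.NOTES
+NAME: Set-AADAuth
+#>
+[cmdletbinding()]
+param
+(
+#[Parameter(Mandatory=$true)]
+$User
+)
+Write-Host "Checking for AzureAD module..."
+$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
+if ($AadModule -eq $null) {
+write-host
+write-host "AzureAD Powershell module not installed..." -f Red
+write-host "Attempting module install now" -f Red
+Install-Module -Name AzureADPreview -AllowClobber -Force
+#write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
+#write-host "Script can't continue..." -f Red
+write-host
+#exit
+}
+Connect-AzureAD -AccountId $user | Out-Null
+}
+####################################################
+$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
+Set-AADAuth -user $user
+####################################################
+write-host "Adding Device Configuration Profiles"
+. $ScriptDir/Import-ENT-DeviceConfiguration.ps1
+Start-Sleep -s 5
+write-host "Adding Device Compliance Policies"
+. $ScriptDir/Import-ENT-DeviceCompliancePolicies.ps1
+Start-Sleep -s 5
+write-host "Adding Edge Browser Policy"
+. $ScriptDir/Import-ENT-DeviceConfigurationADMX.ps1
+Start-Sleep -s 5
+#Write-host "Importing Device Config PowerShell script"
+#. $ScriptDir/Import-SPE-DeviceConfigScript.ps1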
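Review bot: In `Set-AADAuth`, a failed `Install-Module -Name AzureADPreview -AllowClobber -Force` falls straight through to `Connect-AzureAD` because the `exit` after the install attempt is commented out and the module is never re-checked, so the user gets a confusing "command not found" from `Connect-AzureAD` instead of a clear message. `-Force` also suppresses the untrusted-repository prompt, so the script silently installs from whatever repository is registered on the operator's machine; since the README already instructs the user to install the module beforehand, the quieter option is to drop the auto-install and keep the original "Script can't continue" exit. If the auto-install stays, make it fail loudly and verify the result before connecting, as below. The three dot-sourced import scripts then run regardless of whether `Connect-AzureAD` succeeded; `-ErrorAction Stop` on that call (or checking `$?`) would stop the run before any policy import is attempted unauthenticated.
```powershell
if ($null -eq $AadModule) {
    write-host "AzureAD Powershell module not installed..." -f Red
    write-host "Attempting module install now" -f Red
    Install-Module -Name AzureADPreview -AllowClobber -Force -ErrorAction Stop
    $AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
    if ($null -eq $AadModule) {
        write-host "AzureADPreview module still not available, script can't continue..." -f Red
        exit
    }
}
Connect-AzureAD -AccountId $user -ErrorAction Stop | Out-Null
```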

48
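--- a/ENT/Readme.md
+++ b/ENT/Readme.md
@@ -0,0 +1,48 @@
+# Enterprise Profile configuration
+The scripts for configuring the Enterprise security baseline are located in this folder.
+Before the scripts can be run install Azure AD powershell module on your device
+```powershell
+Import-Module AzureAD -force
+```
+and allow scripts to run on your device;
+```powershell
+Set-ExecutionPolicy remotesigned
+```
+[**MasterScript_ENT.PS1**](MasterScript-ENT.ps1) - This script is used to import the Compliance policies, Configuration profiles used to apply the Enterprise Profile settings
+To import the Enterprise Profile configuration settings into your tenant
+Open powershell comsole
+Navigate to ENT folder in Repo
+```powershell
+.\MasterScript-ENT.ps1
+```
+Enter **username** and **password** of an account that has Intune Administrator (preferred) or Global Admin privilege
+Wait for the import process to complete.
+The MasterScript_ENT.ps1 file calls the following scripts to import the Compliance Policies, Configuration Profiles
+[**Import-ENT-DeviceCompliancePolicies.ps1**](Import-ENT-DeviceCompliancePolicies.ps1) - This scripts imports the three device compliance policies for the Enterprise profile. Three policies are used to ensure that Conditional Access does not prevent a user from being able to access resources. Refer to [Windows 10 and later settings to mark devices as compliant or not compliant using Intune](https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows)
+1. [Enterprise Compliance ATP](JSON/DeviceCompliance/ENT-Compliance-ATP.json) policy is used to feed the Threat Intelligence data from Microsoft Defender for Endpoint into the devices compliance state so its signals can be used as part of the Conditional Access evaluation process.
+2. [Enterprise Compliance Delayed](JSON/DeviceCompliance/ENT-Compliance-Delayed.json) policy applies a more complete set of compliance settings to the device but its application is delayed by 24 hours. this is because the device health attestation that is required to assess policies like BitLocker and Secure Boot is only calculated once a device has rebooted and then might take a number of hours to process whether the device is compliant or not.
+3. [ENT-Compliance-Immediate](JSON/DeviceCompliance/ENT-Compliance-Immediate.json) policy is used to apply a minimum level of compliance to users and is configured to apply immediately.
+[**Import-ENT-DeviceConfiguration.ps1**](Import-ENT-DeviceConfiguration.ps1) - this script is used to import the Device Configuration profiles that harden the Operating System. there are five profiles used:
+1. [Enterprise-Config-Win10-Custom-CSP](JSON/DeviceConfiguration/Enterprise-Config-Win10-Custom-CSP_17-11-2020-17-00-43.json) Applies configuration service provider (CSP) settings that are not available in the Endpoint Manager UI, refer to [Configuration service provider reference](https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference) for the complete list of the CSP settings available.
+2. [Enterprise-Config-Win10-Device-Restrictions-UI](JSON/DeviceConfiguration/Enterprise-Config-Win10-Device-Restrictions-UI_17-11-2020-17-00-43.json) applies settings that restrict cloud account use, configure password policy, Microsoft Defender SmartScreen, Microsoft Defender Antivirus. Refer to [Windows 10 (and newer) device settings to allow or restrict features using Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10) for more details of the settings applied using the profile.
+3. [Enterprise-Config-Win10-Endpoint-Protection-UI](JSON/DeviceConfiguration/Enterprise-Config-Win10-Endpoint-Protection-UI_17-11-2020-17-00-43.json) applies settings that are used to protect devices in endpoint protection configuration profiles including BitLocker, Device Guard, Microsoft Defender Firewall, Microsoft Defender Exploit Guard, refer to [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json) for more details of the settings applied using the profile.
+4. [Enterprise-Config-Win10-Identity-Protection-UI](JSON/DeviceConfiguration/Enterprise-Config-Win10-Identity-Protection-UI_17-11-2020-17-00-43.json) applies the Windows Hello for Business settings to devices, refer to [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json) for more details of the settings applied using the profile.
+[**Import-ENT-DeviceConfigurationADMX.ps1**](JSON/DeviceConfigurationADMX/Enterprise-Edge%20Version%2085%20-%20Computer.json) this script is used to import the Device Configuration ADMX Template profile that configures Microsoft Edge security settings.
+1. [Enterprise-Edge Version 85 - Computer](JSON/DeviceConfigurationADMX/Enterprise-Edge%20Version%2085%20-%20Computer.json) applies administrative policies that control features in Microsoft Edge version 77 and later, refer to [Microsoft Edge - Policies](https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies) or more details of the settings applied using the profile.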


@ -0,0 +1,385 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$script:ScriptName = $myInvocation.MyCommand.Name
$script:ScriptName = $scriptName.Substring(0, $scriptName.Length - 4)
$script:LogName = $scriptName + "_" + (Get-Date -UFormat "%d-%m-%Y")
$script:logFile = "$env:Temp\$LogName.log"
Function Start-Log {
param (
[string]$FilePath,
[Parameter(HelpMessage = 'Deletes existing file if used with the -DeleteExistingFile switch')]
[switch]$DeleteExistingFile
)
Try {
If (!(Test-Path $FilePath)) {
## Create the log file
New-Item $FilePath -Type File -Force | Out-Null
}
If ($DeleteExistingFile) {
Remove-Item $FilePath -Force
}
## Set the global variable to be used as the FilePath for all subsequent Write-Log
## calls in this session
$script:ScriptLogFilePath = $FilePath
}
Catch {
Write-Error $_.Exception.Message
}
}
####################################################
Function Write-Log {
#Write-Log -Message 'warning' -LogLevel 2
#Write-Log -Message 'Error' -LogLevel 3
param (
[Parameter(Mandatory = $true)]
[string]$Message,
[Parameter()]
[ValidateSet(1, 2, 3)]
[int]$LogLevel = 1,
[Parameter(HelpMessage = 'Outputs message to Event Log,when used with -WriteEventLog')]
[switch]$WriteEventLog
)
Write-Host
Write-Host $Message
Write-Host
$TimeGenerated = "$(Get-Date -Format HH:mm:ss).$((Get-Date).Millisecond)+000"
$Line = '<![LOG[{0}]LOG]!><time="{1}" date="{2}" component="{3}" context="" type="{4}" thread="" file="">'
$LineFormat = $Message, $TimeGenerated, (Get-Date -Format MM-dd-yyyy), "$($MyInvocation.ScriptName | Split-Path -Leaf):$($MyInvocation.ScriptLineNumber)", $LogLevel
$Line = $Line -f $LineFormat
Add-Content -Value $Line -Path $ScriptLogFilePath
If ($WriteEventLog) { Write-EventLog -LogName $EventLogName -Source $EventLogSource -Message $Message -Id 100 -Category 0 -EntryType Information }
}
Function Is-VM {
<#
.SYNOPSIS
This function checks WMI to determine if the device is a VM
.DESCRIPTION
This function checks WMI to determine if the device is a VM
.EXAMPLE
Is-VM
This function checks WMI to determine if the device is a VM
.NOTES
NAME: Is-VM
#>
[CmdletBinding()]
Param ()
Begin {
Write-Log -Message "$($MyInvocation.InvocationName) function..."
}
Process {
Write-Log -Message "Checking WMI class: Win32_ComputerSystem for string: *virtual*"
Try {
$ComputerSystemInfo = Get-CIMInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
#$ComputerSystemInfo
if ($ComputerSystemInfo.Model -like "*virtual*") {
Write-Log -Message "Virtual string detected"
$True
}
else {
Write-Log -Message "Virtual string not found"
$False
}
}
Catch [Exception] {
Write-Log -Message "Error occurred: $($_.Exception.message)"
Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
}
}
End {
Write-Log -Message "Ending: $($MyInvocation.Mycommand)"
}
}
Start-Log -FilePath $logFile -DeleteExistingFile
Write-Host
Write-Host "Script log file path is [$logFile]" -ForegroundColor Cyan
Write-Host
#region IsVM
If (Is-VM) {
Write-Log -Message "Machine is a VM"
}
Else {
Write-Host "Machine is a physical device"
#Enable Hibernate
Write-Log -Message "Enabling Hibernation"
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/HIBERNATE"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
Try {
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Explorer -Name ShowHibernateOption -Value 1 -PropertyType DWORD -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to apply ShowHibernate regkey: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change hibernate-timeout-ac 300"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate ac timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change hibernate-timeout-dc 30"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate dc timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change standby-timeout-ac 60"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable standby ac timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
Write-Log -Message 'Show Hibernate option in Shutdown Menu'
$registryPath = "HKLM:\Software\Policies\Microsoft\Windows\Explorer"
$regProperties = @{
Name = 'ShowHibernateOption'
Value = '1'
PropertyType = 'DWORD'
ErrorAction = 'Stop'
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished changing registry"
}
}
#endregion IsVM
#region Configure AppLocker DLL rule registry key
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Srp\Gp\DLL\2"
Write-Log -Message "Create registry path: $registryPath"
Try {
$Null = New-Item -Path $registryPath -Force
}
Catch {
Write-Log -Message "Error changing AppLocker DLL rule registry key: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished changing AppLocker DLL rule registry key"
}
#endregion Configure AppLocker DLL rule registry key
#region Configure additional Defender for Endpoint security recommendations that cannot be set in Configuration Profiles
#Handle registry changes
Write-Log -Message "Configuring additional Defender for Endpoint security recommendations that cannot be set in Configuration Profiles"
# Require users to elevate when setting a network's location - prevent changing from Public to Private firewall profile
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name NC_StdDomainUserSetLocation -Value 1 -PropertyType DWORD -Force
Write-Log -Message "Require users to elevate when setting a network's location - prevent changing from Public to Private firewall profile registry update successfully applied"
# Prevent saving of network credentials
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DisableDomainCreds -Value 1 -PropertyType DWORD -Force
Write-Log -Message "Prevent saving of network credentials registry update successfully applied"
# Prevent changing proxy config
#region Disable Network Location Wizard - prevents users from setting network location as Private and therefore increasing the attack surface exposed in Windows Firewall
#region Disable Network Location Wizard
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Network"
$regProperties = @{
Name = "NewNetworkWindowOff"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Host "Finished Disable Network Location Wizard in registry"
}
#endregion Disable Network Location Wizard
#region Remove Powershell 2.0
try {
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop
Write-Log -Message "Removed Powershell v2.0"
}
catch {
Write-Log -Message "Error occurred trying to remove Powershell v2.0: $($_.Exception.message)"
}
#endregion Remove Powershell 2.0
#region Remove WorkFolders-Client
try {
Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -ErrorAction Stop
Write-Log -Message "Removed WorkFolders"
}
catch {
Write-Log -Message "Failed to remove WorkFolders"
Write-Log -Message "Error occurred trying to remove Powershell v2.0: $($_.Exception.message)"
}
#endregion Remove WorkFolders-Client
#region Remove XPS Printing
try {
Disable-WindowsOptionalFeature -Online -FeatureName Printing-XPSServices-Features -ErrorAction Stop
Write-Log -Message "Removed XPS Printing"
}
catch {
Write-Log -Message "Error occurred trying to remove XPS Printing: $($_.Exception.message)"
}
#endregion Remove XPS Printing
#region Remove WindowsMediaPlayer
try {
Disable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -ErrorAction Stop
Write-Log -Message "Removed Windows Media Player"
}
catch {
Write-Log -Message "Error occurred trying to remove Windows Media Player: $($_.Exception.message)"
}
#endregion Remove WindowsMediaPlayer
#region RegistryChanges - Set W32Time Parameter Type to NTP
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
$regProperties = @{
Name = "Type"
Value = "NTP"
PropertyType = "String"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
Write-Log -Message "Updated Set W32Time Parameter Type to NTP in registry"
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished Set W32Time Parameter Type to NTP"
}
#endregion RegistryChanges - Set W32Time Parameter Type to NTP
#region RegistryChanges - Set Auto Time Sync Service to Automatic start
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate"
$regProperties = @{
Name = "Start"
Value = "3"
PropertyType = "DWORD"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
Write-Log -Message "Set Auto Time Sync Service to Automatic start in registry"
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Set Auto Time Sync Service to Automatic start"
}
#endregion RegistryChanges - Set Auto Time Sync Service to Automatic start
#region Remove Internet Explorer 11
<#try {
Disable-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64 -NoRestart #-ErrorAction Stop
Write-Log -Message "Removed Internet Explorer 11"
}
catch {
Write-Log -Message "Error occurred trying to remove Internet Explorer 11: $($_.Exception.message)"
}
Finally {
Write-Log -Message "Finished removing Internet Explorer"
}#>
#endregion Remove Internet Explorer 11
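Review bot: The two `New-ItemProperty` calls in the "additional Defender for Endpoint security recommendations" region (`NC_StdDomainUserSetLocation` and `DisableDomainCreds`) run with no `Try`/`Catch` and no `-ErrorAction Stop`, yet the `Write-Log` after each unconditionally reports the update as "successfully applied", so a failed hardening write (for example because `HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections` does not exist yet, which `-Force` does not create) is logged as success; every other registry region in the file wraps its write and handles `ItemNotFoundException` by creating the key first, so these two should follow the same pattern, as below. Two smaller points in the same file: the WorkFolders `catch` logs `"Error occurred trying to remove Powershell v2.0: …"` (copy-paste from the region above, should name WorkFolders), and the hibernate block assigns the automatic variable `$args` four times — a local such as `$powerCfgArgs` avoids shadowing it. The `ShowHibernateOption` value is also written twice, once without `-Force` and again with the splatted `$regProperties`; the first write will throw "already exists" on re-runs and can be dropped.
```powershell
# Require users to elevate when setting a network's location - prevent changing from Public to Private firewall profile
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections"
Try {
    $Null = New-ItemProperty -Path $registryPath -Name NC_StdDomainUserSetLocation -Value 1 -PropertyType DWORD -Force -ErrorAction Stop
    Write-Log -Message "Require users to elevate when setting a network's location - prevent changing from Public to Private firewall profile registry update successfully applied"
}
Catch [System.Management.Automation.ItemNotFoundException] {
    Write-Log -Message "Error: $registryPath path not found, attempting to create..."
    $Null = New-Item -Path $registryPath -Force
    $Null = New-ItemProperty -Path $registryPath -Name NC_StdDomainUserSetLocation -Value 1 -PropertyType DWORD -Force
}
Catch {
    Write-Log -Message "Error setting NC_StdDomainUserSetLocation: $($_.Exception.message)"
}
# Prevent saving of network credentials
Try {
    $Null = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DisableDomainCreds -Value 1 -PropertyType DWORD -Force -ErrorAction Stop
    Write-Log -Message "Prevent saving of network credentials registry update successfully applied"
}
Catch {
    Write-Log -Message "Error setting DisableDomainCreds: $($_.Exception.message)"
}
# … unchanged: Disable Network Location Wizard region and the feature removals …
```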


@ -1,5 +1,7 @@
# Secure Workstation configuration and policy baselines for Microsoft Intune and Windows RS5
# LEGACY V1 - Secure Workstation configuration and policy baselines for Microsoft Intune and Windows RS5
**Content of this folder is provided as solution history...**
Supporting document - https://aka.ms/securedworkstation


@ -0,0 +1,503 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\Scripts\PAW-DeviceConfig.ps1"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory = $true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureADPreview module..."
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if ($AadModule.count -gt 1) {
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if ($AadModule.count -gt 1) {
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result
# If the accesstoken is valid then create the authentication header
if ($authResult.AccessToken) {
# Creating header for Authorization token
$authHeader = @{
'Content-Type' = 'application/json'
'Authorization' = "Bearer " + $authResult.AccessToken
'ExpiresOn' = $authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceManagementScript() {
<#
.SYNOPSIS
This function is used to add a device management script using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device management script
.EXAMPLE
Add-DeviceManagementScript -File "path to powershell-script file"
Adds a device management script from a File in Intune
Add-DeviceManagementScript -File "URL to powershell-script file" -URL
Adds a device management script from a URL in Intune
.NOTES
NAME: Add-DeviceManagementScript
#>
[cmdletbinding()]
Param (
# Path or URL to Powershell-script to add to Intune
[Parameter(Mandatory = $true)]
[string]$File,
# PowerShell description in Intune
[Parameter(Mandatory = $false)]
[string]$Description,
# Set to true if it is a URL
[Parameter(Mandatory = $false)]
[switch][bool]$URL = $false
)
if ($URL -eq $true) {
$FileName = $File -split "/"
$FileName = $FileName[-1]
$OutFile = "$env:TEMP\$FileName"
try {
Invoke-WebRequest -Uri $File -UseBasicParsing -OutFile $OutFile
}
catch {
Write-Host "Could not download file from URL: $File" -ForegroundColor Red
break
}
$File = $OutFile
if (!(Test-Path $File)) {
Write-Host "$File could not be located." -ForegroundColor Red
break
}
}
elseif ($URL -eq $false) {
if (!(Test-Path $File)) {
Write-Host "$File could not be located." -ForegroundColor Red
break
}
$FileName = Get-Item $File | Select-Object -ExpandProperty Name
}
$B64File = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("$File"));
if ($URL -eq $true) {
Remove-Item $File -Force
}
$JSON = @"
{
"@odata.type": "#microsoft.graph.deviceManagementScript",
"displayName": "$FileName",
"description": "$Description",
"runSchedule": {
"@odata.type": "microsoft.graph.runSchedule"
},
"scriptContent": "$B64File",
"runAsAccount": "system",
"enforceSignatureCheck": "false",
"fileName": "$FileName"
"runAs32Bit": "true"
}
"@
$graphApiVersion = "Beta"
$DMS_resource = "deviceManagement/deviceManagementScripts"
Write-Verbose "Resource: $DMS_resource"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$DMS_resource"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceManagementScriptAssignment() {
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ScriptId,
$TargetGroupId
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts/$ScriptId/assign"
try {
if (!$ScriptId) {
write-host "No Script Policy Id specified, specify a valid Script Policy Id" -f Red
break
}
if (!$TargetGroupId) {
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
$JSON = @"
{
"deviceManagementScriptGroupAssignments": [
{
"@odata.type": "#microsoft.graph.deviceManagementScriptGroupAssignment",
"targetGroupId": "$TargetGroupId",
"id": "$ScriptId"
}
]
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup() {
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
try {
if ($id) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif ($GroupName -eq "" -or $GroupName -eq $null) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if (!$Members) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif ($Members) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if ($Group) {
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if ($global:authToken) {
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if ($TokenExpires -le 0) {
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if ($User -eq $null -or $User -eq "") {
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if ($User -eq $null -or $User -eq "") {
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Setting application AAD Group to assign PowerShell scripts
#$AADGroup = Read-Host -Prompt "Enter the Azure AD Group name where PowerShell scripts will be assigned"
$AADGroup = "Privileged Workstations"
$TargetGroupId = (Get-AADGroup -GroupName "$AADGroup").id
if ($TargetGroupId -eq $null -or $TargetGroupId -eq "") {
Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
Write-Host
exit
}
####################################################
Write-Host "Adding Device Configuration Script from " $ImportPath -ForegroundColor Green
$Create_Local_Script = Add-DeviceManagementScript -File $ImportPath -Description "PAW Device Config script"
Write-Host "Device Management Script created as" $Create_Local_Script.id
write-host
write-host "Assigning Device Management Script to AAD Group '$AADGroup'" -f Cyan
$Assign_Local_Script = Add-DeviceManagementScriptAssignment -ScriptId $Create_Local_Script.id -TargetGroupId $TargetGroupId
Write-Host "Assigned '$AADGroup' to $($Create_Local_Script.displayName)/$($Create_Local_Script.id)"
Write-Host


@ -0,0 +1,635 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceCompliance"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if($AadModule.count -gt 1){
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if($AadModule.count -gt 1){
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceCompliancePolicy(){
<#
.SYNOPSIS
This function is used to add a device compliance policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device compliance policy
.EXAMPLE
Add-DeviceCompliancePolicy -JSON $JSON
Adds an iOS device compliance policy in Intune
.NOTES
NAME: Add-DeviceCompliancePolicy
#>
[cmdletbinding()]
param
(
$JSON
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceCompliancePolicies"
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the iOS Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-DeviceCompliancePolicy(){
<#
.SYNOPSIS
This function is used to get device compliance policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device compliance policies
.EXAMPLE
Get-DeviceCompliancePolicy
Returns any device compliance policies configured in Intune
.EXAMPLE
Get-DeviceCompliancePolicy -Name
Returns any device compliance policies with specific display name
.NOTES
NAME: Get-DeviceCompliancePolicy
#>
[cmdletbinding()]
param
(
$Name
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceCompliancePolicies"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'@odata.type').contains("windows10CompliancePolicy") -and ($_.'displayName').contains($Name) }
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceCompliancePolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device compliance policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device compliance policy assignment
.EXAMPLE
Add-DeviceCompliancePolicyAssignment -ComplianceAssignments $ComplianceAssignments -CompliancePolicyId $CompliancePolicyId
Adds a device compliance policy assignment in Intune
.NOTES
NAME: Add-DeviceCompliancePolicyAssignment
#>
[cmdletbinding()]
param
(
$CompliancePolicyId,
$ComplianceAssignments
)
$graphApiVersion = "v1.0"
$Resource = "deviceManagement/deviceCompliancePolicies/$CompliancePolicyId/assign"
try {
if(!$CompliancePolicyId){
write-host "No Compliance Policy Id specified, specify a valid Compliance Policy Id" -f Red
break
}
if(!$ComplianceAssignments){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
$JSON = @"
{
"Assignments": [
$ComplianceAssignments
]
}
"@
Write-Output $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON(){
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
Foreach-object {
$JSON_Data = Get-Content $_.FullName | where { $_ -notmatch "scheduledActionConfigurations@odata.context"}
# Excluding entries that are not required - id,createdDateTime,lastModifiedDateTime,version
$JSON_Convert = $JSON_Data | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty id,createdDateTime,lastModifiedDateTime,scheduledActionsForRule@odata.context
$DisplayName = $JSON_Convert.displayName
$DuplicateDCP = Get-DeviceCompliancePolicy -Name $JSON_Convert.displayName
#write-host $DuplicateCA
If ($DuplicateDCP -eq $null) {
$JSON_Output = $JSON_Convert | ConvertTo-Json -Depth 10
# Adding Scheduled Actions Rule to JSON
#$scheduledActionsForRule = '"scheduledActionsForRule":[{"ruleName":"PasswordRequired","scheduledActionConfigurations":[{"actionType":"block","gracePeriodHours":0,"notificationTemplateId":"","notificationMessageCCList":[]}]}]'
#$JSON_Output = $JSON_Output.trimend("}")
#$JSON_Output = $JSON_Output.TrimEnd() + "," + "`r`n"
# Joining the JSON together
#$JSON_Output = $JSON_Output + $scheduledActionsForRule + "`r`n" + "}"
write-host
write-host "Device Configuration Policy '$DisplayName' Found..." -ForegroundColor Yellow
write-host
$JSON_Output
write-host
Write-Host "Adding Device Configuration Policy '$DisplayName'" -ForegroundColor Yellow
Add-DeviceCompliancePolicy -JSON $JSON_Output
$DCPProfile = Get-DeviceCompliancePolicy -name $DisplayName
$CompliancePolicyId = $DCPProfile.id
Write-Host "Device Configuration Policy ID '$CompliancePolicyId'" -ForegroundColor Yellow
Write-Host
$AADGroups = $JSON_Convert.assignments.target
$ComplianceAssignments = @()
foreach ($AADGroup in $AADGroups )
{
Write-Host "AAD Group Name:" $AADGroup.groupId -ForegroundColor Yellow
Write-Host "Assignment Type:" $AADGroup."@OData.type" -ForegroundColor Yellow
$TargetGroupId = (Get-AADGroup -GroupName $AADGroup.groupid)
$TargetGroupId = $TargetGroupId.id
Write-Host "Included Group ID:" $TargetGroupID -ForegroundColor Yellow
$Assignment = $AADGroup."@OData.type"
$GroupAdd = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
},
"@
$ComplianceAssignments += $GroupAdd
}
Add-DeviceCompliancePolicyAssignment -ComplianceAssignments $ComplianceAssignments -CompliancePolicyId $CompliancePolicyId
}
else
{
write-host "Device Compliance Policy:" $JSON_Convert.displayName "has already been created" -ForegroundColor Yellow
}
}
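Review bot: `$TargetGroupId` is interpolated into the `$GroupAdd` assignment body without checking that the lookup returned exactly one group; `Get-AADGroup -GroupName` filters on `displayName`, which is not unique in Azure AD, so a missing or duplicated name yields `"groupId": ""` or a space-joined list of ids in the posted assignment. After `$TargetGroupId = $TargetGroupId.id` add `if (-not $TargetGroupId -or @($TargetGroupId).Count -ne 1) { Write-Host "Group '$($AADGroup.groupId)' did not resolve to exactly one AAD group" -f Red; return }`, which leaves the just-created policy unassigned for manual review instead of assigning it to an unintended target. The same unvalidated `(Get-AADGroup -GroupName $AADGroup.groupid)` lookup appears in the DeviceConfiguration script's assignment loop. Separately, each `$GroupAdd` fragment ends with `},`, so the `Assignments` array built in `Add-DeviceCompliancePolicyAssignment` carries a trailing comma and is never passed through `Test-JSON`; dropping the comma from the fragment and emitting `$($ComplianceAssignments -join ",")` in the here-string produces strictly valid JSON.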


@ -0,0 +1,675 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceConfiguration"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if($AadModule.count -gt 1){
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if($AadModule.count -gt 1){
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceConfigurationPolicy(){
<#
.SYNOPSIS
This function is used to add an device configuration policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy
.EXAMPLE
Add-DeviceConfigurationPolicy -JSON $JSON
Adds a device configuration policy in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$JSON
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
Write-Verbose "Resource: $DCP_resource"
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the Android Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceConfigurationPolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ConfigurationPolicyId,
$TargetGroupId,
$Assignment
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceConfigurations/$ConfigurationPolicyId/assignments"
try {
if(!$ConfigurationPolicyId){
write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
break
}
if(!$TargetGroupId){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
if(!$Assignment){
write-host "No Assignment Type specified, specify a valid Assignment Type" -f Red
break
}
$ConfPolAssign = "$ConfigurationPolicyId" + "_" + "$TargetGroupId"
$JSON = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-DeviceConfigurationPolicy(){
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$name
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
try {
if($Name){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'displayName').contains("$Name") }
}
else {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON(){
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Setting application AAD Group to assign Policy
#$AADGroup = Read-Host -Prompt "Enter the Azure AD Group name where policies will be assigned"
#$TargetGroupId = (Get-AADGroup | Where-Object {$_.displayName -eq $AADGroup}).id
#
# if($TargetGroupId -eq $null -or $TargetGroupId -eq ""){
#
# Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
# Write-Host
# exit
# }
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
Foreach-object {
$JSON_Data = Get-Content $_.FullName
# Excluding entries that are not required - id,createdDateTime,lastModifiedDateTime,version
$JSON_Convert = $JSON_Data | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty id,createdDateTime,lastModifiedDateTime,version,supportsScopeTags
$DisplayName = $JSON_Convert.displayName
$DuplicateDCP = Get-DeviceConfigurationPolicy -Name $JSON_Convert.displayName
If ($DuplicateDCP -eq $null)
{
$JSON_Output = $JSON_Convert | ConvertTo-Json -Depth 5
write-host
write-host "Device Configuration Policy '$DisplayName' Found..." -ForegroundColor Yellow
write-host
$JSON_Output
write-host
Write-Host "Adding Device Configuration Policy '$DisplayName'" -ForegroundColor Yellow
Add-DeviceConfigurationPolicy -JSON $JSON_Output
$DeviceConfigs = Get-DeviceConfigurationPolicy -name $DisplayName
$DeviceConfigID = $DeviceConfigs.id
Write-Host "Device ConfigID '$DeviceConfigID'" -ForegroundColor Yellow
Write-Host
$AADGroups = $JSON_Convert.assignments.target
foreach ($AADGroup in $AADGroups )
{
Write-Host "AAD Group Name:" $AADGroup.groupId -ForegroundColor Yellow
Write-Host "Assignment Type:" $AADGroup."@OData.type" -ForegroundColor Yellow
$TargetGroupId = (Get-AADGroup -GroupName $AADGroup.groupid)
Write-Host "Included Group ID:" $TargetGroupID.Id -ForegroundColor Yellow
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $TargetGroupId.id -Assignment $AADGroup."@OData.type"
}
# Create exclude Group
<#$ShortName = $JSON_Convert.displayName -replace "PAW-Global-2009-Intune-Configuration-", ''
$ExcludeGroup = "PAW-"+$ShortName+"-Exclude-Device"
If (Get-AzureADGroup -SearchString $ExcludeGroup) {
Write-Host
Write-Host "AAD group" $ExcludeGroup "already exists!" -f Yellow
Write-Host
}
Else {
$MailNickName = $ShortName+"-G"
try
{
$ExcludeTargetGroup = New-AzureADGroup -DisplayName $ExcludeGroup -Description $ExcludeGroup"-Group" -MailEnabled $false -SecurityEnabled $true -MailNickName $MailNickName
sleep 5
}
catch
{
Write-Host
Write-Host "Error creating AAD group" $ExcludeGroup -f Red
Write-Host
}
}
Write-Host "Excluded Group ID" $ExcludeTargetGroup.objectid
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $ExcludeTargetGroup.objectid -Assignment "exclusionGroupAssignmentTarget"
#>
}
else
{
write-host "Device Configuration Profile:" $JSON_Convert.displayName "has already been created" -ForegroundColor Yellow
}
}
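Review bot: The duplicate check in `Get-DeviceConfigurationPolicy` uses `($_.'displayName').contains("$Name")`, a substring match, so a profile whose name is a prefix of an already-deployed profile is reported as "has already been created" and silently skipped, and `$DeviceConfigs.id` can resolve to several ids when more than one existing name contains `$Name`. Compare exactly instead: `Where-Object { $_.displayName -eq $Name }`. `Get-DeviceCompliancePolicy` in the DeviceCompliance script has the same `.contains($Name)` match and the same fix applies. In `Add-DeviceConfigurationPolicyAssignment`, `$ConfPolAssign` is assigned and never read and can be removed.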


@ -0,0 +1,714 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
param (
#Change Conditional Access State, default is disabled
#Options: enabled, disabled, enabledForReportingButNotEnforced
[String]$AADGroup = "Privileged Workstations"
)
#$AADGroup = "PAW-Global-Devices"
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceConfigurationADMX"
function Get-AuthToken
{
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory = $true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null)
{
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null)
{
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if ($AadModule.count -gt 1)
{
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if ($AadModule.count -gt 1)
{
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else
{
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try
{
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result
# If the accesstoken is valid then create the authentication header
if ($authResult.AccessToken)
{
# Creating header for Authorization token
$authHeader = @{
'Content-Type' = 'application/json'
'Authorization' = "Bearer " + $authResult.AccessToken
'ExpiresOn' = $authResult.ExpiresOn
}
return $authHeader
}
else
{
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch
{
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Create-GroupPolicyConfigurations()
{
<#
.SYNOPSIS
This function is used to add an device configuration policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy
.EXAMPLE
Add-DeviceConfigurationPolicy -JSON $JSON
Adds a device configuration policy in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$DisplayName
)
$jsonCode = @"
{
"description":"",
"displayName":"$($DisplayName)"
}
"@
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations"
Write-Verbose "Resource: $DCP_resource"
try
{
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
$responseBody = Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $jsonCode -ContentType "application/json"
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
$responseBody.id
}
Function Create-GroupPolicyConfigurationsDefinitionValues()
{
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-GroupPolicyConfigurations
#>
[cmdletbinding()]
Param (
[string]$GroupPolicyConfigurationID,
$JSON
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations/$($GroupPolicyConfigurationID)/definitionValues"
write-host $DCP_resource
try
{
if ($JSON -eq "" -or $JSON -eq $null)
{
write-host "No JSON specified, please specify valid JSON for the Device Configuration Policy..." -f Red
}
else
{
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-GroupPolicyConfigurations()
{
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-GroupPolicyConfigurations
#>
[cmdletbinding()]
param
(
$name
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations"
try
{
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'displayName') -eq ("$Name") }
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-GroupPolicyConfigurationPolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ConfigurationPolicyId,
$TargetGroupId,
$Assignment
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/groupPolicyConfigurations/$ConfigurationPolicyId/assignments"
try {
if(!$ConfigurationPolicyId){
write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
break
}
if(!$TargetGroupId){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
if(!$Assignment){
write-host "No Assignment Type specified, specify a valid Assignment Type" -f Red
break
}
# $ConfPolAssign = "$ConfigurationPolicyId" + "_" + "$TargetGroupId"
$JSON = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON()
{
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try
{
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch
{
$validJson = $false
$_.Exception
}
if (!$validJson)
{
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if ($global:authToken)
{
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if ($TokenExpires -le 0)
{
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if ($User -eq $null -or $User -eq "")
{
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else
{
if ($User -eq $null -or $User -eq "")
{
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
$TargetGroupId = (Get-AADGroup | Where-Object {$_.displayName -eq $AADGroup}).id
if($TargetGroupId -eq $null -or $TargetGroupId -eq ""){
Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
Write-Host
exit
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
ForEach-Object {
$Policy_Name = $_.Name
$Policy_Name = $Policy_Name.Substring(0,$Policy_Name.Length-5)
$DuplicateDCP = Get-GroupPolicyConfigurations -Name $Policy_Name
If ($DuplicateDCP -eq $null)
{
$GroupPolicyConfigurationID = Create-GroupPolicyConfigurations -DisplayName $Policy_Name
$JSON_Data = Get-Content $_.FullName
$JSON_Convert = $JSON_Data | ConvertFrom-Json
$JSON_Convert | ForEach-Object { $_
$JSON_Output = Convertto-Json -Depth 5 $_
Write-Host $JSON_Output
Create-GroupPolicyConfigurationsDefinitionValues -JSON $JSON_Output -GroupPolicyConfigurationID $GroupPolicyConfigurationID
}
Write-Host "####################################################################################################" -ForegroundColor Green
Write-Host "Policy: " $Policy_Name "created" -ForegroundColor Green
Write-Host "####################################################################################################" -ForegroundColor Green
$DeviceConfigs = Get-GroupPolicyConfigurations -name $Policy_Name
$DeviceConfigID = $DeviceConfigs.id
Add-GroupPolicyConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $TargetGroupId -Assignment "groupAssignmentTarget"
}
else
{
write-host "Device Configuration ADMX Profile:" $Policy_Name "has already been created" -ForegroundColor Yellow
}
}
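Review bot: The request bodies in Create-GroupPolicyConfigurations and Add-GroupPolicyConfigurationPolicyAssignment are assembled by interpolating values into here-strings (`"displayName":"$($DisplayName)"`, `"groupId": "$TargetGroupId"`), and `$DisplayName` is derived straight from the JSON file name in the import loop, so a file name containing `"` or `\` yields an invalid body that the Test-JSON guard used by the definition-values function never sees; build the object and serialize it instead, e.g. `$jsonCode = @{ description = ''; displayName = $DisplayName } | ConvertTo-Json -Compress`. The target-group lookup in the main script calls Get-AADGroup with no arguments and filters the full groups collection client-side, and neither that call nor Get-GroupPolicyConfigurations reads anything beyond `.Value` of the first response, so if the tenant returns more groups or configurations than one page holds the script can exit claiming the group does not exist or, worse, pass the `$DuplicateDCP -eq $null` check and create a second copy of an existing policy — Get-AADGroup already supports `-GroupName`, which pushes the displayName filter to the server and removes the first risk. The comment above the `$AADGroup` parameter still describes a Conditional Access state option ("enabled, disabled, enabledForReportingButNotEnforced"), and the comment-based help on Create-GroupPolicyConfigurations (.EXAMPLE and .NOTES) names Add-DeviceConfigurationPolicy; both should describe the thing they annotate, e.g. `# Display name of the AAD group the imported ADMX profiles are assigned to`. The catch blocks also rely on `$ex.Response.GetResponseStream()`, which exists on the WebException raised by Windows PowerShell but, as far as I know, not on the HttpResponseException surfaced by PowerShell 7, where the error handler itself would fail before reporting the status; if Windows PowerShell 5.1 is the only supported host, a `#Requires -PSEdition Desktop` line or a header note would make that explicit.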


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"createdDateTime": "2020-11-30T15:27:50.8972649Z",
"description": "Defender ATP-specific compliance settings to apply after 24 hours\n",
"lastModifiedDateTime": "2020-11-30T15:27:50.8972649Z",
"displayName": "PAW-Compliance-ATP",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": false,
"secureBootEnabled": false,
"codeIntegrityEnabled": false,
"storageRequireEncryption": false,
"activeFirewallRequired": false,
"defenderEnabled": false,
"defenderVersion": null,
"signatureOutOfDate": false,
"rtpEnabled": false,
"antivirusRequired": false,
"antiSpywareRequired": false,
"deviceThreatProtectionEnabled": true,
"deviceThreatProtectionRequiredSecurityLevel": "secured",
"configurationManagerComplianceRequired": false,
"tpmRequired": false,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u0027a8994b69-5205-4614-ae3e-150c2d4f2c5d\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u0027a8994b69-5205-4614-ae3e-150c2d4f2c5d\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "44bd1593-f79a-4a98-8acf-f20b496c621d",
"gracePeriodHours": 24,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}
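Review bot: The `scheduledActionConfigurations@odata.context` value in this file repeats the `/microsoft.graph.windows10CompliancePolicy` segment six times, and the two sibling compliance files in this commit show the same artifact with two and four repeats, which reads as a cumulative export/re-export defect rather than a meaningful context URL; since the annotation is informational, dropping the key from the checked-in files avoids round-tripping a corrupted value. The file also carries server-generated fields (`id`, `createdDateTime`, `lastModifiedDateTime`, `version`, and each assignment's `id` and `sourceId`) whose fate depends on what the importer strips before POSTing, which is not visible here; either remove those keys from the committed JSON or state in a README next to these files that the importer discards them. The `groupId` values are display names ("Emergency Breakglass", "Privileged Workstation Users") that the compliance importer visible earlier in this commit resolves with `Get-AADGroup -GroupName`, so if more than one group in the tenant shares a name the resolved id is ambiguous; a one-line note documenting that resolution rule, and that the exclusion group must exist before import, would help whoever adapts these files.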


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"createdDateTime": "2020-11-30T15:27:52.1330905Z",
"description": "Intune compliance settings to apply after 24 hours\n",
"lastModifiedDateTime": "2020-11-30T15:27:52.1330905Z",
"displayName": "PAW-Compliance-Delayed",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": true,
"secureBootEnabled": true,
"codeIntegrityEnabled": true,
"storageRequireEncryption": false,
"activeFirewallRequired": true,
"defenderEnabled": true,
"defenderVersion": null,
"signatureOutOfDate": true,
"rtpEnabled": true,
"antivirusRequired": true,
"antiSpywareRequired": true,
"deviceThreatProtectionEnabled": false,
"deviceThreatProtectionRequiredSecurityLevel": "unavailable",
"configurationManagerComplianceRequired": false,
"tpmRequired": true,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u0027070e9f28-9bf1-41cc-b5bb-77229343d3b9\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u0027070e9f28-9bf1-41cc-b5bb-77229343d3b9\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "cab389d9-845f-4d0a-a9cd-e64abbcbd859",
"gracePeriodHours": 24,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"createdDateTime": "2020-11-30T15:27:53.2888215Z",
"description": "Intune compliance settings to apply immediately\n",
"lastModifiedDateTime": "2020-11-30T15:27:53.2888215Z",
"displayName": "PAW-Compliance-Immediate",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": false,
"secureBootEnabled": false,
"codeIntegrityEnabled": false,
"storageRequireEncryption": false,
"activeFirewallRequired": false,
"defenderEnabled": true,
"defenderVersion": null,
"signatureOutOfDate": false,
"rtpEnabled": true,
"antivirusRequired": true,
"antiSpywareRequired": false,
"deviceThreatProtectionEnabled": false,
"deviceThreatProtectionRequiredSecurityLevel": "unavailable",
"configurationManagerComplianceRequired": false,
"tpmRequired": false,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u002756454fb5-78ae-4489-a4de-c60aeeb4bb8b\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u002756454fb5-78ae-4489-a4de-c60aeeb4bb8b\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "59ae4e45-6495-4d33-b943-1bb01554bc6f",
"gracePeriodHours": 0,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}



@ -0,0 +1,497 @@
{
"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
"id": "b1c0ca02-47f4-48b4-ae4c-1a6e4c060f6c",
"lastModifiedDateTime": "2020-11-25T05:34:32.8509909Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-16T17:58:05.7350473Z",
"description": "",
"displayName": "PAW-Win10-Config-Custom-CSP",
"version": 6,
"omaSettings": [
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "NetworkIsolation/EnterpriseProxyServersAreAuthoritative",
"description": "EnterpriseProxyServersAreAuthoritative",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServersAreAuthoritative",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "NetworkIsolation/EnterpriseIPRangesAreAuthoritative",
"description": "EnterpriseIPRangesAreAuthoritative",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRangesAreAuthoritative",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Search/AllowIndexingEncryptedStoresOrItems",
"description": "AllowIndexingEncryptedStoresOrItems",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Search/AllowIndexingEncryptedStoresOrItems",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "LanmanWorkstation/EnableInsecureGuestLogons",
"description": "EnableInsecureGuestLogons",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Games/AllowAdvancedGamingServices",
"description": "AllowAdvancedGamingServices",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "ControlPolicyConflict/MDMWinsOverGP",
"description": "MDMWinsOverGP",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "SystemServices/ConfigureHomeGroupListenerServiceStartupMode",
"description": "ConfigureHomeGroupListenerServiceStartupMode",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupListenerServiceStartupMode",
"isEncrypted": false,
"value": 4,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "SystemServices/ConfigureHomeGroupProviderServiceStartupMode",
"description": "ConfigureHomeGroupProviderServiceStartupMode",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupProviderServiceStartupMode",
"isEncrypted": false,
"value": 4,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "ErrorReporting/DisableWindowsErrorReporting",
"description": "DisableWindowsErrorReporting",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting",
"isEncrypted": false,
"value": " \u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/AllowStandbyWhenSleepingPluggedIn",
"description": "AllowStandbyWhenSleepingPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/AllowStandbyWhenSleepingPluggedIn",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/RequirePasswordWhenComputerWakesOnBattery",
"description": "RequirePasswordWhenComputerWakesOnBattery",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesOnBattery",
"isEncrypted": false,
"value": " \u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/RequirePasswordWhenComputerWakesPluggedIn",
"description": "RequirePasswordWhenComputerWakesPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteAssistance/SolicitedRemoteAssistance",
"description": "SolicitedRemoteAssistance",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SolicitedRemoteAssistance",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "AutoPlay/DisallowAutoplayForNonVolumeDevices",
"description": "DisallowAutoplayForNonVolumeDevices",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/AutoPlay/DisallowAutoplayForNonVolumeDevices",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/DoNotAllowDriveRedirection",
"description": "DoNotAllowDriveRedirection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/PromptForPasswordUponConnection",
"description": "PromptForPasswordUponConnection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/RequireSecureRPCCommunication",
"description": "RequireSecureRPCCommunication",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "DeviceLock/PreventLockScreenSlideShow",
"description": "PreventLockScreenSlideShow",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection",
"description": "EnableStructuredExceptionHandlingOverwriteProtection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"description": "AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"description": "AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard",
"description": "AuditApplicationGuard",
"omaUri": "./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceLock/MaxDevicePasswordFailedAttempts",
"description": "MaxDevicePasswordFailedAttempts",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxDevicePasswordFailedAttempts",
"isEncrypted": false,
"value": 9,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HidePeopleBar",
"description": "HidePeopleBar ",
"omaUri": "./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Browser/AllowFlash",
"description": "AllowFlash",
"omaUri": "./Vendor/MSFT/Policy/Config/Browser/AllowFlash",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Privacy/AllowCrossDeviceClipboard",
"description": "AllowCrossDeviceClipboard",
"omaUri": "./Vendor/MSFT/Policy/Config/Privacy/AllowCrossDeviceClipboard",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Experience/DoNotShowFeedbackNotifications",
"description": "HideFeedbackNotifications",
"omaUri": "./Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"description": "ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"isEncrypted": false,
"value": "\u003cEnabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge",
"description": "ProhibitInstallationAndConfigurationOfNetworkBridge",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge",
"isEncrypted": false,
"value": "\u003cEnabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteAssistance/UnsolicitedRemoteAssistance",
"description": "UnsolicitedRemoteAssistance",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges",
"description": "MSIAlwaysInstallWithElevatedPrivileges",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteManagement/AllowBasicAuthentication_Client",
"description": "AllowBasicAuthentication_Client",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Client",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteManagement/AllowBasicAuthentication_Service",
"description": "AllowBasicAuthentication_Service",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Service",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/IPv6SourceRoutingProtectionLevel",
"description": "IPv6SourceRoutingProtectionLevel",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"DisableIPSourceRoutingIPv6\" value=\"2\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "CredentialsUI/EnumerateAdministrators",
"description": "EnumerateAdministrators",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/CredentialsUI/EnumerateAdministrators",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Autoplay/TurnOffAutoPlay",
"description": "TurnOffAutoPlay",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"Autorun_Box\" value=\"255\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Autoplay/SetDefaultAutoRunBehavior",
"description": "SetDefaultAutoRunBehavior",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Autoplay/SetDefaultAutoRunBehavior",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"NoAutorun_Dropdown\" value=\"1\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/ConfigureSMBV1ClientDriver",
"description": "ConfigureSMBV1ClientDriver",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver",
"isEncrypted": false,
"value": "\u003cenabled/\u003e \n\u003cdata id=\"Pol_SecGuide_SMB1ClientDriver\" value=\"4\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/IPSourceRoutingProtectionLevel",
"description": "IPSourceRoutingProtectionLevel",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"DisableIPSourceRouting\" value=\"2\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses",
"description": "PreventInstallationOfMatchingDeviceSetupClasses",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\n\u003cdata id=\"DeviceInstall_Classes_Deny_Retroactive\" value=\"true\"/\u003e\n\u003cData id=\"DeviceInstall_Classes_Deny_List\" value=\"1\u0026#xF000;{d48179be-ec20-11d1-b6b8-00c04fa372a7}\u0026#xF000;2\u0026#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}\u0026#xF000;3\u0026#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}\u0026#xF000;4\u0026#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "DeviceInstallation/PreventInstallationOfMatchingDeviceIDs",
"description": "PreventInstallationOfMatchingDeviceIDs",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\n\u003cdata id=\"DeviceInstall_IDs_Deny_Retroactive\" value=\"true\"/\u003e\n\u003cData id=\"DeviceInstall_IDs_Deny_List\" value=\"1\u0026#xF000;PCI\\CC_0C0A\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/EnableVirtualizationBasedSecurity",
"description": "EnableVirtualizationBasedSecurity",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/LSACfgFlags",
"description": "LSACfgFlags",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/PlatformSecurityFeatures",
"description": "PlatformSecurityFeatures",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures",
"isEncrypted": false,
"value": 3,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/ConfigureSystemGuardLaunch",
"description": "ConfigureSystemGuardLaunch",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HideSleep",
"description": "HideSleep",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideSleep",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HideHibernate",
"description": "HideHibernate",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideHibernate",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/StandbyTimeoutPluggedIn",
"description": "StandbyTimeoutPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterACStandbyTimeOut\" value=\"1800\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/HibernateTimeoutPluggedIn",
"description": "HibernateTimeoutPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterACHibernateTimeOut\" value=\"3600\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/HibernateTimeoutOnBattery",
"description": "HibernateTimeoutOnBattery",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutOnBattery",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterDCHibernateTimeOut\" value=\"3600\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "CredentialsUI/DisablePasswordReveal",
"description": "DisablePasswordReveal",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/AllowDeviceNameInDiagnosticData",
"description": "AllowDeviceNameInDiagnosticData",
"omaUri": "./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/ConfigureTelemetryOptInSettingsUx",
"description": "ConfigureTelemetryOptInSettingsUx",
"omaUri": "./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/LimitEnhancedDiagnosticDataWindowsAnalytics",
"description": "LimitEnhancedDiagnosticDataWindowsAnalytics",
"omaUri": "./Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/ConfigureTelemetryOptInChangeNotification",
"description": "ConfigureTelemetryOptInChangeNotification",
"omaUri": "./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
}
],
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u0027b1c0ca02-47f4-48b4-ae4c-1a6e4c060f6c\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/assignments",
"assignments": [
{
"id": "b1c0ca02-47f4-48b4-ae4c-1a6e4c060f6c_bd1f65b9-891f-40ed-89c2-22433a98ea02",
"source": "direct",
"sourceId": "b1c0ca02-47f4-48b4-ae4c-1a6e4c060f6c",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstations"
}
}
]
}


@ -0,0 +1,340 @@
{
"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
"id": "f164e4d2-cd49-47da-bf8c-4cbfbf0773d8",
"lastModifiedDateTime": "2020-11-25T05:28:24.7522228Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-16T17:58:19.5635557Z",
"description": "",
"displayName": "PAW-Win10-Config-Device-Restrictions-UI",
"version": 9,
"taskManagerBlockEndTask": false,
"energySaverOnBatteryThresholdPercentage": null,
"energySaverPluggedInThresholdPercentage": null,
"powerLidCloseActionOnBattery": "notConfigured",
"powerLidCloseActionPluggedIn": "notConfigured",
"powerButtonActionOnBattery": "notConfigured",
"powerButtonActionPluggedIn": "notConfigured",
"powerSleepButtonActionOnBattery": "notConfigured",
"powerSleepButtonActionPluggedIn": "notConfigured",
"powerHybridSleepOnBattery": "enabled",
"powerHybridSleepPluggedIn": "enabled",
"windows10AppsForceUpdateSchedule": null,
"enableAutomaticRedeployment": false,
"microsoftAccountSignInAssistantSettings": "notConfigured",
"authenticationAllowSecondaryDevice": true,
"authenticationWebSignIn": "notConfigured",
"authenticationPreferredAzureADTenantDomainName": null,
"cryptographyAllowFipsAlgorithmPolicy": false,
"displayAppListWithGdiDPIScalingTurnedOn": [
],
"displayAppListWithGdiDPIScalingTurnedOff": [
],
"enterpriseCloudPrintDiscoveryEndPoint": null,
"enterpriseCloudPrintOAuthAuthority": null,
"enterpriseCloudPrintOAuthClientIdentifier": null,
"enterpriseCloudPrintResourceIdentifier": null,
"enterpriseCloudPrintDiscoveryMaxLimit": null,
"enterpriseCloudPrintMopriaDiscoveryResourceIdentifier": null,
"experienceDoNotSyncBrowserSettings": "blocked",
"messagingBlockSync": false,
"messagingBlockMMS": false,
"messagingBlockRichCommunicationServices": false,
"printerNames": [
],
"printerDefaultName": null,
"printerBlockAddition": false,
"searchBlockDiacritics": false,
"searchDisableAutoLanguageDetection": false,
"searchDisableIndexingEncryptedItems": false,
"searchEnableRemoteQueries": false,
"searchDisableUseLocation": false,
"searchDisableLocation": false,
"searchDisableIndexerBackoff": false,
"searchDisableIndexingRemovableDrive": false,
"searchEnableAutomaticIndexSizeManangement": false,
"searchBlockWebResults": false,
"findMyFiles": "notConfigured",
"securityBlockAzureADJoinedDevicesAutoEncryption": false,
"diagnosticsDataSubmissionMode": "enhanced",
"oneDriveDisableFileSync": true,
"systemTelemetryProxyServer": null,
"edgeTelemetryForMicrosoft365Analytics": "notConfigured",
"inkWorkspaceAccess": "disabled",
"inkWorkspaceAccessState": "blocked",
"inkWorkspaceBlockSuggestedApps": false,
"smartScreenEnableAppInstallControl": false,
"smartScreenAppInstallControl": "notConfigured",
"personalizationDesktopImageUrl": "https://i.imgur.com/OAJ28zO.png",
"personalizationLockScreenImageUrl": null,
"bluetoothAllowedServices": [
],
"bluetoothBlockAdvertising": true,
"bluetoothBlockPromptedProximalConnections": true,
"bluetoothBlockDiscoverableMode": true,
"bluetoothBlockPrePairing": true,
"edgeBlockAutofill": false,
"edgeBlocked": false,
"edgeCookiePolicy": "userDefined",
"edgeBlockDeveloperTools": false,
"edgeBlockSendingDoNotTrackHeader": true,
"edgeBlockExtensions": false,
"edgeBlockInPrivateBrowsing": true,
"edgeBlockJavaScript": false,
"edgeBlockPasswordManager": false,
"edgeBlockAddressBarDropdown": false,
"edgeBlockCompatibilityList": false,
"edgeClearBrowsingDataOnExit": true,
"edgeAllowStartPagesModification": false,
"edgeDisableFirstRunPage": false,
"edgeBlockLiveTileDataCollection": true,
"edgeSyncFavoritesWithInternetExplorer": false,
"edgeFavoritesListLocation": null,
"edgeBlockEditFavorites": false,
"edgeNewTabPageURL": null,
"edgeHomeButtonConfiguration": null,
"edgeHomeButtonConfigurationEnabled": false,
"edgeOpensWith": "notConfigured",
"edgeBlockSideloadingExtensions": false,
"edgeRequiredExtensionPackageFamilyNames": [
],
"edgeBlockPrinting": false,
"edgeFavoritesBarVisibility": "notConfigured",
"edgeBlockSavingHistory": true,
"edgeBlockFullScreenMode": false,
"edgeBlockWebContentOnNewTabPage": false,
"edgeBlockTabPreloading": false,
"edgeBlockPrelaunch": false,
"edgeShowMessageWhenOpeningInternetExplorerSites": "notConfigured",
"edgePreventCertificateErrorOverride": true,
"edgeKioskModeRestriction": "notConfigured",
"edgeKioskResetAfterIdleTimeInMinutes": null,
"cellularBlockDataWhenRoaming": false,
"cellularBlockVpn": false,
"cellularBlockVpnWhenRoaming": false,
"cellularData": "allowed",
"defenderRequireRealTimeMonitoring": true,
"defenderRequireBehaviorMonitoring": true,
"defenderRequireNetworkInspectionSystem": true,
"defenderScanDownloads": true,
"defenderScheduleScanEnableLowCpuPriority": false,
"defenderDisableCatchupQuickScan": false,
"defenderDisableCatchupFullScan": false,
"defenderScanScriptsLoadedInInternetExplorer": true,
"defenderBlockEndUserAccess": false,
"defenderSignatureUpdateIntervalInHours": 1,
"defenderMonitorFileActivity": "userDefined",
"defenderDaysBeforeDeletingQuarantinedMalware": null,
"defenderScanMaxCpu": null,
"defenderScanArchiveFiles": true,
"defenderScanIncomingMail": true,
"defenderScanRemovableDrivesDuringFullScan": true,
"defenderScanMappedNetworkDrivesDuringFullScan": false,
"defenderScanNetworkFiles": true,
"defenderRequireCloudProtection": true,
"defenderCloudBlockLevel": "high",
"defenderCloudExtendedTimeout": 50,
"defenderCloudExtendedTimeoutInSeconds": 50,
"defenderPromptForSampleSubmission": "sendAllDataWithoutPrompting",
"defenderScheduledQuickScanTime": "18:00:00.0000000",
"defenderScanType": "full",
"defenderSystemScanSchedule": "saturday",
"defenderScheduledScanTime": "18:00:00.0000000",
"defenderPotentiallyUnwantedAppAction": "block",
"defenderPotentiallyUnwantedAppActionSetting": "userDefined",
"defenderSubmitSamplesConsentType": "sendSafeSamplesAutomatically",
"defenderBlockOnAccessProtection": false,
"defenderFileExtensionsToExclude": [
],
"defenderFilesAndFoldersToExclude": [
],
"defenderProcessesToExclude": [
],
"lockScreenAllowTimeoutConfiguration": false,
"lockScreenBlockActionCenterNotifications": false,
"lockScreenBlockCortana": true,
"lockScreenBlockToastNotifications": true,
"lockScreenTimeoutInSeconds": null,
"lockScreenActivateAppsWithVoice": "notConfigured",
"passwordBlockSimple": true,
"passwordExpirationDays": null,
"passwordMinimumLength": 9,
"passwordMinutesOfInactivityBeforeScreenTimeout": 30,
"passwordMinimumCharacterSetCount": 2,
"passwordPreviousPasswordBlockCount": null,
"passwordRequired": true,
"passwordRequireWhenResumeFromIdleState": true,
"passwordRequiredType": "alphanumeric",
"passwordSignInFailureCountBeforeFactoryReset": 9,
"passwordMinimumAgeInDays": null,
"privacyAdvertisingId": "notConfigured",
"privacyAutoAcceptPairingAndConsentPrompts": false,
"privacyDisableLaunchExperience": false,
"privacyBlockInputPersonalization": false,
"privacyBlockPublishUserActivities": true,
"privacyBlockActivityFeed": true,
"activateAppsWithVoice": "notConfigured",
"startBlockUnpinningAppsFromTaskbar": false,
"startMenuAppListVisibility": "userDefined",
"startMenuHideChangeAccountSettings": false,
"startMenuHideFrequentlyUsedApps": false,
"startMenuHideHibernate": false,
"startMenuHideLock": false,
"startMenuHidePowerButton": false,
"startMenuHideRecentJumpLists": false,
"startMenuHideRecentlyAddedApps": false,
"startMenuHideRestartOptions": false,
"startMenuHideShutDown": false,
"startMenuHideSignOut": false,
"startMenuHideSleep": true,
"startMenuHideSwitchAccount": true,
"startMenuHideUserTile": false,
"startMenuLayoutEdgeAssetsXml": null,
"startMenuLayoutXml": "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",
"startMenuMode": "userDefined",
"startMenuPinnedFolderDocuments": "hide",
"startMenuPinnedFolderDownloads": "notConfigured",
"startMenuPinnedFolderFileExplorer": "notConfigured",
"startMenuPinnedFolderHomeGroup": "hide",
"startMenuPinnedFolderMusic": "hide",
"startMenuPinnedFolderNetwork": "hide",
"startMenuPinnedFolderPersonalFolder": "hide",
"startMenuPinnedFolderPictures": "hide",
"startMenuPinnedFolderSettings": "notConfigured",
"startMenuPinnedFolderVideos": "hide",
"settingsBlockSettingsApp": false,
"settingsBlockSystemPage": false,
"settingsBlockDevicesPage": false,
"settingsBlockNetworkInternetPage": false,
"settingsBlockPersonalizationPage": false,
"settingsBlockAccountsPage": false,
"settingsBlockTimeLanguagePage": false,
"settingsBlockEaseOfAccessPage": false,
"settingsBlockPrivacyPage": true,
"settingsBlockUpdateSecurityPage": false,
"settingsBlockAppsPage": false,
"settingsBlockGamingPage": true,
"windowsSpotlightBlockConsumerSpecificFeatures": false,
"windowsSpotlightBlocked": false,
"windowsSpotlightBlockOnActionCenter": false,
"windowsSpotlightBlockTailoredExperiences": false,
"windowsSpotlightBlockThirdPartyNotifications": false,
"windowsSpotlightBlockWelcomeExperience": false,
"windowsSpotlightBlockWindowsTips": false,
"windowsSpotlightConfigureOnLockScreen": "notConfigured",
"networkProxyApplySettingsDeviceWide": false,
"networkProxyDisableAutoDetect": false,
"networkProxyAutomaticConfigurationUrl": null,
"networkProxyServer": null,
"accountsBlockAddingNonMicrosoftAccountEmail": true,
"antiTheftModeBlocked": false,
"bluetoothBlocked": true,
"cameraBlocked": false,
"connectedDevicesServiceBlocked": true,
"certificatesBlockManualRootCertificateInstallation": false,
"copyPasteBlocked": false,
"cortanaBlocked": true,
"deviceManagementBlockFactoryResetOnMobile": false,
"deviceManagementBlockManualUnenroll": true,
"safeSearchFilter": "userDefined",
"edgeBlockPopups": false,
"edgeBlockSearchSuggestions": false,
"edgeBlockSearchEngineCustomization": false,
"edgeBlockSendingIntranetTrafficToInternetExplorer": false,
"edgeSendIntranetTrafficToInternetExplorer": false,
"edgeRequireSmartScreen": true,
"edgeEnterpriseModeSiteListLocation": null,
"edgeFirstRunUrl": null,
"edgeHomepageUrls": [
],
"edgeBlockAccessToAboutFlags": false,
"smartScreenBlockPromptOverride": true,
"smartScreenBlockPromptOverrideForFiles": true,
"webRtcBlockLocalhostIpAddress": true,
"internetSharingBlocked": true,
"settingsBlockAddProvisioningPackage": true,
"settingsBlockRemoveProvisioningPackage": true,
"settingsBlockChangeSystemTime": true,
"settingsBlockEditDeviceName": false,
"settingsBlockChangeRegion": false,
"settingsBlockChangeLanguage": false,
"settingsBlockChangePowerSleep": false,
"locationServicesBlocked": true,
"microsoftAccountBlocked": true,
"microsoftAccountBlockSettingsSync": true,
"nfcBlocked": true,
"resetProtectionModeBlocked": false,
"screenCaptureBlocked": false,
"storageBlockRemovableStorage": false,
"storageRequireMobileDeviceEncryption": false,
"usbBlocked": false,
"voiceRecordingBlocked": false,
"wiFiBlockAutomaticConnectHotspots": false,
"wiFiBlocked": false,
"wiFiBlockManualConfiguration": false,
"wiFiScanInterval": null,
"wirelessDisplayBlockProjectionToThisDevice": false,
"wirelessDisplayBlockUserInputFromReceiver": false,
"wirelessDisplayRequirePinForPairing": true,
"windowsStoreBlocked": false,
"appsAllowTrustedAppsSideloading": "allowed",
"windowsStoreBlockAutoUpdate": false,
"developerUnlockSetting": "blocked",
"sharedUserAppDataAllowed": true,
"appsBlockWindowsStoreOriginatedApps": false,
"windowsStoreEnablePrivateStoreOnly": true,
"storageRestrictAppDataToSystemVolume": false,
"storageRestrictAppInstallToSystemVolume": false,
"gameDvrBlocked": true,
"experienceBlockDeviceDiscovery": true,
"experienceBlockErrorDialogWhenNoSIM": false,
"experienceBlockTaskSwitcher": false,
"logonBlockFastUserSwitching": true,
"tenantLockdownRequireNetworkDuringOutOfBoxExperience": true,
"appManagementMSIAllowUserControlOverInstall": false,
"appManagementMSIAlwaysInstallWithElevatedPrivileges": false,
"dataProtectionBlockDirectMemoryAccess": true,
"appManagementPackageFamilyNamesToLaunchAfterLogOn": [
],
"uninstallBuiltInApps": false,
"configureTimeZone": null,
"defenderDetectedMalwareActions": {
"lowSeverity": "quarantine",
"moderateSeverity": "quarantine",
"highSeverity": "quarantine",
"severeSeverity": "quarantine"
},
"edgeSearchEngine": {
"@odata.type": "#microsoft.graph.edgeSearchEngine",
"edgeSearchEngineType": "default"
},
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u0027f164e4d2-cd49-47da-bf8c-4cbfbf0773d8\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/assignments",
"assignments": [
{
"id": "f164e4d2-cd49-47da-bf8c-4cbfbf0773d8_bd1f65b9-891f-40ed-89c2-22433a98ea02",
"source": "direct",
"sourceId": "f164e4d2-cd49-47da-bf8c-4cbfbf0773d8",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstations"
}
}
]
}
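Review bot: `personalizationDesktopImageUrl` in this privileged-workstation profile points at a public image host the tenant does not control (`"personalizationDesktopImageUrl": "https://i.imgur.com/OAJ28zO.png"`), so the wallpaper content can be swapped by whoever owns that upload and every device assigned to "Privileged Workstations" will reach out to that host; host the image on tenant-owned storage or set `"personalizationDesktopImageUrl": null` until one exists. Two further values read as hardening gaps for a PAW baseline rather than deliberate choices: `"appsAllowTrustedAppsSideloading": "allowed"` and `"certificatesBlockManualRootCertificateInstallation": false`. If sideloading and local root-CA installation are intentionally permitted on these devices, a sentence in `description` (currently `""`) recording why would help whoever imports this next; otherwise `"appsAllowTrustedAppsSideloading": "blocked"` and `"certificatesBlockManualRootCertificateInstallation": true` are the values consistent with the rest of the profile (Microsoft accounts, Bluetooth, Cortana and manual unenrollment are all blocked). The `id`, `createdDateTime`, `lastModifiedDateTime`, `version` and `assignments@odata.context` fields are read-only on Graph and presumably get stripped by the import script, but that is not visible from this file.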


@ -0,0 +1,988 @@
{
"@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
"id": "05efdfd5-286c-446a-987d-e739991a6ea7",
"lastModifiedDateTime": "2020-11-25T08:37:02.6481924Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-16T17:58:28.8574013Z",
"description": "",
"displayName": "PAW-Win10-Config-Endpoint-Protection-UI",
"version": 5,
"dmaGuardDeviceEnumerationPolicy": "deviceDefault",
"xboxServicesEnableXboxGameSaveTask": false,
"xboxServicesAccessoryManagementServiceStartupMode": "disabled",
"xboxServicesLiveAuthManagerServiceStartupMode": "disabled",
"xboxServicesLiveGameSaveServiceStartupMode": "disabled",
"xboxServicesLiveNetworkingServiceStartupMode": "disabled",
"localSecurityOptionsBlockMicrosoftAccounts": true,
"localSecurityOptionsBlockRemoteLogonWithBlankPassword": true,
"localSecurityOptionsDisableAdministratorAccount": true,
"localSecurityOptionsAdministratorAccountName": null,
"localSecurityOptionsDisableGuestAccount": true,
"localSecurityOptionsGuestAccountName": null,
"localSecurityOptionsAllowUndockWithoutHavingToLogon": true,
"localSecurityOptionsBlockUsersInstallingPrinterDrivers": false,
"localSecurityOptionsBlockRemoteOpticalDriveAccess": true,
"localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser": "administrators",
"localSecurityOptionsMachineInactivityLimit": 5,
"localSecurityOptionsMachineInactivityLimitInMinutes": 5,
"localSecurityOptionsDoNotRequireCtrlAltDel": false,
"localSecurityOptionsHideLastSignedInUser": false,
"localSecurityOptionsHideUsernameAtSignIn": false,
"localSecurityOptionsLogOnMessageTitle": null,
"localSecurityOptionsLogOnMessageText": null,
"localSecurityOptionsAllowPKU2UAuthenticationRequests": true,
"localSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool": false,
"localSecurityOptionsAllowRemoteCallsToSecurityAccountsManager": null,
"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients": "ntlmV2And128BitEncryption",
"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers": "ntlmV2And128BitEncryption",
"lanManagerAuthenticationLevel": "lmNtlmV2AndNotLmOrNtm",
"lanManagerWorkstationDisableInsecureGuestLogons": true,
"localSecurityOptionsClearVirtualMemoryPageFile": false,
"localSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn": false,
"localSecurityOptionsAllowUIAccessApplicationElevation": true,
"localSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations": true,
"localSecurityOptionsOnlyElevateSignedExecutables": true,
"localSecurityOptionsAdministratorElevationPromptBehavior": "promptForCredentialsOnTheSecureDesktop",
"localSecurityOptionsStandardUserElevationPromptBehavior": "automaticallyDenyElevationRequests",
"localSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation": false,
"localSecurityOptionsDetectApplicationInstallationsAndPromptForElevation": true,
"localSecurityOptionsAllowUIAccessApplicationsForSecureLocations": false,
"localSecurityOptionsUseAdminApprovalMode": false,
"localSecurityOptionsUseAdminApprovalModeForAdministrators": false,
"localSecurityOptionsInformationShownOnLockScreen": "notConfigured",
"localSecurityOptionsInformationDisplayedOnLockScreen": "notConfigured",
"localSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees": false,
"localSecurityOptionsClientDigitallySignCommunicationsAlways": true,
"localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers": true,
"localSecurityOptionsDisableServerDigitallySignCommunicationsAlways": false,
"localSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees": false,
"localSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares": true,
"localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts": true,
"localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares": true,
"localSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange": true,
"localSecurityOptionsSmartCardRemovalBehavior": "lockWorkstation",
"defenderSecurityCenterDisableAppBrowserUI": false,
"defenderSecurityCenterDisableFamilyUI": true,
"defenderSecurityCenterDisableHealthUI": false,
"defenderSecurityCenterDisableNetworkUI": false,
"defenderSecurityCenterDisableVirusUI": false,
"defenderSecurityCenterDisableAccountUI": false,
"defenderSecurityCenterDisableClearTpmUI": true,
"defenderSecurityCenterDisableHardwareUI": false,
"defenderSecurityCenterDisableNotificationAreaUI": false,
"defenderSecurityCenterDisableRansomwareUI": false,
"defenderSecurityCenterDisableSecureBootUI": false,
"defenderSecurityCenterDisableTroubleshootingUI": false,
"defenderSecurityCenterDisableVulnerableTpmFirmwareUpdateUI": true,
"defenderSecurityCenterOrganizationDisplayName": null,
"defenderSecurityCenterHelpEmail": null,
"defenderSecurityCenterHelpPhone": null,
"defenderSecurityCenterHelpURL": null,
"defenderSecurityCenterNotificationsFromApp": "notConfigured",
"defenderSecurityCenterITContactDisplay": "notConfigured",
"windowsDefenderTamperProtection": "enable",
"firewallBlockStatefulFTP": true,
"firewallIdleTimeoutForSecurityAssociationInSeconds": null,
"firewallPreSharedKeyEncodingMethod": "deviceDefault",
"firewallIPSecExemptionsNone": false,
"firewallIPSecExemptionsAllowNeighborDiscovery": false,
"firewallIPSecExemptionsAllowICMP": false,
"firewallIPSecExemptionsAllowRouterDiscovery": false,
"firewallIPSecExemptionsAllowDHCP": false,
"firewallCertificateRevocationListCheckMethod": "deviceDefault",
"firewallMergeKeyingModuleSettings": false,
"firewallPacketQueueingMethod": "deviceDefault",
"defenderAdobeReaderLaunchChildProcess": "enable",
"defenderAttackSurfaceReductionExcludedPaths": [
],
"defenderOfficeAppsOtherProcessInjectionType": "block",
"defenderOfficeAppsOtherProcessInjection": "enable",
"defenderOfficeCommunicationAppsLaunchChildProcess": "enable",
"defenderOfficeAppsExecutableContentCreationOrLaunchType": "block",
"defenderOfficeAppsExecutableContentCreationOrLaunch": "enable",
"defenderOfficeAppsLaunchChildProcessType": "block",
"defenderOfficeAppsLaunchChildProcess": "enable",
"defenderOfficeMacroCodeAllowWin32ImportsType": "block",
"defenderOfficeMacroCodeAllowWin32Imports": "enable",
"defenderScriptObfuscatedMacroCodeType": "block",
"defenderScriptObfuscatedMacroCode": "enable",
"defenderScriptDownloadedPayloadExecutionType": "block",
"defenderScriptDownloadedPayloadExecution": "enable",
"defenderPreventCredentialStealingType": "enable",
"defenderProcessCreationType": "block",
"defenderProcessCreation": "enable",
"defenderUntrustedUSBProcessType": "block",
"defenderUntrustedUSBProcess": "enable",
"defenderUntrustedExecutableType": "block",
"defenderUntrustedExecutable": "enable",
"defenderEmailContentExecutionType": "block",
"defenderEmailContentExecution": "enable",
"defenderAdvancedRansomewareProtectionType": "enable",
"defenderGuardMyFoldersType": "enable",
"defenderGuardedFoldersAllowedAppPaths": [
],
"defenderAdditionalGuardedFolders": [
],
"defenderNetworkProtectionType": "enable",
"defenderExploitProtectionXml": null,
"defenderExploitProtectionXmlFileName": null,
"defenderSecurityCenterBlockExploitProtectionOverride": true,
"appLockerApplicationControl": "notConfigured",
"deviceGuardLocalSystemAuthorityCredentialGuardSettings": "notConfigured",
"deviceGuardEnableVirtualizationBasedSecurity": false,
"deviceGuardEnableSecureBootWithDMA": false,
"deviceGuardSecureBootWithDMA": "notConfigured",
"deviceGuardLaunchSystemGuard": "notConfigured",
"smartScreenEnableInShell": true,
"smartScreenBlockOverrideForFiles": true,
"applicationGuardEnabled": false,
"applicationGuardEnabledOptions": "notConfigured",
"applicationGuardBlockFileTransfer": "notConfigured",
"applicationGuardBlockNonEnterpriseContent": false,
"applicationGuardAllowPersistence": false,
"applicationGuardForceAuditing": false,
"applicationGuardBlockClipboardSharing": "notConfigured",
"applicationGuardAllowPrintToPDF": false,
"applicationGuardAllowPrintToXPS": false,
"applicationGuardAllowPrintToLocalPrinters": false,
"applicationGuardAllowPrintToNetworkPrinters": false,
"applicationGuardAllowVirtualGPU": false,
"applicationGuardAllowFileSaveOnHost": false,
"bitLockerAllowStandardUserEncryption": true,
"bitLockerDisableWarningForOtherDiskEncryption": true,
"bitLockerEnableStorageCardEncryptionOnMobile": false,
"bitLockerEncryptDevice": true,
"bitLockerRecoveryPasswordRotation": "enabledForAzureAd",
"defenderDisableScanArchiveFiles": null,
"defenderAllowScanArchiveFiles": null,
"defenderDisableBehaviorMonitoring": null,
"defenderAllowBehaviorMonitoring": null,
"defenderDisableCloudProtection": null,
"defenderAllowCloudProtection": null,
"defenderEnableScanIncomingMail": null,
"defenderEnableScanMappedNetworkDrivesDuringFullScan": null,
"defenderDisableScanRemovableDrivesDuringFullScan": null,
"defenderAllowScanRemovableDrivesDuringFullScan": null,
"defenderDisableScanDownloads": null,
"defenderAllowScanDownloads": null,
"defenderDisableIntrusionPreventionSystem": null,
"defenderAllowIntrusionPreventionSystem": null,
"defenderDisableOnAccessProtection": null,
"defenderAllowOnAccessProtection": null,
"defenderDisableRealTimeMonitoring": null,
"defenderAllowRealTimeMonitoring": null,
"defenderDisableScanNetworkFiles": null,
"defenderAllowScanNetworkFiles": null,
"defenderDisableScanScriptsLoadedInInternetExplorer": null,
"defenderAllowScanScriptsLoadedInInternetExplorer": null,
"defenderBlockEndUserAccess": null,
"defenderAllowEndUserAccess": null,
"defenderScanMaxCpuPercentage": null,
"defenderCheckForSignaturesBeforeRunningScan": null,
"defenderCloudBlockLevel": null,
"defenderCloudExtendedTimeoutInSeconds": null,
"defenderDaysBeforeDeletingQuarantinedMalware": null,
"defenderDisableCatchupFullScan": null,
"defenderDisableCatchupQuickScan": null,
"defenderEnableLowCpuPriority": null,
"defenderFileExtensionsToExclude": [
],
"defenderFilesAndFoldersToExclude": [
],
"defenderProcessesToExclude": [
],
"defenderPotentiallyUnwantedAppAction": null,
"defenderScanDirection": null,
"defenderScanType": null,
"defenderScheduledQuickScanTime": null,
"defenderScheduledScanDay": null,
"defenderScheduledScanTime": null,
"defenderSignatureUpdateIntervalInHours": null,
"defenderSubmitSamplesConsentType": null,
"defenderDetectedMalwareActions": null,
"firewallRules": [
{
"displayName": "World Wide Web Services (HTTPS Traffic-out)",
"description": "An outbound rule to allow HTTPS traffic for Internet traffic",
"packageFamilyName": null,
"filePath": null,
"serviceName": null,
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"443"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "public",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "World Wide Web Services (HTTP Traffic-out)",
"description": "An outbound rule to allow HTTPS traffic for Internet traffic",
"packageFamilyName": null,
"filePath": null,
"serviceName": null,
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"80"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "public",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)",
"description": "Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
"546"
],
"remotePortRanges": [
"547"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)",
"description": "Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.",
"packageFamilyName": null,
"filePath": null,
"serviceName": "Dhcp",
"protocol": 17,
"localPortRanges": [
"546"
],
"remotePortRanges": [
"547"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)",
"description": "Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
"68"
],
"remotePortRanges": [
"67"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)",
"description": "Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.",
"packageFamilyName": null,
"filePath": null,
"serviceName": "Dhcp",
"protocol": 17,
"localPortRanges": [
"68"
],
"remotePortRanges": [
"67"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - DNS (UDP-Out)",
"description": "An outbound rule to allow DNS traffic for name resolution",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
],
"remotePortRanges": [
"53"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - DNS (UDP-Out)",
"description": "An outbound rule to allow DNS traffic for name resolution",
"packageFamilyName": null,
"filePath": null,
"serviceName": "Dnscache",
"protocol": 17,
"localPortRanges": [
],
"remotePortRanges": [
"53"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "NCSI Probe (HTTP-Out)",
"description": "NCSI Probe for network type determination",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"80"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "NCSI Probe (HTTP-Out)",
"description": "NCSI Probe for network type determination",
"packageFamilyName": null,
"filePath": null,
"serviceName": "NlaSvc",
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"80"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Windows Time (UDP-Out)",
"description": null,
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
],
"remotePortRanges": [
"123"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Windows Time (UDP-Out)",
"description": null,
"packageFamilyName": null,
"filePath": null,
"serviceName": "W32Time",
"protocol": 17,
"localPortRanges": [
],
"remotePortRanges": [
"123"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Delivery Optimization (TCP-In)",
"description": "Inbound rule to allow Delivery Optimization to connect to remote endpoints",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 6,
"localPortRanges": [
"7680"
],
"remotePortRanges": [
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "in",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Delivery Optimization (TCP-In)",
"description": "Inbound rule to allow Delivery Optimization to connect to remote endpoints",
"packageFamilyName": null,
"filePath": null,
"serviceName": "DoSvc",
"protocol": 6,
"localPortRanges": [
"7680"
],
"remotePortRanges": [
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "in",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - DNS (TCP-Out)",
"description": null,
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"53"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - DNS (TCP-Out)",
"description": null,
"packageFamilyName": null,
"filePath": null,
"serviceName": "DNSCache",
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"53"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Delivery Optimization (UDP-In)",
"description": null,
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
"7680"
],
"remotePortRanges": [
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "in",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Delivery Optimization (UDP-In)",
"description": null,
"packageFamilyName": null,
"filePath": null,
"serviceName": "DoSvc",
"protocol": 17,
"localPortRanges": [
"7680"
],
"remotePortRanges": [
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "in",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
}
],
"userRightsAccessCredentialManagerAsTrustedCaller": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsAllowAccessFromNetwork": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsBlockAccessFromNetwork": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsActAsPartOfTheOperatingSystem": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLocalLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDenyLocalLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsBackupData": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsChangeSystemTime": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateGlobalObjects": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreatePageFile": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreatePermanentSharedObjects": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateSymbolicLinks": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateToken": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDebugPrograms": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRemoteDesktopServicesLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDelegation": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsGenerateSecurityAudits": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsImpersonateClient": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsIncreaseSchedulingPriority": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLoadUnloadDrivers": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLockMemory": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsManageAuditingAndSecurityLogs": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsManageVolumes": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsModifyFirmwareEnvironment": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsModifyObjectLabels": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsProfileSingleProcess": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRemoteShutdown": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRestoreData": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsTakeOwnership": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"firewallProfileDomain": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": false,
"outboundConnectionsBlocked": true,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"firewallProfilePublic": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": false,
"outboundConnectionsBlocked": true,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"firewallProfilePrivate": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": false,
"outboundConnectionsBlocked": true,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"bitLockerSystemDrivePolicy": {
"encryptionMethod": "xtsAes128",
"startupAuthenticationRequired": true,
"startupAuthenticationBlockWithoutTpmChip": true,
"startupAuthenticationTpmUsage": "allowed",
"startupAuthenticationTpmPinUsage": "allowed",
"startupAuthenticationTpmKeyUsage": "blocked",
"startupAuthenticationTpmPinAndKeyUsage": "blocked",
"minimumPinLength": 9,
"prebootRecoveryEnableMessageAndUrl": false,
"prebootRecoveryMessage": null,
"prebootRecoveryUrl": null,
"recoveryOptions": {
"blockDataRecoveryAgent": false,
"recoveryPasswordUsage": "allowed",
"recoveryKeyUsage": "blocked",
"hideRecoveryOptions": true,
"enableRecoveryInformationSaveToStore": true,
"recoveryInformationToStore": "passwordAndKey",
"enableBitLockerAfterRecoveryInformationToStore": true
}
},
"bitLockerFixedDrivePolicy": {
"encryptionMethod": "xtsAes128",
"requireEncryptionForWriteAccess": false,
"recoveryOptions": {
"blockDataRecoveryAgent": true,
"recoveryPasswordUsage": "allowed",
"recoveryKeyUsage": "blocked",
"hideRecoveryOptions": true,
"enableRecoveryInformationSaveToStore": true,
"recoveryInformationToStore": "passwordAndKey",
"enableBitLockerAfterRecoveryInformationToStore": true
}
},
"bitLockerRemovableDrivePolicy": {
"encryptionMethod": "aesCbc128",
"requireEncryptionForWriteAccess": true,
"blockCrossOrganizationWriteAccess": true
},
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u002705efdfd5-286c-446a-987d-e739991a6ea7\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/assignments",
"assignments": [
{
"id": "05efdfd5-286c-446a-987d-e739991a6ea7_bd1f65b9-891f-40ed-89c2-22433a98ea02",
"source": "direct",
"sourceId": "05efdfd5-286c-446a-987d-e739991a6ea7",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstations"
}
}
]
}
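Review bot: The four "Delivery Optimization (TCP-In)" / "(UDP-In)" rules are the only inbound allows in a profile set that otherwise has `inboundConnectionsBlocked: true` on domain, private and public, and they admit TCP and UDP 7680 from any source (`remoteAddressRanges` is empty, `profileTypes` is `notConfigured`, i.e. all profiles); peer-to-peer Delivery Optimization listening on a privileged workstation is hard to justify, so either drop these rules and keep DO in HTTP-only download mode, or at least constrain them, e.g. `"remoteAddressRanges": ["LocalSubnet"]`. Several local-security-option booleans whose names read as permissive are `true` in this export — `localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers`, `localSecurityOptionsAllowPKU2UAuthenticationRequests`, and `localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares` (next to `localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts: true`) — and because the Graph schema's true/false direction for these properties is not obvious from the name, the intended portal value (Block vs. Allow) should be confirmed against the tenant and recorded in the repository README so a later re-export cannot silently weaken the baseline. Credential Guard (`deviceGuardLocalSystemAuthorityCredentialGuardSettings`), virtualization-based security and `appLockerApplicationControl` are `notConfigured`/`false` here; if one of the custom OMA-URI profiles added in this commit delivers them, that dependency is worth stating, otherwise a PAW baseline is missing them. Minor: the "World Wide Web Services (HTTP Traffic-out)" rule's description says "HTTPS traffic", a copy of the rule above it, and it opens outbound port 80 to any address on the public profile.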


@ -0,0 +1,44 @@
{
"@odata.type": "#microsoft.graph.windowsIdentityProtectionConfiguration",
"id": "9218cdda-e28d-451e-96c6-1e6b9a9f292d",
"lastModifiedDateTime": "2020-11-16T18:06:54.6907925Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-16T17:58:38.498837Z",
"description": "",
"displayName": "PAW-Win10-Config-Identity-Protection-UI",
"version": 2,
"useSecurityKeyForSignin": true,
"enhancedAntiSpoofingForFacialFeaturesEnabled": true,
"pinMinimumLength": 8,
"pinMaximumLength": 100,
"pinUppercaseCharactersUsage": "blocked",
"pinLowercaseCharactersUsage": "blocked",
"pinSpecialCharactersUsage": "blocked",
"pinExpirationInDays": null,
"pinPreviousBlockCount": null,
"pinRecoveryEnabled": true,
"securityDeviceRequired": true,
"unlockWithBiometricsEnabled": true,
"useCertificatesForOnPremisesAuthEnabled": false,
"windowsHelloForBusinessBlocked": false,
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u00279218cdda-e28d-451e-96c6-1e6b9a9f292d\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/assignments",
"assignments": [
{
"id": "9218cdda-e28d-451e-96c6-1e6b9a9f292d_bd1f65b9-891f-40ed-89c2-22433a98ea02",
"source": "direct",
"sourceId": "9218cdda-e28d-451e-96c6-1e6b9a9f292d",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstations"
}
}
]
}
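Review bot: The assignment target carries a display name, `"groupId": "Privileged Workstations"`, rather than a group object id, so whatever resolves it at import time (presumably the PowerShell import script, not in this view) is doing a name lookup; Azure AD group display names are not unique, so that lookup should fail closed when it returns zero or more than one group instead of assigning a privileged-workstation policy to whichever group matched first. The Windows Hello PIN policy blocks upper-case, lower-case and special characters with `pinMinimumLength: 8` and no `pinExpirationInDays` or `pinPreviousBlockCount`, which yields a digits-only PIN; with `securityDeviceRequired: true` the PIN is TPM-gated, which is presumably the rationale, but that reasoning should be recorded alongside the profile, or the policy relaxed to `"pinSpecialCharactersUsage": "allowed"` so stronger PINs are at least permitted on these workstations.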


@ -0,0 +1,399 @@
{
"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
"id": "b9672ea4-0ec3-40da-a911-65a554a75047",
"lastModifiedDateTime": "2020-11-25T09:28:47.7676881Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-25T05:27:51.0856011Z",
"description": null,
"displayName": "PAW-Win10-URLLockProxy-UI",
"version": 4,
"taskManagerBlockEndTask": false,
"energySaverOnBatteryThresholdPercentage": null,
"energySaverPluggedInThresholdPercentage": null,
"powerLidCloseActionOnBattery": "notConfigured",
"powerLidCloseActionPluggedIn": "notConfigured",
"powerButtonActionOnBattery": "notConfigured",
"powerButtonActionPluggedIn": "notConfigured",
"powerSleepButtonActionOnBattery": "notConfigured",
"powerSleepButtonActionPluggedIn": "notConfigured",
"powerHybridSleepOnBattery": "notConfigured",
"powerHybridSleepPluggedIn": "notConfigured",
"windows10AppsForceUpdateSchedule": null,
"enableAutomaticRedeployment": false,
"microsoftAccountSignInAssistantSettings": "notConfigured",
"authenticationAllowSecondaryDevice": false,
"authenticationWebSignIn": "notConfigured",
"authenticationPreferredAzureADTenantDomainName": null,
"cryptographyAllowFipsAlgorithmPolicy": false,
"displayAppListWithGdiDPIScalingTurnedOn": [
],
"displayAppListWithGdiDPIScalingTurnedOff": [
],
"enterpriseCloudPrintDiscoveryEndPoint": null,
"enterpriseCloudPrintOAuthAuthority": null,
"enterpriseCloudPrintOAuthClientIdentifier": null,
"enterpriseCloudPrintResourceIdentifier": null,
"enterpriseCloudPrintDiscoveryMaxLimit": null,
"enterpriseCloudPrintMopriaDiscoveryResourceIdentifier": null,
"experienceDoNotSyncBrowserSettings": "notConfigured",
"messagingBlockSync": false,
"messagingBlockMMS": false,
"messagingBlockRichCommunicationServices": false,
"printerNames": [
],
"printerDefaultName": null,
"printerBlockAddition": false,
"searchBlockDiacritics": false,
"searchDisableAutoLanguageDetection": false,
"searchDisableIndexingEncryptedItems": false,
"searchEnableRemoteQueries": false,
"searchDisableUseLocation": false,
"searchDisableLocation": false,
"searchDisableIndexerBackoff": false,
"searchDisableIndexingRemovableDrive": false,
"searchEnableAutomaticIndexSizeManangement": false,
"searchBlockWebResults": false,
"findMyFiles": "notConfigured",
"securityBlockAzureADJoinedDevicesAutoEncryption": false,
"diagnosticsDataSubmissionMode": "userDefined",
"oneDriveDisableFileSync": false,
"systemTelemetryProxyServer": null,
"edgeTelemetryForMicrosoft365Analytics": "notConfigured",
"inkWorkspaceAccess": "notConfigured",
"inkWorkspaceAccessState": "notConfigured",
"inkWorkspaceBlockSuggestedApps": false,
"smartScreenEnableAppInstallControl": false,
"smartScreenAppInstallControl": "notConfigured",
"personalizationDesktopImageUrl": null,
"personalizationLockScreenImageUrl": null,
"bluetoothAllowedServices": [
],
"bluetoothBlockAdvertising": false,
"bluetoothBlockPromptedProximalConnections": false,
"bluetoothBlockDiscoverableMode": false,
"bluetoothBlockPrePairing": false,
"edgeBlockAutofill": false,
"edgeBlocked": false,
"edgeCookiePolicy": "userDefined",
"edgeBlockDeveloperTools": false,
"edgeBlockSendingDoNotTrackHeader": false,
"edgeBlockExtensions": false,
"edgeBlockInPrivateBrowsing": false,
"edgeBlockJavaScript": false,
"edgeBlockPasswordManager": false,
"edgeBlockAddressBarDropdown": false,
"edgeBlockCompatibilityList": false,
"edgeClearBrowsingDataOnExit": false,
"edgeAllowStartPagesModification": false,
"edgeDisableFirstRunPage": false,
"edgeBlockLiveTileDataCollection": false,
"edgeSyncFavoritesWithInternetExplorer": false,
"edgeFavoritesListLocation": null,
"edgeBlockEditFavorites": false,
"edgeNewTabPageURL": null,
"edgeHomeButtonConfiguration": null,
"edgeHomeButtonConfigurationEnabled": false,
"edgeOpensWith": "notConfigured",
"edgeBlockSideloadingExtensions": false,
"edgeRequiredExtensionPackageFamilyNames": [
],
"edgeBlockPrinting": false,
"edgeFavoritesBarVisibility": "notConfigured",
"edgeBlockSavingHistory": false,
"edgeBlockFullScreenMode": false,
"edgeBlockWebContentOnNewTabPage": false,
"edgeBlockTabPreloading": false,
"edgeBlockPrelaunch": false,
"edgeShowMessageWhenOpeningInternetExplorerSites": "notConfigured",
"edgePreventCertificateErrorOverride": false,
"edgeKioskModeRestriction": "notConfigured",
"edgeKioskResetAfterIdleTimeInMinutes": null,
"cellularBlockDataWhenRoaming": false,
"cellularBlockVpn": false,
"cellularBlockVpnWhenRoaming": false,
"cellularData": "allowed",
"defenderRequireRealTimeMonitoring": false,
"defenderRequireBehaviorMonitoring": false,
"defenderRequireNetworkInspectionSystem": false,
"defenderScanDownloads": false,
"defenderScheduleScanEnableLowCpuPriority": false,
"defenderDisableCatchupQuickScan": false,
"defenderDisableCatchupFullScan": false,
"defenderScanScriptsLoadedInInternetExplorer": false,
"defenderBlockEndUserAccess": false,
"defenderSignatureUpdateIntervalInHours": null,
"defenderMonitorFileActivity": "userDefined",
"defenderDaysBeforeDeletingQuarantinedMalware": null,
"defenderScanMaxCpu": null,
"defenderScanArchiveFiles": false,
"defenderScanIncomingMail": false,
"defenderScanRemovableDrivesDuringFullScan": false,
"defenderScanMappedNetworkDrivesDuringFullScan": false,
"defenderScanNetworkFiles": false,
"defenderRequireCloudProtection": false,
"defenderCloudBlockLevel": "notConfigured",
"defenderCloudExtendedTimeout": null,
"defenderCloudExtendedTimeoutInSeconds": null,
"defenderPromptForSampleSubmission": "userDefined",
"defenderScheduledQuickScanTime": null,
"defenderScanType": "userDefined",
"defenderSystemScanSchedule": "userDefined",
"defenderScheduledScanTime": null,
"defenderPotentiallyUnwantedAppAction": null,
"defenderPotentiallyUnwantedAppActionSetting": "userDefined",
"defenderSubmitSamplesConsentType": "sendSafeSamplesAutomatically",
"defenderBlockOnAccessProtection": false,
"defenderDetectedMalwareActions": null,
"defenderFileExtensionsToExclude": [
],
"defenderFilesAndFoldersToExclude": [
],
"defenderProcessesToExclude": [
],
"lockScreenAllowTimeoutConfiguration": false,
"lockScreenBlockActionCenterNotifications": false,
"lockScreenBlockCortana": false,
"lockScreenBlockToastNotifications": false,
"lockScreenTimeoutInSeconds": null,
"lockScreenActivateAppsWithVoice": "notConfigured",
"passwordBlockSimple": false,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinutesOfInactivityBeforeScreenTimeout": null,
"passwordMinimumCharacterSetCount": null,
"passwordPreviousPasswordBlockCount": null,
"passwordRequired": false,
"passwordRequireWhenResumeFromIdleState": false,
"passwordRequiredType": "deviceDefault",
"passwordSignInFailureCountBeforeFactoryReset": null,
"passwordMinimumAgeInDays": null,
"privacyAdvertisingId": "notConfigured",
"privacyAutoAcceptPairingAndConsentPrompts": false,
"privacyDisableLaunchExperience": false,
"privacyBlockInputPersonalization": false,
"privacyBlockPublishUserActivities": false,
"privacyBlockActivityFeed": false,
"activateAppsWithVoice": "notConfigured",
"startBlockUnpinningAppsFromTaskbar": false,
"startMenuAppListVisibility": "userDefined",
"startMenuHideChangeAccountSettings": false,
"startMenuHideFrequentlyUsedApps": false,
"startMenuHideHibernate": false,
"startMenuHideLock": false,
"startMenuHidePowerButton": false,
"startMenuHideRecentJumpLists": false,
"startMenuHideRecentlyAddedApps": false,
"startMenuHideRestartOptions": false,
"startMenuHideShutDown": false,
"startMenuHideSignOut": false,
"startMenuHideSleep": false,
"startMenuHideSwitchAccount": false,
"startMenuHideUserTile": false,
"startMenuLayoutEdgeAssetsXml": null,
"startMenuLayoutXml": null,
"startMenuMode": "userDefined",
"startMenuPinnedFolderDocuments": "notConfigured",
"startMenuPinnedFolderDownloads": "notConfigured",
"startMenuPinnedFolderFileExplorer": "notConfigured",
"startMenuPinnedFolderHomeGroup": "notConfigured",
"startMenuPinnedFolderMusic": "notConfigured",
"startMenuPinnedFolderNetwork": "notConfigured",
"startMenuPinnedFolderPersonalFolder": "notConfigured",
"startMenuPinnedFolderPictures": "notConfigured",
"startMenuPinnedFolderSettings": "notConfigured",
"startMenuPinnedFolderVideos": "notConfigured",
"settingsBlockSettingsApp": false,
"settingsBlockSystemPage": false,
"settingsBlockDevicesPage": false,
"settingsBlockNetworkInternetPage": false,
"settingsBlockPersonalizationPage": false,
"settingsBlockAccountsPage": false,
"settingsBlockTimeLanguagePage": false,
"settingsBlockEaseOfAccessPage": false,
"settingsBlockPrivacyPage": false,
"settingsBlockUpdateSecurityPage": false,
"settingsBlockAppsPage": false,
"settingsBlockGamingPage": false,
"windowsSpotlightBlockConsumerSpecificFeatures": false,
"windowsSpotlightBlocked": false,
"windowsSpotlightBlockOnActionCenter": false,
"windowsSpotlightBlockTailoredExperiences": false,
"windowsSpotlightBlockThirdPartyNotifications": false,
"windowsSpotlightBlockWelcomeExperience": false,
"windowsSpotlightBlockWindowsTips": false,
"windowsSpotlightConfigureOnLockScreen": "notConfigured",
"networkProxyApplySettingsDeviceWide": false,
"networkProxyDisableAutoDetect": false,
"networkProxyAutomaticConfigurationUrl": null,
"accountsBlockAddingNonMicrosoftAccountEmail": false,
"antiTheftModeBlocked": false,
"bluetoothBlocked": false,
"cameraBlocked": false,
"connectedDevicesServiceBlocked": false,
"certificatesBlockManualRootCertificateInstallation": false,
"copyPasteBlocked": false,
"cortanaBlocked": false,
"deviceManagementBlockFactoryResetOnMobile": false,
"deviceManagementBlockManualUnenroll": false,
"safeSearchFilter": "userDefined",
"edgeBlockPopups": false,
"edgeBlockSearchSuggestions": false,
"edgeBlockSearchEngineCustomization": false,
"edgeBlockSendingIntranetTrafficToInternetExplorer": false,
"edgeSendIntranetTrafficToInternetExplorer": false,
"edgeRequireSmartScreen": false,
"edgeEnterpriseModeSiteListLocation": null,
"edgeFirstRunUrl": null,
"edgeSearchEngine": null,
"edgeHomepageUrls": [
],
"edgeBlockAccessToAboutFlags": false,
"smartScreenBlockPromptOverride": false,
"smartScreenBlockPromptOverrideForFiles": false,
"webRtcBlockLocalhostIpAddress": false,
"internetSharingBlocked": false,
"settingsBlockAddProvisioningPackage": false,
"settingsBlockRemoveProvisioningPackage": false,
"settingsBlockChangeSystemTime": false,
"settingsBlockEditDeviceName": false,
"settingsBlockChangeRegion": false,
"settingsBlockChangeLanguage": false,
"settingsBlockChangePowerSleep": false,
"locationServicesBlocked": false,
"microsoftAccountBlocked": false,
"microsoftAccountBlockSettingsSync": false,
"nfcBlocked": false,
"resetProtectionModeBlocked": false,
"screenCaptureBlocked": false,
"storageBlockRemovableStorage": false,
"storageRequireMobileDeviceEncryption": false,
"usbBlocked": false,
"voiceRecordingBlocked": false,
"wiFiBlockAutomaticConnectHotspots": false,
"wiFiBlocked": false,
"wiFiBlockManualConfiguration": false,
"wiFiScanInterval": null,
"wirelessDisplayBlockProjectionToThisDevice": false,
"wirelessDisplayBlockUserInputFromReceiver": false,
"wirelessDisplayRequirePinForPairing": false,
"windowsStoreBlocked": false,
"appsAllowTrustedAppsSideloading": "notConfigured",
"windowsStoreBlockAutoUpdate": false,
"developerUnlockSetting": "notConfigured",
"sharedUserAppDataAllowed": false,
"appsBlockWindowsStoreOriginatedApps": false,
"windowsStoreEnablePrivateStoreOnly": false,
"storageRestrictAppDataToSystemVolume": false,
"storageRestrictAppInstallToSystemVolume": false,
"gameDvrBlocked": false,
"experienceBlockDeviceDiscovery": false,
"experienceBlockErrorDialogWhenNoSIM": false,
"experienceBlockTaskSwitcher": false,
"logonBlockFastUserSwitching": false,
"tenantLockdownRequireNetworkDuringOutOfBoxExperience": false,
"appManagementMSIAllowUserControlOverInstall": false,
"appManagementMSIAlwaysInstallWithElevatedPrivileges": false,
"dataProtectionBlockDirectMemoryAccess": false,
"appManagementPackageFamilyNamesToLaunchAfterLogOn": [
],
"uninstallBuiltInApps": false,
"configureTimeZone": null,
"networkProxyServer": {
"address": "127.0.0.2:8080",
"exceptions": [
"account.live.com",
"*.msft.net",
"*.msauth.net",
"*.msauthimages.net",
"*.msftauthimages.net",
"*.msftauth.net",
"*.azure.com",
"*.azure.net",
"*.azureedge.net",
"*.azurewebsites.net",
"*.microsoft.com",
"microsoft.com",
"*.windowsupdate.com",
"*.microsoftonline.com",
"*.microsoftonline.cn",
"*.microsoftonline-p.net",
"*.microsoftonline-p.com",
"*.windows.net",
"*.windows.com",
"*.windowsazure.com",
"*.windowsazure.cn",
"*.azure.cn",
"*.loganalytics.io",
"*.applicationinsights.io",
"*.vsassets.io",
"*.azure-automation.net",
"*.azure-api.net",
"*.azure-devices.net",
"*.visualstudio.com",
"portal.office.com",
"*.aspnetcdn.com",
"*.sharepointonline.com",
"*.msecnd.net",
"*.msocdn.com",
"*.webtrends.com",
"*.aka.ms",
"*.digicert.com",
"*.w3.org",
"*.phonefactor.net",
"*.nuget.org",
"*.cloudapp.net",
"*.trafficmanager.net",
"login.live.com",
"clientconfig.passport.net",
"windowsphone.com",
"*.wns.windows.com",
"*.s-microsoft.com",
"www.msftconnecttest.com",
"graph.windows.net",
"*.manage.microsoft.com",
"*.aadcdn.microsoftonline-p.com",
"*.azureafd.net",
"*.azuredatalakestore.net",
"*.windows-int.net",
"*.msocdn.com",
"*.msecnd.net",
"*.onestore.ms",
"*.aspnetcdn.com",
"*.office.net",
"*.officeapps.live.com",
"aka.ms",
"*.powershellgallery.com,i.imgur.com"
],
"useForLocalAddresses": false
},
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u0027b9672ea4-0ec3-40da-a911-65a554a75047\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10GeneralConfiguration/assignments",
"assignments": [
{
"id": "b9672ea4-0ec3-40da-a911-65a554a75047_bd1f65b9-891f-40ed-89c2-22433a98ea02",
"source": "direct",
"sourceId": "b9672ea4-0ec3-40da-a911-65a554a75047",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstations"
}
}
]
}
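Review bot: The last element of `networkProxyServer.exceptions`, `"*.powershellgallery.com,i.imgur.com"`, packs two hosts into a single array string with a comma, unlike every other one-host-per-element entry, so it is unlikely to be honoured as two separate bypass entries; it should be split into `"*.powershellgallery.com",` and `"i.imgur.com"`. Because this profile is named `PAW-Win10-URLLockProxy-UI` and points the proxy at the non-routable `127.0.0.2:8080`, the exception list is effectively the outbound allow-list for a privileged workstation, so an image host such as `i.imgur.com` sitting among Microsoft service endpoints deserves a short justification in the commit message or an accompanying note. The list also repeats `*.msocdn.com`, `*.msecnd.net` and `*.aspnetcdn.com`, which is harmless but suggests hand-merging; a sorted, de-duplicated list is easier to audit. `networkProxyApplySettingsDeviceWide` is `false`, which presumably scopes the proxy to the user rather than the device — confirm that is the intended scope for a lock-down proxy.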


@ -0,0 +1,972 @@
{
"@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
"id": "8de02515-78a7-4f98-9e0e-b5476228d2a3",
"lastModifiedDateTime": "2020-09-29T08:17:15.9268195Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-08-24T07:48:54.3302264Z",
"description": "Defender Firewall ruleset - including limited outbound ruleset",
"displayName": "PAW-Win10-Windows-Defender-Firewall-UI",
"version": 8,
"dmaGuardDeviceEnumerationPolicy": "deviceDefault",
"xboxServicesEnableXboxGameSaveTask": false,
"xboxServicesAccessoryManagementServiceStartupMode": "manual",
"xboxServicesLiveAuthManagerServiceStartupMode": "manual",
"xboxServicesLiveGameSaveServiceStartupMode": "manual",
"xboxServicesLiveNetworkingServiceStartupMode": "manual",
"localSecurityOptionsBlockMicrosoftAccounts": false,
"localSecurityOptionsBlockRemoteLogonWithBlankPassword": false,
"localSecurityOptionsDisableAdministratorAccount": false,
"localSecurityOptionsAdministratorAccountName": null,
"localSecurityOptionsDisableGuestAccount": false,
"localSecurityOptionsGuestAccountName": null,
"localSecurityOptionsAllowUndockWithoutHavingToLogon": false,
"localSecurityOptionsBlockUsersInstallingPrinterDrivers": false,
"localSecurityOptionsBlockRemoteOpticalDriveAccess": false,
"localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser": "notConfigured",
"localSecurityOptionsMachineInactivityLimit": null,
"localSecurityOptionsMachineInactivityLimitInMinutes": null,
"localSecurityOptionsDoNotRequireCtrlAltDel": false,
"localSecurityOptionsHideLastSignedInUser": false,
"localSecurityOptionsHideUsernameAtSignIn": false,
"localSecurityOptionsLogOnMessageTitle": null,
"localSecurityOptionsLogOnMessageText": null,
"localSecurityOptionsAllowPKU2UAuthenticationRequests": false,
"localSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool": false,
"localSecurityOptionsAllowRemoteCallsToSecurityAccountsManager": null,
"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients": "none",
"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers": "none",
"lanManagerAuthenticationLevel": "lmAndNltm",
"lanManagerWorkstationDisableInsecureGuestLogons": false,
"localSecurityOptionsClearVirtualMemoryPageFile": false,
"localSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn": false,
"localSecurityOptionsAllowUIAccessApplicationElevation": false,
"localSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations": false,
"localSecurityOptionsOnlyElevateSignedExecutables": false,
"localSecurityOptionsAdministratorElevationPromptBehavior": "notConfigured",
"localSecurityOptionsStandardUserElevationPromptBehavior": "notConfigured",
"localSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation": false,
"localSecurityOptionsDetectApplicationInstallationsAndPromptForElevation": false,
"localSecurityOptionsAllowUIAccessApplicationsForSecureLocations": false,
"localSecurityOptionsUseAdminApprovalMode": false,
"localSecurityOptionsUseAdminApprovalModeForAdministrators": false,
"localSecurityOptionsInformationShownOnLockScreen": "notConfigured",
"localSecurityOptionsInformationDisplayedOnLockScreen": "notConfigured",
"localSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees": false,
"localSecurityOptionsClientDigitallySignCommunicationsAlways": false,
"localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers": false,
"localSecurityOptionsDisableServerDigitallySignCommunicationsAlways": false,
"localSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees": false,
"localSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares": false,
"localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts": false,
"localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares": false,
"localSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange": false,
"localSecurityOptionsSmartCardRemovalBehavior": "lockWorkstation",
"defenderSecurityCenterDisableAppBrowserUI": false,
"defenderSecurityCenterDisableFamilyUI": false,
"defenderSecurityCenterDisableHealthUI": false,
"defenderSecurityCenterDisableNetworkUI": false,
"defenderSecurityCenterDisableVirusUI": false,
"defenderSecurityCenterDisableAccountUI": false,
"defenderSecurityCenterDisableClearTpmUI": false,
"defenderSecurityCenterDisableHardwareUI": false,
"defenderSecurityCenterDisableNotificationAreaUI": false,
"defenderSecurityCenterDisableRansomwareUI": false,
"defenderSecurityCenterDisableSecureBootUI": false,
"defenderSecurityCenterDisableTroubleshootingUI": false,
"defenderSecurityCenterDisableVulnerableTpmFirmwareUpdateUI": false,
"defenderSecurityCenterOrganizationDisplayName": null,
"defenderSecurityCenterHelpEmail": null,
"defenderSecurityCenterHelpPhone": null,
"defenderSecurityCenterHelpURL": null,
"defenderSecurityCenterNotificationsFromApp": "notConfigured",
"defenderSecurityCenterITContactDisplay": "notConfigured",
"windowsDefenderTamperProtection": "notConfigured",
"firewallBlockStatefulFTP": true,
"firewallIdleTimeoutForSecurityAssociationInSeconds": null,
"firewallPreSharedKeyEncodingMethod": "deviceDefault",
"firewallIPSecExemptionsNone": false,
"firewallIPSecExemptionsAllowNeighborDiscovery": false,
"firewallIPSecExemptionsAllowICMP": false,
"firewallIPSecExemptionsAllowRouterDiscovery": false,
"firewallIPSecExemptionsAllowDHCP": false,
"firewallCertificateRevocationListCheckMethod": "deviceDefault",
"firewallMergeKeyingModuleSettings": null,
"firewallPacketQueueingMethod": "deviceDefault",
"defenderAdobeReaderLaunchChildProcess": "userDefined",
"defenderAttackSurfaceReductionExcludedPaths": [
],
"defenderOfficeAppsOtherProcessInjectionType": "userDefined",
"defenderOfficeAppsOtherProcessInjection": "userDefined",
"defenderOfficeCommunicationAppsLaunchChildProcess": "userDefined",
"defenderOfficeAppsExecutableContentCreationOrLaunchType": "userDefined",
"defenderOfficeAppsExecutableContentCreationOrLaunch": "userDefined",
"defenderOfficeAppsLaunchChildProcessType": "userDefined",
"defenderOfficeAppsLaunchChildProcess": "userDefined",
"defenderOfficeMacroCodeAllowWin32ImportsType": "userDefined",
"defenderOfficeMacroCodeAllowWin32Imports": "userDefined",
"defenderScriptObfuscatedMacroCodeType": "userDefined",
"defenderScriptObfuscatedMacroCode": "userDefined",
"defenderScriptDownloadedPayloadExecutionType": "userDefined",
"defenderScriptDownloadedPayloadExecution": "userDefined",
"defenderPreventCredentialStealingType": "userDefined",
"defenderProcessCreationType": "userDefined",
"defenderProcessCreation": "userDefined",
"defenderUntrustedUSBProcessType": "userDefined",
"defenderUntrustedUSBProcess": "userDefined",
"defenderUntrustedExecutableType": "userDefined",
"defenderUntrustedExecutable": "userDefined",
"defenderEmailContentExecutionType": "userDefined",
"defenderEmailContentExecution": "userDefined",
"defenderAdvancedRansomewareProtectionType": "userDefined",
"defenderGuardMyFoldersType": "userDefined",
"defenderGuardedFoldersAllowedAppPaths": [
],
"defenderAdditionalGuardedFolders": [
],
"defenderNetworkProtectionType": "userDefined",
"defenderExploitProtectionXml": null,
"defenderExploitProtectionXmlFileName": null,
"defenderSecurityCenterBlockExploitProtectionOverride": false,
"appLockerApplicationControl": "notConfigured",
"deviceGuardLocalSystemAuthorityCredentialGuardSettings": "notConfigured",
"deviceGuardEnableVirtualizationBasedSecurity": false,
"deviceGuardEnableSecureBootWithDMA": false,
"deviceGuardSecureBootWithDMA": "notConfigured",
"deviceGuardLaunchSystemGuard": "notConfigured",
"smartScreenEnableInShell": false,
"smartScreenBlockOverrideForFiles": false,
"applicationGuardEnabled": false,
"applicationGuardEnabledOptions": "notConfigured",
"applicationGuardBlockFileTransfer": "notConfigured",
"applicationGuardBlockNonEnterpriseContent": false,
"applicationGuardAllowPersistence": false,
"applicationGuardForceAuditing": false,
"applicationGuardBlockClipboardSharing": "notConfigured",
"applicationGuardAllowPrintToPDF": false,
"applicationGuardAllowPrintToXPS": false,
"applicationGuardAllowPrintToLocalPrinters": false,
"applicationGuardAllowPrintToNetworkPrinters": false,
"applicationGuardAllowVirtualGPU": false,
"applicationGuardAllowFileSaveOnHost": false,
"bitLockerAllowStandardUserEncryption": false,
"bitLockerDisableWarningForOtherDiskEncryption": false,
"bitLockerEnableStorageCardEncryptionOnMobile": false,
"bitLockerEncryptDevice": false,
"bitLockerRecoveryPasswordRotation": "notConfigured",
"defenderDisableScanArchiveFiles": null,
"defenderAllowScanArchiveFiles": null,
"defenderDisableBehaviorMonitoring": null,
"defenderAllowBehaviorMonitoring": null,
"defenderDisableCloudProtection": null,
"defenderAllowCloudProtection": null,
"defenderEnableScanIncomingMail": null,
"defenderEnableScanMappedNetworkDrivesDuringFullScan": null,
"defenderDisableScanRemovableDrivesDuringFullScan": null,
"defenderAllowScanRemovableDrivesDuringFullScan": null,
"defenderDisableScanDownloads": null,
"defenderAllowScanDownloads": null,
"defenderDisableIntrusionPreventionSystem": null,
"defenderAllowIntrusionPreventionSystem": null,
"defenderDisableOnAccessProtection": null,
"defenderAllowOnAccessProtection": null,
"defenderDisableRealTimeMonitoring": null,
"defenderAllowRealTimeMonitoring": null,
"defenderDisableScanNetworkFiles": null,
"defenderAllowScanNetworkFiles": null,
"defenderDisableScanScriptsLoadedInInternetExplorer": null,
"defenderAllowScanScriptsLoadedInInternetExplorer": null,
"defenderBlockEndUserAccess": null,
"defenderAllowEndUserAccess": null,
"defenderScanMaxCpuPercentage": null,
"defenderCheckForSignaturesBeforeRunningScan": null,
"defenderCloudBlockLevel": null,
"defenderCloudExtendedTimeoutInSeconds": null,
"defenderDaysBeforeDeletingQuarantinedMalware": null,
"defenderDisableCatchupFullScan": null,
"defenderDisableCatchupQuickScan": null,
"defenderEnableLowCpuPriority": null,
"defenderFileExtensionsToExclude": [
],
"defenderFilesAndFoldersToExclude": [
],
"defenderProcessesToExclude": [
],
"defenderPotentiallyUnwantedAppAction": null,
"defenderScanDirection": null,
"defenderScanType": null,
"defenderScheduledQuickScanTime": null,
"defenderScheduledScanDay": null,
"defenderScheduledScanTime": null,
"defenderSignatureUpdateIntervalInHours": null,
"defenderSubmitSamplesConsentType": null,
"defenderDetectedMalwareActions": null,
"firewallRules": [
{
"displayName": "World Wide Web Services (HTTPS Traffic-out)",
"description": "An outbound rule to allow HTTPS traffic for Internet traffic",
"packageFamilyName": null,
"filePath": null,
"serviceName": null,
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"443"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "public",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "World Wide Web Services (HTTP Traffic-out)",
"description": "An outbound rule to allow HTTPS traffic for Internet traffic",
"packageFamilyName": null,
"filePath": null,
"serviceName": null,
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"80"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "public",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)",
"description": "Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
"546"
],
"remotePortRanges": [
"547"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out)",
"description": "Allows DHCPV6 (Dynamic Host Configuration Protocol for IPv6) messages for stateful and stateless configuration.",
"packageFamilyName": null,
"filePath": null,
"serviceName": "Dhcp",
"protocol": 17,
"localPortRanges": [
"546"
],
"remotePortRanges": [
"547"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)",
"description": "Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
"68"
],
"remotePortRanges": [
"67"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - Dynamic Host Configuration Protocol (DHCP-Out)",
"description": "Allows DHCP (Dynamic Host Configuration Protocol) messages for stateful auto-configuration.",
"packageFamilyName": null,
"filePath": null,
"serviceName": "Dhcp",
"protocol": 17,
"localPortRanges": [
"68"
],
"remotePortRanges": [
"67"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - DNS (UDP-Out)",
"description": "An outbound rule to allow DNS traffic for name resolution",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
],
"remotePortRanges": [
"53"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - DNS (UDP-Out)",
"description": "An outbound rule to allow DNS traffic for name resolution",
"packageFamilyName": null,
"filePath": null,
"serviceName": "Dnscache",
"protocol": 17,
"localPortRanges": [
],
"remotePortRanges": [
"53"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "NCSI Probe (HTTP-Out)",
"description": "NCSI Probe for network type determination",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"80"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "NCSI Probe (HTTP-Out)",
"description": "NCSI Probe for network type determination",
"packageFamilyName": null,
"filePath": null,
"serviceName": "NlaSvc",
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"80"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Windows Time (UDP-Out)",
"description": null,
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
],
"remotePortRanges": [
"123"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Windows Time (UDP-Out)",
"description": null,
"packageFamilyName": null,
"filePath": null,
"serviceName": "W32Time",
"protocol": 17,
"localPortRanges": [
],
"remotePortRanges": [
"123"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Delivery Optimization (TCP-In)",
"description": "Inbound rule to allow Delivery Optimization to connect to remote endpoints",
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 6,
"localPortRanges": [
"7680"
],
"remotePortRanges": [
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "in",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Delivery Optimization (TCP-In)",
"description": "Inbound rule to allow Delivery Optimization to connect to remote endpoints",
"packageFamilyName": null,
"filePath": null,
"serviceName": "DoSvc",
"protocol": 6,
"localPortRanges": [
"7680"
],
"remotePortRanges": [
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "in",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - DNS (TCP-Out)",
"description": null,
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"53"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Core Networking - DNS (TCP-Out)",
"description": null,
"packageFamilyName": null,
"filePath": null,
"serviceName": "DNSCache",
"protocol": 6,
"localPortRanges": [
],
"remotePortRanges": [
"53"
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "out",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Delivery Optimization (UDP-In)",
"description": null,
"packageFamilyName": null,
"filePath": "%SystemRoot%\\system32\\svchost.exe",
"serviceName": null,
"protocol": 17,
"localPortRanges": [
"7680"
],
"remotePortRanges": [
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "in",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
},
{
"displayName": "Delivery Optimization (UDP-In)",
"description": null,
"packageFamilyName": null,
"filePath": null,
"serviceName": "DoSvc",
"protocol": 17,
"localPortRanges": [
"7680"
],
"remotePortRanges": [
],
"localAddressRanges": [
],
"remoteAddressRanges": [
],
"profileTypes": "notConfigured",
"action": "allowed",
"trafficDirection": "in",
"interfaceTypes": "notConfigured",
"edgeTraversal": "notConfigured",
"localUserAuthorizations": null
}
],
"userRightsAccessCredentialManagerAsTrustedCaller": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsAllowAccessFromNetwork": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsBlockAccessFromNetwork": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsActAsPartOfTheOperatingSystem": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLocalLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDenyLocalLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsBackupData": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsChangeSystemTime": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateGlobalObjects": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreatePageFile": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreatePermanentSharedObjects": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateSymbolicLinks": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateToken": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDebugPrograms": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRemoteDesktopServicesLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDelegation": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsGenerateSecurityAudits": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsImpersonateClient": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsIncreaseSchedulingPriority": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLoadUnloadDrivers": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLockMemory": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsManageAuditingAndSecurityLogs": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsManageVolumes": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsModifyFirmwareEnvironment": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsModifyObjectLabels": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsProfileSingleProcess": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRemoteShutdown": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRestoreData": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsTakeOwnership": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"firewallProfileDomain": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": true,
"outboundConnectionsBlocked": false,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"firewallProfilePublic": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": false,
"outboundConnectionsBlocked": true,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"firewallProfilePrivate": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": false,
"outboundConnectionsBlocked": true,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"bitLockerSystemDrivePolicy": {
"encryptionMethod": null,
"startupAuthenticationRequired": false,
"startupAuthenticationBlockWithoutTpmChip": false,
"startupAuthenticationTpmUsage": "blocked",
"startupAuthenticationTpmPinUsage": "blocked",
"startupAuthenticationTpmKeyUsage": "blocked",
"startupAuthenticationTpmPinAndKeyUsage": "blocked",
"minimumPinLength": null,
"recoveryOptions": null,
"prebootRecoveryEnableMessageAndUrl": false,
"prebootRecoveryMessage": null,
"prebootRecoveryUrl": null
},
"bitLockerFixedDrivePolicy": {
"encryptionMethod": null,
"requireEncryptionForWriteAccess": false,
"recoveryOptions": null
},
"bitLockerRemovableDrivePolicy": {
"encryptionMethod": null,
"requireEncryptionForWriteAccess": false,
"blockCrossOrganizationWriteAccess": false
},
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u00279218cdda-e28d-451e-96c6-1e6b9a9f292d\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/assignments",
"assignments": [
{
"id": "9218cdda-e28d-451e-96c6-1e6b9a9f292d_bd1f65b9-891f-40ed-89c2-22433a98ea02",
"source": "direct",
"sourceId": "9218cdda-e28d-451e-96c6-1e6b9a9f292d",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Privileged Workstations"
}
}
]
}


@ -0,0 +1,83 @@
[
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('06b9c400-f1ed-4046-b8cb-02af3ae8e38d')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('75c20a0b-f76e-4131-892a-1f47dd6534e4')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "2",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('75c20a0b-f76e-4131-892a-1f47dd6534e4')/presentations('6f605b7e-ca35-4f6a-b616-0cf85f5e9580')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('59922037-5107-4eaf-a72f-249a73c08d16')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('6189eace-13bd-435e-b438-2f38495bf9cc')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('1a52c714-6ece-45d2-a8a9-505f97bdec1b')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueList",
"values": [
{
"name": "*",
"value": null
}
],
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('1a52c714-6ece-45d2-a8a9-505f97bdec1b')/presentations('75f2a4b4-fa3d-4acc-bbba-6a120e2ef96e')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('270e643f-a1dd-49eb-8365-8292e9d6c7f7')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('fdfedea9-c9d1-4109-9b59-883cfe2d861a')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "ntlm,negotiate",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('fdfedea9-c9d1-4109-9b59-883cfe2d861a')/presentations('e6b8ffac-8e06-4a30-95c6-cec2dfc1a08f')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('bc6a79f3-77d4-462c-9924-8ea74dc34386')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('ccfd2123-ff05-4680-a4eb-ab2790b6d6ed')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('6f317cd9-3683-476b-adea-b93eb74e07c1')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('7f7e757c-1137-4e59-8cd1-cb51ca6896c0')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "tls1.2",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('7f7e757c-1137-4e59-8cd1-cb51ca6896c0')/presentations('10ecdc74-5985-4f1e-9308-ceadffe422ff')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('f9de5937-2ff5-4c34-a5ec-d0d997787b68')",
"enabled": "true"
}
]

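--- a/PAW/MasterScript PAW.ps1
+++ b/PAW/MasterScript PAW.ps1
@@ -0,0 +1,126 @@
+<#
+.COPYRIGHT
+Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
+See LICENSE in the project root for license information.
+#>
+# Determine script location for PowerShell
+$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
+Function Set-AADAuth {
+<#
+.SYNOPSIS
+This function is used to authenticate with the Azure AD interface
+.DESCRIPTION
+The function authenticate with the Azure AD Interface with the tenant name
+.EXAMPLE
+Set-AADAuth
+Authenticates you with the Azure AD interface
+.NOTES
+NAME: Set-AADAuth
+#>
+[cmdletbinding()]
+param
+(
+#[Parameter(Mandatory=$true)]
+$User
+)
+Write-Host "Checking for AzureAD module..."
+$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
+if ($AadModule -eq $null) {
+write-host
+write-host "AzureAD Powershell module not installed..." -f Red
+write-host "Attempting module install now" -f Red
+Install-Module -Name AzureADPreview -AllowClobber -Force
+#write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
+#write-host "Script can't continue..." -f Red
+write-host
+#exit
+}
+Connect-AzureAD -AccountId $user | Out-Null
+}
+####################################################
+$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
+Set-AADAuth -user $user
+####################################################
+#write-host "Adding App Registrtion"
+#. $ScriptDir/AppRegistration_Create.ps1
+#Start-Sleep -s 5
+#write-host "Adding required AAD Groups"
+# . $ScriptDir/AADGroups_Create.ps1
+#write-host "Adding AAD Group Membership"
+# . $ScriptDir/AADGroupMemberships_Add.ps1
+# Start-Sleep -s 5
+#write-host "Adding Named Locations"
+#. $ScriptDir/NamedLocations_Import.ps1 -user $user
+#Start-Sleep -s 5
+#write-host "Adding Conditional Access Policies"
+#. $ScriptDir/CA-Policies-Import_PAW.ps1 -State "Disabled"
+#Start-Sleep -s 5
+write-host "Adding Device Configuration Profiles"
+. $ScriptDir/Import-PAW-DeviceConfiguration.ps1
+#Start-Sleep -s 5
+write-host "Adding Device Compliance Policies"
+. $ScriptDir/Import-PAW-DeviceCompliancePolicies.ps1
+Start-Sleep -s 5
+write-host "Adding Update Rings Policy"
+. $ScriptDir/Import-PAW-DeviceConfigurationADMX.ps1
+Start-Sleep -s 5
+#write-host "Adding Enrollment Status Page"
+#. $ScriptDir/ESP_Import.ps1
+#Start-Sleep -s 5
+#write-host "Adding AutoPilot Profile"
+#. $ScriptDir/AutoPilot_Import.ps1
+#Start-Sleep -s 5
+#write-host "Adding Device Enrollment Restrictions"
+#. $ScriptDir/DER-Import_PAW.ps1
+#Start-Sleep -s 5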
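Review bot: If `Install-Module -Name AzureADPreview -AllowClobber -Force` in Set-AADAuth fails (no gallery access, non-elevated session), execution falls through to `Connect-AzureAD -AccountId $user` because the `exit` on the line below it is commented out, so the failure only surfaces later as an unrelated command-not-found error. Make the install fatal and re-verify the module, e.g. `Install-Module -Name AzureADPreview -AllowClobber -Force -ErrorAction Stop` followed by `Import-Module AzureADPreview -ErrorAction Stop`. Installing from the gallery with `-Force` and no version pin also means each run trusts whatever version the gallery currently serves; adding `-RequiredVersion <PINNED_VERSION>` (placeholder, to be chosen) and `-Scope CurrentUser` makes the dependency reproducible and removes the need for an elevated session. With `[Parameter(Mandatory=$true)]` on `$User` commented out, an empty Read-Host answer is passed straight to `Connect-AzureAD` instead of being rejected up front.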

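--- a/PAW/Readme.md
+++ b/PAW/Readme.md
@@ -0,0 +1,80 @@
+# Privileged Profile configuration
+The scripts for configuring the Privileged security baseline are located in this folder.
+Before the scripts can be run install Azure AD powershell module on your device
+```powershell
+Import-Module AzureAD -force
+```
+and allow scripts to run on your device;
+```powershell
+Set-ExecutionPolicy remotesigned
+```
+[**MasterScript_PAW.PS1**](MasterScript-PAW.ps1) - This script is used to import the Compliance policies, Configuration profiles used to apply the Privileged Profile settings
+To import the Privileged Profile configuration settings into your tenant
+Open powershell console
+Navigate to PAW folder in Repo
+```powershell
+.\MasterScript-PAW.ps1
+```
+PAWer **username** and **password** of an account that has Intune Administrator (preferred) or Global Admin privilege
+Wait for the import process to complete.
+The MasterScript_PAW.ps1 file calls the following scripts to import the Compliance Policies, Configuration Profiles
+[**Import-PAW-DeviceCompliancePolicies.ps1**](Import-PAW-DeviceCompliancePolicies.ps1) - This scripts imports the three device compliance policies for the Privileged profile. Three policies are used to ensure that Conditional Access does not prevent a user from being able to access resources. Refer to [Windows 10 and later settings to mark devices as compliant or not compliant using Intune](https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows)
+1. [Privileged Compliance ATP](JSON/DeviceCompliance/PAW-Compliance-ATP.json) policy is used to feed the Threat Intelligence data from Microsoft Defender for Endpoint into the devices compliance state so its signals can be used as part of the Conditional Access evaluation process.
+2. [Privileged Compliance Delayed](JSON/DeviceCompliance/PAW-Compliance-Delayed.json) policy applies a more complete set of compliance settings to the device but its application is delayed by 24 hours. this is because the device health attestation that is required to assess policies like BitLocker and Secure Boot is only calculated once a device has rebooted and then might take a number of hours to process whether the device is compliant or not.
+3. [Privileged-Compliance-Immediate](JSON/DeviceCompliance/PAW-Compliance-Immediate.json) policy is used to apply a minimum level of compliance to users and is configured to apply immediately.
+[**Import-PAW-DeviceConfiguration.ps1**](Import-PAW-DeviceConfiguration.ps1) - this script is used to import the Device Configuration profiles that harden the Operating System. there are five profiles used:
+1. [Privileged-Config-Win10-Custom-CSP](JSON/DeviceConfiguration/Privileged-Config-Win10-Custom-CSP_17-11-2020-17-00-43.json) Applies configuration service provider (CSP) settings that are not available in the Endpoint Manager UI, refer to [Configuration service provider reference](https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference) for the complete list of the CSP settings available.
+2. [Privileged-Config-Win10-Device-Restrictions-UI](JSON/DeviceConfiguration/Privileged-Config-Win10-Device-Restrictions-UI_17-11-2020-17-00-43.json) applies settings that restrict cloud account use, configure password policy, Microsoft Defender SmartScreen, Microsoft Defender Antivirus. Refer to [Windows 10 (and newer) device settings to allow or restrict features using Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10) for more details of the settings applied using the profile.
+3. [Privileged-Config-Win10-Endpoint-Protection-UI](JSON/DeviceConfiguration/Privileged-Config-Win10-Endpoint-Protection-UI_17-11-2020-17-00-43.json) applies settings that are used to protect devices in endpoint protection configuration profiles including BitLocker, Device Guard, Microsoft Defender Firewall, Microsoft Defender Exploit Guard, refer to [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json) for more details of the settings applied using the profile.
+4. [Privileged-Config-Win10-Identity-Protection-UI](JSON/DeviceConfiguration/Privileged-Config-Win10-Identity-Protection-UI_17-11-2020-17-00-43.json) applies the Windows Hello for Business settings to devices, refer to [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json) for more details of the settings applied using the profile.
+5. [PAW-Win10-URLLockProxy-UI](JSON/DeviceConfiguration/PAW-Win10-URLLockProxy-UI_25-11-2020-17-42-13.json) applies the restrictive URL Lock policy to limit the web sites that PAW devices can connect to.
+6. [PAW-Win10-AppLocker-Custom-CSP](JSON/DeviceConfiguration/PAW-Win10-AppLocker-Custom-CSP_25-11-2020-17-42-11.json) applies the Restricted Execution Model policies in enforced mode. The AppLocker configuration is configured to allow applications to run under C:\Program Files, C:\Program Files (x86) and C:\Windows, with user writable paths under blocked. the characteristics for the AppLocker approach is:
+* Assumption is that users are non-privileged users.
+* Wherever a user can write they are blocked from executing
+* Wherever a user can execute they are blocked from writing
+7. [PAW-Win10-Windows-Defender-Firewall-UI](JSON/DeviceConfiguration/PAW-Win10-Windows-Defender-Firewall-UI_29-09-2020-9-50-21.json) applies a Firewall policy that has the following characteristics - all inbound traffic is blocked including locally defined rules the policy includes two rules to allow Delivery Optimization to function as designed. Outbound traffic is also blocked apart from explicit rules that allow DNS, DHCP, NTP, NSCI, HTTP, and HTTPS traffic. This configuration not only reduces the attack surface presented by the device to the network it limits the outbound connections that the device can establish to only those connections required to administer cloud services.
+| Rule | Direction | Action | Application / Service | Protocol | Local Ports | Remote Ports |
+| --- | --- | --- | --- | --- | --- | --- |
+| World Wide Web Services (HTTP Traffic-out) | Outbound | Allow | All | TCP | All ports | 80 |
+| World Wide Web Services (HTTPS Traffic-out) | Outbound | Allow | All | TCP | All ports | 443 |
+| Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 546| 547 |
+| Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCPV6-Out) | Outbound | Allow | Dhcp | TCP | 546| 547 |
+| Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 68 | 67 |
+| Core Networking - Dynamic Host Configuration Protocol for IPv6(DHCP-Out) | Outbound | Allow | Dhcp | TCP | 68 | 67 |
+| Core Networking - DNS (UDP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | UDP | All Ports | 53 |
+| Core Networking - DNS (UDP-Out) | Outbound | Allow | Dnscache | UDP | All Ports | 53 |
+| Core Networking - DNS (TCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All Ports | 53 |
+| Core Networking - DNS (TCP-Out) | Outbound | Allow | Dnscache | TCP | All Ports | 53 |
+| NSCI Probe (TCP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All ports | 80 |
+| NSCI Probe - DNS (TCP-Out) | Outbound | Allow | NlaSvc | TCP | All ports | 80 |
+| Windows Time (UDP-Out) | Outbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | All ports | 80 |
+| Windows Time Probe - DNS (UDP-Out) | Outbound | Allow | W32Time | UDP | All ports | 123 |
+| Delivery Optimization (TCP-In) | Inbound | Allow | %SystemRoot%\system32\svchost.exe | TCP | 7680 | All ports |
+| Delivery Optimization (TCP-In) | Inbound | Allow | DoSvc | TCP | 7680 | All ports |
+| Delivery Optimization (UDP-In) | Inbound | Allow | %SystemRoot%\system32\svchost.exe | UDP | 7680 | All ports |
+| Delivery Optimization (UDP-In) | Inbound | Allow | DoSvc | UDP | 7680 | All ports |
+> [!NOTE]
+> There are two rules defined for each rule in the Microsoft Defender Firewall configuration. To restrict the inbound and outbound rules to Windows Services, e.g. DNS Client, both the service name, DNSCache, and the executable path, C:\Windows\System32\svchost.exe, need to be defined as separate rule rather than a single rule that is possible using Group Policy.
+[**Import-PAW-DeviceConfigurationADMX.ps1**](JSON/DeviceConfigurationADMX/Privileged-Edge%20Version%2085%20-%20Computer.json) this script is used to import the Device Configuration ADMX Template profile that configures Microsoft Edge security settings.
+1. [Privileged-Edge Version 85 - Computer](JSON/DeviceConfigurationADMX/Privileged-Edge%20Version%2085%20-%20Computer.json) applies administrative policies that control features in Microsoft Edge version 77 and later, refer to [Microsoft Edge - Policies](https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies) or more details of the settings applied using the profile.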


@ -0,0 +1,385 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$script:ScriptName = $myInvocation.MyCommand.Name
$script:ScriptName = $scriptName.Substring(0, $scriptName.Length - 4)
$script:LogName = $scriptName + "_" + (Get-Date -UFormat "%d-%m-%Y")
$script:logFile = "$env:Temp\$LogName.log"
Function Start-Log {
param (
[string]$FilePath,
[Parameter(HelpMessage = 'Deletes existing file if used with the -DeleteExistingFile switch')]
[switch]$DeleteExistingFile
)
Try {
If (!(Test-Path $FilePath)) {
## Create the log file
New-Item $FilePath -Type File -Force | Out-Null
}
If ($DeleteExistingFile) {
Remove-Item $FilePath -Force
}
## Set the global variable to be used as the FilePath for all subsequent Write-Log
## calls in this session
$script:ScriptLogFilePath = $FilePath
}
Catch {
Write-Error $_.Exception.Message
}
}
####################################################
Function Write-Log {
#Write-Log -Message 'warning' -LogLevel 2
#Write-Log -Message 'Error' -LogLevel 3
param (
[Parameter(Mandatory = $true)]
[string]$Message,
[Parameter()]
[ValidateSet(1, 2, 3)]
[int]$LogLevel = 1,
[Parameter(HelpMessage = 'Outputs message to Event Log,when used with -WriteEventLog')]
[switch]$WriteEventLog
)
Write-Host
Write-Host $Message
Write-Host
$TimeGenerated = "$(Get-Date -Format HH:mm:ss).$((Get-Date).Millisecond)+000"
$Line = '<![LOG[{0}]LOG]!><time="{1}" date="{2}" component="{3}" context="" type="{4}" thread="" file="">'
$LineFormat = $Message, $TimeGenerated, (Get-Date -Format MM-dd-yyyy), "$($MyInvocation.ScriptName | Split-Path -Leaf):$($MyInvocation.ScriptLineNumber)", $LogLevel
$Line = $Line -f $LineFormat
Add-Content -Value $Line -Path $ScriptLogFilePath
If ($WriteEventLog) { Write-EventLog -LogName $EventLogName -Source $EventLogSource -Message $Message -Id 100 -Category 0 -EntryType Information }
}
Function Is-VM {
<#
.SYNOPSIS
This function checks WMI to determine if the device is a VM
.DESCRIPTION
This function checks WMI to determine if the device is a VM
.EXAMPLE
Is-VM
This function checks WMI to determine if the device is a VM
.NOTES
NAME: Is-VM
#>
[CmdletBinding()]
Param ()
Begin {
Write-Log -Message "$($MyInvocation.InvocationName) function..."
}
Process {
Write-Log -Message "Checking WMI class: Win32_ComputerSystem for string: *virtual*"
Try {
$ComputerSystemInfo = Get-CIMInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
#$ComputerSystemInfo
if ($ComputerSystemInfo.Model -like "*virtual*") {
Write-Log -Message "Virtual string detected"
$True
}
else {
Write-Log -Message "Virtual string not found"
$False
}
}
Catch [Exception] {
Write-Log -Message "Error occurred: $($_.Exception.message)"
Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
}
}
End {
Write-Log -Message "Ending: $($MyInvocation.Mycommand)"
}
}
Start-Log -FilePath $logFile -DeleteExistingFile
Write-Host
Write-Host "Script log file path is [$logFile]" -ForegroundColor Cyan
Write-Host
#region IsVM
If (Is-VM) {
Write-Log -Message "Machine is a VM"
}
Else {
Write-Host "Machine is a physical device"
#Enable Hibernate
Write-Log -Message "Enabling Hibernation"
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/HIBERNATE"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
Try {
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Explorer -Name ShowHibernateOption -Value 1 -PropertyType DWORD -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to apply ShowHibernate regkey: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change hibernate-timeout-ac 300"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate ac timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change hibernate-timeout-dc 30"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate dc timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change standby-timeout-ac 60"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable standby ac timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
Write-Log -Message 'Show Hibernate option in Shutdown Menu'
$registryPath = "HKLM:\Software\Policies\Microsoft\Windows\Explorer"
$regProperties = @{
Name = 'ShowHibernateOption'
Value = '1'
PropertyType = 'DWORD'
ErrorAction = 'Stop'
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished changing registry"
}
}
#endregion IsVM
#region Configure AppLocker DLL rule registry key
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Srp\Gp\DLL\2"
Write-Log -Message "Create registry path: $registryPath"
Try {
$Null = New-Item -Path $registryPath -Force
}
Catch {
Write-Log -Message "Error changing AppLocker DLL rule registry key: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished changing AppLocker DLL rule registry key"
}
#endregion Configure AppLocker DLL rule registry key
#region Configure additional Defender for Endpoint security recommendations that cannot be set in Configuration Profiles
#Handle registry changes
Write-Log -Message "Configuring additional Defender for Endpoint security recommendations that cannot be set in Configuration Profiles"
# Require users to elevate when setting a network's location - prevent changing from Public to Private firewall profile
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name NC_StdDomainUserSetLocation -Value 1 -PropertyType DWORD -Force
Write-Log -Message "Require users to elevate when setting a network's location - prevent changing from Public to Private firewall profile registry update successfully applied"
# Prevent saving of network credentials
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DisableDomainCreds -Value 1 -PropertyType DWORD -Force
Write-Log -Message "Prevent saving of network credentials registry update successfully applied"
# Prevent changing proxy config
#region Disable Network Location Wizard - prevents users from setting network location as Private and therefore increasing the attack surface exposed in Windows Firewall
#region Disable Network Location Wizard
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Network"
$regProperties = @{
Name = "NewNetworkWindowOff"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Host "Finished Disable Network Location Wizard in registry"
}
#endregion Disable Network Location Wizard
#region Remove Powershell 2.0
try {
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop
Write-Log -Message "Removed Powershell v2.0"
}
catch {
Write-Log -Message "Error occurred trying to remove Powershell v2.0: $($_.Exception.message)"
}
#endregion Remove Powershell 2.0
#region Remove WorkFolders-Client
try {
Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -ErrorAction Stop
Write-Log -Message "Removed WorkFolders"
}
catch {
Write-Log -Message "Failed to remove WorkFolders"
Write-Log -Message "Error occurred trying to remove Powershell v2.0: $($_.Exception.message)"
}
#endregion Remove WorkFolders-Client
#region Remove XPS Printing
try {
Disable-WindowsOptionalFeature -Online -FeatureName Printing-XPSServices-Features -ErrorAction Stop
Write-Log -Message "Removed XPS Printing"
}
catch {
Write-Log -Message "Error occurred trying to remove XPS Printing: $($_.Exception.message)"
}
#endregion Remove XPS Printing
#region Remove WindowsMediaPlayer
try {
Disable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -ErrorAction Stop
Write-Log -Message "Removed Windows Media Player"
}
catch {
Write-Log -Message "Error occurred trying to remove Windows Media Player: $($_.Exception.message)"
}
#endregion Remove WindowsMediaPlayer
#region RegistryChanges - Set W32Time Parameter Type to NTP
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
$regProperties = @{
Name = "Type"
Value = "NTP"
PropertyType = "String"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
Write-Log -Message "Updated Set W32Time Parameter Type to NTP in registry"
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished Set W32Time Parameter Type to NTP"
}
#endregion RegistryChanges - Set W32Time Parameter Type to NTP
#region RegistryChanges - Set Auto Time Sync Service to Automatic start
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate"
$regProperties = @{
Name = "Start"
Value = "3"
PropertyType = "DWORD"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
Write-Log -Message "Set Auto Time Sync Service to Automatic start in registry"
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Set Auto Time Sync Service to Automatic start"
}
#endregion RegistryChanges - Set Auto Time Sync Service to Automatic start
#region Remove Internet Explorer 11
try {
Disable-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64 -NoRestart #-ErrorAction Stop
Write-Log -Message "Removed Internet Explorer 11"
}
catch {
Write-Log -Message "Error occurred trying to remove Internet Explorer 11: $($_.Exception.message)"
}
Finally {
Write-Log -Message "Finished removing Internet Explorer"
}
#endregion Remove Internet Explorer 11


@ -0,0 +1,635 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceCompliance"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if($AadModule.count -gt 1){
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if($AadModule.count -gt 1){
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceCompliancePolicy(){
<#
.SYNOPSIS
This function is used to add a device compliance policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device compliance policy
.EXAMPLE
Add-DeviceCompliancePolicy -JSON $JSON
Adds an iOS device compliance policy in Intune
.NOTES
NAME: Add-DeviceCompliancePolicy
#>
[cmdletbinding()]
param
(
$JSON
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceCompliancePolicies"
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the iOS Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-DeviceCompliancePolicy(){
<#
.SYNOPSIS
This function is used to get device compliance policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device compliance policies
.EXAMPLE
Get-DeviceCompliancePolicy
Returns any device compliance policies configured in Intune
.EXAMPLE
Get-DeviceCompliancePolicy -Name
Returns any device compliance policies with specific display name
.NOTES
NAME: Get-DeviceCompliancePolicy
#>
[cmdletbinding()]
param
(
$Name
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceCompliancePolicies"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'@odata.type').contains("windows10CompliancePolicy") -and ($_.'displayName').contains($Name) }
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceCompliancePolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device compliance policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device compliance policy assignment
.EXAMPLE
Add-DeviceCompliancePolicyAssignment -ComplianceAssignments $ComplianceAssignments -CompliancePolicyId $CompliancePolicyId
Adds a device compliance policy assignment in Intune
.NOTES
NAME: Add-DeviceCompliancePolicyAssignment
#>
[cmdletbinding()]
param
(
$CompliancePolicyId,
$ComplianceAssignments
)
$graphApiVersion = "v1.0"
$Resource = "deviceManagement/deviceCompliancePolicies/$CompliancePolicyId/assign"
try {
if(!$CompliancePolicyId){
write-host "No Compliance Policy Id specified, specify a valid Compliance Policy Id" -f Red
break
}
if(!$ComplianceAssignments){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
$JSON = @"
{
"Assignments": [
$ComplianceAssignments
]
}
"@
Write-Output $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON(){
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
Foreach-object {
$JSON_Data = Get-Content $_.FullName | where { $_ -notmatch "scheduledActionConfigurations@odata.context"}
# Excluding entries that are not required - id,createdDateTime,lastModifiedDateTime,version
$JSON_Convert = $JSON_Data | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty id,createdDateTime,lastModifiedDateTime,scheduledActionsForRule@odata.context
$DisplayName = $JSON_Convert.displayName
$DuplicateDCP = Get-DeviceCompliancePolicy -Name $JSON_Convert.displayName
#write-host $DuplicateCA
If ($DuplicateDCP -eq $null) {
$JSON_Output = $JSON_Convert | ConvertTo-Json -Depth 10
# Adding Scheduled Actions Rule to JSON
#$scheduledActionsForRule = '"scheduledActionsForRule":[{"ruleName":"PasswordRequired","scheduledActionConfigurations":[{"actionType":"block","gracePeriodHours":0,"notificationTemplateId":"","notificationMessageCCList":[]}]}]'
#$JSON_Output = $JSON_Output.trimend("}")
#$JSON_Output = $JSON_Output.TrimEnd() + "," + "`r`n"
# Joining the JSON together
#$JSON_Output = $JSON_Output + $scheduledActionsForRule + "`r`n" + "}"
write-host
write-host "Device Configuration Policy '$DisplayName' Found..." -ForegroundColor Yellow
write-host
$JSON_Output
write-host
Write-Host "Adding Device Configuration Policy '$DisplayName'" -ForegroundColor Yellow
Add-DeviceCompliancePolicy -JSON $JSON_Output
$DCPProfile = Get-DeviceCompliancePolicy -name $DisplayName
$CompliancePolicyId = $DCPProfile.id
Write-Host "Device Configuration Policy ID '$CompliancePolicyId'" -ForegroundColor Yellow
Write-Host
$AADGroups = $JSON_Convert.assignments.target
$ComplianceAssignments = @()
foreach ($AADGroup in $AADGroups )
{
Write-Host "AAD Group Name:" $AADGroup.groupId -ForegroundColor Yellow
Write-Host "Assignment Type:" $AADGroup."@OData.type" -ForegroundColor Yellow
$TargetGroupId = (Get-AADGroup -GroupName $AADGroup.groupid)
$TargetGroupId = $TargetGroupId.id
Write-Host "Included Group ID:" $TargetGroupID -ForegroundColor Yellow
$Assignment = $AADGroup."@OData.type"
$GroupAdd = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
},
"@
$ComplianceAssignments += $GroupAdd
}
Add-DeviceCompliancePolicyAssignment -ComplianceAssignments $ComplianceAssignments -CompliancePolicyId $CompliancePolicyId
}
else
{
write-host "Device Compliance Policy:" $JSON_Convert.displayName "has already been created" -ForegroundColor Yellow
}
}
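Review bot: Get-DeviceCompliancePolicy selects policies with `($_.'displayName').contains($Name)`, a case-sensitive substring test, so an existing policy whose name merely contains the new policy's name makes the `If ($DuplicateDCP -eq $null)` branch silently skip creation, and the post-create lookup into `$DCPProfile` can return several objects, leaving `$CompliancePolicyId` as an array that is then interpolated into the `deviceCompliancePolicies/$CompliancePolicyId/assign` resource path. Compare the name exactly instead, `($_.'@odata.type').contains("windows10CompliancePolicy") -and ($_.displayName -eq $Name)`, or better, keep the object that `Invoke-RestMethod` returns in Add-DeviceCompliancePolicy and use its `id` rather than re-querying by name. Separately, Get-AADGroup interpolates the unescaped `$GroupName` (taken from `assignments.target.groupId` in the imported JSON) into the OData `$filter`, so a name containing a single quote breaks the request; escape it with `$GroupName -replace "'","''"` before building the URI. The `$GroupAdd` fragment also ends in `},`, so the assembled `Assignments` array carries a trailing comma; whether the Graph endpoint tolerates that is not visible here and is worth confirming.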


@ -0,0 +1,503 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\Scripts\SPE-DeviceConfig.ps1"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory = $true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureADPreview module..."
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if ($AadModule.count -gt 1) {
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if ($AadModule.count -gt 1) {
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result
# If the accesstoken is valid then create the authentication header
if ($authResult.AccessToken) {
# Creating header for Authorization token
$authHeader = @{
'Content-Type' = 'application/json'
'Authorization' = "Bearer " + $authResult.AccessToken
'ExpiresOn' = $authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceManagementScript() {
<#
.SYNOPSIS
This function is used to add a device management script using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device management script
.EXAMPLE
Add-DeviceManagementScript -File "path to powershell-script file"
Adds a device management script from a File in Intune
Add-DeviceManagementScript -File "URL to powershell-script file" -URL
Adds a device management script from a URL in Intune
.NOTES
NAME: Add-DeviceManagementScript
#>
[cmdletbinding()]
Param (
# Path or URL to Powershell-script to add to Intune
[Parameter(Mandatory = $true)]
[string]$File,
# PowerShell description in Intune
[Parameter(Mandatory = $false)]
[string]$Description,
# Set to true if it is a URL
[Parameter(Mandatory = $false)]
[switch][bool]$URL = $false
)
if ($URL -eq $true) {
$FileName = $File -split "/"
$FileName = $FileName[-1]
$OutFile = "$env:TEMP\$FileName"
try {
Invoke-WebRequest -Uri $File -UseBasicParsing -OutFile $OutFile
}
catch {
Write-Host "Could not download file from URL: $File" -ForegroundColor Red
break
}
$File = $OutFile
if (!(Test-Path $File)) {
Write-Host "$File could not be located." -ForegroundColor Red
break
}
}
elseif ($URL -eq $false) {
if (!(Test-Path $File)) {
Write-Host "$File could not be located." -ForegroundColor Red
break
}
$FileName = Get-Item $File | Select-Object -ExpandProperty Name
}
$B64File = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("$File"));
if ($URL -eq $true) {
Remove-Item $File -Force
}
$JSON = @"
{
"@odata.type": "#microsoft.graph.deviceManagementScript",
"displayName": "$FileName",
"description": "$Description",
"runSchedule": {
"@odata.type": "microsoft.graph.runSchedule"
},
"scriptContent": "$B64File",
"runAsAccount": "system",
"enforceSignatureCheck": "false",
"fileName": "$FileName"
"runAs32Bit": "true"
}
"@
$graphApiVersion = "Beta"
$DMS_resource = "deviceManagement/deviceManagementScripts"
Write-Verbose "Resource: $DMS_resource"
try {
$uri = "https://graph.microsoft.com/$graphApiVersion/$DMS_resource"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceManagementScriptAssignment() {
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ScriptId,
$TargetGroupId
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceManagementScripts/$ScriptId/assign"
try {
if (!$ScriptId) {
write-host "No Script Policy Id specified, specify a valid Script Policy Id" -f Red
break
}
if (!$TargetGroupId) {
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
$JSON = @"
{
"deviceManagementScriptGroupAssignments": [
{
"@odata.type": "#microsoft.graph.deviceManagementScriptGroupAssignment",
"targetGroupId": "$TargetGroupId",
"id": "$ScriptId"
}
]
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$Resource"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup() {
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
try {
if ($id) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif ($GroupName -eq "" -or $GroupName -eq $null) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if (!$Members) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif ($Members) {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if ($Group) {
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if ($global:authToken) {
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if ($TokenExpires -le 0) {
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if ($User -eq $null -or $User -eq "") {
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if ($User -eq $null -or $User -eq "") {
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Setting application AAD Group to assign PowerShell scripts
#$AADGroup = Read-Host -Prompt "Enter the Azure AD Group name where PowerShell scripts will be assigned"
$AADGroup = "Specialized Workstations"
$TargetGroupId = (Get-AADGroup -GroupName "$AADGroup").id
if ($TargetGroupId -eq $null -or $TargetGroupId -eq "") {
Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
Write-Host
exit
}
####################################################
Write-Host "Adding Device Configuration Script from " $ImportPath -ForegroundColor Green
$Create_Local_Script = Add-DeviceManagementScript -File $ImportPath -Description "Specialized Device Config script"
Write-Host "Device Management Script created as" $Create_Local_Script.id
write-host
write-host "Assigning Device Management Script to AAD Group '$AADGroup'" -f Cyan
$Assign_Local_Script = Add-DeviceManagementScriptAssignment -ScriptId $Create_Local_Script.id -TargetGroupId $TargetGroupId
Write-Host "Assigned '$AADGroup' to $($Create_Local_Script.displayName)/$($Create_Local_Script.id)"
Write-Host


@ -0,0 +1,675 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceConfiguration"
####################################################
function Get-AuthToken {
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory=$true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null) {
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if($AadModule.count -gt 1){
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if($AadModule.count -gt 1){
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else {
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try {
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI,$clientId,$redirectUri,$platformParameters,$userId).Result
# If the accesstoken is valid then create the authentication header
if($authResult.AccessToken){
# Creating header for Authorization token
$authHeader = @{
'Content-Type'='application/json'
'Authorization'="Bearer " + $authResult.AccessToken
'ExpiresOn'=$authResult.ExpiresOn
}
return $authHeader
}
else {
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch {
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Add-DeviceConfigurationPolicy(){
<#
.SYNOPSIS
This function is used to add an device configuration policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy
.EXAMPLE
Add-DeviceConfigurationPolicy -JSON $JSON
Adds a device configuration policy in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$JSON
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
Write-Verbose "Resource: $DCP_resource"
try {
if($JSON -eq "" -or $JSON -eq $null){
write-host "No JSON specified, please specify valid JSON for the Android Policy..." -f Red
}
else {
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-DeviceConfigurationPolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ConfigurationPolicyId,
$TargetGroupId,
$Assignment
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/deviceConfigurations/$ConfigurationPolicyId/assignments"
try {
if(!$ConfigurationPolicyId){
write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
break
}
if(!$TargetGroupId){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
if(!$Assignment){
write-host "No Assignment Type specified, specify a valid Assignment Type" -f Red
break
}
$ConfPolAssign = "$ConfigurationPolicyId" + "_" + "$TargetGroupId"
$JSON = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-DeviceConfigurationPolicy(){
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$name
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/deviceConfigurations"
try {
if($Name){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'displayName').contains("$Name") }
}
else {
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON(){
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try {
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch {
$validJson = $false
$_.Exception
}
if (!$validJson){
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if($global:authToken){
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if($TokenExpires -le 0){
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else {
if($User -eq $null -or $User -eq ""){
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Setting application AAD Group to assign Policy
#$AADGroup = Read-Host -Prompt "Enter the Azure AD Group name where policies will be assigned"
#$TargetGroupId = (Get-AADGroup | Where-Object {$_.displayName -eq $AADGroup}).id
#
# if($TargetGroupId -eq $null -or $TargetGroupId -eq ""){
#
# Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
# Write-Host
# exit
# }
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
Foreach-object {
$JSON_Data = Get-Content $_.FullName
# Excluding entries that are not required - id,createdDateTime,lastModifiedDateTime,version
$JSON_Convert = $JSON_Data | ConvertFrom-Json | Select-Object -Property * -ExcludeProperty id,createdDateTime,lastModifiedDateTime,version,supportsScopeTags
$DisplayName = $JSON_Convert.displayName
$DuplicateDCP = Get-DeviceConfigurationPolicy -Name $JSON_Convert.displayName
If ($DuplicateDCP -eq $null)
{
$JSON_Output = $JSON_Convert | ConvertTo-Json -Depth 5
write-host
write-host "Device Configuration Policy '$DisplayName' Found..." -ForegroundColor Yellow
write-host
$JSON_Output
write-host
Write-Host "Adding Device Configuration Policy '$DisplayName'" -ForegroundColor Yellow
Add-DeviceConfigurationPolicy -JSON $JSON_Output
$DeviceConfigs = Get-DeviceConfigurationPolicy -name $DisplayName
$DeviceConfigID = $DeviceConfigs.id
Write-Host "Device ConfigID '$DeviceConfigID'" -ForegroundColor Yellow
Write-Host
$AADGroups = $JSON_Convert.assignments.target
foreach ($AADGroup in $AADGroups )
{
Write-Host "AAD Group Name:" $AADGroup.groupId -ForegroundColor Yellow
Write-Host "Assignment Type:" $AADGroup."@OData.type" -ForegroundColor Yellow
$TargetGroupId = (Get-AADGroup -GroupName $AADGroup.groupid)
Write-Host "Included Group ID:" $TargetGroupID.Id -ForegroundColor Yellow
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $TargetGroupId.id -Assignment $AADGroup."@OData.type"
}
# Create exclude Group
<#$ShortName = $JSON_Convert.displayName -replace "PAW-Global-2009-Intune-Configuration-", ''
$ExcludeGroup = "PAW-"+$ShortName+"-Exclude-Device"
If (Get-AzureADGroup -SearchString $ExcludeGroup) {
Write-Host
Write-Host "AAD group" $ExcludeGroup "already exists!" -f Yellow
Write-Host
}
Else {
$MailNickName = $ShortName+"-G"
try
{
$ExcludeTargetGroup = New-AzureADGroup -DisplayName $ExcludeGroup -Description $ExcludeGroup"-Group" -MailEnabled $false -SecurityEnabled $true -MailNickName $MailNickName
sleep 5
}
catch
{
Write-Host
Write-Host "Error creating AAD group" $ExcludeGroup -f Red
Write-Host
}
}
Write-Host "Excluded Group ID" $ExcludeTargetGroup.objectid
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $ExcludeTargetGroup.objectid -Assignment "exclusionGroupAssignmentTarget"
#>
}
else
{
write-host "Device Configuration Profile:" $JSON_Convert.displayName "has already been created" -ForegroundColor Yellow
}
}
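Review bot: The duplicate check and the post-create id lookup in the import loop both rely on Get-DeviceConfigurationPolicy, whose filter is a substring test, `Where-Object { ($_.'displayName').contains("$Name") }`, so an existing policy whose name merely contains the new displayName suppresses the import, and if several policies match then `$DeviceConfigs.id` becomes an array and the assignment URI `deviceManagement/deviceConfigurations/$ConfigurationPolicyId/assignments` is built from a malformed id. The POST already returns the created object, so the round trip by name is unnecessary: change the two lines to `$NewPolicy = Add-DeviceConfigurationPolicy -JSON $JSON_Output` and `$DeviceConfigID = $NewPolicy.id`, and make the duplicate filter an exact comparison, `($_.'displayName') -eq "$Name"`, as Get-GroupPolicyConfigurations in the ADMX script of this same commit already does (note that .NET `.Contains` is also case-sensitive, unlike PowerShell `-eq`). Separately, the assignment loop passes `$AADGroup.groupId` to `-GroupName`, which filters on displayName; unless the JSON files in this repo store display names in that field, the lookup returns nothing and Add-DeviceConfigurationPolicyAssignment stops on an empty TargetGroupId — worth confirming against the JSON.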


@ -0,0 +1,714 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
param (
#Change Conditional Access State, default is disabled
#Options: enabled, disabled, enabledForReportingButNotEnforced
[String]$AADGroup = "Privileged Workstations"
)
#$AADGroup = "PAW-Global-Devices"
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
$ImportPath = $ScriptDir+"\JSON\DeviceConfigurationADMX"
function Get-AuthToken
{
<#
.SYNOPSIS
This function is used to authenticate with the Graph API REST interface
.DESCRIPTION
The function authenticate with the Graph API Interface with the tenant name
.EXAMPLE
Get-AuthToken
Authenticates you with the Graph API interface
.NOTES
NAME: Get-AuthToken
#>
[cmdletbinding()]
param
(
[Parameter(Mandatory = $true)]
$User
)
$userUpn = New-Object "System.Net.Mail.MailAddress" -ArgumentList $User
$tenant = $userUpn.Host
Write-Host "Checking for AzureAD module..."
$AadModule = Get-Module -Name "AzureAD" -ListAvailable
if ($AadModule -eq $null)
{
Write-Host "AzureAD PowerShell module not found, looking for AzureADPreview"
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
if ($AadModule -eq $null)
{
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
write-host "Script can't continue..." -f Red
write-host
exit
}
# Getting path to ActiveDirectory Assemblies
# If the module count is greater than 1 find the latest version
if ($AadModule.count -gt 1)
{
$Latest_Version = ($AadModule | select version | Sort-Object)[-1]
$aadModule = $AadModule | ? { $_.version -eq $Latest_Version.version }
# Checking if there are multiple versions of the same module found
if ($AadModule.count -gt 1)
{
$aadModule = $AadModule | select -Unique
}
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
else
{
$adal = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$adalforms = Join-Path $AadModule.ModuleBase "Microsoft.IdentityModel.Clients.ActiveDirectory.Platform.dll"
}
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null
[System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null
$clientId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
$authority = "https://login.microsoftonline.com/$Tenant"
try
{
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# https://msdn.microsoft.com/en-us/library/azure/microsoft.identitymodel.clients.activedirectory.promptbehavior.aspx
# Change the prompt behaviour to force credentials each time: Auto, Always, Never, RefreshSession
$platformParameters = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters" -ArgumentList "Auto"
$userId = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier" -ArgumentList ($User, "OptionalDisplayableId")
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $platformParameters, $userId).Result
# If the accesstoken is valid then create the authentication header
if ($authResult.AccessToken)
{
# Creating header for Authorization token
$authHeader = @{
'Content-Type' = 'application/json'
'Authorization' = "Bearer " + $authResult.AccessToken
'ExpiresOn' = $authResult.ExpiresOn
}
return $authHeader
}
else
{
Write-Host
Write-Host "Authorization Access Token is null, please re-run authentication..." -ForegroundColor Red
Write-Host
break
}
}
catch
{
write-host $_.Exception.Message -f Red
write-host $_.Exception.ItemName -f Red
write-host
break
}
}
####################################################
Function Create-GroupPolicyConfigurations()
{
<#
.SYNOPSIS
This function is used to add an device configuration policy using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy
.EXAMPLE
Add-DeviceConfigurationPolicy -JSON $JSON
Adds a device configuration policy in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicy
#>
[cmdletbinding()]
param
(
$DisplayName
)
$jsonCode = @"
{
"description":"",
"displayName":"$($DisplayName)"
}
"@
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations"
Write-Verbose "Resource: $DCP_resource"
try
{
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
$responseBody = Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $jsonCode -ContentType "application/json"
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
$responseBody.id
}
Function Create-GroupPolicyConfigurationsDefinitionValues()
{
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-GroupPolicyConfigurations
#>
[cmdletbinding()]
Param (
[string]$GroupPolicyConfigurationID,
$JSON
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations/$($GroupPolicyConfigurationID)/definitionValues"
write-host $DCP_resource
try
{
if ($JSON -eq "" -or $JSON -eq $null)
{
write-host "No JSON specified, please specify valid JSON for the Device Configuration Policy..." -f Red
}
else
{
Test-JSON -JSON $JSON
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-GroupPolicyConfigurations()
{
<#
.SYNOPSIS
This function is used to get device configuration policies from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any device configuration policies
.EXAMPLE
Get-DeviceConfigurationPolicy
Returns any device configuration policies configured in Intune
.NOTES
NAME: Get-GroupPolicyConfigurations
#>
[cmdletbinding()]
param
(
$name
)
$graphApiVersion = "Beta"
$DCP_resource = "deviceManagement/groupPolicyConfigurations"
try
{
$uri = "https://graph.microsoft.com/$graphApiVersion/$($DCP_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value | Where-Object { ($_.'displayName') -eq ("$Name") }
}
catch
{
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Add-GroupPolicyConfigurationPolicyAssignment(){
<#
.SYNOPSIS
This function is used to add a device configuration policy assignment using the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and adds a device configuration policy assignment
.EXAMPLE
Add-DeviceConfigurationPolicyAssignment -ConfigurationPolicyId $ConfigurationPolicyId -TargetGroupId $TargetGroupId
Adds a device configuration policy assignment in Intune
.NOTES
NAME: Add-DeviceConfigurationPolicyAssignment
#>
[cmdletbinding()]
param
(
$ConfigurationPolicyId,
$TargetGroupId,
$Assignment
)
$graphApiVersion = "Beta"
$Resource = "deviceManagement/groupPolicyConfigurations/$ConfigurationPolicyId/assignments"
try {
if(!$ConfigurationPolicyId){
write-host "No Configuration Policy Id specified, specify a valid Configuration Policy Id" -f Red
break
}
if(!$TargetGroupId){
write-host "No Target Group Id specified, specify a valid Target Group Id" -f Red
break
}
if(!$Assignment){
write-host "No Assignment Type specified, specify a valid Assignment Type" -f Red
break
}
# $ConfPolAssign = "$ConfigurationPolicyId" + "_" + "$TargetGroupId"
$JSON = @"
{
"target": {
"@odata.type": "#microsoft.graph.$Assignment",
"groupId": "$TargetGroupId"
}
}
"@
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Resource)"
Invoke-RestMethod -Uri $uri -Headers $authToken -Method Post -Body $JSON -ContentType "application/json"
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Get-AADGroup(){
<#
.SYNOPSIS
This function is used to get AAD Groups from the Graph API REST interface
.DESCRIPTION
The function connects to the Graph API Interface and gets any Groups registered with AAD
.EXAMPLE
Get-AADGroup
Returns all users registered with Azure AD
.NOTES
NAME: Get-AADGroup
#>
[cmdletbinding()]
param
(
$GroupName,
$id,
[switch]$Members
)
# Defining Variables
$graphApiVersion = "v1.0"
$Group_resource = "groups"
# pseudo-group identifiers for all users and all devices
[string]$AllUsers = "acacacac-9df4-4c7d-9d50-4ef0226f57a9"
[string]$AllDevices = "adadadad-808e-44e2-905a-0b7873a8a531"
try {
if($id){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=id eq '$id'"
switch ( $id ) {
$AllUsers { $grp = [PSCustomObject]@{ displayName = "All users"}; $grp }
$AllDevices { $grp = [PSCustomObject]@{ displayName = "All devices"}; $grp }
default { (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value }
}
}
elseif($GroupName -eq "" -or $GroupName -eq $null){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
else {
if(!$Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
elseif($Members){
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)?`$filter=displayname eq '$GroupName'"
$Group = (Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
if($Group){
$GID = $Group.id
$Group.displayName
write-host
$uri = "https://graph.microsoft.com/$graphApiVersion/$($Group_resource)/$GID/Members"
(Invoke-RestMethod -Uri $uri -Headers $authToken -Method Get).Value
}
}
}
}
catch {
$ex = $_.Exception
$errorResponse = $ex.Response.GetResponseStream()
$reader = New-Object System.IO.StreamReader($errorResponse)
$reader.BaseStream.Position = 0
$reader.DiscardBufferedData()
$responseBody = $reader.ReadToEnd();
Write-Host "Response content:`n$responseBody" -f Red
Write-Error "Request to $Uri failed with HTTP Status $($ex.Response.StatusCode) $($ex.Response.StatusDescription)"
write-host
break
}
}
####################################################
Function Test-JSON()
{
<#
.SYNOPSIS
This function is used to test if the JSON passed to a REST Post request is valid
.DESCRIPTION
The function tests if the JSON passed to the REST Post is valid
.EXAMPLE
Test-JSON -JSON $JSON
Test if the JSON is valid before calling the Graph REST interface
.NOTES
NAME: Test-AuthHeader
#>
param (
$JSON
)
try
{
$TestJSON = ConvertFrom-Json $JSON -ErrorAction Stop
$validJson = $true
}
catch
{
$validJson = $false
$_.Exception
}
if (!$validJson)
{
Write-Host "Provided JSON isn't in valid JSON format" -f Red
break
}
}
####################################################
#region Authentication
write-host
# Checking if authToken exists before running authentication
if ($global:authToken)
{
# Setting DateTime to Universal time to work in all timezones
$DateTime = (Get-Date).ToUniversalTime()
# If the authToken exists checking when it expires
$TokenExpires = ($authToken.ExpiresOn.datetime - $DateTime).Minutes
if ($TokenExpires -le 0)
{
write-host "Authentication Token expired" $TokenExpires "minutes ago" -ForegroundColor Yellow
write-host
# Defining User Principal Name if not present
if ($User -eq $null -or $User -eq "")
{
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
$global:authToken = Get-AuthToken -User $User
}
}
# Authentication doesn't exist, calling Get-AuthToken function
else
{
if ($User -eq $null -or $User -eq "")
{
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Write-Host
}
# Getting the authorization token
$global:authToken = Get-AuthToken -User $User
}
#endregion
####################################################
# Replacing quotes for Test-Path
$ImportPath = $ImportPath.replace('"','')
if(!(Test-Path "$ImportPath")){
Write-Host "Import Path for JSON file doesn't exist..." -ForegroundColor Red
Write-Host "Script can't continue..." -ForegroundColor Red
Write-Host
break
}
####################################################
$TargetGroupId = (Get-AADGroup | Where-Object {$_.displayName -eq $AADGroup}).id
if($TargetGroupId -eq $null -or $TargetGroupId -eq ""){
Write-Host "AAD Group - '$AADGroup' doesn't exist, please specify a valid AAD Group..." -ForegroundColor Red
Write-Host
exit
}
####################################################
Get-ChildItem $ImportPath -filter *.json |
ForEach-Object {
$Policy_Name = $_.Name
$Policy_Name = $Policy_Name.Substring(0,$Policy_Name.Length-5)
$DuplicateDCP = Get-GroupPolicyConfigurations -Name $Policy_Name
If ($DuplicateDCP -eq $null)
{
$GroupPolicyConfigurationID = Create-GroupPolicyConfigurations -DisplayName $Policy_Name
$JSON_Data = Get-Content $_.FullName
$JSON_Convert = $JSON_Data | ConvertFrom-Json
$JSON_Convert | ForEach-Object { $_
$JSON_Output = Convertto-Json -Depth 5 $_
Write-Host $JSON_Output
Create-GroupPolicyConfigurationsDefinitionValues -JSON $JSON_Output -GroupPolicyConfigurationID $GroupPolicyConfigurationID
}
Write-Host "####################################################################################################" -ForegroundColor Green
Write-Host "Policy: " $Policy_Name "created" -ForegroundColor Green
Write-Host "####################################################################################################" -ForegroundColor Green
$DeviceConfigs = Get-GroupPolicyConfigurations -name $Policy_Name
$DeviceConfigID = $DeviceConfigs.id
Add-GroupPolicyConfigurationPolicyAssignment -ConfigurationPolicyId $DeviceConfigID -TargetGroupId $TargetGroupId -Assignment "groupAssignmentTarget"
}
else
{
write-host "Device Configuration ADMX Profile:" $Policy_Name "has already been created" -ForegroundColor Yellow
}
}


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"createdDateTime": "2020-11-30T15:27:50.8972649Z",
"description": "Defender ATP-specific compliance settings to apply after 24 hours\n",
"lastModifiedDateTime": "2020-11-30T15:27:50.8972649Z",
"displayName": "Specialized-Compliance-ATP",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": false,
"secureBootEnabled": false,
"codeIntegrityEnabled": false,
"storageRequireEncryption": false,
"activeFirewallRequired": false,
"defenderEnabled": false,
"defenderVersion": null,
"signatureOutOfDate": false,
"rtpEnabled": false,
"antivirusRequired": false,
"antiSpywareRequired": false,
"deviceThreatProtectionEnabled": true,
"deviceThreatProtectionRequiredSecurityLevel": "secured",
"configurationManagerComplianceRequired": false,
"tpmRequired": false,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Specialized Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "a8994b69-5205-4614-ae3e-150c2d4f2c5d",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u0027a8994b69-5205-4614-ae3e-150c2d4f2c5d\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u0027a8994b69-5205-4614-ae3e-150c2d4f2c5d\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "44bd1593-f79a-4a98-8acf-f20b496c621d",
"gracePeriodHours": 24,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}
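Review bot: The `groupId` values under `assignments` are group display names ("Emergency Breakglass", "Specialized Workstation Users") rather than Azure AD object IDs, so this export cannot be posted to Graph as-is; it only works if the import script resolves each name to an ID first, and how a name that matches zero or several groups is handled is not visible in this file. The object also carries tenant-specific, read-only properties (`id`, `createdDateTime`, `lastModifiedDateTime`, `version`, the `scheduledActionConfigurations@odata.context` URL and the per-assignment `id`/`sourceId`) that a create request should strip rather than replay. `osMinimumVersion` is pinned to the fixed build `10.0.18363.476`, which will quietly stop being a meaningful floor as the fleet moves on, so the accompanying documentation should state that this value is to be revised with every baseline refresh. The same three points apply to the Specialized-Compliance-Delayed and Specialized-Compliance-Immediate files that follow.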


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"createdDateTime": "2020-11-30T15:27:52.1330905Z",
"description": "Intune compliance settings to apply after 24 hours\n",
"lastModifiedDateTime": "2020-11-30T15:27:52.1330905Z",
"displayName": "Specialized-Compliance-Delayed",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": true,
"secureBootEnabled": true,
"codeIntegrityEnabled": true,
"storageRequireEncryption": false,
"activeFirewallRequired": true,
"defenderEnabled": true,
"defenderVersion": null,
"signatureOutOfDate": true,
"rtpEnabled": true,
"antivirusRequired": true,
"antiSpywareRequired": true,
"deviceThreatProtectionEnabled": false,
"deviceThreatProtectionRequiredSecurityLevel": "unavailable",
"configurationManagerComplianceRequired": false,
"tpmRequired": true,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Specialized Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "070e9f28-9bf1-41cc-b5bb-77229343d3b9",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u0027070e9f28-9bf1-41cc-b5bb-77229343d3b9\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u0027070e9f28-9bf1-41cc-b5bb-77229343d3b9\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "cab389d9-845f-4d0a-a9cd-e64abbcbd859",
"gracePeriodHours": 24,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}
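Review bot: `bitLockerEnabled`, `secureBootEnabled` and `codeIntegrityEnabled` are true while `storageRequireEncryption` is left false. As I understand the Intune settings, the first three are evaluated from the Device Health Attestation report, which is unavailable on a device that cannot reach the attestation service, whereas `storageRequireEncryption` is checked locally; leaving it false means a device with no attestation report is held to no encryption requirement at all. Unless the omission is deliberate, `"storageRequireEncryption": true` gives this delayed policy an independent second encryption check. The display-name `groupId` values, the replayed read-only export properties and the pinned `osMinimumVersion` are the same concerns already raised on the Specialized-Compliance-ATP file.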


@ -0,0 +1,88 @@
{
"@odata.type": "#microsoft.graph.windows10CompliancePolicy",
"roleScopeTagIds": [
"0"
],
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"createdDateTime": "2020-11-30T15:27:53.2888215Z",
"description": "Intune compliance settings to apply immediately\n",
"lastModifiedDateTime": "2020-11-30T15:27:53.2888215Z",
"displayName": "Specialized-Compliance-Immediate",
"version": 1,
"passwordRequired": false,
"passwordBlockSimple": false,
"passwordRequiredToUnlockFromIdle": false,
"passwordMinutesOfInactivityBeforeLock": null,
"passwordExpirationDays": null,
"passwordMinimumLength": null,
"passwordMinimumCharacterSetCount": null,
"passwordRequiredType": "deviceDefault",
"passwordPreviousPasswordBlockCount": null,
"requireHealthyDeviceReport": false,
"osMinimumVersion": "10.0.18363.476",
"osMaximumVersion": null,
"mobileOsMinimumVersion": null,
"mobileOsMaximumVersion": null,
"earlyLaunchAntiMalwareDriverEnabled": false,
"bitLockerEnabled": false,
"secureBootEnabled": false,
"codeIntegrityEnabled": false,
"storageRequireEncryption": false,
"activeFirewallRequired": false,
"defenderEnabled": true,
"defenderVersion": null,
"signatureOutOfDate": false,
"rtpEnabled": true,
"antivirusRequired": true,
"antiSpywareRequired": false,
"deviceThreatProtectionEnabled": false,
"deviceThreatProtectionRequiredSecurityLevel": "unavailable",
"configurationManagerComplianceRequired": false,
"tpmRequired": false,
"deviceCompliancePolicyScript": null,
"validOperatingSystemBuildRanges": [
],
"assignments": [
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b_add56c8b-3fb1-43c8-a7d8-3abcc9f9ac64",
"source": "direct",
"sourceId": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"target": {
"@odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Emergency Breakglass"
}
},
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b_af977e97-e18b-4272-bb63-81fb28204780",
"source": "direct",
"sourceId": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Specialized Workstation Users"
}
}
],
"scheduledActionsForRule": [
{
"id": "56454fb5-78ae-4489-a4de-c60aeeb4bb8b",
"ruleName": null,
"scheduledActionConfigurations@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceCompliancePolicies(\u002756454fb5-78ae-4489-a4de-c60aeeb4bb8b\u0027)/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/microsoft.graph.windows10CompliancePolicy/scheduledActionsForRule(\u002756454fb5-78ae-4489-a4de-c60aeeb4bb8b\u0027)/scheduledActionConfigurations",
"scheduledActionConfigurations": [
{
"id": "59ae4e45-6495-4d33-b943-1bb01554bc6f",
"gracePeriodHours": 0,
"actionType": "block",
"notificationTemplateId": "00000000-0000-0000-0000-000000000000",
"notificationMessageCCList": [
]
}
]
}
]
}


@ -0,0 +1,505 @@
{
"@odata.type": "#microsoft.graph.windows10CustomConfiguration",
"id": "d214ac01-db86-4c5c-a2ed-05732d8875c3",
"lastModifiedDateTime": "2020-11-20T15:59:47.646572Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-20T15:48:26.5136512Z",
"description": "",
"displayName": "Specialized-Config-Win10-Custom-CSP",
"version": 3,
"omaSettings": [
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "NetworkIsolation/EnterpriseProxyServersAreAuthoritative",
"description": "EnterpriseProxyServersAreAuthoritative",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServersAreAuthoritative",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "NetworkIsolation/EnterpriseIPRangesAreAuthoritative",
"description": "EnterpriseIPRangesAreAuthoritative",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRangesAreAuthoritative",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Search/AllowIndexingEncryptedStoresOrItems",
"description": "AllowIndexingEncryptedStoresOrItems",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Search/AllowIndexingEncryptedStoresOrItems",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "LanmanWorkstation/EnableInsecureGuestLogons",
"description": "EnableInsecureGuestLogons",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Games/AllowAdvancedGamingServices",
"description": "AllowAdvancedGamingServices",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "ControlPolicyConflict/MDMWinsOverGP",
"description": "MDMWinsOverGP",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "SystemServices/ConfigureHomeGroupListenerServiceStartupMode",
"description": "ConfigureHomeGroupListenerServiceStartupMode",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupListenerServiceStartupMode",
"isEncrypted": false,
"value": 4,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "SystemServices/ConfigureHomeGroupProviderServiceStartupMode",
"description": "ConfigureHomeGroupProviderServiceStartupMode",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupProviderServiceStartupMode",
"isEncrypted": false,
"value": 4,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "ErrorReporting/DisableWindowsErrorReporting",
"description": "DisableWindowsErrorReporting",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting",
"isEncrypted": false,
"value": " \u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/AllowStandbyWhenSleepingPluggedIn",
"description": "AllowStandbyWhenSleepingPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/AllowStandbyWhenSleepingPluggedIn",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/RequirePasswordWhenComputerWakesOnBattery",
"description": "RequirePasswordWhenComputerWakesOnBattery",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesOnBattery",
"isEncrypted": false,
"value": " \u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/RequirePasswordWhenComputerWakesPluggedIn",
"description": "RequirePasswordWhenComputerWakesPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteAssistance/SolicitedRemoteAssistance",
"description": "SolicitedRemoteAssistance",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SolicitedRemoteAssistance",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "AutoPlay/DisallowAutoplayForNonVolumeDevices",
"description": "DisallowAutoplayForNonVolumeDevices",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/AutoPlay/DisallowAutoplayForNonVolumeDevices",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/DoNotAllowDriveRedirection",
"description": "DoNotAllowDriveRedirection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/PromptForPasswordUponConnection",
"description": "PromptForPasswordUponConnection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteDesktopServices/RequireSecureRPCCommunication",
"description": "RequireSecureRPCCommunication",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "DeviceLock/PreventLockScreenSlideShow",
"description": "PreventLockScreenSlideShow",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection",
"description": "EnableStructuredExceptionHandlingOverwriteProtection",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"description": "AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"description": "AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard",
"description": "AuditApplicationGuard",
"omaUri": "./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceLock/MaxDevicePasswordFailedAttempts",
"description": "MaxDevicePasswordFailedAttempts",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceLock/MaxDevicePasswordFailedAttempts",
"isEncrypted": false,
"value": 9,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HidePeopleBar",
"description": "HidePeopleBar ",
"omaUri": "./User/Vendor/MSFT/Policy/Config/Start/HidePeopleBar",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Browser/AllowFlash",
"description": "AllowFlash",
"omaUri": "./Vendor/MSFT/Policy/Config/Browser/AllowFlash",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Privacy/AllowCrossDeviceClipboard",
"description": "AllowCrossDeviceClipboard",
"omaUri": "./Vendor/MSFT/Policy/Config/Privacy/AllowCrossDeviceClipboard",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Experience/DoNotShowFeedbackNotifications",
"description": "HideFeedbackNotifications",
"omaUri": "./Vendor/MSFT/Policy/Config/Experience/DoNotShowFeedbackNotifications",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"description": "ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon",
"isEncrypted": false,
"value": "\u003cEnabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge",
"description": "ProhibitInstallationAndConfigurationOfNetworkBridge",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge",
"isEncrypted": false,
"value": "\u003cEnabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteAssistance/UnsolicitedRemoteAssistance",
"description": "UnsolicitedRemoteAssistance",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/UnsolicitedRemoteAssistance",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges",
"description": "MSIAlwaysInstallWithElevatedPrivileges",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteManagement/AllowBasicAuthentication_Client",
"description": "AllowBasicAuthentication_Client",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Client",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemoteManagement/AllowBasicAuthentication_Service",
"description": "AllowBasicAuthentication_Service",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemoteManagement/AllowBasicAuthentication_Service",
"isEncrypted": false,
"value": "\u003cDisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/IPv6SourceRoutingProtectionLevel",
"description": "IPv6SourceRoutingProtectionLevel",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"DisableIPSourceRoutingIPv6\" value=\"2\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "CredentialsUI/EnumerateAdministrators",
"description": "EnumerateAdministrators",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/CredentialsUI/EnumerateAdministrators",
"isEncrypted": false,
"value": "\u003cdisabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Autoplay/TurnOffAutoPlay",
"description": "TurnOffAutoPlay",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"Autorun_Box\" value=\"255\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Autoplay/SetDefaultAutoRunBehavior",
"description": "SetDefaultAutoRunBehavior",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Autoplay/SetDefaultAutoRunBehavior",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"NoAutorun_Dropdown\" value=\"1\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSecurityGuide/ConfigureSMBV1ClientDriver",
"description": "ConfigureSMBV1ClientDriver",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver",
"isEncrypted": false,
"value": "\u003cenabled/\u003e \n\u003cdata id=\"Pol_SecGuide_SMB1ClientDriver\" value=\"4\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "MSSLegacy/IPSourceRoutingProtectionLevel",
"description": "IPSourceRoutingProtectionLevel",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"DisableIPSourceRouting\" value=\"2\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses",
"description": "PreventInstallationOfMatchingDeviceSetupClasses",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\n\u003cdata id=\"DeviceInstall_Classes_Deny_Retroactive\" value=\"true\"/\u003e\n\u003cData id=\"DeviceInstall_Classes_Deny_List\" value=\"1\u0026#xF000;{d48179be-ec20-11d1-b6b8-00c04fa372a7}\u0026#xF000;2\u0026#xF000;{7ebefbc0-3200-11d2-b4c2-00a0C9697d07}\u0026#xF000;3\u0026#xF000;{c06ff265-ae09-48f0-812c-16753d7cba83}\u0026#xF000;4\u0026#xF000;{6bdd1fc1-810f-11d0-bec7-08002be2092f}\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "DeviceInstallation/PreventInstallationOfMatchingDeviceIDs",
"description": "PreventInstallationOfMatchingDeviceIDs",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\n\u003cdata id=\"DeviceInstall_IDs_Deny_Retroactive\" value=\"true\"/\u003e\n\u003cData id=\"DeviceInstall_IDs_Deny_List\" value=\"1\u0026#xF000;PCI\\CC_0C0A\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/EnableVirtualizationBasedSecurity",
"description": "EnableVirtualizationBasedSecurity",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/LSACfgFlags",
"description": "LSACfgFlags",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/PlatformSecurityFeatures",
"description": "PlatformSecurityFeatures",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures",
"isEncrypted": false,
"value": 3,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "DeviceGuard/ConfigureSystemGuardLaunch",
"description": "ConfigureSystemGuardLaunch",
"omaUri": "./Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HideSleep",
"description": "HideSleep",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideSleep",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "Start/HideHibernate",
"description": "HideHibernate",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Start/HideHibernate",
"isEncrypted": false,
"value": 0,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/StandbyTimeoutPluggedIn",
"description": "StandbyTimeoutPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/StandbyTimeoutPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterACStandbyTimeOut\" value=\"1800\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/HibernateTimeoutPluggedIn",
"description": "HibernateTimeoutPluggedIn",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutPluggedIn",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterACHibernateTimeOut\" value=\"3600\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "Power/HibernateTimeoutOnBattery",
"description": "HibernateTimeoutOnBattery",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/Power/HibernateTimeoutOnBattery",
"isEncrypted": false,
"value": "\u003cenabled/\u003e\u003cdata id=\"EnterDCHibernateTimeOut\" value=\"3600\"/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "RemovableStroageDevices/CDDenyWrite",
"description": "CDDenyWrite",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/RemovableStorageDevices\\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}/CDandDVD_DenyWrite_Access_2",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingString",
"displayName": "CredentialsUI/DisablePasswordReveal",
"description": "DisablePasswordReveal",
"omaUri": "./Device/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal",
"isEncrypted": false,
"value": "\u003cenabled/\u003e"
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/AllowDeviceNameInDiagnosticData",
"description": "AllowDeviceNameInDiagnosticData",
"omaUri": "./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/ConfigureTelemetryOptInSettingsUx",
"description": "ConfigureTelemetryOptInSettingsUx",
"omaUri": "./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/LimitEnhancedDiagnosticDataWindowsAnalytics",
"description": "LimitEnhancedDiagnosticDataWindowsAnalytics",
"omaUri": "./Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
},
{
"@odata.type": "#microsoft.graph.omaSettingInteger",
"displayName": "System/ConfigureTelemetryOptInChangeNotification",
"description": "ConfigureTelemetryOptInChangeNotification",
"omaUri": "./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInChangeNotification",
"isEncrypted": false,
"value": 1,
"isReadOnly": false
}
],
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u0027d214ac01-db86-4c5c-a2ed-05732d8875c3\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/assignments",
"assignments": [
{
"id": "d214ac01-db86-4c5c-a2ed-05732d8875c3_c99ee281-71f3-457b-9bcf-41f710263994",
"source": "direct",
"sourceId": "d214ac01-db86-4c5c-a2ed-05732d8875c3",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Specialized Workstations"
}
}
]
}
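Review bot: Five ADMX-backed string values use capitalised element names — `<Enabled/>` for `MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon` and `Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge`, `<Disabled/>` for `RemoteAssistance/UnsolicitedRemoteAssistance` and both `RemoteManagement/AllowBasicAuthentication_*` entries, plus `<Data id=...>` inside the two `DeviceInstallation` deny lists — while every other entry in `omaSettings` uses the lowercase `<enabled/>`, `<disabled/>` and `<data .../>` form. XML element names are case-sensitive, so if the CSP does not tolerate the capitalised spelling these settings fail on the device and WinRM Basic authentication and unsolicited Remote Assistance stay at their defaults, which is precisely the hardening this profile exists to deliver; normalise them to lowercase and confirm each setting's status in the Intune per-setting report after deployment. Two values (`ErrorReporting/DisableWindowsErrorReporting`, `Power/RequirePasswordWhenComputerWakesOnBattery`) also carry a leading space before `<enabled/>`, harmless only if the CSP trims its input. The display name `RemovableStroageDevices/CDDenyWrite` has a typo (`Stroage`). As with the compliance exports, `id`, `createdDateTime`, `lastModifiedDateTime`, `version`, `assignments@odata.context` and the display-name `groupId` "Specialized Workstations" must be stripped or resolved before the object is posted.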



@ -0,0 +1,340 @@
{
"@odata.type": "#microsoft.graph.windows10GeneralConfiguration",
"id": "74feb0b5-58c1-4a6e-b488-af80336bdf99",
"lastModifiedDateTime": "2020-11-20T15:56:15.0576476Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-20T15:41:05.3222358Z",
"description": "",
"displayName": "Specialized-Win10-Device-Restrictions-UI",
"version": 7,
"taskManagerBlockEndTask": false,
"energySaverOnBatteryThresholdPercentage": null,
"energySaverPluggedInThresholdPercentage": null,
"powerLidCloseActionOnBattery": "notConfigured",
"powerLidCloseActionPluggedIn": "notConfigured",
"powerButtonActionOnBattery": "notConfigured",
"powerButtonActionPluggedIn": "notConfigured",
"powerSleepButtonActionOnBattery": "notConfigured",
"powerSleepButtonActionPluggedIn": "notConfigured",
"powerHybridSleepOnBattery": "enabled",
"powerHybridSleepPluggedIn": "enabled",
"windows10AppsForceUpdateSchedule": null,
"enableAutomaticRedeployment": false,
"microsoftAccountSignInAssistantSettings": "notConfigured",
"authenticationAllowSecondaryDevice": true,
"authenticationWebSignIn": "notConfigured",
"authenticationPreferredAzureADTenantDomainName": null,
"cryptographyAllowFipsAlgorithmPolicy": false,
"displayAppListWithGdiDPIScalingTurnedOn": [
],
"displayAppListWithGdiDPIScalingTurnedOff": [
],
"enterpriseCloudPrintDiscoveryEndPoint": null,
"enterpriseCloudPrintOAuthAuthority": null,
"enterpriseCloudPrintOAuthClientIdentifier": null,
"enterpriseCloudPrintResourceIdentifier": null,
"enterpriseCloudPrintDiscoveryMaxLimit": null,
"enterpriseCloudPrintMopriaDiscoveryResourceIdentifier": null,
"experienceDoNotSyncBrowserSettings": "blocked",
"messagingBlockSync": false,
"messagingBlockMMS": false,
"messagingBlockRichCommunicationServices": false,
"printerNames": [
],
"printerDefaultName": null,
"printerBlockAddition": false,
"searchBlockDiacritics": false,
"searchDisableAutoLanguageDetection": false,
"searchDisableIndexingEncryptedItems": false,
"searchEnableRemoteQueries": false,
"searchDisableUseLocation": false,
"searchDisableLocation": false,
"searchDisableIndexerBackoff": false,
"searchDisableIndexingRemovableDrive": false,
"searchEnableAutomaticIndexSizeManangement": false,
"searchBlockWebResults": false,
"findMyFiles": "notConfigured",
"securityBlockAzureADJoinedDevicesAutoEncryption": false,
"diagnosticsDataSubmissionMode": "enhanced",
"oneDriveDisableFileSync": false,
"systemTelemetryProxyServer": null,
"edgeTelemetryForMicrosoft365Analytics": "notConfigured",
"inkWorkspaceAccess": "disabled",
"inkWorkspaceAccessState": "blocked",
"inkWorkspaceBlockSuggestedApps": true,
"smartScreenEnableAppInstallControl": false,
"smartScreenAppInstallControl": "notConfigured",
"personalizationDesktopImageUrl": null,
"personalizationLockScreenImageUrl": null,
"bluetoothAllowedServices": [
],
"bluetoothBlockAdvertising": true,
"bluetoothBlockPromptedProximalConnections": true,
"bluetoothBlockDiscoverableMode": true,
"bluetoothBlockPrePairing": true,
"edgeBlockAutofill": false,
"edgeBlocked": false,
"edgeCookiePolicy": "userDefined",
"edgeBlockDeveloperTools": false,
"edgeBlockSendingDoNotTrackHeader": true,
"edgeBlockExtensions": false,
"edgeBlockInPrivateBrowsing": true,
"edgeBlockJavaScript": false,
"edgeBlockPasswordManager": false,
"edgeBlockAddressBarDropdown": false,
"edgeBlockCompatibilityList": false,
"edgeClearBrowsingDataOnExit": true,
"edgeAllowStartPagesModification": false,
"edgeDisableFirstRunPage": false,
"edgeBlockLiveTileDataCollection": true,
"edgeSyncFavoritesWithInternetExplorer": false,
"edgeFavoritesListLocation": null,
"edgeBlockEditFavorites": false,
"edgeNewTabPageURL": null,
"edgeHomeButtonConfiguration": null,
"edgeHomeButtonConfigurationEnabled": false,
"edgeOpensWith": "notConfigured",
"edgeBlockSideloadingExtensions": false,
"edgeRequiredExtensionPackageFamilyNames": [
],
"edgeBlockPrinting": false,
"edgeFavoritesBarVisibility": "notConfigured",
"edgeBlockSavingHistory": true,
"edgeBlockFullScreenMode": false,
"edgeBlockWebContentOnNewTabPage": false,
"edgeBlockTabPreloading": false,
"edgeBlockPrelaunch": false,
"edgeShowMessageWhenOpeningInternetExplorerSites": "notConfigured",
"edgePreventCertificateErrorOverride": true,
"edgeKioskModeRestriction": "notConfigured",
"edgeKioskResetAfterIdleTimeInMinutes": null,
"cellularBlockDataWhenRoaming": false,
"cellularBlockVpn": false,
"cellularBlockVpnWhenRoaming": false,
"cellularData": "allowed",
"defenderRequireRealTimeMonitoring": true,
"defenderRequireBehaviorMonitoring": true,
"defenderRequireNetworkInspectionSystem": true,
"defenderScanDownloads": true,
"defenderScheduleScanEnableLowCpuPriority": false,
"defenderDisableCatchupQuickScan": false,
"defenderDisableCatchupFullScan": false,
"defenderScanScriptsLoadedInInternetExplorer": true,
"defenderBlockEndUserAccess": false,
"defenderSignatureUpdateIntervalInHours": 1,
"defenderMonitorFileActivity": "userDefined",
"defenderDaysBeforeDeletingQuarantinedMalware": null,
"defenderScanMaxCpu": null,
"defenderScanArchiveFiles": true,
"defenderScanIncomingMail": true,
"defenderScanRemovableDrivesDuringFullScan": true,
"defenderScanMappedNetworkDrivesDuringFullScan": false,
"defenderScanNetworkFiles": true,
"defenderRequireCloudProtection": true,
"defenderCloudBlockLevel": "high",
"defenderCloudExtendedTimeout": 50,
"defenderCloudExtendedTimeoutInSeconds": 50,
"defenderPromptForSampleSubmission": "sendAllDataWithoutPrompting",
"defenderScheduledQuickScanTime": "18:00:00.0000000",
"defenderScanType": "full",
"defenderSystemScanSchedule": "saturday",
"defenderScheduledScanTime": "18:00:00.0000000",
"defenderPotentiallyUnwantedAppAction": "block",
"defenderPotentiallyUnwantedAppActionSetting": "userDefined",
"defenderSubmitSamplesConsentType": "sendSafeSamplesAutomatically",
"defenderBlockOnAccessProtection": false,
"defenderFileExtensionsToExclude": [
],
"defenderFilesAndFoldersToExclude": [
],
"defenderProcessesToExclude": [
],
"lockScreenAllowTimeoutConfiguration": false,
"lockScreenBlockActionCenterNotifications": false,
"lockScreenBlockCortana": true,
"lockScreenBlockToastNotifications": true,
"lockScreenTimeoutInSeconds": null,
"lockScreenActivateAppsWithVoice": "notConfigured",
"passwordBlockSimple": true,
"passwordExpirationDays": null,
"passwordMinimumLength": 9,
"passwordMinutesOfInactivityBeforeScreenTimeout": 30,
"passwordMinimumCharacterSetCount": 2,
"passwordPreviousPasswordBlockCount": null,
"passwordRequired": true,
"passwordRequireWhenResumeFromIdleState": true,
"passwordRequiredType": "alphanumeric",
"passwordSignInFailureCountBeforeFactoryReset": 9,
"passwordMinimumAgeInDays": null,
"privacyAdvertisingId": "notConfigured",
"privacyAutoAcceptPairingAndConsentPrompts": false,
"privacyDisableLaunchExperience": false,
"privacyBlockInputPersonalization": false,
"privacyBlockPublishUserActivities": true,
"privacyBlockActivityFeed": true,
"activateAppsWithVoice": "notConfigured",
"startBlockUnpinningAppsFromTaskbar": false,
"startMenuAppListVisibility": "userDefined",
"startMenuHideChangeAccountSettings": false,
"startMenuHideFrequentlyUsedApps": false,
"startMenuHideHibernate": false,
"startMenuHideLock": false,
"startMenuHidePowerButton": false,
"startMenuHideRecentJumpLists": false,
"startMenuHideRecentlyAddedApps": false,
"startMenuHideRestartOptions": false,
"startMenuHideShutDown": false,
"startMenuHideSignOut": false,
"startMenuHideSleep": true,
"startMenuHideSwitchAccount": true,
"startMenuHideUserTile": false,
"startMenuLayoutEdgeAssetsXml": null,
"startMenuLayoutXml": "",
"startMenuMode": "userDefined",
"startMenuPinnedFolderDocuments": "hide",
"startMenuPinnedFolderDownloads": "show",
"startMenuPinnedFolderFileExplorer": "show",
"startMenuPinnedFolderHomeGroup": "hide",
"startMenuPinnedFolderMusic": "hide",
"startMenuPinnedFolderNetwork": "hide",
"startMenuPinnedFolderPersonalFolder": "hide",
"startMenuPinnedFolderPictures": "hide",
"startMenuPinnedFolderSettings": "show",
"startMenuPinnedFolderVideos": "hide",
"settingsBlockSettingsApp": false,
"settingsBlockSystemPage": false,
"settingsBlockDevicesPage": false,
"settingsBlockNetworkInternetPage": false,
"settingsBlockPersonalizationPage": false,
"settingsBlockAccountsPage": false,
"settingsBlockTimeLanguagePage": false,
"settingsBlockEaseOfAccessPage": false,
"settingsBlockPrivacyPage": true,
"settingsBlockUpdateSecurityPage": false,
"settingsBlockAppsPage": false,
"settingsBlockGamingPage": true,
"windowsSpotlightBlockConsumerSpecificFeatures": false,
"windowsSpotlightBlocked": true,
"windowsSpotlightBlockOnActionCenter": false,
"windowsSpotlightBlockTailoredExperiences": false,
"windowsSpotlightBlockThirdPartyNotifications": false,
"windowsSpotlightBlockWelcomeExperience": false,
"windowsSpotlightBlockWindowsTips": false,
"windowsSpotlightConfigureOnLockScreen": "notConfigured",
"networkProxyApplySettingsDeviceWide": false,
"networkProxyDisableAutoDetect": false,
"networkProxyAutomaticConfigurationUrl": null,
"networkProxyServer": null,
"accountsBlockAddingNonMicrosoftAccountEmail": true,
"antiTheftModeBlocked": false,
"bluetoothBlocked": true,
"cameraBlocked": false,
"connectedDevicesServiceBlocked": true,
"certificatesBlockManualRootCertificateInstallation": false,
"copyPasteBlocked": false,
"cortanaBlocked": false,
"deviceManagementBlockFactoryResetOnMobile": false,
"deviceManagementBlockManualUnenroll": true,
"safeSearchFilter": "userDefined",
"edgeBlockPopups": false,
"edgeBlockSearchSuggestions": false,
"edgeBlockSearchEngineCustomization": false,
"edgeBlockSendingIntranetTrafficToInternetExplorer": false,
"edgeSendIntranetTrafficToInternetExplorer": false,
"edgeRequireSmartScreen": true,
"edgeEnterpriseModeSiteListLocation": null,
"edgeFirstRunUrl": null,
"edgeHomepageUrls": [
],
"edgeBlockAccessToAboutFlags": false,
"smartScreenBlockPromptOverride": true,
"smartScreenBlockPromptOverrideForFiles": true,
"webRtcBlockLocalhostIpAddress": true,
"internetSharingBlocked": true,
"settingsBlockAddProvisioningPackage": true,
"settingsBlockRemoveProvisioningPackage": true,
"settingsBlockChangeSystemTime": true,
"settingsBlockEditDeviceName": false,
"settingsBlockChangeRegion": false,
"settingsBlockChangeLanguage": false,
"settingsBlockChangePowerSleep": false,
"locationServicesBlocked": true,
"microsoftAccountBlocked": true,
"microsoftAccountBlockSettingsSync": true,
"nfcBlocked": true,
"resetProtectionModeBlocked": false,
"screenCaptureBlocked": false,
"storageBlockRemovableStorage": false,
"storageRequireMobileDeviceEncryption": false,
"usbBlocked": false,
"voiceRecordingBlocked": false,
"wiFiBlockAutomaticConnectHotspots": false,
"wiFiBlocked": false,
"wiFiBlockManualConfiguration": false,
"wiFiScanInterval": null,
"wirelessDisplayBlockProjectionToThisDevice": false,
"wirelessDisplayBlockUserInputFromReceiver": false,
"wirelessDisplayRequirePinForPairing": true,
"windowsStoreBlocked": false,
"appsAllowTrustedAppsSideloading": "allowed",
"windowsStoreBlockAutoUpdate": false,
"developerUnlockSetting": "blocked",
"sharedUserAppDataAllowed": true,
"appsBlockWindowsStoreOriginatedApps": false,
"windowsStoreEnablePrivateStoreOnly": true,
"storageRestrictAppDataToSystemVolume": false,
"storageRestrictAppInstallToSystemVolume": false,
"gameDvrBlocked": true,
"experienceBlockDeviceDiscovery": false,
"experienceBlockErrorDialogWhenNoSIM": false,
"experienceBlockTaskSwitcher": false,
"logonBlockFastUserSwitching": true,
"tenantLockdownRequireNetworkDuringOutOfBoxExperience": true,
"appManagementMSIAllowUserControlOverInstall": false,
"appManagementMSIAlwaysInstallWithElevatedPrivileges": false,
"dataProtectionBlockDirectMemoryAccess": true,
"appManagementPackageFamilyNamesToLaunchAfterLogOn": [
],
"uninstallBuiltInApps": false,
"configureTimeZone": null,
"defenderDetectedMalwareActions": {
"lowSeverity": "quarantine",
"moderateSeverity": "quarantine",
"highSeverity": "quarantine",
"severeSeverity": "quarantine"
},
"edgeSearchEngine": {
"@odata.type": "#microsoft.graph.edgeSearchEngine",
"edgeSearchEngineType": "default"
},
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u002774feb0b5-58c1-4a6e-b488-af80336bdf99\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/assignments",
"assignments": [
{
"id": "74feb0b5-58c1-4a6e-b488-af80336bdf99_c99ee281-71f3-457b-9bcf-41f710263994",
"source": "direct",
"sourceId": "74feb0b5-58c1-4a6e-b488-af80336bdf99",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Specialized Workstations"
}
}
]
}
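Review bot: The exported object still carries source-tenant, server-assigned metadata — `id`, `createdDateTime`, `lastModifiedDateTime`, `version`, `roleScopeTagIds`, `supportsScopeTags` and the `assignments@odata.context` URL — which Graph treats as read-only (or not as properties at all) when a deviceConfiguration is created, so posting this file verbatim would be rejected or have those keys silently dropped. The import script is outside this hunk; if it strips these keys, a sentence in the solution README naming which keys are removed on import would let a reviewer trust the JSON as stored, and if it does not, that is the first thing to fix. The `groupId` inside the assignment target holds a display name, `"Specialized Workstations"`, rather than a group object id, so the import has to resolve the name in the target tenant and should fail loudly when no such group exists instead of leaving the profile unassigned. The same applies to the file sections ending at L12087 and L12912 and the one cut off after L12946.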


@ -0,0 +1,521 @@
{
"@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration",
"id": "79a4ae59-5dce-4e5e-9331-fafe87d211ca",
"lastModifiedDateTime": "2020-11-20T16:06:01.6048672Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-20T15:41:15.8661567Z",
"description": "",
"displayName": "Specialized-Win10-Endpoint-Protection-UI",
"version": 2,
"dmaGuardDeviceEnumerationPolicy": "deviceDefault",
"xboxServicesEnableXboxGameSaveTask": false,
"xboxServicesAccessoryManagementServiceStartupMode": "disabled",
"xboxServicesLiveAuthManagerServiceStartupMode": "disabled",
"xboxServicesLiveGameSaveServiceStartupMode": "disabled",
"xboxServicesLiveNetworkingServiceStartupMode": "disabled",
"localSecurityOptionsBlockMicrosoftAccounts": true,
"localSecurityOptionsBlockRemoteLogonWithBlankPassword": true,
"localSecurityOptionsDisableAdministratorAccount": true,
"localSecurityOptionsAdministratorAccountName": null,
"localSecurityOptionsDisableGuestAccount": true,
"localSecurityOptionsGuestAccountName": null,
"localSecurityOptionsAllowUndockWithoutHavingToLogon": true,
"localSecurityOptionsBlockUsersInstallingPrinterDrivers": false,
"localSecurityOptionsBlockRemoteOpticalDriveAccess": true,
"localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser": "administrators",
"localSecurityOptionsMachineInactivityLimit": 5,
"localSecurityOptionsMachineInactivityLimitInMinutes": 5,
"localSecurityOptionsDoNotRequireCtrlAltDel": false,
"localSecurityOptionsHideLastSignedInUser": false,
"localSecurityOptionsHideUsernameAtSignIn": false,
"localSecurityOptionsLogOnMessageTitle": null,
"localSecurityOptionsLogOnMessageText": null,
"localSecurityOptionsAllowPKU2UAuthenticationRequests": true,
"localSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool": false,
"localSecurityOptionsAllowRemoteCallsToSecurityAccountsManager": null,
"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients": "ntlmV2And128BitEncryption",
"localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers": "ntlmV2And128BitEncryption",
"lanManagerAuthenticationLevel": "lmNtlmV2AndNotLmOrNtm",
"lanManagerWorkstationDisableInsecureGuestLogons": true,
"localSecurityOptionsClearVirtualMemoryPageFile": false,
"localSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn": false,
"localSecurityOptionsAllowUIAccessApplicationElevation": true,
"localSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations": true,
"localSecurityOptionsOnlyElevateSignedExecutables": true,
"localSecurityOptionsAdministratorElevationPromptBehavior": "promptForCredentialsOnTheSecureDesktop",
"localSecurityOptionsStandardUserElevationPromptBehavior": "promptForCredentialsOnTheSecureDesktop",
"localSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation": false,
"localSecurityOptionsDetectApplicationInstallationsAndPromptForElevation": true,
"localSecurityOptionsAllowUIAccessApplicationsForSecureLocations": false,
"localSecurityOptionsUseAdminApprovalMode": false,
"localSecurityOptionsUseAdminApprovalModeForAdministrators": false,
"localSecurityOptionsInformationShownOnLockScreen": "notConfigured",
"localSecurityOptionsInformationDisplayedOnLockScreen": "notConfigured",
"localSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees": false,
"localSecurityOptionsClientDigitallySignCommunicationsAlways": true,
"localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers": true,
"localSecurityOptionsDisableServerDigitallySignCommunicationsAlways": false,
"localSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees": false,
"localSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares": true,
"localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts": true,
"localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares": true,
"localSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange": true,
"localSecurityOptionsSmartCardRemovalBehavior": "lockWorkstation",
"defenderSecurityCenterDisableAppBrowserUI": false,
"defenderSecurityCenterDisableFamilyUI": true,
"defenderSecurityCenterDisableHealthUI": false,
"defenderSecurityCenterDisableNetworkUI": false,
"defenderSecurityCenterDisableVirusUI": false,
"defenderSecurityCenterDisableAccountUI": false,
"defenderSecurityCenterDisableClearTpmUI": true,
"defenderSecurityCenterDisableHardwareUI": false,
"defenderSecurityCenterDisableNotificationAreaUI": false,
"defenderSecurityCenterDisableRansomwareUI": false,
"defenderSecurityCenterDisableSecureBootUI": false,
"defenderSecurityCenterDisableTroubleshootingUI": false,
"defenderSecurityCenterDisableVulnerableTpmFirmwareUpdateUI": true,
"defenderSecurityCenterOrganizationDisplayName": null,
"defenderSecurityCenterHelpEmail": null,
"defenderSecurityCenterHelpPhone": null,
"defenderSecurityCenterHelpURL": null,
"defenderSecurityCenterNotificationsFromApp": "notConfigured",
"defenderSecurityCenterITContactDisplay": "notConfigured",
"windowsDefenderTamperProtection": "enable",
"firewallBlockStatefulFTP": true,
"firewallIdleTimeoutForSecurityAssociationInSeconds": null,
"firewallPreSharedKeyEncodingMethod": "deviceDefault",
"firewallIPSecExemptionsNone": false,
"firewallIPSecExemptionsAllowNeighborDiscovery": false,
"firewallIPSecExemptionsAllowICMP": false,
"firewallIPSecExemptionsAllowRouterDiscovery": false,
"firewallIPSecExemptionsAllowDHCP": false,
"firewallCertificateRevocationListCheckMethod": "deviceDefault",
"firewallMergeKeyingModuleSettings": false,
"firewallPacketQueueingMethod": "deviceDefault",
"defenderAdobeReaderLaunchChildProcess": "enable",
"defenderAttackSurfaceReductionExcludedPaths": [
],
"defenderOfficeAppsOtherProcessInjectionType": "block",
"defenderOfficeAppsOtherProcessInjection": "enable",
"defenderOfficeCommunicationAppsLaunchChildProcess": "enable",
"defenderOfficeAppsExecutableContentCreationOrLaunchType": "block",
"defenderOfficeAppsExecutableContentCreationOrLaunch": "enable",
"defenderOfficeAppsLaunchChildProcessType": "block",
"defenderOfficeAppsLaunchChildProcess": "enable",
"defenderOfficeMacroCodeAllowWin32ImportsType": "block",
"defenderOfficeMacroCodeAllowWin32Imports": "enable",
"defenderScriptObfuscatedMacroCodeType": "block",
"defenderScriptObfuscatedMacroCode": "enable",
"defenderScriptDownloadedPayloadExecutionType": "block",
"defenderScriptDownloadedPayloadExecution": "enable",
"defenderPreventCredentialStealingType": "enable",
"defenderProcessCreationType": "block",
"defenderProcessCreation": "enable",
"defenderUntrustedUSBProcessType": "block",
"defenderUntrustedUSBProcess": "enable",
"defenderUntrustedExecutableType": "block",
"defenderUntrustedExecutable": "enable",
"defenderEmailContentExecutionType": "block",
"defenderEmailContentExecution": "enable",
"defenderAdvancedRansomewareProtectionType": "enable",
"defenderGuardMyFoldersType": "enable",
"defenderGuardedFoldersAllowedAppPaths": [
],
"defenderAdditionalGuardedFolders": [
],
"defenderNetworkProtectionType": "enable",
"defenderExploitProtectionXml": null,
"defenderExploitProtectionXmlFileName": null,
"defenderSecurityCenterBlockExploitProtectionOverride": true,
"appLockerApplicationControl": "notConfigured",
"deviceGuardLocalSystemAuthorityCredentialGuardSettings": "notConfigured",
"deviceGuardEnableVirtualizationBasedSecurity": false,
"deviceGuardEnableSecureBootWithDMA": false,
"deviceGuardSecureBootWithDMA": "notConfigured",
"deviceGuardLaunchSystemGuard": "notConfigured",
"smartScreenEnableInShell": true,
"smartScreenBlockOverrideForFiles": true,
"applicationGuardEnabled": false,
"applicationGuardEnabledOptions": "notConfigured",
"applicationGuardBlockFileTransfer": "notConfigured",
"applicationGuardBlockNonEnterpriseContent": false,
"applicationGuardAllowPersistence": false,
"applicationGuardForceAuditing": false,
"applicationGuardBlockClipboardSharing": "notConfigured",
"applicationGuardAllowPrintToPDF": false,
"applicationGuardAllowPrintToXPS": false,
"applicationGuardAllowPrintToLocalPrinters": false,
"applicationGuardAllowPrintToNetworkPrinters": false,
"applicationGuardAllowVirtualGPU": false,
"applicationGuardAllowFileSaveOnHost": false,
"bitLockerAllowStandardUserEncryption": true,
"bitLockerDisableWarningForOtherDiskEncryption": true,
"bitLockerEnableStorageCardEncryptionOnMobile": false,
"bitLockerEncryptDevice": true,
"bitLockerRecoveryPasswordRotation": "enabledForAzureAd",
"defenderDisableScanArchiveFiles": null,
"defenderAllowScanArchiveFiles": null,
"defenderDisableBehaviorMonitoring": null,
"defenderAllowBehaviorMonitoring": null,
"defenderDisableCloudProtection": null,
"defenderAllowCloudProtection": null,
"defenderEnableScanIncomingMail": null,
"defenderEnableScanMappedNetworkDrivesDuringFullScan": null,
"defenderDisableScanRemovableDrivesDuringFullScan": null,
"defenderAllowScanRemovableDrivesDuringFullScan": null,
"defenderDisableScanDownloads": null,
"defenderAllowScanDownloads": null,
"defenderDisableIntrusionPreventionSystem": null,
"defenderAllowIntrusionPreventionSystem": null,
"defenderDisableOnAccessProtection": null,
"defenderAllowOnAccessProtection": null,
"defenderDisableRealTimeMonitoring": null,
"defenderAllowRealTimeMonitoring": null,
"defenderDisableScanNetworkFiles": null,
"defenderAllowScanNetworkFiles": null,
"defenderDisableScanScriptsLoadedInInternetExplorer": null,
"defenderAllowScanScriptsLoadedInInternetExplorer": null,
"defenderBlockEndUserAccess": null,
"defenderAllowEndUserAccess": null,
"defenderScanMaxCpuPercentage": null,
"defenderCheckForSignaturesBeforeRunningScan": null,
"defenderCloudBlockLevel": null,
"defenderCloudExtendedTimeoutInSeconds": null,
"defenderDaysBeforeDeletingQuarantinedMalware": null,
"defenderDisableCatchupFullScan": null,
"defenderDisableCatchupQuickScan": null,
"defenderEnableLowCpuPriority": null,
"defenderFileExtensionsToExclude": [
],
"defenderFilesAndFoldersToExclude": [
],
"defenderProcessesToExclude": [
],
"defenderPotentiallyUnwantedAppAction": null,
"defenderScanDirection": null,
"defenderScanType": null,
"defenderScheduledQuickScanTime": null,
"defenderScheduledScanDay": null,
"defenderScheduledScanTime": null,
"defenderSignatureUpdateIntervalInHours": null,
"defenderSubmitSamplesConsentType": null,
"defenderDetectedMalwareActions": null,
"firewallRules": [
],
"userRightsAccessCredentialManagerAsTrustedCaller": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsAllowAccessFromNetwork": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsBlockAccessFromNetwork": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsActAsPartOfTheOperatingSystem": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLocalLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDenyLocalLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsBackupData": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsChangeSystemTime": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateGlobalObjects": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreatePageFile": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreatePermanentSharedObjects": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateSymbolicLinks": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsCreateToken": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDebugPrograms": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRemoteDesktopServicesLogOn": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsDelegation": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsGenerateSecurityAudits": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsImpersonateClient": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsIncreaseSchedulingPriority": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLoadUnloadDrivers": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsLockMemory": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsManageAuditingAndSecurityLogs": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsManageVolumes": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsModifyFirmwareEnvironment": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsModifyObjectLabels": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsProfileSingleProcess": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRemoteShutdown": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsRestoreData": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"userRightsTakeOwnership": {
"state": "notConfigured",
"localUsersOrGroups": [
]
},
"firewallProfileDomain": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": true,
"outboundConnectionsBlocked": false,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"firewallProfilePublic": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": true,
"outboundConnectionsBlocked": false,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"firewallProfilePrivate": {
"firewallEnabled": "allowed",
"stealthModeRequired": false,
"stealthModeBlocked": false,
"incomingTrafficRequired": false,
"incomingTrafficBlocked": false,
"unicastResponsesToMulticastBroadcastsRequired": false,
"unicastResponsesToMulticastBroadcastsBlocked": false,
"inboundNotificationsRequired": false,
"inboundNotificationsBlocked": true,
"authorizedApplicationRulesFromGroupPolicyMerged": false,
"authorizedApplicationRulesFromGroupPolicyNotMerged": true,
"globalPortRulesFromGroupPolicyMerged": false,
"globalPortRulesFromGroupPolicyNotMerged": true,
"connectionSecurityRulesFromGroupPolicyMerged": false,
"connectionSecurityRulesFromGroupPolicyNotMerged": true,
"outboundConnectionsRequired": true,
"outboundConnectionsBlocked": false,
"inboundConnectionsRequired": false,
"inboundConnectionsBlocked": true,
"securedPacketExemptionAllowed": false,
"securedPacketExemptionBlocked": false,
"policyRulesFromGroupPolicyMerged": false,
"policyRulesFromGroupPolicyNotMerged": true
},
"bitLockerSystemDrivePolicy": {
"encryptionMethod": "xtsAes128",
"startupAuthenticationRequired": true,
"startupAuthenticationBlockWithoutTpmChip": true,
"startupAuthenticationTpmUsage": "allowed",
"startupAuthenticationTpmPinUsage": "allowed",
"startupAuthenticationTpmKeyUsage": "blocked",
"startupAuthenticationTpmPinAndKeyUsage": "blocked",
"minimumPinLength": 9,
"prebootRecoveryEnableMessageAndUrl": false,
"prebootRecoveryMessage": null,
"prebootRecoveryUrl": null,
"recoveryOptions": {
"blockDataRecoveryAgent": false,
"recoveryPasswordUsage": "allowed",
"recoveryKeyUsage": "blocked",
"hideRecoveryOptions": true,
"enableRecoveryInformationSaveToStore": true,
"recoveryInformationToStore": "passwordAndKey",
"enableBitLockerAfterRecoveryInformationToStore": true
}
},
"bitLockerFixedDrivePolicy": {
"encryptionMethod": "xtsAes128",
"requireEncryptionForWriteAccess": false,
"recoveryOptions": {
"blockDataRecoveryAgent": true,
"recoveryPasswordUsage": "allowed",
"recoveryKeyUsage": "blocked",
"hideRecoveryOptions": true,
"enableRecoveryInformationSaveToStore": true,
"recoveryInformationToStore": "passwordAndKey",
"enableBitLockerAfterRecoveryInformationToStore": true
}
},
"bitLockerRemovableDrivePolicy": {
"encryptionMethod": "aesCbc128",
"requireEncryptionForWriteAccess": true,
"blockCrossOrganizationWriteAccess": true
},
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u002779a4ae59-5dce-4e5e-9331-fafe87d211ca\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/assignments",
"assignments": [
{
"id": "79a4ae59-5dce-4e5e-9331-fafe87d211ca_c99ee281-71f3-457b-9bcf-41f710263994",
"source": "direct",
"sourceId": "79a4ae59-5dce-4e5e-9331-fafe87d211ca",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Specialized Workstations"
}
}
]
}
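Review bot: Several `localSecurityOptions*` booleans whose names read as permissions are set `true` in this hardening profile — `localSecurityOptionsAllowUndockWithoutHavingToLogon`, `localSecurityOptionsAllowPKU2UAuthenticationRequests`, `localSecurityOptionsAllowUIAccessApplicationElevation`, `localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers` and `localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares` — while the neighbouring `localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts` is also `true`. I believe the Graph beta schema documents a number of these "Allow…" properties as block/prevent settings despite their names, so the values are probably the intended restrictive ones, but anyone diffing this file against a security baseline will misread them; confirm each against the Intune UI for this profile and record the name-to-meaning mapping in the README. The UAC trio `localSecurityOptionsUseAdminApprovalMode`, `localSecurityOptionsUseAdminApprovalModeForAdministrators` and `localSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation`, all `false`, needs the same check, since read literally they weaken elevation prompting on a device tier that is meant to be hardened. `deviceGuardLocalSystemAuthorityCredentialGuardSettings` is `notConfigured` and `deviceGuardEnableVirtualizationBasedSecurity` is `false`; if leaving Credential Guard and VBS unmanaged is deliberate for Specialized devices, a short note saying so would stop it being "fixed" later.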


@ -0,0 +1,44 @@
{
"@odata.type": "#microsoft.graph.windowsIdentityProtectionConfiguration",
"id": "eeb1c9fd-5cce-4037-9d52-2f51bbc54b2b",
"lastModifiedDateTime": "2020-11-20T15:49:24.9795839Z",
"roleScopeTagIds": [
"0"
],
"supportsScopeTags": true,
"deviceManagementApplicabilityRuleOsEdition": null,
"deviceManagementApplicabilityRuleOsVersion": null,
"deviceManagementApplicabilityRuleDeviceMode": null,
"createdDateTime": "2020-11-20T15:41:25.9064811Z",
"description": "",
"displayName": "Specialized-Win10-Identity-Protection-UI",
"version": 2,
"useSecurityKeyForSignin": true,
"enhancedAntiSpoofingForFacialFeaturesEnabled": true,
"pinMinimumLength": 8,
"pinMaximumLength": 100,
"pinUppercaseCharactersUsage": "blocked",
"pinLowercaseCharactersUsage": "blocked",
"pinSpecialCharactersUsage": "blocked",
"pinExpirationInDays": null,
"pinPreviousBlockCount": null,
"pinRecoveryEnabled": true,
"securityDeviceRequired": true,
"unlockWithBiometricsEnabled": true,
"useCertificatesForOnPremisesAuthEnabled": false,
"windowsHelloForBusinessBlocked": false,
"assignments@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/deviceConfigurations(\u0027eeb1c9fd-5cce-4037-9d52-2f51bbc54b2b\u0027)/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windows10CustomConfiguration/microsoft.graph.windows10GeneralConfiguration/microsoft.graph.windows10EndpointProtectionConfiguration/microsoft.graph.windowsIdentityProtectionConfiguration/assignments",
"assignments": [
{
"id": "eeb1c9fd-5cce-4037-9d52-2f51bbc54b2b_c99ee281-71f3-457b-9bcf-41f710263994",
"source": "direct",
"sourceId": "eeb1c9fd-5cce-4037-9d52-2f51bbc54b2b",
"target": {
"@odata.type": "#microsoft.graph.groupAssignmentTarget",
"deviceAndAppManagementAssignmentFilterId": null,
"deviceAndAppManagementAssignmentFilterType": "none",
"groupId": "Specialized Workstations"
}
}
]
}


@ -0,0 +1,83 @@
[
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('06b9c400-f1ed-4046-b8cb-02af3ae8e38d')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('75c20a0b-f76e-4131-892a-1f47dd6534e4')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "2",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('75c20a0b-f76e-4131-892a-1f47dd6534e4')/presentations('6f605b7e-ca35-4f6a-b616-0cf85f5e9580')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('59922037-5107-4eaf-a72f-249a73c08d16')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('6189eace-13bd-435e-b438-2f38495bf9cc')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('1a52c714-6ece-45d2-a8a9-505f97bdec1b')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueList",
"values": [
{
"name": "*",
"value": null
}
],
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('1a52c714-6ece-45d2-a8a9-505f97bdec1b')/presentations('75f2a4b4-fa3d-4acc-bbba-6a120e2ef96e')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('270e643f-a1dd-49eb-8365-8292e9d6c7f7')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('fdfedea9-c9d1-4109-9b59-883cfe2d861a')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "ntlm,negotiate",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('fdfedea9-c9d1-4109-9b59-883cfe2d861a')/presentations('e6b8ffac-8e06-4a30-95c6-cec2dfc1a08f')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('bc6a79f3-77d4-462c-9924-8ea74dc34386')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('ccfd2123-ff05-4680-a4eb-ab2790b6d6ed')",
"enabled": "false"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('6f317cd9-3683-476b-adea-b93eb74e07c1')",
"enabled": "true"
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('7f7e757c-1137-4e59-8cd1-cb51ca6896c0')",
"enabled": "true",
"presentationValues": [
{
"@odata.type": "#microsoft.graph.groupPolicyPresentationValueText",
"value": "tls1.2",
"presentation@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('7f7e757c-1137-4e59-8cd1-cb51ca6896c0')/presentations('10ecdc74-5985-4f1e-9308-ceadffe422ff')"
}
]
},
{
"definition@odata.bind": "https://graph.microsoft.com/beta/deviceManagement/groupPolicyDefinitions('f9de5937-2ff5-4c34-a5ec-d0d997787b68')",
"enabled": "true"
}
]

87
SPE/MasterScript-SPE.ps1 Normal file

@ -0,0 +1,87 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
# Determine script location for PowerShell
$ScriptDir = Split-Path $script:MyInvocation.MyCommand.Path
Function Set-AADAuth {
<#
.SYNOPSIS
This function is used to authenticate with the Azure AD interface
.DESCRIPTION
The function authenticate with the Azure AD Interface with the tenant name
.EXAMPLE
Set-AADAuth
Authenticates you with the Azure AD interface
.NOTES
NAME: Set-AADAuth
#>
[cmdletbinding()]
param
(
#[Parameter(Mandatory=$true)]
$User
)
Write-Host "Checking for AzureAD Preview module..."
$AadModule = Get-Module -Name "AzureADPreview" -ListAvailable
if ($AadModule -eq $null) {
write-host
write-host "AzureAD Powershell module not installed..." -f Red
write-host "Attempting module install now" -f Red
Install-Module -Name AzureADPreview -AllowClobber -Force
#write-host "Install by running 'Install-Module AzureAD' or 'Install-Module AzureADPreview' from an elevated PowerShell prompt" -f Yellow
#write-host "Script can't continue..." -f Red
write-host
#exit
}
Connect-AzureAD -AccountId $user | Out-Null
}
####################################################
$User = Read-Host -Prompt "Please specify your user principal name for Azure Authentication"
Set-AADAuth -user $user
####################################################
write-host "Adding Device Configuration Profiles"
. $ScriptDir/Import-SPE-DeviceConfiguration.ps1
Start-Sleep -s 5
write-host "Adding Device Compliance Policies"
. $ScriptDir/Import-SPE-DeviceCompliancePolicies.ps1
Start-Sleep -s 5
write-host "Adding Edge Browser Policy"
. $ScriptDir/Import-SPE-DeviceConfigurationADMX.ps1
Start-Sleep -s 5
#Write-host "Importing Device Config PowerShell script"
#. $ScriptDir/Import-SPE-DeviceConfigScript.ps1
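Review bot: The sign-in on the last line of Set-AADAuth, `Connect-AzureAD -AccountId $user | Out-Null`, is never checked; under the default ErrorAction a failed or cancelled sign-in only prints an error and the script goes on to dot-source the three Import-SPE-*.ps1 scripts, which then run without a valid session. Changing it to `Connect-AzureAD -AccountId $User -ErrorAction Stop | Out-Null` makes the failure terminating so the imports are not attempted. The missing-module branch runs `Install-Module -Name AzureADPreview -AllowClobber -Force` unattended from whichever repository is registered, with no version pin; consider adding `-RequiredVersion` or at least a comment stating that the script installs from the public gallery on first run. The `$AadModule -eq $null` comparison is also better written `$null -eq $AadModule`, since Get-Module -ListAvailable can return an array and the left-hand-null form then filters rather than compares.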

55
SPE/Readme.md Normal file

@ -0,0 +1,55 @@
# Specialized Profile configuration
The scripts for configuring the Specialized security baseline are located in this folder.
Before the scripts can be run install Azure AD powershell module on your device
```powershell
Import-Module AzureAD -force
```
and allow scripts to run on your device;
```powershell
Set-ExecutionPolicy remotesigned
```
[**MasterScript_SPE.PS1**](MasterScript-SPE.ps1) - This script is used to import the Compliance policies, Configuration profiles used to apply the Specialized Profile settings
To import the Specialized Profile configuration settings into your tenant
Open powershell console
Navigate to SPE folder in Repo
```powershell
.\MasterScript-SPE.ps1
```
Enter **username** and **password** of an account that has Intune Administrator (preferred) or Global Admin privilege
Wait for the import process to complete.
The MasterScript_SPE.ps1 file calls the following scripts to import the Compliance Policies, Configuration Profiles
[**Import-SPE-DeviceCompliancePolicies.ps1**](Import-SPE-DeviceCompliancePolicies.ps1) - This scripts imports the three device compliance policies for the Specialized profile. Three policies are used to ensure that Conditional Access does not prevent a user from being able to access resources. Refer to [Windows 10 and later settings to mark devices as compliant or not compliant using Intune](https://docs.microsoft.com/en-us/mem/intune/protect/compliance-policy-create-windows)
1. [Specialized Compliance ATP](JSON/DeviceCompliance/SPE-Compliance-ATP.json) policy is used to feed the Threat Intelligence data from Microsoft Defender for Endpoint into the devices compliance state so its signals can be used as part of the Conditional Access evaluation process.
2. [Specialized Compliance Delayed](JSON/DeviceCompliance/SPE-Compliance-Delayed.json) policy applies a more complete set of compliance settings to the device but its application is delayed by 24 hours. this is because the device health attestation that is required to assess policies like BitLocker and Secure Boot is only calculated once a device has rebooted and then might take a number of hours to process whether the device is compliant or not.
3. [Specialized-Compliance-Immediate](JSON/DeviceCompliance/SPE-Compliance-Immediate.json) policy is used to apply a minimum level of compliance to users and is configured to apply immediately.
[**Import-SPE-DeviceConfiguration.ps1**](Import-SPE-DeviceConfiguration.ps1) - this script is used to import the Device Configuration profiles that harden the Operating System. there are five profiles used:
1. [Specialized-Config-Win10-Custom-CSP](JSON/DeviceConfiguration/Specialized-Config-Win10-Custom-CSP_17-11-2020-17-00-43.json) Applies configuration service provider (CSP) settings that are not available in the Endpoint Manager UI, refer to [Configuration service provider reference](https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-reference) for the complete list of the CSP settings available.
2. [Specialized-Config-Win10-Device-Restrictions-UI](JSON/DeviceConfiguration/Specialized-Config-Win10-Device-Restrictions-UI_17-11-2020-17-00-43.json) applies settings that restrict cloud account use, configure password policy, Microsoft Defender SmartScreen, Microsoft Defender Antivirus. Refer to [Windows 10 (and newer) device settings to allow or restrict features using Intune](https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-windows-10) for more details of the settings applied using the profile.
3. [Specialized-Config-Win10-Endpoint-Protection-UI](JSON/DeviceConfiguration/Specialized-Config-Win10-Endpoint-Protection-UI_17-11-2020-17-00-43.json) applies settings that are used to protect devices in endpoint protection configuration profiles including BitLocker, Device Guard, Microsoft Defender Firewall, Microsoft Defender Exploit Guard, refer to [Windows 10 (and later) settings to protect devices using Intune](https://docs.microsoft.com/en-us/mem/intune/protect/endpoint-protection-windows-10?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json) for more details of the settings applied using the profile.
4. [Specialized-Config-Win10-Identity-Protection-UI](JSON/DeviceConfiguration/Specialized-Config-Win10-Identity-Protection-UI_17-11-2020-17-00-43.json) applies the Windows Hello for Business settings to devices, refer to [Windows 10 device settings to enable Windows Hello for Business in Intune](https://docs.microsoft.com/en-us/mem/intune/protect/identity-protection-windows-settings?toc=/intune/configuration/toc.json&bc=/intune/configuration/breadcrumb/toc.json) for more details of the settings applied using the profile.
5. [SPE-Win10-AppLocker-Custom-CSP](JSON/DeviceConfiguration/SPE-Win10-AppLocker-Custom-CSP_25-11-2020-17-42-11.json) applies the Restricted Execution Model policies in audit mode. The AppLocker configuration is configured to allow applications to run under C:\Program Files, C:\Program Files (x86) and C:\Windows, with user writable paths under blocked. the characteristics for the AppLocker approach is:
* Assumption is that users are non-privileged users.
* Wherever a user can write they are blocked from executing
* Wherever a user can execute they are blocked from writing
The Specialized policy also includes rules to allow OneDrive and Microsoft Teams clients to run under the user's profile directory
[**Import-SPE-DeviceConfigurationADMX.ps1**](JSON/DeviceConfigurationADMX/Specialized-Edge%20Version%2085%20-%20Computer.json) this script is used to import the Device Configuration ADMX Template profile that configures Microsoft Edge security settings.
1. [Specialized-Edge Version 85 - Computer](JSON/DeviceConfigurationADMX/Specialized-Edge%20Version%2085%20-%20Computer.json) applies administrative policies that control features in Microsoft Edge version 77 and later, refer to [Microsoft Edge - Policies](https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies) or more details of the settings applied using the profile.


@ -0,0 +1,385 @@
<#
.COPYRIGHT
Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT license.
See LICENSE in the project root for license information.
#>
$script:ScriptName = $myInvocation.MyCommand.Name
$script:ScriptName = $scriptName.Substring(0, $scriptName.Length - 4)
$script:LogName = $scriptName + "_" + (Get-Date -UFormat "%d-%m-%Y")
$script:logFile = "$env:Temp\$LogName.log"
Function Start-Log {
param (
[string]$FilePath,
[Parameter(HelpMessage = 'Deletes existing file if used with the -DeleteExistingFile switch')]
[switch]$DeleteExistingFile
)
Try {
If (!(Test-Path $FilePath)) {
## Create the log file
New-Item $FilePath -Type File -Force | Out-Null
}
If ($DeleteExistingFile) {
Remove-Item $FilePath -Force
}
## Set the global variable to be used as the FilePath for all subsequent Write-Log
## calls in this session
$script:ScriptLogFilePath = $FilePath
}
Catch {
Write-Error $_.Exception.Message
}
}
####################################################
Function Write-Log {
#Write-Log -Message 'warning' -LogLevel 2
#Write-Log -Message 'Error' -LogLevel 3
param (
[Parameter(Mandatory = $true)]
[string]$Message,
[Parameter()]
[ValidateSet(1, 2, 3)]
[int]$LogLevel = 1,
[Parameter(HelpMessage = 'Outputs message to Event Log,when used with -WriteEventLog')]
[switch]$WriteEventLog
)
Write-Host
Write-Host $Message
Write-Host
$TimeGenerated = "$(Get-Date -Format HH:mm:ss).$((Get-Date).Millisecond)+000"
$Line = '<![LOG[{0}]LOG]!><time="{1}" date="{2}" component="{3}" context="" type="{4}" thread="" file="">'
$LineFormat = $Message, $TimeGenerated, (Get-Date -Format MM-dd-yyyy), "$($MyInvocation.ScriptName | Split-Path -Leaf):$($MyInvocation.ScriptLineNumber)", $LogLevel
$Line = $Line -f $LineFormat
Add-Content -Value $Line -Path $ScriptLogFilePath
If ($WriteEventLog) { Write-EventLog -LogName $EventLogName -Source $EventLogSource -Message $Message -Id 100 -Category 0 -EntryType Information }
}
Function Is-VM {
<#
.SYNOPSIS
This function checks WMI to determine if the device is a VM
.DESCRIPTION
This function checks WMI to determine if the device is a VM
.EXAMPLE
Is-VM
This function checks WMI to determine if the device is a VM
.NOTES
NAME: Is-VM
#>
[CmdletBinding()]
Param ()
Begin {
Write-Log -Message "$($MyInvocation.InvocationName) function..."
}
Process {
Write-Log -Message "Checking WMI class: Win32_ComputerSystem for string: *virtual*"
Try {
$ComputerSystemInfo = Get-CIMInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
#$ComputerSystemInfo
if ($ComputerSystemInfo.Model -like "*virtual*") {
Write-Log -Message "Virtual string detected"
$True
}
else {
Write-Log -Message "Virtual string not found"
$False
}
}
Catch [Exception] {
Write-Log -Message "Error occurred: $($_.Exception.message)"
Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
}
}
End {
Write-Log -Message "Ending: $($MyInvocation.Mycommand)"
}
}
Start-Log -FilePath $logFile -DeleteExistingFile
Write-Host
Write-Host "Script log file path is [$logFile]" -ForegroundColor Cyan
Write-Host
#region IsVM
If (Is-VM) {
Write-Log -Message "Machine is a VM"
}
Else {
Write-Host "Machine is a physical device"
#Enable Hibernate
Write-Log -Message "Enabling Hibernation"
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/HIBERNATE"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
Try {
New-ItemProperty -Path HKLM:\Software\Policies\Microsoft\Windows\Explorer -Name ShowHibernateOption -Value 1 -PropertyType DWORD -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to apply ShowHibernate regkey: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change hibernate-timeout-ac 300"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate ac timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change hibernate-timeout-dc 30"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable hibernate dc timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
$command = "C:\Windows\System32\PowerCfg.exe"
$args = "/Change standby-timeout-ac 60"
$workDir = "C:\Windows\System32"
Try {
Start-Process -FilePath $command -WorkingDirectory $workDir -ArgumentList $args -Wait -WindowStyle Hidden -ErrorAction Stop
}
Catch {
Write-Log -Message "Error occurred trying to enable standby ac timeout: $($_.Exception.message)"
#Write-Warning "$($env:computername.ToUpper()) : $($_.Exception.message)"
#Exit
}
Write-Log -Message 'Show Hibernate option in Shutdown Menu'
$registryPath = "HKLM:\Software\Policies\Microsoft\Windows\Explorer"
$regProperties = @{
Name = 'ShowHibernateOption'
Value = '1'
PropertyType = 'DWORD'
ErrorAction = 'Stop'
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished changing registry"
}
}
#endregion IsVM
#region Configure AppLocker DLL rule registry key
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Srp\Gp\DLL\2"
Write-Log -Message "Create registry path: $registryPath"
Try {
$Null = New-Item -Path $registryPath -Force
}
Catch {
Write-Log -Message "Error changing AppLocker DLL rule registry key: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished changing AppLocker DLL rule registry key"
}
#endregion Configure AppLocker DLL rule registry key
#region Configure additional Defender for Endpoint security recommendations that cannot be set in Configuration Profiles
#Handle registry changes
Write-Log -Message "Configuring additional Defender for Endpoint security recommendations that cannot be set in Configuration Profiles"
# Require users to elevate when setting a network's location - prevent changing from Public to Private firewall profile
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections" -Name NC_StdDomainUserSetLocation -Value 1 -PropertyType DWORD -Force
Write-Log -Message "Require users to elevate when setting a network's location - prevent changing from Public to Private firewall profile registry update successfully applied"
# Prevent saving of network credentials
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name DisableDomainCreds -Value 1 -PropertyType DWORD -Force
Write-Log -Message "Prevent saving of network credentials registry update successfully applied"
# Prevent changing proxy config
#region Disable Network Location Wizard - prevents users from setting network location as Private and therefore increasing the attack surface exposed in Windows Firewall
#region Disable Network Location Wizard
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Network"
$regProperties = @{
Name = "NewNetworkWindowOff"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Host "Finished Disable Network Location Wizard in registry"
}
#endregion Disable Network Location Wizard
#region Remove Powershell 2.0
try {
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction Stop
Write-Log -Message "Removed Powershell v2.0"
}
catch {
Write-Log -Message "Error occurred trying to remove Powershell v2.0: $($_.Exception.message)"
}
#endregion Remove Powershell 2.0
#region Remove WorkFolders-Client
try {
Disable-WindowsOptionalFeature -Online -FeatureName WorkFolders-Client -ErrorAction Stop
Write-Log -Message "Removed WorkFolders"
}
catch {
Write-Log -Message "Failed to remove WorkFolders"
Write-Log -Message "Error occurred trying to remove Powershell v2.0: $($_.Exception.message)"
}
#endregion Remove WorkFolders-Client
#region Remove XPS Printing
try {
Disable-WindowsOptionalFeature -Online -FeatureName Printing-XPSServices-Features -ErrorAction Stop
Write-Log -Message "Removed XPS Printing"
}
catch {
Write-Log -Message "Error occurred trying to remove XPS Printing: $($_.Exception.message)"
}
#endregion Remove XPS Printing
#region Remove WindowsMediaPlayer
try {
Disable-WindowsOptionalFeature -Online -FeatureName WindowsMediaPlayer -ErrorAction Stop
Write-Log -Message "Removed Windows Media Player"
}
catch {
Write-Log -Message "Error occurred trying to remove Windows Media Player: $($_.Exception.message)"
}
#endregion Remove WindowsMediaPlayer
#region RegistryChanges - Set W32Time Parameter Type to NTP
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters"
$regProperties = @{
Name = "Type"
Value = "NTP"
PropertyType = "String"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
Write-Log -Message "Updated Set W32Time Parameter Type to NTP in registry"
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Finished Set W32Time Parameter Type to NTP"
}
#endregion RegistryChanges - Set W32Time Parameter Type to NTP
#region RegistryChanges - Set Auto Time Sync Service to Automatic start
#Handle registry changes
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\tzautoupdate"
$regProperties = @{
Name = "Start"
Value = "3"
PropertyType = "DWORD"
ErrorAction = "Stop"
}
Try {
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
Write-Log -Message "Set Auto Time Sync Service to Automatic start in registry"
}
Catch [System.Management.Automation.ItemNotFoundException] {
Write-Log -Message "Error: $registryPath path not found, attempting to create..."
$Null = New-Item -Path $registryPath -Force
$Null = New-ItemProperty -Path $registryPath @regProperties -Force
}
Catch {
Write-Log -Message "Error changing registry: $($_.Exception.message)"
Write-Warning "Error: $($_.Exception.message)"
Exit
}
Finally {
Write-Log -Message "Set Auto Time Sync Service to Automatic start"
}
#endregion RegistryChanges - Set Auto Time Sync Service to Automatic start
<#region Remove Internet Explorer 11
try {
Disable-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64 -NoRestart #-ErrorAction Stop
Write-Log -Message "Removed Internet Explorer 11"
}
catch {
Write-Log -Message "Error occurred trying to remove Internet Explorer 11: $($_.Exception.message)"
}
Finally {
Write-Log -Message "Finished removing Internet Explorer"
}#>
#endregion Remove Internet Explorer 11