From 08ba97058fe095444f28e837fcb41d52e729ef21 Mon Sep 17 00:00:00 2001 From: Matthew McKinnon Date: Tue, 4 Mar 2025 13:07:40 +1000 Subject: [PATCH] chore: migrated to json and powershell --- .gitignore | 5 - ASR_Rules.tf | 102 ----- AzureAD_Group_MEM_Windows_workstations.tf | 18 - Bitlocker_Security_Baseline.tf | 208 --------- ..._Enumeration_of_SAM_Accounts_and_Shares.tf | 24 -- Edge_Security_Baseline.tf | 149 ------- ...ocal_Security_Authority_Protection_Mode.tf | 20 - Enforce_password_age_history.tf | 33 -- FormatPolicies.ps1 | 25 ++ ImportPolicies.ps1 | 28 ++ LAPS.tf | 42 -- OneDrive.tf | 47 --- PUA_Block.tf | 33 -- README.md | 48 ++- policies/ASRRules.json | 219 ++++++++++ policies/LAPS.json | 81 ++++ policies/OneDrive.json | 102 +++++ policies/bitlocker.json | 398 ++++++++++++++++++ policies/disableenumerationsam.json | 37 ++ policies/disablepua.json | 50 +++ policies/edge.json | 295 +++++++++++++ policies/passwordhistory.json | 61 +++ profider.tf | 48 --- 23 files changed, 1328 insertions(+), 745 deletions(-) delete mode 100644 .gitignore delete mode 100644 ASR_Rules.tf delete mode 100644 AzureAD_Group_MEM_Windows_workstations.tf delete mode 100644 Bitlocker_Security_Baseline.tf delete mode 100644 Disable_Enumeration_of_SAM_Accounts_and_Shares.tf delete mode 100644 Edge_Security_Baseline.tf delete mode 100644 Enable_Local_Security_Authority_Protection_Mode.tf delete mode 100644 Enforce_password_age_history.tf create mode 100644 FormatPolicies.ps1 create mode 100644 ImportPolicies.ps1 delete mode 100644 LAPS.tf delete mode 100644 OneDrive.tf delete mode 100644 PUA_Block.tf create mode 100644 policies/ASRRules.json create mode 100644 policies/LAPS.json create mode 100644 policies/OneDrive.json create mode 100644 policies/bitlocker.json create mode 100644 policies/disableenumerationsam.json create mode 100644 policies/disablepua.json create mode 100644 policies/edge.json create mode 100644 policies/passwordhistory.json delete mode 100644 profider.tf 
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 632e705..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-*.json
-*.terraform
-*.tfstate*
-terraform.auto.tfvars
-.terraform.lock.hcl
\ No newline at end of file
diff --git a/ASR_Rules.tf b/ASR_Rules.tf
deleted file mode 100644
index 012747f..0000000
--- a/ASR_Rules.tf
+++ /dev/null
@@ -1,102 +0,0 @@ -resource "microsoft365wp_device_management_configuration_policy" "asr_rules" { - name = "ASR Rules" - technologies = "mdm,microsoftSense" - - settings = [ - { instance = { - - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules" - group_collection = { values = [ - { - children = [ - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_block" } } - }, - { - definition_id = 
"device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_block" } } - }, - { - definition_id = 
"device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros" - choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block" } } - }, - { - definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware" - choice = { value = { value = 
"device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_block" } } - } - - ] - } - ] - } - } - } - ] - - depends_on = [azuread_group.mem_windows_devices] - assignments = [ - for x in [ - "${data.azuread_group.mem_windows_devices.object_id}" - ] : - { target = { group = { group_id = x } } } - ] - -} - diff --git a/AzureAD_Group_MEM_Windows_workstations.tf b/AzureAD_Group_MEM_Windows_workstations.tf deleted file mode 100644 index 36889c8..0000000 --- a/AzureAD_Group_MEM_Windows_workstations.tf +++ /dev/null @@ -1,18 +0,0 @@ -data "azuread_client_config" "current" {} - -resource "azuread_group" "mem_windows_devices" { - display_name = "MEM - Devices - All Windows Computers" - owners = [data.azuread_client_config.current.object_id] - security_enabled = true - types = ["DynamicMembership"] - - dynamic_membership { - enabled = true - rule = "(device.deviceOSVersion -startsWith \"10.0\") and (device.deviceOSType -eq \"Windows\")" - } -} - -data "azuread_group" "mem_windows_devices" { - depends_on = [azuread_group.mem_windows_devices] - display_name = "MEM - Devices - All Windows Computers" -} diff --git a/Bitlocker_Security_Baseline.tf b/Bitlocker_Security_Baseline.tf deleted file mode 100644 index 96959d2..0000000 --- a/Bitlocker_Security_Baseline.tf +++ /dev/null 
@@ -1,208 +0,0 @@ -resource "microsoft365wp_device_management_configuration_policy" "enable_bitlocker" { - name = "Bitlocker" - settings = [ - { instance = { - definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype" - choice = { - value = { - value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_1" - children = [ - { - definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name_6" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name_6" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name_6" } } - } - - ] - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions" - choice = { - value = { - value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_1" - children = [ - { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name_2" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name_2" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name" - choice = { value = { value = 
"device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name_0" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name_1" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name" - choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name_1" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name" - choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name_0" } } - } - , - { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name" - choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name_1" } } - } - - ] - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype" - choice = { - value = { - value = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_1" - children = [ - { - definition_id = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name_1" } } - } - ] - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions" - choice = { - value = { - value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_1" - children = [ - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name_2" } } - }, 
- { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name_2" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name_0" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name_1" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name_1" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name_1" } } - } - , - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name_1" } } - } - - ] - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_bitlocker_systemdrivesencryptiontype" - choice = { - value = { - value = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_1" - children = [ - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name_1" } } - } - ] - } - } - } }, - { instance = { - definition_id = 
"device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication" - choice = { - value = { - value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_1" - children = [ - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name_0" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name_0" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name_0" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name_0" } } - }, - { - definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name" - choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name_1" } } - } - - ] - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption" - choice = { - value = { - value = "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption_0" - children = [ - { - definition_id = "device_vendor_msft_bitlocker_allowstandarduserencryption" - choice = { value = { value = "device_vendor_msft_bitlocker_allowstandarduserencryption_1" 
} } - } - ] - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_bitlocker_configurerecoverypasswordrotation" - choice = { - value = { - value = "device_vendor_msft_bitlocker_configurerecoverypasswordrotation_2" - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_bitlocker_requiredeviceencryption" - choice = { - value = { - value = "device_vendor_msft_bitlocker_requiredeviceencryption_1" - } - } - } } - ] - - depends_on = [azuread_group.mem_windows_devices] - assignments = [ - for x in [ - "${data.azuread_group.mem_windows_devices.object_id}" - ] : - { target = { group = { group_id = x } } } - ] - -} - - diff --git a/Disable_Enumeration_of_SAM_Accounts_and_Shares.tf b/Disable_Enumeration_of_SAM_Accounts_and_Shares.tf deleted file mode 100644 index 499942c..0000000 --- a/Disable_Enumeration_of_SAM_Accounts_and_Shares.tf +++ /dev/null @@ -1,24 +0,0 @@ -resource "microsoft365wp_device_management_configuration_policy" "disable_enumeration" { - name = "Disable Enumeration of SAM Accounts and Shares" - settings = [ - { instance = { - definition_id = "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares" - choice = { - value = { - value = "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares_1" - } - } - } - } - ] - depends_on = [azuread_group.mem_windows_devices] - assignments = [ - for x in [ - "${data.azuread_group.mem_windows_devices.object_id}" - ] : - { target = { group = { group_id = x } } } - ] - -} - - diff --git a/Edge_Security_Baseline.tf b/Edge_Security_Baseline.tf deleted file mode 100644 index cc232be..0000000 --- a/Edge_Security_Baseline.tf +++ /dev/null 
@@ -1,149 +0,0 @@ -resource "microsoft365wp_device_management_configuration_policy" "beaseline_edge" { - - name = "Edge" - technologies = "mdm" - settings = [ - { instance = { - definition_id = "device_vendor_msft_policy_config_defender_enablenetworkprotection" - choice = { value = { - value = "device_vendor_msft_policy_config_defender_enablenetworkprotection_1" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_1" - children = [ - { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_extensioninstallblocklistdesc" - simple_collection = { values = [ - { string = { value = "*" } } - ] } - } - ] - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled_0" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_1" - children = [ - { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_authschemes" - simple = { value = { - string = { - value = "ntlm,negotiate" - } - } } - } - ] - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts" - choice = { value = { - value = 
"device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts_0" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed_0" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled_1" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride_1" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles_1" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed" - choice = { value = { - value = 
"device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed_0" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed_0" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed_0" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled_1" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess_1" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled_0" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess_0" - } } - } }, - { instance = { - definition_id = 
"device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled_0" - } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed" - choice = { value = { - value = "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed_0" - } } - } } - - ] - - depends_on = [azuread_group.mem_windows_devices] - assignments = [ - for x in [ - "${data.azuread_group.mem_windows_devices.object_id}" - ] : - { target = { group = { group_id = x } } } - ] - -} \ No newline at end of file diff --git a/Enable_Local_Security_Authority_Protection_Mode.tf b/Enable_Local_Security_Authority_Protection_Mode.tf deleted file mode 100644 index ecfa4e7..0000000 --- a/Enable_Local_Security_Authority_Protection_Mode.tf +++ /dev/null @@ -1,20 +0,0 @@ -resource "microsoft365wp_device_configuration_custom" "enable_lsa" { - display_name = "Enable Local Security Authority Protection Mode" - windows10 = { - oma_settings = [ - { - display_name = "Enable Local Security Authority Protection Mode" - oma_uri = "./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess" - integer = { value = 1 } - } - ] - } - depends_on = [azuread_group.mem_windows_devices] - assignments = [ - for x in [ - "${data.azuread_group.mem_windows_devices.object_id}" - ] : - { target = { group = { group_id = x } } } - ] - -} diff --git a/Enforce_password_age_history.tf b/Enforce_password_age_history.tf deleted file mode 100644 index e0bd7e1..0000000 --- a/Enforce_password_age_history.tf +++ /dev/null 
@@ -1,33 +0,0 @@
-resource "microsoft365wp_device_management_configuration_policy" "password_history" {
- name = "Enforce password age & history"
- settings = [
- { instance = {
- definition_id = "device_vendor_msft_policy_config_devicelock_devicepasswordenabled"
- choice = {
- value = {
- value = "device_vendor_msft_policy_config_devicelock_devicepasswordenabled_0"
- children = [
- {
- definition_id = "device_vendor_msft_policy_config_devicelock_devicepasswordhistory"
- simple = { value = { integer = { value = "24" } } }
- }
- ]
- }
- }
- } },
- { instance = {
- definition_id = "device_vendor_msft_policy_config_devicelock_minimumpasswordage"
- simple = { value = { integer = { value = "1" } } }
- } }
- ]
- depends_on = [azuread_group.mem_windows_devices]
- assignments = [
- for x in [
- "${data.azuread_group.mem_windows_devices.object_id}"
- ] :
- { target = { group = { group_id = x } } }
- ]
-
-}
-
-
diff --git a/FormatPolicies.ps1 b/FormatPolicies.ps1
new file mode 100644
index 0000000..9432885
--- /dev/null
+++ b/FormatPolicies.ps1
@@ -0,0 +1,25 @@
+param (
+ [Parameter(Mandatory=$true)]
+ [string]$jsonfile,
+
+ [Parameter(Mandatory=$true)]
+ [string]$export
+
+)
+
+# Read the original JSON data from the file
+$JsonData = Get-Content -Path $jsonfile -Raw
+
+# Convert JSON string to a PowerShell object
+$JsonObject = $JsonData | ConvertFrom-Json
+
+# Convert back to JSON with indentation and formatting
+$FormattedJson = $JsonObject | ConvertTo-Json -Depth 10
+
+# Write the formatted JSON string to the output file
+Set-Content -Path $output -Value $FormattedJson
+
+remove-item $jsonfile -Force -Verbose
+
+Write-Host "✅ JSON reformatted with line breaks and saved to: $export"
+
diff --git a/ImportPolicies.ps1 b/ImportPolicies.ps1
new file mode 100644
index 0000000..24b8119
--- /dev/null
+++ b/ImportPolicies.ps1
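Review bot: `Set-Content -Path $output -Value $FormattedJson` writes to a variable that is never declared — the parameter is `$export` — so under default settings the write fails with a non-terminating error and the following `remove-item $jsonfile -Force` still deletes the only copy of the input. Use the declared parameter and make the write fatal before the delete: `Set-Content -Path $export -Value $FormattedJson -ErrorAction Stop` followed by `Remove-Item -Path $jsonfile -Force -Verbose`, and a `Set-StrictMode -Version Latest` at the top would have caught the undefined name. `ConvertTo-Json -Depth 10` warns and stringifies anything nested deeper, which settings-catalog exports with nested `children` can reach, so either raise the depth or treat that warning as a failure. The README example in this commit calls the script with `-output`, which does not match the `$export` parameter either.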
@@ -0,0 +1,28 @@
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome
+
+# Get Tenant ID
+$tenant = Get-MgOrganization
+$tenantId = $tenant.Id
+
+$policies = Get-ChildItem ./policies
+
+ForEach ($policie in $policies) {
+ $PolicieName = $policie.name
+
+ $JsonData = Get-Content -Path ./policies/$PolicieName -Raw
+ $JsonDataUpdated = $JsonData -replace '\$tenantId', $tenantId
+ $PolicyObject = $JsonDataUpdated | ConvertFrom-Json
+
+ try {
+ $uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" # Using the beta version
+ $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
+ Write-Host "✅ $PolicieName - successfully imported!"
+ #$response
+ } catch {
+ Write-Error "❌ An error occurred while importing the policy: $_"
+ }
+}
+
+
+$null = Disconnect-Graph -ErrorAction SilentlyContinue
diff --git a/LAPS.tf b/LAPS.tf
deleted file mode 100644
index 34b395b..0000000
--- a/LAPS.tf
+++ /dev/null
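Review bot: The loop POSTs each file to `configurationPolicies` but never calls the policy's `/assign` action, and this commit removes the Terraform `assignments` blocks and the dynamic Windows device group, so the imported baselines will exist in the tenant but apply to no device unless the JSON bodies (not visible here) carry assignments themselves. Nothing checks for an existing policy by name before the POST, so every re-run will presumably create another copy of each policy. `Get-ChildItem ./policies` resolves against the caller's working directory and has no file filter, so consider `$policies = Get-ChildItem (Join-Path $PSScriptRoot 'policies') -Filter *.json` and reading `$policie.FullName`, with `-ErrorAction Stop` on the Graph call so the catch actually fires on HTTP errors. `Disconnect-Graph` should presumably be `Disconnect-MgGraph`, the cmdlet name documented for Microsoft.Graph.Authentication; `-ErrorAction SilentlyContinue` does not hide a command-not-found error, so confirm it resolves. The diffstat lists no JSON replacement for Enable_Local_Security_Authority_Protection_Mode.tf, so unless that setting was folded into another file, LSA protected-process mode silently drops out of the baseline this script imports.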
@@ -1,42 +0,0 @@ -resource "microsoft365wp_device_management_configuration_policy" "enable_laps" { - name = "LAPS" - settings = [ - { instance = { - definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd" - choice = { - value = { - value = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1" - children = [ - { - definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays" - simple = { value = { integer = { value = "14" } } } - }, - { - definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity" - choice = { value = { value = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4" } } - }, - { - definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength" - simple = { value = { integer = { value = "14" } } } - } - - ] - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus" - choice = { value = { value = "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1" } } - } } - ] - depends_on = [azuread_group.mem_windows_devices] - assignments = [ - for x in [ - "${data.azuread_group.mem_windows_devices.object_id}" - ] : - { target = { group = { group_id = x } } } - ] - -} - - diff --git a/OneDrive.tf b/OneDrive.tf deleted file mode 100644 index 136cdd2..0000000 --- a/OneDrive.tf +++ /dev/null 
@@ -1,47 +0,0 @@ -resource "microsoft365wp_device_management_configuration_policy" "onedrive_policy" { - name = "OneDrive Policy" - settings = [ - { instance = { - definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist" - choice = { - value = { - value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_1" - children = [ - { - definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_allowtenantlistbox" - simple_collection = { values = [ - { string = { value = var.tenant_id } } - ] } - } - ] - } - } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync" - choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync_1" } } - } }, - { instance = { - definition_id = "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync" - choice = { value = { value = "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync_1" } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig" - choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig_1" } } - } }, - { instance = { - definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled" - choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled_1" } } - } } - ] - depends_on = [azuread_group.mem_windows_devices] - assignments = [ - for x in [ - "${data.azuread_group.mem_windows_devices.object_id}" - ] : - { target = { group = { group_id = x } } } - ] - -} - - diff --git a/PUA_Block.tf b/PUA_Block.tf deleted file mode 100644 index d80b245..0000000 --- a/PUA_Block.tf +++ /dev/null 
@@ -1,33 +0,0 @@
-resource "microsoft365wp_device_management_configuration_policy" "pua_block" {
- name = "Disable PUA"
- settings = [
- { instance = {
- definition_id = "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled"
- choice = {
- value = {
- value = "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1"
- }
- }
- }
- },
- { instance = {
- definition_id = "device_vendor_msft_policy_config_defender_puaprotection"
- choice = {
- value = {
- value = "device_vendor_msft_policy_config_defender_puaprotection_1"
- }
- }
- }
- }
- ]
- depends_on = [azuread_group.mem_windows_devices]
- assignments = [
- for x in [
- "${data.azuread_group.mem_windows_devices.object_id}"
- ] :
- { target = { group = { group_id = x } } }
- ]
-
-}
-
-
diff --git a/README.md b/README.md
index 03465d8..084db2a 100644
--- a/README.md
+++ b/README.md
@@ -1,25 +1,41 @@ -# Intune Configuration Policies +![Header Image](https://legitit.com.au/wp-content/uploads/2021/11/logo.jpg) -This repository contains terraform files that will auto provision Intune Policies that will help lift Microsoft Secure Score and apply Security settings across the tenant. +# Intune Policies for Business Premium -## Azure AD Group +This reposigotry contains exported JSON formatted Intune Device Management Configuration Policies. -* AzureAD_Group_MEM_Windows_workstations - Create a Dynamic Azure AD Group with rule to add all Windows Workstations running Windows 10 or higher. +For more details information and use, please see the internal LegitiIT guides. -```PowerShell -(device.deviceOSVersion -startsWith \"10.0\") and (device.deviceOSType -eq \"Windows\") +## Running + +***IMPORTANT*** - These scripts are designed to run under PowerShell 7 (Core). They will not run with the in-built PowerShell 5.1. You can install PowerShell using the following command. + +``` +winget install --id Microsoft.PowerShell --source winget ``` -## Policies +### FormatPolicies.ps1 -* Defender ASR Rules - Set to Block -* Bitlocker - Enabled -* PUA (Potentially Unwanted Apps) Blocked -* Disable Enumeration of SAM Accounts and Shares -* Microsoft Edge Security Baseline -* Enable Local Security Authority Protection Mode -* Enforce Password History - 24 Password, 1 Password Age -* LAPS - Enable Local Administrator Account and turn on LAPS -* OneDrive +FormatPolicies.ps1 is used to reformat a downloaded JSON Intune Policie into a human readable format. +``` +.\FormatPolicies.ps1 -jsonfile -output ./policies/policiename.json +``` +### ImportPolicies.ps1 + +ImportPolicies.ps1 is used to import the policies from the policies folder. + +When you run the script it will ask you to sign into the tenant. Once signed in it will then crycle through the policies in the policies folder and import them. + +``` +pwsh> .\ImportPolicies.ps1 +✅ ASRRules.json - successfully imported! 
+✅ bitlocker.json - successfully imported! +✅ disableenumerationsam.json - successfully imported! +✅ disablepua.json - successfully imported! +✅ edge.json - successfully imported! +✅ LAPS.json - successfully imported! +✅ OneDrive.json - successfully imported! +✅ passwordhistory.json - successfully imported! +``` diff --git a/policies/ASRRules.json b/policies/ASRRules.json new file mode 100644 index 0000000..2b3c660 --- /dev/null +++ b/policies/ASRRules.json 
@@ -0,0 +1,219 @@ +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", + "createdDateTime": "2025-03-03T10:40:18.2339119Z", + "creationSource": null, + "description": "", + "lastModifiedDateTime": "2025-03-03T10:40:18.2339119Z", + "name": "ASR Rules", + "platforms": "windows10", + "priorityMetaData": null, + "roleScopeTagIds": [ + "0" + ], + "settingCount": 1, + "technologies": "mdm,microsoftSense", + "id": "f1060289-5cc1-4c41-8a43-b9dc9032cfc3", + "templateReference": { + "templateId": "", + "templateFamily": "none", + "templateDisplayName": null, + "templateDisplayVersion": null + }, + "settings": [ + { + "id": "0", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules", + "settingInstanceTemplateReference": null, + "groupSettingCollectionValue": [ + { + "settingValueTemplateReference": null, + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": 
"device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail", + 
"settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + 
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_block", + "children": [] + } + }, + { + "@odata.type": 
"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers_block", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block", + "children": [] + } 
+ }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_block", + "children": [] + } + } + ] + } + ] + } + } + ] +} diff --git a/policies/LAPS.json b/policies/LAPS.json new file mode 100644 index 0000000..a831922 --- /dev/null +++ b/policies/LAPS.json 
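Review bot: The rule `blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent` appears twice in the `groupSettingCollectionValue` children of ASRRules.json (once after the obfuscated-scripts rule, again after the unsigned-USB-process rule), both set to `_block`; one of the two entries should be dropped, or, if the second was meant to be a different rule, the export should be re-checked against the tenant. The file also carries source-tenant metadata (`id`, `createdDateTime`, `lastModifiedDateTime`, `@odata.context`, `roleScopeTagIds`); whether ImportPolicies.ps1 strips these before creating the policy is not visible in this commit, and a README line stating that the importer does so would save the next operator a failed POST. The two newer ASR rules (block rebooting in Safe Mode, block use of copied or impersonated system tools) are not in the list, which is fine if the export predates them, but the `description` field is empty and could record the rule set's date so the baseline is not assumed complete.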
@@ -0,0 +1,81 @@ +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", + "createdDateTime": "2025-03-03T10:40:15.8588089Z", + "creationSource": null, + "description": "", + "lastModifiedDateTime": "2025-03-03T10:40:15.8588089Z", + "name": "LAPS", + "platforms": "windows10", + "priorityMetaData": null, + "roleScopeTagIds": [ + "0" + ], + "settingCount": 2, + "technologies": "mdm", + "id": "e7c1fcf8-13fb-42c7-a09a-3f43d7bd5cc9", + "templateReference": { + "templateId": "", + "templateFamily": "none", + "templateDisplayName": null, + "templateDisplayVersion": null + }, + "settings": [ + { + "id": "0", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays", + "settingInstanceTemplateReference": null, + "simpleSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue", + "settingValueTemplateReference": null, + "value": 14 + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4", + "children": [] + } + }, + { + "@odata.type": 
"#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength", + "settingInstanceTemplateReference": null, + "simpleSettingValue": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue", + "settingValueTemplateReference": null, + "value": 14 + } + } + ] + } + } + }, + { + "id": "1", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1", + "children": [] + } + } + } + ] +} diff --git a/policies/OneDrive.json b/policies/OneDrive.json new file mode 100644 index 0000000..37a5ac3 --- /dev/null +++ b/policies/OneDrive.json 
@@ -0,0 +1,102 @@ +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", + "createdDateTime": "2025-03-03T10:40:16.5122859Z", + "creationSource": null, + "description": "", + "lastModifiedDateTime": "2025-03-03T10:40:16.5122859Z", + "name": "OneDrive Policy", + "platforms": "windows10", + "priorityMetaData": null, + "roleScopeTagIds": [ + "0" + ], + "settingCount": 5, + "technologies": "mdm", + "id": "35fdb839-79c6-4806-8dda-cf292462a4d8", + "templateReference": { + "templateId": "", + "templateFamily": "none", + "templateDisplayName": null, + "templateDisplayVersion": null + }, + "settings": [ + { + "id": "0", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_1", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_allowtenantlistbox", + "settingInstanceTemplateReference": null, + "simpleSettingCollectionValue": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue", + "settingValueTemplateReference": null, + "value": "$tenantid" + } + ] + } + ] + } + } + }, + { + "id": "1", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": 
"device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync_1", + "children": [] + } + } + }, + { + "id": "2", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync_1", + "children": [] + } + } + }, + { + "id": "3", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig_1", + "children": [] + } + } + }, + { + "id": "4", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled_1", + "children": [] + } + } + } + ] +} diff --git a/policies/bitlocker.json b/policies/bitlocker.json new file mode 100644 index 0000000..915bb88 --- /dev/null +++ b/policies/bitlocker.json 
@@ -0,0 +1,398 @@ +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", + "createdDateTime": "2025-03-03T10:40:20.9003455Z", + "creationSource": null, + "description": "", + "lastModifiedDateTime": "2025-03-03T10:40:20.9003455Z", + "name": "Bitlocker", + "platforms": "windows10", + "priorityMetaData": null, + "roleScopeTagIds": [ + "0" + ], + "settingCount": 9, + "technologies": "mdm", + "id": "8193519b-7e1c-45c9-ad7d-3b552a38c031", + "templateReference": { + "templateId": "", + "templateFamily": "none", + "templateDisplayName": null, + "templateDisplayVersion": null + }, + "settings": [ + { + "id": "0", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_1", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name_6", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name_6", + "children": [] + } + 
}, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name_6", + "children": [] + } + } + ] + } + } + }, + { + "id": "1", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_1", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name_2", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name_2", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": 
"device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name_0", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name_1", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name_1", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name_0", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": 
"device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name_1", + "children": [] + } + } + ] + } + } + }, + { + "id": "2", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesencryptiontype", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_1", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name_1", + "children": [] + } + } + ] + } + } + }, + { + "id": "3", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_1", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name_2", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": 
"device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name_2", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name_0", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name_1", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name_1", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + 
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name_1", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name_1", + "children": [] + } + } + ] + } + } + }, + { + "id": "4", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesencryptiontype", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_1", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name_1", + "children": [] + } + } + ] + } + } + }, + { + "id": "5", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_1", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + 
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name_0", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name_0", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name_0", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name_0", + "children": [] + } + }, + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": 
"device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name_1", + "children": [] + } + } + ] + } + } + }, + { + "id": "6", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption_0", + "children": [ + { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_allowstandarduserencryption", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_allowstandarduserencryption_1", + "children": [] + } + } + ] + } + } + }, + { + "id": "7", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_configurerecoverypasswordrotation", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_bitlocker_configurerecoverypasswordrotation_2", + "children": [] + } + } + }, + { + "id": "8", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_bitlocker_requiredeviceencryption", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": 
"device_vendor_msft_bitlocker_requiredeviceencryption_1", + "children": [] + } + } + } + ] +} diff --git a/policies/disableenumerationsam.json b/policies/disableenumerationsam.json new file mode 100644 index 0000000..a6fb0e7 --- /dev/null +++ b/policies/disableenumerationsam.json @@ -0,0 +1,37 @@ +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", + "createdDateTime": "2025-03-03T10:40:14.9626923Z", + "creationSource": null, + "description": "", + "lastModifiedDateTime": "2025-03-03T10:40:14.9626923Z", + "name": "Disable Enumeration of SAM Accounts and Shares", + "platforms": "windows10", + "priorityMetaData": null, + "roleScopeTagIds": [ + "0" + ], + "settingCount": 1, + "technologies": "mdm", + "id": "716171c5-c2ed-4646-8ff6-1a6c3a023c7b", + "templateReference": { + "templateId": "", + "templateFamily": "none", + "templateDisplayName": null, + "templateDisplayVersion": null + }, + "settings": [ + { + "id": "0", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares_1", + "children": [] + } + } + } + ] +} diff --git a/policies/disablepua.json b/policies/disablepua.json new file mode 100644 index 0000000..28b0844 --- /dev/null +++ b/policies/disablepua.json 
@@ -0,0 +1,50 @@
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
+ "createdDateTime": "2025-03-03T10:40:15.2243333Z",
+ "creationSource": null,
+ "description": "",
+ "lastModifiedDateTime": "2025-03-03T10:40:15.2243333Z",
+ "name": "Disable PUA",
+ "platforms": "windows10",
+ "priorityMetaData": null,
+ "roleScopeTagIds": [
+ "0"
+ ],
+ "settingCount": 2,
+ "technologies": "mdm",
+ "id": "8cc8e5e5-a37c-4897-a59d-912b13d446f6",
+ "templateReference": {
+ "templateId": "",
+ "templateFamily": "none",
+ "templateDisplayName": null,
+ "templateDisplayVersion": null
+ },
+ "settings": [
+ {
+ "id": "0",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "1",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_defender_puaprotection",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_defender_puaprotection_1",
+ "children": []
+ }
+ }
+ }
+ ]
+}
diff --git a/policies/edge.json b/policies/edge.json
new file mode 100644
index 0000000..6b04a93
--- /dev/null
+++ b/policies/edge.json
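Review bot: The name `"Disable PUA"` reads as the opposite of what the two settings do: `device_vendor_msft_policy_config_defender_puaprotection_1` and `..._smartscreen_smartscreenpuaenabled_1` both turn potentially-unwanted-application blocking on, so an admin scanning the policy list will misread it; `"name": "Block PUA (Defender + Edge SmartScreen)",` says what is enforced. The Edge SmartScreen PUA setting is also present in edge.json (setting id 7) under the device scope, so the same Edge policy is delivered twice from two profiles; keeping a single copy avoids a conflict report if the two are ever set to different values.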
@@ -0,0 +1,295 @@
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
+ "createdDateTime": "2025-03-03T10:40:19.7812969Z",
+ "creationSource": null,
+ "description": "",
+ "lastModifiedDateTime": "2025-03-03T10:40:19.7812969Z",
+ "name": "Edge",
+ "platforms": "windows10",
+ "priorityMetaData": null,
+ "roleScopeTagIds": [
+ "0"
+ ],
+ "settingCount": 19,
+ "technologies": "mdm",
+ "id": "4480cbff-40b6-46ca-a87d-f22d8c61748f",
+ "templateReference": {
+ "templateId": "",
+ "templateFamily": "none",
+ "templateDisplayName": null,
+ "templateDisplayVersion": null
+ },
+ "settings": [
+ {
+ "id": "0",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_defender_enablenetworkprotection",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_defender_enablenetworkprotection_1",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "1",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_1",
+ "children": [
+ {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_extensioninstallblocklistdesc",
+ "settingInstanceTemplateReference": null,
+ "simpleSettingCollectionValue": [
+ {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
+ "settingValueTemplateReference": null,
+ "value": "*"
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "2",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "3",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_1",
+ "children": [
+ {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_authschemes",
+ "settingInstanceTemplateReference": null,
+ "simpleSettingValue": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
+ "settingValueTemplateReference": null,
+ "value": "ntlm,negotiate"
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "4",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "5",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "6",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled_1",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "7",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "8",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride_1",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "9",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles_1",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "10",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "11",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "12",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "13",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled_1",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "14",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess_1",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "15",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "16",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "17",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled_0",
+ "children": []
+ }
+ }
+ },
+ {
+ "id": "18",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed_0",
+ "children": []
+ }
+ }
+ }
+ ]
+}
diff --git a/policies/passwordhistory.json b/policies/passwordhistory.json
new file mode 100644
index 0000000..613f896
--- /dev/null
+++ b/policies/passwordhistory.json 
@@ -0,0 +1,61 @@
+{
+ "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
+ "createdDateTime": "2025-03-03T10:40:15.4158052Z",
+ "creationSource": null,
+ "description": "",
+ "lastModifiedDateTime": "2025-03-03T10:40:15.4158052Z",
+ "name": "Enforce password age & history",
+ "platforms": "windows10",
+ "priorityMetaData": null,
+ "roleScopeTagIds": [
+ "0"
+ ],
+ "settingCount": 2,
+ "technologies": "mdm",
+ "id": "294af4d8-dbeb-47c3-ac75-9d7b0e1e8361",
+ "templateReference": {
+ "templateId": "",
+ "templateFamily": "none",
+ "templateDisplayName": null,
+ "templateDisplayVersion": null
+ },
+ "settings": [
+ {
+ "id": "0",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_devicelock_devicepasswordenabled",
+ "settingInstanceTemplateReference": null,
+ "choiceSettingValue": {
+ "settingValueTemplateReference": null,
+ "value": "device_vendor_msft_policy_config_devicelock_devicepasswordenabled_0",
+ "children": [
+ {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_devicelock_devicepasswordhistory",
+ "settingInstanceTemplateReference": null,
+ "simpleSettingValue": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
+ "settingValueTemplateReference": null,
+ "value": 24
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "id": "1",
+ "settingInstance": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
+ "settingDefinitionId": "device_vendor_msft_policy_config_devicelock_minimumpasswordage",
+ "settingInstanceTemplateReference": null,
+ "simpleSettingValue": {
+ "@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
+ "settingValueTemplateReference": null,
+ "value": 1
+ }
+ }
+ }
+ ]
+}
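Review bot: `device_vendor_msft_policy_config_devicelock_devicepasswordenabled_0` looks like the one setting in this commit that is switched off, but as far as I recall the DeviceLock area of the Policy CSP uses 0 for Enabled (inverted relative to the Defender and Edge choices elsewhere in the commit), which is also why the history child is nested under it; a future reader is likely to flip it to `_1` believing they are enabling it. Since JSON has no comments, the only place to record this is the empty description, e.g. `"description": "DevicePasswordEnabled=0 means ENABLED in the DeviceLock CSP. History 24, minimum age 1 day.",`. The name `Enforce password age & history` also over-promises: only MinimumPasswordAge is set here and there is no expiration or maximum-age setting, so the name or description should say "minimum age".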
diff --git a/profider.tf b/profider.tf
deleted file mode 100644
index 529bb2f..0000000
--- a/profider.tf
+++ /dev/null
@@ -1,48 +0,0 @@
-# We strongly recommend using the required_providers block to set the
-# Workplace Provider source and version being used
-terraform {
- required_providers {
-
- azuread = {
- source = "hashicorp/azuread"
- version = "~> 2.15.0"
- }
-
- microsoft365wp = {
- source = "terraprovider/microsoft365wp"
- version = "0.15.1"
- }
-
-
- }
-}
-
-variable "client_id" {
- type = string
- sensitive = true
-}
-
-variable "client_secret" {
- type = string
- sensitive = true
-}
-
-variable "tenant_id" {
- type = string
- sensitive = true
-}
-
-# Configure the Azure Active Directory Provider
-provider "azuread" {
- client_id = var.client_id
- client_secret = var.client_secret
- tenant_id = var.tenant_id
-}
-
-# Configure the Workplace Provider
-provider "microsoft365wp" {
- client_id = var.client_id
- client_secret = var.client_secret
- tenant_id = var.tenant_id
-}
-