mmckinnon/IntunePolicies
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: migrated to json and powershell

Browse Source
This commit is contained in:
Matthew McKinnon
2025-03-04 13:07:40 +10:00
parent bbca330631
commit 08ba97058f
23 changed files with 1328 additions and 745 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored
View File

@ -1,5 +0,0 @@
*.json
*.terraform
*.tfstate*
terraform.auto.tfvars
.terraform.lock.hcl

102
ASR_Rules.tf
View File

@ -1,102 +0,0 @@
resource "microsoft365wp_device_management_configuration_policy" "asr_rules" {
name = "ASR Rules"
technologies = "mdm,microsoftSense"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules"
group_collection = { values = [
{
children = [
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_block" } }
}
]
}
]
}
}
}
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

18
AzureAD_Group_MEM_Windows_workstations.tf
View File

@ -1,18 +0,0 @@
data "azuread_client_config" "current" {}
resource "azuread_group" "mem_windows_devices" {
display_name = "MEM - Devices - All Windows Computers"
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
types = ["DynamicMembership"]
dynamic_membership {
enabled = true
rule = "(device.deviceOSVersion -startsWith \"10.0\") and (device.deviceOSType -eq \"Windows\")"
}
}
data "azuread_group" "mem_windows_devices" {
depends_on = [azuread_group.mem_windows_devices]
display_name = "MEM - Devices - All Windows Computers"
}

208
Bitlocker_Security_Baseline.tf
View File

@ -1,208 +0,0 @@
resource "microsoft365wp_device_management_configuration_policy" "enable_bitlocker" {
name = "Bitlocker"
settings = [
{ instance = {
definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype"
choice = {
value = {
value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_1"
children = [
{
definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name_6" } }
},
{
definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name_6" } }
},
{
definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name_6" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions"
choice = {
value = {
value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_1"
children = [
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name_2" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name_2" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name_1" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name_1" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name_0" } }
}
,
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype"
choice = {
value = {
value = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_1"
children = [
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions"
choice = {
value = {
value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_1"
children = [
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name_2" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name_2" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name_1" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name_1" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name_1" } }
}
,
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_systemdrivesencryptiontype"
choice = {
value = {
value = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_1"
children = [
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication"
choice = {
value = {
value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_1"
children = [
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption"
choice = {
value = {
value = "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption_0"
children = [
{
definition_id = "device_vendor_msft_bitlocker_allowstandarduserencryption"
choice = { value = { value = "device_vendor_msft_bitlocker_allowstandarduserencryption_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_configurerecoverypasswordrotation"
choice = {
value = {
value = "device_vendor_msft_bitlocker_configurerecoverypasswordrotation_2"
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_requiredeviceencryption"
choice = {
value = {
value = "device_vendor_msft_bitlocker_requiredeviceencryption_1"
}
}
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

24
Disable_Enumeration_of_SAM_Accounts_and_Shares.tf
View File

@ -1,24 +0,0 @@
resource "microsoft365wp_device_management_configuration_policy" "disable_enumeration" {
name = "Disable Enumeration of SAM Accounts and Shares"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares"
choice = {
value = {
value = "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares_1"
}
}
}
}
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

149
Edge_Security_Baseline.tf
View File

@ -1,149 +0,0 @@
resource "microsoft365wp_device_management_configuration_policy" "beaseline_edge" {
name = "Edge"
technologies = "mdm"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_defender_enablenetworkprotection"
choice = { value = {
value = "device_vendor_msft_policy_config_defender_enablenetworkprotection_1"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_1"
children = [
{
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_extensioninstallblocklistdesc"
simple_collection = { values = [
{ string = { value = "*" } }
] }
}
]
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_1"
children = [
{
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_authschemes"
simple = { value = {
string = {
value = "ntlm,negotiate"
}
} }
}
]
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled_1"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride_1"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles_1"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled_1"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess_1"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled_0"
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed"
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed_0"
} }
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

20
Enable_Local_Security_Authority_Protection_Mode.tf
View File

@ -1,20 +0,0 @@
resource "microsoft365wp_device_configuration_custom" "enable_lsa" {
display_name = "Enable Local Security Authority Protection Mode"
windows10 = {
oma_settings = [
{
display_name = "Enable Local Security Authority Protection Mode"
oma_uri = "./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess"
integer = { value = 1 }
}
]
}
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

33
Enforce_password_age_history.tf
View File

@ -1,33 +0,0 @@
resource "microsoft365wp_device_management_configuration_policy" "password_history" {
name = "Enforce password age & history"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_devicelock_devicepasswordenabled"
choice = {
value = {
value = "device_vendor_msft_policy_config_devicelock_devicepasswordenabled_0"
children = [
{
definition_id = "device_vendor_msft_policy_config_devicelock_devicepasswordhistory"
simple = { value = { integer = { value = "24" } } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_devicelock_minimumpasswordage"
simple = { value = { integer = { value = "1" } } }
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

25
FormatPolicies.ps1 Normal file
View File

@ -0,0 +1,25 @@
param (
[Parameter(Mandatory=$true)]
[string]$jsonfile,
[Parameter(Mandatory=$true)]
[string]$export
)
# Read the original JSON data from the file
$JsonData = Get-Content -Path $jsonfile -Raw
# Convert JSON string to a PowerShell object
$JsonObject = $JsonData | ConvertFrom-Json
# Convert back to JSON with indentation and formatting
$FormattedJson = $JsonObject | ConvertTo-Json -Depth 10
# Write the formatted JSON string to the output file
Set-Content -Path $output -Value $FormattedJson
remove-item $jsonfile -Force -Verbose
Write-Host "✅ JSON reformatted with line breaks and saved to: $export"

28
ImportPolicies.ps1 Normal file
View File

@ -0,0 +1,28 @@
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome
# Get Tenant ID
$tenant = Get-MgOrganization
$tenantId = $tenant.Id
$policies = Get-ChildItem ./policies
ForEach ($policie in $policies) {
$PolicieName = $policie.name
$JsonData = Get-Content -Path ./policies/$PolicieName -Raw
$JsonDataUpdated = $JsonData -replace '\$tenantId', $tenantId
$PolicyObject = $JsonDataUpdated | ConvertFrom-Json
try {
$uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" # Using the beta version
$response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
Write-Host "$PolicieName - successfully imported!"
#$response
} catch {
Write-Error "❌ An error occurred while importing the policy: $_"
}
}
$null = Disconnect-Graph -ErrorAction SilentlyContinue

42
LAPS.tf
View File

@ -1,42 +0,0 @@
resource "microsoft365wp_device_management_configuration_policy" "enable_laps" {
name = "LAPS"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd"
choice = {
value = {
value = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1"
children = [
{
definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays"
simple = { value = { integer = { value = "14" } } }
},
{
definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity"
choice = { value = { value = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4" } }
},
{
definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength"
simple = { value = { integer = { value = "14" } } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus"
choice = { value = { value = "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1" } }
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

47
OneDrive.tf
View File

@ -1,47 +0,0 @@
resource "microsoft365wp_device_management_configuration_policy" "onedrive_policy" {
name = "OneDrive Policy"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist"
choice = {
value = {
value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_1"
children = [
{
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_allowtenantlistbox"
simple_collection = { values = [
{ string = { value = var.tenant_id } }
] }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync"
choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync_1" } }
} },
{ instance = {
definition_id = "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync"
choice = { value = { value = "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync_1" } }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig"
choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig_1" } }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled"
choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled_1" } }
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

33
PUA_Block.tf
View File

@ -1,33 +0,0 @@
resource "microsoft365wp_device_management_configuration_policy" "pua_block" {
name = "Disable PUA"
settings = [
{ instance = {
definition_id = "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled"
choice = {
value = {
value = "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1"
}
}
}
},
{ instance = {
definition_id = "device_vendor_msft_policy_config_defender_puaprotection"
choice = {
value = {
value = "device_vendor_msft_policy_config_defender_puaprotection_1"
}
}
}
}
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

48
README.md
View File

@ -1,25 +1,41 @@
# Intune Configuration Policies
![Header Image](https://legitit.com.au/wp-content/uploads/2021/11/logo.jpg)
This repository contains terraform files that will auto provision Intune Policies that will help lift Microsoft Secure Score and apply Security settings across the tenant.
# Intune Policies for Business Premium
## Azure AD Group
This reposigotry contains exported JSON formatted Intune Device Management Configuration Policies.
* AzureAD_Group_MEM_Windows_workstations - Create a Dynamic Azure AD Group with rule to add all Windows Workstations running Windows 10 or higher.
For more details information and use, please see the internal LegitiIT guides.
```PowerShell
(device.deviceOSVersion -startsWith \"10.0\") and (device.deviceOSType -eq \"Windows\")
## Running
***IMPORTANT*** - These scripts are designed to run under PowerShell 7 (Core). They will not run with the in-built PowerShell 5.1. You can install PowerShell using the following command.
```
winget install --id Microsoft.PowerShell --source winget
```
## Policies
### FormatPolicies.ps1
* Defender ASR Rules - Set to Block
* Bitlocker - Enabled
* PUA (Potentially Unwanted Apps) Blocked
* Disable Enumeration of SAM Accounts and Shares
* Microsoft Edge Security Baseline
* Enable Local Security Authority Protection Mode
* Enforce Password History - 24 Password, 1 Password Age
* LAPS - Enable Local Administrator Account and turn on LAPS
* OneDrive
FormatPolicies.ps1 is used to reformat a downloaded JSON Intune Policie into a human readable format.
```
.\FormatPolicies.ps1 -jsonfile <NAMEOFFILE> -output ./policies/policiename.json
```
### ImportPolicies.ps1
ImportPolicies.ps1 is used to import the policies from the policies folder.
When you run the script it will ask you to sign into the tenant. Once signed in it will then crycle through the policies in the policies folder and import them.
```
pwsh> .\ImportPolicies.ps1
✅ ASRRules.json - successfully imported!
✅ bitlocker.json - successfully imported!
✅ disableenumerationsam.json - successfully imported!
✅ disablepua.json - successfully imported!
✅ edge.json - successfully imported!
✅ LAPS.json - successfully imported!
✅ OneDrive.json - successfully imported!
✅ passwordhistory.json - successfully imported!
```

219
policies/ASRRules.json Normal file
View File

@ -0,0 +1,219 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-03-03T10:40:18.2339119Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:18.2339119Z",
"name": "ASR Rules",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 1,
"technologies": "mdm,microsoftSense",
"id": "f1060289-5cc1-4c41-8a43-b9dc9032cfc3",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules",
"settingInstanceTemplateReference": null,
"groupSettingCollectionValue": [
{
"settingValueTemplateReference": null,
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_block",
"children": []
}
}
]
}
]
}
}
]
}

81
policies/LAPS.json Normal file
View File

@ -0,0 +1,81 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-03-03T10:40:15.8588089Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:15.8588089Z",
"name": "LAPS",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 2,
"technologies": "mdm",
"id": "e7c1fcf8-13fb-42c7-a09a-3f43d7bd5cc9",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays",
"settingInstanceTemplateReference": null,
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
"settingValueTemplateReference": null,
"value": 14
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength",
"settingInstanceTemplateReference": null,
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
"settingValueTemplateReference": null,
"value": 14
}
}
]
}
}
},
{
"id": "1",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1",
"children": []
}
}
}
]
}

102
policies/OneDrive.json Normal file
View File

@ -0,0 +1,102 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-03-03T10:40:16.5122859Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:16.5122859Z",
"name": "OneDrive Policy",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 5,
"technologies": "mdm",
"id": "35fdb839-79c6-4806-8dda-cf292462a4d8",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_allowtenantlistbox",
"settingInstanceTemplateReference": null,
"simpleSettingCollectionValue": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"settingValueTemplateReference": null,
"value": "$tenantid"
}
]
}
]
}
}
},
{
"id": "1",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync_1",
"children": []
}
}
},
{
"id": "2",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync_1",
"children": []
}
}
},
{
"id": "3",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig_1",
"children": []
}
}
},
{
"id": "4",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled_1",
"children": []
}
}
}
]
}

398
policies/bitlocker.json Normal file
View File

@ -0,0 +1,398 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-03-03T10:40:20.9003455Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:20.9003455Z",
"name": "Bitlocker",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 9,
"technologies": "mdm",
"id": "8193519b-7e1c-45c9-ad7d-3b552a38c031",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name_6",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name_6",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name_6",
"children": []
}
}
]
}
}
},
{
"id": "1",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name_2",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name_2",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name_0",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name_1",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name_1",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name_0",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name_1",
"children": []
}
}
]
}
}
},
{
"id": "2",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesencryptiontype",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name_1",
"children": []
}
}
]
}
}
},
{
"id": "3",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name_2",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name_2",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name_0",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name_1",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name_1",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name_1",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name_1",
"children": []
}
}
]
}
}
},
{
"id": "4",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesencryptiontype",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name_1",
"children": []
}
}
]
}
}
},
{
"id": "5",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name_0",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name_0",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name_0",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name_0",
"children": []
}
},
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name_1",
"children": []
}
}
]
}
}
},
{
"id": "6",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption_0",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_allowstandarduserencryption",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_allowstandarduserencryption_1",
"children": []
}
}
]
}
}
},
{
"id": "7",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_configurerecoverypasswordrotation",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_configurerecoverypasswordrotation_2",
"children": []
}
}
},
{
"id": "8",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_bitlocker_requiredeviceencryption",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_bitlocker_requiredeviceencryption_1",
"children": []
}
}
}
]
}

37
policies/disableenumerationsam.json Normal file
View File

@ -0,0 +1,37 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-03-03T10:40:14.9626923Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:14.9626923Z",
"name": "Disable Enumeration of SAM Accounts and Shares",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 1,
"technologies": "mdm",
"id": "716171c5-c2ed-4646-8ff6-1a6c3a023c7b",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares_1",
"children": []
}
}
}
]
}

50
policies/disablepua.json Normal file
View File

@ -0,0 +1,50 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-03-03T10:40:15.2243333Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:15.2243333Z",
"name": "Disable PUA",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 2,
"technologies": "mdm",
"id": "8cc8e5e5-a37c-4897-a59d-912b13d446f6",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1",
"children": []
}
}
},
{
"id": "1",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_puaprotection",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_puaprotection_1",
"children": []
}
}
}
]
}

295
policies/edge.json Normal file
View File

@ -0,0 +1,295 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-03-03T10:40:19.7812969Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:19.7812969Z",
"name": "Edge",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 19,
"technologies": "mdm",
"id": "4480cbff-40b6-46ca-a87d-f22d8c61748f",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_defender_enablenetworkprotection",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_defender_enablenetworkprotection_1",
"children": []
}
}
},
{
"id": "1",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_extensioninstallblocklistdesc",
"settingInstanceTemplateReference": null,
"simpleSettingCollectionValue": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"settingValueTemplateReference": null,
"value": "*"
}
]
}
]
}
}
},
{
"id": "2",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled_0",
"children": []
}
}
},
{
"id": "3",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_1",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_authschemes",
"settingInstanceTemplateReference": null,
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationStringSettingValue",
"settingValueTemplateReference": null,
"value": "ntlm,negotiate"
}
}
]
}
}
},
{
"id": "4",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts_0",
"children": []
}
}
},
{
"id": "5",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed_0",
"children": []
}
}
},
{
"id": "6",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled_1",
"children": []
}
}
},
{
"id": "7",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1",
"children": []
}
}
},
{
"id": "8",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride_1",
"children": []
}
}
},
{
"id": "9",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles_1",
"children": []
}
}
},
{
"id": "10",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed_0",
"children": []
}
}
},
{
"id": "11",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed_0",
"children": []
}
}
},
{
"id": "12",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed_0",
"children": []
}
}
},
{
"id": "13",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled_1",
"children": []
}
}
},
{
"id": "14",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess_1",
"children": []
}
}
},
{
"id": "15",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled_0",
"children": []
}
}
},
{
"id": "16",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess_0",
"children": []
}
}
},
{
"id": "17",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled_0",
"children": []
}
}
},
{
"id": "18",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed_0",
"children": []
}
}
}
]
}

61
policies/passwordhistory.json Normal file
View File

@ -0,0 +1,61 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-03-03T10:40:15.4158052Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-03-03T10:40:15.4158052Z",
"name": "Enforce password age & history",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 2,
"technologies": "mdm",
"id": "294af4d8-dbeb-47c3-ac75-9d7b0e1e8361",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_devicelock_devicepasswordenabled",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_devicelock_devicepasswordenabled_0",
"children": [
{
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_devicelock_devicepasswordhistory",
"settingInstanceTemplateReference": null,
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
"settingValueTemplateReference": null,
"value": 24
}
}
]
}
}
},
{
"id": "1",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_devicelock_minimumpasswordage",
"settingInstanceTemplateReference": null,
"simpleSettingValue": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationIntegerSettingValue",
"settingValueTemplateReference": null,
"value": 1
}
}
}
]
}

48
profider.tf
View File

@ -1,48 +0,0 @@
# We strongly recommend using the required_providers block to set the
# Workplace Provider source and version being used
terraform {
required_providers {
azuread = {
source = "hashicorp/azuread"
version = "~> 2.15.0"
}
microsoft365wp = {
source = "terraprovider/microsoft365wp"
version = "0.15.1"
}
}
}
variable "client_id" {
type = string
sensitive = true
}
variable "client_secret" {
type = string
sensitive = true
}
variable "tenant_id" {
type = string
sensitive = true
}
# Configure the Azure Active Directory Provider
provider "azuread" {
client_id = var.client_id
client_secret = var.client_secret
tenant_id = var.tenant_id
}
# Configure the Workplace Provider
provider "microsoft365wp" {
client_id = var.client_id
client_secret = var.client_secret
tenant_id = var.tenant_id
}