From 104b34de509e9affdeeb495557406ed87336e9f8 Mon Sep 17 00:00:00 2001
From: Matthew McKinnon
Date: Sun, 16 Mar 2025 13:55:59 +1000
Subject: [PATCH] chore: add compliance policies

---
 CompliancePolicy.ps1 | 25 ++++++++++
 ...ompliance - U - Defender for Endpoint.json | 43 ++++++++++++++++
 .../Win - Compliance - U - Device Health.json | Bin 0 -> 3054 bytes
 ...in - Compliance - U - Device Security.json | 43 ++++++++++++++++
 .../Win - Compliance - U - Password.json | 46 ++++++++++++++++++
 5 files changed, 157 insertions(+)
 create mode 100644 CompliancePolicy.ps1
 create mode 100644 policies/compliance/Win - Compliance - U - Defender for Endpoint.json
 create mode 100644 policies/compliance/Win - Compliance - U - Device Health.json
 create mode 100644 policies/compliance/Win - Compliance - U - Device Security.json
 create mode 100644 policies/compliance/Win - Compliance - U - Password.json

diff --git a/CompliancePolicy.ps1 b/CompliancePolicy.ps1
new file mode 100644
index 0000000..8aa9be1
--- /dev/null
+++ b/CompliancePolicy.ps1
@@ -0,0 +1,25 @@
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Organization.Read.All", "Group.ReadWrite.All", "Directory.ReadWrite.All" -NoWelcome
+
+$policies = Get-ChildItem ./policies/compliance
+
+ForEach ($policie in $policies) {
+ $PolicieName = $policie.name
+
+ $JsonData = Get-Content -Path ./policies/compliance/$PolicieName -Raw
+ $JsonDataUpdated = $JsonData -replace '\$tenantId', $tenantId
+ $PolicyObject = $JsonDataUpdated | ConvertFrom-Json
+
+ try {
+ $uri = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" # Using the beta version
+ $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
+ Write-Host "✅ $PolicieName - successfully imported!"
+ #$response
+ } catch {
+ Write-Error "❌ An error occurred while importing the policy: $_"
+ }
+}
+
+
+# Disconnect from Graph
+$null = Disconnect-Graph -ErrorAction SilentlyContinue
diff --git a/policies/compliance/Win - Compliance - U - Defender for Endpoint.json b/policies/compliance/Win - Compliance - U - Defender for Endpoint.json
new file mode 100644
index 0000000..e70e951
--- /dev/null
+++ b/policies/compliance/Win - Compliance - U - Defender for Endpoint.json
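Review bot: The `Connect-MgGraph -Scopes` line asks for `Organization.Read.All`, `Group.ReadWrite.All` and `Directory.ReadWrite.All`, yet the only Graph call in the file is the POST to `deviceManagement/deviceCompliancePolicies`, which needs just `DeviceManagementConfiguration.ReadWrite.All`; trimming the consent to `Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All" -NoWelcome` keeps the delegated token least-privilege, and a later group-assignment step can request the group scope where it is actually used. `$tenantId` is consumed by the `-replace '\$tenantId', $tenantId` line but never assigned in the script, so outside a session that happens to define it the placeholder is replaced with an empty string and the policy is still created; declaring it up front, e.g. `param([Parameter(Mandatory)][string]$tenantId)`, or failing fast with `if (-not $tenantId) { throw 'tenantId is not set' }`, surfaces that before anything reaches the tenant. Each run also POSTs every file again with no lookup by `displayName`, so re-running the script accumulates duplicate policies; a GET filtered on displayName before the create (or a PATCH when one exists) would make it idempotent. Separately, the diffstat marks `Win - Compliance - U - Device Health.json` as `Bin`, which for a text policy usually means a different encoding (UTF-16 is the common cause) — `Get-Content` will likely still read it via its BOM, but the file cannot be reviewed as a diff, so re-saving it as UTF-8 like its siblings is worth doing.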
@@ -0,0 +1,43 @@
+{
+ "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
+ "displayName": "Win - Compliance - U - Defender for Endpoint",
+ "description": null,
+ "passwordRequired": false,
+ "passwordBlockSimple": false,
+ "passwordRequiredToUnlockFromIdle": false,
+ "passwordRequiredType": "deviceDefault",
+ "requireHealthyDeviceReport": false,
+ "earlyLaunchAntiMalwareDriverEnabled": false,
+ "bitLockerEnabled": false,
+ "secureBootEnabled": false,
+ "codeIntegrityEnabled": false,
+ "memoryIntegrityEnabled": false,
+ "kernelDmaProtectionEnabled": false,
+ "virtualizationBasedSecurityEnabled": false,
+ "firmwareProtectionEnabled": false,
+ "storageRequireEncryption": false,
+ "activeFirewallRequired": false,
+ "defenderEnabled": true,
+ "signatureOutOfDate": true,
+ "rtpEnabled": true,
+ "antivirusRequired": false,
+ "antiSpywareRequired": false,
+ "deviceThreatProtectionEnabled": false,
+ "deviceThreatProtectionRequiredSecurityLevel": "unavailable",
+ "configurationManagerComplianceRequired": false,
+ "tpmRequired": false,
+ "validOperatingSystemBuildRanges": [],
+
+ // Scheduled Actions (MUST be included in the initial policy creation)
+ "scheduledActionsForRule": [
+ {
+ "ruleName": null,
+ "scheduledActionConfigurations": [
+ {
+ "actionType": "block",
+ "gracePeriodHours": 6
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
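Review bot: The `// Scheduled Actions (MUST be included in the initial policy creation)` line makes this file non-standard JSON; whether the `ConvertFrom-Json` call in CompliancePolicy.ps1 tolerates a comment depends on the PowerShell version it runs under, and any other JSON tooling (linters, editors, a future `jq` step) will reject the file outright. Safer to drop the comment and carry the note in the `description` field, which is currently `null` and is displayed in the Intune portal, or in a README beside the policies. Separately, the `displayName` says "Defender for Endpoint" but only the Defender Antivirus checks (`defenderEnabled`, `rtpEnabled`, `signatureOutOfDate`) are `true`, while `deviceThreatProtectionEnabled` is `false` and `deviceThreatProtectionRequiredSecurityLevel` is `"unavailable"`; if the intent is to gate compliance on the Defender for Endpoint machine-risk score those two settings need values, otherwise the name should reflect that only the antivirus state is enforced. The `"ruleName": null` with a 6-hour `block` grace period is fine for a first import, but a one-line note on why 6 hours was chosen would help the next reviewer.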
diff --git a/policies/compliance/Win - Compliance - U - Device Health.json b/policies/compliance/Win - Compliance - U - Device Health.json new file mode 100644 index 0000000000000000000000000000000000000000..60ec39248251f1c068b56b5097566e3835ff5392 GIT binary patch literal 3054 zcmbuB%}?7v5XI-*zru1at<*y4v8R%zs7SO_B&Y|(!Nd+kB!t=yD6RO{+y34zuvx?H#56`|NOQW7OZ}ueYCm77Fo`-#sAW-EwRu(Fe9{=HnWM1EM->4GiJt? zozsq(cft29<5wWe`O0j^-q|OK5fXw$T6du(P!n2+b5y*g;vDAIZPk!ny{-Zo3MAz{~WH~?qXMORp9IjnElYQ zfYqgK0Unxz8Q_sBlZy(Itp{ALVVUu}b!%fgV)jp4z$xV`Ua=ZGTQYj;{%fx8VeuTU zmo@;QP{J$vRE#ErA&AHL$0P5-OupEM-4sTJ-~J!H9(7gUNm1c0oQ_Qu<)6}1RlS$B zSdcx^DMjh^Too}XdoAt2?W*{_uw86djC^$(+`2glJ1BZ?z)tNmGa@^4-gr#0Ggjr` z7bJrL#~we8)$S`jSo?mK%Dm&xL?+yFz_IRhtU)zfgg;^Gpd z6ebB?>w_6lClpsXJtO{$oNTkM3sJc*jTcU*iT&d3ae92qdog+8eb{Y#*A8R1!;D;2 zoT#!rk8uV+`7%O_q>=fuTop>$;jLI7z0t~Vipf34G;vI)cvv}5=E`F+swf%rsJ3@S zXqS&Nc0OmNd|yQBA@AG{LF~KU$0~+2yl#!ju03_q$VWv4EKqtgd;R(W`!4U*-3&vX z@~6*`s-gIh51tz%o8UGXH)H+4aa6|nvu@#(x`FA0USGqSl~$GG3jL(4G%fQ=HBnkC ze$&=7y2)vM3`_ahhU$sE?iVpJru&QMcLl2fdMe9QwR&)ul{#a^TAZ_$Cr<3NR%^>! z(zb1Lq7TR|o#QbWI`d-sb}Mx%qy35#;+UC3zR#Ewu$yvt${MMtHR=iABdnsODx|y8 zly?0#q3kbWsHlanYd0s|U+RqNeD+*rIa={8yna$a@VCI~jnMb`cL;;R-sa7$4>M(B z+sW)#`*(