From 48848aa767d8a7392078bc73a1ec0c9651c32084 Mon Sep 17 00:00:00 2001 From: Matthew McKinnon Date: Sat, 16 Aug 2025 10:02:53 +1000 Subject: [PATCH] chore: MDM wins over GPO --- ImportPolicies.ps1 | 94 +------------------ .../settingscatalog/MDM-wins-over-GPO.json | 37 ++++++++ 2 files changed, 40 insertions(+), 91 deletions(-) create mode 100644 policies/settingscatalog/MDM-wins-over-GPO.json diff --git a/ImportPolicies.ps1 b/ImportPolicies.ps1 index a206384..6bf5f0e 100644 --- a/ImportPolicies.ps1 +++ b/ImportPolicies.ps1 @@ -44,7 +44,7 @@ $dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled - # Create the security group with dynamic membership $groupBody = @{ - displayName = "Intune - All Windows Workstations MDM" + displayName = "Intune - All Windows Workstations" mailEnabled = $false mailNickname = "IntuneWindowsDevices" securityEnabled = $true 
@@ -86,29 +86,6 @@ $groupBodyJson = $groupBody | ConvertTo-Json -Depth 100 $null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json" Write-Host "✅ Successfully created group $group" -# Define the dynamic membership rule -$dynamicRule = '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")' - -# Create the security group with dynamic membership -$groupBody = @{ - displayName = "Intune - All Windows Computers" - mailEnabled = $false - mailNickname = "IntuneWindowsDevices" - securityEnabled = $true - groupTypes = @("DynamicMembership") - membershipRule = $dynamicRule - membershipRuleProcessingState = "On" -} - -$group = $groupBody.displayname - -# Convert the body to JSON -$groupBodyJson = $groupBody | ConvertTo-Json -Depth 100 - -# Create the group using Invoke-MgGraphRequest -$null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json" -Write-Host "✅ Successfully created group $group" - $policies = Get-ChildItem ./policies/settingscatalog ForEach ($policy in $policies) { 
@@ -207,53 +184,9 @@ $params = @{ $ring = $params.displayName -# Create the update ring policy in Intune -$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params -Write-Host "✅ Successfully created $ring" - $params = @{ "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" - "displayName"= "Win - Windows Updates - Ring 2 - UAT" - "description"= "Devices in this ring receive updates 3 days after release and have a 0-day deadline on install with 2 day grace period before a forced reboot." - "version"= 1 - "deliveryOptimizationMode"= "userDefined" - "prereleaseFeatures"= "userDefined" - "automaticUpdateMode"= "windowsDefault" - "microsoftUpdateServiceAllowed"= $true - "driversExcluded"= $false - "qualityUpdatesDeferralPeriodInDays"= 3 - "featureUpdatesDeferralPeriodInDays"= 0 - "qualityUpdatesPaused"= $false - "featureUpdatesPaused"= $false - "businessReadyUpdatesOnly"= "userDefined" - "skipChecksBeforeRestart"= $false - "featureUpdatesRollbackWindowInDays"= 30 - "qualityUpdatesWillBeRolledBack"= $false - "featureUpdatesWillBeRolledBack"= $false - "deadlineForFeatureUpdatesInDays"= 0 - "deadlineForQualityUpdatesInDays"= 0 - "deadlineGracePeriodInDays"= 2 - "postponeRebootUntilAfterDeadline"= $true - "autoRestartNotificationDismissal"= "notConfigured" - "userPauseAccess"= "disabled" - "userWindowsUpdateScanAccess"= "enabled" - "updateNotificationLevel"= "defaultNotifications" - "allowWindows11Upgrade"= $false - "roleScopeTagIds"= @("0") - "supportsScopeTags"= $true - "createdDateTime"= "2023-10-27T15:13:33.3648624Z" - "lastModifiedDateTime"= "2023-10-27T15:13:33.3648624Z" -} - -$ring = $params.displayName - -# Create the update ring policy in Intune -$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params -Write-Host "✅ Successfully created $ring" - -$params = @{ - "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" - "displayName"= "Win - Windows Updates - Ring 3 - Production" + "displayName"= 
"Win - Windows Updates - Ring 2 - Production" "description"= "Devices in this ring receive updates 10 days after release and have a 2-day deadline on install with 1 day grace period before a forced reboot." "version"= 1 "deliveryOptimizationMode"= "userDefined" @@ -311,32 +244,11 @@ $groupBodyJson = $Body | ConvertTo-Json -Depth 100 $null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json" Write-Host "✅ Successfully created group $ring" - $uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" # Define the JSON body for the new driver update profile $body = @{ - "displayName" = "Win - Drivers - Ring 2 - UAT" - "description" = "" # Empty description field from original JSON - "approvalType" = "automatic" # "automatic" from the original JSON - "deploymentDeferralInDays" = 3 # "3" from the original JSON - "newUpdates" = 0 # "0" from the original JSON - "roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON -} - -$ring = $body.displayName -$groupBodyJson = $Body | ConvertTo-Json -Depth 100 - -# Send the POST request to create the Driver Update Profile -$null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json" -Write-Host "✅ Successfully created group $ring" - - -$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" - -# Define the JSON body for the new driver update profile -$body = @{ - "displayName" = "Win - Drivers - Ring 3 - Production" + "displayName" = "Win - Drivers - Ring 2 - Production" "description" = "" # Empty description field from original JSON "approvalType" = "automatic" # "automatic" from the original JSON "deploymentDeferralInDays" = 10 # "10" from the original JSON diff --git a/policies/settingscatalog/MDM-wins-over-GPO.json b/policies/settingscatalog/MDM-wins-over-GPO.json new file mode 100644 index 0000000..c4b43c6 --- /dev/null 
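Review bot: The new side drops the creation call for the update ring defined just before this hunk: after the context line `$ring = $params.displayName` the next statement is now `$params = @{` for "Ring 2 - Production", so the preceding `$params` hashtable (its definition starts outside the hunk) is overwritten and that ring is never submitted to Intune. The three removed lines at the top of the hunk belong to that first ring, while the rest of the deletion suggests the intent was to remove only the "Ring 2 - UAT" block. Restore them before the retained `$params = @{`: `# Create the update ring policy in Intune` / `$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params` / `Write-Host "✅ Successfully created $ring"`. The Ring 2 - Production hashtable continues past the end of the hunk, so whether its own creation call survived cannot be confirmed here.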
+++ b/policies/settingscatalog/MDM-wins-over-GPO.json @@ -0,0 +1,37 @@ +{ + "@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity", + "createdDateTime": "2025-04-04T00:36:55.1118677Z", + "creationSource": null, + "description": "", + "lastModifiedDateTime": "2025-04-04T00:36:55.1118677Z", + "name": "MDM Wins over GPO", + "platforms": "windows10", + "priorityMetaData": null, + "roleScopeTagIds": [ + "0" + ], + "settingCount": 1, + "technologies": "mdm", + "id": "9e16633f-6c86-4157-9134-0453df90989c", + "templateReference": { + "templateId": "", + "templateFamily": "none", + "templateDisplayName": null, + "templateDisplayVersion": null + }, + "settings": [ + { + "id": "0", + "settingInstance": { + "@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance", + "settingDefinitionId": "device_vendor_msft_policy_config_controlpolicyconflict_mdmwinsovergp", + "settingInstanceTemplateReference": null, + "choiceSettingValue": { + "settingValueTemplateReference": null, + "value": "device_vendor_msft_policy_config_controlpolicyconflict_mdmwinsovergp_1", + "children": [] + } + } + } + ] +}
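Review bot: `"description": ""` leaves this policy undocumented even though it changes which policy source wins on a device: `device_vendor_msft_policy_config_controlpolicyconflict_mdmwinsovergp_1` makes the Intune-delivered value take precedence wherever Group Policy configures the same setting, so any GPO-enforced security control that Intune also configures will be overridden once this is assigned. Suggest `"description": "Sets ControlPolicyConflict/MDMWinsOverGP=1: Intune settings override conflicting Group Policy on hybrid-joined devices. Review GPO-enforced security settings before assigning."`. The file also carries export-time instance metadata (`@odata.context`, `id`, `createdDateTime`, `lastModifiedDateTime`, `priorityMetaData`); if the `ForEach ($policy in $policies)` loop in ImportPolicies.ps1 (its body is outside this diff) posts the file verbatim, those read-only fields are at best ignored and at worst rejected, so either strip them from the committed JSON or confirm the loop does.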