mmckinnon/IntunePolicies
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: MDM wins over GPO

Browse Source
This commit is contained in:
Matthew McKinnon
2025-08-16 10:02:53 +10:00
parent b3002ab608
commit 48848aa767
2 changed files with 40 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
ImportPolicies.ps1
View File

@ -44,7 +44,7 @@ $dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled -
# Create the security group with dynamic membership # Create the security group with dynamic membership
$groupBody = @{ $groupBody = @{
displayName = "Intune - All Windows Workstations MDM" displayName = "Intune - All Windows Workstations"
mailEnabled = $false mailEnabled = $false
mailNickname = "IntuneWindowsDevices" mailNickname = "IntuneWindowsDevices"
securityEnabled = $true securityEnabled = $true
@ -86,29 +86,6 @@ $groupBodyJson = $groupBody | ConvertTo-Json -Depth 100
$null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json" $null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
Write-Host "✅ Successfully created group $group" Write-Host "✅ Successfully created group $group"
# Define the dynamic membership rule
$dynamicRule = '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")'
# Create the security group with dynamic membership
$groupBody = @{
displayName = "Intune - All Windows Computers"
mailEnabled = $false
mailNickname = "IntuneWindowsDevices"
securityEnabled = $true
groupTypes = @("DynamicMembership")
membershipRule = $dynamicRule
membershipRuleProcessingState = "On"
}
$group = $groupBody.displayname
# Convert the body to JSON
$groupBodyJson = $groupBody | ConvertTo-Json -Depth 100
# Create the group using Invoke-MgGraphRequest
$null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
Write-Host "✅ Successfully created group $group"
$policies = Get-ChildItem ./policies/settingscatalog $policies = Get-ChildItem ./policies/settingscatalog
ForEach ($policy in $policies) { ForEach ($policy in $policies) {
@ -207,53 +184,9 @@ $params = @{
$ring = $params.displayName $ring = $params.displayName
# Create the update ring policy in Intune
$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params
Write-Host "✅ Successfully created $ring"
$params = @{ $params = @{
"@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration"
"displayName"= "Win - Windows Updates - Ring 2 - UAT" "displayName"= "Win - Windows Updates - Ring 2 - Production"
"description"= "Devices in this ring receive updates 3 days after release and have a 0-day deadline on install with 2 day grace period before a forced reboot."
"version"= 1
"deliveryOptimizationMode"= "userDefined"
"prereleaseFeatures"= "userDefined"
"automaticUpdateMode"= "windowsDefault"
"microsoftUpdateServiceAllowed"= $true
"driversExcluded"= $false
"qualityUpdatesDeferralPeriodInDays"= 3
"featureUpdatesDeferralPeriodInDays"= 0
"qualityUpdatesPaused"= $false
"featureUpdatesPaused"= $false
"businessReadyUpdatesOnly"= "userDefined"
"skipChecksBeforeRestart"= $false
"featureUpdatesRollbackWindowInDays"= 30
"qualityUpdatesWillBeRolledBack"= $false
"featureUpdatesWillBeRolledBack"= $false
"deadlineForFeatureUpdatesInDays"= 0
"deadlineForQualityUpdatesInDays"= 0
"deadlineGracePeriodInDays"= 2
"postponeRebootUntilAfterDeadline"= $true
"autoRestartNotificationDismissal"= "notConfigured"
"userPauseAccess"= "disabled"
"userWindowsUpdateScanAccess"= "enabled"
"updateNotificationLevel"= "defaultNotifications"
"allowWindows11Upgrade"= $false
"roleScopeTagIds"= @("0")
"supportsScopeTags"= $true
"createdDateTime"= "2023-10-27T15:13:33.3648624Z"
"lastModifiedDateTime"= "2023-10-27T15:13:33.3648624Z"
}
$ring = $params.displayName
# Create the update ring policy in Intune
$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params
Write-Host "✅ Successfully created $ring"
$params = @{
"@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration"
"displayName"= "Win - Windows Updates - Ring 3 - Production"
"description"= "Devices in this ring receive updates 10 days after release and have a 2-day deadline on install with 1 day grace period before a forced reboot." "description"= "Devices in this ring receive updates 10 days after release and have a 2-day deadline on install with 1 day grace period before a forced reboot."
"version"= 1 "version"= 1
"deliveryOptimizationMode"= "userDefined" "deliveryOptimizationMode"= "userDefined"
@ -311,32 +244,11 @@ $groupBodyJson = $Body | ConvertTo-Json -Depth 100
$null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json" $null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json"
Write-Host "✅ Successfully created group $ring" Write-Host "✅ Successfully created group $ring"
$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" $uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles"
# Define the JSON body for the new driver update profile # Define the JSON body for the new driver update profile
$body = @{ $body = @{
"displayName" = "Win - Drivers - Ring 2 - UAT" "displayName" = "Win - Drivers - Ring 2 - Production"
"description" = "" # Empty description field from original JSON
"approvalType" = "automatic" # "automatic" from the original JSON
"deploymentDeferralInDays" = 3 # "3" from the original JSON
"newUpdates" = 0 # "0" from the original JSON
"roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON
}
$ring = $body.displayName
$groupBodyJson = $Body | ConvertTo-Json -Depth 100
# Send the POST request to create the Driver Update Profile
$null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json"
Write-Host "✅ Successfully created group $ring"
$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles"
# Define the JSON body for the new driver update profile
$body = @{
"displayName" = "Win - Drivers - Ring 3 - Production"
"description" = "" # Empty description field from original JSON "description" = "" # Empty description field from original JSON
"approvalType" = "automatic" # "automatic" from the original JSON "approvalType" = "automatic" # "automatic" from the original JSON
"deploymentDeferralInDays" = 10 # "10" from the original JSON "deploymentDeferralInDays" = 10 # "10" from the original JSON

37
policies/settingscatalog/MDM-wins-over-GPO.json Normal file
View File

@ -0,0 +1,37 @@
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#deviceManagement/configurationPolicies/$entity",
"createdDateTime": "2025-04-04T00:36:55.1118677Z",
"creationSource": null,
"description": "",
"lastModifiedDateTime": "2025-04-04T00:36:55.1118677Z",
"name": "MDM Wins over GPO",
"platforms": "windows10",
"priorityMetaData": null,
"roleScopeTagIds": [
"0"
],
"settingCount": 1,
"technologies": "mdm",
"id": "9e16633f-6c86-4157-9134-0453df90989c",
"templateReference": {
"templateId": "",
"templateFamily": "none",
"templateDisplayName": null,
"templateDisplayVersion": null
},
"settings": [
{
"id": "0",
"settingInstance": {
"@odata.type": "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance",
"settingDefinitionId": "device_vendor_msft_policy_config_controlpolicyconflict_mdmwinsovergp",
"settingInstanceTemplateReference": null,
"choiceSettingValue": {
"settingValueTemplateReference": null,
"value": "device_vendor_msft_policy_config_controlpolicyconflict_mdmwinsovergp_1",
"children": []
}
}
}
]
}