From 4cd0393a388828798d4273fc15031431a4f075df Mon Sep 17 00:00:00 2001
From: Matthew McKinnon
Date: Wed, 12 Mar 2025 23:46:21 +1000
Subject: [PATCH] chore: add section to build windows update rings
---
 ImportPolicies.ps1 | 35 +++++++++++++++++++++++++++++++++--
 policies/LAPS.json | 2 +-
 2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/ImportPolicies.ps1 b/ImportPolicies.ps1
index fb273eb..3ea8ee6 100644
--- a/ImportPolicies.ps1
+++ b/ImportPolicies.ps1
@@ -50,11 +50,14 @@ $groupBody = @{
 membershipRuleProcessingState = "On"
 }
+$group = $groupBody.displayname
+
 # Convert the body to JSON
 $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
 # Create the group using Invoke-MgGraphRequest
-Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
+$null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
+Write-Host "✅ Successfully created group $group"
 # Define the dynamic membership rule
 $dynamicRule = '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")'
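Review bot: The added `Write-Host "✅ Successfully created group $group"` is printed whether or not the POST to `/beta/groups` succeeded, because nothing in this hunk stops the script when `Invoke-MgGraphRequest` fails; under the default error preference the script would presumably report the error and carry on. The same pattern recurs twice in the second hunk (the second group and the `New-MgDeviceManagementDeviceConfiguration` call). Adding `-ErrorAction Stop` to each call, or `$ErrorActionPreference = 'Stop'` near the top of the script (outside this hunk, so it may already be set), keeps a false success line out of the provisioning output. Assigning the response to `$null` also throws away the new group's `id`, which any later assignment step would need, so consider `$createdGroup = Invoke-MgGraphRequest ...` instead. The `$groupBody` hashtable this hunk touches starts above the visible lines.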
@@ -70,12 +73,40 @@ $groupBody = @{
 membershipRuleProcessingState = "On"
 }
+$group = $groupBody.displayname
+
 # Convert the body to JSON
 $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
 # Create the group using Invoke-MgGraphRequest
-Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
+$null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
+Write-Host "✅ Successfully created group $group"
+# Create Windows Update Ring Policies
+# Create a baseline policy using web interface
+# Extract the JSON Data to build paramters
+# - Get-MgDeviceManagementDeviceConfiguration | Select-Object displayName, id, @{Name="JSON"; Expression={ $_ | ConvertTo-Json -Depth 10 }}
+# Get the ID of the policy you created and get the JSON structure
+# - Get-MgDeviceManagementDeviceConfiguration -DeviceConfigurationId "" | ConvertTo-Json -Depth 10
+
+
+# Define the update ring configuration with Microsoft product updates enabled
+$params = @{
+ "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration"
+ "displayName"= "Windows 11 Update Ring"
+ "description"= "Update ring for Windows 11 devices"
+ "automaticUpdateMode"= "autoInstallAndRebootAtMaintenanceTime"
+ "qualityUpdatesDeferralPeriodInDays"= 7
+ "featureUpdatesDeferralPeriodInDays"= 30
+ "allowMicrosoftUpdate"= $true # Enables updates for Microsoft products
+}
+
+$ring = $params.displayName
+
+# Create the update ring policy in Intune
+$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params
+Write-Host "✅ Successfully created group $ring"
+
 $null = Disconnect-Graph -ErrorAction SilentlyContinue
\ No newline at end of file
diff --git a/policies/LAPS.json b/policies/LAPS.json
index f0b5527..9c71aa8 100644
--- a/policies/LAPS.json
+++ b/policies/LAPS.json
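Review bot: The new update ring in `$params` defers quality updates by 7 days and feature updates by 30 but sets no install deadline, and nothing between `New-MgDeviceManagementDeviceConfiguration` and `Disconnect-Graph` assigns the policy to a group, so as written it does not yet force any device to patch. If enforcement is intended, add deadline settings such as `"deadlineForQualityUpdatesInDays"` and `"deadlineGracePeriodInDays"` to `$params` (values per your patch policy) and follow the create call with an assignment to the device group. The closing message is copied from the group step and should read `Write-Host "✅ Successfully created update ring $ring"`. Nothing visible checks for an existing policy, so re-running the script would presumably create a second ring with the same display name.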
@@ -1,6 +1,6 @@
 {
 "name": "Windows LAPS",
- "description": "created by ourcloudnetwork.com",
+ "description": "",
 "platforms": "windows10",
 "technologies": "mdm",
 "roleScopeTagIds": [