mmckinnon/IntunePolicies
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initial Commit

Browse Source
This commit is contained in:
Matthew McKinnon
2025-02-04 19:23:56 +10:00
commit ac08902f9f
13 changed files with 809 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
*.json
*.terraform
*.tfstate*
terraform.auto.tfvars
.terraform.lock.hcl

104
ASR_Rules.tf Normal file
View File

@ -0,0 +1,104 @@
resource "microsoft365wp_device_management_configuration_policy" "asr_rules" {
name = "ASR Rules"
template_reference = { id = "e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1" }
technologies = "mdm,microsoftSense"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules"
template_reference = { id = "19600663-e264-4c02-8f55-f2983216d6d7" }
group_collection = { values = [
{
children = [
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwebshellcreationforservers_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros_block" } }
},
{
definition_id = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware"
choice = { value = { value = "device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware_block" } }
}
]
}
]
}
}
}
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

18
AzureAD_Group_MEM_Windows_workstations.tf Normal file
View File

@ -0,0 +1,18 @@
data "azuread_client_config" "current" {}
resource "azuread_group" "mem_windows_devices" {
display_name = "MEM - Devices - All Windows Computers"
owners = [data.azuread_client_config.current.object_id]
security_enabled = true
types = ["DynamicMembership"]
dynamic_membership {
enabled = true
rule = "(device.deviceOSVersion -startsWith \"10.0\") and (device.deviceOSType -eq \"Windows\")"
}
}
data "azuread_group" "mem_windows_devices" {
depends_on = [azuread_group.mem_windows_devices]
display_name = "MEM - Devices - All Windows Computers"
}

227
Bitlocker_Security_Baseline.tf Normal file
View File

@ -0,0 +1,227 @@
resource "microsoft365wp_device_management_configuration_policy" "enable_bitlocker" {
name = "Bitlocker"
template_reference = { id = "46ddfc50-d10f-4867-b852-9434254b3bff_1" }
settings = [
{ instance = {
definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype"
template_reference = { id = "d1625438-8db8-424f-b605-cf001b7a2f97" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_1"
template_reference = { id = "7cd99564-6bd0-42c8-be6a-5d92c6c1faaf" }
children = [
{
definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsfdvdropdown_name_6" } }
},
{
definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsosdropdown_name_6" } }
},
{
definition_id = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_encryptionmethodbydrivetype_encryptionmethodwithxtsrdvdropdown_name_6" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions"
template_reference = { id = "ad21af4f-e42f-4870-85d8-1949e9adfad7" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_1"
template_reference = { id = "2159ffae-55e2-406b-98b4-2ecdd9452c68" }
children = [
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverykeyusagedropdown_name_2" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrecoverypasswordusagedropdown_name_2" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvallowdra_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackupdropdown_name_1" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvrequireactivedirectorybackup_name_1" } }
},
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvhiderecoverypage_name_0" } }
}
,
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesrecoveryoptions_fdvactivedirectorybackup_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype"
template_reference = { id = "85a47676-5027-4b14-9f99-e4625728244a" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_1"
template_reference = { id = "bdc82022-1c59-49a3-ac69-50e329650297" }
children = [
{
definition_id = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_fixeddrivesencryptiontype_fdvencryptiontypedropdown_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions"
template_reference = { id = "5a350519-4bc6-4443-9c4b-6859a054ff83" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_1"
template_reference = { id = "2a756c45-f135-442f-9c01-829a9c9b5407" }
children = [
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverykeyusagedropdown_name_2" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrecoverypasswordusagedropdown_name_2" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osallowdra_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackupdropdown_name_1" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osrequireactivedirectorybackup_name_1" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_oshiderecoverypage_name_1" } }
}
,
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrecoveryoptions_osactivedirectorybackup_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_systemdrivesencryptiontype"
template_reference = { id = "d3e31794-1ce6-4572-ab0c-0c0f9200a509" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_1"
template_reference = { id = "54f346c7-008f-421c-bcb5-40f822bb97fe" }
children = [
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesencryptiontype_osencryptiontypedropdown_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication"
template_reference = { id = "a5673a18-196d-49a0-a460-a8f35b807b45" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_1"
template_reference = { id = "f742e25d-2f09-41f7-9556-6af75960f42b" }
children = [
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurenontpmstartupkeyusage_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmpinkeyusagedropdown_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmstartupkeyusagedropdown_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configurepinusagedropdown_name_0" } }
},
{
definition_id = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name"
choice = { value = { value = "device_vendor_msft_bitlocker_systemdrivesrequirestartupauthentication_configuretpmusagedropdown_name_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption"
template_reference = { id = "e40531ee-2225-406b-b07b-1c17186c088c" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption_0"
template_reference = { id = "7d348597-0f2a-43db-9fad-8b55c4f89bfe" }
children = [
{
definition_id = "device_vendor_msft_bitlocker_allowstandarduserencryption"
choice = { value = { value = "device_vendor_msft_bitlocker_allowstandarduserencryption_1" } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_configurerecoverypasswordrotation"
template_reference = { id = "48c938a7-afa0-40ef-914f-40b5da5735b4" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_configurerecoverypasswordrotation_2"
template_reference = { id = "48278072-3b30-48e9-b654-ad683fdb9aae" }
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_bitlocker_requiredeviceencryption"
template_reference = { id = "20ec1f6e-0d7a-4b6f-9a4f-9ed33e69ce51" }
choice = {
value = {
value = "device_vendor_msft_bitlocker_requiredeviceencryption_1"
template_reference = { id = "86da5fa5-67cf-48d1-8215-8787a9900ae6" }
}
}
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

24
Disable_Enumeration_of_SAM_Accounts_and_Shares.tf Normal file
View File

@ -0,0 +1,24 @@
resource "microsoft365wp_device_management_configuration_policy" "disable_enumeration" {
name = "Disable Enumeration of SAM Accounts and Shares"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares"
choice = {
value = {
value = "device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares_1"
}
}
}
}
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

183
Edge_Security_Baseline.tf Normal file
View File

@ -0,0 +1,183 @@
resource "microsoft365wp_device_management_configuration_policy" "beaseline_edge" {
name = "Baseline Edge"
technologies = "mdm"
template_reference = { id = "c66347b7-8325-4954-a235-3bf2233dfbfd_2" }
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist"
template_reference = { id = "2a951e8f-db16-4124-90a8-445e0a38a427" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_1"
template_reference = { id = "18412879-4a2a-4327-bc4d-7ceefd11c1b4" }
children = [
{
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~extensions_extensioninstallblocklist_extensioninstallblocklistdesc"
template_reference = { id = "e4890359-0b4a-4de3-a253-3afd395d83ef" }
simple_collection = { values = [
{ string = { value = "*" } }
] }
}
]
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled"
template_reference = { id = "0731cb20-670c-4098-828c-4e4fcd6a6564" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled_0"
template_reference = { id = "af096427-add6-49e9-9f77-14473775f719" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes"
template_reference = { id = "ff2dc16a-351f-4951-8797-7e2c7c9aac8d" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_1"
template_reference = { id = "043f5d07-08f0-4ed2-8411-0e67ccd4f2d8" }
children = [
{
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes_authschemes"
template_reference = { id = "0cf2d402-7e71-47d9-9c20-b5de2ce906da" }
simple = { value = {
string = {
value = "ntlm,negotiate"
}
} }
}
]
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts"
template_reference = { id = "1e9bfcff-625a-4a1f-8953-afc350005704" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts_0"
template_reference = { id = "809f5c33-a7f3-45d7-9b47-ff70a768922d" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed"
template_reference = { id = "c6dec9f2-a235-4878-8462-e88569b47e0b" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed_0"
template_reference = { id = "88dd6607-2b2d-4597-8757-ada32300b42b" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled"
template_reference = { id = "413019e3-9d1f-412d-9902-1dcd01b2ea80" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled_1"
template_reference = { id = "31be30c0-581d-40b9-97bf-cfd8848966a8" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled"
template_reference = { id = "12ff32ac-8899-4936-8ce1-206d6df0eca6" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1"
template_reference = { id = "859e84af-0450-47b9-921c-f48fb1eec3fe" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride"
template_reference = { id = "90dd2915-f1d5-4ce1-a4ae-2e32055df32f" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride_1"
template_reference = { id = "e4d533d7-3afb-4fc1-a751-c1036fe6c5b4" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles"
template_reference = { id = "5b7881b3-e97f-4df3-85f4-d702876edf6a" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverrideforfiles_1"
template_reference = { id = "7dbbe40c-e0ec-4db7-a27e-aab277299f9d" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed"
template_reference = { id = "fd416796-3442-405c-9f9e-e1ca3c0b9e3f" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed_0"
template_reference = { id = "f4bf8e1d-2c11-42dc-b3b1-7039987bf59c" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed"
template_reference = { id = "f4f34d05-9bbd-48a4-aa86-84add2b23657" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed_0"
template_reference = { id = "6bdff043-f16a-48b9-94ed-06d35e049a0a" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed"
template_reference = { id = "ba15aa09-ea95-49bd-92bf-de9cec9c1146" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed_0"
template_reference = { id = "1272fcf1-de3d-433a-985c-7fd930c31259" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled"
template_reference = { id = "244ad831-d65d-414b-bcd7-7cc7065d93c0" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled_1"
template_reference = { id = "33d6a543-7052-4c54-93f0-5dee3ab4b78a" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess"
template_reference = { id = "3d1b6b01-aa72-42a5-bb9e-1425a5289973" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess_1"
template_reference = { id = "035b8874-3758-47d5-94d5-2c24893ef7f8" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled"
template_reference = { id = "9d1101a5-870a-4cab-bdcf-09ffd5475d50" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled_0"
template_reference = { id = "916e4429-a9a0-4b75-9288-ff66feca858d" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess"
template_reference = { id = "e74a4383-7069-4381-a4ba-4a56b5f7b85c" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess_0"
template_reference = { id = "776df7ac-010d-4ca7-8e4f-7ec80bba01c0" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled"
template_reference = { id = "40b5a825-fbda-41c2-a00f-162139d8cd25" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled_0"
template_reference = { id = "91ed9f9c-14b9-4c72-88d5-45ebfa4378ca" }
} }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed"
template_reference = { id = "65f6b4ba-d54a-439a-8fe9-1b2e7eb2eb9f" }
choice = { value = {
value = "device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed_0"
template_reference = { id = "867dfba5-2de2-4a4a-b37e-49b46f92825b" }
} }
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

20
Enable_Local_Security_Authority_Protection_Mode.tf Normal file
View File

@ -0,0 +1,20 @@
resource "microsoft365wp_device_configuration_custom" "enable_lsa" {
display_name = "Enable Local Security Authority Protection Mode"
windows10 = {
oma_settings = [
{
display_name = "Enable Local Security Authority Protection Mode"
oma_uri = "./Device/Vendor/MSFT/Policy/Config/LocalSecurityAuthority/ConfigureLsaProtectedProcess"
integer = { value = 1 }
}
]
}
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

33
Enforce_password_age_history.tf Normal file
View File

@ -0,0 +1,33 @@
resource "microsoft365wp_device_management_configuration_policy" "password_history" {
name = "Enforce password age & history"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_devicelock_devicepasswordenabled"
choice = {
value = {
value = "device_vendor_msft_policy_config_devicelock_devicepasswordenabled_0"
children = [
{
definition_id = "device_vendor_msft_policy_config_devicelock_devicepasswordhistory"
simple = { value = { integer = { value = "24" } } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_devicelock_minimumpasswordage"
simple = { value = { integer = { value = "1" } } }
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

42
LAPS.tf Normal file
View File

@ -0,0 +1,42 @@
resource "microsoft365wp_device_management_configuration_policy" "enable_laps" {
name = "LAPS"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd"
choice = {
value = {
value = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_1"
children = [
{
definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordagedays"
simple = { value = { integer = { value = "14" } } }
},
{
definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity"
choice = { value = { value = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordcomplexity_4" } }
},
{
definition_id = "device_vendor_msft_policy_config_admx_admpwd_pol_admpwd_elm_admpwd_passwordlength"
simple = { value = { integer = { value = "14" } } }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus"
choice = { value = { value = "device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableadministratoraccountstatus_1" } }
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

47
OneDrive.tf Normal file
View File

@ -0,0 +1,47 @@
resource "microsoft365wp_device_management_configuration_policy" "onedrive_policy" {
name = "OneDrive Policy"
settings = [
{ instance = {
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist"
choice = {
value = {
value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_1"
children = [
{
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_allowtenantlist_allowtenantlistbox"
simple_collection = { values = [
{ string = { value = var.tenant_id } }
] }
}
]
}
}
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync"
choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_blockexternalsync_1" } }
} },
{ instance = {
definition_id = "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync"
choice = { value = { value = "user_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_disablepersonalsync_1" } }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig"
choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_silentaccountconfig_1" } }
} },
{ instance = {
definition_id = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled"
choice = { value = { value = "device_vendor_msft_policy_config_onedrivengscv2~policy~onedrivengsc_filesondemandenabled_1" } }
} }
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

33
PUA_Block.tf Normal file
View File

@ -0,0 +1,33 @@
resource "microsoft365wp_device_management_configuration_policy" "pua_block" {
name = "Disable PUA"
settings = [
{ instance = {
definition_id = "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled"
choice = {
value = {
value = "user_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled_1"
}
}
}
},
{ instance = {
definition_id = "device_vendor_msft_policy_config_defender_puaprotection"
choice = {
value = {
value = "device_vendor_msft_policy_config_defender_puaprotection_1"
}
}
}
}
]
depends_on = [azuread_group.mem_windows_devices]
assignments = [
for x in [
"${data.azuread_group.mem_windows_devices.object_id}"
] :
{ target = { group = { group_id = x } } }
]
}

25
README.md Normal file
View File

@ -0,0 +1,25 @@
# Intune Configuration Policies
This repository contains terraform files that will auto provision Intune Policies that will help lift Microsoft Secure Score and apply Security settings across the tenant.
## Azure AD Group
* AzureAD_Group_MEM_Windows_workstations - Create a Dynamic Azure AD Group with rule to add all Windows Workstations running Windows 10 or higher.
```PowerShell
(device.deviceOSVersion -startsWith \"10.0\") and (device.deviceOSType -eq \"Windows\")
```
## Policies
* Defender ASR Rules - Set to Block
* Bitlocker - Enabled
* PUA (Potentially Unwanted Apps) Blocked
* Disable Enumeration of SAM Accounts and Shares
* Microsoft Edge Security Baseline
* Enable Local Security Authority Protection Mode
* Enforce Password History - 24 Password, 1 Password Age
* LAPS - Enable Local Administrator Account and turn on LAPS
* OneDrive

48
profider.tf Normal file
View File

@ -0,0 +1,48 @@
# We strongly recommend using the required_providers block to set the
# Workplace Provider source and version being used
terraform {
required_providers {
azuread = {
source = "hashicorp/azuread"
version = "~> 2.15.0"
}
microsoft365wp = {
source = "terraprovider/microsoft365wp"
version = "0.15.1"
}
}
}
variable "client_id" {
type = string
sensitive = true
}
variable "client_secret" {
type = string
sensitive = true
}
variable "tenant_id" {
type = string
sensitive = true
}
# Configure the Azure Active Directory Provider
provider "azuread" {
client_id = var.client_id
client_secret = var.client_secret
tenant_id = var.tenant_id
}
# Configure the Workplace Provider
provider "microsoft365wp" {
client_id = var.client_id
client_secret = var.client_secret
tenant_id = var.tenant_id
}