From c8f55404c1b646686acd2ba3b6059e0a484f1758 Mon Sep 17 00:00:00 2001
From: Matthew McKinnon
Date: Tue, 13 May 2025 15:39:45 +1000
Subject: [PATCH] chore: update password compliance policy to minimum length 6

---
 ImportPolicies.ps1 | 362 ++++++++++--------
 .../Win - Compliance - U - Password.json | 2 +-
 2 files changed, 195 insertions(+), 169 deletions(-)

diff --git a/ImportPolicies.ps1 b/ImportPolicies.ps1
index 0d82dc4..a206384 100644
--- a/ImportPolicies.ps1
+++ b/ImportPolicies.ps1
@@ -39,6 +39,8 @@ Write-Host "✅ Successfully created static group '$group - $groupid'"
 
 # Define the dynamic membership rule
 $dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled -eq true) and (device.managementType -eq "MDM")'
+#(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))
+
 
 # Create the security group with dynamic membership
 $groupBody = @{
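Review bot: The commented-out fragment `#(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))` added under the Windows/MDM `$dynamicRule` carries no explanation, and the same expression is used live for the "Intune - AutoPilot Devices" group created later in this commit, so a reader cannot tell whether it is an intended alternative rule for this group or a leftover from drafting that group. Either drop the line or make it self-explanatory, e.g. `# Alternative: restrict to AutoPilot-registered devices - see the "Intune - AutoPilot Devices" group below`. Commented-out rule text next to a live rule is easy to uncomment by mistake and silently changes which devices the group (and everything targeted at it) covers.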
@@ -60,6 +62,30 @@ $groupBodyJson = $groupBody | ConvertTo-Json -Depth 100
 
 $null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
 Write-Host "✅ Successfully created group $group"
+# Define the dynamic membership rule
+$dynamicRule = '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))'
+
+
+# Create the security group with dynamic membership
+$groupBody = @{
+ displayName = "Intune - AutoPilot Devices"
+ mailEnabled = $false
+ mailNickname = "IntuneWindowsDevices"
+ securityEnabled = $true
+ groupTypes = @("DynamicMembership")
+ membershipRule = $dynamicRule
+ membershipRuleProcessingState = "On"
+}
+
+$group = $groupBody.displayname
+
+# Convert the body to JSON
+$groupBodyJson = $groupBody | ConvertTo-Json -Depth 100
+
+# Create the group using Invoke-MgGraphRequest
+$null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
+Write-Host "✅ Successfully created group $group"
+
 
 # Define the dynamic membership rule
 $dynamicRule = '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")'
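Review bot: The new AutoPilot group block discards the `Invoke-MgGraphRequest` result and has no try/catch, so unless the call raises a terminating error the `Write-Host "✅ Successfully created group $group"` line prints even when the POST was rejected; the compliance import loop re-enabled in this same commit wraps its request in try/catch and reports through `Write-Error`, and the group blocks should do the same. This is the third copy of the same seven-key hashtable plus POST, so a small helper would give all the groups one error path instead of repeating it. The `mailNickname` value `"IntuneWindowsDevices"` does not match the display name "Intune - AutoPilot Devices" and looks carried over from the preceding group; Graph records it as the group's mail alias, so it is worth confirming that the value is intended.
```powershell
function New-DynamicDeviceGroup {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$MailNickname,
        [Parameter(Mandatory)][string]$MembershipRule
    )
    $body = @{
        displayName                   = $DisplayName
        mailEnabled                   = $false
        mailNickname                  = $MailNickname
        securityEnabled               = $true
        groupTypes                    = @("DynamicMembership")
        membershipRule                = $MembershipRule
        membershipRuleProcessingState = "On"
    } | ConvertTo-Json -Depth 100
    try {
        $null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $body -ContentType "application/json"
        Write-Host "✅ Successfully created group $DisplayName"
    } catch {
        Write-Error "❌ Failed to create group '$DisplayName': $_"
    }
}

# mailNickname kept as in the hunk; confirm it is meant to differ from the display name
New-DynamicDeviceGroup -DisplayName "Intune - AutoPilot Devices" -MailNickname "IntuneWindowsDevices" -MembershipRule '(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))'
# … unchanged: OS-version group that follows …
```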
@@ -120,23 +146,23 @@ ForEach ($policy in $policies) {
 }
 }
 
-# $policies = Get-ChildItem ./policies/compliance
+$policies = Get-ChildItem ./policies/compliance
 
-# ForEach ($policy in $policies) {
-# $PolicyName = $policy.name
+ForEach ($policy in $policies) {
+ $PolicyName = $policy.name
 
-# $JsonData = Get-Content -Path ./policies/compliance/$PolicyName -Raw
-# $JsonDataUpdated = $JsonData -replace '\$tenantId', $tenantId
-# $PolicyObject = $JsonDataUpdated | ConvertFrom-Json
+ $JsonData = Get-Content -Path ./policies/compliance/$PolicyName -Raw
+ $JsonDataUpdated = $JsonData -replace '\$tenantId', $tenantId
+ $PolicyObject = $JsonDataUpdated | ConvertFrom-Json
 
-# try {
-# $uri = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" # Using the beta version
-# $null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 100)
-# Write-Host "✅ $PolicyName - successfully imported!"
-# } catch {
-# Write-Error "❌ An error occurred while importing the policy: $_"
-# }
-# }
+ try {
+ $uri = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies" # Using the beta version
+ $null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 100)
+ Write-Host "✅ $PolicyName - successfully imported!"
+ } catch {
+ Write-Error "❌ An error occurred while importing the policy: $_"
+ }
+}
 
 # Create Windows Update Ring Policies
 
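Review bot: `$policies = Get-ChildItem ./policies/compliance` enumerates every entry in the folder, so a stray non-JSON file or a subdirectory reaches `Get-Content`/`ConvertFrom-Json` before the `try`, where the per-policy `Write-Error` in the catch never sees it; `$policies = Get-ChildItem ./policies/compliance -Filter *.json -File` limits the loop to policy files, and `$policy.FullName` avoids rebuilding the path from `$PolicyName`. Moving the three `$Json…` lines inside the `try` would give a malformed file the same "❌ … $_" report as a rejected POST instead of a different failure path. The policy files themselves are outside this hunk, but the beta compliance-policy endpoint rejects a create that lacks `scheduledActionsForRule`, so it is worth confirming each file carries it before the loop is relied on.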
@@ -147,181 +173,181 @@ ForEach ($policy in $policies) { # - Get-MgDeviceManagementDeviceConfiguration -DeviceConfigurationId "" | ConvertTo-Json -Depth 10 -# # Define the update ring configuration with Microsoft product updates enabled -# $params = @{ -# "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" -# "displayName"= "Win - Windows Updates - Ring 1 - Pilot" -# "description"= "Devices in this ring receive updates immediately after release with 1 day grace period before a forced reboot." -# "automaticUpdateMode"= "windowsDefault" -# "deliveryOptimizationMode"= "userDefined" -# "prereleaseFeatures"= "userDefined" -# "microsoftUpdateServiceAllowed"= $true # Enables updates for Microsoft products -# "driversExcluded"= $false -# "qualityUpdatesDeferralPeriodInDays"= 0 -# "featureUpdatesDeferralPeriodInDays"= 0 -# "qualityUpdatesPaused"= $false -# "featureUpdatesPaused"= $false -# "businessReadyUpdatesOnly"= "userDefined" -# "skipChecksBeforeRestart"= $false -# "featureUpdatesRollbackWindowInDays"= 30 -# "qualityUpdatesWillBeRolledBack"= $false -# "featureUpdatesWillBeRolledBack"= $false -# "deadlineForFeatureUpdatesInDays"= 0 -# "deadlineForQualityUpdatesInDays"= 0 -# "deadlineGracePeriodInDays"= 1 -# "postponeRebootUntilAfterDeadline"= $true -# "autoRestartNotificationDismissal"= "notConfigured" -# "userPauseAccess"= "disabled" -# "userWindowsUpdateScanAccess"= "enabled" -# "updateNotificationLevel"= "defaultNotifications" -# "allowWindows11Upgrade"= $false -# "roleScopeTagIds"= @("0") # Scope tags (use appropriate scope tags as needed) -# "supportsScopeTags"= $true -# } +# Define the update ring configuration with Microsoft product updates enabled +$params = @{ + "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" + "displayName"= "Win - Windows Updates - Ring 1 - Pilot" + "description"= "Devices in this ring receive updates immediately after release with 1 day grace period before a forced reboot." 
+ "automaticUpdateMode"= "windowsDefault" + "deliveryOptimizationMode"= "userDefined" + "prereleaseFeatures"= "userDefined" + "microsoftUpdateServiceAllowed"= $true # Enables updates for Microsoft products + "driversExcluded"= $false + "qualityUpdatesDeferralPeriodInDays"= 0 + "featureUpdatesDeferralPeriodInDays"= 0 + "qualityUpdatesPaused"= $false + "featureUpdatesPaused"= $false + "businessReadyUpdatesOnly"= "userDefined" + "skipChecksBeforeRestart"= $false + "featureUpdatesRollbackWindowInDays"= 30 + "qualityUpdatesWillBeRolledBack"= $false + "featureUpdatesWillBeRolledBack"= $false + "deadlineForFeatureUpdatesInDays"= 0 + "deadlineForQualityUpdatesInDays"= 0 + "deadlineGracePeriodInDays"= 1 + "postponeRebootUntilAfterDeadline"= $true + "autoRestartNotificationDismissal"= "notConfigured" + "userPauseAccess"= "disabled" + "userWindowsUpdateScanAccess"= "enabled" + "updateNotificationLevel"= "defaultNotifications" + "allowWindows11Upgrade"= $false + "roleScopeTagIds"= @("0") # Scope tags (use appropriate scope tags as needed) + "supportsScopeTags"= $true +} -# $ring = $params.displayName +$ring = $params.displayName -# # Create the update ring policy in Intune -# $null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params -# Write-Host "✅ Successfully created $ring" +# Create the update ring policy in Intune +$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params +Write-Host "✅ Successfully created $ring" -# $params = @{ -# "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" -# "displayName"= "Win - Windows Updates - Ring 2 - UAT" -# "description"= "Devices in this ring receive updates 3 days after release and have a 0-day deadline on install with 2 day grace period before a forced reboot." 
-# "version"= 1 -# "deliveryOptimizationMode"= "userDefined" -# "prereleaseFeatures"= "userDefined" -# "automaticUpdateMode"= "windowsDefault" -# "microsoftUpdateServiceAllowed"= $true -# "driversExcluded"= $false -# "qualityUpdatesDeferralPeriodInDays"= 3 -# "featureUpdatesDeferralPeriodInDays"= 0 -# "qualityUpdatesPaused"= $false -# "featureUpdatesPaused"= $false -# "businessReadyUpdatesOnly"= "userDefined" -# "skipChecksBeforeRestart"= $false -# "featureUpdatesRollbackWindowInDays"= 30 -# "qualityUpdatesWillBeRolledBack"= $false -# "featureUpdatesWillBeRolledBack"= $false -# "deadlineForFeatureUpdatesInDays"= 0 -# "deadlineForQualityUpdatesInDays"= 0 -# "deadlineGracePeriodInDays"= 2 -# "postponeRebootUntilAfterDeadline"= $true -# "autoRestartNotificationDismissal"= "notConfigured" -# "userPauseAccess"= "disabled" -# "userWindowsUpdateScanAccess"= "enabled" -# "updateNotificationLevel"= "defaultNotifications" -# "allowWindows11Upgrade"= $false -# "roleScopeTagIds"= @("0") -# "supportsScopeTags"= $true -# "createdDateTime"= "2023-10-27T15:13:33.3648624Z" -# "lastModifiedDateTime"= "2023-10-27T15:13:33.3648624Z" -# } +$params = @{ + "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" + "displayName"= "Win - Windows Updates - Ring 2 - UAT" + "description"= "Devices in this ring receive updates 3 days after release and have a 0-day deadline on install with 2 day grace period before a forced reboot." 
+ "version"= 1 + "deliveryOptimizationMode"= "userDefined" + "prereleaseFeatures"= "userDefined" + "automaticUpdateMode"= "windowsDefault" + "microsoftUpdateServiceAllowed"= $true + "driversExcluded"= $false + "qualityUpdatesDeferralPeriodInDays"= 3 + "featureUpdatesDeferralPeriodInDays"= 0 + "qualityUpdatesPaused"= $false + "featureUpdatesPaused"= $false + "businessReadyUpdatesOnly"= "userDefined" + "skipChecksBeforeRestart"= $false + "featureUpdatesRollbackWindowInDays"= 30 + "qualityUpdatesWillBeRolledBack"= $false + "featureUpdatesWillBeRolledBack"= $false + "deadlineForFeatureUpdatesInDays"= 0 + "deadlineForQualityUpdatesInDays"= 0 + "deadlineGracePeriodInDays"= 2 + "postponeRebootUntilAfterDeadline"= $true + "autoRestartNotificationDismissal"= "notConfigured" + "userPauseAccess"= "disabled" + "userWindowsUpdateScanAccess"= "enabled" + "updateNotificationLevel"= "defaultNotifications" + "allowWindows11Upgrade"= $false + "roleScopeTagIds"= @("0") + "supportsScopeTags"= $true + "createdDateTime"= "2023-10-27T15:13:33.3648624Z" + "lastModifiedDateTime"= "2023-10-27T15:13:33.3648624Z" +} -# $ring = $params.displayName +$ring = $params.displayName -# # Create the update ring policy in Intune -# $null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params -# Write-Host "✅ Successfully created $ring" +# Create the update ring policy in Intune +$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params +Write-Host "✅ Successfully created $ring" -# $params = @{ -# "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" -# "displayName"= "Win - Windows Updates - Ring 3 - Production" -# "description"= "Devices in this ring receive updates 10 days after release and have a 2-day deadline on install with 1 day grace period before a forced reboot." 
-# "version"= 1 -# "deliveryOptimizationMode"= "userDefined" -# "prereleaseFeatures"= "userDefined" -# "automaticUpdateMode"= "windowsDefault" -# "microsoftUpdateServiceAllowed"= $true -# "driversExcluded"= $false -# "qualityUpdatesDeferralPeriodInDays"= 10 -# "featureUpdatesDeferralPeriodInDays"= 0 -# "qualityUpdatesPaused"= $false -# "featureUpdatesPaused"= $false -# "businessReadyUpdatesOnly"= "userDefined" -# "skipChecksBeforeRestart"= $false -# "featureUpdatesRollbackWindowInDays"= 30 -# "qualityUpdatesWillBeRolledBack"= $false -# "featureUpdatesWillBeRolledBack"= $false -# "deadlineForFeatureUpdatesInDays"= 2 -# "deadlineForQualityUpdatesInDays"= 2 -# "deadlineGracePeriodInDays"= 1 -# "postponeRebootUntilAfterDeadline"= $true -# "autoRestartNotificationDismissal"= "notConfigured" -# "userPauseAccess"= "disabled" -# "userWindowsUpdateScanAccess"= "enabled" -# "updateNotificationLevel"= "defaultNotifications" -# "allowWindows11Upgrade"= $false -# "roleScopeTagIds"= @("0") -# "supportsScopeTags"= $true -# "createdDateTime"= "2023-10-27T15:13:33.5897267Z" -# "lastModifiedDateTime"= "2023-10-27T15:13:33.5897267Z" -# } +$params = @{ + "@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration" + "displayName"= "Win - Windows Updates - Ring 3 - Production" + "description"= "Devices in this ring receive updates 10 days after release and have a 2-day deadline on install with 1 day grace period before a forced reboot." 
+ "version"= 1 + "deliveryOptimizationMode"= "userDefined" + "prereleaseFeatures"= "userDefined" + "automaticUpdateMode"= "windowsDefault" + "microsoftUpdateServiceAllowed"= $true + "driversExcluded"= $false + "qualityUpdatesDeferralPeriodInDays"= 10 + "featureUpdatesDeferralPeriodInDays"= 0 + "qualityUpdatesPaused"= $false + "featureUpdatesPaused"= $false + "businessReadyUpdatesOnly"= "userDefined" + "skipChecksBeforeRestart"= $false + "featureUpdatesRollbackWindowInDays"= 30 + "qualityUpdatesWillBeRolledBack"= $false + "featureUpdatesWillBeRolledBack"= $false + "deadlineForFeatureUpdatesInDays"= 2 + "deadlineForQualityUpdatesInDays"= 2 + "deadlineGracePeriodInDays"= 1 + "postponeRebootUntilAfterDeadline"= $true + "autoRestartNotificationDismissal"= "notConfigured" + "userPauseAccess"= "disabled" + "userWindowsUpdateScanAccess"= "enabled" + "updateNotificationLevel"= "defaultNotifications" + "allowWindows11Upgrade"= $false + "roleScopeTagIds"= @("0") + "supportsScopeTags"= $true + "createdDateTime"= "2023-10-27T15:13:33.5897267Z" + "lastModifiedDateTime"= "2023-10-27T15:13:33.5897267Z" +} -# $ring = $params.displayName +$ring = $params.displayName -# # Create the update ring policy in Intune -# $null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params -# Write-Host "✅ Successfully created $ring" +# Create the update ring policy in Intune +$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params +Write-Host "✅ Successfully created $ring" -# $uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" +$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" -# # Define the JSON body for the new driver update profile -# $body = @{ -# "displayName" = "Win - Drivers - Ring 1 - Pilot" -# "description" = "" # Empty description field from original JSON -# "approvalType" = "automatic" # "automatic" from the original JSON -# "deploymentDeferralInDays" = 0 # "0" from the original JSON -# 
"newUpdates" = 0 # "0" from the original JSON -# "roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON -# } +# Define the JSON body for the new driver update profile +$body = @{ + "displayName" = "Win - Drivers - Ring 1 - Pilot" + "description" = "" # Empty description field from original JSON + "approvalType" = "automatic" # "automatic" from the original JSON + "deploymentDeferralInDays" = 0 # "0" from the original JSON + "newUpdates" = 0 # "0" from the original JSON + "roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON +} -# $ring = $body.displayName -# $groupBodyJson = $Body | ConvertTo-Json -Depth 100 +$ring = $body.displayName +$groupBodyJson = $Body | ConvertTo-Json -Depth 100 -# # Send the POST request to create the Driver Update Profile -# $null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json" -# Write-Host "✅ Successfully created group $ring" +# Send the POST request to create the Driver Update Profile +$null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json" +Write-Host "✅ Successfully created group $ring" -# $uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" +$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" -# # Define the JSON body for the new driver update profile -# $body = @{ -# "displayName" = "Win - Drivers - Ring 2 - UAT" -# "description" = "" # Empty description field from original JSON -# "approvalType" = "automatic" # "automatic" from the original JSON -# "deploymentDeferralInDays" = 3 # "3" from the original JSON -# "newUpdates" = 0 # "0" from the original JSON -# "roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON -# } +# Define the JSON body for the new driver update profile +$body = @{ + "displayName" = "Win - Drivers - Ring 2 - UAT" + "description" = "" # Empty description field from original JSON + "approvalType" = 
"automatic" # "automatic" from the original JSON + "deploymentDeferralInDays" = 3 # "3" from the original JSON + "newUpdates" = 0 # "0" from the original JSON + "roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON +} -# $ring = $body.displayName -# $groupBodyJson = $Body | ConvertTo-Json -Depth 100 +$ring = $body.displayName +$groupBodyJson = $Body | ConvertTo-Json -Depth 100 -# # Send the POST request to create the Driver Update Profile -# $null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json" -# Write-Host "✅ Successfully created group $ring" +# Send the POST request to create the Driver Update Profile +$null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json" +Write-Host "✅ Successfully created group $ring" -# $uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" +$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles" -# # Define the JSON body for the new driver update profile -# $body = @{ -# "displayName" = "Win - Drivers - Ring 3 - Production" -# "description" = "" # Empty description field from original JSON -# "approvalType" = "automatic" # "automatic" from the original JSON -# "deploymentDeferralInDays" = 10 # "10" from the original JSON -# "newUpdates" = 0 # "0" from the original JSON -# "roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON -# } -# $ring = $body.displayName -# $groupBodyJson = $Body | ConvertTo-Json -Depth 100 +# Define the JSON body for the new driver update profile +$body = @{ + "displayName" = "Win - Drivers - Ring 3 - Production" + "description" = "" # Empty description field from original JSON + "approvalType" = "automatic" # "automatic" from the original JSON + "deploymentDeferralInDays" = 10 # "10" from the original JSON + "newUpdates" = 0 # "0" from the original JSON + "roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON 
+}
+$ring = $body.displayName
+$groupBodyJson = $Body | ConvertTo-Json -Depth 100
 
-# # Send the POST request to create the Driver Update Profile
-# $null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json"
-# Write-Host "✅ Successfully created group $ring"
+# Send the POST request to create the Driver Update Profile
+$null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json"
+Write-Host "✅ Successfully created group $ring"
 
 $null = Disconnect-Graph -ErrorAction SilentlyContinue
\ No newline at end of file
diff --git a/policies/compliance/Win - Compliance - U - Password.json b/policies/compliance/Win - Compliance - U - Password.json
index 6e65458..578185b 100644
--- a/policies/compliance/Win - Compliance - U - Password.json
+++ b/policies/compliance/Win - Compliance - U - Password.json
@@ -6,7 +6,7 @@
 "passwordBlockSimple": true,
 "passwordRequiredToUnlockFromIdle": false,
 "passwordRequiredType": "numeric",
- "passwordMinimumLength": 8,
+ "passwordMinimumLength": 6,
 "passwordExpirationDays": null,
 "passwordPreviousPasswordBlockCount": null,
 "passwordMinimumCharacterSetCount": null,
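Review bot: The Ring 2 and Ring 3 `$params` bodies re-enabled here still carry `"version"= 1`, `"createdDateTime"` and `"lastModifiedDateTime"` values copied from an existing configuration, while the Ring 1 body omits them; those are server-assigned on create, so the two blocks should drop them and post the same shape as Ring 1. The three driver-profile blocks log `Write-Host "✅ Successfully created group $ring"` for something that is not a group and keep the request body in `$groupBodyJson`, which will mislead anyone reading the run output; `Write-Host "✅ Successfully created driver update profile $ring"` and a `$profileBodyJson` name fix that. None of the six create calls in this hunk (three `New-MgDeviceManagementDeviceConfiguration`, three `Invoke-MgGraphRequest`) is inside a try/catch, unlike the compliance loop re-enabled in the same commit, so a rejected ring or profile is only reported by the default error handler and the script still prints the next success line.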
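Review bot: Lowering `"passwordMinimumLength"` from 8 to 6 while `"passwordRequiredType": "numeric"` is unchanged means a six-digit PIN now satisfies this compliance policy, and the commit message gives no reason for relaxing it. The JSON cannot hold a comment, so the rationale, and whether `"passwordBlockSimple": true` is being relied on to reject repeated or sequential digits, belongs in the commit description or the policy's description field where the next person to review the baseline will find it. Worth confirming the new value matches the PIN length the tenant actually enforces on the devices, otherwise devices are marked non-compliant against a requirement they were never configured to meet.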