mmckinnon/IntunePolicies
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: add multiple new policies.

Browse Source
This commit is contained in:
Matthew McKinnon
2025-03-16 22:39:48 +10:00
parent 104b34de50
commit dce88deb1b
51 changed files with 11136 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

208
ImportPolicies.ps1
View File

@ -16,25 +16,6 @@ Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Organiza
$tenant = Get-MgOrganization
$tenantId = $tenant.Id
$policies = Get-ChildItem ./policies
ForEach ($policie in $policies) {
$PolicieName = $policie.name
$JsonData = Get-Content -Path ./policies/$PolicieName -Raw
$JsonDataUpdated = $JsonData -replace '\$tenantId', $tenantId
$PolicyObject = $JsonDataUpdated | ConvertFrom-Json
try {
$uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" # Using the beta version
$response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
Write-Host "$PolicieName - successfully imported!"
#$response
} catch {
Write-Error "❌ An error occurred while importing the policy: $_"
}
}
# Define the dynamic membership rule
$dynamicRule = '(device.deviceOSType -eq "Windows") and (device.accountEnabled -eq true) and (device.managementType -eq "MDM")'
@ -82,6 +63,24 @@ $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10
$null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/groups" -Body $groupBodyJson -ContentType "application/json"
Write-Host "✅ Successfully created group $group"
$policies = Get-ChildItem ./policies/settingscatalog
ForEach ($policie in $policies) {
$PolicyName = $policie.name
$JsonData = Get-Content -Path ./policies/settingscatalog/$PolicieName -Raw
$JsonDataUpdated = $JsonData -replace '\$tenantId', $tenantId
$PolicyObject = $JsonDataUpdated | ConvertFrom-Json
try {
$uri = "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" # Using the beta version
$null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body ($PolicyObject | ConvertTo-Json -Depth 10)
Write-Host "$PolicyName - successfully imported!"
} catch {
Write-Error "❌ An error occurred while importing the policy: $_"
}
}
# Create Windows Update Ring Policies
# Create a baseline policy using web interface
@ -94,19 +93,178 @@ Write-Host "✅ Successfully created group $group"
# Define the update ring configuration with Microsoft product updates enabled
$params = @{
"@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration"
"displayName"= "Windows 11 Update Ring"
"description"= "Update ring for Windows 11 devices"
"automaticUpdateMode"= "autoInstallAndRebootAtMaintenanceTime"
"qualityUpdatesDeferralPeriodInDays"= 7
"featureUpdatesDeferralPeriodInDays"= 30
"allowMicrosoftUpdate"= $true # Enables updates for Microsoft products
"displayName"= "Win - Windows Updates - Ring 1 - Pilot"
"description"= "Devices in this ring receive updates immediately after release with 1 day grace period before a forced reboot."
"automaticUpdateMode"= "windowsDefault"
"deliveryOptimizationMode"= "userDefined"
"prereleaseFeatures"= "userDefined"
"microsoftUpdateServiceAllowed"= $true # Enables updates for Microsoft products
"driversExcluded"= $false
"qualityUpdatesDeferralPeriodInDays"= 0
"featureUpdatesDeferralPeriodInDays"= 0
"qualityUpdatesPaused"= $false
"featureUpdatesPaused"= $false
"businessReadyUpdatesOnly"= "userDefined"
"skipChecksBeforeRestart"= $false
"featureUpdatesRollbackWindowInDays"= 30
"qualityUpdatesWillBeRolledBack"= $false
"featureUpdatesWillBeRolledBack"= $false
"deadlineForFeatureUpdatesInDays"= 0
"deadlineForQualityUpdatesInDays"= 0
"deadlineGracePeriodInDays"= 1
"postponeRebootUntilAfterDeadline"= $true
"autoRestartNotificationDismissal"= "notConfigured"
"userPauseAccess"= "disabled"
"userWindowsUpdateScanAccess"= "enabled"
"updateNotificationLevel"= "defaultNotifications"
"allowWindows11Upgrade"= $false
"roleScopeTagIds"= @("0") # Scope tags (use appropriate scope tags as needed)
"supportsScopeTags"= $true
}
$ring = $params.displayName
# Create the update ring policy in Intune
$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params
Write-Host "✅ Successfully created $ring"
$params = @{
"@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration"
"displayName"= "Win - Windows Updates - Ring 2 - UAT"
"description"= "Devices in this ring receive updates 3 days after release and have a 0-day deadline on install with 2 day grace period before a forced reboot."
"version"= 1
"deliveryOptimizationMode"= "userDefined"
"prereleaseFeatures"= "userDefined"
"automaticUpdateMode"= "windowsDefault"
"microsoftUpdateServiceAllowed"= $true
"driversExcluded"= $false
"qualityUpdatesDeferralPeriodInDays"= 3
"featureUpdatesDeferralPeriodInDays"= 0
"qualityUpdatesPaused"= $false
"featureUpdatesPaused"= $false
"businessReadyUpdatesOnly"= "userDefined"
"skipChecksBeforeRestart"= $false
"featureUpdatesRollbackWindowInDays"= 30
"qualityUpdatesWillBeRolledBack"= $false
"featureUpdatesWillBeRolledBack"= $false
"deadlineForFeatureUpdatesInDays"= 0
"deadlineForQualityUpdatesInDays"= 0
"deadlineGracePeriodInDays"= 2
"postponeRebootUntilAfterDeadline"= $true
"autoRestartNotificationDismissal"= "notConfigured"
"userPauseAccess"= "disabled"
"userWindowsUpdateScanAccess"= "enabled"
"updateNotificationLevel"= "defaultNotifications"
"allowWindows11Upgrade"= $false
"roleScopeTagIds"= @("0")
"supportsScopeTags"= $true
"createdDateTime"= "2023-10-27T15:13:33.3648624Z"
"lastModifiedDateTime"= "2023-10-27T15:13:33.3648624Z"
}
$ring = $params.displayName
# Create the update ring policy in Intune
$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params
Write-Host "✅ Successfully created $ring"
$params = @{
"@odata.type"= "#microsoft.graph.windowsUpdateForBusinessConfiguration"
"displayName"= "Win - Windows Updates - Ring 3 - Production"
"description"= "Devices in this ring receive updates 10 days after release and have a 2-day deadline on install with 1 day grace period before a forced reboot."
"version"= 1
"deliveryOptimizationMode"= "userDefined"
"prereleaseFeatures"= "userDefined"
"automaticUpdateMode"= "windowsDefault"
"microsoftUpdateServiceAllowed"= $true
"driversExcluded"= $false
"qualityUpdatesDeferralPeriodInDays"= 10
"featureUpdatesDeferralPeriodInDays"= 0
"qualityUpdatesPaused"= $false
"featureUpdatesPaused"= $false
"businessReadyUpdatesOnly"= "userDefined"
"skipChecksBeforeRestart"= $false
"featureUpdatesRollbackWindowInDays"= 30
"qualityUpdatesWillBeRolledBack"= $false
"featureUpdatesWillBeRolledBack"= $false
"deadlineForFeatureUpdatesInDays"= 2
"deadlineForQualityUpdatesInDays"= 2
"deadlineGracePeriodInDays"= 1
"postponeRebootUntilAfterDeadline"= $true
"autoRestartNotificationDismissal"= "notConfigured"
"userPauseAccess"= "disabled"
"userWindowsUpdateScanAccess"= "enabled"
"updateNotificationLevel"= "defaultNotifications"
"allowWindows11Upgrade"= $false
"roleScopeTagIds"= @("0")
"supportsScopeTags"= $true
"createdDateTime"= "2023-10-27T15:13:33.5897267Z"
"lastModifiedDateTime"= "2023-10-27T15:13:33.5897267Z"
}
$ring = $params.displayName
# Create the update ring policy in Intune
$null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params
Write-Host "✅ Successfully created $ring"
$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles"
# Define the JSON body for the new driver update profile
$body = @{
"displayName" = "Win - Drivers - Ring 1 - Pilot"
"description" = "" # Empty description field from original JSON
"approvalType" = "automatic" # "automatic" from the original JSON
"deploymentDeferralInDays" = 0 # "0" from the original JSON
"newUpdates" = 0 # "0" from the original JSON
"roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON
}
$ring = $body.displayName
$groupBodyJson = $Body | ConvertTo-Json -Depth 10
# Send the POST request to create the Driver Update Profile
$response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json"
Write-Host "✅ Successfully created group $ring"
$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles"
# Define the JSON body for the new driver update profile
$body = @{
"displayName" = "Win - Drivers - Ring 2 - UAT"
"description" = "" # Empty description field from original JSON
"approvalType" = "automatic" # "automatic" from the original JSON
"deploymentDeferralInDays" = 3 # "3" from the original JSON
"newUpdates" = 0 # "0" from the original JSON
"roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON
}
$ring = $body.displayName
$groupBodyJson = $Body | ConvertTo-Json -Depth 10
# Send the POST request to create the Driver Update Profile
$response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json"
Write-Host "✅ Successfully created group $ring"
$uri = "https://graph.microsoft.com/beta/deviceManagement/windowsDriverUpdateProfiles"
# Define the JSON body for the new driver update profile
$body = @{
"displayName" = "Win - Drivers - Ring 3 - Production"
"description" = "" # Empty description field from original JSON
"approvalType" = "automatic" # "automatic" from the original JSON
"deploymentDeferralInDays" = 10 # "10" from the original JSON
"newUpdates" = 0 # "0" from the original JSON
"roleScopeTagIds" = @("0") # Role Scope Tag ID from the original JSON
}
$ring = $body.displayName
$groupBodyJson = $Body | ConvertTo-Json -Depth 10
# Send the POST request to create the Driver Update Profile
$response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $groupBodyJson -ContentType "application/json"
Write-Host "✅ Successfully created group $ring"
$null = Disconnect-Graph -ErrorAction SilentlyContinue