# Intune Configuration Policies

This repository contains Terraform files that automatically provision Intune policies to help raise Microsoft Secure Score and apply security settings across the tenant.

## Azure AD Group

* AzureAD_Group_MEM_Windows_workstations - Create a dynamic Azure AD group with a rule that adds all Windows workstations running Windows 10 or higher.

```PowerShell
(device.deviceOSVersion -startsWith "10.0") and (device.deviceOSType -eq "Windows")
```

## Policies

* Defender ASR Rules - Set to Block
* BitLocker - Enabled
* PUA (Potentially Unwanted Apps) Blocked
* Disable Enumeration of SAM Accounts and Shares
* Microsoft Edge Security Baseline
* Enable Local Security Authority Protection Mode
* Enforce Password History - 24 Passwords, 1 Password Age
* LAPS - Enable Local Administrator Account and turn on LAPS
* OneDrive
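
The dynamic group from the "Azure AD Group" section, sketched as a Terraform resource. This is an added example, not the repository's own code: it assumes the `hashicorp/azuread` provider, and the resource label `mem_windows_workstations` and the output name are hypothetical. Inside an HCL string the quotes in the membership rule must be backslash-escaped.

```hcl
# Added example (not from this repository). Assumes the hashicorp/azuread provider.
terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
  }
}

# Dynamic security group that Intune policies can be assigned to.
# Resource label "mem_windows_workstations" is a hypothetical name.
resource "azuread_group" "mem_windows_workstations" {
  display_name     = "AzureAD_Group_MEM_Windows_workstations"
  security_enabled = true

  # Marks the group as dynamic; membership is computed from the rule below
  # instead of being managed by hand.
  types = ["DynamicMembership"]

  dynamic_membership {
    enabled = true

    # Same rule as shown in the README, with the inner quotes escaped for HCL.
    # Windows 11 also reports an OS version starting with "10.0", so it matches.
    rule = "(device.deviceOSVersion -startsWith \"10.0\") and (device.deviceOSType -eq \"Windows\")"
  }
}

# Object ID of the group, for use as the assignment target of a policy.
# Output name is hypothetical.
output "mem_windows_workstations_group_id" {
  value = azuread_group.mem_windows_workstations.object_id
}
```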