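# Ensure the Microsoft Graph PowerShell SDK modules are present (installed for the current user only).
#
# NOTE(review): Install-Module -Force installs whatever PSGallery currently serves as the latest
# version and suppresses the untrusted-repository prompt. For repeatable, auditable runs pin a
# version with -RequiredVersion and verify the package before use (supply-chain hygiene).
#
# Microsoft.Graph.Beta is kept on the list, but the /beta endpoints in this script are reached via
# Invoke-MgGraphRequest (Microsoft.Graph.Authentication), so the Beta module may be unnecessary —
# TODO confirm before dropping it.
$requiredModules = @('Microsoft.Graph', 'Microsoft.Graph.Beta')

foreach ($moduleName in $requiredModules) {
    if (Get-Module -ListAvailable -Name $moduleName) {
        continue   # already installed; nothing to do
    }
    Install-Module -Name $moduleName -Scope CurrentUser -Force
}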
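# Connect to Microsoft Graph with the least set of delegated scopes the operations in this
# script need:
#   DeviceManagementConfiguration.ReadWrite.All — create Intune configuration policies / update rings
#   Organization.Read.All                        — Get-MgOrganization (tenant ID lookup)
#   Group.ReadWrite.All                          — create the dynamic security groups
# Directory.ReadWrite.All is deliberately not requested: nothing in this script needs it beyond
# what Group.ReadWrite.All already grants, and a consent prompt for a tenant-wide directory-write
# scope is exactly what a reviewer should push back on (least privilege).
$graphScopes = @(
    'DeviceManagementConfiguration.ReadWrite.All',
    'Organization.Read.All',
    'Group.ReadWrite.All'
)
Connect-MgGraph -Scopes $graphScopes -NoWelcome -ErrorAction Stop

# Resolve the tenant ID. It is substituted into the policy JSON later, so an empty value would
# silently produce broken policies — fail loudly instead.
$tenant   = Get-MgOrganization -ErrorAction Stop
$tenantId = $tenant.Id
if ([string]::IsNullOrWhiteSpace($tenantId)) {
    throw 'Could not determine the tenant ID from Get-MgOrganization.'
}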
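# Import every configuration policy found in ./policies.
# Each file is a JSON export of a configurationPolicy; the literal placeholder "$tenantId" inside
# it is substituted with the signed-in tenant's ID before the POST. Only files are considered,
# so a stray sub-directory cannot break the loop.
$policyFiles = Get-ChildItem -Path ./policies -File

foreach ($policyFile in $policyFiles) {
    $policyName = $policyFile.Name

    try {
        $jsonText = Get-Content -Path $policyFile.FullName -Raw

        # -replace is regex-based; the pattern escapes the '$', and the tenant ID (a GUID) contains
        # no characters that are special in a replacement string, so this is a plain substitution.
        $jsonText = $jsonText -replace '\$tenantId', $tenantId

        # Validate that the document is well-formed JSON. Parsing happens inside the try so one
        # malformed file is reported and skipped instead of aborting the whole import. The validated
        # text itself is sent rather than a ConvertFrom-Json/ConvertTo-Json round trip, which would
        # silently truncate anything nested deeper than the -Depth given to ConvertTo-Json.
        $null = $jsonText | ConvertFrom-Json

        $uri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'   # beta endpoint
        $null = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $jsonText -ContentType 'application/json' -ErrorAction Stop
        Write-Host "✅ $policyName - successfully imported!"
    } catch {
        Write-Error "❌ An error occurred while importing the policy ${policyName}: $_"
    }
}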
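# Create the dynamic device security groups used for Intune targeting.
# Both groups share the same shape, so the body construction and POST live in one helper.

<#
.SYNOPSIS
    Creates an Entra ID security group with a dynamic device membership rule via Microsoft Graph.
.DESCRIPTION
    Skips creation when a group with the same displayName already exists (so the script can be
    re-run), otherwise POSTs to /beta/groups. Failures are reported with Write-Error instead of
    being announced as success.
.PARAMETER DisplayName
    Display name of the group.
.PARAMETER MailNickname
    Mail alias for the group. Graph only enforces uniqueness for Microsoft 365 groups, but every
    caller here passes a distinct alias so the groups stay distinguishable.
.PARAMETER MembershipRule
    Dynamic membership rule expression in Entra ID rule syntax.
#>
function New-DynamicDeviceGroup {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $MailNickname,
        [Parameter(Mandatory)] [string] $MembershipRule
    )

    try {
        # Idempotency guard: displayName is not unique in Entra ID, so without this check every
        # re-run would create another group with the same name. Single quotes in the name are
        # doubled because the value is embedded in an OData string literal.
        $odataName = $DisplayName.Replace("'", "''")
        $lookupUri = "https://graph.microsoft.com/beta/groups?`$filter=displayName eq '$odataName'&`$select=id"
        $existing  = Invoke-MgGraphRequest -Method GET -Uri $lookupUri -ErrorAction Stop
        if ($existing.value.Count -gt 0) {
            Write-Host "ℹ️ Group '$DisplayName' already exists - skipping creation"
            return
        }

        $groupBody = @{
            displayName                   = $DisplayName
            mailEnabled                   = $false
            mailNickname                  = $MailNickname
            securityEnabled               = $true
            groupTypes                    = @('DynamicMembership')
            membershipRule                = $MembershipRule
            membershipRuleProcessingState = 'On'   # start evaluating members immediately
        }
        $groupBodyJson = $groupBody | ConvertTo-Json -Depth 10

        $null = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/groups' -Body $groupBodyJson -ContentType 'application/json' -ErrorAction Stop
        Write-Host "✅ Successfully created group $DisplayName"
    } catch {
        Write-Error "❌ An error occurred while creating group '$DisplayName': $_"
    }
}

# All Windows devices that are enabled and MDM-managed.
New-DynamicDeviceGroup `
    -DisplayName    'Intune - All Windows Workstations MDM' `
    -MailNickname   'IntuneWindowsDevices' `
    -MembershipRule '(device.deviceOSType -eq "Windows") and (device.accountEnabled -eq true) and (device.managementType -eq "MDM")'

# All Windows devices selected by OS version prefix.
# NOTE(review): Windows 11 also reports a 10.0.x deviceOSVersion, so the "10" prefix is expected
# to match both Windows 10 and Windows 11 — confirm that is the intent.
New-DynamicDeviceGroup `
    -DisplayName    'Intune - All Windows Computers' `
    -MailNickname   'IntuneWindowsComputers' `
    -MembershipRule '(device.deviceOSVersion -startsWith "10") and (device.deviceOSType -eq "Windows")'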
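# Create the Windows Update ring policy.
#
# How the body below was derived (one-off, done in the portal plus the SDK):
#   1. Create a baseline update ring in the Intune web interface.
#   2. List existing device configurations with their JSON to discover the parameter names:
#        Get-MgDeviceManagementDeviceConfiguration | Select-Object displayName, id, @{Name="JSON"; Expression={ $_ | ConvertTo-Json -Depth 10 }}
#   3. Dump the full structure of the policy you created:
#        Get-MgDeviceManagementDeviceConfiguration -DeviceConfigurationId "<YOUR_POLICY_ID>" | ConvertTo-Json -Depth 10

# Update ring configuration: quality updates deferred 7 days, feature updates 30 days; devices
# install automatically and reboot during the maintenance window.
$params = @{
    '@odata.type'                        = '#microsoft.graph.windowsUpdateForBusinessConfiguration'
    'displayName'                        = 'Windows 11 Update Ring'
    'description'                        = 'Update ring for Windows 11 devices'
    'automaticUpdateMode'                = 'autoInstallAndRebootAtMaintenanceTime'
    'qualityUpdatesDeferralPeriodInDays' = 7
    'featureUpdatesDeferralPeriodInDays' = 30
    'allowMicrosoftUpdate'               = $true   # also deliver updates for other Microsoft products
}

$ring = $params.displayName

# Create the update ring in Intune. A failure must not be announced as success, hence the
# try/catch with -ErrorAction Stop.
# NOTE(review): this script does not assign the ring to any group; if the groups created above
# are meant to receive it, the assignment has to be added separately.
try {
    $null = New-MgDeviceManagementDeviceConfiguration -BodyParameter $params -ErrorAction Stop
    Write-Host "✅ Successfully created update ring $ring"
} catch {
    Write-Error "❌ An error occurred while creating update ring '$ring': $_"
}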
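# End the Graph session so the signed-in context is not left behind for later commands in the
# same shell. Disconnect-MgGraph is the documented cmdlet name (Disconnect-Graph is an alias that
# may not be exported by every SDK version). A disconnect failure is irrelevant at this point, so
# it is deliberately suppressed.
$null = Disconnect-MgGraph -ErrorAction SilentlyContinue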