Public/TenantConfiguration/Baseline/Add-ConfigurationPolicies.ps1

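function Add-ConfigurationPolicies {
    <#
    .SYNOPSIS
        Creates the baseline Intune configuration policies in a customer tenant and assigns them to all devices.

    .DESCRIPTION
        Connects to the customer tenant, lists the settings-catalog configuration policies already present
        (Windows 10 / macOS / iOS, managed via mdm, windows10XManagement or appleRemoteManagement), then walks
        every *.json file in the ConfigurationPolicies folder next to this script. A file whose policy name is
        already present in the tenant is skipped; every other one is POSTed to the beta configurationPolicies
        endpoint and assigned to all devices.

        Existence is decided by display name only: a policy that exists with different settings is left as-is,
        not updated.

        The JyskIT-Baseline-SEC-LocalUserGroupMembership policy carries an Entra group display name where Intune
        expects a SID. That group is looked up (and created as a security-enabled group when missing), its object
        id is converted to a SID, and the SID replaces the name before the policy is created.

    .PARAMETER TenantId
        Tenant id of the customer tenant to connect to and create the policies in.

    .OUTPUTS
        None. Progress is reported with Write-Host.

    .NOTES
        Any failure is rethrown as "Failed to create configuration policies: <error>".
    #>
    param(
        [Parameter(Mandatory)]
        [string]$TenantId
    )

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId

        # Policies already in the tenant, restricted to the platforms/technologies the baseline targets.
        # Only the name is used later, to decide whether a file still needs to be created.
        $ConfigurationPolicies = (Invoke-GraphRequest -Method GET -Uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$filter=%28platforms%20eq%20%27windows10%27%20or%20platforms%20eq%20%27macOS%27%20or%20platforms%20eq%20%27iOS%27%29%20and%20%28technologies%20has%20%27mdm%27%20or%20technologies%20has%20%27windows10XManagement%27%20or%20technologies%20has%20%27appleRemoteManagement%27%29').value

        $ConfigurationPoliciesFiles = Get-ChildItem -Path "$PSScriptRoot\ConfigurationPolicies" -Filter *.json

        foreach ($ConfigurationPolicyFile in $ConfigurationPoliciesFiles) {
            # -Raw hands the whole document to ConvertFrom-Json as one string instead of one line per pipeline item.
            $ConfigurationPolicy = Get-Content -Path $ConfigurationPolicyFile.FullName -Raw | ConvertFrom-Json -AsHashtable -Depth 100

            # Idempotency by display name: skip files whose policy already exists, create the rest.
            if ($ConfigurationPolicies.name -contains $ConfigurationPolicy.name) {
                Write-Host "Configuration policy '$($ConfigurationPolicy.name)' already exists, not creating.." -ForegroundColor Yellow
                continue
            }

            # Manually replace group in JyskIT-Baseline-SEC-LocalUserGroupMembership
            # TODO: Find a way to dynamically create groups for use inside configuration policies, and not just assigned ones..
            if ($ConfigurationPolicy.name -eq "JyskIT-Baseline-SEC-LocalUserGroupMembership") {
                # The JSON stores the group's display name in the slot where Intune wants the group SID.
                $GroupName = $ConfigurationPolicy.settings.settingInstance.groupSettingCollectionValue[0].children[0].groupSettingCollectionValue.children[0].choiceSettingValue.children[0].simpleSettingCollectionValue[0].value
                if ([string]::IsNullOrWhiteSpace($GroupName)) {
                    throw "Could not find the group name placeholder in '$($ConfigurationPolicyFile.Name)'; the settings layout does not match what this function expects."
                }

                # A single quote inside an OData string literal is escaped by doubling it.
                $EscapedGroupName = $GroupName.Replace("'", "''")
                $MatchingGroups = @(Get-MgGroup -Filter "displayName eq '$EscapedGroupName'")

                # Placing the wrong SID into a local-group-membership policy is not something to guess at,
                # so an ambiguous display name is an error rather than "first match wins".
                if ($MatchingGroups.Count -gt 1) {
                    throw "Found $($MatchingGroups.Count) groups named '$GroupName'; cannot decide which SID to place in the policy."
                }

                if ($MatchingGroups.Count -eq 0) {
                    Write-Host "Group '$GroupName' does not exist, creating.." -ForegroundColor Yellow
                    # Security-enabled, not mail-enabled: the policy only needs a SID to reference.
                    $Group = New-MgGroup -DisplayName $GroupName -MailEnabled $false -MailNickname $GroupName -SecurityEnabled $true
                    Write-Host "Created group '$GroupName'." -ForegroundColor Green
                } else {
                    $Group = $MatchingGroups[0]
                }

                $SID = Convert-EntraIDObjectIDToSid -ObjectId $Group.id
                $ConfigurationPolicy.settings.settingInstance.groupSettingCollectionValue[0].children[0].groupSettingCollectionValue.children[0].choiceSettingValue.children[0].simpleSettingCollectionValue[0].value = $SID
                Write-Host "Replaced group SID in configuration policy '$($ConfigurationPolicy.name)' with SID $($SID)." -ForegroundColor Green
            }

            # The response carries the tenant-side id needed for the assignment call.
            $CreatedPolicy = Invoke-GraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -Body $ConfigurationPolicy
            Write-Host "Created configuration policy '$($CreatedPolicy.name)'." -ForegroundColor Green
            <#
            We handle this after the fact instead of interrupting the flow.
            if($CreatedPolicy.templateReference.templateFamily -eq "endpointSecurityEndpointDetectionAndResponse") {
                Write-Host "You have created an EDR Policy. Make sure to visit https://security.microsoft.com/securitysettings/endpoints/integration and 'Microsoft Intune connection'." -ForegroundColor Yellow
                Write-Host "After this, "
            }
            #>

            # The policy JSON carries no assignment; every baseline policy is scoped to all devices here.
            # NOTE(review): this call uses Invoke-MgGraphRequest while the two calls above use Invoke-GraphRequest —
            # confirm whether the latter is a project wrapper that should be used consistently.
            Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies/$($CreatedPolicy.id)/assign" -Body @{
                "assignments" = @(
                    @{
                        "target" = @{
                            "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget"
                        }
                    }
                )
            }
            Write-Host "Assigned configuration policy '$($CreatedPolicy.name)' to all devices." -ForegroundColor Green
        }

    }
    catch {
        throw "Failed to create configuration policies: $_"
    }
}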