Merge pull request #5448 from nee-source/feat/windows-10-baseline

Feat/windows 10 baseline
microsoft · Dec 16, 2024 · 18e460c · 18e460c
2 parents c02b763 + b2348c3
commit 18e460c
Show file tree

Hide file tree

Showing 12 changed files with 3,458 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -27,6 +27,8 @@
   * Fixing issue with the way the QrCodeImage property was exported and handled.
 * IntuneFirewallPolicyWindows10
   * Fix export of properties that appear multiple times in subsections.
+* IntuneSecurityBaselineWindows10
+  * Initial release.
 * M365DSCDRGUtil
   * Improve settings catalog handling for nested objects.
 * M365DSCResourceGenerator

diff --git a/...Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json b/...Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json
@@ -1,29 +1,41 @@
 {
-    "resourceName": "IntuneSecurityBaselineDefenderForEndpoint",
-    "description": "This resource configures an Test Intune Security Baseline Defender For Endpoint.",
-    "permissions": {
-        "graph": {
-            "delegated": {
-                "read": [
-                    {
-                        "name": "DeviceManagementConfiguration.Read.All"
+    "resourceName":"IntuneSecurityBaselineDefenderForEndpoint",
+    "description":"This resource configures an Test Intune Security Baseline Defender For Endpoint.",
+    "permissions":{
+        "graph":{
+            "delegated":{
+                "read":[
+                    {
+                        "name":"Group.Read.All"
+                    },
+                    {
+                        "name":"DeviceManagementConfiguration.Read.All"
                     }
                 ],
-                "update": [
+                "update":[
+                    {
+                        "name":"Group.Read.All"
+                    },
                     {
-                        "name": "DeviceManagementConfiguration.ReadWrite.All"
+                        "name":"DeviceManagementConfiguration.ReadWrite.All"
                     }
                 ]
             },
-            "application": {
-                "read": [
+            "application":{
+                "read":[
                     {
-                        "name": "DeviceManagementConfiguration.Read.All"
+                        "name":"Group.Read.All"
+                    },
+                    {
+                        "name":"DeviceManagementConfiguration.Read.All"
                     }
                 ],
-                "update": [
+                "update":[
+                    {
+                        "name":"Group.Read.All"
+                    },
                     {
-                        "name": "DeviceManagementConfiguration.ReadWrite.All"
+                        "name":"DeviceManagementConfiguration.ReadWrite.All"
                     }
                 ]
             }

diff --git a/...CResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 b/...CResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1
diff --git a/...rces/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof b/...rces/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof
diff --git a/...les/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/readme.md b/...les/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneSecurityBaselineWindows10
+
+## Description
+
+Intune Security Baseline for Windows10
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json
@@ -0,0 +1,44 @@
+{
+    "resourceName":"IntuneSecurityBaselineWindows10",
+    "description":"This resource configures an Intune Security Baseline for Windows10.",
+    "permissions":{
+        "graph":{
+            "delegated":{
+                "read":[
+                                                 {
+                        "name":"DeviceManagementConfiguration.Read.All"
+                                                 },
+                                                 {
+                        "name":"Group.Read.All"
+                                                 }
+                                             ],
+                "update":[
+                                                   {
+                        "name":"Group.Read.All"
+                    },
+                    {
+                        "name":"DeviceManagementConfiguration.ReadWrite.All"
+                                                   }
+                                               ]
+                                },
+            "application":{
+                "read":[
+                                                   {
+                        "name":"DeviceManagementConfiguration.Read.All"
+                                                   },
+                                                   {
+                        "name":"Group.Read.All"
+                                                   }
+                                               ],
+                "update":[
+                                                     {
+                        "name":"Group.Read.All"
+                    },
+                    {
+                        "name":"DeviceManagementConfiguration.ReadWrite.All"
+                                                     }
+                                                 ]
+                                  }
+              }
+}
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1
@@ -0,0 +1,51 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+    param(
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint
+    )
+    Import-DscResource -ModuleName Microsoft365DSC
+
+    node localhost
+    {
+        IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
+        {
+            DisplayName           = 'test'
+            DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10
+            {
+                Pol_MSS_DisableIPSourceRoutingIPv6 = '1'
+                DisableIPSourceRoutingIPv6 = '0'
+                BlockExecutionOfPotentiallyObfuscatedScripts = 'block'                             
+                HardenedUNCPaths_Pol_HardenedPaths = '1'
+                pol_hardenedPaths = @(
+                    MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths{
+                        Key = '\\*\SYSVOL'
+                        Value = 'RequireMutualAuthentication=1,RequireIntegrity=1'
+                    }
+                )
+            }
+            UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10
+            {
+                AllowWindowsSpotlight = '1'
+            }
+            Ensure                = 'Present'
+            ApplicationId         = $ApplicationId;
+            TenantId              = $TenantId;
+            CertificateThumbprint = $CertificateThumbprint;
+        }
+    }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1
@@ -0,0 +1,51 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+    param(
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint
+    )
+    Import-DscResource -ModuleName Microsoft365DSC
+
+    node localhost
+    {
+        IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
+        {
+            DisplayName           = 'test'
+            DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10
+            {
+                Pol_MSS_DisableIPSourceRoutingIPv6 = '1'
+                DisableIPSourceRoutingIPv6 = '0'
+                BlockExecutionOfPotentiallyObfuscatedScripts = 'block'                         
+                HardenedUNCPaths_Pol_HardenedPaths = '1'
+                pol_hardenedPaths = @(
+                    MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths{
+                        Key = '\\*\SYSVOL'
+                        Value = 'RequireMutualAuthentication=1,RequireIntegrity=1'
+                    }
+                )
+            }
+            UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10
+            {
+                AllowWindowsSpotlight = '1' #drift
+            }
+            Ensure                = 'Present'
+            ApplicationId         = $ApplicationId;
+            TenantId              = $TenantId;
+            CertificateThumbprint = $CertificateThumbprint;
+        }
+    }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/3-Remove.ps1
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+    param(
+        [Parameter()]
+        [System.String]
+        $ApplicationId,
+
+        [Parameter()]
+        [System.String]
+        $TenantId,
+
+        [Parameter()]
+        [System.String]
+        $CertificateThumbprint
+    )
+    Import-DscResource -ModuleName Microsoft365DSC
+
+    node localhost
+    {
+        IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
+        {
+            DisplayName           = 'test'
+            Ensure                = 'Absent'
+            ApplicationId         = $ApplicationId;
+            TenantId              = $TenantId;
+            CertificateThumbprint = $CertificateThumbprint;
+        }
+    }
+}
diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1
@@ -2032,6 +2032,10 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue
                     {
                         $childSettingValue.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId })
                     }
+                    if ($childSettingType -eq '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionInstance')
+                    {
+                        $childSettingType = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance'
+                    } 
                     $childSettingValue.Add('@odata.type', $childSettingType)
                     $choiceSettingValueChildren += $childSettingValue
                 }

diff --git a/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1
@@ -100,6 +100,7 @@
             'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') }
             'edge~httpauthentication*' { $settingName = $settingName.Replace('edge~httpauthentication', 'MicrosoftEdge_HTTPAuthentication') }
             'edge~contentsettings*' { $settingName = $settingName.Replace('edge~contentsettings', 'MicrosoftEdge_ContentSettings') }
+            '*~SmartScreen_*' { $settingName = $settingName.Replace('~SmartScreen', 'SmartScreen') }
             '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') }
             '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') }
             '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') }