diff --git a/CHANGELOG.md b/CHANGELOG.md index 8e1b7d6bcd..a3fd1ff83a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,9 +10,16 @@ * Initial release. * EXOMigrationEndpoint * Initial Release +* IntuneAppAndBrowserIsolationPolicyWindows10 + * Initial release. + FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028) +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Migrate to new Settings Catalog cmdlets. * M365DSCDRGUtil * Fixes an issue for the handling of skipped one-property elements in the Settings Catalog. FIXES [#5086](https://github.com/microsoft/Microsoft365DSC/issues/5086) + * Add Set support for secret Settings Catalog values + * Removed unused functions * DEPENDENCIES * Updated DSCParser to version 2.0.0.11 * Updated ReverseDSC to version 2.0.0.21 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.psm1 new file mode 100644 index 0000000000..01d7114e5a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.psm1 
@@ -0,0 +1,855 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + 
[Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune App And Browser Isolation Policy for Windows10 with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune App And Browser Isolation Policy for Windows10 with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune App And Browser Isolation Policy for Windows10 with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + 
[ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = '9f667e40-8f3c-4f88-80d8-457f16906315_1' + $platforms = 'windows10' + $technologies = 'mdm' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune App And Browser Isolation Policy for Windows10 with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 
'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune App And Browser Isolation Policy for Windows10 with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune App And Browser Isolation Policy for Windows10 with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + [System.String] + $AllowWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('0', '1', '2', '3')] + 
[System.String] + $ClipboardSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SaveFilesToHost, + + [Parameter()] + [ValidateSet('install')] + [System.String] + $InstallWindowsDefenderApplicationGuard, + + [Parameter()] + [ValidateSet('1', '2', '3')] + [System.String] + $ClipboardFileType, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowPersistence, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowVirtualGPU, + + [Parameter()] + [ValidateSet('0', '1', '2', '4', '8')] + [System.Int32[]] + $PrintingSettings, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowCameraMicrophoneRedirection, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AuditApplicationGuard, + + [Parameter()] + [System.String[]] + $CertificateThumbprints, + + [Parameter()] + [System.String[]] + $EnterpriseIPRange, + + [Parameter()] + [System.String[]] + $EnterpriseCloudResources, + + [Parameter()] + [System.String[]] + $EnterpriseNetworkDomainNames, + + [Parameter()] + [System.String[]] + $EnterpriseProxyServers, + + [Parameter()] + [System.String[]] + $EnterpriseInternalProxyServers, + + [Parameter()] + [System.String[]] + $NeutralResources, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseProxyServersAreAuthoritative, + + [Parameter()] + [ValidateSet('1', '0')] + [System.String] + $EnterpriseIPRangesAreAuthoritative, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + 
$ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune App And Browser Isolation Policy for Windows10 with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + 
Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "9f667e40-8f3c-4f88-80d8-457f16906315_1" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + 
$Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.schema.mof new file mode 100644 index 0000000000..834c947e27 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10.schema.mof 
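Review bot: The name fallback in Get-TargetResource, `-Filter "Name eq '$DisplayName'"`, is not restricted to this resource's template, so a Settings Catalog policy of a different type that happens to share the display name is returned as found and the Present/Present branch of Set-TargetResource then rewrites it with this template's settings; Export-TargetResource already restricts on `$_.TemplateReference.TemplateId -eq $policyTemplateID`, and the lookup should carry the same constraint, e.g. `-Filter "Name eq '$DisplayName' and templateReference/TemplateId eq '9f667e40-8f3c-4f88-80d8-457f16906315_1'"`. The interpolated name also reaches the OData filter unescaped, so a display name containing a single quote would produce an invalid filter that `-ErrorAction SilentlyContinue` turns into a null result and a fall-through to `$nullResult`; doubling the quote first (`$DisplayName.Replace("'", "''")`) avoids that. Separately, RoleScopeTagIds is returned by Get-TargetResource but never written: `$createParameters` omits it and the Update-IntuneDeviceConfigurationPolicy call passes no such parameter, so unless Get-IntuneSettingCatalogPolicySetting handles it (nothing here shows that) a configured value will be reported as drift on every Test without Set ever correcting it; at minimum add `RoleScopeTagIds = $RoleScopeTagIds` to `$createParameters`.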
@@ -0,0 +1,48 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneAppAndBrowserIsolationPolicyWindows10")] +class MSFT_IntuneAppAndBrowserIsolationPolicyWindows10 : OMI_BaseResource +{ + [Write, Description("Policy description")] String Description; + [Key, Description("Policy name")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("The unique identifier for an entity. 
Read-only.")] String Id; + [Write, Description("Turn on Microsoft Defender Application Guard (0: Disable Microsoft Defender Application Guard, 1: Enable Microsoft Defender Application Guard for Microsoft Edge ONLY, 2: Enable Microsoft Defender Application Guard for isolated Windows environments ONLY, 3: Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AllowWindowsDefenderApplicationGuard; + [Write, Description("Clipboard behavior settings (0: Completely turns Off the clipboard functionality for the Application Guard., 1: Turns On clipboard operation from an isolated session to the host., 2: Turns On clipboard operation from the host to an isolated session., 3: Turns On clipboard operation in both the directions.)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String ClipboardSettings; + [Write, Description("Allow files to download and save to the host operating system (0: The user cannot download files from Edge in the container to the host file system. 
When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow users to download files from Edge in the container to the host file system.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SaveFilesToHost; + [Write, Description("Install Windows defender application guard (install: Install)"), ValueMap{"install"}, Values{"install"}] String InstallWindowsDefenderApplicationGuard; + [Write, Description("Clipboard content options (1: Allow text copying., 2: Allow image copying., 3: Allow text and image copying.)"), ValueMap{"1", "2", "3"}, Values{"1", "2", "3"}] String ClipboardFileType; + [Write, Description("Allow data persistence (0: Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off., 1: Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowPersistence; + [Write, Description("Allow hardware-accelerated rendering (0: Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowVirtualGPU; + [Write, Description("Print Settings (0: Disables all print functionality., 1: Enables only XPS printing., 2: Enables only PDF printing., 4: Enables only local printing., 8: Enables only network printing.)"), ValueMap{"0", "1", "2", "4", "8"}, Values{"0", "1", "2", "4", "8"}] SInt32 PrintingSettings[]; + [Write, Description("Allow camera and microphone access (0: Microsoft Defender Application Guard cannot access the device's camera and microphone. 
When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow Microsoft Defender Application Guard to access the device's camera and microphone.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowCameraMicrophoneRedirection; + [Write, Description("Audit Application Guard (0: Audit event logs aren't collected for Application Guard., 1: Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AuditApplicationGuard; + [Write, Description("Certificate Thumbprints")] String CertificateThumbprints[]; + [Write, Description("Enterprise IP Range")] String EnterpriseIPRange[]; + [Write, Description("Enterprise Cloud Resources")] String EnterpriseCloudResources[]; + [Write, Description("Enterprise Network Domain Names")] String EnterpriseNetworkDomainNames[]; + [Write, Description("Enterprise Proxy Servers")] String EnterpriseProxyServers[]; + [Write, Description("Enterprise Internal Proxy Servers")] String EnterpriseInternalProxyServers[]; + [Write, Description("Neutral Resources")] String NeutralResources[]; + [Write, Description("Enterprise Proxy Servers Are Authoritative (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String EnterpriseProxyServersAreAuthoritative; + [Write, Description("Enterprise IP Ranges Are Authoritative (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String EnterpriseIPRangesAreAuthoritative; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id 
of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/readme.md new file mode 100644 index 0000000000..311864ce6b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/readme.md @@ -0,0 +1,6 @@ + +# IntuneAppAndBrowserIsolationPolicyWindows10 + +## Description + +Intune App And Browser Isolation Policy for Windows10 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json new file mode 100644 index 0000000000..fe0c097e79 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAppAndBrowserIsolationPolicyWindows10/settings.json 
@@ -0,0 +1,33 @@ +{ + "resourceName": "IntuneAppAndBrowserIsolationPolicyWindows10", + "description": "This resource configures an Intune App And Browser Isolation Policy for Windows10.", + "permissions": { + "graph": { + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 index 047fb4e9e6..a7a6ad3a6e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 @@ -12,6 +12,10 @@ function Get-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
@@ -96,106 +100,74 @@ function Get-TargetResource if ($null -eq $policy) { - Write-Verbose -Message "No Endpoint Detection And Response Policy with Id {$Identity} was found" - $policyTemplateID = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' - $filter = "name eq '$DisplayName' and templateReference/TemplateId eq '$policyTemplateID'" - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -Filter $filter -ErrorAction SilentlyContinue - if ($null -eq $policy) + Write-Verbose -Message "Could not find an Intune Endpoint Detection And Response Policy for Windows10 with Id {$Identity}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) { - Write-Verbose -Message "No Endpoint Detection And Response Policy with displayName {$DisplayName} was found" - return $nullResult + $policy = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue } } - $policy = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $policy.Id -ExpandProperty 'settings' -ErrorAction SilentlyContinue - + if ($null -eq $policy) + { + Write-Verbose -Message "Could not find an Intune Endpoint Detection And Response Policy for Windows10 with Name {$DisplayName}." 
+ return $nullResult + } $Identity = $policy.Id + Write-Verbose -Message "An Intune Endpoint Detection And Response Policy for Windows10 with Id {$Identity} and Name {$DisplayName} was found" - Write-Verbose -Message "Found Endpoint Detection And Response Policy with Id {$($policy.id)} and displayName {$($policy.Name)}" - - #Retrieve policy specific settings - $settings = @() - $settings += $policy.settings + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Identity ` + -ExpandProperty 'settingDefinitions' ` + -ErrorAction Stop - $returnHashtable = @{} - $returnHashtable.Add('Identity', $Identity) - $returnHashtable.Add('DisplayName', $policy.name) - $returnHashtable.Add('Description', $policy.description) - - foreach ($setting in $settings.settingInstance) + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + if ($policySettings.ClientConfigurationPackageType -eq 'onboarding_fromconnector') { - $addToParameters = $true - $settingName = $setting.settingDefinitionId.Split('_') | Select-Object -Last 1 - - switch ($setting.AdditionalProperties.'@odata.type') - { - - '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' - { - $settingValue = $setting.AdditionalProperties.simpleSettingValue.value - } - '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - { - $settingValue = $setting.AdditionalProperties.choiceSettingValue.value.split('_') | Select-Object -Last 1 - } - '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - { - $values = @() - foreach ($value in $setting.AdditionalProperties.groupSettingCollectionValue.children) - { - $settingName = $value.settingDefinitionId.split('_') | Select-Object -Last 1 - $settingValue = $value.choiceSettingValue.value.split('_') | Select-Object -Last 1 - 
$returnHashtable.Add($settingName, $settingValue) - $addToParameters = $false - } - } - '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - { - $values = @() - foreach ($value in $setting.AdditionalProperties.simpleSettingCollectionValue.value) - { - $values += $value - } - $settingValue = $values - } - Default - { - $settingValue = $setting.value - } - } - - if ($addToParameters) - { - $returnHashtable.Add($settingName, $settingValue) - } - + $policySettings.Add('ConfigurationType', 'AutoFromConnector') } - - #Removing telemetryreportingfrequency as deprecated and doen't need to be evaluated adn enforced - $returnHashtable.Remove('telemetryreportingfrequency') - - $returnAssignments = @() - $currentAssignments = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity -All - - if ($null -ne $currentAssignments -and $currentAssignments.count -gt 0 ) + else { - $returnAssignments += ConvertFrom-IntunePolicyAssignment -Assignments ($currentAssignments) + $policySettings.Add('ConfigurationType', $policySettings.ClientConfigurationPackageType) } + $policySettings.Remove('ClientConfigurationPackageType') + $policySettings.Remove('onboarding') + $policySettings.Remove('offboarding') + $policySettings.Remove('onboarding_fromconnector') + + # Removing TelemetryReportingFrequency because it's deprecated and doesn't need to be evaluated and enforced + $policySettings.Remove('telemetryreportingfrequency') + + $results = @{ + #region resource generator code + Description = $policy.Description + DisplayName = $policy.Name + RoleScopeTagIds = $policy.RoleScopeTagIds + Identity = $policy.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings - 
$returnHashtable.Add('Assignments', $returnAssignments) - - Write-Verbose -Message "Found Endpoint Protection Policy {$($policy.name)}" - - $returnHashtable.Add('Ensure', 'Present') - $returnHashtable.Add('Credential', $Credential) - $returnHashtable.Add('ApplicationId', $ApplicationId) - $returnHashtable.Add('TenantId', $TenantId) - $returnHashtable.Add('ApplicationSecret', $ApplicationSecret) - $returnHashtable.Add('CertificateThumbprint', $CertificateThumbprint) - $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) - $returnHashtable.Add("AccessTokens", $AccessTokens) + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Identity + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) - return $returnHashtable + return $results } catch { @@ -222,6 +194,10 @@ function Set-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
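Review bot: The fallback lookup `Get-MgBetaDeviceManagementConfigurationPolicy -Filter "Name eq '$DisplayName'"` drops the `templateReference/TemplateId eq '0385b795-0f2f-44ac-8602-9f65bf6adede_1'` clause the removed code had, so any Settings Catalog policy that merely shares the display name is returned as the current state and Set-TargetResource will then rewrite it with the EDR template's settings. Restore the template clause and escape the quote, since `$DisplayName` is interpolated into an OData expression: `-Filter "Name eq '$($DisplayName -replace "'", "''")' and templateReference/TemplateId eq '0385b795-0f2f-44ac-8602-9f65bf6adede_1'"`. The new `$results` hashtable also no longer carries `AccessTokens`, which the removed return did; if the export/authentication helpers expect that key, add `AccessTokens = $AccessTokens` back. Get-TargetResource starts before this hunk and its catch block runs past it.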
@@ -291,14 +267,35 @@ function Set-TargetResource #endregion $currentPolicy = Get-TargetResource @PSBoundParameters - $PSBoundParameters.Remove('Ensure') | Out-Null - $PSBoundParameters.Remove('Credential') | Out-Null - $PSBoundParameters.Remove('ApplicationId') | Out-Null - $PSBoundParameters.Remove('TenantId') | Out-Null - $PSBoundParameters.Remove('ApplicationSecret') | Out-Null - $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null - $PSBoundParameters.Remove('ManagedIdentity') | Out-Null - $PSBoundParameters.Remove('AccessTokens') | Out-Null + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + switch ($ConfigurationType) + { + 'AutoFromConnector' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'onboarding_fromconnector') + $BoundParameters.Add('onboarding_fromconnector', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + 'Onboard' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'onboard') + $BoundParameters.Add('onboarding', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + 'Offboard' + { + $BoundParameters.Add('ClientConfigurationPackageType', 'offboard') + $BoundParameters.Add('offboarding', $ConfigurationBlob) + $BoundParameters.Remove('ConfigurationBlob') | Out-Null + } + } + + if ([System.String]::IsNullOrEmpty($ConfigurationBlob)) + { + throw "ConfigurationBlob is required for configurationType '$($DSCParams.ConfigurationType)'" + } + $BoundParameters.Remove('ConfigurationType') | Out-Null $templateReferenceId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' $platforms = 'windows10' 
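Review bot: The line `throw "ConfigurationBlob is required for configurationType '$($DSCParams.ConfigurationType)'"` references `$DSCParams`, which was a parameter of the deleted Get-IntuneSettingCatalogPolicySetting helper and is not defined in Set-TargetResource, so the message always prints an empty type name; use `'$ConfigurationType'`. The check also sits before the Ensure branches, so a configuration with `Ensure = 'Absent'` and no blob throws instead of removing the policy — guard it with `if ($Ensure -eq 'Present' -and [System.String]::IsNullOrEmpty($ConfigurationBlob))`. Set-TargetResource starts and ends outside this hunk.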
@@ -306,82 +303,64 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating new Endpoint Protection Policy {$DisplayName}" - $PSBoundParameters.Remove('Assignments') | Out-Null + Write-Verbose -Message "Creating an Intune Endpoint Protection And Response Policy for Windows10 with Name {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null - $settings = @() - $formattedSettings = Get-IntuneSettingCatalogPolicySetting ` - -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId - if ($null -ne $formattedSettings) - { - $settings += $formattedSettings - } - $createParameters = @{ - name = $DisplayName - description = $Description - templateReference = @{templateId = $templateReferenceId } - platforms = $platforms - technologies = $technologies - settings = $settings + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings } - write-verbose ($createParameters|convertto-json -depth 100) + #region resource generator code $policy = New-MgBetaDeviceManagementConfigurationPolicy -bodyParameter $createParameters - $assignmentsHash = @() - if ($null -ne $Assignments -and $Assignments.count -gt 0 ) + if ($policy.Id) { - $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' } - - Update-DeviceConfigurationPolicyAssignment ` - -DeviceConfigurationPolicyId $policy.id ` - 
-Targets $assignmentsHash - + #endregion } elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { - Write-Verbose -Message "Updating existing Endpoint Protection Policy {$($currentPolicy.DisplayName)}" - $PSBoundParameters.Remove('Assignments') | Out-Null + Write-Verbose -Message "Updating the Intune Endpoint Protection And Response Policy for Windows10 {$($currentPolicy.DisplayName)}" + $BoundParameters.Remove('Assignments') | Out-Null - #format settings from PSBoundParameters for update - $settings = @() - $formattedSettings = Get-IntuneSettingCatalogPolicySetting ` - -DSCParams ([System.Collections.Hashtable]$PSBoundParameters) ` + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` -TemplateId $templateReferenceId - if ($null -ne $formattedSettings) - { - $settings += $formattedSettings - } - - Update-DeviceManagementConfigurationPolicy ` - -DeviceManagementConfigurationPolicyId $currentPolicy.Identity ` - -DisplayName $DisplayName ` + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentPolicy.Identity ` + -Name $DisplayName ` -Description $Description ` - -TemplateReference $templateReferenceId ` + -TemplateReferenceId $templateReferenceId ` -Platforms $platforms ` -Technologies $technologies ` -Settings $settings - #region update policy assignments - $assignmentsHash = @() - if ($null -ne $Assignments -and $Assignments.count -gt 0 ) - { - $assignmentsHash += ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments - } - + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments Update-DeviceConfigurationPolicyAssignment ` -DeviceConfigurationPolicyId $currentPolicy.Identity ` - -Targets $assignmentsHash + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' #endregion } elseif ($Ensure -eq 'Absent' -and 
$currentPolicy.Ensure -eq 'Present') { - Write-Verbose -Message "Removing Endpoint Protection Policy {$($currentPolicy.DisplayName)}" + Write-Verbose -Message "Removing the Intune Endpoint Protection And Response Policy for Windows 10 with Id {$($currentPolicy.Identity)}" Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentPolicy.Identity } } @@ -400,6 +379,10 @@ function Test-TargetResource [System.String] $DisplayName, + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + [Parameter()] [System.String] $Description, 
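Review bot: The create path calls `New-MgBetaDeviceManagementConfigurationPolicy -bodyParameter $createParameters` without `-ErrorAction Stop`, and the new `if ($policy.Id)` guard then silently skips the assignment when creation failed, so unless the Graph cmdlet raises a terminating error a rejected body (for example a bad ConfigurationBlob) leaves the run looking converged; add `-ErrorAction Stop` so the failure reaches the caller. The update path now calls `ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments` unconditionally where the removed code skipped it for a null or empty `$Assignments`; confirm the helper and `Update-DeviceConfigurationPolicyAssignment -Targets` tolerate a null target list, or updating a policy declared without assignments will fail or clear them. The verbose messages say "Endpoint Protection And Response" although the resource is Endpoint Detection And Response. Whether Set-TargetResource wraps this in a try/catch is outside the hunk.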
@@ -467,34 +450,69 @@ function Test-TargetResource -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of Endpoint Protection Policy {$DisplayName}" + Write-Verbose -Message "Testing configuration of the Intune Endpoint Protection And Response Policy for Windows10 with Id {$Identity} and Name {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } - Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" - Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } - $ValuesToCheck = ([hashtable]$PSBoundParameters).clone() $ValuesToCheck.Remove('Identity') | Out-Null $ValuesToCheck.Remove('ConfigurationBlob') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck - $source = $PSBoundParameters.Assignments - $target = 
$CurrentValues.Assignments - $ValuesToCheck.Remove('Assignments') | Out-Null - - $testResult = Compare-M365DSCIntunePolicyAssignment -Source $source -Target $target + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" if ($testResult) { - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys } - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testResult" - return $TestResult + return $testResult } function Export-TargetResource @@ -558,9 +576,12 @@ function Export-TargetResource { $policyTemplateID = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' [array]$policies = Get-MgBetaDeviceManagementConfigurationPolicy ` - -All:$true ` + -All ` -Filter $Filter ` - -ErrorAction Stop | Where-Object -FilterScript { $_.TemplateReference.TemplateId -eq $policyTemplateID } ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } if ($policies.Length -eq 0) { 
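Review bot: `Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"` runs after `ConfigurationBlob` was removed only from `$ValuesToCheck`, not from `$PSBoundParameters`, so the onboarding package (a tenant secret) is written to the verbose stream unless Convert-M365DscHashtableToString masks it; add `$PSBoundParameters.Remove('ConfigurationBlob') | Out-Null` next to the `$ValuesToCheck.Remove('ConfigurationBlob')` line — the key is already excluded from the comparison, so the DesiredValues passed to Test-M365DSCParameterState are unaffected. The parameter filter `if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', ...))` is always true because no key can fail both sides; it should be `-and`. Test-TargetResource's parameter block is outside this hunk.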
@@ -593,48 +614,38 @@ function Export-TargetResource } $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results - if ($Results.Ensure -eq 'Present') + if ($Results.Assignments) { - $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` - -Results $Results - - if ($Results.Assignments) + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ([Array]$Results.Assignments) -CIMInstanceName DeviceManagementConfigurationPolicyAssignments - if ($complexTypeStringResult) - { - $Results.Assignments = $complexTypeStringResult - } - else - { - $Results.Remove('Assignments') | Out-Null - } + $Results.Assignments = $complexTypeStringResult } - - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` - -ConnectionMode $ConnectionMode ` - -ModulePath $PSScriptRoot ` - -Results $Results ` - -Credential $Credential - - if ($Results.Assignments) + else { - $isCIMArray = $false - if ($Results.Assignments.getType().Fullname -like '*[[\]]') - { - $isCIMArray = $true - } - $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$isCIMArray + $Results.Remove('Assignments') | Out-Null } + } - $dscContent += $currentDSCBlock - Save-M365DSCPartialExport -Content $currentDSCBlock ` - -FileName $Global:PartialExportFileName + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential - Write-Host $Global:M365DSCEmojiGreenCheckMark - $i++ + if ($Results.Assignments) + { + $currentDSCBlock = 
Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark } return $dscContent } 
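Review bot: The `if ($Results.Ensure -eq 'Present')` guard around the export was removed, so when Get-TargetResource returns its null result (a read failure, or a name-only match that is not an EDR policy) the export still emits a block for it, now with `Ensure = 'Absent'`; restore `if ($Results.Ensure -eq 'Present') { ... }` around the assignment handling and the Get-M365DSCExportContentForResource call. Separately, Get-TargetResource strips `onboarding`/`offboarding` from the returned settings and secret Settings Catalog values are presumably not returned by Graph, so the exported block can never carry `ConfigurationBlob`, while Set-TargetResource now throws when it is empty — an exported configuration is not re-applicable as-is, which the resource readme should state. Export-TargetResource's enumeration loop starts before this hunk.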
@@ -661,278 +672,4 @@ function Export-TargetResource } } -function Get-IntuneSettingCatalogPolicySetting -{ - [CmdletBinding()] - [OutputType([System.Array])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - [Parameter(Mandatory = 'true')] - [System.String] - $TemplateId - ) - - $DSCParams.Remove('Identity') | Out-Null - $DSCParams.Remove('DisplayName') | Out-Null - $DSCParams.Remove('Description') | Out-Null - - #Prepare setting definitions mapping - $settingDefinitions = Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -DeviceManagementConfigurationPolicyTemplateId $TemplateId - $settingInstances = @() - foreach ($settingDefinition in $settingDefinitions.SettingInstanceTemplate) - { - - $settingInstance = @{} - $settingName = $settingDefinition.SettingDefinitionId.split('_') | Select-Object -Last 1 - $settingType = $settingDefinition.AdditionalProperties.'@odata.type'.replace('InstanceTemplate', 'Instance') - $settingInstance.Add('settingDefinitionId', $settingDefinition.settingDefinitionId) - $settingInstance.Add('@odata.type', $settingType) - if (-Not [string]::IsNullOrEmpty($settingDefinition.settingInstanceTemplateId)) - { - $settingInstance.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $settingDefinition.settingInstanceTemplateId }) - } - $settingValueName = $settingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $settingValueName = $settingValueName.Substring(0, 1).ToLower() + $settingValueName.Substring(1, $settingValueName.length - 1 ) - $settingValueType = $settingDefinition.AdditionalProperties."$($settingValueName)Template".'@odata.type' - if ($null -ne $settingValueType) - { - $settingValueType = $settingValueType.replace('ValueTemplate', 'Value') - } - $settingValueTemplateId = $settingDefinition.AdditionalProperties."$($settingValueName)Template".settingValueTemplateId - $settingValue = 
Get-IntuneSettingCatalogPolicySettingInstanceValue ` - -DSCParams $DSCParams ` - -SettingDefinition $settingDefinition ` - -SettingName $settingName ` - -SettingType $settingType ` - -SettingValueName $settingValueName ` - -SettingValueType $settingValueType ` - -SettingValueTemplateId $settingValueTemplateId - - if ($null -ne $settingValue) { - $childSettingType = "" - switch ($DSCParams['ConfigurationType']) - { - 'AutoFromConnector' - { - $childSettingType = 'onboarding_fromconnector' - } - 'Onboard' - { - $childSettingType = 'onboarding' - } - 'Offboard' - { - $childSettingType = 'offboarding' - } - } - - if ($settingName -eq 'configurationType') - { - if ([System.String]::IsNullOrEmpty($DSCParams['ConfigurationBlob'])) - { - throw "ConfigurationBlob is required for configurationType '$($DSCParams['ConfigurationType'])'" - } - - $children = @() - $children += @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance" - settingDefinitionId = "device_vendor_msft_windowsadvancedthreatprotection_$($childSettingType)" - simpleSettingValue = @{ - '@odata.type' = "#microsoft.graph.deviceManagementConfigurationSecretSettingValue" - value = $DSCParams['ConfigurationBlob'] - valueState = "NotEncrypted" - } - } - $settingValue.choiceSettingValue.Add("children", $children) - } - $settingInstance += ($settingValue) - $settingInstances += @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSetting' - 'settingInstance' = $settingInstance - } - } else { - Continue - } - } - - return $settingInstances -} - -function Get-IntuneSettingCatalogPolicySettingInstanceValue -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable])] - param( - [Parameter(Mandatory = 'true')] - [System.Collections.Hashtable] - $DSCParams, - - [Parameter()] - $SettingDefinition, - - [Parameter()] - [System.String] - $SettingType, - - [Parameter()] - [System.String] - $SettingName, - - [Parameter()] - [System.String] - $SettingValueName, - - 
[Parameter()] - [System.String] - $SettingValueType, - - [Parameter()] - [System.String] - $SettingValueTemplateId - ) - - $settingValueReturn = @{} - switch ($settingType) - { - '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' - { - $groupSettingCollectionValue = @{} - $groupSettingCollectionValueChildren = @() - - $groupSettingCollectionDefinitionChildren = $SettingDefinition.AdditionalProperties.groupSettingCollectionValueTemplate.children - foreach ($childDefinition in $groupSettingCollectionDefinitionChildren) - { - $childSettingName = $childDefinition.settingDefinitionId.split('_') | Select-Object -Last 1 - $childSettingType = $childDefinition.'@odata.type'.replace('InstanceTemplate', 'Instance') - $childSettingValueName = $childSettingType.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $childSettingValueType = "#microsoft.graph.deviceManagementConfiguration$($childSettingValueName)" - $childSettingValueName = $childSettingValueName.Substring(0, 1).ToLower() + $childSettingValueName.Substring(1, $childSettingValueName.length - 1 ) - $childSettingValueTemplateId = $childDefinition.$childSettingValueName.settingValueTemplateId - $childSettingValue = Get-IntuneSettingCatalogPolicySettingInstanceValue ` - -DSCParams $DSCParams ` - -SettingDefinition $childDefinition ` - -SettingName $childSettingName ` - -SettingType $childDefinition.'@odata.type' ` - -SettingValueName $childSettingValueName ` - -SettingValueType $childSettingValueType ` - -SettingValueTemplateId $childSettingValueTemplateId - - if ($null -ne $childSettingValue) - { - $childSettingValue.add('settingDefinitionId', $childDefinition.settingDefinitionId) - $childSettingValue.add('@odata.type', $childSettingType ) - $groupSettingCollectionValueChildren += $childSettingValue - } - } - $groupSettingCollectionValue.add('children', $groupSettingCollectionValueChildren) - $settingValueReturn.Add('groupSettingCollectionValue', 
@($groupSettingCollectionValue)) - } - '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance' - { - $values = @() - foreach ( $key in $DSCParams.Keys) - { - if ($settingName -eq ($key.tolower())) - { - $values = $DSCParams[$key] - break - } - } - $settingValueCollection = @() - foreach ($v in $values) - { - $settingValueCollection += @{ - value = $v - '@odata.type' = $settingValueType - } - } - $settingValueReturn.Add($settingValueName, $settingValueCollection) - } - Default - { - $value = $null - foreach ( $key in $DSCParams.Keys) - { - if ($settingName -eq ($key.tolower())) - { - $value = "$($SettingDefinition.settingDefinitionId)_$($DSCParams[$key])" - break - } - } - $settingValue = @{} - - if (-Not [string]::IsNullOrEmpty($settingValueType)) - { - $settingValue.add('@odata.type', $settingValueType) - } - if (-Not [string]::IsNullOrEmpty($settingValueTemplateId)) - { - $settingValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $settingValueTemplateId }) - } - $settingValue.add('value', $value) - if ($null -eq $value) - { - return $null - } - $settingValueReturn.Add($settingValueName, $settingValue) - } - } - return $settingValueReturn -} - -function Update-DeviceManagementConfigurationPolicy -{ - [CmdletBinding()] - param ( - [Parameter(Mandatory = 'true')] - [System.String] - $DeviceManagementConfigurationPolicyId, - - [Parameter(Mandatory = 'true')] - [System.String] - $DisplayName, - - [Parameter()] - [System.String] - $Description, - - [Parameter()] - [System.String] - $TemplateReferenceId, - - [Parameter()] - [System.String] - $Platforms, - - [Parameter()] - [System.String] - $Technologies, - - [Parameter()] - [System.Array] - $Settings - ) - - $templateReference = @{ - 'templateId' = $TemplateReferenceId - } - - $Uri = "https://graph.microsoft.com/beta/deviceManagement/ConfigurationPolicies/$DeviceManagementConfigurationPolicyId" - $policy = [ordered]@{ - 'name' = $DisplayName - 'description' = $Description - 
'platforms' = $Platforms - 'technologies' = $Technologies - 'templateReference' = $templateReference - 'settings' = $Settings - } - #write-verbose (($policy|ConvertTo-Json -Depth 20)) - Invoke-MgGraphRequest -Method PUT ` - -Uri $Uri ` - -ContentType 'application/json' ` - -Body ($policy | ConvertTo-Json -Depth 20) 4> $null -} - Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof index 6b2b758d61..f4dc9d7295 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.schema.mof 
@@ -14,6 +14,7 @@ class MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10 : OMI_BaseResource { [Write, Description("Identity of the endpoint detection and response policy for Windows 10.")] String Identity; [Key, Description("Display name of the endpoint detection and response policy for Windows 10.")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; [Write, Description("Description of the endpoint detection and response policy for Windows 10.")] String Description; [Write, Description("Assignments of the endpoint detection and response policy for Windows 10."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; [Write, Description("Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All"), ValueMap{"0", "1"}, Values{"0", "1"}] String SampleSharing; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/1-Create.ps1 new file mode 100644 index 0000000000..b985c55712 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/1-Create.ps1 
@@ -0,0 +1,51 @@ +<# +This example creates a new Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/2-Update.ps1 new file mode 100644 index 0000000000..8f3133d7cf --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/2-Update.ps1 
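Review bot: The header comment `This example creates a new Device Remediation.` was copied from another resource; it should read `This example creates a new Intune App and Browser Isolation policy for Windows 10.` The example turns Application Guard on (`AllowWindowsDefenderApplicationGuard = "1"`) together with `AllowPersistence`, `SaveFilesToHost`, `ClipboardSettings` and `AllowCameraMicrophoneRedirection` values that decide what the isolated container may reach, so a one-line comment per setting stating what the value selects, taken from the resource MOF, would make the example safer to copy.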
@@ -0,0 +1,51 @@ +<# +This example updates a new Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "0"; # Updated property + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/3-Remove.ps1 new file mode 100644 index 0000000000..a6a52ed29b --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAppAndBrowserIsolationPolicyWindows10/3-Remove.ps1 
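Review bot: The header comment `This example updates a new Device Remediation.` is wrong on both counts — wrong resource, and "updates a new"; use `This example updates an existing Intune App and Browser Isolation policy for Windows 10.` The `# Updated property` marker on `AllowCameraMicrophoneRedirection = "0"` is the only thing distinguishing this file from 1-Create.ps1, so keep that comment in sync if the example changes.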
@@ -0,0 +1,34 @@ +<# +This example removes a Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10' + { + Id = '00000000-0000-0000-0000-000000000000' + DisplayName = 'App and Browser Isolation' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 index 2cf142bdf2..85a7af0f70 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/1-Create.ps1 @@ -31,6 +31,9 @@ Configuration Example ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; + ConfigurationBlob = "Blob" + ConfigurationType = "onboard" + SampleSharing = 1 } } } diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 index 21679df4b0..e68894c238 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneEndpointDetectionAndResponsePolicyWindows10/2-Update.ps1 
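Review bot: `ConfigurationBlob = "Blob"` is a placeholder standing in for the Defender for Endpoint onboarding package, which is a tenant secret; a copy of this example that works in a real tenant would need the real blob inline, which invites committing it. Expose it like the other credentials, `[Parameter()] [System.String] $ConfigurationBlob` in the `param()` block and `ConfigurationBlob = $ConfigurationBlob` here, and say in the example header that the value must come from a secure store. `SampleSharing = 1` is an integer while the schema declares `String SampleSharing` with ValueMap "0"/"1"; `SampleSharing = "1"` matches the MOF and the quoting used for the other values. The `Configuration Example` block starts outside this hunk.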
@@ -31,6 +31,9 @@ Configuration Example ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; + ConfigurationBlob = "Blob" + ConfigurationType = "onboard" + SampleSharing = 1 } } } diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 962544bf28..8d1e1f69d7 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -501,7 +501,6 @@ function Get-M365DSCDRGSimpleObjectTypeToString [Parameter()] [System.String] $Space = ' ' - ) $returnValue = '' 
@@ -837,250 +836,6 @@ function Convert-M365DSCDRGComplexTypeToHashtable return [hashtable]$results } -function Get-SettingCatalogSettingValue -{ - [CmdletBinding()] - [OutputType([System.Collections.Hashtable],[System.Collections.Hashtable[]])] - param ( - [Parameter()] - $SettingValue, - [Parameter()] - $SettingValueType - - ) - - switch -Wildcard ($SettingValueType) - { - '*ChoiceSettingInstance' - { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $complexValue.Add('Value',$SettingValue.value) - $children = @() - foreach($child in $SettingValue.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $childSettingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$childSettingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) - } - '*ChoiceSettingCollectionInstance' - { - $complexCollection = @() - foreach($item in $SettingValue) - { - $complexValue = @{} - $complexValue.Add('Value',$item.value) - $children = @() - foreach($child in $item.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $childSettingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$childSettingValue) - 
$children += $complexChild - } - $complexValue.Add('Children',$children) - $complexCollection += $complexValue - } - return ,([hashtable[]]$complexCollection) - } - '*SimpleSettingInstance' - { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $valueName = 'IntValue' - $value = $SettingValue.value - if($SettingValue.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue') - { - $valueName = 'StringValue' - } - $complexValue.Add($valueName,$value) - if($SettingValue.'@odata.type' -eq '#microsoft.graph.deviceManagementConfigurationSecretSettingValue') - { - $complexValue.Add('ValueState',$SettingValue.valueState) - } - } - '*SimpleSettingCollectionInstance' - { - $complexCollection = @() - - foreach($item in $SettingValue) - { - $complexValue = @{} - $complexValue.Add('odataType',$item.'@odata.type') - $valueName = 'IntValue' - $value = $item.value - if($item.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationIntegerSettingValue') - { - $valueName = 'StringValue' - } - $complexValue.Add($valueName,$value) - if($item.'@odata.type' -eq '#microsoft.graph.deviceManagementConfigurationSecretSettingValue') - { - $complexValue.Add('ValueState',$item.valueState) - } - $complexCollection += $complexValue - } - return ,([hashtable[]]$complexCollection) - } - '*GroupSettingInstance' - { - $complexValue = @{} - $complexValue.Add('odataType',$SettingValue.'@odata.type') - $children = @() - foreach($child in $SettingValue.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $settingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType 
$child.'@odata.type' - $complexChild.Add($valueName,$settingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) - } - '*GroupSettingCollectionInstance' - { - $complexCollection = @() - foreach($groupSettingValue in $SettingValue) - { - $complexValue = @{} - #$complexValue.Add('odataType',$SettingValue.'@odata.type') - $children = @() - foreach($child in $groupSettingValue.children) - { - $complexChild = @{} - $complexChild.Add('SettingDefinitionId', $child.settingDefinitionId) - $complexChild.Add('odataType', $child.'@odata.type') - $valueName = $child.'@odata.type'.replace('#microsoft.graph.deviceManagementConfiguration', '').replace('Instance', 'Value') - $valueName = Get-StringFirstCharacterToLower -Value $valueName - $rawValue = $child.$valueName - $settingValue = Get-SettingCatalogSettingValue -SettingValue $rawValue -SettingValueType $child.'@odata.type' - $complexChild.Add($valueName,$settingValue) - $children += $complexChild - } - $complexValue.Add('Children',$children) - $complexCollection += $complexValue - } - return ,([hashtable[]]$complexCollection) - } - } - return $complexValue -} - -function Get-SettingCatalogPolicySettingsFromTemplate -{ - [CmdletBinding()] - [OutputType([System.Array])] - param - ( - [Parameter(Mandatory = $true)] - [System.Collections.Hashtable] - $DSCParams, - - [Parameter(Mandatory = $true)] - [System.String] - $templateReferenceId - ) - - $DSCParams.Remove('Identity') | Out-Null - $DSCParams.Remove('DisplayName') | Out-Null - $DSCParams.Remove('Description') | Out-Null - - $settings = @() - - $templateSettings = Get-MgDeviceManagementConfigurationPolicyTemplateSettingTemplate -DeviceManagementConfigurationPolicyTemplateId $templateReferenceId - - $simpleSettings = @() - $simpleSettings += $templateSettings.SettingInstanceTemplate | Where-Object -FilterScript ` - { $_.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstanceTemplate' } - 
foreach ($templateSetting in $simpleSettings) - { - $setting = @{} - $settingKey = $DSCParams.keys | Where-Object -FilterScript { $templateSetting.settingDefinitionId -like "*$($_)" } - if ((-not [String]::IsNullOrEmpty($settingKey)) -and $DSCParams."$settingKey") - { - $setting.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') - $myFormattedSetting = Format-M365DSCParamsToSettingInstance -DSCParams @{$settingKey = $DSCParams."$settingKey" } ` - -TemplateSetting $templateSetting - - $setting.Add('settingInstance', $myFormattedSetting) - $settings += $setting - $DSCParams.Remove($settingKey) | Out-Null - } - } - - #Prepare attacksurfacereductionrules groupCollectionTemplateSettings - $groupCollectionTemplateSettings = @() - $groupCollectionTemplateSettings += $templateSettings.SettingInstanceTemplate | Where-Object -FilterScript ` - { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstanceTemplate' } - - foreach ($groupCollectionTemplateSetting in $groupCollectionTemplateSettings) - { - $setting = @{} - $setting.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationSetting') - $settingInstance = [ordered]@{} - $settingInstance.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance') - $settingInstance.Add('settingDefinitionId', $groupCollectionTemplateSetting.settingDefinitionId) - $settingInstance.Add('settingInstanceTemplateReference', @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingInstanceTemplateReference' - 'settingInstanceTemplateId' = $groupCollectionTemplateSetting.settingInstanceTemplateId - }) - $groupSettingCollectionValues = @() - $groupSettingCollectionValueChildren = @() - $groupSettingCollectionValue = @{} - $groupSettingCollectionValue.Add('@odata.type', '#microsoft.graph.deviceManagementConfigurationGroupSettingValue') - - $settingValueTemplateId = 
$groupCollectionTemplateSetting.AdditionalProperties.groupSettingCollectionValueTemplate.settingValueTemplateId - if (-Not [string]::IsNullOrEmpty($settingValueTemplateId)) - { - $groupSettingCollectionValue.Add('settingValueTemplateReference', @{'settingValueTemplateId' = $SettingValueTemplateId }) - } - - foreach ($key in $DSCParams.keys) - { - $templateValue = $groupCollectionTemplateSetting.AdditionalProperties.groupSettingCollectionValueTemplate.children | Where-Object ` - -FilterScript { $_.settingDefinitionId -like "*$key" } - if ($templateValue) - { - $groupSettingCollectionValueChild = Format-M365DSCParamsToSettingInstance ` - -DSCParams @{$key = $DSCParams."$key" } ` - -TemplateSetting $templateValue ` - -IncludeSettingValueTemplateId $false ` - -IncludeSettingInstanceTemplateId $false - - $groupSettingCollectionValueChildren += $groupSettingCollectionValueChild - } - } - $groupSettingCollectionValue.Add('children', $groupSettingCollectionValueChildren) - $groupSettingCollectionValues += $groupSettingCollectionValue - $settingInstance.Add('groupSettingCollectionValue', $groupSettingCollectionValues) - $setting.Add('settingInstance', $settingInstance) - - if ($setting.settingInstance.groupSettingCollectionValue.children.count -gt 0) - { - $settings += $setting - } - } - - return $settings -} - function ConvertFrom-IntunePolicyAssignment { [CmdletBinding()] @@ -1965,6 +1720,11 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $settingValue = @{} if (-not [string]::IsNullOrEmpty($SettingValueType)) { + if ($SettingDefinition.AdditionalProperties.valueDefinition.isSecret) + { + $SettingValueType = "#microsoft.graph.deviceManagementConfigurationSecretSettingValue" + $settingValue.Add('valueState', 'NotEncrypted') + } $settingValue.Add('@odata.type', $SettingValueType) } if (-not [string]::IsNullOrEmpty($settingValueTemplateId)) 
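Review bot: The new `isSecret` branch in Get-IntuneSettingCatalogPolicySettingInstanceValue switches the value type to `#microsoft.graph.deviceManagementConfigurationSecretSettingValue` and submits the plaintext with `valueState = 'NotEncrypted'`, but nothing records that this is write-only behaviour: the EDR unit-test fixture in this PR shows the service handing the same setting back as `valueState = 'encryptedValueToken'` with an opaque value, so the stored value can never be compared against the desired plaintext, and if the assembled `$settingValue` is ever written to verbose output the secret goes with it. Suggest a comment above the `if`: `# Secret settings are submitted in clear text with valueState 'NotEncrypted'; Graph encrypts them and later returns only an encryptedValueToken, so Get/Test callers must not expect the stored value to round-trip.` Reassigning the `$SettingValueType` parameter in place is legal but hides that the caller-supplied type is being overridden; a local such as `$effectiveValueType` would make the override visible. The enclosing function begins and ends outside this hunk.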
diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json
index 7bbcdaf2d8..3945eb3cd8 100644
--- a/Modules/Microsoft365DSC/SchemaDefinition.json
+++ b/Modules/Microsoft365DSC/SchemaDefinition.json
@@ -19429,6 +19429,171 @@ } ] }, + { + "ClassName": "MSFT_IntuneAppAndBrowserIsolationPolicyWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowWindowsDefenderApplicationGuard", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ClipboardSettings", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SaveFilesToHost", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InstallWindowsDefenderApplicationGuard", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ClipboardFileType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowPersistence", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowVirtualGPU", + "Option": "Write" + }, + { + "CIMType": "SInt32[]", + "Name": "PrintingSettings", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AllowCameraMicrophoneRedirection", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "AuditApplicationGuard", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "CertificateThumbprints", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "EnterpriseIPRange", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "EnterpriseCloudResources", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "EnterpriseNetworkDomainNames", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "EnterpriseProxyServers", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "EnterpriseInternalProxyServers", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "NeutralResources", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": 
"EnterpriseProxyServersAreAuthoritative", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EnterpriseIPRangesAreAuthoritative", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_IntuneAppCategory", "Parameters": [ @@ -33907,6 +34072,11 @@ "Name": "DisplayName", "Option": "Key" }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, { "CIMType": "String", "Name": "Description", diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index f60efd6f58..4a7a92a437 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 
@@ -106,6 +106,32 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneAppCategory 'IntuneAppCategory-Data Management' { Id = "a1fc9fe2-728d-4867-9a72-a61e18f8c606"; @@ -2288,6 +2314,9 @@ ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; + ConfigurationBlob = "Blob" + ConfigurationType = "onboard" + SampleSharing = 1 } IntuneExploitProtectionPolicyWindows10SettingCatalog 'myWindows10ExploitProtectionPolicy' { diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 new file mode 100644 index 0000000000..c72f26f30e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAppAndBrowserIsolationPolicyWindows10.Tests.ps1 
@@ -0,0 +1,347 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneAppAndBrowserIsolationPolicyWindows10" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '9f667e40-8f3c-4f88-80d8-457f16906315_1' + } + } + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName 
Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard' + Name = 'InstallWindowsDefenderApplicationGuard' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard' + Name = 'AllowWindowsDefenderApplicationGuard' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence' + Name = 'AllowPersistence' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu' + Name = 'AllowVirtualGPU' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection' + Name = 'AllowCameraMicrophoneRedirection' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + Settinginstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '1f2529c7-4b06-4ae6-bebc-210f7135676f' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 
'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowpersistence_0' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowvirtualgpu_0' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowcameramicrophoneredirection_1' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_windowsdefenderapplicationguard_installwindowsdefenderapplicationguard_install' + } + } + ) + value = 'device_vendor_msft_windowsdefenderapplicationguard_settings_allowwindowsdefenderapplicationguard_1' + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + 
DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10 should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10 exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + 
groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Absent' + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10 Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Present' + Credential = $Credential; + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneAppAndBrowserIsolationPolicyWindows10 exists and values are NOT in the desired 
state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + AllowCameraMicrophoneRedirection = "0"; # Updated property + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + InstallWindowsDefenderApplicationGuard = "install"; + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + DisplayName = "Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = 'Present' + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 index fc863b5c09..e9801b6c53 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 
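Review bot: In the `exists but it SHOULD NOT` context, `It 'Should return true from the Test method'` asserts `Test-TargetResource @testParams | Should -Be $false`; the assertion is the correct expectation (the mocked policy exists while `Ensure = 'Absent'`), so the test name is what is wrong and should read `It 'Should return false from the Test method'`. Every context passes an `Assignments` entry with the same `#microsoft.graph.exclusionGroupAssignmentTarget` and groupId that the `Get-MgBetaDeviceManagementConfigurationPolicyAssignment` mock returns, so the assignment comparison is only ever exercised for the equal case; a context whose desired assignment differs would cover the drift path, though the comparison itself lives in the resource module outside this file.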
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneEndpointDetectionAndResponsePolicyWindows10.Tests.ps1 
@@ -44,12 +44,101 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplate -MockWith { + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { return @{ - TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' + Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + Description = 'My Test Description' + Name = 'My Test' + Platforms = "windows10" + Technologies = "mdm,microsoftSense" + TemplateReference = @{ + TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' + } } } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding' + Name = 'Onboarding' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + valueDefinition = @{ + isSecret = $true + } + } + } + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype' + Name = 'ClientConfigurationPackageType' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '23ab0ea3-1b12-429a-8ed0-7390cf699160' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @( + @{ + settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_onboarding' + '@odata.type' = 
'#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSecretSettingValue' + value = '84db67dd-caf8-4f86-bf00-b8897972d51f' + valueState = 'encryptedValueToken' + } + } + ) + value = 'device_vendor_msft_windowsadvancedthreatprotection_configurationtype_onboard' + } + value = "TEST" + } + } + } + @{ + Id = 1 + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' + Name = 'SampleSharing' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" + } + } + } + } + ) + } + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { return @(@{ Id = '12345-12345-12345-12345-12345' 
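Review bot: The `SettingInstance.AdditionalProperties` of the first mocked setting carries `value = "TEST"` beside `choiceSettingValue`, which is not a field of a `#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance`; if it is a leftover from editing the fixture it should be removed so the mock mirrors the payload the resource actually parses. The fixture returns the onboarding secret as `valueState = 'encryptedValueToken'` with an opaque value, while the test parameters in the following hunks pass `ConfigurationBlob = "FakeValue"`, and no context asserts what Get-TargetResource returns for `ConfigurationBlob` or how Test-TargetResource decides that token-versus-plaintext is not drift in what is presumably the in-desired-state context. An `It` asserting `(Get-TargetResource @testParams).ConfigurationBlob` against the intended value would pin the secret round-trip behaviour this PR introduces rather than leaving it implied by the other tests passing.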
@@ -69,18 +158,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyTemplateSettingTemplate -MockWith { - return @{ - Id = '12345-12345-12345-12345-12345' - SettingInstanceTemplate = @{ - settingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - settingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' - } - } - } - } # Mock Write-Host to hide output during the tests Mock -CommandName Write-Host -MockWith { @@ -105,6 +182,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" sampleSharing = "0" } 
@@ -141,39 +220,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Present' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - sampleSharing = "0" - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_1" - } - } - - } - AdditionalProperties = $null - } - } - Mock -CommandName Update-DeviceManagementConfigurationPolicy -MockWith { + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "1" # Drift } } @@ -187,7 +236,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the instance from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-DeviceManagementConfigurationPolicy -Exactly 1 + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 } } 
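Review bot: The new assertion `Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1` only works for a command that has been mocked; this hunk removes the context-local `Mock -CommandName Update-DeviceManagementConfigurationPolicy` and no replacement mock is visible, so unless `Update-IntuneDeviceConfigurationPolicy` is mocked in the shared `BeforeAll` (outside this hunk) Pester will report that no mock was declared instead of counting the call. Since this drift case now carries the onboarding blob as `ConfigurationBlob = "FakeValue"`, it would also be worth pinning how Set hands that secret to the update path, presumably via a `-ParameterFilter` on the invoke assertion once the cmdlet's parameter shape is known, so a regression that sends the blob as a plain string value rather than a secret setting is caught here. The `Describe`/`Context` enclosing this test starts and ends outside the hunk.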
@@ -206,32 +255,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DeviceAndAppManagementAssignmentFilterType = 'none' } -ClientOnly) ) - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - Settings = @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } - } + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "0" } } 
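Review bot: This "returns true" case sets `ConfigurationBlob = "FakeValue"` while the shared settings mock earlier in the file returns the blob as a `deviceManagementConfigurationSecretSettingValue` whose `value` is a GUID with `valueState = 'encryptedValueToken'`, so the test can only pass if Test-TargetResource excludes ConfigurationBlob from the comparison; Graph never returns the plaintext, which presumably means drift in the onboarding blob is undetectable by design. That is a security-relevant property (a rotated onboarding package is not re-applied by a Test/Set cycle) and the test currently leaves it implicit; annotate the line, `ConfigurationBlob = "FakeValue" # Graph returns only an encryptedValueToken; Test cannot compare this secret`, and consider a sibling case with a different blob value that also asserts `$true`, so a future change that starts comparing the token to the plaintext (and flips every run to drift) is caught. The enclosing `Context` starts and ends outside the hunk.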
@@ -254,35 +280,9 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = 'My Test' Ensure = 'Absent' Identity = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } + ConfigurationBlob = "FakeValue" + ConfigurationType = "onboard" + sampleSharing = "1" } } 
@@ -307,38 +307,6 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $testParams = @{ Credential = $Credential } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { - return @{ - Id = '619bd4a4-3b3b-4441-bd6f-3f4c0c444870' - Description = 'My Test Description' - Name = 'My Test' - TemplateReference = @{ - TemplateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' - } - } - } - - Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { - return @{ - Id = 0 - SettingDefinitions = $null - SettingInstance = @{ - SettingDefinitionId = 'device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing' - SettingInstanceTemplateReference = @{ - SettingInstanceTemplateId = '6998c81e-2814-4f5e-b492-a6159128a97b' - } - AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' - choiceSettingValue = @{ - children = @() - value = "device_vendor_msft_windowsadvancedthreatprotection_configuration_samplesharing_0" - } - } - } - AdditionalProperties = $null - } - } } It 'Should Reverse Engineer resource from the Export method' { diff --git a/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md new file mode 100644 index 0000000000..31b41d628a --- /dev/null +++ b/docs/docs/resources/intune/IntuneAppAndBrowserIsolationPolicyWindows10.md 
@@ -0,0 +1,230 @@ +# IntuneAppAndBrowserIsolationPolicyWindows10 + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **AllowWindowsDefenderApplicationGuard** | Write | String | Turn on Microsoft Defender Application Guard (0: Disable Microsoft Defender Application Guard, 1: Enable Microsoft Defender Application Guard for Microsoft Edge ONLY, 2: Enable Microsoft Defender Application Guard for isolated Windows environments ONLY, 3: Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments) | `0`, `1`, `2`, `3` | +| **ClipboardSettings** | Write | String | Clipboard behavior settings (0: Completely turns Off the clipboard functionality for the Application Guard., 1: Turns On clipboard operation from an isolated session to the host., 2: Turns On clipboard operation from the host to an isolated session., 3: Turns On clipboard operation in both the directions.) | `0`, `1`, `2`, `3` | +| **SaveFilesToHost** | Write | String | Allow files to download and save to the host operating system (0: The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow users to download files from Edge in the container to the host file system.) | `0`, `1` | +| **InstallWindowsDefenderApplicationGuard** | Write | String | Install Windows defender application guard (install: Install) | `install` | +| **ClipboardFileType** | Write | String | Clipboard content options (1: Allow text copying., 2: Allow image copying., 3: Allow text and image copying.) 
| `1`, `2`, `3` | +| **AllowPersistence** | Write | String | Allow data persistence (0: Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off., 1: Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.) | `0`, `1` | +| **AllowVirtualGPU** | Write | String | Allow hardware-accelerated rendering (0: Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.) | `0`, `1` | +| **PrintingSettings** | Write | SInt32Array[] | Print Settings (0: Disables all print functionality., 1: Enables only XPS printing., 2: Enables only PDF printing., 4: Enables only local printing., 8: Enables only network printing.) | `0`, `1`, `2`, `4`, `8` | +| **AllowCameraMicrophoneRedirection** | Write | String | Allow camera and microphone access (0: Microsoft Defender Application Guard cannot access the device's camera and microphone. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow Microsoft Defender Application Guard to access the device's camera and microphone.) | `0`, `1` | +| **AuditApplicationGuard** | Write | String | Audit Application Guard (0: Audit event logs aren't collected for Application Guard., 1: Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.) 
| `0`, `1` | +| **CertificateThumbprints** | Write | StringArray[] | Certificate Thumbprints | | +| **EnterpriseIPRange** | Write | StringArray[] | Enterprise IP Range | | +| **EnterpriseCloudResources** | Write | StringArray[] | Enterprise Cloud Resources | | +| **EnterpriseNetworkDomainNames** | Write | StringArray[] | Enterprise Network Domain Names | | +| **EnterpriseProxyServers** | Write | StringArray[] | Enterprise Proxy Servers | | +| **EnterpriseInternalProxyServers** | Write | StringArray[] | Enterprise Internal Proxy Servers | | +| **NeutralResources** | Write | StringArray[] | Neutral Resources | | +| **EnterpriseProxyServersAreAuthoritative** | Write | String | Enterprise Proxy Servers Are Authoritative (1: Enable, 0: Disable) | `1`, `0` | +| **EnterpriseIPRangesAreAuthoritative** | Write | String | Enterprise IP Ranges Are Authoritative (1: Enable, 0: Disable) | `1`, `0` | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. 
| | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + + +## Description + +Intune App And Browser Isolation Policy for Windows10 + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example creates a new Device Remediation. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "1"; + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example updates a new Device Remediation. 
+ +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '11111111-1111-1111-1111-111111111111' + } + ); + AllowCameraMicrophoneRedirection = "0"; # Updated property + AllowPersistence = "0"; + AllowVirtualGPU = "0"; + AllowWindowsDefenderApplicationGuard = "1"; + ClipboardFileType = "1"; + ClipboardSettings = "0"; + Description = 'Description' + DisplayName = "App and Browser Isolation"; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + InstallWindowsDefenderApplicationGuard = "install"; + SaveFilesToHost = "0"; + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example removes a Device Remediation. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10' + { + Id = '00000000-0000-0000-0000-000000000000' + DisplayName = 'App and Browser Isolation' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + 
diff --git a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md index 9893c32f98..92a2428a6d 100644 --- a/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneEndpointDetectionAndResponsePolicyWindows10.md @@ -6,6 +6,7 @@ | --- | --- | --- | --- | --- | | **Identity** | Write | String | Identity of the endpoint detection and response policy for Windows 10. | | | **DisplayName** | Key | String | Display name of the endpoint detection and response policy for Windows 10. | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | | **Description** | Write | String | Description of the endpoint detection and response policy for Windows 10. | | | **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Assignments of the endpoint detection and response policy for Windows 10. | | | **SampleSharing** | Write | String | Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All | `0`, `1` | @@ -100,6 +101,9 @@ Configuration Example ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; + ConfigurationBlob = "Blob" + ConfigurationType = "onboard" + SampleSharing = 1 } } } @@ -139,6 +143,9 @@ Configuration Example ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; + ConfigurationBlob = "Blob" + ConfigurationType = "onboard" + SampleSharing = 1 } } }