diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6845ab5c9e..5576768136 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,50 @@ # Change log for Microsoft365DSC +# UNRELEASED + +* AADConditionalAccessPolicy + * Fixed bug where an empty value was passed in the request for the + insiderRiskLevels parameter, which throws an error. + FIXES [#5389](https://github.com/microsoft/Microsoft365DSC/issues/5389) + * Fixes a bug where 3P apps could not be assigned by DisplayName for both + IncludeApplications and ExcludeApplications + FIXES [#5390](https://github.com/microsoft/Microsoft365DSC/issues/5390) +* AADRoleEligibilityScheduleRequest + * FIXES [#3787](https://github.com/microsoft/Microsoft365DSC/issues/3787) + * FIXES [#5089](https://github.com/microsoft/Microsoft365DSC/issues/5089) +* EXOATPBuiltInProtectionRule, EXOEOPProtectionRule + * Fixed issue where empty arrays were being compared incorrectly to null + strings + FIXES [#5394](https://github.com/microsoft/Microsoft365DSC/issues/5394) +* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy + * Update property `PasswordAgeDays_AAD` to be lower-case. + FIXES [#5378](https://github.com/microsoft/Microsoft365DSC/issues/5378) (1/2) +* IntuneAntivirusExclusionsPolicyMacOS + * Initial release. +* IntuneAntivirusPolicyWindows10SettingCatalog + * Update properties to be upper-case. + Fixes [#5373](https://github.com/microsoft/Microsoft365DSC/issues/5373) +* IntuneDeviceConfigurationCustomPolicyWindows10 + * Fixed issue where `Value`, from `OmaSettings`, could not be compared + correctly if it was boolean and set to `$False` + FIXES [#5384](https://github.com/microsoft/Microsoft365DSC/issues/5384) +* IntuneEndpointDetectionAndResponsePolicyWindows10 + * Remove changed property name from export. + FIXES [#5300](https://github.com/microsoft/Microsoft365DSC/issues/5300) +* IntuneSecurityBaselineMicrosoftEdge + * Deprecate property `authschemes` and replace with `AuthSchemes_AuthSchemes` +* M365DSCDRGUtil + * Restrict CIM instance access to properties that appear multiple times. 
+ * Switch log type for not found Intune assignments to `Warning`. +* M365DSCIntuneSettingsCatalogUtil + * Add ADMX handling for `edge~httpauthentication_`. + FIXES [#5378](https://github.com/microsoft/Microsoft365DSC/issues/5378) (2/2) +* TeamsUpgradePolicy + * Changes to how we are retrieving the users to improve performance. +* DEPENDENCIES + * Updated DSCParser to version 2.0.0.12. + * Updated MSCloudLoginAssistant to version 1.1.28. + # 1.24.1106.3 * AzureBillingAccountScheduledAction @@ -19,7 +64,6 @@ * MISC * Fixed issues with API Url's parsing. - # 1.24.1106.1 * AADAccessReviewDefinition @@ -116,13 +160,13 @@ * EXOArcConfig * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers` when it has an array -* EXOM365DataAtRestEncryptionPolicy - * Initial release. * EXOMailboxAuditBypassAssociation * Initial release. * EXOMailboxSettings * Added support for AddressBookPolicy, RetentionPolicy, RoleAssignmentPolicy and SharingPolicy. +* EXOMigration + * Initial release. * EXOServicePrincipal * Initial release. * EXOTenantAllowBlockListItems diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index 2c043c8613..efa3b783bb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -220,6 +220,7 @@ function Get-TargetResource $TransferMethods, [Parameter()] + [ValidateSet('minor', 'moderate', 'elevated', 'unknownFutureValue')] [System.String] $InsiderRiskLevels, @@ -949,6 +950,7 @@ function Set-TargetResource $TransferMethods, [Parameter()] + [ValidateSet('minor', 'moderate', 'elevated', 'unknownFutureValue')] [System.String] $InsiderRiskLevels, 
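Review bot: The `[ValidateSet('minor', 'moderate', 'elevated', 'unknownFutureValue')]` added to `$InsiderRiskLevels` in Get-TargetResource and Set-TargetResource (and again in the Test-TargetResource hunk and as `ValueMap` in the schema.mof hunk) accepts exactly one level and also rejects an explicitly empty string. If Graph treats insiderRiskLevels as a combinable value, which is worth confirming against the API reference, a policy that targets more than one level can no longer be expressed or re-applied from an export. Either state the restriction next to the attribute, e.g. `# Single level only; combined values are not supported by this resource`, or validate a comma-separated list instead of using ValidateSet. All three param blocks continue outside their hunks.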
@@ -1029,11 +1031,54 @@ function Set-TargetResource Write-Verbose -Message 'Set-Targetresource: create Application Condition object' if ($currentParameters.ContainsKey('IncludeApplications')) { - $conditions.Applications.Add('includeApplications', $IncludeApplications) + $IncludeApplicationsValue = @() + foreach ($app in $IncludeApplications) + { + $ObjectGuid = [System.Guid]::empty + if ([System.Guid]::TryParse($app, [System.Management.Automation.PSReference]$ObjectGuid)) + { + $IncludeApplicationsValue += $app + } + else + { + $appInfo = Get-MgApplication -Filter "DisplayName eq '$app'" -ErrorAction SilentlyContinue + if ($null -ne $appInfo) + { + $IncludeApplicationsValue += $appInfo.AppId + } + else + { + $IncludeApplicationsValue += $app + } + } + } + + $conditions.Applications.Add('includeApplications', $IncludeApplicationsValue) } if ($currentParameters.ContainsKey('excludeApplications')) { - $conditions.Applications.Add('excludeApplications', $ExcludeApplications) + $ExcludeApplicationsValue = @() + foreach ($app in $ExcludeApplications) + { + $ObjectGuid = [System.Guid]::empty + if ([System.Guid]::TryParse($app, [System.Management.Automation.PSReference]$ObjectGuid)) + { + $ExcludeApplicationsValue += $app + } + else + { + $appInfo = Get-MgApplication -Filter "DisplayName eq '$app'" -ErrorAction SilentlyContinue + if ($null -ne $appInfo) + { + $ExcludeApplicationsValue += $appInfo.AppId + } + else + { + $ExcludeApplicationsValue += $app + } + } + } + $conditions.Applications.Add('excludeApplications', $ExcludeApplicationsValue) } if ($ApplicationsFilter -and $ApplicationsFilterMode) { @@ -1586,7 +1631,7 @@ function Set-TargetResource } } - if ($null -ne $InsiderRiskLevels) + if ([String]::IsNullOrEmpty($InsiderRiskLevels) -eq $false) { $conditions.Add("insiderRiskLevels", $InsiderRiskLevels) } 
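Review bot: In both new loops the display name is interpolated unescaped into the OData filter and every match is appended through `$appInfo.AppId`, so a name containing an apostrophe breaks the query and a name shared by several app registrations puts all of them into the Conditional Access condition. Display names are not unique, so resolving by name can silently widen the include list or, worse, the exclude list beyond what the author intended; `-ErrorAction SilentlyContinue` additionally hides lookup failures and falls back to sending the raw string. The version below doubles embedded quotes and stops when the name is ambiguous; the ExcludeApplications loop needs the same change, ideally through one shared helper. Reserved non-GUID values such as `All` also seem to reach the lookup and should probably be passed through before querying. Set-TargetResource continues outside the hunk.

```powershell
$IncludeApplicationsValue = @()
foreach ($app in $IncludeApplications)
{
    $ObjectGuid = [System.Guid]::Empty
    if ([System.Guid]::TryParse($app, [ref]$ObjectGuid))
    {
        $IncludeApplicationsValue += $app
        continue
    }

    # Double embedded single quotes so the name stays inside the OData string literal.
    $escapedName = $app.Replace("'", "''")
    [Array]$appInfo = Get-MgApplication -Filter "DisplayName eq '$escapedName'" -ErrorAction SilentlyContinue
    if ($appInfo.Count -gt 1)
    {
        # Display names are not unique; fail instead of scoping the policy to every match.
        throw "Multiple applications are named '$app'. Specify the AppId instead."
    }
    elseif ($appInfo.Count -eq 1)
    {
        $IncludeApplicationsValue += $appInfo[0].AppId
    }
    else
    {
        $IncludeApplicationsValue += $app
    }
}
# ... unchanged: $conditions.Applications.Add('includeApplications', $IncludeApplicationsValue) ...
# ... ExcludeApplications loop: same change ...
```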
@@ -2059,6 +2104,7 @@ function Test-TargetResource $TransferMethods, [Parameter()] + [ValidateSet('minor', 'moderate', 'elevated', 'unknownFutureValue')] [System.String] $InsiderRiskLevels, diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof index 14e50047dc..a58e7239c3 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof @@ -50,7 +50,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength; [Write, Description("Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'.")] String TransferMethods; [Write, Description("Authentication context class references.")] String AuthenticationContexts[]; - [Write, Description("Insider risk levels conditions.")] String InsiderRiskLevels; + [Write, Description("Insider risk levels conditions."), ValueMap{"minor", "moderate", "elevated", "unknownFutureValue"}, Values{"minor", "moderate", "elevated", "unknownFutureValue"}] String InsiderRiskLevels; [Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; 
@@ -60,3 +60,4 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; [Write, Description("Access token used for authentication.")] String AccessTokens[]; }; + diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 index 41aa9c982a..c6b343d7b6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADRoleEligibilityScheduleRequest/MSFT_AADRoleEligibilityScheduleRequest.psm1 @@ -190,7 +190,7 @@ $schedule = $instance } } - [Array]$request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId' and RoleDefinitionId eq '$($schedule.RoleDefinitionId)'" | Sort-Object -Property CompletedDateTime -Descending + [Array]$request = Get-MgBetaRoleManagementDirectoryRoleEligibilityScheduleRequest -Filter "PrincipalId eq '$PrincipalId'" | Where-Object -FilterScript {$_.RoleDefinitionId -eq $schedule.RoleDefinitionId} | Sort-Object -Property CompletedDateTime -Descending ` if ($request.Length -gt 1) { diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.psm1 index 81087e37ee..8deb5252dc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOATPBuiltInProtectionRule/MSFT_EXOATPBuiltInProtectionRule.psm1 
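Review bot: The replacement line in the AADRoleEligibilityScheduleRequest hunk ends in a stray backtick after `-Descending`; PowerShell reads that as a line continuation, so unless the next line is blank the following `if ($request.Length -gt 1)` is folded into the Sort-Object call. Drop the trailing backtick. Moving the RoleDefinitionId match into `Where-Object` also makes the result depend on the cmdlet returning every request for the principal; if the call is paged, adding `-All` would keep requests beyond the first page from being missed, which is worth confirming. The enclosing function starts and ends outside the hunk.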
@@ -249,6 +249,21 @@ function Test-TargetResource Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + foreach ($key in $ValuesToCheck.Keys) + { + if ($null -eq $CurrentValues[$key]) + { + switch -regex ($key) + { + "^ExceptIf\w+$" + { + $CurrentValues[$key] = @() + break + } + } + } + } + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOEOPProtectionPolicyRule/MSFT_EXOEOPProtectionPolicyRule.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOEOPProtectionPolicyRule/MSFT_EXOEOPProtectionPolicyRule.psm1 index 2ae3854191..b2fd449dd0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOEOPProtectionPolicyRule/MSFT_EXOEOPProtectionPolicyRule.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOEOPProtectionPolicyRule/MSFT_EXOEOPProtectionPolicyRule.psm1 @@ -374,13 +374,26 @@ function Test-TargetResource Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" - #Convert any DateTime to String foreach ($key in $ValuesToCheck.Keys) { + # Convert any DateTime to String if (($null -ne $CurrentValues[$key]) ` -and ($CurrentValues[$key].GetType().Name -eq 'DateTime')) { $CurrentValues[$key] = $CurrentValues[$key].toString() + continue + } + + if ($null -eq $CurrentValues[$key]) + { + switch -regex ($key) + { + "^ExceptIf\w+$|^RecipientDomainIs$|^SentTo(\w+)?$" + { + $CurrentValues[$key] = @() + break + } + } } } 
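Review bot: The null-to-empty-array normalisation is added twice, once in EXOATPBuiltInProtectionRule and once in EXOEOPProtectionPolicyRule, with only the regex differing, and neither copy says why a null current value has to become `@()`. A one-line comment such as `# Treat a missing (null) list value as an empty array so it compares equal to a desired @()` would make the intent clear, and the key patterns deserve a word on which properties they are meant to cover. A single-case `switch -regex` with `break` reads more simply as `if ($key -match '^ExceptIf\w+$') { $CurrentValues[$key] = @() }`. Both Test-TargetResource bodies continue outside their hunks.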
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/MSFT_EXOM365DataAtRestEncryptionPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/MSFT_EXOM365DataAtRestEncryptionPolicy.schema.mof
deleted file mode 100644
index d790e46f09..0000000000
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/MSFT_EXOM365DataAtRestEncryptionPolicy.schema.mof
+++ /dev/null
@@ -1,16 +0,0 @@ -[ClassVersion("1.0.0.0"), FriendlyName("EXOM365DataAtRestEncryptionPolicy")] -class MSFT_EXOM365DataAtRestEncryptionPolicy : OMI_BaseResource -{ - [Key, Description("The Identity parameter specifies the data-at-rest encryption policy that you want to modify.")] String Identity; - [Write, Description("The Name parameter specifies a unique name for the Microsoft 365 data-at-rest encryption policy.")] String Name; - [Write, Description("The Description parameter specifies an optional description for the policy.")] String Description; - [Write, Description("The Enabled parameter specifies whether the policy is enabled or disabled. ")] Boolean Enabled; - [Write, Description("The AzureKeyIDs parameter specifies the URL of the encryption key in the Azure Key Vault that's used for encryption.")] String AzureKeyIDs[]; - [Write, Description("Present ensures the instance exists, absent ensures it is removed."), ValueMap{"Absent","Present"}, Values{"Absent","Present"}] string Ensure; - [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; - [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; - [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; - [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; - [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; - [Write, Description("Access token used for authentication.")] String AccessTokens[]; -}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/readme.md deleted file mode 100644 index 77f3d11aeb..0000000000 
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/readme.md +++ /dev/null @@ -1,5 +0,0 @@ -# EXOM365DataAtRestEncryptionPolicy - -## Description - -Microsoft 365 data-at-rest encryption policy for multi-workload usage. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/MSFT_EXOM365DataAtRestEncryptionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/MSFT_EXOMigration.psm1 similarity index 52% rename from Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/MSFT_EXOM365DataAtRestEncryptionPolicy.psm1 rename to Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/MSFT_EXOMigration.psm1 index 47e321452c..7eccbcb0c8 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/MSFT_EXOM365DataAtRestEncryptionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/MSFT_EXOMigration.psm1 @@ -8,21 +8,57 @@ function Get-TargetResource [System.String] $Identity, + [Parameter()] + [System.String[]] + $NotificationEmails, + + [Parameter()] + [System.String] + $CompleteAfter, + + [Parameter()] + [System.Boolean] + $AddUsers, + + [Parameter()] + [System.String] + $BadItemLimit, + + [Parameter()] + [System.String] + $LargeItemLimit, + + [Parameter()] + [System.String[]] + $MoveOptions, + + [Parameter()] + [System.String[]] + $SkipMerging, + [Parameter()] [System.String] - $Description, + $StartAfter, [Parameter()] [System.Boolean] - $Enabled, + $Update, [Parameter()] [System.String] - $Name, + $Status, + + [Parameter()] + [System.String] + $TargetDeliveryDomain, + + [Parameter()] + [System.String] + $SourceEndpoint, [Parameter()] [System.String[]] - $AzureKeyIDs, + $MigrationUsers, [Parameter()] [ValidateSet('Present', 'Absent')] 
@@ -76,19 +112,25 @@ function Get-TargetResource } else { - $instance = Get-M365DataAtRestEncryptionPolicy -Identity $Identity -ErrorAction Stop + $instance = Get-MigrationBatch -Identity $Identity -ErrorAction SilentlyContinue } if ($null -eq $instance) { return $nullResult } + $Users = Get-MigrationUser -BatchId $Identity + $UserEmails = $Users | ForEach-Object { $_.Identity } + $results = @{ Identity = $Identity - Description = [System.String]$instance.Description - Enabled = [System.Boolean]$instance.Enabled - Name = [System.String]$instance.Name - AzureKeyIDs = [System.String[]]$instance.AzureKeyIDs + NotificationEmails = [System.String[]]$instance.NotificationEmails + AddUsers = [System.Boolean]$instance.AddUsers + BadItemLimit = [System.String]$instance.BadItemLimit + LargeItemLimit = [System.String]$instance.LargeItemLimit + MoveOptions = [System.String[]]$instance.MoveOptions + SkipMerging = [System.String[]]$instance.SkipMerging + Update = [System.Boolean]$instance.Update Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId @@ -96,11 +138,27 @@ function Get-TargetResource CertificateThumbprint = $CertificateThumbprint ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens + Status = $instance.Status.Value + MigrationUsers = $UserEmails + SourceEndpoint = $instance.SourceEndpoint.Identity.Id + TargetDeliveryDomain = $instance.TargetDeliveryDomain + } + + if ($instance.CompleteAfter -ne $null) + { + $results.Add('CompleteAfter', $instance.CompleteAfter.ToString("MM/dd/yyyy hh:mm tt")) + } + + if ($instance.StartAfter -ne $null) + { + $results.Add('StartAfter', $instance.CompleteAfter.ToString("MM/dd/yyyy hh:mm tt")) } + return [System.Collections.Hashtable] $results } catch { + Write-Verbose $_ New-M365DSCLogEntry -Message 'Error retrieving data:' ` -Exception $_ ` -Source $($MyInvocation.MyCommand.Source) ` 
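Review bot: The `StartAfter` entry is filled from the wrong property: inside `if ($instance.StartAfter -ne $null)` the added line calls `$instance.CompleteAfter.ToString(...)`, so Get-TargetResource reports the completion time as the start time. When only `StartAfter` is set, the call on a null `CompleteAfter` would throw and the surrounding catch appears to return the null result, making an existing batch look absent. The line should read `$results.Add('StartAfter', $instance.StartAfter.ToString("MM/dd/yyyy hh:mm tt"))`. Separately, `Get-MigrationBatch` now runs with `-ErrorAction SilentlyContinue`, so a permission or connection failure can no longer be told apart from the batch not existing; keeping `-ErrorAction Stop` and handling the not-found case explicitly would avoid that. Get-TargetResource starts and ends outside these hunks.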
@@ -110,7 +168,6 @@ function Get-TargetResource return $nullResult } } - function Set-TargetResource { [CmdletBinding()] @@ -120,21 +177,57 @@ function Set-TargetResource [System.String] $Identity, + [Parameter()] + [System.String[]] + $NotificationEmails, + + [Parameter()] + [System.String] + $CompleteAfter, + + [Parameter()] + [System.Boolean] + $AddUsers, + [Parameter()] [System.String] - $Description, + $BadItemLimit, + + [Parameter()] + [System.String] + $LargeItemLimit, + + [Parameter()] + [System.String[]] + $MoveOptions, + + [Parameter()] + [System.String[]] + $SkipMerging, + + [Parameter()] + [System.String] + $StartAfter, [Parameter()] [System.Boolean] - $Enabled, + $Update, + + [Parameter()] + [System.String] + $Status, [Parameter()] [System.String] - $Name, + $TargetDeliveryDomain, + + [Parameter()] + [System.String] + $SourceEndpoint, [Parameter()] [System.String[]] - $AzureKeyIDs, + $MigrationUsers, [Parameter()] [ValidateSet('Present', 'Absent')] 
@@ -166,41 +259,117 @@ function Set-TargetResource $AccessTokens ) - #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies - #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data - #endregion $currentInstance = Get-TargetResource @PSBoundParameters $setParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - # CREATE if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - $setParameters.Remove('Identity') - New-M365DataAtRestEncryptionPolicy @SetParameters + # Convert the list of users to CSV format + $csvContent = @('"EmailAddress"') + ($MigrationUsers | ForEach-Object { "`"$_`"" }) + + # Join the results into a single string with new lines + $csvContent = $csvContent -join "`r`n" + + # Convert the CSV content to bytes directly without saving to a file + $csvBytes = [System.Text.Encoding]::UTF8.GetBytes($csvContent -join "`r`n") + + $BatchParams = @{ + Name = $Identity # Use the existing Identity as the new batch name + CSVData = $csvBytes # Directly use the byte array + NotificationEmails = $NotificationEmails # Use the same notification emails if provided + CompleteAfter = $CompleteAfter + StartAfter = $StartAfter + BadItemLimit = [System.String]$BadItemLimit + LargeItemLimit = $LargeItemLimit + SkipMerging = $SkipMerging + SourceEndpoint = $SourceEndpoint + TargetDeliveryDomain = $TargetDeliveryDomain + } + + # Create a new migration batch with the specified parameters + New-MigrationBatch @BatchParams + Write-Host "A new migration batch named '$($currentInstance.Identity)' has been created with the specified parameters." 
} - # UPDATE - elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - $setParameters.Remove('AzureKeyIDs') - $setParameters.Remove('Name') - Set-M365DataAtRestEncryptionPolicy @SetParameters + # Retrieve the migration batch + $migrationBatch = Get-MigrationBatch -Identity $currentInstance.Identity -ErrorAction Stop + + if ($migrationBatch.Status.Value -in @('Completed', 'CompletedWithErrors', 'Stopped', 'Failed', 'SyncedWithErrors')) + { + # If the migration batch is in a final state, remove it directly + Remove-MigrationBatch -Identity $currentInstance.Identity -Confirm:$false + Write-Host "Migration batch '$($currentInstance.Identity)' has been removed as it was in a completed or stopped state." + } + elseif ($migrationBatch.Status.Value -in @('InProgress', 'Syncing', 'Queued', 'Completing')) + { + # If the migration batch is in progress, stop it first + Stop-MigrationBatch -Identity $currentInstance.Identity -Confirm:$false + Write-Host "Migration batch '$($currentInstance.Identity)' was in progress and has been stopped." + + # Now remove the migration batch + Remove-MigrationBatch -Identity $currentInstance.Identity -Confirm:$false + Write-Host "Migration batch '$($currentInstance.Identity)' has been removed after stopping." + } + else + { + Write-Host "Migration batch '$($currentInstance.Identity)' is in an unexpected status: $($migrationBatch.Status.Value). Manual intervention may be required." + } } - elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Write-Warning "Removal of EXOM365DataAtRestEncryptionPolicy is not supported." 
+ # Define the path for the CSV file to store the migration users + $csvFilePath = "$env:TEMP\MigrationUsers.csv" + + # Convert each item in the array to a custom object with an EmailAddress property + $csvContent = $MigrationUsers | ForEach-Object { [PSCustomObject]@{EmailAddress = $_} } + + # Export to CSV with the header "EmailAddress" + $csvContent | Export-Csv -Path $csvFilePath -NoTypeInformation -Force + + $BatchParams = @{ + Identity = $Identity # Use the existing Identity as the new batch name + CSVData = [System.IO.File]::ReadAllBytes($csvFilePath) # Load the CSV as byte array + NotificationEmails = $NotificationEmails # Use the same notification emails if provided + CompleteAfter = $CompleteAfter + StartAfter = $StartAfter + BadItemLimit = [System.String]$BadItemLimit + LargeItemLimit = $LargeItemLimit + SkipMerging = $SkipMerging + Update = $Update + AddUsers = $AddUsers + } + + Set-MigrationBatch @BatchParams + + $migrationBatch = Get-MigrationBatch -Identity $currentInstance.Identity -ErrorAction Stop + + if ($currentInstance.Status -eq 'Stopped' -and $migrationBatch.Status -eq 'Started') + { + # If currentInstance is stopped but migrationBatch is started, stop the migration batch + Stop-MigrationBatch -Identity $currentInstance.Identity -Confirm:$false + Write-Host "Migration batch '$($currentInstance.Identity)' was running and has been stopped to match the current instance status." + } + elseif ($currentInstance.Status -eq 'Started' -and $migrationBatch.Status -eq 'Stopped') + { + # If currentInstance is started but migrationBatch is stopped, start the migration batch + Start-MigrationBatch -Identity $currentInstance.Identity -Confirm:$false + Write-Host "Migration batch '$($currentInstance.Identity)' was stopped and has been started to match the current instance status." + } } } - function Test-TargetResource { [CmdletBinding()] 
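Review bot: The update branch writes the mailbox list to a fixed, predictable path (`$csvFilePath = "$env:TEMP\MigrationUsers.csv"`) and never deletes it, so the addresses stay on disk, two concurrent runs overwrite each other's file, and whatever is at that path when it is read back is what gets submitted as `CSVData`. The create branch of this same hunk already builds the bytes in memory; do the same here and pass `CSVData = $csvBytes`. The start/stop block that follows compares `$currentInstance.Status` with `$migrationBatch.Status`, both of which describe the existing batch, so it looks like neither condition can hold and the desired `$Status` parameter is never consulted. `Write-Host` should be `Write-Verbose` in a DSC resource, and the create message prints `$currentInstance.Identity`, which may be empty for a batch that did not exist yet, instead of `$Identity`.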
@@ -211,21 +380,57 @@ function Test-TargetResource [System.String] $Identity, + [Parameter()] + [System.String[]] + $NotificationEmails, + + [Parameter()] + [System.String] + $CompleteAfter, + + [Parameter()] + [System.Boolean] + $AddUsers, + + [Parameter()] + [System.String] + $BadItemLimit, + + [Parameter()] + [System.String] + $LargeItemLimit, + + [Parameter()] + [System.String[]] + $MoveOptions, + + [Parameter()] + [System.String[]] + $SkipMerging, + [Parameter()] [System.String] - $Description, + $StartAfter, [Parameter()] [System.Boolean] - $Enabled, + $Update, [Parameter()] [System.String] - $Name, + $TargetDeliveryDomain, + + [Parameter()] + [System.String] + $Status, + + [Parameter()] + [System.String] + $SourceEndpoint, [Parameter()] [System.String[]] - $AzureKeyIDs, + $MigrationUsers, [Parameter()] [ValidateSet('Present', 'Absent')] @@ -284,7 +489,6 @@ function Test-TargetResource return $testResult } - function Export-TargetResource { [CmdletBinding()] @@ -337,7 +541,7 @@ function Export-TargetResource try { $Script:ExportMode = $true - [array] $Script:exportedInstances = Get-M365DataAtRestEncryptionPolicy -ErrorAction Stop + [array] $Script:exportedInstances = Get-MigrationBatch -ErrorAction Stop $i = 1 $dscContent = '' diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/MSFT_EXOMigration.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/MSFT_EXOMigration.schema.mof new file mode 100644 index 0000000000..03eae75eed --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/MSFT_EXOMigration.schema.mof 
@@ -0,0 +1,26 @@ +[ClassVersion("1.0.0.0"), FriendlyName("EXOMigration")] +class MSFT_EXOMigration : OMI_BaseResource +{ + [Key, Description("The Identity parameter identifies the name of the current migration batch.")] String Identity; + [Write, Description("The NotificationEmails parameter specifies one or more email addresses that migration status reports are sent to.")] String NotificationEmails[]; + [Write, Description("The CompleteAfter parameter specifies a delay before the batch is completed.")] String CompleteAfter; + [Write, Description("The AddUsers parameter controls whether additional users can be dynamically added to an existing migration batch after it has been created.")] Boolean AddUsers; + [Write, Description("The BadItemLimit parameter specifies the maximum number of bad items that are allowed before the migration request fails.")] String BadItemLimit; + [Write, Description("The LargeItemLimit parameter specifies the maximum number of large items that are allowed before the migration request fails.")] String LargeItemLimit; + [Write, Description("The MoveOptions parameter specifies the stages of the migration that you want to skip for debugging purposes.")] String MoveOptions[]; + [Write, Description("The SkipMerging parameter specifies the stages of the migration that you want to skip for debugging purposes.")] String SkipMerging[]; + [Write, Description("The StartAfter parameter specifies a delay before the data migration for the users within the batch is started.")] String StartAfter; + [Write, Description("The Update switch sets the Update flag on the migration batch.")] Boolean Update; + [Write, Description("The Status parameter returns information about migration users that have the specified status state.")] String Status; + [Write, Description("Migration Users states the list of the users/mailboxes that are part of a migration batch that are to be migrated.")] String MigrationUsers[]; + [Write, Description("The SourceEndpoint parameter 
specifies the migration endpoint to use for the source of the migration batch.")] String SourceEndpoint; + [Write, Description("The TargetDeliveryDomain parameter specifies the FQDN of the external email address created in the source forest for the mail-enabled user when the migration batch is complete.")] String TargetDeliveryDomain; + + [Write, Description("Specifies if the migration endpoint should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; + [Write, Description("Credentials of the workload's Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/readme.md new file mode 100644 index 0000000000..fbfbeca943 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/readme.md @@ -0,0 +1,5 @@ +# EXOMigrationBatch + +## Description + +Use the MigrationBatch cmdlets to create and update a migration request for a batch of users. 
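Review bot: Several descriptions in the new EXOMigration schema look copied from other parameters and will mislead users of the resource: `MoveOptions` and `SkipMerging` carry the same sentence, `Status` is described as something that "returns information about migration users", and `Ensure` talks about a "migration endpoint" although the resource manages a migration batch. For `Ensure` the text could be `Specifies if the migration batch should exist or not.`, and `Status` should say which state the batch is expected to be in. `AddUsers` and `Update` read as one-time actions rather than state, so their descriptions should say how they behave when the configuration is applied repeatedly.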
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/settings.json similarity index 68% rename from Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/settings.json rename to Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/settings.json index 0e930a6e20..aa620cf7fc 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_EXOM365DataAtRestEncryptionPolicy/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_EXOMigration/settings.json @@ -1,6 +1,6 @@ -{ - "resourceName": "EXOM365DataAtRestEncryptionPolicy", - "description": "Microsoft 365 data-at-rest encryption policy for multi-workload usage.", +{ + "resourceName": "EXOMigration", + "description": "", "roles": { "read": [ "Global Reader" @@ -22,7 +22,11 @@ }, "exchange": { "requiredroles": [ - "Compliance Admin" + "User Options", + "Data Loss Prevention", + "Transport Rules", + "View-Only Configuration", + "Mail Recipients" ], "requiredrolegroups": "Organization Management" } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 index 9a6140387a..b9fc29e2af 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.psm1 
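Review bot: The new `requiredroles` list (`User Options`, `Data Loss Prevention`, `Transport Rules`, `View-Only Configuration`, `Mail Recipients`) does not look specific to migration batches and appears to be carried over from another resource. These settings tell administrators what to grant the identity that runs the configuration, so listing roles the cmdlets do not need widens that identity's reach for no benefit, while a role the migration cmdlets do need may be missing. Please confirm the minimum set required by the MigrationBatch and MigrationUser cmdlets the module calls and list only those. The `description` emptied in the first hunk of this file should also describe the resource.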
@@ -24,7 +24,7 @@ function Get-TargetResource [Parameter()] [System.Int32] [ValidateRange(7, 365)] - $PasswordAgeDays_AAD, + $passwordagedays_aad, [Parameter()] [System.Int32] @@ -118,7 +118,7 @@ function Get-TargetResource -ErrorAction Stop #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies + #Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' @@ -237,7 +237,7 @@ function Set-TargetResource [Parameter()] [System.Int32] [ValidateRange(7, 365)] - $PasswordAgeDays_AAD, + $passwordagedays_aad, [Parameter()] [System.Int32] @@ -324,7 +324,7 @@ function Set-TargetResource ) #Ensure the proper dependencies are installed in the current environment. - Confirm-M365DSCDependencies + #Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' @@ -433,7 +433,7 @@ function Test-TargetResource [Parameter()] [System.Int32] [ValidateRange(7, 365)] - $PasswordAgeDays_AAD, + $passwordagedays_aad, [Parameter()] [System.Int32] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof index 33aeb469d7..a3eb529bec 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.schema.mof 
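Review bot: `Confirm-M365DSCDependencies` is commented out in Get-TargetResource and Set-TargetResource (`#Confirm-M365DSCDependencies`) while the comment above it still says the dependencies are being checked, and the changelog entry for this resource only mentions the property rename. This looks like a debugging leftover; restore the call, or remove both lines with a stated reason if skipping the check is intended. Since PowerShell parameter names are case-insensitive, the rename to `$passwordagedays_aad` also deserves a short comment explaining why the lower-case spelling matters (presumably it has to match a setting name exactly), so nobody changes it back. All of these functions continue outside their hunks.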
@@ -17,7 +17,7 @@ class MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy : OMI
 [Write, Description("Description of the account protection local administrator password solution policy.")] String Description;
 [Write, Description("Assignments of the account protection local administrator password solution policy."), EmbeddedInstance("MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments")] String Assignments[];
 [Write, Description("Configures which directory the local admin account password is backed up to. 0 - Disabled, 1 - Azure AD, 2 - AD"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] UInt32 BackupDirectory;
- [Write, Description("Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365")] UInt32 PasswordAgeDays_AAD;
+ [Write, Description("Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365")] UInt32 passwordagedays_aad;
 [Write, Description("Configures the maximum password age of the managed local administrator account for Active Directory. Minimum - 1, Maximum - 365")] UInt32 PasswordAgeDays;
 [Write, Description("Configures additional enforcement of maximum password age for the managed local administrator account.")] Boolean PasswordExpirationProtectionEnabled;
 [Write, Description("Configures how many previous encrypted passwords will be remembered in Active Directory. Minimum - 0, Maximum - 12")] UInt32 AdEncryptedPasswordHistorySize;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.psm1
new file mode 100644
index 0000000000..8875f95e1d
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.psm1 
@@ -0,0 +1,657 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Exclusions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Antivirus Exclusions Policy for macOS with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -All ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Antivirus Exclusions Policy for macOS with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Antivirus Exclusions Policy for macOS with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + + #region resource generator code + $complexExclusions = @() + foreach ($currentExclusions in $policySettings.exclusions) + { + $myExclusions = @{} + if ($null -ne $currentExclusions.exclusions_item_type) + { + $myExclusions.Add('Exclusions_item_type', $currentExclusions.exclusions_item_type) + } + if ($null -ne $currentExclusions.exclusions_item_extension) + { + $myExclusions.Add('Exclusions_item_extension', $currentExclusions.exclusions_item_extension) + } + if ($null -ne $currentExclusions.exclusions_item_isDirectory) + { + $myExclusions.Add('Exclusions_item_isDirectory', $currentExclusions.exclusions_item_isDirectory) + } + if ($null -ne $currentExclusions.exclusions_item_name) + { + $myExclusions.Add('Exclusions_item_name', $currentExclusions.exclusions_item_name) + } + if ($null -ne $currentExclusions.exclusions_item_path) + { + $myExclusions.Add('Exclusions_item_path', $currentExclusions.exclusions_item_path) + } + if ($myExclusions.values.Where({$null -ne $_}).Count -gt 0) + { + $complexExclusions += $myExclusions + } + } + $policySettings.Remove('exclusions') | Out-Null + #endregion + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + Exclusions = $complexExclusions + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret 
= $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Exclusions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = '43397174-2244-4006-b5ad-421b369e90d4_1' + $platforms = 'macOS' + $technologies = 'mdm,appleRemoteManagement,microsoftSense' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Antivirus Exclusions Policy for macOS with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Antivirus Exclusions Policy for macOS with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + 
$settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Antivirus Exclusions Policy for macOS with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Exclusions, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + 
[System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Antivirus Exclusions Policy for macOS with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter 
-BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "43397174-2244-4006-b5ad-421b369e90d4_1" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.Exclusions) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Exclusions ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogExclusions' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.Exclusions = 
$complexTypeStringResult + } + else + { + $Results.Remove('Exclusions') | Out-Null + } + } + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.Exclusions) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Exclusions" -IsCIMArray:$True + } + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.schema.mof new file mode 100644 index 0000000000..61692545e8 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/MSFT_IntuneAntivirusExclusionsPolicyMacOS.schema.mof 
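Review bot: The DisplayName fallback in Get-TargetResource (`-Filter "Name eq '$DisplayName'"`) is not restricted to this resource's template, so a configuration policy of another type that shares the name is accepted as the current instance, and Set-TargetResource then updates or removes it through `$currentInstance.Id`. The name is also interpolated into the filter without doubling single quotes, and `-All` can return several policies, which leaves `$Id = $getValue.Id` holding an array. Export-TargetResource in the same file already filters on `TemplateReference.TemplateId`; the lookup below reuses that check, escapes the name and rejects ambiguous matches. The `throw` lands in the function's existing `catch`, which returns `$nullResult`, so a stricter failure path may be wanted there to avoid creating a duplicate.

```powershell
if (-not [System.String]::IsNullOrEmpty($DisplayName))
{
    $templateReferenceId = '43397174-2244-4006-b5ad-421b369e90d4_1'
    # Double single quotes so a name containing ' cannot break out of the OData string literal.
    $escapedName = $DisplayName.Replace("'", "''")
    [array]$candidates = Get-MgBetaDeviceManagementConfigurationPolicy `
        -Filter "Name eq '$escapedName'" `
        -All `
        -ErrorAction SilentlyContinue | Where-Object -FilterScript {
            $_.TemplateReference.TemplateId -eq $templateReferenceId
        }
    if ($candidates.Count -gt 1)
    {
        throw "Found $($candidates.Count) Intune Antivirus Exclusions Policies for macOS with Name {$DisplayName}; specify Id."
    }
    $getValue = $candidates | Select-Object -First 1
}
# … unchanged: null check, settings retrieval and result hashtable …
```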
@@ -0,0 +1,39 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions +{ + [Write, Description("Type - Depends on exclusions (0: Path, 1: File extension, 2: Process name)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String exclusions_item_type; + [Write, Description("File extension - Depends on exclusions_item_type=1")] String exclusions_item_extension; + [Write, Description("File name - exclusions_item_type=2")] String exclusions_item_name; + [Write, Description("Path - exclusions_item_type=0")] String exclusions_item_path; + [Write, 
Description("Is directory (false: Disabled, true: Enabled) - Depends on exclusions_item_type=0"), ValueMap{"false", "true"}, Values{"false", "true"}] String exclusions_item_isDirectory; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneAntivirusExclusionsPolicyMacOS")] +class MSFT_IntuneAntivirusExclusionsPolicyMacOS : OMI_BaseResource +{ + [Write, Description("Policy description")] String Description; + [Key, Description("Policy name")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("Scan exclusions"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogexclusions")] String Exclusions[]; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; 
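Review bot: The description of `exclusions_item_name` reads "File name - exclusions_item_type=2", while `exclusions_item_type` in the same class documents value 2 as "Process name"; the two should agree, presumably as `Description("Process name - Depends on exclusions_item_type=2")`. Because this class defines what an antivirus scan will skip, the per-field descriptions are what an operator relies on when reviewing an exported configuration, so the wording matters. The `Exclusions` property also references `EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogexclusions")` with a lowercase `e`, whereas the class is declared as `MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions`; using the declared casing avoids depending on case-insensitive resolution.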
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/readme.md new file mode 100644 index 0000000000..3cc0102f6b --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/readme.md @@ -0,0 +1,6 @@ + +# IntuneAntivirusExclusionsPolicyMacOS + +## Description + +Intune Antivirus Exclusions Policy for macOS diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/settings.json new file mode 100644 index 0000000000..d32d971b67 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusExclusionsPolicyMacOS/settings.json @@ -0,0 +1,45 @@ +{ + "resourceName": "IntuneAntivirusExclusionsPolicyMacOS", + "description": "This resource configures an Intune Antivirus Exclusions Policy for macOS.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + }, + { + "name": "Group.Read.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + }, + { + "name": "Group.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + }, + { + "name": "Group.Read.All" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 index 3dd9f006c1..72565b2ca6 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/MSFT_IntuneAntivirusPolicyLinux.psm1 @@ -201,7 +201,7 @@ function Get-TargetResource if ($null -eq $getValue) { - Write-Verbose -Message "Could not find an Intune Antivirus Policy Linux with Id {$Id}" + Write-Verbose -Message "Could not find an Intune Antivirus Policy for Linux with Id {$Id}" if (-not [System.String]::IsNullOrEmpty($DisplayName)) { @@ -213,11 +213,11 @@ function Get-TargetResource #endregion if ($null -eq $getValue) { - Write-Verbose -Message "Could not find an Intune Antivirus Policy Linux with Name {$DisplayName}." + Write-Verbose -Message "Could not find an Intune Antivirus Policy for Linux with Name {$DisplayName}." return $nullResult } $Id = $getValue.Id - Write-Verbose -Message "An Intune Antivirus Policy Linux with Id {$Id} and Name {$DisplayName} was found" + Write-Verbose -Message "An Intune Antivirus Policy for Linux with Id {$Id} and Name {$DisplayName} was found" # Retrieve policy specific settings [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` @@ -526,7 +526,7 @@ function Set-TargetResource if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { - Write-Verbose -Message "Creating an Intune Antivirus Policy Linux with Name {$DisplayName}" + Write-Verbose -Message "Creating an Intune Antivirus Policy for Linux with Name {$DisplayName}" $BoundParameters.Remove("Assignments") | Out-Null $settings = Get-IntuneSettingCatalogPolicySetting ` @@ -557,7 +557,7 @@ function Set-TargetResource } elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Updating the Intune Antivirus Policy Linux with Id {$($currentInstance.Id)}" + Write-Verbose -Message "Updating the Intune Antivirus Policy for Linux with Id {$($currentInstance.Id)}" $BoundParameters.Remove("Assignments") | Out-Null $settings = Get-IntuneSettingCatalogPolicySetting ` 
@@ -583,7 +583,7 @@ function Set-TargetResource } elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') { - Write-Verbose -Message "Removing the Intune Antivirus Policy Linux with Id {$($currentInstance.Id)}" + Write-Verbose -Message "Removing the Intune Antivirus Policy for Linux with Id {$($currentInstance.Id)}" #region resource generator code Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id #endregion @@ -779,7 +779,7 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message "Testing configuration of the Intune Antivirus Policy Linux with Id {$Id} and Name {$DisplayName}" + Write-Verbose -Message "Testing configuration of the Intune Antivirus Policy for Linux with Id {$Id} and Name {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters [Hashtable]$ValuesToCheck = @{} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md index d8060ea61a..eb17dbff4f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyLinux/readme.md @@ -3,4 +3,4 @@ ## Description -Intune Antivirus Policy Linux +Intune Antivirus Policy for Linux diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 index 79cd8949f8..b4835676ce 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.psm1 
@@ -19,151 +19,156 @@ function Get-TargetResource [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowarchivescanning, + $AllowArchiveScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowbehaviormonitoring, + $AllowBehaviorMonitoring, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowcloudprotection, + $AllowCloudProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowdatagramprocessingonwinserver, + $AllowDatagramProcessingOnWinServer, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowemailscanning, + $AllowEmailScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowfullscanonmappednetworkdrives, + $AllowFullScanOnMappedNetworkDrives, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowfullscanremovabledrivescanning, + $AllowFullScanRemovableDriveScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowintrusionpreventionsystem, + $AllowIntrusionPreventionSystem, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowioavprotection, + $AllowIOAVProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allownetworkprotectiondownlevel, + $AllowNetworkProtectionDownLevel, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowrealtimemonitoring, + $AllowOnAccessProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowscanningnetworkfiles, + $AllowRealtimeMonitoring, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowscriptscanning, + $AllowScanningNetworkFiles, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowuseruiaccess, + $AllowScriptScanning, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowUserUIAccess, [Parameter()] [System.int32] - $avgcpuloadfactor, + $AvgCPULoadFactor, [Parameter()] [System.Int32] - $archivemaxdepth, + $ArchiveMaxDepth, [Parameter()] [System.Int32] - $archivemaxsize, + $ArchiveMaxSize, [Parameter()] [ValidateSet('0', '1')] [System.String] - 
$checkforsignaturesbeforerunningscan, + $CheckForSignaturesBeforeRunningScan, [Parameter()] [ValidateSet('0', '2', '4', '6')] [System.String] - $cloudblocklevel, + $CloudBlockLevel, [Parameter()] [System.Int32] - $cloudextendedtimeout, + $CloudExtendedTimeout, [Parameter()] [System.String] - $companyname, + $CompanyName, [Parameter()] [System.Int32] - $daystoretaincleanedmalware, + $DaysToRetainCleanedMalware, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableaccountprotectionui, + $DisableAccountProtectionUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableappbrowserui, + $DisableAppBrowserUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecleartpmbutton, + $DisableClearTpmButton, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabledevicesecurityui, + $DisableDeviceSecurityUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablednsovertcpparsing, + $DisableDnsOverTcpParsing, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableenhancednotifications, + $DisableEnhancedNotifications, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablefamilyui, + $DisableFamilyUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablehealthui, + $DisableHealthUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablehttpparsing, + $DisableHttpParsing, [Parameter()] [ValidateSet('1', '0')] 
@@ -173,203 +178,208 @@ function Get-TargetResource [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablenetworkui, + $DisableNetworkUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabletpmfirmwareupdatewarning, + $DisableTpmFirmwareUpdateWarning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablevirusui, + $DisableVirusUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecatchupfullscan, + $DisableCatchupFullScan, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecatchupquickscan, + $DisableCatchupQuickScan, [Parameter()] + [ValidateSet('0', '1')] [System.String] - $email, + $DisableCoreServiceECSIntegration, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enablecustomizedtoasts, + $DisableCoreServiceTelemetry, + + [Parameter()] + [System.String] + $Email, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enableinappcustomization, + $EnableCustomizedToasts, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enablelowcpupriority, + $EnableInAppCustomization, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $EnableLowCPUPriority, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $enablenetworkprotection, + $EnableNetworkProtection, [Parameter()] [System.String[]] - $excludedextensions, + $ExcludedExtensions, [Parameter()] [System.String[]] - $excludedpaths, + $ExcludedPaths, [Parameter()] [System.String[]] - $excludedprocesses, + $ExcludedProcesses, [Parameter()] [ValidateSet('0', '1')] [System.String] - $hideransomwaredatarecovery, + $HideRansomwareDataRecovery, [Parameter()] [ValidateSet('0', '1')] [System.String] - $hidewindowssecuritynotificationareacontrol, + $HideWindowsSecurityNotificationAreaControl, [Parameter()] [System.String] - $phone, + $Phone, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $puaprotection, + $PUAProtection, [Parameter()] [ValidateSet('0', '2', '3', '4', '5', '6')] [System.String] - $engineupdateschannel, + 
$EngineUpdatesChannel, [Parameter()] [ValidateSet('0', '1')] [System.String] - $meteredconnectionupdates, + $MeteredConnectionUpdates, [Parameter()] [ValidateSet('0', '2', '3', '4', '5', '6')] [System.String] - $platformupdateschannel, + $PlatformUpdatesChannel, [Parameter()] [ValidateSet('0', '4', '5')] [System.String] - $securityintelligenceupdateschannel, + $SecurityIntelligenceUpdatesChannel, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $realtimescandirection, + $RealTimeScanDirection, [Parameter()] [ValidateSet('1', '2')] [System.String] - $scanparameter, + $ScanParameter, [Parameter()] [System.Int32] - $schedulequickscantime, + $ScheduleQuickScanTime, [Parameter()] [ValidateSet('0', '1', '2', '3', '4', '5', '6', '7', '8')] [System.String] - $schedulescanday, + $ScheduleScanDay, [Parameter()] [ValidateRange(0, 1380)] [System.Int32] - $schedulescantime, + $ScheduleScanTime, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabletlsparsing, + $DisableTlsParsing, [Parameter()] [ValidateSet('0', '1')] [System.String] - $randomizescheduletasktimes, + $RandomizeScheduleTaskTimes, [Parameter()] [ValidateRange(1,23)] [System.Int32] - $schedulerrandomizationtime, + $SchedulerRandomizationTime, [Parameter()] [System.String[]] - $signatureupdatefallbackorder, + $SignatureUpdateFallbackOrder, [Parameter()] [System.String[]] - $signatureupdatefilesharessources, + $SignatureUpdateFileSharesSources, [Parameter()] [ValidateRange(0, 24)] [System.Int32] - $signatureupdateinterval, + $SignatureUpdateInterval, [Parameter()] [ValidateSet('0', '1', '2', '3')] [System.String] - $submitsamplesconsent, + $SubmitSamplesConsent, [Parameter()] [ValidateSet('0', '1')] [System.String] - $tamperprotection, - - [Parameter()] - [System.String] - $url, + $TamperProtection, [Parameter()] - [ValidateSet('0', '1')] [System.String] - $disablelocaladminmerge, + $URL, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowonaccessprotection, + $DisableLocalAdminMerge, 
[Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $lowseveritythreats, + $LowSeverityThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $moderateseveritythreats, + $ModerateSeverityThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $severethreats, + $SevereThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $highseveritythreats, + $HighSeverityThreats, [Parameter()] [ValidateSet('d948ff9b-99cb-4ee0-8012-1fbc09685377_1', 'e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1', '45fea5e9-280d-4da1-9792-fb5736da0ca9_1', '804339ad-1553-4478-a742-138fb5807418_1')] [System.String] - $templateId, + $TemplateId, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] 
@@ -473,7 +483,28 @@ function Get-TargetResource $returnHashtable.Add('Identity', $Identity) $returnHashtable.Add('DisplayName', $policy.name) $returnHashtable.Add('Description', $policy.description) - $returnHashtable.Add('templateId', $policy.templateReference.templateId) + $returnHashtable.Add('TemplateId', $policy.templateReference.TemplateId) + + if ($null -ne $policySettings.SevereThreatDefaultAction) + { + $returnHashtable.Add('SevereThreats', $policySettings.SevereThreatDefaultAction) + $policySettings.Remove('SevereThreatDefaultAction') + } + if ($null -ne $policySettings.HighSeverityThreatDefaultAction) + { + $returnHashtable.Add('HighSeverityThreats', $policySettings.HighSeverityThreatDefaultAction) + $policySettings.Remove('HighSeverityThreatDefaultAction') + } + if ($null -ne $policySettings.ModerateSeverityThreatDefaultAction) + { + $returnHashtable.Add('ModerateSeverityThreats', $policySettings.ModerateSeverityThreatDefaultAction) + $policySettings.Remove('ModerateSeverityThreatDefaultAction') + } + if ($null -ne $policySettings.LowSeverityThreatDefaultAction) + { + $returnHashtable.Add('LowSeverityThreats', $policySettings.LowSeverityThreatDefaultAction) + $policySettings.Remove('LowSeverityThreatDefaultAction') + } $returnHashtable += $policySettings $returnAssignments = @() 
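Review bot: The four added `if ($null -ne $policySettings.<X>ThreatDefaultAction)` blocks repeat one rename by hand, and the hunk `@@ -938,7 +979,28 @@` in Set-TargetResource repeats the inverse of it four more times, so the two directions can drift apart when a severity level is added or renamed. A single mapping table iterated in both functions would keep them in step. A short comment should also say why the keys differ; from the visible lines the settings use `*ThreatDefaultAction` while the DSC parameters are `SevereThreats`, `HighSeverityThreats` and so on. The sketch below indexes `$policySettings` as a hashtable, which the existing `.Remove()` and `+=` calls suggest but do not prove. Get-TargetResource starts and ends outside this hunk.

```powershell
# … unchanged: Identity / DisplayName / Description / TemplateId entries …

# DSC parameter name -> setting name as it appears in $policySettings
$threatActionMap = @{
    SevereThreats           = 'SevereThreatDefaultAction'
    HighSeverityThreats     = 'HighSeverityThreatDefaultAction'
    ModerateSeverityThreats = 'ModerateSeverityThreatDefaultAction'
    LowSeverityThreats      = 'LowSeverityThreatDefaultAction'
}
foreach ($entry in $threatActionMap.GetEnumerator())
{
    if ($null -ne $policySettings[$entry.Value])
    {
        $returnHashtable.Add($entry.Key, $policySettings[$entry.Value])
        $policySettings.Remove($entry.Value)
    }
}

# … unchanged: $returnHashtable += $policySettings …
```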
@@ -530,151 +561,156 @@ function Set-TargetResource [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowarchivescanning, + $AllowArchiveScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowbehaviormonitoring, + $AllowBehaviorMonitoring, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowcloudprotection, + $AllowCloudProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowdatagramprocessingonwinserver, + $AllowDatagramProcessingOnWinServer, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowemailscanning, + $AllowEmailScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowfullscanonmappednetworkdrives, + $AllowFullScanOnMappedNetworkDrives, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowfullscanremovabledrivescanning, + $AllowFullScanRemovableDriveScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowintrusionpreventionsystem, + $AllowIntrusionPreventionSystem, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowioavprotection, + $AllowIOAVProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allownetworkprotectiondownlevel, + $AllowNetworkProtectionDownLevel, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowrealtimemonitoring, + $AllowOnAccessProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowscanningnetworkfiles, + $AllowRealtimeMonitoring, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowscriptscanning, + $AllowScanningNetworkFiles, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowuseruiaccess, + $AllowScriptScanning, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowUserUIAccess, [Parameter()] [System.int32] - $avgcpuloadfactor, + $AvgCPULoadFactor, [Parameter()] [System.Int32] - $archivemaxdepth, + $ArchiveMaxDepth, [Parameter()] [System.Int32] - $archivemaxsize, + $ArchiveMaxSize, [Parameter()] [ValidateSet('0', '1')] [System.String] - 
$checkforsignaturesbeforerunningscan, + $CheckForSignaturesBeforeRunningScan, [Parameter()] [ValidateSet('0', '2', '4', '6')] [System.String] - $cloudblocklevel, + $CloudBlockLevel, [Parameter()] [System.Int32] - $cloudextendedtimeout, + $CloudExtendedTimeout, [Parameter()] [System.String] - $companyname, + $CompanyName, [Parameter()] [System.Int32] - $daystoretaincleanedmalware, + $DaysToRetainCleanedMalware, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableaccountprotectionui, + $DisableAccountProtectionUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableappbrowserui, + $DisableAppBrowserUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecleartpmbutton, + $DisableClearTpmButton, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabledevicesecurityui, + $DisableDeviceSecurityUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablednsovertcpparsing, + $DisableDnsOverTcpParsing, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableenhancednotifications, + $DisableEnhancedNotifications, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablefamilyui, + $DisableFamilyUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablehealthui, + $DisableHealthUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablehttpparsing, + $DisableHttpParsing, [Parameter()] [ValidateSet('1', '0')] 
@@ -684,203 +720,208 @@ function Set-TargetResource [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablenetworkui, + $DisableNetworkUI, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DisableTpmFirmwareUpdateWarning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabletpmfirmwareupdatewarning, + $DisableVirusUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablevirusui, + $DisableCatchupFullScan, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecatchupfullscan, + $DisableCatchupQuickScan, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecatchupquickscan, + $DisableCoreServiceECSIntegration, [Parameter()] + [ValidateSet('0', '1')] [System.String] - $email, + $DisableCoreServiceTelemetry, + + [Parameter()] + [System.String] + $Email, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enablecustomizedtoasts, + $EnableCustomizedToasts, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enableinappcustomization, + $EnableInAppCustomization, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enablelowcpupriority, + $EnableLowCPUPriority, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $enablenetworkprotection, + $EnableNetworkProtection, [Parameter()] [System.String[]] - $excludedextensions, + $ExcludedExtensions, [Parameter()] [System.String[]] - $excludedpaths, + $ExcludedPaths, [Parameter()] [System.String[]] - $excludedprocesses, + $ExcludedProcesses, [Parameter()] [ValidateSet('0', '1')] [System.String] - $hideransomwaredatarecovery, + $HideRansomwareDataRecovery, [Parameter()] [ValidateSet('0', '1')] [System.String] - $hidewindowssecuritynotificationareacontrol, + $HideWindowsSecurityNotificationAreaControl, [Parameter()] [System.String] - $phone, + $Phone, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $puaprotection, + $PUAProtection, [Parameter()] [ValidateSet('0', '2', '3', '4', '5', '6')] [System.String] - $engineupdateschannel, + 
$EngineUpdatesChannel, [Parameter()] [ValidateSet('0', '1')] [System.String] - $meteredconnectionupdates, + $MeteredConnectionUpdates, [Parameter()] [ValidateSet('0', '2', '3', '4', '5', '6')] [System.String] - $platformupdateschannel, + $PlatformUpdatesChannel, [Parameter()] [ValidateSet('0', '4', '5')] [System.String] - $securityintelligenceupdateschannel, + $SecurityIntelligenceUpdatesChannel, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $realtimescandirection, + $RealTimeScanDirection, [Parameter()] [ValidateSet('1', '2')] [System.String] - $scanparameter, + $ScanParameter, [Parameter()] [System.Int32] - $schedulequickscantime, + $ScheduleQuickScanTime, [Parameter()] [ValidateSet('0', '1', '2', '3', '4', '5', '6', '7', '8')] [System.String] - $schedulescanday, + $ScheduleScanDay, [Parameter()] [ValidateRange(0, 1380)] [System.Int32] - $schedulescantime, + $ScheduleScanTime, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabletlsparsing, + $DisableTlsParsing, [Parameter()] [ValidateSet('0', '1')] [System.String] - $randomizescheduletasktimes, + $RandomizeScheduleTaskTimes, [Parameter()] [ValidateRange(1,23)] [System.Int32] - $schedulerrandomizationtime, + $SchedulerRandomizationTime, [Parameter()] [System.String[]] - $signatureupdatefallbackorder, + $SignatureUpdateFallbackOrder, [Parameter()] [System.String[]] - $signatureupdatefilesharessources, + $SignatureUpdateFileSharesSources, [Parameter()] [ValidateRange(0, 24)] [System.Int32] - $signatureupdateinterval, + $SignatureUpdateInterval, [Parameter()] [ValidateSet('0', '1', '2', '3')] [System.String] - $submitsamplesconsent, + $SubmitSamplesConsent, [Parameter()] [ValidateSet('0', '1')] [System.String] - $tamperprotection, + $TamperProtection, [Parameter()] [System.String] - $url, + $URL, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablelocaladminmerge, - - [Parameter()] - [ValidateSet('0', '1')] - [System.String] - $allowonaccessprotection, + $DisableLocalAdminMerge, 
[Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $lowseveritythreats, + $LowSeverityThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $moderateseveritythreats, + $ModerateSeverityThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $severethreats, + $SevereThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $highseveritythreats, + $HighSeverityThreats, [Parameter()] [ValidateSet('d948ff9b-99cb-4ee0-8012-1fbc09685377_1', 'e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1', '45fea5e9-280d-4da1-9792-fb5736da0ca9_1', '804339ad-1553-4478-a742-138fb5807418_1')] [System.String] - $templateId, + $TemplateId, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] 
@@ -938,7 +979,28 @@ function Set-TargetResource $currentPolicy = Get-TargetResource @PSBoundParameters $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters - $templateReferenceId = $templateId + if ($BoundParameters.ContainsKey('SevereThreats')) + { + $BoundParameters.Add('SevereThreatDefaultAction', $BoundParameters['SevereThreats']) + $BoundParameters.Remove('SevereThreats') + } + if ($BoundParameters.ContainsKey('HighSeverityThreats')) + { + $BoundParameters.Add('HighSeverityThreatDefaultAction', $BoundParameters['HighSeverityThreats']) + $BoundParameters.Remove('HighSeverityThreats') + } + if ($BoundParameters.ContainsKey('ModerateSeverityThreats')) + { + $BoundParameters.Add('ModerateSeverityThreatDefaultAction', $BoundParameters['ModerateSeverityThreats']) + $BoundParameters.Remove('ModerateSeverityThreats') + } + if ($BoundParameters.ContainsKey('LowSeverityThreats')) + { + $BoundParameters.Add('LowSeverityThreatDefaultAction', $BoundParameters['LowSeverityThreats']) + $BoundParameters.Remove('LowSeverityThreats') + } + + $templateReferenceId = $TemplateId $platforms = 'windows10' $technologies = 'mdm,microsoftSense' @@ -976,6 +1038,7 @@ function Set-TargetResource Write-Verbose -Message "Updating existing Endpoint Protection Policy {$($currentPolicy.DisplayName)}" $BoundParameters.Remove('Identity') | Out-Null $BoundParameters.Remove('Assignments') | Out-Null + $BoundParameters.Remove('TemplateId') | Out-Null $settings = Get-IntuneSettingCatalogPolicySetting ` -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` 
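Review bot: The added `$BoundParameters.Remove('SevereThreats')` call and its three siblings omit the `| Out-Null` that the existing `$BoundParameters.Remove('Identity') | Out-Null` lines later in Set-TargetResource use. If `$BoundParameters` is a generic dictionary rather than a Hashtable (the later `[System.Collections.Hashtable]$BoundParameters` cast hints that it may be), `Remove` returns a Boolean and each call would write `True` to the output of Set-TargetResource. Writing all four as `$BoundParameters.Remove('SevereThreats') | Out-Null` keeps the function's output clean and matches the surrounding style. The function body starts and ends outside this hunk.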
@@ -1024,151 +1087,156 @@ function Test-TargetResource [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowarchivescanning, + $AllowArchiveScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowbehaviormonitoring, + $AllowBehaviorMonitoring, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowcloudprotection, + $AllowCloudProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowdatagramprocessingonwinserver, + $AllowDatagramProcessingOnWinServer, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowemailscanning, + $AllowEmailScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowfullscanonmappednetworkdrives, + $AllowFullScanOnMappedNetworkDrives, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowfullscanremovabledrivescanning, + $AllowFullScanRemovableDriveScanning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowintrusionpreventionsystem, + $AllowIntrusionPreventionSystem, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowioavprotection, + $AllowIOAVProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allownetworkprotectiondownlevel, + $AllowNetworkProtectionDownLevel, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowrealtimemonitoring, + $AllowOnAccessProtection, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowscanningnetworkfiles, + $AllowRealtimeMonitoring, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowscriptscanning, + $AllowScanningNetworkFiles, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowuseruiaccess, + $AllowScriptScanning, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $AllowUserUIAccess, [Parameter()] [System.int32] - $avgcpuloadfactor, + $AvgCPULoadFactor, [Parameter()] [System.Int32] - $archivemaxdepth, + $ArchiveMaxDepth, [Parameter()] [System.Int32] - $archivemaxsize, + $ArchiveMaxSize, [Parameter()] [ValidateSet('0', '1')] [System.String] - 
$checkforsignaturesbeforerunningscan, + $CheckForSignaturesBeforeRunningScan, [Parameter()] [ValidateSet('0', '2', '4', '6')] [System.String] - $cloudblocklevel, + $CloudBlockLevel, [Parameter()] [System.Int32] - $cloudextendedtimeout, + $CloudExtendedTimeout, [Parameter()] [System.String] - $companyname, + $CompanyName, [Parameter()] [System.Int32] - $daystoretaincleanedmalware, + $DaysToRetainCleanedMalware, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableaccountprotectionui, + $DisableAccountProtectionUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableappbrowserui, + $DisableAppBrowserUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecleartpmbutton, + $DisableClearTpmButton, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabledevicesecurityui, + $DisableDeviceSecurityUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablednsovertcpparsing, + $DisableDnsOverTcpParsing, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disableenhancednotifications, + $DisableEnhancedNotifications, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablefamilyui, + $DisableFamilyUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablehealthui, + $DisableHealthUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablehttpparsing, + $DisableHttpParsing, [Parameter()] [ValidateSet('1', '0')] 
@@ -1178,203 +1246,208 @@ function Test-TargetResource [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablenetworkui, + $DisableNetworkUI, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DisableTpmFirmwareUpdateWarning, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabletpmfirmwareupdatewarning, + $DisableVirusUI, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablevirusui, + $DisableCatchupFullScan, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecatchupfullscan, + $DisableCatchupQuickScan, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disablecatchupquickscan, + $DisableCoreServiceECSIntegration, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $DisableCoreServiceTelemetry, [Parameter()] [System.String] - $email, + $Email, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enablecustomizedtoasts, + $EnableCustomizedToasts, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enableinappcustomization, + $EnableInAppCustomization, [Parameter()] [ValidateSet('0', '1')] [System.String] - $enablelowcpupriority, + $EnableLowCPUPriority, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $enablenetworkprotection, + $EnableNetworkProtection, [Parameter()] [System.String[]] - $excludedextensions, + $ExcludedExtensions, [Parameter()] [System.String[]] - $excludedpaths, + $ExcludedPaths, [Parameter()] [System.String[]] - $excludedprocesses, + $ExcludedProcesses, [Parameter()] [ValidateSet('0', '1')] [System.String] - $hideransomwaredatarecovery, + $HideRansomwareDataRecovery, [Parameter()] [ValidateSet('0', '1')] [System.String] - $hidewindowssecuritynotificationareacontrol, + $HideWindowsSecurityNotificationAreaControl, [Parameter()] [System.String] - $phone, + $Phone, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $puaprotection, + $PUAProtection, [Parameter()] [ValidateSet('0', '2', '3', '4', '5', '6')] [System.String] - $engineupdateschannel, 
+ $EngineUpdatesChannel, [Parameter()] [ValidateSet('0', '1')] [System.String] - $meteredconnectionupdates, + $MeteredConnectionUpdates, [Parameter()] [ValidateSet('0', '2', '3', '4', '5', '6')] [System.String] - $platformupdateschannel, + $PlatformUpdatesChannel, [Parameter()] [ValidateSet('0', '4', '5')] [System.String] - $securityintelligenceupdateschannel, + $SecurityIntelligenceUpdatesChannel, [Parameter()] [ValidateSet('0', '1', '2')] [System.String] - $realtimescandirection, + $RealTimeScanDirection, [Parameter()] [ValidateSet('1', '2')] [System.String] - $scanparameter, + $ScanParameter, [Parameter()] [System.Int32] - $schedulequickscantime, + $ScheduleQuickScanTime, [Parameter()] [ValidateSet('0', '1', '2', '3', '4', '5', '6', '7', '8')] [System.String] - $schedulescanday, + $ScheduleScanDay, [Parameter()] [ValidateRange(0, 1380)] [System.Int32] - $schedulescantime, + $ScheduleScanTime, [Parameter()] [ValidateSet('0', '1')] [System.String] - $disabletlsparsing, + $DisableTlsParsing, [Parameter()] [ValidateSet('0', '1')] [System.String] - $randomizescheduletasktimes, + $RandomizeScheduleTaskTimes, [Parameter()] [ValidateRange(1,23)] [System.Int32] - $schedulerrandomizationtime, + $SchedulerRandomizationTime, [Parameter()] [System.String[]] - $signatureupdatefallbackorder, + $SignatureUpdateFallbackOrder, [Parameter()] [System.String[]] - $signatureupdatefilesharessources, + $SignatureUpdateFileSharesSources, [Parameter()] [ValidateRange(0, 24)] [System.Int32] - $signatureupdateinterval, + $SignatureUpdateInterval, [Parameter()] [ValidateSet('0', '1', '2', '3')] [System.String] - $submitsamplesconsent, + $SubmitSamplesConsent, [Parameter()] [ValidateSet('0', '1')] [System.String] - $tamperprotection, + $TamperProtection, [Parameter()] [System.String] - $url, - - [Parameter()] - [ValidateSet('0', '1')] - [System.String] - $disablelocaladminmerge, + $URL, [Parameter()] [ValidateSet('0', '1')] [System.String] - $allowonaccessprotection, + 
$DisableLocalAdminMerge, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $lowseveritythreats, + $LowSeverityThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $moderateseveritythreats, + $ModerateSeverityThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $severethreats, + $SevereThreats, [Parameter()] [ValidateSet('clean', 'quarantine', 'remove', 'allow', 'userdefined', 'block')] [System.String] - $highseveritythreats, + $HighSeverityThreats, [Parameter()] [ValidateSet('d948ff9b-99cb-4ee0-8012-1fbc09685377_1', 'e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1', '45fea5e9-280d-4da1-9792-fb5736da0ca9_1', '804339ad-1553-4478-a742-138fb5807418_1')] [System.String] - $templateId, + $TemplateId, [Parameter()] [Microsoft.Management.Infrastructure.CimInstance[]] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.schema.mof index da964ec534..c41a78c5df 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog/MSFT_IntuneAntivirusPolicyWindows10SettingCatalog.schema.mof 
@@ -15,80 +15,82 @@ class MSFT_IntuneAntivirusPolicyWindows10SettingCatalog : OMI_BaseResource [Key, Description("Display name of the endpoint protection policy for Windows 10.")] String DisplayName; [Write, Description("Identity of the endpoint protection policy for Windows 10.")] String Identity; [Write, Description("Description of the endpoint protection policy for Windows 10.")] String Description; - [Write, Description("Allows or disallows scanning of archives. (0: enable feature. 1: disable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String tamperprotection; - [Write, Description("Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disableaccountprotectionui; - [Write, Description("Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disableappbrowserui; - [Write, Description("Disable the Clear TPM button in Windows Security. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disablecleartpmbutton; - [Write, Description("Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disabledevicesecurityui; - [Write, Description("Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disablefamilyui; - [Write, Description("Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disablehealthui; - [Write, Description("Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disablenetworkui; - [Write, Description("Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disableenhancednotifications; - [Write, Description("Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disabletpmfirmwareupdatewarning; - [Write, Description("Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disablevirusui; - [Write, Description("Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String hideransomwaredatarecovery; - [Write, Description("This policy setting hides the Windows Security notification area control. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String hidewindowssecuritynotificationareacontrol; - [Write, Description("Enable this policy to display your company name and contact options in the notifications. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String enablecustomizedtoasts; - [Write, Description("Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String enableinappcustomization; - [Write, Description("The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization.")] String companyname; - [Write, Description("The email address that is displayed to users. The default mail application is used to initiate email actions.")] String email; - [Write, Description("The phone number or Skype ID that is displayed to users. Skype is used to initiate the call.")] String phone; - [Write, Description("The help portal URL that is displayed to users. The default browser is used to initiate this action.")] String url; - [Write, Description("Allows or disallows scanning of archives. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowarchivescanning; - [Write, Description("Allows or disallows Windows Defender Behavior Monitoring functionality. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowbehaviormonitoring; - [Write, Description("To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowcloudprotection; - [Write, Description("Allows or disallows Network Protection to enable datagram processing on Windows Server. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowdatagramprocessingonwinserver; - [Write, Description("Allows or disallows scanning of email. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowemailscanning; - [Write, Description("Allows or disallows a full scan of mapped network drives. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowfullscanonmappednetworkdrives; - [Write, Description("Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowfullscanremovabledrivescanning; - [Write, Description("https://github.com/MicrosoftDocs/memdocs/issues/2250 (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowintrusionpreventionsystem; - [Write, Description("Allows or disallows Windows Defender IOAVP Protection functionality. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowioavprotection; - [Write, Description("Allows or disallows Network Protection to be configured into block or audit mode on windows downlevel of RS3. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allownetworkprotectiondownlevel; - [Write, Description("Allows or disallows Windows Defender real-time Monitoring functionality. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowrealtimemonitoring; - [Write, Description("Allows or disallows a scanning of network files. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowscanningnetworkfiles; - [Write, Description("Allows or disallows Windows Defender Script Scanning functionality. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowscriptscanning; - [Write, Description("Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed. (0: Prevents users from accessing UI. 
1: Lets users access UI)"), ValueMap{"0","1"}, Values{"0","1"}] String allowuseruiaccess; - [Write, Description("Represents the average CPU load factor for the Windows Defender scan (in percent).")] sInt32 avgcpuloadfactor; - [Write, Description("Specify the maximum folder depth to extract from archive files for scanning.")] sInt32 archivemaxdepth; - [Write, Description("Specify the maximum size, in KB, of archive files to be extracted and scanned.")] sInt32 archivemaxsize; - [Write, Description("This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String checkforsignaturesbeforerunningscan; - [Write, Description("This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.(0: Default windows defender blocking level, 2: High blocking level, 4:High+ blocking level, 6:Zero tolerance blocking level)"), ValueMap{"0","2","4","6"}, Values{"0","2","4","6"}] String cloudblocklevel; - [Write, Description("This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.")] sInt32 cloudextendedtimeout; - [Write, Description("Time period (in days) that quarantine items will be stored on the system.")] sInt32 daystoretaincleanedmalware; - [Write, Description("This policy setting allows you to configure catch-up scans for scheduled full scans. (1: disabled, 0: enabled)"), ValueMap{"0","1"}, Values{"0","1"}] String disablecatchupfullscan; - [Write, Description("This policy setting allows you to configure catch-up scans for scheduled quick scans. 
(1: disabled, 0: enabled)"), ValueMap{"0","1"}, Values{"0","1"}] String disablecatchupquickscan; - [Write, Description("Disables or enables DNS over TCP Parsing for Network Protection. (0: enable feature. 1: disable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disablednsovertcpparsing; - [Write, Description("Disables or enables HTTP Parsing for Network Protection. (0: enable feature. 1: disable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String disablehttpparsing; + [Write, Description("Allows or disallows scanning of archives. (0: enable feature. 1: disable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String TamperProtection; + [Write, Description("Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableAccountProtectionUI; + [Write, Description("Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableAppBrowserUI; + [Write, Description("Disable the Clear TPM button in Windows Security. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableClearTpmButton; + [Write, Description("Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableDeviceSecurityUI; + [Write, Description("Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableFamilyUI; + [Write, Description("Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableHealthUI; + [Write, Description("Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableNetworkUI; + [Write, Description("Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableEnhancedNotifications; + [Write, Description("Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableTpmFirmwareUpdateWarning; + [Write, Description("Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableVirusUI; + [Write, Description("Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String HideRansomwareDataRecovery; + [Write, Description("This policy setting hides the Windows Security notification area control. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String HideWindowsSecurityNotificationAreaControl; + [Write, Description("Enable this policy to display your company name and contact options in the notifications. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String EnableCustomizedToasts; + [Write, Description("Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String EnableInAppCustomization; + [Write, Description("The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization.")] String CompanyName; + [Write, Description("The email address that is displayed to users. The default mail application is used to initiate email actions.")] String Email; + [Write, Description("The phone number or Skype ID that is displayed to users. Skype is used to initiate the call.")] String Phone; + [Write, Description("The help portal URL that is displayed to users. The default browser is used to initiate this action.")] String URL; + [Write, Description("Allows or disallows scanning of archives. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowArchiveScanning; + [Write, Description("Allows or disallows Windows Defender Behavior Monitoring functionality. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowBehaviorMonitoring; + [Write, Description("To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowCloudProtection; + [Write, Description("Allows or disallows Network Protection to enable datagram processing on Windows Server. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowDatagramProcessingOnWinServer; + [Write, Description("Allows or disallows scanning of email. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowEmailScanning; + [Write, Description("Allows or disallows a full scan of mapped network drives. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowFullScanOnMappedNetworkDrives; + [Write, Description("Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowFullScanRemovableDriveScanning; + [Write, Description("https://github.com/MicrosoftDocs/memdocs/issues/2250 (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowIntrusionPreventionSystem; + [Write, Description("Allows or disallows Windows Defender IOAVP Protection functionality. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowIOAVProtection; + [Write, Description("Allows or disallows Network Protection to be configured into block or audit mode on windows downlevel of RS3. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowNetworkProtectionDownLevel; + [Write, Description("Allows or disallows Windows Defender real-time Monitoring functionality. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowRealtimeMonitoring; + [Write, Description("Allows or disallows a scanning of network files. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowScanningNetworkFiles; + [Write, Description("Allows or disallows Windows Defender Script Scanning functionality. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowScriptScanning; + [Write, Description("Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed. (0: Prevents users from accessing UI. 1: Lets users access UI)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowUserUIAccess; + [Write, Description("Represents the average CPU load factor for the Windows Defender scan (in percent).")] sInt32 AvgCPULoadFactor; + [Write, Description("Specify the maximum folder depth to extract from archive files for scanning.")] sInt32 ArchiveMaxDepth; + [Write, Description("Specify the maximum size, in KB, of archive files to be extracted and scanned.")] sInt32 ArchiveMaxSize; + [Write, Description("This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String CheckForSignaturesBeforeRunningScan; + [Write, Description("This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.(0: Default windows defender blocking level, 2: High blocking level, 4:High+ blocking level, 6:Zero tolerance blocking level)"), ValueMap{"0","2","4","6"}, Values{"0","2","4","6"}] String CloudBlockLevel; + [Write, Description("This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.")] sInt32 CloudExtendedTimeout; + [Write, Description("Time period (in days) that quarantine items will be stored on the system.")] sInt32 DaysToRetainCleanedMalware; + [Write, Description("This policy setting allows you to configure catch-up scans for scheduled full scans. 
(1: disabled, 0: enabled)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableCatchupFullScan; + [Write, Description("This policy setting allows you to configure catch-up scans for scheduled quick scans. (1: disabled, 0: enabled)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableCatchupQuickScan; + [Write, Description("Disable Core Service ECS Integration. (0: disabled, 1: enabled)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableCoreServiceECSIntegration; + [Write, Description("Disable Core Service Telemetry. (1: disabled, 0: enabled)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableCoreServiceTelemetry; + [Write, Description("Disables or enables DNS over TCP Parsing for Network Protection. (0: enable feature. 1: disable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableDnsOverTcpParsing; + [Write, Description("Disables or enables HTTP Parsing for Network Protection. (0: enable feature. 1: disable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableHttpParsing; [Write, Description("Disable Ssh Parsing (1: SSH parsing is disabled, 0: SSH parsing is enabled)"), ValueMap{"1", "0"}, Values{"1", "0"}] String DisableSshParsing; - [Write, Description("This policy setting allows you to enable or disable low CPU priority for scheduled scans. (0: disable feature. 1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String enablelowcpupriority; - [Write, Description("This policy allows you to turn on network protection (block/audit) or off. 
(0: disabled, 1: block mode, 2: audit mode)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String enablenetworkprotection; - [Write, Description("Allows an administrator to specify a list of file type extensions to ignore during a scan.")] String excludedextensions[]; - [Write, Description("Allows an administrator to specify a list of directory paths to ignore during a scan.")] String excludedpaths[]; - [Write, Description("Allows an administrator to specify a list of files opened by processes to ignore during a scan.")] String excludedprocesses[]; - [Write, Description("Specifies the level of detection for potentially unwanted applications (PUAs). (0: disabled, 1: block mode, 2: audit mode)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String puaprotection; - [Write, Description("Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. (0: Not configured, 2: Beta Channel, 3: Current Channel (Preview), 4: Current Channel (Staged), 5: Current Channel (Broad), 6: Critical)"), ValueMap{"0", "2", "3", "4", "5", "6"}, Values{"0", "2", "3", "4", "5", "6"}] String engineupdateschannel; - [Write, Description("Allow managed devices to update through metered connections. (0: disabled, 1: enabled)")] String meteredconnectionupdates; - [Write, Description("Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. (0: Not configured, 2: Beta Channel, 3: Current Channel (Preview), 4: Current Channel (Staged), 5: Current Channel (Broad), 6: Critical)"), ValueMap{"0", "2", "3", "4", "5", "6"}, Values{"0", "2", "3", "4", "5", "6"}] String platformupdateschannel; - [Write, Description("Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. 
(0: Not configured, 4: Current Channel (Staged), 5: Current Channel (Broad))"), ValueMap{"0", "4", "5"}, Values{"0", "4", "5"}] String securityintelligenceupdateschannel; - [Write, Description("Controls which sets of files should be monitored. (0: Monitor all files (bi-directional), 1: Monitor incoming files, 2: Monitor outgoing files)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String realtimescandirection; - [Write, Description("Selects whether to perform a quick scan or full scan. (1: Quick scan, 2: Full scan)"), ValueMap{"1","2"}, Values{"1","2"}] String scanparameter; - [Write, Description("Selects the time of day that the Windows Defender quick scan should run.")] sInt32 schedulequickscantime; - [Write, Description("Selects the day that the Windows Defender scan should run. (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan)"), ValueMap{"0","1","2","3","4","5","6","7","8"}, Values{"0","1","2","3","4","5","6","7","8"}] String schedulescanday; - [Write, Description("Selects the time of day that the Windows Defender scan should run. Must be between 0 and 1380 minutes.")] sInt32 schedulescantime; - [Write, Description("This setting disables TLS Parsing for Network Protection. (0: enabled, 1: disabled)"), ValueMap{"0","1"}, Values{"0","1"}] String disabletlsparsing; - [Write, Description("Specifies if the start time of the scan is randomized. (0: no randomization, 1: randomized)"), ValueMap{"0","1"}, Values{"0","1"}] String randomizescheduletasktimes; - [Write, Description("This setting allows you to configure the scheduler randomization in hours. 
The randomization interval is [1 - 23] hours.")] sInt32 schedulerrandomizationtime; - [Write, Description("This policy setting allows you to define the order in which different definition update sources should be contacted.")] String signatureupdatefallbackorder[]; - [Write, Description("This policy setting allows you to configure UNC file share sources for downloading definition updates.")] String signatureupdatefilesharessources[]; - [Write, Description("Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. Must be between 0 and 24 hours.")] sInt32 signatureupdateinterval; - [Write, Description("Checks for the user consent level in Windows Defender to send data. (0: Always prompt, 1: Send safe samples automatically, 2: Never send, 3: Send all samples automatically)"), ValueMap{"0","1","2","3"}, Values{"0","1","2","3"}] String submitsamplesconsent; - [Write, Description("This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. (0: enable local admin merge, 1: disable local admin merge)"), ValueMap{"0","1"}, Values{"0","1"}] String disablelocaladminmerge; - [Write, Description("Allows or disallows Windows Defender On Access Protection functionality. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String allowonaccessprotection; - [Write, Description("Allows an administrator to specify low severity threats corresponding action ID to take."),ValueMap{"clean", "quarantine","remove", "allow", "userdefined","block"}, Values{"clean", "quarantine","remove", "allow", "userdefined","block"}] String lowseveritythreats; - [Write, Description("Allows an administrator to specify moderate severity threats corresponding action ID to take."),ValueMap{"clean", "quarantine","remove", "allow", "userdefined","block"}, Values{"clean", "quarantine","remove", "allow", "userdefined","block"}] String moderateseveritythreats; - [Write, Description("Allows an administrator to specify high severity threats corresponding action ID to take."),ValueMap{"clean", "quarantine","remove", "allow", "userdefined","block"}, Values{"clean", "quarantine","remove", "allow", "userdefined","block"}] String severethreats; - [Write, Description("Allows an administrator to specify severe threats corresponding action ID to take."),ValueMap{"clean", "quarantine","remove", "allow", "userdefined","block"}, Values{"clean", "quarantine","remove", "allow", "userdefined","block"}] String highseveritythreats; - [Write, Description("Template Id of the policy. 0: Windows Security Experience, 1: Defender Update controls, 2: Microsoft Defender Antivirus exclusions, 3: Microsoft Defender Antivirus"),ValueMap{"d948ff9b-99cb-4ee0-8012-1fbc09685377_1", "e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1", "45fea5e9-280d-4da1-9792-fb5736da0ca9_1","804339ad-1553-4478-a742-138fb5807418_1"}, Values{"d948ff9b-99cb-4ee0-8012-1fbc09685377_1", "e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1", "45fea5e9-280d-4da1-9792-fb5736da0ca9_1","804339ad-1553-4478-a742-138fb5807418_1"}] String templateId; + [Write, Description("This policy setting allows you to enable or disable low CPU priority for scheduled scans. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String EnableLowCPUPriority; + [Write, Description("This policy allows you to turn on network protection (block/audit) or off. (0: disabled, 1: block mode, 2: audit mode)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String EnableNetworkProtection; + [Write, Description("Allows an administrator to specify a list of file type extensions to ignore during a scan.")] String ExcludedExtensions[]; + [Write, Description("Allows an administrator to specify a list of directory paths to ignore during a scan.")] String ExcludedPaths[]; + [Write, Description("Allows an administrator to specify a list of files opened by processes to ignore during a scan.")] String ExcludedProcesses[]; + [Write, Description("Specifies the level of detection for potentially unwanted applications (PUAs). (0: disabled, 1: block mode, 2: audit mode)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String PUAProtection; + [Write, Description("Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. (0: Not configured, 2: Beta Channel, 3: Current Channel (Preview), 4: Current Channel (Staged), 5: Current Channel (Broad), 6: Critical)"), ValueMap{"0", "2", "3", "4", "5", "6"}, Values{"0", "2", "3", "4", "5", "6"}] String EngineUpdatesChannel; + [Write, Description("Allow managed devices to update through metered connections. (0: disabled, 1: enabled)")] String MeteredConnectionUpdates; + [Write, Description("Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. 
(0: Not configured, 2: Beta Channel, 3: Current Channel (Preview), 4: Current Channel (Staged), 5: Current Channel (Broad), 6: Critical)"), ValueMap{"0", "2", "3", "4", "5", "6"}, Values{"0", "2", "3", "4", "5", "6"}] String PlatformUpdatesChannel; + [Write, Description("Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. (0: Not configured, 4: Current Channel (Staged), 5: Current Channel (Broad))"), ValueMap{"0", "4", "5"}, Values{"0", "4", "5"}] String SecurityIntelligenceUpdatesChannel; + [Write, Description("Controls which sets of files should be monitored. (0: Monitor all files (bi-directional), 1: Monitor incoming files, 2: Monitor outgoing files)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RealTimeScanDirection; + [Write, Description("Selects whether to perform a quick scan or full scan. (1: Quick scan, 2: Full scan)"), ValueMap{"1","2"}, Values{"1","2"}] String ScanParameter; + [Write, Description("Selects the time of day that the Windows Defender quick scan should run.")] sInt32 ScheduleQuickScanTime; + [Write, Description("Selects the day that the Windows Defender scan should run. (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan)"), ValueMap{"0","1","2","3","4","5","6","7","8"}, Values{"0","1","2","3","4","5","6","7","8"}] String ScheduleScanDay; + [Write, Description("Selects the time of day that the Windows Defender scan should run. Must be between 0 and 1380 minutes.")] sInt32 ScheduleScanTime; + [Write, Description("This setting disables TLS Parsing for Network Protection. (0: enabled, 1: disabled)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableTlsParsing; + [Write, Description("Specifies if the start time of the scan is randomized. 
(0: no randomization, 1: randomized)"), ValueMap{"0","1"}, Values{"0","1"}] String RandomizeScheduleTaskTimes; + [Write, Description("This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours.")] sInt32 SchedulerRandomizationTime; + [Write, Description("This policy setting allows you to define the order in which different definition update sources should be contacted.")] String SignatureUpdateFallbackOrder[]; + [Write, Description("This policy setting allows you to configure UNC file share sources for downloading definition updates.")] String SignatureUpdateFileSharesSources[]; + [Write, Description("Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. Must be between 0 and 24 hours.")] sInt32 SignatureUpdateInterval; + [Write, Description("Checks for the user consent level in Windows Defender to send data. (0: Always prompt, 1: Send safe samples automatically, 2: Never send, 3: Send all samples automatically)"), ValueMap{"0","1","2","3"}, Values{"0","1","2","3"}] String SubmitSamplesConsent; + [Write, Description("This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. (0: enable local admin merge, 1: disable local admin merge)"), ValueMap{"0","1"}, Values{"0","1"}] String DisableLocalAdminMerge; + [Write, Description("Allows or disallows Windows Defender On Access Protection functionality. (0: disable feature. 
1: enable feature)"), ValueMap{"0","1"}, Values{"0","1"}] String AllowOnAccessProtection; + [Write, Description("Allows an administrator to specify low severity threats corresponding action ID to take."),ValueMap{"clean", "quarantine","remove", "allow", "userdefined","block"}, Values{"clean", "quarantine","remove", "allow", "userdefined","block"}] String LowSeverityThreats; + [Write, Description("Allows an administrator to specify moderate severity threats corresponding action ID to take."),ValueMap{"clean", "quarantine","remove", "allow", "userdefined","block"}, Values{"clean", "quarantine","remove", "allow", "userdefined","block"}] String ModerateSeverityThreats; + [Write, Description("Allows an administrator to specify high severity threats corresponding action ID to take."),ValueMap{"clean", "quarantine","remove", "allow", "userdefined","block"}, Values{"clean", "quarantine","remove", "allow", "userdefined","block"}] String SevereThreats; + [Write, Description("Allows an administrator to specify severe threats corresponding action ID to take."),ValueMap{"clean", "quarantine","remove", "allow", "userdefined","block"}, Values{"clean", "quarantine","remove", "allow", "userdefined","block"}] String HighSeverityThreats; + [Write, Description("Template Id of the policy. 
0: Windows Security Experience, 1: Defender Update controls, 2: Microsoft Defender Antivirus exclusions, 3: Microsoft Defender Antivirus"),ValueMap{"d948ff9b-99cb-4ee0-8012-1fbc09685377_1", "e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1", "45fea5e9-280d-4da1-9792-fb5736da0ca9_1","804339ad-1553-4478-a742-138fb5807418_1"}, Values{"d948ff9b-99cb-4ee0-8012-1fbc09685377_1", "e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1", "45fea5e9-280d-4da1-9792-fb5736da0ca9_1","804339ad-1553-4478-a742-138fb5807418_1"}] String TemplateId; [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; [Write, Description("Present ensures the policy exists, absent ensures it is removed"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Intune Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 index 3585277caf..daa9bb00c1 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10/MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 
@@ -125,7 +125,6 @@ function Get-TargetResource if ($currentomaSettings.isEncrypted -eq $true) { - write-verbose ("IsEncrypted = true -- $($currentomaSettings.displayName)") $SecretReferenceValueId = $currentomaSettings.secretReferenceValueId $OmaSettingPlainTextValue = Get-OmaSettingPlainTextValue -SecretReferenceValueId $SecretReferenceValueId if (![String]::IsNullOrEmpty($OmaSettingPlainTextValue)) @@ -144,7 +143,7 @@ function Get-TargetResource $myomaSettings.Add('IsEncrypted', $currentomaSettings.isEncrypted) $myomaSettings.Add('OmaUri', $currentomaSettings.omaUri) $myomaSettings.Add('FileName', $currentomaSettings.fileName) - $myomaSettings.Add('Value', $currentomaSettings.value) + $myomaSettings.Add('Value', [System.String]$currentomaSettings.value) if ($currentomaSettings.'@odata.type' -eq '#microsoft.graph.omaSettingInteger') { $myomaSettings.Add('IsReadOnly', $currentomaSettings.isReadOnly) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 index 987f41812b..4508e66dd0 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10/MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10.psm1 @@ -122,6 +122,7 @@ function Get-TargetResource [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` -DeviceManagementConfigurationPolicyId $Identity ` -ExpandProperty 'settingDefinitions' ` + -All ` -ErrorAction Stop $policySettings = @{} 
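Review bot: The `[System.String]` cast added in the second hunk of MSFT_IntuneDeviceConfigurationCustomPolicyWindows10.psm1 (@@ -144,7 +143,7 @@) also turns a `$null` value into an empty string, so an OMA setting returned without a `value` would now be reported as `''` rather than `$null`. If any later comparison or export path distinguishes the two, that could surface as configuration drift. A guarded cast such as `$value = if ($null -ne $currentomaSettings.value) { [System.String]$currentomaSettings.value } else { $null }` keeps the boolean fix without changing the null case. Whether a null `value` can actually reach this line is not visible from the hunk, and Get-TargetResource continues outside it.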
@@ -130,7 +131,7 @@ function Get-TargetResource $policySettings.Remove('ClientConfigurationPackageType') $policySettings.Remove('onboarding') $policySettings.Remove('offboarding') - $policySettings.Remove('autofromconnector') + $policySettings.Remove('onboarding_fromconnector') # Removing TelemetryReportingFrequency because it's deprecated and doesn't need to be evaluated and enforced $policySettings.Remove('telemetryreportingfrequency') diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 index c3b6e71fd2..35d258852e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 @@ -80,6 +80,10 @@ function Get-TargetResource [System.String] $authschemes, + [Parameter()] + [System.String] + $AuthSchemes_AuthSchemes, + [Parameter()] [ValidateSet('0', '1')] [System.String] @@ -338,6 +342,10 @@ function Set-TargetResource [System.String] $authschemes, + [Parameter()] + [System.String] + $AuthSchemes_AuthSchemes, + [Parameter()] [ValidateSet('0', '1')] [System.String] @@ -441,6 +449,13 @@ function Set-TargetResource $platforms = 'windows10' $technologies = 'mdm' + if ($BoundParameters.ContainsKey('authschemes')) + { + Write-Warning -Message "The parameter 'authschemes' is deprecated. Please use 'AuthSchemes_AuthSchemes' instead." + $BoundParameters['AuthSchemes_AuthSchemes'] = $BoundParameters['authschemes'] + $BoundParameters.Remove('authschemes') | Out-Null + } + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') { Write-Verbose -Message "Creating an Intune Security Baseline Microsoft Edge with Name {$DisplayName}" 
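Review bot: When a configuration binds both `authschemes` and `AuthSchemes_AuthSchemes`, the deprecation shim in the Set-TargetResource hunk (@@ -441,6 +449,13 @@) overwrites the new parameter with the deprecated one, so the legacy value silently wins. Per its description this property holds the supported HTTP authentication schemes, so a stale legacy value could apply a different scheme list than the author intended. Copy only when the new key is absent: `if (-not $BoundParameters.ContainsKey('AuthSchemes_AuthSchemes')) { $BoundParameters['AuthSchemes_AuthSchemes'] = $BoundParameters['authschemes'] }`. The Test-TargetResource hunk (@@ -730,6 +749,17 @@) has the same precedence, because it compares only `authschemes` against the current value and removes `AuthSchemes_AuthSchemes` from `$ValuesToCheck`. Both function bodies continue outside their hunks.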
@@ -589,6 +604,10 @@ function Test-TargetResource [System.String] $authschemes, + [Parameter()] + [System.String] + $AuthSchemes_AuthSchemes, + [Parameter()] [ValidateSet('0', '1')] [System.String] @@ -730,6 +749,17 @@ function Test-TargetResource } } + if ($PSBoundParameters.ContainsKey('authschemes')) + { + Write-Warning -Message "The parameter 'authschemes' is deprecated. Please use 'AuthSchemes_AuthSchemes' instead." + if ($PSBoundParameters['authschemes'] -ne $CurrentValues['AuthSchemes_AuthSchemes']) + { + $testResult = $false + } + $ValuesToCheck.Remove('authschemes') | Out-Null + $ValuesToCheck.Remove('AuthSchemes_AuthSchemes') | Out-Null + } + $ValuesToCheck.Remove('Id') | Out-Null $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof index 8a9515e3d3..d8a2607bcb 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof 
@@ -28,7 +28,8 @@ class MSFT_IntuneSecurityBaselineMicrosoftEdge : OMI_BaseResource
 [Write, Description("Force WebSQL to be enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WebSQLAccess;
 [Write, Description("Allow Basic authentication for HTTP (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String BasicAuthOverHttpEnabled;
 [Write, Description("Supported authentication schemes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftEdge_HTTPAuthentication_AuthSchemes;
- [Write, Description("Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes")] String authschemes;
+ [Write, Description("(Deprecated) - Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes")] String authschemes;
+ [Write, Description("Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes")] String AuthSchemes_AuthSchemes;
 [Write, Description("Allow user-level native messaging hosts (installed without admin permissions) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NativeMessagingUserLevelHosts;
 [Write, Description("Specifies whether to allow insecure websites to make requests to more-private network endpoints (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InsecurePrivateNetworkRequestsAllowed;
 [Write, Description("Show the Reload in Internet Explorer mode button in the toolbar (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InternetExplorerModeToolbarButtonEnabled;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1
index 6038452294..2f032f78bd 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsOrgWideAppSettings/MSFT_TeamsOrgWideAppSettings.psm1 @@ -25,7 +25,7 @@ function Get-TargetResource [Switch] $ManagedIdentity ) - Write-Verbose -Message 'Checking the Teams Upgrade Configuration' + Write-Verbose -Message 'Checking the Teams Org Wide App Settings' $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftTeams' ` -InboundParameters $PSBoundParameters @@ -105,7 +105,7 @@ function Set-TargetResource $ManagedIdentity ) - Write-Verbose -Message 'Setting Teams Upgrade Configuration' + Write-Verbose -Message 'Setting the Teams Org Wide App Settings' #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies @@ -169,7 +169,7 @@ function Test-TargetResource Add-M365DSCTelemetryEvent -Data $data #endregion - Write-Verbose -Message 'Testing configuration of Team Upgrade Settings' + Write-Verbose -Message 'Testing configuration for the Teams Org Wide App Settings' $CurrentValues = Get-TargetResource @PSBoundParameters diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 index 20ecfd0716..e845b47cb9 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 @@ -68,13 +68,13 @@ function Get-TargetResource if ($Identity -eq 'Global') { - [array]$users = Get-CsOnlineUser | Where-Object -Filter { $_.TeamsUpgradePolicy -eq $null } + [array]$users = Get-CsOnlineUser -Filter "TeamsUpgradePolicy eq null" } else { try { - [array]$users = Get-CsOnlineUser -Filter "TeamsUpgradePolicy -eq '$Identity'" + [array]$users = Get-CsOnlineUser -Filter "TeamsUpgradePolicy eq '$Identity'" } catch { 
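Review bot: In the TeamsUpgradePolicy hunk, `$Identity` is interpolated unescaped into the filter string of `Get-CsOnlineUser -Filter "TeamsUpgradePolicy eq '$Identity'"`, so a policy name containing a single quote breaks the expression or changes what it matches. The value should be escaped for the filter syntax before the string is built. If the cmdlet follows the usual quote-doubling convention, which should be confirmed, that is `$escapedIdentity = $Identity.Replace("'", "''")`. The hunk also switches the operator from `-eq` to `eq` and moves the Global case to a server-side `eq null` filter. Both are worth confirming against the pinned MicrosoftTeams module version, because a rejected filter would land in the `catch` block, whose body is outside the hunk.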
diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 8cf9012973..42d1488d67 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -18,7 +18,7 @@ }, @{ ModuleName = 'DSCParser' - RequiredVersion = '2.0.0.11' + RequiredVersion = '2.0.0.12' }, @{ ModuleName = 'ExchangeOnlineManagement' @@ -122,7 +122,7 @@ }, @{ ModuleName = "MSCloudLoginAssistant" - RequiredVersion = "1.1.27" + RequiredVersion = "1.1.28" }, @{ ModuleName = 'PnP.PowerShell' diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMigration/1-Create.ps1 similarity index 59% rename from Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/1-Create.ps1 rename to Modules/Microsoft365DSC/Examples/Resources/EXOMigration/1-Create.ps1 index cd20934197..0680924ff4 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMigration/1-Create.ps1 
@@ -22,14 +22,19 @@ Configuration Example node localhost { - EXOM365DataAtRestEncryptionPolicy "M365DataAtRestEncryptionPolicy-Riyansh_Policy" + EXOMigration "EXOMigration-test" { - AzureKeyIDs = @("https://m365dataatrestencryption.vault.azure.net/keys/EncryptionKey","https://m365datariyansh.vault.azure.net/keys/EncryptionRiyansh"); - Description = "Tenant default policy 1"; - Enabled = $True; + AddUsers = $False; + BadItemLimit = ""; + CompleteAfter = "12/31/9999 11:59:59 PM"; Ensure = "Present"; - Identity = "Riyansh_Policy"; - Name = "Riyansh_Policy"; + Identity = "test"; + LargeItemLimit = ""; + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org"); + SkipMerging = @(); + Status = "Completed"; + Update = $False; ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMigration/2-Update.ps1 similarity index 58% rename from Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/2-Update.ps1 rename to Modules/Microsoft365DSC/Examples/Resources/EXOMigration/2-Update.ps1 index a2b808a007..58d163d6b3 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMigration/2-Update.ps1 
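Review bot: `NotificationEmails = @("eac_admin@bellred.org")` puts what looks like a real administrator mailbox into a published example, and the same value is repeated in the EXOMigration 2-Update and 3-Remove examples. Examples are routinely copied into tenant configurations, where this would send migration notifications to an address outside the tenant. A value derived from the example's own parameters avoids that, for instance `NotificationEmails = @("admin@$TenantId");`.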
@@ -22,14 +22,19 @@ Configuration Example node localhost { - EXOM365DataAtRestEncryptionPolicy "M365DataAtRestEncryptionPolicy-Riyansh_Policy" + EXOMigration "EXOMigration-test" { - AzureKeyIDs = @("https://m365dataatrestencryption.vault.azure.net/keys/EncryptionKey","https://m365datariyansh.vault.azure.net/keys/EncryptionRiyansh"); - Description = "Tenant default policy 2"; # drift - Enabled = $True; + AddUsers = $True; #Updated Property + BadItemLimit = ""; + CompleteAfter = "12/31/9999 11:59:59 PM"; Ensure = "Present"; - Identity = "Riyansh_Policy"; - Name = "Riyansh_Policy"; + Identity = "test"; + LargeItemLimit = ""; + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org"); + SkipMerging = @(); + Status = "Completed"; + Update = $False; ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOMigration/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/EXOMigration/3-Remove.ps1 new file mode 100644 index 0000000000..c208922010 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/EXOMigration/3-Remove.ps1 
@@ -0,0 +1,43 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + EXOMigration "EXOMigration-test" + { + AddUsers = $False; + BadItemLimit = ""; + CompleteAfter = "12/31/9999 11:59:59 PM"; + Ensure = "Absent"; + Identity = "test"; + LargeItemLimit = ""; + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org"); + SkipMerging = @(); + Status = "Completed"; + Update = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/1-Create.ps1 index 0e1d844cfc..6018fdbd85 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/1-Create.ps1 @@ -34,7 +34,7 @@ Configuration Example } ); BackupDirectory = "1"; - PasswordAgeDays_AAD = 10; + passwordagedays_aad = 10; AdministratorAccountName = "Administrator"; PasswordAgeDays = 20; ApplicationId = $ApplicationId; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/2-Update.ps1 index 08d2c88584..c67e11eee7 100644 
--- a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy/2-Update.ps1 @@ -34,7 +34,7 @@ Configuration Example } ); BackupDirectory = "1"; - PasswordAgeDays_AAD = 15; # Updated Property + passwordagedays_aad = 15; # Updated Property AdministratorAccountName = "Administrator"; PasswordAgeDays = 20; ApplicationId = $ApplicationId; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/1-Create.ps1 new file mode 100644 index 0000000000..8d1e5f3825 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/1-Create.ps1 @@ -0,0 +1,47 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusExclusionsPolicyMacOS' + { + Assignments = @(); + Description = ""; + DisplayName = "Test"; + Ensure = "Present"; + Exclusions = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_extension = '.dmg' + Exclusions_item_type = '1' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_name = 'process1' + Exclusions_item_type = '2' + } + ); + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} \ No newline at end of file 
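Review bot: In the new IntuneAntivirusExclusionsPolicyMacOS 1-Create example, `Exclusions_item_extension = '.dmg'` excludes every disk image from antivirus scanning. Disk images are a common way to deliver software on macOS, so an example copied as-is would noticeably reduce scan coverage. The header says the example is not a production baseline, but a comment on the line itself would carry the caveat to wherever it is pasted: `# sample value only - extension-wide exclusions reduce scan coverage; scope real exclusions as narrowly as possible`.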
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/2-Update.ps1 new file mode 100644 index 0000000000..4fc62dc9b7 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/2-Update.ps1 @@ -0,0 +1,47 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusExclusionsPolicyMacOS' + { + Assignments = @(); + Description = ""; + DisplayName = "Test"; + Ensure = "Present"; + Exclusions = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_extension = '.xcode' # Updated property + Exclusions_item_type = '1' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_name = 'process1' + Exclusions_item_type = '2' + } + ); + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} \ No newline at end of file diff --git a/Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/3-Remove.ps1 similarity index 56% rename from Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/3-Remove.ps1 rename to Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/3-Remove.ps1 index 2fb04326d1..d89bdb52e9 100644 
--- a/Modules/Microsoft365DSC/Examples/Resources/EXOM365DataAtRestEncryptionPolicy/3-Remove.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAntivirusExclusionsPolicyMacOS/3-Remove.ps1 @@ -22,14 +22,10 @@ Configuration Example node localhost { - EXOM365DataAtRestEncryptionPolicy "M365DataAtRestEncryptionPolicy-Riyansh_Policy" + IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusPolicyMacOS' { - AzureKeyIDs = @("https://m365dataatrestencryption.vault.azure.net/keys/EncryptionKey","https://m365datariyansh.vault.azure.net/keys/EncryptionRiyansh"); - Description = "Tenant default policy 1"; - Enabled = $True; - Ensure = "Absent"; - Identity = "Riyansh_Policy"; - Name = "Riyansh_Policy"; + DisplayName = 'test' + Ensure = 'Absent' ApplicationId = $ApplicationId; TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index fa43f229f6..1c924e4bb9 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 @@ -3,7 +3,7 @@ # # Generated by: Microsoft Corporation # -# Generated on: 2024-11-08 +# Generated on: 2024-11-13 @{ @@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.24.1106.3' + ModuleVersion = '1.24.1113.1' # Supported PSEditions # CompatiblePSEditions = @() 
@@ -147,220 +147,48 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* AADAccessReviewDefinition - * Initial release. -* AADAccessReviewPolicy - * Initial release. -* AADAuthenticationMethodPolicyExternal - * Initial release. -* AADClaimsMappingPolicy - * Initial release. -* AADConditionalAccessPolicy - * FIXES [#5282](https://github.com/microsoft/Microsoft365DSC/issues/5282) - * Added support for InsiderRiskLevels. -* AADCustomSecurityAttributeDefinition - * Fixed missing permissions in settings.json -* AADEnrichedAuditLogs - * Initial release. -* AADFederationConfiguration - * Initial release. -* AADFilteringPolicy - * Initial release. -* AADFilteringPolicyRule - * Initial release. -* AADFilteringProfile - * Initial release. -* AADGroup - * Added support for custom roles assignment. - FIXES [#5322](https://github.com/microsoft/Microsoft365DSC/issues/5322) -* AADHomeRealmDiscoveryPolicy - * Initial Release -* AADIdentityAPIConnector - * Initial release. -* AADIdentityB2XUserFlow - * Initial release. -* AADIdentityGovernanceLifecycleWorkflowCustomTaskExtension - * Initial release. -* AADIdentityGovernanceProgram - * Initial release. -* AADIdentityProtectionPolicySettings - * Initial release. -* AADNamedLocationPolicy - * Fixed issue where duplicate names were not detected correctly. -* AADNetworkAccessForwardingPolicy - * Initial release. -* AADNetworkAccessForwardingProfile - * Initial release. -* AADNetworkAccessSettingConditionalAccess - * Initial release. -* AADNetworkAccessSettingCrossTenantAccess - * Initial release. -* AADOnPremisesPublishingProfilesSettings - * Initial release. -* AADOrganizationCertificateBasedAuthConfiguration - * Initial release. -* AADRemoteNetwork - * Initial release. 
+ ReleaseNotes = '* AADConditionalAccessPolicy + * Fixed bug where an empty value was passed in the request for the + insiderRiskLevels parameter, which throws an error. + FIXES [#5389](https://github.com/microsoft/Microsoft365DSC/issues/5389) + * Fixes a bug where 3P apps could not be assigned by DisplayName for both + IncludeApplications and ExcludeApplications + FIXES [#5390](https://github.com/microsoft/Microsoft365DSC/issues/5390) * AADRoleEligibilityScheduleRequest - * Fixes for Custom roles. - FIXES [#5330](https://github.com/microsoft/Microsoft365DSC/issues/5330) - * Fixes to remove elegibility schedule for custom roles. - FIXES [#5331](https://github.com/microsoft/Microsoft365DSC/issues/5331) -* AADRoleManagementPolicyRule - * Initial release. -* AADServicePrincipal - * Added the notes field. - FIXES [#5312](https://github.com/microsoft/Microsoft365DSC/issues/5312) - * Added support for KeyCredentials and PasswordCredentials. - * Added support for SAML. - * Fixed issue with Owners. -* AADSocialIdentityProvider - * Fixed missing permissions in settings.json -* AADUserFlowAttribute - * Initial Release -* AADVerifiedIdAuthority - * Initial release. -* AADVerifiedIdAuthorityContract - * Initial release. -* AzureBillingAccountsAssociatedTenant - * Initial release. -* AzureBillingAccountsRoleAssignment - * Initial release. -* AzureDiagnosticSettings - * Initial release. -* AzureDiagnosticSettingsCustomSecurityAttribute - * Initial release. -* AzureSubscription - * Renamed parameters and added logic flow to create new subscriptions. -* AzureVerifiedIdFaceCheck - * Initial release. -* DefenderDeviceAuthenticatedScanDefinition - * Initial release. -* EXOActiveSyncMailboxPolicy - * Initial release. -* EXOArcConfig - * Fixed `Test-TargetResource` to correctly check property `ArcTrustedSealers` - when it has an array -* EXOMailboxAuditBypassAssociation - * Initial release. 
-* EXOMailboxSettings - * Added support for AddressBookPolicy, RetentionPolicy, RoleAssignmentPolicy - and SharingPolicy. -* EXOServicePrincipal - * Initial release. -* EXOTenantAllowBlockListItems - * Fixed `Test-TargetResource` to correctly mark when this resource is removed -* EXOTenantAllowBlockListSpoofItems - * Initial release. -* IntuneAccountProtectionLocalUserGroupMembershipPolicy - * Updates values in `UserSelectionType`. - FIXES [#5318](https://github.com/microsoft/Microsoft365DSC/issues/5318) -* IntuneAntivirusPolicyLinux - * Initial release. -* IntuneAppAndBrowserIsolationPolicyWindows10ConfigMgr - * Initial release. -* IntuneAppCategory - * Fixed retrieval of resource which could then result in multiple categories - being created with same name. -* IntuneAppleMDMPushNotificationCertificate - * Initial release. -* IntuneAppProtectionPolicyiOS - * Fixes an issue that could cause multiple instances to be created when multiple - instances with the same display name exist. -* IntuneDerivedCredential - * Fixed export and deployment when `NotificationType` had more than one option - selected - * Fixed retrieval of resource when it cannot be found by `Id` - * Added a few verbose messages -* IntuneDeviceManagmentAndroidDeviceOwnerEnrollmentProfile - * Initial release. + * FIXES [#3787](https://github.com/microsoft/Microsoft365DSC/issues/3787) + * FIXES [#5089](https://github.com/microsoft/Microsoft365DSC/issues/5089) +* EXOATPBuiltInProtectionRule, EXOEOPProtectionRule + * Fixed issue where empty arrays were being compared incorrectly to null + strings + FIXES [#5394](https://github.com/microsoft/Microsoft365DSC/issues/5394) +* IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy + * Update property `PasswordAgeDays_AAD` to be lower-case. + FIXES [#5378](https://github.com/microsoft/Microsoft365DSC/issues/5378) (1/2) +* IntuneAntivirusExclusionsPolicyMacOS + * Initial release. 
+* IntuneAntivirusPolicyWindows10SettingCatalog + * Update properties to be upper-case. + Fixes [#5373](https://github.com/microsoft/Microsoft365DSC/issues/5373) +* IntuneDeviceConfigurationCustomPolicyWindows10 + * Fixed issue where `Value`, from `OmaSettings`, could not be compared + correctly if it was boolean and set to `$False` + FIXES [#5384](https://github.com/microsoft/Microsoft365DSC/issues/5384) * IntuneEndpointDetectionAndResponsePolicyWindows10 - * Fixes an issue with `AutoFromConnector` as the Configuration package type. - FIXES [#5246](https://github.com/microsoft/Microsoft365DSC/issues/5246) -* IntuneMobileThreatDefenseConnector - * Initial release. -* IntuneSecurityBaselineDefenderForEndpoint - * Initial release. -* IntuneSettingCatalogCustomPolicyWindows10 - * Fixes an issue with limited results when more than 25 results are present. -* Intune workload - * Fixed missing permissions in settings.json -* M365DSCRuleEvaluation - * Changed the name of the Key property from ResourceName to ResourceTypeName. - While this is considered a breaking change, the old property name was - breaking the DSCParser process. The impact of this breaking the parsing - process is important enough to justify an out-of-band breaking change of - this resource. -* ODSettings - * Deprecated property NotifyOwnersWhenInvitationsAccepted. - FIXES [#4979](https://github.com/microsoft/Microsoft365DSC/issues/4979) -* PPPowerAppsEnvironment - * Add ProvisionDatabase attribute - FIXES [#5207](https://github.com/microsoft/Microsoft365DSC/issues/5207) -* PPTenantSettings - * Updated to support latest settings. -* SCInsiderRiskPolicy - * Added support for property MDATPTriageStatus. - * Added support for GPUUtilizationLimit and CPUUtilizationLimit. -* SCPolicyConfig - * Initial release. -* SCSensitivityLabel - * Fixed issue with setting label priority - FIXES [#5266](https://github.com/microsoft/Microsoft365DSC/issues/5266) -* SentinelAlertRule - * Initial release. 
-* SentinelThreatIntelligenceIndicator - * Initial release. -* SPOSharingSettings - * Deprecated property RequireAcceptingAccountMatchInvitedAccount. - FIXES [#4979](https://github.com/microsoft/Microsoft365DSC/issues/4979) -* SPOTenantSettings - * Added support for AllowSelectSGsInODBListInTenant, - DenySelectSGsInODBListInTenant, DenySelectSecurityGroupsInSPSitesList, - AllowSelectSecurityGroupsInSPSitesList, - ExemptNativeUsersFromTenantLevelRestricedAccessControl properties. - * TenantDefaultTimezone changed to String instead of Array. -* TeamsMeetingPolicy - * Added new parameters: AllowExternalNonTrustedMeetingChat, AttendeeIdentityMasking, - AutomaticallyStartCopilot, AutoRecording, ConnectToMeetingControls, - ContentSharingInExternalMeetings, Copilot, CopyRestriction, - DetectSensitiveContentDuringScreenSharing, ExternalMeetingJoin, ParticipantNameChange, - VoiceIsolation -* TeamsOrgWideAppSettings - * Fixed an issue where ManagedIdentity was not define in the methods signatures. - FIXES [#5188](https://github.com/microsoft/Microsoft365DSC/issues/5188) + * Remove changed property name from export. + FIXES [#5300](https://github.com/microsoft/Microsoft365DSC/issues/5300) +* IntuneSecurityBaselineMicrosoftEdge + * Deprecate property `authschemes` and replace with `AuthSchemes_AuthSchemes` * M365DSCDRGUtil - * Fixes an issue where non-unique properties were not combined - properly with their respective parent setting. -* MISC - * Fixed references to graph.microsoft.com with dynamic domain name based on target cloud. 
- Impacted AADAdminConsentRequestPolicy, AADApplication, AADConditionalAccessPolicy, AADGroup, - AADNamedLocationPolicy, AADServiePrincipal, IntuneASRRulesPolicyWindows10, - IntuneAccountProtectionLocalUsersGroupMembershipPolicy, IntuneAccountProtectionPolicy, - IntuneAppProtectionPolicyiOS,IntuneDeviceConfigurationAdministrativeTemplatePolicyWindows10, - IntuneDeviceConfigurationSCEPCertificatePolicyWindows10, IntuneDeviceConfigurationWiredNetworkPolicyWindows10, - IntuneDeviceEnrollmentStatusPageWindows10, IntuneDiskEncryptionMacOS, IntunePolicySets, - IntuneSettingCatalogCustomPolicyWindows10, M365DSCRGUtil - * Exponential performance improvements by reducing complexity and roundtrips. - * Changed the logic that appends GUID in the resource name when primary key is not found during an - export. We will only append a GUID if the IsSingleInstance property is not found on the resource. - * Add check in AADGroupSettings for NewUnifiedGroupWritebackDefault not existing in Government by default - FIXES [#5213](https://github.com/microsoft/Microsoft365DSC/issues/5213) - * Fix static refrences to graph.microsoft.com - FIXES [#5339](https://github.com/microsoft/Microsoft365DSC/issues/5339) - AADNetworkAccessForwardingPolicy. AADOrganizationCertificateBasedAuthConfiguration, - AADAuthenticationMethodPolicyExternal, AADEnrichedAuditLogs - FIXES [#5340](https://github.com/microsoft/Microsoft365DSC/issues/5340) - IntuneDeviceManagementEnrollmentAndroidGooglePlay, IntuneAppleMDMPushNotificationCertificate - * Fixes static OData refrences to graph.microsoft.com - AADApplication, AADEntitlementManagementAccessPackage, AADEntitlementManagementConnectedOrganization - AADServicePrincipal - FIXES [#5342](https://github.com/microsoft/Microsoft365DSC/issues/5342) + * Restrict CIM instance access to properties that appear multiple times. + * Switch log type for not found Intune assignments to `Warning`. 
+* M365DSCIntuneSettingsCatalogUtil + * Add ADMX handling for `edge~httpauthentication_`. + FIXES [#5378](https://github.com/microsoft/Microsoft365DSC/issues/5378) (2/2) +* TeamsUpgradePolicy + * Changes to how we are retrieving the users to improve performance. * DEPENDENCIES - * Updated Microsoft.Graph to version 2.24.0. - * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.199. - * Updated MSCloudLoginAssistant to version 1.1.27 - * Updated MicrosoftTeams to version 6.6.0.' + * Updated DSCParser to version 2.0.0.12. + * Updated MSCloudLoginAssistant to version 1.1.28.' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index c6ac727450..9e9392dc88 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -992,14 +992,14 @@ function ConvertTo-IntunePolicyAssignment { $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $target = $null } if ($group -and $group.Count -gt 1) { $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it is not unique in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $group = $null $target = $null } 
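Review bot: The warnings in ConvertTo-IntunePolicyAssignment say the assignment is skipped but not what follows from it, and the same three messages recur in ConvertTo-IntuneMobileAppAssignment, Update-DeviceConfigurationPolicyAssignment and Update-DeviceAppManagementPolicyAssignment. Each branch sets `$target = $null` and carries on, so the policy is presumably still processed without the unresolved group, which changes who it applies to. Stating that in the message would help an operator reading the warning stream, for example `$message += ' The policy will be processed without this assignment.'`. How `$target` is consumed afterwards is outside these hunks.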
@@ -1008,7 +1008,7 @@ function ConvertTo-IntunePolicyAssignment { $message = "Skipping assignment for the group with Id {$($assignment.groupId)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $target = $null } } @@ -1165,14 +1165,14 @@ function ConvertTo-IntuneMobileAppAssignment { $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $target = $null } if ($group -and $group.Count -gt 1) { $message = "Skipping assignment for the group with DisplayName {$($assignment.groupDisplayName)} as it is not unique in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $group = $null $target = $null } @@ -1181,7 +1181,7 @@ function ConvertTo-IntuneMobileAppAssignment { $message = "Skipping assignment for the group with Id {$($assignment.groupId)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $target = $null } } 
@@ -1329,14 +1329,14 @@ function Update-DeviceConfigurationPolicyAssignment { $message = "Skipping assignment for the group with DisplayName {$($target.groupDisplayName)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $target = $null } if ($group -and $group.count -gt 1) { $message = "Skipping assignment for the group with DisplayName {$($target.groupDisplayName)} as it is not unique in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $group = $null $target = $null } @@ -1345,7 +1345,7 @@ function Update-DeviceConfigurationPolicyAssignment { $message = "Skipping assignment for the group with Id {$($target.groupId)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $target = $null } } @@ -1452,14 +1452,14 @@ function Update-DeviceAppManagementPolicyAssignment { $message = "Skipping assignment for the group with DisplayName {$($target.groupDisplayName)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or groupDisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $target = $null } if ($group -and $group.count -gt 1) { $message = "Skipping assignment for the group with DisplayName {$($target.groupDisplayName)} as it is not unique in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $group = $null $target = $null } 
@@ -1468,7 +1468,7 @@ function Update-DeviceAppManagementPolicyAssignment { $message = "Skipping assignment for the group with Id {$($target.groupId)} as it could not be found in the directory.`r`n" $message += "Please update your DSC resource extract with the correct groupId or a unique group DisplayName." - Write-Verbose -Message $message + Write-Warning -Message $message $target = $null } } @@ -1775,7 +1775,7 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue $instanceCount = 1 if (($Level -gt 1 -and $groupSettingCollectionDefinitionChildren.Count -gt 1) -or - ($Level -eq 1 -and $groupSettingCollectionDefinitionChildren.Count -ge 1 -and $groupSettingCollectionDefinitionChildren.AdditionalProperties.'@odata.type' -notcontains "#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition")) + ($Level -eq 1 -and $SettingDefinition.AdditionalProperties.maximumCount -gt 1 -and $groupSettingCollectionDefinitionChildren.Count -ge 1 -and $groupSettingCollectionDefinitionChildren.AdditionalProperties.'@odata.type' -notcontains "#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition")) { $SettingInstanceName += Get-SettingsCatalogSettingName -SettingDefinition $SettingDefinition -AllSettingDefinitions $AllSettingDefinitions $cimDSCParams = @() @@ -2480,7 +2480,7 @@ function Update-IntuneDeviceConfigurationPolicy 'settings' = $Settings } $body = $policy | ConvertTo-Json -Depth 20 - #Write-Verbose -Message $body + # Write-Verbose -Message $body -Verbose Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop } catch diff --git a/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 index 2888ff7ad7..465189fd7a 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 
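Review bot: In Get-IntuneSettingCatalogPolicySettingInstanceValue, the added clause `$SettingDefinition.AdditionalProperties.maximumCount -gt 1` is false whenever `maximumCount` is absent, because `$null -gt 1` evaluates to `$false` in PowerShell. Level-1 group collections whose definition carries no such property therefore no longer enter this branch. If that is intended, a comment above the condition would record it: `# Level 1: require maximumCount > 1; definitions without maximumCount fall through`. The function body continues outside the hunk.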
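Review bot: In Update-IntuneDeviceConfigurationPolicy, the commented-out line `# Write-Verbose -Message $body -Verbose` should be deleted rather than reformatted. Once uncommented, the forced `-Verbose` would write the complete policy request body to the verbose stream on every update, regardless of the caller's preference. If request tracing is wanted, a line without the switch, `Write-Verbose -Message $body`, leaves that decision to the caller.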
@@ -67,7 +67,7 @@ } # When there is no parent, we can't use the parent setting name to make the setting name unique - # Instead, we traverse up the OffsetUri. + # Instead, we traverse up the OffsetUri. if ($null -eq $parentSetting) { $settingResult = Get-UniqueSettingDefinitionNameFromMultipleMatches -SettingDefinition $SettingDefinition -SettingName $settingName -SettingsWithSameName $settingsWithSameName @@ -98,6 +98,7 @@ 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } + 'edge~httpauthentication*' { $settingName = $settingName.Replace('edge~httpauthentication', 'MicrosoftEdge_HTTPAuthentication') } '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') } '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') } diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 03cf064c2c..3e7a22c247 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json 
@@ -15735,71 +15735,6 @@ } ] }, - { - "ClassName": "MSFT_EXOM365DataAtRestEncryptionPolicy", - "Parameters": [ - { - "CIMType": "String", - "Name": "Identity", - "Option": "Key" - }, - { - "CIMType": "String", - "Name": "Name", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "Description", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "Enabled", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AzureKeyIDs", - "Option": "Write" - }, - { - "CIMType": "string", - "Name": "Ensure", - "Option": "Write" - }, - { - "CIMType": "MSFT_Credential", - "Name": "Credential", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "ApplicationId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "TenantId", - "Option": "Write" - }, - { - "CIMType": "String", - "Name": "CertificateThumbprint", - "Option": "Write" - }, - { - "CIMType": "Boolean", - "Name": "ManagedIdentity", - "Option": "Write" - }, - { - "CIMType": "String[]", - "Name": "AccessTokens", - "Option": "Write" - } - ] - }, { "ClassName": "MSFT_EXOMailboxAuditBypassAssociation", "Parameters": [ 
@@ -17655,6 +17590,116 @@ } ] }, + { + "ClassName": "MSFT_EXOMigration", + "Parameters": [ + { + "CIMType": "String", + "Name": "Identity", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "NotificationEmails", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CompleteAfter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AddUsers", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BadItemLimit", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "LargeItemLimit", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "MoveOptions", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "SkipMerging", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "StartAfter", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Update", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Status", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "MigrationUsers", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SourceEndpoint", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetDeliveryDomain", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_EXOMigrationEndpoint", "Parameters": [ @@ -23855,7 +23900,7 @@ }, { "CIMType": "UInt32", - "Name": "PasswordAgeDays_AAD", + "Name": "passwordagedays_aad", "Option": "Write" }, { 
@@ -24600,6 +24645,81 @@ } ] }, + { + "ClassName": "MSFT_IntuneAntivirusExclusionsPolicyMacOS", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogexclusions[]", + "Name": "Exclusions", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogthreatTypeSettings", "Parameters": [ 
@@ -25015,222 +25135,232 @@ }, { "CIMType": "String", - "Name": "tamperprotection", + "Name": "TamperProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "disableaccountprotectionui", + "Name": "DisableAccountProtectionUI", "Option": "Write" }, { "CIMType": "String", - "Name": "disableappbrowserui", + "Name": "DisableAppBrowserUI", "Option": "Write" }, { "CIMType": "String", - "Name": "disablecleartpmbutton", + "Name": "DisableClearTpmButton", "Option": "Write" }, { "CIMType": "String", - "Name": "disabledevicesecurityui", + "Name": "DisableDeviceSecurityUI", "Option": "Write" }, { "CIMType": "String", - "Name": "disablefamilyui", + "Name": "DisableFamilyUI", "Option": "Write" }, { "CIMType": "String", - "Name": "disablehealthui", + "Name": "DisableHealthUI", "Option": "Write" }, { "CIMType": "String", - "Name": "disablenetworkui", + "Name": "DisableNetworkUI", "Option": "Write" }, { "CIMType": "String", - "Name": "disableenhancednotifications", + "Name": "DisableEnhancedNotifications", "Option": "Write" }, { "CIMType": "String", - "Name": "disabletpmfirmwareupdatewarning", + "Name": "DisableTpmFirmwareUpdateWarning", "Option": "Write" }, { "CIMType": "String", - "Name": "disablevirusui", + "Name": "DisableVirusUI", "Option": "Write" }, { "CIMType": "String", - "Name": "hideransomwaredatarecovery", + "Name": "HideRansomwareDataRecovery", "Option": "Write" }, { "CIMType": "String", - "Name": "hidewindowssecuritynotificationareacontrol", + "Name": "HideWindowsSecurityNotificationAreaControl", "Option": "Write" }, { "CIMType": "String", - "Name": "enablecustomizedtoasts", + "Name": "EnableCustomizedToasts", "Option": "Write" }, { "CIMType": "String", - "Name": "enableinappcustomization", + "Name": "EnableInAppCustomization", "Option": "Write" }, { "CIMType": "String", - "Name": "companyname", + "Name": "CompanyName", "Option": "Write" }, { "CIMType": "String", - "Name": "email", + "Name": "Email", "Option": "Write" }, { "CIMType": "String", - "Name": 
"phone", + "Name": "Phone", "Option": "Write" }, { "CIMType": "String", - "Name": "url", + "Name": "URL", "Option": "Write" }, { "CIMType": "String", - "Name": "allowarchivescanning", + "Name": "AllowArchiveScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "allowbehaviormonitoring", + "Name": "AllowBehaviorMonitoring", "Option": "Write" }, { "CIMType": "String", - "Name": "allowcloudprotection", + "Name": "AllowCloudProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "allowdatagramprocessingonwinserver", + "Name": "AllowDatagramProcessingOnWinServer", "Option": "Write" }, { "CIMType": "String", - "Name": "allowemailscanning", + "Name": "AllowEmailScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "allowfullscanonmappednetworkdrives", + "Name": "AllowFullScanOnMappedNetworkDrives", "Option": "Write" }, { "CIMType": "String", - "Name": "allowfullscanremovabledrivescanning", + "Name": "AllowFullScanRemovableDriveScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "allowintrusionpreventionsystem", + "Name": "AllowIntrusionPreventionSystem", "Option": "Write" }, { "CIMType": "String", - "Name": "allowioavprotection", + "Name": "AllowIOAVProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "allownetworkprotectiondownlevel", + "Name": "AllowNetworkProtectionDownLevel", "Option": "Write" }, { "CIMType": "String", - "Name": "allowrealtimemonitoring", + "Name": "AllowRealtimeMonitoring", "Option": "Write" }, { "CIMType": "String", - "Name": "allowscanningnetworkfiles", + "Name": "AllowScanningNetworkFiles", "Option": "Write" }, { "CIMType": "String", - "Name": "allowscriptscanning", + "Name": "AllowScriptScanning", "Option": "Write" }, { "CIMType": "String", - "Name": "allowuseruiaccess", + "Name": "AllowUserUIAccess", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "avgcpuloadfactor", + "Name": "AvgCPULoadFactor", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "archivemaxdepth", + "Name": 
"ArchiveMaxDepth", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "archivemaxsize", + "Name": "ArchiveMaxSize", "Option": "Write" }, { "CIMType": "String", - "Name": "checkforsignaturesbeforerunningscan", + "Name": "CheckForSignaturesBeforeRunningScan", "Option": "Write" }, { "CIMType": "String", - "Name": "cloudblocklevel", + "Name": "CloudBlockLevel", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "cloudextendedtimeout", + "Name": "CloudExtendedTimeout", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "daystoretaincleanedmalware", + "Name": "DaysToRetainCleanedMalware", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisableCatchupFullScan", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisableCatchupQuickScan", "Option": "Write" }, { "CIMType": "String", - "Name": "disablecatchupfullscan", + "Name": "DisableCoreServiceECSIntegration", "Option": "Write" }, { "CIMType": "String", - "Name": "disablecatchupquickscan", + "Name": "DisableCoreServiceTelemetry", "Option": "Write" }, { "CIMType": "String", - "Name": "disablednsovertcpparsing", + "Name": "DisableDnsOverTcpParsing", "Option": "Write" }, { "CIMType": "String", - "Name": "disablehttpparsing", + "Name": "DisableHttpParsing", "Option": "Write" }, { 
@@ -25240,147 +25370,147 @@ }, { "CIMType": "String", - "Name": "enablelowcpupriority", + "Name": "EnableLowCPUPriority", "Option": "Write" }, { "CIMType": "String", - "Name": "enablenetworkprotection", + "Name": "EnableNetworkProtection", "Option": "Write" }, { "CIMType": "String[]", - "Name": "excludedextensions", + "Name": "ExcludedExtensions", "Option": "Write" }, { "CIMType": "String[]", - "Name": "excludedpaths", + "Name": "ExcludedPaths", "Option": "Write" }, { "CIMType": "String[]", - "Name": "excludedprocesses", + "Name": "ExcludedProcesses", "Option": "Write" }, { "CIMType": "String", - "Name": "puaprotection", + "Name": "PUAProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "engineupdateschannel", + "Name": "EngineUpdatesChannel", "Option": "Write" }, { "CIMType": "String", - "Name": "meteredconnectionupdates", + "Name": "MeteredConnectionUpdates", "Option": "Write" }, { "CIMType": "String", - "Name": "platformupdateschannel", + "Name": "PlatformUpdatesChannel", "Option": "Write" }, { "CIMType": "String", - "Name": "securityintelligenceupdateschannel", + "Name": "SecurityIntelligenceUpdatesChannel", "Option": "Write" }, { "CIMType": "String", - "Name": "realtimescandirection", + "Name": "RealTimeScanDirection", "Option": "Write" }, { "CIMType": "String", - "Name": "scanparameter", + "Name": "ScanParameter", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "schedulequickscantime", + "Name": "ScheduleQuickScanTime", "Option": "Write" }, { "CIMType": "String", - "Name": "schedulescanday", + "Name": "ScheduleScanDay", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "schedulescantime", + "Name": "ScheduleScanTime", "Option": "Write" }, { "CIMType": "String", - "Name": "disabletlsparsing", + "Name": "DisableTlsParsing", "Option": "Write" }, { "CIMType": "String", - "Name": "randomizescheduletasktimes", + "Name": "RandomizeScheduleTaskTimes", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "schedulerrandomizationtime", + "Name": 
"SchedulerRandomizationTime", "Option": "Write" }, { "CIMType": "String[]", - "Name": "signatureupdatefallbackorder", + "Name": "SignatureUpdateFallbackOrder", "Option": "Write" }, { "CIMType": "String[]", - "Name": "signatureupdatefilesharessources", + "Name": "SignatureUpdateFileSharesSources", "Option": "Write" }, { "CIMType": "sInt32", - "Name": "signatureupdateinterval", + "Name": "SignatureUpdateInterval", "Option": "Write" }, { "CIMType": "String", - "Name": "submitsamplesconsent", + "Name": "SubmitSamplesConsent", "Option": "Write" }, { "CIMType": "String", - "Name": "disablelocaladminmerge", + "Name": "DisableLocalAdminMerge", "Option": "Write" }, { "CIMType": "String", - "Name": "allowonaccessprotection", + "Name": "AllowOnAccessProtection", "Option": "Write" }, { "CIMType": "String", - "Name": "lowseveritythreats", + "Name": "LowSeverityThreats", "Option": "Write" }, { "CIMType": "String", - "Name": "moderateseveritythreats", + "Name": "ModerateSeverityThreats", "Option": "Write" }, { "CIMType": "String", - "Name": "severethreats", + "Name": "SevereThreats", "Option": "Write" }, { "CIMType": "String", - "Name": "highseveritythreats", + "Name": "HighSeverityThreats", "Option": "Write" }, { "CIMType": "String", - "Name": "templateId", + "Name": "TemplateId", "Option": "Write" }, { @@ -45423,6 +45553,11 @@ "Name": "authschemes", "Option": "Write" }, + { + "CIMType": "String", + "Name": "AuthSchemes_AuthSchemes", + "Option": "Write" + }, { "CIMType": "String", "Name": "NativeMessagingUserLevelHosts", diff --git a/ResourceGenerator/M365DSCResourceGenerator.psm1 b/ResourceGenerator/M365DSCResourceGenerator.psm1 index 085b2decca..546378e4ee 100644 --- a/ResourceGenerator/M365DSCResourceGenerator.psm1 +++ b/ResourceGenerator/M365DSCResourceGenerator.psm1 
@@ -497,6 +497,7 @@ $($userDefinitionSettings.MOF -join "`r`n") 'Mac O S' = 'for macOS' 'I O S' = 'for iOS' 'A A D' = 'Azure AD' + 'Linux' = 'for Linux' } $resourceDescription = ($ResourceName -split '_')[0] -creplace '(?<=\w)([A-Z])', ' $1' foreach ($platform in $platforms.keys) diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 index 598715487f..77a1ddefe0 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Create.Tests.ps1 @@ -483,18 +483,6 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } - EXOM365DataAtRestEncryptionPolicy 'M365DataAtRestEncryptionPolicy-Riyansh_Policy' - { - AzureKeyIDs = @("https://m365dataatrestencryption.vault.azure.net/keys/EncryptionKey","https://m365datariyansh.vault.azure.net/keys/EncryptionRiyansh"); - Description = "Tenant default policy 1"; - Enabled = $True; - Ensure = "Present"; - Identity = "Riyansh_Policy"; - Name = "Riyansh_Policy"; - ApplicationId = $ApplicationId; - TenantId = $TenantId; - CertificateThumbprint = $CertificateThumbprint; - } EXOMailboxFolderPermission 'EXOMailboxFolderPermission-admin:\Calendar' { ApplicationId = $ApplicationId @@ -622,6 +610,23 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOMigration 'EXOMigration-test' + { + AddUsers = $False; + BadItemLimit = ""; + CompleteAfter = "12/31/9999 11:59:59 PM"; + Ensure = "Present"; + Identity = "test"; + LargeItemLimit = ""; + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org"); + SkipMerging = @(); + Status = "Completed"; + Update = $False; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOMigrationEndpoint 'EXOMigrationEndpoint-testIMAP' { AcceptUntrustedCertificates = $True; 
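Review bot: The new `EXOMigration` block in the -610 hunk sets `NotificationEmails = @("eac_admin@bellred.org")`, a fixed address that is not derived from the test tenant, so an integration run that really creates the batch could send migration status mail to a mailbox outside it. Whether `bellred.org` belongs to the test environment cannot be told from the hunk; if it does not, and `$TenantId` holds the tenant domain, build the address from it, e.g. `NotificationEmails = @("eac_admin@$TenantId");`. `CompleteAfter = "12/31/9999 11:59:59 PM"` is also a culture-dependent date string that may parse differently on a non-en-US agent. The same block is added in the Remove and Update test files further down.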
diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 index e51daed2ea..d25fc939b0 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Remove.Tests.ps1 @@ -359,18 +359,6 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } - EXOM365DataAtRestEncryptionPolicy 'M365DataAtRestEncryptionPolicy-Riyansh_Policy' - { - AzureKeyIDs = @("https://m365dataatrestencryption.vault.azure.net/keys/EncryptionKey","https://m365datariyansh.vault.azure.net/keys/EncryptionRiyansh"); - Description = "Tenant default policy 1"; - Enabled = $True; - Ensure = "Absent"; - Identity = "Riyansh_Policy"; - Name = "Riyansh_Policy"; - ApplicationId = $ApplicationId; - TenantId = $TenantId; - CertificateThumbprint = $CertificateThumbprint; - } EXOMailContact 'TestMailContact' { Alias = 'TestMailContact' @@ -445,6 +433,23 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOMigration 'EXOMigration-test' + { + AddUsers = $False; + BadItemLimit = ""; + CompleteAfter = "12/31/9999 11:59:59 PM"; + Ensure = "Absent"; + Identity = "test"; + LargeItemLimit = ""; + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org"); + SkipMerging = @(); + Status = "Completed"; + Update = $False; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } EXOMigrationEndpoint 'EXOMigrationEndpoint-testIMAP' { AcceptUntrustedCertificates = $True; diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 index cf8e6c6efb..dc71c9229f 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.EXO.Update.Tests.ps1 
@@ -689,18 +689,6 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } - EXOM365DataAtRestEncryptionPolicy 'M365DataAtRestEncryptionPolicy-Riyansh_Policy' - { - AzureKeyIDs = @("https://m365dataatrestencryption.vault.azure.net/keys/EncryptionKey","https://m365datariyansh.vault.azure.net/keys/EncryptionRiyansh"); - Description = "Tenant default policy 2"; # drift - Enabled = $True; - Ensure = "Present"; - Identity = "Riyansh_Policy"; - Name = "Riyansh_Policy"; - ApplicationId = $ApplicationId; - TenantId = $TenantId; - CertificateThumbprint = $CertificateThumbprint; - } EXOMailboxAuditBypassAssociation 'EXOMailboxAuditBypassAssociation-Test' { AuditBypassEnabled = $True; #Updated Property @@ -961,6 +949,23 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + EXOMigration 'EXOMigration-test' + { + AddUsers = $True; #Updated Property + BadItemLimit = ""; + CompleteAfter = "12/31/9999 11:59:59 PM"; + Ensure = "Present"; + Identity = "test"; + LargeItemLimit = ""; + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org"); + SkipMerging = @(); + Status = "Completed"; + Update = $False; + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } EXOMigrationEndpoint 'EXOMigrationEndpoint-testIMAP' { AcceptUntrustedCertificates = $True; diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index 97fbc9a505..a68b840aa5 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 @@ -46,7 +46,7 @@ } ); BackupDirectory = "1"; - PasswordAgeDays_AAD = 10; + passwordagedays_aad = 10; AdministratorAccountName = "Administrator"; PasswordAgeDays = 20; ApplicationId = $ApplicationId; 
@@ -127,6 +127,27 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusExclusionsPolicyMacOS' + { + Assignments = @(); + Description = ""; + DisplayName = "Test"; + Ensure = "Present"; + Exclusions = @( + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_extension = '.dmg' + Exclusions_item_type = '1' + } + MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{ + Exclusions_item_name = 'process1' + Exclusions_item_type = '2' + } + ); + RoleScopeTagIds = @("0"); + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneAntivirusPolicyLinux 'myIntuneAntivirusPolicyLinux' { allowedThreats = @("Threat 1"); diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 index 82499a07f7..be713c3108 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADRoleEligibilityScheduleRequest.Tests.ps1 @@ -55,6 +55,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Mock -CommandName Get-MgBetaRoleManagementDirectoryRoleEligibilitySchedule -MockWith { return @{ Id = '12345-12345-12345-12345-12345' + RoleDefinitionId = "12345" } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOM365DataAtRestEncryptionPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOM365DataAtRestEncryptionPolicy.Tests.ps1 deleted file mode 100644 index 9969ea0126..0000000000 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOM365DataAtRestEncryptionPolicy.Tests.ps1 +++ /dev/null 
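Review bot: The sample `Exclusions` entries in the -127 hunk exclude the `.dmg` extension from antivirus scanning, and configuration samples like this tend to be copied into real tenants. Disk images are a common delivery container on macOS, so a blanket extension exclusion for them is a poor default to show; a neutral value such as `Exclusions_item_extension = '.example'` should exercise the same code path. The bare `Exclusions_item_type = '1'` and `'2'` would also benefit from a trailing comment naming what each type means, since the hunk gives no mapping.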
@@ -1,207 +0,0 @@ -[CmdletBinding()] -param( -) -$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` - -ChildPath '..\..\Unit' ` - -Resolve -$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\Stubs\Microsoft365.psm1' ` - -Resolve) -$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\Stubs\Generic.psm1' ` - -Resolve) -Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` - -ChildPath '\UnitTestHelper.psm1' ` - -Resolve) - -$CurrentScriptPath = $PSCommandPath.Split('\') -$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] -$ResourceName = $CurrentScriptName.Split('.')[1] -$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` - -DscResource $ResourceName -GenericStubModule $GenericStubPath - -Describe -Name $Global:DscHelper.DescribeHeader -Fixture { - InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { - Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope - BeforeAll { - - $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force - $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) - - Mock -CommandName Confirm-M365DSCDependencies -MockWith { - } - - Mock -CommandName New-M365DSCConnection -MockWith { - return "Credentials" - } - - Mock -CommandName Set-M365DataAtRestEncryptionPolicy -MockWith { - return $null - } - - Mock -CommandName New-M365DataAtRestEncryptionPolicy -MockWith { - return $null - } - - # Mock Write-Host to hide output during the tests - Mock -CommandName Write-Host -MockWith { - } - $Script:exportedInstances =$null - $Script:ExportMode = $false - } - # Test contexts - Context -Name "The instance should exist but it DOES NOT" -Fixture { - BeforeAll { - $testParams = @{ - Identity = 'FakeStringValue' - Name = 'FakeStringValue' - Description = 'FakeStringValue' - Enabled = $true - AzureKeyIDs = @('FakeStringValue1', 'FakeStringValue2') - Ensure = 
'Present' - Credential = $Credential; - } - - Mock -CommandName Get-M365DataAtRestEncryptionPolicy -MockWith { - return $null - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' - } - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - - It 'Should create a new instance from the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName New-M365DataAtRestEncryptionPolicy -Exactly 1 - } - } - - Context -Name "The instance exists but it SHOULD NOT" -Fixture { - BeforeAll { - $testParams = @{ - Identity = 'FakeStringValue' - Name = 'FakeStringValue' - Description = 'FakeStringValue' - Enabled = $true - AzureKeyIDs = @('FakeStringValue1', 'FakeStringValue2') - Ensure = 'Absent' - Credential = $Credential; - } - - Mock -CommandName Get-M365DataAtRestEncryptionPolicy -MockWith { - return @{ - Identity = 'FakeStringValue' - Name = 'FakeStringValue' - Description = 'FakeStringValue' - Enabled = $true - AzureKeyIDs = @('FakeStringValue1', 'FakeStringValue2') - } - } - } - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - - It 'Should remove the instance from the Set method' { - Set-TargetResource @testParams - } - } - - Context -Name "The instance exists and values are already in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - Identity = 'FakeStringValue' - Name = 'FakeStringValue' - Description = 'FakeStringValue' - Enabled = $true - AzureKeyIDs = @('FakeStringValue1', 'FakeStringValue2') - Ensure = 'Present' - Credential = $Credential; - } - - Mock -CommandName Get-M365DataAtRestEncryptionPolicy -MockWith { - return @{ - Identity = 'FakeStringValue' - Name = 'FakeStringValue' - Description = 'FakeStringValue' - Enabled = $true - AzureKeyIDs 
= @('FakeStringValue1', 'FakeStringValue2') - } - } - } - - It 'Should return true from the Test method' { - Test-TargetResource @testParams | Should -Be $true - } - } - - Context -Name "The instance exists and values are NOT in the desired state" -Fixture { - BeforeAll { - $testParams = @{ - Identity = 'FakeStringValue' - Name = 'FakeStringValue' - Description = 'FakeStringValue' - Enabled = $true - AzureKeyIDs = @('FakeStringValue1', 'FakeStringValue2') - Ensure = 'Present' - Credential = $Credential; - } - - Mock -CommandName Get-M365DataAtRestEncryptionPolicy -MockWith { - return @{ - Identity = 'FakeStringValue' - Name = 'FakeStringValue' - Description = 'FakeStringValue2' #drift - Enabled = $true - AzureKeyIDs = @('FakeStringValue1', 'FakeStringValue2') - } - } - } - - It 'Should return Values from the Get method' { - (Get-TargetResource @testParams).Ensure | Should -Be 'Present' - } - - It 'Should return false from the Test method' { - Test-TargetResource @testParams | Should -Be $false - } - - It 'Should call the Set method' { - Set-TargetResource @testParams - Should -Invoke -CommandName Set-M365DataAtRestEncryptionPolicy -Exactly 1 - } - } - - Context -Name 'ReverseDSC Tests' -Fixture { - BeforeAll { - $Global:CurrentModeIsExport = $true - $Global:PartialExportFileName = "$(New-Guid).partial.ps1" - $testParams = @{ - Credential = $Credential; - } - - Mock -CommandName Get-M365DataAtRestEncryptionPolicy -MockWith { - return @{ - Identity = 'FakeStringValue' - Name = 'FakeStringValue' - Description = 'FakeStringValue2' #drift - Enabled = $true - AzureKeyIDs = @('FakeStringValue1', 'FakeStringValue2') - } - } - } - It 'Should Reverse Engineer resource from the Export method' { - $result = Export-TargetResource @testParams - $result | Should -Not -BeNullOrEmpty - } - } - } -} - -Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope 
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMigration.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMigration.Tests.ps1 new file mode 100644 index 0000000000..3e7e4c3adb --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.EXOMigration.Tests.ps1 
@@ -0,0 +1,379 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MigrationBatch -MockWith { + } + + Mock -CommandName Set-MigrationBatch -MockWith { + } + + Mock -CommandName New-MigrationBatch -MockWith { + } + + Mock -CommandName Remove-MigrationBatch -MockWith { + } + + Mock -CommandName Stop-MigrationBatch -MockWith { + } + + Mock -CommandName Get-MigrationUser -MockWith { + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + AddUsers = 
$False; + BadItemLimit = "Unlimited"; + CompleteAfter = "07/30/2020 9:00:00 PM"; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MigrationUsers = @("peixintest1@bellred.org","akstest39@bellred.org"); + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @("abc"); + SourceEndpoint = "gmailCalendar"; + StartAfter = "07/30/2020 9:00:00 PM"; + Status = "Completing"; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + + Mock -CommandName Get-MigrationBatch -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MigrationBatch -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT but in progress state" -Fixture { + BeforeAll { + $testParams = @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + CompleteAfter = "07/30/2020 9:00:00 PM"; + Credential = $Credscredential; + Ensure = "Absent"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MigrationUsers = @("peixintest1@bellred.org","akstest39@bellred.org"); + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @("abc"); + SourceEndpoint = "gmailCalendar"; + StartAfter = "07/30/2020 9:00:00 PM"; + Status = "Completing"; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + + Mock -CommandName Get-MigrationBatch -MockWith { + return @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + CompleteAfter = [DateTime]::ParseExact("07/30/2020 9:00:00 PM", "MM/dd/yyyy h:mm:ss tt", $null) + Credential = $Credscredential; + Ensure = 
"Present"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MigrationUsers = @("peixintest1@bellred.org","akstest39@bellred.org"); + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @("abc"); + SourceEndpoint = @{Identity = @{Id = "gmailCalendar"}}; + StartAfter = [DateTime]::ParseExact("07/30/2020 9:00:00 PM", "MM/dd/yyyy h:mm:ss tt", $null) + Status = @{Value = "Completing"}; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + } + Mock -CommandName Get-MigrationUser -MockWith { + return @( + @{ + Identity = "peixintest1@bellred.org" + }, + @{ + Identity = "akstest39@bellred.org" + } + ) + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Stop-MigrationBatch -Exactly 1 + Should -Invoke -CommandName Remove-MigrationBatch -Exactly 1 + } + } + + Context -Name "The instance exists but it SHOULD NOT but in completion state" -Fixture { + BeforeAll { + $testParams = @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + CompleteAfter = "07/30/2020 9:00:00 PM"; + Credential = $Credscredential; + Ensure = "Absent"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MigrationUsers = @("peixintest1@bellred.org","akstest39@bellred.org"); + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @("abc"); + SourceEndpoint = "gmailCalendar"; + StartAfter = "07/30/2020 9:00:00 PM"; + Status = "Completed"; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + + Mock -CommandName Get-MigrationBatch -MockWith { + return @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + CompleteAfter = 
[DateTime]::ParseExact("07/30/2020 9:00:00 PM", "MM/dd/yyyy h:mm:ss tt", $null) + Credential = $Credscredential; + Ensure = "Present"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @("abc"); + SourceEndpoint = @{Identity = @{Id = "gmailCalendar"}}; + StartAfter = [DateTime]::ParseExact("07/30/2020 9:00:00 PM", "MM/dd/yyyy h:mm:ss tt", $null) + Status = @{Value = "Completed"}; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + } + Mock -CommandName Get-MigrationUser -MockWith { + return @( + @{ + Identity = "peixintest1@bellred.org" + }, + @{ + Identity = "akstest39@bellred.org" + } + ) + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MigrationBatch -Exactly 1 + } + } + + Context -Name "The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MigrationUsers = @("peixintest1@bellred.org","akstest39@bellred.org"); + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @("abc"); + SourceEndpoint = "gmailCalendar"; + Status = "Completing"; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + + Mock -CommandName Get-MigrationBatch -MockWith { + return @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; 
+ MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @("abc"); + SourceEndpoint = @{Identity = @{Id = "gmailCalendar"}}; + Status = @{Value = "Completing"}; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + } + + Mock -CommandName Get-MigrationUser -MockWith { + return @( + @{ + Identity = "peixintest1@bellred.org" + }, + @{ + Identity = "akstest39@bellred.org" + } + ) + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams -Verbose | Should -Be $true + } + } + + Context -Name "The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + CompleteAfter = "07/30/2020 9:00:00 PM" + Credential = $Credscredential; + Ensure = "Present"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MigrationUsers = @("peixintest1@bellred.org","akstest39@bellred.org"); + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @("abc"); + SourceEndpoint = "gmailCalendar"; + StartAfter = "07/30/2020 9:00:00 PM" + Status = @{Value = "Completing"}; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + + Mock -CommandName Get-MigrationBatch -MockWith { + return @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + CompleteAfter = [DateTime]::ParseExact("07/30/2020 9:00:00 PM", "MM/dd/yyyy h:mm:ss tt", $null) + Credential = $Credscredential; + Ensure = "Present"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MigrationUsers = @("peixintest1@bellred.org","akstest39@bellred.org"); + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @(); + SourceEndpoint = "gmailCalendar"; + StartAfter = [DateTime]::ParseExact("07/30/2020 9:00:00 PM", "MM/dd/yyyy h:mm:ss tt", $null) + Status = @{Value = "Completing"}; + 
TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Set-MigrationBatch -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MigrationBatch -MockWith { + return @{ + AddUsers = $False; + BadItemLimit = "Unlimited"; + CompleteAfter = "07/30/2020 21:00:00"; + Credential = $Credscredential; + Ensure = "Present"; + Identity = "Arpita"; + LargeItemLimit = "Unlimited"; + MigrationUsers = @("peixintest1@bellred.org","akstest39@bellred.org"); + MoveOptions = @(); + NotificationEmails = @("eac_admin@bellred.org","abc@bellred.org"); + SkipMerging = @(); + SourceEndpoint = "gmailCalendar"; + StartAfter = "07/30/2020 21:00:00"; + Status = @{Value = "Completing"}; + TargetDeliveryDomain = "O365InsightsView.mail.onmicrosoft.com"; + Update = $False; + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusExclusionsPolicyMacOS.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusExclusionsPolicyMacOS.Tests.ps1 new file mode 100644 index 0000000000..2abd4aed6e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAntivirusExclusionsPolicyMacOS.Tests.ps1 
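Review bot: Every `$testParams` block except the ReverseDSC one, and every `Get-MigrationBatch` mock, sets `Credential = $Credscredential;`, but the only credential the outer `BeforeAll` creates is `$Credential`. Unless strict mode is on, the undefined name evaluates to `$null`, so Get/Test/Set run without the credential the test built; change these to `Credential = $Credential;`. Separately, the fixtures carry real-looking mailbox addresses and a tenant domain (`peixintest1@bellred.org`, `O365InsightsView.mail.onmicrosoft.com`); if they were copied from a live tenant, replace them with placeholders such as `user1@contoso.com`. `$PSCommandPath.Split('\')` near the top also assumes a Windows path separator, which `Split-Path -Path $PSCommandPath -Leaf` would avoid.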
@@ -0,0 +1,404 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneAntivirusExclusionsPolicyMacOS" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '43397174-2244-4006-b5ad-421b369e90d4_1' + } + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } 
+ + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = 0 + SettingDefinitions = @( + @{ + Id = 'com.apple.managedclient.preferences_exclusions' + Name = 'exclusions' + OffsetUri = 'exclusions' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + maximumCount = 600 + minimumCount = 0 + childIds = @( + 'com.apple.managedclient.preferences_exclusions_item_$type', + 'com.apple.managedclient.preferences_exclusions_item_extension', + 'com.apple.managedclient.preferences_exclusions_item_name' + ) + } + }, + @{ + Id = 'com.apple.managedclient.preferences_exclusions_item_$type' + Name = 'exclusions_item_$type' + OffsetUri = 'exclusions_item_$type' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + itemId = 'com.apple.managedclient.preferences_exclusions_item_$type_1' + name = 'Path' + dependentOn = @( + @{ + dependentOn = 'com.apple.managedclient.preferences_exclusions' + parentSettingId = 'com.apple.managedclient.preferences_exclusions' + } + ) + } + ) + } + }, + @{ + Id = 'com.apple.managedclient.preferences_exclusions_item_extension' + Name = 'exclusions_item_extension' + OffsetUri = 'exclusions/[{0}]/extension' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'com.apple.managedclient.preferences_exclusions_item_$type_1' + parentSettingId = 'com.apple.managedclient.preferences_exclusions_item_$type' + } + ) + } + }, + @{ + Id = 'com.apple.managedclient.preferences_exclusions_item_name' + Name = 'exclusions_item_name' + OffsetUri = 'exclusions/[{0}]/name' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 
'com.apple.managedclient.preferences_exclusions_item_$type_2' + parentSettingId = 'com.apple.managedclient.preferences_exclusions_item_$type' + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'com.apple.managedclient.preferences_exclusions' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'e2d557ab-357e-4727-978e-0d655facbb23' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + groupSettingCollectionValue = @( + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'com.apple.managedclient.preferences_exclusions_item_$type' + choiceSettingValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'com.apple.managedclient.preferences_exclusions_item_extension' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = '.dmg' + } + } + ) + value = 'com.apple.managedclient.preferences_exclusions_item_$type_1' + } + } + ) + }, + @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'com.apple.managedclient.preferences_exclusions_item_$type' + choiceSettingValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'com.apple.managedclient.preferences_exclusions_item_name' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'Test' + } + } + ) + value = 'com.apple.managedclient.preferences_exclusions_item_$type_2' + } + } + ) + } + ) + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return 
"Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + } + # Test contexts + Context -Name "The IntuneAntivirusExclusionsPolicyMacOS should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Exclusions = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_extension = '.dmg' + Exclusions_item_type = '1' + } -ClientOnly) + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_name = 'Test' + Exclusions_item_type = '2' + } -ClientOnly) + ); + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return 
false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneAntivirusExclusionsPolicyMacOS exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Exclusions = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_extension = '.dmg' + Exclusions_item_type = '1' + } -ClientOnly) + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_name = 'Test' + Exclusions_item_type = '2' + } -ClientOnly) + ); + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Absent" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneAntivirusExclusionsPolicyMacOS Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + 
DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Exclusions = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_extension = '.dmg' + Exclusions_item_type = '1' + } -ClientOnly) + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_name = 'Test' + Exclusions_item_type = '2' + } -ClientOnly) + ); + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneAntivirusExclusionsPolicyMacOS exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Exclusions = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_extension = '.xcode' # Drift + Exclusions_item_type = '1' + } -ClientOnly) + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions -Property @{ + Exclusions_item_name = 'Test' + Exclusions_item_type = '2' + } -ClientOnly) + ); + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + 
(Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index bf64f68f7a..ac7c4b04d9 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 +++ b/Tests/Unit/Stubs/Microsoft365.psm1 
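Review bot: In the "exists but it SHOULD NOT" context the block titled `'Should return true from the Test method'` asserts `Should -Be $false`, so the title contradicts the assertion and a failure report would mislead; rename it to `It 'Should return false from the Test method' {`. The titles `'Should Create the group from the Set method'` and `'Should Remove the group from the Set method'` look copied from a group resource and should say "policy". The drift context only checks that `Update-IntuneDeviceConfigurationPolicy` is invoked once; because this resource manages antivirus scan exclusions, it would be worth also asserting what is passed to that call, so a regression that sends a wider exclusion list than declared does not pass unnoticed.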
@@ -103971,3 +103971,448 @@ function Set-TenantAllowBlockListSpoofItems } #endregion + +#region Microsoft.Graph.Authentication +function Stop-MigrationBatch +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $Partition + ) +} +function Start-MigrationBatch +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $Partition + ) +} +function Set-MigrationBatch +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Byte[]] + $CSVData, + + [Parameter()] + [System.Object] + $ReportInterval, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $MoveOptions, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Update, + + [Parameter()] + [System.Object] + $NotificationEmails, + + [Parameter()] + [System.Boolean] + $SkipReports, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ApproveSkippedItems, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $SyncNow, + + [Parameter()] + [System.Object] + $SkipMerging, + + [Parameter()] + [System.Object] + $SkipMoving, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $AddUsers, + + [Parameter()] + [System.Object] + $CompleteAfter, + + [Parameter()] + [System.Object] + $Partition, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $BadItemLimit, + + [Parameter()] + [System.Boolean] + $AllowUnknownColumnsInCSV, + + [Parameter()] + [System.Object] + $StartAfter, + + [Parameter()] + [System.Object] + $LargeItemLimit + ) +} +function New-MigrationBatch +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $Partition, + + [Parameter()] + 
[System.Management.Automation.SwitchParameter] + $SkipRules, + + [Parameter()] + [System.Object] + $TargetDatabases, + + [Parameter()] + [System.Byte[]] + $CSVData, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $SkipDelegates, + + [Parameter()] + [System.Object] + $Users, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $SkipMail, + + [Parameter()] + [System.Globalization.CultureInfo] + $ContentFilterLanguage, + + [Parameter()] + [System.Object] + $TimeZone, + + [Parameter()] + [System.Object] + $NotificationEmails, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $SkipCalendar, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $AutoStart, + + [Parameter()] + [System.Boolean] + $AllowUnknownColumnsInCSV, + + [Parameter()] + [System.Object] + $MoveOptions, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $AdoptPreexisting, + + [Parameter()] + [System.Object] + $TargetEndpoint, + + [Parameter()] + [System.Object] + $SkipMoving, + + [Parameter()] + [System.Object] + $StartAfter, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $RemoveOnCopy, + + [Parameter()] + [System.Byte[]] + $XMLData, + + [Parameter()] + [System.Object] + $UserIds, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PublicFolderToUnifiedGroup, + + [Parameter()] + [System.Object] + $ReportInterval, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $AutoProvisioning, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $DisableOnCopy, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ArchiveOnly, + + [Parameter()] + [System.Object] + $SkipMerging, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $MigrateTasks, + + [Parameter()] + [System.Object] + $CompleteAfter, + + [Parameter()] + [System.Object] + $ExcludeFolders, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + 
$GoogleResource, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Analyze, + + [Parameter()] + [System.Guid] + $SourcePFPrimaryMailboxGuid, + + [Parameter()] + [System.Object] + $TargetDeliveryDomain, + + [Parameter()] + [System.String] + $ArchiveDomain, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PrimaryOnly, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $SkipProvisioning, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $SimplifiedSwitchOver, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Restore, + + [Parameter()] + [System.Object] + $IncludeFolders, + + [Parameter()] + [System.String] + $ContentFilter, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ManagedGmailTeams, + + [Parameter()] + [System.String] + $WorkflowTemplate, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $SourceEndpoint, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $AvoidMergeOverlap, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $SkipReports, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $SkipContacts, + + [Parameter()] + [System.Object] + $BadItemLimit, + + [Parameter()] + [System.Object] + $TargetArchiveDatabases, + + [Parameter()] + [System.Object] + $WorkflowControlFlags, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $AutoComplete, + + [Parameter()] + [System.Object] + $LargeItemLimit, + + [Parameter()] + [System.String] + $Name, + + [Parameter()] + [System.Object] + $ForwardingDisposition, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ExcludeDumpsters, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $RenamePrimaryCalendar + ) +} +function Get-MigrationBatch +{ + [CmdletBinding()] + param( + [Parameter()] + [System.String] + $DiagnosticInfo, + + 
[Parameter()] + [System.Management.Automation.SwitchParameter] + $IncludeReport, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $Partition, + + [Parameter()] + [System.Object] + $ResultSize, + + [Parameter()] + [System.Object] + $Status, + + [Parameter()] + [System.Object] + $Endpoint + ) +} +function Remove-MigrationBatch +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $Partition + ) +} +#endregion + +#region Microsoft.Graph.Authentication +function Get-MigrationUser +{ + [CmdletBinding()] + param( + [Parameter()] + [System.Object] + $EmailAddress, + + [Parameter()] + [System.Object] + $MailboxGuid, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IncludeAssociatedUsers, + + [Parameter()] + [System.Object] + $Identity, + + [Parameter()] + [System.Object] + $BatchId, + + [Parameter()] + [System.Object] + $Partition, + + [Parameter()] + [System.Object] + $ResultSize, + + [Parameter()] + [System.Object] + $Status, + + [Parameter()] + [System.Object] + $StatusSummary + ) +} +#endregion diff --git a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md index 6906b3619d..90b5dd515f 100644 --- a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md +++ b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md 
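Review bot: Both new regions are labelled `#region Microsoft.Graph.Authentication`, yet the stubs inside (`Stop-MigrationBatch`, `Set-MigrationBatch`, `New-MigrationBatch`, `Get-MigrationUser`, …) are Exchange Online migration cmdlets, not Graph authentication ones. If the regions in this file name the source module, as the label suggests, use `#region ExchangeOnlineManagement` and merge the two regions so the stubs sit where maintainers will look for them. The rest of the stub file lies outside this hunk, so the existing naming convention should be checked before renaming.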
@@ -53,7 +53,7 @@
 | **AuthenticationStrength** | Write | String | Name of the associated authentication strength policy. | |
 | **TransferMethods** | Write | String | Names of the associated authentication flow transfer methods. Possible values are '', 'deviceCodeFlow', 'authenticationTransfer', or 'deviceCodeFlow,authenticationTransfer'. | |
 | **AuthenticationContexts** | Write | StringArray[] | Authentication context class references. | |
-| **InsiderRiskLevels** | Write | String | Insider risk levels conditions. | |
+| **InsiderRiskLevels** | Write | String | Insider risk levels conditions. | `minor`, `moderate`, `elevated`, `unknownFutureValue` |
 | **Ensure** | Write | String | Specify if the Azure AD CA Policy should exist or not. | `Present`, `Absent` |
 | **Credential** | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | |
 | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
diff --git a/docs/docs/resources/exchange/EXOMigration.md b/docs/docs/resources/exchange/EXOMigration.md
new file mode 100644
index 0000000000..4eb00e13eb
--- /dev/null
+++ b/docs/docs/resources/exchange/EXOMigration.md
@@ -0,0 +1,188 @@
+# EXOMigration
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Identity** | Key | String | The Identity parameter identifies the name of the current migration batch. | |
+| **NotificationEmails** | Write | StringArray[] | The NotificationEmails parameter specifies one or more email addresses that migration status reports are sent to. | |
+| **CompleteAfter** | Write | String | The CompleteAfter parameter specifies a delay before the batch is completed. | |
+| **AddUsers** | Write | Boolean | The AddUsers parameter controls whether additional users can be dynamically added to an existing migration batch after it has been created. | |
+| **BadItemLimit** | Write | String | The BadItemLimit parameter specifies the maximum number of bad items that are allowed before the migration request fails. | |
+| **LargeItemLimit** | Write | String | The LargeItemLimit parameter specifies the maximum number of large items that are allowed before the migration request fails. | |
+| **MoveOptions** | Write | StringArray[] | The MoveOptions parameter specifies the stages of the migration that you want to skip for debugging purposes. | |
+| **SkipMerging** | Write | StringArray[] | The SkipMerging parameter specifies the stages of the migration that you want to skip for debugging purposes. | |
+| **StartAfter** | Write | String | The StartAfter parameter specifies a delay before the data migration for the users within the batch is started. | |
+| **Update** | Write | Boolean | The Update switch sets the Update flag on the migration batch. | |
+| **Status** | Write | String | The Status parameter returns information about migration users that have the specified status state. | |
+| **MigrationUsers** | Write | StringArray[] | Migration Users states the list of the users/mailboxes that are part of a migration batch that are to be migrated. | |
+| **SourceEndpoint** | Write | String | The SourceEndpoint parameter specifies the migration endpoint to use for the source of the migration batch. | |
+| **TargetDeliveryDomain** | Write | String | The TargetDeliveryDomain parameter specifies the FQDN of the external email address created in the source forest for the mail-enabled user when the migration batch is complete. | |
+| **Ensure** | Write | String | Specifies if the migration endpoint should exist or not. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the workload's Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+# EXOMigrationBatch
+
+## Description
+
+Use the MigrationBatch cmdlets to create and update a migration request for a batch of users.
+
+## Permissions
+
+### Exchange
+
+To authenticate with Microsoft Exchange, this resource required the following permissions:
+
+#### Roles
+
+- User Options, Data Loss Prevention, Transport Rules, View-Only Configuration, Mail Recipients
+
+#### Role Groups
+
+- Organization Management
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOMigration "EXOMigration-test"
+ {
+ AddUsers = $False;
+ BadItemLimit = "";
+ CompleteAfter = "12/31/9999 11:59:59 PM";
+ Ensure = "Present";
+ Identity = "test";
+ LargeItemLimit = "";
+ MoveOptions = @();
+ NotificationEmails = @("eac_admin@bellred.org");
+ SkipMerging = @();
+ Status = "Completed";
+ Update = $False;
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOMigration "EXOMigration-test"
+ {
+ AddUsers = $True; #Updated Property
+ BadItemLimit = "";
+ CompleteAfter = "12/31/9999 11:59:59 PM";
+ Ensure = "Present";
+ Identity = "test";
+ LargeItemLimit = "";
+ MoveOptions = @();
+ NotificationEmails = @("eac_admin@bellred.org");
+ SkipMerging = @();
+ Status = "Completed";
+ Update = $False;
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ EXOMigration "EXOMigration-test"
+ {
+ AddUsers = $False;
+ BadItemLimit = "";
+ CompleteAfter = "12/31/9999 11:59:59 PM";
+ Ensure = "Absent";
+ Identity = "test";
+ LargeItemLimit = "";
+ MoveOptions = @();
+ NotificationEmails = @("eac_admin@bellred.org");
+ SkipMerging = @();
+ Status = "Completed";
+ Update = $False;
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ CertificateThumbprint = $CertificateThumbprint
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md
index 7f39e3c94a..432220a768 100644
--- a/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md
+++ b/docs/docs/resources/intune/IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicy.md
@@ -9,7 +9,7 @@
 | **Description** | Write | String | Description of the account protection local administrator password solution policy. | |
 | **Assignments** | Write | MSFT_IntuneAccountProtectionLocalAdministratorPasswordSolutionPolicyAssignments[] | Assignments of the account protection local administrator password solution policy. | |
 | **BackupDirectory** | Write | UInt32 | Configures which directory the local admin account password is backed up to. 0 - Disabled, 1 - Azure AD, 2 - AD | `0`, `1`, `2` |
-| **PasswordAgeDays_AAD** | Write | UInt32 | Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365 | |
+| **passwordagedays_aad** | Write | UInt32 | Configures the maximum password age of the managed local administrator account for Azure AD. Minimum - 7, Maximum - 365 | |
 | **PasswordAgeDays** | Write | UInt32 | Configures the maximum password age of the managed local administrator account for Active Directory. Minimum - 1, Maximum - 365 | |
 | **PasswordExpirationProtectionEnabled** | Write | Boolean | Configures additional enforcement of maximum password age for the managed local administrator account. | |
 | **AdEncryptedPasswordHistorySize** | Write | UInt32 | Configures how many previous encrypted passwords will be remembered in Active Directory. Minimum - 0, Maximum - 12 | |
@@ -112,7 +112,7 @@ Configuration Example
 }
 );
 BackupDirectory = "1";
- PasswordAgeDays_AAD = 10;
+ passwordagedays_aad = 10;
 AdministratorAccountName = "Administrator";
 PasswordAgeDays = 20;
 ApplicationId = $ApplicationId;
@@ -160,7 +160,7 @@ Configuration Example
 }
 );
 BackupDirectory = "1";
- PasswordAgeDays_AAD = 15; # Updated Property
+ passwordagedays_aad = 15; # Updated Property
 AdministratorAccountName = "Administrator";
 PasswordAgeDays = 20;
 ApplicationId = $ApplicationId;
diff --git a/docs/docs/resources/intune/IntuneAntivirusExclusionsPolicyMacOS.md b/docs/docs/resources/intune/IntuneAntivirusExclusionsPolicyMacOS.md
new file mode 100644
index 0000000000..9667f39dcc
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneAntivirusExclusionsPolicyMacOS.md
@@ -0,0 +1,216 @@
+# IntuneAntivirusExclusionsPolicyMacOS
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Description** | Write | String | Policy description | |
+| **DisplayName** | Key | String | Policy name | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | |
+| **Id** | Write | String | The unique identifier for an entity. Read-only. | |
+| **Exclusions** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogexclusions[] | Scan exclusions | |
+| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_DeviceManagementConfigurationPolicyAssignments
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | |
+| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | |
+
+### MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **exclusions_item_type** | Write | String | Type - Depends on exclusions (0: Path, 1: File extension, 2: Process name) | `0`, `1`, `2` |
+| **exclusions_item_extension** | Write | String | File extension - Depends on exclusions_item_type=1 | |
+| **exclusions_item_name** | Write | String | File name - exclusions_item_type=2 | |
+| **exclusions_item_path** | Write | String | Path - exclusions_item_type=0 | |
+| **exclusions_item_isDirectory** | Write | String | Is directory (false: Disabled, true: Enabled) - Depends on exclusions_item_type=0 | `false`, `true` |
+
+
+## Description
+
+Intune Antivirus Exclusions Policy for macOS
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All, Group.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All, Group.Read.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All, Group.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All, Group.Read.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusExclusionsPolicyMacOS'
+ {
+ Assignments = @();
+ Description = "";
+ DisplayName = "Test";
+ Ensure = "Present";
+ Exclusions = @(
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_extension = '.dmg'
+ Exclusions_item_type = '1'
+ }
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_name = 'process1'
+ Exclusions_item_type = '2'
+ }
+ );
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusExclusionsPolicyMacOS'
+ {
+ Assignments = @();
+ Description = "";
+ DisplayName = "Test";
+ Ensure = "Present";
+ Exclusions = @(
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_extension = '.xcode' # Updated property
+ Exclusions_item_type = '1'
+ }
+ MSFT_MicrosoftGraphIntuneSettingsCatalogExclusions{
+ Exclusions_item_name = 'process1'
+ Exclusions_item_type = '2'
+ }
+ );
+ RoleScopeTagIds = @("0");
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneAntivirusExclusionsPolicyMacOS 'myIntuneAntivirusPolicyMacOS'
+ {
+ DisplayName = 'test'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneAntivirusPolicyLinux.md b/docs/docs/resources/intune/IntuneAntivirusPolicyLinux.md
index 390afdcdb4..c551920908 100644
--- a/docs/docs/resources/intune/IntuneAntivirusPolicyLinux.md
+++ b/docs/docs/resources/intune/IntuneAntivirusPolicyLinux.md
@@ -79,7 +79,7 @@ ## Description -Intune Antivirus Policy Linux +Intune Antivirus Policy for Linux ## Permissions diff --git a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md index 83653bc0e8..afe2de1dda 100644 --- a/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md +++ b/docs/docs/resources/intune/IntuneAntivirusPolicyWindows10SettingCatalog.md 
@@ -7,80 +7,82 @@ | **DisplayName** | Key | String | Display name of the endpoint protection policy for Windows 10. | | | **Identity** | Write | String | Identity of the endpoint protection policy for Windows 10. | | | **Description** | Write | String | Description of the endpoint protection policy for Windows 10. | | -| **tamperprotection** | Write | String | Allows or disallows scanning of archives. (0: enable feature. 1: disable feature) | `0`, `1` | -| **disableaccountprotectionui** | Write | String | Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | -| **disableappbrowserui** | Write | String | Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | -| **disablecleartpmbutton** | Write | String | Disable the Clear TPM button in Windows Security. (0: disable feature. 1: enable feature) | `0`, `1` | -| **disabledevicesecurityui** | Write | String | Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | -| **disablefamilyui** | Write | String | Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | -| **disablehealthui** | Write | String | Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | -| **disablenetworkui** | Write | String | Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. (0: disable feature. 
1: enable feature) | `0`, `1` | -| **disableenhancednotifications** | Write | String | Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. (0: disable feature. 1: enable feature) | `0`, `1` | -| **disabletpmfirmwareupdatewarning** | Write | String | Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. (0: disable feature. 1: enable feature) | `0`, `1` | -| **disablevirusui** | Write | String | Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | -| **hideransomwaredatarecovery** | Write | String | Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | -| **hidewindowssecuritynotificationareacontrol** | Write | String | This policy setting hides the Windows Security notification area control. (0: disable feature. 1: enable feature) | `0`, `1` | -| **enablecustomizedtoasts** | Write | String | Enable this policy to display your company name and contact options in the notifications. (0: disable feature. 1: enable feature) | `0`, `1` | -| **enableinappcustomization** | Write | String | Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | -| **companyname** | Write | String | The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. | | -| **email** | Write | String | The email address that is displayed to users. The default mail application is used to initiate email actions. | | -| **phone** | Write | String | The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. 
| | -| **url** | Write | String | The help portal URL that is displayed to users. The default browser is used to initiate this action. | | -| **allowarchivescanning** | Write | String | Allows or disallows scanning of archives. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowbehaviormonitoring** | Write | String | Allows or disallows Windows Defender Behavior Monitoring functionality. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowcloudprotection** | Write | String | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowdatagramprocessingonwinserver** | Write | String | Allows or disallows Network Protection to enable datagram processing on Windows Server. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowemailscanning** | Write | String | Allows or disallows scanning of email. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowfullscanonmappednetworkdrives** | Write | String | Allows or disallows a full scan of mapped network drives. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowfullscanremovabledrivescanning** | Write | String | Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowintrusionpreventionsystem** | Write | String | https://github.com/MicrosoftDocs/memdocs/issues/2250 (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowioavprotection** | Write | String | Allows or disallows Windows Defender IOAVP Protection functionality. (0: disable feature. 
1: enable feature) | `0`, `1` | -| **allownetworkprotectiondownlevel** | Write | String | Allows or disallows Network Protection to be configured into block or audit mode on windows downlevel of RS3. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowrealtimemonitoring** | Write | String | Allows or disallows Windows Defender real-time Monitoring functionality. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowscanningnetworkfiles** | Write | String | Allows or disallows a scanning of network files. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowscriptscanning** | Write | String | Allows or disallows Windows Defender Script Scanning functionality. (0: disable feature. 1: enable feature) | `0`, `1` | -| **allowuseruiaccess** | Write | String | Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed. (0: Prevents users from accessing UI. 1: Lets users access UI) | `0`, `1` | -| **avgcpuloadfactor** | Write | SInt32 | Represents the average CPU load factor for the Windows Defender scan (in percent). | | -| **archivemaxdepth** | Write | SInt32 | Specify the maximum folder depth to extract from archive files for scanning. | | -| **archivemaxsize** | Write | SInt32 | Specify the maximum size, in KB, of archive files to be extracted and scanned. | | -| **checkforsignaturesbeforerunningscan** | Write | String | This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. (0: disable feature. 1: enable feature) | `0`, `1` | -| **cloudblocklevel** | Write | String | This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. 
Value type is integer.(0: Default windows defender blocking level, 2: High blocking level, 4:High+ blocking level, 6:Zero tolerance blocking level) | `0`, `2`, `4`, `6` | -| **cloudextendedtimeout** | Write | SInt32 | This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. | | -| **daystoretaincleanedmalware** | Write | SInt32 | Time period (in days) that quarantine items will be stored on the system. | | -| **disablecatchupfullscan** | Write | String | This policy setting allows you to configure catch-up scans for scheduled full scans. (1: disabled, 0: enabled) | `0`, `1` | -| **disablecatchupquickscan** | Write | String | This policy setting allows you to configure catch-up scans for scheduled quick scans. (1: disabled, 0: enabled) | `0`, `1` | -| **disablednsovertcpparsing** | Write | String | Disables or enables DNS over TCP Parsing for Network Protection. (0: enable feature. 1: disable feature) | `0`, `1` | -| **disablehttpparsing** | Write | String | Disables or enables HTTP Parsing for Network Protection. (0: enable feature. 1: disable feature) | `0`, `1` | +| **TamperProtection** | Write | String | Allows or disallows scanning of archives. (0: enable feature. 1: disable feature) | `0`, `1` | +| **DisableAccountProtectionUI** | Write | String | Use this policy setting to specify if to display the Account protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | +| **DisableAppBrowserUI** | Write | String | Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | +| **DisableClearTpmButton** | Write | String | Disable the Clear TPM button in Windows Security. (0: disable feature. 
1: enable feature) | `0`, `1` | +| **DisableDeviceSecurityUI** | Write | String | Use this policy setting if you want to disable the display of the Device security area in the Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | +| **DisableFamilyUI** | Write | String | Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | +| **DisableHealthUI** | Write | String | Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | +| **DisableNetworkUI** | Write | String | Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | +| **DisableEnhancedNotifications** | Write | String | Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. (0: disable feature. 1: enable feature) | `0`, `1` | +| **DisableTpmFirmwareUpdateWarning** | Write | String | Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. (0: disable feature. 1: enable feature) | `0`, `1` | +| **DisableVirusUI** | Write | String | Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | +| **HideRansomwareDataRecovery** | Write | String | Use this policy setting to hide the Ransomware data recovery area in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` | +| **HideWindowsSecurityNotificationAreaControl** | Write | String | This policy setting hides the Windows Security notification area control. (0: disable feature. 
1: enable feature) | `0`, `1` |
+| **EnableCustomizedToasts** | Write | String | Enable this policy to display your company name and contact options in the notifications. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **EnableInAppCustomization** | Write | String | Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **CompanyName** | Write | String | The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. | |
+| **Email** | Write | String | The email address that is displayed to users. The default mail application is used to initiate email actions. | |
+| **Phone** | Write | String | The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. | |
+| **URL** | Write | String | The help portal URL that is displayed to users. The default browser is used to initiate this action. | |
+| **AllowArchiveScanning** | Write | String | Allows or disallows scanning of archives. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowBehaviorMonitoring** | Write | String | Allows or disallows Windows Defender Behavior Monitoring functionality. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowCloudProtection** | Write | String | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowDatagramProcessingOnWinServer** | Write | String | Allows or disallows Network Protection to enable datagram processing on Windows Server. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowEmailScanning** | Write | String | Allows or disallows scanning of email. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowFullScanOnMappedNetworkDrives** | Write | String | Allows or disallows a full scan of mapped network drives. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowFullScanRemovableDriveScanning** | Write | String | Allows or disallows a full scan of removable drives. During a quick scan, removable drives may still be scanned. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowIntrusionPreventionSystem** | Write | String | https://github.com/MicrosoftDocs/memdocs/issues/2250 (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowIOAVProtection** | Write | String | Allows or disallows Windows Defender IOAVP Protection functionality. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowNetworkProtectionDownLevel** | Write | String | Allows or disallows Network Protection to be configured into block or audit mode on windows downlevel of RS3. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowRealtimeMonitoring** | Write | String | Allows or disallows Windows Defender real-time Monitoring functionality. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowScanningNetworkFiles** | Write | String | Allows or disallows a scanning of network files. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowScriptScanning** | Write | String | Allows or disallows Windows Defender Script Scanning functionality. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **AllowUserUIAccess** | Write | String | Allows or disallows user access to the Windows Defender UI. I disallowed, all Windows Defender notifications will also be suppressed. (0: Prevents users from accessing UI. 1: Lets users access UI) | `0`, `1` |
+| **AvgCPULoadFactor** | Write | SInt32 | Represents the average CPU load factor for the Windows Defender scan (in percent). | |
+| **ArchiveMaxDepth** | Write | SInt32 | Specify the maximum folder depth to extract from archive files for scanning. | |
+| **ArchiveMaxSize** | Write | SInt32 | Specify the maximum size, in KB, of archive files to be extracted and scanned. | |
+| **CheckForSignaturesBeforeRunningScan** | Write | String | This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **CloudBlockLevel** | Write | String | This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.(0: Default windows defender blocking level, 2: High blocking level, 4:High+ blocking level, 6:Zero tolerance blocking level) | `0`, `2`, `4`, `6` |
+| **CloudExtendedTimeout** | Write | SInt32 | This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50. | |
+| **DaysToRetainCleanedMalware** | Write | SInt32 | Time period (in days) that quarantine items will be stored on the system. | |
+| **DisableCatchupFullScan** | Write | String | This policy setting allows you to configure catch-up scans for scheduled full scans. (1: disabled, 0: enabled) | `0`, `1` |
+| **DisableCatchupQuickScan** | Write | String | This policy setting allows you to configure catch-up scans for scheduled quick scans. (1: disabled, 0: enabled) | `0`, `1` |
+| **DisableCoreServiceECSIntegration** | Write | String | Disable Core Service ECS Integration. (0: disabled, 1: enabled) | `0`, `1` |
+| **DisableCoreServiceTelemetry** | Write | String | Disable Core Service Telemetry. (1: disabled, 0: enabled) | `0`, `1` |
+| **DisableDnsOverTcpParsing** | Write | String | Disables or enables DNS over TCP Parsing for Network Protection. (0: enable feature. 1: disable feature) | `0`, `1` |
+| **DisableHttpParsing** | Write | String | Disables or enables HTTP Parsing for Network Protection. (0: enable feature. 1: disable feature) | `0`, `1` |
 | **DisableSshParsing** | Write | String | Disable Ssh Parsing (1: SSH parsing is disabled, 0: SSH parsing is enabled) | `1`, `0` |
-| **enablelowcpupriority** | Write | String | This policy setting allows you to enable or disable low CPU priority for scheduled scans. (0: disable feature. 1: enable feature) | `0`, `1` |
-| **enablenetworkprotection** | Write | String | This policy allows you to turn on network protection (block/audit) or off. (0: disabled, 1: block mode, 2: audit mode) | `0`, `1`, `2` |
-| **excludedextensions** | Write | StringArray[] | Allows an administrator to specify a list of file type extensions to ignore during a scan. | |
-| **excludedpaths** | Write | StringArray[] | Allows an administrator to specify a list of directory paths to ignore during a scan. | |
-| **excludedprocesses** | Write | StringArray[] | Allows an administrator to specify a list of files opened by processes to ignore during a scan. | |
-| **puaprotection** | Write | String | Specifies the level of detection for potentially unwanted applications (PUAs). (0: disabled, 1: block mode, 2: audit mode) | `0`, `1`, `2` |
-| **engineupdateschannel** | Write | String | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. (0: Not configured, 2: Beta Channel, 3: Current Channel (Preview), 4: Current Channel (Staged), 5: Current Channel (Broad), 6: Critical) | `0`, `2`, `3`, `4`, `5`, `6` |
-| **meteredconnectionupdates** | Write | String | Allow managed devices to update through metered connections. (0: disabled, 1: enabled) | |
-| **platformupdateschannel** | Write | String | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. (0: Not configured, 2: Beta Channel, 3: Current Channel (Preview), 4: Current Channel (Staged), 5: Current Channel (Broad), 6: Critical) | `0`, `2`, `3`, `4`, `5`, `6` |
-| **securityintelligenceupdateschannel** | Write | String | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. (0: Not configured, 4: Current Channel (Staged), 5: Current Channel (Broad)) | `0`, `4`, `5` |
-| **realtimescandirection** | Write | String | Controls which sets of files should be monitored. (0: Monitor all files (bi-directional), 1: Monitor incoming files, 2: Monitor outgoing files) | `0`, `1`, `2` |
-| **scanparameter** | Write | String | Selects whether to perform a quick scan or full scan. (1: Quick scan, 2: Full scan) | `1`, `2` |
-| **schedulequickscantime** | Write | SInt32 | Selects the time of day that the Windows Defender quick scan should run. | |
-| **schedulescanday** | Write | String | Selects the day that the Windows Defender scan should run. (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan) | `0`, `1`, `2`, `3`, `4`, `5`, `6`, `7`, `8` |
-| **schedulescantime** | Write | SInt32 | Selects the time of day that the Windows Defender scan should run. Must be between 0 and 1380 minutes. | |
-| **disabletlsparsing** | Write | String | This setting disables TLS Parsing for Network Protection. (0: enabled, 1: disabled) | `0`, `1` |
-| **randomizescheduletasktimes** | Write | String | Specifies if the start time of the scan is randomized. (0: no randomization, 1: randomized) | `0`, `1` |
-| **schedulerrandomizationtime** | Write | SInt32 | This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. | |
-| **signatureupdatefallbackorder** | Write | StringArray[] | This policy setting allows you to define the order in which different definition update sources should be contacted. | |
-| **signatureupdatefilesharessources** | Write | StringArray[] | This policy setting allows you to configure UNC file share sources for downloading definition updates. | |
-| **signatureupdateinterval** | Write | SInt32 | Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. Must be between 0 and 24 hours. | |
-| **submitsamplesconsent** | Write | String | Checks for the user consent level in Windows Defender to send data. (0: Always prompt, 1: Send safe samples automatically, 2: Never send, 3: Send all samples automatically) | `0`, `1`, `2`, `3` |
-| **disablelocaladminmerge** | Write | String | This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. (0: enable local admin merge, 1: disable local admin merge) | `0`, `1` |
-| **allowonaccessprotection** | Write | String | Allows or disallows Windows Defender On Access Protection functionality. (0: disable feature. 1: enable feature) | `0`, `1` |
-| **lowseveritythreats** | Write | String | Allows an administrator to specify low severity threats corresponding action ID to take. | `clean`, `quarantine`, `remove`, `allow`, `userdefined`, `block` |
-| **moderateseveritythreats** | Write | String | Allows an administrator to specify moderate severity threats corresponding action ID to take. | `clean`, `quarantine`, `remove`, `allow`, `userdefined`, `block` |
-| **severethreats** | Write | String | Allows an administrator to specify high severity threats corresponding action ID to take. | `clean`, `quarantine`, `remove`, `allow`, `userdefined`, `block` |
-| **highseveritythreats** | Write | String | Allows an administrator to specify severe threats corresponding action ID to take. | `clean`, `quarantine`, `remove`, `allow`, `userdefined`, `block` |
-| **templateId** | Write | String | Template Id of the policy. 0: Windows Security Experience, 1: Defender Update controls, 2: Microsoft Defender Antivirus exclusions, 3: Microsoft Defender Antivirus | `d948ff9b-99cb-4ee0-8012-1fbc09685377_1`, `e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1`, `45fea5e9-280d-4da1-9792-fb5736da0ca9_1`, `804339ad-1553-4478-a742-138fb5807418_1` |
+| **EnableLowCPUPriority** | Write | String | This policy setting allows you to enable or disable low CPU priority for scheduled scans. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **EnableNetworkProtection** | Write | String | This policy allows you to turn on network protection (block/audit) or off. (0: disabled, 1: block mode, 2: audit mode) | `0`, `1`, `2` |
+| **ExcludedExtensions** | Write | StringArray[] | Allows an administrator to specify a list of file type extensions to ignore during a scan. | |
+| **ExcludedPaths** | Write | StringArray[] | Allows an administrator to specify a list of directory paths to ignore during a scan. | |
+| **ExcludedProcesses** | Write | StringArray[] | Allows an administrator to specify a list of files opened by processes to ignore during a scan. | |
+| **PUAProtection** | Write | String | Specifies the level of detection for potentially unwanted applications (PUAs). (0: disabled, 1: block mode, 2: audit mode) | `0`, `1`, `2` |
+| **EngineUpdatesChannel** | Write | String | Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. (0: Not configured, 2: Beta Channel, 3: Current Channel (Preview), 4: Current Channel (Staged), 5: Current Channel (Broad), 6: Critical) | `0`, `2`, `3`, `4`, `5`, `6` |
+| **MeteredConnectionUpdates** | Write | String | Allow managed devices to update through metered connections. (0: disabled, 1: enabled) | |
+| **PlatformUpdatesChannel** | Write | String | Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. (0: Not configured, 2: Beta Channel, 3: Current Channel (Preview), 4: Current Channel (Staged), 5: Current Channel (Broad), 6: Critical) | `0`, `2`, `3`, `4`, `5`, `6` |
+| **SecurityIntelligenceUpdatesChannel** | Write | String | Enable this policy to specify when devices receive Microsoft Defender security intelligence updates during the daily gradual rollout. (0: Not configured, 4: Current Channel (Staged), 5: Current Channel (Broad)) | `0`, `4`, `5` |
+| **RealTimeScanDirection** | Write | String | Controls which sets of files should be monitored. (0: Monitor all files (bi-directional), 1: Monitor incoming files, 2: Monitor outgoing files) | `0`, `1`, `2` |
+| **ScanParameter** | Write | String | Selects whether to perform a quick scan or full scan. (1: Quick scan, 2: Full scan) | `1`, `2` |
+| **ScheduleQuickScanTime** | Write | SInt32 | Selects the time of day that the Windows Defender quick scan should run. | |
+| **ScheduleScanDay** | Write | String | Selects the day that the Windows Defender scan should run. (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan) | `0`, `1`, `2`, `3`, `4`, `5`, `6`, `7`, `8` |
+| **ScheduleScanTime** | Write | SInt32 | Selects the time of day that the Windows Defender scan should run. Must be between 0 and 1380 minutes. | |
+| **DisableTlsParsing** | Write | String | This setting disables TLS Parsing for Network Protection. (0: enabled, 1: disabled) | `0`, `1` |
+| **RandomizeScheduleTaskTimes** | Write | String | Specifies if the start time of the scan is randomized. (0: no randomization, 1: randomized) | `0`, `1` |
+| **SchedulerRandomizationTime** | Write | SInt32 | This setting allows you to configure the scheduler randomization in hours. The randomization interval is [1 - 23] hours. | |
+| **SignatureUpdateFallbackOrder** | Write | StringArray[] | This policy setting allows you to define the order in which different definition update sources should be contacted. | |
+| **SignatureUpdateFileSharesSources** | Write | StringArray[] | This policy setting allows you to configure UNC file share sources for downloading definition updates. | |
+| **SignatureUpdateInterval** | Write | SInt32 | Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. Must be between 0 and 24 hours. | |
+| **SubmitSamplesConsent** | Write | String | Checks for the user consent level in Windows Defender to send data. (0: Always prompt, 1: Send safe samples automatically, 2: Never send, 3: Send all samples automatically) | `0`, `1`, `2`, `3` |
+| **DisableLocalAdminMerge** | Write | String | This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. (0: enable local admin merge, 1: disable local admin merge) | `0`, `1` |
+| **AllowOnAccessProtection** | Write | String | Allows or disallows Windows Defender On Access Protection functionality. (0: disable feature. 1: enable feature) | `0`, `1` |
+| **LowSeverityThreats** | Write | String | Allows an administrator to specify low severity threats corresponding action ID to take. | `clean`, `quarantine`, `remove`, `allow`, `userdefined`, `block` |
+| **ModerateSeverityThreats** | Write | String | Allows an administrator to specify moderate severity threats corresponding action ID to take. | `clean`, `quarantine`, `remove`, `allow`, `userdefined`, `block` |
+| **SevereThreats** | Write | String | Allows an administrator to specify high severity threats corresponding action ID to take. | `clean`, `quarantine`, `remove`, `allow`, `userdefined`, `block` |
+| **HighSeverityThreats** | Write | String | Allows an administrator to specify severe threats corresponding action ID to take. | `clean`, `quarantine`, `remove`, `allow`, `userdefined`, `block` |
+| **TemplateId** | Write | String | Template Id of the policy. 0: Windows Security Experience, 1: Defender Update controls, 2: Microsoft Defender Antivirus exclusions, 3: Microsoft Defender Antivirus | `d948ff9b-99cb-4ee0-8012-1fbc09685377_1`, `e3f74c5a-a6de-411d-aef6-eb15628f3a0a_1`, `45fea5e9-280d-4da1-9792-fb5736da0ca9_1`, `804339ad-1553-4478-a742-138fb5807418_1` |
 | **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
 | **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed | `Present`, `Absent` |
 | **Credential** | Write | PSCredential | Credentials of the Intune Admin | |
diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md
index 858d62840b..b841315513 100644
--- a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md
+++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md
@@ -19,7 +19,8 @@
 | **WebSQLAccess** | Write | String | Force WebSQL to be enabled (0: Disabled, 1: Enabled) | `0`, `1` |
 | **BasicAuthOverHttpEnabled** | Write | String | Allow Basic authentication for HTTP (0: Disabled, 1: Enabled) | `0`, `1` |
 | **MicrosoftEdge_HTTPAuthentication_AuthSchemes** | Write | String | Supported authentication schemes (0: Disabled, 1: Enabled) | `0`, `1` |
-| **authschemes** | Write | String | Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes | |
+| **authschemes** | Write | String | (Deprecated) - Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes | |
+| **AuthSchemes_AuthSchemes** | Write | String | Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes | |
 | **NativeMessagingUserLevelHosts** | Write | String | Allow user-level native messaging hosts (installed without admin permissions) (0: Disabled, 1: Enabled) | `0`, `1` |
 | **InsecurePrivateNetworkRequestsAllowed** | Write | String | Specifies whether to allow insecure websites to make requests to more-private network endpoints (0: Disabled, 1: Enabled) | `0`, `1` |
 | **InternetExplorerModeToolbarButtonEnabled** | Write | String | Show the Reload in Internet Explorer mode button in the toolbar (0: Disabled, 1: Enabled) | `0`, `1` |