diff --git a/CHANGELOG.md b/CHANGELOG.md index 2c3dd1fb84..182cbd2e9c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,14 +2,14 @@ # UNRELEASED -* IntuneDerivedCredential - * Initial release. * AADAdminConsentRequestPolicy * Initial release. * AADApplication * Fixed an issue trying to retrieve the beta instance. * Added support for OnPremisesPublishing. * Added support for ApplicationTemplate. + * Fixes an issue where trying to apply permissions complained about + duplicate entries. * AADAuthenticationRequirement * Initial release. * AADConnectorGroupApplicationProxy @@ -24,6 +24,8 @@ * Initial release. * AADLifecycleWorkflowSettings * Initial release. +* AADServicePrincipal + * Adding Delegated Permission Classification Property * ADOPermissionGroupSettings * Initial release. * EXOATPBuiltInProtectionRule @@ -38,18 +40,33 @@ * IntuneAppAndBrowserIsolationPolicyWindows10 * Initial release. FIXES [#3028](https://github.com/microsoft/Microsoft365DSC/issues/3028) +* IntuneDerivedCredential + * Initial release. * IntuneDeviceConfigurationIdentityProtectionPolicyWindows10 * Added deprecation notice. * IntuneEndpointDetectionAndResponsePolicyWindows10 * Migrate to new Settings Catalog cmdlets. * IntuneMobileAppsMacOSLobApp * Initial release +* IntuneMobileAppsWindowsOfficeSuiteApp + * Initial release +* IntuneSecurityBaselineMicrosoft365AppsForEnterprise + * Initial release +* IntuneSecurityBaselineMicrosoftEdge + * Initial release * PPAdminDLPPolicy * Initial release. * PPDLPPolicyConnectorConfigurations * Initial release. * PPPowerAppPolicyUrlPatterns * Initial release. +* TeamsClientConfiguration + * Fixed bug where RestrictedSenderList was always empty in the MSFT_TeamsClientConfiguration resource + FIXES [#5190](https://github.com/microsoft/Microsoft365DSC/issues/5190) + * Changed Set-TargetResource to always use semicolon as separator as mentioned in the MS documentation +* TeamsUpgradePolicy + * Added support for tenant wide changes using the * value for users. + FIXES [#5174](https://github.com/microsoft/Microsoft365DSC/issues/5174) * TeamsGroupPolicyAssignments * FIXES [#5179](https://github.com/microsoft/Microsoft365DSC/issues/5179) * M365DSCDRGUtil diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 index 4b4c6f68e7..c8e33c5291 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADApplication/MSFT_AADApplication.psm1 @@ -971,7 +971,7 @@ function Set-TargetResource if ($needToUpdatePermissions -and -not [System.String]::IsNullOrEmpty($Permissions) -and $Permissions.Length -gt 0) { Write-Verbose -Message "Will update permissions for Azure AD Application {$($currentAADApp.DisplayName)}" - $allSourceAPIs = $Permissions.SourceAPI | Get-Unique + $allSourceAPIs = $Permissions.SourceAPI | Select-Object -Unique $allRequiredAccess = @() foreach ($sourceAPI in $allSourceAPIs) diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 index a32fd0d623..5640892910 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.psm1 @@ -32,6 +32,10 @@ function Get-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DelegatedPermissionClassifications, + [Parameter()] [System.String] $ErrorUrl, @@ -212,32 +216,43 @@ function Get-TargetResource } } + [Array]$complexDelegatedPermissionClassifications = @() + $permissionClassifications = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$AppId')/delegatedPermissionClassifications" -Method Get + foreach ($permissionClassification in $permissionClassifications.Value){ + $hashtable = @{ + classification = $permissionClassification.Classification + permissionName = $permissionClassification.permissionName + } + $complexDelegatedPermissionClassifications += $hashtable + } + $result = @{ - AppId = $AADServicePrincipal.AppId - AppRoleAssignedTo = $AppRoleAssignedToValues - ObjectID = $AADServicePrincipal.Id - DisplayName = $AADServicePrincipal.DisplayName - AlternativeNames = $AADServicePrincipal.AlternativeNames - AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled - AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired - ErrorUrl = $AADServicePrincipal.ErrorUrl - Homepage = $AADServicePrincipal.Homepage - LogoutUrl = $AADServicePrincipal.LogoutUrl - Owners = $ownersValues - PublisherName = $AADServicePrincipal.PublisherName - ReplyURLs = $AADServicePrincipal.ReplyURLs - SamlMetadataURL = $AADServicePrincipal.SamlMetadataURL - ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames - ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType - Tags = $AADServicePrincipal.Tags - Ensure = 'Present' - Credential = $Credential - ApplicationId = $ApplicationId - ApplicationSecret = $ApplicationSecret - TenantId = $TenantId - CertificateThumbprint = $CertificateThumbprint - Managedidentity = $ManagedIdentity.IsPresent - AccessTokens = $AccessTokens + AppId = $AADServicePrincipal.AppId + AppRoleAssignedTo = $AppRoleAssignedToValues + ObjectID = $AADServicePrincipal.Id + DisplayName = $AADServicePrincipal.DisplayName + AlternativeNames = $AADServicePrincipal.AlternativeNames + AccountEnabled = [boolean]$AADServicePrincipal.AccountEnabled + AppRoleAssignmentRequired = $AADServicePrincipal.AppRoleAssignmentRequired + DelegatedPermissionClassifications = [Array]$complexDelegatedPermissionClassifications + ErrorUrl = $AADServicePrincipal.ErrorUrl + Homepage = $AADServicePrincipal.Homepage + LogoutUrl = $AADServicePrincipal.LogoutUrl + Owners = $ownersValues + PublisherName = $AADServicePrincipal.PublisherName + ReplyURLs = $AADServicePrincipal.ReplyURLs + SamlMetadataURL = $AADServicePrincipal.SamlMetadataURL + ServicePrincipalNames = $AADServicePrincipal.ServicePrincipalNames + ServicePrincipalType = $AADServicePrincipal.ServicePrincipalType + Tags = $AADServicePrincipal.Tags + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + ApplicationSecret = $ApplicationSecret + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens } Write-Verbose -Message "Get-TargetResource Result: `n $(Convert-M365DscHashtableToString -Hashtable $result)" return $result @@ -289,6 +304,10 @@ function Set-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DelegatedPermissionClassifications, + [Parameter()] [System.String] $ErrorUrl, @@ -398,6 +417,8 @@ function Set-TargetResource { $currentParameters.AppRoleAssignedTo = $AppRoleAssignedToValue } + # removing Delegated permission classifications from this new call, as adding below separately + $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null $ObjectGuid = [System.Guid]::empty if (-not [System.Guid]::TryParse($AppId, [System.Management.Automation.PSReference]$ObjectGuid)) { @@ -419,6 +440,17 @@ function Set-TargetResource Write-Verbose -Message "Adding new owner {$owner}" $newOwner = New-MgServicePrincipalOwnerByRef -ServicePrincipalId $newSP.Id -BodyParameter $body } + + #adding delegated permissions classifications + if($null -ne $DelegatedPermissionClassifications){ + foreach ($permissionClassification in $DelegatedPermissionClassifications){ + $params = @{ + classification = $permissionClassification.Classification + permissionName = $permissionClassification.permissionName + } + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params + } + } } # ServicePrincipal should exist and will be configured to desired state elseif ($Ensure -eq 'Present' -and $currentAADServicePrincipal.Ensure -eq 'Present') @@ -434,6 +466,7 @@ function Set-TargetResource Write-Verbose -Message "ServicePrincipalID: $($currentAADServicePrincipal.ObjectID)" $currentParameters.Remove('AppRoleAssignedTo') | Out-Null $currentParameters.Remove('Owners') | Out-Null + $currentParameters.Remove('DelegatedPermissionClassifications') | Out-Null Update-MgServicePrincipal -ServicePrincipalId $currentAADServicePrincipal.ObjectID @currentParameters if ($AppRoleAssignedTo) @@ -546,6 +579,26 @@ function Set-TargetResource -DirectoryObjectId $userInfo.Id | Out-Null } } + + Write-Verbose -Message "Checking if DelegatedPermissionClassifications need to be updated..." + + if ($null -ne $DelegatedPermissionClassifications) + { + # removing old perm classifications + $permissionClassificationList = Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Get + foreach($permissionClassification in $permissionClassificationList.Value){ + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications/$($permissionClassification.Id)" -Method Delete + } + + # adding new perm classifications + foreach ($permissionClassification in $DelegatedPermissionClassifications){ + $params = @{ + classification = $permissionClassification.Classification + permissionName = $permissionClassification.permissionName + } + Invoke-MgGraphRequest -Uri "https://graph.microsoft.com/v1.0/servicePrincipals(appId='$($currentParameters.AppId)')/delegatedPermissionClassifications" -Method Post -Body $params + } + } } # ServicePrincipal exists but should not elseif ($Ensure -eq 'Absent' -and $currentAADServicePrincipal.Ensure -eq 'Present') @@ -589,6 +642,10 @@ function Test-TargetResource [System.Boolean] $AppRoleAssignmentRequired, + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DelegatedPermissionClassifications, + [Parameter()] [System.String] $ErrorUrl, @@ -677,21 +734,48 @@ function Test-TargetResource Write-Verbose -Message 'Testing configuration of Azure AD ServicePrincipal' + $testTargetResource = $true $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + $testTargetResource = $false + } + else { + $ValuesToCheck.Remove($key) | Out-Null + } + } + } Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" - $ValuesToCheck = $PSBoundParameters - $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` - -Source $($MyInvocation.MyCommand.Source) ` - -DesiredValues $PSBoundParameters ` - -ValuesToCheck $ValuesToCheck.Keys + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys ` + -IncludedDrifts $driftedParams + + if(-not $TestResult) + { + $testTargetResource = $false + } - Write-Verbose -Message "Test-TargetResource returned $TestResult" + Write-Verbose -Message "Test-TargetResource returned $testTargetResource" - return $TestResult + return $testTargetResource } function Export-TargetResource @@ -785,6 +869,10 @@ function Export-TargetResource { $Results.AppRoleAssignedTo = Get-M365DSCAzureADServicePrincipalAssignmentAsString -Assignments $Results.AppRoleAssignedTo } + if ($Results.DelegatedPermissionClassifications.Count -gt 0) + { + $Results.DelegatedPermissionClassifications = Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications -PermissionClassifications $Results.DelegatedPermissionClassifications + } $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` @@ -795,6 +883,11 @@ function Export-TargetResource $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` -ParameterName 'AppRoleAssignedTo' } + if ($null -ne $Results.DelegatedPermissionClassifications) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock ` + -ParameterName 'DelegatedPermissionClassifications' + } $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName @@ -841,4 +934,26 @@ function Get-M365DSCAzureADServicePrincipalAssignmentAsString return $StringContent } +function Get-M365DSCAzureADServicePrincipalDelegatedPermissionClassifications +{ + [CmdletBinding()] + [OutputType([System.String])] + param( + [Parameter(Mandatory = $true)] + [System.Collections.ArrayList] + $PermissionClassifications + ) + + $StringContent = "@(`r`n" + foreach ($permissionClassification in $PermissionClassifications) + { + $StringContent += " MSFT_AADServicePrincipalDelegatedPermissionClassification {`r`n" + $StringContent += " Classification = '" + $PermissionClassification.Classification + "'`r`n" + $StringContent += " PermissionName = '" + $PermissionClassification.PermissionName + "'`r`n" + $StringContent += " }`r`n" + } + $StringContent += ' )' + return $StringContent +} + Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof index 3d4c507c12..717b2e569f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADServicePrincipal/MSFT_AADServicePrincipal.schema.mof @@ -5,6 +5,13 @@ class MSFT_AADServicePrincipalRoleAssignment [Write, Description("Unique identity representing the principal.")] String Identity; }; +[ClassVersion("1.0.0")] +class MSFT_AADServicePrincipalDelegatedPermissionClassification +{ + [Write, Description("Classification of the delegated permission"), ValueMap{"low", "medium", "high"}, Values{"low", "medium", "high"}] String Classification; + [Write, Description("Name of the permission")] String PermissionName; +}; + [ClassVersion("1.0.0.0"), FriendlyName("AADServicePrincipal")] class MSFT_AADServicePrincipal : OMI_BaseResource { @@ -25,6 +32,8 @@ class MSFT_AADServicePrincipal : OMI_BaseResource [Write, Description("Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal.")] String ServicePrincipalNames[]; [Write, Description("The type of the service principal.")] String ServicePrincipalType; [Write, Description("Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp}")] String Tags[]; + [Write, Description("The permission classifications for delegated permissions exposed by the app that this service principal represents."), EmbeddedInstance("MSFT_AADServicePrincipalDelegatedPermissionClassification")] String DelegatedPermissionClassifications[]; + [Write, Description("Specify if the Azure AD App should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.psm1 index 5188f9fe59..8f3496d87e 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.psm1 @@ -682,7 +682,7 @@ function Export-TargetResource { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.DeviceSettings ` - -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings' + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10' if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.DeviceSettings = $complexTypeStringResult @@ -696,7 +696,7 @@ function Export-TargetResource { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.UserSettings ` - -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings' + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10' if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.UserSettings = $complexTypeStringResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.schema.mof index 269777f6a7..47f1cc08cd 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneAccountProtectionPolicyWindows10/MSFT_IntuneAccountProtectionPolicyWindows10.schema.mof @@ -10,7 +10,7 @@ class MSFT_DeviceManagementConfigurationPolicyAssignments }; [ClassVersion("1.0.0.0")] -class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings +class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 { [Write, Description("Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LsaCfgFlags; [Write, Description("Facial Features Use Enhanced Anti Spoofing (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String FacialFeaturesUseEnhancedAntiSpoofing; @@ -28,7 +28,7 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings }; [ClassVersion("1.0.0.0")] -class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings +class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 { [Write, Description("Enable Pin Recovery (User) (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String EnablePinRecovery; [Write, Description("Expiration (User)")] SInt32 Expiration; @@ -49,8 +49,8 @@ class MSFT_IntuneAccountProtectionPolicyWindows10 : OMI_BaseResource [Key, Description("Policy name")] String DisplayName; [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; [Write, Description("The unique identifier for an entity. Read-only.")] String Id; - [Write, Description("The policy settings for the device scope."), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings")] String DeviceSettings; - [Write, Description("The policy settings for the user scope"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings")] String UserSettings; + [Write, Description("The policy settings for the device scope."), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10")] String DeviceSettings; + [Write, Description("The policy settings for the user scope"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10")] String UserSettings; [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 index f0e7cd245e..739c2c80d7 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsMacOSLobApp/MSFT_IntuneMobileAppsMacOSLobApp.psm1 @@ -450,7 +450,7 @@ function Set-TargetResource throw "Mobile App Category with DisplayName $($category.DisplayName) not found." } - Invoke-MgBetaGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($app.Id)/categories/`$ref" -Method 'POST' -Body @{ + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($app.Id)/categories/`$ref" -Method 'POST' -Body @{ '@odata.id' = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1 new file mode 100644 index 0000000000..f10634ed10 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.psm1 @@ -0,0 +1,1002 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $AutoAcceptEula, + + [Parameter()] + [System.String[]] + [ValidateSet('O365ProPlusRetail', 'O365BusinessRetail', 'VisioProRetail', 'ProjectProRetail')] + $ProductIds, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExcludedApps, + + [Parameter()] + [System.Boolean] + $UseSharedComputerActivation, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Current', 'Deferred', 'FirstReleaseCurrent', 'FirstReleaseDeferred', 'MonthlyEnterprise')] + $UpdateChannel, + + [Parameter()] + [System.String] + [ValidateSet('NotConfigured', 'OfficeOpenXMLFormat', 'OfficeOpenDocumentFormat', 'UnknownFutureValue')] + $OfficeSuiteAppDefaultFileFormat, + + [Parameter()] + [System.String] + [ValidateSet('None', 'X86', 'X64', 'Arm', 'Neutral', 'Arm64')] + $OfficePlatformArchitecture, + + [Parameter()] + [System.String[]] + $LocalesToInstall, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Full')] + $InstallProgressDisplayLevel, + + [Parameter()] + [System.Boolean] + $ShouldUninstallOlderVersionsOfOffice, + + [Parameter()] + [System.String] + $TargetVersion, + + [Parameter()] + [System.String] + $UpdateVersion, + + [Parameter()] + [System.Byte[]] + $OfficeConfigurationXml, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + # [Parameter()] + # [Microsoft.Management.Infrastructure.CimInstance] + # $LargeIcon, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters | Out-Null + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + try + { + $instance = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $Id ` + -ExpandProperty "categories" ` + -ErrorAction SilentlyContinue + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find an Intune Windows Office Suite App with Id {$Id}." + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $instance = Get-MgBetaDeviceAppManagementMobileApp ` + -Filter "(isof('microsoft.graph.officeSuiteApp') and displayName eq '$DisplayName')" ` + -ErrorAction SilentlyContinue + } + + if ($null -ne $instance) + { + $instance = Get-MgBetaDeviceAppManagementMobileApp -MobileAppId $instance.Id ` + -ExpandProperty "categories" ` + -ErrorAction SilentlyContinue + $Id = $instance.Id + } + } + + if ($null -eq $instance) + { + Write-Verbose -Message "Could not find an Intune Windows Office Suite App with DisplayName {$DisplayName} was found." + return $nullResult + } + + Write-Verbose "An Intune Windows Office Suite App with Id {$Id} and DisplayName {$DisplayName} was found." + + #region complex types + $complexCategories = @() + foreach ($category in $instance.Categories) + { + $myCategory = @{} + $myCategory.Add('Id', $category.id) + $myCategory.Add('DisplayName', $category.displayName) + $complexCategories += $myCategory + } + + $complexExcludedApps = @{} + if ($null -ne $instance.AdditionalProperties.excludedApps) + { + $instance.AdditionalProperties.excludedApps.GetEnumerator() | Foreach-Object { + $complexExcludedApps.Add($_.Key, $_.Value) + } + } + + # $complexLargeIcon = @{} + # if ($null -ne $instance.LargeIcon.Value) + # { + # $complexLargeIcon.Add('Value', [System.Convert]::ToBase64String($instance.LargeIcon.Value)) + # $complexLargeIcon.Add('Type', $instance.LargeIcon.Type) + # } + + $results = @{ + Id = $instance.Id + DisplayName = $instance.DisplayName + Description = $instance.Description + IsFeatured = $instance.IsFeatured + PrivacyInformationUrl = $instance.PrivacyInformationUrl + InformationUrl = $instance.InformationUrl + Notes = $instance.Notes + RoleScopeTagIds = $instance.RoleScopeTagIds + AutoAcceptEula = $instance.AdditionalProperties.autoAcceptEula + ProductIds = $instance.AdditionalProperties.productIds + UseSharedComputerActivation = $instance.AdditionalProperties.useSharedComputerActivation + UpdateChannel = $instance.AdditionalProperties.updateChannel + OfficeSuiteAppDefaultFileFormat = $instance.AdditionalProperties.officeSuiteAppDefaultFileFormat + OfficePlatformArchitecture = $instance.AdditionalProperties.officePlatformArchitecture + LocalesToInstall = $instance.AdditionalProperties.localesToInstall + InstallProgressDisplayLevel = $instance.AdditionalProperties.installProgressDisplayLevel + ShouldUninstallOlderVersionsOfOffice = $instance.AdditionalProperties.shouldUninstallOlderVersionsOfOffice + TargetVersion = $instance.AdditionalProperties.targetVersion + UpdateVersion = $instance.AdditionalProperties.updateVersion + OfficeConfigurationXml = $instance.AdditionalProperties.officeConfigurationXml + # LargeIcon = $complexLargeIcon + ExcludedApps = $complexExcludedApps + Categories = $complexCategories + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + #Assignments + $resultAssignments = @() + $appAssignments = Get-MgBetaDeviceAppManagementMobileAppAssignment -MobileAppId $instance.Id + if ($null -ne $appAssignments -and $appAssignments.count -gt 0) + { + $convertedAssignments = ConvertFrom-IntuneMobileAppAssignment ` + -IncludeDeviceFilter:$true ` + -Assignments ($appAssignments) + + # Filter out 'source' from the assignment objects + foreach ($assignment in $convertedAssignments) { + if ($assignment.ContainsKey('source')) { + $assignment.Remove('source') + } + } + + $resultAssignments += $convertedAssignments + } + $results.Add('Assignments', $resultAssignments) + return [System.Collections.Hashtable] $results + } + catch + { + Write-Verbose -Message $_ + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $AutoAcceptEula, + + [Parameter()] + [System.String[]] + [ValidateSet('O365ProPlusRetail', 'O365BusinessRetail', 'VisioProRetail', 'ProjectProRetail')] + $ProductIds, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExcludedApps, + + [Parameter()] + [System.Boolean] + $UseSharedComputerActivation, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Current', 'Deferred', 'FirstReleaseCurrent', 'FirstReleaseDeferred', 'MonthlyEnterprise')] + $UpdateChannel, + + [Parameter()] + [System.String] + [ValidateSet('NotConfigured', 'OfficeOpenXMLFormat', 'OfficeOpenDocumentFormat', 'UnknownFutureValue')] + $OfficeSuiteAppDefaultFileFormat, + + [Parameter()] + [System.String] + [ValidateSet('None', 'X86', 'X64', 'Arm', 'Neutral', 'Arm64')] + $OfficePlatformArchitecture, + + [Parameter()] + [System.String[]] + $LocalesToInstall, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Full')] + $InstallProgressDisplayLevel, + + [Parameter()] + [System.Boolean] + $ShouldUninstallOlderVersionsOfOffice, + + [Parameter()] + [System.String] + $TargetVersion, + + [Parameter()] + [System.String] + $UpdateVersion, + + [Parameter()] + [System.Byte[]] + $OfficeConfigurationXml, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + # [Parameter()] + # [Microsoft.Management.Infrastructure.CimInstance] + # $LargeIcon, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Windows Office Suite App with DisplayName {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + + $CreateParameters = ([Hashtable]$BoundParameters).Clone() + $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters + $CreateParameters.Remove('Id') | Out-Null + $CreateParameters.Remove('Categories') | Out-Null + $CreateParameters.Add('Publisher', 'Microsoft') + $CreateParameters.Add('Developer', 'Microsoft') + $CreateParameters.Add('Owner', 'Microsoft') + + foreach ($key in ($CreateParameters.Clone()).Keys) + { + if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.GetType().Name -like '*CimInstance*') + { + $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key + } + } + + $CreateParameters.Add('@odata.type', '#microsoft.graph.officeSuiteApp') + $app = New-MgBetaDeviceAppManagementMobileApp -BodyParameter $CreateParameters + + foreach ($category in $Categories) + { + if ($category.Id) + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $category.Id + } + else + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -Filter "displayName eq '$($category.DisplayName)'" + } + + if ($null -eq $currentCategory) + { + throw "Mobile App Category with DisplayName $($category.DisplayName) not found." + } + + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($app.Id)/categories/`$ref" -Method 'POST' -Body @{ + '@odata.id' = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + } + } + + #Assignments + if ($app.Id) + { + $assignmentsHash = ConvertTo-IntuneMobileAppAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceAppManagementPolicyAssignment -AppManagementPolicyId $app.Id ` + -Assignments $assignmentsHash + } + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Host "Updating the Intune Windows Office Suite App with DisplayName {$DisplayName}" + $BoundParameters.Remove('Assignments') | Out-Null + + $UpdateParameters = ([Hashtable]$BoundParameters).Clone() + $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters + $UpdateParameters.Remove('Id') | Out-Null + $UpdateParameters.Remove('Categories') | Out-Null + $UpdateParameters.Remove('OfficePlatformArchitecture') | Out-Null + + foreach ($key in ($UpdateParameters.Clone()).Keys) + { + if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.GetType().Name -like '*CimInstance*') + { + $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key + } + } + + $UpdateParameters.Add('@odata.type', '#microsoft.graph.officeSuiteApp') + Update-MgBetaDeviceAppManagementMobileApp -MobileAppId $currentInstance.Id -BodyParameter $UpdateParameters + + [array]$referenceObject = if ($null -ne $currentInstance.Categories.DisplayName) { $currentInstance.Categories.DisplayName } else { ,@() } + [array]$differenceObject = if ($null -ne $Categories.DisplayName) { $Categories.DisplayName } else { ,@() } + $delta = Compare-Object -ReferenceObject $referenceObject -DifferenceObject $differenceObject -PassThru + foreach ($diff in $delta) + { + if ($diff.SideIndicator -eq '=>') + { + $category = $Categories | Where-Object { $_.DisplayName -eq $diff } + if ($category.Id) + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -MobileAppCategoryId $category.Id + } + else + { + $currentCategory = Get-MgBetaDeviceAppManagementMobileAppCategory -Filter "displayName eq '$($category.DisplayName)'" + } + + if ($null -eq $currentCategory) + { + throw "Mobile App Category with DisplayName $($category.DisplayName) not found." + } + + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($currentInstance.Id)/categories/`$ref" -Method 'POST' -Body @{ + '@odata.id' = "https://graph.microsoft.com/beta/deviceAppManagement/mobileAppCategories/$($currentCategory.Id)" + } + } + else + { + $category = $currentInstance.Categories | Where-Object { $_.DisplayName -eq $diff } + Invoke-MgGraphRequest -Uri "/beta/deviceAppManagement/mobileApps/$($currentInstance.Id)/categories/$($category.Id)/`$ref" -Method 'DELETE' + } + } + + #Assignments + $assignmentsHash = ConvertTo-IntuneMobileAppAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceAppManagementPolicyAssignment -AppManagementPolicyId $currentInstance.Id ` + -Assignments $assignmentsHash + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Host "Remove the Intune Windows Office Suite App with Id {$($currentInstance.Id)}" + Remove-MgBetaDeviceAppManagementMobileApp -MobileAppId $currentInstance.Id -Confirm:$false + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region Intune resource parameters + + [Parameter()] + [System.String] + $Id, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.Boolean] + $IsFeatured, + + [Parameter()] + [System.String] + $PrivacyInformationUrl, + + [Parameter()] + [System.String] + $InformationUrl, + + [Parameter()] + [System.String] + $Notes, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $AutoAcceptEula, + + [Parameter()] + [System.String[]] + [ValidateSet('O365ProPlusRetail', 'O365BusinessRetail', 'VisioProRetail', 'ProjectProRetail')] + $ProductIds, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $ExcludedApps, + + [Parameter()] + [System.Boolean] + $UseSharedComputerActivation, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Current', 'Deferred', 'FirstReleaseCurrent', 'FirstReleaseDeferred', 'MonthlyEnterprise')] + $UpdateChannel, + + [Parameter()] + [System.String] + [ValidateSet('NotConfigured', 'OfficeOpenXMLFormat', 'OfficeOpenDocumentFormat', 'UnknownFutureValue')] + $OfficeSuiteAppDefaultFileFormat, + + [Parameter()] + [System.String] + [ValidateSet('None', 'X86', 'X64', 'Arm', 'Neutral', 'Arm64')] + $OfficePlatformArchitecture, + + [Parameter()] + [System.String[]] + $LocalesToInstall, + + [Parameter()] + [System.String] + [ValidateSet('None', 'Full')] + $InstallProgressDisplayLevel, + + [Parameter()] + [System.Boolean] + $ShouldUninstallOlderVersionsOfOffice, + + [Parameter()] + [System.String] + $TargetVersion, + + [Parameter()] + [System.String] + $UpdateVersion, + + [Parameter()] + [System.Byte[]] + $OfficeConfigurationXml, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Categories, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + + # [Parameter()] + # [Microsoft.Management.Infrastructure.CimInstance] + # $LargeIcon, + + #endregion + + [Parameter()] + [ValidateSet('Present', 'Absent')] + [System.String] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Windows Suite App with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).Clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + # Prevent screen from filling up with the LargeIcon value + # Comparison will already be done because it's a CimInstance + # $CurrentValues.Remove('LargeIcon') | Out-Null + # $PSBoundParameters.Remove('LargeIcon') | Out-Null + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck.Remove('OfficePlatformArchitecture') | Out-Null # Cannot be changed after creation + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $TestResult" + + return $TestResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + $Script:ExportMode = $true + [array] $Script:getInstances = Get-MgBetaDeviceAppManagementMobileApp ` + -Filter "isof('microsoft.graph.officeSuiteApp')" ` + -ErrorAction Stop + + $i = 1 + $dscContent = '' + if ($Script:getInstances.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + + foreach ($config in $Script:getInstances) + { + if ($null -ne $Global:M365DSCExportResourceInstancesCount) + { + $Global:M365DSCExportResourceInstancesCount++ + } + + $displayedKey = $config.Id + Write-Host " |---[$i/$($Script:getInstances.Count)] $displayedKey" -NoNewline + + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + ApplicationSecret = $ApplicationSecret + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + #region complex types + if ($null -ne $Results.Categories) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Categories ` + -CIMInstanceName 'DeviceManagementMobileAppCategory' + + if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.Categories = $complexTypeStringResult + } + else + { + $Results.Remove('Categories') | Out-Null + } + } + + if ($null -ne $Results.ExcludedApps) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.ExcludedApps ` + -CIMInstanceName 'DeviceManagementMobileAppExcludedApp' + + if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.ExcludedApps = $complexTypeStringResult + } + else + { + $Results.Remove('ExcludedApps') | Out-Null + } + } + + # if ($null -ne $Results.LargeIcon) + # { + # $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + # -ComplexObject $Results.LargeIcon ` + # -CIMInstanceName 'DeviceManagementMimeContent' + + # if (-not [System.String]::IsNullOrWhiteSpace($complexTypeStringResult)) + # { + # $Results.LargeIcon = $complexTypeStringResult + # } + # else + # { + # $Results.Remove('LargeIcon') | Out-Null + # } + # } + + if ($null -ne $Results.Assignments) + { + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.Assignments ` + -CIMInstanceName DeviceManagementMobileAppAssignment + + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + } + #endregion complex types + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + #region complex types + if ($null -ne $Results.Categories) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Categories' -IsCIMArray:$true + } + + if ($null -ne $Results.ExcludedApps) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'ExcludedApps' -IsCIMArray:$false + } + + # if ($null -ne $Results.LargeIcon) + # { + # $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'LargeIcon' -IsCIMArray:$false + # } + + if ($null -ne $Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true + } + #endregion complex types + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.schema.mof new file mode 100644 index 0000000000..9d07d216db --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp.schema.mof @@ -0,0 +1,78 @@ +class MSFT_DeviceManagementMobileAppAssignment +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget", "#microsoft.graph.mobileAppAssignment"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget", "#microsoft.graph.mobileAppAssignment"}] String dataType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are: none, include, exclude."), ValueMap{"none", "include", "exclude"}, Values{"none", "include", "exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("Possible values for the install intent chosen by the admin."), ValueMap{"available", "required", "uninstall", "availableWithoutEnrollment"}, Values{"available", "required", "uninstall", "availableWithoutEnrollment"}] String intent; +}; + +class MSFT_DeviceManagementMimeContent +{ + [Write, Description("Indicates the type of content mime.")] String Type; + [Write, Description("The Base64 encoded string content.")] String Value; +}; + +class MSFT_DeviceManagementMobileAppCategory +{ + [Key, Description("The name of the app category.")] String DisplayName; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; +}; + +class MSFT_DeviceManagementMobileAppExcludedApp +{ + [Write, Description("Specifies whether to exclude Microsoft Office Access from the installation.")] Boolean Access; + [Write, Description("Specifies whether to exclude Microsoft Search (Bing) as the default from the installation.")] Boolean Bing; + [Write, Description("Specifies whether to exclude Microsoft Office Excel from the installation.")] Boolean Excel; + [Write, Description("Specifies whether to exclude Microsoft Office OneDrive for Business (Groove) from the installation.")] Boolean Groove; + [Write, Description("Specifies whether to exclude Microsoft Office InfoPath from the installation.")] Boolean InfoPath; + [Write, Description("Specifies whether to exclude Microsoft Office Skype for Business (Lync) from the installation.")] Boolean Lync; + [Write, Description("Specifies whether to exclude Microsoft Office OneDrive from the installation.")] Boolean OneDrive; + [Write, Description("Specifies whether to exclude Microsoft Office OneNote from the installation.")] Boolean OneNote; + [Write, Description("Specifies whether to exclude Microsoft Office Outlook from the installation.")] Boolean Outlook; + [Write, Description("Specifies whether to exclude Microsoft Office PowerPoint from the installation.")] Boolean PowerPoint; + [Write, Description("Specifies whether to exclude Microsoft Office Publisher from the installation.")] Boolean Publisher; + [Write, Description("Specifies whether to exclude Microsoft Office SharePoint Designer from the installation.")] Boolean SharePointDesigner; + [Write, Description("Specifies whether to exclude Microsoft Office Teams from the installation.")] Boolean Teams; + [Write, Description("Specifies whether to exclude Microsoft Office Visio from the installation.")] Boolean Visio; + [Write, Description("Specifies whether to exclude Microsoft Office Word from the installation.")] Boolean Word; +}; + +[ClassVersion("1.0.0"), FriendlyName("IntuneMobileAppsWindowsOfficeSuiteApp")] +class MSFT_IntuneMobileAppsWindowsOfficeSuiteApp : OMI_BaseResource +{ + [Key, Description("The admin provided or imported title of the app. Inherited from mobileApp.")] String DisplayName; + [Write, Description("The unique identifier for an entity. Read-only. Inherited from mobileApp object.")] String Id; + + [Write, Description("The description of the app. Inherited from mobileApp.")] String Description; + [Write, Description("The value indicating whether the app is marked as featured by the admin. Inherited from mobileApp.")] Boolean IsFeatured; + [Write, Description("The privacy statement Url. Inherited from mobileApp.")] String PrivacyInformationUrl; + [Write, Description("The InformationUrl of the app. Inherited from mobileApp.")] String InformationUrl; + [Write, Description("Notes for the app. Inherited from mobileApp.")] String Notes; + [Write, Description("List of Scope Tag IDs for mobile app.")] String RoleScopeTagIds[]; + [Write, Description("Specifies if the EULA is accepted automatically on the end user's device.")] Boolean AutoAcceptEula; + [Write, Description("The Product IDs that represent the Office 365 Suite SKU, such as 'O365ProPlusRetail' or 'VisioProRetail'.")] String ProductIds[]; + [Write, Description("Indicates whether shared computer activation is used for Office installations.")] Boolean UseSharedComputerActivation; + [Write, Description("Specifies the update channel for the Office 365 app suite, such as 'Current' or 'Deferred'.")] String UpdateChannel; + [Write, Description("Specifies the default file format type for Office apps, such as 'OfficeOpenXMLFormat' or 'OfficeOpenDocumentFormat'.")] String OfficeSuiteAppDefaultFileFormat; + [Write, Description("The architecture of the Office installation (e.g., 'X86', 'X64', or 'Arm64'). Cannot be changed after creation.")] String OfficePlatformArchitecture; + [Write, Description("Specifies the locales to be installed when the Office 365 apps are deployed. Uses the standard RFC 5646 format (e.g., 'en-US', 'fr-FR').")] String LocalesToInstall[]; + [Write, Description("Specifies the display level of the installation progress for Office apps. Use 'Full' to display the installation UI, or 'None' for a silent installation.")] String InstallProgressDisplayLevel; + [Write, Description("Indicates whether older versions of Office should be uninstalled when deploying the Office 365 app suite.")] Boolean ShouldUninstallOlderVersionsOfOffice; + [Write, Description("The specific target version of the Office 365 app suite to be deployed.")] String TargetVersion; + [Write, Description("The update version in which the target version is available for the Office 365 app suite.")] String UpdateVersion; + [Write, Description("A base64-encoded XML configuration file that specifies Office ProPlus installation settings. Takes precedence over all other properties. When present, this XML file will be used to create the app.")] String OfficeConfigurationXml; + [Write, Description("The list of categories for this app."), EmbeddedInstance("MSFT_DeviceManagementMobileAppCategory")] String Categories[]; + [Write, Description("The list of assignments for this app."), EmbeddedInstance("MSFT_DeviceManagementMobileAppAssignment")] String Assignments[]; + [Write, Description("The property that represents the apps excluded from the selected Office 365 Product ID."), EmbeddedInstance("MSFT_DeviceManagementMobileAppExcludedApp")] String ExcludedApps; + + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present", "Absent"}, Values{"Present", "Absent"}] String Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] String Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/readme.md new file mode 100644 index 0000000000..f35ec06360 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/readme.md @@ -0,0 +1,6 @@ + +# IntuneMobileAppsWindowsOfficeSuiteApp + +## Description + +This resource configures an Intune mobile app of OfficeSuiteApp type for Windows devices. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json new file mode 100644 index 0000000000..a9bd04b5fa --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneMobileAppsWindowsOfficeSuiteApp/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "IntuneMobileAppsWindowsOfficeSuiteApp", + "description": "This resource configures an Intune mobile app.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementApps.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementApps.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementApps.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementApps.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1 new file mode 100644 index 0000000000..9958ba28ca --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.psm1 @@ -0,0 +1,1110 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Microsoft365 Apps For Enterprise with Name {$DisplayName}." + return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings -ContainsDeviceAndUserSettings + + #region resource generator code + $complexDeviceSettings = @{} + $complexDeviceSettings.Add('Pol_SecGuide_A001_Block_Flash', $policySettings.DeviceSettings.pol_SecGuide_A001_Block_Flash) + $complexDeviceSettings.Add('Pol_SecGuide_Block_Flash', $policySettings.DeviceSettings.pol_SecGuide_Block_Flash) + $complexDeviceSettings.Add('Pol_SecGuide_Legacy_JScript', $policySettings.DeviceSettings.pol_SecGuide_Legacy_JScript) + $complexDeviceSettings.Add('POL_SG_powerpnt', $policySettings.DeviceSettings.pOL_SG_powerpnt) + $complexDeviceSettings.Add('POL_SG_onenote', $policySettings.DeviceSettings.pOL_SG_onenote) + $complexDeviceSettings.Add('POL_SG_mspub', $policySettings.DeviceSettings.pOL_SG_mspub) + $complexDeviceSettings.Add('POL_SG_msaccess', $policySettings.DeviceSettings.pOL_SG_msaccess) + $complexDeviceSettings.Add('POL_SG_winproj', $policySettings.DeviceSettings.pOL_SG_winproj) + $complexDeviceSettings.Add('POL_SG_visio', $policySettings.DeviceSettings.pOL_SG_visio) + $complexDeviceSettings.Add('POL_SG_outlook', $policySettings.DeviceSettings.pOL_SG_outlook) + $complexDeviceSettings.Add('POL_SG_winword', $policySettings.DeviceSettings.pOL_SG_winword) + $complexDeviceSettings.Add('POL_SG_excel', $policySettings.DeviceSettings.pOL_SG_excel) + $complexDeviceSettings.Add('L_PolicyEnableSIPHighSecurityMode', $policySettings.DeviceSettings.l_PolicyEnableSIPHighSecurityMode) + $complexDeviceSettings.Add('L_PolicyDisableHttpConnect', $policySettings.DeviceSettings.l_PolicyDisableHttpConnect) + $complexDeviceSettings.Add('L_AddonManagement', $policySettings.DeviceSettings.l_AddonManagement) + $complexDeviceSettings.Add('L_powerpntexe17', $policySettings.DeviceSettings.l_powerpntexe17) + $complexDeviceSettings.Add('L_excelexe15', $policySettings.DeviceSettings.l_excelexe15) + $complexDeviceSettings.Add('L_visioexe19', $policySettings.DeviceSettings.l_visioexe19) + $complexDeviceSettings.Add('L_onenoteexe26', $policySettings.DeviceSettings.l_onenoteexe26) + $complexDeviceSettings.Add('L_outlookexe22', $policySettings.DeviceSettings.l_outlookexe22) + $complexDeviceSettings.Add('L_pptviewexe18', $policySettings.DeviceSettings.l_pptviewexe18) + $complexDeviceSettings.Add('L_winwordexe21', $policySettings.DeviceSettings.l_winwordexe21) + $complexDeviceSettings.Add('L_exprwdexe24', $policySettings.DeviceSettings.l_exprwdexe24) + $complexDeviceSettings.Add('L_spdesignexe23', $policySettings.DeviceSettings.l_spdesignexe23) + $complexDeviceSettings.Add('L_winprojexe20', $policySettings.DeviceSettings.l_winprojexe20) + $complexDeviceSettings.Add('L_grooveexe14', $policySettings.DeviceSettings.l_grooveexe14) + $complexDeviceSettings.Add('L_mspubexe16', $policySettings.DeviceSettings.l_mspubexe16) + $complexDeviceSettings.Add('L_mse7exe27', $policySettings.DeviceSettings.l_mse7exe27) + $complexDeviceSettings.Add('L_msaccessexe25', $policySettings.DeviceSettings.l_msaccessexe25) + $complexDeviceSettings.Add('L_ConsistentMimeHandling', $policySettings.DeviceSettings.l_ConsistentMimeHandling) + $complexDeviceSettings.Add('L_excelexe43', $policySettings.DeviceSettings.l_excelexe43) + $complexDeviceSettings.Add('L_spdesignexe51', $policySettings.DeviceSettings.l_spdesignexe51) + $complexDeviceSettings.Add('L_onenoteexe54', $policySettings.DeviceSettings.l_onenoteexe54) + $complexDeviceSettings.Add('L_outlookexe50', $policySettings.DeviceSettings.l_outlookexe50) + $complexDeviceSettings.Add('L_pptviewexe46', $policySettings.DeviceSettings.l_pptviewexe46) + $complexDeviceSettings.Add('L_mspubexe44', $policySettings.DeviceSettings.l_mspubexe44) + $complexDeviceSettings.Add('L_visioexe47', $policySettings.DeviceSettings.l_visioexe47) + $complexDeviceSettings.Add('L_winprojexe48', $policySettings.DeviceSettings.l_winprojexe48) + $complexDeviceSettings.Add('L_msaccessexe53', $policySettings.DeviceSettings.l_msaccessexe53) + $complexDeviceSettings.Add('L_powerpntexe45', $policySettings.DeviceSettings.l_powerpntexe45) + $complexDeviceSettings.Add('L_grooveexe42', $policySettings.DeviceSettings.l_grooveexe42) + $complexDeviceSettings.Add('L_mse7exe55', $policySettings.DeviceSettings.l_mse7exe55) + $complexDeviceSettings.Add('L_winwordexe49', $policySettings.DeviceSettings.l_winwordexe49) + $complexDeviceSettings.Add('L_exprwdexe52', $policySettings.DeviceSettings.l_exprwdexe52) + $complexDeviceSettings.Add('L_Disableusernameandpassword', $policySettings.DeviceSettings.l_Disableusernameandpassword) + $complexDeviceSettings.Add('L_excelexe127', $policySettings.DeviceSettings.l_excelexe127) + $complexDeviceSettings.Add('L_grooveexe126', $policySettings.DeviceSettings.l_grooveexe126) + $complexDeviceSettings.Add('L_onenoteexe138', $policySettings.DeviceSettings.l_onenoteexe138) + $complexDeviceSettings.Add('L_mse7exe139', $policySettings.DeviceSettings.l_mse7exe139) + $complexDeviceSettings.Add('L_mspubexe128', $policySettings.DeviceSettings.l_mspubexe128) + $complexDeviceSettings.Add('L_visioexe131', $policySettings.DeviceSettings.l_visioexe131) + $complexDeviceSettings.Add('L_exprwdexe136', $policySettings.DeviceSettings.l_exprwdexe136) + $complexDeviceSettings.Add('L_msaccessexe137', $policySettings.DeviceSettings.l_msaccessexe137) + $complexDeviceSettings.Add('L_spdesignexe135', $policySettings.DeviceSettings.l_spdesignexe135) + $complexDeviceSettings.Add('L_winwordexe133', $policySettings.DeviceSettings.l_winwordexe133) + $complexDeviceSettings.Add('L_powerpntexe129', $policySettings.DeviceSettings.l_powerpntexe129) + $complexDeviceSettings.Add('L_outlookexe134', $policySettings.DeviceSettings.l_outlookexe134) + $complexDeviceSettings.Add('L_winprojexe132', $policySettings.DeviceSettings.l_winprojexe132) + $complexDeviceSettings.Add('L_pptviewexe130', $policySettings.DeviceSettings.l_pptviewexe130) + $complexDeviceSettings.Add('L_Informationbar', $policySettings.DeviceSettings.l_Informationbar) + $complexDeviceSettings.Add('L_excelexe113', $policySettings.DeviceSettings.l_excelexe113) + $complexDeviceSettings.Add('L_mspubexe114', $policySettings.DeviceSettings.l_mspubexe114) + $complexDeviceSettings.Add('L_msaccessexe123', $policySettings.DeviceSettings.l_msaccessexe123) + $complexDeviceSettings.Add('L_onenoteexe124', $policySettings.DeviceSettings.l_onenoteexe124) + $complexDeviceSettings.Add('L_outlookexe120', $policySettings.DeviceSettings.l_outlookexe120) + $complexDeviceSettings.Add('L_winprojexe118', $policySettings.DeviceSettings.l_winprojexe118) + $complexDeviceSettings.Add('L_powerpntexe115', $policySettings.DeviceSettings.l_powerpntexe115) + $complexDeviceSettings.Add('L_spdesignexe121', $policySettings.DeviceSettings.l_spdesignexe121) + $complexDeviceSettings.Add('L_grooveexe112', $policySettings.DeviceSettings.l_grooveexe112) + $complexDeviceSettings.Add('L_visioexe117', $policySettings.DeviceSettings.l_visioexe117) + $complexDeviceSettings.Add('L_mse7exe125', $policySettings.DeviceSettings.l_mse7exe125) + $complexDeviceSettings.Add('L_winwordexe119', $policySettings.DeviceSettings.l_winwordexe119) + $complexDeviceSettings.Add('L_exprwdexe122', $policySettings.DeviceSettings.l_exprwdexe122) + $complexDeviceSettings.Add('L_pptviewexe116', $policySettings.DeviceSettings.l_pptviewexe116) + $complexDeviceSettings.Add('L_LocalMachineZoneLockdownSecurity', $policySettings.DeviceSettings.l_LocalMachineZoneLockdownSecurity) + $complexDeviceSettings.Add('L_mse7exe41', $policySettings.DeviceSettings.l_mse7exe41) + $complexDeviceSettings.Add('L_powerpntexe31', $policySettings.DeviceSettings.l_powerpntexe31) + $complexDeviceSettings.Add('L_mspubexe30', $policySettings.DeviceSettings.l_mspubexe30) + $complexDeviceSettings.Add('L_outlookexe36', $policySettings.DeviceSettings.l_outlookexe36) + $complexDeviceSettings.Add('L_pptviewexe32', $policySettings.DeviceSettings.l_pptviewexe32) + $complexDeviceSettings.Add('L_excelexe29', $policySettings.DeviceSettings.l_excelexe29) + $complexDeviceSettings.Add('L_exprwdexe38', $policySettings.DeviceSettings.l_exprwdexe38) + $complexDeviceSettings.Add('L_grooveexe28', $policySettings.DeviceSettings.l_grooveexe28) + $complexDeviceSettings.Add('L_winwordexe35', $policySettings.DeviceSettings.l_winwordexe35) + $complexDeviceSettings.Add('L_msaccessexe39', $policySettings.DeviceSettings.l_msaccessexe39) + $complexDeviceSettings.Add('L_spdesignexe37', $policySettings.DeviceSettings.l_spdesignexe37) + $complexDeviceSettings.Add('L_visioexe33', $policySettings.DeviceSettings.l_visioexe33) + $complexDeviceSettings.Add('L_onenoteexe40', $policySettings.DeviceSettings.l_onenoteexe40) + $complexDeviceSettings.Add('L_winprojexe34', $policySettings.DeviceSettings.l_winprojexe34) + $complexDeviceSettings.Add('L_MimeSniffingSafetyFature', $policySettings.DeviceSettings.l_MimeSniffingSafetyFature) + $complexDeviceSettings.Add('L_powerpntexe59', $policySettings.DeviceSettings.l_powerpntexe59) + $complexDeviceSettings.Add('L_exprwdexe66', $policySettings.DeviceSettings.l_exprwdexe66) + $complexDeviceSettings.Add('L_grooveexe56', $policySettings.DeviceSettings.l_grooveexe56) + $complexDeviceSettings.Add('L_visioexe61', $policySettings.DeviceSettings.l_visioexe61) + $complexDeviceSettings.Add('L_outlookexe64', $policySettings.DeviceSettings.l_outlookexe64) + $complexDeviceSettings.Add('L_mspubexe58', $policySettings.DeviceSettings.l_mspubexe58) + $complexDeviceSettings.Add('L_mse7exe69', $policySettings.DeviceSettings.l_mse7exe69) + $complexDeviceSettings.Add('L_msaccessexe67', $policySettings.DeviceSettings.l_msaccessexe67) + $complexDeviceSettings.Add('L_pptviewexe60', $policySettings.DeviceSettings.l_pptviewexe60) + $complexDeviceSettings.Add('L_winprojexe62', $policySettings.DeviceSettings.l_winprojexe62) + $complexDeviceSettings.Add('L_spdesignexe65', $policySettings.DeviceSettings.l_spdesignexe65) + $complexDeviceSettings.Add('L_onenoteexe68', $policySettings.DeviceSettings.l_onenoteexe68) + $complexDeviceSettings.Add('L_winwordexe63', $policySettings.DeviceSettings.l_winwordexe63) + $complexDeviceSettings.Add('L_excelexe57', $policySettings.DeviceSettings.l_excelexe57) + $complexDeviceSettings.Add('L_NavigateURL', $policySettings.DeviceSettings.l_NavigateURL) + $complexDeviceSettings.Add('L_spdesignexe177', $policySettings.DeviceSettings.l_spdesignexe177) + $complexDeviceSettings.Add('L_onenoteexe180', $policySettings.DeviceSettings.l_onenoteexe180) + $complexDeviceSettings.Add('L_pptviewexe172', $policySettings.DeviceSettings.l_pptviewexe172) + $complexDeviceSettings.Add('L_outlookexe176', $policySettings.DeviceSettings.l_outlookexe176) + $complexDeviceSettings.Add('L_winprojexe174', $policySettings.DeviceSettings.l_winprojexe174) + $complexDeviceSettings.Add('L_msaccessexe179', $policySettings.DeviceSettings.l_msaccessexe179) + $complexDeviceSettings.Add('L_winwordexe175', $policySettings.DeviceSettings.l_winwordexe175) + $complexDeviceSettings.Add('L_excelexe169', $policySettings.DeviceSettings.l_excelexe169) + $complexDeviceSettings.Add('L_mspubexe170', $policySettings.DeviceSettings.l_mspubexe170) + $complexDeviceSettings.Add('L_exprwdexe178', $policySettings.DeviceSettings.l_exprwdexe178) + $complexDeviceSettings.Add('L_powerpntexe171', $policySettings.DeviceSettings.l_powerpntexe171) + $complexDeviceSettings.Add('L_visioexe173', $policySettings.DeviceSettings.l_visioexe173) + $complexDeviceSettings.Add('L_mse7exe181', $policySettings.DeviceSettings.l_mse7exe181) + $complexDeviceSettings.Add('L_grooveexe168', $policySettings.DeviceSettings.l_grooveexe168) + $complexDeviceSettings.Add('L_ObjectCachingProtection', $policySettings.DeviceSettings.l_ObjectCachingProtection) + $complexDeviceSettings.Add('L_winwordexe77', $policySettings.DeviceSettings.l_winwordexe77) + $complexDeviceSettings.Add('L_powerpntexe73', $policySettings.DeviceSettings.l_powerpntexe73) + $complexDeviceSettings.Add('L_spdesignexe79', $policySettings.DeviceSettings.l_spdesignexe79) + $complexDeviceSettings.Add('L_mse7exe83', $policySettings.DeviceSettings.l_mse7exe83) + $complexDeviceSettings.Add('L_mspubexe72', $policySettings.DeviceSettings.l_mspubexe72) + $complexDeviceSettings.Add('L_msaccessexe81', $policySettings.DeviceSettings.l_msaccessexe81) + $complexDeviceSettings.Add('L_onenoteexe82', $policySettings.DeviceSettings.l_onenoteexe82) + $complexDeviceSettings.Add('L_outlookexe78', $policySettings.DeviceSettings.l_outlookexe78) + $complexDeviceSettings.Add('L_grooveexe70', $policySettings.DeviceSettings.l_grooveexe70) + $complexDeviceSettings.Add('L_excelexe71', $policySettings.DeviceSettings.l_excelexe71) + $complexDeviceSettings.Add('L_visioexe75', $policySettings.DeviceSettings.l_visioexe75) + $complexDeviceSettings.Add('L_pptviewexe74', $policySettings.DeviceSettings.l_pptviewexe74) + $complexDeviceSettings.Add('L_winprojexe76', $policySettings.DeviceSettings.l_winprojexe76) + $complexDeviceSettings.Add('L_exprwdexe80', $policySettings.DeviceSettings.l_exprwdexe80) + $complexDeviceSettings.Add('L_ProtectionFromZoneElevation', $policySettings.DeviceSettings.l_ProtectionFromZoneElevation) + $complexDeviceSettings.Add('L_mspubexe100', $policySettings.DeviceSettings.l_mspubexe100) + $complexDeviceSettings.Add('L_visioexe103', $policySettings.DeviceSettings.l_visioexe103) + $complexDeviceSettings.Add('L_powerpntexe101', $policySettings.DeviceSettings.l_powerpntexe101) + $complexDeviceSettings.Add('L_excelexe99', $policySettings.DeviceSettings.l_excelexe99) + $complexDeviceSettings.Add('L_mse7exe111', $policySettings.DeviceSettings.l_mse7exe111) + $complexDeviceSettings.Add('L_winwordexe105', $policySettings.DeviceSettings.l_winwordexe105) + $complexDeviceSettings.Add('L_exprwdexe108', $policySettings.DeviceSettings.l_exprwdexe108) + $complexDeviceSettings.Add('L_msaccessexe109', $policySettings.DeviceSettings.l_msaccessexe109) + $complexDeviceSettings.Add('L_spdesignexe107', $policySettings.DeviceSettings.l_spdesignexe107) + $complexDeviceSettings.Add('L_onenoteexe110', $policySettings.DeviceSettings.l_onenoteexe110) + $complexDeviceSettings.Add('L_pptviewexe102', $policySettings.DeviceSettings.l_pptviewexe102) + $complexDeviceSettings.Add('L_winprojexe104', $policySettings.DeviceSettings.l_winprojexe104) + $complexDeviceSettings.Add('L_grooveexe98', $policySettings.DeviceSettings.l_grooveexe98) + $complexDeviceSettings.Add('L_outlookexe106', $policySettings.DeviceSettings.l_outlookexe106) + $complexDeviceSettings.Add('L_RestrictActiveXInstall', $policySettings.DeviceSettings.l_RestrictActiveXInstall) + $complexDeviceSettings.Add('L_mse7exe', $policySettings.DeviceSettings.l_mse7exe) + $complexDeviceSettings.Add('L_powerpntexe', $policySettings.DeviceSettings.l_powerpntexe) + $complexDeviceSettings.Add('L_spDesignexe', $policySettings.DeviceSettings.l_spDesignexe) + $complexDeviceSettings.Add('L_onenoteexe', $policySettings.DeviceSettings.l_onenoteexe) + $complexDeviceSettings.Add('L_excelexe', $policySettings.DeviceSettings.l_excelexe) + $complexDeviceSettings.Add('L_mspubexe', $policySettings.DeviceSettings.l_mspubexe) + $complexDeviceSettings.Add('L_visioexe', $policySettings.DeviceSettings.l_visioexe) + $complexDeviceSettings.Add('L_exprwdexe', $policySettings.DeviceSettings.l_exprwdexe) + $complexDeviceSettings.Add('L_outlookexe', $policySettings.DeviceSettings.l_outlookexe) + $complexDeviceSettings.Add('L_pptviewexe', $policySettings.DeviceSettings.l_pptviewexe) + $complexDeviceSettings.Add('L_winprojexe', $policySettings.DeviceSettings.l_winprojexe) + $complexDeviceSettings.Add('L_winwordexe', $policySettings.DeviceSettings.l_winwordexe) + $complexDeviceSettings.Add('L_grooveexe', $policySettings.DeviceSettings.l_grooveexe) + $complexDeviceSettings.Add('L_msaccessexe', $policySettings.DeviceSettings.l_msaccessexe) + $complexDeviceSettings.Add('L_RestrictFileDownload', $policySettings.DeviceSettings.l_RestrictFileDownload) + $complexDeviceSettings.Add('L_visioexe5', $policySettings.DeviceSettings.l_visioexe5) + $complexDeviceSettings.Add('L_winprojexe6', $policySettings.DeviceSettings.l_winprojexe6) + $complexDeviceSettings.Add('L_msaccessexe11', $policySettings.DeviceSettings.l_msaccessexe11) + $complexDeviceSettings.Add('L_spdesignexe9', $policySettings.DeviceSettings.l_spdesignexe9) + $complexDeviceSettings.Add('L_excelexe1', $policySettings.DeviceSettings.l_excelexe1) + $complexDeviceSettings.Add('L_powerpntexe3', $policySettings.DeviceSettings.l_powerpntexe3) + $complexDeviceSettings.Add('L_mspubexe2', $policySettings.DeviceSettings.l_mspubexe2) + $complexDeviceSettings.Add('L_exprwdexe10', $policySettings.DeviceSettings.l_exprwdexe10) + $complexDeviceSettings.Add('L_outlookexe8', $policySettings.DeviceSettings.l_outlookexe8) + $complexDeviceSettings.Add('L_pptviewexe4', $policySettings.DeviceSettings.l_pptviewexe4) + $complexDeviceSettings.Add('L_winwordexe7', $policySettings.DeviceSettings.l_winwordexe7) + $complexDeviceSettings.Add('L_onenoteexe12', $policySettings.DeviceSettings.l_onenoteexe12) + $complexDeviceSettings.Add('L_mse7exe13', $policySettings.DeviceSettings.l_mse7exe13) + $complexDeviceSettings.Add('L_grooveexe0', $policySettings.DeviceSettings.l_grooveexe0) + $complexDeviceSettings.Add('L_SavedfromURL', $policySettings.DeviceSettings.l_SavedfromURL) + $complexDeviceSettings.Add('L_pptviewexe158', $policySettings.DeviceSettings.l_pptviewexe158) + $complexDeviceSettings.Add('L_exprwdexe164', $policySettings.DeviceSettings.l_exprwdexe164) + $complexDeviceSettings.Add('L_mse7exe167', $policySettings.DeviceSettings.l_mse7exe167) + $complexDeviceSettings.Add('L_spdesignexe163', $policySettings.DeviceSettings.l_spdesignexe163) + $complexDeviceSettings.Add('L_winprojexe160', $policySettings.DeviceSettings.l_winprojexe160) + $complexDeviceSettings.Add('L_mspubexe156', $policySettings.DeviceSettings.l_mspubexe156) + $complexDeviceSettings.Add('L_visioexe159', $policySettings.DeviceSettings.l_visioexe159) + $complexDeviceSettings.Add('L_winwordexe161', $policySettings.DeviceSettings.l_winwordexe161) + $complexDeviceSettings.Add('L_msaccessexe165', $policySettings.DeviceSettings.l_msaccessexe165) + $complexDeviceSettings.Add('L_onenoteexe166', $policySettings.DeviceSettings.l_onenoteexe166) + $complexDeviceSettings.Add('L_outlookexe162', $policySettings.DeviceSettings.l_outlookexe162) + $complexDeviceSettings.Add('L_grooveexe154', $policySettings.DeviceSettings.l_grooveexe154) + $complexDeviceSettings.Add('L_excelexe155', $policySettings.DeviceSettings.l_excelexe155) + $complexDeviceSettings.Add('L_powerpntexe157', $policySettings.DeviceSettings.l_powerpntexe157) + $complexDeviceSettings.Add('L_ScriptedWindowSecurityRestrictions', $policySettings.DeviceSettings.l_ScriptedWindowSecurityRestrictions) + $complexDeviceSettings.Add('L_exprwdexe94', $policySettings.DeviceSettings.l_exprwdexe94) + $complexDeviceSettings.Add('L_mse7exe97', $policySettings.DeviceSettings.l_mse7exe97) + $complexDeviceSettings.Add('L_mspubexe86', $policySettings.DeviceSettings.l_mspubexe86) + $complexDeviceSettings.Add('L_outlookexe92', $policySettings.DeviceSettings.l_outlookexe92) + $complexDeviceSettings.Add('L_msaccessexe95', $policySettings.DeviceSettings.l_msaccessexe95) + $complexDeviceSettings.Add('L_powerpntexe87', $policySettings.DeviceSettings.l_powerpntexe87) + $complexDeviceSettings.Add('L_grooveexe84', $policySettings.DeviceSettings.l_grooveexe84) + $complexDeviceSettings.Add('L_excelexe85', $policySettings.DeviceSettings.l_excelexe85) + $complexDeviceSettings.Add('L_pptviewexe88', $policySettings.DeviceSettings.l_pptviewexe88) + $complexDeviceSettings.Add('L_spdesignexe93', $policySettings.DeviceSettings.l_spdesignexe93) + $complexDeviceSettings.Add('L_visioexe89', $policySettings.DeviceSettings.l_visioexe89) + $complexDeviceSettings.Add('L_onenoteexe96', $policySettings.DeviceSettings.l_onenoteexe96) + $complexDeviceSettings.Add('L_winprojexe90', $policySettings.DeviceSettings.l_winprojexe90) + $complexDeviceSettings.Add('L_winwordexe91', $policySettings.DeviceSettings.l_winwordexe91) + if ($complexDeviceSettings.values.Where({$null -ne $_}).Count -eq 0) + { + $complexDeviceSettings = $null + } + $policySettings.Remove('DeviceSettings') | Out-Null + + $complexUserSettings = @{} + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty', $policySettings.UserSettings.microsoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty) + $complexUserSettings.Add('L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks', $policySettings.UserSettings.l_Donotshowdataextractionoptionswhenopeningcorruptworkbooks) + $complexUserSettings.Add('L_Asktoupdateautomaticlinks', $policySettings.UserSettings.l_Asktoupdateautomaticlinks) + $complexUserSettings.Add('L_LoadpicturesfromWebpagesnotcreatedinExcel', $policySettings.UserSettings.l_LoadpicturesfromWebpagesnotcreatedinExcel) + $complexUserSettings.Add('L_DisableAutoRepublish', $policySettings.UserSettings.l_DisableAutoRepublish) + $complexUserSettings.Add('L_DoNotShowAutoRepublishWarningAlert', $policySettings.UserSettings.l_DoNotShowAutoRepublishWarningAlert) + $complexUserSettings.Add('L_Forcefileextenstionstomatch', $policySettings.UserSettings.l_Forcefileextenstionstomatch) + $complexUserSettings.Add('L_Forcefileextenstionstomatch_L_Empty', $policySettings.UserSettings.l_Forcefileextenstionstomatch_L_Empty) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedExcel', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedExcel) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedExcelDropID', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedExcelDropID) + $complexUserSettings.Add('L_BlockXLLFromInternet', $policySettings.UserSettings.l_BlockXLLFromInternet) + $complexUserSettings.Add('L_BlockXLLFromInternetEnum', $policySettings.UserSettings.l_BlockXLLFromInternetEnum) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('L_EnableBlockUnsecureQueryFiles', $policySettings.UserSettings.l_EnableBlockUnsecureQueryFiles) + $complexUserSettings.Add('L_DBaseIIIANDIVFiles', $policySettings.UserSettings.l_DBaseIIIANDIVFiles) + $complexUserSettings.Add('L_DBaseIIIANDIVFilesDropID', $policySettings.UserSettings.l_DBaseIIIANDIVFilesDropID) + $complexUserSettings.Add('L_DifAndSylkFiles', $policySettings.UserSettings.l_DifAndSylkFiles) + $complexUserSettings.Add('L_DifAndSylkFilesDropID', $policySettings.UserSettings.l_DifAndSylkFilesDropID) + $complexUserSettings.Add('L_Excel2MacrosheetsAndAddInFiles', $policySettings.UserSettings.l_Excel2MacrosheetsAndAddInFiles) + $complexUserSettings.Add('L_Excel2MacrosheetsAndAddInFilesDropID', $policySettings.UserSettings.l_Excel2MacrosheetsAndAddInFilesDropID) + $complexUserSettings.Add('L_Excel2Worksheets', $policySettings.UserSettings.l_Excel2Worksheets) + $complexUserSettings.Add('L_Excel2WorksheetsDropID', $policySettings.UserSettings.l_Excel2WorksheetsDropID) + $complexUserSettings.Add('L_Excel3MacrosheetsAndAddInFiles', $policySettings.UserSettings.l_Excel3MacrosheetsAndAddInFiles) + $complexUserSettings.Add('L_Excel3MacrosheetsAndAddInFilesDropID', $policySettings.UserSettings.l_Excel3MacrosheetsAndAddInFilesDropID) + $complexUserSettings.Add('L_Excel3Worksheets', $policySettings.UserSettings.l_Excel3Worksheets) + $complexUserSettings.Add('L_Excel3WorksheetsDropID', $policySettings.UserSettings.l_Excel3WorksheetsDropID) + $complexUserSettings.Add('L_Excel4MacrosheetsAndAddInFiles', $policySettings.UserSettings.l_Excel4MacrosheetsAndAddInFiles) + $complexUserSettings.Add('L_Excel4MacrosheetsAndAddInFilesDropID', $policySettings.UserSettings.l_Excel4MacrosheetsAndAddInFilesDropID) + $complexUserSettings.Add('L_Excel4Workbooks', $policySettings.UserSettings.l_Excel4Workbooks) + $complexUserSettings.Add('L_Excel4WorkbooksDropID', $policySettings.UserSettings.l_Excel4WorkbooksDropID) + $complexUserSettings.Add('L_Excel4Worksheets', $policySettings.UserSettings.l_Excel4Worksheets) + $complexUserSettings.Add('L_Excel4WorksheetsDropID', $policySettings.UserSettings.l_Excel4WorksheetsDropID) + $complexUserSettings.Add('L_Excel95Workbooks', $policySettings.UserSettings.l_Excel95Workbooks) + $complexUserSettings.Add('L_Excel95WorkbooksDropID', $policySettings.UserSettings.l_Excel95WorkbooksDropID) + $complexUserSettings.Add('L_Excel9597WorkbooksAndTemplates', $policySettings.UserSettings.l_Excel9597WorkbooksAndTemplates) + $complexUserSettings.Add('L_Excel9597WorkbooksAndTemplatesDropID', $policySettings.UserSettings.l_Excel9597WorkbooksAndTemplatesDropID) + $complexUserSettings.Add('L_Excel972003WorkbooksAndTemplates', $policySettings.UserSettings.l_Excel972003WorkbooksAndTemplates) + $complexUserSettings.Add('L_Excel972003WorkbooksAndTemplatesDropID', $policySettings.UserSettings.l_Excel972003WorkbooksAndTemplatesDropID) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID) + $complexUserSettings.Add('L_WebPagesAndExcel2003XMLSpreadsheets', $policySettings.UserSettings.l_WebPagesAndExcel2003XMLSpreadsheets) + $complexUserSettings.Add('L_WebPagesAndExcel2003XMLSpreadsheetsDropID', $policySettings.UserSettings.l_WebPagesAndExcel2003XMLSpreadsheetsDropID) + $complexUserSettings.Add('L_XL4KillSwitchPolicy', $policySettings.UserSettings.l_XL4KillSwitchPolicy) + $complexUserSettings.Add('L_EnableDataBaseFileProtectedView', $policySettings.UserSettings.l_EnableDataBaseFileProtectedView) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftExcel_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('L_empty4', $policySettings.UserSettings.l_empty4) + $complexUserSettings.Add('MicrosoftExcel_Security_L_TurnOffFileValidation', $policySettings.UserSettings.microsoftExcel_Security_L_TurnOffFileValidation) + $complexUserSettings.Add('L_WebContentWarningLevel', $policySettings.UserSettings.l_WebContentWarningLevel) + $complexUserSettings.Add('L_WebContentWarningLevelValue', $policySettings.UserSettings.l_WebContentWarningLevelValue) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicy', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicy) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyWord', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyWord) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyExcel', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyExcel) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyVisio', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyVisio) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyPublisher', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyPublisher) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyOutlook', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyOutlook) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyProject', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyProject) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyAccess', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyAccess) + $complexUserSettings.Add('L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath', $policySettings.UserSettings.l_NoExtensibilityCustomizationFromDocumentPolicyInfoPath) + $complexUserSettings.Add('L_ActiveXControlInitialization', $policySettings.UserSettings.l_ActiveXControlInitialization) + $complexUserSettings.Add('L_ActiveXControlInitializationcolon', $policySettings.UserSettings.l_ActiveXControlInitializationcolon) + $complexUserSettings.Add('L_BasicAuthProxyBehavior', $policySettings.UserSettings.l_BasicAuthProxyBehavior) + $complexUserSettings.Add('L_AllowVbaIntranetRefs', $policySettings.UserSettings.l_AllowVbaIntranetRefs) + $complexUserSettings.Add('L_AutomationSecurity', $policySettings.UserSettings.l_AutomationSecurity) + $complexUserSettings.Add('L_SettheAutomationSecuritylevel', $policySettings.UserSettings.l_SettheAutomationSecuritylevel) + $complexUserSettings.Add('L_AuthenticationFBABehavior', $policySettings.UserSettings.l_AuthenticationFBABehavior) + $complexUserSettings.Add('L_AuthenticationFBAEnabledHostsID', $policySettings.UserSettings.l_AuthenticationFBAEnabledHostsID) + $complexUserSettings.Add('L_authenticationFBABehaviorEnum', $policySettings.UserSettings.l_authenticationFBABehaviorEnum) + $complexUserSettings.Add('L_DisableStrictVbaRefsSecurityPolicy', $policySettings.UserSettings.l_DisableStrictVbaRefsSecurityPolicy) + $complexUserSettings.Add('L_DisableallTrustBarnotificationsfor', $policySettings.UserSettings.l_DisableallTrustBarnotificationsfor) + $complexUserSettings.Add('L_Encryptiontypeforirm', $policySettings.UserSettings.l_Encryptiontypeforirm) + $complexUserSettings.Add('L_Encryptiontypeforirmcolon', $policySettings.UserSettings.l_Encryptiontypeforirmcolon) + $complexUserSettings.Add('L_Encryptiontypeforpasswordprotectedoffice972003', $policySettings.UserSettings.l_Encryptiontypeforpasswordprotectedoffice972003) + $complexUserSettings.Add('L_encryptiontypecolon318', $policySettings.UserSettings.l_encryptiontypecolon318) + $complexUserSettings.Add('L_Encryptiontypeforpasswordprotectedofficeopen', $policySettings.UserSettings.l_Encryptiontypeforpasswordprotectedofficeopen) + $complexUserSettings.Add('L_Encryptiontypecolon', $policySettings.UserSettings.l_Encryptiontypecolon) + $complexUserSettings.Add('L_LoadControlsinForms3', $policySettings.UserSettings.l_LoadControlsinForms3) + $complexUserSettings.Add('L_LoadControlsinForms3colon', $policySettings.UserSettings.l_LoadControlsinForms3colon) + $complexUserSettings.Add('L_MacroRuntimeScanScope', $policySettings.UserSettings.l_MacroRuntimeScanScope) + $complexUserSettings.Add('L_MacroRuntimeScanScopeEnum', $policySettings.UserSettings.l_MacroRuntimeScanScopeEnum) + $complexUserSettings.Add('L_Protectdocumentmetadataforrightsmanaged', $policySettings.UserSettings.l_Protectdocumentmetadataforrightsmanaged) + $complexUserSettings.Add('L_Allowmixofpolicyanduserlocations', $policySettings.UserSettings.l_Allowmixofpolicyanduserlocations) + $complexUserSettings.Add('L_DisabletheOfficeclientfrompolling', $policySettings.UserSettings.l_DisabletheOfficeclientfrompolling) + $complexUserSettings.Add('L_DisableSmartDocumentsuseofmanifests', $policySettings.UserSettings.l_DisableSmartDocumentsuseofmanifests) + $complexUserSettings.Add('L_OutlookSecurityMode', $policySettings.UserSettings.l_OutlookSecurityMode) + $complexUserSettings.Add('L_OOMAddressAccess', $policySettings.UserSettings.l_OOMAddressAccess) + $complexUserSettings.Add('L_OOMAddressAccess_Setting', $policySettings.UserSettings.l_OOMAddressAccess_Setting) + $complexUserSettings.Add('L_OOMMeetingTaskRequest', $policySettings.UserSettings.l_OOMMeetingTaskRequest) + $complexUserSettings.Add('L_OOMMeetingTaskRequest_Setting', $policySettings.UserSettings.l_OOMMeetingTaskRequest_Setting) + $complexUserSettings.Add('L_OOMSend', $policySettings.UserSettings.l_OOMSend) + $complexUserSettings.Add('L_OOMSend_Setting', $policySettings.UserSettings.l_OOMSend_Setting) + $complexUserSettings.Add('L_Preventusersfromcustomizingattachmentsecuritysettings', $policySettings.UserSettings.l_Preventusersfromcustomizingattachmentsecuritysettings) + $complexUserSettings.Add('L_RetrievingCRLsCertificateRevocationLists', $policySettings.UserSettings.l_RetrievingCRLsCertificateRevocationLists) + $complexUserSettings.Add('L_empty31', $policySettings.UserSettings.l_empty31) + $complexUserSettings.Add('L_OOMFormula', $policySettings.UserSettings.l_OOMFormula) + $complexUserSettings.Add('L_OOMFormula_Setting', $policySettings.UserSettings.l_OOMFormula_Setting) + $complexUserSettings.Add('L_AuthenticationwithExchangeServer', $policySettings.UserSettings.l_AuthenticationwithExchangeServer) + $complexUserSettings.Add('L_SelecttheauthenticationwithExchangeserver', $policySettings.UserSettings.l_SelecttheauthenticationwithExchangeserver) + $complexUserSettings.Add('L_EnableRPCEncryption', $policySettings.UserSettings.l_EnableRPCEncryption) + $complexUserSettings.Add('L_Enablelinksinemailmessages', $policySettings.UserSettings.l_Enablelinksinemailmessages) + $complexUserSettings.Add('L_OOMAddressBook', $policySettings.UserSettings.l_OOMAddressBook) + $complexUserSettings.Add('L_OOMAddressBook_Setting', $policySettings.UserSettings.l_OOMAddressBook_Setting) + $complexUserSettings.Add('L_OutlookSecurityPolicy', $policySettings.UserSettings.l_OutlookSecurityPolicy) + $complexUserSettings.Add('L_AllowUsersToLowerAttachments', $policySettings.UserSettings.l_AllowUsersToLowerAttachments) + $complexUserSettings.Add('L_AllowActiveXOneOffForms', $policySettings.UserSettings.l_AllowActiveXOneOffForms) + $complexUserSettings.Add('L_empty29', $policySettings.UserSettings.l_empty29) + $complexUserSettings.Add('L_EnableScriptsInOneOffForms', $policySettings.UserSettings.l_EnableScriptsInOneOffForms) + $complexUserSettings.Add('L_Level2RemoveFilePolicy', $policySettings.UserSettings.l_Level2RemoveFilePolicy) + $complexUserSettings.Add('L_removedextensions25', $policySettings.UserSettings.l_removedextensions25) + $complexUserSettings.Add('L_MSGUnicodeformatwhendraggingtofilesystem', $policySettings.UserSettings.l_MSGUnicodeformatwhendraggingtofilesystem) + $complexUserSettings.Add('L_OnExecuteCustomActionOOM', $policySettings.UserSettings.l_OnExecuteCustomActionOOM) + $complexUserSettings.Add('L_OnExecuteCustomActionOOM_Setting', $policySettings.UserSettings.l_OnExecuteCustomActionOOM_Setting) + $complexUserSettings.Add('L_DisableOutlookobjectmodelscriptsforpublicfolders', $policySettings.UserSettings.l_DisableOutlookobjectmodelscriptsforpublicfolders) + $complexUserSettings.Add('L_BlockInternet', $policySettings.UserSettings.l_BlockInternet) + $complexUserSettings.Add('L_SecurityLevelOutlook', $policySettings.UserSettings.l_SecurityLevelOutlook) + $complexUserSettings.Add('L_SecurityLevel', $policySettings.UserSettings.l_SecurityLevel) + $complexUserSettings.Add('L_Level1RemoveFilePolicy', $policySettings.UserSettings.l_Level1RemoveFilePolicy) + $complexUserSettings.Add('L_RemovedExtensions', $policySettings.UserSettings.l_RemovedExtensions) + $complexUserSettings.Add('L_SignatureWarning', $policySettings.UserSettings.l_SignatureWarning) + $complexUserSettings.Add('L_signaturewarning30', $policySettings.UserSettings.l_signaturewarning30) + $complexUserSettings.Add('L_Level1Attachments', $policySettings.UserSettings.l_Level1Attachments) + $complexUserSettings.Add('L_Minimumencryptionsettings', $policySettings.UserSettings.l_Minimumencryptionsettings) + $complexUserSettings.Add('L_Minimumkeysizeinbits', $policySettings.UserSettings.l_Minimumkeysizeinbits) + $complexUserSettings.Add('L_DisableOutlookobjectmodelscripts', $policySettings.UserSettings.l_DisableOutlookobjectmodelscripts) + $complexUserSettings.Add('L_OOMSaveAs', $policySettings.UserSettings.l_OOMSaveAs) + $complexUserSettings.Add('L_OOMSaveAs_Setting', $policySettings.UserSettings.l_OOMSaveAs_Setting) + $complexUserSettings.Add('L_JunkEmailprotectionlevel', $policySettings.UserSettings.l_JunkEmailprotectionlevel) + $complexUserSettings.Add('L_Selectlevel', $policySettings.UserSettings.l_Selectlevel) + $complexUserSettings.Add('L_RunPrograms', $policySettings.UserSettings.l_RunPrograms) + $complexUserSettings.Add('L_RunPrograms_L_Empty', $policySettings.UserSettings.l_RunPrograms_L_Empty) + $complexUserSettings.Add('L_Determinewhethertoforceencryptedppt', $policySettings.UserSettings.l_Determinewhethertoforceencryptedppt) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedpptDropID', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedpptDropID) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles', $policySettings.UserSettings.l_PowerPoint972003PresentationsShowsTemplatesandAddInFiles) + $complexUserSettings.Add('L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID', $policySettings.UserSettings.l_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('L_empty3', $policySettings.UserSettings.l_empty3) + $complexUserSettings.Add('MicrosoftPowerPoint_Security_L_TurnOffFileValidation', $policySettings.UserSettings.microsoftPowerPoint_Security_L_TurnOffFileValidation) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty', $policySettings.UserSettings.microsoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty) + $complexUserSettings.Add('L_PublisherAutomationSecurityLevel', $policySettings.UserSettings.l_PublisherAutomationSecurityLevel) + $complexUserSettings.Add('L_PublisherAutomationSecurityLevel_L_Empty', $policySettings.UserSettings.l_PublisherAutomationSecurityLevel_L_Empty) + $complexUserSettings.Add('MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('L_empty0', $policySettings.UserSettings.l_empty0) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('L_Visio2000Files', $policySettings.UserSettings.l_Visio2000Files) + $complexUserSettings.Add('L_Visio2000FilesDropID', $policySettings.UserSettings.l_Visio2000FilesDropID) + $complexUserSettings.Add('L_Visio2003Files', $policySettings.UserSettings.l_Visio2003Files) + $complexUserSettings.Add('L_Visio2003FilesDropID', $policySettings.UserSettings.l_Visio2003FilesDropID) + $complexUserSettings.Add('L_Visio50AndEarlierFiles', $policySettings.UserSettings.l_Visio50AndEarlierFiles) + $complexUserSettings.Add('L_Visio50AndEarlierFilesDropID', $policySettings.UserSettings.l_Visio50AndEarlierFilesDropID) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty', $policySettings.UserSettings.microsoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned) + $complexUserSettings.Add('L_AllowDDE', $policySettings.UserSettings.l_AllowDDE) + $complexUserSettings.Add('L_AllowDDEDropID', $policySettings.UserSettings.l_AllowDDEDropID) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior', $policySettings.UserSettings.microsoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID', $policySettings.UserSettings.microsoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID) + $complexUserSettings.Add('L_Word2AndEarlierBinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word2AndEarlierBinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word2AndEarlierBinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word2000BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word2000BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word2000BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word2000BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word2003BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word2003BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word2003BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word2003BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word2007AndLaterBinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word2007AndLaterBinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word2007AndLaterBinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word6Pt0BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word6Pt0BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word6Pt0BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word6Pt0BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word95BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word95BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word95BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word95BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_Word97BinaryDocumentsAndTemplates', $policySettings.UserSettings.l_Word97BinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_Word97BinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_Word97BinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('L_WordXPBinaryDocumentsAndTemplates', $policySettings.UserSettings.l_WordXPBinaryDocumentsAndTemplates) + $complexUserSettings.Add('L_WordXPBinaryDocumentsAndTemplatesDropID', $policySettings.UserSettings.l_WordXPBinaryDocumentsAndTemplatesDropID) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook', $policySettings.UserSettings.microsoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedWord', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedWord) + $complexUserSettings.Add('L_DeterminewhethertoforceencryptedWordDropID', $policySettings.UserSettings.l_DeterminewhethertoforceencryptedWordDropID) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy', $policySettings.UserSettings.microsoftWord_Security_TrustCenter_L_VBAWarningsPolicy) + $complexUserSettings.Add('L_empty19', $policySettings.UserSettings.l_empty19) + $complexUserSettings.Add('MicrosoftWord_Security_L_TurnOffFileValidation', $policySettings.UserSettings.microsoftWord_Security_L_TurnOffFileValidation) + $complexUserSettings.Add('MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork', $policySettings.UserSettings.microsoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork) + if ($complexUserSettings.values.Where({$null -ne $_}).Count -eq 0) + { + $complexUserSettings = $null + } + $policySettings.Remove('UserSettings') | Out-Null + #endregion + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + DeviceSettings = $complexDeviceSettings + UserSettings = $complexUserSettings + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = '90316f12-246d-44c6-a767-f87692e86083_2' + $platforms = 'windows10' + $technologies = 'mdm' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Security Baseline Microsoft365 Apps For Enterprise with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId ` + -ContainsDeviceAndUserSettings + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId ` + -ContainsDeviceAndUserSettings + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Security Baseline Microsoft365 Apps For Enterprise with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) -Verbose + + if (-not $testResult) + { + Write-Verbose "$key is different" -Verbose + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "90316f12-246d-44c6-a767-f87692e86083_2" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($null -ne $Results.DeviceSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.DeviceSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.DeviceSettings = $complexTypeStringResult + } + else + { + $Results.Remove('DeviceSettings') | Out-Null + } + } + if ($null -ne $Results.UserSettings) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` + -ComplexObject $Results.UserSettings ` + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise' + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) + { + $Results.UserSettings = $complexTypeStringResult + } + else + { + $Results.Remove('UserSettings') | Out-Null + } + } + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.DeviceSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "DeviceSettings" -IsCIMArray:$False + } + if ($Results.UserSettings) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserSettings" -IsCIMArray:$False + } + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.schema.mof new file mode 100644 index 0000000000..a7811bfc7d --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise.schema.mof @@ -0,0 +1,476 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise +{ + [Write, Description("Block Flash activation in Office documents (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_A001_Block_Flash; + [Write, Description("Block Flash player in Office (Device) - Depends on Pol_SecGuide_A001_Block_Flash (block all flash activation: Block all activation, block embedded flash activation only: Block embedding/linking, allow other activation, allow all flash activation: Allow all activation)"), ValueMap{"block all flash activation", "block embedded flash activation only", "allow all flash activation"}, Values{"block all flash activation", "block embedded flash activation only", "allow all flash activation"}] String Pol_SecGuide_Block_Flash; + [Write, Description("Restrict legacy JScript execution for Office (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_Legacy_JScript; + [Write, Description("PowerPoint: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_powerpnt; + [Write, Description("OneNote: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_onenote; + [Write, Description("Publisher: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_mspub; + [Write, Description("Access: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_msaccess; + [Write, Description("Project: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_winproj; + [Write, Description("Visio: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_visio; + [Write, Description("Outlook: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_outlook; + [Write, Description("Word: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_winword; + [Write, Description("Excel: (Device) - Depends on Pol_SecGuide_Legacy_JScript")] SInt32 POL_SG_excel; + [Write, Description("Configure SIP security mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_PolicyEnableSIPHighSecurityMode; + [Write, Description("Disable HTTP fallback for SIP connection (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_PolicyDisableHttpConnect; + [Write, Description("Add-on Management (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AddonManagement; + [Write, Description("powerpnt.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe17; + [Write, Description("excel.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe15; + [Write, Description("visio.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe19; + [Write, Description("onent.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe26; + [Write, Description("outlook.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe22; + [Write, Description("pptview.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe18; + [Write, Description("winword.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe21; + [Write, Description("exprwd.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe24; + [Write, Description("spDesign.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe23; + [Write, Description("winproj.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe20; + [Write, Description("groove.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe14; + [Write, Description("mspub.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe16; + [Write, Description("mse7.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe27; + [Write, Description("msaccess.exe (Device) - Depends on L_AddonManagement (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe25; + [Write, Description("Consistent Mime Handling (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ConsistentMimeHandling; + [Write, Description("excel.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe43; + [Write, Description("spDesign.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe51; + [Write, Description("onent.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe54; + [Write, Description("outlook.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe50; + [Write, Description("pptview.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe46; + [Write, Description("mspub.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe44; + [Write, Description("visio.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe47; + [Write, Description("winproj.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe48; + [Write, Description("msaccess.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe53; + [Write, Description("powerpnt.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe45; + [Write, Description("groove.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe42; + [Write, Description("mse7.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe55; + [Write, Description("winword.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe49; + [Write, Description("exprwd.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe52; + [Write, Description("Disable user name and password (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Disableusernameandpassword; + [Write, Description("excel.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe127; + [Write, Description("groove.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe126; + [Write, Description("onent.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe138; + [Write, Description("mse7.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe139; + [Write, Description("mspub.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe128; + [Write, Description("visio.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe131; + [Write, Description("exprwd.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe136; + [Write, Description("msaccess.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe137; + [Write, Description("spDesign.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe135; + [Write, Description("winword.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe133; + [Write, Description("powerpnt.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe129; + [Write, Description("outlook.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe134; + [Write, Description("winproj.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe132; + [Write, Description("pptview.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe130; + [Write, Description("Information Bar (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Informationbar; + [Write, Description("excel.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe113; + [Write, Description("mspub.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe114; + [Write, Description("msaccess.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe123; + [Write, Description("onent.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe124; + [Write, Description("outlook.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe120; + [Write, Description("winproj.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe118; + [Write, Description("powerpnt.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe115; + [Write, Description("spDesign.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe121; + [Write, Description("groove.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe112; + [Write, Description("visio.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe117; + [Write, Description("mse7.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe125; + [Write, Description("winword.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe119; + [Write, Description("exprwd.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe122; + [Write, Description("pptview.exe (Device) - Depends on L_Informationbar (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe116; + [Write, Description("Local Machine Zone Lockdown Security (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_LocalMachineZoneLockdownSecurity; + [Write, Description("mse7.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe41; + [Write, Description("powerpnt.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe31; + [Write, Description("mspub.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe30; + [Write, Description("outlook.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe36; + [Write, Description("pptview.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe32; + [Write, Description("excel.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe29; + [Write, Description("exprwd.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe38; + [Write, Description("groove.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe28; + [Write, Description("winword.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe35; + [Write, Description("msaccess.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe39; + [Write, Description("spDesign.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe37; + [Write, Description("visio.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe33; + [Write, Description("onent.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe40; + [Write, Description("winproj.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe34; + [Write, Description("Mime Sniffing Safety Feature (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_MimeSniffingSafetyFature; + [Write, Description("powerpnt.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe59; + [Write, Description("exprwd.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe66; + [Write, Description("groove.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe56; + [Write, Description("visio.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe61; + [Write, Description("outlook.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe64; + [Write, Description("mspub.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe58; + [Write, Description("mse7.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe69; + [Write, Description("msaccess.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe67; + [Write, Description("pptview.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe60; + [Write, Description("winproj.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe62; + [Write, Description("spDesign.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe65; + [Write, Description("onent.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe68; + [Write, Description("winword.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe63; + [Write, Description("excel.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe57; + [Write, Description("Navigate URL (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NavigateURL; + [Write, Description("spDesign.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe177; + [Write, Description("onent.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe180; + [Write, Description("pptview.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe172; + [Write, Description("outlook.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe176; + [Write, Description("winproj.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe174; + [Write, Description("msaccess.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe179; + [Write, Description("winword.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe175; + [Write, Description("excel.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe169; + [Write, Description("mspub.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe170; + [Write, Description("exprwd.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe178; + [Write, Description("powerpnt.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe171; + [Write, Description("visio.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe173; + [Write, Description("mse7.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe181; + [Write, Description("groove.exe (Device) - Depends on L_NavigateURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe168; + [Write, Description("Object Caching Protection (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ObjectCachingProtection; + [Write, Description("winword.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe77; + [Write, Description("powerpnt.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe73; + [Write, Description("spDesign.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe79; + [Write, Description("mse7.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe83; + [Write, Description("mspub.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe72; + [Write, Description("msaccess.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe81; + [Write, Description("onent.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe82; + [Write, Description("outlook.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe78; + [Write, Description("groove.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe70; + [Write, Description("excel.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe71; + [Write, Description("visio.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe75; + [Write, Description("pptview.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe74; + [Write, Description("winproj.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe76; + [Write, Description("exprwd.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe80; + [Write, Description("Protection From Zone Elevation (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ProtectionFromZoneElevation; + [Write, Description("mspub.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe100; + [Write, Description("visio.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe103; + [Write, Description("powerpnt.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe101; + [Write, Description("excel.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe99; + [Write, Description("mse7.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe111; + [Write, Description("winword.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe105; + [Write, Description("exprwd.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe108; + [Write, Description("msaccess.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe109; + [Write, Description("spDesign.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe107; + [Write, Description("onent.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe110; + [Write, Description("pptview.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe102; + [Write, Description("winproj.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe104; + [Write, Description("groove.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe98; + [Write, Description("outlook.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe106; + [Write, Description("Restrict ActiveX Install (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_RestrictActiveXInstall; + [Write, Description("mse7.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe; + [Write, Description("powerpnt.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe; + [Write, Description("spDesign.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spDesignexe; + [Write, Description("onent.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe; + [Write, Description("excel.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe; + [Write, Description("mspub.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe; + [Write, Description("visio.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe; + [Write, Description("exprwd.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe; + [Write, Description("outlook.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe; + [Write, Description("pptview.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe; + [Write, Description("winproj.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe; + [Write, Description("winword.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe; + [Write, Description("groove.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe; + [Write, Description("msaccess.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe; + [Write, Description("Restrict File Download (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_RestrictFileDownload; + [Write, Description("visio.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe5; + [Write, Description("winproj.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe6; + [Write, Description("msaccess.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe11; + [Write, Description("spDesign.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe9; + [Write, Description("excel.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe1; + [Write, Description("powerpnt.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe3; + [Write, Description("mspub.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe2; + [Write, Description("exprwd.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe10; + [Write, Description("outlook.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe8; + [Write, Description("pptview.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe4; + [Write, Description("winword.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe7; + [Write, Description("onent.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe12; + [Write, Description("mse7.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe13; + [Write, Description("groove.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe0; + [Write, Description("Saved from URL (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_SavedfromURL; + [Write, Description("pptview.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe158; + [Write, Description("exprwd.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe164; + [Write, Description("mse7.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe167; + [Write, Description("spDesign.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe163; + [Write, Description("winproj.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe160; + [Write, Description("mspub.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe156; + [Write, Description("visio.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe159; + [Write, Description("winword.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe161; + [Write, Description("msaccess.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe165; + [Write, Description("onent.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe166; + [Write, Description("outlook.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe162; + [Write, Description("groove.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe154; + [Write, Description("excel.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe155; + [Write, Description("powerpnt.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe157; + [Write, Description("Scripted Window Security Restrictions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ScriptedWindowSecurityRestrictions; + [Write, Description("exprwd.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_exprwdexe94; + [Write, Description("mse7.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mse7exe97; + [Write, Description("mspub.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_mspubexe86; + [Write, Description("outlook.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_outlookexe92; + [Write, Description("msaccess.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_msaccessexe95; + [Write, Description("powerpnt.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_powerpntexe87; + [Write, Description("groove.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_grooveexe84; + [Write, Description("excel.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_excelexe85; + [Write, Description("pptview.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_pptviewexe88; + [Write, Description("spDesign.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_spdesignexe93; + [Write, Description("visio.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_visioexe89; + [Write, Description("onent.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_onenoteexe96; + [Write, Description("winproj.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winprojexe90; + [Write, Description("winword.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_winwordexe91; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise +{ + [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty; + [Write, Description("Do not show data extraction options when opening corrupt workbooks (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks; + [Write, Description("Ask to update automatic links (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Asktoupdateautomaticlinks; + [Write, Description("Load pictures from Web pages not created in Excel (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_LoadpicturesfromWebpagesnotcreatedinExcel; + [Write, Description("Disable AutoRepublish (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableAutoRepublish; + [Write, Description("Do not show AutoRepublish warning alert (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DoNotShowAutoRepublishWarningAlert; + [Write, Description("Force file extension to match file type (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Forcefileextenstionstomatch; + [Write, Description(" - Depends on L_Forcefileextenstionstomatch (0: Allow different, 1: Allow different, but warn, 2: Always match file type)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_Forcefileextenstionstomatch_L_Empty; + [Write, Description("Scan encrypted macros in Excel Open XML workbooks (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DeterminewhethertoforceencryptedExcel; + [Write, Description(" - Depends on L_DeterminewhethertoforceencryptedExcel (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_DeterminewhethertoforceencryptedExcelDropID; + [Write, Description("Block Excel XLL Add-ins that come from an untrusted source (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_BlockXLLFromInternet; + [Write, Description(" - Depends on L_BlockXLLFromInternet (1: Block, 0: Show Additional Warning, 2: Allow)"), ValueMap{"1", "0", "2"}, Values{"1", "0", "2"}] String L_BlockXLLFromInternetEnum; + [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("Always prevent untrusted Microsoft Query files from opening (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_EnableBlockUnsecureQueryFiles; + [Write, Description("dBase III / IV files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DBaseIIIANDIVFiles; + [Write, Description("File block setting: (User) - Depends on L_DBaseIIIANDIVFiles (0: Do not block, 2: Open/Save blocked, use open policy)"), ValueMap{"0", "2"}, Values{"0", "2"}] String L_DBaseIIIANDIVFilesDropID; + [Write, Description("Dif and Sylk files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DifAndSylkFiles; + [Write, Description("File block setting: (User) - Depends on L_DifAndSylkFiles (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_DifAndSylkFilesDropID; + [Write, Description("Excel 2 macrosheets and add-in files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel2MacrosheetsAndAddInFiles; + [Write, Description("File block setting: (User) - Depends on L_Excel2MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel2MacrosheetsAndAddInFilesDropID; + [Write, Description("Excel 2 worksheets (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel2Worksheets; + [Write, Description("File block setting: (User) - Depends on L_Excel2Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel2WorksheetsDropID; + [Write, Description("Excel 3 macrosheets and add-in files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel3MacrosheetsAndAddInFiles; + [Write, Description("File block setting: (User) - Depends on L_Excel3MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel3MacrosheetsAndAddInFilesDropID; + [Write, Description("Excel 3 worksheets (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel3Worksheets; + [Write, Description("File block setting: (User) - Depends on L_Excel3Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel3WorksheetsDropID; + [Write, Description("Excel 4 macrosheets and add-in files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel4MacrosheetsAndAddInFiles; + [Write, Description("File block setting: (User) - Depends on L_Excel4MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel4MacrosheetsAndAddInFilesDropID; + [Write, Description("Excel 4 workbooks (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel4Workbooks; + [Write, Description("File block setting: (User) - Depends on L_Excel4Workbooks (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel4WorkbooksDropID; + [Write, Description("Excel 4 worksheets (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel4Worksheets; + [Write, Description("File block setting: (User) - Depends on L_Excel4Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel4WorksheetsDropID; + [Write, Description("Excel 95 workbooks (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel95Workbooks; + [Write, Description("File block setting: (User) - Depends on L_Excel95Workbooks (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_Excel95WorkbooksDropID; + [Write, Description("Excel 95-97 workbooks and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel9597WorkbooksAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Excel9597WorkbooksAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Excel9597WorkbooksAndTemplatesDropID; + [Write, Description("Excel 97-2003 workbooks and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Excel972003WorkbooksAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Excel972003WorkbooksAndTemplates (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_Excel972003WorkbooksAndTemplatesDropID; + [Write, Description("Set default file block behavior (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior; + [Write, Description(" - Depends on MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID; + [Write, Description("Web pages and Excel 2003 XML spreadsheets (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_WebPagesAndExcel2003XMLSpreadsheets; + [Write, Description("File block setting: (User) - Depends on L_WebPagesAndExcel2003XMLSpreadsheets (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_WebPagesAndExcel2003XMLSpreadsheetsDropID; + [Write, Description("Prevent Excel from running XLM macros (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_XL4KillSwitchPolicy; + [Write, Description("Always open untrusted database files in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_EnableDataBaseFileProtectedView; + [Write, Description("Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView; + [Write, Description("Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView; + [Write, Description("Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails; + [Write, Description("Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3; + [Write, Description(" - Depends on MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID; + [Write, Description("Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2; + [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable VBA macros with notification, 3: Disable VBA macros except digitally signed macros, 4: Disable VBA macros without notification, 1: Enable VBA macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String L_empty4; + [Write, Description("Turn off file validation (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftExcel_Security_L_TurnOffFileValidation; + [Write, Description("WEBSERVICE Function Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_WebContentWarningLevel; + [Write, Description(" - Depends on L_WebContentWarningLevel (0: Enable all WEBSERVICE functions (not recommended), 1: Disable all with notification, 2: Disable all without notification)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_WebContentWarningLevelValue; + [Write, Description("Disable UI extending from documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicy; + [Write, Description("Disallow in Word (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyWord; + [Write, Description("Disallow in Excel (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyExcel; + [Write, Description("Disallow in Visio (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyVisio; + [Write, Description("Disallow in PowerPoint (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint; + [Write, Description("Disallow in Publisher (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyPublisher; + [Write, Description("Disallow in Outlook (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyOutlook; + [Write, Description("Disallow in Project (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyProject; + [Write, Description("Disallow in Access (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyAccess; + [Write, Description("Disallow in InfoPath (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath; + [Write, Description("ActiveX Control Initialization (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_ActiveXControlInitialization; + [Write, Description("ActiveX Control Initialization: (User) - Depends on L_ActiveXControlInitialization (1: 1, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6)"), ValueMap{"1", "2", "3", "4", "5", "6"}, Values{"1", "2", "3", "4", "5", "6"}] String L_ActiveXControlInitializationcolon; + [Write, Description("Allow Basic Authentication prompts from network proxies (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_BasicAuthProxyBehavior; + [Write, Description("Allow VBA to load typelib references by path from untrusted intranet locations (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AllowVbaIntranetRefs; + [Write, Description("Automation Security (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AutomationSecurity; + [Write, Description("Set the Automation Security level (User) - Depends on L_AutomationSecurity (3: Disable macros by default, 2: Use application macro security level, 1: Macros enabled (default))"), ValueMap{"3", "2", "1"}, Values{"3", "2", "1"}] String L_SettheAutomationSecuritylevel; + [Write, Description("Control how Office handles form-based sign-in prompts (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AuthenticationFBABehavior; + [Write, Description("Specify hosts allowed to show form-based sign-in prompts to users: (User) - Depends on L_AuthenticationFBABehavior")] String L_AuthenticationFBAEnabledHostsID; + [Write, Description("Behavior: (User) - Depends on L_AuthenticationFBABehavior (1: Block all prompts, 2: Ask the user what to do for each new host, 3: Show prompts only from allowed hosts)"), ValueMap{"1", "2", "3"}, Values{"1", "2", "3"}] String L_authenticationFBABehaviorEnum; + [Write, Description("Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableStrictVbaRefsSecurityPolicy; + [Write, Description("Disable all Trust Bar notifications for security issues (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableallTrustBarnotificationsfor; + [Write, Description("Encryption mode for Information Rights Management (IRM) (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Encryptiontypeforirm; + [Write, Description("IRM Encryption Mode: (User) - Depends on L_Encryptiontypeforirm (1: Cipher Block Chaining (CBC), 2: Electronic Codebook (ECB))"), ValueMap{"1", "2"}, Values{"1", "2"}] String L_Encryptiontypeforirmcolon; + [Write, Description("Encryption type for password protected Office 97-2003 files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Encryptiontypeforpasswordprotectedoffice972003; + [Write, Description("Encryption type: (User) - Depends on L_Encryptiontypeforpasswordprotectedoffice972003")] String L_encryptiontypecolon318; + [Write, Description("Encryption type for password protected Office Open XML files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Encryptiontypeforpasswordprotectedofficeopen; + [Write, Description("Encryption type: (User) - Depends on L_Encryptiontypeforpasswordprotectedofficeopen")] String L_Encryptiontypecolon; + [Write, Description("Load Controls in Forms3 (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_LoadControlsinForms3; + [Write, Description("Load Controls in Forms3: (User) - Depends on L_LoadControlsinForms3 (1: 1, 2: 2, 3: 3, 4: 4)"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] String L_LoadControlsinForms3colon; + [Write, Description("Macro Runtime Scan Scope (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_MacroRuntimeScanScope; + [Write, Description(" - Depends on L_MacroRuntimeScanScope (0: Disable for all documents, 1: Enable for low trust documents, 2: Enable for all documents)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_MacroRuntimeScanScopeEnum; + [Write, Description("Protect document metadata for rights managed Office Open XML Files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Protectdocumentmetadataforrightsmanaged; + [Write, Description("Allow mix of policy and user locations (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Allowmixofpolicyanduserlocations; + [Write, Description("Disable the Office client from polling the SharePoint Server for published links (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisabletheOfficeclientfrompolling; + [Write, Description("Disable Smart Document's use of manifests (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableSmartDocumentsuseofmanifests; + [Write, Description("Outlook Security Mode (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OutlookSecurityMode; + [Write, Description("Configure Outlook object model prompt when reading address information (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMAddressAccess; + [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMAddressAccess_Setting; + [Write, Description("Configure Outlook object model prompt when responding to meeting and task requests (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMMeetingTaskRequest; + [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMMeetingTaskRequest_Setting; + [Write, Description("Configure Outlook object model prompt when sending mail (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMSend; + [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMSend_Setting; + [Write, Description("Prevent users from customizing attachment security settings (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Preventusersfromcustomizingattachmentsecuritysettings; + [Write, Description("Retrieving CRLs (Certificate Revocation Lists) (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_RetrievingCRLsCertificateRevocationLists; + [Write, Description(" (0: Use system Default, 1: When online always retreive the CRL, 2: Never retreive the CRL)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_empty31; + [Write, Description("Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMFormula; + [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMFormula_Setting; + [Write, Description("Authentication with Exchange Server (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AuthenticationwithExchangeServer; + [Write, Description("Select the authentication with Exchange server. (User) (9: Kerberos/NTLM Password Authentication, 16: Kerberos Password Authentication, 10: NTLM Password Authentication, 2147545088: Insert a smart card)"), ValueMap{"9", "16", "10", "2147545088"}, Values{"9", "16", "10", "2147545088"}] String L_SelecttheauthenticationwithExchangeserver; + [Write, Description("Enable RPC encryption (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_EnableRPCEncryption; + [Write, Description("Allow hyperlinks in suspected phishing e-mail messages (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Enablelinksinemailmessages; + [Write, Description("Configure Outlook object model prompt when accessing an address book (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMAddressBook; + [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMAddressBook_Setting; + [Write, Description("Outlook Security Policy: (User) - Depends on L_OutlookSecurityMode (0: Outlook Default Security, 1: Use Security Form from 'Outlook Security Settings' Public Folder, 2: Use Security Form from 'Outlook 10 Security Settings' Public Folder, 3: Use Outlook Security Group Policy)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String L_OutlookSecurityPolicy; + [Write, Description("Allow users to demote attachments to Level 2 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AllowUsersToLowerAttachments; + [Write, Description("Allow Active X One Off Forms (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AllowActiveXOneOffForms; + [Write, Description("Sets which ActiveX controls to allow. (0: Load only Outlook Controls, 1: Allows only Safe Controls, 2: Allows all ActiveX Controls)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_empty29; + [Write, Description("Allow scripts in one-off Outlook forms (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_EnableScriptsInOneOffForms; + [Write, Description("Remove file extensions blocked as Level 2 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Level2RemoveFilePolicy; + [Write, Description("Removed Extensions: (User)")] String L_removedextensions25; + [Write, Description("Use Unicode format when dragging e-mail message to file system (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_MSGUnicodeformatwhendraggingtofilesystem; + [Write, Description("Set Outlook object model custom actions execution prompt (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OnExecuteCustomActionOOM; + [Write, Description("When executing a custom action: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OnExecuteCustomActionOOM_Setting; + [Write, Description("Do not allow Outlook object model scripts to run for public folders (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableOutlookobjectmodelscriptsforpublicfolders; + [Write, Description("Include Internet in Safe Zones for Automatic Picture Download (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_BlockInternet; + [Write, Description("Security setting for macros (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_SecurityLevelOutlook; + [Write, Description("Security Level (User) (2: Always warn, 4: Never warn, disable all, 3: Warn for signed, disable unsigned, 1: No security check)"), ValueMap{"2", "4", "3", "1"}, Values{"2", "4", "3", "1"}] String L_SecurityLevel; + [Write, Description("Remove file extensions blocked as Level 1 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Level1RemoveFilePolicy; + [Write, Description("Removed Extensions: (User)")] String L_RemovedExtensions; + [Write, Description("Signature Warning (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_SignatureWarning; + [Write, Description("Signature Warning (User) (0: Let user decide if they want to be warned, 1: Always warn about invalid signatures, 2: Never warn about invalid signatures)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_signaturewarning30; + [Write, Description("Display Level 1 attachments (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Level1Attachments; + [Write, Description("Minimum encryption settings (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Minimumencryptionsettings; + [Write, Description("Minimum key size (in bits): (User)")] SInt32 L_Minimumkeysizeinbits; + [Write, Description("Do not allow Outlook object model scripts to run for shared folders (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DisableOutlookobjectmodelscripts; + [Write, Description("Configure Outlook object model prompt when executing Save As (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_OOMSaveAs; + [Write, Description("Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security)"), ValueMap{"1", "2", "0", "3"}, Values{"1", "2", "0", "3"}] String L_OOMSaveAs_Setting; + [Write, Description("Junk E-mail protection level (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_JunkEmailprotectionlevel; + [Write, Description("Select level: (User) (4294967295: No Protection, 6: Low (Default), 3: High, 2147483648: Trusted Lists Only)"), ValueMap{"4294967295", "6", "3", "2147483648"}, Values{"4294967295", "6", "3", "2147483648"}] String L_Selectlevel; + [Write, Description("Run Programs (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_RunPrograms; + [Write, Description(" - Depends on L_RunPrograms (0: disable (don't run any programs), 1: enable (prompt user before running), 2: enable all (run without prompting))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_RunPrograms_L_Empty; + [Write, Description("Scan encrypted macros in PowerPoint Open XML presentations (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Determinewhethertoforceencryptedppt; + [Write, Description(" - Depends on L_Determinewhethertoforceencryptedppt (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_DeterminewhethertoforceencryptedpptDropID; + [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("PowerPoint 97-2003 presentations, shows, templates and add-in files (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles; + [Write, Description("File block setting: (User) - Depends on L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID; + [Write, Description("Set default file block behavior (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior; + [Write, Description(" - Depends on MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID; + [Write, Description("Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView; + [Write, Description("Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView; + [Write, Description("Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails; + [Write, Description("Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3; + [Write, Description(" - Depends on MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID; + [Write, Description("Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2; + [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String L_empty3; + [Write, Description("Turn off file validation (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPowerPoint_Security_L_TurnOffFileValidation; + [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty; + [Write, Description("Publisher Automation Security Level (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_PublisherAutomationSecurityLevel; + [Write, Description(" - Depends on L_PublisherAutomationSecurityLevel (1: Low (enabled), 2: By UI (prompted), 3: High (disabled))"), ValueMap{"1", "2", "3"}, Values{"1", "2", "3"}] String L_PublisherAutomationSecurityLevel_L_Empty; + [Write, Description("Block macros from running in Office files from the internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins (User) - Depends on MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String L_empty0; + [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork; + [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("Visio 2000-2002 Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Visio2000Files; + [Write, Description("File block setting: (User) - Depends on L_Visio2000Files (0: Do not block, 2: Open/Save blocked)"), ValueMap{"0", "2"}, Values{"0", "2"}] String L_Visio2000FilesDropID; + [Write, Description("Visio 2003-2010 Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Visio2003Files; + [Write, Description("File block setting: (User) - Depends on L_Visio2003Files (0: Do not block, 1: Save blocked, 2: Open/Save blocked)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_Visio2003FilesDropID; + [Write, Description("Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Visio50AndEarlierFiles; + [Write, Description("File block setting: (User) - Depends on L_Visio50AndEarlierFiles (0: Do not block, 2: Open/Save blocked)"), ValueMap{"0", "2"}, Values{"0", "2"}] String L_Visio50AndEarlierFilesDropID; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty; + [Write, Description("Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned; + [Write, Description("Dynamic Data Exchange (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_AllowDDE; + [Write, Description("Dynamic Data Exchange setting (User) - Depends on L_AllowDDE (1: Limited Dynamic Data Exchange, 2: Allow Dynamic Data Exchange)"), ValueMap{"1", "2"}, Values{"1", "2"}] String L_AllowDDEDropID; + [Write, Description("Set default file block behavior (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior; + [Write, Description(" - Depends on MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID; + [Write, Description("Word 2 and earlier binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word2AndEarlierBinaryDocumentsAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Word2AndEarlierBinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID; + [Write, Description("Word 2000 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word2000BinaryDocumentsAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Word2000BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word2000BinaryDocumentsAndTemplatesDropID; + [Write, Description("Word 2003 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word2003BinaryDocumentsAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Word2003BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word2003BinaryDocumentsAndTemplatesDropID; + [Write, Description("Word 2007 and later binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word2007AndLaterBinaryDocumentsAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Word2007AndLaterBinaryDocumentsAndTemplates (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID; + [Write, Description("Word 6.0 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word6Pt0BinaryDocumentsAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Word6Pt0BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word6Pt0BinaryDocumentsAndTemplatesDropID; + [Write, Description("Word 95 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word95BinaryDocumentsAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Word95BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word95BinaryDocumentsAndTemplatesDropID; + [Write, Description("Word 97 binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_Word97BinaryDocumentsAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_Word97BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_Word97BinaryDocumentsAndTemplatesDropID; + [Write, Description("Word XP binary documents and templates (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_WordXPBinaryDocumentsAndTemplates; + [Write, Description("File block setting: (User) - Depends on L_WordXPBinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View)"), ValueMap{"0", "2", "3", "4", "5"}, Values{"0", "2", "3", "4", "5"}] String L_WordXPBinaryDocumentsAndTemplatesDropID; + [Write, Description("Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView; + [Write, Description("Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView; + [Write, Description("Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails; + [Write, Description(" - Depends on MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID; + [Write, Description("Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3; + [Write, Description("Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook; + [Write, Description("Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned; + [Write, Description("Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2; + [Write, Description("Scan encrypted macros in Word Open XML documents (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String L_DeterminewhethertoforceencryptedWord; + [Write, Description(" - Depends on L_DeterminewhethertoforceencryptedWord (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String L_DeterminewhethertoforceencryptedWordDropID; + [Write, Description("VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy; + [Write, Description(" - Depends on MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended))"), ValueMap{"2", "3", "4", "1"}, Values{"2", "3", "4", "1"}] String L_empty19; + [Write, Description("Turn off file validation (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_L_TurnOffFileValidation; + [Write, Description("Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork; +}; +[ClassVersion("1.0.0.0"), FriendlyName("IntuneSecurityBaselineMicrosoft365AppsForEnterprise")] +class MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise : OMI_BaseResource +{ + [Write, Description("Policy description")] String Description; + [Key, Description("Policy name")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("The policy settings for the device scope"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise")] String DeviceSettings; + [Write, Description("The policy settings for the user scope"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise")] String UserSettings; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/readme.md new file mode 100644 index 0000000000..7e7218c244 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/readme.md @@ -0,0 +1,6 @@ + +# IntuneSecurityBaselineMicrosoft365AppsForEnterprise + +## Description + +Intune Security Baseline Microsoft365 Apps For Enterprise diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json new file mode 100644 index 0000000000..4bda1f09ca --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName":"IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "description":"This resource configures an Intune Security Baseline Microsoft365 Apps For Enterprise.", + "permissions":{ + "graph":{ + "delegated":{ + "read":[ + { + "name":"DeviceManagementConfiguration.Read.All" + } + ], + "update":[ + { + "name":"DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application":{ + "read":[ + { + "name":"DeviceManagementConfiguration.Read.All" + } + ], + "update":[ + { + "name":"DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 new file mode 100644 index 0000000000..c3b6e71fd2 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.psm1 @@ -0,0 +1,904 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationReloadInIEModeAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SSLErrorOverrideAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationZoneIdentifierMhtFileAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BrowserLegacyExtensionPointsBlockingEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SitePerProcess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $EdgeEnhanceImagesEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $ExtensionInstallBlocklist, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $ExtensionInstallBlocklistDesc, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WebSQLAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BasicAuthOverHttpEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $MicrosoftEdge_HTTPAuthentication_AuthSchemes, + + [Parameter()] + [System.String] + $authschemes, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $NativeMessagingUserLevelHosts, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InsecurePrivateNetworkRequestsAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerModeToolbarButtonEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenPuaEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverride, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverrideForFiles, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SharedArrayBufferUnrestrictedAccessAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $TyposquattingCheckerEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Microsoft Edge with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline Microsoft Edge with Name {$DisplayName}." + return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Security Baseline Microsoft Edge with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.Name + RoleScopeTagIds = $getValue.RoleScopeTagIds + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + #endregion + } + $results += $policySettings + + $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id + $assignmentResult = @() + if ($assignmentsValues.Count -gt 0) + { + $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationReloadInIEModeAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SSLErrorOverrideAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationZoneIdentifierMhtFileAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BrowserLegacyExtensionPointsBlockingEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SitePerProcess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $EdgeEnhanceImagesEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $ExtensionInstallBlocklist, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $ExtensionInstallBlocklistDesc, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WebSQLAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BasicAuthOverHttpEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $MicrosoftEdge_HTTPAuthentication_AuthSchemes, + + [Parameter()] + [System.String] + $authschemes, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $NativeMessagingUserLevelHosts, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InsecurePrivateNetworkRequestsAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerModeToolbarButtonEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenPuaEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverride, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverrideForFiles, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SharedArrayBufferUnrestrictedAccessAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $TyposquattingCheckerEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + $templateReferenceId = 'c66347b7-8325-4954-a235-3bf2233dfbfd_2' + $platforms = 'windows10' + $technologies = 'mdm' + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Security Baseline Microsoft Edge with Name {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + $createParameters = @{ + Name = $DisplayName + Description = $Description + TemplateReference = @{ templateId = $templateReferenceId } + Platforms = $platforms + Technologies = $technologies + Settings = $settings + } + + #region resource generator code + $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters + + if ($policy.Id) + { + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Security Baseline Microsoft Edge with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $settings = Get-IntuneSettingCatalogPolicySetting ` + -DSCParams ([System.Collections.Hashtable]$BoundParameters) ` + -TemplateId $templateReferenceId + + Update-IntuneDeviceConfigurationPolicy ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Name $DisplayName ` + -Description $Description ` + -TemplateReferenceId $templateReferenceId ` + -Platforms $platforms ` + -Technologies $technologies ` + -Settings $settings + + #region resource generator code + $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/configurationPolicies' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Security Baseline Microsoft Edge with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationReloadInIEModeAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SSLErrorOverrideAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerIntegrationZoneIdentifierMhtFileAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BrowserLegacyExtensionPointsBlockingEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SitePerProcess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $EdgeEnhanceImagesEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $ExtensionInstallBlocklist, + + [Parameter()] + [ValidateLength(0, 2048)] + [System.String[]] + $ExtensionInstallBlocklistDesc, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $WebSQLAccess, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $BasicAuthOverHttpEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $MicrosoftEdge_HTTPAuthentication_AuthSchemes, + + [Parameter()] + [System.String] + $authschemes, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $NativeMessagingUserLevelHosts, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InsecurePrivateNetworkRequestsAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $InternetExplorerModeToolbarButtonEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SmartScreenPuaEnabled, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverride, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $PreventSmartScreenPromptOverrideForFiles, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $SharedArrayBufferUnrestrictedAccessAllowed, + + [Parameter()] + [ValidateSet('0', '1')] + [System.String] + $TyposquattingCheckerEnabled, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Security Baseline Microsoft Edge with Id {$Id} and Name {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + [Hashtable]$ValuesToCheck = @{} + $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object { + if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction')) + { + if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key]) + { + $ValuesToCheck.Add($_.Key, $null) + if (-not $PSBoundParameters.ContainsKey($_.Key)) + { + $PSBoundParameters.Add($_.Key, $null) + } + } + } + } + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*') + { + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-not $testResult) + { + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.Remove('Id') | Out-Null + $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned $testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + $policyTemplateID = "c66347b7-8325-4954-a235-3bf2233dfbfd_2" + [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter $Filter ` + -All ` + -ErrorAction Stop | Where-Object ` + -FilterScript { + $_.TemplateReference.TemplateId -eq $policyTemplateID + } + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + elseif (-not [string]::IsNullOrEmpty($config.name)) + { + $displayedKey = $config.name + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.Name + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof new file mode 100644 index 0000000000..8a9515e3d3 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/MSFT_IntuneSecurityBaselineMicrosoftEdge.schema.mof @@ -0,0 +1,50 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneSecurityBaselineMicrosoftEdge")] +class MSFT_IntuneSecurityBaselineMicrosoftEdge : OMI_BaseResource +{ + [Write, Description("Policy description")] String Description; + [Key, Description("Policy name")] String DisplayName; + [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[]; + [Write, Description("The unique identifier for an entity. Read-only.")] String Id; + [Write, Description("Allow unconfigured sites to be reloaded in Internet Explorer mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InternetExplorerIntegrationReloadInIEModeAllowed; + [Write, Description("Allow users to proceed from the HTTPS warning page (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SSLErrorOverrideAllowed; + [Write, Description("Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InternetExplorerIntegrationZoneIdentifierMhtFileAllowed; + [Write, Description("Enable browser legacy extension point blocking (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String BrowserLegacyExtensionPointsBlockingEnabled; + [Write, Description("Enable site isolation for every site (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SitePerProcess; + [Write, Description("Enhance images enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EdgeEnhanceImagesEnabled; + [Write, Description("Control which extensions cannot be installed (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ExtensionInstallBlocklist; + [Write, Description("Extension IDs the user should be prevented from installing (or * for all) (Device) - Depends on ExtensionInstallBlocklist")] String ExtensionInstallBlocklistDesc[]; + [Write, Description("Force WebSQL to be enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WebSQLAccess; + [Write, Description("Allow Basic authentication for HTTP (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String BasicAuthOverHttpEnabled; + [Write, Description("Supported authentication schemes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftEdge_HTTPAuthentication_AuthSchemes; + [Write, Description("Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes")] String authschemes; + [Write, Description("Allow user-level native messaging hosts (installed without admin permissions) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NativeMessagingUserLevelHosts; + [Write, Description("Specifies whether to allow insecure websites to make requests to more-private network endpoints (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InsecurePrivateNetworkRequestsAllowed; + [Write, Description("Show the Reload in Internet Explorer mode button in the toolbar (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String InternetExplorerModeToolbarButtonEnabled; + [Write, Description("Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenEnabled; + [Write, Description("Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenPuaEnabled; + [Write, Description("Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverride; + [Write, Description("Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverrideForFiles; + [Write, Description("Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SharedArrayBufferUnrestrictedAccessAllowed; + [Write, Description("Configure Edge TyposquattingChecker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String TyposquattingCheckerEnabled; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/readme.md new file mode 100644 index 0000000000..f614869e4f --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/readme.md @@ -0,0 +1,6 @@ + +# IntuneSecurityBaselineMicrosoftEdge + +## Description + +Intune Security Baseline Microsoft Edge diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json new file mode 100644 index 0000000000..67b62b373e --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineMicrosoftEdge/settings.json @@ -0,0 +1,33 @@ +{ + "resourceName": "IntuneSecurityBaselineMicrosoftEdge", + "description": "This resource configures an Intune Security Baseline Microsoft Edge.", + "permissions": { + "graph": { + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } +} + +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsClientConfiguration/MSFT_TeamsClientConfiguration.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsClientConfiguration/MSFT_TeamsClientConfiguration.psm1 index b75b494596..92381749be 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsClientConfiguration/MSFT_TeamsClientConfiguration.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsClientConfiguration/MSFT_TeamsClientConfiguration.psm1 @@ -140,7 +140,7 @@ function Get-TargetResource ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens } - if ([System.String]::IsNullOrEmpty($RestrictedSenderList)) + if ([System.String]::IsNullOrEmpty($Config.RestrictedSenderList)) { $result.Remove('RestrictedSenderList') | Out-Null } @@ -282,12 +282,9 @@ function Set-TargetResource } else { - $tempValue = $null - foreach ($sender in $SetParams.RestrictedSenderList) - { - $tempValue += $sender + ',' - } - $tempValue = $tempValue.Substring(0, $tempValue.Length - 1) + # https://learn.microsoft.com/en-us/powershell/module/teams/set-csteamsclientconfiguration?view=teams-ps#-restrictedsenderlist + # This is a semicolon-separated string of the domains you'd like to allow to send emails to Teams channels + $tempValue = $SetParams['RestrictedSenderList'] -join ';' $SetParams.RestrictedSenderList = $tempValue } Set-CsTeamsClientConfiguration @SetParams diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 index 1bc09914bf..20ecfd0716 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.psm1 @@ -175,10 +175,22 @@ function Set-TargetResource $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftTeams' ` -InboundParameters $PSBoundParameters - foreach ($user in $Users) + if ($Identity -eq 'Global' -and $Users.Length -eq 1 -and $Users[0] -eq '*') { - Write-Verbose -Message "Granting TeamsUpgradePolicy {$Identity} to User {$user} with MigrateMeetingsToTeams=$MigrateMeetingsToTeams" - Grant-CsTeamsUpgradePolicy -PolicyName $Identity -Identity $user -MigrateMeetingsToTeams:$MigrateMeetingsToTeams + Write-Verbose -Message "Granting TeamsUpgradePolicy {$Identity} to all Users with MigrateMeetingsToTeams=$MigrateMeetingsToTeams" + Grant-CsTeamsUpgradePolicy -PolicyName $Identity ` + -MigrateMeetingsToTeams:$MigrateMeetingsToTeams ` + -Global + } + else + { + foreach ($user in $Users) + { + Write-Verbose -Message "Granting TeamsUpgradePolicy {$Identity} to User {$user} with MigrateMeetingsToTeams=$MigrateMeetingsToTeams" + Grant-CsTeamsUpgradePolicy -PolicyName $Identity ` + -Identity $user ` + -MigrateMeetingsToTeams:$MigrateMeetingsToTeams + } } } diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.schema.mof index 96c8e8e81a..dcd1b3df49 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_TeamsUpgradePolicy/MSFT_TeamsUpgradePolicy.schema.mof @@ -2,7 +2,7 @@ class MSFT_TeamsUpgradePolicy : OMI_BaseResource { [Key, Description("Identity of the Teams Upgrade Policy.")] String Identity; - [Write, Description("List of users that will be granted the Upgrade Policy to.")] String Users[]; + [Write, Description("List of users that will be granted the Upgrade Policy to. Use value * to apply the policy globally.")] String Users[]; [Write, Description("Specifies whether to move existing Skype for Business meetings organized by the user to Teams. This parameter can only be true if the mode of the specified policy instance is either TeamsOnly or SfBWithTeamsCollabAndMeetings, and if the policy instance is being granted to a specific user. It not possible to trigger meeting migration when granting TeamsUpgradePolicy to the entire tenant.")] Boolean MigrateMeetingsToTeams; [Write, Description("Credentials of the Teams Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/1-Create.ps1 index 13e7d999e7..d5b7854a82 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/1-Create.ps1 @@ -25,12 +25,12 @@ Configuration Example IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' { DisplayName = 'test' - DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 { History = 10 EnablePinRecovery = 'true' } - UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 { History = 20 EnablePinRecovery = 'true' diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/2-Update.ps1 index 3752c70dd6..4ea17bbc2c 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneAccountProtectionPolicyWindows10/2-Update.ps1 @@ -25,12 +25,12 @@ Configuration Example IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' { DisplayName = 'test' - DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 { History = 10 EnablePinRecovery = 'true' } - UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 { History = 30 # Updated property EnablePinRecovery = 'true' diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/1-Create.ps1 new file mode 100644 index 0000000000..1eb9c2d9fb --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/1-Create.ps1 @@ -0,0 +1,54 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later" + { + Id = "8e683524-4ec1-4813-bb3e-6256b2f293d" + Description = "Microsoft 365 Apps for Windows 10 and laterr" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c' + intent = 'required' + } + ); + Categories = @( + MSFT_DeviceManagementMobileAppCategory { + Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8' + DisplayName = 'Productivity' + }); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/2-Update.ps1 new file mode 100644 index 0000000000..1eb9c2d9fb --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/2-Update.ps1 @@ -0,0 +1,54 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later" + { + Id = "8e683524-4ec1-4813-bb3e-6256b2f293d" + Description = "Microsoft 365 Apps for Windows 10 and laterr" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c' + intent = 'required' + } + ); + Categories = @( + MSFT_DeviceManagementMobileAppCategory { + Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8' + DisplayName = 'Productivity' + }); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/3-Remove.ps1 new file mode 100644 index 0000000000..8b731ff4ac --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneMobileAppsWindowsOfficeSuiteApp/3-Remove.ps1 @@ -0,0 +1,35 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later" + { + Id = "8e683524-4ec1-4813-bb3e-6256b2f293d8"; + DisplayName = "Microsoft 365 Apps for Windows 10 and later"; + Ensure = "Absent"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/1-Create.ps1 new file mode 100644 index 0000000000..4999c28f32 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/1-Create.ps1 @@ -0,0 +1,58 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + L_powerpntexe101 = '1' + L_pptviewexe102 = '1' + L_visioexe103 = '1' + L_winprojexe104 = '1' + L_winwordexe105 = '1' + L_outlookexe106 = '1' + L_spdesignexe107 = '1' + L_exprwdexe108 = '1' + L_msaccessexe109 = '1' + L_onenoteexe110 = '1' + L_mse7exe111 = '1' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '3' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/2-Update.ps1 new file mode 100644 index 0000000000..9462f97414 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/2-Update.ps1 @@ -0,0 +1,58 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + L_powerpntexe101 = '1' + L_pptviewexe102 = '1' + L_visioexe103 = '1' + L_winprojexe104 = '1' + L_winwordexe105 = '1' + L_outlookexe106 = '1' + L_spdesignexe107 = '1' + L_exprwdexe108 = '1' + L_msaccessexe109 = '1' + L_onenoteexe110 = '1' + L_mse7exe111 = '1' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '2' # Updated property + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/3-Remove.ps1 new file mode 100644 index 0000000000..b9a8c3c849 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoft365AppsForEnterprise/3-Remove.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/1-Create.ps1 new file mode 100644 index 0000000000..fdb3b29ab6 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/1-Create.ps1 @@ -0,0 +1,38 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + InsecurePrivateNetworkRequestsAllowed = "0"; + InternetExplorerIntegrationReloadInIEModeAllowed = "0"; + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0"; + InternetExplorerModeToolbarButtonEnabled = "0"; + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/2-Update.ps1 new file mode 100644 index 0000000000..125c7be94d --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/2-Update.ps1 @@ -0,0 +1,38 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + InsecurePrivateNetworkRequestsAllowed = "0"; + InternetExplorerIntegrationReloadInIEModeAllowed = "0"; + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0"; + InternetExplorerModeToolbarButtonEnabled = "1"; # Drift + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/3-Remove.ps1 new file mode 100644 index 0000000000..d9830b3fe9 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineMicrosoftEdge/3-Remove.ps1 @@ -0,0 +1,34 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index d85eaa083e..e5ff29e4b2 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -2121,6 +2121,7 @@ function Get-IntuneSettingCatalogPolicySettingDSCValue $matchCombined = $false $matchesId = $false $matchesOffsetUri = $false + $offsetUriFound = $false $settingDefinitions = $SettingTemplates.SettingDefinitions ` | Where-Object -FilterScript { $_.Name -eq $key } @@ -2146,7 +2147,26 @@ function Get-IntuneSettingCatalogPolicySettingDSCValue # If no parent definition is found, it might have been combined with the OffsetUri if ($null -eq $parentDefinition) { - $definition = Get-SettingDefinitionFromNameWithParentFromOffsetUri -OffsetUriName $key -SettingDefinitions $SettingTemplates.SettingDefinitions + $newKey = $key + switch -wildcard ($newKey) + { + '*_HTTPAuthentication_*' { $newKey = $newKey.Replace('HTTPAuthentication', '~HTTPAuthentication') } + '*TrustCenterTrustedLocations_*' { $newKey = $newKey.Replace('TrustCenterTrustedLocations', 'TrustCenter~L_TrustedLocations') } + '*TrustCenterFileBlockSettings_*' { $newKey = $newKey.Replace('TrustCenterFileBlockSettings', 'TrustCenter~L_FileBlockSettings') } + '*TrustCenterProtectedView_*' { $newKey = $newKey.Replace('TrustCenterProtectedView', 'TrustCenter~L_ProtectedView') } + '*_TrustCenter*' { $newKey = $newKey.Replace('_TrustCenter', '~L_TrustCenter') } + '*_Security_*' { $newKey = $newKey.Replace('Security', '~L_Security') } + 'MicrosoftEdge_*' { $newKey = $newKey.Replace('MicrosoftEdge_', 'microsoft_edge~Policy~microsoft_edge') } + 'MicrosoftPublisherV3_*' { $newKey = $newKey.Replace('MicrosoftPublisherV3_', 'pub16v3~Policy~L_MicrosoftOfficePublisher') } + 'MicrosoftPublisherV2_*' { $newKey = $newKey.Replace('MicrosoftPublisherV2_', 'pub16v2~Policy~L_MicrosoftOfficePublisher') } + 'MicrosoftVisio_*' { $newKey = $newKey.Replace('MicrosoftVisio_', 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions') } + 'MicrosoftProject_*' { $newKey = $newKey.Replace('MicrosoftProject_', 'proj16v2~Policy~L_Proj~L_ProjectOptions') } + 'MicrosoftPowerPoint_*' { $newKey = $newKey.Replace('MicrosoftPowerPoint_', 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions') } + 'MicrosoftWord_*' { $newKey = $newKey.Replace('MicrosoftWord_', 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions') } + 'MicrosoftExcel_*' { $newKey = $newKey.Replace('MicrosoftExcel_', 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions') } + 'MicrosoftAccess_*' { $newKey = $newKey.Replace('MicrosoftAccess_', 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings') } + } + $definition = Get-SettingDefinitionFromNameWithParentFromOffsetUri -OffsetUriName $newKey -SettingDefinitions $SettingTemplates.SettingDefinitions if ($null -ne $definition) { $offsetUriFound = $true @@ -2189,6 +2209,19 @@ function Get-IntuneSettingCatalogPolicySettingDSCValue $SettingDefinition = $_ } } + + if (-not $matchesId) + { + $definition = Get-SettingDefinitionFromNameWithParentFromOffsetUri -OffsetUriName $key -SettingDefinitions $SettingTemplates.SettingDefinitions + if ($null -ne $definition) + { + $offsetUriFound = $true + if ($SettingDefinition.Id -eq $definition.Id) + { + $matchesOffsetUri = $true + } + } + } } } @@ -2279,18 +2312,31 @@ function Get-SettingDefinitionFromNameWithParentFromOffsetUri $settingName = $OffsetUriName $offsetUriPrefix = "" - foreach ($part in $offsetUriParts) + for ($i = 0; $i -lt $offsetUriParts.Count; $i++) { - if ($settingName -like "*$($part)_*") + $part = $offsetUriParts[$i] + if ($settingName -like "$($part)_*") { $settingName = $settingName.Replace("$($part)_", "") # Add wildcards to match removed parts with invalid characters $offsetUriPrefix += "*$($part)*" + $i = 0 } } - $filteredDefinitions = $SettingDefinitions | Where-Object -FilterScript { - $_.Name -eq $settingName -and $_.OffsetUri -like "*$offsetUriPrefix*" + if ($settingName -eq "v2") + { + $settingName = $offsetUriPrefix.Split("*")[-2] + "_v2" # Add the last element of the offset Uri parts before the v2 + $filteredDefinitions = $SettingDefinitions | Where-Object -FilterScript { + ($_.Id -like "*$settingName" -and $_.Name -eq $settingName.Replace('_v2', '') -and $_.OffsetUri -like "*$offsetUriPrefix*") -or + ($_.Name -eq $settingName -and $_.OffsetUri -like "*$offsetUriPrefix*") + } + } + else + { + $filteredDefinitions = $SettingDefinitions | Where-Object -FilterScript { + $_.Name -eq $settingName -and $_.OffsetUri -like "*$offsetUriPrefix*" + } } if ($filteredDefinitions.Count -eq 1) @@ -2302,7 +2348,9 @@ function Get-SettingDefinitionFromNameWithParentFromOffsetUri $settingsWithSameName = $filteredDefinitions foreach ($definition in $filteredDefinitions) { + $parentSetting = Get-ParentSettingDefinition -SettingDefinition $definition -AllSettingDefinitions $SettingDefinitions $skip = 0 + $breakCounter = 0 $newSettingName = $settingName do { $previousSettingName = $newSettingName @@ -2313,12 +2361,34 @@ function Get-SettingDefinitionFromNameWithParentFromOffsetUri $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip if ($newName -eq $newSettingName) { - $combinationMatchesWithOffsetUri += $_ + # Exclude v2 versions from the comparison + if ($definition.Id -like "*_v2" -and $_.Id -ne $definition.Id.Replace('_v2', '') -or + $definition.Id -notlike "*_v2" -and $_.Id -ne $definition.Id + "_v2") + { + $combinationMatchesWithOffsetUri += $_ + } } } $settingsWithSameName = $combinationMatchesWithOffsetUri + $breakCounter++ $skip++ - } while ($combinationMatchesWithOffsetUri.Count -gt 1) + } while ($combinationMatchesWithOffsetUri.Count -gt 1 -and $breakCounter -lt 8) + + if ($breakCounter -eq 8) + { + if ($null -ne $parentSetting) + { + # Alternative way if no unique setting name can be found + $parentSettingIdProperty = $parentSetting.Id.Split('_')[-1] + $parentSettingIdWithoutProperty = $parentSetting.Id.Replace("_$parentSettingIdProperty", "") + # We can't use the entire setting here, because the child setting id does not have to come after the parent setting id + $settingNameV2 = $definition.Id.Replace($parentSettingIdWithoutProperty + "_", "").Replace($parentSettingIdProperty + "_", "") + if ($settingNameV2 -eq $OffsetUriName) + { + $newSettingName = $settingNameV2 + } + } + } if ($newSettingName -eq $OffsetUriName) { @@ -2379,6 +2449,12 @@ function Get-SettingDefinitionNameWithParentFromOffsetUri { { $splittedOffsetUri = $splittedOffsetUri[1..($splittedOffsetUri.Length - 1)] } + + if ($Skip -gt $splittedOffsetUri.Length - 1) + { + return $SettingName + } + $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 1 - $Skip)] $traversed = $false while (-not $traversed -and $splittedOffsetUri.Length -gt 1) # Prevent adding the first element of the OffsetUri @@ -2524,7 +2600,12 @@ function Export-IntuneSettingCatalogPolicySettings $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip if ($newName -eq $newSettingName) { - $combinationMatchesWithOffsetUri += $_ + # Exclude v2 versions from the comparison + if ($settingDefinition.Id -like "*_v2" -and $_.Id -ne $settingDefinition.Id.Replace('_v2', '') -or + $settingDefinition.Id -notlike "*_v2" -and $_.Id -ne $settingDefinition.Id + "_v2") + { + $combinationMatchesWithOffsetUri += $_ + } } } $settingsWithSameName = $combinationMatchesWithOffsetUri @@ -2534,6 +2615,10 @@ function Export-IntuneSettingCatalogPolicySettings if ($breakCounter -lt 8) { + if ($settingDefinition.Id -like "*_v2" -and $newSettingName -notlike "*_v2") + { + $newSettingName += "_v2" + } $settingName = $newSettingName } else @@ -2555,6 +2640,26 @@ function Export-IntuneSettingCatalogPolicySettings { $settingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $settingDefinition.OffsetUri -SettingName $settingName } + + # Simplify names from the OffsetUri. This is done to make the names more readable, especially in case of long and complex OffsetUris. + switch -wildcard ($settingName) + { + 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings~*' { $settingName = $settingName.Replace('access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings', 'MicrosoftAccess_') } + 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions~*' { $settingName = $settingName.Replace('excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions', 'MicrosoftExcel_') } + 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~*' { $settingName = $settingName.Replace('word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions', 'MicrosoftWord_') } + 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~*' { $settingName = $settingName.Replace('ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions', 'MicrosoftPowerPoint_') } + 'proj16v2~Policy~L_Proj~L_ProjectOptions~*' { $settingName = $settingName.Replace('proj16v2~Policy~L_Proj~L_ProjectOptions', 'MicrosoftProject_') } + 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions~*' { $settingName = $settingName.Replace('visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions', 'MicrosoftVisio_') } + 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } + 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } + 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } + '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') } + '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } + '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') } + '*~L_FileBlockSettings_*' { $settingName = $settingName.Replace('~L_FileBlockSettings', 'FileBlockSettings') } + '*~L_TrustedLocations*' { $settingName = $settingName.Replace('~L_TrustedLocations', 'TrustedLocations') } + '*~HTTPAuthentication_*' { $settingName = $settingName.Replace('~HTTPAuthentication', 'HTTPAuthentication') } + } } $odataType = if ($IsRoot) { $SettingInstance.AdditionalProperties.'@odata.type' } else { $SettingInstance.'@odata.type' } @@ -2712,7 +2817,7 @@ function Update-IntuneDeviceConfigurationPolicy 'settings' = $Settings } $body = $policy | ConvertTo-Json -Depth 20 - #write-verbose -Message $body + #Write-Verbose -Message $body Invoke-MgGraphRequest -Method PUT -Uri $Uri -Body $body -ErrorAction Stop } catch diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index b405f20354..a592c2b6d5 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -6024,6 +6024,21 @@ } ] }, + { + "ClassName": "MSFT_AADServicePrincipalDelegatedPermissionClassification", + "Parameters": [ + { + "CIMType": "String", + "Name": "Classification", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PermissionName", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_AADServicePrincipal", "Parameters": [ @@ -6112,6 +6127,11 @@ "Name": "Tags", "Option": "Write" }, + { + "CIMType": "MSFT_AADServicePrincipalDelegatedPermissionClassification[]", + "Name": "DelegatedPermissionClassifications", + "Option": "Write" + }, { "CIMType": "String", "Name": "Ensure", @@ -19790,7 +19810,7 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings", + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10", "Parameters": [ { "CIMType": "String", @@ -19860,7 +19880,7 @@ ] }, { - "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings", + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10", "Parameters": [ { "CIMType": "String", @@ -19938,12 +19958,12 @@ "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10", "Name": "DeviceSettings", "Option": "Write" }, { - "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings", + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10", "Name": "UserSettings", "Option": "Write" }, @@ -36054,6 +36074,246 @@ } ] }, + { + "ClassName": "MSFT_DeviceManagementMobileAppExcludedApp", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "Access", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Bing", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Excel", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Groove", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "InfoPath", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Lync", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "OneDrive", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "OneNote", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Outlook", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "PowerPoint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Publisher", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "SharePointDesigner", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Teams", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Visio", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "Word", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneMobileAppsWindowsOfficeSuiteApp", + "Parameters": [ + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsFeatured", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PrivacyInformationUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InformationUrl", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Notes", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "AutoAcceptEula", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ProductIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "UseSharedComputerActivation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UpdateChannel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OfficeSuiteAppDefaultFileFormat", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OfficePlatformArchitecture", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "LocalesToInstall", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InstallProgressDisplayLevel", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ShouldUninstallOlderVersionsOfOffice", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TargetVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "UpdateVersion", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "OfficeConfigurationXml", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMobileAppCategory[]", + "Name": "Categories", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMobileAppAssignment[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementMobileAppExcludedApp", + "Name": "ExcludedApps", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_DeviceManagementConfigurationPolicyItems", "Parameters": [ @@ -36339,6 +36599,2456 @@ } ] }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Parameters": [ + { + "CIMType": "String", + "Name": "Pol_SecGuide_A001_Block_Flash", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Pol_SecGuide_Block_Flash", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Pol_SecGuide_Legacy_JScript", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_powerpnt", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_onenote", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_mspub", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_msaccess", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_winproj", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_visio", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_outlook", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_winword", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "POL_SG_excel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PolicyEnableSIPHighSecurityMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PolicyDisableHttpConnect", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AddonManagement", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe17", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe15", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe19", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe26", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe22", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe18", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe21", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe24", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe23", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe20", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe14", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe16", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe27", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe25", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ConsistentMimeHandling", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe43", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe51", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe54", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe50", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe46", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe44", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe47", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe48", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe53", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe45", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe42", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe55", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe49", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe52", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Disableusernameandpassword", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe127", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe126", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe138", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe139", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe128", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe131", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe136", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe137", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe135", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe133", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe129", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe134", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe132", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe130", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Informationbar", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe113", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe114", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe123", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe124", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe120", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe118", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe115", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe121", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe112", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe117", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe125", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe119", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe122", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe116", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_LocalMachineZoneLockdownSecurity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe41", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe31", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe30", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe36", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe32", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe29", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe38", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe28", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe35", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe39", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe37", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe33", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe40", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe34", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_MimeSniffingSafetyFature", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe59", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe66", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe56", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe61", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe64", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe58", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe69", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe67", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe60", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe62", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe65", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe68", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe63", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe57", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NavigateURL", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe177", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe180", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe172", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe176", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe174", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe179", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe175", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe169", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe170", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe178", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe171", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe173", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe181", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe168", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ObjectCachingProtection", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe77", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe73", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe79", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe83", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe72", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe81", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe82", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe78", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe70", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe71", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe75", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe74", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe76", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe80", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ProtectionFromZoneElevation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe100", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe103", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe101", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe99", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe111", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe105", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe108", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe109", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe107", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe110", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe102", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe104", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe98", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe106", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RestrictActiveXInstall", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spDesignexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RestrictFileDownload", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe5", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe6", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe11", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe9", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe1", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe10", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe8", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe4", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe7", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe12", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe13", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe0", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SavedfromURL", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe158", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe164", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe167", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe163", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe160", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe156", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe159", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe161", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe165", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe166", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe162", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe154", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe155", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe157", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ScriptedWindowSecurityRestrictions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_exprwdexe94", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mse7exe97", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_mspubexe86", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_outlookexe92", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_msaccessexe95", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_powerpntexe87", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_grooveexe84", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_excelexe85", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_pptviewexe88", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_spdesignexe93", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_visioexe89", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_onenoteexe96", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winprojexe90", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_winwordexe91", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Parameters": [ + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Asktoupdateautomaticlinks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_LoadpicturesfromWebpagesnotcreatedinExcel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableAutoRepublish", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DoNotShowAutoRepublishWarningAlert", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Forcefileextenstionstomatch", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Forcefileextenstionstomatch_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedExcel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedExcelDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_BlockXLLFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_BlockXLLFromInternetEnum", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_EnableBlockUnsecureQueryFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DBaseIIIANDIVFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DBaseIIIANDIVFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DifAndSylkFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DifAndSylkFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel2MacrosheetsAndAddInFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel2MacrosheetsAndAddInFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel2Worksheets", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel2WorksheetsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel3MacrosheetsAndAddInFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel3MacrosheetsAndAddInFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel3Worksheets", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel3WorksheetsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4MacrosheetsAndAddInFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4MacrosheetsAndAddInFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4Workbooks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4WorkbooksDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4Worksheets", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel4WorksheetsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel95Workbooks", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel95WorkbooksDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel9597WorkbooksAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel9597WorkbooksAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel972003WorkbooksAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Excel972003WorkbooksAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WebPagesAndExcel2003XMLSpreadsheets", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WebPagesAndExcel2003XMLSpreadsheetsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_XL4KillSwitchPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_EnableDataBaseFileProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty4", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftExcel_Security_L_TurnOffFileValidation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WebContentWarningLevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WebContentWarningLevelValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyWord", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyExcel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyVisio", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyPublisher", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyProject", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyAccess", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ActiveXControlInitialization", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_ActiveXControlInitializationcolon", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_BasicAuthProxyBehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowVbaIntranetRefs", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AutomationSecurity", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SettheAutomationSecuritylevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AuthenticationFBABehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AuthenticationFBAEnabledHostsID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_authenticationFBABehaviorEnum", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableStrictVbaRefsSecurityPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableallTrustBarnotificationsfor", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypeforirm", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypeforirmcolon", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypeforpasswordprotectedoffice972003", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_encryptiontypecolon318", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypeforpasswordprotectedofficeopen", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Encryptiontypecolon", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_LoadControlsinForms3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_LoadControlsinForms3colon", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_MacroRuntimeScanScope", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_MacroRuntimeScanScopeEnum", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Protectdocumentmetadataforrightsmanaged", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Allowmixofpolicyanduserlocations", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisabletheOfficeclientfrompolling", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableSmartDocumentsuseofmanifests", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OutlookSecurityMode", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMAddressAccess", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMAddressAccess_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMMeetingTaskRequest", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMMeetingTaskRequest_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMSend", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMSend_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Preventusersfromcustomizingattachmentsecuritysettings", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RetrievingCRLsCertificateRevocationLists", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty31", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMFormula", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMFormula_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AuthenticationwithExchangeServer", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SelecttheauthenticationwithExchangeserver", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_EnableRPCEncryption", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Enablelinksinemailmessages", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMAddressBook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMAddressBook_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OutlookSecurityPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowUsersToLowerAttachments", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowActiveXOneOffForms", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty29", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_EnableScriptsInOneOffForms", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Level2RemoveFilePolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_removedextensions25", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_MSGUnicodeformatwhendraggingtofilesystem", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OnExecuteCustomActionOOM", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OnExecuteCustomActionOOM_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableOutlookobjectmodelscriptsforpublicfolders", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_BlockInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SecurityLevelOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SecurityLevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Level1RemoveFilePolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RemovedExtensions", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_SignatureWarning", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_signaturewarning30", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Level1Attachments", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Minimumencryptionsettings", + "Option": "Write" + }, + { + "CIMType": "SInt32", + "Name": "L_Minimumkeysizeinbits", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DisableOutlookobjectmodelscripts", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMSaveAs", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_OOMSaveAs_Setting", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_JunkEmailprotectionlevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Selectlevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RunPrograms", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_RunPrograms_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Determinewhethertoforceencryptedppt", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedpptDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPowerPoint_Security_L_TurnOffFileValidation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PublisherAutomationSecurityLevel", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_PublisherAutomationSecurityLevel_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty0", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio2000Files", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio2000FilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio2003Files", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio2003FilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio50AndEarlierFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Visio50AndEarlierFilesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowDDE", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_AllowDDEDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2AndEarlierBinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2000BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2000BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2003BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2003BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2007AndLaterBinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word6Pt0BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word6Pt0BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word95BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word95BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word97BinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_Word97BinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WordXPBinaryDocumentsAndTemplates", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_WordXPBinaryDocumentsAndTemplatesDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedWord", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_DeterminewhethertoforceencryptedWordDropID", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "L_empty19", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_L_TurnOffFileValidation", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Name": "DeviceSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise", + "Name": "UserSettings", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneSecurityBaselineMicrosoftEdge", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InternetExplorerIntegrationReloadInIEModeAllowed", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SSLErrorOverrideAllowed", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InternetExplorerIntegrationZoneIdentifierMhtFileAllowed", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BrowserLegacyExtensionPointsBlockingEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SitePerProcess", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "EdgeEnhanceImagesEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExtensionInstallBlocklist", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "ExtensionInstallBlocklistDesc", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "WebSQLAccess", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "BasicAuthOverHttpEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "MicrosoftEdge_HTTPAuthentication_AuthSchemes", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "authschemes", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "NativeMessagingUserLevelHosts", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InsecurePrivateNetworkRequestsAllowed", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "InternetExplorerModeToolbarButtonEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SmartScreenEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SmartScreenPuaEnabled", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PreventSmartScreenPromptOverride", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "PreventSmartScreenPromptOverrideForFiles", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "SharedArrayBufferUnrestrictedAccessAllowed", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TyposquattingCheckerEnabled", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_IntuneSettingCatalogASRRulesPolicyWindows10", "Parameters": [ diff --git a/ResourceGenerator/M365DSCResourceGenerator.psm1 b/ResourceGenerator/M365DSCResourceGenerator.psm1 index fbe1658771..0f8d094ab5 100644 --- a/ResourceGenerator/M365DSCResourceGenerator.psm1 +++ b/ResourceGenerator/M365DSCResourceGenerator.psm1 @@ -278,6 +278,10 @@ function New-M365DSCResource $deviceDefinitionSettings = @() foreach ($deviceTemplateSetting in $deviceTemplateSettings) { + foreach ($deviceChildSetting in $deviceTemplateSetting.ChildSettings) + { + $deviceChildSetting.DisplayName += " - Depends on $($deviceTemplateSetting.Name)" + } $deviceDefinitionSettings += New-ParameterDefinitionFromSettingsCatalogTemplateSetting ` -TemplateSetting $deviceTemplateSetting } @@ -285,6 +289,10 @@ function New-M365DSCResource $userDefinitionSettings = @() foreach ($userTemplateSetting in $userTemplateSettings) { + foreach ($userChildSetting in $userTemplateSetting.ChildSettings) + { + $userChildSetting.DisplayName += " - Depends on $($userTemplateSetting.Name)" + } $userDefinitionSettings += New-ParameterDefinitionFromSettingsCatalogTemplateSetting ` -TemplateSetting $userTemplateSetting } @@ -308,14 +316,14 @@ function New-M365DSCResource MOFInstance = @( @" [ClassVersion("1.0.0.0")] -class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings +class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_$($ResourceName) { $($deviceDefinitionSettings.MOF -join "`r`n") }; "@, @" [ClassVersion("1.0.0.0")] -class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings +class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_$($ResourceName) { $($userDefinitionSettings.MOF -join "`r`n") }; @@ -336,13 +344,13 @@ $($userDefinitionSettings.MOF -join "`r`n") { $parameter -match '\$.*$' $parameterName = $Matches[0].Replace('$', '') - $parameterType = 'IntuneSettingsCatalog' + $parameterName - $cimInstance = $definitionSettings.MOFInstance | Where-Object -FilterScript { $_ -like "*$parameterType`n*" } + $parameterType = 'IntuneSettingsCatalog' + $parameterName + $(if ($parameterName -in @('DeviceSettings', 'UserSettings')) { "_$ResourceName" }) + $cimInstance = $definitionSettings.MOFInstance | Where-Object -FilterScript { $_ -like "*$parameterType`n*" -or $_ -like "*$parameterType`r`n*" } $rowFilter = '\[.*;' $cimRows = [regex]::Matches($cimInstance, $rowFilter) | Foreach-Object { $_.Value } - $cimPropertyNamequery = '[a-zA-Z_]+[\[\]]*;' + $cimPropertyNamequery = '[a-zA-Z0-9_]+[\[\]]*;' $cimProperties = @() foreach ($row in $cimRows) { @@ -364,7 +372,7 @@ $($userDefinitionSettings.MOF -join "`r`n") Name = $parameterName IsComplexType = $true IsMandatory = $false - IsArray = $true + IsArray = $parameter -match '\[.*\[\]\]' Type = $parameterType Properties = $cimProperties } @@ -539,6 +547,7 @@ $($userDefinitionSettings.MOF -join "`r`n") [array]`$settings = Get-$($CmdLetNoun)Setting `` -DeviceManagementConfigurationPolicyId `$Id `` -ExpandProperty 'settingDefinitions' `` + -All `` -ErrorAction Stop `$policySettings = @{} @@ -662,7 +671,7 @@ $($userDefinitionSettings.MOF -join "`r`n") $defaultCreateParameters = @" `$settings = Get-IntuneSettingCatalogPolicySetting `` -DSCParams ([System.Collections.Hashtable]`$BoundParameters) `` - -TemplateId `$templateReferenceId$(if ($containsDeviceAndUserSettings) { " ```r`n -ContainsDeviceAndUserSettings" })`r`n + -TemplateId `$templateReferenceId$(if ($containsDeviceAndUserSettings) { " ```r`n -ContainsDeviceAndUserSettings" }) `$createParameters = @{ Name = `$DisplayName @@ -785,7 +794,7 @@ $($userDefinitionSettings.MOF -join "`r`n") $defaultUpdateParameters = @" `$settings = Get-IntuneSettingCatalogPolicySetting `` -DSCParams ([System.Collections.Hashtable]`$BoundParameters) `` - -TemplateId `$templateReferenceId$(if ($containsDeviceAndUserSettings) { " ```r`n -ContainsDeviceAndUserSettings" })`r`n + -TemplateId `$templateReferenceId$(if ($containsDeviceAndUserSettings) { " ```r`n -ContainsDeviceAndUserSettings" }) Update-IntuneDeviceConfigurationPolicy `` -DeviceConfigurationPolicyId `$currentInstance.Id `` @@ -3894,7 +3903,12 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { $newName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $_.OffsetUri -SettingName $previousSettingName -Skip $skip if ($newName -eq $newSettingName) { - $combinationMatchesWithOffsetUri += $_ + # Exclude v2 versions from the comparison + if ($settingDefinition.Id -like "*_v2" -and $_.Id -ne $settingDefinition.Id.Replace('_v2', '') -or + $settingDefinition.Id -notlike "*_v2" -and $_.Id -ne $settingDefinition.Id + "_v2") + { + $combinationMatchesWithOffsetUri += $_ + } } } $settingsWithSameName = $combinationMatchesWithOffsetUri @@ -3904,6 +3918,10 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { if ($breakCounter -lt 8) { + if ($settingDefinition.Id -like "*_v2" -and $newSettingName -notlike "*_v2") + { + $newSettingName += "_v2" + } $settingName = $newSettingName } else @@ -3925,6 +3943,26 @@ function New-SettingsCatalogSettingDefinitionSettingsFromTemplate { { $settingName = Get-SettingDefinitionNameWithParentFromOffsetUri -OffsetUri $SettingDefinition.OffsetUri -SettingName $settingName } + + # Simplify names from the OffsetUri. This is done to make the names more readable, especially in case of long and complex OffsetUris. + switch -wildcard ($settingName) + { + 'access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings~*' { $settingName = $settingName.Replace('access16v2~Policy~L_MicrosoftOfficeaccess~L_ApplicationSettings', 'MicrosoftAccess_') } + 'excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions~*' { $settingName = $settingName.Replace('excel16v2~Policy~L_MicrosoftOfficeExcel~L_ExcelOptions', 'MicrosoftExcel_') } + 'word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions~*' { $settingName = $settingName.Replace('word16v2~Policy~L_MicrosoftOfficeWord~L_WordOptions', 'MicrosoftWord_') } + 'ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions~*' { $settingName = $settingName.Replace('ppt16v2~Policy~L_MicrosoftOfficePowerPoint~L_PowerPointOptions', 'MicrosoftPowerPoint_') } + 'proj16v2~Policy~L_Proj~L_ProjectOptions~*' { $settingName = $settingName.Replace('proj16v2~Policy~L_Proj~L_ProjectOptions', 'MicrosoftProject_') } + 'visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions~*' { $settingName = $settingName.Replace('visio16v2~Policy~L_MicrosoftVisio~L_VisioOptions', 'MicrosoftVisio_') } + 'pub16v2~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v2~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV2_') } + 'pub16v3~Policy~L_MicrosoftOfficePublisher~*' { $settingName = $settingName.Replace('pub16v3~Policy~L_MicrosoftOfficePublisher', 'MicrosoftPublisherV3_') } + 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') } + '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') } + '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') } + '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') } + '*~L_FileBlockSettings_*' { $settingName = $settingName.Replace('~L_FileBlockSettings', 'FileBlockSettings') } + '*~L_TrustedLocations*' { $settingName = $settingName.Replace('~L_TrustedLocations', 'TrustedLocations') } + '*~HTTPAuthentication_*' { $settingName = $settingName.Replace('~HTTPAuthentication', 'HTTPAuthentication') } + } } $childSettings = @() @@ -3997,6 +4035,12 @@ function Get-SettingDefinitionNameWithParentFromOffsetUri { { $splittedOffsetUri = $splittedOffsetUri[1..($splittedOffsetUri.Length - 1)] } + + if ($Skip -gt $splittedOffsetUri.Length - 1) + { + return $SettingName + } + $splittedOffsetUri = $splittedOffsetUri[0..($splittedOffsetUri.Length - 1 - $Skip)] $traversed = $false while (-not $traversed -and $splittedOffsetUri.Length -gt 1) # Prevent adding the first element of the OffsetUri @@ -4092,7 +4136,7 @@ class $ "@ - $mofDefinition = $mofParameterTemplate.Replace("", $TemplateSetting.DisplayName) + $mofDefinition = $mofParameterTemplate.Replace("", $TemplateSetting.DisplayName.Replace("`r`n", "")) $optionsString = "" $valueMapString = "" if ($TemplateSetting.Options) { diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 index 828bde930b..d0e9424d6f 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Create.Tests.ps1 @@ -360,6 +360,47 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' + { + Category = "joiner"; + Description = "Description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Present"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + Rule = '(not (country eq ''Brazil''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add user to groups' + Description = 'Add user to selected groups' + Category = 'joiner,leaver,mover' + IsEnabled = $True + ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 index c7f705b234..86e91dc321 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Remove.Tests.ps1 @@ -285,6 +285,47 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' + { + Category = "joiner"; + Description = "Updated description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Absent"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + Rule = '(not (country eq ''America''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add user to groups' + Description = 'Add user to selected groups updated' + Category = 'joiner,leaver,mover' + IsEnabled = $True + ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADNamedLocationPolicy 'CompanyNetwork' { DisplayName = "Company Network" diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 index 38a257dddf..cce664e8ec 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.AAD.Update.Tests.ps1 @@ -861,6 +861,50 @@ TenantId = $TenantId CertificateThumbprint = $CertificateThumbprint } + AADIdentityGovernanceLifecycleWorkflow 'AADIdentityGovernanceLifecycleWorkflow-Onboard pre-hire employee updated version' + { + Category = "joiner"; + #updated description + Description = "Updated description the onboard of prehire employee"; + DisplayName = "Onboard pre-hire employee updated version"; + Ensure = "Present"; + ExecutionConditions = MSFT_IdentityGovernanceWorkflowExecutionConditions { + ScopeValue = MSFT_IdentityGovernanceScope { + #updated rule + Rule = '(not (country eq ''America''))' + ODataType = '#microsoft.graph.identityGovernance.ruleBasedSubjectSet' + } + TriggerValue = MSFT_IdentityGovernanceTrigger { + OffsetInDays = 4 + TimeBasedAttribute = 'employeeHireDate' + ODataType = '#microsoft.graph.identityGovernance.timeBasedAttributeTrigger' + } + ODataType = '#microsoft.graph.identityGovernance.triggerAndScopeBasedConditions' + }; + IsEnabled = $True; + IsSchedulingEnabled = $False; + Tasks = @( + MSFT_AADIdentityGovernanceTask { + DisplayName = 'Add user to groups' + #updated description + Description = 'Add user to selected groups updated' + Category = 'joiner,leaver,mover' + IsEnabled = $True + ExecutionSequence = 1 + ContinueOnError = $True + TaskDefinitionId = '22085229-5809-45e8-97fd-270d28d66910' + Arguments = @( + MSFT_AADIdentityGovernanceTaskArguments { + Name = 'groupID' + Value = '7ad01e00-8c3a-42a6-baaf-39f2390b2565' + } + ) + } + ); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } AADLifecycleWorkflowSettings 'AADLifecycleWorkflowSettings' { ApplicationId = $ApplicationId; diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index dadb7d572a..368146fdd0 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 @@ -91,12 +91,12 @@ IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' { DisplayName = 'test' - DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 { History = 10 EnablePinRecovery = 'true' } - UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 { History = 20 EnablePinRecovery = 'true' @@ -2570,6 +2570,34 @@ DisplayName = 'Kajal 3' }); } + IntuneMobileAppsWindowsOfficeSuiteApp 'IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later' + { + Id = "8e683524-4ec1-4813-bb3e-6256b2f293d" + Description = "Microsoft 365 Apps for Windows 10 and laterr" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c' + intent = 'required' + } + ); + Categories = @( + MSFT_DeviceManagementMobileAppCategory { + Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8' + DisplayName = 'Productivity' + }); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } IntunePolicySets 'Example' { Assignments = @( @@ -2631,6 +2659,50 @@ TenantId = $TenantId; CertificateThumbprint = $CertificateThumbprint; } + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + L_powerpntexe101 = '1' + L_pptviewexe102 = '1' + L_visioexe103 = '1' + L_winprojexe104 = '1' + L_winwordexe105 = '1' + L_outlookexe106 = '1' + L_spdesignexe107 = '1' + L_exprwdexe108 = '1' + L_msaccessexe109 = '1' + L_onenoteexe110 = '1' + L_mse7exe111 = '1' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '3' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + InsecurePrivateNetworkRequestsAllowed = "0"; + InternetExplorerIntegrationReloadInIEModeAllowed = "0"; + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0"; + InternetExplorerModeToolbarButtonEnabled = "0"; + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } IntuneSettingCatalogASRRulesPolicyWindows10 'myASRRulesPolicy' { DisplayName = 'asr 2' diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 index b83b974567..d3d8323968 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneAccountProtectionPolicyWindows10.Tests.ps1 @@ -219,7 +219,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) Description = "My Test" DeviceSettings = [CimInstance]( - New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ History = 10 } -ClientOnly ) @@ -227,7 +227,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = "My Test" RoleScopeTagIds = @("FakeStringValue") UserSettings = [CimInstance]( - New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ History = 20 } -ClientOnly ) @@ -263,7 +263,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) Description = "My Test" DeviceSettings = [CimInstance]( - New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ History = 10 } -ClientOnly ) @@ -271,7 +271,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = "My Test" RoleScopeTagIds = @("FakeStringValue") UserSettings = [CimInstance]( - New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ History = 20 } -ClientOnly ) @@ -305,7 +305,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) Description = "My Test" DeviceSettings = [CimInstance]( - New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ History = 10 } -ClientOnly ) @@ -313,7 +313,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = "My Test" RoleScopeTagIds = @("FakeStringValue") UserSettings = [CimInstance]( - New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ History = 20 } -ClientOnly ) @@ -339,7 +339,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { ) Description = "My Test" DeviceSettings = [CimInstance]( - New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ History = 10 } -ClientOnly ) @@ -347,7 +347,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { DisplayName = "My Test" RoleScopeTagIds = @("FakeStringValue") UserSettings = [CimInstance]( - New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 -Property @{ History = 30 # Drift } -ClientOnly ) diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsWindowsOfficeSuiteApp.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsWindowsOfficeSuiteApp.Tests.ps1 new file mode 100644 index 0000000000..ff169134f0 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneMobileAppsWindowsOfficeSuiteApp.Tests.ps1 @@ -0,0 +1,386 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$CurrentScriptPath = $PSCommandPath.Split('\') +$CurrentScriptName = $CurrentScriptPath[$CurrentScriptPath.Length -1] +$ResourceName = $CurrentScriptName.Split('.')[1] +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource $ResourceName -GenericStubModule $GenericStubPath + +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName New-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName Update-MgBetaDeviceAppManagementMobileApp -MockWith { + } + Mock -CommandName Remove-MgBetaDeviceAppManagementMobileApp -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{} + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + + # Test contexts + Context -Name "1. The instance should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + PrivacyInformationUrl = "" + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + RoleScopeTagIds = @() + Notes = "" + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return $null + } + } + + It '1.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It '1.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '1.3 Should create a new instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name "2. The instance exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Id = "ad027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Ensure = 'Absent' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "ad027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and laterr" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + Ensure = 'Present' + } + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '2.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '2.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '2.3 Should remove the instance from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name "3. The instance exists and values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Ensure = 'Present' + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.officeSuiteApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + Ensure = 'Present' + } + } + + # Remove Assignments logic for now as we debug this part + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '3.0 Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "4. The instance exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + InformationUrl = "" + IsFeatured = $False + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later drift" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.officeSuiteApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + } + } + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '4.1 Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + It '4.2 Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It '4.3 Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceAppManagementMobileApp -Exactly 1 + } + } + + Context -Name '5. ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceAppManagementMobileApp -MockWith { + return @{ + Id = "8d027f94-0682-431e-97c1-827d1879fa79" + Categories = @() + Description = "Microsoft 365 Apps for Windows 10 and later" + DisplayName = "Microsoft 365 Apps for Windows 10 and later drift" + InformationUrl = "" + IsFeatured = $False + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + ExcludedApps = (New-CimInstance -ClassName MSFT_DeviceManagementMobileAppExcludedApp -Property @{ + teams = $false + sharePointDesigner = $true + powerPoint = $false + outlook = $false + groove = $true + word = $false + lync = $true + oneNote = $false + oneDrive = $false + publisher = $false + bing = $false + visio = $false + access = $false + infoPath = $true + excel = $false + } -ClientOnly) + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.officeSuiteApp' + minimumSupportedOperatingSystem = @{ + v11_0 = $true + } + } + } + } + Mock -CommandName Get-MgBetaDeviceAppManagementMobileAppAssignment -MockWith{ + return $null + } + } + + It '5.0 Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1 new file mode 100644 index 0000000000..a232790964 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoft365AppsForEnterprise.Tests.ps1 @@ -0,0 +1,500 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneSecurityBaselineMicrosoft365AppsForEnterprise" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '90316f12-246d-44c6-a767-f87692e86083_2' + } + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + Name = 'L_ProtectionFromZoneElevation' + OffsetUri = '/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_SecuritySettingsMachine~L_IESecurity/L_ProtectionFromZoneElevation' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + }, + @{ + Id = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99' + Name = 'L_excelexe99' + OffsetUri = '/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_SecuritySettingsMachine~L_IESecurity/L_ProtectionFromZoneElevation' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'False' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99_0' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + }, + @{ + name = 'True' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99_1' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + } + ) + } + }, + @{ + Id = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98' + Name = 'L_grooveexe98' + OffsetUri = '/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_SecuritySettingsMachine~L_IESecurity/L_ProtectionFromZoneElevation' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'False' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98_0' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + }, + @{ + name = 'True' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98_1' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + } + ) + } + }, + @{ + Id = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100' + Name = 'L_mspubexe100' + OffsetUri = '/Config/office16v2~Policy~L_MicrosoftOfficemachine~L_SecuritySettingsMachine~L_IESecurity/L_ProtectionFromZoneElevation' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'False' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100_0' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + }, + @{ + name = 'True' + itemId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100_1' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + parentSettingId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + } + ) + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '7f23a242-9f64-47a5-8a57-a4675ca74c2b' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + value = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_1' + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_grooveexe98_1' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_excelexe99_1' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_office16v2~policy~l_microsoftofficemachine~l_securitysettingsmachine~l_iesecurity_l_protectionfromzoneelevation_l_mspubexe100_1' + } + } + ) + } + } + } + }, + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates' + Name = 'L_Word2003BinaryDocumentsAndTemplates' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'Enabled' + itemId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_1' + } + ) + } + }, + @{ + Id = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid' + Name = 'L_Word2003BinaryDocumentsAndTemplatesDropID' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( + @{ + name = 'Open/Save blocked, use open policy' + itemId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid_2' + dependentOn = @( + @{ + dependentOn = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_1' + parentSettingId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates' + } + ) + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '23436aa2-f056-40bd-aca3-9bc84b2aeff0' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + value = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_1' + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid' + choiceSettingValue = @{ + children = @() + value = 'user_vendor_msft_policy_config_word16v2~policy~l_microsoftofficeword~l_wordoptions~l_security~l_trustcenter~l_fileblocksettings_l_word2003binarydocumentsandtemplates_l_word2003binarydocumentsandtemplatesdropid_2' + } + } + ) + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneSecurityBaselineMicrosoft365AppsForEnterprise should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + L_Word2003BinaryDocumentsAndTemplates = '1' + L_Word2003BinaryDocumentsAndTemplatesDropID = '2' + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneSecurityBaselineMicrosoft365AppsForEnterprise exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + L_Word2003BinaryDocumentsAndTemplates = '1' + L_Word2003BinaryDocumentsAndTemplatesDropID = '2' + } -ClientOnly + ) + Ensure = "Absent" + Credential = $Credential + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneSecurityBaselineMicrosoft365AppsForEnterprise Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + L_Word2003BinaryDocumentsAndTemplates = '1' + L_Word2003BinaryDocumentsAndTemplatesDropID = '2' + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + } + + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneSecurityBaselineMicrosoft365AppsForEnterprise exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + DeviceSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings -Property @{ + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '0' # Drift + } -ClientOnly + ) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + UserSettings = [CimInstance]( + New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings -Property @{ + L_Word2003BinaryDocumentsAndTemplates = '1' + L_Word2003BinaryDocumentsAndTemplatesDropID = '2' + } -ClientOnly + ) + Ensure = "Present" + Credential = $Credential + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 new file mode 100644 index 0000000000..c5f003a76e --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineMicrosoftEdge.Tests.ps1 @@ -0,0 +1,359 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneSecurityBaselineMicrosoftEdge" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = 'c66347b7-8325-4954-a235-3bf2233dfbfd_2' + } + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed' + Name = 'InsecurePrivateNetworkRequestsAllowed' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'c6dec9f2-a235-4878-8462-e88569b47e0b' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed_0' + } + } + } + }, + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed' + Name = 'InternetExplorerIntegrationReloadInIEModeAllowed' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'fd416796-3442-405c-9f9e-e1ca3c0b9e3f' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed_0' + } + } + } + }, + @{ + Id = '2' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed' + Name = 'InternetExplorerIntegrationZoneIdentifierMhtFileAllowed' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'ba15aa09-ea95-49bd-92bf-de9cec9c1146' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_microsoft_edgev117~policy~microsoft_edge_internetexplorerintegrationzoneidentifiermhtfileallowed_0' + } + } + } + }, + @{ + Id = '3' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled' + Name = 'InternetExplorerModeToolbarButtonEnabled' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'fd416796-3442-405c-9f9e-e1ca3c0b9e3f' + } + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled_0' + } + } + } + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneSecurityBaselineMicrosoftEdge should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + InsecurePrivateNetworkRequestsAllowed = "0" + InternetExplorerIntegrationReloadInIEModeAllowed = "0" + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0" + InternetExplorerModeToolbarButtonEnabled = "0" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneSecurityBaselineMicrosoftEdge exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + InsecurePrivateNetworkRequestsAllowed = "0" + InternetExplorerIntegrationReloadInIEModeAllowed = "0" + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0" + InternetExplorerModeToolbarButtonEnabled = "0" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Absent" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + Context -Name "The IntuneSecurityBaselineMicrosoftEdge Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + InsecurePrivateNetworkRequestsAllowed = "0" + InternetExplorerIntegrationReloadInIEModeAllowed = "0" + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0" + InternetExplorerModeToolbarButtonEnabled = "0" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneSecurityBaselineMicrosoftEdge exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + Id = "12345-12345-12345-12345-12345" + InsecurePrivateNetworkRequestsAllowed = "0" + InternetExplorerIntegrationReloadInIEModeAllowed = "0" + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0" + InternetExplorerModeToolbarButtonEnabled = "1" # Drift + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/docs/docs/resources/azure-ad/AADServicePrincipal.md b/docs/docs/resources/azure-ad/AADServicePrincipal.md index 8e360204df..fc48241314 100644 --- a/docs/docs/resources/azure-ad/AADServicePrincipal.md +++ b/docs/docs/resources/azure-ad/AADServicePrincipal.md @@ -21,6 +21,7 @@ | **ServicePrincipalNames** | Write | StringArray[] | Specifies an array of service principal names. Based on the identifierURIs collection, plus the application's appId property, these URIs are used to reference an application's service principal. | | | **ServicePrincipalType** | Write | String | The type of the service principal. | | | **Tags** | Write | StringArray[] | Tags linked to this service principal.Note that if you intend for this service principal to show up in the All Applications list in the admin portal, you need to set this value to {WindowsAzureActiveDirectoryIntegratedApp} | | +| **DelegatedPermissionClassifications** | Write | MSFT_AADServicePrincipalDelegatedPermissionClassification[] | The permission classifications for delegated permissions exposed by the app that this service principal represents. | | | **Ensure** | Write | String | Specify if the Azure AD App should exist or not. | `Present`, `Absent` | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | | **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | @@ -39,6 +40,15 @@ | **PrincipalType** | Write | String | Type of principal. Accepted values are User or Group | `Group`, `User` | | **Identity** | Write | String | Unique identity representing the principal. | | +### MSFT_AADServicePrincipalDelegatedPermissionClassification + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Classification** | Write | String | Classification of the delegated permission | `low`, `medium`, `high` | +| **PermissionName** | Write | String | Name of the permission | | + ## Description This resource configures an Azure Active Directory ServicePrincipal. diff --git a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md index b48a438afa..8a3356509d 100644 --- a/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md +++ b/docs/docs/resources/intune/IntuneAccountProtectionPolicyWindows10.md @@ -8,8 +8,8 @@ | **DisplayName** | Key | String | Policy name | | | **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | | **Id** | Write | String | The unique identifier for an entity. Read-only. | | -| **DeviceSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings | The policy settings for the device scope. | | -| **UserSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings | The policy settings for the user scope | | +| **DeviceSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 | The policy settings for the device scope. | | +| **UserSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 | The policy settings for the user scope | | | **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | | **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials of the Admin | | @@ -33,7 +33,7 @@ | **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | | **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | -### MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings +### MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 #### Parameters @@ -53,7 +53,7 @@ | **UseCertificateForOnPremAuth** | Write | String | Use Certificate For On Prem Auth (false: Disabled, true: Enabled) | `false`, `true` | | **UsePassportForWork** | Write | String | Use Windows Hello For Business (Device) (false: Disabled, true: Enabled) | `false`, `true` | -### MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings +### MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 #### Parameters @@ -131,12 +131,12 @@ Configuration Example IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' { DisplayName = 'test' - DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 { History = 10 EnablePinRecovery = 'true' } - UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 { History = 20 EnablePinRecovery = 'true' @@ -178,12 +178,12 @@ Configuration Example IntuneAccountProtectionPolicyWindows10 'myAccountProtectionPolicy' { DisplayName = 'test' - DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneAccountProtectionPolicyWindows10 { History = 10 EnablePinRecovery = 'true' } - UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneAccountProtectionPolicyWindows10 { History = 30 # Updated property EnablePinRecovery = 'true' diff --git a/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md new file mode 100644 index 0000000000..52bfea559e --- /dev/null +++ b/docs/docs/resources/intune/IntuneMobileAppsWindowsOfficeSuiteApp.md @@ -0,0 +1,276 @@ +# IntuneMobileAppsWindowsOfficeSuiteApp + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The admin provided or imported title of the app. Inherited from mobileApp. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. Inherited from mobileApp object. | | +| **Description** | Write | String | The description of the app. Inherited from mobileApp. | | +| **IsFeatured** | Write | Boolean | The value indicating whether the app is marked as featured by the admin. Inherited from mobileApp. | | +| **PrivacyInformationUrl** | Write | String | The privacy statement Url. Inherited from mobileApp. | | +| **InformationUrl** | Write | String | The InformationUrl of the app. Inherited from mobileApp. | | +| **Notes** | Write | String | Notes for the app. Inherited from mobileApp. | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for mobile app. | | +| **AutoAcceptEula** | Write | Boolean | Specifies if the EULA is accepted automatically on the end user's device. | | +| **ProductIds** | Write | StringArray[] | The Product IDs that represent the Office 365 Suite SKU, such as 'O365ProPlusRetail' or 'VisioProRetail'. | | +| **UseSharedComputerActivation** | Write | Boolean | Indicates whether shared computer activation is used for Office installations. | | +| **UpdateChannel** | Write | String | Specifies the update channel for the Office 365 app suite, such as 'Current' or 'Deferred'. | | +| **OfficeSuiteAppDefaultFileFormat** | Write | String | Specifies the default file format type for Office apps, such as 'OfficeOpenXMLFormat' or 'OfficeOpenDocumentFormat'. | | +| **OfficePlatformArchitecture** | Write | String | The architecture of the Office installation (e.g., 'X86', 'X64', or 'Arm64'). Cannot be changed after creation. | | +| **LocalesToInstall** | Write | StringArray[] | Specifies the locales to be installed when the Office 365 apps are deployed. Uses the standard RFC 5646 format (e.g., 'en-US', 'fr-FR'). | | +| **InstallProgressDisplayLevel** | Write | String | Specifies the display level of the installation progress for Office apps. Use 'Full' to display the installation UI, or 'None' for a silent installation. | | +| **ShouldUninstallOlderVersionsOfOffice** | Write | Boolean | Indicates whether older versions of Office should be uninstalled when deploying the Office 365 app suite. | | +| **TargetVersion** | Write | String | The specific target version of the Office 365 app suite to be deployed. | | +| **UpdateVersion** | Write | String | The update version in which the target version is available for the Office 365 app suite. | | +| **OfficeConfigurationXml** | Write | String | A base64-encoded XML configuration file that specifies Office ProPlus installation settings. Takes precedence over all other properties. When present, this XML file will be used to create the app. | | +| **Categories** | Write | MSFT_DeviceManagementMobileAppCategory[] | The list of categories for this app. | | +| **Assignments** | Write | MSFT_DeviceManagementMobileAppAssignment[] | The list of assignments for this app. | | +| **ExcludedApps** | Write | MSFT_DeviceManagementMobileAppExcludedApp | The property that represents the apps excluded from the selected Office 365 Product ID. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_DeviceManagementMobileAppAssignment + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.mobileAppAssignment` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are: none, include, exclude. | `none`, `include`, `exclude` | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **intent** | Write | String | Possible values for the install intent chosen by the admin. | `available`, `required`, `uninstall`, `availableWithoutEnrollment` | + +### MSFT_DeviceManagementMimeContent + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Type** | Write | String | Indicates the type of content mime. | | +| **Value** | Write | String | The Base64 encoded string content. | | + +### MSFT_DeviceManagementMobileAppCategory + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **DisplayName** | Key | String | The name of the app category. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | + +### MSFT_DeviceManagementMobileAppExcludedApp + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Access** | Write | Boolean | Specifies whether to exclude Microsoft Office Access from the installation. | | +| **Bing** | Write | Boolean | Specifies whether to exclude Microsoft Search (Bing) as the default from the installation. | | +| **Excel** | Write | Boolean | Specifies whether to exclude Microsoft Office Excel from the installation. | | +| **Groove** | Write | Boolean | Specifies whether to exclude Microsoft Office OneDrive for Business (Groove) from the installation. | | +| **InfoPath** | Write | Boolean | Specifies whether to exclude Microsoft Office InfoPath from the installation. | | +| **Lync** | Write | Boolean | Specifies whether to exclude Microsoft Office Skype for Business (Lync) from the installation. | | +| **OneDrive** | Write | Boolean | Specifies whether to exclude Microsoft Office OneDrive from the installation. | | +| **OneNote** | Write | Boolean | Specifies whether to exclude Microsoft Office OneNote from the installation. | | +| **Outlook** | Write | Boolean | Specifies whether to exclude Microsoft Office Outlook from the installation. | | +| **PowerPoint** | Write | Boolean | Specifies whether to exclude Microsoft Office PowerPoint from the installation. | | +| **Publisher** | Write | Boolean | Specifies whether to exclude Microsoft Office Publisher from the installation. | | +| **SharePointDesigner** | Write | Boolean | Specifies whether to exclude Microsoft Office SharePoint Designer from the installation. | | +| **Teams** | Write | Boolean | Specifies whether to exclude Microsoft Office Teams from the installation. | | +| **Visio** | Write | Boolean | Specifies whether to exclude Microsoft Office Visio from the installation. | | +| **Word** | Write | Boolean | Specifies whether to exclude Microsoft Office Word from the installation. | | + + +## Description + +This resource configures an Intune mobile app of OfficeSuiteApp type for Windows devices. + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementApps.Read.All + +- **Update** + + - DeviceManagementApps.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementApps.Read.All + +- **Update** + + - DeviceManagementApps.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later" + { + Id = "8e683524-4ec1-4813-bb3e-6256b2f293d" + Description = "Microsoft 365 Apps for Windows 10 and laterr" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c' + intent = 'required' + } + ); + Categories = @( + MSFT_DeviceManagementMobileAppCategory { + Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8' + DisplayName = 'Productivity' + }); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later" + { + Id = "8e683524-4ec1-4813-bb3e-6256b2f293d" + Description = "Microsoft 365 Apps for Windows 10 and laterr" + DisplayName = "Microsoft 365 Apps for Windows 10 and later" + Ensure = "Present"; + InformationUrl = ""; + IsFeatured = $False; + Notes = "" + PrivacyInformationUrl = "" + RoleScopeTagIds = @() + Assignments = @( + MSFT_DeviceManagementMobileAppAssignment{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.groupAssignmentTarget' + groupId = '42c02b60-f28c-4eef-b3e1-973184cc4a6c' + intent = 'required' + } + ); + Categories = @( + MSFT_DeviceManagementMobileAppCategory { + Id = '8e683524-4ec1-4813-bb3e-6256b2f293d8' + DisplayName = 'Productivity' + }); + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + + Import-DscResource -ModuleName Microsoft365DSC + node localhost + { + IntuneMobileAppsWindowsOfficeSuiteApp "IntuneMobileAppsWindowsOfficeSuiteApp-Microsoft 365 Apps for Windows 10 and later" + { + Id = "8e683524-4ec1-4813-bb3e-6256b2f293d8"; + DisplayName = "Microsoft 365 Apps for Windows 10 and later"; + Ensure = "Absent"; + ApplicationId = $ApplicationId + TenantId = $TenantId + CertificateThumbprint = $CertificateThumbprint + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md new file mode 100644 index 0000000000..78a3f1969a --- /dev/null +++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoft365AppsForEnterprise.md @@ -0,0 +1,678 @@ +# IntuneSecurityBaselineMicrosoft365AppsForEnterprise + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **DeviceSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise | The policy settings for the device scope | | +| **UserSettings** | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise | The policy settings for the user scope | | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Pol_SecGuide_A001_Block_Flash** | Write | String | Block Flash activation in Office documents (0: Disabled, 1: Enabled) | `0`, `1` | +| **Pol_SecGuide_Block_Flash** | Write | String | Block Flash player in Office (Device) - Depends on Pol_SecGuide_A001_Block_Flash (block all flash activation: Block all activation, block embedded flash activation only: Block embedding/linking, allow other activation, allow all flash activation: Allow all activation) | `block all flash activation`, `block embedded flash activation only`, `allow all flash activation` | +| **Pol_SecGuide_Legacy_JScript** | Write | String | Restrict legacy JScript execution for Office (0: Disabled, 1: Enabled) | `0`, `1` | +| **POL_SG_powerpnt** | Write | SInt32 | PowerPoint: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **POL_SG_onenote** | Write | SInt32 | OneNote: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **POL_SG_mspub** | Write | SInt32 | Publisher: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **POL_SG_msaccess** | Write | SInt32 | Access: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **POL_SG_winproj** | Write | SInt32 | Project: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **POL_SG_visio** | Write | SInt32 | Visio: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **POL_SG_outlook** | Write | SInt32 | Outlook: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **POL_SG_winword** | Write | SInt32 | Word: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **POL_SG_excel** | Write | SInt32 | Excel: (Device) - Depends on Pol_SecGuide_Legacy_JScript | | +| **L_PolicyEnableSIPHighSecurityMode** | Write | String | Configure SIP security mode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_PolicyDisableHttpConnect** | Write | String | Disable HTTP fallback for SIP connection (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AddonManagement** | Write | String | Add-on Management (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_powerpntexe17** | Write | String | powerpnt.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_excelexe15** | Write | String | excel.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_visioexe19** | Write | String | visio.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe26** | Write | String | onent.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_outlookexe22** | Write | String | outlook.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe18** | Write | String | pptview.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_winwordexe21** | Write | String | winword.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe24** | Write | String | exprwd.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe23** | Write | String | spDesign.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_winprojexe20** | Write | String | winproj.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_grooveexe14** | Write | String | groove.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_mspubexe16** | Write | String | mspub.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_mse7exe27** | Write | String | mse7.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe25** | Write | String | msaccess.exe (Device) - Depends on L_AddonManagement (0: False, 1: True) | `0`, `1` | +| **L_ConsistentMimeHandling** | Write | String | Consistent Mime Handling (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_excelexe43** | Write | String | excel.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe51** | Write | String | spDesign.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe54** | Write | String | onent.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_outlookexe50** | Write | String | outlook.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe46** | Write | String | pptview.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_mspubexe44** | Write | String | mspub.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_visioexe47** | Write | String | visio.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_winprojexe48** | Write | String | winproj.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe53** | Write | String | msaccess.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe45** | Write | String | powerpnt.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_grooveexe42** | Write | String | groove.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_mse7exe55** | Write | String | mse7.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_winwordexe49** | Write | String | winword.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe52** | Write | String | exprwd.exe (Device) - Depends on L_ConsistentMimeHandling (0: False, 1: True) | `0`, `1` | +| **L_Disableusernameandpassword** | Write | String | Disable user name and password (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_excelexe127** | Write | String | excel.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_grooveexe126** | Write | String | groove.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe138** | Write | String | onent.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_mse7exe139** | Write | String | mse7.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_mspubexe128** | Write | String | mspub.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_visioexe131** | Write | String | visio.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe136** | Write | String | exprwd.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe137** | Write | String | msaccess.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe135** | Write | String | spDesign.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_winwordexe133** | Write | String | winword.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe129** | Write | String | powerpnt.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_outlookexe134** | Write | String | outlook.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_winprojexe132** | Write | String | winproj.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe130** | Write | String | pptview.exe (Device) - Depends on L_Disableusernameandpassword (0: False, 1: True) | `0`, `1` | +| **L_Informationbar** | Write | String | Information Bar (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_excelexe113** | Write | String | excel.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_mspubexe114** | Write | String | mspub.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe123** | Write | String | msaccess.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe124** | Write | String | onent.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_outlookexe120** | Write | String | outlook.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_winprojexe118** | Write | String | winproj.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe115** | Write | String | powerpnt.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe121** | Write | String | spDesign.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_grooveexe112** | Write | String | groove.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_visioexe117** | Write | String | visio.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_mse7exe125** | Write | String | mse7.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_winwordexe119** | Write | String | winword.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe122** | Write | String | exprwd.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe116** | Write | String | pptview.exe (Device) - Depends on L_Informationbar (0: False, 1: True) | `0`, `1` | +| **L_LocalMachineZoneLockdownSecurity** | Write | String | Local Machine Zone Lockdown Security (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_mse7exe41** | Write | String | mse7.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe31** | Write | String | powerpnt.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_mspubexe30** | Write | String | mspub.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_outlookexe36** | Write | String | outlook.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe32** | Write | String | pptview.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_excelexe29** | Write | String | excel.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe38** | Write | String | exprwd.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_grooveexe28** | Write | String | groove.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_winwordexe35** | Write | String | winword.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe39** | Write | String | msaccess.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe37** | Write | String | spDesign.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_visioexe33** | Write | String | visio.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe40** | Write | String | onent.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_winprojexe34** | Write | String | winproj.exe (Device) - Depends on L_LocalMachineZoneLockdownSecurity (0: False, 1: True) | `0`, `1` | +| **L_MimeSniffingSafetyFature** | Write | String | Mime Sniffing Safety Feature (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_powerpntexe59** | Write | String | powerpnt.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe66** | Write | String | exprwd.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_grooveexe56** | Write | String | groove.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_visioexe61** | Write | String | visio.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_outlookexe64** | Write | String | outlook.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_mspubexe58** | Write | String | mspub.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_mse7exe69** | Write | String | mse7.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe67** | Write | String | msaccess.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe60** | Write | String | pptview.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_winprojexe62** | Write | String | winproj.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe65** | Write | String | spDesign.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe68** | Write | String | onent.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_winwordexe63** | Write | String | winword.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_excelexe57** | Write | String | excel.exe (Device) - Depends on L_MimeSniffingSafetyFature (0: False, 1: True) | `0`, `1` | +| **L_NavigateURL** | Write | String | Navigate URL (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_spdesignexe177** | Write | String | spDesign.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe180** | Write | String | onent.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe172** | Write | String | pptview.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_outlookexe176** | Write | String | outlook.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_winprojexe174** | Write | String | winproj.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe179** | Write | String | msaccess.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_winwordexe175** | Write | String | winword.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_excelexe169** | Write | String | excel.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_mspubexe170** | Write | String | mspub.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe178** | Write | String | exprwd.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe171** | Write | String | powerpnt.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_visioexe173** | Write | String | visio.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_mse7exe181** | Write | String | mse7.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_grooveexe168** | Write | String | groove.exe (Device) - Depends on L_NavigateURL (0: False, 1: True) | `0`, `1` | +| **L_ObjectCachingProtection** | Write | String | Object Caching Protection (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_winwordexe77** | Write | String | winword.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe73** | Write | String | powerpnt.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe79** | Write | String | spDesign.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_mse7exe83** | Write | String | mse7.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_mspubexe72** | Write | String | mspub.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe81** | Write | String | msaccess.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe82** | Write | String | onent.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_outlookexe78** | Write | String | outlook.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_grooveexe70** | Write | String | groove.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_excelexe71** | Write | String | excel.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_visioexe75** | Write | String | visio.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe74** | Write | String | pptview.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_winprojexe76** | Write | String | winproj.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe80** | Write | String | exprwd.exe (Device) - Depends on L_ObjectCachingProtection (0: False, 1: True) | `0`, `1` | +| **L_ProtectionFromZoneElevation** | Write | String | Protection From Zone Elevation (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_mspubexe100** | Write | String | mspub.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_visioexe103** | Write | String | visio.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe101** | Write | String | powerpnt.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_excelexe99** | Write | String | excel.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_mse7exe111** | Write | String | mse7.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_winwordexe105** | Write | String | winword.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe108** | Write | String | exprwd.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe109** | Write | String | msaccess.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe107** | Write | String | spDesign.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe110** | Write | String | onent.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe102** | Write | String | pptview.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_winprojexe104** | Write | String | winproj.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_grooveexe98** | Write | String | groove.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_outlookexe106** | Write | String | outlook.exe (Device) - Depends on L_ProtectionFromZoneElevation (0: False, 1: True) | `0`, `1` | +| **L_RestrictActiveXInstall** | Write | String | Restrict ActiveX Install (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_mse7exe** | Write | String | mse7.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe** | Write | String | powerpnt.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_spDesignexe** | Write | String | spDesign.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe** | Write | String | onent.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_excelexe** | Write | String | excel.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_mspubexe** | Write | String | mspub.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_visioexe** | Write | String | visio.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe** | Write | String | exprwd.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_outlookexe** | Write | String | outlook.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe** | Write | String | pptview.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_winprojexe** | Write | String | winproj.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_winwordexe** | Write | String | winword.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_grooveexe** | Write | String | groove.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe** | Write | String | msaccess.exe (Device) - Depends on L_RestrictActiveXInstall (0: False, 1: True) | `0`, `1` | +| **L_RestrictFileDownload** | Write | String | Restrict File Download (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_visioexe5** | Write | String | visio.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_winprojexe6** | Write | String | winproj.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe11** | Write | String | msaccess.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe9** | Write | String | spDesign.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_excelexe1** | Write | String | excel.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe3** | Write | String | powerpnt.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_mspubexe2** | Write | String | mspub.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe10** | Write | String | exprwd.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_outlookexe8** | Write | String | outlook.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe4** | Write | String | pptview.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_winwordexe7** | Write | String | winword.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe12** | Write | String | onent.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_mse7exe13** | Write | String | mse7.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_grooveexe0** | Write | String | groove.exe (Device) - Depends on L_RestrictFileDownload (0: False, 1: True) | `0`, `1` | +| **L_SavedfromURL** | Write | String | Saved from URL (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_pptviewexe158** | Write | String | pptview.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_exprwdexe164** | Write | String | exprwd.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_mse7exe167** | Write | String | mse7.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe163** | Write | String | spDesign.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_winprojexe160** | Write | String | winproj.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_mspubexe156** | Write | String | mspub.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_visioexe159** | Write | String | visio.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_winwordexe161** | Write | String | winword.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe165** | Write | String | msaccess.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe166** | Write | String | onent.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_outlookexe162** | Write | String | outlook.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_grooveexe154** | Write | String | groove.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_excelexe155** | Write | String | excel.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe157** | Write | String | powerpnt.exe (Device) - Depends on L_SavedfromURL (0: False, 1: True) | `0`, `1` | +| **L_ScriptedWindowSecurityRestrictions** | Write | String | Scripted Window Security Restrictions (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_exprwdexe94** | Write | String | exprwd.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_mse7exe97** | Write | String | mse7.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_mspubexe86** | Write | String | mspub.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_outlookexe92** | Write | String | outlook.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_msaccessexe95** | Write | String | msaccess.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_powerpntexe87** | Write | String | powerpnt.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_grooveexe84** | Write | String | groove.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_excelexe85** | Write | String | excel.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_pptviewexe88** | Write | String | pptview.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_spdesignexe93** | Write | String | spDesign.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_visioexe89** | Write | String | visio.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_onenoteexe96** | Write | String | onent.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_winprojexe90** | Write | String | winproj.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | +| **L_winwordexe91** | Write | String | winword.exe (Device) - Depends on L_ScriptedWindowSecurityRestrictions (0: False, 1: True) | `0`, `1` | + +### MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **MicrosoftAccess_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty** | Write | String | - Depends on MicrosoftAccess_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **L_Donotshowdataextractionoptionswhenopeningcorruptworkbooks** | Write | String | Do not show data extraction options when opening corrupt workbooks (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Asktoupdateautomaticlinks** | Write | String | Ask to update automatic links (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_LoadpicturesfromWebpagesnotcreatedinExcel** | Write | String | Load pictures from Web pages not created in Excel (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DisableAutoRepublish** | Write | String | Disable AutoRepublish (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DoNotShowAutoRepublishWarningAlert** | Write | String | Do not show AutoRepublish warning alert (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Forcefileextenstionstomatch** | Write | String | Force file extension to match file type (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Forcefileextenstionstomatch_L_Empty** | Write | String | - Depends on L_Forcefileextenstionstomatch (0: Allow different, 1: Allow different, but warn, 2: Always match file type) | `0`, `1`, `2` | +| **L_DeterminewhethertoforceencryptedExcel** | Write | String | Scan encrypted macros in Excel Open XML workbooks (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DeterminewhethertoforceencryptedExcelDropID** | Write | String | - Depends on L_DeterminewhethertoforceencryptedExcel (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning) | `0`, `1`, `2` | +| **L_BlockXLLFromInternet** | Write | String | Block Excel XLL Add-ins that come from an untrusted source (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_BlockXLLFromInternetEnum** | Write | String | - Depends on L_BlockXLLFromInternet (1: Block, 0: Show Additional Warning, 2: Allow) | `1`, `0`, `2` | +| **MicrosoftExcel_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_EnableBlockUnsecureQueryFiles** | Write | String | Always prevent untrusted Microsoft Query files from opening (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DBaseIIIANDIVFiles** | Write | String | dBase III / IV files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DBaseIIIANDIVFilesDropID** | Write | String | File block setting: (User) - Depends on L_DBaseIIIANDIVFiles (0: Do not block, 2: Open/Save blocked, use open policy) | `0`, `2` | +| **L_DifAndSylkFiles** | Write | String | Dif and Sylk files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DifAndSylkFilesDropID** | Write | String | File block setting: (User) - Depends on L_DifAndSylkFiles (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy) | `0`, `1`, `2` | +| **L_Excel2MacrosheetsAndAddInFiles** | Write | String | Excel 2 macrosheets and add-in files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel2MacrosheetsAndAddInFilesDropID** | Write | String | File block setting: (User) - Depends on L_Excel2MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel2Worksheets** | Write | String | Excel 2 worksheets (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel2WorksheetsDropID** | Write | String | File block setting: (User) - Depends on L_Excel2Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel3MacrosheetsAndAddInFiles** | Write | String | Excel 3 macrosheets and add-in files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel3MacrosheetsAndAddInFilesDropID** | Write | String | File block setting: (User) - Depends on L_Excel3MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel3Worksheets** | Write | String | Excel 3 worksheets (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel3WorksheetsDropID** | Write | String | File block setting: (User) - Depends on L_Excel3Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel4MacrosheetsAndAddInFiles** | Write | String | Excel 4 macrosheets and add-in files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel4MacrosheetsAndAddInFilesDropID** | Write | String | File block setting: (User) - Depends on L_Excel4MacrosheetsAndAddInFiles (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel4Workbooks** | Write | String | Excel 4 workbooks (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel4WorkbooksDropID** | Write | String | File block setting: (User) - Depends on L_Excel4Workbooks (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel4Worksheets** | Write | String | Excel 4 worksheets (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel4WorksheetsDropID** | Write | String | File block setting: (User) - Depends on L_Excel4Worksheets (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel95Workbooks** | Write | String | Excel 95 workbooks (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel95WorkbooksDropID** | Write | String | File block setting: (User) - Depends on L_Excel95Workbooks (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **L_Excel9597WorkbooksAndTemplates** | Write | String | Excel 95-97 workbooks and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel9597WorkbooksAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Excel9597WorkbooksAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Excel972003WorkbooksAndTemplates** | Write | String | Excel 97-2003 workbooks and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Excel972003WorkbooksAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Excel972003WorkbooksAndTemplates (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior** | Write | String | Set default file block behavior (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID** | Write | String | - Depends on MicrosoftExcel_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited) | `0`, `1`, `2` | +| **L_WebPagesAndExcel2003XMLSpreadsheets** | Write | String | Web pages and Excel 2003 XML spreadsheets (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_WebPagesAndExcel2003XMLSpreadsheetsDropID** | Write | String | File block setting: (User) - Depends on L_WebPagesAndExcel2003XMLSpreadsheets (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **L_XL4KillSwitchPolicy** | Write | String | Prevent Excel from running XLM macros (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_EnableDataBaseFileProtectedView** | Write | String | Always open untrusted database files in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView** | Write | String | Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView** | Write | String | Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails** | Write | String | Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3** | Write | String | Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID** | Write | String | - Depends on MicrosoftExcel_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook** | Write | String | Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftExcel_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty4** | Write | String | - Depends on MicrosoftExcel_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable VBA macros with notification, 3: Disable VBA macros except digitally signed macros, 4: Disable VBA macros without notification, 1: Enable VBA macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftExcel_Security_L_TurnOffFileValidation** | Write | String | Turn off file validation (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_WebContentWarningLevel** | Write | String | WEBSERVICE Function Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_WebContentWarningLevelValue** | Write | String | - Depends on L_WebContentWarningLevel (0: Enable all WEBSERVICE functions (not recommended), 1: Disable all with notification, 2: Disable all without notification) | `0`, `1`, `2` | +| **L_NoExtensibilityCustomizationFromDocumentPolicy** | Write | String | Disable UI extending from documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyWord** | Write | String | Disallow in Word (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyExcel** | Write | String | Disallow in Excel (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyVisio** | Write | String | Disallow in Visio (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyPowerPoint** | Write | String | Disallow in PowerPoint (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyPublisher** | Write | String | Disallow in Publisher (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyOutlook** | Write | String | Disallow in Outlook (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyProject** | Write | String | Disallow in Project (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyAccess** | Write | String | Disallow in Access (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_NoExtensibilityCustomizationFromDocumentPolicyInfoPath** | Write | String | Disallow in InfoPath (User) - Depends on L_NoExtensibilityCustomizationFromDocumentPolicy (0: False, 1: True) | `0`, `1` | +| **L_ActiveXControlInitialization** | Write | String | ActiveX Control Initialization (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_ActiveXControlInitializationcolon** | Write | String | ActiveX Control Initialization: (User) - Depends on L_ActiveXControlInitialization (1: 1, 2: 2, 3: 3, 4: 4, 5: 5, 6: 6) | `1`, `2`, `3`, `4`, `5`, `6` | +| **L_BasicAuthProxyBehavior** | Write | String | Allow Basic Authentication prompts from network proxies (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AllowVbaIntranetRefs** | Write | String | Allow VBA to load typelib references by path from untrusted intranet locations (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AutomationSecurity** | Write | String | Automation Security (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_SettheAutomationSecuritylevel** | Write | String | Set the Automation Security level (User) - Depends on L_AutomationSecurity (3: Disable macros by default, 2: Use application macro security level, 1: Macros enabled (default)) | `3`, `2`, `1` | +| **L_AuthenticationFBABehavior** | Write | String | Control how Office handles form-based sign-in prompts (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AuthenticationFBAEnabledHostsID** | Write | String | Specify hosts allowed to show form-based sign-in prompts to users: (User) - Depends on L_AuthenticationFBABehavior | | +| **L_authenticationFBABehaviorEnum** | Write | String | Behavior: (User) - Depends on L_AuthenticationFBABehavior (1: Block all prompts, 2: Ask the user what to do for each new host, 3: Show prompts only from allowed hosts) | `1`, `2`, `3` | +| **L_DisableStrictVbaRefsSecurityPolicy** | Write | String | Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DisableallTrustBarnotificationsfor** | Write | String | Disable all Trust Bar notifications for security issues (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Encryptiontypeforirm** | Write | String | Encryption mode for Information Rights Management (IRM) (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Encryptiontypeforirmcolon** | Write | String | IRM Encryption Mode: (User) - Depends on L_Encryptiontypeforirm (1: Cipher Block Chaining (CBC), 2: Electronic Codebook (ECB)) | `1`, `2` | +| **L_Encryptiontypeforpasswordprotectedoffice972003** | Write | String | Encryption type for password protected Office 97-2003 files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_encryptiontypecolon318** | Write | String | Encryption type: (User) - Depends on L_Encryptiontypeforpasswordprotectedoffice972003 | | +| **L_Encryptiontypeforpasswordprotectedofficeopen** | Write | String | Encryption type for password protected Office Open XML files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Encryptiontypecolon** | Write | String | Encryption type: (User) - Depends on L_Encryptiontypeforpasswordprotectedofficeopen | | +| **L_LoadControlsinForms3** | Write | String | Load Controls in Forms3 (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_LoadControlsinForms3colon** | Write | String | Load Controls in Forms3: (User) - Depends on L_LoadControlsinForms3 (1: 1, 2: 2, 3: 3, 4: 4) | `1`, `2`, `3`, `4` | +| **L_MacroRuntimeScanScope** | Write | String | Macro Runtime Scan Scope (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_MacroRuntimeScanScopeEnum** | Write | String | - Depends on L_MacroRuntimeScanScope (0: Disable for all documents, 1: Enable for low trust documents, 2: Enable for all documents) | `0`, `1`, `2` | +| **L_Protectdocumentmetadataforrightsmanaged** | Write | String | Protect document metadata for rights managed Office Open XML Files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Allowmixofpolicyanduserlocations** | Write | String | Allow mix of policy and user locations (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DisabletheOfficeclientfrompolling** | Write | String | Disable the Office client from polling the SharePoint Server for published links (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DisableSmartDocumentsuseofmanifests** | Write | String | Disable Smart Document's use of manifests (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OutlookSecurityMode** | Write | String | Outlook Security Mode (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMAddressAccess** | Write | String | Configure Outlook object model prompt when reading address information (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMAddressAccess_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_OOMMeetingTaskRequest** | Write | String | Configure Outlook object model prompt when responding to meeting and task requests (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMMeetingTaskRequest_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_OOMSend** | Write | String | Configure Outlook object model prompt when sending mail (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMSend_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_Preventusersfromcustomizingattachmentsecuritysettings** | Write | String | Prevent users from customizing attachment security settings (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_RetrievingCRLsCertificateRevocationLists** | Write | String | Retrieving CRLs (Certificate Revocation Lists) (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty31** | Write | String | (0: Use system Default, 1: When online always retreive the CRL, 2: Never retreive the CRL) | `0`, `1`, `2` | +| **L_OOMFormula** | Write | String | Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMFormula_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_AuthenticationwithExchangeServer** | Write | String | Authentication with Exchange Server (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_SelecttheauthenticationwithExchangeserver** | Write | String | Select the authentication with Exchange server. (User) (9: Kerberos/NTLM Password Authentication, 16: Kerberos Password Authentication, 10: NTLM Password Authentication, 2147545088: Insert a smart card) | `9`, `16`, `10`, `2147545088` | +| **L_EnableRPCEncryption** | Write | String | Enable RPC encryption (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Enablelinksinemailmessages** | Write | String | Allow hyperlinks in suspected phishing e-mail messages (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMAddressBook** | Write | String | Configure Outlook object model prompt when accessing an address book (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMAddressBook_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_OutlookSecurityPolicy** | Write | String | Outlook Security Policy: (User) - Depends on L_OutlookSecurityMode (0: Outlook Default Security, 1: Use Security Form from 'Outlook Security Settings' Public Folder, 2: Use Security Form from 'Outlook 10 Security Settings' Public Folder, 3: Use Outlook Security Group Policy) | `0`, `1`, `2`, `3` | +| **L_AllowUsersToLowerAttachments** | Write | String | Allow users to demote attachments to Level 2 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AllowActiveXOneOffForms** | Write | String | Allow Active X One Off Forms (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty29** | Write | String | Sets which ActiveX controls to allow. (0: Load only Outlook Controls, 1: Allows only Safe Controls, 2: Allows all ActiveX Controls) | `0`, `1`, `2` | +| **L_EnableScriptsInOneOffForms** | Write | String | Allow scripts in one-off Outlook forms (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Level2RemoveFilePolicy** | Write | String | Remove file extensions blocked as Level 2 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_removedextensions25** | Write | String | Removed Extensions: (User) | | +| **L_MSGUnicodeformatwhendraggingtofilesystem** | Write | String | Use Unicode format when dragging e-mail message to file system (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OnExecuteCustomActionOOM** | Write | String | Set Outlook object model custom actions execution prompt (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OnExecuteCustomActionOOM_Setting** | Write | String | When executing a custom action: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_DisableOutlookobjectmodelscriptsforpublicfolders** | Write | String | Do not allow Outlook object model scripts to run for public folders (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_BlockInternet** | Write | String | Include Internet in Safe Zones for Automatic Picture Download (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_SecurityLevelOutlook** | Write | String | Security setting for macros (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_SecurityLevel** | Write | String | Security Level (User) (2: Always warn, 4: Never warn, disable all, 3: Warn for signed, disable unsigned, 1: No security check) | `2`, `4`, `3`, `1` | +| **L_Level1RemoveFilePolicy** | Write | String | Remove file extensions blocked as Level 1 (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_RemovedExtensions** | Write | String | Removed Extensions: (User) | | +| **L_SignatureWarning** | Write | String | Signature Warning (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_signaturewarning30** | Write | String | Signature Warning (User) (0: Let user decide if they want to be warned, 1: Always warn about invalid signatures, 2: Never warn about invalid signatures) | `0`, `1`, `2` | +| **L_Level1Attachments** | Write | String | Display Level 1 attachments (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Minimumencryptionsettings** | Write | String | Minimum encryption settings (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Minimumkeysizeinbits** | Write | SInt32 | Minimum key size (in bits): (User) | | +| **L_DisableOutlookobjectmodelscripts** | Write | String | Do not allow Outlook object model scripts to run for shared folders (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMSaveAs** | Write | String | Configure Outlook object model prompt when executing Save As (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_OOMSaveAs_Setting** | Write | String | Guard behavior: (User) (1: Prompt User, 2: Automatically Approve, 0: Automatically Deny, 3: Prompt user based on computer security) | `1`, `2`, `0`, `3` | +| **L_JunkEmailprotectionlevel** | Write | String | Junk E-mail protection level (User) - Depends on L_OutlookSecurityMode (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Selectlevel** | Write | String | Select level: (User) (4294967295: No Protection, 6: Low (Default), 3: High, 2147483648: Trusted Lists Only) | `4294967295`, `6`, `3`, `2147483648` | +| **L_RunPrograms** | Write | String | Run Programs (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_RunPrograms_L_Empty** | Write | String | - Depends on L_RunPrograms (0: disable (don't run any programs), 1: enable (prompt user before running), 2: enable all (run without prompting)) | `0`, `1`, `2` | +| **L_Determinewhethertoforceencryptedppt** | Write | String | Scan encrypted macros in PowerPoint Open XML presentations (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DeterminewhethertoforceencryptedpptDropID** | Write | String | - Depends on L_Determinewhethertoforceencryptedppt (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning) | `0`, `1`, `2` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles** | Write | String | PowerPoint 97-2003 presentations, shows, templates and add-in files (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_PowerPoint972003PresentationsShowsTemplatesandAddInFilesDropID** | Write | String | File block setting: (User) - Depends on L_PowerPoint972003PresentationsShowsTemplatesandAddInFiles (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior** | Write | String | Set default file block behavior (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID** | Write | String | - Depends on MicrosoftPowerPoint_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited) | `0`, `1`, `2` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView** | Write | String | Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView** | Write | String | Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails** | Write | String | Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3** | Write | String | Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID** | Write | String | - Depends on MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook** | Write | String | Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftPowerPoint_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty3** | Write | String | - Depends on MicrosoftPowerPoint_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftPowerPoint_Security_L_TurnOffFileValidation** | Write | String | Turn off file validation (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftProject_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty** | Write | String | - Depends on MicrosoftProject_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **L_PublisherAutomationSecurityLevel** | Write | String | Publisher Automation Security Level (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_PublisherAutomationSecurityLevel_L_Empty** | Write | String | - Depends on L_PublisherAutomationSecurityLevel (1: Low (enabled), 2: By UI (prompted), 3: High (disabled)) | `1`, `2`, `3` | +| **MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPublisherV2_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins (User) - Depends on MicrosoftPublisherV2_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty0** | Write | String | - Depends on MicrosoftPublisherV2_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Visio2000Files** | Write | String | Visio 2000-2002 Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Visio2000FilesDropID** | Write | String | File block setting: (User) - Depends on L_Visio2000Files (0: Do not block, 2: Open/Save blocked) | `0`, `2` | +| **L_Visio2003Files** | Write | String | Visio 2003-2010 Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Visio2003FilesDropID** | Write | String | File block setting: (User) - Depends on L_Visio2003Files (0: Do not block, 1: Save blocked, 2: Open/Save blocked) | `0`, `1`, `2` | +| **L_Visio50AndEarlierFiles** | Write | String | Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Visio50AndEarlierFilesDropID** | Write | String | File block setting: (User) - Depends on L_Visio50AndEarlierFiles (0: Do not block, 2: Open/Save blocked) | `0`, `2` | +| **MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftVisio_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty** | Write | String | - Depends on MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftWord_Security_TrustCenter_L_BlockMacroExecutionFromInternet** | Write | String | Block macros from running in Office files from the Internet (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) (Deprecated) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AllowDDE** | Write | String | Dynamic Data Exchange (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_AllowDDEDropID** | Write | String | Dynamic Data Exchange setting (User) - Depends on L_AllowDDE (1: Limited Dynamic Data Exchange, 2: Allow Dynamic Data Exchange) | `1`, `2` | +| **MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior** | Write | String | Set default file block behavior (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehaviorDropID** | Write | String | - Depends on MicrosoftWord_Security_TrustCenterFileBlockSettings_L_SetDefaultFileBlockBehavior (0: Blocked files are not opened, 1: Blocked files open in Protected View and can not be edited, 2: Blocked files open in Protected View and can be edited) | `0`, `1`, `2` | +| **L_Word2AndEarlierBinaryDocumentsAndTemplates** | Write | String | Word 2 and earlier binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word2AndEarlierBinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word2AndEarlierBinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word2000BinaryDocumentsAndTemplates** | Write | String | Word 2000 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word2000BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word2000BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word2003BinaryDocumentsAndTemplates** | Write | String | Word 2003 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word2003BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word2003BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word2007AndLaterBinaryDocumentsAndTemplates** | Write | String | Word 2007 and later binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word2007AndLaterBinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word2007AndLaterBinaryDocumentsAndTemplates (0: Do not block, 1: Save blocked, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `1`, `2`, `3`, `4`, `5` | +| **L_Word6Pt0BinaryDocumentsAndTemplates** | Write | String | Word 6.0 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word6Pt0BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word6Pt0BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word95BinaryDocumentsAndTemplates** | Write | String | Word 95 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word95BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word95BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_Word97BinaryDocumentsAndTemplates** | Write | String | Word 97 binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_Word97BinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_Word97BinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **L_WordXPBinaryDocumentsAndTemplates** | Write | String | Word XP binary documents and templates (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_WordXPBinaryDocumentsAndTemplatesDropID** | Write | String | File block setting: (User) - Depends on L_WordXPBinaryDocumentsAndTemplates (0: Do not block, 2: Open/Save blocked, use open policy, 3: Block, 4: Open in Protected View, 5: Allow editing and open in Protected View) | `0`, `2`, `3`, `4`, `5` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesFromTheInternetZoneInProtectedView** | Write | String | Do not open files from the Internet zone in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_DoNotOpenFilesInUnsafeLocationsInProtectedView** | Write | String | Do not open files in unsafe locations in Protected View (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails** | Write | String | Set document behavior if file validation fails (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsDropID** | Write | String | - Depends on MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: Block files, 1: Open in Protected View) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFailsStr3** | Write | String | Checked: Allow edit. Unchecked: Do not allow edit. (User) - Depends on MicrosoftWord_Security_TrustCenterProtectedView_L_SetDocumentBehaviorIfFileValidationFails (0: False, 1: True) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterProtectedView_L_TurnOffProtectedViewForAttachmentsOpenedFromOutlook** | Write | String | Turn off Protected View for attachments opened from Outlook (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned** | Write | String | Require that application add-ins are signed by Trusted Publisher (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenter_L_DisableTrustBarNotificationforunsigned_v2** | Write | String | Disable Trust Bar Notification for unsigned application add-ins and block them (User) - Depends on MicrosoftWord_Security_TrustCenter_L_RequirethatApplicationExtensionsaresigned (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DeterminewhethertoforceencryptedWord** | Write | String | Scan encrypted macros in Word Open XML documents (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_DeterminewhethertoforceencryptedWordDropID** | Write | String | - Depends on L_DeterminewhethertoforceencryptedWord (0: Scan encrypted macros (default), 1: Scan if anti-virus software available, 2: Load macros without scanning) | `0`, `1`, `2` | +| **MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy** | Write | String | VBA Macro Notification Settings (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **L_empty19** | Write | String | - Depends on MicrosoftWord_Security_TrustCenter_L_VBAWarningsPolicy (2: Disable all with notification, 3: Disable all except digitally signed macros, 4: Disable all without notification, 1: Enable all macros (not recommended)) | `2`, `3`, `4`, `1` | +| **MicrosoftWord_Security_L_TurnOffFileValidation** | Write | String | Turn off file validation (User) (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftWord_Security_TrustCenterTrustedLocations_L_AllowTrustedLocationsOnTheNetwork** | Write | String | Allow Trusted Locations on the network (User) (0: Disabled, 1: Enabled) | `0`, `1` | + + +## Description + +Intune Security Baseline Microsoft365 Apps For Enterprise + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + L_powerpntexe101 = '1' + L_pptviewexe102 = '1' + L_visioexe103 = '1' + L_winprojexe104 = '1' + L_winwordexe105 = '1' + L_outlookexe106 = '1' + L_spdesignexe107 = '1' + L_exprwdexe108 = '1' + L_msaccessexe109 = '1' + L_onenoteexe110 = '1' + L_mse7exe111 = '1' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '3' + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + L_ProtectionFromZoneElevation = '1' + L_grooveexe98 = '1' + L_excelexe99 = '1' + L_mspubexe100 = '1' + L_powerpntexe101 = '1' + L_pptviewexe102 = '1' + L_visioexe103 = '1' + L_winprojexe104 = '1' + L_winwordexe105 = '1' + L_outlookexe106 = '1' + L_spdesignexe107 = '1' + L_exprwdexe108 = '1' + L_msaccessexe109 = '1' + L_onenoteexe110 = '1' + L_mse7exe111 = '1' + } + UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineMicrosoft365AppsForEnterprise + { + MicrosoftPublisherV3_Security_TrustCenter_L_BlockMacroExecutionFromInternet = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy = '1' + MicrosoftVisio_Security_TrustCenter_L_VBAWarningsPolicy_L_Empty = '2' # Updated property + } + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoft365AppsForEnterprise 'mySecurityBaselineMicrosoft365AppsForEnterprisePolicy' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md new file mode 100644 index 0000000000..439264f0bc --- /dev/null +++ b/docs/docs/resources/intune/IntuneSecurityBaselineMicrosoftEdge.md @@ -0,0 +1,206 @@ +# IntuneSecurityBaselineMicrosoftEdge + +## Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **Description** | Write | String | Policy description | | +| **DisplayName** | Key | String | Policy name | | +| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tags for this Entity instance. | | +| **Id** | Write | String | The unique identifier for an entity. Read-only. | | +| **InternetExplorerIntegrationReloadInIEModeAllowed** | Write | String | Allow unconfigured sites to be reloaded in Internet Explorer mode (0: Disabled, 1: Enabled) | `0`, `1` | +| **SSLErrorOverrideAllowed** | Write | String | Allow users to proceed from the HTTPS warning page (0: Disabled, 1: Enabled) | `0`, `1` | +| **InternetExplorerIntegrationZoneIdentifierMhtFileAllowed** | Write | String | Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode (0: Disabled, 1: Enabled) | `0`, `1` | +| **BrowserLegacyExtensionPointsBlockingEnabled** | Write | String | Enable browser legacy extension point blocking (0: Disabled, 1: Enabled) | `0`, `1` | +| **SitePerProcess** | Write | String | Enable site isolation for every site (0: Disabled, 1: Enabled) | `0`, `1` | +| **EdgeEnhanceImagesEnabled** | Write | String | Enhance images enabled (0: Disabled, 1: Enabled) | `0`, `1` | +| **ExtensionInstallBlocklist** | Write | String | Control which extensions cannot be installed (0: Disabled, 1: Enabled) | `0`, `1` | +| **ExtensionInstallBlocklistDesc** | Write | StringArray[] | Extension IDs the user should be prevented from installing (or * for all) (Device) - Depends on ExtensionInstallBlocklist | | +| **WebSQLAccess** | Write | String | Force WebSQL to be enabled (0: Disabled, 1: Enabled) | `0`, `1` | +| **BasicAuthOverHttpEnabled** | Write | String | Allow Basic authentication for HTTP (0: Disabled, 1: Enabled) | `0`, `1` | +| **MicrosoftEdge_HTTPAuthentication_AuthSchemes** | Write | String | Supported authentication schemes (0: Disabled, 1: Enabled) | `0`, `1` | +| **authschemes** | Write | String | Supported authentication schemes (Device) - Depends on MicrosoftEdge_HTTPAuthentication_AuthSchemes | | +| **NativeMessagingUserLevelHosts** | Write | String | Allow user-level native messaging hosts (installed without admin permissions) (0: Disabled, 1: Enabled) | `0`, `1` | +| **InsecurePrivateNetworkRequestsAllowed** | Write | String | Specifies whether to allow insecure websites to make requests to more-private network endpoints (0: Disabled, 1: Enabled) | `0`, `1` | +| **InternetExplorerModeToolbarButtonEnabled** | Write | String | Show the Reload in Internet Explorer mode button in the toolbar (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenEnabled** | Write | String | Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled) | `0`, `1` | +| **SmartScreenPuaEnabled** | Write | String | Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled) | `0`, `1` | +| **PreventSmartScreenPromptOverride** | Write | String | Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled) | `0`, `1` | +| **PreventSmartScreenPromptOverrideForFiles** | Write | String | Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled) | `0`, `1` | +| **SharedArrayBufferUnrestrictedAccessAllowed** | Write | String | Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context (0: Disabled, 1: Enabled) | `0`, `1` | +| **TyposquattingCheckerEnabled** | Write | String | Configure Edge TyposquattingChecker (0: Disabled, 1: Enabled) | `0`, `1` | +| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | | +| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` | +| **Credential** | Write | PSCredential | Credentials of the Admin | | +| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | | +| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | | +| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | | +| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | | +| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | | +| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | | + +### MSFT_DeviceManagementConfigurationPolicyAssignments + +#### Parameters + +| Parameter | Attribute | DataType | Description | Allowed Values | +| --- | --- | --- | --- | --- | +| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` | +| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` | +| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | | +| **groupId** | Write | String | The group Id that is the target of the assignment. | | +| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | | +| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | | + + +## Description + +Intune Security Baseline Microsoft Edge + +## Permissions + +### Microsoft Graph + +To authenticate with the Microsoft Graph API, this resource required the following permissions: + +#### Delegated permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +#### Application permissions + +- **Read** + + - DeviceManagementConfiguration.Read.All + +- **Update** + + - DeviceManagementConfiguration.ReadWrite.All + +## Examples + +### Example 1 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + InsecurePrivateNetworkRequestsAllowed = "0"; + InternetExplorerIntegrationReloadInIEModeAllowed = "0"; + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0"; + InternetExplorerModeToolbarButtonEnabled = "0"; + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 2 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + InsecurePrivateNetworkRequestsAllowed = "0"; + InternetExplorerIntegrationReloadInIEModeAllowed = "0"; + InternetExplorerIntegrationZoneIdentifierMhtFileAllowed = "0"; + InternetExplorerModeToolbarButtonEnabled = "1"; # Drift + Ensure = 'Present' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + +### Example 3 + +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. + +```powershell +Configuration Example +{ + param( + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.String] + $CertificateThumbprint + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneSecurityBaselineMicrosoftEdge 'mySecurityBaselineMicrosoftEdge' + { + DisplayName = 'test' + Ensure = 'Absent' + ApplicationId = $ApplicationId; + TenantId = $TenantId; + CertificateThumbprint = $CertificateThumbprint; + } + } +} +``` + diff --git a/docs/docs/resources/teams/TeamsUpgradePolicy.md b/docs/docs/resources/teams/TeamsUpgradePolicy.md index f06cf2599e..e27774070c 100644 --- a/docs/docs/resources/teams/TeamsUpgradePolicy.md +++ b/docs/docs/resources/teams/TeamsUpgradePolicy.md @@ -5,7 +5,7 @@ | Parameter | Attribute | DataType | Description | Allowed Values | | --- | --- | --- | --- | --- | | **Identity** | Key | String | Identity of the Teams Upgrade Policy. | | -| **Users** | Write | StringArray[] | List of users that will be granted the Upgrade Policy to. | | +| **Users** | Write | StringArray[] | List of users that will be granted the Upgrade Policy to. Use value * to apply the policy globally. | | | **MigrateMeetingsToTeams** | Write | Boolean | Specifies whether to move existing Skype for Business meetings organized by the user to Teams. This parameter can only be true if the mode of the specified policy instance is either TeamsOnly or SfBWithTeamsCollabAndMeetings, and if the policy instance is being granted to a specific user. It not possible to trigger meeting migration when granting TeamsUpgradePolicy to the entire tenant. | | | **Credential** | Write | PSCredential | Credentials of the Teams Admin | | | **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |