IntuneEndpointSecurityDiskEncryptionPolicyWindows10: New resource proposal #4050

Closed
ricmestre opened this issue Dec 15, 2023 · 1 comment · Fixed by #4869 or #4902
Labels
Enhancement New feature or request Intune

Comments

@ricmestre
Contributor

Description

This resource would be used to export/apply Disk Encryption policy for Windows10

Link to manage this policy through Intune admin portal is https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/diskencryption

Proposed properties

All

Special considerations or limitations

Cmdlet: {Get,Update,Remove}-MgBetaDeviceManagementConfigurationPolicy
Filter: templateReference/TemplateFamily eq 'endpointSecurityDiskEncryption'

@malauter added the Enhancement (New feature or request) and Intune labels on Jan 2, 2024
@AnthonyKersten

As a workaround, I was able to work around this and deploy it like this.
Alter the following script to match your needs.

Configuration EnsureBitlockerPolicy {
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node "localhost" {
        Script BitlockerPolicy {
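            GetScript = {
                # ID of the policy to look for; change it to match your tenant
                $policyId = "f2e1a6ad-318a-491c-a9bb-da378174654d"
                $existingPolicy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -ErrorAction SilentlyContinue
                # A Script resource's GetScript must return a hashtable with a Result key
                @{ Result = [string]($existingPolicy.value | Where-Object { $_.id -eq $policyId }).name }
            }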
            TestScript = {
                $policyId = "f2e1a6ad-318a-491c-a9bb-da378174654d"
                $existingPolicy = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -ErrorAction SilentlyContinue
                $policy = $existingPolicy.value | Where-Object { $_.id -eq $policyId }
                if ($null -eq $policy) {
                    $false
                } else {
                    $true
                }
            }
            SetScript = {
                $newPolicyData = @{
                    technologies = "mdm"
                    description = ""
                    roleScopeTagIds = @("0")
                    templateReference = @{
                        templateFamily = "endpointSecurityDiskEncryption"
                        templateDisplayName = "BitLocker"
                        templateDisplayVersion = "Version 1"
                        templateId = "46ddfc50-d10f-4867-b852-9434254b3bff_1"
                    }
                    priorityMetaData = $null
                    creationSource = $null
                    name = "Default Bitlocker"
                    platforms = "windows10"
                    settingCount = 2
                    settings = @(
                        @{
                            settingInstance = @{
                                "@odata.type" = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance"
                                settingDefinitionId = "device_vendor_msft_bitlocker_requiredeviceencryption"
                                settingInstanceTemplateReference = @{
                                    settingInstanceTemplateId = "20ec1f6e-0d7a-4b6f-9a4f-9ed33e69ce51"
                                }
                                choiceSettingValue = @{
                                    children = @()
                                    settingValueTemplateReference = @{
                                        useTemplateDefault = $false
                                        settingValueTemplateId = "86da5fa5-67cf-48d1-8215-8787a9900ae6"
                                    }
                                    value = "device_vendor_msft_bitlocker_requiredeviceencryption_1"
                                }
                            }
                            id = "0"
                        },
                        @{
                            settingInstance = @{
                                "@odata.type" = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance"
                                settingDefinitionId = "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption"
                                settingInstanceTemplateReference = @{
                                    settingInstanceTemplateId = "e40531ee-2225-406b-b07b-1c17186c088c"
                                }
                                choiceSettingValue = @{
                                    children = @(
                                        @{
                                            "@odata.type" = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance"
                                            settingDefinitionId = "device_vendor_msft_bitlocker_allowstandarduserencryption"
                                            settingInstanceTemplateReference = $null
                                            choiceSettingValue = @{
                                                children = @()
                                                settingValueTemplateReference = $null
                                                value = "device_vendor_msft_bitlocker_allowstandarduserencryption_1"
                                            }
                                        }
                                    )
                                    settingValueTemplateReference = @{
                                        useTemplateDefault = $false
                                        settingValueTemplateId = "7d348597-0f2a-43db-9fad-8b55c4f89bfe"
                                    }
                                    value = "device_vendor_msft_bitlocker_allowwarningforotherdiskencryption_0"
                                }
                            }
                            id = "1"
                        }
                    )
                }
                $jsonBody = $newPolicyData | ConvertTo-Json -Depth 10
                Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies" -Body $jsonBody -ContentType "application/json"
            }
        }

    }
}

# Apply the configuration
EnsureBitlockerPolicy -OutputPath "C:\DSC\EnsureBitlockerPolicy"
Start-DscConfiguration -Path "C:\DSC\EnsureBitlockerPolicy" -Wait -Verbose -Force
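
An idempotent existence check for a script like the one above, as an added example that is not part of the original comment or the project's code: it uses the filter from the issue description and matches on the policy name, because Graph assigns the id when a policy is created. `Get-DiskEncryptionPolicy` and `Test-DiskEncryptionPolicy` are hypothetical names, and the sample policies are constructed.

```powershell
# Added example; function names are hypothetical and not from the issue or the project.
$BaseUri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'

function Get-DiskEncryptionPolicy {
    # Requires an existing Connect-MgGraph session. Follows @odata.nextLink so
    # policies beyond the first page are not missed, and stops on a Graph error
    # instead of treating a failed call as "policy absent".
    $uri = $BaseUri + "?`$filter=templateReference/TemplateFamily eq 'endpointSecurityDiskEncryption'"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -ErrorAction Stop
        $page.value
        $uri = $page.'@odata.nextLink'
    }
}

function Test-DiskEncryptionPolicy {
    # Returns $true only when exactly one policy with the given name exists.
    param(
        [AllowNull()][AllowEmptyCollection()][object[]]$Policy,
        [Parameter(Mandatory)][string]$Name
    )
    $found = @($Policy | Where-Object { $_.name -eq $Name })
    if ($found.Count -gt 1) {
        # Repeated POSTs of the same body leave several policies with one name.
        Write-Warning "$($found.Count) policies named '$Name'; remove the duplicates."
    }
    return ($found.Count -eq 1)
}

# Constructed sample shaped like the 'value' array Graph returns (ids are placeholders).
$sample = @(
    @{ id = '00000000-0000-0000-0000-000000000001'; name = 'Default Bitlocker' },
    @{ id = '00000000-0000-0000-0000-000000000002'; name = 'Pilot Bitlocker' }
)
Test-DiskEncryptionPolicy -Policy $sample -Name 'Default Bitlocker'
Test-DiskEncryptionPolicy -Policy @() -Name 'Default Bitlocker'

# Against a tenant, inside a TestScript block:
# Test-DiskEncryptionPolicy -Policy @(Get-DiskEncryptionPolicy) -Name 'Default Bitlocker'
```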
