DSCResources/MSFT_IntuneASRRulesPolicyWindows10/MSFT_IntuneASRRulesPolicyWindows10.psm1
|
function Get-TargetResource { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param ( [Parameter(Mandatory = $True)] [System.String] $Identity, [Parameter()] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ProcessCreationType, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode')] [System.String] $AdvancedRansomewareProtectionType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $BlockPersistenceThroughWmiType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ScriptObfuscatedMacroCodeType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeMacroCodeAllowWin32ImportsType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsLaunchChildProcessType, [Parameter()] [ValidateSet('userDefined', 'enable', 'auditMode', 'blockDiskModification', 'auditDiskModification')] [System.String] $GuardMyFoldersType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $UntrustedUSBProcessType, [Parameter()] [System.String[]] $AttackSurfaceReductionExcludedPaths, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $UntrustedExecutableType, [Parameter()] [ValidateSet('notConfigured', 'enable', 'auditMode', 'warn', 'disable')] [System.String] $OfficeCommunicationAppsLaunchChildProcess, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $EmailContentExecutionType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ScriptDownloadedPayloadExecutionType, [Parameter()] [System.String[]] $AdditionalGuardedFolders, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode', 'warn')] [System.String] $AdobeReaderLaunchChildProcess, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsExecutableContentCreationOrLaunchType, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode', 'warn')] [System.String] $PreventCredentialStealingType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsOtherProcessInjectionType, [Parameter()] [System.String[]] $GuardedFoldersAllowedAppPaths, [Parameter(Mandatory = $True)] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity ) Write-Verbose -Message "Checking for the Intune Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters ` -ProfileName 'beta' -ErrorAction Stop $context = Get-MgContext if ($null -eq $context) { $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters -ProfileName 'beta' -ErrorAction Stop } Write-Verbose -Message 'Select-MgProfile' #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $nullResult = $PSBoundParameters $nullResult.Ensure = 'Absent' try { #Retrieve policy general settings try { $policy = Get-MgDeviceManagementIntent -DeviceManagementIntentId $Identity -ErrorAction Stop } catch { Write-Verbose -Message "No Endpoint Protection Attack Surface Protection rules Policy {$DisplayName} was found" return $nullResult } if ($null -eq $policy) { Write-Verbose -Message "No Endpoint Protection Attack Surface Protection rules Policy {$DisplayName} was found" return $nullResult } #Retrieve policy specific settings [array]$settings = Get-MgDeviceManagementIntentSetting ` -DeviceManagementIntentId $Identity ` -ErrorAction Stop $definitionIdPrefix = 'windows10EndpointProtectionConfiguration_defender' $returnHashtable = @{} $returnHashtable.Add('Identity', $Identity) $returnHashtable.Add('DisplayName', $policy.DisplayName) $returnHashtable.Add('Description', $policy.Description) foreach ($setting in $settings) { $settingName = $setting.definitionId.replace("deviceConfiguration--$definitionIdPrefix", '') $settingValue = ($settings | Where-Object ` -FilterScript { $_.DefinitionId -like "*$settingName" }).ValueJson | ConvertFrom-Json $returnHashtable.Add($settingName, $settingValue) } Write-Verbose -Message "Found Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" $returnHashtable.Add('Ensure', 'Present') $returnHashtable.Add('Credential', $Credential) $returnHashtable.Add('ApplicationId', $ApplicationId) $returnHashtable.Add('TenantId', $TenantId) $returnHashtable.Add('ApplicationSecret', $ApplicationSecret) $returnHashtable.Add('CertificateThumbprint', $CertificateThumbprint) $returnHashtable.Add('ManagedIdentity', $ManagedIdentity.IsPresent) return $returnHashtable } catch { try { Write-Verbose -Message $_ $tenantIdValue = '' $tenantIdValue = $Credential.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } catch { Write-Verbose -Message $_ } return $nullResult } } function Set-TargetResource { [CmdletBinding()] param ( [Parameter(Mandatory = $True)] [System.String] $Identity, [Parameter()] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ProcessCreationType, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode')] [System.String] $AdvancedRansomewareProtectionType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $BlockPersistenceThroughWmiType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ScriptObfuscatedMacroCodeType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeMacroCodeAllowWin32ImportsType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsLaunchChildProcessType, [Parameter()] [ValidateSet('userDefined', 'enable', 'auditMode', 'blockDiskModification', 'auditDiskModification')] [System.String] $GuardMyFoldersType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $UntrustedUSBProcessType, [Parameter()] [System.String[]] $AttackSurfaceReductionExcludedPaths, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $UntrustedExecutableType, [Parameter()] [ValidateSet('notConfigured', 'enable', 'auditMode', 'warn', 'disable')] [System.String] $OfficeCommunicationAppsLaunchChildProcess, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $EmailContentExecutionType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ScriptDownloadedPayloadExecutionType, [Parameter()] [System.String[]] $AdditionalGuardedFolders, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode', 'warn')] [System.String] $AdobeReaderLaunchChildProcess, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsExecutableContentCreationOrLaunchType, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode', 'warn')] [System.String] $PreventCredentialStealingType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsOtherProcessInjectionType, [Parameter()] [System.String[]] $GuardedFoldersAllowedAppPaths, [Parameter(Mandatory = $True)] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters ` -ProfileName 'beta' Select-MgProfile -Name 'beta' #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $currentPolicy = Get-TargetResource @PSBoundParameters $PSBoundParameters.Remove('Ensure') | Out-Null $PSBoundParameters.Remove('Credential') | Out-Null $PSBoundParameters.Remove('ApplicationId') | Out-Null $PSBoundParameters.Remove('TenantId') | Out-Null $PSBoundParameters.Remove('ApplicationSecret') | Out-Null $PSBoundParameters.Remove('CertificateThumbprint') | Out-Null $PSBoundParameters.Remove('ManagedIdentity') | Out-Null $policyTemplateID = '0e237410-1367-4844-bd7f-15fb0f08943b' $definitionIdPrefix = 'windows10EndpointProtectionConfiguration_defender' if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Absent') { Write-Verbose -Message "Creating new Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" $PSBoundParameters.Remove('Identity') | Out-Null $PSBoundParameters.Remove('DisplayName') | Out-Null $PSBoundParameters.Remove('Description') | Out-Null $settings = Get-M365DSCIntuneDeviceConfigurationSettings ` -Properties ([System.Collections.Hashtable]$PSBoundParameters) ` -DefinitionIdPrefix $definitionIdPrefix New-MgDeviceManagementIntent -DisplayName $DisplayName ` -Description $Description ` -TemplateId $policyTemplateID ` -Settings $settings } elseif ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Updating existing Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" $PSBoundParameters.Remove('Identity') | Out-Null $PSBoundParameters.Remove('DisplayName') | Out-Null $PSBoundParameters.Remove('Description') | Out-Null $settings = Get-M365DSCIntuneDeviceConfigurationSettings ` -Properties ([System.Collections.Hashtable]$PSBoundParameters) ` -DefinitionIdPrefix $definitionIdPrefix Update-MgDeviceManagementIntent -ErrorAction Stop ` -DisplayName $DisplayName ` -Description $Description ` -DeviceManagementIntentId $Identity $currentSettings = Get-MgDeviceManagementIntentSetting ` -DeviceManagementIntentId $Identity ` -ErrorAction Stop foreach ($setting in $settings) { $mySetting = $currentSettings | Where-Object{ $_.DefinitionId -eq $setting.DefinitionId } $setting.add('id', $mySetting.Id) } $Uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$Identity/updateSettings" $body = @{'settings' = $settings } Write-Verbose -Message ($body | ConvertTo-Json -Depth 20) Invoke-MgGraphRequest -Method POST -Uri $Uri -Body ($body | ConvertTo-Json -Depth 20) -ContentType 'application/json' -ErrorAction Stop } elseif ($Ensure -eq 'Absent' -and $currentPolicy.Ensure -eq 'Present') { Write-Verbose -Message "Removing Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" Remove-MgDeviceManagementIntent -DeviceManagementIntentId $Identity -Confirm:$false -ErrorAction Stop } } function Test-TargetResource { [CmdletBinding()] [OutputType([System.Boolean])] param ( [Parameter(Mandatory = $True)] [System.String] $Identity, [Parameter()] [System.String] $DisplayName, [Parameter()] [System.String] $Description, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ProcessCreationType, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode')] [System.String] $AdvancedRansomewareProtectionType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $BlockPersistenceThroughWmiType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ScriptObfuscatedMacroCodeType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeMacroCodeAllowWin32ImportsType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsLaunchChildProcessType, [Parameter()] [ValidateSet('userDefined', 'enable', 'auditMode', 'blockDiskModification', 'auditDiskModification')] [System.String] $GuardMyFoldersType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $UntrustedUSBProcessType, [Parameter()] [System.String[]] $AttackSurfaceReductionExcludedPaths, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $UntrustedExecutableType, [Parameter()] [ValidateSet('notConfigured', 'enable', 'auditMode', 'warn', 'disable')] [System.String] $OfficeCommunicationAppsLaunchChildProcess, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $EmailContentExecutionType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $ScriptDownloadedPayloadExecutionType, [Parameter()] [System.String[]] $AdditionalGuardedFolders, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode', 'warn')] [System.String] $AdobeReaderLaunchChildProcess, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsExecutableContentCreationOrLaunchType, [Parameter()] [ValidateSet('notConfigured', 'userDefined', 'enable', 'auditMode', 'warn')] [System.String] $PreventCredentialStealingType, [Parameter()] [ValidateSet('userDefined', 'block', 'auditMode', 'warn', 'disable')] [System.String] $OfficeAppsOtherProcessInjectionType, [Parameter()] [System.String[]] $GuardedFoldersAllowedAppPaths, [Parameter(Mandatory = $True)] [System.String] [ValidateSet('Absent', 'Present')] $Ensure = 'Present', [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity ) #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion Write-Verbose -Message "Testing configuration of Endpoint Protection Attack Surface Protection rules Policy {$DisplayName}" $CurrentValues = Get-TargetResource @PSBoundParameters Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)" $ValuesToCheck = $PSBoundParameters $ValuesToCheck.Remove('Credential') | Out-Null $ValuesToCheck.Remove('ApplicationId') | Out-Null $ValuesToCheck.Remove('TenantId') | Out-Null $ValuesToCheck.Remove('ApplicationSecret') | Out-Null $TestResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` -Source $($MyInvocation.MyCommand.Source) ` -DesiredValues $PSBoundParameters ` -ValuesToCheck $ValuesToCheck.Keys Write-Verbose -Message "Test-TargetResource returned $TestResult" return $TestResult } function Export-TargetResource { [CmdletBinding()] [OutputType([System.String])] param ( [Parameter()] [System.String] $Filter, [Parameter()] [System.Management.Automation.PSCredential] $Credential, [Parameter()] [System.String] $ApplicationId, [Parameter()] [System.String] $TenantId, [Parameter()] [System.Management.Automation.PSCredential] $ApplicationSecret, [Parameter()] [System.String] $CertificateThumbprint, [Parameter()] [Switch] $ManagedIdentity ) $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` -InboundParameters $PSBoundParameters ` -SkipModuleReload:$true Select-MgProfile -Name 'Beta' #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies #region Telemetry $ResourceName = $MyInvocation.MyCommand.ModuleName -replace 'MSFT_', '' $CommandName = $MyInvocation.MyCommand $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` -CommandName $CommandName ` -Parameters $PSBoundParameters Add-M365DSCTelemetryEvent -Data $data #endregion $dscContent = '' $i = 1 try { $policyTemplateID = '0e237410-1367-4844-bd7f-15fb0f08943b' [array]$policies = Get-MgDeviceManagementIntent ` -ErrorAction Stop ` -All:$true ` -Filter $Filter ` | Where-Object -FilterScript { $_.TemplateId -eq $policyTemplateID } if ($policies.Length -eq 0) { Write-Host $Global:M365DSCEmojiGreenCheckMark } else { Write-Host "`r`n" -NoNewline } foreach ($policy in $policies) { Write-Host " |---[$i/$($policies.Count)] $($policy.DisplayName)" -NoNewline $params = @{ Identity = $policy.Id Ensure = 'Present' Credential = $Credential ApplicationId = $ApplicationId TenantId = $TenantId ApplicationSecret = $ApplicationSecret CertificateThumbprint = $CertificateThumbprint Managedidentity = $ManagedIdentity.IsPresent } $Results = Get-TargetResource @params if ($Results.Ensure -eq 'Present') { $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` -Results $Results $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` -Results $Results ` -Credential $Credential $dscContent += $currentDSCBlock Save-M365DSCPartialExport -Content $currentDSCBlock ` -FileName $Global:PartialExportFileName Write-Host $Global:M365DSCEmojiGreenCheckMark $i++ } } return $dscContent } catch { Write-Host $Global:M365DSCEmojiRedX if ($_.Exception -like '*401*') { Write-Host "`r`n $($Global:M365DSCEmojiYellowCircle) The current tenant is not registered for Intune." } try { Write-Verbose -Message $_ $tenantIdValue = $Credential.UserName.Split('@')[1] Add-M365DSCEvent -Message $_ -EntryType 'Error' ` -EventID 1 -Source $($MyInvocation.MyCommand.Source) ` -TenantId $tenantIdValue } catch { Write-Verbose -Message $_ } return '' } } function Get-M365DSCIntuneDeviceConfigurationSettings { [CmdletBinding()] [OutputType([System.Collections.Hashtable])] param( [Parameter(Mandatory = 'true')] [System.Collections.Hashtable] $Properties, [Parameter()] [System.String] $DefinitionIdPrefix ) $results = @() foreach ($property in $properties.Keys) { if ($property -ne 'Verbose') { $setting = @{} switch (($properties.$property.gettype()).name) { 'String' { $settingType = '#microsoft.graph.deviceManagementStringSettingInstance' } 'Boolean' { $settingType = '#microsoft.graph.deviceManagementBooleanSettingInstance' } 'Int32' { $settingType = '#microsoft.graph.deviceManagementIntegerSettingInstance' } 'String[]' { $settingType = '#microsoft.graph.deviceManagementCollectionSettingInstance' } Default { $settingType = '#microsoft.graph.deviceManagementComplexSettingInstance' } } $settingDefinitionIdPrefix = "deviceConfiguration--$DefinitionIdPrefix" $settingDefinitionId = $settingDefinitionIdPrefix + $property $setting.Add('@odata.type', $settingType) $setting.Add('definitionId', $settingDefinitionId) if ('String[]' -eq ($properties.$property.gettype()).name -and $properties.$property.count -eq 0 ) { $setting.Add('valueJson', '[]') } else { $setting.Add('valueJson', ($properties.$property | ConvertTo-Json)) } $results += $setting } } return $results } Export-ModuleMember -Function *-TargetResource |