From 7e1e5cb768034f1c3b3dc28782811792a865bb75 Mon Sep 17 00:00:00 2001 From: Elena Arganova Date: Fri, 8 Nov 2024 17:06:05 +0100 Subject: [PATCH 1/4] add windows10 security baseline --- .../MSFT_IntuneSecurityBaselineWindows10.psm1 | 2154 +++++++++++++++++ ...IntuneSecurityBaselineWindows10.schema.mof | 528 ++++ .../readme.md | 6 + .../settings.json | 39 + ....IntuneSecurityBaselineWindows10.Tests.ps1 | 495 ++++ 5 files changed, 3222 insertions(+) create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/readme.md create mode 100644 Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json create mode 100644 Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 new file mode 100644 index 0000000000..149ae81c24 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 
@@ -0,0 +1,2154 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $DeviceSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance] + $UserSettings, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy -DeviceManagementConfigurationPolicyId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline for Windows10 with Id {$Id}" + + if (-not [System.String]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementConfigurationPolicy ` + -Filter "Name eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Security Baseline for Windows10 with Name {$DisplayName}." 
+ return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Security Baseline for Windows10 with Id {$Id} and Name {$DisplayName} was found" + + # Retrieve policy specific settings + [array]$settings = Get-MgBetaDeviceManagementConfigurationPolicySetting ` + -DeviceManagementConfigurationPolicyId $Id ` + -ExpandProperty 'settingDefinitions' ` + -All ` + -ErrorAction Stop + + $policySettings = @{} + $policySettings = Export-IntuneSettingCatalogPolicySettings -Settings $settings -ReturnHashtable $policySettings -ContainsDeviceAndUserSettings + + #region resource generator code + $complexDeviceSettings = @{} + # Add device settings with conditional checks + if ($null -ne $policySettings.DeviceSettings.cPL_Personalization_NoLockScreenCamera) { + $complexDeviceSettings.Add('CPL_Personalization_NoLockScreenCamera', $policySettings.DeviceSettings.cPL_Personalization_NoLockScreenCamera) + } + if ($null -ne $policySettings.DeviceSettings.cPL_Personalization_NoLockScreenSlideshow) { + $complexDeviceSettings.Add('CPL_Personalization_NoLockScreenSlideshow', $policySettings.DeviceSettings.cPL_Personalization_NoLockScreenSlideshow) + } + if ($null -ne $policySettings.DeviceSettings.pol_SecGuide_0201_LATFP) { + $complexDeviceSettings.Add('Pol_SecGuide_0201_LATFP', $policySettings.DeviceSettings.pol_SecGuide_0201_LATFP) + } + if ($null -ne $policySettings.DeviceSettings.pol_SecGuide_0002_SMBv1_ClientDriver) { + $complexDeviceSettings.Add('Pol_SecGuide_0002_SMBv1_ClientDriver', $policySettings.DeviceSettings.pol_SecGuide_0002_SMBv1_ClientDriver) + } + if ($null -ne $policySettings.DeviceSettings.pol_SecGuide_SMB1ClientDriver) { + $complexDeviceSettings.Add('Pol_SecGuide_SMB1ClientDriver', $policySettings.DeviceSettings.pol_SecGuide_SMB1ClientDriver) + } + if ($null -ne $policySettings.DeviceSettings.pol_SecGuide_0001_SMBv1_Server) { + $complexDeviceSettings.Add('Pol_SecGuide_0001_SMBv1_Server', $policySettings.DeviceSettings.pol_SecGuide_0001_SMBv1_Server) + } 
+ if ($null -ne $policySettings.DeviceSettings.pol_SecGuide_0102_SEHOP) { + $complexDeviceSettings.Add('Pol_SecGuide_0102_SEHOP', $policySettings.DeviceSettings.pol_SecGuide_0102_SEHOP) + } + if ($null -ne $policySettings.DeviceSettings.pol_SecGuide_0202_WDigestAuthn) { + $complexDeviceSettings.Add('Pol_SecGuide_0202_WDigestAuthn', $policySettings.DeviceSettings.pol_SecGuide_0202_WDigestAuthn) + } + if ($null -ne $policySettings.DeviceSettings.pol_MSS_DisableIPSourceRoutingIPv6) { + $complexDeviceSettings.Add('Pol_MSS_DisableIPSourceRoutingIPv6', $policySettings.DeviceSettings.pol_MSS_DisableIPSourceRoutingIPv6) + } + if ($null -ne $policySettings.DeviceSettings.disableIPSourceRoutingIPv6) { + $complexDeviceSettings.Add('DisableIPSourceRoutingIPv6', $policySettings.DeviceSettings.disableIPSourceRoutingIPv6) + } + if ($null -ne $policySettings.DeviceSettings.pol_MSS_DisableIPSourceRouting) { + $complexDeviceSettings.Add('Pol_MSS_DisableIPSourceRouting', $policySettings.DeviceSettings.pol_MSS_DisableIPSourceRouting) + } + if ($null -ne $policySettings.DeviceSettings.disableIPSourceRouting) { + $complexDeviceSettings.Add('DisableIPSourceRouting', $policySettings.DeviceSettings.disableIPSourceRouting) + } + if ($null -ne $policySettings.DeviceSettings.pol_MSS_EnableICMPRedirect) { + $complexDeviceSettings.Add('Pol_MSS_EnableICMPRedirect', $policySettings.DeviceSettings.pol_MSS_EnableICMPRedirect) + } + if ($null -ne $policySettings.DeviceSettings.pol_MSS_NoNameReleaseOnDemand) { + $complexDeviceSettings.Add('Pol_MSS_NoNameReleaseOnDemand', $policySettings.DeviceSettings.pol_MSS_NoNameReleaseOnDemand) + } + if ($null -ne $policySettings.DeviceSettings.turn_Off_Multicast) { + $complexDeviceSettings.Add('Turn_Off_Multicast', $policySettings.DeviceSettings.turn_Off_Multicast) + } + if ($null -ne $policySettings.DeviceSettings.nC_ShowSharedAccessUI) { + $complexDeviceSettings.Add('NC_ShowSharedAccessUI', $policySettings.DeviceSettings.nC_ShowSharedAccessUI) + } + if ($null 
-ne $policySettings.DeviceSettings.hardenedUNCPaths_Pol_HardenedPaths) { + $complexDeviceSettings.Add('HardenedUNCPaths_Pol_HardenedPaths', $policySettings.DeviceSettings.hardenedUNCPaths_Pol_HardenedPaths) + } + # Process complexPol_hardenedpaths array + $complexPol_hardenedpaths = @() + foreach ($currentPol_hardenedpaths in $policySettings.DeviceSettings.pol_hardenedpaths) + { + $myPol_hardenedpaths = @{} + if ($myPol_hardenedpaths.values.Where({$null -ne $_}).Count -gt 0) + { + $complexPol_hardenedpaths += $myPol_hardenedpaths + } + } + if ($complexPol_hardenedpaths.Count -gt 0) { + $complexDeviceSettings.Add('Pol_hardenedpaths', $complexPol_hardenedpaths) + } + # Continue adding device settings with conditional checks + if ($null -ne $policySettings.DeviceSettings.wCM_BlockNonDomain) { + $complexDeviceSettings.Add('WCM_BlockNonDomain', $policySettings.DeviceSettings.wCM_BlockNonDomain) + } + if ($null -ne $policySettings.DeviceSettings.configureRedirectionGuardPolicy) { + $complexDeviceSettings.Add('ConfigureRedirectionGuardPolicy', $policySettings.DeviceSettings.configureRedirectionGuardPolicy) + } + if ($null -ne $policySettings.DeviceSettings.redirectionGuardPolicy_Enum) { + $complexDeviceSettings.Add('RedirectionGuardPolicy_Enum', $policySettings.DeviceSettings.redirectionGuardPolicy_Enum) + } + if ($null -ne $policySettings.DeviceSettings.configureRpcConnectionPolicy) { + $complexDeviceSettings.Add('ConfigureRpcConnectionPolicy', $policySettings.DeviceSettings.configureRpcConnectionPolicy) + } + if ($null -ne $policySettings.DeviceSettings.rpcConnectionAuthentication_Enum) { + $complexDeviceSettings.Add('RpcConnectionAuthentication_Enum', $policySettings.DeviceSettings.rpcConnectionAuthentication_Enum) + } + if ($null -ne $policySettings.DeviceSettings.rpcConnectionProtocol_Enum) { + $complexDeviceSettings.Add('RpcConnectionProtocol_Enum', $policySettings.DeviceSettings.rpcConnectionProtocol_Enum) + } + if ($null -ne 
$policySettings.DeviceSettings.configureRpcListenerPolicy) { + $complexDeviceSettings.Add('ConfigureRpcListenerPolicy', $policySettings.DeviceSettings.configureRpcListenerPolicy) + } + if ($null -ne $policySettings.DeviceSettings.rpcAuthenticationProtocol_Enum) { + $complexDeviceSettings.Add('RpcAuthenticationProtocol_Enum', $policySettings.DeviceSettings.rpcAuthenticationProtocol_Enum) + } + if ($null -ne $policySettings.DeviceSettings.rpcListenerProtocols_Enum) { + $complexDeviceSettings.Add('RpcListenerProtocols_Enum', $policySettings.DeviceSettings.rpcListenerProtocols_Enum) + } + if ($null -ne $policySettings.DeviceSettings.configureRpcTcpPort) { + $complexDeviceSettings.Add('ConfigureRpcTcpPort', $policySettings.DeviceSettings.configureRpcTcpPort) + } + if ($null -ne $policySettings.DeviceSettings.rpcTcpPort) { + $complexDeviceSettings.Add('RpcTcpPort', $policySettings.DeviceSettings.rpcTcpPort) + } + if ($null -ne $policySettings.DeviceSettings.restrictDriverInstallationToAdministrators) { + $complexDeviceSettings.Add('RestrictDriverInstallationToAdministrators', $policySettings.DeviceSettings.restrictDriverInstallationToAdministrators) + } + if ($null -ne $policySettings.DeviceSettings.configureCopyFilesPolicy) { + $complexDeviceSettings.Add('ConfigureCopyFilesPolicy', $policySettings.DeviceSettings.configureCopyFilesPolicy) + } + if ($null -ne $policySettings.DeviceSettings.copyFilesPolicy_Enum) { + $complexDeviceSettings.Add('CopyFilesPolicy_Enum', $policySettings.DeviceSettings.copyFilesPolicy_Enum) + } + if ($null -ne $policySettings.DeviceSettings.allowEncryptionOracle) { + $complexDeviceSettings.Add('AllowEncryptionOracle', $policySettings.DeviceSettings.allowEncryptionOracle) + } + if ($null -ne $policySettings.DeviceSettings.allowEncryptionOracleDrop) { + $complexDeviceSettings.Add('AllowEncryptionOracleDrop', $policySettings.DeviceSettings.allowEncryptionOracleDrop) + } + if ($null -ne $policySettings.DeviceSettings.allowProtectedCreds) { + 
$complexDeviceSettings.Add('AllowProtectedCreds', $policySettings.DeviceSettings.allowProtectedCreds) + } + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny', $policySettings.DeviceSettings.deviceInstall_Classes_Deny) + } + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny_List) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny_List', $policySettings.DeviceSettings.deviceInstall_Classes_Deny_List) + } + if ($null -ne $policySettings.DeviceSettings.deviceInstall_Classes_Deny_Retroactive) { + $complexDeviceSettings.Add('DeviceInstall_Classes_Deny_Retroactive', $policySettings.DeviceSettings.deviceInstall_Classes_Deny_Retroactive) + } + if ($null -ne $policySettings.DeviceSettings.pOL_DriverLoadPolicy_Name) { + $complexDeviceSettings.Add('POL_DriverLoadPolicy_Name', $policySettings.DeviceSettings.pOL_DriverLoadPolicy_Name) + } + if ($null -ne $policySettings.DeviceSettings.selectDriverLoadPolicy) { + $complexDeviceSettings.Add('SelectDriverLoadPolicy', $policySettings.DeviceSettings.selectDriverLoadPolicy) + } + if ($null -ne $policySettings.DeviceSettings.cSE_Registry) { + $complexDeviceSettings.Add('CSE_Registry', $policySettings.DeviceSettings.cSE_Registry) + } + if ($null -ne $policySettings.DeviceSettings.cSE_NOBACKGROUND10) { + $complexDeviceSettings.Add('CSE_NOBACKGROUND10', $policySettings.DeviceSettings.cSE_NOBACKGROUND10) + } + if ($null -ne $policySettings.DeviceSettings.cSE_NOCHANGES10) { + $complexDeviceSettings.Add('CSE_NOCHANGES10', $policySettings.DeviceSettings.cSE_NOCHANGES10) + } + if ($null -ne $policySettings.DeviceSettings.disableWebPnPDownload_2) { + $complexDeviceSettings.Add('DisableWebPnPDownload_2', $policySettings.DeviceSettings.disableWebPnPDownload_2) + } + if ($null -ne $policySettings.DeviceSettings.shellPreventWPWDownload_2) { + $complexDeviceSettings.Add('ShellPreventWPWDownload_2', 
$policySettings.DeviceSettings.shellPreventWPWDownload_2) + } + if ($null -ne $policySettings.DeviceSettings.allowCustomSSPsAPs) { + $complexDeviceSettings.Add('AllowCustomSSPsAPs', $policySettings.DeviceSettings.allowCustomSSPsAPs) + } + if ($null -ne $policySettings.DeviceSettings.allowStandbyStatesDC_2) { + $complexDeviceSettings.Add('AllowStandbyStatesDC_2', $policySettings.DeviceSettings.allowStandbyStatesDC_2) + } + if ($null -ne $policySettings.DeviceSettings.allowStandbyStatesAC_2) { + $complexDeviceSettings.Add('AllowStandbyStatesAC_2', $policySettings.DeviceSettings.allowStandbyStatesAC_2) + } + if ($null -ne $policySettings.DeviceSettings.dCPromptForPasswordOnResume_2) { + $complexDeviceSettings.Add('DCPromptForPasswordOnResume_2', $policySettings.DeviceSettings.dCPromptForPasswordOnResume_2) + } + if ($null -ne $policySettings.DeviceSettings.aCPromptForPasswordOnResume_2) { + $complexDeviceSettings.Add('ACPromptForPasswordOnResume_2', $policySettings.DeviceSettings.aCPromptForPasswordOnResume_2) + } + if ($null -ne $policySettings.DeviceSettings.rA_Solicit) { + $complexDeviceSettings.Add('RA_Solicit', $policySettings.DeviceSettings.rA_Solicit) + } + if ($null -ne $policySettings.DeviceSettings.rA_Solicit_ExpireUnits_List) { + $complexDeviceSettings.Add('RA_Solicit_ExpireUnits_List', $policySettings.DeviceSettings.rA_Solicit_ExpireUnits_List) + } + if ($null -ne $policySettings.DeviceSettings.rA_Solicit_ExpireValue_Edt) { + $complexDeviceSettings.Add('RA_Solicit_ExpireValue_Edt', $policySettings.DeviceSettings.rA_Solicit_ExpireValue_Edt) + } + if ($null -ne $policySettings.DeviceSettings.rA_Solicit_Control_List) { + $complexDeviceSettings.Add('RA_Solicit_Control_List', $policySettings.DeviceSettings.rA_Solicit_Control_List) + } + if ($null -ne $policySettings.DeviceSettings.rA_Solicit_Mailto_List) { + $complexDeviceSettings.Add('RA_Solicit_Mailto_List', $policySettings.DeviceSettings.rA_Solicit_Mailto_List) + } + if ($null -ne 
$policySettings.DeviceSettings.rpcRestrictRemoteClients) { + $complexDeviceSettings.Add('RpcRestrictRemoteClients', $policySettings.DeviceSettings.rpcRestrictRemoteClients) + } + if ($null -ne $policySettings.DeviceSettings.rpcRestrictRemoteClientsList) { + $complexDeviceSettings.Add('RpcRestrictRemoteClientsList', $policySettings.DeviceSettings.rpcRestrictRemoteClientsList) + } + if ($null -ne $policySettings.DeviceSettings.appxRuntimeMicrosoftAccountsOptional) { + $complexDeviceSettings.Add('AppxRuntimeMicrosoftAccountsOptional', $policySettings.DeviceSettings.appxRuntimeMicrosoftAccountsOptional) + } + if ($null -ne $policySettings.DeviceSettings.noAutoplayfornonVolume) { + $complexDeviceSettings.Add('NoAutoplayfornonVolume', $policySettings.DeviceSettings.noAutoplayfornonVolume) + } + if ($null -ne $policySettings.DeviceSettings.noAutorun) { + $complexDeviceSettings.Add('NoAutorun', $policySettings.DeviceSettings.noAutorun) + } + if ($null -ne $policySettings.DeviceSettings.noAutorun_Dropdown) { + $complexDeviceSettings.Add('NoAutorun_Dropdown', $policySettings.DeviceSettings.noAutorun_Dropdown) + } + if ($null -ne $policySettings.DeviceSettings.autorun) { + $complexDeviceSettings.Add('Autorun', $policySettings.DeviceSettings.autorun) + } + if ($null -ne $policySettings.DeviceSettings.autorun_Box) { + $complexDeviceSettings.Add('Autorun_Box', $policySettings.DeviceSettings.autorun_Box) + } + if ($null -ne $policySettings.DeviceSettings.fDVDenyWriteAccess_Name) { + $complexDeviceSettings.Add('FDVDenyWriteAccess_Name', $policySettings.DeviceSettings.fDVDenyWriteAccess_Name) + } + if ($null -ne $policySettings.DeviceSettings.rDVDenyWriteAccess_Name) { + $complexDeviceSettings.Add('RDVDenyWriteAccess_Name', $policySettings.DeviceSettings.rDVDenyWriteAccess_Name) + } + if ($null -ne $policySettings.DeviceSettings.rDVCrossOrg) { + $complexDeviceSettings.Add('RDVCrossOrg', $policySettings.DeviceSettings.rDVCrossOrg) + } + if ($null -ne 
$policySettings.DeviceSettings.enumerateAdministrators) { + $complexDeviceSettings.Add('EnumerateAdministrators', $policySettings.DeviceSettings.enumerateAdministrators) + } + if ($null -ne $policySettings.DeviceSettings.channel_LogMaxSize_1) { + $complexDeviceSettings.Add('Channel_LogMaxSize_1', $policySettings.DeviceSettings.channel_LogMaxSize_1) + } + if ($null -ne $policySettings.DeviceSettings.channel_LogMaxSize_1_Channel_LogMaxSize) { + $complexDeviceSettings.Add('Channel_LogMaxSize_1_Channel_LogMaxSize', $policySettings.DeviceSettings.channel_LogMaxSize_1_Channel_LogMaxSize) + } + if ($null -ne $policySettings.DeviceSettings.channel_LogMaxSize_2) { + $complexDeviceSettings.Add('Channel_LogMaxSize_2', $policySettings.DeviceSettings.channel_LogMaxSize_2) + } + if ($null -ne $policySettings.DeviceSettings.channel_LogMaxSize_2_Channel_LogMaxSize) { + $complexDeviceSettings.Add('Channel_LogMaxSize_2_Channel_LogMaxSize', $policySettings.DeviceSettings.channel_LogMaxSize_2_Channel_LogMaxSize) + } + if ($null -ne $policySettings.DeviceSettings.channel_LogMaxSize_4) { + $complexDeviceSettings.Add('Channel_LogMaxSize_4', $policySettings.DeviceSettings.channel_LogMaxSize_4) + } + if ($null -ne $policySettings.DeviceSettings.channel_LogMaxSize_4_Channel_LogMaxSize) { + $complexDeviceSettings.Add('Channel_LogMaxSize_4_Channel_LogMaxSize', $policySettings.DeviceSettings.channel_LogMaxSize_4_Channel_LogMaxSize) + } + if ($null -ne $policySettings.DeviceSettings.enableSmartScreen) { + $complexDeviceSettings.Add('EnableSmartScreen', $policySettings.DeviceSettings.enableSmartScreen) + } + if ($null -ne $policySettings.DeviceSettings.enableSmartScreenDropdown) { + $complexDeviceSettings.Add('EnableSmartScreenDropdown', $policySettings.DeviceSettings.enableSmartScreenDropdown) + } + if ($null -ne $policySettings.DeviceSettings.noDataExecutionPrevention) { + $complexDeviceSettings.Add('NoDataExecutionPrevention', $policySettings.DeviceSettings.noDataExecutionPrevention) + } + if 
($null -ne $policySettings.DeviceSettings.noHeapTerminationOnCorruption) { + $complexDeviceSettings.Add('NoHeapTerminationOnCorruption', $policySettings.DeviceSettings.noHeapTerminationOnCorruption) + } + if ($null -ne $policySettings.DeviceSettings.advanced_InvalidSignatureBlock) { + $complexDeviceSettings.Add('Advanced_InvalidSignatureBlock', $policySettings.DeviceSettings.advanced_InvalidSignatureBlock) + } + if ($null -ne $policySettings.DeviceSettings.advanced_CertificateRevocation) { + $complexDeviceSettings.Add('Advanced_CertificateRevocation', $policySettings.DeviceSettings.advanced_CertificateRevocation) + } + if ($null -ne $policySettings.DeviceSettings.advanced_DownloadSignatures) { + $complexDeviceSettings.Add('Advanced_DownloadSignatures', $policySettings.DeviceSettings.advanced_DownloadSignatures) + } + if ($null -ne $policySettings.DeviceSettings.advanced_DisableEPMCompat) { + $complexDeviceSettings.Add('Advanced_DisableEPMCompat', $policySettings.DeviceSettings.advanced_DisableEPMCompat) + } + if ($null -ne $policySettings.DeviceSettings.advanced_SetWinInetProtocols) { + $complexDeviceSettings.Add('Advanced_SetWinInetProtocols', $policySettings.DeviceSettings.advanced_SetWinInetProtocols) + } + if ($null -ne $policySettings.DeviceSettings.advanced_WinInetProtocolOptions) { + $complexDeviceSettings.Add('Advanced_WinInetProtocolOptions', $policySettings.DeviceSettings.advanced_WinInetProtocolOptions) + } + if ($null -ne $policySettings.DeviceSettings.advanced_EnableEnhancedProtectedMode64Bit) { + $complexDeviceSettings.Add('Advanced_EnableEnhancedProtectedMode64Bit', $policySettings.DeviceSettings.advanced_EnableEnhancedProtectedMode64Bit) + } + if ($null -ne $policySettings.DeviceSettings.advanced_EnableEnhancedProtectedMode) { + $complexDeviceSettings.Add('Advanced_EnableEnhancedProtectedMode', $policySettings.DeviceSettings.advanced_EnableEnhancedProtectedMode) + } + if ($null -ne $policySettings.DeviceSettings.noCertError) { + 
$complexDeviceSettings.Add('NoCertError', $policySettings.DeviceSettings.noCertError) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAccessDataSourcesAcrossDomains_1) { + $complexDeviceSettings.Add('IZ_PolicyAccessDataSourcesAcrossDomains_1', $policySettings.DeviceSettings.iZ_PolicyAccessDataSourcesAcrossDomains_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAccessDataSourcesAcrossDomains_1_IZ_Partname1406) { + $complexDeviceSettings.Add('IZ_PolicyAccessDataSourcesAcrossDomains_1_IZ_Partname1406', $policySettings.DeviceSettings.iZ_PolicyAccessDataSourcesAcrossDomains_1_IZ_Partname1406) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowPasteViaScript_1) { + $complexDeviceSettings.Add('IZ_PolicyAllowPasteViaScript_1', $policySettings.DeviceSettings.iZ_PolicyAllowPasteViaScript_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowPasteViaScript_1_IZ_Partname1407) { + $complexDeviceSettings.Add('IZ_PolicyAllowPasteViaScript_1_IZ_Partname1407', $policySettings.DeviceSettings.iZ_PolicyAllowPasteViaScript_1_IZ_Partname1407) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDropOrPasteFiles_1) { + $complexDeviceSettings.Add('IZ_PolicyDropOrPasteFiles_1', $policySettings.DeviceSettings.iZ_PolicyDropOrPasteFiles_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDropOrPasteFiles_1_IZ_Partname1802) { + $complexDeviceSettings.Add('IZ_PolicyDropOrPasteFiles_1_IZ_Partname1802', $policySettings.DeviceSettings.iZ_PolicyDropOrPasteFiles_1_IZ_Partname1802) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_XAML_1) { + $complexDeviceSettings.Add('IZ_Policy_XAML_1', $policySettings.DeviceSettings.iZ_Policy_XAML_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_XAML_1_IZ_Partname2402) { + $complexDeviceSettings.Add('IZ_Policy_XAML_1_IZ_Partname2402', $policySettings.DeviceSettings.iZ_Policy_XAML_1_IZ_Partname2402) + } + if ($null -ne 
$policySettings.DeviceSettings.iZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet) { + $complexDeviceSettings.Add('IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet', $policySettings.DeviceSettings.iZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet_IZ_Partname120b) { + $complexDeviceSettings.Add('IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet_IZ_Partname120b', $policySettings.DeviceSettings.iZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet_IZ_Partname120b) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowTDCControl_Both_Internet) { + $complexDeviceSettings.Add('IZ_PolicyAllowTDCControl_Both_Internet', $policySettings.DeviceSettings.iZ_PolicyAllowTDCControl_Both_Internet) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowTDCControl_Both_Internet_IZ_Partname120c) { + $complexDeviceSettings.Add('IZ_PolicyAllowTDCControl_Both_Internet_IZ_Partname120c', $policySettings.DeviceSettings.iZ_PolicyAllowTDCControl_Both_Internet_IZ_Partname120c) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyWindowsRestrictionsURLaction_1) { + $complexDeviceSettings.Add('IZ_PolicyWindowsRestrictionsURLaction_1', $policySettings.DeviceSettings.iZ_PolicyWindowsRestrictionsURLaction_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyWindowsRestrictionsURLaction_1_IZ_Partname2102) { + $complexDeviceSettings.Add('IZ_PolicyWindowsRestrictionsURLaction_1_IZ_Partname2102', $policySettings.DeviceSettings.iZ_PolicyWindowsRestrictionsURLaction_1_IZ_Partname2102) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_WebBrowserControl_1) { + $complexDeviceSettings.Add('IZ_Policy_WebBrowserControl_1', $policySettings.DeviceSettings.iZ_Policy_WebBrowserControl_1) + } + if ($null -ne 
$policySettings.DeviceSettings.iZ_Policy_WebBrowserControl_1_IZ_Partname1206) { + $complexDeviceSettings.Add('IZ_Policy_WebBrowserControl_1_IZ_Partname1206', $policySettings.DeviceSettings.iZ_Policy_WebBrowserControl_1_IZ_Partname1206) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_AllowScriptlets_1) { + $complexDeviceSettings.Add('IZ_Policy_AllowScriptlets_1', $policySettings.DeviceSettings.iZ_Policy_AllowScriptlets_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_AllowScriptlets_1_IZ_Partname1209) { + $complexDeviceSettings.Add('IZ_Policy_AllowScriptlets_1_IZ_Partname1209', $policySettings.DeviceSettings.iZ_Policy_AllowScriptlets_1_IZ_Partname1209) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_ScriptStatusBar_1) { + $complexDeviceSettings.Add('IZ_Policy_ScriptStatusBar_1', $policySettings.DeviceSettings.iZ_Policy_ScriptStatusBar_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_ScriptStatusBar_1_IZ_Partname2103) { + $complexDeviceSettings.Add('IZ_Policy_ScriptStatusBar_1_IZ_Partname2103', $policySettings.DeviceSettings.iZ_Policy_ScriptStatusBar_1_IZ_Partname2103) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowVBScript_1) { + $complexDeviceSettings.Add('IZ_PolicyAllowVBScript_1', $policySettings.DeviceSettings.iZ_PolicyAllowVBScript_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowVBScript_1_IZ_Partname140C) { + $complexDeviceSettings.Add('IZ_PolicyAllowVBScript_1_IZ_Partname140C', $policySettings.DeviceSettings.iZ_PolicyAllowVBScript_1_IZ_Partname140C) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyNotificationBarDownloadURLaction_1) { + $complexDeviceSettings.Add('IZ_PolicyNotificationBarDownloadURLaction_1', $policySettings.DeviceSettings.iZ_PolicyNotificationBarDownloadURLaction_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyNotificationBarDownloadURLaction_1_IZ_Partname2200) { + 
$complexDeviceSettings.Add('IZ_PolicyNotificationBarDownloadURLaction_1_IZ_Partname2200', $policySettings.DeviceSettings.iZ_PolicyNotificationBarDownloadURLaction_1_IZ_Partname2200) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_1) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_1', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_1_IZ_Partname270C) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_1_IZ_Partname270C', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_1_IZ_Partname270C) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDownloadSignedActiveX_1) { + $complexDeviceSettings.Add('IZ_PolicyDownloadSignedActiveX_1', $policySettings.DeviceSettings.iZ_PolicyDownloadSignedActiveX_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDownloadSignedActiveX_1_IZ_Partname1001) { + $complexDeviceSettings.Add('IZ_PolicyDownloadSignedActiveX_1_IZ_Partname1001', $policySettings.DeviceSettings.iZ_PolicyDownloadSignedActiveX_1_IZ_Partname1001) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDownloadUnsignedActiveX_1) { + $complexDeviceSettings.Add('IZ_PolicyDownloadUnsignedActiveX_1', $policySettings.DeviceSettings.iZ_PolicyDownloadUnsignedActiveX_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDownloadUnsignedActiveX_1_IZ_Partname1004) { + $complexDeviceSettings.Add('IZ_PolicyDownloadUnsignedActiveX_1_IZ_Partname1004', $policySettings.DeviceSettings.iZ_PolicyDownloadUnsignedActiveX_1_IZ_Partname1004) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet) { + $complexDeviceSettings.Add('IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet', 
$policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet_IZ_Partname2709) { + $complexDeviceSettings.Add('IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet_IZ_Partname2709', $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet_IZ_Partname2709) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet) { + $complexDeviceSettings.Add('IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet', $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet_IZ_Partname2708) { + $complexDeviceSettings.Add('IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet_IZ_Partname2708', $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet_IZ_Partname2708) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_LocalPathForUpload_1) { + $complexDeviceSettings.Add('IZ_Policy_LocalPathForUpload_1', $policySettings.DeviceSettings.iZ_Policy_LocalPathForUpload_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_LocalPathForUpload_1_IZ_Partname160A) { + $complexDeviceSettings.Add('IZ_Policy_LocalPathForUpload_1_IZ_Partname160A', $policySettings.DeviceSettings.iZ_Policy_LocalPathForUpload_1_IZ_Partname160A) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_1) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXNotMarkedSafe_1', $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_1_IZ_Partname1201) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXNotMarkedSafe_1_IZ_Partname1201', 
$policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_1_IZ_Partname1201) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_1) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_1', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_1_IZ_Partname1C00) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_1_IZ_Partname1C00', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_1_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyLaunchAppsAndFilesInIFRAME_1) { + $complexDeviceSettings.Add('IZ_PolicyLaunchAppsAndFilesInIFRAME_1', $policySettings.DeviceSettings.iZ_PolicyLaunchAppsAndFilesInIFRAME_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyLaunchAppsAndFilesInIFRAME_1_IZ_Partname1804) { + $complexDeviceSettings.Add('IZ_PolicyLaunchAppsAndFilesInIFRAME_1_IZ_Partname1804', $policySettings.DeviceSettings.iZ_PolicyLaunchAppsAndFilesInIFRAME_1_IZ_Partname1804) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyLogon_1) { + $complexDeviceSettings.Add('IZ_PolicyLogon_1', $policySettings.DeviceSettings.iZ_PolicyLogon_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyLogon_1_IZ_Partname1A00) { + $complexDeviceSettings.Add('IZ_PolicyLogon_1_IZ_Partname1A00', $policySettings.DeviceSettings.iZ_PolicyLogon_1_IZ_Partname1A00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyNavigateSubframesAcrossDomains_1) { + $complexDeviceSettings.Add('IZ_PolicyNavigateSubframesAcrossDomains_1', $policySettings.DeviceSettings.iZ_PolicyNavigateSubframesAcrossDomains_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyNavigateSubframesAcrossDomains_1_IZ_Partname1607) { + $complexDeviceSettings.Add('IZ_PolicyNavigateSubframesAcrossDomains_1_IZ_Partname1607', $policySettings.DeviceSettings.iZ_PolicyNavigateSubframesAcrossDomains_1_IZ_Partname1607) + } + if ($null -ne 
$policySettings.DeviceSettings.iZ_PolicyUnsignedFrameworkComponentsURLaction_1) { + $complexDeviceSettings.Add('IZ_PolicyUnsignedFrameworkComponentsURLaction_1', $policySettings.DeviceSettings.iZ_PolicyUnsignedFrameworkComponentsURLaction_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyUnsignedFrameworkComponentsURLaction_1_IZ_Partname2004) { + $complexDeviceSettings.Add('IZ_PolicyUnsignedFrameworkComponentsURLaction_1_IZ_Partname2004', $policySettings.DeviceSettings.iZ_PolicyUnsignedFrameworkComponentsURLaction_1_IZ_Partname2004) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicySignedFrameworkComponentsURLaction_1) { + $complexDeviceSettings.Add('IZ_PolicySignedFrameworkComponentsURLaction_1', $policySettings.DeviceSettings.iZ_PolicySignedFrameworkComponentsURLaction_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicySignedFrameworkComponentsURLaction_1_IZ_Partname2001) { + $complexDeviceSettings.Add('IZ_PolicySignedFrameworkComponentsURLaction_1_IZ_Partname2001', $policySettings.DeviceSettings.iZ_PolicySignedFrameworkComponentsURLaction_1_IZ_Partname2001) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_UnsafeFiles_1) { + $complexDeviceSettings.Add('IZ_Policy_UnsafeFiles_1', $policySettings.DeviceSettings.iZ_Policy_UnsafeFiles_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_UnsafeFiles_1_IZ_Partname1806) { + $complexDeviceSettings.Add('IZ_Policy_UnsafeFiles_1_IZ_Partname1806', $policySettings.DeviceSettings.iZ_Policy_UnsafeFiles_1_IZ_Partname1806) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyTurnOnXSSFilter_Both_Internet) { + $complexDeviceSettings.Add('IZ_PolicyTurnOnXSSFilter_Both_Internet', $policySettings.DeviceSettings.iZ_PolicyTurnOnXSSFilter_Both_Internet) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyTurnOnXSSFilter_Both_Internet_IZ_Partname1409) { + $complexDeviceSettings.Add('IZ_PolicyTurnOnXSSFilter_Both_Internet_IZ_Partname1409', 
$policySettings.DeviceSettings.iZ_PolicyTurnOnXSSFilter_Both_Internet_IZ_Partname1409) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_TurnOnProtectedMode_1) { + $complexDeviceSettings.Add('IZ_Policy_TurnOnProtectedMode_1', $policySettings.DeviceSettings.iZ_Policy_TurnOnProtectedMode_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_TurnOnProtectedMode_1_IZ_Partname2500) { + $complexDeviceSettings.Add('IZ_Policy_TurnOnProtectedMode_1_IZ_Partname2500', $policySettings.DeviceSettings.iZ_Policy_TurnOnProtectedMode_1_IZ_Partname2500) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_Phishing_1) { + $complexDeviceSettings.Add('IZ_Policy_Phishing_1', $policySettings.DeviceSettings.iZ_Policy_Phishing_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_Phishing_1_IZ_Partname2301) { + $complexDeviceSettings.Add('IZ_Policy_Phishing_1_IZ_Partname2301', $policySettings.DeviceSettings.iZ_Policy_Phishing_1_IZ_Partname2301) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyBlockPopupWindows_1) { + $complexDeviceSettings.Add('IZ_PolicyBlockPopupWindows_1', $policySettings.DeviceSettings.iZ_PolicyBlockPopupWindows_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyBlockPopupWindows_1_IZ_Partname1809) { + $complexDeviceSettings.Add('IZ_PolicyBlockPopupWindows_1_IZ_Partname1809', $policySettings.DeviceSettings.iZ_PolicyBlockPopupWindows_1_IZ_Partname1809) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyUserdataPersistence_1) { + $complexDeviceSettings.Add('IZ_PolicyUserdataPersistence_1', $policySettings.DeviceSettings.iZ_PolicyUserdataPersistence_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyUserdataPersistence_1_IZ_Partname1606) { + $complexDeviceSettings.Add('IZ_PolicyUserdataPersistence_1_IZ_Partname1606', $policySettings.DeviceSettings.iZ_PolicyUserdataPersistence_1_IZ_Partname1606) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyZoneElevationURLaction_1) { + 
$complexDeviceSettings.Add('IZ_PolicyZoneElevationURLaction_1', $policySettings.DeviceSettings.iZ_PolicyZoneElevationURLaction_1) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyZoneElevationURLaction_1_IZ_Partname2101) { + $complexDeviceSettings.Add('IZ_PolicyZoneElevationURLaction_1_IZ_Partname2101', $policySettings.DeviceSettings.iZ_PolicyZoneElevationURLaction_1_IZ_Partname2101) + } + if ($null -ne $policySettings.DeviceSettings.iZ_UNCAsIntranet) { + $complexDeviceSettings.Add('IZ_UNCAsIntranet', $policySettings.DeviceSettings.iZ_UNCAsIntranet) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_3) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_3', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_3) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_3_IZ_Partname270C) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_3_IZ_Partname270C', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_3_IZ_Partname270C) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_3) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXNotMarkedSafe_3', $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_3) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_3_IZ_Partname1201) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXNotMarkedSafe_3_IZ_Partname1201', $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_3_IZ_Partname1201) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_3) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_3', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_3) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_3_IZ_Partname1C00) { + 
$complexDeviceSettings.Add('IZ_PolicyJavaPermissions_3_IZ_Partname1C00', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_3_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_9) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_9', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_9) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_9_IZ_Partname270C) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_9_IZ_Partname270C', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_9_IZ_Partname270C) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_9) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_9', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_9) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_9_IZ_Partname1C00) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_9_IZ_Partname1C00', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_9_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_Phishing_2) { + $complexDeviceSettings.Add('IZ_Policy_Phishing_2', $policySettings.DeviceSettings.iZ_Policy_Phishing_2) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_Phishing_2_IZ_Partname2301) { + $complexDeviceSettings.Add('IZ_Policy_Phishing_2_IZ_Partname2301', $policySettings.DeviceSettings.iZ_Policy_Phishing_2_IZ_Partname2301) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_4) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_4', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_4) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_4_IZ_Partname1C00) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_4_IZ_Partname1C00', 
$policySettings.DeviceSettings.iZ_PolicyJavaPermissions_4_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_10) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_10', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_10) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_10_IZ_Partname1C00) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_10_IZ_Partname1C00', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_10_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_8) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_8', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_8) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_8_IZ_Partname1C00) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_8_IZ_Partname1C00', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_8_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_Phishing_8) { + $complexDeviceSettings.Add('IZ_Policy_Phishing_8', $policySettings.DeviceSettings.iZ_Policy_Phishing_8) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_Phishing_8_IZ_Partname2301) { + $complexDeviceSettings.Add('IZ_Policy_Phishing_8_IZ_Partname2301', $policySettings.DeviceSettings.iZ_Policy_Phishing_8_IZ_Partname2301) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_6) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_6', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_6) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_6_IZ_Partname1C00) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_6_IZ_Partname1C00', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_6_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAccessDataSourcesAcrossDomains_7) { + $complexDeviceSettings.Add('IZ_PolicyAccessDataSourcesAcrossDomains_7', 
$policySettings.DeviceSettings.iZ_PolicyAccessDataSourcesAcrossDomains_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAccessDataSourcesAcrossDomains_7_IZ_Partname1406) { + $complexDeviceSettings.Add('IZ_PolicyAccessDataSourcesAcrossDomains_7_IZ_Partname1406', $policySettings.DeviceSettings.iZ_PolicyAccessDataSourcesAcrossDomains_7_IZ_Partname1406) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyActiveScripting_7) { + $complexDeviceSettings.Add('IZ_PolicyActiveScripting_7', $policySettings.DeviceSettings.iZ_PolicyActiveScripting_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Partname1400) { + $complexDeviceSettings.Add('IZ_Partname1400', $policySettings.DeviceSettings.iZ_Partname1400) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyBinaryBehaviors_7) { + $complexDeviceSettings.Add('IZ_PolicyBinaryBehaviors_7', $policySettings.DeviceSettings.iZ_PolicyBinaryBehaviors_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Partname2000) { + $complexDeviceSettings.Add('IZ_Partname2000', $policySettings.DeviceSettings.iZ_Partname2000) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowPasteViaScript_7) { + $complexDeviceSettings.Add('IZ_PolicyAllowPasteViaScript_7', $policySettings.DeviceSettings.iZ_PolicyAllowPasteViaScript_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowPasteViaScript_7_IZ_Partname1407) { + $complexDeviceSettings.Add('IZ_PolicyAllowPasteViaScript_7_IZ_Partname1407', $policySettings.DeviceSettings.iZ_PolicyAllowPasteViaScript_7_IZ_Partname1407) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDropOrPasteFiles_7) { + $complexDeviceSettings.Add('IZ_PolicyDropOrPasteFiles_7', $policySettings.DeviceSettings.iZ_PolicyDropOrPasteFiles_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDropOrPasteFiles_7_IZ_Partname1802) { + $complexDeviceSettings.Add('IZ_PolicyDropOrPasteFiles_7_IZ_Partname1802', 
$policySettings.DeviceSettings.iZ_PolicyDropOrPasteFiles_7_IZ_Partname1802) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyFileDownload_7) { + $complexDeviceSettings.Add('IZ_PolicyFileDownload_7', $policySettings.DeviceSettings.iZ_PolicyFileDownload_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Partname1803) { + $complexDeviceSettings.Add('IZ_Partname1803', $policySettings.DeviceSettings.iZ_Partname1803) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_XAML_7) { + $complexDeviceSettings.Add('IZ_Policy_XAML_7', $policySettings.DeviceSettings.iZ_Policy_XAML_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_XAML_7_IZ_Partname2402) { + $complexDeviceSettings.Add('IZ_Policy_XAML_7_IZ_Partname2402', $policySettings.DeviceSettings.iZ_Policy_XAML_7_IZ_Partname2402) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowMETAREFRESH_7) { + $complexDeviceSettings.Add('IZ_PolicyAllowMETAREFRESH_7', $policySettings.DeviceSettings.iZ_PolicyAllowMETAREFRESH_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Partname1608) { + $complexDeviceSettings.Add('IZ_Partname1608', $policySettings.DeviceSettings.iZ_Partname1608) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted) { + $complexDeviceSettings.Add('IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted', $policySettings.DeviceSettings.iZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted_IZ_Partname120b) { + $complexDeviceSettings.Add('IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted_IZ_Partname120b', $policySettings.DeviceSettings.iZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted_IZ_Partname120b) + } + if ($null -ne 
$policySettings.DeviceSettings.iZ_PolicyAllowTDCControl_Both_Restricted) { + $complexDeviceSettings.Add('IZ_PolicyAllowTDCControl_Both_Restricted', $policySettings.DeviceSettings.iZ_PolicyAllowTDCControl_Both_Restricted) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowTDCControl_Both_Restricted_IZ_Partname120c) { + $complexDeviceSettings.Add('IZ_PolicyAllowTDCControl_Both_Restricted_IZ_Partname120c', $policySettings.DeviceSettings.iZ_PolicyAllowTDCControl_Both_Restricted_IZ_Partname120c) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyWindowsRestrictionsURLaction_7) { + $complexDeviceSettings.Add('IZ_PolicyWindowsRestrictionsURLaction_7', $policySettings.DeviceSettings.iZ_PolicyWindowsRestrictionsURLaction_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyWindowsRestrictionsURLaction_7_IZ_Partname2102) { + $complexDeviceSettings.Add('IZ_PolicyWindowsRestrictionsURLaction_7_IZ_Partname2102', $policySettings.DeviceSettings.iZ_PolicyWindowsRestrictionsURLaction_7_IZ_Partname2102) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_WebBrowserControl_7) { + $complexDeviceSettings.Add('IZ_Policy_WebBrowserControl_7', $policySettings.DeviceSettings.iZ_Policy_WebBrowserControl_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_WebBrowserControl_7_IZ_Partname1206) { + $complexDeviceSettings.Add('IZ_Policy_WebBrowserControl_7_IZ_Partname1206', $policySettings.DeviceSettings.iZ_Policy_WebBrowserControl_7_IZ_Partname1206) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_AllowScriptlets_7) { + $complexDeviceSettings.Add('IZ_Policy_AllowScriptlets_7', $policySettings.DeviceSettings.iZ_Policy_AllowScriptlets_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_AllowScriptlets_7_IZ_Partname1209) { + $complexDeviceSettings.Add('IZ_Policy_AllowScriptlets_7_IZ_Partname1209', $policySettings.DeviceSettings.iZ_Policy_AllowScriptlets_7_IZ_Partname1209) + } + if ($null -ne 
$policySettings.DeviceSettings.iZ_Policy_ScriptStatusBar_7) { + $complexDeviceSettings.Add('IZ_Policy_ScriptStatusBar_7', $policySettings.DeviceSettings.iZ_Policy_ScriptStatusBar_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_ScriptStatusBar_7_IZ_Partname2103) { + $complexDeviceSettings.Add('IZ_Policy_ScriptStatusBar_7_IZ_Partname2103', $policySettings.DeviceSettings.iZ_Policy_ScriptStatusBar_7_IZ_Partname2103) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowVBScript_7) { + $complexDeviceSettings.Add('IZ_PolicyAllowVBScript_7', $policySettings.DeviceSettings.iZ_PolicyAllowVBScript_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAllowVBScript_7_IZ_Partname140C) { + $complexDeviceSettings.Add('IZ_PolicyAllowVBScript_7_IZ_Partname140C', $policySettings.DeviceSettings.iZ_PolicyAllowVBScript_7_IZ_Partname140C) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyNotificationBarDownloadURLaction_7) { + $complexDeviceSettings.Add('IZ_PolicyNotificationBarDownloadURLaction_7', $policySettings.DeviceSettings.iZ_PolicyNotificationBarDownloadURLaction_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyNotificationBarDownloadURLaction_7_IZ_Partname2200) { + $complexDeviceSettings.Add('IZ_PolicyNotificationBarDownloadURLaction_7_IZ_Partname2200', $policySettings.DeviceSettings.iZ_PolicyNotificationBarDownloadURLaction_7_IZ_Partname2200) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_7) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_7', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_7_IZ_Partname270C) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_7_IZ_Partname270C', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_7_IZ_Partname270C) + } + if 
($null -ne $policySettings.DeviceSettings.iZ_PolicyDownloadSignedActiveX_7) { + $complexDeviceSettings.Add('IZ_PolicyDownloadSignedActiveX_7', $policySettings.DeviceSettings.iZ_PolicyDownloadSignedActiveX_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDownloadSignedActiveX_7_IZ_Partname1001) { + $complexDeviceSettings.Add('IZ_PolicyDownloadSignedActiveX_7_IZ_Partname1001', $policySettings.DeviceSettings.iZ_PolicyDownloadSignedActiveX_7_IZ_Partname1001) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDownloadUnsignedActiveX_7) { + $complexDeviceSettings.Add('IZ_PolicyDownloadUnsignedActiveX_7', $policySettings.DeviceSettings.iZ_PolicyDownloadUnsignedActiveX_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDownloadUnsignedActiveX_7_IZ_Partname1004) { + $complexDeviceSettings.Add('IZ_PolicyDownloadUnsignedActiveX_7_IZ_Partname1004', $policySettings.DeviceSettings.iZ_PolicyDownloadUnsignedActiveX_7_IZ_Partname1004) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted) { + $complexDeviceSettings.Add('IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted', $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted_IZ_Partname2709) { + $complexDeviceSettings.Add('IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted_IZ_Partname2709', $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted_IZ_Partname2709) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted) { + $complexDeviceSettings.Add('IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted', $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted) + } + if ($null -ne 
$policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted_IZ_Partname2708) { + $complexDeviceSettings.Add('IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted_IZ_Partname2708', $policySettings.DeviceSettings.iZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted_IZ_Partname2708) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_LocalPathForUpload_7) { + $complexDeviceSettings.Add('IZ_Policy_LocalPathForUpload_7', $policySettings.DeviceSettings.iZ_Policy_LocalPathForUpload_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_LocalPathForUpload_7_IZ_Partname160A) { + $complexDeviceSettings.Add('IZ_Policy_LocalPathForUpload_7_IZ_Partname160A', $policySettings.DeviceSettings.iZ_Policy_LocalPathForUpload_7_IZ_Partname160A) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_7) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXNotMarkedSafe_7', $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_7_IZ_Partname1201) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXNotMarkedSafe_7_IZ_Partname1201', $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_7_IZ_Partname1201) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_7) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_7', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_7_IZ_Partname1C00) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_7_IZ_Partname1C00', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_7_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyLaunchAppsAndFilesInIFRAME_7) { + $complexDeviceSettings.Add('IZ_PolicyLaunchAppsAndFilesInIFRAME_7', $policySettings.DeviceSettings.iZ_PolicyLaunchAppsAndFilesInIFRAME_7) + } + if ($null 
-ne $policySettings.DeviceSettings.iZ_PolicyLaunchAppsAndFilesInIFRAME_7_IZ_Partname1804) { + $complexDeviceSettings.Add('IZ_PolicyLaunchAppsAndFilesInIFRAME_7_IZ_Partname1804', $policySettings.DeviceSettings.iZ_PolicyLaunchAppsAndFilesInIFRAME_7_IZ_Partname1804) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyLogon_7) { + $complexDeviceSettings.Add('IZ_PolicyLogon_7', $policySettings.DeviceSettings.iZ_PolicyLogon_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyLogon_7_IZ_Partname1A00) { + $complexDeviceSettings.Add('IZ_PolicyLogon_7_IZ_Partname1A00', $policySettings.DeviceSettings.iZ_PolicyLogon_7_IZ_Partname1A00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyNavigateSubframesAcrossDomains_7) { + $complexDeviceSettings.Add('IZ_PolicyNavigateSubframesAcrossDomains_7', $policySettings.DeviceSettings.iZ_PolicyNavigateSubframesAcrossDomains_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyNavigateSubframesAcrossDomains_7_IZ_Partname1607) { + $complexDeviceSettings.Add('IZ_PolicyNavigateSubframesAcrossDomains_7_IZ_Partname1607', $policySettings.DeviceSettings.iZ_PolicyNavigateSubframesAcrossDomains_7_IZ_Partname1607) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyUnsignedFrameworkComponentsURLaction_7) { + $complexDeviceSettings.Add('IZ_PolicyUnsignedFrameworkComponentsURLaction_7', $policySettings.DeviceSettings.iZ_PolicyUnsignedFrameworkComponentsURLaction_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyUnsignedFrameworkComponentsURLaction_7_IZ_Partname2004) { + $complexDeviceSettings.Add('IZ_PolicyUnsignedFrameworkComponentsURLaction_7_IZ_Partname2004', $policySettings.DeviceSettings.iZ_PolicyUnsignedFrameworkComponentsURLaction_7_IZ_Partname2004) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicySignedFrameworkComponentsURLaction_7) { + $complexDeviceSettings.Add('IZ_PolicySignedFrameworkComponentsURLaction_7', 
$policySettings.DeviceSettings.iZ_PolicySignedFrameworkComponentsURLaction_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicySignedFrameworkComponentsURLaction_7_IZ_Partname2001) { + $complexDeviceSettings.Add('IZ_PolicySignedFrameworkComponentsURLaction_7_IZ_Partname2001', $policySettings.DeviceSettings.iZ_PolicySignedFrameworkComponentsURLaction_7_IZ_Partname2001) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyRunActiveXControls_7) { + $complexDeviceSettings.Add('IZ_PolicyRunActiveXControls_7', $policySettings.DeviceSettings.iZ_PolicyRunActiveXControls_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Partname1200) { + $complexDeviceSettings.Add('IZ_Partname1200', $policySettings.DeviceSettings.iZ_Partname1200) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXMarkedSafe_7) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXMarkedSafe_7', $policySettings.DeviceSettings.iZ_PolicyScriptActiveXMarkedSafe_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Partname1405) { + $complexDeviceSettings.Add('IZ_Partname1405', $policySettings.DeviceSettings.iZ_Partname1405) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptingOfJavaApplets_7) { + $complexDeviceSettings.Add('IZ_PolicyScriptingOfJavaApplets_7', $policySettings.DeviceSettings.iZ_PolicyScriptingOfJavaApplets_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Partname1402) { + $complexDeviceSettings.Add('IZ_Partname1402', $policySettings.DeviceSettings.iZ_Partname1402) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_UnsafeFiles_7) { + $complexDeviceSettings.Add('IZ_Policy_UnsafeFiles_7', $policySettings.DeviceSettings.iZ_Policy_UnsafeFiles_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_UnsafeFiles_7_IZ_Partname1806) { + $complexDeviceSettings.Add('IZ_Policy_UnsafeFiles_7_IZ_Partname1806', $policySettings.DeviceSettings.iZ_Policy_UnsafeFiles_7_IZ_Partname1806) + } + if ($null -ne 
$policySettings.DeviceSettings.iZ_PolicyTurnOnXSSFilter_Both_Restricted) { + $complexDeviceSettings.Add('IZ_PolicyTurnOnXSSFilter_Both_Restricted', $policySettings.DeviceSettings.iZ_PolicyTurnOnXSSFilter_Both_Restricted) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyTurnOnXSSFilter_Both_Restricted_IZ_Partname1409) { + $complexDeviceSettings.Add('IZ_PolicyTurnOnXSSFilter_Both_Restricted_IZ_Partname1409', $policySettings.DeviceSettings.iZ_PolicyTurnOnXSSFilter_Both_Restricted_IZ_Partname1409) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_TurnOnProtectedMode_7) { + $complexDeviceSettings.Add('IZ_Policy_TurnOnProtectedMode_7', $policySettings.DeviceSettings.iZ_Policy_TurnOnProtectedMode_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_TurnOnProtectedMode_7_IZ_Partname2500) { + $complexDeviceSettings.Add('IZ_Policy_TurnOnProtectedMode_7_IZ_Partname2500', $policySettings.DeviceSettings.iZ_Policy_TurnOnProtectedMode_7_IZ_Partname2500) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_Phishing_7) { + $complexDeviceSettings.Add('IZ_Policy_Phishing_7', $policySettings.DeviceSettings.iZ_Policy_Phishing_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_Policy_Phishing_7_IZ_Partname2301) { + $complexDeviceSettings.Add('IZ_Policy_Phishing_7_IZ_Partname2301', $policySettings.DeviceSettings.iZ_Policy_Phishing_7_IZ_Partname2301) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyBlockPopupWindows_7) { + $complexDeviceSettings.Add('IZ_PolicyBlockPopupWindows_7', $policySettings.DeviceSettings.iZ_PolicyBlockPopupWindows_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyBlockPopupWindows_7_IZ_Partname1809) { + $complexDeviceSettings.Add('IZ_PolicyBlockPopupWindows_7_IZ_Partname1809', $policySettings.DeviceSettings.iZ_PolicyBlockPopupWindows_7_IZ_Partname1809) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyUserdataPersistence_7) { + 
$complexDeviceSettings.Add('IZ_PolicyUserdataPersistence_7', $policySettings.DeviceSettings.iZ_PolicyUserdataPersistence_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyUserdataPersistence_7_IZ_Partname1606) { + $complexDeviceSettings.Add('IZ_PolicyUserdataPersistence_7_IZ_Partname1606', $policySettings.DeviceSettings.iZ_PolicyUserdataPersistence_7_IZ_Partname1606) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyZoneElevationURLaction_7) { + $complexDeviceSettings.Add('IZ_PolicyZoneElevationURLaction_7', $policySettings.DeviceSettings.iZ_PolicyZoneElevationURLaction_7) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyZoneElevationURLaction_7_IZ_Partname2101) { + $complexDeviceSettings.Add('IZ_PolicyZoneElevationURLaction_7_IZ_Partname2101', $policySettings.DeviceSettings.iZ_PolicyZoneElevationURLaction_7_IZ_Partname2101) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_5) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_5', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_5) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_5_IZ_Partname270C) { + $complexDeviceSettings.Add('IZ_PolicyAntiMalwareCheckingOfActiveXControls_5_IZ_Partname270C', $policySettings.DeviceSettings.iZ_PolicyAntiMalwareCheckingOfActiveXControls_5_IZ_Partname270C) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_5) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXNotMarkedSafe_5', $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_5) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_5_IZ_Partname1201) { + $complexDeviceSettings.Add('IZ_PolicyScriptActiveXNotMarkedSafe_5_IZ_Partname1201', $policySettings.DeviceSettings.iZ_PolicyScriptActiveXNotMarkedSafe_5_IZ_Partname1201) + } + if ($null -ne 
$policySettings.DeviceSettings.iZ_PolicyJavaPermissions_5) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_5', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_5) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_5_IZ_Partname1C00) { + $complexDeviceSettings.Add('IZ_PolicyJavaPermissions_5_IZ_Partname1C00', $policySettings.DeviceSettings.iZ_PolicyJavaPermissions_5_IZ_Partname1C00) + } + if ($null -ne $policySettings.DeviceSettings.iZ_PolicyWarnCertMismatch) { + $complexDeviceSettings.Add('IZ_PolicyWarnCertMismatch', $policySettings.DeviceSettings.iZ_PolicyWarnCertMismatch) + } + if ($null -ne $policySettings.DeviceSettings.disableSafetyFilterOverride) { + $complexDeviceSettings.Add('DisableSafetyFilterOverride', $policySettings.DeviceSettings.disableSafetyFilterOverride) + } + if ($null -ne $policySettings.DeviceSettings.disableSafetyFilterOverrideForAppRepUnknown) { + $complexDeviceSettings.Add('DisableSafetyFilterOverrideForAppRepUnknown', $policySettings.DeviceSettings.disableSafetyFilterOverrideForAppRepUnknown) + } + if ($null -ne $policySettings.DeviceSettings.disable_Managing_Safety_Filter_IE9) { + $complexDeviceSettings.Add('Disable_Managing_Safety_Filter_IE9', $policySettings.DeviceSettings.disable_Managing_Safety_Filter_IE9) + } + if ($null -ne $policySettings.DeviceSettings.iE9SafetyFilterOptions) { + $complexDeviceSettings.Add('IE9SafetyFilterOptions', $policySettings.DeviceSettings.iE9SafetyFilterOptions) + } + if ($null -ne $policySettings.DeviceSettings.disablePerUserActiveXInstall) { + $complexDeviceSettings.Add('DisablePerUserActiveXInstall', $policySettings.DeviceSettings.disablePerUserActiveXInstall) + } + if ($null -ne $policySettings.DeviceSettings.verMgmtDisableRunThisTime) { + $complexDeviceSettings.Add('VerMgmtDisableRunThisTime', $policySettings.DeviceSettings.verMgmtDisableRunThisTime) + } + if ($null -ne $policySettings.DeviceSettings.verMgmtDisable) { + 
$complexDeviceSettings.Add('VerMgmtDisable', $policySettings.DeviceSettings.verMgmtDisable) + } + if ($null -ne $policySettings.DeviceSettings.advanced_EnableSSL3Fallback) { + $complexDeviceSettings.Add('Advanced_EnableSSL3Fallback', $policySettings.DeviceSettings.advanced_EnableSSL3Fallback) + } + if ($null -ne $policySettings.DeviceSettings.advanced_EnableSSL3FallbackOptions) { + $complexDeviceSettings.Add('Advanced_EnableSSL3FallbackOptions', $policySettings.DeviceSettings.advanced_EnableSSL3FallbackOptions) + } + if ($null -ne $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_5) { + $complexDeviceSettings.Add('IESF_PolicyExplorerProcesses_5', $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_5) + } + if ($null -ne $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_6) { + $complexDeviceSettings.Add('IESF_PolicyExplorerProcesses_6', $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_6) + } + if ($null -ne $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_3) { + $complexDeviceSettings.Add('IESF_PolicyExplorerProcesses_3', $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_3) + } + if ($null -ne $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_10) { + $complexDeviceSettings.Add('IESF_PolicyExplorerProcesses_10', $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_10) + } + if ($null -ne $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_9) { + $complexDeviceSettings.Add('IESF_PolicyExplorerProcesses_9', $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_9) + } + if ($null -ne $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_11) { + $complexDeviceSettings.Add('IESF_PolicyExplorerProcesses_11', $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_11) + } + if ($null -ne $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_12) { + $complexDeviceSettings.Add('IESF_PolicyExplorerProcesses_12', 
$policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_12) + } + if ($null -ne $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_8) { + $complexDeviceSettings.Add('IESF_PolicyExplorerProcesses_8', $policySettings.DeviceSettings.iESF_PolicyExplorerProcesses_8) + } + if ($null -ne $policySettings.DeviceSettings.security_zones_map_edit) { + $complexDeviceSettings.Add('Security_zones_map_edit', $policySettings.DeviceSettings.security_zones_map_edit) + } + if ($null -ne $policySettings.DeviceSettings.security_options_edit) { + $complexDeviceSettings.Add('Security_options_edit', $policySettings.DeviceSettings.security_options_edit) + } + if ($null -ne $policySettings.DeviceSettings.security_HKLM_only) { + $complexDeviceSettings.Add('Security_HKLM_only', $policySettings.DeviceSettings.security_HKLM_only) + } + if ($null -ne $policySettings.DeviceSettings.onlyUseAXISForActiveXInstall) { + $complexDeviceSettings.Add('OnlyUseAXISForActiveXInstall', $policySettings.DeviceSettings.onlyUseAXISForActiveXInstall) + } + if ($null -ne $policySettings.DeviceSettings.addonManagement_RestrictCrashDetection) { + $complexDeviceSettings.Add('AddonManagement_RestrictCrashDetection', $policySettings.DeviceSettings.addonManagement_RestrictCrashDetection) + } + if ($null -ne $policySettings.DeviceSettings.disable_Security_Settings_Check) { + $complexDeviceSettings.Add('Disable_Security_Settings_Check', $policySettings.DeviceSettings.disable_Security_Settings_Check) + } + if ($null -ne $policySettings.DeviceSettings.disableBlockAtFirstSeen) { + $complexDeviceSettings.Add('DisableBlockAtFirstSeen', $policySettings.DeviceSettings.disableBlockAtFirstSeen) + } + if ($null -ne $policySettings.DeviceSettings.realtimeProtection_DisableScanOnRealtimeEnable) { + $complexDeviceSettings.Add('RealtimeProtection_DisableScanOnRealtimeEnable', $policySettings.DeviceSettings.realtimeProtection_DisableScanOnRealtimeEnable) + } + if ($null -ne 
$policySettings.DeviceSettings.scan_DisablePackedExeScanning) { + $complexDeviceSettings.Add('Scan_DisablePackedExeScanning', $policySettings.DeviceSettings.scan_DisablePackedExeScanning) + } + if ($null -ne $policySettings.DeviceSettings.disableRoutinelyTakingAction) { + $complexDeviceSettings.Add('DisableRoutinelyTakingAction', $policySettings.DeviceSettings.disableRoutinelyTakingAction) + } + if ($null -ne $policySettings.DeviceSettings.tS_CLIENT_DISABLE_PASSWORD_SAVING_2) { + $complexDeviceSettings.Add('TS_CLIENT_DISABLE_PASSWORD_SAVING_2', $policySettings.DeviceSettings.tS_CLIENT_DISABLE_PASSWORD_SAVING_2) + } + if ($null -ne $policySettings.DeviceSettings.tS_CLIENT_DRIVE_M) { + $complexDeviceSettings.Add('TS_CLIENT_DRIVE_M', $policySettings.DeviceSettings.tS_CLIENT_DRIVE_M) + } + if ($null -ne $policySettings.DeviceSettings.tS_PASSWORD) { + $complexDeviceSettings.Add('TS_PASSWORD', $policySettings.DeviceSettings.tS_PASSWORD) + } + if ($null -ne $policySettings.DeviceSettings.tS_RPC_ENCRYPTION) { + $complexDeviceSettings.Add('TS_RPC_ENCRYPTION', $policySettings.DeviceSettings.tS_RPC_ENCRYPTION) + } + if ($null -ne $policySettings.DeviceSettings.tS_ENCRYPTION_POLICY) { + $complexDeviceSettings.Add('TS_ENCRYPTION_POLICY', $policySettings.DeviceSettings.tS_ENCRYPTION_POLICY) + } + if ($null -ne $policySettings.DeviceSettings.tS_ENCRYPTION_LEVEL) { + $complexDeviceSettings.Add('TS_ENCRYPTION_LEVEL', $policySettings.DeviceSettings.tS_ENCRYPTION_LEVEL) + } + if ($null -ne $policySettings.DeviceSettings.disable_Downloading_of_Enclosures) { + $complexDeviceSettings.Add('Disable_Downloading_of_Enclosures', $policySettings.DeviceSettings.disable_Downloading_of_Enclosures) + } + if ($null -ne $policySettings.DeviceSettings.enableMPRNotifications) { + $complexDeviceSettings.Add('EnableMPRNotifications', $policySettings.DeviceSettings.enableMPRNotifications) + } + if ($null -ne $policySettings.DeviceSettings.automaticRestartSignOn) { + 
$complexDeviceSettings.Add('AutomaticRestartSignOn', $policySettings.DeviceSettings.automaticRestartSignOn) + } + if ($null -ne $policySettings.DeviceSettings.enableScriptBlockLogging) { + $complexDeviceSettings.Add('EnableScriptBlockLogging', $policySettings.DeviceSettings.enableScriptBlockLogging) + } + if ($null -ne $policySettings.DeviceSettings.enableScriptBlockInvocationLogging) { + $complexDeviceSettings.Add('EnableScriptBlockInvocationLogging', $policySettings.DeviceSettings.enableScriptBlockInvocationLogging) + } + if ($null -ne $policySettings.DeviceSettings.allowBasic_2) { + $complexDeviceSettings.Add('AllowBasic_2', $policySettings.DeviceSettings.allowBasic_2) + } + if ($null -ne $policySettings.DeviceSettings.allowUnencrypted_2) { + $complexDeviceSettings.Add('AllowUnencrypted_2', $policySettings.DeviceSettings.allowUnencrypted_2) + } + if ($null -ne $policySettings.DeviceSettings.disallowDigest) { + $complexDeviceSettings.Add('DisallowDigest', $policySettings.DeviceSettings.disallowDigest) + } + if ($null -ne $policySettings.DeviceSettings.allowBasic_1) { + $complexDeviceSettings.Add('AllowBasic_1', $policySettings.DeviceSettings.allowBasic_1) + } + if ($null -ne $policySettings.DeviceSettings.allowUnencrypted_1) { + $complexDeviceSettings.Add('AllowUnencrypted_1', $policySettings.DeviceSettings.allowUnencrypted_1) + } + if ($null -ne $policySettings.DeviceSettings.disableRunAs) { + $complexDeviceSettings.Add('DisableRunAs', $policySettings.DeviceSettings.disableRunAs) + } + if ($null -ne $policySettings.DeviceSettings.accountLogon_AuditCredentialValidation) { + $complexDeviceSettings.Add('AccountLogon_AuditCredentialValidation', $policySettings.DeviceSettings.accountLogon_AuditCredentialValidation) + } + if ($null -ne $policySettings.DeviceSettings.accountLogonLogoff_AuditAccountLockout) { + $complexDeviceSettings.Add('AccountLogonLogoff_AuditAccountLockout', $policySettings.DeviceSettings.accountLogonLogoff_AuditAccountLockout) + } + if ($null -ne 
$policySettings.DeviceSettings.accountLogonLogoff_AuditGroupMembership) { + $complexDeviceSettings.Add('AccountLogonLogoff_AuditGroupMembership', $policySettings.DeviceSettings.accountLogonLogoff_AuditGroupMembership) + } + if ($null -ne $policySettings.DeviceSettings.accountLogonLogoff_AuditLogon) { + $complexDeviceSettings.Add('AccountLogonLogoff_AuditLogon', $policySettings.DeviceSettings.accountLogonLogoff_AuditLogon) + } + if ($null -ne $policySettings.DeviceSettings.policyChange_AuditAuthenticationPolicyChange) { + $complexDeviceSettings.Add('PolicyChange_AuditAuthenticationPolicyChange', $policySettings.DeviceSettings.policyChange_AuditAuthenticationPolicyChange) + } + if ($null -ne $policySettings.DeviceSettings.policyChange_AuditPolicyChange) { + $complexDeviceSettings.Add('PolicyChange_AuditPolicyChange', $policySettings.DeviceSettings.policyChange_AuditPolicyChange) + } + if ($null -ne $policySettings.DeviceSettings.objectAccess_AuditFileShare) { + $complexDeviceSettings.Add('ObjectAccess_AuditFileShare', $policySettings.DeviceSettings.objectAccess_AuditFileShare) + } + if ($null -ne $policySettings.DeviceSettings.accountLogonLogoff_AuditOtherLogonLogoffEvents) { + $complexDeviceSettings.Add('AccountLogonLogoff_AuditOtherLogonLogoffEvents', $policySettings.DeviceSettings.accountLogonLogoff_AuditOtherLogonLogoffEvents) + } + if ($null -ne $policySettings.DeviceSettings.accountManagement_AuditSecurityGroupManagement) { + $complexDeviceSettings.Add('AccountManagement_AuditSecurityGroupManagement', $policySettings.DeviceSettings.accountManagement_AuditSecurityGroupManagement) + } + if ($null -ne $policySettings.DeviceSettings.system_AuditSecuritySystemExtension) { + $complexDeviceSettings.Add('System_AuditSecuritySystemExtension', $policySettings.DeviceSettings.system_AuditSecuritySystemExtension) + } + if ($null -ne $policySettings.DeviceSettings.accountLogonLogoff_AuditSpecialLogon) { + $complexDeviceSettings.Add('AccountLogonLogoff_AuditSpecialLogon', 
$policySettings.DeviceSettings.accountLogonLogoff_AuditSpecialLogon) + } + if ($null -ne $policySettings.DeviceSettings.accountManagement_AuditUserAccountManagement) { + $complexDeviceSettings.Add('AccountManagement_AuditUserAccountManagement', $policySettings.DeviceSettings.accountManagement_AuditUserAccountManagement) + } + if ($null -ne $policySettings.DeviceSettings.detailedTracking_AuditPNPActivity) { + $complexDeviceSettings.Add('DetailedTracking_AuditPNPActivity', $policySettings.DeviceSettings.detailedTracking_AuditPNPActivity) + } + if ($null -ne $policySettings.DeviceSettings.detailedTracking_AuditProcessCreation) { + $complexDeviceSettings.Add('DetailedTracking_AuditProcessCreation', $policySettings.DeviceSettings.detailedTracking_AuditProcessCreation) + } + if ($null -ne $policySettings.DeviceSettings.objectAccess_AuditDetailedFileShare) { + $complexDeviceSettings.Add('ObjectAccess_AuditDetailedFileShare', $policySettings.DeviceSettings.objectAccess_AuditDetailedFileShare) + } + if ($null -ne $policySettings.DeviceSettings.objectAccess_AuditOtherObjectAccessEvents) { + $complexDeviceSettings.Add('ObjectAccess_AuditOtherObjectAccessEvents', $policySettings.DeviceSettings.objectAccess_AuditOtherObjectAccessEvents) + } + if ($null -ne $policySettings.DeviceSettings.objectAccess_AuditRemovableStorage) { + $complexDeviceSettings.Add('ObjectAccess_AuditRemovableStorage', $policySettings.DeviceSettings.objectAccess_AuditRemovableStorage) + } + if ($null -ne $policySettings.DeviceSettings.policyChange_AuditMPSSVCRuleLevelPolicyChange) { + $complexDeviceSettings.Add('PolicyChange_AuditMPSSVCRuleLevelPolicyChange', $policySettings.DeviceSettings.policyChange_AuditMPSSVCRuleLevelPolicyChange) + } + if ($null -ne $policySettings.DeviceSettings.policyChange_AuditOtherPolicyChangeEvents) { + $complexDeviceSettings.Add('PolicyChange_AuditOtherPolicyChangeEvents', $policySettings.DeviceSettings.policyChange_AuditOtherPolicyChangeEvents) + } + if ($null -ne 
$policySettings.DeviceSettings.privilegeUse_AuditSensitivePrivilegeUse) { + $complexDeviceSettings.Add('PrivilegeUse_AuditSensitivePrivilegeUse', $policySettings.DeviceSettings.privilegeUse_AuditSensitivePrivilegeUse) + } + if ($null -ne $policySettings.DeviceSettings.system_AuditOtherSystemEvents) { + $complexDeviceSettings.Add('System_AuditOtherSystemEvents', $policySettings.DeviceSettings.system_AuditOtherSystemEvents) + } + if ($null -ne $policySettings.DeviceSettings.system_AuditSecurityStateChange) { + $complexDeviceSettings.Add('System_AuditSecurityStateChange', $policySettings.DeviceSettings.system_AuditSecurityStateChange) + } + if ($null -ne $policySettings.DeviceSettings.system_AuditSystemIntegrity) { + $complexDeviceSettings.Add('System_AuditSystemIntegrity', $policySettings.DeviceSettings.system_AuditSystemIntegrity) + } + if ($null -ne $policySettings.DeviceSettings.allowPasswordManager) { + $complexDeviceSettings.Add('AllowPasswordManager', $policySettings.DeviceSettings.allowPasswordManager) + } + if ($null -ne $policySettings.DeviceSettings.allowSmartScreen) { + $complexDeviceSettings.Add('AllowSmartScreen', $policySettings.DeviceSettings.allowSmartScreen) + } + if ($null -ne $policySettings.DeviceSettings.preventCertErrorOverrides) { + $complexDeviceSettings.Add('PreventCertErrorOverrides', $policySettings.DeviceSettings.preventCertErrorOverrides) + } + if ($null -ne $policySettings.DeviceSettings.browser_PreventSmartScreenPromptOverride) { + $complexDeviceSettings.Add('Browser_PreventSmartScreenPromptOverride', $policySettings.DeviceSettings.browser_PreventSmartScreenPromptOverride) + } + if ($null -ne $policySettings.DeviceSettings.preventSmartScreenPromptOverrideForFiles) { + $complexDeviceSettings.Add('PreventSmartScreenPromptOverrideForFiles', $policySettings.DeviceSettings.preventSmartScreenPromptOverrideForFiles) + } + if ($null -ne $policySettings.DeviceSettings.allowDirectMemoryAccess) { + 
$complexDeviceSettings.Add('AllowDirectMemoryAccess', $policySettings.DeviceSettings.allowDirectMemoryAccess) + } + if ($null -ne $policySettings.DeviceSettings.allowArchiveScanning) { + $complexDeviceSettings.Add('AllowArchiveScanning', $policySettings.DeviceSettings.allowArchiveScanning) + } + if ($null -ne $policySettings.DeviceSettings.allowBehaviorMonitoring) { + $complexDeviceSettings.Add('AllowBehaviorMonitoring', $policySettings.DeviceSettings.allowBehaviorMonitoring) + } + if ($null -ne $policySettings.DeviceSettings.allowCloudProtection) { + $complexDeviceSettings.Add('AllowCloudProtection', $policySettings.DeviceSettings.allowCloudProtection) + } + if ($null -ne $policySettings.DeviceSettings.allowFullScanRemovableDriveScanning) { + $complexDeviceSettings.Add('AllowFullScanRemovableDriveScanning', $policySettings.DeviceSettings.allowFullScanRemovableDriveScanning) + } + if ($null -ne $policySettings.DeviceSettings.allowOnAccessProtection) { + $complexDeviceSettings.Add('AllowOnAccessProtection', $policySettings.DeviceSettings.allowOnAccessProtection) + } + if ($null -ne $policySettings.DeviceSettings.allowRealtimeMonitoring) { + $complexDeviceSettings.Add('AllowRealtimeMonitoring', $policySettings.DeviceSettings.allowRealtimeMonitoring) + } + if ($null -ne $policySettings.DeviceSettings.allowIOAVProtection) { + $complexDeviceSettings.Add('AllowIOAVProtection', $policySettings.DeviceSettings.allowIOAVProtection) + } + if ($null -ne $policySettings.DeviceSettings.allowScriptScanning) { + $complexDeviceSettings.Add('AllowScriptScanning', $policySettings.DeviceSettings.allowScriptScanning) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) { + $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) 
{ + $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) { + $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) + } + if ($null -ne $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) { + $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion', $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) { + $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + 
$complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) { + $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) { + $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) { + $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) + } + if ($null -ne $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) { + 
$complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) { + $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) + } + if ($null -ne $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockWebshellCreationForServers) { + $complexDeviceSettings.Add('BlockWebshellCreationForServers', $policySettings.DeviceSettings.blockWebshellCreationForServers) + } + if ($null -ne $policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockWebshellCreationForServers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) { + $complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) + } + if ($null -ne $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) { + $complexDeviceSettings.Add('BlockPersistenceThroughWMIEventSubscription', $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) + } + if ($null -ne $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) { + $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) + } + if ($null -ne $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) { + $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) + } + if ($null -ne $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) { + $complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) + } + if ($null -ne $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) { + $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) { + $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockRebootingMachineInSafeMode) { + $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode) + } + if ($null -ne $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) { + 
$complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) + } + if ($null -ne $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) { + $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) { + $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.cloudBlockLevel) { + $complexDeviceSettings.Add('CloudBlockLevel', $policySettings.DeviceSettings.cloudBlockLevel) + } + if ($null -ne $policySettings.DeviceSettings.cloudExtendedTimeout) { + $complexDeviceSettings.Add('CloudExtendedTimeout', $policySettings.DeviceSettings.cloudExtendedTimeout) + } + if ($null -ne $policySettings.DeviceSettings.disableLocalAdminMerge) { + $complexDeviceSettings.Add('DisableLocalAdminMerge', $policySettings.DeviceSettings.disableLocalAdminMerge) + } + if ($null -ne $policySettings.DeviceSettings.enableFileHashComputation) { + $complexDeviceSettings.Add('EnableFileHashComputation', $policySettings.DeviceSettings.enableFileHashComputation) + } + if ($null -ne $policySettings.DeviceSettings.enableNetworkProtection) { + $complexDeviceSettings.Add('EnableNetworkProtection', $policySettings.DeviceSettings.enableNetworkProtection) + } + if ($null -ne 
$policySettings.DeviceSettings.hideExclusionsFromLocalAdmins) { + $complexDeviceSettings.Add('HideExclusionsFromLocalAdmins', $policySettings.DeviceSettings.hideExclusionsFromLocalAdmins) + } + if ($null -ne $policySettings.DeviceSettings.pUAProtection) { + $complexDeviceSettings.Add('PUAProtection', $policySettings.DeviceSettings.pUAProtection) + } + if ($null -ne $policySettings.DeviceSettings.realTimeScanDirection) { + $complexDeviceSettings.Add('RealTimeScanDirection', $policySettings.DeviceSettings.realTimeScanDirection) + } + if ($null -ne $policySettings.DeviceSettings.submitSamplesConsent) { + $complexDeviceSettings.Add('SubmitSamplesConsent', $policySettings.DeviceSettings.submitSamplesConsent) + } + if ($null -ne $policySettings.DeviceSettings.configureSystemGuardLaunch) { + $complexDeviceSettings.Add('ConfigureSystemGuardLaunch', $policySettings.DeviceSettings.configureSystemGuardLaunch) + } + if ($null -ne $policySettings.DeviceSettings.lsaCfgFlags) { + $complexDeviceSettings.Add('LsaCfgFlags', $policySettings.DeviceSettings.lsaCfgFlags) + } + if ($null -ne $policySettings.DeviceSettings.enableVirtualizationBasedSecurity) { + $complexDeviceSettings.Add('EnableVirtualizationBasedSecurity', $policySettings.DeviceSettings.enableVirtualizationBasedSecurity) + } + if ($null -ne $policySettings.DeviceSettings.requirePlatformSecurityFeatures) { + $complexDeviceSettings.Add('RequirePlatformSecurityFeatures', $policySettings.DeviceSettings.requirePlatformSecurityFeatures) + } + if ($null -ne $policySettings.DeviceSettings.devicePasswordEnabled) { + $complexDeviceSettings.Add('DevicePasswordEnabled', $policySettings.DeviceSettings.devicePasswordEnabled) + } + if ($null -ne $policySettings.DeviceSettings.devicePasswordExpiration) { + $complexDeviceSettings.Add('DevicePasswordExpiration', $policySettings.DeviceSettings.devicePasswordExpiration) + } + if ($null -ne $policySettings.DeviceSettings.minDevicePasswordLength) { + 
$complexDeviceSettings.Add('MinDevicePasswordLength', $policySettings.DeviceSettings.minDevicePasswordLength) + } + if ($null -ne $policySettings.DeviceSettings.alphanumericDevicePasswordRequired) { + $complexDeviceSettings.Add('AlphanumericDevicePasswordRequired', $policySettings.DeviceSettings.alphanumericDevicePasswordRequired) + } + if ($null -ne $policySettings.DeviceSettings.minDevicePasswordComplexCharacters) { + $complexDeviceSettings.Add('MinDevicePasswordComplexCharacters', $policySettings.DeviceSettings.minDevicePasswordComplexCharacters) + } + if ($null -ne $policySettings.DeviceSettings.maxDevicePasswordFailedAttempts) { + $complexDeviceSettings.Add('MaxDevicePasswordFailedAttempts', $policySettings.DeviceSettings.maxDevicePasswordFailedAttempts) + } + if ($null -ne $policySettings.DeviceSettings.maxInactivityTimeDeviceLock) { + $complexDeviceSettings.Add('MaxInactivityTimeDeviceLock', $policySettings.DeviceSettings.maxInactivityTimeDeviceLock) + } + if ($null -ne $policySettings.DeviceSettings.devicePasswordHistory) { + $complexDeviceSettings.Add('DevicePasswordHistory', $policySettings.DeviceSettings.devicePasswordHistory) + } + if ($null -ne $policySettings.DeviceSettings.allowSimpleDevicePassword) { + $complexDeviceSettings.Add('AllowSimpleDevicePassword', $policySettings.DeviceSettings.allowSimpleDevicePassword) + } + if ($null -ne $policySettings.DeviceSettings.deviceEnumerationPolicy) { + $complexDeviceSettings.Add('DeviceEnumerationPolicy', $policySettings.DeviceSettings.deviceEnumerationPolicy) + } + if ($null -ne $policySettings.DeviceSettings.enableInsecureGuestLogons) { + $complexDeviceSettings.Add('EnableInsecureGuestLogons', $policySettings.DeviceSettings.enableInsecureGuestLogons) + } + if ($null -ne $policySettings.DeviceSettings.accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly) { + $complexDeviceSettings.Add('Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly', 
$policySettings.DeviceSettings.accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly) + } + if ($null -ne $policySettings.DeviceSettings.interactiveLogon_MachineInactivityLimit) { + $complexDeviceSettings.Add('InteractiveLogon_MachineInactivityLimit', $policySettings.DeviceSettings.interactiveLogon_MachineInactivityLimit) + } + if ($null -ne $policySettings.DeviceSettings.interactiveLogon_SmartCardRemovalBehavior) { + $complexDeviceSettings.Add('InteractiveLogon_SmartCardRemovalBehavior', $policySettings.DeviceSettings.interactiveLogon_SmartCardRemovalBehavior) + } + if ($null -ne $policySettings.DeviceSettings.microsoftNetworkClient_DigitallySignCommunicationsAlways) { + $complexDeviceSettings.Add('MicrosoftNetworkClient_DigitallySignCommunicationsAlways', $policySettings.DeviceSettings.microsoftNetworkClient_DigitallySignCommunicationsAlways) + } + if ($null -ne $policySettings.DeviceSettings.microsoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers) { + $complexDeviceSettings.Add('MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers', $policySettings.DeviceSettings.microsoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers) + } + if ($null -ne $policySettings.DeviceSettings.microsoftNetworkServer_DigitallySignCommunicationsAlways) { + $complexDeviceSettings.Add('MicrosoftNetworkServer_DigitallySignCommunicationsAlways', $policySettings.DeviceSettings.microsoftNetworkServer_DigitallySignCommunicationsAlways) + } + if ($null -ne $policySettings.DeviceSettings.networkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts) { + $complexDeviceSettings.Add('NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts', $policySettings.DeviceSettings.networkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts) + } + if ($null -ne $policySettings.DeviceSettings.networkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares) { + $complexDeviceSettings.Add('NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares', 
$policySettings.DeviceSettings.networkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares) + } + if ($null -ne $policySettings.DeviceSettings.networkAccess_RestrictAnonymousAccessToNamedPipesAndShares) { + $complexDeviceSettings.Add('NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares', $policySettings.DeviceSettings.networkAccess_RestrictAnonymousAccessToNamedPipesAndShares) + } + if ($null -ne $policySettings.DeviceSettings.networkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM) { + $complexDeviceSettings.Add('NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM', $policySettings.DeviceSettings.networkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM) + } + if ($null -ne $policySettings.DeviceSettings.networkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange) { + $complexDeviceSettings.Add('NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange', $policySettings.DeviceSettings.networkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange) + } + if ($null -ne $policySettings.DeviceSettings.networkSecurity_LANManagerAuthenticationLevel) { + $complexDeviceSettings.Add('NetworkSecurity_LANManagerAuthenticationLevel', $policySettings.DeviceSettings.networkSecurity_LANManagerAuthenticationLevel) + } + if ($null -ne $policySettings.DeviceSettings.networkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients) { + $complexDeviceSettings.Add('NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients', $policySettings.DeviceSettings.networkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients) + } + if ($null -ne $policySettings.DeviceSettings.networkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers) { + $complexDeviceSettings.Add('NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers', $policySettings.DeviceSettings.networkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers) + } + if ($null -ne $policySettings.DeviceSettings.userAccountControl_BehaviorOfTheElevationPromptForAdministrators) { + 
$complexDeviceSettings.Add('UserAccountControl_BehaviorOfTheElevationPromptForAdministrators', $policySettings.DeviceSettings.userAccountControl_BehaviorOfTheElevationPromptForAdministrators) + } + if ($null -ne $policySettings.DeviceSettings.userAccountControl_BehaviorOfTheElevationPromptForStandardUsers) { + $complexDeviceSettings.Add('UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers', $policySettings.DeviceSettings.userAccountControl_BehaviorOfTheElevationPromptForStandardUsers) + } + if ($null -ne $policySettings.DeviceSettings.userAccountControl_DetectApplicationInstallationsAndPromptForElevation) { + $complexDeviceSettings.Add('UserAccountControl_DetectApplicationInstallationsAndPromptForElevation', $policySettings.DeviceSettings.userAccountControl_DetectApplicationInstallationsAndPromptForElevation) + } + if ($null -ne $policySettings.DeviceSettings.userAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations) { + $complexDeviceSettings.Add('UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations', $policySettings.DeviceSettings.userAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations) + } + if ($null -ne $policySettings.DeviceSettings.userAccountControl_RunAllAdministratorsInAdminApprovalMode) { + $complexDeviceSettings.Add('UserAccountControl_RunAllAdministratorsInAdminApprovalMode', $policySettings.DeviceSettings.userAccountControl_RunAllAdministratorsInAdminApprovalMode) + } + if ($null -ne $policySettings.DeviceSettings.userAccountControl_UseAdminApprovalMode) { + $complexDeviceSettings.Add('UserAccountControl_UseAdminApprovalMode', $policySettings.DeviceSettings.userAccountControl_UseAdminApprovalMode) + } + if ($null -ne $policySettings.DeviceSettings.userAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations) { + $complexDeviceSettings.Add('UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations', 
$policySettings.DeviceSettings.userAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations) + } + if ($null -ne $policySettings.DeviceSettings.configureLsaProtectedProcess) { + $complexDeviceSettings.Add('ConfigureLsaProtectedProcess', $policySettings.DeviceSettings.configureLsaProtectedProcess) + } + if ($null -ne $policySettings.DeviceSettings.allowGameDVR) { + $complexDeviceSettings.Add('AllowGameDVR', $policySettings.DeviceSettings.allowGameDVR) + } + if ($null -ne $policySettings.DeviceSettings.mSIAllowUserControlOverInstall) { + $complexDeviceSettings.Add('MSIAllowUserControlOverInstall', $policySettings.DeviceSettings.mSIAllowUserControlOverInstall) + } + if ($null -ne $policySettings.DeviceSettings.mSIAlwaysInstallWithElevatedPrivileges) { + $complexDeviceSettings.Add('MSIAlwaysInstallWithElevatedPrivileges', $policySettings.DeviceSettings.mSIAlwaysInstallWithElevatedPrivileges) + } + if ($null -ne $policySettings.DeviceSettings.smartScreenEnabled) { + $complexDeviceSettings.Add('SmartScreenEnabled', $policySettings.DeviceSettings.smartScreenEnabled) + } + if ($null -ne $policySettings.DeviceSettings.smartScreen_PreventSmartScreenPromptOverride) { + $complexDeviceSettings.Add('SmartScreen_PreventSmartScreenPromptOverride', $policySettings.DeviceSettings.smartScreen_PreventSmartScreenPromptOverride) + } + if ($null -ne $policySettings.DeviceSettings.letAppsActivateWithVoiceAboveLock) { + $complexDeviceSettings.Add('LetAppsActivateWithVoiceAboveLock', $policySettings.DeviceSettings.letAppsActivateWithVoiceAboveLock) + } + if ($null -ne $policySettings.DeviceSettings.allowIndexingEncryptedStoresOrItems) { + $complexDeviceSettings.Add('AllowIndexingEncryptedStoresOrItems', $policySettings.DeviceSettings.allowIndexingEncryptedStoresOrItems) + } + if ($null -ne $policySettings.DeviceSettings.enableSmartScreenInShell) { + $complexDeviceSettings.Add('EnableSmartScreenInShell', $policySettings.DeviceSettings.enableSmartScreenInShell) + } + if ($null 
-ne $policySettings.DeviceSettings.notifyMalicious) { + $complexDeviceSettings.Add('NotifyMalicious', $policySettings.DeviceSettings.notifyMalicious) + } + if ($null -ne $policySettings.DeviceSettings.notifyPasswordReuse) { + $complexDeviceSettings.Add('NotifyPasswordReuse', $policySettings.DeviceSettings.notifyPasswordReuse) + } + if ($null -ne $policySettings.DeviceSettings.notifyUnsafeApp) { + $complexDeviceSettings.Add('NotifyUnsafeApp', $policySettings.DeviceSettings.notifyUnsafeApp) + } + if ($null -ne $policySettings.DeviceSettings.serviceEnabled) { + $complexDeviceSettings.Add('ServiceEnabled', $policySettings.DeviceSettings.serviceEnabled) + } + if ($null -ne $policySettings.DeviceSettings.preventOverrideForFilesInShell) { + $complexDeviceSettings.Add('PreventOverrideForFilesInShell', $policySettings.DeviceSettings.preventOverrideForFilesInShell) + } + if ($null -ne $policySettings.DeviceSettings.configureXboxAccessoryManagementServiceStartupMode) { + $complexDeviceSettings.Add('ConfigureXboxAccessoryManagementServiceStartupMode', $policySettings.DeviceSettings.configureXboxAccessoryManagementServiceStartupMode) + } + if ($null -ne $policySettings.DeviceSettings.configureXboxLiveAuthManagerServiceStartupMode) { + $complexDeviceSettings.Add('ConfigureXboxLiveAuthManagerServiceStartupMode', $policySettings.DeviceSettings.configureXboxLiveAuthManagerServiceStartupMode) + } + if ($null -ne $policySettings.DeviceSettings.configureXboxLiveGameSaveServiceStartupMode) { + $complexDeviceSettings.Add('ConfigureXboxLiveGameSaveServiceStartupMode', $policySettings.DeviceSettings.configureXboxLiveGameSaveServiceStartupMode) + } + if ($null -ne $policySettings.DeviceSettings.configureXboxLiveNetworkingServiceStartupMode) { + $complexDeviceSettings.Add('ConfigureXboxLiveNetworkingServiceStartupMode', $policySettings.DeviceSettings.configureXboxLiveNetworkingServiceStartupMode) + } + if ($null -ne $policySettings.DeviceSettings.enableXboxGameSaveTask) { + 
$complexDeviceSettings.Add('EnableXboxGameSaveTask', $policySettings.DeviceSettings.enableXboxGameSaveTask) + } + if ($null -ne $policySettings.DeviceSettings.accessFromNetwork) { + $complexDeviceSettings.Add('AccessFromNetwork', $policySettings.DeviceSettings.accessFromNetwork) + } + if ($null -ne $policySettings.DeviceSettings.allowLocalLogOn) { + $complexDeviceSettings.Add('AllowLocalLogOn', $policySettings.DeviceSettings.allowLocalLogOn) + } + if ($null -ne $policySettings.DeviceSettings.backupFilesAndDirectories) { + $complexDeviceSettings.Add('BackupFilesAndDirectories', $policySettings.DeviceSettings.backupFilesAndDirectories) + } + if ($null -ne $policySettings.DeviceSettings.createGlobalObjects) { + $complexDeviceSettings.Add('CreateGlobalObjects', $policySettings.DeviceSettings.createGlobalObjects) + } + if ($null -ne $policySettings.DeviceSettings.createPageFile) { + $complexDeviceSettings.Add('CreatePageFile', $policySettings.DeviceSettings.createPageFile) + } + if ($null -ne $policySettings.DeviceSettings.debugPrograms) { + $complexDeviceSettings.Add('DebugPrograms', $policySettings.DeviceSettings.debugPrograms) + } + if ($null -ne $policySettings.DeviceSettings.denyAccessFromNetwork) { + $complexDeviceSettings.Add('DenyAccessFromNetwork', $policySettings.DeviceSettings.denyAccessFromNetwork) + } + if ($null -ne $policySettings.DeviceSettings.denyRemoteDesktopServicesLogOn) { + $complexDeviceSettings.Add('DenyRemoteDesktopServicesLogOn', $policySettings.DeviceSettings.denyRemoteDesktopServicesLogOn) + } + if ($null -ne $policySettings.DeviceSettings.impersonateClient) { + $complexDeviceSettings.Add('ImpersonateClient', $policySettings.DeviceSettings.impersonateClient) + } + if ($null -ne $policySettings.DeviceSettings.loadUnloadDeviceDrivers) { + $complexDeviceSettings.Add('LoadUnloadDeviceDrivers', $policySettings.DeviceSettings.loadUnloadDeviceDrivers) + } + if ($null -ne $policySettings.DeviceSettings.manageAuditingAndSecurityLog) { + 
$complexDeviceSettings.Add('ManageAuditingAndSecurityLog', $policySettings.DeviceSettings.manageAuditingAndSecurityLog) + } + if ($null -ne $policySettings.DeviceSettings.manageVolume) { + $complexDeviceSettings.Add('ManageVolume', $policySettings.DeviceSettings.manageVolume) + } + if ($null -ne $policySettings.DeviceSettings.modifyFirmwareEnvironment) { + $complexDeviceSettings.Add('ModifyFirmwareEnvironment', $policySettings.DeviceSettings.modifyFirmwareEnvironment) + } + if ($null -ne $policySettings.DeviceSettings.profileSingleProcess) { + $complexDeviceSettings.Add('ProfileSingleProcess', $policySettings.DeviceSettings.profileSingleProcess) + } + if ($null -ne $policySettings.DeviceSettings.remoteShutdown) { + $complexDeviceSettings.Add('RemoteShutdown', $policySettings.DeviceSettings.remoteShutdown) + } + if ($null -ne $policySettings.DeviceSettings.restoreFilesAndDirectories) { + $complexDeviceSettings.Add('RestoreFilesAndDirectories', $policySettings.DeviceSettings.restoreFilesAndDirectories) + } + if ($null -ne $policySettings.DeviceSettings.takeOwnership) { + $complexDeviceSettings.Add('TakeOwnership', $policySettings.DeviceSettings.takeOwnership) + } + if ($null -ne $policySettings.DeviceSettings.hypervisorEnforcedCodeIntegrity) { + $complexDeviceSettings.Add('HypervisorEnforcedCodeIntegrity', $policySettings.DeviceSettings.hypervisorEnforcedCodeIntegrity) + } + if ($null -ne $policySettings.DeviceSettings.allowAutoConnectToWiFiSenseHotspots) { + $complexDeviceSettings.Add('AllowAutoConnectToWiFiSenseHotspots', $policySettings.DeviceSettings.allowAutoConnectToWiFiSenseHotspots) + } + if ($null -ne $policySettings.DeviceSettings.allowInternetSharing) { + $complexDeviceSettings.Add('AllowInternetSharing', $policySettings.DeviceSettings.allowInternetSharing) + } + if ($null -ne $policySettings.DeviceSettings.facialFeaturesUseEnhancedAntiSpoofing) { + $complexDeviceSettings.Add('FacialFeaturesUseEnhancedAntiSpoofing', 
$policySettings.DeviceSettings.facialFeaturesUseEnhancedAntiSpoofing) + } + if ($null -ne $policySettings.DeviceSettings.allowWindowsInkWorkspace) { + $complexDeviceSettings.Add('AllowWindowsInkWorkspace', $policySettings.DeviceSettings.allowWindowsInkWorkspace) + } + if ($null -ne $policySettings.DeviceSettings.backupDirectory) { + $complexDeviceSettings.Add('BackupDirectory', $policySettings.DeviceSettings.backupDirectory) + } + if ($null -ne $policySettings.DeviceSettings.aDEncryptedPasswordHistorySize) { + $complexDeviceSettings.Add('ADEncryptedPasswordHistorySize', $policySettings.DeviceSettings.aDEncryptedPasswordHistorySize) + } + if ($null -ne $policySettings.DeviceSettings.passwordagedays) { + $complexDeviceSettings.Add('Passwordagedays', $policySettings.DeviceSettings.passwordagedays) + } + if ($null -ne $policySettings.DeviceSettings.aDPasswordEncryptionEnabled) { + $complexDeviceSettings.Add('ADPasswordEncryptionEnabled', $policySettings.DeviceSettings.aDPasswordEncryptionEnabled) + } + if ($null -ne $policySettings.DeviceSettings.passwordagedays_aad) { + $complexDeviceSettings.Add('Passwordagedays_aad', $policySettings.DeviceSettings.passwordagedays_aad) + } + if ($null -ne $policySettings.DeviceSettings.aDPasswordEncryptionPrincipal) { + $complexDeviceSettings.Add('ADPasswordEncryptionPrincipal', $policySettings.DeviceSettings.aDPasswordEncryptionPrincipal) + } + if ($null -ne $policySettings.DeviceSettings.passwordExpirationProtectionEnabled) { + $complexDeviceSettings.Add('PasswordExpirationProtectionEnabled', $policySettings.DeviceSettings.passwordExpirationProtectionEnabled) + } + # Check if $complexDeviceSettings is empty + if ($complexDeviceSettings.Values.Where({ $null -ne $_ }).Count -eq 0) { + $complexDeviceSettings = $null + } + $policySettings.Remove('DeviceSettings') | Out-Null + + $complexUserSettings = @{} + # Add user settings with conditional checks + if ($null -ne $policySettings.UserSettings.noLockScreenToastNotification) { + 
$complexUserSettings.Add('NoLockScreenToastNotification', $policySettings.UserSettings.noLockScreenToastNotification) + } + if ($null -ne $policySettings.UserSettings.restrictFormSuggestPW) { + $complexUserSettings.Add('RestrictFormSuggestPW', $policySettings.UserSettings.restrictFormSuggestPW) + } + if ($null -ne $policySettings.UserSettings.chkBox_PasswordAsk) { + $complexUserSettings.Add('ChkBox_PasswordAsk', $policySettings.UserSettings.chkBox_PasswordAsk) + } + if ($null -ne $policySettings.UserSettings.allowWindowsSpotlight) { + $complexUserSettings.Add('AllowWindowsSpotlight', $policySettings.UserSettings.allowWindowsSpotlight) + } + if ($null -ne $policySettings.UserSettings.allowWindowsTips) { + $complexUserSettings.Add('AllowWindowsTips', $policySettings.UserSettings.allowWindowsTips) + } + if ($null -ne $policySettings.UserSettings.allowTailoredExperiencesWithDiagnosticData) { + $complexUserSettings.Add('AllowTailoredExperiencesWithDiagnosticData', $policySettings.UserSettings.allowTailoredExperiencesWithDiagnosticData) + } + if ($null -ne $policySettings.UserSettings.allowWindowsSpotlightOnActionCenter) { + $complexUserSettings.Add('AllowWindowsSpotlightOnActionCenter', $policySettings.UserSettings.allowWindowsSpotlightOnActionCenter) + } + if ($null -ne $policySettings.UserSettings.allowWindowsConsumerFeatures) { + $complexUserSettings.Add('AllowWindowsConsumerFeatures', $policySettings.UserSettings.allowWindowsConsumerFeatures) + } + if ($null -ne $policySettings.UserSettings.configureWindowsSpotlightOnLockScreen) { + $complexUserSettings.Add('ConfigureWindowsSpotlightOnLockScreen', $policySettings.UserSettings.configureWindowsSpotlightOnLockScreen) + } + if ($null -ne $policySettings.UserSettings.allowWindowsSpotlightWindowsWelcomeExperience) { + $complexUserSettings.Add('AllowWindowsSpotlightWindowsWelcomeExperience', $policySettings.UserSettings.allowWindowsSpotlightWindowsWelcomeExperience) + } + if ($null -ne 
$policySettings.UserSettings.allowThirdPartySuggestionsInWindowsSpotlight) {
+ $complexUserSettings.Add('AllowThirdPartySuggestionsInWindowsSpotlight', $policySettings.UserSettings.allowThirdPartySuggestionsInWindowsSpotlight)
+ }
+ # Check if $complexUserSettings is empty
+ if ($complexUserSettings.Values.Where({ $null -ne $_ }).Count -eq 0) {
+ $complexUserSettings = $null
+ }
+ $policySettings.Remove('UserSettings') | Out-Null
+ #endregion
+
+ $results = @{
+ #region resource generator code
+ Description = $getValue.Description
+ DisplayName = $getValue.Name
+ Platforms = $enumPlatforms
+ RoleScopeTagIds = $getValue.RoleScopeTagIds
+ Technologies = $enumTechnologies
+ Id = $getValue.Id
+ DeviceSettings = $complexDeviceSettings
+ UserSettings = $complexUserSettings
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ #endregion
+ }
+ $results += $policySettings
+
+ $assignmentsValues = Get-MgBetaDeviceManagementConfigurationPolicyAssignment -DeviceManagementConfigurationPolicyId $Id
+ $assignmentResult = @()
+ if ($assignmentsValues.Count -gt 0)
+ {
+ $assignmentResult += ConvertFrom-IntunePolicyAssignment -Assignments $assignmentsValues -IncludeDeviceFilter $true
+ }
+ $results.Add('Assignments', $assignmentResult)
+
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()] 
[System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DeviceSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UserSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ $templateReferenceId = '66df8dce-0166-4b82-92f7-1f74e3ca17a3_1'
+ $platforms = 'windows10'
+ $technologies = 'mdm'
+
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ Write-Verbose -Message "Creating an Intune Security Baseline for Windows10 with Name {$DisplayName}"
+ $BoundParameters.Remove("Assignments") | Out-Null
+
+ $settings = Get-IntuneSettingCatalogPolicySetting `
+ -DSCParams ([System.Collections.Hashtable]$BoundParameters) `
+ -TemplateId $templateReferenceId `
+ -ContainsDeviceAndUserSettings
+
+ $createParameters = @{
+ Name 
= $DisplayName
+ Description = $Description
+ TemplateReference = @{ templateId = $templateReferenceId }
+ Platforms = $platforms
+ Technologies = $technologies
+ Settings = $settings
+ }
+
+ #region resource generator code
+ $policy = New-MgBetaDeviceManagementConfigurationPolicy -BodyParameter $createParameters
+
+ if ($policy.Id)
+ {
+ $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $policy.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/configurationPolicies'
+ }
+ #endregion
+ }
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Updating the Intune Security Baseline for Windows10 with Id {$($currentInstance.Id)}"
+ $BoundParameters.Remove("Assignments") | Out-Null
+
+ $settings = Get-IntuneSettingCatalogPolicySetting `
+ -DSCParams ([System.Collections.Hashtable]$BoundParameters) `
+ -TemplateId $templateReferenceId `
+ -ContainsDeviceAndUserSettings
+
+ Update-IntuneDeviceConfigurationPolicy `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Name $DisplayName `
+ -Description $Description `
+ -TemplateReferenceId $templateReferenceId `
+ -Platforms $platforms `
+ -Technologies $technologies `
+ -Settings $settings
+
+ #region resource generator code
+ $assignmentsHash = ConvertTo-IntunePolicyAssignment -IncludeDeviceFilter:$true -Assignments $Assignments
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/configurationPolicies'
+ #endregion
+ }
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Removing the Intune Security Baseline for Windows10 with Id {$($currentInstance.Id)}"
+ #region resource generator code
+ Remove-MgBetaDeviceManagementConfigurationPolicy 
-DeviceManagementConfigurationPolicyId $currentInstance.Id
+ #endregion
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $DeviceSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance]
+ $UserSettings,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ Write-Verbose -Message "Testing configuration of the Intune Security Baseline for Windows10 with Id {$Id} and Name {$DisplayName}"
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ [Hashtable]$ValuesToCheck = @{}
+ $MyInvocation.MyCommand.Parameters.GetEnumerator() | ForEach-Object {
+ if ($_.Key -notlike '*Variable' -or $_.Key -notin @('Verbose', 'Debug', 'ErrorAction', 'WarningAction', 'InformationAction'))
+ {
+ if ($null -ne $CurrentValues[$_.Key] -or $null -ne $PSBoundParameters[$_.Key])
+ {
+ $ValuesToCheck.Add($_.Key, $null)
+ if (-not $PSBoundParameters.ContainsKey($_.Key))
+ {
+ $PSBoundParameters.Add($_.Key, $null)
+ }
+ }
+ }
+ }
+
+ if ($CurrentValues.Ensure -ne $Ensure)
+ {
+ Write-Verbose -Message "Test-TargetResource returned $false"
+ return $false
+ }
+ $testResult = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($null -ne $source -and $source.GetType().Name -like '*CimInstance*')
+ {
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-not $testResult)
+ {
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+
+ $ValuesToCheck.Remove('Id') | Out-Null
+ $ValuesToCheck = Remove-M365DSCAuthenticationParameter -BoundParameters $ValuesToCheck
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $PSBoundParameters)"
+
+ if ($testResult)
+ {
+ $testResult = Test-M365DSCParameterState 
-CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $Filter,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ #region resource generator code
+ $policyTemplateID = "66df8dce-0166-4b82-92f7-1f74e3ca17a3_1"
+ [array]$getValue = Get-MgBetaDeviceManagementConfigurationPolicy `
+ -Filter $Filter `
+ -All `
+ -ErrorAction Stop | Where-Object `
+ -FilterScript {
+ $_.TemplateReference.TemplateId -eq $policyTemplateID
+ }
+ #endregion
+
+ $i = 1
+ $dscContent = ''
+ if ($getValue.Length -eq 0)
+ {
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ else
+ {
+ Write-Host "`r`n" -NoNewline
+ }
+ foreach ($config in $getValue)
+ {
+ $displayedKey = $config.Id
+ if (-not [String]::IsNullOrEmpty($config.displayName))
+ {
+ $displayedKey = $config.displayName
+ }
+ elseif (-not [string]::IsNullOrEmpty($config.name))
+ {
+ $displayedKey = $config.name
+ }
+ Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
+ $params = @{
+ Id = $config.Id
+ DisplayName = $config.Name
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+ if ($null -ne $Results.DeviceSettings)
+ {
+ $complexMapping = @(
+ @{
+ Name = 'DeviceSettings'
+ CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10'
+ IsRequired = $False
+ }
+ @{
+ Name = 'pol_hardenedpaths'
+ CimInstanceName = 'MicrosoftGraphUNC'
+ IsRequired = $False 
+ }
+ )
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.DeviceSettings `
+ -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10' `
+ -ComplexTypeMapping $complexMapping
+
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.DeviceSettings = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('DeviceSettings') | Out-Null
+ }
+ }
+ if ($null -ne $Results.UserSettings)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.UserSettings `
+ -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10'
+ if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.UserSettings = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('UserSettings') | Out-Null
+ }
+ }
+
+ if ($Results.Assignments)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments
+ if ($complexTypeStringResult)
+ {
+ $Results.Assignments = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('Assignments') | Out-Null
+ }
+ }
+
+ if ($Results.Assignments)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths
+ if ($complexTypeStringResult)
+ {
+ $Results.Assignments = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('Assignments') | Out-Null
+ }
+ }
+
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+ if ($Results.DeviceSettings)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "DeviceSettings" -IsCIMArray:$False
+ }
+ if 
($Results.UserSettings)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "UserSettings" -IsCIMArray:$False
+ }
+
+ if ($Results.Assignments)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -IsCIMArray:$true
+ }
+
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof
new file mode 100644
index 0000000000..6375b4d0db
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof 
@@ -0,0 +1,528 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths +{ + [Write, Description("Name")] String Pol_HardenedPathsKey; + [Write, Description("Value")] String Pol_HardenedPathsValue; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 +{ + [Write, Description("Prevent enabling lock screen camera (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String CPL_Personalization_NoLockScreenCamera; + [Write, Description("Prevent enabling lock screen 
slide show (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String CPL_Personalization_NoLockScreenSlideshow; + [Write, Description("Apply UAC restrictions to local accounts on network logons (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_0201_LATFP; + [Write, Description("Configure SMB v1 client driver (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_0002_SMBv1_ClientDriver; + [Write, Description("Configure MrxSmb10 driver - Depends on Pol_SecGuide_0002_SMBv1_ClientDriver (4: Disable driver (recommended), 3: Manual start (default for Win7/2008/2008R2/2012), 2: Automatic start (default for Win8.1/2012R2/newer))"), ValueMap{"4", "3", "2"}, Values{"4", "3", "2"}] String Pol_SecGuide_SMB1ClientDriver; + [Write, Description("Configure SMB v1 server (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_0001_SMBv1_Server; + [Write, Description("Enable Structured Exception Handling Overwrite Protection (SEHOP) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_0102_SEHOP; + [Write, Description("WDigest Authentication (disabling may require KB2871997) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_SecGuide_0202_WDigestAuthn; + [Write, Description("MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_MSS_DisableIPSourceRoutingIPv6; + [Write, Description("DisableIPSourceRoutingIPv6 (Device) - Depends on Pol_MSS_DisableIPSourceRoutingIPv6 (0: No additional protection, source routed packets are allowed, 1: Medium, source routed packets ignored when IP forwarding is enabled, 2: Highest protection, source routing is completely disabled)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String DisableIPSourceRoutingIPv6; + [Write, Description("MSS: 
(DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_MSS_DisableIPSourceRouting; + [Write, Description("DisableIPSourceRouting (Device) - Depends on Pol_MSS_DisableIPSourceRouting (0: No additional protection, source routed packets are allowed, 1: Medium, source routed packets ignored when IP forwarding is enabled, 2: Highest protection, source routing is completely disabled)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String DisableIPSourceRouting; + [Write, Description("MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_MSS_EnableICMPRedirect; + [Write, Description("MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_MSS_NoNameReleaseOnDemand; + [Write, Description("Turn off multicast name resolution (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Turn_Off_Multicast; + [Write, Description("Prohibit use of Internet Connection Sharing on your DNS domain network (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NC_ShowSharedAccessUI; + [Write, Description("Hardened UNC Paths (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String HardenedUNCPaths_Pol_HardenedPaths; + [Write, Description("Hardened UNC Paths: (Device) - Depends on HardenedUNCPaths_Pol_HardenedPaths"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths")] String pol_hardenedpaths[]; + [Write, Description("Prohibit connection to non-domain networks when connected to domain authenticated network (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WCM_BlockNonDomain; + [Write, Description("Configure Redirection Guard (0: 
Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureRedirectionGuardPolicy; + [Write, Description("Redirection Guard Options (Device) - Depends on ConfigureRedirectionGuardPolicy (0: Redirection Guard Disabled, 1: Redirection Guard Enabled, 2: Redirection Guard Audit Only)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RedirectionGuardPolicy_Enum; + [Write, Description("Configure RPC connection settings (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureRpcConnectionPolicy; + [Write, Description("Use authentication for outgoing RPC connections: (Device) - Depends on ConfigureRpcConnectionPolicy (0: Default, 1: Authentication enabled, 2: Authentication disabled)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RpcConnectionAuthentication_Enum; + [Write, Description("Protocol to use for outgoing RPC connections: (Device) - Depends on ConfigureRpcConnectionPolicy (0: RPC over TCP, 1: RPC over named pipes)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RpcConnectionProtocol_Enum; + [Write, Description("Configure RPC listener settings (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureRpcListenerPolicy; + [Write, Description("Authentication protocol to use for incoming RPC connections: (Device) - Depends on ConfigureRpcListenerPolicy (0: Negotiate, 1: Kerberos)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RpcAuthenticationProtocol_Enum; + [Write, Description("Protocols to allow for incoming RPC connections: (Device) - Depends on ConfigureRpcListenerPolicy (3: RPC over named pipes, 5: RPC over TCP, 7: RPC over named pipes and TCP)"), ValueMap{"3", "5", "7"}, Values{"3", "5", "7"}] String RpcListenerProtocols_Enum; + [Write, Description("Configure RPC over TCP port (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureRpcTcpPort; + [Write, Description("RPC over TCP port: (Device) - Depends on ConfigureRpcTcpPort")] SInt32 
RpcTcpPort; + [Write, Description("Limits print driver installation to Administrators (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RestrictDriverInstallationToAdministrators; + [Write, Description("Manage processing of Queue-specific files (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureCopyFilesPolicy; + [Write, Description("Manage processing of Queue-Specific files: (Device) - Depends on ConfigureCopyFilesPolicy (0: Do not allow Queue-specific files, 1: Limit Queue-specific files to Color profiles, 2: Allow all Queue-specfic files)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String CopyFilesPolicy_Enum; + [Write, Description("Encryption Oracle Remediation (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowEncryptionOracle; + [Write, Description("Protection Level: (Device) - Depends on AllowEncryptionOracle (0: Force Updated Clients, 1: Mitigated, 2: Vulnerable)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String AllowEncryptionOracleDrop; + [Write, Description("Remote host allows delegation of non-exportable credentials (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowProtectedCreds; + [Write, Description("Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Deny; + [Write, Description("Prevented Classes - Depends on DeviceInstall_Classes_Deny")] String DeviceInstall_Classes_Deny_List[]; + [Write, Description("Also apply to matching devices that are already installed. 
- Depends on DeviceInstall_Classes_Deny (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DeviceInstall_Classes_Deny_Retroactive; + [Write, Description("Boot-Start Driver Initialization Policy (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String POL_DriverLoadPolicy_Name; + [Write, Description("Choose the boot-start drivers that can be initialized: - Depends on POL_DriverLoadPolicy_Name (8: Good only, 1: Good and unknown, 3: Good, unknown and bad but critical, 7: All)"), ValueMap{"8", "1", "3", "7"}, Values{"8", "1", "3", "7"}] String SelectDriverLoadPolicy; + [Write, Description("Configure registry policy processing (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String CSE_Registry; + [Write, Description("Do not apply during periodic background processing (Device) - Depends on CSE_Registry (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String CSE_NOBACKGROUND10; + [Write, Description("Process even if the Group Policy objects have not changed (Device) - Depends on CSE_Registry (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String CSE_NOCHANGES10; + [Write, Description("Turn off downloading of print drivers over HTTP (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableWebPnPDownload_2; + [Write, Description("Turn off Internet download for Web publishing and online ordering wizards (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ShellPreventWPWDownload_2; + [Write, Description("Allow Custom SSPs and APs to be loaded into LSASS (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowCustomSSPsAPs; + [Write, Description("Allow standby states (S1-S3) when sleeping (on battery) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowStandbyStatesDC_2; + [Write, Description("Allow standby states (S1-S3) when sleeping (plugged in) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, 
Values{"0", "1"}] String AllowStandbyStatesAC_2; + [Write, Description("Require a password when a computer wakes (on battery) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DCPromptForPasswordOnResume_2; + [Write, Description("Require a password when a computer wakes (plugged in) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ACPromptForPasswordOnResume_2; + [Write, Description("Configure Solicited Remote Assistance (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RA_Solicit; + [Write, Description("Maximum ticket time (units): - Depends on RA_Solicit (0: Minutes, 1: Hours, 2: Days)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RA_Solicit_ExpireUnits_List; + [Write, Description("Maximum ticket time (value): - Depends on RA_Solicit")] SInt32 RA_Solicit_ExpireValue_Edt; + [Write, Description("Permit remote control of this computer: - Depends on RA_Solicit (1: Allow helpers to remotely control the computer, 0: Allow helpers to only view the computer)"), ValueMap{"1", "0"}, Values{"1", "0"}] String RA_Solicit_Control_List; + [Write, Description("Method for sending email invitations: - Depends on RA_Solicit (0: Simple MAPI, 1: Mailto)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RA_Solicit_Mailto_List; + [Write, Description("Restrict Unauthenticated RPC clients (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RpcRestrictRemoteClients; + [Write, Description("RPC Runtime Unauthenticated Client Restriction to Apply: - Depends on RpcRestrictRemoteClients (0: None, 1: Authenticated, 2: Authenticated without exceptions)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RpcRestrictRemoteClientsList; + [Write, Description("Allow Microsoft accounts to be optional (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AppxRuntimeMicrosoftAccountsOptional; + [Write, Description("Disallow Autoplay for non-volume devices (0: Disabled, 1: 
Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NoAutoplayfornonVolume; + [Write, Description("Set the default behavior for AutoRun (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NoAutorun; + [Write, Description("Default AutoRun Behavior - Depends on NoAutorun (1: Do not execute any autorun commands, 2: Automatically execute autorun commands)"), ValueMap{"1", "2"}, Values{"1", "2"}] String NoAutorun_Dropdown; + [Write, Description("Turn off Autoplay (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Autorun; + [Write, Description("Turn off Autoplay on: - Depends on Autorun (181: CD-ROM and removable media drives, 255: All drives)"), ValueMap{"181", "255"}, Values{"181", "255"}] String Autorun_Box; + [Write, Description("Deny write access to fixed drives not protected by BitLocker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String FDVDenyWriteAccess_Name; + [Write, Description("Deny write access to removable drives not protected by BitLocker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVDenyWriteAccess_Name; + [Write, Description("Do not allow write access to devices configured in another organization - Depends on RDVDenyWriteAccess_Name (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RDVCrossOrg; + [Write, Description("Enumerate administrator accounts on elevation (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnumerateAdministrators; + [Write, Description("Specify the maximum log file size (KB) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Channel_LogMaxSize_1; + [Write, Description("Maximum Log Size (KB) - Depends on Channel_LogMaxSize_1")] SInt32 Channel_LogMaxSize_1_Channel_LogMaxSize; + [Write, Description("Specify the maximum log file size (KB) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Channel_LogMaxSize_2; + [Write, Description("Maximum Log 
Size (KB) - Depends on Channel_LogMaxSize_2")] SInt32 Channel_LogMaxSize_2_Channel_LogMaxSize; + [Write, Description("Specify the maximum log file size (KB) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Channel_LogMaxSize_4; + [Write, Description("Maximum Log Size (KB) - Depends on Channel_LogMaxSize_4")] SInt32 Channel_LogMaxSize_4_Channel_LogMaxSize; + [Write, Description("Configure Windows Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableSmartScreen; + [Write, Description("Pick one of the following settings: (Device) - Depends on EnableSmartScreen (block: Warn and prevent bypass, warn: Warn)"), ValueMap{"block", "warn"}, Values{"block", "warn"}] String EnableSmartScreenDropdown; + [Write, Description("Turn off Data Execution Prevention for Explorer (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NoDataExecutionPrevention; + [Write, Description("Turn off heap termination on corruption (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NoHeapTerminationOnCorruption; + [Write, Description("Allow software to run or install even if the signature is invalid (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Advanced_InvalidSignatureBlock; + [Write, Description("Check for server certificate revocation (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Advanced_CertificateRevocation; + [Write, Description("Check for signatures on downloaded programs (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Advanced_DownloadSignatures; + [Write, Description("Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Advanced_DisableEPMCompat; + [Write, Description("Turn off encryption support (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String 
Advanced_SetWinInetProtocols; + [Write, Description("Secure Protocol combinations - Depends on Advanced_SetWinInetProtocols (0: Use no secure protocols, 8: Only use SSL 2.0, 32: Only use SSL 3.0, 40: Use SSL 2.0 and SSL 3.0, 128: Only use TLS 1.0, 136: Use SSL 2.0 and TLS 1.0, 160: Use SSL 3.0 and TLS 1.0, 168: Use SSL 2.0, SSL 3.0, and TLS 1.0, 512: Only use TLS 1.1, 520: Use SSL 2.0 and TLS 1.1, 544: Use SSL 3.0 and TLS 1.1, 552: Use SSL 2.0, SSL 3.0, and TLS 1.1, 640: Use TLS 1.0 and TLS 1.1, 648: Use SSL 2.0, TLS 1.0, and TLS 1.1, 672: Use SSL 3.0, TLS 1.0, and TLS 1.1, 680: Use SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1, 2048: Only use TLS 1.2, 2056: Use SSL 2.0 and TLS 1.2, 2080: Use SSL 3.0 and TLS 1.2, 2088: Use SSL 2.0, SSL 3.0, and TLS 1.2, 2176: Use TLS 1.0 and TLS 1.2, 2184: Use SSL 2.0, TLS 1.0, and TLS 1.2, 2208: Use SSL 3.0, TLS 1.0, and TLS 1.2, 2216: Use SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.2, 2560: Use TLS 1.1 and TLS 1.2, 2568: Use SSL 2.0, TLS 1.1, and TLS 1.2, 2592: Use SSL 3.0, TLS 1.1, and TLS 1.2, 2600: Use SSL 2.0, SSL 3.0, TLS 1.1, and TLS 1.2, 2688: Use TLS 1.0, TLS 1.1, and TLS 1.2, 2696: Use SSL 2.0, TLS 1.0, TLS 1.1, and TLS 1.2, 2720: Use SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2, 2728: Use SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2, 8192: Only use TLS 1.3, 10240: Use TLS 1.2 and TLS 1.3, 10752: Use TLS 1.1, TLS 1.2, and TLS 1.3, 10880: Use TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3, 10912: Use SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2, and TLS 1.3)"), ValueMap{"0", "8", "32", "40", "128", "136", "160", "168", "512", "520", "544", "552", "640", "648", "672", "680", "2048", "2056", "2080", "2088", "2176", "2184", "2208", "2216", "2560", "2568", "2592", "2600", "2688", "2696", "2720", "2728", "8192", "10240", "10752", "10880", "10912"}, Values{"0", "8", "32", "40", "128", "136", "160", "168", "512", "520", "544", "552", "640", "648", "672", "680", "2048", "2056", "2080", "2088", "2176", "2184", "2208", "2216", "2560", "2568", "2592", "2600", "2688", 
"2696", "2720", "2728", "8192", "10240", "10752", "10880", "10912"}] String Advanced_WinInetProtocolOptions; + [Write, Description("Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Advanced_EnableEnhancedProtectedMode64Bit; + [Write, Description("Turn on Enhanced Protected Mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Advanced_EnableEnhancedProtectedMode; + [Write, Description("Prevent ignoring certificate errors (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NoCertError; + [Write, Description("Access data sources across domains (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAccessDataSourcesAcrossDomains_1; + [Write, Description("Access data sources across domains - Depends on IZ_PolicyAccessDataSourcesAcrossDomains_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyAccessDataSourcesAcrossDomains_1_IZ_Partname1406; + [Write, Description("Allow cut, copy or paste operations from the clipboard via script (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAllowPasteViaScript_1; + [Write, Description("Allow paste operations via script - Depends on IZ_PolicyAllowPasteViaScript_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyAllowPasteViaScript_1_IZ_Partname1407; + [Write, Description("Allow drag and drop or copy and paste files (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDropOrPasteFiles_1; + [Write, Description("Allow drag and drop or copy and paste files - Depends on IZ_PolicyDropOrPasteFiles_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyDropOrPasteFiles_1_IZ_Partname1802; + [Write, Description("Allow loading of XAML 
files (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_XAML_1; + [Write, Description("XAML Files - Depends on IZ_Policy_XAML_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_Policy_XAML_1_IZ_Partname2402; + [Write, Description("Allow only approved domains to use ActiveX controls without prompt (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet; + [Write, Description("Only allow approved domains to use ActiveX controls without prompt - Depends on IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Internet_IZ_Partname120b; + [Write, Description("Allow only approved domains to use the TDC ActiveX control (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAllowTDCControl_Both_Internet; + [Write, Description("Only allow approved domains to use the TDC ActiveX control - Depends on IZ_PolicyAllowTDCControl_Both_Internet (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyAllowTDCControl_Both_Internet_IZ_Partname120c; + [Write, Description("Allow script-initiated windows without size or position constraints (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyWindowsRestrictionsURLaction_1; + [Write, Description("Allow script-initiated windows without size or position constraints - Depends on IZ_PolicyWindowsRestrictionsURLaction_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyWindowsRestrictionsURLaction_1_IZ_Partname2102; + [Write, Description("Allow scripting of Internet Explorer WebBrowser controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_WebBrowserControl_1; + [Write, 
Description("Internet Explorer web browser control - Depends on IZ_Policy_WebBrowserControl_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_WebBrowserControl_1_IZ_Partname1206; + [Write, Description("Allow scriptlets (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_AllowScriptlets_1; + [Write, Description("Scriptlets - Depends on IZ_Policy_AllowScriptlets_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_AllowScriptlets_1_IZ_Partname1209; + [Write, Description("Allow updates to status bar via script (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_ScriptStatusBar_1; + [Write, Description("Status bar updates via script - Depends on IZ_Policy_ScriptStatusBar_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_ScriptStatusBar_1_IZ_Partname2103; + [Write, Description("Allow VBScript to run in Internet Explorer (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAllowVBScript_1; + [Write, Description("Allow VBScript to run in Internet Explorer - Depends on IZ_PolicyAllowVBScript_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyAllowVBScript_1_IZ_Partname140C; + [Write, Description("Automatic prompting for file downloads (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyNotificationBarDownloadURLaction_1; + [Write, Description("Automatic prompting for file downloads - Depends on IZ_PolicyNotificationBarDownloadURLaction_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyNotificationBarDownloadURLaction_1_IZ_Partname2200; + [Write, Description("Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_1; + [Write, Description("Don't run 
antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_1 (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_1_IZ_Partname270C; + [Write, Description("Download signed ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDownloadSignedActiveX_1; + [Write, Description("Download signed ActiveX controls - Depends on IZ_PolicyDownloadSignedActiveX_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyDownloadSignedActiveX_1_IZ_Partname1001; + [Write, Description("Download unsigned ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDownloadUnsignedActiveX_1; + [Write, Description("Download unsigned ActiveX controls - Depends on IZ_PolicyDownloadUnsignedActiveX_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyDownloadUnsignedActiveX_1_IZ_Partname1004; + [Write, Description("Enable dragging of content from different domains across windows (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet; + [Write, Description("Enable dragging of content from different domains across windows - Depends on IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Internet_IZ_Partname2709; + [Write, Description("Enable dragging of content from different domains within a window (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet; + [Write, Description("Enable dragging of content from different domains within a window - Depends on IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet (0: Enable, 3: 
Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Internet_IZ_Partname2708; + [Write, Description("Include local path when user is uploading files to a server (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_LocalPathForUpload_1; + [Write, Description("Include local directory path when uploading files to a server - Depends on IZ_Policy_LocalPathForUpload_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_LocalPathForUpload_1_IZ_Partname160A; + [Write, Description("Initialize and script ActiveX controls not marked as safe (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyScriptActiveXNotMarkedSafe_1; + [Write, Description("Initialize and script ActiveX controls not marked as safe - Depends on IZ_PolicyScriptActiveXNotMarkedSafe_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyScriptActiveXNotMarkedSafe_1_IZ_Partname1201; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_1; + [Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_1 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", "196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String IZ_PolicyJavaPermissions_1_IZ_Partname1C00; + [Write, Description("Launching applications and files in an IFRAME (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyLaunchAppsAndFilesInIFRAME_1; + [Write, Description("Launching applications and files in an IFRAME - Depends on IZ_PolicyLaunchAppsAndFilesInIFRAME_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyLaunchAppsAndFilesInIFRAME_1_IZ_Partname1804; + [Write, 
Description("Logon options (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyLogon_1; + [Write, Description("Logon options - Depends on IZ_PolicyLogon_1 (196608: Anonymous logon, 131072: Automatic logon only in Intranet zone, 0: Automatic logon with current username and password, 65536: Prompt for user name and password)"), ValueMap{"196608", "131072", "0", "65536"}, Values{"196608", "131072", "0", "65536"}] String IZ_PolicyLogon_1_IZ_Partname1A00; + [Write, Description("Navigate windows and frames across different domains (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyNavigateSubframesAcrossDomains_1; + [Write, Description("Navigate windows and frames across different domains - Depends on IZ_PolicyNavigateSubframesAcrossDomains_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyNavigateSubframesAcrossDomains_1_IZ_Partname1607; + [Write, Description("Run .NET Framework-reliant components not signed with Authenticode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyUnsignedFrameworkComponentsURLaction_1; + [Write, Description("Run .NET Framework-reliant components not signed with Authenticode - Depends on IZ_PolicyUnsignedFrameworkComponentsURLaction_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyUnsignedFrameworkComponentsURLaction_1_IZ_Partname2004; + [Write, Description("Run .NET Framework-reliant components signed with Authenticode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicySignedFrameworkComponentsURLaction_1; + [Write, Description("Run .NET Framework-reliant components signed with Authenticode - Depends on IZ_PolicySignedFrameworkComponentsURLaction_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicySignedFrameworkComponentsURLaction_1_IZ_Partname2001; + 
[Write, Description("Show security warning for potentially unsafe files (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_UnsafeFiles_1; + [Write, Description("Launching programs and unsafe files - Depends on IZ_Policy_UnsafeFiles_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_Policy_UnsafeFiles_1_IZ_Partname1806; + [Write, Description("Turn on Cross-Site Scripting Filter (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyTurnOnXSSFilter_Both_Internet; + [Write, Description("Turn on Cross-Site Scripting (XSS) Filter - Depends on IZ_PolicyTurnOnXSSFilter_Both_Internet (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyTurnOnXSSFilter_Both_Internet_IZ_Partname1409; + [Write, Description("Turn on Protected Mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_TurnOnProtectedMode_1; + [Write, Description("Protected Mode - Depends on IZ_Policy_TurnOnProtectedMode_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_TurnOnProtectedMode_1_IZ_Partname2500; + [Write, Description("Turn on SmartScreen Filter scan (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_Phishing_1; + [Write, Description("Use SmartScreen Filter - Depends on IZ_Policy_Phishing_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_Phishing_1_IZ_Partname2301; + [Write, Description("Use Pop-up Blocker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyBlockPopupWindows_1; + [Write, Description("Use Pop-up Blocker - Depends on IZ_PolicyBlockPopupWindows_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyBlockPopupWindows_1_IZ_Partname1809; + [Write, Description("Userdata persistence (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String 
IZ_PolicyUserdataPersistence_1; + [Write, Description("Userdata persistence - Depends on IZ_PolicyUserdataPersistence_1 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyUserdataPersistence_1_IZ_Partname1606; + [Write, Description("Web sites in less privileged Web content zones can navigate into this zone (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyZoneElevationURLaction_1; + [Write, Description("Web sites in less privileged Web content zones can navigate into this zone - Depends on IZ_PolicyZoneElevationURLaction_1 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyZoneElevationURLaction_1_IZ_Partname2101; + [Write, Description("Intranet Sites: Include all network paths (UNCs) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_UNCAsIntranet; + [Write, Description("Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_3; + [Write, Description("Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_3 (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_3_IZ_Partname270C; + [Write, Description("Initialize and script ActiveX controls not marked as safe (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyScriptActiveXNotMarkedSafe_3; + [Write, Description("Initialize and script ActiveX controls not marked as safe - Depends on IZ_PolicyScriptActiveXNotMarkedSafe_3 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyScriptActiveXNotMarkedSafe_3_IZ_Partname1201; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_3; + 
[Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_3 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", "196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String IZ_PolicyJavaPermissions_3_IZ_Partname1C00; + [Write, Description("Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_9; + [Write, Description("Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_9 (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_9_IZ_Partname270C; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_9; + [Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_9 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", "196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String IZ_PolicyJavaPermissions_9_IZ_Partname1C00; + [Write, Description("Turn on SmartScreen Filter scan (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_Phishing_2; + [Write, Description("Use SmartScreen Filter - Depends on IZ_Policy_Phishing_2 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_Phishing_2_IZ_Partname2301; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_4; + [Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_4 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", 
"196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String IZ_PolicyJavaPermissions_4_IZ_Partname1C00; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_10; + [Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_10 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", "196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String IZ_PolicyJavaPermissions_10_IZ_Partname1C00; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_8; + [Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_8 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", "196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String IZ_PolicyJavaPermissions_8_IZ_Partname1C00; + [Write, Description("Turn on SmartScreen Filter scan (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_Phishing_8; + [Write, Description("Use SmartScreen Filter - Depends on IZ_Policy_Phishing_8 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_Phishing_8_IZ_Partname2301; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_6; + [Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_6 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", "196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String IZ_PolicyJavaPermissions_6_IZ_Partname1C00; + [Write, Description("Access data sources across domains (0: Disabled, 1: 
Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAccessDataSourcesAcrossDomains_7; + [Write, Description("Access data sources across domains - Depends on IZ_PolicyAccessDataSourcesAcrossDomains_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyAccessDataSourcesAcrossDomains_7_IZ_Partname1406; + [Write, Description("Allow active scripting (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyActiveScripting_7; + [Write, Description("Allow active scripting - Depends on IZ_PolicyActiveScripting_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_Partname1400; + [Write, Description("Allow binary and script behaviors (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyBinaryBehaviors_7; + [Write, Description("Allow Binary and Script Behaviors - Depends on IZ_PolicyBinaryBehaviors_7 (0: Enable, 65536: Administrator approved, 3: Disable)"), ValueMap{"0", "65536", "3"}, Values{"0", "65536", "3"}] String IZ_Partname2000; + [Write, Description("Allow cut, copy or paste operations from the clipboard via script (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAllowPasteViaScript_7; + [Write, Description("Allow paste operations via script - Depends on IZ_PolicyAllowPasteViaScript_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyAllowPasteViaScript_7_IZ_Partname1407; + [Write, Description("Allow drag and drop or copy and paste files (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDropOrPasteFiles_7; + [Write, Description("Allow drag and drop or copy and paste files - Depends on IZ_PolicyDropOrPasteFiles_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyDropOrPasteFiles_7_IZ_Partname1802; + [Write, Description("Allow file downloads 
(0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyFileDownload_7; + [Write, Description("Allow file downloads - Depends on IZ_PolicyFileDownload_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Partname1803; + [Write, Description("Allow loading of XAML files (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_XAML_7; + [Write, Description("XAML Files - Depends on IZ_Policy_XAML_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_Policy_XAML_7_IZ_Partname2402; + [Write, Description("Allow META REFRESH (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAllowMETAREFRESH_7; + [Write, Description("Allow META REFRESH - Depends on IZ_PolicyAllowMETAREFRESH_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Partname1608; + [Write, Description("Allow only approved domains to use ActiveX controls without prompt (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted; + [Write, Description("Only allow approved domains to use ActiveX controls without prompt - Depends on IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyOnlyAllowApprovedDomainsToUseActiveXWithoutPrompt_Both_Restricted_IZ_Partname120b; + [Write, Description("Allow only approved domains to use the TDC ActiveX control (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAllowTDCControl_Both_Restricted; + [Write, Description("Only allow approved domains to use the TDC ActiveX control - Depends on IZ_PolicyAllowTDCControl_Both_Restricted (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyAllowTDCControl_Both_Restricted_IZ_Partname120c; + [Write, Description("Allow 
script-initiated windows without size or position constraints (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyWindowsRestrictionsURLaction_7; + [Write, Description("Allow script-initiated windows without size or position constraints - Depends on IZ_PolicyWindowsRestrictionsURLaction_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyWindowsRestrictionsURLaction_7_IZ_Partname2102; + [Write, Description("Allow scripting of Internet Explorer WebBrowser controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_WebBrowserControl_7; + [Write, Description("Internet Explorer web browser control - Depends on IZ_Policy_WebBrowserControl_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_WebBrowserControl_7_IZ_Partname1206; + [Write, Description("Allow scriptlets (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_AllowScriptlets_7; + [Write, Description("Scriptlets - Depends on IZ_Policy_AllowScriptlets_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_AllowScriptlets_7_IZ_Partname1209; + [Write, Description("Allow updates to status bar via script (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_ScriptStatusBar_7; + [Write, Description("Status bar updates via script - Depends on IZ_Policy_ScriptStatusBar_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_ScriptStatusBar_7_IZ_Partname2103; + [Write, Description("Allow VBScript to run in Internet Explorer (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAllowVBScript_7; + [Write, Description("Allow VBScript to run in Internet Explorer - Depends on IZ_PolicyAllowVBScript_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyAllowVBScript_7_IZ_Partname140C; + [Write, 
Description("Automatic prompting for file downloads (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyNotificationBarDownloadURLaction_7; + [Write, Description("Automatic prompting for file downloads - Depends on IZ_PolicyNotificationBarDownloadURLaction_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyNotificationBarDownloadURLaction_7_IZ_Partname2200; + [Write, Description("Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_7; + [Write, Description("Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_7 (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_7_IZ_Partname270C; + [Write, Description("Download signed ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDownloadSignedActiveX_7; + [Write, Description("Download signed ActiveX controls - Depends on IZ_PolicyDownloadSignedActiveX_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyDownloadSignedActiveX_7_IZ_Partname1001; + [Write, Description("Download unsigned ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDownloadUnsignedActiveX_7; + [Write, Description("Download unsigned ActiveX controls - Depends on IZ_PolicyDownloadUnsignedActiveX_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyDownloadUnsignedActiveX_7_IZ_Partname1004; + [Write, Description("Enable dragging of content from different domains across windows (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted; + [Write, Description("Enable dragging of 
content from different domains across windows - Depends on IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyDragDropAcrossDomainsAcrossWindows_Both_Restricted_IZ_Partname2709; + [Write, Description("Enable dragging of content from different domains within a window (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted; + [Write, Description("Enable dragging of content from different domains within a window - Depends on IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyDragDropAcrossDomainsWithinWindow_Both_Restricted_IZ_Partname2708; + [Write, Description("Include local path when user is uploading files to a server (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_LocalPathForUpload_7; + [Write, Description("Include local directory path when uploading files to a server - Depends on IZ_Policy_LocalPathForUpload_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_LocalPathForUpload_7_IZ_Partname160A; + [Write, Description("Initialize and script ActiveX controls not marked as safe (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyScriptActiveXNotMarkedSafe_7; + [Write, Description("Initialize and script ActiveX controls not marked as safe - Depends on IZ_PolicyScriptActiveXNotMarkedSafe_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyScriptActiveXNotMarkedSafe_7_IZ_Partname1201; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_7; + [Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_7 (65536: High safety, 131072: Medium safety, 196608: Low safety, 
8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", "196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String IZ_PolicyJavaPermissions_7_IZ_Partname1C00; + [Write, Description("Launching applications and files in an IFRAME (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyLaunchAppsAndFilesInIFRAME_7; + [Write, Description("Launching applications and files in an IFRAME - Depends on IZ_PolicyLaunchAppsAndFilesInIFRAME_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyLaunchAppsAndFilesInIFRAME_7_IZ_Partname1804; + [Write, Description("Logon options (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyLogon_7; + [Write, Description("Logon options - Depends on IZ_PolicyLogon_7 (196608: Anonymous logon, 131072: Automatic logon only in Intranet zone, 0: Automatic logon with current username and password, 65536: Prompt for user name and password)"), ValueMap{"196608", "131072", "0", "65536"}, Values{"196608", "131072", "0", "65536"}] String IZ_PolicyLogon_7_IZ_Partname1A00; + [Write, Description("Navigate windows and frames across different domains (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyNavigateSubframesAcrossDomains_7; + [Write, Description("Navigate windows and frames across different domains - Depends on IZ_PolicyNavigateSubframesAcrossDomains_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyNavigateSubframesAcrossDomains_7_IZ_Partname1607; + [Write, Description("Run .NET Framework-reliant components not signed with Authenticode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyUnsignedFrameworkComponentsURLaction_7; + [Write, Description("Run .NET Framework-reliant components not signed with Authenticode - Depends on IZ_PolicyUnsignedFrameworkComponentsURLaction_7 (0: Enable, 3: 
Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyUnsignedFrameworkComponentsURLaction_7_IZ_Partname2004; + [Write, Description("Run .NET Framework-reliant components signed with Authenticode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicySignedFrameworkComponentsURLaction_7; + [Write, Description("Run .NET Framework-reliant components signed with Authenticode - Depends on IZ_PolicySignedFrameworkComponentsURLaction_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicySignedFrameworkComponentsURLaction_7_IZ_Partname2001; + [Write, Description("Run ActiveX controls and plugins (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyRunActiveXControls_7; + [Write, Description("Run ActiveX controls and plugins - Depends on IZ_PolicyRunActiveXControls_7 (65536: Administrator approved, 0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"65536", "0", "3", "1"}, Values{"65536", "0", "3", "1"}] String IZ_Partname1200; + [Write, Description("Script ActiveX controls marked safe for scripting (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyScriptActiveXMarkedSafe_7; + [Write, Description("Script ActiveX controls marked safe for scripting - Depends on IZ_PolicyScriptActiveXMarkedSafe_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_Partname1405; + [Write, Description("Scripting of Java applets (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyScriptingOfJavaApplets_7; + [Write, Description("Scripting of Java applets - Depends on IZ_PolicyScriptingOfJavaApplets_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_Partname1402; + [Write, Description("Show security warning for potentially unsafe files (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String 
IZ_Policy_UnsafeFiles_7; + [Write, Description("Launching programs and unsafe files - Depends on IZ_Policy_UnsafeFiles_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_Policy_UnsafeFiles_7_IZ_Partname1806; + [Write, Description("Turn on Cross-Site Scripting Filter (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyTurnOnXSSFilter_Both_Restricted; + [Write, Description("Turn on Cross-Site Scripting (XSS) Filter - Depends on IZ_PolicyTurnOnXSSFilter_Both_Restricted (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyTurnOnXSSFilter_Both_Restricted_IZ_Partname1409; + [Write, Description("Turn on Protected Mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_TurnOnProtectedMode_7; + [Write, Description("Protected Mode - Depends on IZ_Policy_TurnOnProtectedMode_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_TurnOnProtectedMode_7_IZ_Partname2500; + [Write, Description("Turn on SmartScreen Filter scan (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_Policy_Phishing_7; + [Write, Description("Use SmartScreen Filter - Depends on IZ_Policy_Phishing_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_Policy_Phishing_7_IZ_Partname2301; + [Write, Description("Use Pop-up Blocker (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyBlockPopupWindows_7; + [Write, Description("Use Pop-up Blocker - Depends on IZ_PolicyBlockPopupWindows_7 (0: Enable, 3: Disable)"), ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyBlockPopupWindows_7_IZ_Partname1809; + [Write, Description("Userdata persistence (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyUserdataPersistence_7; + [Write, Description("Userdata persistence - Depends on IZ_PolicyUserdataPersistence_7 (0: Enable, 3: Disable)"), 
ValueMap{"0", "3"}, Values{"0", "3"}] String IZ_PolicyUserdataPersistence_7_IZ_Partname1606; + [Write, Description("Web sites in less privileged Web content zones can navigate into this zone (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyZoneElevationURLaction_7; + [Write, Description("Web sites in less privileged Web content zones can navigate into this zone - Depends on IZ_PolicyZoneElevationURLaction_7 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyZoneElevationURLaction_7_IZ_Partname2101; + [Write, Description("Don't run antimalware programs against ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_5; + [Write, Description("Don't run antimalware programs against ActiveX controls - Depends on IZ_PolicyAntiMalwareCheckingOfActiveXControls_5 (3: Enable, 0: Disable)"), ValueMap{"3", "0"}, Values{"3", "0"}] String IZ_PolicyAntiMalwareCheckingOfActiveXControls_5_IZ_Partname270C; + [Write, Description("Initialize and script ActiveX controls not marked as safe (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyScriptActiveXNotMarkedSafe_5; + [Write, Description("Initialize and script ActiveX controls not marked as safe - Depends on IZ_PolicyScriptActiveXNotMarkedSafe_5 (0: Enable, 3: Disable, 1: Prompt)"), ValueMap{"0", "3", "1"}, Values{"0", "3", "1"}] String IZ_PolicyScriptActiveXNotMarkedSafe_5_IZ_Partname1201; + [Write, Description("Java permissions (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyJavaPermissions_5; + [Write, Description("Java permissions - Depends on IZ_PolicyJavaPermissions_5 (65536: High safety, 131072: Medium safety, 196608: Low safety, 8388608: Custom, 0: Disable Java)"), ValueMap{"65536", "131072", "196608", "8388608", "0"}, Values{"65536", "131072", "196608", "8388608", "0"}] String 
IZ_PolicyJavaPermissions_5_IZ_Partname1C00; + [Write, Description("Turn on certificate address mismatch warning (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IZ_PolicyWarnCertMismatch; + [Write, Description("Prevent bypassing SmartScreen Filter warnings (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableSafetyFilterOverride; + [Write, Description("Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableSafetyFilterOverrideForAppRepUnknown; + [Write, Description("Prevent managing SmartScreen Filter (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Disable_Managing_Safety_Filter_IE9; + [Write, Description("Select SmartScreen Filter mode - Depends on Disable_Managing_Safety_Filter_IE9 (0: Off, 1: On)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IE9SafetyFilterOptions; + [Write, Description("Prevent per-user installation of ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisablePerUserActiveXInstall; + [Write, Description("Remove "Run this time" button for outdated ActiveX controls in Internet Explorer (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String VerMgmtDisableRunThisTime; + [Write, Description("Turn off blocking of outdated ActiveX controls for Internet Explorer (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String VerMgmtDisable; + [Write, Description("Allow fallback to SSL 3.0 (Internet Explorer) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Advanced_EnableSSL3Fallback; + [Write, Description("Allow insecure fallback for: - Depends on Advanced_EnableSSL3Fallback (0: No Sites, 1: Non-Protected Mode Sites, 3: All Sites)"), ValueMap{"0", "1", "3"}, Values{"0", "1", "3"}] String Advanced_EnableSSL3FallbackOptions; + [Write, 
Description("Internet Explorer Processes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IESF_PolicyExplorerProcesses_5; + [Write, Description("Internet Explorer Processes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IESF_PolicyExplorerProcesses_6; + [Write, Description("Internet Explorer Processes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IESF_PolicyExplorerProcesses_3; + [Write, Description("Internet Explorer Processes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IESF_PolicyExplorerProcesses_10; + [Write, Description("Internet Explorer Processes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IESF_PolicyExplorerProcesses_9; + [Write, Description("Internet Explorer Processes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IESF_PolicyExplorerProcesses_11; + [Write, Description("Internet Explorer Processes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IESF_PolicyExplorerProcesses_12; + [Write, Description("Internet Explorer Processes (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IESF_PolicyExplorerProcesses_8; + [Write, Description("Security Zones: Do not allow users to add/delete sites (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Security_zones_map_edit; + [Write, Description("Security Zones: Do not allow users to change policies (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Security_options_edit; + [Write, Description("Security Zones: Use only machine settings (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Security_HKLM_only; + [Write, Description("Specify use of ActiveX Installer Service for installation of ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String OnlyUseAXISForActiveXInstall; + [Write, Description("Turn off 
Crash Detection (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AddonManagement_RestrictCrashDetection; + [Write, Description("Turn off the Security Settings Check feature (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Disable_Security_Settings_Check; + [Write, Description("Configure the 'Block at First Sight' feature (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableBlockAtFirstSeen; + [Write, Description("Turn on process scanning whenever real-time protection is enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RealtimeProtection_DisableScanOnRealtimeEnable; + [Write, Description("Scan packed executables (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Scan_DisablePackedExeScanning; + [Write, Description("Turn off routine remediation (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableRoutinelyTakingAction; + [Write, Description("Do not allow passwords to be saved (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String TS_CLIENT_DISABLE_PASSWORD_SAVING_2; + [Write, Description("Do not allow drive redirection (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String TS_CLIENT_DRIVE_M; + [Write, Description("Always prompt for password upon connection (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String TS_PASSWORD; + [Write, Description("Require secure RPC communication (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String TS_RPC_ENCRYPTION; + [Write, Description("Set client connection encryption level (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String TS_ENCRYPTION_POLICY; + [Write, Description("Encryption Level - Depends on TS_ENCRYPTION_POLICY (1: Low Level, 2: Client Compatible, 3: High Level)"), ValueMap{"1", "2", "3"}, Values{"1", "2", "3"}] String TS_ENCRYPTION_LEVEL; + [Write, 
Description("Prevent downloading of enclosures (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Disable_Downloading_of_Enclosures; + [Write, Description("Enable MPR notifications for the system (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableMPRNotifications; + [Write, Description("Sign-in and lock last interactive user automatically after a restart (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AutomaticRestartSignOn; + [Write, Description("Turn on PowerShell Script Block Logging (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableScriptBlockLogging; + [Write, Description("Log script block invocation start / stop events: - Depends on EnableScriptBlockLogging (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableScriptBlockInvocationLogging; + [Write, Description("Allow Basic authentication (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowBasic_2; + [Write, Description("Allow unencrypted traffic (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowUnencrypted_2; + [Write, Description("Disallow Digest authentication (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisallowDigest; + [Write, Description("Allow Basic authentication (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowBasic_1; + [Write, Description("Allow unencrypted traffic (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowUnencrypted_1; + [Write, Description("Disallow WinRM from storing RunAs credentials (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableRunAs; + [Write, Description("Account Logon Audit Credential Validation (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AccountLogon_AuditCredentialValidation; + [Write, 
Description("Account Logon Logoff Audit Account Lockout (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AccountLogonLogoff_AuditAccountLockout; + [Write, Description("Account Logon Logoff Audit Group Membership (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AccountLogonLogoff_AuditGroupMembership; + [Write, Description("Account Logon Logoff Audit Logon (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AccountLogonLogoff_AuditLogon; + [Write, Description("Audit Authentication Policy Change (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String PolicyChange_AuditAuthenticationPolicyChange; + [Write, Description("Audit Changes to Audit Policy (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String PolicyChange_AuditPolicyChange; + [Write, Description("Audit File Share Access (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String ObjectAccess_AuditFileShare; + [Write, Description("Audit Other Logon Logoff Events (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AccountLogonLogoff_AuditOtherLogonLogoffEvents; + [Write, Description("Audit Security Group Management (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AccountManagement_AuditSecurityGroupManagement; + [Write, Description("Audit Security System Extension (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String System_AuditSecuritySystemExtension; + [Write, 
Description("Audit Special Logon (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AccountLogonLogoff_AuditSpecialLogon; + [Write, Description("Audit User Account Management (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String AccountManagement_AuditUserAccountManagement; + [Write, Description("Detailed Tracking Audit PNP Activity (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String DetailedTracking_AuditPNPActivity; + [Write, Description("Detailed Tracking Audit Process Creation (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String DetailedTracking_AuditProcessCreation; + [Write, Description("Object Access Audit Detailed File Share (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String ObjectAccess_AuditDetailedFileShare; + [Write, Description("Object Access Audit Other Object Access Events (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String ObjectAccess_AuditOtherObjectAccessEvents; + [Write, Description("Object Access Audit Removable Storage (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String ObjectAccess_AuditRemovableStorage; + [Write, Description("Policy Change Audit MPSSVC Rule Level Policy Change (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String PolicyChange_AuditMPSSVCRuleLevelPolicyChange; + [Write, Description("Policy Change Audit Other Policy Change Events (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] 
String PolicyChange_AuditOtherPolicyChangeEvents; + [Write, Description("Privilege Use Audit Sensitive Privilege Use (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String PrivilegeUse_AuditSensitivePrivilegeUse; + [Write, Description("System Audit Other System Events (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String System_AuditOtherSystemEvents; + [Write, Description("System Audit Security State Change (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String System_AuditSecurityStateChange; + [Write, Description("System Audit System Integrity (0: Off/None, 1: Success, 2: Failure, 3: Success+Failure)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String System_AuditSystemIntegrity; + [Write, Description("Allow Password Manager (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowPasswordManager; + [Write, Description("Allow Smart Screen (0: Turned off. Do not protect users from potential threats and prevent users from turning it on., 1: Turned on. Protect users from potential threats and prevent users from turning it off.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowSmartScreen; + [Write, Description("Prevent Cert Error Overrides (0: Allowed/turned on. Override the security warning to sites that have SSL errors., 1: Prevented/turned on.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventCertErrorOverrides; + [Write, Description("Prevent Smart Screen Prompt Override (0: Allowed/turned off. Users can ignore the warning and continue to the site., 1: Prevented/turned on.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Browser_PreventSmartScreenPromptOverride; + [Write, Description("Prevent Smart Screen Prompt Override For Files (0: Allowed/turned off. 
Users can ignore the warning and continue to download the unverified file(s)., 1: Prevented/turned on.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventSmartScreenPromptOverrideForFiles; + [Write, Description("Allow Direct Memory Access (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowDirectMemoryAccess; + [Write, Description("Allow Archive Scanning (0: Not allowed. Turns off scanning on archived files., 1: Allowed. Scans the archive files.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowArchiveScanning; + [Write, Description("Allow Behavior Monitoring (0: Not allowed. Turns off behavior monitoring., 1: Allowed. Turns on real-time behavior monitoring.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowBehaviorMonitoring; + [Write, Description("Allow Cloud Protection (0: Not allowed. Turns off the Microsoft Active Protection Service., 1: Allowed. Turns on the Microsoft Active Protection Service.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowCloudProtection; + [Write, Description("Allow Full Scan Removable Drive Scanning (0: Not allowed. Turns off scanning on removable drives., 1: Allowed. Scans removable drives.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowFullScanRemovableDriveScanning; + [Write, Description("Allow On Access Protection (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowOnAccessProtection; + [Write, Description("Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. 
Turns on and runs the real-time monitoring service.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowRealtimeMonitoring; + [Write, Description("Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowIOAVProtection; + [Write, Description("Allow Script Scanning (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowScriptScanning; + [Write, Description("Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutionOfPotentiallyObfuscatedScripts; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWin32APICallsFromOfficeMacros; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions[]; + [Write, Description("Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: 
Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeCommunicationAppFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAllOfficeApplicationsFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAdobeReaderFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions[]; + [Write, Description("Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", 
"audit", "warn"}] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWebshellCreationForServers; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockWebshellCreationForServers_ASROnlyPerRuleExclusions[]; + [Write, Description("Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUntrustedUnsignedProcessesThatRunFromUSB; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions[]; + [Write, Description("Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockPersistenceThroughWMIEventSubscription; + [Write, Description("[PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUseOfCopiedOrImpersonatedSystemTools; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions[]; + [Write, Description("Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: 
Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAbuseOfExploitedVulnerableSignedDrivers; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions[]; + [Write, Description("Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockProcessCreationsFromPSExecAndWMICommands; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromCreatingExecutableContent; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("[PREVIEW] Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockRebootingMachineInSafeMode; + [Write, 
Description("ASR Only Per Rule Exclusions")] String BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions[]; + [Write, Description("Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String UseAdvancedProtectionAgainstRansomware; + [Write, Description("ASR Only Per Rule Exclusions")] String UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions[]; + [Write, Description("Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableContentFromEmailClientAndWebmail; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions[]; + [Write, Description("Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance)"), ValueMap{"0", "2", "4", "6"}, Values{"0", "2", "4", "6"}] String CloudBlockLevel; + [Write, Description("Cloud Extended Timeout")] SInt32 CloudExtendedTimeout; + [Write, Description("Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableLocalAdminMerge; + [Write, Description("Enable File Hash Computation (0: Disable, 1: Enable)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableFileHashComputation; + [Write, Description("Enable Network Protection (0: Disabled, 1: Enabled (block mode), 2: Enabled (audit mode))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String EnableNetworkProtection; + [Write, Description("Hide Exclusions From Local Admins (1: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not 
configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.)"), ValueMap{"1", "0"}, Values{"1", "0"}] String HideExclusionsFromLocalAdmins; + [Write, Description("PUA Protection (0: PUA Protection off. Windows Defender will not protect against potentially unwanted applications., 1: PUA Protection on. Detected items are blocked. They will show in history along with other threats., 2: Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String PUAProtection; + [Write, Description("Real Time Scan Direction (0: Monitor all files (bi-directional)., 1: Monitor incoming files., 2: Monitor outgoing files.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String RealTimeScanDirection; + [Write, Description("Submit Samples Consent (0: Always prompt., 1: Send safe samples automatically., 2: Never send., 3: Send all samples automatically.)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String SubmitSamplesConsent; + [Write, Description("Configure System Guard Launch (0: Unmanaged Configurable by Administrative user, 1: Unmanaged Enables Secure Launch if supported by hardware, 2: Unmanaged Disables Secure Launch)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String ConfigureSystemGuardLaunch; + [Write, Description("Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LsaCfgFlags; + [Write, Description("Enable Virtualization Based Security (0: disable virtualization based security., 1: 
enable virtualization based security.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableVirtualizationBasedSecurity; + [Write, Description("Require Platform Security Features (1: Turns on VBS with Secure Boot., 3: Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.)"), ValueMap{"1", "3"}, Values{"1", "3"}] String RequirePlatformSecurityFeatures; + [Write, Description("Device Password Enabled (0: Enabled, 1: Disabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DevicePasswordEnabled; + [Write, Description("Device Password Expiration - Depends on DevicePasswordEnabled")] SInt32 DevicePasswordExpiration; + [Write, Description("Min Device Password Length - Depends on DevicePasswordEnabled")] SInt32 MinDevicePasswordLength; + [Write, Description("Alphanumeric Device Password Required - Depends on DevicePasswordEnabled (0: Password or Alphanumeric PIN required., 1: Password or Numeric PIN required., 2: Password, Numeric PIN, or Alphanumeric PIN required.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String AlphanumericDevicePasswordRequired; + [Write, Description("Min Device Password Complex Characters (1: Digits only, 2: Digits and lowercase letters are required, 3: Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts, 4: Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop)"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] String MinDevicePasswordComplexCharacters; + [Write, Description("Max Device Password Failed Attempts - Depends on DevicePasswordEnabled")] SInt32 MaxDevicePasswordFailedAttempts; + [Write, Description("Min Device Password Complex Characters - Depends on DevicePasswordEnabled (1: Digits only, 2: Digits and lowercase letters are required, 3: Digits lowercase letters and uppercase letters are required. 
Not supported in desktop Microsoft accounts and domain accounts, 4: Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop)"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] String MinDevicePasswordComplexCharacters; + [Write, Description("Max Inactivity Time Device Lock - Depends on DevicePasswordEnabled")] SInt32 MaxInactivityTimeDeviceLock; + [Write, Description("Device Password History - Depends on DevicePasswordEnabled")] SInt32 DevicePasswordHistory; + [Write, Description("Allow Simple Device Password - Depends on DevicePasswordEnabled (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowSimpleDevicePassword; + [Write, Description("Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive))"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String DeviceEnumerationPolicy; + [Write, Description("Enable Insecure Guest Logons (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableInsecureGuestLogons; + [Write, Description("Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly; + [Write, Description("Interactive Logon Machine Inactivity Limit")] SInt32 InteractiveLogon_MachineInactivityLimit; + [Write, Description("Interactive Logon Smart Card Removal Behavior (0: No Action, 1: Lock Workstation, 2: Force Logoff, 3: Disconnect if a Remote Desktop Services session)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String InteractiveLogon_SmartCardRemovalBehavior; + [Write, Description("Microsoft Network Client Digitally Sign Communications Always (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String MicrosoftNetworkClient_DigitallySignCommunicationsAlways; + [Write, Description("Microsoft Network 
Client Send Unencrypted Password To Third Party SMB Servers (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers; + [Write, Description("Microsoft Network Server Digitally Sign Communications Always (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String MicrosoftNetworkServer_DigitallySignCommunicationsAlways; + [Write, Description("Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts (1: Enabled, 0: Disabled)"), ValueMap{"1", "0"}, Values{"1", "0"}] String NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts; + [Write, Description("Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares (1: Enabled, 0: Disabled)"), ValueMap{"1", "0"}, Values{"1", "0"}] String NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares; + [Write, Description("Network Access Restrict Anonymous Access To Named Pipes And Shares (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares; + [Write, Description("Network Access Restrict Clients Allowed To Make Remote Calls To SAM")] String NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM; + [Write, Description("Network Security Do Not Store LAN Manager Hash Value On Next Password Change (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange; + [Write, Description("Network Security LAN Manager Authentication Level (0: Send LM and NTLM responses, 1: Send LM and NTLM-use NTLMv2 session security if negotiated, 2: Send LM and NTLM responses only, 3: Send LM and NTLMv2 responses only, 4: Send LM and NTLMv2 responses only. Refuse LM, 5: Send LM and NTLMv2 responses only. 
Refuse LM and NTLM)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String NetworkSecurity_LANManagerAuthenticationLevel; + [Write, Description("Network Security Minimum Session Security For NTLMSSP Based Clients (0: None, 524288: Require NTLMv2 session security, 536870912: Require 128-bit encryption, 537395200: Require NTLM and 128-bit encryption)"), ValueMap{"0", "524288", "536870912", "537395200"}, Values{"0", "524288", "536870912", "537395200"}] String NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients; + [Write, Description("Network Security Minimum Session Security For NTLMSSP Based Servers (0: None, 524288: Require NTLMv2 session security, 536870912: Require 128-bit encryption, 537395200: Require NTLM and 128-bit encryption)"), ValueMap{"0", "524288", "536870912", "537395200"}, Values{"0", "524288", "536870912", "537395200"}] String NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers; + [Write, Description("User Account Control Behavior Of The Elevation Prompt For Administrators (0: Elevate without prompting, 1: Prompt for credentials on the secure desktop, 2: Prompt for consent on the secure desktop, 3: Prompt for credentials, 4: Prompt for consent, 5: Prompt for consent for non-Windows binaries)"), ValueMap{"0", "1", "2", "3", "4", "5"}, Values{"0", "1", "2", "3", "4", "5"}] String UserAccountControl_BehaviorOfTheElevationPromptForAdministrators; + [Write, Description("User Account Control Behavior Of The Elevation Prompt For Standard Users (0: Automatically deny elevation requests, 1: Prompt for credentials on the secure desktop, 3: Prompt for credentials)"), ValueMap{"0", "1", "3"}, Values{"0", "1", "3"}] String UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers; + [Write, Description("User Account Control Detect Application Installations And Prompt For Elevation (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String 
UserAccountControl_DetectApplicationInstallationsAndPromptForElevation; + [Write, Description("User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations (0: Disabled: Application runs with UIAccess integrity even if it does not reside in a secure location., 1: Enabled: Application runs with UIAccess integrity only if it resides in secure location.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations; + [Write, Description("User Account Control Run All Administrators In Admin Approval Mode (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String UserAccountControl_RunAllAdministratorsInAdminApprovalMode; + [Write, Description("User Account Control Use Admin Approval Mode (1: Enable, 0: Disable)"), ValueMap{"1", "0"}, Values{"1", "0"}] String UserAccountControl_UseAdminApprovalMode; + [Write, Description("User Account Control Virtualize File And Registry Write Failures To Per User Locations (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations; + [Write, Description("Configure Lsa Protected Process (0: Disabled. Default value. LSA will not run as protected process., 1: Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked., 2: Enabled without UEFI lock. 
LSA will run as protected process and this configuration is not UEFI locked.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String ConfigureLsaProtectedProcess; + [Write, Description("Allow Game DVR (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowGameDVR; + [Write, Description("MSI Allow User Control Over Install (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MSIAllowUserControlOverInstall; + [Write, Description("MSI Always Install With Elevated Privileges (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MSIAlwaysInstallWithElevatedPrivileges; + [Write, Description("Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenEnabled; + [Write, Description("Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftEdge_~SmartScreen_PreventSmartScreenPromptOverride; + [Write, Description("Let Apps Activate With Voice Above Lock (0: User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device., 1: Force allow. Windows apps can be activated by voice while the screen is locked, and users cannot change it., 2: Force deny. 
Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LetAppsActivateWithVoiceAboveLock; + [Write, Description("Allow Indexing Encrypted Stores Or Items (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowIndexingEncryptedStoresOrItems; + [Write, Description("Enable Smart Screen In Shell (0: Disabled., 1: Enabled.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableSmartScreenInShell; + [Write, Description("Notify Malicious (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NotifyMalicious; + [Write, Description("Notify Password Reuse (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NotifyPasswordReuse; + [Write, Description("Notify Unsafe App (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NotifyUnsafeApp; + [Write, Description("Service Enabled (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ServiceEnabled; + [Write, Description("Prevent Override For Files In Shell (0: Do not prevent override., 1: Prevent override.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String PreventOverrideForFilesInShell; + [Write, Description("Configure Xbox Accessory Management Service Startup Mode (2: Automatic, 3: Manual, 4: Disabled)"), ValueMap{"2", "3", "4"}, Values{"2", "3", "4"}] String ConfigureXboxAccessoryManagementServiceStartupMode; + [Write, Description("Configure Xbox Live Auth Manager Service Startup Mode (2: Automatic, 3: Manual, 4: Disabled)"), ValueMap{"2", "3", "4"}, Values{"2", "3", "4"}] String ConfigureXboxLiveAuthManagerServiceStartupMode; + [Write, Description("Configure Xbox Live Game Save Service Startup Mode (2: Automatic, 3: Manual, 4: Disabled)"), ValueMap{"2", "3", "4"}, Values{"2", "3", "4"}] String ConfigureXboxLiveGameSaveServiceStartupMode; + [Write, Description("Configure Xbox Live Networking Service Startup Mode (2: 
Automatic, 3: Manual, 4: Disabled)"), ValueMap{"2", "3", "4"}, Values{"2", "3", "4"}] String ConfigureXboxLiveNetworkingServiceStartupMode; + [Write, Description("Enable Xbox Game Save Task (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableXboxGameSaveTask; + [Write, Description("Access From Network")] String AccessFromNetwork[]; + [Write, Description("Allow Local Log On")] String AllowLocalLogOn[]; + [Write, Description("Backup Files And Directories")] String BackupFilesAndDirectories[]; + [Write, Description("Create Global Objects")] String CreateGlobalObjects[]; + [Write, Description("Create Page File")] String CreatePageFile[]; + [Write, Description("Debug Programs")] String DebugPrograms[]; + [Write, Description("Deny Access From Network")] String DenyAccessFromNetwork[]; + [Write, Description("Deny Remote Desktop Services Log On")] String DenyRemoteDesktopServicesLogOn[]; + [Write, Description("Impersonate Client")] String ImpersonateClient[]; + [Write, Description("Load Unload Device Drivers")] String LoadUnloadDeviceDrivers[]; + [Write, Description("Manage Auditing And Security Log")] String ManageAuditingAndSecurityLog[]; + [Write, Description("Manage Volume")] String ManageVolume[]; + [Write, Description("Modify Firmware Environment")] String ModifyFirmwareEnvironment[]; + [Write, Description("Profile Single Process")] String ProfileSingleProcess[]; + [Write, Description("Remote Shutdown")] String RemoteShutdown[]; + [Write, Description("Restore Files And Directories")] String RestoreFilesAndDirectories[]; + [Write, Description("Take Ownership")] String TakeOwnership[]; + [Write, Description("Hypervisor Enforced Code Integrity (0: (Disabled) Turns off Hypervisor-Protected Code Integrity remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock., 2: (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock.)"), 
ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String HypervisorEnforcedCodeIntegrity;
+ [Write, Description("Allow Auto Connect To Wi Fi Sense Hotspots (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowAutoConnectToWiFiSenseHotspots;
+ [Write, Description("Allow Internet Sharing (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowInternetSharing;
+ [Write, Description("Facial Features Use Enhanced Anti Spoofing (false: Disabled, true: Enabled)"), ValueMap{"false", "true"}, Values{"false", "true"}] String FacialFeaturesUseEnhancedAntiSpoofing;
+ [Write, Description("Allow Windows Ink Workspace (0: access to ink workspace is disabled. The feature is turned off., 1: ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen., 2: ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String AllowWindowsInkWorkspace;
+ [Write, Description("Backup Directory (0: Disabled (password will not be backed up), 1: Backup the password to Azure AD only, 2: Backup the password to Active Directory only)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String BackupDirectory;
+ [Write, Description("AD Encrypted Password History Size - Depends on BackupDirectory")] SInt32 ADEncryptedPasswordHistorySize;
+ [Write, Description("Password Age Days - Depends on BackupDirectory")] SInt32 passwordagedays;
+ [Write, Description("AD Password Encryption Enabled - Depends on BackupDirectory (false: Store the password in clear-text form in Active Directory, true: Store the password in encrypted form in Active Directory)"), ValueMap{"false", "true"}, Values{"false", "true"}] String ADPasswordEncryptionEnabled;
+ [Write, Description("Password Age Days - Depends on BackupDirectory")] SInt32 passwordagedays_aad;
+ [Write, Description("AD Password Encryption Principal - Depends on 
BackupDirectory")] String ADPasswordEncryptionPrincipal;
+ [Write, Description("Password Expiration Protection Enabled - Depends on BackupDirectory (false: Allow configured password expiriration timestamp to exceed maximum password age, true: Do not allow configured password expiriration timestamp to exceed maximum password age)"), ValueMap{"false", "true"}, Values{"false", "true"}] String PasswordExpirationProtectionEnabled;
+};
+
+[ClassVersion("1.0.0.0")]
+class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10
+{
+ [Write, Description("Turn off toast notifications on the lock screen (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NoLockScreenToastNotification;
+ [Write, Description("Turn on the auto-complete feature for user names and passwords on forms (User) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String RestrictFormSuggestPW;
+ [Write, Description("Prompt me to save passwords (User) - Depends on RestrictFormSuggestPW (0: False, 1: True)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ChkBox_PasswordAsk;
+ [Write, Description("Allow Windows Spotlight (User) (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowWindowsSpotlight;
+ [Write, Description("Allow Windows Tips - Depends on AllowWindowsSpotlight (0: Disabled., 1: Enabled.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowWindowsTips;
+ [Write, Description("Allow Tailored Experiences With Diagnostic Data (User) - Depends on AllowWindowsSpotlight (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowTailoredExperiencesWithDiagnosticData;
+ [Write, Description("Allow Windows Spotlight On Action Center (User) - Depends on AllowWindowsSpotlight (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowWindowsSpotlightOnActionCenter;
+ [Write, Description("Allow Windows Consumer Features - Depends on AllowWindowsSpotlight (0: 
Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowWindowsConsumerFeatures;
+ [Write, Description("Configure Windows Spotlight On Lock Screen (User) - Depends on AllowWindowsSpotlight (0: Windows spotlight disabled., 1: Windows spotlight enabled., 2: Windows spotlight is always enabled, the user cannot disable it, 3: Windows spotlight is always enabled, the user cannot disable it. For special configurations only)"), ValueMap{"0", "1", "2", "3"}, Values{"0", "1", "2", "3"}] String ConfigureWindowsSpotlightOnLockScreen;
+ [Write, Description("Allow Windows Spotlight Windows Welcome Experience (User) - Depends on AllowWindowsSpotlight (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowWindowsSpotlightWindowsWelcomeExperience;
+ [Write, Description("Allow Third Party Suggestions In Windows Spotlight (User) - Depends on AllowWindowsSpotlight (0: Third-party suggestions not allowed., 1: Third-party suggestions allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowThirdPartySuggestionsInWindowsSpotlight;
+};
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneSecurityBaselineWindows10")]
+class MSFT_IntuneSecurityBaselineWindows10 : OMI_BaseResource
+{
+ [Write, Description("Policy description")] String Description;
+ [Key, Description("Policy name")] String DisplayName;
+ [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
+ [Weite, Description("The unique identifier for an entity. 
Read-only.")] String Id;
+ [Write, Description(""), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10")] String DeviceSettings;
+ [Write, Description(""), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10")] String UserSettings;
+
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/readme.md
new file mode 100644
index 0000000000..05204b24bb
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneSecurityBaselineWindows10
+
+## Description
+
+Intune Security Baseline for Windows10
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json
new file mode 100644
index 0000000000..0c9bd6badf
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json
@@ -0,0 +1,39 @@
+{
+ "resourceName": "IntuneSecurityBaselineWindows10",
+ "description": "This resource configures an Intune Security Baseline for Windows10.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name": "Group.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Group.Read.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name": "Group.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "Group.Read.All"
+ }
+ ]
+ }
+ }
+}
+
+}
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1
new file mode 100644
index 0000000000..87ecd5912a
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1
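Review bot: The `update` permission lists for both the delegated and application flows declare only `Group.Read.All`, while the resource's Set path creates, updates and removes configuration policies (the test file mocks `New-`, `Update-` and `Remove-MgBetaDeviceManagementConfigurationPolicy`), so an identity granted exactly the declared scopes can read a baseline but every Set-TargetResource call would be refused. The sibling Defender for Endpoint resource in this series declares `DeviceManagementConfiguration.ReadWrite.All` under `update`; add `{ "name": "DeviceManagementConfiguration.ReadWrite.All" }` to both `update` arrays here so the documented least-privilege grant matches what the resource actually calls. `Group.Read.All` is still needed for resolving assignment targets, so it stays.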
@@ -0,0 +1,495 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneSecurityBaselineWindows10" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + } + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return @{ + Id = '12345-12345-12345-12345-12345' + Description = 'My Test' + Name = 'My Test' + RoleScopeTagIds = @("FakeStringValue") + TemplateReference = @{ + TemplateId = '66df8dce-0166-4b82-92f7-1f74e3ca17a3_1' + } + } + } + + Mock -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -MockWith { + } + + Mock -CommandName Update-IntuneDeviceConfigurationPolicy -MockWith { + } + + Mock -CommandName Get-IntuneSettingCatalogPolicySetting -MockWith { + } + + 
Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicySetting -MockWith { + return @( + @{ + Id = '0' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel' + Name = 'Pol_MSS_DisableIPSourceRoutingIPv6' + OffsetUri = '/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Enabled' + itemId = 'device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel_1' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel_disableipsourceroutingipv6' + Name = 'DisableIPSourceRoutingIPv6' + OffsetUri = '/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='No additional protection, source routed packets are allowed' + itemId = 'device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel_disableipsourceroutingipv6_0' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel_1' + parentSettingId = 'device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel' + } + ) + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'd26001a0-5e2d-4f45-94f6-a8fb15b016d8' + } + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" + choiceSettingValue = @{ + children = @( + @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel_disableipsourceroutingipv6' + '@odata.type' = 
"#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" + choiceSettingValue = @{ + children = @() + value = "device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel_disableipsourceroutingipv6_0" + } + } + ) + value = "device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel_1" + } + } + } + } + @{ + Id = '1' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths' + Name = 'Pol_HardenedPaths' + OffsetUri = '/Config/Connectivity/HardenedUNCPaths' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + options=@( + @{ + name ='Enabled' + itemId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_1' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths' + Name = 'Pol_HardenedPaths' + OffsetUri = '/Config/Connectivity/HardenedUNCPaths' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + maximumCount = 600 + minimumCount = 1 + childIds = @( + 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths_key', + 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths_value' + ) + + } + }, + @{ + Id = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths_value' + Name = 'Pol_HardenedPaths' + OffsetUri = '/Config/Connectivity/HardenedUNCPaths' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths' + parentSettingId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths' + } + ) + } + }, + @{ + Id = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths_key' 
+ Name = 'Pol_HardenedPaths' + OffsetUri = '/Config/Connectivity/HardenedUNCPaths' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths' + parentSettingId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths' + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'd26001a0-5e2d-4f45-94f6-a8fb15b016d8' + } + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" + choiceSettingValue = @{ + children = @( + @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths' + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance" + groupSettingCollectionValue = @{ + children = @( + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths_value' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = 'RequireMutualAuthentication=1,RequireIntegrity=1' + } + }, + @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths_key' + simpleSettingValue = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue' + value = '\\*\SYSVOL' + } + } + ) + } + } + ) + value = "device_vendor_msft_policy_config_connectivity_hardeneduncpaths_1" + } + } + } + } + @{ + Id = '2' + SettingDefinitions = @( + @{ + Id = 
'user_vendor_msft_policy_config_experience_allowwindowsspotlight' + Name = 'AllowWindowsSpotlight' + OffsetUri = '/Config/Experience/AllowWindowsSpotlight' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Allowed.' + itemId = 'user_vendor_msft_policy_config_experience_allowwindowsspotlight_1' + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'user_vendor_msft_policy_config_experience_allowwindowsspotlight' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = 'bb79e6fc-a957-476b-b8a1-0a7b1ac81c6a' + } + AdditionalProperties = @{ + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance" + choiceSettingValue = @{ + children = @() + value = "user_vendor_msft_policy_config_experience_allowwindowsspotlight_1" + } + } + } + + } + ) + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicyAssignment -MockWith { + return @(@{ + Id = '12345-12345-12345-12345-12345' + Source = 'direct' + SourceId = '12345-12345-12345-12345-12345' + Target = @{ + DeviceAndAppManagementAssignmentFilterId = '12345-12345-12345-12345-12345' + DeviceAndAppManagementAssignmentFilterType = 'none' + AdditionalProperties = @( + @{ + '@odata.type' = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + } + ) + } + }) + } + + } + # Test contexts + Context -Name "The IntuneSecurityBaselineWindows10 should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName 
MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 -Property @{ + Pol_MSS_DisableIPSourceRoutingIPv6 = '1' + DisableIPSourceRoutingIPv6 = '0' + HardenedUNCPaths_Pol_HardenedPaths = '1' + pol_hardenedpaths = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ + key = "\\*\SYSVOL" + value = "RequireMutualAuthentication=1,RequireIntegrity=1" + } -ClientOnly) + ) + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 -Property @{ + AllowWindowsSpotlight = '1' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementConfigurationPolicy -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneSecurityBaselineWindows10 exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = 
'26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 -Property @{ + Pol_MSS_DisableIPSourceRoutingIPv6 = '1' + DisableIPSourceRoutingIPv6 = '0' + HardenedUNCPaths_Pol_HardenedPaths = '1' + pol_hardenedpaths = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ + key = "\\*\SYSVOL" + value = "RequireMutualAuthentication=1,RequireIntegrity=1" + } -ClientOnly) + ) + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 -Property @{ + AllowWindowsSpotlight = '1' + } -ClientOnly) + Ensure = "Absent" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 + } + } + + Context -Name "The IntuneSecurityBaselineWindows10 Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName 
MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 -Property @{ + Pol_MSS_DisableIPSourceRoutingIPv6 = '1' + DisableIPSourceRoutingIPv6 = '0' + HardenedUNCPaths_Pol_HardenedPaths = '1' + pol_hardenedpaths = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ + key = "\\*\SYSVOL" + value = "RequireMutualAuthentication=1,RequireIntegrity=1" + } -ClientOnly) + ) + } -ClientOnly) + Id = "12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 -Property @{ + AllowWindowsSpotlight = '1' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneSecurityBaselineWindows10 exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Assignments = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_DeviceManagementConfigurationPolicyAssignments -Property @{ + DataType = '#microsoft.graph.exclusionGroupAssignmentTarget' + groupId = '26d60dd1-fab6-47bf-8656-358194c1a49d' + deviceAndAppManagementAssignmentFilterType = 'none' + } -ClientOnly) + ) + Description = "My Test" + deviceSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 -Property @{ + Pol_MSS_DisableIPSourceRoutingIPv6 = '1' + DisableIPSourceRoutingIPv6 = '0' + HardenedUNCPaths_Pol_HardenedPaths = '1' + pol_hardenedpaths = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ + key = "\\*\SYSVOL" + value = "RequireMutualAuthentication=1,RequireIntegrity=1" + } -ClientOnly) + ) + } -ClientOnly) + Id = 
"12345-12345-12345-12345-12345" + DisplayName = "My Test" + RoleScopeTagIds = @("FakeStringValue") + userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 -Property @{ + AllowWindowsSpotlight = '0' + } -ClientOnly) + Ensure = "Present" + Credential = $Credential; + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-IntuneDeviceConfigurationPolicy -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + } + + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope From 855ddf429565d1d573c2d1a105977b1edac6cd0c Mon Sep 17 00:00:00 2001 
From: Elena Arganova Date: Thu, 21 Nov 2024 17:02:37 +0100 Subject: [PATCH 2/4] Add Intune Security Baseline for Windows 10 --- CHANGELOG.md | 4 + .../settings.json | 75 ++-- .../MSFT_IntuneSecurityBaselineWindows10.psm1 | 336 +++++++++--------- ...IntuneSecurityBaselineWindows10.schema.mof | 105 +++--- .../settings.json | 81 +++-- .../1-Create.ps1 | 53 +++ .../2-Update.ps1 | 53 +++ .../3-Remove.ps1 | 34 ++ .../M365DSCIntuneSettingsCatalogUtil.psm1 | 1 + ....IntuneSecurityBaselineWindows10.Tests.ps1 | 124 +++++-- 10 files changed, 563 insertions(+), 303 deletions(-) create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1 create mode 100644 Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/3-Remove.ps1 diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c48ff3231..f13627f53f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ # UNRELEASED +* IntuneSecurityBaselineDefenderForEndpoint + * Added Group.Read.All permission. +* IntuneSecurityBaselineWindows10 + * Initial release. * MISC * Removed hardcoded Graph urls and replaced by MSCloudLoginAssistant values. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json index 4e92507acb..0e0761a29f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineDefenderForEndpoint/settings.json 
@@ -1,33 +1,44 @@
 {
- "resourceName": "IntuneSecurityBaselineDefenderForEndpoint",
- "description": "This resource configures an Test Intune Security Baseline Defender For Endpoint.",
- "permissions": {
- "graph": {
- "delegated": {
- "read": [
- {
- "name": "DeviceManagementConfiguration.Read.All"
- }
- ],
- "update": [
- {
- "name": "DeviceManagementConfiguration.ReadWrite.All"
- }
- ]
- },
- "application": {
- "read": [
- {
- "name": "DeviceManagementConfiguration.Read.All"
- }
- ],
- "update": [
- {
- "name": "DeviceManagementConfiguration.ReadWrite.All"
- }
- ]
- }
- }
-}
-
-}
+ "resourceName":"IntuneSecurityBaselineDefenderForEndpoint",
+ "description":"This resource configures an Test Intune Security Baseline Defender For Endpoint.",
+ "permissions":{
+ "graph":{
+ "delegated":{
+ "read":[
+ {
+ "name":"Group.Read.All"
+ },
+ {
+ "name":"DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update":[
+ {
+ "name":"Group.Read.All"
+ },
+ {
+ "name":"DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application":{
+ "read":[
+ {
+ "name":"Group.Read.All"
+ },
+ {
+ "name":"DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update":[
+ {
+ "name":"Group.Read.All"
+ },
+ {
+ "name":"DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1
index 149ae81c24..d333fb4c85 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1
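Review bot: Every line of the permissions file is replaced (32 removed, 43 added) for what is functionally the addition of four `Group.Read.All` entries, because the `"key": "value"` spacing was changed to `"key":"value"` and the final newline was dropped (`\ No newline at end of file`). Permission manifests are the lines reviewers audit for scope creep, so keeping the original formatting and inserting only the new `{ "name": "Group.Read.All" }` objects would leave a diff of a few lines that can be checked at a glance. Restore the trailing newline in either case. The "an Test Intune Security Baseline" wording in `description` is carried over unchanged and could be fixed while touching this file.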
@@ -11,11 +11,11 @@ function Get-TargetResource [Parameter(Mandatory = $true)] [System.String] - $DisplayName, - + $DisplayName, + [Parameter()] [System.String[]] - $RoleScopeTagIds, + $RoleScopeTagIds, [Parameter()] [System.String] 
@@ -124,7 +124,121 @@ function Get-TargetResource #region resource generator code $complexDeviceSettings = @{} - # Add device settings with conditional checks + $attackSurfaceReductionRules = @{} + if ($null -ne $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) { + $attackSurfaceReductionRules.Add('BlockExecutionOfPotentiallyObfuscatedScripts', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) { + $attackSurfaceReductionRules.Add('BlockWin32APICallsFromOfficeMacros', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) + } + if ($null -ne $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) { + $attackSurfaceReductionRules.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion', $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) { + $attackSurfaceReductionRules.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) { + $attackSurfaceReductionRules.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) { + $attackSurfaceReductionRules.Add('BlockAdobeReaderFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) + } + if ($null -ne $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) { + $attackSurfaceReductionRules.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) + } + if ($null -ne $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) { + $attackSurfaceReductionRules.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) + } + if ($null -ne $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockWebshellCreationForServers) { + $attackSurfaceReductionRules.Add('BlockWebshellCreationForServers', $policySettings.DeviceSettings.blockWebshellCreationForServers) + } + if ($null -ne $policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockWebshellCreationForServers_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) { + $attackSurfaceReductionRules.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) + } + if ($null -ne $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) { + $attackSurfaceReductionRules.Add('BlockPersistenceThroughWMIEventSubscription', $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) + } + if ($null -ne $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) { + $attackSurfaceReductionRules.Add('BlockUseOfCopiedOrImpersonatedSystemTools', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) + } + if ($null -ne $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) { + $attackSurfaceReductionRules.Add('BlockAbuseOfExploitedVulnerableSignedDrivers', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) + } + if ($null -ne $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) { + 
$attackSurfaceReductionRules.Add('BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) { + $attackSurfaceReductionRules.Add('BlockProcessCreationsFromPSExecAndWMICommands', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) + } + if ($null -ne $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) { + $attackSurfaceReductionRules.Add('BlockOfficeApplicationsFromCreatingExecutableContent', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) { + $attackSurfaceReductionRules.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) + } + if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) { + 
$attackSurfaceReductionRules.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockRebootingMachineInSafeMode) { + $attackSurfaceReductionRules.Add('BlockRebootingMachineInSafeMode', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode) + } + if ($null -ne $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) { + $attackSurfaceReductionRules.Add('UseAdvancedProtectionAgainstRansomware', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) + } + if ($null -ne $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) { + $attackSurfaceReductionRules.Add('BlockExecutableContentFromEmailClientAndWebmail', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) + } + if ($null -ne $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) { + $attackSurfaceReductionRules.Add('BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) + } + if ($attackSurfaceReductionRules.values.Where({$null -ne $_}).Count -gt 0) 
{ + $complexDeviceSettings.Add('AttackSurfaceReductionRules', $attackSurfaceReductionRules) + } if ($null -ne $policySettings.DeviceSettings.cPL_Personalization_NoLockScreenCamera) { $complexDeviceSettings.Add('CPL_Personalization_NoLockScreenCamera', $policySettings.DeviceSettings.cPL_Personalization_NoLockScreenCamera) } 
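Review bot: The forty guarded `.Add` calls that fill `$attackSurfaceReductionRules` are one statement repeated with a different catalog name, and the closing `.values.Where({$null -ne $_}).Count -gt 0` test is redundant because every insertion is already gated on `$null -ne`; a name list plus a loop expresses the same mapping and makes it visible at a glance that `BlockPersistenceThroughWMIEventSubscription` is the one rule deliberately without an `_ASROnlyPerRuleExclusions` entry (which matches the settings catalog as far as I know, but deserves a comment either way, e.g. `# BlockPersistenceThroughWMIEventSubscription has no per-rule exclusion list in the catalog`). This file looks generated by the M365DSC resource generator, so the loop may belong in the generator template rather than in a hand edit. Get-TargetResource starts and ends outside the hunk.
```powershell
$attackSurfaceReductionRules = @{}
# Catalog names of the ASR rules, in PascalCase as stored in the DSC hashtable. Each rule
# also has a '<rule>_ASROnlyPerRuleExclusions' list, except
# BlockPersistenceThroughWMIEventSubscription, which the catalog exposes without one;
# a missing property simply resolves to $null and is skipped.
$asrRuleNames = @(
    'BlockExecutionOfPotentiallyObfuscatedScripts'
    'BlockWin32APICallsFromOfficeMacros'
    # … unchanged: the remaining rule names from the hunk, one per line …
    'BlockExecutableContentFromEmailClientAndWebmail'
)
foreach ($ruleName in $asrRuleNames)
{
    foreach ($settingName in @($ruleName, "${ruleName}_ASROnlyPerRuleExclusions"))
    {
        # Member lookup is case-insensitive, so the camelCase catalog property resolves.
        $settingValue = $policySettings.DeviceSettings.$settingName
        if ($null -ne $settingValue)
        {
            $attackSurfaceReductionRules.Add($settingName, $settingValue)
        }
    }
}
if ($attackSurfaceReductionRules.Count -gt 0)
{
    $complexDeviceSettings.Add('AttackSurfaceReductionRules', $attackSurfaceReductionRules)
}
```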
@@ -173,23 +287,27 @@ function Get-TargetResource if ($null -ne $policySettings.DeviceSettings.nC_ShowSharedAccessUI) { $complexDeviceSettings.Add('NC_ShowSharedAccessUI', $policySettings.DeviceSettings.nC_ShowSharedAccessUI) } - if ($null -ne $policySettings.DeviceSettings.hardenedUNCPaths_Pol_HardenedPaths) { - $complexDeviceSettings.Add('HardenedUNCPaths_Pol_HardenedPaths', $policySettings.DeviceSettings.hardenedUNCPaths_Pol_HardenedPaths) + if ($null -ne $policySettings.DeviceSettings.hardeneduncpaths_Pol_HardenedPaths) { + $complexDeviceSettings.Add('hardeneduncpaths_Pol_HardenedPaths', $policySettings.DeviceSettings.hardeneduncpaths_Pol_HardenedPaths) } - # Process complexPol_hardenedpaths array - $complexPol_hardenedpaths = @() - foreach ($currentPol_hardenedpaths in $policySettings.DeviceSettings.pol_hardenedpaths) - { - $myPol_hardenedpaths = @{} - if ($myPol_hardenedpaths.values.Where({$null -ne $_}).Count -gt 0) + if ($null -ne $policySettings.DeviceSettings.pol_hardenedPaths) { + $complexPol_hardenedpaths = @() + foreach ($currentPol_hardenedpaths in $policySettings.DeviceSettings.pol_hardenedPaths) { - $complexPol_hardenedpaths += $myPol_hardenedpaths + $myPol_hardenedpaths = @{} + if ($null -ne $currentPol_hardenedpaths.value) { + $myPol_hardenedpaths.Add('Value', $currentPol_hardenedpaths.value) + } + if ($null -ne $currentPol_hardenedpaths.Key) { + $myPol_hardenedpaths.Add('Key', $currentPol_hardenedpaths.key) + } + if ($myPol_hardenedpaths.values.Where({$null -ne $_}).Count -gt 0) + { + $complexPol_hardenedpaths += $myPol_hardenedpaths + } } - } - if ($complexPol_hardenedpaths.Count -gt 0) { - $complexDeviceSettings.Add('Pol_hardenedpaths', $complexPol_hardenedpaths) - } - # Continue adding device settings with conditional checks + $complexDeviceSettings.Add('pol_hardenedPaths', $complexPol_hardenedpaths) + } if ($null -ne $policySettings.DeviceSettings.wCM_BlockNonDomain) { $complexDeviceSettings.Add('WCM_BlockNonDomain', 
$policySettings.DeviceSettings.wCM_BlockNonDomain) } 
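Review bot: The `Count -gt 0` guard the old code had before adding `Pol_hardenedpaths` is gone, so when `pol_hardenedPaths` is present but every entry lacks both `key` and `value`, `$complexDeviceSettings` now carries an empty `pol_hardenedPaths` array where before the key was omitted; for the hardened-UNC-path setting that is the difference between "no hardened paths configured" and "configured with nothing", and Test-TargetResource may compare the two differently. Keeping `if ($complexPol_hardenedpaths.Count -gt 0) { $complexDeviceSettings.Add('pol_hardenedpaths', $complexPol_hardenedpaths) }` preserves the old behaviour. The key spelling also drifts: `hardeneduncpaths_Pol_HardenedPaths` and `pol_hardenedPaths` here versus `Name = 'pol_hardenedpaths'` in the Export-TargetResource mapping and the PascalCase of the neighbouring keys; hashtable lookups are case-insensitive by default, but a single spelling avoids depending on that. Get-TargetResource starts and ends outside the hunk.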
@@ -1152,118 +1270,7 @@ function Get-TargetResource } if ($null -ne $policySettings.DeviceSettings.allowScriptScanning) { $complexDeviceSettings.Add('AllowScriptScanning', $policySettings.DeviceSettings.allowScriptScanning) - } - if ($null -ne $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) { - $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) - } - if ($null -ne $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) { - $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) - } - if ($null -ne $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) { - $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion', $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) - } - if ($null -ne $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) { - $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) - } - if ($null -ne $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) { - $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) - } - if ($null -ne $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) { - $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) - } - if ($null -ne $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) - } - if ($null -ne 
$policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) { - $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) - } - if ($null -ne $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) { - $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) - } - if ($null -ne $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockWebshellCreationForServers) { - $complexDeviceSettings.Add('BlockWebshellCreationForServers', $policySettings.DeviceSettings.blockWebshellCreationForServers) - } - if ($null -ne $policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockWebshellCreationForServers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) { - 
$complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) - } - if ($null -ne $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) { - $complexDeviceSettings.Add('BlockPersistenceThroughWMIEventSubscription', $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) - } - if ($null -ne $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) { - $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) - } - if ($null -ne $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) { - $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) - } - if ($null -ne $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) { - 
$complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) - } - if ($null -ne $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) { - $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) - } - if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) { - $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) - } - if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockRebootingMachineInSafeMode) { - $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode) - } - 
if ($null -ne $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) { - $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) - } - if ($null -ne $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) - } - if ($null -ne $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) { - $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) - } - if ($null -ne $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) { - $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) - } + } if ($null -ne $policySettings.DeviceSettings.cloudBlockLevel) { $complexDeviceSettings.Add('CloudBlockLevel', $policySettings.DeviceSettings.cloudBlockLevel) } 
@@ -1315,12 +1322,12 @@ function Get-TargetResource if ($null -ne $policySettings.DeviceSettings.alphanumericDevicePasswordRequired) { $complexDeviceSettings.Add('AlphanumericDevicePasswordRequired', $policySettings.DeviceSettings.alphanumericDevicePasswordRequired) } - if ($null -ne $policySettings.DeviceSettings.minDevicePasswordComplexCharacters) { - $complexDeviceSettings.Add('MinDevicePasswordComplexCharacters', $policySettings.DeviceSettings.minDevicePasswordComplexCharacters) - } if ($null -ne $policySettings.DeviceSettings.maxDevicePasswordFailedAttempts) { $complexDeviceSettings.Add('MaxDevicePasswordFailedAttempts', $policySettings.DeviceSettings.maxDevicePasswordFailedAttempts) } + if ($null -ne $policySettings.DeviceSettings.minDevicePasswordComplexCharacters) { + $complexDeviceSettings.Add('MinDevicePasswordComplexCharacters', $policySettings.DeviceSettings.minDevicePasswordComplexCharacters) + } if ($null -ne $policySettings.DeviceSettings.maxInactivityTimeDeviceLock) { $complexDeviceSettings.Add('MaxInactivityTimeDeviceLock', $policySettings.DeviceSettings.maxInactivityTimeDeviceLock) } @@ -1542,9 +1549,9 @@ function Get-TargetResource } if ($null -ne $policySettings.DeviceSettings.passwordExpirationProtectionEnabled) { $complexDeviceSettings.Add('PasswordExpirationProtectionEnabled', $policySettings.DeviceSettings.passwordExpirationProtectionEnabled) - } - # Check if $complexDeviceSettings is empty - if ($complexDeviceSettings.Values.Where({ $null -ne $_ }).Count -eq 0) { + } + if ($complexDeviceSettings.Values.Where({ $null -ne $_ }).Count -eq 0) + { $complexDeviceSettings = $null } $policySettings.Remove('DeviceSettings') | Out-Null 
@@ -1589,15 +1596,13 @@ function Get-TargetResource $complexUserSettings = $null } $policySettings.Remove('UserSettings') | Out-Null - #endregion + #endregion $results = @{ #region resource generator code Description = $getValue.Description DisplayName = $getValue.Name - Platforms = $enumPlatforms RoleScopeTagIds = $getValue.RoleScopeTagIds - Technologies = $enumTechnologies Id = $getValue.Id DeviceSettings = $complexDeviceSettings UserSettings = $complexUserSettings @@ -1646,11 +1651,11 @@ function Set-TargetResource [Parameter(Mandatory = $true)] [System.String] - $DisplayName, - + $DisplayName, + [Parameter()] [System.String[]] - $RoleScopeTagIds, + $RoleScopeTagIds, [Parameter()] [System.String] @@ -1803,11 +1808,11 @@ function Test-TargetResource [Parameter(Mandatory = $true)] [System.String] - $DisplayName, - + $DisplayName, + [Parameter()] [System.String[]] - $RoleScopeTagIds, + $RoleScopeTagIds, [Parameter()] [System.String] @@ -2051,7 +2056,12 @@ function Export-TargetResource } @{ Name = 'pol_hardenedpaths' - CimInstanceName = 'MicrosoftGraphUNC' + CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths' + IsRequired = $False + } + @{ + Name = 'AttackSurfaceReductionRules' + CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules' IsRequired = $False } ) 
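Review bot: In the `@@ -2051` hunk the new mapping entry `Name = 'pol_hardenedpaths'` spells the key differently from the `pol_hardenedPaths` key that Get-TargetResource now writes into `$complexDeviceSettings`; Get-M365DSCDRGComplexTypeToString presumably matches mapping names against hashtable keys, and if that comparison is ordinal the nested entries are emitted without the `MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths` class, so one spelling should be used in both places. The identical mapping added for `UserSettings` in the following hunk needs the same spelling. In the `@@ -1589` hunk `Platforms` and `Technologies` leave `$results`; if `$enumPlatforms` and `$enumTechnologies` are still computed above, they are now dead, and the schema.mof should no longer declare those properties. Export-TargetResource starts and ends outside the hunk.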
@@ -2071,9 +2081,28 @@ function Export-TargetResource } if ($null -ne $Results.UserSettings) { + $complexMapping = @( + @{ + Name = 'UserSettings' + CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10' + IsRequired = $False + } + @{ + Name = 'pol_hardenedpaths' + CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths' + IsRequired = $False + } + @{ + Name = 'AttackSurfaceReductionRules' + CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules' + IsRequired = $False + } + ) $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.UserSettings ` - -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10' + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10' ` + -ComplexTypeMapping $complexMapping + if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.UserSettings = $complexTypeStringResult @@ -2097,19 +2126,6 @@ function Export-TargetResource } } - if ($Results.Assignments) - { - $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths - if ($complexTypeStringResult) - { - $Results.Assignments = $complexTypeStringResult - } - else - { - $Results.Remove('Assignments') | Out-Null - } - } - $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` -ConnectionMode $ConnectionMode ` -ModulePath $PSScriptRoot ` diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof index 6375b4d0db..acf11f4c1d 100644 
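Review bot: The `$complexMapping` built for `UserSettings` is a verbatim copy of the one used for `DeviceSettings`, so defining `$complexMapping` once above both branches keeps the two lists from diverging; `pol_hardenedpaths` and `AttackSurfaceReductionRules` are device-scope settings, so listing them under the user-settings class only matters if `MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10` actually declares them. Separately, the `@@ -2097` hunk removes the block that converted `$Results.Assignments` with Get-M365DSCDRGComplexTypeToString instead of correcting its wrong `-CIMInstanceName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths`; unless another block in Export-TargetResource performs this conversion, the exported configuration now carries assignments as a raw hashtable array, and the class to pass is `MSFT_DeviceManagementConfigurationPolicyAssignments`, the one declared at the top of the schema.mof. Export-TargetResource starts and ends outside the hunk.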
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof
@@ -9,11 +9,55 @@ class MSFT_DeviceManagementConfigurationPolicyAssignments [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; }; + + [ClassVersion("1.0.0.0")] class MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths { - [Write, Description("Name")] String Pol_HardenedPathsKey; - [Write, Description("Value")] String Pol_HardenedPathsValue; + [Write, Description("Value")] String value; + [Write, Description("Name")] String key; +}; + +[ClassVersion("1.0.0.0")] +class MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules +{ + [Write, Description("Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutionOfPotentiallyObfuscatedScripts; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWin32APICallsFromOfficeMacros; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions[]; + [Write, Description("Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion; + [Write, Description("ASR Only Per Rule Exclusions")] String 
BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeCommunicationAppFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAllOfficeApplicationsFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAdobeReaderFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions[]; + 
[Write, Description("Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWebshellCreationForServers; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockWebshellCreationForServers_ASROnlyPerRuleExclusions[]; + [Write, Description("Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUntrustedUnsignedProcessesThatRunFromUSB; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions[]; + [Write, Description("Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockPersistenceThroughWMIEventSubscription; + [Write, Description("[PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUseOfCopiedOrImpersonatedSystemTools; + [Write, Description("ASR Only 
Per Rule Exclusions")] String BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions[]; + [Write, Description("Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAbuseOfExploitedVulnerableSignedDrivers; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions[]; + [Write, Description("Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockProcessCreationsFromPSExecAndWMICommands; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromCreatingExecutableContent; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("[PREVIEW] Block 
rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockRebootingMachineInSafeMode; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions[]; + [Write, Description("Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String UseAdvancedProtectionAgainstRansomware; + [Write, Description("ASR Only Per Rule Exclusions")] String UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions[]; + [Write, Description("Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableContentFromEmailClientAndWebmail; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions[]; }; [ClassVersion("1.0.0.0")] 
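Review bot: The `key` and `value` members of MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths carry only `Description("Name")` and `Description("Value")`, which tells an operator nothing about what a hardened UNC path entry looks like even though the examples in this commit show it (a path pattern such as the SYSVOL share, and flags such as RequireMutualAuthentication=1,RequireIntegrity=1); the descriptions should name the path pattern and the hardening flags respectively. In the new ASR class every rule except `BlockPersistenceThroughWMIEventSubscription` is paired with an `_ASROnlyPerRuleExclusions[]` member; this is carried over unchanged from the block removed further down and presumably mirrors the settings catalog, but a one-line `//` comment saying so would keep the next reader from treating it as an omission.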
@@ -35,8 +79,8 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBasel [Write, Description("MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Pol_MSS_NoNameReleaseOnDemand; [Write, Description("Turn off multicast name resolution (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Turn_Off_Multicast; [Write, Description("Prohibit use of Internet Connection Sharing on your DNS domain network (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String NC_ShowSharedAccessUI; - [Write, Description("Hardened UNC Paths (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String HardenedUNCPaths_Pol_HardenedPaths; - [Write, Description("Hardened UNC Paths: (Device) - Depends on HardenedUNCPaths_Pol_HardenedPaths"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths")] String pol_hardenedpaths[]; + [Write, Description("Hardened UNC Paths (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String hardeneduncpaths_Pol_HardenedPaths; + [Write, Description("Hardened UNC Paths: (Device) - Depends on hardeneduncpaths_Pol_HardenedPaths"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths")] String pol_hardenedpaths[]; [Write, Description("Prohibit connection to non-domain networks when connected to domain authenticated network (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String WCM_BlockNonDomain; [Write, Description("Configure Redirection Guard (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String ConfigureRedirectionGuardPolicy; [Write, Description("Redirection Guard Options (Device) - Depends on ConfigureRedirectionGuardPolicy (0: Redirection Guard Disabled, 1: Redirection Guard Enabled, 2: Redirection Guard Audit Only)"), ValueMap{"0", "1", "2"}, Values{"0", 
"1", "2"}] String RedirectionGuardPolicy_Enum; @@ -282,7 +326,7 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBasel [Write, Description("Prevent managing SmartScreen Filter (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Disable_Managing_Safety_Filter_IE9; [Write, Description("Select SmartScreen Filter mode - Depends on Disable_Managing_Safety_Filter_IE9 (0: Off, 1: On)"), ValueMap{"0", "1"}, Values{"0", "1"}] String IE9SafetyFilterOptions; [Write, Description("Prevent per-user installation of ActiveX controls (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisablePerUserActiveXInstall; - [Write, Description("Remove "Run this time" button for outdated ActiveX controls in Internet Explorer (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String VerMgmtDisableRunThisTime; + [Write, Description("Remove 'Run this time' button for outdated ActiveX controls in Internet Explorer (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String VerMgmtDisableRunThisTime; [Write, Description("Turn off blocking of outdated ActiveX controls for Internet Explorer (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String VerMgmtDisable; [Write, Description("Allow fallback to SSL 3.0 (Internet Explorer) (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String Advanced_EnableSSL3Fallback; [Write, Description("Allow insecure fallback for: - Depends on Advanced_EnableSSL3Fallback (0: No Sites, 1: Non-Protected Mode Sites, 3: All Sites)"), ValueMap{"0", "1", "3"}, Values{"0", "1", "3"}] String Advanced_EnableSSL3FallbackOptions; 
@@ -358,43 +402,7 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBasel [Write, Description("Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. Turns on and runs the real-time monitoring service.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowRealtimeMonitoring; [Write, Description("Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowIOAVProtection; [Write, Description("Allow Script Scanning (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowScriptScanning; - [Write, Description("Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutionOfPotentiallyObfuscatedScripts; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWin32APICallsFromOfficeMacros; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions[]; - [Write, Description("Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion; - [Write, Description("ASR Only Per Rule Exclusions")] String 
BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeCommunicationAppFromCreatingChildProcesses; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; - [Write, Description("Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAllOfficeApplicationsFromCreatingChildProcesses; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAdobeReaderFromCreatingChildProcesses; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; - [Write, Description("Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions[]; - 
[Write, Description("Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWebshellCreationForServers; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockWebshellCreationForServers_ASROnlyPerRuleExclusions[]; - [Write, Description("Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUntrustedUnsignedProcessesThatRunFromUSB; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions[]; - [Write, Description("Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockPersistenceThroughWMIEventSubscription; - [Write, Description("[PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUseOfCopiedOrImpersonatedSystemTools; - [Write, Description("ASR Only 
Per Rule Exclusions")] String BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions[]; - [Write, Description("Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAbuseOfExploitedVulnerableSignedDrivers; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions[]; - [Write, Description("Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockProcessCreationsFromPSExecAndWMICommands; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromCreatingExecutableContent; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions[]; - [Write, Description("[PREVIEW] Block 
rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockRebootingMachineInSafeMode; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions[]; - [Write, Description("Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String UseAdvancedProtectionAgainstRansomware; - [Write, Description("ASR Only Per Rule Exclusions")] String UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions[]; - [Write, Description("Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableContentFromEmailClientAndWebmail; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions[]; + [Write, Description("Attack Surface Reduction Rules"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules")] String AttackSurfaceReductionRules; [Write, Description("Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance)"), ValueMap{"0", "2", "4", "6"}, Values{"0", "2", "4", "6"}] String CloudBlockLevel; [Write, Description("Cloud Extended Timeout")] SInt32 CloudExtendedTimeout; [Write, Description("Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableLocalAdminMerge; 
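Review bot: Replacing the 36 flat ASR members with one embedded `AttackSurfaceReductionRules` instance changes the resource's public schema, so any configuration that set e.g. `BlockExecutionOfPotentiallyObfuscatedScripts` directly under DeviceSettings stops compiling; this diff shows no changelog entry for that, so one should be added if it does not already exist elsewhere. The removed members were all documented as "Depends on AttackSurfaceReductionRules", while the new member's description is just `Description("Attack Surface Reduction Rules")`; if configuring any rule inside the instance is what enables the parent setting, say so, for example `Description("Attack Surface Reduction Rules - configuring any rule in this instance enables the parent setting; each rule takes off, block, audit or warn")`. The class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 starts and ends outside the hunk.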
@@ -412,7 +420,6 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBasel
 [Write, Description("Device Password Expiration - Depends on DevicePasswordEnabled")] SInt32 DevicePasswordExpiration;
 [Write, Description("Min Device Password Length - Depends on DevicePasswordEnabled")] SInt32 MinDevicePasswordLength;
 [Write, Description("Alphanumeric Device Password Required - Depends on DevicePasswordEnabled (0: Password or Alphanumeric PIN required., 1: Password or Numeric PIN required., 2: Password, Numeric PIN, or Alphanumeric PIN required.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String AlphanumericDevicePasswordRequired;
- [Write, Description("Min Device Password Complex Characters (1: Digits only, 2: Digits and lowercase letters are required, 3: Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts, 4: Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop)"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] String MinDevicePasswordComplexCharacters;
 [Write, Description("Max Device Password Failed Attempts - Depends on DevicePasswordEnabled")] SInt32 MaxDevicePasswordFailedAttempts;
 [Write, Description("Min Device Password Complex Characters - Depends on DevicePasswordEnabled (1: Digits only, 2: Digits and lowercase letters are required, 3: Digits lowercase letters and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts, 4: Digits lowercase letters uppercase letters and special characters are required. Not supported in desktop)"), ValueMap{"1", "2", "3", "4"}, Values{"1", "2", "3", "4"}] String MinDevicePasswordComplexCharacters;
 [Write, Description("Max Inactivity Time Device Lock - Depends on DevicePasswordEnabled")] SInt32 MaxInactivityTimeDeviceLock;
@@ -446,7 +453,7 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBasel
 [Write, Description("MSI Allow User Control Over Install (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MSIAllowUserControlOverInstall;
 [Write, Description("MSI Always Install With Elevated Privileges (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MSIAlwaysInstallWithElevatedPrivileges;
 [Write, Description("Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String SmartScreenEnabled;
- [Write, Description("Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftEdge_~SmartScreen_PreventSmartScreenPromptOverride;
+ [Write, Description("Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled)"), ValueMap{"0", "1"}, Values{"0", "1"}] String MicrosoftEdge_SmartScreen_PreventSmartScreenPromptOverride;
 [Write, Description("Let Apps Activate With Voice Above Lock (0: User in control. Users can decide if Windows apps can be activated by voice while the screen is locked using Settings > Privacy options on the device., 1: Force allow. Windows apps can be activated by voice while the screen is locked, and users cannot change it., 2: Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.)"), ValueMap{"0", "1", "2"}, Values{"0", "1", "2"}] String LetAppsActivateWithVoiceAboveLock;
 [Write, Description("Allow Indexing Encrypted Stores Or Items (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowIndexingEncryptedStoresOrItems;
 [Write, Description("Enable Smart Screen In Shell (0: Disabled., 1: Enabled.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String EnableSmartScreenInShell;
@@ -490,7 +497,6 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBasel
 [Write, Description("AD Password Encryption Principal - Depends on BackupDirectory")] String ADPasswordEncryptionPrincipal;
 [Write, Description("Password Expiration Protection Enabled - Depends on BackupDirectory (false: Allow configured password expiriration timestamp to exceed maximum password age, true: Do not allow configured password expiriration timestamp to exceed maximum password age)"), ValueMap{"false", "true"}, Values{"false", "true"}] String PasswordExpirationProtectionEnabled;
 };
-
 [ClassVersion("1.0.0.0")]
 class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10
 {
@@ -510,12 +516,11 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselin
 class MSFT_IntuneSecurityBaselineWindows10 : OMI_BaseResource
 {
 [Write, Description("Policy description")] String Description;
- [Key, Description("Policy name")] String DisplayName;
+ [Key, Description("Policy name")] String DisplayName;
 [Write, Description("List of Scope Tags for this Entity instance.")] String RoleScopeTagIds[];
- [Weite, Description("The unique identifier for an entity. Read-only.")] String Id;
- [Write, Description(""), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10")] String DeviceSettings;
- [Write, Description(""), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10")] String UserSettings;
-
+ [Write, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("The policy settings for the device scope."), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10")] String DeviceSettings;
+ [Write, Description("The policy settings for the user scope."), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10")] String UserSettings;
 [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
 [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
 [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json
index 0c9bd6badf..8aa5e3e5a9 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json
@@ -1,39 +1,44 @@
 {
- "resourceName": "IntuneSecurityBaselineWindows10",
- "description": "This resource configures an Intune Security Baseline for Windows10.",
- "permissions": {
- "graph": {
- "delegated": {
- "read": [
- {
- "name": "DeviceManagementConfiguration.Read.All"
- },
- {
- "name": "Group.Read.All"
- }
- ],
- "update": [
- {
- "name": "Group.Read.All"
- }
- ]
- },
- "application": {
- "read": [
- {
- "name": "DeviceManagementConfiguration.Read.All"
- },
- {
- "name": "Group.Read.All"
- }
- ],
- "update": [
- {
- "name": "Group.Read.All"
- }
- ]
- }
- }
-}
-
-}
+ "resourceName":"IntuneSecurityBaselineWindows10",
+ "description":"This resource configures an Intune Security Baseline for Windows10.",
+ "permissions":{
+ "graph":{
+ "delegated":{
+ "read":[
+ {
+ "name":"DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name":"Group.Read.All"
+ }
+ ],
+ "update":[
+ {
+ "name":"Group.Read.All"
+ },
+ {
+ "name":"DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "application":{
+ "read":[
+ {
+ "name":"DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name":"Group.Read.All"
+ }
+ ],
+ "update":[
+ {
+ "name":"Group.Read.All"
+ },
+ {
+ "name":"DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1
new file mode 100644
index 0000000000..d8110c32df
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1
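Review bot: The only semantic change in this file is adding `DeviceManagementConfiguration.ReadWrite.All` to the delegated and application `update` lists, which the resource's Set path needs and which was previously missing, but it is buried under a whole-file reformat (every `"key": "value"` becomes `"key":"value"`) and the file now ends without a trailing newline. Keeping the original spacing and final newline would shrink the hunk to the two added entries and let the permission change be reviewed on its own. The previous content also was not valid JSON (an unbalanced extra `}` at the end), so this rewrite fixes parseability as well; that is worth a sentence in the commit message.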
@@ -0,0 +1,53 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
+ {
+ DisplayName = 'test'
+ DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10
+ {
+ Pol_MSS_DisableIPSourceRoutingIPv6 = '1'
+ DisableIPSourceRoutingIPv6 = '0'
+ HardenedUNCPaths_Pol_HardenedPaths = '1'
+ pol_hardenedPaths = @(
+ MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths{
+ Key = '\\*\SYSVOL'
+ Value = 'RequireMutualAuthentication=1,RequireIntegrity=1'
+ }
+ )
+ AttackSurfaceReductionRules = MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules{
+ BlockExecutionOfPotentiallyObfuscatedScripts = 'block'
+ }
+ }
+ UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10
+ {
+ AllowWindowsSpotlight = '1'
+ }
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1
new file mode 100644
index 0000000000..c826f89d62
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1
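Review bot: The example sets `HardenedUNCPaths_Pol_HardenedPaths` and `Key`/`Value`, while the schema in this same commit spells them `hardeneduncpaths_Pol_HardenedPaths` and `key`/`value`; DSC property names are case-insensitive so this compiles, but examples are what operators copy from, so they should use the schema's spelling (the same applies to 2-Update.ps1). The hardened-paths list covers only `\\*\SYSVOL`; the Microsoft security baseline pairs it with `\\*\NETLOGON` under the same `RequireMutualAuthentication=1,RequireIntegrity=1` flags, and showing both entries would make the example a more faithful illustration of the feature even though the header says it is not a production baseline.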
@@ -0,0 +1,53 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
+ {
+ DisplayName = 'test'
+ DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10
+ {
+ Pol_MSS_DisableIPSourceRoutingIPv6 = '1'
+ DisableIPSourceRoutingIPv6 = '0'
+ HardenedUNCPaths_Pol_HardenedPaths = '1'
+ pol_hardenedPaths = @(
+ MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths{
+ Key = '\\*\SYSVOL'
+ Value = 'RequireMutualAuthentication=1,RequireIntegrity=1'
+ }
+ )
+ AttackSurfaceReductionRules = MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules{
+ BlockExecutionOfPotentiallyObfuscatedScripts = 'block'
+ }
+ }
+ UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10
+ {
+ AllowWindowsSpotlight = '1' #drift
+ }
+ Ensure = 'Present'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/3-Remove.ps1
new file mode 100644
index 0000000000..ca70840d40
--- /dev/null
+++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/3-Remove.ps1
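Review bot: The `#drift` marker on `AllowWindowsSpotlight = '1'` does not mark a drift: 1-Create.ps1 sets the same value `'1'`, so apart from that comment this Update example is identical to the Create example and exercises no update path. Either change the value here (the unit test's drift fixture in the `-445` hunk uses `AllowWindowsSpotlight = '0' #drift`) or drop the comment, and state in the header comment which property is meant to differ from 1-Create.ps1.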
@@ -0,0 +1,34 @@
+<#
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+#>
+
+Configuration Example
+{
+ param(
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneSecurityBaselineWindows10 'mySecurityBaselineWindows10'
+ {
+ DisplayName = 'test'
+ Ensure = 'Absent'
+ ApplicationId = $ApplicationId;
+ TenantId = $TenantId;
+ CertificateThumbprint = $CertificateThumbprint;
+ }
+ }
+}
diff --git a/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1
index 795c291c35..dd018afce6 100644
--- a/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1
+++ b/Modules/Microsoft365DSC/Modules/M365DSCIntuneSettingsCatalogUtil.psm1
@@ -100,6 +100,7 @@
 'microsoft_edge~Policy~microsoft_edge~*' { $settingName = $settingName.Replace('microsoft_edge~Policy~microsoft_edge', 'MicrosoftEdge_') }
 'edge~httpauthentication*' { $settingName = $settingName.Replace('edge~httpauthentication', 'MicrosoftEdge_HTTPAuthentication') }
 'edge~contentsettings*' { $settingName = $settingName.Replace('edge~contentsettings', 'MicrosoftEdge_ContentSettings') }
+ '*~SmartScreen_*' { $settingName = $settingName.Replace('~SmartScreen', 'SmartScreen') }
 '*~L_Security~*' { $settingName = $settingName.Replace('~L_Security', 'Security') }
 '*~L_TrustCenter*' { $settingName = $settingName.Replace('~L_TrustCenter', '_TrustCenter') }
 '*~L_ProtectedView_*' { $settingName = $settingName.Replace('~L_ProtectedView', 'ProtectedView') }
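Review bot: The new `'*~SmartScreen_*'` case is undocumented; unlike the Edge cases above it, the hunk gives no hint which settings-catalog definition IDs it is meant to normalize, so a reader cannot tell whether the `~`-less result collides with names produced by other cases. A comment on the line, `# '<prefix>~SmartScreen_<setting>' -> '<prefix>SmartScreen_<setting>' (Windows SmartScreen policy IDs)`, with the prefix filled in from an actual ID, would make the mapping reviewable. The enclosing `switch` statement starts outside the hunk, so I cannot confirm it runs with `-Wildcard` (the `*` patterns depend on it) or whether earlier cases fall through and stack replacements on the same name; neither of the Tests.ps1 hunks in this series covers this mapping, so one unit case for a SmartScreen ID would pin it.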
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 index 87ecd5912a..f10f01a4e8 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 @@ -134,8 +134,8 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Name = 'Pol_HardenedPaths' OffsetUri = '/Config/Connectivity/HardenedUNCPaths' AdditionalProperties = @{ - '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingDefinition' - options=@( + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options = @( @{ name ='Enabled' itemId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_1' @@ -154,8 +154,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { childIds = @( 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths_key', 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_pol_hardenedpaths_value' - ) - + ) + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths_1' + parentSettingId = 'device_vendor_msft_policy_config_connectivity_hardeneduncpaths' + } + ) } }, @{ 
@@ -256,12 +261,72 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { value = "user_vendor_msft_policy_config_experience_allowwindowsspotlight_1" } } + } + } + @{ + Id = '3' + SettingDefinitions = @( + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + Name = 'AttackSurfaceReductionRules' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionDefinition' + maximumCount = 1 + minimumCount = 0 + childIds = @( + 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts' + ) + + } + }, + @{ + Id = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts' + Name = 'BlockExecutionOfPotentiallyObfuscatedScripts' + OffsetUri = '/Config/Defender/AttackSurfaceReductionRules' + AdditionalProperties = @{ + '@odata.type' = '#microsoft.graph.deviceManagementConfigurationChoiceSettingDefinition' + options=@( + @{ + name ='Block' + itemId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_block' + dependentOn = @( + @{ + dependentOn = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + parentSettingId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + } + ) + } + ) + } + } + ) + SettingInstance = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + SettingInstanceTemplateReference = @{ + SettingInstanceTemplateId = '3d6107c2-c307-4399-8070-6542f1760309' + } + AdditionalProperties = @{ + SettingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules' + '@odata.type' = "#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance" + groupSettingCollectionValue = @{ + children = @( + @{ + '@odata.type' 
= '#microsoft.graph.deviceManagementConfigurationChoiceSettingInstance' + settingDefinitionId = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts' + choiceSettingValue = @{ + children = @() + value = 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts_block' + } + } + ) + } + } } - } ) } - + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { } @@ -294,6 +359,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } } + # Test contexts Context -Name "The IntuneSecurityBaselineWindows10 should exist but it DOES NOT" -Fixture { BeforeAll { @@ -312,16 +378,19 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { HardenedUNCPaths_Pol_HardenedPaths = '1' pol_hardenedpaths = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ - key = "\\*\SYSVOL" - value = "RequireMutualAuthentication=1,RequireIntegrity=1" + value = "RequireMutualAuthentication=1,RequireIntegrity=1" + key = "\\*\SYSVOL" } -ClientOnly) ) + AttackSurfaceReductionRules = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' + } -ClientOnly) } -ClientOnly) Id = "12345-12345-12345-12345-12345" DisplayName = "My Test" - RoleScopeTagIds = @("FakeStringValue") + RoleScopeTagIds = @("FakeStringValue") userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 -Property @{ - AllowWindowsSpotlight = '1' + AllowWindowsSpotlight = '1' } -ClientOnly) Ensure = "Present" Credential = $Credential; 
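Review bot: The new ASR fixture writes `options=@(` and `name ='Block'` while the `-134` hunk in this same commit corrects exactly that spacing to `options = @(` in the neighbouring Pol_HardenedPaths definition; keep the new block in the corrected form (`options = @(`, `name = 'Block'`). Also, the `Block` option's `dependentOn` entry points `dependentOn` and `parentSettingId` both at the group definition `device_vendor_msft_policy_config_defender_attacksurfacereductionrules`, whereas the `-154` hunk points `dependentOn` at the specific choice value `..._hardeneduncpaths_1`; if the mock is meant to mirror real catalog metadata this asymmetry is worth double-checking. The enclosing `BeforeAll` mock block starts outside the hunk.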
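Review bot: In the `-312` hunk the `pol_hardenedpaths` fixture change is a pure reorder of the `key` and `value` entries (both lines exist before and after), plus whitespace-only edits on `RoleScopeTagIds` and `AllowWindowsSpotlight`, which buries the real addition, the `AttackSurfaceReductionRules` CIM instance; the same churn repeats in the `-360`, `-407` and `-445` hunks. `New-CimInstance -Property` takes a hashtable, so key order has no effect and the swap can be reverted, leaving only the `AttackSurfaceReductionRules` lines as the change. The `Context` blocks these fixtures belong to start outside their hunks.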
@@ -360,21 +429,24 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { HardenedUNCPaths_Pol_HardenedPaths = '1' pol_hardenedpaths = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ - key = "\\*\SYSVOL" value = "RequireMutualAuthentication=1,RequireIntegrity=1" + key = "\\*\SYSVOL" } -ClientOnly) ) + AttackSurfaceReductionRules = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' + } -ClientOnly) } -ClientOnly) Id = "12345-12345-12345-12345-12345" DisplayName = "My Test" - RoleScopeTagIds = @("FakeStringValue") + RoleScopeTagIds = @("FakeStringValue") userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 -Property @{ - AllowWindowsSpotlight = '1' + AllowWindowsSpotlight = '1' } -ClientOnly) Ensure = "Absent" Credential = $Credential; - } - } + } + } It 'Should return Values from the Get method' { (Get-TargetResource @testParams).Ensure | Should -Be 'Present' 
@@ -407,20 +479,23 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { HardenedUNCPaths_Pol_HardenedPaths = '1' pol_hardenedpaths = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ - key = "\\*\SYSVOL" value = "RequireMutualAuthentication=1,RequireIntegrity=1" + key = "\\*\SYSVOL" } -ClientOnly) ) + AttackSurfaceReductionRules = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' + } -ClientOnly) } -ClientOnly) Id = "12345-12345-12345-12345-12345" DisplayName = "My Test" - RoleScopeTagIds = @("FakeStringValue") + RoleScopeTagIds = @("FakeStringValue") userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 -Property @{ - AllowWindowsSpotlight = '1' + AllowWindowsSpotlight = '1' } -ClientOnly) Ensure = "Present" Credential = $Credential; - } + } } It 'Should return true from the Test method' { 
@@ -445,16 +520,19 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { HardenedUNCPaths_Pol_HardenedPaths = '1' pol_hardenedpaths = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ - key = "\\*\SYSVOL" value = "RequireMutualAuthentication=1,RequireIntegrity=1" + key = "\\*\SYSVOL" } -ClientOnly) ) + AttackSurfaceReductionRules = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -Property @{ + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' + } -ClientOnly) } -ClientOnly) Id = "12345-12345-12345-12345-12345" DisplayName = "My Test" - RoleScopeTagIds = @("FakeStringValue") + RoleScopeTagIds = @("FakeStringValue") userSettings = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 -Property @{ - AllowWindowsSpotlight = '0' + AllowWindowsSpotlight = '0' #drift } -ClientOnly) Ensure = "Present" Credential = $Credential; @@ -481,7 +559,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $Global:PartialExportFileName = "$(New-Guid).partial.ps1" $testParams = @{ Credential = $Credential - } + } } It 'Should Reverse Engineer resource from the Export method' { From a8609a8f5b3720b32a54f4744651a31ac956c519 Mon Sep 17 00:00:00 2001 From: Elena Arganova Date: Thu, 12 Dec 2024 11:22:45 +0100 Subject: [PATCH 3/4] regenerated ressource with updated generator --- .../MSFT_IntuneSecurityBaselineWindows10.psm1 | 134 +++++++----------- ...IntuneSecurityBaselineWindows10.schema.mof | 80 +++++------ .../settings.json | 40 +++--- ....IntuneSecurityBaselineWindows10.Tests.ps1 | 24 ++-- 4 files changed, 120 insertions(+), 158 deletions(-) 
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 index d333fb4c85..3a60698d16 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.psm1 @@ -15,7 +15,7 @@ function Get-TargetResource [Parameter()] [System.String[]] - $RoleScopeTagIds, + $RoleScopeTagIds, [Parameter()] [System.String] @@ -68,6 +68,8 @@ function Get-TargetResource $AccessTokens ) + Write-Verbose -Message "Getting configuration of the Intune Security Baseline for Windows10 with Id {$Id} and Name {$DisplayName}" + try { $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` 
@@ -124,121 +126,117 @@ function Get-TargetResource #region resource generator code $complexDeviceSettings = @{} - $attackSurfaceReductionRules = @{} if ($null -ne $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) { - $attackSurfaceReductionRules.Add('BlockExecutionOfPotentiallyObfuscatedScripts', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) + $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts) } if ($null -ne $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) { - $attackSurfaceReductionRules.Add('BlockWin32APICallsFromOfficeMacros', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) + $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros) } if ($null -ne $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions) } if ($null -ne 
$policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) { - $attackSurfaceReductionRules.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion', $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) + $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion', $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion) } if ($null -ne $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) { - $attackSurfaceReductionRules.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) + $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses) } if ($null -ne $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) { - $attackSurfaceReductionRules.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) + $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses) } if ($null -ne $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) { - $attackSurfaceReductionRules.Add('BlockAdobeReaderFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) + $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses', $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses) } if ($null -ne $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions', 
$policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) { - $attackSurfaceReductionRules.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) + $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem) } if ($null -ne $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) { - $attackSurfaceReductionRules.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) + $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent) } if ($null -ne 
$policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockWebshellCreationForServers) { - $attackSurfaceReductionRules.Add('BlockWebshellCreationForServers', $policySettings.DeviceSettings.blockWebshellCreationForServers) + $complexDeviceSettings.Add('BlockWebshellCreationForServers', $policySettings.DeviceSettings.blockWebshellCreationForServers) } if ($null -ne $policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockWebshellCreationForServers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockWebshellCreationForServers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockWebshellCreationForServers_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) { - $attackSurfaceReductionRules.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) + $complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB) } if ($null -ne $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) { - 
$attackSurfaceReductionRules.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) { - $attackSurfaceReductionRules.Add('BlockPersistenceThroughWMIEventSubscription', $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) + $complexDeviceSettings.Add('BlockPersistenceThroughWMIEventSubscription', $policySettings.DeviceSettings.blockPersistenceThroughWMIEventSubscription) } if ($null -ne $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) { - $attackSurfaceReductionRules.Add('BlockUseOfCopiedOrImpersonatedSystemTools', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) + $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools) } if ($null -ne $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) { - $attackSurfaceReductionRules.Add('BlockAbuseOfExploitedVulnerableSignedDrivers', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) + 
$complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers) } if ($null -ne $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) { - $attackSurfaceReductionRules.Add('BlockProcessCreationsFromPSExecAndWMICommands', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) + $complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands) } if ($null -ne $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) { - $attackSurfaceReductionRules.Add('BlockOfficeApplicationsFromCreatingExecutableContent', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) + 
$complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent) } if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) { - $attackSurfaceReductionRules.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) + $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses) } if ($null -ne $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockRebootingMachineInSafeMode) { - $attackSurfaceReductionRules.Add('BlockRebootingMachineInSafeMode', 
$policySettings.DeviceSettings.blockRebootingMachineInSafeMode) + $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode) } if ($null -ne $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) { - $attackSurfaceReductionRules.Add('UseAdvancedProtectionAgainstRansomware', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) + $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware) } if ($null -ne $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.useAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions) } if ($null -ne $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) { - $attackSurfaceReductionRules.Add('BlockExecutableContentFromEmailClientAndWebmail', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) + $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail) } if ($null -ne 
$policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) { - $attackSurfaceReductionRules.Add('BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) + $complexDeviceSettings.Add('BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions', $policySettings.DeviceSettings.blockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions) } - if ($attackSurfaceReductionRules.values.Where({$null -ne $_}).Count -gt 0) { - $complexDeviceSettings.Add('AttackSurfaceReductionRules', $attackSurfaceReductionRules) - } if ($null -ne $policySettings.DeviceSettings.cPL_Personalization_NoLockScreenCamera) { $complexDeviceSettings.Add('CPL_Personalization_NoLockScreenCamera', $policySettings.DeviceSettings.cPL_Personalization_NoLockScreenCamera) } 
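Review bot: After flattening, the roughly forty `if ($null -ne $policySettings.DeviceSettings.X) { $complexDeviceSettings.Add('X', …) }` blocks in this hunk differ only in the property name, and the removed `$attackSurfaceReductionRules.values.Where(...)` guard was the only logic that went with them; since this is generator output (`#region resource generator code`), the repetition is best fixed in the generator by emitting a name list and one loop, which keeps the PascalCase keys the MOF declares and makes adding an ASR rule a one-line change. The sketch below relies on PowerShell's case-insensitive member lookup (`.blockWin32APICallsFromOfficeMacros` is read under the key `'BlockWin32APICallsFromOfficeMacros'`), which holds for `@{}` hashtables and PSObjects but should be confirmed for the actual type behind `$policySettings.DeviceSettings`. Get-TargetResource starts and ends outside the hunk.
```powershell
#region resource generator code
$complexDeviceSettings = @{}
# Each flattened ASR setting is copied under its PascalCase MOF name when the policy carries a value.
$asrSettingNames = @(
    'BlockExecutionOfPotentiallyObfuscatedScripts'
    'BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions'
    'BlockWin32APICallsFromOfficeMacros'
    # … remaining ASR setting names from the removed if-chain, one per line …
    'BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions'
)
foreach ($settingName in $asrSettingNames)
{
    # NOTE(review): assumes case-insensitive member lookup (camelCase property vs. PascalCase key) — confirm for this type.
    $settingValue = $policySettings.DeviceSettings.$settingName
    if ($null -ne $settingValue)
    {
        $complexDeviceSettings.Add($settingName, $settingValue)
    }
}
# … unchanged: CPL_Personalization_NoLockScreenCamera and the other non-ASR DeviceSettings mappings …
```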
@@ -291,21 +289,21 @@ function Get-TargetResource $complexDeviceSettings.Add('hardeneduncpaths_Pol_HardenedPaths', $policySettings.DeviceSettings.hardeneduncpaths_Pol_HardenedPaths) } if ($null -ne $policySettings.DeviceSettings.pol_hardenedPaths) { - $complexPol_hardenedpaths = @() + $complexPol_hardenedpaths = @() foreach ($currentPol_hardenedpaths in $policySettings.DeviceSettings.pol_hardenedPaths) - { - $myPol_hardenedpaths = @{} + { + $myPol_hardenedpaths = @{} if ($null -ne $currentPol_hardenedpaths.value) { - $myPol_hardenedpaths.Add('Value', $currentPol_hardenedpaths.value) + $myPol_hardenedpaths.Add('Value', $currentPol_hardenedpaths.value) } if ($null -ne $currentPol_hardenedpaths.Key) { - $myPol_hardenedpaths.Add('Key', $currentPol_hardenedpaths.key) + $myPol_hardenedpaths.Add('Key', $currentPol_hardenedpaths.key) } - if ($myPol_hardenedpaths.values.Where({$null -ne $_}).Count -gt 0) - { - $complexPol_hardenedpaths += $myPol_hardenedpaths - } + if ($myPol_hardenedpaths.values.Where({$null -ne $_}).Count -gt 0) + { + $complexPol_hardenedpaths += $myPol_hardenedpaths } + } $complexDeviceSettings.Add('pol_hardenedPaths', $complexPol_hardenedpaths) } if ($null -ne $policySettings.DeviceSettings.wCM_BlockNonDomain) { @@ -1596,7 +1594,7 @@ function Get-TargetResource $complexUserSettings = $null } $policySettings.Remove('UserSettings') | Out-Null - #endregion + #endregion $results = @{ #region resource generator code @@ -1655,7 +1653,7 @@ function Set-TargetResource [Parameter()] [System.String[]] - $RoleScopeTagIds, + $RoleScopeTagIds, [Parameter()] [System.String] @@ -1707,6 +1705,8 @@ function Set-TargetResource $AccessTokens ) + Write-Verbose -Message "Setting configuration of the Intune Security Baseline for Windows10 with Id {$Id} and Name {$DisplayName}" + #Ensure the proper dependencies are installed in the current environment. Confirm-M365DSCDependencies 
@@ -1812,7 +1812,7 @@ function Test-TargetResource [Parameter()] [System.String[]] - $RoleScopeTagIds, + $RoleScopeTagIds, [Parameter()] [System.String] @@ -2059,11 +2059,6 @@ function Export-TargetResource CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths' IsRequired = $False } - @{ - Name = 'AttackSurfaceReductionRules' - CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules' - IsRequired = $False - } ) $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.DeviceSettings ` @@ -2081,28 +2076,9 @@ function Export-TargetResource } if ($null -ne $Results.UserSettings) { - $complexMapping = @( - @{ - Name = 'UserSettings' - CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10' - IsRequired = $False - } - @{ - Name = 'pol_hardenedpaths' - CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths' - IsRequired = $False - } - @{ - Name = 'AttackSurfaceReductionRules' - CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules' - IsRequired = $False - } - ) $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString ` -ComplexObject $Results.UserSettings ` - -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10' ` - -ComplexTypeMapping $complexMapping - + -CIMInstanceName 'MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10' if (-not [String]::IsNullOrWhiteSpace($complexTypeStringResult)) { $Results.UserSettings = $complexTypeStringResult diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof index acf11f4c1d..ab1b31ec58 100644 
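Review bot: The last hunk on this line removes the whole `$complexMapping` passed for `UserSettings`, including its `pol_hardenedpaths` entry, although the flattening only makes the `AttackSurfaceReductionRules` entry obsolete. If the UserSettings MOF class (not in this diff) still embeds `MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths`, `Get-M365DSCDRGComplexTypeToString` no longer knows the CIM class for that nested array and the exported configuration would not round-trip through `Set-TargetResource`. I would either keep `-ComplexTypeMapping @(@{ Name = 'pol_hardenedpaths'; CimInstanceName = 'MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths'; IsRequired = $False })` on the UserSettings call or confirm from the schema that UserSettings has no embedded instances and say so in a comment. Export-TargetResource starts and ends outside this hunk.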
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/MSFT_IntuneSecurityBaselineWindows10.schema.mof
@@ -18,48 +18,6 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths [Write, Description("Name")] String key; }; -[ClassVersion("1.0.0.0")] -class MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -{ - [Write, Description("Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutionOfPotentiallyObfuscatedScripts; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWin32APICallsFromOfficeMacros; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions[]; - [Write, Description("Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeCommunicationAppFromCreatingChildProcesses; - [Write, Description("ASR Only Per 
Rule Exclusions")] String BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; - [Write, Description("Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAllOfficeApplicationsFromCreatingChildProcesses; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAdobeReaderFromCreatingChildProcesses; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; - [Write, Description("Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions[]; - [Write, Description("Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent; - [Write, Description("ASR Only Per Rule Exclusions")] String 
BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWebshellCreationForServers; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockWebshellCreationForServers_ASROnlyPerRuleExclusions[]; - [Write, Description("Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUntrustedUnsignedProcessesThatRunFromUSB; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions[]; - [Write, Description("Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockPersistenceThroughWMIEventSubscription; - [Write, Description("[PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUseOfCopiedOrImpersonatedSystemTools; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions[]; - [Write, Description("Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String 
BlockAbuseOfExploitedVulnerableSignedDrivers; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions[]; - [Write, Description("Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockProcessCreationsFromPSExecAndWMICommands; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromCreatingExecutableContent; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions[]; - [Write, Description("Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions[]; - [Write, Description("[PREVIEW] Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockRebootingMachineInSafeMode; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions[]; 
- [Write, Description("Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String UseAdvancedProtectionAgainstRansomware; - [Write, Description("ASR Only Per Rule Exclusions")] String UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions[]; - [Write, Description("Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableContentFromEmailClientAndWebmail; - [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions[]; -}; - [ClassVersion("1.0.0.0")] class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 { 
@@ -402,7 +360,43 @@ class MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBasel [Write, Description("Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. Turns on and runs the real-time monitoring service.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowRealtimeMonitoring; [Write, Description("Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowIOAVProtection; [Write, Description("Allow Script Scanning (0: Not allowed., 1: Allowed.)"), ValueMap{"0", "1"}, Values{"0", "1"}] String AllowScriptScanning; - [Write, Description("Attack Surface Reduction Rules"), EmbeddedInstance("MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules")] String AttackSurfaceReductionRules; + [Write, Description("Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutionOfPotentiallyObfuscatedScripts; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWin32APICallsFromOfficeMacros; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions[]; + [Write, Description("Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", 
"warn"}] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeCommunicationAppFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAllOfficeApplicationsFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAdobeReaderFromCreatingChildProcesses; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem; + [Write, 
Description("ASR Only Per Rule Exclusions")] String BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions[]; + [Write, Description("Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockWebshellCreationForServers; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockWebshellCreationForServers_ASROnlyPerRuleExclusions[]; + [Write, Description("Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUntrustedUnsignedProcessesThatRunFromUSB; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions[]; + [Write, Description("Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockPersistenceThroughWMIEventSubscription; + [Write, Description("[PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", 
"block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockUseOfCopiedOrImpersonatedSystemTools; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions[]; + [Write, Description("Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockAbuseOfExploitedVulnerableSignedDrivers; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions[]; + [Write, Description("Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockProcessCreationsFromPSExecAndWMICommands; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromCreatingExecutableContent; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions[]; + [Write, Description("Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses; + [Write, Description("ASR Only Per Rule 
Exclusions")] String BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions[]; + [Write, Description("[PREVIEW] Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockRebootingMachineInSafeMode; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions[]; + [Write, Description("Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String UseAdvancedProtectionAgainstRansomware; + [Write, Description("ASR Only Per Rule Exclusions")] String UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions[]; + [Write, Description("Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn)"), ValueMap{"off", "block", "audit", "warn"}, Values{"off", "block", "audit", "warn"}] String BlockExecutableContentFromEmailClientAndWebmail; + [Write, Description("ASR Only Per Rule Exclusions")] String BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions[]; [Write, Description("Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance)"), ValueMap{"0", "2", "4", "6"}, Values{"0", "2", "4", "6"}] String CloudBlockLevel; [Write, Description("Cloud Extended Timeout")] SInt32 CloudExtendedTimeout; [Write, Description("Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge)"), ValueMap{"0", "1"}, Values{"0", "1"}] String DisableLocalAdminMerge; 
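Review bot: Every rule description added here still says "Depends on AttackSurfaceReductionRules", yet the `AttackSurfaceReductionRules` embedded instance that text referred to is removed on the first line of this same hunk, so the generated documentation will name a property that no longer exists; I would reword each to the pattern `[Write, Description("ASR rule: Block execution of potentially obfuscated scripts (off: Off, block: Block, audit: Audit, warn: Warn)"), ...]`. The `_ASROnlyPerRuleExclusions[]` arrays carry the security-relevant data in this class and "ASR Only Per Rule Exclusions" tells a configuration author neither what they hold nor that they weaken the rule; something like `Description("Paths excluded from this ASR rule only; each entry disables the rule for that path, so review before adding")` would, assuming these are the per-rule path exclusions of the Intune settings catalog, which should be confirmed against the catalog definition. The ValueMap offers `warn` for every rule, while the Defender documentation lists a few ASR rules that do not support warn mode; if that applies to this catalog version, such a value passes the MOF and is only rejected when the policy is pushed. The enclosing DeviceSettings class continues past the hunk.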
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json index 8aa5e3e5a9..bbbb105b3f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneSecurityBaselineWindows10/settings.json @@ -5,40 +5,40 @@ "graph":{ "delegated":{ "read":[ - { + { "name":"DeviceManagementConfiguration.Read.All" - }, - { + }, + { "name":"Group.Read.All" - } - ], + } + ], "update":[ - { + { "name":"Group.Read.All" }, { "name":"DeviceManagementConfiguration.ReadWrite.All" - } - ] - }, + } + ] + }, "application":{ "read":[ - { + { "name":"DeviceManagementConfiguration.Read.All" - }, - { + }, + { "name":"Group.Read.All" - } - ], + } + ], "update":[ - { + { "name":"Group.Read.All" }, { "name":"DeviceManagementConfiguration.ReadWrite.All" - } - ] - } - } - } + } + ] + } + } +} } \ No newline at end of file diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 index f10f01a4e8..a7deb68382 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneSecurityBaselineWindows10.Tests.ps1 
@@ -376,15 +376,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Pol_MSS_DisableIPSourceRoutingIPv6 = '1' DisableIPSourceRoutingIPv6 = '0' HardenedUNCPaths_Pol_HardenedPaths = '1' + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' pol_hardenedpaths = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ value = "RequireMutualAuthentication=1,RequireIntegrity=1" key = "\\*\SYSVOL" } -ClientOnly) ) - AttackSurfaceReductionRules = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -Property @{ - BlockExecutionOfPotentiallyObfuscatedScripts = 'block' - } -ClientOnly) } -ClientOnly) Id = "12345-12345-12345-12345-12345" DisplayName = "My Test" @@ -427,15 +425,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Pol_MSS_DisableIPSourceRoutingIPv6 = '1' DisableIPSourceRoutingIPv6 = '0' HardenedUNCPaths_Pol_HardenedPaths = '1' + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' pol_hardenedpaths = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ value = "RequireMutualAuthentication=1,RequireIntegrity=1" key = "\\*\SYSVOL" } -ClientOnly) ) - AttackSurfaceReductionRules = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -Property @{ - BlockExecutionOfPotentiallyObfuscatedScripts = 'block' - } -ClientOnly) } -ClientOnly) Id = "12345-12345-12345-12345-12345" DisplayName = "My Test" @@ -446,7 +442,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Ensure = "Absent" Credential = $Credential; } - } + } It 'Should return Values from the Get method' { (Get-TargetResource @testParams).Ensure | Should -Be 'Present' 
@@ -461,7 +457,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Should -Invoke -CommandName Remove-MgBetaDeviceManagementConfigurationPolicy -Exactly 1 } } - + Context -Name "The IntuneSecurityBaselineWindows10 Exists and Values are already in the desired state" -Fixture { BeforeAll { $testParams = @{ @@ -477,15 +473,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Pol_MSS_DisableIPSourceRoutingIPv6 = '1' DisableIPSourceRoutingIPv6 = '0' HardenedUNCPaths_Pol_HardenedPaths = '1' + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' pol_hardenedpaths = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ value = "RequireMutualAuthentication=1,RequireIntegrity=1" key = "\\*\SYSVOL" } -ClientOnly) ) - AttackSurfaceReductionRules = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -Property @{ - BlockExecutionOfPotentiallyObfuscatedScripts = 'block' - } -ClientOnly) } -ClientOnly) Id = "12345-12345-12345-12345-12345" DisplayName = "My Test" @@ -495,7 +489,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { } -ClientOnly) Ensure = "Present" Credential = $Credential; - } + } } It 'Should return true from the Test method' { 
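Review bot: The "already in the desired state" context now sets only `BlockExecutionOfPotentiallyObfuscatedScripts = 'block'` on DeviceSettings, so none of the new flat `_ASROnlyPerRuleExclusions[]` string arrays is exercised, and an array-valued flat property is the case most likely to misbehave in the desired-state comparison after the flattening. I would add `BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions = @('C:\Tools\legacy.exe')` next to the rule value here and mirror it in the mocked data that feeds Get-TargetResource, so the Test method is shown to return true with an exclusion present; that mock lives outside this hunk, so I could not check what it returns today. The same one-rule fixture is repeated in the other contexts on this page, so the gap applies to all of them.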
@@ -518,15 +512,13 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { Pol_MSS_DisableIPSourceRoutingIPv6 = '1' DisableIPSourceRoutingIPv6 = '0' HardenedUNCPaths_Pol_HardenedPaths = '1' + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' pol_hardenedpaths = [CimInstance[]]@( (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths -Property @{ value = "RequireMutualAuthentication=1,RequireIntegrity=1" key = "\\*\SYSVOL" } -ClientOnly) ) - AttackSurfaceReductionRules = (New-CimInstance -ClassName MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules -Property @{ - BlockExecutionOfPotentiallyObfuscatedScripts = 'block' - } -ClientOnly) } -ClientOnly) Id = "12345-12345-12345-12345-12345" DisplayName = "My Test" @@ -559,7 +551,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { $Global:PartialExportFileName = "$(New-Guid).partial.ps1" $testParams = @{ Credential = $Credential - } + } } It 'Should Reverse Engineer resource from the Export method' { From b2348c32528ec2376e8fabd25f261c84c60b233d Mon Sep 17 00:00:00 2001 From: Elena Arganova Date: Thu, 12 Dec 2024 16:45:59 +0100 Subject: [PATCH 4/4] fix different data type name --- .../Resources/IntuneSecurityBaselineWindows10/1-Create.ps1 | 6 ++---- .../Resources/IntuneSecurityBaselineWindows10/2-Update.ps1 | 6 ++---- Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 | 4 ++++ 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1 index d8110c32df..a0b3517eb0 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/1-Create.ps1 
@@ -28,7 +28,8 @@ Configuration Example DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 { Pol_MSS_DisableIPSourceRoutingIPv6 = '1' - DisableIPSourceRoutingIPv6 = '0' + DisableIPSourceRoutingIPv6 = '0' + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' HardenedUNCPaths_Pol_HardenedPaths = '1' pol_hardenedPaths = @( MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths{ @@ -36,9 +37,6 @@ Configuration Example Value = 'RequireMutualAuthentication=1,RequireIntegrity=1' } ) - AttackSurfaceReductionRules = MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules{ - BlockExecutionOfPotentiallyObfuscatedScripts = 'block' - } } UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 { diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1 index c826f89d62..9c33bb8e91 100644 --- a/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1 +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneSecurityBaselineWindows10/2-Update.ps1 @@ -28,7 +28,8 @@ Configuration Example DeviceSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineWindows10 { Pol_MSS_DisableIPSourceRoutingIPv6 = '1' - DisableIPSourceRoutingIPv6 = '0' + DisableIPSourceRoutingIPv6 = '0' + BlockExecutionOfPotentiallyObfuscatedScripts = 'block' HardenedUNCPaths_Pol_HardenedPaths = '1' pol_hardenedPaths = @( MSFT_MicrosoftGraphIntuneSettingsCatalogpol_hardenedpaths{ 
@@ -36,9 +37,6 @@ Configuration Example Value = 'RequireMutualAuthentication=1,RequireIntegrity=1' } ) - AttackSurfaceReductionRules = MSFT_MicrosoftGraphIntuneSettingsCatalogAttackSurfaceReductionRules{ - BlockExecutionOfPotentiallyObfuscatedScripts = 'block' - } } UserSettings = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineWindows10 { diff --git a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 index 2858541d08..318d605b84 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCDRGUtil.psm1 @@ -2032,6 +2032,10 @@ function Get-IntuneSettingCatalogPolicySettingInstanceValue { $childSettingValue.Add('settingInstanceTemplateReference', @{'settingInstanceTemplateId' = $childSettingInstanceTemplate.settingInstanceTemplateId }) } + if ($childSettingType -eq '#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionInstance') + { + $childSettingType = '#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance' + } $childSettingValue.Add('@odata.type', $childSettingType) $choiceSettingValueChildren += $childSettingValue }
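Review bot: The new branch silently rewrites the `@odata.type` string `#microsoft.graph.deviceManagementConfigurationSettingGroupCollectionInstance` to `#microsoft.graph.deviceManagementConfigurationGroupSettingCollectionInstance` with nothing in the code saying why, so the next reader will take it for a typo and is likely to revert it. I would put the reason from the commit title above the `if`, e.g. `# The settings-catalog template reports this child as SettingGroupCollectionInstance, but the Graph policy payload uses GroupSettingCollectionInstance; map the name here so the instance type matches what Graph accepts` (the rejection is inferred from the commit title, not from anything visible in the hunk). The rewrite applies only to children collected into `$choiceSettingValueChildren`; if the same template type can occur for a setting instance outside a choice value, that path would still emit the unmapped name. Get-IntuneSettingCatalogPolicySettingInstanceValue starts and ends outside the hunk.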