diff --git a/CHANGELOG.md b/CHANGELOG.md index 537c3a5134..4a75e47b57 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,40 @@ # Change log for Microsoft365DSC +# 1.24.522.1 + +* IntuneDeviceConfigurationPlatformScriptWindows + * Initial Release + FIXES [#4157](https://github.com/microsoft/Microsoft365DSC/issues/4157) +* IntuneDeviceConfigurationPlatformScriptMacOS + * Initial Release + FIXES [#4157](https://github.com/microsoft/Microsoft365DSC/issues/4157) +* IntuneDeviceEnrollmentPlatformRestriction + * Fix missing export of the default policy + FIXES [#4694](https://github.com/microsoft/Microsoft365DSC/issues/4694) +* IntuneDeviceEnrollmentStatusPageWindows10 + * Return all authentication methods when retrieving the policies otherwise + it may fail deducing the OrganizationName via TenantId +* IntuneDeviceRemediation + * Initial Release + FIXES [#4159](https://github.com/microsoft/Microsoft365DSC/issues/4159) +* IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 + * Initial Release + FIXES [#3747](https://github.com/microsoft/Microsoft365DSC/issues/3747) +* SPOTenantCdnPolicy + * If properties in the tenant are empty then export them as empty arrays + instead of null strings, missed while fixing #4658 +* SPOTenantSettings + * Remove property UserVoiceForFeedbackEnabled when setting the resource since + it has been deprecated +* M365DSCUtil + * Fixed an issue in `Assert-M365DSCBlueprint` where the clone and export + of a blueprint with a GUID could lead to configuration name starting + with a digit instead of a letter. + Partially fixes [#4681](https://github.com/microsoft/Microsoft365DSC/issues/4681) +* DEPENDENCIES + * Updated ExchangeOnlineManagement to version 3.5.0 + * Updated MicrosoftTeams to version 6.2.0 + # 1.24.515.2 * EXOManagementRoleEntry 
@@ -11,6 +46,11 @@ * Initial release, set the azure portal and default Timeout. * AADGroup * Fixes #4596 +* AADConditionalAccessPolicy + * Fix ExcludeGuestOrExternalUserTypes and IncludeGuestOrExternalUserTypes parameters + FIXES [#4630] + * Added support for Authentication Flow TransferMethod + FIXES [#4472] * AADGroupSettings * Added support for parameter NewUnifiedGroupWritebackDefault * EXOManagementRoleEntry diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 index a8b75a65a3..017e2a4cd2 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.psm1 @@ -198,6 +198,10 @@ function Get-TargetResource [System.String[]] $AuthenticationContexts, + [Parameter()] + [System.String] + $TransferMethods, + #generic [Parameter()] [ValidateSet('Present', 'Absent')] @@ -676,6 +680,7 @@ function Get-TargetResource #no translation needed AuthenticationStrength = $AuthenticationStrengthValue AuthenticationContexts = $AuthenticationContextsValues + TransferMethods = [System.String]$Policy.Conditions.AuthenticationFlows.TransferMethods #Standard part TermsOfUse = $termOfUseName Ensure = 'Present' @@ -891,6 +896,10 @@ function Set-TargetResource [System.String[]] $AuthenticationContexts, + [Parameter()] + [System.String] + $TransferMethods, + #generic [Parameter()] [ValidateSet('Present', 'Absent')] 
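Review bot: In the Get-TargetResource return hashtable (hunk at -676), `[System.String]$Policy.Conditions.AuthenticationFlows.TransferMethods` turns a missing authenticationFlows condition into an empty string rather than `$null`, so a policy without transfer methods is reported, and presumably exported, as `TransferMethods = ''`. The Set-TargetResource hunk at -1494 then adds `authenticationFlows` to the request body whenever the parameter is bound, including when it is empty. That may be rejected by Graph or may alter a policy that had no such condition, so it is worth confirming. Consider returning the value only when it is set, and guarding the Set side with `if (-not [string]::IsNullOrEmpty($TransferMethods))`. Both functions start and end outside these hunks.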
@@ -956,23 +965,23 @@ function Set-TargetResource { Write-Verbose -Message "Set-Targetresource: Policy $Displayname Ensure Present" $NewParameters = @{} - $NewParameters.Add('DisplayName', $DisplayName) - $NewParameters.Add('State', $State) + $NewParameters.Add('displayName', $DisplayName) + $NewParameters.Add('state', $State) #create Conditions object Write-Verbose -Message 'Set-Targetresource: create Conditions object' $conditions = @{ - Applications = @{} - Users = @{} + applications = @{} + users = @{} } #create and provision Application Condition object Write-Verbose -Message 'Set-Targetresource: create Application Condition object' if ($currentParameters.ContainsKey('IncludeApplications')) { - $conditions.Applications.Add('IncludeApplications', $IncludeApplications) + $conditions.Applications.Add('includeApplications', $IncludeApplications) } - if ($currentParameters.ContainsKey('ExcludeApplications')) + if ($currentParameters.ContainsKey('excludeApplications')) { - $conditions.Applications.Add('ExcludeApplications', $ExcludeApplications) + $conditions.Applications.Add('excludeApplications', $ExcludeApplications) } if ($ApplicationsFilter -and $ApplicationsFilterMode) { @@ -980,11 +989,11 @@ function Set-TargetResource rule = $ApplicationsFilter mode = $ApplicationsFilterMode } - $conditions.Applications.Add('ApplicationFilter', $appFilterValue) + $conditions.Applications.Add('applicationFilter', $appFilterValue) } if ($IncludeUserActions) { - $conditions.Applications.Add('IncludeUserActions', $IncludeUserActions) + $conditions.Applications.Add('includeUserActions', $IncludeUserActions) } if ($AuthenticationContexts) { 
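Review bot: The lookup `$currentParameters.ContainsKey('excludeApplications')` was lower-cased along with the Graph body keys, but it tests a bound parameter name, not a request property; the sibling check just above still uses `'IncludeApplications'`. It keeps working only if `$currentParameters` is a case-insensitive dictionary (its assignment is outside the hunk); otherwise the exclusion list would be silently left out of the policy that gets written. I would restore `if ($currentParameters.ContainsKey('ExcludeApplications'))`. This hunk and several later ones also mix accessor casing, e.g. `$conditions.Applications.Add(...)` on a key now declared as `applications`. That works on a PowerShell hashtable literal, but one casing throughout would be easier to audit.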
@@ -999,14 +1008,14 @@ function Set-TargetResource $AuthenticationContextsValues += $currentClassId.Id } } - $conditions.Applications.Add('IncludeAuthenticationContextClassReferences', $AuthenticationContextsValues) + $conditions.Applications.Add('includeAuthenticationContextClassReferences', $AuthenticationContextsValues) } #create and provision User Condition object Write-Verbose -Message 'Set-Targetresource: process includeusers' if ($currentParameters.ContainsKey('IncludeUsers')) { - $conditions.Users.Add('IncludeUsers', @()) + $conditions.Users.Add('includeUsers', @()) foreach ($includeuser in $IncludeUsers) { #translate user UPNs to GUID, except id value is GuestsOrExternalUsers, None or All @@ -1039,12 +1048,12 @@ function Set-TargetResource } else { - $conditions.Users.IncludeUsers += $userguid + $conditions.users.includeUsers += $userguid } } else { - $conditions.Users.IncludeUsers += $includeuser + $conditions.users.includeUsers += $includeuser } } } @@ -1053,7 +1062,7 @@ function Set-TargetResource Write-Verbose -Message 'Set-Targetresource: process excludeusers' if ($currentParameters.ContainsKey('ExcludeUsers')) { - $conditions.Users.Add('ExcludeUsers', @()) + $conditions.users.Add('excludeUsers', @()) foreach ($excludeuser in $ExcludeUsers) { #translate user UPNs to GUID, except id value is GuestsOrExternalUsers, None or All @@ -1086,12 +1095,12 @@ function Set-TargetResource } else { - $conditions.Users.ExcludeUsers += $userguid + $conditions.users.excludeUsers += $userguid } } else { - $conditions.Users.ExcludeUsers += $excludeuser + $conditions.users.excludeUsers += $excludeuser } } } @@ -1100,7 +1109,7 @@ function Set-TargetResource Write-Verbose -Message 'Set-Targetresource: process includegroups' if ($currentParameters.ContainsKey('IncludeGroups')) { - $conditions.Users.Add('IncludeGroups', @()) + $conditions.users.Add('includeGroups', @()) foreach ($includegroup in $IncludeGroups) { #translate user Group names to GUID 
@@ -1150,7 +1159,7 @@ function Set-TargetResource Write-Verbose -Message 'Set-Targetresource: process excludegroups' if ($currentParameters.ContainsKey('ExcludeGroups')) { - $conditions.Users.Add('ExcludeGroups', @()) + $conditions.users.Add('excludeGroups', @()) foreach ($ExcludeGroup in $ExcludeGroups) { #translate user Group names to GUID @@ -1191,7 +1200,7 @@ function Set-TargetResource else { Write-Verbose -Message 'Adding group to ExcludeGroups' - $conditions.Users.ExcludeGroups += $GroupLookup.Id + $conditions.users.excludeGroups += $GroupLookup.Id } } } @@ -1200,7 +1209,7 @@ function Set-TargetResource Write-Verbose -Message 'Set-Targetresource: process includeroles' if ($currentParameters.ContainsKey('IncludeRoles')) { - $conditions.Users.Add('IncludeRoles', @()) + $conditions.Users.Add('includeRoles', @()) if ($IncludeRoles) { #translate role names to template guid if defined @@ -1224,7 +1233,7 @@ function Set-TargetResource } else { - $conditions.Users.IncludeRoles += $rolelookup[$IncludeRole] + $conditions.users.includeRoles += $rolelookup[$IncludeRole] } } } @@ -1234,7 +1243,7 @@ function Set-TargetResource Write-Verbose -Message 'Set-Targetresource: process excluderoles' if ($currentParameters.ContainsKey('ExcludeRoles')) { - $conditions.Users.Add('ExcludeRoles', @()) + $conditions.users.Add('excludeRoles', @()) if ($ExcludeRoles) { #translate role names to template guid if defined @@ -1258,7 +1267,7 @@ function Set-TargetResource } else { - $conditions.Users.ExcludeRoles += $rolelookup[$ExcludeRole] + $conditions.users.excludeRoles += $rolelookup[$ExcludeRole] } } } 
@@ -1268,55 +1277,63 @@ function Set-TargetResource Write-Verbose -Message 'Set-Targetresource: process includeGuestOrExternalUser' If ($currentParameters.ContainsKey('IncludeGuestOrExternalUserTypes')) { + $includeGuestsOrExternalUsers = $null if ($IncludeGuestOrExternalUserTypes.Count -ne 0) { - $includeGuestsOrExternalUsers = @{} - [string]$IncludeGuestOrExternalUserTypes = $IncludeGuestOrExternalUserTypes -join ',' - $includeGuestsOrExternalUsers.Add('guestOrExternalUserTypes', $IncludeGuestOrExternalUserTypes) - $externalTenants = @{} - if ($IncludeExternalTenantsMembershipKind -eq 'All') - { - $externalTenants.Add('@odata.type', '#microsoft.graph.conditionalAccessAllExternalTenants') - } - elseif ($IncludeExternalTenantsMembershipKind -eq 'enumerated') - { - $externalTenants.Add('@odata.type', '#microsoft.graph.conditionalAccessEnumeratedExternalTenants') - } - $externalTenants.Add('membershipKind', $IncludeExternalTenantsMembershipKind) - if ($IncludeExternalTenantsMembers) + if ($IncludeGuestOrExternalUserTypes -ne 'None') { - $externalTenants.Add('members', $IncludeExternalTenantsMembers) + $includeGuestsOrExternalUsers = @{} + [string]$IncludeGuestOrExternalUserTypes = $IncludeGuestOrExternalUserTypes -join ',' + $includeGuestsOrExternalUsers.Add('guestOrExternalUserTypes', $IncludeGuestOrExternalUserTypes) + $externalTenants = @{} + if ($IncludeExternalTenantsMembershipKind -eq 'All') + { + $externalTenants.Add('@odata.type', '#microsoft.graph.conditionalAccessAllExternalTenants') + } + elseif ($IncludeExternalTenantsMembershipKind -eq 'enumerated') + { + $externalTenants.Add('@odata.type', '#microsoft.graph.conditionalAccessEnumeratedExternalTenants') + } + $externalTenants.Add('membershipKind', $IncludeExternalTenantsMembershipKind) + if ($IncludeExternalTenantsMembers) + { + $externalTenants.Add('members', $IncludeExternalTenantsMembers) + } + $includeGuestsOrExternalUsers.Add('externalTenants', $externalTenants) } - 
$includeGuestsOrExternalUsers.Add('externalTenants', $externalTenants) - $conditions.Users.Add('includeGuestsOrExternalUsers', $includeGuestsOrExternalUsers) } + $conditions.Users.Add('includeGuestsOrExternalUsers', $includeGuestsOrExternalUsers) } Write-Verbose -Message 'Set-Targetresource: process excludeGuestsOrExternalUsers' If ($currentParameters.ContainsKey('ExcludeGuestOrExternalUserTypes')) { + $excludeGuestsOrExternalUsers = $null if ($ExcludeGuestOrExternalUserTypes.Count -ne 0) { - $excludeGuestsOrExternalUsers = @{} - [string]$ExcludeGuestOrExternalUserTypes = $ExcludeGuestOrExternalUserTypes -join ',' - $excludeGuestsOrExternalUsers.Add('guestOrExternalUserTypes', $ExcludeGuestOrExternalUserTypes) - $externalTenants = @{} - if ($ExcludeExternalTenantsMembershipKind -eq 'All') - { - $externalTenants.Add('@odata.type', '#microsoft.graph.conditionalAccessAllExternalTenants') - } - elseif ($ExcludeExternalTenantsMembershipKind -eq 'enumerated') - { - $externalTenants.Add('@odata.type', '#microsoft.graph.conditionalAccessEnumeratedExternalTenants') - } - $externalTenants.Add('membershipKind', $ExcludeExternalTenantsMembershipKind) - if ($ExcludeExternalTenantsMembers) + if ($ExcludeGuestOrExternalUserTypes -ne 'None') { - $externalTenants.Add('members', $ExcludeExternalTenantsMembers) + $excludeGuestsOrExternalUsers = @{} + [string]$ExcludeGuestOrExternalUserTypes = $ExcludeGuestOrExternalUserTypes -join ',' + $excludeGuestsOrExternalUsers.Add('guestOrExternalUserTypes', $ExcludeGuestOrExternalUserTypes) + $externalTenants = @{} + if ($ExcludeExternalTenantsMembershipKind -eq 'All') + { + $externalTenants.Add('@odata.type', '#microsoft.graph.conditionalAccessAllExternalTenants') + } + elseif ($ExcludeExternalTenantsMembershipKind -eq 'enumerated') + { + $externalTenants.Add('@odata.type', '#microsoft.graph.conditionalAccessEnumeratedExternalTenants') + } + $externalTenants.Add('membershipKind', $ExcludeExternalTenantsMembershipKind) + if 
($ExcludeExternalTenantsMembers) + { + $externalTenants.Add('members', $ExcludeExternalTenantsMembers) + } + $excludeGuestsOrExternalUsers.Add('externalTenants', $externalTenants) } - $excludeGuestsOrExternalUsers.Add('externalTenants', $externalTenants) - $conditions.Users.Add('excludeGuestsOrExternalUsers', $excludeGuestsOrExternalUsers) } + $conditions.Users.Add('excludeGuestsOrExternalUsers', $excludeGuestsOrExternalUsers) } Write-Verbose -Message 'Set-Targetresource: process platform condition' @@ -1325,36 +1342,36 @@ function Set-TargetResource if ($IncludePlatforms -or $ExcludePlatforms) { #create and provision Platform condition object if used - if (-not $conditions.Contains('Platforms')) + if (-not $conditions.Contains('platforms')) { - $conditions.Add('Platforms', @{ - ExcludePlatforms = @() - IncludePlatforms = @() + $conditions.Add('platforms', @{ + excludePlatforms = @() + includePlatforms = @() }) } else { - $conditions.Platforms.Add('ExcludePlatforms', @()) - $conditions.Platforms.Add('IncludePlatforms', @()) + $conditions.platforms.Add('excludePlatforms', @()) + $conditions.platforms.Add('includePlatforms', @()) } Write-Verbose -Message "Set-Targetresource: IncludePlatforms: $IncludePlatforms" if (([Array]$IncludePlatforms).Length -eq 0) { - $conditions.Platforms.IncludePlatforms = @('all') + $conditions.platforms.includePlatforms = @('all') } else { - $conditions.Platforms.IncludePlatforms = @() + $IncludePlatforms + $conditions.platforms.includePlatforms = @() + $IncludePlatforms } #no translation or conversion needed Write-Verbose -Message "Set-Targetresource: ExcludePlatforms: $ExcludePlatforms" - $conditions.Platforms.ExcludePlatforms = @() + $ExcludePlatforms + $conditions.platforms.excludePlatforms = @() + $ExcludePlatforms #no translation or conversion needed } else { Write-Verbose -Message 'Set-Targetresource: setting platform condition to null' - $conditions.Platforms = $null + $conditions.platforms = $null } } 
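Review bot: The new guard `if ($IncludeGuestOrExternalUserTypes -ne 'None')` (and its Exclude twin) is applied to a value that is also used with `.Count` and `-join`, so it looks like a collection, and on a collection `-ne` filters rather than compares. A list that contains `None` next to other types therefore passes the test, and `None` is joined into `guestOrExternalUserTypes`. If only the real types should be sent, filter first, e.g. `$types = @($IncludeGuestOrExternalUserTypes | Where-Object { $_ -ne 'None' })`, then test `$types.Count -gt 0` and join `$types`. The block now also always adds the key, with `$null` when nothing is selected, which clears the guest condition on the policy; a comment such as `# $null is sent on purpose to clear the guest/external users condition` would record that intent. The parameter declarations are outside this hunk, so the collection type is an assumption.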
@@ -1363,18 +1380,18 @@ function Set-TargetResource { if ($IncludeLocations -or $ExcludeLocations) { - $conditions.Add('Locations', @{ - ExcludeLocations = @() - IncludeLocations = @() + $conditions.Add('locations', @{ + excludeLocations = @() + includeLocations = @() }) - $conditions.Locations.IncludeLocations = @() - $conditions.Locations.ExcludeLocations = @() + $conditions.locations.includeLocations = @() + $conditions.locations.excludeLocations = @() Write-Verbose -Message 'Set-Targetresource: locations specified' #create and provision Location condition object if used, translate Location names to guid $LocationLookup = @{} foreach ($Location in Get-MgBetaIdentityConditionalAccessNamedLocation) { - $LocationLookup[$Location.DisplayName] = $Location.Id + $LocationLookup[$Location.displayName] = $Location.Id } foreach ($IncludeLocation in $IncludeLocations) { @@ -1382,11 +1399,11 @@ function Set-TargetResource { if ($IncludeLocation -in 'All', 'AllTrusted') { - $conditions.Locations.IncludeLocations += $IncludeLocation + $conditions.locations.includeLocations += $IncludeLocation } elseif ($IncludeLocation -eq 'Multifactor authentication trusted IPs') { - $conditions.Locations.IncludeLocations += '00000000-0000-0000-0000-000000000000' + $conditions.locations.includeLocations += '00000000-0000-0000-0000-000000000000' } elseif ($null -eq $LocationLookup[$IncludeLocation]) { @@ -1398,7 +1415,7 @@ function Set-TargetResource } else { - $conditions.Locations.IncludeLocations += $LocationLookup[$IncludeLocation] + $conditions.locations.includeLocations += $LocationLookup[$IncludeLocation] } } } 
@@ -1408,11 +1425,11 @@ function Set-TargetResource { if ($ExcludeLocation -eq 'All' -or $ExcludeLocation -eq 'AllTrusted') { - $conditions.Locations.ExcludeLocations += $ExcludeLocation + $conditions.locations.excludeLocations += $ExcludeLocation } elseif ($ExcludeLocation -eq 'Multifactor authentication trusted IPs') { - $conditions.Locations.ExcludeLocations += '00000000-0000-0000-0000-000000000000' + $conditions.locations.excludeLocations += '00000000-0000-0000-0000-000000000000' } elseif ($null -eq $LocationLookup[$ExcludeLocation]) { @@ -1424,7 +1441,7 @@ function Set-TargetResource } else { - $conditions.Locations.ExcludeLocations += $LocationLookup[$ExcludeLocation] + $conditions.locations.excludeLocations += $LocationLookup[$ExcludeLocation] } } } 
@@ -1438,36 +1455,36 @@ function Set-TargetResource { if (-not $conditions.Contains('Devices')) { - $conditions.Add('Devices', @{}) - $conditions.Devices.Add('DeviceFilter', @{}) - $conditions.Devices.DeviceFilter.Add('Mode', $DeviceFilterMode) - $conditions.Devices.DeviceFilter.Add('Rule', $DeviceFilterRule) + $conditions.Add('devices', @{}) + $conditions.devices.Add('deviceFilter', @{}) + $conditions.devices.deviceFilter.Add('mode', $DeviceFilterMode) + $conditions.devices.deviceFilter.Add('rule', $DeviceFilterRule) } else { if (-not $conditions.Devices.Contains('DeviceFilter')) { - $conditions.Devices.Add('DeviceFilter', @{}) - $conditions.Devices.DeviceFilter.Add('Mode', $DeviceFilterMode) - $conditions.Devices.DeviceFilter.Add('Rule', $DeviceFilterRule) + $conditions.devices.Add('DeviceFilter', @{}) + $conditions.devices.deviceFilter.Add('mode', $DeviceFilterMode) + $conditions.devices.deviceFilter.Add('rule', $DeviceFilterRule) } else { - if (-not $conditions.Devices.DeviceFilter.Contains('Mode')) + if (-not $conditions.devices.deviceFilter.Contains('mode')) { - $conditions.Devices.DeviceFilter.Add('Mode', $DeviceFilterMode) + $conditions.devices.deviceFilter.Add('mode', $DeviceFilterMode) } else { - $conditions.Devices.DeviceFilter.Mode = $DeviceFilterMode + $conditions.devices.deviceFilter.mode = $DeviceFilterMode } - if (-not $conditions.Devices.DeviceFilter.Contains('Rule')) + if (-not $conditions.devices.deviceFilter.Contains('rule')) { - $conditions.Devices.DeviceFilter.Add('Rule', $DeviceFilterRule) + $conditions.devices.deviceFilter.Add('rule', $DeviceFilterRule) } else { - $conditions.Devices.DeviceFilter.Rule = $DeviceFilterRule + $conditions.devices.deviceFilter.rule = $DeviceFilterRule } } } 
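Review bot: In the `else` branch the key is still added as `$conditions.devices.Add('DeviceFilter', @{})` while every other key in this block was changed to camelCase, and the session-controls hunk at -1549 likewise keeps `applicationEnforcedRestrictions.Add('IsEnabled', $true)`. The body is now handed to `Invoke-MgGraphRequest` as a raw hashtable (hunks at -1622 and -1645), so key casing reaches the request exactly as written. If Graph matches property names case-sensitively, as the rest of this commit appears to assume, the device filter or the app-enforced restriction could be dropped or the request rejected, leaving the policy weaker than the configuration states. I would change these to `'deviceFilter'` and `'isEnabled'`. The unchanged `Contains('Devices')` and `Contains('DeviceFilter')` tests could be lower-cased too for consistency.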
@@ -1478,7 +1495,7 @@ function Set-TargetResource Write-Verbose -Message "Set-Targetresource: UserRiskLevels: $UserRiskLevels" If ($currentParameters.ContainsKey('UserRiskLevels')) { - $Conditions.Add('UserRiskLevels', $UserRiskLevels) + $Conditions.Add('userRiskLevels', $UserRiskLevels) #no translation or conversion needed } @@ -1486,7 +1503,7 @@ function Set-TargetResource Write-Verbose -Message "Set-Targetresource: SignInRiskLevels: $SignInRiskLevels" If ($currentParameters.ContainsKey('SignInRiskLevels')) { - $Conditions.Add('SignInRiskLevels', $SignInRiskLevels) + $Conditions.Add('signInRiskLevels', $SignInRiskLevels) #no translation or conversion needed } 
@@ -1494,24 +1511,41 @@ function Set-TargetResource Write-Verbose -Message "Set-Targetresource: ClientAppTypes: $ClientAppTypes" If ($currentParameters.ContainsKey('ClientAppTypes')) { - $Conditions.Add('ClientAppTypes', $ClientAppTypes) + $Conditions.Add('clientAppTypes', $ClientAppTypes) #no translation or conversion needed } + + Write-Verbose -Message "Set-Targetresource: authenticationFlows transferMethods: $TransferMethods" + if ($currentParameters.ContainsKey('TransferMethods')) + { + #create and provision TransferMethods condition object if used + if (-not $conditions.Contains('authenticationFlows')) + { + $conditions.Add('authenticationFlows', @{ + transferMethods = $TransferMethods + }) + } + else + { + $conditions.authenticationFlows.Add('transferMethods', $TransferMethods) + } + + } Write-Verbose -Message 'Set-Targetresource: Adding processed conditions' #add all conditions to the parameter list - $NewParameters.Add('Conditions', $Conditions) + $NewParameters.Add('conditions', $Conditions) #create and provision Grant Control object Write-Verbose -Message 'Set-Targetresource: create and provision Grant Control object' if ($GrantControlOperator -and ($BuiltInControls -or $TermsOfUse -or $CustomAuthenticationFactors -or $AuthenticationStrength)) { - $GrantControls = @{ - Operator = $GrantControlOperator + $grantControls = @{ + operator = $GrantControlOperator } if ($BuiltInControls) { - $GrantControls.Add('BuiltInControls', $BuiltInControls) + $GrantControls.Add('builtInControls', $BuiltInControls) } if ($customAuthenticationFactors) { 
@@ -1534,12 +1568,12 @@ function Set-TargetResource { Write-Verbose -Message "Gettign Terms of Use {$TermsOfUse}" $TermsOfUseObj = Get-MgBetaAgreement | Where-Object -FilterScript { $_.DisplayName -eq $TermsOfUse } - $GrantControls.Add('TermsOfUse', $TermsOfUseObj.Id) + $GrantControls.Add('termsOfUse', $TermsOfUseObj.Id) } #no translation or conversion needed Write-Verbose -Message 'Set-Targetresource: Adding processed grant controls' - $NewParameters.Add('GrantControls', $GrantControls) + $NewParameters.Add('grantControls', $GrantControls) } Write-Verbose -Message 'Set-Targetresource: process session controls' 
@@ -1549,70 +1583,70 @@ function Set-TargetResource { Write-Verbose -Message 'Set-Targetresource: create provision Session Control object' $sessioncontrols = @{ - ApplicationEnforcedRestrictions = @{} + applicationEnforcedRestrictions = @{} } if ($ApplicationEnforcedRestrictionsIsEnabled -eq $true) { #create and provision ApplicationEnforcedRestrictions object if used - $sessioncontrols.ApplicationEnforcedRestrictions.Add('IsEnabled', $true) + $sessioncontrols.applicationEnforcedRestrictions.Add('IsEnabled', $true) } if ($CloudAppSecurityIsEnabled) { - $CloudAppSecurityValue = @{ - IsEnabled = $false - CloudAppSecurityType = $null + $cloudAppSecurityValue = @{ + isEnabled = $false + cloudAppSecurityType = $null } - $sessioncontrols.Add('CloudAppSecurity', $CloudAppSecurityValue) + $sessioncontrols.Add('cloudAppSecurity', $CloudAppSecurityValue) #create and provision CloudAppSecurity object if used - $sessioncontrols.CloudAppSecurity.IsEnabled = $true - $sessioncontrols.CloudAppSecurity.CloudAppSecurityType = $CloudAppSecurityType + $sessioncontrols.cloudAppSecurity.isEnabled = $true + $sessioncontrols.cloudAppSecurity.cloudAppSecurityType = $CloudAppSecurityType } if ($SignInFrequencyIsEnabled) { - $SigninFrequencyProp = @{ + $signinFrequencyProp = @{ isEnabled = $true type = $null value = $null frequencyInterval = $null } - $sessioncontrols.Add('SignInFrequency', $SigninFrequencyProp) + $sessioncontrols.Add('signInFrequency', $SigninFrequencyProp) #create and provision SignInFrequency object if used - $sessioncontrols.SignInFrequency.isEnabled = $true + $sessioncontrols.signInFrequency.isEnabled = $true if ($SignInFrequencyType -ne '') { - $sessioncontrols.SignInFrequency.type = $SignInFrequencyType + $sessioncontrols.signInFrequency.type = $SignInFrequencyType } else { - $sessioncontrols.SignInFrequency.Remove('type') | Out-Null + $sessioncontrols.signInFrequency.Remove('type') | Out-Null } if ($SignInFrequencyValue -gt 0) { - 
$sessioncontrols.SignInFrequency.value = $SignInFrequencyValue + $sessioncontrols.signInFrequency.value = $SignInFrequencyValue } else { - $sessioncontrols.SignInFrequency.Remove('value') | Out-Null + $sessioncontrols.signInFrequency.Remove('value') | Out-Null } - $sessioncontrols.SignInFrequency.frequencyInterval = $SignInFrequencyInterval + $sessioncontrols.signInFrequency.frequencyInterval = $SignInFrequencyInterval } if ($PersistentBrowserIsEnabled) { - $PersistentBrowserValue = @{ - IsEnabled = $false - Mode = $false + $persistentBrowserValue = @{ + isEnabled = $false + mode = $false } - $sessioncontrols.Add('PersistentBrowser', $PersistentBrowserValue) + $sessioncontrols.Add('persistentBrowser', $PersistentBrowserValue) Write-Verbose -Message "Set-Targetresource: Persistent Browser settings defined: PersistentBrowserIsEnabled:$PersistentBrowserIsEnabled, PersistentBrowserMode:$PersistentBrowserMode" #create and provision PersistentBrowser object if used - $sessioncontrols.PersistentBrowser.IsEnabled = $true - $sessioncontrols.PersistentBrowser.Mode = $PersistentBrowserMode + $sessioncontrols.persistentBrowser.isEnabled = $true + $sessioncontrols.persistentBrowser.mode = $PersistentBrowserMode } } - $NewParameters.Add('SessionControls', $sessioncontrols) + $NewParameters.Add('sessionControls', $sessioncontrols) #add SessionControls to the parameter list } if ($Ensure -eq 'Present' -and $currentPolicy.Ensure -eq 'Present') @@ -1622,7 +1656,7 @@ function Set-TargetResource try { Write-Verbose -Message "Updating existing policy with values: $(Convert-M365DscHashtableToString -Hashtable $NewParameters)" - Update-MgBetaIdentityConditionalAccessPolicy @NewParameters + Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/beta/identity/conditionalAccess/policies/$($currentPolicy.Id)" -Body $NewParameters } catch { 
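Review bot: The PATCH call hard-codes `https://graph.microsoft.com`, so on a tenant connected to a national or sovereign cloud the policy write would be addressed to the commercial endpoint rather than the one the session authenticated against; the POST in the hunk at -1645 carries the same literal. As far as I know `Invoke-MgGraphRequest` accepts a relative URI and resolves it against the connected environment, e.g. `-Uri "/beta/identity/conditionalAccess/policies/$($currentPolicy.Id)"`, but please confirm before relying on it. `$NewParameters` is also now sent verbatim as the request body. Any entry that was added only for the `Update-MgBetaIdentityConditionalAccessPolicy` cmdlet (for instance a policy id, if one is added outside this hunk) should be removed before the call.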
@@ -1645,7 +1679,7 @@ function Set-TargetResource { try { - New-MgBetaIdentityConditionalAccessPolicy @NewParameters + Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/identity/conditionalAccess/policies' -Body $NewParameters } catch { @@ -1889,6 +1923,10 @@ function Test-TargetResource [System.String[]] $AuthenticationContexts, + [Parameter()] + [System.String] + $TransferMethods, + #generic [Parameter()] [ValidateSet('Present', 'Absent')] diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof index f0a18c7051..e31287c13f 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_AADConditionalAccessPolicy/MSFT_AADConditionalAccessPolicy.schema.mof @@ -44,6 +44,7 @@ class MSFT_AADConditionalAccessPolicy : OMI_BaseResource [Write, Description("Specifies, whether Browser Persistence is controlled by the Policy.")] Boolean PersistentBrowserIsEnabled; [Write, Description("Specifies, what Browser Persistence control is enforced by the Policy."), ValueMap{"Always","Never",""}, Values{"Always","Never",""}] String PersistentBrowserMode; [Write, Description("Name of the associated authentication strength policy.")] String AuthenticationStrength; + [Write, Description("Names of the associated authentication flow transfer methods")] String TransferMethods; [Write, Description("Authentication context class references.")] String AuthenticationContexts[]; [Write, Description("Specify if the Azure AD CA Policy should exist or not."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure; [Write, Description("Credentials for the Microsoft Graph delegated permissions."), EmbeddedInstance("MSFT_Credential")] string Credential; 
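Review bot: `TransferMethods` is declared in the schema as a scalar `String` with no `ValueMap`, while its description says "Names of the associated authentication flow transfer methods" in the plural, so a reader cannot tell how several methods are expressed or which values are accepted. I would state the format in the description, e.g. `Description("Authentication flow transfer methods, as a comma-separated list.")` if that is the intended encoding. If the set of values is fixed, a `ValueMap` here and a `ValidateSet` on the three psm1 parameters would help, as `PersistentBrowserMode` has two lines above. As written, a typo in a configuration is caught only when Graph rejects the request.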
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 new file mode 100644 index 0000000000..3e403e98ec --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.psm1 
@@ -0,0 +1,681 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.Boolean] + $BlockExecutionNotifications, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $ExecutionFrequency, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [System.Int32] + $RetryCount, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [ValidateSet('system','user')] + [System.String] + $RunAsAccount, + + [Parameter()] + [System.String] + $ScriptContent, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementDeviceShellScript ` + -DeviceShellScriptId $Id ` + -ExpandProperty "assignments" ` + -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Platform Script MacOS with Id {$Id}" + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementDeviceShellScript ` + -Filter "DisplayName eq '$DisplayName'" ` + -ExpandProperty "assignments" ` + -ErrorAction SilentlyContinue + if ($null -ne $getValue) + { + $getValue = Get-MgBetaDeviceManagementDeviceShellScript -DeviceShellScriptId $getValue.Id + } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Platform Script MacOS with DisplayName {$DisplayName}" + return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Device Configuration Platform Script MacOS with Id {$Id} and DisplayName {$DisplayName} was found." 
+ + #region resource generator code + $enumRunAsAccount = $null + if ($null -ne $getValue.RunAsAccount) + { + $enumRunAsAccount = $getValue.RunAsAccount.ToString() + } + #endregion + + $results = @{ + #region resource generator code + BlockExecutionNotifications = $getValue.BlockExecutionNotifications + Description = $getValue.Description + DisplayName = $getValue.DisplayName + ExecutionFrequency = $getValue.ExecutionFrequency + FileName = $getValue.FileName + RetryCount = $getValue.RetryCount + RoleScopeTagIds = $getValue.RoleScopeTagIds + RunAsAccount = $enumRunAsAccount + ScriptContent = [System.Convert]::ToBase64String($getValue.ScriptContent) + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + #endregion + } + # Get-MgBetaDeviceManagementDeviceShellScriptAssignment returns a 'No OData route exists that match template...' 
error + #$assignmentsValues = Get-MgBetaDeviceManagementDeviceShellScriptAssignment -DeviceShellScriptId $Id + $AssignmentsValues = $getValue.Assignments + $assignmentResult = @() + foreach ($assignmentEntry in $AssignmentsValues) + { + $assignmentValue = @{ + dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' + deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) + {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) + deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId + groupId = $assignmentEntry.Target.AdditionalProperties.groupId + } + $assignmentResult += $assignmentValue + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.Boolean] + $BlockExecutionNotifications, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $ExecutionFrequency, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [System.Int32] + $RetryCount, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [ValidateSet('system','user')] + [System.String] + $RunAsAccount, + + [Parameter()] + [System.String] + $ScriptContent, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + 
[Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Device Configuration Platform Script MacOS with DisplayName {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $CreateParameters = ([Hashtable]$BoundParameters).clone() + $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters + $CreateParameters.ScriptContent = [System.Convert]::FromBase64String($ScriptContent) + + $CreateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$CreateParameters).clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.getType().Name -like '*cimInstance*') + { + $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key + } + } + #region resource generator code + $CreateParameters.Add("@odata.type", "#microsoft.graph.DeviceShellScript") + $policy = 
New-MgBetaDeviceManagementDeviceShellScript -BodyParameter $CreateParameters + $assignmentsHash = @() + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + } + + if ($policy.Id) + { + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceShellScripts' ` + -RootIdentifier 'deviceManagementScriptAssignments' + } + #endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Device Configuration Platform Script MacOS with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $UpdateParameters = ([Hashtable]$BoundParameters).clone() + $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters + $UpdateParameters.ScriptContent = [System.Convert]::FromBase64String($ScriptContent) + + $UpdateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$UpdateParameters).clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.getType().Name -like '*cimInstance*') + { + $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key + } + } + #region resource generator code + $UpdateParameters.Add("@odata.type", "#microsoft.graph.DeviceShellScript") + Update-MgBetaDeviceManagementDeviceShellScript ` + -DeviceShellScriptId $currentInstance.Id ` + -BodyParameter $UpdateParameters + $assignmentsHash = @() + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + } + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceShellScripts' ` + -RootIdentifier 'deviceManagementScriptAssignments' + 
#endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Device Configuration Platform Script MacOS with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementDeviceShellScript -DeviceShellScriptId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region resource generator code + [Parameter()] + [System.Boolean] + $BlockExecutionNotifications, + + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.String] + $ExecutionFrequency, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [System.Int32] + $RetryCount, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [ValidateSet('system','user')] + [System.String] + $RunAsAccount, + + [Parameter()] + [System.String] + $ScriptContent, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Device Configuration Platform Script MacOS with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.remove('Id') | Out-Null + $ValuesToCheck.Remove('Credential') | Out-Null + $ValuesToCheck.Remove('ApplicationId') | Out-Null + $ValuesToCheck.Remove('TenantId') | Out-Null + $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned 
$testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaDeviceManagementDeviceShellScript ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = 
$CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -isCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.schema.mof new file mode 100644 index 0000000000..2b6c661b7f --- /dev/null 
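Review bot: Get-TargetResource interpolates `$DisplayName` straight into the OData filter (`-Filter "DisplayName eq '$DisplayName'"`), so a name containing a single quote yields a malformed or different filter. With `-ErrorAction SilentlyContinue` the failure is silent: the script is reported Absent and Set-TargetResource creates a duplicate, or the lookup resolves to a different script that is then updated or removed. Double the quote before building the filter, `-Filter "DisplayName eq '$($DisplayName -replace "'", "''")'"`; the Windows module added later in this commit uses the same pattern. Separately, Test-TargetResource removes `Credential`, `ApplicationId`, `TenantId` and `ApplicationSecret` from `$ValuesToCheck` but not `AccessTokens`, and both hashtables are written to the verbose stream, so tokens may end up in DSC logs unless `Convert-M365DscHashtableToString` masks them (not visible here); add `$ValuesToCheck.Remove('AccessTokens') | Out-Null` and keep token values out of the `Current Values` message as well. The CIM comparison loop in the same function also calls `$source.getType()` without the `$null -ne` guard that Set-TargetResource uses, so a parameter bound to `$null` would throw.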
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS.schema.mof 
@@ -0,0 +1,34 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceConfigurationPlatformScriptMacOS")]
+class MSFT_IntuneDeviceConfigurationPlatformScriptMacOS : OMI_BaseResource
+{
+ [Write, Description("Does not notify the user a script is being executed")] Boolean BlockExecutionNotifications;
+ [Write, Description("Optional description for the device management script.")] String Description;
+ [Required, Description("Name of the device management script.")] String DisplayName;
+ [Write, Description("The script file name.")] String FileName;
+ [Write, Description("The interval for script to run. If not defined the script will run once")] String ExecutionFrequency;
+ [Write, Description("Number of times for the script to be retried if it fails")] UInt32 RetryCount;
+ [Write, Description("List of Scope Tag IDs for this PowerShellScript instance.")] String RoleScopeTagIds[];
+ [Write, Description("Indicates the type of execution context. Possible values are: system, user."), ValueMap{"system","user"}, Values{"system","user"}] String RunAsAccount;
+ [Write, Description("The script content in Base64.")] String ScriptContent;
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
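Review bot: `RetryCount` is declared `UInt32` in this schema, while the three `*-TargetResource` functions in the psm1 declare it as `[System.Int32]`. DSC expects the schema type and the parameter type to agree, and the mismatch can surface as a schema validation error or a spurious drift. Use `SInt32 RetryCount;` here or `[System.UInt32]` in the module. The `RoleScopeTagIds` description also says "PowerShellScript instance" although this resource manages a macOS shell script, and the `ApplicationSecret` description says "Secret of the Azure Active Directory tenant" where the application's secret is meant.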
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/readme.md
new file mode 100644
index 0000000000..8f3761c564
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneDeviceConfigurationPlatformScriptMacOS
+
+## Description
+
+Intune Device Configuration Platform Script MacOS
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json
new file mode 100644
index 0000000000..2923dc7038
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptMacOS/settings.json
@@ -0,0 +1,45 @@
+{
+ "resourceName": "IntuneDeviceConfigurationPlatformScriptMacOS",
+ "description": "This resource configures an Intune Device Configuration Platform Script MacOS.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name": "DeviceManagementManagedDevices.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ },
+ {
+ "name": "DeviceManagementManagedDevices.ReadWrite.All"
+ }
+ ]
+ },
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name": "DeviceManagementManagedDevices.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ },
+ {
+ "name": "DeviceManagementManagedDevices.ReadWrite.All"
+ }
+ ]
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 new file mode 100644 index 0000000000..69fc4522d6 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.psm1 
@@ -0,0 +1,663 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $RunAs32Bit, + + [Parameter()] + [ValidateSet('system','user')] + [System.String] + $RunAsAccount, + + [Parameter()] + [System.String] + $ScriptContent, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementScript -DeviceManagementScriptId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Platform Script Windows with Id {$Id}" + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementScript ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue + if ($null -ne $getValue) + { + $getValue = Get-MgBetaDeviceManagementScript -DeviceManagementScriptId $getValue.Id + } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Configuration Platform Script Windows with DisplayName {$DisplayName}" + return $nullResult + } + $Id = $getValue.Id + + Write-Verbose -Message "An Intune Device Configuration Platform Script Windows with Id {$Id} and DisplayName {$DisplayName} was found." 
+ + #region resource generator code + $enumRunAsAccount = $null + if ($null -ne $getValue.RunAsAccount) + { + $enumRunAsAccount = $getValue.RunAsAccount.ToString() + } + #endregion + + $results = @{ + #region resource generator code + Description = $getValue.Description + DisplayName = $getValue.DisplayName + EnforceSignatureCheck = $getValue.EnforceSignatureCheck + FileName = $getValue.FileName + RoleScopeTagIds = $getValue.RoleScopeTagIds + RunAs32Bit = $getValue.RunAs32Bit + RunAsAccount = $enumRunAsAccount + ScriptContent = [System.Convert]::ToBase64String($getValue.ScriptContent) + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + #endregion + } + $assignmentsValues = Get-MgBetaDeviceManagementScriptAssignment -DeviceManagementScriptId $Id + $assignmentResult = @() + foreach ($assignmentEntry in $AssignmentsValues) + { + $assignmentValue = @{ + dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' + deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) + {$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) + deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId + groupId = $assignmentEntry.Target.AdditionalProperties.groupId + } + $assignmentResult += $assignmentValue + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + 
#region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $RunAs32Bit, + + [Parameter()] + [ValidateSet('system','user')] + [System.String] + $RunAsAccount, + + [Parameter()] + [System.String] + $ScriptContent, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Device Configuration Platform Script Windows with DisplayName {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $CreateParameters = ([Hashtable]$BoundParameters).clone() + $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters + $CreateParameters.ScriptContent = [System.Convert]::FromBase64String($CreateParameters.ScriptContent) + + $CreateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$CreateParameters).clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.getType().Name -like '*cimInstance*') + { + $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key + } + } + #region resource generator code + $CreateParameters.Add("@odata.type", "#microsoft.graph.DeviceManagementScript") + $policy = New-MgBetaDeviceManagementScript -BodyParameter $CreateParameters + $assignmentsHash = @() + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + } + + if ($policy.Id) + { + Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.Id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceManagementScripts' ` + -RootIdentifier 'deviceManagementScriptAssignments' + } + 
#endregion + } + elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Updating the Intune Device Configuration Platform Script Windows with Id {$($currentInstance.Id)}" + $BoundParameters.Remove("Assignments") | Out-Null + + $UpdateParameters = ([Hashtable]$BoundParameters).clone() + $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters + $UpdateParameters.ScriptContent = [System.Convert]::FromBase64String($UpdateParameters.ScriptContent) + + $UpdateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$UpdateParameters).clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.getType().Name -like '*cimInstance*') + { + $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key + } + } + #region resource generator code + $UpdateParameters.Add("@odata.type", "#microsoft.graph.DeviceManagementScript") + Update-MgBetaDeviceManagementScript ` + -DeviceManagementScriptId $currentInstance.Id ` + -BodyParameter $UpdateParameters + $assignmentsHash = @() + foreach ($assignment in $Assignments) + { + $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment + } + Update-DeviceConfigurationPolicyAssignment ` + -DeviceConfigurationPolicyId $currentInstance.id ` + -Targets $assignmentsHash ` + -Repository 'deviceManagement/deviceManagementScripts' ` + -RootIdentifier 'deviceManagementScriptAssignments' + #endregion + } + elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present') + { + Write-Verbose -Message "Removing the Intune Device Configuration Platform Script Windows with Id {$($currentInstance.Id)}" + #region resource generator code + Remove-MgBetaDeviceManagementScript -DeviceManagementScriptId $currentInstance.Id + #endregion + } +} + +function Test-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Boolean])] + param + ( + #region 
resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $RunAs32Bit, + + [Parameter()] + [ValidateSet('system','user')] + [System.String] + $RunAsAccount, + + [Parameter()] + [System.String] + $ScriptContent, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + Write-Verbose -Message "Testing configuration of the Intune Device Configuration Platform Script Windows with Id {$Id} and DisplayName {$DisplayName}" + + $CurrentValues = Get-TargetResource @PSBoundParameters + $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone() + + if ($CurrentValues.Ensure -ne $Ensure) + { + Write-Verbose -Message "Test-TargetResource returned $false" + return $false + } + $testResult = $true + + #Compare Cim instances + foreach ($key in $PSBoundParameters.Keys) + { + $source = $PSBoundParameters.$key + $target = $CurrentValues.$key + if ($source.getType().Name -like '*CimInstance*') + { + $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source + + $testResult = Compare-M365DSCComplexObject ` + -Source ($source) ` + -Target ($target) + + if (-Not $testResult) + { + $testResult = $false + break + } + + $ValuesToCheck.Remove($key) | Out-Null + } + } + + $ValuesToCheck.remove('Id') | Out-Null + $ValuesToCheck.Remove('Credential') | Out-Null + $ValuesToCheck.Remove('ApplicationId') | Out-Null + $ValuesToCheck.Remove('TenantId') | Out-Null + $ValuesToCheck.Remove('ApplicationSecret') | Out-Null + + Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)" + Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)" + + if ($testResult) + { + $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues ` + -Source $($MyInvocation.MyCommand.Source) ` + -DesiredValues $PSBoundParameters ` + -ValuesToCheck $ValuesToCheck.Keys + } + + Write-Verbose -Message "Test-TargetResource returned 
$testResult" + + return $testResult +} + +function Export-TargetResource +{ + [CmdletBinding()] + [OutputType([System.String])] + param + ( + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity, + + [Parameter()] + [System.String[]] + $AccessTokens + ) + + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + try + { + #region resource generator code + [array]$getValue = Get-MgBetaDeviceManagementScript ` + -Filter $Filter ` + -All ` + -ErrorAction Stop + #endregion + + $i = 1 + $dscContent = '' + if ($getValue.Length -eq 0) + { + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + else + { + Write-Host "`r`n" -NoNewline + } + foreach ($config in $getValue) + { + $displayedKey = $config.Id + if (-not [String]::IsNullOrEmpty($config.displayName)) + { + $displayedKey = $config.displayName + } + Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline + $params = @{ + Id = $config.Id + DisplayName = $config.DisplayName + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + 
ManagedIdentity = $ManagedIdentity.IsPresent + AccessTokens = $AccessTokens + } + + $Results = Get-TargetResource @Params + $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode ` + -Results $Results + if ($Results.Assignments) + { + $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments + if ($complexTypeStringResult) + { + $Results.Assignments = $complexTypeStringResult + } + else + { + $Results.Remove('Assignments') | Out-Null + } + } + $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName ` + -ConnectionMode $ConnectionMode ` + -ModulePath $PSScriptRoot ` + -Results $Results ` + -Credential $Credential + if ($Results.Assignments) + { + $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -isCIMArray:$true + } + + $dscContent += $currentDSCBlock + Save-M365DSCPartialExport -Content $currentDSCBlock ` + -FileName $Global:PartialExportFileName + $i++ + Write-Host $Global:M365DSCEmojiGreenCheckMark + } + return $dscContent + } + catch + { + Write-Host $Global:M365DSCEmojiRedX + + New-M365DSCLogEntry -Message 'Error during Export:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return '' + } +} + +Export-ModuleMember -Function *-TargetResource diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.schema.mof new file mode 100644 index 0000000000..d5b901186a --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/MSFT_IntuneDeviceConfigurationPlatformScriptWindows.schema.mof 
@@ -0,0 +1,33 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceConfigurationPlatformScriptWindows")]
+class MSFT_IntuneDeviceConfigurationPlatformScriptWindows : OMI_BaseResource
+{
+ [Write, Description("Optional description for the device management script.")] String Description;
+ [Required, Description("Name of the device management script.")] String DisplayName;
+ [Write, Description("Indicate whether the script signature needs be checked.")] Boolean EnforceSignatureCheck;
+ [Write, Description("The script file name.")] String FileName;
+ [Write, Description("List of Scope Tag IDs for this PowerShellScript instance.")] String RoleScopeTagIds[];
+ [Write, Description("A value indicating whether the PowerShell script should run as 32-bit")] Boolean RunAs32Bit;
+ [Write, Description("Indicates the type of execution context. Possible values are: system, user."), ValueMap{"system","user"}, Values{"system","user"}] String RunAsAccount;
+ [Write, Description("The script content in Base64.")] String ScriptContent;
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+ [Write, Description("Access token used for authentication.")] String AccessTokens[];
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/readme.md
new file mode 100644
index 0000000000..65b85e6061
--- /dev/null
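Review bot: The `ScriptContent` description says only "The script content in Base64", which undersells what the property carries: going by `RunAsAccount` in the same class, the decoded script can run in the `system` context on the devices the policy is assigned to. Base64 is an encoding, not protection, so the script is readable by anyone who can read the configuration or the compiled MOF, and it should not contain credentials or keys. I would extend the description, e.g. `Description("The script content, Base64-encoded (not encrypted). Do not embed secrets.")`. The `ApplicationSecret` description also says "Secret of the Azure Active Directory tenant" where the application's secret appears to be meant.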
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneDeviceConfigurationPlatformScriptWindows
+
+## Description
+
+Intune Device Configuration Platform Script Windows
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/settings.json
new file mode 100644
index 0000000000..070e75b660
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceConfigurationPlatformScriptWindows/settings.json
@@ -0,0 +1,17 @@
+{
+ "resourceName": "IntuneDeviceConfigurationPlatformScriptWindows",
+ "description": "This resource configures an Intune Device Configuration Platform Script Windows.",
+ "permissions": {
+ "graph": {
+ "delegated": {
+ "read": [],
+ "update": []
+ },
+ "application": {
+ "read": [],
+ "update": []
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1
index 87bf02821c..3176ce93b0 100644
--- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentPlatformRestriction/MSFT_IntuneDeviceEnrollmentPlatformRestriction.psm1
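Review bot: All four permission lists under `permissions.graph` are empty (`"read": []` and `"update": []` for both `delegated` and `application`), although the resource's module in this commit calls `Get-MgBetaDeviceManagementScript`, `New-MgBetaDeviceManagementScript`, `Update-MgBetaDeviceManagementScript` and `Remove-MgBetaDeviceManagementScript`. If this file is what operators use to work out the minimal Graph scopes for the account or service principal running the resource, which is how I read its purpose, an empty list leaves them to guess or to over-grant. Please fill in the read scope under `read` and the read-write scope under `update`, for example `"read": [ { "name": "<GRAPH_READ_SCOPE_PLACEHOLDER>" } ]`. The closing braces are also mis-indented, with a blank line before the final `}`.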
@@ -712,7 +712,7 @@ function Export-TargetResource try { [array]$configs = Get-MgBetaDeviceManagementDeviceEnrollmentConfiguration -Filter $Filter -All ` - -ErrorAction Stop | Where-Object -FilterScript { $_.DeviceEnrollmentConfigurationType -eq 'singlePlatformRestriction' } + -ErrorAction Stop | Where-Object -FilterScript { $_.DeviceEnrollmentConfigurationType -like '*platformRestriction*' } $i = 1 $dscContent = '' @@ -792,6 +792,7 @@ function Export-TargetResource $Results.Remove('WindowsHomeSkuRestriction') | Out-Null } } + if ($null -ne $Results.WindowsMobileRestriction) { $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject ($Results.WindowsMobileRestriction) -CIMInstanceName DeviceEnrollmentPlatformRestriction diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 index 7aaca3cda7..6ef11e526d 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceEnrollmentStatusPageWindows10/MSFT_IntuneDeviceEnrollmentStatusPageWindows10.psm1 @@ -192,6 +192,12 @@ function Get-TargetResource DisplayName = $getValue.DisplayName Id = $getValue.Id Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + ManagedIdentity = $ManagedIdentity.IsPresent AccessTokens = $AccessTokens #endregion } 
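Review bot: The new filter `-like '*platformRestriction*'` is a two-sided wildcard, so the export now selects every configuration whose type merely contains that text instead of a known set of types. The changelog gives the goal as also exporting the default policy; comparing against an explicit list of the intended type names would keep the export from silently picking up a type introduced later. At minimum the line deserves a comment such as `# also matches the default platform restriction policy, not only 'singlePlatformRestriction'`. Export-TargetResource's body continues outside the hunk.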
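Review bot: The six keys added to the result hashtable hand the caller's authentication parameters back, including `Credential` and `ApplicationSecret`, but nothing in the hunk says why. The changelog explains that retrieval may otherwise fail to deduce the OrganizationName via TenantId, so a comment above them would help, e.g. `# Return the authentication parameters so the organization name can be resolved from TenantId`. Because two of these values are presumably PSCredential objects, as in the other resources in this commit, anything that logs or serializes this hashtable should keep treating them as secrets. The hashtable and Get-TargetResource both continue outside the hunk.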
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1
new file mode 100644
index 0000000000..84faf65371
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.psm1
@@ -0,0 +1,787 @@ +function Get-TargetResource +{ + [CmdletBinding()] + [OutputType([System.Collections.Hashtable])] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DetectionScriptContent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DetectionScriptParameters, + + [Parameter()] + [ValidateSet('deviceHealthScript','managedInstallerScript')] + [System.String] + $DeviceHealthScriptType, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + $RemediationScriptContent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $RemediationScriptParameters, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $RunAs32Bit, + + [Parameter()] + [ValidateSet('system','user')] + [System.String] + $RunAsAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + + [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity + ) + + try + { + $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' ` + -InboundParameters $PSBoundParameters + + #Ensure the proper dependencies are installed in the current environment. 
+ Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $nullResult = $PSBoundParameters + $nullResult.Ensure = 'Absent' + + $getValue = $null + #region resource generator code + $getValue = Get-MgBetaDeviceManagementDeviceHealthScript -DeviceHealthScriptId $Id -ErrorAction SilentlyContinue + + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Remediation with Id {$Id}" + + if (-Not [string]::IsNullOrEmpty($DisplayName)) + { + $getValue = Get-MgBetaDeviceManagementDeviceHealthScript ` + -Filter "DisplayName eq '$DisplayName'" ` + -ErrorAction SilentlyContinue | Where-Object ` + -FilterScript { ` + $_.DeviceHealthScriptType -eq "deviceHealthScript" ` + } + if ($null -ne $getValue) + { + $getValue = Get-MgBetaDeviceManagementDeviceHealthScript -DeviceHealthScriptId $getValue.Id + } + } + } + #endregion + if ($null -eq $getValue) + { + Write-Verbose -Message "Could not find an Intune Device Remediation with DisplayName {$DisplayName}" + return $nullResult + } + $Id = $getValue.Id + Write-Verbose -Message "An Intune Device Remediation with Id {$Id} and DisplayName {$DisplayName} was found." 
+ + #region resource generator code + $complexDetectionScriptParameters = @() + foreach ($currentDetectionScriptParameters in $getValue.detectionScriptParameters) + { + $myDetectionScriptParameters = @{} + $myDetectionScriptParameters.Add('ApplyDefaultValueWhenNotAssigned', $currentDetectionScriptParameters.applyDefaultValueWhenNotAssigned) + $myDetectionScriptParameters.Add('Description', $currentDetectionScriptParameters.description) + $myDetectionScriptParameters.Add('IsRequired', $currentDetectionScriptParameters.isRequired) + $myDetectionScriptParameters.Add('Name', $currentDetectionScriptParameters.name) + $myDetectionScriptParameters.Add('DefaultValue', $currentDetectionScriptParameters.defaultValue) + if ($null -ne $currentDetectionScriptParameters.'@odata.type') + { + $myDetectionScriptParameters.Add('odataType', $currentDetectionScriptParameters.'@odata.type'.toString()) + } + if ($myDetectionScriptParameters.values.Where({$null -ne $_}).count -gt 0) + { + $complexDetectionScriptParameters += $myDetectionScriptParameters + } + } + + $complexRemediationScriptParameters = @() + foreach ($currentRemediationScriptParameters in $getValue.remediationScriptParameters) + { + $myRemediationScriptParameters = @{} + $myRemediationScriptParameters.Add('ApplyDefaultValueWhenNotAssigned', $currentRemediationScriptParameters.applyDefaultValueWhenNotAssigned) + $myRemediationScriptParameters.Add('Description', $currentRemediationScriptParameters.description) + $myRemediationScriptParameters.Add('IsRequired', $currentRemediationScriptParameters.isRequired) + $myRemediationScriptParameters.Add('Name', $currentRemediationScriptParameters.name) + $myRemediationScriptParameters.Add('DefaultValue', $currentRemediationScriptParameters.defaultValue) + if ($null -ne $currentRemediationScriptParameters.'@odata.type') + { + $myRemediationScriptParameters.Add('odataType', $currentRemediationScriptParameters.'@odata.type'.toString()) + } + if 
($myRemediationScriptParameters.values.Where({$null -ne $_}).count -gt 0) + { + $complexRemediationScriptParameters += $myRemediationScriptParameters + } + } + #endregion + + #region resource generator code + $enumDeviceHealthScriptType = $null + if ($null -ne $getValue.DeviceHealthScriptType) + { + $enumDeviceHealthScriptType = $getValue.DeviceHealthScriptType.ToString() + } + + $enumRunAsAccount = $null + if ($null -ne $getValue.RunAsAccount) + { + $enumRunAsAccount = $getValue.RunAsAccount.ToString() + } + #endregion + + $results = @{ + #region resource generator code + Description = $getValue.Description + DetectionScriptContent = [System.Convert]::ToBase64String($getValue.DetectionScriptContent) + DetectionScriptParameters = $complexDetectionScriptParameters + DeviceHealthScriptType = $enumDeviceHealthScriptType + DisplayName = $getValue.DisplayName + EnforceSignatureCheck = $getValue.EnforceSignatureCheck + Publisher = $getValue.Publisher + RemediationScriptContent = [System.Convert]::ToBase64String($getValue.RemediationScriptContent) + RemediationScriptParameters = $complexRemediationScriptParameters + RoleScopeTagIds = $getValue.RoleScopeTagIds + RunAs32Bit = $getValue.RunAs32Bit + RunAsAccount = $enumRunAsAccount + Id = $getValue.Id + Ensure = 'Present' + Credential = $Credential + ApplicationId = $ApplicationId + TenantId = $TenantId + ApplicationSecret = $ApplicationSecret + CertificateThumbprint = $CertificateThumbprint + Managedidentity = $ManagedIdentity.IsPresent + #endregion + } + $assignmentsValues = Get-MgBetaDeviceManagementDeviceHealthScriptAssignment -DeviceHealthScriptId $Id + $assignmentResult = @() + foreach ($assignmentEntry in $AssignmentsValues) + { + $assignmentValue = @{ + dataType = $assignmentEntry.Target.AdditionalProperties.'@odata.type' + deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType) + 
{$assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType.ToString()}) + deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId + groupId = $assignmentEntry.Target.AdditionalProperties.groupId + } + $assignmentResult += $assignmentValue + } + $results.Add('Assignments', $assignmentResult) + + return [System.Collections.Hashtable] $results + } + catch + { + New-M365DSCLogEntry -Message 'Error retrieving data:' ` + -Exception $_ ` + -Source $($MyInvocation.MyCommand.Source) ` + -TenantId $TenantId ` + -Credential $Credential + + return $nullResult + } +} + +function Set-TargetResource +{ + [CmdletBinding()] + param + ( + #region resource generator code + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DetectionScriptContent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $DetectionScriptParameters, + + [Parameter()] + [ValidateSet('deviceHealthScript','managedInstallerScript')] + [System.String] + $DeviceHealthScriptType, + + [Parameter(Mandatory = $true)] + [System.String] + $DisplayName, + + [Parameter()] + [System.Boolean] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + $RemediationScriptContent, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $RemediationScriptParameters, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Boolean] + $RunAs32Bit, + + [Parameter()] + [ValidateSet('system','user')] + [System.String] + $RunAsAccount, + + [Parameter(Mandatory = $true)] + [System.String] + $Id, + + [Parameter()] + [Microsoft.Management.Infrastructure.CimInstance[]] + $Assignments, + #endregion + [Parameter()] + [System.String] + [ValidateSet('Absent', 'Present')] + $Ensure = 'Present', + + [Parameter()] + [System.Management.Automation.PSCredential] + $Credential, + + [Parameter()] + [System.String] + $ApplicationId, + 
+ [Parameter()] + [System.String] + $TenantId, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ApplicationSecret, + + [Parameter()] + [System.String] + $CertificateThumbprint, + + [Parameter()] + [Switch] + $ManagedIdentity + ) + + #Ensure the proper dependencies are installed in the current environment. + Confirm-M365DSCDependencies + + #region Telemetry + $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '') + $CommandName = $MyInvocation.MyCommand + $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName ` + -CommandName $CommandName ` + -Parameters $PSBoundParameters + Add-M365DSCTelemetryEvent -Data $data + #endregion + + $currentInstance = Get-TargetResource @PSBoundParameters + + $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters + + if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent') + { + Write-Verbose -Message "Creating an Intune Device Remediation with DisplayName {$DisplayName}" + $BoundParameters.Remove("Assignments") | Out-Null + + $CreateParameters = ([Hashtable]$BoundParameters).clone() + $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters + $CreateParameters.Add('IsGlobalScript', $false) | Out-Null + $CreateParameters.DetectionScriptContent = [System.Convert]::FromBase64String($CreateParameters.DetectionScriptContent) + $CreateParameters.RemediationScriptContent = [System.Convert]::FromBase64String($CreateParameters.RemediationScriptContent) + $CreateParameters.Remove('Id') | Out-Null + + $keys = (([Hashtable]$CreateParameters).clone()).Keys + foreach ($key in $keys) + { + if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.getType().Name -like '*cimInstance*') + { + $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key + } + } + #region resource generator code + $CreateParameters.Add("@odata.type", "#microsoft.graph.DeviceHealthScript") + 
$policy = New-MgBetaDeviceManagementDeviceHealthScript -BodyParameter $CreateParameters
+ $assignmentsHash = @()
+ foreach ($assignment in $Assignments)
+ {
+ $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
+ }
+
+ if ($policy.id)
+ {
+ Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/deviceHealthScripts'
+ }
+ #endregion
+ }
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Updating the Intune Device Remediation with Id {$($currentInstance.Id)}"
+ $BoundParameters.Remove("Assignments") | Out-Null
+
+ $UpdateParameters = ([Hashtable]$BoundParameters).clone()
+ $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters
+ $UpdateParameters.DetectionScriptContent = [System.Convert]::FromBase64String($UpdateParameters.DetectionScriptContent)
+ $UpdateParameters.RemediationScriptContent = [System.Convert]::FromBase64String($UpdateParameters.RemediationScriptContent)
+ $UpdateParameters.Remove('DeviceHealthScriptType') | Out-Null
+ $UpdateParameters.Remove('Id') | Out-Null
+
+ $keys = (([Hashtable]$UpdateParameters).clone()).Keys
+ foreach ($key in $keys)
+ {
+ if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.getType().Name -like '*cimInstance*')
+ {
+ $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key
+ }
+ }
+ #region resource generator code
+ $UpdateParameters.Add("@odata.type", "#microsoft.graph.DeviceHealthScript")
+ Update-MgBetaDeviceManagementDeviceHealthScript `
+ -DeviceHealthScriptId $currentInstance.Id `
+ -BodyParameter $UpdateParameters
+ $assignmentsHash = @()
+ foreach ($assignment in $Assignments)
+ {
+ $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
+ }
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $currentInstance.id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/deviceHealthScripts'
+ #endregion
+ }
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Removing the Intune Device Remediation with Id {$($currentInstance.Id)}"
+ #region resource generator code
+ Remove-MgBetaDeviceManagementDeviceHealthScript -DeviceHealthScriptId $currentInstance.Id
+ #endregion
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter()]
+ [System.String]
+ $DetectionScriptContent,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $DetectionScriptParameters,
+
+ [Parameter()]
+ [ValidateSet('deviceHealthScript','managedInstallerScript')]
+ [System.String]
+ $DeviceHealthScriptType,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.Boolean]
+ $EnforceSignatureCheck,
+
+ [Parameter()]
+ [System.String]
+ $Publisher,
+
+ [Parameter()]
+ [System.String]
+ $RemediationScriptContent,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $RemediationScriptParameters,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [System.Boolean]
+ $RunAs32Bit,
+
+ [Parameter()]
+ [ValidateSet('system','user')]
+ [System.String]
+ $RunAsAccount,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $Id,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ Write-Verbose -Message "Testing configuration of the Intune Device Remediation with Id {$Id} and DisplayName {$DisplayName}"
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
+
+ if ($CurrentValues.Ensure -ne $Ensure)
+ {
+ Write-Verbose -Message "Test-TargetResource returned $false"
+ return $false
+ }
+ $testResult = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($source.getType().Name -like '*CimInstance*')
+ {
+ $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
+
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-Not $testResult)
+ {
+ $testResult = $false
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+
+ $ValuesToCheck.remove('Id') | Out-Null
+ $ValuesToCheck.Remove('Credential') | Out-Null
+ $ValuesToCheck.Remove('ApplicationId') | Out-Null
+ $ValuesToCheck.Remove('TenantId') | Out-Null
+ $ValuesToCheck.Remove('ApplicationSecret') | Out-Null
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
+
+ if ($testResult)
+ {
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $Filter,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ #region resource generator code
+ # Only export scripts that are not from Microsoft
+ [array]$getValue = Get-MgBetaDeviceManagementDeviceHealthScript `
+ -Filter $Filter `
+ -All `
+ -ErrorAction Stop | Where-Object -FilterScript {
+ $_.IsGlobalScript -eq $false
+ }
+ #endregion
+
+ $i = 1
+ $dscContent = ''
+ if ($getValue.Length -eq 0)
+ {
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ else
+ {
+ Write-Host "`r`n" -NoNewline
+ }
+ foreach ($config in $getValue)
+ {
+ $displayedKey = $config.Id
+ if (-not [String]::IsNullOrEmpty($config.displayName))
+ {
+ $displayedKey = $config.displayName
+ }
+ Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
+ $params = @{
+ Id = $config.Id
+ DisplayName = $config.DisplayName
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ Managedidentity = $ManagedIdentity.IsPresent
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+ if ($null -ne $Results.DetectionScriptParameters)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.DetectionScriptParameters `
+ -CIMInstanceName 'MicrosoftGraphdeviceHealthScriptParameter'
+ if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.DetectionScriptParameters = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('DetectionScriptParameters') | Out-Null
+ }
+ }
+ if ($null -ne $Results.RemediationScriptParameters)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString `
+ -ComplexObject $Results.RemediationScriptParameters `
+ -CIMInstanceName 'MicrosoftGraphdeviceHealthScriptParameter'
+ if (-Not [String]::IsNullOrWhiteSpace($complexTypeStringResult))
+ {
+ $Results.RemediationScriptParameters = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('RemediationScriptParameters') | Out-Null
+ }
+ }
+ if ($Results.Assignments)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments
+ if ($complexTypeStringResult)
+ {
+ $Results.Assignments = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('Assignments') | Out-Null
+ }
+ }
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+ if ($Results.DetectionScriptParameters)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "DetectionScriptParameters" -isCIMArray:$True
+ }
+ if ($Results.RemediationScriptParameters)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "RemediationScriptParameters" -isCIMArray:$True
+ }
+ if ($Results.Assignments)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName "Assignments" -isCIMArray:$true
+ }
+
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof
new file mode 100644
index 0000000000..8632084be7
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/MSFT_IntuneDeviceRemediation.schema.mof
@@ -0,0 +1,46 @@
+[ClassVersion("1.0.0.0")]
+class MSFT_DeviceManagementConfigurationPolicyAssignments
+{
+ [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType;
+ [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType;
+ [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId;
+ [Write, Description("The group Id that is the target of the assignment.")] String groupId;
+ [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName;
+ [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId;
+};
+[ClassVersion("1.0.0")]
+class MSFT_MicrosoftGraphDeviceHealthScriptParameter
+{
+ [Write, Description("Whether Apply DefaultValue When Not Assigned")] Boolean ApplyDefaultValueWhenNotAssigned;
+ [Write, Description("The description of the param")] String Description;
+ [Write, Description("Whether the param is required")] Boolean IsRequired;
+ [Write, Description("The name of the param")] String Name;
+ [Write, Description("The default value of boolean param")] Boolean DefaultValue;
+ [Write, Description("The type of the entity."), ValueMap{"#microsoft.graph.deviceHealthScriptBooleanParameter","#microsoft.graph.deviceHealthScriptIntegerParameter","#microsoft.graph.deviceHealthScriptStringParameter"}, Values{"#microsoft.graph.deviceHealthScriptBooleanParameter","#microsoft.graph.deviceHealthScriptIntegerParameter","#microsoft.graph.deviceHealthScriptStringParameter"}] String odataType;
+};
+
+[ClassVersion("1.0.0.0"), FriendlyName("IntuneDeviceRemediation")]
+class MSFT_IntuneDeviceRemediation : OMI_BaseResource
+{
+ [Write, Description("Description of the device health script")] String Description;
+ [Write, Description("The entire content of the detection powershell script")] String DetectionScriptContent;
+ [Write, Description("List of ComplexType DetectionScriptParameters objects."), EmbeddedInstance("MSFT_MicrosoftGraphdeviceHealthScriptParameter")] String DetectionScriptParameters[];
+ [Write, Description("DeviceHealthScriptType for the script policy. Possible values are: deviceHealthScript, managedInstallerScript."), ValueMap{"deviceHealthScript","managedInstallerScript"}, Values{"deviceHealthScript","managedInstallerScript"}] String DeviceHealthScriptType;
+ [Required, Description("Name of the device health script")] String DisplayName;
+ [Write, Description("Indicate whether the script signature needs be checked")] Boolean EnforceSignatureCheck;
+ [Write, Description("Name of the device health script publisher")] String Publisher;
+ [Write, Description("The entire content of the remediation powershell script")] String RemediationScriptContent;
+ [Write, Description("List of ComplexType RemediationScriptParameters objects."), EmbeddedInstance("MSFT_MicrosoftGraphdeviceHealthScriptParameter")] String RemediationScriptParameters[];
+ [Write, Description("List of Scope Tag IDs for the device health script")] String RoleScopeTagIds[];
+ [Write, Description("Indicate whether PowerShell script(s) should run as 32-bit")] Boolean RunAs32Bit;
+ [Write, Description("Indicates the type of execution context. Possible values are: system, user."), ValueMap{"system","user"}, Values{"system","user"}] String RunAsAccount;
+ [Key, Description("The unique identifier for an entity. Read-only.")] String Id;
+ [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[];
+ [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
+ [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential;
+ [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId;
+ [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId;
+ [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret;
+ [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint;
+ [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity;
+};
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/readme.md
new file mode 100644
index 0000000000..09ed9308a5
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/readme.md
@@ -0,0 +1,6 @@
+
+# IntuneDeviceRemediation
+
+## Description
+
+Intune Device Remediation
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json
new file mode 100644
index 0000000000..1b08179b72
--- /dev/null
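Review bot: `DefaultValue` in `MSFT_MicrosoftGraphDeviceHealthScriptParameter` is declared `Boolean`, yet `odataType` also admits `#microsoft.graph.deviceHealthScriptIntegerParameter` and `#microsoft.graph.deviceHealthScriptStringParameter`, so a default for an integer or string parameter cannot be expressed through this schema. Either widen the property (for example `String DefaultValue;`, converted according to `odataType` in the module) or narrow the ValueMap to the Boolean type that is actually supported. Separately, the descriptions of `DetectionScriptContent` and `RemediationScriptContent` say "The entire content of the ... powershell script", while the module's update path passes both values through `[System.Convert]::FromBase64String`; since these scripts are pushed to devices and `RunAsAccount` allows `system`, the description should state the expected encoding, e.g. `Description("Base64-encoded content of the detection PowerShell script")`, so that what is reviewed in the configuration is what gets deployed.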
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneDeviceRemediation/settings.json
@@ -0,0 +1,39 @@
+{
+ "resourceName": "IntuneDeviceRemediation",
+ "description": "This resource configures an Intune Device Remediation.",
+ "permissions": {
+ "graph": {
+ "application": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ },
+ "delegated": {
+ "read": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ }
+ ],
+ "update": [
+ {
+ "name": "DeviceManagementConfiguration.Read.All"
+ },
+ {
+ "name": "DeviceManagementConfiguration.ReadWrite.All"
+ }
+ ]
+ }
+ }
+ }
+}
+
+}
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1
new file mode 100644
index 0000000000..5e8f837fd0
--- /dev/null
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.psm1
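Review bot: The added lines appear to close one more brace than they open: after the `delegated` block, four `}` lines close `delegated`, `graph`, `permissions` and the root object, and a further `+}` follows the blank line. If the committed file ends that way it is not valid JSON, and whatever reads this resource's required Graph permissions from it would fail or skip the resource. The hunk header announces 39 added lines while 40 are shown here, so the extra brace may be an artefact of how the page was captured; parsing the file once (for example with `ConvertFrom-Json`) would settle it, and the fix is to delete the final `}`.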
@@ -0,0 +1,614 @@
+function Get-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Collections.Hashtable])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('manual', 'automatic')]
+ $ApprovalType,
+
+ [Parameter()]
+ [System.Int32]
+ $DeploymentDeferralInDays,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ try
+ {
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $nullResult = $PSBoundParameters
+ $nullResult.Ensure = 'Absent'
+
+ $getValue = $null
+ #region resource generator code
+ $uri = "/beta/deviceManagement/windowsDriverUpdateProfiles/$Id"
+ $getValue = (Invoke-MgGraphRequest -Method GET -Uri $uri -SkipHttpErrorCheck).value
+
+ if ($null -eq $getValue)
+ {
+ Write-Verbose -Message "Could not find an Intune Windows Update For Business Driver Update Profile for Windows 10 with Id {$Id}"
+
+ if (-Not [string]::IsNullOrEmpty($DisplayName))
+ {
+ $uri = '/beta/deviceManagement/windowsDriverUpdateProfiles'
+ $getValue = (Invoke-MgGraphRequest -Method GET -Uri $uri).value | Where-Object -FilterScript {
+ $_.displayName -eq $DisplayName
+ }
+ }
+ }
+ #endregion
+ if ($null -eq $getValue)
+ {
+ Write-Verbose -Message "Could not find an Intune Windows Update For Business Driver Update Profie for Windows 10 with DisplayName {$DisplayName}"
+ return $nullResult
+ }
+ $Id = $getValue.Id
+ Write-Verbose -Message "An Intune Windows Update For Business Driver Update Profile for Windows 10 with Id {$Id} and DisplayName {$DisplayName} was found."
+
+ $enumApprovalType = $null
+ if ($null -ne $getValue.approvalType)
+ {
+ $enumApprovalType = $getValue.approvalType.ToString()
+ }
+
+ $results = @{
+ #region resource generator code
+ ApprovalType = $enumApprovalType
+ DeploymentDeferralInDays = $getValue.deploymentDeferralInDays
+ RoleScopeTagIds = $getValue.roleScopeTagIds
+ Description = $getValue.description
+ DisplayName = $getValue.displayName
+ Id = $Id
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ #endregion
+ }
+ $uri = "/beta/deviceManagement/windowsDriverUpdateProfiles/$($Id)/assignments"
+ $assignmentsValues = (Invoke-MgGraphRequest -Method GET -Uri $uri).value
+ $assignmentResult = @()
+ foreach ($assignmentEntry in $AssignmentsValues)
+ {
+ $assignmentValue = @{
+ dataType = $assignmentEntry.Target.'@odata.type'
+ deviceAndAppManagementAssignmentFilterType = $(if ($null -ne $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType)
+ {
+ $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterType
+ })
+ deviceAndAppManagementAssignmentFilterId = $assignmentEntry.Target.DeviceAndAppManagementAssignmentFilterId
+ groupId = $assignmentEntry.Target.groupId
+ }
+ $assignmentResult += $assignmentValue
+ }
+ $results.Add('Assignments', $assignmentResult)
+
+ return [System.Collections.Hashtable] $results
+ }
+ catch
+ {
+ New-M365DSCLogEntry -Message 'Error retrieving data:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return $nullResult
+ }
+}
+
+function Set-TargetResource
+{
+ [CmdletBinding()]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('manual', 'automatic')]
+ $ApprovalType,
+
+ [Parameter()]
+ [System.Int32]
+ $DeploymentDeferralInDays,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ $currentInstance = Get-TargetResource @PSBoundParameters
+
+ $BoundParameters = Remove-M365DSCAuthenticationParameter -BoundParameters $PSBoundParameters
+
+ if ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Absent')
+ {
+ Write-Verbose -Message "Creating an Intune Windows Update For Business Driver Update Profile for Windows 10 with DisplayName {$DisplayName}"
+ $BoundParameters.Remove('Assignments') | Out-Null
+ $CreateParameters = ([Hashtable]$BoundParameters).clone()
+ $CreateParameters = Rename-M365DSCCimInstanceParameter -Properties $CreateParameters
+ $CreateParameters.Remove('Id') | Out-Null
+
+ $keys = (([Hashtable]$CreateParameters).clone()).Keys
+ foreach ($key in $keys)
+ {
+ if ($null -ne $CreateParameters.$key -and $CreateParameters.$key.getType().Name -like '*cimInstance*')
+ {
+ $CreateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $CreateParameters.$key
+ }
+ }
+
+ #region resource generator code
+ $uri = '/beta/deviceManagement/windowsDriverUpdateProfiles'
+ $policy = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $($CreateParameters | ConvertTo-Json)
+ $assignmentsHash = @()
+ foreach ($assignment in $Assignments)
+ {
+ $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $Assignment
+ }
+
+ if ($policy.id)
+ {
+ Update-DeviceConfigurationPolicyAssignment -DeviceConfigurationPolicyId $policy.id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/windowsDriverUpdateProfiles'
+ }
+ #endregion
+ }
+ elseif ($Ensure -eq 'Present' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Updating the Intune Windows Update For Business Driver Update Profile for Windows 10 with Id {$($currentInstance.Id)}"
+ $BoundParameters.Remove('Assignments') | Out-Null
+ $UpdateParameters = ([Hashtable]$BoundParameters).clone()
+ $UpdateParameters = Rename-M365DSCCimInstanceParameter -Properties $UpdateParameters
+ $UpdateParameters.Remove('ApprovalType') | Out-Null
+ $UpdateParameters.Remove('Id') | Out-Null
+
+ $keys = (([Hashtable]$UpdateParameters).clone()).Keys
+ foreach ($key in $keys)
+ {
+ if ($null -ne $UpdateParameters.$key -and $UpdateParameters.$key.getType().Name -like '*cimInstance*')
+ {
+ $UpdateParameters.$key = Convert-M365DSCDRGComplexTypeToHashtable -ComplexObject $UpdateParameters.$key
+ }
+ }
+ #region resource generator code
+ $uri = "/beta/deviceManagement/windowsDriverUpdateProfiles/$($currentInstance.Id)"
+ Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $($UpdateParameters | ConvertTo-Json)
+ $assignmentsHash = @()
+ foreach ($assignment in $Assignments)
+ {
+ $assignmentsHash += Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $assignment
+ }
+ Update-DeviceConfigurationPolicyAssignment `
+ -DeviceConfigurationPolicyId $currentInstance.Id `
+ -Targets $assignmentsHash `
+ -Repository 'deviceManagement/windowsDriverUpdateProfiles'
+ #endregion
+ }
+ elseif ($Ensure -eq 'Absent' -and $currentInstance.Ensure -eq 'Present')
+ {
+ Write-Verbose -Message "Removing the Intune Windows Update For Business Driver Update Profile for Windows 10 with Id {$($currentInstance.Id)}"
+ #region resource generator code
+ $uri = "/beta/deviceManagement/windowsDriverUpdateProfiles/$($currentInstance.Id)"
+ Invoke-MgGraphRequest -Method DELETE -Uri $uri
+ #endregion
+ }
+}
+
+function Test-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.Boolean])]
+ param
+ (
+ #region resource generator code
+ [Parameter()]
+ [System.String]
+ $Id,
+
+ [Parameter(Mandatory = $true)]
+ [System.String]
+ $DisplayName,
+
+ [Parameter()]
+ [System.String]
+ $Description,
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('manual', 'automatic')]
+ $ApprovalType,
+
+ [Parameter()]
+ [System.Int32]
+ $DeploymentDeferralInDays,
+
+ [Parameter()]
+ [System.String[]]
+ $RoleScopeTagIds,
+
+ [Parameter()]
+ [Microsoft.Management.Infrastructure.CimInstance[]]
+ $Assignments,
+ #endregion
+
+ [Parameter()]
+ [System.String]
+ [ValidateSet('Absent', 'Present')]
+ $Ensure = 'Present',
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ Write-Verbose -Message "Testing configuration of the Intune Windows Update For Business Driver Update Profile for Windows 10 with Id {$Id} and DisplayName {$DisplayName}"
+
+ $CurrentValues = Get-TargetResource @PSBoundParameters
+ $ValuesToCheck = ([Hashtable]$PSBoundParameters).clone()
+
+ if ($CurrentValues.Ensure -ne $Ensure)
+ {
+ Write-Verbose -Message "Test-TargetResource returned $false"
+ return $false
+ }
+ $testResult = $true
+
+ #Compare Cim instances
+ foreach ($key in $PSBoundParameters.Keys)
+ {
+ $source = $PSBoundParameters.$key
+ $target = $CurrentValues.$key
+ if ($source.getType().Name -like '*CimInstance*')
+ {
+ $source = Get-M365DSCDRGComplexTypeToHashtable -ComplexObject $source
+
+ $testResult = Compare-M365DSCComplexObject `
+ -Source ($source) `
+ -Target ($target)
+
+ if (-Not $testResult)
+ {
+ $testResult = $false
+ break
+ }
+
+ $ValuesToCheck.Remove($key) | Out-Null
+ }
+ }
+
+ $ValuesToCheck.remove('Id') | Out-Null
+ $ValuesToCheck.Remove('Credential') | Out-Null
+ $ValuesToCheck.Remove('ApplicationId') | Out-Null
+ $ValuesToCheck.Remove('TenantId') | Out-Null
+ $ValuesToCheck.Remove('ApplicationSecret') | Out-Null
+
+ Write-Verbose -Message "Current Values: $(Convert-M365DscHashtableToString -Hashtable $CurrentValues)"
+ Write-Verbose -Message "Target Values: $(Convert-M365DscHashtableToString -Hashtable $ValuesToCheck)"
+
+ if ($testResult)
+ {
+ $testResult = Test-M365DSCParameterState -CurrentValues $CurrentValues `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -DesiredValues $PSBoundParameters `
+ -ValuesToCheck $ValuesToCheck.Keys
+ }
+
+ Write-Verbose -Message "Test-TargetResource returned $testResult"
+
+ return $testResult
+}
+
+function Export-TargetResource
+{
+ [CmdletBinding()]
+ [OutputType([System.String])]
+ param
+ (
+ [Parameter()]
+ [System.String]
+ $Filter,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $Credential,
+
+ [Parameter()]
+ [System.String]
+ $ApplicationId,
+
+ [Parameter()]
+ [System.String]
+ $TenantId,
+
+ [Parameter()]
+ [System.Management.Automation.PSCredential]
+ $ApplicationSecret,
+
+ [Parameter()]
+ [System.String]
+ $CertificateThumbprint,
+
+ [Parameter()]
+ [Switch]
+ $ManagedIdentity,
+
+ [Parameter()]
+ [System.String[]]
+ $AccessTokens
+ )
+
+ $ConnectionMode = New-M365DSCConnection -Workload 'MicrosoftGraph' `
+ -InboundParameters $PSBoundParameters
+
+ #Ensure the proper dependencies are installed in the current environment.
+ Confirm-M365DSCDependencies
+
+ #region Telemetry
+ $ResourceName = $MyInvocation.MyCommand.ModuleName.Replace('MSFT_', '')
+ $CommandName = $MyInvocation.MyCommand
+ $data = Format-M365DSCTelemetryParameters -ResourceName $ResourceName `
+ -CommandName $CommandName `
+ -Parameters $PSBoundParameters
+ Add-M365DSCTelemetryEvent -Data $data
+ #endregion
+
+ try
+ {
+ #region resource generator code
+ # Filter is currently not supported
+ [array]$getValue = (Invoke-MgGraphRequest -Method GET -Uri '/beta/deviceManagement/windowsDriverUpdateProfiles').value
+ #endregion
+
+ $i = 1
+ $dscContent = ''
+ if ($getValue.Length -eq 0)
+ {
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ else
+ {
+ Write-Host "`r`n" -NoNewline
+ }
+ foreach ($config in $getValue)
+ {
+ $displayedKey = $config.Id
+ if (-not [String]::IsNullOrEmpty($config.displayName))
+ {
+ $displayedKey = $config.displayName
+ }
+ Write-Host " |---[$i/$($getValue.Count)] $displayedKey" -NoNewline
+ $params = @{
+ Id = $config.Id
+ DisplayName = $config.DisplayName
+ Ensure = 'Present'
+ Credential = $Credential
+ ApplicationId = $ApplicationId
+ TenantId = $TenantId
+ ApplicationSecret = $ApplicationSecret
+ CertificateThumbprint = $CertificateThumbprint
+ ManagedIdentity = $ManagedIdentity.IsPresent
+ AccessTokens = $AccessTokens
+ }
+
+ $Results = Get-TargetResource @Params
+ $Results = Update-M365DSCExportAuthenticationResults -ConnectionMode $ConnectionMode `
+ -Results $Results
+ if ($Results.Assignments)
+ {
+ $complexTypeStringResult = Get-M365DSCDRGComplexTypeToString -ComplexObject $Results.Assignments -CIMInstanceName DeviceManagementConfigurationPolicyAssignments
+ if ($complexTypeStringResult)
+ {
+ $Results.Assignments = $complexTypeStringResult
+ }
+ else
+ {
+ $Results.Remove('Assignments') | Out-Null
+ }
+ }
+ $currentDSCBlock = Get-M365DSCExportContentForResource -ResourceName $ResourceName `
+ -ConnectionMode $ConnectionMode `
+ -ModulePath $PSScriptRoot `
+ -Results $Results `
+ -Credential $Credential
+ if ($Results.Assignments)
+ {
+ $currentDSCBlock = Convert-DSCStringParamToVariable -DSCBlock $currentDSCBlock -ParameterName 'Assignments' -IsCIMArray:$true
+ }
+
+ $dscContent += $currentDSCBlock
+ Save-M365DSCPartialExport -Content $currentDSCBlock `
+ -FileName $Global:PartialExportFileName
+ $i++
+ Write-Host $Global:M365DSCEmojiGreenCheckMark
+ }
+ return $dscContent
+ }
+ catch
+ {
+ Write-Host $Global:M365DSCEmojiRedX
+
+ New-M365DSCLogEntry -Message 'Error during Export:' `
+ -Exception $_ `
+ -Source $($MyInvocation.MyCommand.Source) `
+ -TenantId $TenantId `
+ -Credential $Credential
+
+ return ''
+ }
+}
+
+Export-ModuleMember -Function *-TargetResource
diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.schema.mof b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.schema.mof
new file mode 100644
index 0000000000..932a9536b9
--- /dev/null
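Review bot: `Test-TargetResource` never removes `AccessTokens` from `$ValuesToCheck`, and `Get-TargetResource` copies `$AccessTokens` into the hashtable it returns, so both the "Current Values" and "Target Values" `Write-Verbose` lines are handed the tokens; unless `Convert-M365DscHashtableToString` redacts them (not visible in this diff), bearer tokens land in verbose output and in any transcript or DSC log that captures it. Add `$ValuesToCheck.Remove('AccessTokens') | Out-Null` beside the existing removals and log a copy of `$CurrentValues` with that key removed. Separately, the by-Id lookup in `Get-TargetResource` reads `.value` from `/beta/deviceManagement/windowsDriverUpdateProfiles/$Id`; a single-entity response normally has no `value` member, so this path probably always falls through to the DisplayName search, and with an empty `$Id` the URI addresses the whole collection and can return every profile. Guard it with `if (-not [string]::IsNullOrEmpty($Id))` and use the response object itself when it carries an `id`.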
+++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.schema.mof 
@@ -0,0 +1,30 @@ +[ClassVersion("1.0.0.0")] +class MSFT_DeviceManagementConfigurationPolicyAssignments +{ + [Write, Description("The type of the target assignment."), ValueMap{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}, Values{"#microsoft.graph.groupAssignmentTarget","#microsoft.graph.allLicensedUsersAssignmentTarget","#microsoft.graph.allDevicesAssignmentTarget","#microsoft.graph.exclusionGroupAssignmentTarget","#microsoft.graph.configurationManagerCollectionAssignmentTarget"}] String dataType; + [Write, Description("The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude."), ValueMap{"none","include","exclude"}, Values{"none","include","exclude"}] String deviceAndAppManagementAssignmentFilterType; + [Write, Description("The Id of the filter for the target assignment.")] String deviceAndAppManagementAssignmentFilterId; + [Write, Description("The group Id that is the target of the assignment.")] String groupId; + [Write, Description("The group Display Name that is the target of the assignment.")] String groupDisplayName; + [Write, Description("The collection Id that is the target of the assignment.(ConfigMgr)")] String collectionId; +}; + +[ClassVersion("1.0.0.0"), FriendlyName("IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10")] +class MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 : OMI_BaseResource +{ + [Write, Description("Id of the Intune policy.")] String Id; + [Key, Description("Display name of the Intune policy.")] String DisplayName; + [Write, Description("Description of the Intune policy.")] String Description; + [Write, Description("Driver update profile approval type. For example, manual or automatic approval. 
Possible values are: manual, automatic."), ValueMap{"manual","automatic"}, Values{"manual","automatic"}] String ApprovalType; + [Write, Description("Deployment deferral settings in days, only applicable when ApprovalType is set to automatic approval.")] UInt32 DeploymentDeferralInDays; + [Write, Description("List of Scope Tag IDs for the Driver Update entity.")] String RoleScopeTagIds[]; + [Write, Description("Represents the assignment to the Intune policy."), EmbeddedInstance("MSFT_DeviceManagementConfigurationPolicyAssignments")] String Assignments[]; + [Write, Description("Present ensures the policy exists, absent ensures it is removed."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; + [Write, Description("Credentials of the Admin"), EmbeddedInstance("MSFT_Credential")] string Credential; + [Write, Description("Id of the Azure Active Directory application to authenticate with.")] String ApplicationId; + [Write, Description("Id of the Azure Active Directory tenant used for authentication.")] String TenantId; + [Write, Description("Secret of the Azure Active Directory tenant used for authentication."), EmbeddedInstance("MSFT_Credential")] String ApplicationSecret; + [Write, Description("Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.")] String CertificateThumbprint; + [Write, Description("Managed ID being used for authentication.")] Boolean ManagedIdentity; + [Write, Description("Access token used for authentication.")] String AccessTokens[]; +}; diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/readme.md b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/readme.md new file mode 100644 index 0000000000..399a17d15f --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/readme.md 
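Review bot: `AccessTokens` is declared as a plain `String AccessTokens[]`, so a token supplied to this resource is not covered by DSC credential handling and is written as clear text into the compiled configuration, whereas `Credential` and `ApplicationSecret` just above use `EmbeddedInstance("MSFT_Credential")`. If the type has to stay for consistency with the other resources, the description should at least say so, for example `Description("Access token used for authentication. Stored as plain text in the compiled configuration.")`. Separately, the `ApplicationSecret` description reads "Secret of the Azure Active Directory tenant", but it is the application's secret; `Description("Secret of the Azure Active Directory application used for authentication.")` would be accurate.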
@@ -0,0 +1,8 @@ + +# IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 + +## Description + +Intune Windows Update For Business Driver Update Profile for Windows 10 + +Please note: Once a policy is created, the `ApprovalType` cannot be changed. A new policy must be created. diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json new file mode 100644 index 0000000000..ceffeec248 --- /dev/null +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/settings.json @@ -0,0 +1,32 @@ +{ + "resourceName": "IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10", + "description": "This resource configures an Intune Windows Update For Business Driver Update Profile for Windows 10.", + "permissions": { + "graph": { + "delegated": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + }, + "application": { + "read": [ + { + "name": "DeviceManagementConfiguration.Read.All" + } + ], + "update": [ + { + "name": "DeviceManagementConfiguration.ReadWrite.All" + } + ] + } + } + } +} diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 index a8f43d240a..69f35dbbff 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantCdnPolicy/MSFT_SPOTenantCdnPolicy.psm1 
@@ -77,23 +77,23 @@ function Get-TargetResource try { $Policies = Get-PnPTenantCdnPolicies -CdnType $CDNType -ErrorAction Stop - if ($null -ne $Policies['ExcludeRestrictedSiteClassifications']) + if ($Policies['ExcludeRestrictedSiteClassifications'].Length -gt 0) { $ExcludeRestrictedSiteClassifications = ` $Policies['ExcludeRestrictedSiteClassifications'].Split(',') } else { - $ExcludeRestrictedSiteClassifications = $null + $ExcludeRestrictedSiteClassifications = @() } - if ($null -ne $Policies['IncludeFileExtensions']) + if ($Policies['IncludeFileExtensions'].Length -gt 0) { $IncludeFileExtensions = ` $Policies['IncludeFileExtensions'].Split(',') } else { - $IncludeFileExtensions = $null + $IncludeFileExtensions = @() } return @{ diff --git a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 index 41d497ec48..6409765020 100644 --- a/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 +++ b/Modules/Microsoft365DSC/DSCResources/MSFT_SPOTenantSettings/MSFT_SPOTenantSettings.psm1 @@ -189,7 +189,7 @@ function Get-TargetResource LegacyAuthProtocolsEnabled = $SPOTenantSettings.LegacyAuthProtocolsEnabled SignInAccelerationDomain = $SPOTenantSettings.SignInAccelerationDomain UsePersistentCookiesForExplorerView = $SPOTenantSettings.UsePersistentCookiesForExplorerView - UserVoiceForFeedbackEnabled = $SPOTenantSettings.UserVoiceForFeedbackEnabled + #UserVoiceForFeedbackEnabled = $SPOTenantSettings.UserVoiceForFeedbackEnabled PublicCdnEnabled = $SPOTenantSettings.PublicCdnEnabled PublicCdnAllowedFileTypes = $SPOTenantSettings.PublicCdnAllowedFileTypes UseFindPeopleInPeoplePicker = $SPOTenantSettings.UseFindPeopleInPeoplePicker 
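Review bot: The new conditions `$Policies['ExcludeRestrictedSiteClassifications'].Length -gt 0` and `$Policies['IncludeFileExtensions'].Length -gt 0` read `.Length` on a value the old code treated as possibly `$null`. That evaluates quietly outside strict mode but would likely raise an error under `Set-StrictMode`. `if (-not [System.String]::IsNullOrEmpty($Policies['ExcludeRestrictedSiteClassifications']))` states the intent directly and covers both the null and the empty case. Get-TargetResource starts and ends outside this hunk, so whether strict mode is ever active here is not visible.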
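Review bot: The deprecated property is disabled by commenting the line out (`#UserVoiceForFeedbackEnabled = $SPOTenantSettings.UserVoiceForFeedbackEnabled`), which leaves dead code in the hashtable that Get-TargetResource returns. Either delete the line or replace it with the reason, for example `# UserVoiceForFeedbackEnabled is deprecated and is no longer returned`. If the parameter is still declared on the resource, which this hunk does not show, a configuration that sets it may now be compared against a missing current value in Test-TargetResource, so that is worth checking.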
@@ -413,6 +413,11 @@ function Set-TargetResource $CurrentParameters.Remove('AccessTokens') | Out-Null $CurrentParameters.Remove('TenantDefaultTimezone') | Out-Null # this one is updated separately using Graph + if ($CurrentParameters.Keys.Contains('UserVoiceForFeedbackEnabled')) + { + Write-Verbose -Message 'Property UserVoiceForFeedbackEnabled is deprecated, removing it' + $CurrentParameters.Remove('UserVoiceForFeedbackEnabled') | Out-Null + } if ($PublicCdnEnabled -eq $false) { diff --git a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 index 6da587efdd..b28afb06dd 100644 --- a/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 +++ b/Modules/Microsoft365DSC/Dependencies/Manifest.psd1 @@ -6,7 +6,7 @@ }, @{ ModuleName = 'ExchangeOnlineManagement' - RequiredVersion = '3.4.0' + RequiredVersion = '3.5.0' }, @{ ModuleName = 'Microsoft.Graph.Applications' @@ -86,7 +86,7 @@ }, @{ ModuleName = 'MicrosoftTeams' - RequiredVersion = '6.1.0' + RequiredVersion = '6.2.0' }, @{ ModuleName = "MSCloudLoginAssistant" diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/1-Create.ps1 new file mode 100644 index 0000000000..76b273ad8c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/1-Create.ps1 
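Review bot: The deprecation is reported with `Write-Verbose`, so a configuration that still sets `UserVoiceForFeedbackEnabled` has the value dropped with nothing shown at default verbosity. `Write-Warning -Message 'Property UserVoiceForFeedbackEnabled is deprecated and is ignored'` would make the skipped setting visible in normal runs and logs. Set-TargetResource begins and continues outside this hunk.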
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceConfigurationPlatformScriptMacOS 'Example' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential; + DisplayName = "custom"; + Ensure = "Present"; + BlockExecutionNotifications = $False; + Description = ""; + ExecutionFrequency = "00:00:00"; + FileName = "shellscript.sh"; + Id = "00000000-0000-0000-0000-000000000000"; + RetryCount = 0; + RoleScopeTagIds = @("0"); + RunAsAccount = "user"; + ScriptContent = "Base64 encoded script content"; + TenantId = $OrganizationName; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/2-Update.ps1 new file mode 100644 index 0000000000..f3708d3311 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/2-Update.ps1 
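Review bot: `TenantId = $OrganizationName;` uses a variable the configuration never defines; the `param` block declares only `$Credscredential`, so `TenantId` compiles to an empty value unless the variable happens to exist in the caller's scope. Either drop the line, as the MacOS `3-Remove.ps1` example does, or add `[Parameter(Mandatory = $true)] [System.String] $OrganizationName` to the `param` block. The same line appears in the MacOS `2-Update.ps1`, in all three IntuneDeviceConfigurationPlatformScriptWindows examples, and in the IntuneDeviceRemediation `1-Create.ps1` and `2-Update.ps1`.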
@@ -0,0 +1,40 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceConfigurationPlatformScriptMacOS 'Example' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential; + DisplayName = "custom"; + Ensure = "Present"; + BlockExecutionNotifications = $False; + Description = ""; + ExecutionFrequency = "00:00:00"; + FileName = "shellscript.sh"; + Id = "00000000-0000-0000-0000-000000000000"; + RetryCount = 1; # Updated property + RoleScopeTagIds = @("0"); + RunAsAccount = "user"; + ScriptContent = "Base64 encoded script content"; + TenantId = $OrganizationName; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/3-Remove.ps1 new file mode 100644 index 0000000000..4b210f57a4 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptMacOS/3-Remove.ps1 @@ -0,0 +1,25 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceConfigurationPlatformScriptMacOS 'Example' + { + Credential = $Credscredential; + DisplayName = "custom"; + Ensure = "Absent"; + Id = "00000000-0000-0000-0000-000000000000"; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/1-Create.ps1 new file mode 100644 index 0000000000..b5775736dd --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/1-Create.ps1 @@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceConfigurationPlatformScriptWindows 'Example' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential; + DisplayName = "custom"; + Ensure = "Present"; + EnforceSignatureCheck = $False; + FileName = "script.ps1"; + Id = "00000000-0000-0000-0000-000000000000"; + RunAs32Bit = $True; + RunAsAccount = "system"; + ScriptContent = "Base64 encoded script content"; + TenantId = $OrganizationName; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/2-Update.ps1 new file mode 100644 index 0000000000..6498d54c6e --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/2-Update.ps1 
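Review bot: The example sets `EnforceSignatureCheck = $False` together with `RunAsAccount = "system"` and an `#microsoft.graph.allDevicesAssignmentTarget` assignment, so anyone who copies it deploys an unsigned script as SYSTEM to every device. Examples tend to be reused as templates; `EnforceSignatureCheck = $True;`, or a trailing comment such as `# set to $True when scripts are code-signed`, would be a safer default to show. The same combination is in the Windows `2-Update.ps1` and in the IntuneDeviceRemediation `1-Create.ps1` and `2-Update.ps1`, whose header comments do not carry the "not meant to use as a production baseline" notice.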
@@ -0,0 +1,37 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceConfigurationPlatformScriptWindows 'Example' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential; + DisplayName = "custom"; + Ensure = "Present"; + EnforceSignatureCheck = $False; + FileName = "script.ps1"; + Id = "00000000-0000-0000-0000-000000000000"; + RunAs32Bit = $False; # Updated property + RunAsAccount = "system"; + ScriptContent = "Base64 encoded script content"; + TenantId = $OrganizationName; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/3-Remove.ps1 new file mode 100644 index 0000000000..d3933101bc --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceConfigurationPlatformScriptWindows/3-Remove.ps1 @@ -0,0 +1,26 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceConfigurationPlatformScriptWindows 'Example' + { + Credential = $Credscredential; + DisplayName = "custom"; + Ensure = "Absent"; + Id = "00000000-0000-0000-0000-000000000000"; + TenantId = $OrganizationName; + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/1-Create.ps1 new file mode 100644 index 0000000000..47145d4c9a --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/1-Create.ps1 @@ -0,0 +1,40 @@ +<# +This example creates a new Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceRemediation 'ConfigureDeviceRemediation' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential + Description = 'Description' + DetectionScriptContent = "Base64 encoded script content"; + DeviceHealthScriptType = "deviceHealthScript"; + DisplayName = "Device remediation"; + EnforceSignatureCheck = $False; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + Publisher = "Some Publisher"; + RemediationScriptContent = "Base64 encoded script content"; + RoleScopeTagIds = @("0"); + RunAs32Bit = $True; + RunAsAccount = "system"; + TenantId = $OrganizationName; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/2-Update.ps1 new file mode 100644 index 0000000000..dc4bef9bde --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/2-Update.ps1 
@@ -0,0 +1,40 @@ +<# +This example updates a new Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceRemediation 'ConfigureDeviceRemediation' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential + Description = 'Description' + DetectionScriptContent = "Base64 encoded script content 2"; # Updated property + DeviceHealthScriptType = "deviceHealthScript"; + DisplayName = "Device remediation"; + EnforceSignatureCheck = $False; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + Publisher = "Some Publisher"; + RemediationScriptContent = "Base64 encoded script content 2"; # Updated property + RoleScopeTagIds = @("0"); + RunAs32Bit = $True; + RunAsAccount = "system"; + TenantId = $OrganizationName; + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/3-Remove.ps1 new file mode 100644 index 0000000000..85b0b6a6a0 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneDeviceRemediation/3-Remove.ps1 @@ -0,0 +1,24 @@ +<# +This example removes a Device Remediation. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneDeviceRemediation 'ConfigureDeviceRemediation' + { + Id = '00000000-0000-0000-0000-000000000000' + DisplayName = 'Device remediation' + Ensure = 'Absent' + Credential = $Credscredential + } + } +} 
diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/1-Create.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/1-Create.ps1 new file mode 100644 index 0000000000..bb31ab852c --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/1-Create.ps1 @@ -0,0 +1,27 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 'Example' + { + DisplayName = 'Driver Update Example' + Assignments = @() + Description = 'test 2' + approvalType = 'manual' + Ensure = 'Present' + Credential = $Credscredential + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/2-Update.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/2-Update.ps1 new file mode 100644 index 0000000000..efe6c0eaa5 --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/2-Update.ps1 
@@ -0,0 +1,27 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 'Example' + { + DisplayName = 'Driver Update Example' + Assignments = @() + Description = 'test 3' # Updated property + approvalType = 'manual' + Ensure = 'Present' + Credential = $Credscredential + } + } +} diff --git a/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/3-Remove.ps1 b/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/3-Remove.ps1 new file mode 100644 index 0000000000..25a5c12adb --- /dev/null +++ b/Modules/Microsoft365DSC/Examples/Resources/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10/3-Remove.ps1 @@ -0,0 +1,25 @@ +<# +This example is used to test new resources and showcase the usage of new resources being worked on. +It is not meant to use as a production baseline. +#> + +Configuration Example +{ + param( + [Parameter(Mandatory = $true)] + [PSCredential] + $Credscredential + ) + Import-DscResource -ModuleName Microsoft365DSC + + node localhost + { + IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 'Example' + { + DisplayName = 'Driver Update Example' + Description = 'test 2' + Ensure = 'Absent' + Credential = $Credscredential + } + } +} diff --git a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 index d86afc51e7..ecaec37626 100644 --- a/Modules/Microsoft365DSC/Microsoft365DSC.psd1 +++ b/Modules/Microsoft365DSC/Microsoft365DSC.psd1 
@@ -11,7 +11,7 @@ # RootModule = '' # Version number of this module. - ModuleVersion = '1.24.515.2' + ModuleVersion = '1.24.522.1' # Supported PSEditions # CompatiblePSEditions = @() 
@@ -142,71 +142,26 @@ IconUri = 'https://github.com/microsoft/Microsoft365DSC/blob/Dev/Modules/Microsoft365DSC/Dependencies/Images/Logo.png?raw=true' # ReleaseNotes of this module - ReleaseNotes = '* AADActivityBasedTimeoutPolicy - * Initial release, set the azure portal and default Timeout. - * AADGroup - * Fixes #4596 - * AADGroupSettings - * Added support for parameter NewUnifiedGroupWritebackDefault - * EXOManagementRoleEntry + ReleaseNotes = '* IntuneDeviceConfigurationPlatformScriptWindows * Initial Release - * Added support for the WebSite type. - * IntuneAntivirusPolicyWindows10SettingCatalog - * Add missing properties from templates - * Update setting handling so that the value is reverted to default when unset - * IntuneDeviceConfigurationCustomPolicyWindows10 - * Fixed an issue where the payload of xml files was not encoded as base64. - * IntuneDeviceConfigurationDefenderForEndpointOnboardingPolicyWindows10 - * Fixed a creation and update issue when the exported policy contains a - onboarding blob and the tenant is connected to Defender for Endpoint Service. - * SCAutoSensitivityLabelPolicy - * Fix incorrect mandatory Credential parameter in Set and Test methods - FIXES [#4283](https://github.com/microsoft/Microsoft365DSC/issues/4283) - * SPOSharingSettings - * Remove properties from being tested in certain conditions - FIXES [#4649](https://github.com/microsoft/Microsoft365DSC/issues/4649) - * Changed logic to retrieve my site for sovereign clouds. 
+ FIXES [#4157](https://github.com/microsoft/Microsoft365DSC/issues/4157) + * IntuneDeviceConfigurationPlatformScriptMacOS + * Initial Release + FIXES [#4157](https://github.com/microsoft/Microsoft365DSC/issues/4157) * SPOTenantCdnPolicy - * Fixed an issue when both IncludeFileExtensions and - ExcludeRestrictedSiteClassifications needed to be changed but the latter got - the value of the former instead of the correct one - FIXES [#4658](https://github.com/microsoft/Microsoft365DSC/issues/4658) - * TeamsAudioConferencingPolicy - * Fix export and creation/set of this resource by converting a string array - into a comma-separated string and a comma-separated string into a string - array respectively - FIXES [#4655](https://github.com/microsoft/Microsoft365DSC/issues/4655) - * TeamsMeetingPolicy - * Fix creation and set of resource when cloud recording is set to false (off) - FIXES [#4653](https://github.com/microsoft/Microsoft365DSC/issues/4653) - * Fixed issue with property MeetingChatEnabledType by allowing the value - EnabledExceptAnonymous to be selected - FIXES [#4667](https://github.com/microsoft/Microsoft365DSC/issues/4667) - * TeamsGroupPolicyAssignment - * Add missing policy type TeamsVerticalPackagePolicy - FIXES [#4647](https://github.com/microsoft/Microsoft365DSC/issues/4647) - * TeamsUpdateManagementPolicy - * Remove unnecessary parameters from PSBoundParameters such as authentication - methods, Ensure and Verbose by calling Remove-M365DSCAuthenticationParameter - FIXES [#4651](https://github.com/microsoft/Microsoft365DSC/issues/4651) + * If properties in the tenant are empty then export them as empty arrays + instead of null strings, missed while fixing #4658 + * SPOTenantSettings + * Remove property UserVoiceForFeedbackEnabled when setting the resource since + it has been deprecated * M365DSCUtil - * Fixed an issue where one could not pass empty arrays to the - `Compare-PSCustomObjectArrays` function. 
- * Fixed an issue with how the ResourceInstanceName was being assigned for - resource SPOTenantCdnPolicy by adding its primary key CDNType to the - heuristics - FIXES [#4658](https://github.com/microsoft/Microsoft365DSC/issues/4658) + * Fixed an issue in `Assert-M365DSCBlueprint` where the clone and export + of a blueprint with a GUID could lead to configuration name starting + with a digit instead of a letter. + Partially fixes [#4681](https://github.com/microsoft/Microsoft365DSC/issues/4681) * DEPENDENCIES - * Updated DSCParser to version 2.0.0.4. - * Updated Microsoft.Graph to version 2.19.0. - * Updated Microsoft.PowerApps.Administration.PowerShell to version 2.0.187. - * MISC - * Added support for Access Tokens across AAD resources. - * Added support for Access Tokens across SC resources. - * Added support for Access Tokens across SPO resources. - * Added support for Access Tokens across Teams resources. - * Fixing fake passwords in Unit Tests. - * Added ability to configure Telemetry client by ConnectionString.' + * Updated ExchangeOnlineManagement to version 3.5.0 + * Updated MicrosoftTeams to version 6.2.0' # Flag to indicate whether the module requires explicit user acceptance for install/update # RequireLicenseAcceptance = $false diff --git a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 index 775b1e711c..c87282c1d5 100644 --- a/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 +++ b/Modules/Microsoft365DSC/Modules/M365DSCUtil.psm1 @@ -2720,7 +2720,7 @@ function Assert-M365DSCBlueprint Add-M365DSCTelemetryEvent -Data $data #endregion - $TempBluePrintName = (New-Guid).ToString() + '.M365' + $TempBluePrintName = 'TempBlueprint_' + (New-Guid).ToString() + '.M365' $LocalBluePrintPath = Join-Path -Path $env:Temp -ChildPath $TempBluePrintName try { 
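Review bot: The `'TempBlueprint_'` prefix has no comment saying why it is there, and the reason is not obvious from the line itself. Going by the changelog entry, the name ends up as the configuration name, which must start with a letter, so a comment like `# Prefix with letters: a GUID can start with a digit, which is not a valid configuration name (#4681)` would keep the prefix from being removed later. The same applies to `'TempExport_'` in the next hunk. Assert-M365DSCBlueprint starts and ends outside both hunks, so whether these files in `$env:Temp` are deleted afterwards is not visible; the export holds tenant configuration, so cleanup in a `finally` block is worth confirming.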
@@ -2793,7 +2793,7 @@ function Assert-M365DSCBlueprint # Call the Export-M365DSCConfiguration cmdlet to extract only the resource # types contained within the BluePrint; Write-Host "Initiating the Export of those ($($ResourcesInBluePrint.Length)) components from the tenant..." - $TempExportName = (New-Guid).ToString() + '.ps1' + $TempExportName = 'TempExport_' + (New-Guid).ToString() + '.ps1' Export-M365DSCConfiguration -Components $ResourcesInBluePrint ` -Path $env:temp ` -FileName $TempExportName ` diff --git a/Modules/Microsoft365DSC/SchemaDefinition.json b/Modules/Microsoft365DSC/SchemaDefinition.json index 55936d8288..e0f73db12f 100644 --- a/Modules/Microsoft365DSC/SchemaDefinition.json +++ b/Modules/Microsoft365DSC/SchemaDefinition.json @@ -2027,6 +2027,11 @@ "Name": "AuthenticationStrength", "Option": "Write" }, + { + "CIMType": "String", + "Name": "TransferMethods", + "Option": "Write" + }, { "CIMType": "String[]", "Name": "AuthenticationContexts", 
@@ -22144,6 +22149,201 @@ } ] }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationPlatformScriptMacOS", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "BlockExecutionNotifications", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Required" + }, + { + "CIMType": "String", + "Name": "FileName", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ExecutionFrequency", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "RetryCount", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RunAsAccount", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ScriptContent", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceConfigurationPlatformScriptWindows", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Required" + }, + { + "CIMType": "Boolean", + "Name": 
"EnforceSignatureCheck", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "FileName", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RunAs32Bit", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RunAsAccount", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ScriptContent", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphapplistitem", "Parameters": [ 
@@ -28814,6 +29014,151 @@ } ] }, + { + "ClassName": "MSFT_MicrosoftGraphDeviceHealthScriptParameter", + "Parameters": [ + { + "CIMType": "Boolean", + "Name": "ApplyDefaultValueWhenNotAssigned", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "IsRequired", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Name", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "DefaultValue", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "odataType", + "Option": "Write" + } + ] + }, + { + "ClassName": "MSFT_IntuneDeviceRemediation", + "Parameters": [ + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DetectionScriptContent", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphdeviceHealthScriptParameter[]", + "Name": "DetectionScriptParameters", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DeviceHealthScriptType", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Required" + }, + { + "CIMType": "Boolean", + "Name": "EnforceSignatureCheck", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Publisher", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RemediationScriptContent", + "Option": "Write" + }, + { + "CIMType": "MSFT_MicrosoftGraphdeviceHealthScriptParameter[]", + "Name": "RemediationScriptParameters", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "RunAs32Bit", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "RunAsAccount", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "Id", + "Option": "Key" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": 
"Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_IntuneEndpointDetectionAndResponsePolicyWindows10", "Parameters": [ 
@@ -31299,6 +31644,86 @@ } ] }, + { + "ClassName": "MSFT_IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10", + "Parameters": [ + { + "CIMType": "String", + "Name": "Id", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "DisplayName", + "Option": "Key" + }, + { + "CIMType": "String", + "Name": "Description", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApprovalType", + "Option": "Write" + }, + { + "CIMType": "UInt32", + "Name": "DeploymentDeferralInDays", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "RoleScopeTagIds", + "Option": "Write" + }, + { + "CIMType": "MSFT_DeviceManagementConfigurationPolicyAssignments[]", + "Name": "Assignments", + "Option": "Write" + }, + { + "CIMType": "string", + "Name": "Ensure", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "Credential", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "ApplicationId", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "TenantId", + "Option": "Write" + }, + { + "CIMType": "MSFT_Credential", + "Name": "ApplicationSecret", + "Option": "Write" + }, + { + "CIMType": "String", + "Name": "CertificateThumbprint", + "Option": "Write" + }, + { + "CIMType": "Boolean", + "Name": "ManagedIdentity", + "Option": "Write" + }, + { + "CIMType": "String[]", + "Name": "AccessTokens", + "Option": "Write" + } + ] + }, { "ClassName": "MSFT_MicrosoftGraphWindowsUpdateRolloutSettings", "Parameters": [ diff --git a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 index 5177e01c66..562ed8fd4e 100644 --- a/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 +++ b/Tests/Integration/Microsoft365DSC/M365DSCIntegration.INTUNE.Create.Tests.ps1 
@@ -1055,6 +1055,47 @@ SubjectNameFormat = "custom"; SubjectNameFormatString = "CN={{UserName}},E={{EmailAddress}}"; } + IntuneDeviceConfigurationPlatformScriptMacOS 'Example' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential; + DisplayName = "custom"; + Ensure = "Present"; + BlockExecutionNotifications = $False; + Description = ""; + ExecutionFrequency = "00:00:00"; + FileName = "shellscript.sh"; + Id = "00000000-0000-0000-0000-000000000000"; + RetryCount = 0; + RoleScopeTagIds = @("0"); + RunAsAccount = "user"; + ScriptContent = "Base64 encoded script content"; + TenantId = $OrganizationName; + } + IntuneDeviceConfigurationPlatformScriptWindows 'Example' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential; + DisplayName = "custom"; + Ensure = "Present"; + EnforceSignatureCheck = $False; + FileName = "script.ps1"; + Id = "00000000-0000-0000-0000-000000000000"; + RunAs32Bit = $True; + RunAsAccount = "system"; + ScriptContent = "Base64 encoded script content"; + TenantId = $OrganizationName; + } IntuneDeviceConfigurationPolicyAndroidDeviceAdministrator 'myAndroidDeviceAdmin' { DisplayName = 'Android device admin' 
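Review bot: The IntuneDeviceConfigurationPlatformScriptWindows block added here combines `EnforceSignatureCheck = $False`, `RunAsAccount = "system"` and an `allDevicesAssignmentTarget` assignment, which is a risky template for anyone who copies it; prefer `EnforceSignatureCheck = $True` or an assignment scoped to a test group. `ScriptContent = "Base64 encoded script content"` is not valid Base64, so if the resource decodes the value (its code is outside this hunk) the create step may fail or store unintended bytes; a real short value such as `"VGVzdA=="` avoids that, and the macOS block has the same placeholder. Both points also apply to the IntuneDeviceRemediation block in the next hunk of this file (`DetectionScriptContent`, `RemediationScriptContent`). The enclosing configuration starts and ends outside the hunk.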
@@ -1966,6 +2007,29 @@ TrackInstallProgressForAutopilotOnly = $True; Credential = $Credscredential } + IntuneDeviceRemediation 'ConfigureDeviceRemediation' + { + Assignments = @( + MSFT_DeviceManagementConfigurationPolicyAssignments{ + deviceAndAppManagementAssignmentFilterType = 'none' + dataType = '#microsoft.graph.allDevicesAssignmentTarget' + } + ); + Credential = $Credscredential + Description = 'Description' + DetectionScriptContent = "Base64 encoded script content"; + DeviceHealthScriptType = "deviceHealthScript"; + DisplayName = "Device remediation"; + EnforceSignatureCheck = $False; + Ensure = "Present"; + Id = '00000000-0000-0000-0000-000000000000' + Publisher = "Some Publisher"; + RemediationScriptContent = "Base64 encoded script content"; + RoleScopeTagIds = @("0"); + RunAs32Bit = $True; + RunAsAccount = "system"; + TenantId = $OrganizationName; + } IntuneEndpointDetectionAndResponsePolicyWindows10 'myEDRPolicy' { DisplayName = 'Edr Policy' diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 index 81b7abea66..78a0fa3010 100644 --- a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.AADConditionalAccessPolicy.Tests.ps1 @@ -33,10 +33,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { return 'Credentials' } - Mock -CommandName New-MgBetaIdentityConditionalAccessPolicy -MockWith { - } - - Mock -CommandName Update-MgBetaIdentityConditionalAccessPolicy -MockWith { + Mock -CommandName Invoke-MgGraphRequest -MockWith { } Mock -CommandName Remove-MgBetaIdentityConditionalAccessPolicy -MockWith { 
@@ -140,7 +137,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should create the policy in the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName New-MgBetaIdentityConditionalAccessPolicy -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 } } @@ -294,7 +291,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the settings from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-MgBetaIdentityConditionalAccessPolicy -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 } } @@ -412,7 +409,7 @@ Describe -Name $Global:DscHelper.DescribeHeader -Fixture { It 'Should update the settings from the Set method' { Set-TargetResource @testParams - Should -Invoke -CommandName Update-MgBetaIdentityConditionalAccessPolicy -Exactly 1 + Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1 } } diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationPlatformScriptMacOS.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationPlatformScriptMacOS.Tests.ps1 new file mode 100644 index 0000000000..bd3ebf966c --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationPlatformScriptMacOS.Tests.ps1 
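Review bot: The three assertions changed to `Should -Invoke -CommandName Invoke-MgGraphRequest -Exactly 1` (the create context and both update contexts) no longer tell a create from an update, because the single mock introduced in the earlier hunk now stands for both paths. A regression that sends the wrong HTTP method or URI for a Conditional Access policy would still pass these tests. Assuming Set-TargetResource passes `-Method` to the call (its body is outside these hunks), add a filter such as `Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'POST' } -Exactly 1` for the create case, and the matching update method for the other two.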
@@ -0,0 +1,255 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource "IntuneDeviceConfigurationPlatformScriptMacOS" -GenericStubModule $GenericStubPath
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+
+ $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName Get-PSSession -MockWith {
+ }
+
+ Mock -CommandName Remove-PSSession -MockWith {
+ }
+
+ Mock -CommandName Update-MgBetaDeviceManagementDeviceShellScript -MockWith {
+ }
+
+ Mock -CommandName New-MgBetaDeviceManagementDeviceShellScript -MockWith {
+ }
+
+ Mock -CommandName Remove-MgBetaDeviceManagementDeviceShellScript -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return "Credentials"
+ }
+
+ Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith {
+ }
+
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceShellScriptAssignment -MockWith {
+ }
+
+ }
+ # Test contexts
+ Context -Name "The IntuneDeviceConfigurationPlatformScriptMacOS should exist but it DOES NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ BlockExecutionNotifications = $True
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = "AAAAAAA="
+ Ensure = "Present"
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceShellScript -MockWith {
+ return $null
+ }
+ }
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Absent'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+ It 'Should Create the group from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName New-MgBetaDeviceManagementDeviceShellScript -Exactly 1
+ }
+ }
+
+ Context -Name "The IntuneDeviceConfigurationPlatformScriptMacOS exists but it SHOULD NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ BlockExecutionNotifications = $True
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = "AAAAAAA="
+ Ensure = 'Absent'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceShellScript -MockWith {
+ return @{
+ AdditionalProperties = @{
+ '@odata.type' = "#microsoft.graph.DeviceShellScript"
+ }
+ BlockExecutionNotifications = $True
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = [byte[]]::new(5)
+ }
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should Remove the group from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Remove-MgBetaDeviceManagementDeviceShellScript -Exactly 1
+ }
+ }
+ Context -Name "The IntuneDeviceConfigurationPlatformScriptMacOS Exists and Values are already in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ BlockExecutionNotifications = $True
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = "AAAAAAA="
+ Ensure = 'Present'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceShellScript -MockWith {
+ return @{
+ AdditionalProperties = @{
+ '@odata.type' = "#microsoft.graph.DeviceShellScript"
+ }
+ BlockExecutionNotifications = $True
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ LastModifiedDateTime = "2023-01-01T00:00:00.0000000+01:00"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = [byte[]]::new(5)
+ }
+ }
+ }
+
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name "The IntuneDeviceConfigurationPlatformScriptMacOS exists and values are NOT in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ BlockExecutionNotifications = $True
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = "AAAAAAA="
+ Ensure = 'Present'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceShellScript -MockWith {
+ return @{
+ CreatedDateTime = "2023-01-01T00:00:00.0000000+01:00"
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ LastModifiedDateTime = "2023-01-01T00:00:00.0000000+01:00"
+ RetryCount = 7
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = [byte[]]::new(5)
+ }
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should call the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Update-MgBetaDeviceManagementDeviceShellScript -Exactly 1
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementDeviceShellScript -MockWith {
+ return @{
+ AdditionalProperties = @{
+ '@odata.type' = "#microsoft.graph.DeviceShellScript"
+ }
+ BlockExecutionNotifications = $True
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = [byte[]]::new(5)
+ }
+ }
+ }
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationPlatformScriptWindows.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationPlatformScriptWindows.Tests.ps1
new file mode 100644
index 0000000000..d85d346ede
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceConfigurationPlatformScriptWindows.Tests.ps1
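Review bot: In the macOS test file's "exists but it SHOULD NOT" context the test is titled `'Should return true from the Test method'` but asserts `Should -Be $false`; the assertion is the right one for that context, so the title should read `'Should return false from the Test method'`. The titles `'Should Create the group from the Set method'` and `'Should Remove the group from the Set method'` are leftovers from another resource and should say "script". Both issues repeat in the IntuneDeviceConfigurationPlatformScriptWindows and IntuneDeviceRemediation test files added by this commit. Separately, the drift context differs from the desired state only in `BlockExecutionNotifications` and `RetryCount`; a case where only `ScriptContent` differs would pin that Test-TargetResource reports a changed script body, which is the property that matters most for a resource that deploys code to devices.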
@@ -0,0 +1,260 @@
+[CmdletBinding()]
+param(
+)
+$M365DSCTestFolder = Join-Path -Path $PSScriptRoot `
+ -ChildPath '..\..\Unit' `
+ -Resolve
+$CmdletModule = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Microsoft365.psm1' `
+ -Resolve)
+$GenericStubPath = (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\Stubs\Generic.psm1' `
+ -Resolve)
+Import-Module -Name (Join-Path -Path $M365DSCTestFolder `
+ -ChildPath '\UnitTestHelper.psm1' `
+ -Resolve)
+
+$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule `
+ -DscResource "IntuneDeviceConfigurationPlatformScriptWindows" -GenericStubModule $GenericStubPath
+Describe -Name $Global:DscHelper.DescribeHeader -Fixture {
+ InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock {
+ Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope
+ BeforeAll {
+
+ $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force
+ $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd)
+
+ Mock -CommandName Confirm-M365DSCDependencies -MockWith {
+ }
+
+ Mock -CommandName Get-PSSession -MockWith {
+ }
+
+ Mock -CommandName Remove-PSSession -MockWith {
+ }
+
+ Mock -CommandName Update-MgBetaDeviceManagementScript -MockWith {
+ }
+
+ Mock -CommandName New-MgBetaDeviceManagementScript -MockWith {
+ }
+
+ Mock -CommandName Remove-MgBetaDeviceManagementScript -MockWith {
+ }
+
+ Mock -CommandName New-M365DSCConnection -MockWith {
+ return "Credentials"
+ }
+
+ Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith {
+ }
+
+ # Mock Write-Host to hide output during the tests
+ Mock -CommandName Write-Host -MockWith {
+ }
+ $Script:exportedInstances =$null
+ $Script:ExportMode = $false
+
+ Mock -CommandName Get-MgBetaDeviceManagementScriptAssignment -MockWith {
+ }
+
+ }
+ # Test contexts
+ Context -Name "The IntuneDeviceConfigurationPlatformScriptWindows should exist but it DOES NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ EnforceSignatureCheck = $True
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAs32Bit = $True
+ RunAsAccount = "system"
+ ScriptContent = "AAAAAAA="
+ Ensure = "Present"
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementScript -MockWith {
+ return $null
+ }
+ }
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Absent'
+ }
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+ It 'Should Create the group from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName New-MgBetaDeviceManagementScript -Exactly 1
+ }
+ }
+
+ Context -Name "The IntuneDeviceConfigurationPlatformScriptWindows exists but it SHOULD NOT" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ EnforceSignatureCheck = $True
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAs32Bit = $True
+ RunAsAccount = "system"
+ ScriptContent = "AAAAAAA="
+ Ensure = 'Absent'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementScript -MockWith {
+ return @{
+ AdditionalProperties = @{
+ '@odata.type' = "#microsoft.graph.DeviceManagementScript"
+ }
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ EnforceSignatureCheck = $True
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAs32Bit = $True
+ RunAsAccount = "system"
+ ScriptContent = [byte[]]::new(5)
+ }
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should Remove the group from the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Remove-MgBetaDeviceManagementScript -Exactly 1
+ }
+ }
+ Context -Name "The IntuneDeviceConfigurationPlatformScriptWindows Exists and Values are already in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ EnforceSignatureCheck = $True
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAs32Bit = $True
+ RunAsAccount = "system"
+ ScriptContent = "AAAAAAA="
+ Ensure = 'Present'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementScript -MockWith {
+ return @{
+ AdditionalProperties = @{
+ '@odata.type' = "#microsoft.graph.DeviceManagementScript"
+ }
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ EnforceSignatureCheck = $True
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAs32Bit = $True
+ RunAsAccount = "system"
+ ScriptContent = [byte[]]::new(5)
+ }
+ }
+ }
+
+
+ It 'Should return true from the Test method' {
+ Test-TargetResource @testParams | Should -Be $true
+ }
+ }
+
+ Context -Name "The IntuneDeviceConfigurationPlatformScriptWindows exists and values are NOT in the desired state" -Fixture {
+ BeforeAll {
+ $testParams = @{
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ EnforceSignatureCheck = $True
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAs32Bit = $True
+ RunAsAccount = "system"
+ ScriptContent = "AAAAAAA="
+ Ensure = 'Present'
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementScript -MockWith {
+ return @{
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAsAccount = "system"
+ ScriptContent = [byte[]]::new(5)
+ }
+ }
+ }
+
+ It 'Should return Values from the Get method' {
+ (Get-TargetResource @testParams).Ensure | Should -Be 'Present'
+ }
+
+ It 'Should return false from the Test method' {
+ Test-TargetResource @testParams | Should -Be $false
+ }
+
+ It 'Should call the Set method' {
+ Set-TargetResource @testParams
+ Should -Invoke -CommandName Update-MgBetaDeviceManagementScript -Exactly 1
+ }
+ }
+
+ Context -Name 'ReverseDSC Tests' -Fixture {
+ BeforeAll {
+ $Global:CurrentModeIsExport = $true
+ $Global:PartialExportFileName = "$(New-Guid).partial.ps1"
+ $testParams = @{
+ Credential = $Credential
+ }
+
+ Mock -CommandName Get-MgBetaDeviceManagementScript -MockWith {
+ return @{
+ AdditionalProperties = @{
+ '@odata.type' = "#microsoft.graph.DeviceManagementScript"
+ }
+ CreatedDateTime = "2023-01-01T00:00:00.0000000+01:00"
+ Description = "FakeStringValue"
+ DisplayName = "FakeStringValue"
+ EnforceSignatureCheck = $True
+ FileName = "FakeStringValue"
+ Id = "FakeStringValue"
+ LastModifiedDateTime = "2023-01-01T00:00:00.0000000+01:00"
+ RoleScopeTagIds = @("FakeStringValue")
+ RunAs32Bit = $True
+ RunAsAccount = "system"
+ ScriptContent = [byte[]]::new(5)
+ }
+ }
+ }
+ It 'Should Reverse Engineer resource from the Export method' {
+ $result = Export-TargetResource @testParams
+ $result | Should -Not -BeNullOrEmpty
+ }
+ }
+ }
+}
+
+Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope
diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceRemediation.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceRemediation.Tests.ps1
new file mode 100644
index 0000000000..5b991519be
--- /dev/null
+++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneDeviceRemediation.Tests.ps1
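Review bot: In the Windows test file, the "values are NOT in the desired state" context drops both `EnforceSignatureCheck` and `RunAs32Bit` from the mocked script, so the test would still pass if Test-TargetResource stopped comparing `EnforceSignatureCheck`. Since that flag decides whether unsigned scripts may run on managed devices, give it its own drift case: return the full mock with only `EnforceSignatureCheck = $False` and assert `Test-TargetResource @testParams | Should -Be $false`. Test-TargetResource itself is outside this hunk, so this is a coverage gap rather than a known defect.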
@@ -0,0 +1,421 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneDeviceRemediation" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Update-MgBetaDeviceManagementDeviceHealthScript -MockWith { + } + + Mock -CommandName New-MgBetaDeviceManagementDeviceHealthScript -MockWith { + } + + Mock -CommandName Remove-MgBetaDeviceManagementDeviceHealthScript -MockWith { + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + + Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScriptAssignment -MockWith { + } + } + # Test contexts + Context -Name "The IntuneDeviceRemediation should exist but it DOES NOT" -Fixture { + 
BeforeAll { + $testParams = @{ + Description = "FakeStringValue" + DetectionScriptContent = "VGVzdA==" # "Test" + DetectionScriptParameters = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphdeviceHealthScriptParameter -Property @{ + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + odataType = "#microsoft.graph.deviceHealthScriptBooleanParameter" + ApplyDefaultValueWhenNotAssigned = $True + } -ClientOnly) + ) + DeviceHealthScriptType = "deviceHealthScript" + DisplayName = "FakeStringValue" + EnforceSignatureCheck = $True + Id = "FakeStringValue" + Publisher = "FakeStringValue" + RemediationScriptContent = "VGVzdA==" # "Test" + RemediationScriptParameters = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphdeviceHealthScriptParameter -Property @{ + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + odataType = "#microsoft.graph.deviceHealthScriptBooleanParameter" + ApplyDefaultValueWhenNotAssigned = $True + } -ClientOnly) + ) + RoleScopeTagIds = @("FakeStringValue") + RunAs32Bit = $True + RunAsAccount = "system" + Ensure = "Present" + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScript -MockWith { + return $null + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName New-MgBetaDeviceManagementDeviceHealthScript -Exactly 1 + } + } + + Context -Name "The IntuneDeviceRemediation exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + Description = "FakeStringValue" + DetectionScriptContent = "VGVzdA==" # "Test" + DetectionScriptParameters = [CimInstance[]]@( + (New-CimInstance 
-ClassName MSFT_MicrosoftGraphdeviceHealthScriptParameter -Property @{ + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + odataType = "#microsoft.graph.deviceHealthScriptBooleanParameter" + ApplyDefaultValueWhenNotAssigned = $True + } -ClientOnly) + ) + DeviceHealthScriptType = "deviceHealthScript" + DisplayName = "FakeStringValue" + EnforceSignatureCheck = $True + Id = "FakeStringValue" + Publisher = "FakeStringValue" + RemediationScriptContent = "VGVzdA==" # "Test" + RemediationScriptParameters = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphdeviceHealthScriptParameter -Property @{ + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + odataType = "#microsoft.graph.deviceHealthScriptBooleanParameter" + ApplyDefaultValueWhenNotAssigned = $True + } -ClientOnly) + ) + RoleScopeTagIds = @("FakeStringValue") + RunAs32Bit = $True + RunAsAccount = "system" + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScript -MockWith { + return @{ + Description = "FakeStringValue" + DetectionScriptContent = [byte[]] @(84, 101, 115, 116) + DetectionScriptParameters = @( + @{ + '@odata.type' = "#microsoft.graph.deviceHealthScriptBooleanParameter" + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + ApplyDefaultValueWhenNotAssigned = $True + } + ) + DeviceHealthScriptType = "deviceHealthScript" + DisplayName = "FakeStringValue" + EnforceSignatureCheck = $True + Id = "FakeStringValue" + IsGlobalScript = $False + Publisher = "FakeStringValue" + RemediationScriptContent = [byte[]] @(84, 101, 115, 116) + RemediationScriptParameters = @( + @{ + '@odata.type' = "#microsoft.graph.deviceHealthScriptBooleanParameter" + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + 
ApplyDefaultValueWhenNotAssigned = $True + } + ) + RoleScopeTagIds = @("FakeStringValue") + RunAs32Bit = $True + RunAsAccount = "system" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Remove-MgBetaDeviceManagementDeviceHealthScript -Exactly 1 + } + } + Context -Name "The IntuneDeviceRemediation Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Description = "FakeStringValue" + DetectionScriptContent = "VGVzdA==" # "Test" + DetectionScriptParameters = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphdeviceHealthScriptParameter -Property @{ + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + odataType = "#microsoft.graph.deviceHealthScriptBooleanParameter" + ApplyDefaultValueWhenNotAssigned = $True + } -ClientOnly) + ) + DeviceHealthScriptType = "deviceHealthScript" + DisplayName = "FakeStringValue" + EnforceSignatureCheck = $True + Id = "FakeStringValue" + Publisher = "FakeStringValue" + RemediationScriptContent = "VGVzdA==" # "Test" + RemediationScriptParameters = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphdeviceHealthScriptParameter -Property @{ + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + odataType = "#microsoft.graph.deviceHealthScriptBooleanParameter" + ApplyDefaultValueWhenNotAssigned = $True + } -ClientOnly) + ) + RoleScopeTagIds = @("FakeStringValue") + RunAs32Bit = $True + RunAsAccount = "system" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScript -MockWith { + return @{ + 
Description = "FakeStringValue" + DetectionScriptContent = [byte[]] @(84, 101, 115, 116) + DetectionScriptParameters = @( + @{ + '@odata.type' = "#microsoft.graph.deviceHealthScriptBooleanParameter" + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + ApplyDefaultValueWhenNotAssigned = $True + } + ) + DeviceHealthScriptType = "deviceHealthScript" + DisplayName = "FakeStringValue" + EnforceSignatureCheck = $True + Id = "FakeStringValue" + IsGlobalScript = $False + Publisher = "FakeStringValue" + RemediationScriptContent = [byte[]] @(84, 101, 115, 116) + RemediationScriptParameters = @( + @{ + '@odata.type' = "#microsoft.graph.deviceHealthScriptBooleanParameter" + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + ApplyDefaultValueWhenNotAssigned = $True + } + ) + RoleScopeTagIds = @("FakeStringValue") + RunAs32Bit = $True + RunAsAccount = "system" + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneDeviceRemediation exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + Description = "FakeStringValue" + DetectionScriptContent = "VGVzdA==" # "Test" + DetectionScriptParameters = [CimInstance[]]@( + (New-CimInstance -ClassName MSFT_MicrosoftGraphdeviceHealthScriptParameter -Property @{ + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + odataType = "#microsoft.graph.deviceHealthScriptBooleanParameter" + ApplyDefaultValueWhenNotAssigned = $True + } -ClientOnly) + ) + DeviceHealthScriptType = "deviceHealthScript" + DisplayName = "FakeStringValue" + EnforceSignatureCheck = $True + Id = "FakeStringValue" + Publisher = "FakeStringValue" + RemediationScriptContent = "VGVzdA==" # "Test" + RemediationScriptParameters = [CimInstance[]]@( + (New-CimInstance -ClassName 
MSFT_MicrosoftGraphdeviceHealthScriptParameter -Property @{ + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + odataType = "#microsoft.graph.deviceHealthScriptBooleanParameter" + ApplyDefaultValueWhenNotAssigned = $True + } -ClientOnly) + ) + RoleScopeTagIds = @("FakeStringValue") + RunAs32Bit = $True + RunAsAccount = "system" + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScript -MockWith { + return @{ + Description = "FakeStringValue" + DetectionScriptContent = [byte[]] @(84, 101, 115, 116) + DetectionScriptParameters = @( + @{ + Name = "FakeStringValue" + '@odata.type' = "#microsoft.graph.deviceHealthScriptBooleanParameter" + Description = "FakeStringValue" + } + ) + DeviceHealthScriptType = "deviceHealthScript" + DisplayName = "FakeStringValue" + Id = "FakeStringValue" + IsGlobalScript = $False + Publisher = "FakeStringValue" + RemediationScriptContent = [byte[]] @(84, 101, 115, 116) + RemediationScriptParameters = @( + @{ + Name = "FakeStringValue" + '@odata.type' = "#microsoft.graph.deviceHealthScriptBooleanParameter" + Description = "FakeStringValue" + } + ) + RoleScopeTagIds = @("FakeStringValue") + RunAsAccount = "system" + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Update-MgBetaDeviceManagementDeviceHealthScript -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Get-MgBetaDeviceManagementDeviceHealthScript -MockWith { + return @{ + Description = 
"FakeStringValue" + DetectionScriptContent = [byte[]] @(84, 101, 115, 116) + DetectionScriptParameters = @( + @{ + '@odata.type' = "#microsoft.graph.deviceHealthScriptBooleanParameter" + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + ApplyDefaultValueWhenNotAssigned = $True + } + ) + DeviceHealthScriptType = "deviceHealthScript" + DisplayName = "FakeStringValue" + EnforceSignatureCheck = $True + Id = "FakeStringValue" + IsGlobalScript = $False + Publisher = "FakeStringValue" + RemediationScriptContent = [byte[]] @(84, 101, 115, 116) + RemediationScriptParameters = @( + @{ + '@odata.type' = "#microsoft.graph.deviceHealthScriptBooleanParameter" + DefaultValue = $True + IsRequired = $True + Description = "FakeStringValue" + Name = "FakeStringValue" + ApplyDefaultValueWhenNotAssigned = $True + } + ) + RoleScopeTagIds = @("FakeStringValue") + RunAs32Bit = $True + RunAsAccount = "system" + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.Tests.ps1 b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.Tests.ps1 new file mode 100644 index 0000000000..d6dd76dca5 --- /dev/null +++ b/Tests/Unit/Microsoft365DSC/Microsoft365DSC.IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.Tests.ps1 
@@ -0,0 +1,212 @@ +[CmdletBinding()] +param( +) +$M365DSCTestFolder = Join-Path -Path $PSScriptRoot ` + -ChildPath '..\..\Unit' ` + -Resolve +$CmdletModule = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Microsoft365.psm1' ` + -Resolve) +$GenericStubPath = (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\Stubs\Generic.psm1' ` + -Resolve) +Import-Module -Name (Join-Path -Path $M365DSCTestFolder ` + -ChildPath '\UnitTestHelper.psm1' ` + -Resolve) + +$Global:DscHelper = New-M365DscUnitTestHelper -StubModule $CmdletModule ` + -DscResource "IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10" -GenericStubModule $GenericStubPath +Describe -Name $Global:DscHelper.DescribeHeader -Fixture { + InModuleScope -ModuleName $Global:DscHelper.ModuleName -ScriptBlock { + Invoke-Command -ScriptBlock $Global:DscHelper.InitializeScript -NoNewScope + BeforeAll { + + $secpasswd = ConvertTo-SecureString (New-Guid | Out-String) -AsPlainText -Force + $Credential = New-Object System.Management.Automation.PSCredential ('tenantadmin@mydomain.com', $secpasswd) + + Mock -CommandName Confirm-M365DSCDependencies -MockWith { + } + + Mock -CommandName Get-PSSession -MockWith { + } + + Mock -CommandName Remove-PSSession -MockWith { + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + } + + Mock -CommandName Update-DeviceConfigurationPolicyAssignment -MockWith { + } + + Mock -CommandName New-M365DSCConnection -MockWith { + return "Credentials" + } + + # Mock Write-Host to hide output during the tests + Mock -CommandName Write-Host -MockWith { + } + $Script:exportedInstances =$null + $Script:ExportMode = $false + } + # Test contexts + Context -Name "The IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 should exist but it DOES NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApprovalType = 'manual' + DisplayName = 'FakeStringValue' + Description = 'FakeStringValue' + Id = 'FakeStringValue' + Ensure = "Present" + Credential = $Credential; + } + + Mock 
-CommandName Invoke-MgGraphRequest -MockWith { + @{ + value = $null + } + } + } + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Absent' + } + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + It 'Should Create the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'POST' } -Exactly 1 + } + } + + Context -Name "The IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 exists but it SHOULD NOT" -Fixture { + BeforeAll { + $testParams = @{ + ApprovalType = 'manual' + DisplayName = 'FakeStringValue' + Description = 'FakeStringValue' + Id = 'FakeStringValue' + Ensure = 'Absent' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + value = @( + @{ + ApprovalType = 'manual' + DisplayName = 'FakeStringValue' + Description = 'FakeStringValue' + Id = 'FakeStringValue' + } + ) + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should Remove the group from the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'DELETE' } -Exactly 1 + } + } + Context -Name "The IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 Exists and Values are already in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApprovalType = 'manual' + DisplayName = 'FakeStringValue' + Description = 'FakeStringValue' + Id = 'FakeStringValue' + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + value = @{ + ApprovalType = 'manual' + DisplayName = 'FakeStringValue' + Description = 
'FakeStringValue' + Id = 'FakeStringValue' + } + } + } + } + + It 'Should return true from the Test method' { + Test-TargetResource @testParams | Should -Be $true + } + } + + Context -Name "The IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 exists and values are NOT in the desired state" -Fixture { + BeforeAll { + $testParams = @{ + ApprovalType = 'manual' + DisplayName = 'FakeStringValue' + Description = 'FakeStringValue' + Id = 'FakeStringValue' + Ensure = 'Present' + Credential = $Credential; + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + value = @{ + ApprovalType = 'manual' + DisplayName = 'FakeStringValue1234' + Description = 'FakeStringValue' + Id = 'FakeStringValue' + } + } + } + } + + It 'Should return Values from the Get method' { + (Get-TargetResource @testParams).Ensure | Should -Be 'Present' + } + + It 'Should return false from the Test method' { + Test-TargetResource @testParams | Should -Be $false + } + + It 'Should call the Set method' { + Set-TargetResource @testParams + Should -Invoke -CommandName Invoke-MgGraphRequest -ParameterFilter { $Method -eq 'PATCH' } -Exactly 1 + } + } + + Context -Name 'ReverseDSC Tests' -Fixture { + BeforeAll { + $Global:CurrentModeIsExport = $true + $Global:PartialExportFileName = "$(New-Guid).partial.ps1" + $testParams = @{ + Credential = $Credential + } + + Mock -CommandName Invoke-MgGraphRequest -MockWith { + return @{ + value = @{ + ApprovalType = 'manual' + DisplayName = 'FakeStringValue' + Description = 'FakeStringValue' + Id = 'FakeStringValue' + } + } + } + } + It 'Should Reverse Engineer resource from the Export method' { + $result = Export-TargetResource @testParams + $result | Should -Not -BeNullOrEmpty + } + } + } +} + +Invoke-Command -ScriptBlock $Global:DscHelper.CleanupScript -NoNewScope diff --git a/Tests/Unit/Stubs/Microsoft365.psm1 b/Tests/Unit/Stubs/Microsoft365.psm1 index 6bad920a1a..3f9409e864 100644 --- a/Tests/Unit/Stubs/Microsoft365.psm1 
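Review bot: The removal test in the "exists but it SHOULD NOT" context asserts only `$Method -eq 'DELETE'`, so it would still pass if Set-TargetResource deleted a different driver update profile than the one in `$testParams`; the PATCH assertion in the "NOT in the desired state" context has the same gap. Because Invoke-MgGraphRequest is mocked for every call, the filter can also pin the target, for example `-ParameterFilter { $Method -eq 'DELETE' -and $Uri -like '*FakeStringValue*' }`. The URI shape is an assumption, since the resource module is not part of this hunk. In the same context the test titled 'Should return true from the Test method' asserts `$false`, and two titles still say "the group" for a driver update profile. Renaming them would make a failing run easier to read.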
+++ b/Tests/Unit/Stubs/Microsoft365.psm1 
@@ -82188,3 +82188,1434 @@ function Remove-MgBetaDirectoryRoleMemberDirectoryObjectByRef $Confirm ) } +#region MgBetaDeviceManagementScript +function Get-MgBetaDeviceManagementScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceManagementScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaDeviceManagementScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [PSObject[]] + $DeviceRunStates, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + 
$FileName, + + [Parameter()] + [PSObject[]] + $GroupAssignments, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $RunAs32Bit, + + [Parameter()] + [PSObject] + $RunAsAccount, + + [Parameter()] + [PSObject] + $RunSummary, + + [Parameter()] + [System.String] + $ScriptContentInputFile, + + [Parameter()] + [PSObject[]] + $UserRunStates, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaDeviceManagementScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceManagementScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaDeviceManagementScript +{ + [CmdletBinding()] + 
param + ( + [Parameter()] + [System.String] + $DeviceManagementScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [PSObject[]] + $DeviceRunStates, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [PSObject[]] + $GroupAssignments, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $RunAs32Bit, + + [Parameter()] + [PSObject] + $RunAsAccount, + + [Parameter()] + [PSObject] + $RunSummary, + + [Parameter()] + [System.String] + $ScriptContentInputFile, + + [Parameter()] + [PSObject[]] + $UserRunStates, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region MgBetaDeviceManagementScriptAssignment +function Get-MgBetaDeviceManagementScriptAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceManagementScriptAssignmentId, + + [Parameter()] + [System.String] + $DeviceManagementScriptId, + + [Parameter()] + [PSObject] + 
$InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +#endregion + +#region MgBetaDeviceManagementDeviceShellScript +function Get-MgBetaDeviceManagementDeviceShellScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceShellScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + 
[Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaDeviceManagementDeviceShellScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $BlockExecutionNotifications, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [PSObject[]] + $DeviceRunStates, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.TimeSpan] + $ExecutionFrequency, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [PSObject[]] + $GroupAssignments, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Int32] + $RetryCount, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [PSObject] + $RunAsAccount, + + [Parameter()] + [PSObject] + $RunSummary, + + [Parameter()] + [System.String] + $ScriptContentInputFile, + + [Parameter()] + [PSObject[]] + $UserRunStates, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + 
[Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaDeviceManagementDeviceShellScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceShellScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaDeviceManagementDeviceShellScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceShellScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $BlockExecutionNotifications, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [PSObject[]] + $DeviceRunStates, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.TimeSpan] + $ExecutionFrequency, + + [Parameter()] + [System.String] + $FileName, + + [Parameter()] + [PSObject[]] + $GroupAssignments, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Int32] + $RetryCount, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + 
+ [Parameter()] + [PSObject] + $RunAsAccount, + + [Parameter()] + [PSObject] + $RunSummary, + + [Parameter()] + [System.String] + $ScriptContentInputFile, + + [Parameter()] + [PSObject[]] + $UserRunStates, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region MgBetaDeviceManagementDeviceShellScriptAssignment +function Get-MgBetaDeviceManagementDeviceShellScriptAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceManagementScriptAssignmentId, + + [Parameter()] + [System.String] + $DeviceShellScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + 
$ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +#endregion + +#region MgBetaDeviceManagementDeviceHealthScript +function Get-MgBetaDeviceManagementDeviceHealthScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceHealthScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + $CountVariable + ) +} + +function New-MgBetaDeviceManagementDeviceHealthScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DetectionScriptContentInputFile, + + 
[Parameter()] + [PSObject[]] + $DetectionScriptParameters, + + [Parameter()] + [PSObject] + $DeviceHealthScriptType, + + [Parameter()] + [PSObject[]] + $DeviceRunStates, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + $HighestAvailableVersion, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsGlobalScript, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + $RemediationScriptContentInputFile, + + [Parameter()] + [PSObject[]] + $RemediationScriptParameters, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $RunAs32Bit, + + [Parameter()] + [PSObject] + $RunAsAccount, + + [Parameter()] + [PSObject] + $RunSummary, + + [Parameter()] + [System.String] + $Version, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Remove-MgBetaDeviceManagementDeviceHealthScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceHealthScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + 
$HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $PassThru, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +function Update-MgBetaDeviceManagementDeviceHealthScript +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceHealthScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [PSObject] + $BodyParameter, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Collections.Hashtable] + $AdditionalProperties, + + [Parameter()] + [PSObject[]] + $Assignments, + + [Parameter()] + [System.String] + $Description, + + [Parameter()] + [System.String] + $DetectionScriptContentInputFile, + + [Parameter()] + [PSObject[]] + $DetectionScriptParameters, + + [Parameter()] + [PSObject] + $DeviceHealthScriptType, + + [Parameter()] + [PSObject[]] + $DeviceRunStates, + + [Parameter()] + [System.String] + $DisplayName, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $EnforceSignatureCheck, + + [Parameter()] + [System.String] + $HighestAvailableVersion, + + [Parameter()] + [System.String] + $Id, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $IsGlobalScript, + + [Parameter()] + [System.String] + $Publisher, + + [Parameter()] + [System.String] + $RemediationScriptContentInputFile, + + [Parameter()] + [PSObject[]] + $RemediationScriptParameters, + + [Parameter()] + [System.String[]] + $RoleScopeTagIds, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $RunAs32Bit, + + [Parameter()] + [PSObject] + $RunAsAccount, + + [Parameter()] + [PSObject] + $RunSummary, + + [Parameter()] + 
[System.String] + $Version, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Confirm + ) +} + +#endregion + +#region MgBetaDeviceManagementDeviceHealthScriptAssignment +function Get-MgBetaDeviceManagementDeviceHealthScriptAssignment +{ + [CmdletBinding()] + param + ( + [Parameter()] + [System.String] + $DeviceHealthScriptAssignmentId, + + [Parameter()] + [System.String] + $DeviceHealthScriptId, + + [Parameter()] + [PSObject] + $InputObject, + + [Parameter()] + [System.String[]] + $ExpandProperty, + + [Parameter()] + [System.String[]] + $Property, + + [Parameter()] + [System.String] + $Filter, + + [Parameter()] + [System.String] + $Search, + + [Parameter()] + [System.Int32] + $Skip, + + [Parameter()] + [System.String[]] + $Sort, + + [Parameter()] + [System.Int32] + $Top, + + [Parameter()] + [System.String] + $ResponseHeadersVariable, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $Break, + + [Parameter()] + [System.Collections.IDictionary] + $Headers, + + [Parameter()] + [PSObject[]] + $HttpPipelineAppend, + + [Parameter()] + [PSObject[]] + $HttpPipelinePrepend, + + [Parameter()] + [System.Uri] + $Proxy, + + [Parameter()] + [System.Management.Automation.PSCredential] + $ProxyCredential, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $ProxyUseDefaultCredentials, + + [Parameter()] + [System.Int32] + $PageSize, + + [Parameter()] + [System.Management.Automation.SwitchParameter] + $All, + + [Parameter()] + [System.String] + 
$CountVariable + ) +} + +#endregion + diff --git a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md index 75311bc856..166950184d 100644 --- a/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md +++ b/docs/docs/resources/azure-ad/AADConditionalAccessPolicy.md @@ -47,6 +47,7 @@ | **PersistentBrowserIsEnabled** | Write | Boolean | Specifies, whether Browser Persistence is controlled by the Policy. | | | **PersistentBrowserMode** | Write | String | Specifies, what Browser Persistence control is enforced by the Policy. | `Always`, `Never`, `` | | **AuthenticationStrength** | Write | String | Name of the associated authentication strength policy. | | +| **TransferMethods** | Write | String | Names of the associated authentication flow transfer methods | | | **AuthenticationContexts** | Write | StringArray[] | Authentication context class references. | | | **Ensure** | Write | String | Specify if the Azure AD CA Policy should exist or not. | `Present`, `Absent` | | **Credential** | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | | diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md new file mode 100644 index 0000000000..022d2c4211 --- /dev/null +++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptMacOS.md 
@@ -0,0 +1,186 @@
+# IntuneDeviceConfigurationPlatformScriptMacOS
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **BlockExecutionNotifications** | Write | Boolean | Does not notify the user a script is being executed | |
+| **Description** | Write | String | Optional description for the device management script. | |
+| **DisplayName** | Required | String | Name of the device management script. | |
+| **FileName** | Write | String | The script file name. | |
+| **ExecutionFrequency** | Write | String | The interval for script to run. If not defined the script will run once | |
+| **RetryCount** | Write | UInt32 | Number of times for the script to be retried if it fails | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for this PowerShellScript instance. | |
+| **RunAsAccount** | Write | String | Indicates the type of execution context. Possible values are: system, user. | `system`, `user` |
+| **ScriptContent** | Write | String | The script content in Base64. | |
+| **Id** | Key | String | The unique identifier for an entity. Read-only. | |
+| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_DeviceManagementConfigurationPolicyAssignments
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | |
+| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | |
+
+
+## Description
+
+Intune Device Configuration Platform Script MacOS
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All, DeviceManagementManagedDevices.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceConfigurationPlatformScriptMacOS 'Example'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ }
+ );
+ Credential = $Credscredential;
+ DisplayName = "custom";
+ Ensure = "Present";
+ BlockExecutionNotifications = $False;
+ Description = "";
+ ExecutionFrequency = "00:00:00";
+ FileName = "shellscript.sh";
+ Id = "00000000-0000-0000-0000-000000000000";
+ RetryCount = 0;
+ RoleScopeTagIds = @("0");
+ RunAsAccount = "user";
+ ScriptContent = "Base64 encoded script content";
+ TenantId = $OrganizationName;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceConfigurationPlatformScriptMacOS 'Example'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ }
+ );
+ Credential = $Credscredential;
+ DisplayName = "custom";
+ Ensure = "Present";
+ BlockExecutionNotifications = $False;
+ Description = "";
+ ExecutionFrequency = "00:00:00";
+ FileName = "shellscript.sh";
+ Id = "00000000-0000-0000-0000-000000000000";
+ RetryCount = 1; # Updated property
+ RoleScopeTagIds = @("0");
+ RunAsAccount = "user";
+ ScriptContent = "Base64 encoded script content";
+ TenantId = $OrganizationName;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceConfigurationPlatformScriptMacOS 'Example'
+ {
+ Credential = $Credscredential;
+ DisplayName = "custom";
+ Ensure = "Absent";
+ Id = "00000000-0000-0000-0000-000000000000";
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptWindows.md b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptWindows.md
new file mode 100644
index 0000000000..961259c9f9
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneDeviceConfigurationPlatformScriptWindows.md
@@ -0,0 +1,180 @@
+# IntuneDeviceConfigurationPlatformScriptWindows
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Description** | Write | String | Optional description for the device management script. | |
+| **DisplayName** | Required | String | Name of the device management script. | |
+| **EnforceSignatureCheck** | Write | Boolean | Indicate whether the script signature needs be checked. | |
+| **FileName** | Write | String | The script file name. | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for this PowerShellScript instance. | |
+| **RunAs32Bit** | Write | Boolean | A value indicating whether the PowerShell script should run as 32-bit | |
+| **RunAsAccount** | Write | String | Indicates the type of execution context. Possible values are: system, user. | `system`, `user` |
+| **ScriptContent** | Write | String | The script content in Base64. | |
+| **Id** | Key | String | The unique identifier for an entity. Read-only. | |
+| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_DeviceManagementConfigurationPolicyAssignments
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | |
+| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | |
+
+
+## Description
+
+Intune Device Configuration Platform Script Windows
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+#### Application permissions
+
+- **Read**
+
+ - None
+
+- **Update**
+
+ - None
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceConfigurationPlatformScriptWindows 'Example'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ }
+ );
+ Credential = $Credscredential;
+ DisplayName = "custom";
+ Ensure = "Present";
+ EnforceSignatureCheck = $False;
+ FileName = "script.ps1";
+ Id = "00000000-0000-0000-0000-000000000000";
+ RunAs32Bit = $True;
+ RunAsAccount = "system";
+ ScriptContent = "Base64 encoded script content";
+ TenantId = $OrganizationName;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceConfigurationPlatformScriptWindows 'Example'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ }
+ );
+ Credential = $Credscredential;
+ DisplayName = "custom";
+ Ensure = "Present";
+ EnforceSignatureCheck = $False;
+ FileName = "script.ps1";
+ Id = "00000000-0000-0000-0000-000000000000";
+ RunAs32Bit = $False; # Updated property
+ RunAsAccount = "system";
+ ScriptContent = "Base64 encoded script content";
+ TenantId = $OrganizationName;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceConfigurationPlatformScriptWindows 'Example'
+ {
+ Credential = $Credscredential;
+ DisplayName = "custom";
+ Ensure = "Absent";
+ Id = "00000000-0000-0000-0000-000000000000";
+ TenantId = $OrganizationName;
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneDeviceRemediation.md b/docs/docs/resources/intune/IntuneDeviceRemediation.md
new file mode 100644
index 0000000000..ae69aa10fa
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneDeviceRemediation.md
@@ -0,0 +1,200 @@
+# IntuneDeviceRemediation
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Description** | Write | String | Description of the device health script | |
+| **DetectionScriptContent** | Write | String | The entire content of the detection powershell script | |
+| **DetectionScriptParameters** | Write | MSFT_MicrosoftGraphdeviceHealthScriptParameter[] | List of ComplexType DetectionScriptParameters objects. | |
+| **DeviceHealthScriptType** | Write | String | DeviceHealthScriptType for the script policy. Possible values are: deviceHealthScript, managedInstallerScript. | `deviceHealthScript`, `managedInstallerScript` |
+| **DisplayName** | Required | String | Name of the device health script | |
+| **EnforceSignatureCheck** | Write | Boolean | Indicate whether the script signature needs be checked | |
+| **Publisher** | Write | String | Name of the device health script publisher | |
+| **RemediationScriptContent** | Write | String | The entire content of the remediation powershell script | |
+| **RemediationScriptParameters** | Write | MSFT_MicrosoftGraphdeviceHealthScriptParameter[] | List of ComplexType RemediationScriptParameters objects. | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for the device health script | |
+| **RunAs32Bit** | Write | Boolean | Indicate whether PowerShell script(s) should run as 32-bit | |
+| **RunAsAccount** | Write | String | Indicates the type of execution context. Possible values are: system, user. | `system`, `user` |
+| **Id** | Key | String | The unique identifier for an entity. Read-only. | |
+| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+
+### MSFT_DeviceManagementConfigurationPolicyAssignments
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | |
+| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | |
+
+### MSFT_MicrosoftGraphDeviceHealthScriptParameter
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **ApplyDefaultValueWhenNotAssigned** | Write | Boolean | Whether Apply DefaultValue When Not Assigned | |
+| **Description** | Write | String | The description of the param | |
+| **IsRequired** | Write | Boolean | Whether the param is required | |
+| **Name** | Write | String | The name of the param | |
+| **DefaultValue** | Write | Boolean | The default value of boolean param | |
+| **odataType** | Write | String | The type of the entity. | `#microsoft.graph.deviceHealthScriptBooleanParameter`, `#microsoft.graph.deviceHealthScriptIntegerParameter`, `#microsoft.graph.deviceHealthScriptStringParameter` |
+
+
+## Description
+
+Intune Device Remediation
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.Read.All, DeviceManagementConfiguration.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example creates a new Device Remediation.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceRemediation 'ConfigureDeviceRemediation'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ }
+ );
+ Credential = $Credscredential
+ Description = 'Description'
+ DetectionScriptContent = "Base64 encoded script content";
+ DeviceHealthScriptType = "deviceHealthScript";
+ DisplayName = "Device remediation";
+ EnforceSignatureCheck = $False;
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ Publisher = "Some Publisher";
+ RemediationScriptContent = "Base64 encoded script content";
+ RoleScopeTagIds = @("0");
+ RunAs32Bit = $True;
+ RunAsAccount = "system";
+ TenantId = $OrganizationName;
+ }
+ }
+}
+```
+
+### Example 2
+
+This example updates a new Device Remediation.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceRemediation 'ConfigureDeviceRemediation'
+ {
+ Assignments = @(
+ MSFT_DeviceManagementConfigurationPolicyAssignments{
+ deviceAndAppManagementAssignmentFilterType = 'none'
+ dataType = '#microsoft.graph.allDevicesAssignmentTarget'
+ }
+ );
+ Credential = $Credscredential
+ Description = 'Description'
+ DetectionScriptContent = "Base64 encoded script content 2"; # Updated property
+ DeviceHealthScriptType = "deviceHealthScript";
+ DisplayName = "Device remediation";
+ EnforceSignatureCheck = $False;
+ Ensure = "Present";
+ Id = '00000000-0000-0000-0000-000000000000'
+ Publisher = "Some Publisher";
+ RemediationScriptContent = "Base64 encoded script content 2"; # Updated property
+ RoleScopeTagIds = @("0");
+ RunAs32Bit = $True;
+ RunAsAccount = "system";
+ TenantId = $OrganizationName;
+ }
+ }
+}
+```
+
+### Example 3
+
+This example removes a Device Remediation.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneDeviceRemediation 'ConfigureDeviceRemediation'
+ {
+ Id = '00000000-0000-0000-0000-000000000000'
+ DisplayName = 'Device remediation'
+ Ensure = 'Absent'
+ Credential = $Credscredential
+ }
+ }
+}
+```
+
diff --git a/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md
new file mode 100644
index 0000000000..9f0ae10108
--- /dev/null
+++ b/docs/docs/resources/intune/IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10.md
@@ -0,0 +1,158 @@
+# IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10
+
+## Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **Id** | Write | String | Id of the Intune policy. | |
+| **DisplayName** | Key | String | Display name of the Intune policy. | |
+| **Description** | Write | String | Description of the Intune policy. | |
+| **ApprovalType** | Write | String | Driver update profile approval type. For example, manual or automatic approval. Possible values are: manual, automatic. | `manual`, `automatic` |
+| **DeploymentDeferralInDays** | Write | UInt32 | Deployment deferral settings in days, only applicable when ApprovalType is set to automatic approval. | |
+| **RoleScopeTagIds** | Write | StringArray[] | List of Scope Tag IDs for the Driver Update entity. | |
+| **Assignments** | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
+| **Ensure** | Write | String | Present ensures the policy exists, absent ensures it is removed. | `Present`, `Absent` |
+| **Credential** | Write | PSCredential | Credentials of the Admin | |
+| **ApplicationId** | Write | String | Id of the Azure Active Directory application to authenticate with. | |
+| **TenantId** | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
+| **ApplicationSecret** | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
+| **CertificateThumbprint** | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
+| **ManagedIdentity** | Write | Boolean | Managed ID being used for authentication. | |
+| **AccessTokens** | Write | StringArray[] | Access token used for authentication. | |
+
+### MSFT_DeviceManagementConfigurationPolicyAssignments
+
+#### Parameters
+
+| Parameter | Attribute | DataType | Description | Allowed Values |
+| --- | --- | --- | --- | --- |
+| **dataType** | Write | String | The type of the target assignment. | `#microsoft.graph.groupAssignmentTarget`, `#microsoft.graph.allLicensedUsersAssignmentTarget`, `#microsoft.graph.allDevicesAssignmentTarget`, `#microsoft.graph.exclusionGroupAssignmentTarget`, `#microsoft.graph.configurationManagerCollectionAssignmentTarget` |
+| **deviceAndAppManagementAssignmentFilterType** | Write | String | The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. | `none`, `include`, `exclude` |
+| **deviceAndAppManagementAssignmentFilterId** | Write | String | The Id of the filter for the target assignment. | |
+| **groupId** | Write | String | The group Id that is the target of the assignment. | |
+| **groupDisplayName** | Write | String | The group Display Name that is the target of the assignment. | |
+| **collectionId** | Write | String | The collection Id that is the target of the assignment.(ConfigMgr) | |
+
+
+## Description
+
+Intune Windows Update For Business Driver Update Profile for Windows 10
+
+Please note: Once a policy is created, the `ApprovalType` cannot be changed. A new policy must be created.
+
+## Permissions
+
+### Microsoft Graph
+
+To authenticate with the Microsoft Graph API, this resource required the following permissions:
+
+#### Delegated permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All
+
+#### Application permissions
+
+- **Read**
+
+ - DeviceManagementConfiguration.Read.All
+
+- **Update**
+
+ - DeviceManagementConfiguration.ReadWrite.All
+
+## Examples
+
+### Example 1
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 'Example'
+ {
+ DisplayName = 'Driver Update Example'
+ Assignments = @()
+ Description = 'test 2'
+ approvalType = 'manual'
+ Ensure = 'Present'
+ Credential = $Credscredential
+ }
+ }
+}
+```
+
+### Example 2
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 'Example'
+ {
+ DisplayName = 'Driver Update Example'
+ Assignments = @()
+ Description = 'test 3' # Updated property
+ approvalType = 'manual'
+ Ensure = 'Present'
+ Credential = $Credscredential
+ }
+ }
+}
+```
+
+### Example 3
+
+This example is used to test new resources and showcase the usage of new resources being worked on.
+It is not meant to use as a production baseline.
+
+```powershell
+Configuration Example
+{
+ param(
+ [Parameter(Mandatory = $true)]
+ [PSCredential]
+ $Credscredential
+ )
+ Import-DscResource -ModuleName Microsoft365DSC
+
+ node localhost
+ {
+ IntuneWindowsUpdateForBusinessDriverUpdateProfileWindows10 'Example'
+ {
+ DisplayName = 'Driver Update Example'
+ Description = 'test 2'
+ Ensure = 'Absent'
+ Credential = $Credscredential
+ }
+ }
+}
+```
+