Tuesday, July 23, 2024

Using PowerShell scripts in Endpoint Manager Compliance Policies


I wrote a blog post about where you can use PowerShell scripts in Endpoint Manager here, but I didn’t mention the possibility of using them in Compliance Policies. In this blog post, I will 🙂

Preparation

Detection Script

Before you can create a Custom Compliance policy, you first need to add a PowerShell script in the Endpoint Manager admin center, in the Devices/Compliance policies/Scripts pane. This script returns a JSON-formatted response with the results of the checks you perform in your script. In the example script below there is a check whether my BIOS version is equal to or greater than a certain version, because older versions have a known security issue. For my Lenovo T14 laptop, the version installed at this moment is R1BET72W(1.41). In the script below the BIOS version number is read and returned in JSON format:

#Retrieve the BIOS information via WMI
$biosversion = Get-WmiObject -Class Win32_Bios

#Extract the version number between the parentheses of the SMBIOS string (e.g. "R1BET72W(1.41)"
#or "R1BET72W (1.41 )") and save it to $LenovoBiosVersion. A plain Split('( ')[1] would leave the
#closing parenthesis (or an empty string) in the value, which Intune cannot compare as a Version.
$LenovoBiosVersion = [regex]::Match($biosversion.SMBIOSBIOSVersion, '\(\s*([\d.]+)\s*\)').Groups[1].Value

#The key name must match the SettingName in the compliance JSON file exactly,
#otherwise Intune cannot map the result to the rule
$hash = @{ LenovoBiosVersion = $LenovoBiosVersion }
return $hash | ConvertTo-Json -Compress

The $hash variable is converted to JSON, which looks like this:

{"LenovoBiosVersion":"1.41"}

This script can be uploaded in the Scripts pane. The steps are:

  • Go to Scripts
  • Select Add
  • Select Windows 10 and later
  • Fill in the Name, Description, and Publisher fields and select Next
  • Copy the contents of the script into the Detection script pane and select Next
  • Select Create to finish the wizard.

JSON File

You also have to create a JSON file that identifies the settings and values to use in the Custom Compliance policy; for our example Lenovo BIOS check that would look like this:

{
    "Rules": [
        {
            "SettingName": "LenovoBiosVersion",
            "Operator": "GreaterEquals",
            "DataType": "Version",
            "Operand": "1.41",
            "MoreInfoUrl": "https://download.lenovo.com/pccbbs/mobiles/r1buj72w.exe",
            "RemediationStrings": [
                {
                    "Language": "en_US",
                    "Title": "BIOS Version needs to be upgraded to at least 1.41.",
                    "Description": "BIOS must be updated, Please refer to the link above"
                }
            ]
        }
    ]
}
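As an added example (not code from the original post), the following PowerShell checks a detection script's JSON output against a rules file offline, before either is uploaded to Intune. The function names, the sample SMBIOS string and the inline rules JSON are assumptions constructed for the example; the operator and data type names are the ones Intune custom compliance accepts.

```powershell
# Added example, not the post's own script: validate detection output against the rules file.
# Assumes the rules file format shown above; only Version, Int64 and String data types are handled.

function Get-LenovoBiosVersionNumber {
    param([string]$SmbiosBiosVersion)
    # Lenovo reports e.g. "R1BET72W(1.41)" or "R1BET72W (1.41 )"; keep only the number in parentheses
    $m = [regex]::Match($SmbiosBiosVersion, '\(\s*([\d.]+)\s*\)')
    if ($m.Success) { return $m.Groups[1].Value }
    return $null
}

function Test-CustomComplianceOutput {
    param(
        [Parameter(Mandatory)][string]$DetectionJson,  # what the detection script returned
        [Parameter(Mandatory)][string]$RulesJson       # contents of the compliance JSON file
    )
    $detected = $DetectionJson | ConvertFrom-Json
    $rules    = ($RulesJson | ConvertFrom-Json).Rules
    foreach ($rule in $rules) {
        # The output key must match SettingName exactly; a mismatch shows up here as Detected = $null
        $raw = $detected.($rule.SettingName)
        $ok  = $false
        if ($null -ne $raw) {
            try {
                # Intune compares typed values, so coerce both sides according to DataType
                switch ($rule.DataType) {
                    'Version' { $actual = [version]$raw; $expected = [version]$rule.Operand }
                    'Int64'   { $actual = [int64]$raw;   $expected = [int64]$rule.Operand }
                    default   { $actual = [string]$raw;  $expected = [string]$rule.Operand }
                }
                $ok = switch ($rule.Operator) {
                    'IsEquals'      { $actual -eq $expected }
                    'NotEquals'     { $actual -ne $expected }
                    'GreaterThan'   { $actual -gt $expected }
                    'GreaterEquals' { $actual -ge $expected }
                    'LessThan'      { $actual -lt $expected }
                    'LessEquals'    { $actual -le $expected }
                }
            } catch { $ok = $false }   # e.g. "1.41)" is not a valid Version
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Detected = $raw; Compliant = [bool]$ok }
    }
}

# Constructed sample input: a Lenovo SMBIOS string and a rules file matching this post
$detectionJson = @{ LenovoBiosVersion = (Get-LenovoBiosVersionNumber 'R1BET72W (1.41 )') } | ConvertTo-Json -Compress
$rulesJson = '{"Rules":[{"SettingName":"LenovoBiosVersion","Operator":"GreaterEquals","DataType":"Version","Operand":"1.41"}]}'
Test-CustomComplianceOutput -DetectionJson $detectionJson -RulesJson $rulesJson | Format-Table
```

Running it with a detection script whose key is "Version" instead of "LenovoBiosVersion" reports Detected as empty and Compliant as False, which is the most common reason a custom compliance rule never evaluates as expected.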

Azure AD Group

For our example, we need to create a Dynamic Group containing Lenovo T14 machines to use for assigning the custom Compliance Policy. Follow these steps to create one:

  • Go to Groups
  • Select New Group
  • Enter ‘Intune – Lenovo T14 devices’ as Group Name with Dynamic Device as Membership Type and select Create
  • Open the Group and select Dynamic membership rules
  • Choose Edit in the Rule Syntax and use this string to identify the Lenovo T14:
(device.deviceModel -eq "20UD001AMH")

Configuring the custom Compliance Policy

You can now add a new Compliance Policy containing custom settings by following these steps:

  • Go to Scripts
  • Select Create Policy
  • Select Windows 10 and later as Platform and select Create
  • Fill in Name and Description and choose Next
  • Select Custom Compliance, select Require and select Click to select
  • Select the script that you just created and click on Select
  • Click on Select a file and browse to the location where you saved the JSON file and select it; after selecting it, it should be displayed with the settings as you configured them (LenovoBiosVersion:
  • Select Next and configure the actions for non-compliant devices:
  • Select Next and assign the Compliance Policy to a Device group, in our example the group containing Lenovo machines on which the BIOS level must be 1.41 or higher, in this case the ‘Intune – Lenovo T14 devices’ group:
  • Select Next and Create to save the custom Compliance policy.

And you’re done: you’ve now created a custom Compliance Policy with a PowerShell detection script. This gives you more ways to determine whether your device is compliant, which is important for Conditional Access policies that have the ‘Require device to be marked as compliant’ grant control configured.

Note: More information about Custom Compliance Policies (formatting the JSON file, the script, and limitations) is available here
