Additional Script Updates
This commit is contained in:
Andrew Amason
@@ -0,0 +1,12 @@
|
||||
# Detection Script: Detect_BitLocker.ps1
|
||||
|
||||
# Check if BitLocker is enabled
|
||||
$bitLockerStatus = Get-BitLockerVolume -MountPoint "C:"
|
||||
|
||||
if ($bitLockerStatus.ProtectionStatus -ne "On") {
|
||||
Write-Output "BitLocker is not enabled on the system drive."
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "BitLocker is enabled on the system drive."
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,6 @@
|
||||
# Remediation Script: Remediate_BitLocker.ps1
|
||||
|
||||
# Enable BitLocker on the system drive
|
||||
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
|
||||
|
||||
Write-Output "BitLocker has been enabled on the system drive."
|
||||
@@ -0,0 +1,12 @@
|
||||
# Detection Script: Detect_CredentialGuard.ps1
|
||||
|
||||
# Check if Credential Guard is enabled
|
||||
$credentialGuardStatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
|
||||
|
||||
if ($credentialGuardStatus.SecurityServicesConfigured -contains 1 -and $credentialGuardStatus.SecurityServicesRunning -contains 1) {
|
||||
Write-Output "Credential Guard is enabled."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Credential Guard is not enabled."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
# Remediation Script: Remediate_CredentialGuard.ps1
|
||||
|
||||
# Enable Credential Guard
|
||||
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
|
||||
Set-ItemProperty -Path $regKey -Name "EnableVirtualizationBasedSecurity" -Value 1
|
||||
Set-ItemProperty -Path $regKey -Name "RequirePlatformSecurityFeatures" -Value 1
|
||||
|
||||
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"
|
||||
Set-ItemProperty -Path $regKey -Name "LsaCfgFlags" -Value 1
|
||||
|
||||
Write-Output "Credential Guard has been enabled."
|
||||
@@ -0,0 +1,8 @@
|
||||
# Check if a specific file exists
|
||||
$filePath = "C:\Company\Compliance\requiredfile.txt"
|
||||
|
||||
if (Test-Path $filePath) {
|
||||
Write-Output "Compliance file is present."
|
||||
} else {
|
||||
Write-Output "Compliance file is missing."
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Ensure the specific file is in place
|
||||
$filePath = "C:\Company\Compliance\requiredfile.txt"
|
||||
$fileContent = "This is a required compliance file."
|
||||
|
||||
if (-Not (Test-Path $filePath)) {
|
||||
# Create the directory if it doesn't exist
|
||||
$directoryPath = [System.IO.Path]::GetDirectoryName($filePath)
|
||||
if (-Not (Test-Path $directoryPath)) {
|
||||
New-Item -Path $directoryPath -ItemType Directory -Force | Out-Null
|
||||
}
|
||||
# Create the file with the required content
|
||||
New-Item -Path $filePath -ItemType File -Force | Out-Null
|
||||
Set-Content -Path $filePath -Value $fileContent
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
# Check if a specific registry key exists and a service is running
|
||||
$regPath = "HKLM:\Software\MyCompany\Settings"
|
||||
$regName = "ComplianceSetting"
|
||||
$serviceName = "MyService"
|
||||
|
||||
$regExists = Test-Path "$regPath\$regName"
|
||||
$serviceStatus = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
|
||||
|
||||
if ($regExists -and $serviceStatus.Status -eq "Running") {
|
||||
Write-Output "Compliance settings are in place."
|
||||
} else {
|
||||
Write-Output "Compliance settings are not in place."
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
# Ensure the registry key is set and the service is running
|
||||
$regPath = "HKLM:\Software\MyCompany\Settings"
|
||||
$regName = "ComplianceSetting"
|
||||
$regValue = "Enabled"
|
||||
$serviceName = "MyService"
|
||||
|
||||
if (-Not (Test-Path "$regPath\$regName")) {
|
||||
New-Item -Path $regPath -Force | Out-Null
|
||||
New-ItemProperty -Path $regPath -Name $regName -Value $regValue -PropertyType String -Force | Out-Null
|
||||
} else {
|
||||
Set-ItemProperty -Path $regPath -Name $regName -Value $regValue
|
||||
}
|
||||
|
||||
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
|
||||
if ($service.Status -ne "Running") {
|
||||
Start-Service -Name $serviceName
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
# Detection Script: Detect_DeviceGuard.ps1
|
||||
|
||||
# Check if Device Guard is enabled
|
||||
$deviceGuardStatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
|
||||
|
||||
if ($deviceGuardStatus.SecurityServicesConfigured -contains 2 -and $deviceGuardStatus.SecurityServicesRunning -contains 2) {
|
||||
Write-Output "Device Guard is enabled."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Device Guard is not enabled."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
# Remediation Script: Remediate_DeviceGuard.ps1
|
||||
|
||||
# Enable Device Guard
|
||||
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
|
||||
Set-ItemProperty -Path $regKey -Name "EnableVirtualizationBasedSecurity" -Value 1
|
||||
Set-ItemProperty -Path $regKey -Name "RequirePlatformSecurityFeatures" -Value 1
|
||||
|
||||
Write-Output "Device Guard has been enabled."
|
||||
@@ -0,0 +1,14 @@
|
||||
# Detection Script: Detect_Firewall.ps1
|
||||
|
||||
# Check if the firewall is enabled
|
||||
$firewallStatus = Get-NetFirewallProfile -Profile Domain,Public,Private
|
||||
|
||||
foreach ($profile in $firewallStatus) {
|
||||
if ($profile.Enabled -eq $false) {
|
||||
Write-Output "Firewall is disabled for profile: $($profile.Name)"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
|
||||
Write-Output "Firewall is enabled for all profiles."
|
||||
exit 0
|
||||
@@ -0,0 +1,6 @@
|
||||
# Remediation Script: Remediate_Firewall.ps1
|
||||
|
||||
# Enable the firewall for all profiles
|
||||
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
|
||||
|
||||
Write-Output "Firewall has been enabled for all profiles."
|
||||
@@ -0,0 +1,10 @@
|
||||
# Detection Script: Detect_SecureBoot.ps1
|
||||
|
||||
# Check if Secure Boot is enabled
|
||||
if (Confirm-SecureBootUEFI) {
|
||||
Write-Output "Secure Boot is enabled."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Secure Boot is not enabled."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
# Remediation Script: Remediate_SecureBoot.ps1
|
||||
|
||||
# Enable Secure Boot
|
||||
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State"
|
||||
Set-ItemProperty -Path $regKey -Name "UEFISecureBootEnabled" -Value 1
|
||||
|
||||
Write-Output "Secure Boot has been enabled. A system reboot is required for changes to take effect."
|
||||
@@ -0,0 +1,36 @@
|
||||
## Device Compliance
|
||||
|
||||
### Get-BitLocker
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-BitLocker)
|
||||
- **Detection**: Checks if BitLocker is enabled.
|
||||
- **Remediation**: Enables BitLocker if it is disabled.
|
||||
|
||||
### Get-CredentialGuard
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-CredentialGuard)
|
||||
- **Detection**: Checks if CredentialGuard is enabled.
|
||||
- **Remediation**: Enables CredentialGuard if it is disabled.
|
||||
|
||||
### Get-CustomCompliance-Registry
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-CustomCompliance-Registry)
|
||||
- **Detection**: Checks for an existing Registry File, considered required for "Compliance" in your environment.
|
||||
- **Remediation**: Creates the Registry File specified if the detection cannot find the mentioned registry key.
|
||||
|
||||
### Get-CustomCompliance-File
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-CustomCompliance-File)
|
||||
- **Detection**: Checks for an existing File in a File Path, considered required for "Compliance" in your environment.
|
||||
- **Remediation**: Creates the File (and Path) specified if the detection cannot find the mentioned file.
|
||||
|
||||
### Get-DeviceGuard
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-DeviceGuard)
|
||||
- **Detection**: Checks if DeviceGuard is enabled.
|
||||
- **Remediation**: Enables DeviceGuard if it is disabled.
|
||||
|
||||
### Get-Firewall
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-Firewall)
|
||||
- **Detection**: Checks if any Firewall profiles are disabled.
|
||||
- **Remediation**: Enables the Firewall profiles if they are disabled.
|
||||
|
||||
### Get-SecureBoot
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-SecureBoot)
|
||||
- **Detection**: Checks if SecureBoot is enabled.
|
||||
- **Remediation**: Enables SecureBoot if it is disabled. (This will require a reboot)
|
||||
@@ -0,0 +1,9 @@
|
||||
# Check if the certificate is installed
|
||||
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=CorporateCert" }
|
||||
if ($cert) {
|
||||
Write-Output "Certificate is installed"
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Certificate is not installed"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Install the certificate
|
||||
Import-Certificate -FilePath "C:\Path\To\CorporateCert.cer" -CertStoreLocation Cert:\LocalMachine\My
|
||||
Write-Output "Certificate installed"
|
||||
@@ -0,0 +1,9 @@
|
||||
# Check if the VPN profile is configured
|
||||
$vpnProfile = Get-VpnConnection -Name "CorporateVPN" -ErrorAction SilentlyContinue
|
||||
if ($vpnProfile) {
|
||||
Write-Output "VPN is configured"
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "VPN is not configured"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Configure the VPN profile
|
||||
Add-VpnConnection -Name "CorporateVPN" -ServerAddress "vpn.corporate.com" -TunnelType "L2tp" -AuthenticationMethod "Eap" -EncryptionLevel "Required" -RememberCredential
|
||||
Write-Output "VPN configured"
|
||||
@@ -0,0 +1,10 @@
|
||||
# Check if the corporate wallpaper is set
|
||||
$wallpaperPath = "C:\Path\To\CorporateWallpaper.jpg"
|
||||
$currentWallpaper = Get-ItemProperty -Path "HKCU:\Control Panel\Desktop\" -Name Wallpaper
|
||||
if ($currentWallpaper.Wallpaper -ne $wallpaperPath) {
|
||||
Write-Output "Wallpaper needs to be set"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "Wallpaper is already set"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
# Set the corporate wallpaper
|
||||
$wallpaperPath = "C:\Path\To\CorporateWallpaper.jpg"
|
||||
Set-ItemProperty -Path "HKCU:\Control Panel\Desktop\" -Name Wallpaper -Value $wallpaperPath
|
||||
RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
|
||||
Write-Output "Wallpaper set"
|
||||
@@ -0,0 +1,16 @@
|
||||
# Detection Script: Detect_DriveMapping.ps1
|
||||
|
||||
# Define the network drive letter and path
|
||||
$driveLetter = "Z:"
|
||||
$networkPath = "\\server\share"
|
||||
|
||||
# Check if the drive is mapped
|
||||
$drive = Get-PSDrive -Name $driveLetter -ErrorAction SilentlyContinue
|
||||
|
||||
if ($null -eq $drive -or $drive.Root -ne $networkPath) {
|
||||
Write-Output "Network drive not mapped: $driveLetter"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "Network drive is mapped: $driveLetter"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Remediation Script: Remediate_DriveMapping.ps1
|
||||
|
||||
# Define the network drive letter and path
|
||||
$driveLetter = "Z:"
|
||||
$networkPath = "\\server\share"
|
||||
|
||||
# Map the network drive
|
||||
New-PSDrive -Name $driveLetter -PSProvider FileSystem -Root $networkPath -Persist
|
||||
|
||||
Write-Output "Network drive has been mapped: $driveLetter"
|
||||
@@ -0,0 +1,9 @@
|
||||
# Check DNS settings
|
||||
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object -ExpandProperty ServerAddresses
|
||||
if ($dnsServers -notcontains "8.8.8.8") {
|
||||
Write-Output "DNS settings need to be updated"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "DNS settings are correct"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Set DNS settings
|
||||
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses "8.8.8.8","8.8.4.4"
|
||||
Write-Output "DNS settings updated"
|
||||
@@ -0,0 +1,9 @@
|
||||
# Detection Script (Detect_OfficeTemplates.ps1)
|
||||
$TemplatePath = "C:\Program Files\Microsoft Office\root\Templates\1033\CompanyLetter.dotx"
|
||||
if (Test-Path -Path $TemplatePath) {
|
||||
Write-Host "Template file exists: $TemplatePath"
|
||||
exit 0
|
||||
} else {
|
||||
Write-Host "Template file not found: $TemplatePath"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Remediation Script (Remediate_OfficeTemplates.ps1)
|
||||
$SourcePath = "\\server\share\Templates\CompanyLetter.dotx"
|
||||
$DestinationPath = "C:\Program Files\Microsoft Office\root\Templates\1033\CompanyLetter.dotx"
|
||||
|
||||
if (Test-Path -Path $SourcePath) {
|
||||
Copy-Item -Path $SourcePath -Destination $DestinationPath -Force
|
||||
Write-Host "Template file copied to: $DestinationPath"
|
||||
} else {
|
||||
Write-Host "Template file not found in the central repository."
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
# Detection Script (Detect_OutlookTemplate.ps1)
|
||||
$TemplatePath = "$env:APPDATA\Microsoft\Templates\NormalEmail.dotm"
|
||||
if (Test-Path -Path $TemplatePath) {
|
||||
Write-Host "NormalEmail.dotm template exists: $TemplatePath"
|
||||
exit 0
|
||||
} else {
|
||||
Write-Host "NormalEmail.dotm template not found: $TemplatePath"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Remediation Script (Remediate_OutlookTemplate.ps1)
|
||||
$SourcePath = "\\server\share\Templates\NormalEmail.dotm"
|
||||
$DestinationPath = "$env:APPDATA\Microsoft\Templates\NormalEmail.dotm"
|
||||
|
||||
if (Test-Path -Path $SourcePath) {
|
||||
Copy-Item -Path $SourcePath -Destination $DestinationPath -Force
|
||||
Write-Host "NormalEmail.dotm template updated."
|
||||
} else {
|
||||
Write-Host "Template file not found in the central repository."
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
# Detection Script: Detect_TimeZone.ps1
|
||||
|
||||
# Define the required time zone
|
||||
$requiredTimeZone = "Pacific Standard Time"
|
||||
|
||||
# Get the current time zone
|
||||
$currentTimeZone = (Get-TimeZone).Id
|
||||
|
||||
if ($currentTimeZone -ne $requiredTimeZone) {
|
||||
Write-Output "Incorrect time zone: $currentTimeZone"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "Time zone is correct: $currentTimeZone"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
# Remediation Script: Remediate_TimeZone.ps1
|
||||
|
||||
# Define the required time zone
|
||||
$requiredTimeZone = "Pacific Standard Time"
|
||||
|
||||
# Set the time zone
|
||||
Set-TimeZone -Id $requiredTimeZone
|
||||
|
||||
Write-Output "Time zone has been set to: $requiredTimeZone"
|
||||
@@ -0,0 +1,15 @@
|
||||
# Detection Script: Detect_UAC.ps1
|
||||
|
||||
# Check if UAC is enabled
|
||||
$uacStatus = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -ErrorAction SilentlyContinue
|
||||
|
||||
if ($null -eq $uacStatus) {
|
||||
Write-Output "UAC status: NotConfigured"
|
||||
exit 1
|
||||
} elseif ($uacStatus -eq 0) {
|
||||
Write-Output "UAC status: Disabled"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "UAC status: Enabled"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
# Remediation Script: Remediate_UAC.ps1
|
||||
|
||||
# Check if UAC is enabled
|
||||
$uacStatus = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -ErrorAction SilentlyContinue
|
||||
|
||||
if ($null -eq $uacStatus -or $uacStatus -eq 0) {
|
||||
# Enable UAC
|
||||
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name 'EnableLUA' -Value 1
|
||||
Write-Output "UAC has been enabled."
|
||||
} else {
|
||||
Write-Output "UAC is already enabled."
|
||||
}
|
||||
@@ -0,0 +1,12 @@
|
||||
# Detection Script: Detect_WDAC.ps1
|
||||
|
||||
# Check if WDAC is enabled
|
||||
$wdacStatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
|
||||
|
||||
if ($wdacStatus.SecurityServicesConfigured -contains 2 -and $wdacStatus.SecurityServicesRunning -contains 2) {
|
||||
Write-Output "WDAC is enabled."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "WDAC is not enabled."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
# Remediation Script: Remediate_WDAC.ps1
|
||||
|
||||
# Define the path to the WDAC policy binary file
|
||||
$policyBinaryPath = "C:\Path\To\Your\Policy.cip"
|
||||
|
||||
# Copy the policy binary to the correct location
|
||||
$destinationFolder = "$env:windir\System32\CodeIntegrity\CIPolicies\Active\"
|
||||
Copy-Item -Path $policyBinaryPath -Destination $destinationFolder
|
||||
|
||||
# Enable WDAC policy
|
||||
Start-Process -FilePath "powershell.exe" -ArgumentList "-Command", "ciTool.exe --update-policy $policyBinaryPath" -NoNewWindow -Wait
|
||||
|
||||
Write-Output "WDAC policy has been applied. A system reboot is required for changes to take effect."
|
||||
@@ -0,0 +1,51 @@
|
||||
## Device Configuration
|
||||
|
||||
### Get-CorporateCertificate
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-CorporateCertificate)
|
||||
- **Detection**: Checks for a specific certificate is installed (requires modification based on your requirements).
|
||||
- **Remediation**: Installs the missing certificate from a file path.
|
||||
|
||||
### Get-CorporateVPN
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-CorporateVPN)
|
||||
- **Detection**: Checks for a specific VPN Connection is configured (requires modification based on your requirements).
|
||||
- **Remediation**: Configures the missing VPN Connection.
|
||||
|
||||
### Get-CustomWallpaper
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-CustomWallpaper)
|
||||
- **Detection**: Checks for a specific wallpaper is configured (requires modification based on your requirements).
|
||||
- **Remediation**: Configures the custom wallpaper.
|
||||
|
||||
### Get-DriveMapping
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-DriveMapping)
|
||||
- **Detection**: Checks for a specific mapped drive (requires modification based on your requirements).
|
||||
- **Remediation**: Maps the missing drive if it is not located.
|
||||
|
||||
### Get-LocalDNSSettings
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-LocalDNSSettings)
|
||||
- **Detection**: Checks for a specific DNS Setting on your Ethernet (requires modification based on your requirements).
|
||||
- **Remediation**: Configures the Local DNS settings if it is incorrect.
|
||||
|
||||
### Get-OfficeTemplates
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-OfficeTemplates)
|
||||
- **Detection**: Checks the Templates folder for a specific template file within Program Files repo.
|
||||
- **Remediation**: Will copy a template file from a network share to the Program Files repo.
|
||||
|
||||
### Get-OutlookTemplate
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-OutlookTemplate)
|
||||
- **Detection**: Checks the **NormalEmail.dotm** file within AppData associated to Outlook Emails.
|
||||
- **Remediation**: Will copy the **NormalEmail.dotm** file from a network share to the AppData repo.
|
||||
|
||||
### Get-TimeZone
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-TimeZone)
|
||||
- **Detection**: Checks for a specific Time Zone (requires modification based on your requirements).
|
||||
- **Remediation**: Corrects the endpoint's Time Zone if it is incorrect.
|
||||
|
||||
### Get-UAC
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-UAC)
|
||||
- **Detection**: Checks if UAC is enabled.
|
||||
- **Remediation**: Enables UAC if it is disabled.
|
||||
|
||||
### Get-WDAC
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceConfiguration/Get-WDAC)
|
||||
- **Detection**: Checks for a specific WDAC Policy (requires modification based on your requirements).
|
||||
- **Remediation**: Corrects the endpoint's WDAC Policy if it is not detected.
|
||||
@@ -0,0 +1,9 @@
|
||||
# Check for low disk space
|
||||
$freeSpace = (Get-PSDrive -Name C).Free
|
||||
if ($freeSpace -lt 10GB) {
|
||||
Write-Output "Low disk space"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "Sufficient disk space"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Perform disk cleanup
|
||||
Start-Process -FilePath "cleanmgr.exe" -ArgumentList "/sagerun:1" -Wait
|
||||
Write-Output "Disk cleanup performed"
|
||||
@@ -0,0 +1,24 @@
|
||||
# Define the inactivity threshold in days
|
||||
$inactivityThreshold = 90
|
||||
|
||||
# Get the current date
|
||||
$currentDate = Get-Date
|
||||
|
||||
# Get all user profiles on the endpoint
|
||||
$userProfiles = Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false }
|
||||
|
||||
foreach ($profile in $userProfiles) {
|
||||
# Get the last use time of the profile
|
||||
$lastUseTime = [Management.ManagementDateTimeConverter]::ToDateTime($profile.LastUseTime)
|
||||
|
||||
# Calculate the number of days since the profile was last used
|
||||
$daysInactive = ($currentDate - $lastUseTime).Days
|
||||
|
||||
if ($daysInactive -ge $inactivityThreshold) {
|
||||
# Exit with code 1 to indicate an issue was detected
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
|
||||
# Exit with code 0 to indicate no issues were detected
|
||||
exit 0
|
||||
@@ -0,0 +1,24 @@
|
||||
# Define the inactivity threshold in days
|
||||
$inactivityThreshold = 90
|
||||
|
||||
# Get the current date
|
||||
$currentDate = Get-Date
|
||||
|
||||
# Get all user profiles on the endpoint
|
||||
$userProfiles = Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false }
|
||||
|
||||
foreach ($profile in $userProfiles) {
|
||||
# Get the last use time of the profile
|
||||
$lastUseTime = [Management.ManagementDateTimeConverter]::ToDateTime($profile.LastUseTime)
|
||||
|
||||
# Calculate the number of days since the profile was last used
|
||||
$daysInactive = ($currentDate - $lastUseTime).Days
|
||||
|
||||
if ($daysInactive -ge $inactivityThreshold) {
|
||||
# Log the profile that is inactive
|
||||
Write-Output "Inactive profile detected: $($profile.LocalPath) - Last used: $lastUseTime"
|
||||
|
||||
# Optionally, remove the inactive profile
|
||||
# Remove-WmiObject -InputObject $profile
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,23 @@
|
||||
# Detection Script: Detect_InactiveUsers.ps1
|
||||
|
||||
# Define the inactivity threshold in days
|
||||
$inactivityThreshold = 90
|
||||
|
||||
# Get the current date
|
||||
$currentDate = Get-Date
|
||||
|
||||
# Get all user accounts
|
||||
$userAccounts = Get-LocalUser
|
||||
|
||||
foreach ($user in $userAccounts) {
|
||||
# Check the last logon date
|
||||
$lastLogonDate = (Get-LocalUser -Name $user.Name).LastLogon
|
||||
|
||||
if ($lastLogonDate -lt $currentDate.AddDays(-$inactivityThreshold)) {
|
||||
Write-Output "Inactive user account detected: $($user.Name)"
|
||||
exit 1
|
||||
}
|
||||
}
|
||||
|
||||
Write-Output "No inactive user accounts detected."
|
||||
exit 0
|
||||
@@ -0,0 +1,23 @@
|
||||
# Remediation Script: Remediate_InactiveUsers.ps1
|
||||
|
||||
# Define the inactivity threshold in days
|
||||
$inactivityThreshold = 90
|
||||
|
||||
# Get the current date
|
||||
$currentDate = Get-Date
|
||||
|
||||
# Get all user accounts
|
||||
$userAccounts = Get-LocalUser
|
||||
|
||||
foreach ($user in $userAccounts) {
|
||||
# Check the last logon date
|
||||
$lastLogonDate = (Get-LocalUser -Name $user.Name).LastLogon
|
||||
|
||||
if ($lastLogonDate -lt $currentDate.AddDays(-$inactivityThreshold)) {
|
||||
# Disable inactive user account
|
||||
Disable-LocalUser -Name $user.Name
|
||||
Write-Output "Disabled inactive user account: $($user.Name)"
|
||||
}
|
||||
}
|
||||
|
||||
Write-Output "Inactive user accounts have been disabled."
|
||||
@@ -0,0 +1,15 @@
|
||||
# Detection Script: Detect_LowDiskSpace.ps1
|
||||
|
||||
# Define the threshold for low disk space in GB
|
||||
$thresholdGB = 10
|
||||
|
||||
# Get the free space on the system drive
|
||||
$freeSpaceGB = [math]::Round((Get-PSDrive -Name C).Free / 1GB, 2)
|
||||
|
||||
if ($freeSpaceGB -lt $thresholdGB) {
|
||||
Write-Output "Low disk space detected: $freeSpaceGB GB free"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "Sufficient disk space: $freeSpaceGB GB free"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Remediation Script: Remediate_LowDiskSpace.ps1
|
||||
|
||||
# Clear temporary files
|
||||
$TempFolder = "$env:Temp"
|
||||
Remove-Item "$TempFolder\*" -Recurse -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Clear Windows Update cache
|
||||
$WindowsUpdateCache = "C:\Windows\SoftwareDistribution\Download"
|
||||
Remove-Item "$WindowsUpdateCache\*" -Recurse -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Clear Recycle Bin
|
||||
Clear-RecycleBin -Force -ErrorAction SilentlyContinue
|
||||
|
||||
Write-Output "Disk space cleanup completed."
|
||||
@@ -0,0 +1,24 @@
|
||||
# Detection Script: Detect_SystemPerformance.ps1
|
||||
|
||||
# Define thresholds for high usage
|
||||
$cpuThreshold = 80
|
||||
$memoryThreshold = 80
|
||||
$diskThreshold = 80
|
||||
|
||||
# Get current CPU usage
|
||||
$cpuUsage = Get-Counter '\Processor(_Total)\% Processor Time' | Select-Object -ExpandProperty CounterSamples | Select-Object -ExpandProperty CookedValue
|
||||
|
||||
# Get current memory usage
|
||||
$memoryUsage = (Get-Counter '\Memory\% Committed Bytes In Use').CounterSamples.CookedValue
|
||||
|
||||
# Get current disk usage
|
||||
$diskUsage = Get-Counter '\LogicalDisk(_Total)\% Disk Time' | Select-Object -ExpandProperty CounterSamples | Select-Object -ExpandProperty CookedValue
|
||||
|
||||
# Check if any usage exceeds the threshold
|
||||
if ($cpuUsage -gt $cpuThreshold -or $memoryUsage -gt $memoryThreshold -or $diskUsage -gt $diskThreshold) {
|
||||
Write-Output "High system resource usage detected: CPU=$cpuUsage%, Memory=$memoryUsage%, Disk=$diskUsage%"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "System resource usage is within acceptable limits: CPU=$cpuUsage%, Memory=$memoryUsage%, Disk=$diskUsage%"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,20 @@
|
||||
# Remediation Script: Remediate_SystemPerformance.ps1
|
||||
|
||||
# Clear temporary files
|
||||
$TempFolder = "$env:Temp"
|
||||
Remove-Item "$TempFolder\*" -Recurse -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Clear Windows Update cache
|
||||
$WindowsUpdateCache = "C:\Windows\SoftwareDistribution\Download"
|
||||
Remove-Item "$WindowsUpdateCache\*" -Recurse -Force -ErrorAction SilentlyContinue
|
||||
|
||||
# Optimize disk space
|
||||
Start-Process -FilePath "cleanmgr.exe" -ArgumentList "/sagerun:1" -NoNewWindow -Wait
|
||||
|
||||
# Defragment the disk (if not SSD)
|
||||
$diskType = Get-PhysicalDisk | Where-Object MediaType -eq "HDD"
|
||||
if ($diskType) {
|
||||
Optimize-Volume -DriveLetter C -Defrag -Verbose
|
||||
}
|
||||
|
||||
Write-Output "System performance optimization tasks completed."
|
||||
@@ -0,0 +1,32 @@
|
||||
# Detection Script: Detect_UserProfiles.ps1
|
||||
|
||||
# Define the size threshold in MB
|
||||
$sizeThresholdMB = 500
|
||||
|
||||
# Get all user profiles
|
||||
$userProfiles = Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false }
|
||||
|
||||
# Initialize flag for non-compliance
|
||||
$nonCompliant = $false
|
||||
|
||||
foreach ($profile in $userProfiles) {
|
||||
# Check if the profile is corrupted
|
||||
if ($profile.Status -ne 0) {
|
||||
Write-Output "Corrupted profile detected: $($profile.LocalPath)"
|
||||
$nonCompliant = $true
|
||||
}
|
||||
|
||||
# Check if the profile size exceeds the threshold
|
||||
$profileSizeMB = [math]::Round((Get-ChildItem -Path $profile.LocalPath -Recurse | Measure-Object -Property Length -Sum).Sum / 1MB, 2)
|
||||
if ($profileSizeMB -gt $sizeThresholdMB) {
|
||||
Write-Output "Profile size exceeds threshold: $($profile.LocalPath) - Size: $profileSizeMB MB"
|
||||
$nonCompliant = $true
|
||||
}
|
||||
}
|
||||
|
||||
if ($nonCompliant) {
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "All user profiles are compliant."
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,26 @@
|
||||
# Remediation Script: Remediate_UserProfiles.ps1
|
||||
|
||||
# Define the size threshold in MB
|
||||
$sizeThresholdMB = 500
|
||||
|
||||
# Get all user profiles
|
||||
$userProfiles = Get-WmiObject -Class Win32_UserProfile | Where-Object { $_.Special -eq $false }
|
||||
|
||||
foreach ($profile in $userProfiles) {
|
||||
# Check if the profile is corrupted
|
||||
if ($profile.Status -ne 0) {
|
||||
# Remove corrupted profile
|
||||
Remove-WmiObject -InputObject $profile
|
||||
Write-Output "Removed corrupted profile: $($profile.LocalPath)"
|
||||
}
|
||||
|
||||
# Check if the profile size exceeds the threshold
|
||||
$profileSizeMB = [math]::Round((Get-ChildItem -Path $profile.LocalPath -Recurse | Measure-Object -Property Length -Sum).Sum / 1MB, 2)
|
||||
if ($profileSizeMB -gt $sizeThresholdMB) {
|
||||
# Remove large profile
|
||||
Remove-WmiObject -InputObject $profile
|
||||
Write-Output "Removed large profile: $($profile.LocalPath) - Size: $profileSizeMB MB"
|
||||
}
|
||||
}
|
||||
|
||||
Write-Output "User profile remediation tasks completed."
|
||||
@@ -0,0 +1,31 @@
|
||||
## Device Performance
|
||||
|
||||
### Get-DiskCleanup
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DevicePerformance/Get-DiskCleanup)
|
||||
- **Detection**: Checks for low disk space on C: (requires modification based on your requirements).
|
||||
- **Remediation**: Performs Disk Cleanup if low disk space is detected.
|
||||
|
||||
### Get-InactiveUsers-EntraID
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DevicePerformance/Get-InactiveUsers-EntraID)
|
||||
- **Detection**: Checks for all inactive profiles (Including Entra ID) based on a specified time period (requires modification based on your requirements).
|
||||
- **Remediation**: Removes inactive profiles if detected.
|
||||
|
||||
### Get-InactiveUsers-Local
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DevicePerformance/Get-InactiveUsers-Local)
|
||||
- **Detection**: Checks for any local inactive profiles based on a specified time period (requires modification based on your requirements).
|
||||
- **Remediation**: Removes inactive profiles if detected.
|
||||
|
||||
### Get-LowDiskSpace
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DevicePerformance/Get-LowDiskSpace)
|
||||
- **Detection**: Checks for low disk space on C: (requires modification based on your requirements).
|
||||
- **Remediation**: Clears notable Temp locations if low disk space is detected.
|
||||
|
||||
### Get-SystemPerformance
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DevicePerformance/Get-SystemPerformance)
|
||||
- **Detection**: Checks the % usage of CPU/Memory/Disk (requires modification based on your requirements).
|
||||
- **Remediation**: Clears notable Temp locations and performs optimization tasks if usage is above the specified threshold.
|
||||
|
||||
### Get-UserProfiles
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DevicePerformance/Get-UserProfiles)
|
||||
- **Detection**: Checks for large user profile sizes (requires modification based on your requirements).
|
||||
- **Remediation**: Clears notable Temp locations if large profiles are detected. Also reports and clears corrupted profiles as required.
|
||||
@@ -0,0 +1,10 @@
|
||||
# Check if cloud-delivered protection is enabled
|
||||
$cloudProtection = Get-MpPreference | Select-Object -ExpandProperty MAPSReporting
|
||||
|
||||
if ($cloudProtection -ne 0) {
|
||||
Write-Output "Cloud-delivered protection is enabled."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Cloud-delivered protection is disabled."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Enable cloud-delivered protection
|
||||
Set-MpPreference -MAPSReporting Advanced
|
||||
exit 0
|
||||
@@ -0,0 +1,10 @@
|
||||
# Check if exploit protection settings are applied
|
||||
$exploitProtection = Get-MpPreference | Select-Object -ExpandProperty ExploitProtection
|
||||
|
||||
if ($exploitProtection) {
|
||||
Write-Output "Exploit protection settings are applied."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Exploit protection settings are not applied."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Apply recommended exploit protection settings
|
||||
Add-MpPreference -ExploitProtectionSettings "Recommended"
|
||||
exit 0
|
||||
@@ -0,0 +1,10 @@
|
||||
# Check if network protection is enabled
|
||||
$networkProtection = Get-MpPreference | Select-Object -ExpandProperty EnableNetworkProtection
|
||||
|
||||
if ($networkProtection -eq 1) {
|
||||
Write-Output "Network protection is enabled."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Network protection is disabled."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Enable network protection
|
||||
Set-MpPreference -EnableNetworkProtection Enabled
|
||||
exit 0
|
||||
@@ -0,0 +1,7 @@
|
||||
if((Get-MpPreference).PUAProtection -eq 1) {
|
||||
Write-Output "Device Compliant"
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Device Non-Compliant"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
try {
|
||||
Set-MpPreference -PUAProtection Enabled
|
||||
Write-Output "Device Remediated"
|
||||
exit 0
|
||||
}
|
||||
catch {
|
||||
Write-Output "Remediation Failed"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
# Detection Script: Detect_Malware.ps1
|
||||
|
||||
# Perform a quick scan using Microsoft Defender
|
||||
Start-MpScan -ScanType QuickScan
|
||||
|
||||
# Check the scan results
|
||||
$scanResults = Get-MpThreatDetection
|
||||
|
||||
if ($scanResults) {
|
||||
Write-Output "Malware detected: $($scanResults.ThreatName)"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "No malware detected."
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
# Remediation Script: Remediate_Malware.ps1
|
||||
|
||||
# Perform a full scan using Microsoft Defender
|
||||
Start-MpScan -ScanType FullScan
|
||||
|
||||
# Check the scan results
|
||||
$scanResults = Get-MpThreatDetection
|
||||
|
||||
if ($scanResults) {
|
||||
# Remove detected malware
|
||||
Remove-MpThreat -ThreatID $scanResults.ThreatID
|
||||
Write-Output "Malware removed: $($scanResults.ThreatName)"
|
||||
} else {
|
||||
Write-Output "No malware detected."
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
if((Get-MpComputerStatus).BehaviorMonitorEnabled -eq "True") {
|
||||
Write-Output "Device Compliant"
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Device Non-Compliant"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
try {
|
||||
Set-MpPreference -DisableBehaviorMonitoring $false
|
||||
Write-Output "Device Remediated"
|
||||
exit 0
|
||||
}
|
||||
catch {
|
||||
Write-Output "Remediation Failed"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
|
||||
if((Get-MpComputerStatus).RealTimeProtectionEnabled -eq "True") {
|
||||
Write-Output "Device Compliant"
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Device Non-Compliant"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
try {
|
||||
Set-MpPreference -DisableRealtimeMonitoring $false
|
||||
Write-Output "Device Remediated"
|
||||
exit 0
|
||||
}
|
||||
catch {
|
||||
Write-Output "Remediation Failed"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Check if scheduled scans are configured
|
||||
$scanSchedule = Get-MpPreference | Select-Object -ExpandProperty ScanScheduleQuickScanTime
|
||||
|
||||
if ($scanSchedule) {
|
||||
Write-Output "Scheduled scans are configured."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Scheduled scans are not configured."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
# Schedule quick scans daily and full scans weekly
|
||||
Set-MpPreference -ScanScheduleQuickScanTime (Get-Date).AddDays(1).TimeOfDay
|
||||
Set-MpPreference -ScanScheduleFullScanTime (Get-Date).AddDays(7).TimeOfDay
|
||||
exit 0
|
||||
@@ -0,0 +1,10 @@
|
||||
# Check if security intelligence updates are up-to-date
|
||||
$lastUpdate = Get-MpComputerStatus | Select-Object -ExpandProperty AntivirusSignatureLastUpdated
|
||||
|
||||
if ($lastUpdate -lt (Get-Date).AddDays(-1)) {
|
||||
Write-Output "Security intelligence updates are outdated."
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "Security intelligence updates are up-to-date."
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Update security intelligence
|
||||
Update-MpSignature
|
||||
exit 0
|
||||
@@ -0,0 +1,10 @@
|
||||
# Check if tamper protection is enabled
|
||||
$tamperProtection = Get-MpPreference | Select-Object -ExpandProperty DisableTamperProtection
|
||||
|
||||
if ($tamperProtection -eq $false) {
|
||||
Write-Output "Tamper protection is enabled."
|
||||
exit 0
|
||||
} else {
|
||||
Write-Output "Tamper protection is disabled."
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,3 @@
|
||||
# Enable tamper protection
|
||||
Set-MpPreference -DisableTamperProtection $false
|
||||
exit 0
|
||||
@@ -0,0 +1,51 @@
|
||||
## Microsoft Defender AV
|
||||
|
||||
### Get-CloudDeliveredProtection
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-CloudDeliveredProtection)
|
||||
- **Detection**: Checks if Cloud-Delivered Protection is enabled.
|
||||
- **Remediation**: Enables Cloud-Delivered Protection if it is disabled.
|
||||
|
||||
### Get-ExploitProtection
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-ExploitProtection)
|
||||
- **Detection**: Checks if Exploit Protection is enabled.
|
||||
- **Remediation**: Enables Exploit Protection if it is disabled.
|
||||
|
||||
### Get-NetworkProtection
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-NetworkProtection)
|
||||
- **Detection**: Checks if Network Protection is enabled.
|
||||
- **Remediation**: Enables Network Protection if it is disabled.
|
||||
|
||||
### Get-PUAProtection
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-PUAProtection)
|
||||
- **Detection**: Checks if PUA Protection is enabled.
|
||||
- **Remediation**: Enables PUA Protection if it is disabled.
|
||||
|
||||
### Get-QuickScan
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-QuickScan)
|
||||
- **Detection**: Performs a Quick Scan via Defender AV on the endpoint.
|
||||
- **Remediation**: Performs a Full Scan if malware is detected during the Quick Scan.
|
||||
|
||||
### Get-RealTimeBehaviour
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-RealTimeBehaviour)
|
||||
- **Detection**: Checks if Real Time Behaviour is enabled.
|
||||
- **Remediation**: Enables Real Time Behaviour if it is disabled.
|
||||
|
||||
### Get-RealTimeProtection
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-RealTimeProtection)
|
||||
- **Detection**: Checks if Real Time Protection is enabled.
|
||||
- **Remediation**: Enables Real Time Protection if it is disabled.
|
||||
|
||||
### Get-ScheduledScan
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-ScheduledScan)
|
||||
- **Detection**: Checks if a Scheduled AV Scan is present on the Endpoint.
|
||||
- **Remediation**: Configures a Daily Quick Scan and Weekly Full Scan if no scan is present on the Endpoint.
|
||||
|
||||
### Get-SecurityIntelligenceUpdates
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-SecurityIntelligenceUpdates)
|
||||
- **Detection**: Checks if Security Intelligence Updates are current on the Endpoint.
|
||||
- **Remediation**: Runs a Security Intelligence Updates if the device is found not to be running a recent version of Security Intelligence Updates.
|
||||
|
||||
### Get-TamperProtection
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/MicrosoftDefenderAV/Get-TamperProtection)
|
||||
- **Detection**: Checks if Tamper Protection is enabled.
|
||||
- **Remediation**: Enables Tamper Protection if it is disabled.
|
||||
@@ -0,0 +1,20 @@
|
||||
##Enter the path to the registry key
|
||||
$regpath = "HKCU:\Software\Policies\Microsoft\Windows\WindowsAI"
|
||||
##Enter the name of the registry key
|
||||
$regname = "DisableAIDataAnalysis"
|
||||
##Enter the value of the registry key
|
||||
$regvalue = "1"
|
||||
|
||||
Try {
|
||||
$Registry = Get-ItemProperty -Path $regpath -Name $regname -ErrorAction Stop | Select-Object -ExpandProperty $regname
|
||||
If ($Registry -eq $regvalue){
|
||||
Write-Output "Compliant"
|
||||
Exit 0
|
||||
}
|
||||
Write-Warning "Not Compliant"
|
||||
Exit 1
|
||||
}
|
||||
Catch {
|
||||
Write-Output "RegKey Not Found, Compliant"
|
||||
Exit 0
|
||||
}
|
||||
@@ -0,0 +1,20 @@
|
||||
##Enter the path to the registry key
|
||||
$regpath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WindowsAI"
|
||||
##Enter the name of the registry key
|
||||
$regname = "DisableAIDataAnalysis"
|
||||
##Enter the value of the registry key
|
||||
$regvalue = "1"
|
||||
|
||||
Try {
|
||||
$Registry = Get-ItemProperty -Path $regpath -Name $regname -ErrorAction Stop | Select-Object -ExpandProperty $regname
|
||||
If ($Registry -eq $regvalue){
|
||||
Write-Output "Compliant"
|
||||
Exit 0
|
||||
}
|
||||
Write-Warning "Not Compliant"
|
||||
Exit 1
|
||||
}
|
||||
Catch {
|
||||
Write-Output "RegKey Not Found, Compliant"
|
||||
Exit 0
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
##Enter the path to the registry key
|
||||
$regpath = "HKCU:\Software\Policies\Microsoft\Windows\WindowsAI"
|
||||
##Enter the name of the registry key
|
||||
$regname = "DisableAIDataAnalysis"
|
||||
##Enter the value of the registry key
|
||||
$regvalue = "1"
|
||||
##Enter the type of the registry key
|
||||
$regtype = "DWord"
|
||||
|
||||
New-ItemProperty -Path $regpath -Name $regname -Value $regvalue -PropertyType $regtype -Force
|
||||
@@ -0,0 +1,10 @@
|
||||
##Enter the path to the registry key
|
||||
$regpath = "HKLM:\SOFTWARE\Microsoft\PolicyManager\default\WindowsAI"
|
||||
##Enter the name of the registry key
|
||||
$regname = "DisableAIDataAnalysis"
|
||||
##Enter the value of the registry key
|
||||
$regvalue = "1"
|
||||
##Enter the type of the registry key
|
||||
$regtype = "DWord"
|
||||
|
||||
New-ItemProperty -Path $regpath -Name $regname -Value $regvalue -PropertyType $regtype -Force
|
||||
@@ -0,0 +1,3 @@
|
||||
# (Detect_CustomScript.ps1)
|
||||
|
||||
exit 1
|
||||
@@ -0,0 +1,2 @@
|
||||
# (Remediate_CustomScript.ps1)
|
||||
# Enter your script contents here
|
||||
@@ -0,0 +1,11 @@
|
||||
# (Detect_GenericRegistryChange.ps1)
|
||||
# Detect if the registry key exists
|
||||
|
||||
$RegistryPath = "HKLM:\SOFTWARE\Microsoft\IntuneManagementExtension\SideCarPolicies\Scripts"
|
||||
if (Test-Path -Path $RegistryPath) {
|
||||
Write-Host "Registry key exists: $RegistryPath"
|
||||
exit 0
|
||||
} else {
|
||||
Write-Host "Registry key not found: $RegistryPath"
|
||||
exit 1
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
# (Remediate_GenericRegistryChange.ps1)
|
||||
# Modify a registry value
|
||||
|
||||
Set-ItemProperty -Path "HKLM:\Software\MyApp" -Name "MySetting" -Value "NewValue"
|
||||
@@ -0,0 +1,3 @@
|
||||
# (Detect_GenericRestartService.ps1)
|
||||
|
||||
exit 1
|
||||
@@ -0,0 +1,4 @@
|
||||
# (Remediate_GenericRestartService.ps1)
|
||||
# Restart a service
|
||||
|
||||
Restart-Service -Name "wuauserv"
|
||||
@@ -0,0 +1,4 @@
|
||||
if (Test-Path C:\Windows\SoftwareDistribution.old)
|
||||
{exit 0}
|
||||
else
|
||||
{exit 1}
|
||||
@@ -0,0 +1,3 @@
|
||||
Get-Service -Name wuauserv | Stop-Service
|
||||
Rename-Item -Path C:\Windows\SoftwareDistribution -NewName SoftwareDistribution.old
|
||||
Get-Service -Name wuauserv | Start-Service
|
||||
@@ -0,0 +1,7 @@
|
||||
if (Test-Path C:\Windows\SoftwareDistribution.old)
|
||||
{Write-Output "Folder Exist"
|
||||
exit 1
|
||||
} else {
|
||||
Write-Output "Folder Doesnt Exists"
|
||||
exit 0
|
||||
}
|
||||
@@ -0,0 +1 @@
|
||||
Remove-Item -Path C:\Windows\SoftwareDistribution.old
|
||||
@@ -0,0 +1,27 @@
|
||||
## Miscellaneous
|
||||
|
||||
### Disable-WindowsAI-Registry
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/Miscellaneous/Disable-WindowsAI-Registry)
|
||||
- **Detection**: Checks the registry keys used by Windows AI.
|
||||
- **Remediation**: Disables the registry keys if they are enabled.
|
||||
|
||||
### Get-CustomScript
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/Miscellaneous/Get-CustomScript)
|
||||
- **Detection**: Includes only 'Exit 1', which will automatically run the Remediation Script.
|
||||
- **Remediation**: Include the contents of your PowerShell Script you wish to run on a schedule.
|
||||
|
||||
### Get-GenericRegistryChange
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/Miscellaneous/Get-GenericRegistryChange)
|
||||
- **Detection**: Checks for a specified registry key in the environment.
|
||||
- **Remediation**: If the registry key is not found, creates the registry key.
|
||||
|
||||
### Get-GenericRestartService
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/Miscellaneous/Get-GenericRestartService)
|
||||
- **Detection**: Includes only 'Exit 1', which will automatically run the Remediation Script.
|
||||
- **Remediation**: Will restart the specified service. Example include '**wuauserv**'.
|
||||
|
||||
### Get-SoftwareDistributionFolder and Get-SoftwareDistributionFolderPT2
|
||||
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/Miscellaneous/Get-SoftwareDistributionFolder)
|
||||
[Link - PT2](https://github.com/AntoPorter/Intune-Remediations/tree/main/Miscellaneous/Get-SoftwareDistributionFolderPT2)
|
||||
- **Part 1**: Resets the device's SoftwareDistribution folder by stopping the WUAUSERV service, renaming the 'C:\Windows\SoftwareDistribution' folder to "SoftwareDistribution.old," and then starting the service.
|
||||
- **Part 2**: Deletes the 'C:\Windows\SoftwareDistribution.old' folder as a cleanup step following the successful deployment of 'Reset-SoftwareDistributionFolder.'
|
||||
@@ -0,0 +1,12 @@
|
||||
# Check BitLocker encryption status
|
||||
$bitLockerStatus = Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, EncryptionPercentage
|
||||
|
||||
# Output the BitLocker encryption status
|
||||
# Write-Output $bitLockerStatus
|
||||
|
||||
$csvPath = "C:\temp\BitLockerStatus.csv"
|
||||
|
||||
$bitLockerStatus | Export-Csv -Path $csvPath -NoTypeInformation
|
||||
Write-Output "BitLocker status exported to $csvPath"
|
||||
|
||||
Exit 0
|
||||
@@ -0,0 +1 @@
|
||||
## Remediation Script for Report
|
||||
@@ -0,0 +1,12 @@
|
||||
# Check for certificates nearing expiry
|
||||
$certificates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } | Select-Object Subject, NotAfter
|
||||
|
||||
# Output the certificates nearing expiry
|
||||
# Write-Output $certificates
|
||||
|
||||
$csvPath = "C:\temp\CertificateExpiryStatus.csv"
|
||||
|
||||
$certificates | Export-Csv -Path $csvPath -NoTypeInformation
|
||||
Write-Output "Certificate Expiry status exported to $csvPath"
|
||||
|
||||
Exit 0
|
||||
@@ -0,0 +1 @@
|
||||
## Remediation Script for Report
|
||||
@@ -0,0 +1,12 @@
|
||||
# Check disk space usage
|
||||
$diskSpace = Get-PSDrive -PSProvider FileSystem | Select-Object Name, @{Name="Used(GB)";Expression={[math]::round($_.Used/1GB,2)}}, @{Name="Free(GB)";Expression={[math]::round($_.Free/1GB,2)}}
|
||||
|
||||
# Output the disk space usage
|
||||
# Write-Output $diskSpace
|
||||
|
||||
$csvPath = "C:\temp\DiskSpaceStatus.csv"
|
||||
|
||||
$diskSpace | Export-Csv -Path $csvPath -NoTypeInformation
|
||||
Write-Output "Disk Space status exported to $csvPath"
|
||||
|
||||
Exit 0
|
||||
@@ -0,0 +1 @@
|
||||
## Remediation Script for Report
|
||||
@@ -0,0 +1,12 @@
|
||||
# Check endpoint protection status
|
||||
$protectionStatus = Get-MpComputerStatus | Select-Object AMServiceEnabled, AMServiceVersion, AntivirusEnabled, AntivirusSignatureLastUpdated
|
||||
|
||||
# Output the endpoint protection status
|
||||
# Write-Output $protectionStatus
|
||||
|
||||
$csvPath = "C:\temp\EndpointProtectionStatus.csv"
|
||||
|
||||
$protectionStatus | Export-Csv -Path $csvPath -NoTypeInformation
|
||||
Write-Output "Endpoint Protection status exported to $csvPath"
|
||||
|
||||
Exit 0
|
||||
@@ -0,0 +1 @@
|
||||
## Remediation Script for Report
|
||||
@@ -0,0 +1,12 @@
|
||||
# Check for errors in the event log
|
||||
$eventErrors = Get-EventLog -LogName System -EntryType Error -Newest 100 | Select-Object TimeGenerated, Source, EventID, Message
|
||||
|
||||
# Output the event log errors
|
||||
# Write-Output $eventErrors
|
||||
|
||||
$csvPath = "C:\temp\EventLogErrorStatus.csv"
|
||||
|
||||
$eventErrors | Export-Csv -Path $csvPath -NoTypeInformation
|
||||
Write-Output "Event Log Error status exported to $csvPath"
|
||||
|
||||
Exit 0
|
||||
@@ -0,0 +1 @@
|
||||
## Remediation Script for Report
|
||||
@@ -0,0 +1,12 @@
|
||||
# Check Windows Firewall status
|
||||
$firewallStatus = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
|
||||
|
||||
# Output the Firewall status
|
||||
# Write-Output $firewallStatus
|
||||
|
||||
$csvPath = "C:\temp\FirewallProfileStatus.csv"
|
||||
|
||||
$firewallStatus | Export-Csv -Path $csvPath -NoTypeInformation
|
||||
Write-Output "Firewall Profile status exported to $csvPath"
|
||||
|
||||
Exit 0
|
||||
@@ -0,0 +1 @@
|
||||
## Remediation Script for Report
|
||||
@@ -0,0 +1,12 @@
|
||||
# Check local administrators group membership
|
||||
$localAdmins = Get-LocalGroupMember -Group "Administrators" | Select-Object Name, PrincipalSource
|
||||
|
||||
# Output the local administrators group membership
|
||||
# Write-Output $localAdmins
|
||||
|
||||
$csvPath = "C:\temp\LocalAdminGroupStatus.csv"
|
||||
|
||||
$localAdmins | Export-Csv -Path $csvPath -NoTypeInformation
|
||||
Write-Output "Local Admin Group status exported to $csvPath"
|
||||
|
||||
Exit 0
|
||||
@@ -0,0 +1 @@
|
||||
## Remediation Script for Report
|
||||
@@ -0,0 +1,10 @@
|
||||
# Check for pending reboot
|
||||
$pendingReboot = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending" -ErrorAction SilentlyContinue
|
||||
|
||||
if ($pendingReboot) {
|
||||
Write-Output "Reboot is pending."
|
||||
} else {
|
||||
Write-Output "No reboot pending."
|
||||
}
|
||||
|
||||
Exit 0
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user