Additional Script Updates

Andrew Amason
2025-05-19 15:19:36 -04:00
parent ec2b22290a
commit 9c8438d7d1
136 changed files with 1595 additions and 0 deletions


@@ -0,0 +1,12 @@
# Detection Script: Detect_BitLocker.ps1
# Check if BitLocker is enabled
$bitLockerStatus = Get-BitLockerVolume -MountPoint "C:"
if ($bitLockerStatus.ProtectionStatus -ne "On") {
Write-Output "BitLocker is not enabled on the system drive."
exit 1
} else {
Write-Output "BitLocker is enabled on the system drive."
exit 0
}
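Review bot: The check hard-codes `-MountPoint "C:"` while both messages speak of the system drive, so a device whose OS volume has a different letter is evaluated against the wrong volume or makes the cmdlet fail; `Get-BitLockerVolume -MountPoint $env:SystemDrive` avoids that. When the query itself fails, `$bitLockerStatus` is `$null`, the `-ne "On"` comparison is true and the device is reported as unencrypted, which conflates a query error with real non-compliance. Adding `-ErrorAction Stop` inside a `try`/`catch` that prints a distinct message before `exit 1` keeps the two cases apart in the logs.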


@@ -0,0 +1,6 @@
# Remediation Script: Remediate_BitLocker.ps1
# Enable BitLocker on the system drive
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
Write-Output "BitLocker has been enabled on the system drive."
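Review bot: `Enable-BitLocker` is called with `-TpmProtector` only, so the volume is encrypted without a recovery password protector and nothing is escrowed; any event that sends the volume into recovery (TPM clear, board replacement) would then leave the data unrecoverable. Add a recovery password protector and back it up to your directory before reporting success. The success line is also printed whether or not the cmdlet succeeded and no exit code is set; the same unconditional message ends the Credential Guard, Device Guard, Firewall and Secure Boot remediation scripts in this commit.

```powershell
try {
    Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -ErrorAction Stop
    Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector -ErrorAction Stop | Out-Null
    # escrow the recovery password to the directory service here, and fail if the backup fails
    Write-Output "BitLocker has been enabled on the system drive."
    exit 0
} catch {
    Write-Output "Failed to enable BitLocker: $($_.Exception.Message)"
    exit 1
}
```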


@@ -0,0 +1,12 @@
# Detection Script: Detect_CredentialGuard.ps1
# Check if Credential Guard is enabled
$credentialGuardStatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
if ($credentialGuardStatus.SecurityServicesConfigured -contains 1 -and $credentialGuardStatus.SecurityServicesRunning -contains 1) {
Write-Output "Credential Guard is enabled."
exit 0
} else {
Write-Output "Credential Guard is not enabled."
exit 1
}


@@ -0,0 +1,11 @@
# Remediation Script: Remediate_CredentialGuard.ps1
# Enable Credential Guard
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
Set-ItemProperty -Path $regKey -Name "EnableVirtualizationBasedSecurity" -Value 1
Set-ItemProperty -Path $regKey -Name "RequirePlatformSecurityFeatures" -Value 1
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"
Set-ItemProperty -Path $regKey -Name "LsaCfgFlags" -Value 1
Write-Output "Credential Guard has been enabled."
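Review bot: `LsaCfgFlags` is set to `1`, which enables Credential Guard with UEFI lock; after the next reboot the feature can no longer be switched off by reverting the registry value, which is a significant commitment for a script pushed to a whole fleet. If that is intended, document it with a comment such as `# 1 = enabled with UEFI lock (not remotely reversible); 2 = enabled without lock`, otherwise use `-Value 2`. The closing message should also say that nothing is active until the device restarts, e.g. `Write-Output "Credential Guard configured; reboot required."`.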


@@ -0,0 +1,8 @@
# Check if a specific file exists
$filePath = "C:\Company\Compliance\requiredfile.txt"
if (Test-Path $filePath) {
Write-Output "Compliance file is present."
} else {
Write-Output "Compliance file is missing."
}
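Review bot: Neither branch sets an exit code, so the script ends with 0 whether or not the file exists; the other detection scripts in this commit use `exit 1` to signal non-compliance, and without it the paired remediation would presumably never be triggered. Add `exit 0` after the "present" message and `exit 1` after the "missing" message. The registry/service detection script further down has the same gap.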


@@ -0,0 +1,14 @@
# Ensure the specific file is in place
$filePath = "C:\Company\Compliance\requiredfile.txt"
$fileContent = "This is a required compliance file."
if (-Not (Test-Path $filePath)) {
# Create the directory if it doesn't exist
$directoryPath = [System.IO.Path]::GetDirectoryName($filePath)
if (-Not (Test-Path $directoryPath)) {
New-Item -Path $directoryPath -ItemType Directory -Force | Out-Null
}
# Create the file with the required content
New-Item -Path $filePath -ItemType File -Force | Out-Null
Set-Content -Path $filePath -Value $fileContent
}
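Review bot: The marker is created under `C:\Company\Compliance` with inherited permissions and the detection script only tests that the path exists, so on a default Windows installation a standard user can likely create or alter the file and make the device look compliant. If the file is meant as a compliance signal, put it in a directory whose ACL is set explicitly to administrators and SYSTEM, and have detection compare the content as well. `New-Item -ItemType File -Force` followed by `Set-Content` is also redundant, since `Set-Content` creates the file itself.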


@@ -0,0 +1,13 @@
# Check if a specific registry key exists and a service is running
$regPath = "HKLM:\Software\MyCompany\Settings"
$regName = "ComplianceSetting"
$serviceName = "MyService"
$regExists = Test-Path "$regPath\$regName"
$serviceStatus = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($regExists -and $serviceStatus.Status -eq "Running") {
Write-Output "Compliance settings are in place."
} else {
Write-Output "Compliance settings are not in place."
}
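Review bot: `Test-Path "$regPath\$regName"` tests for a subkey named ComplianceSetting, but the remediation script writes ComplianceSetting as a value under `HKLM:\Software\MyCompany\Settings`, so `$regExists` stays false after remediation and the device is never reported compliant. Test the value instead, e.g. `$regExists = $null -ne (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue)`, and compare its data with the expected `"Enabled"`. The remediation script uses the same `Test-Path` expression in its first `if`.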


@@ -0,0 +1,17 @@
# Ensure the registry key is set and the service is running
$regPath = "HKLM:\Software\MyCompany\Settings"
$regName = "ComplianceSetting"
$regValue = "Enabled"
$serviceName = "MyService"
if (-Not (Test-Path "$regPath\$regName")) {
New-Item -Path $regPath -Force | Out-Null
New-ItemProperty -Path $regPath -Name $regName -Value $regValue -PropertyType String -Force | Out-Null
} else {
Set-ItemProperty -Path $regPath -Name $regName -Value $regValue
}
$service = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($service.Status -ne "Running") {
Start-Service -Name $serviceName
}
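Review bot: When the service is not installed, `$service` is `$null`, `$service.Status -ne "Running"` evaluates to true and `Start-Service` fails with an unhandled error; use `if ($service -and $service.Status -ne "Running")` and exit non-zero with a message when the service is missing. Separately, `New-Item -Path $regPath -Force` in the first branch is run against a key that may already exist and, as far as I can tell, can recreate it and drop other values stored there; guard it with `if (-not (Test-Path $regPath))`.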


@@ -0,0 +1,12 @@
# Detection Script: Detect_DeviceGuard.ps1
# Check if Device Guard is enabled
$deviceGuardStatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
if ($deviceGuardStatus.SecurityServicesConfigured -contains 2 -and $deviceGuardStatus.SecurityServicesRunning -contains 2) {
Write-Output "Device Guard is enabled."
exit 0
} else {
Write-Output "Device Guard is not enabled."
exit 1
}


@@ -0,0 +1,8 @@
# Remediation Script: Remediate_DeviceGuard.ps1
# Enable Device Guard
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
Set-ItemProperty -Path $regKey -Name "EnableVirtualizationBasedSecurity" -Value 1
Set-ItemProperty -Path $regKey -Name "RequirePlatformSecurityFeatures" -Value 1
Write-Output "Device Guard has been enabled."
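Review bot: The paired detection script looks for the value `2` in `SecurityServicesConfigured` and `SecurityServicesRunning`, which denotes hypervisor-enforced code integrity, but these two `Set-ItemProperty` lines only turn on virtualization-based security and never enable that service, so detection would keep failing after remediation and a reboot. The script would additionally need `Enabled` set to `1` under `HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity`. The closing message should state that a reboot is required rather than that the feature "has been enabled".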


@@ -0,0 +1,14 @@
# Detection Script: Detect_Firewall.ps1
# Check if the firewall is enabled
$firewallStatus = Get-NetFirewallProfile -Profile Domain,Public,Private
foreach ($profile in $firewallStatus) {
if ($profile.Enabled -eq $false) {
Write-Output "Firewall is disabled for profile: $($profile.Name)"
exit 1
}
}
Write-Output "Firewall is enabled for all profiles."
exit 0
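Review bot: The loop variable `$profile` shadows PowerShell's automatic `$PROFILE` variable (variable names are case-insensitive); rename it, e.g. `foreach ($fwProfile in $firewallStatus)`. The script also exits at the first disabled profile, so when several are off only one name reaches the log; collecting the disabled names and printing them together before `exit 1` gives a more useful record.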


@@ -0,0 +1,6 @@
# Remediation Script: Remediate_Firewall.ps1
# Enable the firewall for all profiles
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
Write-Output "Firewall has been enabled for all profiles."


@@ -0,0 +1,10 @@
# Detection Script: Detect_SecureBoot.ps1
# Check if Secure Boot is enabled
if (Confirm-SecureBootUEFI) {
Write-Output "Secure Boot is enabled."
exit 0
} else {
Write-Output "Secure Boot is not enabled."
exit 1
}
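Review bot: `Confirm-SecureBootUEFI` raises an error rather than returning `$false` on systems that do not boot through UEFI, and the `if` has no handling for that, so on such a device neither message is printed and the exit code is left to the host. Wrap the call, e.g. `try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $secureBoot = $false }`, and branch on `$secureBoot` so the non-UEFI case is reported as non-compliant with `exit 1`.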


@@ -0,0 +1,7 @@
# Remediation Script: Remediate_SecureBoot.ps1
# Enable Secure Boot
$regKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State"
Set-ItemProperty -Path $regKey -Name "UEFISecureBootEnabled" -Value 1
Write-Output "Secure Boot has been enabled. A system reboot is required for changes to take effect."
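Review bot: Writing `UEFISecureBootEnabled` under `SecureBoot\State` does not turn Secure Boot on; as far as I know that value only mirrors the firmware state, and Secure Boot can be enabled only in UEFI setup or through the hardware vendor's management tooling. The script therefore prints a success message for a change that did not happen, and the write, if it succeeds, can make registry-based checks report a state the firmware does not have. Replace the `Set-ItemProperty` line with an explicit failure, e.g. `Write-Output "Secure Boot must be enabled in firmware settings."` followed by `exit 1`, so the device stays flagged for manual action.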


@@ -0,0 +1,36 @@
## Device Compliance
### Get-BitLocker
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-BitLocker)
- **Detection**: Checks if BitLocker is enabled.
- **Remediation**: Enables BitLocker if it is disabled.
### Get-CredentialGuard
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-CredentialGuard)
- **Detection**: Checks if CredentialGuard is enabled.
- **Remediation**: Enables CredentialGuard if it is disabled.
### Get-CustomCompliance-Registry
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-CustomCompliance-Registry)
- **Detection**: Checks for an existing Registry File, considered required for "Compliance" in your environment.
- **Remediation**: Creates the Registry File specified if the detection cannot find the mentioned registry key.
### Get-CustomCompliance-File
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-CustomCompliance-File)
- **Detection**: Checks for an existing File in a File Path, considered required for "Compliance" in your environment.
- **Remediation**: Creates the File (and Path) specified if the detection cannot find the mentioned file.
### Get-DeviceGuard
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-DeviceGuard)
- **Detection**: Checks if DeviceGuard is enabled.
- **Remediation**: Enables DeviceGuard if it is disabled.
### Get-Firewall
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-Firewall)
- **Detection**: Checks if any Firewall profiles are disabled.
- **Remediation**: Enables the Firewall profiles if they are disabled.
### Get-SecureBoot
[Link](https://github.com/AntoPorter/Intune-Remediations/tree/main/DeviceCompliance/Get-SecureBoot)
- **Detection**: Checks if SecureBoot is enabled.
- **Remediation**: Enables SecureBoot if it is disabled. (This will require a reboot)