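<#
.SYNOPSIS
    Deploys ALL NLBaseline components to Intune - EVERYTHING!

.DESCRIPTION
    Imports ALL baseline components, CIS Benchmark, and ALL other NLBaseline
    policies to Intune. This is a comprehensive deployment that includes
    EVERYTHING:
    - All 16 baseline components (including SMBSigning)
    - CIS Benchmark (all levels and categories)
    - Endpoint Security policies
    - Update Rings
    - Compliance Policies (Windows, iOS, macOS, Android)
    - ASR Policy
    - Exploit Protection
    - Event Viewer Custom Views
    - Country IP Blocking
    - Winget AutoUpdate
    - App Protection Policies
    - Microsoft Security Baseline
    - Microsoft 365 Apps Baseline
    - Edge Security Baseline
    - Optional Windows Features
    - Audit Policies
    - Certificate Checking
    - And more!

    Each section runs in its own try/catch so one failing import does not stop
    the remaining sections. A section whose importers raised errors
    (terminating or non-terminating) is listed under "Failed" in the summary
    rather than "Deployed", so a partially applied baseline is never reported
    as a clean success.

    When none of the Include* switches is given, every section is deployed
    (this is how the menu's "Deploy All Components" option calls this
    function). When one or more Include* switches are given, only the selected
    sections run.

.PARAMETER IncludeCIS
    Include CIS Benchmark deployment (default: true when no Include* switch is given).

.PARAMETER IncludeBaseline
    Include baseline components deployment (default: true when no Include* switch is given).

.PARAMETER IncludeEndpointSecurity
    Include Endpoint Security policies (default: true when no Include* switch is given).

.PARAMETER IncludeCompliance
    Include Compliance policies (default: true when no Include* switch is given).

.PARAMETER IncludeOther
    Include other policies (App Protection, ASR, Exploit Protection, etc.)
    (default: true when no Include* switch is given).

.PARAMETER DryRun
    Validate and show what would be deployed without actually deploying.
    Invokes each Import-* with -DryRun, using the same arguments as a real run.

.PARAMETER ComplianceStrict
    Use strict compliance: ELAM and VBS/HVCI. Some devices may be incompatible.

.EXAMPLE
    Deploy-AllNLBaselineToIntune -DryRun

.EXAMPLE
    Deploy-AllNLBaselineToIntune -ComplianceStrict

.OUTPUTS
    None. Progress and the summary go to the host; per-section failures are
    written with Write-Warning.
#>
function Deploy-AllNLBaselineToIntune {
    [CmdletBinding()]
    param(
        [switch]$IncludeCIS,
        [switch]$IncludeBaseline,
        [switch]$IncludeEndpointSecurity,
        [switch]$IncludeCompliance,
        [switch]$IncludeOther,
        [switch]$DryRun,
        [switch]$ComplianceStrict
    )

    # A [switch] is $false unless passed, but the documented default is
    # "everything". Honour an explicit selection; with no Include* switch at all
    # (menu option 1, "Deploy All Components") enable every section.
    $selectionSwitches = @('IncludeCIS', 'IncludeBaseline', 'IncludeEndpointSecurity', 'IncludeCompliance', 'IncludeOther')
    $explicitSelection = $false
    foreach ($switchName in $selectionSwitches) {
        if ($PSBoundParameters.ContainsKey($switchName)) { $explicitSelection = $true }
    }
    if (-not $explicitSelection) {
        $IncludeCIS = $true
        $IncludeBaseline = $true
        $IncludeEndpointSecurity = $true
        $IncludeCompliance = $true
        $IncludeOther = $true
    }

    # "Continue" so one rejected policy inside an Import-* does not abort the
    # rest of that section; Invoke-Step below still detects those
    # non-terminating errors and marks the section as failed.
    $ErrorActionPreference = "Continue"

    Write-Host "`n=== DEPLOY ALL NLBASELINE TO INTUNE ===" -ForegroundColor Cyan
    Write-Host "`nDeployment Options:" -ForegroundColor Yellow
    Write-Host " CIS Benchmark: $IncludeCIS" -ForegroundColor White
    Write-Host " Baseline Components: $IncludeBaseline" -ForegroundColor White
    Write-Host " Endpoint Security: $IncludeEndpointSecurity" -ForegroundColor White
    Write-Host " Compliance Policies: $IncludeCompliance" -ForegroundColor White
    Write-Host " App Protection Policies: $IncludeOther" -ForegroundColor White
    Write-Host " Other Policies: $IncludeOther" -ForegroundColor White
    Write-Host " Dry Run: $DryRun" -ForegroundColor White
    Write-Host " Compliance Strict (ELAM/VBS): $ComplianceStrict" -ForegroundColor White
    if ($DryRun) {
        Write-Host "`n[DryRun] Invoking each Import-* -DryRun to validate" -ForegroundColor Cyan
    }

    # List objects rather than arrays: the nested helper mutates them in place,
    # whereas '+=' inside the helper would silently create a new local variable.
    $deployed = New-Object System.Collections.Generic.List[string]
    $failed = New-Object System.Collections.Generic.List[string]
    $totalSteps = 7

    #######################################
    # Runs one deployment section and records its outcome.
    # Arguments: $Number - step number shown as [N/total]
    #            $Label  - section name used in messages and the summary
    #            $Action - script block performing the imports
    # A terminating error is caught and recorded. Non-terminating errors
    # written by the importers are detected by comparing $Error.Count before
    # and after the action, so the section is not reported as deployed.
    #######################################
    function Invoke-Step {
        param([int]$Number, [string]$Label, [scriptblock]$Action)

        Write-Host "`n[$Number/$totalSteps] Deploying $Label..." -ForegroundColor Yellow
        $errorsBefore = $Error.Count
        try {
            & $Action
            $newErrors = $Error.Count - $errorsBefore
            if ($newErrors -gt 0) {
                Write-Warning "$Label completed with $newErrors error(s); see `$Error for details"
                $failed.Add($Label)
            } else {
                $deployed.Add($Label)
            }
        } catch {
            Write-Warning "Failed to deploy ${Label}: $_"
            $failed.Add($Label)
        }
    }

    # 1. Baseline Components
    if ($IncludeBaseline) {
        Invoke-Step 1 'Baseline Components' { Import-NLBaselineToIntune -DryRun:$DryRun }
    }

    # 2. CIS Benchmark
    if ($IncludeCIS) {
        Invoke-Step 2 'CIS Benchmark' { Import-CISBenchmarkToIntune -Level All -Category All -DryRun:$DryRun }
    }

    # 3. Endpoint Security
    if ($IncludeEndpointSecurity) {
        Invoke-Step 3 'Endpoint Security' { Import-EndpointSecurityToIntune -DryRun:$DryRun }
    }

    # 4. Compliance Policies
    if ($IncludeCompliance) {
        $complParams = @{ DryRun = $DryRun }
        if ($ComplianceStrict) {
            # Strict mode: require Device Health Attestation (ELAM) and VBS/HVCI.
            $complParams['RequireDeviceHealthAttestation'] = $true
            $complParams['RequireVBSHardening'] = $true
        }
        Invoke-Step 4 'Compliance Policies' {
            Import-CompliancePolicyToIntune @complParams
            Import-MultiPlatformComplianceToIntune -DryRun:$DryRun
        }
    }

    if ($IncludeOther) {
        # 5. App Protection Policies (MAM)
        Invoke-Step 5 'App Protection Policies' { Import-AppProtectionPolicyToIntune -Platform All -DryRun:$DryRun }

        # 6. Other Policies. One entry per importer; dry-run and real run share
        # the same arguments so the dry-run reflects the actual deployment.
        $otherImports = @(
            { Import-ASRPolicyToIntune -DryRun:$DryRun }
            { Import-ExploitProtectionToIntune -DryRun:$DryRun }
            { Import-EventViewerCustomViews -DryRun:$DryRun }
            # NOTE(review): previously only the dry-run path passed
            # -Countries @('CN') while the real run used the importer's default,
            # so the dry-run did not reflect what was deployed. Both paths now
            # use the importer's default; confirm the intended country list.
            { Import-CountryIPBlockingToIntune -DryRun:$DryRun }
            { Import-UpdateRingsToIntune -DryRun:$DryRun }
            { Import-TamperProtectionToIntune -DryRun:$DryRun }
            { Import-WindowsLAPSToIntune -DryRun:$DryRun }
            { Import-WingetAutoUpdateToIntune -DryRun:$DryRun }
            { Import-MicrosoftSecurityBaselineToIntune -DryRun:$DryRun }
            { Import-Microsoft365AppsBaselineToIntune -DryRun:$DryRun }
            { Import-EdgeSecurityBaselineToIntune -DryRun:$DryRun }
            { Import-OptionalWindowsFeaturesToIntune -DryRun:$DryRun }
            { Import-AuditPoliciesToIntune -DryRun:$DryRun }
            { Import-CertificateCheckingToIntune -DryRun:$DryRun }
        )
        Invoke-Step 6 'Other Policies' {
            foreach ($import in $otherImports) { & $import }
        }

        # 7. Advanced Policies (WDAC, CSP - manual). Nothing is imported here;
        # the step only reminds the operator that these need explicit input.
        Invoke-Step 7 'Advanced Policies' {
            if (-not $DryRun) {
                Write-Host "Note: WDAC and CSP require manual configuration (-PolicyPath, -OMAUri/-Value)" -ForegroundColor Gray
            }
        }
    }

    Write-Host "`n=== DEPLOYMENT SUMMARY ===" -ForegroundColor Cyan
    Write-Host "Deployed: $($deployed.Count)" -ForegroundColor Green
    foreach ($item in $deployed) {
        Write-Host " - $item" -ForegroundColor Green
    }
    if ($failed.Count -gt 0) {
        Write-Host "`nFailed: $($failed.Count)" -ForegroundColor Red
        foreach ($item in $failed) {
            Write-Host " - $item" -ForegroundColor Red
        }
    }
    Write-Host "`nDeployment complete!" -ForegroundColor Cyan
}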