Public/Import-ASRPolicyToIntune.ps1

<#
.SYNOPSIS
    Imports an Attack Surface Reduction (ASR) policy into Intune.
.DESCRIPTION
    Creates a comprehensive ASR policy for Windows Defender with all recommended rules enabled.
.PARAMETER DryRun
    Build and report the policy without connecting to Microsoft Graph or changing the tenant.
.EXAMPLE
    Import-ASRPolicyToIntune
#>

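function Import-ASRPolicyToIntune {
    [CmdletBinding()]
    param(
        # When set, build and report the policy but neither connect to Graph nor change the tenant.
        [switch]$DryRun
    )

    # Make non-terminating errors terminating so the try/catch blocks below see every failure.
    # Consequence: Write-Error itself terminates, so the explicit returns after it are defensive only.
    $ErrorActionPreference = "Stop"

    $workspacePath = Get-WorkspacePath
    if (-not $workspacePath) {
        Write-Error "Workspace not configured. Run Initialize-NLBaseline first."
        return
    }

    # config.json carries the app registration client secret in clear text; only its presence is
    # checked here and the value is never written to output. Protect the workspace directory accordingly.
    $config = Get-Config -WorkspacePath $workspacePath
    if (-not $config -or
        [string]::IsNullOrEmpty($config.AppRegistration.ClientId) -or
        [string]::IsNullOrEmpty($config.AppRegistration.ClientSecret) -or
        [string]::IsNullOrEmpty($config.AppRegistration.TenantId)) {
        Write-Error "App Registration not configured in config.json."
        return
    }

    Write-Host "`nImporting Attack Surface Reduction (ASR) Policy to Intune`n" -ForegroundColor Cyan

    # A dry run never authenticates, so a missing/invalid secret is only detected on a real run.
    if (-not $DryRun) {
        $connected = Connect-Intune -Config $config
        if (-not $connected) {
            Write-Error "Failed to connect to Microsoft Graph."
            return
        }
    }

    # Microsoft-recommended ASR rules (GUIDs per attack-surface-reduction-rules-reference).
    # The Webshell rule is intentionally omitted because it applies to servers only.
    $asrRules = @(
        @{ ruleId = "56A863A9-875E-4185-98A7-B882C64B5CE5"; action = "block"; ruleName = "Block abuse of exploited vulnerable signed drivers" },
        @{ ruleId = "7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C"; action = "block"; ruleName = "Block Adobe Reader from creating child processes" },
        @{ ruleId = "D4F940AB-401B-4EFC-AADC-AD5F3C50688A"; action = "block"; ruleName = "Block all Office applications from creating child processes" },
        @{ ruleId = "9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2"; action = "block"; ruleName = "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" },
        @{ ruleId = "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550"; action = "block"; ruleName = "Block executable content from email client and webmail" },
        @{ ruleId = "01443614-CD74-433A-B99E-2ECDC07BFC25"; action = "block"; ruleName = "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" },
        @{ ruleId = "5BEB7EFE-FD9A-4556-801D-275E5FFC04CC"; action = "block"; ruleName = "Block execution of potentially obfuscated scripts" },
        @{ ruleId = "D3E037E1-3EB8-44C8-A917-57927947596D"; action = "block"; ruleName = "Block JavaScript or VBScript from launching downloaded executable content" },
        @{ ruleId = "3B576869-A4EC-4529-8536-B80A7769E899"; action = "block"; ruleName = "Block Office applications from creating executable content" },
        @{ ruleId = "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84"; action = "block"; ruleName = "Block Office applications from injecting code into other processes" },
        @{ ruleId = "26190899-1602-49E8-8B27-EB1D0A1CE869"; action = "block"; ruleName = "Block Office communication application from creating child processes" },
        @{ ruleId = "E6DB77E5-3DF2-4CF1-B95A-636979351E5B"; action = "block"; ruleName = "Block persistence through WMI event subscription" },
        @{ ruleId = "D1E49AAC-8F56-4280-B9BA-993A6D77406C"; action = "block"; ruleName = "Block process creations originating from PSExec and WMI commands" },
        @{ ruleId = "33DDEDF1-C6E0-47CB-833E-DE6133960387"; action = "block"; ruleName = "Block rebooting machine in Safe Mode" },
        @{ ruleId = "B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4"; action = "block"; ruleName = "Block untrusted and unsigned processes that run from USB" },
        @{ ruleId = "C0033C00-D16D-4114-A5A0-DC9B3A7D2CEB"; action = "block"; ruleName = "Block use of copied or impersonated system tools" },
        @{ ruleId = "92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B"; action = "block"; ruleName = "Block Win32 API calls from Office macros" },
        @{ ruleId = "C1DB55AB-C21A-4637-BB3F-A12568109D35"; action = "block"; ruleName = "Use advanced protection against ransomware" }
    )

    # Request body for POST /deviceManagement/deviceConfigurations.
    # NOTE(review): several of the defender* keys below are documented on windows10GeneralConfiguration
    # rather than on windows10EndpointProtectionConfiguration, and defenderAttackSurfaceReductionRules
    # as a ruleId/action collection is not a property I can confirm on either type. Verify against the
    # Graph schema; unknown properties may be rejected by the API or silently dropped, which would leave
    # the policy weaker than this table suggests.
    $body = @{
        "@odata.type" = "#microsoft.graph.windows10EndpointProtectionConfiguration"
        displayName = "NLBaseline - ASR Policy (Comprehensive)"
        description = "ASR policy with Microsoft-recommended rules (GUIDs per attack-surface-reduction-rules-reference). Excludes Webshell (server-only)."
        defenderAttackSurfaceReductionExcludedPaths = @()
        defenderAttackSurfaceReductionProtectedPaths = @()
        defenderAttackSurfaceReductionRules = $asrRules
        defenderBlockEndUserAccess = $false
        defenderCloudBlockLevel = "high"
        defenderCloudExtendedTimeout = 50
        defenderDaysBeforeDeletingQuarantinedMalware = 0
        defenderDetectedMalwareActions = @{
            lowSeverity = "clean"
            moderateSeverity = "quarantine"
            highSeverity = "remove"
            severeSeverity = "remove"
        }
        defenderDisableBehaviorMonitoring = $false
        defenderDisableCloudProtection = $false
        defenderDisableIntrusionPreventionSystem = $false
        defenderDisableOnAccessProtection = $false
        defenderDisableRealTimeMonitoring = $false
        defenderDisableScanArchiveFiles = $false
        defenderDisableScanDownloads = $false
        defenderDisableScanNetworkFiles = $false
        defenderDisableScanRemovableDrivesDuringFullScan = $false
        defenderDisableScanScriptsLoadedInInternetExplorer = $false
        defenderEnableNetworkProtection = "enabled"
        defenderEnableRealTimeProtection = $true
        defenderFileExtensionsToExclude = @()
        defenderFilesAndFoldersToExclude = @()
        defenderMonitorFileActivity = "monitorAllFiles"
        defenderProcessesToExclude = @()
        defenderPromptForSampleSubmission = "sendSafeSamplesAutomatically"
        defenderRequireBehaviorMonitoring = $true
        defenderRequireCloudProtection = $true
        defenderRequireNetworkInspectionSystem = $true
        defenderRequireRealTimeMonitoring = $true
        defenderScanMaxCpuPercentage = 50
        defenderSignatureUpdateIntervalInHours = 8
        defenderSubmitSamplesConsentType = "sendSafeSamplesAutomatically"
    }

    if ($DryRun) {
        Write-Host "[DryRun] Would create ASR Policy with $($asrRules.Count) rules" -ForegroundColor Cyan
        # Rule-level detail only on -Verbose so the default dry-run output stays a one-liner.
        foreach ($rule in $asrRules) {
            Write-Verbose "[DryRun]   $($rule.ruleId) $($rule.action) - $($rule.ruleName)"
        }
        return
    }

    # Replace any existing policy with the same displayName. This step is destructive: the old policy
    # is deleted before the new one exists, so a failed POST below leaves the tenant without this
    # policy until the function is re-run. Removal failures are reported separately from creation
    # failures so the operator knows whether the previous policy is still in place.
    $policyDisplayName = $body.displayName
    try {
        $removed = Remove-IntunePolicyByDisplayName -DisplayName $policyDisplayName -PolicyType "Configuration"
        if ($removed) {
            Write-Host "Removed existing policy: $policyDisplayName" -ForegroundColor Yellow
        }
    }
    catch {
        Write-Error "Failed to remove existing policy '$policyDisplayName': $_"
        return
    }

    try {
        # Default ConvertTo-Json depth (2) would flatten the nested rule objects; 20 keeps them intact.
        $json = $body | ConvertTo-Json -Depth 20
        $res = Invoke-IntuneGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" -Body $json
        Write-Host "Created ASR Policy: $($res.displayName) (id: $($res.id))" -ForegroundColor Green
        Write-Host "ASR Rules configured: $($asrRules.Count)" -ForegroundColor Green
    }
    catch {
        Write-Error "Failed to create ASR Policy: $_"
    }
}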