Public/Import-MicrosoftSecurityBaselineToIntune.ps1
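<#
.SYNOPSIS
    Guides the operator through importing a Microsoft Security Baseline into Intune.

.DESCRIPTION
    Validates that a workspace and an App Registration are configured, then prints the
    manual steps for obtaining the Microsoft Security Baseline from the Microsoft Security
    Compliance Toolkit and converting it to an Intune policy (Settings Catalog or Group
    Policy Analytics).

    This function does NOT download, extract or apply any baseline itself: it makes no
    network request and issues no Intune/Graph call. The App Registration check only
    confirms that the workspace is ready for the follow-on Intune work; the client
    secret is tested for presence and never echoed.

.PARAMETER WindowsVersion
    Baseline family to import. One of Windows11 (default), Windows10,
    WindowsServer2022, WindowsServer2019. Currently only affects the text printed.

.PARAMETER ApplyOptionalOverrides
    When set, the summary notes that optional overrides are enabled. No settings are
    changed by this function.

.PARAMETER DryRun
    Print a short summary and the authoritative download/documentation links, then
    return without printing the full manual-step instructions.

.EXAMPLE
    Import-MicrosoftSecurityBaselineToIntune -WindowsVersion "Windows11" -ApplyOptionalOverrides

.NOTES
    Obtain the baseline only from the Microsoft Download Center page referenced in the
    output. Direct .zip URLs change with every baseline release, so this function
    deliberately does not hardcode per-version download links; a stale or unverifiable
    direct URL must never be presented to the operator as the place to fetch a security
    baseline from.
#>
function Import-MicrosoftSecurityBaselineToIntune {
    [CmdletBinding()]
    param(
        [ValidateSet("Windows11", "Windows10", "WindowsServer2022", "WindowsServer2019")]
        [string]$WindowsVersion = "Windows11",

        [switch]$ApplyOptionalOverrides,

        [switch]$DryRun
    )

    # Under 'Stop' each Write-Error below is terminating, so the function exits at the
    # first failed precondition. The explicit 'return' is kept for readability and for
    # callers that invoke the function with -ErrorAction Continue.
    $ErrorActionPreference = "Stop"

    # Authoritative sources. Both links were already part of the printed guidance; the
    # download *page* (not a direct .zip link) is the only stable reference across releases.
    $toolkitDownloadPage = "https://www.microsoft.com/download/details.aspx?id=55319"
    $baselineDocsPage = "https://learn.microsoft.com/windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines"

    $workspacePath = Get-WorkspacePath
    if (-not $workspacePath) {
        Write-Error "Workspace not configured. Run Initialize-NLBaseline first."
        return
    }

    # The '-not $config' test must stay first: it short-circuits the property reads so a
    # missing config never dereferences $null.AppRegistration. Only presence of the
    # credentials is checked; none of the values are written to the console.
    $config = Get-Config -WorkspacePath $workspacePath
    if (-not $config -or
        [string]::IsNullOrEmpty($config.AppRegistration.ClientId) -or
        [string]::IsNullOrEmpty($config.AppRegistration.ClientSecret) -or
        [string]::IsNullOrEmpty($config.AppRegistration.TenantId)) {
        Write-Error "App Registration not configured in config.json."
        return
    }

    Write-Host "`nImporting Microsoft Security Baseline to Intune`n" -ForegroundColor Cyan
    Write-Host "Windows Version: $WindowsVersion" -ForegroundColor White
    if ($ApplyOptionalOverrides) {
        Write-Host "Optional Overrides: Enabled" -ForegroundColor Yellow
    }

    if ($DryRun) {
        # Describe what this function really does (guidance only), and point at the
        # download page rather than a per-version direct URL that may be stale.
        Write-Host "[DryRun] Would print the import guidance for the Microsoft Security Baseline for $WindowsVersion" -ForegroundColor Cyan
        Write-Host "Baseline download page: $toolkitDownloadPage" -ForegroundColor Gray
        Write-Host "Note: Direct .zip download URLs change with each baseline release; always start from the download page above" -ForegroundColor Yellow
        Write-Host "`nBaseline documentation:" -ForegroundColor Yellow
        Write-Host " $baselineDocsPage" -ForegroundColor White
        return
    }

    Write-Host "`nNote: Microsoft Security Baselines must be downloaded from Microsoft and applied via:" -ForegroundColor Yellow
    Write-Host "1. Download baseline ZIP from Microsoft Security Compliance Toolkit" -ForegroundColor White
    Write-Host "2. Extract GPO files (registry.pol, GptTmpl.inf)" -ForegroundColor White
    Write-Host "3. Convert to Intune OMA-URI settings or use Settings Catalog" -ForegroundColor White
    Write-Host "`nLatest download: $toolkitDownloadPage" -ForegroundColor Cyan
    Write-Host "`nFor automated deployment, use Group Policy Analytics in Intune:" -ForegroundColor Yellow
    Write-Host " Devices > Configuration > Group Policy Analytics" -ForegroundColor White
    Write-Host " Upload GPO backup and convert to Settings Catalog policy" -ForegroundColor White
}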