Public/Import-TamperProtectionToIntune.ps1

<#
.SYNOPSIS
    Creates the Defender Tamper Protection prerequisite policy and prints the Tamper Protection setup steps.
.DESCRIPTION
    Creates a custom OMA-URI policy that sets DisableLocalAdminMerge = 1 (Defender CSP).
    When Defender is managed through Intune, DisableLocalAdminMerge must be true; otherwise management can break.
    Tamper Protection itself is enabled via Endpoint Security > Antivirus > Windows Security Experience in Intune.
.PARAMETER DryRun
    Validate only; do not create policy.
.EXAMPLE
    Import-TamperProtectionToIntune
    Import-TamperProtectionToIntune -DryRun
#>

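function Import-TamperProtectionToIntune {
    <#
    .SYNOPSIS
        Creates the DisableLocalAdminMerge custom OMA-URI policy that managing Tamper Protection through Intune requires.
    .DESCRIPTION
        Builds a windows10CustomConfiguration holding one Defender CSP setting
        (./Device/Vendor/MSFT/Defender/Configuration/DisableLocalAdminMerge = 1), removes any
        existing policy with the same display name, then POSTs the new policy to Graph.
        Tamper Protection itself is not configured here; the function prints the Intune steps for it.
    .PARAMETER DryRun
        Check the workspace and app-registration configuration and print what would be created,
        without connecting to Graph or changing anything.
    .OUTPUTS
        None. Progress goes to the host; failures are reported with Write-Error.
    .EXAMPLE
        Import-TamperProtectionToIntune
    .EXAMPLE
        Import-TamperProtectionToIntune -DryRun
    #>
    [CmdletBinding()]
    param([switch]$DryRun)

    $ErrorActionPreference = "Stop"

    # One definition of the policy name so the create, replace and log paths cannot drift apart.
    $policyDisplayName = "NLBaseline - Tamper Protection (DisableLocalAdminMerge)"
    $deviceConfigUri   = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"

    $workspacePath = Get-WorkspacePath
    if (-not $workspacePath) {
        Write-Error "Workspace not configured. Run Initialize-NLBaseline first."
        return
    }

    # All three app-registration values are required before a Graph connection is attempted.
    # NOTE(review): ClientSecret is read from config.json on disk; that file holds a credential
    # and should be ACL-restricted and kept out of source control.
    $config = Get-Config -WorkspacePath $workspacePath
    $appReg = if ($config) { $config.AppRegistration } else { $null }
    if (-not $appReg -or
        [string]::IsNullOrEmpty($appReg.ClientId) -or
        [string]::IsNullOrEmpty($appReg.ClientSecret) -or
        [string]::IsNullOrEmpty($appReg.TenantId)) {
        Write-Error "App Registration not configured in config.json."
        return
    }

    Write-Host "`nTamper Protection prerequisites and policy`n" -ForegroundColor Cyan

    # Defender CSP integer setting; 1 = local admin settings are not merged with the managed policy.
    $omaSettings = @(
        @{
            "@odata.type" = "#microsoft.graph.omaSettingInteger"
            displayName   = "DisableLocalAdminMerge"
            description   = "Prevent local admin from merging Defender settings with org policy. Required when managing Tamper Protection via Intune."
            omaUri        = "./Device/Vendor/MSFT/Defender/Configuration/DisableLocalAdminMerge"
            value         = 1
        }
    )

    $body = @{
        "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
        displayName   = $policyDisplayName
        description   = "Defender CSP: DisableLocalAdminMerge. Enable Tamper Protection via Endpoint Security > Antivirus > Windows Security Experience."
        omaSettings   = $omaSettings
    }

    # DryRun returns before any Graph connection, so it never uses the client secret.
    if ($DryRun) {
        Write-Host "[DryRun] Would create: $policyDisplayName" -ForegroundColor Cyan
        return
    }

    $connected = Connect-Intune -Config $config
    if (-not $connected) {
        Write-Error "Failed to connect to Microsoft Graph."
        return
    }

    # The existing policy is deleted before the replacement is posted, so a failed POST leaves
    # devices without this policy until the function is re-run. The order is kept because
    # Remove-IntunePolicyByDisplayName matches on display name and would presumably remove a
    # freshly created duplicate as well (TODO confirm); the catch below reports when that
    # window was hit so the operator knows the tenant state.
    $removed = $false
    try {
        $removed = Remove-IntunePolicyByDisplayName -DisplayName $policyDisplayName -PolicyType "Configuration"
        if ($removed) { Write-Host "Removed existing policy." -ForegroundColor Yellow }

        $res = Invoke-IntuneGraphRequest -Method POST -Uri $deviceConfigUri -Body ($body | ConvertTo-Json -Depth 10)
        Write-Host "Created: $policyDisplayName (id: $($res.id))" -ForegroundColor Green
    }
    catch {
        if ($removed) {
            Write-Error "Failed to create policy '$policyDisplayName' after the previous one was removed; re-run to restore it: $_"
        }
        else {
            Write-Error "Failed to create policy: $_"
        }
        return
    }

    # Tamper Protection is an Endpoint Security setting, not an OMA-URI; it has to be done in the portal.
    Write-Host "`nTo enable Tamper Protection:" -ForegroundColor Yellow
    Write-Host " 1. Intune admin center > Endpoint security > Antivirus" -ForegroundColor White
    Write-Host " 2. Create policy > Platform: Windows > Profile: Windows Security Experience" -ForegroundColor White
    Write-Host " 3. Defender section > Tamper protection (device): On" -ForegroundColor White
    Write-Host " 4. Assign to All devices or target groups.`n" -ForegroundColor White
}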