Public/Import-UpdateRingsToIntune.ps1

<#
.SYNOPSIS
    Imports Windows Update Rings to Intune.
.DESCRIPTION
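    Creates a Windows Update for Business policy (Update Ring) in Intune by posting it to Microsoft Graph.
    With -DryRun, only reports the ring that would be created; no connection is made and nothing is sent.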
.EXAMPLE
    Import-UpdateRingsToIntune -RingName "Security Updates"
#>

function Import-UpdateRingsToIntune {
    # Builds one windowsUpdateForBusinessConfiguration object and POSTs it to the
    # Microsoft Graph deviceConfigurations endpoint.
    #   -RingName  display name given to the new ring.
    #   -DryRun    report what would be created; skips Connect-Intune and the POST.
    # Every non-dry run issues a fresh POST: nothing here looks for an existing ring
    # with the same display name, and nothing here assigns the ring to a group.
    [CmdletBinding()]
    param(
        [string]$RingName = "NLBaseline - Security Updates",
        [switch]$DryRun
    )

    # With "Stop" in effect the Write-Error calls below end the function on their
    # own; the `return` after each one is a fallback.
    $ErrorActionPreference = "Stop"

    $workspacePath = Get-WorkspacePath
    if (-not $workspacePath) {
        Write-Error "Workspace not configured. Run Initialize-NLBaseline first."
        return
    }

    $config = Get-Config -WorkspacePath $workspacePath

    # Presence check only: the three app-registration values must be non-empty.
    # The values themselves are never written to the console by this function.
    $configIncomplete = -not $config
    if (-not $configIncomplete) {
        foreach ($field in 'ClientId', 'ClientSecret', 'TenantId') {
            if ([string]::IsNullOrEmpty($config.AppRegistration.$field)) {
                $configIncomplete = $true
                break
            }
        }
    }
    if ($configIncomplete) {
        # NOTE(review): this message names config.json, so the client secret
        # presumably sits in that file. Confirm the file is access-restricted
        # and kept out of source control.
        Write-Error "App Registration not configured in config.json."
        return
    }

    Write-Host "`nImporting Windows Update Ring to Intune`n" -ForegroundColor Cyan

    # Dry run stops here: no Graph connection is opened and no request is sent.
    if ($DryRun) {
        Write-Host "[DryRun] Would create Update Ring: $RingName" -ForegroundColor Cyan
        return
    }

    if (-not (Connect-Intune -Config $config)) {
        Write-Error "Failed to connect to Microsoft Graph."
        return
    }

    # Ring definition. Quality and feature deferral are both 0 days, neither
    # channel is paused, and the Windows 11 upgrade is allowed.
    # NOTE(review): no deadlineFor*InDays properties are sent, so no install
    # deadline comes from this payload. Confirm that is intended for the baseline.
    $ringDefinition = @{
        "@odata.type" = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName = $RingName
        description = "Windows Update ring from NLBaseline"
        deliveryOptimizationMode = "httpOnly"
        prereleaseFeatures = "userDefined"
        automaticUpdateMode = "autoInstallAtMaintenanceTime"
        microsoftUpdateServiceAllowed = $true
        driversExcluded = $false
        installationSchedule = @{
            "@odata.type" = "#microsoft.graph.windowsUpdateActiveHoursInstall"
            activeHoursStart = "08:00:00.0000000"
            activeHoursEnd = "17:00:00.0000000"
        }
        qualityUpdatesDeferralPeriodInDays = 0
        featureUpdatesDeferralPeriodInDays = 0
        qualityUpdatesPaused = $false
        featureUpdatesPaused = $false
        businessReadyUpdatesOnly = "userDefined"
        skipChecksBeforeRestart = $false
        updateWeeks = "userDefined"
        allowWindows11Upgrade = $true
    }

    try {
        # Serialization stays inside the try so a ConvertTo-Json failure is
        # reported through the same catch as a failed request.
        $request = @{
            Method = "POST"
            Uri    = "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations"
            Body   = ($ringDefinition | ConvertTo-Json -Depth 20)
        }
        $res = Invoke-IntuneGraphRequest @request
        $createdId = $res.id
        Write-Host "Created Update Ring: $RingName (id: $createdId)" -ForegroundColor Green
    }
    catch {
        Write-Error "Failed to create Update Ring: $_"
    }
}