Public/Import-WDACPolicyToIntune.ps1
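<#
.SYNOPSIS
    Imports a WDAC (Windows Defender Application Control) policy to Intune.

.DESCRIPTION
    Deploys a compiled WDAC / App Control policy to Intune as a Windows 10 custom
    device configuration profile carrying a single Base64 OMA-URI setting.
    The policy file is read as raw bytes and uploaded verbatim, so it must already
    be a compiled binary policy (.cip / .bin); an XML source policy is not converted
    and is not rejected, only warned about.

    Flow: resolve the workspace and app-registration config, validate the file,
    stop at -DryRun if requested (no Graph connection is made before that point),
    connect to Graph, remove any existing profile with the same display name,
    then POST the new profile.

.PARAMETER PolicyPath
    Path to an existing compiled policy file (must be a leaf; validated at bind time).

.PARAMETER PolicyName
    Friendly name used in the profile display name. Defaults to the file's base name.

.PARAMETER DryRun
    Print what would be created and return without contacting Microsoft Graph.

.EXAMPLE
    Import-WDACPolicyToIntune -PolicyPath "C:\Policies\BasePolicy.cip" -PolicyName "Base WDAC Policy"

.NOTES
    - An existing profile with the same display name is deleted and recreated. The
      request body carries no assignments, so whatever assignments the old profile
      had are not carried over by this function — presumably they must be re-applied
      separately; confirm against the Remove-IntunePolicyByDisplayName helper.
    - NOTE(review): the ApplicationControl CSP documents the policy node as
      ./Vendor/MSFT/ApplicationControl/Policies/<PolicyGUID>/Policy; the URI used
      here differs — confirm it is accepted by the target devices.
    - The bytes are not parsed or signature-checked here; an invalid blob is
      uploaded as-is and only fails on the device.
#>
function Import-WDACPolicyToIntune {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateScript({ Test-Path $_ -PathType Leaf })]
        [string]$PolicyPath,

        [Parameter(Mandatory = $false)]
        [string]$PolicyName,

        [switch]$DryRun
    )

    # Under "Stop", Write-Error itself terminates the function; the explicit
    # `return` statements after each Write-Error are a fallback only.
    $ErrorActionPreference = "Stop"

    $workspacePath = Get-WorkspacePath
    if (-not $workspacePath) {
        Write-Error "Workspace not configured. Run Initialize-NLBaseline first."
        return
    }

    # Only presence of the app-registration values is checked; the client secret
    # is passed on to Connect-Intune and is never written to the console here.
    $config = Get-Config -WorkspacePath $workspacePath
    if (-not $config -or
        [string]::IsNullOrEmpty($config.AppRegistration.ClientId) -or
        [string]::IsNullOrEmpty($config.AppRegistration.ClientSecret) -or
        [string]::IsNullOrEmpty($config.AppRegistration.TenantId)) {
        Write-Error "App Registration not configured in config.json."
        return
    }

    # Defensive re-check; ValidateScript already rejects a missing file at bind time.
    if (-not (Test-Path $PolicyPath)) {
        Write-Error "Policy file not found: $PolicyPath"
        return
    }

    $policyFile = Get-Item $PolicyPath
    # -ne is case-insensitive in PowerShell, so .CIP / .BIN pass as well.
    if ($policyFile.Extension -ne ".cip" -and $policyFile.Extension -ne ".bin") {
        Write-Warning "Policy file should be in .cip or .bin format. Continuing anyway..."
    }
    # An empty file would otherwise be uploaded as an empty Base64 value.
    if ($policyFile.Length -eq 0) {
        Write-Error "Policy file is empty: $PolicyPath"
        return
    }

    if (-not $PolicyName) {
        $PolicyName = $policyFile.BaseName
    }

    Write-Host "`nImporting WDAC Policy to Intune`n" -ForegroundColor Cyan
    Write-Host "Policy File: $PolicyPath" -ForegroundColor White
    Write-Host "Policy Name: $PolicyName" -ForegroundColor White

    # DryRun returns before Connect-Intune, so no tenant state is read or changed.
    if ($DryRun) {
        Write-Host "[DryRun] Would create WDAC Policy in Intune" -ForegroundColor Cyan
        Write-Host "Policy will be deployed via OMA-URI: ./Device/Vendor/MSFT/ApplicationControl/Policy" -ForegroundColor Gray
        return
    }

    $connected = Connect-Intune -Config $config
    if (-not $connected) {
        Write-Error "Failed to connect to Microsoft Graph."
        return
    }

    try {
        # Read policy file as Base64. The bytes are sent verbatim; no parsing or
        # signature verification happens on this side.
        $policyBytes = [System.IO.File]::ReadAllBytes($PolicyPath)
        $policyBase64 = [System.Convert]::ToBase64String($policyBytes)

        # Create OMA-URI setting for WDAC policy
        $omaSettings = @(
            @{
                "@odata.type" = "#microsoft.graph.omaSettingBase64"
                displayName   = "WDAC Policy"
                description   = "Windows Defender Application Control Policy"
                omaUri        = "./Device/Vendor/MSFT/ApplicationControl/Policy"
                fileName      = $policyFile.Name
                value         = $policyBase64
            }
        )

        $policyDisplayName = "NLBaseline - WDAC Policy - $PolicyName"

        # Replace any existing profile with the same displayName. The new body below
        # has no assignments, so the previous profile's assignments do not survive.
        $removed = Remove-IntunePolicyByDisplayName -DisplayName $policyDisplayName -PolicyType "Configuration"
        if ($removed) {
            Write-Host "Removed existing policy: $policyDisplayName" -ForegroundColor Yellow
        }

        $body = @{
            "@odata.type" = "#microsoft.graph.windows10CustomConfiguration"
            displayName   = $policyDisplayName
            description   = "Windows Defender Application Control (WDAC) policy for application whitelisting"
            omaSettings   = $omaSettings
        }

        $res = Invoke-IntuneGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" -Body ($body | ConvertTo-Json -Depth 20)
        Write-Host "Created WDAC Policy: $($res.displayName) (id: $($res.id))" -ForegroundColor Green

        Write-Host "`nNote: WDAC policies require:" -ForegroundColor Yellow
        Write-Host " - Devices must support UEFI and Secure Boot" -ForegroundColor White
        Write-Host " - For enforcement mode, enable 'Deploy Windows Defender Application Control' in Device Configuration" -ForegroundColor White
        Write-Host " - For audit mode, use audit-only policies" -ForegroundColor White
    }
    catch {
        # Capture the record first: nested try blocks below must not lose it.
        $err = $_

        # Surface the Graph response body BEFORE Write-Error. With
        # $ErrorActionPreference = "Stop", Write-Error terminates the function, so
        # anything placed after it in this block would never run.
        $responseBody = $null
        if ($err.ErrorDetails -and $err.ErrorDetails.Message) {
            # PowerShell 6+ (HttpClient-based web cmdlets) expose the body here.
            $responseBody = $err.ErrorDetails.Message
        }
        elseif ($err.Exception.Response -is [System.Net.HttpWebResponse]) {
            # Windows PowerShell 5.1 (WebRequest-based): read the raw stream and
            # dispose the reader so the underlying stream is released.
            $reader = $null
            try {
                $reader = New-Object System.IO.StreamReader($err.Exception.Response.GetResponseStream())
                $responseBody = $reader.ReadToEnd()
            }
            finally {
                if ($reader) { $reader.Dispose() }
            }
        }
        if ($responseBody) {
            Write-Host "Response: $responseBody" -ForegroundColor Red
        }

        Write-Error "Failed to create WDAC Policy: $err"
    }
}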