microsoft / Microsoft365DSC

Manages, configures, extracts and monitors Microsoft 365 tenant configurations
https://aka.ms/M365DSC
MIT License

Feature Request: Support for Endpoint Security Policies #4229

Open Cyanic-Cloud opened 10 months ago

Cyanic-Cloud commented 10 months ago

Description

Upon reviewing the existing issues and feature requests, I noticed an absence of discussions regarding support for the following Endpoint Security features within Microsoft 365 DSC:

Currently, all available Graph API commands seem to be limited to devicemanagement/configurationPolicies, but to return all policies we also need deviceManagement/intents. This limitation presents a significant challenge as it prevents the exportation and deployment of the aforementioned settings using Microsoft 365 DSC.


Is there any plan or ongoing development to incorporate these features into Microsoft 365 DSC? It would be incredibly beneficial for users seeking more comprehensive control over their Endpoint Security policies through DSC.

Is this in the pipeline to be done?

Proposed properties

Integrate additional Graph API functionalities specifically targeting the properties under devicemanagement/intents to support the deployment and management of Endpoint Security policies, including AntiVirus, Windows Firewall, and Device Control policies, using Microsoft 365 DSC.

Special considerations or limitations

Cyanic-Cloud commented 9 months ago

@William-Francillette @ricmestre Are you guys able to deploy intents policies?

William-Francillette commented 9 months ago

We already have a few intents policies implemented like MSFT_IntuneApplicationControlPolicyWindows10 - it's only a question of time

Cyanic-Cloud commented 9 months ago

These policies are the last of many to complete my baseline, would be great to have them included. I am able to deploy using graph functions outside of DSC for now.
Would it help / speed up the process if I included my code that I use to deploy the policies using Graph?
I would like to help out where possible...

Cyanic-Cloud commented 9 months ago

@NikCharlebois @ykuijs do you think the intent policies will be supported in the near future?

GeldHades27355 commented 8 months ago

@Cyanic-Cloud Not sure if I'm barking up the wrong tree, but I think they ARE included - just not in a section called "Endpoint Security".

I'm looking at a full dump from our master tenant - both from M365DSC and from https://github.com/Micke-K/IntuneManagement.

I can see "Attack Surface Reduction", "Exploit Protection", "Antivirus", "Endpoint Detection and Response" and "Disk Encryption" policies on both outputs. They're just scattered all over the place, presumably because what Intune UI shows as categories does not necessarily map to the same categories in the back end.

It seems many get dumped as part of "Settings Catalog", which may make it hard to find. But search through your output dumps for some specific settings - they ARE there.

I will admit that I can't find many Firewall policy settings in M365DSC's output, but https://github.com/Micke-K/IntuneManagement dumps those for sure. So they can be "got", but not sure if DSC supports it yet.

Or is this about something different?

Cyanic-Cloud commented 7 months ago

Configuration policies are present and exportable, intent policies are not unfortunately.

GeldHades27355 commented 7 months ago

What's the difference between an intent and configuration policy?

FabienTschanz commented 2 months ago

I'm currently working on most of the resources mentioned in the issue description.

@GeldHades27355 The difference is simply the technology used to export. Intent policies are the previous templates, and configuration policies are the newer templates based on the Intune Settings Catalog.
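
The split between the two endpoints discussed in this thread, as an added example that is not part of the original issue or of the Microsoft365DSC code base: it builds one inventory from both `deviceManagement/intents` and `deviceManagement/configurationPolicies` so the intent-based policies can be listed and checked against an export. The JSON is constructed sample data, and `Get-PolicyInventory` is a hypothetical helper name.

```powershell
# Constructed sample data shaped like the "value" arrays returned by the Graph
# beta endpoints named in this thread. Names and GUIDs are made up.
$intentsJson = @'
{ "value": [
  { "id": "aaaaaaaa-0000-0000-0000-000000000001", "displayName": "Sample Firewall (template)",
    "templateId": "bbbbbbbb-0000-0000-0000-000000000001", "isAssigned": true },
  { "id": "aaaaaaaa-0000-0000-0000-000000000002", "displayName": "Sample Antivirus (template)",
    "templateId": "bbbbbbbb-0000-0000-0000-000000000002", "isAssigned": false }
] }
'@
$policiesJson = @'
{ "value": [
  { "id": "cccccccc-0000-0000-0000-000000000001", "name": "Sample Disk Encryption",
    "templateReference": { "templateFamily": "endpointSecurityDiskEncryption" } },
  { "id": "cccccccc-0000-0000-0000-000000000002", "name": "Sample Settings Catalog profile",
    "templateReference": { "templateFamily": "none" } }
] }
'@

# Hypothetical helper: one row per policy, tagged with the endpoint it came from.
function Get-PolicyInventory {
    param([object[]] $Intents = @(), [object[]] $ConfigurationPolicies = @())

    foreach ($i in $Intents) {
        [pscustomobject]@{
            Name     = $i.displayName          # intents expose displayName
            Endpoint = 'deviceManagement/intents'
            Template = $i.templateId           # GUID of the older template
            Id       = $i.id
        }
    }
    foreach ($p in $ConfigurationPolicies) {
        [pscustomobject]@{
            Name     = $p.name                 # configurationPolicies expose name
            Endpoint = 'deviceManagement/configurationPolicies'
            Template = $p.templateReference.templateFamily
            Id       = $p.id
        }
    }
}

$inventory = Get-PolicyInventory `
    -Intents ($intentsJson | ConvertFrom-Json).value `
    -ConfigurationPolicies ($policiesJson | ConvertFrom-Json).value

# Per-endpoint counts, then the intent-based policies to look for in an export.
$inventory | Group-Object Endpoint | Select-Object Count, Name
$inventory | Where-Object Endpoint -eq 'deviceManagement/intents' |
    Sort-Object Name | Format-Table Name, Template, Id -AutoSize
```

Against a live tenant, the two sample arrays would instead come from read-only GET requests to the same two beta endpoints (for example with `Invoke-MgGraphRequest`), following `@odata.nextLink` when the result is paged.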

FabienTschanz commented 2 weeks ago

Update: Currently the support for the following policies is still lacking: