Using PowerShell scripts in Endpoint Manager Compliance Policies

I wrote a blog post about where you could use PowerShell scripts in Endpoint Manager here, but I didn’t mention the possibility of using it in Compliance Policies. In this blog post, I will 🙂

Preparation

Detection Script

Before creating a Custom Compliance policy, you must upload a PowerShell script in the Endpoint Manager admin center in the Devices/Compliance Policies/Scripts pane. This script returns a JSON-formatted response with the results of the checks you perform in your script. The example script below checks whether my BIOS version is equal to or higher than a particular version, because older versions have a specific security issue. For my Lenovo T14 laptop, the version installed at this moment is R1BET72W(1.41). In the script below, the BIOS version number is read and returned in JSON format:

#Retrieve the BIOS object (Get-CimInstance is the supported replacement for Get-WmiObject)
$bios = Get-CimInstance -ClassName Win32_BIOS

#SMBIOSBIOSVersion looks like "R1BET72W(1.41)" (some firmware adds spaces around the number).
#Take the dotted number between the parentheses instead of relying on a fixed split position,
#so no stray ")" or space ends up in the value that gets compared as a Version.
$LenovoBiosVersion = $null
if ($bios.SMBIOSBIOSVersion -match '\(\s*([\d.]+)\s*\)') {
    $LenovoBiosVersion = $Matches[1]
}

#The hashtable key must be identical to the SettingName used in the JSON rules file below
$hash = @{ LenovoBiosVersion = $LenovoBiosVersion }
return $hash | ConvertTo-Json -Compress

The $hash variable is converted to compressed JSON, which looks like this:

{"LenovoBiosVersion":"1.41"}

This script must be uploaded to the Scripts pane. Steps are:

  • Go to Scripts
  • Select Add
  • Select Windows 10 and later.
  • Fill in the Name, Description, and Publisher, and select Next

  • Copy the script’s contents into the Detection script pane, check all sliders, and select Next.

  • Select Create to finish the wizard.

JSON File

You must also create a JSON file that identifies the settings and values to use in the Custom Compliance policy. For our example Lenovo Bios check that would look like this:

{
    "Rules": [
        {
            "SettingName": "LenovoBiosVersion",
            "Operator": "GreaterEquals",
            "DataType": "Version",
            "Operand": "1.41",
            "MoreInfoUrl": "https://download.lenovo.com/pccbbs/mobiles/r1buj72w.exe",
            "RemediationStrings": [
                {
                    "Language": "en_US",
                    "Title": "BIOS Version needs to be upgraded to at least 1.41.",
                    "Description": "BIOS must be updated, Please refer to the link above"
                }
            ]
        }
    ]
}
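Because Intune only reports "not compliant" when the script output and the rules file disagree, it pays to evaluate the two against each other locally before uploading either. The following is an added example, not code from the original post: it embeds the Lenovo BIOS rules file from above, parses a constructed sample of the detection script's JSON output, checks that every SettingName is actually present as a key in that output, and applies the rule's Operator after casting both sides to the declared DataType. It assumes Windows PowerShell 5.1 or later; the script path in the comment is hypothetical.

```powershell
# Added example (not from the original post): evaluate a custom compliance rules
# file against a discovery script's JSON output locally, before uploading either.
# Assumes Windows PowerShell 5.1 or later.

# The rules file from the post, embedded as a here-string.
$rulesJson = @'
{
    "Rules": [
        {
            "SettingName": "LenovoBiosVersion",
            "Operator": "GreaterEquals",
            "DataType": "Version",
            "Operand": "1.41",
            "MoreInfoUrl": "https://download.lenovo.com/pccbbs/mobiles/r1buj72w.exe",
            "RemediationStrings": [
                { "Language": "en_US",
                  "Title": "BIOS Version needs to be upgraded to at least 1.41.",
                  "Description": "BIOS must be updated, Please refer to the link above" }
            ]
        }
    ]
}
'@

# Constructed sample of what the detection script returns; the key must equal SettingName.
# To test the real script instead (hypothetical path):
#   $scriptOutput = & '.\Detect-LenovoBios.ps1' | Select-Object -Last 1
$scriptOutput = '{"LenovoBiosVersion":"1.41"}'

function ConvertTo-TypedValue {
    # Cast the rule's Operand and the observed value to the declared DataType, so that
    # 1.9 compares as older than 1.41 (as [version]) and not as newer (as text).
    param([string]$DataType, $Value)
    switch ($DataType) {
        'Version'  { return [version]$Value }
        'Int64'    { return [int64]$Value }
        'Double'   { return [double]$Value }
        'Boolean'  { return [System.Convert]::ToBoolean($Value) }
        'DateTime' { return [datetime]$Value }
        'String'   { return [string]$Value }
        default    { throw "Unsupported DataType '$DataType'" }
    }
}

function Test-ComplianceRule {
    # Apply one rule's Operator to the value the script reported for its SettingName.
    param($Rule, $Observed)
    $expected = ConvertTo-TypedValue -DataType $Rule.DataType -Value $Rule.Operand
    $actual   = ConvertTo-TypedValue -DataType $Rule.DataType -Value $Observed
    switch ($Rule.Operator) {
        'IsEquals'      { return $actual -eq $expected }
        'NotEquals'     { return $actual -ne $expected }
        'GreaterThan'   { return $actual -gt $expected }
        'GreaterEquals' { return $actual -ge $expected }
        'LessThan'      { return $actual -lt $expected }
        'LessEquals'    { return $actual -le $expected }
        default         { throw "Unsupported Operator '$($Rule.Operator)'" }
    }
}

$rules        = ($rulesJson | ConvertFrom-Json).Rules
$observed     = $scriptOutput | ConvertFrom-Json
$reportedKeys = @($observed.PSObject.Properties.Name)
$allCompliant = $true

foreach ($rule in $rules) {
    $name = $rule.SettingName
    if ($reportedKeys -notcontains $name) {
        # The most common mistake: the hashtable key in the script and SettingName differ.
        Write-Warning "Script output has no key '$name' (reported keys: $($reportedKeys -join ', '))"
        $allCompliant = $false
        continue
    }
    $ok    = Test-ComplianceRule -Rule $rule -Observed $observed.$name
    $state = if ($ok) { 'Compliant' } else { 'NonCompliant' }
    Write-Output ("{0}: reported {1}, rule {2} {3} -> {4}" -f $name, $observed.$name, $rule.Operator, $rule.Operand, $state)
    if (-not $ok) {
        $allCompliant = $false
        # Show the remediation text the user would see in Company Portal.
        $rule.RemediationStrings | ForEach-Object { Write-Output ("  {0}: {1}" -f $_.Title, $_.Description) }
    }
}
Write-Output ("Overall: " + $(if ($allCompliant) { 'Compliant' } else { 'NonCompliant' }))
```

Change $scriptOutput to '{"Version":"1.41"}' to see the warning a mismatched key produces, or to '{"LenovoBiosVersion":"1.9"}' to confirm that the Version data type orders 1.9 before 1.41 rather than after it.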

Azure AD Group

To assign the custom Compliance Policy in our example, we create a Dynamic Group containing the Lenovo T14 machines. Follow these steps to create one:

  • Go to Groups
  • Select New Group
  • Enter ‘Intune – Lenovo T14 devices’ as Group Name with Dynamic Device as Membership Type and select Create
  • Open the Group and select Dynamic membership rules
  • Choose Edit in the Rule Syntax and use this string to identify the Lenovo T14:
(device.deviceModel -eq "20UD001AMH")
  • Press Ok and Save

Configuring the custom Compliance Policy

You can now add a new Compliance Policy containing custom settings by following these steps:

  • Go to Policies
  • Select Create Policy
  • Select Windows 10 and later as Platform and select Create.
  • Fill in Name and Description and choose Next.

  • Select Custom Compliance, select Require and select Click to select
  • Select the script that you just created and click on Select

  • Click on Select a file, browse to the location where you saved the JSON file and select it. After selecting it, the settings should be displayed as you configured them (LenovoBiosVersion:

  • Select Next and configure the actions for non-compliant devices:

  • Select Next and assign the Compliance Policy to a device group; in our example this is the ‘Intune – Lenovo T14 devices’ group, containing the Lenovo machines whose BIOS level needs to be 1.41 or greater:

  • Select Next and Create to save the custom Compliance policy.

And you’re done. You have now created a custom Compliance Policy with a PowerShell detection script. This adds your own checks to the compliance evaluation, which matters for Conditional Access policies that use the ‘Require device to be marked as compliant’ grant control.

Note: More information about Custom Compliance Policies (Formatting the JSON file, script, or limitations) is available here
