Using PowerShell scripts in Endpoint Manager Compliance Policies

I wrote a blog post about where you can use PowerShell scripts in Endpoint Manager here, but I didn't mention that you can also use them in Compliance Policies. In this blog post, I will 🙂

Preparation

Detection Script

Before you can create a Custom Compliance policy, you first need to upload a PowerShell detection script in the Endpoint Manager Admin center, in the Devices/Compliance Policies/Scripts pane. The script runs on the device and returns the results of the checks you perform as JSON. The example script below checks whether the BIOS version is equal to or higher than a certain version, because older versions have a known security issue. For my Lenovo T14 laptop, the version installed at this moment is R1BET72W(1.41). The script reads the BIOS version string, extracts the version number between the parentheses and returns it in JSON format:

#Retrieve BIOS information (Get-CimInstance is the supported replacement for the deprecated Get-WmiObject)
$bios = Get-CimInstance -ClassName Win32_BIOS

#Windows reports the Lenovo version as "R1BET72W (1.41 )" or similar; take the number inside the
#parentheses with a regex, which works with or without the spaces, instead of splitting on characters
$LenovoBiosVersion = $null
if ($bios.SMBIOSBIOSVersion -match '\(\s*([\d.]+)\s*\)') {
    $LenovoBiosVersion = $Matches[1]
}

#The key name must be identical to the SettingName used in the JSON rules file
$hash = @{ LenovoBiosVersion = $LenovoBiosVersion }
return $hash | ConvertTo-Json -Compress

The $hash variable is converted to compressed JSON, which looks like this:

{"LenovoBiosVersion":"1.41"}

This script can be uploaded to the Scripts pane. Steps are:

  • Go to Scripts
  • Select Add
  • Select Windows 10 and later
  • Fill in the Name, Description, and Publisher fields and select Next
  • Copy the contents of the script into the Detection script pane and select Next
  • Select Create to finish the wizard.

JSON File

You also have to create a JSON file that defines the settings and values to use in the Custom Compliance policy. Each rule's SettingName must match, exactly, the key name that the detection script returns in its JSON output; otherwise the rule has nothing to evaluate. For our Lenovo BIOS check the file looks like this:

{
    "Rules": [
        {
            "SettingName": "LenovoBiosVersion",
            "Operator": "GreaterEquals",
            "DataType": "Version",
            "Operand": "1.41",
            "MoreInfoUrl": "https://download.lenovo.com/pccbbs/mobiles/r1buj72w.exe",
            "RemediationStrings": [
                {
                    "Language": "en_US",
                    "Title": "BIOS Version needs to be upgraded to at least 1.41.",
                    "Description": "BIOS must be updated, Please refer to the link above"
                }
            ]
        }
    ]
}
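Before uploading the script and the JSON file, it is worth running both through a local dry run, because the two most common mistakes (a key name that does not match SettingName, and a version string that does not parse) only show up in the portal as non-compliant devices. The following is an added example and not code from the original post: it reproduces the detection script's output for a given BIOS string and then evaluates it against the rules JSON the way Intune does, looking up the returned key under SettingName and comparing a Version DataType as a .NET version rather than as text. Test-CustomCompliance is a local approximation of that evaluation written for this example, and the BIOS strings at the bottom are constructed test values, not output from a real device.

```powershell
# Added example (not part of the original post): a local dry run of the
# detection script and the rules JSON before uploading either to Intune.
# Test-CustomCompliance is an approximation of Intune's evaluation written
# for this example; the BIOS strings at the bottom are constructed values.

function Get-LenovoBiosVersionString {
    # Returns the number inside the parentheses of a Lenovo SMBIOSBIOSVersion
    # value ("R1BET72W (1.41 )" or "R1BET72W(1.41)"), or $null if there is none.
    param([Parameter(Mandatory)][string]$SmbiosVersion)
    if ($SmbiosVersion -match '\(\s*(\d+(?:\.\d+)+)\s*\)') { return $Matches[1] }
    return $null
}

function Get-DetectionOutput {
    # Produces the same compressed JSON as the uploaded detection script.
    # A BIOS string can be injected for testing; otherwise it is read from CIM.
    param([string]$SmbiosVersion)
    if (-not $SmbiosVersion) {
        $SmbiosVersion = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
    }
    $version = Get-LenovoBiosVersionString -SmbiosVersion $SmbiosVersion
    # The key must be spelled exactly like "SettingName" in the rules file.
    return @{ LenovoBiosVersion = $version } | ConvertTo-Json -Compress
}

function Test-CustomCompliance {
    # Evaluates every rule in the rules JSON against the detection output and
    # returns one object per rule with a Compliant flag and a short reason.
    param(
        [Parameter(Mandatory)][string]$RulesJson,
        [Parameter(Mandatory)][string]$DetectionJson
    )
    $rules    = ($RulesJson | ConvertFrom-Json).Rules
    $detected = $DetectionJson | ConvertFrom-Json

    foreach ($rule in $rules) {
        $property = $detected.PSObject.Properties[$rule.SettingName]
        if (-not $property -or $null -eq $property.Value) {
            # A missing or null setting counts as non-compliant; this is also
            # what you get when the regex fails on an unexpected BIOS string.
            [pscustomobject]@{ Setting = $rule.SettingName; Compliant = $false;
                               Reason  = 'setting not returned by the script' }
            continue
        }
        # Cast both sides according to the rule's DataType before comparing.
        switch ($rule.DataType) {
            'Version' { $actual = [version]$property.Value; $expected = [version]$rule.Operand }
            'Int64'   { $actual = [int64]$property.Value;   $expected = [int64]$rule.Operand }
            'Double'  { $actual = [double]$property.Value;  $expected = [double]$rule.Operand }
            'Boolean' { $actual   = [System.Convert]::ToBoolean($property.Value)
                        $expected = [System.Convert]::ToBoolean($rule.Operand) }
            default   { $actual = [string]$property.Value;  $expected = [string]$rule.Operand }
        }
        $compliant = switch ($rule.Operator) {
            'IsEquals'      { $actual -eq $expected }
            'NotEquals'     { $actual -ne $expected }
            'GreaterThan'   { $actual -gt $expected }
            'GreaterEquals' { $actual -ge $expected }
            'LessThan'      { $actual -lt $expected }
            'LessEquals'    { $actual -le $expected }
            default         { throw "Unsupported operator '$($rule.Operator)'" }
        }
        [pscustomobject]@{ Setting = $rule.SettingName; Compliant = $compliant;
                           Reason  = "$($property.Value) $($rule.Operator) $($rule.Operand)" }
    }
}

# Trimmed copy of the rules file from this post (remediation strings omitted).
$rulesJson = @'
{ "Rules": [ { "SettingName": "LenovoBiosVersion", "Operator": "GreaterEquals",
               "DataType": "Version", "Operand": "1.41" } ] }
'@

# Constructed sample BIOS strings: two compliant spellings and one outdated BIOS.
foreach ($sample in 'R1BET72W (1.41 )', 'R1BET72W(1.41)', 'R1BET72W (1.37 )') {
    $output = Get-DetectionOutput -SmbiosVersion $sample
    "$sample -> $output"
    Test-CustomCompliance -RulesJson $rulesJson -DetectionJson $output | Format-Table -AutoSize
}
```

Two things this makes visible: if you rename the key in Get-DetectionOutput back to Version, every sample comes out non-compliant with the reason "setting not returned by the script", which is exactly what a SettingName mismatch looks like in the portal; and because a Version DataType compares component by component, 1.41 is greater than 1.5, which matches Lenovo's numbering but would not if you had chosen the Double type.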

Azure AD Group

For our example, we create a Dynamic Group containing Lenovo T14 machines and assign the custom Compliance Policy to it. Follow these steps to create one:

  • Go to Groups
  • Select New Group
  • Enter 'Intune – Lenovo T14 devices' as Group Name, choose Dynamic Device as Membership Type and select Create
  • Open the Group and select Dynamic membership rules
  • Choose Edit in the Rule Syntax pane and use this rule to identify the Lenovo T14:
(device.deviceModel -eq "20UD001AMH")
  • Press Ok and Save

Note that deviceModel holds the exact machine type and model number, so this rule only matches one T14 SKU. Other T14 SKUs need their own value in the rule, or a rule built with the -startsWith or -match operator on device.deviceModel.

Configuring the custom Compliance Policy

You can now add a new Compliance Policy containing the custom settings by following these steps:

  • Go to Devices/Compliance Policies/Policies
  • Select Create Policy
  • Select Windows 10 and later as Platform and select Create
  • Fill in Name and Description and choose Next
  • Select Custom Compliance, set it to Require and select Click to select
  • Select the script that you just uploaded and click on Select
  • Click on Select a file, browse to the location where you saved the JSON file and select it; once selected, the settings from the file are displayed as you configured them (LenovoBiosVersion: GreaterEquals, Version, 1.41)
  • Select Next and configure the actions for non-compliant devices; by default a device is marked non-compliant immediately, so consider a grace period of a few days here if users need time to install the BIOS update before Conditional Access blocks them
  • Select Next and assign the Compliance Policy to the device group containing the Lenovo machines whose BIOS level must be 1.41 or greater, in our example the 'Intune – Lenovo T14 devices' group
  • Select Next and Create to save the custom Compliance policy.

And you're done: you have now created a custom Compliance Policy with a PowerShell detection script. Custom compliance adds your own checks to the built-in compliance evaluation, which matters for Conditional Access policies that have the 'Require device to be marked as compliant' grant control configured, because a failed custom check now blocks access in the same way as a failed built-in check.

Note: More information about Custom Compliance Policies (Formatting the JSON file, script, or limitations) is available here
