├── .gitignore ├── Intune-Plaster-Build ├── templates │ ├── scripts │ │ ├── Wallpaper Scaling │ │ │ ├── Wallpaper Scaling.json │ │ │ └── Wallpaper Scaling.ps1 │ │ ├── OD4B Silent Config │ │ │ ├── OD4B Silent Config.json │ │ │ └── OD4B Silent Config.ps1 │ │ ├── Auto Timezone Config │ │ │ ├── Auto Timezone Config.json │ │ │ └── Auto Timezone Config.ps1 │ │ └── Enable Bitlocker not on 1809 │ │ │ ├── Enable Bitlocker not on 1809.json │ │ │ └── Enable Bitlocker not on 1809.ps1 │ ├── compliance-policies │ │ └── Win10 Basic Compliance.json │ └── config-profiles │ │ ├── Win10 Endpoint Protection.json │ │ ├── Win10 Bitlocker.json │ │ ├── Win10 Corporate Branding.json │ │ └── Win10 Device Restrictions.json └── plasterManifest.xml ├── test.yaml ├── README.md └── capture.ps1 /.gitignore: -------------------------------------------------------------------------------- 1 | EUC-* -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/scripts/Wallpaper Scaling/Wallpaper Scaling.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceManagementScripts/$entity", 3 | "displayName": "Wallpaper Scaling", 4 | "description": "", 5 | "runAsAccount": "system", 6 | "enforceSignatureCheck": false, 7 | "fileName": "Set-WallpaperStyle.ps1", 8 | "runAs32Bit": false 9 | } 10 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/scripts/OD4B Silent Config/OD4B Silent Config.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceManagementScripts/$entity", 3 | "displayName": "OD4B Silent Config", 4 | "description": "", 5 | "runAsAccount": "system", 6 | "enforceSignatureCheck": false, 7 | "fileName": "OD4B_silent_config.ps1", 8 | "runAs32Bit": false 9 | } 10 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/scripts/Auto Timezone Config/Auto Timezone Config.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceManagementScripts/$entity", 3 | "displayName": "Auto Timezone Config", 4 | "description": "", 5 | "runAsAccount": "system", 6 | "enforceSignatureCheck": false, 7 | "fileName": "TimeZone_AutoUpdate.ps1", 8 | "runAs32Bit": true 9 | } 10 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/scripts/Enable Bitlocker not on 1809/Enable Bitlocker not on 1809.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceManagementScripts/$entity", 3 | "displayName": "Enable Bitlocker not on 1809", 4 | "description": "Enable bitlocker for devices on 1803 or lower.", 5 | "runAsAccount": "system", 6 | "enforceSignatureCheck": false, 7 | "fileName": "Enable_BitLocker.ps1", 8 | "runAs32Bit": false 9 | } 10 | -------------------------------------------------------------------------------- /test.yaml: -------------------------------------------------------------------------------- 1 | client: Contoso 2 | tenantDomain: contoso.com 3 | configPolicies: 4 | - bitlocker 5 | - corporateBranding: 6 | - desktopImageUrl: "" 7 | - lockscreenImageUrl: "" 8 | - deviceRestrictions: 9 | - homepageUrl: "https://contoso.com" 10 | - endpointProtection: 11 | - corporateMsgTitle: "Welcome to Contoso!" 12 | - corporateMsgText: "Enter at your own risk..." 13 | compliancePolicies: 14 | - bitlocker 15 | scripts: 16 | - timezone 17 | - bitlocker 18 | - onedrive 19 | - wallpaperFix -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Introduction 2 | TODO: Give a short introduction of your project. Let this section explain the objectives or the motivation behind this project. 3 | 4 | # Getting Started 5 | TODO: Guide users through getting your code up and running on their own system. In this section you can talk about: 6 | 1. Installation process 7 | 2. Software dependencies 8 | 3. Latest releases 9 | 4. API references 10 | 11 | # Build and Test 12 | TODO: Describe and show how to build your code and run the tests. 13 | 14 | # Contribute 15 | TODO: Explain how other users and developers can contribute to make your code better. 16 | 17 | If you want to learn more about creating good readme files then refer the following [guidelines](https://docs.microsoft.com/en-us/azure/devops/repos/git/create-a-readme?view=azure-devops). You can also seek inspiration from the below readme files: 18 | - [ASP.NET Core](https://github.com/aspnet/Home) 19 | - [Visual Studio Code](https://github.com/Microsoft/vscode) 20 | - [Chakra Core](https://github.com/Microsoft/ChakraCore) -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/compliance-policies/Win10 Basic Compliance.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceCompliancePolicies/$entity", 3 | "@odata.type": "#microsoft.graph.windows10CompliancePolicy", 4 | "description": "", 5 | "displayName": "Win10 Basic Compliance", 6 | "passwordRequired": false, 7 | "passwordBlockSimple": false, 8 | "scheduledActionsForRule":[{"ruleName":"BitlockerRequired","scheduledActionConfigurations":[{"actionType":"block","gracePeriodHours":24,"notificationTemplateId":""}]}], 9 | "passwordRequiredToUnlockFromIdle": false, 10 | "passwordMinutesOfInactivityBeforeLock": null, 11 | "passwordExpirationDays": null, 12 | "passwordMinimumLength": null, 13 | "passwordMinimumCharacterSetCount": null, 14 | "passwordRequiredType": "deviceDefault", 15 | "passwordPreviousPasswordBlockCount": null, 16 | "requireHealthyDeviceReport": false, 17 | "osMinimumVersion": null, 18 | "osMaximumVersion": null, 19 | "mobileOsMinimumVersion": null, 20 | "mobileOsMaximumVersion": null, 21 | "earlyLaunchAntiMalwareDriverEnabled": false, 22 | "bitLockerEnabled": true, 23 | "secureBootEnabled": false, 24 | "codeIntegrityEnabled": false, 25 | "storageRequireEncryption": true, 26 | "activeFirewallRequired": false, 27 | "defenderEnabled": true, 28 | "defenderVersion": null, 29 | "signatureOutOfDate": true, 30 | "rtpEnabled": false, 31 | "antivirusRequired": false, 32 | "antiSpywareRequired": false, 33 | "deviceThreatProtectionEnabled": false, 34 | "deviceThreatProtectionRequiredSecurityLevel": "unavailable", 35 | "configurationManagerComplianceRequired": false, 36 | "tpmRequired": false, 37 | "validOperatingSystemBuildRanges": [ 38 | 39 | ] 40 | } 41 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/scripts/Auto Timezone Config/Auto Timezone Config.ps1: -------------------------------------------------------------------------------- 1 | #region Config 2 | $AppName = "Set_AutoDetect_Timezone" 3 | $client = "<%=$PLASTER_PARAM_ClientName%>" 4 | $logPath = "$env:ProgramData\$client\logs" 5 | $logFile = "$logPath\$appName.log" 6 | #endregion 7 | #region Logging 8 | if (!(Test-Path -Path $logPath)) { 9 | New-Item -Path $logPath -ItemType Directory -Force | Out-Null 10 | } 11 | Start-Transcript -Path $logFile -Force 12 | #endregion 13 | #region Main Process 14 | try { 15 | $regKeys = @( 16 | [PSCustomObject]@{ 17 | Path = "HKLM:\System\CurrentControlSet\Services\tzautoupdate" 18 | Name = "Start" 19 | value = "3" 20 | } 21 | ) 22 | foreach ($key in $regKeys) { 23 | Write-Host "Setting Timezone Auto Update in registry.." -ForegroundColor Green 24 | if (!(Test-Path $($key.Path))) { 25 | Write-Host "Registry path not found. Creating now." -ForegroundColor Green 26 | New-Item -Path $($key.Path) -Force | Out-Null 27 | Write-Host "Creating item property." -ForegroundColor Green 28 | New-ItemProperty -Path $($key.Path) -Name $($key.Name) -Value $($key.value) -PropertyType DWORD -Force | Out-Null 29 | } 30 | else { 31 | Write-Host "Registry path found." -ForegroundColor Green 32 | Write-Host "Creating item property." -ForegroundColor Green 33 | New-ItemProperty -Path $($key.Path) -Name $($key.Name) -Value $($key.value) -PropertyType DWORD -Force | Out-Null 34 | } 35 | } 36 | } 37 | catch { 38 | $errorMsg = $_.Exception.Message 39 | } 40 | finally { 41 | if ($errorMsg) { 42 | Write-Warning $errorMsg 43 | Stop-Transcript 44 | throw $errorMsg 45 | } 46 | else { 47 | Write-Host "Script completed successfully.." 48 | Stop-Transcript 49 | } 50 | } 51 | #endregion 52 | -------------------------------------------------------------------------------- /capture.ps1: -------------------------------------------------------------------------------- 1 | [cmdletbinding()] 2 | param ( 3 | [string]$un, 4 | 5 | [string]$pw, 6 | 7 | [string]$tenantId 8 | ) 9 | #region Config 10 | $deviceConfigurationPath = "$PSScriptPath\Intune-Plaster-Build\templates\config-profiles" 11 | $deviceCompliancePath = "$PSScriptPath\Intune-Plaster-Build\templates\compliance-policies" 12 | $deviceScriptPath = "$PSScriptPath\Intune-Plaster-Build\templates\scripts" 13 | #endregion 14 | #region Functions 15 | function Get-UnattendedAuth { 16 | param ( 17 | [Parameter(mandatory = $true)] 18 | [string]$un, 19 | 20 | [Parameter(mandatory = $true)] 21 | [string]$pw, 22 | 23 | [Parameter(mandatory = $true)] 24 | [string]$cid, 25 | 26 | [Parameter(mandatory = $true)] 27 | [string]$resourceURL 28 | , 29 | [Parameter(mandatory = $true)] 30 | [string]$tenantId, 31 | 32 | [Parameter(mandatory = $false)] 33 | [string]$refresh 34 | 35 | ) 36 | if ($refresh) { 37 | $body = @{ 38 | resource = $resourceURL 39 | client_id = $cid 40 | grant_type = "refresh_token" 41 | username = $un 42 | scope = "openid" 43 | password = $pw 44 | refresh_token = $refresh 45 | } 46 | } 47 | else { 48 | $body = @{ 49 | resource = $resourceURL 50 | client_id = $cid 51 | grant_type = "password" 52 | username = $un 53 | scope = "openid" 54 | password = $pw 55 | } 56 | } 57 | $response = Invoke-RestMethod -Method post -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" -Body $body 58 | return $response 59 | } 60 | Function Get-DeviceManagementPolicy { 61 | [cmdletbinding()] 62 | param 63 | ( 64 | [Parameter(Mandatory = $false)] 65 | $authToken = $authheader, 66 | 67 | [Parameter(Mandatory)] 68 | [ValidateSet('Configuration', 'Compliance', 'Script')] 69 | [string]$managementType 70 | 71 | ) 72 | switch ($managementType) { 73 | "Configuration" { 74 | $graphEndpoint = "deviceManagement/deviceConfigurations" 75 | break 76 | } 77 | "Compliance" { 78 | $graphEndpoint = "deviceManagement/deviceCompliancePolicies" 79 | break 80 | } 81 | "Script" { 82 | $graphEndpoint = "deviceManagement/deviceManagementScripts" 83 | break 84 | } 85 | } 86 | $graphApiVersion = "Beta" 87 | Write-Verbose "Resource: $graphEndpoint" 88 | $uri = "https://graph.microsoft.com/$graphApiVersion/$($graphEndpoint)" 89 | try { 90 | if ($managementType -eq "Script") { 91 | $response = @() 92 | $tmpRes = Invoke-RestMethod -Method Get -Uri $uri -Headers $authToken -ContentType "application/json" | select-object value -ExpandProperty value 93 | foreach ($x in $tmpRes) { 94 | $response += Invoke-RestMethod -Method Get -Uri "https://graph.microsoft.com/$graphApiVersion/$($graphEndpoint)/$($x.id)" -Headers $authToken -ContentType "application/json" 95 | } 96 | return $response 97 | } 98 | else { 99 | $response = Invoke-RestMethod -Method Get -Uri $uri -Headers $authToken -ContentType "application/json" | select-object value -ExpandProperty value 100 | if ($response) { 101 | Write-Host "Found $($response.count) objects" 102 | return $response 103 | } 104 | else { 105 | throw "Nothing returned.." 106 | } 107 | } 108 | } 109 | catch { 110 | $ex = $_.Exception 111 | Write-Warning $ex 112 | break 113 | } 114 | } 115 | #endregion 116 | #region Unattended Authentication 117 | $global:authParams = @{ 118 | un = $un 119 | pw = $pw 120 | tenantId = $tenantId 121 | resource = "https://graph.microsoft.com" 122 | cId = "d1ddf0e4-d672-4dae-b554-9d5bdfd93547" 123 | } 124 | $global:authToken = Get-UnattendedAuth @authParams 125 | $authHeader = @{ } 126 | $authHeader.Authorization = "$($authToken.token_type) $($authToken.access_token)" 127 | #endregion 128 | $deviceConfiguration = Get-DeviceManagementPolicy -authToken $authHeader -managementType Configuration | Select-Object * -ExcludeProperty value 129 | $deviceCompliance = Get-DeviceManagementPolicy -authToken $authHeader -managementType Compliance | Select-Object * -ExcludeProperty value 130 | $scripts = Get-DeviceManagementPolicy -authToken $authHeader -managementType Script | Select-Object * -ExcludeProperty value 131 | 132 | foreach ($d in $deviceConfiguration) { 133 | $d | Select-Object * -ExcludeProperty id, lastModifiedDateTime, roleScopeTagIds, supportsScopeTags, createdDateTime, version | ConvertTo-Json -Depth 100 | Out-File -FilePath "$configPath\$($d.displayName)`.json" -Encoding ascii -Force 134 | } 135 | 136 | foreach ($d in $deviceCompliance) { 137 | $d | Select-Object * -ExcludeProperty id, lastModifiedDateTime, roleScopeTagIds, supportsScopeTags, createdDateTime, version | ConvertTo-Json -Depth 100 | Out-File -FilePath "$compPath\$($d.displayName)`.json" -Encoding ascii -Force 138 | } 139 | foreach ($d in $scripts) { 140 | $tmpJson = $d | select-object '@odata.context', displayName, description, runAsAccount, enforceSignatureCheck, fileName, runAs32Bit; 141 | New-Item "$scriptPath\$($d.DisplayName)" -ItemType Directory -Force | Out-Null; 142 | $tmpJson | ConvertTo-Json -Depth 100 | Out-File -FilePath "$scriptPath\$($d.displayName)\$($d.displayName)`.json" -Encoding ascii -Force; 143 | [System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String("$($d.scriptContent)")) | Out-File -FilePath "$scriptPath\$($d.displayName)\$($d.displayName)`.ps1" -Encoding ascii -Force; 144 | } -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/scripts/Enable Bitlocker not on 1809/Enable Bitlocker not on 1809.ps1: -------------------------------------------------------------------------------- 1 | [cmdletbinding()] 2 | param( 3 | [Parameter()] 4 | [ValidateNotNullOrEmpty()] 5 | [string] $OSDrive = $env:SystemDrive 6 | ) 7 | #region Config 8 | $targetVer = 17134 9 | $osVer = (Get-WmiObject -Class Win32_OperatingSystem).BuildNumber 10 | $client = "<%=$PLASTER_PARAM_ClientName%>" 11 | $logPath = "$ENV:ProgramData\$($client)\Logs" 12 | $logFile = "$logPath\Bitlocker.log" 13 | #endregion 14 | #region Logging 15 | if (!(Test-Path -Path $logPath)) { 16 | new-item -Path "$LogPath" -ItemType Directory -Force 17 | } 18 | Start-Transcript -Path "$logFile" -Force 19 | #endregion 20 | #region Main Process 21 | Write-Host "Beginning Bitlocker configuration" -ForegroundColor Green 22 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 23 | try { 24 | if ($osVer -gt $targetVer) { 25 | $skipRun = $true 26 | Throw "OS Version: $OSVer is higher than maximum target version: $targetVer`. We should be able to have bitlocker configured via Intune configuration policies, Skip set to: $skipRun" 27 | } 28 | $bdeProtect = Get-BitLockerVolume $OSDrive | Select-Object -Property VolumeStatus, ProtectionStatus 29 | if ($bdeProtect.VolumeStatus -eq "FullyDecrypted") { 30 | Write-Host "$OSDrive not currently encrypted. Will now attempt to encrypt" -ForegroundColor Green 31 | # Enable Bitlocker using TPM 32 | Enable-BitLocker -MountPoint $OSDrive -TpmProtector -ErrorAction SilentlyContinue 33 | Enable-BitLocker -MountPoint $OSDrive -RecoveryPasswordProtector 34 | 35 | } 36 | else { 37 | if (($bdeProtect.VolumeStatus -eq "FullyEncrypted") -and ($bdeProtect.ProtectionStatus -eq "Off")){ 38 | Write-Host "$OSDrive is currently encrypted, however we may not have the key. So we will decrypt and start again." -ForegroundColor Yellow 39 | Disable-BitLocker -MountPoint $OSDrive 40 | while ($(Get-BitLockerVolume).EncryptionPercentage -ne 0) { 41 | Write-Host "Waiting for Bitlocker decryption to complete" 42 | Start-Sleep -Seconds 2 43 | } 44 | Write-Host "Bitlocker turned off. Now starting again." 45 | Enable-BitLocker -MountPoint $OSDrive -TpmProtector -ErrorAction SilentlyContinue 46 | Enable-BitLocker -MountPoint $OSDrive -RecoveryPasswordProtector 47 | } 48 | } 49 | if ((Get-BitLockerVolume -MountPoint $OSDrive).KeyProtector) { 50 | Write-Host "Encryption key found. Will store in log folder." -ForegroundColor Green 51 | New-Item -ItemType Directory -Force -Path "$logPath" | out-null 52 | (Get-BitLockerVolume -MountPoint $OSDrive).KeyProtector | Out-File "$logPath\$($env:computername)_BitlockerRecoveryPassword.txt" 53 | } 54 | else { 55 | Write-Host "No bitlocker key found. Will error out" -ForegroundColor Red 56 | throw 57 | } 58 | Write-Host "Check if we can use BackupToAAD-BitLockerKeyProtector commandlet" -ForegroundColor Green 59 | $cmdName = "BackupToAAD-BitLockerKeyProtector" 60 | if (Get-Command $cmdName -ErrorAction SilentlyContinue) { 61 | Write-Host "BackupToAAD-BitLockerKeyProtector commandlet exists" -ForegroundColor Green 62 | $BLV = Get-BitLockerVolume -MountPoint $OSDrive | Select-Object * 63 | BackupToAAD-BitLockerKeyProtector -MountPoint $OSDrive -KeyProtectorId $BLV.KeyProtector[1].KeyProtectorId 64 | } 65 | else { 66 | 67 | Write-Host "BackupToAAD-BitLockerKeyProtector commandlet not available, using other mechanism" -ForegroundColor Green 68 | Write-Host "Get the AAD Machine Certificate" -ForegroundColor Green 69 | $cert = Get-ChildItem Cert:\LocalMachine\My\ | Where-Object { $_.Issuer -match "CN=MS-Organization-Access" } 70 | 71 | Write-Host "Obtain the AAD Device ID from the certificate" -ForegroundColor Green 72 | $id = $cert.Subject.Replace("CN=", "") 73 | 74 | Write-Host "Get the tenant name from the registry" -ForegroundColor Green 75 | $tenant = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo\$($id)).UserEmail.Split('@')[1] 76 | 77 | Write-Host "Generate the body to send to AAD containing the recovery information" -ForegroundColor Green 78 | Write-Host "Get the BitLocker key information from WMI" -ForegroundColor Green 79 | (Get-BitLockerVolume -MountPoint $OSDrive).KeyProtector | Where-Object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ForEach-Object { 80 | $key = $_ 81 | write-verbose "kid : $($key.KeyProtectorId) key: $($key.RecoveryPassword)" 82 | $body = "{""key"":""$($key.RecoveryPassword)"",""kid"":""$($key.KeyProtectorId.replace('{','').Replace('}',''))"",""vol"":""OSV""}" 83 | 84 | Write-Host "Create the URL to post the data to based on the tenant and device information" -ForegroundColor Green 85 | $url = "https://enterpriseregistration.windows.net/manage/$tenant/device/$($id)?api-version=1.0" 86 | 87 | Write-Host "Post the data to the URL and sign it with the AAD Machine Certificate" -ForegroundColor Green 88 | $req = Invoke-WebRequest -Uri $url -Body $body -UseBasicParsing -Method Post -UseDefaultCredentials -Certificate $cert 89 | $req.RawContent 90 | } 91 | } 92 | #> 93 | 94 | } 95 | catch { 96 | if ($skipRun = $true) { 97 | Write-Host "OS Version is higher than 1803 and should be able to have bitlocker configured via Intune configuration policies, thus we will skip this script." 98 | } 99 | else { 100 | $errorMsg = "Error while setting up AAD Bitlocker, make sure that you are AAD joined and are running the cmdlet as an admin: $_" 101 | } 102 | } 103 | finally { 104 | if ($erroMsg) { 105 | Write-Warning $errorMsg 106 | Stop-Transcript 107 | Throw $errorMsg 108 | } 109 | else { 110 | Write-Host "Script completed successfully" 111 | Stop-Transcript 112 | } 113 | } 114 | #endregion 115 | 116 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/plasterManifest.xml: -------------------------------------------------------------------------------- 1 | 2 | 4 | 5 | Intune-Plaster-Build 6 | 6c5e7287-17ea-4e8b-a1be-203460ddc557 7 | 0.9 8 | Intune Plaster-Build 9 | 10 | Ben Reader 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | building from modules... 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/scripts/Wallpaper Scaling/Wallpaper Scaling.ps1: -------------------------------------------------------------------------------- 1 | #region Config 2 | $AppName = "Set-WallpaperStyle" 3 | $client = "<%=$PLASTER_PARAM_ClientName%>" 4 | $logPath = "$env:ProgramData\$client\logs" 5 | $logFile = "$logPath\$appName.log" 6 | #endregion 7 | #region Functions 8 | function Set-ComputerRegistryValues { 9 | param ( 10 | [Parameter(Mandatory = $true)] 11 | [array]$RegistryInstance 12 | ) 13 | try { 14 | foreach ($key in $RegistryInstance) { 15 | $keyPath = "HKLM:\$($key.Path)" 16 | if (!(Test-Path $keyPath)) { 17 | Write-Host "Registry path : $keyPath not found. Creating now." -ForegroundColor Green 18 | New-Item -Path $key.Path -Force | Out-Null 19 | Write-Host "Creating item property: $($key.Name)" -ForegroundColor Green 20 | New-ItemProperty -Path $keyPath -Name $key.Name -Value $key.Value -PropertyType $key.Type -Force 21 | } 22 | else { 23 | Write-Host "Creating item property: $($key.Name)" -ForegroundColor Green 24 | New-ItemProperty -Path $keyPath -Name $key.Name -Value $key.Value -PropertyType $key.Type -Force 25 | } 26 | } 27 | } 28 | catch { 29 | Throw $_.Exception.Message 30 | } 31 | } 32 | function Set-RegistryValueForAllUsers { 33 | <# 34 | .SYNOPSIS 35 | This function uses Active Setup to create a "seeder" key which creates or modifies a user-based registry value 36 | for all users on a computer. If the key path doesn't exist to the value, it will automatically create the key and add the value. 37 | .EXAMPLE 38 | PS> Set-RegistryValueForAllUsers -RegistryInstance @{'Name' = 'Setting'; 'Type' = 'String'; 'Value' = 'someval'; 'Path' = 'SOFTWARE\Microsoft\Windows\Something'} 39 | This example would modify the string registry value 'Type' in the path 'SOFTWARE\Microsoft\Windows\Something' to 'someval' 40 | for every user registry hive. 41 | .PARAMETER RegistryInstance 42 | A hash table containing key names of 'Name' designating the registry value name, 'Type' to designate the type 43 | of registry value which can be 'String,Binary,Dword,ExpandString or MultiString', 'Value' which is the value itself of the 44 | registry value and 'Path' designating the parent registry key the registry value is in. 45 | #> 46 | [CmdletBinding()] 47 | param ( 48 | [Parameter(Mandatory = $true)] 49 | [array]$RegistryInstance 50 | ) 51 | try { 52 | New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null 53 | 54 | ## Change the registry values for the currently logged on user. Each logged on user SID is under HKEY_USERS 55 | $LoggedOnSids = $(Get-ChildItem HKU: | Where-Object { $_.Name -match 'S-\d-\d+-(\d+-){1,14}\d+$' } | foreach-object { $_.Name }) 56 | Write-Verbose "Found $($LoggedOnSids.Count) logged on user SIDs" 57 | foreach ($sid in $LoggedOnSids) { 58 | Write-Host "Loading the user registry hive for the logged on SID $sid" -ForegroundColor Green 59 | foreach ($instance in $RegistryInstance) { 60 | ## Create the key path if it doesn't exist 61 | if (!(Test-Path "HKU:\$sid\$($instance.Path)")) { 62 | New-Item -Path "HKU:\$sid\$($instance.Path | Split-Path -Parent)" -Name ($instance.Path | Split-Path -Leaf) -Force 63 | } 64 | ## Create (or modify) the value specified in the param 65 | Set-ItemProperty -Path "HKU:\$sid\$($instance.Path)" -Name $instance.Name -Value $instance.Value -Type $instance.Type -Force 66 | } 67 | } 68 | 69 | ## Create the Active Setup registry key so that the reg add cmd will get ran for each user 70 | ## logging into the machine. 71 | ## http://www.itninja.com/blog/view/an-active-setup-primer 72 | Write-Host "Setting Active Setup registry value to apply to all other users" -ForegroundColor Green 73 | foreach ($instance in $RegistryInstance) { 74 | ## Generate a unique value (usually a GUID) to use for Active Setup 75 | $Guid = $instance.Guid 76 | $ActiveSetupRegParentPath = 'HKLM:\Software\Microsoft\Active Setup\Installed Components' 77 | ## Create the GUID registry key under the Active Setup key 78 | $ActiveSetupRegPath = "HKLM:\Software\Microsoft\Active Setup\Installed Components\$Guid" 79 | if (!(Test-Path -Path "$ActiveSetupRegPath")) { 80 | New-Item -Path $ActiveSetupRegParentPath -Name $Guid -Force 81 | } 82 | Write-Verbose "Using registry path '$ActiveSetupRegPath'" 83 | ## Convert the registry value type to one that reg.exe can understand. This will be the 84 | ## type of value that's created for the value we want to set for all users 85 | switch ($instance.Type) { 86 | 'String' { 87 | $RegValueType = 'REG_SZ' 88 | } 89 | 'Dword' { 90 | $RegValueType = 'REG_DWORD' 91 | } 92 | 'Binary' { 93 | $RegValueType = 'REG_BINARY' 94 | } 95 | 'ExpandString' { 96 | $RegValueType = 'REG_EXPAND_SZ' 97 | } 98 | 'MultiString' { 99 | $RegValueType = 'REG_MULTI_SZ' 100 | } 101 | default { 102 | throw "Registry type '$($instance.Type)' not recognized" 103 | } 104 | } 105 | 106 | ## Build the registry value to use for Active Setup which is the command to create the registry value in all user hives 107 | $ActiveSetupValue = "reg add `"{0}`" /v {1} /t {2} /d {3} /f" -f "HKCU\$($instance.Path)", $instance.Name, $RegValueType, $instance.Value 108 | Write-Verbose -Message "Active setup value is '$ActiveSetupValue'" 109 | ## Create the necessary Active Setup registry values 110 | Set-ItemProperty -Path $ActiveSetupRegPath -Name '(Default)' -Value 'Active Setup Test' -Force 111 | Set-ItemProperty -Path $ActiveSetupRegPath -Name 'Version' -Value '1' -Force 112 | Set-ItemProperty -Path $ActiveSetupRegPath -Name 'StubPath' -Value $ActiveSetupValue -Force 113 | } 114 | } 115 | catch { 116 | Throw -Message $_.Exception.Message 117 | } 118 | } 119 | #endregion 120 | #region Logging 121 | if (!(Test-Path -Path $logPath)) { 122 | New-Item -Path $logPath -ItemType Directory -Force | Out-Null 123 | } 124 | $errorOccurred = $false 125 | Start-Transcript -Path $logFile -ErrorAction SilentlyContinue -Force 126 | #endregion 127 | #region Keys 128 | $hklmKeys = $null 129 | 130 | $hkcuKeys = @( 131 | [PSCustomObject]@{ 132 | Guid = "{687af3cf-7032-424a-8e5a-7ab17ee08a38}" #set a random guid for each property 133 | Name = "WallpaperStyle" 134 | Type = "String" #String, ExpandString, Binary, DWord, MultiString, QWord, Unknown 135 | Value = "6" 136 | Path = "Control Panel\Desktop" 137 | } 138 | ) 139 | #endregion 140 | #region Process 141 | try { 142 | if ($hklmKeys) { 143 | Write-Host "Seting HKLM registry keys.." -ForegroundColor Green 144 | Set-ComputerRegistryValues -RegistryInstance $hklmKeys 145 | Write-Host "========" 146 | } 147 | if ($hkcuKeys) { 148 | Write-Host "Seting HKCU registry keys.." -ForegroundColor Green 149 | Set-RegistryValueForAllUsers -RegistryInstance $hkcuKeys 150 | Write-Host "========" 151 | } 152 | } 153 | catch { 154 | $errorOccurred = $true 155 | throw $_.Exception.Message 156 | } 157 | finally { 158 | if (!($errorOccurred)) { 159 | Write-Host "Configuration completed successfully." 160 | } 161 | Stop-Transcript -ErrorAction SilentlyContinue 162 | } 163 | if (!($errorOccurred)) { 164 | Write-Host "Configuration completed successfully." 165 | } 166 | #endregion 167 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/scripts/OD4B Silent Config/OD4B Silent Config.ps1: -------------------------------------------------------------------------------- 1 | #region Config 2 | $client = "<%=$PLASTER_PARAM_ClientName%>" 3 | $appName = "OD4B_SilentConfig" 4 | $scriptsPath = "$env:ProgramData\$client\Scripts" 5 | $clientFQDN = "<%=$PLASTER_PARAM_ClientDomain%>" 6 | $logPath = "`$env:ProgramData\`$client\logs" 7 | #endregion 8 | #region Env config 9 | if (!(Test-Path $scriptsPath)) { 10 | New-Item -Path $scriptsPath -ItemType Directory -Force | Out-Null 11 | } 12 | #endregion 13 | #region Main Process 14 | $mainScript = @" 15 | #region Config 16 | `$AppName = "OneDriveConfig-EnableAutoConfig" 17 | `$client = "$client" 18 | `$clientFQDN = "$clientFQDN" 19 | `$logPath = "$logPath" 20 | `$logFile = "`$logPath\`$appName.log" 21 | #endregion 22 | #region Functions 23 | function Set-RegistryValueForAllUsers { 24 | <# 25 | .SYNOPSIS 26 | This function uses Active Setup to create a "seeder" key which creates or modifies a user-based registry value 27 | for all users on a computer. If the key path doesn't exist to the value, it will automatically create the key and add the value. 28 | .EXAMPLE 29 | PS> Set-RegistryValueForAllUsers -RegistryInstance @{'Name' = 'Setting'; 'Type' = 'String'; 'Value' = 'someval'; 'Path' = 'SOFTWARE\Microsoft\Windows\Something'} 30 | This example would modify the string registry value 'Type' in the path 'SOFTWARE\Microsoft\Windows\Something' to 'someval' 31 | for every user registry hive. 32 | .PARAMETER RegistryInstance 33 | A hash table containing key names of 'Name' designating the registry value name, 'Type' to designate the type 34 | of registry value which can be 'String,Binary,Dword,ExpandString or MultiString', 'Value' which is the value itself of the 35 | registry value and 'Path' designating the parent registry key the registry value is in. 36 | #> 37 | [CmdletBinding()] 38 | param ( 39 | [Parameter(Mandatory = `$true)] 40 | [hashtable[]]`$RegistryInstance 41 | ) 42 | try { 43 | New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null 44 | 45 | ## Change the registry values for the currently logged on user. Each logged on user SID is under HKEY_USERS 46 | `$LoggedOnSids = `$(Get-ChildItem HKU: | Where-Object { `$_.Name -match 'S-\d-\d+-(\d+-){1,14}\d+`$' } | foreach-object { `$_.Name }) 47 | Write-Verbose "Found `$(`$LoggedOnSids.Count) logged on user SIDs" 48 | foreach (`$sid in `$LoggedOnSids) { 49 | Write-Verbose -Message "Loading the user registry hive for the logged on SID `$sid" 50 | foreach (`$instance in `$RegistryInstance) { 51 | ## Create the key path if it doesn't exist 52 | if (!(Test-Path "HKU:\`$sid\`$(`$instance.Path)")) { 53 | New-Item -Path "HKU:\`$sid\`$(`$instance.Path | Split-Path -Parent)" -Name (`$instance.Path | Split-Path -Leaf) -Force | Out-Null 54 | } 55 | ## Create (or modify) the value specified in the param 56 | Set-ItemProperty -Path "HKU:\`$sid\`$(`$instance.Path)" -Name `$instance.Name -Value `$instance.Value -Type `$instance.Type -Force 57 | } 58 | } 59 | 60 | ## Create the Active Setup registry key so that the reg add cmd will get ran for each user 61 | ## logging into the machine. 62 | ## http://www.itninja.com/blog/view/an-active-setup-primer 63 | Write-Verbose "Setting Active Setup registry value to apply to all other users" 64 | foreach (`$instance in `$RegistryInstance) { 65 | ## Generate a unique value (usually a GUID) to use for Active Setup 66 | `$Guid = `$instance.Guid 67 | `$ActiveSetupRegParentPath = 'HKLM:\Software\Microsoft\Active Setup\Installed Components' 68 | ## Create the GUID registry key under the Active Setup key 69 | `$ActiveSetupRegPath = "HKLM:\Software\Microsoft\Active Setup\Installed Components\`$Guid" 70 | if (!(Test-Path -Path "`$ActiveSetupRegPath")) { 71 | New-Item -Path `$ActiveSetupRegParentPath -Name `$Guid -Force | Out-Null 72 | } 73 | Write-Verbose "Using registry path '`$ActiveSetupRegPath'" 74 | ## Convert the registry value type to one that reg.exe can understand. This will be the 75 | ## type of value that's created for the value we want to set for all users 76 | switch (`$instance.Type) { 77 | 'String' { 78 | `$RegValueType = 'REG_SZ' 79 | } 80 | 'Dword' { 81 | `$RegValueType = 'REG_DWORD' 82 | } 83 | 'Binary' { 84 | `$RegValueType = 'REG_BINARY' 85 | } 86 | 'ExpandString' { 87 | `$RegValueType = 'REG_EXPAND_SZ' 88 | } 89 | 'MultiString' { 90 | `$RegValueType = 'REG_MULTI_SZ' 91 | } 92 | default { 93 | throw "Registry type '`$(`$instance.Type)' not recognized" 94 | } 95 | } 96 | 97 | ## Build the registry value to use for Active Setup which is the command to create the registry value in all user hives 98 | `$ActiveSetupValue = 'reg add "{0}" /v {1} /t {2} /d {3} /f' -f "HKCU\`$(`$instance.Path)", `$instance.Name, `$RegValueType, `$instance.Value 99 | Write-Verbose -Message "Active setup value is '`$ActiveSetupValue'" 100 | ## Create the necessary Active Setup registry values 101 | Set-ItemProperty -Path `$ActiveSetupRegPath -Name '(Default)' -Value 'Active Setup Test' -Force 102 | Set-ItemProperty -Path `$ActiveSetupRegPath -Name 'Version' -Value '1' -Force 103 | Set-ItemProperty -Path `$ActiveSetupRegPath -Name 'StubPath' -Value `$ActiveSetupValue -Force 104 | } 105 | } 106 | catch { 107 | Throw -Message `$_.Exception.Message 108 | } 109 | } 110 | function Get-TenantIdFromDomain { 111 | param ( 112 | [Parameter(Mandatory = `$true)] 113 | [string]`$FQDN 114 | ) 115 | try { 116 | `$uri = "https://login.microsoftonline.com/`$(`$FQDN)/.well-known/openid-configuration" 117 | `$rest = Invoke-RestMethod -Method Get -UseBasicParsing -Uri `$uri 118 | if (`$rest.authorization_endpoint) { 119 | `$result = `$((`$rest.authorization_endpoint | Select-String '\w{8}-\w{4}-\w{4}-\w{4}-\w{12}').Matches.Value) 120 | if (`$result -match '\w{8}-\w{4}-\w{4}-\w{4}-\w{12}') { 121 | return `$result 122 | } 123 | else { 124 | throw "Tenant ID not found." 125 | } 126 | } 127 | else { 128 | throw "Tenant ID not found." 129 | } 130 | } 131 | catch { 132 | throw `$_.Exception.Message 133 | } 134 | } 135 | #endregion 136 | #region Logging 137 | if (!(Test-Path -Path `$logPath)) { 138 | New-Item -Path `$logPath -ItemType Directory -Force | Out-Null 139 | } 140 | Start-Transcript -Path `$logFile -ErrorAction SilentlyContinue -Force 141 | #endregion 142 | #region Main 143 | try { 144 | #region Check for Office Installation 145 | if ((!(Get-Process -Name "OfficeClickToRun" -ErrorAction SilentlyContinue)) -or (Get-CimInstance Win32_Process -Filter "name = 'OfficeClickToRun.exe'" | Where-Object {`$_.CommandLine -ne '"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service'})) { 146 | #office setup is probably running, or office hasn't been installed yet.. let's drop out and try again in a few minutes.. 147 | throw "Office 365 is installing or hasnt started installing - we will end this script and try again in a few minutes." 148 | } 149 | #endregion 150 | #region System Registry 151 | `$tenantId = Get-TenantIdFromDomain -FQDN `$clientFQDN 152 | `$regKeys = @( 153 | [PSCustomObject]@{ 154 | Name = "KFMBlockOptOut" 155 | Type = "DWORD" 156 | Value = "1" 157 | Path = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" 158 | } 159 | [PSCustomObject]@{ 160 | Name = "SilentAccountConfig" 161 | Type = "DWORD" 162 | Value = "1" 163 | Path = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" 164 | } 165 | [PSCustomObject]@{ 166 | Name = "FilesOnDemandEnabled" 167 | Type = "DWORD" 168 | Value = "1" 169 | Path = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" 170 | } 171 | [PSCustomObject]@{ 172 | Name = "KFMOptInWithWizard" 173 | Type = "ExpandString" 174 | Value = `$tenantId 175 | Path = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" 176 | } 177 | [PSCustomObject]@{ 178 | Name = "KFMSilentOptIn" 179 | Type = "ExpandString" 180 | Value = `$tenantId 181 | Path = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" 182 | } 183 | [PSCustomObject]@{ 184 | Name = "KFMSilentOptInWithNotification" 185 | Type = "DWORD" 186 | Value = "0" 187 | Path = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive" 188 | } 189 | ) 190 | foreach (`$key in `$regKeys) { 191 | if (!(Test-Path `$key.Path)) { 192 | Write-Host "Registry path : `$(`$key.Path) not found. Creating now." -ForegroundColor Green 193 | New-Item -Path `$key.Path -Force | Out-Null 194 | Write-Host "Creating item property: `$(`$key.Name)" -ForegroundColor Green 195 | New-ItemProperty -Path `$key.Path -Name `$key.Name -Value `$key.Value -PropertyType `$key.Type -Force | Out-Null 196 | } 197 | else { 198 | Write-Host "Creating item property: `$(`$key.Name)" -ForegroundColor Green 199 | New-ItemProperty -Path `$key.Path -Name `$key.Name -Value `$key.Value -PropertyType `$key.Type -Force | Out-Null 200 | } 201 | } 202 | #endregion 203 | #region User Registry 204 | `$regKeys = @{ 205 | Guid = "{2F8FA12D-1C5E-483C-AA41-CEF357ADF6F6}" 206 | Name = "EnableADAL" 207 | Type = "DWORD" 208 | Value = "1" 209 | Path = "SOFTWARE\Microsoft\OneDrive" 210 | } 211 | Write-Host "OneDrive - Enabling ADAL" -ForegroundColor Green 212 | Set-RegistryValueForAllUsers -RegistryInstance `$regKeys -Verbose 213 | #endregion 214 | } 215 | catch { 216 | `$errorMsg = `$_.Exception.Message 217 | } 218 | finally { 219 | if (`$errorMsg) { 220 | Write-Warning `$errorMsg 221 | Stop-Transcript 222 | Throw `$errorMsg 223 | } 224 | else { 225 | Write-Host "script completed successfully.." 226 | Unregister-ScheduledTask -TaskName "$appName" -Confirm:`$false 227 | Stop-Transcript 228 | Remove-Item `$MyInvocation.InvocationName -Force 229 | } 230 | } 231 | #endregion 232 | "@ 233 | out-file -FilePath "$scriptsPath\$appName.ps1" -Encoding unicode -Force -InputObject $mainScript 234 | #endregion 235 | #region Scheduled Task Creation 236 | $Time = New-ScheduledTaskTrigger ` 237 | -Once ` 238 | -At (Get-Date) ` 239 | -RepetitionInterval (New-TimeSpan -Minutes 1) ` 240 | -RepetitionDuration (New-TimeSpan -Days (365 * 20)) 241 | $User = "SYSTEM" 242 | $Action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-ex bypass -file `"$scriptsPath\$appName.ps1`"" 243 | Register-ScheduledTask -TaskName "$appName" -Trigger $Time -User $User -Action $Action -Force 244 | #endregion 245 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/config-profiles/Win10 Endpoint Protection.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceConfigurations/$entity", 3 | "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration", 4 | "description": "Win10 Endpoint Protection", 5 | "displayName": "Win10 Endpoint Protection", 6 | "dmaGuardDeviceEnumerationPolicy": "deviceDefault", 7 | "userRightsAccessCredentialManagerAsTrustedCaller": null, 8 | "userRightsAllowAccessFromNetwork": null, 9 | "userRightsBlockAccessFromNetwork": null, 10 | "userRightsActAsPartOfTheOperatingSystem": null, 11 | "userRightsLocalLogOn": null, 12 | "userRightsBackupData": null, 13 | "userRightsChangeSystemTime": null, 14 | "userRightsCreateGlobalObjects": null, 15 | "userRightsCreatePageFile": null, 16 | "userRightsCreatePermanentSharedObjects": null, 17 | "userRightsCreateSymbolicLinks": null, 18 | "userRightsCreateToken": null, 19 | "userRightsDebugPrograms": null, 20 | "userRightsRemoteDesktopServicesLogOn": null, 21 | "userRightsDelegation": null, 22 | "userRightsGenerateSecurityAudits": null, 23 | "userRightsImpersonateClient": null, 24 | "userRightsIncreaseSchedulingPriority": null, 25 | "userRightsLoadUnloadDrivers": null, 26 | "userRightsLockMemory": null, 27 | "userRightsManageAuditingAndSecurityLogs": null, 28 | "userRightsManageVolumes": null, 29 | "userRightsModifyFirmwareEnvironment": null, 30 | "userRightsModifyObjectLabels": null, 31 | "userRightsProfileSingleProcess": null, 32 | "userRightsRemoteShutdown": null, 33 | "userRightsRestoreData": null, 34 | "userRightsTakeOwnership": null, 35 | "userRightsRegisterProcessAsService": null, 36 | "xboxServicesEnableXboxGameSaveTask": false, 37 | "xboxServicesAccessoryManagementServiceStartupMode": "disabled", 38 | "xboxServicesLiveAuthManagerServiceStartupMode": "disabled", 39 | "xboxServicesLiveGameSaveServiceStartupMode": "disabled", 40 | "xboxServicesLiveNetworkingServiceStartupMode": "disabled", 41 | "localSecurityOptionsBlockMicrosoftAccounts": true, 42 | "localSecurityOptionsBlockRemoteLogonWithBlankPassword": false, 43 | "localSecurityOptionsDisableAdministratorAccount": false, 44 | "localSecurityOptionsAdministratorAccountName": null, 45 | "localSecurityOptionsDisableGuestAccount": false, 46 | "localSecurityOptionsGuestAccountName": null, 47 | "localSecurityOptionsAllowUndockWithoutHavingToLogon": true, 48 | "localSecurityOptionsBlockUsersInstallingPrinterDrivers": false, 49 | "localSecurityOptionsBlockRemoteOpticalDriveAccess": false, 50 | "localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser": "administrators", 51 | "localSecurityOptionsMachineInactivityLimit": 15, 52 | "localSecurityOptionsMachineInactivityLimitInMinutes": 15, 53 | "localSecurityOptionsDoNotRequireCtrlAltDel": false, 54 | "localSecurityOptionsHideLastSignedInUser": false, 55 | "localSecurityOptionsHideUsernameAtSignIn": false, 56 | "localSecurityOptionsLogOnMessageTitle": "<%=$PLASTER_PARAM_corporateMsgTitle%>", 57 | "localSecurityOptionsLogOnMessageText": "<%=$PLASTER_PARAM_corporateMsgText%>", 58 | "localSecurityOptionsAllowPKU2UAuthenticationRequests": false, 59 | "localSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool": false, 60 | "localSecurityOptionsAllowRemoteCallsToSecurityAccountsManager": null, 61 | "localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients": "none", 62 | "localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers": "none", 63 | "lanManagerAuthenticationLevel": "lmAndNltm", 64 | "lanManagerWorkstationDisableInsecureGuestLogons": false, 65 | "localSecurityOptionsClearVirtualMemoryPageFile": false, 66 | "localSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn": false, 67 | "localSecurityOptionsAllowUIAccessApplicationElevation": false, 68 | "localSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations": false, 69 | "localSecurityOptionsOnlyElevateSignedExecutables": false, 70 | "localSecurityOptionsAdministratorElevationPromptBehavior": "notConfigured", 71 | "localSecurityOptionsStandardUserElevationPromptBehavior": "notConfigured", 72 | "localSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation": false, 73 | "localSecurityOptionsDetectApplicationInstallationsAndPromptForElevation": false, 74 | "localSecurityOptionsAllowUIAccessApplicationsForSecureLocations": false, 75 | "localSecurityOptionsUseAdminApprovalMode": false, 76 | "localSecurityOptionsUseAdminApprovalModeForAdministrators": false, 77 | "localSecurityOptionsInformationShownOnLockScreen": "userDisplayNameOnly", 78 | "localSecurityOptionsInformationDisplayedOnLockScreen": "administratorsAndPowerUsers", 79 | "localSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees": false, 80 | "localSecurityOptionsClientDigitallySignCommunicationsAlways": false, 81 | "localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers": false, 82 | "localSecurityOptionsDisableServerDigitallySignCommunicationsAlways": false, 83 | "localSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees": false, 84 | "localSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares": false, 85 | "localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts": false, 86 | "localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares": false, 87 | "localSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange": false, 88 | "localSecurityOptionsSmartCardRemovalBehavior": "lockWorkstation", 89 | "defenderSecurityCenterDisableAppBrowserUI": false, 90 | "defenderSecurityCenterDisableFamilyUI": false, 91 | "defenderSecurityCenterDisableHealthUI": false, 92 | "defenderSecurityCenterDisableNetworkUI": false, 93 | "defenderSecurityCenterDisableVirusUI": false, 94 | "defenderSecurityCenterDisableAccountUI": false, 95 | "defenderSecurityCenterDisableClearTpmUI": false, 96 | "defenderSecurityCenterDisableHardwareUI": false, 97 | "defenderSecurityCenterDisableNotificationAreaUI": false, 98 | "defenderSecurityCenterDisableRansomwareUI": false, 99 | "defenderSecurityCenterDisableSecureBootUI": false, 100 | "defenderSecurityCenterDisableTroubleshootingUI": false, 101 | "defenderSecurityCenterDisableVulnerableTpmFirmwareUpdateUI": false, 102 | "defenderSecurityCenterOrganizationDisplayName": null, 103 | "defenderSecurityCenterHelpEmail": null, 104 | "defenderSecurityCenterHelpPhone": null, 105 | "defenderSecurityCenterHelpURL": null, 106 | "defenderSecurityCenterNotificationsFromApp": "notConfigured", 107 | "defenderSecurityCenterITContactDisplay": "notConfigured", 108 | "firewallBlockStatefulFTP": false, 109 | "firewallIdleTimeoutForSecurityAssociationInSeconds": null, 110 | "firewallPreSharedKeyEncodingMethod": "deviceDefault", 111 | "firewallIPSecExemptionsAllowNeighborDiscovery": false, 112 | "firewallIPSecExemptionsAllowICMP": false, 113 | "firewallIPSecExemptionsAllowRouterDiscovery": false, 114 | "firewallIPSecExemptionsAllowDHCP": false, 115 | "firewallCertificateRevocationListCheckMethod": "deviceDefault", 116 | "firewallMergeKeyingModuleSettings": false, 117 | "firewallPacketQueueingMethod": "deviceDefault", 118 | "firewallProfileDomain": null, 119 | "firewallProfilePublic": null, 120 | "firewallProfilePrivate": null, 121 | "defenderAdobeReaderLaunchChildProcess": "userDefined", 122 | "defenderAttackSurfaceReductionExcludedPaths": [ 123 | 124 | ], 125 | "defenderOfficeAppsOtherProcessInjectionType": "userDefined", 126 | "defenderOfficeAppsOtherProcessInjection": "userDefined", 127 | "defenderOfficeCommunicationAppsLaunchChildProcess": "userDefined", 128 | "defenderOfficeAppsExecutableContentCreationOrLaunchType": "userDefined", 129 | "defenderOfficeAppsExecutableContentCreationOrLaunch": "userDefined", 130 | "defenderOfficeAppsLaunchChildProcessType": "userDefined", 131 | "defenderOfficeAppsLaunchChildProcess": "userDefined", 132 | "defenderOfficeMacroCodeAllowWin32ImportsType": "userDefined", 133 | "defenderOfficeMacroCodeAllowWin32Imports": "userDefined", 134 | "defenderScriptObfuscatedMacroCodeType": "userDefined", 135 | "defenderScriptObfuscatedMacroCode": "userDefined", 136 | "defenderScriptDownloadedPayloadExecutionType": "userDefined", 137 | "defenderScriptDownloadedPayloadExecution": "userDefined", 138 | "defenderPreventCredentialStealingType": "userDefined", 139 | "defenderProcessCreationType": "userDefined", 140 | "defenderProcessCreation": "userDefined", 141 | "defenderUntrustedUSBProcessType": "userDefined", 142 | "defenderUntrustedUSBProcess": "userDefined", 143 | "defenderUntrustedExecutableType": "userDefined", 144 | "defenderUntrustedExecutable": "userDefined", 145 | "defenderEmailContentExecutionType": "userDefined", 146 | "defenderEmailContentExecution": "userDefined", 147 | "defenderAdvancedRansomewareProtectionType": "userDefined", 148 | "defenderGuardMyFoldersType": "userDefined", 149 | "defenderGuardedFoldersAllowedAppPaths": [ 150 | 151 | ], 152 | "defenderAdditionalGuardedFolders": [ 153 | 154 | ], 155 | "defenderNetworkProtectionType": "userDefined", 156 | "defenderExploitProtectionXml": null, 157 | "defenderExploitProtectionXmlFileName": null, 158 | "defenderSecurityCenterBlockExploitProtectionOverride": false, 159 | "appLockerApplicationControl": "notConfigured", 160 | "deviceGuardLocalSystemAuthorityCredentialGuardSettings": "notConfigured", 161 | "deviceGuardEnableVirtualizationBasedSecurity": false, 162 | "deviceGuardEnableSecureBootWithDMA": false, 163 | "deviceGuardLaunchSystemGuard": "notConfigured", 164 | "smartScreenEnableInShell": false, 165 | "smartScreenBlockOverrideForFiles": false, 166 | "applicationGuardEnabled": false, 167 | "applicationGuardEnabledOptions": "notConfigured", 168 | "applicationGuardBlockFileTransfer": "notConfigured", 169 | "applicationGuardBlockNonEnterpriseContent": false, 170 | "applicationGuardAllowPersistence": false, 171 | "applicationGuardForceAuditing": false, 172 | "applicationGuardBlockClipboardSharing": "notConfigured", 173 | "applicationGuardAllowPrintToPDF": false, 174 | "applicationGuardAllowPrintToXPS": false, 175 | "applicationGuardAllowPrintToLocalPrinters": false, 176 | "applicationGuardAllowPrintToNetworkPrinters": false, 177 | "applicationGuardAllowVirtualGPU": false, 178 | "applicationGuardAllowFileSaveOnHost": false, 179 | "bitLockerAllowStandardUserEncryption": false, 180 | "bitLockerDisableWarningForOtherDiskEncryption": false, 181 | "bitLockerEnableStorageCardEncryptionOnMobile": false, 182 | "bitLockerEncryptDevice": false, 183 | "firewallRules": [ 184 | 185 | ], 186 | "bitLockerSystemDrivePolicy": { 187 | "encryptionMethod": null, 188 | "startupAuthenticationRequired": false, 189 | "startupAuthenticationBlockWithoutTpmChip": false, 190 | "startupAuthenticationTpmUsage": "blocked", 191 | "startupAuthenticationTpmPinUsage": "blocked", 192 | "startupAuthenticationTpmKeyUsage": "blocked", 193 | "startupAuthenticationTpmPinAndKeyUsage": "blocked", 194 | "minimumPinLength": null, 195 | "recoveryOptions": null, 196 | "prebootRecoveryEnableMessageAndUrl": false, 197 | "prebootRecoveryMessage": null, 198 | "prebootRecoveryUrl": null 199 | }, 200 | "bitLockerFixedDrivePolicy": { 201 | "encryptionMethod": null, 202 | "requireEncryptionForWriteAccess": false, 203 | "recoveryOptions": null 204 | }, 205 | "bitLockerRemovableDrivePolicy": { 206 | "encryptionMethod": null, 207 | "requireEncryptionForWriteAccess": false, 208 | "blockCrossOrganizationWriteAccess": false 209 | } 210 | } 211 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/config-profiles/Win10 Bitlocker.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceConfigurations/$entity", 3 | "@odata.type": "#microsoft.graph.windows10EndpointProtectionConfiguration", 4 | "description": "Will only work for 1809 devices.", 5 | "displayName": "Win10 Bitlocker", 6 | "dmaGuardDeviceEnumerationPolicy": "deviceDefault", 7 | "userRightsAccessCredentialManagerAsTrustedCaller": null, 8 | "userRightsAllowAccessFromNetwork": null, 9 | "userRightsBlockAccessFromNetwork": null, 10 | "userRightsActAsPartOfTheOperatingSystem": null, 11 | "userRightsLocalLogOn": null, 12 | "userRightsBackupData": null, 13 | "userRightsChangeSystemTime": null, 14 | "userRightsCreateGlobalObjects": null, 15 | "userRightsCreatePageFile": null, 16 | "userRightsCreatePermanentSharedObjects": null, 17 | "userRightsCreateSymbolicLinks": null, 18 | "userRightsCreateToken": null, 19 | "userRightsDebugPrograms": null, 20 | "userRightsRemoteDesktopServicesLogOn": null, 21 | "userRightsDelegation": null, 22 | "userRightsGenerateSecurityAudits": null, 23 | "userRightsImpersonateClient": null, 24 | "userRightsIncreaseSchedulingPriority": null, 25 | "userRightsLoadUnloadDrivers": null, 26 | "userRightsLockMemory": null, 27 | "userRightsManageAuditingAndSecurityLogs": null, 28 | "userRightsManageVolumes": null, 29 | "userRightsModifyFirmwareEnvironment": null, 30 | "userRightsModifyObjectLabels": null, 31 | "userRightsProfileSingleProcess": null, 32 | "userRightsRemoteShutdown": null, 33 | "userRightsRestoreData": null, 34 | "userRightsTakeOwnership": null, 35 | "userRightsRegisterProcessAsService": null, 36 | "xboxServicesEnableXboxGameSaveTask": false, 37 | "xboxServicesAccessoryManagementServiceStartupMode": "manual", 38 | "xboxServicesLiveAuthManagerServiceStartupMode": "manual", 39 | "xboxServicesLiveGameSaveServiceStartupMode": "manual", 40 | "xboxServicesLiveNetworkingServiceStartupMode": "manual", 41 | "localSecurityOptionsBlockMicrosoftAccounts": false, 42 | "localSecurityOptionsBlockRemoteLogonWithBlankPassword": false, 43 | "localSecurityOptionsDisableAdministratorAccount": false, 44 | "localSecurityOptionsAdministratorAccountName": null, 45 | "localSecurityOptionsDisableGuestAccount": false, 46 | "localSecurityOptionsGuestAccountName": null, 47 | "localSecurityOptionsAllowUndockWithoutHavingToLogon": false, 48 | "localSecurityOptionsBlockUsersInstallingPrinterDrivers": false, 49 | "localSecurityOptionsBlockRemoteOpticalDriveAccess": false, 50 | "localSecurityOptionsFormatAndEjectOfRemovableMediaAllowedUser": "notConfigured", 51 | "localSecurityOptionsMachineInactivityLimit": null, 52 | "localSecurityOptionsMachineInactivityLimitInMinutes": null, 53 | "localSecurityOptionsDoNotRequireCtrlAltDel": false, 54 | "localSecurityOptionsHideLastSignedInUser": false, 55 | "localSecurityOptionsHideUsernameAtSignIn": false, 56 | "localSecurityOptionsLogOnMessageTitle": null, 57 | "localSecurityOptionsLogOnMessageText": null, 58 | "localSecurityOptionsAllowPKU2UAuthenticationRequests": false, 59 | "localSecurityOptionsAllowRemoteCallsToSecurityAccountsManagerHelperBool": false, 60 | "localSecurityOptionsAllowRemoteCallsToSecurityAccountsManager": null, 61 | "localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedClients": "none", 62 | "localSecurityOptionsMinimumSessionSecurityForNtlmSspBasedServers": "none", 63 | "lanManagerAuthenticationLevel": "lmAndNltm", 64 | "lanManagerWorkstationDisableInsecureGuestLogons": false, 65 | "localSecurityOptionsClearVirtualMemoryPageFile": false, 66 | "localSecurityOptionsAllowSystemToBeShutDownWithoutHavingToLogOn": false, 67 | "localSecurityOptionsAllowUIAccessApplicationElevation": false, 68 | "localSecurityOptionsVirtualizeFileAndRegistryWriteFailuresToPerUserLocations": false, 69 | "localSecurityOptionsOnlyElevateSignedExecutables": false, 70 | "localSecurityOptionsAdministratorElevationPromptBehavior": "notConfigured", 71 | "localSecurityOptionsStandardUserElevationPromptBehavior": "notConfigured", 72 | "localSecurityOptionsSwitchToSecureDesktopWhenPromptingForElevation": false, 73 | "localSecurityOptionsDetectApplicationInstallationsAndPromptForElevation": false, 74 | "localSecurityOptionsAllowUIAccessApplicationsForSecureLocations": false, 75 | "localSecurityOptionsUseAdminApprovalMode": false, 76 | "localSecurityOptionsUseAdminApprovalModeForAdministrators": false, 77 | "localSecurityOptionsInformationShownOnLockScreen": "notConfigured", 78 | "localSecurityOptionsInformationDisplayedOnLockScreen": "notConfigured", 79 | "localSecurityOptionsDisableClientDigitallySignCommunicationsIfServerAgrees": false, 80 | "localSecurityOptionsClientDigitallySignCommunicationsAlways": false, 81 | "localSecurityOptionsClientSendUnencryptedPasswordToThirdPartySMBServers": false, 82 | "localSecurityOptionsDisableServerDigitallySignCommunicationsAlways": false, 83 | "localSecurityOptionsDisableServerDigitallySignCommunicationsIfClientAgrees": false, 84 | "localSecurityOptionsRestrictAnonymousAccessToNamedPipesAndShares": false, 85 | "localSecurityOptionsDoNotAllowAnonymousEnumerationOfSAMAccounts": false, 86 | "localSecurityOptionsAllowAnonymousEnumerationOfSAMAccountsAndShares": false, 87 | "localSecurityOptionsDoNotStoreLANManagerHashValueOnNextPasswordChange": false, 88 | "localSecurityOptionsSmartCardRemovalBehavior": "lockWorkstation", 89 | "defenderSecurityCenterDisableAppBrowserUI": false, 90 | "defenderSecurityCenterDisableFamilyUI": false, 91 | "defenderSecurityCenterDisableHealthUI": false, 92 | "defenderSecurityCenterDisableNetworkUI": false, 93 | "defenderSecurityCenterDisableVirusUI": false, 94 | "defenderSecurityCenterDisableAccountUI": false, 95 | "defenderSecurityCenterDisableClearTpmUI": false, 96 | "defenderSecurityCenterDisableHardwareUI": false, 97 | "defenderSecurityCenterDisableNotificationAreaUI": false, 98 | "defenderSecurityCenterDisableRansomwareUI": false, 99 | "defenderSecurityCenterDisableSecureBootUI": false, 100 | "defenderSecurityCenterDisableTroubleshootingUI": false, 101 | "defenderSecurityCenterDisableVulnerableTpmFirmwareUpdateUI": false, 102 | "defenderSecurityCenterOrganizationDisplayName": null, 103 | "defenderSecurityCenterHelpEmail": null, 104 | "defenderSecurityCenterHelpPhone": null, 105 | "defenderSecurityCenterHelpURL": null, 106 | "defenderSecurityCenterNotificationsFromApp": "notConfigured", 107 | "defenderSecurityCenterITContactDisplay": "notConfigured", 108 | "firewallBlockStatefulFTP": false, 109 | "firewallIdleTimeoutForSecurityAssociationInSeconds": null, 110 | "firewallPreSharedKeyEncodingMethod": "deviceDefault", 111 | "firewallIPSecExemptionsAllowNeighborDiscovery": false, 112 | "firewallIPSecExemptionsAllowICMP": false, 113 | "firewallIPSecExemptionsAllowRouterDiscovery": false, 114 | "firewallIPSecExemptionsAllowDHCP": false, 115 | "firewallCertificateRevocationListCheckMethod": "deviceDefault", 116 | "firewallMergeKeyingModuleSettings": false, 117 | "firewallPacketQueueingMethod": "deviceDefault", 118 | "firewallProfileDomain": null, 119 | "firewallProfilePublic": null, 120 | "firewallProfilePrivate": null, 121 | "defenderAdobeReaderLaunchChildProcess": "userDefined", 122 | "defenderAttackSurfaceReductionExcludedPaths": [ 123 | 124 | ], 125 | "defenderOfficeAppsOtherProcessInjectionType": "userDefined", 126 | "defenderOfficeAppsOtherProcessInjection": "userDefined", 127 | "defenderOfficeCommunicationAppsLaunchChildProcess": "userDefined", 128 | "defenderOfficeAppsExecutableContentCreationOrLaunchType": "userDefined", 129 | "defenderOfficeAppsExecutableContentCreationOrLaunch": "userDefined", 130 | "defenderOfficeAppsLaunchChildProcessType": "userDefined", 131 | "defenderOfficeAppsLaunchChildProcess": "userDefined", 132 | "defenderOfficeMacroCodeAllowWin32ImportsType": "userDefined", 133 | "defenderOfficeMacroCodeAllowWin32Imports": "userDefined", 134 | "defenderScriptObfuscatedMacroCodeType": "userDefined", 135 | "defenderScriptObfuscatedMacroCode": "userDefined", 136 | "defenderScriptDownloadedPayloadExecutionType": "userDefined", 137 | "defenderScriptDownloadedPayloadExecution": "userDefined", 138 | "defenderPreventCredentialStealingType": "userDefined", 139 | "defenderProcessCreationType": "userDefined", 140 | "defenderProcessCreation": "userDefined", 141 | "defenderUntrustedUSBProcessType": "userDefined", 142 | "defenderUntrustedUSBProcess": "userDefined", 143 | "defenderUntrustedExecutableType": "userDefined", 144 | "defenderUntrustedExecutable": "userDefined", 145 | "defenderEmailContentExecutionType": "userDefined", 146 | "defenderEmailContentExecution": "userDefined", 147 | "defenderAdvancedRansomewareProtectionType": "userDefined", 148 | "defenderGuardMyFoldersType": "userDefined", 149 | "defenderGuardedFoldersAllowedAppPaths": [ 150 | 151 | ], 152 | "defenderAdditionalGuardedFolders": [ 153 | 154 | ], 155 | "defenderNetworkProtectionType": "userDefined", 156 | "defenderExploitProtectionXml": null, 157 | "defenderExploitProtectionXmlFileName": null, 158 | "defenderSecurityCenterBlockExploitProtectionOverride": false, 159 | "appLockerApplicationControl": "notConfigured", 160 | "deviceGuardLocalSystemAuthorityCredentialGuardSettings": "notConfigured", 161 | "deviceGuardEnableVirtualizationBasedSecurity": false, 162 | "deviceGuardEnableSecureBootWithDMA": false, 163 | "deviceGuardLaunchSystemGuard": "notConfigured", 164 | "smartScreenEnableInShell": false, 165 | "smartScreenBlockOverrideForFiles": false, 166 | "applicationGuardEnabled": false, 167 | "applicationGuardEnabledOptions": "notConfigured", 168 | "applicationGuardBlockFileTransfer": "notConfigured", 169 | "applicationGuardBlockNonEnterpriseContent": false, 170 | "applicationGuardAllowPersistence": false, 171 | "applicationGuardForceAuditing": false, 172 | "applicationGuardBlockClipboardSharing": "notConfigured", 173 | "applicationGuardAllowPrintToPDF": false, 174 | "applicationGuardAllowPrintToXPS": false, 175 | "applicationGuardAllowPrintToLocalPrinters": false, 176 | "applicationGuardAllowPrintToNetworkPrinters": false, 177 | "applicationGuardAllowVirtualGPU": false, 178 | "applicationGuardAllowFileSaveOnHost": false, 179 | "bitLockerAllowStandardUserEncryption": true, 180 | "bitLockerDisableWarningForOtherDiskEncryption": true, 181 | "bitLockerEnableStorageCardEncryptionOnMobile": false, 182 | "bitLockerEncryptDevice": true, 183 | "firewallRules": [ 184 | 185 | ], 186 | "bitLockerSystemDrivePolicy": { 187 | "encryptionMethod": "xtsAes256", 188 | "startupAuthenticationRequired": true, 189 | "startupAuthenticationBlockWithoutTpmChip": false, 190 | "startupAuthenticationTpmUsage": "allowed", 191 | "startupAuthenticationTpmPinUsage": "allowed", 192 | "startupAuthenticationTpmKeyUsage": "allowed", 193 | "startupAuthenticationTpmPinAndKeyUsage": "allowed", 194 | "minimumPinLength": null, 195 | "prebootRecoveryEnableMessageAndUrl": false, 196 | "prebootRecoveryMessage": null, 197 | "prebootRecoveryUrl": null, 198 | "recoveryOptions": { 199 | "blockDataRecoveryAgent": false, 200 | "recoveryPasswordUsage": "allowed", 201 | "recoveryKeyUsage": "allowed", 202 | "hideRecoveryOptions": true, 203 | "enableRecoveryInformationSaveToStore": true, 204 | "recoveryInformationToStore": "passwordAndKey", 205 | "enableBitLockerAfterRecoveryInformationToStore": true 206 | } 207 | }, 208 | "bitLockerFixedDrivePolicy": { 209 | "encryptionMethod": "xtsAes128", 210 | "requireEncryptionForWriteAccess": false, 211 | "recoveryOptions": null 212 | }, 213 | "bitLockerRemovableDrivePolicy": { 214 | "encryptionMethod": "aesCbc128", 215 | "requireEncryptionForWriteAccess": false, 216 | "blockCrossOrganizationWriteAccess": false 217 | } 218 | } 219 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/config-profiles/Win10 Corporate Branding.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceConfigurations/$entity", 3 | "@odata.type": "#microsoft.graph.windows10GeneralConfiguration", 4 | "description": "", 5 | "displayName": "Win10 Corporate Branding", 6 | "taskManagerBlockEndTask": false, 7 | "windows10AppsForceUpdateSchedule": null, 8 | "enableAutomaticRedeployment": false, 9 | "microsoftAccountSignInAssistantSettings": "notConfigured", 10 | "authenticationAllowSecondaryDevice": false, 11 | "authenticationWebSignIn": "notConfigured", 12 | "authenticationPreferredAzureADTenantDomainName": null, 13 | "cryptographyAllowFipsAlgorithmPolicy": false, 14 | "displayAppListWithGdiDPIScalingTurnedOn": [ 15 | 16 | ], 17 | "displayAppListWithGdiDPIScalingTurnedOff": [ 18 | 19 | ], 20 | "enterpriseCloudPrintDiscoveryEndPoint": null, 21 | "enterpriseCloudPrintOAuthAuthority": null, 22 | "enterpriseCloudPrintOAuthClientIdentifier": null, 23 | "enterpriseCloudPrintResourceIdentifier": null, 24 | "enterpriseCloudPrintDiscoveryMaxLimit": null, 25 | "enterpriseCloudPrintMopriaDiscoveryResourceIdentifier": null, 26 | "experienceDoNotSyncBrowserSettings": "notConfigured", 27 | "messagingBlockSync": false, 28 | "messagingBlockMMS": false, 29 | "messagingBlockRichCommunicationServices": false, 30 | "printerNames": [ 31 | 32 | ], 33 | "printerDefaultName": null, 34 | "printerBlockAddition": false, 35 | "searchBlockDiacritics": false, 36 | "searchDisableAutoLanguageDetection": false, 37 | "searchDisableIndexingEncryptedItems": false, 38 | "searchEnableRemoteQueries": false, 39 | "searchDisableUseLocation": false, 40 | "searchDisableLocation": false, 41 | "searchDisableIndexerBackoff": false, 42 | "searchDisableIndexingRemovableDrive": false, 43 | "searchEnableAutomaticIndexSizeManangement": false, 44 | "searchBlockWebResults": false, 45 | "securityBlockAzureADJoinedDevicesAutoEncryption": false, 46 | "diagnosticsDataSubmissionMode": "userDefined", 47 | "oneDriveDisableFileSync": false, 48 | "systemTelemetryProxyServer": null, 49 | "edgeTelemetryForMicrosoft365Analytics": "notConfigured", 50 | "inkWorkspaceAccess": "notConfigured", 51 | "inkWorkspaceAccessState": "notConfigured", 52 | "inkWorkspaceBlockSuggestedApps": false, 53 | "smartScreenEnableAppInstallControl": false, 54 | "personalizationDesktopImageUrl": "<%=$PLASTER_PARAM_desktopImageUrl%>", 55 | "personalizationLockScreenImageUrl": "<%=$PLASTER_PARAM_lockscreenImageUrl%>", 56 | "bluetoothAllowedServices": [ 57 | 58 | ], 59 | "bluetoothBlockAdvertising": false, 60 | "bluetoothBlockPromptedProximalConnections": false, 61 | "bluetoothBlockDiscoverableMode": false, 62 | "bluetoothBlockPrePairing": false, 63 | "edgeBlockAutofill": false, 64 | "edgeBlocked": false, 65 | "edgeCookiePolicy": "userDefined", 66 | "edgeBlockDeveloperTools": false, 67 | "edgeBlockSendingDoNotTrackHeader": false, 68 | "edgeBlockExtensions": false, 69 | "edgeBlockInPrivateBrowsing": false, 70 | "edgeBlockJavaScript": false, 71 | "edgeBlockPasswordManager": false, 72 | "edgeBlockAddressBarDropdown": false, 73 | "edgeBlockCompatibilityList": false, 74 | "edgeClearBrowsingDataOnExit": false, 75 | "edgeAllowStartPagesModification": false, 76 | "edgeDisableFirstRunPage": false, 77 | "edgeBlockLiveTileDataCollection": false, 78 | "edgeSyncFavoritesWithInternetExplorer": false, 79 | "edgeFavoritesListLocation": null, 80 | "edgeBlockEditFavorites": false, 81 | "edgeNewTabPageURL": null, 82 | "edgeHomeButtonConfiguration": null, 83 | "edgeHomeButtonConfigurationEnabled": false, 84 | "edgeOpensWith": "notConfigured", 85 | "edgeBlockSideloadingExtensions": false, 86 | "edgeRequiredExtensionPackageFamilyNames": [ 87 | 88 | ], 89 | "edgeBlockPrinting": false, 90 | "edgeFavoritesBarVisibility": "notConfigured", 91 | "edgeBlockSavingHistory": false, 92 | "edgeBlockFullScreenMode": false, 93 | "edgeBlockWebContentOnNewTabPage": false, 94 | "edgeBlockTabPreloading": false, 95 | "edgeBlockPrelaunch": false, 96 | "edgeShowMessageWhenOpeningInternetExplorerSites": "notConfigured", 97 | "edgePreventCertificateErrorOverride": false, 98 | "edgeKioskModeRestriction": "notConfigured", 99 | "edgeKioskResetAfterIdleTimeInMinutes": null, 100 | "cellularBlockDataWhenRoaming": false, 101 | "cellularBlockVpn": false, 102 | "cellularBlockVpnWhenRoaming": false, 103 | "cellularData": "allowed", 104 | "defenderBlockEndUserAccess": false, 105 | "defenderDaysBeforeDeletingQuarantinedMalware": null, 106 | "defenderDetectedMalwareActions": null, 107 | "defenderSystemScanSchedule": "userDefined", 108 | "defenderFilesAndFoldersToExclude": [ 109 | 110 | ], 111 | "defenderFileExtensionsToExclude": [ 112 | 113 | ], 114 | "defenderScanMaxCpu": null, 115 | "defenderMonitorFileActivity": "userDefined", 116 | "defenderPotentiallyUnwantedAppAction": "deviceDefault", 117 | "defenderPotentiallyUnwantedAppActionSetting": "userDefined", 118 | "defenderProcessesToExclude": [ 119 | 120 | ], 121 | "defenderPromptForSampleSubmission": "userDefined", 122 | "defenderRequireBehaviorMonitoring": false, 123 | "defenderRequireCloudProtection": false, 124 | "defenderRequireNetworkInspectionSystem": false, 125 | "defenderRequireRealTimeMonitoring": false, 126 | "defenderScanArchiveFiles": false, 127 | "defenderScanDownloads": false, 128 | "defenderScheduleScanEnableLowCpuPriority": false, 129 | "defenderDisableCatchupQuickScan": false, 130 | "defenderDisableCatchupFullScan": false, 131 | "defenderScanNetworkFiles": false, 132 | "defenderScanIncomingMail": false, 133 | "defenderScanMappedNetworkDrivesDuringFullScan": false, 134 | "defenderScanRemovableDrivesDuringFullScan": false, 135 | "defenderScanScriptsLoadedInInternetExplorer": false, 136 | "defenderSignatureUpdateIntervalInHours": null, 137 | "defenderScanType": "userDefined", 138 | "defenderScheduledScanTime": null, 139 | "defenderScheduledQuickScanTime": null, 140 | "defenderCloudBlockLevel": "notConfigured", 141 | "defenderCloudExtendedTimeout": null, 142 | "defenderCloudExtendedTimeoutInSeconds": null, 143 | "defenderBlockOnAccessProtection": false, 144 | "defenderSubmitSamplesConsentType": "sendSafeSamplesAutomatically", 145 | "lockScreenAllowTimeoutConfiguration": false, 146 | "lockScreenBlockActionCenterNotifications": false, 147 | "lockScreenBlockCortana": true, 148 | "lockScreenBlockToastNotifications": false, 149 | "lockScreenTimeoutInSeconds": null, 150 | "passwordBlockSimple": false, 151 | "passwordExpirationDays": null, 152 | "passwordMinimumLength": null, 153 | "passwordMinutesOfInactivityBeforeScreenTimeout": null, 154 | "passwordMinimumCharacterSetCount": null, 155 | "passwordPreviousPasswordBlockCount": null, 156 | "passwordRequired": false, 157 | "passwordRequireWhenResumeFromIdleState": false, 158 | "passwordRequiredType": "deviceDefault", 159 | "passwordSignInFailureCountBeforeFactoryReset": null, 160 | "passwordMinimumAgeInDays": null, 161 | "privacyAdvertisingId": "notConfigured", 162 | "privacyAutoAcceptPairingAndConsentPrompts": false, 163 | "privacyDisableLaunchExperience": false, 164 | "privacyBlockInputPersonalization": false, 165 | "privacyBlockPublishUserActivities": false, 166 | "privacyBlockActivityFeed": false, 167 | "startBlockUnpinningAppsFromTaskbar": false, 168 | "startMenuAppListVisibility": "userDefined", 169 | "startMenuHideChangeAccountSettings": false, 170 | "startMenuHideFrequentlyUsedApps": false, 171 | "startMenuHideHibernate": false, 172 | "startMenuHideLock": false, 173 | "startMenuHidePowerButton": false, 174 | "startMenuHideRecentJumpLists": false, 175 | "startMenuHideRecentlyAddedApps": false, 176 | "startMenuHideRestartOptions": false, 177 | "startMenuHideShutDown": false, 178 | "startMenuHideSignOut": false, 179 | "startMenuHideSleep": false, 180 | "startMenuHideSwitchAccount": false, 181 | "startMenuHideUserTile": false, 182 | "startMenuLayoutEdgeAssetsXml": null, 183 | "startMenuLayoutXml": null, 184 | "startMenuMode": "userDefined", 185 | "startMenuPinnedFolderDocuments": "notConfigured", 186 | "startMenuPinnedFolderDownloads": "notConfigured", 187 | "startMenuPinnedFolderFileExplorer": "notConfigured", 188 | "startMenuPinnedFolderHomeGroup": "notConfigured", 189 | "startMenuPinnedFolderMusic": "notConfigured", 190 | "startMenuPinnedFolderNetwork": "notConfigured", 191 | "startMenuPinnedFolderPersonalFolder": "notConfigured", 192 | "startMenuPinnedFolderPictures": "notConfigured", 193 | "startMenuPinnedFolderSettings": "notConfigured", 194 | "startMenuPinnedFolderVideos": "notConfigured", 195 | "settingsBlockSettingsApp": false, 196 | "settingsBlockSystemPage": false, 197 | "settingsBlockDevicesPage": false, 198 | "settingsBlockNetworkInternetPage": false, 199 | "settingsBlockPersonalizationPage": false, 200 | "settingsBlockAccountsPage": false, 201 | "settingsBlockTimeLanguagePage": false, 202 | "settingsBlockEaseOfAccessPage": false, 203 | "settingsBlockPrivacyPage": false, 204 | "settingsBlockUpdateSecurityPage": false, 205 | "settingsBlockAppsPage": false, 206 | "settingsBlockGamingPage": false, 207 | "windowsSpotlightBlockConsumerSpecificFeatures": false, 208 | "windowsSpotlightBlocked": false, 209 | "windowsSpotlightBlockOnActionCenter": false, 210 | "windowsSpotlightBlockTailoredExperiences": false, 211 | "windowsSpotlightBlockThirdPartyNotifications": false, 212 | "windowsSpotlightBlockWelcomeExperience": false, 213 | "windowsSpotlightBlockWindowsTips": false, 214 | "windowsSpotlightConfigureOnLockScreen": "notConfigured", 215 | "networkProxyApplySettingsDeviceWide": false, 216 | "networkProxyDisableAutoDetect": false, 217 | "networkProxyAutomaticConfigurationUrl": null, 218 | "networkProxyServer": null, 219 | "accountsBlockAddingNonMicrosoftAccountEmail": false, 220 | "antiTheftModeBlocked": false, 221 | "bluetoothBlocked": false, 222 | "cameraBlocked": false, 223 | "connectedDevicesServiceBlocked": false, 224 | "certificatesBlockManualRootCertificateInstallation": false, 225 | "copyPasteBlocked": false, 226 | "cortanaBlocked": false, 227 | "deviceManagementBlockFactoryResetOnMobile": false, 228 | "deviceManagementBlockManualUnenroll": false, 229 | "safeSearchFilter": "userDefined", 230 | "edgeBlockPopups": false, 231 | "edgeBlockSearchSuggestions": false, 232 | "edgeBlockSearchEngineCustomization": false, 233 | "edgeBlockSendingIntranetTrafficToInternetExplorer": false, 234 | "edgeSendIntranetTrafficToInternetExplorer": false, 235 | "edgeRequireSmartScreen": false, 236 | "edgeEnterpriseModeSiteListLocation": null, 237 | "edgeFirstRunUrl": null, 238 | "edgeSearchEngine": null, 239 | "edgeHomepageUrls": [ 240 | 241 | ], 242 | "edgeBlockAccessToAboutFlags": false, 243 | "smartScreenBlockPromptOverride": false, 244 | "smartScreenBlockPromptOverrideForFiles": false, 245 | "webRtcBlockLocalhostIpAddress": false, 246 | "internetSharingBlocked": false, 247 | "settingsBlockAddProvisioningPackage": false, 248 | "settingsBlockRemoveProvisioningPackage": false, 249 | "settingsBlockChangeSystemTime": false, 250 | "settingsBlockEditDeviceName": false, 251 | "settingsBlockChangeRegion": false, 252 | "settingsBlockChangeLanguage": false, 253 | "settingsBlockChangePowerSleep": false, 254 | "locationServicesBlocked": false, 255 | "microsoftAccountBlocked": false, 256 | "microsoftAccountBlockSettingsSync": false, 257 | "nfcBlocked": false, 258 | "resetProtectionModeBlocked": false, 259 | "screenCaptureBlocked": false, 260 | "storageBlockRemovableStorage": false, 261 | "storageRequireMobileDeviceEncryption": false, 262 | "usbBlocked": false, 263 | "voiceRecordingBlocked": false, 264 | "wiFiBlockAutomaticConnectHotspots": false, 265 | "wiFiBlocked": false, 266 | "wiFiBlockManualConfiguration": false, 267 | "wiFiScanInterval": null, 268 | "wirelessDisplayBlockProjectionToThisDevice": false, 269 | "wirelessDisplayBlockUserInputFromReceiver": false, 270 | "wirelessDisplayRequirePinForPairing": false, 271 | "windowsStoreBlocked": false, 272 | "appsAllowTrustedAppsSideloading": "notConfigured", 273 | "windowsStoreBlockAutoUpdate": false, 274 | "developerUnlockSetting": "notConfigured", 275 | "sharedUserAppDataAllowed": false, 276 | "appsBlockWindowsStoreOriginatedApps": false, 277 | "windowsStoreEnablePrivateStoreOnly": false, 278 | "storageRestrictAppDataToSystemVolume": false, 279 | "storageRestrictAppInstallToSystemVolume": false, 280 | "gameDvrBlocked": false, 281 | "experienceBlockDeviceDiscovery": false, 282 | "experienceBlockErrorDialogWhenNoSIM": false, 283 | "experienceBlockTaskSwitcher": false, 284 | "logonBlockFastUserSwitching": false, 285 | "tenantLockdownRequireNetworkDuringOutOfBoxExperience": false, 286 | "appManagementMSIAllowUserControlOverInstall": false, 287 | "appManagementMSIAlwaysInstallWithElevatedPrivileges": false, 288 | "dataProtectionBlockDirectMemoryAccess": false, 289 | "appManagementPackageFamilyNamesToLaunchAfterLogOn": [ 290 | 291 | ] 292 | } 293 | -------------------------------------------------------------------------------- /Intune-Plaster-Build/templates/config-profiles/Win10 Device Restrictions.json: -------------------------------------------------------------------------------- 1 | { 2 | "@odata.context": "https://graph.microsoft.com/Beta/$metadata#deviceManagement/deviceConfigurations/$entity", 3 | "@odata.type": "#microsoft.graph.windows10GeneralConfiguration", 4 | "description": "Win10 Device Restrictions", 5 | "displayName": "Win10 Device Restrictions", 6 | "taskManagerBlockEndTask": false, 7 | "windows10AppsForceUpdateSchedule": null, 8 | "enableAutomaticRedeployment": false, 9 | "microsoftAccountSignInAssistantSettings": "notConfigured", 10 | "authenticationAllowSecondaryDevice": false, 11 | "authenticationWebSignIn": "notConfigured", 12 | "authenticationPreferredAzureADTenantDomainName": null, 13 | "cryptographyAllowFipsAlgorithmPolicy": false, 14 | "displayAppListWithGdiDPIScalingTurnedOn": [ 15 | 16 | ], 17 | "displayAppListWithGdiDPIScalingTurnedOff": [ 18 | 19 | ], 20 | "enterpriseCloudPrintDiscoveryEndPoint": null, 21 | "enterpriseCloudPrintOAuthAuthority": null, 22 | "enterpriseCloudPrintOAuthClientIdentifier": null, 23 | "enterpriseCloudPrintResourceIdentifier": null, 24 | "enterpriseCloudPrintDiscoveryMaxLimit": null, 25 | "enterpriseCloudPrintMopriaDiscoveryResourceIdentifier": null, 26 | "experienceDoNotSyncBrowserSettings": "notConfigured", 27 | "messagingBlockSync": false, 28 | "messagingBlockMMS": false, 29 | "messagingBlockRichCommunicationServices": false, 30 | "printerNames": [ 31 | 32 | ], 33 | "printerDefaultName": null, 34 | "printerBlockAddition": false, 35 | "searchBlockDiacritics": false, 36 | "searchDisableAutoLanguageDetection": false, 37 | "searchDisableIndexingEncryptedItems": false, 38 | "searchEnableRemoteQueries": false, 39 | "searchDisableUseLocation": false, 40 | "searchDisableLocation": false, 41 | "searchDisableIndexerBackoff": false, 42 | "searchDisableIndexingRemovableDrive": false, 43 | "searchEnableAutomaticIndexSizeManangement": false, 44 | "searchBlockWebResults": false, 45 | "securityBlockAzureADJoinedDevicesAutoEncryption": false, 46 | "diagnosticsDataSubmissionMode": "userDefined", 47 | "oneDriveDisableFileSync": false, 48 | "systemTelemetryProxyServer": null, 49 | "edgeTelemetryForMicrosoft365Analytics": "notConfigured", 50 | "inkWorkspaceAccess": "notConfigured", 51 | "inkWorkspaceAccessState": "notConfigured", 52 | "inkWorkspaceBlockSuggestedApps": false, 53 | "smartScreenEnableAppInstallControl": false, 54 | "personalizationDesktopImageUrl": null, 55 | "personalizationLockScreenImageUrl": null, 56 | "bluetoothAllowedServices": [ 57 | 58 | ], 59 | "bluetoothBlockAdvertising": false, 60 | "bluetoothBlockPromptedProximalConnections": false, 61 | "bluetoothBlockDiscoverableMode": false, 62 | "bluetoothBlockPrePairing": false, 63 | "edgeBlockAutofill": false, 64 | "edgeBlocked": false, 65 | "edgeCookiePolicy": "userDefined", 66 | "edgeBlockDeveloperTools": false, 67 | "edgeBlockSendingDoNotTrackHeader": false, 68 | "edgeBlockExtensions": false, 69 | "edgeBlockInPrivateBrowsing": false, 70 | "edgeBlockJavaScript": false, 71 | "edgeBlockPasswordManager": false, 72 | "edgeBlockAddressBarDropdown": false, 73 | "edgeBlockCompatibilityList": true, 74 | "edgeClearBrowsingDataOnExit": false, 75 | "edgeAllowStartPagesModification": false, 76 | "edgeDisableFirstRunPage": true, 77 | "edgeBlockLiveTileDataCollection": false, 78 | "edgeSyncFavoritesWithInternetExplorer": true, 79 | "edgeFavoritesListLocation": null, 80 | "edgeBlockEditFavorites": false, 81 | "edgeNewTabPageURL": "<%=$PLASTER_PARAM_homepageUrl%>", 82 | "edgeHomeButtonConfigurationEnabled": false, 83 | "edgeOpensWith": "newTabPage", 84 | "edgeBlockSideloadingExtensions": false, 85 | "edgeRequiredExtensionPackageFamilyNames": [ 86 | 87 | ], 88 | "edgeBlockPrinting": false, 89 | "edgeFavoritesBarVisibility": "notConfigured", 90 | "edgeBlockSavingHistory": false, 91 | "edgeBlockFullScreenMode": false, 92 | "edgeBlockWebContentOnNewTabPage": false, 93 | "edgeBlockTabPreloading": false, 94 | "edgeBlockPrelaunch": false, 95 | "edgeShowMessageWhenOpeningInternetExplorerSites": "notConfigured", 96 | "edgePreventCertificateErrorOverride": false, 97 | "edgeKioskModeRestriction": "notConfigured", 98 | "edgeKioskResetAfterIdleTimeInMinutes": null, 99 | "cellularBlockDataWhenRoaming": false, 100 | "cellularBlockVpn": false, 101 | "cellularBlockVpnWhenRoaming": false, 102 | "cellularData": "allowed", 103 | "defenderBlockEndUserAccess": false, 104 | "defenderDaysBeforeDeletingQuarantinedMalware": null, 105 | "defenderDetectedMalwareActions": null, 106 | "defenderSystemScanSchedule": "userDefined", 107 | "defenderFilesAndFoldersToExclude": [ 108 | 109 | ], 110 | "defenderFileExtensionsToExclude": [ 111 | 112 | ], 113 | "defenderScanMaxCpu": null, 114 | "defenderMonitorFileActivity": "userDefined", 115 | "defenderPotentiallyUnwantedAppAction": "deviceDefault", 116 | "defenderPotentiallyUnwantedAppActionSetting": "userDefined", 117 | "defenderProcessesToExclude": [ 118 | 119 | ], 120 | "defenderPromptForSampleSubmission": "userDefined", 121 | "defenderRequireBehaviorMonitoring": false, 122 | "defenderRequireCloudProtection": false, 123 | "defenderRequireNetworkInspectionSystem": false, 124 | "defenderRequireRealTimeMonitoring": true, 125 | "defenderScanArchiveFiles": false, 126 | "defenderScanDownloads": true, 127 | "defenderScheduleScanEnableLowCpuPriority": false, 128 | "defenderDisableCatchupQuickScan": false, 129 | "defenderDisableCatchupFullScan": false, 130 | "defenderScanNetworkFiles": false, 131 | "defenderScanIncomingMail": false, 132 | "defenderScanMappedNetworkDrivesDuringFullScan": false, 133 | "defenderScanRemovableDrivesDuringFullScan": false, 134 | "defenderScanScriptsLoadedInInternetExplorer": true, 135 | "defenderSignatureUpdateIntervalInHours": 2, 136 | "defenderScanType": "userDefined", 137 | "defenderScheduledScanTime": null, 138 | "defenderScheduledQuickScanTime": null, 139 | "defenderCloudBlockLevel": "notConfigured", 140 | "defenderCloudExtendedTimeout": null, 141 | "defenderCloudExtendedTimeoutInSeconds": null, 142 | "defenderBlockOnAccessProtection": false, 143 | "defenderSubmitSamplesConsentType": "sendSafeSamplesAutomatically", 144 | "lockScreenAllowTimeoutConfiguration": false, 145 | "lockScreenBlockActionCenterNotifications": false, 146 | "lockScreenBlockCortana": false, 147 | "lockScreenBlockToastNotifications": false, 148 | "lockScreenTimeoutInSeconds": null, 149 | "passwordBlockSimple": false, 150 | "passwordExpirationDays": null, 151 | "passwordMinimumLength": null, 152 | "passwordMinutesOfInactivityBeforeScreenTimeout": null, 153 | "passwordMinimumCharacterSetCount": null, 154 | "passwordPreviousPasswordBlockCount": null, 155 | "passwordRequired": false, 156 | "passwordRequireWhenResumeFromIdleState": false, 157 | "passwordRequiredType": "deviceDefault", 158 | "passwordSignInFailureCountBeforeFactoryReset": null, 159 | "passwordMinimumAgeInDays": null, 160 | "privacyAdvertisingId": "notConfigured", 161 | "privacyAutoAcceptPairingAndConsentPrompts": false, 162 | "privacyDisableLaunchExperience": false, 163 | "privacyBlockInputPersonalization": false, 164 | "privacyBlockPublishUserActivities": false, 165 | "privacyBlockActivityFeed": false, 166 | "startBlockUnpinningAppsFromTaskbar": false, 167 | "startMenuAppListVisibility": "userDefined", 168 | "startMenuHideChangeAccountSettings": false, 169 | "startMenuHideFrequentlyUsedApps": false, 170 | "startMenuHideHibernate": false, 171 | "startMenuHideLock": false, 172 | "startMenuHidePowerButton": false, 173 | "startMenuHideRecentJumpLists": false, 174 | "startMenuHideRecentlyAddedApps": false, 175 | "startMenuHideRestartOptions": false, 176 | "startMenuHideShutDown": false, 177 | "startMenuHideSignOut": false, 178 | "startMenuHideSleep": false, 179 | "startMenuHideSwitchAccount": false, 180 | "startMenuHideUserTile": false, 181 | "startMenuLayoutEdgeAssetsXml": null, 182 | "startMenuLayoutXml": null, 183 | "startMenuMode": "userDefined", 184 | "startMenuPinnedFolderDocuments": "notConfigured", 185 | "startMenuPinnedFolderDownloads": "notConfigured", 186 | "startMenuPinnedFolderFileExplorer": "notConfigured", 187 | "startMenuPinnedFolderHomeGroup": "notConfigured", 188 | "startMenuPinnedFolderMusic": "notConfigured", 189 | "startMenuPinnedFolderNetwork": "notConfigured", 190 | "startMenuPinnedFolderPersonalFolder": "notConfigured", 191 | "startMenuPinnedFolderPictures": "notConfigured", 192 | "startMenuPinnedFolderSettings": "notConfigured", 193 | "startMenuPinnedFolderVideos": "notConfigured", 194 | "settingsBlockSettingsApp": false, 195 | "settingsBlockSystemPage": false, 196 | "settingsBlockDevicesPage": false, 197 | "settingsBlockNetworkInternetPage": false, 198 | "settingsBlockPersonalizationPage": false, 199 | "settingsBlockAccountsPage": false, 200 | "settingsBlockTimeLanguagePage": false, 201 | "settingsBlockEaseOfAccessPage": false, 202 | "settingsBlockPrivacyPage": false, 203 | "settingsBlockUpdateSecurityPage": false, 204 | "settingsBlockAppsPage": false, 205 | "settingsBlockGamingPage": false, 206 | "windowsSpotlightBlockConsumerSpecificFeatures": false, 207 | "windowsSpotlightBlocked": false, 208 | "windowsSpotlightBlockOnActionCenter": false, 209 | "windowsSpotlightBlockTailoredExperiences": false, 210 | "windowsSpotlightBlockThirdPartyNotifications": false, 211 | "windowsSpotlightBlockWelcomeExperience": false, 212 | "windowsSpotlightBlockWindowsTips": false, 213 | "windowsSpotlightConfigureOnLockScreen": "notConfigured", 214 | "networkProxyApplySettingsDeviceWide": false, 215 | "networkProxyDisableAutoDetect": false, 216 | "networkProxyAutomaticConfigurationUrl": null, 217 | "networkProxyServer": null, 218 | "accountsBlockAddingNonMicrosoftAccountEmail": false, 219 | "antiTheftModeBlocked": false, 220 | "bluetoothBlocked": false, 221 | "cameraBlocked": false, 222 | "connectedDevicesServiceBlocked": false, 223 | "certificatesBlockManualRootCertificateInstallation": false, 224 | "copyPasteBlocked": false, 225 | "cortanaBlocked": false, 226 | "deviceManagementBlockFactoryResetOnMobile": false, 227 | "deviceManagementBlockManualUnenroll": false, 228 | "safeSearchFilter": "userDefined", 229 | "edgeBlockPopups": false, 230 | "edgeBlockSearchSuggestions": false, 231 | "edgeBlockSearchEngineCustomization": false, 232 | "edgeBlockSendingIntranetTrafficToInternetExplorer": false, 233 | "edgeSendIntranetTrafficToInternetExplorer": false, 234 | "edgeRequireSmartScreen": true, 235 | "edgeEnterpriseModeSiteListLocation": null, 236 | "edgeFirstRunUrl": null, 237 | "edgeHomepageUrls": [ 238 | 239 | ], 240 | "edgeBlockAccessToAboutFlags": false, 241 | "smartScreenBlockPromptOverride": true, 242 | "smartScreenBlockPromptOverrideForFiles": false, 243 | "webRtcBlockLocalhostIpAddress": false, 244 | "internetSharingBlocked": false, 245 | "settingsBlockAddProvisioningPackage": false, 246 | "settingsBlockRemoveProvisioningPackage": false, 247 | "settingsBlockChangeSystemTime": false, 248 | "settingsBlockEditDeviceName": false, 249 | "settingsBlockChangeRegion": false, 250 | "settingsBlockChangeLanguage": false, 251 | "settingsBlockChangePowerSleep": false, 252 | "locationServicesBlocked": false, 253 | "microsoftAccountBlocked": false, 254 | "microsoftAccountBlockSettingsSync": false, 255 | "nfcBlocked": false, 256 | "resetProtectionModeBlocked": false, 257 | "screenCaptureBlocked": false, 258 | "storageBlockRemovableStorage": false, 259 | "storageRequireMobileDeviceEncryption": false, 260 | "usbBlocked": false, 261 | "voiceRecordingBlocked": false, 262 | "wiFiBlockAutomaticConnectHotspots": false, 263 | "wiFiBlocked": false, 264 | "wiFiBlockManualConfiguration": false, 265 | "wiFiScanInterval": null, 266 | "wirelessDisplayBlockProjectionToThisDevice": false, 267 | "wirelessDisplayBlockUserInputFromReceiver": false, 268 | "wirelessDisplayRequirePinForPairing": true, 269 | "windowsStoreBlocked": false, 270 | "appsAllowTrustedAppsSideloading": "notConfigured", 271 | "windowsStoreBlockAutoUpdate": false, 272 | "developerUnlockSetting": "notConfigured", 273 | "sharedUserAppDataAllowed": false, 274 | "appsBlockWindowsStoreOriginatedApps": false, 275 | "windowsStoreEnablePrivateStoreOnly": false, 276 | "storageRestrictAppDataToSystemVolume": false, 277 | "storageRestrictAppInstallToSystemVolume": false, 278 | "gameDvrBlocked": false, 279 | "experienceBlockDeviceDiscovery": false, 280 | "experienceBlockErrorDialogWhenNoSIM": false, 281 | "experienceBlockTaskSwitcher": false, 282 | "logonBlockFastUserSwitching": false, 283 | "tenantLockdownRequireNetworkDuringOutOfBoxExperience": false, 284 | "appManagementMSIAllowUserControlOverInstall": false, 285 | "appManagementMSIAlwaysInstallWithElevatedPrivileges": false, 286 | "dataProtectionBlockDirectMemoryAccess": false, 287 | "appManagementPackageFamilyNamesToLaunchAfterLogOn": [ 288 | 289 | ], 290 | "edgeHomeButtonConfiguration": { 291 | "@odata.type": "#microsoft.graph.edgeHomeButtonOpensCustomURL", 292 | "homeButtonCustomURL": "<%=$PLASTER_PARAM_homepageUrl%>" 293 | }, 294 | "edgeSearchEngine": { 295 | "@odata.type": "#microsoft.graph.edgeSearchEngineCustom", 296 | "edgeSearchEngineOpenSearchXmlUrl": "https://go.microsoft.com/fwlink/?linkid=842596" 297 | } 298 | } 299 | --------------------------------------------------------------------------------