A Single PowerShell Script for Multiple Intune Custom Compliance Policies

Intune is a cloud-based service from Microsoft that allows organizations to manage their employees' devices and applications. Intune provides various policies to help organizations enforce security and compliance requirements for their devices and applications. Custom compliance policies are policies that an organization creates to enforce specific compliance requirements that are not covered by the default Intune compliance policies.

Custom compliance policies in Intune allow the use of PowerShell scripts to evaluate the compliance state of devices by performing checks against specific criteria. The PowerShell script's output should be in JSON format, which the policy can use to access the settings and perform validations. Custom compliance policies in Intune can be used to make sure devices meet certain requirements, such as having specific apps installed or a minimum amount of free space on their hard drive. To do this, two files are needed: a PowerShell script and a JSON file. The PowerShell script checks the device to see if it meets the requirements, and the JSON file helps the script figure out what those requirements are. The results are compared against the reference file, and devices that meet the requirements pass, while those that don't are marked as not meeting the standards.

Writing a custom compliance script in PowerShell is similar to writing any other PowerShell script. However, there are some specific requirements to ensure the script output is in JSON format.

JSON (short for JavaScript Object Notation) is a lightweight data format that is easy for humans to read and write and easy for machines to parse and generate. It consists of key-value pairs, where keys are strings and values can be strings, numbers, arrays, or objects. JSON can nest multiple settings, making it a more versatile format than CSV.

This article provides an overview of custom compliance policies and details the steps needed to create the required PowerShell script and JSON file. Additionally, it includes a demonstration of how to use the custom compliance setting to verify the device compliance policy.

Writing PowerShell Script

Suppose you want to check the RAM size of a device. The PowerShell code to do this is:

(Get-WMIObject -class Win32_ComputerSystem).TotalPhysicalMemory

This code will return the RAM size in kilobytes. However, for compliance purposes, it is better to have the RAM size displayed in gigabytes, and the output should be in JSON format. To achieve this, you can divide the RAM size in kilobytes by 1GB and use typecasting to get an integer value. The code will look like this:

[int](((Get-WMIObject -class Win32_ComputerSystem).TotalPhysicalMemory)/1GB)

The output of this code is a simple integer value, but for JSON, we need to use the {properties/setting:value} format. We can do this by using a hashtable or a PSCustomObject.

For example, to convert the RAM size to a hashtable, we can use the following code:

$RAMhash=@{ 'RAM Size' = [int](((Get-WMIObject -class Win32_ComputerSystem).TotalPhysicalMemory)/1GB)}

Here, the hashtable key is "RAM Size," and the value is the RAM size in gigabytes.

Finally, we need to convert the output to JSON format using the ConvertTo-Json cmdlet. We can do this using the following code:

return $RAMhash | ConvertTo-Json -Compress

This code returns the RAM size in JSON format, where the key is "RAM Size" and the value is the RAM size in gigabytes.

This way you can create multiple settings in PowerShell. Below is such list of settings. You can add or remove or modify settings.

$cs=Get-WMIObject -class Win32_ComputerSystem
$os=Get-WMIObject win32_operatingsystem
$bs=Get-WmiObject win32_bios
$bl=Get-BitLockerVolume -MountPoint c:
$lp=Get-CimInstance SoftwareLicensingProduct -Filter "Name like 'Windows%'" | Where-Object { $_.PartialProductKey } | Select-Object Description, LicenseStatus
$updatecount=((New-Object -ComObject Microsoft.Update.Session).CreateupdateSearcher().Search("IsHidden=0 and IsInstalled=0").Updates).count
$result=[PSCustomObject]@{
    Name=$env:COMPUTERNAME
    OS=$os.Caption
    Serial=$bs.serialnumber
    'BIOS Version'=$bs.Version
    'OSDisk Free Space'=[math]::Round((Get-PSDrive -Name C).Free / 1Gb)
    'Antivirus Presence'=if(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct){"Yes"}else{"No"}
    'Pending Update'=if($updatecount -ne 0){"Yes"}else{"No"}
    'Encryption State'=[string]($bl.VolumeStatus)
    'TPM Chip Present'=if((Get-Tpm).tpmpresent){"Present"}else{"Absent"}
    'Tanium'=if(Get-Package -Name "*tanium client*"){"Present"}else{"Absent"}
    'SecureBoot'=if(Confirm-SecureBootUEFI){"Enabled"}else {"Disabled"}
    'Firmware Type'=$env:firmware_type
}
return $result | ConvertTo-Json -Compress

A complete list of PowerShell settings and JSON file is available at Github.

Writing JSON file

Once you are completed with writing PowerShell scripting, it's time to write JSON file which will establish custom compliance settings in Intune. This file not only specifies the settings to be verified but also includes acceptable values and optional instructions for users in case of non-compliance.

When creating the JSON file for custom compliance settings, it is crucial to consider the following key components:

1. SettingName: This field specifies the name of the custom compliance setting, derived from the PowerShell script's output. For instance, in the case of checking the RAM size, the setting name would be 'RAM Size'.

2. Operator: The operator determines the action to be taken for the compliance rule, such as IsEquals, NotEquals, GreaterThan, GreaterEquals, LessThan, or LessEquals. To enforce a minimum RAM requirement of 2GB, we would utilize the GreaterEquals operator.

3. DataType: This attribute identifies the type of data returned by the PowerShell script. It can be Boolean, Int64, Double, String, DateTime, or Version, depending on the evaluated data. In the case of RAM Size, it should be of integer type. If not, typecasting may be necessary within the script.

4. Operand: The operand represents the values to which the operator is applied during compliance evaluation. It defines the criteria a device must meet to be considered compliant. In this example, the operand should be set to 2, indicating the minimum RAM requirement of 2GB.

5. MoreInfoURL: Including a URL in this field provides users with additional resources to access more information about the specific custom compliance setting. It offers valuable insights and guidance related to compliance requirements, helping users gain a better understanding of the setting's purpose.

6. RemediationStrings: This field serves as a reference for users to effectively address non-compliance issues. It provides instructions, recommendations, or helpful messages to guide users in rectifying any non-compliant aspects on their devices.

Please find the complete JSON file for RAM Size compliance.

{
    "Rules":[ 
   { 
        "SettingName":"Physical Memory(GB)",
        "Operator":"GreaterEquals",
        "DataType":"Int64",
        "Operand":"2",
        "MoreInfoUrl":"https://powerofpowershell.com",
        "RemediationStrings":[ 
        { 
            "Language":"en_US",
            "Title":"Memroy is less than 2GB",
            "Description": "Please install more memories."
        }
        ]                     
    }                
    ],
}

The GitHub source have the single JSON for all settings. With these resources in hand, you can proceed to the Intune portal, where you can easily create compliance policies using these files.

• Navigate to "Endpoint security > Device compliance > Scripts" and upload script on page "Compliance policies | Scripts".

• Navigate to "Endpoint security > Device compliance > Policies" and create policy from page "Compliance policies | Policies". Here you need to select the script which is created earlier and upload JSON file. Assign this policy to required group.

• Now go to device which is part of the group where policy is assigned and perform a sync.

• Once Sync is successful, go to the respective device in Intune portal and select appropriate compliance policy from ''Device Compliance". You will see all the settings and their state. State may be "Compliant", "Not compliant" or "Error".

Notes

When working with JSON files for custom compliance settings in Intune, it's important to ensure that the data types in the JSON match those of the corresponding PowerShell script results.

You can use either [PSCustomObject] or a hashtable in your PowerShell script to store the settings.

If your setting name consists of multiple words or includes special characters, make sure to enclose it in single quotes (''). This ensures that the JSON file correctly interprets the setting name as a single entity.

In this discussion, we explored custom compliance settings in Intune using PowerShell scripts and JSON files. These settings allow administrators to check specific criteria on devices and evaluate their compliance state. By constructing a JSON file with key components like setting names, operators, data types, operands, URLs, and remediation instructions, organizations can define and enforce compliance requirements effectively. PowerShell scripts enable the retrieval and conversion of device information, while the JSON file serves as a reference for evaluating compliance. This approach empowers organizations to ensure devices meet specific criteria, enhancing security and efficient device management.