Readme.md

Enterprise Profile configuration

The scripts for configuring the Enterprise security baseline are located in this folder. Before the scripts can be run install Azure AD powershell module on your device

Import-Module Microsoft.Graph -force

and allow scripts to run on your device;

Set-ExecutionPolicy remotesigned

MasterScript_ENT.PS1 - This script is used to import the Compliance policies, Configuration profiles used to apply the Enterprise Profile settings

To import the Enterprise Profile configuration settings into your tenant Open powershell comsole Navigate to ENT folder in Repo

.\MasterScript-ENT.ps1

Enter username and password of an account that has Intune Administrator (preferred) or Global Admin privilege

Wait for the import process to complete.

The MasterScript_ENT.ps1 file calls the following scripts to import the Compliance Policies, Configuration Profiles

Import-ENT-DeviceCompliancePolicies.ps1 - This scripts imports the three device compliance policies for the Enterprise profile. Three policies are used to ensure that Conditional Access does not prevent a user from being able to access resources. Refer to Windows 10 and later settings to mark devices as compliant or not compliant using Intune

1. Enterprise Compliance ATP policy is used to feed the Threat Intelligence data from Microsoft Defender for Endpoint into the devices compliance state so its signals can be used as part of the Conditional Access evaluation process.

2. Enterprise Compliance Delayed policy applies a more complete set of compliance settings to the device but its application is delayed by 24 hours. this is because the device health attestation that is required to assess policies like BitLocker and Secure Boot is only calculated once a device has rebooted and then might take a number of hours to process whether the device is compliant or not.

3. ENT-Compliance-Immediate policy is used to apply a minimum level of compliance to users and is configured to apply immediately.

Import-ENT-DeviceConfiguration.ps1 - this script is used to import the Device Configuration profiles that harden the Operating System. there are five profiles used:

1. Enterprise-Config-Win10-Custom-CSP Applies configuration service provider (CSP) settings that are not available in the Endpoint Manager UI, refer to Configuration service provider reference for the complete list of the CSP settings available.
2. Enterprise-Config-Win10-Device-Restrictions-UI applies settings that restrict cloud account use, configure password policy, Microsoft Defender SmartScreen, Microsoft Defender Antivirus. Refer to Windows 10 (and newer) device settings to allow or restrict features using Intune for more details of the settings applied using the profile.
3. Enterprise-Config-Win10-Endpoint-Protection-UI applies settings that are used to protect devices in endpoint protection configuration profiles including BitLocker, Device Guard, Microsoft Defender Firewall, Microsoft Defender Exploit Guard, refer to Windows 10 (and later) settings to protect devices using Intune for more details of the settings applied using the profile.
4. Enterprise-Config-Win10-Identity-Protection-UI applies the Windows Hello for Business settings to devices, refer to Windows 10 device settings to enable Windows Hello for Business in Intune for more details of the settings applied using the profile.

Import-ENT-DeviceConfigurationADMX.ps1 this script is used to import the Device Configuration ADMX Template profile that configures Microsoft Edge security settings.

1. Enterprise-Edge Version 85 - Computer applies administrative policies that control features in Microsoft Edge version 77 and later, refer to Microsoft Edge - Policies or more details of the settings applied using the profile.