The scripts for configuring the Specialized security baseline are located in this folder. Before the scripts can be run install Azure AD powershell module on your device
Import-Module Microsoft.Graph -forceand allow scripts to run on your device;
Set-ExecutionPolicy remotesignedMasterScript_SPE.PS1 - This script is used to import the Compliance policies, Configuration profiles used to apply the Specialized Profile settings
To import the Specialized Profile configuration settings into your tenant Open powershell console Navigate to SPE folder in Repo
.\MasterScript-SPE.ps1Enter username and password of an account that has Intune Administrator (preferred) or Global Admin privilege
Wait for the import process to complete.
The MasterScript_SPE.ps1 file calls the following scripts to import the Compliance Policies, Configuration Profiles
Import-SPE-DeviceCompliancePolicies.ps1 - This scripts imports the three device compliance policies for the Specialized profile. Three policies are used to ensure that Conditional Access does not prevent a user from being able to access resources. Refer to Windows 10 and later settings to mark devices as compliant or not compliant using Intune
-
Specialized Compliance ATP policy is used to feed the Threat Intelligence data from Microsoft Defender for Endpoint into the devices compliance state so its signals can be used as part of the Conditional Access evaluation process.
-
Specialized Compliance Delayed policy applies a more complete set of compliance settings to the device but its application is delayed by 24 hours. this is because the device health attestation that is required to assess policies like BitLocker and Secure Boot is only calculated once a device has rebooted and then might take a number of hours to process whether the device is compliant or not.
-
Specialized-Compliance-Immediate policy is used to apply a minimum level of compliance to users and is configured to apply immediately.
Import-SPE-DeviceConfiguration.ps1 - this script is used to import the Device Configuration profiles that harden the Operating System. there are five profiles used:
-
Specialized-Config-Win10-Custom-CSP Applies configuration service provider (CSP) settings that are not available in the Endpoint Manager UI, refer to Configuration service provider reference for the complete list of the CSP settings available.
-
Specialized-Config-Win10-Device-Restrictions-UI applies settings that restrict cloud account use, configure password policy, Microsoft Defender SmartScreen, Microsoft Defender Antivirus. Refer to Windows 10 (and newer) device settings to allow or restrict features using Intune for more details of the settings applied using the profile.
-
Specialized-Config-Win10-Endpoint-Protection-UI applies settings that are used to protect devices in endpoint protection configuration profiles including BitLocker, Device Guard, Microsoft Defender Firewall, Microsoft Defender Exploit Guard, refer to Windows 10 (and later) settings to protect devices using Intune for more details of the settings applied using the profile.
-
Specialized-Config-Win10-Identity-Protection-UI applies the Windows Hello for Business settings to devices, refer to Windows 10 device settings to enable Windows Hello for Business in Intune for more details of the settings applied using the profile.
-
SPE-Win10-AppLocker-Custom-CSP applies the Restricted Execution Model policies in audit mode. The AppLocker configuration is configured to allow applications to run under C:\Program Files, C:\Program Files (x86) and C:\Windows, with user writable paths under blocked. the characteristics for the AppLocker approach is:
- Assumption is that users are non-privileged users.
- Wherever a user can write they are blocked from executing
- Wherever a user can execute they are blocked from writing
The Specialized policy also includes rules to allow OneDrive and Microsoft Teams clients to run under the user's profile directory
Import-SPE-DeviceConfigurationADMX.ps1 this script is used to import the Device Configuration ADMX Template profile that configures Microsoft Edge security settings.
- Specialized-Edge Version 85 - Computer applies administrative policies that control features in Microsoft Edge version 77 and later, refer to Microsoft Edge - Policies or more details of the settings applied using the profile.