INTUNE API WITH POWERSHELL

Tim Beer
5 min read, Feb 2, 2018


My goal was to add a Windows Information Protection (WIP) policy with PowerShell, using the Intune API, and then to update that policy, which opens the door to version control of policies across Azure.

The Intune API has been in preview for a while and has now been released to General Availability.

I’ve been tinkering with the API for a while now, trying to replicate whatever task I am doing in the Azure Portal with PowerShell. My job was made a whole lot easier by Dave Falkus’s scripts, which, if you haven’t already seen them, are available here.

The scripts are organised into different sections which represent most of the areas in the Azure portal.

Here is an example of adding a Windows Information Protection policy.

I used the WIP Add script.

[Image: AppProtection scripts, WIP Add script]

The script adds two policies, one for enrolled (MDM) machines and one for unenrolled machines. The first thing I wanted to do was change it so that it only added a policy for managed machines, so I commented out the add section at the very bottom of the script, removing the line that adds the JSON ManagedAppPolicyWIP. As you’ll see in a moment, the JSON sections are in the script.

My first test was a fairly easy one: could I make some changes to the JSON section? Within the script you will find the JSON section, as below. JSON always takes the format

"blabla": "entry into blabla",
"baaba": "another entry",

So I modified some easy things, such as the name and description, and ran the script.

[Image: Modified JSON]

In the Azure Portal we can see our policy with its title and description.

[Image: Policy with modified title and description]

Now that we know we can create policies quickly and easily, it’s time to get the settings we want. After watching the Microsoft Ignite videos on Windows Information Protection, the suggestion was that your company domains should be added to the policy, as well as company IP addresses and other settings.

The easiest way I found to get all the settings I needed was to set a policy up in the portal and grab the JSON from Microsoft Graph.

So here I set up my policy in the portal just as I want it. These are some standard settings recommended by Microsoft.

[Images: AppCompat for other apps; IP ranges; my settings]

Now that I have my settings, I can look at them from a JSON perspective in Graph Explorer.

If you’ve used Graph Explorer you’ll know it helps to know where to find things. My policy is at https://graph.microsoft.com/Beta/deviceAppManagement/mdmWindowsInformationProtectionPolicies/ (notice the Beta; that should change soon, as the API is now out of beta).

So I run the GET query.

[Image: Graph GET query]

Scrolling through the JSON at the bottom you will see the familiar sections you want, which can be added to the JSON in your PowerShell script.

Here are the IP addresses I added and the AppCompat setting.

[Image: JSON settings]

We can now copy and paste these into our script.

Here’s the IP section copied into our script.

[Image: PowerShell JSON]

Once all the sections are copied you have a complete policy ready to roll out.

PATCH

The last piece I wanted to look at was updating the policy rather than creating a new one every time. As with most APIs, Microsoft has included GET, POST and also PATCH. In Dave’s original script you will see the POST command.

[Image: POST command]

POST will create a new policy, whereas PATCH will update an existing one.

So I changed it to PATCH and changed a setting, but I came across a couple of snags:

  1. As seen above, you have to enter the ID of your policy, otherwise Graph has no way of knowing what you are trying to update. You can get your policy ID from Dave Falkus’s other script, GetAppProtection Policies.
  2. My script now failed because Graph didn’t understand how to update the section for AppLocker policies. When I looked deeper into this, I consulted the Graph documentation and found that some of the sections cannot be updated using PATCH: the AppLocker files in the Azure API do not accept the PATCH command.

[Image: No PATCH for this section]

From this discovery I realised it was going to be easier to update the sections I want by removing the rest of the JSON and leaving just the section I want to update. (By the way, as you can see, if you want to update the AppLocker section you would use UPDATE, not PATCH.)

I’m going to change my IP range.

I removed the section for AppLocker files from the JSON and changed the IP.
Important: anything that is removed or not updated won’t be changed, so you can remove any section and leave the rest there; for example, if you don’t change the title, it won’t be changed.

And that’s it: my policy is now updated with the new IP addresses.
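As an added example (not code from the post or from Dave Falkus’s scripts), here is that PATCH step in PowerShell: the body carries only the IP-range section, the AppLocker sections are left out, and the policy is read back afterwards to confirm what Graph now holds. The token and policy ID parameters, the "Corporate LAN" name, the sample addresses and the property names (enterpriseIPRanges, iPv4Range, enterpriseIPRangesAreAuthoritative) are my assumptions about the Graph beta schema, not values taken from the post.

```powershell
# Added example, not the post's or Dave Falkus's code. Assumes you already
# hold a Graph bearer token for the tenant and the id of an existing WIP
# (MDM) policy (e.g. from the GetAppProtection Policies script). Property
# names follow the Graph beta schema for mdmWindowsInformationProtectionPolicy
# as I understand it; the addresses and display name are constructed samples.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [Parameter(Mandatory)] [string] $PolicyId,
    [string] $LowerAddress = '10.0.0.1',
    [string] $UpperAddress = '10.0.0.254'
)

$base    = 'https://graph.microsoft.com/beta/deviceAppManagement/mdmWindowsInformationProtectionPolicies'
$uri     = "$base/$PolicyId"
$headers = @{ Authorization = "Bearer $AccessToken" }

# Only the section being changed goes in the body. Everything omitted
# (title, description, AppLocker files, ...) is left as it is by PATCH, and
# the AppLocker sections in particular reject PATCH, so they must not be sent.
$body = @{
    enterpriseIPRanges = @(
        @{
            displayName = 'Corporate LAN'
            ranges      = @(
                @{
                    '@odata.type' = '#microsoft.graph.iPv4Range'
                    lowerAddress  = $LowerAddress
                    upperAddress  = $UpperAddress
                }
            )
        }
    )
    enterpriseIPRangesAreAuthoritative = $true
} | ConvertTo-Json -Depth 10

# PATCH the existing policy by id (Graph returns no content on success).
Invoke-RestMethod -Uri $uri -Method Patch -Headers $headers -ContentType 'application/json' -Body $body

# Verify: read the policy back and list the IP ranges Graph now holds for it.
$policy = Invoke-RestMethod -Uri $uri -Method Get -Headers $headers
$policy.enterpriseIPRanges | ForEach-Object {
    $ranges = $_.ranges | ForEach-Object { "$($_.lowerAddress)-$($_.upperAddress)" }
    "$($_.displayName): $($ranges -join ', ')"
}
```

The read-back is the cheap way to catch a PATCH that was silently accepted but did not change the section you expected, before the policy is committed to version control.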

Conclusion: this is really leading to a much more DevOps way of administration, and hopefully we can keep these scripts in version control, such as GitHub, for a good overview of the changes everyone has made.
