IntuneSecurityBaselineDefenderForEndpoint

Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Description | Write | String | Policy description | |
| DisplayName | Key | String | Policy name | |
| RoleScopeTagIds | Write | StringArray[] | List of Scope Tags for this Entity instance. | |
| Id | Write | String | The unique identifier for an entity. Read-only. | |
| DeviceSettings | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint | Scope for Device Setting | |
| UserSettings | Write | MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint | Scope for User Setting | |
| Assignments | Write | MSFT_DeviceManagementConfigurationPolicyAssignments[] | Represents the assignment to the Intune policy. | |
| Ensure | Write | String | Present ensures the policy exists, absent ensures it is removed. | Present, Absent |
| Credential | Write | PSCredential | Credentials of the Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |

MSFT_DeviceManagementConfigurationPolicyAssignments

Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| dataType | Write | String | The type of the target assignment. | #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget |
| deviceAndAppManagementAssignmentFilterType | Write | String | The type of filter of the target assignment, i.e. Exclude or Include. Possible values are: none, include, exclude. | none, include, exclude |
| deviceAndAppManagementAssignmentFilterId | Write | String | The Id of the filter for the target assignment. | |
| groupId | Write | String | The group Id that is the target of the assignment. | |
| groupDisplayName | Write | String | The group Display Name that is the target of the assignment. | |
| collectionId | Write | String | The collection Id that is the target of the assignment (ConfigMgr). | |

MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint

Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DeviceInstall_Classes_Deny | Write | String | Prevent installation of devices using drivers that match these device setup classes (0: Disabled, 1: Enabled) | 0, 1 |
| DeviceInstall_Classes_Deny_List | Write | StringArray[] | Prevented Classes - Depends on DeviceInstall_Classes_Deny | |
| DeviceInstall_Classes_Deny_Retroactive | Write | String | Also apply to matching devices that are already installed. - Depends on DeviceInstall_Classes_Deny (0: False, 1: True) | 0, 1 |
| EncryptionMethodWithXts_Name | Write | String | Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) (0: Disabled, 1: Enabled) | 0, 1 |
| EncryptionMethodWithXtsOsDropDown_Name | Write | String | Select the encryption method for operating system drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit) | 3, 4, 6, 7 |
| EncryptionMethodWithXtsFdvDropDown_Name | Write | String | Select the encryption method for fixed data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit, 4: AES-CBC 256-bit, 6: XTS-AES 128-bit (default), 7: XTS-AES 256-bit) | 3, 4, 6, 7 |
| EncryptionMethodWithXtsRdvDropDown_Name | Write | String | Select the encryption method for removable data drives: - Depends on EncryptionMethodWithXts_Name (3: AES-CBC 128-bit (default), 4: AES-CBC 256-bit, 6: XTS-AES 128-bit, 7: XTS-AES 256-bit) | 3, 4, 6, 7 |
| FDVRecoveryUsage_Name | Write | String | Choose how BitLocker-protected fixed drives can be recovered (0: Disabled, 1: Enabled) | 0, 1 |
| FDVActiveDirectoryBackup_Name | Write | String | Save BitLocker recovery information to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | 0, 1 |
| FDVHideRecoveryPage_Name | Write | String | Omit recovery options from the BitLocker setup wizard - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | 0, 1 |
| FDVRecoveryPasswordUsageDropDown_Name | Write | String | Configure user storage of BitLocker recovery information: - Depends on FDVRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password) | 2, 1, 0 |
| FDVRequireActiveDirectoryBackup_Name | Write | String | Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | 0, 1 |
| FDVAllowDRA_Name | Write | String | Allow data recovery agent - Depends on FDVRecoveryUsage_Name (0: False, 1: True) | 0, 1 |
| FDVActiveDirectoryBackupDropDown_Name | Write | String | Configure storage of BitLocker recovery information to AD DS: - Depends on FDVRecoveryUsage_Name (1: Backup recovery passwords and key packages, 2: Backup recovery passwords only) | 1, 2 |
| FDVRecoveryKeyUsageDropDown_Name | Write | String | - Depends on FDVRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key) | 2, 1, 0 |
| FDVDenyWriteAccess_Name | Write | String | Deny write access to fixed drives not protected by BitLocker (0: Disabled, 1: Enabled) | 0, 1 |
| FDVEncryptionType_Name | Write | String | Enforce drive encryption type on fixed data drives (0: Disabled, 1: Enabled) | 0, 1 |
| FDVEncryptionTypeDropDown_Name | Write | String | Select the encryption type: (Device) - Depends on FDVEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | 0, 1, 2 |
| EnablePreBootPinExceptionOnDECapableDevice_Name | Write | String | Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN. (0: Disabled, 1: Enabled) | 0, 1 |
| EnhancedPIN_Name | Write | String | Allow enhanced PINs for startup (0: Disabled, 1: Enabled) | 0, 1 |
| OSRecoveryUsage_Name | Write | String | Choose how BitLocker-protected operating system drives can be recovered (0: Disabled, 1: Enabled) | 0, 1 |
| OSRequireActiveDirectoryBackup_Name | Write | String | Do not enable BitLocker until recovery information is stored to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True) | 0, 1 |
| OSActiveDirectoryBackup_Name | Write | String | Save BitLocker recovery information to AD DS for operating system drives - Depends on OSRecoveryUsage_Name (0: False, 1: True) | 0, 1 |
| OSRecoveryPasswordUsageDropDown_Name | Write | String | Configure user storage of BitLocker recovery information: - Depends on OSRecoveryUsage_Name (2: Allow 48-digit recovery password, 1: Require 48-digit recovery password, 0: Do not allow 48-digit recovery password) | 2, 1, 0 |
| OSHideRecoveryPage_Name | Write | String | Omit recovery options from the BitLocker setup wizard - Depends on OSRecoveryUsage_Name (0: False, 1: True) | 0, 1 |
| OSAllowDRA_Name | Write | String | Allow data recovery agent - Depends on OSRecoveryUsage_Name (0: False, 1: True) | 0, 1 |
| OSRecoveryKeyUsageDropDown_Name | Write | String | - Depends on OSRecoveryUsage_Name (2: Allow 256-bit recovery key, 1: Require 256-bit recovery key, 0: Do not allow 256-bit recovery key) | 2, 1, 0 |
| OSActiveDirectoryBackupDropDown_Name | Write | String | Configure storage of BitLocker recovery information to AD DS: - Depends on OSRecoveryUsage_Name (1: Store recovery passwords and key packages, 2: Store recovery passwords only) | 1, 2 |
| EnablePrebootInputProtectorsOnSlates_Name | Write | String | Enable use of BitLocker authentication requiring preboot keyboard input on slates (0: Disabled, 1: Enabled) | 0, 1 |
| OSEncryptionType_Name | Write | String | Enforce drive encryption type on operating system drives (0: Disabled, 1: Enabled) | 0, 1 |
| OSEncryptionTypeDropDown_Name | Write | String | Select the encryption type: (Device) - Depends on OSEncryptionType_Name (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | 0, 1, 2 |
| ConfigureAdvancedStartup_Name | Write | String | Require additional authentication at startup (0: Disabled, 1: Enabled) | 0, 1 |
| ConfigureTPMStartupKeyUsageDropDown_Name | Write | String | Configure TPM startup key: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key with TPM, 1: Require startup key with TPM, 0: Do not allow startup key with TPM) | 2, 1, 0 |
| ConfigureTPMPINKeyUsageDropDown_Name | Write | String | Configure TPM startup key and PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup key and PIN with TPM, 1: Require startup key and PIN with TPM, 0: Do not allow startup key and PIN with TPM) | 2, 1, 0 |
| ConfigureTPMUsageDropDown_Name | Write | String | Configure TPM startup: - Depends on ConfigureAdvancedStartup_Name (2: Allow TPM, 1: Require TPM, 0: Do not allow TPM) | 2, 1, 0 |
| ConfigureNonTPMStartupKeyUsage_Name | Write | String | Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) - Depends on ConfigureAdvancedStartup_Name (0: False, 1: True) | 0, 1 |
| ConfigurePINUsageDropDown_Name | Write | String | Configure TPM startup PIN: - Depends on ConfigureAdvancedStartup_Name (2: Allow startup PIN with TPM, 1: Require startup PIN with TPM, 0: Do not allow startup PIN with TPM) | 2, 1, 0 |
| RDVConfigureBDE | Write | String | Control use of BitLocker on removable drives (0: Disabled, 1: Enabled) | 0, 1 |
| RDVAllowBDE_Name | Write | String | Allow users to apply BitLocker protection on removable data drives (Device) - Depends on RDVConfigureBDE (0: False, 1: True) | 0, 1 |
| RDVEncryptionType_Name | Write | String | Enforce drive encryption type on removable data drives (0: Disabled, 1: Enabled) | 0, 1 |
| RDVEncryptionTypeDropDown_Name | Write | String | Select the encryption type: (Device) (0: Allow user to choose (default), 1: Full encryption, 2: Used Space Only encryption) | 0, 1, 2 |
| RDVDisableBDE_Name | Write | String | Allow users to suspend and decrypt BitLocker protection on removable data drives (Device) - Depends on RDVConfigureBDE (0: False, 1: True) | 0, 1 |
| RDVDenyWriteAccess_Name | Write | String | Deny write access to removable drives not protected by BitLocker (0: Disabled, 1: Enabled) | 0, 1 |
| RDVCrossOrg | Write | String | Do not allow write access to devices configured in another organization - Depends on RDVDenyWriteAccess_Name (0: False, 1: True) | 0, 1 |
| EnableSmartScreen | Write | String | Configure Windows Defender SmartScreen (0: Disabled, 1: Enabled) | 0, 1 |
| EnableSmartScreenDropdown | Write | String | Pick one of the following settings: (Device) - Depends on EnableSmartScreen (block: Warn and prevent bypass, warn: Warn) | block, warn |
| DisableSafetyFilterOverrideForAppRepUnknown | Write | String | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (0: Disabled, 1: Enabled) | 0, 1 |
| Disable_Managing_Safety_Filter_IE9 | Write | String | Prevent managing SmartScreen Filter (0: Disabled, 1: Enabled) | 0, 1 |
| IE9SafetyFilterOptions | Write | String | Select SmartScreen Filter mode - Depends on Disable_Managing_Safety_Filter_IE9 (0: Off, 1: On) | 0, 1 |
| AllowWarningForOtherDiskEncryption | Write | String | Allow Warning For Other Disk Encryption (0: Disabled, 1: Enabled) | 0, 1 |
| AllowStandardUserEncryption | Write | String | Allow Standard User Encryption - Depends on AllowWarningForOtherDiskEncryption (0: This is the default, when the policy is not set. If current logged on user is a standard user, 'RequireDeviceEncryption' policy will not try to enable encryption on any drive., 1: 'RequireDeviceEncryption' policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.) | 0, 1 |
| ConfigureRecoveryPasswordRotation | Write | String | Configure Recovery Password Rotation (0: Refresh off (default), 1: Refresh on for Azure AD-joined devices, 2: Refresh on for both Azure AD-joined and hybrid-joined devices) | 0, 1, 2 |
| RequireDeviceEncryption | Write | String | Require Device Encryption (0: Disabled, 1: Enabled) | 0, 1 |
| AllowArchiveScanning | Write | String | Allow Archive Scanning (0: Not allowed. Turns off scanning on archived files., 1: Allowed. Scans the archive files.) | 0, 1 |
| AllowBehaviorMonitoring | Write | String | Allow Behavior Monitoring (0: Not allowed. Turns off behavior monitoring., 1: Allowed. Turns on real-time behavior monitoring.) | 0, 1 |
| AllowCloudProtection | Write | String | Allow Cloud Protection (0: Not allowed. Turns off the Microsoft Active Protection Service., 1: Allowed. Turns on the Microsoft Active Protection Service.) | 0, 1 |
| AllowEmailScanning | Write | String | Allow Email Scanning (0: Not allowed. Turns off email scanning., 1: Allowed. Turns on email scanning.) | 0, 1 |
| AllowFullScanRemovableDriveScanning | Write | String | Allow Full Scan Removable Drive Scanning (0: Not allowed. Turns off scanning on removable drives., 1: Allowed. Scans removable drives.) | 0, 1 |
| AllowOnAccessProtection | Write | String | Allow On Access Protection (0: Not allowed., 1: Allowed.) | 0, 1 |
| AllowRealtimeMonitoring | Write | String | Allow Realtime Monitoring (0: Not allowed. Turns off the real-time monitoring service., 1: Allowed. Turns on and runs the real-time monitoring service.) | 0, 1 |
| AllowScanningNetworkFiles | Write | String | Allow Scanning Network Files (0: Not allowed. Turns off scanning of network files., 1: Allowed. Scans network files.) | 0, 1 |
| AllowIOAVProtection | Write | String | Allow scanning of all downloaded files and attachments (0: Not allowed., 1: Allowed.) | 0, 1 |
| AllowScriptScanning | Write | String | Allow Script Scanning (0: Not allowed., 1: Allowed.) | 0, 1 |
| AllowUserUIAccess | Write | String | Allow User UI Access (0: Not allowed. Prevents users from accessing UI., 1: Allowed. Lets users access UI.) | 0, 1 |
| BlockExecutionOfPotentiallyObfuscatedScripts | Write | String | Block execution of potentially obfuscated scripts - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockWin32APICallsFromOfficeMacros | Write | String | Block Win32 API calls from Office macros - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockWin32APICallsFromOfficeMacros_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion | Write | String | Block executable files from running unless they meet a prevalence, age, or trusted list criterion - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockExecutableFilesRunningUnlessTheyMeetPrevalenceAgeTrustedListCriterion_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockOfficeCommunicationAppFromCreatingChildProcesses | Write | String | Block Office communication application from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockOfficeCommunicationAppFromCreatingChildProcesses_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockAllOfficeApplicationsFromCreatingChildProcesses | Write | String | Block all Office applications from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockAllOfficeApplicationsFromCreatingChildProcesses_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockAdobeReaderFromCreatingChildProcesses | Write | String | Block Adobe Reader from creating child processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockAdobeReaderFromCreatingChildProcesses_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem | Write | String | Block credential stealing from the Windows local security authority subsystem - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent | Write | String | Block JavaScript or VBScript from launching downloaded executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockJavaScriptOrVBScriptFromLaunchingDownloadedExecutableContent_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockWebshellCreationForServers | Write | String | Block Webshell creation for Servers - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockWebshellCreationForServers_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockUntrustedUnsignedProcessesThatRunFromUSB | Write | String | Block untrusted and unsigned processes that run from USB - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockUntrustedUnsignedProcessesThatRunFromUSB_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockPersistenceThroughWMIEventSubscription | Write | String | Block persistence through WMI event subscription - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockUseOfCopiedOrImpersonatedSystemTools | Write | String | [PREVIEW] Block use of copied or impersonated system tools - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockUseOfCopiedOrImpersonatedSystemTools_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockAbuseOfExploitedVulnerableSignedDrivers | Write | String | Block abuse of exploited vulnerable signed drivers (Device) - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockAbuseOfExploitedVulnerableSignedDrivers_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockProcessCreationsFromPSExecAndWMICommands | Write | String | Block process creations originating from PSExec and WMI commands - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockProcessCreationsFromPSExecAndWMICommands_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockOfficeApplicationsFromCreatingExecutableContent | Write | String | Block Office applications from creating executable content - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockOfficeApplicationsFromCreatingExecutableContent_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses | Write | String | Block Office applications from injecting code into other processes - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockRebootingMachineInSafeMode | Write | String | [PREVIEW] Block rebooting machine in Safe Mode - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockRebootingMachineInSafeMode_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| UseAdvancedProtectionAgainstRansomware | Write | String | Use advanced protection against ransomware - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| UseAdvancedProtectionAgainstRansomware_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| BlockExecutableContentFromEmailClientAndWebmail | Write | String | Block executable content from email client and webmail - Depends on AttackSurfaceReductionRules (off: Off, block: Block, audit: Audit, warn: Warn) | off, block, audit, warn |
| BlockExecutableContentFromEmailClientAndWebmail_ASROnlyPerRuleExclusions | Write | StringArray[] | ASR Only Per Rule Exclusions | |
| CheckForSignaturesBeforeRunningScan | Write | String | Check For Signatures Before Running Scan (0: Disabled, 1: Enabled) | 0, 1 |
| CloudBlockLevel | Write | String | Cloud Block Level (0: NotConfigured, 2: High, 4: HighPlus, 6: ZeroTolerance) | 0, 2, 4, 6 |
| CloudExtendedTimeout | Write | SInt32 | Cloud Extended Timeout | |
| DisableLocalAdminMerge | Write | String | Disable Local Admin Merge (0: Enable Local Admin Merge, 1: Disable Local Admin Merge) | 0, 1 |
| EnableNetworkProtection | Write | String | Enable Network Protection (0: Disabled, 1: Enabled (block mode), 2: Enabled (audit mode)) | 0, 1, 2 |
| HideExclusionsFromLocalAdmins | Write | String | Hide Exclusions From Local Admins (1: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local admins will be able to see exclusions in the Windows Security App and via PowerShell.) | 1, 0 |
| HideExclusionsFromLocalUsers | Write | String | Hide Exclusions From Local Users (1: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell., 0: If you disable or do not configure this setting, local users will be able to see exclusions in the Windows Security App and via PowerShell.) | 1, 0 |
| OobeEnableRtpAndSigUpdate | Write | String | Oobe Enable Rtp And Sig Update (1: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE., 0: If you either disable or do not configure this setting, real-time protection and Security Intelligence Updates during OOBE is not enabled.) | 1, 0 |
| PUAProtection | Write | String | PUA Protection (0: PUA Protection off. Windows Defender will not protect against potentially unwanted applications., 1: PUA Protection on. Detected items are blocked. They will show in history along with other threats., 2: Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer.) | 0, 1, 2 |
| RealTimeScanDirection | Write | String | Real Time Scan Direction (0: Monitor all files (bi-directional)., 1: Monitor incoming files., 2: Monitor outgoing files.) | 0, 1, 2 |
| ScanParameter | Write | String | Scan Parameter (1: Quick scan, 2: Full scan) | 1, 2 |
| ScheduleQuickScanTime | Write | SInt32 | Schedule Quick Scan Time | |
| ScheduleScanDay | Write | String | Schedule Scan Day (0: Every day, 1: Sunday, 2: Monday, 3: Tuesday, 4: Wednesday, 5: Thursday, 6: Friday, 7: Saturday, 8: No scheduled scan) | 0, 1, 2, 3, 4, 5, 6, 7, 8 |
| ScheduleScanTime | Write | SInt32 | Schedule Scan Time | |
| SignatureUpdateInterval | Write | SInt32 | Signature Update Interval | |
| SubmitSamplesConsent | Write | String | Submit Samples Consent (0: Always prompt., 1: Send safe samples automatically., 2: Never send., 3: Send all samples automatically.) | 0, 1, 2, 3 |
| LsaCfgFlags | Write | String | Credential Guard (0: (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock., 1: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock., 2: (Enabled without lock) Turns on Credential Guard without UEFI lock.) | 0, 1, 2 |
| DeviceEnumerationPolicy | Write | String | Device Enumeration Policy (0: Block all (Most restrictive), 1: Only after log in/screen unlock, 2: Allow all (Least restrictive)) | 0, 1, 2 |
| SmartScreenEnabled | Write | String | Configure Microsoft Defender SmartScreen (0: Disabled, 1: Enabled) | 0, 1 |
| SmartScreenPuaEnabled | Write | String | Configure Microsoft Defender SmartScreen to block potentially unwanted apps (0: Disabled, 1: Enabled) | 0, 1 |
| SmartScreenDnsRequestsEnabled | Write | String | Enable Microsoft Defender SmartScreen DNS requests (0: Disabled, 1: Enabled) | 0, 1 |
| NewSmartScreenLibraryEnabled | Write | String | Enable new SmartScreen library (0: Disabled, 1: Enabled) | 0, 1 |
| SmartScreenForTrustedDownloadsEnabled | Write | String | Force Microsoft Defender SmartScreen checks on downloads from trusted sources (0: Disabled, 1: Enabled) | 0, 1 |
| PreventSmartScreenPromptOverride | Write | String | Prevent bypassing Microsoft Defender SmartScreen prompts for sites (0: Disabled, 1: Enabled) | 0, 1 |
| PreventSmartScreenPromptOverrideForFiles | Write | String | Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads (0: Disabled, 1: Enabled) | 0, 1 |

MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint

Parameters

| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DisableSafetyFilterOverrideForAppRepUnknown | Write | String | Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User) (0: Disabled, 1: Enabled) | 0, 1 |

Description

Intune Security Baseline Defender For Endpoint

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource requires the following permissions:

Delegated permissions

  • Read
    • Group.Read.All, DeviceManagementConfiguration.Read.All
  • Update
    • Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Application permissions

  • Read
    • Group.Read.All, DeviceManagementConfiguration.Read.All
  • Update
    • Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Examples

Example 1

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint'
        {
            DisplayName           = 'test'
            DeviceSettings        = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint
            {
                BlockExecutionOfPotentiallyObfuscatedScripts = 'off'
                AllowRealtimeMonitoring                      = '1'
                BlockWin32APICallsFromOfficeMacros           = 'warn'
                CloudBlockLevel                              = '2'
            }
            UserSettings          = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint
            {
                DisableSafetyFilterOverrideForAppRepUnknown = '1'
            }
            Ensure                = 'Present'
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```

Example 2

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint'
        {
            DisplayName           = 'test'
            DeviceSettings        = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint
            {
                BlockExecutionOfPotentiallyObfuscatedScripts = 'off'
                AllowRealtimeMonitoring                      = '0' # drift: differs from Example 1, so a Test-DscConfiguration run reports the policy as non-compliant
                BlockWin32APICallsFromOfficeMacros           = 'warn'
                CloudBlockLevel                              = '2'
            }
            UserSettings          = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint
            {
                DisableSafetyFilterOverrideForAppRepUnknown = '1'
            }
            Ensure                = 'Present'
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```

Example 3

This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneSecurityBaselineDefenderForEndpoint 'mySecurityBaselineDefenderForEndpoint'
        {
            DisplayName           = 'test'
            Ensure                = 'Absent'
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```
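The three examples above set only a handful of settings. The configuration below is an added example, not part of the Microsoft365DSC documentation or module, showing how a fuller hardened baseline is expressed with this resource: every drop-down or per-rule setting is set together with the parent it "Depends on" in the parameter tables above, the attack surface reduction rules are put in block mode, BitLocker is pinned to XTS-AES 256-bit with recovery information escrowed to AD DS, Credential Guard is enabled with UEFI lock, and the policy is assigned to all devices with one exclusion group. The group id, the per-rule exclusion path, the scope tag id and the display name are constructed placeholders; the assumption that a dependent setting is only meaningful when its parent is set to '1' follows from the "Depends on" annotations in the tables.

```powershell
# Added example (not Microsoft365DSC's own): a hardened Defender for Endpoint
# baseline. Parent switches are set before the settings that depend on them.
Configuration HardenedDefenderForEndpointBaseline
{
    param(
        [Parameter()] [System.String] $ApplicationId,
        [Parameter()] [System.String] $TenantId,
        [Parameter()] [System.String] $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneSecurityBaselineDefenderForEndpoint 'DfEBaselineHardened'
        {
            DisplayName     = 'DfE Baseline - Hardened (added example)'   # placeholder name
            Description     = 'ASR block mode, XTS-AES 256 BitLocker, Credential Guard with UEFI lock'
            RoleScopeTagIds = @('0')                                       # placeholder scope tag id
            DeviceSettings  = MSFT_MicrosoftGraphIntuneSettingsCatalogDeviceSettings_IntuneSecurityBaselineDefenderForEndpoint
            {
                # Attack surface reduction: block mode, with one per-rule exclusion
                # (the path is a constructed placeholder, not a recommendation).
                BlockCredentialStealingFromWindowsLocalSecurityAuthoritySubsystem    = 'block'
                BlockAllOfficeApplicationsFromCreatingChildProcesses                  = 'block'
                BlockOfficeApplicationsFromInjectingCodeIntoOtherProcesses            = 'block'
                BlockExecutionOfPotentiallyObfuscatedScripts                          = 'block'
                BlockExecutionOfPotentiallyObfuscatedScripts_ASROnlyPerRuleExclusions = @('C:\Tools\Build\signed-build.ps1')
                BlockAbuseOfExploitedVulnerableSignedDrivers                          = 'block'
                BlockPersistenceThroughWMIEventSubscription                           = 'block'
                BlockExecutableContentFromEmailClientAndWebmail                       = 'block'
                UseAdvancedProtectionAgainstRansomware                                = 'block'

                # Antivirus engine and cloud protection
                AllowRealtimeMonitoring       = '1'
                AllowBehaviorMonitoring       = '1'
                AllowCloudProtection          = '1'
                CloudBlockLevel               = '4'   # HighPlus
                CloudExtendedTimeout          = 50    # seconds, on top of the default cloud check time
                SubmitSamplesConsent          = '1'   # send safe samples automatically
                PUAProtection                 = '1'   # block potentially unwanted applications
                EnableNetworkProtection       = '1'   # block mode
                DisableLocalAdminMerge        = '1'   # local exclusions cannot widen the policy
                HideExclusionsFromLocalAdmins = '1'

                # BitLocker: each parent switch, then the drop-downs that depend on it
                EncryptionMethodWithXts_Name            = '1'
                EncryptionMethodWithXtsOsDropDown_Name  = '7'   # XTS-AES 256-bit
                EncryptionMethodWithXtsFdvDropDown_Name = '7'   # XTS-AES 256-bit
                EncryptionMethodWithXtsRdvDropDown_Name = '4'   # AES-CBC 256-bit for removable media
                ConfigureAdvancedStartup_Name           = '1'
                ConfigureTPMUsageDropDown_Name          = '1'   # require TPM
                ConfigurePINUsageDropDown_Name          = '2'   # allow startup PIN with TPM
                ConfigureNonTPMStartupKeyUsage_Name     = '0'   # no BitLocker without a compatible TPM
                OSRecoveryUsage_Name                    = '1'
                OSActiveDirectoryBackup_Name            = '1'
                OSRequireActiveDirectoryBackup_Name     = '1'   # do not encrypt until recovery info is escrowed
                OSActiveDirectoryBackupDropDown_Name    = '1'   # store recovery passwords and key packages
                OSRecoveryPasswordUsageDropDown_Name    = '1'   # require 48-digit recovery password
                OSHideRecoveryPage_Name                 = '1'
                RDVDenyWriteAccess_Name                 = '1'
                RDVCrossOrg                             = '1'   # no writes to drives from another organization
                RequireDeviceEncryption                 = '1'

                # Credential Guard with UEFI lock; new devices enumerated only after unlock
                LsaCfgFlags             = '1'
                DeviceEnumerationPolicy = '1'
            }
            UserSettings    = MSFT_MicrosoftGraphIntuneSettingsCatalogUserSettings_IntuneSecurityBaselineDefenderForEndpoint
            {
                DisableSafetyFilterOverrideForAppRepUnknown = '1'
            }
            Assignments     = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments
                {
                    dataType                                   = '#microsoft.graph.allDevicesAssignmentTarget'
                    deviceAndAppManagementAssignmentFilterType = 'none'
                }
                MSFT_DeviceManagementConfigurationPolicyAssignments
                {
                    dataType                                   = '#microsoft.graph.exclusionGroupAssignmentTarget'
                    groupId                                    = '00000000-0000-0000-0000-000000000000'   # placeholder group id
                    deviceAndAppManagementAssignmentFilterType = 'none'
                }
            )
            Ensure                = 'Present'
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```

Compile it with `HardenedDefenderForEndpointBaseline -ApplicationId <appId> -TenantId <tenantId> -CertificateThumbprint <thumbprint>` and apply the resulting MOF with `Start-DscConfiguration`; running `Test-DscConfiguration` afterwards reports whether the tenant still matches, which is the same drift check that Example 2 exercises by changing AllowRealtimeMonitoring.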