Merge pull request KelvinTegelaar#1545 from kris6673/defender-exclusions

JohnDuprey · web-flow · commit 113d98ad65cc · 2025-07-02T19:07:09.000-04:00
Feat: Add defender exclusions
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddDefenderDeployment.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddDefenderDeployment.ps1
@@ -18,45 +18,48 @@ Function Invoke-AddDefenderDeployment {
     if ('AllTenants' -in $Tenants) { $Tenants = (Get-Tenants -IncludeErrors).defaultDomainName }
     $Compliance = $Request.Body.Compliance
     $PolicySettings = $Request.Body.Policy
+    $DefenderExclusions = $Request.Body.Exclusion
     $ASR = $Request.Body.ASR
     $EDR = $Request.Body.EDR
-    $results = foreach ($tenant in $Tenants) {
+    $Results = foreach ($tenant in $Tenants) {
         try {
-            $SettingsObject = @{
-                id                                                  = 'fc780465-2017-40d4-a0c5-307022471b92'
-                androidEnabled                                      = [bool]$Compliance.ConnectAndroid
-                iosEnabled                                          = [bool]$Compliance.ConnectIos
-                windowsEnabled                                      = [bool]$Compliance.Connectwindows
-                macEnabled                                          = [bool]$Compliance.ConnectMac
-                partnerUnsupportedOsVersionBlocked                  = [bool]$Compliance.BlockunsupportedOS
-                partnerUnresponsivenessThresholdInDays              = 7
-                allowPartnerToCollectIOSApplicationMetadata         = [bool]$Compliance.ConnectIosCompliance
-                allowPartnerToCollectIOSPersonalApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
-                androidMobileApplicationManagementEnabled           = [bool]$Compliance.ConnectAndroidCompliance
-                iosMobileApplicationManagementEnabled               = [bool]$Compliance.appSync
-                microsoftDefenderForEndpointAttachEnabled           = [bool]$true
-            }
-            $SettingsObj = $SettingsObject | ConvertTo-Json -Compress
-            try {
-                $ExistingSettings = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/fc780465-2017-40d4-a0c5-307022471b92' -tenantid $tenant
+            if ($Compliance) {
+                $SettingsObject = @{
+                    id                                                  = 'fc780465-2017-40d4-a0c5-307022471b92'
+                    androidEnabled                                      = [bool]$Compliance.ConnectAndroid
+                    iosEnabled                                          = [bool]$Compliance.ConnectIos
+                    windowsEnabled                                      = [bool]$Compliance.Connectwindows
+                    macEnabled                                          = [bool]$Compliance.ConnectMac
+                    partnerUnsupportedOsVersionBlocked                  = [bool]$Compliance.BlockunsupportedOS
+                    partnerUnresponsivenessThresholdInDays              = 7
+                    allowPartnerToCollectIOSApplicationMetadata         = [bool]$Compliance.ConnectIosCompliance
+                    allowPartnerToCollectIOSPersonalApplicationMetadata = [bool]$Compliance.ConnectIosCompliance
+                    androidMobileApplicationManagementEnabled           = [bool]$Compliance.ConnectAndroidCompliance
+                    iosMobileApplicationManagementEnabled               = [bool]$Compliance.appSync
+                    microsoftDefenderForEndpointAttachEnabled           = [bool]$true
+                }
+                $SettingsObj = $SettingsObject | ConvertTo-Json -Compress
+                try {
+                    $ExistingSettings = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/fc780465-2017-40d4-a0c5-307022471b92' -tenantid $tenant
 
-                # Check if any setting doesn't match
-                foreach ($key in $SettingsObject.Keys) {
-                    if ($ExistingSettings.$key -ne $SettingsObject[$key]) {
-                        $ExistingSettings = $false
-                        break
+                    # Check if any setting doesn't match
+                    foreach ($key in $SettingsObject.Keys) {
+                        if ($ExistingSettings.$key -ne $SettingsObject[$key]) {
+                            $ExistingSettings = $false
+                            break
+                        }
                     }
+                } catch {
+                    $ExistingSettings = $false
+                }
+                if ($ExistingSettings) {
+                    "Defender Intune Configuration already correct and active for $($tenant). Skipping"
+                } else {
+                    $null = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/' -tenantid $tenant -type POST -body $SettingsObj -AsApp $true
+                    "$($tenant): Successfully set Defender Compliance and Reporting settings. Please remember to enable the Intune Connector in the Defender portal."
                 }
-            } catch {
-                $ExistingSettings = $false
             }
 
-            if ($ExistingSettings) {
-                "Defender Intune Configuration already correct and active for $($tenant). Skipping"
-            } else {
-                $null = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/mobileThreatDefenseConnectors/' -tenantid $tenant -type POST -body $SettingsObj -AsApp $true
-                "$($tenant): Successfully set Defender Compliance and Reporting settings. Please remember to enable the Intune Connector in the Defender portal."
-            }
 
             if ($PolicySettings) {
                 $Settings = switch ($PolicySettings) {
@@ -117,7 +120,7 @@ Function Invoke-AddDefenderDeployment {
                     if ($PolicySettings.AssignTo -ne 'None') {
                         $AssignBody = if ($PolicySettings.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($PolicySettings.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
                         $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($PolicyRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
-                        Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenant) -message "Assigned policy $($DisplayName) to $($PolicySettings.AssignTo)" -Sev 'Info'
+                        Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Assigned policy $($DisplayName) to $($PolicySettings.AssignTo)" -Sev 'Info'
                     }
                     "$($tenant): Successfully set Default AV Policy settings"
                 }
@@ -175,7 +178,7 @@ Function Invoke-AddDefenderDeployment {
                         if ($ASR.AssignTo -and $ASR.AssignTo -ne 'none') {
                             $AssignBody = if ($ASR.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
                             $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($ASRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
-                            Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenant) -message "Assigned policy $($DisplayName) to $($ASR.AssignTo)" -Sev 'Info'
+                            Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Assigned policy $($DisplayName) to $($ASR.AssignTo)" -Sev 'Info'
                         }
                         "$($tenant): Successfully added ASR Settings"
                     }
@@ -252,26 +255,105 @@ Function Invoke-AddDefenderDeployment {
                         if ($ASR -and $ASR.AssignTo -ne 'none') {
                             $AssignBody = if ($ASR.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
                             $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($EDRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
-                            Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenant) -message "Assigned EDR policy $($DisplayName) to $($ASR.AssignTo)" -Sev 'Info'
+                            Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Assigned EDR policy $($DisplayName) to $($ASR.AssignTo)" -Sev 'Info'
                         }
                         "$($tenant): Successfully added EDR Settings"
                     }
                 }
             }
+            # Exclusion Policy Section
+            if ($DefenderExclusions) {
+                $ExclusionAssignTo = $DefenderExclusions.AssignTo
+                if ($DefenderExclusions.excludedExtensions) {
+                    $ExcludedExtensions = $DefenderExclusions.excludedExtensions | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+                        @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = $_ }
+                    }
+                }
+                if ($DefenderExclusions.excludedPaths) {
+                    $ExcludedPaths = $DefenderExclusions.excludedPaths | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+                        @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = $_ }
+                    }
+                }
+                if ($DefenderExclusions.excludedProcesses) {
+                    $ExcludedProcesses = $DefenderExclusions.excludedProcesses | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+                        @{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = $_ }
+                    }
+                }
+                $ExclusionSettings = [System.Collections.Generic.List[System.Object]]::new()
+                if ($ExcludedExtensions.Count -gt 0) {
+                    $ExclusionSettings.Add(@{
+                            id              = '2'
+                            settingInstance = @{
+                                '@odata.type'                    = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
+                                settingDefinitionId              = 'device_vendor_msft_policy_config_defender_excludedextensions'
+                                settingInstanceTemplateReference = @{ settingInstanceTemplateId = 'c203725b-17dc-427b-9470-673a2ce9cd5e' }
+                                simpleSettingCollectionValue     = @($ExcludedExtensions)
+                            }
+                        })
+                }
+                if ($ExcludedPaths.Count -gt 0) {
+                    $ExclusionSettings.Add(@{
+                            id              = '1'
+                            settingInstance = @{
+                                '@odata.type'                    = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
+                                settingDefinitionId              = 'device_vendor_msft_policy_config_defender_excludedpaths'
+                                settingInstanceTemplateReference = @{ settingInstanceTemplateId = 'aaf04adc-c639-464f-b4a7-152e784092e8' }
+                                simpleSettingCollectionValue     = @($ExcludedPaths)
+                            }
+                        })
+                }
+                if ($ExcludedProcesses.Count -gt 0) {
+                    $ExclusionSettings.Add(@{
+                            id              = '0'
+                            settingInstance = @{
+                                '@odata.type'                    = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
+                                settingDefinitionId              = 'device_vendor_msft_policy_config_defender_excludedprocesses'
+                                settingInstanceTemplateReference = @{ settingInstanceTemplateId = '96b046ed-f138-4250-9ae0-b0772a93d16f' }
+                                simpleSettingCollectionValue     = @($ExcludedProcesses)
+                            }
+                        })
+                }
+                if ($ExclusionSettings.Count -gt 0) {
+                    $ExclusionBody = ConvertTo-Json -Depth 15 -Compress -InputObject @{
+                        name              = 'Default AV Exclusion Policy'
+                        displayName       = 'Default AV Exclusion Policy'
+                        settings          = @($ExclusionSettings)
+                        platforms         = 'windows10'
+                        technologies      = 'mdm,microsoftSense'
+                        templateReference = @{
+                            templateId             = '45fea5e9-280d-4da1-9792-fb5736da0ca9_1'
+                            templateFamily         = 'endpointSecurityAntivirus'
+                            templateDisplayName    = 'Microsoft Defender Antivirus exclusions'
+                            templateDisplayVersion = 'Version 1'
+                        }
+                    }
+                    $CheckExistingExclusion = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant
+                    if ('Default AV Exclusion Policy' -in $CheckExistingExclusion.Name) {
+                        "$($tenant): Exclusion Policy already exists. Skipping"
+                    } else {
+                        $ExclusionRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant -type POST -body $ExclusionBody
+                        if ($ExclusionAssignTo -and $ExclusionAssignTo -ne 'none') {
+                            $AssignBody = if ($ExclusionAssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($ExclusionAssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
+                            $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($ExclusionRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
+                            Write-LogMessage -headers $Headers -API $APIName -tenant $tenant -message "Assigned Exclusion policy to $($ExclusionAssignTo)" -Sev 'Info'
+                        }
+                        "$($tenant): Successfully set Default AV Exclusion Policy settings"
+                    }
+                }
+            }
         } catch {
             "Failed to add policy for $($tenant): $($_.Exception.Message)"
-            Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenant) -message "Failed adding policy $($DisplayName). Error: $($_.Exception.Message)" -Sev 'Error'
+            Write-LogMessage -headers $Headers -API $APIName -tenant $tenant -message "Failed adding policy $($DisplayName). Error: $($_.Exception.Message)" -Sev 'Error'
             continue
         }
 
     }
 
-    $body = [pscustomobject]@{'Results' = @($results) }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
     Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
             StatusCode = [HttpStatusCode]::OK
-            Body       = $body
+            Body       = @{'Results' = @($Results) }
         })
 
 }
