Merge pull request #468 from KelvinTegelaar/dev

[pull] dev from KelvinTegelaar:dev

Author: pull[bot]

Config/standards.json

@@ -3428,6 +3428,163 @@
     "addedDate": "2025-04-01",
     "powershellEquivalent": "Graph API",
     "recommendedBy": []
+  },
+    {
+    "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration",
+    "cat": "Intune Standards",
+    "tag": [],
+    "helpText": "Sets the Windows Hello for Business configuration during device enrollment.",
+    "executiveText": "Enables or disables Windows Hello for Business during device enrollment, enhancing security through biometric or PIN-based authentication methods. This ensures that devices meet corporate security standards while providing a user-friendly sign-in experience.",
+    "addedComponent": [
+      {
+        "type": "autoComplete",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.state",
+        "label": "Configure Windows Hello for Business",
+        "multiple": false,
+        "options": [
+          {
+            "label": "Not configured",
+            "value": "notConfigured"
+          },
+          {
+            "label": "Enabled",
+            "value": "enabled"
+          },
+          {
+            "label": "Disabled",
+            "value": "disabled"
+          }
+        ]
+      },
+      {
+        "type": "switch",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.securityDeviceRequired",
+        "label": "Use a Trusted Platform Module (TPM)",
+        "default": true
+      },
+      {
+        "type": "number",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinMinimumLength",
+        "label": "Minimum PIN length (4-127)",
+        "default": 4
+      },
+      {
+        "type": "number",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinMaximumLength",
+        "label": "Maximum PIN length (4-127)",
+        "default": 127
+      },
+      {
+        "type": "autoComplete",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinLowercaseCharactersUsage",
+        "label": "Lowercase letters in PIN",
+        "multiple": false,
+        "options": [
+          {
+            "label": "Not allowed",
+            "value": "disallowed"
+          },
+          {
+            "label": "Allowed",
+            "value": "allowed"
+          },
+          {
+            "label": "Required",
+            "value": "required"
+          }
+        ]
+      },
+      {
+        "type": "autoComplete",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinUppercaseCharactersUsage",
+        "label": "Uppercase letters in PIN",
+        "multiple": false,
+        "options": [
+          {
+            "label": "Not allowed",
+            "value": "disallowed"
+          },
+          {
+            "label": "Allowed",
+            "value": "allowed"
+          },
+          {
+            "label": "Required",
+            "value": "required"
+          }
+        ]
+      },
+      {
+        "type": "autoComplete",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinSpecialCharactersUsage",
+        "label": "Special characters in PIN",
+        "multiple": false,
+        "options": [
+          {
+            "label": "Not allowed",
+            "value": "disallowed"
+          },
+          {
+            "label": "Allowed",
+            "value": "allowed"
+          },
+          {
+            "label": "Required",
+            "value": "required"
+          }
+        ]
+      },
+      {
+        "type": "number",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinExpirationInDays",
+        "label": "PIN expiration (days) - 0 to disable",
+        "default": 0
+      },
+      {
+        "type": "number",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.pinPreviousBlockCount",
+        "label": "PIN history - 0 to disable",
+        "default": 0
+      },
+      {
+        "type": "switch",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.unlockWithBiometricsEnabled",
+        "label": "Allow biometric authentication",
+        "default": true
+      },
+      {
+        "type": "autoComplete",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.enhancedBiometricsState",
+        "label": "Use enhanced anti-spoofing when available",
+        "multiple": false,
+        "options": [
+          {
+            "label": "Not configured",
+            "value": "notConfigured"
+          },
+          {
+            "label": "Enabled",
+            "value": "enabled"
+          },
+          {
+            "label": "Disabled",
+            "value": "disabled"
+          }
+        ]
+      },
+      {
+        "type": "switch",
+        "name": "standards.EnrollmentWindowsHelloForBusinessConfiguration.remotePassportEnabled",
+        "label": "Allow phone sign-in",
+        "default": true
+      }
+    ],
+    "label": "Windows Hello for Business enrollment configuration",
+    "impact": "Low Impact",
+    "impactColour": "info",
+    "addedDate": "2025-09-25",
+    "powershellEquivalent": "Graph API",
+    "recommendedBy": []
   },
   {
     "name": "standards.intuneDeviceReg",

Modules/CIPPCore/Public/Authentication/Get-CIPPHttpFunctions.ps1

@@ -11,14 +11,14 @@ function Get-CIPPHttpFunctions {
             if ($Help.Functionality -notmatch 'Entrypoint') { continue }
             if ($Help.Role -eq 'Public') { continue }
             [PSCustomObject]@{
-                Function = $Function.Name
-                Role     = $Help.Role
+                Function    = $Function.Name
+                Role        = $Help.Role
+                Description = $Help.Description
             }
         }
 
         if ($ByRole.IsPresent -or $ByRoleGroup.IsPresent) {
-            $Results = $Results | Group-Object -Property Role | Select-Object -Property @{l = 'Permission'; e = { $_.Name -eq '' ? 'None' : $_.Name } }, Count, @{l = 'Functions'; e = { $_.Group.Function -replace 'Invoke-' } } | Sort-Object -Property Permission
-
+            $Results = $Results | Group-Object -Property Role | Select-Object -Property @{l = 'Permission'; e = { $_.Name -eq '' ? 'None' : $_.Name } }, Count, @{l = 'Functions'; e = { $_.Group | Select-Object @{l='Name'; e={$_.Function -replace 'Invoke-'}}, Description } } | Sort-Object -Property Permission
             if ($ByRoleGroup.IsPresent) {
                 $RoleGroup = @{}
                 foreach ($Permission in $Results) {

Modules/CIPPCore/Public/Get-CIPPIntunePolicy.ps1

@@ -13,32 +13,77 @@ function Get-CIPPIntunePolicy {
         switch ($TemplateType) {
             'AppProtection' {
                 $PlatformType = 'deviceAppManagement'
-                $TemplateTypeURL = 'androidManagedAppProtections'
+                $AndroidTemplateTypeURL = 'androidManagedAppProtections'
+                $iOSTemplateTypeURL = 'iosManagedAppProtections'
+
+                # Define bulk request for both platforms - used by all scenarios
+                $BulkRequests = @(
+                    @{
+                        id     = 'AndroidPolicies'
+                        url    = "$PlatformType/$AndroidTemplateTypeURL"
+                        method = 'GET'
+                    },
+                    @{
+                        id     = 'iOSPolicies'
+                        url    = "$PlatformType/$iOSTemplateTypeURL"
+                        method = 'GET'
+                    }
+                )
+                $BulkResults = New-GraphBulkRequest -Requests $BulkRequests -tenantid $tenantFilter
+
+                $androidPolicies = ($BulkResults | Where-Object { $_.id -eq 'AndroidPolicies' }).body.value
+                $iOSPolicies = ($BulkResults | Where-Object { $_.id -eq 'iOSPolicies' }).body.value
 
                 if ($DisplayName) {
-                    $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    $policy = $policies | Where-Object -Property displayName -EQ $DisplayName
-                    if ($policy) {
-                        $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')" -tenantid $tenantFilter
-                        $policyJson = ConvertTo-Json -InputObject $policyDetails -Depth 100 -Compress
-                        $policy | Add-Member -MemberType NoteProperty -Name 'cippconfiguration' -Value $policyJson -Force
+                    $androidPolicy = $androidPolicies | Where-Object -Property displayName -EQ $DisplayName
+                    $iOSPolicy = $iOSPolicies | Where-Object -Property displayName -EQ $DisplayName
+
+                    # Return the matching policy (Android or iOS) - using full data from bulk request
+                    if ($androidPolicy) {
+                        $policyJson = ConvertTo-Json -InputObject $androidPolicy -Depth 100 -Compress
+                        $androidPolicy | Add-Member -MemberType NoteProperty -Name 'cippconfiguration' -Value $policyJson -Force
+                        return $androidPolicy
+                    } elseif ($iOSPolicy) {
+                        $policyJson = ConvertTo-Json -InputObject $iOSPolicy -Depth 100 -Compress
+                        $iOSPolicy | Add-Member -MemberType NoteProperty -Name 'cippconfiguration' -Value $policyJson -Force
+                        return $iOSPolicy
                     }
-                    return $policy
+                    return $null
+
                 } elseif ($PolicyId) {
-                    $policy = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$PolicyId')" -tenantid $tenantFilter
-                    if ($policy) {
+                    $androidPolicy = $androidPolicies | Where-Object -Property id -EQ $PolicyId
+                    $iOSPolicy = $iOSPolicies | Where-Object -Property id -EQ $PolicyId
+
+                    # Return the matching policy - using full data from bulk request
+                    if ($androidPolicy) {
+                        $policyJson = ConvertTo-Json -InputObject $androidPolicy -Depth 100 -Compress
+                        $androidPolicy | Add-Member -MemberType NoteProperty -Name 'cippconfiguration' -Value $policyJson -Force
+                        return $androidPolicy
+                    } elseif ($iOSPolicy) {
+                        $policyJson = ConvertTo-Json -InputObject $iOSPolicy -Depth 100 -Compress
+                        $iOSPolicy | Add-Member -MemberType NoteProperty -Name 'cippconfiguration' -Value $policyJson -Force
+                        return $iOSPolicy
+                    }
+                    return $null
+
+                } else {
+                    # Process all Android policies
+                    foreach ($policy in $androidPolicies) {
                         $policyJson = ConvertTo-Json -InputObject $policy -Depth 100 -Compress
                         $policy | Add-Member -MemberType NoteProperty -Name 'cippconfiguration' -Value $policyJson -Force
                     }
-                    return $policy
-                } else {
-                    $policies = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL" -tenantid $tenantFilter
-                    foreach ($policy in $policies) {
-                        $policyDetails = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/$PlatformType/$TemplateTypeURL('$($policy.id)')" -tenantid $tenantFilter
-                        $policyJson = ConvertTo-Json -InputObject $policyDetails -Depth 100 -Compress
+
+                    # Process all iOS policies
+                    foreach ($policy in $iOSPolicies) {
+                        $policyJson = ConvertTo-Json -InputObject $policy -Depth 100 -Compress
                         $policy | Add-Member -MemberType NoteProperty -Name 'cippconfiguration' -Value $policyJson -Force
                     }
-                    return $policies
+
+                    # Combine and return all policies
+                    $allPolicies = [System.Collections.Generic.List[object]]::new()
+                    if ($androidPolicies) { $allPolicies.AddRange($androidPolicies) }
+                    if ($iOSPolicies) { $allPolicies.AddRange($iOSPolicies) }
+                    return $allPolicies
                 }
             }
             'deviceCompliancePolicies' {

Modules/CIPPCore/Public/Standards/Invoke-CIPPStandardBranding.ps1

@@ -38,29 +38,62 @@ function Invoke-CIPPStandardBranding {
 
     $TenantId = Get-Tenants | Where-Object -Property defaultDomainName -EQ $Tenant
 
-    try {
-        $CurrentState = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/0" -tenantID $Tenant -AsApp $true
-    }
-    catch {
-        $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
-        Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the Branding state for $Tenant. Error: $ErrorMessage" -Sev Error
-        return
-    }
-
+    $Localizations = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations" -tenantID $Tenant -AsApp $true
     # Get layoutTemplateType value using null-coalescing operator
     $layoutTemplateType = $Settings.layoutTemplateType.value ?? $Settings.layoutTemplateType
+    # If default localization (id "0") exists, use that to get the currentState. Otherwise we have to create it first.
+    if ($Localizations | Where-Object { $_.id -eq '0' }) {
+        try {
+            $CurrentState = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations/0" -tenantID $Tenant -AsApp $true
+        }
+        catch {
+            $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+            Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not get the Branding state for $Tenant. Error: $ErrorMessage" -Sev Error
+            return
+        }
+    }
+    else {
+        try {
+            $GraphRequest = @{
+                tenantID    = $Tenant
+                uri         = "https://graph.microsoft.com/beta/organization/$($TenantId.customerId)/branding/localizations"
+                AsApp       = $true
+                Type        = 'POST'
+                ContentType = 'application/json; charset=utf-8'
+                Body        = [pscustomobject]@{
+                    signInPageText                  = $Settings.signInPageText
+                    usernameHintText                = $Settings.usernameHintText
+                    loginPageTextVisibilitySettings = [pscustomobject]@{
+                        hideAccountResetCredentials = $Settings.hideAccountResetCredentials
+                    }
+                    loginPageLayoutConfiguration    = [pscustomobject]@{
+                        layoutTemplateType = $layoutTemplateType
+                        isHeaderShown      = $Settings.isHeaderShown
+                        isFooterShown      = $Settings.isFooterShown
+                    }
+                } | ConvertTo-Json -Compress
+            }
+            $CurrentState = New-GraphPostRequest @GraphRequest
+        }
+        catch {
+            $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message
+            Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Could not create the default Branding localization for $Tenant. Error: $ErrorMessage" -Sev Error
+            return
+        }
+    }
 
     $StateIsCorrect = ($CurrentState.signInPageText -eq $Settings.signInPageText) -and
-                        ($CurrentState.usernameHintText -eq $Settings.usernameHintText) -and
-                        ($CurrentState.loginPageTextVisibilitySettings.hideAccountResetCredentials -eq $Settings.hideAccountResetCredentials) -and
-                        ($CurrentState.loginPageLayoutConfiguration.layoutTemplateType -eq $layoutTemplateType) -and
-                        ($CurrentState.loginPageLayoutConfiguration.isHeaderShown -eq $Settings.isHeaderShown) -and
-                        ($CurrentState.loginPageLayoutConfiguration.isFooterShown -eq $Settings.isFooterShown)
+    ($CurrentState.usernameHintText -eq $Settings.usernameHintText) -and
+    ($CurrentState.loginPageTextVisibilitySettings.hideAccountResetCredentials -eq $Settings.hideAccountResetCredentials) -and
+    ($CurrentState.loginPageLayoutConfiguration.layoutTemplateType -eq $layoutTemplateType) -and
+    ($CurrentState.loginPageLayoutConfiguration.isHeaderShown -eq $Settings.isHeaderShown) -and
+    ($CurrentState.loginPageLayoutConfiguration.isFooterShown -eq $Settings.isFooterShown)
 
     If ($Settings.remediate -eq $true) {
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Branding is already applied correctly.' -Sev Info
-        } else {
+        }
+        else {
             try {
                 $GraphRequest = @{
                     tenantID    = $Tenant
@@ -83,7 +116,8 @@ function Invoke-CIPPStandardBranding {
                 }
                 $null = New-GraphPostRequest @GraphRequest
                 Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Successfully updated branding.' -Sev Info
-            } catch {
+            }
+            catch {
                 $ErrorMessage = Get-CippException -Exception $_
                 Write-LogMessage -API 'Standards' -Tenant $Tenant -Message "Failed to update branding. Error: $($ErrorMessage.NormalizedError)" -Sev Error -LogData $ErrorMessage
             }
@@ -95,7 +129,8 @@ function Invoke-CIPPStandardBranding {
 
         if ($StateIsCorrect -eq $true) {
             Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Branding is correctly set.' -Sev Info
-        } else {
+        }
+        else {
             Write-StandardsAlert -message 'Branding is incorrectly set.' -object ($CurrentState | Select-Object -Property signInPageText, usernameHintText, loginPageTextVisibilitySettings, loginPageLayoutConfiguration) -tenant $Tenant -standardName 'Branding' -standardId $Settings.standardId
             Write-LogMessage -API 'Standards' -Tenant $Tenant -Message 'Branding is incorrectly set.' -Sev Info
         }