
Commit a67c910

committed
Add defender exclusions page
1 parent 25419ba commit a67c910


1 file changed

+99
-4
lines changed


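--- a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddDefenderDeployment.ps1
+++ b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddDefenderDeployment.ps1
@@ -18,6 +18,7 @@ Function Invoke-AddDefenderDeployment {
 if ('AllTenants' -in $Tenants) { $Tenants = (Get-Tenants -IncludeErrors).defaultDomainName }
 $Compliance = $Request.Body.Compliance
 $PolicySettings = $Request.Body.Policy
+$DefenderExclusions = $Request.Body.Exclusion
 $ASR = $Request.Body.ASR
 $EDR = $Request.Body.EDR
 $results = foreach ($tenant in $Tenants) {
@@ -117,7 +118,7 @@ Function Invoke-AddDefenderDeployment {
 if ($PolicySettings.AssignTo -ne 'None') {
 $AssignBody = if ($PolicySettings.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($PolicySettings.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
 $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($PolicyRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
-Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenant) -message "Assigned policy $($DisplayName) to $($PolicySettings.AssignTo)" -Sev 'Info'
+Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Assigned policy $($DisplayName) to $($PolicySettings.AssignTo)" -Sev 'Info'
 }
 "$($tenant): Successfully set Default AV Policy settings"
 }
@@ -175,7 +176,7 @@ Function Invoke-AddDefenderDeployment {
 if ($ASR.AssignTo -and $ASR.AssignTo -ne 'none') {
 $AssignBody = if ($ASR.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
 $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($ASRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
-Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenant) -message "Assigned policy $($DisplayName) to $($ASR.AssignTo)" -Sev 'Info'
+Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Assigned policy $($DisplayName) to $($ASR.AssignTo)" -Sev 'Info'
 }
 "$($tenant): Successfully added ASR Settings"
 }
@@ -252,15 +253,109 @@ Function Invoke-AddDefenderDeployment {
 if ($ASR -and $ASR.AssignTo -ne 'none') {
 $AssignBody = if ($ASR.AssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($asr.AssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
 $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($EDRRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
-Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenant) -message "Assigned EDR policy $($DisplayName) to $($ASR.AssignTo)" -Sev 'Info'
+Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Assigned EDR policy $($DisplayName) to $($ASR.AssignTo)" -Sev 'Info'
 }
 "$($tenant): Successfully added EDR Settings"
 }
 }
 }
+# Exclusion Policy Section
+$ExclusionToggle = $Request.Body.showExclusionPolicy
+$ExcludedExtensions = $Request.Body.Exclusion.excludedExtensions
+$ExcludedPaths = $Request.Body.Exclusion.excludedPaths
+$ExcludedProcesses = $Request.Body.Exclusion.excludedProcesses
+$ExclusionAssignTo = $Request.Body.Exclusion.AssignTo
+if ($ExclusionToggle -and $DefenderExclusions) {
+function Escape-ExclusionValue($val) {
+$escaped = $val -replace '\\', '\\\\' # Escape backslashes
+if ($escaped -match ' ' -and -not ($escaped -match '^".*"$')) {
+$escaped = '"' + $escaped + '"'
+}
+return $escaped
+}
+$extArr = @()
+if ($ExcludedExtensions) {
+$extArr = $ExcludedExtensions | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = (Escape-ExclusionValue $_) }
+}
+}
+$pathArr = @()
+if ($ExcludedPaths) {
+$pathArr = $ExcludedPaths | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = (Escape-ExclusionValue $_) }
+}
+}
+$procArr = @()
+if ($ExcludedProcesses) {
+$procArr = $ExcludedProcesses | Where-Object { $_ -and $_.Trim() } | ForEach-Object {
+@{ '@odata.type' = '#microsoft.graph.deviceManagementConfigurationStringSettingValue'; value = (Escape-ExclusionValue $_) }
+}
+}
+$ExclusionSettings = @()
+if ($extArr.Count -gt 0) {
+$ExclusionSettings = $ExclusionSettings + @(@{
+id = '2'
+settingInstance = @{
+'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
+settingDefinitionId = 'device_vendor_msft_policy_config_defender_excludedextensions'
+settingInstanceTemplateReference = @{ settingInstanceTemplateId = 'c203725b-17dc-427b-9470-673a2ce9cd5e' }
+simpleSettingCollectionValue = @($extArr)
+}
+})
+}
+if ($pathArr.Count -gt 0) {
+$ExclusionSettings = $ExclusionSettings + @(@{
+id = '1'
+settingInstance = @{
+'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
+settingDefinitionId = 'device_vendor_msft_policy_config_defender_excludedpaths'
+settingInstanceTemplateReference = @{ settingInstanceTemplateId = 'aaf04adc-c639-464f-b4a7-152e784092e8' }
+simpleSettingCollectionValue = @($pathArr)
+}
+})
+}
+if ($procArr.Count -gt 0) {
+$ExclusionSettings = $ExclusionSettings + @(@{
+id = '0'
+settingInstance = @{
+'@odata.type' = '#microsoft.graph.deviceManagementConfigurationSimpleSettingCollectionInstance'
+settingDefinitionId = 'device_vendor_msft_policy_config_defender_excludedprocesses'
+settingInstanceTemplateReference = @{ settingInstanceTemplateId = '96b046ed-f138-4250-9ae0-b0772a93d16f' }
+simpleSettingCollectionValue = @($procArr)
+}
+})
+}
+if ($ExclusionSettings.Count -gt 0) {
+$ExclusionBody = ConvertTo-Json -Depth 15 -Compress -InputObject @{
+name = 'Default AV Exclusion Policy'
+displayName = 'Default AV Exclusion Policy'
+settings = $ExclusionSettings
+platforms = 'windows10'
+technologies = 'mdm,microsoftSense'
+templateReference = @{
+templateId = '45fea5e9-280d-4da1-9792-fb5736da0ca9_1'
+templateFamily = 'endpointSecurityAntivirus'
+templateDisplayName = 'Microsoft Defender Antivirus exclusions'
+templateDisplayVersion = 'Version 1'
+}
+}
+$CheckExistingExclusion = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant
+if ('Default AV Exclusion Policy' -in $CheckExistingExclusion.Name) {
+"$($tenant): Exclusion Policy already exists. Skipping"
+} else {
+$ExclusionRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $tenant -type POST -body $ExclusionBody
+if ($ExclusionAssignTo -and $ExclusionAssignTo -ne 'none') {
+$AssignBody = if ($ExclusionAssignTo -ne 'AllDevicesAndUsers') { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.' + $($ExclusionAssignTo) + 'AssignmentTarget"}}]}' } else { '{"assignments":[{"id":"","target":{"@odata.type":"#microsoft.graph.allDevicesAssignmentTarget"}},{"id":"","target":{"@odata.type":"#microsoft.graph.allLicensedUsersAssignmentTarget"}}]}' }
+$null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/deviceManagement/configurationPolicies('$($ExclusionRequest.id)')/assign" -tenantid $tenant -type POST -body $AssignBody
+Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Assigned Exclusion policy to $($ExclusionAssignTo)" -Sev 'Info'
+}
+"$($tenant): Successfully set Default AV Exclusion Policy settings"
+}
+}
+}
 } catch {
 "Failed to add policy for $($tenant): $($_.Exception.Message)"
-Write-LogMessage -headers $Request.Headers -API $APINAME -tenant $($tenant) -message "Failed adding policy $($DisplayName). Error: $($_.Exception.Message)" -Sev 'Error'
+Write-LogMessage -headers $Headers -API $APINAME -tenant $($tenant) -message "Failed adding policy $($DisplayName). Error: $($_.Exception.Message)" -Sev 'Error'
 continue
 }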
