feat: Add Invoke-AddDefenderTemplate function and update policy functions to support template-only mode

Author: JohnDuprey

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Endpoint/MEM/Invoke-AddDefenderTemplate.ps1

@@ -0,0 +1,136 @@
+function Invoke-AddDefenderTemplate {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Endpoint.MEM.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+
+    $TemplateName = $Request.Body.templateName
+    if (-not $TemplateName) {
+        return ([HttpResponseContext]@{
+                StatusCode = [HttpStatusCode]::BadRequest
+                Body       = @{ Results = 'A template name prefix is required.' }
+            })
+    }
+
+    $PolicySettings = $Request.Body.Policy
+    $DefenderExclusions = $Request.Body.Exclusion
+    $ASR = $Request.Body.ASR
+    $EDR = $Request.Body.EDR
+    $Package = [string]$Request.Body.package
+
+    $Table = Get-CippTable -tablename 'templates'
+    $Table.Force = $true
+
+    $Results = [System.Collections.Generic.List[string]]::new()
+
+    try {
+        if ($PolicySettings) {
+            $GUID = (New-Guid).GUID
+            $PolicyJson = Set-CIPPDefenderAVPolicy -PolicySettings $PolicySettings -TemplateOnly
+            $Object = [PSCustomObject]@{
+                Displayname      = '{0} - AV Policy' -f $TemplateName
+                Description      = ''
+                RAWJson          = (ConvertTo-Json -Depth 15 -Compress -InputObject $PolicyJson)
+                Type             = 'Catalog'
+                GUID             = $GUID
+                ReusableSettings = @()
+            } | ConvertTo-Json -Compress
+            Add-CIPPAzDataTableEntity @Table -Entity @{
+                JSON         = "$Object"
+                RowKey       = "$GUID"
+                PartitionKey = 'IntuneTemplate'
+                GUID         = "$GUID"
+                Package      = $Package
+            }
+            $Results.Add('Successfully created AV Policy template')
+            Write-LogMessage -headers $Headers -API $APIName -message ("Created Defender AV Policy template '{0} - AV Policy'" -f $TemplateName) -Sev 'Info'
+        }
+
+        if ($ASR) {
+            $GUID = (New-Guid).GUID
+            $AsrJson = Set-CIPPDefenderASRPolicy -ASR $ASR -TemplateOnly
+            $Object = [PSCustomObject]@{
+                Displayname      = '{0} - ASR Policy' -f $TemplateName
+                Description      = ''
+                RAWJson          = (ConvertTo-Json -Depth 15 -Compress -InputObject $AsrJson)
+                Type             = 'Catalog'
+                GUID             = $GUID
+                ReusableSettings = @()
+            } | ConvertTo-Json -Compress
+            Add-CIPPAzDataTableEntity @Table -Entity @{
+                JSON         = "$Object"
+                RowKey       = "$GUID"
+                PartitionKey = 'IntuneTemplate'
+                GUID         = "$GUID"
+                Package      = $Package
+            }
+            $Results.Add('Successfully created ASR Policy template')
+            Write-LogMessage -headers $Headers -API $APIName -message ("Created Defender ASR Policy template '{0} - ASR Policy'" -f $TemplateName) -Sev 'Info'
+        }
+
+        if ($EDR) {
+            $GUID = (New-Guid).GUID
+            $EdrJson = Set-CIPPDefenderEDRPolicy -EDR $EDR -TemplateOnly
+            if ($EdrJson) {
+                $Object = [PSCustomObject]@{
+                    Displayname      = '{0} - EDR Policy' -f $TemplateName
+                    Description      = ''
+                    RAWJson          = (ConvertTo-Json -Depth 15 -Compress -InputObject $EdrJson)
+                    Type             = 'Catalog'
+                    GUID             = $GUID
+                    ReusableSettings = @()
+                } | ConvertTo-Json -Compress
+                Add-CIPPAzDataTableEntity @Table -Entity @{
+                    JSON         = "$Object"
+                    RowKey       = "$GUID"
+                    PartitionKey = 'IntuneTemplate'
+                    GUID         = "$GUID"
+                    Package      = $Package
+                }
+                $Results.Add('Successfully created EDR Policy template')
+                Write-LogMessage -headers $Headers -API $APIName -message ("Created Defender EDR Policy template '{0} - EDR Policy'" -f $TemplateName) -Sev 'Info'
+            }
+        }
+
+        if ($DefenderExclusions) {
+            $GUID = (New-Guid).GUID
+            $ExclusionJson = Set-CIPPDefenderExclusionPolicy -DefenderExclusions $DefenderExclusions -TemplateOnly
+            if ($ExclusionJson) {
+                $Object = [PSCustomObject]@{
+                    Displayname      = '{0} - AV Exclusion Policy' -f $TemplateName
+                    Description      = ''
+                    RAWJson          = (ConvertTo-Json -Depth 15 -Compress -InputObject $ExclusionJson)
+                    Type             = 'Catalog'
+                    GUID             = $GUID
+                    ReusableSettings = @()
+                } | ConvertTo-Json -Compress
+                Add-CIPPAzDataTableEntity @Table -Entity @{
+                    JSON         = "$Object"
+                    RowKey       = "$GUID"
+                    PartitionKey = 'IntuneTemplate'
+                    GUID         = "$GUID"
+                    Package      = $Package
+                }
+                $Results.Add('Successfully created AV Exclusion Policy template')
+                Write-LogMessage -headers $Headers -API $APIName -message ("Created Defender AV Exclusion Policy template '{0} - AV Exclusion Policy'" -f $TemplateName) -Sev 'Info'
+            }
+        }
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        $FullError = "Failed to create template: $($ErrorMessage.NormalizedMessage) | $($_.InvocationInfo.ScriptName):$($_.InvocationInfo.ScriptLineNumber) | $($_.Exception.GetType().FullName)"
+        $Results.Add($FullError)
+        Write-LogMessage -headers $Headers -API $APIName -message $FullError -Sev 'Error' -LogData $ErrorMessage
+    }
+
+    return ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = @{ Results = @($Results) }
+        })
+}

Modules/CIPPCore/Public/Set-CIPPDefenderASRPolicy.ps1

@@ -8,7 +8,8 @@ function Set-CIPPDefenderASRPolicy {
         [string]$TenantFilter,
         $ASR,
         $Headers,
-        [string]$APIName
+        [string]$APIName,
+        [switch]$TemplateOnly
     )
 
     # Fallback to block mode
@@ -52,7 +53,7 @@ function Set-CIPPDefenderASRPolicy {
         }
     }
 
-    $ASRbody = ConvertTo-Json -Depth 15 -Compress -InputObject @{
+    $ASRBodyObj = @{
         name              = 'ASR Default rules'
         description       = ''
         platforms         = 'windows10'
@@ -70,6 +71,9 @@ function Set-CIPPDefenderASRPolicy {
             })
     }
 
+    if ($TemplateOnly) { return $ASRBodyObj }
+
+    $ASRbody = ConvertTo-Json -Depth 15 -Compress -InputObject $ASRBodyObj
     $CheckExistingASR = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $TenantFilter
     if ('ASR Default rules' -in $CheckExistingASR.Name) {
         "$($TenantFilter): ASR Policy already exists. Skipping"

Modules/CIPPCore/Public/Set-CIPPDefenderAVPolicy.ps1

@@ -8,7 +8,8 @@ function Set-CIPPDefenderAVPolicy {
         [string]$TenantFilter,
         $PolicySettings,
         $Headers,
-        [string]$APIName
+        [string]$APIName,
+        [switch]$TemplateOnly
     )
 
     # Builds a choice-type setting entry
@@ -157,19 +158,23 @@ function Set-CIPPDefenderAVPolicy {
             })
     }
 
+    $PolBodyObj = @{
+        name              = 'Default AV Policy'
+        description       = ''
+        platforms         = 'windows10'
+        technologies      = 'mdm,microsoftSense'
+        roleScopeTagIds   = @('0')
+        templateReference = @{ templateId = '804339ad-1553-4478-a742-138fb5807418_1' }
+        settings          = @($Settings)
+    }
+
+    if ($TemplateOnly) { return $PolBodyObj }
+
     $CheckExisting = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $TenantFilter
     if ('Default AV Policy' -in $CheckExisting.Name) {
         "$($TenantFilter): AV Policy already exists. Skipping"
     } else {
-        $PolBody = ConvertTo-Json -Depth 10 -Compress -InputObject @{
-            name              = 'Default AV Policy'
-            description       = ''
-            platforms         = 'windows10'
-            technologies      = 'mdm,microsoftSense'
-            roleScopeTagIds   = @('0')
-            templateReference = @{ templateId = '804339ad-1553-4478-a742-138fb5807418_1' }
-            settings          = @($Settings)
-        }
+        $PolBody = ConvertTo-Json -Depth 10 -Compress -InputObject $PolBodyObj
 
         $PolicyRequest = New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $TenantFilter -type POST -body $PolBody
         if ($PolicySettings.AssignTo -ne 'None') {

Modules/CIPPCore/Public/Set-CIPPDefenderEDRPolicy.ps1

@@ -8,7 +8,8 @@ function Set-CIPPDefenderEDRPolicy {
         [string]$TenantFilter,
         $EDR,
         $Headers,
-        [string]$APIName
+        [string]$APIName,
+        [switch]$TemplateOnly
     )
 
     $EDRSettings = [System.Collections.Generic.List[object]]::new()
@@ -57,7 +58,7 @@ function Set-CIPPDefenderEDRPolicy {
     }
 
     if (($EDRSettings | Measure-Object).Count -gt 0) {
-        $EDRbody = ConvertTo-Json -Depth 15 -Compress -InputObject @{
+        $EDRBodyObj = @{
             name              = 'EDR Configuration'
             description       = ''
             platforms         = 'windows10'
@@ -66,6 +67,8 @@ function Set-CIPPDefenderEDRPolicy {
             templateReference = @{templateId = '0385b795-0f2f-44ac-8602-9f65bf6adede_1' }
             settings          = @($EDRSettings)
         }
+        if ($TemplateOnly) { return $EDRBodyObj }
+        $EDRbody = ConvertTo-Json -Depth 15 -Compress -InputObject $EDRBodyObj
         Write-Host ($EDRbody)
         $CheckExistingEDR = New-GraphGETRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $TenantFilter | Where-Object -Property Name -EQ 'EDR Configuration'
         if ($CheckExistingEDR) {

Modules/CIPPCore/Public/Set-CIPPDefenderExclusionPolicy.ps1

@@ -8,7 +8,8 @@ function Set-CIPPDefenderExclusionPolicy {
         [string]$TenantFilter,
         $DefenderExclusions,
         $Headers,
-        [string]$APIName
+        [string]$APIName,
+        [switch]$TemplateOnly
     )
 
     $ExclusionAssignTo = $DefenderExclusions.AssignTo
@@ -64,7 +65,7 @@ function Set-CIPPDefenderExclusionPolicy {
     }
 
     if ($ExclusionSettings.Count -gt 0) {
-        $ExclusionBody = ConvertTo-Json -Depth 15 -Compress -InputObject @{
+        $ExclusionBodyObj = @{
             name              = 'Default AV Exclusion Policy'
             displayName       = 'Default AV Exclusion Policy'
             settings          = @($ExclusionSettings)
@@ -77,6 +78,8 @@ function Set-CIPPDefenderExclusionPolicy {
                 templateDisplayVersion = 'Version 1'
             }
         }
+        if ($TemplateOnly) { return $ExclusionBodyObj }
+        $ExclusionBody = ConvertTo-Json -Depth 15 -Compress -InputObject $ExclusionBodyObj
         $CheckExistingExclusion = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies' -tenantid $TenantFilter
         if ('Default AV Exclusion Policy' -in $CheckExistingExclusion.Name) {
             "$($TenantFilter): Exclusion Policy already exists. Skipping"