
manage_intune_windows_policies

Manage Intune Windows policies to configure security baselines, compliance rules, update rings, and assign them to devices for enterprise device management.

Instructions

Manage Windows configuration profiles and compliance policies including security baselines and update rings.

Input Schema

| Name | Required | Description | Default |
| --- | --- | --- | --- |
| action | Yes | Intune Windows policy management action | |
| policyId | No | Policy ID for policy-specific operations | |
| policyType | Yes | Type of Windows policy | |
| name | No | Policy name | |
| description | No | Policy description | |
| settings | No | Policy configuration settings | |
| assignments | No | Policy assignments | |
| deploymentSettings | No | Deployment settings | |

Implementation Reference

  • Core handler function implementing manage_intune_windows_policies tool logic: CRUD operations on Windows configuration/compliance policies, assignments, Settings Catalog and Platform Protection Configuration (PPC) policy creation from templates.
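    /**
     * Graph collection that a Windows policy type is stored under.
     *
     * 'Configuration' and 'Update' share deviceConfigurations; 'Security' and
     * 'EndpointSecurity' share intents. The default branch is kept even though the
     * union is exhaustive: tool arguments arrive as JSON, so an unknown value can
     * still reach this at runtime.
     *
     * @throws McpError(InvalidParams) for a policyType outside the union.
     */
    function policyCollectionPath(policyType: IntuneWindowsPolicyArgs['policyType']): string {
      switch (policyType) {
        case 'Configuration':
        case 'Update':
          return '/deviceManagement/deviceConfigurations';
        case 'Compliance':
          return '/deviceManagement/deviceCompliancePolicies';
        case 'Security':
        case 'EndpointSecurity':
          return '/deviceManagement/intents';
        case 'AppProtection':
          return '/deviceAppManagement/managedAppPolicies';
        default:
          throw new McpError(ErrorCode.InvalidParams, `Unknown policy type: ${String(policyType)}`);
      }
    }

    /**
     * Path of a single policy. The caller-supplied id is percent-encoded so a value
     * containing '/', '?' or '..' cannot change which resource the request addresses;
     * a plain GUID is unchanged by the encoding.
     */
    function policyItemPath(policyType: IntuneWindowsPolicyArgs['policyType'], policyId: string): string {
      return `${policyCollectionPath(policyType)}/${encodeURIComponent(policyId)}`;
    }

    /** Returns args.policyId, or throws the action-specific InvalidParams error. */
    function requirePolicyId(args: IntuneWindowsPolicyArgs): string {
      if (!args.policyId) {
        throw new McpError(ErrorCode.InvalidParams, `policyId is required for ${args.action} action`);
      }
      return args.policyId;
    }

    /**
     * Own-property check for a template name. A bare `in` test would also accept
     * prototype keys such as 'constructor' or 'toString', and the name comes from
     * the tool arguments.
     */
    function hasOwnTemplate(templates: object, name: string): boolean {
      return Object.prototype.hasOwnProperty.call(templates, name);
    }

    /**
     * MCP tool handler for `manage_intune_windows_policies`.
     *
     * Dispatches on `args.action`:
     *  - list / get / create / update / delete / assign operate on the Graph
     *    collection selected by `args.policyType`;
     *  - deploy only reads the policy's current assignments and reports their
     *    count — no deployment request is sent, and it always queries
     *    deviceConfigurations regardless of policyType;
     *  - create_settings_catalog / create_ppc build a policy from a built-in
     *    template (or a caller-supplied definition), validate it, POST it and,
     *    when assignments are given, assign it;
     *  - list_templates enumerates the built-in template names and descriptions.
     *
     * @param graphClient Graph client used for every request.
     * @param args Tool arguments as received from the MCP client (untrusted JSON).
     * @returns A single text content item wrapping the JSON-serialised result.
     * @throws McpError(InvalidParams) for a missing required argument, an unknown
     *   action or policyType, or a template policy that fails validation.
     */
    export async function handleIntuneWindowsPolicies(
      graphClient: Client,
      args: IntuneWindowsPolicyArgs
    ): Promise<{ content: { type: string; text: string }[] }> {
      // Intune-specific client for proper authentication.
      // NOTE(review): this client is never used — every request below goes through
      // graphClient. Confirm which client is meant to carry the Intune calls.
      const intuneClient = createIntuneGraphClient(graphClient);

      let result: Record<string, unknown>;

      switch (args.action) {
        case 'list': {
          let apiPath = policyCollectionPath(args.policyType);
          if (args.policyType === 'Update') {
            apiPath += '?$filter=deviceManagementApplicabilityRuleOsEdition/osEditionTypes/any(x:x eq \'windows10Enterprise\')';
          } else if (args.policyType === 'EndpointSecurity') {
            // NOTE(review): the same GUID is labelled "Security baseline template" in
            // the create branch below and DEVICE_RESTRICTIONS in the templates module;
            // confirm this is the intended filter.
            apiPath += '?$filter=templateId eq \'d1174162-1dd2-4976-affc-6667049ab0ae\''; // Endpoint Security template
          }
          result = await graphClient.api(apiPath).get();
          break;
        }

        case 'get':
          result = await graphClient.api(policyItemPath(args.policyType, requirePolicyId(args))).get();
          break;

        case 'create': {
          if (!args.name) {
            throw new McpError(ErrorCode.InvalidParams, 'name is required for create action');
          }
          // Rejects an unknown policyType before any payload is built.
          const apiPath = policyCollectionPath(args.policyType);
          const createPayload: Record<string, unknown> = {
            displayName: args.name,
            description: args.description || '',
            ...args.settings
          };
          // Per-type discriminator Graph needs on the new object: an @odata.type for
          // plain configuration/compliance objects, a templateId for intents.
          switch (args.policyType) {
            case 'Configuration':
              createPayload['@odata.type'] = '#microsoft.graph.windows10GeneralConfiguration';
              break;
            case 'Compliance':
              createPayload['@odata.type'] = '#microsoft.graph.windows10CompliancePolicy';
              break;
            case 'Security':
              createPayload['templateId'] = 'd1174162-1dd2-4976-affc-6667049ab0ae'; // Security baseline template
              break;
            case 'Update':
              createPayload['@odata.type'] = '#microsoft.graph.windowsUpdateForBusinessConfiguration';
              break;
            case 'AppProtection':
              createPayload['@odata.type'] = '#microsoft.graph.windowsManagedAppProtection';
              break;
            case 'EndpointSecurity':
              createPayload['templateId'] = 'e044e60e-5901-41ea-92c5-87e8b6edd6bb'; // Endpoint Security template
              break;
          }
          result = await graphClient.api(apiPath).post(createPayload);
          break;
        }

        case 'update': {
          const apiPath = policyItemPath(args.policyType, requirePolicyId(args));
          const updatePayload: Record<string, unknown> = {};
          if (args.name) updatePayload['displayName'] = args.name;
          // An empty description counts as "not provided" and cannot be cleared here.
          if (args.description) updatePayload['description'] = args.description;
          if (args.settings) Object.assign(updatePayload, args.settings);
          result = await graphClient.api(apiPath).patch(updatePayload);
          break;
        }

        case 'delete':
          result = await graphClient.api(policyItemPath(args.policyType, requirePolicyId(args))).delete();
          break;

        case 'assign': {
          if (!args.policyId || !args.assignments) {
            throw new McpError(ErrorCode.InvalidParams, 'policyId and assignments are required for assign action');
          }
          const apiPath = `${policyItemPath(args.policyType, args.policyId)}/assign`;
          result = await graphClient.api(apiPath).post({ assignments: args.assignments });
          break;
        }

        case 'deploy': {
          const policyId = requirePolicyId(args);
          // Only reads the current assignments; no deployment request is issued and
          // deploymentSettings are echoed back, not sent to Graph.
          // NOTE(review): always queries deviceConfigurations regardless of policyType.
          const apiPath = `/deviceManagement/deviceConfigurations/${encodeURIComponent(policyId)}/assignments`;
          const current: { value?: unknown[] } = await graphClient.api(apiPath).get();
          result = {
            message: 'Policy deployment initiated',
            policyId,
            assignmentCount: current.value?.length ?? 0,
            deploymentSettings: args.deploymentSettings
          };
          break;
        }

        case 'create_settings_catalog': {
          if (!args.settingsCatalogTemplate) {
            throw new McpError(ErrorCode.InvalidParams, 'settingsCatalogTemplate is required for create_settings_catalog action');
          }
          let catalogPolicy: SettingsCatalogPolicy;
          if (hasOwnTemplate(SETTINGS_CATALOG_POLICY_TEMPLATES, args.settingsCatalogTemplate)) {
            const params = args.settingsCatalogParams;
            // Two templates take tuning parameters (undefined falls back to the
            // template defaults); the rest are parameterless.
            if (args.settingsCatalogTemplate === 'WINDOWS_UPDATE' && params) {
              catalogPolicy = SETTINGS_CATALOG_POLICY_TEMPLATES.WINDOWS_UPDATE(params.deferQualityDays, params.deferFeatureDays);
            } else if (args.settingsCatalogTemplate === 'PASSWORD_POLICY' && params) {
              catalogPolicy = SETTINGS_CATALOG_POLICY_TEMPLATES.PASSWORD_POLICY(params.minLength, params.complexity);
            } else {
              catalogPolicy = SETTINGS_CATALOG_POLICY_TEMPLATES[args.settingsCatalogTemplate]();
            }
          } else if (args.customSettingsCatalogPolicy) {
            // Caller-supplied definition; only validateSettingsCatalogPolicy checks it.
            catalogPolicy = args.customSettingsCatalogPolicy;
          } else {
            throw new McpError(ErrorCode.InvalidParams, 'Invalid settingsCatalogTemplate or customSettingsCatalogPolicy required');
          }
          // Caller overrides win over the template values; copy rather than mutate
          // so a caller-supplied object is left untouched.
          if (args.name) catalogPolicy = { ...catalogPolicy, name: args.name };
          if (args.description) catalogPolicy = { ...catalogPolicy, description: args.description };

          const validation = validateSettingsCatalogPolicy(catalogPolicy);
          if (!validation.valid) {
            throw new McpError(
              ErrorCode.InvalidParams,
              `Invalid Settings Catalog policy: ${validation.errors.join(', ')}`
            );
          }
          const catalogPayload = {
            name: catalogPolicy.name,
            description: catalogPolicy.description || '',
            platforms: catalogPolicy.platforms,
            technologies: catalogPolicy.technologies,
            settings: catalogPolicy.settings,
            templateReference: catalogPolicy.templateReference
          };
          result = await graphClient.api('/deviceManagement/configurationPolicies').post(catalogPayload);
          if (args.assignments && args.assignments.length > 0) {
            const assignPath = `/deviceManagement/configurationPolicies/${encodeURIComponent(String(result['id']))}/assign`;
            await graphClient.api(assignPath).post({ assignments: args.assignments });
          }
          result['message'] = 'Settings Catalog policy created successfully';
          result['template'] = args.settingsCatalogTemplate;
          break;
        }

        case 'create_ppc': {
          if (!args.ppcTemplate) {
            throw new McpError(ErrorCode.InvalidParams, 'ppcTemplate is required for create_ppc action');
          }
          let ppcPolicy: PPCPolicyConfig;
          if (hasOwnTemplate(PPC_POLICY_TEMPLATES, args.ppcTemplate)) {
            ppcPolicy = PPC_POLICY_TEMPLATES[args.ppcTemplate]();
          } else if (args.customPPCPolicy) {
            // Caller-supplied definition; only validatePPCPolicy checks it.
            ppcPolicy = args.customPPCPolicy;
          } else {
            throw new McpError(ErrorCode.InvalidParams, 'Invalid ppcTemplate or customPPCPolicy required');
          }
          if (args.name) ppcPolicy = { ...ppcPolicy, name: args.name };
          if (args.description) ppcPolicy = { ...ppcPolicy, description: args.description };

          const ppcValidation = validatePPCPolicy(ppcPolicy);
          if (!ppcValidation.valid) {
            throw new McpError(
              ErrorCode.InvalidParams,
              `Invalid PPC policy: ${ppcValidation.errors.join(', ')}`
            );
          }
          // Security Management Intent API: every setting is sent as a string-valued
          // delta, whatever its original type.
          const ppcPayload = {
            displayName: ppcPolicy.name,
            description: ppcPolicy.description || '',
            templateId: ppcPolicy.templateId,
            settingsDelta: ppcPolicy.settings.map((setting) => ({
              '@odata.type': '#microsoft.graph.deviceManagementIntentSettingDelta',
              definitionId: setting.id,
              value: {
                '@odata.type': '#microsoft.graph.deviceManagementStringValue',
                value: String(setting.value)
              },
              valueState: setting.valueState || 'configured'
            }))
          };
          result = await graphClient.api('/deviceManagement/intents').post(ppcPayload);
          if (args.assignments && args.assignments.length > 0) {
            const assignPath = `/deviceManagement/intents/${encodeURIComponent(String(result['id']))}/assign`;
            await graphClient.api(assignPath).post({ assignments: args.assignments });
          }
          result['message'] = 'PPC policy created successfully';
          result['template'] = args.ppcTemplate;
          break;
        }

        case 'list_templates':
          // Each template is a factory; build it once to read its description.
          result = {
            settingsCatalogTemplates: Object.entries(SETTINGS_CATALOG_POLICY_TEMPLATES).map(([name, build]) => ({
              name,
              description: build().description
            })),
            ppcTemplates: Object.entries(PPC_POLICY_TEMPLATES).map(([name, build]) => ({
              name,
              description: build().description
            }))
          };
          break;

        default:
          throw new McpError(ErrorCode.InvalidParams, `Unknown action: ${String(args.action)}`);
      }

      return {
        content: [
          {
            type: 'text',
            text: `Windows Policy Management Result:\n${JSON.stringify(result, null, 2)}`
          }
        ]
      };
    }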
  • Type definition for tool input parameters (IntuneWindowsPolicyArgs), including actions, policy types, settings, assignments, and template parameters.
    /**
     * Arguments accepted by the `manage_intune_windows_policies` tool.
     *
     * Which fields the handler reads depends on `action`: the Graph CRUD actions
     * (list/get/create/update/delete/assign) use `policyType`, `policyId`, `name`,
     * `description`, `settings` and `assignments`; `create_settings_catalog` and
     * `create_ppc` use the `settingsCatalog*` / `ppc*` fields plus `name`,
     * `description` and `assignments`; `list_templates` reads nothing else.
     * The input schema shown for the tool lists only the first eight fields; the
     * template fields are accepted by the handler but not advertised there.
     */
    export interface IntuneWindowsPolicyArgs {
      // Operation to perform; the handler rejects any other value.
      action: 'list' | 'get' | 'create' | 'update' | 'delete' | 'assign' | 'deploy' | 'create_settings_catalog' | 'create_ppc' | 'list_templates';
      // Target policy; required by get/update/delete/assign/deploy.
      policyId?: string;
      // Selects the Graph collection. Required by the schema, but deploy and the
      // template actions do not consult it.
      policyType: 'Configuration' | 'Compliance' | 'Security' | 'Update' | 'AppProtection' | 'EndpointSecurity';
      // Display name (required by create) or an override of a template's name.
      name?: string;
      description?: string;
      // Merged verbatim into the create/update payload.
      settings?: WindowsPolicySettings;
      assignments?: PolicyAssignment[];
      // Echoed back in the deploy result; not sent to Graph.
      deploymentSettings?: {
        installBehavior?: 'doNotInstall' | 'installAsManaged' | 'installAsUnmanaged';
        uninstallOnDeviceRemoval?: boolean;
        installAsManaged?: boolean;
        rebootBehavior?: 'allow' | 'suppress' | 'force';
      };
      // Settings Catalog Policy parameters
      // Name of a built-in template; any other value requires customSettingsCatalogPolicy.
      settingsCatalogTemplate?: 'BITLOCKER_ENCRYPTION' | 'DEFENDER_ANTIVIRUS' | 'WINDOWS_UPDATE' | 'FIREWALL_CONFIGURATION' | 'PASSWORD_POLICY' | 'ATTACK_SURFACE_REDUCTION';
      // Only WINDOWS_UPDATE (deferQualityDays/deferFeatureDays) and
      // PASSWORD_POLICY (minLength/complexity) consume these.
      settingsCatalogParams?: {
        deferQualityDays?: number;
        deferFeatureDays?: number;
        minLength?: number;
        complexity?: number;
      };
      // Caller-supplied policy used when settingsCatalogTemplate is not built in.
      // NOTE(review): typed `any`; the handler only checks it via validateSettingsCatalogPolicy.
      customSettingsCatalogPolicy?: any;
      // PPC Policy parameters
      ppcTemplate?: 'ATTACK_SURFACE_REDUCTION_PPC' | 'EXPLOIT_PROTECTION_PPC' | 'WEB_PROTECTION_PPC';
      // Caller-supplied policy used when ppcTemplate is not built in.
      // NOTE(review): typed `any`; the handler only checks it via validatePPCPolicy.
      customPPCPolicy?: any;
    }
  • Supporting module providing pre-built Settings Catalog and PPC policy templates, creation helpers, and validation functions used in the handler for template-based policy creation.
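    /**
     * Intune Policy Templates and Helpers
     * Provides templates and utilities for creating Settings Catalog and PPC policies
     */

    // Settings Catalog Template IDs
    // NOTE(review): several of these GUIDs carry repeating digit patterns (e.g. the
    // EDGE, APP_CONFIGURATION and PPC EXPLOIT/WEB entries) and look like
    // placeholders; verify each against the tenant's template list before use.
    // DEVICE_RESTRICTIONS and SECURITY_BASELINE_DEFENDER are also hard-coded in the
    // policy handler under different labels.
    export const SETTINGS_CATALOG_TEMPLATES = {
      // Windows Security Baselines
      SECURITY_BASELINE_WINDOWS: '034ccd46-190c-4afc-adf1-ad7cc11262eb',
      SECURITY_BASELINE_EDGE: '87e5e4ad-6f6c-4cdf-9c7a-5c6f8e1e8e8e',
      SECURITY_BASELINE_DEFENDER: 'e044e60e-5901-41ea-92c5-87e8b6edd6bb',
      // Device Configuration
      DEVICE_RESTRICTIONS: 'd1174162-1dd2-4976-affc-6667049ab0ae',
      ENDPOINT_PROTECTION: '0e237410-1367-4844-bd7f-15fb0f08943b',
      // Application Management
      APP_CONFIGURATION: '95d6e8e0-0f9e-4e5a-9c7e-3c3f0f2f1f1f',
    };

    // Platform Protection Configuration Templates
    export const PPC_TEMPLATES = {
      ATTACK_SURFACE_REDUCTION: '9dc5088e-2e9e-4d98-bc1f-89c6a6f0e6e6',
      EXPLOIT_PROTECTION: '15e3f5e0-9c3e-4a8e-9e0a-7c8e0e9e0e9e',
      WEB_PROTECTION: '2e9e8e0e-9e0e-4e0e-9e0e-8e0e9e0e9e0e',
    };

    /**
     * Settings Catalog Policy Structure
     *
     * `platforms` and `technologies` are single values here; the handler posts
     * them to /deviceManagement/configurationPolicies as-is.
     */
    export interface SettingsCatalogPolicy {
      name: string;
      description?: string;
      platforms: 'windows10' | 'macOS' | 'iOS' | 'android';
      technologies: 'mdm' | 'windows10Endpointprotection' | 'configManager';
      settings: SettingsCatalogSetting[];
      templateReference?: {
        templateId: string;
        templateFamily?: string;
      };
    }

    /** One entry of SettingsCatalogPolicy.settings, as built by createSettingsCatalogSetting. */
    export interface SettingsCatalogSetting {
      '@odata.type': string;
      settingInstance: {
        '@odata.type': string;
        settingDefinitionId: string;
        [key: string]: any;
      };
    }

    /**
     * Common Settings Catalog Setting Definitions
     */
    export const COMMON_SETTINGS_DEFINITIONS = {
      // BitLocker Settings
      BITLOCKER_REQUIRE_DEVICE_ENCRYPTION: 'device_vendor_msft_bitlocker_requiredeviceencryption',
      BITLOCKER_FIXED_DRIVE_ENCRYPTION_TYPE: 'device_vendor_msft_bitlocker_fixeddrivesencryptiontype',
      BITLOCKER_REMOVABLE_DRIVE_ENCRYPTION_TYPE: 'device_vendor_msft_bitlocker_removabledrivesencryptiontype',
      // Windows Defender Settings
      DEFENDER_REAL_TIME_PROTECTION: 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring',
      DEFENDER_CLOUD_PROTECTION: 'device_vendor_msft_policy_config_defender_allowcloudprotection',
      DEFENDER_BEHAVIOR_MONITORING: 'device_vendor_msft_policy_config_defender_allowbehaviormonitoring',
      DEFENDER_SCAN_TYPE: 'device_vendor_msft_policy_config_defender_scanparameter',
      // Windows Update Settings
      UPDATE_BRANCH_READINESS_LEVEL: 'device_vendor_msft_policy_config_update_branchreadinesslevel',
      UPDATE_DEFER_QUALITY_UPDATES: 'device_vendor_msft_policy_config_update_deferqualityupdatesperiodindays',
      UPDATE_DEFER_FEATURE_UPDATES: 'device_vendor_msft_policy_config_update_deferfeatureupdatesperiodindays',
      // Firewall Settings
      FIREWALL_DOMAIN_PROFILE_ENABLED: 'vendor_msft_firewall_mdmstore_domainprofile_enablefirewall',
      FIREWALL_PUBLIC_PROFILE_ENABLED: 'vendor_msft_firewall_mdmstore_publicprofile_enablefirewall',
      FIREWALL_PRIVATE_PROFILE_ENABLED: 'vendor_msft_firewall_mdmstore_privateprofile_enablefirewall',
      // Password Policy Settings
      PASSWORD_MIN_LENGTH: 'device_vendor_msft_policy_config_devicelock_mindevicepasswordlength',
      PASSWORD_COMPLEXITY: 'device_vendor_msft_policy_config_devicelock_mindevicepasswordcomplexcharacters',
      PASSWORD_EXPIRATION: 'device_vendor_msft_policy_config_devicelock_devicepasswordexpiration',
      PASSWORD_HISTORY: 'device_vendor_msft_policy_config_devicelock_devicepasswordhistory',
      // Application Control
      APPLOCKER_EXE_RULES: 'device_vendor_msft_applocker_applicationlaunchrestrictions_groupname_exe',
      APPLOCKER_DLL_RULES: 'device_vendor_msft_applocker_applicationlaunchrestrictions_groupname_dll',
      // Attack Surface Reduction
      ASR_RULES: 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules',
      ASR_ONLY_EXCLUSIONS: 'device_vendor_msft_policy_config_defender_attacksurfacereductiononlyexclusions',
    };

    /**
     * Create a Settings Catalog setting
     *
     * Wraps `value` in a simple setting instance whose value object is typed by
     * `valueType`:
     *  - 'int'        → IntegerSettingValue; the value is parsed in base 10 and a
     *                   non-numeric input throws instead of silently sending NaN;
     *  - 'boolean'    → ChoiceSettingValue with the option id `<definitionId>_1|_0`;
     *  - 'collection' → GroupSettingCollectionInstance carrying the raw value;
     *  - 'string'     → StringSettingValue (default), value stringified.
     *
     * NOTE(review): the 'boolean' and 'collection' shapes place Choice/Collection
     * types under `simpleSettingValue` of a SimpleSettingInstance; confirm this
     * against the Graph settings-catalog schema before relying on it.
     *
     * @param settingDefinitionId Catalog definition id (see COMMON_SETTINGS_DEFINITIONS).
     * @param value Raw value; interpretation depends on `valueType`.
     * @param valueType Value encoding, default 'string'.
     * @throws TypeError when `valueType` is 'int' and `value` is not an integer.
     */
    export function createSettingsCatalogSetting(
      settingDefinitionId: string,
      value: unknown,
      valueType: 'string' | 'int' | 'boolean' | 'collection' = 'string'
    ): SettingsCatalogSetting {
      const baseType = '#microsoft.graph.deviceManagementConfiguration';
      let simpleSettingValue: Record<string, unknown>;

      switch (valueType) {
        case 'int': {
          // String() first so numbers and numeric strings take the same path;
          // explicit radix so "010" is not read as octal.
          const parsed = Number.parseInt(String(value), 10);
          if (Number.isNaN(parsed)) {
            throw new TypeError(`Setting ${settingDefinitionId}: expected an integer, got ${String(value)}`);
          }
          simpleSettingValue = { '@odata.type': `${baseType}IntegerSettingValue`, value: parsed };
          break;
        }
        case 'boolean':
          simpleSettingValue = {
            '@odata.type': `${baseType}ChoiceSettingValue`,
            value: `${settingDefinitionId}_${value ? '1' : '0'}`,
            children: []
          };
          break;
        case 'collection':
          simpleSettingValue = {
            '@odata.type': `${baseType}GroupSettingCollectionInstance`,
            groupSettingCollectionValue: value
          };
          break;
        default:
          simpleSettingValue = { '@odata.type': `${baseType}StringSettingValue`, value: String(value) };
      }

      return {
        '@odata.type': `${baseType}SettingInstance`,
        settingInstance: {
          '@odata.type': `${baseType}SimpleSettingInstance`,
          settingDefinitionId,
          simpleSettingValue
        }
      };
    }

    /**
     * Pre-built Settings Catalog Policy Templates
     *
     * Each entry is a factory returning a fresh policy object, so callers may
     * modify the result without affecting later calls.
     */
    export const SETTINGS_CATALOG_POLICY_TEMPLATES = {
      /**
       * BitLocker Encryption Policy
       */
      BITLOCKER_ENCRYPTION: (): SettingsCatalogPolicy => ({
        name: 'BitLocker Disk Encryption',
        description: 'Enforce BitLocker encryption on Windows devices',
        platforms: 'windows10',
        technologies: 'mdm',
        settings: [
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.BITLOCKER_REQUIRE_DEVICE_ENCRYPTION, true, 'boolean'),
          createSettingsCatalogSetting(
            COMMON_SETTINGS_DEFINITIONS.BITLOCKER_FIXED_DRIVE_ENCRYPTION_TYPE,
            1, // Full encryption
            'int'
          ),
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.BITLOCKER_REMOVABLE_DRIVE_ENCRYPTION_TYPE, 1, 'int')
        ]
      }),

      /**
       * Windows Defender Antivirus Policy
       */
      DEFENDER_ANTIVIRUS: (): SettingsCatalogPolicy => ({
        name: 'Windows Defender Antivirus Protection',
        description: 'Configure Windows Defender antivirus protection settings',
        platforms: 'windows10',
        technologies: 'mdm',
        settings: [
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.DEFENDER_REAL_TIME_PROTECTION, true, 'boolean'),
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.DEFENDER_CLOUD_PROTECTION, true, 'boolean'),
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.DEFENDER_BEHAVIOR_MONITORING, true, 'boolean'),
          createSettingsCatalogSetting(
            COMMON_SETTINGS_DEFINITIONS.DEFENDER_SCAN_TYPE,
            2, // Full scan
            'int'
          )
        ]
      }),

      /**
       * Windows Update Policy
       *
       * @param deferQualityDays Quality-update deferral in days (default 7).
       * @param deferFeatureDays Feature-update deferral in days (default 14).
       */
      WINDOWS_UPDATE: (deferQualityDays: number = 7, deferFeatureDays: number = 14): SettingsCatalogPolicy => ({
        name: 'Windows Update Configuration',
        description: 'Configure Windows Update settings and deferral periods',
        platforms: 'windows10',
        technologies: 'mdm',
        settings: [
          createSettingsCatalogSetting(
            COMMON_SETTINGS_DEFINITIONS.UPDATE_BRANCH_READINESS_LEVEL,
            16, // Current Branch for Business
            'int'
          ),
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.UPDATE_DEFER_QUALITY_UPDATES, deferQualityDays, 'int'),
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.UPDATE_DEFER_FEATURE_UPDATES, deferFeatureDays, 'int')
        ]
      }),

      /**
       * Firewall Policy
       */
      FIREWALL_CONFIGURATION: (): SettingsCatalogPolicy => ({
        name: 'Windows Firewall Configuration',
        description: 'Enable and configure Windows Firewall for all network profiles',
        platforms: 'windows10',
        technologies: 'mdm',
        settings: [
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.FIREWALL_DOMAIN_PROFILE_ENABLED, true, 'boolean'),
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.FIREWALL_PUBLIC_PROFILE_ENABLED, true, 'boolean'),
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.FIREWALL_PRIVATE_PROFILE_ENABLED, true, 'boolean')
        ]
      }),

      /**
       * Password Policy
       *
       * @param minLength Minimum password length (default 8).
       * @param complexity Minimum number of character classes (default 2).
       */
      PASSWORD_POLICY: (minLength: number = 8, complexity: number = 2): SettingsCatalogPolicy => ({
        name: 'Device Password Policy',
        description: 'Configure password requirements for Windows devices',
        platforms: 'windows10',
        technologies: 'mdm',
        settings: [
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.PASSWORD_MIN_LENGTH, minLength, 'int'),
          createSettingsCatalogSetting(COMMON_SETTINGS_DEFINITIONS.PASSWORD_COMPLEXITY, complexity, 'int'),
          createSettingsCatalogSetting(
            COMMON_SETTINGS_DEFINITIONS.PASSWORD_EXPIRATION,
            90, // 90 days
            'int'
          ),
          createSettingsCatalogSetting(
            COMMON_SETTINGS_DEFINITIONS.PASSWORD_HISTORY,
            24, // Remember 24 previous passwords
            'int'
          )
        ]
      }),

      /**
       * Attack Surface Reduction Rules
       *
       * Each entry is `<rule GUID>=<mode>`, where mode 1 = block.
       */
      ATTACK_SURFACE_REDUCTION: (): SettingsCatalogPolicy => ({
        name: 'Attack Surface Reduction Rules',
        description: 'Configure Attack Surface Reduction rules to protect against threats',
        platforms: 'windows10',
        technologies: 'mdm',
        settings: [
          createSettingsCatalogSetting(
            COMMON_SETTINGS_DEFINITIONS.ASR_RULES,
            [
              // Block executable content from email and webmail
              'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1',
              // Block Office applications from creating executable content
              '3B576869-A4EC-4529-8536-B80A7769E899=1',
              // Block Office applications from injecting code into other processes
              '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=1',
              // Block JavaScript or VBScript from launching downloaded executable content
              'D3E037E1-3EB8-44C8-A917-57927947596D=1',
              // Block execution of potentially obfuscated scripts
              '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=1'
            ],
            'collection'
          )
        ]
      })
    };

    /**
     * Platform Protection Configuration (PPC) Helper
     */
    export interface PPCPolicyConfig {
      name: string;
      description?: string;
      templateId: string;
      settings: PPCSetting[];
      // NOTE(review): declared but not read by createPPCPolicy, the templates or the handler.
      assignments?: any[];
    }

    /** One PPC setting; the handler serialises `value` with String() when posting. */
    export interface PPCSetting {
      id: string;
      value: any;
      valueState?: 'configured' | 'notConfigured';
    }

    /**
     * Create a PPC policy configuration
     *
     * @param name Display name.
     * @param templateId Intent template id (see PPC_TEMPLATES).
     * @param settings Map of setting id → value; every entry is marked 'configured'.
     * @param description Optional description; stored as '' when omitted.
     */
    export function createPPCPolicy(
      name: string,
      templateId: string,
      settings: Record<string, unknown>,
      description?: string
    ): PPCPolicyConfig {
      const ppcSettings: PPCSetting[] = Object.entries(settings).map(([id, value]) => ({
        id,
        value,
        valueState: 'configured'
      }));
      return {
        name,
        description: description || '',
        templateId,
        settings: ppcSettings
      };
    }

    /**
     * Pre-built PPC Policy Templates
     */
    export const PPC_POLICY_TEMPLATES = {
      /**
       * Attack Surface Reduction PPC Policy
       */
      ATTACK_SURFACE_REDUCTION_PPC: (): PPCPolicyConfig =>
        createPPCPolicy(
          'Attack Surface Reduction',
          PPC_TEMPLATES.ATTACK_SURFACE_REDUCTION,
          {
            'blockExecutableContentFromEmailAndWebmail': 'block',
            'blockOfficeAppsFromCreatingExecutableContent': 'block',
            'blockOfficeAppsFromInjectingIntoOtherProcesses': 'block',
            'blockJavaScriptOrVBScriptFromLaunchingContent': 'block',
            'blockExecutionOfPotentiallyObfuscatedScripts': 'block',
            'blockWin32ApiCallsFromOfficeMacros': 'block',
            'blockUntrustedUnsignedProcesses': 'block',
            'blockCredentialStealingFromWindowsLsass': 'block',
            'blockAdobeReaderFromCreatingChildProcesses': 'block',
            'blockPersistenceThroughWMIEventSubscription': 'block'
          },
          'Configure Attack Surface Reduction rules for endpoint protection'
        ),

      /**
       * Exploit Protection PPC Policy
       */
      EXPLOIT_PROTECTION_PPC: (): PPCPolicyConfig =>
        createPPCPolicy(
          'Exploit Protection',
          PPC_TEMPLATES.EXPLOIT_PROTECTION,
          {
            'dataExecutionPrevention': 'on',
            'controlFlowGuard': 'on',
            'randomizeMemoryAllocations': 'on',
            'validateExceptionChains': 'on',
            'validateStackIntegrity': 'on',
            'disableExtensionPoints': 'on',
            'disableWin32kSystemCalls': 'on',
            'blockUntrustedFonts': 'block',
            'codeIntegrityGuard': 'on',
            'blockRemoteImageLoads': 'on'
          },
          'Configure exploit protection settings for Windows devices'
        ),

      /**
       * Web Protection PPC Policy
       */
      WEB_PROTECTION_PPC: (): PPCPolicyConfig =>
        createPPCPolicy(
          'Web Protection',
          PPC_TEMPLATES.WEB_PROTECTION,
          {
            'enableNetworkProtection': 'enabled',
            'networkProtectionLevel': 'block',
            'enableSmartScreenForEdge': 'enabled',
            'preventSmartScreenPromptOverride': 'required',
            'preventSmartScreenPromptOverrideForFiles': 'required',
            'allowUserFeedback': 'notAllowed',
            'allowUserToBlockMaliciousSites': 'notAllowed'
          },
          'Configure web protection settings including SmartScreen'
        )
    };

    /**
     * Validate Settings Catalog policy structure
     *
     * Tolerates malformed caller-supplied objects (non-string name, non-array
     * settings) by reporting an error instead of throwing, since the policy may
     * come straight from tool arguments.
     *
     * @returns `valid` is true only when `errors` is empty.
     */
    export function validateSettingsCatalogPolicy(policy: SettingsCatalogPolicy): { valid: boolean; errors: string[] } {
      const errors: string[] = [];

      if (typeof policy.name !== 'string' || policy.name.trim() === '') {
        errors.push('Policy name is required');
      }
      if (!policy.platforms) {
        errors.push('Platform specification is required');
      }
      if (!policy.technologies) {
        errors.push('Technology specification is required');
      }

      const settings = Array.isArray(policy.settings) ? policy.settings : [];
      if (settings.length === 0) {
        errors.push('At least one setting is required');
      }
      // Validate each setting
      settings.forEach((setting, index) => {
        if (!setting?.settingInstance?.settingDefinitionId) {
          errors.push(`Setting at index ${index} is missing settingDefinitionId`);
        }
      });

      return { valid: errors.length === 0, errors };
    }

    /**
     * Validate PPC policy structure
     *
     * Same tolerance for malformed input as validateSettingsCatalogPolicy.
     *
     * @returns `valid` is true only when `errors` is empty.
     */
    export function validatePPCPolicy(policy: PPCPolicyConfig): { valid: boolean; errors: string[] } {
      const errors: string[] = [];

      if (typeof policy.name !== 'string' || policy.name.trim() === '') {
        errors.push('Policy name is required');
      }
      if (!policy.templateId) {
        errors.push('Template ID is required');
      }

      const settings = Array.isArray(policy.settings) ? policy.settings : [];
      if (settings.length === 0) {
        errors.push('At least one setting is required');
      }
      // Validate each setting
      settings.forEach((setting, index) => {
        if (!setting?.id) {
          errors.push(`Setting at index ${index} is missing id`);
        }
        if (setting?.value === undefined || setting?.value === null) {
          errors.push(`Setting at index ${index} is missing value`);
        }
      });

      return { valid: errors.length === 0, errors };
    }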
  • Tool metadata registration defining description, title, and annotations for the 'manage_intune_windows_policies' tool.
    manage_intune_windows_policies: { description: "Manage Windows configuration profiles and compliance policies including security baselines and update rings.", title: "Intune Windows Policy Manager", annotations: { title: "Intune Windows Policy Manager", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }
