manage_intune_windows_policies
Manage Windows device policies in Intune to configure security baselines, compliance rules, update rings, and deployment settings for enterprise devices.
Instructions
Manage Windows configuration profiles and compliance policies including security baselines and update rings.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Intune Windows policy management action | |
| policyId | No | Policy ID for policy-specific operations | |
| policyType | Yes | Type of Windows policy | |
| name | No | Policy name | |
| description | No | Policy description | |
| settings | No | Policy configuration settings | |
| assignments | No | Policy assignments | |
| deploymentSettings | No | Deployment settings | |
Implementation Reference
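// Main handler function implementing manage_intune_windows_policies tool logic. Handles actions: list, get, create, update, delete, assign, deploy policies, create settings catalog and PPC policies using Microsoft Graph API.

/** Windows policy types accepted by this tool (mirrors IntuneWindowsPolicyArgs['policyType']). */
type WindowsPolicyType = IntuneWindowsPolicyArgs['policyType'];

/** Graph collection that stores each Windows policy type. */
const POLICY_COLLECTION_PATHS: Record<WindowsPolicyType, string> = {
  Configuration: '/deviceManagement/deviceConfigurations',
  Compliance: '/deviceManagement/deviceCompliancePolicies',
  Security: '/deviceManagement/intents',
  Update: '/deviceManagement/deviceConfigurations',
  AppProtection: '/deviceAppManagement/managedAppPolicies',
  EndpointSecurity: '/deviceManagement/intents'
};

/** Property that tells Graph which entity to create for each policy type (an OData type, or an intent templateId). */
const CREATE_TYPE_MARKERS: Record<WindowsPolicyType, Record<string, string>> = {
  Configuration: { '@odata.type': '#microsoft.graph.windows10GeneralConfiguration' },
  Compliance: { '@odata.type': '#microsoft.graph.windows10CompliancePolicy' },
  Security: { templateId: 'd1174162-1dd2-4976-affc-6667049ab0ae' }, // Security baseline template
  Update: { '@odata.type': '#microsoft.graph.windowsUpdateForBusinessConfiguration' },
  AppProtection: { '@odata.type': '#microsoft.graph.windowsManagedAppProtection' },
  EndpointSecurity: { templateId: 'e044e60e-5901-41ea-92c5-87e8b6edd6bb' } // Endpoint Security template
};

/** True when `key` is an own property of `obj`; an `in` test would also match inherited names such as `constructor`. */
function hasOwn(obj: object, key: string): boolean {
  return Object.prototype.hasOwnProperty.call(obj, key);
}

/**
 * Resolves the Graph collection for a policy type.
 * The value arrives from the tool caller, so anything outside the union is possible at
 * runtime and is rejected with InvalidParams rather than resolved through the prototype.
 */
function policyCollectionPath(policyType: WindowsPolicyType): string {
  if (!hasOwn(POLICY_COLLECTION_PATHS, policyType)) {
    throw new McpError(ErrorCode.InvalidParams, `Unknown policy type: ${policyType}`);
  }
  return POLICY_COLLECTION_PATHS[policyType];
}

/** Builds `<collection>/<policyId>`; the id is percent-encoded so a caller-supplied value cannot add path segments or a query string. */
function policyItemPath(policyType: WindowsPolicyType, policyId: string): string {
  return `${policyCollectionPath(policyType)}/${encodeURIComponent(policyId)}`;
}

/** Returns args.policyId, or throws InvalidParams naming the action that needed it. */
function requirePolicyId(args: IntuneWindowsPolicyArgs): string {
  if (!args.policyId) {
    throw new McpError(ErrorCode.InvalidParams, `policyId is required for ${args.action} action`);
  }
  return args.policyId;
}

/** Builds the Settings Catalog policy from a named template (with its optional parameters) or from the caller's custom definition. */
function resolveSettingsCatalogPolicy(args: IntuneWindowsPolicyArgs): SettingsCatalogPolicy {
  const templateKey = args.settingsCatalogTemplate as string;
  if (hasOwn(SETTINGS_CATALOG_POLICY_TEMPLATES, templateKey)) {
    const templateName = templateKey as keyof typeof SETTINGS_CATALOG_POLICY_TEMPLATES;
    const params = args.settingsCatalogParams;
    // Only two templates take parameters; the rest are called with none.
    if (templateName === 'WINDOWS_UPDATE' && params) {
      return SETTINGS_CATALOG_POLICY_TEMPLATES.WINDOWS_UPDATE(params.deferQualityDays, params.deferFeatureDays);
    }
    if (templateName === 'PASSWORD_POLICY' && params) {
      return SETTINGS_CATALOG_POLICY_TEMPLATES.PASSWORD_POLICY(params.minLength, params.complexity);
    }
    return SETTINGS_CATALOG_POLICY_TEMPLATES[templateName]();
  }
  if (args.customSettingsCatalogPolicy) {
    // Use custom policy definition; shallow-copied so the name/description overrides do not mutate the caller's object.
    return { ...args.customSettingsCatalogPolicy };
  }
  throw new McpError(ErrorCode.InvalidParams, 'Invalid settingsCatalogTemplate or customSettingsCatalogPolicy required');
}

/** Builds the PPC policy from a named template or from the caller's custom definition. */
function resolvePPCPolicy(args: IntuneWindowsPolicyArgs): PPCPolicyConfig {
  const templateKey = args.ppcTemplate as string;
  if (hasOwn(PPC_POLICY_TEMPLATES, templateKey)) {
    return PPC_POLICY_TEMPLATES[templateKey as keyof typeof PPC_POLICY_TEMPLATES]();
  }
  if (args.customPPCPolicy) {
    // Use custom policy definition; shallow-copied so the name/description overrides do not mutate the caller's object.
    return { ...args.customPPCPolicy };
  }
  throw new McpError(ErrorCode.InvalidParams, 'Invalid ppcTemplate or customPPCPolicy required');
}

/** Lists each template of a template map as `{ name, description }`; every template is invoked with no arguments only to read its description. */
function templateSummaries(
  templates: Record<string, (...params: any[]) => { description?: string }>
): { name: string; description?: string }[] {
  return Object.entries(templates).map(([name, make]) => ({ name, description: make().description }));
}

/**
 * Main handler for the manage_intune_windows_policies tool.
 * Dispatches on `args.action`: list, get, create, update, delete, assign and deploy work on
 * the Graph collection selected by `args.policyType`; create_settings_catalog and create_ppc
 * build a policy from a template (or custom definition), validate it, create it and
 * optionally assign it; list_templates enumerates the built-in templates.
 *
 * @param graphClient - Graph client; every request goes through `graphClient.api(path)`.
 * @param args - Tool arguments. Which fields are required depends on the action
 *   (policyId for get/update/delete/deploy, policyId and assignments for assign, name for
 *   create, settingsCatalogTemplate / ppcTemplate for the two template actions).
 * @returns One text content item containing the JSON-serialised result.
 * @throws McpError(ErrorCode.InvalidParams) when a required argument is missing, a policy
 *   fails validation, or the action / policy type is unknown.
 */
export async function handleIntuneWindowsPolicies(
  graphClient: Client,
  args: IntuneWindowsPolicyArgs
): Promise<{ content: { type: string; text: string }[] }> {
  let apiPath = '';
  let result: any;

  switch (args.action) {
    case 'list': {
      apiPath = policyCollectionPath(args.policyType);
      // Two policy types share a collection with another type and are told apart by a filter.
      if (args.policyType === 'Update') {
        apiPath += '?$filter=deviceManagementApplicabilityRuleOsEdition/osEditionTypes/any(x:x eq \'windows10Enterprise\')';
      } else if (args.policyType === 'EndpointSecurity') {
        // Endpoint Security template
        // NOTE(review): this is the templateId that `create` uses for 'Security', not the one it
        // uses for 'EndpointSecurity' — confirm which template the listing should filter on.
        apiPath += '?$filter=templateId eq \'d1174162-1dd2-4976-affc-6667049ab0ae\'';
      }
      result = await graphClient.api(apiPath).get();
      break;
    }
    case 'get':
      apiPath = policyItemPath(args.policyType, requirePolicyId(args));
      result = await graphClient.api(apiPath).get();
      break;
    case 'create': {
      if (!args.name) {
        throw new McpError(ErrorCode.InvalidParams, 'name is required for create action');
      }
      apiPath = policyCollectionPath(args.policyType);
      // The caller's settings are spread before the type marker so the marker always wins:
      // settings cannot redirect the request to a different Graph entity type or template.
      const createPayload: any = {
        displayName: args.name,
        description: args.description || '',
        ...args.settings,
        ...CREATE_TYPE_MARKERS[args.policyType]
      };
      result = await graphClient.api(apiPath).post(createPayload);
      break;
    }
    case 'update': {
      const policyId = requirePolicyId(args);
      // Only the fields the caller supplied are PATCHed.
      const updatePayload: any = {};
      if (args.name) updatePayload.displayName = args.name;
      if (args.description) updatePayload.description = args.description;
      if (args.settings) Object.assign(updatePayload, args.settings);
      apiPath = policyItemPath(args.policyType, policyId);
      result = await graphClient.api(apiPath).patch(updatePayload);
      break;
    }
    case 'delete':
      apiPath = policyItemPath(args.policyType, requirePolicyId(args));
      result = await graphClient.api(apiPath).delete();
      break;
    case 'assign': {
      if (!args.policyId || !args.assignments) {
        throw new McpError(ErrorCode.InvalidParams, 'policyId and assignments are required for assign action');
      }
      apiPath = `${policyItemPath(args.policyType, args.policyId)}/assign`;
      result = await graphClient.api(apiPath).post({ assignments: args.assignments });
      break;
    }
    case 'deploy': {
      const policyId = requirePolicyId(args);
      // Deploy immediately to assigned groups: the assignments are read from the same
      // per-type collection that `assign` writes to, not from deviceConfigurations alone.
      apiPath = `${policyItemPath(args.policyType, policyId)}/assignments`;
      const assignments = await graphClient.api(apiPath).get();
      result = {
        message: 'Policy deployment initiated',
        policyId,
        assignmentCount: assignments.value ? assignments.value.length : 0,
        deploymentSettings: args.deploymentSettings
      };
      break;
    }
    case 'create_settings_catalog': {
      // Create a Settings Catalog policy from template
      if (!args.settingsCatalogTemplate) {
        throw new McpError(ErrorCode.InvalidParams, 'settingsCatalogTemplate is required for create_settings_catalog action');
      }
      const catalogPolicy = resolveSettingsCatalogPolicy(args);
      // Override name and description if provided
      if (args.name) catalogPolicy.name = args.name;
      if (args.description) catalogPolicy.description = args.description;
      // Validate policy structure before anything is sent to Graph
      const validation = validateSettingsCatalogPolicy(catalogPolicy);
      if (!validation.valid) {
        throw new McpError(
          ErrorCode.InvalidParams,
          `Invalid Settings Catalog policy: ${validation.errors.join(', ')}`
        );
      }
      // Create the policy using Graph API
      apiPath = '/deviceManagement/configurationPolicies';
      const catalogPayload = {
        name: catalogPolicy.name,
        description: catalogPolicy.description || '',
        platforms: catalogPolicy.platforms,
        technologies: catalogPolicy.technologies,
        settings: catalogPolicy.settings,
        templateReference: catalogPolicy.templateReference
      };
      result = await graphClient.api(apiPath).post(catalogPayload);
      // If assignments provided, assign the policy in a second call
      if (args.assignments && args.assignments.length > 0) {
        await graphClient.api(`${apiPath}/${result.id}/assign`).post({ assignments: args.assignments });
      }
      result.message = 'Settings Catalog policy created successfully';
      result.template = args.settingsCatalogTemplate;
      break;
    }
    case 'create_ppc': {
      // Create a Platform Protection Configuration (PPC) policy from template
      if (!args.ppcTemplate) {
        throw new McpError(ErrorCode.InvalidParams, 'ppcTemplate is required for create_ppc action');
      }
      const ppcPolicy = resolvePPCPolicy(args);
      // Override name and description if provided
      if (args.name) ppcPolicy.name = args.name;
      if (args.description) ppcPolicy.description = args.description;
      // Validate policy structure before anything is sent to Graph
      const ppcValidation = validatePPCPolicy(ppcPolicy);
      if (!ppcValidation.valid) {
        throw new McpError(
          ErrorCode.InvalidParams,
          `Invalid PPC policy: ${ppcValidation.errors.join(', ')}`
        );
      }
      // Create the PPC policy using Security Management Intent API
      apiPath = '/deviceManagement/intents';
      const ppcPayload = {
        displayName: ppcPolicy.name,
        description: ppcPolicy.description || '',
        templateId: ppcPolicy.templateId,
        // NOTE(review): every value is sent as a deviceManagementStringValue, so booleans and
        // integers are stringified — confirm the target intent templates accept string-typed values.
        settingsDelta: ppcPolicy.settings.map(setting => ({
          '@odata.type': '#microsoft.graph.deviceManagementIntentSettingDelta',
          definitionId: setting.id,
          value: {
            '@odata.type': '#microsoft.graph.deviceManagementStringValue',
            value: String(setting.value)
          },
          valueState: setting.valueState || 'configured'
        }))
      };
      result = await graphClient.api(apiPath).post(ppcPayload);
      // If assignments provided, assign the policy in a second call
      if (args.assignments && args.assignments.length > 0) {
        await graphClient.api(`${apiPath}/${result.id}/assign`).post({ assignments: args.assignments });
      }
      result.message = 'PPC policy created successfully';
      result.template = args.ppcTemplate;
      break;
    }
    case 'list_templates':
      // List available Settings Catalog and PPC templates
      result = {
        settingsCatalogTemplates: templateSummaries(SETTINGS_CATALOG_POLICY_TEMPLATES),
        ppcTemplates: templateSummaries(PPC_POLICY_TEMPLATES)
      };
      break;
    default:
      throw new McpError(ErrorCode.InvalidParams, `Unknown action: ${args.action}`);
  }

  return {
    content: [
      {
        type: 'text',
        text: `Windows Policy Management Result:\n${JSON.stringify(result, null, 2)}`
      }
    ]
  };
}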
// src/types/intune-types.ts:468-494 (schema) — TypeScript interface defining input parameters (IntuneWindowsPolicyArgs) for the manage_intune_windows_policies tool, including actions, policy types, settings, assignments.

/**
 * Input parameters of the manage_intune_windows_policies tool.
 * Which optional fields are required is decided per action by the handler:
 * `policyId` for get/update/delete/deploy, `policyId` plus `assignments` for assign,
 * `name` for create, `settingsCatalogTemplate` for create_settings_catalog and
 * `ppcTemplate` for create_ppc.
 */
export interface IntuneWindowsPolicyArgs {
  /** Intune Windows policy management action. */
  action: 'list' | 'get' | 'create' | 'update' | 'delete' | 'assign' | 'deploy' | 'create_settings_catalog' | 'create_ppc' | 'list_templates';
  /** Policy ID for policy-specific operations; it is interpolated into the Graph request path. */
  policyId?: string;
  /** Type of Windows policy; selects which Graph collection the handler reads from or writes to. */
  policyType: 'Configuration' | 'Compliance' | 'Security' | 'Update' | 'AppProtection' | 'EndpointSecurity';
  /** Policy name (sent as displayName; also overrides a template's name). */
  name?: string;
  /** Policy description (also overrides a template's description). */
  description?: string;
  /** Policy configuration settings; merged into the create/update payload as-is. */
  settings?: WindowsPolicySettings;
  /** Policy assignments, posted to the policy's `assign` endpoint. */
  assignments?: PolicyAssignment[];
  /** Deployment settings; the deploy action echoes them back in its result. */
  deploymentSettings?: {
    installBehavior?: 'doNotInstall' | 'installAsManaged' | 'installAsUnmanaged';
    uninstallOnDeviceRemoval?: boolean;
    installAsManaged?: boolean;
    rebootBehavior?: 'allow' | 'suppress' | 'force';
  };
  // Settings Catalog Policy parameters
  /** Name of a built-in Settings Catalog template (see SETTINGS_CATALOG_POLICY_TEMPLATES). */
  settingsCatalogTemplate?: 'BITLOCKER_ENCRYPTION' | 'DEFENDER_ANTIVIRUS' | 'WINDOWS_UPDATE' | 'FIREWALL_CONFIGURATION' | 'PASSWORD_POLICY' | 'ATTACK_SURFACE_REDUCTION';
  /** Parameters consumed only by the WINDOWS_UPDATE (defer* days) and PASSWORD_POLICY (minLength, complexity) templates. */
  settingsCatalogParams?: {
    deferQualityDays?: number;
    deferFeatureDays?: number;
    minLength?: number;
    complexity?: number;
  };
  /** Caller-supplied Settings Catalog policy used when settingsCatalogTemplate is not a built-in name; validated by validateSettingsCatalogPolicy before creation. */
  customSettingsCatalogPolicy?: any;
  // PPC Policy parameters
  /** Name of a built-in PPC template (see PPC_POLICY_TEMPLATES). */
  ppcTemplate?: 'ATTACK_SURFACE_REDUCTION_PPC' | 'EXPLOIT_PROTECTION_PPC' | 'WEB_PROTECTION_PPC';
  /** Caller-supplied PPC policy used when ppcTemplate is not a built-in name; validated by validatePPCPolicy before creation. */
  customPPCPolicy?: any;
}
// Helper module providing pre-built templates and validation for Settings Catalog and Platform Protection Configuration (PPC) policies, used by create_settings_catalog and create_ppc actions.

/**
 * Pre-built Settings Catalog policy templates, keyed by the name the tool accepts in
 * `settingsCatalogTemplate`. Every entry is a factory returning a new policy object, so a
 * caller may rename or edit the result without affecting later calls. Definition ids are
 * taken from COMMON_SETTINGS_DEFINITIONS and each setting is built by
 * createSettingsCatalogSetting(definitionId, value, valueType); both are declared elsewhere
 * in this module.
 */
export const SETTINGS_CATALOG_POLICY_TEMPLATES = {
  /**
   * BitLocker Encryption Policy
   */
  BITLOCKER_ENCRYPTION: (): SettingsCatalogPolicy => ({
    name: 'BitLocker Disk Encryption',
    description: 'Enforce BitLocker encryption on Windows devices',
    platforms: 'windows10',
    technologies: 'mdm',
    settings: [
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.BITLOCKER_REQUIRE_DEVICE_ENCRYPTION,
        true,
        'boolean'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.BITLOCKER_FIXED_DRIVE_ENCRYPTION_TYPE,
        1, // Full encryption
        'int'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.BITLOCKER_REMOVABLE_DRIVE_ENCRYPTION_TYPE,
        1,
        'int'
      )
    ]
  }),

  /**
   * Windows Defender Antivirus Policy
   */
  DEFENDER_ANTIVIRUS: (): SettingsCatalogPolicy => ({
    name: 'Windows Defender Antivirus Protection',
    description: 'Configure Windows Defender antivirus protection settings',
    platforms: 'windows10',
    technologies: 'mdm',
    settings: [
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.DEFENDER_REAL_TIME_PROTECTION,
        true,
        'boolean'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.DEFENDER_CLOUD_PROTECTION,
        true,
        'boolean'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.DEFENDER_BEHAVIOR_MONITORING,
        true,
        'boolean'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.DEFENDER_SCAN_TYPE,
        2, // Full scan
        'int'
      )
    ]
  }),

  /**
   * Windows Update Policy
   *
   * @param deferQualityDays - Days to defer quality updates (default 7).
   * @param deferFeatureDays - Days to defer feature updates (default 14).
   */
  WINDOWS_UPDATE: (deferQualityDays: number = 7, deferFeatureDays: number = 14): SettingsCatalogPolicy => ({
    name: 'Windows Update Configuration',
    description: 'Configure Windows Update settings and deferral periods',
    platforms: 'windows10',
    technologies: 'mdm',
    settings: [
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.UPDATE_BRANCH_READINESS_LEVEL,
        16, // Current Branch for Business
        'int'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.UPDATE_DEFER_QUALITY_UPDATES,
        deferQualityDays,
        'int'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.UPDATE_DEFER_FEATURE_UPDATES,
        deferFeatureDays,
        'int'
      )
    ]
  }),

  /**
   * Firewall Policy
   */
  FIREWALL_CONFIGURATION: (): SettingsCatalogPolicy => ({
    name: 'Windows Firewall Configuration',
    description: 'Enable and configure Windows Firewall for all network profiles',
    platforms: 'windows10',
    technologies: 'mdm',
    settings: [
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.FIREWALL_DOMAIN_PROFILE_ENABLED,
        true,
        'boolean'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.FIREWALL_PUBLIC_PROFILE_ENABLED,
        true,
        'boolean'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.FIREWALL_PRIVATE_PROFILE_ENABLED,
        true,
        'boolean'
      )
    ]
  }),

  /**
   * Password Policy
   *
   * @param minLength - Minimum password length (default 8).
   * @param complexity - Complexity level passed through as an int (default 2).
   */
  PASSWORD_POLICY: (minLength: number = 8, complexity: number = 2): SettingsCatalogPolicy => ({
    name: 'Device Password Policy',
    description: 'Configure password requirements for Windows devices',
    platforms: 'windows10',
    technologies: 'mdm',
    settings: [
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.PASSWORD_MIN_LENGTH,
        minLength,
        'int'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.PASSWORD_COMPLEXITY,
        complexity,
        'int'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.PASSWORD_EXPIRATION,
        90, // 90 days
        'int'
      ),
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.PASSWORD_HISTORY,
        24, // Remember 24 previous passwords
        'int'
      )
    ]
  }),

  /**
   * Attack Surface Reduction Rules
   * Each collection entry is `<rule GUID>=<mode>`; mode 1 enables the rule in block mode.
   */
  ATTACK_SURFACE_REDUCTION: (): SettingsCatalogPolicy => ({
    name: 'Attack Surface Reduction Rules',
    description: 'Configure Attack Surface Reduction rules to protect against threats',
    platforms: 'windows10',
    technologies: 'mdm',
    settings: [
      createSettingsCatalogSetting(
        COMMON_SETTINGS_DEFINITIONS.ASR_RULES,
        [
          // Block executable content from email and webmail
          'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550=1',
          // Block Office applications from creating executable content
          '3B576869-A4EC-4529-8536-B80A7769E899=1',
          // Block Office applications from injecting code into other processes
          '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84=1',
          // Block JavaScript or VBScript from launching downloaded executable content
          'D3E037E1-3EB8-44C8-A917-57927947596D=1',
          // Block execution of potentially obfuscated scripts
          '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC=1'
        ],
        'collection'
      )
    ]
  })
};

/**
 * Platform Protection Configuration (PPC) Helper
 */

/** A PPC policy as consumed by the create_ppc action, which submits it to the Security Management Intent API. */
export interface PPCPolicyConfig {
  /** Display name; validatePPCPolicy rejects an empty or whitespace-only name. */
  name: string;
  description?: string;
  /** Intent template the policy is created from; required by validatePPCPolicy. */
  templateId: string;
  /** Must hold at least one entry (validatePPCPolicy). */
  settings: PPCSetting[];
  assignments?: any[];
}

/** One setting of a PPC policy. */
export interface PPCSetting {
  /** Setting definition id. */
  id: string;
  /** Setting value; undefined and null are rejected by validatePPCPolicy. */
  value: any;
  /** Treated as 'configured' when omitted (createPPCPolicy sets it explicitly). */
  valueState?: 'configured' | 'notConfigured';
}

/**
 * Create a PPC policy configuration
 *
 * @param name - Display name of the policy.
 * @param templateId - Intent template id.
 * @param settings - Map of setting definition id to value; each entry becomes a PPCSetting marked 'configured'.
 * @param description - Optional description; an empty string is used when omitted.
 * @returns The assembled PPCPolicyConfig (no assignments).
 */
export function createPPCPolicy(
  name: string,
  templateId: string,
  settings: Record<string, any>,
  description?: string
): PPCPolicyConfig {
  const ppcSettings: PPCSetting[] = Object.entries(settings).map(([id, value]) => ({
    id,
    value,
    valueState: 'configured'
  }));

  return {
    name,
    description: description || '',
    templateId,
    settings: ppcSettings
  };
}

/**
 * Pre-built PPC Policy Templates
 * Keyed by the name the tool accepts in `ppcTemplate`; each entry is a factory returning a
 * fresh PPCPolicyConfig. Template ids come from PPC_TEMPLATES (declared elsewhere in this module).
 */
export const PPC_POLICY_TEMPLATES = {
  /**
   * Attack Surface Reduction PPC Policy
   */
  ATTACK_SURFACE_REDUCTION_PPC: (): PPCPolicyConfig => createPPCPolicy(
    'Attack Surface Reduction',
    PPC_TEMPLATES.ATTACK_SURFACE_REDUCTION,
    {
      'blockExecutableContentFromEmailAndWebmail': 'block',
      'blockOfficeAppsFromCreatingExecutableContent': 'block',
      'blockOfficeAppsFromInjectingIntoOtherProcesses': 'block',
      'blockJavaScriptOrVBScriptFromLaunchingContent': 'block',
      'blockExecutionOfPotentiallyObfuscatedScripts': 'block',
      'blockWin32ApiCallsFromOfficeMacros': 'block',
      'blockUntrustedUnsignedProcesses': 'block',
      'blockCredentialStealingFromWindowsLsass': 'block',
      'blockAdobeReaderFromCreatingChildProcesses': 'block',
      'blockPersistenceThroughWMIEventSubscription': 'block'
    },
    'Configure Attack Surface Reduction rules for endpoint protection'
  ),

  /**
   * Exploit Protection PPC Policy
   */
  EXPLOIT_PROTECTION_PPC: (): PPCPolicyConfig => createPPCPolicy(
    'Exploit Protection',
    PPC_TEMPLATES.EXPLOIT_PROTECTION,
    {
      'dataExecutionPrevention': 'on',
      'controlFlowGuard': 'on',
      'randomizeMemoryAllocations': 'on',
      'validateExceptionChains': 'on',
      'validateStackIntegrity': 'on',
      'disableExtensionPoints': 'on',
      'disableWin32kSystemCalls': 'on',
      'blockUntrustedFonts': 'block',
      'codeIntegrityGuard': 'on',
      'blockRemoteImageLoads': 'on'
    },
    'Configure exploit protection settings for Windows devices'
  ),

  /**
   * Web Protection PPC Policy
   */
  WEB_PROTECTION_PPC: (): PPCPolicyConfig => createPPCPolicy(
    'Web Protection',
    PPC_TEMPLATES.WEB_PROTECTION,
    {
      'enableNetworkProtection': 'enabled',
      'networkProtectionLevel': 'block',
      'enableSmartScreenForEdge': 'enabled',
      'preventSmartScreenPromptOverride': 'required',
      'preventSmartScreenPromptOverrideForFiles': 'required',
      'allowUserFeedback': 'notAllowed',
      'allowUserToBlockMaliciousSites': 'notAllowed'
    },
    'Configure web protection settings including SmartScreen'
  )
};

/**
 * Validate Settings Catalog policy structure
 *
 * Checks only shape, not Graph semantics: a non-blank name, platforms, technologies,
 * at least one setting, and a settingDefinitionId on every setting's settingInstance.
 *
 * @param policy - Policy to check.
 * @returns `valid` is true when `errors` is empty; `errors` lists every failed check.
 */
export function validateSettingsCatalogPolicy(policy: SettingsCatalogPolicy): { valid: boolean; errors: string[] } {
  const errors: string[] = [];

  if (!policy.name || policy.name.trim() === '') {
    errors.push('Policy name is required');
  }

  if (!policy.platforms) {
    errors.push('Platform specification is required');
  }

  if (!policy.technologies) {
    errors.push('Technology specification is required');
  }

  if (!policy.settings || policy.settings.length === 0) {
    errors.push('At least one setting is required');
  }

  // Validate each setting (optional chaining keeps a missing settings array from throwing here)
  policy.settings?.forEach((setting, index) => {
    if (!setting.settingInstance?.settingDefinitionId) {
      errors.push(`Setting at index ${index} is missing settingDefinitionId`);
    }
  });

  return {
    valid: errors.length === 0,
    errors
  };
}

/**
 * Validate PPC policy structure
 *
 * Checks only shape: a non-blank name, a templateId, at least one setting, and an id plus
 * a non-null, non-undefined value on every setting.
 *
 * @param policy - Policy to check.
 * @returns `valid` is true when `errors` is empty; `errors` lists every failed check.
 */
export function validatePPCPolicy(policy: PPCPolicyConfig): { valid: boolean; errors: string[] } {
  const errors: string[] = [];

  if (!policy.name || policy.name.trim() === '') {
    errors.push('Policy name is required');
  }

  if (!policy.templateId) {
    errors.push('Template ID is required');
  }

  if (!policy.settings || policy.settings.length === 0) {
    errors.push('At least one setting is required');
  }

  // Validate each setting (optional chaining keeps a missing settings array from throwing here)
  policy.settings?.forEach((setting, index) => {
    if (!setting.id) {
      errors.push(`Setting at index ${index} is missing id`);
    }
    if (setting.value === undefined || setting.value === null) {
      errors.push(`Setting at index ${index} is missing value`);
    }
  });

  return {
    valid: errors.length === 0,
    errors
  };
}
- src/tool-metadata.ts:154-157 (registration) Tool metadata registration providing description, title, and annotations for the manage_intune_windows_policies tool.
manage_intune_windows_policies: { description: "Manage Windows configuration profiles and compliance policies including security baselines and update rings.", title: "Intune Windows Policy Manager", annotations: { title: "Intune Windows Policy Manager", readOnlyHint: false, destructiveHint: true, idempotentHint: false, openWorldHint: true }
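// Imports for types and helpers used in the Intune Windows handler implementation.
import { IntuneWindowsDeviceArgs, IntuneWindowsPolicyArgs, IntuneWindowsAppArgs, IntuneWindowsComplianceArgs } from '../types/intune-types.js';
import { createIntuneGraphClient, isIntuneEndpoint } from '../utils/modern-graph-client.js';
import {
  SETTINGS_CATALOG_POLICY_TEMPLATES,
  PPC_POLICY_TEMPLATES,
  validateSettingsCatalogPolicy,
  validatePPCPolicy,
  SettingsCatalogPolicy,
  PPCPolicyConfig
} from './intune-policy-templates.js';

/** Formats `value` as a single-quoted OData string literal; embedded quotes are doubled so the value cannot close the literal and extend the predicate. */
function odataStringLiteral(value: string): string {
  return `'${value.replace(/'/g, "''")}'`;
}

/** Builds `/deviceManagement/managedDevices/<deviceId>[/<action>]`; the id is percent-encoded so a caller-supplied value cannot add path segments or a query string. */
function managedDevicePath(deviceId: string, action?: string): string {
  const base = `/deviceManagement/managedDevices/${encodeURIComponent(deviceId)}`;
  return action === undefined ? base : `${base}/${action}`;
}

/** Returns args.deviceId, or throws InvalidParams naming the action that needed it. */
function requireDeviceId(args: IntuneWindowsDeviceArgs): string {
  if (!args.deviceId) {
    throw new McpError(ErrorCode.InvalidParams, `deviceId is required for ${args.action} action`);
  }
  return args.deviceId;
}

// Intune Windows Device Management Handler
/**
 * Handles the Windows device actions of the Intune tool: list, get, enroll, retire, wipe,
 * restart, sync, remote_lock, collect_logs, bitlocker_recovery and autopilot_reset.
 *
 * @param graphClient - Graph client used for every action except `list`, which goes through
 *   the Intune-specific client returned by createIntuneGraphClient.
 * @param args - Tool arguments; every action except `list` and `enroll` requires `args.deviceId`.
 * @returns One text content item containing the JSON-serialised Graph result.
 * @throws McpError(ErrorCode.InvalidParams) when `deviceId` is missing or the action is unknown.
 */
export async function handleIntuneWindowsDevices(
  graphClient: Client,
  args: IntuneWindowsDeviceArgs
): Promise<{ content: { type: string; text: string }[] }> {
  // Create Intune-specific client for proper authentication
  const intuneClient = createIntuneGraphClient(graphClient);
  let apiPath = '';
  let result: any;

  switch (args.action) {
    case 'list': {
      // List all Windows devices managed by Intune
      apiPath = '/deviceManagement/managedDevices';
      // Filter for Windows devices; an optional caller predicate is appended with `and`.
      // The clauses are joined with a space — joining with '' produced "...'Windows'and ...",
      // which is not a well-formed filter.
      const filterClauses = [`$filter=operatingSystem eq 'Windows'`];
      if (args.filter) {
        // NOTE(review): args.filter is spliced into the OData query unvalidated; it is a
        // caller-controlled predicate — confirm it is validated upstream.
        filterClauses.push(`and ${args.filter}`);
      }
      apiPath += `?${filterClauses.join(' ')}`;
      result = (await intuneClient.makeApiCall(apiPath)).data;
      break;
    }
    case 'get':
      apiPath = managedDevicePath(requireDeviceId(args));
      result = await graphClient.api(apiPath).get();
      break;
    case 'enroll': {
      // Create enrollment invitation for Windows devices
      apiPath = '/deviceManagement/deviceEnrollmentConfigurations';
      const enrollmentPayload = {
        displayName: 'Windows Device Enrollment',
        description: 'Automated Windows device enrollment',
        deviceEnrollmentConfigurationType: 'windows10EnrollmentCompletionPageConfiguration',
        priority: 0,
        showInstallationProgress: true,
        blockDeviceSetupRetryByUser: false,
        allowDeviceResetOnInstallFailure: true,
        allowLogCollectionOnInstallFailure: true,
        customErrorMessage: 'Setup could not be completed. Please try again or contact your support person for help.',
        installProgressTimeoutInMinutes: 60,
        allowDeviceUseOnInstallFailure: true,
        selectedMobileAppIds: [],
        trackInstallProgressForAutopilotOnly: false,
        disableUserStatusTrackingAfterFirstUser: true
      };
      // Map the tool's join type onto the Graph configuration type; any other value keeps the default above.
      if (args.enrollmentType) {
        enrollmentPayload.deviceEnrollmentConfigurationType =
          args.enrollmentType === 'AzureADJoin'
            ? 'azureADJoinUsingBulkEnrollment'
            : args.enrollmentType === 'HybridAzureADJoin'
              ? 'hybridAzureADJoin'
              : 'windows10EnrollmentCompletionPageConfiguration';
      }
      result = await graphClient.api(apiPath).post(enrollmentPayload);
      break;
    }
    case 'retire':
      apiPath = managedDevicePath(requireDeviceId(args), 'retire');
      // keepUserData is true: retire removes enrollment data only.
      result = await graphClient.api(apiPath).post({ keepEnrollmentData: false, keepUserData: true });
      break;
    case 'wipe':
      apiPath = managedDevicePath(requireDeviceId(args), 'wipe');
      // Both keep* flags are false: this is the destructive, full-device action.
      result = await graphClient.api(apiPath).post({ keepEnrollmentData: false, keepUserData: false, useProtectedWipe: true });
      break;
    case 'restart':
      apiPath = managedDevicePath(requireDeviceId(args), 'rebootNow');
      result = await graphClient.api(apiPath).post({});
      break;
    case 'sync':
      apiPath = managedDevicePath(requireDeviceId(args), 'syncDevice');
      result = await graphClient.api(apiPath).post({});
      break;
    case 'remote_lock':
      apiPath = managedDevicePath(requireDeviceId(args), 'remoteLock');
      result = await graphClient.api(apiPath).post({});
      break;
    case 'collect_logs':
      apiPath = managedDevicePath(requireDeviceId(args), 'createDeviceLogCollectionRequest');
      result = await graphClient.api(apiPath).post({ templateType: 'predefined' });
      break;
    case 'bitlocker_recovery': {
      const deviceId = requireDeviceId(args);
      apiPath = `/informationProtection/bitlocker/recoveryKeys`;
      // The id is emitted as an escaped OData literal so a quote inside it cannot alter the predicate.
      const filter = `$filter=deviceId eq ${odataStringLiteral(deviceId)}`;
      result = await graphClient.api(`${apiPath}?${filter}`).get();
      break;
    }
    case 'autopilot_reset':
      apiPath = managedDevicePath(requireDeviceId(args), 'autopilotReset');
      result = await graphClient.api(apiPath).post({ keepUserData: false });
      break;
    default:
      throw new McpError(ErrorCode.InvalidParams, `Unknown action: ${args.action}`);
  }

  return {
    content: [
      {
        type: 'text',
        text: `Windows Device Management Result:\n${JSON.stringify(result, null, 2)}`
      }
    ]
  };
}

// Intune Windows Policy Management Handler
export async function handleIntuneWindowsPolicies(
  graphClient: Client,
  args: IntuneWindowsPolicyArgs
): Promise<{ content: { type: string; text: string }[] }> {
  // Create Intune-specific client for proper authentication
  const intuneClient = createIntuneGraphClient(graphClient);
  let apiPath = '';
  let result: any;

  switch (args.action) {
    case 'list':
      switch (args.policyType) {
        case 'Configuration':
          apiPath = '/deviceManagement/deviceConfigurations';
          break;
        case 'Compliance':
          apiPath = '/deviceManagement/deviceCompliancePolicies';
          break;
        case 'Security':
          apiPath = '/deviceManagement/intents';
          break;
        case 'Update':
          apiPath =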
'/deviceManagement/deviceConfigurations'; apiPath += '?$filter=deviceManagementApplicabilityRuleOsEdition/osEditionTypes/any(x:x eq \'windows10Enterprise\')'; break; case 'AppProtection': apiPath = '/deviceAppManagement/managedAppPolicies'; break; case 'EndpointSecurity': apiPath = '/deviceManagement/intents'; apiPath += '?$filter=templateId eq \'d1174162-1dd2-4976-affc-6667049ab0ae\''; // Endpoint Security template break; default: throw new McpError(ErrorCode.InvalidParams, `Unknown policy type: ${args.policyType}`); } result = await graphClient.api(apiPath).get(); break; case 'get': if (!args.policyId) { throw new McpError(ErrorCode.InvalidParams, 'policyId is required for get action'); } switch (args.policyType) { case 'Configuration': apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}`; break; case 'Compliance': apiPath = `/deviceManagement/deviceCompliancePolicies/${args.policyId}`; break; case 'Security': case 'EndpointSecurity': apiPath = `/deviceManagement/intents/${args.policyId}`; break; case 'Update': apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}`; break; case 'AppProtection': apiPath = `/deviceAppManagement/managedAppPolicies/${args.policyId}`; break; default: throw new McpError(ErrorCode.InvalidParams, `Unknown policy type: ${args.policyType}`); } result = await graphClient.api(apiPath).get(); break; case 'create': if (!args.name) { throw new McpError(ErrorCode.InvalidParams, 'name is required for create action'); } const createPayload: any = { displayName: args.name, description: args.description || '', ...args.settings }; switch (args.policyType) { case 'Configuration': apiPath = '/deviceManagement/deviceConfigurations'; createPayload['@odata.type'] = '#microsoft.graph.windows10GeneralConfiguration'; break; case 'Compliance': apiPath = '/deviceManagement/deviceCompliancePolicies'; createPayload['@odata.type'] = '#microsoft.graph.windows10CompliancePolicy'; break; case 'Security': apiPath = 
'/deviceManagement/intents'; createPayload.templateId = 'd1174162-1dd2-4976-affc-6667049ab0ae'; // Security baseline template break; case 'Update': apiPath = '/deviceManagement/deviceConfigurations'; createPayload['@odata.type'] = '#microsoft.graph.windowsUpdateForBusinessConfiguration'; break; case 'AppProtection': apiPath = '/deviceAppManagement/managedAppPolicies'; createPayload['@odata.type'] = '#microsoft.graph.windowsManagedAppProtection'; break; case 'EndpointSecurity': apiPath = '/deviceManagement/intents'; createPayload.templateId = 'e044e60e-5901-41ea-92c5-87e8b6edd6bb'; // Endpoint Security template break; default: throw new McpError(ErrorCode.InvalidParams, `Unknown policy type: ${args.policyType}`); } result = await graphClient.api(apiPath).post(createPayload); break; case 'update': if (!args.policyId) { throw new McpError(ErrorCode.InvalidParams, 'policyId is required for update action'); } const updatePayload: any = {}; if (args.name) updatePayload.displayName = args.name; if (args.description) updatePayload.description = args.description; if (args.settings) Object.assign(updatePayload, args.settings); switch (args.policyType) { case 'Configuration': apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}`; break; case 'Compliance': apiPath = `/deviceManagement/deviceCompliancePolicies/${args.policyId}`; break; case 'Security': case 'EndpointSecurity': apiPath = `/deviceManagement/intents/${args.policyId}`; break; case 'Update': apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}`; break; case 'AppProtection': apiPath = `/deviceAppManagement/managedAppPolicies/${args.policyId}`; break; default: throw new McpError(ErrorCode.InvalidParams, `Unknown policy type: ${args.policyType}`); } result = await graphClient.api(apiPath).patch(updatePayload); break; case 'delete': if (!args.policyId) { throw new McpError(ErrorCode.InvalidParams, 'policyId is required for delete action'); } switch (args.policyType) { case 'Configuration': 
apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}`; break; case 'Compliance': apiPath = `/deviceManagement/deviceCompliancePolicies/${args.policyId}`; break; case 'Security': case 'EndpointSecurity': apiPath = `/deviceManagement/intents/${args.policyId}`; break; case 'Update': apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}`; break; case 'AppProtection': apiPath = `/deviceAppManagement/managedAppPolicies/${args.policyId}`; break; default: throw new McpError(ErrorCode.InvalidParams, `Unknown policy type: ${args.policyType}`); } result = await graphClient.api(apiPath).delete(); break; case 'assign': if (!args.policyId || !args.assignments) { throw new McpError(ErrorCode.InvalidParams, 'policyId and assignments are required for assign action'); } switch (args.policyType) { case 'Configuration': apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}/assign`; break; case 'Compliance': apiPath = `/deviceManagement/deviceCompliancePolicies/${args.policyId}/assign`; break; case 'Security': case 'EndpointSecurity': apiPath = `/deviceManagement/intents/${args.policyId}/assign`; break; case 'Update': apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}/assign`; break; case 'AppProtection': apiPath = `/deviceAppManagement/managedAppPolicies/${args.policyId}/assign`; break; default: throw new McpError(ErrorCode.InvalidParams, `Unknown policy type: ${args.policyType}`); } result = await graphClient.api(apiPath).post({ assignments: args.assignments }); break; case 'deploy': if (!args.policyId) { throw new McpError(ErrorCode.InvalidParams, 'policyId is required for deploy action'); } // Deploy immediately to assigned groups apiPath = `/deviceManagement/deviceConfigurations/${args.policyId}/assignments`; const assignments = await graphClient.api(apiPath).get(); result = { message: 'Policy deployment initiated', policyId: args.policyId, assignmentCount: assignments.value ? 
assignments.value.length : 0, deploymentSettings: args.deploymentSettings }; break; case 'create_settings_catalog': // Create a Settings Catalog policy from template if (!args.settingsCatalogTemplate) { throw new McpError(ErrorCode.InvalidParams, 'settingsCatalogTemplate is required for create_settings_catalog action'); } let catalogPolicy: SettingsCatalogPolicy; // Check if using a pre-built template if (args.settingsCatalogTemplate in SETTINGS_CATALOG_POLICY_TEMPLATES) { const templateName = args.settingsCatalogTemplate as keyof typeof SETTINGS_CATALOG_POLICY_TEMPLATES; const templateFunc = SETTINGS_CATALOG_POLICY_TEMPLATES[templateName]; // Some templates accept parameters if (templateName === 'WINDOWS_UPDATE' && args.settingsCatalogParams) { const { deferQualityDays, deferFeatureDays } = args.settingsCatalogParams; catalogPolicy = templateFunc(deferQualityDays, deferFeatureDays); } else if (templateName === 'PASSWORD_POLICY' && args.settingsCatalogParams) { const { minLength, complexity } = args.settingsCatalogParams; catalogPolicy = templateFunc(minLength, complexity); } else { catalogPolicy = templateFunc(); } } else if (args.customSettingsCatalogPolicy) { // Use custom policy definition catalogPolicy = args.customSettingsCatalogPolicy; } else { throw new McpError(ErrorCode.InvalidParams, 'Invalid settingsCatalogTemplate or customSettingsCatalogPolicy required'); } // Override name and description if provided if (args.name) catalogPolicy.name = args.name; if (args.description) catalogPolicy.description = args.description; // Validate policy structure const validation = validateSettingsCatalogPolicy(catalogPolicy); if (!validation.valid) { throw new McpError( ErrorCode.InvalidParams, `Invalid Settings Catalog policy: ${validation.errors.join(', ')}` ); } // Create the policy using Graph API apiPath = '/deviceManagement/configurationPolicies'; const catalogPayload = { name: catalogPolicy.name, description: catalogPolicy.description || '', platforms: 
catalogPolicy.platforms, technologies: catalogPolicy.technologies, settings: catalogPolicy.settings, templateReference: catalogPolicy.templateReference }; result = await graphClient.api(apiPath).post(catalogPayload); // If assignments provided, assign the policy if (args.assignments && args.assignments.length > 0) { const assignPath = `/deviceManagement/configurationPolicies/${result.id}/assign`; await graphClient.api(assignPath).post({ assignments: args.assignments }); } result.message = 'Settings Catalog policy created successfully'; result.template = args.settingsCatalogTemplate; break; case 'create_ppc': // Create a Platform Protection Configuration (PPC) policy from template if (!args.ppcTemplate) { throw new McpError(ErrorCode.InvalidParams, 'ppcTemplate is required for create_ppc action'); } let ppcPolicy: PPCPolicyConfig; // Check if using a pre-built template if (args.ppcTemplate in PPC_POLICY_TEMPLATES) { const templateName = args.ppcTemplate as keyof typeof PPC_POLICY_TEMPLATES; ppcPolicy = PPC_POLICY_TEMPLATES[templateName](); } else if (args.customPPCPolicy) { // Use custom policy definition ppcPolicy = args.customPPCPolicy; } else { throw new McpError(ErrorCode.InvalidParams, 'Invalid ppcTemplate or customPPCPolicy required'); } // Override name and description if provided if (args.name) ppcPolicy.name = args.name; if (args.description) ppcPolicy.description = args.description; // Validate policy structure const ppcValidation = validatePPCPolicy(ppcPolicy); if (!ppcValidation.valid) { throw new McpError( ErrorCode.InvalidParams, `Invalid PPC policy: ${ppcValidation.errors.join(', ')}` ); } // Create the PPC policy using Security Management Intent API apiPath = '/deviceManagement/intents'; const ppcPayload = { displayName: ppcPolicy.name, description: ppcPolicy.description || '', templateId: ppcPolicy.templateId, settingsDelta: ppcPolicy.settings.map(setting => ({ '@odata.type': '#microsoft.graph.deviceManagementIntentSettingDelta', definitionId: 
setting.id, value: { '@odata.type': '#microsoft.graph.deviceManagementStringValue', value: String(setting.value) }, valueState: setting.valueState || 'configured' })) }; result = await graphClient.api(apiPath).post(ppcPayload); // If assignments provided, assign the policy if (args.assignments && args.assignments.length > 0) { const assignPath = `/deviceManagement/intents/${result.id}/assign`; await graphClient.api(assignPath).post({ assignments: args.assignments }); } result.message = 'PPC policy created successfully'; result.template = args.ppcTemplate; break; case 'list_templates': // List available Settings Catalog and PPC templates result = { settingsCatalogTemplates: Object.keys(SETTINGS_CATALOG_POLICY_TEMPLATES).map(key => ({ name: key, description: SETTINGS_CATALOG_POLICY_TEMPLATES[key as keyof typeof SETTINGS_CATALOG_POLICY_TEMPLATES]().description })), ppcTemplates: Object.keys(PPC_POLICY_TEMPLATES).map(key => ({ name: key, description: PPC_POLICY_TEMPLATES[key as keyof typeof PPC_POLICY_TEMPLATES]().description })) }; break; default: throw new McpError(ErrorCode.InvalidParams, `Unknown action: ${args.action}`); } return {