feat(baseline): declarative Intune baseline deployer

- Add Deploy-IntuneBaseline.ps1 for YAML-driven policy + assignment deployment - Add ConvertTo-IntuneBaseline.ps1 to convert export folders to baseline manifests - Add example OpenIntuneBaseline YAML in Baselines/ - Supports mutations, group auto-creation, idempotency, and WhatIf mode
2026-04-14 14:59:29 +02:00
parent 87b7af25a7
commit c4b8f4aaf6
5 changed files with 881 additions and 0 deletions
--- a/Baselines/OpenIntuneBaseline.example.yaml
+++ b/Baselines/OpenIntuneBaseline.example.yaml
@@ -0,0 +1,81 @@
+baseline:
+  name: OpenIntuneBaseline-v3-Example
+  conflictResolution: Skip      # Skip | Update | Error
+  whatIf: false
+
+  # Global name mutation applied to every policy (optional)
+  tenantMutation:
+    search: "OIB-"
+    replace: "CONTOSO-"
+    # Alternatively use prefix instead of search/replace:
+    # prefix: "CONTOSO-"
+
+  # Cloud-only security groups to create if they do not exist
+  groups:
+    - displayName: "Baseline - Windows Devices"
+      mailNickname: "BaselineWinDevices"
+      securityEnabled: true
+    - displayName: "Baseline - macOS Devices"
+      mailNickname: "BaselineMacDevices"
+      securityEnabled: true
+    - displayName: "Baseline - Pilot Users"
+      mailNickname: "BaselinePilotUsers"
+      securityEnabled: true
+
+  policies:
+    # Device Configuration
+    - sourcePath: ./policies/OIB-Windows-Defender-ASR.json
+      type: DeviceConfiguration
+      assignments:
+        - targetType: Group
+          groupName: "Baseline - Windows Devices"
+
+    # Settings Catalog (uses 'name' instead of displayName)
+    - sourcePath: ./policies/OIB-SettingsCatalog-LoginWindow.json
+      type: SettingsCatalog
+      # Per-policy mutation override
+      mutation:
+        search: "OIB-"
+        replace: "CONTOSO-"
+      assignments:
+        - targetType: Group
+          groupName: "Baseline - macOS Devices"
+        - targetType: AllDevices
+
+    # Compliance Policy
+    - sourcePath: ./policies/OIB-Compliance-Windows.json
+      type: CompliancePolicies
+      assignments:
+        - targetType: Group
+          groupName: "Baseline - Windows Devices"
+
+    # Endpoint Security (DeviceManagementIntents)
+    # If a sibling file *_Settings.json exists, it will be imported automatically.
+    - sourcePath: ./policies/OIB-EndpointSecurity-Defender.json
+      type: EndpointSecurity
+      assignments:
+        - targetType: Group
+          groupName: "Baseline - Windows Devices"
+
+    # Administrative Templates
+    - sourcePath: ./policies/OIB-ADMX-OfficeSettings.json
+      type: AdministrativeTemplates
+      assignments:
+        - targetType: Group
+          groupName: "Baseline - Pilot Users"
+
+    # macOS Script
+    - sourcePath: ./policies/OIB-MacScript-CompanyBranding.json
+      type: MacScripts
+      assignments:
+        - targetType: Group
+          groupName: "Baseline - macOS Devices"
+
+    # Application (metadata JSON only; .intunewin binary upload is NOT handled here)
+    - sourcePath: ./apps/OIB-CompanyPortal.json
+      type: Applications
+      assignments:
+        - targetType: AllUsers
+          intent: Available
+        - targetType: AllDevices
+          intent: Required