Windows Compliance Policy Check
The asd-wincomp-get.ps1 script is a comprehensive compliance auditing tool that validates Microsoft Intune Windows 10/11 Compliance Policies against the Australian Signals Directorate (ASD) Blueprint baseline requirements. It retrieves policies from Microsoft Graph, compares them against defined security baselines, and generates detailed compliance reports in HTML and optionally CSV formats.
This script automates the verification process for Windows device compliance policies in Microsoft Intune, ensuring they meet the security standards defined in the ASD Blueprint for Secure Cloud. It identifies configuration gaps and non-compliant settings, providing IT administrators with actionable insights to strengthen their organization's security posture.
- Author: CIAOPS
- Version: 1.0
- Last Updated: November 19, 2025
- Repository: https://github.com/directorcia/office365
- Microsoft.Graph.Authentication: PowerShell module for Microsoft Graph API authentication
  - Install command: `Install-Module Microsoft.Graph -Scope CurrentUser`
- Required permission:
  - DeviceManagementConfiguration.Read.All: Required to read Intune compliance policies
  - Alternative: Global Reader role provides sufficient access
- PowerShell 5.1 or later
- Internet connection (when using GitHub-hosted baseline)
- Valid Microsoft 365/Azure AD credentials with appropriate permissions
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| ExportToCSV | Switch | No | False | Enables CSV export of compliance check results |
| CSVPath | String | No | Auto-generated | Custom path for CSV export file. Defaults to parent directory with timestamp |
| BaselinePath | String | No | GitHub URL | Path or URL to baseline JSON file. Defaults to latest ASD Blueprint settings from GitHub |
| DetailedLogging | Switch | No | False | Enables detailed logging to file for troubleshooting |
| LogPath | String | No | Auto-generated | Custom path for log file. Defaults to parent directory with timestamp |
| HTMLPath | String | No | Auto-generated | Custom output path for HTML compliance report |
| PolicyName | String | No | All policies | Target a specific compliance policy by display name. If not specified, all Windows compliance policies are checked |
The script uses a JSON baseline file that defines required compliance settings. By default, it retrieves the latest baseline from:
https://raw.githubusercontent.com/directorcia/bp/main/Intune/Policies/ASD/windows-compliance.json
The baseline must conform to the Microsoft Graph windows10CompliancePolicy schema:

```json
{
  "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequired": true,
  "passwordBlockSimple": true,
  "passwordMinimumLength": 15,
  "passwordRequiredType": "deviceDefault",
  "passwordMinutesOfInactivityBeforeLock": 15,
  "passwordExpirationDays": null,
  "passwordPreviousPasswordBlockCount": null,
  "requireHealthyDeviceReport": true,
  "osMinimumVersion": "10.0.19041.1",
  "osMaximumVersion": null,
  "mobileOsMinimumVersion": null,
  "mobileOsMaximumVersion": null,
  "earlyLaunchAntiMalwareDriverEnabled": true,
  "bitLockerEnabled": true,
  "secureBootEnabled": true,
  "codeIntegrityEnabled": true,
  "storageRequireEncryption": true,
  "activeFirewallRequired": true,
  "defenderEnabled": true,
  "defenderVersion": null,
  "signatureOutOfDate": false,
  "rtpEnabled": true,
  "antivirusRequired": true,
  "antiSpywareRequired": true,
  "deviceThreatProtectionEnabled": false,
  "deviceThreatProtectionRequiredSecurityLevel": "unavailable",
  "configurationManagerComplianceRequired": false,
  "tpmRequired": true
}
```

Users can provide their own baseline JSON file by specifying the -BaselinePath parameter:

```powershell
.\asd-wincomp-get.ps1 -BaselinePath "C:\Baselines\custom-windows-compliance.json"
```

Write-Log
- Writes timestamped log entries to file when detailed logging is enabled
- Parameters: `$Message` (string), `$Level` (string: INFO/WARN/ERROR)
- Silently handles logging errors to prevent script interruption
Write-ColorOutput
- Provides color-coded console output for improved readability
- Automatically logs messages when detailed logging is enabled
- Color mapping:
- Green: Success messages
- Yellow: Warning messages
- Red: Error messages
- Cyan: Informational messages
Test-BaselineSchema
- Validates baseline JSON structure and schema compliance
- Verifies presence of the `@odata.type` property
- Ensures the type matches *windows10CompliancePolicy*
- Returns: Boolean (true if valid, false if invalid)
Get-BaselineSettings
- Loads baseline configuration from URL or local file
- Handles both HTTP/HTTPS URLs and local file paths
- Validates JSON parsing and schema compliance
- Sets the `$script:baselineLoaded` flag on success
- Returns: Parsed JSON object, or `$null` on failure
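The loader and schema check described above, as an added example that is not the script's own code: the function names follow the documented ones but the bodies are illustrative, and only built-in cmdlets are used. The sample baseline is constructed and written to a temp file so the example runs offline.

```powershell
# Added example (not from asd-wincomp-get.ps1): minimal re-implementation of the
# documented baseline loader and schema check.
function Test-BaselineSchema {
    param([Parameter(Mandatory)][object]$Baseline)

    # The @odata.type property must be present and name the Windows 10 compliance policy type.
    $odataType = $Baseline.'@odata.type'
    if ([string]::IsNullOrWhiteSpace($odataType)) {
        Write-Warning "Baseline is missing the '@odata.type' property."
        return $false
    }
    if ($odataType -notlike '*windows10CompliancePolicy') {
        Write-Warning "Unexpected @odata.type '$odataType'; expected '#microsoft.graph.windows10CompliancePolicy'."
        return $false
    }
    return $true
}

function Get-BaselineSettings {
    param([Parameter(Mandatory)][string]$BaselinePath)

    try {
        # Remote baseline: fetch over HTTP(S). Local baseline: read the file as one string.
        if ($BaselinePath -match '^https?://') {
            $raw = (Invoke-WebRequest -Uri $BaselinePath -UseBasicParsing -ErrorAction Stop).Content
        } else {
            $raw = Get-Content -Path $BaselinePath -Raw -ErrorAction Stop
        }
        $baseline = $raw | ConvertFrom-Json -ErrorAction Stop
    } catch {
        # Download, read and parse failures all surface here and yield $null.
        Write-Warning "Failed to load/parse baseline JSON: $($_.Exception.Message)"
        return $null
    }

    if (-not (Test-BaselineSchema -Baseline $baseline)) { return $null }
    $script:baselineLoaded = $true
    return $baseline
}

# Constructed sample baseline (not the published ASD file), saved to a temp path.
$sample = @'
{ "@odata.type": "#microsoft.graph.windows10CompliancePolicy", "passwordRequired": true, "bitLockerEnabled": true }
'@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'baseline-sample.json'
Set-Content -Path $tmp -Value $sample

$baseline = Get-BaselineSettings -BaselinePath $tmp
"Baseline loaded: $($null -ne $baseline); baselineLoaded flag: $script:baselineLoaded"

# A wrong type is rejected without throwing; the caller only sees $null.
$bad = $sample -replace 'windows10CompliancePolicy', 'androidCompliancePolicy'
Set-Content -Path $tmp -Value $bad
"Bad baseline result is null: $($null -eq (Get-BaselineSettings -BaselinePath $tmp))"
```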
Test-GraphModule
- Verifies Microsoft.Graph.Authentication module is installed and loadable
- Provides installation guidance if module is missing
- Returns: Boolean (true if available, false if not)
Connect-MSGraph
- Establishes connection to Microsoft Graph API
- Checks for existing active connection before attempting new connection
- NEW: Automatic fallback to device code authentication if localhost binding fails
- NEW: Opens browser automatically to device login page when needed
- NEW: Enhanced error messages with troubleshooting solutions
- Requests the `DeviceManagementConfiguration.Read.All` scope
- Displays connected tenant ID for verification
- Returns: Boolean (true if connected, false on failure)
Authentication Flow:
- Check if already connected (reuse existing session)
- Attempt interactive browser authentication
- If localhost binding fails (HttpListenerException):
  - Automatically switch to device code authentication
  - Open browser to https://microsoft.com/devicelogin
  - Display device code in console
  - Wait for user to complete authentication
- Provide helpful error messages if all methods fail
Test-GraphPermissions
- Validates that the authenticated user has sufficient permissions
- Performs a test query to `deviceManagement/deviceCompliancePolicies`
- Returns: Boolean (true if permissions are adequate, false if insufficient)
Normalize-Value
- Standardizes values for accurate comparison
- Handles multiple data types:
- Booleans: Returns as true boolean
- Arrays: Converts to compressed JSON string
- Strings: Trims whitespace, converts "True"/"False" to boolean
- Null: Returns null
- Returns: Normalized value object
Compare-Values
- Compares current policy setting against required baseline value
- Uses normalized values for consistent comparison
- Implements case-insensitive string comparison
- Handles special cases:
- Both values null: Considered compliant
- Required value null: Considered compliant (setting not enforced)
- Array values: JSON string comparison
- Boolean values: Direct equality
- Returns: Boolean (true if compliant, false if non-compliant)
Test-Setting
- Evaluates a single policy setting against baseline requirement
- Creates structured result object with:
- Policy name
- Setting name
- Current value (or "Not set")
- Required value (or "Not set")
- Compliant flag (boolean)
- Status (PASS/FAIL)
- Logs result with appropriate level (INFO for pass, WARN for fail)
- Returns: PSCustomObject with compliance result
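A worked re-implementation of the Normalize-Value, Compare-Values and Test-Setting chain described above, added here as an example and not taken from the script. The sample checks at the end are constructed values, not tenant data, and cover the documented special cases (string "True" vs boolean, both-null, null requirement, whitespace, arrays).

```powershell
# Added example (not from asd-wincomp-get.ps1): normalization and comparison logic.
function Normalize-Value {
    param($Value)
    if ($null -eq $Value)  { return $null }
    if ($Value -is [bool]) { return $Value }
    # -InputObject avoids pipeline unrolling, so a one-element array still serializes as "[...]".
    if ($Value -is [array]) { return (ConvertTo-Json -InputObject $Value -Compress) }
    if ($Value -is [string]) {
        $trimmed = $Value.Trim()
        if ($trimmed -ieq 'true')  { return $true }
        if ($trimmed -ieq 'false') { return $false }
        return $trimmed
    }
    return $Value   # numbers and other scalars pass through unchanged
}

function Compare-Values {
    param($Current, $Required)
    $c = Normalize-Value $Current
    $r = Normalize-Value $Required
    if ($null -eq $r) { return $true }    # baseline does not enforce this setting (covers both-null too)
    if ($null -eq $c) { return $false }   # required, but not set on the policy
    if ($c -is [bool] -and $r -is [bool]) { return ($c -eq $r) }
    # Everything else (numbers, enum strings, JSON-encoded arrays) compares as case-insensitive text.
    return (([string]$c) -ieq ([string]$r))
}

function Test-Setting {
    param([string]$PolicyName, [string]$SettingName, $CurrentValue, $RequiredValue)
    $compliant    = Compare-Values -Current $CurrentValue -Required $RequiredValue
    $currentText  = if ($null -eq $CurrentValue)  { 'Not set' } else { [string]$CurrentValue }
    $requiredText = if ($null -eq $RequiredValue) { 'Not set' } else { [string]$RequiredValue }
    [PSCustomObject]@{
        Policy        = $PolicyName
        Setting       = $SettingName
        CurrentValue  = $currentText
        RequiredValue = $requiredText
        Compliant     = $compliant
        Status        = if ($compliant) { 'PASS' } else { 'FAIL' }
    }
}

# Constructed sample checks (no real tenant data). Expected: PASS, PASS, FAIL, PASS, PASS, FAIL.
$policy  = 'ASD Windows 10 Compliance'
$results = @(
    Test-Setting $policy 'passwordRequired'       'True'            $true
    Test-Setting $policy 'passwordMinimumLength'  15                15
    Test-Setting $policy 'bitLockerEnabled'       $false            $true
    Test-Setting $policy 'passwordExpirationDays' $null             $null
    Test-Setting $policy 'osMinimumVersion'       ' 10.0.19041.1 '  '10.0.19041.1'
    Test-Setting $policy 'validOperatingSystemBuildRanges' @('a','b') @('a')
)
$results | Format-Table Setting, CurrentValue, RequiredValue, Status -AutoSize
```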
New-HTMLReport
- Generates comprehensive HTML compliance report
- Calculates statistics:
- Total checks performed
- Number of passed checks
- Number of failed checks
- Compliance percentage
- Overall status (COMPLIANT/NON-COMPLIANT)
- Creates responsive HTML with:
- Gradient header with script branding
- Summary cards with key metrics
- Detailed results table with all findings
- Visual status badges (PASS/FAIL)
- Overall compliance status banner
- Reference links to ASD Blueprint documentation
- Styling features:
- Modern gradient design
- Responsive grid layout
- Hover effects on cards
- Color-coded status indicators
- Mobile-friendly viewport
- Returns: Boolean (true if successful, false on error)
Invoke-CompliancePolicyCheck
- Orchestrates the entire compliance checking process
- Policy Retrieval:
  - Queries Microsoft Graph API beta endpoint
  - Retrieves all device compliance policies
  - Handles pagination for large policy sets
  - Filters for Windows 10 compliance policies (`#microsoft.graph.windows10CompliancePolicy`)
  - Optionally filters by specific policy name
- Setting Analysis:
  - Extracts baseline settings (excludes metadata fields)
  - Handles mutually exclusive settings (passwordRequiredType vs passwordComplexity)
  - Retrieves detailed policy configuration for each policy
  - Compares each setting against baseline requirements
  - Handles additional properties in Graph API responses
- Results Processing:
- Displays color-coded console output for each check
- Shows current vs. required values
- Calculates summary statistics
- Determines overall compliance status
- Exports to CSV if requested
- Generates HTML report
- Attempts to open HTML report in default browser
- Returns: Array of compliance result objects
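The retrieval and analysis steps above as an added example (not the script's own code): beta endpoint, `@odata.nextLink` pagination, the `@odata.type` filter, metadata-key exclusion and the passwordRequiredType/passwordComplexity rule. It assumes an existing `Connect-MgGraph` session holding DeviceManagementConfiguration.Read.All; the baseline is a constructed three-setting sample and the per-setting status uses a plain text comparison rather than the fuller normalization Compare-Values performs.

```powershell
# Added example (not from asd-wincomp-get.ps1). Requires a connected Microsoft Graph session.
function Get-WindowsCompliancePolicies {
    param([string]$PolicyName)

    $uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'
    $all = @()
    while ($uri) {
        # Each page carries a value array and, when more remain, an @odata.nextLink.
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        $all += @($page.value)
        $uri  = $page.'@odata.nextLink'   # $null on the last page ends the loop
    }

    $windows = $all | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.windows10CompliancePolicy' }
    if ($PolicyName) { $windows = $windows | Where-Object { $_.displayName -eq $PolicyName } }
    return @($windows)
}

# Baseline keys that describe the document rather than a policy setting (assumed list).
$script:metadataKeys = @('@odata.type', 'id', 'displayName', 'description',
                         'createdDateTime', 'lastModifiedDateTime', 'version', 'roleScopeTagIds')

function Get-BaselineSettingNames {
    param([Parameter(Mandatory)][object]$Baseline)
    $names = @($Baseline.PSObject.Properties.Name | Where-Object { $_ -notin $script:metadataKeys })
    # Graph treats passwordRequiredType and passwordComplexity as mutually exclusive; prefer the former.
    if ('passwordRequiredType' -in $names) {
        $names = @($names | Where-Object { $_ -ne 'passwordComplexity' })
    }
    return $names
}

# Constructed sample baseline (three settings plus the conflicting passwordComplexity key).
$baseline = @'
{ "@odata.type": "#microsoft.graph.windows10CompliancePolicy",
  "passwordRequiredType": "deviceDefault", "passwordComplexity": null,
  "bitLockerEnabled": true, "osMaximumVersion": null }
'@ | ConvertFrom-Json

$settingNames = Get-BaselineSettingNames -Baseline $baseline   # passwordRequiredType, bitLockerEnabled, osMaximumVersion
foreach ($policy in (Get-WindowsCompliancePolicies)) {
    # Fetch the full policy detail per id, as the script does.
    $detailUri = "https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies/$($policy.id)"
    $detail    = Invoke-MgGraphRequest -Method GET -Uri $detailUri -OutputType PSObject
    foreach ($name in $settingNames) {
        $current  = $detail.$name
        $required = $baseline.$name
        # A null requirement is not enforced; otherwise compare as case-insensitive text.
        $status = if (($null -eq $required) -or ("$current" -ieq "$required")) { 'PASS' } else { 'FAIL' }
        '[{0}] {1,-30} Current: {2,-14} Required: {3,-14} {4}' -f $policy.displayName, $name, "$current", "$required", $status
    }
}
```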
```text
├── Parse command-line parameters
├── Set default paths (CSV, HTML, Log)
├── Initialize script-scope variables
└── Display script header with configuration

├── Determine baseline source (URL or local file)
├── Download or read baseline JSON
├── Parse JSON content
├── Validate schema compliance
└── Set baselineLoaded flag

├── Check for Microsoft.Graph.Authentication module
├── Import required module
├── Check existing Graph connection
├── Connect to Microsoft Graph (if needed)
│   ├── Try interactive browser authentication
│   └── Fallback to device code if localhost binding fails
├── Request DeviceManagementConfiguration.Read.All scope
└── Validate permissions with test query

├── Query deviceManagement/deviceCompliancePolicies endpoint
├── Handle pagination for complete results
├── Filter for Windows 10 compliance policies
├── Apply policy name filter (if specified)
└── Display count of policies found

For each Windows compliance policy:
├── Retrieve full policy details via Graph API
├── Extract baseline settings list
├── Handle conflicting settings (passwordComplexity/passwordRequiredType)
├── For each baseline setting:
│   ├── Read current value from policy
│   ├── Read required value from baseline
│   ├── Normalize both values
│   ├── Compare values
│   ├── Create result object (PASS/FAIL)
│   └── Display result to console
└── Collect all results

├── Display detailed results in console
├── Calculate summary statistics
│   ├── Total checks
│   ├── Passed checks
│   ├── Failed checks
│   └── Compliance percentage
├── Determine overall status
├── Export to CSV (if requested)
├── Generate HTML report
│   ├── Create styled HTML structure
│   ├── Embed summary cards
│   ├── Build results table
│   ├── Add reference links
│   └── Save to file
└── Attempt to open report in browser
```
```powershell
.\asd-wincomp-get.ps1
```
Behavior:
- Connects to Microsoft Graph with interactive authentication
- Downloads latest baseline from GitHub
- Checks all Windows compliance policies
- Generates HTML report in parent directory
- Opens report in default browser

```powershell
.\asd-wincomp-get.ps1 -ExportToCSV
```
Behavior:
- Performs standard compliance check
- Generates HTML report
- Exports results to CSV file with timestamp
- CSV includes: Policy, Setting, CurrentValue, RequiredValue, Status

```powershell
.\asd-wincomp-get.ps1 -BaselinePath "C:\Security\Baselines\windows-compliance.json"
```
Behavior:
- Uses local baseline file instead of GitHub source
- Validates custom baseline schema
- Performs compliance check against custom requirements

```powershell
.\asd-wincomp-get.ps1 -PolicyName "ASD Windows 10 Compliance"
```
Behavior:
- Checks only the specified policy
- Reduces execution time for targeted audits
- Useful for validating specific policy changes

```powershell
.\asd-wincomp-get.ps1 -DetailedLogging
```
Behavior:
- Enables comprehensive logging to file
- Includes timestamps for all operations
- Logs all setting comparisons
- Useful for troubleshooting and audit trails

```powershell
.\asd-wincomp-get.ps1 -CSVPath "C:\Reports\compliance.csv" -HTMLPath "C:\Reports\compliance.html" -LogPath "C:\Logs\compliance.log" -ExportToCSV -DetailedLogging
```
Behavior:
- Specifies custom locations for all output files
- Enables both CSV export and detailed logging
- Useful for integration with existing reporting systems

```powershell
.\asd-wincomp-get.ps1 -BaselinePath "C:\Baselines\custom.json" -PolicyName "Production Compliance" -ExportToCSV -CSVPath "C:\Audits\prod-compliance.csv" -DetailedLogging -LogPath "C:\Audits\prod-compliance.log"
```
Behavior:
- Uses custom baseline
- Targets specific policy
- Exports to custom CSV location
- Enables detailed logging to custom location
- Comprehensive audit for production environment
Location: <parent-directory>\asd-wincomp-get-YYYYMMDD-HHmmss.html
Features:
- Responsive design optimized for desktop and mobile
- Modern gradient styling with professional appearance
- Summary dashboard with key compliance metrics:
- Total checks performed
- Passed checks (green)
- Failed checks (red)
- Overall compliance percentage
- Detailed results table showing:
- Visual status badges (PASS/FAIL)
- Policy name
- Setting name
- Current configured value
- Required baseline value
- Overall compliance banner
- Reference links to:
- ASD Blueprint for Secure Cloud documentation
- Security controls explanation wiki
- Automatically opens in default browser after generation
Location: <parent-directory>\asd-wincomp-get-YYYYMMDD-HHmmss.csv
Format:
```csv
Policy,Setting,CurrentValue,RequiredValue,Status
"ASD Windows 10 Compliance","passwordRequired","True","True","PASS"
"ASD Windows 10 Compliance","passwordMinimumLength","15","15","PASS"
"ASD Windows 10 Compliance","bitLockerEnabled","False","True","FAIL"
```
Columns:
- Policy: Display name of the compliance policy
- Setting: Name of the configuration setting
- CurrentValue: Current value in Intune policy
- RequiredValue: Required value from baseline
- Status: PASS or FAIL
Location: <parent-directory>\asd-wincomp-get-YYYYMMDD-HHmmss.log
Format:
```text
[2025-11-19 14:30:15] [INFO] Loading baseline from: https://raw.githubusercontent.com/...
[2025-11-19 14:30:16] [INFO] Check [ASD Windows 10 Compliance] passwordRequired - Current: True, Required: True, Status: PASS
[2025-11-19 14:30:16] [WARN] Check [ASD Windows 10 Compliance] bitLockerEnabled - Current: False, Required: True, Status: FAIL
```
Content:
- Timestamped entries for all operations
- Detailed setting comparison results
- Error messages and warnings
- Useful for debugging and audit trails
```text
========================================
ASD Windows Compliance Policy Check
========================================
Baseline: GitHub (latest)
Location: https://raw.githubusercontent.com/directorcia/bp/main/Intune/Policies/ASD/windows-compliance.json
Output: C:\downloads\source

Checking for Microsoft.Graph modules...
Microsoft.Graph.Authentication module loaded.
Checking Microsoft Graph connection...
Connecting to Microsoft Graph...
Connected to Microsoft Graph.
Tenant: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Validating Microsoft Graph permissions...
Permission validation passed.

========================================
ASD Windows Compliance Policy Check v1.0
ASD Blueprint Compliance Check
========================================
Retrieving Windows compliance policies from Intune...
Found 2 Windows compliance policies to check.
Checking policy: ASD Windows 10 Compliance
Checking policy: Legacy Windows Compliance

========================================
CHECK RESULTS
========================================
[✓] [ASD Windows 10 Compliance] passwordRequired
    Current : True
    Required: True
    Status  : PASS
[✗] [ASD Windows 10 Compliance] bitLockerEnabled
    Current : False
    Required: True
    Status  : FAIL
[✓] [ASD Windows 10 Compliance] secureBootEnabled
    Current : True
    Required: True
    Status  : PASS

========================================
SUMMARY
========================================
Total Checks : 30
Passed       : 27
Failed       : 3
Compliance   : 90.0%
Status       : NON-COMPLIANT ✗
========================================
Results exported to: C:\downloads\source\asd-wincomp-get-20251119-143025.csv
Generating HTML report...
HTML report generated: C:\downloads\source\asd-wincomp-get-20251119-143025.html
Script completed.
```
The script validates the following compliance settings against the ASD Blueprint baseline:

- `passwordRequired`: Whether a password is required
- `passwordBlockSimple`: Block simple passwords
- `passwordMinimumLength`: Minimum password length
- `passwordRequiredType`: Type of password required (deviceDefault, alphanumeric, numeric)
- `passwordMinutesOfInactivityBeforeLock`: Inactivity timeout before lock
- `passwordExpirationDays`: Password expiration period
- `passwordPreviousPasswordBlockCount`: Number of previous passwords to block

- `requireHealthyDeviceReport`: Require device to report as healthy
- `earlyLaunchAntiMalwareDriverEnabled`: Early Launch Anti-Malware (ELAM) driver enabled
- `bitLockerEnabled`: BitLocker drive encryption enabled
- `secureBootEnabled`: Secure Boot enabled
- `codeIntegrityEnabled`: Code integrity (Device Guard) enabled
- `storageRequireEncryption`: Storage encryption required
- `tpmRequired`: Trusted Platform Module (TPM) required

- `osMinimumVersion`: Minimum Windows OS version
- `osMaximumVersion`: Maximum Windows OS version
- `mobileOsMinimumVersion`: Minimum mobile OS version (if applicable)
- `mobileOsMaximumVersion`: Maximum mobile OS version (if applicable)

- `activeFirewallRequired`: Windows Firewall must be active
- `defenderEnabled`: Windows Defender enabled
- `defenderVersion`: Minimum Windows Defender version
- `signatureOutOfDate`: Block outdated virus definitions
- `rtpEnabled`: Real-time protection enabled
- `antivirusRequired`: Antivirus required
- `antiSpywareRequired`: Anti-spyware required

- `deviceThreatProtectionEnabled`: Device threat protection enabled
- `deviceThreatProtectionRequiredSecurityLevel`: Required security level (unavailable, secured, low, medium, high, notSet)
- `configurationManagerComplianceRequired`: Configuration Manager compliance required

The script handles the following mutually exclusive settings per Microsoft Graph API limitations:
- `passwordRequiredType` (preferred)
- `passwordComplexity` (skipped when passwordRequiredType is present)
```text
Failed to connect to Microsoft Graph: InteractiveBrowserCredential authentication failed
```
Resolution:
- Script now automatically falls back to device code authentication
- Browser opens automatically to https://microsoft.com/devicelogin
- Copy the displayed device code and paste it in the browser
- Alternative: Run PowerShell as Administrator
- Alternative: Run `netsh http add iplisten 127.0.0.1` as Admin

```text
Permission validation failed: Insufficient privileges
Required permission: DeviceManagementConfiguration.Read.All
```
Resolution:
- Request admin to grant DeviceManagementConfiguration.Read.All permission
- Alternative: Request Global Reader role assignment
- Contact tenant administrator for permission elevation

```text
Failed to load/parse baseline JSON: The remote server returned an error: (404) Not Found
```
Resolution:
- Verify baseline URL is accessible
- Check internet connectivity
- Use a local baseline file with the `-BaselinePath` parameter
- Verify JSON syntax in custom baseline files

```text
Failed to load Microsoft.Graph.Authentication module
Install with: Install-Module Microsoft.Graph -Scope CurrentUser
```
Resolution:
- Install module: `Install-Module Microsoft.Graph -Scope CurrentUser`
- Restart PowerShell session
- Verify module installation: `Get-Module Microsoft.Graph.* -ListAvailable`

If device code is not displaying:
- Update Microsoft.Graph module: `Update-Module Microsoft.Graph -Force`
- Manually connect first: `Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -UseDeviceAuthentication`
- Check module version: `Get-Module Microsoft.Graph.Authentication -ListAvailable`
- Uses delegated authentication via Microsoft Graph
- Requires interactive sign-in for consent
- NEW: Supports device code authentication for restricted environments
- Credentials are never stored by the script
- Leverages Microsoft Identity Platform security
- Minimal permission scope requested (DeviceManagementConfiguration.Read.All)
- Read-only access to compliance policies
- No modification capabilities
- Follows principle of least privilege
- No sensitive data is stored locally (except optional logs)
- Reports contain configuration data, not user data
- Baseline JSON contains only setting names and values
- Log files should be treated as confidential and stored securely
- Uses HTTPS for GitHub baseline downloads
- Microsoft Graph API uses TLS encryption
- No external dependencies beyond Microsoft services
Symptoms: Script appears frozen, no console output
Possible Causes:
- Graph API rate limiting
- Large number of policies
- Network latency
Solutions:
- Enable detailed logging: `-DetailedLogging`
- Target a specific policy: `-PolicyName "PolicyName"`
- Check network connectivity
- Wait for rate limiting to clear (usually 60 seconds)
Symptoms: Report generated but doesn't open in browser
Possible Causes:
- Default browser not configured
- File association issues
- Security restrictions
Solutions:
- Manually open HTML file from output path
- Use alternative browser
- Check file permissions
- Verify HTML file was created successfully
Symptoms: "Baseline JSON schema validation failed" error
Possible Causes:
- Invalid JSON syntax
- Missing required properties
- Incorrect @odata.type
Solutions:
- Validate JSON syntax using online validator
- Ensure `@odata.type` is `#microsoft.graph.windows10CompliancePolicy`
- Compare against example baseline structure
- Use default GitHub baseline to verify script functionality
Symptoms: "No Windows 10/11 compliance policies found"
Possible Causes:
- No compliance policies configured in tenant
- Policies are not Windows 10 type
- Incorrect policy name specified
Solutions:
- Verify policies exist in Intune portal
- Check policy type (must be Windows 10 Compliance)
- Verify `-PolicyName` parameter spelling
- Remove the `-PolicyName` parameter to check all policies
Symptoms: HttpListenerException occurred while listening on http://localhost
Automatic Handling:
- Script automatically detects this error
- Switches to device code authentication
- Opens browser to device login page
- Displays device code in console
Manual Solutions:
- Run PowerShell as Administrator (easiest)
- Run `netsh http add iplisten 127.0.0.1` (as Admin)
- Pre-connect: `Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All" -UseDeviceAuthentication`
The script can be scheduled using Windows Task Scheduler. Note that the script authenticates interactively (browser or device code) and only reuses a Graph connection that already exists in its own session, so an unattended run started by the scheduler will stop at sign-in unless that interactive step can complete in the task's context.

```powershell
# Create scheduled task
$action    = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-ExecutionPolicy Bypass -File C:\Scripts\asd-wincomp-get.ps1 -ExportToCSV -DetailedLogging"
$trigger   = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 9am
$principal = New-ScheduledTaskPrincipal -UserId "DOMAIN\ServiceAccount" -LogonType Password
Register-ScheduledTask -TaskName "ASD Compliance Check" -Action $action -Trigger $trigger -Principal $principal
```

Example Azure DevOps pipeline:

```yaml
steps:
  - task: PowerShell@2
    inputs:
      filePath: '$(System.DefaultWorkingDirectory)/asd-wincomp-get.ps1'
      arguments: '-ExportToCSV -CSVPath "$(Build.ArtifactStagingDirectory)/compliance.csv" -HTMLPath "$(Build.ArtifactStagingDirectory)/compliance.html"'
    displayName: 'Run ASD Compliance Check'
  - task: PublishBuildArtifacts@1
    inputs:
      pathToPublish: '$(Build.ArtifactStagingDirectory)'
      artifactName: 'ComplianceReports'
```

Integrate with Send-MailMessage for automated reporting:

```powershell
.\asd-wincomp-get.ps1 -ExportToCSV

# Sender and recipient addresses below are placeholders
$mailParams = @{
    From        = "compliance@company.com"
    To          = "security-team@company.com"
    Subject     = "ASD Windows Compliance Report - $(Get-Date -Format 'yyyy-MM-dd')"
    Body        = "Please find attached the latest compliance report."
    # Attach the most recently generated HTML report from the parent directory
    Attachments = (Get-ChildItem "$PSScriptRoot\..\asd-wincomp-get-*.html" | Sort-Object LastWriteTime -Descending | Select-Object -First 1).FullName
    SmtpServer  = "smtp.company.com"
}
Send-MailMessage @mailParams
```

- ASD's Blueprint for Secure Cloud: https://blueprint.asd.gov.au/
- Windows Device Compliance: https://blueprint.asd.gov.au/configuration/intune/device-compliance/
- Security Controls Wiki: https://github.com/directorcia/bp/wiki/Windows-Compliance-Policy-Check
- Microsoft Graph API: https://docs.microsoft.com/en-us/graph/api/resources/intune-deviceconfig-windows10compliancepolicy
- Intune Compliance Policies: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
- Microsoft.Graph PowerShell Module: https://docs.microsoft.com/en-us/powershell/microsoftgraph/
- asd-wincomp-set.ps1: Script to configure Windows compliance policies (companion script)
- Graph API Scripts: Additional Microsoft Graph automation scripts in repository
- Initial release
- Core compliance checking functionality
- HTML and CSV report generation
- Microsoft Graph API integration
- ASD Blueprint baseline support
- Detailed logging capability
- Error handling and validation
- Responsive HTML report design
- NEW: Automatic device code authentication fallback for localhost binding issues
- NEW: Browser auto-launch for device code authentication
- NEW: Enhanced error messages with troubleshooting guidance
- NEW: Improved authentication reliability across different environments
- GitHub Issues: https://github.com/directorcia/office365/issues
- Include script version, PowerShell version, and error messages
- Attach log file (if detailed logging was enabled)
- Fork the repository
- Create feature branch
- Submit pull request with detailed description
- Follow existing code style and documentation standards
- GitHub Repository: https://github.com/directorcia/office365
- Wiki Documentation: https://github.com/directorcia/office365/wiki
This script is provided as-is without warranty. Use at your own risk. Always test in a non-production environment before deploying to production.
Last Updated: November 19, 2025
Documentation Version: 1.0