Request for the ability to deploy and manage custom compliance discovery scripts within Nerdio NMM that integrate with compliance policies for enhanced device compliance monitoring.
Custom compliance discovery scripts for Microsoft Intune (Planned)
Welcome to the community, Daniel Wheeler 🙂!
I can't say as I have used Compliance Discovery Scripts, yet.
They look really cool.
At a high-level, it looks pretty simple (import scripts from an existing tenant and deploy them to customer tenants), but we'll have to see what options are available to us in the GraphAPI.
Are you currently utilizing Compliance Discovery Scripts or is it more, “this is where we want to get to with all of our customers”?
Hi Dave,
Yes, I leverage custom compliance policies for customers using EDR solutions beyond Defender, such as SentinelOne and CrowdStrike. These policies also help ensure applications are running approved versions on endpoints, making it easy to identify vulnerable applications across devices.
I deploy these using the Graph API, and they consist of two key components:
1. Discovery Script
A PowerShell script that outputs results in JSON format, which gets uploaded to the tenant via Graph API (the script must be Base64-encoded):
POST https://graph.microsoft.com/beta/deviceManagement/deviceComplianceScripts
Request Body
{
"@odata.type": "#microsoft.graph.deviceComplianceScript",
"publisher": "Your Organization Name",
"version": "1",
"displayName": "Name of the Script as Shown in Intune",
"description": "What this script is checking for and how it determines compliance.",
"detectionScriptContent": "<Base64-encoded PowerShell script>",
"runAsAccount": "system", // or "user"
"enforceSignatureCheck": false,
"runAs32Bit": false,
"roleScopeTagIds": []
}
2. Validation Rule
A JSON format rule that defines compliance criteria. This is defined and lives in the Compliance policy, unlike the discovery script.
Example
{
"Rules":[
{
"SettingName":"Sentinel Agent",
"Operator":"GreaterEquals",
"DataType":"Version",
"Operand":"24.0.0",
"MoreInfoUrl":"https://www.sentinelOne.com",
"RemediationStrings":[
{
"Language": "en_US",
"Title": "Sentinel Agent is outdated.",
"Description": "Make sure to patch Sentinel Agent to the latest version."
}
]
}
]
}
The discovery script gets assigned an ID in the tenant which can be obtained using Graph
GET https://graph.microsoft.com/beta/deviceManagement/deviceComplianceScripts
I maintain global variables at the MSP level as placeholders for these Script IDs, then assign them at the account level for scalability.
The validation rule is then encoded in Base64 and integrated into the Compliance Policy JSON where it's compared against the Discovery Script output (e.g., application version number):
"deviceCompliancePolicyScript": {
"deviceComplianceScriptId": "{$InheritedVars.CP-400}",
"rulesContent": "<Base64 encoded JSON rule> "
},
Long story short… The Graph API can be utilized for this use case. Custom compliance policies are a valuable but underutilized resource in most tenants, offering significant potential for enhanced monitoring and management.
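A local dry-run of the two pieces described in the post above, as an added example (not the poster's code): it builds the deviceComplianceScript request body and the deviceCompliancePolicyScript fragment with the Base64 encoding Graph expects, and evaluates a validation rule set against a discovery script's JSON output before anything is deployed to a tenant. The sample discovery script, its Get-Package lookup and the package name are assumptions; adapt them to the EDR agent you check.

```python
import base64
import json

# Constructed sample discovery script (assumption: the agent version is
# visible to Get-Package under this package name; adjust per vendor).
DISCOVERY_PS1 = r"""$pkg = Get-Package -Name 'Sentinel Agent' -ErrorAction SilentlyContinue
$ver = if ($pkg) { [string]$pkg.Version } else { '0.0.0' }
@{ 'Sentinel Agent' = $ver } | ConvertTo-Json -Compress"""

# Validation rule in the same shape as the one in the post; it lives in the
# compliance policy, not in the discovery script.
RULES = {"Rules": [{"SettingName": "Sentinel Agent", "Operator": "GreaterEquals",
                    "DataType": "Version", "Operand": "24.0.0"}]}

def b64(text: str) -> str:
    """Base64-encode UTF-8 text, as Graph expects for script and rule content."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def script_body(name: str, publisher: str, script: str) -> dict:
    """Body for POST /beta/deviceManagement/deviceComplianceScripts."""
    return {"@odata.type": "#microsoft.graph.deviceComplianceScript",
            "publisher": publisher, "version": "1", "displayName": name,
            "detectionScriptContent": b64(script), "runAsAccount": "system",
            "enforceSignatureCheck": False, "runAs32Bit": False,
            "roleScopeTagIds": []}

def policy_fragment(script_id: str, rules: dict) -> dict:
    """deviceCompliancePolicyScript block to embed in the compliance policy JSON."""
    return {"deviceComplianceScriptId": script_id,
            "rulesContent": b64(json.dumps(rules, separators=(",", ":")))}

def _version(s: str) -> tuple:
    return tuple(int(p) for p in s.split("."))

_OPS = {"IsEquals": lambda a, b: a == b, "NotEquals": lambda a, b: a != b,
        "GreaterThan": lambda a, b: a > b, "GreaterEquals": lambda a, b: a >= b,
        "LessThan": lambda a, b: a < b, "LessEquals": lambda a, b: a <= b}

def evaluate(rules: dict, discovery_output: str) -> bool:
    """Dry-run the rule set against a discovery script's JSON output locally."""
    found = json.loads(discovery_output)
    for rule in rules["Rules"]:
        value = found.get(rule["SettingName"])
        if value is None:
            return False  # setting missing from the output counts as noncompliant
        if rule["DataType"] == "Version":
            lhs, rhs = _version(value), _version(rule["Operand"])
        else:
            lhs, rhs = value, rule["Operand"]
        if not _OPS[rule["Operator"]](lhs, rhs):
            return False
    return True
```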
Daniel Wheeler Thanks for the suggestion! Custom compliance discovery scripts for Intune are actually in our plans as part of a larger initiative we have on the roadmap. Stay tuned!
Gido Veekens How far is this up the roadmap yet? Can't find it on the roadmap.