maester-tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1

# Pester suite for the Maester Intune platform checks. Each It calls one Test-Mt* helper
# (defined outside this file) and asserts that the helper returned $true.
#
# NOTE(review): every It returns early when its helper yields $null, so no assertion runs
# in that case. Unless the helper records a skip itself (not visible here - confirm), such
# a test is reported as passed although the setting was never evaluated. Treat a green run
# as evidence only for the tests whose helper actually returned a value.
Describe "Maester/Intune" -Tag "Maester", "Intune" {
    # Device clean-up rule: the helper reports whether an automatic clean-up rule exists.
    It "MT.1053: Ensure intune device clean-up rule is configured" -Tag "MT.1053" {
        $checkResult = Test-MtManagedDeviceCleanupSettings
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "automatic device clean-up rule is configured."
    }

    # Built-in compliance policy: devices with no policy assigned must not count as compliant.
    It "MT.1054: Ensure built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'" -Tag "MT.1054" {
        $checkResult = Test-MtDeviceComplianceSettings
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "built-in device compliance policy marks devices with no policy assigned as 'Not compliant'."
    }

    # Multi Admin Approval: at least one approval policy must exist.
    It "MT.1096: Ensure at least one Intune Multi Admin Approval policy is configured" -Tag "MT.1096" {
        $checkResult = Test-MtOperationApprovalPolicies
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "at least one Intune Multi Admin Approval policy is configured."
    }

    # Windows diagnostic data processing setting.
    It "MT.1099: Windows Diagnostic Data Processing should be enabled" -Tag "MT.1099" {
        $checkResult = Test-MtWindowsDataProcessor
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "Windows Diagnostic Data Processing is enabled."
    }

    # Diagnostic settings must include Audit Logs, which investigations of admin actions rely on.
    It "MT.1100: Intune Diagnostic Settings should include Audit Logs" -Tag "MT.1100" {
        $checkResult = Test-MtIntuneDiagnosticSettings
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "Intune Diagnostic Settings include Audit Logs."
    }

    # Default branding profile customization.
    It "MT.1101: Default Branding Profile should be customized" -Tag "MT.1101" {
        $checkResult = Test-MtTenantCustomization
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "Default Branding Profile is customized."
    }

    # Feature update policies must not target Windows builds that are past end of support.
    It "MT.1102: Windows Feature Update Policy Settings should not reference end of support builds" -Tag "MT.1102" {
        $checkResult = Test-MtFeatureUpdatePolicy
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "Windows Feature Update Policy Settings do not reference end of support builds."
    }

    # Groups used for Intune RBAC must be protected so their membership cannot be changed freely.
    It "MT.1103: Ensure Intune RBAC groups are protected by Restricted Management Administrative Units or Role Assignable groups" -Tag "MT.1103" {
        $checkResult = Test-MtIntuneRbacGroupsProtected
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "Intune RBAC groups are protected by Restricted Management Administrative Units or Role Assignable groups."
    }

    # MDM authority must be Intune.
    It "MT.1105: Ensure MDM Authority is set to Intune" -Tag "MT.1105" {
        $checkResult = Test-MtMdmAuthority
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "MDM Authority is set to Intune."
    }

    # BitLocker: passes when at least one disk encryption policy enforces full disk encryption.
    # NOTE(review): "at least one policy" says nothing about which devices it is assigned to.
    It "MT.1123: Ensure BitLocker full disk encryption is configured" -Tag "MT.1123" {
        $checkResult = Test-MtBitLockerFullDiskEncryption
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "at least one Intune Endpoint Security Disk encryption policy enforces BitLocker full disk encryption."
    }

    # LAPS configuration policy.
    It "MT.1177: Ensure LAPS Configuration Policy is properly set. See https://maester.dev/docs/tests/MT.1177" -Tag "MT.1177" {
        $checkResult = Test-MtIntuneLAPSConfiguration
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "a LAPS Configuration policy is properly set in Intune."
    }

    # Attack Surface Reduction rules.
    # NOTE(review): per the -Because text, Audit mode appears to satisfy this check as well as
    # Block; Audit mode only records events, so a pass does not by itself show enforcement -
    # confirm against Test-MtIntuneASRRules.
    It "MT.1178: Ensure ASR Rules are configured correctly. See https://maester.dev/docs/tests/MT.1178" -Tag "MT.1178" {
        $checkResult = Test-MtIntuneASRRules
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "Attack Surface Reduction (ASR) Rules are configured in Block or Audit mode."
    }

    # App Control for Business.
    It "MT.1179: Ensure App Control for Business is enabled. See https://maester.dev/docs/tests/MT.1179" -Tag "MT.1179" {
        $checkResult = Test-MtIntuneAppControl
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "App Control for Business is enabled in Intune."
    }

    # Managed installer: passes when at least one App Control policy trusts managed-installer apps.
    It "MT.1180: Ensure Managed Installer Rules are configured correctly. See https://maester.dev/docs/tests/MT.1180" -Tag "MT.1180" {
        $checkResult = Test-MtIntuneManagedInstallerRules
        if ($null -eq $checkResult) { return }
        $checkResult | Should -Be $true -Because "'Trust apps from managed installer' is enabled in at least one App Control policy."
    }
}