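# Check 5.1.4.5 - Ensure Local Administrator Password Solution (LAPS) is enabled.
#
# Reads the tenant's device registration policy from Microsoft Graph and reports
# on localAdminPassword.isEnabled. Emits exactly one [pscustomobject] result with
# Status PASS / FAIL / MANUAL_REVIEW / ERROR so it can be aggregated by a caller.
#
# Requires an existing Connect-MgGraph session. NOTE(review): this reads the
# /beta endpoint, whose shape is not stable; a missing or renamed property is
# reported as MANUAL_REVIEW rather than guessed at.

$CheckId = "5.1.4.5"
$Title = "Ensure Local Administrator Password Solution is enabled"

function Get-NestedValue {
    <#
    .SYNOPSIS
        Walks a hashtable / object graph along a key path.
    .DESCRIPTION
        Each segment of -Path is looked up either as a dictionary key (for
        IDictionary values, which is what Invoke-MgGraphRequest returns) or as
        a property on the PSObject. Returns $null as soon as any segment is
        missing or the current value is $null, so callers can distinguish
        "property absent" from "property present".
    .PARAMETER InputObject
        Root object to start the walk from.
    .PARAMETER Path
        Ordered list of key / property names to descend through.
    .OUTPUTS
        The value at the end of the path, or $null if any segment is missing.
    #>
    param(
        [Parameter(Mandatory = $true)][object]$InputObject,
        [Parameter(Mandatory = $true)][string[]]$Path
    )

    $Node = $InputObject
    foreach ($Key in $Path) {
        if ($null -eq $Node) { return $null }

        if ($Node -is [System.Collections.IDictionary]) {
            if (-not $Node.Contains($Key)) { return $null }
            $Node = $Node[$Key]
            continue
        }

        $Member = $Node.PSObject.Properties[$Key]
        if ($null -eq $Member) { return $null }
        $Node = $Member.Value
    }
    return $Node
}

function ConvertTo-NullableBool {
    <#
    .SYNOPSIS
        Converts a Graph-returned flag to [bool], or $null if it is not clearly boolean.
    .DESCRIPTION
        A plain [bool] cast is unsafe here: in PowerShell [bool]"False" is $true
        because any non-empty string is truthy, which would turn a disabled
        policy into a PASS. Only real booleans, the strings "true"/"false"
        (case-insensitive) and the digits 0/1 are accepted; anything else
        returns $null so the caller can fall back to manual review.
    .PARAMETER Value
        Raw value as returned by the API (may be $null).
    .OUTPUTS
        [bool] or $null.
    #>
    param([object]$Value)

    if ($null -eq $Value) { return $null }
    if ($Value -is [bool]) { return $Value }

    $Text = ([string]$Value).Trim()
    # switch -Regex is case-insensitive by default.
    switch -Regex ($Text) {
        '^true$'  { return $true }
        '^false$' { return $false }
        '^[01]$'  { return ($Text -eq '1') }
    }
    return $null
}

$Uri = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"

try {
    $Policy = Invoke-MgGraphRequest -Method GET -Uri $Uri

    # Keep the whole localAdminPassword sub-object as evidence so a reviewer can
    # see exactly what the tenant returned, not just our interpretation of it.
    $LocalAdminPassword = Get-NestedValue -InputObject $Policy -Path @("localAdminPassword")
    $IsEnabledRaw = Get-NestedValue -InputObject $Policy -Path @("localAdminPassword", "isEnabled")
    $IsEnabled = ConvertTo-NullableBool -Value $IsEnabledRaw

    if ($null -eq $IsEnabled) {
        # Property absent, or present with a value we refuse to interpret.
        # Never report PASS on an unparsed value: fail safe to MANUAL_REVIEW.
        [pscustomobject]@{
            CheckId   = $CheckId
            Title     = $Title
            Status    = "MANUAL_REVIEW"
            Pass      = $null
            Evidence  = [pscustomobject]@{
                Uri                = $Uri
                localAdminPassword = $LocalAdminPassword
                isEnabledRaw       = $IsEnabledRaw
                ReviewAction       = "Verify localAdminPassword.isEnabled is True."
            }
            Error     = "Could not determine localAdminPassword.isEnabled."
            Timestamp = Get-Date
        }
    } else {
        [pscustomobject]@{
            CheckId   = $CheckId
            Title     = $Title
            Status    = if ($IsEnabled) { "PASS" } else { "FAIL" }
            Pass      = $IsEnabled
            Evidence  = [pscustomobject]@{
                Uri                = $Uri
                localAdminPassword = $LocalAdminPassword
                isEnabled          = $IsEnabled
                RecommendedState   = "True"
            }
            Error     = $null
            Timestamp = Get-Date
        }
    }
} catch {
    $Message = $_.Exception.Message

    # A permission problem means the check could not run, not that the control
    # failed; surface it as MANUAL_REVIEW so it is not mistaken for a finding.
    # The match is on message text only (no status code is inspected), so a
    # differently worded 403 would land in ERROR instead - still not a false PASS.
    $IsPermissionIssue = $Message -match "(?i)forbidden|insufficient|authorization|access denied"

    [pscustomobject]@{
        CheckId   = $CheckId
        Title     = $Title
        Status    = if ($IsPermissionIssue) { "MANUAL_REVIEW" } else { "ERROR" }
        Pass      = $null
        Evidence  = [pscustomobject]@{
            Uri                = $Uri
            # NOTE(review): confirm this scope against the Graph permissions
            # reference for deviceRegistrationPolicy before relying on it.
            RequiredGraphScope = "Policy.Read.DeviceConfiguration"
            ReviewAction       = "Verify localAdminPassword.isEnabled is True."
        }
        Error     = $Message
        Timestamp = Get-Date
    }
}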