SHELL/5.1.4.6.ps1
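# CIS Microsoft 365 Foundations Benchmark v6.0.1, control 5.1.4.6 (L2, Automated):
# "Ensure users are restricted from recovering BitLocker keys".
#
# Reads the tenant authorization policy through the Microsoft Graph PowerShell SDK
# and writes exactly one [pscustomobject] to the pipeline with Status PASS, FAIL or
# ERROR. Anything that prevents the setting from being located or interpreted is
# reported as ERROR (Pass = $null), never as PASS, so a gap in evidence is not
# counted as compliance.
#
# Requires an authenticated Graph session in which Get-MgPolicyAuthorizationPolicy
# is available; the check itself only reads the policy.

$CheckId = "5.1.4.6"
$Title = "Ensure users are restricted from recovering BitLocker keys"
$Level = "L2"
$BenchmarkType = "Automated"
$SourceDocument = "CIS_Microsoft_365_Foundations_Benchmark_v6.0.1"
$AuditCommands = @(
    '(Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions | Format-List AllowedToReadBitlockerKeysForOwnedDevice'
)

function Get-NamedValue {
    <#
    .SYNOPSIS
        Reads a property or dictionary entry by name, ignoring case.
    .DESCRIPTION
        Typed SDK objects expose PascalCase properties, while untyped shapes
        (AdditionalProperties, hashtables from raw Graph calls) use camelCase keys.
        Both are handled here so callers do not have to repeat the two lookups.
        Keys are compared with -ieq so any IDictionary implementation works, not only
        PowerShell hashtables.
    .PARAMETER Object
        Object or dictionary to read from; $null yields $null.
    .PARAMETER Name
        Property or key name to look up.
    .OUTPUTS
        The stored value, or $null when the name is absent.
    #>
    param(
        [AllowNull()] [object]$Object,
        [Parameter(Mandatory = $true)] [string]$Name
    )
    if ($null -eq $Object) { return $null }
    if ($Object -is [System.Collections.IDictionary]) {
        foreach ($Key in @($Object.Keys)) {
            if ([string]$Key -ieq $Name) { return $Object[$Key] }
        }
        return $null
    }
    $Property = $Object.PSObject.Properties[$Name]
    if ($null -ne $Property) { return $Property.Value }
    return $null
}

function Get-AllowedToReadBitlockerKeysForOwnedDeviceValue {
    <#
    .SYNOPSIS
        Extracts the raw AllowedToReadBitlockerKeysForOwnedDevice value from an authorization policy.
    .DESCRIPTION
        Looks first at DefaultUserRolePermissions on the policy (typed SDK shape), then at
        AdditionalProperties.defaultUserRolePermissions (untyped shape). Returns $null when
        the value is present in neither place; the caller reports that as ERROR.
    .PARAMETER AuthorizationPolicy
        Output of Get-MgPolicyAuthorizationPolicy, or an equivalent hashtable.
    .OUTPUTS
        The raw value as stored (typically [bool], possibly a string), or $null.
    #>
    param(
        [Parameter(Mandatory = $true)]
        [object]$AuthorizationPolicy
    )
    $Name = 'AllowedToReadBitlockerKeysForOwnedDevice'

    $DefaultPerms = Get-NamedValue -Object $AuthorizationPolicy -Name 'DefaultUserRolePermissions'
    $Value = Get-NamedValue -Object $DefaultPerms -Name $Name
    if ($null -ne $Value) { return $Value }

    # Fallback for responses where the SDK did not bind the nested object.
    $Additional = Get-NamedValue -Object $AuthorizationPolicy -Name 'AdditionalProperties'
    $Inner = Get-NamedValue -Object $Additional -Name 'defaultUserRolePermissions'
    return (Get-NamedValue -Object $Inner -Name $Name)
}

function ConvertTo-PolicyBoolean {
    <#
    .SYNOPSIS
        Interprets a policy value as a strict boolean.
    .DESCRIPTION
        A plain [bool] cast is wrong for this purpose: in PowerShell [bool]"False" is $true
        because every non-empty string is truthy, which would turn a compliant tenant into a
        spurious FAIL whenever the value arrives as text. Accepts [bool], the strings
        "true"/"false" (any case, surrounding whitespace ignored) and the integers 0/1.
        Anything else yields $null so the caller can report ERROR instead of guessing.
    .PARAMETER Value
        Raw value read from the policy.
    .OUTPUTS
        $true, $false, or $null when the value cannot be interpreted.
    #>
    param([AllowNull()] [object]$Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [bool]) { return $Value }
    if ($Value -is [string]) {
        switch ($Value.Trim().ToLowerInvariant()) {
            'true'  { return $true }
            'false' { return $false }
        }
        return $null
    }
    if ($Value -is [int] -or $Value -is [long]) {
        if ($Value -eq 0) { return $false }
        if ($Value -eq 1) { return $true }
    }
    return $null
}

function New-CheckResult {
    <#
    .SYNOPSIS
        Builds the result object shared by every exit path of this check.
    .PARAMETER Status
        PASS, FAIL or ERROR.
    .PARAMETER Pass
        $true/$false for PASS/FAIL; $null for ERROR.
    .PARAMETER Evidence
        Additional evidence fields, emitted after AuditCommands and before SourceDocument.
    .PARAMETER ErrorMessage
        Explanation for FAIL/ERROR; $null on PASS.
    .OUTPUTS
        [pscustomobject] with CheckId, Title, Level, BenchmarkType, Status, Pass, Evidence,
        Error and Timestamp.
    #>
    param(
        [Parameter(Mandatory = $true)] [string]$Status,
        [AllowNull()] [object]$Pass,
        [System.Collections.IDictionary]$Evidence = [ordered]@{},
        [AllowNull()] [object]$ErrorMessage
    )
    # [ordered] keeps evidence fields in a stable order for reports and diffs.
    $EvidenceProps = [ordered]@{ AuditCommands = $AuditCommands }
    foreach ($Key in @($Evidence.Keys)) { $EvidenceProps[$Key] = $Evidence[$Key] }
    $EvidenceProps['SourceDocument'] = $SourceDocument

    [pscustomobject]@{
        CheckId       = $CheckId
        Title         = $Title
        Level         = $Level
        BenchmarkType = $BenchmarkType
        Status        = $Status
        Pass          = $Pass
        Evidence      = [pscustomobject]$EvidenceProps
        Error         = $ErrorMessage
        Timestamp     = Get-Date
    }
}

function Invoke-Check {
    <#
    .SYNOPSIS
        Runs the audit and returns a single result object.
    .DESCRIPTION
        PASS only when AllowedToReadBitlockerKeysForOwnedDevice is explicitly $false.
        A missing cmdlet, empty response, absent value, uninterpretable value or any
        exception is reported as ERROR rather than PASS.
    #>
    try {
        if (-not (Get-Command -Name Get-MgPolicyAuthorizationPolicy -ErrorAction SilentlyContinue)) {
            return (New-CheckResult -Status 'ERROR' -Pass $null `
                -ErrorMessage 'Get-MgPolicyAuthorizationPolicy cmdlet is unavailable in the current session.')
        }

        $AuthPolicy = Get-MgPolicyAuthorizationPolicy
        if ($null -eq $AuthPolicy) {
            return (New-CheckResult -Status 'ERROR' -Pass $null `
                -ErrorMessage 'Get-MgPolicyAuthorizationPolicy returned no result.')
        }

        $AllowedRaw = Get-AllowedToReadBitlockerKeysForOwnedDeviceValue -AuthorizationPolicy $AuthPolicy
        if ($null -eq $AllowedRaw) {
            return (New-CheckResult -Status 'ERROR' -Pass $null `
                -Evidence ([ordered]@{ AuthorizationPolicy = $AuthPolicy }) `
                -ErrorMessage 'AllowedToReadBitlockerKeysForOwnedDevice value was not found in DefaultUserRolePermissions.')
        }

        $Allowed = ConvertTo-PolicyBoolean -Value $AllowedRaw
        if ($null -eq $Allowed) {
            return (New-CheckResult -Status 'ERROR' -Pass $null `
                -Evidence ([ordered]@{ RawAllowedToReadBitlockerKeysForOwnedDevice = $AllowedRaw }) `
                -ErrorMessage "AllowedToReadBitlockerKeysForOwnedDevice value '$AllowedRaw' could not be interpreted as a boolean.")
        }

        # Compliant only when the self-service permission is off.
        $Pass = (-not $Allowed)
        $Evidence = [ordered]@{
            AllowedToReadBitlockerKeysForOwnedDevice    = $Allowed
            RawAllowedToReadBitlockerKeysForOwnedDevice = $AllowedRaw
            RecommendedState                            = "AllowedToReadBitlockerKeysForOwnedDevice = False"
        }
        if ($Pass) {
            return (New-CheckResult -Status 'PASS' -Pass $true -Evidence $Evidence -ErrorMessage $null)
        }
        return (New-CheckResult -Status 'FAIL' -Pass $false -Evidence $Evidence `
            -ErrorMessage 'AllowedToReadBitlockerKeysForOwnedDevice is True (users can recover BitLocker keys for owned devices).')
    }
    catch {
        return (New-CheckResult -Status 'ERROR' -Pass $null -ErrorMessage $_.Exception.Message)
    }
}

Invoke-Check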