frontend updates

Author: KelvinTegelaar

Modules/CIPPCore/Public/Add-CippTestResult.ps1

@@ -47,7 +47,7 @@ function Add-CippTestResult {
         [Parameter(Mandatory = $true)]
         [string]$TestId,
 
-        [Parameter(Mandatory = $true)]
+        [Parameter(Mandatory = $false)]
         [string]$testType = 'identity',
 
         [Parameter(Mandatory = $true)]

Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Invoke-ListTests.ps1

@@ -93,6 +93,23 @@ function Invoke-ListTests {
         $IdentityResults = $TestResultsData.TestResults | Where-Object { $_.TestType -eq 'Identity' }
         $DeviceResults = $TestResultsData.TestResults | Where-Object { $_.TestType -eq 'Devices' }
 
+        # Add descriptions from markdown files to each test result
+        foreach ($TestResult in $TestResultsData.TestResults) {
+            $MdFile = Get-ChildItem -Path 'Modules\CIPPCore\Public\Tests' -Filter "*$($TestResult.RowKey).md" -Recurse -ErrorAction SilentlyContinue | Select-Object -First 1
+            if ($MdFile) {
+                try {
+                    $MdContent = Get-Content $MdFile.FullName -Raw -ErrorAction SilentlyContinue
+                    if ($MdContent) {
+                        $Description = ($MdContent -split '<!--- Results --->')[0].Trim()
+                        $Description = ($Description -split '%TestResult%')[0].Trim()
+                        $TestResult | Add-Member -NotePropertyName 'Description' -NotePropertyValue $Description -Force
+                    }
+                } catch {
+                    #Test
+                }
+            }
+        }
+
         $TestCounts = @{
             Identity = @{
                 Passed      = @($IdentityResults | Where-Object { $_.Status -eq 'Passed' }).Count

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24518.md

@@ -0,0 +1,9 @@
+Without owners, enterprise applications become orphaned assets that threat actors can exploit through credential harvesting and privilege escalation techniques, as these applications often retain elevated permissions and access to sensitive resources while lacking proper oversight and security governance. The elevation of privilege to owners can raise a security concern in some cases depending on the application's permissions, but more critically, applications without owner create a blind spot in security monitoring where threat actors can establish persistence by leveraging existing application permissions to access data or create backdoor accounts without triggering ownership-based detection mechanisms. When applications lack owners, security teams cannot effectively conduct application lifecycle management, leaving applications with potentially excessive permissions, outdated configurations, or compromised credentials that threat actors can discover through enumeration techniques and exploit to move laterally within the environment. The absence of ownership also prevents proper access reviews and permission audits, allowing threat actors to maintain long-term access through applications that should have been decommissioned or had their permissions reduced, ultimately providing persistent access vectors that can be leveraged for data exfiltration or further compromise of the environment.
+
+
+**Remediation action**
+
+- [Assign owners to the application](https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-app-owners?pivots=portal)
+
+<!--- Results --->
+%TestResult%

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24540.md

@@ -0,0 +1,18 @@
+If policies for Windows Firewall aren't configured and assigned, threat actors can exploit unprotected endpoints to gain unauthorized access, move laterally, and escalate privileges within the environment. Without enforced firewall rules, attackers can bypass network segmentation, exfiltrate data, or deploy malware, increasing the risk of widespread compromise.
+
+Enforcing Windows Firewall policies ensures consistent application of inbound and outbound traffic controls, reducing exposure to unauthorized access and supporting Zero Trust through network segmentation and device-level protection.
+
+**Remediation action**
+
+Configure and assign firewall policies for Windows in Intune to block unauthorized traffic and enforce consistent network protections across all managed devices:
+
+- [Configure firewall policies for Windows devices](https://learn.microsoft.com/intune/intune-service/protect/endpoint-security-firewall-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci). Intune uses two complementary profiles to manage firewall settings:
+  - **Windows Firewall** - Use this profile to configure overall firewall behavior based on network type.
+  - **Windows Firewall rules** - Use this profile to define traffic rules for apps, ports, or IPs, tailored to specific groups or workloads. This Intune profile also supports use of [reusable settings groups](https://learn.microsoft.com/intune/intune-service/protect/endpoint-security-firewall-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#add-reusable-settings-groups-to-profiles-for-firewall-rules) to help simplify management of common settings you use for different profile instances.
+- [Assign policies in Intune](https://learn.microsoft.com/intune/intune-service/configuration/device-profile-assign?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#assign-a-policy-to-users-or-groups)
+
+For more information, see:  
+- [Available Windows Firewall settings](https://learn.microsoft.com/intune/intune-service/protect/endpoint-security-firewall-profile-settings?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#windows-firewall-profile)
+<!--- Results --->
+%TestResult%
+

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24541.md

@@ -0,0 +1,11 @@
+If compliance policies for Windows devices aren't configured and assigned, threat actors can exploit unmanaged or noncompliant endpoints to gain unauthorized access to corporate resources, bypass security controls, and persist within the environment. Without enforced compliance, devices can lack critical security configurations like BitLocker encryption, password requirements, firewall settings, and OS version controls. These gaps increase the risk of data leakage, privilege escalation, and lateral movement. Inconsistent device compliance weakens the organization’s security posture and makes it harder to detect and remediate threats before significant damage occurs.
+
+Enforcing compliance policies ensures Windows devices meet core security requirements and supports Zero Trust by validating device health and reducing exposure to misconfigured endpoints.
+
+**Remediation action**
+
+Create and assign Intune compliance policies to Windows devices to enforce organizational standards for secure access and management:
+- [Create and assign Intune compliance policies](https://learn.microsoft.com/intune/intune-service/protect/create-compliance-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#create-the-policy)
+- [Review the Windows compliance settings you can manage with Intune](https://learn.microsoft.com/intune/intune-service/protect/compliance-policy-create-windows?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)<!--- Results --->
+%TestResult%
+

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24542.md

@@ -0,0 +1,12 @@
+If compliance policies for macOS devices aren't configured and assigned, threat actors can exploit unmanaged or noncompliant endpoints to gain unauthorized access to corporate resources, bypass security controls, and persist within the environment. Without enforced compliance, macOS devices can lack critical security configurations like data storage encryption, password requirements, and OS version controls. These gaps increase the risk of data leakage, privilege escalation, and lateral movement. Inconsistent device compliance weakens the organization’s security posture and makes it harder to detect and remediate threats before significant damage occurs.
+
+Enforcing compliance policies ensures macOS devices meet core security requirements and supports Zero Trust by validating device health and reducing exposure to misconfigured endpoints.
+
+**Remediation actions**
+
+Create and assign Intune compliance policies to macOS devices to enforce organizational standards for secure access and management:  
+- [Create and assign Intune compliance policies](https://learn.microsoft.com/intune/intune-service/protect/create-compliance-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#create-the-policy)
+- [Review the macOS compliance settings you can manage with Intune](https://learn.microsoft.com/intune/intune-service/protect/compliance-policy-create-mac-os?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)
+<!--- Results --->
+%TestResult%
+

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24543.md

@@ -0,0 +1,12 @@
+If compliance policies aren't assigned to iOS/iPadOS devices in Intune, threat actors can exploit noncompliant endpoints to gain unauthorized access to corporate resources, bypass security controls, and persist in the environment. Without enforced compliance, devices can lack critical security configurations like passcode requirements and OS version controls. These gaps increase the risk of data leakage, privilege escalation, and lateral movement. Inconsistent device compliance weakens the organization’s security posture and makes it harder to detect and remediate threats before significant damage occurs.
+
+Enforcing compliance policies ensures iOS/iPadOS devices meet core security requirements and supports Zero Trust by validating device health and reducing exposure to misconfigured or unmanaged endpoints.
+
+**Remediation action**
+
+Create and assign Intune compliance policies to iOS/iPadOS devices to enforce organizational standards for secure access and management:  
+- [Create a compliance policy in Microsoft Intune](https://learn.microsoft.com/intune/intune-service/protect/create-compliance-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#create-the-policy)
+- [Review the iOS/iPadOS compliance settings you can manage with Intune](https://learn.microsoft.com/intune/intune-service/protect/compliance-policy-create-ios?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)
+<!--- Results --->
+%TestResult%
+

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24545.md

@@ -0,0 +1,11 @@
+If compliance policies aren't assigned to fully managed Android Enterprise devices in Intune, threat actors can exploit noncompliant endpoints to gain unauthorized access to corporate resources, bypass security controls, and persist in the environment. Without enforced compliance, devices can lack critical security configurations such as passcode requirements, data storage encryption, and OS version controls. These gaps increase the risk of data leakage, privilege escalation, and lateral movement. Inconsistent device compliance weakens the organization’s security posture and makes it harder to detect and remediate threats before significant damage occurs.
+
+Enforcing compliance policies ensures Android Enterprise devices meet core security requirements and supports Zero Trust by validating device health and reducing exposure to misconfigured or unmanaged endpoints.
+
+**Remediation action**
+
+Create and assign Intune compliance policies to fully managed and corporate-owned Android Enterprise devices to enforce organizational standards for secure access and management:  
+- [Create a compliance policy in Microsoft Intune](https://learn.microsoft.com/intune/intune-service/protect/create-compliance-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#create-the-policy)
+- [Review the Android Enterprise compliance settings you can manage with Intune](https://learn.microsoft.com/intune/intune-service/protect/compliance-policy-create-android-for-work?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)<!--- Results --->
+%TestResult%
+

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24546.md

@@ -0,0 +1,14 @@
+If Windows automatic enrollment isn't enabled, unmanaged devices can become an entry point for attackers. Threat actors might use these devices to access corporate data, bypass compliance policies, and introduce vulnerabilities into the environment. Devices joined to Microsoft Entra without Intune enrollment create gaps in visibility and control. These unmanaged endpoints can expose weaknesses in the operating system or misconfigured applications that attackers can exploit.
+
+Enforcing automatic enrollment ensures Windows devices are managed from the start, enabling consistent policy enforcement and visibility into compliance. This supports Zero Trust by ensuring all devices are verified, monitored, and governed by security controls.
+
+**Remediation action**
+
+Enable automatic enrollment for Windows devices using Intune and Microsoft Entra to ensure all domain-joined or Entra-joined devices are managed:  
+- [Enable Windows automatic enrollment](https://learn.microsoft.com/intune/intune-service/enrollment/windows-enroll?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#enable-windows-automatic-enrollment)
+
+For more information, see:  
+- [Deployment guide - Enrollment for Windows](https://learn.microsoft.com/intune/intune-service/fundamentals/deployment-guide-enroll?tabs=work-profile%2Ccorporate-owned-apple%2Cautomatic-enrollment&wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#enrollment-for-windows)
+<!--- Results --->
+%TestResult%
+

Modules/CIPPCore/Public/Tests/ZTNA/Devices/Invoke-CippTestZTNA24547.md

@@ -0,0 +1,12 @@
+If compliance policies aren't assigned to Android Enterprise personally owned devices in Intune, threat actors can exploit noncompliant endpoints to gain unauthorized access to corporate resources, bypass security controls, and introduce vulnerabilities. Without enforced compliance, devices can lack critical security configurations like passcode requirements, data storage encryption, and OS version controls. These gaps increase the risk of data leakage and unauthorized access. Inconsistent device compliance weakens the organization’s security posture and makes it harder to detect and remediate threats before significant damage occurs.
+
+Enforcing compliance policies ensures that personally owned Android devices meet core security requirements and supports Zero Trust by validating device health and reducing exposure to misconfigured or unmanaged endpoints.
+
+**Remediation action**
+
+Create and assign Intune compliance policies to Android Enterprise personally owned devices to enforce organizational standards for secure access and management:  
+- [Create a compliance policy in Microsoft Intune](https://learn.microsoft.com/intune/intune-service/protect/create-compliance-policy?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci#create-the-policy)
+- [Review the Android Enterprise compliance settings you can manage with Intune](https://learn.microsoft.com/intune/intune-service/protect/compliance-policy-create-android-for-work?wt.mc_id=zerotrustrecommendations_automation_content_cnl_csasci)
+<!--- Results --->
+%TestResult%
+