bmsimp
diff --git a/‎Modules/CIPPCore/Public/Set-CIPPDBCacheIntunePolicies.ps1‎
Lines changed: 31 additions & 11 deletions b/‎Modules/CIPPCore/Public/Set-CIPPDBCacheIntunePolicies.ps1‎
Lines changed: 31 additions & 11 deletions
diff --git a/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24540.ps1‎
Lines changed: 68 additions & 0 deletions b/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24540.ps1‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24550.ps1‎
Lines changed: 92 additions & 0 deletions b/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24550.ps1‎
Lines changed: 92 additions & 0 deletions
diff --git a/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24552.ps1‎
Lines changed: 89 additions & 0 deletions b/‎Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24552.ps1‎
Lines changed: 89 additions & 0 deletions
@@ -23,23 +23,43 @@ function Set-CIPPDBCacheIntunePolicies {
         Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message 'Caching Intune policies' -sev Info
 
         $PolicyTypes = @(
-            @{ Type = 'DeviceCompliancePolicies'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies?$top=999' }
-            @{ Type = 'DeviceConfigurations'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations?$top=999' }
-            @{ Type = 'ConfigurationPolicies'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies?$top=999' }
-            @{ Type = 'GroupPolicyConfigurations'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations?$top=999' }
-            @{ Type = 'MobileAppConfigurations'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/mobileAppConfigurations?$top=999' }
-            @{ Type = 'AppProtectionPolicies'; Uri = 'https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies?$top=999' }
-            @{ Type = 'WindowsAutopilotDeploymentProfiles'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles?$top=999' }
-            @{ Type = 'DeviceEnrollmentConfigurations'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations?$top=999' }
-            @{ Type = 'DeviceManagementScripts'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts?$top=999' }
-            @{ Type = 'MobileApps'; Uri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps?$top=999' }
+            @{ Type = 'DeviceCompliancePolicies'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies'; SupportsExpand = $true }
+            @{ Type = 'DeviceConfigurations'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'; SupportsExpand = $true }
+            @{ Type = 'ConfigurationPolicies'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/configurationPolicies'; SupportsExpand = $true; ExpandSettings = $true }
+            @{ Type = 'GroupPolicyConfigurations'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations'; SupportsExpand = $true }
+            @{ Type = 'MobileAppConfigurations'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/mobileAppConfigurations'; SupportsExpand = $true }
+            @{ Type = 'AppProtectionPolicies'; Uri = 'https://graph.microsoft.com/beta/deviceAppManagement/managedAppPolicies'; SupportsExpand = $false }
+            @{ Type = 'WindowsAutopilotDeploymentProfiles'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles'; SupportsExpand = $true }
+            @{ Type = 'DeviceEnrollmentConfigurations'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations'; SupportsExpand = $false }
+            @{ Type = 'DeviceManagementScripts'; Uri = 'https://graph.microsoft.com/beta/deviceManagement/deviceManagementScripts'; SupportsExpand = $true }
+            @{ Type = 'MobileApps'; Uri = 'https://graph.microsoft.com/beta/deviceAppManagement/mobileApps'; SupportsExpand = $false }
         )
 
         foreach ($PolicyType in $PolicyTypes) {
             try {
-                $Policies = New-GraphGetRequest -uri $PolicyType.Uri -tenantid $TenantFilter
+                $UriWithParams = $PolicyType.Uri + '?$top=999'
+                if ($PolicyType.SupportsExpand) {
+                    $UriWithParams += '&$expand=assignments'
+                }
+                if ($PolicyType.ExpandSettings) {
+                    $UriWithParams += ',settings'
+                }
+
+                $Policies = New-GraphGetRequest -uri $UriWithParams -tenantid $TenantFilter
 
                 if ($Policies) {
+                    if (-not $PolicyType.SupportsExpand) {
+                        foreach ($Policy in $Policies) {
+                            try {
+                                $AssignmentUri = "$($PolicyType.Uri)/$($Policy.id)/assignments"
+                                $Assignments = New-GraphGetRequest -uri $AssignmentUri -tenantid $TenantFilter
+                                $Policy | Add-Member -NotePropertyName 'assignments' -NotePropertyValue $Assignments -Force
+                            } catch {
+                                Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Failed to get assignments for $($Policy.id): $($_.Exception.Message)" -sev Verbose
+                            }
+                        }
+                    }
+
                     Add-CIPPDbItem -TenantFilter $TenantFilter -Type "Intune$($PolicyType.Type)" -Data $Policies
                     Add-CIPPDbItem -TenantFilter $TenantFilter -Type "Intune$($PolicyType.Type)" -Data $Policies -Count
                     Write-LogMessage -API 'CIPPDBCache' -tenant $TenantFilter -message "Cached $($Policies.Count) $($PolicyType.Type)" -sev Info
 
@@ -0,0 +1,68 @@
+function Invoke-CippTestZTNA24540 {
+    param($Tenant)
+
+    try {
+        $ConfigurationPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneConfigurationPolicies'
+        if (-not $ConfigurationPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24540' -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune configuration policies not found in database' -Risk 'High' -Name 'Windows Firewall policies protect against unauthorized network access' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $FirewallPolicies = $ConfigurationPolicies | Where-Object {
+            $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall'
+        }
+
+        if ($FirewallPolicies.Count -eq 0) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24540' -TestType 'Devices' -Status 'Failed' -ResultMarkdown 'No Windows Firewall configuration policies found' -Risk 'High' -Name 'Windows Firewall policies protect against unauthorized network access' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $AssignedPolicies = $FirewallPolicies | Where-Object {
+            $_.assignments -and $_.assignments.Count -gt 0
+        }
+
+        if ($AssignedPolicies.Count -gt 0) {
+            $Status = 'Passed'
+            $ResultLines = @(
+                'At least one Windows Firewall policy is created and assigned to a group.'
+                ''
+                '**Windows Firewall Configuration Policies:**'
+                ''
+                '| Policy Name | Status | Assignment Count |'
+                '| :---------- | :----- | :--------------- |'
+            )
+
+            foreach ($Policy in $FirewallPolicies) {
+                $PolicyStatus = if ($Policy.assignments -and $Policy.assignments.Count -gt 0) {
+                    '✅ Assigned'
+                } else {
+                    '❌ Not assigned'
+                }
+                $AssignmentCount = if ($Policy.assignments) { $Policy.assignments.Count } else { 0 }
+                $ResultLines += "| $($Policy.name) | $PolicyStatus | $AssignmentCount |"
+            }
+
+            $Result = $ResultLines -join "`n"
+        } else {
+            $Status = 'Failed'
+            $ResultLines = @(
+                'There are no firewall policies assigned to any groups.'
+                ''
+                '**Windows Firewall Configuration Policies (Unassigned):**'
+                ''
+            )
+
+            foreach ($Policy in $FirewallPolicies) {
+                $ResultLines += "- $($Policy.name)"
+            }
+
+            $Result = $ResultLines -join "`n"
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24540' -TestType 'Devices' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name 'Windows Firewall policies protect against unauthorized network access' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Device'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24540' -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Windows Firewall policies protect against unauthorized network access' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Device'
+    }
+}
@@ -0,0 +1,92 @@
+function Invoke-CippTestZTNA24550 {
+    param($Tenant)
+
+    try {
+        $ConfigurationPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneConfigurationPolicies'
+        if (-not $ConfigurationPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24550' -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune configuration policies not found in database' -Risk 'High' -Name 'Data on Windows is protected by BitLocker encryption' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $WindowsPolicies = $ConfigurationPolicies | Where-Object {
+            $_.platforms -match 'windows10'
+        }
+
+        $WindowsBitLockerPolicies = @()
+        foreach ($WindowsPolicy in $WindowsPolicies) {
+            $ValidSettingValues = @('device_vendor_msft_bitlocker_requiredeviceencryption_1')
+
+            if ($WindowsPolicy.settings.settinginstance.choicesettingvalue.value) {
+                $PolicySettingValues = $WindowsPolicy.settings.settinginstance.choicesettingvalue.value
+                if ($PolicySettingValues -isnot [array]) {
+                    $PolicySettingValues = @($PolicySettingValues)
+                }
+
+                $HasValidSetting = $false
+                foreach ($SettingValue in $PolicySettingValues) {
+                    if ($ValidSettingValues -contains $SettingValue) {
+                        $HasValidSetting = $true
+                        break
+                    }
+                }
+
+                if ($HasValidSetting) {
+                    $WindowsBitLockerPolicies += $WindowsPolicy
+                }
+            }
+        }
+
+        $AssignedPolicies = $WindowsBitLockerPolicies | Where-Object {
+            $_.assignments -and $_.assignments.Count -gt 0
+        }
+
+        if ($AssignedPolicies.Count -gt 0) {
+            $Status = 'Passed'
+            $ResultLines = @(
+                "At least one Windows BitLocker policy is configured and assigned."
+                ''
+                "**Windows BitLocker Policies:**"
+                ''
+                "| Policy Name | Status | Assignment Count |"
+                "| :---------- | :----- | :--------------- |"
+            )
+
+            foreach ($Policy in $WindowsBitLockerPolicies) {
+                $PolicyStatus = if ($Policy.assignments -and $Policy.assignments.Count -gt 0) {
+                    '✅ Assigned'
+                } else {
+                    '❌ Not assigned'
+                }
+                $AssignmentCount = if ($Policy.assignments) { $Policy.assignments.Count } else { 0 }
+                $ResultLines += "| $($Policy.name) | $PolicyStatus | $AssignmentCount |"
+            }
+
+            $Result = $ResultLines -join "`n"
+        }
+        else {
+            $Status = 'Failed'
+            if ($WindowsBitLockerPolicies.Count -gt 0) {
+                $ResultLines = @(
+                    "Windows BitLocker policies exist but none are assigned."
+                    ''
+                    "**Unassigned BitLocker Policies:**"
+                    ''
+                )
+                foreach ($Policy in $WindowsBitLockerPolicies) {
+                    $ResultLines += "- $($Policy.name)"
+                }
+            }
+            else {
+                $ResultLines = @("No Windows BitLocker policy is configured or assigned.")
+            }
+            $Result = $ResultLines -join "`n"
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24550' -TestType 'Devices' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name 'Data on Windows is protected by BitLocker encryption' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+    }
+    catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24550' -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Data on Windows is protected by BitLocker encryption' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+    }
+}
@@ -0,0 +1,89 @@
+function Invoke-CippTestZTNA24552 {
+    param($Tenant)
+
+    try {
+        $ConfigurationPolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneConfigurationPolicies'
+        if (-not $ConfigurationPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24552' -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune configuration policies not found in database' -Risk 'High' -Name 'Data on macOS is protected by firewall' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $MacOSPolicies = $ConfigurationPolicies | Where-Object {
+            $_.platforms -match 'macOS'
+        }
+
+        $MacOSFirewallPolicies = @()
+        foreach ($MacOSPolicy in $MacOSPolicies) {
+            $ValidSettingValues = @('com.apple.security.firewall_enablefirewall_true')
+
+            if ($MacOSPolicy.settings.settinginstance.choicesettingvalue.value) {
+                $PolicySettingValues = $MacOSPolicy.settings.settinginstance.choicesettingvalue.value
+                if ($PolicySettingValues -isnot [array]) {
+                    $PolicySettingValues = @($PolicySettingValues)
+                }
+
+                $HasValidSetting = $false
+                foreach ($SettingValue in $PolicySettingValues) {
+                    if ($ValidSettingValues -contains $SettingValue) {
+                        $HasValidSetting = $true
+                        break
+                    }
+                }
+
+                if ($HasValidSetting) {
+                    $MacOSFirewallPolicies += $MacOSPolicy
+                }
+            }
+        }
+
+        $AssignedPolicies = $MacOSFirewallPolicies | Where-Object {
+            $_.assignments -and $_.assignments.Count -gt 0
+        }
+
+        if ($AssignedPolicies.Count -gt 0) {
+            $Status = 'Passed'
+            $ResultLines = @(
+                'At least one macOS Firewall policy is configured and assigned.'
+                ''
+                '**macOS Firewall Policies:**'
+                ''
+                '| Policy Name | Status | Assignment Count |'
+                '| :---------- | :----- | :--------------- |'
+            )
+
+            foreach ($Policy in $MacOSFirewallPolicies) {
+                $PolicyStatus = if ($Policy.assignments -and $Policy.assignments.Count -gt 0) {
+                    '✅ Assigned'
+                } else {
+                    '❌ Not assigned'
+                }
+                $AssignmentCount = if ($Policy.assignments) { $Policy.assignments.Count } else { 0 }
+                $ResultLines += "| $($Policy.name) | $PolicyStatus | $AssignmentCount |"
+            }
+
+            $Result = $ResultLines -join "`n"
+        } else {
+            $Status = 'Failed'
+            if ($MacOSFirewallPolicies.Count -gt 0) {
+                $ResultLines = @(
+                    'macOS Firewall policies exist but none are assigned.'
+                    ''
+                    '**Unassigned Firewall Policies:**'
+                    ''
+                )
+                foreach ($Policy in $MacOSFirewallPolicies) {
+                    $ResultLines += "- $($Policy.name)"
+                }
+            } else {
+                $ResultLines = @('No macOS Firewall policy is configured or assigned.')
+            }
+            $Result = $ResultLines -join "`n"
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24552' -TestType 'Devices' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name 'Data on macOS is protected by firewall' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'ZTNA24552' -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Data on macOS is protected by firewall' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+    }
+}