Tests

Author: KelvinTegelaar

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24541.ps1

@@ -0,0 +1,44 @@
+function Invoke-CippTestZTNA24541 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24541'
+
+    try {
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+
+        if (-not $IntunePolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect Windows devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $WindowsPolicies = @($IntunePolicies | Where-Object {
+            $_.'@odata.type' -in @('#microsoft.graph.windows10CompliancePolicy', '#microsoft.graph.windows11CompliancePolicy')
+        })
+
+        $AssignedPolicies = @($WindowsPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one Windows compliance policy exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No Windows compliance policy exists or none are assigned.`n`n"
+        }
+
+        $ResultMarkdown += "## Windows Compliance Policies`n`n"
+        $ResultMarkdown += "| Policy Name | Assigned |`n"
+        $ResultMarkdown += "| :---------- | :------- |`n"
+
+        foreach ($policy in $WindowsPolicies) {
+            $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+            $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Compliance policies protect Windows devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Compliance policies protect Windows devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24542.ps1

@@ -0,0 +1,41 @@
+function Invoke-CippTestZTNA24542 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24542'
+
+    try {
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+
+        if (-not $IntunePolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect macOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $MacOSPolicies = @($IntunePolicies | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.macOSCompliancePolicy' })
+        $AssignedPolicies = @($MacOSPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one macOS compliance policy exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No macOS compliance policy exists or none are assigned.`n`n"
+        }
+
+        $ResultMarkdown += "## macOS Compliance Policies`n`n"
+        $ResultMarkdown += "| Policy Name | Assigned |`n"
+        $ResultMarkdown += "| :---------- | :------- |`n"
+
+        foreach ($policy in $MacOSPolicies) {
+            $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+            $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Compliance policies protect macOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Compliance policies protect macOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24543.ps1

@@ -0,0 +1,41 @@
+function Invoke-CippTestZTNA24543 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24543'
+
+    try {
+        $IntunePolicies = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntunePolicies'
+
+        if (-not $IntunePolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Intune policies not found in database' -Risk 'High' -Name 'Compliance policies protect iOS/iPadOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $iOSPolicies = @($IntunePolicies | Where-Object { $_.'@odata.type' -eq '#microsoft.graph.iosCompliancePolicy' })
+        $AssignedPolicies = @($iOSPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one iOS/iPadOS compliance policy exists and is assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No iOS/iPadOS compliance policy exists or none are assigned.`n`n"
+        }
+
+        $ResultMarkdown += "## iOS/iPadOS Compliance Policies`n`n"
+        $ResultMarkdown += "| Policy Name | Assigned |`n"
+        $ResultMarkdown += "| :---------- | :------- |`n"
+
+        foreach ($policy in $iOSPolicies) {
+            $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+            $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'Compliance policies protect iOS/iPadOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Compliance policies protect iOS/iPadOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24569.ps1

@@ -0,0 +1,50 @@
+function Invoke-CippTestZTNA24569 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24569'
+
+    try {
+        $DeviceConfigs = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceConfigurations'
+
+        if (-not $DeviceConfigs) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Device configurations not found in database' -Risk 'High' -Name 'FileVault encryption protects data on macOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $MacOSEndpointProtectionPolicies = @($DeviceConfigs | Where-Object {
+                $_.'@odata.type' -eq '#microsoft.graph.macOSEndpointProtectionConfiguration'
+            })
+
+        $FileVaultEnabledPolicies = @($MacOSEndpointProtectionPolicies | Where-Object { $_.fileVaultEnabled -eq $true })
+        $AssignedFileVaultPolicies = @($FileVaultEnabledPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedFileVaultPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ macOS FileVault encryption policies are configured and assigned in Intune.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No relevant macOS FileVault encryption policies are configured or assigned.`n`n"
+        }
+
+        if ($FileVaultEnabledPolicies.Count -gt 0) {
+            $ResultMarkdown += "## macOS FileVault Policies`n`n"
+            $ResultMarkdown += "| Policy Name | FileVault Enabled | Assigned |`n"
+            $ResultMarkdown += "| :---------- | :---------------- | :------- |`n"
+
+            foreach ($policy in $FileVaultEnabledPolicies) {
+                $fileVault = if ($policy.fileVaultEnabled -eq $true) { '✅ Yes' } else { '❌ No' }
+                $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+                $ResultMarkdown += "| $($policy.displayName) | $fileVault | $assigned |`n"
+            }
+        } else {
+            $ResultMarkdown += "No macOS Endpoint Protection policies with FileVault settings found.`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'High' -Name 'FileVault encryption protects data on macOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Device'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'FileVault encryption protects data on macOS devices' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Device'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24572.ps1

@@ -0,0 +1,47 @@
+function Invoke-CippTestZTNA24572 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24572'
+
+    try {
+        $EnrollmentConfigs = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceEnrollmentConfigurations'
+
+        if (-not $EnrollmentConfigs) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Device enrollment configurations not found in database' -Risk 'Medium' -Name 'Device enrollment notifications are enforced to ensure user awareness and secure onboarding' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $EnrollmentNotifications = @($EnrollmentConfigs | Where-Object {
+            $_.'@odata.type' -eq '#microsoft.graph.windowsEnrollmentStatusScreenSettings' -or
+            $_.'deviceEnrollmentConfigurationType' -eq 'EnrollmentNotificationsConfiguration'
+        })
+
+        $AssignedNotifications = @($EnrollmentNotifications | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedNotifications.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ At least one device enrollment notification is configured and assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ No device enrollment notification is configured or assigned in Intune.`n`n"
+        }
+
+        if ($EnrollmentNotifications.Count -gt 0) {
+            $ResultMarkdown += "## Device Enrollment Notifications`n`n"
+            $ResultMarkdown += "| Policy Name | Assigned |`n"
+            $ResultMarkdown += "| :---------- | :------- |`n"
+
+            foreach ($policy in $EnrollmentNotifications) {
+                $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+                $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+            }
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'Medium' -Name 'Device enrollment notifications are enforced to ensure user awareness and secure onboarding' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'Medium' -Name 'Device enrollment notifications are enforced to ensure user awareness and secure onboarding' -UserImpact 'Medium' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}

Modules/CIPPCore/Public/Tests/Invoke-CippTestZTNA24576.ps1

@@ -0,0 +1,48 @@
+function Invoke-CippTestZTNA24576 {
+    param($Tenant)
+
+    $TestId = 'ZTNA24576'
+
+    try {
+        $DeviceConfigs = New-CIPPDbRequest -TenantFilter $Tenant -Type 'IntuneDeviceConfigurations'
+
+        if (-not $DeviceConfigs) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Investigate' -ResultMarkdown 'Device configurations not found in database' -Risk 'Low' -Name 'Endpoint Analytics is enabled to help identify risks on Windows devices' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+            return
+        }
+
+        $WindowsHealthMonitoringPolicies = @($DeviceConfigs | Where-Object { 
+                $_.'@odata.type' -eq '#microsoft.graph.windowsHealthMonitoringConfiguration' 
+            })
+        
+        $AssignedPolicies = @($WindowsHealthMonitoringPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+        $Passed = $AssignedPolicies.Count -gt 0
+
+        if ($Passed) {
+            $ResultMarkdown = "✅ An Endpoint analytics policy is created and assigned.`n`n"
+        } else {
+            $ResultMarkdown = "❌ Endpoint analytics policy is not created or not assigned.`n`n"
+        }
+
+        if ($WindowsHealthMonitoringPolicies.Count -gt 0) {
+            $ResultMarkdown += "## Endpoint Analytics Policies`n`n"
+            $ResultMarkdown += "| Policy Name | Assigned |`n"
+            $ResultMarkdown += "| :---------- | :------- |`n"
+
+            foreach ($policy in $WindowsHealthMonitoringPolicies) {
+                $assigned = if ($policy.assignments -and $policy.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+                $ResultMarkdown += "| $($policy.displayName) | $assigned |`n"
+            }
+        } else {
+            $ResultMarkdown += "No Endpoint Analytics policies found in this tenant.`n"
+        }
+
+        $Status = if ($Passed) { 'Passed' } else { 'Failed' }
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $ResultMarkdown -Risk 'Low' -Name 'Endpoint Analytics is enabled to help identify risks on Windows devices' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Error running test: $($ErrorMessage.NormalizedError)" -Risk 'Low' -Name 'Endpoint Analytics is enabled to help identify risks on Windows devices' -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Tenant'
+    }
+}