Merge pull request #727 from HenrikPiecha/add-intune-platform-tests

Add intune platform tests

Author: merill

powershell/Maester.psd1

@@ -156,6 +156,7 @@ FunctionsToExport = 'Add-MtTestResultDetail', 'Clear-MtGraphCache', 'Connect-Mae
                'Test-MtCisZAP',
                'Test-MtConditionalAccessWhatIf',
                'Test-MtConnection',
+               'Test-MtDeviceCleanupSettings', 'Test-MtDeviceComplianceSettings',
                'Test-MtEidscaControl',
                'Test-MtPimAlertsExists', 'Test-MtPrivPermanentDirectoryRole',
                'Update-MaesterTests', 'Compare-MtTestResult',  'Get-MailAuthenticationRecord',

powershell/public/maester/intune/Test-MtDeviceCleanupSettings.md

@@ -0,0 +1,23 @@
+Ensure device clean-up rule is configured
+
+This test checks if the device clean-up rule is configured.
+
+Set your Intune device cleanup rules to delete Intune MDM enrolled devices that appear inactive, stale, or unresponsive. Intune applies cleanup rules immediately and continuously so that your device records remain current.
+
+#### Remediation action:
+
+To enable device clean-up rules:
+1. Navigate to Microsoft Intune admin center [https://intune.microsoft.com](https://intune.microsoft.com).
+2. Click **Devices** scroll down to **Organize devices**.
+3. Select **Device clean-up rules**.
+4. Set **Delete devices based on last check-in date** to **Yes**
+5. Set **Delete devices that haven’t checked in for this many days** to **30 days or more** depending on your organizational needs.
+6. Click **Save**.
+
+#### Related links
+
+* [Microsoft 365 Admin Center](https://admin.microsoft.com)
+* [Microsoft Intune - Device clean-up rules](https://intune.microsoft.com/?ref=AdminCenter#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/deviceCleanUp)
+
+<!--- Results --->
+%TestResult%

powershell/public/maester/intune/Test-MtDeviceCleanupSettings.ps1

@@ -0,0 +1,41 @@
+<#
+.SYNOPSIS
+    Ensure device clean-up rule is configured
+
+.DESCRIPTION
+    The device clean-up rule should be configured
+
+.EXAMPLE
+    Test-MtManagedDeviceCleanupSettings
+
+    Returns true if the device clean-up rule is configured
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtManagedDeviceCleanupSettings
+#>
+function Test-MtManagedDeviceCleanupSettings {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ((Get-MtLicenseInformation EntraID) -eq "Free") {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
+    $return = $true
+    try {
+        $deviceCleanupSettings = Invoke-MtGraphRequest -RelativeUri "deviceManagement/managedDeviceCleanupSettings" -ApiVersion beta
+        if ((-not $deviceCleanupSettings.deviceInactivityBeforeRetirementInDays) -or ($deviceCleanupSettings.deviceInactivityBeforeRetirementInDays -eq 0)) {
+            $testResultMarkdown = "Your Intune device clean-up rule is not configured."
+            $return = $false
+        } else {
+            $testResultMarkdown = "Well done. Your Intune device clean-up rule is configured to retire inactive devices after $($deviceCleanupSettings.deviceInactivityBeforeRetirementInDays) days."
+        }
+        Add-MtTestResultDetail -Result $testResultMarkdown
+    } catch {
+        $return = $false
+        Write-Error $_.Exception.Message
+    }
+    return $return
+}

powershell/public/maester/intune/Test-MtDeviceComplianceSettings.md

@@ -0,0 +1,22 @@
+Ensure the built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'.
+
+Set your Intune built-in Device Compliance Policy to mark devices with no compliance policy assigned as 'Not compliant'.
+This ensures that new devices that do not have any policies assigned are not compliant per default.
+
+#### Remediation action:
+
+To change the built-in device compliance policy:
+1. Navigate to Microsoft Intune admin center [https://intune.microsoft.com](https://intune.microsoft.com).
+2. Click **Devices** scroll down to **Manage devices**.
+3. Select **Compliance** and Select **Compliance settings**.
+4. Set **Mark devices with no compliance policy assigned as** to **Not compliant**
+5. Click **Save**.
+
+#### Related links
+
+* [Microsoft 365 Admin Center](https://admin.microsoft.com)
+* [Microsoft Intune - Compliance](https://intune.microsoft.com/?ref=AdminCenter#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/compliance)
+* [Compliance policy settings](https://learn.microsoft.com/de-de/mem/intune/protect/device-compliance-get-started#compliance-policy-settings)
+
+<!--- Results --->
+%TestResult%

powershell/public/maester/intune/Test-MtDeviceComplianceSettings.ps1

@@ -0,0 +1,43 @@
+<#
+.SYNOPSIS
+    Ensure the built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'
+
+.DESCRIPTION
+    The built-in Device Compliance Policy should mark devices with no compliance policy assigned as 'Not compliant'
+
+
+.EXAMPLE
+    Test-MtDeviceComplianceSettings
+
+    Returns true if the device compliance settings are configured
+
+.LINK
+    https://maester.dev/docs/commands/Test-MtDeviceComplianceSettings
+#>
+function Test-MtDeviceComplianceSettings {
+    [CmdletBinding()]
+    [OutputType([bool])]
+    param()
+
+    if ((Get-MtLicenseInformation EntraID) -eq "Free") {
+        Add-MtTestResultDetail -SkippedBecause NotLicensedEntraIDP1
+        return $null
+    }
+
+    $return = $true
+    try {
+        $deviceComplianceSettings = Invoke-MtGraphRequest -RelativeUri "deviceManagement/settings" -ApiVersion beta
+        Write-Verbose "Device Compliance Settings: $deviceComplianceSettings"
+        if ($deviceComplianceSettings.secureByDefault -ne $true) {
+            $testResultMarkdown = "Your Intune built-in Device Compliance Policy **incorrectly** marks devices with no compliance policy assigned as 'Compliant'."
+            $return = $false
+        } else {
+            $testResultMarkdown = "Well done. Your Intune built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'."
+        }
+        Add-MtTestResultDetail -Result $testResultMarkdown
+    } catch {
+        $return = $false
+        Write-Error $_.Exception.Message
+    }
+    return $return
+}

tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1

@@ -0,0 +1,15 @@
+Describe "Intune" -Tag "Maester", "Intune", "All" {
+    It "Ensure intune device clean-up rule is configured" -Tag "MT.1053" {
+        $result = Test-MtManagedDeviceCleanupSettings
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "automatic device clean-up rule is configured."
+        }
+    }
+
+    It "Ensure built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'" -Tag "MT.1054" {
+        $result = Test-MtDeviceComplianceSettings
+        if ($null -ne $result) {
+            $result | Should -Be $true -Because "built-in device compliance policy marks devices with no policy assigned as 'Not compliant'."
+        }
+    }
+}

website/docs/sections/permissions.md

@@ -9,3 +9,4 @@
 - **RoleManagement.Read.All**
 - **SharePointTenantSettings.Read.All**
 - **UserAuthenticationMethod.Read.All**
+- **DeviceManagementManagedDevices.Read.All**

website/docs/tests/maester/MT.1053.md

@@ -0,0 +1,25 @@
+---
+title: MT.1053 - Intune automatic device clean-up rule is configured.
+description: Checks if the intune automatic device clean-up rule is configured.
+slug: /tests/MT.1053
+sidebar_class_name: hidden
+---
+
+# Intune automatic device clean-up rule is configured.
+
+## Description
+
+Set your Intune device cleanup rules to delete Intune MDM enrolled devices that appear inactive, stale, or unresponsive. Intune applies cleanup rules immediately and continuously so that your device records remain current.
+
+## How to fix
+
+1. Navigate to Microsoft Intune admin center [https://intune.microsoft.com](https://intune.microsoft.com).
+2. Click **Devices** scroll down to **Organize devices**.
+3. Select **Device clean-up rules**.
+4. Set **Delete devices based on last check-in date** to **Yes**
+5. Set **Delete devices that haven’t checked in for this many days** to **30 days or more** depending on your organizational needs.
+6. Click **Save**.
+
+## Learn more
+* [Microsoft 365 Admin Center](https://admin.microsoft.com)
+* [Microsoft Intune - Device clean-up rules](https://intune.microsoft.com/?ref=AdminCenter#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/deviceCleanUp)

website/docs/tests/maester/MT.1054.md

@@ -0,0 +1,26 @@
+---
+title: MT.1054 - Intune built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'.
+description: Checks if the intune built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'
+slug: /tests/MT.1054
+sidebar_class_name: hidden
+---
+
+# Intune built-in Device Compliance Policy marks devices with no compliance policy assigned as 'Not compliant'.
+
+## Description
+
+Set your Intune built-in Device Compliance Policy to mark devices with no compliance policy assigned as 'Not compliant'.
+This ensures that new devices that do not have any policies assigned are not compliant per default.
+
+## How to fix
+
+1. Navigate to Microsoft Intune admin center [https://intune.microsoft.com](https://intune.microsoft.com).
+2. Click **Devices** scroll down to **Manage devices**.
+3. Select **Compliance** and Select **Compliance settings**.
+4. Set **Mark devices with no compliance policy assigned as** to **Not compliant**
+5. Click **Save**.
+
+## Learn more
+* [Microsoft 365 Admin Center](https://admin.microsoft.com)
+* [Microsoft Intune - Compliance](https://intune.microsoft.com/?ref=AdminCenter#view/Microsoft_Intune_DeviceSettings/DevicesMenu/~/compliance)
+* [Compliance policy settings](https://learn.microsoft.com/de-de/mem/intune/protect/device-compliance-get-started#compliance-policy-settings)