Add MT.1177-MT.1180: LAPS, ASR, App Control, Managed Installer Intune tests#1676
OfirGavish wants to merge 17 commits into
Conversation
…d Managed Installer Rules.
…tests
- MT.1124: Ensure LAPS policy backs up passwords to Entra ID
- MT.1125: Ensure ASR rules configured in Block/Audit mode
- MT.1126: Ensure App Control for Business is configured
- MT.1127: Ensure Managed Installer enabled in App Control

Changes:
- Move functions from functions/ to powershell/public/maester/intune/
- Add companion .md remediation files for each test
- Add FunctionsToExport entries to Maester.psd1
- Renumber from MT.1200-1203 to MT.1124-1127
- PSScriptAnalyzer clean, pester.ps1 5230/5230 passed
Move MT.1124-1127 It blocks into the shared Describe block in Test-MtIntunePlatform.Tests.ps1, matching the upstream Maester pattern. Remove the 4 separate .Tests.ps1 files.
…r365#1017, MT.1147 by f-bader)
Pull request overview
Adds four new Maester Intune Endpoint Security tests (MT.1148–MT.1151) that query deviceManagement/configurationPolicies and validate specific CSP-backed settings for LAPS, ASR Rules, App Control for Business, and Managed Installer, along with remediation docs and module/test wiring.
Changes:
- Added 4 new Intune test functions plus corresponding remediation markdown docs.
- Exported the new functions from the PowerShell module manifest.
- Added 4 new Pester `It` blocks to execute the tests in the Intune platform suite.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1 | Adds MT.1148–MT.1151 Pester entries |
| powershell/public/maester/intune/Test-MtIntuneLAPSConfiguration.ps1 | New test for LAPS Entra ID password backup |
| powershell/public/maester/intune/Test-MtIntuneLAPSConfiguration.md | New remediation guidance for LAPS policy |
| powershell/public/maester/intune/Test-MtIntuneASRRules.ps1 | New test to evaluate ASR rule modes via configurationPolicies settings |
| powershell/public/maester/intune/Test-MtIntuneASRRules.md | New remediation guidance for ASR rules |
| powershell/public/maester/intune/Test-MtIntuneAppControl.ps1 | New test to validate presence/config of App Control for Business policies |
| powershell/public/maester/intune/Test-MtIntuneAppControl.md | New remediation guidance for App Control for Business |
| powershell/public/maester/intune/Test-MtIntuneManagedInstallerRules.ps1 | New test to verify Managed Installer is enabled in App Control policies |
| powershell/public/maester/intune/Test-MtIntuneManagedInstallerRules.md | New remediation guidance for Managed Installer |
| powershell/Maester.psd1 | Exports the 4 new functions |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- ASR test: align Because text with Block/Audit acceptance criteria
- Managed Installer test: clarify Because text to specific MI requirement
- ASR.md: document Warn as a fourth supported mode (informational only)
- ASR.ps1: do not treat Warn as an active rule for pass criteria
- AppControl.md / ManagedInstallerRules.md: fix portal link to Application control blade
- maester-config.json: add MT.1148-MT.1151 severity/title entries
Pull request overview
Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.
I love the amount of detail in this PR description, @OfirGavish! What did you generate that summary with? Did you use our new agent skill or your own prompt?
Thank you for this fantastic contribution! 🙌 @OfirGavish — this is a really well-executed PR. Adding LAPS, ASR Rules, App Control for Business, and Managed Installer coverage in one shot fills a meaningful gap in Maester's Intune Endpoint Security story. The code quality is high, the companion documentation is thorough, and the remediation guidance is actionable. Great work.

I've done a detailed review below. There's one blocker to address before merging, a couple of things worth double-checking, and a few minor suggestions for polish.

Full Disclosure: AI helped me write these detailed suggestions based on our custom agent skill for creating and validating Maester tests. 😉

🔴 Blocking — Website documentation pages are missing

The four helper functions reference public docs URLs in their …but the corresponding files (
Example frontmatter for MT.1148:

```yaml
---
title: MT.1148 - Ensure LAPS Configuration Policy is properly set
description: Checks Intune Endpoint Security Account Protection policies for Windows LAPS profiles that back up local administrator passwords to Microsoft Entra ID.
slug: /tests/MT.1148
sidebar_class_name: hidden
---
```

🟡 Important —
Thank you Sam, I used my own personal prompt, working with GHCP on VSCode with Opus 4.6 mostly
- Add website docs pages MT.1148-MT.1151 (blocking item)
- Add Test-MtConnection Graph guard to all 4 functions
- Fix LAPS AutoAccountMgmt to handle both simpleSettingValue and choiceSettingValue
- Add 'See https://maester.dev/docs/tests/MT.XXXX' links to all 4 It block titles
- Prefix pass result messages with 'Well done.' per Maester style guide
- Add break after BackupDirectory suffix match in LAPS test
- Track and display Warn rule count in ASR policy summary
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
- LAPS: surface PostAuthDelay in the per-policy results table (was parsed but unused)
- ASR: update comment-based help to list all four supported modes (Block/Audit/Warn/Disabled), matching the implementation and the .md doc
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
The condition matches policies with no Block rules and >=1 Audit rule (which may also include Warn/Disabled rules), so the wording 'Audit mode only' was misleading. Reworded to accurately describe what the condition checks.
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 1 comment.
Address Copilot follow-up review on PR maester365#1676: The per-policy ASR summary line previously displayed TotalRules along with Block/Audit/Warn/Disabled counters, but rules whose mode value did not match any of the known suffixes ('*_block', '*_audit', '*_warn', '*_off') were silently excluded from the rollup. As a result the displayed counts could be lower than TotalRules and 'Not configured' rules were hidden from view. This change adds a NotConfiguredCount counter (incremented in the else branch alongside the existing mode detection) and surfaces it in the per-policy summary line so the four counters now reconcile with TotalRules.
@copilot resolve the merge conflicts in this pull request
Thanks so much for putting this together — these Intune checks fill an important gap, and the PR is already in good shape structurally. I reviewed it with the Maester test checklist and the I do think a few logic issues should be tightened before this is production-ready, mainly to avoid false passes/false failures in tenant assessments:
One more practical blocker: GitHub currently reports the PR as conflicting, so it will also need a rebase or merge update before it can be merged.

Again, thank you for the contribution — the scaffolding and documentation are very close. Once the pass criteria match the stated security outcomes and the conflict is resolved, this should be much easier to approve confidently.
SamErde left a comment
See previous comment and suggestions. Thanks again! 🙂
Upstream merill commit 7ebade5 (Added test meta data, May 2 2026) claimed MT.1148-MT.1151 for Microsoft Defender antivirus tests:
- MT.1148 Archive Scanning should be enabled
- MT.1149 Behavior Monitoring should be enabled
- MT.1150 Cloud Protection should be enabled
- MT.1151 Email Scanning should be enabled

Renumber this PR's Intune Endpoint Security tests to the next available contiguous range MT.1177-MT.1180 to resolve the add/add conflicts on website/docs/tests/maester/MT.115X.md and the title collisions in tests/maester-config.json.
- MT.1148 -> MT.1177 LAPS Configuration Policy
- MT.1149 -> MT.1178 ASR Rules
- MT.1150 -> MT.1179 App Control for Business
- MT.1151 -> MT.1180 Managed Installer
- MT.1177 LAPS: pass now requires Entra backup AND complexity >= _4 AND length >= 14 AND a defined post-auth action (per-policy boolean tracking, Compliant column added).
- MT.1178 ASR: pivot to Microsoft Defender ASR Standard Protection baseline. Pass now requires every baseline rule (Block abuse of exploited vulnerable signed drivers, Block credential stealing from LSASS, Block persistence through WMI event subscription) to be in Block or Audit mode across the union of all policies. Additional rules still listed for visibility.
- MT.1179 App Control: detect uploaded XML payload (simpleSettingValue under upload_policy_selected). Pass now requires at least one policy to be enforcing (audit mode disabled) AND have either built-in controls or a non-empty XML upload. Audit-only policies and empty XML uploads are reported but no longer pass.
- MT.1180 Managed Installer: pass now requires at least one App Control policy to be in Enforce mode AND have Managed Installer enabled. Managed Installer on an audit-only policy is reported but no longer passes, since the underlying App Control is not blocking.

Website docs (MT.1177-1180.md) updated to document the new pass criteria.
Hi @SamErde - thanks again for the detailed review. Pushing the following in

Renumber: MT.1148-MT.1151 -> MT.1177-MT.1180

Upstream

Logic gaps from your second-round review

Validation

Note on remaining mergeable=CONFLICTING

The renumbering cleared the file-rename collision on the website docs. The remaining conflict is positional in
@copilot resolve the merge conflicts in this pull request
Resolves conflicts in powershell/Maester.psd1 and tests/maester-config.json by taking upstream's version and re-inserting the four MT.1177-MT.1180 entries (LAPS, ASR, App Control, Managed Installer).

Validation:
- PowerShell parser: clean on all 4 test files
- PSScriptAnalyzer (Warning + Error): 0 issues
- Test-ModuleManifest: passes (now reports v2.0.0 from upstream)
- maester-config.json: parses
Follow-up: I went ahead and rebased / merged GitHub now reports the PR as
Ready for another look whenever you have time.
Code fixes:
- Test-MtIntuneASRRules.ps1: remove duplicate .EXAMPLE block.
- Test-MtIntuneManagedInstallerRules.ps1: gate pass on active App Control (built-in controls OR non-empty uploaded XML). An enforce-mode upload policy with empty XML + MI enabled no longer falsely passes. Mirrors the active-control gate used by MT.1179. Report empty-XML MI policies alongside audit-mode MI policies in failure output. Expand result table with Build Options + Policy XML columns. Update .DESCRIPTION and .EXAMPLE accordingly.

Companion docs (powershell/public/maester/intune/*.md):
- LAPS: pass now requires Entra backup AND complexity >= _4 AND length >= 14 AND a defined post-auth action.
- ASRRules: pass now requires every Standard Protection baseline rule (drivers, LSASS, WMI persistence) in Block or Audit across the union of all ASR policies. Links to MS Defender baseline.
- AppControl: pass now requires Enforce mode AND active control (built-in or non-empty uploaded XML).
- ManagedInstallerRules: pass now requires Enforce mode AND MI enabled AND active control.

Website docs:
- Regenerated MT.1177.md, MT.1178.md, MT.1179.md, MT.1180.md via website/scripts/generate-test-docs.mjs so they reflect the authoritative companion .md content (no longer hand-authored).
Thanks for the thorough review! I've pushed

Code (2)

Companion

Website docs (4) —

Validation: parser clean, PSScriptAnalyzer clean for all four
| '_8' = 'Large + small + numbers + special (improved)' | ||
| } | ||
|
|
||
| # Pass-criteria thresholds | ||
| $minPasswordLength = 14 | ||
| $minComplexitySuffixes = @('_4', '_8') # 4-class or improved 4-class |
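Review bot: the pass check here is set membership in `$minComplexitySuffixes = @('_4', '_8')`, while the PR description and the companion doc text describe the same criterion as "complexity >= _4". The mapping above shows `_8` as the improved variant of `_4`, not a higher level, so a reader of ">=" may expect the suffixes between them to pass when they do not; suggest wording the description, the comment-based help and the .md as "must be `_4` or `_8`" to match what the code evaluates.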
| - **Backup Directory**: Must be set to **Azure AD only** (Entra ID) to store passwords in the cloud where they can be retrieved by authorized admins. | ||
| - **Password Complexity**: Must be `Large + small + numbers + special` (`_4`) or improved (`_8`). | ||
| - **Password Length**: Must be **>= 14** characters. | ||
| - **Post-Authentication Actions**: Must be set to a defined action (`_1` reset / `_3` reset+logoff / `_5` reset+reboot / `_11` disabled-with-rotation) so the password rotates after use. |
| { | ||
| "Id": "MT.1177", | ||
| "Severity": "High", | ||
| "Title": "Ensure LAPS Configuration Policy is properly set" | ||
| }, |
| ## Remediation | ||
|
|
||
| 1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). | ||
| 2. Go to **Endpoint security** > **Account protection**. | ||
| 3. Click **+ Create policy**. | ||
| 4. Set **Platform** to **Windows 10 and later** and **Profile** to **Local admin password solution (Windows LAPS)**. | ||
| 5. Enter a policy name (e.g., "LAPS - Entra ID Backup"). | ||
| 6. Configure the following settings: | ||
| - **Backup Directory**: **Azure AD only** | ||
| - **Password Complexity**: **Large letters + small letters + numbers + special characters** | ||
| - **Password Length**: **21** (or at least 14) | ||
| - **Post-Authentication Actions**: **Reset password and logoff** | ||
| - **Post-Authentication Reset Delay**: **1 hour** | ||
| - **Administrator Account Name**: Leave default or specify custom account | ||
| 7. Assign the policy to your device groups and click **Create**. | ||
|
|
||
| ## Related Links | ||
|
|
||
| - [Microsoft Intune - Endpoint Security Account Protection](https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/accountprotection) | ||
| - [Microsoft Learn - Windows LAPS with Microsoft Intune](https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview) | ||
| - [Microsoft Learn - Windows LAPS CSP reference](https://learn.microsoft.com/en-us/windows/client-management/mdm/laps-csp) | ||
| - [CIS Benchmark - Ensure LAPS is configured for local admin accounts](https://www.cisecurity.org/benchmark/microsoft_intune_for_windows) | ||
|
|
| ## Remediation | ||
|
|
||
| 1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). | ||
| 2. Go to **Endpoint security** > **Attack surface reduction**. | ||
| 3. Click **+ Create policy**. | ||
| 4. Set **Platform** to **Windows 10 and later** and **Profile** to **Attack Surface Reduction Rules**. | ||
| 5. Enter a policy name (e.g., "ASR Rules - Audit Mode"). | ||
| 6. Configure individual ASR rules — start with **Audit** mode for all rules: | ||
| - Block abuse of exploited vulnerable signed drivers | ||
| - Block Adobe Reader from creating child processes | ||
| - Block all Office applications from creating child processes | ||
| - Block credential stealing from Windows LSASS | ||
| - Block executable content from email client and webmail | ||
| - Block executable files unless they meet prevalence, age, or trusted list criteria | ||
| - Block execution of potentially obfuscated scripts | ||
| - Block JavaScript or VBScript from launching downloaded executable content | ||
| - Block Office applications from creating executable content | ||
| - Block Office applications from injecting code into other processes | ||
| - Block Office communication app from creating child processes | ||
| - Block persistence through WMI event subscription | ||
| - Block process creations originating from PSExec and WMI commands | ||
| - Block untrusted and unsigned processes that run from USB | ||
| - Block Win32 API calls from Office macros | ||
| - Use advanced protection against ransomware | ||
| 7. Assign the policy to your device groups and click **Create**. | ||
| 8. Monitor audit events in **Microsoft Defender for Endpoint** > **Reports** > **Attack surface reduction rules** for 2–4 weeks before transitioning rules to **Block** mode. | ||
|
|
||
| ## Related Links | ||
|
|
||
| - [Microsoft Intune - Attack Surface Reduction](https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/asr) | ||
| - [Microsoft Learn - ASR rules reference](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference) | ||
| - [Microsoft Learn - Enable ASR rules in Intune](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction) | ||
| - [Microsoft Learn - ASR rules deployment guide](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment) | ||
|
|
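Review bot: step 6 lists all 16 rules without distinguishing which ones the test actually evaluates, but the MT.1178 pass criteria stated in this PR require only the three Standard Protection baseline rules (Block abuse of exploited vulnerable signed drivers, Block credential stealing from Windows LSASS, Block persistence through WMI event subscription) in Block or Audit across the union of policies. Suggest marking those three as required for the test to pass and the remaining rules as recommended, so the remediation tells the reader the minimum set that clears the failure.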
| ## Remediation | ||
|
|
||
| 1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). | ||
| 2. Go to **Endpoint security** > **Application control**. | ||
| 3. Click **+ Create policy**. | ||
| 4. Set **Platform** to **Windows 10 and later** and **Profile** to **App Control for Business**. | ||
| 5. Enter a policy name (e.g., "App Control - Audit Mode"). | ||
| 6. Configure the following settings: | ||
| - **App Control for Business**: Select **Built-in controls** | ||
| - **Audit mode**: **Enabled** (start in audit mode to identify blocked apps) | ||
| - **Trust apps from managed installer**: **Enabled** (trusts Intune-deployed apps) | ||
| - **Trust apps with good reputation**: **Disabled** (optional — ISG adds convenience but reduces strictness) | ||
| 7. Assign the policy to a test device group first. | ||
| 8. Monitor blocked/audited apps in **Microsoft Defender for Endpoint** > **Reports** > **Application control**. | ||
| 9. After validating that legitimate apps are not being blocked, transition to **Enforce mode**. | ||
|
|
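Review bot: steps 5 and 6 create a policy named "App Control - Audit Mode" with Audit mode Enabled, yet the MT.1179 pass criteria in this PR require at least one policy to be enforcing (audit mode disabled), so a tenant that follows steps 1 to 8 still fails the test until step 9 is completed. Suggest stating at step 6 that the audit-mode policy is a staging step and that the test passes only after the transition to Enforce mode in step 9, and that "Trust apps with good reputation" is not part of the pass criteria.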
| ## Remediation | ||
|
|
||
| 1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). | ||
| 2. Go to **Endpoint security** > **Application control**. | ||
| 3. Edit an existing App Control for Business policy (or create a new one). | ||
| 4. Under **App Control for Business**, select **Built-in controls**. | ||
| 5. Set **Trust apps from managed installer** to **Enabled**. | ||
| 6. Save and assign the policy to your device groups. | ||
|
|
||
| > **Note:** Managed Installer works by tagging files written by the Intune Management Extension (IME) process. The App Control policy then trusts any file that was installed by a tagged managed installer process. This is transparent to end users. | ||
|
|
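Review bot: the steps never mention Enforce mode, but the MT.1180 pass criteria in this PR require Enforce mode AND Managed Installer enabled AND active control, so editing an existing policy per steps 3 to 6 while it still has Audit mode enabled leaves the test failing (the policy is reported, not passed). Suggest adding a step "Ensure Audit mode is Disabled (Enforce)" and noting at step 4 that a non-empty uploaded XML policy also satisfies the active-control gate, as the criteria allow.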
| 4. Under **App Control for Business**, select **Built-in controls**. | ||
| 5. Set **Trust apps from managed installer** to **Enabled**. | ||
| 6. Save and assign the policy to your device groups. | ||
|
|
| ## Remediation | ||
|
|
||
| 1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). | ||
| 2. Go to **Endpoint security** > **Account protection**. | ||
| 3. Click **+ Create policy**. |
| ## Remediation | ||
|
|
||
| 1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). | ||
| 2. Go to **Endpoint security** > **Attack surface reduction**. | ||
| 3. Click **+ Create policy**. |
| ## Remediation | ||
|
|
||
| 1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). | ||
| 2. Go to **Endpoint security** > **Application control**. | ||
| 3. Click **+ Create policy**. |
| ## Remediation | ||
|
|
||
| 1. Navigate to [Microsoft Intune admin center](https://intune.microsoft.com). | ||
| 2. Go to **Endpoint security** > **Application control**. | ||
| 3. Edit an existing App Control for Business policy (or create a new one). |
| - **Password Complexity**: Must be `Large + small + numbers + special` (`_4`) or improved (`_8`). | ||
| - **Password Length**: Must be **>= 14** characters. | ||
| - **Post-Authentication Actions**: Must be set to a defined action (`_1` reset / `_3` reset+logoff / `_5` reset+reboot / `_11` disabled-with-rotation) so the password rotates after use. | ||
| - **Automatic Account Management**: Whether LAPS auto-manages the local admin account lifecycle (informational). | ||
|
|
This PR adds four Intune Endpoint Security tests for Microsoft Defender controls. Tests have been renumbered to MT.1177-MT.1180 to avoid collision with upstream MT.1148-MT.1151 (Defender antivirus batch).

Tests

Pass criteria (per @SamErde review)

_4 AND Password Length >= 14 AND a defined Post-Authentication Action (_1/_3/_5/_11).

Files
- powershell/public/maester/intune/Test-MtIntuneLAPSConfiguration.ps1
- powershell/public/maester/intune/Test-MtIntuneASRRules.ps1
- powershell/public/maester/intune/Test-MtIntuneAppControl.ps1
- powershell/public/maester/intune/Test-MtIntuneManagedInstallerRules.ps1
- tests/Maester/Intune/Test-MtIntunePlatform.Tests.ps1 (4 It blocks)
- tests/maester-config.json (4 entries)
- website/docs/tests/maester/MT.1177.md ... MT.1180.md
- powershell/Maester.psd1 (4 function exports)

Validation
- Test-ModuleManifest on Maester.psd1: passes
- maester-config.json: parses

Required Graph permissions
- DeviceManagementConfiguration.Read.All

Notes

The remaining `Maester.psd1` and `tests/maester-config.json` mergeable=CONFLICTING is positional only (function export ordering / config insert position) caused by upstream churn since the fork branched. Happy to rebase or take a maintainer suggestion on resolution strategy.
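Added example, not Maester's or this PR's code: a PowerShell sketch of the MT.1177 LAPS pass criteria (Entra backup AND `_4`/`_8` complexity AND length >= 14 AND a defined post-auth action) and of the MT.1178 ASR handling described in the commit messages above (mode suffix classification with a NotConfigured counter that reconciles with TotalRules, plus the baseline-rule union across policies), run against constructed sample policies. The setting names, value strings, rule keys and the `_1` suffix assumed for "Azure AD only" backup are illustration-only assumptions; the real settings-catalog definition ids come from Graph configurationPolicies and must be checked against the LAPS and Defender CSP references before reuse.

```powershell
# Added example (not Maester code). Re-implements the MT.1177 / MT.1178 pass logic
# described in the PR against constructed sample data. Setting names and choice-value
# suffixes are assumptions for illustration, not real settings-catalog ids.

function Get-ChoiceSuffix {
    param([string]$Value)
    # Settings-catalog choice values end in '_<n>'; return that suffix or $null
    if ($Value -match '(_\d+)$') { return $Matches[1] }
    return $null
}

function Test-LapsPolicy {
    param([hashtable]$Policy)
    $minPasswordLength     = 14
    $minComplexitySuffixes = @('_4', '_8')               # 4-class or improved 4-class
    $postAuthSuffixes      = @('_1', '_3', '_5', '_11')  # reset / reset+logoff / reset+reboot / disable+rotate
    $entraBackupSuffix     = '_1'                        # assumption: BackupDirectory 1 = Entra ID only

    $entraBackup = (Get-ChoiceSuffix $Policy.BackupDirectory) -eq $entraBackupSuffix
    $complexity  = (Get-ChoiceSuffix $Policy.PasswordComplexity) -in $minComplexitySuffixes
    $length      = [int]$Policy.PasswordLength -ge $minPasswordLength
    $postAuth    = (Get-ChoiceSuffix $Policy.PostAuthenticationActions) -in $postAuthSuffixes

    # Per-policy boolean tracking with a Compliant column, as the PR describes
    [pscustomobject]@{
        Policy      = $Policy.Name
        EntraBackup = $entraBackup
        Complexity  = $complexity
        Length      = $length
        PostAuth    = $postAuth
        Compliant   = ($entraBackup -and $complexity -and $length -and $postAuth)
    }
}

function Get-AsrRuleMode {
    param([string]$Value)
    # Rule values end in a mode suffix; anything else is counted as Not configured
    switch -Regex ($Value) {
        '_block$' { return 'Block' }
        '_audit$' { return 'Audit' }
        '_warn$'  { return 'Warn' }
        '_off$'   { return 'Disabled' }
        default   { return 'NotConfigured' }
    }
}

function Test-AsrBaseline {
    param([hashtable[]]$Policies)
    # Standard Protection baseline rules named in the PR; the keys are constructed
    $baselineRules = @('BlockVulnerableSignedDrivers', 'BlockLsassCredentialStealing', 'BlockWmiPersistence')

    # Per-policy rollup: the five counters reconcile with TotalRules
    $summary = foreach ($p in $Policies) {
        $counts = [ordered]@{ Block = 0; Audit = 0; Warn = 0; Disabled = 0; NotConfigured = 0 }
        foreach ($v in $p.Rules.Values) { $counts[(Get-AsrRuleMode $v)]++ }
        $row = [ordered]@{ Policy = $p.Name; TotalRules = $p.Rules.Count }
        foreach ($k in $counts.Keys) { $row[$k] = $counts[$k] }
        [pscustomobject]$row
    }

    # Union across policies: a baseline rule is satisfied if any policy has it in Block or Audit
    $missing = [System.Collections.Generic.List[string]]::new()
    foreach ($rule in $baselineRules) {
        $active = $Policies | Where-Object {
            $_.Rules.ContainsKey($rule) -and ((Get-AsrRuleMode $_.Rules[$rule]) -in @('Block', 'Audit'))
        }
        if (-not $active) { $missing.Add($rule) }
    }

    [pscustomobject]@{ Pass = ($missing.Count -eq 0); MissingRules = $missing.ToArray(); Summary = $summary }
}

# Constructed sample input (not real tenant data)
$lapsPolicies = @(
    @{ Name = 'LAPS - Entra Backup'; BackupDirectory = 'laps_backupdirectory_1'
       PasswordComplexity = 'laps_passwordcomplexity_4'; PasswordLength = 21
       PostAuthenticationActions = 'laps_postauthenticationactions_3' },
    @{ Name = 'LAPS - Legacy'; BackupDirectory = 'laps_backupdirectory_2'
       PasswordComplexity = 'laps_passwordcomplexity_3'; PasswordLength = 8
       PostAuthenticationActions = 'laps_postauthenticationactions_0' }
)
$asrPolicies = @(
    @{ Name = 'ASR - Servers'; Rules = @{ BlockVulnerableSignedDrivers = 'asr_drivers_block'
                                          BlockLsassCredentialStealing = 'asr_lsass_audit'
                                          BlockWmiPersistence          = 'asr_wmi_warn' } },
    @{ Name = 'ASR - Workstations'; Rules = @{ BlockLsassCredentialStealing = 'asr_lsass_block'
                                               BlockOfficeChildProcesses    = 'asr_office_block'
                                               BlockWmiPersistence          = 'asr_wmi_notconfigured' } }
)

$lapsPolicies | ForEach-Object { Test-LapsPolicy $_ } | Format-Table
$asr = Test-AsrBaseline $asrPolicies
$asr.Summary | Format-Table
"ASR baseline pass: $($asr.Pass); missing: $($asr.MissingRules -join ', ')"
```

With this input the first LAPS policy is Compliant and the second fails every column, and the ASR union fails because WMI persistence is only Warn in one policy and not configured in the other, while the Workstations summary shows 2 Block + 1 NotConfigured reconciling with TotalRules 3. The Warn mode is counted for visibility but deliberately not treated as active, matching the PR's pass criteria.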