public/maester/defender/Test-MtMdeDisableLocalAdminMerge.ps1
|
function Test-MtMdeDisableLocalAdminMerge { <# .SYNOPSIS Checks if local admin merge is disabled to block local exclusions .DESCRIPTION Tests that all assigned Microsoft Defender Antivirus policies have the disable local admin merge setting enabled. Local admin policy override allows privilege escalation to bypass security controls on managed devices. .PARAMETER ComplianceLogic Determines how policy compliance is evaluated. 'AllPolicies' requires every assigned policy to be compliant; 'AnyPolicy' requires at least one. Default: 'AllPolicies'. .PARAMETER PolicyFiltering Determines which Defender Antivirus policies are evaluated. 'OnlyAssigned' (default) checks only assigned policies; 'IncludeUnassigned' includes unassigned policies; 'All' includes every policy. .PARAMETER ComplianceLogic Specify compliance logic: AllPolicies or AnyPolicy .PARAMETER PolicyFiltering Specify policy filtering: All, IncludeUnassigned, or OnlyAssigned .EXAMPLE Test-MtMdeDisableLocalAdminMerge Returns $true if all policies have local admin merge disabled. .LINK https://maester.dev/docs/commands/Test-MtMdeDisableLocalAdminMerge #> [CmdletBinding()] [OutputType([bool])] param( [ValidateSet('AllPolicies', 'AnyPolicy')] [string]$ComplianceLogic = 'AllPolicies', [ValidateSet('All', 'IncludeUnassigned', 'OnlyAssigned')] [string]$PolicyFiltering = 'OnlyAssigned' ) Write-Verbose "Running Test-MtMdeDisableLocalAdminMerge..." if (!(Test-MtConnection Graph)) { Add-MtTestResultDetail -SkippedBecause NotConnectedGraph return $null } $deviceCount = 0 $policyConfig = $null try { $deviceCount = Get-MdeDeviceCount $policyConfig = Get-MdePolicyConfiguration -PolicyFiltering $PolicyFiltering } catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } if ($deviceCount -eq 0) { Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "No MDE-managed Windows devices found" return $null } if ($policyConfig.TotalCount -eq 0) { Add-MtTestResultDetail -SkippedBecause Custom -SkippedCustomReason "No assigned Microsoft Defender Antivirus policies found" return $null } try { $compliance = Test-MdePolicyCompliance -PolicyConfiguration $policyConfig ` -ComplianceLogic $ComplianceLogic ` -SettingId "device_vendor_msft_defender_configuration_disablelocaladminmerge" ` -ComplianceCheck "Boolean" ` -ExpectedValue "_1" $testResult = $compliance.IsCompliant if ($testResult) { $testResultMarkdown = "Well done. Disable local admin merge is correctly configured in all $($policyConfig.TotalCount) assigned Defender Antivirus policies." } else { $testResultMarkdown = "Disable local admin merge is not properly configured in all policies." if ($compliance.NonCompliantPolicies.Count -gt 0) { $testResultMarkdown += "`n`nNon-compliant policies: $($compliance.NonCompliantPolicies -join ', ')" } if ($compliance.NotConfiguredPolicies.Count -gt 0) { $testResultMarkdown += "`n`nPolicies without this setting configured: $($compliance.NotConfiguredPolicies -join ', ')" } } Add-MtTestResultDetail -Result $testResultMarkdown return $testResult } catch { Add-MtTestResultDetail -SkippedBecause Error -SkippedError $_ return $null } } |