updated

Author: KelvinTegelaar

Modules/CIPPActivityTriggers/Public/Entrypoints/Activity Triggers/Tests/Push-CIPPTestsList.ps1

@@ -31,7 +31,7 @@ function Push-CIPPTestsList {
 
         # Emit one task per suite — suite names must match the ValidateSet in Invoke-CIPPTestCollection.
         # Function discovery happens inside Invoke-CIPPTestCollection via Get-Command (path-independent).
-        $Suites = @('ZTNA', 'ORCA', 'EIDSCA', 'CISA', 'CIS', 'CopilotReadiness', 'GenericTests', 'Custom')
+        $Suites = @('ZTNA', 'ORCA', 'EIDSCA', 'CISA', 'CIS', 'SMB1001', 'CopilotReadiness', 'GenericTests', 'Custom')
 
         $Tasks = foreach ($Suite in $Suites) {
             [PSCustomObject]@{

Modules/CIPPCore/Public/Invoke-CIPPTestCollection.ps1

@@ -15,6 +15,7 @@ function Invoke-CIPPTestCollection {
         - EIDSCA           → Invoke-CippTestEIDSCA*
         - CISA             → Invoke-CippTestCISA*
         - CIS              → Invoke-CippTestCIS_*
+        - SMB1001          → Invoke-CippTestSMB1001_*
         - CopilotReadiness → Invoke-CippTestCopilotReady*
         - Custom           → Special: enumerates enabled ScriptGuids from DB and calls
                              Invoke-CippTestCustomScripts once per guid (the function
@@ -32,7 +33,7 @@ function Invoke-CIPPTestCollection {
     [CmdletBinding()]
     param(
         [Parameter(Mandatory = $true)]
-        [ValidateSet('ZTNA', 'ORCA', 'EIDSCA', 'CISA', 'CIS', 'CopilotReadiness', 'GenericTests', 'Custom')]
+        [ValidateSet('ZTNA', 'ORCA', 'EIDSCA', 'CISA', 'CIS', 'SMB1001', 'CopilotReadiness', 'GenericTests', 'Custom')]
         [string]$SuiteName,
 
         [Parameter(Mandatory = $true)]
@@ -47,6 +48,7 @@ function Invoke-CIPPTestCollection {
         EIDSCA           = 'Invoke-CippTestEIDSCA*'
         CISA             = 'Invoke-CippTestCISA*'
         CIS              = 'Invoke-CippTestCIS_*'
+        SMB1001          = 'Invoke-CippTestSMB1001_*'
         CopilotReadiness = 'Invoke-CippTestCopilotReady*'
         GenericTests     = 'Invoke-CippTestGenericTest*'
     }

Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_1_10.md

@@ -0,0 +1,18 @@
+SMB1001 (1.10) — Level 5 — disable untrusted Microsoft Office macros. The Intune-managed implementation is Defender Attack Surface Reduction (ASR) rules. The two key rules for SMB1001 1.10 are:
+
+- **Block Win32 API calls from Office macros** — prevents macros from calling Win32 APIs to download/execute payloads.
+- **Block all Office applications from creating child processes** — prevents Office from spawning malicious processes.
+
+**Remediation Action**
+
+1. Intune admin centre > Endpoint security > Attack surface reduction > Create policy.
+2. Choose Windows > Attack Surface Reduction Rules.
+3. Set both Office-macro rules to **Block** (or Audit while validating).
+4. Assign to All Devices or a target group.
+
+**Links**
+- [SMB1001:2026 Standard](https://dsi.org)
+- [Attack Surface Reduction rules reference](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference)
+
+<!--- Results --->
+%TestResult%

Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_1_10.ps1

@@ -0,0 +1,60 @@
+function Invoke-CippTestSMB1001_1_10 {
+    <#
+    .SYNOPSIS
+    Tests SMB1001 (1.10) - Disable untrusted Microsoft Office macros
+
+    .DESCRIPTION
+    Verifies an Attack Surface Reduction (ASR) policy is deployed via Intune that blocks
+    Win32 API calls from Office macros and child processes from Office apps. SMB1001 1.10
+    (Level 5) requires untrusted Office macros to be disabled.
+    #>
+    param($Tenant)
+
+    try {
+        $ConfigurationPolicies = Get-CIPPTestData -TenantFilter $Tenant -Type 'IntuneConfigurationPolicies'
+
+        if (-not $ConfigurationPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'SMB1001_1_10' -TestType 'Devices' -Status 'Skipped' -ResultMarkdown 'No data found in database. This may be due to missing Intune licenses or data collection not yet completed.' -Risk 'High' -Name 'Untrusted Microsoft Office macros are disabled' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Device'
+            return
+        }
+
+        $ASRPolicies = $ConfigurationPolicies | Where-Object {
+            $_.platforms -like '*windows10*' -and
+            $_.settings.settingInstance.settingDefinitionId -contains 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules'
+        }
+
+        if (-not $ASRPolicies -or $ASRPolicies.Count -eq 0) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'SMB1001_1_10' -TestType 'Devices' -Status 'Failed' -ResultMarkdown 'No Attack Surface Reduction policies found. ASR rules block Office macro abuse, which SMB1001 1.10 requires.' -Risk 'High' -Name 'Untrusted Microsoft Office macros are disabled' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Device'
+            return
+        }
+
+        $MacroProtected = $ASRPolicies | Where-Object {
+            $children = $_.settings.settingInstance.groupSettingCollectionValue.children
+            $win32MacroSetting = $children | Where-Object { $_.settingDefinitionId -eq 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros' }
+            $officeChildSetting = $children | Where-Object { $_.settingDefinitionId -eq 'device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses' }
+            ($win32MacroSetting.choiceSettingValue.value -like '*_block' -or $win32MacroSetting.choiceSettingValue.value -like '*_warn') -or
+            ($officeChildSetting.choiceSettingValue.value -like '*_block' -or $officeChildSetting.choiceSettingValue.value -like '*_warn')
+        }
+
+        if (-not $MacroProtected -or $MacroProtected.Count -eq 0) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId 'SMB1001_1_10' -TestType 'Devices' -Status 'Failed' -ResultMarkdown 'ASR policies exist but none enable the Office macro protection rules (Block Win32 API calls from Office macros / Block Office child processes).' -Risk 'High' -Name 'Untrusted Microsoft Office macros are disabled' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Device'
+            return
+        }
+
+        $Assigned = $MacroProtected | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 }
+
+        if ($Assigned.Count -gt 0) {
+            $Status = 'Passed'
+            $Result = "$($Assigned.Count) ASR policy/policies are assigned with Office macro protection rules enabled."
+        } else {
+            $Status = 'Failed'
+            $Result = "ASR policies with Office macro protection exist but are not assigned. Found $($MacroProtected.Count) unassigned policy/policies."
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'SMB1001_1_10' -TestType 'Devices' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name 'Untrusted Microsoft Office macros are disabled' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Device'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId 'SMB1001_1_10' -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name 'Untrusted Microsoft Office macros are disabled' -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Device'
+    }
+}

Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_1_12.md

@@ -0,0 +1,19 @@
+SMB1001 (1.12) — Level 3 + Level 5 — implement Endpoint Detection and Response (EDR). At Level 5 the EDR must be paired with a Managed Detection and Response (MDR) service with a defined SLA. The Microsoft 365 implementation is Microsoft Defender for Endpoint, deployed via Intune onboarding plus an Endpoint security > EDR configuration policy.
+
+The MDR contractual relationship is verified separately to a Dynamic Standard Certifier (it is an operational control, not a tenant config).
+
+**Remediation Action**
+
+1. Microsoft 365 Defender > Settings > Endpoints > Onboarding — generate the onboarding package.
+2. Intune admin centre > Endpoint security > Endpoint detection and response > Create policy.
+3. Choose "Auto-configure from MDE connector" so devices use the connector's configuration.
+4. Assign to All Devices.
+
+Use CIPP `standards.IntuneTemplate` with an EDR template to deploy across tenants.
+
+**Links**
+- [SMB1001:2026 Standard](https://dsi.org)
+- [Onboard devices to Defender for Endpoint with Intune](https://learn.microsoft.com/en-us/defender-endpoint/configure-endpoints-mdm)
+
+<!--- Results --->
+%TestResult%

Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_1_12.ps1

@@ -0,0 +1,42 @@
+function Invoke-CippTestSMB1001_1_12 {
+    <#
+    .SYNOPSIS
+    Tests SMB1001 (1.12) - Implement Endpoint Detection and Response (EDR)
+
+    .DESCRIPTION
+    Verifies the Microsoft Defender for Endpoint - Intune connector is enabled. The connector
+    is the prerequisite for onboarding devices to MDE via Intune. SMB1001 1.12 Level 5
+    additionally prescribes a Managed Detection and Response (MDR) service contract — that is
+    a contractual control evidenced separately.
+    #>
+    param($Tenant)
+
+    $TestId = 'SMB1001_1_12'
+    $Name = 'Endpoint Detection and Response (EDR) is deployed'
+
+    try {
+        $MDEOnboarding = Get-CIPPTestData -TenantFilter $Tenant -Type 'MDEOnboarding'
+
+        if (-not $MDEOnboarding) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Skipped' -ResultMarkdown 'MDEOnboarding cache not found. This may be due to missing Defender for Endpoint licenses or data collection not yet completed.' -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Device'
+            return
+        }
+
+        $Connector = $MDEOnboarding | Select-Object -First 1
+        $State = $Connector.partnerState
+
+        if ($State -eq 'enabled') {
+            $Status = 'Passed'
+            $Result = "The Microsoft Defender for Endpoint - Intune connector is enabled (partnerState: $State). Devices onboarded via Intune can report to MDE for EDR. If you are at L5, evidence the MDR service contract separately."
+        } else {
+            $Status = 'Failed'
+            $Result = "The Microsoft Defender for Endpoint - Intune connector is not enabled (partnerState: $($State ?? 'unavailable')). Onboard tenant in Microsoft 365 Defender > Settings > Endpoints > Advanced features and connect Intune."
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Device'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Medium' -Category 'Device'
+    }
+}

Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_1_2.md

@@ -0,0 +1,16 @@
+SMB1001 (1.2) — Level 1+ — install and configure a firewall on every device that connects to the Internet. The Intune-managed implementation is the Microsoft Defender Firewall configuration policy under Endpoint security > Firewall. This test passes when at least one firewall policy is assigned to a group.
+
+**Remediation Action**
+
+1. Intune admin centre > Endpoint security > Firewall > Create policy.
+2. Choose platform (Windows or macOS) and the Microsoft Defender Firewall profile.
+3. Configure rules and assign to All Devices or a target group.
+
+Use CIPP `standards.IntuneTemplate` with a Defender Firewall template to deploy across tenants.
+
+**Links**
+- [SMB1001:2026 Standard](https://dsi.org)
+- [Configure Microsoft Defender Firewall with Intune](https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-firewall-policy)
+
+<!--- Results --->
+%TestResult%

Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_1_2.ps1

@@ -0,0 +1,58 @@
+function Invoke-CippTestSMB1001_1_2 {
+    <#
+    .SYNOPSIS
+    Tests SMB1001 (1.2) - Install and configure a firewall on all devices
+
+    .DESCRIPTION
+    Verifies an Intune endpoint security firewall configuration policy exists and is assigned.
+    SMB1001 1.2 requires firewalls on every device that connects to the Internet, including
+    personal devices used for work.
+    #>
+    param($Tenant)
+
+    $TestId = 'SMB1001_1_2'
+    $Name = 'Firewall is configured on all devices'
+
+    try {
+        $ConfigurationPolicies = Get-CIPPTestData -TenantFilter $Tenant -Type 'IntuneConfigurationPolicies'
+
+        if (-not $ConfigurationPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Skipped' -ResultMarkdown 'No data found in database. This may be due to missing Intune licenses or data collection not yet completed.' -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $FirewallPolicies = @($ConfigurationPolicies | Where-Object {
+                $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityFirewall'
+            })
+
+        if ($FirewallPolicies.Count -eq 0) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown 'No endpoint security firewall configuration policies found in Intune.' -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $AssignedPolicies = @($FirewallPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+
+        if ($AssignedPolicies.Count -gt 0) {
+            $Status = 'Passed'
+            $TableRows = foreach ($P in $FirewallPolicies) {
+                $A = if ($P.assignments -and $P.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+                "| $($P.name) | $A |"
+            }
+            $Result = (@(
+                    "$($AssignedPolicies.Count) of $($FirewallPolicies.Count) firewall policy/policies are assigned."
+                    ''
+                    '| Policy Name | Assigned |'
+                    '| :---------- | :------- |'
+                ) + $TableRows) -join "`n"
+        } else {
+            $Status = 'Failed'
+            $Result = "Firewall policies exist but none are assigned. Found $($FirewallPolicies.Count) unassigned policy/policies."
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+    }
+}

Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_1_3.md

@@ -0,0 +1,15 @@
+SMB1001 (1.3) — Level 1+ — install and enable antivirus on every workstation and laptop. Mobile devices are covered by ensuring built-in protections (Google Play Protect, App Store) are active. The Intune-managed implementation is a Microsoft Defender Antivirus configuration policy under Endpoint security > Antivirus.
+
+**Remediation Action**
+
+1. Intune admin centre > Endpoint security > Antivirus > Create policy.
+2. Choose platform (Windows, macOS) and Microsoft Defender Antivirus profile.
+3. Configure real-time protection, cloud-delivered protection, automatic sample submission.
+4. Assign to All Devices or a target group.
+
+**Links**
+- [SMB1001:2026 Standard](https://dsi.org)
+- [Antivirus policy for Endpoint security in Intune](https://learn.microsoft.com/en-us/intune/intune-service/protect/endpoint-security-antivirus-policy)
+
+<!--- Results --->
+%TestResult%

Modules/CIPPTests/Public/Tests/SMB1001/Devices/Invoke-CippTestSMB1001_1_3.ps1

@@ -0,0 +1,58 @@
+function Invoke-CippTestSMB1001_1_3 {
+    <#
+    .SYNOPSIS
+    Tests SMB1001 (1.3) - Install antivirus software on all organization devices
+
+    .DESCRIPTION
+    Verifies an Intune endpoint security antivirus configuration policy exists and is assigned.
+    SMB1001 1.3 requires actively-updated antivirus on workstations and laptops.
+    #>
+    param($Tenant)
+
+    $TestId = 'SMB1001_1_3'
+    $Name = 'Antivirus is installed and configured on all devices'
+
+    try {
+        $ConfigurationPolicies = Get-CIPPTestData -TenantFilter $Tenant -Type 'IntuneConfigurationPolicies'
+
+        if (-not $ConfigurationPolicies) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Skipped' -ResultMarkdown 'No data found in database. This may be due to missing Intune licenses or data collection not yet completed.' -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $AVPolicies = @($ConfigurationPolicies | Where-Object {
+                $_.templateReference -and $_.templateReference.templateFamily -eq 'endpointSecurityAntivirus'
+            })
+
+        if ($AVPolicies.Count -eq 0) {
+            Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown 'No endpoint security antivirus configuration policies found in Intune.' -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+            return
+        }
+
+        $AssignedPolicies = @($AVPolicies | Where-Object { $_.assignments -and $_.assignments.Count -gt 0 })
+
+        if ($AssignedPolicies.Count -gt 0) {
+            $Status = 'Passed'
+            $TableRows = foreach ($P in $AVPolicies) {
+                $A = if ($P.assignments -and $P.assignments.Count -gt 0) { '✅ Yes' } else { '❌ No' }
+                $Plat = if ($P.platforms) { $P.platforms } else { 'unknown' }
+                "| $($P.name) | $Plat | $A |"
+            }
+            $Result = (@(
+                    "$($AssignedPolicies.Count) of $($AVPolicies.Count) antivirus policy/policies are assigned."
+                    ''
+                    '| Policy Name | Platform | Assigned |'
+                    '| :---------- | :------- | :------- |'
+                ) + $TableRows) -join "`n"
+        } else {
+            $Status = 'Failed'
+            $Result = "Antivirus policies exist but none are assigned. Found $($AVPolicies.Count) unassigned policy/policies."
+        }
+
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status $Status -ResultMarkdown $Result -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        Write-LogMessage -API 'Tests' -tenant $Tenant -message "Failed to run test: $($ErrorMessage.NormalizedError)" -sev Error -LogData $ErrorMessage
+        Add-CippTestResult -TenantFilter $Tenant -TestId $TestId -TestType 'Devices' -Status 'Failed' -ResultMarkdown "Test failed: $($ErrorMessage.NormalizedError)" -Risk 'High' -Name $Name -UserImpact 'Low' -ImplementationEffort 'Low' -Category 'Device'
+    }
+}