Did you know that the maester framework now supports Microsoft Intune checks? In this blog post, I’ll give you a quick overview of the new capabilities and how to get started.
About Maester
Maester is an open-source security assessment framework that helps you evaluate the security posture of your Microsoft Entra ID and Microsoft 365 environments. It provides a collection of tests that can be run against your tenant to identify potential misconfigurations and security risks.
After executing the tests, maester generates a detailed report that highlights the findings and provides recommendations for remediation:

Intune Related Checks
The great thing about Maester is that it is highly extensible, allowing you to add custom tests and checks based on your specific requirements. To share some Intune best practices with the community, I contributed a set of Intune-related checks to the Maester framework.
The following Intune checks are now available in maester:
- MT.1090 - Global administrator role should not be added as local administrator on the device during Microsoft Entra join
- MT.1091 - Registering user should not be added as local administrator on the device during Microsoft Entra join
- MT.1092 - Intune APNS certificate should be valid for more than 30 days
- MT.1093 - Apple Automated Device Enrollment Tokens should be valid for more than 30 days
- MT.1094 - Apple Volume Purchase Program Tokens should be valid for more than 30 days
- MT.1095 - Android Enterprise account connection should be healthy
- MT.1096 - Ensure at least one Intune Multi Admin Approval policy is configured
- MT.1097 - Ensure all Intune Certificate Connectors are healthy and running supported versions
- MT.1098 - Mobile Threat Defense Connectors should be healthy
- MT.1099 - Windows Diagnostic Data Processing should be enabled
- MT.1100 - Intune Diagnostic Settings should include Audit Logs
- MT.1101 - Default Branding Profile should be customized
- MT.1102 - Windows Feature Update Policy Settings should not reference end of support builds
- MT.1103 - Ensure Intune RBAC groups are protected by Restricted Management Administrative Units or Role Assignable groups
- MT.1105 - Ensure MDM Authority is set to Intune
Example
To run the tests you can simply run:
# Establish connection to Graph
Connect-Maester
# Establish Connection to Azure for Intune Diagnostic Settings check
Connect-AzAccount
# Start the assessment
Invoke-Maester
and it will automatically include the Intune checks. Optionally, you can restrict the run to the Intune checks by specifying their IDs.
Some of the checks focus on connector health (APNS, ADE and VPP tokens, Android Enterprise, Certificate Connectors, Mobile Threat Defense), while others verify that the Intune service configuration matches security best practices.
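To show what the extensibility mentioned above looks like in practice, and how the run above can be narrowed to a single check by its tag, here is an added example of a custom Maester test. It is not code from the original post or from the Maester project; it re-creates the idea behind MT.1092 (APNS certificate valid for more than 30 days) as a custom Pester test. It assumes Maester's `Invoke-MtGraphRequest` and `Add-MtTestResultDetail` helpers are loaded (i.e. `Connect-Maester` has been run), that the Graph endpoint `deviceManagement/applePushNotificationCertificate` returns an `expirationDateTime`, and that the file is saved as `Custom/IntuneApns.Tests.ps1` in your Maester tests folder. The test ID `CUSTOM.1001` is a hypothetical placeholder.

```powershell
# Added example, not part of the original post or the Maester project.
# Save as Custom/IntuneApns.Tests.ps1 inside your Maester tests folder.
# Assumes a connected Maester session (Connect-Maester) so that the
# Invoke-MtGraphRequest / Add-MtTestResultDetail helpers are available.
Describe "Custom/Intune" -Tag "Custom", "Intune", "CUSTOM.1001" {

    It "CUSTOM.1001: Intune APNS certificate should expire in more than 30 days" {
        $minimumDays = 30   # same threshold the built-in MT.1092 check uses

        # Graph: GET /deviceManagement/applePushNotificationCertificate
        # Returns 404 / $null when no APNS certificate has ever been uploaded.
        $apns = Invoke-MtGraphRequest `
            -RelativeUri 'deviceManagement/applePushNotificationCertificate' `
            -ErrorAction SilentlyContinue

        if (-not $apns -or -not $apns.expirationDateTime) {
            # No Apple enrollment configured in this tenant: nothing to assess.
            Set-ItResult -Skipped -Because 'no APNS certificate is configured in Intune'
            return
        }

        $expiresOn = [datetime]$apns.expirationDateTime
        $daysLeft  = [int]($expiresOn - (Get-Date).ToUniversalTime()).TotalDays

        # Put the evidence into the Maester report so the reader sees
        # the Apple ID and the actual date, not only pass/fail.
        $detail = "APNS certificate for '$($apns.appleIdentifier)' expires on " +
                  "$($expiresOn.ToString('yyyy-MM-dd')) ($daysLeft days from now)."
        Add-MtTestResultDetail -Result $detail

        $daysLeft | Should -BeGreaterThan $minimumDays `
            -Because "an expired APNS certificate breaks management of all enrolled Apple devices"
    }
}
```

With the file in place, `Invoke-Maester` picks it up together with the built-in checks. To run only this test, or only the Intune checks listed above, pass the test IDs as tags, e.g. `Invoke-Maester -Tag 'CUSTOM.1001'` or `Invoke-Maester -Tag 'MT.1092','MT.1093','MT.1094'` (the `-Tag` parameter forwards to Pester's tag filter; treat its exact behaviour as an assumption and confirm with `Get-Help Invoke-Maester`).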
With that - happy maestering! 🚀
P.S.: I have already a lot of ideas for more Intune checks, so stay tuned for future updates.