fbprogmbh / mbam-test-automation Goto Github PK

Rework folder TashScheduler and add info to readme file.

Check the database connection string for compliance and recovery database to include

• Encrypt=Yes

• TrustServerCertificate=False (if True -> warning)

Update the check for BitLocker driver version to newest version number

Add some javascript in the report to e.g. collapse sections of the report or search for a keyword.
Standard report must be created without javascript.

Javascript code must be implemented in a seperate file which will automatically be included.

Report creation with javascript will be triggered by a switch parameter.

Hi Team,

after MBAM-TAP is done, it looks like MBAM-TAP is searching for GPO, which are not set in MBAM included in SCCM. Instead the policies are sent to the SCCM-Agent installed on the Client. As this is one of the future ways to use MBAM, we should have a look on that

Switch from a one day to a multiple day email dispatch

Typo in variable name -> tests fails because value is null

The latest Client version for Windows 10 1809 is not supportet.
Latest supportet version is actualy: 10.017763.719
Latest version for Windows 10 1809 should be: 10.017763.1490

• Implement test case for installed Bitlocker Driver on System
• Display in report

Adapt code of Get-TpmObject to CIMInstance => isOwned() not working anymore.

Hi Team,

it looks like Windows 10 fall update 2018 and Windows 10 spring update 2019 are not included in the MBAM-TAP. I get the error: Operating system not in List.

Do further testing -> also test settings labeled as disabled to prove they are really disabled

Use get-wmiobject win32_bios to get informations about bios

Update BitLocker driver version for windows 1709 / 1803 /1809

Suppress output of Get-MBAMGpoRuleState

As describes - for better integration in systems management infrastucture log all entries (Info, Warning, Error) in a custom Eventlog.

For systems management tools like SCOM or other ones this will lead to a better integration in alerting, e.g.

Function gets messed up with hibernation mode.
Seems status report frequency does not get triggered from last system startup. Recheck code.

$obj.Status("TPM not present")

If a system restart is necessary, report shows YES YES YES YES.
Remove redundanten YES.

Add a parameter with an exception list for DC who do not reply at a ping (firewall rule, etc...)

Windows feature Web-WMI should not be installed for security reasons.

Bring back the quick server report, but instead of an own script add a parameter quick or short to skip some parts during report creation.

Change report filename to MBAM_report_"computername"_"data".html

add Error-Action SilentlyContinue to suppress error output if no event log entry is found

Check against locally installed Monitoring agents like SCOM (Microsoft) or Truesight (BMC) and get "high Level" Status of System in Report.

In the gpo_template file all policies are marked as disabled. This should raise some error messages in a configured environment where policies are enabled.
Problem:
If the write-logfile function throws an error it will be catch and obj.status and obj.passed will be set to an incorrect value regardless of the result of Get-MBAMGpoRuleState.

 if($policy.PolicyState -eq 'disabled')
            {
                try 
                {
                    Get-MBAMGpoRuleState -PolicyKey $policy.PolicyKey -PolicyValue $policy.PolicyValue -path $policy.PolicyPath -ErrorAction Stop | Out-Null
                    
                    $obj.Status = "Policy falsely enabled"
                    $obj.Passed = 2

                    # log error
                    $mes = "MBAM Policy $($policy.PolicyKey) falsely enabled, please check settings."+[System.Environment]::NewLine
                    $msg += $_.Exception.toString()+[System.Environment]::NewLine
                    $msg += "; " + $_.ScriptStackTrace.toString()
                    write-LogFile -Path $LogPath -name $LogName -message $msg -Level Error

                }
                catch
                {
                    $obj.Status = "Policy disabled as expected"
                    $obj.Passed = 1
                }            
            }

PS C:\WINDOWS\system32> (Get-CimClass -Namespace ROOT/CIMV2/Security/MicrosoftTpm -ClassName Win32_Tpm).CimClassProperti
es | where name -match specversion

Name : SpecVersion
Value :
CimType : String
Flags : Property, NullValue
Qualifiers : {Description, Implemented}
ReferenceClassName :

PS C:\WINDOWS\system32> wmic /namespace:\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value

IsActivated_InitialValue=TRUE
IsEnabled_InitialValue=TRUE
IsOwned_InitialValue=TRUE
ManufacturerId=1229346816
ManufacturerIdTxt=IFX
ManufacturerVersion=5.62
ManufacturerVersionFull20=5.62.12.13826
ManufacturerVersionInfo=534c423936363500000000000000000000
PhysicalPresenceVersionInfo=1.3
SpecVersion=2.0, 0, 1.16

Therefor take e.g.

• Web-Service-URLs
• Reporting frequency

Exchange Import-LocalizedData to Import-PowerShellDataFile to avoid recurring problems with loading the config file (there is no localized data at the moment, therefore a MUI folder structure like en-US, de-DE is a little bit overkill)

Add GPO template explanation to readme file.