
Added MDE Support#1017

Open

bdrogja wants to merge 16 commits into maester365:main from bdrogja:feature/mde-support

Conversation


@bdrogja bdrogja commented Jul 9, 2025

Comprehensive MDE policy validation with 46 automated organized based on custom made benchmarks, covering antivirus configurations, global settings (manual review), and policy design quality (manual review).

See MDE-FEATURE-DOCUMENTATION.md for complete feature documentation.

@bdrogja bdrogja requested review from a team as code owners July 9, 2025 11:31
@bdrogja bdrogja changed the title from "Comprehensive MDE policy validation with 46 automated organized based…" to "Added MDE Support" on Jul 9, 2025
merill (Contributor) commented Jul 14, 2025

@bdrogja thanks a lot for the PR. This is AMAZING work 👏

I took a look at the implementation and while I appreciate the effort to use a config driven flow for the tests, it makes it a little hard to maintain over the long term. Plus this format deviates a lot from the rest of the Maester tests.

With the Maester tests, we want users who run the test and notice a failure to be able to open the tests file, open the associated cmdlet and easily understand the logic of the check.

The EIDSCA implementation is the closest to what you have in this PR. One key difference is that we use a json to drive the generation of the EIDSCA tests since it's mostly checking for config.

See https://maester.dev/docs/contributing#updating-eidsca-tests-and-documentation

I feel like we can do the same here and generate the MDE tests at build time. This way the final test that runs and the markdown will follow the format of the rest of the tests.

We can re-use a lot of the existing cmdlets as is, since it will be the generated cmdlet running it.

In terms of custom config we have plans to build on https://github.com/maester365/maester/blob/main/tests/maester-config.json so users could customize the parameters they pass into each cmdlet.

We also want to build a UX in the report to be able to customize the parameters. Hence keeping the config files consistent will make it easy to add these core features.

Thoughts?

bdrogja (Author) commented Jul 16, 2025

Thanks for the very fast review and feedback on this. I know, you have a lot of projects on the table, appreciate that.

I think that shouldn't be a big deal to build it the same way as the EIDSCA tests.
Even though it increases the code and redundancy a lot, I agree that it's still more understandable and readable for admins.

What's your idea for the config file?
Should I remove the global config file and merge it directly into each test? The filters (only Windows for now, only msSense and MDM-managed, and so on) can be configured directly in the cmdlets, as well as the Compliance Logic and Policy Filtering feature.

Or do you have a different idea?

merill (Contributor) commented Jul 20, 2025

Thanks a lot @bdrogja that would be awesome.

I think if we can make these parameters for the cmdlets and have sensible defaults, then when we build a custom ux we can generate the UI based on the cmdlet parameters for each test.

merill (Contributor) left a review comment

@bdrogja please see comments in the thread on the requested changes.

merill (Contributor) commented Oct 15, 2025

@bdrogja thoughts...

@SamErde SamErde linked an issue Oct 27, 2025 that may be closed by this pull request
@merill merill requested a review from a team as a code owner April 13, 2026 03:25
codacy-production bot commented Apr 13, 2026

Up to standards ✅

🟢 Issues: 0 new issues

🟢 Metrics: Duplication 0

Copilot AI (Contributor) left a review comment

Pull request overview

Adds a new Microsoft Defender for Endpoint (MDE) test suite to Maester, including documentation pages, sidebar navigation, configuration options, and PowerShell test/utility functions to evaluate Intune Defender Antivirus settings via Microsoft Graph.

Changes:

  • Adds a new “Defender for Endpoint” docs section (overview + MT.1123–MT.1146 test pages) and updates website navigation.
  • Introduces MDE configuration (GlobalSettings.MdeConfig) docs and internal logic to evaluate policy compliance across Intune configuration policies.
  • Adds new PowerShell public cmdlets and internal helpers for MDE policy retrieval/compliance evaluation, plus a Pester test file and test metadata entries.

Reviewed changes

Copilot reviewed 90 out of 90 changed files in this pull request and generated 8 comments.

File Description
website/sidebars.js Adds Defender for Endpoint section to the docs sidebar.
website/docs/tests/readme.md Adds Defender for Endpoint tests entry to the tests overview page.
website/docs/tests/defender/readme.md New Defender for Endpoint docs overview (permissions, config, test index).
website/docs/tests/defender/MT.1123.md New test doc page (Archive Scanning).
website/docs/tests/defender/MT.1124.md New test doc page (Behavior Monitoring).
website/docs/tests/defender/MT.1125.md New test doc page (Cloud Protection).
website/docs/tests/defender/MT.1126.md New test doc page (Email Scanning).
website/docs/tests/defender/MT.1127.md New test doc page (Script Scanning).
website/docs/tests/defender/MT.1128.md New test doc page (Real-time Monitoring).
website/docs/tests/defender/MT.1129.md New test doc page (Full Scan Removable Drives).
website/docs/tests/defender/MT.1130.md New test doc page (Mapped Drives scanning disabled).
website/docs/tests/defender/MT.1131.md New test doc page (Scanning Network Files).
website/docs/tests/defender/MT.1132.md New test doc page (CPU Load Factor).
website/docs/tests/defender/MT.1133.md New test doc page (Scheduled scan).
website/docs/tests/defender/MT.1134.md New test doc page (Quick Scan Time not required).
website/docs/tests/defender/MT.1135.md New test doc page (Signatures before scan).
website/docs/tests/defender/MT.1136.md New test doc page (Cloud Block Level).
website/docs/tests/defender/MT.1137.md New test doc page (Cloud Extended Timeout).
website/docs/tests/defender/MT.1138.md New test doc page (Signature update interval).
website/docs/tests/defender/MT.1139.md New test doc page (PUA Protection).
website/docs/tests/defender/MT.1140.md New test doc page (Network Protection).
website/docs/tests/defender/MT.1141.md New test doc page (Local Admin Merge).
website/docs/tests/defender/MT.1142.md New test doc page (Real-time scan direction).
website/docs/tests/defender/MT.1143.md New test doc page (Retain cleaned malware).
website/docs/tests/defender/MT.1144.md New test doc page (Disable catch-up full scan).
website/docs/tests/defender/MT.1145.md New test doc page (Disable catch-up quick scan).
website/docs/tests/defender/MT.1146.md New test doc page (Submit samples consent).
website/docs/contributing.md Documents new /Defender tests folder under Maester tests.
website/docs/configuration/overview.md Documents GlobalSettings.MdeConfig options and defaults.
tests/Maester/Defender/Test-MtMdiHealthIssues.Tests.ps1 Modifies MDI health issues test (currently in a broken state).
tests/Maester/Defender/Test-MtMdeAntivirusPolicy.Tests.ps1 Adds Pester tests that execute the new MDE validation cmdlets.
tests/maester-config.json Adds MT.1123–MT.1146 entries (severity/title) to test metadata.
powershell/public/defender/Test-MtMdeSubmitSamplesConsent.ps1 New MDE cmdlet: validates sample submission consent.
powershell/public/defender/Test-MtMdeSubmitSamplesConsent.md New cmdlet help content for sample submission consent.
powershell/public/defender/Test-MtMdeSignatureUpdateInterval.ps1 New MDE cmdlet: validates signature update interval range.
powershell/public/defender/Test-MtMdeSignatureUpdateInterval.md New cmdlet help content for signature update interval.
powershell/public/defender/Test-MtMdeSignatureBeforeScan.ps1 New MDE cmdlet: validates signature check before scan.
powershell/public/defender/Test-MtMdeSignatureBeforeScan.md New cmdlet help content for signature check before scan.
powershell/public/defender/Test-MtMdeScriptScanning.ps1 New MDE cmdlet: validates script scanning enabled.
powershell/public/defender/Test-MtMdeScriptScanning.md New cmdlet help content for script scanning.
powershell/public/defender/Test-MtMdeScheduleScanDay.ps1 New MDE cmdlet: validates scan schedule day is configured.
powershell/public/defender/Test-MtMdeScheduleScanDay.md New cmdlet help content for scan schedule day.
powershell/public/defender/Test-MtMdeRetainCleanedMalware.ps1 New MDE cmdlet: validates cleaned malware retention minimum.
powershell/public/defender/Test-MtMdeRetainCleanedMalware.md New cmdlet help content for cleaned malware retention.
powershell/public/defender/Test-MtMdeRemovableDriveScanning.ps1 New MDE cmdlet: validates removable drive scanning enabled.
powershell/public/defender/Test-MtMdeRemovableDriveScanning.md New cmdlet help content for removable drive scanning.
powershell/public/defender/Test-MtMdeRealtimeScanDirection.ps1 New MDE cmdlet: validates real-time scan direction setting.
powershell/public/defender/Test-MtMdeRealtimeScanDirection.md New cmdlet help content for real-time scan direction.
powershell/public/defender/Test-MtMdeRealtimeMonitoring.ps1 New MDE cmdlet: validates real-time monitoring enabled.
powershell/public/defender/Test-MtMdeRealtimeMonitoring.md New cmdlet help content for real-time monitoring.
powershell/public/defender/Test-MtMdeQuickScanTime.ps1 New MDE cmdlet: marks quick scan time as not required.
powershell/public/defender/Test-MtMdeQuickScanTime.md New cmdlet help content for quick scan time.
powershell/public/defender/Test-MtMdePuaProtection.ps1 New MDE cmdlet: validates PUA protection enabled.
powershell/public/defender/Test-MtMdePuaProtection.md New cmdlet help content for PUA protection.
powershell/public/defender/Test-MtMdePolicyHasAssignments.ps1 New helper cmdlet: checks whether a config policy has assignments.
powershell/public/defender/Test-MtMdeNetworkProtection.ps1 New MDE cmdlet: validates network protection enabled.
powershell/public/defender/Test-MtMdeNetworkProtection.md New cmdlet help content for network protection.
powershell/public/defender/Test-MtMdeNetworkFileScanning.ps1 New MDE cmdlet: validates scanning network files enabled.
powershell/public/defender/Test-MtMdeNetworkFileScanning.md New cmdlet help content for scanning network files.
powershell/public/defender/Test-MtMdeMappedDriveScanning.ps1 New MDE cmdlet: validates mapped drive full scan disabled.
powershell/public/defender/Test-MtMdeMappedDriveScanning.md New cmdlet help content for mapped drive scanning.
powershell/public/defender/Test-MtMdeEmailScanning.ps1 New MDE cmdlet: validates email scanning enabled.
powershell/public/defender/Test-MtMdeEmailScanning.md New cmdlet help content for email scanning.
powershell/public/defender/Test-MtMdeDisableLocalAdminMerge.ps1 New MDE cmdlet: validates local admin merge disabled.
powershell/public/defender/Test-MtMdeDisableLocalAdminMerge.md New cmdlet help content for local admin merge.
powershell/public/defender/Test-MtMdeCpuLoadFactor.ps1 New MDE cmdlet: validates CPU load factor range.
powershell/public/defender/Test-MtMdeCpuLoadFactor.md New cmdlet help content for CPU load factor.
powershell/public/defender/Test-MtMdeCloudProtection.ps1 New MDE cmdlet: validates cloud protection enabled.
powershell/public/defender/Test-MtMdeCloudProtection.md New cmdlet help content for cloud protection.
powershell/public/defender/Test-MtMdeCloudExtendedTimeout.ps1 New MDE cmdlet: validates cloud extended timeout range.
powershell/public/defender/Test-MtMdeCloudExtendedTimeout.md New cmdlet help content for cloud extended timeout.
powershell/public/defender/Test-MtMdeCloudBlockLevel.ps1 New MDE cmdlet: validates cloud block level minimum.
powershell/public/defender/Test-MtMdeCloudBlockLevel.md New cmdlet help content for cloud block level.
powershell/public/defender/Test-MtMdeCatchupQuickScan.ps1 New MDE cmdlet: validates catch-up quick scan disabled.
powershell/public/defender/Test-MtMdeCatchupQuickScan.md New cmdlet help content for catch-up quick scan.
powershell/public/defender/Test-MtMdeCatchupFullScan.ps1 New MDE cmdlet: validates catch-up full scan disabled.
powershell/public/defender/Test-MtMdeCatchupFullScan.md New cmdlet help content for catch-up full scan.
powershell/public/defender/Test-MtMdeBehaviorMonitoring.ps1 New MDE cmdlet: validates behavior monitoring enabled.
powershell/public/defender/Test-MtMdeBehaviorMonitoring.md New cmdlet help content for behavior monitoring.
powershell/public/defender/Test-MtMdeArchiveScanning.ps1 New MDE cmdlet: validates archive scanning enabled.
powershell/public/defender/Test-MtMdeArchiveScanning.md New cmdlet help content for archive scanning.
powershell/public/defender/Get-MtMdeDeviceCount.ps1 New cmdlet: counts eligible MDE-managed Windows devices.
powershell/public/defender/Get-MtMdeConfiguration.ps1 New cmdlet: pulls device/policy/baseline data from Graph for MDE tests.
powershell/Maester.psd1 Exports newly added Defender/MDE functions (currently includes an internal function).
powershell/internal/Get-MtMdeConfig.ps1 New internal helper: reads GlobalSettings.MdeConfig with defaults.
powershell/internal/Get-MtMaesterConfig.ps1 Minor formatting-only adjustment.
powershell/internal/defender/Test-MdeSettingCompliance.ps1 New internal helper: evaluates a single setting value against compliance rules.
powershell/internal/defender/Test-MdePolicyCompliance.ps1 New internal helper: evaluates a setting across all selected policies, with configurable logic.
powershell/internal/defender/Get-MdeSettingValue.ps1 New internal helper: extracts setting values from Graph policy settings responses.
powershell/internal/defender/Get-MdePolicyConfiguration.ps1 New internal helper: selects Defender AV configuration policies and applies assignment filtering.

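The thread settles on two design points: each check should be a plain cmdlet whose filters and compliance logic are parameters with sensible defaults (merill, Jul 20), and the Copilot summary describes internal helpers that read a setting value out of a Graph policy response and evaluate it across all selected policies with configurable logic. The block below is an added, self-contained PowerShell illustration of that shape; it is not code from this PR or from the Maester project. The function names, the `'windows10'` platform string, the sample policy objects and the assumption that choice-setting values carry the setting definition id as a prefix are all constructed for the example and should not be read as the PR's actual implementation.

```powershell
# Added example, not Maester code: a parameterised Defender AV setting check
# with overridable defaults, run offline against constructed settings catalog
# policy objects. Function names, the 'windows10' platform value and the
# "<definitionId>_<n>" choice-value layout are assumptions, not from the PR.

function Get-PolicySettingValue {
    # Return one setting's value from a settings catalog policy object, or $null
    # if the policy does not configure it. Choice settings store
    # "<definitionId>_<n>"; the suffix is returned so callers compare "1"/"0".
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [string] $SettingDefinitionId
    )
    foreach ($setting in $Policy.settings) {
        $instance = $setting.settingInstance
        if ($instance.settingDefinitionId -ne $SettingDefinitionId) { continue }
        if ($instance.choiceSettingValue) {
            $prefix = [regex]::Escape($SettingDefinitionId) + '_'
            return ($instance.choiceSettingValue.value -replace "^$prefix", '')
        }
        if ($null -ne $instance.simpleSettingValue) {
            return [string]$instance.simpleSettingValue.value
        }
    }
    return $null
}

function Test-DefenderAvSetting {
    # Evaluate one setting across the selected policies. Defaults follow the
    # thread: Windows only, assigned policies only, and every policy must comply.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Policies,
        [Parameter(Mandatory)] [string] $SettingDefinitionId,
        [Parameter(Mandatory)] [string[]] $ExpectedValues,
        [ValidateSet('AllPolicies', 'AnyPolicy')] [string] $ComplianceLogic = 'AllPolicies',
        [bool] $RequireAssignment = $true,
        [string] $Platform = 'windows10'
    )
    $selected = @($Policies | Where-Object {
        $_.platforms -eq $Platform -and
        (-not $RequireAssignment -or @($_.assignments).Count -gt 0)
    })
    if ($selected.Count -eq 0) {
        return [pscustomobject]@{ Result = $false; Reason = "No $Platform policies selected"; Details = @() }
    }
    $details = @(foreach ($policy in $selected) {
        $value = Get-PolicySettingValue -Policy $policy -SettingDefinitionId $SettingDefinitionId
        [pscustomobject]@{
            Policy    = $policy.name
            Value     = $value
            Compliant = ($null -ne $value -and $value -in $ExpectedValues)
        }
    })
    $failing = @($details | Where-Object { -not $_.Compliant })
    $result = switch ($ComplianceLogic) {
        'AllPolicies' { $failing.Count -eq 0 }
        'AnyPolicy'   { $failing.Count -lt $details.Count }
    }
    $reason = if ($result) { "$ComplianceLogic satisfied across $($details.Count) policies" }
              else { "Non-compliant: $($failing.Policy -join ', ')" }
    [pscustomobject]@{ Result = $result; Reason = $reason; Details = $details }
}

# Constructed sample shaped like deviceManagement/configurationPolicies with
# settings and assignments expanded; not captured from any tenant.
$rtm = 'device_vendor_msft_policy_config_defender_allowrealtimemonitoring'
$samplePolicies = @(
    [pscustomobject]@{
        name = 'AV baseline - all workstations'; platforms = 'windows10'
        assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.allDevicesAssignmentTarget' } })
        settings = @(@{ settingInstance = @{ settingDefinitionId = $rtm; choiceSettingValue = @{ value = "${rtm}_1" } } })
    },
    [pscustomobject]@{
        name = 'AV exceptions - lab devices'; platforms = 'windows10'
        assignments = @(@{ target = @{ '@odata.type' = '#microsoft.graph.groupAssignmentTarget'; groupId = '11111111-1111-1111-1111-111111111111' } })
        settings = @(@{ settingInstance = @{ settingDefinitionId = $rtm; choiceSettingValue = @{ value = "${rtm}_0" } } })
    },
    [pscustomobject]@{
        name = 'Draft policy (unassigned)'; platforms = 'windows10'; assignments = @()
        settings = @(@{ settingInstance = @{ settingDefinitionId = $rtm; choiceSettingValue = @{ value = "${rtm}_0" } } })
    }
)

# Default logic: the assigned lab policy turns real-time monitoring off, so the
# check fails and names that policy; the unassigned draft is filtered out.
$strict = Test-DefenderAvSetting -Policies $samplePolicies -SettingDefinitionId $rtm -ExpectedValues '1'
$strict.Details | Format-Table -AutoSize
"AllPolicies -> $($strict.Result): $($strict.Reason)"

# Relaxed logic passes because the baseline complies, even though devices in the
# lab group are left without real-time protection; that gap is why strict is default.
$lenient = Test-DefenderAvSetting -Policies $samplePolicies -SettingDefinitionId $rtm -ExpectedValues '1' -ComplianceLogic AnyPolicy
"AnyPolicy   -> $($lenient.Result): $($lenient.Reason)"
```

In a Maester-style Pester file the `It` block would call the cmdlet with its defaults and pipe `.Result` to `Should -Be $true`, so an admin who sees a failure can open the cmdlet and read the filter and logic directly from its parameter list, which is the readability goal merill raises. The `Details` object is what a report UX could render per policy, and the parameter set with defaults is what a generated UI could be built from.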

@merill merill requested review from SamErde and removed request for a team April 13, 2026 07:21


Development

Successfully merging this pull request may close these issues.

DfE/M365D testing

5 participants