Network 25372: Global Secure Access (GSA) client is deployed on all managed endpoints #794
Pull request overview
This PR introduces a new assessment test (ID: 25372) to validate Global Secure Access (GSA) client deployment coverage across managed endpoints. The test evaluates whether organizations have adequately deployed the GSA client to their Intune-managed devices.
Changes:
- Adds PowerShell test script that queries GSA device usage and Intune managed device counts
- Implements assessment logic with configurable thresholds (90% pass, 70-90% investigate, <70% fail)
- Provides comprehensive documentation explaining security risks and remediation steps
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/powershell/tests/Test-Assessment.25372.ps1 | Implements the assessment test with data collection from GSA and Intune APIs, edge case handling for data inconsistencies, and markdown report generation |
| src/powershell/tests/Test-Assessment.25372.md | Provides security context, threat analysis, and platform-specific remediation guidance for deploying GSA clients |
alexandair
left a comment
@ashwinikarke Please, address my feedback.
| $gap = 'N/A' | ||
| $testResultMarkdown = "⚠️ Global Secure Access device count exceeds the Intune-managed device count. This indicates stale GSA device records, devices removed from Intune management, or data synchronization issues between systems. Review both data sources to reconcile counts.`n`n%TestResult%" | ||
| } | ||
| # Edge case: No devices at all (both = 0) - Fail per spec |
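Review bot: The trailing comment `# Edge case: No devices at all (both = 0) - Fail per spec` writes the verdict into the comment itself, where it can drift from the spec without any test noticing. Describe only the condition there (both counts are zero) and let the status assignment inside the branch carry the verdict, so a spec change touches one place. With both counts at zero there is also no denominator for a coverage percentage, so it is worth confirming that this branch is reached before anything divides by the Intune count.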
I think the spec says it differently:
Investigate (No Data): No Intune-managed devices or Global Secure Access-connected devices were detected during the evaluation period. This may indicate that the organization is using a different device management solution and/or an alternative SASE or network security platform, or that these services are not currently in scope for this environment. As a result, deployment coverage for the Global Secure Access client cannot be evaluated.
If I understand it correctly, that's "Investigate" not "Fail".
@alexandair Thanks for pointing this out. I believe this comment was based on the older version of the spec. Thomas has since updated the spec, and it should be Investigate, not Fail.
I’m not sure how this was missed earlier, apologies for that. I’ve updated the details and raised a new PR with the corrected spec.
Here’s the PR for the updated spec: https://github.com/microsoft/ztspecs/pull/211
Created New PR #844
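The verdict logic discussed in this thread, as an added example that is not the PR's own code: the thresholds come from the review overview and the zero-device outcome follows the updated spec quoted above. The function name, parameter names, the boundary handling (exactly 90% passes, exactly 70% is Investigate) and the Investigate status for the "GSA exceeds Intune" case are assumptions.

```powershell
# Added example, not code from the PR. Get-GsaCoverageVerdict and its parameters are hypothetical.
function Get-GsaCoverageVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateRange(0, [int]::MaxValue)][int]$GsaDeviceCount,
        [Parameter(Mandatory)][ValidateRange(0, [int]::MaxValue)][int]$IntuneDeviceCount,
        [double]$PassThreshold = 90,
        [double]$InvestigateThreshold = 70
    )
    $coverage = $null   # stays null whenever a percentage would be meaningless
    $gap = 'N/A'

    if ($GsaDeviceCount -eq 0 -and $IntuneDeviceCount -eq 0) {
        # No data on either side: Investigate per the updated spec.
        # Checked first so the percentage below never divides by zero.
        $status = 'Investigate'
        $reason = 'No Intune-managed or GSA-connected devices detected; coverage cannot be evaluated'
    }
    elseif ($GsaDeviceCount -gt $IntuneDeviceCount) {
        # Inconsistent sources; this also catches Intune = 0 with GSA > 0.
        # Assumption: surfaced as Investigate (the visible hunk only shows the warning text).
        $status = 'Investigate'
        $reason = 'GSA device count exceeds the Intune-managed device count'
    }
    else {
        # Compare on the unrounded ratio so 89.96% is not rounded up into a Pass.
        $ratio = 100 * $GsaDeviceCount / $IntuneDeviceCount
        $coverage = [math]::Round($ratio, 1)
        $gap = $IntuneDeviceCount - $GsaDeviceCount
        $status = if ($ratio -ge $PassThreshold) { 'Pass' }
                  elseif ($ratio -ge $InvestigateThreshold) { 'Investigate' }
                  else { 'Fail' }
        $reason = "$GsaDeviceCount of $IntuneDeviceCount managed devices run the GSA client"
    }
    [pscustomobject]@{
        Status = $status; CoveragePercent = $coverage; Gap = $gap; Reason = $reason
    }
}

# Constructed sample counts (GSA, Intune), not real tenant data.
@( @(0, 0), @(950, 1000), @(800, 1000), @(400, 1000), @(120, 100) ) | ForEach-Object {
    Get-GsaCoverageVerdict -GsaDeviceCount $_[0] -IntuneDeviceCount $_[1]
} | Format-Table Status, CoveragePercent, Gap, Reason -AutoSize
```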