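<#
.SYNOPSIS
    Prints a plain-text inventory of the local machine: firmware type, hypervisor
    state, disks/partitions/volumes, network adapters and IP configuration,
    BitLocker status, and platform-security features (VBS, HVCI, TPM 2.0,
    Secure Boot, boot DMA protection).

.NOTES
    Output goes to stdout as a series of "### ... ###" sections.
    Much of the data comes from bcdedit, BitLocker and the TPM/DeviceGuard CIM
    classes; the script does not check for elevation, so an unprivileged run
    may produce partial sections.
    The BitLocker section prints each protected volume's RecoveryPassword in
    clear text, so whatever captures this report (log file, transcript, ticket)
    holds the recovery key and must be access-restricted accordingly.
    The hardware-security helpers are copied from Windows Admin Center (v2).
#>

# ---------------------------------------------------------------------------
# Data collection
# ---------------------------------------------------------------------------
$firmware   = (Get-ComputerInfo).BiosFirmwareType
# Select-String returns $null when bcdedit prints nothing (e.g. it failed).
$bootinfo   = bcdedit /enum | Select-String "hypervisorlaunchtype"
# 'chcp 437' switches the console code page before systeminfo runs, presumably so
# the English "A hypervisor has been detected" line below matches; localized
# Windows builds may still emit translated text — TODO confirm.
# '> nul' discards chcp's output via the Windows null device; the original
# '> null' created a stray file named "null" in the working directory instead.
$sysinfo    = & cmd /c "chcp 437 > nul && systeminfo " | Out-String
$pdisk      = Get-PhysicalDisk
$partition  = Get-Partition
$volume     = Get-Volume
$netadapter = Get-NetAdapter | Select-Object Name, ifIndex, Status, MacAddress
$ipconf     = Get-NetIPConfiguration

# Get-BitLockerVolume may be absent on this SKU; the section is skipped then.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $bvolumes = Get-BitLockerVolume |
        Select-Object VolumeType, MountPoint, CapacityGB, VolumeStatus, KeyProtector, ProtectionStatus
} else {
    $bvolumes = $null
}

# ---------------------------------------------------------------------------
# Report: system, storage, network, BitLocker
# ---------------------------------------------------------------------------
Write-Output "### COMPUTERNAME ###"
Write-Output ""
$env:COMPUTERNAME
Write-Output ""

Write-Output "### Firmware Type ###"
Write-Output ""
$firmware
Write-Output ""

Write-Output "### Hypervisor Info. ###"
Write-Output ""
# -match against $null (no bcdedit hit) is $false, so the "-" branch is taken.
if ($bootinfo -match "auto") {
    Write-Output "hypervisorlaunchtype (bcd): Auto"
} elseif ($bootinfo -match "off") {
    Write-Output "hypervisorlaunchtype (bcd): Off"
} else {
    Write-Output "hypervisorlaunchtype (bcd): -"
}
if ($sysinfo -match "A hypervisor has been detected") {
    Write-Output "Hypervisor: Detected"
} else {
    Write-Output "Hypervisor: Not Detected"
}
Write-Output ""

Write-Output "### Physical Disk Info. ###"
$pdisk | Format-Table -AutoSize
Write-Output ""

Write-Output "### Partition Info. ###"
$partition | Format-Table -AutoSize
Write-Output ""

Write-Output "### Volume Info. ###"
$volume | Format-Table -AutoSize
Write-Output ""

Write-Output "### Network Adapter Info. ###"
$netadapter | Format-Table -AutoSize
Write-Output ""

Write-Output "### IP Configuration Info. ###"
$ipconf | Format-List
Write-Output ""

Write-Output "### BitLocker Info. ###"
# $bvolumes is $null when the cmdlet is missing; foreach over $null runs zero times.
foreach ($bvolume in $bvolumes) {
    # Only volumes with protection turned on are listed (-eq is case-insensitive).
    if ($bvolume.ProtectionStatus -eq "on") {
        $bvolume | Format-Table -AutoSize
        # RecoveryPassword is the volume's clear-text recovery key; see .NOTES above.
        $bvolume.KeyProtector | Select-Object KeyProtectorType, RecoveryPassword
    }
}
Write-Output ""

Write-Output "### Hardware Security Info. ###"
Write-Output ""

### copy from WAC (v2) ###

# TPM version check: $true when a Win32_Tpm instance exists and the first
# character of its SpecVersion is "2" (presumably the major version of a
# "2.0, ..." style string — verify against the CIM class if in doubt).
function CheckTpmVersion {
    $TpmObj = Get-CimInstance -ClassName Win32_Tpm -Namespace root\cimv2\Security\MicrosoftTpm
    if ($null -ne $TpmObj) {
        return $TpmObj.SpecVersion[0] -eq "2"
    }
    return $false
}

<#
 Check whether VBS is enabled and running.
   0. VBS is not enabled.
   1. VBS is enabled but not running.
   2. VBS is enabled and running.
 Returns $null when the Win32_DeviceGuard class is unavailable, in which case
 the switch below prints nothing for VBS.
#>
function CheckVBS {
    return (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).VirtualizationBasedSecurityStatus
}

<#
 Device Guard check used for HVCI and System Guard.
 $_val is one of the SecurityServicesRunning values:
   0. No services running.
   1. If present, Windows Defender Credential Guard is running.
   2. If present, HVCI is running.
   3. If present, System Guard Secure Launch is running.
   4. If present, SMM Firmware Measurement is running.
 Returns $true when $_val appears in the list, $false otherwise (including
 when the class is unavailable, since -in against $null is $false).
#>
function CheckDGSecurityServicesRunning($_val) {
    $DGObj = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    # -in replaces the original index loop; it needs no bounds handling.
    return ($_val -in $DGObj.SecurityServicesRunning)
}

<#
 Indicates whether the Windows Defender Credential Guard or HVCI service has
 been configured. $_val is one of the SecurityServicesConfigured values:
   0. No services configured.
   1. If present, Windows Defender Credential Guard is configured.
   2. If present, HVCI is configured.
   3. If present, System Guard Secure Launch is configured.
   4. If present, SMM Firmware Measurement is configured.
 (Not called by this script; kept for parity with the WAC source.)
#>
function CheckDGSecurityServicesConfigured($_val) {
    $DGObj = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    return ($_val -in $DGObj.SecurityServicesConfigured)
}

# Boot DMA protection check: queries NtQuerySystemInformation with information
# class 202 (SystemDmaGuardPolicyInformation) and returns the single byte it
# yields, or 0 when the call fails. The report treats any non-zero byte as ON.
$bootDMAProtectionCheck = @"
namespace SystemInfo
{
    using System;
    using System.Runtime.InteropServices;

    public static class NativeMethods
    {
        internal enum SYSTEM_DMA_GUARD_POLICY_INFORMATION : int
        {
            SystemDmaGuardPolicyInformation = 202
        }

        [DllImport("ntdll.dll")]
        internal static extern Int32 NtQuerySystemInformation(
            SYSTEM_DMA_GUARD_POLICY_INFORMATION SystemDmaGuardPolicyInformation,
            IntPtr SystemInformation,
            Int32 SystemInformationLength,
            out Int32 ReturnLength);

        // Returns the one-byte policy value, or 0 if NtQuerySystemInformation
        // does not return STATUS_SUCCESS (0).
        public static byte BootDmaCheck()
        {
            Int32 result;
            Int32 SystemInformationLength = 1;
            IntPtr SystemInformation = Marshal.AllocHGlobal(SystemInformationLength);
            Int32 ReturnLength;
            try
            {
                result = NativeMethods.NtQuerySystemInformation(
                    NativeMethods.SYSTEM_DMA_GUARD_POLICY_INFORMATION.SystemDmaGuardPolicyInformation,
                    SystemInformation,
                    SystemInformationLength,
                    out ReturnLength);
                if (result == 0)
                {
                    return Marshal.ReadByte(SystemInformation, 0);
                }
                return 0;
            }
            finally
            {
                // The unmanaged buffer was never released in the original.
                Marshal.FreeHGlobal(SystemInformation);
            }
        }
    }
}
"@
# Add-Type throws if the type already exists (re-running in the same session),
# so compile it only once per session.
if (-not ('SystemInfo.NativeMethods' -as [type])) {
    Add-Type -TypeDefinition $bootDMAProtectionCheck
}

# Secure Boot check: $true only when Confirm-SecureBootUEFI exists and reports
# Secure Boot as enabled; any failure is reported as $false.
function checkSecureBoot {
    if ($null -ne (Get-Command Confirm-SecureBootUEFI -ErrorAction SilentlyContinue)) {
        <#
         For devices that Standard hardware security is not supported, this
         means that the device does not meet at least one of the requirements
         of standard hardware security. This causes the Confirm-SecureBootUEFI
         command to fail with the error:
           Cmdlet not supported on this platform: 0xC0000002
         -ErrorAction Stop makes that failure a terminating error so the catch
         below actually sees it instead of an unhandled error being written.
        #>
        try {
            return Confirm-SecureBootUEFI -ErrorAction Stop
        } catch {
            return $false
        }
    }
    return $false
}

### copy from WAC (v2) ###

# ---------------------------------------------------------------------------
# Report: platform security
# ---------------------------------------------------------------------------
switch (CheckVBS) {
    0 { Write-Output "VBS (Virualization-Based Security): Disabled" }
    1 { Write-Output "VBS (Virualization-Based Security): ON (not running)" }
    2 { Write-Output "VBS (Virualization-Based Security): ON" }
}

$osBuildNumber = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$osVersion22H2 = 20349
# NOTE(review): for builds up to $osVersion22H2 HVCI is derived from service
# value 3 (documented above as System Guard Secure Launch) rather than 2. This
# is kept exactly as in the WAC original; confirm the threshold and mapping.
if ($osBuildNumber -le $osVersion22H2) {
    if (CheckDGSecurityServicesRunning 3) {
        Write-Output "HVCI (Hypervisor-Protected Code Integrity): ON (Secure Launch)"
    } else {
        Write-Output "HVCI (Hypervisor-Protected Code Integrity): OFF"
    }
} else {
    if (CheckDGSecurityServicesRunning 2) {
        Write-Output "HVCI (Hypervisor-Protected Code Integrity): ON"
    } else {
        Write-Output "HVCI (Hypervisor-Protected Code Integrity): OFF"
    }
}

# CheckTpmVersion already returns a boolean. The original 'CheckTpmVersion -eq 2'
# passed "-eq" and 2 as stray positional arguments that the function ignored.
if (CheckTpmVersion) {
    Write-Output "TPM (Trusted Platform Module) 2.0: ON"
} else {
    Write-Output "TPM (Trusted Platform Module) 2.0: Not Supported"
}

if (checkSecureBoot) {
    Write-Output "Secure Boot: ON"
} else {
    Write-Output "Secure Boot: OFF"
}

if ([SystemInfo.NativeMethods]::BootDmaCheck() -ne 0) {
    Write-Output "boot DMA Protection: ON"
} else {
    Write-Output "boot DMA Protection: Not Supported"
}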