From 9af0d442bd74d3e85e0261bf90c50bc34e17d6ab Mon Sep 17 00:00:00 2001
From: David Paulson
Date: Wed, 1 Nov 2023 15:49:56 -0500
Subject: [PATCH] Improve Credential Guard Running Check
---
 ...ke-AnalyzerFrequentConfigurationIssues.ps1 | 15 ++++++-
 .../Get-OperatingSystemInformation.ps1 | 42 +++++++++++++------
 ...thCheckerTest.CommonMocks.NotPublished.ps1 | 2 +
 3 files changed, 45 insertions(+), 14 deletions(-)
diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerFrequentConfigurationIssues.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerFrequentConfigurationIssues.ps1
index 16685eafd9..d68f5345e8 100644
--- a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerFrequentConfigurationIssues.ps1
+++ b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerFrequentConfigurationIssues.ps1
@@ -107,7 +107,15 @@ function Invoke-AnalyzerFrequentConfigurationIssues {
 }
 Add-AnalyzedResultInformation @params
- $displayValue = $credentialGuardValue = $osInformation.RegistryValues.CredentialGuard -ne 0
+ $credGuardRunning = $false
+ $credGuardUnknown = $osInformation.CredentialGuardCimInstance -eq "Unknown"
+
+ if (-not ($credGuardUnknown)) {
+ # CredentialGuardCimInstance is an array type and not sure if we can have multiple here, so just going to loop thru and handle it this way.
+ $credGuardRunning = $null -ne ($osInformation.CredentialGuardCimInstance | Where-Object { $_ -ne 0 })
+ }
+
+ $displayValue = $credentialGuardValue = $osInformation.RegistryValues.CredentialGuard -ne 0 -or $credGuardRunning
 $displayWriteType = "Grey"
 if ($credentialGuardValue) {
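Review bot: `Where-Object { $_ -ne 0 }` marks Credential Guard as running whenever any Device Guard service is listed, but `Win32_DeviceGuard.SecurityServicesRunning` enumerates several services (1 is Credential Guard; 2 is HVCI, and higher values are other services), so a host running only HVCI would be reported as having Credential Guard enabled and would get the performance warning. Filter on the Credential Guard value instead: `$credGuardRunning = $null -ne ($osInformation.CredentialGuardCimInstance | Where-Object { $_ -eq 1 })`. Separately, when CredentialGuardCimInstance is an array, `-eq "Unknown"` returns a filtered array rather than a boolean, so `$credGuardUnknown` is usually an empty array; the `-not` here and the `-and` in the next hunk only work through empty-array coercion, which `$credGuardUnknown = [bool]($osInformation.CredentialGuardCimInstance -eq "Unknown")` would make explicit. The comment above the filter says "loop thru" but the line is a pipeline filter; `# SecurityServicesRunning is an array of running service ids; treat any match as running` would describe it more accurately. The enclosing function continues outside the hunk.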
@@ -115,6 +123,11 @@ function Invoke-AnalyzerFrequentConfigurationIssues {
 $displayWriteType = "Red"
 }
+ if ($credGuardUnknown -and (-not ($credentialGuardValue))) {
+ $displayValue = "Unknown `r`n`t`tWarning: Unable to determine Credential Guard status. If enabled, this can cause a performance hit on the server."
+ $displayWriteType = "Yellow"
+ }
+
 $params = $baseParams + @{
 Name = "Credential Guard Enabled"
 Details = $displayValue
diff --git a/Diagnostics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemInformation.ps1 b/Diagnostics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemInformation.ps1
index 60686263f7..841d55d527 100644
--- a/Diagnostics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemInformation.ps1
+++ b/Diagnostics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemInformation.ps1
@@ -44,6 +44,21 @@ function Get-OperatingSystemInformation {
 Invoke-CatchActions
 }
+ $credentialGuardCimInstance = $false
+ try {
+ $params = @{
+ ClassName = "Win32_DeviceGuard"
+ Namespace = "root\Microsoft\Windows\DeviceGuard"
+ ErrorAction = "Stop"
+ ComputerName = $Server
+ }
+ $credentialGuardCimInstance = (Get-CimInstance @params).SecurityServicesRunning
+ } catch {
+ Write-Verbose "Failed to run Get-CimInstance for Win32_DeviceGuard"
+ Invoke-CatchActions
+ $credentialGuardCimInstance = "Unknown"
+ }
+
 $serverPendingReboot = (Get-ServerRebootPending -ServerName $Server -CatchActionFunction ${Function:Invoke-CatchActions})
 $timeZoneInformation = Get-TimeZoneInformation -MachineName $Server -CatchActionFunction ${Function:Invoke-CatchActions}
 $tlsSettings = Get-AllTlsSettings -MachineName $Server -CatchActionFunction ${Function:Invoke-CatchActions}
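Review bot: The new condition wraps its operands in two layers of redundant parentheses; `if ($credGuardUnknown -and -not $credentialGuardValue) {` reads the same and matches the bare `if ($credentialGuardValue) {` just above in the previous hunk. A one-line comment stating the intent would also help the next reader, since the branch deliberately stays silent when the registry value already says enabled: `# Only report Unknown when neither the registry nor CIM confirmed Credential Guard`. The enclosing function continues outside the hunk.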
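Review bot: A successful `Get-CimInstance` call that returns no instance is not treated as unknown: `(Get-CimInstance @params).SecurityServicesRunning` on a `$null` result is `$null`, which the analyzer then reads as "not running" rather than "Unknown", and the same field ends up as `$false`, an array, or the string "Unknown" depending on the path taken (the initial `$false` is never observed, since both the try and the catch assign it). I would normalize at this collection boundary so the consumer does not depend on PowerShell's array-comparison coercion: `$deviceGuard = Get-CimInstance @params`, `if ($null -eq $deviceGuard) { throw "No Win32_DeviceGuard instance returned" }`, `$credentialGuardCimInstance = [array]$deviceGuard.SecurityServicesRunning`, with the catch still setting "Unknown". The same mixed type is what the next hunk surfaces on the returned object as `CredentialGuardCimInstance`, next to `VcRedistributable`, which is already cast with `[array]`. The `Write-Verbose` in the catch drops the exception text; unless Invoke-CatchActions records it, `Write-Verbose "Failed to run Get-CimInstance for Win32_DeviceGuard: $($_.Exception.Message)"` would make the diagnostics log useful when the DeviceGuard namespace is absent on an older OS.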
@@ -54,19 +69,20 @@ function Get-OperatingSystemInformation {
 } end {
 Write-Verbose "Exiting: $($MyInvocation.MyCommand)"
 return [PSCustomObject]@{
- BuildInformation = $buildInformation
- NetworkInformation = $networkInformation
- PowerPlan = $powerPlan
- PageFile = $pageFile
- ServerPendingReboot = $serverPendingReboot
- TimeZone = $timeZoneInformation
- TLSSettings = $tlsSettings
- ServerBootUp = $serverBootUp
- VcRedistributable = [array]$vcRedistributable
- RegistryValues = $registryValues
- Smb1ServerSettings = $smb1ServerSettings
- HotFixes = $hotFixes
- NETFramework = $netFrameworkInformation
+ BuildInformation = $buildInformation
+ NetworkInformation = $networkInformation
+ PowerPlan = $powerPlan
+ PageFile = $pageFile
+ ServerPendingReboot = $serverPendingReboot
+ TimeZone = $timeZoneInformation
+ TLSSettings = $tlsSettings
+ ServerBootUp = $serverBootUp
+ VcRedistributable = [array]$vcRedistributable
+ RegistryValues = $registryValues
+ Smb1ServerSettings = $smb1ServerSettings
+ HotFixes = $hotFixes
+ NETFramework = $netFrameworkInformation
+ CredentialGuardCimInstance = $credentialGuardCimInstance
 }
 }
 }
diff --git a/Diagnostics/HealthChecker/Tests/HealthCheckerTest.CommonMocks.NotPublished.ps1 b/Diagnostics/HealthChecker/Tests/HealthCheckerTest.CommonMocks.NotPublished.ps1
index fc9762b45b..c0d295ed9a 100644
--- a/Diagnostics/HealthChecker/Tests/HealthCheckerTest.CommonMocks.NotPublished.ps1
+++ b/Diagnostics/HealthChecker/Tests/HealthCheckerTest.CommonMocks.NotPublished.ps1
@@ -34,6 +34,8 @@ Mock Invoke-ScriptBlockHandler -ParameterFilter { $ScriptBlockDescription -eq "G
 # Handle IIS collection of files
 Mock Invoke-ScriptBlockHandler -ParameterFilter { $ScriptBlockDescription -eq "Getting applicationHost.config" } -MockWith { return Get-Content "$Script:MockDataCollectionRoot\Exchange\IIS\applicationHost.config" -Raw }
+Mock Get-CimInstance -ParameterFilter { $ClassName -eq "Win32_DeviceGuard" } -MockWith { return [PSCustomObject]@{ SecurityServicesRunning = @(0 , 0) } }
+
 # WebAdministration
 function Get-WebSite { param($Name) }
 Mock Get-WebSite -ParameterFilter { $null -eq $Name } -MockWith { return Import-Clixml "$Script:MockDataCollectionRoot\Exchange\IIS\GetWebSite.xml" }
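Review bot: The shared mock only exercises the "no services running" path; the two new branches this commit adds, the Unknown result when `Get-CimInstance` throws and the running result when the array contains a Credential Guard entry, get no coverage from `SecurityServicesRunning = @(0 , 0)`. A test-local override such as `Mock Get-CimInstance -ParameterFilter { $ClassName -eq "Win32_DeviceGuard" } -MockWith { throw "constructed: CIM query failed" }` and one returning `@(1)` would pin both the Yellow "Unknown" output and the enabled output. As far as I know a real instance with nothing running reports a single 0, so `@(0)` would be a more faithful fixture, though the duplicated zero is harmless.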