Hello Guys,

Long story short, we are going to deploy BitLocker to our environment and below are the prerequisites that need to be pulled before we can start testing.

  1. TPM Version

  2. BIOS / EFI Mode

  3. Secure Boot

I am able to pull TPM using a one-liner:

wmic /namespace:\\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value

and for Bios, bcdedit

Can you please help me with a script so I can run it for multiple machines.

Thank you very much!


What have you tried? Where are you stuck?

You can use e.g. 'Invoke-Command' if WinRM is set up right to get all that info.

$ErrorActionPreference = "SilentlyContinue"
$Computers = Get-Content c:\powershell\ComputerList.txt
Foreach ($Computer in $Computers)
{
    if (!(Test-Connection -Cn $Computer -BufferSize 16 -Count 1 -ea 0 -Quiet))
    { Write-Host "cannot reach $Computer" -f Red }
    Else {
        # Remote registry read (the Remote Registry service must be running on the target)
        $RegBase = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $Reg = $RegBase.OpenSubKey('System\CurrentControlSet\Control\SecureBoot\State')

        # The key only exists on UEFI machines; on those, UEFISecureBootEnabled is 1 (on) or 0 (off),
        # so check the value rather than just whether the key exists
        if (!$Reg -or $Reg.GetValue('UEFISecureBootEnabled') -ne 1)
        {
            Write-Host "Secure Boot not enabled on $Computer"
        }
        else
        {
            Write-Host "Secure Boot is enabled on $Computer" -f Green
        }
    }
}

I have tried this, it will let us know if Secure Boot is enabled or not. But I need TPM, BIOS / EFI and Secure Boot in one script

Yes, you can add all those into one script, e.g. with Invoke-Command.
Basically you need the code to get the info you need locally, then you just invoke it on the remote machines.

If you post code, please use the insert code button. Please and thank you.

$computers = Get-Content c:\powershell\ComputerList.txt
$TPM = Get-WmiObject -class Win32_Tpm -namespace root\CIMV2\Security\MicrosoftTpm -Computername $Computers   
foreach ($machine in $computers) 
{
invoke-command -ComputerName $machine -ScriptBlock
 {
$TPM.PSComputerName
$TPM.PhysicalPresenceVersionInfo
 }
}
Export-csv "c:\folder\file.csv" -NoTypeInformation

Hello Neally,

I tried Invoke command, can you please help correct above script

WMIC is NOT PowerShell - it was released long before Monad came about - nearly 20 years ago.

Instead of:

wmic /namespace:\\root\CIMV2\Security\MicrosoftTpm path Win32_Tpm get /value

Try

Get-CimInstance -ClassName Win32_Tpm -Namespace root\CIMV2\Security\MicrosoftTpm

although on my system, that does not generate anything…


Yes, WMIC is not PowerShell, we run it in the command prompt.

Please do yourself, your company, and all future employers a big favour, move to PowerShell. You do NOT NEED cmd.exe on any supported version of Windows. Windows PowerShell, or better PowerShell 7.x, is available and much preferable. Everything you could do in CMD is available in PowerShell. CMD and WMIC are over twenty years old, they are tools that were feature complete and superseded a very long time ago.

Get-WmiObject has been deprecated and replaced with Get-CimInstance, which is much more efficient, but you don't need it to check TPM. You can use the built-in PowerShell command Get-Tpm.

For example:

$computers = Get-Content c:\powershell\ComputerList.txt
$results = foreach ($machine in $computers) {
    Invoke-Command -ComputerName $machine -ScriptBlock {
        $TPM = Get-Tpm
        [PSCustomObject]@{
            # $using: passes the local loop variable into the remote session
            ComputerName = $using:machine
            TpmPresent   = $TPM.TpmPresent
            TpmReady     = $TPM.TpmReady
            TpmEnabled   = $TPM.TpmEnabled
            TpmActivated = $TPM.TpmActivated
        }
    }
}
$results | Export-Csv "c:\folder\file.csv" -NoTypeInformation
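Extending the Get-Tpm approach in the reply above to all three items on the original checklist (TPM, BIOS/UEFI mode, Secure Boot), as an added example that is not code from any reply in this thread. It assumes PowerShell Remoting (WinRM) is enabled on the targets, that the caller is a local administrator there (Get-Tpm and Confirm-SecureBootUEFI both need elevation), and that the input list and output path are placeholders to be replaced.

```powershell
# Added example, not code from any reply in this thread. Assumes PowerShell Remoting (WinRM)
# is enabled on the targets and that the caller is a local administrator there (Get-Tpm and
# Confirm-SecureBootUEFI both need elevation). The input list and output path are placeholders.

$computers = Get-Content 'C:\powershell\ComputerList.txt'

# Everything in this script block runs on the remote machine, so it only uses cmdlets that
# work locally there and returns one object per machine. Local variables are not visible
# inside it unless passed with $using:, which is why the block reads $env:COMPUTERNAME.
$collect = {
    # TPM: Get-Tpm gives the readiness flags; Win32_Tpm.SpecVersion gives "1.2" or "2.0"
    # (the part BitLocker policy cares about) followed by revision numbers.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmWmi = Get-CimInstance -Namespace root\CIMV2\Security\MicrosoftTpm -ClassName Win32_Tpm `
                  -ErrorAction SilentlyContinue

    # Firmware mode: Windows sets this environment variable to 'UEFI' or 'Legacy'.
    $firmware = $env:firmware_type

    # Secure Boot: Confirm-SecureBootUEFI returns True/False on UEFI machines and throws on
    # legacy BIOS, so distinguish "not supported" from "turned off".
    try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $secureBoot = 'NotSupported' }

    [PSCustomObject]@{
        ComputerName = $env:COMPUTERNAME
        FirmwareType = $firmware
        SecureBoot   = $secureBoot
        TpmPresent   = [bool]$tpm.TpmPresent      # $false when Get-Tpm returned nothing
        TpmReady     = [bool]$tpm.TpmReady
        TpmEnabled   = [bool]$tpm.TpmEnabled
        TpmActivated = [bool]$tpm.TpmActivated
        TpmSpec      = $tpmWmi.SpecVersion        # e.g. "2.0, 0, 1.38", or $null without a TPM
    }
}

# Passing the whole list to -ComputerName fans the work out in parallel; machines that cannot
# be reached are collected in $failed instead of stopping the run.
$results = Invoke-Command -ComputerName $computers -ScriptBlock $collect `
               -ErrorAction SilentlyContinue -ErrorVariable failed

foreach ($err in $failed) {
    Write-Warning $err.Exception.Message    # the remoting error message names the host
}

$results |
    Select-Object ComputerName, FirmwareType, SecureBoot, TpmPresent, TpmReady, TpmEnabled,
                  TpmActivated, TpmSpec |
    Export-Csv 'C:\folder\bitlocker-prereqs.csv' -NoTypeInformation

# Machines that do not meet the checklist from the original post (UEFI, Secure Boot on, TPM ready).
$results |
    Where-Object { $_.FirmwareType -ne 'UEFI' -or $_.SecureBoot -ne $true -or -not $_.TpmReady } |
    Format-Table ComputerName, FirmwareType, SecureBoot, TpmPresent, TpmReady, TpmSpec -AutoSize
```

The script block deliberately does not reference any variable from the calling session, which is the mistake in the earlier attempts in this thread: whatever the block needs it either computes on the remote side or receives via $using:. Treating a thrown Confirm-SecureBootUEFI as "NotSupported" matters for the report, because a legacy-BIOS machine and a UEFI machine with Secure Boot switched off need different remediation before BitLocker is rolled out.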

The command that sets $TPM gets the whole list from -ComputerName at the same time. It looks like you want to run that ForEach over them all. The ForEach won’t have access to $TPM in the way you seem to want. No need for Invoke-Command in this case.

Also, you don’t send anything to Export-CSV.

I don’t have your WMI class installed, but I suspect this

Get-WmiObject -Class Win32_Tpm -Namespace root\CIMV2\Security\MicrosoftTpm -ComputerName $Computers |
ForEach-Object {
     $_.PSComputerName
     $_.PhysicalPresenceVersionInfo
}  # End, for each computer

will get you what you want, assuming those 2 Properties are members of $TPM. PhysicalPresenceVersionInfo may not be a Default Property, so you'd need to add "-Property PhysicalPresenceVersionInfo" to the GWMI, if the previous test doesn't show it to you.

If it does, what do you get from

Get-WmiObject -Class Win32_Tpm -Namespace root\CIMV2\Security\MicrosoftTpm -ComputerName $Computers |
 Sort-Object PSComputerName |
 Format-Table PSComputerName, PhysicalPresenceVersionInfo -AutoSize

?
If that gets you what you want, instead of Sort… etc. just pipe the GWMI to Select-Object PSComputerName, PhysicalPresenceVersionInfo and pipe that to Export-CSV “filename.csv” -NoTypeInformation
Did that get you a little further down the path?


Thank you very much. It was very helpful
