Skip to content
/ WHfBChecks Public

A group of PowerShell scripts to check that your environment is ready for Windows Hello for Business - Hybrid Key Trust

License

MIT license
24 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

onpremcloudguy/WHfBChecks

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits
.github/workflows
.github/workflows
 
 
WHFBCHECKS
WHFBCHECKS
 
 
docs
docs
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build.ps1
build.ps1
 
 

Repository files navigation

Open in Visual Studio Code

WHfBChecks

A group of PowerShell scripts to check that your environment is ready for Windows Hello for Business - Hybrid Key Trust

Needs to have the RSAT Active Directory tools enabled. The MSOnline module needs to be installed on the computer running the script. WinRM needs to be enabled on all servers you plan to target, otherwise run locally.

  • Get-WHFBADSyncVersion: This will return the version of AAD Connect that you have installed.
  • Get-WHFBADSyncAccount: This will return the user account AAD Connect uses to sync to Active Directory.
  • Get-WHFBADSyncAccountGroups: This will return the Group Membership for the AAD Connect AD Sync account (should be a member of Key Admins group).
  • Get-WHFBADSchema: This will return the Active Directory Schema.
  • Get-WHFBADKeyAdmins: This will check if the Key Admins group exists in AD (gets created when the FSMO roles land on a 2016 domain controller).
  • Get-WHFBADSyncNGCSync: This will check to see if the NGC object is syncing to the MS-KeyCredentialLink property.
  • Get-WHFBADSyncNGCProp: This will check to see if the AAD Connect Schema supports syncing NGC to MS-KeyCredentialLink.
  • Get-WHFBADDCs: This will return all Domain Controllers in the domain, limited to include only name, IP, OS version, FSMO, enabled, and if the DC is supported.
  • Get-WHFBCA: This will return all CA's registered into Active Directory.
  • Get-WHFBADDCCerts: This will return Certs from the DC's that allow for KDC auth.
  • Get-WHFBCASettings: This will return the settings for the CA, including KeySize, provider, and associated settings.
  • Get-WHFBCertCRLDP: This will return the CRL DP from certificate to allow for validation.
  • Get-WHFBADFunctionalLevel: This will return the AD Functional Level for both domain and forest.
  • Test-WHFB: This will test all of the functions in your environment.
  • Get-WHFBAADCCurrentVersion: This will query MS Docs to get the AAD Connect Versions.
  • Get-WHFBAADConnectSettings: This will return the AAD Connect settings from AAD.
  • Get-WHFBADCertTR: This will return the Trusted Root certificate of a certificate.
  • Get-WHFBCertHasPrivateKey: This will check if the certificate has a private key.
  • Get-WHFBCertKey: This will return the Certificate Signing Key details.
  • Get-WHFBCertSAN: This will return the Certificate Subject Alternate Names.
  • Get-WHFBCertTemplate: This will return the Certificate template details.
  • Get-WHFBADConfig: This will return the FQDN and NetBios names for the domain.
  • Get-WHFBCACRLValid: This will query if the CRL is valid.
  • Get-WHFBCACertTemplate: This will return the KDC Certificate Template from AD.

About

A group of PowerShell scripts to check that your environment is ready for Windows Hello for Business - Hybrid Key Trust

Resources

Readme

License

MIT license
Activity

Stars

24 stars

Watchers

2 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 8

Languages