
Secure Boot and TPM Readiness


<#
.SYNOPSIS
    Check Secure Boot and TPM settings on remote servers.
.DESCRIPTION
    This script checks the Secure Boot and TPM settings on a list of remote servers.
.EXAMPLE
    Check-SecureBootTPM.ps1
.EXAMPLE
    Check-SecureBootTPM.ps1 -ServerList "C:\Servers.txt" -OutputFile "C:\SecureBootTPMStatus.txt"
.INPUTS
    The script does not take any inputs directly, but you can modify the variables at the beginning of the script to change the server list and output file path.
    - ServerList: The path to the text file containing the list of server names or IP addresses.
    - OutputFile: The path to the text file where the results will be saved.
.OUTPUTS
    The script outputs the Secure Boot and TPM status of each server to a specified text file.
.NOTES
    Ensure you have the necessary permissions to access the remote servers and retrieve Secure Boot and TPM information.
    Run this script with administrative privileges. Be mindful of servers in disparate domains, networks, etc., as authentication issues may arise.
#>


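# Script parameters. The defaults are the paths the script previously had
# hard-coded, so running it with no arguments behaves as before; the
# -ServerList / -OutputFile switches shown in the help's second example
# now actually exist.
param(
    # Path to a text file with one server name or IP address per line.
    [string]$ServerList = "C:\yourserverlist.txt",

    # Path to the text file that receives one result line per server.
    [string]$OutputFile = "C:\youroutputfile.txt"
)

# Load the server list. -ErrorAction Stop makes a missing or unreadable list
# file a terminating error instead of silently producing an empty run that
# still ends with "Results written". Blank/whitespace-only lines are dropped.
$Servers = Get-Content -Path $ServerList -ErrorAction Stop |
    Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
    ForEach-Object { $_.Trim() }

# Clear the output file if it already exists (a missing file is not an error).
Clear-Content -Path $OutputFile -ErrorAction SilentlyContinue

foreach ($Server in $Servers) {
    Write-Host "`n===== Checking $Server ====="

    try {
        # A single remoting session per server collects both facts (one
        # authentication round-trip instead of two). -ErrorAction Stop turns a
        # failed connection or authentication into a terminating error so it
        # reaches the catch block and is recorded as an error, rather than being
        # suppressed and misreported as "Unknown" / "Not Found" — a false
        # readiness result is worse than a visible failure.
        $facts = Invoke-Command -ComputerName $Server -ErrorAction Stop -ScriptBlock {
            # Confirm-SecureBootUEFI throws on legacy-BIOS / non-UEFI systems.
            # Map that to $null so it is reported as "Unknown/Not Supported"
            # instead of aborting the whole check for this server.
            $sb = $null
            try { $sb = Confirm-SecureBootUEFI } catch { $sb = $null }

            # Get-CimInstance is the supported replacement for Get-WmiObject;
            # the Win32_Tpm property names used below are unchanged.
            $tpm = Get-CimInstance -Namespace "Root\CIMv2\Security\MicrosoftTpm" -ClassName Win32_Tpm -ErrorAction SilentlyContinue

            $present   = ($null -ne $tpm)
            $enabled   = ($present -and $tpm.IsEnabled_InitialValue -eq $true)
            $activated = ($present -and $tpm.IsActivated_InitialValue -eq $true)
            $spec      = $null
            if ($present) { $spec = $tpm.SpecVersion }

            # Returned as a plain object so it deserializes cleanly on the caller.
            [pscustomobject]@{
                SecureBoot     = $sb
                TpmPresent     = $present
                TpmEnabled     = $enabled
                TpmActivated   = $activated
                TpmSpecVersion = $spec
            }
        }

        if ($facts.SecureBoot -eq $true) {
            $secureBootStatus = "Secure Boot: Enabled"
        } elseif ($facts.SecureBoot -eq $false) {
            $secureBootStatus = "Secure Boot: Disabled"
        } else {
            $secureBootStatus = "Secure Boot: Unknown/Not Supported"
        }

        if (-not $facts.TpmPresent) {
            $tpmStatus = "TPM: Not Found"
        } elseif ($facts.TpmEnabled -and $facts.TpmActivated) {
            $tpmStatus = "TPM: Present, Enabled, Activated"
        } elseif ($facts.TpmEnabled) {
            $tpmStatus = "TPM: Present, Enabled, Not Activated"
        } else {
            $tpmStatus = "TPM: Present, Not Enabled"
        }

        # SpecVersion distinguishes TPM 1.2 from 2.0, which is the usual
        # readiness question; appended only when the TPM reported one.
        if (-not [string]::IsNullOrWhiteSpace($facts.TpmSpecVersion)) {
            $tpmStatus += " (Spec $($facts.TpmSpecVersion))"
        }

        # Write results to file and echo them to the console
        $result = "Server: $Server | $secureBootStatus | $tpmStatus"
        Add-Content -Path $OutputFile -Value $result
        Write-Host $result
    }
    catch {
        # Record the reason, so a remoting/authentication failure is not
        # mistaken for a server that genuinely lacks Secure Boot or a TPM.
        $errorMsg = "Server: $Server | Error: $($_.Exception.Message)"
        Add-Content -Path $OutputFile -Value $errorMsg
        Write-Host $errorMsg
    }
}

Write-Host "`n✅ Results written to $OutputFile"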