whfbchecks's Introduction

WHfBChecks

A group of PowerShell scripts to check that your environment is ready for Windows Hello for Business - Hybrid Key Trust.

The RSAT Active Directory tools (the ActiveDirectory PowerShell module) must be installed on the machine running the scripts, along with the MSOnline module. WinRM must be enabled on every server you plan to target remotely; otherwise run the scripts locally on each server.

  • Get-WHFBADSyncVersion: Returns the version of AAD Connect that is installed.
  • Get-WHFBADSyncAccount: Returns the user account AAD Connect uses to sync with Active Directory.
  • Get-WHFBADSyncAccountGroups: Returns the group membership of the AAD Connect AD sync account (it should be a member of the Key Admins group, which grants write access to msDS-KeyCredentialLink).
  • Get-WHFBADSchema: Returns the Active Directory schema information (the Windows Server 2016 schema, objectVersion 87, is the first that contains msDS-KeyCredentialLink).
  • Get-WHFBADKeyAdmins: Checks that the Key Admins group exists in AD (it is created once the PDC emulator FSMO role is held by a Windows Server 2016 or later domain controller).
  • Get-WHFBADSyncNGCSync: Checks whether the NGC (Next Generation Credential) key is syncing to the msDS-KeyCredentialLink attribute.
  • Get-WHFBADSyncNGCProp: Checks whether the AAD Connect schema supports syncing the NGC key to msDS-KeyCredentialLink.
  • Get-WHFBADDCs: Returns all domain controllers in the domain, limited to name, IP address, OS version, FSMO roles, enabled state, and whether the DC's OS is supported.
  • Get-WHFBCA: Returns all certification authorities registered in Active Directory.
  • Get-WHFBADDCCerts: Returns the certificates on the domain controllers that are valid for KDC authentication.
  • Get-WHFBCASettings: Returns the CA settings, including key size, provider, and related settings.
  • Get-WHFBCertCRLDP: Returns the CRL Distribution Point(s) from a certificate so its revocation status can be validated.
  • Get-WHFBADFunctionalLevel: Returns the functional level of both the domain and the forest.
  • Test-WHFB: Runs all of the checks above against your environment.
  • Get-WHFBAADCCurrentVersion: Queries Microsoft Docs for the current AAD Connect versions.
  • Get-WHFBAADConnectSettings: Returns the AAD Connect settings from Azure AD.
  • Get-WHFBADCertTR: Returns the trusted root certificate at the top of a certificate's chain.
  • Get-WHFBCertHasPrivateKey: Checks whether a certificate has a private key.
  • Get-WHFBCertKey: Returns the details of a certificate's signing key.
  • Get-WHFBCertSAN: Returns a certificate's Subject Alternative Names.
  • Get-WHFBCertTemplate: Returns the certificate template details.
  • Get-WHFBADConfig: Returns the FQDN and NetBIOS names for the domain.
  • Get-WHFBCACRLValid: Checks whether the CA's CRL is valid.
  • Get-WHFBCACertTemplate: Returns the KDC certificate template from AD.
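The Active Directory side of these checks (schema level, the msDS-KeyCredentialLink attribute, the Key Admins group and the sync account's membership in it, domain controller OS versions, functional levels) can be done in one pass with the ActiveDirectory module. The script below is an added example written for this page, not code from WHfBChecks; the function name Test-WhfbAdReadiness, the Add-Finding helper, and the assumption that the AAD Connect sync account is named MSOL_* (its default when AAD Connect creates it) are this example's own. It must be run in a domain-joined session with RSAT installed.

```powershell
# Added example (not part of WHfBChecks): AD readiness check for WHfB hybrid key trust.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory -ErrorAction Stop

function Test-WhfbAdReadiness {
    param(
        # sAMAccountName of the AAD Connect AD sync account. The default assumes the MSOL_*
        # name AAD Connect gives the account it creates itself (assumption of this example);
        # pass -SyncAccount explicitly if you use a custom account or have several MSOL_* users.
        [string]$SyncAccount = (Get-ADUser -Filter { SamAccountName -like 'MSOL_*' } |
                                 Select-Object -First 1 -ExpandProperty SamAccountName)
    )

    $rootDse  = Get-ADRootDSE
    $domain   = Get-ADDomain
    $forest   = Get-ADForest
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Schema: objectVersion 87 is the Windows Server 2016 schema, the first with msDS-KeyCredentialLink.
    $schemaNc      = $rootDse.schemaNamingContext
    $schemaVersion = (Get-ADObject -Identity $schemaNc -Properties objectVersion).objectVersion
    Add-Finding 'Schema version (87 = Windows Server 2016)' ($schemaVersion -ge 87) "objectVersion=$schemaVersion"

    $attr = Get-ADObject -SearchBase $schemaNc -Filter { lDAPDisplayName -eq 'msDS-KeyCredentialLink' }
    Add-Finding 'msDS-KeyCredentialLink attribute in schema' ([bool]$attr) $(if ($attr) { $attr.DistinguishedName } else { 'not found' })

    # Key Admins is the well-known group with RID 526 in every domain that has it.
    $keyAdminsSid = "$($domain.DomainSID.Value)-526"
    try {
        $keyAdmins = Get-ADGroup -Identity $keyAdminsSid -ErrorAction Stop
        Add-Finding 'Key Admins group exists' $true $keyAdmins.DistinguishedName
        if ($SyncAccount) {
            $members = Get-ADGroupMember -Identity $keyAdmins -Recursive | Select-Object -ExpandProperty SamAccountName
            Add-Finding "Sync account $SyncAccount in Key Admins" ($members -contains $SyncAccount) ('members: ' + ($members -join ', '))
        } else {
            Add-Finding 'AAD Connect sync account located' $false 'no MSOL_* user found; pass -SyncAccount'
        }
    } catch {
        Add-Finding 'Key Admins group exists' $false 'missing: the PDC emulator must be on a Windows Server 2016 or later DC'
    }

    # Domain controllers: key trust needs Windows Server 2016 or later DCs to issue the logon.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $year  = if ($dc.OperatingSystem -match 'Windows Server (\d{4})') { [int]$Matches[1] } else { 0 }
        $roles = if ($dc.OperationMasterRoles) { $dc.OperationMasterRoles -join ',' } else { '-' }
        Add-Finding "DC $($dc.HostName) on $($dc.OperatingSystem)" ($year -ge 2016) "IP=$($dc.IPv4Address) FSMO=$roles Enabled=$($dc.Enabled)"
    }

    Add-Finding 'Functional levels (informational)' $true "domain=$($domain.DomainMode) forest=$($forest.ForestMode)"
    $findings
}

Test-WhfbAdReadiness | Format-Table -AutoSize
```

Looking the group up by SID rather than by name means a renamed or localised "Key Admins" group is still found, and a missing group is reported with the reason the page gives for it (the PDC emulator is not yet on a 2016 or later DC). The OS check only parses the year out of the OperatingSystem string, so a DC whose OS name does not contain "Windows Server <year>" is flagged as unsupported and should be inspected by hand.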

whfbchecks's People

Contributors

stevenhosking-msft, onpremcloudguy, stevehosko, tabs-not-spaces, ajf8729, adamgrosstx, binntech, scobbercareys


whfbchecks's Issues

HTTP CRL is missing

I keep getting the error "CA KDC cert on Domain Controller ****** HTTP CRL is missing", although my certs are hosted with http and are reachable by my client computers.

What could be the cause to this issue?

MSOnline issue

Microsoft.IdentityModel.Clients.ActiveDirectory.dll was removed from MSOnline versions 1.1.183.80 and newer, so you will get an error that this file does not exist. Use version 1.1.183.66 to resolve this issue. Install it prior to running Test-WHFB. Use the command below to install the needed version rather than the most recent one.
Install-Module -Name MSOnline -RequiredVersion 1.1.183.66

CRL URL parsing not correct?

The CRL attribute on certs in my environment is in a format <URL> (<URL-encoded URL>). Looks like the script does not parse this correctly, and fails on download:

(screenshot of the download failure not reproduced here)

Is my CRL attribute in the wrong format or is this a script parsing problem?
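Both CRL issues above (an "HTTP CRL is missing" result even though the CRL is published over HTTP, and a distribution point rendered as "<URL> (<alternate URL>)" that fails to download) come down to how the CRL Distribution Points extension text is parsed and which of its URLs are actually tested, the ground covered by Get-WHFBCertCRLDP and Get-WHFBCACRLValid. The script below is an added example written for this page, not WHfBChecks code; the function names, the sample extension text (constructed, not captured from a real CA) and the contoso.local names are this example's own. The parser tolerates a second, parenthesised rendering after each URL and returns only the first form, and the download check accepts only a body that begins with the DER SEQUENCE tag every X.509 CRL starts with.

```powershell
# Added example (not part of WHfBChecks): extract CRL Distribution Points from KDC Authentication
# certificates and confirm each HTTP CRL downloads and is DER-encoded.

$KdcAuthEkuOid = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU
$CrlDpOid      = '2.5.29.31'         # CRL Distribution Points extension

function Get-CrlDpUrl {
    # Parse the text that X509Extension.Format($true) produces for a CRL DP extension.
    # Each entry is one "URL=" line. When Windows appends a second rendering in parentheses
    # ("URL=<url> (<alternate url>)"), only the first form is returned; spaces inside either
    # form do not cut the match short because the pattern is anchored to the end of the line.
    param([Parameter(Mandatory)][string]$FormattedExtension)

    $pattern = 'URL=(?<url>.+?)(?:\s+\(.+?\))?\s*$'
    foreach ($m in [regex]::Matches($FormattedExtension, $pattern, 'Multiline')) {
        $m.Groups['url'].Value
    }
}

function Test-HttpCrl {
    # Download one CRL over HTTP. A CRL is a DER SEQUENCE, so a valid body starts with 0x30;
    # an HTML error page or captive-portal response from the web server will not.
    param([Parameter(Mandatory)][string]$Url)

    $tmp    = [IO.Path]::GetTempFileName()
    $result = [ordered]@{ Url = $Url; Reachable = $false; LooksLikeDer = $false; Error = $null }
    try {
        # -OutFile keeps the body as raw bytes; Invoke-WebRequest throws on HTTP error codes.
        Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 -OutFile $tmp
        $bytes = [IO.File]::ReadAllBytes($tmp)
        $result.Reachable    = $true
        $result.LooksLikeDer = ($bytes.Length -gt 2 -and $bytes[0] -eq 0x30)
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
    [pscustomobject]$result
}

function Test-KdcCertCrl {
    # For every certificate in the store whose EKU includes KDC Authentication, list its CRL DPs
    # and test the HTTP ones. Run on a domain controller against the default store.
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        if (-not $eku -or -not (@($eku.EnhancedKeyUsages | ForEach-Object Value) -contains $KdcAuthEkuOid)) { continue }

        $cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $CrlDpOid }
        $urls = if ($cdp) { @(Get-CrlDpUrl -FormattedExtension $cdp.Format($true)) } else { @() }
        $http = @($urls | Where-Object { $_ -match '^https?://' })

        if ($http.Count -eq 0) {
            # Only LDAP (or no) distribution points: clients that cannot reach AD over LDAP,
            # such as Azure AD joined or off-network devices, cannot check revocation.
            [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Url = ($urls -join ' ; ')
                               Reachable = $false; LooksLikeDer = $false; Error = 'no HTTP CRL distribution point' }
            continue
        }
        foreach ($u in $http) {
            Test-HttpCrl -Url $u |
                Select-Object @{ n = 'Thumbprint'; e = { $cert.Thumbprint } }, Url, Reachable, LooksLikeDer, Error
        }
    }
}

# Constructed sample (not captured from a real CA) of the formatted extension text, including
# the "<URL> (<alternate URL>)" rendering of an LDAP distribution point.
$sample = @"
[1]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=ldap:///CN=Contoso-CA,CN=ca01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=contoso,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint (ldap:///CN=Contoso-CA,CN=ca01,CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=contoso,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint)
[2]CRL Distribution Point
     Distribution Point Name:
          Full Name:
               URL=http://pki.contoso.local/CertEnroll/Contoso-CA.crl
"@
Get-CrlDpUrl -FormattedExtension $sample   # two URLs; the LDAP entry loses its parenthesised form
Test-KdcCertCrl | Format-Table -AutoSize    # live check against the local machine store
```

Run against the sample, Get-CrlDpUrl returns the LDAP URL without its parenthesised duplicate and the HTTP URL unchanged; a parser that split on whitespace would return the LDAP entry twice and might truncate the first copy. When Test-KdcCertCrl reports "no HTTP CRL distribution point" for a certificate that you believe has one, run Get-CrlDpUrl on that certificate's extension text directly and compare the output with what certutil shows, since the parser, not the web server, is the first thing to rule out.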
