Forum Discussion
Get command status from Active Directory Domain machines
We need to get the status of a few commands from a domain environment of around 400 machines. All may be Windows 10 and Windows 11 machines. We need to run this activity a couple of times a day.
This may require a few PowerShell commands with admin credentials, or we may run this from GPO. But I don't know where we can save the status results from the machines.
(PowerShell script running is disabled via GPO, so we may need to run PowerShell commands directly.)
Command status results are required (Windows 10/11):
- Last Windows update status
- BitLocker installed and configured status
- Total Local Admin users
- LAPS is installed or not on the machine
4 Replies
Running the Script Remotely
PowerShell Remoting
If remoting is enabled on the target machines, you can execute this script from a central machine using:
Invoke-Command -ComputerName $computer -ScriptBlock {
    # Include the script here
} -Credential (Get-Credential)
Detailed Explanation:
- Windows Update Status: The script checks the installed hotfixes/updates using Win32_QuickFixEngineering. If needed, you can also query Get-HotFix or other methods for specific update details.
- BitLocker Status: The Get-BitLockerVolume cmdlet will give you information about the encryption status and method on the system drive (usually C:).
- Local Admin Users: The script checks the Administrators group using Get-LocalGroupMember and counts the number of members. You could further filter for specific users if needed.
- LAPS Installation Check: The script checks if LAPS is installed by verifying the presence of the Get-AdmPwdPassword cmdlet, which is part of the LAPS installation.
$results = @()

# Function to check the Last Windows Update status on a remote machine
function Get-LastWindowsUpdateStatus {
    param([string]$ComputerName)
    $updateStatus = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-WmiObject -Class "Win32_QuickFixEngineering" | Select-Object -Property Description, InstalledOn
    }
    return $updateStatus
}

# Function to check BitLocker Status on a remote machine
function Get-BitLockerStatus {
    param([string]$ComputerName)
    $bitLockerStatus = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-BitLockerVolume -MountPoint "C:" | Select-Object -Property VolumeStatus, EncryptionMethod
    }
    return $bitLockerStatus
}

# Function to get the total local admin users on a remote machine
function Get-LocalAdminUsers {
    param([string]$ComputerName)
    $adminGroup = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group "Administrators" | Select-Object -ExpandProperty Name
    }
    # @() keeps the count correct when the group has zero or one member
    return @($adminGroup).Count
}

# Function to check if LAPS is installed on a remote machine
function Get-LAPSStatus {
    param([string]$ComputerName)
    $lapsStatus = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        [bool](Get-Command -Name "Get-AdmPwdPassword" -ErrorAction SilentlyContinue)
    }
    if ($lapsStatus) {
        return "LAPS Installed"
    } else {
        return "LAPS Not Installed"
    }
}

# Iterate over each computer (list the computers in a text file or use a predefined list)
$computers = Get-Content "C:\computers.txt" # Text file with a list of computer names
foreach ($computer in $computers) {
    $status = [PSCustomObject]@{
        ComputerName = $computer
        LastWindowsUpdate = (Get-LastWindowsUpdateStatus -ComputerName $computer)
        BitLockerStatus = (Get-BitLockerStatus -ComputerName $computer)
        LocalAdminUsersCount = (Get-LocalAdminUsers -ComputerName $computer)
        LAPSStatus = (Get-LAPSStatus -ComputerName $computer)
    }
    $results += $status
}

# Output the results (to console or export to CSV)
$results | Format-Table -AutoSize
$results | Export-Csv -Path "C:\Reports\MachineStatusReport.csv" -NoTypeInformation
- Last Windows Update Status
- BitLocker Status (Installed and Configured)
- Total Local Admin Users
- LAPS (Local Administrator Password Solution) Installed Status
You can collect this information in multiple ways, but since you mentioned that PowerShell script execution is disabled via GPO, the approach will need to be adapted accordingly. One way to bypass that restriction is by using Group Policy (GPO) to run a scheduled task or to use PowerShell Remoting (if remoting is allowed) to run the script on the machines.
Approach Overview
- PowerShell Remoting: Enable PowerShell Remoting using Enable-PSRemoting on the machines and run the script via remoting from a central management machine.
- GPO for Scheduled Task: You can use Group Policy to create a scheduled task that runs the script at specific times. The output can be saved on a shared network folder or sent via email.
PowerShell Script to Gather Required Status
Below is a PowerShell script that can retrieve the status of the desired commands
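Added example (not the replier's script, which appears earlier on this page): the "# Include the script here" remoting stub filled in as one parallel Invoke-Command fan-out that returns a flat row per machine, writes a timestamped CSV to a share, and lists the machines that did not answer. The share path `\\fileserver\reports$`, the column names and the throttle value are assumptions.

```powershell
# Added example. $ReportShare is a hypothetical UNC path; C:\computers.txt is the list file used in the reply.
$ReportShare = '\\fileserver\reports$'
$computers   = Get-Content 'C:\computers.txt' | Where-Object { $_.Trim() }
$cred        = Get-Credential

# Runs on each target and returns one flat object, so every CSV column is a scalar.
$collect = {
    $hotfix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    try {
        # SID S-1-5-32-544 is the built-in Administrators group regardless of display language.
        $admins     = @(Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop)
        $adminCount = $admins.Count
    } catch {
        $admins = @(); $adminCount = $null   # enumeration failed: report blank, not 0
    }
    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        LastHotFixId        = $hotfix.HotFixID
        LastHotFixInstalled = $hotfix.InstalledOn
        BitLockerVolume     = [string]$bl.VolumeStatus
        BitLockerProtection = [string]$bl.ProtectionStatus
        LocalAdminCount     = $adminCount
        LocalAdmins         = $admins.Name -join ';'
        # Same test as the reply's Get-LAPSStatus function.
        LapsCmdletPresent   = [bool](Get-Command Get-AdmPwdPassword -ErrorAction SilentlyContinue)
    }
}

# One parallel fan-out; machines that are offline or refuse WinRM produce errors, not rows.
$icm = @{
    ComputerName  = $computers; Credential  = $cred; ScriptBlock = $collect
    ThrottleLimit = 32;         ErrorAction = 'SilentlyContinue'
}
$results = @(Invoke-Command @icm)

$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$results | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName |
    Export-Csv -Path (Join-Path $ReportShare "status-$stamp.csv") -NoTypeInformation

# PSComputerName echoes the name passed to -ComputerName, so the difference is the unreachable set.
$computers | Where-Object { $_ -notin $results.PSComputerName } |
    Set-Content -Path (Join-Path $ReportShare "unreachable-$stamp.txt")
```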