1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
| function Invoke-DeviceHealthCheck {
[CmdletBinding()]
param(
[ValidateSet('Basic','Full')]
[string]$ScanLevel = 'Basic'
)
$healthReport = [PSCustomObject]@{
Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
DeviceID = (Get-CimInstance -ClassName Win32_ComputerSystem).Name
Compliance = $true
SecurityScore = 100
Findings = @()
}
$checks = @(
{ Get-CimInstance -ClassName Win32_BIOS | Select-Object Version,ReleaseDate },
{ Get-WindowsUpdateLog -Last 7 | Where Status -ne 'Installed' },
{ Get-NetFirewallProfile | Where Enabled -eq $false }
)
if ($ScanLevel -eq 'Full') {
$checks += @(
{ Get-Service -Name WinDefend | Where Status -ne 'Running' },
{ Get-ChildItem 'C:\Temp' -Recurse -File | Where {$_.LastWriteTime -gt (Get-Date).AddDays(-1)} },
{ Get-LocalUser | Where PasswordNeverExpires -eq $true }
)
}
foreach ($check in $checks) {
try {
$result = & $check
if ($result) {
$healthReport.Findings += [PSCustomObject]@{
CheckName = $check.ToString().Split('{')[1].Trim()
Status = 'NonCompliant'
Details = $result | ConvertTo-Json -Compress
}
$healthReport.SecurityScore -= 10
$healthReport.Compliance = $false
}
}
catch {
Write-Warning "检查项执行失败: $_"
}
}
$healthReport | Export-Clixml -Path "$env:TEMP\DeviceHealthReport_$(Get-Date -Format yyyyMMdd).xml"
return $healthReport
}
|