function Invoke-DeviceHealthCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$DeviceName
    )

    $healthReport = [PSCustomObject]@{
        Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        Device = $DeviceName
        TPMEnabled = $false
        SecureBoot = $false
        AntivirusStatus = 'Unknown'
        ComplianceScore = 0
    }

    try {
        # 检查TPM状态
        $tpm = Get-Tpm -ErrorAction Stop
        $healthReport.TPMEnabled = $tpm.TpmPresent

        # 验证安全启动状态
        $healthReport.SecureBoot = Confirm-SecureBootUEFI

        # 获取反病毒状态
        $avStatus = Get-MpComputerStatus
        $healthReport.AntivirusStatus = $avStatus.AMServiceEnabled ? 'Active' : 'Inactive'

        # 计算合规分数
        $compliance = 0
        if($healthReport.TPMEnabled) { $compliance += 30 }
        if($healthReport.SecureBoot) { $compliance += 30 }
        if($healthReport.AntivirusStatus -eq 'Active') { $compliance += 40 }
        $healthReport.ComplianceScore = $compliance
    }
    catch {
        Write-Warning "设备健康检查失败: $_"
    }

    $healthReport | Export-Clixml -Path "$env:TEMP/DeviceHealth_$DeviceName.xml"
    return $healthReport
}

function Invoke-DeviceHealthCheck {
    param(
        [string[]]$ComputerNames = $env:COMPUTERNAME
    )

    $securityBaseline = @{
        SecureBootEnabled = $true
        TPMPresent = $true
        BitLockerStatus = 'FullyEncrypted'
        AntivirusStatus = 'Enabled'
        FirewallProfile = 'Domain'
    }

    $results = @()

    foreach ($computer in $ComputerNames) {
        try {
            $osInfo = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer
            $tpm = Get-CimInstance -ClassName Win32_Tpm -ComputerName $computer -ErrorAction Stop
            $bitlocker = Get-BitLockerVolume -MountPoint $osInfo.SystemDrive -ErrorAction Stop
            
            $healthStatus = [PSCustomObject]@{
                ComputerName = $computer
                LastBootTime = $osInfo.LastBootUpTime
                SecureBoot = [bool](Confirm-SecureBootUEFI)
                TPMVersion = $tpm.SpecVersion
                BitLockerProtection = $bitlocker.ProtectionStatus
                DefenderStatus = (Get-MpComputerStatus).AntivirusEnabled
                FirewallStatus = (Get-NetFirewallProfile -Name Domain).Enabled
                ComplianceScore = 0
            }

            # 计算合规分数
            $healthStatus.ComplianceScore = [math]::Round((
                ($healthStatus.SecureBoot -eq $securityBaseline.SecureBootEnabled) + 
                ($healthStatus.TPMVersion -match '2.0') + 
                ($healthStatus.BitLockerProtection -eq 'On') + 
                ($healthStatus.DefenderStatus -eq $true) + 
                ($healthStatus.FirewallStatus -eq $true)
            ) / 5 * 100, 2)

            $results += $healthStatus
        }
        catch {
            Write-Warning "$computer 健康检查失败: $_"
        }
    }

    $results | Format-Table -AutoSize
}

function Invoke-ServerlessHealthCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$ResourceGroup
    )

    # 获取函数应用运行环境信息
    $context = Get-AzContext
    $functions = Get-AzFunctionApp -ResourceGroupName $ResourceGroup

    $report = [PSCustomObject]@{
        Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        FunctionApps = @()
        SecurityFindings = @()
    }

    # 检查TLS版本配置
    $functions | ForEach-Object {
        $config = Get-AzFunctionAppSetting -Name $_.Name -ResourceGroupName $ResourceGroup
        
        $appReport = [PSCustomObject]@{
            AppName = $_.Name
            RuntimeVersion = $_.Config.NetFrameworkVersion
            HTTPSOnly = $_.Config.HttpsOnly
            MinTLSVersion = $config['minTlsVersion']
        }
        $report.FunctionApps += $appReport

        if ($appReport.MinTLSVersion -lt '1.2') {
            $report.SecurityFindings += [PSCustomObject]@{
                Severity = 'High'
                Description = "函数应用 $($_.Name) 使用不安全的TLS版本: $($appReport.MinTLSVersion)"
                Recommendation = '在应用设置中将minTlsVersion更新为1.2'
            }
        }
    }

    # 生成安全报告
    $report | Export-Clixml -Path "$env:TEMP/ServerlessSecurityReport_$(Get-Date -Format yyyyMMdd).xml"
    return $report
}

function Invoke-DeviceHealthCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$DeviceName,
        
        [ValidateSet('Basic','Full')]
        [string]$ScanMode = 'Basic'
    )

    $complianceReport = [PSCustomObject]@{
        Timestamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        DeviceName = $DeviceName
        EncryptionStatus = $null
        PatchLevel = $null
        FirewallRules = @()
        ComplianceScore = 0
    }

    try {
        # 验证BitLocker加密状态
        $encryptionStatus = Get-BitLockerVolume -MountPoint C: | 
            Select-Object -ExpandProperty EncryptionPercentage
        $complianceReport.EncryptionStatus = $encryptionStatus -ge 100 ? 'Compliant' : 'Non-Compliant'

        # 检查系统更新状态
        $updates = Get-HotFix | 
            Where-Object InstalledOn -lt (Get-Date).AddDays(-30)
        $complianceReport.PatchLevel = $updates.Count -eq 0 ? 'Current' : 'Outdated'

        # 审计防火墙规则（完整扫描模式）
        if ($ScanMode -eq 'Full') {
            $firewallRules = Get-NetFirewallRule |
                Where-Object Enabled -eq True |
                Select-Object DisplayName, Direction, Action
            $complianceReport.FirewallRules = $firewallRules
        }

        # 计算合规分数
        $score = 0
        if ($complianceReport.EncryptionStatus -eq 'Compliant') { $score += 40 }
        if ($complianceReport.PatchLevel -eq 'Current') { $score += 30 }
        if ($complianceReport.FirewallRules.Count -eq 0) { $score += 30 }
        $complianceReport.ComplianceScore = $score
    }
    catch {
        Write-Error "设备健康检查失败: $_"
    }

    # 生成零信任合规报告
    $complianceReport | Export-Clixml -Path "$env:TEMP/${DeviceName}_ComplianceReport_$(Get-Date -Format yyyyMMdd).xml"
    return $complianceReport
}