Automated Zero Trust Device Health Checks

function Get-DeviceCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$ComputerName
    )

    Write-Verbose "Collecting compliance data from $ComputerName"

    # Get-Tpm, Get-BitLockerVolume, Get-MpComputerStatus and Confirm-SecureBootUEFI have no
    # -ComputerName parameter and only inspect the local host, so run them on the target
    # through PowerShell remoting (WinRM must be enabled on the target)
    $remote = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        # Verify TPM status
        $tpmStatus = Get-Tpm -ErrorAction SilentlyContinue
        # Check BitLocker encryption status of the system drive
        $bitlocker = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        # Get antivirus (Microsoft Defender) status
        $avStatus = Get-MpComputerStatus -ErrorAction SilentlyContinue
        # Confirm-SecureBootUEFI returns a plain boolean (there is no .SecureBootEnabled
        # property) and throws on legacy-BIOS machines, so treat an error as "not enabled"
        $secureBoot = $false
        try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { }

        [PSCustomObject]@{
            TPMEnabled       = [bool]$tpmStatus.TpmPresent
            SecureBoot       = $secureBoot
            BitLockerStatus  = $bitlocker.VolumeStatus
            AntivirusEnabled = [bool]$avStatus.AMServiceEnabled
            LastUpdate       = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
        }
    }

    # Flatten the remoting result into one record per device (empty fields mean the
    # target could not be reached)
    [PSCustomObject]@{
        ComputerName     = $ComputerName
        TPMEnabled       = $remote.TPMEnabled
        SecureBoot       = $remote.SecureBoot
        BitLockerStatus  = $remote.BitLockerStatus
        AntivirusEnabled = $remote.AntivirusEnabled
        LastUpdate       = $remote.LastUpdate
    }
}

# Run the enterprise endpoint health check
$devices = 'PC001','PC002','PC003'
$report = $devices | ForEach-Object {
    Get-DeviceCompliance -ComputerName $_ -Verbose
}

# Generate the compliance report
$report | Export-Csv -Path "ZeroTrust_Compliance_Report_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

This script implements the following core Zero Trust checks:

  1. TPM chip enabled-state verification
  2. Secure Boot configuration
  3. BitLocker encryption status of the system drive
  4. Antivirus real-time protection status
  5. Date of the last system update

Suggested extensions:

  • Integrate with Azure AD Conditional Access policies
  • Add automatic remediation
  • Implement real-time monitoring and alerting
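The report above only collects facts; a Zero Trust policy point still has to turn each record into an access decision. The following added example (not part of the original post) does that for the records Get-DeviceCompliance emits, with a hard/soft split and a patch-age threshold that are assumed policy values, evaluated against constructed sample records so it runs without any target hosts.

```powershell
# Added example: evaluate Get-DeviceCompliance records against an assumed Zero Trust policy.
function Get-ZeroTrustDecision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [pscustomobject]$Device,
        [int]$MaxPatchAgeDays = 30   # assumed threshold, adjust to local policy
    )
    process {
        # Hard requirements: any failure denies access outright
        $hard = [ordered]@{
            'TPM present'            = [bool]$Device.TPMEnabled
            'Secure Boot enabled'    = [bool]$Device.SecureBoot
            'System drive encrypted' = ($Device.BitLockerStatus -eq 'FullyEncrypted')
        }
        # Soft requirements: failure downgrades to limited access instead of denying
        $patchAge = if ($Device.LastUpdate) {
            (New-TimeSpan -Start $Device.LastUpdate -End (Get-Date)).Days
        } else { [int]::MaxValue }   # no hotfix history at all counts as stale
        $soft = [ordered]@{
            'Antivirus service running'            = [bool]$Device.AntivirusEnabled
            "Patched within $MaxPatchAgeDays days" = ($patchAge -le $MaxPatchAgeDays)
        }
        $failedHard = @($hard.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
        $failedSoft = @($soft.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
        $decision = if ($failedHard) { 'Deny' } elseif ($failedSoft) { 'Limited' } else { 'Allow' }

        [PSCustomObject]@{
            ComputerName = $Device.ComputerName
            Decision     = $decision
            Reasons      = ($failedHard + $failedSoft) -join '; '
        }
    }
}

# Constructed sample records in the shape Get-DeviceCompliance produces (not real hosts)
$sample = @(
    [PSCustomObject]@{ ComputerName='PC001'; TPMEnabled=$true;  SecureBoot=$true;  BitLockerStatus='FullyEncrypted'; AntivirusEnabled=$true;  LastUpdate=(Get-Date).AddDays(-5) },
    [PSCustomObject]@{ ComputerName='PC002'; TPMEnabled=$true;  SecureBoot=$true;  BitLockerStatus='FullyEncrypted'; AntivirusEnabled=$false; LastUpdate=(Get-Date).AddDays(-45) },
    [PSCustomObject]@{ ComputerName='PC003'; TPMEnabled=$false; SecureBoot=$false; BitLockerStatus='FullyDecrypted'; AntivirusEnabled=$true;  LastUpdate=$null }
)
$sample | Get-ZeroTrustDecision | Format-Table -AutoSize
# Live use: $report | Get-ZeroTrustDecision
```

PC001 is allowed, PC002 is limited (Defender off, patches older than 30 days) and PC003 is denied on the hard requirements; the Reasons column is what you would forward to a Conditional Access or ticketing integration.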

PowerShell Skills Series - Device Health Checks for a Zero Trust Architecture

function Invoke-DeviceHealthCheck {
    [CmdletBinding()]
    param(
        [ValidateSet('Basic','Full')]
        [string]$ScanLevel = 'Basic'
    )

    $healthReport = [PSCustomObject]@{
        Timestamp     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        DeviceID      = (Get-CimInstance -ClassName Win32_ComputerSystem).Name
        Compliance    = $true
        SecurityScore = 100
        Findings      = @()
    }

    # Each check is a named script block; any output it produces is treated as a finding,
    # so a check must return nothing when the device is compliant
    # Basic checks
    $checks = [ordered]@{
        # Legacy BIOS firmware (no UEFI, hence no Secure Boot); report the firmware version
        'Firmware is UEFI' = { if ($env:firmware_type -ne 'UEFI') { Get-CimInstance -ClassName Win32_BIOS | Select-Object Version,ReleaseDate } }
        # Get-WindowsUpdateLog only merges ETL traces into a text file and has no -Last
        # parameter; ask the Windows Update Agent for updates not yet installed instead
        'No pending updates' = { (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher().Search('IsInstalled=0 and IsHidden=0').Updates | Select-Object Title }
        'All firewall profiles enabled' = { Get-NetFirewallProfile | Where-Object Enabled -eq $false }
    }

    if ($ScanLevel -eq 'Full') {
        $checks['Defender service running']  = { Get-Service -Name WinDefend | Where-Object Status -ne 'Running' }
        $checks['No recent files in C:\Temp'] = { Get-ChildItem 'C:\Temp' -Recurse -File -ErrorAction SilentlyContinue | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } }
        # Only enabled accounts matter; disabled built-ins would otherwise always trigger
        $checks['No non-expiring passwords']  = { Get-LocalUser | Where-Object { $_.Enabled -and $_.PasswordNeverExpires } }
    }

    foreach ($check in $checks.GetEnumerator()) {
        try {
            $result = & $check.Value
            if ($result) {
                $healthReport.Findings += [PSCustomObject]@{
                    CheckName = $check.Key
                    Status    = 'NonCompliant'
                    Details   = $result | ConvertTo-Json -Compress
                }
                $healthReport.SecurityScore -= 10
                $healthReport.Compliance = $false
            }
        }
        catch {
            Write-Warning "Check '$($check.Key)' failed to run: $_"
        }
    }

    $healthReport | Export-Clixml -Path "$env:TEMP\DeviceHealthReport_$(Get-Date -Format yyyyMMdd).xml"
    return $healthReport
}

Core features

  1. Multi-level device health scanning (Basic/Full modes)
  2. Real-time security posture scoring
  3. Automated compliance validation
  4. XML audit report generation

Typical use cases

  • Pre-admission compliance checks for corporate devices
  • Continuous device verification under a Zero Trust architecture
  • Security audits of remote-work endpoints
  • Rapid verification of security baselines