onpremcloudguy · StevenHosking-Msft · Jan 20, 2021
diff --git a/README.md b/README.md
@@ -3,6 +3,8 @@ A group of PowerShell scripts to check that your environment is ready for Window
 
 Needs to have the RSAT Active Directory tools enabled.
 The MSOnline module needs to be installed on the computer running the script.
+The WHfBTools Module needs to be installed on the computer running the script.
+The Invoke-CommandAs module needs to be installed on the computer running the script.
 WinRM needs to be enabled on all servers you plan to target, otherwise run locally.
 
 - Get-WHFBADSyncVersion:        This will return the version of AAD Connect that you have installed.

diff --git a/WHFBCHECKS/public/Get-WHFBADSyncNGCSync.ps1 b/WHFBCHECKS/public/Get-WHFBADSyncNGCSync.ps1
@@ -4,7 +4,7 @@ function Get-WHFBADSyncNGCSync {
         [Parameter()]
         [string]
         $Computername,
-        [Parameter(Mandatory=$false)]
+        [Parameter(Mandatory = $false)]
         [pscredential]
         $Creds
     )
@@ -19,11 +19,11 @@ function Get-WHFBADSyncNGCSync {
     $MSKeyCredSync = $false
     if ($PSBoundParameters.ContainsKey('Computername')) {
         $MSKeyCredSync = Invoke-CommandAs -ComputerName $Computername -ScriptBlock {
-            (Get-ADSyncRule | Where-Object {$_.AttributeFlowMappings.destination -eq "msDS-KeyCredentialLink" -and $_.disabled -eq $false}).count -gt 0
+            (Get-ADSyncRule | Where-Object { $_.AttributeFlowMappings.destination -eq "msDS-KeyCredentialLink" -and $_.disabled -eq $false }).count -gt 0
         } -Credential $cred -AsSystem
-    } else
-    {
-        $MSKeyCredSync = (Get-ADSyncRule | Where-Object {$_.AttributeFlowMappings.destination -eq "msDS-KeyCredentialLink" -and $_.disabled -eq $false}).count -gt 0
+    }
+    else {
+        $MSKeyCredSync = (Get-ADSyncRule | Where-Object { $_.AttributeFlowMappings.destination -eq "msDS-KeyCredentialLink" -and $_.disabled -eq $false }).count -gt 0
     }
     return $MSKeyCredSync
 }
diff --git a/WHFBCHECKS/public/Test-WHFBAADUser.ps1 b/WHFBCHECKS/public/Test-WHFBAADUser.ps1
@@ -0,0 +1,51 @@
+function Ge-WHFBAADUser {
+    param (
+        [string]
+        $UPN,
+        [string]
+        $sAMAccountName,
+        [string]
+        $DomainNetBiosName
+    )
+    if (!(get-module -ListAvailable MSOnline)) {
+        install-module MSOnline -scope CurrentUser
+    }
+    if (!(Get-Module -ListAvailable WHfBTools)) {
+        install-module WHfBTools -Scope CurrentUser
+    }
+    import-module MSOnline
+    $module = Get-Module MSOnline
+    add-type -path "$($module.ModuleBase)\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
+    $AuthSessions = [Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache]::DefaultShared.ReadItems()
+    $authed = $false
+    foreach ($AuthSession in $AuthSessions) {
+        if ($AuthSession.clientid -eq "1b730954-1685-4b74-9bfd-dac224a7b894") {
+            if ($AuthSession.expireson -gt (Get-Date)) {
+                $authed = $true
+            }
+        }
+    }
+    if (!$authed) {
+        Connect-MsolService
+        $AuthSessions = [Microsoft.IdentityModel.Clients.ActiveDirectory.TokenCache]::DefaultShared.ReadItems()
+    }
+    $auths = $AuthSessions | where-object { $_.ClientId -eq "1b730954-1685-4b74-9bfd-dac224a7b894" } | Select-Object -Last 1
+    $authHeader = @{
+        'Content-Type'  = 'application/json'
+        'Authorization' = $($Auths.AccessToken)
+        'ExpiresOn'     = $Auths.ExpiresOn
+    }
+    $gu = (Invoke-WebRequest -Method get -Uri "https://graph.microsoft.com/beta/users/$UPN" -Headers $authHeader -UseBasicParsing).content | ConvertFrom-Json
+    $devices = [System.Collections.ArrayList]::new()
+    if ((get-member -InputObject $gu).name -contains "devicekeys") {
+        foreach ($d in $GU.devicekeys) {
+            $device = Get-MsolDevice -DeviceId $d.deviceid
+            if ($device) {
+                $devices.add($device)
+            }
+        }
+    }
+    $aduser = Get-ADWHfBKeys -Domain $DomainNetBiosName -SamAccountName $sAMAccountName -skipcheckfororphanedkeys
+    Write-Output "ADUser:$($aduser.KeyDeviceID)`n`rKey:$($aduser.KeyMaterial)"
+    write-output "AADUser:$($GU.devicekeys.deviceid)`n`rKey:$($GU.devicekeys.keymaterial)"
+}
diff --git a/WHFBCHECKS/public/test-WHFB.ps1 b/WHFBCHECKS/public/test-WHFB.ps1
@@ -12,7 +12,7 @@ function Test-WHFB {
         $cred = Get-Credential
     }
     if (!(Get-Module -ListAvailable Invoke-CommandAs)) {
-        Write-Host "Installing Invoke-CommandAs module to ensure PowerShell Remote works for AAD Connect" -ForegroundColor Green
+        Write-FormattedHost -Message "Invoke-CommandAs module not installed, this ensures PowerShell Remote works for AAD Connect" -ResultState Fail -ResultMessage "Installing Invoke-CommandAs now"
         Install-Module Invoke-CommandAs -scope CurrentUser
     }
     #region AD
@@ -114,34 +114,35 @@ function Test-WHFB {
     }
     elseif ($ca.count -eq 1) {
         if ($ca.osver -lt 6.2) {
-            Write-Host "CA $($ca.name) is on an unsupported version of Windows, it needs to be at Windows Server 2012 or higher`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure" -ForegroundColor Red
+            Write-FormattedHost -Message "CA $($ca.name) version of Windows is $($ca.osver) which is:" -ResultState Fail -ResultMessage "Unsupported" -AdditionalInfo "More information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure"
         }
         else {
-            Write-Host "CA $($ca.name) is on a supported version of Windows Server" -ForegroundColor Green
+            Write-FormattedHost -Message "CA $($ca.name) version of Windows is $($ca.osver) which is:" -ResultState Pass -ResultMessage "Supported"
         }
     }
     elseif ($ca.count -gt 1) {
         foreach ($c in $ca) {
             if ($c.osver -lt 6.2) {
-                Write-Host "CA $($c.name) is on an unsupported version of Windows, it needs to be at Windows Server 2012 or higher`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure" -ForegroundColor Red
+                Write-FormattedHost -Message "CA $($ca.name) version of Windows is $($ca.osver) which is:" -ResultState Fail -ResultMessage "Unsupported" -AdditionalInfo "More information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure"
             }
             else {
-                Write-Host "CA $($c.name) is on a supported version of Windows Server" -ForegroundColor Green
+                Write-FormattedHost -Message "CA $($ca.name) version of Windows is $($ca.osver) which is:" -ResultState Pass -ResultMessage "Supported"
             }
         }
     }
     $CACertTemplate = Get-WHFBCACertTemplate
     if(!($CACertTemplate)) {
-        Write-Host "CA No KDC Certificate Template found`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure" -ForegroundColor Red
+        Write-FormattedHost -Message "CA KDC Certificate Template is:" -ResultState Fail -ResultMessage "Missing" -AdditionalInfo "More information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs#public-key-infrastructure"
     } else {
-        Write-Host "CA KDC Certificate Template named: `"$($CACertTemplate.displayName)`" exists." -ForegroundColor Green
+        Write-FormattedHost -Message "CA KDC Certificate Template is:" -ResultState Pass -ResultMessage $CACertTemplate.displayName
     }
     if ($dccerts.Count -eq 0) {
-        Write-Host "CA no KDC certificates found on the Domain Controllers`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base" -ForegroundColor Red
+        Write-FormattedHost -Message "CA KDC Certificate on Domain Controllers:" -ResultState Fail -ResultMessage "Missing" -AdditionalInfo "More information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base"
     }
     elseif ($DCCerts.count -eq 1) {
         $CertCRLDP = (Get-WHFBCertCRLDP -CertPath $DCCerts.PSPath -Computername $DCCerts.PSComputerName -Creds $cred).DistributionPoints | Where-Object { $_ -like '*http:*' }
         if (!($CertCRLDP)) {
+
             Write-Host "CA KDC cert on Domain Controller $($DCCerts.PSComputerName) does not include a HTTP CRL`n`rMore information here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base#configuring-a-crl-distribution-point-for-an-issuing-certificate-authority" -ForegroundColor Red
         }
         else {