原始发布日期: 2025 年 11 月 17 日
KB ID:5072718
安全启动清单数据收集脚本示例
复制并粘贴此示例脚本，并根据需要修改环境：示例安全启动清单数据收集脚本。请在目标设备上以管理员身份启动 PowerShell 后运行；脚本中标记为“管理员：可能是必需的”的项目在非提升会话中可能返回“不可用”。
Sample_Secure_Boot_Inventory_Data_Collection_script
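# 1. HostName
# PS version: all | Admin: no | System requirement: none
# Device name taken from the COMPUTERNAME environment variable. Falls back to
# "Unknown" (empty value) or "Error" (exception) so the output line is always printed.
try {
    $hostname = $env:COMPUTERNAME
    if ([string]::IsNullOrEmpty($hostname)) {
        Write-Warning "无法确定主机名"
        $hostname = "Unknown"
    }
    Write-Host "主机名: $hostname"
} catch {
    Write-Warning "检索主机名时出错: $_"
    $hostname = "Error"
    Write-Host "主机名: $hostname"
}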
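# 2. CollectionTime
# PS version: all | Admin: no | System requirement: none
# Timestamp of this collection run. Get-Date returns local time in the host's
# culture format; when correlating inventory from many devices, consider
# recording UTC (e.g. (Get-Date).ToUniversalTime()) instead.
try {
    $collectionTime = Get-Date
    if ($null -eq $collectionTime) {
        Write-Warning "无法检索当前日期/时间"
        $collectionTime = "Unknown"
    }
    Write-Host "收集时间:$collectionTime"
} catch {
    Write-Warning "检索日期/时间时出错: $_"
    $collectionTime = "Error"
    Write-Host "收集时间:$collectionTime"
}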
# Registry: Secure Boot Main Key (3 values)
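# 3. SecureBootEnabled
# PS version: 3.0+ | Admin: may be required | System requirement: UEFI / Secure Boot capable system
# Primary source is Confirm-SecureBootUEFI. Its catch block covers both "not a
# UEFI system" and "not running elevated" without distinguishing them; the
# registry fallback below reads the OS-maintained mirror of the firmware state.
# NOTE(review): treat the registry value as a weaker indicator than the cmdlet
# result — it is whatever Windows last recorded, not a live firmware query.
try {
    $secureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
    Write-Host "已启用安全启动:$secureBootEnabled"
} catch {
    Write-Warning "无法通过 cmdlet 确定安全启动状态: $_"
    # Registry fallback
    try {
        $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State" -Name UEFISecureBootEnabled -ErrorAction Stop
        $secureBootEnabled = [bool]$regValue.UEFISecureBootEnabled
        Write-Host "已启用安全启动:$secureBootEnabled"
    } catch {
        Write-Warning "无法通过注册表确定安全启动状态。 系统可能不支持 UEFI/安全启动。"
        $secureBootEnabled = $null
        Write-Host "已启用安全启动:不可用"
    }
}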
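# 4. HighConfidenceOptOut
# PS version: all | Admin: may be required | System requirement: none
# Reads the HighConfidenceOptOut value under the Secure Boot key; the raw value
# is printed as stored. A missing value or access failure yields $null / "不可用".
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name HighConfidenceOptOut -ErrorAction Stop
    $highConfidenceOptOut = $regValue.HighConfidenceOptOut
    Write-Host "高置信度选择退出:$highConfidenceOptOut"
} catch {
    Write-Warning "找不到或无法访问 HighConfidenceOptOut 注册表项"
    $highConfidenceOptOut = $null
    Write-Host "高置信度选择退出:不可用"
}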
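# 5. AvailableUpdates
# PS version: all | Admin: may be required | System requirement: none
# Reads AvailableUpdates and prints it in hexadecimal (the value is formatted
# with {0:X}, which presumes a numeric registry type). $availableUpdates keeps
# the raw value; $availableUpdatesHex holds the printed form.
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name AvailableUpdates -ErrorAction Stop
    $availableUpdates = $regValue.AvailableUpdates
    if ($null -ne $availableUpdates) {
        # Convert to hex format
        $availableUpdatesHex = "0x{0:X}" -f $availableUpdates
        Write-Host "可用汇报:$availableUpdatesHex"
    } else {
        Write-Host "可用汇报:不可用"
    }
} catch {
    Write-Warning "AvailableUpdates 注册表项未找到或无法访问"
    $availableUpdates = $null
    Write-Host "可用汇报:不可用"
}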
# Registry: Servicing Key (3 values)
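# 6. UEFICA2023Status
# PS version: all | Admin: may be required | System requirement: none
# Reads UEFICA2023Status from the Servicing subkey. The variable name must be a
# single token ($uefica2023Status) — a space in the name breaks both the
# assignment and the string interpolation below.
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -Name UEFICA2023Status -ErrorAction Stop
    $uefica2023Status = $regValue.UEFICA2023Status
    Write-Host "UEFI CA 2023 状态: $uefica2023Status"
} catch {
    Write-Warning "找不到或无法访问 UEFICA2023Status 注册表项"
    $uefica2023Status = $null
    Write-Host "UEFI CA 2023 状态:不可用"
}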
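# 7. UEFICA2023Capable
# PS version: all | Admin: may be required | System requirement: none
# Reads UEFICA2023Capable from the Servicing subkey and prints it as stored.
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -Name UEFICA2023Capable -ErrorAction Stop
    $uefica2023Capable = $regValue.UEFICA2023Capable
    Write-Host "UEFI CA 2023 支持:$uefica2023Capable"
} catch {
    Write-Warning "找不到或无法访问 UEFICA2023Capable 注册表项"
    $uefica2023Capable = $null
    Write-Host "UEFI CA 2023 支持:不可用"
}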
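# 8. UEFICA2023Error
# PS version: all | Admin: may be required | System requirement: none
# Reads UEFICA2023Error from the Servicing subkey and prints it as stored.
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -Name UEFICA2023Error -ErrorAction Stop
    $uefica2023Error = $regValue.UEFICA2023Error
    Write-Host "UEFI CA 2023 错误: $uefica2023Error"
} catch {
    Write-Warning "找不到或无法访问 UEFICA2023Error 注册表项"
    $uefica2023Error = $null
    Write-Host "UEFI CA 2023 错误:不可用"
}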
# Registry: Device Attributes (7 values)
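# 9. OEMManufacturerName
# PS version: all | Admin: may be required | System requirement: none
# Reads OEMManufacturerName from DeviceAttributes. An empty string becomes
# "Unknown"; a missing value or access failure becomes $null / "不可用".
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\DeviceAttributes" -Name OEMManufacturerName -ErrorAction Stop
    $oemManufacturerName = $regValue.OEMManufacturerName
    if ([string]::IsNullOrEmpty($oemManufacturerName)) {
        Write-Warning "OEMManufacturerName 为空"
        $oemManufacturerName = "Unknown"
    }
    Write-Host "OEM 制造商名称: $oemManufacturerName"
} catch {
    Write-Warning "找不到或无法访问 OEMManufacturerName 注册表项"
    $oemManufacturerName = $null
    Write-Host "OEM 制造商名称:不可用"
}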
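# 10. OEMModelSystemFamily
# PS version: all | Admin: may be required | System requirement: none
# Reads OEMModelSystemFamily from DeviceAttributes. Empty -> "Unknown";
# missing/inaccessible -> $null / "不可用".
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\DeviceAttributes" -Name OEMModelSystemFamily -ErrorAction Stop
    $oemModelSystemFamily = $regValue.OEMModelSystemFamily
    if ([string]::IsNullOrEmpty($oemModelSystemFamily)) {
        Write-Warning "OEMModelSystemFamily 为空"
        $oemModelSystemFamily = "Unknown"
    }
    Write-Host "OEM 模型系统系列:$oemModelSystemFamily"
} catch {
    Write-Warning "找不到或无法访问 OEMModelSystemFamily 注册表项"
    $oemModelSystemFamily = $null
    Write-Host "OEM 模型系统系列:不可用"
}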
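# 11. OEMModelNumber
# PS version: all | Admin: may be required | System requirement: none
# Reads OEMModelNumber from DeviceAttributes. Empty -> "Unknown";
# missing/inaccessible -> $null / "不可用".
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\DeviceAttributes" -Name OEMModelNumber -ErrorAction Stop
    $oemModelNumber = $regValue.OEMModelNumber
    if ([string]::IsNullOrEmpty($oemModelNumber)) {
        Write-Warning "OEMModelNumber 为空"
        $oemModelNumber = "Unknown"
    }
    Write-Host "OEM 型号:$oemModelNumber"
} catch {
    Write-Warning "找不到或无法访问 OEMModelNumber 注册表项"
    $oemModelNumber = $null
    Write-Host "OEM 型号:不可用"
}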
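# 12. FirmwareVersion
# PS version: all | Admin: may be required | System requirement: none
# Reads FirmwareVersion from DeviceAttributes. Empty -> "Unknown";
# missing/inaccessible -> $null / "不可用".
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\DeviceAttributes" -Name FirmwareVersion -ErrorAction Stop
    $firmwareVersion = $regValue.FirmwareVersion
    if ([string]::IsNullOrEmpty($firmwareVersion)) {
        Write-Warning "FirmwareVersion 为空"
        $firmwareVersion = "Unknown"
    }
    Write-Host "固件版本: $firmwareVersion"
} catch {
    Write-Warning "找不到或无法访问 FirmwareVersion 注册表项"
    $firmwareVersion = $null
    Write-Host "固件版本:不可用"
}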
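# 13. FirmwareReleaseDate
# PS version: all | Admin: may be required | System requirement: none
# Reads FirmwareReleaseDate from DeviceAttributes and prints it as stored
# (no date parsing is attempted). Empty -> "Unknown"; missing -> $null / "不可用".
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\DeviceAttributes" -Name FirmwareReleaseDate -ErrorAction Stop
    $firmwareReleaseDate = $regValue.FirmwareReleaseDate
    if ([string]::IsNullOrEmpty($firmwareReleaseDate)) {
        Write-Warning "FirmwareReleaseDate 为空"
        $firmwareReleaseDate = "Unknown"
    }
    Write-Host "固件发布日期:$firmwareReleaseDate"
} catch {
    Write-Warning "FirmwareReleaseDate 注册表项未找到或无法访问"
    $firmwareReleaseDate = $null
    Write-Host "固件发布日期:不可用"
}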
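# 14. OSArchitecture
# PS version: all | Admin: no | System requirement: none
# Primary source is the PROCESSOR_ARCHITECTURE environment variable, which
# describes the *current process*: a 32-bit PowerShell host on 64-bit Windows
# reports x86. Run from the native (64-bit) host, or compare against
# [Environment]::Is64BitOperatingSystem if that matters for your inventory.
# The registry value under DeviceAttributes is only consulted when the
# environment variable is empty.
try {
    $osArchitecture = $env:PROCESSOR_ARCHITECTURE
    if ([string]::IsNullOrEmpty($osArchitecture)) {
        # Registry fallback
        $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\DeviceAttributes" -Name OSArchitecture -ErrorAction Stop
        $osArchitecture = $regValue.OSArchitecture
    }
    if ([string]::IsNullOrEmpty($osArchitecture)) {
        Write-Warning "无法确定 OSArchitecture"
        $osArchitecture = "Unknown"
    }
    Write-Host "OS 体系结构:$osArchitecture"
} catch {
    Write-Warning "检索 OSArchitecture 时出错: $_"
    $osArchitecture = "Unknown"
    Write-Host "OS 体系结构:$osArchitecture"
}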
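# 15. CanAttemptUpdateAfter (FILETIME)
# PS version: all | Admin: may be required | System requirement: none
# Reads CanAttemptUpdateAfter from DeviceAttributes. Only an Int64 ([long])
# value — what a REG_QWORD reads back as — is converted; any other type is
# printed raw. [DateTime]::FromFileTime yields *local* time; use
# FromFileTimeUtc if the inventory should be timezone-independent.
try {
    $regValue = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\DeviceAttributes" -Name CanAttemptUpdateAfter -ErrorAction Stop
    $canAttemptUpdateAfter = $regValue.CanAttemptUpdateAfter
    # Convert FILETIME to DateTime when it is a valid 64-bit number
    if ($null -ne $canAttemptUpdateAfter -and $canAttemptUpdateAfter -is [long]) {
        try {
            $canAttemptUpdateAfter = [DateTime]::FromFileTime($canAttemptUpdateAfter)
        } catch {
            Write-Warning "无法将 CanAttemptUpdateAfter FILETIME 转换为 DateTime"
        }
    }
    Write-Host "可以尝试更新后:$canAttemptUpdateAfter"
} catch {
    Write-Warning "CanAttemptUpdateAfter 注册表项未找到或无法访问"
    $canAttemptUpdateAfter = $null
    Write-Host "可以尝试更新之后:不可用"
}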
# Event Logs: System Log (5 values)
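# 16-20. Event Log queries
# PS version: 3.0+ | Admin: may be required for the System log | System requirement: none
# Pulls the 20 most recent Secure Boot events (IDs 1801/1808) from the System
# log and derives five inventory values from them: the newest event's ID, the
# BucketId and BucketConfidenceLevel parsed from its message, and per-ID counts.
# Because of -MaxEvents 20, both counts are "within the newest 20 matching
# events", not lifetime totals.
try {
    $allEventIds = @(1801, 1808)
    try {
        $events = @(Get-WinEvent -FilterHashtable @{LogName='System';ID=$allEventIds} -MaxEvents 20 -ErrorAction Stop)
    } catch {
        # Get-WinEvent reports "no matching events" as an error. With -ErrorAction
        # Stop that would land in the outer catch and be mislabelled as an access
        # problem, so treat that one case as an empty result (matched on the
        # locale-independent error ID) and let every other error propagate.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
            $events = @()
        } else {
            throw
        }
    }

    if ($events.Count -eq 0) {
        Write-Warning "系统日志中找不到安全启动事件 (1801/1808) "
        $latestEventId = $null
        $bucketId = $null
        $confidence = $null
        $event1801Count = 0
        $event1808Count = 0
        Write-Host "最新事件 ID: 不可用"
        Write-Host "存储桶 ID:不可用"
        Write-Host "置信度:不可用"
        Write-Host "事件 1801 计数: 0"
        Write-Host "事件 1808 计数: 0"
    } else {
        # 16. LatestEventId — newest by TimeCreated among the events returned
        $latestEvent = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
        if ($null -eq $latestEvent) {
            Write-Warning "无法确定最新事件"
            $latestEventId = $null
            Write-Host "最新事件 ID: 不可用"
        } else {
            $latestEventId = $latestEvent.Id
            Write-Host "最新事件 ID: $latestEventId"
        }

        # 17. BucketID - extracted from the latest 1801/1808 event message.
        # (.+) stops at end of line; .Trim() drops any trailing CR/whitespace.
        # Message is $null when the provider's message resources are unavailable.
        if ($null -ne $latestEvent -and $null -ne $latestEvent.Message) {
            if ($latestEvent.Message -match 'BucketId:\s*(.+)') {
                $bucketId = $matches[1].Trim()
                Write-Host "存储桶 ID: $bucketId"
            } else {
                Write-Warning "在事件消息中找不到 BucketId"
                $bucketId = $null
                Write-Host "存储桶 ID:在事件中找不到"
            }
        } else {
            Write-Warning "最新事件或消息为 null,无法提取 BucketId"
            $bucketId = $null
            Write-Host "存储桶 ID: 不可用"
        }

        # 18. Confidence - extracted from the same event message
        if ($null -ne $latestEvent -and $null -ne $latestEvent.Message) {
            if ($latestEvent.Message -match 'BucketConfidenceLevel:\s*(.+)') {
                $confidence = $matches[1].Trim()
                Write-Host "信心:$confidence"
            } else {
                Write-Warning "在事件消息中找不到置信度级别"
                $confidence = $null
                Write-Host "置信度:在事件中找不到"
            }
        } else {
            Write-Warning "最新事件或消息为 null,无法提取置信度"
            $confidence = $null
            Write-Host "置信度:不可用"
        }

        # 19. Event1801Count (within the newest 20 matching events)
        $event1801Array = @($events | Where-Object { $_.Id -eq 1801 })
        $event1801Count = $event1801Array.Count
        Write-Host "事件 1801 计数: $event1801Count"

        # 20. Event1808Count (within the newest 20 matching events)
        $event1808Array = @($events | Where-Object { $_.Id -eq 1808 })
        $event1808Count = $event1808Array.Count
        Write-Host "事件 1808 计数:$event1808Count"
    }
} catch {
    Write-Warning "检索事件日志时出错。 可能需要管理员权限:$_"
    $latestEventId = $null
    $bucketId = $null
    $confidence = $null
    $event1801Count = 0
    $event1808Count = 0
    Write-Host "最新事件 ID: 错误"
    Write-Host "存储桶 ID: 错误"
    Write-Host "置信度:错误"
    Write-Host "事件 1801 计数: 0"
    Write-Host "事件 1808 计数: 0"
}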
# WMI/CIM Queries (4 values)
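# 21. OSVersion
# PS version: 3.0+ (use Get-WmiObject on 2.0) | Admin: no | System requirement: none
# Win32_OperatingSystem.Version (e.g. major.minor.build). Note this does not
# include the update build revision (UBR); read
# HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\UBR if patch level matters.
try {
    $osInfo = Get-CimInstance Win32_OperatingSystem -ErrorAction Stop
    if ($null -eq $osInfo -or [string]::IsNullOrEmpty($osInfo.Version)) {
        Write-Warning "无法检索 OS 版本"
        $osVersion = "Unknown"
    } else {
        $osVersion = $osInfo.Version
    }
    Write-Host "OS 版本:$osVersion"
} catch {
    Write-Warning "检索 OS 版本时出错: $_"
    $osVersion = "Unknown"
    Write-Host "OS 版本:$osVersion"
}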
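# 22. LastBootTime
# PS version: 3.0+ (use Get-WmiObject on 2.0) | Admin: no | System requirement: none
# Win32_OperatingSystem.LastBootUpTime, as converted by Get-CimInstance
# (local DateTime). Queries the class again rather than reusing item 21's
# $osInfo so this snippet works standalone.
try {
    $osInfo = Get-CimInstance Win32_OperatingSystem -ErrorAction Stop
    if ($null -eq $osInfo -or $null -eq $osInfo.LastBootUpTime) {
        Write-Warning "无法检索上次启动时间"
        $lastBootTime = $null
        Write-Host "上次启动时间:不可用"
    } else {
        $lastBootTime = $osInfo.LastBootUpTime
        Write-Host "上次启动时间:$lastBootTime"
    }
} catch {
    Write-Warning "检索上次启动时间时出错: $_"
    $lastBootTime = $null
    Write-Host "上次启动时间:不可用"
}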
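# 23. BaseBoardManufacturer
# PS version: 3.0+ (use Get-WmiObject on 2.0) | Admin: no | System requirement: none
# Win32_BaseBoard.Manufacturer. Empty or failed lookup -> "Unknown".
try {
    $baseBoard = Get-CimInstance Win32_BaseBoard -ErrorAction Stop
    if ($null -eq $baseBoard -or [string]::IsNullOrEmpty($baseBoard.Manufacturer)) {
        Write-Warning "无法检索基板制造商"
        $baseBoardManufacturer = "Unknown"
    } else {
        $baseBoardManufacturer = $baseBoard.Manufacturer
    }
    Write-Host "基板制造商:$baseBoardManufacturer"
} catch {
    Write-Warning "检索基板制造商时出错: $_"
    $baseBoardManufacturer = "Unknown"
    Write-Host "基板制造商: $baseBoardManufacturer"
}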
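# 24. BaseBoardProduct
# PS version: 3.0+ (use Get-WmiObject on 2.0) | Admin: no | System requirement: none
# Win32_BaseBoard.Product. Empty or failed lookup -> "Unknown".
try {
    $baseBoard = Get-CimInstance Win32_BaseBoard -ErrorAction Stop
    if ($null -eq $baseBoard -or [string]::IsNullOrEmpty($baseBoard.Product)) {
        Write-Warning "无法检索基板产品"
        $baseBoardProduct = "Unknown"
    } else {
        $baseBoardProduct = $baseBoard.Product
    }
    Write-Host "基板产品: $baseBoardProduct"
} catch {
    Write-Warning "检索基板产品时出错: $_"
    $baseBoardProduct = "Unknown"
    Write-Host "基板产品: $baseBoardProduct"
}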