AuditGroups/RSSeverityTests.ps1

$RootPath = Split-Path $MyInvocation.MyCommand.Path -Parent
$RootPath = Split-Path $RootPath -Parent
. "$RootPath\Helpers\AuditGroupFunctions.ps1"
$windefrunning = CheckWindefRunning
. "$RootPath\Helpers\Firewall.ps1"
$domainRole = (Get-CimInstance -Class Win32_ComputerSystem).DomainRole
$listOfWeakCipherSuites = getListOfWeakCipherSuites
$listOfInsecureCipherSuites = getListOfInsecureCipherSuites
[AuditTest] @{
    Id   = "1.1.7"
    Task = "Ensure 'Store passwords using reversible encryption' is set to 'Disabled'"
    Test = {
        $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
        $setPolicy = $securityPolicy['System Access']["ClearTextPassword"]
        
        if ($null -eq $setPolicy) {
            return @{
                Message = "Currently not set."
                Status  = "False"
            }
        }
        $setPolicy = [long]$setPolicy
        
        if ($setPolicy -ne 0) {
            return @{
                Message = "'ClearTextPassword' currently set to: $setPolicy. Expected: 0"
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
if($domainRole -eq 3){
    [AuditTest] @{
        Id   = "2.2.38"
        Task = "Ensure 'Manage auditing and security log' is set to 'Administrators' (MS only)"
        Constraints = @(
            @{ "Property" = "DomainRole"; "Values" = "Member Server" }
        )
        Test = {
            $securityPolicy = Get-AuditResource "WindowsSecurityPolicy"
            $currentUserRights = $securityPolicy["Privilege Rights"]["SeSecurityPrivilege"]
            $identityAccounts = @(
                "S-1-5-32-544"
            ) | ConvertTo-NTAccountUser | Where-Object { $null -ne $_ }
            
            $unexpectedUsers = $currentUserRights.Account | Where-Object { $_ -notin $identityAccounts.Account }
            $missingUsers = $identityAccounts.Account | Where-Object { $_ -notin $currentUserRights.Account }
            
            if (($unexpectedUsers.Count -gt 0) -or ($missingUsers.Count -gt 0)) {
                $messages = @()
                if ($unexpectedUsers.Count -gt 0) {
                    $messages += "The user right 'SeSecurityPrivilege' contains following unexpected users: " + ($unexpectedUsers -join ", ")
                }
                if ($missingUsers.Count -gt 0) {
                    $messages += "The user 'SeSecurityPrivilege' setting does not contain the following users: " + ($missingUsers -join ", ")
                }
                $message = $messages -join [System.Environment]::NewLine
            
                return @{
                    Status  = "False"
                    Message = $message
                }
            }
            
            return @{
                Status  = "True"
                Message = "Compliant"
            }
        }
    }
}
if($domainRole -ge 4){
    [AuditTest] @{
        Id   = "2.3.5.2"
        Task = "Ensure 'Domain controller: LDAP server signing requirements' is set to 'Require signing' (DC only)"
        Constraints = @(
            @{ "Property" = "DomainRole"; "Values" = "Primary Domain Controller", "Backup Domain Controller" }
        )
        Test = {
            try {
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters" `
                    -Name "LDAPServerIntegrity" `
                | Select-Object -ExpandProperty "LDAPServerIntegrity"
            
                if ($regValue -ne 2) {
                    return @{
                        Message = "Registry value is '$regValue'. Expected: 2"
                        Status  = "False"
                    }
                }
            }
            catch [System.Management.Automation.PSArgumentException] {
                return @{
                    Message = "Registry value not found."
                    Status  = "False"
                }
            }
            catch [System.Management.Automation.ItemNotFoundException] {
                return @{
                    Message = "Registry key not found."
                    Status  = "False"
                }
            }
            
            return @{
                Message = "Compliant"
                Status  = "True"
            }
        }
    }
}
[AuditTest] @{
    Id   = "2.3.11.4"
    Task = "Ensure 'Network security: Configure encryption types allowed for Kerberos' is set to 'AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" `
                -Name "SupportedEncryptionTypes" `
            | Select-Object -ExpandProperty "SupportedEncryptionTypes"
        
            if (($regValue -ne 2147483644) -and ($regValue -ne 2147483640)) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: x == 2147483644 or x == 2147483640"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
[AuditTest] @{
    Id   = "2.3.11.5"
    Task = "Ensure 'Network security: Do not store LAN Manager hash value on next password change' is set to 'Enabled'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" `
                -Name "NoLMHash" `
            | Select-Object -ExpandProperty "NoLMHash"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
[AuditTest] @{
    Id   = "9.1.7"
    Task = "Ensure 'Windows Firewall: Domain: Logging: Log dropped packets' is set to 'Yes'"
    Constraints = @(
        @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
    )
    Test = {
        $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
        $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"      
        $key = "LogDroppedPackets"
        $expectedValue = 1;
        $profileType = "Domain"
        $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
        return @{
            Message = $($result.Message)
            Status = $($result.Status)
        }
    }
}
[AuditTest] @{
    Id   = "9.1.8"
    Task = "Ensure 'Windows Firewall: Domain: Logging: Log successful connections' is set to 'Yes'"
    Constraints = @(
        @{ "Property" = "DomainRole"; "Values" = "Member Workstation", "Member Server", "Primary Domain Controller", "Backup Domain Controller"}
    )
    Test = {
        $path1 = "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging"
        $path2 = "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\Logging"      
        $key = "LogSuccessfulConnections"
        $expectedValue = 1;
        $profileType = "Domain"
        $result = $path1, $path2 | Test-FirewallPaths -Key $key -ExpectedValue $expectedValue -ProfileType $profileType
        return @{
            Message = $($result.Message)
            Status = $($result.Status)
        }
    }
}



[AuditTest] @{
    Id   = "18.3.3"
    Task = "Ensure 'Configure SMB v1 client driver' is set to 'Enabled: Disable driver'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mrxsmb10" `
                -Name "Start" `
            | Select-Object -ExpandProperty "Start"
        
            if ($regValue -ne 4) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 4"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
[AuditTest] @{
    Id   = "18.3.3"
    Task = "Ensure 'Configure SMB v1 server' is set to 'Disabled'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" `
                -Name "SMB1" `
            | Select-Object -ExpandProperty "SMB1"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}



[AuditTest] @{
    Id   = "18.3.6"
    Task = "Ensure 'WDigest Authentication' is set to 'Disabled'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" `
                -Name "UseLogonCredential" `
            | Select-Object -ExpandProperty "UseLogonCredential"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}

[AuditTest] @{
    Id   = "18.6.2"
    Task = "Ensure 'Point and Print Restrictions: When installing drivers for a new connection' is set to 'Enabled: Show warning and elevation prompt'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" `
                -Name "NoWarningNoElevationOnInstall" `
            | Select-Object -ExpandProperty "NoWarningNoElevationOnInstall"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
[AuditTest] @{
    Id   = "18.6.3"
    Task = "Ensure 'Point and Print Restrictions: When updating drivers for an existing connection' is set to 'Enabled: Show warning and elevation prompt'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" `
                -Name "UpdatePromptSettings" `
            | Select-Object -ExpandProperty "UpdatePromptSettings"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
[AuditTest] @{
    Id   = "18.9.47.9.2"
    Task = "Ensure 'Turn off real-time protection' is set to 'Disabled'"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" `
                -Name "DisableRealtimeMonitoring" `
            | Select-Object -ExpandProperty "DisableRealtimeMonitoring"
        
            if ($regValue -eq 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 A"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office communication application from creating child processes)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "26190899-1602-49e8-8b27-eb1d0a1ce869"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "26190899-1602-49e8-8b27-eb1d0a1ce869"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 B"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating executable content)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "3b576869-a4ec-4529-8536-b80a7769e899"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "3b576869-a4ec-4529-8536-b80a7769e899"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 C"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block execution of potentially obfuscated scripts)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" 

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "5beb7efe-fd9a-4556-801d-275e5ffc04cc" 

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 D"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Block Office applications from injecting code into other processes' is configured"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 E"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Adobe Reader from creating child processes)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 F"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Win32 API calls from Office macro)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 G"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block credential stealing from the Windows local security authority subsystem (lsass.exe))"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 H"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block untrusted and unsigned processes that run from USB)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 I"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block executable content from email client and webmail)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "be9ba2d9-53ea-4cdc-84e5-9b1eeee46550"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 J"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block JavaScript or VBScript from launching downloaded executable content)"
    Test = {
       try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "d3e037e1-3eb8-44c8-a917-57927947596d"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "d3e037e1-3eb8-44c8-a917-57927947596d"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 K"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block Office applications from creating child processes)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "d4f940ab-401b-4efc-aadc-ad5f3c50688a"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.9.47.5.1.2 L"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block persistence through WMI event subscription)"
    Test = {
        try {
            if ((-not $windefrunning)) {
                return @{
                    Message = "This rule requires Windows Defender Antivirus to be enabled."
                    Status = "None"
                }
            }
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "e6db77e5-3df2-4cf1-b95a-636979351e5b"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "e6db77e5-3df2-4cf1-b95a-636979351e5b"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "18.10.43.6.1.2 M"
    Task = "Ensure 'Configure Attack Surface Reduction rules: Set the state for each ASR rule' is configured (Block abuse of exploited vulnerable signed drivers)"
    Test = {
        try {
            if($avstatus){

                if ((-not $windefrunning)) {
                    return @{
                        Message = "This rule requires Windows Defender Antivirus to be enabled."
                        Status = "None"
                    }
                }
            }                  
            $regValue = 0;
            $regValueTwo = 0;
            $Path = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value = "56a863a9-875e-4185-98a7-b882c64b5ce5"

            $asrTest1 = Test-ASRRules -Path $Path -Value $Value 
            if($asrTest1){
                $regValue = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path `
                    -Name $Value `
                    | Select-Object -ExpandProperty $Value
            }

            $Path2 = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR\Rules"
            $Value2 = "56a863a9-875e-4185-98a7-b882c64b5ce5"

            $asrTest2 = Test-ASRRules -Path $Path2 -Value $Value2 
            if($asrTest2){
                $regValueTwo = Get-ItemProperty -ErrorAction Stop `
                    -Path $Path2 `
                    -Name $Value2 `
                    | Select-Object -ExpandProperty $Value2
            }

            if ($regValue -ne 1 -and $regValueTwo -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id   = "18.9.58.3.10.1"
    Task = "Ensure 'Set time limit for active but idle Remote Desktop Services sessions' is set to 'Enabled: 15 minutes or less'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
                -Name "MaxIdleTime" `
            | Select-Object -ExpandProperty "MaxIdleTime"
        
            if (($regValue -gt 900000 -or $regValue -eq 0)) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: x <= 900000 and x != 0"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
[AuditTest] @{
    Id   = "18.9.58.3.10.2"
    Task = "Ensure 'Set time limit for disconnected sessions' is set to 'Enabled: 1 minute'"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
                -Name "MaxDisconnectionTime" `
            | Select-Object -ExpandProperty "MaxDisconnectionTime"
        
            if ($regValue -ne 60000) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 60000"
                    Status  = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status  = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status  = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status  = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.1.1"
    Task = "Disable SSLv2 Protocol (Server)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.1.2"
    Task = "Disable SSLv2 Protocol (Server DisabledByDefault)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.1.3"
    Task = "Disable SSLv2 Protocol (Client)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.1.4"
    Task = "Disable SSLv2 Protocol (Client DisabledByDefault)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.2.1"
    Task = "Disable SSLv3 Protocol (Server)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.2.2"
    Task = "Disable SSLv3 Protocol (Server DisabledByDefault)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.2.3"
    Task = "Disable SSLv3 Protocol (Client)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.2.4"
    Task = "Disable SSLv3 Protocol (Client DisabledByDefault)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.3.1"
    Task = "Disable TLS1.0 Protocol (Server)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.3.2"
    Task = "Disable TLS1.0 Protocol (Server DisabledByDefault)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.3.3"
    Task = "Disable TLS1.0 Protocol (Client)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.3.4"
    Task = "Disable TLS1.0 Protocol (Client DisabledByDefault)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.4.1"
    Task = "Disable TLS1.1 Protocol (Server)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.4.2"
    Task = "Disable TLS1.1 Protocol (Server DisabledByDefault)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.4.3"
    Task = "Disable TLS1.1 Protocol (Client)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.4.4"
    Task = "Disable TLS1.1 Protocol (Client DisabledByDefault)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.5.1"
    Task = "Enable TLS1.2 Protocol (Server)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "1.5.2"
    Task = "Enable TLS1.2 Protocol (Server Default)"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" `
                -Name "DisabledByDefault" `
                | Select-Object -ExpandProperty "DisabledByDefault"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.1"
    Task = "Disable NULL Cipher"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.2"
    Task = "Disable DES Cipher Suite"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.3.1"
    Task = "Disable RC4 Cipher Suite - 40/128"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.3.2"
    Task = "Disable RC4 Cipher Suite - 56/128"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.3.3"
    Task = "Disable RC4 Cipher Suite - 64/128"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.3.4"
    Task = "Disable RC4 Cipher Suite - 128/128"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.4"
    Task = "Disable AES 128/128 Cipher Suite"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.5"
    Task = "Enable AES 256/256 Cipher Suite"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -eq 4294967295) {
                return @{
                    Message = "The current registry value is '$regValue', which is no longer supported by Microsoft. For more information, please refer to this link:<br/>"`
                    +'<a href="https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings?tabs=diffie-hellman#tls-dtls-and-ssl-protocol-version-settings">'`
                    +'Learn.microsoft.com - TLS, DTLS, and SSL protocol version settings<a/>'
                    Status = "False"
                }
            }
            if ($regValue -ne 1) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 1"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "2.6"
    Task = "Disable Triple DES Cipher Suite"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "3.1"
    Task = "Disable SHA-1 hash"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "3.2"
    Task = "Disable MD5 hash"
    Test = {
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
                -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5" `
                -Name "Enabled" `
                | Select-Object -ExpandProperty "Enabled"
        
            if ($regValue -ne 0) {
                return @{
                    Message = "Registry value is '$regValue'. Expected: 0"
                    Status = "False"
                }
            }
        }
        catch [System.Management.Automation.PSArgumentException] {
            return @{
                Message = "Registry value not found."
                Status = "False"
            }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            return @{
                Message = "Registry key not found."
                Status = "False"
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}
[AuditTest] @{
    Id = "4.1"
    Task = "Configure Cipher Suite Ordering"
    Test = {
        #check if correct type
        $typeTable = @{
            "String" = "String Value"
            "Byte" = "Byte Value"
            "Int32" = "DWORD (32-bit) Value"
            "Int64" = "QWORD (64-bit) Value"
            "String[]" = "Multi-String Value"
        }
        #Default status
        $status = "Error"
    
        #Output
        $verbInsecure = "rules have"
        $verbWeak = "rules have"
    
        try {
            $regValue = Get-ItemProperty -ErrorAction Stop `
            -Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" `
            -Name "Functions"
            $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
            $res = $regValue.Functions.GetType().Name
    
    
            $currentType = $typeTable[$res]
            if ($res -ne [String]) {
                return @{  
                    Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'String Value'"
                    Status = "False"
                }
            }
    
            #check if insecure or weak cipher is inside value
            $regValues = $regValue.Split(',')
            $regValues = $regValues -replace ' ', ''
            $weakRulesFound = @()
            $insecureRulesFound = @()
            foreach($element in $regValues){
                if($listOfWeakCipherSuites.Contains($element)){
                    $weakRulesFound += $element
                }
                if($listOfInsecureCipherSuites.Contains($element)){
                    $insecureRulesFound += $element
                }
            }
            if($insecureRulesFound.Count -eq 1){$verbInsecure = "rule has"}
            if($weakRulesFound.Count -eq 1){$verbWeak = "rule has"}
            $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules: <br/>"
            $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules: <br/>"
    
            #Preparing message
            foreach($member in $weakRulesFound){
                $status = "Warning"
                $weakMessage += "$($member)<br/>"
            }          
            foreach($member in $insecureRulesFound){
                $status = "False"
                $insecureMessage += "$($member)<br/>"
            }          
            #Combine or shorten message
            if($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0){
                $message = ""
                if($weakRulesFound.Count -eq 0){ $weakMessage = "" }
                if($insecureRulesFound.Count -eq 0){ $insecureMessage = "" }
    
                $message = $insecureMessage + $weakMessage
                return @{
                    Message = $message
                    Status = $status
                }
            }
        }
        catch {
            $regValue = Get-ItemProperty -ErrorAction Stop `
            -Path "Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002" `
            -Name "Functions"
            $reference = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
            $res = $regValue.Functions.GetType().Name
    
            $currentType = $typeTable[$res]
            if ($res -ne [String[]]) {
                return @{  
                    Message = "Wrong Registry type! Registry type is '$currentType'. Expected: 'Multi-String Value'"
                    Status = "False"
                }
            }
    
            #check if insecure or weak cipher is inside value
            $regValues = $regValue -replace ' ', ''
            $weakRulesFound = @()
            $insecureRulesFound = @()
            foreach($element in $regValues){
                if($listOfWeakCipherSuites.Contains($element)){
                    $weakRulesFound += $element
                }
                if($listOfInsecureCipherSuites.Contains($element)){
                    $insecureRulesFound += $element
                }
            }
            if($insecureRulesFound.Count -eq 1){$verbInsecure = "rule has"}
            if($weakRulesFound.Count -eq 1){$verbWeak = "rule has"}
            $insecureMessage = "$($insecureRulesFound.Count) insecure $($verbInsecure) been found! List of insecure rules: <br/>"
            $weakMessage = "$($weakRulesFound.Count) weak $($verbWeak) been found! List of weak rules: <br/>"
    
            #Preparing message
            foreach($member in $weakRulesFound){
                $status = "Warning"
                $weakMessage += "$($member)<br/>"
            }          
            foreach($member in $insecureRulesFound){
                $status = "False"
                $insecureMessage += "$($member)<br/>"
            }          
            #Combine or shorten message
            if($insecureRulesFound.Count -gt 0 -or $weakRulesFound.Count -gt 0){
                $message = ""
                if($weakRulesFound.Count -eq 0){ $weakMessage = "" }
                if($insecureRulesFound.Count -eq 0){ $insecureMessage = "" }
    
                $message = $insecureMessage + $weakMessage
                return @{
                    Message = $message
                    Status = $status
                }
            }
        }
        
        return @{
            Message = "Compliant"
            Status = "True"
        }
    }
}