Final Check

Copy and paste into Powershell : Run as Administrator

# Auto-elevate script to Administrator if needed

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {

    Start-Process powershell -ArgumentList "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`"" -Verb RunAs

    Exit

}

# --- UNIFIED VELOCITY AUDIO STREAMER ---

function Write-RapidType {

    param (

        [string]$Text,

        [string]$ForegroundColor = "White",

        [bool]$NoNewLine = $false

    )

    $chars = $Text.ToCharArray()

    foreach ($c in $chars) {

        Write-Host $c -ForegroundColor $ForegroundColor -NoNewline

        if ($c -match '\S') {

            [Console]::Beep(700, 1)

            Start-Sleep -Milliseconds 2

        } else {

            Start-Sleep -Milliseconds 2

        }

    }

    if (-not $NoNewLine) { Write-Host "" }

}

Clear-Host

Write-Host "============================================================" -ForegroundColor Cyan

Write-Host "         NEXUS CONTEXT-AWARE FLEET STATE ENGINE v4          " -ForegroundColor Cyan

Write-Host "============================================================" -ForegroundColor Cyan

Write-Host ""

# ============================================================

# STEP 1: DYNAMIC FLEET HARDWARE & INTUNE CONTEXT TRIAGE

# ============================================================

Write-Host "[ STEP 1: PARSING WORKSPACE ENVIRONMENT & IDENTITY ]" -ForegroundColor Cyan

Write-Host "------------------------------------------------------------"

$isManagedByIntune = $false

if (Test-Path "HKLM:\SOFTWARE\Microsoft\Enrollments") {

    $enrolls = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Enrollments" -ErrorAction SilentlyContinue

    foreach ($entry in $enrolls) {

        if (Get-ItemProperty -Path $entry.PSPath -Name "DiscoveryServiceFullURL" -ErrorAction SilentlyContinue) { 

            $isManagedByIntune = $true 

        }

    }

}

$cs = Get-CimInstance Win32_ComputerSystem -ErrorAction SilentlyContinue

$isDomainJoined = if ($cs.PartOfDomain) { $true } else { $false }

Write-Host "  [MANAGEMENT ARCHITECTURE]: " -NoNewline

if ($isManagedByIntune) {

    Write-Host "ENTERPRISE MANAGED (Cloud Intune MDM)" -ForegroundColor Cyan

} elseif ($isDomainJoined) {

    Write-Host "ENTERPRISE MANAGED (Hybrid Active Directory Domain)" -ForegroundColor Blue

} else {

    Write-Host "STANDALONE / WORKGROUP ENVIRONMENT (Independent PC)" -ForegroundColor Green

}

$bios = Get-CimInstance Win32_Bios -ErrorAction SilentlyContinue

Write-Host "  [Device Platform Model]  : $($cs.Model) // BIOS Ver: $($bios.SMBIOSBIOSVersion)" -ForegroundColor Gray

$dbInstalled = $false

try {

    $dbBytes = (Get-SecureBootUEFI db -ErrorAction SilentlyContinue).bytes

    if ($dbBytes) { 

        $dbInstalled = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023' 

    }

} catch {

    Write-Host "  [!] WARNING: Direct UEFI firmware layer verification restricted." -ForegroundColor Yellow

}

$regPhase = 0

try {

    $regVal = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -Name 'WindowsUEFICA2023Capable' -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable

    if ($regVal) { $regPhase = $regVal }

} catch {}

$nvramChoked = $false

$testPath = "$env:TEMP\nvram_engine_test.xml"

try {

    $process = Start-Process bcdedit -ArgumentList "/export `"$testPath`"" -NoNewWindow -PassThru -Wait -ErrorAction SilentlyContinue

    if ($process.ExitCode -ne 0 -or -not (Test-Path $testPath)) { $nvramChoked = $true } 

    else { Remove-Item $testPath -Force -ErrorAction SilentlyContinue }

} catch { $nvramChoked = $true }

Write-RapidType "  [*] Interrogating localized NVRAM layers..." -ForegroundColor "White"

if ($dbInstalled) {

    Write-Host "      -> FIRMWARE KEY: Windows UEFI CA 2023 is INSTALLED." -ForegroundColor Green

} else {

    Write-Host "      -> FIRMWARE KEY: Windows UEFI CA 2023 is MISSING." -ForegroundColor Red

}

Write-RapidType "  [*] Interrogating operating system staging engine..." -ForegroundColor "White"

switch ($regPhase) {

    2 { Write-Host "      -> COMPLIANCE PHASE: Phase 2 Active (Fully Secured Environment)." -ForegroundColor Green }

    1 { Write-Host "      -> COMPLIANCE PHASE: Phase 1 Staged (Handshake In Progress)." -ForegroundColor Yellow }

    0 { Write-Host "      -> COMPLIANCE PHASE: Phase 0 Unstarted (Action Required)." -ForegroundColor Red }

}

Write-Host "------------------------------------------------------------"

Write-Host ""

# ============================================================

# STEP 2: CONTEXT-AWARE MULTI-PHASE ROUTING LOGIC

# ============================================================

if ($regPhase -eq 2) {

    [Console]::Beep(880, 120)

    Write-Host "============================================================" -ForegroundColor Green

    Write-Host " [PHASE 2 SUCCESS] REMEDIATION VECTOR COMPLETED             " -ForegroundColor Green

    Write-Host "============================================================" -ForegroundColor Green

    Write-Host ""

    Write-RapidType "  -> Verification Result: This computer is fully up-to-date and protected." -ForegroundColor White

    Write-Host ""

    Read-Host "Press ENTER to exit workspace control"

    Exit

}

if ($nvramChoked -and $regPhase -ne 1) {

    [Console]::Beep(440, 300)

    Write-Host "============================================================" -ForegroundColor Red

    Write-Host " [BLOCKER DETECTED] MOTHERBOARD HARDWARE CONSTRAINT         " -ForegroundColor Red

    Write-Host "============================================================" -ForegroundColor Red

    Write-Host ""

    Write-RapidType "  -> Problem: The physical NVRAM storage chip on this machine is FULL." -ForegroundColor Red

    if ($isManagedByIntune -or $isDomainJoined) {

        Write-RapidType "  -> ACTION : Deploy an updated HP SoftPaq firmware suite via Intune proactively." -ForegroundColor Cyan

    } else {

        Write-RapidType "  -> ACTION : Go to the manufacturer's support portal, download the newest BIOS." -ForegroundColor Green

    }

    Write-Host ""

    Read-Host "Press ENTER to return to desktop safely"

    Exit

}

if ($regPhase -eq 1) {

    Write-Host "============================================================" -ForegroundColor Yellow

    Write-Host " [PHASE 1 DETECTION] ENGINE STEP-DOWN Handshake DETECTED     " -ForegroundColor Yellow

    Write-Host "============================================================" -ForegroundColor Yellow

    Write-Host ""

    Write-RapidType "  Current State: Motherboard keys updated, but boot files require a final pass." -ForegroundColor White

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" -ErrorAction SilentlyContinue

    Write-Host "  [+] Final bootloader sync routine signaled." -ForegroundColor Green

    Write-Host ""

    $rebootChoice = Read-Host "Execute final hardware restart sequence right now? (Y/N)"

    if ($rebootChoice -match "Y|y") { Restart-Computer -Force }

    Exit

}

if ($regPhase -eq 0) {

    Write-Host "[ EXECUTION PHASE: COLD START RECOVERY INITIALIZED ]" -ForegroundColor Cyan

    Write-RapidType " This endpoint requires a primary cert staging and structural vault injection." -ForegroundColor Yellow

    Write-Host ""

    $confirm = Read-Host "Begin core execution sequence on this asset? (Y/N)"

    if ($confirm -notmatch "Y|y") { Write-Host "Execution script canceled."; Exit }

    # Conditional BitLocker Management Block with explicit key location mapping

    Write-Host ""

    Write-Host " [*] Checking local volume BitLocker matrix state..." -ForegroundColor Cyan

    $blVolume = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction SilentlyContinue

    $wasBitLockerSuspended = $false

    if ($null -ne $blVolume -and $blVolume.ProtectionStatus -eq 'On') {

        Write-RapidType "     [!] Active BitLocker infrastructure found on C:." -ForegroundColor Yellow

        Write-Host "     -------------------------------------------------------" -ForegroundColor DarkYellow

        Write-Host "     KEY RECOVERY REFERENCE DIRECTORY:" -ForegroundColor Yellow

        if ($isManagedByIntune -or $isDomainJoined) {

            Write-Host "     -> TYPE   : School / Enterprise Asset Managed Device." -ForegroundColor Cyan

            Write-Host "     -> ESCROW : Keys are backed up directly to the institution's tenant." -ForegroundColor Cyan

            Write-Host "     -> ACCESS : If locked, contact your School IT Helpdesk Portal." -ForegroundColor Cyan

        } else {

            Write-Host "     -> TYPE   : Personal / Standalone Workgroup Device." -ForegroundColor Green

            Write-Host "     -> ESCROW : Key is tied to the owner's Personal Microsoft Account." -ForegroundColor Green

            Write-Host "     -> ACCESS : Retrieve instantly via web browser at either link:" -ForegroundColor Green

            Write-Host "                 https://aka.ms/myrecoverykey" -ForegroundColor Cyan

            Write-Host "                 https://myaccount.microsoft.com" -ForegroundColor Cyan

        }

        Write-Host "     -------------------------------------------------------" -ForegroundColor DarkYellow

        Write-RapidType "     [*] Granting temporary 2-reboot validation exemption window..." -ForegroundColor White

        Suspend-BitLocker -MountPoint "C:" -RebootCount 2 -ErrorAction SilentlyContinue

        $wasBitLockerSuspended = $true

        Write-Host "     [+] Protectors suspended cleanly. Safe to modify firmware keys." -ForegroundColor Green

    } else {

        Write-Host "     [+] BitLocker is inactive or unconfigured. Proceeding with safety..." -ForegroundColor Gray

    }

    # Write Combination Bitfield Matrix 0x5944

    Write-Host ""

    Write-Host " [*] Staging registry available update metrics..." -ForegroundColor Cyan

    try {

        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"

        Set-ItemProperty -Path $regPath -Name "AvailableUpdates" -Value 22852 -Type DWord -Force -ErrorAction Stop

        Write-Host "     [+] Deployment variables locked into kernel database." -ForegroundColor Green

    } catch {

        Write-Host "     [-] CRITICAL ERROR: Registry manipulation blocked: $_" -ForegroundColor Red

        if ($wasBitLockerSuspended) { Resume-BitLocker -MountPoint "C:" -ErrorAction SilentlyContinue }

        Read-Host "Press ENTER to abandon execution"

        Exit

    }

    # Kick Windows Servicing Platform Engine Task

    Write-Host ""

    Write-Host " [*] Firing internal Windows Platform Integrity System Task..." -ForegroundColor Cyan

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" -ErrorAction SilentlyContinue

    Write-Host "     [+] Platform servicing execution loop successfully executed." -ForegroundColor Green

    Write-Host ""

    Write-Host "============================================================" -ForegroundColor Green

    Write-Host "       INITIAL STAGING SEQUENCE EXECUTED SUCCESSFULLY        " -ForegroundColor Green

    Write-Host "============================================================" -ForegroundColor Green

    Write-Host ""

    Write-RapidType "  1. Restart this computer immediately (Select 'Y' below)."

    Write-RapidType "  2. Once signed back into Windows, run this EXACT script again."

    Write-RapidType "  3. The script will automatically trigger the final 'Phase 1' cleanup for you."

    Write-Host ""

    $rebootChoice = Read-Host "Initiate hardware restart sequence right now? (Y/N)"

    if ($rebootChoice -match "Y|y") { Restart-Computer -Force }

}