Add Get-ComputerIDP script and enhance Deploy-CheckExtension features

[MWG-Logan]

This pull request introduces significant enhancements and new features to the Deploy-CheckExtension.ps1 script, focusing on expanding configuration options, improving security controls (especially around domain squatting detection), and increasing branding and integration flexibility. It also adds a new script, Get-ComputerIDP.ps1, to inventory device identity provider status. Below are the most important changes grouped by theme:

Security and Detection Enhancements:

• Added extensive domain squatting detection configuration, including enabling/disabling the feature, setting detection thresholds, toggling specific detection algorithms (Levenshtein, homoglyph, typosquat, combosquat), specifying protected domains, and defining actions and logging for detections. All options are exposed as parameters and mapped into the registry structure. [1] [2] [3]
• Introduced a generic webhook integration for sending detection and event notifications to custom endpoints, with configurable event types and validation to ensure URLs are provided when enabled. [1] [2] [3]

Branding and UI Customization:

• Expanded branding options to include support, privacy policy, and about URLs, in addition to existing company and product information. These are now settable via parameters and stored in the registry. [1] [2] [3]
• Added a parameter to force pinning the extension to the browser toolbar, with browser-specific registry handling for Chrome and Edge. [1] [2] [3]

Configuration and Policy Improvements:

• Added parameters for valid page badge timeout, CIPP tenant ID override, and improved allowlist handling by storing allowlist entries as numbered subkeys per upstream schema. [1] [2] [3] [4]
• Improved input validation for required fields when enabling CIPP reporting or generic webhooks, including logic for resolving the effective CIPP tenant ID.

Inventory Script Addition:

• Added new script Inventory/Get-ComputerIDP.ps1 to determine if a device is joined to Active Directory, Entra ID, or both, and output a JSON report with relevant identifiers.

Minor Corrections:

• Updated script attribution to the correct GitHub user in the header comment.

These changes collectively provide more granular control, better security posture, and improved integration and branding capabilities for extension deployment and inventory scripts.

[Copilot]

Pull request overview

Enhances the existing Check extension deployment task to support additional extension policy/branding controls (including domain-squatting detection and webhook integration), and adds a new inventory script to report device identity provider (AD DS / Entra ID) status.

Changes:

• Expanded Deploy-CheckExtension.ps1 parameters and registry mapping (domain squatting config, webhook events, branding URLs, toolbar pinning, allowlist schema, and additional validations).
• Added Inventory/Get-ComputerIDP.ps1 to inventory AD DS / Entra ID join status via CIM + dsregcmd.
• Minor updates to workstation security tweaks script header guidance and a formatting fix.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File	Description
Task/Windows Workstation Security Tweaks Combined Script.ps1	Adds usage guidance in the header and fixes a formatting/line issue.
Task/Deploy-CheckExtension.ps1	Adds new extension policy/branding/webhook/domain-squatting options and registry write/cleanup logic.
Inventory/Get-ComputerIDP.ps1	New inventory metascript to report device join/IDP status and identifiers.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The domain squatting policy key uses value name Action (capital A) while all other policy names in this script use lower camel case (e.g., enabled, deviationThreshold, logDetections). Because Chrome/Edge managed-storage keys become case-sensitive object properties for the extension, this likely creates a different key than intended. Consider changing the value name to lower camel case (e.g., action) to match the rest of the schema.

Suggested change

	@{ Path=$domainSquattingKey; Name='Action'; Type='String'; Value=$DomainSquattingAction },
	@{ Path=$domainSquattingKey; Name='action'; Type='String'; Value=$DomainSquattingAction },

[Copilot]

Header says the script "emits a JSON report", but the implementation outputs a PowerShell hashtable/object and never calls ConvertTo-Json. Either update the header comment to match the actual output, or emit JSON explicitly (and include an appropriate -Depth).

[Copilot]

This inventory script makes two separate Invoke-ImmyCommand calls (one in Get-DomainJoinData and one in Get-EntraJoinData). If Invoke-ImmyCommand is a remote/agent hop, this adds avoidable overhead. Consider collecting both domain join and dsregcmd status in a single Invoke-ImmyCommand invocation and returning a single object.

Suggested change

	function Get-DomainJoinData {
	<# Retrieves domain membership info from the endpoint via CIM. #>
	Invoke-ImmyCommand {
	try {
	$system = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
	[hashtable]@{
	PartOfDomain = [bool]$system.PartOfDomain
	Domain = $system.Domain
	}
	} catch {
	$null
	}
	}
	}
	function Get-EntraJoinData {
	<# Parses dsregcmd output on the endpoint to capture Entra ID join metadata. #>
	Invoke-ImmyCommand {
	$exe = Join-Path $env:SystemRoot 'System32\dsregcmd.exe'
	if (-not (Test-Path $exe)) {
	return $null
	}
	function Get-JoinInventoryData {
	<# Retrieves domain membership info and Entra join metadata from the endpoint in a single remote invocation. #>
	if ($script:JoinInventoryData) {
	return $script:JoinInventoryData
	}
	$script:JoinInventoryData = Invoke-ImmyCommand {
	$domainData = $null
	$entraData = $null
	try {
	$system = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction Stop
	$domainData = [hashtable]@{
	PartOfDomain = [bool]$system.PartOfDomain
	Domain = $system.Domain
	}
	} catch {
	$domainData = $null
	}
	try {
	$exe = Join-Path $env:SystemRoot 'System32\dsregcmd.exe'
	if (Test-Path $exe) {
	$output = & $exe /status 2>$null
	if ($output) {
	$parsed = [ordered]@{}
	foreach ($line in $output) {
	if ($line -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') {
	$key = ($matches[1] -replace '\s+', '')
	$value = $matches[2].Trim()
	if ($key) {
	$parsed[$key] = $value
	}
	}
	}
	$entraData = [hashtable]@{
	AzureAdJoined = $parsed['AzureAdJoined']
	TenantId = $parsed['TenantId']
	TenantName = $parsed['TenantName']
	DeviceId = $parsed['DeviceId']
	}
	}
	}
	} catch {
	$entraData = $null
	}
	[hashtable]@{
	Domain = $domainData
	Entra = $entraData
	}
	}
	$script:JoinInventoryData
	}
	function Get-DomainJoinData {
	<# Retrieves domain membership info from the combined cached endpoint join data. #>
	$joinData = Get-JoinInventoryData
	if ($joinData) {
	return $joinData.Domain
	}
	$null
	}
	function Get-EntraJoinData {
	<# Returns Entra ID join metadata from the combined cached endpoint join data. #>
	$joinData = Get-JoinInventoryData
	if ($joinData) {
	return $joinData.Entra
	}
	return $null