System Administration – Geoff Nelson

BitLocker Volume Details in Splunk

Monitoring BitLocker Volume Details

I was recently asked if BitLocker encryption details can be reported on in Splunk.

The answer is yes, if you send the right data to Splunk.

There is a Windows Event Log (Microsoft-Windows-BitLocker/BitLocker Management) that will log when someone encrypts or decrypts a volume. This information is good to know, but what happens after a volume is decrypted… after days, weeks, or months has passed you will need to search back an extended amount of time to see that activity. And eventually these events will be removed from Splunk based on the index’s retention.

I have created a solution that will allow you to see the latest volume status (latest based on an interval you can configure; the default is every 4 hours). In addition to whether BitLocker Encryption is enabled for each volume, the script also records the volume type (Operating System or Data) and Drive Type (Fixed or Removable) so you can filter the dashboard to view the status for scenarios where you are only concerned with Fixed disks, Operating System disks, or Data disks.

Universal Forwarder Inputs

Download the ut_splunkforwarder_inputs_bitlocker app from GitHub – BeckhamTX/Splunk-Inputs-WinSysAdminToolkit

Configure the app

You must configure the index that you want to send the BitLocker data to:
- Create a new folder named local inside ut_splunkforwarder_inputs_bitlocker
- Create a new file named inputs.conf inside ut_splunkforwarder_inputs_bitlocker\local
- Edit inputs.conf to include the following, replacing myIndex with the index you want to send to
  
  [powershell://BitLockerVolumeDetails]
  
  index = myIndex

You can optionally adjust the schedule that the volume details are gathered on:

Edit ut_splunkforwarder_inputs_bitlocker\local\inputs.conf

Add the following line replacing 6 */4 * * * with your custom schedule
schedule = 6 */4 * * *
The schedule can be in one of the following two formats:

Format	Syntax	Example
Cron	Cron notation (minute, hour, day of month, day, day of week	6 /4 * * would be at 6 minutes past the hour, every 4 hours (4.00 am, 8.00 am, 12.00 pm, 4.00 pm…)
Seconds	An integer (specifically the number of seconds before it runs again)	7200 would be every 7200 seconds (every 2 hours)

Deploy the ut_splunkforwarder_inputs_bitlocker app to your Universal Forwarders.
You have several options to get this configuration out to all of your hosts: You may be running a Splunk Deployment Server. If not, you can use systems management tools such as SCCM/MEMCM.
The Universal Forwarders must be restarted to start using the new BitLocker input configuration. This can be done using the following command:
“C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe” restart

Splunk Dashboards

There are two dashboards I have created as part of my Windows SysAdmin Toolkit Splunk app.

This app is not (yet) on Splunkbase, so I will post the dashboard source code here soon. (If you would like the dashboard source code before I get to post it, please leave a comment on here and I can send it to you directly.)

BitLocker – Comprehensive Overview of Latest Volume Details

This dashboard includes:

a few statistics about drive encryption across all hosts
the latest status for each volume on all hosts (there are several filter options available here)
events from the BitLocker Management Windows Event log for all hosts

BitLocker – Details for a Host

This dashboard provides details for a single host (although you can wildcard the host name if you want to see details for multiple hosts with a common naming pattern.)

An Overview of Windows LAPS

What is Windows LAPS?

Windows LAPS (Local Administrator Password Solution) automatically manages a local administrator account’s password: changing the password when it expires (using password length and complexity settings) and backing up the password to Active Directory so it is available for authorized users to retrieve.

Windows LAPS was made available with the April 2023 Cumulative Update for the following Operating Systems:

Windows 11 22H2
Windows 11 21H2
Windows 10 (those editions still supported by Microsoft)
Windows Server 2022
Windows Server 2019

Windows LAPS is not available for Windows Server 2016, but you can continue to use legacy LAPS with it.

Windows LAPS is a whole new solution for managing the local administrator password and is not just an update of the legacy LAPS solution that was originally released in 2015. It includes much of the same functionality of legacy LAPS, and also includes a couple of new things:

Supports encrypting passwords stored in AD
Can store password history in AD (for encrypted passwords only)
Supports saving the password to Azure AD instead of Windows Server (on-prem) AD

Comparing Windows LAPS and Legacy LAPS

Comparing Windows LAPS and Legacy LAPS
	Windows LAPS	Legacy LAPS
Password-management bits	Included with the April 2023 Cumulative Update for Windows	The client-side extension must be installed on each computer.
Frequency of processing the LAPS policy cycle	This is hard-coded in Windows to 1 hour The Invoke-LapsPolicyProcessing PowerShell cmdlet can be used to trigger processing in addition to gpupdate /force.	Since this was a Group Policy Client-side extension, this was done at the same time as a group policy refresh. gpupdate /force will force the processing of Group Policy
Configuration options	Group Policy Configuration Service Provider (such as Intune – but this option is currently not available at the University)	Group Policy
Group Policy settings location	Computer Configuration – Policies – Administrative Templates – System – LAPS	Computer Configuration – Policies – Administrative Templates – LAPS
Where is the password stored in AD	All Windows LAPS attributes are confidential attributes: msLAPS-PasswordExpirationTime: This is a regular attribute that stores the date and time that the LAPS password will expire / when it will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set msLAPS-Password: A clear-text string that contains the name of the managed account, the timestamp of the password update, and the current password msLAPS-EncryptedPassword: The encrypted current password msLAPS-EncryptedPasswordHistory: Contains the encrypted previous passwords (it will store as many of the previous passwords as it is configured to, which allows for a maximum of 12) msLAPS-EncryptedDSRMPassword: This setting only pertains to Domain Controllers. msLAPS-EncryptedDSRMPasswordHistory: This setting only pertains to Domain Controllers.	ms-mcs-AdmPwd: This is a confidential attribute where the password is stored ms-mcs-AdmPwdExpirationTime: This is a regular attribute that stores the date and time that the LAPS password will expire / when it will be reset, calculated by adding the value of the Password Age (Days) setting to the time the password was last set
Is the password that is stored in Active Directory encrypted?	It depends on the LAPS policy in use when the password is saved in AD.	No
Where can the password be backed up to?	Windows Server (on-prem) Active Directory or Azure Active Directory.	Windows Server Active Directory only.
Who can access the password in AD	If the password is not encrypted (msLAPS-Password) you must have access to the confidential attribute in AD. If the password is encrypted (msLAPS-EncryptedPassword, msLAPS-EncryptedPasswordHistory) you must have access to the confidential attribute in AD AND be an authorized password decryptor (refer to the Windows LAPS Policy Settings section below). Note that each encrypted password in the password history can/may have a different decryptor.	You must have access to the confidential attribute in AD.

Prerequisites for Using Windows LAPS

The computer object must have permission to write its password to itself in Active Directory.
The computer must be running an Operating System for which Windows LAPS is available.
The computer must be updated with the April 2023 Cumulative Update for Windows or later.
The computer must have a Windows LAPS policy assigned to it.
The computer must be able to reach a Domain Controller.

Windows LAPS Policy Settings

The following settings are located in Computer Configuration – Policies – Administrative Templates – System – LAPS:

Setting	Description
Post-authentication actions	If enabled, you can set an action that will be triggered after the successful authentication of the account whose password is being managed. The available actions are: Take no actions Reset the password Reset the password and logoff the managed account Reset the password and reboot the device Set the grace period to the time you want it to wait after the authentication before the action is triggered. The grace period must be set greater than 0; if set to 0 the action will not be triggered.
Password Settings	If enabled, you can configure the following aspects of the password that is generated: Password Complexity: Determines what type of characters are used to generate the password. The available actions are: Large letters Large letters + small letters Large letters + small letters + numbers Large letters + small letters + numbers + specials Password Length: Determines how many characters the password will be in length. This must be a number from 8 – 64. The default value is 14. Password Age (Days): This is the number of days that will be used to set the password expiration time. This must be a number from 1 – 365. The default value is 30.
Name of administrator account to manage	The name of the local administrator account whose password is managed. Only set this if you want Windows LAPS to manage an account other than the built-in Administrator. The default, when not specified, is the built-in Administrator (by its well-known RID). Notes: If you specify a disabled account, the password will be managed by the account will not be enabled by LAPS. If you specify an account that does not exist, . If you specify an account that is not a member of the local Administrators group it will not be added to the local Administrators by LAPS.
Enable password encryption	If enabled, the password is encrypted before it is backed up to AD. If disabled, the password is not encrypted before it is backed up to AD. If not configured, the default value is Enabled.
Enable password backup for DSRM accounts	This setting only pertains to Domain Controllers.
Do not allow password expiration time longer than required by policy	If enabled, LAPS will adhere to the computer’s password settings policy and the password will be reset when the password has expired based on the computer’s password settings policy. The new expiration is then set so it adheres to the computer’s password settings policy. If disabled, the expiration of the password set by LAPS could exceed the requirement of the computer’s password settings policy. If not configured, the default value is Enabled.
Configure size of encrypted password history	If enabled, you can specify how many older encrypted passwords to store in AD. This must be a number from 0 – 12. This setting only applies when encrypted passwords are being backed up to AD. This setting may help out when reverting to a VM shapshot where an older password was in use at the time the snapshot was taken. The default value, if not configured, is 0.
Configure password backup directory	Determines where the password is backed up to. Options: 0: Disabled 1: Azure AD only 2: Windows Server (on-prem) AD only The default value when not specified is 0 (the password will not be backed up).
Configure authorized password decryptors	When enabled, you will specify the user or group that is authorized to decrypt the encrypted password in AD. You must provide one of the following as the decryptor The SID of the group or user The name of the group or user in the following format: AUSTIN\<name> Warning: If the device cannot resolve the SID or name provided, the password will not be backed up. This setting only applies when encrypted passwords are being backed up to AD. The default value when not specified is the Domain Admins group.
Post-authentication actions	Specify an action that will be triggered after the successful authentication of the account whose password is being managed. The available actions are: Take no actions Reset the password Reset the password and logoff the managed account Reset the password and reboot the device Set the grace period to the time you want it to wait after the authentication before the action is triggered. The grace period must be set greater than 0; if set to 0 the action will not be triggered. The default behaviour, when this setting is disabled or not configured, is to reset the password and logoff the managed account after 24 hours. If you want it to take no action, enable this setting and select Take no actions.

Retrieving a LAPS Password

There are several methods to retrieve the LAPS password.

Using the Active Directory Users and Computers (ADUC) Console

Open the Properties for the computer.
Select the LAPS tab.

On the LAPS tab of the computer’s Properties page:
- The Current LAPS password expiration is displayed.
- You can specify a new password expiration.
  After specifying the new expiration click OK or Apply.
- You can make the password expire now by clicking on the Expire now button and then clicking on OK or Apply.
  This will set the expiration to the current date and time.
  The password will not actually be changed immediately on the computer, but when it next processes LAPS policy.
- The LAPS local admin account name is displayed.
- The LAPS local admin account password is masked by default
  - Clicking Copy password will put the clear-text password on your clipboard without unmasking it here.
  - Clicking Show password will display the password in clear text here.
Note: You cannot view the password history from here. You must use PowerShell to access the password history.

Using Active Directory Administration Center

Open the properties for the computer.
Scroll down to the Extensions.
Select the LAPS tab.

The LAPS tab is available just as it would appear in ADUC. Refer to the ADUC section above for details.

Using PowerShell

You can retrieve the LAPS password using the Get-LapsADPassword cmdlet.

Use the Get-LapsPassword cmdletGet-LapsADPassword -Identity <computername>
will return the current password in a Secure String object.The Account property shows the managed account name.The Password property contains the password.The PasswordUpdateTime shows when the password was updated.The ExpirationTimestamp shows when the current password expires/when a new password will be required.The DecryptionStatus property will show Success if you are allowed to decrypt the password. It will show Unauthorized if you are not.The AuthorizedDecryptor property will show the user or group that can decrypt the password.Note: When using tab-completion it is easy to accidentally run the Get-LapsAADPassword instead. This is the cmdlet used to retrieve the password from Azure Active Directory.
Or to get the password in plain text

Get-LapsAdPassword -Identity <computername> -AsPlainText
will return the current password in plain text.
Or to get the password history in plain text

Get-LapsAdPassword -Identity <computername> -AsPlainText -IncludeHistory
will return the password history in plain text
The number of passwords in the password history depends on the LAPS policy applied and how many times the password has been changed by LAPS.
Each password in the password history can have a different Authorized Decryptor, depending on what was specified in the policy when the password was encrypted and stored in AD.The AuthorizedDecryptor shows who can decrypt the password.
The DecryptiomStatus shows whether the password was successfully decrypted for the user running the cmdlet.In this example, the user running the cmdlet can see the latest password as they are a member of the Authorized Dectryptors. They cannot see the previous password as the Authorized Dectryptors for it is a different group that the user is not a member of.

Windows Event Log

A new Windows Event Log channel has been created for Windows LAPS.

In Event Viewer, navigate to: Application and Services Logs – Microsoft – Windows – LAPS – Operational.

PowerShell Module

Below are some helpful cmdlets included in the LAPS PowerShell module.

Cmdlet	Description
Get-LapsAdPassword	Gets the escrowed password(s) from Windows Server Active Directory. Review the Retrieving a LAPS Password section above for details and examples.
Invoke-LapsPolicyProcessing	Initiates the processing of the current LAPS policy, independent of the hourly processing cycle).
Reset-LapsPassword	Attempts to immediately change the managed account’s password (whether or not it has expired).

Frequently Asked Questions

Q1: Can I initiate a password change ahead of the expiration time?

A1: There are a couple of ways to have the managed password changed:

Use the Reset-LapsPassword cmdlet, which will result in LAPS attempting to reset the password immediately.
Edit the password expiration for the computer to the current time, which will result in the password being reset the next time LAPS policy is processed on the computer.

Q2: What happens if the computer cannot reach a Domain Controller when the password expires? Will the password be set without the new password being backed up in AD?

A2: As with legacy LAPS, Windows LAPS will first escrow the new password in Active Directory. Only if that is successful with the password actually be changed on the computer.

Q3: Who can decrypt an encrypted password in Active Directory?

A3: This is specified by the user or group set as the authorized password decryptors in the LAPS policy at the time the password was stored in AD.

Is this setting was not set, the decryptors default to the Domain Admins.

Q4: What happens to the password and password expiration stored in Active Directory when Windows LAPS manages the password?

A4: The attributes used by legacy LAPS are not modified by Windows LAPS. After Windows LAPS starts to manage the account’s password the legacy LAPS attributes will remain intact. Windows LAPS does not clear out the Legacy LAPS attributes.
This can be confusing, having two sets of password attributes, but you should avoid programmatically clearing out all of the legacy LAPS attributes on all of your computers without verifying they are no longer valid. You could be clearing out currently-set passwords making them unavailable (Windows LAPS is not available for Windows Server 2016 which will continue to use legacy LAPS if enabled. Windows LAPS may not have changed the password yet if there is no Windows LAPS policy assigned to the computer).

Q5: What will happen if a computer has both a legacy LAPS and Windows LAPS policy applied to it?

A5: Windows LAPS will manage the password.

Q6: Will Windows LAPS save both an unencrypted and encrypted password to AD?

A6: No, Windows LAPS will store only an encrypted password or unencrypted password based on the computer’s policy settings.

Q7: What will happen if the account I specify as the Name of administrator account to manage does not exist?

A7: Windows LAPS policy processing will fail. It can not manage an account that does not exist. This scenario can lead you to being locked out of the computer / not having a way to get admin access to it.

Q8: What will happen if the account I specify as the Name of administrator account to manage is disabled?

A8: Windows LAPS policy processing will succeed. It will manage the account’s password, but it will not enable the account. The account must be enabled before it can be used. This scenario can lead you to being locked out of the computer / not having a way to get admin access to it.

Q9: What will happen if the account I specify as the Name of administrator account to manage is not a member of the local Administrators group?

A9: Windows LAPS policy processing will succeed. It will manage the account’s password, but it will not add it to the Administrators group. This scenario can lead you to being locked out of the computer / not having a way to get admin access to it.

Q10: Can the password of more than one account be managed by Windows LAPS?

A10: No, only one account can be managed.

Q11: Should I remove (delete or unlink) my GPO(s) that configure Legacy LAPS?

A11: To “clean things up”, you can unlink or delete any GPOs that configure Legacy LAPS as long as you do not have any computers running an operating system that Windows LAPS is not available on. If you need to keep using Legacy LAPS for older operating systems, you can optionally use filtering (security filtering or WMI filtering) on the GPO to have it only apply to these computers – although you do not need to do anything as Windows LAPS will manage the password in the scenario where Windows LAPS and Legacy LAPS are both enabled.

Setting the Security Logon Banner Message on iDRAC 9 (14G Servers)

There are a lot of new features available on the iDRAC9 which comes with 14G Dell servers.
One of these features that I have implemented right away is the logon banner message, which is displayed as the Security Notice on the logon page.

To set the a custom message you can use racadm:

Local racadm:
racadm set iDRAC.GUI.SecurityPolicyMessage “Message Here.”
Remote racadm:
racadm -i -r <DNS Name or IP of iDRAC> set iDRAC.GUI.SecurityPolicyMessage “Message Here.”

NIC Teaming in Windows Server 2012 – Part 2: PowerShell Method

This is the second in a two-part series on NIC Teaming in Windows Server 2012. Part 1 focused on the GUI method (using Server Manager.) Part 2 focuses on using PowerShell.

Depending on its configuration, NIC Teaming provides the following benefits:

bandwidth aggregation – If you team 2 NICs, you have the capability to double your network throughput.
resisiliancy to a dropped network connection – Our data centre has duplicate network infrastructure that connects to all servers: an A network and a B network. When network maintenance needs to be performed it is done on each network separately: when maintenanice is performed on the A network, the B network stays online. Each server has a Team that consists of a NIC on the A network and a NIC on the B network to avoid loss of connectivity when one of the networks goes down temporarily for maintenance.

In older Windows operating systems in order to create a NIC team you had to use software provided by the NIC vendor. Server 2012 brings this functionality into the OS. With NIC Teaming functionality now built into Windows, the process is much simpler, consistent (does not matter what vendor has manufactured the NICs), and is supported by Microsoft (since Teaming using vendor software is not supported by Microsoft, PSS would often request a Team be broken to verify the Team is not causing any issues.)

Creating a NIC Team Using PowerShell

Determine the names of each NIC that you want to add to the team. This can be done from Network Connections.
Launch PowerShell (Run as Administrator.)
Run the following cmdlet, replacing the values of the -Name and -TeamMembers parameters for your own values:
New-NetLbfoTeam -Name “Team 1” -TeamMembers “Ethernet 3″,”Ethernet 4” -TeamingMode LACP -LoadBalancingAlgorithm TransportPorts -Confirm:$false Notes on Parameters:
-TeamMembers accepts a coma-separated list of NIC names
-Confirm:false prevents the confirmation prompt from appearing
-TeamNICName (an optional parameter) can be used to name the Virtual/Teamed NIC. If this parameter is not used, the Team name will also be used for the name of the Virtual/Teamed NIC.
A new Virtual/Team NIC will appear in Network Connections.
Use the following PowerShell cmdlet to set the IP config of the Virtual/Team NIC, replacing the example values for each paramter with your own values:
New-NetIPAddress -InterfaceAlias “Team 1” -AddressFamily IPv4 -IPAddress 1.2.3.4 -DefaultGateway 1.2.3.1 -PrefixLength 28

Note: The PrefixLength parameter relates to the subnet mask. In this example, the PrefixLength is set to 28 because the subnet mask is 255.255.255.240 (it is a /28 network.)
Use the following PowerShell cmdlet to set the DNS servers for the Virtual/Team NIC, replacing the example values for each paramter with your own values:
Set-DnsClientServerAddress -InterfaceAlias “Team 1” -ServerAddresses “128.83.185.40”,”128.83.185.41″

Additional NIC Teaming Cmdlets

Additional PowerShell cmdlets dealing with NIC teaming are available on the following techNet article:

http://technet.microsoft.com/en-us/library/jj130849.aspx

NIC Teaming in Windows Server 2012 – Part 1: GUI Method

This is the first in a two-part series on NIC Teaming in Windows Server 2012. Part 1 focuses on the GUI method (using Server Manager.) Part 2 will focus on using PowerShell.

Depending on its configuration, NIC Teaming provides the following benefits

bandwidth aggregation – If you team 2- 1 GB NICs, you have the capability to double your network throughput.
resisiliancy to a dropped network connection – Our data centre has duplicate network infrastructure that connects to all servers: an A network and a B network. When network maintenance needs to be performed (firmware updates on switches, etc.) it is done on each network separately: when maintenanice is performed on the A side, the B side stays online. Each server has a Team that consists of a NIC on the A network and a NIC on the B network.

Creating a NIC Team Using Server Manager

Launch Server Manager.
Select Local Server.
(You can actually configure a NIC Team on one – or more – remote servers by selecting All Servers and then adding servers to the console.)
Click on the (Disabled or Enabled) link next to NIC Teaming.
The NIC Teaming window will appear.
At the top right of the Teams pane, select New Team from the Tasks menu.
A second NIC Teaming window will appear.
1. Provide a Name for the Team.
2. Select the NICs that you want to add to the Team.
3. Click on the expand arrow next to Additional Properties.
4. Select a Teaming Mode.
5. Select a Load Balancing Mode.
6. Click OK to close this window.
A new Virtual/Team NIC will appear in Network Connection. configure TCP/IP for this NIC as you would any other NIC.

To edit the properties or delete a NIC Team, select the Team in the Teams pane and select Properties or Edit from the Tasks menu.

Desired Configuration Management – NLA for Remote Desktop

With the MS12-020 RDP explit that was just announced, I wanted to be able to determine which of our servers have Network Level Authentication enabled for Remote Desktop, which will help reduce the risk until they are patched. I created a Configuration Item to determine if NLA is enabled based on the UserAuthentication value being set to “1” in the following registry key: HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp. After reviewing some comlpiance reports, I noticed some servers were showing up as not compliant even though a GPO was in place to enable NLA for them. Of course, I overlooked the fact that if you enable NLA using Group Policy, the UserAuthentication value is located in HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services.

I have only used the DCM feature of SCCM once before, so I was not very familiar with it. I attempted to find a way to create a second Configuration Item for the second registry location, and create a baseline that reports compliance if one or the other items are validated. It appears this is not possible.

So – in order to get accurate compliance information (whether a server has NLA enabled manually or through Group Policy) I wrote a script to check both registry locations and report as compliant if NLA is enabled in either location.

————
REM This script will detect if Network Level Authentication is enabled either manually or by GPO
REM This script will return “Compliant” if NLA is enabledstrComputer = “.”

Const HKLM = &H80000002

Const PathManual = “System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp”
Const PathGPO = “Software\Policies\Microsoft\Windows NT\Terminal Services”
Const valueName = “UserAuthentication”

Set REG=GetObject(“winmgmts:{impersonationLevel=impersonate}!\\” & strComputer & “\root\default:StdRegProv”)
REG.GetDWORDValue HKLM,PathManual,valueName,manualNLA
REG.GetDWORDValue HKLM,PathGPO,valueName,GPONLA

IF manualNLA = 1 THEN
wscript.echo “Compliant”
ELSEIF GPONLA = 1 THEN
wscript.echo “Compliant”
ELSE
wscript.echo “NOTCompliant”
END IF

————-

This is how the Configuration Item is configured:

On the Settings tab select New – Script.

On the General tab provide a Name, specify VBScript as the Script language, and enter the following script:
On the Validation tab set the Data Type to String, and create a new validation entry by clicking the New button.
The Validation Operator should be set to Equals, and the Value should be set to Compliant (because the script returns either “Compliant” or “NOTCompliant”)

Add this Configuration Item to a Baseline and assign it to a Collection.

Ensure Your Array is an Array

I was working on a PowerShell script that pulls errors out of the Event Log into an array from a list of servers. The script will then report the errors for each server, or will report that no errors were found, as seen in a condensed version of the script below:
$events = Get-EventLog -Computer $ComputerName – Logname Application
IF ($errors.Count -lt 1)
{Write-Output “No errors were found from the application log on $ComputerName”}

This seemed to work most of the time, but on the outputted report there were a few servers that would show an error taken from the Event Log and also state there were no errors found. The first thinig I noticed was that this only happened when a single error was returned from the Event Log. So I thought maybe something was wrong with my logic in the if statement and the use of the count property of the array. The actual problem was that for the servers with only one error, the $errors variable was not an array since it only contained a single value.

In order to ensure the $errors variable was an array, I had to designate it as an array using the @ symbol. I already knew I could declare a new empty array using $newarray = @(), I just didn’t apply that knowledge to this script until I ran into problems and had to do some research online. Below is the new condensed excerpt from my script:
$events = @(Get-EventLog -Computer $ComputerName – Logname Application)
IF ($errors.Count -lt 1)
{Write-Output “No errors were found from the application log on $ComputerName”}

Now $errors will be an array, whether it has just one value, more than one value, or even no values at all.

So when working with an array, make sure your array is an array.