From 787360c706f22543a4fea56bb670d34855a490bc Mon Sep 17 00:00:00 2001
From: Tom Frost
Date: Tue, 17 Feb 2026 13:28:39 +0100
Subject: [PATCH] Fail fast when FIPS policy is enabled for weak password test
---
CHANGELOG.md | 6 ++++++
Test-WeakADPasswords.ps1 | 26 ++++++++++++++++++++++++--
2 files changed, 30 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 38081a6..171890e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@
 ## 2026-02-17
+### Test-WeakADPasswords.ps1 v1.4.4
+Changed:
+- Added startup FIPS policy detection (`HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled`) with fail-fast behavior and explicit remediation steps to avoid opaque DSInternals runtime failures.
+
+## 2026-02-17
+
 ### Test-WeakADPasswords.ps1 v1.4.3
 Fixed:
 - Added explicit handling for `Microsoft.PowerShell.Commands.WriteErrorException,DSInternals.Bootstrap.psm1` so known FIPS bootstrap errors are downgraded to a controlled warning when possible, with a clear fail message if DSInternals cannot load under policy.
diff --git a/Test-WeakADPasswords.ps1 b/Test-WeakADPasswords.ps1
index be6d939..53dcee1 100644
--- a/Test-WeakADPasswords.ps1
+++ b/Test-WeakADPasswords.ps1
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Test-WeakADPasswords.ps1 ##
-## Version: 1.4.3 ##
+## Version: 1.4.4 ##
 ## Support: support@cqre.net ##
 ##################################################
@@ -92,7 +92,7 @@ function Invoke-UsageBeacon {
 if ($normalizedMethod -in @('POST', 'PUT')) {
 $payload = [ordered]@{
 script = 'Test-WeakADPasswords'
- version = '1.4.3'
+ version = '1.4.4'
 ranAtUtc = (Get-Date).ToUniversalTime().ToString('o')
 }
 if (-not [string]::IsNullOrWhiteSpace($InstanceId)) {
@@ -217,6 +217,28 @@ if ($runningInPSCore -and -not $onWindows) {
 throw 'This script requires Windows when running under PowerShell 7 (AD/DSInternals are Windows-only).'
 }
+function Test-IsFipsPolicyEnabled {
+ if (-not $onWindows) { return $false }
+ try {
+ $fipsReg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' -Name Enabled -ErrorAction Stop
+ return ([int]$fipsReg.Enabled -eq 1)
+ } catch {
+ return $false
+ }
+}
+
+if (Test-IsFipsPolicyEnabled) {
+ throw @"
+FIPS policy is enabled on this host (HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled = 1).
+Test-WeakADPasswords uses DSInternals/AD replication operations that are not fully compatible with this policy in this environment.
+
+Remediation:
+1. Run this script from a dedicated non-FIPS workstation/jump host.
+2. If approved by your security policy, temporarily disable local FIPS policy for this host, run the test, then re-enable it.
+3. If FIPS must remain enforced, use an alternative fully FIPS-validated workflow/tool for weak password assessment.
+"@
+}
+
 function Test-IsAdmin {
 try {
 $wi = [Security.Principal.WindowsIdentity]::GetCurrent()
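Review bot: The bare `catch { return $false }` in Test-IsFipsPolicyEnabled fails open: any registry read error other than the key or value being absent is reported as "policy not enabled", and the run then proceeds into exactly the opaque DSInternals failures this commit is meant to pre-empt. Only the not-found case should map to `$false` silently; everything else deserves a warning so the operator knows the check was inconclusive, e.g. `} catch [System.Management.Automation.ItemNotFoundException] { return $false } catch { Write-Warning "FIPS policy check inconclusive: $($_.Exception.Message)"; return $false }`. A present key with no `Enabled` value appears to surface as a PSArgumentException rather than ItemNotFoundException, so that case needs the same not-found treatment — please verify before narrowing the catch. The unconditional throw also overrides the v1.4.3 behaviour described in this patch's changelog entry, where a known FIPS bootstrap error was downgraded to a warning when DSInternals still loaded; a one-line comment above `if (Test-IsFipsPolicyEnabled) {` stating that fail-fast is now deliberate even when DSInternals might load would keep the next maintainer from reverting it.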