PowerShell

Reduce your attack surface by disabling NetBIOS using PowerShell and Microsoft Intune

by

Introduction

If you are working with device management and IT security in general, you have probably heard about the recommendation to disable the legacy protocol NetBIOS in Windows.

If this is news to you, there’s some interesting reading for you in this article: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Sub-technique T1557.001 – Enterprise | MITRE ATT&CK

NOTE: Before disabling anything, make sure you do your due diligence and monitor your environment for NetBIOS traffic, so you don’t accidently break stuff! Wireshark can help you with this. 🙂

Read more…

Uninstall any application in a jiffy using PowerShell and Microsoft Intune

by

Introduction

This post is a just a quick follow up on my previous post: Uninstall any application in a jiffy using PowerShell and Configuration Manager

I received a few questions whether the PowerShell script can be used with Microsoft Intune instead of Microsoft Configuration Manager. And sure! This post will explain one of many approaches available with Intune. 🙂

Read more…

Reduce your attack surface by uninstalling PowerShell version 2 using PowerShell and Microsoft Intune

by

Introduction

PowerShell version 2 is to this day still preinstalled on Windows 11 and all Windows Server versions with the exception of Windows Server 2022.

As the reader may know, PowerShell is a powerful tool that plays an important role in administering Windows systems. However, it also contains various features that can be leveraged by attackers with ill intentions.

If PowerShell version 2 is installed, it’s possible to bypass the constrained language mode, which normally is being enforced by application control solutions like AppLocker and similar.

PowerShell Constrained Language is a language mode of PowerShell designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs

If you haven’t removed PowerShell version 2 already, you should consider looking into it today as an early Christmas present. 🙂

Ps. this solution is only targeting workstations. If you need to remove PowerShell version 2 from servers, you cannot leverage Microsoft Intune. You should instead look into Configuration Manager or similar.

Read more…

Automatically remove and disable unwelcome objects from privileged on-premises Active Directory groups using Microsoft Sentinel

by

Introduction

Active Directory is a prime target for attackers – and for most organizations something that’s considered the crown jewels. This is due to Active Directory still being the bread and butter for most organizations in regard to authentication and authorization.

When it comes to security, automation is your best friend and keeping a close eye on privileged group membership should be on top of your list.

This post will walk you through, how you can make sure no unwelcome objects make their way into privileged groups in on-premises AD, by leveraging Microsoft Sentinel and its option to run playbooks automated.

This breaks down to Microsoft Sentinel generating an alert, which triggers the associated Playbook, which triggers a Logic app, which triggers a Runbook in an Automation Account, which ultimately runs a PowerShell script on an on-premises server.

Big shout out to my colleague Christian Frohn Petersen who assisted in setting up the prerequisites for this solution. 🙂

Read more…

Getting Windows 11 CIS compliant: Configuring Windows Firewall Logging using PowerShell and Microsoft Intune

by

Introduction

I’m currently working on getting my Windows 11 devices CIS (CIS Center for Internet Security (cisecurity.org) compliant in regards to their benchmark. This takes some effort, especially if you don’t use Group Policy anymore. 🙂

The CIS Benchmark for Microsoft Windows 11 Enterprise dictates that logging for Windows Firewall is enabled, and is configured with certain settings. None of those settings, at the time of writing, are available natively via Intune, so I have chosen to resort to PowerShell and Proactive Remediations.

My scripts will create each log file, for each firewall profile: Domain, Private, Public and make sure those log files are configured with the correct permissions (otherwise the Defender engine won’t have permissions to write to the files). Firewall logging will then be enabled with the recommended values.

Read more…

Configure and use Lenovo BIOS supervisor password during OSD using PowerShell and Configuration Manager

by

Introduction

Following up on my previous post, continuing on the Lenovo BIOS password topic. This time I’m illustrating, how you initially can set the supervisor password during the deployment of the operating system.

Last time I mentioned, how this cannot be done remotely for security reasons. However, there are an option to allow this during OSD (Operating System Deployment), called System Deployment Boot Mode. If taking advantage of this, you’re allowed to set the supervisor password programmatically in WinPE.

I’m using PowerShell to do so, and this post will walk you through the necessities.

Read more…

Inventory Lenovo BIOS password states using PowerShell and Proactive Remediations

by

Introduction

Configuring the BIOS password on a Lenovo device for the first time, requires manual labor. Either by you or by the OEM before shipping. For security reasons, this cannot be done remotely.

So, what if the idea of having a supervisor password on your devices is relatively new, and you have thousands of devices out there without?

Then you’ll have to come up with a process on getting to them manually, and in this process, knowing exactly which devices that needs attention is key.

Read more…

Use Group Policy analytics to migrate Microsoft 365 Apps Security Baseline to the cloud

by

Introduction

A new version of Microsoft 365 Apps for enterprise security baseline was released last week, delivering the latest recommended security configuration for the included applications.

Now, by the time of writing, not everything can be transitioned into Microsoft Intune natively. There are simply not MDM support for each and every setting. So for those settings without MDM support, you will have to leverage ADMX ingestion or PowerShell.

This post will give you insight on using Group Policy Analytics, as well as how to use ADMX ingestion and PowerShell to completely transition management of the security baseline into the cloud.

Read more…

Escrow BitLocker recovery keys to Azure AD during Feature Update to Windows 11

by

Introduction

As promised, I’m continuing my Windows 11 journey, this time giving you a small nugget on how to escrow BitLocker recovery keys to Azure AD during a Windows 11 Feature Update.

In my specific scenario, the recovery keys has so far been stored in on-premises AD. For Windows 11, we change that, and store them in Azure AD instead.

For your convenience, find links to my previous Windows 11 posts here:

Read more…

Customize your Windows 11 taskbar during OSD with ConfigMgr using just PowerShell

by

Introduction

A short and sweet blog post to re-kickstart my blogging activities, after a long period focusing on cybersecurity and the increased cybersecurity threat towards organizations. For same reasons, my Windows 11 project has temporarily been on pause.

However, now I’m back working on Windows 11, showing how you can customize the taskbar during OSD (Operating System Deployment) with Configuration Manager using just PowerShell (and no source files).

And yes, we are still leveraging Configuration Manager for regular OSD. This still makes the most sense for our type of business. 🙂

Read more…