Reduce your attack surface by disabling NetBIOS using PowerShell and Microsoft Intune

April 4, 2024April 3, 2024 by Martin Bengtsson

Introduction

If you are working with device management and IT security in general, you have probably heard about the recommendation to disable the legacy protocol NetBIOS in Windows.

If this is news to you, there’s some interesting reading for you in this article: Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Sub-technique T1557.001 – Enterprise | MITRE ATT&CK

NOTE: Before disabling anything, make sure you do your due diligence and monitor your environment for NetBIOS traffic, so you don’t accidently break stuff! Wireshark can help you with this. 🙂

Uninstall any application in a jiffy using PowerShell and Configuration Manager

December 20, 2023December 17, 2023 by Martin Bengtsson

Introduction

I was recently tasked with the complete removal of Google Chrome from an environment. Google Chrome in question was installed via the default installer from Google, but also via a few custom repackaged installers, so I had multiple product IDs to consider.

Instead of manually looking for each product ID and use that with separate uninstallations, I figured to create some PowerShell code to do that for me automatically and on the fly.

This can be used to uninstall any application registered with the Windows installer, installed either as a .MSI or a select .EXE compiler.

How I enabled and tested Windows Copilot for the first time

September 29, 2023September 29, 2023 by Martin Bengtsson

Introduction

Last week, on September 21, Microsoft announced that Windows Copilot will begin to roll out to Windows 11, starting September 26.

Curious to know more on managing Windows Copilot, I dug into the various documentation on the subject, as well as researching on Twitter.

I managed to get to enable Windows Copilot on my Intune-managed Windows 11 device. Note that I’m located in Europe, and some documentation suggests that Windows Copilot isn’t available here just yet.

This post serves as notes from the field. 🙂

Silently enable BitLocker on non-Modern Standby capable devices using Microsoft Endpoint Manager

December 14, 2022December 14, 2022 by Martin Bengtsson

Introduction

I’ve been encrypting my Windows 11 devices using an Endpoint security disk encryption policy for a while now and haven’t had any issues. That’s until today.

Turns out there’s a known issue around this, which I haven’t encountered until now.

If the device in question doesn’t support Modern Standby, you will have to combine the ‘old’ Endpoint protection policies with the new Endpoint security policies. My findings down below.

If the device is HSTI-compliant but doesn’t support Modern Standby, an endpoint protection policy has to be configured to enforce silent BitLocker drive encryption

Getting Windows 11 CIS compliant: Configuring Windows Firewall Logging using PowerShell and Microsoft Intune

September 14, 2022September 14, 2022 by Martin Bengtsson

Introduction

I’m currently working on getting my Windows 11 devices CIS (CIS Center for Internet Security (cisecurity.org) compliant in regards to their benchmark. This takes some effort, especially if you don’t use Group Policy anymore. 🙂

For those who don’t know CIS benchmarks, get more details here: CIS Benchmarks (cisecurity.org) and here: Center for Internet Security (CIS) Benchmarks – Microsoft Compliance | Microsoft Docs

The CIS Benchmark for Microsoft Windows 11 Enterprise dictates that logging for Windows Firewall is enabled, and is configured with certain settings. None of those settings, at the time of writing, are available natively via Intune, so I have chosen to resort to PowerShell and Proactive Remediations.

My scripts will create each log file, for each firewall profile: Domain, Private, Public and make sure those log files are configured with the correct permissions (otherwise the Defender engine won’t have permissions to write to the files). Firewall logging will then be enabled with the recommended values.

Prevent Write and Execute access to non-approved removable storage using Device Control and Microsoft Intune

July 22, 2022July 22, 2022 by Martin Bengtsson

Introduction

Controlling which and how removable storage devices can be used in your environment, seems to be an increasing demand from new and existing business partners. At least that’s my observation made from within the legal vertical.

It all boils down to preventing data leakage and hardening of your security posture, so I figured showing how this can be achieved with Microsoft Defender for Endpoint Device Control and Microsoft Intune, would make a decent blog post.

Configure and use Lenovo BIOS supervisor password during OSD using PowerShell and Configuration Manager

June 30, 2022June 29, 2022 by Martin Bengtsson

Introduction

Following up on my previous post, continuing on the Lenovo BIOS password topic. This time I’m illustrating, how you initially can set the supervisor password during the deployment of the operating system.

Find my previous post here: Inventory Lenovo BIOS password states using PowerShell and Proactive Remediations – imab.dk

Last time I mentioned, how this cannot be done remotely for security reasons. However, there are an option to allow this during OSD (Operating System Deployment), called System Deployment Boot Mode. If taking advantage of this, you’re allowed to set the supervisor password programmatically in WinPE.

I’m using PowerShell to do so, and this post will walk you through the necessities.

Inventory Lenovo BIOS password states using PowerShell and Proactive Remediations

June 26, 2022June 26, 2022 by Martin Bengtsson

Introduction

Configuring the BIOS password on a Lenovo device for the first time, requires manual labor. Either by you or by the OEM before shipping. For security reasons, this cannot be done remotely.

So, what if the idea of having a supervisor password on your devices is relatively new, and you have thousands of devices out there without?

Then you’ll have to come up with a process on getting to them manually, and in this process, knowing exactly which devices that needs attention is key.

Use Group Policy analytics to migrate Microsoft 365 Apps Security Baseline to the cloud

June 27, 2022June 25, 2022 by Martin Bengtsson

Introduction

A new version of Microsoft 365 Apps for enterprise security baseline was released last week, delivering the latest recommended security configuration for the included applications.

Now, by the time of writing, not everything can be transitioned into Microsoft Intune natively. There are simply not MDM support for each and every setting. So for those settings without MDM support, you will have to leverage ADMX ingestion or PowerShell.

This post will give you insight on using Group Policy Analytics, as well as how to use ADMX ingestion and PowerShell to completely transition management of the security baseline into the cloud.

Escrow BitLocker recovery keys to Azure AD during Feature Update to Windows 11

June 9, 2022 by Martin Bengtsson

Introduction

As promised, I’m continuing my Windows 11 journey, this time giving you a small nugget on how to escrow BitLocker recovery keys to Azure AD during a Windows 11 Feature Update.

In my specific scenario, the recovery keys has so far been stored in on-premises AD. For Windows 11, we change that, and store them in Azure AD instead.

For your convenience, find links to my previous Windows 11 posts here: