Automating ‘Have I Been Pwned’ Breach Checks for Entra ID Groups using PowerShell

October 26, 2025October 25, 2025 by Martin Bengtsson

Introduction

In today’s digital landscape, data breaches are unfortunately common. As security-conscious professionals, we need to be proactive about monitoring whether our users’ credentials have been compromised. That’s why I built an automated PowerShell tool that checks Entra ID (Azure AD) group members against the Have I Been Pwned database.

The tool generates professional HTML and PDF reports that are perfect for security audits, compliance documentation, and executive briefings – making it easy to communicate breach findings to both technical and non-technical audiences.

Also, it was Friday evening, and I needed a fun project to wrap up the week – turns out automating security checks is a pretty good way to spend it! 😀

How to manage the new Microsoft 365 companion apps rolling out to Windows 11

October 3, 2025October 3, 2025 by Martin Bengtsson

Introduction

Microsoft is introducing new Microsoft 365 companion apps to Windows 11 devices as part of a broader integration effort. These apps may be installed automatically unless you opt out, but you can also choose to install them early for testing.

In this post, I’ll walk through how to manage the rollout: opting out of auto-installation, installing manually, uninstalling if needed, disabling automatic startup, and pinning the apps to your taskbar for quick access.

Windows Protected Print: Securing Printing on Windows 11 with Microsoft Intune

September 17, 2025August 14, 2025 by Martin Bengtsson

Introduction

Windows Protected Print (WPP) is a new feature in Windows 11 24H2 designed to enhance print security by addressing vulnerabilities such as PrintNightmare. No more dodgy third-party drivers! WPP uses the Internet Printing Protocol (IPP) and Mopria-certified printers to keep things secure and simple. Let’s break down how it works with Windows 11, how to manage it with Microsoft Intune, and what to do when things go south. Buckle up!

Prevent users from switching and migrating to new Outlook using PowerShell and Microsoft Intune

December 9, 2024December 8, 2024 by Martin Bengtsson

Introduction

The new Outlook transitioned from preview to general availability (GA) in August 2024. If you’re using Microsoft 365 apps for Enterprise (formerly known as Microsoft Office) on the current channel, you might be automatically switched from the classic Outlook to the new Outlook starting January 2025, unless you take action now!

I’m already leveraging some comprehensive PowerShell scripts to manage parts of the registry within our environment, so it didn’t take long for me to add the necessary registry keys and values to:

Remove the toggle to switch to the new Outlook.
Prevent future automatic migration to the new Outlook.

In this post, I’ll share the PowerShell script I’m using to prevent users from migrating to the new Outlook if your environment isn’t quite ready for it. If the script seem too complex for your needs, let this post serve as both inspiration and a reminder about the new Outlook.

I was troubleshooting a missing Microsoft 365 add-in in Outlook and this was the solution

February 12, 2025December 7, 2024 by Martin Bengtsson

Introduction

In this brief post, I will share the solution to a recurring issue within our environment where a Microsoft 365 add-in (also known as an integrated app) deployed from the Microsoft 365 admin center was frequently missing in Outlook.

The custom integrated app in question is deployed by uploading an add-in manifest to the Microsoft 365 admin center. From there, it is assigned to either the entire organization or a selected group of users.

In this instance, the add-in manifest was updated with a new version. However, the changes were not properly reflected in Outlook for our users.

It appears that Outlook does not effectively clear cached content from the add-in. Therefore, it is recommended to manually clear this cache if any issues arise.

Getting Windows 11 CIS compliant: Configuring Windows Firewall Logging using PowerShell and Microsoft Intune

September 14, 2022September 14, 2022 by Martin Bengtsson

Introduction

I’m currently working on getting my Windows 11 devices CIS (CIS Center for Internet Security (cisecurity.org) compliant in regards to their benchmark. This takes some effort, especially if you don’t use Group Policy anymore. 🙂

For those who don’t know CIS benchmarks, get more details here: CIS Benchmarks (cisecurity.org) and here: Center for Internet Security (CIS) Benchmarks – Microsoft Compliance | Microsoft Docs

The CIS Benchmark for Microsoft Windows 11 Enterprise dictates that logging for Windows Firewall is enabled, and is configured with certain settings. None of those settings, at the time of writing, are available natively via Intune, so I have chosen to resort to PowerShell and Proactive Remediations.

My scripts will create each log file, for each firewall profile: Domain, Private, Public and make sure those log files are configured with the correct permissions (otherwise the Defender engine won’t have permissions to write to the files). Firewall logging will then be enabled with the recommended values.

Prevent Write and Execute access to non-approved removable storage using Device Control and Microsoft Intune

July 22, 2022July 22, 2022 by Martin Bengtsson

Introduction

Controlling which and how removable storage devices can be used in your environment, seems to be an increasing demand from new and existing business partners. At least that’s my observation made from within the legal vertical.

It all boils down to preventing data leakage and hardening of your security posture, so I figured showing how this can be achieved with Microsoft Defender for Endpoint Device Control and Microsoft Intune, would make a decent blog post.

Inventory Lenovo BIOS password states using PowerShell and Proactive Remediations

June 26, 2022June 26, 2022 by Martin Bengtsson

Introduction

Configuring the BIOS password on a Lenovo device for the first time, requires manual labor. Either by you or by the OEM before shipping. For security reasons, this cannot be done remotely.

So, what if the idea of having a supervisor password on your devices is relatively new, and you have thousands of devices out there without?

Then you’ll have to come up with a process on getting to them manually, and in this process, knowing exactly which devices that needs attention is key.

Use Group Policy analytics to migrate Microsoft 365 Apps Security Baseline to the cloud

June 27, 2022June 25, 2022 by Martin Bengtsson

Introduction

A new version of Microsoft 365 Apps for enterprise security baseline was released last week, delivering the latest recommended security configuration for the included applications.

Now, by the time of writing, not everything can be transitioned into Microsoft Intune natively. There are simply not MDM support for each and every setting. So for those settings without MDM support, you will have to leverage ADMX ingestion or PowerShell.

This post will give you insight on using Group Policy Analytics, as well as how to use ADMX ingestion and PowerShell to completely transition management of the security baseline into the cloud.

Deploy your Always On VPN Profile for Windows 11 using Proactive Remediations in Microsoft Intune

January 26, 2022January 26, 2022 by Martin Bengtsson

Introduction

Why would you do this, when there’s a built-in option to do so, you may ask?

Well, I needed an alternative, as I kept getting some weird errors when using the built-in configuration profile in Intune. The errors only happens for me on Windows 11, so while I’m investigating these, I wanted to have an alternative in order for us to move on with our Windows 11 process.

EDIT: I was just made aware in the comment section, that there’s a known issue around this. Granted, this post can obviously serve as a workaround (or permanent solution moving forward) 🙂

Also, there’s still no option to lock the VPN strategy to SSTP-only in the native configuration profile in Intune. For that I used to run another weekly PowerShell script, resetting the strategy from IKEv2 to SSTP-only. Using a solution like this, also removes that requirement.