How To Get There From Here: Monitor Passkey and Phishing-resistant MFA User Adoption with PowerShell

January 19, 2026January 19, 2026 by Martin Bengtsson

Introduction

In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys and phishing-resistant MFA in Microsoft Entra ID. In the previous post, we implemented break glass accounts with passkey (FIDO2) authentication.

This post covers the next practical step: Monitoring passkey adoption across your organization.

Microsoft Entra ID provides authentication method reports in the portal, but tracking passkey adoption at scale isn’t straightforward. While you can view individual user registration details, identifying users who haven’t enrolled passkeys requires manual work – exporting data, filtering through lists, and piecing together adoption statistics across your organization.

This post shares a PowerShell script that queries Microsoft Graph API to check authentication method enrollment at scale. The script can track Microsoft Authenticator, Passkey (FIDO2), or both methods across all users or specific groups. It generates adoption statistics and identifies users who haven’t enrolled the required methods.

Yet again, we’ll show you How To Get There From Here. 🔒

How To Get There From Here: Break Glass Account With Phishing-resistant MFA in Entra ID

January 19, 2026January 17, 2026 by Martin Bengtsson

Introduction

In the first episode of How To Get There From Here 🎙️, we talked with Michael Mardahl about passkeys in Microsoft Entra ID – what they are, how they work, and how to get started with phishing-resistant and passwordless authentication.

As Conditional Access policies become more complex and phishing-resistant authentication becomes a requirement, break glass accounts need to be configured correctly. An improperly configured emergency access account won’t help during an actual lockout scenario.

This post documents how to set up a break glass account with passkey (FIDO2) authentication from scratch. Microsoft recommends phishing-resistant MFA for emergency access accounts, and we’ll walk through the complete implementation in our own tenant.

Each step is covered, including TAP configuration, passkey registration, SSPR handling, and Conditional Access exclusions. The process follows Microsoft’s official guidance while showing the practical details you’ll encounter when building this yourself.

This walkthrough is a collaboration between Martin Bengtsson and Christian Frohn, documenting the implementation in our tenant.

So when your Conditional Access policies say “you can’t get there from here,” we’ll show you How To Get There From Here.

Deploying and configuring uBlock Origin Lite with PowerShell and Microsoft Intune

December 8, 2025December 7, 2025 by Martin Bengtsson

Introduction

Ad blocking is often dismissed as a convenience feature for users tired of intrusive banners and pop-ups. But in 2025 – almost 2026 – it’s time to reframe the conversation: ad blocking is a fundamental security control every organization should implement.

Malvertising has become an extremely effective attack vector. Threat actors exploit legitimate ad networks to deliver malware, phishing sites, and exploit kits – even on trusted websites. Tracking scripts in ads also collect sensitive data, creating privacy and compliance risks.

The good news? Ad blocking is free, proven security you can deploy today. Installing uBlock Origin Lite is easy. Configuring it at scale for an enterprise? That’s the challenging part. In this post, I’ll show you how I solved that challenge with a comprehensive PowerShell script that centrally configures uBlock Origin Lite across managed browsers using Microsoft Intune.

Building a Break-Glass Local Admin Solution for Windows 11 using Intune and Defender for Endpoint

November 5, 2025November 4, 2025 by Martin Bengtsson

Introduction

I’ve been in situations where I needed local admin access to a device, and I needed it *now*. Users couldn’t log in, LAPS wouldn’t retrieve passwords, or domain connectivity and trust had failed. You’re staring at a locked device with no way in, and waiting isn’t an option.

Modern endpoint management is fantastic until it isn’t. We’ve eliminated persistent local admin accounts, embraced cloud authentication, and deployed LAPS – all best practices. But what happens when all of those fail simultaneously?

This post documents the break-glass solution I built for those “need it now” scenarios: a remotely deployable emergency local administrator account using Intune Remediations, with monitoring through Microsoft Defender for Endpoint.

💡 By default, remediations run on a schedule. However, you can run remediations on-demand in Intune, which triggers the scripts to execute instantly (almost) on targeted devices via Windows Notification Service (WNS). This is critical for true emergencies when you can’t wait.

Automating ‘Have I Been Pwned’ Breach Checks for Entra ID Groups using PowerShell

October 26, 2025October 25, 2025 by Martin Bengtsson

Introduction

In today’s digital landscape, data breaches are unfortunately common. As security-conscious professionals, we need to be proactive about monitoring whether our users’ credentials have been compromised. That’s why I built an automated PowerShell tool that checks Entra ID (Azure AD) group members against the Have I Been Pwned database.

The tool generates professional HTML and PDF reports that are perfect for security audits, compliance documentation, and executive briefings – making it easy to communicate breach findings to both technical and non-technical audiences.

Also, it was Friday evening, and I needed a fun project to wrap up the week – turns out automating security checks is a pretty good way to spend it! 😀

Auditing Password Reuse in On-Premises Active Directory with PowerShell and DSInternals

November 2, 2025October 21, 2025 by Martin Bengtsson

Introduction

Password reuse among privileged accounts represents one of the most critical security vulnerabilities in on-premises Active Directory environments.

When multiple privileged accounts share the same password, a single compromise can cascade across your entire infrastructure.

In this post, I’ll demonstrate how to audit your Active Directory environment for shared passwords using PowerShell and the DSInternals module.

Blocking SSH binaries with AppLocker and Port 22 in Windows Firewall Using Microsoft Intune

October 6, 2025 by Martin Bengtsson

Introduction

Outbound SSH can be a serious blind spot. Attackers can use SSH tunnels to bypass firewalls, EDR, and even AppLocker — proxying malicious activity without running tools directly on the host. This enables lateral movement and internal compromise.

To mitigate this, I block outbound SSH connections and enforce application control on SSH binaries using Microsoft Intune, combining Windows Firewall and AppLocker for layered protection.

Windows Protected Print: Securing Printing on Windows 11 with Microsoft Intune

September 17, 2025August 14, 2025 by Martin Bengtsson

Introduction

Windows Protected Print (WPP) is a new feature in Windows 11 24H2 designed to enhance print security by addressing vulnerabilities such as PrintNightmare. No more dodgy third-party drivers! WPP uses the Internet Printing Protocol (IPP) and Mopria-certified printers to keep things secure and simple. Let’s break down how it works with Windows 11, how to manage it with Microsoft Intune, and what to do when things go south. Buckle up!

Automating Sysmon installation and configuration with PowerShell

February 18, 2025 by Martin Bengtsson

Introduction

In today’s fast-paced digital world, quick response to security incidents is crucial. Sysmon (System Monitor) from Microsoft’s Sysinternals suite is an essential tool for detailed system monitoring and security analysis. However, traditional installation can be time-consuming, especially in urgent situations.

This blog post introduces a PowerShell script that automates the download, extraction, and installation of Sysmon, along with applying a pre-configured setup. This rapid deployment ensures your systems are monitored and protected within minutes, enhancing your incident response capabilities and maintaining a strong security posture.

Encrypt your files located in Desktop, Documents and Photos in Windows 11 24H2 using Personal Data Encryption and Microsoft Intune

November 22, 2024 by Martin Bengtsson

Introduction

In an era where data breaches and cyber threats are increasingly common, protecting your personal files has never been more important.

With the release of Windows 11 24H2, Microsoft has introduced enhanced features for personal data encryption, making it easier than ever to secure your sensitive information.

This blog post will guide you through the process of encrypting your files located in Desktop, Documents, and Photos using Personal Data Encryption and Microsoft Intune.