BIG ANNOUNCEMENT: Toast Notification Script v3 is here!

I’ve been in situations where I needed local admin access to a device, and I needed it *now*. Users couldn’t log in, LAPS wouldn’t retrieve passwords, or domain connectivity and trust had failed. You’re staring at a locked device with no way in, and waiting isn’t an option.

Modern endpoint management is fantastic until it isn’t. We’ve eliminated persistent local admin accounts, embraced cloud authentication, and deployed LAPS – all best practices. But what happens when all of those fail simultaneously?

This post documents the break-glass solution I built for those “need it now” scenarios: a remotely deployable emergency local administrator account using Intune Remediations, with monitoring through Microsoft Defender for Endpoint.

💡 By default, remediations run on a schedule. However, you can run remediations on-demand in Intune, which triggers the scripts to execute instantly (almost) on targeted devices via Windows Notification Service (WNS). This is critical for true emergencies when you can’t wait.

Automating ‘Have I Been Pwned’ Breach Checks for Entra ID Groups using PowerShell

October 26, 2025October 25, 2025 by Martin Bengtsson

Introduction

In today’s digital landscape, data breaches are unfortunately common. As security-conscious professionals, we need to be proactive about monitoring whether our users’ credentials have been compromised. That’s why I built an automated PowerShell tool that checks Entra ID (Azure AD) group members against the Have I Been Pwned database.

The tool generates professional HTML and PDF reports that are perfect for security audits, compliance documentation, and executive briefings – making it easy to communicate breach findings to both technical and non-technical audiences.

Also, it was Friday evening, and I needed a fun project to wrap up the week – turns out automating security checks is a pretty good way to spend it! 😀

Auditing Password Reuse in On-Premises Active Directory with PowerShell and DSInternals

November 2, 2025October 21, 2025 by Martin Bengtsson

Introduction

Password reuse among privileged accounts represents one of the most critical security vulnerabilities in on-premises Active Directory environments.

When multiple privileged accounts share the same password, a single compromise can cascade across your entire infrastructure.

In this post, I’ll demonstrate how to audit your Active Directory environment for shared passwords using PowerShell and the DSInternals module.

How I stole my colleague’s OneDrive content and WiFi passwords using a fake iPhone cable and PowerShell

October 9, 2023October 8, 2023 by Martin Bengtsson

Introduction

Big disclaimer: This is done for educational purposes. Do not steal anyone’s OneDrive content or WiFi passwords – actually don’t steal anything at all. 🙂

Endpoint management and endpoint security are 2 sides of the same coin, which means I’m heavily invested in both worlds. I run internal attack simulations several times a year, and recently came up with a new idea in educating our users.

How about I demo how a fake iPhone cable is enough to steal their OneDrive content and password for their home WiFi?

This post will walk you through the details of doing just that. This involves the use of the infamous O.MG cable and a custom payload launching my PowerShell script directly from GitHub – and ultimately uploading the stolen loot to Dropbox.

Digitally signing my Toast Notification Script to use with ConfigMgr, AppLocker and Constrained Language Mode

January 6, 2022January 5, 2022 by Martin Bengtsson

Introduction

My Toast Notification Script unfortunately only works in PowerShell Full Language Mode (for the time being. I have plans to look into this).

This requirement does not work well with AppLocker and having Constrained Language Mode enabled. My solution to this, is to digitally sign the New-ToastNotification.ps1 file. While working my way through the process myself, I realized that a few changes to the Toast Notification Script itself was needed.

The changes made to this “edition” of the script, are only targeted Configuration Manager. I’m not sure that moving between PowerShell Language Modes coming from Proactive Remediations in Intune, is something that’s possible (if anyone knows this, please let me know).

Additionally to the changes needed, I thought the process itself would make a decent and useful blog post. So here goes. 🙂

Remove desktop shortcuts for the current user and public profile using PowerShell and Proactive Remediations

October 11, 2021October 9, 2021 by Martin Bengtsson

Introduction

I think most IT-professionals who’s working with software delivery in some sort, has dealt with software and software installers in general, that puts a shortcut on the desktop by default. Annoying indeed.

Typically you’re in for a treat, when trying to figure out how to customize the installer, to prevent the shortcut on the desktop from being created. It’s not rare either, that the installer simply doesn’t support that.

And finally, we are all aware of the desktop-shortcut-mess, when using OneDrive PC folder backup (formerly known as ‘Known Folder Move’), where shortcuts are duplicated and synced between devices. Yikes.

Long story short, I was tired of spending time on desktop shortcuts, so I figured it was time to create my own solution to the problem.

Install the new Remote Desktop Connection Manager (RDCMan) with ConfigMgr and PowerShell

June 28, 2021 by Martin Bengtsson

Introduction

Another kickstarting blog post, getting into the swing of things again after a somewhat lacking period.

Now, RDCman has been revived and arrived last week in a new version 2.8.

For fun and giggles, I did a short PowerShell script which uninstalls the old version (2.7, registered with windows installer) and downloads the new version 2.8 directly from live.sysinternals.com.

This is a little something on the script itself and how to put that to use with ConfigMgr.

Windows 10 Toast Notification Script Update: Improved re-run behavior with ConfigMgr and allow running in SYSTEM context

April 20, 2021April 20, 2021 by Martin Bengtsson

Introduction

A new version of the Windows 10 Toast Notification Script is here. The script is now being on version 2.2.0.

This version brings the option to run the script and thus display toast notifications coming from SYSTEM context.

A requirement has been so far, that the script is being run with the logged on user’s credentials. This is still recommended, but for scenarios where this is not possible, like running this with a task sequence (task sequences always run as local system), this new ability will give you the option to display toast notification for the logged on user, even if coming from local system context.

The work done here, with running the script under SYSTEM, is entirely done by Andrew. Thank you!

Also, with a built-in prevention of having multiple toast notifications being displayed in a row, the script is now also better at handling the re-run behavior in ConfigMgr. Having multiple toast notification displayed in a row, is something that can happen, if a device misses a deployment schedule. The nature of ConfigMgr is to catch up on the missed schedule, and this can lead to multiple toast notifications being displayed.

Notify users when their device is running low on disk space using Toast Notifications and Endpoint Analytics Proactive Remediations

February 4, 2021February 3, 2021 by Martin Bengtsson

Introduction

This is a follow up, on the post I did a few weeks ago, on notifying users with devices being low on disk space, using Toast Notifications and Configuration Manager

Find the mentioned post here: Notify users when their device is running low on disk space using Toast Notifications and Configuration Manager

This time, I’m moving all of it, into the Endpoint Analytics Proactive Remediations feature of Microsoft Endpoint Manager Intune. This will actually simplify things a lot, as it removes the need for custom collections, Configuration Items and Baselines.