Remove Quick Assist (and other built-in apps) across your enterprise automatically using PowerShell and Microsoft Intune


Disclaimer! Following introduction has been written using Copilot, because time is of the essence and AI is or will be an inevitable thing – also in regard to writing blogs. The script and the rest of the post is written by me. 🙂

In the ever-evolving landscape of cybersecurity, staying one step ahead is crucial. Today, we delve into a PowerShell script designed to enhance your system’s security by removing the Quick Assist app from Windows 11.

As highlighted in this Microsoft Security Blog, threat actors have been misusing Quick Assist in social engineering attacks leading to ransomware. Quick Assist, a built-in remote control app in Windows 11, has been exploited by cybercriminals, notably the financially motivated group Storm-1811, known for deploying Black Basta ransomware.

To counter this threat, our featured PowerShell script, removes the Quick Assist app from your system. This script is a proactive measure to mitigate the risk of such attacks, especially for environments where Quick Assist is not in use.

In the following sections, we’ll walk you through the script and its usage with Microsoft Intune. Let’s get started!

Read more…

Configure ‘Allow logon locally’ automatically using PowerShell and Microsoft Intune

I know Microsoft Intune has the ability to configure this particular user rights assignment natively already. At time of writing, the new security baseline for Windows 11 23H2 in Intune configure this as well, restricting local logons to the built-in groups: Users and Administrators.

This solution does something else. This solution grabs the currently logged on user and configures the ‘Allow logon locally‘ policy to ONLY allow this very user as well as Administrators to be able to log on locally. A custom group is added as well for backup reasons. If no user is logged on, the script does nothing. More details down below.

The solution is made to prevent ‘stealing’ credentials from one user/device and be able to use it on another device within the same environment.

Read more…

Uninstall any application in a jiffy using PowerShell and Microsoft Intune


This post is a just a quick follow up on my previous post: Uninstall any application in a jiffy using PowerShell and Configuration Manager

I received a few questions whether the PowerShell script can be used with Microsoft Intune instead of Microsoft Configuration Manager. And sure! This post will explain one of many approaches available with Intune. 🙂

Read more…

Reduce your attack surface by uninstalling PowerShell version 2 using PowerShell and Microsoft Intune


PowerShell version 2 is to this day still preinstalled on Windows 11 and all Windows Server versions with the exception of Windows Server 2022.

As the reader may know, PowerShell is a powerful tool that plays an important role in administering Windows systems. However, it also contains various features that can be leveraged by attackers with ill intentions.

If PowerShell version 2 is installed, it’s possible to bypass the constrained language mode, which normally is being enforced by application control solutions like AppLocker and similar.

PowerShell Constrained Language is a language mode of PowerShell designed to support day-to-day administrative tasks, yet restrict access to sensitive language elements that can be used to invoke arbitrary Windows APIs

If you haven’t removed PowerShell version 2 already, you should consider looking into it today as an early Christmas present. 🙂

Ps. this solution is only targeting workstations. If you need to remove PowerShell version 2 from servers, you cannot leverage Microsoft Intune. You should instead look into Configuration Manager or similar.

Read more…

How I enabled and tested Windows Copilot for the first time


Last week, on September 21, Microsoft announced that Windows Copilot will begin to roll out to Windows 11, starting September 26.

Curious to know more on managing Windows Copilot, I dug into the various documentation on the subject, as well as researching on Twitter.

I managed to get to enable Windows Copilot on my Intune-managed Windows 11 device. Note that I’m located in Europe, and some documentation suggests that Windows Copilot isn’t available here just yet.

This post serves as notes from the field. 🙂

Read more…

Silently enable BitLocker on non-Modern Standby capable devices using Microsoft Endpoint Manager


I’ve been encrypting my Windows 11 devices using an Endpoint security disk encryption policy for a while now and haven’t had any issues. That’s until today.

Turns out there’s a known issue around this, which I haven’t encountered until now.

If the device in question doesn’t support Modern Standby, you will have to combine the ‘old’ Endpoint protection policies with the new Endpoint security policies. My findings down below.

If the device is HSTI-compliant but doesn’t support Modern Standby, an endpoint protection policy has to be configured to enforce silent BitLocker drive encryption

Read more…

Getting Windows 11 CIS compliant: Configuring Windows Firewall Logging using PowerShell and Microsoft Intune


I’m currently working on getting my Windows 11 devices CIS (CIS Center for Internet Security ( compliant in regards to their benchmark. This takes some effort, especially if you don’t use Group Policy anymore. 🙂

The CIS Benchmark for Microsoft Windows 11 Enterprise dictates that logging for Windows Firewall is enabled, and is configured with certain settings. None of those settings, at the time of writing, are available natively via Intune, so I have chosen to resort to PowerShell and Proactive Remediations.

My scripts will create each log file, for each firewall profile: Domain, Private, Public and make sure those log files are configured with the correct permissions (otherwise the Defender engine won’t have permissions to write to the files). Firewall logging will then be enabled with the recommended values.

Read more…

Configure and use Lenovo BIOS supervisor password during OSD using PowerShell and Configuration Manager


Following up on my previous post, continuing on the Lenovo BIOS password topic. This time I’m illustrating, how you initially can set the supervisor password during the deployment of the operating system.

Last time I mentioned, how this cannot be done remotely for security reasons. However, there are an option to allow this during OSD (Operating System Deployment), called System Deployment Boot Mode. If taking advantage of this, you’re allowed to set the supervisor password programmatically in WinPE.

I’m using PowerShell to do so, and this post will walk you through the necessities.

Read more…

Inventory Lenovo BIOS password states using PowerShell and Proactive Remediations


Configuring the BIOS password on a Lenovo device for the first time, requires manual labor. Either by you or by the OEM before shipping. For security reasons, this cannot be done remotely.

So, what if the idea of having a supervisor password on your devices is relatively new, and you have thousands of devices out there without?

Then you’ll have to come up with a process on getting to them manually, and in this process, knowing exactly which devices that needs attention is key.

Read more…

Use Group Policy analytics to migrate Microsoft 365 Apps Security Baseline to the cloud


A new version of Microsoft 365 Apps for enterprise security baseline was released last week, delivering the latest recommended security configuration for the included applications.

Now, by the time of writing, not everything can be transitioned into Microsoft Intune natively. There are simply not MDM support for each and every setting. So for those settings without MDM support, you will have to leverage ADMX ingestion or PowerShell.

This post will give you insight on using Group Policy Analytics, as well as how to use ADMX ingestion and PowerShell to completely transition management of the security baseline into the cloud.

Read more…