Finding Ignite 2020 and Tech Community video hub content with PowerShell

This week at Ignite 2020 Microsoft delivered 811 sessions. Although I did attend several sessions during the live event, I was not able to join all the sessions I wanted to. But luckily most of the sessions are recorded so they can be watched online or if you prefer you can download the video and content. Like every year, Microsoft provides a PowerShell script to download all the content or specific sessions. When you click Read More …

Generating Advanced hunting queries with PowerShell

I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as sown below But if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query. The below Read More …

PowerShell 7 – Group Policy Settings and Eventlogs

On December 16th Joey announced the availability of the PowerShell 7.0 release candidate. Time to look at the configuration options. Since I’m interested in the aspects of managing these settings within an enterprise environment, I closely followed the discussions on GitHub here https://github.com/PowerShell/PowerShell/pull/10468 and here https://github.com/PowerShell/PowerShell/issues/9309 and the outcome of these discussions is documented here https://github.com/PowerShell/PowerShell-RFC/blob/master/4-Experimental-Accepted/RFC0041-Policy.md Installation Now let’s look what options we have for the configuration of logging PowerShell 7 events. Let’s start with Read More …

Importing GPO Security Baselines with PowerShell

Okay there’s this rule , if you do something manually for the third time, it’s about time to think of automating it. Here’s a script that I created to create Group Policy Objects and import the security baseline settings. The script will work with any security baseline that is provided with Group Policy backups e.g. Microsoft Security baseline, CIS, NSA. Let me show you this with an example: First download the latest Microsoft Security baseline Read More …

Extract ConfigMgr Script Status Results with PowerShell

During a recent customer engagement I had to collect the size of user profiles across a large number of devices. I was first thinking of using a script that would collect the information we need, store it into a custom WMI table and then collect the data using ConfigMgr hardware inventory, but since we only needed a one time snapshot of this information I decided against that idea. The next option would be to go Read More …

ConfigMgr CMPivot , the PowerShell Script, the Events…

While working with CMPivot this week, I wanted to find out how locally on the client the data is collected, I already knew that when you execute a CMPivot query from the ConfigMgr console, it will run the query on the target device and returns the result back to ConfigMgr. While investigating I also came across this blog post CM Pivot Internals that describes how things work, nevertheless I wanted to dig a bit deeper. Read More …

Microsoft Defender ATP – Live Response

Back in May the Microsoft Defender Advanced Threat Protection team announced the availability of the Live response feature in MDATP. Today I took a closer look at this and thought I’d share my experiences and findings. What’s that live response thing again? “Live response is a capability that gives you instantaneous access to a machine using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions Read More …

The case of Running the Device and Credential Guard Hardware Readiness Tool and unknown architecture

To close this week, let me share my findings with you about running the Windows Device and Credential Guard Hardware Readiness Tool and the unknown architecture error. Believe it or not, there are still people, probably more than I assume, that run Windows in their native language instead of English. I can understand when end users do so, but honestly when administrating an infrastructure? Anyway, I recently worked for a client where the UI is Read More …

Exploring Microsoft Cloud App Security with PowerShell – Part1

Last Friday I was given the opportunity to present at the Configuration Manager Community Event (CMCE1905) in Bern, Switzerland. Although Microsoft Cloud App Security is not really related to ConfigMgr, many of the attendees are dealing with managing classic and modern workplaces and security is almost on everyone’s list of interest. During my session “Unleash the power of Microsoft Cloud App Security” I also demonstrated how one can explore information within Microsoft Cloud App Security Read More …

Check Windows Defender ATP Client Status with PowerShell

Here’s a little utility to check the status of Windows Defender ATP on a local or remote client. I basically took some code from the WDATP connectivity verification tool, removed the network connectivity testing part (I might add that later as well) and transformed the code so it can be used to check whether the client is properly onboarded and if all required services are running.