The problem? Those leftover admin rights don’t go away on their own. Over time, they quietly pile up and turn into a serious security risk, which most monitoring tools never bother to check. If you don’t know who’s in the local Administrators group, you’re basically trusting luck.

In this guide, I’ll walk you trough how to use Intune and Log Analytics to get a clear, reliable report of who actually has local admin access on every device in your environment.

Solution Overview

We use a proactive approach to ensure no local admins stay hidden:

1. Detection: A PowerShell script runs daily on every machine to query the administrators group.
2. Ingestion: Data is sent to a custom table in our Log Analytics Workspace.
3. Analysis: KQL queries filter out authorized local administrator accounts to highlight outliers.

1. The PowerShell Collection Script

This script gathers members of the local admin group and sends the data to Azure. By running this via Intune, we get a fresh snapshot of the local admins on each PC every 24 hours.

Prerequisite 1: Get the $CustomerID from the log analytics workspace Overview tab.

Prerequisite 2: To get the $SharedKey, use this AZ CLI query.

az monitor log-analytics workspace get-shared-keys \
   --resource-group xxxxx \
   --workspace-name xxxxxx \
   --query "primarySharedKey"

# --------------------------------------------------------------------------
# PowerShell Script: Send Local Administrator Group Members to Log Analytics
# --------------------------------------------------------------------------

# ======================
# 1. Configuration
# ======================
$CustomerID = "<your-customer-id>"
$SharedKey  = "<your-shared-key>"
$LogType    = "LocalAdminReport"

# ======================
# 2. Data Collection
# ======================
$DeviceName = $env:COMPUTERNAME

try {
    $AdminMembers = Get-LocalGroupMember -Group "Administrators"
} catch {
    Write-Error "Error retrieving local group members: $($_.Exception.Message)"
    exit 1
}

$DataToSend = @()
foreach ($Member in $AdminMembers) {
    $MemberName = $Member.Name
    $MemberSource = $Member.PrincipalSource
    if (-not [string]::IsNullOrEmpty($MemberName)) {
        $DataToSend += [PSCustomObject]@{
            DeviceName = $DeviceName
            AdminName  = $MemberName
            PrincipalSource = $MemberSource
            TimeGenerated = (Get-Date -Format s)
        }
    }
}

if ($DataToSend.Count -eq 0) {
    Write-Host "No members found in the Administrators group. Skipping log submission."
    exit 0
}

$JsonPayload = $DataToSend | ConvertTo-Json -Depth 5

# ======================
# 3. Build Request and Signature
# ======================
$Bytes         = [System.Text.Encoding]::UTF8.GetBytes($JsonPayload)
$ContentLength = $Bytes.Length
$APIVersion    = "2016-04-01"
$Date          = (Get-Date).ToUniversalTime().ToString("r")
$ResourcePath  = "/api/logs"

# Build the string for signature (see MS Docs)
$SignatureString = "POST`n$ContentLength`napplication/json`nx-ms-date:$Date`n$ResourcePath"

# Decode Shared Key and calculate signature
try {
    $KeyBytes   = [Convert]::FromBase64String($SharedKey)
    $HMACSHA256 = New-Object System.Security.Cryptography.HMACSHA256
    $HMACSHA256.Key = $KeyBytes
    $Hash = $HMACSHA256.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($SignatureString))
    $Signature = [Convert]::ToBase64String($Hash)
} catch {
    Write-Error "Failed to create signature: $($_.Exception.Message)"
    exit 1
}

$Authorization = "SharedKey ${CustomerId}:$Signature"
$URI = "https://$CustomerID.ods.opinsights.azure.com/api/logs?api-version=$APIVersion"

# ======================
# 4. Send Data
# ======================
$Headers = @{
    "Authorization"        = $Authorization
    "x-ms-date"            = $Date
    "Content-Type"         = "application/json"
    "Log-Type"             = $LogType
    "x-ms-log-type"        = $LogType
    "time-generated-field" = "TimeGenerated"
}

try {
    Write-Host "Sending data to Log Analytics ($LogType)..."
    Write-Host "Target URI: $URI"
    $Response = Invoke-RestMethod -Uri $URI -Method Post -Headers $Headers -Body $JsonPayload
    Write-Host "Successfully sent log data."
} catch {
    Write-Error "Failed to send log data. Error: $($_.Exception.Message)"
    if ($_.Exception.Response) {
        try {
            $Reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $Details = $Reader.ReadToEnd()
            Write-Error "Azure Response: $Details"
        } catch { }
    }
    exit 1
}

exit 0

2. Running the Script Daily via Intune

To force the check daily, we deploy an Intune remediation script.

1. Go to https://intune.microsoft.com.
2. Navigate to Devices > Scripts and remediations > Create.
3. Enter the above script as the Detection Script and leave the Remediation Script empty.

3. Analyzing the Local Administrator Report

Once the data is in our log analytics workspace, we use Kusto (KQL) to audit the results. The goal is to separate legitimate domain accounts from unauthorized user accounts that still have the local admin right.

Compliance Summary

This query counts the number of devices where a user is in the administrators group but does not have “admin” in their name (filtering out the built-in administrator and domain admins).

let allDevices = LocalAdminReport_CL | summarize by DeviceName_s;
let offenderDevices = LocalAdminReport_CL
    | where isnotempty(AdminName_s)
    | where AdminName_s !contains "Admin"
    | summarize by DeviceName_s;
let totalOffenders = offenderDevices 
    | summarize Count = count() 
    | extend Category = "Devices with Local Admin Access";
let compliantDevices = (allDevices
    | join kind=leftanti offenderDevices on DeviceName_s
    | summarize Count = count()
    | extend Category = "Compliant Devices"
);
totalOffenders
| union compliantDevices
| project Category, Count
| order by Category asc

Detailed Account Audit

Use this query to select and list every specific account that has been granted local admin permissions in the last 90 days across your computer fleet.

LocalAdminReport_CL
| where TimeGenerated > ago(90d)
| where isnotempty(AdminName_s)
| where AdminName_s !contains "Admin"
| summarize LatestSeen = max(TimeGenerated) by DeviceName_s, AdminName_s
| order by DeviceName_s asc

Implementation Tips

• Intune Deployment: Set the script to run daily using Devices > Remediations. This ensures that if a user is added and then removed, your logs stay accurate.
• Filtering: Adjust the !contains "Admin" logic if your organization uses a different naming standard for authorized admin accounts.
• Workbook Visuals: In Azure Workbooks, use the “Pie Chart” renderer for the first query to get an immediate view of your environment’s health.

Summary

Good security isn’t about saying “no” to everything. It’s about knowing what’s actually happening in your environment. With this script and report in place, you get a clear audit trail that shows exactly when someone is added as a local administrator. That way, “temporary” access doesn’t quietly turn into a permanent problem, and you stay in control instead of playing cleanup later.

The post Local Admin Report with Intune and Log Analytics appeared first on Cyberillo.

This guide’s got you covered. We’ll go through the steps of capturing a customized Windows image, as well as the most common issues you’ll encounter.

1. Get Your Windows 11 Ready

To start, you’ll need a Windows 11 ISO.

• If you’re working with volume licensing, grab your Windows 11 Enterprise ISO from the Microsoft 365 Admin Center.
• If not, you can download the Windows 11 ISO from here.

2. Set Up Your Build Environment

We’ll be building this image inside a virtual machine. So, enable the Hyper-V feature on your workstation.

• Navigate to the control panel and select Programs > Turns Windows features on or off.
• Tick the Hyper-V feature and click on OK.

You’ll need to restart your PC for the Hyper-V feature to be installed.

N.B. You also need to have virtualization enabled in your system BIOS to use Hyper-V, VMWare, VirtualBox, etc.

After restarting your workstation, create your new virtual machine in Hyper-V and make sure TPM is turned on… Windows 11 insists on it.

3. Install Windows and Your Essential Apps

Now, install Windows 11 as you normally would within your virtual machine. Then, add all the software you want pre-installed in your custom Windows Image.

N.B. If you want to make any AppData changes to all user profiles that will be using the customized Windows installation, apply the changes to C:\Users\Default\AppData\Roaming.

After getting all your core applications installed, take a moment to tidy up. Uninstall any bloatware you don’t need, like Xbox or Solitaire.

4. Generalize Your Windows Installation with Sysprep

Sysprep is the tool that prepares our Windows setup for capturing. It essentially makes the installation generic, so it can be deployed on different machines.

• Open Command Prompt as an Administrator.
• Change directory to Sysprep: cd C:\Windows\System32\Sysprep
• Run the Sysprep command: sysprep.exe /oobe /generalize /shutdown

You might hit a snag if your OS drive is encrypted… This is typical on Windows 11 installations. If Sysprep throws an error, check the log file; it will likely point to the encryption.

To fix this, turn off BitLocker by running this command in CMD: manage-bde -off C:

You’ll see a message that decryption is underway. You can keep an eye on its progress with: manage-bde -status

Once your OS drive is fully decrypted, give that Sysprep command another go.

Another common hiccup happens if one of the Windows Store apps is installed for one user but not set up for all users. The Sysprep log will clue you in on which app is causing the trouble.

To remove it, open an elevated PowerShell session and type:

Remove-AppxPackage -Package <<packagenamegoeshere>>

You might need to repeat this for a couple of apps until Sysprep runs through without a hitch.

5. Capture Your Master Image

After Sysprep works its magic and shuts down the virtual machine, it’s time to capture our customized image.

• Attach an empty VHD to your virtual machine.
• Boot up your VM using Hiren’s Boot CD or a WinPE environment.
• In the boot environment, make sure your Windows installation is mounted as C:\ and your empty VHD as E:\.
• Now, capture your image and save it to E:\ with this DISM command:

DISM /capture-image /imagefile:E:\install.wim /capturedir:C:\ /name:"Win11" /compress:fast

6. Personalize Your Windows 11 ISO

Now that you have your install.wim file, you’ll integrate it into a Windows 11 ISO. Using a tool like AnyBurn, open the ISO, navigate to the sources folder, remove the original install.wim, and drop in your newly captured install.wim file.

7. Create a Bootable USB

Last but not least, we need to make a bootable USB stick from our new custom ISO. Grab Rufus (or your preferred tool). Select your USB stick (double-check you don’t have anything important on it, as it will be wiped), pick your custom ISO, and hit start.

A Quick Note on Windows 11 24H2

Heads up! When using Windows 11 24H2 as my base ISO, I bumped into the below installation error, which seems to be related to the new Windows setup interface.

As a workaround, you can either use Windows 11 23H2 as your base ISO or select Previous Version of Setup during the installation wizard.

That’s it! I hope you found this guide helpful. Feel free to reach out if you need any help setting up your custom Windows image. I’m always happy to help!

The post How to Create a Windows Image for Deployment appeared first on Cyberillo.

Microsoft’s attack simulation training module in the Security Center makes it simple to run realistic phishing tests that don’t just show you who’s at risk but help them get better. This guide breaks down how to set up a phishing campaign step by step, so you can start building a team that’s sharp and ready for whatever’s lurking in their inbox.

1. Go to https://security.microsoft.com.
2. Navigate to Email & Collaboration > Attack Simulation training > Simulations. Here you can find a list of previously created campaigns. To create a new phishing campaign, click on Launch a simulation.

3. The attack simulation training module offers various social engineering techniques to choose from, like Credential Harvest, Malware Attachment, Link in Attachment, Link to Malware, Drive-by URL, and Oauth Consent Grant. Choose the preferred technique for your phishing campaign and select Next.

4. Give a friendly name to your campaign, and optionally write a description.

5. The next step is to determine the payload that you want to deliver. As with any other phishing campaign software the attack simulator allows you to create custom payloads with personalised email text and attachments. You can do this by clicking on Tenant payloads > Create a payload. Alternatively, you may select one of the ready-made payloads designed by Microsoft from the Global payloads tab.

6. Each payload designed by Microsoft comes with a nice little metric – Predicted Compromise Rate (%). This serves as an indication of the result to expect when using the predesigned payload & login page. To preview the design of the email and login page, click on the title of the payload (not the checkbox).

7. If you’re happy with the payload and login page, move to the next step and select the target users for the campaign. You can restrict the scope to named users or groups, or target the entire organisation. I like to test the campaign on a small group first before a full rollout to the entire organisation.

8. Based on your company policy, you may require victims of the campaign to attend a phishing awareness training session. The attack simulator allows you to bake this right into the campaign. You may redirect users to a custom URL to schedule their training session, or opt for the Microsoft training experience. In case of the latter, you may handpick training modules from Microsoft’s catalog to train your users or let Microsoft automatically assign training courses based on the user’s previous campaign results and training experiences.

9. With regards to the post-phish landing page experience, some prefer to be more harsh than others. It’s up to you to determine what works best in your organisation. You may choose a pre-designed landing page from Microsoft’s catalog or design one yourself.

10. Next, you can configure whether to send user notifications associated with this campaign.
    • Positive reinforcement notification (to thank users who report the phish)
    • Training reminder notification (if you linked training in the previous steps)

11. The last thing to configure is the scheduled date for the attack simulation and the length of the campaign. Once you’re ready, review the details you configured and submit the simulation.

12. From my observations, the reporting on the campaign is real-time and the figures are updated every minute (more or less). At a glance, you can get a quick summary of the outcome, with key metrics such as the number of users who:
    • were compromised
    • reported the message
    • read the message
    • opened attachments

You also get a tabular view listing all users targeted by the campaign together with some key information such as:

• the actions they took
• whether they reported
• whether they were compromised
• whether they attended the scheduled training

Running phishing simulations isn’t just about catching people out—it’s about giving them the tools to improve. With the attack simulation training in Microsoft Security Center, you can run smart, effective tests that actually make a difference. The goal is to raise awareness, build confidence, and reduce the chances of a mistake turning into a disaster. Keep running these simulations, keep learning from them, and you’ll be well on your way to a team that’s not just prepared but proactive when it comes to phishing threats.

The post How to Create a Phishing Campaign in the Microsoft Security Center appeared first on Cyberillo.

In this post, I’ll show you how to use the DSInternals PowerShell module to test Active Directory password quality and identify flaws in your AD security posture. Then, we’ll create a Power BI report to get a quick glance at the number of password quality issues, together with a list of users affected by each issue.

Complete PowerShell Script

## Active Directory Password Quality Data Export ##
#░█████╗░██╗░░░██╗██████╗░███████╗██████╗░██╗██╗░░░░░██╗░░░░░░█████╗░
#██╔══██╗╚██╗░██╔╝██╔══██╗██╔════╝██╔══██╗██║██║░░░░░██║░░░░░██╔══██╗
#██║░░╚═╝░╚████╔╝░██████╦╝█████╗░░██████╔╝██║██║░░░░░██║░░░░░██║░░██║
#██║░░██╗░░╚██╔╝░░██╔══██╗██╔══╝░░██╔══██╗██║██║░░░░░██║░░░░░██║░░██║
#╚█████╔╝░░░██║░░░██████╦╝███████╗██║░░██║██║███████╗███████╗╚█████╔╝
#░╚════╝░░░░╚═╝░░░╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝╚══════╝╚══════╝░╚════╝░

# Define Variables
$dictionary = ".\Dictionary.txt"
$domain = "dc=contoso,dc=com"
$dc = "10.10.10.1"

# Retrieve AD Accounts and Test Password Quality
$data = Get-ADReplAccount -All -Server $dc -NamingContext $domain |
        Test-PasswordQuality -WeakPasswordsFile $dictionary -IncludeDisabledAccounts

# Define the Password Quality Criteria
$qualityCriteria = @(
    "ClearTextPassword",
    "LMHash",
    "EmptyPassword",
    "WeakPassword",
    "SamAccountNameAsPassword",
    "DefaultComputerPassword",
    "PasswordNotRequired",
    "PasswordNeverExpires",
    "AESKeysMissing",
    "PreAuthNotRequired",
    "DESEncryptionOnly",
    "Kerberoastable",
    "DelegatableAdmins",
    "SmartCardUsersWithPassword",
    "DuplicatePasswordGroups"
)

# Initialize an array to store expanded data
$expandedData = @([pscustomobject]@{
                    "ClearTextPassword" = ""
                    "LMHash" = ""
                    "EmptyPassword" = ""
                    "WeakPassword" = ""
                    "SamAccountNameAsPassword" = ""
                    "DefaultComputerPassword" = ""
                    "PasswordNotRequired" = ""
                    "PasswordNeverExpires" = ""
                    "AESKeysMissing" = ""
                    "PreAuthNotRequired" = ""
                    "DESEncryptionOnly" = ""
                    "Kerberoastable" = ""
                    "DelegatableAdmins" = ""
                    "SmartCardUsersWithPassword" = ""
                    "DuplicatePasswordGroups" = ""
                })

# Iterate through each account and expand the criteria into separate rows
foreach ($account in $data) {
    foreach ($criterion in $qualityCriteria) {
        # Check if the criterion contains values
        if ($account.PSObject.Properties[$criterion].Value -and $account.$criterion.Count -gt 0) {
            # Expand each item in the collection into a new row
            foreach ($user in $account.$criterion) {
                $expandedData += [pscustomobject]@{
                    "$Criterion"   = $user
                }
            }
        }
    }
}

# Export all expanded data into a single CSV
$expandedData | Export-Csv -Path "PasswordQuality.csv" -NoTypeInformation

Write-Host "Exported expanded data to PasswordQuality.csv with $($expandedData.Count) records."

Script Breakdown

We’ll start with the PowerShell script that gathers all the information we need from Active Directory.

Here’s what it does:

1. Pulls AD account information from your domain controller (DC).
2. Checks password quality based on various criteria, like whether the password is weak, missing, or stored improperly.
3. Expands the data into a more readable format.
4. Exports the results to a CSV file for analysis.

1. Setting Up Your Variables

# Define Variables
$dictionary = ".\Dictionary.txt"
$domain = "dc=contoso,dc=com"
$dc = "10.10.10.1"

You need to define a few things at the start: where the script can find a list of weak passwords (Dictionary.txt), your domain name, and the IP address of your domain controller. Change these to match your environment.

You can customize the dictionary as needed, but a good starting point can be found here.

2. Getting AD Accounts and Testing Password Quality

$data = Get-ADReplAccount -All -Server $dc -NamingContext $domain |
        Test-PasswordQuality -WeakPasswordsFile $dictionary -IncludeDisabledAccounts

This section uses the Get-ADReplAccount and Test-PasswordQuality cmdlets from the DSInternals PowerShell module.

It retrieves all the accounts in your domain and checks their password quality. We’re looking for things like weak passwords, missing encryption, or even accounts that use their username as a password (yikes!). This script can also include disabled accounts—because even they can be a security risk if left unchecked.

3. Defining Password Quality Criteria

$qualityCriteria = @(
    "ClearTextPassword", "LMHash", "EmptyPassword", "WeakPassword", 
    "SamAccountNameAsPassword", "DefaultComputerPassword", "PasswordNotRequired", 
    "PasswordNeverExpires", "AESKeysMissing", "PreAuthNotRequired", 
    "DESEncryptionOnly", "Kerberoastable", "DelegatableAdmins", 
    "SmartCardUsersWithPassword", "DuplicatePasswordGroups"
)

This part sets the criteria we care about—whether the password is empty, weak, or stored as an old LMHash, just to name a few. These are the key things that pose risks, and the Test-PasswordQuality cmdlet checks for all of them.

4. Storing and Expanding the Data

$expandedData = @()
foreach ($account in $data) {
    foreach ($criterion in $qualityCriteria) {
        if ($account.PSObject.Properties[$criterion].Value -and $account.$criterion.Count -gt 0) {
            foreach ($user in $account.$criterion) {
                $expandedData += [pscustomobject]@{ "$criterion" = $user }
            }
        }
    }
}

This portion of the script is all about organizing the data in a way that’s easy to analyze and visualize later on, especially when we move the data into Power BI. Let’s break it down step-by-step:

A) Initializing the Expanded Data Array

$expandedData = @()

• Purpose: Here, we’re creating an empty array called $expandedData. This array will store each password quality issue we find, structured in a consistent format.
• Why It Matters: By initializing an empty array, we ensure that we have a clean slate to start adding our processed data. This helps in avoiding any unintended data carryover from previous runs or other parts of the script.

B) Looping Through Each AD Account

foreach ($account in $data) {
    ...
}

• Purpose: This outer loop goes through each account retrieved earlier by the Get-ADReplAccount cmdlet.
• Why It Matters: We need to evaluate each account individually to check for any password-related issues. This ensures that no account is overlooked in our analysis.

C) Checking Each Password Quality Criterion

foreach ($criterion in $qualityCriteria) {
    ...
}

• Purpose: For every account, we loop through each password quality criterion defined in the $qualityCriteria array.
• Why It Matters: Each criterion represents a specific type of password issue (e.g., weak password, empty password). By iterating through each one, we can systematically check for all possible vulnerabilities associated with the account.

D) Confirm Existence of Password Quality Issues

if ($account.PSObject.Properties[$criterion].Value -and $account.$criterion.Count -gt 0) {
    ...
}

• Purpose: This if statement checks two things:
  1. $account.PSObject.Properties[$criterion].Value: Ensures that the current criterion has a value, meaning that there is at least one instance of this issue for the account.
  2. $account.$criterion.Count -gt 0: Confirms that the number of issues under this criterion is greater than zero.
• Why It Matters: We only want to record criteria that are actually present. This prevents our final data set from being cluttered with empty or irrelevant entries, making our analysis cleaner and more focused on real issues.

E) Expanding Each Issue into a New Row

foreach ($user in $account.$criterion) {
    $expandedData += [pscustomobject]@{ "$criterion" = $user }
}

• Purpose: For each issue found under the current criterion, we create a new custom PowerShell object and add it to the $expandedData array.
  • [pscustomobject]@{ "$criterion" = $user }: This creates a new object with a property named after the current criterion and assigns it the value of the specific issue ($user).
  • $expandedData += ...: This appends the newly created object to the $expandedData array.
• Why It Matters: By expanding each issue into its own row, we transform our data into a flat, tabular format that’s ideal for analysis and visualization. This structure is especially useful when importing the data into Power BI, as it allows for easy creation of filters, charts, and other visuals based on specific criteria.

F) Putting It All Together

Let’s visualize what’s happening with an example:

• Suppose we have an AD account, jdoe, with the following password issues:
  • WeakPassword: password123
  • PasswordNeverExpires: Enabled
• Processing Steps:
  1. First Loop ($account): Processes the jdoe account.
  2. Second Loop ($criterion): Checks each criterion for jdoe.
     • WeakPassword:
       • Condition Check: True (since password123 is listed in the dictionary)
       • Inner Loop: Adds a new object { "WeakPassword" = "jdoe" } to $expandedData.
     • PasswordNeverExpires:
       • Condition Check: True (since it’s enabled)
       • Inner Loop: Adds another object { "PasswordNeverExpires" = "jdoe" } to $expandedData.
     • Other Criteria: If jdoe doesn’t have issues like EmptyPassword or LMHash, those criteria are skipped and no new rows are created.

This flattened structure makes it straightforward to create visuals in Power BI, such as:

• Bar Charts: Showing the number of accounts with each type of password issue.
• Tables: Listing all accounts alongside their specific vulnerabilities.
• Pie Charts: Representing the proportion of each issue relative to the total number of issues.

G) Why Use This Approach?

• Simplicity: By expanding each issue into its own row, the data becomes easier to work with, especially when dealing with multiple criteria across numerous accounts.
• Flexibility: This format allows you to filter, sort, and visualize the data with little extra data manipulation.
• Scalability: As your organization grows and the number of AD accounts increases, this method remains efficient and manageable.

5. Exporting to CSV

$expandedData | Export-Csv -Path "PasswordQuality.csv" -NoTypeInformation
Write-Host "Exported expanded data to PasswordQuality.csv with $($expandedData.Count) records."

Finally, all the findings get exported to a CSV file, which we’ll use as a data source to create our Power BI report. The CSV will contain the password quality issues as columns, and one user per row (under the appropriate column). One user can have multiple rows in the CSV if his account has more than one password quality issue.

Create a Power BI Report

Now that we have the data in PasswordQuality.csv, it’s time to visualize it in Power BI. This will help you spot trends and focus on the biggest security risks.

Steps:

1. Open Power BI and go to Home -> Get Data -> Text/CSV.

2. Browse to your exported PasswordQuality.csv and click Transform Data.

3. In the Power Query editor, click on Use First Row as Headers.

4. Then, click on Replace Values.

5. Leave Value to find blank and enter null in the Replace With field. Then, click on OK. This will take care of the blank values in our data.

6. Save the Power Query changes by clicking on Close & Apply.

7. This next step is crucial. We will use our data to create a new table with two columns, User and Issue. This will make it easier to visualize and filter the data. Go to Modeling -> New table.

8. In the DAX query, type the following code:

Issues = 
VAR _AESKeysMissing =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[AESKeysMissing],
        "Issue", "AESKeysMissing"
    )
VAR _ClearTextPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[ClearTextPassword],
        "Issue", "ClearTextPassword"
    )
VAR _DESEncryptionOnly =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[DESEncryptionOnly],
        "Issue", "DESEncryptionOnly"
    )
VAR _DefaultComputerPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[DefaultComputerPassword],
        "Issue", "DefaultComputerPassword"
    )
VAR _DelegatableAdmins =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[DelegatableAdmins],
        "Issue", "DelegatableAdmins"
    )
VAR _DuplicatePasswordGroups =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[DuplicatePasswordGroups],
        "Issue", "DuplicatePasswordGroups"
    )
VAR _EmptyPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[EmptyPassword],
        "Issue", "EmptyPassword"
    )
VAR _Kerberoastable =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[Kerberoastable],
        "Issue", "Kerberoastable"
    )
VAR _LMHash =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[LMHash],
        "Issue", "LMHash"
    )
VAR _PasswordNeverExpires =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[PasswordNeverExpires],
        "Issue", "PasswordNeverExpires"
    )
VAR _PasswordNotRequired =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[PasswordNotRequired],
        "Issue", "PasswordNotRequired"
    )
VAR _PreAuthNotRequired =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[PreAuthNotRequired],
        "Issue", "PreAuthNotRequired"
    )
VAR _SamAccountNameAsPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[SamAccountNameAsPassword],
        "Issue", "SamAccountNameAsPassword"
    )
VAR _SmartCardUsersWithPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[SmartCardUsersWithPassword],
        "Issue", "SmartCardUsersWithPassword"
    )
VAR _WeakPassword =
    SELECTCOLUMNS (
        PasswordQuality,
        "User", PasswordQuality[WeakPassword],
        "Issue", "WeakPassword"
    )

RETURN
    DISTINCT (
        UNION (
            _AESKeysMissing,
            _ClearTextPassword,
            _DESEncryptionOnly,
            _DefaultComputerPassword,
            _DelegatableAdmins,
            _DuplicatePasswordGroups,
            _EmptyPassword,
            _Kerberoastable,
            _LMHash,
            _PasswordNeverExpires,
            _PasswordNotRequired,
            _PreAuthNotRequired,
            _SamAccountNameAsPassword,
            _SmartCardUsersWithPassword,
            _WeakPassword
        )
    )

9. Now, you can visualize the data as needed. A report which I find convenient is a donut chart with the Issue column as the legend, and the count of the User column as the values. This shows the most common password quality issues in the domain. The list of users affected by each issue can be filtered by clicking on the different donut slices.

Wrapping Up

And that’s it! You’ve now used a PowerShell script to gather AD password quality data and created a Power BI report to visualize it. This is a powerful way to stay on top of password security, spot potential vulnerabilities, and make sure your organization’s accounts are protected.

Remember, scheduling the script at regular intervals (and refreshing the report data) can help you stay ahead of any security risks related to weak passwords. And with Power BI, you can easily share the findings and keep the rest of your team in the loop.

Let me know if you have any questions or if you’d like to see more advanced Power BI visuals. Stay secure!

The post Active Directory Password Quality Report in Power BI appeared first on Cyberillo.

Complete Script

## How to Bulk Add Devices to Azure AD Group Using PowerShell ##
#░█████╗░██╗░░░██╗██████╗░███████╗██████╗░██╗██╗░░░░░██╗░░░░░░█████╗░
#██╔══██╗╚██╗░██╔╝██╔══██╗██╔════╝██╔══██╗██║██║░░░░░██║░░░░░██╔══██╗
#██║░░╚═╝░╚████╔╝░██████╦╝█████╗░░██████╔╝██║██║░░░░░██║░░░░░██║░░██║
#██║░░██╗░░╚██╔╝░░██╔══██╗██╔══╝░░██╔══██╗██║██║░░░░░██║░░░░░██║░░██║
#╚█████╔╝░░░██║░░░██████╦╝███████╗██║░░██║██║███████╗███████╗╚█████╔╝
#░╚════╝░░░░╚═╝░░░╚═════╝░╚══════╝╚═╝░░╚═╝╚═╝╚══════╝╚══════╝░╚════╝░

# Import the AzureAD module
Import-Module AzureAD

# Login to Azure AD
Connect-AzureAD

# Path to your CSV file
$csvFilePath = "C:\path\to\your\devices.csv"

# Security Group Name
$securityGroupName = "Your-Security-Group-Name"

# Get the Security Group Object ID from the group name
$securityGroup = Get-AzureADGroup -SearchString $securityGroupName
if ($securityGroup -eq $null) {
    Write-Host "Security group not found: $securityGroupName"
    exit
}

$securityGroupId = $securityGroup.ObjectId

# Import the CSV file
$devices = Import-Csv -Path $csvFilePath

# Loop through each device in the CSV
foreach ($device in $devices) {
    $deviceName = $device.DeviceName

    # Get the Device Object ID from the device name
    $deviceObject = Get-AzureADDevice -SearchString $deviceName
    if ($deviceObject -eq $null) {
        Write-Host "Device not found: $deviceName"
        continue
    }

    $deviceId = $deviceObject.ObjectId

    try {
        # Add the device to the security group
        Add-AzureADGroupMember -ObjectId $securityGroupId -RefObjectId $deviceId
        Write-Host "Successfully added Device: $deviceName to the group."
    } catch {
        Write-Host "Failed to add Device: $deviceName. Error: $_"
    }
}

# Disconnect from Azure AD
Disconnect-AzureAD

Overview of the Script

So, what does the script do?

1. Import devices from a CSV file.
2. Search for these devices in Azure AD.
3. Add the devices to a specified security group.
4. Report success or errors for each device.

Prerequisites

Before running the script, ensure the following:

• You have the AzureAD PowerShell module installed.
• The script is executed by a user with permissions to manage devices and groups in Azure AD.
• A CSV file containing device names is available.
• The correct security group already exists in Azure AD.

Step-by-Step Breakdown

1. Import the Azure AD Module

The script starts by loading the AzureAD module, which contains cmdlets to manage Azure AD resources from PowerShell.

Import-Module AzureAD

This step is necessary for interacting with Azure AD using PowerShell. If you don’t have the module installed, run:

Install-Module AzureAD

2. Authenticate with Azure AD

Before performing any Azure AD operations, the script requires the user to authenticate:

Connect-AzureAD

This prompts the user to enter credentials or use existing session credentials to connect to Azure AD.

3. Specify the CSV File Path and Security Group

You’ll need a CSV file that lists the devices to be added. The CSV should contain a column titled DeviceName, which holds the names of the devices you want to add.

$csvFilePath = "C:\path\to\your\devices.csv"
$securityGroupName = "Your-Security-Group-Name"

Here, $csvFilePath points to the CSV file and $securityGroupName is the name of the Azure AD security group you want to add the devices to.

4. Retrieve the Security Group Object ID

Azure AD uses unique object IDs for each resource, including security groups. To add devices to a group, the script must first retrieve the Object ID of the target security group:

$securityGroup = Get-AzureADGroup -SearchString $securityGroupName
if ($securityGroup -eq $null) {
    Write-Host "Security group not found: $securityGroupName"
    exit
}

If the group isn’t found, the script exits with an appropriate message. Otherwise, the script proceeds to store the Object ID of the group in $securityGroupId:

$securityGroupId = $securityGroup.ObjectId

5. Import the CSV File

The devices from the CSV file are imported into a variable $devices:

$devices = Import-Csv -Path $csvFilePath

Each device is stored as a record, and the script processes each device by looping through the records.

6. Loop through Devices and Add to Group

For each device, the script:

• Retrieves the device’s Object ID from Azure AD using the DeviceName from the CSV.
• Adds the device to the specified security group.
• Logs the outcome for each device.

foreach ($device in $devices) {
    $deviceName = $device.DeviceName
    $deviceObject = Get-AzureADDevice -SearchString $deviceName
    if ($deviceObject -eq $null) {
        Write-Host "Device not found: $deviceName"
        continue
    }

    $deviceId = $deviceObject.ObjectId

    try {
        Add-AzureADGroupMember -ObjectId $securityGroupId -RefObjectId $deviceId
        Write-Host "Successfully added Device: $deviceName to the group."
    } catch {
        Write-Host "Failed to add Device: $deviceName. Error: $_"
    }
}

If the device isn’t found in Azure AD, a message is displayed, and the script moves on to the next device. If an error occurs during the addition process, it’s caught and logged.

7. Disconnect from Azure AD

After processing all the devices, the script disconnects from Azure AD:

Disconnect-AzureAD

This closes the session and ensures no lingering connections remain.

The post How to Bulk Add Devices to Azure AD Group Using PowerShell appeared first on Cyberillo.

You forgot, didn’t you? That password you set on your zipped folder with all your precious files. Wishing you didn’t set it in the first place?

When you encounter a locked zip file, it can be frustrating. Whether you’ve forgotten the password or inherited a protected zip archive, recovering access is essential. Fortunately, there are various methods and tools available for zip password recovery that can help you regain access to your files.

How to crack a zip file password?

You’re in luck, John the Ripper has a tool made just for this purpose.

1. Download the ZipRipper tool from GitHub by clicking on Code and then Download ZIP.

2. Extract the downloaded ZIP file.
3. Launch the password cracker by double-clicking on ZipRipper.cmd from the extracted archive.

4. Microsoft Defender SmartScreen might block the program. When, prompted that Windows Protected your PC, click on More info and then, Run anyway.

5. Click on Start once the ZipRipper GUI pops up.

6. Select the password protected ZIP file you would like to decrypt, and click on Open.

7. The password cracker will get to work – make sure you have an active Internet connection if using it in online mode.
8. When asked whether or not to split the word list, select No.

9. Simple passwords will be cracked in a matter of seconds, whereas more complex passwords may take minutes, days, weeks … You get it.
10. Once the password is successfully cracked, you get a popup showing the cracked password/s. A file with the cracked passwords is also saved to the desktop.

11. Congratulations, you can now open your password protected ZIP file.

What is a Zip File and Why Protect It?

A zip file is a compressed archive that can contain one or more files or folders. These archives are often password protected to ensure that sensitive data remains secure. Password protection uses encryption to prevent unauthorized access, making it crucial to remember or securely store the password. If you lose the password, you’ll need to recover it to access the files within.

Understanding Zip Password Recovery

Zip password recovery involves retrieving the lost or forgotten password to unlock an encrypted zip file. This process can be done using specialized software known as a password recovery tool. These tools employ various techniques, such as brute force, dictionary attacks, and mask attacks, to find the password.

Popular Methods for Zip Password Recovery

1. Brute Force Attack: This method systematically tries every possible combination of characters until the correct password is found. While it can be effective, it may take a long time, depending on the password length and complexity.
2. Dictionary Attack: This technique uses a pre-defined list of potential passwords. The tool runs through the list and checks each one until the right password is found. This method is faster than brute force but relies on the password being within the dictionary.
3. Mask Attack: If you remember part of the password or have an idea of its structure, a mask attack can be useful. You can set parameters like password length, character set, or specific characters to narrow down the search, making the recovery process quicker.

Alternative Tools for Recovering Zip Passwords

ZipRipper aside, there are several other apps and tools available that can assist with zip password recovery:

• WinZip: A popular archiver that offers built-in tools for password recovery and decryption. While it’s a paid app, you can find free downloads of its demo version, which might include limited password recovery functionality.
• Zip Password Unlocker: This tool is designed specifically for recovering passwords from encrypted zip archives. It supports various versions of popular archivers and offers an easy-to-use interface.
• RAR Password Recovery Tool: Though primarily for RAR files, this tool also supports zip file recovery. It uses advanced algorithms to find the password efficiently.

How to Use a Zip Password Recovery Tool

1. Download and Install: Choose a zip password recovery tool that suits your needs and download the latest version. Install it on your Windows computer.
2. Upload Your File: Open the tool and upload your encrypted zip file. Most tools will allow you to drag and drop the file directly into the interface.
3. Set Parameters: If using a mask attack, set your parameters such as the password length or character set. For dictionary attacks, upload your dictionary file.
4. Start the Recovery Process: Initiate the password recovery. The tool will begin searching for the correct password. The time taken will depend on the chosen method and the password’s complexity.
5. Recover and Copy the Password: Once the tool finds the password, it will display it on the screen. Copy the password and use it to unlock your protected zip file.

Legal Considerations

It’s important to affirm that using zip password recovery tools should only be done when you have the legal right to access the data. Recovering passwords for files obtained without authorization or through other illegal means may constitute theft and can lead to criminal prosecution. Always ensure you are the rightful owner of all files or have explicit permission from the owner to perform these operations.

Conclusion

Zip password recovery is a necessary skill when dealing with protected archives, especially if you’ve lost access to sensitive files. With the right tool and approach, you can recover your password and regain access to your data. Remember to use these tools responsibly and within the bounds of the law to avoid any legal repercussions.

The post ZIP Password Recovery: How to Crack ZIP Password in 2024 appeared first on Cyberillo.

How to Password Protect a Zipped Folder on Windows Using 7-Zip

7-Zip is a powerful, free tool that lets you password-protect your zip files with strong AES-256 encryption.

Steps to Create a Password-Protected Zip File Using 7-Zip:

1. Download and install 7-Zip from here.
2. Navigate to the folder containing the files you want to compress.
3. Right-click the file or files you want to zip and choose 7-Zip > Add to archive.

4. In the window that opens, select ZIP as the archive format.
5. Under the Encryption section, set a password in both the Enter password and Reenter password fields.
6. Select AES-256 as the Encryption Method.
7. Click OK to create the zip file.

Your new zip file is now password-protected, ensuring that only those with the correct password can access the compressed files.

Using WinRAR to Password Protect a Zip File on Windows

WinRAR is another popular third-party software for file compression that allows you to add a password to your zip files.

Steps to Password Protect Files Using WinRAR:

1. Download and install WinRAR from here.
2. Select the files or folder you want to encrypt.
3. Right-click and choose WinRAR > Add to archive….

4. Choose ZIP as the archive format.
5. Click on Set password… at the bottom right.
6. Enter the password you want to use and click OK.
7. Click OK again to create the zip file.

With WinRAR, your password-protected zip file will prevent unauthorized access, making it a good choice for protecting sensitive information.

(Bonus) How to Password-Protect a Zip File on Windows Using EFS

If you’re using Windows 7, 8, 10 or 11, the Encrypting File System (EFS) is a built-in option to encrypt your files. While EFS doesn’t allow you to put a password directly on a zip file, it does encrypt the files and folders before they are zipped, keeping them safe from unauthorized access.

Steps to Encrypt Files Using EFS:

1. Navigate to the folder containing the file or files you want to encrypt.
2. Right-click the folder you want to encrypt and select Properties.
3. Under the General tab, click on Advanced.
4. Check the box that says Encrypt contents to secure data.
5. Click OK, then Apply.

After the files are encrypted, you can create a zip file using your preferred method. The encryption stays with the files, but remember that this encryption method is tied to your Windows user account.

How to Password Protect a Zip File on macOS

If you’re on a Mac, you can use the Terminal or a third-party application like Keka to password protect a zip file.

Steps to Create a Password-Protected Zip File on macOS Using Terminal:

1. Open Terminal (found in the Applications folder under Utilities).
2. Navigate to the folder containing the file or files you want to compress.
3. Use the following command to create a password-protected zip: zip -er newzip.zip file1 file2. Replace newzip.zip with your desired zip file name and file1 file2 with the files you want to compress.
4. Enter the password when prompted.

Your encrypted zip file is now ready, and only those with the password can access it.

How to Encrypt a Zip File on Linux

On Linux, you can also use the Terminal to create a password-protected zip file.

Steps to Password Protect a Zip File on Linux:

1. Open the Terminal.
2. Navigate to the folder containing the files you want to compress.
3. Use the command: zip -er newzip.zip file1 file2. Replace newzip.zip with your desired zip file name and file1 file2 with the files you want to compress.
4. Set the password when prompted.

This method is effective and works across all Linux distributions.

Great! So, now you know how to password protect a ZIP file. Wondering what happens if you forget the password?

Check out this guide on how to crack a ZIP file password. That’s right, password-protecting your ZIP files is not foolproof. With the right-tools and enough time, they can be cracked as well.

The post How to Password Protect a ZIP File [Windows, Mac & Linux] appeared first on Cyberillo.

A Windows device is joined to the domain and synchronized to Azure AD (Microsoft Entra). The Registered column for the device in Azure AD shows Pending and the MDM column shows None.

The device does not show up in Intune since it was not successfully enrolled.

Running dsregcmd /status in CMD shows:

AzureAdJoined : YES [under Device State]

DomainJoined : YES [under Device State]

AzureAdPrt : No [under SSO State]

The problem here is that AzureAdPrt (Primary Refresh Token) is showing No. In a nutshell, this means that the device did not manage to authenticate successfully to Azure. Therefore, Intune auto-enrollment will fail.

You can confirm that device enrollment failed by checking for an error of the sort: “Auto MDM Enroll Device Credential 0x0, Failed” in the Event Viewer at the following location:

Event Viewer → Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin

Resolution

1. Make sure that you have checked all the prerequisites for Intune Auto Enrollment.
2. In CMD (on the target device) run the following command:

%windir%/System32/deviceenroller.exe /autoenrollmdm

In some cases, this one-liner does its magic and triggers a successful enrollment to Intune. If the device shows up in Intune after a while (5 to 15 minutes), the issue is resolved. If not, move on to the next steps to completely remove the device from your on-premises AD and Azure AD (Entra), re-join, and successfully enroll to Intune.

3. In CMD (on the target device) run the following command to unregister from Azure AD.

dsregcmd /leave

4. Delete the device object from Azure AD.

5. Disjoin the device from the on-premises Active Directory domain.
6. Delete the device computer object from Active Directory.

7. Re-join the device to the domain and wait for the next synchronization cycle to Azure AD or force it through PowerShell on your AD Connect Server:

Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

8. The device will show up in Azure AD.
9. Logon to the device with the target user’s credentials.

After a while (5 to 15 minutes), the device will successfully enroll to Intune via auto-enrollment.

Running dsregcmd /status in CMD now shows:

AzureAdJoined : YES [under Device State]

DomainJoined : YES [under Device State]

AzureAdPrt : YES [under SSO State]

The post Hybrid Azure AD Joined Device Fails Intune Auto Enrollment appeared first on Cyberillo.

The error indicates that the Linux distribution you’re trying to use cannot be registered properly and that an update for the kernel of the WSL 2 (Windows Subsystem for Linux) is required.

How to fix WslRegisterDistribution failed with error: 0x800701bc

1. Update Windows to Version 1903 or later

WSL 2 is only available in Windows 11 or Windows 10, Version 1903, Build 18362 or later.

Start by making sure that your system is running Windows 10/11 version 1903 or later. You can check this by typing winver in the start menu.

This will return your Windows version and build number. If you’re running an earlier version of Windows, make sure to install the latest Windows Feature Update.

2. Enable Virtualization in BIOS

WSL 2 requires virtualization to be enabled on your computer. To check if virtualization is enabled, open up the Task Manager in Windows, navigate to Performance and look for the Virtualization attribute. This needs to be set to Enabled.

If Virtualization is not enabled, you need to enable it in BIOS by following these steps:

1. Restart Your Computer:
   • Save any open files and restart your computer.
2. Enter BIOS Setup:
   • As your computer is starting up, press the key that opens the BIOS setup utility. This key is usually displayed during the startup process and could be one of the following: F2, F10, Del, Esc, or another key specific to your computer’s manufacturer. You might need to press it repeatedly to enter the BIOS.
3. Find the Virtualization Setting:
   • Once in the BIOS, look for the virtualization settings. The location and name of this setting can vary, but it is often found in the following sections:
     • Advanced
     • Advanced BIOS Features
     • Advanced CPU Configuration
     • System Configuration
   • The setting might be named:
     • Intel Virtualization Technology
     • VT-x
     • AMD-V
     • SVM Mode
4. Enable Virtualization:
   • Change the virtualization setting to Enabled. Use the arrow keys to navigate, and the Enter key to select options.
5. Save and Exit:
   • Save your changes and exit the BIOS. This option is often found in the Exit menu or by pressing a key such as F10. Confirm that you want to save the changes if prompted.
6. Reboot Your Computer:
   • Your computer will restart with virtualization enabled.

3. Enable the Windows Virtual Machine Platform feature

WSL 2 requires the Windows Virtual Machine Platform feature to be enabled.

Follow these steps to enable the Virtual Machine Platform feature in Windows 10 and 11.

1. Search for and open up the Control Panel in the start menu.
2. Click on Programs.
3. Select Turn Windows features on or off. You need administrator privileges on the system.

4. Scroll down to the Windows Virtual Machine Platform feature and tick it to enable it.
5. Click on OK and reboot your computer for changes to take effect.

4. Set WSL 2 as default

WSL 2 supports a full Linux kernel. Set it to default to make sure you’re not using WSL 1.

Open up CMD and type the following command.

wsl --set-default-version 2

5. Update WSL 2 to the latest version

Make sure you have the latest updates of WSL installed on your system by entering this command in CMD.

wsl --update

6. Run your Linux Distribution

After following the above steps, you should be able to successfully run your Linux distribution. If you already installed it, launch it from the start menu.

If not, you can install a Linux distro by searching for it in the Microsoft store or directly from the CMD.

wsl --install --distribution ubuntu

The post [Solved] WslRegisterDistribution failed with error: 0x800701bc appeared first on Cyberillo.

How to expand or collapse all headers directly from the Azure portal service menu

To expand all headers in the Azure Portal service menu, click on the up/down double arrow symbol at the top of the menu on the left-hand side of the screen. This icon allows you to toggle between having the headers expanded or collapsed.

How to change the default expand/collapse behaviour of the Azure portal service menu

To change the default expand/collapse behaviour of the Azure portal service menu:

1. Navigate to the gear wheel icon at the top of the screen in the Azure portal to open up the settings.
2. Go to Appearance + startup views from the menu on the left.
3. Choose between Collapsed or Expanded in the Service menu behavior section.

The post How to Expand All Headers in the Azure Portal Service Menu appeared first on Cyberillo.