Security Posture

Validate status of Windows 10 security settings

I’ve created a PowerShell script that detects the status of various security-related device features and settings in Windows 10. The ambition with this script is to check the current state of these features quickly, without going through any portals. Currently the script detects the status of:

  • Operating System (Edition, Architecture, Version, and Build number)
  • TPM
  • Bitlocker
  • UEFI
  • SecureBoot
  • Defender (Antivirus, Antispyware, Realtime Protection, Tamper Protection, IOAV Protection, Network Protection, PUAProtection)
  • CloudProtectionService (MAPS for Defender)
  • DefenderATP
  • ApplicationGuard
  • Windows Sandbox
  • Credential Guard
  • Device Guard
  • Attack Surface Reduction
  • Controlled Folder Access

The script writes entries to a log file on the client (C:\Windows\Temp\Client-SecurityPosture.log), which is best read with CMTrace or OneTrace.

Install the Script
The script itself can be found at Powershell Gallery and installed using:
Install-Script -Name SecurityPosture -Force

Or you can download it manually from my GitHub.

Running the Script
Security Posture supports running individual functions (switches); as an example, let’s check the Operating System and the status of UEFI and Secure Boot:

Next thing to try is running the script querying every function in it:

The status of more functions and features will be displayed:

Logging
As I stated at the beginning of this post, the script writes entries to a log file on the client at C:\Windows\Temp\Client-SecurityPosture.log, which is best read with CMTrace or OneTrace.

Example:

More detailed information can be found in the description of the script. I’m planning to upgrade it to a module in the future, with more visible help for each function. I have a project for the script listed on my GitHub. Feel free to comment or DM me suggestions, ideas or errors you may encounter.

Manage authentication method (MFA in AzureAD, telephone-number)

Finally some new capabilities for displaying, changing and turning off MFA configuration for users. My earlier post on MFA status, which used Get-MsolUser, can be read here. Microsoft has now released a new set of Microsoft Graph API calls for Azure Multi-Factor Authentication, which I’ll briefly go through in this post. Note that these are only in beta right now and more features will be added later.

First, let’s see what we can do as stated here:

“The new APIs we’ve released in this wave give you the ability to:

  • Read, add, update, and remove a user’s authentication phones.
  • Reset a user’s password.
  • Turn on and off SMS sign-in.”

Sweet, let’s try it out. We’ll start by navigating to Microsoft Graph and consenting to the required permissions. For this example, be sure to use an account that is a Global Administrator or Authentication Administrator.

Enter this information (change the UPN to a test user in your tenant):

https://graph.microsoft.com/beta/users//authentication/phoneMethods

Now select “Modify permissions” and be sure to consent to the permission UserAuthenticationMethod.ReadWrite.All.

Note that I’ve specified GET (fetch information); when I press Run Query now, the result is:

No value, which was expected in my case since my test user does not have any phone number registered as an authentication method for MFA. So let’s now POST the information instead and give the user a registered telephone number.

Change GET to POST.

In the request Body, enter the following entries with your chosen values:

{
  "phoneType": "mobile",
  "phoneNumber": "+46234567890"
}

Example:

Press Run Query again. Success!

If you would like to verify the setting, change POST back to GET to fetch the same user’s authentication methods, and now you’ll see the phone number:

The information can, of course, also be verified in Azure AD under Authentication Methods:
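The same GET / POST flow driven from PowerShell instead of Graph Explorer, as an added example that is not the post’s own code: it assumes the Microsoft.Graph PowerShell module (Connect-MgGraph, Invoke-MgGraphRequest) and a constructed test user and number, and it also covers the case the post does not show, where a mobile number is already registered and has to be updated rather than added.

```powershell
# Added example (not the post's script): read and set a user's MFA phone method
# through the beta Graph endpoint shown above, using the Microsoft.Graph module.
# Assumes the signing-in account holds the Authentication Administrator
# (or Global Administrator) role, as the post requires.
$GraphBeta = 'https://graph.microsoft.com/beta'

function Connect-AuthMethodSession {
    # Same delegated permission the post consents to in Graph Explorer.
    Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' | Out-Null
}

function Get-UserPhoneMethod {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $uri = "$GraphBeta/users/$UserPrincipalName/authentication/phoneMethods"
    # An empty 'value' array means no phone is registered for MFA (the post's first GET).
    (Invoke-MgGraphRequest -Method GET -Uri $uri).value
}

function Set-UserMobilePhoneMethod {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # Country code plus digits, as in the post's request body.
        [Parameter(Mandatory)][ValidatePattern('^\+\d{6,15}$')][string]$PhoneNumber
    )
    $base = "$GraphBeta/users/$UserPrincipalName/authentication/phoneMethods"
    $body = @{ phoneType = 'mobile'; phoneNumber = $PhoneNumber }
    $existing = Get-UserPhoneMethod -UserPrincipalName $UserPrincipalName |
        Where-Object { $_.phoneType -eq 'mobile' }
    if ($existing) {
        # Only one method per phone type is allowed, so a second POST fails;
        # update the existing entry in place instead.
        Invoke-MgGraphRequest -Method PATCH -Uri "$base/$($existing.id)" -Body $body | Out-Null
    } else {
        Invoke-MgGraphRequest -Method POST -Uri $base -Body $body | Out-Null
    }
    # Re-read the methods, as the post does by switching POST back to GET.
    Get-UserPhoneMethod -UserPrincipalName $UserPrincipalName |
        Where-Object { $_.phoneType -eq 'mobile' }
}

# Usage (UPN and number are constructed placeholders):
# Connect-AuthMethodSession
# Set-UserMobilePhoneMethod -UserPrincipalName 'testuser@contoso.onmicrosoft.com' -PhoneNumber '+46234567890'
```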

As Microsoft has stated here, more methods will be added to these API calls in the future, which many of us will appreciate.