Category: Security

I got request form IT Security team to block DNS query malware in DNS Service.

They guide me with follow this link. 

ex: Add-DnsServerQueryResolutionPolicy -Name “BlockListPolicy” -Action IGNORE -FQDN “EQ,*.onion” -PassThru

Unfortunately, this PowerShell command works only Windows server 2016 or greater.

For previous versions read those articles:

third-party DNS firewall:




DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations.

DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It cannot spy on an attacker either, as an EDR or HIDS/HIPS would. It rather provides a forensically relevant snapshot of machines running Microsoft Windows.



Microsoft has release a new PS  module to manage Azure Information Protection : AIPService. At the same time, MS is deprecating the previous AIP module called AADRM (for the 15th, July  2020).


Reference article:


# Set a password to expire

Run one of the following commands:

To set the password of one user so that the password expires, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies None

To set the passwords of all users in the organization so that they expire, use the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies None


# Set a password to never expire

Run one of the following commands:

To set the password of one user to never expire, run the following cmdlet by using the UPN or the user ID of the user:

Set-AzureADUser -ObjectId <user ID> -PasswordPolicies DisablePasswordExpiration

To set the passwords of all the users in an organization to never expire, run the following cmdlet:

Get-AzureADUser -All $true | Set-AzureADUser -PasswordPolicies DisablePasswordExpiration


Passwords set to -PasswordPolicies DisablePasswordExpiration still age based on the pwdLastSet attribute. If you set the user passwords to never expire and then 90+ days go by, the passwords expire. Based on the pwdLastSet attribute, if you change the expiration to -PasswordPolicies None, all passwords that have a pwdLastSet older than 90 days require the user to change them the next time they sign in. This change can affect a large number of users.

# To get if password will expire for a user

Get-AzureADUser -ObjectId <user id or UPN> | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}

# To get a report of all the users with PasswordNeverExpires in HTML

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
} | ConvertTo-Html | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.html

# To get a report of all the users with PasswordNeverExpires in CSV

Get-AzureADUser -All $true | Select-Object UserprincipalName,@{
N=”PasswordNeverExpires”;E={$_.PasswordPolicies -contains “DisablePasswordExpiration”}
} | ConvertTo-Csv -NoTypeInformation | Out-File $env:userprofile\Desktop\ReportPasswordNeverExpires.csv


Reference article:



To configure Intune to enroll devices with internal PKI certificates and with SCCM in co-management mode read first the articles below:


NDES troubleshooting articles:

Note : a GitHub script to validate the NDES configuration: Validate-NDESConfiguration.ps1.



Azure AD password protection is now generally available:


Azure AD password protection – how to eliminate bad passwords:

Architecture (to cover also onprem AD domain controllers):




Eliminate bad passwords in your organization:


Azure AD Password protection monitoring:


Azure AD password protection troubleshooting:



Microsoft has recently announced the public preview of Azure Active Directory’s passwordless login. This new capability enables your employees to use external security keys to sign into their Azure Active Directory-Joined Windows 10 machines (running version 1809 or higher) and get single sign-on to their cloud resources. They can also sign into Azure AD-connected apps on supported browsers including the latest versions of Microsoft Edge and Mozilla Firefox.

You can learn more about how it works here:

To help get you started, MS partners are offering promotions so you can try out their solutions:

  1. For a limited time, Yubico is offering complimentary YubiKey Starter Kits to organizations with Microsoft 365 customers who are interested in beginning their passwordless journey. The starter kit includes the YubiKey 5 NFC and YubiKey 5C. You can learn more about Yubico’s promotion here:
  2. FEITIAN is offering the first 500 Microsoft referred clients limited-time promotional discounts of more than 30% for Fingerprint Biometric Passwordless Security Keys. Visit
  3. HID Global will take 10% off the manufacturer’s suggested retail price (MSRP) for orders above 500 Crescendo C2300 cards or the Crescendo Key, until August 16, 2019. Learn more at


TechNet article how-to:




Need 2012 R2 Domain functional level on the forest to use authentication silos/policies

Their are part of the configuration partition (so, at the forest level), replicated on all domain controllers