microsoft / Microsoft-Defender-for-Identity

Additional resources to improve customer experience with Microsoft Defender for Identity
MIT License
92 stars, 24 forks

BUG when trying to find the CA Server group and the Domain Controllers group in non-English domains #13

Status: Open. fabricio-sasaki opened this issue 1 day ago

fabricio-sasaki commented 1 day ago

I am reporting a bug in Microsoft Defender for Identity: the PowerShell commands don't work in non-English domains, for example Italian, Spanish and Portuguese.

Reason: there is an error when the domain is in Portuguese (Brazil), because the "Cert Publishers" group is called "Editores de Certificados" in PT-BR and "Domain Controllers" is called "Controladores de domínio", so the script didn't find the CA server when the domain is in another language. This includes domains in Spanish as well.

Two examples with the Identity scripts:

Example 1: c:\Test-MdiReadiness.ps1 -OpenHtmlReport -verbose

Result:

PS C:\Windows\system32> c:\Test-MdiReadiness.ps1 -OpenHtmlReport -verbose
VERBOSE: Performing the operation "Create MDI related configuration reports" on target "RITRAMABR1.LOCAL".
VERBOSE: Searching for Domain Controllers in RITRAMABR1.LOCAL
VERBOSE: Found 2 Domain Controller(s)
VERBOSE: Testing server requirements for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Testing power settings for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Testing advanced auditing for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Testing NTLM auditing for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Testing certificates readiness for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Testing MDI sensor for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Testing capturing component for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Getting virtualization platform for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Getting Operating System for RITRAMABR02.RITRAMABR1.LOCAL
VERBOSE: Testing server requirements for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Testing power settings for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Testing advanced auditing for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Testing NTLM auditing for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Testing certificates readiness for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Testing MDI sensor for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Testing capturing component for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Getting virtualization platform for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Getting Operating System for BR1-SE-AD.RITRAMABR1.LOCAL
VERBOSE: Getting MDI related ADFS auditing configuration
VERBOSE: Getting MDI related DS Object auditing configuration
VERBOSE: Getting MDI related Exchange auditing configuration
VERBOSE: Getting AD Schema Version
VERBOSE: Searching for CA servers in RITRAMABR1.LOCAL
VERBOSE: Cannot validate argument on parameter 'Identity'. The argument is null or an element of the argument collection contains a null value.
VERBOSE: Found 0 CA server(s)
VERBOSE: Creating detailed json report: .\mdi-RITRAMABR1.LOCAL.json
VERBOSE: Creating html report: .\mdi-RITRAMABR1.LOCAL.html
False

Example 2: Test-MDIConfiguration -Mode Domain -Configuration All

Result:

PS C:\Windows\system32> Test-MDIConfiguration -Mode Domain -Configuration All
Get-GPPermission : The operation cannot be completed because "Cert Publishers" is not a valid security group in the RITRAMABR1.LOCAL domain. Make sure that the TargetName and TargetType parameters specify a valid security group for the domain. Then, run the command again.
Parameter name: targetName
At C:\Program Files\WindowsPowerShell\Modules\DefenderForIdentity\1.0.0.1\DefenderForIdentity.psm1:1675 char:13
Get-GPPermission : The operation cannot be completed because "Domain Controllers" is not a valid security group in the RITRAMABR1.LOCAL domain. Make sure that the TargetName and TargetType parameters specify a valid security group for the domain. Then, run the command again.
Parameter name: targetName
At C:\Program Files\WindowsPowerShell\Modules\DefenderForIdentity\1.0.0.1\DefenderForIdentity.psm1:1675 char:13

SamErde commented 1 day ago

I just submitted a fix PR for this. For now, you can try it by downloading the updated Test-MdiReadiness.ps1 directly from my branch.

It works by finding the well-known SID of the Cert Publishers group in your domain and then getting group members by SID instead of name. Let me know if that solves your issue!
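As an added example (not the repository's script and not the code in SamErde's branch), the following PowerShell sketch shows the by-SID approach described in the comment above, and also applies it to the Domain Controllers group and to the Get-GPPermission call from the second trace in the issue. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the function names and the GPO name in the usage lines are assumptions. The RIDs 516 (Domain Controllers) and 517 (Cert Publishers) are the documented well-known relative IDs.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not code from the Microsoft-Defender-for-Identity repository.
# Resolves well-known domain groups by their stable RID instead of their English
# display name, so lookups also work in localized domains (PT-BR, ES, IT, ...).
# Assumes RSAT (ActiveDirectory + GroupPolicy modules) and read access to the domain.
# Function names and the sample GPO name below are hypothetical.

function Get-WellKnownDomainGroup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DomainControllers', 'CertPublishers')]
        [string] $Group,

        # Optional domain FQDN; defaults to the domain of the current user.
        [string] $Domain
    )

    # Well-known RIDs are stable across languages; only the display name is localized.
    $rid = @{ DomainControllers = 516; CertPublishers = 517 }[$Group]

    # Only pass -Identity/-Server when a domain was given, so the defaults still apply.
    $domainArgs = @{}
    if ($Domain) { $domainArgs['Identity'] = $Domain }
    $domainSid = (Get-ADDomain @domainArgs).DomainSID.Value

    # Group SID = <domain SID>-<RID>, e.g. S-1-5-21-...-517 for Cert Publishers.
    $groupSid = '{0}-{1}' -f $domainSid, $rid

    $groupArgs = @{ Identity = $groupSid; Properties = 'Members' }
    if ($Domain) { $groupArgs['Server'] = $Domain }

    try {
        Get-ADGroup @groupArgs
    }
    catch {
        # Report the SID that failed instead of the bare "null Identity" error seen in the trace.
        throw "Could not resolve group '$Group' (SID $groupSid): $($_.Exception.Message)"
    }
}

function Get-WellKnownDomainGroupMember {
    # Returns the members (for CertPublishers: the CA servers) regardless of locale.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('DomainControllers', 'CertPublishers')]
        [string] $Group,
        [string] $Domain
    )

    $adGroup = Get-WellKnownDomainGroup -Group $Group -Domain $Domain
    $memberArgs = @{ Identity = $adGroup.DistinguishedName; Recursive = $true }
    if ($Domain) { $memberArgs['Server'] = $Domain }
    Get-ADGroupMember @memberArgs
}

function Get-GpoPermissionForWellKnownGroup {
    # Get-GPPermission resolves -TargetName by name, so hand it the localized
    # sAMAccountName obtained through the SID (e.g. "Editores de Certificados" in PT-BR)
    # rather than the hard-coded English string that fails in the issue above.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)]
        [ValidateSet('DomainControllers', 'CertPublishers')]
        [string] $Group,
        [string] $Domain
    )

    $adGroup = Get-WellKnownDomainGroup -Group $Group -Domain $Domain
    $gpArgs = @{ Name = $GpoName; TargetName = $adGroup.SamAccountName; TargetType = 'Group' }
    if ($Domain) { $gpArgs['Domain'] = $Domain }
    Get-GPPermission @gpArgs
}

# Usage (hypothetical GPO name): list the CA servers, then read a GPO's permission
# entry for the localized Domain Controllers group.
Get-WellKnownDomainGroupMember -Group CertPublishers | Select-Object Name, objectClass
Get-GpoPermissionForWellKnownGroup -GpoName 'MDI Auditing Policy' -Group DomainControllers
```

The design point is that the SID, not the name, is the stable identifier for built-in groups: resolving by SID first and then passing whatever localized name comes back to name-based cmdlets removes the dependency on the domain's display language.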