Microsoft Ships a Record 570 CVEs and Three Zero Days in One Patch Tuesday, PSGuerrilla is Now Guerrilla
+Microsoft.Graph PowerShell SDK 2.38.1 Released
Congrats to all of the renewed MVPs this week! I was also renewed myself :) As I said on LinkedIn, it is a privilege to be a part of this community. I do fundamentally believe PowerShell is a force for good in the world. Thanks to Jake Hildreth, Sam Erde, Aleksandar Nikolić, Andreas Dieckmann, Andreas, Andrew Pla, Barbara Forbes, Bart Pasmans, Bas Wijdenes, Ben Reader, Björn Sundling, Brad Wyatt, Chris Bergmeister, Chrissy LeMaire, Christian Ritter, Clayton Tyger, Daniel Schroeder, David Sass, Emanuel Palm, Erik Graa, Fabian Bader, Fabien Tschanz, Frank Lesniak, Gilbert Sanchez, Hailey Phillips, Harm Veenstra, James Petty, Jeff Hicks, Jorge Suarez, Josh Hendricks, Justin, Marc-André Moreau, Mark Orr, Matthew Dowst, Rob Sewell, Simon Wåhlin, Stephen Valdinger, and Steven Judd for the blogs, the modules, the podcasts, the conference talks, and the willingness to answer questions. Going together goes farther. Also, sorry if I missed you on that list :)
PSGuerrilla is Now Guerrilla
PSGuerrilla is now Guerrilla. If you have it installed, that’s the part that affects you: the PSGallery package name changed, so it’s Install-PSResource Guerrilla now. The old PSGuerrilla listing stays up pointing at the new one, but it won’t get updates. Gallery names are permanent and there’s no redirect, so this is a one time move I had to make by hand.
Why drop the PS? Because the prefix names the implementation language, not the job. That’s the right call for a utility library (PSReadLine really is PowerShell plumbing) and the wrong call for something trying to be a tool in its own right. Pester didn’t need it. dbatools didn’t need it. The tell was that everything around the project had already dropped it without asking me: the domain has been guerrilla.army for a while, the philosophy has always been Guerrilla Zero Trust, and the module manifest was the last thing still introducing itself by its shell. The rename is the small story.
The bigger one is that I deleted about half the module. Guerrilla had sprawled into monitors, alert channels, schedulers, and threat feeds. That’s detection, which is a job other platforms do full time and better. I really wanted to do some monitoring piece to this project, but they are two different things that I feel like had to be separated. The exported surface went from 67 commands to 34, and everything that survived serves one loop: assess, score, compare, report. Deleting code you wrote is harder than writing it (like scary in a way, but also I hate scoping something back because I always want to go big). It was still the right call, and the module is better for being smaller.
What’s left, honestly stated: 636 checks across Active Directory, Entra ID / M365, and Google Workspace, mapped to CISA SCuBA, EIDSCA, CIS, NIST SP 800-53, and MITRE ATT&CK. 1,829 golden fixtures gate every release, because a check that renders a verdict nobody tested is just an opinion with a color attached (this is how I’m checking things that I can’t yet validate in a production environment because I don’t have it in a production environment). When a check cannot assess something, it says Not Assessed and stays out of the score. Absence of evidence is never a pass. I’ll be talking through the whole philosophy behind it next week at Midwest Tech Talk.
That said, I could really use your help! I would love to add more contributors to Guerrilla to make useful for everyone around the world. Check out the repo here: https://github.com/jimrtyler/guerrilla
Microsoft Ships a Record 570 CVEs and Three Zero Days in One Patch Tuesday
Tuesday’s Patch Tuesday came in at 570 vulnerabilities across Windows, SharePoint Server, Office, .NET, Visual Studio, SQL Server, and the rest of the Microsoft catalog. That is roughly triple last month and easily the largest single release on record. Three of them are zero days. Two are being actively exploited: CVE-2026-56155, an AD FS elevation of privilege bug that Microsoft’s own DART team discovered while investigating live incidents, and a SharePoint Server on premise flaw. The third is a publicly disclosed BitLocker bypass. If you run AD FS or on premise SharePoint, patch this weekend. Microsoft also confirmed the volume is partly the output of their AI assisted vulnerability discovery pipeline, so this is likely the new normal.
Huntress Catches a Threat Actor Deploying AI Generated PowerShell Against Active Directory
This one deserves your full attention. Huntress recovered a PowerShell script called Untitled1.ps1 from a real intrusion in early June, and Jevon Ang and Dray Agha published the full breakdown this week. The script is a textbook Active Directory enumeration tool, complete with a cascading five step fallback for locating the domain controller, and it is almost certainly AI generated. The tells include an unedited placeholder server name the attacker never bothered to change and an internal title that reads “100% Working AD Information Gathering Script - FULLY FIXED.”
👉 https://thehackernews.com/2026/07/attacker-uses-suspected-ai-generated.html
Write the Test First: Robert Prüst on Pester, PSConf, and Learning in Public
Andrew Pla and Robert Prüst spend an hour on Pester and why testing is the essential safety net for AI generated PowerShell. Given the Huntress story this week, the timing is uncomfortably good. 👉
Tony Redmond on Identifying Obsolete SharePoint Sites with PowerShell
Tony wrote up a Reddit question about identifying obsolete SharePoint Online sites and turned it into a full walkthrough for scanning a tenant with PowerShell. He pulls usage data from the Graph, cross references it against basic site properties from SharePoint, and lands on a report an admin can act on. The example filters for sites owned by inactive users with less than a gigabyte of data and no modifications since 2024, but the pattern is the useful part. Get-MgSite, Entra ID app registration, application permissions, hash table processing. Practical.
👉 https://office365itpros.com/2026/07/13/find-obsolete-sites/
Entra Connect Sync 2.6.84 Fixes What 2.6.79 Broke
A few weeks ago Microsoft released Entra Connect Sync 2.6.79, discovered a bug, and pulled it. Version 2.6.84 shipped Tuesday as the corrected release. If you deferred the last update cycle because of the pulled build, this is your green light. Andres has the release notes and installer link.
👉 https://blog.icewolf.ch/archive/2026/07/14/entra-connect-sync-2-6-84-released/
Fred Weinmann Wraps Seven Years of Work on the Active Directory Management Framework
Friedrich Weinmann from Microsoft Security Automation took over PowerShell Wednesday this week to walk through Active Directory Management Framework, the configuration as code project he has been building for seven and a half years. This week’s milestone ships the last major security piece the framework needed, and Fred rebuilt the website at admf.one in the same push. The pitch is straightforward. Put your entire AD topology, group policies, access rules, schema extensions, and delegations into source control, generate a diff between the plan and what is actually in your domain, then decide which changes you want to apply. This is where ADMF beats Desired State Configuration for real world AD work. DSC is all or nothing. ADMF lets you accept the seven changes you can push today and defer the three that depend on another team. Works for a single forest or for hundreds of them, runs locally or from a remote machine without a trust required, and Fred demoed the whole loop live against a real domain.
Microsoft.Graph PowerShell SDK 2.38.1 Released
A point release addressing issues in 2.38.0 shipped Monday. Andres notes both the Microsoft.Graph and Microsoft.Graph.Beta modules are updated. Given how many admins run into odd behaviors after the 2.38 line dropped in June, this is worth pulling into your baseline.
👉 https://blog.icewolf.ch/archive/2026/07/13/microsoft-graph-powershell-modules-2-38-1-released/
Harm Veenstra Renewed as Microsoft MVP for 2026-2027
Great community news to close on. Harm Veenstra, who runs PowerShellIsFun.com and produces some of the most consistently useful practical PowerShell writing anywhere, was renewed as a Microsoft MVP for another year on Wednesday (yes, I noted above already, but he has a blog post on it haha). Harm has been publishing weekly on his blog for years, and his consistency is a big part of what makes him a community anchor. Congratulations.
👉 https://powershellisfun.com/2026/07/16/microsoft-powershell-mvp-2026-2027/
Events
Midwest Tech Talk 2026 | July 19 to 21, 2026 | Lake of the Ozarks, Missouri I am speaking at this one - actually keynoting :)
👉 https://www.midwesttechtalk.com/
MMS Midway | October 25 to 28, 2026 | San Diego, California
The classic endpoint management and PowerShell conference moves to San Diego this fall.
👉 https://mmsmoa.com/
SpiceWorld 2026 | November 12 to 13, 2026 | Austin, Texas
Jeff Hicks is returning to Austin this fall to talk PowerShell at the annual Spiceworks community event.
👉 https://www.spiceworks.com/spiceworld/
Zero Trust World 2027 | February 17 to 19, 2027 | Orlando, Florida
👉 https://ztw.com/
PowerShell + DevOps Global Summit 2027 | April 5 to 8, 2027 | Orlando, Florida
The flagship US PowerShell event moves to the Sheraton Lake Buena Vista in Orlando.
👉 https://powershellsummit.org/
PSConfEU 2027 | Dates and location to be announced SynEdgy is organizing the eleventh edition of PowerShell Conference
👉 https://psconf.eu/




