Windows security topics Windows security topics Tue, 26 Oct 2021 17:23:41 GMT Windows-10-security 2021-10-26T17:23:41Z This site has been reported as unsafe <P>hie, got a website that was hacked couple of months ago, we lost every data .so we decided to change the server and build another from scratch, git a new ssl and all but only when I visit the website using edge its showing unsafe website .</P><P>how&nbsp; can i get rid of this&nbsp; error</P> Tue, 26 Oct 2021 17:19:45 GMT code_slayer 2021-10-26T17:19:45Z I want my own username back <P>Recently, I was trying to enter my password to sign into my account and came upon a different question.&nbsp; I clicked on it trying to find out more then found I opened a hornet's nest!&nbsp; What I had done was to give me a "split personality" one being an administrator. Now I find I cannot get into my account or indeed anything. Using all of the usernames I know, I just cannot open anything. I've tried everything including many hours on most parts of M.S. help and I am more confused than ever. 
All I need to know is how can I go back to my original username and cancel the dual profile situation that I find myself in.</P> Tue, 19 Oct 2021 05:59:54 GMT aerolit50gmailcom 2021-10-19T05:59:54Z M Defender is blocking an old file from Web Cam Trust called "14382-03_02.exe" <P>hi,</P><P>how could i install this file 14382-03_02.exe to start using my web cam in w10?&nbsp;</P><P>&nbsp;</P><P>i get a message saying that this application has been blocked to protect me.</P><P>&nbsp;</P><P>i am running the pc as the administrator.</P><P>&nbsp;</P><P>thank you for any help, Juan</P> Sun, 17 Oct 2021 14:35:12 GMT juan jimenez 2021-10-17T14:35:12Z Event id 4625 is not being genertaed when I rdp the host with correct username and wrong password <P>Event id 4625 is not being genertaed when I rdp the host with correct username and wrong password</P><P>But</P><P>when i use wrong username event id 4625 is being generated what could be the probable cause for this</P><P>&nbsp;</P><P>when i do interactive login(locally) with correct username and wrong password 4625 is being generated</P> Tue, 28 Sep 2021 09:29:48 GMT deepak198486 2021-09-28T09:29:48Z Enable Bitlocker on devices without TPM - Standard Users <P>Hello,&nbsp;</P><P>We are in the process of migrating our Drive Encryption solution to Bitlocker. We successfully migrated the majority of our clients with TPM to Bitlocker by using Intune Configuration Profiles.&nbsp;</P><P>The issue we are facing now is that we need to enable Bitlocker on devices without TPM. 
Users are not local admins so they cannot complete the Bitlocker Wizard.</P><P>I have played around with different Intune Profiles, Encryption Policies and custom OMA-URI but the closest I get is through the first prompt regarding 3rd party encryption and then I get UAC prompt to elevate.&nbsp;</P><P>&nbsp;</P><P>Is there a configuration that allows me to enable Bitlocker on devices that do not have TPM, without requiring IT to have to manually touch each device?</P><P>&nbsp;</P><P>Some screenshot of settings below... I have tried with the "Compatible TPM Startup" as Blocker / Not Configured / Allowed...&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Gian202b_0-1631906302779.png" style="width: 400px;"><img src=";px=400" role="button" title="Gian202b_0-1631906302779.png" alt="Gian202b_0-1631906302779.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Gian202b_1-1631906417758.png" style="width: 400px;"><img src=";px=400" role="button" title="Gian202b_1-1631906417758.png" alt="Gian202b_1-1631906417758.png" /></span></P><P>&nbsp;</P> Fri, 17 Sep 2021 19:25:11 GMT Gian202b 2021-09-17T19:25:11Z Block malware filehash values using applocker <P>Hi All, is there a way we can block malware filehash values using Applocker GPO without having to locate or have a actual copy of the malware file ? appreciate your response... cheers..&nbsp;</P> Tue, 24 Aug 2021 00:40:02 GMT hari-siva 2021-08-24T00:40:02Z File Scanner <P>Hello Everyone,</P><P>&nbsp;</P><P>Hope you guys are doing well !</P><P>&nbsp;</P><P>Can anyone please let me know how&nbsp; we can scan files more than 1 GB in size, like virus total is having a file size limit of 650 MB. But what in case i want to scan files which are more than 650 MB in size? 
Any leads would be greatly appreciated.</P><P>&nbsp;</P><P>Thank you advance</P><P>Amol</P> Wed, 28 Jul 2021 10:41:18 GMT AmolB25 2021-07-28T10:41:18Z BitLock-Wiederherstellung - Schlüssel nicht vorhanden <P>Ich habe eine Frage bezüglich BitLocker: Mein Laptop ist seit gestern durch BitLock gesperrt. Ich habe meinen Rechner nicht über einen Windows-Account registriert - daher ist der Schlüssel nicht über den Account abrufbar. Bei der Einrichtung des Rechners habe ich BitLocker nicht aktiviert. Mir ist es also schleierhaft, wie das passiert konnte. Allerdings liegt mir daher der Code auch nicht vor - da ich ihn ja nicht bei der Einrichtung aktiviert und damit abspeichert konnte. Warum der Schlüssel auf einmal abgefragt wurde, ist mir auch nicht klar. Ich vermute, es liegt an dem letzten Update.</P><P>Nun ist der Rechner komplett gesperrt und der Support konnte mir bis jetzt nicht helfen.</P><P>Gibt es ein Möglichkeit einer Fehlerbehebungs- und Wiederherstellungsoption im BIOS.</P><P>Der Lenovo Support meinte, dass es über Preinstalled OS Licence eine Möglichkeit gibt.</P><P>Ich hoffe hier kann mir jemand helfen. Vielen Dank und beste Grüße!</P> Mon, 23 Aug 2021 09:42:06 GMT KRouk 2021-08-23T09:42:06Z Risk of cookies, trackers; Should clearing cache be part of IR. <P>DShield's Aug 5th, '21 article mentions cookies on a phishing page. It made me think if they should be considered for incident response. Example, defender alerts a user clicked a link. Proxy logs show they visited and no other traffic, referrals, posts, etc. The user didn't download the phishing document. Generally, analysis concludes the risk has ended, no further action to take. Yet, would a malicious site leverage cookies, trackers, and similar objects. 
Should incident response include clearing cookies and cache?</P> Fri, 06 Aug 2021 14:32:07 GMT JimLeary 2021-08-06T14:32:07Z Microsoft Security issues - File lists <P>Hi,</P><P>Has others fighting with the Microsoft's CSV files when trying to check the files related to updates. Let us the latest printing nightmare issue as an example:&nbsp;<A href="#" target="_self">July 6, 2021—KB5004946...</A>&nbsp;</P><P>On bottom you have the "File Information", and there is a link to the CSV file.</P><P>&nbsp;</P><P>When you download the file, you are getting a file which contains line like followings:</P><P><FONT color="#0000FF">Windows 10 version 1909 x86-based Out-of-band,,,,</FONT><BR /><FONT color="#0000FF">File name,File version,Date,Time,File size</FONT><BR /><FONT color="#0000FF">Microsoft.HyperV.PowerShell.Cmdlets.resources.dll,10.0.18362.959,7-Jul-2020,7:05,"76,800"</FONT></P><P><FONT color="#0000FF">.</FONT></P><P><FONT color="#0000FF">.</FONT></P><P><FONT color="#0000FF">Windows 10 version 1909 x64-based Out-of-band,,,,</FONT><BR /><FONT color="#0000FF">File name,File version,Date,Time,File size</FONT><BR /><FONT color="#0000FF">aagwrapper.dll,10.0.18362.1049,17-Aug-2020,0:44,"67,072"</FONT></P><P><FONT color="#0000FF">.</FONT></P><P><FONT color="#0000FF">.</FONT></P><P>&nbsp;</P><P>So they basically have multiple CSV files in one file.</P><P>&nbsp;</P><P>How cool it would be, if they are publishing these files so that OS version is one of the column instead of own line? And then they do have one big CSV file. Something like following:</P><P><FONT color="#0000FF">Windows OS, File name,File version,Date,Time,File size</FONT></P><P>Then it would be possible to use PS against that file directly. 
You only need to do filtering based your OS version.</P><P>&nbsp;</P><P>#DoLessDoSmarter</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 05 Aug 2021 15:31:52 GMT Petri X 2021-08-05T15:31:52Z Windows Defender: Although folder excluded files are scanned <P>Hi</P><P>&nbsp;</P><P>Having Windows Defender running on a server 2016.</P><P>Excluded a folder: s:\database\application\data</P><P>Verified in the logfile C:\ProgramData\Microsoft\Windows&nbsp;Defender\Support</P><P>the exclusion:</P><LI-CODE lang="applescript">2021-07-22T00:22:08.983Z [Exclusion] s:\database\application\data -&gt; \Device\HarddiskVolume6\database\application\data</LI-CODE><P>&nbsp;</P><P>So far so good.</P><P>But found afterwards log-entries like:</P><LI-CODE lang="applescript">2021-07-28T05:14:04.851Z [Mini-filter] Unsuccessful scan status: \Device\HarddiskVolume6\database\application\data\subfolder\00000001000001A300000026. Process: (unknown), Status: 0xc000004b, State: 0, ScanRequest #382525762, FileId: 0x27bb0000000079e4, Reason: OnClose, IoStatusBlockForNewFile: 0xffffffff, DesiredAccess:0x0, FileAttributes:0x20, ScanAttributes:0x10, AccessStateFlags:0x801, BackingFileInfo: 0x0, 0x0, 0x0:0\0x0:0</LI-CODE><P>&nbsp;</P><P>Does Windows Defender scans the file although the parent folder is excluded?</P><P>If yes what can I do to avoid scanning of the files in the folder s:\database\application\data and it's subfolders?</P><P>Thanks for info</P><P>&nbsp;</P><P>&nbsp;</P><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content">Is my interpretation of the logfile correct:</DIV><DIV class="lia-message-body-content">Window Defender scans the file?</DIV></DIV><P>&nbsp;</P> Mon, 16 Aug 2021 14:12:59 GMT Vik 2021-08-16T14:12:59Z Defender webfilter: Blocking legitimate urls <P>We have two URLs:&nbsp;&nbsp;<SPAN> and&nbsp;</SPAN><SPAN> getting blocked 
by windows defender web filter. These are completely safe and legitimate URLs responsible for providing important services to our website. How do I submit these URLs for re-evaluation so that they can be whitelisted at a global level for our customers?</SPAN></P><P>&nbsp;</P><P><SPAN>I have attached the screenshot of the error message.</SPAN></P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P> Thu, 29 Jul 2021 12:09:40 GMT suyash1590 2021-07-29T12:09:40Z What is this Windows Defender that breaks with one button? <P><SPAN class=""><SPAN>Hi everyone!</SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="">Why does&nbsp;</SPAN><STRONG>Windows Defender</STRONG><SPAN>&nbsp;breaks with one button in the&nbsp;</SPAN><STRONG>Win 10 Tweaker</STRONG><SPAN>&nbsp;program?</SPAN></P><P>If Windows Defender breaks easily with&nbsp;<STRONG>Win 10 Tweaker</STRONG>, it can break with another program too...</P><P>&nbsp;</P><P><STRONG>Why is Windows Defender so weak?</STRONG></P> Sun, 25 Jul 2021 08:04:00 GMT Alex_Nameov 2021-07-25T08:04:00Z hacked via DEV. TOOLS. <P>CAN ANYONE HELP ME CHANGE MY I.P. BACK TO THE ORIGINAL? THIS GUY CHANGED MY I.P. AND CONTINUES TO HACK ME. I AM DEAD IN THE WATER BECAUSE OF THIS. PLEASE LET ME KNOW ANY INFO. THANK YOU.&nbsp;</P> Thu, 22 Jul 2021 05:44:07 GMT Duke12016 2021-07-22T05:44:07Z Local Administrator Password Solution locks my domain administrator <P>Hi everyone,</P><P>&nbsp;</P><P>We deployed LAPS in our environment, I installed the management on our domain controller.</P><P>My problem is, if I need to login to a managed computer with the local administrator it locks my domain administrator account... I don't understand why.</P><P>&nbsp;</P><P>Googling this didn't help me. 
Can anyone help?</P><P>&nbsp;</P><P>Rahamim.</P> Tue, 13 Jul 2021 09:07:54 GMT RahamimL 2021-07-13T09:07:54Z PrintNightmare for administrators: Trying to sum up the current knowledge for decision-making: <P>Hi guys,</P><P>I wrote this blog post in the hope of making it possible to make decisions on how to mitigate PrintNightmare, while waiting for an official patch from Microsoft.</P><P>I hope it's useful :)</img></P><P><A href="#" target="_blank"></A></P> Mon, 05 Jul 2021 09:48:08 GMT Martin Jeppesen 2021-07-05T09:48:08Z The Microsoft Attack Surface Analyzer in practice! <P>&nbsp;</P> <P>Dear Microsoft Security Friends,</P> <P>&nbsp;</P> <P>In this article I will describe how I used the Microsoft Attack Surface Analyzer. I know this is absolutely nothing spectacular, but I would like to share my experience with you.</P> <P>&nbsp;</P> <P>I have encountered the following situation at the customer:</P> <P><BR />A software provider had the order to install a new application on a server, so far everything was fine. <BR />Immediately the additional information came that still some telemetry data are collected. And now I quickly became extremely alert. I asked, what kind of telemetry data? How is it collected, by means of an agent? 
No question was answered correctly and I knew immediately that the Attack Surface Analyzer would be used.</P> <P>&nbsp;</P> <P>Let us now start with the setup of the Microsoft Attack Surface Analyzer.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_1.JPG" style="width: 200px;"><img src=";px=200" role="button" title="ASA_1.JPG" alt="ASA_1.JPG" /></span></P> <P>1.&nbsp;We can find the tool on GitHub.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_2.JPG" style="width: 999px;"><img src=";px=999" role="button" title="ASA_2.JPG" alt="ASA_2.JPG" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>2.&nbsp;Navigate down to "Releases".</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_3.JPG" style="width: 879px;"><img src=";px=999" role="button" title="ASA_3.JPG" alt="ASA_3.JPG" /></span></P> <P>&nbsp;</P> <P>3. Klick on Tags.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_4.JPG" style="width: 905px;"><img src=";px=999" role="button" title="ASA_4.JPG" alt="ASA_4.JPG" /></span></P> <P>&nbsp;</P> <P>4. Move down to the latest (not beta) version.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_5.JPG" style="width: 846px;"><img src=";px=999" role="button" title="ASA_5.JPG" alt="ASA_5.JPG" /></span></P> <P>&nbsp;</P> <P>5. 
Download the (in my case the Windows Version) .zip file to the server where you want to run the scan.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_6.JPG" style="width: 917px;"><img src=";px=999" role="button" title="ASA_6.JPG" alt="ASA_6.JPG" /></span></P> <P>&nbsp;</P> <P>6.&nbsp;Now extract the zip file.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_7.JPG" style="width: 537px;"><img src=";px=999" role="button" title="ASA_7.JPG" alt="ASA_7.JPG" /></span></P> <P>&nbsp;</P> <P>7.&nbsp;Start a command prompt with elevated privileges and navigate to the folder with the extracted files.&nbsp;Enter the following: asa.exe gui</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_8.JPG" style="width: 649px;"><img src=";px=999" role="button" title="ASA_8.JPG" alt="ASA_8.JPG" /></span></P> <P>&nbsp;</P> <P>8.&nbsp;The browser starts and you are on the home page. Click on "Get Started".</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_9.JPG" style="width: 999px;"><img src=";px=999" role="button" title="ASA_9.JPG" alt="ASA_9.JPG" /></span></P> <P>&nbsp;</P> <P>9.&nbsp;Now we create the "before" scan, that is before the app is installed and whatever else is installed that we don't know. For "Scan Type" I have selected "Static Scan". At "Choose Collectors" select the options that are important for you (in this example I have selected all of them) and click "Collect Data".&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_10.JPG" style="width: 999px;"><img src=";px=999" role="button" title="ASA_10.JPG" alt="ASA_10.JPG" /></span></P> <P>&nbsp;</P> <P>10.&nbsp;After the app and other programs are installed, create a new scan exactly the same as in step 9.</P> <P>&nbsp;</P> <P>11.&nbsp;Now we can compare the results. Click on "Results" at the top of the browser. 
For "Base Run Id" select the first scan and for "Product Run Id" select the second. On the left select a collector e.g. "Files" and we can see immediately what has changed on the system!</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_11.JPG" style="width: 999px;"><img src=";px=999" role="button" title="ASA_11.JPG" alt="ASA_11.JPG" /></span></P> <P>&nbsp;</P> <P>12. Klick on "Registry".</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_13.JPG" style="width: 999px;"><img src=";px=999" role="button" title="ASA_13.JPG" alt="ASA_13.JPG" /></span></P> <P>&nbsp;</P> <P>13. Klick on "Services".</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_14.JPG" style="width: 999px;"><img src=";px=999" role="button" title="ASA_14.JPG" alt="ASA_14.JPG" /></span></P> <P>&nbsp;</P> <P>14. Klick on "Firewall".</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ASA_15.JPG" style="width: 999px;"><img src=";px=999" role="button" title="ASA_15.JPG" alt="ASA_15.JPG" /></span></P> <P>&nbsp;</P> <P>These were just a few examples. Of course, I invite you to examine the other collectors as well. But we have seen how great this tool is, it shows us exactly what changes have been made to the system by installing the software! Bingo!</P> <P>&nbsp;</P> <P>I am absolutely aware that this is nothing spectacular. I just wanted to share a few impressions with you.</P> <P>&nbsp;</P> <P>I hope this article was useful. Best regards, Tom Wechsler</P> Sat, 03 Jul 2021 16:27:10 GMT TomWechsler 2021-07-03T16:27:10Z Turn off Windows 10 Locate Device in Intune <P>Hi,</P><P>&nbsp;</P><P>The new function in Intune for finding lost devices is great in some use cases. 
However, at other use cases I want to be able to:<BR /><BR /></P><P>- Turn this feature off IN Intune.</P><P>- Restrict the usage of the feature by scope tags or by RBAC</P><P>&nbsp;</P><P>Is it possible to do, today? If not, is it on the roadmap?</P><P>&nbsp;</P><P><A href="#" target="_blank">Find lost devices with Microsoft Intune - Azure | Microsoft Docs</A></P><P>&nbsp;</P> Wed, 23 Jun 2021 09:53:20 GMT Simon Håkansson 2021-06-23T09:53:20Z Microsoft Defender Blocking My Website <P>Hi folks,&nbsp;</P><P>&nbsp;</P><P>I apologize in advance if this isn't the proper forum for this type of question but I would appreciate any direction or input you might have.</P><P>&nbsp;</P><P>I am having an issue where my some (but not all) of my company's emails and web pages is being blocked by Microsoft Defender for Office 365. I have signed up for their junk and spam alerting service and not gotten anything back. Ideally I'd like a way to submit a claim to have my website globally whitelisted.</P><P>&nbsp;</P><P>It is incredibly inconvenient and honestly embarrassing to ask your customers to whitelist you in their anti-virus software in our security related industry.&nbsp;</P><P>&nbsp;</P><P>Any help or direction appreciated, thank you.</P> Tue, 15 Jun 2021 21:37:31 GMT sampittman 2021-06-15T21:37:31Z Windows Security and BitDefender automatically getting removed after Windows Update <P class="">Hi</P><P class="">&nbsp;</P><P>I have had to restore/reset my Windows 10 installation, at least 5 times in the last one year ! My laptop is a ThinkPad E14 with Windows 10 Pro.</P><P>&nbsp;</P><P>I have BitDefender Gravityzone Endpoint security installed and suddenly notice that the taskbar icon has disappeared. On searching, I find it has been uninstalled. 
I immediately do to Windows Security to enable Virus Protection, but the Security page shows up blank!</P><P>&nbsp;</P><P>Tried all options, including manually starting through Services, but could not get any security software to install or run. Ultimately had to do a System Restore or complete reset and then reinstall BitDefender Endpoint.</P><P>&nbsp;</P><P><STRONG>Ultimately found out that this problem occurs everytime a Windows Update is done, especially Security Update! This is not happening on any other PC of the company, where BitDefender Endpoint is installed. Even Windows Update stops working and shows error 0x80070424.</STRONG></P><P>&nbsp;</P><P>I have tried to search the net for a solution, but haven't been able to find any.</P><P>&nbsp;</P><P>Please help! Thanks.</P> Thu, 10 Jun 2021 10:14:57 GMT ashishbagaria 2021-06-10T10:14:57Z windows sever2016漏洞安全问题 <P>&nbsp;我的windows遭受了漏洞攻击,漏洞名称“<SPAN>NTP Ntp_request.c 远程拒绝服务漏洞”,但是现在windows并没有此漏洞的修复补丁。NTPd(Network Time Protocol daemon)是一个操作系统守护进程,它使用网络时间协议(NTP)与时间服务器的系统时间保持同步。NTP 4.2.7p26之前的版本中的ntpd守护进程中的ntp_request.c文件中的monlist功能中存在输入验证漏洞。远程攻击者可通过伪造REQ_MON_GETLIST或REQ_MON_GETLIST_1请求利用该漏洞造成拒绝服务。</SPAN></P><P><SPAN>希望windows尽快解决此问题。</SPAN></P> Mon, 31 May 2021 01:51:21 GMT lichenyu 2021-05-31T01:51:21Z CircleAuth - Adopt a faster Windows Hello experience - The mobile app authenticator <P><SPAN><STRONG><BR />UX - IF - UI _Security Design -<BR /><BR /></STRONG>"We the Users" may all want a new HELLO experience that lets' users have a much faster/easier quick login using Mobile Phone Authenticator + Cam&nbsp;&nbsp;| To Microsoft Development, will you design a HELLO experience that lets' user has a quick login using the interaction with the authenticator,&nbsp;&nbsp;The way I see it:<BR />- when the logon screen becomes visible with the PIN / Password input box</SPAN></P><P><SPAN>- specific symbols or markings are animated to go around CCW/CW the round avatar (user picture)</SPAN></P><P><SPAN>- a mobile app 
(authenticator) is used to pick up the symbols and begin negotiating/handshaking for the Hello login<BR /></SPAN></P><P>&nbsp;</P><P><SPAN>MSDEV: the 'round' user avatar that is presented at the log in screen may have a band or ring with good contrast security tokens that visually circle around the avatar picture - these may be the tokens that a mobile phone can interact with by using the mobile phone cam<BR /><STRONG><BR />For those interested in promoting this feature:</STRONG><BR />What we need is some animated logon picture that helps explain how we envision a log-in session with our mobile phone, using the authenticator app (Microsoft). If some symbols appear on the hello LOGIN screen, circling the avatar IE the round picture in the middle above the login box, this animation of some sort can be picked up by the mobile CAM and login&nbsp;immediately.<BR /><BR />This technique is gaining popularity as 2AF in all kinds of incarnations: QR code - any symbol that may be immediate connect like&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"></A><SPAN>&nbsp;</SPAN></P> Sun, 30 May 2021 12:22:43 GMT chargen 2021-05-30T12:22:43Z Microsoft Edge Defender Is Showing My Site As Unsafe <P class="">Ever since Edge went live, my website<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="nofollow noopener noreferrer"></A>&nbsp;shows as unsafe to anyone trying to access it.&nbsp; This problem is not just for people on a specific computer or people using a specific OS... 
anyone using Edge anywhere gets this popup.&nbsp;&nbsp;I have called numerous times.&nbsp; Most recently they created ticket #1022861212, transferred me 4 times to 4 different people and ultimately gave me a phone number that doesn't go anywhere.&nbsp; When trying to access my site, the red screen shows up stating my site is unsafe.&nbsp; There is a link on there where you can dispute the findings, I've since lost count how many times I've filled out that form.&nbsp; It doesn't seem like anything I do gets me any closer to getting this fixed.&nbsp; I have also double checked the SSL and it is enabled.&nbsp;&nbsp;</P><P>&nbsp;</P><P>At this point I'm really not sure what to do.&nbsp; I just need someone to actually view my site to&nbsp;see that my site is an informational site only where I display my work and that I don't gather any personal information at all and remove my site from the blacklist.&nbsp; Has anyone had a similar experience?&nbsp; If so, how did you get this removed?&nbsp; Aside from the usual generic articles about how to dispute this (that dont work) is there a way to escalate this and actually have a person review my site and remove it?</P> Thu, 20 May 2021 17:56:34 GMT AaronAguilar 2021-05-20T17:56:34Z SMB <P>Dear all,</P><P>I am using windows 10, but to access my NAS, I must enable SMB1.</P><P>What is risk if I connect on above? 
Please share for me your experience.</P><P>Thanks you,</P><P>&nbsp;</P> Thu, 13 May 2021 04:33:37 GMT Thao Dao Phuong 2021-05-13T04:33:37Z Phishing site screen <P>Hi any ideas who to contact to get this warning removed</P> Tue, 11 May 2021 17:18:39 GMT bokeye 2021-05-11T17:18:39Z Intune Bitlocker for USB/external drive (Missing policy for Azure AD Join scenario) <P><SPAN>When we enable intune policy: Block write access to devices configured in another organization in Intune Bitlocker policy</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Pa_D_1-1620147429993.png" style="width: 400px;"><img src=";px=400" role="button" title="Pa_D_1-1620147429993.png" alt="Pa_D_1-1620147429993.png" /></span></P><P>&nbsp;</P><P><SPAN>We also need to deploy an Onprem GPO policy: Provide unique identifier for your organization. </SPAN></P><P><SPAN>This will allow the PC to differentiate the Org it belongs to.</SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Pa_D_3-1620147536779.png" style="width: 400px;"><img src=";px=400" role="button" title="Pa_D_3-1620147536779.png" alt="Pa_D_3-1620147536779.png" /></span></P><P>GPO policy: Provide unique identifier for your organization is missing in Intune.</P><P>Because of this we cannot use Intune policy: Block write access to devices configured in another organization.</P><P>&nbsp;</P><P>Looking for suggestions how we implement Block write access to devices configured in another organization in Intune for Azure AD Join (not hybrid domain join)?</P><P>&nbsp;</P><DIV class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV><P>&nbsp;</P> Tue, 04 May 2021 17:19:14 GMT Pa_D 2021-05-04T17:19:14Z Is my sytem and folders visible on my network? And can a "hacker" access them? <P><SPAN>Dear everyone</SPAN></P><P>&nbsp;</P><P><SPAN>1.</SPAN><BR /><SPAN>Are those default shared folders in Windows? 
(The attached screenshot in the thread)</SPAN><BR /><BR /><SPAN>2.</SPAN><BR /><SPAN>Can those folders be compromised, infected etc. like regular shared folders? (The folders on the screenshot)</SPAN><BR /><BR /><SPAN>3.</SPAN><BR /><SPAN>File and Printer sharing is only available, when Network Discovery is turned ON?</SPAN><BR /><BR /><SPAN>4.</SPAN><BR /><SPAN>When Network Discovery is turned OFF, are the Default folders presented in the Command Prompt screenshot still accessable on the network?</SPAN><BR /><BR /><SPAN>5.</SPAN><BR /><SPAN>When Network Discovery is turned OFF, is it then impossible for a "hacker", who has access to my / is withtin my network, to see and locate my PC system?<BR /><BR />6.<BR />If a "hacker" has access to my network via Wi-fi password or cable, the person would still have to know my Windows user password, to be able to access my system?<BR /><BR />7.<BR />If a "hacker" don't have access to my network, the person would still have to know my Windows user password, to be able to access my system external / through the internet?<BR /><BR />Thanks in advance for replies<BR /><BR />Best regards</SPAN></P> Wed, 28 Apr 2021 15:53:23 GMT emil frederiksen 2021-04-28T15:53:23Z Exploit guard Hi dears. I got sad face cause i enabled windows defender exploit guard option on wininit rundll and dllhost. How to go around not even safe mode loads after win 10 blue icon disappears again i wonder what could ive done wrong again all was allowed now i forgot which option could been it cause some executables of windows microsoft dont need same options of exploit guard but i didnt do arbitary and code guard and strict config i didnt do import or export or win32k calls or child processes unless misclicked and eyes rolled. Please no image no restore no reinstall. Can i rename wininit to cmd and launch explorer while it loads and open windows defender? Some help similar like that much applazed. Plz. 
I hate there's no public claim of what exploit guard may do to computer exactly but that's why that's good but why be in windows itself broke it myself again. Now how fixy so i understand this? Tue, 27 Apr 2021 16:50:09 GMT igemxrozb 2021-04-27T16:50:09Z WDAC on TFS build servers <P>Hi,</P><P>I have been trying to implement WDAC (Windows Defender Application Control) onto our on prem TFS (2017) build servers (win2019 1809) with build agents. We had some initial problems getting jobs to push correctly to a build server with WDAC enabled, but this part is now resolved.</P><P>&nbsp;</P><P>However we are still seeing builds fail when they try to build due to WDAC.</P><P>For example when msbuild.exe tries to load a .dll file, the .dll is blocked by WDAC:</P><P>The errors we are seeing are: (&lt;removed&gt;=identifying data)</P><P>&nbsp;</P><P><EM>Event ID 3092: Code Integrity testing module \213\s\BuildTargets\Core\&lt;removed&gt;\&lt;removed&gt;Tasks.dll against policy DefaultWindowsAudit. Status System Integrity policy has been violated.</EM></P><P>&nbsp;</P><P><EM>Event ID 3033: Code Integrity determined that a process (\Device\HarddiskVolume4\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\MSBuild.exe) attempted to load \Device\HarddiskVolume7\213\s\BuildTargets\Core\&lt;removed&gt;Tools\&lt;removed&gt;Tasks.dll that did not meet the Enterprise signing level requirements.</EM></P><P>&nbsp;</P><P>I configured a managed installer to try to get around this issue and added in “MSBuild” as a managed installer which should have allowed any Dlls used by the MSBuild task:</P><P><A href="#" target="_blank"></A></P><P>&nbsp;</P><P>However it’s not working as the errors still occur and it hasn't solved the issue with the Event ID 3033 above.</P><P>&nbsp;</P><P>Any advice would be great.</P><P>Thanks.</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 22 Apr 2021 13:37:31 GMT da18ap 2021-04-22T13:37:31Z Start-MpScan fails but GUI scan works on server 2016 <P>I 
have a Windows Server 2016 that gets the following error when I run&nbsp;<STRONG>Start-MpScan -ScanType FullScan -Verbose</STRONG></P><P><BR /><FONT color="#FF0000"><EM>Start-MpScan : A general error occurred that is not covered by a more specific error code.</EM></FONT><BR /><FONT color="#FF0000"><EM>At line:1 char:1</EM></FONT><BR /><FONT color="#FF0000"><EM>+ Start-MpScan -ScanType FullScan -Verbose</EM></FONT><BR /><FONT color="#FF0000"><EM>+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</EM></FONT><BR /><FONT color="#FF0000"><EM>+ CategoryInfo : NotSpecified: (MSFT_MpScan:ROOT\Microsoft\...der\MSFT_MpScan) [Start-MpScan], CimExcepti</EM><EM>on</EM></FONT><BR /><FONT color="#FF0000"><EM>+ FullyQualifiedErrorId : MI RESULT 1,Start-MpScan</EM></FONT></P><P>&nbsp;</P><P>But if I go thru the GUI to run the full scan it completes with no issues in about the same time as it takes to generate the error above.&nbsp; I cannot find anything on the error MI RESULT 1.&nbsp; Any help is appreciated.</P> Sat, 17 Apr 2021 21:50:11 GMT MDoucet2 2021-04-17T21:50:11Z Explorer.exe class not registered? <P><SPAN>Ive had this erorr and have tried to follow the steps to fix it in other threads but none of them have worked. Ive tried to run the DISM/ System File Checker and it hasnt opened. I also tried to repair the DLL in CMD however CMD wouldnt open at all (neither did DISM). Then I tried to do the next step and make a new account however I couldnt do that either as clicking it and pressing enter didnt work. What should I do?&nbsp;</SPAN></P> Fri, 09 Apr 2021 19:38:39 GMT Hatchye13 2021-04-09T19:38:39Z WDAG not working with Office Apps <P>Untrusted sample documents are still opening in protected view and not Application Guard. I have application guard enabled on my test machine and group policy option for WDAG managed mode enabled and set to 3.&nbsp;<BR /><BR />WDAG works fine in Edge. 
Just can't get it to work for Office Apps.&nbsp;</P><P>&nbsp;</P><P>Any ideas?</P> Thu, 08 Apr 2021 20:32:34 GMT tgs-ts 2021-04-08T20:32:34Z Is my Windows user password protected, and what does it protect against? <P>Hello everyone<BR /><BR /></P><P>I can't figure out, if my Windows user is really password protected<BR /><BR /></P><P>I am using Microsoft Windows 10 Home<BR />I have only 1 local user / admin<BR /><BR /></P><P>If I shutdown PC, and turn on again, I don't have to enter password<BR />If I restart PC, I don't have to enter password<BR /><BR /></P><P>If I Windows key + L / log off, I see my Windows user and have to enter password</P><P>In Optins - Setting for logon - Password<BR />When I press change, it shows my user profile and asks for Current password<BR /><BR /></P><P>1)<BR />Is my Windows user password protected?<BR />2)<BR />Having a password protected Windows user, does is protect against other devices / hackers on the network from getting access to my system / files?<BR />3)<BR />Having a password protected Windows user, does is protect against other devices / hackers through the internet from getting access to my system / files?<BR /><BR /></P><P>Thanks in advance for replying<BR /><BR /></P><P>Best regards</P> Tue, 06 Apr 2021 12:17:32 GMT emil frederiksen 2021-04-06T12:17:32Z Defender Exploit Guard and Application Guard <P>Hi,</P><P>&nbsp;</P><P>I would like to know general usage on the two of the Defender features.</P><OL><LI>Exploit Guard</LI><LI>Application Guard</LI></OL><P>These features are set to be mostly white list operation and it is difficult to have them enabled on all PCs in the company where each department uses different applications and web sites.</P><P>Since there is not enough case information available and is difficult to configure and maintain those features, I'd like to know if there is any case for deploying to company wide.</P><P>&nbsp;</P><P>I appreciate for any information or cases.</P><P>&nbsp;</P><P>It is best to 
provide a case only for those departments with higher security needs, to be deployed in a controlled manner, and not to recommend deploying company wide; that is my conclusion, but I lack deployment cases to back up my suggestion to the customer.</P><P>&nbsp;</P><P>&nbsp;</P><P>Hiroshi</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 06 Apr 2021 01:49:13 GMT Hiroshi77 2021-04-06T01:49:13Z MRSC Security Update <P>Is this site (<A href="#" target="_blank"></A>) for checking the latest CVE for Microsoft Product along with the relevant security update?</P> Mon, 05 Apr 2021 14:19:42 GMT Jamie_1945 2021-04-05T14:19:42Z A question about IPSec, not VPN <P>&nbsp;</P><P class="x-hidden-focus">In Group Policy (Computer Configuration\Windows Settings\Security Settings\IP Security Policies on Local Computer), the configured policies are stored in the registry under</P><P>Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\.</P><P>I want to work with the "ipsecData" value in the subkey&nbsp;ipsecFilter{Guid}. The value is binary, and I already know what part of it means.</P><P>Each filter corresponds to 70 bytes of binary data; I understand the meaning of bytes 1-18 and 35-70, but I have no clue about 19-34. I searched MSDN for 2 days</P><P class="x-hidden-focus">and found no information at all! Please help, it's urgent!!!</P> Thu, 01 Apr 2021 05:15:15 GMT Chen_Boyong 2021-04-01T05:15:15Z Risk of system getting hacked through the internet or Wi-fi? <P>Dear everyone</P><P>&nbsp;</P><P>I am not a high profile person or anything like that. I just dislike the idea, that someone with bad intentions could access my personal files, documents, photos etc. (personal diary, baby pictures of my children etc.)</P><P>I am not worried about anyone getting a look at my internet traffic / man-in-the-middle attack etc. 
I am only concerned about, that someone with bad intentions being able to access my personal files.</P><P>I assume, that it is not impossible to “hack” my system and get access to my files, but “how hard” would it be for someone commited to the task?</P><P>Is the only way to access my files, if they planted malware on my system?</P><P>Or if they accessed screen share?<BR /><BR /></P><P>My questions concerns both:</P><P>If the person accessed / hacked my wi-fi / home network</P><P>Or</P><P>Only through the internet<BR /><BR />Settings:</P><P>Microsoft Windows 10 Home</P><P>Windows login password protected</P><P>Windows Defender firewall</P><P>No file or folder sharing enabled</P><P>Network discovery is turned off</P><P>File and printer sharing is turned off</P><P>AVG registers threats in real-time</P><P>All software drivers etc. fully updated</P><P>&nbsp;</P><P>Wi-fi is password protected</P><P>Network / Wi-fi profile: Private</P><P>Router security WPA2-Personal</P><P>&nbsp;</P><P>I become uneasy, when I read posts like this, which makes it sound “easy”:</P><P><A href="#" target="_blank"></A></P><P><A href="#" target="_blank">**bleep**-Dangwal</A></P><P>&nbsp;</P><P>Please let me know, if I shall add more info concerning the above.<BR /><BR />Thanks in advance for replying</P><P><BR />Best regards</P> Wed, 31 Mar 2021 22:35:18 GMT emil frederiksen 2021-03-31T22:35:18Z Watchdog. EXE was found on my computer, 3 different versions. Spyware. <P>I ran Security from Microsoft. Did not detect. Am using Malwarebytes. Won't detect. Defender Offline. won't detect. how do I find it. I saw the Icon on my taskbar. It's there.</P> Sun, 28 Mar 2021 14:39:55 GMT powerwagon7777hotmail 2021-03-28T14:39:55Z Microsoft Defender - is it even good? <P class="_1qeIAgB0cPwnLhDF9XSiJM">Hello Windows folks!</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">I have created a report &amp; review of the Microsoft Defender in 2021. 
I also tested the powerful cloud capabilities and even ran some test viruses on my machines, to see how it reacts!</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">If you're interested, check it out. It would please me :)</P><P class="_1qeIAgB0cPwnLhDF9XSiJM"><A href="#" target="_blank">Microsoft Defender: a review (</A></P><P class="_1qeIAgB0cPwnLhDF9XSiJM">[image: defender-logo.png]</P> Mon, 22 Mar 2021 12:18:32 GMT thenikk 2021-03-22T12:18:32Z Is Application Guard possible to deploy all users? <P>Since Application Guard is white list operation and has issues on performance and function limitations, I'm wondering if it is possible to deploy on all PCs for over 10,000 users?</P> Tue, 02 Mar 2021 09:02:49 GMT Hiroshi77 2021-03-02T09:02:49Z win10 <P>version :win10 1909</P><P><SPAN>&nbsp;patch&nbsp; :KB4592449&nbsp; &nbsp; KB4598229&nbsp; &nbsp;KB4601315&nbsp; &nbsp;KB5001028</SPAN></P><P><SPAN>failure:0x80010988</SPAN></P> Fri, 26 Feb 2021 09:50:53 GMT super_moo 2021-02-26T09:50:53Z Kernel DMA Protection in dell inspiron 14 5405 <P><EM><STRONG>AMD Ryzen 7 4700U</STRONG> </EM></P><P>&nbsp;</P><P><SPAN>I have upgraded the OS from home to pro to Enterprise version 20H2</SPAN></P><P><BR /><SPAN>Then I checked the Hyper-V using the <STRONG>systeminfo.exe</STRONG> command from cmd</SPAN><BR /><BR /><SPAN>The output was compatible:</SPAN><BR /><BR /><STRONG>64-bit processor with second-level address translation (SLAT) is <FONT color="#800000">enable</FONT></STRONG><BR /><BR /><STRONG>Virtual Machine Monitor Mode Extensions is <FONT color="#800000">enable</FONT></STRONG><BR /><BR /><STRONG>Virtualization Enabled In Firmware (<FONT color="#800000">These require enabling from bios</FONT>)</STRONG><BR /><BR /><STRONG>Data Execution Prevention is <FONT color="#800000">enable</FONT></STRONG><BR /><BR 
/><SPAN>I entered the <FONT color="#800000">bios</FONT> by pressing F2</SPAN><BR /><BR /><SPAN>For Hyper-V the BIOS has one line which is: <FONT color="#800000">Virtualization Technology</FONT></SPAN><BR /><BR /><SPAN>I have enabling it.</SPAN><BR /><BR /><SPAN>Now I have verified <STRONG>Hyper-V</STRONG> requires using the system info command</SPAN><BR /><BR /><SPAN>The result was <STRONG>Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed</STRONG>.</SPAN><BR /><BR /><SPAN>Meaning, Hyper-V is detected but!!!!!</SPAN></P><P>&nbsp;</P><P>I check for <STRONG>kernel dma protection</STRONG> in system information</P><P>&nbsp;</P><P>What does it require?</P><P>&nbsp;</P><P>The rule says that when you enabling Virtualization Technology on bios , kernel Dma protection is enabling&nbsp;<SPAN>Automatically.</SPAN></P><P>&nbsp;</P><P><STRONG>Why kernel dma protection is off?</STRONG></P><P><BR /><STRONG>I tried Coreinfo64.exe</STRONG></P><P><BR /><SPAN>When <STRONG>disable</STRONG> Virtualization Technology on bios</SPAN></P><P>&nbsp;</P><P><STRONG>coreinfo Output:</STRONG></P><P><BR /><STRONG>HYPERVISOR - Hypervisor is present</STRONG></P><P><STRONG>SVM * Supports AMD hardware-assisted virtualization</STRONG><BR /><STRONG>NP * Supports AMD nested page tables (SLAT)</STRONG></P><P><BR /><SPAN>- : not enable&nbsp;</SPAN><BR /><SPAN>* : SVM and slat mode is enable</SPAN></P><P>&nbsp;</P><P>Again check kernel dma protection - kernel dma protection is off !!!<BR /><BR /><SPAN>And when I enabling Virtualization Technology from the bios:</SPAN></P><P>&nbsp;</P><P><STRONG>coreinfo Output:</STRONG></P><P>&nbsp;</P><P><STRONG>HYPERVISOR * Hypervisor is present</STRONG></P><P><STRONG>SVM - Supports AMD hardware-assisted virtualization</STRONG><BR /><STRONG>NP - Supports AMD nested page tables (SLAT)</STRONG></P><P><BR /><SPAN>SVM and slat mode is disable and&nbsp;<STRONG>Virtualization&nbsp; is 
enable</STRONG></SPAN></P><P>&nbsp;</P><P>WHAT!!!!<BR /><BR /><STRONG>Therefore, I cannot use Device Guard and Credential Guard.</STRONG></P><P>&nbsp;</P><P>Why kernel dma protection is off?</P><P>&nbsp;</P><P>The reason...</P><P>&nbsp;</P><P>I have to check several things, and they are:</P><P>&nbsp;</P><P>Secure boot <STRONG>enabled</STRONG></P><P>TPM v2.0</P><P>Ensure boot is configured to use (UEFI)</P><P>&nbsp;</P><P>OK All steps are available</P><P>&nbsp;</P><P>There are requirements to look out for and they are :</P><P>&nbsp;</P><P>IOMMU i/o Memory Management Unit</P><P>Enabling Secure Virtual Machine Mode (Svm)</P><P>Or I looked for something called AMD-V</P><P>&nbsp;</P><P>All of these steps require checking bios settings</P><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>In the bios configured insydeh20 on this device, these settings do not exist</SPAN></SPAN></SPAN></P><P>&nbsp;</P><P><STRONG>Why I'm enabling Virtualization Technology from the bios</STRONG></P><P>&nbsp;</P><P>(Svm) <STRONG>disable</STRONG></P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>(SLAT) is <STRONG>disable</STRONG></SPAN></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN><STRONG>And when I disable Virtualization Technology from the bios </STRONG></SPAN></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN><STRONG>Svm and slat is enable</STRONG></SPAN></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>Is there an overlap (Virtual enable on exe windows) or what</SPAN></SPAN></SPAN></P><P>&nbsp;</P><P><SPAN class="VIiyi"><SPAN class="JLqJ4b ChMk0b"><SPAN>I need to use&nbsp;<STRONG>Device Guard and Credential Guard</STRONG></SPAN></SPAN></SPAN></P> Thu, 25 Feb 2021 00:15:06 GMT Mehdi_Sellami 2021-02-25T00:15:06Z WDAC deployment guidance and questions. 
<P>Hi</P><P>I am currently working with a client who currently uses AppLocker and will soon be mandated to use WDAC. I am currently setting it up in audit mode in the short term however I will be configuring it with the intention of enabling. I am looking for some deployment of WDAC assistance.</P><P>&nbsp;</P><P>A few questions I had were:<BR /><BR />Does WDAC use 'allow' and 'deny' rules or is it just a whitelist or blacklist control?</P><P>AppLocker has rules based on multiple conditions (path, publisher, hash etc), how would these transfer to WDAC?</P><P>When merging WDAC policies, is there an order of precedence or are they just grouped together (in block /allow)?</P><P>&nbsp;</P><P>Can AppLocker and WDAC co-exist on the same machine at the same time?</P><P>If so, can AppLocker allow something WDAC doesn't? Or can AppLocker only block what WDAC has allowed?</P><P>Some of the scenarios the client does with AppLocker</P><P>Using certain IT tools are only allowed for an IT AD group.</P><P>C:\Program Files\* is allowed, with expectations for applications that require users to have modify rights on the directory.</P><P>C:\Windows\* is allowed, with expectations for dir/applications that we don’t want to run by a std user. (exclusion example C:\windows\temp)</P><P>App1.exe is hashed and allowed for all users.</P><P>App2.exe is signed and allowed for all users.</P> Tue, 23 Feb 2021 14:48:28 GMT isotonic_uk 2021-02-23T14:48:28Z How can I test my Windows 10 PC for a virus? 
<P>How can I test my Windows 10 PC for a virus?</P> Mon, 22 Feb 2021 20:05:12 GMT ronlill1yahoocom 2021-02-22T20:05:12Z 3rd party Whitelisting Application Control and Windows OS Upgrades from SCCM <P>Hello everyone!</P><P>&nbsp;</P><P>I am being as ambiguous as possible because I do not want to identify the vendor or customer.</P><P>&nbsp;</P><P>I am an admin for a 3rd party Application Control software with a client with a concern:</P><P>OS: Windows 10 1909, upgrading to 20H2</P><P>&nbsp;</P><P>Some context: Automating Windows Upgrades. I use 3rd party software to manage the same software. Windows Updates work fine, as only a few execution control rules need to be created. Major OS Upgrades (1909 to 20H2, in this case) are largely blocked, which is by design since the Windows directory itself is protected.</P><P>&nbsp;</P><P>The customer has a strict governance on the software allowed/whitelisted. While my software has a specific mode that is designed for this type of upgrade, which by nature allows changes to be made to the system. Leaving the system in this mode longer than is required for the OS Upgrade is a security hole we need to avoid. We do this the Application to change to this mode in order to make the required changes to the OS.</P><P>&nbsp;</P><P>Currently, SCCM creates a custom variable that my software scans for, and then executes the change on the system(s), then creates another variable when the upgrade is complete to lock the system down again. I do not want to depend on SCCM for my deployments. I'm trying to remove an extra point of failure.</P><P>&nbsp;</P><P>All that leads to this ask: Is there any flag, change, or otherwise modification that occurs, with respect to Windows, before the upgrade? I'm effectively looking for something that I can detect or scan for reliably to automate changing modes from my own automation. 
Thank y'all for your time!</P> Fri, 19 Feb 2021 22:04:58 GMT Distantgeek 2021-02-19T22:04:58Z Difference between KB and MS <P>Hi,</P><P>&nbsp;</P><P>I have to update a server with a list of updates and patches different MS&nbsp;Vulnerability and KB numbers. I can download the KBs from the catalogue but I need to know what is a difference between a MS Vulnerability and KB is? Or is MS Vulnerability it cover by KB?&nbsp;</P><P>Thank you.</P> Thu, 11 Feb 2021 01:48:08 GMT kabby 2021-02-11T01:48:08Z WDAG Not Starting In MS Office <P>Our test lab is a local Active Directory domain hosted on Server 2019 domain controllers managing Windows 10 Pro workstations, all running either Windows 10 1909 or 20H2. Since these are not Enterprise workstations, I've installed Windows Application Guard on a 20H2 workstation according to the instructions at <A href="#" target="_blank"></A> in Standalone Mode and configured the appropriate group policies, including enabling "Allow files to download and save to the host operating system from Windows Defender Application Guard".</P><P>&nbsp;</P><P>WDAG appears to work in Edge (Chrome) when manually activated. However, downloaded Word documents that I open in Word 2016 are still opened in Protected View and not by WDAG. Thinking that this might be because these are not Enterprise but Pro machines, I configured the same WDAG group policy settings in the local policy and restarted the machine. It didn't work. WDAG does not open downloaded documents in MS Word.</P><P>&nbsp;</P><P>Does WDAG for Office work only on Enterprise machines and not on Pro? Is there some trick that I'm missing? I'll be grateful for any information.</P> Mon, 01 Feb 2021 02:06:23 GMT RTEsysadmin 2021-02-01T02:06:23Z Domain joined BitLocker recovery ID not updating in AD but is in MECM <P>Hi fellow professionals.</P><P>&nbsp;</P><P>I have a question regarding BitLocker key recovery in AD. 
On-premises AD is based on 2008 R2, MECM environment is 1910 and Windows 10 is on 1909.&nbsp;</P><P>&nbsp;</P><P>I am working with a client who is seeing inconsistent recovery keys being updated into AD and seems to be intermittent. Devices can be either on the corporate network or using a VPN. What they are finding is if they need to recover the key it won't always update the value in AD.&nbsp;</P><P>&nbsp;</P><P>The devices are also managed by ConfigMgr (MECM) and also recovery can be performed by Microsoft BitLocker Administration and Monitoring. If the recovery is performed here it successfully writes the drive recovery key into the MECM database.</P><P>&nbsp;</P><P>During the OSD built there is a MECM task sequence to enable BitLocker and enable the key recovery into AD. This first key after OSD build seems to always appear in AD, its the subsequent ones where it changes.&nbsp;</P><P>&nbsp;</P><P>My understanding is once you setup MECM Bitlocker and following post build of Windows 10 and the ConfigMgr client is installed, receiving MECM policies the MECM Bitlocker feature then takes over.&nbsp;</P><P>&nbsp;</P><P>I am just puzzled why the recovery key writes successfully for some devices and not others. I thought it maybe because they client doesn't have a CMG and it is unable to write the keys to AD over VPN however it appear to occur for corporate devices as well.</P><P>&nbsp;</P><P>If anyone could clarify this it would be greatly appreciated.</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Fri, 29 Jan 2021 15:52:36 GMT isotonic_uk 2021-01-29T15:52:36Z encountering errors in creating a new CI policy <P>Hi all,</P><P>&nbsp;</P><P>currently trying to learn how to implement WDAC on a windows 10 machine. I've run the following command to create a code integrity policy and get a number of errors. I am running this as administrator through PowerShell. 
Any thoughts on where I'm going wrong?&nbsp;</P><P>&nbsp;</P><P><EM>New-CIPolicy -Level PCACertificate -UserPEs -FilePath C:\Windows\System32\CodeIntegrity\Initial.xml</EM></P><P>[image: viperv536_0-1611833157204.png]</P><P>&nbsp;</P><P>Thanks in advance!</P><P>&nbsp;</P> Thu, 28 Jan 2021 11:26:17 GMT viperv536 2021-01-28T11:26:17Z Telemetry domain to white list <P>Hello, actually I use an adblocker (like many).</P><P>But I also use AdGuard Home (DNS adblocker like pihole).</P><P>And in the list of ads and trackers many add telemetry of Windows 10, but I know that some of these telemetry links are for security purposes (like MAPS) for instance.</P><P>&nbsp;</P><P>So I just want to ask if someone knows what websites I have to whitelist to be sure not to break my security because of this network level filter.</P><P>&nbsp;</P><P>For those who will tell me it's not useful to filter DNS, don't forget it's the easy way to block ads on mobile (iPhone) or Android without impacting battery life (since I don't have to install a third party app which does VPN to filter ads), or worse, root Android or jailbreak iOS, which literally destroys the security.</P> Sun, 17 Jan 2021 18:32:01 GMT Wittycat 2021-01-17T18:32:01Z Does Microsoft Care about Windows Update <P>Hello,</P><P>&nbsp;</P><P>While MS is doing all the way to secure the computers with Windows Updates and Feature Updates, I recently noticed that in my org many users started using a 3rd Party utility (StopUpdates10)&nbsp;to Block Windows updates. This utility does the hard block of windows update and never allows to turn on Windows updates.</P><P>This makes my environment very vulnerable. 
The Free utility is portable and user can run with out UAC restrictions as well.</P><P>&nbsp;</P><P>I want Microsoft to take some action on that, and this Utility must be deleted automatically by Defender. At any cost, windows update services must not be turned off using any means of Registry or any other 3rd party and Microsoft must look into this.</P> Fri, 15 Jan 2021 11:25:10 GMT venka91 2021-01-15T11:25:10Z Is Microsoft going to actually remove built-in Flash? <P>So i have installed January Windows 10 1909 patches on my machine and today Qualys is still complaining i have Obsolete software (like thousands of other machines on the network). It points to ocx files. On KB page of this month's cumulative patch they say "Flash content will be blocked from running". So it seems they are not actually removing it. I wonder if they are going to remove it later or just leave it as is. I have went through a cycle "click this link to have more info" and nowhere they say something concrete and eventually lead you to Adobe's page, which is not relevant for built-in Flash player. We can of course remove this file with our management software, but i would rather leave this for Microsoft to do. Decided to ask around if anyone has seen some post/article or anything about that. Asked in our Teams channel with Microsoft, but have not much hopes to get answer from them. They usually consult about licenses.</P> Thu, 14 Jan 2021 19:23:18 GMT Oleg K 2021-01-14T19:23:18Z kb4592438 GPO - what does it do? <P>Hi all,</P><P>&nbsp;</P><P>at the bottom of this KB article <A href="#" target="_blank" rel="noopener"></A> is a link to a group policy.</P><P>&nbsp;</P><P>I've installed the policy but the policy has no details about what it does. 
It displays the details below so what does this GPO actually do to "fix" the potential chkdsk issue?</P><P>&nbsp;</P><P>The reason I'm asking is that I would like to push this out to my machines but I'll never get this past the change committee without knowing what the GPO actually does. The wording is rather poor in that regard.</P><P>&nbsp;</P><P class="">thanks.</P><P class="">&nbsp;</P><P class="">[image: two.PNG]</P> Mon, 11 Jan 2021 21:02:42 GMT Gary Williams 2021-01-11T21:02:42Z Harma ransomware Hi.<BR />I have Windows server installed on my IBM Server.<BR /><BR />The server was hit by Harma Ransomware 5 days back and all files on the servers got encrypted.<BR /><BR />I am looking for help to decrypt my files.<BR /><BR />I have been notified to pay ransom to the hacker but I don't want to contact the hackers.<BR />Need help from Microsoft if Possible.<BR /><BR /> Sat, 02 Jan 2021 12:39:00 GMT Tarun265 2021-01-02T12:39:00Z Windows Defender Firewall - Deny Windows Apps rules creation <P>How can I disable Windows apps automatic Defender firewall rule creation?</P><P>&nbsp;</P><P>I have configured&nbsp;<EM>local firewall rules</EM> and <EM>connection security rules</EM>&nbsp;Settings in the WDFASecurity panel.</P><P>[image: Mafecteau_1-1608314565570.png]</P><P>&nbsp;</P><P>I ran PowerShell commands to remove all outbound rules</P><P>$FirewallOutRules = Get-NetFirewallRule | Where-Object {$_.Direction -EQ "Outbound"}<BR />Remove-NetFirewallRule $FirewallOutRules.Name</P><DIV class="mceNonEditable 
lia-copypaste-placeholder">&nbsp;</DIV><P>After an App like <EM>Mixed reality portal, Windows map&nbsp;</EM>is updated, a&nbsp;rule is automatically created.</P><P>[image: Mafecteau_0-1608314405944.png]</P><P>&nbsp;</P><P>How can I stop this behavior?</P><P>&nbsp;</P> Fri, 18 Dec 2020 18:44:36 GMT Mafecteau 2020-12-18T18:44:36Z Risks stemming from the Russian hacks <P>I have some Windows 10 (and possibly Office 2019) updates pending.</P><P>&nbsp;</P><P>With news of successful exploits by the Russian hacking teams, can you assure me that those updates are free of viruses and other malware?</P><P>&nbsp;</P><P>Aside from that, do you have other guidance you can provide?</P><P>&nbsp;</P><P>I suspect other members/users may be concerned, as well.</P><P>&nbsp;</P><P>Thanks,</P><P>Steve</P><P>&nbsp;</P> Fri, 18 Dec 2020 18:38:23 GMT EastendSteve 2020-12-18T18:38:23Z user can't access his Microsoft account and his computer. Crashed during login after reset. Critical <P>An 82 year old user had a crash or power outage while putting his password in after system reset.</P><P>Now Microsoft won't recognize his password and the phone issue doesn't allow him to get a text message for resetting his password. We tried to use my email to reset with the code but after putting in his information sans recent email titles it said the reset had exceeded the number of tries. He could not remember any email titles or content because it has been several weeks and he had not sent an email for several months.</P><P>He uses his computer to pay bills. It's going on the 4th week. 
He is desperate.</P><P>I need a way to recover or a work around.</P> Wed, 16 Dec 2020 10:01:14 GMT RockUT 2020-12-16T10:01:14Z Manage Firewall on Laptops remotely and logs <P>We have a very high number of employees working from home now and we used to have better visibility into protecting them when in the office with our on premise firewall but now all are at home.</P><P>&nbsp;</P><P>We also used to be able to control the firewall settings with GPOs while on our LAN</P><P>&nbsp;</P><P>How can we manage all our remote laptop Win10 firewall settings and yet gain some monitoring of firewall logs from those remote laptops? We ask as we used to use our central on premise firewall but again everyone is at home so no insights.</P><P>Consider VPN is an option but not always on and a headache.</P><P>&nbsp;</P><P>Any tools out there or better way?</P> Mon, 14 Dec 2020 00:40:16 GMT scrappy67 2020-12-14T00:40:16Z Win10 Windows Defender wrongly blocking .exe as trojan <P>Hello,</P><P>&nbsp;</P><P>We created a .exe which is downloaded from a web site and even if it is well signed Windows Defender is blocking it as a virus / trojan. This .exe is just a new version of a software which has lived on our web site for several years.&nbsp;</P><P>&nbsp;</P><P>How can I contact MS support to check that it is not a threat and&nbsp; whitelist it?</P><P>Thanks!</P> Thu, 26 Nov 2020 17:36:50 GMT torresc12 2020-11-26T17:36:50Z BitLocker data protection-Local Disk (C:) BitLocker OFF <P>Hello, Good afternoon!</P><P>&nbsp;</P><P>I am Vincent Yeo, staying in Malaysia, while my daughter studies at University in Singapore; she is using the Desktop-3PLA4K1 [Windows 10]. On the 16 October, 2020, she discovered that her PC BitLocker data Protection on Local Disk (C:) is turned off [BitLocker Off]; her PC was locked and she cannot start her work on this PC. 
Later, she emailed Microsoft technical support for help and followed the instructions to try to turn "BitLocker On" but it is still not working [I had checked her device on the Microsoft account, the BitLocker is still turned Off]. The case has been pending for more than 2 weeks. My daughter depends on this PC to do her assignments because all the important data is kept on this PC.&nbsp;</P><P>&nbsp;</P><P>Kindly assist my daughter to solve this BitLocker issue instantly; her email address registered with Microsoft is <A href="" target="_blank"></A>.</P><P>&nbsp;</P><P>Your prompt attention and action to this matter is highly appreciated.</P><P>&nbsp;</P><P>Thanks again for your helping hand.</P><P>&nbsp;</P><P>With Best Regards,</P><P>&nbsp;</P><P>Vincent Yeo</P><P>&nbsp;</P> Sun, 01 Nov 2020 04:20:34 GMT ycsobimgmailcom113 2020-11-01T04:20:34Z Microsoft Defender Smartscreen false positive detection <P>Hello everybody,</P><P>&nbsp;</P><P>we are a software house. Our newest version is detected as risky by Defender SmartScreen.</P><P>&nbsp;</P><P>How can I report a false positive case to Microsoft? I have to upload a file whose size is over 500 MB. So this page:&nbsp;<A href="#" target="_blank"></A>&nbsp;is not my solution.</P><P>&nbsp;</P><P>Thank you:)</P> Wed, 28 Oct 2020 10:17:15 GMT jonasbreitenbach 2020-10-28T10:17:15Z Archiving software needs to be added to the default exclusion list for the Defender's AV scan. <P>Bandizip, the archiving software from Bandisoft, has an issue that its processing speed is very low when decompressing an archive in which multiple files of small sizes are stored. Windows Defender performs an AV scan for every file which has been newly created as a result of the decompression by Bandizip, and therefore a significant delay occurs during the decompression. As evidence, 7-Zip and other archivers do not have such an issue, and adding Bandizip to the exclusion list for the Defender's AV scan also removes this issue. 
It is required for Microsoft to add Bandizip ("Bandizip.exe" and "bz.exe") to the default exclusion list for the Defender's AV scan since the archiver is widely and commonly used in Korea and the rest of the world.</P><P>&nbsp;</P><P>Bandizip's official website: <A href="#" target="_blank"></A></P> Mon, 26 Oct 2020 06:35:12 GMT seyo5370 2020-10-26T06:35:12Z Windows Defender Application Control deployment <P>Has anyone embarked on deploying WDAC?</P><P>&nbsp;</P><P>Unfortunately, due to the nature of our estate, rather than trying to build a single device will "all" the apps on it, we've deployed audit mode to all our devices.<BR /><BR />Using Windows Defender Security Center and advanced hunting -</P><DIV><DIV>&nbsp;</DIV><DIV><SPAN>DeviceEvents</SPAN></DIV><DIV><SPAN>| where Timestamp &gt; ago(7d) and</SPAN></DIV><DIV><SPAN>ActionType startswith "AppControl"<BR /><BR /><BR /></SPAN></DIV><DIV><SPAN>We're hoping to be able to convert the output of advanced hunting into the WDAC xml policies.</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>Has anyone taken this approach?</SPAN></DIV></DIV> Thu, 22 Oct 2020 09:11:31 GMT Nitecon 2020-10-22T09:11:31Z Windows 10 Update GPO Confusion <P>I am configuring a new Windows 10 update scheme using Group Policy.</P><P>I won't post all of the details about how I have it configured, but I am running into a conflict in the descriptions of two GPO settings:</P><P>&nbsp;</P><P>No auto-restart with logged on users for scheduled automatic update installations - Disabled.</P><P>Always automatically restart at the scheduled time - Enabled - 180 Minutes.</P><P>&nbsp;</P><P>The 'No auto-restart' GPO description suggests that when a Windows Update is installed (scheduled for 4PM, daily), the user will be given 5 minutes' warning and then will be forced to reboot.</P><P>&nbsp;</P><P>However, I configured the 'Always automatically restart' GPO for 180 minutes.</P><P>&nbsp;</P><P>Which is it?&nbsp; Will the computer reboot in 5 minutes, or 180 
minutes?&nbsp; They seem to conflict to me.&nbsp; I don't want the user booted after 5 minutes.&nbsp; But I can't seem to figure out the resulting action with these two GPOs set.&nbsp; I performed a lot of research.</P><P>&nbsp;</P><P>Thanks for your help, Phil.</P><P>&nbsp;</P> Thu, 08 Oct 2020 16:45:59 GMT PhilM1435 2020-10-08T16:45:59Z Windows Defender Application Guard - opening files <P>How do I configure Windows Defender Application Guard in order to open Microsoft Office files?&nbsp;</P><P>&nbsp;</P><P>The only way I have found so far is to enable the policy 'Allow files to download and save to the host operating system from Windows Defender Application Guard'.</P><P>&nbsp;</P><P><SPAN>Is there a way to open MS Office files within the WDAG session without saving them to the host operating system?</SPAN></P><P>&nbsp;</P><P><SPAN>Many thanks</SPAN></P><P><SPAN>Simon</SPAN></P> Thu, 08 Oct 2020 13:37:52 GMT Simon Smith 2020-10-08T13:37:52Z Microsoft outlook and administrator <P>My outlook keeps asking me for a password. I have tried every password I have used and none are correct. I contacted Microsoft and apparently, they need to change something so that I can become the administrator. 
Otherwise, I can't change the password. Well, now, I can't get in touch with Microsoft and don't know where my old IT guy is that set it up.</P><P>&nbsp;</P><P>How do I become administrator so that I can change my password?</P><P>&nbsp;</P><P>Thanks</P> Tue, 29 Sep 2020 19:53:24 GMT RhondaJ52 2020-09-29T19:53:24Z Clarifying how clearing pagefile on shutdown works <P>Via group policy or via registry, the page file can be set to be cleared on shutdown.</P><OL><LI>Navigate to <STRONG>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management</STRONG></LI><LI>Select <STRONG>ClearPageFileAtShutdown</STRONG> from the list on the right.</LI><LI>Right-click on it and select <STRONG>Modify</STRONG>.</LI><LI>Change the value to <STRONG>1</STRONG> to enable.</LI></OL><P>However, I have not yet been able to really figure out how this will work when the pagefile resides on an SSD.</P><P>&nbsp;</P><P>On a normal HDD there is no lack of understanding: the pagefile gets overwritten during shutdown. However, we know overwriting or wiping on an SSD does not really work as there is no control over how data is distributed on storage cells. So I am wondering how this feature is implemented so that the pagefile in fact gets overwritten / cleared. I have not found anything on the web that specifically addresses this feature in regard to an SSD, so if someone with more insight into this could please enlighten me.</P><P>&nbsp;</P><P>If some Microsoft tech is going to answer this, I have an additional question related to the previous one: the pagefile has the feature to be encrypted. Now when clearing the pagefile on shutdown, why is it even necessary to overwrite the pagefile? 
Wouldn't it be way smarter and faster if, on shutdown, the encryption key for the pagefile encryption gets destroyed?</P><P>The only reason I can think of why it is not handled that way is that it is the same key that is used for EFS encryption on the system. So an implementation that created a one-time encryption key only for the page file, which can be safely destroyed on shutdown, would bring an incredible performance boost for the shutdown process as overwriting would no longer be required to turn the pagefile into pure garbage.</P> Tue, 29 Sep 2020 05:11:57 GMT ahandson 2020-09-29T05:11:57Z Windows 10 WIP rules and Chromium Edge cannot access SharePoint Online ERR_BLOCKED_BY_ADMINISTRATOR <P>Hi all,</P><P>&nbsp;</P><P>A few weeks ago SharePoint Online access via the Edge (Chromium) browser stopped working from our AAD joined + Intune Windows 10 (2004) computers.</P><P>&nbsp;</P><P>Error from Edge:</P><P>&nbsp;</P><P class="lia-indent-padding-left-30px"><STRONG>You don’t have access to this content</STRONG></P><P class="lia-indent-padding-left-30px">Try accessing the site again using a profile connected to your work or school account. Learn more. If the problem continues, contact your administrator.</P><P class="lia-indent-padding-left-30px">ERR_BLOCKED_BY_ADMINISTRATOR</P><P>&nbsp;</P><P>I suspect the issue has something to do with the Windows Information Protection (WIP) policy because of the error message and since IE still works.</P><P>&nbsp;</P><P>There is no briefcase in the Edge address bar.</P><P>&nbsp;</P><P>Intune App Protection has a Windows Information Protection (WIP) policy. The policy has both WIPMode Allow and Exempt policy XML files added. It has worked for a few months up to a couple of weeks ago. 
We have not touched any policy.</P><P>&nbsp;</P><P>MsEdge - WIPMode-Allow - Enterprise AppLocker Policy File.xml</P><P>MsEdge - WIPMode-Exempt - Enterprise AppLocker Policy File.xml</P><P>&nbsp;</P><P>Also, the WIP policy does have a Network Boundary for SharePoint</P><P>[image: Edit network boundary.png]</P><P>&nbsp;</P><P>Any suggestions?</P><P>&nbsp;</P><P>Thanks!</P> Wed, 16 Sep 2020 14:50:25 GMT Björn Lagerwall 2020-09-16T14:50:25Z WDAG - all sites open in Application Guard window <P>I have configured WDAG (via Intune) and have set up a configuration policy with Network Boundaries where I have mentioned my network domains (with proper wildcards, ex. |), cloud resources, neutral resources. I have a Surface Pro and when I applied the policy, all the websites are now opening in WDAG including the sites I have defined. The configuration policy shows it's applied successfully for the device so I am not sure what is going on.</P><P>I have created an App Protection Policy too and defined <STRONG>/*AppCompat*/</STRONG> for cloud resources and still no difference.</P><P>&nbsp;</P> Tue, 08 Sep 2020 14:57:55 GMT mkaif22 2020-09-08T14:57:55Z Request for feedback [BitLocker on Removable Drives] <P>Hello community!</P> <P>&nbsp;</P> <DIV>Microsoft recognizes the importance of encryption of removable drives and is working on improving existing BitLocker technology in this area. This would include automatic encryption of removable storage, exemption of specific drives and storing the recovery password for such drives in the cloud. 
We are looking for feedback from the customers that are interested in this functionality to better understand their needs.</DIV> <DIV>&nbsp;</DIV> <DIV>Please fill out the survey below; the survey is anonymous and will help us build this feature for you.</DIV> <DIV>&nbsp;</DIV> <DIV><A href="#" target="_blank"></A></DIV> <DIV>&nbsp;</DIV> <DIV>[image: Untitled.png]</DIV> <P>Best Regards</P> <P>Rafal Sosnowski</P> <P>Program Manager</P> <P>Windows Core Data Protection Team</P> <P>&nbsp;</P> Wed, 02 Sep 2020 21:01:52 GMT Rafal_Sosnowski 2020-09-02T21:01:52Z Microsoft Defender ATP not receiving link <P>Hi Forum/Microsoft.<BR />I have signed up for testing Microsoft Defender ATP and should receive an email within 7 work days.</P><P>&nbsp;</P><P>Now I have tried twice but am not receiving any mails regarding this program. Our hosting company should use this, but since I cannot get the access I'm stuck here.</P><P>&nbsp;</P><P>Please advise</P><P>&nbsp;</P><P>P</P> Thu, 20 Aug 2020 06:41:19 GMT Pbj_Insatech 2020-08-20T06:41:19Z Windows user profile switch to Application Guard <P>Recently some of our endpoints (Windows 10, hybrid Azure AD joined devices), after logging in to the user profile, after a few minutes switch to Application Guard mode. 
The Explorer sidebar shows "Application Guard" instead of "This PC" and the C drive shows the folders as shown below</P><P>[image: fmn4li1y.bmp]</P><P>&nbsp;</P><P>I can't do anything else, and the quick fix is to log in as local admin and then from Control Panel disable Windows Defender Application Guard, but I'm not sure what's causing it, to stop it from happening.</P><P>&nbsp;</P> Fri, 14 Aug 2020 08:32:55 GMT Ambarish RH 2020-08-14T08:32:55Z Prohibit standard users from adding exclusions to Windows Defender (Windows Security) <P>Hello there,</P><P>&nbsp;</P><P><STRONG>How can I prohibit standard users from adding exclusions in Windows Defender?</STRONG></P><P>I would like to only control the Defender exclusions from a central point, and the standard users should not be able to add exclusions themselves.</P><P>&nbsp;</P><P>I've searched through GPOs and settings in Intune but can't seem to find the correct setting. Does anyone know if this is possible? 
If it is, where is the setting then?</P><P>&nbsp;</P><P>Windows 10 Enterprise, 1903 and 2004.</P><P>Devices are Hybrid Azure AD Joined</P><P>&nbsp;</P><P>[image: 102833666_10157841084478025_2775693378921168896_n.jpg]</P> Fri, 14 Aug 2020 05:35:10 GMT Simon Håkansson 2020-08-14T05:35:10Z ASR Rules block launching Teams meetings from Outlook <P>After deploying the security baselines which enable the ASR rule 'Block Office communication application from creating child processes' (26190899-1602-49E8-8B27-EB1D0A1CE869), users are no longer able to launch Teams meetings from a calendar entry in Outlook.</P><P>&nbsp;</P><P>The following is logged:</P><LI-CODE lang="text">Microsoft Defender Exploit Guard has blocked an operation that is not allowed by your IT administrator.
For more information please contact your IT administrator.
ID: 26190899-1602-49E8-8B27-EB1D0A1CE869
Detection time: 2020-08-11T07:03:51.689Z
User: CACT\user
Path: C:\ProgramData\user\Microsoft\Teams\current\Teams.exe
Process Name: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Security intelligence Version: 1.321.1142.0
Engine Version: 1.1.17300.4
Product Version: 4.18.2007.8</LI-CODE><P>&nbsp;</P><P>Is it possible to create an exception only for the Teams client to launch, as it is installed on a per-user basis?</P> Tue, 11 Aug 2020 08:49:46 GMT Tom13984 2020-08-11T08:49:46Z Application Control - LOB Application Exclusions <P>Hi,</P><P>&nbsp;</P><P>Consider I've tested Application Control in either audit or enforce mode (setting from Endpoint Manager/Endpoint Protection/AC). 
Everything seems to work fine except a few LOB applications.</P><P>&nbsp;</P><P>Questions:</P><P>How do I exclude these LOB applications from Application Control?</P><P>I think I've read that you need to combine Application Control with AppLocker for exclusions; is that true? If that's the case, where can I find documentation on how to set up exclusions?</P><P>If that's true, do the exclusions need to be managed by GPO or can they be managed via MDM only? (AAD Join only)</P><P>&nbsp;</P><P>[image: Simon Håkansson_0-1596787272574.png]</P> Fri, 07 Aug 2020 08:06:15 GMT Simon Håkansson 2020-08-07T08:06:15Z Why is MsMpEng.exe still scanning excluded directories <P>The MsMpEng.exe process is very active in our environment.</P><P>Checking with Process Monitor filtered on MsMpEng.exe I can see it is very busy scanning my ISO directory, but I have excluded that directory in real-time scanning in Defender long ago.</P><P>&nbsp;</P><P>Why is it still scanning that directory, and I see many others I excluded it is also scanning?</P><P>&nbsp;</P><P>Will Azure Intune rules overwrite local configurations? If so, wouldn't it gray them out? 
I am able to set exclusions.</P><P>&nbsp;</P> Fri, 07 Aug 2020 07:42:24 GMT Arris Aarssen 2020-08-07T07:42:24Z Smart security Hello<BR />I am a developer. I know a smart way to make smart computer systems antivirus; we don't need humans. Now the computers have an immunity, smart immunity we can depend on, an easy way and effective way, a new innovation in computers. I am a developer, I know a smart way to make smart computer systems antivirus world Thu, 06 Aug 2020 21:54:57 GMT Abrahemyosef 2020-08-06T21:54:57Z Set up and configure BitLocker network unlock remotely <P>Hi Fellow members</P><P>&nbsp;</P><P>This is a question for anyone who has set up and configured the BitLocker network unlock feature. I have been asked to set this up in my enterprise; however, with COVID-19 I am working remotely.</P><P>&nbsp;</P><P>For anyone who has done this already, is it possible to do all the configuration and testing of this remotely or will I need to be in the office? I am thinking that whilst the server configuration I could do remotely, my question would be how would I test it?</P><P>&nbsp;</P><P>So I will be following this article: <A href="#" target="_blank">…properly configured Active Directory Services Certification… More</A></P><P>&nbsp;</P><P>Any thoughts on this would be most appreciated.</P><P><BR />Thanks</P><P>&nbsp;</P> Thu, 30 Jul 2020 19:12:40 GMT Ranjeet Singh Bassi 2020-07-30T19:12:40Z Run a Windows Defender scan in Windows 10 using POWERSHELL <P class="">Folks,</P><P>&nbsp;</P><P class="x-hidden-focus">Windows 10 by default doesn't have periodic scanning enabled; to enable that I have to toggle the switch, then I am able to scan.</P><P class="x-hidden-focus">&nbsp;</P><P class="">I am looking for a PowerShell command that can flip this on and another command to get scan results once the scan is finished.</P><P class="">&nbsp;</P><P class="">[image: win defender scan.png]</P> Wed, 29 Jul 2020 17:30:22 GMT Kes2020 2020-07-29T17:30:22Z Microsoft Account Troubleshooter: not updated since Oct. 2013 <P>Hi! I downloaded today (2020-07-14) the tool ( <A href="#" target="_blank" rel="noopener"><STRONG><U>microsoftaccounts.diagcab</U></STRONG></A> ) and <STRONG>opened it with 7-zip</STRONG>. The files there are from <STRONG>Oct. 2013</STRONG>. It means that the <STRONG>tool might not know about changes to account authentication</STRONG>. Therefore, <STRONG>it may report wrong conclusions/detections</STRONG>.</P><P>&nbsp;</P><P>I may be wrong but it seems to me that the tool needs some updating.</P><P>&nbsp;</P><P>[image: MSA1.png]</P><P>&nbsp;</P><P>[image: MSA2.png]</P><P>&nbsp;</P> Thu, 16 Jul 2020 14:46:31 GMT sandro 2020-07-16T14:46:31Z A bug in basic NTFS permissions? 
<P>Hi all, I feel I'm missing something very basic here.</P><P>I have a new Win 10 Pro machine, build 1909. Created a folder on C:, named DATA. Under DATA, I have a subfolder called SHARED. I've set SHARED to disable inheritance. Then via the Advanced permissions screen, removed Authenticated Users and Users, leaving only System and Administrators as Full Control for "this folder and all sub items". So, all default stuff so far.</P><P>I noticed the ownership was set to my actual logged-in user, which is in the Administrators group. I changed the ownership to the Administrators group instead of just me.</P><P>Clicked all the OKs and whatnot.</P><P>Now, every time I go into the Security tab for SHARED, I'm told I don't have Read permissions. Click the Advanced button in the Security tab, and that screen tells me it can't show the owner info, and that I need Read permissions.</P><P>If I click the Change link next to the ownership line, or click the Continue button to grant myself Read permissions, all permissions/user stuff shows fine.</P><P>&nbsp;</P><P>I'm familiar with the idea that to access certain resources on a system where permissions aren't elevated by default you have to basically click a Continue button, like one admin user accessing the Users profile folder of another user on the system, but I don't recall this hassle in the permissions screens.</P><P>&nbsp;</P><P>What left me wondering if there's a bug is that when first going into Advanced via the Security tab and seeing the "unable to display owner" line, if I click Change, then just ESC the screen away, it shows me everything after that.</P><P>&nbsp;</P><P>In terms of "real world" access, it turns out that if I try to actually browse/double-click to get into the folder called SHARED, I'm met with that prompt about not having permissions and having to click Continue to get 
in.</P><P>&nbsp;</P><P>Am I missing something with how the Administrators group functions in Win 10? I'm trying to set this machine up as a basic file share server for a small business, so I have a half dozen user accounts created - can't have all the shares prompting users constantly with these stupid permissions screens.</P><P>&nbsp;</P><P>Edited to add: I intend to have further sets of subfolders up to 5 levels down, most or all with explicit permissions and very little if any inheritance happening.</P> Tue, 14 Jul 2020 18:06:32 GMT ViProCon 2020-07-14T18:06:32Z Limit Windows Defender CPU Usage <P>I have the problem that our clients use too much CPU during a full scan. Actually, the usage is limited to 20%, but the setting seems to have no effect. Whether I set it via Configuration Manager or GPO, the result is the same.</P><P>&nbsp;</P><P>Does anyone have a similar problem or even better... a solution?</P><P>&nbsp;</P><P>[image: HighCPU.PNG]</P> Thu, 09 Jul 2020 09:46:31 GMT philippwree 2020-07-09T09:46:31Z BitLocker backup to cloud domain error id 846 access denied <P>Hi everyone,</P><P>Weird story: We have close to 100 workgroup laptops which are managed in SCCM (ICBM). We want to move them to Intune only without CMG. They all have BitLocker enabled on them. Here is what we do:</P><OL><LI>Uninstall SCCM client</LI><LI>Change OS from Education to Pro</LI><LI>Join to Azure with the laptop owner's user account</LI><LI>Back up the BitLocker recovery key to the cloud</LI><LI>Set user as standard user.</LI></OL><P>Most of these laptops are 1803 and we want them to be upgraded via Intune. After 15 successful laptops, a laptop was unable to back up to the domain cloud. 
Checking with Google I found out that an event log folder named BitLocker-API contains all the information about the BitLocker encryption process. I found error 846 detailing "Access Denied". My Google search found nothing so far.</P><P>I decided to manually upgrade to 1909 and got the same result in my BitLocker. I then attempted to disconnect from Azure, delete the computer from both Intune and Azure and rejoin to Azure. This time I got both the "Can't backup to domain cloud" and "Your Active Directory domain schema isn't configure" ???</P><P>I am at a loss, I can't reset the computer because of the coronavirus.</P><P>Any help would be appreciated</P><P>Rahamim.</P><P>&nbsp;</P> Thu, 25 Jun 2020 09:50:38 GMT RahamimL 2020-06-25T09:50:38Z RDP over UDP - is TCP initialization required? <P>I have an RDP security question:</P><P>&nbsp;</P><P>When you allow RDP over both TCP/UDP, is the client required to set up a connection via TCP and do a handshake with encryption keys before being allowed to use UDP during the session?</P><P>&nbsp;</P><P>The reason I ask is that I have external authentication via a proxy server, which requires the user to authenticate securely via a one-time token. When the user has been authenticated, the user's IP is added to a firewall rule allowing RDP access.</P><P>&nbsp;</P><P>So basically, the RDP server (Windows 10 Pro) is set to allow passwordless login (autologin via the "Log in" button in the Windows logon screen) via RDP with built-in encryption (no SSL).</P><P>&nbsp;</P><P>The RDP port in the firewall is then controlled by an external authentication mechanism that will allow certain source IPs after authenticating.</P><P>&nbsp;</P><P>The initial question is because, if the client can set up a session using ONLY UDP, then a client could spoof the source IP of an authenticated user. 
In TCP it's not possible to spoof the IP because of the requirement of the three-way SYN, SYN-ACK, ACK handshake, and if a session setup is required using TCP, then it does not matter if UDP is later used.</P> Thu, 25 Jun 2020 09:30:21 GMT SebastianNielsen 2020-06-25T09:30:21Z Windows Hello WebAuthn page is behind the browser. <P>I am using Windows Hello WebAuthn for my intranet system. But one of my colleagues has a problem.</P><P>&nbsp;</P><P>When he tries to log in with Windows Hello WebAuthn, the authentication page is behind the browser or loses the focus. So, he has to click the mouse on the authentication page. After that, the Windows Hello authentication proceeds. Other colleagues don't have this problem.</P><P>&nbsp;</P><P>I don't know how to resolve this problem. Do you have any idea?</P><P>&nbsp;</P><P>Environment</P><P>- Windows 10 1909</P><P>- Using AD &amp; Windows Hello for Business</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 24 Jun 2020 00:39:51 GMT hyoil 2020-06-24T00:39:51Z BitLocker encryption still running at 128kb instead of the required 256kb. <P>Hi</P><P>Hopefully I have put this in the correct forum :)</P><P>&nbsp;</P><P>&nbsp;</P><P>We use SCCM and have created a Windows 10 deployment which should set BitLocker encryption to 256KB but instead it's setting it to 128KB. The step to change the encryption is set in the build sequence.</P><P>&nbsp;</P><P>It's not Group Policy that is affecting it as it's occurring well before then and at build.</P><P>Does anyone have any suggestions what it could be?</P><P>I will post this on the Microsoft Endpoint Manager forum in case it's best answered there.</P><P>&nbsp;</P><P>Many Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 23 Jun 2020 16:25:33 GMT isotonic_uk 2020-06-23T16:25:33Z Product still listed as enabled in AntivirusProduct class even though uninstalled 5 days ago <P>&nbsp;</P><P>I uninstalled F-Secure 5 days ago and have restarted/powered down this device several times since. 
It seems that either the data returned by this query is outdated (and a refresh/reload may solve the issue, if at all possible) or that Windows truly believes the F-Secure product is still installed and enabled.</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="powershell"># Render ProductState as a zero-padded 6-digit hex string so the byte
# positions are stable regardless of the leading nibble (e.g. 0x041000 -&gt; "041000").
Function ConvertTo-NPHex {
    Param([int]$Number)
    "{0:x6}" -f $Number
}

$Products = @()
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction Stop |
    ForEach-Object {
        $hex = ConvertTo-NPHex $_.ProductState
        # Middle byte: 00 or 01 = product disabled, anything else = enabled.
        $mid = $hex.Substring(2, 2)
        # Last byte: 00 = signatures up to date.
        $end = $hex.Substring(4, 2)
        $Products += [ordered]@{
            DisplayName  = $_.DisplayName
            ProductState = $_.ProductState
            Enabled      = -not ($mid -match "^(00|01)$")
            UpToDate     = ($end -eq "00")
            Updated      = (Get-Date -Date $_.Timestamp).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
        }
    }
$Products | ConvertTo-Json</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P><STRONG>Output from snippet above:</STRONG></P><P>&nbsp;</P><LI-CODE lang="json">[
    {
        "DisplayName": "F-Secure SAFE",
        "ProductState": 270336,
        "Enabled": true,
        "UpToDate": true,
        "Updated": "2020-06-17T08:09:16Z"
    },
    {
        "DisplayName": "Windows Defender",
        "ProductState": 393472,
        "Enabled": false,
        "UpToDate": true,
        "Updated": "2020-06-17T07:59:53Z"
    },
    {
        "DisplayName": "ESET Security",
        "ProductState": 266240,
        "Enabled": true,
        "UpToDate": true,
        "Updated": "2020-06-22T12:28:56Z"
    }
]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>I am absolutely certain that F-Secure is not installed. Not only did I remove it manually, but it's also not visible in the Security Center UI, not under installed programs and not detected by a PowerShell script that looks through the registry for installed programs. 
This device is also not listed in my F-Secure web administration console, so I know it's uninstalled.</P><P>&nbsp;</P><P><STRONG>Expected situation:</STRONG></P><OL><LI>F-Secure isn't listed at all (it's not installed)</LI><LI>Windows Defender is listed and not enabled</LI><LI>ESET is listed and enabled</LI></OL><P><STRONG>Questions:</STRONG></P><OL><LI>Is it possible to 'force' a refresh of this class?</LI><LI>Is it known when this class is 'organically' updated?</LI><LI>Any tacit knowledge as to why the product is still in the response?</LI></OL><P>&nbsp;</P> Mon, 22 Jun 2020 15:09:24 GMT michaelmcdonald 2020-06-22T15:09:24Z Lock the computer if no WiFi connection for a predetermined time period <P>I have a weird request from my E suite.</P><P>&nbsp;</P><P>Per the subject line, they want to be able to either disable the security trust or lock the workstation if it has not connected to any WiFi for a predetermined time period. I am not seeing a way to make that happen but figured I would ask.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 17 Jun 2020 22:08:12 GMT jwolff 2020-06-17T22:08:12Z Cannot Sign In to a different organization in Windows 10 <P>I signed in to my former organization account on Windows 10 in March. However, I resigned and joined a different organization. I have not been able to completely remove my former company's data from the PC and mobile, and I can't even sign in on the browser to my new company account. 
What do I do?</P> Tue, 16 Jun 2020 11:58:08 GMT mrphayo 2020-06-16T11:58:08Z Needed commands for MpDlpCmd.exe; this application is from Windows 10 v2004 64-bit <P>I am trying to configure Defender through the DLP (Data Leak Protection) command-line utility.</P><P>MpDlpCmd.exe is located under</P><P>C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0</P><P>&nbsp;</P><P>There is no help usage file to use the command, so if any advanced user knows the commands for</P><P>MpDlpCmd.exe, please post here; it will be helpful to other users also.</P> Tue, 09 Jun 2020 14:46:38 GMT RAJUMATHEMATICSMSC 2020-06-09T14:46:38Z What additional details do I need to specify for phone 2FA when setting up an account? <P>I am trying to set up a newly received computer and have been given this prompt:</P><P>&nbsp;</P><P>[image: adante111_0-1591164104477.png]</P><P>&nbsp;</P><P>I have redacted the actual number for privacy reasons but to confirm, when I dial +61 and the number that is redacted, I am able to call the number successfully. 
This leads me to believe the number is fine.</P><P>&nbsp;</P><P>When I click next, sometimes the 'Additional details' will disappear, but otherwise the screen stays the same.</P><P>&nbsp;</P><P>I do not receive a phone call.</P><P>&nbsp;</P><P>The error message has not been particularly useful in illuminating the problem here so I was wondering if anybody is able to provide some insight.</P><P>&nbsp;</P> Wed, 03 Jun 2020 06:07:37 GMT adante111 2020-06-03T06:07:37Z Today I found an unsigned driver program <P><EM><STRONG>I scanned my Windows 10 computer today and found one unsigned driver of my Nvidia graphics drive. Will Keep Ant Trust It?</STRONG></EM></P><P>[image: Annotation 2020-04-18 231044.jpg]</P> Sun, 19 Apr 2020 13:46:06 GMT MuthuKumaraVel 2020-04-19T13:46:06Z Maximum Anti-Exploit hardening for new Edge <P>I would like to hear your Anti-Exploit settings for the new Chromium Edge.</P><P>From the forum I got the following:</P><P>&nbsp;</P><P>(* will break Chrome or extensions)</P><P>ACG (off)*<BR />BLII (on)<BR />BRI (on)<BR />BUF (on)<BR />CIG (on) - also allow loading of images signed by Microsoft Store<BR />CFG (on) - Strict (Off)*<BR />DEP (on) - ATL (on)<BR />Dep (on)<BR />Win32k (off)*<BR />Child Process (off)<BR />EAF (off)*<BR />Mandatory ASLR (on) - Stripped (on)<BR />IAF (off)*<BR />BottomUp ASLR (on)<BR />SimExec (off)*<BR />CallerCheck (off)*<BR />SEHOP (on)<BR />VHU (on)<BR />VHI (on)<BR />VIDI (on)<BR />StackPivot (off)</P><P>&nbsp;</P><P>Edit: Also someone says the settings are needed for "MicrosoftEdgeCP.exe" too.</P> Fri, 10 Apr 2020 08:52:01 GMT Deleted 2020-04-10T08:52:01Z (workaround available) Local credentials of user who installed Windows 10 1909 w/ (already existing) <P>Hi everyone! Thanks for reading this! 
And yes, this problem has a workaround.</P><P>&nbsp;</P><P>I have just reinstalled Windows 10 1909. When I entered my MS account (my email), I was asked to select one of 3 numbers in my iOS MS Authenticator app. I also set my fingerprint and face authentication. Everything ran smoothly.</P><P>&nbsp;</P><P>Later on, I tried to access a folder on this computer from another one. However much I tried, I was unable to access it. I checked the Event Viewer Security log and it was clearly stated there "wrong user or password". Strange.</P><P>&nbsp;</P><P>As I was sure I knew my username/password, I did one last thing: I used recovery options and rebooted into "Command Prompt" mode. Voilà! It did not recognize my password.</P><P>&nbsp;</P><P>To fix this, I changed my login to use a local account instead of my MS account. I was asked for a username (for which I selected the same 5-letter one) and the same password as my MS account. Problem solved.</P><P>&nbsp;</P><P>To bring things back to what they were before, I returned the login to use my MS account.</P><P>&nbsp;</P><P>I would like to have someone validate my workaround and perhaps to have someone inside MS empowered to fix this solve it. It is really tricky!</P><P>&nbsp;</P><P>Thanks for your attention!</P><P>&nbsp;</P> Tue, 07 Apr 2020 02:18:17 GMT sandro 2020-04-07T02:18:17Z ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability <P>Hello Team,<BR /><BR />Please can someone guide me on the above subject line issue?<BR />How can I update my server?</P> Mon, 30 Mar 2020 09:01:12 GMT yakumoha 2020-03-30T09:01:12Z Is it possible to control the DNS client on Win 10 <P>Hi,</P><P>As we all know, DNS is one of the services which is leaking information out from organizations. I have read some plans to have possibilities to do filtering on how much DNS servers are leaking data out. 
But in case your workstation is living two different lives: VPN and without VPN.</P><P>&nbsp;</P><P>So normally when the workstation has a VPN established, all the DNS queries are of course traveling through the VPN.</P><P>&nbsp;</P><P>But when a domain joined workstation is starting without VPN it is shooting many different internal DNS queries to the first available DNS server. And as we all know, those queries are plain text on the wire.</P><P>&nbsp;</P><P>Has anyone here tried to solve this issue somehow? Having your own DNS client for VPN and closing down the OS's own DNS client? Or filtering DNS queries for internal domains by the local FW?</P> Fri, 27 Mar 2020 21:17:40 GMT Petri X 2020-03-27T21:17:40Z WiFiTask.exe <P>I observed traffic towards <A href="#" target="_blank" rel="noopener noreferrer"></A> from a Windows 10 machine.</P><P>The user agent captured was “Microsoft!WiFiTask_File_Downloader” and I have no information on the official Microsoft website.</P><P>&nbsp;</P><P>On further analysis I found wifitask.exe generating this traffic, which is a background service.</P><P>&nbsp;</P><P>Also after analyzing wifitask.exe in "<A href="#" target="_blank"></A>" I found “Microsoft!WiFiTask_File_Downloader” in the strings.</P><P>&nbsp;</P><P>Ref Link: <A href="#" target="_blank"></A></P><P>&nbsp;</P><P>Can anyone please help me understand,</P><P>&nbsp;</P><P>1. Why wifitask.exe is generating traffic towards <A href="#" target="_blank" rel="noopener noreferrer"></A>?</P><P>2. Why “Microsoft!WiFiTask_File_Downloader” is captured as the User Agent in logs?</P> Tue, 24 Mar 2020 14:15:29 GMT prannay_21 2020-03-24T14:15:29Z WVD disk encryption <LI-CODE lang="text">Set-AzVMDiskEncryptionExtension : Long running operation failed with status 'Failed'. Additional Info:'VM has reported a failure when processing extension 'AzureDiskEncryption'. Error
message: "Failed to configure bitlocker as expected. Exception: Encrypt failed with 2147942487, InnerException: , stack trace:    at
Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.Encrypt() in
X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 423
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.StartEncryptionOnVolume(EncryptableVolume vol) in
X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerOperations.cs:line 893
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line
1460
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in
X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1695
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1785"
More information on troubleshooting is available at  '
ErrorCode: VMExtensionProvisioningError
ErrorMessage: VM has reported a failure when processing extension 'AzureDiskEncryption'. Error message: "Failed to configure bitlocker as expected. Exception: Encrypt failed with
2147942487, InnerException: , stack trace:    at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerWmi.Win32EncryptableVolumeWrap.Encrypt() in
X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerWMI\Win32EncryptableVolumeWrap.cs:line 423
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerOperations.StartEncryptionOnVolume(EncryptableVolume vol) in
X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerOperations.cs:line 893
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.EnableEncryption() in X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line
1460
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.HandleEncryptionOperations() in
X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1695
   at Microsoft.Cis.Security.BitLocker.BitlockerIaasVMExtension.BitlockerExtension.OnEnable() in X:\bt\1084354\repo\src\BitLocker\BitlockerIaasVMExtension\BitlockerExtension.cs:line 1785"
More information on troubleshooting is available at 
ErrorTarget:
StartTime: 3/13/2020 11:58:01 AM
EndTime: 3/13/2020 11:58:01 AM
OperationID: e240c127-49e5-47c7-b0ce-c5b02736ce8f
Status: Failed
At line:11 char:1
+ Set-AzVMDiskEncryptionExtension -ResourceGroupName SNOW_POC -VMName W ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [Set-AzVMDiskEncryptionExtension], ComputeCloudException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.Compute.Extension.AzureDiskEncryption.SetAzureDiskEncryptionExtensionCommand</LI-CODE> Wed, 
18 Mar 2020 16:30:37 GMT Alexander Larkin 2020-03-18T16:30:37Z Windows Defender Application Guard (WDAG) for legacy Edge not accepting keyboard input anywhere. <P>My WDAG for legacy Edge sometimes do not accept keyboard input anywhere. I click on address bar, the cursor starts to blink there and when I type nothing happens. The same happens to the search box of the default page (in my case, MSN).</P><P><BR />To make matters worse, I may have WDAG running fine for a moment and, just after a reboot, it comes back to this strange behaviour and no keyboard input again. Since I have made absolutely no change on setting on my own, I really can not understand what is going on.</P><P><BR />At first I thought there was a hidden interaction with Controlled Folder Access (CFA) enabled but I do not think anymore that this is the reason. Nevertheless, I fix the problem by turning off CFA and rebooting. As soon as I confirm that WDAG is accepting keyboard input I re-enable CFA. Reboot and it is just fine. I leave the computer on for several hours and no problem, Then, a new reboot and voilà, the problem is back again.</P><P>&nbsp;</P><P>Some hints and info:</P><P>* Windows 10, 1909 Pro - not a Windows Insider release.</P><P>* Windows Sandbox is fine, but I can not type anything in the search box - in this case it seems to be disabled because the cursor does not appear there. Nonetheless, the WDAG problem aforementioned already exists long before installing the Sandbox.</P><P>* CFA is turned on and there is no CFA-related event (according to Microsoft Docs) registered in either CFA history or Windows Event Viewer.</P><P>* Languages/Keyboard set:<BR />&nbsp;&nbsp;&nbsp; en-UK/US international<BR />&nbsp;&nbsp;&nbsp; en-UK/Brazilian Portuguese ABNT-2<BR />&nbsp;&nbsp;&nbsp; pt-BR/US-international</P><P>* Windows Display Language: en-UK</P><P>* Country Region: en-UK</P><P>* Reliability Monitor shows only usual software update. No crash.</P><P>* DISM/SFC: fine! 
No problem here.</P><P>* I am the administrator of the machine.</P><P>* Manufacturer drivers up to date.</P><P>This computer has been just reset from OEM Windows 10 1709 and upgraded straight to 1909. WDAG was installed just after that so I could say that there is no old programme causing trouble.</P><P>&nbsp;</P> Sun, 15 Mar 2020 20:31:00 GMT sandro 2020-03-15T20:31:00Z Could we find a laptop using Microsoft product key for the Windows installed on it <P>Could we find a laptop using Microsoft product key for the Windows installed on it.</P> Fri, 28 Feb 2020 19:51:15 GMT Hassan20201415 2020-02-28T19:51:15Z