Windows on Anything About IT

Use Microsoft Endpoint Configuration Manager to Configure the Windows Print Spooler Service

Sat, 10 Jul 2021 15:07:17 +0000

Hello there,

In my earlier post Use Microsoft Endpoint Configuration Manager to stop the Windows Print Spooler Service – Anything about IT (verboon.info) I explained how to stop the Print Spooler service using Microsoft Endpoint Configuration Manager leveraging CMPivot to identify servers where the Print Spooler is running and the Run Script function to stop and disable the service. This method was intended as a first response action, however as new servers get deployed, we want to make sure the print spooler remains disabled, so we need a more permanent solution.

Hunting for Local Group Membership changes

Sun, 06 Sep 2020 08:22:11 +0000

Hello there,

A couple of days ago, someone in a forum asked whether it would be possible to detect changes to the local administrator’s group using Microsoft Defender Advanced Threat protection. Before I continue why would you want to monitor such changes? Well here is what comes to my mind:

An attacker tries to maintain persistence, creates an account, and adds it to the local administrator’s group. T1136.001 - Create Account: Local Account
A user obtained a LAPS password and misuses the temporary permission to add their own account to the local administrative group
Local IT support works on fixing an issue, adds the user to the local administrator’s group, but forgets to remove the account after the issue is being resolved
In the days of COVID19, IT sometimes is in a rush and does anything to enable their users to work, a user is quickly added to the local administrators or remote desktop users group to enable them to use Remote Desktop Services (RDP)

Now the good news is, yes changes to local groups can be detected. As you can see from the screenshot below Microsoft Defender ATP exposes UserAccountAddedToLocalGroup ActionType in the DeviceEvents table.

Windows 10 2004 - What is new in the Windows Security App

Thu, 21 May 2020 13:10:05 +0000

When all goes well, Microsoft will soon release the next version of Windows 10 aka as Windows 10 2004. I am an active Windows Insider user and noticed a few little changes within the Windows 10 Security App that I think are worth sharing.

I used the following Windows 10 builds to identify changes, new features:

Windows 10, 1909, Version 10.0.18363.836
Windows 10, 2004, Version 10.0.19628.1

Windows Security App Icon

First thing you will notice is that there is a new tray icon. Windows 10 – 1909 Windows 10 - 2004

The case of Running the Device and Credential Guard Hardware Readiness Tool and unknown architecture

Fri, 31 May 2019 15:47:53 +0000

To close this week, let me share my findings with you about running the Windows Device and Credential Guard Hardware Readiness Tool and the unknown architecture error.

Believe it or not, there are still people, probably more than I assume, that run Windows in their native language instead of English. I can understand when end users do so, but honestly when administrating an infrastructure? Anyway, I recently worked for a client where the UI is set to German language, well after 10 minutes I felt so lost that I had to install the English language pack to become productive. While supporting the client to get ready for the Deployment of Windows Defender Credential Guard, following best practices I executed the Device Guard and Credential Guard Hardware Readiness Tool on one of their devices and got the following error:

Retrieving Windows Defender Exploit Guard Windows Event logs with PowerShell

Thu, 02 May 2019 15:14:57 +0000

Most of the features included in Windows Defender Exploit Guard can be enabled in audit or block mode. The impact can then be analyzed either by looking at the corresponding Windows Event log entries or through advanced hunting queries in Windows Defender ATP.

Today, I’ll share a script I recently wrote to quickly pull Windows Defender Exploit Guard related events from the Windows Event log. Anytime soon I will share some Kusto queries for the advanced hunting method through MDATP.

It’s never too late to start learning PowerShell

Tue, 27 Mar 2018 10:34:53 +0000

It’s 2018 now and you might think who doesn’t know PowerShell yet. Although I’ve seen the number of people using PowerShell increasing over the past years, there’s still plenty of people out there that have the learning curve for PowerShell ahead of them. A few years ago, when the use of PowerShell got traction amongst many IT professionals the web was full of learning resources by means of blog posts, podcasts and online trainings. It seems that nowadays we expect everyone to be past the beginner’s level and so the type of content that is shared within the community is slightly changing to more advanced topics as well and that’s good for those that are riding the PowerShell wave already. However, let’s take into consideration that even in 2018, twelve years after PowerShell (Monad) arrived there are people that just start their journey into PowerShell. Think of the younger generation of IT professionals who spend the last ten years in school or the senior IT pro who’s changing their career into a field where PowerShell knowledge becomes inevitable.

Retrieving Windows Defender ATP query API data with PowerShell

Tue, 09 Jan 2018 20:45:15 +0000

I am currently working on some automation around Windows Defender, so started to look at the Windows Defender Advanced Threat Protection query API.

Note that this API is still in preview. I wrote two functions for this.

Connect-WindowsATP is used to get an access token. Note that you will need to first register the API in Azure Directory so that you get an Application ID that you have to include at the top of the script.

The System Center Configuration Manager Cmdlet Library

Wed, 17 Jun 2015 18:21:01 +0000

Hey there, usually when I post something I try to post something new, something that ideally hasn’t been posted before. Today, I’ll make an exception. This becasue when recently speaking to others dealing with ConfigMgr I noticed that not everyone is aware yet that back in April the ConfigMgr team released the System Center Configuation Manager CmdLet Library. So i believe it’s worth to spread the word again.

So here we go:

How to troubleshoot a Windows-based Azure Virtual Machine

Sun, 05 Apr 2015 22:52:41 +0000

When a physical device running Windows has problems, you have all sorts of possibilities to fix it, when virtual machine hosted within your on-premise virtualization infrastructure runs into issues, you still have all options to fix it. But the first time when a virtual machine hosted in Azure gets into trouble you might feel a little bit lost. But there’s hope. When I ran into an issue myself recently I found the following article “Troubleshoot Remote Desktop connections to a Windows-based Azure Virtual Machine”

Analysing the file content of Windows Installer files using PowerShell

Sun, 05 Oct 2014 18:59:14 +0000

A few weeks ago we have started with the preparation for introducing Microsoft Office 2013 and Internet Explorer 11. As with every introduction of new software it’s all about compatibility. During the course of testing applications we were informed that some of them caused an issue due to hard coded paths. Each application is going to be installed anyway so that application owners can conduct testing, but at the same time I thought, it would be nice if we could identify potentially affected applications upfront without having to go through an actual install.

Good to know: System Center 2012 Configuration Pack for Microsoft User Experience Virtualization

Tue, 14 Jan 2014 20:59:28 +0000

Based on a conversation I had yesterday at the ConfigMgr Community event here , it appears that few people know about the existance of the ConfigMgr pack for Microsoft UE-V. There’s one for UE-V version 1.0 and just a few weeks ago one for UE-V 2.0 was released.

After Microsoft User Experience Virtualization (UE-V) and its required components are installed, UE-V must be configured. This UE-V Configuration Pack provides a way for administrators to use the Compliance Settings feature of System Center Configuration Manager 2012 SP1 to apply consistent configuration across sites where UE-V is installed. The UE-V Configuration Pack for UE-V 2.0 provides tools to do the following: The UE-V Configuration Pack provides tools to do the following: 1. Create UE-V template distribution baselines. a. Defines UE-V templates to be registered or unregistered b. Updates UE-V template configuration items and baselines as templates are added or updated. c. Distribute and register UE-V templates using standard Configuration Item remediation

ConfigMgr OSD - Enable .NET Framework 3.5 on Windows 8.1

Sat, 14 Dec 2013 01:17:13 +0000

Windows 8.1 has the .NET Framework 4.5.1 enabled by default. If you need .NET Framework 3.5 which also includes support for .NET 3.0, and 2.0, then you must enable the feature as it is not enabled by default.However to enable it you need access to the content of the Sources\SXS folder that resides on the Windows 8.1 installation media. More details are described in the MSDN article Installing the .NET Framework 3.5 on Windows 8 or 8.1

Group Policy changes included in the Windows Management Framework 3.0

Tue, 26 Feb 2013 06:48:22 +0000

While creating a new Group Policy object to enable WinRM (Windows Remote Management) on clients, I noticed some Group Policy changes that are introduced with the Windows Management Framework 3.0. The Windows Management Framework 3.0 contains the following updates:

Windows PowerShell 3.0
Windows Management Instrumentation (WMI) 3.0
Windows Remote Management (WinRM)
Management OData IIS Extension
Server Manager CIM Provider

I became aware of the changes as I was referring to a blog post I had written a while back about how to enable Windows Remote Management via Group Policy.I noticed that the name of the Group Policy setting located under Computer Configuration \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Service \ Allow automatic configuration of listeners was changed to Allow Remote Server management through WinRM

No MBSA for Windows 8 planned

Thu, 08 Nov 2012 18:55:21 +0000

Many companies and individuals use the Microsoft Baseline Security Analyzer (MBSA) to assess the security state of their Windows Clients. But according to a statement from Microsoft in their August 2012 Security Bulletin, there are currently no plans to release an updated version for Windows 8.

Q: Will the current version of MBSA support Windows 8?

A: No, the current version of MBSA will not support Windows 8 and Microsoft currently has no plans to release an updated version of the tool.

How the Windows Defender Offline Beta Tool works

Mon, 02 Jan 2012 00:21:02 +0000

In addition to the Microsoft Security Essentials software and the Microsoft Safety Scanner Microsoft just recently released another FREE antimalware removal product called the Windows Defender Offline Beta. While Security Essentials and Safety Scanner run within Windows, the purpose of the Windows Defender Offline Tool is to run offline from bootable USB or CD/DVD media.

In fact the tool isn’t really something new, those familiar with the Microsoft Desktop Optimization Pack Suite (MDOP) which includes the Diagnostics and Recovery Toolset (DaRT) have probably seen or used the Standalone System Sweeper tool before. Now when looking at the log files produced by the Windows Defender Offline tool, you’ll notice Microsoft Standalone System Sweeper tool entries rather than Windows Defender Offline.

A Security Baseline Resource for Windows 7–Internet Explorer and Windows 7 Firewall

Mon, 31 Jan 2011 20:51:35 +0000

If you are looking for some ideas how to secure your Windows 7 clients, have a look at the USGCB (The United States Government Configuration Baseline). The USGCB has been developed by the Department of Defense (DoD) and the National Institute of Standards and Technology. The documentation looks impressive and even if you aren’t going to apply all of these 1-1, it might give you some ideas on how to make your clients more secure.

A quick look at the Windows PowerShell Module for Intel vPro

Sat, 04 Sep 2010 18:41:44 +0000

In a previous post Using Intel AMT Power Management @ Home I wrote about how to use Intel AMT Power Management at home or let’s say in an environment where you don’t have systems managed by an infrastructure that provides integrated support for Intel AMT.

Now Intel has released a PowerShell Module for Intel vPro. You find all the details in the following blog posts.

Intel Core vPro Processor PowerShell Module - Release & Introduction

Least Privilege Security for Windows 7, Vista and XP

Tue, 27 Jul 2010 18:48:26 +0000

Yesterday I received a pre-release copy of Russel Smith’s book called Least Privilege Security for Windows 7, Vista and XP. The book is entirely dedicated to the subject of running Least Privilege Security (or standard user accounts) on Windows operating systems in the enterprise.

The book has 420 pages and covers the following topics:

Chapter 1, An Overview of Least Privilege Security in Microsoft Windows
Chapter 2, Political and Cultural Challenges for Least Privilege Security

Hide the Unused Updates

Sat, 31 Oct 2009 22:34:52 +0000

When opening Windows Update, you might see a number of Important and optional updates that are available to your system. But what to do if you are not interested in installing one of these updates? Over time the list will keep growing as new updates will be released and it becomes quite an annoying job to go over the entire list over and over again.

When you click on the “optional updates are available” link, all updates are listed as shown in the picture below.

Microsoft Baseline Security Analyzer with support for Windows 7 and Server 2008 R2

Tue, 27 Oct 2009 22:12:36 +0000

With the launch of Windows 7 Microsoft also released an updated version of the Microsoft Baseline Security Analyzer also known as MBSA. The version is 2.1.1 which is indicating that this is basically just a minor revision of the previous MBSA 2.1, and that is exactly what it is . MBSA 2.1.1 does not appear to bring any new features other than adding support for Windows 7 and Windows Server 2008 R2.

Quick Access to installed QFEs

Wed, 23 Sep 2009 20:20:03 +0000

Instead of opening several windows, here’s an easy way to get a list of installed QFE’s. simply open a command prompt and type:

**WMIC QFE **

WMIC QFE get caption,hotfixid,installedon

or if you are looking for a specific update, enter the following command:

WMIC QFE | find “958559”

where 958559 relates to the MS KB number. If the QFE is installed, it will be listed.

3 seconds to get system serial number

Applocker Documentation

Mon, 06 Jul 2009 20:03:58 +0000

The AppLocker Technical Documentation for Windows 7 and Windows Server 2008 R2 provides technical guidance about understanding how AppLocker works and how to effectively plan and deploy AppLocker policies.

The download contains two documents:

BETA - AppLocker Frequently Asked Questions.pdf BETA - Planning and Deploying Windows AppLocker Policies.pdf

Download here

Windows XP mainstream support ends in 2 days

Sun, 12 Apr 2009 19:00:41 +0000

On April 14th mainstream support for Windows XP will end. for the next 5 years the operating system goes into extended support. The table below illustrates the differences between mainstream and extended support.

The Microsoft Windows XP product page explains it as following:

Mainstream Support delivers complimentary and paid support, free security updates, and bug fixes to all Windows customers who purchase a retail copy of Windows XP (i.e., a shrink-wrapped, not pre-installed copy). Mainstream Support for Windows XP will continue through April 2009.

Using AppLocker in Windows 7 video

Thu, 26 Feb 2009 22:46:20 +0000

Watch the Using AppLocker in Win7 video on TechNet where Paul Cooke gives an insight on what Applocker is, how it works and how to deploy it.

Encrypted on Windows 7 and use on Vista as well

Wed, 18 Feb 2009 21:38:15 +0000

With Windows 7 we can not only encrypt our local fixed drives but also USB devices. Considering that probably many of do carry around one or more memory sticks that could contain sensitive data or just data you don’t want anyone else to get access too.

Now of course any new operating system comes with tons of new features, but I would consider this as one of those features that people are also really going to use, as it simple to use.

Windows 7 Partner information

Thu, 08 Jan 2009 20:55:53 +0000

For those of you that have access to the Microsoft Partner Program website Microsoft has published a couple of Windows7 related documents today that might be of use such as a feature and deployment overview presentation.

Windows PowerShell - Free booklet

Thu, 27 Nov 2008 22:10:10 +0000

As it looks like, Windows PowerShell will become part of Windows7, so it’s about time to start learning this powerfull scripting language. After i had downloaded PowerShell v1.0 (v2.0 is currently in CTP), i’ve started collecting and searching the documentation and learning guides. I’m not goig to list them all here, most resources and further links can be found on the Microsoft Technet Script Center. But there is one i would like to reference as it is a comprehensive and well written booklet provided and written by a Microsoft Consultant. Free Windows PowerShell workbook: server administration

It's about time to install MS08-067

Wed, 26 Nov 2008 20:18:54 +0000

If you haven’t done so yet, it’s about time you get the MS08-067 patch installed on your Windows clients. According to a recent post on the Microsoft® Malware Protection Center blog, another wave of attacks has been identified. By the way for those still running Windows NT 4.0, Microsoft indeed seems to have a patch for that retired OS but companies will have to pay to get it.

Windows Azure an introduction

Mon, 27 Oct 2008 19:23:31 +0000

Curious about Windows Azure ?

Manuvir-Das-Introducing-Windows-Azure

More information about Windows Azure can be found here

A lap around Windows Azure

The end of Windows 3.11

Thu, 31 Jul 2008 18:18:49 +0000

Remember this boot screen ?

Although retired for years now, the Embedded community could still use it.

In November 2008 it will definitely retire. Read more about the end of WFW 3.11 on John Coyne’s Embedded blog.

As this discussion started in our internal discussion forum, i started looking in my drawer and guess what….. found an old floppy.

Reading - Administering Windows Vista Security

Sun, 06 Jul 2008 11:03:32 +0000

Although you usually don’t read IT related books from page 1 and end it on the last page, I consider having finished reading Mark Minasis’ Administering Windows Vista Security - The Big surprises.

While many IT books can end up being a bit annoying, i found this one very nice to read as it does include the authors own opinion and practical experiences and it does real fluently.

The book gives you a good insight into Vista’s UAC, File and Registry virtualization and other security related topics.