Latest Discussions
Microsoft Defender fails to update from File Share
Hello! I've tried to configure my Windows system to use Defender updates through a file share. On my domain controller I've set two GPOs to make it possible:

Define file shares for downloading security intelligence updates -> \\fileserver\DefenderUpdates
Define the order of sources for downloading security intelligence updates -> FileShares

When running the command Get-MpPreference I can see that the GPOs were successful, with the following output:

SignatureDefinitionUpdateFileSharesSources : \\fileserver\DefenderUpdates
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : FileShares

The file structure on the file share looks like the following:

\---DefenderUpdates
    \---x64
            mpam-fe.exe

Then I tried to run the command Update-MpSignature and I get the following error message:

Update-MpSignature: Virtus and spyware definitions update was complated with errors.
At line:1 char:1
+ Update-MpSignature
+
    + CategoryInfo          : NotSpecified: <MSFT_MpSignature:ROOT\Microsoft\...SFT_MpSignature> [Update-Signature], CimException
    + FullyQualifiedErrorId : HRESULT 0x8024402c,Update-MpSignature

This has worked previously but I don't know what has changed. Does anyone have a clue?

Best regards,
dedicated-worker.

dedicated-worker, Jan 28, 2025, Copper Contributor

WDAC Managed Installer and AppLocker Audit logs
Hello, I am looking to deploy WDAC to Intune-managed Windows 11 devices. In testing I have followed guidance (link below) to create the required supporting AppLocker ManagedInstaller rule: Allow apps deployed with a WDAC managed installer (Windows) | Microsoft Learn

In testing, whilst this appears to work (in that an app deployed by Intune is allowed, but the same app installed locally by an admin is not), I have noticed that the configuration results in an excessive amount of logging to the AppLocker Microsoft-Windows-AppLocker/EXE and DLL log, i.e. an 8003 audit event for pretty much every DLL execution:

Does anyone know if this is expected? Seems an obvious question, as I see how the configuration of the AppLocker ManagedInstaller rule collection in audit mode could cause this:

Just looking for some clarification that this is expected, as I had not anticipated the use of this (MDAC) option to result in such aggressive logging by AppLocker (which I am otherwise not looking to use). I have seen no mention of this in the documentation, so I guess it is either deemed obvious (which one could argue is the case!) or I have misconfigured something? Does anyone else have this configured and if so, do you see the same?

Many thanks,
Philpce, Jan 27, 2025, Copper Contributor

WDAC DLL-Blocking
Hi everyone, I am currently trying to implement WDAC with Intune as a managed installer and have followed the documentation (Allow apps deployed with a WDAC managed installer - Windows Security | Microsoft Learn) for this. This works pretty well so far; most applications that are packaged and deployed via Intune are allowed to run.

What surprises me, though: in the WDAC policy, I left out policy rule option 19 (Enabled: Dynamic Code Security) because we don't want to block DLLs. Nevertheless, it happens from time to time that DLLs are blocked. The errors then look like this:

Code Integrity determined that a process (\Device\HarddiskVolume3\Users\xxxxx\AppData\Roaming\Autodesk\ADPSDK\bin\AdpSDKUtil.exe) attempted to load \Device\HarddiskVolume3\Users\xxxxxx\AppData\Roaming\Autodesk\ADPSDK\bin\AdpSDKIdentityWrapper.dll that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:{xxxxxxxx).

Is there any way to disable this behavior, or have I overlooked something here? Is it at all possible to disable blocking of DLLs completely?

The AppLocker configuration for the managed installer:

The Rule Options selected in the WDAC Wizard:

flychrome, Jan 24, 2025, Copper Contributor

WDAC allow rule not working for non program or windows directories
I was testing WDAC. I used App Control Wizard to create a Multiple Policy Format Base Policy. I selected the Default Windows Mode and left all options as default (except I turned off audit mode, as I was just testing it on a testing machine). Set up the allow rules for the following paths:

%WINDIR%\*
%OSDRIVE%\Program Files\*
%OSDRIVE%\Program Files (x86)\*
%OSDRIVE%\ProgramData\*
%OSDRIVE%\Users\*
%OSDRIVE%\Temp\*

Used Citool to update the policy on a test machine. WDAC worked for the first 4 directories. I can run MS Office and programs that are located in these 4 directories and their subdirectories. However, it did not work for the last 2 directories (c:\Users and c:\Temp). I used the same program that worked in the first 4 directories. The program execution was blocked by WDAC in c:\Temp. It could be run in c:\Users but not in its subdirectories.

I thought WDAC did not perform blocking by default for the first 4 directories. I removed the allow rules. As soon as I removed the allow rules and updated the policy using Citool, it did block programs running from the 4 directories.

I looked at the event log and cannot figure out why the behavior is different between the first 4 directories and the last 2. Appreciate any comment. Thanks

Solved. JamesY650, Jan 23, 2025, Copper Contributor

WDAC not applying via Group Policy
Hello and greetings from Portugal! I'm trying to implement WDAC via Group Policy. I've used WDAC Wizard, and if I copy the *.cip file to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" I see that WDAC gets enabled, for example using MSInfo32. But I cannot enable WDAC via GPO. I've converted the *.xml to *.bin and enabled "Deploy Windows Defender Application Control". I see the event ID 7010 "Device Guard successfully processed the Group Policy: Configurable Code Integrity Policy = Enabled", but the thing is MSInfo still doesn't show that WDAC is activated. Can someone please help?

DiogoSousa, Jan 17, 2025, Iron Contributor

Limit Windows Defender CPU Usage
I have the problem that our clients use too much CPU during a full scan. Actually, the usage is limited to 20%, but the setting seems to have no effect. Whether I set it via Configuration Manager or GPO, the result is the same. Does anyone have a similar problem or, even better... a solution?

philippwree, Jan 13, 2025, Copper Contributor

Hotspot through Windows Defender Firewall
I would like to know ALL ports and protocols, services, etc. that need to be whitelisted for hotspot to work with Windows Defender Firewall, or otherwise the baseline/recommended procedure. I have tested enabling the below so far:

Inbound/Outbound:
UDP: 67, 68, 53, 5355
TCP: 443, 80, 53
ICMP4/6: protocols 1/58, types and codes 0/8
Services: icssvc

I still get drop events here and there in Windows Defender Firewall logs for ports 80/ICMP, etc. Any idea what could be the reason, and what is the best way to set this up to allow hotspot access from the device?

AhmedSHMK, Dec 04, 2024, Brass Contributor

Microsoft Ignite 2024 companion guide: Windows security
With all the exciting news coming this week from Ignite, here are some great resources to help you dive deeper into Windows 11 security topics after you watch my session on Windows 11 security and resiliency.

Hardware baselines
Pluton, Secured-Core PC, secure by default – Review hardware-based security features available out of the box in Windows 11.

Protect data
Personal Data Encryption for known folders – Learn about file-based encryption capabilities using Windows Hello authentication, available starting in Windows 11 Enterprise, version 22H2.
Virtualization-based security (VBS) enclaves – Find an overview and development guide for VBS enclaves and learn how to enable isolation of sensitive workloads from both the host application and the rest of the system.

Multifactor authentication and identity hardening
Passwordless authentication – Discover how Windows Hello and passkeys on Windows enable safer sign-ins with passwordless authentication.
Recall security and privacy architecture – Get the latest information on how Microsoft is designing Recall with security and privacy in mind.
Delegated Managed Service Accounts (dMSA) Overview in Windows Server 2025 – Read more about the new dMSA account type introduced in Windows Server 2025 and watch a demo about the migration path from a service account to dMSA.
NTLMless – Keep up to date with deprecated Windows features, including NTLM.

Verified, least privilege apps and drivers
Modern print platform: Windows Protected Print – Take a closer look at how Modern print provides a simple, streamlined and secure printing experience.
Tools for Win32app isolation – Access tools for using the Win32app isolation feature on Windows to help contain the damage and safeguard user privacy choices in the event of an app compromise.
Administrator protection – Find out how this new Windows 11 platform security feature protects users while still allowing just-in-time administrator privileges authorized using Windows Hello.
Trusted Signing – Check out the new code signing service for developers and IT professionals, backed by a Microsoft managed certification authority.
Smart App Control, App Control for Business – Read how you can use policies to provide peace of mind that only verified apps can run on your device.

OS configuration
Device Health Attestation – Help confirm devices are in a good state and haven't been tampered with.
New Windows 11, version 24H2 security baseline – Get the latest information about changes to the security baseline for Windows 11, version 24H2, including additional protections to LAN Manager, Kerberos, User Account Control, and more.
Config Refresh – Config Refresh helps enforce IT-defined security policies by automatically returning PC settings to the preferred configuration.
Zero Trust DNS – Discover how Zero Trust DNS enables domain-name-based lockdown to block network traffic to unapproved network destinations.
Hotpatching with Windows Autopatch – Hotpatch updates for Windows 11 Enterprise, version 24H2 client devices are now available in public preview.

Learn more
Finally, to learn more about how Windows 11 is built secure by design and secure by default to help businesses transform and thrive in a new era, bookmark the Windows 11 Security Book!

Katharine_Holdsworth, Nov 19, 2024, Microsoft

WORKGROUPs name role in establishing connection to SMB Share
If I understand it correctly, workgroups are used for easier permission management of shares and facilitating share discovery for computers that are grouped up having similar access rights (let's say inside an organisation). I am currently studying for OSCP and I can't understand why, when connecting to the SMB share using smbclient, the workgroup name is required, as the workgroup is not supposed to be used for any authentication purposes and the authorisation can be done just by username.

Solved. paul0ss, Nov 12, 2024, Copper Contributor

Build 2024 companion guide: Windows developer security resources
Ready to learn more about the topics discussed in our sessions on "Unleash Windows App Security & Reputation with Trusted Signing" and "The Latest in Windows Security for Developers" at Microsoft Build 2024? Here are some resources and tools to help you get started:

Dive deeper into:
Passkeys in Windows - (1 min.) Get a quick overview of passkeys, how they are used in Windows, and how they compare to passwords.
Virtualization-based security (VBS) key protection - (5 min.) Learn how to create, import, and protect your keys using VBS.
NTLM-less - (4 min.) Find the syntax, parameters, return value, and remarks for the AcquireCredentialsHandle (Negotiate) function.
Personal Data Encryption (PDE) - (5 min.) Get information on prerequisites, protection levels, and more for this security feature that provides file-based data encryption capabilities to Windows.
Virtualization-based security (VBS) Enclave - (1 min.) Explore the functions used by System Services and Secure Enclaves.
Trusted Platform Module attestation - (8 min.) Explore key TPM attestation concepts and capabilities supported by Azure Attestation.
Zero Trust DNS - (4 min.) Learn more about Zero Trust DNS (ZTDNS), currently in development for a future version of Windows to help support those trying to lock down devices so that they can access approved network destinations only.
Win32 app isolation repo - Access the documentation and tools you need to help you isolate your applications.
MSIX app packaging - (3 min.) Learn how to use the MSIX Packaging Tool to repackage your existing desktop applications to the MSIX format.
Trusted Signing - Access how-to guides, quickstart tutorials, and other documentation to help you utilize this Microsoft fully managed end-to-end signing solution for third party developers.
Smart App Control - (3 min.) Get to know the requirements and stages for Smart App Control, plus get answers to frequently asked questions.

Coming soon:
Making admins more secure
Granular privacy controls for all Win32 apps

Continue the conversation. Find best practices. Join us on the Windows security discussion board.

Katharine_Holdsworth, Nov 01, 2024, Microsoft