Latest Discussions
WDAC allow rule not working for non program or windows directories

I was testing WDAC. I used App Control Wizard to create a Multiple Policy Format Base Policy. I selected the Default Windows Mode and left all options as default (except I turned off audit mode as I was just testing it in a testing machine). Set up the allow rules for the following paths:

%WINDIR%\*
%OSDRIVE%\Program Files\*
%OSDRIVE%\Program Files (x86)\*
%OSDRIVE%\ProgramData\*
%OSDRIVE%\Users\*
%OSDRIVE%\Temp\*

Used the Citool to update the policy to a test machine. The WDAC worked for the first 4 directories. I can run MSOffice and programs that are located in these 4 directories and their subdirectories. However, it did not work for the last 2 directories (c:\Users and c:\Temp). I used the same program that worked in the first 4 directories. The program execution was blocked by WDAC in c:\Temp. It could be run in c:\Users but not in its subdirectories. I thought WDAC did not perform blocking by default for the first 4 directories. I removed the allow rules. As soon as I removed the allow rules and updated the policy using Citool, it did block programs running from the 4 directories. I looked at the event log and cannot figure out why the behavior is different for the first 4 directories and the last 2. Appreciate any comment. Thanks

Solved | JamesY650 | Nov 20, 2024 | Copper Contributor | 68 Views | 0 likes | 2 Comments

WORKGROUP's name role in establishing connection to SMB Share

If I understand it correctly, workgroups are used for easier permission management of shares and facilitating share discovery for computers that are grouped up having similar access rights (let's say inside an organisation). I am currently studying for OSCP and I can't understand why, when connecting to the SMB share using smbclient, the workgroup name is required? As workgroup is not supposed to be used for any authentication purposes and the authorisation can be done just by username.

Solved | paul0ss | Nov 12, 2024 | Copper Contributor | 72 Views | 0 likes | 1 Comment

WDAC and file attributes filename not working

Hey all, We have some dll files that exist under our users' profile that we want to whitelist in WDAC. I can't use the hash method as it updates reasonably regularly and some users have a different version of the file, so that would be onerous to maintain. The dlls aren't signed so can't use that method. We are running Win10 so can't use wildcards to point to the path. I have tried a simple filename rule as below but it doesn't work.

<Allow ID="ID_ALLOW_A_0_0_1_1_0_0" FriendlyName="Allow files based on file attributes: dllfile.dll" FileName="dllfile.DLL" />

Am I missing something with the filename rule? cheers j

Solved | Deleted | Oct 09, 2023 | 1.4K Views | 0 likes | 2 Comments

Create NON admin windows user Microsoft account

I have a Windows 11 Pro OS with a single local admin account. When I try to add a new user with a Microsoft account using Settings->Accounts->Access Work or school and enter their Azure / Office 365 email and password it creates the user OK. However, it always makes them an admin on the machine and I see no way to remove them as a local admin. I see no settings when adding the account to set their account type. Any ideas? Thanks

Solved | KenTay | Oct 05, 2023 | Copper Contributor | 9K Views | 0 likes | 2 Comments

Extended Security Updates in CSP

Hi Community, We are an Indirect Provider and we need to clarify our options regarding Extended Security Updates through the CSP channel. Even though I have not found an official Microsoft announcement on this, this blog article refers to that and I quote: "Starting September 2023, Microsoft will offer the Extended Security Updates for Windows Server 2012/2012R2 as well as SQL Server 2012 as a month-by-month Pay-as-you-Go option. Customers will need to enroll their applicable servers in Azure Arc and do need to have an Azure subscription as a payment mechanism (this can be an Azure subscription through a Cloud Solution Provider (CSP) Partner). With this new option, Extended Security Updates finally come into reach of SMB customers. For pricing, aim at 75% of the license price per year, divided by 12 for a rough indication of the monthly price. Exact pricing will be published in September on the Azure website". This is a really critical point for us. Could you please enlighten us when and how we will be able to utilize this new ESU PAYG option via CSP? Thank you in advance for your significant input. Best regards, Nick

Solved | nick_Anag | Sep 22, 2023 | Iron Contributor | 3.7K Views | 1 like | 5 Comments

wsusscn2.cab file download verification

Hi, I use the wsusscn2.cab file to check missing security updates on an offline computer. I download the .cab file from https://catalog.s.download.windowsupdate.com/microsoftupdate/v6/wsusscan/wsusscn2.cab How can I verify the download? Can I find the SHA-256 checksum for the .cab file somewhere? Thanks for the help!

Solved | samlo1775 | Sep 21, 2023 | Copper Contributor | 3.3K Views | 0 likes | 3 Comments

How To Purchase Defender for Server Plan 1 and 2?

Hello According to the following link https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan, "Defender for Servers" Plan 1 & 2 is available for purchase. The July price list for NCE only lists "Defender for Business Server" and not "Defender for Servers". Therefore, how is "Defender for Server Plan 2" provisioned? Thank you in advance. LC

Solved | 3.1K Views | 0 likes | 2 Comments

AppLocker GPO support on Windows 10 / 11 Professional SKU since 2022/10 Patchday?

Hi, we noticed that AppLocker GPOs are applied and are working fine on Windows 10/11 Professional since 2022/10 Patchday. All documentation is stating that AppLocker GPOs are only applied/supported on Enterprise / Education SKU and not Professional. Did the Professional SKU become a supported AppLocker GPO configuration or is this some kind of bug that will be fixed in a later release of Win 10/11?

Solved | JanMi | Feb 15, 2023 | Brass Contributor | 1.8K Views | 0 likes | 1 Comment

Updating Web Media Extensions when Microsoft Store is not available

I have several computers that require version 1.0.40831.0 of Microsoft.WebMediaExtensions. There is a serious vulnerability that needs to be patched. Microsoft Store is not an option because I do not have time to touch 600+ computers; there is no automated way to check if Microsoft Store is updating computers properly (other than my vulnerability scans) and if I have to go to each computer that is not updating and do it manually with the user logged on then that is a problem. I need to do this silently and without interrupting people's work. I tried to figure this out using winget but the winget source does not support Web Media Extensions for some reason. What are my options? I've spent the better part of a day trying to figure this out reading many articles and forum posts. There should be a way to do this using PowerShell and I thought winget might be the answer but it's not, so how do I patch this?

Solved | StephenFeltmate | Feb 01, 2023 | Brass Contributor | 6.4K Views | 1 like | 4 Comments

WDAC Policies not applying!

Hello, Trying out WDAC for the first time. I have:

- Downloaded the WDAC Wizard
- Created a base "Windows Works" policy
- Created a supplemental policy that allows the 2 Program Files folders
- All of this in Audit Mode Only
- Created a custom profile in MEM and used 2 OMA-URIs, one for each policy, using the ApplicationControl CSP, as per the docs.
- Verified that these 2 policies appear on the workstation, looking in C:\Windows\System32\CodeIntegrity\CiPolicies\Active, where they appear.
- The MEM reports for the device show that the profile is applied correctly.

And yet, when I look at the CodeIntegrity event log, all the events I see refer to the default audit policy that comes with Windows. I see (Policy ID:{a244370e-44c9-4c06-b551-f6016e563076}) instead of *my* policy IDs, no matter what I do. I've rebooted a couple of times for good measure. I left the endpoint control profile setting for WDAC to "Not Configured", since Deploy WDAC policies using Mobile Device Management (MDM) (Windows) - Windows security | Microsoft Docs says the built-in policies use the AppLocker CSP and pre-1903 settings. (I did have it set to "Audit Only" previously though). Anyone have any idea what might be going on here? What am I missing? Thanks, J.F.

Solved | jfdoyon | Aug 31, 2022 | Copper Contributor | 4.6K Views | 0 likes | 1 Comment