Windows Defender
[SOLVED] Memory Integrity bounces back to "turned off" state after Windows restart - fast ring 19536
This is an old post and the issue is no longer relevant. This has been happening since a couple of builds ago as well. I turn on Memory Integrity in the Core isolation section of Windows Defender, then after a restart or two I check again and see it's turned off. It usually happens when I uninstall a program that needs a restart, but it also happens when I uninstall software that does not need a Windows restart to finish the uninstall process. https://aka.ms/AA6xajf
22K views, 3 likes, 22 comments

Get-MpComputerStatus returns no output
Hello, on a Server 2019 with Windows Defender installed, in the "Windows Security GUI" all is fine. Protection definitions are up to date, exclusions are set ... (managed with SCCM). But when I use Get-MpComputerStatus it returns no output (not even an error). Please help.
24K views, 2 likes, 18 comments

A false detection of Windows 10 Defender for my exe file suddenly occurred again
I have an .exe file that I created myself. I submitted it to the Microsoft Security Intelligence webpage and it was approved as a false detection a few months ago. Today, that false detection suddenly happened again and caused a lot of inconvenience to my users who use this file. So, what's the reason? Why did this detection happen again? And how can I report it and get it done forever?
885 views, 0 likes, 4 comments

Windows Defender tamper protection management in Microsoft Intune
This month we've released Windows Defender tamper protection management in Microsoft Intune! Tamper protection is a new setting available in the Windows Security app which adds additional protections against changes to key Windows Defender security features. Enabling this feature prevents others (including malicious apps) from changing/disabling important protection features such as:

- Real-time protection, which is the core antimalware scanning feature of Microsoft Defender ATP next gen protection and should rarely, if ever, be disabled
- Cloud-delivered protection, which uses our cloud-based detection and prevention services to block never-before-seen malware within seconds
- IOAV, which handles the detection of suspicious files from the Internet
- Behavior monitoring, which works with real-time protection to analyze and determine if active processes are behaving in a suspicious or malicious way and blocks them

The feature also prevents the deletion of security intelligence updates and the disabling of the entire antimalware solution.

Enterprise management of this feature via Intune requires an E5 license (such as those with a Microsoft Defender ATP license) and the device to be MDM enrolled into Intune. The feature is available on Windows 10 1903 Enterprise devices, and we're looking at backporting the feature to down-level Windows clients later this year.

Before you can enable the setting, you need to connect Microsoft Defender ATP to Intune. To do this, browse to https://securitycenter.windows.com and visit Settings > Advanced features. Turn the Microsoft Intune connection on and press Save.

Next, browse to the Microsoft Intune console. To enable Windows Defender tamper protection, create an Endpoint Protection policy in Intune and enable the Tamper protection feature. Assign this policy to a user or device group, and tamper protection will be enabled. To disable the feature, change the setting to Disabled and deploy the policy to the target devices.
Note: Not configured will not change the state of a previously deployed configuration. To disable tamper protection, you must deploy a Disabled policy state.

For more information on the Windows Defender tamper protection feature, visit https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection

Matt Shadbolt
Senior Program Manager, Microsoft Intune
15K views, 3 likes, 0 comments

New-AntiPhishPolicy Parameters Don't seem to work properly
I'm making a script to automate the process of setting up EOP for our customers. Everything works fine, except the part with the anti-phishing policy. When running the command New-AntiPhishPolicy with a variety of parameters (see Original command) I get the error "-ParameterX" is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again (for the full error see Error Example). When the parameters that cause the error are removed from the script I end up with only eight working parameters (see Working parameters). When I create the policy in the GUI all parameters I use below are available. I also tried different accounts: I first tried via delegated access, then I tried to run the same command with the global admin, but no luck either.

Security license used in the tenant: Defender for O365 (subscription 1)

Original command:

New-AntiPhishPolicy -Name $AntiPhishPolicyName -ImpersonationProtectionState automatic `
-EnableTargetedUserProtection $true `
-EnableMailboxIntelligenceProtection $true `
-EnableTargetedDomainsProtection $true `
-EnableOrganizationDomainsProtection $true `
-EnableMailboxIntelligence $true `
-EnableFirstContactSafetyTips $true
-EnableSimilarUsersSafetyTips $true `
-EnableSimilarDomainsSafetyTips $true `
-EnableUnusualCharactersSafetyTips $true `
-TargetedUserProtectionAction Quarantine `
-TargetedUserQuarantineTag $quarantinepolicy `
-MailboxIntelligenceProtectionAction Quarantine `
-MailboxIntelligenceQuarantineTag $quarantinepolicy `
-TargetedDomainProtectionAction Quarantine `
-TargetedDomainQuarantineTag $quarantinepolicy `
-AuthenticationFailAction Quarantine `
-SpoofQuarantineTag $quarantinepolicy `
-EnableSpoofIntelligence $true `
-EnableViaTag $true `
-EnableUnauthenticatedSender $true `
-EnableSuspiciousSafetyTip $true `
-PhishThresholdLevel 2 `
-MakeDefault `
-TargetedDomainsToProtect $Customerdomains
Working Parameters:

New-AntiPhishPolicy -Name $AntiPhishPolicyName `
-ImpersonationProtectionState automatic `
-EnableTargetedUserProtection $true `
-EnableMailboxIntelligenceProtection $true `
-EnableTargetedDomainsProtection $true `
-EnableOrganizationDomainsProtection $true `
-EnableMailboxIntelligence $true `
-EnableFirstContactSafetyTips $true

Error Example:

-EnableSimilarUsersSafetyTips : The term '-EnableSimilarUsersSafetyTips' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:9 char:2
+ -EnableSimilarUsersSafetyTips $true `
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (-EnableSimilarUsersSafetyTips:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

-EnableSpoofIntelligence : The term '-EnableSpoofIntelligence' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:20 char:2
+ -EnableSpoofIntelligence $true `
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (-EnableSpoofIntelligence:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
1.3K views, 0 likes, 1 comment

Start-MpScan -ScanType FullScan ignores ExclusionExtension preference
Potential workaround would be to allow the -ScanPath parameter to accept a String[] of drive letters when performing a CustomScan.

#EXAMPLE - Custom Windows Defender Scan on Multiple Drives with Exclusions
#Requires -RunAsAdministrator
Import-Module Defender
# ExclusionExtension takes an array of extensions; a single comma-separated string would be stored as one entry
Set-MpPreference -ExclusionExtension "iso", "mp3", "wav"
Start-MpScan -ScanType CustomScan -ScanPath "C:,D:"
Solved. 854 views, 0 likes, 1 comment

Get-MpPreference
I try the attached commands in PowerShell and I get no answer:

Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Actions

For example, this seems to be OK:

PS C:\WINDOWS\system32> (Get-Service windefend).Status
Running
1.6K views, 0 likes, 1 comment

You can now sync your favorites with Application Guard Window from Windows Defender
Microsoft Edge version 91.0.831.0 (Official build) canary (64-bit). You need to enable this newly added flag: edge://flags/#edge-wdag-favorites-sync and then, when you open a new Application Guard window, your favorites will be there. Learn more about Windows Defender Application Guard mode (WDAG) and its security features here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-windows-defender-application-guard
3.4K views, 1 like, 1 comment

PowerShell script is triggering the AD alert when executing on any local server, as user or computer
Hello All, I have a PowerShell script which generates the data from each local server. This script is tested and it's working fine, but the challenge is that it triggers the alert on the AD server as "user of computer logged on to this computer from the network", while the script is executing on any server, not on AD. Why this is happening I am not able to find out. Is it the AD level security configuration or hardening which is creating this problem? Where do I find the exact cause of this? Can anyone help me please. I am attaching the script here for reference.

############################ Script #####################
$Computer = $env:ComputerName
$OutputDir = "c:\temp\"
$Name = ($OutputDir + $Computer + "_LocalUser.csv")
Out-File -FilePath $Name
$OutputFile = $Name
# CSV header (semicolon separated)
Add-Content -Path $OutputFile -Value "ComputerName;OS;IP;UserID;FullName;SID;UserType;PasswordLastSet;Enabled;UserMayChangePassword;PasswordNeverExpires;InteractiveLogon;AccessDetails;LastLogOn;TimeZone"
$LocalUsers = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" | Select-Object -ExpandProperty Name
$localgroups = Get-WmiObject Win32_Group -Filter "LocalAccount=True" | Select-Object -ExpandProperty Name
$groupsOutput = $null
# First IPv4 address shown by ipconfig
$IP = $(((ipconfig | findstr [0-9].\.)[0]).Split()[-1])

if ($PSVersionTable.PSVersion.Major -gt 4) {
    # PowerShell 5+: use the LocalAccounts module
    foreach ($localuser in $LocalUsers) {
        $Name = $localuser
        $FullName = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty FullName
        $SID = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty SID
        $UserType = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty PrincipalSource
        $PasswordLastSet = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty PasswordLastSet
        $Enabled = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty Enabled
        $UserMayChangePassword = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty UserMayChangePassword
        $PasswordNeverExpires = (Get-LocalUser -Name $localuser | Select-Object -ExpandProperty PasswordExpires) -eq $null
        [Int]$i = 0
        $groupsOutput = ""
        # Local groups this user is a member of
        $groups = (Get-LocalGroup | Where-Object { (Get-LocalGroupMember $_).Name -eq "$Computer\$Name" }).Name
        foreach ($group in $groups) {
            $i++
            if ($i -le 1) {
                $groupsOutput = -join ("$groupsOutput", "$group")
            } else {
                $groupsOutput = -join ("$groupsOutput", " / ", "$group")
            }
        }
        $LastLogOn = Get-LocalUser -Name $localuser | Select-Object -ExpandProperty LastLogOn
        $TimeZone = [regex]::Matches([System.TimeZoneInfo]::Local.DisplayName, '(?<=\()(.*)(?=\))').Value
        Add-Content -Path $OutputFile -Value "$Computer;Windows;$IP;$Name;$FullName;$SID;$UserType;$PasswordLastSet;$Enabled;$UserMayChangePassword;$PasswordNeverExpires;;$groupsOutput;$LastLogOn;$TimeZone"
    }
} else {
    # PowerShell 4 and earlier: fall back to WMI/CIM and "net user"
    foreach ($localuser in $LocalUsers) {
        $user = Get-WmiObject -Query "SELECT * FROM Win32_UserAccount WHERE LocalAccount = 'True' and Name = ""$localuser"""
        $Name = $localuser
        $FullName = $user.FullName
        $SID = $user.SID
        $UserType = "Local"
        # "net user" pads its labels to 29 characters; the value starts after that
        $PasswordLastSet = $(net user $Name | findstr /B /C:"Password last set")
        $PasswordLastSet = $PasswordLastSet.Substring(29)
        $Enabled = -not $user.Disabled
        $UserMayChangePassword = -not $user.PasswordChangeable
        $PasswordNeverExpires = -not $user.PasswordExpires
        $groupList = Get-CimInstance -ClassName Win32_UserAccount -Filter "Name='$Name'" | Get-CimAssociatedInstance -Association Win32_GroupUser | Select-Object Name
        $groups = ""
        foreach ($group in $groupList.Name) {
            $groups += $group + ","
        }
        # TrimEnd instead of Substring so a user with no groups does not throw
        $groups = $groups.TrimEnd(",")
        $LastLogOn = $(net user $Name | findstr /B /C:"Last logon")
        $LastLogOn = $LastLogOn.Substring(29)
        $TimeZone = [regex]::Matches([System.TimeZoneInfo]::Local.DisplayName, '(?<=\()(.*)(?=\))').Value
        Add-Content -Path $OutputFile -Value "$Computer;Windows;$IP;$Name;$FullName;$SID;$UserType;$PasswordLastSet;$Enabled;$UserMayChangePassword;$PasswordNeverExpires;;$groups;$LastLogOn;$TimeZone"
    }
}
4.3K views, 0 likes, 12 comments