Microsoft April 2022 Patch Tuesday fixes 119 flaws, 2 zero-days

Today is Microsoft’s April 2022 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 119 flaws.

Microsoft has fixed 119 vulnerabilities (not including 26 Microsoft Edge vulnerabilities) with today’s update, with ten classified as Critical as they allow remote code execution.

The number of bugs in each vulnerability category is listed below:

  • 47 Elevation of Privilege Vulnerabilities
  • 0 Security Feature Bypass Vulnerabilities
  • 47 Remote Code Execution Vulnerabilities
  • 13 Information Disclosure Vulnerabilities
  • 9 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities
  • 26 Edge – Chromium Vulnerabilities

For information about the non-security Windows updates, you can read about today’s Windows 10 KB5012599 and KB5012591 updates and the Windows 11 KB5012592 update.

Two zero-days fixed, one actively exploited

This month’s Patch Tuesday includes fixes for two zero-day vulnerabilities, one publicly disclosed and the other actively exploited in attacks.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The actively exploited zero-day vulnerability fixed today is a bug discovered by security researcher Abdelhamid Naceri that Microsoft had previously tried to fix twice, each earlier patch having been bypassed.

  • CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability

The publicly disclosed zero-day is a privilege elevation bug discovered by CrowdStrike and the US National Security Agency (NSA).

  • CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Now that Microsoft has issued patches for these vulnerabilities, threat actors can be expected to analyze the fixes to learn how to exploit the underlying bugs.

Therefore, it is strongly advised to install today’s security updates as soon as possible.

Recent updates from other companies

Other vendors who released updates in April 2022 include:

The April 2022 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the April 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Tag | CVE ID | CVE Title | Severity
.NET Framework | CVE-2022-26832 | .NET Framework Denial of Service Vulnerability | Important
Active Directory Domain Services | CVE-2022-26814 | Windows DNS Server Remote Code Execution Vulnerability | Important
Active Directory Domain Services | CVE-2022-26817 | Windows DNS Server Remote Code Execution Vulnerability | Important
Azure SDK | CVE-2022-26907 | Azure SDK for .NET Information Disclosure Vulnerability | Important
Azure Site Recovery | CVE-2022-26898 | Azure Site Recovery Remote Code Execution Vulnerability | Important
Azure Site Recovery | CVE-2022-26897 | Azure Site Recovery Information Disclosure Vulnerability | Important
Azure Site Recovery | CVE-2022-26896 | Azure Site Recovery Information Disclosure Vulnerability | Important
LDAP – Lightweight Directory Access Protocol | CVE-2022-26831 | Windows LDAP Denial of Service Vulnerability | Important
LDAP – Lightweight Directory Access Protocol | CVE-2022-26919 | Windows LDAP Remote Code Execution Vulnerability | Critical
Microsoft Bluetooth Driver | CVE-2022-26828 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | Important
Microsoft Dynamics | CVE-2022-23259 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | Critical
Microsoft Edge (Chromium-based) | CVE-2022-26909 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Moderate
Microsoft Edge (Chromium-based) | CVE-2022-1139 | Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-26912 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Moderate
Microsoft Edge (Chromium-based) | CVE-2022-26908 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important
Microsoft Edge (Chromium-based) | CVE-2022-1146 | Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-26895 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important
Microsoft Edge (Chromium-based) | CVE-2022-26900 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important
Microsoft Edge (Chromium-based) | CVE-2022-26894 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important
Microsoft Edge (Chromium-based) | CVE-2022-1232 | Chromium: CVE-2022-1232 Type Confusion in V8 | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-26891 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important
Microsoft Edge (Chromium-based) | CVE-2022-1125 | Chromium: CVE-2022-1125 Use after free in Portals | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1136 | Chromium: CVE-2022-1136 Use after free in Tab Strip | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-24475 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important
Microsoft Edge (Chromium-based) | CVE-2022-1145 | Chromium: CVE-2022-1145 Use after free in Extensions | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1135 | Chromium: CVE-2022-1135 Use after free in Shopping Cart | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1138 | Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1143 | Chromium: CVE-2022-1143 Heap buffer overflow in WebUI | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-24523 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | Moderate
Microsoft Edge (Chromium-based) | CVE-2022-1137 | Chromium: CVE-2022-1137 Inappropriate implementation in Extensions | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1134 | Chromium: CVE-2022-1134 Type Confusion in V8 | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1127 | Chromium: CVE-2022-1127 Use after free in QR Code Generator | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1128 | Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1133 | Chromium: CVE-2022-1133 Use after free in WebRTC | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1130 | Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1129 | Chromium: CVE-2022-1129 Inappropriate implementation in Full Screen Mode | Unknown
Microsoft Edge (Chromium-based) | CVE-2022-1131 | Chromium: CVE-2022-1131 Use after free in Cast UI | Unknown
Microsoft Graphics Component | CVE-2022-26920 | Windows Graphics Component Information Disclosure Vulnerability | Important
Microsoft Graphics Component | CVE-2022-26903 | Windows Graphics Component Remote Code Execution Vulnerability | Important
Microsoft Local Security Authority Server (lsasrv) | CVE-2022-24493 | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | Important
Microsoft Office Excel | CVE-2022-24473 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office Excel | CVE-2022-26901 | Microsoft Excel Remote Code Execution Vulnerability | Important
Microsoft Office SharePoint | CVE-2022-24472 | Microsoft SharePoint Server Spoofing Vulnerability | Important
Microsoft Windows ALPC | CVE-2022-24482 | Windows ALPC Elevation of Privilege Vulnerability | Important
Microsoft Windows ALPC | CVE-2022-24540 | Windows ALPC Elevation of Privilege Vulnerability | Important
Microsoft Windows Codecs Library | CVE-2022-24532 | HEVC Video Extensions Remote Code Execution Vulnerability | Important
Microsoft Windows Media Foundation | CVE-2022-24495 | Windows Direct Show – Remote Code Execution Vulnerability | Important
Power BI | CVE-2022-23292 | Microsoft Power BI Spoofing Vulnerability | Important
Role: DNS Server | CVE-2022-26815 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26816 | Windows DNS Server Information Disclosure Vulnerability | Important
Role: DNS Server | CVE-2022-24536 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26824 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26823 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26822 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26829 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26826 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26825 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26821 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26820 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26813 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26818 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26819 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26811 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: DNS Server | CVE-2022-26812 | Windows DNS Server Remote Code Execution Vulnerability | Important
Role: Windows Hyper-V | CVE-2022-22008 | Windows Hyper-V Remote Code Execution Vulnerability | Critical
Role: Windows Hyper-V | CVE-2022-24490 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | Important
Role: Windows Hyper-V | CVE-2022-24539 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | Important
Role: Windows Hyper-V | CVE-2022-26785 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | Important
Role: Windows Hyper-V | CVE-2022-26783 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | Important
Role: Windows Hyper-V | CVE-2022-24537 | Windows Hyper-V Remote Code Execution Vulnerability | Critical
Role: Windows Hyper-V | CVE-2022-23268 | Windows Hyper-V Denial of Service Vulnerability | Important
Role: Windows Hyper-V | CVE-2022-23257 | Windows Hyper-V Remote Code Execution Vulnerability | Critical
Role: Windows Hyper-V | CVE-2022-22009 | Windows Hyper-V Remote Code Execution Vulnerability | Important
Skype for Business | CVE-2022-26911 | Skype for Business Information Disclosure Vulnerability | Important
Skype for Business | CVE-2022-26910 | Skype for Business and Lync Spoofing Vulnerability | Important
Visual Studio | CVE-2022-24767 | GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account | Important
Visual Studio | CVE-2022-24765 | GitHub: Uncontrolled search for the Git directory in Git for Windows | Important
Visual Studio | CVE-2022-24513 | Visual Studio Elevation of Privilege Vulnerability | Important
Visual Studio Code | CVE-2022-26921 | Visual Studio Code Elevation of Privilege Vulnerability | Important
Windows Ancillary Function Driver for WinSock | CVE-2022-24494 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important
Windows App Store | CVE-2022-24488 | Windows Desktop Bridge Elevation of Privilege Vulnerability | Important
Windows AppX Package Manager | CVE-2022-24549 | Windows AppX Package Manager Elevation of Privilege Vulnerability | Important
Windows Cluster Client Failover | CVE-2022-24489 | Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | Important
Windows Cluster Shared Volume (CSV) | CVE-2022-24538 | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | Important
Windows Cluster Shared Volume (CSV) | CVE-2022-26784 | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | Important
Windows Cluster Shared Volume (CSV) | CVE-2022-24484 | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | Important
Windows Common Log File System Driver | CVE-2022-24521 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important
Windows Common Log File System Driver | CVE-2022-24481 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important
Windows Defender | CVE-2022-24548 | Microsoft Defender Denial of Service Vulnerability | Important
Windows DWM Core Library | CVE-2022-24546 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important
Windows Endpoint Configuration Manager | CVE-2022-24527 | Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability | Important
Windows Fax Compose Form | CVE-2022-26917 | Windows Fax Compose Form Remote Code Execution Vulnerability | Important
Windows Fax Compose Form | CVE-2022-26916 | Windows Fax Compose Form Remote Code Execution Vulnerability | Important
Windows Fax Compose Form | CVE-2022-26918 | Windows Fax Compose Form Remote Code Execution Vulnerability | Important
Windows Feedback Hub | CVE-2022-24479 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | Important
Windows File Explorer | CVE-2022-26808 | Windows File Explorer Elevation of Privilege Vulnerability | Important
Windows File Server | CVE-2022-26827 | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | Important
Windows File Server | CVE-2022-26810 | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | Important
Windows Installer | CVE-2022-24499 | Windows Installer Elevation of Privilege Vulnerability | Important
Windows Installer | CVE-2022-24530 | Windows Installer Elevation of Privilege Vulnerability | Important
Windows iSCSI Target Service | CVE-2022-24498 | Windows iSCSI Target Service Information Disclosure Vulnerability | Important
Windows Kerberos | CVE-2022-24545 | Windows Kerberos Remote Code Execution Vulnerability | Important
Windows Kerberos | CVE-2022-24486 | Windows Kerberos Elevation of Privilege Vulnerability | Important
Windows Kerberos | CVE-2022-24544 | Windows Kerberos Elevation of Privilege Vulnerability | Important
Windows Kernel | CVE-2022-24483 | Windows Kernel Information Disclosure Vulnerability | Important
Windows Local Security Authority Subsystem Service | CVE-2022-24487 | Windows Local Security Authority (LSA) Remote Code Execution Vulnerability | Important
Windows Local Security Authority Subsystem Service | CVE-2022-24496 | Local Security Authority (LSA) Elevation of Privilege Vulnerability | Important
Windows Media | CVE-2022-24547 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important
Windows Network File System | CVE-2022-24491 | Windows Network File System Remote Code Execution Vulnerability | Critical
Windows Network File System | CVE-2022-24497 | Windows Network File System Remote Code Execution Vulnerability | Critical
Windows PowerShell | CVE-2022-26788 | PowerShell Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26789 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26787 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26786 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26796 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26790 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26803 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26802 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26794 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26795 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26797 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26798 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26791 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26801 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26793 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows Print Spooler Components | CVE-2022-26792 | Windows Print Spooler Elevation of Privilege Vulnerability | Important
Windows RDP | CVE-2022-24533 | Remote Desktop Protocol Remote Code Execution Vulnerability | Important
Windows Remote Procedure Call Runtime | CVE-2022-26809 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical
Windows Remote Procedure Call Runtime | CVE-2022-24528 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important
Windows Remote Procedure Call Runtime | CVE-2022-24492 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important
Windows schannel | CVE-2022-26915 | Windows Secure Channel Denial of Service Vulnerability | Important
Windows SMB | CVE-2022-24485 | Win32 File Enumeration Remote Code Execution Vulnerability | Important
Windows SMB | CVE-2022-26830 | DiskUsage.exe Remote Code Execution Vulnerability | Important
Windows SMB | CVE-2022-21983 | Win32 Stream Enumeration Remote Code Execution Vulnerability | Important
Windows SMB | CVE-2022-24541 | Windows Server Service Remote Code Execution Vulnerability | Critical
Windows SMB | CVE-2022-24500 | Windows SMB Remote Code Execution Vulnerability | Critical
Windows SMB | CVE-2022-24534 | Win32 Stream Enumeration Remote Code Execution Vulnerability | Important
Windows Telephony Server | CVE-2022-24550 | Windows Telephony Server Elevation of Privilege Vulnerability | Important
Windows Upgrade Assistant | CVE-2022-24543 | Windows Upgrade Assistant Remote Code Execution Vulnerability | Important
Windows User Profile Service | CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability | Important
Windows Win32K | CVE-2022-24474 | Windows Win32k Elevation of Privilege Vulnerability | Important
Windows Win32K | CVE-2022-26914 | Win32k Elevation of Privilege Vulnerability | Important
Windows Win32K | CVE-2022-24542 | Windows Win32k Elevation of Privilege Vulnerability | Important
Windows Work Folder Service | CVE-2022-26807 | Windows Work Folder Service Elevation of Privilege Vulnerability | Important
YARP reverse proxy | CVE-2022-26924 | YARP Denial of Service Vulnerability | Important

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2022-patch-tuesday-fixes-119-flaws-2-zero-days/

Microsoft: New malware uses Windows bug to hide scheduled tasks

Microsoft has discovered a new malware used by the Chinese-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks.

The Hafnium threat group has previously targeted US defense companies, think tanks, and researchers in cyberespionage attacks.

It is also one of the state-sponsored groups linked by Microsoft to last year’s global scale exploitation of the ProxyLogon zero-day flaws impacting all supported Microsoft Exchange versions.

Persistence via Windows registry value removal

“As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors,” the Microsoft Detection and Response Team (DART) said.

“Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates ‘hidden’ scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.”

This hacking tool, dubbed Tarrask, uses a previously unknown Windows bug to hide scheduled tasks from “schtasks /query” and the Task Scheduler by deleting the task’s associated Security Descriptor registry value.

The threat group used these “hidden” scheduled tasks to maintain access to the hacked devices even after reboots by re-establishing dropped connections to command-and-control (C2) infrastructure.

The Hafnium operators could have removed all on-disk artifacts, including all registry keys and the XML file added to the system folder, to erase every trace of their malicious activity, but doing so would also have removed their persistence across restarts.

Deleting Security Descriptor to hide a scheduled task (Microsoft)

How to defend against Tarrask attacks

The “hidden” tasks can only be found by closer manual inspection of the Windows Registry, looking for scheduled tasks whose Task key has no SD (security descriptor) value.

Admins can also enable the Security.evtx and the Microsoft-Windows-TaskScheduler/Operational.evtx logs to check for key events linked to tasks “hidden” using Tarrask malware.

Microsoft also recommends enabling logging for ‘TaskOperational’ within the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log and monitoring for outbound connections from critical Tier 0 and Tier 1 assets.
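
The registry check and the log settings described above, as an added example (this is not Microsoft’s or BleepingComputer’s code). It walks the Task Scheduler cache under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, flags every task key that has no SD value, and cross-checks each task against what the Task Scheduler API reports, so a task that exists in the registry but is missing from Get-ScheduledTask is also surfaced. The function names are assumptions chosen for this example; the registry paths and event IDs are the real ones. Run it from an elevated session.

```powershell
# Added example, not code from the article or from Microsoft: find scheduled
# tasks whose Tree key lacks the SD (security descriptor) value, the artifact
# the article describes Tarrask leaving behind, and enable the Operational
# log Microsoft recommends. Requires an elevated PowerShell session.

$TreePath  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$TasksPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Find-TaskWithoutSecurityDescriptor {
    # Task paths the Task Scheduler service is willing to report. A task that
    # exists in the registry cache but is absent here is hidden from
    # "schtasks /query" and the Task Scheduler MMC.
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $visible[$_.TaskPath + $_.TaskName] = $true
    }

    Get-ChildItem -Path $TreePath -Recurse | ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath

        # Folder keys under Tree are skipped: only a real task has a matching
        # definition key under TaskCache\Tasks\{Id}.
        $idProp = $props.PSObject.Properties['Id']
        if (-not $idProp) { return }
        $id = [string]$idProp.Value
        if (-not (Test-Path (Join-Path $TasksPath $id))) { return }

        # Relative task path in the form Get-ScheduledTask uses,
        # e.g. \Microsoft\Windows\Example\Task.
        $taskPath = $key.Name.Substring($key.Name.IndexOf('\Tree\') + 5)
        $hasSD    = $null -ne $props.PSObject.Properties['SD']

        [pscustomobject]@{
            TaskPath     = $taskPath
            HasSD        = $hasSD
            VisibleToAPI = [bool]$visible[$taskPath]
            TaskId       = $id
        }
    } | Where-Object { -not $_.HasSD -or -not $_.VisibleToAPI }
}

function Enable-TaskSchedulerOperationalLog {
    # The Operational channel the article recommends is disabled by default.
    wevtutil.exe sl 'Microsoft-Windows-TaskScheduler/Operational' /e:true
}

function Get-RecentTaskRegistrationEvents {
    param([int]$MaxEvents = 50)
    # Operational channel: 106 = task registered, 140 = task updated,
    # 141 = task deleted. Task creation also lands in Security as event 4698.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-TaskScheduler/Operational'
        Id      = 106, 140, 141
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: list anything suspicious, then turn the Operational log on so
# future registrations and deletions are recorded.
Find-TaskWithoutSecurityDescriptor | Format-Table -AutoSize
Enable-TaskSchedulerOperationalLog
Get-RecentTaskRegistrationEvents | Format-Table -AutoSize
```

A hit from this script is a lead, not a verdict: compare the task’s definition key under TaskCache\Tasks and its XML under C:\Windows\System32\Tasks with a known-good host before acting on it.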

“The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure,” DART added.

“We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”

Source :
https://www.bleepingcomputer.com/news/security/microsoft-new-malware-uses-windows-bug-to-hide-scheduled-tasks/

Microsoft: Windows Server now supports automatic .NET updates

Microsoft says Windows admins can now opt into automatic updates for .NET Framework and .NET Core via Microsoft Update (MU) on Windows Server systems.

The new option has started rolling out today, and once you opt in, it adds .NET Core 3.1, .NET 5.0, and .NET 6.0 to the Automatic Updates channel as a third option alongside Windows Server Update Services (WSUS) and the Microsoft Update Catalog.

“We’re excited to announce that starting April 2022, we will be making monthly updates for modern .NET (.NET Core) available for server operating systems via Microsoft Update (MU) on an opt-in basis,” explained Jamshed Damkewala, a .NET Principal Engineering Manager at Microsoft.

“If you do not want to have your servers updated automatically for you no action is required. There is no change for client operating systems which will continue to receive updates via Automatic Updates, WSUS, and MU Catalog as earlier.”

This new option has been added for customers asking for a way to install .NET updates without using a deployment tool, just as on Windows client platforms.

Making it an opt-in change will allow admins to choose their preferred method of keeping server operating systems up to date, depending on their deployment approach.

How to enable .NET automatic updates

You can opt in to .NET automatic updates on Windows Server by setting the registry keys listed in the table below (manually or with the help of Group Policy as detailed here).

.NET Version | Registry Key | Name | Value
ALL | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NET] | “AllowAUOnServerOS” | dword:00000001
.NET 6.0 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NET\6.0] | “AllowAUOnServerOS” | dword:00000001
.NET 5.0 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NET\5.0] | “AllowAUOnServerOS” | dword:00000001
.NET 3.1 | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NET\3.1] | “AllowAUOnServerOS” | dword:00000001
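
The same opt-in done from PowerShell, as an added example that is not code from the article or from Microsoft. It creates the AllowAUOnServerOS value under the keys in the table and then reads every key back so the result can be verified. The function names are assumptions chosen for this example; the key path and value name are the ones the table lists. Run it from an elevated session on the server.

```powershell
# Added example, not code from the article or from Microsoft: opt a Windows
# Server host into automatic .NET updates through Microsoft Update by
# creating the AllowAUOnServerOS values from the article's table, then
# read them back. Requires an elevated PowerShell session.

$DotNetKey = 'HKLM:\SOFTWARE\Microsoft\.NET'

# '' stands for the version-independent ALL key; the rest are the
# per-version keys from the table.
$Versions = @('', '6.0', '5.0', '3.1')

function Get-DotNetAUKeyPath([string]$Version) {
    if ($Version) { Join-Path $DotNetKey $Version } else { $DotNetKey }
}

function Enable-DotNetAutoUpdate {
    # Pass -Version '6.0' (for instance) to opt in a single version only.
    param([string[]]$Version = $Versions)
    foreach ($v in $Version) {
        $path = Get-DotNetAUKeyPath $v
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # REG_DWORD 1 is the dword:00000001 from the table.
        New-ItemProperty -Path $path -Name 'AllowAUOnServerOS' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-DotNetAutoUpdateState {
    foreach ($v in $Versions) {
        $path  = Get-DotNetAUKeyPath $v
        $value = (Get-ItemProperty -Path $path -Name 'AllowAUOnServerOS' `
                    -ErrorAction SilentlyContinue).AllowAUOnServerOS
        [pscustomobject]@{
            Version = if ($v) { ".NET $v" } else { 'ALL' }
            Key     = $path
            OptedIn = ($value -eq 1)
        }
    }
}

# Opt in everything the article covers, then show the resulting state.
Enable-DotNetAutoUpdate
Get-DotNetAutoUpdateState | Format-Table -AutoSize
```

Because the change is per machine, the readback function is the part worth keeping in a fleet health check: it reports OptedIn = False for any host where the key is missing or was later reverted.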

“We’re excited to start delivering updates for modern .NET to server operating systems via Microsoft Update on an opt-in basis and look forward to your feedback on this experience,” Damkewala added.

In December 2020, following customer requests, Microsoft first started delivering .NET and .NET Core updates on Windows via Microsoft Update (via WSUS and MU Catalog for server OS and Automatic Updates for client OS).

In early April 2022, the company reminded customers that multiple .NET Framework versions (i.e., 4.5.2, 4.6, and 4.6.1) signed using the insecure Secure Hash Algorithm 1 (SHA-1) will reach their end of life at the end of the month.

Redmond is also planning to roll out in July 2022 a new Windows Autopatch service that will automatically keep Windows and Office software up to date for Microsoft customers with a Windows 10/11 Enterprise E3 or above license.

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-server-now-supports-automatic-net-updates/

Fix the ‘This PC can’t run Windows 11’ Error: How to enable TPM and Secure Boot

Tried to upgrade your PC to Windows 11, but ran into the dreaded ‘This PC can’t run Windows 11’ error message? Don’t give up: it could be because your system doesn’t have two security settings turned on, Secure Boot and TPM 2.0.

Trend Micro Windows 11 Upgrade Helper checks eight aspects of your computer, and perhaps most crucially, which TPM version it is running. Windows 11 requires TPM 2.0, so if your PC is not currently running, or is not capable of running, TPM 2.0, Windows 11 Upgrade Helper will let you know.

What are TPM and Secure Boot?

Trusted Platform Module (TPM) is a technology designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant. Malicious software isn’t able to tamper with the security functions of the TPM, either.

Secure Boot is a feature from the latest Unified Extensible Firmware Interface (UEFI). It offers another layer of protection against potential malware infections. It can detect when boot loaders or key operating system files are being tampered with by malware and actively block them before they can infect the system. Both TPM and Secure Boot offer unique ways of strengthening the protection of Windows 11.

Is my device capable of TPM 2.0 and Secure Boot?

To check if your device has Secure Boot, you can follow these steps:
1. In the Windows search box, type “System Information” and open the System Information app.

2. Select System Summary, and in the panel on the right side, look for “Secure Boot State”.

3. The value indicates the status of Secure Boot. “On” means it is turned on, “Off” means it is disabled, and “Unsupported” means your hardware does not support Secure Boot.

To check if your device has TPM, follow the steps below:

1. In the Windows search box, type “tpm.msc” and click Open.

2. Under Status, if you see “The TPM is ready for use”, you know that the TPM is present and available. If you see the message “Compatible TPM cannot be found”, it means that either your computer cannot find the TPM or that it has been disabled in the BIOS or UEFI.

You can also check if your device is using TPM 2.0 through Device Manager. Here’s how to do so:

1. Right-click on the Windows Start menu icon located in the lower left of your screen, then select Device Manager.

2. Select Security Devices from the list and it will show you what TPM chip you have. If it says Trusted Platform Module 2.0, you are good to go.
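
The three checks above (System Information for Secure Boot, tpm.msc for TPM readiness, Device Manager for the TPM version) can be run as one script. This is an added example, not part of the Trend Micro article; the function names are assumptions chosen for it, while Confirm-SecureBootUEFI, Get-Tpm and the Win32_Tpm WMI class are the real Windows interfaces. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the Trend Micro article: scripted counterpart of
# the System Information, tpm.msc and Device Manager checks. Requires an
# elevated PowerShell session; all three interfaces need administrator rights.

function Get-SecureBootState {
    # Same three states the article reads off System Information.
    try {
        if (Confirm-SecureBootUEFI) { 'On' } else { 'Off' }
    } catch {
        # The cmdlet throws on legacy BIOS firmware or when the platform
        # does not support Secure Boot at all.
        'Unsupported'
    }
}

function Get-TpmState {
    $present = $false; $ready = $false; $spec = $null
    try {
        $tpm     = Get-Tpm
        $present = [bool]$tpm.TpmPresent
        $ready   = [bool]$tpm.TpmReady     # tpm.msc: "The TPM is ready for use"
    } catch { }
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the
    # specification version Device Manager shows (Trusted Platform Module 2.0).
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
               -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if ($wmi -and $wmi.SpecVersion) { $spec = ($wmi.SpecVersion -split ',')[0].Trim() }
    [pscustomobject]@{
        Present     = $present
        Ready       = $ready
        SpecVersion = $spec
        IsTpm20     = ($spec -eq '2.0')
    }
}

function Test-Windows11SecurityPrereqs {
    $sb  = Get-SecureBootState
    $tpm = Get-TpmState
    [pscustomobject]@{
        SecureBoot     = $sb
        TpmPresent     = $tpm.Present
        TpmReady       = $tpm.Ready
        TpmSpecVersion = $tpm.SpecVersion
        # The two settings the article says the upgrade check wants to see.
        ReadyForWin11  = ($sb -eq 'On') -and $tpm.Ready -and $tpm.IsTpm20
    }
}

Test-Windows11SecurityPrereqs | Format-List
```

A result of SecureBoot = Off with TpmPresent = False usually means both features exist but are switched off in firmware, which is the case the next section walks through; SecureBoot = Unsupported points at legacy BIOS boot mode rather than a missing chip.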

How to enable TPM and Secure Boot

To enable TPM and Secure Boot, you need to restart your computer to access the BIOS settings. After restarting, at the boot screen, press your computer’s BIOS access key. The most common BIOS access keys are DEL and F2. Here’s a reference for popular PC and motherboard brands and their BIOS access keys:

In the example below, we show you how to enable TPM on an ASUS TUF Gaming Z490-PLUS [WI-FI] motherboard, but the instructions will almost certainly differ depending on which brand of PC or motherboard you have.

1. At the UEFI BIOS Utility screen, press F7 to access Advanced Mode.

2. Click the “Advanced” tab and select “PCH-FW Configuration”.

3. Alongside “TPM Device Selection”, select “Enable Firmware TPM”.

To enable Secure Boot, in the “Boot” tab, follow the steps below:

1. Select “Secure Boot”.

2. Select “OS Type” and beside it, select “Windows UEFI Mode”.

3. Go to the “Exit” tab to save the changes and restart the computer. TPM and Secure Boot will be enabled after the restart.

What can I do if I don’t have a TPM chip?

Your device may have a TPM chip, but you need to update your BIOS to have access to it. Please contact your PC or motherboard manufacturer to learn more about how to enable TPM on your device.

You could also buy a TPM module online, but you must know which TPM module is compatible with your motherboard. You also need to install the module onto the motherboard, which might not be an easy task — especially if you don’t have any experience in working with motherboards. If you would like to go down this route, we advise that you contact a technician or take it to a local PC repair shop.

Alternatively, you could upgrade to a new computer.

What’s the most convenient way to check if I can upgrade to Windows 11?

There are tools that can help you assess whether your computer is ready for Windows 11. One of those tools is Trend Micro Windows 11 Upgrade Helper.

Trend Micro Windows 11 Upgrade Helper can check if your computer meets all the requirements for Windows 11. You can talk to Premium Support Service if you need assistance in making your computer Windows 11 ready, too.

Source :
https://news.trendmicro.com/2021/10/04/fix-the-this-pc-cant-run-windows-11-error-how-to-enable-tpm-and-secure-boot/

How to Remove Bing on Chrome, Firefox, and Edge

Users have been complaining that the search engine, Bing, loads as the default instead of Google. Annoying, but don’t fret! We’ve put together a simple guide on how to get rid of Bing and restore your preferred search engine.

On Google Chrome

1. Open Google Chrome and click the 3-dots menu.
2. Select More Tools, then choose Extensions.

3. Remove any Bing Extensions you see.
4. Go back to the Menu, then select Settings.

5. Look for Search Engine and click it.

6. On the right side, choose your preferred Search Engine (Google, Yahoo, DuckDuckGo or Ecosia).
7. Restart Google Chrome. If it still uses Bing as your search engine, we suggest resetting or reinstalling Chrome.

On Mozilla Firefox

1. Open Mozilla Firefox and click the hamburger menu (3 horizontal lines).
2. Select Add-ons and themes.

3. Choose Extensions on the left side, then remove any Bing extensions you see.

4. Go back to the Menu, then select Settings.
5. On the left side, click Search and look for the Default Search Engine section on the right side.

6. Choose your preferred Search Engine (Google, Amazon.com, DuckDuckGo or Wikipedia).
7. Restart Firefox. If it still uses Bing as your search engine, we suggest resetting or reinstalling Firefox.

On Microsoft Edge

1. Open Microsoft Edge.
2. Click the 3-dots menu on the upper right corner, then select Settings.

3. Select View Advanced Settings and click the Change search engine button.

4. Choose your preferred Search Engine then click the Set as default button.

We hope this short guide has helped you get things back to normal! If you’ve found it a useful article, please do SHARE with friends and family.

Source :
https://news.trendmicro.com/2021/11/17/how-to-remove-bing-on-chrome-firefox-and-edge/

Top 10 Most Used Search Engines & Tips for Browsing

In the modern world, searching for information is simple. There’s no need to go from one library to another, flipping through numerous pages, or checking the table of contents before you get to what you’re looking for. Simply typing words on the internet will give you limitless results — all you need to do is narrow them down.

What is a Search Engine?

If you need to find something, like a website or page that contains your needed information, you’ll need to go and visit a search engine page to query keywords.

A search engine is a program or application that checks, hunts, and searches the web for sites based on keywords. It uses these keywords and returns pages that are connected to what you have typed.

Search engines use web crawlers or web spiders to catalog the World Wide Web. These crawling bots are used for indexing contents. They will scan, check, assess and inspect site pages and their information across the web.

Notable Search Engines and Their Brief Histories

Archie — During the 1990s, the very first search engine arrived, named Archie. Its purpose was to search FTP sites to create indexes of files that are downloadable.

Veronica and Jughead — Created around 1992/93, they both searched file names and titles in Gopher index systems.

Infoseek — In 1994, Webmasters would submit and provide a page in real-time with this program.

Yahoo Search — Also created in 1994, it created a collection of favorable web pages with description of each website.

Looksmart, Excite and AltaVista — These search engines were created in 1995 and tried to compete with Yahoo.

Backrub — Created around 1996, Google’s initial project, Backrub, was a search engine that utilized backlinks for searches. It ranked pages depending on citations from other sites.

Ask Jeeves — Started in 1996, this search engine used human editors that tried to match search queries.

Google — Officially launched in 1998.

MSN Search — Relied on three different search engines: Looksmart, Overture and Inktomi.

Snap — A somewhat complex search engine, released in 2005, that shows search volumes, revenues and advertisers.

Bing — Rebranded name for MSN/Live Search.

Schema.Org — In 2011, Microsoft, Google and Yahoo collaborated to create Schema.org to create structured internet data.

Top 10 Most Used Search Engines

The following list contains the top ten from across the world:

1. Google: “Just google it” is a ubiquitous expression nowadays. Google is the most popular across all search engines — even more than all others combined. According to statistics, around 78% of desktops and laptops use Google.

2. Yahoo: In the past, Yahoo had competed with Google. But as the years went on, Yahoo users had declined significantly. Now it is mostly used as a backup search engine in case the dominant one is down.

3. Bing: Microsoft Bing (or just Bing) is owned by Microsoft. Its origin came from MSN Search and Windows Live Search. This search engine is proud of its ‘decision’ engine which provides suggestions on the sides.

4. AOL Search: Known before as American Online Search. This search engine is used mostly by older people accustomed to AOL.

5. Duck Duck Go: Some say that Duck Duck Go is for and by Hipsters. But the main reason users choose this search engine is that it does not track search history and avoids spammy websites.

6. Baidu: This search engine is the 3rd largest out there. Baidu dominates the Chinese market and is the first choice in China. This engine has a sophisticated online censorship system since there’s many restrictions in its operating region.

7. Yandex: If Baidu has China as its market, then Yandex has the Russian market.

8. Ask: Its origin is the older “Ask Jeeves”. Since it could not compete with Google, it’s now powered by Google — if you can’t beat ‘em, join ‘em!

9. Naver: South Korea is another huge tech and communications market with its own search engine, Naver.

10. Seznam: The search engine popular in the Czech Republic and Central Europe.

And some honorable mentions:

  • Ecosia — Donates surplus income to organizations that plant trees.
  • Dogpile — Shows results from the top 3 search engines (Google, Bing and Baidu).
  • Gigablast — An open-source search engine.
  • Qwant — A popular, EU-based search engine.

Tips For Using Search Engines

Search engines are brilliant tools to immediately get the information we want. However, since search engines generally do not have much security capability, you should invest in a security product to provide safe and efficient browsing.

1. Install the Maximum Security tool bar to prevent you from visiting malicious websites.

You can install the Trend Micro Maximum Security toolbar service, which warns you of security risks relevant to the websites you visit.

When you search online, it monitors and rates websites in search engines such as Google, Bing, Baidu, and Yahoo. The Trend Micro Toolbar provides Page Ratings that show if the page is safe, suspicious, dangerous, trusted or untested.

  • A Mac User? No problem. Trend Micro Antivirus for Mac has the same toolbar feature to protect your online activity.

2. Install AdBlock One to stop annoying ads.

In addition, be sure to also use AdBlock One for Safari. This app stops annoying online ads from bothering you and helps load web pages faster — a significant boost in securing and improving your digital life.

Without AdBlock One / With AdBlock One (comparison images)

If you’ve found this article an interesting and/or useful read, please do SHARE with family and friends.

Source :
https://news.trendmicro.com/2021/11/25/top-10-most-used-search-engines-tips-for-browsing/

Urgent Update Released for Zero-Day Chrome & Edge Vulnerability

Updates for both Google Chrome and Microsoft Edge have been released which address the critical CVE-2022-1096 zero-day exploit. If you use either of these web browsers, you should install the update immediately.

What we know so far

The high severity vulnerability — referred to as CVE-2022-1096 — stems from a newly-discovered “type confusion” issue with V8, Google’s open-source JavaScript engine that powers both Google Chrome and Microsoft Edge. The vulnerability, which affects Windows, Mac, and Linux, could allow hackers to hijack people’s web browsers and embed malicious code.

Although it didn’t elaborate, in a short blog post addressing the issue, Google stated that a known exploit currently exists in the wild, although it is not clear how many people have already been affected or how damaging this exploit is.

The vulnerability also affects Microsoft’s Chromium-based web browser Edge in the same way.

What you need to do

You can stay protected from this vulnerability by ensuring your web browser is updated to the latest version. For Google Chrome, this is version 99.0.4844.84 and for Microsoft Edge, it is version 99.0.1150.55.

To check if you have the latest version installed, within one of the web browsers, click the three vertical dots in the top right-hand corner > Settings > About Chrome/About Microsoft Edge. If you don’t already have the latest version installed, you will be presented with the option to download and install it.
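For administrators who would rather check a fleet than click through each browser's About page, the following Python script is an added example (not from the original article) that compares installed Chrome and Edge versions against the patched versions quoted above. The inventory lines are constructed for the example; in practice they would come from your software inventory tool. The point it illustrates is that versions must be compared numerically, field by field: a plain string comparison would rank a future "100.x" build below "99.0.4844.84".

```python
"""Check installed Chrome/Edge builds against the patched versions for
CVE-2022-1096. Added example; the minimum versions are those quoted in the
article above, the inventory lines are constructed sample data."""
from __future__ import annotations

# Minimum patched versions, as given in the article above.
MIN_PATCHED = {
    "chrome": "99.0.4844.84",
    "edge": "99.0.1150.55",
}


def parse_version(s: str) -> tuple[int, ...]:
    """Turn '99.0.4844.84' into (99, 0, 4844, 84) so comparison is numeric.
    Comparing the raw strings would wrongly rank '100.0.0.0' below
    '99.0.4844.84' because '1' sorts before '9'."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {s!r}")
    return tuple(int(p) for p in parts)


def is_patched(browser: str, installed: str) -> bool:
    """True if `installed` is at or above the patched version for `browser`."""
    key = browser.lower()
    if key not in MIN_PATCHED:
        raise KeyError(f"no patched version recorded for {browser!r}")
    return parse_version(installed) >= parse_version(MIN_PATCHED[key])


# Constructed inventory: hostname,browser,version (one device per line).
SAMPLE_INVENTORY = """\
ws-01,chrome,99.0.4844.84
ws-02,chrome,99.0.4844.74
ws-03,edge,100.0.1185.29
ws-04,edge,99.0.1150.46
ws-05,chrome,98.0.4758.102
"""


def hosts_needing_update(inventory_csv: str) -> list[str]:
    """Return the hostnames whose browser is below the patched version."""
    out: list[str] = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, browser, version = (f.strip() for f in line.split(","))
        if not is_patched(browser, version):
            out.append(host)
    return out


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Only the exact patched builds are known from the article; any later build (such as the constructed "100.0.1185.29" line) is treated as fixed, which is the usual assumption for a minimum-version check.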

How to help the online community

Due to Google remaining tight-lipped about the severity of the known exploit, the level of harm it could cause to potential victims is as yet unclear. To limit the fallout, we all need to do our part in spreading the word — especially when considering how easy it is to install the latest update and guarantee protection. If you found this article helpful and you would like to see that others are protected, please consider sharing this post.

Source :
https://news.trendmicro.com/2022/03/30/urgent-update-chrome-edge-zero-day/

What’s New in System Center 2022?

Launched in “early preview” in November 2021 the next version of System Center is going to be released in the first quarter of 2022.

In this article, we’ll look at what’s new in each of the main components, Virtual Machine Manager, Operations Manager and Data Protection Manager and make some predictions around the finished product.

Virtual Machine Manager 2022

If you have a medium to large deployment of Hyper-V clusters, VMM is a must for management. Somewhat equivalent to vCenter in the VMware world this is the server product that lets you manage templates for VMs, including templates with multiple VMs (called a service) and other artefacts as well as automated deployments. VMM also manages your Software Defined Networking (SDN) stack and your backend storage (SANs and S2D). Notably, it also manages VMware virtualization hosts and clusters and can also integrate with Azure for light VM management.

SC Virtual Machine Manager 2022 Installation


There are a few new features in this version but the running theme throughout System Center 2022 (unless there’s a surprise reveal at GA) is that this is mostly about finishing little details and ensuring compatibility with current platforms. VMM 2022 runs on Windows Server 2022 and can manage Windows Server 2022 hosts.

On the networking side, the SDN stack gets support for dual-stack IPv4 and IPv6. You’ll need to be using the SDN v2 stack but that’s been where any new features have appeared since System Center 2016. In case you’re not familiar, up to System Center 2012R2 / Windows Server 2012R2 Microsoft built their own network virtualization stack and protocol but in 2016 they offered VXLAN from VMware as an alternative. They also switched to an Azure-inspired architecture where there’s a set of Network Controller VMs running on your cluster, managing all the virtualized networks. There are also Software Load Balancer VMs managing incoming network traffic, plus a Gateway providing connectivity from a virtualized network to the wider world. The dual-stack support covers all of these components, including site-to-site VPN (IPsec, GRE tunnel and L3 tunnels), so if your datacenter is adopting IPv6, VMM is all ready to go. Note that you’ll need to provide both IPv4 and IPv6 address pools when setting this up.

VMM Logical Network with IPv4 and IPv6 subnets


The other big-ticket item is support for Azure Stack HCI (version 20H2 and 21H2) and Windows Server 2022. Note that VMM 2019 Update Release 3 (UR3) does provide support for Azure Stack HCI 20H2. If you missed our Windows Server 2022 webinar and haven’t heard of Azure Stack HCI realize that it’s got very little to do with Azure. This is a special version of Windows Server and Hyper-V that you cluster on top of Storage Spaces Direct (S2D) which you can then manage from Azure. The benefit of Azure Stack HCI is that all the latest features in Windows Server (and Hyper-V) are released for it (unlike “normal” Windows Server) and the downside is that you pay a subscription fee per core, per month, for it.

You can add existing Azure Stack HCI clusters, and you can also create new ones from within VMM. You can manage the entire VM lifecycle, set up VLAN based networks, deploy/manage the SDN controller and manage storage, creation of virtual disks and cluster shared volumes (CSVs) and application of storage QoS. There are new PowerShell cmdlets to handle Azure Stack HCI (Register-SCAzStackHCI).

Note that disaggregated Azure Stack HCI clusters (for Scale Out File Server, SOFS) aren’t supported, nor is Live Migration from an Azure Stack HCI cluster to a Windows Server cluster (although quick migration should work).

I installed the “early preview” on a Windows Server 2022 VM, and it works as advertised, with no visual differences from VMM 2019.

Operations Manager

Apart from VMM, I think SCOM is probably the strongest part of System Center. This venerable product keeps an eye on everything in your virtualized datacenter. Using Dell/HP/Lenovo servers? Just install the free management pack and you’ll get hardware monitoring, down to individual fans in your servers. The same goes for your networking and storage gear. Properly configured, SCOM provides visibility into your entire datacenter stack, from physical hardware to user-facing application code.

There are two new RBAC roles: Read-only Administrator which does what it says on the tin, including reporting. The Delegated Administrator profile doesn’t include report viewing but you can customize exactly what it should be able to do by adding one or more of:

  • Agent management
  • Account management
  • Connector Management
  • Global settings
  • Management pack authoring
  • Notification management
  • Operator permissions
  • Reporting permissions

If you have disabled NTLM in your organization, SCOM 2016/2019 reporting services are impacted; 2022 has a new authentication type (Windows Negotiate) that fixes this issue.

An interesting twist is the ability to choose the alert closure behavior. In 2019 you can’t close an alert while the underlying monitor is unhealthy; now you can choose to be able to close the alert and reset the monitor health, which lets you bulk-close alerts. This brings back the behavior from earlier versions of SCOM. Alternatively, you can choose to stay with the 2019 behavior.

There are improvements to the upgrade process where registry key settings and custom install location of the Monitoring Agent is maintained when going from SCOM 2019 to 2022.

Alerts can now be sent to Teams channels, instead of Skype for Business.

SCOM can also monitor Azure Stack HCI deployments, using a new MP, which is actually a grouping of current Management Packs (BaseOS, Cluster, Hyper-V, SDN and Storage).

There are also some other minor fixes such as running the SCOM database on SQL Always On (no post-configuration changes required), SHA256 encryption for certificates for the Linux agent, the FQDN source of alerts now being shown when tuning Management Packs, and the ability to view the alert source for active alerts. Newer Linux distros such as Ubuntu 20, Debian 10 and Oracle Linux 8 are also now supported for monitoring.

The dependency on the LocalSystem account on Management Servers has been removed and just like the other System Center components, SCOM 2022 runs on Windows Server 2022.

Data Protection Manager

Apart from running on Windows Server 2022, there are a few improvements in DPM. The main one (depending on your restore scenarios) is the removal of the requirement for file catalogue metadata for individual file and folder restores; DPM instead uses an iSCSI-based approach, which improves backup and restore times.

If you’re using DPM to protect VMware vCenter you can now restore VMs in parallel. The default is up to 8 VMs simultaneously, but you can raise that limit with a simple registry change. Speaking of vCenter, VMware 7.0, 6.7 and 6.5 are supported, and you can now separate the VDDK logs that relate to VMware operations from the rest of the DPM logs and store them in a user-defined file.

Another “big” improvement is the change of the maximum data storage for a DPM server from 120 TB to 300 TB. As before, it’s recommended to have tiered storage with a small amount of SSD cache and the rest hard-drive-based and use the ReFS file system.

Should you be Excited?

It seems that System Center Orchestrator will come in a 64-bit version, although the bits weren’t part of the Early Preview, nor was System Center Service Manager 2022.

Overall, for me there’s nothing that we’ve covered in this article that’s a “must-have” to entice me to upgrade but if I’m upgrading to Windows Server 2022 anyway, or considering Azure Stack HCI, it’s a natural step.

I often express it like this – System Center is on life support. Microsoft isn’t looking to gain more market share against other datacenter management suites, they’re simply keeping System Center up to date and able to manage the latest OSs so that if you’re already a customer – you have a comfortable upgrade path. All System Center products also incorporate various levels of Azure/Microsoft 365 integration to tick the box of being “hybrid” and helping enterprises in their journey to the cloud.

Source :
https://www.altaro.com/hyper-v/system-center-2022/

Deep Dive on Microsoft 365 Defender

The best way to protect a business of any size today against cyber risks is with an integrated suite of tools. Microsoft 365 Defender is one such service that we’ll look at in this article.

For many years the conventional wisdom, especially in larger organizations, was to buy best-of-breed solutions for each area. So, you ended up with the “best” (defining the “best” solution is hard, and changes quite quickly) email hygiene solution, the best anti-malware solution, the best firewall etc. And because none of them natively integrated with each other, and manual integration is hard and time-consuming, you ended up with multiple consoles and multiple data silos where low-fidelity signals were ignored, while they could actually have told you about a breach in progress if you’d been able to correlate those individual low-severity signals between each of the systems. One way to solve this issue is via Security Orchestration, Automation and Response (SOAR) solutions that act as “glue” between each product. Another is to buy an already integrated suite of tools such as Microsoft 365 Defender. The promise is eXtended Detection and Response (XDR), which is an extension of Endpoint Detection and Response (EDR) to indicate that not only endpoints but all systems are included in the protection and response.

Microsoft 365 Defender Main Dashboard


Name changes

In late 2020, Microsoft changed the names of nearly all of their security products so if you’re used to hearing about Advanced Threat Protection (ATP) or Microsoft Threat Protection (MTP), those have all been replaced. There’s now Microsoft 365 Defender which is the umbrella term for the Defenders in M365, as well as a unified console. There’s also Microsoft Defender for Identity (formerly Azure ATP), Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection), Defender for Endpoint (formerly Microsoft Windows Defender, then Microsoft Defender).

These products all tie into Microsoft 365 Defender (M365D) and are commonly abbreviated MDI, MDO and MDE. Microsoft’s Cloud App Security Broker (CASB) was renamed to Defender for Cloud Apps (MDCA?) at the Ignite conference in November 2021, it was previously known as Cloud App Security (MCAS). This makes a whole lot of sense as it’s part of the Defender family and can feed logs into the unified console.

Whilst not strictly a security product, and not bearing the Defender moniker, Azure Active Directory (AAD) and its security features also tie strongly into Microsoft 365 Defender.

There’s also Azure Defender for your IaaS and PaaS workloads in Azure, which also changed its name at Ignite in November 2021 to Microsoft Defender for Cloud. Also, separate from all of these security products but eminently capable of working with all of them is Azure Sentinel – a cloud-based Security Information and Event Management (SIEM).

Meet the Defenders

We have deep-dive articles on MDI, MDO and MDE here in the M365 Dojo but understanding what each of them does is crucial to understanding how Microsoft 365 Defender ties them all together.

MDI is a cloud-based service that monitors your on-premises Active Directory for specific indicators of compromised identities and attacker operations. Anytime an attacker gains a foothold in your organization, one of their first goals is to move laterally and elevate privileges, preferably reaching Domain Dominance. This last stage, where your entire on-premises identity infrastructure is completely under the criminal’s control, takes on average 48 hours. MDI relies on agents on your Domain Controllers (DCs) or, if your security team can’t stomach that, a member server that receives forwarded event log data from each DC and catches network traffic using port mirroring. MDI will catch attacker activity during five phases: Reconnaissance, Compromised credentials, Lateral movement, Domain dominance and Exfiltration. Because MDI is laser-focused on AD (and AD Federation Services, ADFS, after the SolarWinds attacks), it produces high-fidelity alerts with very specific data to catch and contain miscreants on your network. Examples of attacks detected include Account enumeration reconnaissance, AS-REP Roasting, Identity theft (pass-the-hash), Skeleton Key attack and Data exfiltration over SMB, and many, many others.


MDO is all about providing advanced protection for your Office Online workloads. After incoming emails and attachments have been scanned by Exchange Online Protection (EOP), which includes three AV engines to provide a base level of protection, any attachment that has never been seen before is opened in a VM and automatically inspected for malicious behaviour to catch zero-day attacks. MDO also looks at every URL in emails to see if they lead to compromised sites. It also provides time-of-click scanning, as attackers will frequently compromise a benign website, send out their emails with links that won’t raise flags as they’re delivered (since the site isn’t displaying malicious indications at this point), then activate the malicious payload on the website. By checking the link at the time it is actually clicked, MDO provides stronger protection for your end-users. MDO comes in two flavours: plan 1 covers the above features, whereas plan 2 adds Threat Trackers (intelligence on current attacks in the wild), Threat Explorer (also known as Explorer, shows you recent threats in your tenant), Automated Investigation and Response (AIR) and Attack simulation training (to train your users to recognize dangerous phishing emails).

MDE on the other hand is a full-fledged EDR and anti-malware solution for your endpoints, including Windows, MacOS, Android, iOS and Linux. On Windows there’s no agent to deploy, it’s simply a matter of activating the bits already in the OS through onboarding, either with a script or Configuration Manager, Intune, or Group Policy at scale. Apart from local and cloud-based Machine Learning (ML) models to identify new threats, MDE also offers AIR and a complete Threat and Vulnerability Management (TVM) solution.

Threat and Vulnerability Management dashboard

TVM inventories all software installed on your endpoints (Windows 8.1, 10 (1709+), 11 and Windows Server 2008R2+, MacOS and Linux) and compares against known software vulnerabilities. Using signals such as the risk of the vulnerability being exploited, the number of devices in your organization where it’s installed and the usage of the application it’ll give you a prioritized list of programs to upgrade. As this is often a task for the endpoint/desktop team rather than the security team, there’s built-in functionality to create a task in Intune with links to the relevant upgrades etc.

Until recently there was only one version of MDE, but in August 2021 Microsoft announced a new version called Plan 1, while the full-featured version became Plan 2. Plan 1 is in preview and brings Next-generation protection (anti-malware/virus), Attack surface reduction, Manual response actions, Centralized management, Security reports and API access. Plan 2 adds Device discovery, TVM as above, AIR, Advanced hunting, full EDR and Microsoft Threat Experts (MTE). This last one is a managed SOC service by Microsoft which gives you two services, targeted attack notifications where analysts have identified an ongoing attack in your environment and access to experts on-demand to help your SOC if you need them.

At the Ignite 2021 conference, these two siblings (Plan 1 & Plan 2) were joined by a cousin, Microsoft Defender for Business which will (it’s “coming to preview soon”) protect your Windows, macOS, iOS, and Android endpoints for up to 300 users in a business. Unlike Plan 1, it comes with TVM, and AIR and full EDR so the only things that are missing are Linux support, MTE and advanced hunting. It’ll be available as part of Microsoft 365 Business Premium or as a standalone license at $3 per user per month. It’ll also integrate with Microsoft 365 Lighthouse.

A common misunderstanding is the difference between MDE and the built-in security features that every Windows 10 user can take advantage of: Microsoft Defender Security Center and Microsoft Defender Antivirus. These basic protection features are used by MDE, but it adds many advanced features on top, as outlined above.

There are good alternatives to Microsoft’s services, if you’re looking for email hygiene, archiving / journaling, zero-day protection and email continuity even if Exchange Online is unavailable, plus optional backup, 365 Total Protection is excellent.

Microsoft 365 Defender

MDE used to have its own portal, separate from other security products (securitycenter.windows.com) and while it’s still there it comes with a banner strongly suggesting redirecting users to the main M365 Defender portal (security.microsoft.com). MDI’s previous portal is completely retired and its functionality was moved into the Defender for Cloud Apps portal quite some time ago and MDO is already housed in the M365 Defender portal. The work to integrate MDI into the main Microsoft 365 Defender portal is extensive and is likely to take some time. There’s more to the integration than just a single portal, although that’s a good start.

If you are using MCAS, you can integrate its telemetry into Microsoft 365 Defender.

First, there’s a unified alerts queue, so you’re not looking in one place for an email threat that might have snuck past your mail filtering, and in another place for endpoints where that same email attachment might have been opened, it’s all in the same place. The same goes for the unified user page, a user account is an object in MDI (AD) but also an entity in MDO (has a mailbox, OneDrive for Business storage etc.) and of course an object in MDE on whatever devices they’re logged in to.

The unified investigation page is my favourite, the ability to see details of automated actions (AIR) along with options to further investigate myself is very powerful, especially as it spans all the different Defenders. By popular demand, there’s also an email entity page that lets you investigate suspicious emails, including previewing them if they’re stored in an Exchange online mailbox.

Email entity page


There are two ways of controlling access to M365 Defender data using RBAC, either using built-in Azure AD roles or if you want to control access very granularly in a large environment, using Custom role access.

You don’t need to have all the different Defenders enabled to take advantage of M365 Defender, as soon as you enable one workload it works, as you add more services, more of the portal will light up.

Do you like to Hunt?

The coolest benefit of the integration however is the ability to do advanced hunting across all the data flowing into Microsoft 365 Defender. This is a sign of a mature security organization where it’s not all about dealing with alerts and incidents raised by the security systems but where there’s also time for an analyst to say, “I wonder if that attack against a company similar to us last week could have hit us too – let me grab the Indicators of Compromise (IOCs) and look through our logs”. All Microsoft security products rely on Kusto Query Language (KQL) with a similar syntax to SQL for searching through large amounts of security log data and the ability to look in one query over email data (MDO), identity data (MDI), endpoint processes and actions (MDE) as well as third party cloud service logs (MCAS) is incredibly powerful.

There’s a new Advanced Hunting UI, recently released, which offers tabs for each query you’re working with and feedback on the performance of each query run.

Here I’m looking to see if any suspicious PowerShell activity was launched within 30 minutes of a known malicious email being received in the last 7 days.

Advanced Hunting in Microsoft 365 Defender


If you find events of interest during hunting, you can now use them to create an incident or add them as alerts to an existing incident. You can also bring in external data into hunting queries from lists of IP addresses, accounts etc.
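To make the hunt described above concrete, here is an added example in Python that is not the article's own query and not a Microsoft product sample. It runs the same correlation logic offline over constructed events: for every email flagged with a threat type in the last 7 days, it looks for a PowerShell launch by the recipient within 30 minutes of delivery. In the portal the equivalent KQL would join the EmailEvents and DeviceProcessEvents tables; the dataclass field names below are assumptions chosen to mirror that idea, and all timestamps and accounts are constructed.

```python
"""Correlate malicious-email delivery with PowerShell launches by the same
user within 30 minutes. Added example; events are constructed and the field
names are assumptions modelled on the EmailEvents / DeviceProcessEvents hunt
described in the article."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)      # process must start within 30 min of delivery
LOOKBACK = timedelta(days=7)        # only emails from the last 7 days
SUSPICIOUS_PROCESSES = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class EmailEvent:
    timestamp: datetime
    recipient: str        # assumed field, akin to RecipientEmailAddress
    threat_types: str     # assumed field, akin to ThreatTypes ("" if clean)
    subject: str


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: datetime
    account_upn: str      # assumed field, akin to AccountUpn
    device: str
    file_name: str
    command_line: str


def correlate(emails, procs, now, window=WINDOW, lookback=LOOKBACK):
    """Return (email, process) pairs where a flagged email reached a user and
    that user started PowerShell within `window` after delivery."""
    start = now - lookback
    flagged = [e for e in emails if e.threat_types and e.timestamp >= start]

    # Index candidate process launches by user so the join is linear, not quadratic.
    by_user: dict[str, list[ProcessEvent]] = {}
    for p in procs:
        if p.file_name.lower() in SUSPICIOUS_PROCESSES:
            by_user.setdefault(p.account_upn.lower(), []).append(p)

    hits = []
    for e in flagged:
        for p in by_user.get(e.recipient.lower(), []):
            if e.timestamp <= p.timestamp <= e.timestamp + window:
                hits.append((e, p))
    return hits


# Constructed sample data. NOW anchors the 7-day lookback.
NOW = datetime(2022, 4, 12, 12, 0)
SAMPLE_EMAILS = [
    EmailEvent(datetime(2022, 4, 12, 9, 0), "alice@contoso.example", "Malware", "Invoice"),
    EmailEvent(datetime(2022, 4, 12, 9, 5), "bob@contoso.example", "", "Lunch plans"),
    EmailEvent(datetime(2022, 4, 1, 8, 0), "carol@contoso.example", "Phish", "Old phish"),
]
SAMPLE_PROCS = [
    # 12 minutes after Alice's flagged email: should match
    ProcessEvent(datetime(2022, 4, 12, 9, 12), "alice@contoso.example", "ws-01",
                 "powershell.exe", "powershell.exe -NoProfile"),
    # 50 minutes after: outside the window
    ProcessEvent(datetime(2022, 4, 12, 9, 50), "alice@contoso.example", "ws-01",
                 "powershell.exe", "powershell.exe -NoProfile"),
    # Bob's email was clean: no match
    ProcessEvent(datetime(2022, 4, 12, 9, 10), "bob@contoso.example", "ws-02",
                 "powershell.exe", "powershell.exe"),
    # Not a PowerShell launch
    ProcessEvent(datetime(2022, 4, 12, 9, 10), "alice@contoso.example", "ws-01",
                 "notepad.exe", "notepad.exe"),
    # Carol's event is older than the 7-day lookback
    ProcessEvent(datetime(2022, 4, 1, 8, 10), "carol@contoso.example", "ws-03",
                 "pwsh.exe", "pwsh.exe"),
]


if __name__ == "__main__":
    for email, proc in correlate(SAMPLE_EMAILS, SAMPLE_PROCS, NOW):
        print(f"{email.recipient}: '{email.subject}' at {email.timestamp:%H:%M}, "
              f"then {proc.file_name} on {proc.device} at {proc.timestamp:%H:%M}")
```

The three guards in the sample data (window, clean email, lookback) are the same filters the portal query needs, and each one matters for keeping the result list short enough for an analyst to act on.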

Microsoft 365 Defender also offers a Secure Score across identities, devices and apps, giving you an overview of where you have strong controls in place and areas where you can improve your tenant’s overall security posture.

Microsoft 365 Defender Secure Score


There’s also a unified view of Alerts and Incidents, actions taken by AIR and reports for endpoints, emails, identity, and overall security.

Alternative Solutions

While Microsoft 365 Defender is a comprehensive security solution it’s not the only game in town. There are many other providers that offer various solutions for email hygiene that integrate neatly with Exchange Online and provide features Microsoft doesn’t. There are also services for email continuity (when Exchange Online is down), encryption of sensitive data, long term archiving of emails for compliance, signature services, backup of Office 365 data and many other EDR and XDR solutions on the market. One reason for choosing a different provider is the perceived conflict of interest when Microsoft is both providing the collaboration platform and the security services on top. Another reason could be to pick a best of breed solution for a particular threat – just make sure the integration to the rest of the security stack you need is available.

Conclusion

The power of an integrated suite that looks for malicious activity across email, identity and endpoints cannot be underestimated. There are a few things to keep in mind, however: Microsoft 365 Defender is focused on Microsoft 365 (it’s in the name) but most organizations have many other platforms and services to secure and monitor which is where a SIEM like Azure Sentinel comes into play. It can ingest data from Microsoft 365 Defender and many other Microsoft services, along with 100+ third-party data sources for a true single view of your digital estate. There’s also bi-directional synchronization between them so if you close an incident in Microsoft 365 Defender, it closes in Azure Sentinel and vice versa. Log retention is only 30 days in Microsoft 365 Defender whereas Azure Sentinel gives you 90 days for free, with several different options for storing security log data for longer.

Secondly, most features in the Defender family require Microsoft 365 E5 licensing (or M365 E3 plus add-ons), which isn’t cheap, especially in medium to large organizations. There’s definitely a conversation to be had about the role of Microsoft providing the platforms and then charging extra on top for the advanced security features, rather than just ensuring that the platform itself has the required security in place. An alternative is a trusted third-party solution such as Hornetsecurity’s 365 Total Protection, which is also considerably more cost-effective.

Source :
https://www.altaro.com/microsoft-365/deep-dive-m365-defender/

OneDrive for Business: Tips and Tricks for High-Performing Admins

This article focuses on administration and management exclusively for OneDrive for Business. We will cover advice and best practices from my extensive experience working with the service, ideal for system admins and those actively working with it on a daily basis.

What is Microsoft OneDrive?

Microsoft has two different, but similar services called OneDrive, both of which offer cloud file storage for users. A free version of OneDrive is available to everyone and is often called the “consumer” version. The business version is “OneDrive for Business” and requires a subscription to Microsoft 365 or Office 365. Both look a lot alike but are managed very differently. To add to the mix, Microsoft often refers to OneDrive for Business as simply “OneDrive” in their documentation and even in the UI.
Note: I may refer to OneDrive instead of OneDrive for Business from time to time in this article for the sake of brevity, but I always mean OneDrive for Business unless otherwise stated.

OneDrive for Business has company-wide administration in mind. A service administrator can control the deployment of the synchronization app, network performance, and many other settings. With OneDrive (consumer), there is no management framework. The individual using the service controls their settings.

Where Should Users Save Files?

OneDrive for Business makes it very easy to share files with others, but if you find yourself sharing lots of files, it is recommended to use Teams or SharePoint instead. Teams and SharePoint are simply better for collaboration. For example, with OneDrive, you can’t check-in and check-out a document. Also, in Teams, any document you upload to Teams is available to the entire Team by default, whereas documents you upload to OneDrive are private by default. Also, in Teams, a conversation about a document is shared in a Teams channel rather than via email. The general guidance is if you are working on a file without others involved use OneDrive for Business. If you need others involved, use a more collaborative service – Teams or SharePoint.

OneDrive for Business Uses SharePoint Online as Its Service

As the service administrator, one of the most important concepts to master is that OneDrive for Business is a special-purpose SharePoint document library created automatically for every user in your company. When a user is assigned an Office 365 or Microsoft 365 license, the service automatically provisions a personal OneDrive for Business document library (a personal site) for that user.

The URL for OneDrive for Business is formatted as follows, where <user-id> is the user’s sign-in name (UPN) with the “@” and “.” characters replaced by underscores, so jane.doe@contoso.com becomes jane_doe_contoso_com:

https://<company base name>-my.sharepoint.com/personal/<user-id>

OneDrive For Business SharePoint Library

The landing page (shown above) for OneDrive for Business shows “My Files” which are your files. You can also navigate from here to any SharePoint asset, including SharePoint Document Libraries, files hosted for Teams, or other SharePoint content.

Now that you know OneDrive for Business is using SharePoint under the hood, the following guidance makes sense:

To manage the OneDrive sharing settings for your organization, use the Sharing page of the new SharePoint admin center, instead of the Sharing page in the OneDrive admin center. It lets you manage all the settings and latest features in one place.

In this way, settings related to file sharing on SharePoint are aligned with those for OneDrive for Business (and Teams, which also uses SharePoint as a file store). OneDrive picks up many features from SharePoint, such as Files Restore, restoring a previous version of a file, and synchronizing files to your desktop.

Easy Anonymous Access

One main reason OneDrive for Business is well-liked is that it’s so easy to share a document with anyone. You can send someone a URL to a document and relax. It just works, and you won’t hear the dreaded “I can’t open the document” (which is all too common and a huge productivity sink).

The screenshot below exemplifies my point. What’s being shown is the side-by-side sharing experience in Teams vs. OneDrive. Take note! There is no Share option in Teams. You can copy the link to the file, but you must know whether the user you send it to has rights to view the document in the Teams library. In OneDrive for Business, however, there is a Share option that allows you to send a URL to anyone. This is called Anonymous Access (an “Anyone” link) and is one of the primary reasons users share from OneDrive rather than Teams. The flip side is that an Anyone link requires no sign-in: whoever holds the URL, including anyone it is forwarded to, can open the file, so these links deserve the expiry and default-permission controls covered later in this article.

OneDrive For Business, Microsoft Teams

Also, in OneDrive, if you click on Anyone with the link can edit, you can further refine the Sharing options.

OneDrive For Business Sharing Options

As a side note, users frustrated by Teams’ lack of sharing controls can easily open a document or folder in SharePoint instead of Teams (as shown below). In SharePoint, you can share the file with anyone just like in OneDrive. There’s no need to copy a file in Teams to OneDrive to share anonymously. Just open it in SharePoint instead!

SharePoint Document Sharing

Controlling Default Permissions

Many businesses prefer to control who can open company documents. You can change the default settings in the OneDrive administration center, but let’s follow Microsoft’s advice to use SharePoint administration instead.

OneDrive SharePoint Admin Center

There are separate controls for External Sharing for SharePoint and OneDrive, ranging from Only people in your Organization to Anyone. However, what a static snapshot does not reveal is that the OneDrive settings cannot be more permissive than SharePoint. If you lower the permission on SharePoint, the permission also lowers on OneDrive. OneDrive can be more restrictive than SharePoint but never less restrictive. Since SharePoint hosts OneDrive files, this makes sense.

These settings are company-wide. Let users know before you make changes to global settings that cause changes in expected behavior. You WILL hear from them, and it generally won’t be a happy face emoji.

When guest users are needed, as they frequently are, consider securing the environment with the guidance provided by Microsoft in the documentation page titled Create a secure guest sharing environment.

Savvy admins can control sharing using options available when you click on More external sharing settings on the same screen shown above:

OneDrive SharePoint External Sharing Settings

The option Limit external sharing by domain lets you allow or deny sharing to a particular domain. This can be a great way to go when you want to constrain sharing to a specific set of partners or external resources.

Allow only users in specific security groups to share externally lets you control who can share files with people outside your organization. A security group is an Azure AD object that is generally a collection of users and other groups. After populating the security group with users, you can assign permissions and policies to the group, such as granting the group access to a SharePoint site or a mailbox, or requiring members of the group to use multi-factor authentication.

Consider the following scenario. Marketing is involved with a lot of external sharing, so we want to enable sharing for members of Marketing but deny everyone else, AND we don’t want to have to make adjustments every time someone moves into or out of marketing.

To illustrate how this can be achieved with security groups, I created a security group in Azure AD named Marketing-Org and added four users. As employees come and go, members of marketing are added to and removed from this group. (If you haven’t created security groups in Azure AD, it’s straightforward.)

Next, (shown below) I created another security group called External-Sharing.

Azure AD External Sharing

Security groups can have other security groups as members! By adding Marketing-Org to External-Sharing, the users in Marketing-Org automatically inherit the permissions and policies assigned to External-Sharing.

After that, I assigned the sharing permissions to the External-Sharing group. Returning to the SharePoint admin center: Policies->Sharing->More external sharing settings->Allow only users in specific security groups to share externally. Then, by clicking on Manage Security Groups (shown below), I added the External-Sharing group and set them so they can share with Anyone. To limit the ability of everyone else, I added the built-in security group Everyone except external users and set them to share with Authenticated guests only.

SharePoint Admin Center Manage Security Groups

In this way, everyone in the company can only share with authenticated guests, whereas only the members of External-Sharing can share with anyone.

The screenshot below shows the result. The user on the left is not a member of the External-Sharing group (the Anyone option is grey and cannot be selected). However, the user on the right can.

OneDrive For Business External Sharing

Once configured, effective administrators can manage membership of the security groups using PowerShell with the Add-AzureADGroupMember and associated cmdlets.
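The group structure described above can be built and verified from PowerShell rather than by hand. The following is an added example for this article, not code from the original author or from Microsoft: it creates the Marketing-Org and External-Sharing groups if they are missing, nests one in the other, and then walks the nesting to list the users who effectively inherit the external-sharing permission. The tenant name “contoso” and the user principal names are constructed placeholders; the assignment of the sharing level to External-Sharing is still done in the SharePoint admin center as shown in the screenshots.

```powershell
# Added example (not from the original article): build the nested
# Marketing-Org -> External-Sharing group structure with the AzureAD module,
# then verify who actually inherits the sharing permission through the nesting.
# Assumptions: tenant "contoso" and the UPNs below are constructed placeholders;
# the AzureAD module is installed and the caller can manage groups.
Connect-AzureAD | Out-Null

function Get-OrCreateSecurityGroup {
    param([Parameter(Mandatory)][string]$Name)
    $g = Get-AzureADGroup -Filter "DisplayName eq '$Name'" | Select-Object -First 1
    if (-not $g) {
        $g = New-AzureADGroup -DisplayName $Name -MailEnabled $false `
             -SecurityEnabled $true -MailNickName ($Name -replace '[^A-Za-z0-9]', '')
    }
    return $g
}

$marketing = Get-OrCreateSecurityGroup -Name 'Marketing-Org'
$external  = Get-OrCreateSecurityGroup -Name 'External-Sharing'

# Populate Marketing-Org; this is the only group anyone needs to maintain day to day.
$marketingUsers = 'alice@contoso.com', 'bob@contoso.com'   # constructed sample UPNs
foreach ($upn in $marketingUsers) {
    $u = Get-AzureADUser -ObjectId $upn
    $already = Get-AzureADGroupMember -ObjectId $marketing.ObjectId -All $true |
               Where-Object ObjectId -eq $u.ObjectId
    if (-not $already) {
        Add-AzureADGroupMember -ObjectId $marketing.ObjectId -RefObjectId $u.ObjectId
    }
}

# Nest Marketing-Org inside External-Sharing (a group as a member of a group).
$nested = Get-AzureADGroupMember -ObjectId $external.ObjectId -All $true |
          Where-Object ObjectId -eq $marketing.ObjectId
if (-not $nested) {
    Add-AzureADGroupMember -ObjectId $external.ObjectId -RefObjectId $marketing.ObjectId
}

# Check: list the users who effectively hold the permission, walking nested groups
# and skipping anything already visited so circular nesting cannot loop forever.
function Get-EffectiveUserMembers {
    param([Parameter(Mandatory)][string]$GroupId, [hashtable]$Seen = @{})
    foreach ($m in Get-AzureADGroupMember -ObjectId $GroupId -All $true) {
        if ($Seen.ContainsKey($m.ObjectId)) { continue }
        $Seen[$m.ObjectId] = $true
        if ($m.ObjectType -eq 'Group') {
            Get-EffectiveUserMembers -GroupId $m.ObjectId -Seen $Seen
        } elseif ($m.ObjectType -eq 'User') {
            $m
        }
    }
}

Get-EffectiveUserMembers -GroupId $external.ObjectId |
    Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize
```

Run the last function periodically, or after any group change, and compare its output with what you expect; a user who appears here but should not be able to share with Anyone is the kind of drift that nested groups make easy to miss.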

Storage space per user

Most Microsoft 365 and Office 365 plans come with 1TB of storage per user for OneDrive. If there are more than 5 users on a plan, 1TB can be increased by administrators to 5TB. You can even go to 25TB on a user-by-user basis by filing a support ticket with Microsoft.

To increase the storage limit for all users, browse to the OneDrive administration console, and select Storage. Change the setting from 1024 to the new limit. Shown below is updating the limit to 5TB. There are no additional charges for the increase in capacity.

OneDrive For Business Storage Limit

A global or SharePoint admin can change storage quotas with PowerShell. After you connect to SharePoint using the SharePoint Online Management Shell, run the following command:

Set-SPOSite -Identity <user’s OneDrive URL> -StorageQuota <quota>

You have to construct the OneDrive URL from the company name and user name, as mentioned earlier. Find the user name in the list of active users in the Office 365 or Microsoft 365 admin center.

For <quota>, enter a number in megabytes between 1024 (1 GB, the minimum) and 5242880 (5 TB). Values are rounded up. 1 TB is 1048576.

As of this writing, OneDrive allows files up to 100GB.
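Here is the quota procedure above carried through in the SharePoint Online Management Shell, as an added example that is not part of the original article: it raises the tenant-wide default, builds a user’s personal-site URL from the UPN instead of copying it by hand, rejects quota values outside the range the service accepts, and finishes with a usage report. The tenant name “contoso” and the UPN are constructed; the UPN-to-URL rule (non-alphanumeric characters replaced by underscores) is the standard SharePoint behaviour and is assumed here.

```powershell
# Added example (not from the original article): set the tenant default quota,
# set one user's quota from a URL built out of the UPN, and report usage.
# Assumptions: tenant "contoso" and the UPN are constructed placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$MinMB = 1024       # 1 GB, the smallest value the service accepts
$MaxMB = 5242880    # 5 TB, the largest an admin can set without a support request

function Get-OneDriveUrl {
    param([Parameter(Mandatory)][string]$Tenant, [Parameter(Mandatory)][string]$Upn)
    # SharePoint derives the personal-site name by replacing every
    # non-alphanumeric character of the UPN with an underscore (assumed rule).
    $id = $Upn -replace '[^A-Za-z0-9]', '_'
    return "https://$Tenant-my.sharepoint.com/personal/$id"
}

function Set-OneDriveQuotaMB {
    param([Parameter(Mandatory)][string]$Url, [Parameter(Mandatory)][int]$QuotaMB)
    if ($QuotaMB -lt $MinMB -or $QuotaMB -gt $MaxMB) {
        throw "Quota $QuotaMB MB is outside $MinMB..$MaxMB; above 5 TB needs a Microsoft support request."
    }
    Set-SPOSite -Identity $Url -StorageQuota $QuotaMB
    return (Get-SPOSite -Identity $Url).StorageQuota   # read back what was applied
}

# Tenant-wide default for OneDrive personal sites: 5 TB expressed in MB.
Set-SPOTenant -OneDriveStorageQuota $MaxMB

# One user who needs the full 5 TB now rather than waiting for the default to apply.
$url = Get-OneDriveUrl -Tenant 'contoso' -Upn 'jane.doe@contoso.com'
Set-OneDriveQuotaMB -Url $url -QuotaMB 5242880

# Review: every provisioned OneDrive with quota and current usage, largest first.
Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Select-Object Owner, StorageQuota, StorageUsageCurrent, Url |
    Sort-Object StorageUsageCurrent -Descending | Format-Table -AutoSize
```

The range check matters because Set-SPOSite does not explain why an out-of-range value fails; keeping the limits in one place also documents where the 25 TB support-ticket path begins.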

Request Files

In some scenarios, you may want to collect files from others, rather than send files to others. OneDrive for Business makes this easy with the Request Files feature. With this feature, users can send an email asking others to upload content to a specific folder.

To set up a request files email, in the OneDrive UI, select a folder, click on the ellipses (…), and click Request files. You will see a window similar to the one shown below.

OneDrive For Business Request Files

After clicking Next, you will see the Send file request window:

OneDrive For Business Send File Request

The email sent by this form provides a URL for uploading content to the OneDrive for Business folder. Request files is a great way to collect and concentrate needed files into a single location for processing. That said, you need to make sure to enable uploads for the folder locations in the request.

Of course, a savvy administrator is thinking, “Hmm, does this provide a way for these users to upload content forever to this location?”

Shown below is the SharePoint admin center for Policies, Sharing.

SharePoint Admin Center Policies Sharing

With these settings, you can put some boundaries around the upload access granted by a Request files invitation. These settings apply to anonymous (Anyone) links sent from OneDrive and SharePoint as well. As a best practice, if you permit users to send links to Anyone, which is enabled by default, you should make those links expire. Otherwise, over a period of years, there can be hundreds or thousands of URLs that provide access to your content, making access control distressingly challenging or impossible without disabling anonymous access altogether.

Folders must be set to View, edit, and upload as shown above to allow users to upload files in response to a file request.
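The sharing boundaries discussed in this section and in Controlling Default Permissions can all be set from the SharePoint Online Management Shell, which is handy for scripting a baseline or checking that nobody has loosened it. The following is an added example for this article, not the author’s or Microsoft’s code: it sets the organization-wide and OneDrive sharing levels, a partner-domain allow list, expiry for Anyone links, and the link defaults that keep Request files working, then reads the tenant back and flags the case where OneDrive is set more permissively than SharePoint. The tenant name, the partner domains and the 30-day expiry are illustrative values, not recommendations from the article.

```powershell
# Added example (not from the original article): apply tenant-level sharing
# boundaries with the SharePoint Online Management Shell and read them back.
# Assumptions: tenant "contoso", partner domains and the 30-day expiry are
# constructed illustrative values.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Organization-wide level for SharePoint ("Anyone"); OneDrive can only be this or stricter.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing
Set-SPOTenant -OneDriveSharingCapability ExternalUserSharingOnly   # OneDrive: new and existing guests

# "Limit external sharing by domain": allow only the listed partner domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example fabrikam.example'

# Anyone links stop working after 30 days; this also bounds Request files upload links.
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30

# Anyone links for files are view-only; folders keep "View, edit, and upload"
# because Request files needs that to accept uploads.
Set-SPOTenant -FileAnonymousLinkType View -FolderAnonymousLinkType Edit

# New share links default to "People in your organization", not Anyone.
Set-SPOTenant -DefaultSharingLinkType Internal

# Verify: rank the levels and warn if OneDrive is set above SharePoint.
$t = Get-SPOTenant
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}
if ($rank[[string]$t.OneDriveSharingCapability] -gt $rank[[string]$t.SharingCapability]) {
    Write-Warning 'OneDrive sharing is set more permissively than SharePoint; the SharePoint level wins.'
}
$t | Select-Object SharingCapability, OneDriveSharingCapability, SharingDomainRestrictionMode,
     SharingAllowedDomainList, RequireAnonymousLinksExpireInDays, FileAnonymousLinkType,
     FolderAnonymousLinkType, DefaultSharingLinkType | Format-List
```

Keep the final Get-SPOTenant read-back in a scheduled job: the admin center lets any SharePoint admin change these values in a few clicks, and a diff against the expected baseline is the quickest way to notice.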

Synchronization

One of the main features of OneDrive for Business is the ability to synchronize files from a user’s PC or laptop with OneDrive. With the synch service running, users can work on files locally, and the changes are sent to the cloud. Also, well-known folder locations such as Documents can be synchronized, ensuring essential documents are both local and in the cloud. You can easily sync Teams File Repositories as well as SharePoint Document Libraries.

The synchronization service is part of Windows 10, so you do not generally need to download it individually. Users can install the service by clicking Start and typing OneDrive.

One Drive For Business App Windows 10
OneDrive For Business Sign In

Click on the OneDrive app to launch the setup. OneDrive is then accessible in the taskbar as the cloud icon (shown before logging in, below).

Alternatively, users can enable the client by logging into onedrive.microsoft.com and clicking Sync.

When installed, users can enjoy the integration of OneDrive with Windows File Explorer. A OneDrive location is visible in the File listing. The OneDrive file listing is unique as you can see if a file is in the cloud (cloud icon), local and in the cloud (checkmark), or synchronizing (arrows). Also, when you right-click on a file in the OneDrive folder, you can Share a file, View online, and check the version history.

OneDrive Windows File Explorer

Pay particular attention to the following icons. Shown below is a screenshot of one of the screens that appears during the installation of the OneDrive client.

OneDrive Client Installation

TAKE NOTE – Files On-Demand is enabled by default!

Imagine this scenario. You are working on an important project with several others. A Teams site is used for collaboration. You’re headed out for an important meeting with your clients, and a colleague posts several important files to Teams. You’ve installed the sync client, and you’re headed off to the airport, so you think “no worries, I’ve got them synced to my laptop, and I can view them in flight.” Aloft, you open your laptop and see there is a cloud icon next to files. Clicking on a file, it’s not accessible. What happened?

What happened is that Files On-Demand is enabled by default.

Files On-Demand marks content that appears in the cloud as cloud-only. A file added to a Teams File Repository will not automatically sync locally. It’s not available offline until you open the file, or set the file or folder to Always keep on this device. Optionally, you could also disable Files On-Demand, which we’ll get to in a minute.

For an important file or folder, right-click in Windows Explorer and select Always keep on this device. Users can also disable Files On-Demand in the OneDrive client by opening the client and clicking More->Settings->Settings, then clear the checkbox that reads Files On-Demand.

Microsoft OneDrive Files On-Demand

When you clear the checkbox, a pop-up message says that, indeed, the files will download to your PC instead of being cloud-only.

Microsoft OneDrive Disable Files On-Demand

Be advised that as the message above states, if your files in OneDrive for Business take up, say, 1TB, then that 1TB will be downloaded to your PC. Local storage needs to allow for this. Also, administrators need to consider the impact on bandwidth should you disable Files On-Demand for many users at the same time.

As an alternative, consider instructing users to mark the files and folders they want permanently available offline with Always keep on this device in Windows File Explorer, as previously discussed. Then you can keep Files On-Demand enabled to preserve bandwidth: only the designated files and folders will be permanently synced, those you open will be synced temporarily, and all others will reside in the cloud.

Using Policy

For small businesses, administrators can manage OneDrive for Business effectively with the OneDrive for Business administration console. Larger organizations will be interested in using policy. The policy system for Microsoft and Office 365 is considered the most efficient way to manage many settings including those for OneDrive for Business. Policy-based administration provides administrators control, scale, repeatability, and flexibility.

Policy automation can be a complicated topic and breaks into different scenarios depending on your network architecture and configuration. For those with on-premises Active Directory environments, you manage policy with Group Policy, using the OneDrive ADMX and ADML templates that ship with the sync client, or with a management tool such as Configuration Manager (SCCM).

If your environment is cloud-only (meaning you are not using domain controllers locally), Microsoft’s Intune service lets you deploy the OneDrive sync client to desktops using the Microsoft Endpoint Manager admin center.

Microsoft Endpoint Manager admin center.

You can also create and apply profiles to users that control OneDrive behavior. Shown below is a policy profile limiting the client upload rate to a percentage of available bandwidth. This is one of many possible settings for controlling OneDrive policies in Microsoft Endpoint Manager.

OneDrive policies in Microsoft Endpoint Manager

Previously, you saw how you can limit sharing with anonymous users to members of a specific security group. Similarly, you can apply different policy profiles to different security groups.

Microsoft EndPoint Manager Security Groups

In this way, you manage the behavior of OneDrive and many other aspects of your cloud service by membership in security groups. It’s easy to imagine uses for this practice with a group for New Hires, Legal-Review-Team, Alliance Partners, Vendors, or other typical roles with differing needs in a busy organization.

Network Impact

In regards to OneDrive, you want to be thoughtful about bandwidth consumption in your company, especially on the initial deployment of OneDrive for Business. More than one company has had issues with essential business services becoming sluggish when hundreds or even thousands of newly deployed OneDrive for Business sync clients start downloading content at the same time. Files On-Demand, as discussed earlier, helps significantly to reduce the initial bandwidth hit as files located in the cloud are not automatically downloaded to clients when enabled.

Known folder moves (discussed next) can also impact network performance by automatically uploading users’ local folders to the cloud when the client is deployed.

To help manage network impacts, the OneDrive sync client has bandwidth controls built in. For a small business, you may want to adjust these settings on each user’s system. Right-click on the OneDrive for Business sync client, then click Settings->Network to see the settings.

Microsoft OneDrive Sync Client

In a larger business, you can use policy to push the desired settings, including the ability to mark OneDrive network traffic with QoS settings.

Known Folder Move

Finally, a feature called Known Folder Move (KFM) is of keen interest to administrators, as it can help reduce support desk calls and ease users’ transitions to new computers when they are replaced or upgraded.

As you probably know, specific folders in Windows, such as Documents, Desktop, and Pictures, are special. These are “known folders”: Windows identifies each of them by a fixed identifier rather than by its path, which is what allows the folder to be redirected to OneDrive without applications noticing.

OneDrive includes a feature where known folder locations are synced to OneDrive for Business. When a user needs a file in one of these locations and their PC is not available, they can access it from any device, including a mobile device that has an internet connection. Also, when a user moves to a new PC or laptop, all the previous documents, images, and important files are online and can easily be synched back to the new device.

Known Folder Move can be enabled in the sync client by clicking on Settings->Backup->Manage backup.

Microsoft OneDrive Known Folder Moves

Of course, you can also use policy with the methods previously discussed. Should you decide to roll this out, be mindful of bandwidth impacts and network performance, since all of that content will be uploaded to the cloud.
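The sync-client settings discussed in the Synchronization, Network Impact and Known Folder Move sections (Files On-Demand, the upload bandwidth ceiling, and silent KFM) all come down to policy values the client reads from the machine’s policy registry key, which is what the ADMX templates and Intune write. The following is an added example for this article, not the author’s or Microsoft’s code, for a small business without Group Policy or Intune: it writes those values on one Windows machine and then reports what is in effect. The tenant ID is a constructed placeholder, the script assumes an elevated prompt, and the value names are taken from the documented OneDrive policy keys.

```powershell
# Added example (not from the original article): set the OneDrive sync-client
# policies discussed above directly in the machine policy key and audit them.
# Assumptions: run elevated; the tenant ID is a constructed placeholder;
# value names follow the documented OneDrive policy registry keys.
$Policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
$TenantId = '00000000-0000-0000-0000-000000000000'   # constructed; use your Azure AD tenant ID

function Set-OneDrivePolicy {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)]$Value,
          [ValidateSet('DWord', 'String')][string]$Type = 'DWord')
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    New-ItemProperty -Path $Policy -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Keep Files On-Demand on: cloud-only placeholders, nothing downloaded until opened or pinned.
Set-OneDrivePolicy -Name 'FilesOnDemandEnabled' -Value 1

# Cap uploads at 50% of measured throughput (valid 10-99) so KFM uploads
# do not starve other business traffic during rollout.
Set-OneDrivePolicy -Name 'AutomaticUploadBandwidthPercentage' -Value 50

# Silently redirect Desktop, Documents and Pictures to OneDrive for this
# tenant only, and stop users from redirecting them back to the PC.
Set-OneDrivePolicy -Name 'KFMSilentOptIn' -Value $TenantId -Type 'String'
Set-OneDrivePolicy -Name 'KFMBlockOptOut' -Value 1

# Audit: report each policy value actually present (blank = not configured),
# including the fixed-rate limits in case someone set those instead.
function Get-OneDrivePolicyReport {
    $names = 'FilesOnDemandEnabled', 'AutomaticUploadBandwidthPercentage',
             'UploadBandwidthLimit', 'DownloadBandwidthLimit',
             'KFMSilentOptIn', 'KFMBlockOptOut'
    $props = if (Test-Path $Policy) { Get-ItemProperty -Path $Policy } else { $null }
    foreach ($n in $names) {
        [pscustomobject]@{ Policy = $n; Value = if ($props) { $props.$n } else { $null } }
    }
}

Get-OneDrivePolicyReport | Format-Table -AutoSize
```

Because KFMSilentOptIn carries your tenant ID, the client will only redirect known folders into an account from that tenant, which is the check that prevents a user’s Desktop and Documents from quietly landing in a personal or foreign OneDrive.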

Summary

OneDrive for Business is an exceptionally useful service. In this article, we’ve discussed many of the key considerations, benefits, best practices, and capabilities of OneDrive for Business so you can effectively manage the service for users. A capable administrator will understand the business use cases for sharing as well as the network impact of OneDrive for Business, and be familiar with how to administer the service including using policy to enforce the desired settings for your Business.

When set up, users will enjoy cloud access to essential files, including their Desktop, Document, Pictures, Team sites, and other files of importance, allowing them to share content quickly and work locally or collaboratively.

Of course, Microsoft is continuously updating OneDrive for Business, so as a last tip, bookmark the Microsoft official OneDrive blog to keep up-to-date.

Source :
https://www.altaro.com/microsoft-365/onedrive-business-tips-tricks/
