Windows 11, version 24H2, now available!

Microsoft just released the new version of Windows 11, version 24H2!

This update will gradually be offered to current devices with Windows 11 or can be manually installed from scratch.

The ISOs and the Media Creator (to create the USB installer) can be downloaded from here:

https://www.microsoft.com/en-us/software-download/windows11

How to get new experiences for Windows 11

New experiences coming to Copilot+ PCs and Windows 11

Windows 11, version 24H2 security baseline

Windows 11, version 24H2: What’s new for IT pros

Administrative Templates (.admx) for Windows 11 2024 Update (24H2)

Group Policy Settings Reference Spreadsheet for Windows 11 2024 Update (24H2)

I completed my initial training at Microsoft!

I’m happy to report I have completed the intensive internal training at Microsoft, related to Microsoft Defender for Endpoint (MDE), of about 70 hours!

This means that soon I will start taking real cases from customers!

Wish me luck!

Certificate of the 1 hour assessment I just passed.

The full course outline is below:

MDE – Foundational Training – General Certificate link

  • Foundational Training – Getting started
  • Internal Tools and Customer Communication
  • Initial Scoping

MDE Lab Creation Certificate link

  • Create Your Azure Labs
  • Local Virtual Machines
  • Creating local VMs – Hyper-V

Basic Portal overviews / General cross platform features Certificate link

  • M365 Converged Portal
  • MDE – Threat and Vulnerability Management (TVM)
  • MDE Alerting
  • MDE – Tagging and Grouping
  • Defender Antivirus – Network Protection
  • MDE – Microsoft Threat Experts
  • MDE – Response Actions
  • MDE – Indicators
  • Microsoft Defender Endpoint licensing requirements & offering plans
  • Defender for Cloud Integration, Onboarding and Offboarding
  • Action Center
  • Device inventory and Timeline
  • Basic Connectivity Information
  • Defender AV (Compatibility with 3rd party AV)
  • Malware Submissions WDSI
  • Microsoft Defender for Office Integration
  • Live Response
  • Intune Integration
  • Advanced Hunting
  • Region Reset
  • Azure Permissions + MDE RBAC
  • Suppression Rules
  • Tenant Attach
  • Device Discovery
  • Contain Device
  • EDR Network Device Discovery
  • Device Health and Compliance Report
  • False Positives
  • MDE – Troubleshooting Mode

Windows – MDE Foundational Certificate link

  • Microsoft Defender Antivirus
  • Antimalware Extension (IAAS)
  • MDE – Run Client Analyzer
  • MDE – Machine Isolation
  • MDE – Offboarding Machines
  • MDE – Client Analyzer II
  • MDE – Onboarding Machines
  • MDE – Indicators
  • Defender Antivirus – Exploit Protection
  • SCCM / SCEM Enrolment, Onboarding and Offboarding
  • Defender AV Updates
  • Defender AV – Log Collection
  • MDE – API Offboarding
  • Modern Unified Solution for 2012R2 / 2016
  • System Center Endpoint Protection logs
  • Troubleshooting SmartScreen
  • MDE – Web Content Filtering (WCF)
  • MSRT – Microsoft Safety Removal Tool
  • Defender Antivirus – Attack Surface Reduction (ASR)
  • Potentially Unwanted Applications (PUA)
  • MDE Security Configuration Management
  • Safety Scanner
  • Foundational – Controlled Folder Access (CFA)
  • MDE Troubleshooting Device Control for Windows
  • Troubleshooting Device Control for Windows
  • Automated Investigation and Response (AIR)
  • Host Firewall Reporting
  • Device Groups and Tags
  • EDR in Block Mode
  • Azure Arc (Windows)
  • On / Offboarding with Group Policy

MDE Log Collection Methods Certificate link

  • MDE Client Analyzer Logs
  • Defender Log Collection
  • ASR Log Collection
  • Linux and macOS Log Collection
  • Android and iOS Log Collection

Linux – MDE Foundational Certificate link

  • MDE – Linux onboarding
  • MDE – Client Analyzer for Linux Servers / macOS
  • Configuring AV Exclusions on Linux
  • TVM on Linux
  • Running AV Scans on Linux
  • Cloud Protection – Linux
  • Managing Updates
  • Configuring AuditD Exclusions on Linux
  • Licensing – Linux
  • Configuring Network Protection on Linux
  • Deploying Defender for Linux

Mac – MDE Foundational Certificate link

  • Internal Mac Test Machines
  • MDE – macOS Onboarding

Android / iOS – MDE Foundational Certificate link

  • MDE for Android – Hands on lab
  • MDE for iOS – Hands on lab
  • Android / iOS Network Protection

Endpoint Protection Foundational assessment Certificate link

  • The final exam

I started working for Microsoft!

I’m very happy to announce today was my first day of working at Microsoft!

While the job is fully remote, I chose to work onsite, at the Lisbon Office of Microsoft Portugal, for my first day.

I’ve met some of my colleagues, and thankfully I liked the vibe of the workplace, with several people helping out.

I also liked the space: modern, yet comfortable and cozy.

As for the actual job, I will be working with Microsoft Defender for Endpoint.

Let us hope this is the beginning of a long and productive journey!

I made a tool to fix the CrowdStrike incident!

I just released a tool to fix the problems with the recent CrowdStrike update.

This helps delete the problematic files, and is made simple to use, so that it can be used by junior IT personnel.

This is made in Object Pascal, with the Lazarus IDE, and I’m releasing it for free, as open source.

Features

  • Simple and intuitive
  • Ability to first check for the problematic files (C-00000291*.sys), without changing anything on the system
  • 1-Click removal of the problematic files
  • Ability to enable and disable Windows Safe Mode – both from the app and from the WinPE bootable ISO
  • Does not require the use of the command line
  • Works fully offline and does not contact any servers (e.g. it does not “phone home”)
  • Free and open-source

How to use

1. Boot into Safe mode or Windows Recovery Environment
2. Run the application and click "FIX IT"
3. Reboot

Download

Download version 1.04 (64-bit)

100% clean on VirusTotal

SHA-1 Hash: CA9E87F62404E73C27CE1823ED808E8C516AEA0A

Source Code

Major IT disruptions worldwide caused by faulty CrowdStrike update

Today we are seeing major disruptions to IT infrastructure worldwide, affecting airlines, banks, hospitals, emergency services, telecom companies, media outlets, payment processing, among others. [1] [2]

The root cause seems to be a faulty update released by CrowdStrike, a cybersecurity company, for Falcon Sensor, their endpoint protection solution, which caused computers to lock up and fail to boot properly, showing a blue-screen error.

In an unrelated event, Microsoft Azure cloud services also had major issues around the time of the “CrowdStrike problem”: a Central US Azure outage (Tracking Id: 1K80-N_8). Those issues with Azure seem to be mostly resolved already. [3]

Solution for IT admins

As the affected computers are not running properly, unfortunately it seems they will need to be fixed one by one.

The solution seems to be:

1. Boot into Safe mode or the Windows Recovery Environment
2. Run the command:
del "C:\Windows\System32\drivers\CrowdStrike\C-00000291*.sys"
3. Reboot
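As an added example (not the author’s tool and not CrowdStrike’s or Microsoft’s guidance), the same procedure as a PowerShell script that first only lists the matching channel files and deletes them only when -Remove is passed; the -SystemDrive parameter and the backup folder under Windows\Temp are my assumptions, since the system volume can have a different drive letter inside WinRE.

```powershell
# Added example: check-then-delete for the faulty CrowdStrike channel file(s).
# Assumed usage: run as administrator from Safe Mode or WinRE, e.g.
#   .\Fix-CrowdStrikeChannel.ps1                      (check only)
#   .\Fix-CrowdStrikeChannel.ps1 -Remove              (delete)
#   .\Fix-CrowdStrikeChannel.ps1 -SystemDrive D: -Remove   (WinRE, offline volume)
param(
    [string]$SystemDrive = 'C:',   # assumption: letter of the offline Windows volume
    [switch]$Remove
)

$crowdStrikeDir = Join-Path $SystemDrive 'Windows\System32\drivers\CrowdStrike'
$pattern = 'C-00000291*.sys'        # file pattern named in the post

if (-not (Test-Path -LiteralPath $crowdStrikeDir)) {
    Write-Host "Folder not found: $crowdStrikeDir (no Falcon Sensor, or wrong drive letter)."
    exit 1
}

# Check phase: list matching files without changing anything on the system
$files = @(Get-ChildItem -Path $crowdStrikeDir -Filter $pattern -File -ErrorAction SilentlyContinue)
if ($files.Count -eq 0) {
    Write-Host "No $pattern files in $crowdStrikeDir. Nothing to do."
    exit 0
}

foreach ($f in $files) {
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Host ("{0}  {1,8} bytes  {2:u}  SHA256={3}" -f $f.Name, $f.Length, $f.LastWriteTimeUtc, $hash)
}

if (-not $Remove) {
    Write-Host "Check only. Re-run with -Remove to delete the files listed above."
    exit 0
}

# Remove phase: keep a copy on the same volume for the record, then delete.
$backupDir = Join-Path $SystemDrive ('Windows\Temp\crowdstrike-channel-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($f in $files) {
    Copy-Item -LiteralPath $f.FullName -Destination $backupDir
    Remove-Item -LiteralPath $f.FullName -Force
    Write-Host "Removed $($f.FullName) (copy kept in $backupDir)"
}
Write-Host "Done. Reboot the machine."
```

The listing with sizes, timestamps and hashes gives a record of what was on the machine before removal, which is useful when reporting back to the vendor or to an incident ticket.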

Key takeaways

  • Software and hardware vendors have a high responsibility and should extensively test their products – both with automated tools and manually
  • Vendors should do gradual releases of software updates, with live monitoring for issues and for issues reported by clients
  • You don’t release significant updates on a Friday!
  • Vendors should provide easy options or tools to control updates: delaying updates by X days or completely disabling updates should always be available to IT admins
  • Companies at large should have mechanisms to delay or manually approve updates for their entire IT infrastructure – unfortunately this is not always easy and is largely dependent on the options provided (or not provided) by vendors

Remember that the 3 basic principles of cybersecurity are Confidentiality, Integrity and Availability. In the quest to secure our systems we should pay attention to issues like this, which end up causing as much disruption as a major cyberattack.

We should also be aware that Cybersecurity is, in large part, a risk-management and a balancing act between those 3 pillars.

Statement from CrowdStrike

Advice from Microsoft to solve this issue

I will be working for Microsoft!

I’m very happy to announce that today I signed a work contract with Microsoft!

I will be working in Cybersecurity, as a Support Engineer, providing technical support and advice related to Microsoft Defender for Endpoint, to clients in Europe, Middle East and Africa (EMEA).

I’m also happy that the Certified Ethical Hacker certification helped me get this job – it was one of the preferred qualifications on the job posting.

I will start in less than 1 month, working for Microsoft Portugal, and certainly will have more news soon!