A quick function for setting permissions in Active Directory to allow the Microsoft Identity Manager Global Address List (GAL) sync Management Agent to do its thing. I put it in a GitHub gist so it might help someone else!
It’s also a good intro to look at for getting into dealing with Access Control Lists (ACLs) in AD, as it deals with setting specific permissions or extended rights. Anyways, here’s the script!
The new update has been out for a little while now (KB3106514) and brings with it three new settings.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\MpEngine
DWORD name: MpEnablePUS
This setting enables detection and removal of Potentially Unwanted Applications (PUA) downloaded through IE, Firefox or Chrome. One thing about this is that it will only apply to new detections going forward. This setting will not cause existing PUAs to be detected and removed.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Antimalware\UX Configuration
DWORD name: SuppressRebootNotification
This is a setting to suppress the reboot notification from the client if it detects that a reboot is required to finish the clean-up of any malware. This is useful in shared environments (RDS, etc.), where a this kind of thing would not be fun.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware
DWORD name: ThreatFileHashLogging
This setting records an event with ID 1120 to the log file containing the SHA-1 hash of the affected file for more research and correlation with other infections or threats.
There’s also a link from the knowledge base page to a script on the PowerShell gallery for setting up anti-malware client updates on a UNC share, which is quite nice for new deployments, without using something like System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS).
I have added these updates to my ADMX template for System Center Endpoint Protection, which can be downloaded from GitHub. Note that from this update on, the file names and data drop the 2012R2 version number from the file name, which makes more sense going forward. The old files are still there for reference.
The direct links to the files are:
SystemCenterEndpointProtection.admx
SystemCenterEndpointProtection.adml
It’s been just over a year since the last policy template settings change from Microsoft for their Endpoint Protection products and still no sign of an official file! I’ll keep on with the updates for this until Microsoft sort it out.
I’ve made a couple more changes to add two new policy options that I had previously overlooked, these are:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection
DWORD name: DisableScriptScanning
This setting provides an admin override to disable script scanning.
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection
DWORD name: LocalSettingOverrideDisableScriptScanning
This setting allows the local client setting for script scanning to take precedence over a group policy setting.
Today, I published my first module to the PowerShell gallery!
It’s the fairly simple module I wrote to manage the timezone on the local machine, wrapping the tzutil command. It’s all really come together over the last couple of days (I fixed a bunch of problems by writing some proper tests for it!). I’ve also been using it to work with a lot of cool stuff with it like advanced parameter completion, psake and PSDeploy to streamline the testing and deployment.
Some of these ideas came from things I saw recently on the PowerShell.org Global Summit videos (They are all incredible). I’m annoyed I couldn’t make it this time, but the videos and the other awesome stuff people are doing with PowerShell getting out there is great!
This script requires the excellent Wizard to Create Powershell-based Monitors Management Pack (or a similar Management Pack to run PowerShell scripts from SCOM).
It generates a property bag of whether you have each of the Internet Explorer Enhanced Security Configuration (IE-ESC) profiles enabled or disabled and (depending on how you’ve configured the monitor), alerts on them.
It’s just another useful little script for maintaining a good security posture for servers in your organisation.
Hmm, long time no post…
This script requires the excellent Wizard to Create Powershell-based Monitors Management Pack (or a similar Management Pack to run PowerShell scripts from SCOM).
It generates a property bag of whether you have each of the three Windows Firewall profiles enabled/disabled and (depending on how you’ve configured the monitor), alerts on them.
It’s a very useful little script to ferret out those little servers with the firewall turned off!