Nathan McNulty (@NathanMcNulty)'s Twitter Profile
Nathan McNulty

@NathanMcNulty

Loves Jesus, loves others | Husband, father of 4, security solutions architect, love to learn and teach | @TribeOfHackers | 🐘infosec.exchange@nathanmcnulty

ID: 52462500

Link: https://blog.nathanmcnulty.com | Joined: 30-06-2009 17:45:09

31,8K Tweets

13,2K Followers

946 Following

Nathan McNulty (@NathanMcNulty):

Had an interesting question about scheduling Defender AV scans against custom locations

In case anyone needs it, here's one of a few ways to do it :)

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Path\To\Directory"

learn.microsoft.com/en-us/defender…
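The tweet above gives the one-off command; what people usually want next is to run it on a schedule. The following is an added example, not code from the tweet or from Microsoft, that registers a scheduled task running the same MpCmdRun.exe custom scan (-ScanType 3) against a directory. The task name, the 02:00 daily trigger, the four-hour time limit and the target path 'C:\Path\To\Directory' are assumptions/placeholders; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original tweet): schedule a daily Defender AV
# custom scan of a single directory via MpCmdRun.exe.
# Assumptions: task name, trigger time and target directory are placeholders.

$mpCmdRun  = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
$targetDir = 'C:\Path\To\Directory'                 # placeholder directory to scan
$taskName  = 'Defender AV - Custom Scan (Shared Data)'   # assumed task name

if (-not (Test-Path -LiteralPath $mpCmdRun)) {
    throw "MpCmdRun.exe not found at '$mpCmdRun' (is Defender AV installed on this host?)"
}
if (-not (Test-Path -LiteralPath $targetDir -PathType Container)) {
    throw "Scan target '$targetDir' does not exist"
}

# -ScanType 3 = custom scan; -File = path to scan. Quote the path so that
# directories with spaces are passed as one argument.
$action = New-ScheduledTaskAction -Execute $mpCmdRun `
    -Argument ('-Scan -ScanType 3 -File "{0}"' -f $targetDir)

$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'

# Run as SYSTEM so the scan does not depend on an interactive logon.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Catch up if the host was off at 02:00, and do not let a runaway scan run forever.
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
    -ExecutionTimeLimit (New-TimeSpan -Hours 4)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Confirm what was registered and kick it off once to validate the arguments.
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $taskName

# The scan's own output goes to the Support logs; check there rather than the
# task result, which only reflects the process exit code.
$support = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support'
Get-ChildItem -Path $support -Filter 'MPLog-*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1 FullName, LastWriteTime
```

If you prefer the scan result in the task history rather than the log, wrap the command in a small script and inspect $LASTEXITCODE there; the task scheduler only records that the process started and finished.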

Nathan McNulty (@NathanMcNulty):

Sometimes on calls people ask about an API or we're curious about automating something

I usually start with Developer Tools - Network tab, and when I open it, I frequently hear 'Shoot, I forgot that existed!'

This is your reminder that it exists, and it is awesome :)

Rudy Ooms | MVP 🇳🇱 (@Mister_MDM):

If you still have issues with the Enterprise subscription activation during the uplift from Pro to Enterprise, you must read the latest update on my blog.

Microsoft is indeed aware of this issue, and they already have a fix in place. That's lovely! Why?…

Louis Mastelinck | LouSec | MVP (@LouisMastelinck):

Developed custom detections for some crucial events in MDE:
- Detection of offboarding package downloads
- Device isolation events (detects which isolation type was applied)
- Tamper protection disablements
- File retrieval via Live Response

lousec.be/mde/microsoft-…

Nathan McNulty (@NathanMcNulty):

In case you ever need it, Entra Password Protection forest registration information can be found in the Configuration naming context ;)

I don't believe there is a native cmdlet, but you could do something like this:
Get-ADObject 'CN=Azure AD Password…

Nathan McNulty (@NathanMcNulty):
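The tweet's Get-ADObject call is cut off, so here is an added example (not the tweet's own code) of the same idea: search the Configuration naming context for the Entra Password Protection registration objects and list them with their timestamps. It assumes only that the objects' common names begin with 'Azure AD Password', as the truncated DN in the tweet suggests; the exact container DN is not hard-coded, and the enumeration of child entries under any container found is an assumption about where per-server registrations live. Requires the ActiveDirectory RSAT module and read access to the Configuration partition.

```powershell
# Added example (not from the original tweet): locate Entra (Azure AD) Password
# Protection registration data in the Configuration naming context.
# Assumption: object names start with 'Azure AD Password'; we search the whole
# Configuration NC by name instead of assuming the full container DN.

Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

$objects = Get-ADObject -SearchBase $configNC -SearchScope Subtree `
    -LDAPFilter '(cn=Azure AD Password*)' `
    -Properties objectClass, whenCreated, whenChanged

if (-not $objects) {
    Write-Warning "No 'Azure AD Password*' objects found under $configNC; the forest may not be registered."
    return
}

# Top-level hits: the registration container(s) and their audit-relevant timestamps.
$objects | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        Class   = $_.ObjectClass
        Created = $_.whenCreated
        Changed = $_.whenChanged
        DN      = $_.DistinguishedName
    }
} | Format-Table -AutoSize

# Assumption: per-server registrations (proxy / DC agent) are stored as child
# objects of the container, so enumerate one level below each container found.
$objects | Where-Object { $_.ObjectClass -eq 'container' } | ForEach-Object {
    Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -Filter * `
        -Properties whenCreated, whenChanged |
        Select-Object Name, ObjectClass, whenCreated, whenChanged, DistinguishedName
} | Format-Table -AutoSize
```

The whenChanged values are worth keeping an eye on: a registration object that changes outside a known proxy or agent deployment is something to ask about, since the Configuration partition replicates forest-wide.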

For Defender AV catch-up scans, the default for DisableCatchupFullScan and DisableCatchupQuickScan is Disable, which is a value of 1

To disable catch-up scans, we have to set the value to Enable, which is a value of 0

🫠

Sam Erde (@SamErde):
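Because the setting name and the UI label pull in opposite directions, it helps to read back what the box actually has. The following is an added example (not the tweet's code) that reports the effective DisableCatchupQuickScan / DisableCatchupFullScan values from Get-MpPreference next to any policy value in the registry, and then sets them explicitly through Set-MpPreference, where $true means catch-up scans are disabled and $false means they run. The policy path HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan is an assumption based on where the Defender ADMX writes these settings.

```powershell
# Added example (not from the original tweet): make the catch-up scan state
# explicit. For both Get-MpPreference and the policy registry value,
# 1 / $true = catch-up scans DISABLED, 0 / $false = catch-up scans ENABLED.
# Assumption: policy values are written under the key below by the Defender ADMX.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Scan'

function Get-CatchupScanState {
    $pref = Get-MpPreference
    $pol  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    foreach ($name in 'DisableCatchupQuickScan', 'DisableCatchupFullScan') {
        $policyValue = if ($pol -and $null -ne $pol.$name) { $pol.$name } else { '(not set)' }
        [pscustomobject]@{
            Setting      = $name
            Effective    = $pref.$name               # $true => catch-up scans disabled
            PolicyValue  = $policyValue              # 1 => disabled, 0 => enabled
            CatchupScans = if ($pref.$name) { 'disabled' } else { 'enabled' }
        }
    }
}

'Before:'
Get-CatchupScanState | Format-Table -AutoSize

# To make catch-up scans run (the non-default), the Disable* preference must be
# $false (policy value 0). Flip both to $true (policy value 1) to suppress them.
Set-MpPreference -DisableCatchupQuickScan $false
Set-MpPreference -DisableCatchupFullScan  $false

'After:'
Get-CatchupScanState | Format-Table -AutoSize
```

If PolicyValue is set, the GPO or Intune policy wins over the local preference, so a change made with Set-MpPreference will be reverted; change it at the policy source instead and use the table above only to confirm what landed.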

Don't sleep on this underutilized protection in Active Directory--but also don't be a dummy and turn it on without reading the details! 🔎🔐

Nathan McNulty (@NathanMcNulty):

I've seen this MDE issue with several clients now. Anyone else?

Servers are discovered and assigned a tag prior to onboarding

Once onboarded, the 'Can be onboarded' object is still there and not the onboarded one

The onboarded object can be found by searching senseId or this:

Nathan McNulty (@NathanMcNulty):

Always worth it though. I'll never get a chance to have those moments again, but the tech stuff will still be there any time :)

I probably seem very sporadic, disappear mid conversation even, but with 4 kids, it's non-stop interruption. Trying my best to maximize time :p
