Category Archives: Security

MS Defender Update Targets Deployment Images

If you can trust the header data in this MS Support note (I do) it was updated on June 5, 2023. The item is entitled “Windows Defender update for Windows Operating system installation. It describes how to imbue offline Windows images with the latest and greatest Defender capabilities. In fact, that article includes a warning not to apply them to live images. Thus, it’s clear that this MS Defender update targets deployment images.

I got my date information about the article from its HTML meta-data:

<meta name="lastPublishedDate" content="2023-06-05">
<meta name="firstPublishedDate" content="2020-12-04">

How  MS Defender Update Targets Deployment Images

Pre-requisites to run the updates — for WIM and VHD files — include:

  • Works on OS install images for 64-bit Windows 10 and 11, and Windows Server 2016 and 2019
  • OS environment must include PowerShell version 5.1 or newer (current production version is 7.3.4 as I write this)
  • Microsoft.Powershell.Security and DISM modules installed
  • The PowerShell session for the script  <code>DefenderUpdateWinImage.ps1</code> runs with admin privileges. (“Run as administrator” or equivalent.)

The script provides switches to apply, remove or roll back, and list details for the installed update. Useful for those who maintain Windows images and want their security levels up to current snuff.

Find all the details in the MS Support article previously named. Do this before your next scheduled update window, for sure. Of course, this means you’re using Windows Defender as part of your security infrastructure.

MS Is BIG in Security

I just worked on a promotional piece for a joint Rubrik and MIcrosoft security webinar (YouTube video). Amazingly, MS describes itself as “the biggest cyber security company in the world” and did over US$20B in such business in 2022. I guess they do have some legs to stand on in this arena. And indeed, they’re doing all kinds of fascinating stuff with AI and ML to improve their security posture and incident response capabilities. Great stuff!



Zoom Restores Unpaid Update Capability

Let me first confess: I don’t know exactly when the change I report here actually occurred. What I do know is that I reported last October (2022) that the free version of Zoom no longer offered a “Check for Updates” option in its free version’s user menu. It’s highlighted in the red box in the lead-in graphic at right. Because my son is back home from college, I accidentally logged into Zoom on his (free) account yesterday, and saw that the same update item was present. Good-oh!

Glad Zoom Restores Unpaid Update Capability

If you read my earlier post, you’ll see I dinged the Zoom developers for making update a paid-only capability. Why? Because that approach fosters the possibility of security exposures for the class of users that stick to the free version. I took it as a deliberate strategy to force that class to trade security against cost. That’s not good.

Given what I discovered yesterday, I take it all back. Zoom is now doing the right thing. It may have been doing so for some time without my knowledge. That IS good, and I thank them for reversing the earlier development decisions that made users choose between more cost, better security and lower cost, lower security (or more work, to get around that limitation).

Indeed, as I mentioned in my October 2022 post, users could always uninstall an outdated version, then install the current one. This would bring them back to par, and let them benefit from any security patches or fixes in the newer version. Now, thanks to Zoom’s decision to reinstate the “Check for Updates” menu item — and its supported auto-download and -install capabilities — such contortions are unnecessary. Once again: good! And thanks again to Zoom for taking the right path, regardless of exactly when that occurred.


P16 Manifests LSASS Bug

The Windows Local Security Authority Subsystem Service, aka LSASS, handles security policy enforcement for that OS. With KB5023706 (installed on 3/14) on my mainstream Windows 11 PC, some have shown interesting side-effects. My P16 manifests LSASS bug shown in the lead-in graphic.

Basically, it falsely asserts that LSASS protection is turned off (see text in red box). How do I know it’s actually running? As I searched the System log in Event Viewer, I found a message indicating the “LSASS.exe (process) was started…” as part of that system’s last boot-up. According to this discussion of that very issue at, this indicates that LSASS protection is enabled and working as it should be.

P16 Manifests LSASS Bug.evt-viewer

The Event Viewer (System Log) reports a successful start of LSASS.exe as part of the OS boot-up process. It’s working!

What To Do If Your P16 Manifests LSASS Bug

Of course, this applies to all Windows PCs of all kinds. That said, the afore-linked BleepingComputer story explains a couple of Registry hacks that will fix such spurious notifications. MS will probably get around to fixing this sooner or later. Meanwhile, I’m not concerned about false security flags. Indeed, I’m content to wait until it’s corrected in some future update.

It sounds like a serious error. And it would be a major security hole, if the notification were true. But since it’s simply a false positive, and I’ve proved to myself that things are working as they should be, I’ll live with it.

This problem has been in play for some while now (BleepingComputer reports it goes back to January 2023). If I search for “Local security authority protection is off” at, I see hits as far back as March 1, 2023, on this topic. All are unanimous in flagging this as a false positive not worth corrective action.

But that’s the way things sometimes go here in Windows-World. Take it under advisement if you see the “Yellow bang!” in Windows Security on your Windows 11 PC. Cheers!


Build 25158 Gains DNS Over TLS Support

Earlier this week, MS released Build 25158 into the Dev Channel. Among the many notes in this build’s announcements, you’ll find an item that starts off “DNS over TLS testing is now available for Windows DNS client query protection.” Thus, when Build 25158 gains DNS over TLS support, that means improved security for DNS traffic on networks everywhere. Given that DNS is a constant focus for direct and indirect attack, this is a good thing. So, how can you try this new feature out?

Putting Build 25158 Gains DNS Over TLS Support to Work

For brevity and convenience, DNS over TLS is usually abbreviated as DoT. Two ingredients are needed to take DoT for a spin:

1. You need to point your IP stack at a DoT DNS server. You’ll find a list of same at the DNS Privacy Project. It provided the lead-in graphic for this story, in fact. For the nonce, I’m using Google’s and addresses (and associated domain names for certificate authentication). There are several other options available.

2. A series of configuration tweaks, including Settings changes, and netsh and ipconfig commands, are required to set this up and make it work. Fortunately, all those details are covered in an MS Networking Blog post entitled “DNS over TLS available to Windows Insiders.” Therein, Tommy Jensen provides nicely illustrated step-by-step instructions to get you through the process.

More to Follow After Additional Try-Outs

I have two (2) test machines running Build 25158. I’ll try DoT on both of them, and let you know what happens. Mr. Jensen’s post on setting things up includes a potentially scary phrase. That is “This may result in a small performance improvement depending on the network environment at the cost of the flexibility HTTPS-based protocols can provide” (italic emphasis mine).

I’m afraid I know what this means. Indeed, I’ll be curious to see what’s still working — and what’s not — after experimenting with these changes. Given an upcoming out of office adventure, I might wait until week after next to put this to a real test. Stay tuned! In the meantime, you might find this Wikipedia article about DoT worth a quick read-through (good discussion and lots of good additional references there).


MS 365 Brings New Defender Aboard

OK, then. Now I finally understand what’s up with the Store-based version of Windows Defender. It’s been “out there” for while now for Insiders. Called “Microsoft Defender for individuals,” it’s available to anyone with an active Microsoft 365 subscription. (Either Personal or Family subscriptions qualify.) That’s why I say “MS 365 brings new Defender aboard” in today’s title. The lead-in graphic shows the dashboard (in part) from my production Windows 10 desktop. Both “other devices” run Windows 11.

When MS 365 Brings New Defender Aboard, Then What?

According to the tool is built on Microsoft Defender Endpoint technology. Thus, it brings the same cloud-based security to end users already available to Enterprise customers. A June 16 Microsoft Security blog post confirms this assertion. It describes this new Defender version as “an exciting step in our journey to bring security to all.” The tool works on Windows, iOS, Android, and macOS devices to provide family-wide protection across whole households.

MS explains Microsoft Defender for individuals as enabling the following capabilities (also including “continuous antivirus and anti-phishing protection for your data and devices”):

  • Manage your security protections and view security protections for everyone in your family, from a single easy-to-use, centralized dashboard.
  • View your existing antivirus protection (such as Norton or McAfee). Defender recognizes these protections within the dashboard.
  • Extend Windows device protections to iOS, Android, and macOS devices for cross-platform malware protection on the devices you and your family use the most.
  • Receive instant security alerts, resolution strategies, and expert tips to help keep your data and devices secure.

I’m giving it a try on my production PC which still runs Norton 360, along with a couple of my Defender-only test machines running Windows 11. Should be interesting to see how it all turns out! If you’d like to check it out for yourself and your devices (and your family’s, if applicable) visit the Microsoft 365 Defender page for a download link.




Various .NET Versions Facing EoS Soon

On April 4, an End of Support notice surfaced in  the MIcrosoft Message Center. Its initial text appears in the lead-in graphic for this story above. A quick summary of its contents is that various .NET versions facing EoS soon. The version numbers involved are 4.5.2, 4.6 and 4.6.1 runtime. MS recommends that affected PCs update to .NET Framework 4.6.2 before April 26, 2022. No updates or security patches will be issued for those versions after that date.

If Various .NET Versions Facing EoS Soon, Then What?

This is an issue only if certain applications still in use employ those older .NET versions, and they themselves haven’t yet been upgraded to use a newer one. As I look at the relevant folder in my production  Windows 10 desktop — namely:


these are the folders that I see

If I understand how this works correctly, all versions lower than 4.0 reflect older .NET versions currently installed on this PC. Thus by reading the version numbers for those folders you can see that 5 such versions are installed, from v1.0.3705 through v3.5.

On the other hand, if you display properties for any .dll file in the V4.0.30319 folder, you’ll see what version of .NET is currently present, to wit:The Product Version line reads 4.8.4084.0, and tells me that I’ve got the latest and greatest .NET version installed here, as well as the earlier versions already mentioned.

What To Do About Impending Retirements?

If you’re using no software that depends on earlier .NET versions, you need do nothing. OTOH, if some of your software does depend on them you must decide if you’ll keep using it and risk possible security exposure, or find an alternative that isn’t subject to such risk. For my part, I recommend the latter approach, unless there’s no other choice. And in that case, the safest thing to do would be to run such software in the MIcrosoft Sandbox as a matter of prudent security policy. ‘Nuff said!


Windows Memory Integrity Now Covers Device Drivers

With the latest versions of Windows 10 and 11, Windows Security gains driver level protection. I’m talking about Build 19044.1586 or higher for Windows 10. Also, 22000.593 or higher for production 11, and 22581.200 or higher for Dev Channel Insider Previews. Looks like those still running Beta (22000.588, or higher) are also covered. Go into Microsoft Security, under the left-panel Device security heading. Drill into Core isolation details, then turn on Memory integrity (see lead-in graphic). Do all those things, and Windows memory integrity now covers device drivers. I’ll explain. . .

What Windows Memory Integrity Now Covers Device Drivers Means

With Core Isolation turned on (requires Hyper-V and VM support turned on in UEFI or BIOS), you can visit the MS Support Core isolation page to learn more. It also provides detailed, step-by-step instructions on how to turn this feature on (note: a restart is required).

Here’s a brief summary:

1. Memory integrity, aka Hypervisor-protected Code Integrity (HVCI), enables low-level Windows security and protects against driver hijack attacks.

2. Memory integrity creates an isolated environment (e.g. a sandbox) using hardware virtualization.

3. Programs must pass code to memory integrity inside the sandbox for verification. It only runs if the memory integrity check confirms code safety. MS asserts “Typically, this happens very quickly.”

Essentially, memory integrity/core isolation puts security inside a more secure area. There it can better protect itself from attack, while prevents drivers (and the runtime environments they serve) from malicious code and instructions.

What Can Go Wrong?

If any suspect drivers  are already present on a target system, you can’t turn memory integrity on. Instead you’ll get an error message something like this:

Note: the name of the driver appears in the warning. Thus, you can use a tool like RAPR.exe to excise it from your system. Be sure to find and be ready to install a safe replacement because that may render the affected device inaccessible and/or unusable.

Should you attempt to install a suspect or known malicious driver after turning this security feature on, Windows will refuse. It will provide a similar error message to report that the driver is blocked because it might install malware or otherwise compromise your PC.

That’s good: because that means driver protection is working as intended. Cheers!


AdwCleaner Roots Out PUAs

For months now, I’ve been seeing traces of a low-risk “potentially unwanted app”  (PUA) on one of my Dev Channel test PCs. You can see the Windows Security log trace entry for this item above. It’s named FusionCore.C and it shows up as low-risk adware. This morning I ran Malwarebytes’ AdwCleaner (v 8.3.1) to see if it would make it go away. It did, so I can report that AdwCleaner roots out PUAs. It’s free and doesn’t install so it inflicts no system footprint, either.

Because AdwCleaner Roots Out PUAs, Use It!

Now that Microsoft Defender has shown itself to be a great first-line of security defense for Windows PCs, I don’t recommend third-party AV or other real-time protection tools anymore. That said, cleanup tools like AdwCleaner can be helpful. That goes double, because while Defender flags FusionCore.C and other adware instances, it doesn’t offer its own clean-up capability (or even remediation advice).

When you run the AdwCleaner executable (adwcleaner_8.3.1.exe), it finds the two offending PUA elements right away. These consist of a .tmp file and and .exe file. Both have FusionCore.C in their file names. If you check those items under the PUP (Potentially Unwanted Program) heading, you can flag them for quarantine and removal. The following screencap shows the two items checked for potential quarantine.

AdwCleaner Roots Out PUAs.checked

All you need to do to flag items is to check the box to the left for each one you’d like to quarantine or remove.

Then, simply click Next to get to the quarantine Window. On this PC a bunch of pre-installed Lenovo items also appear (I don’t care about those: I actually USE most of them). I check none of those items, which are hidden behind the fore-window that says “Cancel” and “Continue.” I choose “Continue” and the items get quarantined. I run another Defender scan and sure enough, the PUAs no longer get reported. A visual inspection of the source folder (shown in the lead-in graphic) shows the items are no longer present there as well. Good-oh!

AdwCleaner Roots Out PUAs.quarantine

Click “Continue” and the checked PUA items go into quarantine, and off Defender’s scan radar. Done!


MS Defender Preview Accepts Personal MSAs

Hoo boy! I’ve been checking in on the Store-based version of the Microsoft Defender Preview since last November. Until this morning, I had no luck getting this cross-platform, multi-device app working. After seeing a story in WindowsUpdate minutes ago, I zipped into the MS Store to try again. And indeed, now that MS Defender Preview accepts personal MSAs (Microsoft Accounts) it appears to be working!

If MS Defender Accepts Personal MSAs, Anybody Can Use It

In the next screencap you can see the dashboard screen from the Microsoft Defender Preview. One must, however, also install this app on other devices before they show up on this dashboard. So naturally, I dashed over to my other Dev Channel test machine (via RDP, no physical movement needed) and used the URL to go straight to the app in Store:

MS Defender Preview Accepts Personal MSAs.dashboard

The dashboard doesn’t look like much until you start adding devices. [Click image for full-sized view.]

After a quick  update, I opened the newest version to see the initial welcome screen I missed on my first MS Defender Preview encounter. I signed up with the same MSA (so both devices would show up on a single dashboard: IDs are deliberately obscured).

To see devices on the same dashboard, you must associate them with a common MSA. [Click image for full-sized view.]

With Time and Exposure, More to Come

That’s about all I have time to deal with this morning. I’m tightly wrapped in legal business this week, so my posts will be short and less frequent than usual. This opening up of the preview, however, was big enough news that I had to share. Check it out, and have fun!


New MS Defender Preview Impediment

I have to chuckle. At the start of November, I wrote here that “I Get No MS Defender Preview.” Just to check up, I went back to the store to grab the Preview. It was no surprise at all that I can still report the same thing. What’s different now is the error message that comes up, as shown in the lead-in graphic. My latest sticking point represents a new MS Defender Preview impediment. As you can see, my account is now recognized, but I can’t log into the preview. Sigh.

Clueless on Overcoming New MS Defender Preview Impediment

I’ve dug around online, at both Microsoft and third-party Windows sites. I cannot find any info on how to subscribe to the Microsoft Defender Preview. Presumably, that would also provide me with necessary login info. But there’s no enlightenment obtainable on how that might be arranged.

Often, when Windows features go into limited release in the Preview channels, I find myself at the end of the pack in gaining access. That phenomenon seems likely in this case, too. I’ll raise a flag in the WIMVP forums and see if I can provoke any action. Shoot! I’d be happy just to get more information on how to subscribe and start participating in the Microsoft Defender Preview.

But — as is so often the case in my experience — I’m on the outside looking in. I know this Preview is happening. I simply can’t get access to it, to sample its functions and capabilities. Stay tuned: I’ll keep you posted as I try to work my way into that charmed space. Hopefully that will happen sooner rather than later. We’ll see!