Documentation adjustement

[Mrkuff]

In "Microsoft Defender Policies" section there's 2 parameters marked with a magenta point and it's now available with GPO too:

Async Inspection for Network protection
https://learn.microsoft.com/en-us/defender-endpoint/network-protection?view=o365-worldwide#use-group-policy-to-enable-turn-on-asynchronous-inspection

Enables a network protection setting that blocks malicious network traffic instead of displaying a warning.
https://learn.microsoft.com/en-us/defender-endpoint/network-protection#use-group-policy-to-enable-convert-warn-verdict-to-block

[Mrkuff]

In "Microsoft Defender Policies" section there's this one :

Enables [ECS Configurations] in the Microsoft Defender. They improve product health and security by automatically fixing any possible issues/bugs that may arise, in a timely manner.

When I look how this is configured, this seem to be documented here :
https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-core-service-overview

But this feature look's gone.. there nothing in "Computer Configuration -> Administrative Templates -> Windows Components -> Microsoft Defender Antivirus" Turn on Experimentation and Configuration Service (ECS) integration for Defender core service

And the switch -DisableCoreServiceECSIntegration and -DisableCoreServiceTelemetry for Set-MpPreference are gone too. (they did a typo on the doc and called the cmdlet "Set-MpPreferenceS "

Have you implemented this with the registry key? Is it still something working?

The default is said it's activated by default:
DisableCoreService1DSTelemetry (dword) 0 (hex)
0 = Not configured, enabled (default)
1 = Disabled

DisableCoreServiceECSIntegration (dword) 0 (hex)
0 = Not configured, enabled (default)
1 = Disabled

So we dont need to worry about it?

Thx again for all!

[HotCakeX]

Hi,
Thanks for the review, the reason the 2 items are still being applied via CIM/COM is mentioned here: https://github.com/HotCakeX/Harden-Windows-Security/releases/tag/Hardening-Module-v.0.6.4
Reported the problem back in October so i didn't switch to group policy and left them to continue being applied via COM/CIM, but in the next version i will change them to group policy.

Everything being applied via registry is in here:
https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Harden-Windows-Security%20Module/Main%20files/Resources/Registry.csv

This is how the ECS Configurations policy is being applied (via CIM/COM):

Harden-Windows-Security/Harden-Windows-Security Module/Main files/C#/Protect Methods/MicrosoftDefender.cs

Line 35 in 8d39104

ConfigDefenderHelper.ManageMpPreference("EnableEcsConfiguration", true, true);

All 3 parameters, DisableCoreServiceTelemetry, DisableCoreServiceECSIntegration and EnableEcsConfiguration exist in Windows 11 build 26100.3476 which is the latest stable release. They're in the results of Get-MpPreference cmdlet. If i gets removed in a future build i'll remove it from the module too.

[HotCakeX]

The reason is mentioned in Edge category: https://github.com/HotCakeX/Harden-Windows-Security?tab=readme-ov-file#edge-browser-configurations

[Mrkuff]

Awesome! i gonna double/triple check now before asking question. You send me the RTFM reply way more than I would like too! Kudos for the Edge Baseline analyze, didn't know that about these applying in big part to domain only. I need to change a thing or two now :P

[HotCakeX]

no it's okay, the reason i use links is bcz i don't wanna say something here and then if things change in the future i'll have to edit all comments again just to correct it, so i just use links to point to a single place i can keep up to date, hope that makes sense,

And yeah, it wasn't always like that, they added the notice about personal accounts about a year ago or so

[Mrkuff]

Just a quick question... is there a reason why "Microsoft Defender" ArchiveMaxDepth is DWORD ValueIsList=True with "4294967295,2147483647" in it ?

You want a futur double value for different profile? ( like for exemple Windows Server) ?

I'm working on a PS import registry. So far so good

$CsvFile = 'd:\Registry resources.csv'

import-csv -Path $CsvFile | ForEach-Object {
    $Hive = $_.hive
    $Hive = $Hive -replace "HKEY_LOCAL_MACHINE","HKLM:"  # Registry::HKEY_LOCAL_MACHINE didn't work on the Test-Path cmdLet. Had to use HKLM:
    $Hive = $Hive -replace "HKEY_CURRENT_USER","HKCU:"
    $Key = $_.Key
    $Path = "$Hive\$Key"
    $Path = $Path -replace "/","`/"  # for entry like HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56  Escaping the /
    $Name = $_.Name      
    $Value = $_.Value
    $ValueIsList = $_.ValueIsList    # Exception for ArchiveMaxDepth since it's the first value who's used in the GPO
    if ($ValueIsList-eq "true"){
        $Value =  $Value.split(",")[0]  # Taking the first one
    }      
    $Type = $_.Type
    if ($Type -eq "MULTI_STRING"){   #  Here translating MULTI_STRING for the -PropertyType
        $Type = "MultiString"
        $Value = $Value.split(",")   #  Transform value to an array
    }
    ##########################################
    #Overrite section
    if($Name -eq "UseTPMPIN"){       # overriding UseTPMPIN
        $Value = 0
    }
    if($Name -eq "UseTPMKey"){       # overriding UseTPMKey
        $Value = 0
    }
    if($Name -eq "UseTPMKeyPIN"){    # overriding UseTPMPIN
        $Value = 1
    }
    ##########################################

    Write-Host "$Path - $Name - $Type - $Value"
    if(($Path -ne '') -and (!(Test-Path -literalPath $Path))){ # If the registry path doesn't exist, create it       
        New-Item -Path $Path -Force | Out-Null
    }
    if (($Path -ne '') -and ($Name -ne '')){   # if the property name is provided       
        if ((Get-ItemProperty -Path $Path -Name $Name) -ne $Null){           
            Remove-ItemProperty -Path $Path -Name "$Name" -Force | out-null
        }
        New-ItemProperty -Path $Path -Name "$Name" -Value $Value -PropertyType $Type -ErrorAction Stop -Force | Out-Null
    }
}

[HotCakeX]

@Mrkuff That's max uint and i wanted to not set any limits to the depth at which archives are scanned by the Defender. DWORD is uint.

[HotCakeX]

I tried using Group policy for the 2 policies you mentioned but they still have problem and when implemented through policy, they are not detected via CIM/COM. When we use CIM/COM, we can see the actual effective state of things, Group Policies only change registry keys. For this reason i let them continue by applied via COM/CIM as before.

[Mrkuff]

I'm on 10.26100 and I've found DisableCoreServiceTelemetry, DisableCoreServiceECSIntegration but not EnableEcsConfiguration in
Get-MpPreference. maybe just 26100.3476. Cutting edge hun?

[HotCakeX]

@Mrkuff

Mmm maybe, this is screenshot on 26100.3775. If it ever gets removed then the module will gracefully skip it and will report that it's skipped it in the logs.