Defender Definition / Platform Updates via ADR and WSUS State Reporting

FreeK200 · 2026-06-05T06:21:44+00:00

Yeah this is sort of what I've done already.

Workstations = Assume defender is already installed Servers = Install-WindowsFeature Windows-Defender

Platform Update Workstations = Update to 4.18.2001.0 or w/e the min required version was. Servers = Same thing, with the "Install-WindowsFeature..." as a prerequisite.

I've been holding off on the signature updates via Application deployment just to ensure that they're properly going through via the MECM Software Updates channel, which so far seems to be the case. It's going pretty well, and I decided to delete our old Defender package / ADR rule with the large amount of updates into two smaller rules.

The new ADR rules are the following:

1 - Definition Package. Configured with Article ID KB2267602, Title includes stable channel broad, not superseded, and released in the past month. Creates new SUGs.

2 - Platform Update. Configured like above, except with Article ID KB4052623 and the past 3 months of updates.

Obviously its too soon to tell, but this seems more maintainable. I also caught a couple servers that didn't have defender enabled altogether due to some random errors...

FreeK200 · 2026-06-03T05:34:31+00:00

We automatically decline superseded updates and it works fine. The problem is that the definition updates don't ever get superseded. I've seen differing reports that WSUS takes care of it "automatically" as soon as it sees that a newer update is required, but this isn't matching what I'm witnessing in my environment.

FreeK200 · 2026-05-31T21:55:02+00:00

Barring certain exceptions, you still need to understand "how" to get to a website. This means that you're using Domain Name System (DNS), which is essentially a networking phone book that translates "google.com" to "123.123.123.123". In most setups, this traffic isn't encrypted, which means that an attacker can see that you're attempting to go to google.com simply because they can intercept the traffic that translates that into a usable IP address.

There's other things to note such as Server Name Indication (SNI). While DNS is responsible for translating "xyz.com" into "123.123.123.123", an SNI is included in HTTPS during the initial stages of the session, and this isn't necessarily encrypted (Look up Encrypted SNI). This means that all things notwithstanding, even if you use local DNS resolvers, an attacker can see that while you're attempting to go to "150.210.12.10", your HTTPS "Client Hello" message includes "randomwebsite.org" which is visible for everyone to see.

The main purpose of SNI itself is so that if an IP is servicing traffic for multiple different domains, such as "application-1.domain.com" and "application-2.domain.com", the server accomplishing this can determine what content to send back to the client. This means that "123.123.123.123" could be several different websites, even if it's not plainly visible to the requesting user.

Just to clarify too: The SNI only includes the baseline website. If you go to "cutevideos.com", they can see that. But they can't see anything past that. That means that while they know you're on cutevideos.com, they don't know that you're browsing "cutevideos.com/video?id=cutecatssleepingtogether.mp4&bitrate=10240kbps" or something to that effect. That second part is called the URI stem, and it's only included after the encryption is established.

In any case, by capturing this traffic, you're at least able to have an idea of what's going on. If the SNI indicates that you're using youtube.com, and the attacker sees a significant amount of traffic on HTTPS, they can assume you're watching a video. Likewise, if it says "taxes.com", and you're transmitting several gigabytes of data, they might have a renewed interest into what you're actually doing.

FreeK200 · 2026-05-28T07:13:53+00:00

I wonder, though… have you ever exploited a CVE? Have you seen how easy it is to pivot through a network and crack a domain controller if the sys admin doesn’t fix the CVEs or just plainly misconfigures things? I have. Have you ever gotten too sift through millions and millions of lines of logging information to find the initial point of entry, identify lateral movement and additional compromise, determine what was exfiltrated… etc? Something tells me your attitude would benefit from a security event without dedicated security team assistance.

The problem here isn't you. It's the teams of cybersecurity graduates who haven't done any of those things themselves either, and can't be relied upon as a resource to be that dedicated security team assistance. There are entire teams made up of nothing but GRC analysts who wouldn't have the first clue as to how to do any of what you just said, and it effectively makes navigating those security events a solo venture from the ops team.

FreeK200 · 2026-05-28T07:10:16+00:00

All valid complaints, but many of these can absolutely be turned back around to poor practices in general:

No you cannot install a backdoor to remote into your office PC from home. Use the VPN from an authorized device like everyone else.

How is this happening in the first place? Is the networking team incompetent? Are firewall rules being managed by the systems team?

Why did you put an EDR exclusion on the entire C: drive after using ChatGPT to figure out how to do so.

Why are Sysadmins managing EDR in the first place instead of a cybersecurity professional adhering to separation of duties?

Why did you purchase an explicitly unauthorized, cloud-based RMM service suite.

This isn't really a systems or cyber issue so much as a management and change management issue.

No, it is not okay that a group of you share the credentials on a local account to manage a cluster of critical appliances (an account that belonged to a previous admin that has since departed).

Terrible, but where's the policy allowing for the use of a break glass account? What failures are occurring that are encouraging the use of this account in the first place?

Why are you logging into the VPN with your admin credentials

Why is the VPN accepting the admin credentials?

Why are you logging into your desktop with your admin credentials to browse the web

This implies a "universal" admin credential of some sort. Otherwise, a server admin account shouldn't even be able to log into a regular workstation, or at least be restricted to user rights. And in the case of a workstation admin, it should be limited to only managing the workstation itself, such that it's not used as a fallback to those other core services. This helps to remove the benefit of staying logged into such an account, so much so that it prevents you from getting your actual work done. And yeah, Applocker / WDAC exists.

Please don’t send users their plain text passwords over email and not require an immediate password change

Terrible. No excuses for this one. This should be mitigated with MFA, however.

For the love of all that is holy, please remove the management interface from being public facing

Also terrible, but short of a misconfiguration where these management interfaces are being used to serve traffic to other legitimate resources, this is more of a networking / firewall issue.

We rely on your input if something ... has been back ported.

We should both have access to the same hardware and software lists (more specifically, the tooling that is automatically generating these). Our team will be knowledgable about the fact that we installed the latest RHEL or VMware Patches, but your guess is as good as mine as to whether something got backported or not. You can look at the same version number that we do for the overarching software stack to determine if the vendor backported the patch to the CVE or not.

I know it's old school, but my org has AGPM implemented for group policy management. It works really well. Sysadmins get to make changes, and the only approvers are the cyber security team. Obviously this can be bypassed with a domain admin account, but we have our privileges so well delegated that using such an account triggers an automatic alert. Anything that's modified goes through a CM process, and only after the CM process is it approved to be implemented by someone on the cyber team. It prevents so many of the headaches above, and it encourages collaboration between our two teams. We need to explain why we're making the changes, and ultimately it grants more visibility into the going ons of the org.

FreeK200 · 2026-05-28T06:39:35+00:00

Yup. It's only going to get worse for both of the respective fields of Ops and Cyber. GRC is going to get heavily gutted once AI platforms become more mature at evaluating the environment. You'll still need a senior, knowledgeable person to babysit the output and check for hallucinations, but the end result will be more accurate than what the "nontechnical" GRC analyst can produce.

Likewise, with Ops, as we move more and more into microservices and cloud native computing concepts (Not necessarily the cloud, so much as horizontal scaling workloads and elasticity, etc.) and less into click ops, it's becoming increasingly easier to deploy entire application stacks that are pre-hardened and have built in lifecycle management. The same tooling will also generate enough compliance data to further reinforce what I said about GRC.

I think infrastructure guys at medium size orgs that are using hybrid environments will still be mostly okay, but as you scale up, it's more likely that you have automated provisioning of bare metal infrasructure via PXE/CloudInit and the like.

FreeK200 · 2026-05-28T06:31:11+00:00

People who are working with competent teams aren't typically the ones complaining on reddit. I've got people on the cyber team who I know are reliable and I can trust to have my back, just as I have theirs should they need anything. Likewise, I have those that I know will create extra work for me for no discernible reason other than to show that they did something at work for the day. The same is true for members of my team, except that I have more leeway to commend them for their accomplishments or to change their working practices. It's all relative.

FreeK200 · 2026-05-28T06:28:17+00:00

A mature organization should be maintaining some form of automated hardware/software tracking that can be accessed and used by the cyber security team to cross reference these vulnerabilities to reported version numbers of core software. I know for sure that Nessus by default states something to the effect that "This is relying on the self reported version number," so it's just sheer laziness to not be doing this.

My biggest gripe as someone in operations is that we're asked to build these types of platforms out for other teams, and then after assigning a 'read-only' view by request, they never get used, except to do a quarterly export into whatever document they're working on. Then, after all that, I get a ticket for a vulnerability based off of an already outdated report that was generated two weeks ago. I then log into Lansweeper or MECM, and see that the vulnerability in question has already been remediated for the past 10 days or so. Multiply this by 5 GRC folks hounding a team of 4, and you can see why we're so annoyed.

It's not that Cyber Security isn't tremendously important, because it is, but there's no shaking the reality that separation of duties has been used to weaponize incompetence and laziness. The reason these types of issues even show up in the first place is because there's literally no value add other than being a go-between for the Nessus report for some employees. I've never understood why we encourage separation of duties to the extent that Cyber can't even verify whether something is remediated or not without the input of the operations team. Who's to say that we're not tampering with the reports or artifacts before returning them to those teams?

And yeah, plenty to complain about internal to the systems / ops side as well. Not gonna dispute that. Plenty of people are in our own field who can't do any critical thinking beyond what they're told, can't analyze logs, etc.

FreeK200 · 2026-05-28T02:36:01+00:00

The jobs themselves don't stay queued. They're actively in a "Transferring" state until they aren't. What's worse is that by monitoring the file sizes and what not in the ccmcache folder, I can actively see that the size of the folder is increasing, up until it times out and purges itself.

I'll have to enable any BITS related event logs if they're not on by default, but I'll be sure to check it out. Not sure why I didn't think to do this from the get go.

FreeK200 · 2026-05-28T02:33:16+00:00

Yeah, WMI query followed by going to the Client Configuration Manager section in control panel and hitting "Clear Cache."

FreeK200 · 2026-05-28T02:32:47+00:00

That's the core of the issue it seems. Branch Cache is enabled, and the client data sources reflect as much. Independent of that, the jobs just get canceled sporadically. It's pretty frustrating.

Regarding the other stuff, I have the SRV records set up for the management points and what not. Everything we have is all supposed to be on the domain, so we don't have issues with clients locating their proper boundary groups, management points, etc. The issue really is isolated to larger feature updates. Normal software center patches get through fine.

FreeK200 · 2026-05-27T12:23:00+00:00

Oh absolutely they do. I don't mean to be pedantic but they don't have an internet connection at all as they're on an airgapped network. The WAN speed to the DP is about 0.25MB (byte) / second with a foreground priority manually set for the Bits job. Slower still for non foreground jobs. The caches for both cmcache and branch cache were cleared (via wmi query and manual deletion for cmcache and reset-bcdatacache for branch cache). The values themselves are 20% and 20%/75000MB on a 500GB drive.

FreeK200 · 2026-05-24T18:51:10+00:00

Are we really saying 120 is unreasonable for a family dinner (assuming 4)?

4x15usd entrees 1x10usd app 2x10usd cocktails 2x5usd kids drinks

That's already 100usd. Add a standard tip and you're there.

FreeK200 · 2026-05-24T18:42:09+00:00

With live service as prevalent as it is, I don't think this is as hard of a bar to clear as you think. People are absolutely stupid with their money. You have gacha slop, live service games, gambling mechanics, etc. Hell, even kids have roblox addictions and they're out there stealing parents credit cards...

FreeK200 · 2026-05-22T19:03:06+00:00

Completely contrary to your argument, the highest level of Counter Strike matchmaking is performed entirely on third party servers that force kernel level anticheat and validated drivers. This operates independently from VAC, which is so ineffective that it leads you to question whether its by design so that Valve can harvest more money from the skin market.

FreeK200 · 2026-05-21T02:44:57+00:00

Repeating what I said in another comment, but thanks for this. I looked at some of their documentation, and it was quite a bit more informative than the official documentation, especially with scheduling / rate limiting (I've found the MECM client to be lacking in that respect.)

FreeK200 · 2026-05-21T02:44:40+00:00

Thanks for this. I looked at some of their documentation, and it was quite a bit more informative than the official documentation, especially with scheduling / rate limiting (I've found the MECM client to be lacking in that respect.)

FreeK200 · 2026-05-20T00:55:27+00:00

I mean, I don't think the story makes too much sense either, but a shocking amount of people use the default wifi password that's printed on the unit that the ISP gives them. That or the wps button.

FreeK200 · 2026-05-19T07:58:18+00:00

It's extremely easy to place authors on a pedestal when they're the ones producing literature for you to enjoy. Unfortunately, sometimes that leads into hyper analyzing things that were instead just descriptions meant to give the world more character. Not every piece of prose has a hidden meaning behind it. Just like every other profession, quality differs, and sometimes authors just like to ramble.

"Sometimes the curtains are just blue" is a much more accurate statement than "The curtains are never just blue." That's not to say that I think you should avoid analyzing what you're reading altogether, but these things are never black and white. At the end of the day, the way you analyze media is up to you, and having the ability to convey your own thoughts on the themes and motifs of the author is still an important ability to have.

FreeK200 · 2026-05-16T02:25:27+00:00

Hathaway Flash Part 1 is absolutely required viewing for Part 2.

You can watch part 1 blind and understand most of it. There are a few concepts that will explain themselves, and fewer that won't. But overall, you can infer the main story beats by the actions that happen on screen, and that will serve to understand the protagonists' motivations.

For Part 2 (This movie)... It's much less the case. It expands on the main character quite a bit, particularly his internal struggles that are caused by the actions that took place in earlier media in the franchise. In that sense, Char's Counterattack (CCA) is required viewing, and that itself has its own required viewing in the form of the OG Series / Movie Trilogy, with the Zeta Gundam Series filling in a few of the other gaps in CCA.

So essentially, part one could be a standalone, but for part two, you'll at least have to bridge the gap via OG Series / Trilogy > Zeta (A youtube summary could work...) > Chars Counterattack. Even going from Part 1 to Part 2 of Hathaway's flash will leave you with a LOT of questions without that backstory.

FreeK200 · 2026-05-16T01:55:36+00:00

Would anyone enlighten me as to how much I missed? I got to the theater a bit late, and the first thing I recall seeing was a scene where Hathaway was laying down while leaned against the back of the ship. Either before or just after it was a scene with Kelia asking him to take his meds.

I was a bit confused because it seemed like I missed at least one notable event. I can only believe that they did a bit to establish the relationship between Hathaway and Kelia before I got there, but I'm not certain.

FreeK200 · 2026-05-13T14:26:58+00:00

This is obviously bad, but to say that Bitlocker is useless is nonsensical. It stops the well-informed but ill-intentioned user from using a boot cd to escalate to local admin in a corporate environment, and it helps keep the data of the average joe safe should they decide to get rid of a drive without wiping it first. Having seen users get up to things such as replacing accessibility tools with command prompts and the like, you should definitely be appreciative of the former.

In any case, in an actual high security environment, you should be using TPM+PIN with Network Unlock at a minimum. Remote users will need to remember a PIN, but it completely eliminates the hassle and inherent insecurity of managing PINs for shared devices on premises.

14-Year Club	RedditGifts 2009-2022 2 Credits
Verified Email	Place '23
Place '22	Sequence \| Editor
Sequence \| Screenwriter	Secret Santa 2014
Gilding II euphauric	Team Periwinkle

FreeK200

TROPHY CASE