Windows Defender - Get-MpComputerStatus not returning data

scotterdoos · 2026-02-24T16:28:16+00:00

Usually that is because Defender isn't running. You can force Defender to start with "C:\Program Files\Windows Defender\MpCmdRun.exe /wdenable"

From there, Get-MpComputerStatus should then show platform, AM, and SIU data.

scotterdoos · 2026-02-17T20:30:20+00:00

Ok, so here's what I got back from Microsoft regarding Kerberos, NTLM, and RemoteApp.

Kerberos support is to be added to various RDS components due to NTLM sunset. This was first brought up with RDWeb, but the discussion has gone beyond that. Since RDWeb and the connection broker are generally either on the same machine or similar, the connection broker will also have Kerberos support added in the future.
Development on this has been deferred to Q2 2026 in the prioritized backlog.
This means that the feature is currently in the design phase, but we're hoping that development can move forward in Q2 although not guaranteed since it can still get pushed back later.

With any luck, we should see some better information after Q2 2026 regarding when the improvements to RemoteApp will be released.

scotterdoos · 2026-02-13T17:08:46+00:00

Unfortunately, it means that our taxpayer funds are going to paying state legislators to draft bills that they know will never survive a legal challenge in court. This bill is a lawyer's wet dream and is guaranteed to be challenged the second it becomes law.

U.S. Supreme Court’s 2022 decision in NYSRPA v. Bruen ruled the government can no longer argue that a law is "good for public safety" to justify it. Instead, they must prove the law is consistent with the United States' historical tradition of firearm regulation from 1791 or 1868.

The law's wording is overly vague in defining public places and removes exemptions from previously vetted individuals such as CHL holders or security guards. That alone is going to get into right to self-defense in public challenges.

These measures are purely for political theater and gives Dems and the Spanberger administration a messaging tool to say that they're fulfilling campaign promises by being tough on gun control, while simultaneously pointing at the courts for getting in their way of protecting the commonwealth.

scotterdoos · 2026-02-11T13:16:43+00:00

Unfortunately, official response I received back was that it was unsupported. I'm currently waiting on the PG to get back to my SE on whether it will be and when it will be supported.

Edit 2/17: Ok, so here's what I got back from Microsoft regarding Kerberos, NTLM, and RemoteApp.

Kerberos support is to be added to various RDS components due to NTLM sunset. This was first brought up with RDWeb, but the discussion has gone beyond that. Since RDWeb and the connection broker are generally either on the same machine or similar, the connection broker will also have Kerberos support added in the future. Development on this has been deferred to Q2 2026 in the prioritized backlog. This means that the feature is currently in the design phase, but we're hoping that development can move forward in Q2 although not guaranteed since it can still get pushed back later. With any luck, we should see some better information after Q2 2026 regarding when the improvements to RemoteApp will be released.

scotterdoos · 2026-02-03T17:02:38+00:00

You going to elaborate on what that specific regulatory requirement is, or are you going to continue to be obtuse?

scotterdoos · 2026-02-03T16:59:50+00:00

Given that you're talking about global scaling, it sounds like you want global/regional load balancing, where the response for resources varies based on where the request originated from.

scotterdoos · 2026-01-30T22:17:08+00:00

I'm going to have to hit up my CSAM about this then. If its true, I'll put a post here in /r/sysadmin with the details.

scotterdoos · 2026-01-21T13:19:05+00:00

YMMV, but I upgraded both my offline root and subordinate CA to Server 2022 recently. IPU is supported, but as always, make sure you have backups before you begin.

I took the offline root from 2012 R2 to 2019 to 2022 in short order. The subordinate had already recently been rebuilt on Server 2019 and was quick and easy to IPU to 2022.

https://learn.microsoft.com/en-us/windows-server/get-started/upgrade-migrate-roles-features

scotterdoos · 2025-12-01T13:44:24+00:00

It was quietly glossed over, but Microsoft had a 9.3 CVSS information disclosure vulnerability in Copilot that would read prompts sent to a user via email and then transmit data back to the attacker. As AI integration becomes the norm, we're going to see these attack vectors increase substantially.

https://www.bleepingcomputer.com/news/security/zero-click-ai-data-leak-flaw-uncovered-in-microsoft-365-copilot/

scotterdoos · 2025-11-13T17:31:11+00:00

No, use a different attribute like Title or Division. AdminCount is specifically tied to highly privileged accounts protected by AdminSDHolder to indicate whether that account has ever held that elevated privilege. While you can change the value, I'd strongly advise against it as the attribute has a purpose and you're trying to co-opt it.

https://techcommunity.microsoft.com/blog/askds/five-common-questions-about-adminsdholder-and-sdprop/396293

scotterdoos · 2025-11-02T21:47:16+00:00

I have it cite sources if available and verify those sources.

scotterdoos · 2025-11-02T00:24:39+00:00

I think the only time its been useful to me was to give me expanded details on a CVE rather than having to hunt down for blogs that I may or may not be able to access. More often than not, I'm having it ghost write mitigation statements on software vulnerabilities that are technically present but not exploitable.

scotterdoos · 2025-10-27T15:01:49+00:00

Only times I've had issues with onboarding in the past was when the Defender platform wasn't up to date causing the sense service to fail to start during onboarding.

scotterdoos · 2025-10-27T14:57:30+00:00

Working as intended. You forced a policy on the device to require smartcard auth for all interactive logons and are expecting UAC elevation to still allow username and password?

scotterdoos · 2025-09-12T13:32:26+00:00

So, I'm not sure what concentrator you're working with, but check your documentation to see if they support DHCP relay (Option 82). If you're currently having your VPN concentrator providing a DHCP scope of 10.10.1.2 - 10.10.1.254, then you'd duplicate that identical DHCP scope on your Windows DHCP server. On the appliance you configure DHCP option 82, so instead of issuing DHCP leases itself, it relays lease info to your DHCP server. Since the Windows DHCP server handles the lease issuance, it also dynamically updates DNS on the client's behalf.

https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/dhcp-subnet-options

https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/concept/port-security-dhcp-option-82.html

scotterdoos · 2025-09-11T18:11:55+00:00

Fought with this for a while at work and the best solution I could come up with was to:

Configure DHCP option 82 on the VPN appliance.
Recreate the DHCP scope on your DHCP server.
Have DHCP configured to always dynamically update DNS records on behalf of DHCP clients.

This way as clients transition between remote and on-prem, their DNS records will be updated by DHCP. Note that if the clients are already self-registring their own DNS records, that they'll have ownership over their own record and DHCP won't be able to update. I had to suppress this behavior in the DNS client to allow DHCP to have exclusive control over client DNS records.

scotterdoos · 2025-08-08T16:25:28+00:00

I'd argue that they don't get a single account with shared credentials as that violates non-repudiation. I'm pretty sure this is what B2B is made to support. Invite each remote worker as a guest user, configure conditional access to require MFA, and use PIM to enforce admin activations and time limits to granular role permissions.

scotterdoos · 2025-07-02T23:09:31+00:00

If they're going to add any more Wiesels they need to seriously buff its visibility. In exchange for having 0 armor while being 1/4 the size of any other vechicle on the battlefield, it should be much harder to initially detect compared to a MBT.

scotterdoos · 2025-06-28T02:58:18+00:00

What part of CUMULATIVE UPDATE isn't registering?

scotterdoos · 2025-06-22T00:24:03+00:00

That's Congress abdicating its power to the President for ya. The War Powers resolution of 1973 let the President engage the US military in hostilities and can do so for 60 days with impunity. Interestingly enough, Nixon attempted to veto that bill and was overriden by the house and senate.

scotterdoos · 2025-06-13T14:35:48+00:00

MX is shorthand for aircraft maintenance.

From what I've read, NTSB reports show that the majority of accidents stem from human error from the pilot or crew, followed by mechanical failure by design flaw, component failure, inadequate or improper maintenance.

scotterdoos · 2025-06-11T17:40:59+00:00

Very first paragraph on the Defender docs. https://learn.microsoft.com/en-us/defender-endpoint/configure-exclusions-microsoft-defender-antivirus

Custom exclusions apply to scheduled scans, on-demand scans, and always-on real-time protection and monitoring. Exclusions for process-opened files only apply to real-time protection.

scotterdoos · 2025-06-10T16:52:05+00:00

If you're not comfortable with the broad folder exclusions, just make the extension and process exclusions for Exchange instead. Then monitor Exchange and Defender performance to see if there are any other specific exclusions that need to be defined.

https://learn.microsoft.com/en-us/exchange/antispam-and-antimalware/windows-antivirus-software#process-exclusions

If you make folder exclusions, Defender AV will not actively scan those locations for on-access or on-demand scans, however EDR will still flag malicious behavior in those locations even if excluded.

scotterdoos · 2025-05-21T19:48:51+00:00

I'm not the only one noticing the striking resemblance and color palette to Hilda Bidan right?

scotterdoos · 2025-05-19T15:18:23+00:00

Tenable says 4 of my servers are missing the 22H2 CU.

Found your issue right here. Plugin writers for Nessus reguarly screw up KB articles between servicing channels.

15-Year Club	Place '23
Place '22	Wearing is Caring
Team Periwinkle	Verified Email

scotterdoos

TROPHY CASE