MS-DEFCON 2: Microsoft and compliance

By Susan Bradley

An international company must deal with the jurisdictions in which it operates. Microsoft is no different.

February is always marked on my calendar as the month in which Microsoft is back in full force, holidays behind them. That means we’ll see a rash of updates. I’m raising the MS-DEFCON level to 2 as a result.

Some of those updates will deal with the requirements of the Digital Markets Act (DMA) in the European Economic Area (EEA). Microsoft published a post in the Windows blog on this subject. The necessary changes to bring Windows into compliance will be dribbling out until the deadline — March 6, 2024 — and will be seen in updates to Windows 10 22H2 and Windows 11 23H2.

The major change is the ability to uninstall built-in Windows apps such as Camera, Cortana, Photos, Edge, and Web Search from Bing. The operating system will respect chosen default types as well as identify those apps that are specifically system applications.

If many of these changes sound like a really good thing, I agree! I’m hoping that they will make it into all Windows releases.

I would be remiss if I didn’t bring up our dear friend KB5034441, the source of much consternation in January and the spark that lit up our extensive coverage. Although we had hoped for a quick fix, as of this Alert Microsoft has not released an update. If you used the tools at BlockAPatch to hide the update, remember to remove the block once you hear from us that the fix is in.

Over the last several weeks, it’s been interesting to see many review the default WinRE partition location in the various releases of Windows 10. You’ll recall that all versions of Windows need this WinRE partition patch, but Windows 10 has been the primary victim of update failures for the patch.

Over the years, Microsoft has not been consistent about where the recovery partition was located. I’m still hoping — no, that’s not right — I expect Microsoft to come up with a permanent solution to the problem. In the meantime, I’ll keep an eye out for any changes and re-releases.

My fingers are crossed that the February updates will be nice and boring — or, to put it another way, not so eventful as the unexpected havoc in January. I anticipate many security fixes in both Windows and Office, now that Microsoft is fully back in the office.

One thing we do know about is a problem with Outlook, as described in the Microsoft support post Outlook unexpectedly has an App Search bar above the message list. I guess “unexpectedly” is Microsoft’s new word for “bug.” At any rate, the post provides workarounds to roll back to a prior version of Outlook or put the Reading Pane at the bottom of your view. That last one sounds a bit weird.

As usual, I recommend that, at a minimum, you defer updates until we get a better picture of what lies ahead. Whether you prefer to use the toggle to defer by date, or any of the tools to manually control updates, the main thing to consider is burrowing like groundhogs and not coming out for updates until we know what to expect. We’ll keep you up to date.

For those of you who also manage or maintain Apple devices in a business setting and have tried out the new Stolen Device Protection, remember this: when the feature is turned on, more-sensitive operations require a Security Delay — a successful Face ID or Touch ID, an hour-long wait, and then an additional successful biometric authentication. Security Delay helps prevent someone from making changes to settings that can lock you out of your iPhone or Apple ID account. The time period for the delay is not configurable. In addition, I’ve seen reports that, after this policy is turned on, you can’t install management certificates. Thus test before deploying in a business setting.

If you manage many printers in a network setting, here’s some follow-up guidance that came across my desk the other day. In the post A Practical Guide to PrintNightmare in 2024, itm4n points out that there are some trade-offs to make if you want users to be able to install shared printers. If you are struggling to come up with a good compromise between usability and security, I’d recommend reviewing that post.

As you may be aware, Microsoft has been infiltrated several times within the past year, most recently when an malicious OAuth application was given rights it shouldn’t have. My recommendation to Microsoft? Use your own tools. Take the time to review the CISA Microsoft 365 secure configuration guidance. Then make sure your users do not have the right to install third-party apps and that they must have an admin approve the prompt. (See Microsoft’s Managing user consent to apps in Microsoft 365 post.)

Also, log in to your Microsoft 365 account and review which applications are already listed as having rights to your tenant. Go to entra.microsoft.com in the Applications settings, and look for App registrations. Ensure you have identified and recognized the applications listed. Don’t panic if you see a P2P Server listed — it’s a placeholder for the first AD-joined machine. But vet and investigate any other application.

Resources

Source

(That's 15 news posts in 38 minutes. Enjoy...)