Disable Windows Defender Summaries via Registry

Windows Defender does some great stuff, but in my opinion one of the more ‘noisy’ things it doesin Windows 10 is provide a frequent notification to say it’s working but hasn’t found anything.

Many users may find this notification unnecessary and breaking their work focus just to be told that their PC is fine. Especially in a business environment, they’d think that is someone else’s problem.

Windows Defender Security Center Settings

A user can turn these off themselves of course, in the Windows Defender Security Settings page under Virus & threat protection notifications. It’s possible to turn off all informational notifications, or untick certain types.

Although there is an inbuilt Group Policy to also turn off informational notifications, to me I’d still want users knowing a threat was found or something was blocked – those are useful to the user. However the recent activity and scan results is the one I’d suggest disabling, but there’s no Group Policy for that.

Luckily this is just a single registry key which I’ve found through using Procmon:


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Virus and threat protection\

REG_DWORD: SummaryNotificationDisabled

Value: 1 (decimal)

This setting can be rolled out through Group Policy (even as a run once and don’t reapply) if you’d like users to have control over turning the setting on.

Microsoft Software Ready For Betting?

If there’s one thing difficult to accuse modern American tech companies of, it’s inadequate preparation. While the consumer-facing sides of these companies deal with exciting products, software updates, and things of this nature, the same companies are constantly working behind the scenes in order to enrich their offerings. This includes development, marketing, maintenance, and perhaps most interestingly, concept consolidation and patent acquisition.

There are constant examples of major tech companies quietly filing patents long before a product actually goes to market, from a given type of screen for a mobile phone to current rumors of Apple’s designs for augmented reality glasses.

One recent example of this that seems to have flown under the radar is Microsoft’s file for Patent No. 0125691. This came to light late in 2016, with notes that the patent application includes words and phrases like “real-time” and “determine payout of event” that appear to point toward a gambling application. Said one article on the development, it could be a critical piece of a future with widespread legal gambling in the United States.

In 2016, that still sounded very much like a future, because there was little publicly evident momentum toward establishing legal betting beyond places like Nevada and New Jersey. That all changed early in 2018 however, when a Supreme Court decision altered the betting landscape significantly. It remains up to individual states to legalize the activity (and you can track their progress here), but to put it in clear terms, it’s now legal to make it legal, if that makes sense. And that means the environment Microsoft appears to have been preparing for with this particular patent is closer to materializing than we might have once believed.

As to what that environment will look like, and what sort of activity Microsoft could ultimately get involved with, we might best look to examples set in countries where sports betting is legal. This has been the case in the UK for some time for instance, and the same can be said of Australia. In these countries there are numerous betting sites available, and they tend to be accessible both online and via mobile. It may well be that Microsoft is aiming for the higher end of all this as well.

It’s recommended that people looking for modern betting sites pay attention to in-play services, which essentially allow for real-time gambling and decision-making, but which aren’t necessarily available through some older platforms. Given that the patent, as mentioned, references the term “real-time,” it would appear that Microsoft is up-to-date on what bettors look for in modern sites or applications.

It’s still not crystal clear how or when the patent might be used. But we may find out sooner than we thought thanks to the progress of legal betting in the U.S., and it certainly sounds as if the tech giant is going to have its own services available in this area. 

Azure AD Sign-in via Google Chrome and Conditional Access

While testing MFA, Conditional Access and all the other good stuff Azure AD provides, I came across this scenario:

Conditional Access configured to require MFA if the user wasn’t on an Azure AD Hybrid PC, or coming from an internal IP.

User on an Azure AD Hybrid PC, but on an external IP.

User uses Chrome to access a Microsoft resource, and gets challenged despite being on the Azure AD Hybrid PC.

It seems that the sign-in process isn’t aware of the state of the computer when using Chrome- but there is an easy fix: deploy Windows 10 Accounts extensions for Chrome.

This is really easy to do via Group Policy.

  1. If you don’t already have them, get the ADMX Group Policy files for Google Chrome and deploy into your environment
  2. Under User Configuration > Policies > Administrative Templates > Google > Google Chrome > Extensions, configure the policy ‘Configure the list of force-installed apps and extensions’:

3. Change the radio button to enabled, click ‘Show’ and enter the value for the add-in

ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

4. Do your normal process of configuring the Group Policy object to target the users you want, run a gpupdate and see the addin silently turn up in Chrome. The only user impact will be a visible Windows logo to the left of the Google Accounts area in the top bar of Chrome.

Peter van de Woude has documented how to do this via registry, so read his post if you want info on how to do that –  as well as how to then deploy via Intune and PowerShell script.

Worth doing if you use Azure AD connect, and highly recommended if you’re using Conditional Access. 

“This page wants to run the following add-on…” won’t go away in Internet Explorer

In the last few weeks, I found that a lot of users were complaining about IE11 on Windows 10, and the prompt “This page wants to run the following add-on” with the add-on name, and the allow button:

This webpage wants to run the following add-on ‘Adobe Flash Player’ from Microsoft Windows Third Party Application Compon…

However, clicking the ‘Allow’ button, or using the drop down arrow to choose ‘Allow for all sites’ did nothing, and the prompt would show again and again.

I ended up working out this was due to the Add-On List GPO to list IE add-ons that was being used to manage the add-ons I wanted disabled or enabled https://docs.microsoft.com/en-us/internet-explorer/ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy

The policy explicitly states “The ‘Deny all add-ons unless specifically allowed in the Add-on List’ policy setting will still determine whether add-ons not in this list are assumed to be denied.”

However, since a recent update (either Windows 10 1803, or a recent security patch  – unsure which!), anything not listed in the Add-On List was being blocked. 

Adding an update to the list and allowing it with the ‘1’ value fixes the issue for that particular add-in, but it shouldn’t be working this way.

I even tried disabling the Group Policy setting ‘Deny all add-ons unless specifically allowed in the Add-on List’ but that made no difference. That policy also states: ‘If you disable or do not configure this policy setting, users may use Add-on Manager to allow or deny any add-ons that are not included in the ‘Add-on List’ policy setting.’

Something wacky’s going on – if I find out more I’ll update this post, but if you do use the ‘Add-On List’ GPO for Internet Explorer, be aware of this potential issue. You may need to list all your add-ins into the policy to avoid this.

I’ve also updated all my ADMX files for Win10 1803.

Users Managing Email Groups and Exchange Online

For a very long time, users have been able to manage email group members via the Outlook client. Going into the Address Book, finding the group in the Global Address list, going into Properties and choosing ‘Modify Members’:

From there, someone can add or remove members as long as they’d been added to the “Managed By” field against the object in Active Directory, as well as ticking the box “Manager can update membership list” below it.

Easy! Except, that no longer works if the user is in Exchange Online, and the Email Group is from on-premises AD rather than Azure AD/Office 365. It’s not supported. This problem has been around for a while, back in 2015 Perficent wrote about this same topic. The options given for managing these groups are:

  • Exchange Admin Center
  • Exchange Management Console
  • Exchange Management Shell

None of those are what you want your standard users touching in my opinion – although you can give someone access to the Exchange Admin Center and only see the distribution groups they own – but for me, I’m still on Exchange 2010 so this isn’t an option.  This leaves you with a few options:

1. Change all your email groups to Cloud based groups. If this makes sense for you, doing this will let the manager of a cloud based group add/remove members via the Outlook Address Book.
You can also look at changing distribution groups over to Office 365 Groups (which are also cloud based), which give a whole bunch of different features beyond a what a distribution group can do, while giving the same standard DG experience.

2. Make all requests come through to IT so you can make the changes yourself. Not great for anyone involved, as it’s double/triple handling something where the user could quickly do it themselves.

3. Create Dynamic Distribution Groups and let automation do it’s thing – which will work for some, but exceptions to rules and the inability to see who’s in a group can make this frustrating for some.

4. Provide another way for staff to change group members themselves.

I’ve gone with option 4 – as I’m a big fan of Adaxes which I’ve written about a few times on my blog before, and they have a nice way of giving users a web interface that only lets staff manage the groups they’re the owner of.

There’s other ways to do this as well of course and other 3rd party solutions that can expose ways of adding/removing members of a on-premises distribution group – but remember there could be up to a half hour delay in syncing the change from AD to AAD via Azure AD Connect. If possible, look at adding a trigger at the end of a group change to do a delta sync:

Start-ADSyncSyncCycle -PolicyType Delta

That’ll be the quickest way to get the change up quickly, as staff may be used to the change working immediately.

There’s a lot to consider on how you’ll manage this, so make sure it’s sorted before you migrate – or expect a lot more tickets going through your helpdesk.