Windows 10: Inconsistent Controlled file access behaviour 1809 LTSC

Discussion in 'AntiVirus, Firewalls and System Security' started by Chrysalis, May 4, 2021.

  1. Chrysalis Win User

    Inconsistent Controlled file access behaviour 1809 LTSC


    Don't want to pollute the tutorial thread with this problem, seems to be one of many apparent bugs I have come across.

    But here is the description of the problem.

    So today I started looking into this feature, I had noticed it was already turned on for a while on the default settings, didn't need to toggle the widget, but since I had Defender off for several weeks in practice it has only been on for maybe a week.

    So I wasn't sure if it was working at all, so I enabled it for my user profile folder knowing that many apps constantly write to that location, and sure enough it didn't take long to start seeing notifications.

    However I have noticed two clear problems. Both apparent in audit mode.

    Audit mode can only be accessed via group policy, the security applet toggle is just a basic on and off.

    So looking at the documentation on Microsoft's website and the description inside group policy, the way this feature should work is there is a predefined list of whitelisted applications, I expect for user convenience, they don't want users being hassled having to whitelist explorer, notepad etc. But this whitelist is not limited to Microsoft binaries like UAC, it does include 3rd party applications as well.

    After I had added my user profile folder to the protection list very quickly I received prompts from dumeter service, Vivaldi web browser and PowerShell.

    From the logs, PowerShell was for updating its command history. Vivaldi was for updating the recent files location, but it would also be for the browser profile if I hadn't moved it off my user profile folder.

    So there are a few problems I have noticed.

    When I enabled audit mode after I realised that is a more sensible approach to seeing what applications would be affected, two things were happening.

    1 - After a period of time, the logs were reporting blocked access instead of "would be blocked", and I got the blocked notifications as well. I checked in group policy, still on audit, and the security applet was still forced in the off position saying settings managed by organisation. So this problem is kind of like the anti tamper weirdness that 1809 currently has.
    2 - Once this starts happening Vivaldi suddenly is not whitelisted anymore, I start getting notifications and log entries for it, if I push it back to block mode sure enough it's still in the whitelist.

    I do have a working theory as to what is going on, basically Defender is still actively updated on 1809 LTSC, but the security applet is not being updated along with it, possibly along with other OS support files, and I feel it may have got to the point the two are not fully compatible with each other anymore (remember all the anti tamper weirdness posted in tutorial thread for LTSC). I am now finding myself questioning the LTSC decision, as in theory it should be a more stable build of Windows, but I expect Microsoft are treating it as an afterthought compared to the latest consumer versions. Most bugs I have found are Defender/security related, I found one last week where the Defender log is not honouring timezone settings, so it was showing a time one hour in the future on its log. Yes I did screenshot it lol. (attached at bottom, check the definition update time and compare to clock at bottom right)

    Not sure what I am going to do at this point on the Windows build, as I don't like the idea of feature updating Windows on an annual basis, maybe 21H2 LTSC will be much better (at least for a couple of years before Defender gets too detached again) so will see.

    LOG snippets below.

    At 22:15:49 I had switched from audit to blocked and back to audit again, which made it audit again. After that the setting was not changed, and you can see on the next occurrence, when back at the PC just after midnight, it started blocking even though it's still in audit mode. Also Vivaldi remains in the whitelist whilst this is occurring.

    Code:
    PS C:\Windows\system32> Get-WinEvent -LogName "Microsoft-Windows-Windows Defender/Operational" | Where-Object {$_.ID -eq "1123" -or $_.ID -eq "1124" -or $_.ID -eq "1127"}

       ProviderName: Microsoft-Windows-Windows Defender

    TimeCreated            Id LevelDisplayName Message
    -----------            -- ---------------- -------
    30/04/2021 00:04:03  1123 Warning          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...
    30/04/2021 00:03:47  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 22:15:49  1124 Information      C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...
    29/04/2021 22:15:19  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 22:08:36  1124 Information      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe would ...
    29/04/2021 21:52:33  1123 Warning          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...
    29/04/2021 21:52:10  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 21:14:09  1123 Warning          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...
    29/04/2021 21:02:36  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 21:02:36  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 21:00:13  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 21:00:13  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 20:38:59  1124 Information      C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...
    29/04/2021 20:38:59  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    29/04/2021 20:27:18  1124 Information      C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...

    - - - Updated - - -

    An update, I discovered if I turn this off in the security applet, then enable audit mode, the mode sticks, so I expect it's another anti tamper protection. So it does behave in audit mode providing it was already turned off before enabling it.

    - - - Updated - - -

    Another update, it actually still is all over the place, after some sleep and using the PC again, I noticed I got another "is blocked" notification (still in audit mode) so checked the logs. Here are the latest entries.

    Code:
    TimeCreated            Id LevelDisplayName Message
    -----------            -- ---------------- -------
    30/04/2021 13:49:41  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    30/04/2021 13:17:20  1124 Information      C:\Program Files (x86)\MPC-HC Repack\mpc-hc64.exe would have bee...
    30/04/2021 11:30:25  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    30/04/2021 10:38:29  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    30/04/2021 05:25:23  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...
    30/04/2021 03:09:09  1124 Information      C:\Program Files\KeePass Password Safe\KeePass.exe would have be...
    30/04/2021 02:58:13  1124 Information      C:\Program Files (x86)\BrokenURL\BrokenUrl.exe would have been b...
    30/04/2021 02:54:39  1123 Warning          C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...

    I noticed a pattern, it was ignoring audit for vivaldi.exe, but running the rest of the applications in audit mode. Audit/Block/Off is a global setting, not per application. I then restarted Vivaldi and PowerShell, I think the issue is that the applications only apply the new settings on a new launch.

    :)
     
    Chrysalis, May 4, 2021
    #1
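
The audit-versus-block mismatch described in the post above can be checked per process. The PowerShell below is an added example, not part of the thread or of any Microsoft tooling: `Get-CfaEventSummary` is a hypothetical helper, the sample records are constructed from the log lines quoted in the post, and the mode values (0 off, 1 block, 2 audit) are those reported by `Get-MpPreference`.

```powershell
# Added example (not from the thread). Get-CfaEventSummary is a hypothetical helper.
# It counts Controlled folder access events per process and flags any process whose
# events contradict the configured mode (e.g. 1123 "blocked" while in audit mode).
function Get-CfaEventSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,         # need TimeCreated, Id, Message
        [Parameter(Mandatory)] [int]      $ConfiguredMode, # 0 = off, 1 = block, 2 = audit
        [datetime] $Since = [datetime]::MinValue           # when the mode was last changed
    )
    $Events |
        Where-Object { ($_.Id -in 1123, 1124) -and ($_.TimeCreated -ge $Since) } |
        Group-Object -Property {
            # Assumption: the first *.exe path in the message is the writing process,
            # as in the 1809 output quoted in the post.
            [regex]::Match($_.Message, '[A-Za-z]:\\.*?\.exe', 'IgnoreCase').Value
        } |
        ForEach-Object {
            $blocked = @($_.Group | Where-Object Id -eq 1123).Count
            $audited = @($_.Group | Where-Object Id -eq 1124).Count
            [pscustomobject]@{
                Process  = $_.Name
                Blocked  = $blocked
                Audited  = $audited
                LastSeen = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
                Mismatch = (($ConfiguredMode -eq 2) -and ($blocked -gt 0)) -or
                           (($ConfiguredMode -eq 1) -and ($audited -gt 0))
            }
        }
}

# Constructed sample records, modelled on the entries quoted in the post
# (mode switched back to audit at 29/04/2021 22:15:49; messages truncated as shown there).
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2021-04-29T22:15:49'; Id = 1124; Message = 'C:\Program Files\Vivaldi\Application\vivaldi.exe would have been...' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-04-30T00:03:47'; Id = 1123; Message = 'C:\Program Files\Vivaldi\Application\vivaldi.exe has been blocke...' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-04-30T00:04:03'; Id = 1123; Message = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has be...' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-04-30T03:09:09'; Id = 1124; Message = 'C:\Program Files\KeePass Password Safe\KeePass.exe would have be...' }
    [pscustomobject]@{ TimeCreated = [datetime]'2021-04-30T13:17:20'; Id = 1124; Message = 'C:\Program Files (x86)\MPC-HC Repack\mpc-hc64.exe would have bee...' }
)

Get-CfaEventSummary -Events $sample -ConfiguredMode 2 -Since '2021-04-29T22:15:49' |
    Format-Table -AutoSize

# Live use on the affected machine (elevated prompt):
#   $ev   = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1123, 1124 }
#   $mode = (Get-MpPreference).EnableControlledFolderAccess
#   Get-CfaEventSummary -Events $ev -ConfiguredMode $mode -Since '<time the mode was changed>'
```

Processes that still show `Mismatch` after being restarted are the ones worth investigating further, since the post attributes the stale behaviour to applications launched before the mode change.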
  3. Upgrading from Windows 10 LTSC 1809 to another version

    I get that LTSB and LTSC's whole thing is that "stability" side of things. But since 1809 is incredibly buggy and royally sucks, I want to know if there is a way to move LTSC to a different version.

    Trying to deploy LTSC 2019 (1809) on my campus but the stupid default programs bug is straight up bricking explorer, effectively turning the computer into a potato. Need a different version.

    ***Original title: Is there a way to upgrade Windows 10 LTSC 2019 (which is version 1809) to a different version?***
     
    DavidTipps, May 5, 2021
    #3
  4. jimbo45 Win User

    Inconsistent Controlled file access behaviour 1809 LTSC

    Outlook 365 inconsistent login behaviour with IMAP gmail

    Hi there
    @fireberd

    I've long since complained about the lack of configuration possibilities for email accounts in the latest versions (click2run) of Office 2016/2019/365 especially if you have different inbound / outbound mail servers / different user accounts on them etc etc.

    However there is an applet in the control panel (still called Mail Outlook 2016) which allows access to the classical advanced configuration screens -- the new simplified screens are 100% useless if you have anything other than typical bog standard email accounts that the Ms database knows about -- the auto customising screens are an abomination !!

    If you have an older version of outlook 2016 you can export and re-import (it's a reg file) the profiles but that's a bit of a messy solution.

    Use the control panel applet while it still exists. Confusing but for O/2016, O/2019, O/365 it's still called Mail Outlook 2016.

    Use the manual setup (2nd option on screenshot 2 - haven't got english version but it's in the same place on an eng screen) -- then you'll get all the advanced options etc as before Ms went for the ridiculous "auto setup" things - these do actually work !!!! I have some accounts with domain mail servers and they all send / receive mail via outlook 2019 perfectly now.


    etc etc.

    Cheers
    jimbo
     
    jimbo45, May 5, 2021
    #4