security
4765 Topics

Save the date: Windows Office Hours - June 19, 2025
Join us for our next monthly Windows Office Hours, on June 19th from 8:00-9:00a PT! We will have a broad group of product experts, servicing experts, and engineers representing Windows, Microsoft Intune, Configuration Manager, Windows 365, Windows Autopilot, security, public sector, FastTrack, and more. They will be standing by -- in chat -- to provide guidance, discuss strategies and tactics, and, of course, answer any specific questions you may have. For more details about how Windows Office Hours works, go to our Windows IT Pro Blog. If 8:00 a.m. Pacific Time doesn't work for you, post your questions on the Windows Office Hours: June 19th event page, up to 48 hours in advance. Hope to see you there!
5 Views 0 likes 0 Comments

Copy & paste permission error after Win11 23H2
I have a file share that has very specific permissions due to regulations. Users are only allowed to read and write files, but they are not allowed to delete or modify the files in any way once they are created, see picture below. Note that users do not have "Write attributes" or "Write extended attributes". Users get their permissions through nested security groups. This has been working well for several years when users had Win10 and the Win11 OS. But after users upgraded to Win11 23H2 they are getting an error when they are copying & pasting files from their workstation: "you need permissions to perform this action". The same user on a Win10 or Win11 22H2 workstation can perform the same copy & paste action. If I add the "Write attributes" or "Write extended attributes" permission to their security group they can copy & paste files to the share from a Win11 23H2 or 24H2 workstation. I know that the file explorer in Win11 23H2 got a new code base and many new features. Has anybody seen this behavior or can they replicate this problem?
76 Views 0 likes 5 Comments

KB5055528 Breaks RDP
Hello All, Looks like there is a bug with KB5055528. Once applied it breaks inbound RDP. Session prompts for user/pass then immediately disconnects. Once uninstalling the KB, RDP connections work fine. Anyone have a workaround or a new setting that I should be aware of? Other notes:
- I see the Audit Success in Event Viewer
- I see Session 2 has been disconnected, reason code 17 in TS logs
1.6K Views 6 likes 11 Comments

Hunting for MFA manipulations in Entra ID tenants using KQL
The following article, Hunting for MFA manipulations in Entra ID tenants using KQL, proved to be an invaluable resource in my search for an automated way to notify users of MFA modifications. I've adapted the KQL query to function within Defender Advanced Hunting or Azure Entra. My objective is to establish an alert that directly E-Mails the affected user, informing them of the MFA change and advising them to contact security if they did not initiate it. While the query runs correctly under Defender Advanced Hunting, I'm currently unable to create a workable custom alert because no "ReportId" is being captured. Despite consulting with Copilot, Gemini, CDW Support, and Microsoft Support, no workable solution has been achieved. Any insight would be greatly appreciated - Thank You!

```
//Advanced Hunting query to parse modified:
//StrongAuthenticationUserDetails (SAUD)
//StrongAuthenticationMethod (SAM)
let SearchWindow = 1h;
let AuthenticationMethods = dynamic(["TwoWayVoiceMobile","TwoWaySms","TwoWayVoiceOffice","TwoWayVoiceOtherMobile","TwoWaySmsOtherMobile","OneWaySms","PhoneAppNotification","PhoneAppOTP"]);
let AuthenticationMethodChanges = CloudAppEvents
| where ActionType == "Update user." and RawEventData contains "StrongAuthenticationMethod"
| extend Target = tostring(RawEventData.ObjectId)
| extend Actor = tostring(RawEventData.UserId)
| mv-expand ModifiedProperties = parse_json(RawEventData.ModifiedProperties)
| where ModifiedProperties.Name == "StrongAuthenticationMethod"
| project Timestamp,Actor,Target,ModifiedProperties,RawEventData,ReportId;
let OldValues = AuthenticationMethodChanges
| extend OldValue = parse_json(tostring(ModifiedProperties.OldValue))
| mv-apply OldValue on (extend Old_MethodType=tostring(OldValue.MethodType),Old_Default=tostring(OldValue.Default) | sort by Old_MethodType);
let NewValues = AuthenticationMethodChanges
| extend NewValue = parse_json(tostring(ModifiedProperties.NewValue))
| mv-apply NewValue on (extend New_MethodType=tostring(NewValue.MethodType),New_Default=tostring(NewValue.Default) | sort by New_MethodType);
let RemovedMethods = AuthenticationMethodChanges
| join kind=inner OldValues on ReportId
| join kind=leftouter NewValues on ReportId,$left.Old_MethodType==$right.New_MethodType
| where Old_MethodType != New_MethodType
| extend Action = strcat("Removed (" , AuthenticationMethods[toint(Old_MethodType)], ") from Authentication Methods.")
| extend ChangedValue = "Method Removed";
let AddedMethods = AuthenticationMethodChanges
| join kind=inner NewValues on ReportId
| join kind=leftouter OldValues on ReportId,$left.New_MethodType==$right.Old_MethodType
| where Old_MethodType != New_MethodType
| extend Action = strcat("Added (" , AuthenticationMethods[toint(New_MethodType)], ") as Authentication Method.")
| extend ChangedValue = "Method Added";
let DefaultMethodChanges = AuthenticationMethodChanges
| join kind=inner OldValues on ReportId
| join kind=inner NewValues on ReportId
| where Old_Default != New_Default and Old_MethodType == New_MethodType and New_Default == "true"
| join kind=inner OldValues on ReportId
| where Old_Default1 == "true" and Old_MethodType1 != New_MethodType
| extend Old_MethodType = Old_MethodType1
| extend Action = strcat("Default Authentication Method was changed to (" , AuthenticationMethods[toint(New_MethodType)], ").")
| extend ChangedValue = "Default Method";
let AuthenticationMethodReport = union RemovedMethods,AddedMethods,DefaultMethodChanges
| project Timestamp,Action,Actor,Target,ChangedValue,OldValue=case(isempty(Old_MethodType), "",strcat(Old_MethodType,": ", AuthenticationMethods[toint(Old_MethodType)])),NewValue=case(isempty(New_MethodType),"", strcat(New_MethodType,": ", AuthenticationMethods[toint(New_MethodType)]));
let AuthenticationDetailsChanges = CloudAppEvents
| where ActionType == "Update user." and RawEventData contains "StrongAuthenticationUserDetails"
| extend Target = tostring(RawEventData.ObjectId)
| extend Actor = tostring(RawEventData.UserId)
| extend ReportId= tostring(RawEventData.ReportId)
| mvexpand ModifiedProperties = parse_json(RawEventData.ModifiedProperties)
| where ModifiedProperties.Name == "StrongAuthenticationUserDetails"
| extend NewValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.NewValue),"[",""),"]",""))
| extend OldValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.OldValue),"[",""),"]",""))
| mv-expand NewValue
| mv-expand OldValue
| where (tostring(bag_keys(OldValue)) == tostring(bag_keys(NewValue))) or (isempty(OldValue) and tostring(NewValue) !contains ":null") or (isempty(NewValue) and tostring(OldValue) !contains ":null")
| extend ChangedValue = tostring(bag_keys(NewValue)[0])
| extend OldValue = tostring(parse_json(OldValue)[ChangedValue])
| extend NewValue = tostring(parse_json(NewValue)[ChangedValue])
| extend OldValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(OldValue,dynamic([' ','(',')']), dynamic(['','',''])), OldValue )
| extend NewValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(NewValue,dynamic([' ','(',')']), dynamic(['','',''])), NewValue )
| where tostring(OldValue) != tostring(NewValue)
| extend Action = case(isempty(OldValue), strcat("Added new ",ChangedValue, " to Strong Authentication."),isempty(NewValue),strcat("Removed existing ",ChangedValue, " from Strong Authentication."),strcat("Changed ",ChangedValue," in Strong Authentication."));
union AuthenticationMethodReport, AuthenticationDetailsChanges
| extend AccountUpn = Target
| where Timestamp > ago(SearchWindow)
//| summarize count() by Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn
| summarize arg_max(Timestamp, *) by Action
| project Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn
| sort by Timestamp desc
```

19 Views 0 likes 0 Comments

Program Data folder admin permissions corrupted - Help please!
Hi, I'd appreciate some help from an expert! My folder permissions in 'C:\Program Data\Dell' folder have somehow been restricted to Authenticated Users (by a Dell Command Update failure or an unfortunate Dell Core Services uninstall), which now limits that Folder to 'Authenticated Users' - read and execute, read, and list folder contents, so software installs can't create new folders and write files.

Within the Dell folder there are a number of folders that have full control (SYSTEM, Administrators permissions etc), but some that are ONLY 'Authenticated Users': D3, DTP.DataManager.SubAgent, DTP.Diagnostics.SubAgent, DTP.Instrumentation.SubAgent, ePSA, MyDell Notification Manger, orca, OS Recovery Tool. DTP (Dell Data Protection) main folder and Dell Vault are OK.

Dell are suggesting I reinstall the OS, but I have a huge number of apps installed and am trying to avoid that - everything else but Dell apps seems to be working. The machine is an XPS15 9520 laptop on Win11 Pro 24H2.

I can create new folder 'Dell2' and copy all the folders across and they then have full permissions, but of course I can't copy those folders back into the original folder with corrected permissions... What would happen if I rename the C:\ProgramData\Dell folder to something else and then rename the Dell2 folder to 'Dell', and try again and see if SupportAssist or DCU installs correctly, or could that do more damage? I think some Dell security stuff is in the BIOS but some will be in registry so would that 'notice' the folder it's looking for is not the original folder but a different one with the same name? Or is it better to install another user and give them admin privileges and have to login with a different ID for Dell software updates from now on?

NB this machine is set up for LOCAL ACCOUNT with a password, WITHOUT a Microsoft account on the machine, though it does have O365 subscription...

thanks so much!
54 Views 0 likes 6 Comments

Fingerprint recognition issue on Matebook pro x after clean Win 11 install
Laptop: Huawei MateBook X Pro (2018 model MACH-WX9), after performing a clean installation of Windows 11 24H2.

Background: I recently repartitioned my hard drive to merge the C:\ and D:\ partitions into a single C:\ drive. As part of this process, I performed a clean installation of Windows 11 (latest stable version, fully updated) using the official Microsoft USB installer. I installed Huawei PC Manager to restore missing drivers, and all device drivers (including fingerprint and chipset) are now correctly installed, according to Device Manager and Windows Update.

The Issue: The fingerprint sensor is detected and shows the correct driver version (Goodix Fingerprint Driver v1.1.11.41, dated 2020). I had to manually install this version from the Huawei site as the PC Manager installed the .32 version (which also didn't work). However, when setting up Windows Hello Fingerprint, I am prompted to tap repeatedly but the process never completes, suggesting the sensor isn't fully functional. PC Manager also states the sensor as 'abnormal'.

What I've Tried:
- Installed all optional and recommended Windows Updates (including drivers).
- Installed and updated all drivers via Huawei PC Manager.
- Confirmed that the fingerprint sensor was fully functional before the reinstallation.
- Verified that all other device drivers (including Intel MEI and Watchdog Timer) are installed and stable.

My Conclusion: It appears that the existing Goodix fingerprint driver (v1.1.11.41) may not be compatible with newer Windows 11 security requirements — specifically Memory Integrity (HVCI).

I’m reaching out to ask: Is there an updated fingerprint driver available or in development that is compatible with the latest Windows 11 build and security features? If not, is there a recommended workaround or plan for future support? I have seen blogs of users disabling Memory Integrity, but I am not prepared to do this to risk malicious malware entering my system.

Thanks
12 Views 0 likes 0 Comments

Event log error
When I open Administrative Events I get a box "Microsoft Windows-The instance name passed was not recognized as valid WMI data provider". The summary page shows Event 22: "The event logging service encountered an error while initializing publishing resources for channel Microsoft-Windows-USBVideo/Analytic. If channel type is Analytic or Debug, then this could mean there was an error initializing logging resources as well". This occurred after I did an in place recovery. Is there a way to fix this?
39 Views 0 likes 0 Comments

Partner center verification status
Hi, I'm an assistant at the Qubitpilot company. We can't get partner status. Everything went wrong at the Account verification status step - "Rejected". The "fix now" button is not active. We have written to support many times, called the Microsoft hotline, the problem has not been solved for 2 weeks. What should we do? We urgently need to solve this problem. We've opened the tickets 3 times but they were closed down or not answered.