Friday, October 20, 2017

Sophos Endpoint Protection - Uninstall without Tamper Protection Password

To uninstall Sophos Endpoint Protection, or install a new copy over it when you cannot disable tamper protection, follow the steps below.

1. If BitLocker is enabled, suspend it. You will need to boot into Safe Mode, and BitLocker will prompt for the recovery key if it is not suspended.
2. Create a .reg file with the contents below and save it to the desktop (the first line is the header regedit requires before it will merge a file):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config]
"SAVEnabled"=dword:00000000
"SEDEnabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent]
"Start"=dword:00000004
3. Restart the computer in Safe Mode:
Start > Settings > Update & Security > Recovery > Restart Now (under the Advanced Startup section).
When the blue screen appears, click Troubleshoot > Advanced Options > Startup Settings > Restart.
Press 5 for Safe Mode with Networking.
4. Right-click the .reg file you created and click Merge.
5. Reboot into Windows normally; you can now uninstall or install over the current Sophos installation.
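A read-only check to run after step 5, so the machine is not left with tamper protection off. This is an added example, not part of the original post; the key paths and value names are the ones in the .reg file above, while the expected values (1 = enabled, Start = 2 for automatic service start) and the function name are my assumptions.

```powershell
# Added example (not from the post): confirm Sophos tamper protection is back on
# and the MCS Agent service is no longer disabled after the reinstall.
function Test-SophosTamperProtection {
    $sed = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\TamperProtection\Config'
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SavService\TamperProtection'; Name = 'Enabled';    Expected = 1 }
        @{ Path = $sed;                                                            Name = 'SAVEnabled'; Expected = 1 }
        @{ Path = $sed;                                                            Name = 'SEDEnabled'; Expected = 1 }
        # Start = 4 is what the .reg file sets (disabled); 2 = automatic start (assumed default)
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos MCS Agent';      Name = 'Start';      Expected = 2 }
    )
    foreach ($c in $checks) {
        # A missing key or value is reported as $null instead of throwing
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Key      = $c.Path
            Name     = $c.Name
            Value    = $value
            Expected = $c.Expected
            Ok       = ($value -eq $c.Expected)
        }
    }
}

$results = Test-SophosTamperProtection
$results | Format-Table Name, Value, Expected, Ok -AutoSize
if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'Tamper protection is not fully enabled; check the Sophos console before leaving the machine.'
}
```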

Monday, October 9, 2017

BitLocker Triggering Every Reboot - One Possible Cause and its Solution

We had a few machines that were triggering BitLocker recovery every time they rebooted. We tracked the issue down to the fact that the SSDs were formatted as MBR, and the BIOS mode in System Info was showing as Legacy.

(We had 4 brand new machines with the same hardware; the only difference was that the 2 that were working were GPT and UEFI, and the 2 that weren't were MBR and Legacy.)

This is how I fixed it:

  1. I suspended BitLocker but did not turn it off. (I tried turning it off on one computer and it wasn't good; I had to rebuild the machine to get the TPM working with BitLocker again.)
  2. I converted the SSD to GPT (read my directions here).
  3. Made sure I set the BIOS options to UEFI.
  4. Booted back into Windows, and BitLocker wasn't working. When I tried to manually reactivate BitLocker it gave the error "The system cannot find the file specified".
  5. Rename or delete the REAgent.xml file (in C:\Windows\System32\Recovery) to fix the error from step 4.
  6. Manually activate BitLocker again and it works.
  7. Reboot a couple of times to test. Everything works! No more BitLocker recovery prompts.

Convert MBR System Disk to GPT for Free! - Windows 10 - 1703

We had an issue recently where the solution was to convert the system disk from MBR to GPT. We didn't want to rebuild the computer, and didn't want to pay for one of the commercial tools out there. The fix, as it turns out, is built into Windows 10 (1703).

To convert the disk, Microsoft has made a little command line tool called mbr2gpt.

To use it is simple:

  1. Boot into Windows Recovery
    1. Select the Start button, then choose Settings.
    2. Select Update & security > Recovery.
    3. Under Advanced startup, select Restart now.
    4. After your PC restarts to the Choose an option screen, select Troubleshoot > Advanced options > Command Prompt.
  2. Confirm the disk number you want to work on. If you only have one disk, it should be Disk 0.
    1. Type "diskpart" to start the DiskPart tool.
    2. Type "list disk" to view the disks.
    3. Type "exit" after you determine which disk you want to edit. In this case, Disk 1 contains my Windows installation.
  3. Run "mbr2gpt /convert /disk:X" (replace X with your disk number).
  4. When it completes, your system disk will be converted to GPT. Make sure you make the appropriate BIOS/UEFI changes so the machine boots in UEFI mode instead of Legacy.
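Before rebooting into WinRE, it helps to confirm you actually have the combination from the BitLocker post (MBR system disk booted in Legacy mode) and that mbr2gpt accepts the disk. This added example (not from either post) does that from an elevated PowerShell prompt using only read-only calls and mbr2gpt's own /validate switch; /allowFullOS lets the validation run from the booted OS rather than WinRE. The function names and the report shape are mine.

```powershell
# Added example (not from the posts): report firmware mode, system disk layout
# and BitLocker state, then dry-run mbr2gpt with /validate.
function Get-BootLayoutReport {
    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy' (Windows 8 and later)
    $firmware = $env:firmware_type
    # The disk holding the running Windows installation
    $bootDisk = Get-Disk | Where-Object { $_.IsBoot -or $_.IsSystem } | Select-Object -First 1
    # BitLocker state of the OS volume; the cmdlet exists only where BitLocker is installed
    $bde = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $bdeStatus = if ($bde) { [string]$bde.ProtectionStatus } else { 'Not available' }
    [pscustomobject]@{
        FirmwareMode     = $firmware
        DiskNumber       = $bootDisk.Number
        PartitionStyle   = [string]$bootDisk.PartitionStyle
        BitLockerStatus  = $bdeStatus
        # The combination behind the repeated BitLocker prompts in the post above
        MatchesPostIssue = ($bootDisk.PartitionStyle -eq 'MBR') -and ($firmware -eq 'Legacy')
    }
}

function Test-Mbr2GptReady {
    param([Parameter(Mandatory)][int]$DiskNumber)
    # /validate checks convertibility without changing the disk; /allowFullOS lets
    # mbr2gpt run from the booted OS instead of WinRE (the post converts from WinRE)
    $output = & mbr2gpt.exe /validate /disk:$DiskNumber /allowFullOS 2>&1
    [pscustomobject]@{
        DiskNumber = $DiskNumber
        Ready      = ($LASTEXITCODE -eq 0)
        Output     = ($output | Out-String).Trim()
    }
}

$report = Get-BootLayoutReport
$report
if ($report.MatchesPostIssue) {
    if ($report.BitLockerStatus -eq 'On') {
        Write-Warning "Suspend BitLocker before converting: Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 0"
    }
    Test-Mbr2GptReady -DiskNumber $report.DiskNumber
}
```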

Friday, September 29, 2017

Domain Accounts instantly locking out after unlocking them

We deployed a lockout policy for a client and they had a couple of user accounts that were immediately getting locked out again after we unlocked them. I dug around and tried to figure out what was going on. MS Server doesn't have the best reporting for account lockouts, but I found a freeware tool that did an excellent job helping me troubleshoot the issue.

It is called Netwrix Account Lockout Examiner and it is a lifesaver when it comes to trying to diagnose these issues. You can download it here: https://www.netwrix.com/account_lockout_examiner.html

Using that tool, I was able to figure out that the login attempts that were locking the user accounts were brute force attacks coming in on RDP on the desktop machines.

We use non-standard ports other than 3389 for RDP at this client, but the attackers were using the correct port and the correct usernames for the computers. I used a free 30 day demo of RDPGuard (https://rdpguard.com) to block the incoming brute force attack by automatically adding a deny rule for the originating IP address to the Windows Firewall. It looks like the 2 IP addresses it caught were hitting our systems from Russia. As soon as RDPGuard did its job, the accounts stopped locking out instantly.

We have since changed how the users remote in at this client to a much more secure process so we have less of a chance of this occurring again. As we all know, no form of security is absolutely perfect.

Anyway, I will have to look into purchasing RDPGuard for protecting our public facing servers. It never hurts to have an extra layer of security. It can also protect other protocols like FTP, SQL, IIS and others.

(This is not a sales pitch for either of these programs. I just like to share tough fixes and neat tools when I find them.)
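The same trail can be followed with the built-in Security log, which is what the lockout examiner tool reads under the hood. This added example (not from the post) shows the two events that link a lockout to its source: on a domain controller, event 4740 names the computer that sent the bad passwords; on that computer, event 4625 carries the remote IP address and logon type. It assumes failure auditing for logon and account management is enabled, and the function names, 24-hour window and threshold are my choices.

```powershell
# Added example (not from the post): trace a lockout from the DC to the source IP.
function ConvertFrom-EventData {
    # Turn the <EventData><Data Name="..."> pairs of a Security event into a hashtable
    param([Parameter(Mandatory)]$Event)
    $d = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $d
}

function Get-LockoutCallers {
    # Run on a domain controller: 4740 names the computer that reported the bad passwords
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']   # 4740 stores the caller computer name in this field
            }
        }
}

function Get-FailedLogonSources {
    # Run on the caller computer: 4625 carries the remote IP and the logon type
    param([int]$Hours = 24, [int]$Threshold = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Account = $d['TargetUserName']; SourceIp = $d['IpAddress']; LogonType = $d['LogonType'] }
        } |
        Group-Object SourceIp, Account, LogonType |
        Where-Object Count -ge $Threshold |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Attempts  = $_.Count
                SourceIp  = $_.Group[0].SourceIp
                Account   = $_.Group[0].Account
                LogonType = $_.Group[0].LogonType   # 10 = RDP session; RDP with NLA often logs failures as type 3
            }
        }
}

Get-LockoutCallers | Format-Table -AutoSize
Get-FailedLogonSources | Format-Table -AutoSize
```

Any source that shows up repeatedly against the locked-out account is the one to block at the firewall, which is what RDPGuard automated in the post.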

Thursday, July 13, 2017

Check Replication Status of Domain/Forest

Source: https://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx

"Run the following Repadmin.exe command to ensure that replication is working throughout the forest:

repadmin /replsum /bysrc /bydest /sort:delta

All domain controllers should show 0 in the Fails column, and the largest deltas (which indicate the time that has elapsed since the last successful replication) should be less than or roughly equal to the replication frequency of the site link that the domain controller uses for replication. The default replication frequency is 180 minutes."
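The same two checks from the quoted text (no failures, and the largest delta no older than the site-link replication frequency) can be scripted against the ActiveDirectory module instead of reading repadmin's table by eye. This is an added example, not part of the TechNet article; it covers the domain controllers of the current domain (run it in each domain to cover the forest), and the function name and threshold parameter are mine.

```powershell
# Added example (not from the TechNet text): flag replication partner links
# with consecutive failures or a last success older than the 180-minute default.
function Test-ADReplicationHealth {
    param([int]$MaxDeltaMinutes = 180)   # default site-link replication frequency from the text above
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # One record per partner and naming context, inbound and outbound
        Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both -ErrorAction SilentlyContinue |
            ForEach-Object {
                $delta = (Get-Date) - $_.LastReplicationSuccess
                [pscustomobject]@{
                    Server       = $_.Server
                    # Partner is the DN of the partner's NTDS Settings object; pull the server CN out of it
                    Partner      = (($_.Partner -split ',')[1] -replace '^CN=')
                    Partition    = $_.Partition
                    DeltaMinutes = [math]::Round($delta.TotalMinutes)
                    Fails        = $_.ConsecutiveReplicationFailures
                    LastResult   = $_.LastReplicationResult   # 0 means the last attempt succeeded
                    Healthy      = ($_.ConsecutiveReplicationFailures -eq 0) -and ($delta.TotalMinutes -le $MaxDeltaMinutes)
                }
            }
    }
}

$health = Test-ADReplicationHealth
$unhealthy = $health | Where-Object { -not $_.Healthy }
if ($unhealthy) {
    $unhealthy | Format-Table Server, Partner, Partition, DeltaMinutes, Fails, LastResult -AutoSize
} else {
    'All partner links healthy'
}
```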

Thursday, July 6, 2017

Adobe Reader saying all PDFs are corrupted, when accessing files over SonicWall VPN

We had this issue and banged our heads against it for a couple of days. We would get all sorts of errors when trying to open PDF files on a network share, and when we could get them open, we couldn't save over the top of the files; we would get an error saying the network name cannot be found, or the network location is no longer available. We looked at everything from Adobe, to MTU settings, to our ISP. I was poking around in the SonicWall checking the VPN connections, and I tried turning off content filtering. No change, so I tried turning off the Gateway AV. Success!!! The users could open and save without any issues. Some trial and error testing narrowed it down to the CIFS/Netbios setting in the Gateway AV settings. This helps block ransomware/cryptolocker, so I won't leave it off forever, but tomorrow I am going to call SonicWall to get the skinny on what we need to do to properly fix this.

TL;DR: If you are getting a bunch of weird issues accessing files and folders over VPN, disable CIFS/Netbios in the Gateway Anti-Virus section.

I will update when I get the rest of the fix figured out.
uncheck CIFS/Netbios

Friday, June 30, 2017

Run elevated programs from normal command prompt

I had an issue recently where a computer joined the domain while sysprep was still active, and a group policy with password complexity broke the admin account that sysprep was using. To fix this we had to run a command prompt with admin permissions to run some commands, but we weren't able to start an elevated prompt.

The fix is to run the following command:

runas /netonly /user:computername\adminaccount cmd

This will open an elevated command prompt. You can substitute cmd with anything else to run it as an admin.

Monday, June 12, 2017

FAILED: Unable to create a VSS snapshot of the source volume(s). Error code: 2147754758 (0x80042306). - VMware

I was getting this error trying to convert a couple of physical machines to virtual machines.

FAILED: Unable to create a VSS snapshot of the source volume(s). Error code: 2147754758 (0x80042306).

None of the other blogs or posts were able to help me fix it.

Resolution: The VSS shadow storage limit on the HDDs was somehow set to 32 MB. VSS requires a minimum of 300 MB.
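To spot this limit before a P2V run instead of after it fails, the per-volume maximum can be read from the built-in vssadmin tool. This added example (not from the post) parses "vssadmin list shadowstorage" from an elevated prompt and flags any volume under the 300 MB minimum stated above; the function name and the assumed line layout ("Maximum Shadow Copy Storage space: 32 MB (0%)", or UNBOUNDED) are mine.

```powershell
# Added example (not from the post): find volumes whose shadow storage limit is too small.
function Get-ShadowStorageLimit {
    param([int]$MinimumMB = 300)
    $text = & vssadmin.exe list shadowstorage 2>&1 | Out-String
    # Each association block starts with "For volume: (C:)\\?\Volume{...}\"
    $blocks = $text -split 'For volume:' | Select-Object -Skip 1
    foreach ($b in $blocks) {
        $volume = [regex]::Match($b, '\((\w:)\)').Groups[1].Value
        $m   = [regex]::Match($b, 'Maximum Shadow Copy Storage space:\s+(UNBOUNDED|[\d.]+\s+(?:bytes|[KMGT]B))')
        $max = $m.Groups[1].Value
        # Normalise the human-readable size to MB so it can be compared with the minimum
        $maxMB = switch -Regex ($max) {
            '^UNBOUNDED'        { [double]::PositiveInfinity }
            '^([\d.]+)\s+bytes' { [double]$Matches[1] / 1MB }
            '^([\d.]+)\s+KB'    { [double]$Matches[1] / 1024 }
            '^([\d.]+)\s+MB'    { [double]$Matches[1] }
            '^([\d.]+)\s+GB'    { [double]$Matches[1] * 1024 }
            '^([\d.]+)\s+TB'    { [double]$Matches[1] * 1024 * 1024 }
            default             { $null }   # unparsed line; reported but not judged
        }
        [pscustomobject]@{
            Volume   = $volume
            MaxSize  = $max
            MaxMB    = $maxMB
            TooSmall = ($null -ne $maxMB) -and ($maxMB -lt $MinimumMB)
        }
    }
}

Get-ShadowStorageLimit | Format-Table -AutoSize
# To raise a limit (values are an example): vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10GB
```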

This is your PowerShell ISE on ISESteroids

PowerShell. I have learned to love it over the past few months. At work, I have run into issues where Macro Express or AutoHotKey wouldn't cut it as a viable option. I had looked into PS before, but with just the shell, it's not that accessible. Resigning myself to work in the shell, I started to do some research. I found out that MS released a tool for PowerShell that was like an IDE. Hallelujah! As I was playing in it, I came to the realization that I needed "MOAR POWER". PowerShell ISE is amazing, but it still needed a bit more.... umph. Dr. Tobias Weltner is a brilliant man because he thought the same thing! :D However, he is much more brilliant than I because he did something about it.

He gave PowerShell ISE a shot of steroids. ISE Steroids, that is. You can download a trial at his website: http://www.powertheshell.com/isesteroids2/download/

This tool is like dropping a turbocharger into your car, but 10 times easier. You install it and you are up and running in no time flat.

I am going to skip over the installation (you can find instructions on the link above) and talk about some of my favorite features.

Refactoring

First off, I love refactoring. It lets me build out test scripts quickly without worrying about a naming scheme, or what I am calling my variables. Might not be the best SOP, but it works for me. PowerShell ISE does have a replace feature (Ctrl + H), but to me it's a bit clunky and not as useful. ISE Steroids gives you in-line, on-the-fly refactoring with one button:

  1. Place the cursor in the text you want to change. (I am refactoring the $install variable on line 2)
  2. Press F2
  3. Start typing to refactor!

Original
After refactor
Did you notice that it only changed in the function that you are working in? That is great if you don't want to go changing every instance of that text in your whole script. But what if you want to?

Original
After refactor

  1. Highlight the whole selection you want to change ($client including the $)
  2. Press F2
  3. Start typing to refactor! It will refactor all instances (look at the second function, all the $client instances were renamed too)