I.F.S. = Incredibly Fucking Stupid
TL/DR: 5,000 workstations are hit with a surprise reboot in the middle of the morning because the policy says “Audit mode only” and the documentation doesn’t warn that “Oh by the way….”
At work, one of our security team members changed a policy in Microsoft Defender. The policy had a piece: Audit Mode Only.
When I read Audit Mode Only, I would believe that this would be a low-impact change. Nothing really is going to change, but some things will start to be logged. That’s what I would expect, and that’s what my co-worker expected.
Silly him. He hit Apply and 5,000+ machines got notified that they would be rebooted in 5 minutes. And then 2 minutes. And then all the work you have in progress was sent to go kick rocks.
If adding Audit Mode Only were going to impact things, wouldn’t it behoove Microsoft to warn people? Yeah, no, we’re talking about Microsoft here. Nowhere before the Apply button is one warned that one is about to reboot every machine in the organization.
Look at the date on that: 5 years ago. And four years later in the same thread, one guy reports still being hit with it.
Turns out that hitting Apply deploys the policy that won’t do anything but audit, but deploy does force a reboot. Surprise!
I think the biggest failing here is that for five years, Microsoft had a chance to put large warnings into the product about what will happen, and they did not.
The icing on this cake was that it happened at 10:30 AM on a Tuesday. Once per week, at 10 AM on Tuesdays, our highest elected officials hold a Public Meeting, in their chambers, where official business is conducted, with a couple hundred people in attendance. The timing couldn’t have been worse (or better, if the goal is to expose what clowns Microsoft are).