Monday, March 30, 2026

Use the Microsoft Learn Platform to improve our Azure, Defender, etc. skills

From Reddit


One of the biggest frustrations when I was trying to get hands-on with Microsoft's stack was that you simply can't practice the actual tools without paying. Azure costs are absurd, Sentinel and Defender XDR licenses aren't cheap, and free tiers don't give you the real environment.


I work in a SOC using both daily, and recently I became a Microsoft Student Ambassador. When I joined I found out about Applied Skills, a section of their Learn platform that gives you a real Azure environment, hands you a scenario, and evaluates what you actually configured. No multiple choice, no memorization tricks, no way to fake it.


I did the Defender XDR one. Even with daily production experience, I ran into things I hadn't set up before. Worth the few hours. There are labs for Azure Monitor, Sentinel, Defender XDR, secure storage, Azure networking, GitHub Actions pipelines and a lot more I haven't gotten to yet. You get a badge on completion good for LinkedIn if you're into that kind of thing.


Catalog of labs is here (Azure, security, networking, data):

learn.microsoft.com/credentials/applied-skills/?wt.mc_id=studentamb_506171

Tuesday, February 10, 2026

AdminDroid LDAP Explorer

Use AdminDroid LDAP Explorer to browse Active Directory (AD) over LDAP. Free.

https://admindroid.com/admindroid-ldap-explorer

Thursday, December 18, 2025

DNS Lockdown on Unifi UDM Pro and AD

Goal: block DNS over HTTPS (and DNS over TLS) from clients so they can only use the DNS server the UDM hands out, which in turn forwards to AD DNS.

Updated 19-Dec-2025.  Version: Unifi OS 4.4.6, Network 10.0.162

Part 1. Unifi Configuration

Step 1: Cybersecure settings

    Cybersecure > Protection

        Encrypted DNS: Predefined

        Select Cloudflare-family and NextDNS

    Cybersecure > Traffic Logging

        Flow Logging: All

        Check Gateway DNS

        Check Unifi Services

    Cybersecure > Content Filter

        Select Default Content Filter

        To the Blocklist, add these domains:

            edge.microsoft.com

            dns.google

            chrome.cloudflare-dns.com

            doh.opendns.com

            cloudflare-dns.com

            mozilla.cloudflare-dns.com

            dns.quad9.net

Step 2: Create a list of public DoH/DoT resolver IPs to block

    Settings > Overview > Network Lists

        Name: DoH Bypass IPs

        Add these addresses:

            1.1.1.1

            1.0.0.1

            1.1.1.2

            1.0.0.2

            1.1.1.3

            1.0.0.3

            8.8.8.8

            8.8.4.4

            208.67.222.222

            208.67.220.220

            9.9.9.9

            149.112.112.112


Step 3: Firewall Rules

    Settings > Policy Table

        1. Block QUIC (UDP/443). DoH can run over HTTP/3, so all outbound QUIC is dropped; browsers fall back to HTTP/2 over TCP.

            Source: Internal/Any

            Action: Block

            Destination: External/Any/Port=HTTPS (443)

            IP Version=Both, Protocol=UDP

        2. Block Port 853 (DNS over TLS)

            Source: Internal/Any

            Action: Block

            Dest: Any

            Port: Specific: DNS-TLS (853)

            IP: Both

            Protocol: All

        3. Block IPv6 Out

            Source: Internal/Any

            Action: Block

            Dest: External/Any

            Port: Any

            IP Version: IPv6

            Note: this is a blunt rule that assumes you do not use IPv6. If you do, skip it and instead add the providers' IPv6 resolver addresses (for example 2606:4700:4700::1111 and 2001:4860:4860::8888) to the DoH Bypass IPs list so rule 5 covers them.

        4. Block Canary Domain

            Source: Internal/Any

            Action: Block

            Dest: Domain

            Domain name: use-application-dns.net

            Port: Any

            Note: this canary is a Firefox mechanism. Firefox turns its built-in DoH off when the system resolver cannot return an address for use-application-dns.net. A firewall rule only drops traffic to that domain's IPs, so also make the lookup itself fail: add use-application-dns.net to the Content Filter blocklist from Step 1, or create an empty primary zone for it in AD DNS.

        5. Block DoH Providers

            Source: Internal/Any

            Action: Block

            Dest: External / IP / List (select list of IPs you created above)

            Port: Any

        6. Allow ICMP Ping (so you can still ping 8.8.8.8 for testing)

            Source: Internal/Any

            Action: Allow

            Dest: Any

            IP Version: IPv4

            Protocol: Custom / ICMP / Any

            Note: the Policy Table is evaluated top to bottom and the first match wins. Rule 5 blocks every protocol to the listed IPs, so drag this allow rule above rule 5 or the ping test will fail.

Part 2. Group Policy / AD Configuration. Disable DoH in Edge.

Step 1: Log in to your DC and close GPMC if it is open. GPMC loads the ADMX templates when it starts, so it will not see the new Edge templates until it is restarted.

Step 2: Get Edge Admin templates for AD and install on your DC

Go to the Edge for Business Page.

Scroll down to the "Windows 64-bit" download button.

Under that, click on the "Download Windows 64-bit policy"

It is a .cab file. Open it. Inside is a .zip file.  Open that.

Put the .admx files in C:\Windows\PolicyDefinitions and the .adml files in C:\Windows\PolicyDefinitions\en-US.

If you have more than one DC, use the Central Store instead: \\<your domain>\SYSVOL\<your domain>\Policies\PolicyDefinitions (create it, plus an en-US subfolder, if it does not exist). SYSVOL replicates it to every DC and GPMC prefers it over the local folder, so every DC and admin workstation sees the same templates.

Step 3: Start GPMC

Create a new policy named "Block DNS over HTTPS" and link it to the domain (or to the OU that holds your workstations). A GPO that only exists under "Group Policy Objects" and is not linked anywhere applies to nothing.

Go to Computer config > Policies > Administrative Templates > Microsoft Edge

Control the mode of DNS-over-HTTPS: Enabled, with "Disable DNS-over-HTTPS" selected

This setting only covers Edge. If Chrome or Firefox are deployed, set their equivalents in the same GPO: Chrome has a DnsOverHttpsMode policy of its own, and the Firefox enterprise policy is DNSOverHTTPS (Enabled = false). The firewall rules in Part 1 are the backstop for anything the policies miss.
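The same steps as a PowerShell script, added here as an example and not taken from the original post. It assumes you run it on a DC as a Domain Admin with the GroupPolicy and ActiveDirectory RSAT modules, that the Edge templates were already extracted from the .cab/.zip to the assumed path in $TemplateSource, and that linking at the domain root is acceptable. It goes one step beyond the GUI walkthrough by writing the templates to the Central Store, setting the matching Chrome policy, and reading the value back from the GPO as a check.

```powershell
# Added example, not part of the original post: Part 2 as a PowerShell script.
# Run on a DC as a Domain Admin with the GroupPolicy and ActiveDirectory
# RSAT modules. Assumptions: the Edge templates were already extracted from
# the .cab/.zip to $TemplateSource; linking at the domain root is acceptable.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$TemplateSource = 'C:\Temp\MicrosoftEdgePolicyTemplates\windows\admx'   # assumed extract path
$GpoName        = 'Block DNS over HTTPS'
$ad             = Get-ADDomain

# 1. Templates go in the Central Store, not C:\Windows\PolicyDefinitions:
#    SYSVOL replicates it to every DC and GPMC prefers it over the local folder.
$CentralStore = "\\$($ad.DNSRoot)\SYSVOL\$($ad.DNSRoot)\Policies\PolicyDefinitions"
New-Item -ItemType Directory -Path "$CentralStore\en-US" -Force | Out-Null
Copy-Item -Path "$TemplateSource\*.admx"       -Destination $CentralStore         -Force
Copy-Item -Path "$TemplateSource\en-US\*.adml" -Destination "$CentralStore\en-US" -Force

# 2. Create the GPO (or reuse it) and set the Edge policy. The GPMC setting
#    "Control the mode of DNS-over-HTTPS" is the REG_SZ value DnsOverHttpsMode
#    under HKLM\SOFTWARE\Policies\Microsoft\Edge; "off" = "Disable DNS-over-HTTPS".
try   { $gpo = Get-GPO -Name $GpoName -ErrorAction Stop }
catch { $gpo = New-GPO -Name $GpoName -Comment 'Force browsers to use the domain DNS servers' }

Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Edge' `
    -ValueName 'DnsOverHttpsMode' -Type String -Value 'off' | Out-Null

# Chrome reads a policy of the same name under its own key (harmless if Chrome is absent).
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Google\Chrome' `
    -ValueName 'DnsOverHttpsMode' -Type String -Value 'off' | Out-Null

# 3. Link the GPO; an unlinked GPO applies to nothing. Narrow $target to an OU
#    if you want to stage the rollout.
$target = $ad.DistinguishedName
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $target -LinkEnabled Yes | Out-Null }

# 4. Read the setting back from the GPO so a typo cannot silently leave DoH on.
$check = Get-GPRegistryValue -Name $GpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Edge' -ValueName 'DnsOverHttpsMode'
if ($check.Value -ne 'off') { throw "DnsOverHttpsMode is '$($check.Value)', expected 'off'" }
"GPO '$GpoName' linked to $target with Edge DnsOverHttpsMode=off. Run 'gpupdate /force' on a client to apply."
```

The script is idempotent: rerunning it refreshes the templates and rewrites the same registry values without creating a second GPO or a duplicate link.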

Part 3: Test

Run gpupdate /force on a domain-joined client first, then:

Go to edge://policy and confirm DnsOverHttpsMode is listed with the value "off". If it is missing, the GPO is not linked or has not applied yet.

Go to https://test.nextdns.io (should not show anything about DoH)

Go to https://1.1.1.1/help (should fail completely, since 1.1.1.1 is in the blocked IP list)
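A client-side check of the whole lockdown, added here as an example and not part of the original post. Run it in PowerShell on a domain-joined Windows client after gpupdate /force. It assumes the UDM hands the client the internal (AD) DNS server via DHCP and that the firewall rules from Part 1 and the GPO from Part 2 are in place; each probe states whether it is expected to succeed or be blocked, so a row marked FAIL points at the rule or policy that is not doing its job. The canary check only passes if use-application-dns.net genuinely fails to resolve, which the firewall rule alone does not guarantee.

```powershell
# Added example, not part of the original post: verify the DNS lockdown from a client.
# Assumption: run on a domain-joined client that gets the AD DNS server from the UDM via DHCP.

function Test-Expectation {
    param([string]$Name, [scriptblock]$Probe, [bool]$ShouldSucceed)
    # A probe "succeeds" if it returns something truthy without throwing.
    try   { $result = [bool](& $Probe) } catch { $result = $false }
    $status = if ($result -eq $ShouldSucceed) { 'PASS' } else { 'FAIL' }
    [pscustomobject]@{
        Check    = $Name
        Expected = if ($ShouldSucceed) { 'allowed' } else { 'blocked' }
        Observed = if ($result)        { 'allowed' } else { 'blocked' }
        Result   = $status
    }
}

$checks = @(
    # Normal resolution through the DHCP-assigned (AD) resolver must still work.
    Test-Expectation 'Local resolver answers' { Resolve-DnsName microsoft.com -DnsOnly -ErrorAction Stop } $true

    # Rule 5: plain DNS straight to a public resolver must be blocked.
    Test-Expectation 'Plain DNS to 8.8.8.8' {
        Resolve-DnsName microsoft.com -Server 8.8.8.8 -DnsOnly -ErrorAction Stop } $false

    # Rule 2: DNS over TLS (TCP/853) must be blocked.
    Test-Expectation 'DoT to 1.1.1.1:853' {
        (Test-NetConnection 1.1.1.1 -Port 853 -WarningAction SilentlyContinue).TcpTestSucceeded } $false

    # Rule 5: HTTPS to a DoH provider IP must be blocked (this is what DoH rides on).
    Test-Expectation 'HTTPS to 1.1.1.1:443' {
        (Test-NetConnection 1.1.1.1 -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded } $false

    # Rule 6: ICMP to 8.8.8.8 is deliberately left open for troubleshooting.
    Test-Expectation 'Ping 8.8.8.8' { Test-Connection 8.8.8.8 -Count 1 -Quiet } $true

    # Firefox canary: DoH stays off only if use-application-dns.net does not resolve.
    Test-Expectation 'Canary domain unresolvable' {
        Resolve-DnsName use-application-dns.net -DnsOnly -ErrorAction Stop } $false

    # Part 2: the Edge policy reached this machine.
    Test-Expectation 'Edge DnsOverHttpsMode=off' {
        (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -ErrorAction Stop).DnsOverHttpsMode -eq 'off' } $true
)

$checks | Format-Table -AutoSize
if ($checks.Result -contains 'FAIL') { Write-Warning 'One or more lockdown checks failed' }
```

The two Test-NetConnection probes wait for a TCP timeout when the gateway drops the SYN, so expect the script to take around a minute when everything is correctly blocked.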



Thursday, November 27, 2025

MSP Open Service Initiative, OpenUEM, and MeshCentral

The Open Service Initiative is all about providing TRULY free, open-source tools and complete platforms to MSPs: AGPLv3, MIT, and Apache 2 licensed tooling.

https://github.com/Open-Service-Initiative

OpenUEM is an open-source Unified Endpoint Manager that is multi-tenant and self-hosted, and lets you manage your IT assets through its agents.


MeshCentral is the open source, multi-platform, self-hosted, feature packed web site for remote device management.
