IT administrators Archives

Winsage

May 1, 2026

Microsoft now lets admins choose pre-installed Store apps to uninstall

Microsoft has updated its Windows 11 operating system to enhance the management of preinstalled applications. The new RemoveDefaultMicrosoftStorePackages policy allows IT administrators to remove any preinstalled MSIX/APPX applications by referencing their Package Family Name (PFN) through Group Policy Object (GPO) or custom OMA-URI for mobile device management (MDM). This feature requires devices to have at least the April 2026 Windows non-security update. It is available for Windows 11 version 24H2 Enterprise and Education editions, whereas it was initially exclusive to version 25H2 or later. A comprehensive list of supported applications and instructions for applying the policy are provided in Microsoft's documentation. Additionally, a new policy setting enables the uninstallation of the AI-powered Copilot digital assistant from enterprise devices after the April 2026 Patch Tuesday updates. The dynamic list option for this policy will be rolled out in the coming months.

Winsage

April 30, 2026

Windows AI Recall is pushing data destruction upstream

The introduction of Copilot+ PCs has created new complexities in IT asset disposition (ITAD), as these devices may contain a comprehensive, time-stamped archive of user activity, which was not present on corporate laptops two years ago. Microsoft's Recall feature captures user activity screenshots and stores them securely, but recent research by Alexander Hagenah suggests that the safeguards may be ineffective, as his tool can extract sensitive data without breaking encryption. Microsoft defends the security of Recall, stating that observed access patterns align with intended protections. This situation presents challenges for ITAD operators, as pre-collection now constitutes a data-destruction event, requiring devices to be powered down or purged before leaving the client’s environment. Certificates of sanitization must evolve to address the specific destruction of Recall snapshot stores, and conversations with clients should differentiate between managed and unmanaged fleets regarding Recall settings. The presence of Recall shifts some data-destruction responsibilities upstream to clients, complicating traditional ITAD value propositions.

AppWizard

April 28, 2026

10,000 Users Exposed As Fake Document Reader App Delivers Anatsa Banking Trojan

Security researchers from ThreatLabz discovered a malicious document reader app on the Google Play Store that delivered the Anatsa Android banking trojan. The app, which had over 10,000 downloads before its removal, disguised itself as a legitimate file management tool using the package name com.groundstation.informationcontrol.filestationbrowsefilesreaddocs. It employed a "dropper" technique to hide its malicious code, connecting to an external server to retrieve the malware payload after installation. Anatsa is designed to steal financial information by overlaying a fake login screen over legitimate banking apps, capturing user credentials and enabling unauthorized transactions. Users are advised to delete the app and monitor their financial accounts. Technical indicators for identifying infections include the Anatsa Installer SHA256 (5c9b09819b196970a867b1d459f9053da38a6a2721f21264324e0a8ffef01e20), Payload URL (http://23.251.108[.]10:8080/privacy.txt), Payload SHA256 Hash (88fd72ac0cdab37c74ce14901c5daf214bd54f64e0e68093526a0076df4e042f), and Command and Control servers (http://172.86.91[.]94/api/ and http://193.24.123[.]18:85/api/).

Winsage

April 28, 2026

Microsoft Releases Enterprise Policy Option to Disable Windows 11 Copilot

Microsoft has introduced a new enterprise policy setting that allows IT administrators to silently uninstall the Microsoft Copilot app from managed Windows 11 devices. The RemoveMicrosoftCopilotApp policy became available after the April 2026 Patch Tuesday security updates and is compatible with enterprise management solutions like Microsoft Intune and System Center Configuration Manager (SCCM). Administrators can find the policy in the Group Policy Editor under User Configuration > Administrative Templates > Windows AI > Remove Microsoft Copilot App. It specifically targets Windows 11 Pro, Enterprise, and Education SKUs, excluding Home edition users. The uninstallation process is triggered when three conditions are met: Microsoft 365 Copilot is installed on the device, it was provisioned (not user-installed), and it has not been launched by the user in the last 28 days. The policy was initially available for Windows Insiders in January 2026 and became generally accessible afterward. However, future updates or user reinstalls from the Microsoft Store may reintroduce the Copilot app, necessitating ongoing policy enforcement for permanent removal. Organizations seeking broader exclusion may need to use PowerShell scripts or additional MDM configurations.

Winsage

April 27, 2026

Microsoft Adds Policy to Let IT Admins Uninstall Copilot From Enterprise Windows 11 Devices

Microsoft has introduced a policy allowing IT administrators to remove the Microsoft Copilot app from managed enterprise devices. This "Remove Microsoft Copilot App" policy will be available as a Policy CSP and Group Policy after the April 2026 Windows security updates for Windows 11 devices on the 25H2 update, specifically for Enterprise, Professional, and Education editions. The policy will uninstall Copilot under certain conditions: both Microsoft 365 Copilot and Microsoft Copilot must be installed, the user must not have manually installed the app, and the app must not have been launched in the past 28 days. Administrators can enable the policy through the Group Policy Editor or configure it via Microsoft Intune and SCCM after the April 2026 updates. The policy aligns with Microsoft's recent changes in managing Copilot, including the cessation of automatic installations and the cancellation of plans to integrate Copilot into system notifications and other features. The policy was initially available to Windows Insiders in January before becoming generally accessible in April 2026.

Winsage

April 24, 2026

Microsoft Throws IT Admins a Bone With Ability to Remove Copilot From Windows

Microsoft is adjusting its rollout strategy for Copilot AI in Windows 11 in response to user concerns by slowing down the introduction and visibility of AI features. IT administrators can now completely remove Copilot from their systems with the new setting called RemoveMicrosoftCopilotApp, introduced in Windows 11, version 25H2 (KB5083769). This feature allows for non-disruptive uninstallation of Copilot for organizations using Pro, Enterprise, Education, or IoT Enterprise editions. Specific criteria must be met for effective removal: both Microsoft 365 Copilot and Microsoft Copilot must be installed, the app should not have been installed by the user, and it must not have been launched in the past 28 days. The change is reversible, allowing for reinstallation if needed.

Tech Optimizer

April 22, 2026

New STX RAT Uses Hidden Remote Desktop and Infostealer Features to Evade Detection

A newly identified remote access trojan, STX RAT, emerged in 2026, integrating hidden remote desktop access with credential theft features. The name "STX" comes from the Start of Text magic byte x02, which it appends to communications with its command-and-control (C2) server. Initial sightings were reported in late February 2026, when it was delivered via a browser-downloaded VBScript file to a financial organization. By early March, Malwarebytes noted a campaign distributing STX RAT through compromised FileZilla installers. Researchers from eSentire’s Threat Response Unit analyzed the malware, which includes extensive anti-analysis measures and employs techniques like AMSI-ghosting. Once operational, STX RAT connects to a C2 server at 95.216.51.236, transmitting system information securely. It targets saved credentials from applications like FileZilla and includes a Hidden Virtual Network Computing (HVNC) module, allowing attackers to control a victim's machine without detection. Security teams are advised to block the C2 IP and implement detection rules to mitigate the threat.

Winsage

April 18, 2026

OWC MacDrive 12– One Solution for Complete Mac Disk Access on Windows

OWC has launched MacDrive 12, which allows Windows users to access various Mac formats such as HFS+, APFS, APFS Encrypted, SoftRAID, and Apple RAID through Windows Explorer. Key features include full read/write access to Mac formats, disk management tools for creating and repairing Mac disks, professional performance for demanding tasks, native integration with Windows, enterprise-grade security for encrypted volumes, RAID array support, and advanced APFS crash protection. Use cases include support for creative professionals, production companies, business users, IT administrators, data recovery specialists, and remote teams. MacDrive 12 will be available at the end of April for .99, with upgrade pricing for existing users at .99.

Winsage

April 17, 2026

Microsoft’s April patch puts Windows domain controllers into reboot loops — third known issue from KB5082063 is affecting Windows Server 2016 through 2025

Microsoft has acknowledged that the April 2026 security update for Windows Server, patch KB5082063, has caused significant disruptions for some enterprise domain controllers, leading to continuous reboot cycles in non-Global Catalog domain controllers used in Privileged Access Management (PAM) deployments. This has resulted in the unavailability of Active Directory authentication and directory services on affected servers. Additionally, the installation of KB5082063 may fail on some Windows Server 2025 systems. This issue marks the third consecutive year that April security updates have caused problems for Windows Server domain controllers. In previous years, Microsoft issued emergency fixes for similar issues, including crashes and complications with NTLM authentication. Administrators currently have limited options, including delaying the update, isolating a test domain controller, or engaging with Microsoft Support for tailored mitigation steps.

Winsage

April 17, 2026

What to do when device settings don’t migrate to Windows 11

On October 10, 2025, Microsoft ceased support for Windows 10, ending technical assistance, feature updates, and security updates. Organizations are required to transition to Windows 11. During the migration, IT administrators may face errors indicating that certain device settings were not successfully migrated, which can disrupt user experience. Causes of these errors include outdated or incompatible device drivers, failing physical components, incompatible software, restrictive group policies, missing registry keys, and interference from third-party tools. Affected devices may malfunction, impacting productivity. IT teams can troubleshoot these issues by restarting computers, identifying problematic devices using Device Manager, verifying and updating device drivers, checking physical devices, ensuring the operating environment is up to date, utilizing Microsoft command-line utilities, and performing clean boots or system restores if necessary.