Latest Discussions
[On demand] The latest and greatest in the world of Windows LAPS
Windows LAPS continues to evolve. Find out what's new - from automatic account management and passphrases to disaster recovery and bug fixes. Watch The latest and greatest in the world of Windows LAPS – now on demand – and join the conversation at https://aka.ms/LatestInLAPS.

To help you learn more, here are the links referenced in the session:
- Automatic account management demo
- Passphrase support demo
- Rollback detection demo
- Password recovery demo
- What is Windows LAPS?
- Windows LAPS feedback

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Community Manager, Mar 06, 2025

[On demand] Secure corporate data and privacy with Win32 app isolation
Learn how to use Win32 app isolation to help contain the damage an application may cause in case of compromise. Watch Secure corporate data and privacy with Win32 app isolation – now on demand – and join the conversation at https://aka.ms/AboutWin32AppIsolation.

To help you learn more, here are the links referenced in the session:
- Win32 app isolation overview
- Repo
- Issues
- Public preview: Improve Win32 app security via app isolation

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Community Manager, Mar 05, 2025

[On demand] How to protect your administrator users on the device
Get tips to help you enforce least privilege with Windows 11—and minimize the risk of admin users making a system-level change by mistake. Watch How to protect your administrator users on the device – now on demand – and join the conversation at https://aka.ms/ProtectAdminUsers.

To help you learn more, here are the links referenced in the session:
- Admin experience: via Intune setting catalog – The feature is configurable in the LocalPoliciesSecurityOptions – policy CSP.
- Administrator protection on Windows 11 blog

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Community Manager, Mar 05, 2025

[On demand] Data protection with hardware-based security and Windows 11
Do you know how Windows 11 security features like Personal Data Encryption and BitLocker integrate with hardware features like TPM 2.0, Microsoft Pluton, and VBS to keep users and data protected? Watch Data protection with hardware-based security and Windows 11 – now on demand – and join the conversation at https://aka.ms/HardwareBasedSecurity.

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Community Manager, Mar 05, 2025

[On demand] Get to know Windows security and resiliency in the cloud
Explore the investments and capabilities that strengthen security and enhance resiliency across Windows 365 and Azure Virtual Desktop. Watch Get to know Windows security and resiliency in the cloud – now on demand – and join the conversation at https://aka.ms/WindowsCloudResiliency.

To help you learn more, here are the links referenced in the session:
- I QUIT Patching Windows And You Should Too video
- Azure Proactive Resiliency Library v2

For more free technical skilling on the latest in Windows, Windows in the cloud, and Microsoft Intune, view the full Microsoft Technical Takeoff session list.

Heather_Poulsen, Community Manager, Mar 04, 2025

Hotspot through Windows Defender Firewall
I would like to know ALL ports and protocols, services, etc. that need to be whitelisted for hotspot to work with Windows Defender Firewall, or otherwise the baseline/recommended procedure. I have tested enabling the below so far:

Inbound/Outbound:
- UDP: 67, 68, 53, 5355
- TCP: 443, 80, 53
- ICMP4/6: protocols 1/58; types and codes: 0/8
- Services: icssvc

I still get drop events here and there in Windows Defender Firewall logs for ports 80/ICMP, etc. Any idea what could be the reason, and what is the best way to set this up to allow hotspot access from the device?

AhmedSHMK, Brass Contributor, Dec 04, 2024

Microsoft Ignite 2024 companion guide: Windows security
With all the exciting news coming this week from Ignite, here are some great resources to help you dive deeper into Windows 11 security topics after you watch my session on Windows 11 security and resiliency.

Hardware baselines
- Pluton, Secured-Core PC, secure by default – Review hardware-based security features available out of the box in Windows 11.

Protect data
- Personal Data Encryption for known folders – Learn about file-based encryption capabilities using Windows Hello authentication, available starting in Windows 11 Enterprise, version 22H2.
- Virtualization-based security (VBS) enclaves – Find an overview and development guide for VBS enclaves and learn how to enable isolation of sensitive workloads from both the host application and the rest of the system.

Multifactor authentication and identity hardening
- Passwordless authentication – Discover how Windows Hello and passkeys on Windows enable safer sign-ins with passwordless authentication.
- Recall security and privacy architecture – Get the latest information on how Microsoft is designing Recall with security and privacy in mind.
- Delegated Managed Service Accounts (dMSA) overview in Windows Server 2025 – Read more about the new dMSA account type introduced in Windows Server 2025 and watch a demo about the migration path from a service account to dMSA.
- NTLMless – Keep up to date with deprecated Windows features, including NTLM.

Verified, least privilege apps and drivers
- Modern print platform: Windows Protected Print – Take a closer look at how Modern print provides a simple, streamlined and secure printing experience.
- Tools for Win32 app isolation – Access tools for using the Win32 app isolation feature on Windows to help contain the damage and safeguard user privacy choices in the event of an app compromise.
- Administrator protection – Find out how this new Windows 11 platform security feature protects users while still allowing just-in-time administrator privileges authorized using Windows Hello.
- Trusted Signing – Check out the new code signing service for developers and IT professionals, backed by a Microsoft-managed certification authority.
- Smart App Control, App Control for Business – Read how you can use policies to provide peace of mind that only verified apps can run on your device.

OS configuration
- Device Health Attestation – Help confirm devices are in a good state and haven't been tampered with.
- New Windows 11, version 24H2 security baseline – Get the latest information about changes to the security baseline for Windows 11, version 24H2, including additional protections to LAN Manager, Kerberos, User Account Control, and more.
- Config Refresh – Config Refresh helps enforce IT-defined security policies by automatically returning PC settings to the preferred configuration.
- Zero Trust DNS – Discover how Zero Trust DNS enables domain-name-based lockdown to block network traffic to unapproved network destinations.
- Hotpatching with Windows Autopatch – Hotpatch updates for Windows 11 Enterprise, version 24H2 client devices are now available in public preview.

Learn more
Finally, to learn more about how Windows 11 is built secure by design and secure by default to help businesses transform and thrive in a new era, bookmark the Windows 11 Security Book!

Katharine_Holdsworth, Microsoft, Nov 19, 2024

Build 2024 companion guide: Windows developer security resources
Ready to learn more about the topics discussed in our sessions on "Unleash Windows App Security & Reputation with Trusted Signing" and "The Latest in Windows Security for Developers" at Microsoft Build 2024? Here are some resources and tools to help you get started.

Dive deeper into:
- Passkeys in Windows – (1 min.) Get a quick overview of passkeys, how they are used in Windows, and how they compare to passwords.
- Virtualization-based security (VBS) key protection – (5 min.) Learn how to create, import, and protect your keys using VBS.
- NTLM-less – (4 min.) Find the syntax, parameters, return value, and remarks for the AcquireCredentialsHandle (Negotiate) function.
- Personal Data Encryption (PDE) – (5 min.) Get information on prerequisites, protection levels, and more for this security feature that provides file-based data encryption capabilities to Windows.
- Virtualization-based security (VBS) Enclave – (1 min.) Explore the functions used by System Services and Secure Enclaves.
- Trusted Platform Module attestation – (8 min.) Explore key TPM attestation concepts and capabilities supported by Azure Attestation.
- Zero Trust DNS – (4 min.) Learn more about Zero Trust DNS (ZTDNS), currently in development for a future version of Windows to help support those trying to lock down devices so that they can access approved network destinations only.
- Win32 app isolation repo – Access the documentation and tools you need to help you isolate your applications.
- MSIX app packaging – (3 min.) Learn how to use the MSIX Packaging Tool to repackage your existing desktop applications to the MSIX format.
- Trusted Signing – Access how-to guides, quickstart tutorials, and other documentation to help you utilize this Microsoft fully managed end-to-end signing solution for third-party developers.
- Smart App Control – (3 min.) Get to know the requirements and stages for Smart App Control, plus get answers to frequently asked questions.

Coming soon:
- Making admins more secure
- Granular privacy controls for all Win32 apps

Continue the conversation. Find best practices. Join us on the Windows security discussion board.

Katharine_Holdsworth, Microsoft, Nov 01, 2024

Suggestion to Enhance File Ownership Security and Usability in Windows
Dear Windows Engineering Team,

I would like to address an aspect of file ownership control in Windows that could benefit from additional security and usability measures. This concerns the disparity between how easily administrators can change ownership from TrustedInstaller (or other system accounts) in the Properties > Security GUI and the complex, command-line-only methods required to revert ownership back to TrustedInstaller. This design presents potential risks for system stability and security.

Current Issue:
Currently, any administrator can take ownership of critical system files from TrustedInstaller via the graphical interface with a few clicks. However, to restore ownership to TrustedInstaller, users must navigate complex command-line tools like SubInAcl or icacls, which are not accessible or known to many users, especially non-specialists. This discrepancy can lead to:
- Accidental Ownership Changes: Non-specialist administrators might take ownership of system files, unaware of the potential consequences. This can inadvertently weaken the system’s security model, as files intended to be protected under TrustedInstaller’s restricted access are now more vulnerable.
- Irreversible System State: After taking ownership, users often cannot easily restore it to TrustedInstaller, as it requires knowledge of specific command-line tools and service account nuances. This restriction can leave critical files permanently less secure or misconfigured, creating system instability and potential security gaps.

Suggested Solution:
To mitigate these issues, I propose a balanced approach to file ownership control. The following changes would improve both security and usability:
- Two-Way Ownership Controls in the GUI: Allow the Properties > Security > Advanced > Owner dialog to not only take ownership from system accounts but also restore ownership back to TrustedInstaller. This would ensure users can revert any changes made accidentally or for temporary troubleshooting purposes without requiring command-line tools.
- Enhanced Warnings and Permissions: Introduce additional warnings or elevated confirmation when changing ownership from critical system accounts like TrustedInstaller to make the potential impact clear. This would help non-specialists make informed decisions.
- Ownership Reversion Assistance: A guided wizard or dedicated tool in Windows that allows users to return ownership to TrustedInstaller or other system accounts would also address this gap, giving administrators a straightforward way to correct accidental changes.

This change would enhance system integrity by making it easier for users to return files to their original secure state and by ensuring that file ownership changes—especially those affecting system accounts—are managed consistently across both directions.

Thank you for considering this suggestion. I believe that these adjustments would make Windows more secure and user-friendly for all administrators, regardless of expertise level.

Sincerely, a long-time Windows user

lysy7765, Copper Contributor, Oct 28, 2024