Tech Community Live: AMA - Windows Security
Event details
Join us for a special Ask Microsoft Anything (AMA) live stream on Windows 11 security! Our engineering and product teams will be answering your questions about the latest features and capabilities available to protect your organization and its data while providing your workforce with anywhere access. Let's talk Zero Trust principles. Let us help you plan for and deploy devices with application security, identity protection and privacy, OS and hardware security, and cloud services in mind.
This is also a great opportunity to get answers to any questions you may have after attending the Windows Powers the Future of Hybrid Work event on April 5th!
Submit your questions anytime during the hour in the Comments below!
63 Comments
- AdamGell (Copper Contributor): Follow up on the password questions. Where does the keyword logging data get stored? And how much is getting stored? When does it get emptied? Does MS send the keyboard presses to the cloud?
- Fred Pullen (Microsoft): Keystrokes pass through the operating system to applications. These are not stored and no keystrokes are sent to the cloud.
- AdamGell (Copper Contributor): Thank you
- TLADS (Copper Contributor): How do we mitigate some of the various serious bypasses demonstrated by David at the event the other day? Yes, I get it, Pluton fixes this. But enterprises (which I manage) have massive fleets of non-Pluton devices that we would like to ensure are secure. We are not just going to throw everything out. 😆 ... temporary mitigation options??
- Alan_Meeus (Microsoft): The attacks demonstrated all require a physical attack on the hardware to execute. Secured-core PCs and Windows 11 machines with Memory Access Protection turned on provide protection against trying to bypass the lock screen to access files on a locked PC. Implement Personal Data Encryption once available (announced on April 5) on top. Processor channel attacks are edge cases that need to be protected against. Start by selecting users that may be prone to such attacks and start replacing their devices with devices that support Pluton.
- RishadPatel (Copper Contributor): Are there plans to incorporate O365 SSO with Windows so that the same user can work in their own cross-domain Windows accounts?
- RishadPatel (Copper Contributor): I am talking about federated accounts...
- ElConquistador (Microsoft): With more and more defenses being employed to prevent local code running with elevated privileges from doing bad things, does the standard user / admin security boundary still matter?
- KwintenB (Copper Contributor): For certain scenarios an end user needs local admin rights to run a specific program. Is there a possibility to give it only for that one application instead of the entire Windows?
- SteveThomas (Microsoft): Also note that if this is because the application itself requires admin elevation, it would be best to retire/replace/recode the app for more modern, secure operating systems. That being said, there could also be legacy compatibility mitigation shims that could suffice: https://docs.microsoft.com/en-us/windows/deployment/planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista
- kestrup (Occasional Reader): We at the University of Copenhagen started with Defender on all clients and servers, and now on IoT, and it gives us a full view of the environment. Thanks, it gives us so much overview.
- JoeEngineer (Microsoft): Given the recent issues with driver signing we have seen in the news I am concerned that traditional attestation for binaries may not be adequate to ensure trust. Can you speak to how distributed ID fits into future code integrity plans? Will there ever be a means of crowdsourcing what signatures are valid or revoked?
- Jeffrey_Sutherland (Microsoft): Addressing vulnerabilities in the kernel is a top priority for Microsoft and we have a number of initiatives underway to improve our ability to detect and respond to vulnerabilities and malicious code targeting the kernel. As Jordan mentioned live in the AMA, we maintain a blocklist of known vulnerable and compromised drivers which is continuously updated. Security researchers, driver publishers, and others can report suspected malicious or vulnerable drivers using the new submission portal that we announced in December: "Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center" (Microsoft Security Blog).
You can find the most up-to-date recommended block list at https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules. The policy is also now included as an example policy with Windows and can be found under %windir%\schemas\CodeIntegrity\ExamplePolicies. Customers who use WDAC can incorporate that blocklist into their WDAC policies today. Finally, all customers can activate the blocklist by enabling memory integrity, also known as hypervisor-protected code integrity (HVCI). And most new Windows 11 systems will have HVCI enabled by default.
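The two actions in the answer above (confirm that memory integrity is actually running, and fold the recommended driver block rules into an existing WDAC policy) can be scripted with the ConfigCI cmdlets that ship with Windows. The following is an added example written for this page, not a script from the AMA or from Microsoft; the three file paths are placeholders, and it assumes the block-rules XML has been saved from the docs page linked above into the path given for `$BlockRulesXml`.

```powershell
# Added example (not from the AMA). Assumptions: $BasePolicyXml is your existing
# WDAC base policy and $BlockRulesXml is the recommended driver block rules XML
# saved from the docs page; both paths are placeholders to replace.

# 1. Is memory integrity (HVCI) configured and actually running on this device?
#    Win32_DeviceGuard exposes two arrays; the value 2 in each means
#    hypervisor-enforced code integrity. "Configured" without "Running" usually
#    indicates a reboot is pending or a driver incompatibility blocked it.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$hvciConfigured = [bool]($dg.SecurityServicesConfigured -contains 2)
$hvciRunning    = [bool]($dg.SecurityServicesRunning    -contains 2)
Write-Output ("HVCI configured: {0}; running: {1}" -f $hvciConfigured, $hvciRunning)

# 2. Merge the recommended driver block rules into the base policy.
$BasePolicyXml = 'C:\WDAC\BasePolicy.xml'                              # placeholder
$BlockRulesXml = 'C:\WDAC\MicrosoftRecommendedDriverBlockRules.xml'    # placeholder
$MergedXml     = 'C:\WDAC\MergedPolicy.xml'                            # placeholder
$MergedBin     = 'C:\WDAC\MergedPolicy.bin'                            # placeholder

Merge-CIPolicy -PolicyPaths $BasePolicyXml, $BlockRulesXml -OutputFilePath $MergedXml

# 3. Roll out in audit mode first (rule option 3 = "Enabled:Audit Mode") so that
#    drivers the merged policy would block are only logged, not blocked. Audit
#    hits appear as Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational;
#    once enforced, blocks appear as Event ID 3077.
Set-RuleOption -FilePath $MergedXml -Option 3

# 4. Compile the XML into the binary form that Windows consumes, then review the
#    CodeIntegrity log for 3076 events before removing the audit-mode option.
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $MergedBin

# Quick look at what audit mode has flagged so far on this machine.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The audit step matters because a vendor's vulnerable driver may still be in use on a subset of the fleet; the 3076 events tell you which devices and drivers would break before the policy is switched to enforcement by running `Set-RuleOption -FilePath $MergedXml -Option 3 -Delete` and recompiling.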
- Seth Kusiak (Copper Contributor): What's the best way to get started with the Azure Attestation service?
- SteveThomas (Microsoft): Quick starts and tutorials are found here: https://docs.microsoft.com/en-us/azure/attestation/
- dor_sf (Occasional Reader): Hey, I have a question regarding Azure AD Kerberos. How do you extract the TGT from the PRT? How does it get injected into klist? Also, how does the proxy data (*.windows.net) load? For some reason I don't see it in ksetup. Thanks, Dor Silverfort
- TLADS (Copper Contributor): Microsoft Defender Application Control is missing an easy way to add custom apps to the Allow List via Microsoft Endpoint Manager. We can do it via a custom OMA-URI config profile. But something so important (Application Allowlisting) should not be such a difficult process, am I right? Any chance to boost this MEM-managed Defender feature?
- Jeffrey_Sutherland (Microsoft): Thank you for the feedback. Providing improved authoring experiences for Windows Defender App Control (WDAC) policies is a high priority for us. The MEM Intune team currently has some features in Preview that will make it easier to manage/deploy your custom WDAC policies and also configure the Intune Management Extension as a managed installer. As we improve our reporting and policy authoring experiences in Microsoft Defender for Endpoint and Microsoft Endpoint Manager, here are a few useful tools that our teams maintain in GitHub that you may find useful.
microsoft/AaronLocker: Robust and practical application control for Windows (github.com)