security

Sign up for Microsoft Partner Incentives performance measurement reports
As part of a larger push to empower you to deliver exceptional business outcomes, we've introduced incentives performance measurement reports, available through email. Delivered during the first week of every month, these reports include presales and post-sales partner performance measurements and earning cap status so you can get essential insights into your engagements across hero investments. These hero investments include Azure Accelerate, AI Workforce: Microsoft 365 Copilot + Power Accelerate, AI Business Process, and Security Activities.

Here’s what to expect:

Performance requirements pausing policy: Starting on November 15, 2025,* partners who are not meeting performance requirements will be paused from nominating new claims. This applies only to new nominations; in-progress projects will not be affected. Further, partners who have reached their earning cap and have nominations paused will be notified when they are eligible to nominate projects again.

Reactivation of nominations: Paused partners will be reviewed each Tuesday by Microsoft to determine if they meet performance thresholds. Those who meet thresholds will be notified by email within two business days after their review and reactivated within seven business days after their review.

Earning cap reviews: Partners who are approaching their earning cap and are meeting performance benchmarks will be considered for an earning cap increase based on budget availability and quality of claims. Claim quality can be affected by factors such as the accuracy of your activity reporting, the number of duplicate claims, and how your investments are leveraged.

Increased cap value: If you’re approved for an earning cap increase, you can expect up to 50% above the engagement’s initial cap. Earning cap extension approval is not guaranteed.
Earning cap pausing: Partners who have reached their earning cap and did not receive a notification of an increased cap based on review will be paused from submitting new claims and will be notified. This pause applies only to new nominations; in-progress projects will remain unaffected. No partner action is required, and Microsoft will proactively review and communicate decisions about earning caps.

Review the updated policy for partner performance measurements and earning caps (available November 1, 2025). Sign up now for monthly reports so you can fuel transformation with expertise and funding and drive faster time to value for your projects. Sign up for monthly reports today!

*Starting December 1, 2025, Security Activities will issue monthly partner performance reports, and beginning January 1, 2026, partners not meeting requirements will be paused from nominating new claims.

Question malware detected Defender for Windows 10
Why did my Microsoft Defender detect a malicious file in AppData\Roaming\Secure\QtWebKit4.dll (Trojan:Win32/Wacatac.C!ml) during a full scan and the Kaspersky Free and Malwarebytes Free scans didn't detect it? Was it maliciously modifying, corrupting, or deleting various files on my PC before detection? I sent it to Virus Total, the hash: 935cd9070679168cfcea6aea40d68294ae5f44c551cee971e69dc32f0d7ce14b

Inside the same folder as this DLL, there's another folder with a suspicious file, Caller.exe. I sent it to Virus Total, and only one detection from 72 antivirus programs was found, with the name TrojanPSW.Rhadamanthys. VT hash: d2251490ca5bd67e63ea52a65bbff8823f2012f417ad0bd073366c02aa0b3828

Fingerprint Login No Longer Working
Login with Fingerprint is no longer working after the latest Windows 11, 25H2 update. It recognizes my fingerprint but immediately says "your pin is required to sign in". I have removed my fingerprint and PIN, restarted the computer, re-added the PIN and fingerprint, but continue to experience the same issue. The issue started after the most recent round of updates. KB5066835, KB5066128, and KB5068331 were installed. I removed KB5066835 and the functionality returned to normal. Anyone else experiencing this issue?

Black Screen.....What's going on here?
I’ve been having a weird issue with my PC. It randomly goes to a black screen while I’m browsing the internet or doing other light tasks, but the system doesn’t completely shut down — the CPU and GPU fans keep spinning. I have to do a hard reset to get it working again. What’s confusing is that it never happens while I’m gaming or doing anything intensive. I’ve already tried reinstalling Windows, but that didn’t solve the issue. Temps seem normal and nothing is overclocked.

Start menu "Best Match" allowing access to run command
We operate an educational network of PCs which we restrict quite strictly to prevent students accessing certain programs. We use a number of group policy settings already to restrict the command prompt, hide or restrict certain drives and prevent access to the run command (via right click on start button and within the start menu). However, the recent updates to the start menu in Windows 11 allow users to search (and run) applications and network UNC paths, which they previously wouldn't have access to.

We have found that the "Best Match" on the start menu search allows users to open UNC paths to servers which are normally blocked by group policy when keying in to the address bar in explorer. Disabling the run command has always been effective at preventing apps being run which we don't directly present in the past. This creates a bit of a vulnerability for us as we need to run as tight a setup as possible to prevent students tampering. We need students to be able to write to shares, but we don't want them to be able to browse directly to the root of server shares (even if the permissions are tight around the shares).

The only way we've found to prevent access to this is to fully disable the search UI. As this policy is a computer policy we cannot disable this for only certain users, which is frustrating. The DisableSearchBoxSuggestions setting has no effect on the "Best Match" suggestion. We feel that Microsoft need to address this issue, as being able to prevent access to the "run" command is important to many Network Admins in Education.

Windows 11, version 25H2 security baseline
Microsoft is pleased to announce the security baseline package for Windows 11, version 25H2! You can download the baseline package from the Microsoft Security Compliance Toolkit, test the recommended configurations in your environment, and customize / implement them as appropriate.

Summary of changes

This release includes several changes made since the Windows 11, version 24H2 security baseline to further assist in the security of enterprise customers, including better alignment with the latest capabilities and standards. The changes are summarized in the table below.

Security Policy | Change Summary
Printer: Impersonate a client after authentication | Add “RESTRICTED SERVICES\PrintSpoolerService” to allow the Print Spooler’s restricted service identity to impersonate clients securely
NTLM Auditing Enhancements | Enabled by default to improve visibility into NTLM usage within your environment
MDAV: Attack Surface Reduction (ASR) | Add "Block process creations originating from PSExec and WMI commands" (d1e49aac-8f56-4280-b9ba-993a6d77406c) with a recommended value of 2 (Audit) to improve visibility into suspicious activity
MDAV: Control whether exclusions are visible to local users | Move to Not Configured as it is overridden by the parent setting
MDAV: Scan packed executables | Remove from the baseline because the setting is no longer functional; Windows always scans packed executables by default
Network: Configure NetBIOS settings | Disable NetBIOS name resolution on all network adapters to reduce legacy protocol exposure
Disable Internet Explorer 11 Launch Via COM Automation | Disable to prevent legacy scripts and applications from programmatically launching Internet Explorer 11 using COM automation interfaces
Include command line in process creation events | Enable to improve visibility into how processes are executed across the system
WDigest Authentication | Remove from the baseline because the setting is obsolete; WDigest is disabled by default and no longer needed in modern Windows environments

Printer

Improving Print Security with IPPS and Certificate Validation

To enhance the security of network printing, Windows introduces two new policies focused on controlling the use of IPP (Internet Printing Protocol) printers and enforcing encrypted communications. The setting "Require IPPS for IPP printers" (Administrative Templates\Printers) determines whether printers that do not support TLS are allowed to be installed. When this policy is disabled (default), both IPP and IPPS transport printers can be installed, although IPPS is preferred when both are available. When enabled, only IPPS printers will be installed; attempts to install non-compliant printers will fail and generate an event in the Application log, indicating that installation was blocked by policy.

The second policy, "Set TLS/SSL security policy for IPP printers" (same policy path), requires that printers present valid and trusted TLS/SSL certificates before connections can be established. Enabling this policy defends against spoofed or unauthorized printers, reducing the risk of credential theft or redirection of sensitive print jobs.

While these policies significantly improve security posture, enabling them may introduce operational challenges in environments where IPP and self-signed or locally issued certificates are still commonly used. For this reason, neither policy is enforced in the security baseline at this time. We recommend that you assess your printers and, if they meet the requirements, consider enabling those policies with a remediation plan to address any non-compliant printers in a controlled and predictable manner.

User Rights Assignment Update: Impersonate a client after authentication

We have added RESTRICTED SERVICES\PrintSpoolerService to the “Impersonate a client after authentication” User Rights Assignment policy. The baseline already includes Administrators, SERVICE, LOCAL SERVICE, and NETWORK SERVICE for this user right.

Adding the restricted Print Spooler supports Microsoft’s ongoing effort to apply least privilege to system services. It enables Print Spooler to securely impersonate user tokens in modern print scenarios using a scoped, restricted service identity. Although this identity is associated with functionality introduced as part of Windows Protected Print (WPP), it is required to support proper print operations even if WPP is not currently enabled. The system manifests the identity by default, and its presence ensures forward compatibility with WPP-based printing.

Note: This account may appear as a raw SID (e.g., S-1-5-99-...) in Group Policy or local policy tools before the service is fully initialized. This is expected and does not indicate a misconfiguration.

Warning: Removing this entry will result in print failures in environments where WPP is enabled. We recommend retaining this entry in any custom security configuration that defines this user right.

NTLM Auditing Enhancements

Windows 11, version 25H2 includes enhanced NTLM auditing capabilities, enabled by default, which significantly improve visibility into NTLM usage within your environment. These enhancements provide detailed audit logs to help security teams monitor and investigate authentication activity, identify insecure practices, and prepare for future NTLM restrictions. Since these auditing improvements are enabled by default, no additional configuration is required, and thus the baseline does not explicitly enforce them. For more details, see Overview of NTLM auditing enhancements in Windows 11 and Windows Server 2025.

Microsoft Defender Antivirus

Attack Surface Reduction (ASR)

In this release, we've updated the Attack Surface Reduction (ASR) rules to add the policy Block process creations originating from PSExec and WMI commands (d1e49aac-8f56-4280-b9ba-993a6d77406c) with a recommended value of 2 (Audit). By auditing this rule, you can gain essential visibility into potential privilege escalation attempts via tools such as PSExec or persistence mechanisms using WMI. This enhancement helps organizations proactively identify suspicious activities without impacting legitimate administrative workflows.

Control whether exclusions are visible to local users

We have removed the configuration for the policy "Control whether exclusions are visible to local users" (Windows Components\Microsoft Defender Antivirus) from the baseline in this release. This change was made because the parent policy "Control whether or not exclusions are visible to Local Admins" is already set to Enabled, which takes precedence and effectively overrides the behavior of the former setting. As a result, explicitly configuring the child policy is unnecessary. You can continue to manage exclusion visibility through the parent policy, which provides the intended control over whether local administrators can view exclusion lists.

Scan packed executables

The “Scan packed executables” setting (Windows Components\Microsoft Defender Antivirus\Scan) has been removed from the security baseline because it is no longer functional in modern Windows releases. Microsoft Defender Antivirus always scans packed executables by default; therefore, configuring this policy has no effect on the system.

Disable NetBIOS Name Resolution on All Networks

In this release, we start disabling NetBIOS name resolution on all network adapters in the security baseline, including those connected to private and domain networks. The change is reflected in the policy setting “Configure NetBIOS settings” (Network\DNS Client). We are trying to eliminate this legacy name resolution protocol, which is vulnerable to spoofing and credential theft. NetBIOS is no longer needed in modern environments where DNS is fully deployed and supported.

To mitigate potential compatibility issues, you should ensure that all internal systems and applications use DNS for name resolution. We recommend the following: test critical workflows in a staging environment prior to deployment, monitor for any resolution failures or fallback behavior, and inform support staff of the change to assist with troubleshooting as needed. This update aligns with our broader efforts to phase out legacy protocols and improve security.

Disable Internet Explorer 11 Launch Via COM Automation

To enhance the security posture of enterprise environments, we recommend disabling Internet Explorer 11 Launch Via COM Automation (Windows Components\Internet Explorer) to prevent legacy scripts and applications from programmatically launching Internet Explorer 11 using COM automation interfaces such as CreateObject("InternetExplorer.Application"). Allowing such behavior poses a significant risk by exposing systems to the legacy MSHTML and ActiveX components, which are vulnerable to exploitation.

Include command line in process creation events

We have enabled the setting "Include command line in process creation events" (System\Audit Process Creation) in the baseline to improve visibility into how processes are executed across the system. Capturing command-line arguments allows defenders to detect and investigate malicious activity that may otherwise appear legitimate, such as abuse of scripting engines, credential theft tools, or obfuscated payloads using native binaries. This setting supports modern threat detection techniques with minimal performance overhead and is highly recommended.

WDigest Authentication

We removed the policy "WDigest Authentication (disabling may require KB2871997)" from the security baseline because it is no longer necessary for Windows. This policy was originally enforced to prevent WDigest from storing users’ plaintext passwords in memory, which posed a serious credential theft risk. However, starting with the 24H2 update, the engineering teams deprecated this policy. As a result, there is no longer a need to explicitly enforce this setting, and the policy has been removed from the baseline to reflect the current default behavior. Since the setting does not write to the normal policies location in the registry, it will not be cleaned up automatically for any existing deployments.

Please let us know your thoughts by commenting on this post or through the Security Baseline Community.
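The following read-only audit script is an added example, not part of the baseline post or of the Security Compliance Toolkit. It checks a machine against several of the 25H2 changes described above: command-line capture in process creation events, NetBIOS name resolution (policy value and per-adapter effective state), the action configured for the ASR rule d1e49aac-8f56-4280-b9ba-993a6d77406c, a leftover explicit WDigest UseLogonCredential value that the post notes is not cleaned up automatically, and the holders of the "Impersonate a client after authentication" right. The registry paths and expected values (EnableNetbios = 0, NetbiosOptions = 2, ProcessCreationIncludeCmdLine_Enabled = 1) are my assumptions about how these policies are stored, not the toolkit's own compliance logic; verify them against the baseline package's GPO reports before relying on the result.

```powershell
# Added example: read-only audit of selected Windows 11 25H2 baseline changes.
# Assumed registry locations and expected values are noted inline. Run elevated.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Check, [string]$Observed, [string]$Expected, [bool]$Ok)
    $findings.Add([pscustomobject]@{
        Check    = $Check
        Observed = $Observed
        Expected = $Expected
        Status   = if ($Ok) { 'OK' } else { 'REVIEW' }
    })
}

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. "Include command line in process creation events" (System\Audit Process Creation).
$cmdLine = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
Add-Finding 'Command line in process creation (4688) events' "$cmdLine" '1' ($cmdLine -eq 1)

# 2. "Configure NetBIOS settings" (Network\DNS Client).
#    Assumption: the policy stores EnableNetbios under the DNSClient policy key,
#    with 0 meaning NetBIOS disabled on all networks.
$netbiosPolicy = Get-RegValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' 'EnableNetbios'
Add-Finding 'NetBIOS policy (EnableNetbios)' "$netbiosPolicy" '0' ($netbiosPolicy -eq 0)

#    Effective per-adapter state: NetbiosOptions 2 = disabled, 1 = enabled, 0 = use DHCP setting.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object {
        $opt = Get-RegValueOrNull $_.PSPath 'NetbiosOptions'
        Add-Finding "NetBIOS on adapter $($_.PSChildName)" "$opt" '2' ($opt -eq 2)
    }

# 3. ASR rule "Block process creations originating from PSExec and WMI commands".
#    The baseline recommends action 2 (Audit); the GUID is the one quoted in the post.
$asrGuid = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
$mp = Get-MpPreference
$ids = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx = [array]::IndexOf($ids, $asrGuid)
$asrAction = if ($idx -ge 0) { $mp.AttackSurfaceReductionRules_Actions[$idx] } else { 'not configured' }
Add-Finding 'ASR PSExec/WMI rule action' "$asrAction" '2 (Audit)' ($asrAction -eq 2)

# 4. WDigest: the baseline no longer sets this, and the post notes the old value is not
#    removed automatically. Report whether an older deployment still sets it explicitly.
$wdigest = Get-RegValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
$wdigestObserved = if ($null -eq $wdigest) { 'absent' } else { "$wdigest" }
Add-Finding 'WDigest UseLogonCredential' $wdigestObserved 'absent or 0' ($null -eq $wdigest -or $wdigest -eq 0)

# 5. "Impersonate a client after authentication" (SeImpersonatePrivilege): export the local
#    policy with secedit and look for the restricted Print Spooler SID (S-1-5-99-..., per the post).
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeImpersonatePrivilege' | Select-Object -First 1
$holders = if ($line) { $line.Line -replace '^SeImpersonatePrivilege\s*=\s*', '' } else { 'not found' }
Add-Finding 'SeImpersonatePrivilege holders' $holders 'includes S-1-5-99-... (PrintSpoolerService)' ($holders -match 'S-1-5-99-')
Remove-Item $cfg -ErrorAction SilentlyContinue

$findings | Format-Table -AutoSize
```

Rows marked REVIEW are not necessarily misconfigurations: a NetbiosOptions of 0 on an adapter simply means the DHCP setting applies, and the ASR rule may legitimately be set to 1 (Block) rather than 2 (Audit) in environments that have already moved past the audit phase.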
AI adoption is accelerating, and PCs are now key to delivering fast, secure, and seamless AI experiences. Surface Copilot+ PCs combine local AI processing, cloud connectivity, and enterprise-grade security—making endpoints central to every AI strategy.

How to force Windows 11 to reuse the former Recovery Partition?
Before migrating from Windows 10 to Windows 11 I had decrypted my BitLocker-encrypted C:-partition - just to be on the safe side if anything goes wrong during the migration. Now, after the successful migration to Windows 11 I wanted to re-encrypt that partition. When I started BitLocker it explained that it would first need to create a recovery partition. When I clicked OK it declared it would now first shrink my C:-drive to create space for that partition and then create a new recovery environment on it. However, I already do have a recovery partition at the end of my current system drive (at least it is labeled as Recovery Partition, its size is 1000MB/1GB). Why does Windows 11 try to create me yet another recovery partition and does not reuse that existing one? I don't want to end up having two recovery partitions one of which is useless. Would I first have to delete that existing recovery partition, then add it to the (i.e. grow the existing) C:-drive partition such that this process can then shrink it again in order to recreate a new recovery partition? Is there no shortcut to force this process to simply re-use the existing recovery partition?