security
5729 Topics

Advancing Windows driver security: Removing trust for the cross-signed driver program
Microsoft announces the removal of trust for all kernel drivers signed by the deprecated cross-signed root program, enhancing Windows security by enforcing that only drivers signed through the Windows Hardware Compatibility Program (WHCP) are trusted by default. This change will take effect with the April 2026 Windows update for Windows 11 versions 24H2, 25H2, 26H1, and Windows Server 2025, aiming to reduce attack surfaces while maintaining compatibility for essential cross-signed drivers through an allow list.
29K Views, 5 likes, 15 Comments

I Can't re-install Windows 11 on Windows 11 system
My Windows 11 PC fails to reinstall the operating system when using the Reset This PC feature, always stopping at 50 percent with an error. Also, a separate Windows Update has failed to install for the second time in a row. Please help.
8 Views, 0 likes, 0 Comments

How to fix: kb5086672 breaks network?
After installing update KB5086672 on Windows 11, my network connection completely stopped working. The update shows as installed successfully but my PC cannot detect any Wi-Fi networks or connect via Ethernet, even though other devices on the same router work fine. I have already tried restarting my PC and router, running the network troubleshooter, and resetting network settings, but nothing has brought back connectivity. Rolling back the update immediately restores network functionality, so the update is definitely the cause. On a separate note I am also dealing with another Windows update that has failed to install for the second time in a row, always rolling back at around 75 percent. Has anyone found a permanent fix for KB5086672 breaking the network stack without having to uninstall and hide the update permanently? Any help would be greatly appreciated.
8 Views, 0 likes, 0 Comments

Can there be any problems if I install the most recent drivers on a Windows 10 laptop?
Ever since Windows 10 went EOL, Lenovo's driver updates have been marked as "for Windows 11". The thing is, I'm running drivers that are more than a year old at this point and could do with an update, since I got new RAM a while ago and am having problems both with the RAM and the webcam, and I'd like to try to fix things myself before I send the PC to support for up to a few weeks. Will I encounter any problems or break stuff on the computer if I install Windows 11 drivers on my Windows 10 Lenovo laptop?
28 Views, 0 likes, 2 Comments

Announcing Windows Server vNext Preview Build 29602
Hello Windows Server Insiders!

Today we are pleased to release a new build of the next Windows Server Long-Term Servicing Channel (LTSC) Preview that contains both the Desktop Experience and Server Core installation options for Datacenter and Standard editions and Azure Edition (for VM evaluation only). Branding remains Windows Server 2025 in this preview - when reporting issues please refer to Windows Server vNext preview.

Build 29531 established a new Server preview baseline build. Please perform a clean install of Build 29531 (or later) using the installation media linked below.

Please note: Upgrades from Windows Server vNext preview builds older than 29531 are not supported. We encourage all Windows Server vNext preview users to perform a clean install using 29531 or later to successfully upgrade to future Windows Server vNext preview builds. While upgrades from earlier Windows Server previews (Build 26525 and older) are not technically blocked by setup.exe, a number of known issues have been identified related to upgrades necessitating the establishment of a new baseline build for our Server vNext Preview Program. The new baseline build (29531) will not be Flighted due to upgrade issues. Flighting support resumed with preview build 29550 or later.

What's New

Quick Machine Recovery available in Windows Server vNext Insider Previews.

Quick machine recovery (QMR) is now available for Server vNext Insiders to test. This feature enables the recovery of Windows Server devices when they encounter boot critical errors that prevent them from booting. QMR can automatically search for cloud‑based remediations to recover from widespread boot failures significantly reducing the burden on IT administrators when multiple devices are impacted.
This supports the goals of the Windows Resiliency Initiative by enabling applicable fixes to be delivered through trusted Windows Update to restore affected devices, helping reduce downtime and minimize manual recovery efforts across enterprise environments. This feature is currently enabled in the latest Server vNext Insider builds for customers to experience test mode. A Group Policy option to enable or disable the feature will be introduced in upcoming builds to provide additional administrative control.

To simulate the quick machine recovery experience, use the following commands from an elevated command prompt:

1. Enable test mode: reagentc.exe /SetRecoveryTestmode
2. Configure Windows to boot to Windows Recovery Environment on the next boot: reagentc.exe /BootToRe
3. Reboot your device.

The system goes through autoremediation of a simulated crash safely and reboots back to Windows Server.

For more information, please review Quick machine recovery (QMR) and Windows Resiliency Initiative. When providing feedback using Feedback hub, please select QMR from the Recovery and Uninstall category in the app.

NVMe-over-Fabrics (NVMe-oF) extends the NVMe protocol—originally designed for local PCIe-attached SSDs—across a network fabric. Instead of using legacy SCSI-based protocols such as iSCSI or Fibre Channel, NVMe-oF allows a host to communicate directly with remote NVMe controllers using the same NVMe command set used for local devices.

In this Insider build, Windows Server supports:

- NVMe-oF over TCP (NVMe/TCP), allowing NVMe-oF to run over standard Ethernet networks without specialized hardware.
- NVMe-oF over RDMA (NVMe/RDMA), enabling low-latency, high-throughput NVMe access over RDMA-capable networks (for example, RoCE or iWARP) using supported RDMA NICs.

For more information, please visit: Introducing the Windows NVMe-oF Initiator Preview in Windows Server Insiders Builds | Microsoft Community Hub

ReFS Boot is enabled for Windows Server vNext preview builds.
Known Limitations

ReFS Boot systems create a minimum 2GB WinRE partition. When WinRE cannot be updated due to space constraints, the system may disable WinRE. Disabling WinRE does not remove the partition. If the WinRE partition is deleted and the boot volume is extended over it, this operation is unrecoverable without a clean install.

For more information, please visit: Resilient File System (ReFS) overview | Microsoft Learn

Feedback Hub app is available for Server Desktop users! The app should automatically update with the latest version, but if it does not, simply Check for updates in the app’s settings tab.

Known Issues

[NEW] A race condition in the TLS hybrid key exchange implementation may cause the LSASS service to crash when hybrid groups are negotiated by a TLS server. To avoid this issue until the fix is released, please disable hybrid groups (X25519_MLKEM768, SecP256r1_MLKEM768, SecP384r1_MLKEM1024) using TLS cmdlets or Group Policy, as outlined here.

Server Core Upgrades and AppCompat FOD: Enabling AppCompat FOD after reinstall may fail due to legacy 3rd-party license compatibility issues on Server Core devices. Server Core users may be unable to install the latest AppCompat FOD after upgrading to build 29574. This appears to be limited to Server Core installations with 3rd-party application licenses that fail compatibility checks after upgrade. This will be addressed in a future build.

Upgrading from older builds of Windows Server vNext previews (26525 or older) is not supported. Please perform a clean install of build 29531 or later. Users may experience failures when attempting to upgrade from earlier previews (build 26525 and older). VMs may fail to upgrade or start after upgrade from older preview builds impacting live migration and failover cluster scenarios.

Download Windows Server Insider Preview (microsoft.com)

Flighting: The label for this flight may incorrectly reference Windows 11.
However, when selected, the package installed is the Windows Server vNext update. Please ignore the label and proceed with installing your flight. This issue will be addressed in a future release.

Available Downloads

Downloads to certain countries may not be available. See Microsoft suspends new sales in Russia - Microsoft On the Issues.

- Windows Server Long-Term Servicing Channel Preview in ISO format in 18 languages, and in VHDX format in English only.
- Windows Server Datacenter Azure Edition Preview in ISO and VHDX format, English only.
- Microsoft Server Languages and Optional Features Preview

Keys: Keys are valid for preview builds only

- Server Standard: MFY9F-XBN2F-TYFMP-CCV49-RMYVH
- Datacenter: 2KNJJ-33Y9H-2GXGX-KMQWH-G6H67
- Azure Edition does not accept a key.

Symbols: Available on the public symbol server – see Using the Microsoft Symbol Server.

Expiration: This Windows Server Preview will expire September 15, 2026.

How to Download

Registered Insiders may navigate directly to the Windows Server Insider Preview download page. If you have not yet registered as an Insider, see GETTING STARTED WITH SERVER on the Windows Insiders for Business portal.

We value your feedback!

The most important part of the release cycle is to hear what's working and what needs to be improved, so your feedback is extremely valued. Please use the new Feedback Hub app for Windows Server if you are running a Desktop version of Server. If you are using a Core edition, or if you are unable to use the Feedback Hub app, you can use your registered Windows 10 or Windows 11 Insider device and use the Feedback Hub application. In the app, choose the Windows Server category and then the appropriate subcategory for your feedback. In the title of the Feedback, please indicate the build number you are providing feedback on as shown below to ensure that your issue is attributed to the right version:

[Server #####] Title of my feedback

See Give Feedback on Windows Server via Feedback Hub for specifics.
The Windows Server Insiders space on the Microsoft Tech Communities supports preview builds of the next version of Windows Server. Use the forum to collaborate, share and learn from experts. For versions that have been released to general availability in market, try the Windows Server for IT Pro forum or contact Support for Business.

Diagnostic and Usage Information

Microsoft collects this information over the internet to help keep Windows secure and up to date, troubleshoot problems, and make product improvements. Microsoft server operating systems can be configured to turn diagnostic data off, send Required diagnostic data, or send Optional diagnostic data. During previews, Microsoft asks that you change the default setting to Optional to provide the best automatic feedback and help us improve the final product. Administrators can change the level of information collection through Settings. For details, see http://aka.ms/winserverdata. Also see the Microsoft Privacy Statement.

Terms of Use

This is pre-release software - it is provided for use "as-is" and is not supported in production environments. Users are responsible for installing any updates that may be made available from Windows Update. All pre-release software made available to you via the Windows Server Insider program is governed by the Insider Terms of Use.
178 Views, 1 like, 0 Comments

Is there a way to have Firefox output to two different audio endpoints in Windows 11?
I want to use Firefox on my laptop and also extend onto my TV. I would like the Firefox window on my laptop to output to my headphones and the Firefox window on my TV to go through the TV speakers. Does anyone have a good solution for this?
45 Views, 0 likes, 3 Comments

Support tip: Upcoming Microsoft Intune network changes
3/18/2026 Update: The rollout of the Intune network changes described in this blog is in progress across each workload. Additionally, we are beginning to slowly roll out to each scale unit starting with North America 0702. You can find your scale unit location under Tenant administration > Tenant status > Tenant details. To avoid issues or failures with your device management, ensure your network infrastructure allows traffic for Azure Front Door IP addresses. See the details below to verify if your configuration requires an update and use the Azure Front Door Connectivity Diagnostics Tool to validate or troubleshoot.

We know many customers don’t always check their service change messages in the Microsoft 365 admin center or the corresponding Message Center content in the Microsoft Intune admin center, so in this blog post we’re highlighting an important upcoming change to Intune network service endpoints. Starting on or shortly after December 2, 2025, Intune will also use Azure Front Door IP addresses to improve security and simplify firewall management. If your organization uses outbound traffic policies based on IP addresses or service tags, you’ll want to review and update your firewall rules to avoid service disruptions. We’ll keep you updated if the timeline shifts.

In the meantime, here’s the service change communication that posted to all Intune customers:

MC1147982 - Action Required: Update firewall configurations to include new Intune network endpoints

As part of Microsoft’s ongoing Secure Future Initiative (SFI), starting on or shortly after December 2, 2025, the network service endpoints for Microsoft Intune will also use Azure Front Door IP addresses. This improvement supports better alignment with modern security practices and over time will make it easier for organizations using multiple Microsoft products to manage and maintain their firewall configurations.
As a result, customers may be required to add these network (firewall) configurations in third-party applications to enable proper function of Intune device and app management. This change will affect customers using a firewall allowlist that allows outbound traffic based on IP addresses or Azure service tags.

Do not remove any existing network endpoints required for Microsoft Intune. Additional network endpoints are documented as part of the Azure Front Door and service tags information referenced in the files linked below:

- Public clouds: Download Azure IP Ranges and Service Tags – Public Cloud from Official Microsoft Download Center
- Government clouds: Download Azure IP Ranges and Service Tags – US Government Cloud from Official Microsoft Download Center

The additional ranges are those listed in the JSON files linked above and can be found by searching for “AzureFrontDoor.MicrosoftSecurity”.

How this will affect your organization

If you have configured an outbound traffic policy for Intune IP address ranges or Azure service tags for your firewalls, routers, proxy servers, client-based firewalls, VPN or network security groups, you will need to update them to include the new Azure Front Door ranges with the “AzureFrontDoor.MicrosoftSecurity” tag. Intune requires internet access for devices under Intune management, whether for mobile device management or mobile application management. If your outbound traffic policy doesn’t include the new Azure Front Door IP address ranges, users may face login issues, devices might lose connectivity with Intune, and access to apps like the Intune Company Portal or those protected by app protection policies could be disrupted.

What you need to do to prepare

Ensure that your firewall rules are updated and added to your firewall’s allowlist with the additional IP addresses documented under Azure Front Door by December 2, 2025.
Alternatively, you may add the service tag “AzureFrontDoor.MicrosoftSecurity” to your firewall rules to allow outbound traffic on port 443 for the addresses in the tag.

If you are not the IT admin who can make this change, notify your networking team. If you are responsible for configuring internet traffic, refer to the following documentation for more details:

- Azure Front Door
- Azure service tags
- Intune network endpoints
- US government network endpoints for Intune

If you have a helpdesk, inform them about this upcoming change. If you need additional assistance, contact Microsoft Intune Support and refer to this Message Center post.

Note: The above post went to all customers in our public cloud. Customers in Microsoft Intune for US Government GCC High and DoD received the following post (the only difference is the focus on US government network endpoints):

MC1147978 - Action Required: Update firewall configurations to include additional Intune network endpoints

Note: The previously available PowerShell scripts for retrieving Microsoft Intune endpoint IP addresses and FQDNs no longer return accurate data from the Office 365 Endpoint service. Instead, use the consolidated list provided in the Intune endpoints documentation. Using the original scripts or endpoint lists from the Office 365 Endpoint service is insufficient and may lead to incorrect configurations.

For network best practices, make sure to check out the blog: Support tip: Aligning network policy with Intune and Zero Trust.

New: Azure Front Door Connectivity Diagnostics Tool for Intune

To help you validate or troubleshoot the recent Intune network changes, we’ve published a lightweight Azure Front Door (AFD) Connectivity Diagnostics Tool. The script tests DNS resolution, outbound TCP connectivity on ports 80 and 443, and HTTPS reachability to the AFD IP ranges used by Intune, directly from an Intune-managed device. This is useful for environments that rely on IP-based firewall, proxy, or VPN rules.
Important: This script only tests Azure Front Door endpoints. It does not validate connectivity to non-AFD Intune endpoints, including existing Intune IPs, service FQDNs, or related services such as Windows Notification Service (WNS) or Windows Autopilot.

If you have any questions, leave a comment below or reach out to us on X @IntuneSuppTeam or @MSIntune. You can also connect with us on LinkedIn.

Post updates:
11/13/25: Added a note to use the consolidated list of Intune endpoints.
12/18/25: We’ve published a new Azure Front Door (AFD) Connectivity Diagnostics Tool to help validate and troubleshoot Intune connectivity after updating firewall rules.
658K Views, 10 likes, 31 Comments

I want to keep Windows 11 install
I purchased a CPU/motherboard combo that was very cost-effective (the motherboard was basically free, so I decided to use it). Therefore, I plan to upgrade the motherboard. I want to keep the existing Windows 11 Pro system because it's only been installed for a few months.

Windows 11 version: 10.0.26200 build 26200

What steps should I take to ensure that my Windows 11 installation is not affected when replacing the motherboard?

1) Create a system image and drive clone (I will do both at the same time because I have a spare SSD) as a backup.
2) All drives have BitLocker disabled.
3) Should I disable AMD fTPM in the motherboard BIOS before replacing the motherboard? Or should I disable Secure Boot or other similar functions?
4) Before removing the old motherboard, should I uninstall the old chipset drivers from Windows 11 first?
5) After installing the new motherboard, before rebooting to Windows 11, what settings do I need to turn off or enable?
6) Windows 11 needs to be reactivated. Before replacing the motherboard, should I remove the computer from the Microsoft account and then re-add it after starting the new motherboard's Windows system? I don't remember how I reactivated it before.
20 Views, 0 likes, 0 Comments

Security Review for Microsoft Edge version 149
We have reviewed the new settings in Microsoft Edge version 149 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 139 security baseline continues to be our recommended configuration, which can be downloaded from the Microsoft Security Compliance Toolkit.

Microsoft Edge version 149 introduced 7 new Computer and User settings; we have included a spreadsheet listing the new settings to make them easier for you to find.

As a friendly reminder, all available settings for Microsoft Edge are documented here, and all available settings for Microsoft Edge Update are documented here.

Please continue to give us feedback through the Security Baselines Discussion site or this post.