It's not as good as an actual virtual machine though, because Sandbox does share some resources with your main Windows install in a way that could potentially have exploitable leaks.
9:15 Enabling memory integrity makes VirtualBox’s performance tank. I was going through my settings one day and enabled it. A month later when I wanted to use VirtualBox again, I was confused as to why its performance was so bad. Figuring it out was not easy.
The Exploit Protection at 2:26 is for using the internal Windows Defender antivirus. If that is disabled, those settings will not work. If you're using a separate antivirus, this is irrelevant, and will be controlled by the separate antivirus, and will disable Windows Defender. Same goes for Application Guard at 5:33 and Reputation Based Protection at 7:30.
Well,I personally think that disabling a few of them won't break your machine, I also disabled some of them and my laptop runs fine,also if you want you can change the startup type of many services to manual
I would suggest encrypting your desktop with Bitlocker. It's no more intrusive than doing the same on your laptop. And, yes someone could break in your home to steal your desktop. Less likely, but possible. However, what's being missed here is the day you have to replace your hard drive or you sell your desktop. With full disk encryption enabled, the data is not retrievable if the disk is removed and opened on another computer or if you clear the TPM (security chip) on the desktop. Simply formatting the disk is not enough to secure the data on an unencrypted disk. But with full disk encryption, all you have to do is throw away the key and the data is no more meaningful than random junk data. That's the easiest, fastest, and most secure way to decommission old hardware (aside large shredders and acid baths).
If your motherboard dies, you're also potentially screwed, if you lose your Bitlocker key. The problem with Bitlocker, is you're at risk of being locked out of your own data due to hardware failure. Unless you have sensitive data you're taking out of your home to a public setting, there's not reason to use it. As for disposing of drive, there are many utilities, including some that are free, which will do military grade erasures. You could also take a power drill and drive holes in the drive before you dispose of it.
@@disgustedluigi So you're saying you're encrypting your working drive, but not your, presumably external, backup drives? Then what's the point of encrypting anything?
@@wildbill4496 what are you talking about, you can encrypt your backups too you know. And not just with Bitlocker. A lot of DAS or NAS devices (both retail or open source DIY) have their own robust encryption and data security methods. Plus if you keep them in, say, a locked networking closet in an enclosed rack you get the added physical security as well.
@@disgustedluigi Yeah let's tell every computer owner to go out and put a safe in their house to lock up their backup drives. LOL. The problem is the same with backup drives. If you lose your encryption key and your hardware fails you are still screwed with Bitlocker. The vast majority of home consumers do not need to encrypt their drives, if they secure their home network, and encrypting their drives actually adds another potential point for data loss. Now if you have a laptop you are frequently traveling with, then yes it would be a good idea to encrypt those drives if they contain sensitive data, but you are beyond paranoid (or probably doing something illegal or living in a bad neighborhood with lots of breakins), if you feel the need to encrypt drives that stay in your home and/or don't take into public settings. Simply put for most home consumers, the risks outweigh the benefits, when it comes to encrypting drives.
Security is a teeter totter with ease of use. If you are completely secure, it's unusable and vice versa. It comes down to a balance of secure enough for everyday usability.
Hyper-V does not have to be enabled to use Windows Sandbox. However, virtualization does need to be enabled. Virtualization is usually disabled by default in the bios settings of most motherboard manufacturers. You can check if virtualization is enabled on your computer by opening the Task Manager, clicking on the Performance tab, and clicking on CPU. On the bottom right, it should say “Virtualization: “ and “Enabled” or “Disabled.”
@@alexandreman8601 No without bitlocker anyone on the network can read the data of your harddrive. Furthermore if your laptop gets stolen they can read the data of your harddrive as well by plugging it in to there pc. Bitlocker blocks those 2 things.
There absolutely is a thing as too much security ... when it becomes so cumbersome that you actively avoid it or cannot function in a reasonable manner then that is too much security.
Also, if it's so much security that it compromises your privacy. I chose Windows Defender as the security software on my new PC because of privacy, actually, because it's less likely MS is gathering much info from their AV when they already gather info from other places on the OS.
@@jakobfel2 Defender sends to M$ the name of every domain you visit in any browser, and the hash and filename of every binary you launch. With Defender off, OS itself does not do that.
@@BarafuAlbino If you have automatic sample submission on, yes. MS is already getting that info through other means in the OS. I'd rather not give my data to other corpos more than I have to.
Thank you Theo. Only thing you missed was to turn on System Restore which is not on by default. Be handy if an update breaks an unsupported machine yes.
Thanks for the very nice recommendations! I myself activated additionally to the ones I had the app protection in the windows features and the for the edge the guard one.
Important note for Core Isolation > Memory Integrity, If your PC isn't powerful enough, better balance your needs as it could slow your computer down. To be fair, I'm running my Windows on VM so it is so noticeable.
@ThioJoe, is it me or does the Airline Pilot Kelsey from "74 Gear" youtube channel have very similar mannerism to yours. I couldnt put my finger on it but i always had a feeling that he was reminding me of someone, and recently i realised it was Thio. Anyone else thinks so?
2:13 ThioJoe, great rundwon on Windows Sandbox! For those wonderng, while it’s perfect for checking out files you’re unsre about, just a heads up, it’s not ideal for everything. Like, don’t expec to run high-end games or tackle sophistcated viruses in it. But for that extra piece of mind with everyday downloads, it’s pretty neat. ThioJoe’s insights are always on point, and it’s cool to see featurs like this geting highlighted.
Also you need to enable Virtualization in BIOS for Hyper Visor and Sandbox to be selectable in the first place. This is kina awkward since on Ryzen having Virtualization enabled seems to interfere with using Ryzen Master for some odd reason and only let you run it. But if you're not overclocking then who cares? Also keep in mind Win10 calls it "Hyper-V," and "Hyper Visor" in Win11 in the list of Windows Features, but they are exactly the same thing. You can enable Hyper Visor with Virtualization disabled, but you're just installed a client-side app that lets you connect to a hypervisor VM being ran on another PC or server on your network.
9:20 If the Core Isolation option is not available in Windows settings despite the hardware being supported, the Virtual Machine in the BIOS is most likely disabled. To enable it, go to the motherboard BIOS and look for "SVM Mode" for AMD and "Intel (VMX) Virtualization Technology" for INTEL Systems.
For Windows Sandbox you haven't to activate the Hypervisor Platform, but "Hyper-V" (virtualization service), and to activate Hyper-V you gotta go in BIOS and make sure the virtualization is supported by CPU and motherboard and activated ;-D
For the few of you, who are interested in maxing out Windows's Security, check this guide out. It's very hardcore, but high security has a price....unless you run linux of coursr
Hey Joe. can you talk about the products of Hak5? They make normal looking USB or lightning cables that have a built in keylogger, can exectue scripts on a device, have a built in wireless access point to controll the cable from the far and many more features. A cable costs between 40 and 160 USD, which is dirt cheap for such a tool. Would you please show such a product and teach the people about how increadibly dangerous it can be, to put in a random usb cable into a device. Most people probably don't think that a USB cable they found somewhere can be extremely dangerous.
I actually have enabled all of these except for Controlled Folder Access as it has so many false positives. Windows 11 in Insiders Builds also has Smart App Control (although it requires a clean install or a reset to work :( ) Edge also can disable JIT for more security (but with worse performance) if you run it normally or in Application Guard by going into Edge Settings (it was formerly known as Super Duper Secure Mode while it was in beta (I am not even kidding that was the name). Finally there are Attack Surface Reduction (ASR) rules which also requires Windows Pro edition that can increase security quite a bit
The warnings you get from Controlled Folder Access are not false positives. That is its literal job, to not allow untrusted apps to access folders. You can just go and whatever you're running to exclusions.
@@heyporange sadly with a lot of updated to even trusted programs it blocks em because of the temp files created. So you would still have to turn it off, update and then reenable
@@heyporange i did and have but it always game me an error as it tried to make a temp file in an “invisible” location (not in a hidden file mind you) and it never allowed it to update. I have a long list of excluded programs and it still caused the issue. So it remains off
@@heyporange I mean I get that but it just constantly blocks apps over and over. Worst part is that some apps just give an error when they are not able to save with no chance to retry. Some installers that save shortcut to Desktop also give errors during install (so I don’t know if the program completely installed just without the shortcut or it is an incomplete install)
12:05 controlled folder access is an abandoned feature... windows doesnt even automatically whitelist games from xbox game pass that save files in documents
Personally, as a dev, i would recommend to disable SmartScreen instead. Most of the time, it is redundant as you can already guess if an app is common or not. It also makes it harder and scarier for users to install smaller apps, and not everyone can afford to pay a very expensive license monthly or yearly. This is just a measure that hurts smaller devs a little while it is pretty much useless against malwares anyways. If you're developing in compiled languages, it can also be very annoying to allow your own compiled app to run each time.
6:42 broo plz. Delete egde and defender and app guard. Enable vbs boot ot secure launch with eset internet security its works with secure launch . Windows defender slow pc soo hard :/
Most people don't have Pro. I'm still using Windows 10, due to the plethora of negative remarks I've seen, pertaining to Windows 11. I'd like to make a friendly and helpful suggestion that you pitch this for Windows Home users and be a little more Windows 10 savvy. It doesn't inspire confidence when you are continually saying that you're "not sure: about features in Windows 10. You're a UA-cam presenter. If you're not sure, research it first. I hope you take on board these suggestions as constructive criticism, not admonishment. We all appreciate the efforts you've gone to but things must be relevant to "The great unwashed".
Before enabling bitlocker, please be aware that if you are dual booting your machine then it's not a good idea. It might potentially corrupt the whole boot partition and you'd most likely have to reinstall windows.
1:30 Hi please answer! Would you copy the shortcut of the installed file? Or would you copy the installer file and install & run it in the sandbox? Or did you mean something else completely?
Although this is a good video, The audience definitely needs to know which version of windows is being spoken about. is it windows 11 student edition or is it ultimate? stuff like that.
Bitlocker is the bane of a repair technician. Customers never remember their microsoft logins. :( Still the only windows security measure that actually protects your data. Passwords don't mean a thing.
Note that you don’t want to install windows sandbox if you’re using other virtual machines. It has compatibility issues with Vmware workstations and probably also with other virtual machines. And what’s the point of having two virtual machines?
Great features! I have not know about all of them! BTW - Windows PIN instead of simple password should be mentioned here. Bitlocker for all Windows devices (not laptops only) is definitely a right thing to make use of.
1:02 keeps saying "virtualization support is disabled in the firmware", says the same thing for the application guard (Yes, my pc is a windows 10 pro and i enabled windows hypervisor platform)
Sandbox: I have a fresh windows 11 Pro installed. I did what you said and it would not open. Just got that gray box. I called MS tech support and they referred me to the developer and they said they only do business accounts. They said they don't support home users. So, that being said, what can I use as a 3rd party app to take the place of Sandbox?
The ONLY security I absolutely NEED: Preventing Microshaft's system destroyer updates! All my software wiped, all software certifications gone, and none of my sites recognized me. Took me 4 days to resume working! That was on a latest model Asus Zenbook. that perfectly until the update.
for those are using AMD custom resolution before enabling the "Windows-Sandbox" just in case because for some reason when i had the custom AMD Resolution on after i enabled the windows sandbox my display was messed up for example the display was offscreen somewhat but after i deleted my display and re-created it it was working completely fine now it just needed a refresh. 1. disable your custom resolution first from the "AMD Radeon Software (The Red One)" "Gaming > Display (Custom Resolutions)" 2. then enable "Windows-Sandbox" then restart your computer 3. then once done and logged in go into "AMD Radeon Software(The Red One)" and in the menu "Gaming > Display then under the custom color there should be a (Custom Resolutions)" then re-enable it
Is there a way to export firewall rules/settings from Bitdefender, and then import the rules into Windows defender, before I get rid of Bitdefender? Have been looking everywhere to no avail. Thank you.
0:505:37 I'm running Windows 10 Pro and have Windows Hypervisor Platform enabled. It tells me Sandbox and Microsoft Application Guard can't be installed because "Virtulization support is disabled in the firmware." 9:17 Core Isolation does not exist on my OS.
I am sure my computer can run Application Guard. Can you give me a check list of what I need to have set up[ first on my computer? There was a setting in the bios that was turned off when I installed Windows 11.
I had to remove the controlled folder access because it always prevented programs from updating because they tried ti create a temp file. The thing is the location was not set up to be “guarded” by the controlled folder access and when i read the location it basically did not exist. I like the feature but that aspect made me turn it off.
Controlled Folder Access can be quite annoying. I managed to build source code in Document folder. That process involves a lot of executables. It is a nightmare to add all of it in the whitelist. I ended up doing that outside the Document folder. It cannot do batch addition is another inconvenience. Although you can somehow do this with Group Policy, you cannot simply copy a list into the configurations.
Hi, thanks for a great video. I tried activating HVCI setting but it reported a list of incompatible driver instead. I searched internet for a solution and found a complete solution. For a driver with a publisher name, run "pnputil -f -d " without angled brackets, in administrator console. For a driver without a publisher name, run autoruns (included in Sysinternals Suite, can be downloaded from Windows Store) in administrator mode, and navigate to driver tab. There you can disable loading certain drivers. Find the incompatible drivers by name in the list from the Security UI. Now that the all incompatible drivers are either removed or inactive, you can try restarting Windows and see if it works.
Also, I have recently upgraded from Windows 11 from Windows 10, and Security UI was not opening. If that's the case, run "Windows PowerShell" in Administrator mode, not the "Powershell" (pscore) or "Windows Terminal". Then, run following line: Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"} for some reason running this with gsudo does not work, so you'll have to launch the powershell window in a admin mode.
These features are probably good for security, but they also affect performance, especially perceived latency when opening files and programs. I don't care about security on my gaming computer and i want it to feel fast, so I disable Microsoft Defender altogether.
Thanks Joe! Btw, Im having problem on my window security. My "Microsoft Vulnerable Driver Blocklist is greyed out". Is it safe? If not how can I enable it?
Does not Sanbox slow one's computer down noticebly, expecially with a mechanical drive? Or for some reason even CPU's - Thanks Same with Bitlocker I guess
I have win 10 pro, seems sandbox is disabled, something about disabled in the firmware on my computer. so I click on hypervisor platform but that did not help. core isolation is not supported. It seems that all windows are not equal lol.
HyperVisor is really only needed if you run Virtual Machines on your PC where you need the extra security for devices connected through a passthrough to the virtual machine.
What is PC Health Check note that appears when I check updates in Windows 10. I checked and I have the app but can't access it. Do I need this?? My PC and laptop crashed recently so I'm really scared to click on anything and it's like swimming in a shark pool sometimes
The windows sandbox is actually really useful! On my machine it actually had Edge installed.
It also was installed into my PC!
It's installed there by default.
@@lucky_lol and what is that? 1:27
It's not as good as an actual virtual machine though, because Sandbox does share some resources with your main Windows install in a way that could potentially have exploitable leaks.
Mine also has Edge installed
9:15 Enabling memory integrity makes VirtualBox’s performance tank. I was going through my settings one day and enabled it. A month later when I wanted to use VirtualBox again, I was confused as to why its performance was so bad. Figuring it out was not easy.
For me VirtualBox just crashes when it's on and you try to start a machine
That could explain why Java uses too much CPU in my machine
Switch to vmware
@@Ivedotwav I'm fairly sure that VMware had similar issues unless they recently updated in in v 16
@@twinssword VMware does perform worse when Hyper-V hypervisor is active, but it is usable.
The Exploit Protection at 2:26 is for using the internal Windows Defender antivirus. If that is disabled, those settings will not work. If you're using a separate antivirus, this is irrelevant, and will be controlled by the separate antivirus, and will disable Windows Defender. Same goes for Application Guard at 5:33 and Reputation Based Protection at 7:30.
What types of services should we stop in the service tab in Windows 10? because many services consume a lot of RAM and CPU.
Idk it's risky to go about disabling services you don't understand
You can disable the Print Spooler if you don't have a printer. I haven't had any repercussions with doing that.
Chris Titus Tech
Well,I personally think that disabling a few of them won't break your machine, I also disabled some of them and my laptop runs fine,also if you want you can change the startup type of many services to manual
@@koosschutter1675 TBH his script doesn't make much difference, I tried it, it's okay but not that great
Thanks!
Yep glad it helped 👍
I'm in favor of dedicated and detailed videos about those features.
I would suggest encrypting your desktop with Bitlocker. It's no more intrusive than doing the same on your laptop. And, yes someone could break in your home to steal your desktop. Less likely, but possible. However, what's being missed here is the day you have to replace your hard drive or you sell your desktop. With full disk encryption enabled, the data is not retrievable if the disk is removed and opened on another computer or if you clear the TPM (security chip) on the desktop. Simply formatting the disk is not enough to secure the data on an unencrypted disk. But with full disk encryption, all you have to do is throw away the key and the data is no more meaningful than random junk data. That's the easiest, fastest, and most secure way to decommission old hardware (aside large shredders and acid baths).
If your motherboard dies, you're also potentially screwed, if you lose your Bitlocker key. The problem with Bitlocker, is you're at risk of being locked out of your own data due to hardware failure. Unless you have sensitive data you're taking out of your home to a public setting, there's not reason to use it. As for disposing of drive, there are many utilities, including some that are free, which will do military grade erasures. You could also take a power drill and drive holes in the drive before you dispose of it.
@@wildbill4496 if you’re making proper backups losing your computer shouldn’t be a concern.
@@disgustedluigi So you're saying you're encrypting your working drive, but not your, presumably external, backup drives? Then what's the point of encrypting anything?
@@wildbill4496 what are you talking about, you can encrypt your backups too you know. And not just with Bitlocker. A lot of DAS or NAS devices (both retail or open source DIY) have their own robust encryption and data security methods. Plus if you keep them in, say, a locked networking closet in an enclosed rack you get the added physical security as well.
@@disgustedluigi Yeah let's tell every computer owner to go out and put a safe in their house to lock up their backup drives. LOL. The problem is the same with backup drives. If you lose your encryption key and your hardware fails you are still screwed with Bitlocker. The vast majority of home consumers do not need to encrypt their drives, if they secure their home network, and encrypting their drives actually adds another potential point for data loss. Now if you have a laptop you are frequently traveling with, then yes it would be a good idea to encrypt those drives if they contain sensitive data, but you are beyond paranoid (or probably doing something illegal or living in a bad neighborhood with lots of breakins), if you feel the need to encrypt drives that stay in your home and/or don't take into public settings. Simply put for most home consumers, the risks outweigh the benefits, when it comes to encrypting drives.
Security is a teeter totter with ease of use. If you are completely secure, it's unusable and vice versa. It comes down to a balance of secure enough for everyday usability.
Hyper-V does not have to be enabled to use Windows Sandbox. However, virtualization does need to be enabled. Virtualization is usually disabled by default in the bios settings of most motherboard manufacturers. You can check if virtualization is enabled on your computer by opening the Task Manager, clicking on the Performance tab, and clicking on CPU. On the bottom right, it should say “Virtualization: “ and “Enabled” or “Disabled.”
Bitlocker is on laptops enabled by default (In the EU), because Microsoft is by EU law required to do everything they can to protect peoples data.
Damn, EU seems to be the only place that actually cares about peoples privacy
bitlocker is so useless
@@alexandreman8601 No without bitlocker anyone on the network can read the data of your harddrive. Furthermore if your laptop gets stolen they can read the data of your harddrive as well by plugging it in to there pc. Bitlocker blocks those 2 things.
@@alexandreman8601 do you know how it works? It's very useful
Microsoft protecting ppl data 😂
There absolutely is a thing as too much security ... when it becomes so cumbersome that you actively avoid it or cannot function in a reasonable manner then that is too much security.
Also, if it's so much security that it compromises your privacy. I chose Windows Defender as the security software on my new PC because of privacy, actually, because it's less likely MS is gathering much info from their AV when they already gather info from other places on the OS.
@@jakobfel2 Defender sends to M$ the name of every domain you visit in any browser, and the hash and filename of every binary you launch. With Defender off, OS itself does not do that.
@@BarafuAlbino If you have automatic sample submission on, yes.
MS is already getting that info through other means in the OS. I'd rather not give my data to other corpos more than I have to.
Love this channel ever since you stopped doing satire. Such awesome videos and straight to the point information. Love you Thio! 😁
Thank you Theo. Only thing you missed was to turn on System Restore which is not on by default. Be handy if an update breaks an unsupported machine yes.
Thanks for the very nice recommendations!
I myself activated additionally to the ones I had the app protection in the windows features and the for the edge the guard one.
My wallpaper now is your "Another Failed Simulation" masterpiece
Noice
Okay, the Sandbox one alone is godsend. Thanks Thio.
Important note for Core Isolation > Memory Integrity, If your PC isn't powerful enough, better balance your needs as it could slow your computer down. To be fair, I'm running my Windows on VM so it is so noticeable.
@ThioJoe, is it me or does the Airline Pilot Kelsey from "74 Gear" youtube channel have very similar mannerism to yours.
I couldnt put my finger on it but i always had a feeling that he was reminding me of someone, and recently i realised it was Thio.
Anyone else thinks so?
2:13 ThioJoe, great rundwon on Windows Sandbox! For those wonderng, while it’s perfect for checking out files you’re unsre about, just a heads up, it’s not ideal for everything. Like, don’t expec to run high-end games or tackle sophistcated viruses in it. But for that extra piece of mind with everyday downloads, it’s pretty neat. ThioJoe’s insights are always on point, and it’s cool to see featurs like this geting highlighted.
Extremely useful video. Thank you
I disable them to get more fps😎
uhh
Hmmm
Yeah gotta make sure that free FPS tweaker download works
Also you need to enable Virtualization in BIOS for Hyper Visor and Sandbox to be selectable in the first place.
This is kina awkward since on Ryzen having Virtualization enabled seems to interfere with using Ryzen Master for some odd reason and only let you run it. But if you're not overclocking then who cares? Also keep in mind Win10 calls it "Hyper-V," and "Hyper Visor" in Win11 in the list of Windows Features, but they are exactly the same thing. You can enable Hyper Visor with Virtualization disabled, but you're just installed a client-side app that lets you connect to a hypervisor VM being ran on another PC or server on your network.
I'm curious about the impact on speed for applications, especially when it comes to games old and new. And ssd operations.
9:20 If the Core Isolation option is not available in Windows settings despite the hardware being supported, the Virtual Machine in the BIOS is most likely disabled. To enable it, go to the motherboard BIOS and look for "SVM Mode" for AMD and "Intel (VMX) Virtualization Technology" for INTEL Systems.
Bitlocker and Windows' Built-In Encryption feature is actually two distinct features, they are not mutually exclusive.
Difference?
How are they different?
For Windows Sandbox you haven't to activate the Hypervisor Platform, but "Hyper-V" (virtualization service), and to activate Hyper-V you gotta go in BIOS and make sure the virtualization is supported by CPU and motherboard and activated ;-D
For the few of you, who are interested in maxing out Windows's Security, check this guide out. It's very hardcore, but high security has a price....unless you run linux of coursr
The Most useful channel on UA-cam for explaining new things on our PCs. Thank You!
I completely agree with that
Hey Joe. can you talk about the products of Hak5?
They make normal looking USB or lightning cables that have a built in keylogger, can exectue scripts on a device, have a built in wireless access point to controll the cable from the far and many more features. A cable costs between 40 and 160 USD, which is dirt cheap for such a tool.
Would you please show such a product and teach the people about how increadibly dangerous it can be, to put in a random usb cable into a device. Most people probably don't think that a USB cable they found somewhere can be extremely dangerous.
I actually have enabled all of these except for Controlled Folder Access as it has so many false positives. Windows 11 in Insiders Builds also has Smart App Control (although it requires a clean install or a reset to work :( ) Edge also can disable JIT for more security (but with worse performance) if you run it normally or in Application Guard by going into Edge Settings (it was formerly known as Super Duper Secure Mode while it was in beta (I am not even kidding that was the name). Finally there are Attack Surface Reduction (ASR) rules which also requires Windows Pro edition that can increase security quite a bit
The warnings you get from Controlled Folder Access are not false positives. That is its literal job, to not allow untrusted apps to access folders. You can just go and whatever you're running to exclusions.
@@heyporange sadly with a lot of updated to even trusted programs it blocks em because of the temp files created. So you would still have to turn it off, update and then reenable
@@Damascus_Zeramas You don't have to turn it off. Just add the executable to exclusions.
@@heyporange i did and have but it always game me an error as it tried to make a temp file in an “invisible” location (not in a hidden file mind you) and it never allowed it to update. I have a long list of excluded programs and it still caused the issue. So it remains off
@@heyporange I mean I get that but it just constantly blocks apps over and over. Worst part is that some apps just give an error when they are not able to save with no chance to retry. Some installers that save shortcut to Desktop also give errors during install (so I don’t know if the program completely installed just without the shortcut or it is an incomplete install)
12:05 controlled folder access is an abandoned feature... windows doesnt even automatically whitelist games from xbox game pass that save files in documents
Personally, as a dev, i would recommend to disable SmartScreen instead. Most of the time, it is redundant as you can already guess if an app is common or not.
It also makes it harder and scarier for users to install smaller apps, and not everyone can afford to pay a very expensive license monthly or yearly. This is just a measure that hurts smaller devs a little while it is pretty much useless against malwares anyways.
If you're developing in compiled languages, it can also be very annoying to allow your own compiled app to run each time.
Your recommendations caused my CPU temperatures to go from the high 40s to the high 90s.
1:26 "If you downloaded a program that you think is kinda suspicious" **types "edge" in the search bar**
6:42 broo plz. Delete egde and defender and app guard. Enable vbs boot ot secure launch with eset internet security its works with secure launch . Windows defender slow pc soo hard :/
Great video as always. I like your Windows 11 theme, is it a custom theme?
That Sandbox is awesome.
Most people don't have Pro. I'm still using Windows 10, due to the plethora of negative remarks I've seen, pertaining to Windows 11.
I'd like to make a friendly and helpful suggestion that you pitch this for Windows Home users and be a little more Windows 10 savvy. It doesn't inspire confidence when you are continually saying that you're "not sure: about features in Windows 10. You're a UA-cam presenter. If you're not sure, research it first. I hope you take on board these suggestions as constructive criticism, not admonishment. We all appreciate the efforts you've gone to but things must be relevant to "The great unwashed".
Awesome video, what software do you use for your start menu? looks kinda like the windows 10 menu.
You've got some great wall paper, Another Failed Simulation and Fall of Midnight.
Before enabling bitlocker, please be aware that if you are dual booting your machine then it's not a good idea. It might potentially corrupt the whole boot partition and you'd most likely have to reinstall windows.
Windows sandbox needs virtualization techology enabled in bios?
Thanks ThioJoe! I'm pretty savvy but there's always one or two things I forget about, like the Core Isolation setting.
Thanks! This helped me! ❤️
Sorry my keyboard autocorrect
3:11 Force randomization for images (Mandatory ASLR)
You should make a list of security tools in descriptionb(and ideally the timestamp where that topic starts)
1:30 Hi please answer! Would you copy the shortcut of the installed file? Or would you copy the installer file and install & run it in the sandbox? Or did you mean something else completely?
Thanks for your sharing
Although this is a good video,
The audience definitely needs to know which version of windows is being spoken about.
is it windows 11 student edition or is it ultimate?
stuff like that.
5:57 It does not appear in Windows 11 Home edition, so we can assume you need the Pro edition.
Excellent info... Thanks. 😎😎😀😀
Bitlocker is the bane of a repair technician. Customers never remember their microsoft logins. :( Still the only windows security measure that actually protects your data. Passwords don't mean a thing.
Note that you don’t want to install windows sandbox if you’re using other virtual machines. It has compatibility issues with Vmware workstations and probably also with other virtual machines. And what’s the point of having two virtual machines?
You need to have a CPU that supports VMware (Intel virtualization or AMD) for Windows Sandbox
All (?) modern CPUs support virtualization, but this function is disabled by default. Check your UEFI settings.
Great features! I have not know about all of them! BTW - Windows PIN instead of simple password should be mentioned here. Bitlocker for all Windows devices (not laptops only) is definitely a right thing to make use of.
I make my pin larger than my use to be password. I make them alphanumeric!
Awesome tutorial
The more you know! Knowledge is power! 🧠💪
on win 10 pro 21H1 all exploit protection were all enabled except for image randomization
Hey Joe, really needed this. Anyways. Is Windows Sandbox propperly isolated? I mean,can I destroy it with viruses safely?
I'm also interested in the answer
Thank you Joe
Hi Theo,
Can you make a video or blog for Windows 10 to Win 11 upgrade, what all backup I need to take, just C: or whole hard drive ?
I had heard that Windows 11 requires you to use a Microsoft account, but you referred to using a local account in your video. That is good news!
Always helps!
Wasn't there a problem with memory core isolation feature causing games slow down or something?
Thank you so much!
What do you think about sandboxie?
1:02 keeps saying "virtualization support is disabled in the firmware", says the same thing for the application guard
(Yes, my pc is a windows 10 pro and i enabled windows hypervisor platform)
You have to go into your BIOS/UEFI (that's what the "firmware" is) and enable CPU virtualization.
@@knubswak Thx
Sandbox: I have a fresh windows 11 Pro installed. I did what you said and it would not open. Just got that gray box. I called MS tech support and they referred me to the developer and they said they only do business accounts. They said they don't support home users. So, that being said, what can I use as a 3rd party app to take the place of Sandbox?
I recommend Sandboxie Plus as your 3rd party app and have used it since I had Windows 10 Home but now I got Windows 10 Pro version.
The ONLY security I absolutely NEED: Preventing Microshaft's system destroyer updates!
All my software wiped, all software certifications gone, and none of my sites recognized me.
Took me 4 days to resume working! That was on a latest model Asus Zenbook. that perfectly until the update.
Excellent work and video! Too bad these features aren't on by default. Thanks for sharing
for those are using AMD custom resolution before enabling the "Windows-Sandbox" just in case because for some reason when i had the custom AMD Resolution on after i enabled the windows sandbox my display was messed up for example the display was offscreen somewhat but after i deleted my display and re-created it it was working completely fine now it just needed a refresh.
1. disable your custom resolution first from the "AMD Radeon Software (The Red One)" "Gaming > Display (Custom Resolutions)"
2. then enable "Windows-Sandbox" then restart your computer
3. then once done and logged in go into "AMD Radeon Software(The Red One)" and in the menu "Gaming > Display then under the custom color there should be a (Custom Resolutions)" then re-enable it
this was on a tv btw
thanks Joe!
A great channel with many amazing tips and tricks for your home pc / laptop setup 🥰😇👍
Love your videos
Is there a way to export firewall rules/settings from Bitdefender, and then import the rules into Windows defender, before I get rid of Bitdefender? Have been looking everywhere to no avail.
Thank you.
Can you save files you gennerate an ececutable in the sandbox to usb or storage ?
Thanks ThioJoe, time to disable all these annoying features now!
0:50 5:37 I'm running Windows 10 Pro and have Windows Hypervisor Platform enabled. It tells me Sandbox and Microsoft Application Guard can't be installed because "Virtulization support is disabled in the firmware."
9:17 Core Isolation does not exist on my OS.
you need to enable it from BIOS
@@MyVlogTubes Do you mean both the virtualization support and the core isolation?
Thanks a lot!
I am sure my computer can run Application Guard. Can you give me a check list of what I need to have set up[ first on my computer? There was a setting in the bios that was turned off when I installed Windows 11.
Good information .Stay safe
Helpful ! PS: Wallpaper Download link please ?
Mine windows 10, is greyed option s for Windows Sandbox and Windows Defender Application Guard.
I had to remove the controlled folder access because it always prevented programs from updating because they tried ti create a temp file. The thing is the location was not set up to be “guarded” by the controlled folder access and when i read the location it basically did not exist. I like the feature but that aspect made me turn it off.
Controlled Folder Access can be quite annoying. I managed to build source code in Document folder. That process involves a lot of executables. It is a nightmare to add all of it in the whitelist. I ended up doing that outside the Document folder.
It cannot do batch addition is another inconvenience. Although you can somehow do this with Group Policy, you cannot simply copy a list into the configurations.
this is going to be great!
What is the build number of windows 11 installed on your PC?
Hi, thanks for a great video.
I tried activating HVCI setting but it reported a list of incompatible driver instead.
I searched internet for a solution and found a complete solution.
For a driver with a publisher name, run "pnputil -f -d " without angled brackets, in administrator console.
For a driver without a publisher name, run autoruns (included in Sysinternals Suite, can be downloaded from Windows Store) in administrator mode, and navigate to driver tab. There you can disable loading certain drivers. Find the incompatible drivers by name in the list from the Security UI.
Now that the all incompatible drivers are either removed or inactive, you can try restarting Windows and see if it works.
Also, I have recently upgraded from Windows 11 from Windows 10, and Security UI was not opening.
If that's the case, run "Windows PowerShell" in Administrator mode, not the "Powershell" (pscore) or "Windows Terminal".
Then, run following line:
Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
for some reason running this with gsudo does not work, so you'll have to launch the powershell window in a admin mode.
Enabled all of them except controld folder access because use Bitdefender antivirus and core isolation because have incompatible drivers.
These features are probably good for security, but they also affect performance, especially perceived latency when opening files and programs. I don't care about security on my gaming computer and i want it to feel fast, so I disable Microsoft Defender altogether.
Is application guard a windows pro thing only?
If you have the Home edition you shorten pretty much the process, as the Home version doesn't feature many of these things.
Thanks Joe!
Btw, Im having problem on my window security. My "Microsoft Vulnerable Driver Blocklist is greyed out". Is it safe? If not how can I enable it?
Very helpful.
Does not Sanbox slow one's computer down noticebly, expecially with a mechanical drive? Or for some reason even CPU's - Thanks Same with Bitlocker I guess
I have win 10 pro, seems sandbox is disabled, something about disabled in the firmware on my computer. so I click on hypervisor platform but that did not help. core isolation is not supported. It seems that all windows are not equal lol.
HyperVisor is really only needed if you run Virtual Machines on your PC where you need the extra security for devices connected through a passthrough to the virtual machine.
You can activate Core isolation by regedit when it's not suported
what can I do as a local user to secure my pc?
What is PC Health Check note that appears when I check updates in Windows 10. I checked and I have the app but can't access it. Do I need this?? My PC and laptop crashed recently so I'm really scared to click on anything and it's like swimming in a shark pool sometimes