Enable ALL These Windows Security Features!
Вставка
- Опубліковано 9 чер 2024
- Check out Karma for a smart shopping experience! ⇨ shop.karmanow.com/thiojoe (Sponsored)
Here are my wallpapers I made myself ⇨ thiojoe.art/
▼ Time Stamps: ▼
0:00 - Intro
0:27 - Windows Sandbox
2:26 - Exploit Protection
4:07 - Very Good Thing
5:33 - Application Guard
7:30 - Reputation-Based Protection
9:12 - Memory Integrity
10:00 - Bitlocker Encryption
11:35 - Find My Device
11:56 - Controlled Folder Access
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬ - Наука та технологія
The windows sandbox is actually really useful! On my machine it actually had Edge installed.
It also was installed into my PC!
It's installed there by default.
@@lucky_lol and what is that? 1:27
It's not as good as an actual virtual machine though, because Sandbox does share some resources with your main Windows install in a way that could potentially have exploitable leaks.
Mine also has Edge installed
9:15 Enabling memory integrity makes VirtualBox’s performance tank. I was going through my settings one day and enabled it. A month later when I wanted to use VirtualBox again, I was confused as to why its performance was so bad. Figuring it out was not easy.
For me VirtualBox just crashes when it's on and you try to start a machine
That could explain why Java uses too much CPU in my machine
Switch to vmware
@@akali1586 I'm fairly sure that VMware had similar issues unless they recently updated in in v 16
@@twinssword VMware does perform worse when Hyper-V hypervisor is active, but it is usable.
What types of services should we stop in the service tab in Windows 10? because many services consume a lot of RAM and CPU.
Idk it's risky to go about disabling services you don't understand
You can disable the Print Spooler if you don't have a printer. I haven't had any repercussions with doing that.
If you don't want to spend much time looking up services that are safe to disable just look for ones that you know for sure you won't use like print spooler, Bluetooth or old apps that you don't use but have background services running.
Chris Titus Tech
Well,I personally think that disabling a few of them won't break your machine, I also disabled some of them and my laptop runs fine,also if you want you can change the startup type of many services to manual
You are such a huge help to those of us unable to get anyone to answer!Questions others just look
when I ask often are lost to their understanding!! Thanks for all your HELP!!♥️♥️
Thanks for the very nice recommendations!
I myself activated additionally to the ones I had the app protection in the windows features and the for the edge the guard one.
I'm in favor of dedicated and detailed videos about those features.
Okay, the Sandbox one alone is godsend. Thanks Thio.
Love this channel ever since you stopped doing satire. Such awesome videos and straight to the point information. Love you Thio! 😁
Great video as always. I like your Windows 11 theme, is it a custom theme?
Thanks ThioJoe! I'm pretty savvy but there's always one or two things I forget about, like the Core Isolation setting.
Hyper-V does not have to be enabled to use Windows Sandbox. However, virtualization does need to be enabled. Virtualization is usually disabled by default in the bios settings of most motherboard manufacturers. You can check if virtualization is enabled on your computer by opening the Task Manager, clicking on the Performance tab, and clicking on CPU. On the bottom right, it should say “Virtualization: “ and “Enabled” or “Disabled.”
The Exploit Protection at 2:26 is for using the internal Windows Defender antivirus. If that is disabled, those settings will not work. If you're using a separate antivirus, this is irrelevant, and will be controlled by the separate antivirus, and will disable Windows Defender. Same goes for Application Guard at 5:33 and Reputation Based Protection at 7:30.
HyperVisor is really only needed if you run Virtual Machines on your PC where you need the extra security for devices connected through a passthrough to the virtual machine.
2:13 ThioJoe, great rundwon on Windows Sandbox! For those wonderng, while it’s perfect for checking out files you’re unsre about, just a heads up, it’s not ideal for everything. Like, don’t expec to run high-end games or tackle sophistcated viruses in it. But for that extra piece of mind with everyday downloads, it’s pretty neat. ThioJoe’s insights are always on point, and it’s cool to see featurs like this geting highlighted.
Thanks for your sharing
Security is a teeter totter with ease of use. If you are completely secure, it's unusable and vice versa. It comes down to a balance of secure enough for everyday usability.
Excellent info... Thanks. 😎😎😀😀
Thank you Theo. Only thing you missed was to turn on System Restore which is not on by default. Be handy if an update breaks an unsupported machine yes.
Bitlocker is on laptops enabled by default (In the EU), because Microsoft is by EU law required to do everything they can to protect peoples data.
Damn, EU seems to be the only place that actually cares about peoples privacy
bitlocker is so useless
@@alexandreman8601 No without bitlocker anyone on the network can read the data of your harddrive. Furthermore if your laptop gets stolen they can read the data of your harddrive as well by plugging it in to there pc. Bitlocker blocks those 2 things.
@@alexandreman8601 do you know how it works? It's very useful
Microsoft protecting ppl data 😂
The Most useful channel on UA-cam for explaining new things on our PCs. Thank You!
I completely agree with that
Thanks a lot!
Thank you so much!
Thank you Joe
There absolutely is a thing as too much security ... when it becomes so cumbersome that you actively avoid it or cannot function in a reasonable manner then that is too much security.
Also, if it's so much security that it compromises your privacy. I chose Windows Defender as the security software on my new PC because of privacy, actually, because it's less likely MS is gathering much info from their AV when they already gather info from other places on the OS.
@@jakobfel2 Defender sends to M$ the name of every domain you visit in any browser, and the hash and filename of every binary you launch. With Defender off, OS itself does not do that.
@@BarafuAlbino If you have automatic sample submission on, yes.
MS is already getting that info through other means in the OS. I'd rather not give my data to other corpos more than I have to.
Thanks! This helped me! ❤️
Sorry my keyboard autocorrect
Awesome tutorial
Also you need to enable Virtualization in BIOS for Hyper Visor and Sandbox to be selectable in the first place.
This is kina awkward since on Ryzen having Virtualization enabled seems to interfere with using Ryzen Master for some odd reason and only let you run it. But if you're not overclocking then who cares? Also keep in mind Win10 calls it "Hyper-V," and "Hyper Visor" in Win11 in the list of Windows Features, but they are exactly the same thing. You can enable Hyper Visor with Virtualization disabled, but you're just installed a client-side app that lets you connect to a hypervisor VM being ran on another PC or server on your network.
A great channel with many amazing tips and tricks for your home pc / laptop setup 🥰😇👍
Important note for Core Isolation > Memory Integrity, If your PC isn't powerful enough, better balance your needs as it could slow your computer down. To be fair, I'm running my Windows on VM so it is so noticeable.
That Sandbox is awesome.
I'm curious about the impact on speed for applications, especially when it comes to games old and new. And ssd operations.
Always helps!
I would suggest encrypting your desktop with Bitlocker. It's no more intrusive than doing the same on your laptop. And, yes someone could break in your home to steal your desktop. Less likely, but possible. However, what's being missed here is the day you have to replace your hard drive or you sell your desktop. With full disk encryption enabled, the data is not retrievable if the disk is removed and opened on another computer or if you clear the TPM (security chip) on the desktop. Simply formatting the disk is not enough to secure the data on an unencrypted disk. But with full disk encryption, all you have to do is throw away the key and the data is no more meaningful than random junk data. That's the easiest, fastest, and most secure way to decommission old hardware (aside large shredders and acid baths).
If your motherboard dies, you're also potentially screwed, if you lose your Bitlocker key. The problem with Bitlocker, is you're at risk of being locked out of your own data due to hardware failure. Unless you have sensitive data you're taking out of your home to a public setting, there's not reason to use it. As for disposing of drive, there are many utilities, including some that are free, which will do military grade erasures. You could also take a power drill and drive holes in the drive before you dispose of it.
@@wildbill4496 if you’re making proper backups losing your computer shouldn’t be a concern.
@@disgustedluigi So you're saying you're encrypting your working drive, but not your, presumably external, backup drives? Then what's the point of encrypting anything?
@@wildbill4496 what are you talking about, you can encrypt your backups too you know. And not just with Bitlocker. A lot of DAS or NAS devices (both retail or open source DIY) have their own robust encryption and data security methods. Plus if you keep them in, say, a locked networking closet in an enclosed rack you get the added physical security as well.
@@disgustedluigi Yeah let's tell every computer owner to go out and put a safe in their house to lock up their backup drives. LOL. The problem is the same with backup drives. If you lose your encryption key and your hardware fails you are still screwed with Bitlocker. The vast majority of home consumers do not need to encrypt their drives, if they secure their home network, and encrypting their drives actually adds another potential point for data loss. Now if you have a laptop you are frequently traveling with, then yes it would be a good idea to encrypt those drives if they contain sensitive data, but you are beyond paranoid (or probably doing something illegal or living in a bad neighborhood with lots of breakins), if you feel the need to encrypt drives that stay in your home and/or don't take into public settings. Simply put for most home consumers, the risks outweigh the benefits, when it comes to encrypting drives.
Your recommendations caused my CPU temperatures to go from the high 40s to the high 90s.
thanks Joe!
Very helpful.
Excellent work and video! Too bad these features aren't on by default. Thanks for sharing
Thanks!
Love your videos
Good information .Stay safe
For the few of you, who are interested in maxing out Windows's Security, check this guide out. It's very hardcore, but high security has a price....unless you run linux of coursr
Hola Tio, thanks for the tips even though most people don't need them as they have the home versions of malware windows 10 / 11
9:20 If the Core Isolation option is not available in Windows settings despite the hardware being supported, the Virtual Machine in the BIOS is most likely disabled. To enable it, go to the motherboard BIOS and look for "SVM Mode" for AMD and "Intel (VMX) Virtualization Technology" for INTEL Systems.
Thanks ThioJoe, time to disable all these annoying features now!
For Windows Sandbox you haven't to activate the Hypervisor Platform, but "Hyper-V" (virtualization service), and to activate Hyper-V you gotta go in BIOS and make sure the virtualization is supported by CPU and motherboard and activated ;-D
Hi Theo,
Can you make a video or blog for Windows 10 to Win 11 upgrade, what all backup I need to take, just C: or whole hard drive ?
You should make a list of security tools in descriptionb(and ideally the timestamp where that topic starts)
this is going to be great!
1:30 Hi please answer! Would you copy the shortcut of the installed file? Or would you copy the installer file and install & run it in the sandbox? Or did you mean something else completely?
My wallpaper now is your "Another Failed Simulation" masterpiece
Noice
Hey Joe. can you talk about the products of Hak5?
They make normal looking USB or lightning cables that have a built in keylogger, can exectue scripts on a device, have a built in wireless access point to controll the cable from the far and many more features. A cable costs between 40 and 160 USD, which is dirt cheap for such a tool.
Would you please show such a product and teach the people about how increadibly dangerous it can be, to put in a random usb cable into a device. Most people probably don't think that a USB cable they found somewhere can be extremely dangerous.
I disable them to get more fps😎
uhh
Hmmm
Great features! I have not know about all of them! BTW - Windows PIN instead of simple password should be mentioned here. Bitlocker for all Windows devices (not laptops only) is definitely a right thing to make use of.
I make my pin larger than my use to be password. I make them alphanumeric!
You've got some great wall paper, Another Failed Simulation and Fall of Midnight.
my favorite windows security feature is installing linux /hj
windows sandbox is actually really cool though, had no idea that existed!
Bitlocker and Windows' Built-In Encryption feature is actually two distinct features, they are not mutually exclusive.
Difference?
How are they different?
Before enabling bitlocker, please be aware that if you are dual booting your machine then it's not a good idea. It might potentially corrupt the whole boot partition and you'd most likely have to reinstall windows.
The more you know! Knowledge is power! 🧠💪
I actually have enabled all of these except for Controlled Folder Access as it has so many false positives. Windows 11 in Insiders Builds also has Smart App Control (although it requires a clean install or a reset to work :( ) Edge also can disable JIT for more security (but with worse performance) if you run it normally or in Application Guard by going into Edge Settings (it was formerly known as Super Duper Secure Mode while it was in beta (I am not even kidding that was the name). Finally there are Attack Surface Reduction (ASR) rules which also requires Windows Pro edition that can increase security quite a bit
The warnings you get from Controlled Folder Access are not false positives. That is its literal job, to not allow untrusted apps to access folders. You can just go and whatever you're running to exclusions.
@@heyporange sadly with a lot of updated to even trusted programs it blocks em because of the temp files created. So you would still have to turn it off, update and then reenable
@@Damascus_Zeramas You don't have to turn it off. Just add the executable to exclusions.
@@heyporange i did and have but it always game me an error as it tried to make a temp file in an “invisible” location (not in a hidden file mind you) and it never allowed it to update. I have a long list of excluded programs and it still caused the issue. So it remains off
@@heyporange I mean I get that but it just constantly blocks apps over and over. Worst part is that some apps just give an error when they are not able to save with no chance to retry. Some installers that save shortcut to Desktop also give errors during install (so I don’t know if the program completely installed just without the shortcut or it is an incomplete install)
Helpful ! PS: Wallpaper Download link please ?
Is there a way to export firewall rules/settings from Bitdefender, and then import the rules into Windows defender, before I get rid of Bitdefender? Have been looking everywhere to no avail.
Thank you.
Love your videos why don't I get your notifications when I set it
There is a work around to install Sandbox on W10 Home, but it didn't work for me. It is listed in my programs, but it fails to initialize, when I try to open it. Also, I cannot remove it, so I ignore it. Exploit protection settings also enabled by default in 10 Home.
Wasn't there a problem with memory core isolation feature causing games slow down or something?
12:05 controlled folder access is an abandoned feature... windows doesnt even automatically whitelist games from xbox game pass that save files in documents
Personally, as a dev, i would recommend to disable SmartScreen instead. Most of the time, it is redundant as you can already guess if an app is common or not.
It also makes it harder and scarier for users to install smaller apps, and not everyone can afford to pay a very expensive license monthly or yearly. This is just a measure that hurts smaller devs a little while it is pretty much useless against malwares anyways.
If you're developing in compiled languages, it can also be very annoying to allow your own compiled app to run each time.
I am sure my computer can run Application Guard. Can you give me a check list of what I need to have set up[ first on my computer? There was a setting in the bios that was turned off when I installed Windows 11.
Hey, Joe! I wanna know ... how to make Windows Explorer ALWAYS show ... details! Windows insists on showing icons and even if I tell it details and go to a different folder, icons again. Why does it default to icons and how can I force it to default to details? I've tried the trick where you set up the window as you like and tell it to make all windows look like that, but it doesn't take. Help!
Video about turning of windows telemetry in win 11 would be useful
0:50 5:37 I'm running Windows 10 Pro and have Windows Hypervisor Platform enabled. It tells me Sandbox and Microsoft Application Guard can't be installed because "Virtulization support is disabled in the firmware."
9:17 Core Isolation does not exist on my OS.
Core Integrity is actually a feature introduced in Windows 11 that I really liked. So, thanks for reminding me to activate it!
Does not Sanbox slow one's computer down noticebly, expecially with a mechanical drive? Or for some reason even CPU's - Thanks Same with Bitlocker I guess
I’m using windows 11 pro BUT there is no “phishing protection” under “reputation-based protection”, can you tell me why? I would appreciate your help as it’s quite puzzling at the moment! Thanks!
Windows sandbox needs virtualization techology enabled in bios?
Thank you ThioJoe! Much appreciated 👍
Thanks Joe!
Btw, Im having problem on my window security. My "Microsoft Vulnerable Driver Blocklist is greyed out". Is it safe? If not how can I enable it?
I had to remove the controlled folder access because it always prevented programs from updating because they tried ti create a temp file. The thing is the location was not set up to be “guarded” by the controlled folder access and when i read the location it basically did not exist. I like the feature but that aspect made me turn it off.
I had heard that Windows 11 requires you to use a Microsoft account, but you referred to using a local account in your video. That is good news!
on win 10 pro 21H1 all exploit protection were all enabled except for image randomization
The ONLY security I absolutely NEED: Preventing Microshaft's system destroyer updates!
All my software wiped, all software certifications gone, and none of my sites recognized me.
Took me 4 days to resume working! That was on a latest model Asus Zenbook. that perfectly until the update.
What is PC Health Check note that appears when I check updates in Windows 10. I checked and I have the app but can't access it. Do I need this?? My PC and laptop crashed recently so I'm really scared to click on anything and it's like swimming in a shark pool sometimes
Hello Thio
I can't check the box for Microsoft Defender Application Guard, it says:
"Windows Defender Application Guard cannot be installed: Virtualization support is disabled in firmware"
how can I fix that
Thanks
@ThioJoe, is it me or does the Airline Pilot Kelsey from "74 Gear" youtube channel have very similar mannerism to yours.
I couldnt put my finger on it but i always had a feeling that he was reminding me of someone, and recently i realised it was Thio.
Anyone else thinks so?
I suggested a Windows sandbox. Not sure if I was the only one but I suggested it at least. I was a member of the insider. Not now tho after Windows 11.
I cant get the Sandbox to work at all. Everything is installed but when i type "sandbox" from the start menu it has no idea what I'm talking about and does a Bing search for it. Does this not work on Ryzen PCs and Windows 10? I have Virtualization enabled in BIOS, Hyper-V installed (management tools and platform and all items under them), and Windows Sandbox checked.. but it's just NO WHERE to be found. What am I missing?
3:11 Force randomization for images (Mandatory ASLR)
Can you save files you gennerate an ececutable in the sandbox to usb or storage ?
Enabled all of them except controld folder access because use Bitdefender antivirus and core isolation because have incompatible drivers.
Controlled Folder Access can be quite annoying. I managed to build source code in Document folder. That process involves a lot of executables. It is a nightmare to add all of it in the whitelist. I ended up doing that outside the Document folder.
It cannot do batch addition is another inconvenience. Although you can somehow do this with Group Policy, you cannot simply copy a list into the configurations.
Windows sandbox and the windows application guard are faded and I cannot enable them. It says virtualization support is disabled in the firmware.
does anyone know how he made the windows 11 start menu look so much nicer/what program?
I have win 10 pro, seems sandbox is disabled, something about disabled in the firmware on my computer. so I click on hypervisor platform but that did not help. core isolation is not supported. It seems that all windows are not equal lol.
Controlled Folder Access coulda been real useful if it allowed modifications of the protected directories
Not a good security practice I know, but for people lacking in their backups they could dedicate a library location as their "backup" for important files and let CFA protect it
how do we know there is a virus in the file when opening it in the sandbox which it has no antivirus software or anything? especially malware, they'll operate in the background. How can we tell the sandbox is infected?
I can't find MS Defender Application Guard in my Windows Features. Using Win11 Home Single Language 22H2 that came with my Lenovo Legion laptop.
You can activate Core isolation by regedit when it's not suported
What do you think about sandboxie?
Both Windows Sandbox and Application Guard won't enable, they keep saying "Virtualization support is disabled in the firmware". Like, l get Windows Sandbox, maybe l don't even have Windows Pro after all, but wb Application guard?
It was no bid deal but I had to enable virtualization support in the Motherboard bios
Mine windows 10, is greyed option s for Windows Sandbox and Windows Defender Application Guard.