Well,I personally think that disabling a few of them won't break your machine, I also disabled some of them and my laptop runs fine,also if you want you can change the startup type of many services to manual
9:15 Enabling memory integrity makes VirtualBox’s performance tank. I was going through my settings one day and enabled it. A month later when I wanted to use VirtualBox again, I was confused as to why its performance was so bad. Figuring it out was not easy.
It's not as good as an actual virtual machine though, because Sandbox does share some resources with your main Windows install in a way that could potentially have exploitable leaks.
Most people don't have Pro. I'm still using Windows 10, due to the plethora of negative remarks I've seen, pertaining to Windows 11. I'd like to make a friendly and helpful suggestion that you pitch this for Windows Home users and be a little more Windows 10 savvy. It doesn't inspire confidence when you are continually saying that you're "not sure: about features in Windows 10. You're a RU-vid presenter. If you're not sure, research it first. I hope you take on board these suggestions as constructive criticism, not admonishment. We all appreciate the efforts you've gone to but things must be relevant to "The great unwashed".
There absolutely is a thing as too much security ... when it becomes so cumbersome that you actively avoid it or cannot function in a reasonable manner then that is too much security.
Also, if it's so much security that it compromises your privacy. I chose Windows Defender as the security software on my new PC because of privacy, actually, because it's less likely MS is gathering much info from their AV when they already gather info from other places on the OS.
@@jakobfel2 Defender sends to M$ the name of every domain you visit in any browser, and the hash and filename of every binary you launch. With Defender off, OS itself does not do that.
@@BarafuAlbino If you have automatic sample submission on, yes. MS is already getting that info through other means in the OS. I'd rather not give my data to other corpos more than I have to.
A lot of the features will make your life very difficult. Micrsoft flags most programs that are not in their partner program {a paid service} as malicisous. Also it will delete the program after being downloaded. DO NOT USE BITLOCKER, unless you have 100% of your data ALWAYS syncing to the cloud, I mean ALWAYS! and you must be comfortable and mindfull of monitoring your syncing software. I have worked with 3 businesses who shut down because of bitlocker. Its a great fature, but most users, even those who consider themselves power users are not mindful enough to use the feature. If you use these setting I would suggest turn them one at a time run for a month and add the next one. Nearly all industry software do not function with one or more of these settings. This video is for personal users. These are good videos, I love watching Joe go on this journey, but his videos SEEM like he is lacking a lot of experince in using the things he is talking about. Also Joe, if you read this, you should find a local industry tech and produce training videos with them. Good money in that, companies are willing to pay 10's of thousands of dollars for yearly training.
Security is a teeter totter with ease of use. If you are completely secure, it's unusable and vice versa. It comes down to a balance of secure enough for everyday usability.
@@alexandreman8601 No without bitlocker anyone on the network can read the data of your harddrive. Furthermore if your laptop gets stolen they can read the data of your harddrive as well by plugging it in to there pc. Bitlocker blocks those 2 things.
Bitlocker is the bane of a repair technician. Customers never remember their microsoft logins. :( Still the only windows security measure that actually protects your data. Passwords don't mean a thing.
I would suggest encrypting your desktop with Bitlocker. It's no more intrusive than doing the same on your laptop. And, yes someone could break in your home to steal your desktop. Less likely, but possible. However, what's being missed here is the day you have to replace your hard drive or you sell your desktop. With full disk encryption enabled, the data is not retrievable if the disk is removed and opened on another computer or if you clear the TPM (security chip) on the desktop. Simply formatting the disk is not enough to secure the data on an unencrypted disk. But with full disk encryption, all you have to do is throw away the key and the data is no more meaningful than random junk data. That's the easiest, fastest, and most secure way to decommission old hardware (aside large shredders and acid baths).
If your motherboard dies, you're also potentially screwed, if you lose your Bitlocker key. The problem with Bitlocker, is you're at risk of being locked out of your own data due to hardware failure. Unless you have sensitive data you're taking out of your home to a public setting, there's not reason to use it. As for disposing of drive, there are many utilities, including some that are free, which will do military grade erasures. You could also take a power drill and drive holes in the drive before you dispose of it.
@@disgustedluigi So you're saying you're encrypting your working drive, but not your, presumably external, backup drives? Then what's the point of encrypting anything?
@@wildbill4496 what are you talking about, you can encrypt your backups too you know. And not just with Bitlocker. A lot of DAS or NAS devices (both retail or open source DIY) have their own robust encryption and data security methods. Plus if you keep them in, say, a locked networking closet in an enclosed rack you get the added physical security as well.
@@disgustedluigi Yeah let's tell every computer owner to go out and put a safe in their house to lock up their backup drives. LOL. The problem is the same with backup drives. If you lose your encryption key and your hardware fails you are still screwed with Bitlocker. The vast majority of home consumers do not need to encrypt their drives, if they secure their home network, and encrypting their drives actually adds another potential point for data loss. Now if you have a laptop you are frequently traveling with, then yes it would be a good idea to encrypt those drives if they contain sensitive data, but you are beyond paranoid (or probably doing something illegal or living in a bad neighborhood with lots of breakins), if you feel the need to encrypt drives that stay in your home and/or don't take into public settings. Simply put for most home consumers, the risks outweigh the benefits, when it comes to encrypting drives.
The Exploit Protection at 2:26 is for using the internal Windows Defender antivirus. If that is disabled, those settings will not work. If you're using a separate antivirus, this is irrelevant, and will be controlled by the separate antivirus, and will disable Windows Defender. Same goes for Application Guard at 5:33 and Reputation Based Protection at 7:30.
first: I tried today some Android apps and my AV raised alarm about three apps, that are infected. How can i report those apps? second: Two days ago a channel 'MetaBallStudios' got hacked. I saw this as soon it began steaming crypto ponzi scheme BS. Why is this still happening on YT?
Personally, as a dev, i would recommend to disable SmartScreen instead. Most of the time, it is redundant as you can already guess if an app is common or not. It also makes it harder and scarier for users to install smaller apps, and not everyone can afford to pay a very expensive license monthly or yearly. This is just a measure that hurts smaller devs a little while it is pretty much useless against malwares anyways. If you're developing in compiled languages, it can also be very annoying to allow your own compiled app to run each time.
@ThioJoe, is it me or does the Airline Pilot Kelsey from "74 Gear" youtube channel have very similar mannerism to yours. I couldnt put my finger on it but i always had a feeling that he was reminding me of someone, and recently i realised it was Thio. Anyone else thinks so?
6:42 broo plz. Delete egde and defender and app guard. Enable vbs boot ot secure launch with eset internet security its works with secure launch . Windows defender slow pc soo hard :/
Although this is a good video, The audience definitely needs to know which version of windows is being spoken about. is it windows 11 student edition or is it ultimate? stuff like that.
For the few of you, who are interested in maxing out Windows's Security, check this guide out. It's very hardcore, but high security has a price....unless you run linux of coursr
I actually have enabled all of these except for Controlled Folder Access as it has so many false positives. Windows 11 in Insiders Builds also has Smart App Control (although it requires a clean install or a reset to work :( ) Edge also can disable JIT for more security (but with worse performance) if you run it normally or in Application Guard by going into Edge Settings (it was formerly known as Super Duper Secure Mode while it was in beta (I am not even kidding that was the name). Finally there are Attack Surface Reduction (ASR) rules which also requires Windows Pro edition that can increase security quite a bit
The warnings you get from Controlled Folder Access are not false positives. That is its literal job, to not allow untrusted apps to access folders. You can just go and whatever you're running to exclusions.
@@heyporange sadly with a lot of updated to even trusted programs it blocks em because of the temp files created. So you would still have to turn it off, update and then reenable
@@heyporange i did and have but it always game me an error as it tried to make a temp file in an “invisible” location (not in a hidden file mind you) and it never allowed it to update. I have a long list of excluded programs and it still caused the issue. So it remains off
@@heyporange I mean I get that but it just constantly blocks apps over and over. Worst part is that some apps just give an error when they are not able to save with no chance to retry. Some installers that save shortcut to Desktop also give errors during install (so I don’t know if the program completely installed just without the shortcut or it is an incomplete install)
These features are probably good for security, but they also affect performance, especially perceived latency when opening files and programs. I don't care about security on my gaming computer and i want it to feel fast, so I disable Microsoft Defender altogether.
Important note for Core Isolation > Memory Integrity, If your PC isn't powerful enough, better balance your needs as it could slow your computer down. To be fair, I'm running my Windows on VM so it is so noticeable.
Also you need to enable Virtualization in BIOS for Hyper Visor and Sandbox to be selectable in the first place. This is kina awkward since on Ryzen having Virtualization enabled seems to interfere with using Ryzen Master for some odd reason and only let you run it. But if you're not overclocking then who cares? Also keep in mind Win10 calls it "Hyper-V," and "Hyper Visor" in Win11 in the list of Windows Features, but they are exactly the same thing. You can enable Hyper Visor with Virtualization disabled, but you're just installed a client-side app that lets you connect to a hypervisor VM being ran on another PC or server on your network.
Hyper-V does not have to be enabled to use Windows Sandbox. However, virtualization does need to be enabled. Virtualization is usually disabled by default in the bios settings of most motherboard manufacturers. You can check if virtualization is enabled on your computer by opening the Task Manager, clicking on the Performance tab, and clicking on CPU. On the bottom right, it should say “Virtualization: “ and “Enabled” or “Disabled.”
Thanks for the very nice recommendations! I myself activated additionally to the ones I had the app protection in the windows features and the for the edge the guard one.
Sandbox: I have a fresh windows 11 Pro installed. I did what you said and it would not open. Just got that gray box. I called MS tech support and they referred me to the developer and they said they only do business accounts. They said they don't support home users. So, that being said, what can I use as a 3rd party app to take the place of Sandbox?
Before enabling bitlocker, please be aware that if you are dual booting your machine then it's not a good idea. It might potentially corrupt the whole boot partition and you'd most likely have to reinstall windows.
Yes, I suppose you can't have "too much security", but what about having not enough security? Microsoft Defender Application Guard is not, in any way, shape or form, available for users of Windows 10 Home Edition. The Microsoft Defender Application Guard extensions for Chrome/Brave and Firefox and the companion app both depend completely on you having the main application program itself, which allegedly can be enabled from the Control Panel. I tried that and there isn't even a listing for Microsoft Defender Application Guard in the optional features. I can't even install it in PowerShell as an Admin, it throws an error every time I attempt it. So far, all of the Microsoft-specific documentation I have found says this is only available for Windows 10 Professional, Windows 10 Enterprise, Windows 10 Education for "certain configurations" and Windows 11. I don't know exactly how necessary these apps are, but considering that I'm not in any position to pay money I don't have to Microsoft for an upgrade nor am I ready to migrate to Windows 11 at this time, I think it's safe to say that I will likely never be able to find out. So, if this is absolutely critical to have, I'm not gonna have it, full stop. Unless ThioJoe or somebody else can instruct me on how to get these features installed and working properly in Windows 10 Home, that is.
When searching for a feature, type it _exactly_ as Joe shows you. Windows is dumb. It won't even suggest something if you make a typo or leave out a hyphen.
Thank you Theo. Only thing you missed was to turn on System Restore which is not on by default. Be handy if an update breaks an unsupported machine yes.
Note that you don’t want to install windows sandbox if you’re using other virtual machines. It has compatibility issues with Vmware workstations and probably also with other virtual machines. And what’s the point of having two virtual machines?
For Windows Sandbox you haven't to activate the Hypervisor Platform, but "Hyper-V" (virtualization service), and to activate Hyper-V you gotta go in BIOS and make sure the virtualization is supported by CPU and motherboard and activated ;-D
2 года назад
Hey Joe. can you talk about the products of Hak5? They make normal looking USB or lightning cables that have a built in keylogger, can exectue scripts on a device, have a built in wireless access point to controll the cable from the far and many more features. A cable costs between 40 and 160 USD, which is dirt cheap for such a tool. Would you please show such a product and teach the people about how increadibly dangerous it can be, to put in a random usb cable into a device. Most people probably don't think that a USB cable they found somewhere can be extremely dangerous.
The ONLY security I absolutely NEED: Preventing Microshaft's system destroyer updates! All my software wiped, all software certifications gone, and none of my sites recognized me. Took me 4 days to resume working! That was on a latest model Asus Zenbook. that perfectly until the update.
Both Windows Sandbox and Application Guard won't enable, they keep saying "Virtualization support is disabled in the firmware". Like, l get Windows Sandbox, maybe l don't even have Windows Pro after all, but wb Application guard?
Great features! I have not know about all of them! BTW - Windows PIN instead of simple password should be mentioned here. Bitlocker for all Windows devices (not laptops only) is definitely a right thing to make use of.
Hardware Benchmarking Windows Vista to 8: What's your Windows Experience Index (WinSAT) score for Aero? Windows 10 to 11: What's your Windows Hardware Security Capability Score? (I just called it score for the Not Supported, Standard, Enhanced, and Secured-core messages). What's the fastest now turned what's the most secure. Times changed...
After the restart, my Windows 11 Pro messaged me that something went wrong. It backed out the Sandbox update and 'blanked' the box out next to the sandbox option (removed my check). My Version of Windows 11 Pro came with my new Dell in May 2023.
I cant get the Sandbox to work at all. Everything is installed but when i type "sandbox" from the start menu it has no idea what I'm talking about and does a Bing search for it. Does this not work on Ryzen PCs and Windows 10? I have Virtualization enabled in BIOS, Hyper-V installed (management tools and platform and all items under them), and Windows Sandbox checked.. but it's just NO WHERE to be found. What am I missing?
Is there a way to export firewall rules/settings from Bitdefender, and then import the rules into Windows defender, before I get rid of Bitdefender? Have been looking everywhere to no avail. Thank you.
Wow. I just slided through timeline to see if there is anything actually interesting/useful to me, > "very good thing" > Hmmmmm what is that *Watches the ad thinking where is the "very good thing"* *Realizes it is just timeline bait* >:O
What is PC Health Check note that appears when I check updates in Windows 10. I checked and I have the app but can't access it. Do I need this?? My PC and laptop crashed recently so I'm really scared to click on anything and it's like swimming in a shark pool sometimes
On a win11 VM I tried to delete stuff you have not delete yet I think it’s called something/ram/cpu/info/winprotect/firewall/something I forgot the whole Path anyways when you delete this a lot of things happen
There's no such thing as secure in windows 8 and up. Microsoft always has a back door. Yes, it is possible to make windows 10 secure ish; however, using these features isn't even a way of securing windows. Starting with windows 8, windows is only meant to sell data like facebook and google does.
I have win 10 pro, seems sandbox is disabled, something about disabled in the firmware on my computer. so I click on hypervisor platform but that did not help. core isolation is not supported. It seems that all windows are not equal lol.
Its bullshit: many PCs are absolutely outdated and all this features will slow them down completely. For 99% only 1 really good option is aviable - good antivirus.
how do we know there is a virus in the file when opening it in the sandbox which it has no antivirus software or anything? especially malware, they'll operate in the background. How can we tell the sandbox is infected?
i think this is one of your lazier efforts. too many "i'm not sure/i don't know"s when you could have just did a basic search online if you didn't have the patience/time to test and confirm it yourself. it would have been more useful if you actually DID spend the time on each feature instead of giving people a vague sense of uncertainty how useful any one of these is with the minimal level of details you provided.
My core isolation says it's managed by my administrator. Well, I'M the administrator of my personal device--so what gives? Who is this administrator that won't let me enable it?
Always gives a lot of trust when someone tells you ... yea, not sure, you may try an enable of disable when in doesn't work.... don;t follow this guys' 'advice'
12:05 controlled folder access is an abandoned feature... windows doesnt even automatically whitelist games from xbox game pass that save files in documents
yay, more completely unnecessary security options. does anyone here ever have a virus, or malware or literally anything that *wasnt* the result fo your own stupidity? i literally never had a single security issue that wasnt due to my own stupidity, and even then, they were largely harmless and useless in the end for anything actually dangerous. windows security, to me, is a vastly overblown issue.
When I type "Ransomware Protection" it says that my it administration has limited my acces, is this normal because this isnt a work computer or anything. Can someone please help
I suggested a Windows sandbox. Not sure if I was the only one but I suggested it at least. I was a member of the insider. Not now tho after Windows 11.