It's not as good as an actual virtual machine though, because Sandbox does share some resources with your main Windows install in a way that could potentially have exploitable leaks.
9:15 Enabling memory integrity makes VirtualBox’s performance tank. I was going through my settings one day and enabled it. A month later when I wanted to use VirtualBox again, I was confused as to why its performance was so bad. Figuring it out was not easy.
Well,I personally think that disabling a few of them won't break your machine, I also disabled some of them and my laptop runs fine,also if you want you can change the startup type of many services to manual
The Exploit Protection at 2:26 is for using the internal Windows Defender antivirus. If that is disabled, those settings will not work. If you're using a separate antivirus, this is irrelevant, and will be controlled by the separate antivirus, and will disable Windows Defender. Same goes for Application Guard at 5:33 and Reputation Based Protection at 7:30.
@@alexandreman8601 No without bitlocker anyone on the network can read the data of your harddrive. Furthermore if your laptop gets stolen they can read the data of your harddrive as well by plugging it in to there pc. Bitlocker blocks those 2 things.
Important note for Core Isolation > Memory Integrity, If your PC isn't powerful enough, better balance your needs as it could slow your computer down. To be fair, I'm running my Windows on VM so it is so noticeable.
Thanks for the very nice recommendations! I myself activated additionally to the ones I had the app protection in the windows features and the for the edge the guard one.
Hyper-V does not have to be enabled to use Windows Sandbox. However, virtualization does need to be enabled. Virtualization is usually disabled by default in the bios settings of most motherboard manufacturers. You can check if virtualization is enabled on your computer by opening the Task Manager, clicking on the Performance tab, and clicking on CPU. On the bottom right, it should say “Virtualization: “ and “Enabled” or “Disabled.”
There absolutely is a thing as too much security ... when it becomes so cumbersome that you actively avoid it or cannot function in a reasonable manner then that is too much security.
Also, if it's so much security that it compromises your privacy. I chose Windows Defender as the security software on my new PC because of privacy, actually, because it's less likely MS is gathering much info from their AV when they already gather info from other places on the OS.
@@jakobfel2 Defender sends to M$ the name of every domain you visit in any browser, and the hash and filename of every binary you launch. With Defender off, OS itself does not do that.
@@BarafuAlbino If you have automatic sample submission on, yes. MS is already getting that info through other means in the OS. I'd rather not give my data to other corpos more than I have to.
I would suggest encrypting your desktop with Bitlocker. It's no more intrusive than doing the same on your laptop. And, yes someone could break in your home to steal your desktop. Less likely, but possible. However, what's being missed here is the day you have to replace your hard drive or you sell your desktop. With full disk encryption enabled, the data is not retrievable if the disk is removed and opened on another computer or if you clear the TPM (security chip) on the desktop. Simply formatting the disk is not enough to secure the data on an unencrypted disk. But with full disk encryption, all you have to do is throw away the key and the data is no more meaningful than random junk data. That's the easiest, fastest, and most secure way to decommission old hardware (aside large shredders and acid baths).
If your motherboard dies, you're also potentially screwed, if you lose your Bitlocker key. The problem with Bitlocker, is you're at risk of being locked out of your own data due to hardware failure. Unless you have sensitive data you're taking out of your home to a public setting, there's not reason to use it. As for disposing of drive, there are many utilities, including some that are free, which will do military grade erasures. You could also take a power drill and drive holes in the drive before you dispose of it.
@@disgustedluigi So you're saying you're encrypting your working drive, but not your, presumably external, backup drives? Then what's the point of encrypting anything?
@@wildbill4496 what are you talking about, you can encrypt your backups too you know. And not just with Bitlocker. A lot of DAS or NAS devices (both retail or open source DIY) have their own robust encryption and data security methods. Plus if you keep them in, say, a locked networking closet in an enclosed rack you get the added physical security as well.
@@disgustedluigi Yeah let's tell every computer owner to go out and put a safe in their house to lock up their backup drives. LOL. The problem is the same with backup drives. If you lose your encryption key and your hardware fails you are still screwed with Bitlocker. The vast majority of home consumers do not need to encrypt their drives, if they secure their home network, and encrypting their drives actually adds another potential point for data loss. Now if you have a laptop you are frequently traveling with, then yes it would be a good idea to encrypt those drives if they contain sensitive data, but you are beyond paranoid (or probably doing something illegal or living in a bad neighborhood with lots of breakins), if you feel the need to encrypt drives that stay in your home and/or don't take into public settings. Simply put for most home consumers, the risks outweigh the benefits, when it comes to encrypting drives.
Security is a teeter totter with ease of use. If you are completely secure, it's unusable and vice versa. It comes down to a balance of secure enough for everyday usability.
Thank you Theo. Only thing you missed was to turn on System Restore which is not on by default. Be handy if an update breaks an unsupported machine yes.
@ThioJoe, is it me or does the Airline Pilot Kelsey from "74 Gear" youtube channel have very similar mannerism to yours. I couldnt put my finger on it but i always had a feeling that he was reminding me of someone, and recently i realised it was Thio. Anyone else thinks so?
For the few of you, who are interested in maxing out Windows's Security, check this guide out. It's very hardcore, but high security has a price....unless you run linux of coursr
2:13 ThioJoe, great rundwon on Windows Sandbox! For those wonderng, while it’s perfect for checking out files you’re unsre about, just a heads up, it’s not ideal for everything. Like, don’t expec to run high-end games or tackle sophistcated viruses in it. But for that extra piece of mind with everyday downloads, it’s pretty neat. ThioJoe’s insights are always on point, and it’s cool to see featurs like this geting highlighted.
Personally, as a dev, i would recommend to disable SmartScreen instead. Most of the time, it is redundant as you can already guess if an app is common or not. It also makes it harder and scarier for users to install smaller apps, and not everyone can afford to pay a very expensive license monthly or yearly. This is just a measure that hurts smaller devs a little while it is pretty much useless against malwares anyways. If you're developing in compiled languages, it can also be very annoying to allow your own compiled app to run each time.
Most people don't have Pro. I'm still using Windows 10, due to the plethora of negative remarks I've seen, pertaining to Windows 11. I'd like to make a friendly and helpful suggestion that you pitch this for Windows Home users and be a little more Windows 10 savvy. It doesn't inspire confidence when you are continually saying that you're "not sure: about features in Windows 10. You're a RUclips presenter. If you're not sure, research it first. I hope you take on board these suggestions as constructive criticism, not admonishment. We all appreciate the efforts you've gone to but things must be relevant to "The great unwashed".
6:42 broo plz. Delete egde and defender and app guard. Enable vbs boot ot secure launch with eset internet security its works with secure launch . Windows defender slow pc soo hard :/
Before enabling bitlocker, please be aware that if you are dual booting your machine then it's not a good idea. It might potentially corrupt the whole boot partition and you'd most likely have to reinstall windows.
I actually have enabled all of these except for Controlled Folder Access as it has so many false positives. Windows 11 in Insiders Builds also has Smart App Control (although it requires a clean install or a reset to work :( ) Edge also can disable JIT for more security (but with worse performance) if you run it normally or in Application Guard by going into Edge Settings (it was formerly known as Super Duper Secure Mode while it was in beta (I am not even kidding that was the name). Finally there are Attack Surface Reduction (ASR) rules which also requires Windows Pro edition that can increase security quite a bit
The warnings you get from Controlled Folder Access are not false positives. That is its literal job, to not allow untrusted apps to access folders. You can just go and whatever you're running to exclusions.
@@heyporange sadly with a lot of updated to even trusted programs it blocks em because of the temp files created. So you would still have to turn it off, update and then reenable
@@heyporange i did and have but it always game me an error as it tried to make a temp file in an “invisible” location (not in a hidden file mind you) and it never allowed it to update. I have a long list of excluded programs and it still caused the issue. So it remains off
@@heyporange I mean I get that but it just constantly blocks apps over and over. Worst part is that some apps just give an error when they are not able to save with no chance to retry. Some installers that save shortcut to Desktop also give errors during install (so I don’t know if the program completely installed just without the shortcut or it is an incomplete install)
Also you need to enable Virtualization in BIOS for Hyper Visor and Sandbox to be selectable in the first place. This is kina awkward since on Ryzen having Virtualization enabled seems to interfere with using Ryzen Master for some odd reason and only let you run it. But if you're not overclocking then who cares? Also keep in mind Win10 calls it "Hyper-V," and "Hyper Visor" in Win11 in the list of Windows Features, but they are exactly the same thing. You can enable Hyper Visor with Virtualization disabled, but you're just installed a client-side app that lets you connect to a hypervisor VM being ran on another PC or server on your network.
Although this is a good video, The audience definitely needs to know which version of windows is being spoken about. is it windows 11 student edition or is it ultimate? stuff like that.
Bitlocker is the bane of a repair technician. Customers never remember their microsoft logins. :( Still the only windows security measure that actually protects your data. Passwords don't mean a thing.
Great video as always. I like your Windows 11 theme, is it a custom theme?
2 года назад+1
Hey Joe. can you talk about the products of Hak5? They make normal looking USB or lightning cables that have a built in keylogger, can exectue scripts on a device, have a built in wireless access point to controll the cable from the far and many more features. A cable costs between 40 and 160 USD, which is dirt cheap for such a tool. Would you please show such a product and teach the people about how increadibly dangerous it can be, to put in a random usb cable into a device. Most people probably don't think that a USB cable they found somewhere can be extremely dangerous.
Great features! I have not know about all of them! BTW - Windows PIN instead of simple password should be mentioned here. Bitlocker for all Windows devices (not laptops only) is definitely a right thing to make use of.
For Windows Sandbox you haven't to activate the Hypervisor Platform, but "Hyper-V" (virtualization service), and to activate Hyper-V you gotta go in BIOS and make sure the virtualization is supported by CPU and motherboard and activated ;-D
Just an FYI to anyone who uses cracked software. Dont turn on the majority of these settings because Windows will erase the activator/cracking software. An easy way to enable security AND have those tools on your machine is to convert your folder into a winrar or winzip archive and add it to MS security exclusions list. I cant tell you how many times I've had to re-download something because windows saw it as a threat. By the way Brave is the best browser in the world!
12:05 controlled folder access is an abandoned feature... windows doesnt even automatically whitelist games from xbox game pass that save files in documents
The ONLY security I absolutely NEED: Preventing Microshaft's system destroyer updates! All my software wiped, all software certifications gone, and none of my sites recognized me. Took me 4 days to resume working! That was on a latest model Asus Zenbook. that perfectly until the update.
Note that you don’t want to install windows sandbox if you’re using other virtual machines. It has compatibility issues with Vmware workstations and probably also with other virtual machines. And what’s the point of having two virtual machines?
These features are probably good for security, but they also affect performance, especially perceived latency when opening files and programs. I don't care about security on my gaming computer and i want it to feel fast, so I disable Microsoft Defender altogether.
9:20 If the Core Isolation option is not available in Windows settings despite the hardware being supported, the Virtual Machine in the BIOS is most likely disabled. To enable it, go to the motherboard BIOS and look for "SVM Mode" for AMD and "Intel (VMX) Virtualization Technology" for INTEL Systems.
for those are using AMD custom resolution before enabling the "Windows-Sandbox" just in case because for some reason when i had the custom AMD Resolution on after i enabled the windows sandbox my display was messed up for example the display was offscreen somewhat but after i deleted my display and re-created it it was working completely fine now it just needed a refresh. 1. disable your custom resolution first from the "AMD Radeon Software (The Red One)" "Gaming > Display (Custom Resolutions)" 2. then enable "Windows-Sandbox" then restart your computer 3. then once done and logged in go into "AMD Radeon Software(The Red One)" and in the menu "Gaming > Display then under the custom color there should be a (Custom Resolutions)" then re-enable it
1:30 Hi please answer! Would you copy the shortcut of the installed file? Or would you copy the installer file and install & run it in the sandbox? Or did you mean something else completely?
I suggested a Windows sandbox. Not sure if I was the only one but I suggested it at least. I was a member of the insider. Not now tho after Windows 11.
Careful with exploit protection! Chances are, if a toggle is disabled by default there's a reason for it. Be weary of issues and worse stability if you don't know much about what each toggle does or what its risks are
It would be good to include a warning before the application guard stuff. I put the browser extension on while watching this, and it stops you browsing if you don't have the application guard companion app also installed. BUT that companion app forces you to put your windows account on windows instead of just having a user account. It also can screw with your options if you don't have genuine windows. It disabled dark mode for me, and now my browser is in light mode because chrome was using windows dark mode to determine its colour scheme. That's literally the behaviour of malware, the exact thing this video is meant to be stopping. Please include warnings like that in future.
Update: it screwed my windows dark mode, and it no longer worked because I don't have genuine windows. I had to regedit to get it back: Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize appsuselighttheme 0 For anyone who has the same problem.
Controlled Folder Access coulda been real useful if it allowed modifications of the protected directories Not a good security practice I know, but for people lacking in their backups they could dedicate a library location as their "backup" for important files and let CFA protect it
I had to remove the controlled folder access because it always prevented programs from updating because they tried ti create a temp file. The thing is the location was not set up to be “guarded” by the controlled folder access and when i read the location it basically did not exist. I like the feature but that aspect made me turn it off.
Pro Tip: use system image software like Acronis True Image and set it up to update a master image of your complete system "on event " I choose startup Get infected NP remove or turn off internet access 1st reboot and install fresh copy of windows 2nd install Acronis ..I was prompted with a message that the software had found an image restore point ( on local disc hopefully you did not wipe to install new copy of windows ...this would be bad ..for redundancy I copy weekly versions of my system image to external thumb nail drive or memory card and set up Acronis to write the back up in 699MB blocks so if I ever felt the need I could make CDRW disc copy's of the system ) and asked if i would like to load from it ? YES I WOULD ... depending on the size of the back up image ( encryption options vary this size) the last time I had to use it 45min later everything was as I had left it ..100% exactly the same every setting in windows every doc, shortcut ....everything and the best part is this is before the infection so no worries of quarantined files ect. I would reset passwords as a extra step just for safe measure Another damming and time saving (before a remote control attack of your system can be used ) option is to shut off ( disable or remove windows features) remote access to your PC through windows features .. those pestkey scammers will have no idea what the hell is going on and why they can not connect remotely to your PC ..this will hopefully make you realize something shady is about to go down and you can terminate the connection ..My favorite method of this is to disable any network adapters not in use by my connection ... So if you are pugged in via ethernet ( hopefully :) -) disable the WIFY at the hardware level through windows .. and if ya think something is weird or you are locked out of your keyboard and mouse I just pull the plug litterly unplug the network ethernet cable and Wi-Fi will not auto connect and hard power down the PC .. I feel this is good for me ( my opinion) and a better trade for system resources with my particular PC builds and usage thus far .. Also I had a psychical HDD fail replaced the hardware and went through the steps for mentioned back up and running in less then 1 hour.. hope this info helps someone protect their data and when used with windows features you should have no problems ... Be safe and stop looking at porn ...that is where ya get PC VD ....
A lot of the features will make your life very difficult. Micrsoft flags most programs that are not in their partner program {a paid service} as malicisous. Also it will delete the program after being downloaded. DO NOT USE BITLOCKER, unless you have 100% of your data ALWAYS syncing to the cloud, I mean ALWAYS! and you must be comfortable and mindfull of monitoring your syncing software. I have worked with 3 businesses who shut down because of bitlocker. Its a great fature, but most users, even those who consider themselves power users are not mindful enough to use the feature. If you use these setting I would suggest turn them one at a time run for a month and add the next one. Nearly all industry software do not function with one or more of these settings. This video is for personal users. These are good videos, I love watching Joe go on this journey, but his videos SEEM like he is lacking a lot of experince in using the things he is talking about. Also Joe, if you read this, you should find a local industry tech and produce training videos with them. Good money in that, companies are willing to pay 10's of thousands of dollars for yearly training.
Sandbox: I have a fresh windows 11 Pro installed. I did what you said and it would not open. Just got that gray box. I called MS tech support and they referred me to the developer and they said they only do business accounts. They said they don't support home users. So, that being said, what can I use as a 3rd party app to take the place of Sandbox?
Is there a way to export firewall rules/settings from Bitdefender, and then import the rules into Windows defender, before I get rid of Bitdefender? Have been looking everywhere to no avail. Thank you.
Thanks Joe! Btw, Im having problem on my window security. My "Microsoft Vulnerable Driver Blocklist is greyed out". Is it safe? If not how can I enable it?
1:02 keeps saying "virtualization support is disabled in the firmware", says the same thing for the application guard (Yes, my pc is a windows 10 pro and i enabled windows hypervisor platform)
![Jack Harlow - Hello Miss Johnson [Official Music Video]](http://i.ytimg.com/vi/Q86_nlRoIGw/mqdefault.jpg)
The windows sandbox is actually really useful! On my machine it actually had Edge installed.
It also was installed into my PC!
It's installed there by default.
@@lucky_lol and what is that? 1:27
It's not as good as an actual virtual machine though, because Sandbox does share some resources with your main Windows install in a way that could potentially have exploitable leaks.
Mine also has Edge installed
9:15 Enabling memory integrity makes VirtualBox’s performance tank. I was going through my settings one day and enabled it. A month later when I wanted to use VirtualBox again, I was confused as to why its performance was so bad. Figuring it out was not easy.
For me VirtualBox just crashes when it's on and you try to start a machine
That could explain why Java uses too much CPU in my machine
Switch to vmware
@@Ivedotwav I'm fairly sure that VMware had similar issues unless they recently updated in in v 16
@@twinssword VMware does perform worse when Hyper-V hypervisor is active, but it is usable.
What types of services should we stop in the service tab in Windows 10? because many services consume a lot of RAM and CPU.
Idk it's risky to go about disabling services you don't understand
You can disable the Print Spooler if you don't have a printer. I haven't had any repercussions with doing that.
Chris Titus Tech
Well,I personally think that disabling a few of them won't break your machine, I also disabled some of them and my laptop runs fine,also if you want you can change the startup type of many services to manual
@@koosschutter1675 TBH his script doesn't make much difference, I tried it, it's okay but not that great
I'm in favor of dedicated and detailed videos about those features.
The Exploit Protection at 2:26 is for using the internal Windows Defender antivirus. If that is disabled, those settings will not work. If you're using a separate antivirus, this is irrelevant, and will be controlled by the separate antivirus, and will disable Windows Defender. Same goes for Application Guard at 5:33 and Reputation Based Protection at 7:30.
I disable them to get more fps😎
uhh
Hmmm
Yeah gotta make sure that free FPS tweaker download works
Bitlocker is on laptops enabled by default (In the EU), because Microsoft is by EU law required to do everything they can to protect peoples data.
Damn, EU seems to be the only place that actually cares about peoples privacy
bitlocker is so useless
@@alexandreman8601 No without bitlocker anyone on the network can read the data of your harddrive. Furthermore if your laptop gets stolen they can read the data of your harddrive as well by plugging it in to there pc. Bitlocker blocks those 2 things.
@@alexandreman8601 do you know how it works? It's very useful
Microsoft protecting ppl data 😂
Important note for Core Isolation > Memory Integrity, If your PC isn't powerful enough, better balance your needs as it could slow your computer down. To be fair, I'm running my Windows on VM so it is so noticeable.
Okay, the Sandbox one alone is godsend. Thanks Thio.
Thanks for the very nice recommendations!
I myself activated additionally to the ones I had the app protection in the windows features and the for the edge the guard one.
Hyper-V does not have to be enabled to use Windows Sandbox. However, virtualization does need to be enabled. Virtualization is usually disabled by default in the bios settings of most motherboard manufacturers. You can check if virtualization is enabled on your computer by opening the Task Manager, clicking on the Performance tab, and clicking on CPU. On the bottom right, it should say “Virtualization: “ and “Enabled” or “Disabled.”
Love this channel ever since you stopped doing satire. Such awesome videos and straight to the point information. Love you Thio! 😁
There absolutely is a thing as too much security ... when it becomes so cumbersome that you actively avoid it or cannot function in a reasonable manner then that is too much security.
Also, if it's so much security that it compromises your privacy. I chose Windows Defender as the security software on my new PC because of privacy, actually, because it's less likely MS is gathering much info from their AV when they already gather info from other places on the OS.
@@jakobfel2 Defender sends to M$ the name of every domain you visit in any browser, and the hash and filename of every binary you launch. With Defender off, OS itself does not do that.
@@BarafuAlbino If you have automatic sample submission on, yes.
MS is already getting that info through other means in the OS. I'd rather not give my data to other corpos more than I have to.
I would suggest encrypting your desktop with Bitlocker. It's no more intrusive than doing the same on your laptop. And, yes someone could break in your home to steal your desktop. Less likely, but possible. However, what's being missed here is the day you have to replace your hard drive or you sell your desktop. With full disk encryption enabled, the data is not retrievable if the disk is removed and opened on another computer or if you clear the TPM (security chip) on the desktop. Simply formatting the disk is not enough to secure the data on an unencrypted disk. But with full disk encryption, all you have to do is throw away the key and the data is no more meaningful than random junk data. That's the easiest, fastest, and most secure way to decommission old hardware (aside large shredders and acid baths).
If your motherboard dies, you're also potentially screwed, if you lose your Bitlocker key. The problem with Bitlocker, is you're at risk of being locked out of your own data due to hardware failure. Unless you have sensitive data you're taking out of your home to a public setting, there's not reason to use it. As for disposing of drive, there are many utilities, including some that are free, which will do military grade erasures. You could also take a power drill and drive holes in the drive before you dispose of it.
@@wildbill4496 if you’re making proper backups losing your computer shouldn’t be a concern.
@@disgustedluigi So you're saying you're encrypting your working drive, but not your, presumably external, backup drives? Then what's the point of encrypting anything?
@@wildbill4496 what are you talking about, you can encrypt your backups too you know. And not just with Bitlocker. A lot of DAS or NAS devices (both retail or open source DIY) have their own robust encryption and data security methods. Plus if you keep them in, say, a locked networking closet in an enclosed rack you get the added physical security as well.
@@disgustedluigi Yeah let's tell every computer owner to go out and put a safe in their house to lock up their backup drives. LOL. The problem is the same with backup drives. If you lose your encryption key and your hardware fails you are still screwed with Bitlocker. The vast majority of home consumers do not need to encrypt their drives, if they secure their home network, and encrypting their drives actually adds another potential point for data loss. Now if you have a laptop you are frequently traveling with, then yes it would be a good idea to encrypt those drives if they contain sensitive data, but you are beyond paranoid (or probably doing something illegal or living in a bad neighborhood with lots of breakins), if you feel the need to encrypt drives that stay in your home and/or don't take into public settings. Simply put for most home consumers, the risks outweigh the benefits, when it comes to encrypting drives.
Security is a teeter totter with ease of use. If you are completely secure, it's unusable and vice versa. It comes down to a balance of secure enough for everyday usability.
Thank you Theo. Only thing you missed was to turn on System Restore which is not on by default. Be handy if an update breaks an unsupported machine yes.
The Most useful channel on RUclips for explaining new things on our PCs. Thank You!
I completely agree with that
@ThioJoe, is it me or does the Airline Pilot Kelsey from "74 Gear" youtube channel have very similar mannerism to yours.
I couldnt put my finger on it but i always had a feeling that he was reminding me of someone, and recently i realised it was Thio.
Anyone else thinks so?
For the few of you, who are interested in maxing out Windows's Security, check this guide out. It's very hardcore, but high security has a price....unless you run linux of coursr
2:13 ThioJoe, great rundwon on Windows Sandbox! For those wonderng, while it’s perfect for checking out files you’re unsre about, just a heads up, it’s not ideal for everything. Like, don’t expec to run high-end games or tackle sophistcated viruses in it. But for that extra piece of mind with everyday downloads, it’s pretty neat. ThioJoe’s insights are always on point, and it’s cool to see featurs like this geting highlighted.
Personally, as a dev, i would recommend to disable SmartScreen instead. Most of the time, it is redundant as you can already guess if an app is common or not.
It also makes it harder and scarier for users to install smaller apps, and not everyone can afford to pay a very expensive license monthly or yearly. This is just a measure that hurts smaller devs a little while it is pretty much useless against malwares anyways.
If you're developing in compiled languages, it can also be very annoying to allow your own compiled app to run each time.
Most people don't have Pro. I'm still using Windows 10, due to the plethora of negative remarks I've seen, pertaining to Windows 11.
I'd like to make a friendly and helpful suggestion that you pitch this for Windows Home users and be a little more Windows 10 savvy. It doesn't inspire confidence when you are continually saying that you're "not sure: about features in Windows 10. You're a RUclips presenter. If you're not sure, research it first. I hope you take on board these suggestions as constructive criticism, not admonishment. We all appreciate the efforts you've gone to but things must be relevant to "The great unwashed".
My wallpaper now is your "Another Failed Simulation" masterpiece
Noice
Extremely useful video. Thank you
6:42 broo plz. Delete egde and defender and app guard. Enable vbs boot ot secure launch with eset internet security its works with secure launch . Windows defender slow pc soo hard :/
Before enabling bitlocker, please be aware that if you are dual booting your machine then it's not a good idea. It might potentially corrupt the whole boot partition and you'd most likely have to reinstall windows.
I'm curious about the impact on speed for applications, especially when it comes to games old and new. And ssd operations.
I actually have enabled all of these except for Controlled Folder Access as it has so many false positives. Windows 11 in Insiders Builds also has Smart App Control (although it requires a clean install or a reset to work :( ) Edge also can disable JIT for more security (but with worse performance) if you run it normally or in Application Guard by going into Edge Settings (it was formerly known as Super Duper Secure Mode while it was in beta (I am not even kidding that was the name). Finally there are Attack Surface Reduction (ASR) rules which also requires Windows Pro edition that can increase security quite a bit
The warnings you get from Controlled Folder Access are not false positives. That is its literal job, to not allow untrusted apps to access folders. You can just go and whatever you're running to exclusions.
@@heyporange sadly with a lot of updated to even trusted programs it blocks em because of the temp files created. So you would still have to turn it off, update and then reenable
@@Damascus_Zeramas You don't have to turn it off. Just add the executable to exclusions.
@@heyporange i did and have but it always game me an error as it tried to make a temp file in an “invisible” location (not in a hidden file mind you) and it never allowed it to update. I have a long list of excluded programs and it still caused the issue. So it remains off
@@heyporange I mean I get that but it just constantly blocks apps over and over. Worst part is that some apps just give an error when they are not able to save with no chance to retry. Some installers that save shortcut to Desktop also give errors during install (so I don’t know if the program completely installed just without the shortcut or it is an incomplete install)
Also you need to enable Virtualization in BIOS for Hyper Visor and Sandbox to be selectable in the first place.
This is kina awkward since on Ryzen having Virtualization enabled seems to interfere with using Ryzen Master for some odd reason and only let you run it. But if you're not overclocking then who cares? Also keep in mind Win10 calls it "Hyper-V," and "Hyper Visor" in Win11 in the list of Windows Features, but they are exactly the same thing. You can enable Hyper Visor with Virtualization disabled, but you're just installed a client-side app that lets you connect to a hypervisor VM being ran on another PC or server on your network.
That Sandbox is awesome.
Although this is a good video,
The audience definitely needs to know which version of windows is being spoken about.
is it windows 11 student edition or is it ultimate?
stuff like that.
Bitlocker and Windows' Built-In Encryption feature is actually two distinct features, they are not mutually exclusive.
Difference?
How are they different?
Bitlocker is the bane of a repair technician. Customers never remember their microsoft logins. :( Still the only windows security measure that actually protects your data. Passwords don't mean a thing.
Thanks ThioJoe! I'm pretty savvy but there's always one or two things I forget about, like the Core Isolation setting.
Great video as always. I like your Windows 11 theme, is it a custom theme?
Hey Joe. can you talk about the products of Hak5?
They make normal looking USB or lightning cables that have a built in keylogger, can exectue scripts on a device, have a built in wireless access point to controll the cable from the far and many more features. A cable costs between 40 and 160 USD, which is dirt cheap for such a tool.
Would you please show such a product and teach the people about how increadibly dangerous it can be, to put in a random usb cable into a device. Most people probably don't think that a USB cable they found somewhere can be extremely dangerous.
You've got some great wall paper, Another Failed Simulation and Fall of Midnight.
Your recommendations caused my CPU temperatures to go from the high 40s to the high 90s.
Great features! I have not know about all of them! BTW - Windows PIN instead of simple password should be mentioned here. Bitlocker for all Windows devices (not laptops only) is definitely a right thing to make use of.
I make my pin larger than my use to be password. I make them alphanumeric!
Excellent work and video! Too bad these features aren't on by default. Thanks for sharing
For Windows Sandbox you haven't to activate the Hypervisor Platform, but "Hyper-V" (virtualization service), and to activate Hyper-V you gotta go in BIOS and make sure the virtualization is supported by CPU and motherboard and activated ;-D
Windows sandbox needs virtualization techology enabled in bios?
The more you know! Knowledge is power! 🧠💪
Just an FYI to anyone who uses cracked software. Dont turn on the majority of these settings because Windows will erase the activator/cracking software. An easy way to enable security AND have those tools on your machine is to convert your folder into a winrar or winzip archive and add it to MS security exclusions list. I cant tell you how many times I've had to re-download something because windows saw it as a threat. By the way Brave is the best browser in the world!
Awesome video, what software do you use for your start menu? looks kinda like the windows 10 menu.
12:05 controlled folder access is an abandoned feature... windows doesnt even automatically whitelist games from xbox game pass that save files in documents
You should make a list of security tools in descriptionb(and ideally the timestamp where that topic starts)
A great channel with many amazing tips and tricks for your home pc / laptop setup 🥰😇👍
The ONLY security I absolutely NEED: Preventing Microshaft's system destroyer updates!
All my software wiped, all software certifications gone, and none of my sites recognized me.
Took me 4 days to resume working! That was on a latest model Asus Zenbook. that perfectly until the update.
Thanks ThioJoe, time to disable all these annoying features now!
Note that you don’t want to install windows sandbox if you’re using other virtual machines. It has compatibility issues with Vmware workstations and probably also with other virtual machines. And what’s the point of having two virtual machines?
These features are probably good for security, but they also affect performance, especially perceived latency when opening files and programs. I don't care about security on my gaming computer and i want it to feel fast, so I disable Microsoft Defender altogether.
9:20 If the Core Isolation option is not available in Windows settings despite the hardware being supported, the Virtual Machine in the BIOS is most likely disabled. To enable it, go to the motherboard BIOS and look for "SVM Mode" for AMD and "Intel (VMX) Virtualization Technology" for INTEL Systems.
You need to have a CPU that supports VMware (Intel virtualization or AMD) for Windows Sandbox
All (?) modern CPUs support virtualization, but this function is disabled by default. Check your UEFI settings.
I had heard that Windows 11 requires you to use a Microsoft account, but you referred to using a local account in your video. That is good news!
Excellent info... Thanks. 😎😎😀😀
Wasn't there a problem with memory core isolation feature causing games slow down or something?
my favorite windows security feature is installing linux /hj
windows sandbox is actually really cool though, had no idea that existed!
for those are using AMD custom resolution before enabling the "Windows-Sandbox" just in case because for some reason when i had the custom AMD Resolution on after i enabled the windows sandbox my display was messed up for example the display was offscreen somewhat but after i deleted my display and re-created it it was working completely fine now it just needed a refresh.
1. disable your custom resolution first from the "AMD Radeon Software (The Red One)" "Gaming > Display (Custom Resolutions)"
2. then enable "Windows-Sandbox" then restart your computer
3. then once done and logged in go into "AMD Radeon Software(The Red One)" and in the menu "Gaming > Display then under the custom color there should be a (Custom Resolutions)" then re-enable it
this was on a tv btw
Thanks! This helped me! ❤️
Sorry my keyboard autocorrect
Some settings require correct BIOS settings to be enabled.
1:26 "If you downloaded a program that you think is kinda suspicious" **types "edge" in the search bar**
Hola Tio, thanks for the tips even though most people don't need them as they have the home versions of malware windows 10 / 11
1:30 Hi please answer! Would you copy the shortcut of the installed file? Or would you copy the installer file and install & run it in the sandbox? Or did you mean something else completely?
Core Integrity is actually a feature introduced in Windows 11 that I really liked. So, thanks for reminding me to activate it!
If you have the Home edition you shorten pretty much the process, as the Home version doesn't feature many of these things.
Awesome tutorial
Thank you Joe
this is going to be great!
Hi Theo,
Can you make a video or blog for Windows 10 to Win 11 upgrade, what all backup I need to take, just C: or whole hard drive ?
Helpful ! PS: Wallpaper Download link please ?
Thanks for your sharing
Hey Joe, really needed this. Anyways. Is Windows Sandbox propperly isolated? I mean,can I destroy it with viruses safely?
I'm also interested in the answer
Good information .Stay safe
thanks Joe!
Love your videos why don't I get your notifications when I set it
on win 10 pro 21H1 all exploit protection were all enabled except for image randomization
I suggested a Windows sandbox. Not sure if I was the only one but I suggested it at least. I was a member of the insider. Not now tho after Windows 11.
Always helps!
Love your videos
Careful with exploit protection! Chances are, if a toggle is disabled by default there's a reason for it. Be weary of issues and worse stability if you don't know much about what each toggle does or what its risks are
5:57 It does not appear in Windows 11 Home edition, so we can assume you need the Pro edition.
What do you think about sandboxie?
Thank you so much!
It would be good to include a warning before the application guard stuff.
I put the browser extension on while watching this, and it stops you browsing if you don't have the application guard companion app also installed.
BUT that companion app forces you to put your windows account on windows instead of just having a user account.
It also can screw with your options if you don't have genuine windows. It disabled dark mode for me, and now my browser is in light mode because chrome was using windows dark mode to determine its colour scheme.
That's literally the behaviour of malware, the exact thing this video is meant to be stopping.
Please include warnings like that in future.
Update: it screwed my windows dark mode, and it no longer worked because I don't have genuine windows.
I had to regedit to get it back:
Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
appsuselighttheme
0
For anyone who has the same problem.
@@lw8882 how about you get genuine windows and stop complaining? I’m sure if you actually had windows it wouldn’t be a problem lol
Controlled Folder Access coulda been real useful if it allowed modifications of the protected directories
Not a good security practice I know, but for people lacking in their backups they could dedicate a library location as their "backup" for important files and let CFA protect it
I had to remove the controlled folder access because it always prevented programs from updating because they tried ti create a temp file. The thing is the location was not set up to be “guarded” by the controlled folder access and when i read the location it basically did not exist. I like the feature but that aspect made me turn it off.
Pro Tip: use system image software like Acronis True Image and set it up to update a master image of your complete system "on event " I choose startup Get infected NP remove or turn off internet access 1st reboot and install fresh copy of windows 2nd install Acronis ..I was prompted with a message that the software had found an image restore point ( on local disc hopefully you did not wipe to install new copy of windows ...this would be bad ..for redundancy I copy weekly versions of my system image to external thumb nail drive or memory card and set up Acronis to write the back up in 699MB blocks so if I ever felt the need I could make CDRW disc copy's of the system ) and asked if i would like to load from it ? YES I WOULD ... depending on the size of the back up image ( encryption options vary this size) the last time I had to use it 45min later everything was as I had left it ..100% exactly the same every setting in windows every doc, shortcut ....everything and the best part is this is before the infection so no worries of quarantined files ect. I would reset passwords as a extra step just for safe measure Another damming and time saving (before a remote control attack of your system can be used ) option is to shut off ( disable or remove windows features) remote access to your PC through windows features .. those pestkey scammers will have no idea what the hell is going on and why they can not connect remotely to your PC ..this will hopefully make you realize something shady is about to go down and you can terminate the connection ..My favorite method of this is to disable any network adapters not in use by my connection ... So if you are pugged in via ethernet ( hopefully :) -) disable the WIFY at the hardware level through windows .. and if ya think something is weird or you are locked out of your keyboard and mouse I just pull the plug litterly unplug the network ethernet cable and Wi-Fi will not auto connect and hard power down the PC .. I feel this is good for me ( my opinion) and a better trade for system resources with my particular PC builds and usage thus far .. Also I had a psychical HDD fail replaced the hardware and went through the steps for mentioned back up and running in less then 1 hour.. hope this info helps someone protect their data and when used with windows features you should have no problems ... Be safe and stop looking at porn ...that is where ya get PC VD ....
What would happen if you delete the administrator account from the user folder?
You can activate Core isolation by regedit when it's not suported
Thank you ThioJoe! Much appreciated 👍
A lot of the features will make your life very difficult. Micrsoft flags most programs that are not in their partner program {a paid service} as malicisous. Also it will delete the program after being downloaded. DO NOT USE BITLOCKER, unless you have 100% of your data ALWAYS syncing to the cloud, I mean ALWAYS! and you must be comfortable and mindfull of monitoring your syncing software. I have worked with 3 businesses who shut down because of bitlocker. Its a great fature, but most users, even those who consider themselves power users are not mindful enough to use the feature. If you use these setting I would suggest turn them one at a time run for a month and add the next one. Nearly all industry software do not function with one or more of these settings. This video is for personal users. These are good videos, I love watching Joe go on this journey, but his videos SEEM like he is lacking a lot of experince in using the things he is talking about.
Also Joe, if you read this, you should find a local industry tech and produce training videos with them. Good money in that, companies are willing to pay 10's of thousands of dollars for yearly training.
Very helpful.
Video about turning of windows telemetry in win 11 would be useful
Thanks a lot!
Sandbox: I have a fresh windows 11 Pro installed. I did what you said and it would not open. Just got that gray box. I called MS tech support and they referred me to the developer and they said they only do business accounts. They said they don't support home users. So, that being said, what can I use as a 3rd party app to take the place of Sandbox?
I recommend Sandboxie Plus as your 3rd party app and have used it since I had Windows 10 Home but now I got Windows 10 Pro version.
It's a good feeling being early, isn't it?
Is there a way to export firewall rules/settings from Bitdefender, and then import the rules into Windows defender, before I get rid of Bitdefender? Have been looking everywhere to no avail.
Thank you.
Thanks Joe!
Btw, Im having problem on my window security. My "Microsoft Vulnerable Driver Blocklist is greyed out". Is it safe? If not how can I enable it?
1:02 keeps saying "virtualization support is disabled in the firmware", says the same thing for the application guard
(Yes, my pc is a windows 10 pro and i enabled windows hypervisor platform)
You have to go into your BIOS/UEFI (that's what the "firmware" is) and enable CPU virtualization.
@@knubswak Thx