• Microsoft’s announcements this week

    Q: So Susan, I see that Microsoft held this event this week to make announcements regarding hybrid work, what are your thoughts about what was discussed?

    A.  Well, it’s like this. While as you can imagine I’m totally excited about the security announcements, but I’m a realist. So I ALWAYS look a these announcements with either my home computer or my small business computing needs in mind.  Too many of Microsoft’s security these days are hooked to subscription enterprise licenses so while all of these security announcements sound cool, unless normal users like you can I can take advantage of this, it’s not keeping us secure.

    Q. What do you mean?

    A: Well take this list:    The Windows 11 Security Announcements include Pluton (new security specific chip) SHIPPING, HVCI/VBS (Hypervisor-Protected Code Integrity (HVCI) ) on default ALL CPUs, Credguard default ON, LSASS Protection default ON, EXE signed or rep REQUIRED, Script Blocking from Internet ON, Enhanced Phishing ON, File Layer Encryption with Hello ON.  Some of those features I KNOW are only in Enterprise and in E3 or E5 and thus only available for businesses with subscription agreements.  So like ” In the future, Credential Guard will be enabled by default for organizations using the Enterprise edition of Windows 11. ”  Translation – that’s businesses with enterprise subscription agreements ONLY. You and I won’t be able to get that.

    Q. But isn’t security important for Enterprises?

    A. Oh, don’t get me wrong, I love security enhancements.  It PAINS me every time someone in the forum talks about how they still run Windows XP and they consider it secure (If you still are using it and it’s connected to the Internet and not isolated, it’s honestly not, you can’t install a modern browser on it) or love Windows 7 (I’ll be covering Windows 7 and the future in this week’s newsletter — stay tuned). But it also PAINS me every time something that I feel should be available to all Windows users from home users to small business to big business without restriction.  For example “The enhanced phishing detection and protection built into Windows with Microsoft Defender SmartScreen will help protect users from phishing attacks by identifying and alerting users when they are entering their Microsoft credentials into a malicious application or hacked website”.  That shouldn’t just be for “Microsoft credentials”.  That should be ANY credentials.  And it remains to be seen if that’s tied to certain Enterprise only subscription models.

    Q. What about this new thing called “Smart app control “that prevents users from running malicious applications on Windows devices that default blocks untrusted or unsigned applications. Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, our new Smart App Control only allows processes to run that are predicted to be safe based on either code certificates or an AI model for application trust within the Microsoft cloud. Model inference occurs 24 hours a day on the latest threat intelligence that provides trillions of signals. When a new application is run on Windows 11, its core signing and core features are checked against this model, ensuring only known safe applications are allowed to run. This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices. Smart App Control will ship on new devices with Windows 11 installed. Devices running previous versions of Windows 11 will have to be reset and have a clean installation of Windows 11 to take advantage of this feature. “

    A. First off have you tried buying a computer or laptop right now?  Most/many of my IT folks are scrambling to buy equipment because of supply chain issues. Next “clean installation of Windows 11” is a heavy burden.  Do you know where all of your product keys are?  I guarantee there is some older app you probably will have a hard time reinstalling clean. Finally – and again – what license is needed for this?  And show me a home user or small business and I GUARANTEE you that I STILL find an application that isn’t code signed.  So I’m going to bet that we’re going to have to either whitelist apps or find workarounds. Realistically this only will be helpful in an Office only worker computer – someone that only uses Windows and Office, not a key line of business type of computer.

    Q. So these announcements weren’t important?

    A. No, I’m not saying that.  I’m just saying that I don’t parrot public relations blasts and immediately post about them. That’s not what we’re about here at Askwoody.com  I wait until actual software is released, I can test it, I can see if it’s useful (or not) and most importantly to me and I’m sure the readers of Askwoody.com, I wait to see how it’s licensed.  If it’s not either default to all users – or reasonably priced – it’s not going to be a realistic security solution to the folks that need help.  We’re about what really works here on Askwoody.com, not what isn’t yet released.  So the readers of Askwoody.com will get reality, not public relations blasts regurgitation.

    Q. You always plan to talk to yourself like this and ask yourself questions?

    A. It’s Friday.  What can I say.  Have a good weekend all.  Patch Tuesday is next week, make sure you defer those updates!