
Hawx

Member
  • Posts

    887
3 Followers

Contact Methods

  • Steam
    sinsofasolarempire

Profile Information

  • Gender
    Male
  • Location
    Probably Australia
  • Member title
    You're a big PC

System

  • CPU
    AMD Ryzen 9 5950x
  • Motherboard
    ASUS ROG Strix X570-F Gaming
  • RAM
    G.Skill 32GB DDR4 3600 C16
  • GPU
    Gigabyte G1 Gaming 980Ti
  • Case
    Corsair 5000D Airflow
  • Storage
    WD Black SN850 1TB PCIe Gen 4
  • PSU
    Seasonic X-series 750W
  • Display(s)
    2x Acer Predator 24" 144hz G-sync
  • Cooling
    Noctua NH-D15 Black
  • Keyboard
    Corsair K70 RGB
  • Mouse
    Logitech G Pro Wireless
  • Sound
    ATH-R70x
  • Operating System
    Windows 10 Pro
  • Phone
    Galaxy S10+

  1. It's well-established email API provider used by a lot of developers, nothing more to say really. SendGrid is a direct competitor that's on par in terms of popularity & features.
  2. The point of the feature is to reduce the potential attack surface if a popular app is exploited, not to stop random malicious apps (that's what SAC/Defender are for). You're missing the human factor that a few thousand software developers work on the Windows codebase, and the source code is shared with universities and external researchers (occasionally). Google's Project Zero security team targets Windows full-time as well. Between whistleblower risk and the sheer number of eyes on Windows, it's incredibly unlikely there's anything unknown going on.
  3. App isolation is opt-in by the developer. It mostly benefits popular applications that have a large potential exploit surface (i.e. sandbox escapes within Electron apps).
  4. We shouldn't have secure hardware enclaves because it might fail at some point and cause an error? You could apply that logic to literally any hardware component in your system. TPMs already have a number of usages on consumer PCs, such as Windows Hello, as its PIN-based login is only considered secure when running on a system with a TPM.
  5. Take a look at https://support.microsoft.com/en-us/windows/how-to-check-if-your-device-meets-windows-11-system-requirements-after-changing-device-hardware-f3bc0aeb-6884-41a1-ab57-88258df6812b if you want to re-run the check sooner.
  6. Your board appears to have it enabled out of the box as it's marked as Windows 11 ready.
  7. How in the world did you come to this conclusion? Stack protection is designed to protect against memory attacks involving buffer overflows & dangling pointers, it has nothing to do with driver matching. Although this feature does protect against a wide range of attacks, if all you do is gaming and you need to play BE-protected games, then disabling it should be alright from a risk perspective. Hopefully BE will be updated within a few months to support it.
  8. They'll still work, nothing was mentioned regarding old win32 apps no longer running, app isolation will be opt-in for developers for the foreseeable future. The whole point is to separate Pluton firmware so Microsoft can update it without waiting for manufacturers to push a new BIOS, thus it has nothing to do with BIOS updates.
  9. The app itself. I'd recommend watching the relevant section of the video for more information. I don't see a performance hit being an issue with the architecture involved. No, the application has to be updated to be bundled with a security manifest. Packaging tooling will come out later this year to support adding it. Nothing stops the developer adding more permissions; however, users will be able to see what permissions the application needs and question the developer if something is included that doesn't make sense. Yes, future AMD and Intel products will include Pluton support. This doesn't really matter. It's a security chip, so its existence will be completely transparent to the user and there'll be no settings to customize.
  10. The only change is that when applications require admin escalation you will be asked instead of applications being given free rein by default. The goal here is to stop applications having unnecessary privileges and becoming an exploit/escalation risk, not to stop users doing what they like.
  11. Summary

      A recent presentation by David Weston, Director of OS Security at Microsoft, has managed to fly under the radar, but contains loads of information about the future security state of Windows along with upcoming features to support this state. There's quite a lot of information in the video that I'll attempt to summarize here, although I'd suggest giving it a watch if you're in the Development/Infosec/IT space.

      Windows 11 has provided a hardware security baseline for Microsoft, with features that require hardware support (HVCI, TPM etc) to be enabled by default going forward, stating that the Windows 10 strategy of off-by-default was a failure.

      Admin accounts are a continued security problem within the Windows ecosystem, so a future version of Windows will be adding a new "Adminless" account model with Linux-like just-in-time escalation. This new model intends to provide a secure middle-ground between the frustrations of a standard user account and the security risks of an Admin account. "Adminless" accounts will run as a "less privileged" user by default and prompt users with Windows Hello when an application requires escalation for a given operation, rather than permanently running the account as a standard or admin user.

      Win32 Applications will be bundled under the new Win32 App Isolation model in an attempt to prevent privilege escalation if an application is compromised/exploited, meaning that:

        • The application registry and file system will be virtualized, resulting in clean uninstalls.
        • The application specifies what permissions it requires when packaged and said permissions will integrate within Windows (similar to UWP apps).
        • Applications will still have full access to the system, but restricted by what permissions were declared with the manifest, i.e. a notepad app should not have permissions to access your webcam.
        • The MSIX packager will automatically analyze the application behavior and work out a permissions baseline for the developer to make the move as easy as possible.
        • A full demo of Notepad++ running with this sandbox enabled was shown to demonstrate that all existing win32 features are supported.

      Inspired by what third-party AVs already do, Smart App Control is going to be rolled out, working as a cloud-driven reputation system to only permit signed and/or well-known high-reputation software from running. SAC is intended to prevent zero-day exploits from spreading before Defender has received updated definitions. This will be rolled out by default depending on what software someone uses. For example, if you use IDEs or other technical tools it'll be disabled, whilst someone that only uses Chrome and Spotify will have it enabled. The system can be disabled in a single click if required. (Note: this feature is already available in some markets for fresh Windows 11 installs)

      TPMs within the ecosystem are not in a healthy state, with telemetry telling Microsoft that many are running vulnerable firmware due to manufacturers not pushing out updates, and some being inoperable due to hardware failures or other issues. Microsoft is working on its Pluton security chip to replace/augment the existing TPM ecosystem and have the ability to push out firmware updates via Windows Update.

      Software/Hardware mitigations are reaching the end of the road in terms of viability. Microsoft is now focused on eliminating classes of security bugs with extensive R&D going into the use of Memory-safe languages (Rust) in areas of the system that exploits often appear in:

        • To prove it out, the font analysis/rendering subsystem was rewritten over 6 months from 96k lines of C++ to 152k lines of Rust. This has also improved performance by 5%-15%.
        • Parts of Win32k GDI have also been rewritten in Rust and will be shipping with an upcoming Insider build of Windows.

      Quotes

      Slide dumping a bit here as they're more useful than anything I could quote from the talk.

      My thoughts

      I believe the adminless account model will be a massive improvement for ecosystem security without annoying users like with previous attempts. Smart access control also appears fine to enable for the vast majority of users that do nothing more than browse the internet with their computers and should be able to prevent a whole class of zero-day attacks.

      Sources

      Presentation slides: https://github.com/dwizzzle/Presentations/blob/master/David Weston - Windows 11 Security by-default - Bluehat IL 2023.pdf
  12. I noticed the HX850 has been removed from a number of Australian retailers in the last few weeks. Just poor stock levels or a refresh incoming?
  13. FYI, There's a pretty good interview with David Weston, partner director of enterprise and OS security at Microsoft, that goes over the reasoning behind the requirements: Windows 11: Understanding the system requirements and the security benefits - TechRepublic
  14. Please take your strawman elsewhere. I have no problem with privacy concerned people, I have a problem when that energy is misplaced into nonsense like this due to people being unable to read privacy documentation correctly. My post was specifically around Windows telemetry and how it ties to Microsoft's goals as a company, you've managed to write a reply to an argument I wasn't making.

      Just an FYI that Microsoft's privacy statement is a global document that aggregates literally everything Microsoft does across all of its business units, from the Microsoft website, to Azure Cloud to Bing Ads. At its top level, it's designed to be a catch-all, so new Microsoft products and projects don't need to go to legal and ask for a new document to be drawn up. For example, all of Microsoft's open source projects on GitHub that collect debug and/or usage information are covered under the exact same privacy statement.

      When exact privacy information about a Microsoft product is provided, that information takes precedence over what's stated in the top level policy. For example, Windows is provided with an extensive section + documentation that covers all data collection & usage at a per-feature level, therefore it's far more relevant than the top level policy. It's for the same reason that businesses using Azure Cloud or Office 365 to hold personal & financial data don't glance at the ultra generic top-level Microsoft Privacy Statement and proceed to freak out, because the information in Microsoft's trust center is specific to their use and therefore supersedes it.

      Instead of going "WTF???" I would recommend clicking on "Learn More", which provides proper context of the statements provided:

      "Advertising. Microsoft does not use what you say in email, chat, video calls, or voice mail, or your documents, photos, or other personal files to target ads to you. We use data we collect through our interactions with you, through some of our products, and on third-party web properties, for advertising in our products and on third-party properties. We may use automated processes to help make advertising more relevant to you."

      The "third parties" is explicitly "third-party web properties", which in this context would be, for example, you clicking on an advert on a website that integrates with Bing Ads (https://ads.microsoft.com/) and Microsoft tracking the conversion from that click + using the click for future ad personalization. The dedicated advertising section also expands on this:

      "The ads that you see may also be selected based on other information learned about you over time using demographic data, location data, search queries, interests and favorites, usage data from our products and sites, and the information we collect about you from the sites and apps of our advertisers and partners"

      I'm unsure how you can frame this as some kind of "gotcha". All of the major voice assistants and speech processors have a similar clause in the effort to improve speech recognition.

      1) For starters, I never made that claim. My post is around Windows & Windows Telemetry specifically and the grand conspiracy that Microsoft is intentionally siphoning data from your system to show you adverts. Microsoft runs Bing Ads as well as its own adverts, so yes there's a small section of Microsoft that is responsible for traditional contextual advertising. The point I was attempting to make is that it makes up less than 10% of Microsoft's revenue and clearly isn't a company priority.

      2) Covered.

      3) Yes, if you use speech-recognition services or Cortana and have online speech recognition enabled, there is a chance that some random person will hear the response to validate the processing/reply. If you don't like that simply don't use those services.

      4) There's a lot of different privacy dashboards that Microsoft offers across a lot of services, but it simply can't cover absolutely everything Microsoft does across hundreds of products and hundreds of thousands of potential data ingest points. They do offer the ability to contact them if you wish to control any additional data they have.