Paul Thurrott (7:50)
So tied to this notion of online accounts, or just accounts in general, I guess, in Windows is, of course, security. And one of the big problems with security in Windows is that every user, by default, every first user on any computer certainly is an administrator account, and they have elevated privileges. And that means as you do things, you're basically allowed to do anything you want to do on the computer. But if your account is compromised, that means that a hacker could also run malicious code at this escalated level. And so the advice over the years was what you should do was sign in the first time, because you have to, with whatever account, and it becomes an administrator account. So in my case here, it's a Microsoft account. And then in Windows 11, what you would do is go down to Other users. I've actually created a second account, but you'd add an account, and so you could create or sign into a Microsoft account or whatever kind of account, and that account would be a standard user account. Right. And so I think this one is probably an admin. But let me bring this little guy up. Actually, we're seeing the feature I want to show you. You're not seeing it because it's hiding, but by default, this thing would be a standard user account. And so if you're signed in, then you would sign in as that user. Most of the tasks that are running as you use the computer are running at a lower privilege level. And so the system is more secure. But it's also annoying because you have to ask the admin on the computer, which is you, right, but with a different sign-in, for approval to do certain things. No one does this. So this is the problem. No one does this.
And even the people that are well-meaning that want to do this, or the companies that are well-meaning that want to do this, find that it's just too annoying to do because there are just too many times where you need the approval of someone else, maybe, or just yourself, where you have to just provide a second sign-in, interrupts what you're trying to do. It takes too long. Nobody does it. So the solution to this problem is something called administrator protection. This is rolling out, like I said, in Windows 11 25H2. And let me find the... I had to take screenshots of this because I've already set this up. But if you look at this shot here, this is the Windows Security app, which I will go to later. You'll see a new Administrator Protection section under Account Protection. So that's new to 25H2. And when you click on the Administrative Protection settings, you'll see that there's one setting and it is off. And if you enable it, you have to restart. And then once you restart, the system is running with Administrative Protection on, there's nothing else to do. So if I go in there right now and find Windows Security, this is in dark mode, so it's a little easier on the eyes. If it ever loads, and go to Account Protection, you can see this here again, same thing. There's one setting. This is it. It's on or it's off. So it is on. Now, I can't show you the prompt, but what I can tell you is that you're pro. You use Windows. So you've seen a User Account Control prompt. You know what that is, but you may not actually know what it is. If you think about, you've seen it, but you may not really understand it. There's no sense of authentication there, right? You're already signed in as an admin, usually most people are. So when you see that, it's sort of like the third brake light on a car, it's just like a little extra, like, hey, just think about this for a second. Are you sure you want to do this? And you say yes, and you move on.
And most people don't think about it that much. So with Administrative Protection on, most of the tasks that you're running are actually just running always at a lower escalation level, a lower level of privilege. When you run a task that needs an escalated privilege level, it will throw up not a User Account Control, but rather a Windows Hello authentication dialog. So I had to take a screenshot. This is a Microsoft screenshot. So I have to show you this because when it comes up on the screen, my screen recording software will not record it because, you know, it's actually a secure process, right? And so in this case, what it's doing is a Windows Hello facial recognition. You can see here there are options for fingerprint and PIN. And you'll... What you see there will depend on your system. I have... My laptop is to my left here, so I have to turn to it. So when this thing comes on, I have to actually look at it. It looks at me and says, okay, you're you, and then you're allowing the change. So from a kind of a process perspective, this works exactly like UAC, but under the covers, this is in fact way more secure than UAC because normally you're just doing everything at a standard user level of protection even though you have an admin account. It's just that when this happens that they create a... It's basically a temporary, in-time, admin-level process that runs, does the thing you need to do and then disappears. So it's just a slice-in-time thing and normally you're not running at that escalated level. So what are the types of things that would set this thing off? Installing software. So if I go and try to... I just, like, tried to do this earlier, like this Focusrite driver. When I click on this, again, you're not going to really see the system. I have to look right at the camera here. It sees that it's me, it says it's okay. Welcome back, Paul. Allow changes. Your screen just went blank, I'm sure.
And then the thing runs, but I'm going to close it down because I don't need that. It will if you try to edit the registry, right? There are certain settings, if you try to change the time, which I know sounds like a weird thing to have protected, but you know, there are reasons for that and you just have to say yeah, no, I really want to do this. And so it runs elevated, goes away and then you're done. So there's a third category, and this one I haven't been able to find an example of, when you are accessing sensitive data, whatever that means. So I suspect that that one might be more oriented toward, toward like a work or school account where you maybe you're going into like a company-owned data repository, whatever, but I haven't seen one of those for individuals yet. So installing software, certainly setting certain features, you know, changing the time or editing the registry, that kind of thing will set this off. So I guess the important thing here is just that, A, this thing is not on by default. So once you get 25H2 you should enable it, or if you want to test it now, join the Insider Program. Dev or Beta channel will get this for you. It's in the Windows Security app. Like I said, turn it on, reboot. As far as day to day, you'll probably see more prompts than usual, but it's not going to be off the charts. It's a slightly different experience because it's Windows Hello, so it's not UAC, but the interruption level is just about the same. And so day to day your life is not going to change very much, but the security of your system is going to change dramatically. So whether or not you think that's exciting, I guess it's a matter of opinion, but I think this is exciting. This is... Like I said, I've been following Windows since NT was just started and this has always been a problem. It's always been a problem and it's always been a problem. And they, you know, done little... UAC was one attempt and okay, it was a good step in the right direction.
But I think administrative protection is the... is it, now that we have Windows Hello. I think this... they finally cracked the nut on this. So this is something everyone's going to want to turn on. I strongly, strongly recommend enabling this when you can. So I hope you found this to be useful. We record new episodes of Hands on Windows, or we release new episodes of Hands on Windows, every Thursday. You can find out more at TWiT TV. HRW. Thank you for watching. Thank you especially to our Club TWiT members. We love you. If you're not a member, please Twit TV Club Twit. Give it a look. Think about supporting everybody who's working hard to bring you this content. Really appreciate it and I will see you next week.