Shout outs to @enigma0x3 and @tifkin_ for the great work pen testing smart app control to get this release ready

@dwizzzleMSFT any chance of third party access to Credential Guard e.g. store sensitive tokens in VBS; only unseal to same application?

@parityzero Yes - it’s called “key guard” (of course)

@dwizzzleMSFT Will any of these security improvements be backported to Win10?

@mdriley25519 Some of them are already in 10 and just turned on, the rest no

@dwizzzleMSFT "Presence detection sensors work with Windows Hello to sign you in when you approach, and lock when you leave." This sounds great What are the hardware dependencies?

@dwizzzleMSFT @panos_panay Well I certainly hope it's not less secure

@dwizzzleMSFT you removed mandatory ms account ?

@dwizzzleMSFT @MSFTnews no update?

@dwizzzleMSFT Yeah, sure. I don't like what that dialog is saying at all though. Can I turn it off?

@dwizzzleMSFT Do we still need an msft account?

@dwizzzleMSFT @MsftSecIntel Sweet noticed some changes when using FIDO key, is there a reason it switches to other user when signing back in from a locked session?

@dwizzzleMSFT Personally I think you should have left off the "most secure version of Windows we have ever produced". That's tempting fate

@dwizzzleMSFT Can you be specific about what items need X license?

@dwizzzleMSFT Most secure version of Windows is like saying the least poisonous version of poison 🤷‍♂️ Active directory is still an unmaintainable mess, as are UAC and other windows internals. #icannotshruganyharder

@dwizzzleMSFT Thank you for the great post! But what about Windows security features on ARM-based CPU: 1. How memory is protected? 2. How TPM is involved? 3. What are the key differences between new Windows security mechanisms on Intel-based and ARM-based CPU? Thank you!

@dwizzzleMSFT great post! here are a few additional mitigation ideas that i would love to see: - a unified syscall enable/disable mechanism :each process having a list of allowed syscalls. Would permit to restrict kernel attack surface from sandbox and simplify code by merging several 1/N

@dwizzzleMSFT Is it expected behavior that the The Microsoft vulnerable driver block list does not ever get updated on endpoints, with Windows Update or whatever other mechanism may be present with a powered-on machine?