This is why Windows 11 will fail miserably with security!

Photo by TheDigitalWay on Pixabay

Microsoft’s bad idea

“Microsoft claims that their telemetry shows that they have seen up to a 60% reduction in malware when TPM-enabled features like Windows Hello and BitLocker encryption are used on supported devices — it’s unclear why that would be at all true, unless it’s correlation and not causation.” — Steve Gibson (Security Now #825 podcast)

I dare say it’s a terrible idea. I have been doing some major research into Secure Boot and TPM, and everything I’m seeing is a little bit worrying, to say the least. Even listening to others talk about what Windows 11 can or can’t do, the problems seem quite obvious. After all, my son found information on how to get around the security requirements for Windows 11 and installed a bootable copy of it onto a USB stick just to play around with it. I am also quite concerned because it seems Microsoft is trying to force users onto a proprietary system. Microsoft is doing the complete opposite of what they claim.

Scrutinizing the Boot Process

The goal of a hardware root of trust is to verify that the software installed in every component of the hardware is the software that was intended.  — Jessie Frazelle

The problem with trust is that we should never trust anything and should always question it. How can a system trust that the software installed is the software that was intended? These are the basic problems with the premise of a TPM and even of the Secure Boot process.

The goal of attestation is to prove to a third party that your operating system and application software are intact and trustworthy. — Jessie Frazelle

The problem with this is even more obvious for the security of a system. Attestation can’t always witness, or even prove, that a program doesn’t have the right to be run or used during boot. Unless attestation can be programmed in hardware to boot Windows a certain way every time, we will always have virus developers skirting around the boot process.

Some members of the technology industry have raised the concern that the well-documented, modern, high-level language interface provided by UEFI makes it easier to compromise a platform [12]; that the ability to add modules and applications to the boot process could compromise security. — Richard Wilkins and Brian Richardson

I wouldn’t call “some” a small number of people but a large number. I’ve heard this idea time and time again, and it seems to be a growing concern with UEFI: how virus writers and developers will overcome UEFI and be able to install viruses and malware around the Windows system to do what they have always been able to do.

Security through obscurity

Microsoft seems to have taken this approach as their next step through the security door, and it seems quite evident that they’ve not learned their lesson from others. I say that with the understanding that Apple tried this with their systems, and they still have virus writers who can compromise them. It’s not that the security community doesn’t want all operating systems to be secure; in fact, most of us want it badly, because we wouldn’t have to worry as much about viruses or malware on people’s systems. Let’s not forget we still have users who will do dumb things, and that much will always be true. There is always going to be a need to teach company users how to be secure while using the company’s computers or laptops.

Return-Oriented Programming

Return-Oriented Programming is a security exploit technique used by attackers to execute code on their target system. By obtaining control of the call stack, the attacker can control the flow of existing trusted software running on the computer and manipulate it to their own ends. — Secureteam UK

ROP (return-oriented programming) has been a constant problem for several years now and will probably grow even more. I don’t say that lightly, because virus writers and developers will have to use it more and more often and even find other exploit techniques to get around the Secure Boot and UEFI protocols. This is often called the Blindside attack and is most often used against IoT (Internet of Things) devices, but it can be used against Windows operating systems and will become more and more useful to them in the future, I suspect.

Not unlike the previous tutorial we will be crafting [ROP] the parameters to Windows API calls on the stack and then executing them.  — FuzzySecurity

As you can see, there is already programming that people can do against the Windows 7 API, and that has been out for quite a while. I am unsure when someone did this little experiment and talked about the vulnerability. This vulnerability exists on Windows 7. It could very well be used on Windows 10 or even Windows 11, I suspect.

Mitigation

I will say there has been talk about mitigating this and other attacks, but it requires constant updating of the operating system and CPU (Secureteam UK). As you know, CPU manufacturers will take years to fix a problem, simply because people will not want to go buy a new CPU or even a new computer until the old computer isn’t able to run or something actually breaks in the system. I know virus writers and developers will always have to be ahead of Windows updates, and that might be what they are already doing: looking for vulnerabilities in the UEFI and Secure Boot area. I suspect they are already doing that now. I can’t say if they’ll succeed, but I know the virus writers make so much money on ransomware and on getting those companies’ systems compromised. So who really wins? I would hazard a guess that no one does in the end; the security that Microsoft is trying to force will still fail miserably, and I will be there saying “I told you so!”


How to install Windows 11 on a given system.

Windows 11

Install Windows 11

It’s not as easy as it seems. Ever since Microsoft told us what the requirements will be for Windows 11, it has turned out there is more than that for you to do to use Windows 11. One of the issues some users are having is going from non-Secure Boot to changing the partition to Secure Boot. The problems have been far and wide for the people in the Preview program. So what do you really need to do to install Windows 11? I will talk about some of the things you will probably need to do to get it to work on your system.

Gigabyte Motherboards

I currently have a B460M DS3H AC, and finding Secure Boot on my motherboard isn’t as easy as it seems. I first had to update my BIOS from the factory default to the latest version. You can download the BIOS for this motherboard and flash the motherboard with the latest BIOS update. It seems the latest F5B BIOS update has Secure Boot automatically enabled, but for those who do not want to update their BIOS to the latest version: in order to get Secure Boot to work on your motherboard you have to go to Advanced settings > Boot Menu. Once there, scroll down to CSM; I needed to disable that to get Secure Boot to work. Once that is done, you have access to Secure Boot.

Converting your Partition

If, like me, you have an MBR (Master Boot Record) partition, then you will need to convert to a GPT (GUID Partition Table) partition in order to run with Secure Boot. There is a tool from Microsoft called MBR2GPT that can convert your partition to GPT. Once you do this, you can enable Secure Boot and have it ready for Windows 11. Since we are talking about the preview build and not the final build, I can only surmise that it will be required by Windows 11 when it is finally released. It will be a long and hard process for many, because there are several reasons why someone won’t want to go to a GPT partition. I haven’t decided if I will or not, but I wanted to show you how to install the Windows 11 preview if you are one of those who wanted to try Windows 11 but didn’t have the system set up the right way to install it.

Still not Compatible

WhynotWin11 Compatibility Tool

If you are still having problems figuring out why you can’t install Windows 11, there is a great little tool that will tell you what you have or don’t have enabled, what hardware you are missing, and what you might need to do to meet all the requirements for Windows 11. In the end, this will at least help those who want to install Windows 11. I’m still not sure if I will, but at least you can now know what you need to do to be able to install it.
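For those who would rather check the items from the last three sections (TPM, Secure Boot/CSM, MBR vs. GPT, cores, RAM) from a prompt, here is an added example script; it is not from the original post and not the WhynotWin11 tool. It assumes an elevated PowerShell on Windows 10 with the built-in TrustedPlatformModule, SecureBoot and Storage modules, and the 2-core / 4 GB minimums it tests are my reading of Microsoft’s published requirements.

```powershell
# Added example: a small Windows 11 readiness check (not the original post's code).
# Run from an elevated PowerShell prompt. Thresholds (2 cores, 4 GB RAM) are assumptions
# taken from the published minimums; adjust them if Microsoft's page says otherwise.

function Test-Win11Readiness {
    $results = [ordered]@{}

    # TPM present and ready? Get-Tpm throws on systems with no TPM driver at all.
    try {
        $tpm = Get-Tpm
        $results['TPM present'] = [bool]$tpm.TpmPresent
        $results['TPM ready']   = [bool]$tpm.TpmReady
    } catch {
        $results['TPM present'] = $false
        $results['TPM ready']   = $false
    }

    # Secure Boot: Confirm-SecureBootUEFI throws when the machine booted in legacy
    # BIOS/CSM mode, which is exactly the "CSM still enabled" case from the Gigabyte section.
    try {
        $results['Secure Boot enabled'] = Confirm-SecureBootUEFI
    } catch {
        $results['Secure Boot enabled'] = $false   # legacy BIOS / CSM boot
    }

    # The system disk must be GPT; MBR means MBR2GPT has to run first.
    $sysDisk = Get-Disk | Where-Object IsSystem | Select-Object -First 1
    $results['System disk is GPT'] = ($sysDisk.PartitionStyle -eq 'GPT')

    # CPU cores and RAM against the minimums.
    $cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
    $ramGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    $results['>= 2 cores']  = ($cores -ge 2)
    $results['>= 4 GB RAM'] = ($ramGB -ge 4)

    [pscustomobject]$results
}

$r = Test-Win11Readiness
$r | Format-List

if (-not $r.'System disk is GPT') {
    # MBR2GPT's own validate/convert switches; validate makes no changes.
    Write-Host "System disk is MBR. Validate the conversion first (no changes made):"
    Write-Host "    mbr2gpt /validate /allowFullOS"
    Write-Host "then, after a full backup, convert with:  mbr2gpt /convert /allowFullOS"
}
```

A `$false` on "Secure Boot enabled" together with an MBR system disk is the combination described above: disable CSM in the BIOS only after the disk has been converted to GPT, or the system will not boot.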


What is a TPM and why do you need to know you have one?

Photo by TheDigitalArtist on Pixabay

Trusted Platform Module

Everything about TPM screams security, and ominous, some would call it. I am sure everyone is thinking about this and wondering why Microsoft is doing it. We’ve heard them say it is a requirement, and thus far it seems as sure as gold that it will be a necessity to be able to upgrade to Windows 11. So what is a TPM? According to Wikipedia,

“[TPM] is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.”

In other words, it is basically hardware encryption and not software encryption in your system. If you have BitLocker without a TPM, then your system has to decrypt and encrypt files on the fly, which slows your system down. If you have a TPM onboard, it is much faster and much safer, because there would be no way for a man-in-the-middle attack to work; I’m not saying it will never happen, but I think it is far less likely.

Windows 11 Requirement

If you haven’t figured out whether you have one on your motherboard, there are several websites that talk about how to find out if you already have a TPM on your motherboard. The real problem is if you have no TPM and would like to install Windows 11 on your computer. There are several options. I’ll list them for you:

  • Install a motherboard that has a TPM.
  • Check whether you can enable TPM on your current motherboard.
  • Install a TPM chip to be able to use Windows 11. Check out my affiliate link if you need one!
  • Keep Windows 10 until its end of life, which will be October 2025.

Scalpers aplenty

Scalping has seen an increase all over the net. When Microsoft released the information on what is needed to upgrade to Windows 11, it seemed to bring out the people who will charge even more than what you should be paying. Obviously they did the same thing with graphics processing units in the past, and they seem to be doing the same thing with the TPM chips that install on motherboards and other such systems. I’m seeing more places where a chip costs more than you’d normally pay. So that is the problem now with people wanting to get ready for Windows 11: there seem to be more people trying to make a buck out of this. In the end, they will give up trying to make a buck because the demand will drop, and we won’t have to worry about this anymore.


Will Microsoft start watching you on Windows 11?


Microsoft Requirements

According to Microsoft’s requirements page for Windows 11, you will need to have some of these things enabled to be able to install it. Let me show you what I see off the top and maybe even read between the lines:

  • You will be required to have internet connectivity for Windows 11 Home.
  • The system will need to be TPM enabled. (If you have an NVMe drive, you probably already have a TPM on your system.)
  • Microsoft Edge will be the default browser. (That was expected by me.)
  • Taskbar alignment to the bottom of the screen is the only location allowed. (I heard there is a hack for this.)
  • Required to have at least two cores to be able to install Windows 11.
  • Apps can no longer customize areas of the taskbar. (I am not sure what they mean by this, but it will probably change app development in the future.)

So who’s watching you?

I have a few issues with these requirements; for one, the need to have internet access for the first boot. There will be people in countries who have no access to the internet, or people who don’t want to be tracked by Microsoft. That is something I am cautious about when it comes to booting into Windows. I don’t want Microsoft to know what I am doing or to have access to any of the data I am handling with their system. I specifically made sure of that by opting out of those features when I installed Windows 10. I turned off those features before I even started using Windows 10. I might just be one of those who is security aware of the problems associated with leaking personal information or having someone watch what I am doing online. I know I don’t have privacy online, but I do try to protect what I can when I can.

Windows 11 Pro?

Granted, Windows 11 Home is the only edition they say requires an internet connection; I am curious to see what the requirements are for Windows 11 Pro. Will I need to do all this for the Professional version also? Until then, I will stay with Windows 10 Pro (*Get the OEM version for $21.96 USD*, affiliate link), because I don’t have to worry about logging into Windows 10 with my Microsoft account. Even though I am using Skype and other features that I log into, I am not giving them as much information as I could be. Although, as I look at the business side of Windows 11, I do not see the requirement for an internet connection to run Windows 11 Business; I think that is what you call the Professional edition. Either way, I’ll wait and see what happens in the future and what the requirements turn out to be.

Are you going to use Windows 11?  What do you think about it?  Why not leave a comment and tell me what your thoughts are about Windows 11?

Why having rolling updates for Windows 10 is a good idea!

Microsoft Windows 10

Those unexpected times

So you need Windows 10 for something important, maybe a church service, or you have an important meeting on Zoom on Tuesday. You have something important going on, and Windows brings up a notification that you should reboot your system for a Windows 10 update. You can tell it to schedule the update for later that day or even during the night with no problems, but what if you have to reboot your system right now? There’s the problem: you do have the option to restart without updating, but most people don’t know about it. It’s an easy fix. Open a command prompt by typing Cmd into the search bar,

cmd prompt

and then type:

shutdown -s -t 0

Once it shuts down, you just reboot your system and you are back to where you left off. It isn’t always that simple, however, with people who seem to forget that little trick from time to time.

Rolling Updates

What if you don’t have time to do this little trick, or you forget? Well, you know what happens: you wait for the update to take place. It can take anywhere from a few seconds to a few minutes, depending on how big the update is. I’ve seen it take 10 minutes on some systems. It can take some time to update Windows 10 because you sometimes get massive updates. You get new revisions, and you get new patches every second Tuesday of the month. What if you need the updates to install on a certain day? There is a way to do it. Depending on which day you need to do the updates, you can make Windows 10 pause updates for up to 35 days, and that can be a very useful way to prevent unexpected updates when you need Windows 10 to just be working. You can do this by going into the Windows Update settings.

Windows update settings

Once you click Windows Update settings and go to the menu, you’ll want to hit the advanced options and then look for “Pause updates”. Then you can select a date up to 35 days out. This is something I tell my clients to do from time to time, because it really does help them avoid those unexpected downtimes.

Once you do this, write down the date you selected and put it somewhere next to your computer. I like to use Google Calendar or some calendar app to remind me a few days before that date, and then I update Windows 10 at my convenience, not the other way around. You find a day that is convenient for you and you update Windows before the 35 days are up, or you just let it do its thing and you get two updates in one most of the time. Once you update and restart your system, you go back into Windows Update settings and pause the updates for another 35 days, or whatever date you want to pause until. You start the process over again, and you have a rolling update schedule.

Change Active Hours

Something else I tell my clients is to change the active hours during which you work on your system. Even though Windows 10 does a really good job, it isn’t perfect, and thus you might be using the system when the system thinks it should be inactive. You can also change that on the Windows Update settings page. I usually turn off the automatic active hours feature and then set the active hours to when I will be using the computer most of the time.

Schedule the update

You can also schedule when Windows will do the update. In the early days you could only pause the update for 4 hours before it would restart the system without your knowledge. Now you can tell Windows when to restart the system, and usually it will pick some time while you are inactive and not doing anything. So you can select the time that is convenient for you. You can do this by just going to the Windows Update settings page (see above), hitting “Schedule the restart” and then selecting the time of day you want the system to restart the computer. This way, if you forgot that there is an update and you are busy with work, you can tell it to wait until you aren’t busy with something important.
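For anyone who maintains several client machines, the pause-and-remind routine and the active-hours setting above can be scripted instead of clicked through. This is an added example, not from the original post; it assumes that Windows 10 keeps these settings under HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings with the value names used below (PauseUpdatesExpiryTime and the PauseFeature/QualityUpdatesStart/EndTime strings in ISO 8601 UTC, ActiveHoursStart/End as hours 0-23), which Microsoft does not document, so check the Settings page after running it.

```powershell
# Added example (not the original post's code): script the "pause up to 35 days"
# and "active hours" settings. Assumption: the registry value names below are the
# ones the Settings page writes; they are undocumented, so verify in the UI afterwards.
# Run from an elevated PowerShell prompt.

$WuKey        = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UX\Settings'   # assumed location
$MaxPauseDays = 35   # the limit the Settings page enforces

function Get-PauseExpiry {
    param([int]$Days)
    # Clamp to 1..35 so we never write a date Windows would reject.
    $d = [Math]::Max(1, [Math]::Min($Days, $MaxPauseDays))
    return (Get-Date).Date.AddDays($d)
}

function Set-UpdatePause {
    param([int]$Days = $MaxPauseDays)
    $fmt    = 'yyyy-MM-ddTHH:mm:ssZ'
    $start  = (Get-Date).ToUniversalTime().ToString($fmt)
    $expiry = (Get-PauseExpiry $Days).ToUniversalTime().ToString($fmt)
    foreach ($name in 'PauseFeatureUpdatesStartTime', 'PauseQualityUpdatesStartTime') {
        Set-ItemProperty -Path $WuKey -Name $name -Value $start -Type String
    }
    foreach ($name in 'PauseFeatureUpdatesEndTime', 'PauseQualityUpdatesEndTime', 'PauseUpdatesExpiryTime') {
        Set-ItemProperty -Path $WuKey -Name $name -Value $expiry -Type String
    }
    # The reminder date the post suggests: a few days before the pause runs out.
    $remind = (Get-PauseExpiry $Days).AddDays(-3).ToShortDateString()
    return "Updates paused until $expiry. Put a calendar reminder on $remind."
}

function Set-ActiveHours {
    param([ValidateRange(0,23)][int]$Start, [ValidateRange(0,23)][int]$End)
    # The Settings page allows an active-hours window of at most 18 hours.
    $span = ($End - $Start + 24) % 24
    if ($span -gt 18) { throw "Active hours span of $span h exceeds the 18 h limit" }
    Set-ItemProperty -Path $WuKey -Name ActiveHoursStart -Value $Start -Type DWord
    Set-ItemProperty -Path $WuKey -Name ActiveHoursEnd   -Value $End   -Type DWord
}

# Example rolling schedule: pause for the full 35 days, active hours 08:00 to 20:00.
Set-UpdatePause -Days 35
Set-ActiveHours -Start 8 -End 20
```

Re-running Set-UpdatePause after each update restart is the "start the process over" step from the section above; the 35-day clamp means you cannot accidentally push the date past what the UI allows.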

Like what you read? Why not subscribe to my blog and find other things that you might like to read? Was this helpful? Why not share this post with others so they know these tricks and tips for the next time this happens.