Hands-On Windows 174 transcript
Please be advised this transcript is AI-generated and may not be word for word. Time codes refer to the approximate times in the ad-supported version of the show.
Paul Thurrott [00:00:00]:
Coming up next on Hands on Windows, we're going to look at a 2026 security checkup for the new year. Podcasts you love from people you trust. This is Twit. Hello everybody and welcome back to Hands on Windows. I'm Paul Thurrott, and it's a little late for this, but in a sort of New Year's resolution sense, I thought this would be a good time for everyone to do a quick security checkup on your online accounts, Windows 11 PCs, et cetera. So obviously I'm going to focus mostly on the Microsoft account, but a lot of that advice applies to other online accounts, you know, Apple, Google, Amazon, whatever, and then Windows 11. And in many ways, I know we've probably looked at this stuff over time, but I think it's useful every once in a while to go back and just make sure things are configured the way you want them to be. So let's start with the Microsoft account.
Paul Thurrott [00:00:58]:
If you go to the Microsoft account website, I have a screenshot here so I can just take out some personal information, but basically go into the Security section. You'll have to log in, you know, you'll have to re-authenticate. And there is an option to manage the ways that you can prove who you are. And there are different terms for this, but these are verification or authentication options. Some of them are what I would call second-step or two-factor or multi-factor forms of authentication. But the important thing to know here is that these are how you prove who you are to Microsoft, in this case with the Microsoft account. And you're going to use multiple things, right? You're not just going to have the email address and the password.
Paul Thurrott [00:01:44]:
You're going to have different forms of authentication. So I have this set up pretty much the way I recommend it, with one exception. You can have multiple email addresses associated with the account for recovery purposes, in other words, or just for authentication purposes. So you go to sign into your account, it asks for a second form of authentication, and you'll have a list of choices. One of them will be to send an email to a different account, and then you can look at that, get the code, type it in there, and get into your account that way. So I recommend having at least one of those, really. I recommend having two.
Paul Thurrott [00:02:20]:
So I do have two. And these are other email addresses, obviously, right? It's not the email address associated with this account. The one I don't necessarily recommend is the "text a code" one, which I do have set up. It is kind of an interesting issue where you actually do want to have a phone number associated with your Microsoft account, but you don't necessarily want Microsoft to text you. This is like a seventh choice on the list. So I like having a number associated with the account, but I don't actually ever use it for this purpose, because this can be intercepted fairly easily. The next two are related to authenticator apps, right? So like the Microsoft Authenticator app, the Google Authenticator app.
Paul Thurrott [00:02:59]:
I use Proton Authenticator. But there are two forms of verification or authentication that you can do through an authenticator app, especially the Microsoft Authenticator. One is to send a sign-in notification. So what that does is you get a pop-up on your phone from the Microsoft Authenticator app, in this case, and it says, is this you? And you say yes. And you're biometrically signing in, either with Face ID or the equivalent on Android, or your fingerprint, or just typing in a PIN or whatever. The other one is to have the authenticator app generate a code. That's the more common one outside of the Microsoft space. And that can go in two directions. So you could either get a code on the PC that you have to type into the authenticator app, or vice versa.
Paul Thurrott [00:03:44]:
You look at it on your phone, you type it in where you're trying to sign in, right? And then the most modern one is a passkey. And we're going to actually do, at least I think, two episodes about passkeys very soon. So we're going to go into this in more detail. But a passkey is essentially a modern replacement for a password that is phishing-resistant. It's much more secure, much more convenient, and it used to be device-bound, meaning each passkey would be stored on whatever device, in this case a PC, but now they're portable through password managers. So we will take a look at that one soon. But again, the goal here is to have multiple ways that you can prove who you are, because you might go to the site, do something passwordless where you type in just maybe your email address, and not even that, actually, if you have a passkey in some cases, and then it will ask you for that second authentication. You want to have options on there.
Paul Thurrott [00:04:40]:
So just make sure you've got that configured correctly. All right, after this break, we're going to take a look at other online accounts and also Windows 11. All right, so for other online accounts, meaning non-Microsoft accounts, the goal is similar, but the overarching advice, rather than the specifics of how you might secure each account, is to use a single password manager, which is really an identity manager. It's not just about passwords. It will also manage passkeys and other things. You know, you could have your passport, your ID, you know, whatever forms of documentation, whatever you want, you can store in these things. But in this case we'll just think of it as a password manager. Ideally this would be a third-party password manager, meaning not one that is associated with a platform maker like Microsoft, Google or Apple, and not one that's included inside of a web browser.
Paul Thurrott [00:05:33]:
But if you are going to use one of those things, the bigger goal, sort of, is that it should be portable, meaning it should be available everywhere you are. So you have a phone, you have a computer, you might have a tablet, iPad or whatever. You want to be able to access that thing everywhere, because it's going to do autofill on mobile and it's also going to do autofill on the web on a computer, whether it's Windows, Mac, Linux, whatever. I use Proton Pass, but 1Password, Bitwarden, Dashlane, Proton Pass, et cetera, these are all good. Third party is best. But you know, Chrome obviously is everywhere, Edge is everywhere. If you're an Apple guy, you might use Apple Passwords.
Paul Thurrott [00:06:15]:
I don't recommend that here because, you know, we're talking about Windows here and that's not really a seamless experience. So it's better to have something that just works everywhere. And of course third-party password managers have additional features, et cetera. So in this case I guess I'll bring up Microsoft Edge. So what I've done here, actually, I've disabled it because I've got all this different stuff going on here, but I'll go into Settings here and enable it. Actually, I want to go into Extensions and enable this. So I use Proton Pass, like I said. So I'll enable that.
Paul Thurrott [00:06:47]:
It's up here in the taskbar, or the toolbar. When this is enabled, this is what will autofill passwords and passkeys and other things, right? And so that's very useful. But the other thing you actually have to do is go into Passwords and Autofill, or whatever the equivalent is in whatever browser it is you're using, and turn off the native password features in the browser, because you don't want these two things fighting each other, right? So in this case you can see I've actually turned this off. So Microsoft Password Manager is disabled, leave it disabled, and all the options related to it are disabled. Right. And so that will just hand off everything that I'm going to do to that other password manager, in my case Proton Pass.
Paul Thurrott [00:07:32]:
But whichever one. The important part is to disable this. The other thing you have to do, and this I did not do with Microsoft, is delete all of the passwords you have. You can see I still have some in here. I didn't do this on purpose. I do a lot of testing of different things, so I have to actually have multiple versions of this. So this is not a full copy of my passwords, but I do have some here.
Paul Thurrott [00:07:57]:
Seriously, get rid of those things. So don't have them in multiple places. Okay. So Windows 11, we talked about this a lot. I strongly feel that you should sign in with a Microsoft account, or a Microsoft work or school account if that's what you have to do, and not a local account. These online accounts are protected with 2FA, MFA, whatever, two-step authentication. They can be recovered if they're hacked.
Paul Thurrott [00:08:22]:
They back up certain settings to the cloud automatically. They're protected by Windows Hello. So any time you sign into Windows with a password-based account, or an account with a password, you have to set up a PIN. That's another small level of security. You're supposed to have a different code, it could be a 4- or 6-character, whatever, alphanumeric code, for every computer or device that you use. I suspect most people do not do that, but you should.
Paul Thurrott [00:08:46]:
And then you can use the facial recognition or fingerprint recognition. Right. When you sign in with a Microsoft account or a Microsoft work or school account, the disk is automatically encrypted. I'm actually in here already, and I think I can show that pretty quickly. You can see it's just encrypted, it's automatic. The recovery key for this is backed up automatically to OneDrive, so you can get to it from any device. That's good. And then you get this passkey-based, it's a single sign-on capability.
Paul Thurrott [00:09:15]:
I think of it as authentication pass-through for apps and services you run in Windows. So when I run OneDrive or run Edge, the Microsoft Store and so on, whatever I've signed in with passes through to those apps automatically. If you are going to use a local account, we talked about this, we did an episode sometime in the past year, but just take the steps to secure this computer. Set up a password, then set up a PIN, then set up other forms of Windows Hello. Go and encrypt the disk.
Paul Thurrott [00:09:43]:
You'll have to back up that recovery key yourself. You'll need to add your Microsoft account in Settings or manually sign into apps and so forth. But I think for most people it's easier just to sign in with a Microsoft account. I think this is the safest approach for most people. You need to look at the Windows Security app from time to time. That's this thing here. In my case, it's looking good. There's a little green checkbox.
Paul Thurrott [00:10:08]:
Everything's fine. But if we run this app, sometimes you'll see some of these things will have a yellow bang, like an exclamation point. That means something needs to be looked at. Some security feature isn't enabled. Microsoft doesn't enable all security features in Windows by default because of privacy concerns. I don't see any actual privacy concerns here, but if there's any data being exchanged here in the context of a security feature, it's anonymized, et cetera. So whatever that might be, I would go with, like, App and browser control. One of these might be off, turn it on, you know, that kind of thing.
Paul Thurrott [00:10:44]:
A couple of things you should look at, and I think we discussed some of these fairly recently. Ransomware protection. You can turn on controlled folder access. If you're using OneDrive, you get this automatically for your documents if you're saving them there, and that's great. Smart App Control is actually changing this year. But the way that this works is you get a new computer, it's in evaluation mode. Generally speaking, in my experience, it's just turned off over time, in which case you could never turn it back on.
Paul Thurrott [00:11:13]:
You could just come in here and turn it on. And what this basically does is use heuristics, they would probably call it AI today, to determine if an unknown app might or might not be malicious. And if it is, it will try to block it. I have seen recently, however, that this is actually starting to turn on for me on certain PCs. So that's interesting. And Microsoft announced they're going to let you toggle this thing on and off at any time. So that's fantastic. It'll be easier to use, and that's good.
Paul Thurrott [00:11:40]:
We also talked about a feature called admin protection, or administrator protection. And if you go in here, you can see it's not here. I believe this has actually been delayed. They've been testing it through the Insider program. It's supposed to ship in 25H2. It will be disabled by default whenever it does ship, if you don't have it yet. It's an aggressive feature and it's actually kind of hard to use, so we'll see what happens here. But basically, when it comes to securing your computer, in Windows 11's case anyway, it's mostly just about common sense, right?
Paul Thurrott [00:12:14]:
If you want to be super careful about things, there is a feature in Windows called Windows Sandbox. You'll find it here in the Turn Windows features on or off control panel. This is a virtualized copy of this version of the operating system. So it's actually sort of a mini copy of what you're running here. So it spins up really quick.
Paul Thurrott [00:12:34]:
You can install an app in it, make sure it's what you want, make sure it's not doing anything screwy, and if it works that way, you can just install it on the computer. I don't have Sandbox installed here. I just showed you how to get it. But the point of this is, when you close this thing, it disappears. So whatever you did in there is gone forever. The other thing it helps to just pay a little bit of attention to is the recovery features in Windows 11. So technically you can get to this from two different places, but it's really in System and then Recovery.
Paul Thurrott [00:13:05]:
Here you can go through Windows Update, Advanced options. Down here, you'll see Recovery again, but it just goes to System, Recovery. Right? We've talked about a bunch of this stuff over time. Quick Machine Recovery is a fairly new feature that's kind of a good one. But if you're having problems with your PC, you can get into the Windows Recovery Environment. You can reset the computer if you want to blow the whole thing away. Quick Machine Recovery, and also Fix problems with Windows Update, are really neat ways to bring back a computer that might not be working as well as you want. And sure, I've given this advice too, but it helps to have Windows 11 install media on hand.
Paul Thurrott [00:13:42]:
You can always download it from the web. But if something's going wrong and you want to get going again, it's nice if you can just plug that thing in and go. So that stuff is on the disk, but if you can't get to it, it's helpful to have a USB key that can do that. And then the other thing is just to sync everything to the cloud. That doesn't actually have to mean OneDrive, although Microsoft would like it to mean OneDrive. I am, on this computer, actually using OneDrive, but I usually use Synology Drive. I've used Google Drive, obviously Dropbox, and there are other solutions, but the idea here is that you don't have files all over your computer, so that if you can't get in for some reason, maybe the computer was stolen or something's wrong with it,
Paul Thurrott [00:14:19]:
you don't have files sitting on only that disk. So in my case, I have my own little folder structure here, but if you go into here, you can see where I have all my stuff. So the things that are over here in the navigation bar on the left are basically in this folder here. And so these things are synced to the cloud. If I lose this computer tomorrow, I open another laptop, I can get right to everything. And so just working through OneDrive, or any cloud service, right, will kind of help relieve that anxiety that could occur when something goes wrong with hardware, as it often does. Okay, so this was a high-level overview. That was by design.
Paul Thurrott [00:14:58]:
Sorry there wasn't a lot of hands-on there. But in the next, at least, two or three episodes, we're going to dive deeper on some of this stuff, starting with passkeys, which I think will be about two episodes long. We'll look at authenticator apps and we'll look at other aspects of security over time. But this is the right time of year, I think, to look at this stuff again. So hopefully you found this useful. And we'll have a new episode of Hands on Windows every Thursday. You can find out more at twit.tv/how.
Paul Thurrott [00:15:28]:
Thank you so much for watching. Thank you especially to our Club Twit members. We do love you. If you're not a member, please consider it, and you can find out more about that at twit.tv/clubtwit. Thanks. I'll see you next week.