Security and Assurance

Security and compliance in datacenters, private cloud and hosting environments.

How can we help address your security and compliance needs in your server environment?

  1. HGS (host guardian service) as Azure service

    For PAW or other guarded host scenario, to leverage Azure HGS for device health attestation

    3 votes
      0 comments
    • Install-AdcsEnrollmentPolicyWebService Ignores -WhatIf Parameter

      The following PowerShell command should NOT configure the Enrollment Policy Web Service, because it has the -WhatIf parameter:
      Install-AdcsEnrollmentPolicyWebService -AuthenticationType Certificate -Force -SSLCertThumbprint 'f0262dcf287f3e250d1760508c4ca87946006e1e' -KeyBasedRenewal:$false -WhatIf

      However, it does configure it. The same goes for Uninstall-AdcsEnrollmentPolicyWebService.

      This is bad practice for PowerShell cmdlets. It is also preventing us creating a DSC resource to configure this feature.

      4 votes
        2 comments  ·  Certificates and CA
      • MICROSOFT AC BUS

        SIR BILL GATES IS OUR IDEAL PERSON. HE HAS CREATED SO MANY EASY WAYS FOR OUR LIFESTYLE. OTHERWISE IF HE WILL BE CREATING A DECENT MICROSOFT AC BUS FOR ALL CLASSES OF PEOPLE, IT WILL BE THE BEST IMPACT FOR OUR LIFESTYLE. & WE NEED A LOT OF THAT BUS IN INDIA.

        1 vote
          0 comments  ·  Authorization
        • SUPERIOR MICROSOFT AEROPLANE

          WE ARE INDIAN & WE LOVE OUR WORLD SO MUCH. NOW, THE WORLD IS SO MUCH FAST & CLEAN. IN THIS TIME, MICROSOFT IS A GREAT WAY FOR OUR LIFESTYLE. MICROSOFT WILL BE CREATING & MAKING A LOT OF DECENT AIRPLANES FOR OUR EASIER LIFESTYLE. IT WILL BE THE BEST IMPACT FOR OUR WHOLE WORLD. THAT AIRPLANE WILL BE USED FOR PASSENGERS, CONTAINING PRODUCTS, SUPPLYING (WATER, FOOD, CLOTHES, MEDICINE, ETC.) & PATIENTS FOR EMERGENCY. I MEAN IT IS VARIOUS WAYS LIKE STEP 1 = PASSENGER AIRPLANE, STEP 2 = WATER AIRPLANE, STEP 3 = PATIENT AIRPLANE, STEP 4 = SUPPLYING ALL LEGAL (PRODUCTS, FOOD, MEDICINE).

          1 vote
            0 comments  ·  Authorization
          • HELPING HANDS FOR POOR CHILDREN & PEOPLE

            NOW AT THIS TIME MANY OF OUR WORLD'S FAMILIES FACE FLOODS. SOME OF THEM ARE RICH BUT MANY OF THE FAMILIES ARE SO MUCH POOR. PLEASE, I REQUEST YOU ALL RICHEST PERSONS, PLEASE HELP THEM WITH FOOD, MEDICINE, CLOTHES, HOUSE, PLEASE PLEASE PLEASE

            1 vote
              0 comments  ·  Auditing
            • Initialize-HgsServer fails when Kerberos RC4 is disabled

              If you modify the security setting "Network security: Configure encryption types allowed for Kerberos" to only allow AES and not RC4, you get this error when initializing the Host Guardian Service:

              New-HgsGmsa : Active Directory operation failed with the following error:
              Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the
              target.'.

              This happens with gMSA accounts and is described in this blog post
              https://blogs.technet.microsoft.com/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target/

              The New-ADServiceAccount command within HgsServer.psm1 should be modified to pass the KerberosEncryptionTypes parameter.

              1 vote
                0 comments
              • Privileged access workstation managed by Azure

                Azure PAW service, so the customer PAW devices can be managed by Microsoft, and customer can run multiple workloads on the secure device.

                3 votes
                  0 comments  ·  Misc
                • Defender AV should be in passive mode when enrolled with ATP with 3rd party AV

                  Windows Defender AV should act the same on Server 2016 as it does on Windows 10. If the server is enrolled in Defender ATP and a third-party AV is installed, it should go into passive mode to ensure that it can still apply reactive protection to the Server OS as required by Defender ATP.

                  Also, then you will be able to troubleshoot Windows Update by using the Get-WindowsUpdateLog command!

                  3 votes
                    0 comments
                  • Definition Updates for Defender should not use Windows Update

                    Defender could easily get new definitions with another mechanism than Windows Update - like every other AV tool.

                    It is a pain to get announcements of new updates all the time just because Defender needs new definitions.

                    Please do not tell me to use wsus or sccm. I have no need for either of them.

                    5 votes
                      1 comment
                    • Verification while holding the fingerprint reader, combined with an IR-Face-ID-Cam

                      Hi

                      I'm not sure if I'm on the right place and I'm just a normal user.

                      I've to change my passwords every few weeks and must change it in every device. I’ve to write it every time while I’m working on different levels on another computer. The passwords become longer and longer and more and more complex. The topic "passwords in a company" or even on a private System needs a lot of time over a year. I have a long password with all kinds of Extras in it and I'm not that bad on a keyboard but I'm sure…

                      1 vote
                        0 comments  ·  Biometric
                      • RDCMan doesn't expose an option for Restricted Admin

                        This might not be the most optimal place for this request, but it somewhat fits and I can't seem to find anywhere more suitable, plus RDCMan is an official Microsoft tool...

                        Remote Desktop Connection Manager (RDCMan) doesn't currently seem to expose the RDP Restricted Admin option.

                        This feature is great for secure remote server administration when you can't use PowerShell remoting - many such cases still exist!

                        It's probably not a huge task either, the GUI just needs a checkbox for the feature which is already implemented elsewhere.

                        5 votes
                          0 comments  ·  Authentication
                        • xcertificateimport

                          When using the interactive Windows Certificates snap-in, a 3rd very important cert target store type can be selected:
                          One can select "my user account", "computer account" and "service account" as target for certificates.

                          xCertificateImport currently seems to only support 2 target store types:
                          Location: 'LocalMachine' or 'CurrentUser'

                          As an admin it would be very cool to be able to also use xCertificateImport to manage service-related certificates, as there are otherwise no PowerShell means to do so and the GUI cert tool is a PITA, as it's not scriptable. And there are Microsoft's own services out there that need such…

                          1 vote
                            1 comment  ·  Certificates and CA
                          • File Audit recording user activities not added to be audited

                            The security log is still recording user activities not added to the audit setting and recording permissions not added to be audited. For example, if you want to audit write only, the security log still audits read & list folder contents, which I don't need to audit, and this makes the audit log huge.

                            1 vote
                              1 comment  ·  Auditing
                            • ADFS Management Console missing from RSAT

                              As Windows Server 2016 Core no longer supports Minimal UI, I set up a management server for remote management. I installed all the management tools, but now there is no MMC for ADFS.

                              28 votes
                                3 comments  ·  Management tools
                              • Allow Windows Server 2016 to support disabling SMBv1 _and_ Server SPN target name validation

                                https://social.technet.microsoft.com/Forums/windowsserver/en-US/d520f2d4-4847-403d-bab6-1b33251a761c/issue-disabling-smbv1-and-windows-server-2016?forum=winserversecurity
                                On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.

                                To recreate this:
                                1) Test with a Domain-joined Windows Server 2016 box
                                2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
                                3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
                                4) Reboot the Windows Server 2016

                                Domain Admins are now unable to connect to the \\Server2016\C$ default share…

                                7 votes
                                  3 comments  ·  Authentication
                                • Add ECDSA Platform Crypto Provider

                                  Now that TPM 2.0 supports EC, the Platform Crypto Provider should support it.

                                  4 votes
                                    2 comments  ·  Certificates and CA
                                  • import-pfxcertificate needs to support legacy private key storage format

                                    When using Import-PFXCertificate to import PFXs that contain a private key the private key appears to be stored using CNG "Microsoft Software Key Storage Provider" instead of the legacy format "Microsoft Enhanced Cryptographic Provider v1.0"

                                    Most Microsoft products can't read this format.

                                    The PS-Drive Provider "Certificate" can't even read keys in this format.

                                    It would be helpful to update the CMDLet to support CNG, however, as pointed out in this article: https://www.sysadmins.lv/blog-en/retrieve-cng-key-container-name-and-unique-name.aspx - almost no .NET apps use CNG because it has only been accessible via native APIs.

                                    Without being able to force the key storage format to the older…

                                    3 votes
                                      0 comments  ·  Certificates and CA
                                    • Enhance the password complexity requirements

                                      Give the possibility for admins to increase the numbers of character set combinations. Currently it is 3, but we would like to make it 4 and we can't. We are "forced" to invest in an external party creating custom password filters - from what I am reading in TechNet forums.

                                      7 votes
                                        1 comment  ·  Authentication
                                      • Disable Insecure Cipher Suites and Protocols BY DEFAULT

                                        Schannel in Windows Server 2016 TP5 still has RC4 ciphers and even SSLv3 enabled by default, which is a complete joke from a security standpoint. If Microsoft doesn't want their server to be insecure by default, disable those like every other major vendor has done.

                                        10 votes
                                          1 comment  ·  SSL/TLS/Schannel
                                        • Remove Windows Defender from default install

                                          1) Windows Defender causes the installation of a lab setup to be 4x slower: https://github.com/Microsoft/ws2016lab/wiki

                                          2) Please don't even get me started on how wrong you are doing if you need to put an antivirus solution IN A SERVER. (WTF Microsoft?!)

                                          3) Obligatory xkcd reference: https://xkcd.com/463/

                                          5 votes
                                            2 comments  ·  Misc