Security and Assurance

Update: Microsoft will be moving away from UserVoice sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback.

Security and compliance in datacenters, private cloud and hosting environments.
  1. Allow to set user rights for windows services in services.msc

    Please add a "Security" tab for services in services.msc to be able to give specific users/groups the right to start and stop a service.

    This would make it easier to have fewer users with admin privileges on the systems.

    Currently I have to use Process Explorer to achieve this.

    1 vote

    0 comments  ·  Management tools
  2. Allow (g)MSA accounts to be used with task scheduler gui

    Currently you have to use PowerShell to set a (g)MSA account in task scheduler. This is not very user friendly. After every change in the GUI you have to enter valid credentials - but you can't specify a (g)MSA. So you have to enter a dummy account and change it to the (g)MSA later with PowerShell :/

    1 vote

    0 comments  ·  Management tools
  3. Actually I really don't even know what you're talking about I just want to be heard everywhere I go About a business poo poo'ed

    My idea is this, Take all of your employees and retrain every one of them. Starting with "CUSTOMERS" The customer is always right. Once they get that down. Then stop there and have everyone drive to a mall close by, and just stop. Find some people and engage first with "WAIT A MINUTE" listen. Whatever you were thinking to do or thinking whatever just wait. You shouldn't be bummed. Don't let it get you BUTT HURT. At least we're on the right track. Once you start engaging with real people you'll find that their…

    1 vote

    0 comments  ·  Authentication
  4. PCI BUS

    I DON'T KNOW ABOUT YOU,
    BUT WHEN I PURCHASED MY INSIGNIA FLEX, AND PAID FOR 1 YEAR OF INSURANCE ON TOP OF MY WARRANTY.
    DID I KNOW SOMEONE WAS GOING TO INTERNALLY TAKE IT OVER, LOCK ME OUT OF MY OWN ADMIN ACCOUNT AND TO THIS DAY, HAVE NO ACCESS ON MY OWN COMPUTER.
    MY COMP WON'T UPDATE AND I SPEND ALL OF MY TIME DOING THIS, FINDING SOLUTIONS AND ******** FOR TWO YEARS NOW...I WILL BE MORE THAN HAPPY TO SELL IT TO WHOMEVER REMOTELY CONTROLS IT..I DIDN'T GIVE THEM ANY PERMISSION..THEY HAVE TAKEN OVER MY INTERNET ALSO AND USE ME AS…

    2 votes

    0 comments  ·  Dynamic Access Control (DAC)
  5. HGS (host guardian service) as Azure service

    For PAW or other guarded host scenario, to leverage Azure HGS for device health attestation

    30 votes

    0 comments
  6. Privileged access workstation managed by Azure

    Azure PAW service, so the customer PAW devices can be managed by Microsoft, and customer can run multiple workloads on the secure device.

    54 votes

    4 comments  ·  Misc
  7. Memory corruption issue on certificates mmc snap-in (German language)

    Reproducible on Windows Server 2016 and Server 2019 (and many other versions with German language)

    - Open mmc.exe and import the certificates snap-in two times (user and computer)
    - Open the "Personal Certificates" -> "Certificates" folder
    - Then click on "All Tasks" -> "Import..." -> Next -> Browse
    - Open the file type ComboBox

    Some random characters appear.

    https://social.technet.microsoft.com/Forums/office/en-US/f0736be4-7ff1-496a-9275-d5a8faf25b1d/memory-corruption-issue-on-certificates-mmc-snapin?forum=win10itprogeneral

    1 vote

    0 comments  ·  Certificates and CA
  8. Publish somewhere, an explanation about new SIDs added in service security descriptors of Windows Server 2019

    For example, in Windows Server 2016 1607, the SD SDDL for w32time service (sc sdshow w32time) is:
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)

    Now, in Windows Server 2019 1809, the SD SDDL for w32time service is:
    D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPLOCRRC;;;LS)(A;;CCSWWPLORC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833)

    What is the identity for this unsolvable SID?
    S-1-5-80-3169285310-278349998-1452333686-3865143136-4212226833

    1 vote

    1 comment  ·  Misc
  9. Initialize-HgsServer fails when Kerberos RC4 is disabled

    If you modify the security setting "Network security: Configure encryption types allowed for Kerberos" to only allow AES and not RC4, you get this error when initializing the Host Guardian Service:

    New-HgsGmsa : Active Directory operation failed with the following error:
    Install-ADServiceAccount : Cannot install service account. Error Message: 'The provided context did not match the
    target.'.

    This happens with gMSA accounts and is described in this blog post
    https://blogs.technet.microsoft.com/joelvickery/cannot-install-service-account-the-provided-context-did-not-match-the-target/

    The New-ADServiceAccount command within HgsServer.psm1 should be modified to pass the KerberosEncryptionTypes parameter.

    3 votes

    0 comments
  10. HELPING HANDS FOR POOR CHILD&PEOPLES

    NOW AT THIS TIME OUR WORLDS MANY FAMILY FACES FLOODS.THEY ARE SOMEONE RICHES BUT MANY OF THE FAMILY SO MUCH POOR.PLEASE REQUEST YOU ALL RICHEST PERSON PLEASE HELP THEM WITHIN FOOD,MEDICINE,CLOTHES,HOUSE PLEASE PLEASE PLEASE

    1 vote

    1 comment  ·  Auditing
  11. Defender AV should be in passive mode when enrolled with ATP with 3rd party AV

    Windows Defender AV should act the same on Server 2016 as it does on Windows 10. If the server is enrolled to Defender ATP and third party AV is installed, it should go into passive mode to ensure that it can still apply reactive protection to the Server OS as required by Defender ATP.

    Also, then you will be able to troubleshoot Windows Update by using the get-windowsupdatelog command!

    4 votes

    0 comments
  12. ADFS Management Console missing from RSAT

    As Windows Server 2016 Core no longer supports Minimal UI, I set up a management server for remote management. Installed all the management tools, but now there is no MMC for ADFS.

    63 votes

    9 comments  ·  Management tools
  13. Definition Updates for Defender should not use Windows Update

    Defender could easily get new definitions with another mechanism than Windows Update - like every other AV tool.

    It is a pain to get announcements of new updates all the time just because Defender needs new definitions.

    Please do not tell me to use wsus or sccm. I have no need for either of them.

    8 votes

    1 comment
  14. RDCMan doesn't expose an option for Restricted Admin

    This might not be the most optimal place for this request, but it somewhat fits and I can't seem to find anywhere more suitable, plus RDCMan is an official Microsoft tool...

    Remote Desktop Connection Manager (RDCMan) doesn't currently seem to expose the RDP Restricted Admin option.

    This feature is great for secure remote server administration when you can't use PowerShell remoting - many such cases still exist!

    It's probably not a huge task either, the GUI just needs a checkbox for the feature which is already implemented elsewhere.

    8 votes

    2 comments  ·  Authentication
  15. Verification while holding the fingerprint reader, combined with an IR-Face-ID-Cam

    Hi

    I'm not sure if I'm in the right place and I'm just a normal user.

    I've to change my passwords every few weeks and must change it in every device. I’ve to write it every time while I’m working on different levels on another computer. The passwords become longer and longer and more and more complex. The topic "passwords in a company" or even on a private System needs a lot of time over a year. I have a long password with all kinds of Extras in it and I'm not that bad on a keyboard but I'm sure…

    2 votes

    0 comments  ·  Biometric
  16. Allow Windows Server 2016 to support disabling SMBv1 _and_ Server SPN target name validation

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/d520f2d4-4847-403d-bab6-1b33251a761c/issue-disabling-smbv1-and-windows-server-2016?forum=winserversecurity
    On Server 2016, disabling (removing) SMBv1 and having Microsoft network server: Server SPN target name validation level = Required from client (2) are currently not “working together”, yet it works on the other Windows operating systems just fine.

    To recreate this:
    1) Test with a Domain-joined Windows Server 2016 box
    2) Remove-WindowsFeature FS-SMB1 on the Windows Server 2016 box
    3) GPO set or reghack on the Windows Server 2016 box: Server SPN target name validation level = Required from client (2)
    4) Reboot the Windows Server 2016

    Domain Admins are now unable to connect to the \\Server2016\C$ default share…

    8 votes

    3 comments  ·  Authentication
  17. import-pfxcertificate needs to support legacy private key storage format

    When using Import-PFXCertificate to import PFXs that contain a private key, the private key appears to be stored using CNG "Microsoft Software Key Storage Provider" instead of the legacy format "Microsoft Enhanced Cryptographic Provider v1.0".

    Most Microsoft products can't read this format.

    The PS-Drive Provider "Certificate" can't even read keys in this format.

    It would be helpful to update the CMDLet to support CNG, however, as pointed out in this article: https://www.sysadmins.lv/blog-en/retrieve-cng-key-container-name-and-unique-name.aspx - almost no .NET apps use CNG because it has only been accessible via native APIs.

    Without being able to force the key storage format to the older…

    6 votes

    0 comments  ·  Certificates and CA
  18. Enhance the password complexity requirements

    Give the possibility for admins to increase the numbers of character set combinations. Currently it is 3, but we would like to make it 4 and we can't. We are "forced" to invest in an external party creating custom password filters - from what I am reading in TechNet forums.

    10 votes

    1 comment  ·  Authentication
  19. Disable Insecure Cipher Suites and Protocols BY DEFAULT

    SCHannel in Windows Server 2016 TP5 still has RC4 Ciphers and even SSLv3 enabled by default. Which is a complete joke from a security standpoint. If Microsoft doesn't want their server to be insecure by default, disable those like every other major vendor has done.

    14 votes

    1 comment  ·  SSL/TLS/Schannel
  20. Remove Windows Defender from default install

    1) Windows Defender causes the installation of a lab setup to be 4x slower: https://github.com/Microsoft/ws2016lab/wiki

    2) Please don't even get me started on how wrong you are doing if you need to put an antivirus solution IN A SERVER. (WTF Microsoft?!)

    3) Obligatory xkcd reference: https://xkcd.com/463/

    6 votes

    2 comments  ·  Misc