On Thursday, OpenAI released an early Windows version of its first ChatGPT app for Windows, following a Mac version that launched in May. Currently, it’s only available to subscribers of Plus, Team, Enterprise, and Edu versions of ChatGPT, and users can download it for free in the Microsoft Store for Windows.
OpenAI is positioning the release as a beta test. “This is an early version, and we plan to bring the full experience to all users later this year,” OpenAI writes on the Microsoft Store entry for the app. (Interestingly, ChatGPT shows up as being rated “T for Teen” by the ESRB in the Windows store, despite not being a video game.)
A screenshot of the new Windows ChatGPT app captured on October 18, 2024.
Credit: Benj Edwards
A screenshot of the new Windows ChatGPT app captured on October 18, 2024. Credit: Benj Edwards
Upon opening the app, OpenAI requires users to log into a paying ChatGPT account, and from there, the app is basically identical to the web browser version of ChatGPT. You can currently use it to access several models: GPT-4o, GPT-4o with Canvas, 01-preview, 01-mini, GPT-4o mini, and GPT-4. Also, it can generate images using DALL-E 3 or analyze uploaded files and images.
If you’re running Windows 11, you can instantly call up a small ChatGPT window when the app is open using an Alt+Space shortcut (it did not work in Windows 10 when we tried). That could be handy for asking ChatGPT a quick question at any time.
A screenshot of the new Windows ChatGPT app listing in the Microsoft Store captured on October 18, 2024.
Credit: Benj Edwards
A screenshot of the new Windows ChatGPT app listing in the Microsoft Store captured on October 18, 2024. Credit: Benj Edwards
And just like the web version, all the AI processing takes place in the cloud on OpenAI’s servers, which means an Internet connection is required.
So as usual, chat like somebody’s watching, and don’t rely on ChatGPT as a factual reference for important decisions—GPT-4o in particular is great at telling you what you want to hear, whether it’s correct or not. As OpenAI says in a small disclaimer at the bottom of the app window: “ChatGPT can make mistakes.”
A look at some of the changes and odds and ends in this year’s Windows release.
The Windows 11 2024 Update, also known as Windows 11 24H2, started rolling out last week. Your PC may have even installed it already!
The continuous feature development of Windows 11 (and Microsoft’s phased update rollouts) can make it a bit hard to track exactly what features you can expect to be available on any given Windows PC, even if it seems like it’s fully up to date.
This isn’t a comprehensive record of all the changes in the 2024 Update, and it doesn’t reiterate some basic but important things like Wi-Fi 7 or 80Gbps USB4 support. But we’ve put together a small list of new and interesting changes that you’re guaranteed to see when your version number rolls over from 22H2 or 23H2 to 24H2. And while Microsoft’s announcement post spent most of its time on Copilot and features unique to Copilot+ PCs, here, we’ll only cover things that will be available on any PC you install Windows 11 on (whether it’s officially supported or not).
Quick Settings improvements
The Quick Settings panel sees a few nice quality-of-life improvements. The biggest is a little next/previous page toggle that makes all of the Quick Settings buttons accessible without needing to edit the menu to add them. Instead of clicking a button and entering an edit menu to add and remove items from the menu, you click and drag items between pages. The downside is that you can’t see all of the buttons at once across three rows as you could before, but it’s definitely more handy if there are some items you want to access sometimes but don’t want to see all the time.
A couple of individual Quick Settings items see small improvements: a refresh button in the lower-right corner of the Wi-Fi settings will rescan for new Wi-Fi networks instead of making you exit and reopen the Wi-Fi settings entirely. Padding in the Accessibility menu has also been tweaked so that all items can be clearly seen and toggled without scrolling. If you use one or more VPNs that are managed by Windows’ settings, it will be easier to toggle individual VPN connections on and off, too. And a Live Captions accessibility button to generate automatic captions for audio and video is also present in Quick Settings starting in 24H2.
More Start menu “suggestions” (aka ads)
Amid apps I’ve recently installed and files I’ve recently opened, the “recommended” area of the Start menu will periodically recommend apps to install. These change every time I open the Start menu and don’t seem to have anything to do with my actual PC usage. Credit: Andrew Cunningham
One of the first things a fresh Windows install does when it connects to the Internet is dump a small collection of icons into your Start menu, things grabbed from the Microsoft Store that you didn’t ask for and may not want. The exact apps change from time to time, but these auto-installs have been happening since the Windows 10 days.
The 24H2 update makes this problem subtly worse by adding more “recommendations” to the lower part of the Start menu below your pinned apps. This lower part of the Start menu is usually used for recent files or newly (intentionally) installed apps, but with recommendations enabled, it can also pull recommended apps from the Microsoft Store, giving Microsoft’s app store yet another place to push apps on you.
These recommendations change every time you open the Start menu—sometimes you’ll see no recommended apps at all, and sometimes you’ll see one of a few different app recommendations. The only thing that distinguishes these items from the apps and files you have actually interacted with is that there’s no timestamp or “recently added” tag attached to the recommendations; otherwise, you’d think you had downloaded and installed them already.
These recommendations can be turned off in the Start menu section of the Personalization tab in Settings.
Context menu labels
Text labels added to the main actions in the right-click/context menu. Credit: Andrew Cunningham
When Windows 11 redesigned the right-click/context menu to help clean up years of clutter, it changed basic commands like copy and paste from text labels to small text-free glyphs. The 2024 Update doesn’t walk this back, but it does add text labels back to the glyphs, just in case the icons by themselves didn’t accurately communicate what each button was used for.
Windows 11’s user interface is full of little things like this—stuff that was changed from Windows 10, only to be changed back in subsequent updates, either because people complained or because the old way was actually better (few text-free glyphs are truly as unambiguously, universally understood as a text label can be, even for basic commands like cut, copy, and paste).
To recap, each annual Windows update also has a new major build number; for 24H2, that build number is 26100. In 22H2 and 23H2, it was 22621 and 22631. There’s also a minor build number, which is how you track which of Windows’ various monthly feature and security updates you’ve installed. This number starts at zero for each new annual update and slowly increases over time. The PC I’m typing this on is running Windows 11 build 26100.1882; the first version released to the Release Preview Windows Insider channel in June was 26100.712.
In previous versions of Windows, any monthly cumulative update that your PC downloads and installs can update any build of Windows 11 22H2/23H2 to the newest build. That’s true whether you’re updating a fresh install that’s missing months’ worth of updates or an actively used PC that’s only a month or two out of date. As more and more updates are released, these cumulative updates get larger and take longer to install.
Starting in Windows 11 24H2, Microsoft will be able to designate specific monthly updates as “checkpoint” updates, which then become a new update baseline. The next few months’ worth of updates you download to that PC will contain only the files that have been changed since the last checkpoint release instead of every single file that has been changed since the original release of 24H2.
If you’re already letting Windows do its update thing automatically in the background, you probably won’t notice a huge difference. But Microsoft says these checkpoint cumulative updates will “save time, bandwidth, and hard drive space” compared to the current way of doing things, something that may be more noticeable for IT admins with dozens or hundreds of systems to keep updated.
Sudo for Windows
A Windows version of the venerable Linux sudo command—short for “superuser do” or “substitute user do” and generally used to grant administrator-level access to whatever command you’re trying to run—first showed up in experimental Windows builds early this year. The feature has formally been added in the 24H2 update, though it’s off by default, and you’ll need to head to the System settings and then the “For developers” section to turn it on.
When enabled, Sudo for Windows (as Microsoft formally calls it) allows users to run software as administrator without doing the dance of launching a separate console window as an administrator.
By default, using Sudo for Windows will still open a separate console window with administrator privileges, similar to the existing runas command. But it can also be configured to run inline, similar to how it works from a Linux or macOS Terminal window, so you could run a mix of elevated and unelevated software from within the same window. A third option, “with input disabled,” will run your software with administrator privileges but won’t allow additional input, which Microsoft says reduces the risk of malicious software gaining administrator privileges via the sudo command.
One thing the runas command supports that Sudo for Windows doesn’t is the ability to run software as any local user—you can run software as the currently-logged-in user or as administrator, but not as another user on the machine, or using an account you’ve set up to run some specific service. Microsoft says that “this functionality is on the roadmap for the sudo command but does not yet exist.”
Protected print mode
Enabling the (currently optional) protected print mode in Windows 11 24H2. Credit: Andrew Cunningham
Microsoft is gradually phasing out third-party print drivers in Windows in favor of more widely compatible universal drivers. Printer manufacturers will still be able to add things on top of those drivers with their own apps, but the drivers themselves will rely on standards like the Internet Printing Protocol (IPP), defined by the Mopria Alliance.
Windows 11 24H2 doesn’t end support for third-party print drivers yet; Microsoft’s plan for switching over will take years. But 24H2 does give users and IT administrators the ability to flip the switch early. In the Settings app, navigate to “Bluetooth & devices” and then to “Printers & scanners” and enable Windows protected print mode to default to the universal drivers and disable compatibility. You may need to reconnect to any printer you had previously set up on your system—at least, that was how it worked with a network-connected Brother HL-L2340D I use.
This isn’t a one-way street, at least not yet. If you discover your printer won’t work in protected print mode, you can switch the setting off as easily as you turned it on.
New setup interface for clean installs
When you create a bootable USB drive to install a fresh copy of Windows—because you’ve built a new PC, installed a new disk in an existing PC, or just want to blow away all the existing partitions on a disk when you do your new install—the interface has stayed essentially the same since Windows Vista launched back in 2006. Color schemes and some specific dialog options have been tweaked, but the interface itself has not.
For the 2024 Update, Microsoft has spruced up the installer you see when booting from an external device. It accomplishes the same basic tasks as before, giving you a user interface for entering your product key/Windows edition and partitioning disks. The disk-partitioning interface has gotten the biggest facelift, though one of the changes is potentially a bit confusing—the volumes on the USB drive you’re booted from also show up alongside any internal drives installed in your system. For most PCs with just a single internal disk, disk 0 should be the one you’re installing to.
Wi-Fi drivers during setup
Microsoft’s obnoxious no-exceptions Microsoft account requirement for all new PCs (and new Windows installs) is at its most obnoxious when you’re installing on a system without a functioning network adapter. This scenario has come up most frequently for me when clean-installing Windows on a brand-new PC with a brand-new, as-yet-unknown Wi-Fi adapter that Windows 11 doesn’t have built-in drivers for. Windows Update is usually good for this kind of thing, but you can’t use an Internet connection to fix not having an Internet connection.
Microsoft has added a fallback option to the first-time setup process for Windows 11 that allows users to install drivers from a USB drive if the Windows installer doesn’t already include what you need. As a failover, would we prefer to see an easy-to-use option that didn’t require Microsoft account sign-in? Sure. But this is better than it was before.
To bypass this entirely, there are still local account workarounds available for experts. Pressing Shift + F10, typing OOBEBYPASSNRO in the Command Prompt window that opens, and hitting Enter is still there for you in these situations.
Boosted security for file sharing
The 24H2 update has boosted the default security for SMB file-sharing connections, though, as Microsoft Principal Program Manager Ned Pyle notes, it may result in some broken things. In this case, that’s generally a good thing, as they’re only breaking because they were less secure than they ought to be. Still, it may be dismaying if something suddenly stops functioning when it was working before.
The two big changes are that all SMB connections need to be signed by default to prevent relay attacks and that Guest access for SMB shares is disabled in the Pro edition of Windows 11 (it had already been disabled in Enterprise, Education, and Pro for Workstation editions of Windows in the Windows 10 days). Guest fallback access is still available by default in Windows 11 Home, though the SMB signing requirement does apply to all Windows editions.
Microsoft notes that this will mainly cause problems for home NAS products or when you use your router’s USB port to set up network-attached storage—situations where security tends to be disabled by default or for ease of use.
If you run into network-attached storage that won’t work because of the security changes to 24H2, Microsoft’s default recommendation is to make the network-attached storage more secure. That usually involves configuring a username and password for access, enabling signing if it exists, and installing firmware updates that might enable login credentials and SMB signing on devices that don’t already support it. Microsoft also recommends replacing older or insecure devices that don’t meet these requirements.
That said, advanced users can turn off both the SMB signing requirements and guest fallback protection by using the Local Group Policy Editor. Those steps are outlined here. That post also outlines the process for disabling the SMB signing requirement for Windows 11 Home, where the Local Group Policy Editor doesn’t exist.
Windows Mixed Reality is dead and gone
Several technology hype cycles ago, before the Metaverse and when most “AI” stuff was still called “machine learning,” Microsoft launched a new software and hardware initiative called Windows Mixed Reality. Built on top of work it had done on its HoloLens headset in 2015, Windows Mixed Reality was meant to bring in app developers and the PC makers and allowed them to build interoperable hardware and software for both virtual reality headsets that covered your eyes entirely and augmented reality headsets that superimpose objects over the real world.
But like some other mid-2010s VR-related initiatives, both HoloLens and Windows Mixed Reality kind of fizzled and flailed, and both are on their way out. Microsoft officially announced the end of HoloLens at the beginning of the month, and Windows 11 24H2 utterly removes everything Mixed Reality from Windows.
Microsoft announced this in December of 2023 (in a message that proclaims “we remain committed to HoloLens”), though this is a shorter off-ramp than some deprecated features (like the Android Subsystem for Windows) have gotten. Users who want to keep using Windows Mixed Reality can continue to use Windows 23H2, though support will end for good in November 2026 when support for the 23H2 update expires.
WordPad is also dead
WordPad running in Windows 11 22H2. It will continue to be available in 22H2/23H2, but it’s been removed from the 2024 update. Credit: Andrew Cunningham
We’ve written plenty about this already, but the 24H2 update is the one that pulls the plug on WordPad, the rich text editor that has always existed a notch above Notepad and many, many notches below Word in the hierarchy of Microsoft-developed Windows word processors.
WordPad’s last update of any real substance came in 2009, when it was given the then-new “ribbon” user interface from the then-recent Office 2007 update. It’s one of the few in-box Windows apps not to see some kind of renaissance in the Windows 11 era; Notepad, by contrast, has gotten more new features in the last two years than it had in the preceding two decades. And now it has been totally removed, gone the way of Internet Explorer and Encarta.
Andrew is a Senior Technology Reporter at Ars Technica, with a focus on consumer tech including computer hardware and in-depth reviews of operating systems like Windows and macOS. Andrew lives in Philadelphia and co-hosts a weekly book podcast called Overdue.
Enlarge/ Emojipedia sample images of the new Unicode 16.0 emoji.
The Unicode Consortium has finalized and released version 16.0 of the Unicode standard, the elaborate character set that ensures that our phones, tablets, PCs, and other devices can all communicate and interoperate with each other. The update adds 5,185 new characters to the standard, bringing the total up to a whopping 154,998.
Of those 5,185 characters, the ones that will get the most attention are the eight new emoji characters, including a shovel, a fingerprint, a leafless tree, a radish (formally classified as “root vegetable”), a harp, a purple splat that evokes the ’90s Nickelodeon logo, and a flag for the island of Sark. The standout, of course, is “face with bags under eyes,” whose long-suffering thousand-yard stare perfectly encapsulates the era it has been born into. Per usual, Emojipedia has sample images that give you some idea of what these will look like when they’re implemented by various operating systems, apps, and services.
We last got new emoji in 2023’s Unicode 15.1 update, though all of these designs were technically modifications of existing emoji rather than new characters—many emoji, most notably for skin and hair color variants, use a base emoji plus a modifier emoji, combined together with a “zero-width joiner” (ZWJ) character that makes them display as one character instead. The lime emoji in Unicode 15.1 was actually a lemon emoji combined with the color green; the phoenix was a regular bird joined to the fire emoji. This was likely because 15.1 was only intended as a minor update to 2022’s Unicode 15.0 standard.
Most of the Unicode 16.0 emoji, by contrast, are their own unique characters. The one exception is the Sark flag emoji; flag sequences are created by placing two “regional indicator letters” directly next to each other and don’t require a ZWJ character between them.
Incorporation into the Unicode standard is only the first step that new emoji and other characters take on their journey from someone’s mind to your phone or computer; software makers like Apple, Google, Microsoft, Samsung, and others need to design iterations that fit with their existing spin on the emoji characters, they need to release software updates that use the new characters, and people need to download and install them.
We’ve seen a few people share on social media that the Unicode 16.0 release includes a “greenwashing” emoji designed by Shepard Fairey, an artist best known for the 2008 Barack Obama “Hope” poster. This emoji, and an attempt to gin up controversy around it, is all an elaborate hoax: there’s a fake Unicode website announcing it, a fake lawsuit threat that purports to be from a real natural gas industry group, and a fake Cory Doctorow article about the entire “controversy” published in a fake version of Wired. These were all published to websites with convincing-looking but fake domains, all registered within a couple of weeks of each other in August 2024. The face-with-bags-under-eyes emoji feels like an appropriate response.
Enlarge/ It’s hard to fit the perfomance-minded but pricey ROG Ally X into a simple product category. It’s also tricky to fit it into a photo, at the right angle, while it’s in your hands.
Kevin Purdy
The first ROG Ally from Asus, a $700 Windows-based handheld gaming PC, performed better than the Steam Deck, but it did so through notable compromises on battery life. The hardware also had a first-gen feel and software jank from both Asus’ own wraparound gaming app and Windows itself. The Ally asked an awkward question: “Do you want to pay nearly 50 percent more than you’d pay for a Steam Deck for a slightly faster but far more awkward handheld?”
The ROG Ally X makes that question more interesting and less obvious to answer. Yes, it’s still a handheld that’s trying to hide Windows annoyances, and it’s still missing trackpads, without which some PC games just feel bad. And (review spoiler) it still eats a charge faster than the Steam Deck OLED on less demanding games.
But the improvements Asus made to this X sequel are notable, and its new performance stats make it more viable for those who want to play more demanding games on a rather crisp screen. At $800, or $100 more than the original ROG Ally with no extras thrown in, you have to really, really want the best possible handheld gaming experience while still tolerating Windows’ awkward fit.
The ROG Ally X is essentially the ROG Ally with a bigger battery packed into a shell that is impressively not much bigger or heavier, more storage and RAM, and two USB-C ports instead of one USB-C and one weird mobile port that nobody could use. Asus reshaped the device and changed the face-button feel, and it all feels noticeably better, especially now that gaming sessions can last longer. The company also moved the microSD card slot so that your cards don’t melt, which is nice.
There’s a bit more to each of those changes that we’ll get into, but that’s the short version. Small spec bumps wouldn’t have changed much about the ROG Ally experience, but the changes Asus made for the X version do move the needle. Having more RAM available has a sizable impact on the frame performance of demanding games, and you can see that in our benchmarks.
We kept the LCD Steam Deck in our benchmarks because its chip has roughly the same performance as its OLED upgrade. But it’s really the Ally-to-Ally-X comparisons that are interesting; the Steam Deck has been fading back from AAA viability. If you want the Ally X to run modern, GPU-intensive games as fast as is feasible for a battery-powered device, it can now do that a lot better—for longer—and feel a bit better while you do.
The Rog Ally X has better answered the question “why not just buy a gaming laptop?” than its predecessor. At $800 and up, you might still ask how much portability is worth to you. But the Ally X is not as much of a niche (Windows-based handheld) inside a niche (moderately higher-end handhelds).
I normally would not use this kind of handout image with descriptive text embedded, but Asus is right: the ROG Ally X is indeed way more comfortable (just maybe not all-caps).
Asus
How it feels using the Rog Ally X
My testing of the Rog Ally X consisted of benchmarks, battery testing, and playing some games on the couch. Specifically: Deep Rock Galactic: Survivor and Tactical Breach Wizards on the devices lowest-power setting (“Silent”), Deathloop on its medium-power setting (“Performance”), and Shadow of the Erdtree on its all-out “Turbo” mode.
All four of those games worked mostly fine, but DRG: Survivor pushed the boundaries of Silent mode a bit when its levels got crowded with enemies and projectiles. Most games could automatically figure out a decent settings scheme for the Ally X. If a game offers AMD’s FSR (FidelityFX Super Resolution) upscaling, you should at least try it; it’s usually a big boon to a game running on this handheld.
Overall, the ROG Ally X was a device I didn’t notice when I was using it, which is the best recommendation I can make. Perhaps I noticed that the 1080p screen was brighter, closer to the glass, and sharper than the LCD (original) Steam Deck. At handheld distance, the difference between 800p and 1080p isn’t huge to me, but the difference between LCD and OLED is more so. (Of course, an OLED version of the Steam Deck was released late last year.)
Microsoft is stepping up its plans to make Windows more resilient to buggy software after a botched CrowdStrike update took down millions of PCs and servers in a global IT outage.
The tech giant has in the past month intensified talks with partners about adapting the security procedures around its operating system to better withstand the kind of software error that crashed 8.5 million Windows devices on July 19.
Critics say that any changes by Microsoft would amount to a concession of shortcomings in Windows’ handling of third-party security software that could have been addressed sooner.
Yet they would also prove controversial among security vendors that would have to make radical changes to their products, and force many Microsoft customers to adapt their software.
Last month’s outages—which are estimated to have caused billions of dollars in damages after grounding thousands of flights and disrupting hospital appointments worldwide—heightened scrutiny from regulators and business leaders over the extent of access that third-party software vendors have to the core, or kernel, of Windows operating systems.
Microsoft will host a summit next month for government representatives and cyber security companies, including CrowdStrike, to “discuss concrete steps we will all take to improve security and resiliency for our joint customers,” Microsoft said on Friday.
The gathering will take place on September 10 at Microsoft’s headquarters near Seattle, it said in a blog post.
Bugs in the kernel can quickly crash an entire operating system, triggering the millions of “blue screens of death” that appeared around the globe after CrowdStrike’s faulty software update was sent out to clients’ devices.
Microsoft told the Financial Times it was considering several options to make its systems more stable and had not ruled out completely blocking access to the Windows kernel—an option some rivals fear would put their software at a disadvantage to the company’s internal security product, Microsoft Defender.
“All of the competitors are concerned that [Microsoft] will use this to prefer their own products over third-party alternatives,” said Ryan Kalember, head of cyber security strategy at Proofpoint.
Microsoft may also demand new testing procedures from cyber security vendors rather than adapting the Windows system itself.
Apple, which was not hit by the outages, blocks all third-party providers from accessing the kernel of its MacOS operating system, forcing them to operate in the more limited “user-mode.”
Microsoft has previously said it could not do the same, after coming to an understanding with the European Commission in 2009 that it would give third parties the same access to its systems as that for Microsoft Defender.
Some experts said, however, that this voluntary commitment to the EU had not tied Microsoft’s hands in the way it claimed, arguing that the company had always been free to make the changes now under consideration.
“These are technical decisions of Microsoft that were not part of [the arrangement],” said Thomas Graf, a partner at Cleary Gottlieb in Brussels who was involved in the case.
“The text [of the understanding] does not require them to give access to the kernel,” added AJ Grotto, a former senior director for cyber security policy at the White House.
Grotto said Microsoft shared some of the blame for the July disruption since the outages would not have been possible without its decision to allow access to the kernel.
Nevertheless, while it might boost a system’s resilience, blocking kernel access could also bring “real trade-offs” for the compatibility with other software that had made Windows so popular among business customers, Forrester analyst Allie Mellen said.
“That would be a fundamental shift for Microsoft’s philosophy and business model,” she added.
Operating exclusively outside the kernel may lower the risk of triggering mass outages but it was also “very limiting” for security vendors and could make their products “less effective” against hackers, Mellen added.
Operating within the kernel gave security companies more information about potential threats and enabled their defensive tools to activate before malware could take hold, she added.
An alternative option could be to replicate the model used by the open-source operating system Linux, which uses a filtering mechanism that creates a segregated environment within the kernel in which software, including cyber defense tools, can run.
But the complexity of overhauling how other security software works with Windows means that any changes will be hard for regulators to police and Microsoft will have strong incentives to favor its own products, rivals said.
It “sounds good on paper, but the devil is in the details,” said Matthew Prince, chief executive of digital services group Cloudflare.
Enlarge/ The Recall feature provides a timeline of screenshots and a searchable database of text, thoroughly tracking everything about a person’s PC usage.
Microsoft
Microsoft will begin sending a revised version of its controversial Recall feature to Windows Insider PCs beginning in October, according to an update published today to the company’s original blog post about the Recall controversy. The company didn’t elaborate further on specific changes it’s making to Recall beyond what it already announced in June.
For those unfamiliar, Recall is a Windows service that runs in the background on compatible PCs, continuously taking screenshots of user activity, scanning those screenshots with optical character recognition (OCR), and saving the OCR text and the screenshots to a giant searchable database on your PC. The goal, according to Microsoft, is to help users retrace their steps and dig up information about things they had used their PCs to find or do in the past.
The problem was that other users on the same PC, or attackers with physical or remote access to your PC, could easily access, view, and export those screenshots and the OCR database since none of the information was encrypted at rest or protected in any substantive way.
Microsoft had planned to launch Recall as one of the flagship features of its Copilot+ PC launch in July, along with the new Qualcomm Snapdragon-powered Surface devices, but its rollout was bumped back and then paused entirely so that Recall could be reworked and then sent out to Windows Insiders for testing like most other Windows features are.
Among the changes Microsoft has said it will make: The database will be encrypted at rest and will require authentication (and periodic reauthentication) with Windows Hello before users will be allowed to access it. The feature will also be off by default, whereas the original plan was to turn it on by default and make users go into Settings to turn it off.
“Security continues to be our top priority and when Recall is available for Windows Insiders in October we will publish a blog with more details,” reads today’s update to Microsoft Windows and Devices Corporate Vice President Pavan Davuluri’s blog post.
When the preview is released, Windows Insiders who want to test the Recall preview will need to do it on a PC that meets Microsoft’s Copilot+ system requirements. Those include a processor with a neural processing unit (NPU) capable of at least 40 trillion operations per second (TOPS), 16GB of RAM, and 256GB of storage. The x86 builds of Windows for Intel and AMD processors don’t currently support any Copilot+ features regardless of whether the PC meets those requirements, but that should change later this year.
That said, security researchers and reporters who found the holes in the original version of Recall could only find them because it was possible to enable them on unsupported PCs, just as it’s possible to run Windows 11 on PCs that don’t meet the system requirements. It’s possible that users will figure out how to get Recall and other Copilot+ features running on unsupported PCs at some point, too.
Enlarge/ The Recall feature as it currently exists in Windows 11 24H2 preview builds.
Andrew Cunningham
Microsoft’s Windows 11 Copilot+ PCs come with quite a few new AI and machine learning-driven features, but the tentpole is Recall. Described by Microsoft as a comprehensive record of everything you do on your PC, the feature is pitched as a way to help users remember where they’ve been and to provide Windows extra contextual information that can help it better understand requests from and meet the needs of individual users.
This, as many users in infosec communities on social media immediately pointed out, sounds like a potential security nightmare. That’s doubly true because Microsoft says that by default, Recall’s screenshots take no pains to redact sensitive information, from usernames and passwords to health care information to NSFW site visits. By default, on a PC with 256GB of storage, Recall can store a couple dozen gigabytes of data across three months of PC usage, a huge amount of personal data.
The line between “potential security nightmare” and “actual security nightmare” is at least partly about the implementation, and Microsoft has been saying things that are at least superficially reassuring. Copilot+ PCs are required to have a fast neural processing unit (NPU) so that processing can be performed locally rather than sending data to the cloud; local snapshots are protected at rest by Windows’ disk encryption technologies, which are generally on by default if you’ve signed into a Microsoft account; neither Microsoft nor other users on the PC are supposed to be able to access any particular user’s Recall snapshots; and users can choose to exclude apps or (in most browsers) individual websites to exclude from Recall’s snapshots.
This all sounds good in theory, but some users are beginning to use Recall now that the Windows 11 24H2 update is available in preview form, and the actual implementation has serious problems.
“Fundamentally breaks the promise of security in Windows”
Enlarge/ This is Recall, as seen on a PC running a preview build of Windows 11 24H2. It takes and saves periodic screenshots, which can then be searched for and viewed in various ways.
Andrew Cunningham
Security researcher Kevin Beaumont, first in a thread on Mastodon and later in a more detailed blog post, has written about some of the potential implementation issues after enabling Recall on an unsupported system (which is currently the only way to try Recall since Copilot+ PCs that officially support the feature won’t ship until later this month). We’ve also given this early version of Recall a try on a Windows Dev Kit 2023, which we’ve used for all our recent Windows-on-Arm testing, and we’ve independently verified Beaumont’s claims about how easy it is to find and view raw Recall data once you have access to a user’s PC.
To test Recall yourself, developer and Windows enthusiast Albacore has published a tool called AmperageKit that will enable it on Arm-based Windows PCs running Windows 11 24H2 build 26100.712 (the build currently available in the Windows Insider Release Preview channel). Other Windows 11 24H2 versions are missing the underlying code necessary to enable Recall.
Windows uses OCR on all the text in all the screenshots it takes. That text is also saved to an SQLite database to facilitate faster searches.
Andrew Cunningham
Searching for “iCloud,” for example, brings up every single screenshot with the word “iCloud” in it, including the app itself and its entry in the Microsoft Store. If I had visited websites that mentioned it, they would show up here, too.
Andrew Cunningham
The short version is this: In its current form, Recall takes screenshots and uses OCR to grab the information on your screen; it then writes the contents of windows plus records of different user interactions in a locally stored SQLite database to track your activity. Data is stored on a per-app basis, presumably to make it easier for Microsoft’s app-exclusion feature to work. Beaumont says “several days” of data amounted to a database around 90KB in size. In our usage, screenshots taken by Recall on a PC with a 2560×1440 screen come in at 500KB or 600KB apiece (Recall saves screenshots at your PC’s native resolution, minus the taskbar area).
Recall works locally thanks to Azure AI code that runs on your device, and it works without Internet connectivity and without a Microsoft account. Data is encrypted at rest, sort of, at least insofar as your entire drive is generally encrypted when your PC is either signed into a Microsoft account or has Bitlocker turned on. But in its current form, Beaumont says Recall has “gaps you can drive a plane through” that make it trivially easy to grab and scan through a user’s Recall database if you either (1) have local access to the machine and can log into any account (not just the account of the user whose database you’re trying to see), or (2) are using a PC infected with some kind of info-stealer virus that can quickly transfer the SQLite database to another system.
Translating human-readable domain names into numerical IP addresses has long been fraught with gaping security risks. After all, lookups are rarely end-to-end encrypted. The servers providing domain name lookups provide translations for virtually any IP address—even when they’re known to be malicious. And many end-user devices can easily be configured to stop using authorized lookup servers and instead use malicious ones.
Microsoft on Friday provided a peek at a comprehensive framework that aims to sort out the Domain Name System (DNS) mess so that it’s better locked down inside Windows networks. It’s called ZTDNS (zero trust DNS). Its two main features are (1) encrypted and cryptographically authenticated connections between end-user clients and DNS servers and (2) the ability for administrators to tightly restrict the domains these servers will resolve.
Clearing the minefield
One of the reasons DNS has been such a security minefield is that these two features can be mutually exclusive. Adding cryptographic authentication and encryption to DNS often obscures the visibility admins need to prevent user devices from connecting to malicious domains or detect anomalous behavior inside a network. As a result, DNS traffic is either sent in clear text or it’s encrypted in a way that allows admins to decrypt it in transit through what is essentially an adversary-in-the-middle attack.
Admins are left to choose between equally unappealing options: (1) route DNS traffic in clear text with no means for the server and client device to authenticate each other so malicious domains can be blocked and network monitoring is possible, or (2) encrypt and authenticate DNS traffic and do away with the domain control and network visibility.
ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform—the core component of the Windows Firewall—directly into client devices.
Jake Williams, VP of research and development at consultancy Hunter Strategies, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis. The result, he said, is a mechanism that allows organizations to, in essence, tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”
By default, the firewall will deny resolutions to all domains except those enumerated in allow lists. A separate allow list will contain IP address subnets that clients need to run authorized software. Key to making this work at scale inside an organization with rapidly changing needs. Networking security expert Royce Williams (no relation to Jake Williams) called this a “sort of a bidirectional API for the firewall layer, so you can both trigger firewall actions (by input *tothe firewall), and trigger external actions based on firewall state (output *fromthe firewall). So instead of having to reinvent the firewall wheel if you are an AV vendor or whatever, you just hook into WFP.”
Enlarge/ I have hundreds of UUIDs and I must scream.
Getty Images
The modern “smart” TV asks a lot of us. In exchange for connecting you to a few streaming services you use, a TV will collect data, show ads, and serve as another vector for bad actors. In a few reported cases, though, a modern connected TV has been blamed for attacks not on privacy, eyeballs, or passwords but on an entirely different computer.
The TV in question is a Hisense TV, and the computer is a Windows PC, specifically one belonging to Priscilla Snow, a musician and audio designer in Montréal, Quebec. Her post about her Hisense experience reads like a mystery. Of course, because you already know the crime and the culprit, it’s more like a Columbo episode. Either way, it’s thrilling in a very specific I-can’t-believe-that-fixed-it kind of thrill.
Disappearing Settings, keyboards, remote desktops, and eventually taskbars
Snow’s Windows PC had “a few hiccups over the past couple of years,” Snow wrote on April 19. She couldn’t open display settings, for one. A MIDI keyboard interface stopped working. Task manager would start to hang until force-closed. Video capture cards had trouble connecting. As Snow notes, any veteran of a Windows computer that has had lots of stuff installed on it can mentally write off most of these things, or at least stash them away until the next reinstall.
Then, while trying to figure out why a remote desktop session wasn’t working, the task bars on Snow’s PC disappeared. The PC refused to launch any settings panels. After updating drivers and restarting the PC, the taskbars returned, but only for six days. Snow hunted for solutions, and after using “the exact right string in my search,” she found a Reddit thread that led to a Microsoft support question, all describing the same kinds of seemingly spectral problems her computer was having over time, with no clear cause.
User Narayan B wrote in Microsoft’s forum that the issue is the Hisense TV generating “random UUIDs for UPNP network discovery every few minutes.” Windows, seemingly not knowing why any device would routinely do this, sees and adds those alternate Hisense devices to its Device Association Framework, or DAF. This service being stuffed full of attention-grabbing devices can hang up Task Manager, Bluetooth, the Settings apps, File Explorer, and more.
The fix is deleting hundreds of keys from the registry. Narayan B wrote that noticed his Hisense TV flooding Windows’ device discovery systems before but “didn’t think Windows would go for a toss due to this.” Snow did the same, and everything—Task Manager, MIDI keyboard, remote desktop, even a CRT monitor she had assumed was broken—started working again.
UUID, UPNP, DAF, and hundreds of Registry keys
Along with deleting hundreds of keys with maniacal keyboard pounding, Snow notes in chats attached to her post that she disabled “Set up network connected devices automatically” on her “Private networks” settings in Windows. And, of course, she recommend not buying the same Hisense 50Q8G she bought, or at least not having it on the same network.
The mystery is solved, but the culprit remains very much at large. Or culprits—plural—depending on how you think a Windows PC should react to a shapeshifting TV.
Ars reached out to Hisense to ask for comment and will update the post if we hear back.
Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years in attacks that targeted a vast array of organizations with a previously undocumented tool, the software maker disclosed Monday.
When Microsoft patched the vulnerability in October 2022—at least two years after it came under attack by the Russian hackers—the company made no mention that it was under active exploitation. As of publication, the company’s advisory still made no mention of the in-the-wild targeting. Windows users frequently prioritize the installation of patches based on whether a vulnerability is likely to be exploited in real-world attacks.
Exploiting CVE-2022-38028, as the vulnerability is tracked, allows attackers to gain system privileges, the highest available in Windows, when combined with a separate exploit. Exploiting the flaw, which carries a 7.8 severity rating out of a possible 10, requires low existing privileges and little complexity. It resides in the Windows print spooler, a printer-management component that has harbored previous critical zero-days. Microsoft said at the time that it learned of the vulnerability from the US National Security Agency.
On Monday, Microsoft revealed that a hacking group tracked under the name Forest Blizzard has been exploiting CVE-2022-38028 since at least June 2020—and possibly as early as April 2019. The threat group—which is also tracked under names including APT28, Sednit, Sofacy, GRU Unit 26165, and Fancy Bear—has been linked by the US and the UK governments to Unit 26165 of the Main Intelligence Directorate, a Russian military intelligence arm better known as the GRU. Forest Blizzard focuses on intelligence gathering through the hacking of a wide array of organizations, mainly in the US, Europe, and the Middle East.
Since as early as April 2019, Forest Blizzard has been exploiting CVE-2022-38028 in attacks that, once system privileges are acquired, use a previously undocumented tool that Microsoft calls GooseEgg. The post-exploitation malware elevates privileges within a compromised system and goes on to provide a simple interface for installing additional pieces of malware that also run with system privileges. This additional malware, which includes credential stealers and tools for moving laterally through a compromised network, can be customized for each target.
“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” Microsoft officials wrote.
GooseEgg is typically installed using a simple batch script, which is executed following the successful exploitation of CVE-2022-38028 or another vulnerability, such as CVE-2023-23397, which Monday’s advisory said has also been exploited by Forest Blizzard. The script is responsible for installing the GooseEgg binary, often named justice.exe or DefragmentSrv.exe, then ensuring that they run each time the infected machine is rebooted.
Schleswig-Holstein, one of Germany’s 16 states, on Wednesday confirmed plans to move tens of thousands of systems from Microsoft Windows to Linux. The announcement follows previously established plans to migrate the state government off Microsoft Office in favor of open source LibreOffice.
As spotted by The Document Foundation, the government has apparently finished its pilot run of LibreOffice and is now announcing plans to expand to more open source offerings.
In 2021, the state government announced plans to move 25,000 computers to LibreOffice by 2026. At the time, Schleswig-Holstein said it had already been testing LibreOffice for two years.
As announced on Minister-President Daniel Gunther’s webpage this week, the state government confirmed that it’s moving all systems to the Linux operating system (OS), too. Per a website-provided translation:
With the cabinet decision, the state government has made the concrete beginning of the switch away from proprietary software and towards free, open-source systems and digitally sovereign IT workplaces for the state administration’s approximately 30,000 employees.
The state government is offering a training program that it said it will update as necessary.
Regarding LibreOffice, the government maintains the possibility that some jobs may use software so specialized that they won’t be able to move to open source software.
In 2021, Jan Philipp Albrecht, then-minister for Energy, Agriculture, the Environment, Nature, and Digitalization of Schleswig-Holstein, discussed interest in moving the state government off of Windows.
“Due to the high hardware requirements of Windows 11, we would have a problem with older computers. With Linux we don’t have that,” Albrecht told Heise magazine, per a Google translation.
This week’s announcement also said that the Schleswig-Holstein government will ditch Microsoft Sharepoint and Exchange/Outlook in favor of open source offerings Nextcloud and Open-Xchange, and Mozilla Thunderbird in conjunction with the Univention active directory connector.
Schleswig-Holstein is also developing an open source directory service to replace Microsoft’s Active Directory and an open source telephony offering.
Digital sovereignty dreams
Explaining the decision, the Schleswig-Holstein government’s announcement named enhanced IT security, cost efficiencies, and collaboration between different systems as its perceived benefits of switching to open source software.
Further, the government is pushing the idea of digital sovereignty, with Schleswig-Holstein Digitalization Minister Dirk Schrödter quoted in the announcement as comparing the concept’s value to that of energy sovereignty. The announcement also quoted Schrödter as saying that digital sovereignty isn’t achievable “with the current standard IT workplace products.”
Schrödter pointed to the state government’s growing reliance on cloud services and said that with related proprietary software, users have no influence on data flow and whether that data makes its way to other countries.
Schrödter also claimed that the move would help with the state’s budget by diverting money from licensing fees to “real programming services from our domestic digital economy” that could also create local jobs.
In 2021, Albrecht said the state was reaching its limits with proprietary software contracts because “license fees have continued to rise in recent years,” per Google’s translation.
“Secondly, regarding our goals for the digitalization of administration, open source simply offers us more flexibility,” he added.
At the time, Albrecht claimed that 90 percent of video conferences in the state government ran on the open source program Jitsi, which was advantageous during the COVID-19 pandemic because the state was able to quickly increase video conferencing capacity.
Additionally, he said that because the school portal was based on (unnamed) open source software, “we can design the interface flexibly and combine services the way we want.”
There are numerous other examples globally of government entities switching to Linux in favor of open source technology. Federal governments with particular interest in avoiding US-based technologies, including North Korea and China, are some examples. The South Korean government has also shared plans to move to Linux by 2026, and the city of Barcelona shared migration plans in 2018.
But some government bodies that have made the move regretted it and ended up crawling back to Windows. Vienna released the Debian-based distribution WIENUX in 2005 but gave up on migration by 2009.
In 2003, Munich announced it would be moving some 14,000 PCs off Windows and to Linux. In 2013, the LiMux project finished, but high associated costs and user dissatisfaction resulted in Munich announcing in 2017 that it would spend the next three years reverting back to Windows.
Albrecht in 2021 addressed this failure when speaking to Heise, saying, per Google’s translation:
The main problem there was that the employees weren’t sufficiently involved. We do that better. We are planning long transition phases with parallel use. And we are introducing open source step by step where the departments are ready for it. This also creates the reason for further rollout because people see that it works.
Enlarge/ A Dell XPS 14 laptop. The Copilot key is to the right of the right-Alt button.
In January, Microsoft introduced a new key to Windows PC keyboards for the first time in 30 years. The Copilot key, dedicated to launching Microsoft’s eponymous generative AI assistant, is already on some Windows laptops released this year. On Monday, Tom’s Hardware dug into the new addition and determined exactly what pressing the button does, which is actually pretty simple. Pushing a computer’s integrated Copilot button is like pressing left-Shift + Windows key + F23 simultaneously.
Tom’s Hardware confirmed this after wondering if the Copilot key introduced a new scan code to Windows or if it worked differently. Using the scripting program AuthoHotkey with a new laptop with a Copilot button, Tom’s Hardware discovered the keystrokes registered when a user presses the Copilot key. The publication confirmed with Dell that “this key assignment is standard for the Copilot key and done at Microsoft’s direction.”
F23
Surprising to see in that string of keys is F23. Having a computer keyboard with a function row or rows that take you from F1 all the way to F23 is quite rare today. When I try to imagine a keyboard that comes with an F23 button, vintage keyboards come to mind, more specifically buckling spring keyboards from IBM.
IBM’s Model F, which debuted in 1981 and used buckling spring switches over a capacitive PCB, and the Model M, which launched in 1985 and used buckling spring switches over a membrane sheet, both offered layouts with 122 keys. These layouts included not one, but two rows of function keys that would leave today’s 60 percent keyboard fans sweating over the wasted space.
But having 122 keys was helpful for keyboards tied to IBM business terminals. The keyboard layout even included a bank of keys to the left of the primary alpha block of keys for even more forms of input.
The 122-key keyboard layout with F23 lives on. Beyond people who still swear by old Model F and M keyboards, Model F Labs and Unicomp both currently sell modern buckling spring keyboards with built-in F23 buttons. Another reason a modern Windows PC user might have access to an F23 key is if they use a macro pad.
But even with those uses in mind, the F23 key remains rare. That helps explain why Microsoft would use the key for launching Copilot; users are unlikely to have F23 programmed for other functions. This was also likely less work than making a key with an entirely new scan code.
The Copilot button is reprogrammable
When I previewed Dell’s 2024 XPS laptops, a Dell representative told me that the integrated Copilot key wasn’t reprogrammable. However, in addition to providing some interesting information about the newest PC key since the Windows button, Tom’s Hardware’s revelation shows why the Copilot key is actually reprogrammable, even if OEMs don’t give users a way to do so out of the box. (If you need help, check out the website’s tutorial for reprogramming the Windows Copilot key.)
I suspect there’s a strong interest in reprogramming that button. For one, generative AI, despite all its hype and potential, is still an emerging technology. Many don’t need or want access to any chatbot—let alone Microsoft’s—instantly or even at all. Those who don’t use their system with a Microsoft account have no use for the button, since being logged in to a Microsoft account is required for the button to launch Copilot.
Additionally, there are other easy ways to launch Copilot on a computer that has the program downloaded, like double-clicking an icon or pressing Windows + C, that make a dedicated button unnecessary. (Ars Technica asked Microsoft why the Copilot key doesn’t just register Windows + C, but the company declined to comment. Windows + C has launched other apps in the past, including Cortana, so it’s possible that Microsoft wanted to avoid the Copilot key performing a different function when pressed on computers that use Windows images without Copilot.)
In general, shoehorning the Copilot key into Windows laptops seems premature. Copilot is young and still a preview; just a few months ago, it was called Bing Chat. Further, the future of generative AI, including its popularity and top uses, is still forming and could evolve substantially during the lifetime of a Windows laptop. Microsoft’s generative AI efforts could also flounder over the years. Imagine if Microsoft went all-in on Bing back in the day and made all Windows keyboards have a Bing button, for example. Just because Microsoft wants something to become mainstream doesn’t mean that it will.
This all has made the Copilot button seem more like a way to force the adoption of Microsoft’s chatbot than a way to improve Windows keyboards. Microsoft has also made the Copilot button a requirement for its AI PC certification (which also requires an integrated neural processing unit and having Copilot pre-installed). Microsoft plans to make Copilot keys a requirement for Windows 11 OEM PCs eventually, it told Ars Technica in January.
At least for now, the basic way that the Copilot button works means you can turn the key into something more useful. Now, the tricky part would be finding a replacement keycap to eradicate Copilot’s influence from your keyboard.
