This is my first post on this platform, and I’m really enjoying the open discussions about privacy-related topics. I plan to stay here for a long time. Hi (
), I’m D, yet another power-user! As mentioned in the title, I’m seeking information about the maturity of the project (kind of a following up of this → Which is the best version of Windows for privacy: Windows 11 EU (GDPR), AME11 or RevOS?). As a Ameliorated’s user, I feel quite comfortable so far. I recommend it based on what I’ve learned while being part of their community, especially regarding how Windows works. I’ve observed several positive developments, and their self-financing model seems promising. However, I’m curious to improve my analytical skills in evaluating that aspect, coming here to discuss about it with a fairly malleable perspective (thank you for those who then will and can answer me). They have created their own method, the AME Wizard, to help eliminate sketchy ISOs and their distribution also. The importance of having the local standard user controlling the system (out of the box) and the fact that it always asks you for a password to modify anything in my opinion is a game-changer that few people value while on Windows (documentation will follow) 
Hi, welcome to the forum.
I’m no professional but it says on their documentation that it’s a beta, so by definition I wouldn’t consider it “mature”.
Seems like a cool project. My opinion in general with these kinds of tools is that as long as it doesn’t kill windows update or disable important security features then they are probably fine. Does the default playbook disable the MS Store? Because as of now it’s the only good/reliable/supported way to run sandboxed apps in windows.
Also this probably will cause stability issues at some point due to the modifications to the OS. Probably also safer to use on 10 than on 11 since 10 no longer gets new features that can break stuff.
It’s going to take time and require adjustments along the way, as most projects do, and I understand that. However, I’m confident that it has the potential to succeed (more information can be found in the link, gathered by me to give you an overview! But a lot of things improved from those statements → PrivateBin). Anyway… it seems like they are nearing a soft launch given the current conditions (from what I could gather), because the development team has taken many positive steps since 2018, which I believe are towards a good direction.
See the link from Privatebin above… it explains everything! But I generally agree, however, I haven’t encountered any major issues with missing updates… frankly!
I’m currently use Sandboxie Plus so software-based isolation and I’m doing just fine. But perhaps I need to catch up?
Ironically… since the system doesn’t receive version updates and/or edition upgrades, it’s much more stable.
Yes I had a look at AME when it was new. Being unable to install updates was a dealbreaker than (this is not the case anymore, right?).
You need a security-hardened sandbox with SysCallLockDown, which in turn will break a lot of programs.
This is not a sandboxie problem but a windows problem, and a recurring one too from what I understand.
Windows store apps in theory should be safer because they must adhere to the higher security standards that Microsoft may impose upon them.
That being said though… use linux if possible.
To be fair Windows 11 has some nice security enhancements, but in my humble opinion they are not worth the issues that also come with it.
Archive, when the Bin disappears:
Summary
FEW NOTES speaked by LEAD DEVELOPER Alexander Clay Taylor (@actrons on Telegram) over time, in no particular order ↓
Abou the modification ↓
Let me briefly address this = Over 99% of the traffic the operating system produces in idle has been completely eliminated in AME. The remaining traffic comprises extremely rudimentary pings and is mostly from software components which don’t even fully function anymore, but are almost impossible to completely remove. This traffic is also staggeringly negligible in size, comprising a few KB of packets here and there. Making any sort of judgment based on both the consumer-grade tool being used here (Safing Portmaster), as well as there being no comparison to a non-ameliorated system, is entirely pointless. Nowhere do we claim to remove all traffic in its entirety, but you can be rest assured that over 99% of traffic (and that is not an exaggeration), along with anything being sent that is tied to personally identifiable information (that is, useful for data gathering on a large scale), has been completely removed from the OS.
What’s missing ↓
You cannot install security updates on AME. You cannot install ANY updates, period. The entire subsystem has been ripped out of the OS. Various mitigations are in-place in AME to help fend off current and future common security vulnerabilities, however, overall stability is being favored over bleeding edge security. Though AME’s decision to change the default user permissions massively improves the security situation over any default-configured vanilla installation. If you truly require bleeding edge security, you should NOT be using Windows whatsoever. It is a fundamentally insecure OS. The overwhelming majority of AME users will not be putting themselves at any greater risk by using such a release, and will never encounter any sort of security issue.
Why a standard local user is more secure?
The default user having Administrator permissions, which is how Microsoft ships it by default in Windows 10, caused 70% of the attack surface (https://web.archive.org/web/20210618023509/https://www.beyondtrust.com/assets/documents/BeyondTrust-Microsoft-Vulnerabilities-Report-2021.pdf) of all critical vulnerabilities reported in 2020, and 80% in 2019 (Wayback Machine). On Linux or Unix systems (such as Ubuntu or macOS), the default user never has so-called root (administrator) permissions for this very reason. There is a hidden user with elevated permissions, which is invoked if such permissions are required, and then needs to be authenticated in order to grant a temporary elevation. Fortunately Windows 10 can, with a bit of tweaking, be configured to reassemble such a configuration, and this is what we have done in AME. Some applications however, do not follow clearly defined installation specifications, and opt to, for example, install and run from the user directory. This can create initial issues when installing such programs on AME. Luckily these non-spec apps are few and far between, and there are quick workarounds available allowing one to install and use them without hinderance.
It’s available! See AME 11 - Ameliorated Documentation at the Receive Updates section (meanwhile I discovered a typo… improvmenets). I was able to upgrade to the latest .apbx for Windows 11 provided by the Ameliorated Team (from v0.5 to v0.7) 
. For migration to new versions of Windows 11/10 (conveniently downloadable at uupdump dot net) on the other hand you need to follow this procedure right here → AME 21H1 To AME 11 - Ameliorated Documentation theoretically without losing files 
I see… it is a topic I’d like to explore further 
Unfortunately, I have never been able to appreciate Universal Windows Platforms (UWPs). As safe as they may be with the reasons you listed, I would rather rely on good practices (possibly also reduce attack scenarios) than trusting Microsoft’s inherent code 
I almost forgot to mention that I have the Sandboxie-Plus Advanced Encryption Pack (https://xanasoft.com/product/sandboxie-plus-advanced-upgrade), so I rarely use the Standard Sandbox (the yellow one). According to description → With this feature, the box file root is mounted from an AES-XTS encrypted box image 