Microsoft 365 Knowledge Series Episode 3: Management and Security
This week, we look at the management capabilities available in Microsoft 365, which provide a unified interface for managing users, devices, apps, and services, plus security features aimed at safeguarding data at every level.
Paul Thurrott (00:16): Welcome back to the Microsoft 365 Knowledge Series. I’m Paul Thurrott. I’m here with Stephen Rose, the Senior Product Marketing Manager for Microsoft 365.
Stephen Rose (00:42): Morning,
Paul Thurrott (00:43): Good morning. So we, over the past couple of episodes, I feel like we haven’t talked in a while, but yeah, we’ve kinda hit on the basics. I would say the core parts of Microsoft 365 which of course are mostly Office 365 related. But this week we’re going to take a look at the management and security capabilities that are available, set of interfaces that Microsoft provides for managing users, devices, apps, services, plus obviously security. But before we get to that you just penned an interesting blog post. I was wondering if you wanted to discuss that a little bit. This is the five steps for boosting digital transformation with Microsoft 365.
Stephen Rose (01:21): Yeah. One of the things that I heard from a lot of folks from the podcast that we did, I just did one with Mary Jo a few weeks ago, and some others was, Hey, this is great. We’re already on it. But the thing that we’re missing is how do we drive adoption? A lot of people going, Hey, we’re using Teams, but we’re just using the IM portion of it and things along that line. So I put together mostly free resources.
There’s one paid resource, which is the My Analytics piece, but really things that you can do from, Hey, you’re going to build yourself a portal to different tools, to different training places. And I’m going to continue to do that as well as chat with some customers on what they’re doing. So, really try to help folks over that hump and get them, not just a bunch of, Hey, here’s what other companies are doing, but really here’s tools, here’s resources, here’s what the lessons learned from other folks, not just that they’re using Microsoft 365. That’s great. How are they finding success and what that did? So this is the first in a series that I’ll continue to work on on the Microsoft 365 blog.
Paul Thurrott (02:25): Yeah. This was surprising to me because I hadn’t actually heard of a few of these, I’m embarrassed to say. And yeah, some great resources. I mean there’s some neat stuff in there, I had heard of, for example, the productivity score stuff and we’ll talk about some of the other similar portals that you folks built into Microsoft 365. But yeah, there is some really, really nice resources there. And the digital transformation, of course, is the term that you folks at Microsoft are using to describe this transition to, you know, from the kind of old school on-prem infrastructure of the past to the cloud based and hybrid infrastructure that we see from Microsoft 365.
Stephen Rose (03:03): Yeah, I think at the core, customers are looking to retain great talent and the younger generation we talked about this, they want to be able to work from anywhere on any device. You know, which means we have to better manage and secure those devices. But we also need to give people the resources that they need to be productive. And one of the things we talk about is Workplace Analytics. Tons of people get the My Analytics email, but they have no clue that there’s a whole suite that will tell you when, and you can’t look at individuals, but you can look at groups, whether it be sales or marketing or by you know, product or et cetera that says, Hey, 40% of your meetings were unproductive. Because in marketing, they were multitasking.
They were doing email while they were in a meeting and not doing this because it looks at the login and says, Hey, you’re writing a bunch of emails in the middle of a meeting and not one note. So you’re multitasking. Or these meetings went way too long and this isn’t productive or just not enough time for people to get things done in the middle of their day, focused on. So it’s great to bring that, especially HR and other folks really love that feature because it helps them to really look at what’s the effect when an executive sends out an email on Friday at five and how much work over the weekend and after hours are people going to have to do. And it can be really eye opening for a lot of companies.
Paul Thurrott (04:20): Yeah, it’s astonishing. And the deep dive you can do into all of these areas is incredible. If you haven’t looked through the admin interface, which again, we’ll talk about a little bit more later, but the example you have in your blog post is really neat. Just the percent of time that people spend collaborating on documents, how much or what percentage of the users actually have content in the cloud, et cetera, et cetera. You can just dive into every little analytical piece you could imagine. And that’s a big part of the, the central theme really of this show when you think about it, which is that a lot has changed since Windows 7 and Office 2010.
And you and I were discussing offline, I was joking with him that I had a dream about this. I didn’t want to get too embarrassing here, but, it’s very possible and probable that you and I met as part of the Microsoft springboard activities back in the Windows 7 timeframe, which was basically the effort then, which is similar to what’s happening now, where Microsoft wants to get people on a more modern desktop, which at that time was Windows 7 and Office 2010, which of course now we’re trying to get people off of.
Stephen Rose (05:23): We did, as I said earlier, we just did way too good a job there. And now,
Paul Thurrott (05:26): Yes.
Stephen Rose (05:27): Everybody’s like, Hey, but we listened to you. I’m like, yeah, but not back in 2010 when I had this conversation.
Paul Thurrott (05:34): Well, I think, you know, one of the big changes since then is that back then you, or Microsoft had to basically come out and obviously this best practices they provide, they talk to some of their big customers, see what the issues are having with, you had said something to the effect of that is some large percentage of deployments had stalled two thirds of the way through and you know, how do you get around that?
But today there were all these tools available, most of them for free in this blog post for example, where businesses themselves can go and look at this and figure out the best path forward. And that has changed I think a lot too. This is so much more data that’s actionable today.
Stephen Rose (06:10): Oh yeah. My whole thing was you could use MDT to build a stick with Windows 7 on it and you could do an offline deployment in 30 minutes or less and bring that stuff over and using all free tools. And when I showed this to people, they’d be like, wait a minute, you’re Microsoft, you’re talking about free tools. I’m like, yeah, this MDT thing that I was working on with Jeremy Chapman and Michael Niehaus is incredible. And I put the image on it, I slide it in, I reboot, I go answer a few questions and boom, 30 minutes later.
And that was very fast then here is a brand new ready to go Windows 7 laptop with all your data migrated over. And people were just blown away by that. And now we’ve come so much further with management and you know, autopilot and so many other things where we can do this so much more quickly and efficiently. But the whole idea was if you’re ghosting, you’re spending months you know, out of the year, updating those images and updating the software and doing that. And that just doesn’t make sense. And that was really the goal was to get people off of ghost to this more modern desktop.
Paul Thurrott (07:13): Plus, I mean those images were not just machine specific, they were model specific. It was just a huge amount of difficulty.
Stephen Rose (07:20): SID ghosting. And SID replacement and all that fun stuff.
Paul Thurrott (07:25): Who doesn’t miss those days? So
Stephen Rose (07:31): You youngins, look what you don’t have to deal with, back in my day.
Paul Thurrott (07:37): Flip a switch in a web-based console and it just goes out to the world. I don’t know. It’s easy. So what’s available? So from a management perspective, I have what I consider to be the smallest possible, I guess it’s technically Office 365 but Microsoft 365 install in the world, right? One person, one user. But I use it to keep up to date on this stuff and obviously there’s a full suite of management capabilities for users and applications and services.
A lot of people may not realize this, but you get a free version of AAD with even the least expensive version of Office 365 so you can manage your users from the cloud as well. And then if you have a, once you move up to Microsoft 365, specifically Microsoft 365 Business, you get additional Active Directory features there as well. Like settings or I’m sorry, enterprise state roaming, which is essentially the settings sync capabilities. So what else is going on? From a management perspective in Microsoft 365.
Stephen Rose (08:39): I think Intune is probably one of the biggest, and I remember back when that was, you know, Windows Intune long before Microsoft Intune, we came out with that back in the Windows 7 days and really just worked to augment that. And really it does three key things. It supports that mobile ecosystem. So whether it’s iOS or Android or Windows or Mac, you now have that single endpoint management solution so that you can deploy and provision, policy, updates, app delivery, you name it can all be done through that. And because it’s cloud based, it’s really, you know, it’s scalable, which is awesome. So we can leverage, you know, the cloud for things like baselines and insights that help us to really understand what’s going on with these devices. And we can now, and this is really the key thing because this goes back to our conversation that look, people are moving away from securing the device to securing the data.
Stephen Rose (09:38): It will safeguard the data when you don’t manage devices used by employees or partners when they access work files. Or we can get even more granular with the Office 365 data on those devices itself. So it’s more than just a way to deploy apps. It’s more than just a way to manage. It really is becoming kind of, the core of our kind of security tools that can be used.
And yes, you can be using MobileIron or AirWatch or one of those, we plug in with those systems. They’re partners of ours, but that’s really sort of at the core before we start to get into things like, you know, sentinels and DLP and all the rest of the great stuff that’s really at the highest level to just go, I need to manage all these devices and ensure that they’re secure when they connect to any of our resources.
Paul Thurrott (10:27): Right, right. Yeah, I covered Intune from the very beginning. I remember it was kind of a side tool in the beginning next to the, the, the heavy Microsoft management infrastructure with a system center and so forth. And, today, like you said, I mean the ability to just basically deploy policy out to mobile devices wherever they are in the world, all the user has to do is you know, they bring their own device perhaps or they got it from a company. It doesn’t really matter.
But just by signing in to their Microsoft 365 account, those policies are all applied down and you get that separation of data, you get that data protection. We’re going to look at some of those specifically in a little while. And it’s just, it’s basically instant. It’s rather incredible.
Stephen Rose (11:12): And it’s so important because, and this is something too where we found that companies were not meeting with their HR departments before turning this on. And you’re saying, well, why? Well, if I bring my iPad, I need to know that, Hey, you’re going to manage this device, but you’re also not going to get rid of all my pictures. My first pictures of my kid or whatever that is. And that really became the key thing as we saw MDM and ADM grow, which is, it’s okay for you to manage this. But if I have these apps open, I can’t open these.
And people said, well, that doesn’t really work because it did in the beginning, but now we have more and more consumer apps that we use in business. So then it became, well now it’s not about having two different apps are open or specific versions like with app blocker, which still in some cases may be the key thing, but it’s more what data can I use? What can stay on the device? What can’t, if the device gets lost, what can I wipe? What can I, sorry, it’s earlier. What can I better manage and sort of bring that together. And that’s really the key is you know, to be able to bring those two sides together, keep the hot side hot and cold side cold, personal and business on the same device but not allow those to mix when you need them to.
Paul Thurrott (12:23): Yup. Yeah. And that’s true across mobile. That’s true across Windows 10 PCs as well. You know, all the settings you can make automatically deploy Office applications if that’s what you want, configure how the updates are going to work across all of those things. Configure security obviously, like we said.
Stephen Rose (12:39): Yep.
Paul Thurrott (12:39): So speaking of security and that’s really kind of the big part here. I would say the big change between the past and the present is that now we’re working toward being proactive with security. And a lot of what you just said about you know, setting up data protection on a device is related to that. Just ensuring that by virtue of the fact that they’re signing in, your policies will be applied and proactively we’re going to be able to control how users are able to access the data that we have inside the organization.
Stephen Rose (13:09): Yeah. And there’s a lot of different tools that we do to do that. You know, I think a great way to look at is we have tools like secure score at the highest level that say how are we doing as a company and how do we compare to other companies. Then when you start to go down the line, then we get into things like categorization, threat protection, Sentinel, working its way down to Defender, and then we have individual policies like data categorization and DLP and things like that, that are going to limit what we can do within documents and how we share that information.
So it’s definitely a multilayered approach, which was great because they, small business of 10 people can say, we just want to put in these three pieces. We just want to make sure that we’re not going to get hit by malware or ransomware or something like that. So we’re going to turn on OneDrive for the, you know, the folder move, which gives us now the ransomware protection and we want to make sure that every device has all the latest updates when they connect, all the way up to far more advanced security policies. So it’s very scalable even for smaller businesses. And I think that’s really the key thing is, was not to get overwhelmed by all these pieces, but go, we get to pick and choose which parts of these we need.
Paul Thurrott (14:18): Well, I mean we should talk about a bunch of that stuff. I mean, so for example, the Microsoft Security Center is the new console for basically monitoring all of these security activities. And you mentioned the security score. I did, the secure score, excuse me, last week. I look at this for my organization. I’m not doing very well. So, but what’s interesting about it, but of course I’m not, because a lot of this is best practices made real where you can act on those best practices and enable policies that will change the security stance of your organization.
So my current score is about 38%, it’s terrible, but, what’s interesting about this is there’s kind of a gamification aspect to it where you can go into individual policies and see what they are. So one of the ones that I did enable and I think that bumped my score from 37 to 38% was to get rid of, or to disable legacy sign ins. Right. Which was something that was common with Office 2013 and probably before then. But you have that ability to kind of go through that list. You probably won’t, I won’t be able to do it in one day, but over some period of time and evaluate the different policies that you can enable and improve that score, which is fun on one level. But really what that’s about is improving the security stance of your organization.
Stephen Rose (15:40): Yeah. It’s basically like a credit score and it will go through and say, Hey, you turn on MFA, you’re going to get 50 points just for doing that because we should get rid of the password. Passwords are bad. We’ve done everything we can between Windows Hello and biometrics and everything else to try to do that. But this way when somebody’s logging in from a device that’s not trusted or we don’t know, they’re going to have to go to their phone and use either finger or face to go ahead and log into this and we want to do this. And once you do, your score goes up. It compares you to other companies within certain size ranges and things along that line.
And we’re looking to get even more granular with industry and things like that in the future. But it does put together that organizational posture. It shows you all the possible improvements. It doesn’t matter your license, it’s free to everybody, which is great and it helps you to understand what are the best practices, how you can improve your score, and then how you attack, how you can address those attack surfaces along with their status. And that’s really sort of the key thing.
Paul Thurrott (16:44): There’s also this notion of Microsoft threat protection. And I’m not, I think this may require certain levels of Microsoft 365?
Stephen Rose (16:53): It does. Yeah. I think it’s E5 to get the Microsoft security threat protection, but that provides a view of the organization’s overall threat landscape. So administrators can see threats and attacks and then take actions. And what’s nice with this is some are automated, some are not. So for example, you can set up a process that says, if you know Paul logs in from this location, great, it knows that it checks that out. If 10 minutes later, all of a sudden you’re logging in from Beijing, it goes, wait a minute, you can’t log in from the East coast and then from Beijing, there’s no flight that fast to get you there in 20 minutes.
This seems odd. Or Hey, you just got an exe file, I’m going to lock that out and I’m not going to allow it and, but I’m going to let you as an administrator know and you can choose what to do next.
Stephen Rose (17:44): So some things are going absolutely. If you get any sort, you know, executable or any sort of script in an email, automatically don’t allow that to happen. And if I start to see a series of things where it says, you know what, these four people got executables. Then they got a bunch of scripts the next day and this I am either going to do better education with those users on where are you going and what are you doing.
Paul Thurrott (18:06): Right.
Stephen Rose (18:08): Or change my policies because we’re encountering some new threats, but it takes you from being reactive. I have a virus, I have ransomware, I have a threat, et cetera, to being proactive saying, Hey, there’s a bunch of weird things that are all separate, but when you put them together, show a trend that you should be aware of and there is a point where you need to get involved and make decisions on this user or this group’s behalf that go beyond automated what I can do and what’s nice is when you click on something it actually tells you, this is what this is, this is the virus, this is how it works, or whatever that is. Here’s how you remediate that and actually walks you through step by step. So whether you are junior or a very, very senior IT person, it will really help you to know exactly what you need to do to get to the best posture and place that you can get to.
Paul Thurrott (18:59): Nice. So we have a video demo, I believe, of Microsoft Threat Protection.
Stephen Rose (19:05): So here we see there was a suspicious PowerShell. It tells you that it’s running, it tells you who got that, it then comes up, it says, yep, here’s when it happened. Here’s the risk level that we’re at and here’s what’s been generated. So I can take a look at the investigation, it will tell me what’s running. It tells me what’s been automatically remediated, which is great.
And at the bottom it shows me this has been remediated. So I’ve already done conditional access and I’ve done this and I’m doing it, but here’s what you need to do to go ahead and fix that and remediate that out. So it walks you through all those different steps.
Paul Thurrott (19:40): You know, one of the conversations we almost have to have about this kind of thing, you said Microsoft 365 is so comprehensive. I mean there’s so much actionable data in there and then so many things you can do, I mean, is there any conversation around integration with third parties? I mean, is Microsoft everything for everybody or, how does one decide which direction to go there?
Stephen Rose (20:05): Yeah, I think there’s some different things. So first of all, any of the data inside a security center can be exported out from logs all the way down. So if you’re a Jira person, you can bring it all into Jira and Jira actually goes into Teams, which is great. So I’ve seen a lot of companies who set up all of their IT on that. We also have Azure Sentinel, which is cloud-native security information and event manager. And what that does is it uses AI to help analyze all these large bits of data that come across the enterprise and it aggregates it. It takes a look at things like users and application service and devices that are running on-prem and in the cloud, brings that all together. It’s got built in collectors. And then that can be brought out into formats like CEF or syslog if you want.
Stephen Rose (20:56): But what’s also nice beyond that is it also works with things like Amazon Cloud and it works with Barracuda and F5 and all these other ones. So there’s a pretty wide variety of things that you can do. The advantage is to have that single pane of glass that shows you that proactive reactive, but you can absolutely take all this data, bring it into your third party solutions, export it, and take a look at it from there. So it’s not that you have to use our stuff, but for many folks, they already have it and it may be worthwhile for them to take a look at it.
Paul Thurrott (21:28): Right, right. Okay, that makes sense. I mean, that’s Microsoft in a nutshell right there. They’re basically, I mean, it works with everybody.
Stephen Rose (21:37): And I was just going to say best of breed was very much how many people looked at things and that was the old way. It’s got to have the best of everything. But the problem with best of breed is it’s like ticking a car. If you get the best of breed of anything and you put it into a car, it’s going to look weird and it’s going to have a lot of drawbacks.
You’re not going to get by having these things integrated natively and lots of little gaps. So that’s really sort of the key thing here is it’s not, you have to throw out all your stuff, but you may find that by integrating more of our pieces and saving yourself some money using less of some of the other ones that are now duplicative, you’re going to get that,
Paul Thurrott (22:13): I guess on the flip side, for those organizations that have made investments in Symantec or Barracuda or whatever, they can still move forward with Microsoft 365 knowing that that stuff is going to integrate. And if in the future they want to just use the integrated Microsoft solution, they can, but they can continue using whichever solutions they prefer.
So, that’s all good. Yeah. So we mentioned secure score. Actually, we do have a video for that as well. We should’ve done that earlier. But secure score is that way that you can basically take a look at your security stance, I’ll call it, and you can improve that stance by making policy changes.
Stephen Rose (22:51): Yeah. Yeah. So here we can see this company, you know, has a secure score 227. It has recommended actions. So if we go down, we can see, Hey, if you turn on Intune, you’re going to gain so many points. If you turn on MFA, you’re going to gain 30 points and 50, if you do for Azure AD privilege roles, tells you it’s not completed.
It tells you what you’re going to benefit and how that comes in. And then as you make these changes around identity, data, device and apps and infrastructure, that will show you that impact and what’s now working better and what isn’t. And watch that score go up and down as you play with those things. So it’s.
Paul Thurrott (23:30): I really enjoy the secure score. Yeah, and it’s, it’s neat because it’s not just advice. You can click here to make it happen and you go to the exact admin interface, you have to go there, whether it’s Azure or Microsoft 365, whatever. I just think it’s a great, it’s a neat tool.
Stephen Rose (23:44): And it’s free. It’s free.
Paul Thurrott (23:44): Yeah. Yeah. And a lot of it, I mean I had hundreds of items I could have enabled to improve my score. You know, I’m a, what we would call a lightly managed organization for sure. But a lot of those things seemed like they were kind of no brainers. Like the MFA thing. I mean, obviously, you know, they were obvious.
Stephen Rose (24:06): Some are these really deep dive things that most administrators don’t think about or aren’t aware of. And it’s going to give you awareness of, Oh yeah, that’s right I can do that. And you may have to do it with the third party product if you own one and it won’t raise your score because we can’t always track all those products, some we can some we can’t, but it will at least tell you, Hey, these are the gaps and if you want me to automate it, I can do it. But if not, you’re going to have to do that manually. But at least it tells you.
Paul Thurrott (24:30): Yeah, I mean honestly, in a way it’s a really friendly front end to some of the, you know, the understandable complexity that has to occur just by virtue of all of the things that you can configure inside of Microsoft 365. And so I think for a lot of administrators or IT pros who look at that dashboard, they’re going to say, yeah, I didn’t even know that existed or I didn’t know where it existed.
Obviously we need to enable that feature. So I’m quite taken with this. I just think it’s neat, but there is a lot more obviously to security in Microsoft 365 including some things that have been around for quite some time, like Exchange Online Protection, right? That’s available across all of the Microsoft 365 SKUs, including Office 365. But Microsoft 365 builds on that with advanced threat protection.
Stephen Rose (25:19): Well we have advanced threat protection. Which is a big part of that. Absolutely. And what that’s going to do is, Oh, we have advanced threat protection and advanced data protection. So two different things. The advanced threat protection is exactly that. It is, here are things that we are seeing as potential threats. You know, how to, let’s take a step back. It gives you a view of your organization’s overall threat landscape. So administrators can spot these new threats and attacks. It can figure out the actions that need to take. And again, as we said earlier, whether it’s automated, manually triggered or some sort of combination of that. So it’s keeping track of all this stuff.
Paul Thurrott (25:59): Yeah. And that speaks to the proactive bit. I mean in some cases it’s obvious what needs to happen. Just make that happen. You don’t have to go to, you know, the administrators should be alerted that it happened, but they shouldn’t have to flip a switch and say, yes, make this happen. So we do have a video here, this is for anti-phishing and safe links, which is part of Office 365 advanced threat protection on mobile.
Stephen Rose (26:21): Yup. So here we see there was an email and it’s saying, Hey, this is somebody, it’s a similar, but it’s not the same address. So you should be aware that this could be a risk. And by using the Microsoft browser, as soon as you click it, it goes, Hey, not a good site. This is, it’s not going to where you think it’s going to go. And that becomes a key piece of that. And that’s something that’s again, happening in the background, but all we can do is we can just turn that on and start to make that much easier for folks. And then we can also extend out, like I said, DLP or conditional access and things like that as we want to build upon that.
Paul Thurrott (26:56): Yeah. And again, just by virtue of the fact that you signed into your Microsoft 365 account on the mobile device, those policies and what comes down to that stuff happens automatically. So it’s awesome. It’s just automatic goodness.
Stephen Rose (27:09): Yeah and it keeps people who just click things without thinking about it, give them a moment of pause. They’re probably still gonna say yes, go ahead. But at least they’re warning and maybe, maybe they might read it and go, no. And the big browser saying, Nope, probably don’t want to go here. It’s a good way to ensure that people go, Oh no, that doesn’t look right. I’m going to go backwards.
Paul Thurrott (27:26): Right, right. And yeah, that’s interesting because, you know, with app protection, which you get to in a moment for data or data protection I should say, you want that stuff to be automatic. You don’t want the, the person to say, eh, you know. And so, you know, we’ll look at that in one moment, but you and I have spoken about Intune selective wipe in the past, but I think it bears repeating. One of the fears that people might have signing in to their corporate account on a personal mobile device is that they’ll leave the company or something, they’ll lose the phone perhaps, and your personal data’s going to get wiped out. But of course, that’s not how that works anyway.
Stephen Rose (28:05): No. And also people get this fear like, well, now they’re watching everything I’m doing. And that’s the other thing that isn’t happening. You know, when you’re inside of a business app, it’s gonna limit you to things like saying, Hey, you can’t send a credit card number, and I know we’ll talk about some of this stuff later, but it’s not going to keep you from doing that in your personal stuff.
And it’s only going to be looking at stuff when you’re in a business app connected through the network and it’s running through that data. So again, different companies have generally different policies, but by default, we’re not doing that. That’s something that is an organization by organization, is picking and choosing and they should make their end users very aware of what that policy is and how they’re doing it.
Paul Thurrott (28:46): Right, right. I don’t want to embarrass anybody, but I have a friend who works in the financial services industry who doesn’t understand why the people he works with use their work phone that they provide for personal use. And you don’t understand why someone gave you $1,000 phone and you want to use it. I mean, you know, I think, you know, he’s kind of an old school IT guy. I think from his perspective, you know, they’re like you said they’re spying on me or they’re going to wipe up my data and no, you know, that’s not how that works.
Stephen Rose (29:15): No, they’re just making sure that nothing that you’re getting on your phone is going to get into the network and crash the network and you’re not sending out something that you shouldn’t be. And if you are, that’s fine. But at least it’s wrapped in some sort of protection where if I fire you the next day, you lose access to all that stuff, no matter where it lives and can’t get to it without disrupting anybody else. And that’s at the core.
Paul Thurrott (29:36): Which is the exact right way it should happen. And if you’re on your own device, you still have your device and you still have everything that you had on it. It’s just that you no longer have access to the corporate data. Yes. So I mean it makes perfect sense. And then I think the best part of this, or the most interesting part in some ways is the data protection capabilities, especially on mobile, which is kind of what we’re talking about here. There’s lots of stuff. Information rights management goes back you know, many, many years. The ability to by policy determine whether information can be sent to or from the Microsoft apps on the phone and thus from your organization archiving, et cetera. But can you speak a little bit about the data protection capabilities on mobile.
Stephen Rose (30:15): And it’s also a good time to say that things like IRM and do not copy and do not forward are different capabilities. Those are, you may already have those.
Paul Thurrott (30:26): Right. I’m sorry, I meant to say those are related.
Stephen Rose (30:28): Yeah, absolutely. But they’re not exactly the same. So we have at the highest level that we’re protecting people from bad actors and malicious, you know aspects we’re really looking at pre threat and what’s going on there. And choosing is information encrypted, which is different from, you know, information rights and do not copy which is being done differently. And DLP, which is also being done differently. So at this point we can be categorizing, we can be searching for specific types of information and make sure we’re not copying and sharing that. So they’re all different. And again, it’s not a one size fits all. So you may choose to use different pieces of this at different levels.
Paul Thurrott (31:08): Okay. And we do have an advanced data protection video as well. I think this is the final video.
Stephen Rose (31:15): Yeah. And what this is going to do is protect your sensitive data. It’s mitigating the risk of it getting into the wrong hands. Like here we can see somebody who’s trying to drop in a credit card number and then if they go, Oh, that’s right, I’ll, I’ll put that info into a document or something else. It’s still not going to allow that, that is now encrypted.
And those policies are both inbox and they’re customizable as we start to do that. So that’s really making sure that the stuff, if it’s marked confidential or this and that, you’re not sharing it with outside vendors and if you need to then reclassify that person and give them a guest account or require a higher level of management on that device or things along that line. And it’s not that you can’t do it, it’s just there are additional things that have to happen on both sides. Cause we’ve decided as a company, this is how data needs to flow back and forth.
Paul Thurrott (32:02): Right. Right. So the third big piece of Microsoft 365 and we really haven’t talked about this too much yet, is Windows 10, specifically Windows 10 Enterprise. A lot of the, all of, I should say all of the data protection.
Let me look back and make sure this is correct. I mean all of this stuff we just talked about is all applicable to Windows 10, of course, but as the richest client and Microsoft’s own client, there’s some additional capabilities there that are kind of interesting. Windows Defender obviously is available as part of Windows 10, but Windows Defender Exploit Guard is something that you get with Microsoft 365.
Stephen Rose (32:41): Yeah. And that again, it’s that pre threat detection and prevention that we talked about and you’re getting Windows Defender for malware. So again, it’s that wrapper around and that goes above all the things that are built into the operating system, in the chip set. When we get past BitLocker and we get past you know, the things that Intel had built into their chip sets. So we’re really looking to make it as seamless as possible. So the message pops up for the user and says, hi, we’ve detected some malware. Sit tight while we fix this. Or in OneDrive. If we see a lot of files getting rewritten very quickly, we’re going to pop up and say, Hey, we’re gonna pause this because we think there might be some malware. We’re going to check it out. Yup, we found it. Or please do this to go ahead and get rid of it or we’re going to bring you back to a restore point.
Stephen Rose (33:29): So the system has become very intelligent, so it just doesn’t give you some message going warning and people go, okay, you have my attention. Then it goes, yeah, I got your attention. You’re like, okay, well what do I do? Well, I don’t really know. So now at least we can walk folks through that and do that. And I think that was one of the things that we did get out of Windows 8 was we learned how to better because we built an operating system almost from the ground up. It wasn’t just Windows 7 plus more, that we built in some of that stuff, but leveraged what was good and made it better in Windows 10 and got rid of things like, hi, are you sure you want to install this app?
Are you really sure you want to install this app? I’m going to darken your screen and get your attention and make sure you know what you’re doing. Are you really sure? Yes, I want to install the goddamn app. Let me do it please. You know, to the point where people just turn that stuff off, which was the opposite. So it should be seamless and in the background and only coming to the attention if it’s something that is out of the ordinary and it starts to learn that and that’s really sort of at the core of our exploit guard. It’s seamless. It’s happening in the background, as well as most of these other tools so that if we, sorry, I need more caffeine.
Paul Thurrott (34:40): It is demonstrably lighter than it was when we recorded this a month ago. But anyway, I assume by the time this series winds down, we will be full summer and you know.
Stephen Rose (34:49): I think we should do the last one, sitting on our back decks, having some cocktails,
Paul Thurrott (34:54): Yeah, little umbrellas.
Stephen Rose (34:54): You know, dogs hanging out, little umbrellas, the whole thing and just do the last one, that we’ve now made it through the full season of gloom.
Paul Thurrott (35:03): I like it. So a lot more with Windows 10 obviously. We don’t talk about this from this perspective enough I think. But the new Microsoft Edge, is an interesting thing with obviously built in tracking protection and so forth. What has kind of changed there?
Stephen Rose (35:20): It’s that sandbox and you know, a, going to Chromium was great. I actually installed some Chrome extensions into the browser and without a problem. That was great. I’m like, Oh Hey, this works really well.
I use Spotify a lot, so it was a way for me to do some things in Spotify in the browser I wasn’t able to do before. But everything is sandbox, which is great, which means when the browser crashes, it’s not going to pull anything else down. If you get malware, if you get an infection, something that doesn’t look right, it basically says, all right, I’m just going to close the browser, delete the sandbox, and get rid of this right there. So we’ve made it very solid while increasing speed, making it simpler to use. So again, it’s a lot of things like, Hey, you ran a safe link so it’s green.
Stephen Rose (36:03): Hey, this doesn’t look right. So it’s red at the top and now very different symbols, not just the locks. We’ve gone way beyond that. An easier way to be able to see the certificate for that site by simply just clicking and being able to see what’s there. So it’s small things to, again, very seamless to the user, but we’ve really redesigned this browser from the bottom up to be fast and secure, to really give you that best of both worlds. And I think it’s just not a great job.
It is one of the first products from Microsoft from the moment I played with one of the early betas, I went, wow, this is really going to be something. And I think they’ve done, finally got this figured out. I met with Roger Capriati over on the Windows team and I went, it is awesome. Great job. I think you guys have finally figured this one out.
Paul Thurrott (36:47): Yeah, I agree with you. Yeah, it’s felt solid since day one. You know, the first pre-release version, I mean for sure. And it’s as seamless as the old Edge in the sense that you get the authentication pass-through capabilities. So if you’re signing in with your work or school account or your MSA or whatever that stuff all pushes through. That’s the browser so.
Stephen Rose (37:07): Yeah and I’m signing in so much less, cause it’s just recognizing and going, yep, I know you have the right tokens. You’re automatically in, less of that having to go to my phone. Plus I love the fact now that I was using it on a different device than on my phone and I get back and everything is properly synced and it even said. You have some extensions and collections used on another version of the browser. Do you want to import them here? Of course, I do. Yes. Great click and it just did that and I was like, Aw, that’s awesome. That’s what I’ve been waiting for.
Paul Thurrott (37:37): Yeah.
Stephen Rose (37:37): And now we’re finally working on backing up the Outlook signature so.
Paul Thurrott (37:42): It’s come full circle. It’s funny because if you and everyone does, I mean you use other online accounts, everyone has them. It is so much more tedious to use another online account compared to the Microsoft accounts because on the Microsoft side it can be passwordless and it is just so wonderful not to have to manage that or worry about that kind of stuff.
Stephen Rose (38:07): It really is, and now that I’m using more Mac and iOS devices as well as Windows, it’s so much more seamless as I go back and forth, which I appreciated, except for the fact that on my Mac and iOS device, I sometimes have to show up my face to get in. If it’s been a while to something, which is absolutely fine, it’s an extra five, six seconds, but, it’s secure.
Paul Thurrott (38:24): Well, but reauthenticating is so much easier with Microsoft because it’s still going to be passwordless. That you don’t get into a situation where you’re forced to enter your password, which you are with, I would say with Apple and with Google as well. And it already seems archaic.
Stephen Rose (38:44): It does. Yeah. It comes up on my watch and I go, okay, tap approved and there it is. And then, look at my phone, my phone sees my face and it goes, great, you’re done. Then that’s it. And I’m in, right.
Paul Thurrott (38:54): Yeah. Perfectly reasonable that you may occasionally need to reauthenticate, but you can do it with a MFA without a password. Beautiful.
Stephen Rose (39:01): Yes. And that, that has made a huge difference in just I’m in speed and access and just, you know, peace of mind knowing that what I’m doing is secure.
Paul Thurrott (39:11): Yeah. Yeah. This is great. So the final Windows 10 piece I think we need to discuss is servicing which has gotten kind of a bad rap. But actually I would say this is another one of those areas where since Windows 7, anyone who’s ever had to update a Windows 7 PC will tell you the unique hell that that is. And that situation has changed dramatically on Windows 7 and of course it’s also something that you can configure as an organization.
Stephen Rose (39:40): Yeah. And on Windows 10, I mean, what we’ve done there is gotten away from, we’re going to have to rewrite the whole OS back when it was in the Windows 7 days. And now with Windows 8 and Windows 10, we made it more like Lego. We remove a small piece, we then put the new piece in and we just compile it, make sure everything goes good and we let you in. So that’s gotten much faster. What’s really amazing is I started to play with Windows 10X and I was able to flash the device in about 60 seconds from start to finish. The OS crashed, I flashed it and I was right back on some smaller, like a Surface Go. It was absolutely amazing. So we’ve learned a lot about those pieces and how to just update smaller pieces to do that.
Stephen Rose (40:25): But it’s interesting cause you know I did the show with Mary Jo last week and she brought up the whole, you know, Windows Edge question that came up about, you know, how we were gonna with Bing and ads and stuff like that. And I said, look, that’s not my table. But what I can say is, it’s not my area. But like we did with servicing and Windows 10, we definitely listened to the customers and the customer said, we cannot be updating this every three months. We’re going to go to a long-term servicing branch if you do that. And then we stepped back and we took a look at it and said, well what if we do it every six to eight months? Well that’s a little bit better. Well then let’s do long-term servicing branch. Let’s do where we’re only once a year, you’re going to be forced to do this update.
Stephen Rose (41:10): We’ll keep it as short as possible, but we’re going to have lots more little ones that we’ll do. But most of them won’t require rebooting. So that should be okay for you. So I think we’re always listening to the customers when we get to that. And there’s a middle ground between getting the most value out of the operating system and getting these new features, which are going to make things better for end users and more secure versus not, you know, slowing people down or forcing them to do a ton of reboots or their day taking longer because of things like that. So it’s always that balancing act. But I think we’ve listened and I think we’ve done a good job around that.
Paul Thurrott (41:46): Yeah. I remember Microsoft speaking about the desire to have everyone be on the same Windows version and how that would be so great for the community, not just for Microsoft making it easier to deliver the updates, but it would make everyone more secure because the updates would be that much more easy to deliver. But obviously in some cases long-term servicing is necessary. I mean, aside from just, you know, old school environment, we kind of don’t feel comfortable updating on this cadence. I mean, what are the situations do you think, where it makes sense.
Stephen Rose (42:17): It’s funny as soon as we say, are you using Office and they go, yes then that is not long-term servicing branch cause it should not be for people who are using Office, which means it’s going to be manufacturing. It’s probably going to be you know health and life services where they’re in a hospital or something along that line. Retail, banking, things like that where there are very, very specific apps that are being run and that’s it. You’re not doing email, you’re not doing those things where it needs to be locked down to manage. But Michael Niehaus said that, you’re running Office, then you’re not an LTS.
Paul Thurrott (42:52): Yeah. That’s great.
Stephen Rose (42:55): Yeah. And it’s a good simple way to look at it.
Paul Thurrott (42:55): Yeah I would have said something. You know if you’re on a machine where you’re actually browsing around looking for apps, that’s not going to be a, but actually Office is an even better way to say it. That’s great.
Stephen Rose (43:03): Yeah, Office makes perfect sense. It’s just, Hey, then you’re an information worker and that’s not the right person. But yes, I run a piece of machinery and you know, I went out to Miller Brewing and yeah, I got to configure the line and everything works in there and I’m doing that, then that’s great, then that should be it because you’re looking at millions of dollars of disruption if something’s not working correctly or happening the wrong way. So, or people’s lives are in the balance, whether you’re an air traffic controller or a nurse. So things along that line. But yeah, it’s a simpler way to look at it.
Paul Thurrott (43:35): That’s brilliant. No, that’s going to be my takeaway from this episode. That’s beautiful. A couple of news points real quick. I try to just cover some of the things that have happened, the last time we spoke on this podcast was almost a month ago. So we’ve had another month of Microsoft, 365 updates. As you know there is a massive list every month. It’s really hard to follow.
I write about some of this stuff on my site, but you know, XLOOKUP has come to Excel, et cetera, walkie talkie features coming to Teams, which is kind of interesting. Features for FirstLine workers, live presentations in PowerPoints. It kind of goes on and on and on. But some of the things that really stuck out to me this past month, Mary Jo had a story that 25% of all Office 365 licenses are not coming from Microsoft 365. The timing on that is really interesting. That’s higher than I would have expected. One thing. So that’s great. That speaks to the,
Stephen Rose (44:29): 25% of all Office 365 licenses now come from Microsoft.
Paul Thurrott (44:33): Yes. Not completely, not out in the world, but as of now.
Stephen Rose (44:37): I think you flipped it.
Paul Thurrott (44:38): Oh, I’m sorry.
Stephen Rose (44:39): That’s okay.
Paul Thurrott (44:40): So that’s very interesting and I think that speaks to the success of Microsoft 365 today, and we don’t get a lot of hard data there that, you know, Microsoft doesn’t break that down a lot. So that was really interesting. We just did our own audience survey on Petri.com and I’m not sure if I can share the exact number right now, but I’ll just say more vaguely that the Microsoft 365 deployment rate was higher than I had expected there as well. And I think kind of mirrors this.
So that is very interesting. And when did, well I guess we’ll call it Microsoft Defender, most likely on mobile is coming as well. So the Windows Defender features that Microsoft has in Windows 10 are coming to Android and iOS.
Stephen Rose (45:19): Yeah. We also pushed out that Office mobile app, which has all those really cool features of scanning and pinning together PDFs and all that. So that’s there. It also has that code share, which is really cool, where you can create a code, somebody else can easily just bump share stuff back and forth. So that was a big one. And then one of my favorite, it’s funny, I get asked all the time like, what’s my favorite feature in Office? And it makes me think as we’ve talked about some of the new [inaudible] and things, but the one that wows people every single time, and I’ll encourage folks if they haven’t done it, it works on desktop and mobile is live translation.
It is the coolest feature. I will stand in front of an office, you know, in front of an audience and I’ve done it in India, Sweden and Amsterdam where I’ve just turned on Dutch translation or Japanese translation and it does a really great job in showing that translation and it’s not one of those, you have to train it with your voice, it listens to your voice for about five, six seconds and then it starts to pump it out.
Stephen Rose (46:21): If you’ve not played with that feature, do it, it will blow you away. It is absolutely amazing. So now live presentations, it’s adding even more cool stuff to take that to the next level.
Paul Thurrott (46:31): Nice. Yeah. I don’t speak another language fluently enough to know how well that works. But what I’ve heard many times is people who do know the second language when asked will say, yeah, that actually works. That actually did pretty well.
Stephen Rose (46:46): Yeah, as long as you’re careful not to use some really odd or unique terms like embiggen and ensmallen, when you’re talking about pinching and zooming,
Paul Thurrott (46:54): Right.
Stephen Rose (46:54): I use that. I’m going to embiggen it I’m going to ensmallen it and I go, just go say embiggen.
Paul Thurrott (47:02): If you’ve ever watched an international movie. Sometimes you’ll see those words will just kind of come through like, well whatever it is.
Stephen Rose (47:06): Yeah, yeah. But it’s great. I mean, audiences I’ll start to talk, and the audiences will be applauding and they’re like, what software did you use? I’m like, PowerPoint, like, no, no, no. For the translational like PowerPoint, that’s a great example of the power of our cloud and you can tap into that with SDKs. It’s cool.
Paul Thurrott (47:22): Actually, so a couple of things you just mentioned kind of fall into that category. The new Office app on mobile, for example, where you’re combining not just core Office apps into one app, but also additional capabilities that used to be separate like Office Lens and PDF annotate and so forth. The fact that you don’t need something else to make it happen is like putting the technology where it needs to be, is I think the important part. I think that’s the cool part of this though. This just happened last night. But Edge on iOS got tracking protection. I think that’s the first time it’s come to a mobile client. And so yeah, so presumably we’ll see that on Android soon as well. And if you’re using Edge and mobile and you should be you can of course sync with the new version of Edge now across platforms. So that’s good. And what else do we have? Well, Microsoft has lots of resources for businesses moving off of Windows 7. Of course they do.
Stephen Rose (48:18): I’m doing an AMA in April, so watch my Twitter feed for that, we’ll push that out. But we’re going to get folks from engineering. So for those of you who are saying, Hey, I want to dig in deeper into some of the stuff that we’ve been talking about, or I have some very specific questions, that’ll be a great opportunity for folks to come in and dig in and do that. So watch my Twitter feed. I’ll be announcing, I’m giving you the exclusive. I haven’t even announced it yet.
Paul Thurrott (48:46): So this is what part, this is like early April probably?
Stephen Rose (48:50): Um, yes. Hang on.
Paul Thurrott (48:52): So we’ll record at least one more episode of this podcast before this. And so maybe by next time we’ll have the exact, we can put up a link.
Stephen Rose (49:02): I’ll get it to you.
Paul Thurrott (49:02): Okay. All right.
Stephen Rose (49:04): I will hook you up right now. I just got to launch my Outlook and don’t want anything to crash or get weird while I do it. Hang on. Let’s see how quickly I can find it.
Paul Thurrott (49:28): Yeah, I don’t know. I didn’t have it in my notes.
Stephen Rose (49:30): I don’t, I could’ve swore I had it. Going to give myself 10 more seconds to look for it. And if I don’t then that’s fine.
Stephen Rose (49:43): All right, I’ll get it to you. We’ll put it here at the bottom of the screen or in the notes or something and you’ll all be able to check it out, obviously within the next time,
Paul Thurrott (49:52): I mean we still have some time obviously before then.
Stephen Rose (49:54): Yes, we do. Oh, hang on, I found it. Here we go. Life is good. So I’m launching it right now, let’s see, it is techcommunity.com\Microsoft365AMA, it will be on April 21st from 9:00 to 10:00 AM in the Microsoft 365 AMA space. So that’s where that will be. That is at AKA.ms\teamsama
Paul Thurrott (50:29): Nice. Okay. That’s easy.
Stephen Rose (50:31): Yup. So that’s pretty easy and we’ll remind folks again next month of that. But yeah, if you want to dig in deeper, we encourage you to come check that out and we’ll get people that are way smarter than me on that.
Paul Thurrott (50:40): Well, I dunno. Okay. But I mean, you know, we do what we can do here. I mean, obviously this is a high level overview, so this will be more of a deep dive, which I think is good.
Stephen Rose (50:48): Yes it will. Yeah, we’ll go 400 level for those folks who want to do it and if not, we’ll follow up with the right answer, so. We like to.
Paul Thurrott (50:53): Okay. Yeah. So just a couple of tips real quick for users. Stephen mentioned the new Office app and what’s interesting about that, one of the things that’s interesting about that is that Microsoft now has a cohesive and integrated and nearly identical interface for Office across multiple end points. So you get the Windows 10 app, which is fantastic if you haven’t seen it.
The iOS and Android app, Office.com of course, and that works for consumers or commercial users of Office and Microsoft 365 and even the Office extension from Chrome, it’s basically all the same thing. It’s a way to access your apps and your recent documents and pin documents, important documents and so forth. And then we talked about some of the admin experiences in Microsoft 365, the two URLs, the two top level URLs to remember. And these have changed a little bit over time. I always think of these things in terms of portal dot something, but now it’s admin.microsoft.com for Microsoft 365 and then Azure is the portal.azure.com and the reason you might want to go there, well one of the reasons is to manage the Azure Active Directory stuff. It’s on there.
Stephen Rose (52:00): And individual ones like you can also replace that with OneDrive, SharePoint. Most of them, that admin dot blank dot com will get you to, if there’s a separate one, like there’s features in the OneDrive and SharePoint one, you don’t get in some of the others that are all at the highest level, but easier to break down by product. You can sometimes do that.
Paul Thurrott (52:20): Right. So you may be specifically responsible for security or compliance or like you said, SharePoint, whatever. Those things don’t appear in the left rail by default, but you can get down to them and then they have these specific URLs. And that’s of course where you’re going to live every day if that’s what your job is. But those things are all available online so that’s cool. Well, thank you sir. Thank you again.
Stephen Rose (52:42): Of course, thank you.
Paul Thurrott (52:42): We will be back, probably in about a month, it seems with our next episode.
Stephen Rose (52:47): What are we talking about next? The next one?
Paul Thurrott (52:49): I believe, we are talking about Microsoft Teams and the power apps.
Stephen Rose (52:52): That’s right, cause we’re coming up on the Team’s third anniversary.
Paul Thurrott (52:55): Yeah.
Stephen Rose (52:56): So yes, I think that’ll be great cause I’m looking forward to diving in more deeply into not just Teams, but also some of the third party connections and different ways folks are using it. And we’ll bring up a few tips and tricks and things like that. So that’ll be cool, looking forward to that.
Paul Thurrott (53:10): Yep. See you next month.
Stephen Rose (53:11): Absolutely. Thank you.