Microsoft 365 Knowledge Series Episode 5: Enhancing Your Security
This week, we are taking a look at the security features offered within the Microsoft 365 suite and how you can take advantage of them for your operations. Joining Paul Thurrott and Stephen Rose this week is Chris Jackson – Principal Architect, Commercial Endpoint Customer Experience Engineering
Read the Best Personal and Business Tech without Ads
Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.
Paul Thurrott (00:06):
Hello and welcome to episode five of the Microsoft 365 Knowledge Series. I’m Paul Thurrott and I’m here as always with Stephen Rose, the Senior Product Marketing Manager for Microsoft 365, but also this week with Chris Jackson. Chris, I have to talk to you about your, your title. Chris is a Principal Architect, Commercial EndPoint Customer Experience Engineering, but also is the Chief Awesomeologist, Cybersecurity, Windows and Browser Enthusiasts. Please explain, sir.
Chris Jackson (00:37):
So, there’s a session I did at Build, was also done for a number of internal sessions called Amplify Your Awesome, cause one of the things I like to do in my spare time is study people who’ve had this really enormous success in their lives and in their careers. I’ve had them talk about it. So we actually did a series of talks using a format that I completely ripped off, which is, you know, 20 slides auto-advancing every 15 seconds. So it’s five minutes in and out and you’re done. Stephen you actually did that for me once.
Stephen Rose (01:04):
I did, I did your first one.
Chris Jackson (01:06):
So it really was, you know, Hey, I really want to study what other people are doing. So you know, much like, you know, you do not yourself have to be made of urine to be a urologist. I do not personally have to be awesome to be an awesomeologist. But instead, I just studied people who are awesome, so.
Paul Thurrott (01:23):
Stephen Rose (01:24):
I will say this, it is the hardest presentation I’ve ever done because with only 15 seconds per slide and it auto advances, by slide two, you have to be deep into your story and what you’re talking about. Super engaging. I did it like four times and then ripped it apart the night before and completely redid it, but really enjoyed it. But it is, it’s a neat concept.
Paul Thurrott (01:48):
I mean, I’ve spent an hour and 40 minutes on slide two, so I’m not sure how that would work exactly. But so, well, okay, so Chris is obviously a subject expert in security. And we did cover security a bit in episode three, but this week we thought we’d take a deeper look at the Microsoft 365 Security story specifically because of what’s happening in the world, right? So a lot of people, IT pros have as Stephen was telling me earlier, have done in a matter of days what they had planned to do in months. And now it’s time to kind of take a step back and say, look, we gotta make sure we’re doing this securely. Not just the devices, obviously Windows 10, PCs and mobile devices of all kinds, the BYOD thing factors in here. But also the data on those devices.
And Chris, you weren’t here for this and this will probably not be particularly exciting for you, but we did, the stuff that we talked about before in brief, we looked at some of the security controls across Microsoft 365, Exchange Online Protection, the Intune, Selective Wipe, App Protection, Windows Defender Exploit Guard, the browser protections in Edge, and of course the Security and Compliance center in Microsoft 365 Secure Score and so forth. So that was a big part of the conversation that we had last time, but I thought maybe this time we could look at security a little more holistically, but also across everything that Microsoft 365 has to offer and what IT pros should be doing now given the situation. To kind of take a step back, like I said, and maybe reevaluate their security stance with everyone working remotely and maybe this being the new normal.
Paul Thurrott (03:31):
So where do you guys want to start? Just, you want to bring it right through the products, we can go Windows, Edge that way. Or how do you want to look at this?
Stephen Rose (03:42):
Yeah, I think let’s start with personal productivity. So desktops and maybe browser and you know, some of the Windows security features and then go bigger. What do you think, Chris?
Chris Jackson (03:53):
No, I think that makes sense. Yeah. I mean if we kind of take-off and you mentioned, you know, a couple of like, you know, point solutions that, like Exploit Guard, like, show me what’s on there. App guard, you may have talked about before. And I’m, going to kind of, you know, boil that up a little bit and really think about you know, what are the key scenarios and what’s some of the guidance that we have around how do we get there, right? Because the number one scenario that I’m hearing from absolutely everyone is, Holy cow I had a perimeter-based security paradigm. I depended on everything coming through. We have forced VPN. And even at Microsoft, we saw a 3x increase in the number of people coming through VPN because, you know, if you think our devs are coming in with a device, that is not what’s happening.
Chris Jackson (04:45):
So even we, you know, sort of had this like, Hey I think the VPN appliances are almost on fire at the moment. And how do we scale that up? And we have a split tunnel put up. So what really it comes down to is I’m taking the fast road to zero trust. And most people are kind of starting it off with baby steps of, you know, Hey, step one, let’s look at, you know, how do I at least put some selective things outside of my VPN tunnel, so that, you know, the updating and things like that. As we think more holistically about how do I get to the point eventually, when I only have to use the ability to tunnel in to gain access to the things that need to be inside and otherwise I have that zero trust posture.
Paul Thurrott (05:32):
Yeah. I think Microsoft 365 as an org actually posted something recently about VPN in this new age, and some of the concerns are obviously with VPN you might have concerns with performance and reliability and so forth, but do you think that this current situation is going to drive more people and more organizations, I should say, to put more of their infrastructure in the cloud and outside of that local infrastructure that you’re trying to protect there? I mean, do you think this is going to be a big driver in change at that level?
Chris Jackson (06:10):
Go ahead Stephen.
Stephen Rose (06:11):
No, no, real quick. I was just going to say, I think we’ve seen three or four really interesting things happen recently. Number one is WVD has absolutely exploded, Windows Virtual Desktop and I’ve seen a lot of folks where they said, we don’t, the amount of time and effort for us to lock all this down is going to be almost impossible. So we’re just going to put this into Windows Virtual Desktop. What’s great is if you’re E3 or E5, you’re already licensed for it. They put it in there and then they pushed out those Virtual Desktops out to users. What’s great is, especially if they didn’t have a work laptop that they were able to bring home, they could use BYOD, but again, all the processing power is happening on the back end in the clouds. What’s great is you could have a five or seven year old device and still be able, as long as you have a good connection, be able to have a really, really great experience.
Stephen Rose (06:59):
Paul Thurrott (07:00):
And this is Azure hosted. In other words, this is the Azure host.
Stephen Rose (07:04):
Right, yep. Or to take a few specific apps and host those in Windows Virtual Desktop and just push out the apps to users where they want it to secure it, where they want to to wrap it or put a boundary around it. And that’s one of the first things that we saw. And then the second was finish moving some apps to the cloud and leveraging the browser. But I think there’s some really important things to keep in mind as we look at browser security. And for that, I’m going to throw that back to Chris cause that’s more his area of speciality.
Chris Jackson (07:35):
Oh sure. And in the context of the browser, well, before we even get to security, I want to talk about productivity is, you know, particularly in a case of BYOD, how many people at home today are honestly running Internet Explorer? How many people at work are? Right? And you’ll notice
Paul Thurrott (07:54):
Are we allowed to say those words?
Stephen Rose (07:57):
We can, but only for a moment. There has to be some language [inaudible]
Paul Thurrott (08:01):
Some [inaudible] collecting that needs to occur suddenly.
Chris Jackson (08:04):
Well, it’s just where, you know, things have been built. It’s the same thing as trying to bad mouth, you know, VB 6, right? VB 6 still powers such an enormous percentage of all the things that are running. And they work, right? It’s like, yeah, I could invest in redoing the same thing. I call that being on the treadmill, right? Where at the end I’m tired, money’s gone away, you know, but I’ve not actually gone anywhere. I’m standing in exactly the same spot. So I understand why an organization would do this, but now you’ve got this mismatch. So the ability to start targeting my users at home and say, Hey, I can give you the new Microsoft Edge and configure IE mode so that all of the sites that we have internally that need IE, will just work, just launch this browser.
Chris Jackson (08:43):
And all of it comes to be like magic instead of, you know, what we used to have to do is have every single user remember which app needs which browser. And that also from a security perspective ensures that IE is only used for those sites that truly need it. That you’re not, you know, actually just sort of using IE all the time. In fact, when you start thinking about how we go through this process, right? The initial, you know, get it all configured, make sure it’s working, but you can set a policy that says, Hey, if you’re in IE and you go to something that’s not on the site list, kick me back out. And now I start to really reduce that surface area of, Hey, you know, where am I going to put something in where it can have this binary extensibility where it doesn’t have the same advanced security features.
Chris Jackson (09:27):
I will use it for the sites that need it, but only the sites that need it. And then we can then start building on top of that to say, all right, well with this foundation of my legacy stuff works, my new stuff works. All of that’s good. Now I can start looking at, you know, Hey, I get all of the security features that come with having a Chromium based browser, which builds on top of a lot of Windows security features. Ironically enough, initially came out in the wildly popular Windows Vista release. But you know, that you know, really formed the foundation of this, the security sandbox that builds there and then have the accessibility of an even stronger sandbox, which is, you know, what we call a Krypton container. Externally, it’s called Defender Application Guard. Which in essence puts it into its own micro VM.
Chris Jackson (10:19):
And the hyper-v boundary is one of the very best security boundaries that you have on Windows. You know, I like to say that a hyper-v boundary is the thing that makes Azure a viable commercial product. And now you may or may not have determined, but you know, it seems we’re a little bit bullish on the cloud. We’re kind of silent about that. Don’t talk about it too much, but believe it or not, we do believe in the cloud. And so if you’re going to be behind the technology getting behind the one that is all about the thing that makes Azure possible that’s a good bet to place.
Stephen Rose (10:52):
Yeah. And that sandboxing is really critical because that’s going to do a few things for end users. Number one, if the browser locks up and crashes, it doesn’t take everything else down with it. So that’s really great because you can immediately continue to work and when you relaunch it, it’ll probably reopen those Windows. But from a security standpoint, what’s really critical there is if you get any malicious actors that come in, they’re within that sandbox. They’re not going to get at the critical data. We’ve already solved that issue. You know with Windows 8 and Windows 10, from the moment you hit power until the operating system loads. There’s no gaps. But the big gap was always once the operating system loaded what was going on with the browser. So by now separating that out, providing that secure container and now also being able to, in one of my favorite features in Chromium Edge is the ability to take a website and save it as an application, which is great.
Stephen Rose (11:46):
So now you’re taking this thing where you don’t have a dedicated app for it, and whether it’s Facebook, whatever it is that you’re using, you can save that now as an application, pin it, leverage it that way and do it, but be able to do it securely. So you may have apps that you haven’t built as a Windows app, but that is a webpage app that you can now push out. And it looks just like an application to your end users and removes a lot of that confusion. So there’s a lot of value there in making it easier for end users, which is, you know, my big focus and for Chris what we’re doing on the background to make sure it’s that secure environment so that administrators don’t need to you know, lose sleep.
Paul Thurrott (12:29):
So just to be clear the policy based IE mode that Chris was referring to earlier is one of the things that IT pros can do today after the fact. Now people are already working from home they’re hitting their internal sites with a browser and so forth. But this is something you can now whitelist and blacklist, I presume, sites to or at least determine which part of the browser they’re going to use. In other words, this is something that you can do retroactively to ensure that your users are hitting the right sites with the right browser, essentially. Right? Right. browser engine, I guess.
Chris Jackson (13:03):
Correct. Yeah, it’s a configuration file. So, you know, through either group policy or through Intune or any other management tool, you have, you in essence define an XML file. We have a tool for creating it so you can, you know, you don’t have to manually edit XML. Although you certainly can. But, you create this file and then you just set the policy and say, Hey, here’s where you go get the file. Then, you know, we go and fetch it and we use that to determine what’s in and what’s out and can make it really seamless. And unlike what we used to do in the older version of Edge, the legacy version where it’ll actually pop a whole different window. So you had this pretty disruptive user experience where all of a sudden it’s like I navigate somewhere, boom, a whole nother window pops up. Now, you know, you navigate somewhere and you can’t even tell. Like a lot of times you actually have to sort of right click and look at the menu and go, Oh, that’s the IE pop up menu and not the Edge one, to even tell the difference or be like, Hey, is this Silverlight? What, like, what’s going on in here?
Paul Thurrott (13:59):
We don’t talk about that either.
Stephen Rose (14:01):
Paul Thurrott (14:05):
But yes, I mean this is the dream. You know, back in the day there were, when IE was an ongoing concern. There were problems moving from version to version and that you, a lot of companies would buy third party solutions that would help them run a specific version of Java and Activex and the IE rendering engine and so forth. And now this is all just by upgrading now to Edge, you essentially get this capability to use a single browser and the user doesn’t even have to worry about it. It’s just happens automatically.
Chris Jackson (14:32):
Well to that point, it’s sort of interesting, and this is kind of, you know, a little bit of a tangent, but it’s actually that was the most common request we got every single time and we’d been solving it through something we call document modes. So if you look at how IE works today, there’s actually like 14 different ways it could potentially render a webpage depending upon, you know, all the markup and the declarations and the headers and so forth that determine that. So, but it was so hard to configure that most people didn’t always get it right and they’d say, just give me the whole browser side by side. What we kind of did with the last version of Edge and it turns out everyone hates it, they don’t want to have to track which browser to use for which one that you know, the new experience, which is, you know, kind of going back to what we did before, but in a slightly different way, that basically sort of draws a line between this is the perpetually updating one and then here’s the old stuff that you can keep around as long as you need it.
Chris Jackson (15:24):
Right. And we will constrain that security surface area and that compatibility surface area for you.
Paul Thurrott (15:30):
Stephen Rose (15:32):
Let me just add this. One of the other great features about Chromium that I also really love is you can also use Chrome extensions. So you can go out to the Google marketplace, you can take those extensions and bring those in. And there are some really good IT pro extensions that are doing a variety of things that I thought, wow, this would be great if we could use it with the browser. So it really gets rid of even as an IT pro like, well I have to have Chrome cause I’m running these two extensions, which are important to map, you know, how much usage is going through my VPN or what my portfolio is doing today. And you can now have those. So it’s hard to do that.
Chris Jackson (16:06):
Well let’s take that and riff it. That’s kind of another point to think about is, security baselines, which is something a lot of people are starting to look at now, which is, Hey, suddenly I’m managing a whole bunch of new devices. Maybe I’ll start with this. And the extensions reminded me of that specifically because if you look at the security base ends, we have security baselines through Edge 81, which is the current stable release we have now. And one of the things we put into the baseline is, don’t use extensions. Right? We will actually, you know, do a block list for a star, right? All of them are block listed because it’d be, you know, and you have this great flexibility of control. And I mentioned this because yeah, if I deal with extensions, extensions are to some extent a voluntary man in the middle attack.
Chris Jackson (16:52):
I’m going to trust this piece of software to intercept all of my HTML and do whatever it wants to with it and hopefully it will do no evil in the process. So we have a vetting process and there’s sort of a processes all around that. But you know, I wanted to talk about baselines because it’s important to be careful, particularly if you’re going after a BYOD, the baselines are designed to get you 90% of the way there. Like, Hey, if you want to be really, really secure, this is what, you know, the US Department of Defense starts with, this is what major banks start with. And so they’re going to weigh things potentially differently than what you might. So you might want to have this productivity feature that someone else who’s trying to protect something that launches missiles at other countries wouldn’t tolerate.
Chris Jackson (17:41):
And there are differences between what you would set. And so, you know, we have the ability, you know, we have a full experience in Intune where you can control it. We have the GPO bay signs to take this as a starting point and think through. And in fact, one of the things we’ve been working on recently is a framework we call SecCon or the security configuration framework, which says, you know, tries to partition out, you know, here are all of the policies that we have, determine how much you want to harden your device. Right we kind of did SecCon one and two and three that, you know, three is a full implementation of the baselines, but one is like, Hey, this is something I can do in the next 30 days to tangibly increase the security of my devices without sacrificing a lot around the ability to get work done. Without sacrificing the user experience as much, this is the low impact settings. The moderate impacts things, then you get into the high impact settings of you can’t have extensions, you can’t be an administrator, you can’t be, there’s all these different things. So as we’re moving quickly, I think it’s important to also move smartly and take advantage of the work that, you know, the security researchers are doing behind the scenes to not only set the baselines but help you tune them to be appropriate for the security sensitivity of the device you’re applying them to.
Paul Thurrott (18:59):
So just a couple of questions on what you just said. So when you, refer to devices in the context of Microsoft 365, we’re talking about the gamut of devices that are manageable. Windows 10, PCs, obviously Mac’s, I presume through MDM and Android and iOS devices, right?
Chris Jackson (19:15):
Yes. So far we have baselines for Windows 10 and that’s one of the things we’ve gotten a lot of feedback on, which is, Hey, keep going. So,
Paul Thurrott (19:24):
Yeah, that’s what I was wondering.
Chris Jackson (19:26):
We have introduced one for the app protection policies. So the APP framework is based upon the work we did with SecCon which says, Hey, here’s three levels you can go through. Right? The more you want to protect the app, the kind of tighter you can twist the knobs.
Paul Thurrott (19:42):
I’m sorry. Yeah. So I mean, what does this interface look like? One of the things that Stephen and I talked about previously was this notion of the Secure Score. And it’s almost like a gamification of the settings that you can configure through the security and compliance center. You know, here’s a bunch of things. If you turn this on, you know, your score goes up, et cetera, and it might inspire some IT pros just to kind of go through the list to try to get that score as high as possible. Is this, these security baselines, is that part of this interface? Is that how you interact with it?
Chris Jackson (20:14):
Oh, so the, the two of them are very complimentary. So, the security baselines are designed to give you a starting point. Whereas Secure Score, you know, takes into account information. In fact, we even expose this as well through TBM in Defender ATP, we’re able to expose the configurations compared to the baselines and we’ll actually show you like, Hey, you know, a recommendation would be to apply this setting. So what I see people having the most success with is figure out the right starting point based on the sensitivity of the device and the potential impact of the organization and set it here to the starting point. And then over time what the Secure Score will give you, is that context aware, here’s what people are attacking you with, you should prioritize this. Cause what we want to pivot from is the way people used to do their security settings.
Chris Jackson (21:04):
And the way I describe it is when we’d release a new version of the OS, like, you know, Windows 7 would come out. We had a giant Excel sheet with all of the settings. So if you’ve ever seen the movie, The Jerk with Steve Martin, was like, the new phone books are here, the new phone books here, it’s the new group policies are here, the new group policies are here. And they would call a meeting and those meetings could last for weeks of reading through one by one and trying to decide what’s the best answer to this in the absence of no data.
Paul Thurrott (21:29):
Which of these are actually important.
Chris Jackson (21:31):
Right? And that’s what we want to try and fix is a, give you a smart starting point that is a well known and proven solution that’s on millions of devices and then evolve it based on the data of what’s happening in your organization.
Paul Thurrott (21:49):
All right, so security baselines are Windows specific. Is there anything else going on in Windows that IT pros and admins need to think about now with people working from home and so forth? Anything else?
Stephen Rose (22:02):
I think the split tunneling that Chris brought up earlier is incredibly important. And I’ve seen some really great blog posts on that, Jeremy Chapman has done some really good stuff around that. I think that’s one of the first things is a, what do we need to do? Number two, what can we get off the network? What doesn’t need to be on the network? But I think the third is BYOD that a lot of folks did not bring home their work laptops or it’s not suitable for how they’re working or they’re now working from an iPad. So I think taking a look at MDM, how you’re having things locked down. And one of the interesting things was I was chatting with a customer the other day who said we had to get with HR because we were going to increase how we were managing devices on MDM, which included when we got back to normalcy, a complete wipe of those devices.
Stephen Rose (22:51):
And HR said, you can’t do that. Somebody had a baby, their first baby pictures are on there, you wipe it without them being aware of that, we’re going to get sued. So, and we’re like, well why are you even doing this? Why isn’t it selective wipe? So I think it’s as you’re moving forward, people tend to go with this all or nothing approach and just sort of meat hammer it in there rather than go, what really makes the most sense for what we’re doing and how we’re doing it and what are the granular controls? I always say to people if you have like, you know back, if you have an equalizer, you can’t turn everything up to 10 cause it’s just fuzz. You have to figure out where to turn those things up. Companies like Disney are not tracking where people are going on.
Stephen Rose (23:35):
They don’t limit where people go on browser, on websites via the browser. They say creativity could be anywhere and inspiration could be anywhere and we don’t want to limit where you’re going. There’s some interesting arguments around that. But again, my point is, it’s a great time to go back and take a look at policies that you built five years ago when people were still on Windows 7 and working out of the office and weren’t working off a mobile device and weren’t working off their phone and retake a look at those on what makes good sense now and there is no better time to do it than now because if you do something wrong, people are going to let you know pretty quickly on that. And if you’re doing something right, you know, people are gonna say, Hey, this is working much better. And I think a lot of things that we’re talking about across browser, across virtualization, across leveraging Secure Score, putting MFA into place, if you haven’t done it already, things like that. This is really the time to be doing those things if you haven’t fully invested in that now.
Chris Jackson (24:31):
I’m actually going to hit the other angle. That’s a really good point, Stephen, is when we think about, you know, the, the BYOD I think the other area where people are now suddenly starting to have to face the music is, you know, not just the completely unmanaged devices, but the devices that are historically managed that perhaps they were a bit looser on before, you know, great example is what are you doing to administer, you know, your critical systems and services, right? And servers and so forth. Right. And the concept of you know, the privilege access workstations, been around for a while. But if we’re honest, a lot of people were like, yeah, eventually we should probably do something like that. But suddenly we’re in a much higher risk environment where, Hey, just whatever laptop you walked out with, that’s what you’re using to connect in and administer our security services.
Chris Jackson (25:22):
You know, so I think getting the administrative experience and securing privileged access as a concept is something that we’re also struggling with. So I think we also need to hit the other side of the spectrum which is, you know, that thing which needs to be even more secure. So to even start off with the ability to do a conditional access rule based upon device risk, to say, Hey, if you’re going to connect into, you know, the administer you know, Azure AD or administer Defender ATP you should have a device that is not registering as potentially infected with malware at a minimum and then,
Paul Thurrott (25:59):
Sounds so reasonable when you say it that way.
Chris Jackson (26:01):
… start evolving from there, then saying, all right, Hey, you know, maybe I want to kind of go down the path of, you know, Hey, where are devices in general going, right.
Chris Jackson (26:12):
And I kind of view several significant epics in terms of, you know, compatibility and security configuration. First there was the, you know, just let it all roam epic, which really was the first 20 years of our evolution. And then starting around,
Stephen Rose (26:25):
Let it roam, sorry.
Chris Jackson (26:26):
And Stephen croons. But the next era really began in the era of Windows Vista, which is starting to move towards non admin, which historically we never took very serious. We talked about it, but we didn’t really do it. We never really lived that. And you know, a lot of people made that part of their business justification for moving to Win 7. So I think there’s at least completing that, particularly for administrators scenarios and then getting into what I consider to be the emerging ethic, which is the app control epic, which is, you know, Hey, I’m no longer going to trust all software by default.
Chris Jackson (27:03):
I’m going to pivot and I’m going to start trusting by exception when you’ve earned that trust. And really leading out in that, which I think will eventually hit all of my devices. But I need to start today with, Hey, if you’re a domain admin, you’re you know, a global admin in the cloud, you’re going to have some additional constraints placed on you. And I need to really accelerate my zero trust journey, at least for you. Perhaps I can’t do it for everyone. And I know that a lot of you know IT projects that are internally facing are paused or slowed at the moment. And that makes sense. But that scenario is a real important one to continue to keep, you know, higher on the priority list.
Stephen Rose (27:45):
Yeah. And I think a good double click on that is version control as well. We have so many companies where they’re using nine different versions of either allowing users, or on the server we’ll have nine different versions of Acrobat or things along that line. Using this time to go, we’re going to move to this version because it’s tested. Maybe it isn’t the newest or it is the newest, but it’s the best. But also starting to reduce duplicity of applications and overlap of applications. It’s going to make your job easier and it’s going to make it simpler for end users. And just saying, look, we’re not going to allow box and Dropbox and OneDrive. We’re moving all to OneDrive and here’s why. And here is the adoption and the training materials to do it. Becomes a really important thing. And people are going to say, well, you’re slowing me down.
Stephen Rose (28:29):
And you’re like, yeah, but we’re not, we don’t know what’s going outside the company. And if we’re going to put in policies to be able to you know, do document labeling, to be able to track content, to be able to basically encrypt content as it leaves the company and to get the most out of this platform. It is getting it into the cloud to leverage that which not only makes it more intelligent, it makes it more secure. So starting to take a look at some of those and where can we remove this duplicity? This is a really great time to be doing that. And by default it will help you and put you in a good position to do a lot of what Chris is talking about here.
Chris Jackson (29:06):
Yeah. Well then our TBM product as well, you know, focuses specifically on that scenario, which is to help you prioritize because of course you could, you know, service everything all the time. If we ignore the fact that even the most tightly managed organizations that I’ve worked with that are of any significant size have a software asset inventory of roughly 2,500 apps. You know, try keeping track of all of those, it’s difficult. And that’s a well managed org. I mean the worst I’ve seen so far and this is not a record worth aspiring to, but 225,000 unique applications in the environment. And so, you know, that’s one of the challenges we each sought to solve in TBM, which is Hey, let’s focus on the, you know, the older versions of applications you have, that have vulnerabilities, prioritized if there’s an exploit in the wild, prioritized even more if there’s an exploit that’s running in your environment, just to help you build that to do list. Cause that’s really what everyone needs some help with is, you know, yes, there’s always something I could be doing. Patching could always, always get better, but how do I do it? What do I do first?
Paul Thurrott (30:19):
Yeah. What’s the biggest bang for your buck? What’s the priority? I was going to, it’s funny that you launched into this because I was literally thinking, you know, what’s the low hanging fruit here? How do you, you know, where’s the starting point? It seems like this is the starting point.
Stephen Rose (30:32):
And what’s interesting is, and Chris did this, god back at Tech Ed, I think New Orleans was the first time he brought this and I thought this is a really great way of looking at it is he’s like, make a pie chart. List all your apps and list all the ones that are used daily, weekly, monthly, quarterly, yearly, bi yearly. What’s interesting is when you get down to the apps that affect the most amount of people on a daily basis, you end up getting down to an incredibly small percentage of apps, 2 – 3% of the total apps in the company.
Stephen Rose (31:03):
Those are the ones that you start with. Those are the ones that are going to affect the most people and give you the biggest bang for the buck. There may be this incredibly difficult app that you know, you can’t shim and you can’t get to work or you have to virtualize. But if it’s only being used by 20 people once a year, why are you prioritizing that over something that 80% of your staff uses every single day? So by going out and and leveraging our tools to help you catalog what everybody’s using and then coming back and using that level of logic, which was one of the rare times that Chris has said something that made sense to me. It was great to be able to do that.
Paul Thurrott (31:36):
Just seeing if we’re paying attention, I see.
Stephen Rose (31:40):
No, no, but it was brilliant. I remember you doing that knocking down and watching the light bulb for all these IT pros who are looking at it as this mountain of things they had to do to move to Windows 7 at the time. It’s the same with all these apps and it really makes a lot of sense. So there you go. Giving you some kudos.
Chris Jackson (31:58):
It”s a taxonomy that I’ve had a lot of success, you know, cause as you know, right. I’ve been working in app compat and security and modernization, all that for a long time. And that taxonomy of, you know, it’s four parts basically managed, supported, unsupported and banned, right? Figure out what you want to do, right? Not everything needs to be tightly managed. The fact that someone’s running something somewhere does not constitute a permanent commitment for you to support that version of that app from now until the end of time. So that may fall into the either, you know, supported if you want to take phone calls about it or unsupported, you know what you’re okay running it. Just don’t call me if you have a problem. And then banned will be the ones that you want to actively try and keep from running.
Chris Jackson (32:45):
But that taxonomy helps to really simplify as you think about how do I evolve my processes to service and manage software better over time. Maybe even starting with Windows. That’s one of the projects we’ve got running right now with our servicing team inside of Windows is they recently did some work with Microsoft IT internally, where they went from, Hey, you know, in seven days, which is our goal to get everyone updated. You know, we were about 40% updated across the entire company and with a few changes in policies, we got to the point where within seven days, in fact I think it’s even less than seven days, we’re in excess of 95% patched and obviously some variation because a lot of people have multiple machines. They don’t always turn off. Like I know I’ve not been firing up my laptops very much because I don’t have to cause I haven’t left my house.
Chris Jackson (33:35):
And so I’d much rather have this over the big monitor spread that I have done here with the desktop. So those are not being serviced really well. So 95% in our context is actually pretty darn good. So figuring out how do I, you know, to Stephen’s point start with the low hanging fruit and then evolve the processes and then use data to help me figure out and then think about in root cause, why is this hard and how could I make it easy? What would this be like if it were easy?
Paul Thurrott (34:05):
This is very much like the organizational version of I think what we’re all kind of doing on a personal level during this pandemic, which is kind of re-evaluating things and looking at what’s essential, and trying to, you know, hit those targets that make the most sense. And I feel like for the discussion we’re having here today in organizations that have Microsoft 365, that there will be, you know, permanent workflow changes or permanent changes just to the way that we do things as a result and that you know, as bad as this is, it is terrible. The current situation, there’s a silver lining to it in some ways. I mean we might emerge on the other side. More efficient, more secure. I don’t want to say more managed, it’s more like more correctly managed maybe or you know, just in a better position.
Stephen Rose (34:58):
And like I said, I think I mentioned this in one of the previous episodes, I was doing an interview with the CIO from Dentsu Aegis. And he said, we can no longer in good confidence say you have to be here to do this job, that we can’t hire somebody who works in a completely different country as long as they’re willing to abide by time zones. And when we have meetings, we can’t do that. And the thought of, I want to go work from home three days a week to do my job, to take care of my kids and do that better. We can’t say no, you can’t be productive and you can’t be efficient and doing that. So I agree it’s going to be very, very hard for companies who had that 2012 attitude of you have to be here in the office to be productive and get work done.
Paul Thurrott (35:38):
Stephen Rose (35:38):
Yes, there was something to be said about meeting in person. I had an interesting conversation on someone about Inspire, was Inspire going to become permanently online. And I’m like, no, there is a lot to be said about walking up to a booth and building relationships and chatting with your peers and chatting with our engineers. But you can still have great impact that way. And I think it’s a balance of both. Showing up in meetings is important so people see your face and things happen organically, but it doesn’t remove any value that you can do in being on a Teams meeting and calling in. And now that people are more used to that and being more respectful of this, the window panes and how people are talking and moving things back and forth and doing that, which is a learned skill set, it’s going to get a lot easier.
Paul Thurrott (36:21):
Yeah, I agree. So Chris, we can’t leave this without discussing your office. You have what appears to be a lot of stereo equipment and is that a model or a Lego Millennium Falcon? I’m looking at it.
Chris Jackson (36:34):
It is a Lego millennium Falcon. Of course that is the ultimate collector’s edition, which is gigantic and it is down here because I am not allowed to keep that anywhere else in my house.
Paul Thurrott (36:46):
So it sounds like you have a pragmatic spouse.
Chris Jackson (36:48):
In fact that’s what the entire room is all about is, these are all the things that I am not allowed to put anywhere else. In the back is all of the the music gear. So what I like to say, I’m a guitarist and what I like to say is that what I lack in talent I make up for in volume, which is why I have a full sized Marshall stack in my basement.
Paul Thurrott (37:09):
Chris Jackson (37:09):
You know, drum kit gets stuck down here and sort of all of the other, you know, toys I have, I have my original Commodore 64, which is where the journey all began off in the corner. You can’t see it from where you are, but it’s something that’s where I can see it, and sort of, just always reminds me of where I came from. So.
Paul Thurrott (37:26):
Oh, you know, you could take a page from the Kiss playbook and get empty stacks and it would make it look like you have a wall of Marshalls.
Chris Jackson (37:34):
So they actually do that at music stores and I was trying to, they have like a corkboard they can hang things on and I really, I couldn’t figure out where you could buy them.
Paul Thurrott (37:43):
Yeah. Oh, okay. This must be pretty cheap if you can find them.
Stephen Rose (37:45):
Yeah, go to eBay.
Chris Jackson (37:47):
I didn’t want them that bad, but I did look on eBay at the time and didn’t find them, you know. But yeah, that’s the last thing that that my wife wants me doing is searching for more ways to just make my basement room look ridiculous and awesome.
Stephen Rose (38:02):
So Chris, let me ask you this. Three takeaways. What are three things that IT pros when they finish watching this episode should sit down and go do immediately,
Paul Thurrott (38:11):
Chris Jackson (38:13):
Ooh, that’s a good
Stephen Rose (38:14):
Sorry, did I think away your line Paul?
Chris Jackson (38:16):
No, that’s good stuff. And please put them in order of priority.
Chris Jackson (38:23):
The question you’re not prepared for, based on the conversation that roamed in directions that none of us ever really planned. No, I think the first one is absolutely, positively leverage all of the knowledge that we have and have been sharing on what people have already tried and knows that works. There are all kinds, and we didn’t get into any of the stories here, but there are all kinds of well known consequences of security lockdowns if you’re suddenly doing it in a hurry, you can avoid a lot of pain by sort of taking a starting point and leveraging that knowledge. So I would say look for those starting points that we are trying to share as much as possible. This is my second podcast today. Cause we really are aggressively trying to solve all these challenges for folks.
Chris Jackson (39:10):
So look at the knowledge that’s already out there and leverage what people are already doing. Number one. Number two, I would say be mindful of the two ends of the spectrum. That conversation we had a short while ago. Understand what you need to do for any BYOD you’re introducing, any, you know, suddenly portable devices and how you’re replacing your perimeter security, but also be sensitive to your high security scenarios. If you treat everything as important, then you’re really treating nothing as important. So make sure you gain a balance between the two of those. And then the third one is, I think you can, and Stephen talked about a bunch of reasons, but I think it’s really timely that we have the new release of Microsoft Edge, just came out on January 15th. Because I do think that enables a whole bunch of new scenarios. Potentially, you know, it gives the opportunity to add a bunch of value to make it easier for people to be productive. And I would absolutely investigate doing that. Even if it’s slowed down. And again, we’ve talked to a lot of folks, said I’m slowing it down for my, you know, mainstream devices. But as an enabler for devices that weren’t previously productivity devices for the masses before, that can significantly improve their experience, as well as the security overall of what they’re doing.
Stephen Rose (40:24):
Yeah. Plus it works on mobile. I mean, you’ve got it working on iOS and Android, which means they can use on every device. I’ll tell you the one thing not to do, I had somebody ping me on Twitter saying they were going to go to longterm servicing branch to help make security easier, which I’m like, longterm servicing branch is great if you don’t have people who are using Office, information workers, if it’s, you know, and they’re like, Oh, well everybody uses that. I’m like, then again, you’re doing that baby with the bathwater. You’re going to an extreme, which is not going to solve your issue. So LTSB is not the solution there.
Chris Jackson (40:55):
Well, we also add significant security. Look at like ASR rules or tech surface production rules. Those get added, you know, a lot of times we’re releasing, there’s new ones that are coming in. So figuring out how to evolve your security. Now, most of the time we put it in a, you know, either a, we’ll just turn on by default. If it’s just likely to not have an impact, a or b, we’ll have an audit workflow where you can enable them at a time that makes sense to you if there’s the risk of impact. But it’s always changing. The threat landscape is not stagnant and that’s a really important thing to keep in mind is just because you know, you want to avoid moving really, really fast, attackers are very happy to move fast and are very agile. We just need to stay up with them.
Stephen Rose (41:38):
Paul Thurrott (41:41):
So before we head out, I wanted to just quickly discuss some of the news that’s occurred with Microsoft 365 over the past three or four weeks. We have been recording these episodes roughly one month apart. And as you might imagine with this COVID pandemic and everything a lot has happened in the world of Microsoft 365. The biggest news is that Microsoft announced consumer versions of Microsoft 365 that will replace the Office 365 Personal and Home offerings that we see today. So those will become Microsoft 365 Personal and Microsoft 365 Family. They’re adding some additional features. They’re not particularly interesting or I should say pertinent to the broader world of Microsoft 365. But it is kind of an interesting branding thing.
Paul Thurrott (42:26):
And there were also rebranding all of the Office 365 offerings for small businesses as well. And so things like Office 365 Business and Business Premium and also Pro Plus are becoming Microsoft 365 branded sometime in, I think in the next 30 days. So that will be happening soon. A bunch of consumer features coming to Teams as well as a version of teams for consumers, which is kind of interesting. And this speaks to the mixing of our work and home lives, especially now, but you know, in all times of course people might want to do things like be able to see their, what their kids are up to while they’re working, etc. And those things are coming, that’s for much later in the year. But it is something that Microsoft’s working on. Also Microsoft provided a more precise timeline on some of the new Teams features that they announced back in March.
Paul Thurrott (43:16):
And this is actually kind of interesting. You might remember some of these, the custom backgrounds, raised hand, and meeting participant report, and realtime noise suppression. Most of those features are actually going to come very soon to Teams sometime in the next 30 days. The only one that will be a little bit later in the year is the real time noise suppression feature. You might remember the video where the guy crunched up the potato chip bag. And then actually, some of this happened just right on as we were about to record this show. Microsoft announced Yammer integration with Teams. It’s coming soon and kind of a nine pain, what I call a Brady bunch of features. They could have nine people on the screen at once in a Team meeting. Which should be pretty interesting. And I think it’s just good to highlight with all the Zoom security issues that are happening out in the world right now.
Paul Thurrott (44:04):
You should use an online meeting provider you can trust. I would say that Microsoft is more trustworthy than some at this point, but that’s up to you of course. I also want to highlight the work that Microsoft continues to do on it’s Microsoft 365 blog. If you’re not looking at it, you should. They come out with posts almost every single day these days. They’ve done some great posts that are security-related recently, for example, security for IT pros and then security for Teams, I should say security and privacy for Teams specifically in two separate posts. They’ve talked about the efforts they make to thwart cybercriminals who are trying to take advantage of the COVID situation by sending out phishing attacks via email, which is unbelievable. How they pivoted a lot of Microsoft employees to promote work.
Paul Thurrott (44:49):
And also just some, you know, just general tips and tricks, you know, working from home with kids and so forth. Stephen mentioned earlier, Inspire and Inspire is Microsoft’s partner show. And we know that Microsoft won’t be having any in-person events through at least the middle of 2021. And so it’s possible that Inspire 2021 could happen in person, but this year’s Inspire like Ignite is not going to happen. It will to be some sort of a digital event. We don’t really know what form that’s going to take, but just as an aside, Mary Jo Foley and I have recorded, or we’ve done a live recording of a post keynote segment with Channel 9 at Microsoft Build for the past few years. We’re actually gonna do it again this year and this will be the first major digital event that Microsoft will be holding, will be Build, which occurs in May.
Paul Thurrott (45:39):
And so we’ll see what form that takes. We’ve kind of agreed to the, you know, to the schedule and when we’re going to do it and so forth. I assume that means this will in fact be a live keynote. I guess we’ll see how that happens. But you know, even with all of the terribleness that’s happening in the world and the changes things like this are still going forward just in a different form. And I think that’s, that’s kind of interesting. Well, we are out of time, unfortunately. We still have a few more things we could discuss, but like Chris, we all actually have other podcasts and webinars to do today. So we’ll have to cut this one here, but thank you both so much. Chris, thank you for joining us. And Stephen, thank you, as always.
Stephen Rose (46:20):
Chris Jackson (46:20):
Thanks for having me.