Microsoft 365 Knowledge Series Episode 6: Enabling and Managing Remote Work


In this blockbuster episode, Stephen and Paul are joined by Microsoft director Jeremy Chapman to discuss how organizations can effectively transition to remote work without compromising control.


Paul Thurrott (00:01):
Welcome back everyone to the Microsoft 365 Knowledge Series. I’m Paul Thurrott, I’m here as usual with Stephen Rose, Senior Product Marketing Manager for Modern Workplace, Teams and Platform at Microsoft. And our special guest this week is our old friend Jeremy Chapman, Director of Microsoft 365. Jeremy, how you doing?

Jeremy Chapman (00:20):
Good. Thanks for having me on the show.

Paul Thurrott (00:22):
Yeah. Excited to have you. Do you mind, maybe you could tell the audience a little about yourself? We have quite a history and you and Stephen have quite a history.

Jeremy Chapman (00:31):
Yes. So I came in, I started out in IT. I came from there into Microsoft in I want to say 2003, first as a partner and then I went full time in 2005. Started out in the Server and Tools engineering org, building solution accelerators. So that’s where we built out things like Business Desktop Deployment, Microsoft Deployment Toolkit, which it later became and was there for a few years. Then I went to the Windows side and did basically Windows deployment through the end of Vista and all the way through Windows 7. And that’s where I met Stephen. And then from there, after kind of getting Windows 7 deployed and pretty much all of that job done, I guess, then I moved on to Office to really think about how do we repackage Office in a way that made it more cloud-friendly, you know, work on the activation, the delivery, and that’s where Click-to-Run,

Jeremy Chapman (01:24):
And all those kind of things came from. And then based on that work, we started trying to demystify what that looked like through, what was called the Office Garage at the time. And then that later became Office Mechanics. And then we started adding other groups to it from Office 365 into the Surface Hardware Team and then Azure. And then finally the Windows Team was part of it. So now with Microsoft Mechanics, we really span the entire company and we’re, from a subscriber and follower perspective, we’ve got one of the larger followings at the company, you know, with commercial followers doing all the different aspects of deployment, management, all those things. So we create about a hundred different kind of instructional or announcement type deep-dive videos per year through Microsoft Mechanics. And that’s what my main job is at the moment at Microsoft. Really trying to make sure people know how our stuff works, how they can use it, why should they care, and really how to deploy and be successful with our products.

Paul Thurrott (02:25):
So what I got out of that is that we can blame you for Click-to-Run and more seriously, you’ve been basically involved with deployment for almost your entire career at Microsoft it seems.

Jeremy Chapman (02:38):
Yeah, that’s, that’s why it’s in my Twitter handle @deployjeremy, I’ve been doing this deployment, even before I came to Microsoft. That was my last IT Pro kind of Project was getting XP deployed out and when I was working in China for a German company, but that was kind of what got me into the solution accelerator org at Microsoft at first.

Paul Thurrott (02:58):

Stephen Rose (02:58):
What was cool was that when Jeremy and I met, we were really going, we have all these great free tools that nobody had known about. And what we did was we rolled every one on out saying here’s how you can deploy Windows 7, here’s how I can get it to run without having to spend any money. Here’s all the really cool free tools for your 7DT and Map and Act and all these other ones. And it was great because people said, I’ve never seen Microsoft come to my town and do a whole thing and talk about free tools that are available now. What was always, here’s what you have to buy. And it was great cause he and I both felt that we had not seen a great job done with IT Pros, where it was always like buy our stuff. And then once we did, we sort of left them behind to really go back and show them how to do this, give them good guidance and show them these great tools, many of which are free that they could leverage today. So it was great. So he and I really connected on that and it really connected with the audience and it was a big change for us and how people viewed us back in 2009.

Jeremy Chapman (03:57):
Yeah. And the other thing, and I still see it today, is you know, sometimes you’ll get something that’s too difficult to deploy or too difficult to enable or configure and they’ll say, Oh, that’s what a partner is for, and then my job is done, wipe my hands clean. And I always think like if you’re the product manager or somebody who’s at Microsoft, saying, that’s your answer, then you’ve already lost. Because you need to get the people in IT actually bought into the Process and at least understand the architecture of how the product works. Yes, partners then get domain expertise and they’re Probably more efficient. But once you say like that’s the only option is to use a partner to do something, cause then what happens is you might have a bench of a dozen partners globally that know how to do something really well.

Jeremy Chapman (04:39):
And then the rest of the people that you know want to do, you know, 500 seat deployment or whatever won’t be able to even touch it. Or you won’t be able to become a partner, to get your skills deep enough to kind of qualify for that exclusive crowd of the partner that can help you. So, you know, we tried to mainstream everything from a deployment perspective and really like Stephen said on some previous episodes, move from sector-based imaging, you know, Ghost and in those types of Processes to more of a file based imaging. And I remember the early, early days of building out the WIN file format and single instance files inside of that image and having all the different SKUs and everything available. And that was actually pretty cool. And it’s kind of, I would even say to some extent, it’s kind of a predecessor to Click-to-Run in the sense that, you know, we’re delivering a set of components and we’re looking to see that that manifest of components is available on the computer. And that’s the way kind of the WIN unpacking works when you, when you expand a web image on a desk. So it’s kind of semi-close to how we would do the virtualization part within Click-to-Run. We just have to do a bit more virtualization with, you know, register keys and things and different services we need to enable as part of C to R.

Paul Thurrott (05:46):
Right. You know, this episode is kind of an interesting nexus of things and it’s great that you’re here for this because in the original episode, the first episode we talked about how in that Windows 7 Springboard timeframe you folks were talking about, at the time was the Modern Desktop, you know, Windows 7 plus Office, what was it, Office 2013, Probably.

Jeremy Chapman (06:06):

Stephen Rose (06:07):

Jeremy Chapman (06:07):
2010, I think.

Paul Thurrott (06:07):
Oh, right. Okay. And you know, how as we move forward now 10 years or more you know, things have shifted and the Modern Desktop such as it is, is a different place. You know, the Modern Workplace is a different place. And of course since we started the podcast series the COVID-19 pandemic happened and a lot of people are working remotely now for the first time. And this has caused a lot of angst on a number of levels. But for organizations that have to react quickly to this, getting people working remotely and then kind of retroactively securing that, which is one thing we talked about in the last episode but just making sure that people have the tools they need and so forth. And we thought maybe it would be a good idea to take a step back and think about how organizations can enable remote work and that, you know, your work on deployment over all these years is kind of uniquely suited for this conversation.

Jeremy Chapman (07:05):
Yeah, totally. I mean there are so many things and even just being in Microsoft and watching the transition, you know there was a time when we all needed VPN connectivity to get our work done to you know, apProve expenses to put things into the system, to find files through file shares and literally, I mean I can Probably count on one hand the number of times I’ve needed a VPN connection back to something, a corporate resource that I have to grab in the last month like it still happens but it’s very rare and all of our line of business apps, everything’s web-based now. All of our files have moved from file shares into you know, into SharePoint or OneDrive locations. And I think that’s kind of the main thing is moving away from that. I remember like, and I’ve listened to one of the earlier ones that you guys did, you know where the desk phone went away.

Jeremy Chapman (07:55):
Like that was an old thing, an old vestige I guess of office work. Now the file share can go away. And how do we then move into some stuff that’s more cloud native. And I think that’s the bigger kind of longterm goal is to say how do we maintain all the control that we need? Even increase it in a lot of areas, but make sure that our files are at least retrievable in our line of business apps and those kinds of things are retrievable through network connectivity that is cloud based and not having to funnel everything through a VPN. Cause I think one of the things that a lot of people have learned just in the past couple of months is if I siphon all the connection through that small straw that that pipe that is the VPN pipe, that’s got to do software updates, that’s got to do all of my web traffic.

Jeremy Chapman (08:40):
If my users want to go to you know, a video site and watch a mechanics video, whatever, all of that has to in a lot of companies go through their VPN and of course you’re going to saturate that connection to where there’s zero performance. So I think it’s been like, you know, like those old cartoons where people put their fingers on the various holes in the wall trying to say, okay, how do I get enough things going through that to where, you know, traffic that makes sense. Whether it’s Teams or video calling or other things to be on a second or split tunnel. And I think what one of the things that we learned even at Microsoft even though we’ve been on this journey for many, many years is how important it is to make sure that you’ve got a secure way to basically service your customers, your users in IT without having to get everything or make everything go through that VPN so that you’re thoughtful about it.

Jeremy Chapman (09:32):
And I think that’s part of the reason why, you know, we always harp on things like multi factor authentication. I think hopefully people respect the value of MFA at this point. But so many other things that you can do to protect files, down to the file level and you know files down to the folder level, whether it’s email, whether it’s chat, all those different things, just to make sure that you still have that same kind of control or better control than you would have had in terms of making everything happen within your perimeter.

Stephen Rose (10:01):
Yeah, and I keep hearing from IT Pros, you know, I don’t want to lose control. And then you’re like, you’re not, you’re gaining control. Once you move stuff in SharePoint, once people have stuff in OneDrive, you’re going to have more control where things like DLP and AIP and all these other things kick in. So you know, you can protect all of those endpoints. You know exactly what’s coming in, what’s coming out, how people are working. And you’re giving people that choice to be able to work from any device and not limit them to this one that you’ve locked down. So it’s also part of that switch and mentality and moving away from that. We’re going to keep it on the X drive and not let you do this. But like Jeremy was saying, the amount of bandwidth that you end up having to crack is just crazy. It’s insane.

Jeremy Chapman (10:48):
Yeah. In what I’m sharing here. And maybe you can, so one of the things that we’ve done even recently. It’s not up yet?

Stephen Rose (10:56):
I don’t see it.

Paul Thurrott (10:58):
I was afraid I lost something. I just see a gray screen. I do have problems in Skype sometimes where I just lose the video.

Stephen Rose (11:08):
There we go.

Jeremy Chapman (11:08):
There it is, okay. I’ll probably keep this on my feed. So basically one of the things that we’ve done in the last couple of months, and if you read Alex Weinert’s post from last November, I want to say, yeah, we were replacing security baselines with security defaults. Now this means that any net new tenant that’s created for Microsoft 365 is going to have MFA configured. And that’s a big deal because, you know, in terms of going from like normal single factor password authentication to MFA, we like to say it’s, and we’ve got data to prove it. It’s 99.9% plus effective on credential based attacks. And I think it’s in the high nineties on attacks overall because passwords, especially when mastered in the cloud, are things that are fairly, you know, easily targeted, hacked, you know, phishing schemes, those kinds of things to get. Brute force, password spray attacks, those types of things.

Jeremy Chapman (11:58):
So that’s a big deal. Another thing that, you know, as I mentioned our VPN, there’s a great blog here from Lucas. It’s basically going through all of our own implementation of our VPN to handle kind of COVID-19 and the increased demand that we had. And, you know, we’ve seen just in terms of payoff, connectivity success rate has gone way up, number of concurrent sessions, 200,000. I mean all of the different employees that we have, 128,000 employees that we’re managing through it. Everything that we’re doing through VPN has been, you know, we’ve been able to succeed at effectively because we’ve got the split tunnel and most of the traffic going through kind of public connectivity so we don’t have to have as much traffic going through VPN.

Jeremy Chapman (12:50):
So it’s actually, it’s quite good in that sense. The other things that we can do, you know, in terms of thinking about how we holistically protect, you know, our environment. We’ve got tools like Azure Sentinel that will help in terms of protecting or I should say monitoring any of the activities that you have across your apps. You can do things like App Proxy as part of Azure AD to really monitor the traffic. So if you do have cloud based apps, you are wanting that kind of networking security blanket that you’ve got in terms of some of the on-prem networking resources that you’re using now. These are things that you can do in order to have, again, a split tunnel, a lot of public traffic going through, but then having the same visibility into all the different connections that are happening.

Jeremy Chapman (13:40):
So this is a big deal. Let me go back to this desktop. And so, I mean these are some of the things that you can do just to make sure that you can basically survive and thrive in a world where, you know, the VPN might not have enough throughput to handle all the connections to all the different services that you’re using. So I think this is one of the main things longterm is just to make sure that you can handle, you know, public traffic and use those resources as best possible. And I’ll go into some other capabilities in a sec, but these are some main kind of longterm principles. And then we’ll drill into some of the other technologies here in the next few minutes.

Paul Thurrott (14:29):
Great. Oh, also, you know, we had talked earlier about this notion of variable trust, which I think is really interesting because it’s not just Conditional Access, which is part of it. But there’s a whole other world around there of app control SharePoint and OneDrive device-based control and so forth. I mean, can you speak a little bit to that?

Jeremy Chapman (14:51):
Yeah. So with Conditional Access, I mean, it’s kind of a family of options that you have there. On the SharePoint side for example, you can say, I want to trust certain IP ranges or I want to trust certain users or devices. And if say a device is unknown to me or it’s not considered a trusted device, we can basically start to tailor what you can do with any assets that you find through SharePoint. So for example, if I just want you to be able to view a document on a home machine but not be able to print it or download it, these are things that are now native inside of SharePoint online. So this is super pertinent from a work from home kind of perspective because there’s a lot of these you know, you probably got into the closet and found like your old laptop from years ago, maybe Stephen and I helped you deploy it to Windows 7 back in 2010. When you fire that up and basically try to connect to Office 365, it’s going to do all the different integrity checks and health checks against the system.

Jeremy Chapman (15:49):
And if for example it sees Hey this is not a managed or known device for us, you can actually tailor the experience so it’s safe for your files and your information so that you might be able to view something. If it’s a browser and the machine’s up to date and all the things that we want, but you won’t be able to actually take that file down and load it onto the machine, or print it, for example. Those are big deals. Plus if you think about Conditional Access on the device level, we can then look at things like that as well. And say, okay, this device is just not healthy enough to even log in through Azure AD. So you have to go through a number of different you know, software update passes, different things to get that machine to a state where it is actually deemed healthy.

Jeremy Chapman (16:32):
And that’s what kind of the device based Conditional Access will give you, as well as some of the other things like risk based login. If you’ve never logged in from, you know, from Russia or from North Korea and now you’re logging in, we’ll be able to see that, you know, those are the kind of things that we can check or even if it’s not those locations. So even if I’m just now in Europe, all of a sudden like, how did that happen between, you know, in the last six hours? Those are the kinds of things where we can flag it. And then we can say, okay, based on this unusual login activity, we’re gonna up you to a second factor of authentication or block you. And you know, beyond that we can even do, you know, app level Conditional Access too. To where we we can basically say which apps are the right apps to be connecting to services.

Jeremy Chapman (17:17):
So one of the things that we often show in demo is like you’ve got a Tor browser for example, and you’re connecting to services. A lot of times we’ll determine that Tor browser isn’t an app that we want to be able to connect to services so we can either block or in the same way you know, up it to a multi factor authentication. So there’s a lot of things that you can do on that side that’s really kind of tying that kind of Intune slash Azure AD capability to really assess the login, assess the situation and then on the fly determine whether or not we want to give you access to that or we deem it less risky or the risk is low enough to actually give that access. And that’s one of the things that we can do with Conditional Access. It’s a super cool bit of technology. But I don’t think everybody has it deployed at the moment. It’s something that a lot of people can really benefit from

Stephen Rose (18:04):
And this is going to be key when you have guests that are coming into your network, you’re working with vendors because now you can say with that and Azure B2B, really not have to sit there and create all these guest accounts and go through this. You can much more easily say, Hey, you’re here. This is what you can do. I’m going to take my base level for my employees and just not allow you to do these 10 things and very easily scale that up or down to give the right level of permissions without having to start, create all these secondary networks and all this. It just, it gets so, I was chatting with people during Build and my session and the things that they were doing to allow people access. I’m like, why not just do Azure B2B Conditional Access and just set this up and they’re like, I can do that? I’m like, yeah, and it will make it so much easier to make sure that people meet your requirements. For the network without having to go through a ton of extra steps.

Paul Thurrott (18:55):
Yeah, I mean I think the scenario that Jeremy had earlier where, you know, we all come home all of a sudden. Well, what do we have, you know, that we can use to work on is probably one of the more common scenarios that has occurred. And so the fact that you can trust that computer to whatever degree based on where it is with security updates and so forth and whether you know how you sign in is super important because I think a lot, a lot of people are going to run into that exact scenario. And you spoke earlier about cloud data, which I love, but also cloud for document storage is super important as well. This kind of speaks to the end of the X drive a bit that Stephen talks about. So, what’s going on with with cloud-based document access for organizations?

Stephen Rose (19:40):
Well, let me, I’ll start on that one, then I’ll let Jeremy pile on. I mean, the big thing, and again, it was a question that popped up in Build last week, so it was great, was we have great free tools like the SharePoint Migration Toolkit. The SharePoint Migration Toolkit SPMT, you can take your X drive and you can move it to SharePoint. And what’s great is you say, Hey HR, here’s your group. We’re going to move all that content over there. So things that are going to be shared by, need to be accessed by multiple people. It’s right there. You’re not going to need a VPN to have to go into it unless you’ve set it up that way, but don’t have to sit there and start mapping drives and then people’s personal data. You can use the same tool to move it into OneDrive.

Stephen Rose (20:20):
And what’s great is not only is it there, not only when you login to a new machine is that there, but like I said, I go to my iPad, I click on desktop, there’s all the files, everything’s in sync, but we also have protections. A lot of folks are not aware that we have malware protection, ransomware protection built right into OneDrive. Let me see if I can share my desktop here. So we’ll do that. Let me know when new guys can see that.

Paul Thurrott (20:46):

Stephen Rose (20:47):
Awesome. So by going here into OneDrive and you know by clicking on settings, I’m going to pop up you know right here into my main OneDrive and I’m going to pull you down and by clicking on the little gear up in the top right hand corner, so I’ll show that. You’ll see right next to your person there that there is a gear that will pop up, there we go and if you click it, go to restore your OneDrive and this will show you every file that you have deleted, changed, anything for the past 30 days.

Stephen Rose (21:26):
So we can pick all these files, a single file and we can restore that back. And what’s great is if you got hit with ransomware on Friday at 11:00 AM, you could say, I want to go back to 10:59 on Friday. Every file, every folder, everything, will be, you know, put back to exactly that point. Most folks don’t even know that they have this.

Paul Thurrott (21:45):
Right, I mean this is cloud based file history, which is kind of like that time machine effect where you can,

Stephen Rose (21:51):

Paul Thurrott (21:51):
Like you said, go back. That’s amazing. That’s an amazing capability.

Stephen Rose (21:54):
And the fact that it’s in there is there, the fact that if you know, you for some reason, you know, if OneDrive finds that you suddenly have a ton of files that are being rewritten, it will actually stop and say, what’s going on? Is this something that you’re doing? It’ll say, are you aware you just threw away 2000 files? Or if it sees a lot of files being rewritten, our anti-malware kicks in, it will stop. It will take a look and it gets user involvement. So you have that protection and don’t need to worry about that. And that’s built in as well as Vault and other great features in there. And that goes across SharePoint, OneDrive and Teams because it’s that same backend of that.

Paul Thurrott (22:37):
Right, right.

Jeremy Chapman (22:39):
Yeah. And the things in terms of the number of controls that you have are actually amazing from an IT Pro perspective. And it’s going to take a second for my screen to pop up, I think. Based on the last attempt of sharing. But basically you have these nice sliders. There we go. So we have these nice sliders where you can actually say in terms of external sharing, you know, how permissive do you want the sharing to be in both SharePoint and OneDrive. So these are the things that we get asked about all the time. Like, okay, I trust the people that are inside of my domain, but I don’t want people sending files outside my domain to my competitors or others. And you can do things like targeting with an allow list of the domains that you want to allow sharing to happen, like with your best partners.

Jeremy Chapman (23:30):
And I can anti target for example, and say like if my, if, if I’m Contoso and my arch-rival is Fabrikam, our two favorite companies, then I can actually block any sharing to Fabrikam. So this is all real stuff that we can do, that really you know, helps in terms of how people share. And the other thing is, what are some of the defaults that you get? Cause when you click like copy link or share and you get these different sharing options, we can choose what the defaults are as part of that. So I might have a posture where I say, yeah, I want everybody that’s a full-time employee of my company to have access to that file by default. And you have to select, you know, down level that to maybe the individual person you’re sharing with or you can go the other way and say, I want it, no when somebody hits share and copy link.

Jeremy Chapman (24:14):
It’s going to start with just the explicit person I’m sharing with. And then I’ve got to up level that into other, you know, larger populations of users. So we have all of that control and this is the kind of the access controls I was talking about where you have the ability to say again manage things that are coming in. If an unmanaged device is coming in, I can do a limited web access only. This is where I set that control in the SharePoint admin center. I can automatically sign people out if somebody reports their device is stolen, I can sign them out of any active browser session so that they’ll be out of SharePoint online or OneDrive, network location, so IP ranges that I trust. And then, you know, I’ve got apps and this is going back to our Office 2010 statements earlier that don’t use modern off, I can actually block those from connecting to services here, right from the admin portal. So there’s a lot of control that you have really down to the file level to make sure that your information stays protected and all this stuff is, is really easy to kind of turn on through SharePoint admin center and also the OneDrive admin centers.

Stephen Rose (25:21):
Yeah. And if you have any DLP policies that you’ve set up for Exchange by just pushing a single button, you can now extend those out to SharePoint and to OneDrive as well. So all of that connects up and that’s really the key thing is, you’re really looking at a single pane of glass to now manage all document sharing across all those different surfaces.

Jeremy Chapman (25:40):
Right. And one of my favorite things that kind of, and we just did a show on this last week, that kind of comes out of this, is once everything’s up in the cloud and can be indexed and searched, you can actually start to enable Microsoft Search, which is kind of a derivative of Bing in something that you can use to not only find your different files, people, even floor plans. And I’ll show you what that looks like in a sec. But you can actually find everything that you, okay, come on.

Jeremy Chapman (26:12):
There we go. That’s where I want it. You can actually find information that you’re looking for across the internet as well as the intranet in one place. So let me just show you what that looks like. So I’m going to open a new tab with search and let’s say I’m looking for information about a 401k. And so if I do that, what will happen is, it will actually

Jeremy Chapman (26:36):
Search and it will find, make sure I’m in the right tenant here. There we go. It will actually find information in my tenant and it’s populating here. Got a bit of a connection issue I think at the moment, but it will actually populate both internal search results along with kind of the public web search results. There we go. And if I search for, and this is right from the address bar, if I search for, say, a colleague, our favorite demo colleague, Adele Vance. You’ll see that it will find everything in terms of her, you know, office location, those kinds of things. As well as even like stuff from Azure Active Directory, the organization that she’s in, files that I have access to and permissions to. I can see all of that information as well. And there you go. And then any upcoming appointments or you know, meetings that I have with Adele, I can actually see those here. There we go. We’ve got a Project Tailspin meeting coming up, all of that’s there and in search. So it’s actually pretty cool integrated and you still get the public search results as well.

Stephen Rose (27:44):
And we get to learn that her favorite movie is the Legend of Bagger Vance, which is terrifying, but good.

Jeremy Chapman (27:51):
That’s a great, great movie.

Paul Thurrott (27:52):
That’s how you can tell it’s a fictional character,

Stephen Rose (27:54):
Right, exactly.

Jeremy Chapman (27:56):
So, and something new that we’ve added is what we call the work vertical. So this gives you all of that work stuff in one kind of view, and then you can actually navigate through it here. One of my favorite capabilities though is you can actually have a look at, you know, if you need driving directions, like this is, this is where for us it’s always interesting at Microsoft to be able to find the various buildings that we have across Redmond. In here I’ll do a search for Millennium and Millennium is one of the harder buildings that we have to find cause it’s actually in you know, in Redmond kind of in the Redmond Proper or Whole Foods kind of area. But all of this will actually give you a map and you can use this to get directions for how to drive there.

Jeremy Chapman (28:39):
And then we can even do, if we want to do floor plans, we get the ability to even say, okay, I know somebody is at Millennium 1260. I can even see where their office is. So if I’m either in my computer, in my phone, it works if I’m signed into Bing on the phone and sorry, Edge on the phone, I can actually see exactly where that person’s office is as I’m going to look for Adele or Megan Bowen or any of these people that I search for in the, you know, directory through Microsoft Search. So these are, once again, once your files are in OneDrive and SharePoint, these are other options that kind of open up to you in terms of being able to find content more easily and kind of lower the barriers to get work done and to find what you need to find, you know, through a normal search, through the address bar even.

Stephen Rose (29:28):
That’s also going to power things, you know, similar to what we see with Exchange Online where now you can go into the Outlook mobile client to a simple search and not just find emails from people, but all of that. And now it brings that across all those different apps and devices and platforms.

Paul Thurrott (29:42):
It’s also worth pointing out that one of the many nice things about the new Microsoft Edge is that it supports work and consumer profiles.

Jeremy Chapman (29:51):

Paul Thurrott (29:51):
And when you’re signed into a work profile, like you are here, you get this Bing Microsoft Search experience, which is great. But even if you’re signed in, as you know, your consumer Microsoft account profile, if you hit a work website, it will auto switch profiles for you and pass through that authentication.

Stephen Rose (30:08):
And that’s relatively new. But yeah, once you realize what it’s trying to do, it figures that out intelligently. And I went from a work I was signing in to buy something personal and it switched me automatically. So again, it’s that, because it’s smart, it knows when it needs to go back and forth, which is great.

Paul Thurrott (30:29):
And that’s good for working from home because the reality is people are going to be switching back and forth, you know, between their personal and work needs as they browse.

Jeremy Chapman (30:38):
Another kind of thing, another favorite here, and this goes back to our deployment days for Windows. You can actually define acronyms. Ooh, hold on. I need to go into all, you can actually define acronyms for things that you’re searching for. Like for example, if I’m searching for MDT, and now that should, after this page loads, show up the work-related acronym. Let me try it again just to make sure. Cause I did define it for that right through search and just to show you after that loads. If it does, maybe it won’t cooperate this time, but here’s where you configure everything. So this is all done through the admin portal in Microsoft 365 and Microsoft Search. You can set up all your acronyms, bookmarks, the floor plans that we saw earlier, locations, which were the map location like for Millennium. In about a day or so, you can get all of this stuff, configured, and you’ve got that super powerful kind of search working across, you know, all of your files and all of your office locations, all your terms, all your internet, to where anybody can find what they need. So this is one of my favorite new capabilities. And it’s kind of funny when it started rolling out at Microsoft, I thought, is this just an internal thing that we can use at Microsoft? It turns out everybody can use it.

Stephen Rose (31:59):

Paul Thurrott (32:00):
Yeah, I think this is one of the greatest things that you folks, Microsoft have rolled out in a while. It’s just really impressive. Speaking of impressive, we should move along to Microsoft Teams. And this is something that’s kind of personal for me because my organization is in the process of switching over to Microsoft 365 and Teams and you know, it’s a new world and Teams is not just an app, it’s a platform. There’s a lot going on there. And specifically for the kind of remote work, work from home scenario. Obviously people are going to be having meetings online. They’re going to be collaborating remotely. I mean, can you folks speak a little bit to that and how that works?

Jeremy Chapman (32:40):
Yeah. So with Microsoft Teams it’s been huge in terms of the, just the amount of traffic, the amount of usage, the people that have been using Teams, especially in the last few months. It’s been crazy. I think you’ve spoken to the kind of, the different updates in terms of the user counts in the past few webcasts that you’ve done, but just the number, you know, of sheer meeting minutes that are happening at the moment. It’s unprecedented. It’s been a huge enabler and I think that, you know, whether you’re, whether you’re using it for chat, whether you’re using it for online meetings, I think the strongest part for me, especially vis-a-vis some of the other options is just the deep integration that’s there between things that are in Office 365 and Microsoft 365.

Jeremy Chapman (33:30):
And just being able to kind of hop through all of that, as well as even your line of business apps or any Power Apps or things that you’re building, all in the one kind of chrome, the one construct of Teams. So it’s a fully integrated, we used to say it’s kind of a chat-based workspace, but it’s more than that. It’s a broader collaboration app that has, you know, basically connectivity points to all the other apps that you use in the span of a day. So I’m literally living in Teams probably, you know, 10 hours a day myself in terms of just hopping through all the different meetings and files and things that I’m working on.

Stephen Rose (34:03):
Yeah. At Build last week, we saw some amazing customers and how they’ve either built low code, no code apps that they’ve gone ahead and dropped in. We’ve had end users basically say, Hey, there’s a SQL database of stuff, that I want to be able to leverage on my mobile phone and dropped it into Teams, as well as what we’re doing around firstline workers and bringing the Graph and intelligence into it. So as people start to look at it, not as this, as Jeremy said, this chat app, but look at it as a platform that we can build upon, that we can add intelligence to. You can bring in photos and have AI take a look at it and make a decision on what happens based on what it sees in that photo. It really starts to open up some interesting new ways to take a look at simple business processes and how to reduce the amount of time or manpower it takes to go through some of those. So you can really spend the time deciding how do I leverage this and use this.

Jeremy Chapman (34:57):
I was going to say, and the other thing that I’ve loved to see, especially over the last couple of years, cause we were there from the very first kind of beta timeframe, you know, the preview announcements I should say. The amount of control that you have in IT is, you know, this is one of the things I think that really sets it apart from other options is that, I mean I’m showing the admin portal here, but just in terms of managing Teams you know, you’ve got all of the Teams management, device management, you know what users can see the policies, if you don’t want the GIPHYs to be too fun. Like those kinds of things if you’re in a conservative, all of that stuff. And even things like data loss prevention, if I’m trying to chat, credit card information, those types of things, we can control all of that through all the different admin controls that we have through Teams.

Jeremy Chapman (35:49):
So what you’re seeing here is really the work of several years of, you know, listening to people, listening to IT organizations and adding, you know, very granular, very detailed control over how Teams is used, how the various experiences within it are used. And you can, the cool thing is you can differentiate policy. So I can scope it all the way down to a user or I can scope policies up to entire departments or countries or however I want to split that up. But I have, really almost infinite number of configurations, things that I can do with it and we do have a lot of great guidance to, you know, not lock it down too much, there are things that you can do that are probably overboard for a lot of the companies, but we do give you all the options to be able to set up a very secure environment across all the different things that you can do within Teams.

Stephen Rose (36:38):

Paul Thurrott (36:39):
Yeah. People who have been listening to this podcast are probably already tired of me comparing Teams to Outlook and this notion that Teams is the new Outlook, but in many ways, you know, Teams is the new Windows. It’s,

Stephen Rose (36:51):

Paul Thurrott (36:51):
It’s where you run your apps, it’s where you are. It’s where you collaborate with people. It’s becoming everything.

Stephen Rose (36:58):
Yeah. Think it is a platform more than an app. And I think that’s the big difference that people are starting to figure out that more and more of my day is being spent in Teams and there are opportunities to increase that and to add depth from, you know, on an end user point of view.

Jeremy Chapman (37:16):
Right. And that’s kind of like Jeffrey Snover who’s our technical fellow now and I’m one of his biggest fans I think in terms of his PowerShell days, but like his, his move into Microsoft 365 and to Rajesh’s org, it’s huge. And he’s also thinking about it, we did a show at Ignite that was kind of, he called it the people operating system, where if you think about how Windows is constructed with its various APIs and you know, application front end services, all of these kinds of things. At a very macro level, this is kind of representing that. If you tie in, you know, underlying services like Microsoft Graph for the kind of search components, Teams, you know, and all the various pieces there. There’s a great analogy, like you said, it’s like an operating system, but at a massive scale and across all these different services. And so even when you think of the different dialogues, like the sharing dialogue or the people cards or those things. We’re sharing that across the various services in Microsoft 365 so it’s all very uniform and consistent and these are the kinds of things that you strive for in an operating system as well as you build those pieces out.

Paul Thurrott (38:23):
Right, right. So, I guess shifting gears a little bit, you know Microsoft 365 has kind of a massive suite of services that spans beyond what was available just in Office 365, also includes Windows 7 capability, sorry, Windows 10 capabilities and capabilities that used to be associated with Intune and Microsoft’s other management, Endpoint management solutions. What’s going on in that space with Microsoft 365 today?

Jeremy Chapman (38:54):
The, oh, go ahead Stephen.

Stephen Rose (38:57):
Oh, I was just going to say Endpoint Manager is really kind of our end all be all for folks there. But go ahead. You take it Jeremy.

Jeremy Chapman (39:04):
This is like where I grew up cause I started out doing even in the old days of SMS, not short message service, systems management. So even growing up in that capacity and you know, through the days of Configuration Manager and that name changed back in 2007. And you know, building out the deployment tech, now we’re at a space you know, with Microsoft Endpoint Manager where we’ve truly got the best of both worlds in terms of config manager, which is basically able to do anything. It’s got all of the, you know, supersedence and all the different app provision capabilities, operating system, deployment, you name it. On the Intune side, you know, we’ve done a lot of work, especially recently in terms of what we called co-management or it’s still called co-management.

Jeremy Chapman (39:53):
But now I can even do, attach effectively my CM database up into Intune, where I can do things like device policy you know, forced device policy check against various devices. I can do a lot of the stuff that I would do from Help Desk that I had to have, you know, console access too, for config manager. A lot of those things are available through Endpoint Manager. So what you see, and this is now, and we’ve changed the URL. It’s now, is really this bringing together of, you know, Intune along with Microsoft Endpoint Configuration Manager. It’s new name, to really have all of that capability in one place. And this is where you’re going to do things, you know, not only around security policy, but even you know, for deployment.

Jeremy Chapman (40:42):
And we talk a lot about things like Autopilot for deploying out Windows devices. That’s where you’ll configure your Autopilot profiles, for example, through the portal, through Endpoint Manager. So all of those, all the devices that you’re managing that are trying to get access, and we talked about Conditional Access earlier that can be configured here as well. All of these things can be done through Endpoint Manager across different OS platforms. So, you know, we have, you know, Windows devices, and then I’ll go into enrollment. But this is where you can set up all the different policies around enrolling the device into the Intune service. Setting up Hello for Business, setting up Autopilot rules and profiles, all that can be done here in one place. And then you can even have visibility over effectively what you have on prem.

Jeremy Chapman (41:38):
And then some of the other things that we’ve done on the config manager side, and I actually have a VM running of config manager. I didn’t start up, but when you start to add things like Cloud Management Gateway and basically deploying updates from the cloud, you can actually again reduce reliance on VPN because you’re delivering not from your distribution points. You’re delivering from basically cloud distribution points, your software and app updates and app packages that you would have had to have in the past forced VPN connection on. So this is another, even another way to pay off, you know, doing things that don’t require as much connectivity back to your internal perimeter. And these technologies, again, have radically been improved and just kind of merged together in a way that gives them a lot of power and a lot of things that you can do.

Jeremy Chapman (42:29):
And now recently we’ve even added things like Shell Script support for Mac. You know, there’s the Mac deployment in general. There’s a lot more capability in terms of getting apps onto Mac. There’s built in the Edge browser packages, Office packages that you can do. So there’s a lot that you can do through the web console alone. And then when you add config manager to it, you know, you can basically do anything. And that’s what I love. And the nice thing with this is everything supports the best levels of automation. Or if I want to ship a patch out or an app out to a hundred thousand users, you can expect that that will be available on those devices as quickly as it can be done through the physics of getting those bits onto those devices. And this is the kind of power that you have in terms of whether or not you want to do policy or you know other Provisioning. All of this can happen through through the Endpoint Management suites.

Stephen Rose (43:20):
Hey Jeremy, can you go back to the devices page? So go back one, up at the top.

Jeremy Chapman (43:24):
I can I don’t have any devices enrolled in.

Stephen Rose (43:27):
It’s okay. Just go to where it says devices up one level.

Jeremy Chapman (43:30):
Oh, devices here, yeah.

Stephen Rose (43:31):

Jeremy Chapman (43:32):

Stephen Rose (43:35):
And what’s great is there you’ll see iOS, iPad, Mac, Android, all of that is in there as we take a look at this by platform and what you’re looking to manage too. And that’s something else too where it’s not separate or off on something else. We brought all that in to really allow you to look at your organization holistically and not oh, let me just get my PCs done. Now I’ll go look at everything else and have to look at, you know, different tools to do that. That’s the value of having that altogether. And again, going back to that single pane of glass where we can start to see for, Hey, this seems to be hitting only my Macs. I got to take a look at this. Or this is hitting Mac and Windows and it must be something at a higher level or et cetera to really help you to be proactive rather than reactive.

Jeremy Chapman (44:20):
And the other thing I love about this, and there’s this kind of shared underlying set of APIs and services that we use that are kind of spanning Azure AD. And what you can do through the Intune service, whether it’s policy management. We’ve added ADMX support even for group policy through the Intune service, which is awesome. But we’ve also added a service called the Office Cloud Policy Service, which basically does cloud policy management for Office. So if you’re familiar with this tool, which you can get to it at You sign in and basically you create settings files for how Office will be deployed for the Click-to-Run packages. And the Click-to-Run packages now, by the way, they include the Volume Licensing, the Perpetual Activation ones as well. So if you’re doing, whether you’re doing Microsoft 365 apps for enterprise or even a 2019 Volume License, like that’s all done here.

Jeremy Chapman (45:17):
So this is something that we actually specced a lot of this stuff out in my transition moving from Windows into Office. But you can select all of the, you know, the update channels, which products you deploy. Like this is basically the governance of what will be laid down on your computer once you actually deploy Office with the XML file that this outputs. And then the other cool thing that you can do, and this is kind of tying back into the kind of the Intune side.

Stephen Rose (45:47):
Oh, hang on, go back to the screen and scroll up. My favorite feature is that you can also have it pinned to the task bar. I love that because that was something we heard from a ton of folks. If you scroll down the over on the right, up a little bit up, it’s over on the right, a little bit, a little bit, a little bit, right there.

Jeremy Chapman (46:04):
On the right? Oh, you’re talking about the setting.

Stephen Rose (46:07):
So you can as part of the installation. Yeah, you can actually have it pinned to the task bar, which is huge. And folks were asking that, how do I immediately make folks know that that’s there, that you can now do that as part of that installation and log it and make sure that that’s happened.

Paul Thurrott (46:21):
Can we briefly kind of discuss, what’s the end user experience for this and for Endpoint? So you sign in with your work account on a Windows PC or mobile device, policy occurs. What’s the look here for Office? Is this something you get as part of that process? It’s going to be automatically deployed to the desktop when they sign in for the first time.

Jeremy Chapman (46:40):
This is when I’m doing push style deployment, I’m provisioning it out through, say Configuration Manager.

Paul Thurrott (46:48):

Jeremy Chapman (46:48):
So this ingests the output is an XML file. And then basically I say run the ODT, the Office Deployment Tool, which is the command line interface for this. I point it to this XML file and this is basically the instruction set that says here are the packages that we want, 32, 64 bit. Do we want to omit any apps? What’s the update channel that we’re going to write to the registry? Do we want to have, you know, this is the package for example, that enables the service for Microsoft Search that we saw earlier. So I can have that actually even set my my browser or my search engine defaults. All of that’s done through the push style deployment.

Stephen Rose (47:34):
Sort of like the old MPC scripts but just so much easier to do and not having to write it all out.

Jeremy Chapman (47:38):
Right, right. And you don’t have to, before you had to kind of author all of this stuff in an XML file with notepad, you know, like if you didn’t, there were some gooey tools that we’d built that were like on GitHub and stuff, but this is much easier.

Jeremy Chapman (47:52):
And you actually, you can see we were able to save different deployment files. But I think to your other question as the user, so let’s say a user has got admin rights and they sign into Office 365 and I open up the Microsoft 365 Apps for Enterprise package for them to self install. Well basically I can go in and actually set up policies for those machines that connect as well. So let me go into policy management. I was trying to, let me open up the policy first. But basically this will do things like give you the ability to configure whether or not the machine can run macros or do any of the you know, we can actually set policy of the behavior of the computer when they’re signed in. So here, let me try this one more time. I think that this control didn’t turn on, which it should have. Let me just create a new policy. I’ll cancel that

Jeremy Chapman (49:07):
And then this is where you can define who will get set. And then if I search for users, we’ll just add a security group. And now here are those policies that you can do. But you’ll see there’s literally hundreds of policies that we can set. So the cool thing is if I’m logged in with my domain credentials for Microsoft 365, that will actually snap the device to the policies that are configurable through this tool. So once I deploy these out and I’ve targeted them to my right security group. You can see, for example, some of the things that we can do. If I search for, let me just search for macro, I’ll search for macro and you’ll see that, you know, block macros, set VBA, macro controls, all these things that I can do directly from policy management. And this sits up in the cloud, again, as a package that gets kind of pushed down to the client endpoint. And then it’s going to snap to what you, how you want it to behave effectively as an IT admin. And again, that machine doesn’t have to be domain joined. It doesn’t need to be enrolled even into Intune or have any management affinity. It’s literally because I’ve signed in, I’ve brokered that connection and that trust with Azure AD, these policies that you

Jeremy Chapman (50:28):
Define here will get pushed down to that machine. So you can actually protect an unmanaged computer who’s using effectively your managed set of software, which is your Microsoft 365 Apps for Enterprise.

Paul Thurrott (50:39):
Yeah. So this combines with what we talked about earlier, this notion that someone’s pulling a laptop out of a closet, getting it up to date.

Stephen Rose (50:45):

Paul Thurrott (50:45):
And at that point, because they’ve signed in with their work account, they can get this automatically deployed.

Jeremy Chapman (50:51):

Paul Thurrott (50:52):
To the system. Yeah. That’s fantastic. Well, we need to address the last big topic which is something that just came up recently at Build, was the discussion around virtual Windows Virtual Desktop. This notion of Windows hosted in Azure.

Stephen Rose (51:12):

Paul Thurrott (51:13):
How does this change things?

Stephen Rose (51:14):
I’m a huge fan of this and this is something where even last year at Ignite in our booth, we were showing off plugging an Android phone into a USBC hub with a keyboard, mouse, monitor, ethernet and running a full version of Windows 10 in the cloud through that and using it like a fully functional PC. What’s great is our customers that are E3, E5 from Microsoft 365 Licensed automatically get this. And what’s awesome is you really have two kind of key ways you can use this. Either a, you can push out to somebody a full Windows 10 desktop using the same deployment tools that you use today. And what’s great is they’re going to get that Windows 10 and it’s going to have those apps. You can run it through the browser, you can run it through the, you know, through Remote Desktop app on any platform.

Stephen Rose (52:05):
I’ve been using it on my Mac with the new keyboard and mouse setup and you now have this self-contained Windows instanced that you can’t drag and drop things through a local desktop. So for those who want this, either, a, great experience or want a secure experience, you have that. Or you can push out just specific apps. This is awesome if you’re using two apps, two different versions of the same app, you’re going to go to a new one. You can say, Hey, you can continue to use app version one until July 1st. Here’s the new one, take the training, start to use it, and that version will go away. Plus we’ve also extended support for Windows 7, by leveraging Windows Virtual Desktop, which means if you have apps that only run in Windows 7, it was the only thing holding you back from migrating to Windows 10. You can continue to use those in a supported manner as you start to build those out as either, you know, a new app or a cloud-based app, et cetera. So for customers that were spending a lot of money on third party, it’s now included, you’re just using Azure as a way of hosting an app and you have that amazing level of control.

Paul Thurrott (53:16):
It’s rather incredible. I mean for people who have been around for a while, like me, unfortunately, you’ll remember the Microsoft Desktop Optimization Pack, had two forms of virtualization, was the application virtualization, mentioned.

Stephen Rose (53:29):
APP-V and MED-V.

Paul Thurrott (53:30):
Exactly. So this is a combination of those capabilities, right? App and desktop virtualization but delivered through the cloud. That’s incredible.

Jeremy Chapman (53:41):
Yeah. So, and then the other thing is just the ease of provisioning. So once you wire in effectively or directory service against Windows Virtual Desktop, you can start to create your host pools, which are those VMs that you can assign to multiple people. One of the things that’s unique here is we have multi-session, kind of a Windows 10 Enterprise multi-session support. So you can have multiple users logged into client operating systems. You don’t have to use a server for that capability. Which is nice cause you know what I mean, like tradeoffs in terms of usability and you know, you can do all of your management here from one place in terms of assigning the different compute, assigning the users, the apps. I’ve actually got an app here of a legacy app that’s a beautiful looking old Contoso Invoicing app. But you’ll see that, you know, because of this I can do things like run if I want to, like you said, a down level version of Windows or an app that maybe I don’t trust or want to have provisioned running on people’s devices.

Jeremy Chapman (54:40):
But I want to have that on a very locked down kind of sandboxed Windows environment that’s fully contained. So now I’m actually launching this app, you know, the first sign into this VM is going to take a second cause it’s actually kind of spinning everything up. But then once I’m in, it’s literally just cutting out that window of the app that’s running in that version of Windows. So this is actually in a VM and it behaves like it’s running locally. The only evidence you can see here is this glyph that’s on the start menu icon, that it’s a virtual app. So all of this stuff works and it’s great for testing and it’s great for compatibility reasons. Great for having just more control over where some of these apps run so that you have full visibility into what’s on that operating system.

Stephen Rose (55:24):
And now you’ve got cross-platform compatibility instantly as well.

Paul Thurrott (55:28):
So this is something you’re running directly from the browser. It’s not necessarily in this case, I should say.

Jeremy Chapman (55:37):
It’s running RDP. It’s basically a link that’s, you know, it’s here in my start menu.

Paul Thurrott (55:40):
Okay, I was going to say it. Okay. I’m sorry. I’m sorry. I thought you clicked the link on the webpage.

Jeremy Chapman (55:44):
You can do, there’s basically, if you go to and I don’t have all my credits memorized, but you can actually go in through an HTML 5 browser. Do the same thing, the app window or the full desktop from a browser as well, and not have to have the remote desktop plant configured on the machine.

Stephen Rose (56:05):
Right. But the whole goal is that, you know, for end-users, they don’t care how it works. It just has to work. And this is one of those where they see the icon, they click it, it works like they expect, they don’t even realize it’s not a locally connected app, as long as they, you know, the only time they’re gonna realize it is if they’re on a laptop with no internet and they got to launch, it will say sorry. And that’s about the only time. But no matter whether it’s through a browser, you could be on a Mac and have it through Windows Virtual Desktop or have it run the same way where they click that app and it runs out. So that’s what’s great is it’s this seamless experience for end-users where they don’t even realize it. And that’s awesome.

Paul Thurrott (56:41):
Honestly, just having, sorry.

Stephen Rose (56:43):
No, no, that’s it.

Paul Thurrott (56:44):
I mean, just having the app that you want, this is what’s going to delight people. They’ll see it come up and say, Oh yes, thank you. You know, they don’t really care where it’s coming from.

Jeremy Chapman (56:52):

Stephen Rose (56:52):
No, they don’t. And that’s the whole great thing is now it’s also secure. You can also add additional things saying, look, I don’t want any files being saved locally from this. So if you’ve got a sales guy who’s using some, you know, sales app like Goldmine or Act or even an old version, if they’re running it this way, when they go to export it, it’s not going to show them the local C drive. They won’t be able to get to it. So now you’ve also ensured that the content will stay within the app itself and not be downloaded locally or a database can’t be exported, things like that. So you start to get levels of control as you do this. And like I said, I could do this from a mobile phone, plug it into a hub and then use it just like a PC without it being any different.

Stephen Rose (57:34):
And we brought AutoCAD from this because it’s the cloud that’s providing all the processing power. It’s not the phone, the phone’s just redrawing. So as long as it has a decent graphics capability, it’ll work great.

Paul Thurrott (57:46):
We are living in the future.

Stephen Rose (57:47):
We are, where’s my jet pack?

Paul Thurrott (57:51):
Exactly, flying cars, we were promised.

Stephen Rose (57:54):
We were promised that will be, you know, I was told 1977, the world will go metric and except for needing, you know, Coca Cola, we don’t use anything in that. I was terrified that somebody would need a hectoliter of blood. I wouldn’t know how much that is. And they would die. That was life in 1977 so I realized a hectoliter of blood it’s a lot of blood.

Paul Thurrott (58:13):
I think we were all handed the rulers, you know, with those measurements and said, you gotta learn this. Yeah.

Stephen Rose (58:24):
That’s it and we were supposed to have jet packs. The jet packs is still not here and we have not gone metric. The rest of the world has, just not us.

Jeremy Chapman (58:28):
I’m actually a fan of metrics.

Paul Thurrott (58:30):
We should be fans of anything that is 10 based, right?

Stephen Rose (58:36):

Jeremy Chapman (58:36):
Yeah, exactly.

Stephen Rose (58:37):
That’s how many fingers and toes we have, most of us.

Jeremy Chapman (58:39):
How many hands is a horse tall?

Paul Thurrott (58:42):
Yes. Well there is the notion of a finger of alcohol, which I always questioned, you mean a finger width or a finger length?

Paul Thurrott (58:54):
So we covered a lot of ground today. And Jeremy, it’s really good to catch up with you. I have a very long lasting memory of you convincing me to wear a parachute outfit or a skydivers outfit for a bit that we did that I will never forget. So thank you for that.

Jeremy Chapman (59:09):
I remember, that was for Click-to-Run. We wanted to show that you can install Office in the 90 seconds or so of free fall from a plane without internet connectivity. That was the whole point of that one.

Paul Thurrott (59:19):
I did draw the line at jumping out of the plane, [inaudible] I’ll always have that, so thank you. And Stephen, obviously, always, always a pleasure. Thank you guys so much and thank everyone for tuning in to this latest episode of the Microsoft 365 Knowledge Series.