Setting up Windows Hello Cloud Kerberos Trust

One of the biggest challenges that organizations can face is how their employees handle security protocols. Many will admit that some of the greatest vulnerabilities can come from something as avoidable as simple reused passwords for multiple scenarios. By doing this, individuals will not only leave themselves exposed to attacks but will put the entire organization’s network at risk as well. 

This type of challenge is precisely what Microsoft is trying to address with Windows Hello. It gives individuals a simpler but significantly more secure option to access various platforms. In this particular blog, I want us to take a look at how Windows Hello and Cloud Kerberos Trust can provide organizations with better security solutions. 

Introducing Windows Hello

For the benefit of those who may not yet be familiar with this service, let’s start by going over what Windows Hello is. As already mentioned above, how users access various platforms is something that can create vulnerabilities in an organization’s network.

So, with Windows Hello, Microsoft is giving us a biometrics-based solution that gives Windows 10 or Windows 11 users the option to sign in to their devices, apps, and networks using a fingerprint, iris scan, or facial recognition. The great thing about this solution is that it gives users a more personal way to authenticate access and offers enterprise-grade security but eliminates the need to type in a password.

Expectedly, some users worry about access to their biometric data by third parties. Fortunately, Windows assures us that your data continues to be highly encrypted and secure. Also, it does not leave your device nor is it stored anywhere else. And as long as you have a compatible device with the necessary hardware, getting started is easy. This is because there is a wizard that will teach the device to recognize your biometric credentials. 

You will, however, need to set up a PIN as a backup in case any of the biometric authentication measures happen to fail. Simply put, Windows Hello provides a simple but highly secure authentication service that can also ease concerns about typing in passwords or using sign-in gestures in public.

Windows Hello for Business

Now that we’ve gone over what Windows Hello is, let’s take a look at how it differs from Windows Hello for Business (WHfB). In the simplest of terms, WHfB has all the features of Windows Hello as well as other more advanced ones. Whereas Windows Hello is more suited to the home environment, WHfB, as the name suggests, intends to suit businesses. 

For the configuration of WHfB, you can use either a GPO or MDM. Also, Windows Hello for Business uses a PIN backed by an asymmetric key pair or certificate-based authentication. Eliminating the use of use hashes and thus the transmission of passwords means that security is significantly better. And if you want to use the asymmetric key, you’ll require Azure AD or the implementation of a Windows Server 2016 domain controller.

What is Cloud Kerberos Trust?

With the development of Windows Hello for Business Cloud Kerberos Trust, Microsoft is aiming to provide Windows Hello for Business with a simple passwordless experience. The objective is to also avail the service to new or existing Windows Hello for Business deployments. One of the key things about Windows Hello for Business Cloud Kerberos Trust is that it leverages Azure AD Kerberos. Doing it this way means that you create a simpler deployment as compared to the key trust model:

  • In this scenario, the deployment of a public key infrastructure (PKI) or changing an existing PKI becomes unnecessary.
  • Additionally, synchronizing public keys between Azure AD and Active Directory for users to access on-premises resources also becomes unnecessary.
  • Lastly, the deployment of passwordless security key sign-in becomes something that you can do with very little extra setup.

Therefore, with all these potential benefits, Microsoft advises that Windows Hello for Business Cloud Kerberos Trust be the recommended deployment model when compared to the key trust model. And for clients that do not need to support certificate authentication scenarios, this is also the most recommended deployment model.

Azure AD Kerberos and Cloud Kerberos Trust authentication

When it comes to requesting Kerberos ticket-granting-tickets (TGTs) for on-premises authentication, we find that certificate authentication-based Kerberos features usage by both key trust and certificate trust. And when performing this type of authentication, there are two requirements to meet.

  • PKI for DC certificates,
  • End-user certificates for certificate trust.

In the case of Cloud Kerberos Trust, by using Azure AD Kerberos this negates the need for a PKI to request TGTs. Also, these TGTs can be issued for one or more AD domains by Azure AD for Azure AD Kerberos. And then as far as Windows is concerned, when authenticating with Windows Hello for Business it can request a TGT from Azure AD. 

Once a TGT has been returned, Windows can then use it for sign-in or to access AD-based resources. However, it’s worth noting that Kerberos service tickets and authorization will still remain under the control of on-premises domain controllers.

With an enabled Active Directory domain, an Azure AD Kerberos server object will then be created in the domain and it will:

  • Not associate with any physical servers but will, however, still appear as Read Only Domain Controller (RODC) object.
  • Be solely used by Azure AD to create TGTs for the Active Directory domain. Furthermore, the Azure AD Kerberos Server object must adhere to the same rules and restrictions applied to RODCs.

It’s important to note, though, that there is something to consider before implementing the Cloud Kerberos Trust deployment model. You have to first verify that each of the Active Directory sites where users will be authenticating with Windows Hello for Business has enough read-write domain controllers. 

Prerequisites

RequirementNotes
Multi-factor authenticationThere are a few options that you can use to meet this requirement. These include:

Ø  Azure AD multi-factor authentication

Ø  multi-factor authentication is provided through AD FS or any other comparable solution.
Windows 10, version 21H2, or Windows 11 and laterFor clients that are using Windows 10 21H2, they will need to check that they have KB5010415 installed.

And then those using Windows 11 21H2, need to have KB5010414 installed.

Also, when it comes to Azure AD-joined and Hybrid Azure AD-joined devices, expect to find no Windows version support difference.
Windows Server 2016 or later Domain ControllersFor clients that are using Windows Server 2016, they will need to check that they have KB3534307 installed.

And then for those using Windows Server 2019, KB4534321 must be installed.
Azure AD Kerberos PowerShell moduleThis is the module that will be necessary for the enabling and management of Azure AD Kerberos. You can find it through the PowerShell gallery.
Device managementThe management of Windows Hello for Business Cloud Kerberos Trust can be done in a couple of ways:

Ø  using group policy,

Ø  using mobile device management (MDM) policyYou will need to enable this feature using policy because it comes disabled by default. 

Authentication to on-premises resources

For authentication to on-premises resources to work properly, Cloud Kerberos Trust will need to be enabled for the concerned user. Once enabled, if you attempt to access domain resources, the process will begin with the device receiving a name hint from metadata in the PRT. Then, a DC locator will find a valid DC before a partial TGT from Azure AD Kerberos is sent with a TGS_REQ to this valid DC. After this, a partial TGT validates and then a TGT is returned. However, the user will still need to be synchronized from Active Directory. And this is an important step that allows us to find the domain name associated with the user, in the event of ticket requests from the KDC.

Azure Active Directory

When it comes to Azure AD-joined devices, authentication to Active Directory will only begin when a particular user tries to access a resource that requires Kerberos authentication. At this point, the Kerberos security support provider will then leverage metadata from the WHfB key in order to get a hint of the user’s domain. 

Once the hint is available, the provider can then use a DC locator to find a 2016 domain controller. A domain hint is absolutely necessary for the DC locator. And this will be obtained from the onpremisedomainname that you get with the PRT. Next, the client will get a Domain Controller returned for the continuation of normal service ticket issuance. 

The Kerberos provider will then forward a partial TGT,, obtained from Azure AD from a prior Azure AD authentication with the domain, controller once an active 2016 domain controller is found. On this partial TGT, signed by Azure AD Kerberos, all you will get is the user SID. It will be the role of the domain controller to check the validity of the partial TGT.  If the process has been successful, the KDC will then send a full TGT to the client after which the client can request service tickets.

Deployment process

To complete the deployment of Windows Hello for Business Cloud Kerberos Trust, there are two steps to follow:

  • Set up Azure AD Kerberos.
  • Configure a Windows Hello for Business policy and deploy it to the devices.

Deploy Azure AD Kerberos

For those who have already deployed on-premises SSO for passwordless security key sign-in, you should be aware that this means that Azure AD Kerberos is already deployed as well in your hybrid environment. So, this negates the need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business. If you haven’t done so, however, you can find the instructions in this section Enable passwordless security key sign-in to on-premises resources by using Azure AD.

Configure Windows Hello for Business policy

Once you have the Azure AD Kerberos object set up, you’ll need to enable Windows Hello for Business Cloud Kerberos Trust on your Windows devices. To configure your devices using Microsoft Intune you can follow the instructions below.

Intune policies can configure Windows Hello for Business if the devices are already under Intune management. You have several options available to you if you want to enable and configure Windows Hello for Business in Intune:

  • Devices enrolled in Intune can have a tenant-wide policy applied to them. However, this policy can only be applied at enrolment time. So any changes that are later made to its configuration will not apply to already enrolled devices. This is precisely why, most of the time, you’ll find this policy disabled. And then WHfB can be enabled using a policy targeted to a security group.
  • A device configuration policy can be applied as soon as the device is enrolled in Intune. If you make any changes to the policy, these will only apply to the devices during regular policy refresh intervals. You get several policy types that you can choose from:

Ø  Settings catalogue

Ø  Security baselines

Ø   Custom policy, via the PassportForWork CSP

Ø   Account protection policy

Ø   Identity protection policy template

Verify the tenant-wide policy

If you want to verify exactly which Windows Hello for Business policy was applied at enrollment you can follow the steps below:

  • Navigate to the Microsoft Intune admin center and sign in.
  • Select Devices > Windows > Windows Enrollment.
  • Select Windows Hello for Business.
  • Now you can check the status of Configure Windows Hello for Business as well as any other configurable settings.

Enable Windows Hello for Business

Windows Hello for Business is configurable using an account protection policy and to do so you can follow the steps below:

  • Navigate to the Microsoft Intune admin center and sign in.
  • Select Endpoint security > Account protection.
  • Select + Create Policy.
  • If you want to go with Platform then you should select Windows 10 and later. But if you want Profile then you should select Account protection.
  • Select Create.
  • Decide on a Name and then, optionally, a Description > Next.
  • If you go and select Disabled under Block Windows Hello for Business, you’ll be able to see multiple available policies.

It’s important to note that these policies are optional to configure, but the recommendation is to configure Enable to use a Trusted Platform Module (TPM) to Yes.

  • Under Enable to certificate for on-premises resources, select Not configured.
  • Select Next.
  • You’ll also have the option to add scope tags and select Next.
  • Assign the policy to a security group that contains as members the devices or users that you want to configure > Next.
  • Go over the policy configuration again and if satisfied select Create.

Configure the Cloud Kerberos Trust policy

If you want to configure the Cloud Kerberos Trust policy, you can do so using a custom template. Also, this configuration is done separately from enabling Windows Hello for Business. The configuration process should follow the steps below:

  • Navigate to the Microsoft Intune admin center and sign in.
  • Select Devices > Windows > Configuration Profiles > Create profile.
  • For Profile Type, select Templates and select the Custom Template.
  • Next, you need to provide a name for the profile. Ideally, this is something simple such as “Windows Hello for Business Cloud Kerberos Trust.
  • Then, head over to Configuration Settings where you’ll need to add a new configuration with these settings:

Ø  Name: Windows Hello for Business Cloud Kerberos Trust or something else similarly simple

Ø  Description (optional): Enable Windows Hello for Business Cloud Kerberos Trust for sign-in and on-premises SSO

Ø  OMA-URI: ./Device/Vendor/MSFT/PassportForWork/<tenant ID>/Policies/UseCloudTrustForOnPremAu

(This tenant ID will need to be replaced with the tenant ID for your Azure AD tenant)

Ø  Data type: Boolean

Ø  Value: True

Ø  The final step requires you to assign the policy to a security group whose members are the devices or users that you want to configure.

A very important thing that you need to be aware of is that you will first need to ensure that the Use certificate for on-premises authentication policy is not configured on all the machines that you want to enable Cloud Kerberos Trust. The reason for this is that if you enable this policy then certificate trust will take precedence over Cloud Kerberos Trust.

Provision Windows Hello for Business

When it comes to the provisioning of Windows Hello for Business, the process will begin once a user has signed in. That is, of course, if they meet all the prerequisites. In cases where Cloud Kerberos Trust is enabled by policy on Hybrid Azure AD-joined devices, then Windows Hello for Business Cloud Kerberos Trust will also perform a prerequisite verification. 

And if you want to view the status of the prerequisite check you can navigate to User Device Registration admin log under Applications and Services Logs > Microsoft > Windows. Alternatively, you can also view this information from a console by using the dsregcmd /status command.

During a Cloud Kerberos Trust prerequisite check, the system will be looking to pick up whether the user has a partial TGT before the provisioning process proceeds. And the importance of this check is to validate whether Azure AD Kerberos is set up for the user’s domain and tenant. 

Upon completion of the check and verification of the Azure AD Kerberos setup, the user can then receive a partial TGT during sign-in with one of their other unlock methods. There are three possible states that you can encounter during the check: Yes, No, and Not Tested. You will see the Not Tested state in a couple of situations:

  • Cloud Kerberos Trust is not being enforced by policy
  • The device is Azure AD joined

However, please note that Azure AD-joined devices will not have the Cloud Kerberos Trust prerequisite check performed on them. Users can still sign in on Azure AD-joined devices even if Azure AD Kerberos is not provisioned. But, they won’t have SSO to on-premises resources secured by Active Directory.

PIN setup

Once a user completes the sign-in process, the process for enrolling in Windows Hello for Business begins and happens as follows:

  • The user will see a full-screen page appear prompting them to use Windows Hello with the organization account. They can then proceed to select OK.
  • Next up in the process will be the multi-factor authentication portion of the enrollment. The user will then receive notification that the system is trying to contact them through their configured form of MFA. And without the success, failure, or timing out of the authentication, the provisioning process cannot proceed. If the MFA fails or times out, the user faces an error and see a request to retry.
  • Once there is a successful MFA, the user will then be asked to create and validate a PIN. This PIN needs to adhere to the complexity policies that may be set on the device.

Sign-in

Signing in can be done as soon as the user has finished setting up a PIN with Cloud Kerberos Trust. For those using Hybrid Azure AD joined devices there will need to be a line of sight to a DC when the PIN is first used. However, after this initial sign-in or unlocking with the DC, the system will leverage cached sign-in for subsequent unlocks without line of sight or network connectivity.

Migrate from key trust deployment model to Cloud Kerberos Trust

Occasionally, there may be situations where someone may have deployed Windows Hello for Business using the key trust model, but is now looking to migrate to the Cloud Kerberos Trust model. To do so you only need to follow a few simple steps:

  • Start by setting up Azure AD Kerberos in your hybrid environment.
  • Then you’ll need to enable Cloud Kerberos Trust via Group Policy or Intune.
  • Also, you’ll need to first sign out and sign in to the device using Windows Hello for Business when it comes to hybrid Azure AD joined devices.

When signing in for the first time, users of hybrid Azure AD joined devices must sign in with new credentials while having line of sight to a DC.

Migrate from certificate trust deployment model to Cloud Kerberos Trust

An important thing to note is that when moving from certificate trust deployment to a Cloud Kerberos Trust deployment, you’re not going to find a direct migration path. So, if you want to migrate to Cloud Kerberos Trust the Windows Hello container will first need to be deleted. For users that are interested in using the Cloud Kerberos Trust model but had initially deployed Windows Hello for Business using the certificate trust model, they will need to redeploy Windows Hello for Business. The steps to do that are given below:

  • To begin the process, the certificate trust policy will need to be disabled.
  • With that done you must then leverage either Group Policy or Intune to enable Cloud Kerberos Trust.
  • The next step involves the removal of the certificate trust credential using the command certutil -deletehellocontainer from the user context.
  • Sign out and sign back in.
  • Lastly, you can now provision Windows Hello for Business using the method that is best for you.

And similar to the previous scenario, when signing in for the first time, users of hybrid Azure AD joined devices must sign in with new credentials while having line of sight to a DC.

How Azure AD Kerberos enables access to on-premises resources

Kerberos TGTs can be issued for one or more of your Active Directory domains by Azure AD. The benefit of this feature is that it enables users to sign in to Windows with modern credentials, such as FIDO2 security keys, and then access traditional Active Directory-based resources. 

However, your on-premises Active Directory DCs will retain control over authorization as well as the Kerberos Service Tickets. It’s also going to be in your on-premises Active Directory instance where Azure AD Kerberos Server objects will be created and subsequently securely published to Azure AD. These objects have no links to any physical servers. They are only resources that can be used by Azure Active Directory to generate Kerberos TGTs for your Active Directory domain.

  • Users will first need to sign in to a Windows 10 device with a FIDO2 security key and authenticates to Azure AD.
  • Next, Azure AD will go through the directory looking for a Kerberos Server key that matches the user’s on-premises Active Directory domain.
  • At this point, a Kerberos TGT will then be generated by Azure AD for the user’s on-premises Active Directory domain. There’s no authorization data on this TGT, only the user’s SID.
  • The client will now receive the TGT as well as the user’s Azure AD Primary Refresh Token (PRT).
  • Then, an on-premises Active Directory DC will be contacted by the client machine in order to trade the partial TGT for a fully formed TGT.
  • The client machine is now able to access both cloud and on-premises resources because of the Azure AD PRT and full Active Directory TGT that it has obtained.

Requirements

There are a few prerequisites that need to be met if you are to proceed. And these are:

  • All concerned devices need to have Windows 10 version 2004 or later.
  • All Windows Servers will need to have Windows Server 2016 or later and have patches installed for Windows Server 2016 and Windows Server 2019.
  • AES256_HMAC_SHA1 must be enabled when Network security: Configure encryption types allowed for Kerberos policy is configured on domain controllers.
  • You need to have the necessary credentials to carry out the steps in the scenario:

Ø  an Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest. Referred to as $domainCred.

Ø  an Azure AD user who is a member of the Global Administrators role referred to as $cloudCred.

Supported scenarios

In this section, the scenario that we’ll be going over supports SSO in the situations below:

  • Cloud resources such as Microsoft 365 and other Security Assertion Markup Language (SAML)-enabled applications.
  • On-premises resources, and Windows-integrated authentication to websites. The resources can include websites and SharePoint sites that require IIS authentication and/or resources that use NTLM authentication.

Unsupported scenarios

The scenarios given below will not be supported:

  • Windows Server Active Directory Domain Services (AD DS)-joined (on-premises only devices) deployment.
  • Remote Desktop Protocol (RDP), virtual desktop infrastructure (VDI), and Citrix scenarios by using a security key.
  • S/MIME by using a security key.
  • Run as by using a security key.
  • Log in to a server by using a security key

Install the Azure AD Kerberos PowerShell module

Admins will be glad to know that there are FIDO2 management features provided for them by the Azure AD Kerberos PowerShell module.

  • To begin, you’re going to need to use the Run as administrator option to open a PowerShell prompt.
  • Next, you need to install the following Azure AD Kerberos PowerShell module:

# First, ensure TLS 1.2 for PowerShell gallery access.

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the Azure AD Kerberos PowerShell Module.

Install-Module -Name AzureADHybr

Something that you should be aware of is that the Azure AD Kerberos PowerShell module uses the AzureADPreview PowerShell module to provide advanced Azure AD management features. For those that already have the Azure AD PowerShell module installed on the local computer, there could be a conflict that would result in the failure of the installation. 

So, if you want to avoid any such conflicts then you need to include the “-AllowClobber” option flag. The Azure AD Kerberos PowerShell module can be installed on any computer from which you can access your on-premises Active Directory DC. And this can happen without having to depend on the Azure AD Connect solution.

Furthermore, you’ll find that the Azure AD Kerberos PowerShell module is distributed through the PowerShell Gallery. What this Gallery will provide is a central repository for PowerShell content. If you are looking for useful PowerShell modules containing PowerShell commands and Desired State Configuration (DSC) resources then this is the place to find them.

Create a Kerberos Server object

Once you have completed the installation of the Azure AD Kerberos PowerShell module, admins can now use it to create an Azure AD Kerberos Server object in their on-premises directory. You’ll now need to perform the following for each domain and forest in your organization that contains Azure AD users:

  • To begin, you’re going to need to use the Run as administrator option to open a PowerShell prompt.
  • Next, there will be some PowerShell commands that are used for creating a new Azure AD Kerberos Server object both in your on-premises Active Directory domain and in your Azure Active Directory tenant that you will need to run. You can find examples of these prompts on this page.

View and verify the Azure AD Kerberos Server

At this point, you may want to check that everything that you’ve done has come out the way it’s supposed to. So, to check out the Azure AD Kerberos Server that you’ve been working on, you can use this command:

Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

By using this command, you’ll be able to see the properties of the Azure AD Kerberos Server. Doing so allows you to verify these properties and determine if this was the result you were looking for.

Running against another domain by supplying the credential will connect over NTLM, and then it fails. The issue can be resolved for users in the Protected Users security group in Active Directory by following these steps:

  • Navigate to ADConnect and sign in as another domain user
  • Don’t supply “-domainCredential”

The user that’s already signed in is the one whose Kerberos ticket is going to be used. However, you need to verify whether the user has the required permissions in Active Directory to execute the previous command and you can do so by executing whoami /groups.

VERIFYING PERMISSIONS

PropertyDescription
IDRefers to the unique ID of the AD DS DC object. Occasionally, you will find this ID called slot or its branch ID.
DomainDnsNameRefers to the Active Directory domain’s DNS domain name.
ComputerAccountThe computer account object of the Azure AD Kerberos Server object (the DC).
UserAccountRefers to the disabled user account object containing the Azure AD Kerberos Server TGT encryption key. The account’s domain name is given below:

CN=krbtgt_AzureAD,CN=Users,<Domain-DN>.
KeyVersionRefers to the key version of the Azure AD Kerberos Server TGT encryption key. The version can only be assigned after the creation of the key and will be incremented each time the key is rotated. Increments are based on replication metadata and are likely greater than one. Please note that you should always ensure that the KeyVersion for the on-premises object and the CloudKeyVersion for the cloud object are the same.
KeyUpdatedOnSimply refers to the date and time of the creation or update date and time of the Azure AD Kerberos Server TGT.
KeyUpdatedFromThe Domain Controller where the Azure AD Kerberos Server TGT encryption key was last updated.
CloudIdThis is the ID from the Azure AD object and it should also be the same as the ID from the first line of the table.
CloudDomainDnsNameRefers to the Azure AD object’s DomainDnsName and it should be the same as the DomainDnsName from the second line of the table.
CloudKeyVersionRefers to the KeyVersion from the Azure AD object which needs to be the same as the KeyVersion from the fifth line of the table.
CloudKeyUpdatedOnRefers to the KeyUpdatedOn from the Azure AD object and it should be the same as the KeyUpdatedOn from the sixth line of the table.

Rotate the Azure AD Kerberos Server key

Users are advised to regularly rotate the Azure AD Kerberos Server encryption krbtgt keys. And as far as what schedule to follow, it’s recommended that you use the same rotation schedule applied to all the other Active Directory DC krbtgt keys.

Remove the Azure AD Kerberos Server

In some cases, you may need to revert the scenario and remove the Azure AD Kerberos Server from both the on-premises Active Directory and Azure Active Directory. To do so, you can follow the command below: 

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

Multiforest and multidomain scenarios

We find that in Azure AD the Azure AD Kerberos Server object is represented as a KerberosDomain object. And each on-premises Active Directory domain will be represented as a single KerberosDomain object in Azure AD. 

Wrap up

Something that should be as simple as a password can create plenty of problems for businesses. If a user forgets a password this will hinder productivity and will cost the business as IT has to come in and resolve the issue. This is just one example of how issues with passwords can be problematic for businesses. And these situations can create vulnerabilities in an organization’s network that can leave them exposed to malicious actors.
As you go over these problems, it’s easy to see why Windows Hello for Business can be just the right tool to address these challenges. It’s a service that offers you a simple but secure way to authenticate identities and thus enhance your overall organizational security. With cyber-attacks becoming more prevalent and sophisticated, solutions like Windows Hello for Business look like the way to go for the future.

Download all OneDrive files for a user using PowerShell

Powershell script to download a users OneDrive content.

New and improved: Download-OD4BAccount.ps1

.Example 
.\Download-OD4BAccount.ps1 -Username User@SampleTenantName.onmicrosoft.com -Destination "D:\OD4B" -ThreadCount 3 -Verbose

Script prerequisites:

1. Microsoft Graph PowerShell Module installed on local machine. The script automatically checks for and installs module if needed.

2. An Azure AD user that has an admin consent to approve the following permissions in Microsoft Graph application in Azure AD apps:
   Organization.Read.All, User.Read.All, Directory.Read.All

This was inspired by Adnan's script, which i have used on multiple occasions.
But when downloading very large OneDrive data structures, Multi-Threads seems to work faster and smoother.
 

Streamlining IT with Windows Update for Business Deployment Service

In March of 2021, at its Ignite developers conference, Microsoft announced several new features and functionality designed to better help IT manage Windows. One of those key announcements was about Windows Update for Business Deployment Service (WUfB Deployment Service). Plenty of businesses are still comfortable using 2005’s Windows Server Update Service (WSUS). However, Microsoft views WUfB Deployment Service as an important part of the drive to migrate IT to the cloud. 

According to the announcement and details shared, Windows Update for Deployment Service for both drivers and firmware will be available in Microsoft Endpoint Manager. And it will also be available in Microsoft Graph as a public preview from the first half of 2022.

What exactly is WUfB Deployment Service?

The key thing that most IT pros would like to know is what exactly this new service that Microsoft is rolling out is. And the latter describes Windows Update for Business Deployment Service as a cloud service that is a part of the Windows Update for Business product family.

It is a service that will allow control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. And the beauty of it is that Microsoft says it will integrate seamlessly with existing Windows Update for Business policies.

IT pros should look forward to a platform that enables them to meet the goals of their business. They’ll also welcome the ability to meet the needs of end-users, regardless of where they may be. And this is crucially important, given the difficult time the world has been facing recently.

The need for more efficient cloud services is part of what is driving Microsoft to create services like the deployment service. It comes as an enterprise-grade solution that will enhance the existing servicing platform that Microsoft AI provides. And it will impact more than a billion devices across the globe.

Availability

Those looking forward to using the new Windows Update for Business Deployment Service for drivers and firmware should expect the public preview to become available starting with the first half of 2022. According to Microsoft, this will be available in Microsoft Endpoint Manager and Microsoft Graph.

In addition, a management reporting system for driver servicing capabilities is also on the way when the new service reaches public preview. This will allow you to access reports as Workbooks using Windows Update for Business: Update Compliance. 

The availability of reporting will extend to all recommended and approved updates that require attention. And these include drill-downs designed to reveal individual device impact. Public preview for the service should arrive in January 2022 for Microsoft Graph and the first half of 2022 for Intune.

Built for IT professionals

According to the information that Microsoft has given us, this deployment service takes into consideration feedback from their clients. Below are the capabilities WUfB Deployment Service provides:

IT will maintain control – You get to approve and schedule Windows content delivered from Windows Update. These approvals include feature updates, quality updates, drivers, and firmware. It means the IT pro has the final say. And any content they do not approve will not deploy.

Easy to adopt – Integrating the deployment service with Microsoft Endpoint Manager, either through the cloud-only controls or co-management, allows for easy adoption of content and features. As a result, this can be done at your convenience without having to worry about implementing all these changes at one time.

Responsive to change – Delivering innovation and new features through cloud services makes it easy for users to adopt. Capabilities are also common across OS releases. And you’ll no longer need to install an update to access new update controls.

Compliant and privacy-focused – WUfB deployment service fulfills the necessary compliance regulations. IT professionals will be happy to know the deployment service is ISO 27001, FedRAMP High, HiTRUST, and SOC II certified.

Enhancing deployment processes

Simplifying deployment processes can help your organization operate with greater efficiency. By leveraging Windows Update for Business Deployment Service, IT professionals can significantly extend the management plane available to devices connecting to Windows Update. This should then allow you to:

  • Schedule update deployments to begin on any specific, convenient to your organization.
  • Stage deployments over a period of time using rich expressions. This enables you to make deployments to a given number of devices each day.
  • Bypass pre-configured Windows Update for Business policies to quickly deploy a security update across your organization when emergencies arise.
  • Ensure coverage of hardware and software in your organization through deployments. These can be tailored to your unique device population through automatic piloting.
  • Leverage Microsoft ML to automatically identify. Also pause deployments to devices that are likely to be impacted by a safeguard hold.
  • Manage driver and firmware updates, just like feature updates and quality updates.

What you stand to gain

This new deployment service will present IT admins with plenty of exciting new features. When the service becomes available, it will enable IT, admins, to choose the right drivers for the devices that they are responsible for managing. 

They will do so by browsing the entire collection of drivers from independent hardware vendors and original equipment manufacturers available on Windows Update. 

Most end-users will be extremely grateful for this option because it relieves them of having to go through the entire Windows catalog to pick drivers themselves. By having IT admins perform this task, organizations will significantly reduce the risk of having incorrect or outdated drivers installed on company devices.

Also, businesses stand to benefit from regular deployment of driver updates from Windows Update. These benefits include that your devices will receive just the right drivers from Windows Update as well as getting new drivers and fixes regularly from the hardware ecosystem. All of this is key in ensuring that security issues are mitigated and your organization operates more efficiently.

Another benefit of this service for IT admins is to simplify the process of identifying the right drivers for the various devices. This is because of how Windows Update performs an automatic evaluation of all data. The device sends the update when it scans the service and identifies drivers on the service that are better than those that are already in place. This is possible because of the various factors Windows Update uses to identify the specific drivers, as well as the hardware.

Requirements

For you to be able to use the deployment service, there are a number of requirements that devices must meet. And those requirements are as follows:

  • You must be running Windows 10, version 1709 or later (or Windows 11),
  • Must be joined to Azure Active Directory (AD) or Hybrid AD,
  • You must have one of the following Windows 10 or Windows 11 editions installed: Pro, Enterprise, Education, Pro Education, or Pro for Workstations.

In addition to the above prerequisites, your organization must have one of the following subscriptions:

  • Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
  • Subscription to Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5),
  • The Windows Virtual Desktop Access E3 or E5
  • Microsoft 365 Business Premium.

How does Windows Update for Business Deployment Service work?

Microsoft intends for WUfB Deployment Service to complement and work seamlessly with existing Windows Update for business capabilities. This includes existing device policies among others. There are three main elements that make up Windows Update for business and these are:

1. Client policy to govern update experiences and timing – available through Group Policy and CSPs.

2. Deployment service APIs to approve and schedule specific updates – available through the Microsoft Graph and associated SDKs (including PowerShell).

3. Update Compliance to monitor update deployment – available through the Azure Marketplace.

One of the key differences between this new deployment service and the existing client policy is that it does not directly interact with devices. With the service being native to the cloud this means that all interactions will take place between the different Microsoft services. 

So what you’ll then end up with is a direct communication channel between management tools and the Windows Update service. As a result, the approval and offering of content is something that IT pros will directly control.

 For the most part, when using this deployment service things will usually proceed as below:

1)  An IT pro leverages a management tool to pick devices and approve content to be deployed. The management tool used can be either PowerShell or a Microsoft Graph app. You can even opt for a more complete management solution such as Microsoft Endpoint Manager.

2)    The chosen tool conveys your approval, scheduling, and device selection information to the deployment service.

3)    The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates.

Types of updates on offer

Another thing that IT pros should be interested in knowing just what kinds of updates will be available to them. Windows Update for Business manages policies for several types of updates to Windows 10 devices:

·    Feature updates – in addition to security and quality revisions, feature updates also provide feature additions and changes. And they are released as soon as they are available.

·    Quality updates – this type of update is the traditional OS update that normally becomes available on the second Tuesday of every month. These will include security, critical, and driver updates. Under Windows Update for Business, non-Windows updates such as those for Microsoft Office or Visual Studio have also been considered quality updates. They are defined as Microsoft updates and devices can be programmed to receive them with their Windows updates.

·     Driver updates – these updates are for your necessary, non-Microsoft drivers and are on by default. You can, however, use Windows Update for Business policies to turn them off.

·     Microsoft product updates – updates for additional Microsoft products that are off by default and can be turned on by using Windows Update for Business policies. These other products can include things such as versions of Office that are installed by using Windows Installer (MSI).

Getting started

To get started using the deployment service, there are a few ways to go about it. You can use a management tool built on the platform, script common actions using PowerShell, or build your own application.

Microsoft Endpoint Manager – using Microsoft Endpoint Manager gives you the advantage of using a platform that integrates with the deployment service to provide Windows client update management capabilities.

PowerShell – scripting common actions using PowerShell is another way to go. The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions.

Building your own application – Microsoft Graph makes deployment service APIs available. There are a couple of learning paths that you can get started with:

1) Learning Path: Microsoft Graph Fundamentals

2) Learning Path: Build apps with Microsoft Graph

And as soon as one is comfortable with Microsoft Graph development, you can find more information in Windows updates API overview in Microsoft Graph.

Enhancing the update process

For years, IT admins and device managers have voiced their displeasure at the lack of control over Windows Updates. And by taking this feedback into consideration, Microsoft is now hoping to address the issues at hand using the Windows Update for Business Deployment Service

The cloud-based service will provide features that will help IT pros approve, schedule, and monitor updates. The greater control that this provides means that the update process will be a lot smoother for all devices on the network. And this is regardless of where that device may be. 

So far the new deployment service can deliver on its multiple promises, it is brining a massive upgrade to the existing update process. And the needed stability and reliability.

Cloud Computing Gets Better With Windows 365

Cloud technology has evolved rapidly over the last few decades. Right now, it is very much integral to the operations of many businesses. Especially as we consider the unprecedented disruptions that have been brought about by the global pandemic since early 2020. Moving forward, a hybrid work environment is increasingly becoming the norm. And Windows 365 looks to provide clients with the digital solutions necessary to bring about technological transformation.

This Windows suite of solutions will make it even simpler for employees to remain connected and collaborate regardless of whether they are working from home or are in the office. Cloud computing can undoubtedly be a key driver in the success of any business.

Windows in the cloud

Microsoft’s latest offering is certainly looking to take cloud technology to a higher level. Just to recap, Windows 365 is a subscription-based cloud PC service. In a way, you could describe it as an Operating System-as-a-Service solution.

All you need to do is purchase a subscription and you can remotely access a Windows desktop in any modern web browser. The service will provide you with a consistent experience across any device.

So if you happen to be working on a project with several application windows open and then you disconnect, that exact same state will be restored when you reconnect, regardless of whether you’re using the same device. Built on Microsoft’s Azure Virtual Desktop technology, Windows 365 could just be a game-changer.

Explaining cloud computing

Cloud computing refers to the robust delivery of on-demand computing services over the internet that are paid for according to your needs. These services can include servers, storage, applications, databases, networking, intelligence, analytics, and processing power. Because you only pay for the services you need, your business can lower its operating costs, run infrastructure more efficiently, and scale accordingly as per your needs.

The most common types of cloud services that you’ll come across include, Infrastructure as a Service (IaaS) along with Platform as a Service (PaaS). Another is Software as a Service (SaaS). IaaS allows you to rent IT infrastructure such as servers and virtual machines from a cloud services provider.

PaaS can help developers to work more efficiently when creating web or mobile apps. This is because users can rent an on-demand environment to develop, test, deliver, and manage software applications. And then with SaaS, service providers can deliver software applications to clients over the internet on a subscription basis.

And Microsoft is looking to enhance the technology even further. As Satya Nadella, chairman and CEO of Microsoft put it, “We are building the cloud for the next decade, expanding our addressable market and innovating across every layer of the tech stack to help our customers be resilient and transform.”  

He went on to further explain, “With Windows 365, we’re creating a new category: the Cloud PC. Just like applications were brought to the cloud with SaaS, we are now bringing the operating system to the cloud, providing organizations with greater flexibility and a secure way to empower their workforce to be more productive and connected, regardless of location.”

Modern computing

Constantly changing technology means that businesses need to embrace digital transformation processes to remain competitive. Integrating new forms of technology such as Windows 365 can have a significant impact on a business by speeding up, automating, and improving processes.

By leveraging the capabilities of the cloud, organizations can easily achieve the goals of digital transformation. This is because the cloud provides the natural solution to the heavy computational and storage needs that are required to implement these digital solutions.

If you are still unclear or on the fence about cloud technology then you should also consider that according to a study by 451 research, you are already behind 90% of companies. Cloud technology is clearly not a passing phenomenon, it’s here to stay. And it’s not too hard to see why, when looking at just what businesses stand to gain:

  • Cloud services are scalable and flexible enough to adapt to any business’ needs,
  • Businesses can make significant savings by eliminating the need for massive investments in on-premises infrastructure,
  • Companies stand to gain a competitive advantage from the valuable insights they get from the huge volumes of big data available,
  • The cloud also ensures business continuity in the event of a disaster, cyber attack, etc. A case in point being how businesses have remained operational despite the pandemic.

What does Windows 365 add?

We all know that cloud computing is not a new phenomenon. Neither is virtual technology. In fact, Microsoft itself already has Azure Virtual Desktop available. So naturally, one would wonder what does Windows 365 bring to cloud computing that isn’t already there? Apparently, quite a bit.

Windows 365 promises to provide clients with an alternative to their physical PCs. An alternative that lives permanently in the cloud and runs Windows 10 or (once it’s available later this year) Windows 11. The service would also allow you to sign in to that alternative PC on any desktop PC, Mac, or mobile device and pick up exactly where you left off.

With Windows 365, at least according to Microsoft, setting up, maintaining, and managing Windows will become easier. In addition, the Cloud PC provides a secured place to store apps, files, and documents that your employees will have access to at any time and on any device with an internet connection.

This creates a situation where your location doesn’t matter and you can easily switch between devices without losing your work. Also, unlike Azure Virtual Desktop’s consumption-based rate, Windows 365 offers flat subscription rates.

Windows 365 Functionality

Having seen what Windows 365 can bring to the table, you’ll probably need to know how the service functions. Firstly, you’ll need to determine what the needs of your organization are and then select a plan from the ones available.

And once you purchase a subscription, you can then link your Windows 365 product to an existing Microsoft account. With this done, all your apps, tools, data, and settings will become accessible from any device anywhere.

Moreover, Windows 365 is a fully customizable platform that allows you to customize the amount of power and storage that your Cloud PC uses both at the point of subscription and once you start using it.

One of the major challenges with existing cloud computing technology is the difficulty that one faces with scaling. So the fact that Windows 365 essentially eliminates this issue is a fantastic advantage. 

Another great tool that you have is the integration with Azure AD and Microsoft Endpoint Manager (MEM). For organizations that are already leveraging Azure virtual desktop infrastructure, Windows 365 will automatically integrate itself with your Azure AD infrastructure. In addition to your other virtual assets as well. Also, management and security policies can be applied to your Cloud PCs.

Cloud PC capabilities and Windows 365

The Cloud PC is designed to offer a better cloud experience than other services on the market. Including Windows traditional devices. Developed for hybrid working, Windows 365 can offer the kind of flexibility that allows seamless device changes without affecting the status of the work.

Not only that, but users will be happy to know that Windows 365 is compatible with other Microsoft 365 business applications. This means that you won’t miss out on your favorite apps such as Word, Planner, or SharePoint.

According to Wangui McKelvey, general manager for Windows 365, “However, the ability to work anytime, anywhere has become the new normal. All employees want technology that is familiar, easy to use, and available across devices. In the most complex cybersecurity environment we’ve ever seen, organizations need a solution that helps their employees collaborate, share, and create while protecting their data. We have the opportunity to develop the tools that enable this new world of hybrid work with a new perspective and the power and security of the cloud.“

Windows 365 also aims to tackle the security issues that organizations have been facing. And this can be done through integration with the security and identity management policies that you already have in place such as Azure AD.

Major features with Windows 365

There’s plenty to like about Windows 365 from the information that we have about the service so far. Features that enable this service to be a game-changer in the world of cloud computing. And these features include:

  • Instant boot to a personal Cloud PC,
  • Clients get the full Windows experience in the cloud,
  • Clients can also stream various applications, tools, data, and settings directly from the Microsoft cloud across any device,
  • You get a choice of running either Windows 10 or (once it’s available later this year) Windows 11,
  • Secure by design, and fully compliant with Microsoft’s Zero Trust principle,
  • Flexible per-user, per-month pricing plans at flat subscription rates,
  • A scalable set of virtual hardware parameters that lets you adjust to changing conditions whenever necessary,
  • Fully compliant with Azure AD and MEM,
  • Fast setup process that provisions your Cloud PC within minutes.

Addressing security concerns

Remote access has been essential during the pandemic in helping plenty of businesses to remain operational. But, the concern with working from home has always been how to maintain the security of an organization’s network.

This is why Windows 365 is attempting to resolve some of those security challenges by using a Zero Trust architecture. A service that also comes with multi-factor authentication (MFA). This means that login or access attempts to the Cloud PC will be verified using integration with Microsoft Azure Active Directory.

Furthermore, you will get options to delegate specific permissions such as licensing, device management, and cloud PC management using specific rules. This is in addition to getting to use Microsoft Defender for Endpoint to improve your overall security posture.

And then to make things even more secure, there is going to be high-level encryption for all stored data at rest, all managed disks running Windows 365-based Cloud PCs, as well as all network traffic to and from the PCs.

What else should you know?

One of the first questions you may be asking yourself as you find out more about Windows 365 is, is this for me? And according to Microsoft, Windows 365 is for all businesses regardless of size. As long as you need a secure and agile hybrid work solution for elastic workforces, distributed employees, etc, this service can help you.

What about Windows Hybrid Benefit? This will also be available to you if you have a device with a valid Windows Pro 10 license. Each individual assigned a Windows 365 Business license with a Windows Hybrid Benefit license must also be the primary user of a Windows 10 Pro licensed device. And that device needs to be their primary work device.

Another thing that Microsoft says clients need not worry about is their apps. All apps that worked on Windows 7, Windows 8.1, and Windows 10 should have no issues on Windows 365.

In case of any issues, Microsoft will help you to fix them at no cost. And as far as devices are concerned, as long as you have an internet connection then most modern devices will work with the service. Also, with regards to bandwidth, how much you need will depend on the workload. The requirements for Windows 365 are as follows:

  • HTML5 browser,
  • DSL connection or a wireless internet connection capable of streaming a video.

Wrap up

In the end, there is no escaping the fact that cloud computing has grown to become essential to how businesses operate. The endless possibilities that hybrid work environments can create can only mean good things.

But, the key to all of this is having a service that offers a great user experience as well as unquestionable cybersecurity. This is what this Windows solution claims to bring to the table.

An enhanced, modern cloud computing experience that is built on the foundation of other already successful Microsoft services. By leveraging the latter, Windows 365 has the potential to create a whole new paradigm.

Top 10 Benefits of Windows Autopilot

Gaining even the slightest advantage over your competitors can make a massive difference to the success of your business. With so much technology available, you need to choose the right solutions for the growth of your organization. Windows Autopilot is a collection of technologies that helps you to make better use of your time. It does this by helping you to pre-configure new devices and thus reducing the time to productivity.

So, not only is this going to simplify the operations of your IT department, but it will also empower your employees. Below we’ll go over the top 10 benefits of Windows Autopilot to your business.

1.    Self-deployment

There are few better ways to enhance your productivity than by having new devices ready for business straight off the shelf. Any new Windows 10 devices that have been pre-enrolled in the Windows Autopilot program will be ready to use on arrival with zero-touch and no involvement from your IT team. When a user takes possession of such a device, all they’ll need to do is turn it on, connect to a network, and then wait a little.

2.    No OS re-imaging

This part of setting up new devices is one that has always taken up a significant amount of time. With IT departments having to manually install apps and drivers, manage infrastructure, and set policies, the process took relatively long. But, Windows Autopilot does away with all that. By using a smart and easy pre-configuration, all of this becomes an automatic process. Once you have set up an Autopilot profile in Microsoft Intune, all the Windows devices that you have under that profile will have these settings applied.

3.    Customize OOB experience

To save time, Autopilot allows you to customize the out-of-the-box experience (OOBE) in advance. All you need to do is set your organization’s preferences. And this will simplify things for end-users by eliminating entire sections during setup that previously required manual input. So now they’ll be able to get through the setup process much faster and with a lot less hassle. With this kind of capability, you can ship devices directly to end-users and they’ll be up and running in no time.

4.    Enrollment status

Bypassing IT when setting up devices is something that will understandably concern some people. However, Autopilot has an enrollment status feature to alleviate those concerns. What this feature does is to ensure that a device is fully configured, compliant, and secure before the end-user gains access. That way, IT still gets to assess devices, make sure that they are properly set up, and resolve any errors when issues arise.

5.    Independent of MDM

Can you use Autopilot if your organization doesn’t use Microsoft Endpoint Manager/Microsoft Intune? The answer is yes you can. Any MDM will work with Autopilot but for an optimum experience with all the features then Intune would be best. So for any business that prefers other non-Microsoft technologies, you can still reap the benefits that Autopilot offers. You may be missing out on using this fantastic technology because of some of the misconceptions that people have.

6.    Available for existing devices

This is another area that often requires clarification as some existing devices can qualify. To be specific, users with Windows 1809 and above can also benefit from Windows Autopilot for existing devices. IT people can now facilitate processes like Windows 7 to Windows 10 migration through Autopilot. They can do this by using a ConfigMgr task sequence and then followed by an Autopilot user-driven mode.

7.    Simple redeployment

Occasionally, certain devices will need to be given to new users or repurposed entirely. Autopilot makes wiping a device a simple process that you can do in minutes. And once that is done, you’ll have a device back in OOBE status and ready to be handed over to someone else. This new user will receive the device with the specific configurations that they need already in place. By making resetting devices this easy, Autopilot further empowers IT teams and enhances their productivity.

8.    Avails latest technology

By pre-configuring devices, Autopilot enables end-users to immediately gain access to the latest versions of essential tools. These include Microsoft technologies such as Teams, Word, PowerPoint, Excel, etc. And so without the need to wait on IT, end-users will have all the essential apps they need with all the necessary settings already applied. Furthermore, you no longer need to worry about third-party bloatware that is often a nightmare to deal with. 

9.    No maintenance of images and drivers

Custom images require a significant time investment to create and maintain. And they will need you to wipe every single device that your organization acquires. Undoubtedly, they place a lot of work on the schedules of your IT people. With Autopilot, however, these custom images become unnecessary. All you have to do during provisioning is to get in touch with the manufacturer to get the device ID.

Latest Updates for Windows 10 Driver Management

Microsoft claims that the main cause of Windows 10 Driver Management or hardware failures has been the hardware drivers themselves. And this happens to be an area in which Microsoft has had no control.

In the past, Microsoft has given the driver update authority to the various hardware manufacturers. As a result of that, these manufacturers retain the ability to directly push drivers to their users through the system update.

Given the number of issues that users continue facing, Microsoft decided to make some adjustments to their driver update management policy. These updates will likely have a significant impact so let’s take a look and see what this means for us all.

Addressing the issues

In early 2020, Microsoft quietly went about the process of starting to address the driver issues that have been plaguing users. It started with the announcement that there was going to be an introduction of rolling out drivers in phases.

And this would differ from the past, where all Windows 10 computers were receiving major and minor updates automatically. These updates via Windows Updates released on the same day for everyone. The idea with the phase system is to allow the pushing of updates to highly active devices from where Microsoft can then collect diagnostic data that helps to assess compatibility issues.

Also, Microsoft mentioned implementing a new policy where their hardware partners can now ask them to block Windows 10 feature upgrades on a PC running an incompatible driver. The widespread problems that arose from Microsoft being the only one doing the assessing and blocking necessitated this change in approach. By doing all of this, Microsoft can begin the process of resolving the countless headaches that we have been facing.

Driver installation

So to bring an answer to this issue, Microsoft made another announcement to the effect that they would be adjusting the automatic driver installation strategy for Windows 10 20H2 from November 2020.

This update is meant to provide users with a greater degree of control over the driver update and in this way you will have better stability. This new driver management model is going to give hardware manufacturers options, either automatic or manual.

This is what Microsoft has said regarding the adjustments that came in to effect on the 5th of November last year:

1. Automatic driver updates will automatically be installed on your machine either when you plug-in a peripheral device for the first time, or when a device manufacturer publishes a driver to Windows Update. In other words, there will be no change to the plug-and-play scenario when an automatic driver is available on Windows Update.

2. Manual driver updates can be installed manually on your machine if you specifically request them by navigating to Settings > Update & Security > Windows Update > View optional updates.

However, these changes will only affect devices that receive updates directly from Windows Update. So if you’re an IT professional who manages drivers for a business, then these adjustments won’t affect the way you operate.

Manual driver updates

According to Microsoft, the abovementioned adjustments should now enable you to see a clear distinction between automatic and manual updates in Windows Update. With the end goal being to create a total transformation of the management of drivers, something that began earlier in the year with the rolling out of updates in phases.

All this should give users greater control by redefining the servicing of manual drivers for machines running Windows 10, version 2004 and later. Previously, when a user would connect a peripheral device with an optional driver such as a camera to their machine for the first time, there would be an automatic installation of that driver. Instead, with the changes that Microsoft has implemented, you now have control over how you proceed.

Driver distribution

When you submit a driver to Windows Update, the Driver Delivery Options section will present you with two radio buttons: Automatic and Manual. Under the Automatic option, there are two further options:

  • Automatically delivered during Windows Upgrades – under this option, drivers are classified as a Dynamic Update. When upgrading the OS, this is where Windows will automatically preload drivers.
  • Automatically delivered to all applicable systems – when you select this option, the drivers will be downloaded and installed automatically on all applicable systems once they are released.

How to submit a driver to Windows Update

Publishing a driver to Windows Update will require the creation of a hardware submission. Once that is done you can then proceed with the steps given below:

1) Find the hardware submission with the driver that you want to distribute.

2) Head over to Distribution and select New shipping label.

3) Under shipping label, go to Details and enter a name for the shipping label in the space provided. It’s this name that will allow you to search for and organize your shipping labels.

4) In the Properties section you will need to fill in the following fields: Destination, Specify the partner (if any) that is allowed visibility into this request, and Driver Delivery Options.

5) Go to Targeting and choose the driver package that you want to publish.

6) At this point, Select PNPs is now available so you can go ahead and choose the hardware IDs that you want to target.

7) Enter each CHID into the text box and select Add CHID(s) if you would like to add them.

8) You can limit public disclosure of your Shipping Label in the Windows Update Catalog and WSUS Catalog, by checking the Limit Public Disclosure of this Shipping Label information box.

9) If your driver targets Windows 10 in S mode, then you will need to select both boxes.

10) Select Publish to send your request to Windows Update or Save if you don’t want to publish as yet.

Optional installation

The optional updates feature is now available to users that have upgraded to Windows 10 20H2. With this feature, the system will let you know of the availability of device drivers other than the ones that the PC is currently using. If you go to the View optional updates section, you’ll see where it says Driver updates. And if you click on it, it will display a list of all the device drivers that are available for the target PC. Essentially what you get with this feature is the ability to install specific drivers if and when necessary. Otherwise, automatic updates will keep your drivers updated.

To install any of these drivers, simply follow the steps below:

1) Press WinKey + I to launch the Settings app.

2) Go to Update & Security and click on Windows Update.

3) Over on the right side, you’ll see View Optional updates just under the Check for updates button. Click on it.

4) Under the Driver Updates section, you’re going to find a list with all of the available updates for the computer.

5) Check all the boxes corresponding to the device drivers that you want to install. Click Download and install.

Windows 10 October 2020 Update common problems — and the fixes | Windows  Central

Windows 10 will then immediately start downloading the chosen driver updates. Once the process is complete, the system will install the updates and prompt the users to Restart Windows.

Should you install optional updates?

As mentioned above, you can install optional device drivers if the need for them arises. For instance, when doing a clean install of Windows 10, some may find it preferable to manually install graphic drivers that you download from Intel and NVIDIA.

However, it’s important to note that Windows will still automatically install all mandatory updates, including security updates and non-optional cumulative updates. Therefore you don’t need to worry about automatic driver updates because this new approach won’t affect them. This is because they will continue to be installed via Windows Update when they are published by the manufacturer or when you connect the device.

So with optional updates, Microsoft has changed the system such that driver updates are no longer forced on you. You can select those that you want and block any that give you problems. Most users will probably be leveraging this functionality for those times when compatibility issues arise.

Potential issues

Microsoft’s new model for driver management aims at resolving the multitude of problems that users have been grappling with. However, this new model is not without its potential issues. As much as it may give users more control, it’s also going to present challenges for peripherals that don’t have automatic drivers readily available.

This is because not everyone may be aware that they need to go to Windows Update and manually download the necessary driver for the hardware to work. Without this, Windows will return a Driver Not Found error that may leave more than a few people stuck.

Since Microsoft is also going to be blocking users from applying OEM or manufacturer drivers if Windows can’t verify software publisher, this will probably lead to a few driver errors when Microsoft is unable to verify the drivers. If verification fails, there are two error messages that you’ll likely see with the first being “Windows can’t verify the publisher of this driver software” and the second “No signature was present in the subject”. Microsoft’s advice in these scenarios is that you contact the manufacturer and ask them to upload the driver with appropriate fixes.

Key differences

Under the View Optional updates link, users get to view the optional updates that they won’t receive automatically. Using this link will replace having to use Windows 10’s Device Manager controls to find optional updates.

With Microsoft making minor adjustments to how Windows 10 drivers arrive for Windows Update service users, it’s important to note that this change is more than just a simple user-interface modification.

Those using the newer version of Windows 10 will get updated drivers only when they search for them using the View optional update command. And they’ll be getting only the drivers that are already on the device without searching for new ones via the Windows Update service.

In Windows 10, including version 1909 and earlier, Windows Update automatically distributes manual drivers and does so when:

a) a device has no applicable drivers available within the Driver Store (raising a “driver not found” error); additionally there is no applicable Automatic driver

b) a device only has a generic driver in the Driver Store, which provides basic device functionality only, and there is no applicable Automatic driver

But for users of Windows 10 and version 2004, Windows Update distributes only Automatic drivers for a system’s devices. When Manual drivers are available for devices on the computer, the Windows Update page in the Settings app displays View optional updates.

Time to enhance driver management

The challenges that we have all witnessed in recent years were in dire need of a solution. And a major one at that. The countless incompatibility issues that saw the trashing of Windows 10 were slowly but surely eroding the confidence that users have in the operating system.

Problems such as audio not working, system crashes, slow performance, etc, are significant issues that can severely hinder the productivity of a business. So it’s not really a surprise when we look at all the updates that Microsoft made to its driver management policy in 2020.

Security has improved and the new driver management model is a more stable platform that gives users greater control. And all of this you’ll get without having to worry about key updates being affected. Those are still performed automatically to ensure that your system remains as secure as possible. Undoubtedly, there are still a few bugs to iron out here and there, but the rapidly improving system is certainly enhancing the Windows 10 experience.

Modernize Your Business With Azure Active Directory

The capabilities of the cloud have literally changed the way organizations view remote work. Because it is designed to simplify access from anywhere, the cloud allows organizations to efficiently manage their remote workforce by handling more typical in-house IT tasks. Azure Active Directory (Azure AD) is one of the key technologies that can improve how your business operates. So what is it and how can it help you?

What is Azure Active Directory?

Plenty of office networks utilize Microsoft’s Active Directory to manage policies and permissions. What Azure AD does is to put that capability on the cloud. In short, it’s a cloud-based directory and identity management system. This infrastructure will enable your employees to sign in and access external resources in Office 365 as well as other SaaS applications. Being entirely cloud-based means that Azure AD can serve as your only directory or use Azure AD Connect to sync up with your on-premises directory.

Transforming your business

Azure Active Directory gives IT complete control over access to apps and resources. This is because of security protocols such as conditional access and MFA. By using built-in governance controls, IT can also apply automated lifecycle management and privileged access limitations. For end-users, they are going to benefit from faster and easier access to corporate resources using various devices and from just about anywhere. And with support for other virtual tools and operating systems, Azure AD enables you to leverage the technologies that are best for you.

Business security will improve

Azure AD has a wide range of security protocols to safeguard your organization from malicious or accidental issues. These include multi-factor authentication (MFA), privileged identity management (PIM), conditional access, and threat detection. Using MFA and conditional access will give you improved application security and management control. And then you also have advanced threat protection that gives you access to comprehensive reporting that monitors application usage. With this, you can apply enhanced security measures to protect your business.

Improving customer security

Customers need hassle-free solutions with robust security to optimize their experiences. And with Azure Active Directory B2C you get a product that fully delivers. It uses reliable, proactive security measures to ensure world-class protection. Customers will get highly secure access across your web and mobile apps through MFA. Add threat detection to that and customers can have peace of mind knowing that their identities are very secure. Because the platform is based on Microsoft Azure, you’ll also retain the significant potential to scale according to your needs.

Adapting to innovation

Trying to hold on to legacy systems can prove very costly to a business. Not only are they costly to maintain but the complexity of running them is hardly worth it. Technology such as Azure Active Directory offers you incredible benefits for modernizing your infrastructure. With increased security and customer satisfaction, reduced overhead, and more streamlined operations, it’s worth signing up for or at least reading up on these technologies.

Building a Modernizing Infrastructure Using Microsoft Technologies

If what you have is working great, then why change it? While that may very well be true, every business needs to adapt to the times and modernize if they want to maintain their success. Otherwise, your rivals won’t hesitate to take advantage if they can. Take Nokia for instance.

During the 90s, it dominated the smartphone market and at its peak in late 2007, it had a 50.9% share of the smartphone market. Yet, just 6 years later that number had plummeted to just 3.1%. Other companies came in with new technologies, the market changed, and Nokia has never fully recovered.

Modernizing helps you to expand your capabilities while reducing operational costs. And by leveraging cloud capabilities, you can unlock the limitless potential that can take your business to the next level. Microsoft Technologies provide you with the ideal platform to transform your IT infrastructure. And in this blog, we’ll show you just what these solutions can add to your business.   

Created for evolving businesses

Technology has changed the way businesses operate. The various solutions that are available to us have created new markets as well as exciting ways to serve clients. Whether it’s the scalability that Azure gives you, the flexibility provided by Endpoint Manager, or the security you get with Microsoft Defender ATP. The benefits are plenty. Evolving businesses can put themselves in a position where they reduce their overhead, streamline their operations, and market themselves better. Microsoft has recognized the needs that businesses have regarding effective IT solutions. 

Overview of Microsoft Technologies

The Microsoft Technologies that we’ll be going over consist of brilliant tools that will modernize your IT infrastructure. Rather than being individual entities that operate completely apart, Microsoft has designed these technologies such that they can function together. This will enhance your overall IT management and bring greater efficiency to your organization. The following technologies are going to be the focus of this blog:

1) Azure Active Directory

Microsoft’s cloud-based multi-tenant identity and access management service enables employees to sign in and access services from anywhere. Azure Active Directory (Azure AD) has plenty of features that help modernize your infrastructure, among which:

  • Application management: manages all apps, both cloud and on-premises, using Application Proxy, single sign-on, the MyApps portal, and any SaaS apps.
  • Authentication: manages Azure AD self-service password reset, MFA, smart lockout, and custom banned password list.
  • Conditional access: enforces and maintains control over access to your cloud apps.
  • Device management: controls the access that cloud and on-premises devices get to corporate data.
  • Business-to-business: helps you to maintain control over corporate data by managing guest users and external partners.
  • Reports and monitoring: allows you to receive insights concerning the security and usage patterns in your environment.

Key benefits

The advantage you’ll get from features like single sign-on is that employees won’t need multiple sign-ons for all their apps so password compliance issues are reduced. Simplified collaboration with guest users is possible because Azure AD allows you to invite these users into your directory to assign access. Also, the availability of real-time monitoring in conjunction with MFA and conditional access provides your organization with excellent application security and management control. And if you have productivity solutions that aren’t Microsoft products, you can still use them because Azure AD supports other OS and virtual tools.

2) Windows Autopilot

Windows Autopilot is Microsoft’s solution for transforming the provisioning of devices into an automated and friendly process. It aims to eliminate the countless, painful hours spent manually setting up devices. Undoubtedly, this is a product that will be a big hit with IT teams and it should please most employees as well. Its features include:

  • User-driven mode: provides a simple do-it-yourself approach to setting up new devices. This enables end-users to quickly get up and running without needing IT.
  • Self-deploying mode: allows you to deploy a Windows 10 device as a kiosk, digital signage device, or a shared device with minimal user interaction.
  • Support for existing devices: makes the process of deploying the latest version of Windows 10 to your existing devices quick and painless. In addition, whatever apps you need will be installed automatically and you’ll get your work profile synched as well.
  • Pre-provisioned deployment: partners and IT can pre-provision Windows 10 devices and have them business-ready for companies and their end-users.
  • Windows Autopilot reset: allows you to easily repurpose a device by wiping personal files, apps, and settings then restoring the device’s original settings.
  • Enrollment Status Page (ESP): the ESP tracks the setting up of the device to ensure that the device is fully configured correctly before the end-user can gain access.

Key benefits

As the saying goes, time is money. Hence the importance of the customized out-of-the-box experience (OOBE). It gets devices set up according to an organization’s preferences so that when the end-user receives it, they can immediately start using it. And they’ll have all the collaboration and productivity apps they need already installed. You’ll also gain time by not having to do any OS re-imaging because it’s done automatically. All of this will help to create an environment that empowers the user thereby increasing productivity rather than the restrictive nature of legacy IT.

3) Microsoft Endpoint Manager

Announced at Ignite 2019, Microsoft Endpoint Manager (MEM) is a brilliant development that merges ConfigMgr and Intune into a unified management platform. And you’ll get a lot of services with the product including co-management, Desktop Analytics, and the above-mentioned Windows Autopilot. MEM plays a key role in demonstrating the integration of Microsoft Technologies. Moreover, clients who already have Microsoft 365 licensing can benefit from the majority of the technologies that are within Microsoft Endpoint Manager.

What can MEM do for you?

According to Brad Anderson, Microsoft corporate vice president for Microsoft 365, MEM came about as a way to resolve the confusion surrounding modern management. It offered simplicity. And this simplicity should ease the way of doing business. For clients with ConfigMgr licenses, they automatically get Intune licenses thus enabling them to co-manage their devices.

With up to 190 million devices currently under ConfigMgr or Intune management, IT will get incredible insights that you can use for problem-solving and device deployment. MEM allows you to utilize the cloud where all data is stored in Azure thus eliminating data centers. This gives you the mobility advantages of the cloud as well as the security of Azure. However, some organizations prefer mixed environments so you can still use the cloud while retaining your on-premises infrastructure.

4) MSIX

The endless packaging and repackaging of applications has been the source of constant headaches over the years. Whenever you’d purchase new software, the problems would begin. Someone had to come up with a solution, and thus MSIX came to the fore.

MSIX is a universal package format designed for Windows 10 apps and has support for desktop, mobile, and all other Windows 10 devices. It’s an improvement on AppX and aims to resolve app packaging issues. The UWP features, app customization, and support for all Windows applications make MSIX a massive improvement on the currently available installers. Key features include:

  • Reliability: MSIX can just about guarantee installs with a success rate standing at a very impressive 99.96%.
  • Network bandwidth optimization: MSIX only downloads the 64k block and this allows for a reduction in impact to network bandwidth. It does this by leveraging the AppxBlockMap.xml file that’s in the MSIX app package.  
  • Disk space optimizations: MSIX doesn’t duplicate files across apps and Windows will manage the shared files across apps. Because apps remain independent, updates won’t affect other apps that share the file.

What you stand to gain

Microsoft has created a product that gives you the advantages of both MSI and AppX while eliminating their limitations. And it doesn’t just work on Windows only. You can use it on Linux, OSX, iOS, and Android. MSIX enables you to take a huge step towards modern management. Instead of the previous uncertainties, it offers you safety, reliability, and predictability of deployment. Security is enhanced as well with Windows giving you integrity for apps through tamper protection and policy controls.

5) Microsoft Defender ATP

As amazing as the above technologies are, you cannot successfully modernize your IT infrastructure without effective cybersecurity. In fact, all your efforts would probably be futile. But, with Microsoft Defender Advanced Threat Protection (MDATP), you get an enterprise endpoint security platform that enables your enterprise networks to prevent, detect, investigate, and remediate advanced threats.

Main capabilities

  • Endpoint behavioral sensors: these are sensors that are embedded in Windows 10 that collect and process behavioral signals from the OS. This data is then sent to your private, isolated, cloud instance of Microsoft Defender for Endpoint.
  • Threat and vulnerability management: MDATP has an overview of all the software on a device and can detect security vulnerabilities. It can then provide security recommendations for remediating endpoint vulnerabilities and misconfigurations.
  • Attack surface reduction: this capability enables you to put in place controls that reduce areas that are vulnerable to cyberattacks. With proper configuration settings and application of exploit mitigation techniques, this capability will resist attacks and exploitation.
  • Next-generation protection: MDATP offers you next-generation protection to catch all types of emerging threats.
  • Endpoint detection and response (EDR): EDR is designed to target advanced threats that make it past the first two security pillars.
  • Automated investigation and remediation: these capabilities help to create a reduction in the volume of alerts in minutes at scale.  
  • Microsoft secure score for devices: this tool will help you to carry out an assessment of the security status of your enterprise network and identify unprotected systems. After which, you can apply recommended actions to improve the overall security of your organization.

6) Windows Virtual Desktop

The advances that are happening in the field of technology not only enhance the modern workplace but can also completely change it. And with the internet creating “one global village”, the popularity of remote work has grown significantly. But for this to work, you need effective solutions. Enter Windows Virtual Desktop (WVD).

WVD is a desktop and app virtualization service that leverages the power of Microsoft Azure and runs on the cloud. So it can deliver a virtual desktop as well as remote apps to any device. Depending on your needs, you can configure WVD to run Windows 10 Enterprise, Windows 7 Enterprise, or Windows Server 2012 R2, 2016, 2019.

Benefits to your organization:

  • WVD gives you the ability to deliver Windows 10 desktops on any device, anywhere. By extension, you’ll give your employees an optimum virtual experience.
  • Cybersecurity is crucial and WVD has in-built intelligent security that is fully capable of proactive threat detection and remediation. Security protocols such as Azure Firewall, Azure Security Center, Azure Sentinel, and Microsoft Defender ATP ensure that corporate data is highly secure.
  • Your organization can become more efficient and productive because deployment and scaling can be carried out easily and quickly.
  • Utilizing the modern cloud-based virtual desktop infrastructure (VDI) is a great way to save costs. You’ll only pay for what you use.
  • Another way in which you’ll save costs is licensing. WVD is a free service so it comes with your Microsoft 365 or Windows per-user license.

Maximizing potential

By now most organizations are starting to appreciate just how legacy technology can hold them back. Instead of holding on to what has worked in the past, it’s important to know that technology can expire. Therefore, transformation is a must. Modern infrastructure will help you to reduce your costs, improve your cybersecurity, and provide easy and convenient access to corporate resources from anywhere. Microsoft has a vast array of technologies that can take your organization to the next level. The powerful and flexible hybrid-cloud architecture is something that we can all benefit from.

How AppLocker Improves Security and Compliance

The security of your organization is not something that you can afford to leave to chance. The wave of cybercrime over the last few years has been unrelenting. This is why you need to take advantage of platforms such as AppLocker. By leveraging its application whitelisting feature, you’ll get a very powerful way of stopping a multitude of attacks. And if you configure it correctly, you can massively increase the amount of time it would require for a cyber-attacker to get around the system. This is the kind of innovative technology that can enhance the security of your organization. Hence why we need to discuss just how AppLocker will help you with security and compliance measures.

Securing your organization

Arguably the biggest security risk for most organizations comes from employees simply running applications. As long as users can run executables or have access to files that can potentially contain malicious code, your organization is at risk. Such incidents could compromise the entire network and not just a single device. So by helping you to determine which files and applications users can run, AppLocker immediately improves your security. These files can include DLLs, scripts, Windows Installer files, and packaged app installers. Giving system admins greater control in these particular areas will shore up your business’ defenses.

Control allowed software

To maintain high-level security for corporate data and your business as a whole, system admins need to be strict about which software and applications are allowed to run. Otherwise, you risk giving access to software that can create vulnerabilities in your network. AppLocker is fully capable of denying applications from running, especially when you exclude them from the list of allowed apps. And in the production environment, when AppLocker rules are enforced any apps that are not in the allowed rules are blocked from running. Therefore, users can’t intentionally or accidentally run software that is explicitly excluded from the allowed list.

AppLocker rules

AppLocker has several different types of files that it can block. This makes it extremely efficient in its whitelisting capabilities because it’s highly unlikely that anything that you want to block will make it through. The types of files that AppLocker can block include the following:

  • Executable files such as .exe, and .com
  • Windows installer files such as .mst, .msi and .msp
  • Executable files such as .bat, .ps1, .cmd, .js and .vbs
  • DLL executables
  • Packaged app installers such as .appx

The organization of the above into rule collections is something that will help you to easily differentiate the rules for different types of apps.

Default rules

In addition to the above, AppLocker also gives you default rules for each rule collection. These rules are allowed in an AppLocker rule collection and they are necessary if Windows is to function correctly. To start, you’ll have to go and open the AppLocker console. Having done that, right-click the appropriate rule type, based on the automatic default rules you want. You can then automatically create executable rules, Windows Installer rules, script rules, and packaged application rules. Lastly, click on Create Default Rules.

Monitoring app usage

After you set your rules and deploy the AppLocker policies, monitoring app usage can help you assess whether policy implementation is per your expectations. To understand what application controls are currently enforced through AppLocker rules, you can:

  • Analyze the AppLocker logs in Event Viewer.
  • Enable the Audit-only AppLocker enforcement setting to ensure that the AppLocker rules are properly configured for your organization.
  • Review AppLocker events with Get-AppLocker File Information.
  • Review AppLocker events with Test-AppLocker Policy Windows PowerShell cmdlet to see whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies.

Main advantages of AppLocker

Several benefits come with AppLocker that help to make it a more attractive option for any business looking to enhance security and compliance. The first thing is the cost. How much you ask? Well, if you already have the enterprise edition of Windows Server, then there is no extra cost to talk about. Moreover, AppLocker comes as an integrated part of Group Policy, which most Windows Admins are already familiar with. Because of that, this can simplify the AppLocker user experience and make it a seamless one. Also, any AppLocker policy can be imported into Intune as an XML file giving you a similar level of control of apps for MDM-enrolled devices as you would for on-premises, domain-joined devices. And to further save you productive time, Windows internal apps are automatically whitelisted.

Why consider AppLocker?

Even with all the security benefits available, as an organization, you still have to determine whether or not you actually need AppLocker. And for most, the answer will probably be a resounding yes. If your organization needs the ability to verify which apps are allowed to run on your corporate network, then you need AppLocker. Furthermore, if you want to check which users are allowed to use the licensed program, then you probably also need it. To these, you can also add organizations that need to provide audit logs containing the type of apps that clients have been running. And of course, wherever there is a need to prevent overzealous users from running random software, AppLocker can play a significant role.

Wrap up about AppLocker

Only the best technology will do for any organization that seeks to keep cybercriminals away. Attacks are being orchestrated from all around and the degree of sophistication is constantly changing. Therefore, organizations need to take proactive measures to stay ahead of hackers. And platforms such as AppLocker can enable you to do that. By setting up blocks for different types of files and software, you instantly reduce your surface area of attack. It’s time to leverage all available technology to fight back against cybercrime.

7 Microsoft 365 Tools for IT Professional and Admin Training

A lot of people are familiar with Microsoft software and have been using it for years. However, new products as well as updates are constantly being rolled out. As such, it’s important to educate yourself on all the new features that are available in order to optimize the user experience. Microsoft 365 (M365) has plenty of amazing features that can vastly improve how you operate. And there are several training tools available to help fully equip you with the necessary skills to run M365. It’s these tools that we’ll go over below to see just how they can help you.

Microsoft 365 via Video Hub

Poring over countless pages of documents can be a painstaking task for most people. It’s something that can very easily put one off from learning something. Fortunately, Microsoft 365 gives its clients a great alternative. With Video Hub you’ll get to do you learning through watching videos that will provide you with all the expertise you need. This platform contains over 150 technical videos about Microsoft technologies. Also, if you happen to have any questions, there are subject matter experts available to answer those for you. By using Video Hub, you will undoubtedly enhance your learning experience and gain new skills.

Instructor-led courses for Microsoft 365

To further sharpen your skills, Microsoft also has courses available that are taught by experts. Depending on your preference, you have the choice of taking the course online or in person. Moreover, the courses are taught by Microsoft Certified Trainers so you can be certain that you’ll be receiving a quality education. In addition, the web page comes with a filter so you don’t have to browse over a hundred courses searching for what you need. You get to pick the material that you want to learn and focus on that only. So whether you’re a beginner or advanced, an administrator or a developer, there are courses available for you.

Microsoft 365 Certification

The tools mentioned above can help you on your journey to get certification. For a lot of people, this is the goal as it will help to improve your prospects. Microsoft certification shows that you are keeping up with recent technological advances as well as the requirements that come with various roles. Similarly to the courses above, the certifications page also has a filter that will point you to the material that you need. Doing these certifications will boost not only your productivity as an individual but your value to your organization as well. Additionally, these certifications have great potential to advance your career and prepare you for future possibilities.

Online providers

Apart from Microsoft, you can also find online service providers that can provide you with the training you need. Having alternative options gives clients a lot more convenience as well as the choice of how they want to proceed with their learning. These courses can help individuals to get an in-depth understanding of the administrative capabilities of Microsoft 365. And the key thing here is to search for courses that are led by Microsoft certified trainers. Otherwise, you may end up receiving training that will not be recognized in the future. 

Microsoft Learn

Microsoft Learn is an exciting sandbox-based learning platform that enables people to learn about various technologies. By putting everything together in one place, Microsoft makes IT professional and admin training a whole lot simpler. All you need to get started is to set up a Microsoft account if you don’t already have one. It’s a very simple process that just requires you to fill in your details. Another great benefit that you get from this platform is the fun aspect of the learning process. Things such as points and trophies awarded for reaching certain goals serve to add a little fun to the learning process.

Learning paths and modules

Microsoft offers various learning paths and modules that are designed to fully equip you with the knowledge you need. You’ll find close to 300 options available on this particular web page. So this is an area that will provide you with step-by-step guidance to mastering Microsoft products. With some of these having no prerequisites it means that you can select a learning path or module and jump straight in. You’ll need to dedicate a couple of hours to learning the material but you can do it at your convenience. If you’re looking for efficient learning platforms then this is what you need.

YouTube tutorials

In addition to the Video Hub that you get from Microsoft, you’ll find that YouTube is also a rich source of learning material. In fact, Microsoft has the vast majority of M365 videos that can be found on YouTube. The advantage of using this platform is that you get to learn from various individuals. Although some may not be Microsoft certified trainers, they can still provide you with a great learning platform. Sometimes all you need to understand a challenging concept is for someone to explain it in a slightly different way and it’s as if a light has been switched on. Without a doubt, YouTube can be a valuable learning tool, if used with discretion of course.   

Equipping yourself

Technology is moving at a very rapid pace that makes it difficult to keep up with. And because of that pace, it’s not always feasible to physically attend classes or seminars to learn what you need. Fortunately, for Microsoft 365 users they get plenty of tools to provide them with adequate training. These tools allow you to enhance your skills at your own pace and gain Microsoft certification. All of which you can achieve in the comfort of your own home. Whatever you need to learn is potentially just the click of a button away.