About Thomas.Marcussen

Technology Architect & Evangelist, Microsoft Trainer and Everything System Center Professional with a passion for Technology

How Microsoft 365 Can Encourage Diversity & Inclusion

Microsoft is extending a commitment to diversity and inclusion. These efforts are promoted in a variety of ways, not the least of which is software development and the involvement of Microsoft’s Most Valuable Professionals (MVPs). As we look to a more technologically advanced and connected future, it hasn’t gone unnoticed that diversity and inclusion best practices must extend to include the technology and software we use. And Microsoft products, including Microsoft 365, can advance the efforts.

There has been a strong focus on diversity and inclusion in the workplace. It’s a forefront discussion in society at large, and especially so during the recent pandemic years. However, now it’s time to look seriously at what can be accomplished through software development and technology to further advance the efforts.

Conversations around diversity and inclusion in technology are only now starting to heat up. And there’s no denying that there are some unknowns and challenges. But one thing we can count on is for Microsoft to keep moving forward. The MS team continues with new features, patches, and updates that make their software more inclusive to people from all walks of life. And more importantly, it’s software blind to age, gender, race, disabilities, or otherwise. In many ways, the rest is up to us!

Microsoft 365, specifically, is an area of particular interest as applied to diversity and inclusion. One of the core reasons for this is that the suite of tools included in the package has remained a cornerstone of Microsoft’s product line for a long time. And it remains a strong focus for the company.

Can Microsoft 365 help with diversity and inclusion? In this article, we look at:

  • What Microsoft 365 is
  • What diversity and inclusion through software looks like
  • How Microsoft is constantly making advancements in diversity and inclusion initiatives
  • How Microsoft 365 can promote diversity and inclusion
  • The benefits of diverse and inclusive software applications

What is Microsoft 365?

This bundle of cloud-based software didn’t always go by the name “Microsoft 365.” You may know it as Office 365. Of course, the product range has changed significantly (mostly through updates) over the decades, especially as networking, the internet, big data, and other technologies advanced.

Microsoft 365 is available for both home and business use. There are two basic packages for home use: Microsoft 365 Personal and Microsoft 365 Family. There are four packages for businesses: Basic, Apps for business, Business Standard, and Business Premium. They appeal to differing business needs and are available at slightly different price points, as well.

The range of software included depends on the plan, but is effectively made up of some combination of Word, Excel, PowerPoint, Teams, Outlook, Exchange, OneDrive, SharePoint, Access, Publisher, Intune, and Azure Information Protection.

Diversity & Inclusion Through Technology & Software?

The whole idea of diversity and inclusion through technology, and specifically Microsoft 365, may seem a little mercurial. After all, aren’t we essentially talking about word processors, spreadsheets, and presentation makers?

Indeed, software applications seek to handle specific digital tasks. And at first glance, they may not appear a shiny beacon for the future of humanity. 

There is a reason why there are different programs for different tasks, though. A piece of software that “does everything” sounds good in theory. But it’s impractical in reality because of the sheer scope of the project. It’s tough too, when considering the near infinite (if not infinite) possibilities that would need to be accounted for in each. This bird’s eye view of software may seem a little too zoomed out. However, it is important to understand as we look to zoom in on diversity and inclusion.

A more granular approach

Diversity and inclusion must take both broader and more granular factors into account. It’s not enough to make software that accomplishes a specific task. Developers must also think about who is going to be using their software and what language or dialect they speak. To be truly inclusive, software needs to work for its users regardless of cultural or religious customs, personal beliefs, gender identity, or disability status.

Moving forward, this will be a critical consideration for software developers. They will need to be mindful of how to ensure their software is inclusive and usable by everyone who relies on it. As these practices become more common, and more documentation becomes available, more companies will be able to make the necessary pivots. And they’ll do so without investing more heavily in research and development.

Until then, however, developers will need to be thorough in their research. They’ll need to identify specific aspects of their software that need improvement, and be willing to offer ongoing support. It’s well worth documenting everything one discovers on the subject, as it could feed into a more holistic company manual in the future.

Microsoft is Always Making Advancements in Diversity & Inclusion Through Software

Obviously, the only way to know what’s going on behind the scenes at Microsoft is to be a Microsoft employee, or potentially a Microsoft MVP. You can look to the pillar pages on their website discussing the value they place on diversity and inclusion. They also post the occasional update about making their software more accessible, usable, and inclusive.

Take for example their update from August 1, 2022, written by Aleš Holeček and titled: Promoting workplace equity through inclusive innovation: What’s new in Microsoft 365 accessibility for Summer 2022.

Here are the key points from this article:

  • Microsoft knows hybrid work (workplace/remote) is now the norm. And it will likely be the norm moving forward. They know, too, people are using video conferencing and hybrid meetings to keep their teams connected and on top of relevant work. As a result, they continue to make advancements by making Microsoft Teams meetings more inclusive to those with disabilities. At the time of the update, they added a Cameo feature in PowerPoint, for example. This feature allows users to insert a live feed into presentations. This update made it possible for everyone to connect more directly with the presenter as they’re sharing. They also added captioning and transcriptions across multiple platforms, along with multiple languages.
  • They also made some changes to Microsoft 365 that make creating, consuming, and collaborating on content easier and offer more options. First, they made it so that Word, Excel, and PowerPoint files could be opened in the desktop app or web app, instead of inside Teams. Second, they updated dictation in Word, Outlook, and OneNote to make it easier for users to take advantage of speech-to-text and text-to-speech. They also added support for 25 new languages. Moreover, the team added a Data from Picture feature in Excel, and a Simple Markup View across a few different applications.

How Microsoft 365 is Leading the Way with Diversity & Inclusion in Technology

No doubt you can come to some of your own conclusions about how Microsoft is making progress in the arena of diversity and inclusion. We can only speculate on what’s coming next. But based on what we’ve been seeing, as well as what we know, here are some of the many ways Microsoft 365 is leading the way with diversity and inclusion in software.

Increased Accessibility

Accessibility in software means ensuring there are no barriers to accessing and using the application or suite of applications in question.

The internet, of course, makes it possible for people to access and share an array of information. And with cloud-based projects, like Microsoft 365, it has never been easier for individuals and companies to share relevant documents, data, and information with their teams or community. Anyone with an internet-connected device can utilize the software.

With Microsoft 365, the developer accounts for a variety of accessibility factors, including vision, hearing, neurodiversity, learning, mobility, and mental health.

For the vision impaired, there are screen readers, keyboard compatibility, and Tell Me (which lets you access commands without using the command ribbon). There’s also MailTip in Outlook (which lets you notify your coworkers of your preference for accessible content) and Office Lens, which can read a printed page aloud.

Users with hearing disabilities can use real-time subtitles and captions for videos.

For the neurodiverse, there are features like Immersive Reader (which reads words aloud while highlighting them on screen), and files auto saving to OneDrive.

They also continue to develop Editor (which can spot spelling, grammatical, and writing style issues and errors), speech-to-text, automated design recommendations, themes, MyAnalytics (for keeping track of how you’re spending time at work), and more.

What we’ve covered here only scratches the surface of the many ways Microsoft has supported, and continues to support, diversity and inclusion through their software.

Increased Usability

Usability is all about ensuring your software can accomplish a specific task, preferably in an efficient, satisfactory, and safe manner. Sometimes, the terms “accessibility” and “usability” are used interchangeably, or are bundled together. And from a holistic perspective, there is value in viewing these as an interconnected whole. To be fair, there is quite a bit of overlap, as you’re about to see.

Microsoft’s dedication to usability is clear from their frequent updates and usability testing alone. But there are also some features built into their software that make it more usable. Some of the built-in usability features in Microsoft 365 include:

  • Accessibility Checker. The Accessibility Checker identifies text in your document that is hard to read.
  • Design Ideas. Available in PowerPoint. This feature comes with built-in slide layouts that are easy for anyone to view and read.
  • Tell Me. A text field for entering what you want to do next. This feature lets you access commands without having to menu surf.

Enhanced Communication

Communication affects virtually every aspect of life, be it relationships, business, work, or otherwise. Microsoft knows this, and many of their recent software updates and enhancements focus on improving communication between an array of people.

Broadly, communication occurs synchronously and asynchronously. Communication tools like Teams and Outlook facilitate all the types of communication that need to take place between employees, at the times they need to occur.

Again, Accessibility Checker is clearly an accessibility or usability tool. It can be used to make your content and documents easier to read and understand. And this can improve communication between various parties as well.

The aforementioned August 2022 update talked about how one can show their face while giving presentations over video conferencing. With hybrid work becoming the norm, these types of features encourage more connection and inclusiveness among presenters and viewers.

Improved Collaboration

With better accessibility and usability, as well as enhanced communication, it’s only natural that collaboration through software would also experience a revolution. Accessibility and usability make it easier for people to understand each other and complete their projects with greater efficiency. Better communication leads to clarity around everyone’s responsibilities as well as what they’re taking on in a project. It can lead to better accountability, too.

With files stored in the cloud, users can access files from anywhere, at any time, assuming they have an internet connection. This makes it possible for globally distributed teams to make progress on the project. And they can do so without worrying about when the last change was made, or having to communicate at times that do not work for each other. They can complete their work at their convenience.

Video captions and transcripts also assist with globally distributed teams. These are helpful for those who need to communicate with synchronous or asynchronous video content.

There’s a broader talent pool on a global scale. So why should teams be limited by location, language, time zone, or other factors? With the right tools, collaborative projects can be created, managed, developed, and completed across the world. And this creates a more diverse and inclusive world, too.

Benefits of Diverse & Inclusive Software

There are many benefits to focusing on diverse and inclusive software that may not be immediately apparent. Having the entire world be empowered to use your software is a worthy ideal already, but furthering inclusivity and diversity best practices can result in many added benefits for the individual and organization. Microsoft 365 is well poised to create and enjoy many if not all of the following benefits. And their software can set you up for success in this area too.

Improved Training & Development

In fast-changing industries, training and development is a constant. Employees must be brought up to speed on the latest processes, procedures, policies, and more. This can be time consuming and expensive, and there can even be pushback from employees who resist change (it’s only human).

What if this training could be even more efficient? Diverse and inclusive software makes this possible. Present necessary information in an efficient, easily understandable format that works for everyone. Technologies like Teams are helpful to relay the information through video conferencing. Remote or hybrid workers can get the information they need without having to go to the office for a training session. These are but a few examples of what’s possible.

While it’s somewhat metaphysical, diversity and inclusion training can also be part of a company’s broader scope of training and development programs. This inspires team members to be mindful of diversity and inclusion in their own surroundings.

Increased Productivity

Diversity and inclusion isn’t just a value held by Microsoft. Increasingly, there are more and more people who feel strongly about including everyone, no matter their age, race, gender, identity, disability status, or otherwise. And this trend will only continue to grow.

When a workplace is truly diverse and inclusive, everyone on the team feels welcome. When people feel appreciated, their satisfaction in the workplace increases. And they also become more engaged in the company’s broader scope of activities.

You may know the names of your team members, but not their talents, skills, expertise, experience, perspectives, or working styles. Getting to know your team and having them be a part of meetings, projects, and decision making can lead to new insights and innovation (more on this later). Facilitating their specific working styles can also lead to better output.

When everyone is given the opportunity to contribute and share, it can also give rise to friendly competition among your team members. This drives up output, as well.

Effectively, all factors mentioned contribute to increased productivity, something most leaders want for their teams.

Better Decision Making

More eyes on a project means more opportunities to identify potential pitfalls, issues, problems, and challenges that may end up cropping up down the line. Early detection of these issues means earlier resolution. And this leads to fewer headaches later.

This isn’t just theory. Cloverpop found that diverse and inclusive teams make better business decisions 87% of the time.

While it may seem like asking for more feedback on a project would slow down the decision making process, to the contrary, it accelerates it. And most projects can benefit from different ways of thinking, varying perspectives, and various skill sets.

Technology makes it easy to gather thoughts, opinions, and ideas from your team and collate them in a convenient location, whether in an Excel spreadsheet, Word document, or otherwise.

Increased Creativity & Innovation

Technology is at the forefront of innovation. Amazon and eCommerce weren’t even possible before the internet. Renting your home out to strangers was an obscure idea before Airbnb. Taxis were your only mode of transportation if you were in a bind, until smartphones made it more convenient to book an Uber.

With Microsoft constantly updating their software with new features, various individuals and companies are taking on projects with increased complexity, sophistication, and scope that were once unimaginable.

As technology becomes more accessible and usable, more and more people will be creating at a level that was impossible just years ago.

Employee Engagement

With hybrid and remote work becoming more prevalent, many companies are now pondering how to improve employee engagement. It’s not just a matter of ensuring they are doing the work assigned and keeping productivity levels high. Turnover, onboarding, and training can also be very expensive. Dissatisfied employees also sometimes lead to negative press or toxic work environments. And this is never a good look for a company that holds diversity and inclusion as a key value.

With Microsoft 365’s suite of tools, hosting virtual events is a cinch. These can offer valuable opportunities for your team to connect and bond. They are also great opportunities to acknowledge and recognize your team members. Reward them and incentivize them, too.

Community Outreach

Companies benefit greatly from having an outward focus on community. Not that community outreach programs are the sole responsibility of companies. Of course, individuals can take initiative and make a difference in their locality and even globally, too.

Either way, the use of technology in fundraising campaigns or volunteering activities is such a given that most people don’t even think about it anymore. But from keeping track of funds raised using Excel, or writing letters using Word, or sending emails via Outlook, there are many ways to put Microsoft 365 to use in fulfilling community outreach programs. Plus, you can keep it all organized inside Teams.

Community outreach is a form of diversity and inclusion unto itself. Again, metaphysical, perhaps, but it goes to show the prevalence of software and how it can ultimately be used for the better of humanity.

Conclusion about Windows 365

Moving forward, it will not be enough for companies to pay lip service to diversity and inclusion. Actions must be taken to ensure there is an inclusive and welcoming environment in one’s organization for people from all walks of life. Not just employees, but customers and clients too.

Microsoft 365’s suite of tools can assist in a variety of ways, whether video conferencing, text-to-speech, data collection, or otherwise. You can put confidence in Microsoft’s products knowing that they were developed with diversity and inclusion in mind. And that takes a lot of guesswork out of the equation.

This article is but the tip of the iceberg. There are so many projects, initiatives, and programs that could be created using Microsoft 365 to encourage and promote more diversity and inclusion. Especially since the software is being developed with intentionality around inclusive principles. There’s plenty of room left for creativity and innovation. It’s simply a matter of applying yourself to a more diverse and inclusive future.

Encouraging Diversity & Inclusion Through Microsoft’s MVP Program

Diversity and inclusion have never been more critical in all facets of culture. That includes IT, technology experts, and the technological infrastructures at large. Even the technology itself needs to take diversity and inclusion into consideration.

Microsoft’s Most Valuable Professional program recognizes some of the greatest evangelists of their products and services, and helpers of the community of users at large. MVPs are proven experts in their fields. They go above and beyond in this capacity, with a willingness and passion to help those seeking to better understand the technologies they’re using. And they’re advancing diversity and inclusion efforts for companies.

Microsoft also recognizes the critical importance of diversity and inclusion. They have it as their mission to use their influence on the world to encourage positive change in the workplace and in communities everywhere. They are leveraging their demonstrated history as innovators to look at diversity and inclusion in new ways, so that companies of the future always hold it as one of their key values and act on it too.

There is also a connection between the MVP program and Microsoft’s diversity and inclusion efforts. Here, we’ll be looking at exactly what the MVP program is, what it offers, and how it connects to diversity and inclusion initiatives at large.

How did the Microsoft Most Valuable Professional program get its start?

In 1993, developer Calvin Hsia created a list of the “Most Verbose People,” ranking the most active users in a CompuServe technology support forum. The list was created in fun to recognize the most active users, and Hsia didn’t necessarily expect anything to come of it.

But because at the time Microsoft offered a great deal of technical support to CompuServe, they took notice of Calvin’s List and those offering support of their own volition. Noting the difference these champions of technology were making for the community, they saw it as an opportunity to recognize and acknowledge their contributions in a more formal capacity.

We can guess with a fair bit of certainty that Microsoft also saw this as an opportunity to identify and leverage a talent pool, of which they weren’t previously aware.

Speculation aside, Calvin’s List identified the first 34 Most Valuable Professionals. The MVPs were invited to the first-ever Orlando TechEd conference. There, they could be recognized for their efforts in supporting Microsoft customers and promoting Microsoft products.

The initial list of 34 MVPs, including Hsia, got letters from Microsoft indicating their status as MVPs. This was the official beginning of the MVP awards program. Hsia would eventually join Microsoft and was also honored at the 20th Anniversary MVP Global Summit as a vital supporter of the program.

How many people are in the MVP program?

There are currently over 4,000 MVPs across 90 countries and regions – United States, Australia, Indonesia, Germany, Netherlands, India, Japan, Croatia, China, Sri Lanka, Sweden, and many, many others. This makes for a perfect environment for diversity and inclusion efforts, too.

Microsoft’s website is home to “Find an MVP” and “MVP Reconnect” portals, addressed later in this article.

What is a Microsoft MVP?

A Microsoft Most Valuable Professional refers to a technology expert who is passionate about what they do and freely shares their knowledge and expertise with the community, something they do in a “pro bono” or voluntary capacity.

MVPs are always “plugged in,” staying on top of new technologies and trends. They also have a deep understanding of Microsoft products and services. Most importantly, they are always willing to help others, a quality that can only stem from a passion for community.

One does not become an MVP, however, without demonstrating expertise in a variety of ways. MVPs must also demonstrate efforts in helping others through multiple channels (we’ll be covering what this might look like in a moment).

How to become a Microsoft MVP

The process of becoming a Microsoft MVP remains somewhat mercurial. Or, it may be better to say, it remains intentionally vague. Microsoft obviously applies their own criteria to identifying potential candidates. However, visibility is obviously a big factor. So one must be able to build a public track record of productive technical support to others.

In Microsoft’s own words: “Be an expert, do lots of what you love, and let us know!”

More than anything, Microsoft is looking for people with a track record of engaging and supporting the community independently and voluntarily over the course of 12 months. This is difficult to accomplish without staying up to date with Microsoft products and continually educating yourself. So, if you’re looking to improve diversity and inclusion within your workplace, start with education.

There are a variety of activities to improve your chances of MVP recognition. For example:

  • Contributing to blogs, podcasts, and books
  • Helping users on forums and social media
  • Participating in user groups
  • Attending conferences and giving speeches
  • Building open-source software

To become an MVP, however, you will likely need to engage in a variety of activities. Focusing on one area often isn’t enough.

If you’re wondering where to put your energy and focus as a potential MVP, it helps to know that Microsoft prioritizes the following award categories:

  • Microsoft Azure
  • Windows development
  • M365 development
  • Developer technologies
  • Data platform
  • AI
  • Internet of Things
  • Cloud & datacenter management
  • Enterprise mobility
  • Windows & devices for IT
  • M365 apps & services
  • Business applications
  • Security
  • Mixed reality

However, there is a formal, defined process to getting on the map. To become an MVP, one must also receive a nomination referral by a Microsoft Full Time Employee (FTE) or Microsoft MVP. Having the right connections does make a difference.

How does the MVP program benefit IT Professionals?

People love recognition for their efforts. Of that there is little doubt!

Recognition as a Microsoft MVP can have a dramatic impact on one’s career. For example, employer, potential employer, and peer perceptions and reputations matter. But there’s so much more to it than perceptions alone. Being recognized as a cut above is just the tip of the iceberg.

IT professionals also benefit from:

  • Early access to Microsoft products.
  • Access to product teams.
  • Access to the Global MVP Summit.
  • Relationship with local Microsoft teams.
  • An executive recognition letter.
  • Visual Studio technical subscription.
  • An Office 365 subscription.

And these benefits continue to see improvements and augmentations by Microsoft, as they continue to look to the future of the MVP program.

And while these may be some of the “direct” benefits of becoming an MVP, MVPs enjoy a variety of other intangible and leveraged benefits we’ll be looking at momentarily. These include diversity and inclusion initiative advantages.

Find an MVP

Microsoft’s website features a Find an MVP portal where you can see:

  • The MVP’s picture
  • The MVP’s name
  • Their award category
  • Their country or region

If you know who you’re looking for, you can filter by keyword, award category, and country or region. You can also sort the entire list by award category, last name, first name, and country or region.

Additionally, you can learn more about each individual by clicking on their names. The amount of information on each MVP varies. But here are some of the tidbits you can expect to find on the Microsoft website:

  • Name
  • Country or region
  • Job title
  • Award category
  • The first year they achieved MVP
  • Number of MVP awards
  • Language(s) they speak
  • Certifications they’ve earned
  • Social media links
  • Biography
  • A timeline of recent activities

Anyone looking to reach out to a specific MVP for comment can learn something about them first by perusing this portal.

This portal also has a positive impact on the career of the MVPs as it gives them more visibility overall.

MVP Reconnect

There is a place for former MVPs as well. It’s called the MVP Reconnect program. As with the Find an MVP function we just explored, you can use the MVP Reconnect portal to search a database of more than 3,600 former MVPs who remain part of the greater MVP community.

What does it look like to be a Microsoft MVP?

Becoming an MVP takes commitment and hard work. But achieving this status opens the doors to valuable experiences, lucrative opportunities, support and collaboration, and a great deal more.

These are some of the ways MVPs benefit from the program and what their experiences are like:

  • MVPs are often among the first to hear about new developments at Microsoft. They also get to offer input and feedback on existing or new products. And if they have a stable of their own clients who are using Microsoft products, MVPs can offer timely, valuable, and specific guidance to them.
  • Some MVPs enjoy networking, sharing ideas, and collaborating with other MVPs. This should not come as a surprise, since MVPs have the answers to just about any question one might have about Microsoft products.
  • Being an MVP opens the door to new opportunities. The MVP program has a strong reputation. And anyone associated with it experiences a boost in their careers. Opportunities that may not have otherwise been available to them become available.
  • MVPs get to be on the cutting edge. The public isn’t privy to the latest developments at Microsoft, especially those not publicly announced. This gives MVPs the opportunity to build their awareness around new product features and incorporate them into their workflow.
  • Relocation matters. Some MVPs seek to establish themselves in new regions or communities. And with assistance from the MVP community, they are able to find new jobs, homes, and more.
  • Getting answers quickly. In the MVP program, you have unprecedented access to like-minded professionals with a tremendous amount of experience and knowledge in their respective fields. MVPs get access to other MVPs, who can offer guidance.
  • Access to a larger community. Besides the current roster of MVPs, Microsoft also has the MVP Reconnect program, which gives way to the greater MVP community, consisting of over 3,600 members.

Wasn’t the MVP program canceled?

Microsoft ostensibly canceled the MVP program on October 22, 1999. Various reasons have been speculated about. At the time, AOL newsgroup leaders sued AOL because they felt they should have been paid for their work. And the cancellation of the MVP program may have been Microsoft’s response to this backlash against independent, unpaid help.

But it seems people felt differently about the MVP program, as there was an outpouring of support for it. Many emails were even sent directly to Bill Gates and Steve Ballmer. And the program was reinstated only three days later.

Having made the decision to keep the awards program, Microsoft then worked out the finer details and logistics of the program. This led to increasing success in the ensuing years.

Microsoft periodically evaluates the MVP program and considers what it might have in store for the future. Most new developments, however, center on additional benefits for MVPs.

How can MVPs support diversity and inclusion?

There are both obvious and less obvious ways MVPs can support (or are already supporting) diversity and inclusion.

Consider this broad overview of the many ways MVPs can (or already do) promote diversity and inclusion.

The MVP program already represents a very diverse group of people from across the globe

IT talent exists everywhere. Whether it’s Japan or Argentina, there are highly-skilled individuals within their roles. They enjoy their work and are passionate about helping the users who are in need of assistance.

While it may be too “obvious” a thing to say, the MVP program already represents diversity and inclusion in many ways. Whether male, female, young, old, or otherwise, there are established experts representing every possible demographic and ethnicity imaginable.

Promoting the MVP program promotes diversity and inclusion of its own accord, and it can have a very positive impact on companies everywhere, who will need to hold diversity and inclusion as a key tenet of their operations moving forward.

MVPs can use their status as influencers to share about diversity and inclusion

MVPs don’t simply enjoy recognition from Microsoft. They earn recognition within the communities they support. As they answer questions and solve problems for others, they earn additional respect, recognition, and appreciation for their efforts. Additionally, their participation in a community elevates them to influencer status.

Their influence represents an opportunity to create conversations around diversity and inclusion and broach the subject in a considerate, congruent, and tactful way. They can share meaningfully about their own experiences. And they share what diversity and inclusion means to them and why they value it.

MVPs already have a built-in platform. They’ve been serving the community and have gained the favor of others by being of service to them. This gives them the platform they need to speak to matters of greater importance.

MVPs make Microsoft products more accessible to anyone

MVPs may be influential in their own right. This platform isn’t to be abused or disrespected. Instead, it should be a primary tool in affecting people positively in a variety of ways.

One of the very practical ways an MVP can promote diversity and inclusion is by doing what they already do best – helping a variety of people in different regions, even underrepresented people, better understand and utilize Microsoft products.

People can connect through technology. Technology is also empowering. People who may not have found a way to bring their projects to fruition may discover new approaches through technology. People who may not know what their passion is can find a new passion in software. And people who may have found it hard to find a job in the past may be able to find new work by becoming IT professionals themselves.

MVPs can empower a variety of people through their ongoing, tireless support work.

MVPs can share relevant issues with their communities

Whether it’s blog subscribers, a social media following, a forum or message board, email list, some combination thereof, or otherwise, MVPs are already in the know with their various communities. They’ve demonstrated their passion for their work and their willingness to add value to others.

Again, being mindful of when and where to share is critical to one’s success, but as relevant issues arise, MVPs can share these with their communities and open them to discussion. Usually, it’s about promoting more conversations. And by staying current with the issues, MVPs can bring a lot of value to the conversations as they unfold.

MVPs are encouraged to participate in community initiatives and speak at events

To become an MVP, an IT professional must support the community at large. These opportunities only grow as they are awarded and recognized for their efforts, and MVPs are often invited to speak at events too.

Every community initiative and speaking engagement represents an opportunity for an MVP to share on topics of value and interest. It would be unwise for an MVP to shoehorn a message about diversity and inclusion into a speech where it doesn’t belong, but in environments where it’s appropriate, it would be a good opportunity to promote diversity and inclusion.

Sometimes, the events themselves are held to promote diversity and inclusion, in which case the angle is baked into the initiative.

MVPs can contribute their expertise to creating & developing products that can be used by anyone

MVPs have access to development teams and first looks at products. They’re also the first to learn about new changes and features. Additionally, they’re afforded the opportunity to give their input and feedback on Microsoft products.

MVPs can leverage this knowledge to help Microsoft develop products that are inclusive to all. They can offer input on issues development teams may not be aware of, and help them course correct so that their products and services aren’t exclusive or offensive to specific people.

Conclusion About MVP and Diversity and Inclusion Efforts

The Microsoft MVP program represents a significant opportunity to promote diversity and inclusion through multiple channels. The program itself is made up of a variety of people from across different regions, different ethnicities, at different ages and different genders too.

Beyond that, though, MVPs have access to Microsoft, its teams, and its projects to an extent no one else has (save for Microsoft employees). This means they can help steer the direction of projects and ensure everyone is included.

Thanks to their deep working knowledge of Microsoft products and services, MVPs can also impart their knowledge to underrepresented minorities and empower them with new skills, opportunities, careers, and more.

MVPs can also speak directly to their own following and communities, touching on relevant, current subjects as appropriate.

Finally, MVPs also take part in community initiatives and are invited to speak at various events. Some of these events represent good opportunities for them to speak out about relevant issues, especially if they have specific experiences to relay. It has never been more critical for companies to evaluate how people can connect through technology, and how this can encourage inclusion and diversity more broadly.

Azure Virtual Desktop’s Latest Capabilities

Using virtual desktop services enables you to have secure access to work applications and other organizational resources from remote locations. This is something that vastly increases your capabilities beyond the traditional desktop in the office. Microsoft offers Azure Virtual Desktop (AVD) as a desktop and app virtualization service that runs on the cloud.

And as the work environment consistently evolves, desktop virtualization services are becoming an integral part of the way organizations operate. They make it easier to have employees working remotely without worrying about the security of your network.

Unlike in the past when running a virtual desktop environment would have been an extremely complex and expensive undertaking, AVD simplifies the process and also makes it affordable. Additionally, you can expect guaranteed, regular updates and new capabilities that continuously improve the service.

Azure Virtual Desktop main features

Azure Virtual Desktop comes with a lot of capabilities, designed to optimize the use of virtual desktops. By using this service, you can have an environment that perfectly meets the needs of your organization, is scalable when necessary, and is flexible. Below are the key capabilities that you will benefit from:

  • You can create a full desktop virtualization environment in your Azure subscription. And you can do so without having to run any gateway servers.
  • You can publish host pools as you need so that you can adequately accommodate your various workloads.
  • You can bring your own image for production workloads, or test with an image from the Azure Gallery.
  • The availability of pooled, multi-session resources is something that will help you to lower your costs. You can see this even more with the new Windows 10 and Windows 11 Enterprise multi-session capability that will enable you to cut down on the number of virtual machines as well as the operating system overhead costs without having to make compromises about the resources that your users have. (This capability is exclusive to Azure Virtual Desktop and Remote Desktop Session Host (RDSH) role on Windows Server).
  • Users can get individual ownership through personal (persistent) desktops.
  • You can manage costs further by leveraging autoscale to handle the automatic increasing or decreasing of capacity and this can be based on time of day, specific days of the week, or changes in demand.

For the deployment and management of virtual desktops:

  • You can do it through the Azure portal, Azure CLI, PowerShell and REST API for the configuration of host pools, the creation of app groups, the assignment of users, and the publishing of resources.
  • From a single host pool, it’s possible to publish full desktop or individual remote apps. You can also create individual app groups for different sets of users, and you could even cut down on the number of images by assigning users to multiple app groups.
  • You can use the built-in delegated access to assign roles and gather diagnostics that help you understand configuration or user errors.
  • Troubleshooting errors is easier when using the new Diagnostics service.
  • The infrastructure will not require any managing, only the image and virtual machines will. Unlike with other Remote Desktop Services, you won’t have to personally manage the Remote Desktop roles. You only need to manage the virtual machines in your Azure subscription.

Assigning and connecting users to your virtual desktops is also something you can do:

  • Once assigned, users will be able to launch any Azure Virtual Desktop client to connect to their published Windows desktops and applications. Conveniently, you can use any device to connect and you can do so through the native applications on your device or you could use the Azure Virtual Desktop HTML5 web client.
  • Opening any inbound ports is not necessary because users connect securely through reverse connections to the service.

New multi-session capabilities

The features I’ve gone over above are key in delivering a virtualization experience that eliminates the complexities of traditional virtual desktop solutions. However, Microsoft is adding to those capabilities to give users an even better Windows experience by introducing Azure Virtual Desktop multi-session with Microsoft Intune.

With this addition, you’ll now be able to use Microsoft Intune to manage Windows 10 or Windows 11 Enterprise multi-session remote desktops in the Microsoft Endpoint Manager admin center the same way as you would for your regular shared Windows 10/11 client device.

Consequently, you can now manage these virtual machines using either device-based configurations meant for devices or user-based configurations meant for users. Windows 10 or Windows 11 Enterprise multi-session is a new Remote Desktop Session Host and it is exclusive to AVD on Azure. It has some very attractive features:

  • You can have several concurrent user sessions.
  • It offers users a familiar Windows 10 or Windows 11 experience.
  • It delivers great convenience by allowing you to use existing per-user Microsoft 365 licensing.  

Microsoft has introduced user configuration in Microsoft Intune for Windows 11 multi-session VMs and this will mean that:

  • You’ll be able to use the Settings catalog for the configuration of user scope policies and then assign them to groups of users. To simplify this, there is a search bar that you can use to locate all the configurations with scope set to “user”.
  • You can configure user certificates and then assign them to users.
  • You’ll also be able to configure PowerShell scripts. These are installable in the user context and then assigned to users.

Pre-requisites

  • For Windows 10 multi-session, you need to be running version 1903 or later, or you should be running Windows 11 multi-session.
  • Your Azure Virtual Desktop agent needs to be version 1.0.2944.1400 or later.
  • You need to have the right Azure Virtual Desktop and Microsoft Intune licenses if the user benefits, directly or indirectly, from the Microsoft Intune service. This includes access to the Intune service through a Microsoft API.
  • You’ll need to set up the VMs as remote desktops in pooled host pools. And deployment is through Azure Resource manager.
  • The VMs should also be Hybrid Azure AD-joined, as well as enrolled in Microsoft Intune via one of the methods below:
      • Configuration done with Active Directory group policy and then set to use Device credentials. Also, be sure to set credentials to enroll devices that are Hybrid Azure AD-joined automatically.
      • Configuration Manager co-management.
  • Alternatively, the VMs can be Azure AD-joined and enrolled in Microsoft Intune by enabling Enroll the VM with Intune in the Azure portal.

You’ll need to remember that Windows 10 or Windows 11 Enterprise multi-session VMs are essentially different editions of the OS. Therefore, you can expect some Windows 10 or Windows 11 Enterprise configurations that aren’t supported for this edition. However, using Intune won’t interfere with AVD management of that VM nor does it depend on it.

Create the configuration profile

You must use the Settings catalog in the MEM admin center to configure policies for Windows 10 or Windows 11 Enterprise multi-session VMs. Additionally, the following device configuration profile templates are supported for Windows 10 or Windows 11 Enterprise multi-session VMs:

  • Trusted certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
  • SCEP certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
  • PKCS certificate – when targeting devices, it’s Device (machine) and when targeting users, it’s User.
  • VPN – Device Tunnel only

Except for the templates above, the rest of the existing device configuration profile templates aren’t supported. Unsupported templates will not be delivered to multi-session devices, and they will appear as Not applicable in reports.

Also, you’ll need to set the workload slider for Resource Access Policies to Intune or Pilot Intune. This applies if you use co-management for Intune and Configuration Manager. This is a necessary step that will enable Windows 10 and Windows 11 clients to begin the process of requesting the certificate.

Policy configuration

  • Navigate to the MEM admin center and sign in. Then, proceed to select Devices > Windows > Configuration profiles > Create Profile.
  • Next, you’ll want to choose Windows 10 and later for Platform.
  • For Profile type, you should select Settings catalog. However, you’ll need to select Templates as well as the name of the supported template if you’ll be deploying settings with a template.
  • Select Create.
  • Next, you’ll get to the Basics page where you need to give a Name and (optionally) Description > Next.
  • And when you get to the Configuration settings page, choose Add settings.
  • Next, we get to the Settings picker. Here you need to select Add filter and then pick the options below:
      • Key: OS edition
      • Operator: ==
      • Value: Enterprise multi-session
  • Select Apply. With this done, all the configuration profile categories that support Windows 10 or Windows 11 Enterprise multi-session will now appear on the filtered list.
  • You can now choose the categories that you want from this filtered list.
  • Every category you select will require you to choose the settings. These settings will apply to your new configuration profile.
  • In addition, you need to pick the value that you want for this configuration profile for each of your chosen settings.
  • After you’ve finished adding all the settings you want, select Next.
  • When you get to the Assignments page, you have to select the Azure AD groups that have the devices to which you want this profile assigned > Next.
  • Additionally, on the Scope tags, you have the option to add the scope tags you want > Next.
  • With all the above configured, you’ll then go to the Review + create page and select Create to create the profile.

Administrative templates

Administrative Templates for Windows 10 or Windows 11 are supported for Windows 10 or Windows 11 Enterprise multi-session through the Settings catalog. However, there are some limitations worth noting.

  • Certain policies are not available in the Settings catalog. However, ADMX-backed policies are supported.
  • ADMX-ingested policies also have support. And this includes the settings for Office and Microsoft Edge that are available in the administrative template files of both Office and Microsoft Edge. It’s also important to note that not all ADMX-ingested settings are applicable to Windows 10 or Windows 11 Enterprise multi-session. You can view the complete list of ADMX-ingested policy categories in the Win32 and Desktop Bridge app policy configuration.
  • At the time of writing, ADMX-ingested policies are supported for user targeting, only on Windows 11.

Compliance and Conditional access with Azure Virtual Desktop

Protecting your Windows 10 or Windows 11 Enterprise multi-session VMs will be of great importance to everyone. And to secure these VMs, you can go to the Microsoft Endpoint Manager admin center. There, you can configure the appropriate compliance as well as Conditional Access policies. Below is the list of compliance policies, supported on Windows 10 or Windows 11 Enterprise multi-session VMs:

  • Minimum OS version
  • Maximum OS version
  • Valid operating system builds
  • Simple passwords
  • Password type
  • Minimum password length
  • Password Complexity
  • Password expiration (days)
  • Number of previous passwords to prevent reuse
  • Microsoft Defender Antimalware
  • Microsoft Defender Antimalware security intelligence up-to-date
  • Firewall
  • Antivirus
  • Antispyware
  • Real-time protection
  • Microsoft Defender Antimalware minimum version
  • Defender ATP Risk score

These are the only policies you can use. And those not on this list will not be applicable.

Endpoint security

Without a doubt, endpoint security is one of the greatest concerns for most organizations today. Cyberattacks are growing in number and sophistication, meaning that endpoints can easily become the weak point in your network. For multi-session VMs, you’ll have the ability to configure profiles under Endpoint security by choosing Platform Windows 10, Windows 11, and Windows Server. Any platform that is unavailable belongs to a profile that isn’t supported on multi-session VMs.

Deployment of applications

Having access to the applications that you need is essential to maintaining productivity and working efficiently. So naturally, I would want to know whether Windows 10 or Windows 11 apps will work for multi-session. Fortunately, all Windows 10 or Windows 11 apps are deployable to Windows 10 or Windows 11 Enterprise multi-session. However, it does come with certain limitations:

  • Apps should be configured to install in the system/device context and targeted to devices. Web apps won’t apply to multi-session VMs because, by default, they always apply in the user context.
  • All apps must be configured with the Required or Uninstall app assignment intent. The Available apps deployment intent isn’t supported on multi-session VMs.
  • Win32 apps configured to install in the system context that have dependency relationships on apps configured to install in the user context cannot be installed. Instead, create a separate instance of the system-context app if you intend to apply it to a Windows 10 or Windows 11 Enterprise multi-session VM, or verify that all of the app’s dependencies are configured to install in the system context.
  • At present, there is no support in Microsoft Intune for MSIX app attach and Azure Virtual Desktop RemoteApp.

Script deployment

When it comes to script deployment, those configured to run in the system context, with assignment to devices, will have support on Windows 10 or Windows 11 Enterprise multi-session.

To configure this, navigate to Script settings and set Run this script using the logged on credentials to No. On the other hand, scripts configured to run in the user context and assigned to users are supported on Windows 11 Enterprise multi-session. You configure this in Script settings too, but this time set Run this script using the logged on credentials to Yes.

Windows Update for Business

Managing the Windows Update settings for quality (security) updates for Windows 10 or Windows 11 Enterprise multi-session VMs uses the Settings catalog. Finding the supported settings is straightforward. You’ll first need to configure a settings filter for Enterprise multi-session. After that, you can expand the Windows Update for Business category. See the settings you can find in the catalog below:

Remote actions

When it comes to Windows 10 or Windows 11 remote actions, there are several that will not be supported. As a result, they will appear grayed out in the UI as well as disabled in Graph for Windows 10 or Windows 11 Enterprise multi-session VMs. These remote actions are as follows:

  • Autopilot reset
  • BitLocker key rotation
  • Fresh Start
  • Remote lock
  • Reset password
  • Wipe

Retirement

If you decide to delete certain VMs, you can do so, but the device records will remain in the Microsoft Endpoint Manager admin center. However, they will be cleaned up automatically according to the cleanup rules configured for the tenant.

Security baselines

Although security baselines are currently not available for Windows 10 or Windows 11 Enterprise multi-session, it’s still a good idea to go over those available. Having done that, you can then go to the Settings catalog and configure the recommended policies and values. This is vitally important as Windows security baselines intend to reinforce security for users and devices.

Using security baselines means that you can leverage the best practices and recommendations for enhanced security. And even though these security baselines come as groups of pre-configured Windows settings, you get the option of customizing each baseline that you deploy to enforce only the settings and values needed.

This is particularly important because the vast majority of the time the default settings in the security baselines are very restrictive. So, it would be good practice to adapt the baselines to meet your needs so that they do not conflict with any of your other pre-existing settings or features.

Unsupported configurations

There are some additional configurations that are not supported on Windows 10 or Windows 11 Enterprise multi-session VMs. Hopefully, this will change sooner rather than later. But currently Out of Box Experience (OOBE) enrollment isn’t available nor does it have support.

The unavailability of this option means that both Commercial OOBE and Windows Autopilot are not supported. And the same also applies to the Enrollment status page. Furthermore, as for the China Sovereign Cloud, Windows 10 or Windows 11 Enterprise multi-session is not as yet supported.

Troubleshooting common issues

Enrollment issue: Failure to enroll hybrid Azure AD-joined virtual machine
Detail: Normally, auto-enrollment is set up to use user credentials. However, for Windows 10 or Windows 11 Enterprise multi-session virtual machines, the enrollment requires using device credentials. You need to use an Azure Virtual Desktop agent that is version 2944.1400 or later. Another issue is having more than a single MDM provider, which isn’t supported. You’ll also have issues with Windows 10 or Windows 11 Enterprise multi-session VMs configured outside of a host pool. This is because Microsoft Intune only supports VMs that are provisioned as part of a host pool. If your Azure Virtual Desktop host pool hasn’t been created through the Azure Resource Manager template, then that will present a problem.

Enrollment issue: Failure to enroll Azure AD-joined virtual machine
Detail: It could be as simple as you using an Azure Virtual Desktop agent that is not updated. You should be using an agent that is version 2944.1400 or later. If your Azure Virtual Desktop host pool hasn’t been created through the Azure Resource Manager template, then that will present a problem.

More about configuration

Configuration issue: Failure of Settings catalog policy
Detail: Start by verifying whether the VM is enrolled using device credentials, because at present enrollment with user credentials is not supported for Windows 10 or Windows 11 Enterprise multi-session.

Configuration issue: Configuration policy didn’t apply
Detail: With the exception of Certificates, know that templates aren’t supported on Windows 10 or Windows 11 Enterprise multi-session. Therefore, all policies must be created via the Settings catalog.

Configuration issue: Configuration policy reports as Not applicable
Detail: Not all policies are applicable to Azure Virtual Desktop VMs.

Configuration issue: When applying the filter for Windows 10 or Windows 11 Enterprise multi-session edition, the Microsoft Edge/Microsoft Office ADMX policy is not showing up
Detail: The application of these settings depends on having those apps installed on the device, not on the Windows version or edition. In addition, you may need to remove the filters applied in the settings picker if you want to add these settings to your policy.

Configuration issue: App configured to install in system context didn’t apply
Detail: Start by checking that the app doesn’t have a dependency or supersedence relationship on any of the apps configured to install in the user context. As of yet, Windows 10 or Windows 11 Enterprise multi-session doesn’t support user context apps.

Configuration issue: Update rings for Windows 10 and later policy didn’t apply
Detail: At the time of writing, Windows Update for Business policies aren’t yet supported.

Availability of FSLogix Profiles

Another exciting new feature recently announced is the availability of FSLogix Profiles for Azure AD-joined VMs for hybrid users in Azure Virtual Desktop. You can make use of Azure AD Kerberos with Azure Files to access file shares from Azure AD-joined VMs, which you can then use to store your FSLogix profile containers. This new feature provides you with the following capabilities:

  • You can now configure Azure Files with Azure AD Kerberos by using only a single checkbox.
  • Azure AD-joined session hosts can now be configured with Azure AD Kerberos.
  • You can leverage Azure AD Kerberos to store FSLogix profile containers in Azure Files shares.
  • Access permissions for hybrid users, managed in Active Directory are also configurable.
  • The network line-of-sight from the Session Host to the Domain Controller can now be removed.

Getting started with Azure Virtual Desktop

This new release will be available on Windows 10, Windows 11, and Windows Server 2022 session hosts. Before you proceed, you first need to check the requirements to configure Azure Files with Azure AD Kerberos authentication.

A network line-of-sight from the session host to the domain controller is not necessary for FSLogix profiles in Azure Virtual Desktop. It is still required for configuring the permissions on the Azure Files share.

Configure your Azure storage account and file share

You will need to follow the steps given below to store your FSLogix profiles on an Azure file share:

  1. Start by creating an Azure Storage account if you don’t already have one.
  2. Next, go to your storage account and create an Azure Files share where you can store your FSLogix profiles.
  3. To enable access from Azure AD-joined VMs, enable Azure AD Kerberos authentication on Azure Files.
  4. For the configuration of the directory and file-level permissions, go to Configure the storage permissions for profile containers and go through the recommended list of permissions for FSLogix profiles.

It’s possible for users to accidentally delete a user profile or access the personal information of other users if adequate directory-level permissions are not in place. Such mishaps are costly and should be avoided by ensuring all users have the proper permissions.

Configure the session hosts

Configuring the session hosts is required for you to be able to access Azure file shares from an Azure AD-joined VM for FSLogix profiles. To do this, you can follow the steps below:

  1. You first need to enable the Azure AD Kerberos functionality, and there are a few methods you can use to do this:
      • Configure the Intune Policy CSP Kerberos/CloudKerberosTicketRetrievalEnabled and apply it to the session host.
      • Configure the Group Policy setting AdministrativeTemplates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon for the session host.
      • Create the following registry value on the session host: reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1
  2. If you want to use Azure AD with a roaming profile solution such as FSLogix, the credential keys in Credential Manager should belong to the currently loading profile. Having it set up this way means that you’ll be able to load your profile on many different VMs. By simply running the command below, you can create a new registry value that enables the setting: reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1

Configure FSLogix on the session host

Configuring a VM with FSLogix is possible by following a set of instructions whenever you configure a session host. You have several options available to make sure that the registry keys are set on all session hosts: they can be set in an image, or you could configure a group policy. See the steps for configuring FSLogix below:

  • If necessary, start by updating or installing FSLogix on your session host. In instances where you want to create the session host using the Azure Virtual Desktop service, you’ll need to have FSLogix already pre-installed.
  • To create the Enabled and VHDLocations registry values, follow the instructions in Configure profile container registry settings. The value of VHDLocations should be set to: \\<Storage-account-name>.file.core.windows.net\<file-share-name>
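The session host registry values from the two sections above, applied with PowerShell as an added example that is not code from the original post or from Microsoft. It assumes the standard FSLogix profile container key HKLM:\SOFTWARE\FSLogix\Profiles; the storage account and file share names are placeholders, and the function supports -WhatIf so you can preview the changes before applying them.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: applies the session host registry values
# described above (Azure AD Kerberos TGT retrieval, Credential Manager keys loaded from
# the profile, FSLogix Enabled/VHDLocations) in one idempotent pass.
# Assumption: HKLM:\SOFTWARE\FSLogix\Profiles is the standard FSLogix profile container key.

function Set-AvdSessionHostProfileConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $StorageAccountName,   # e.g. 'stavdprofiles' (placeholder)
        [Parameter(Mandatory)] [string] $FileShareName,        # e.g. 'profiles'      (placeholder)
        # Optional: discard a stale local profile so the container is always applied.
        [switch] $DeleteLocalProfileWhenVHDShouldApply
    )

    # VHDLocations must point at the Azure Files share: \\<account>.file.core.windows.net\<share>
    $vhdLocation = "\\$StorageAccountName.file.core.windows.net\$FileShareName"
    $fslogix     = 'HKLM:\SOFTWARE\FSLogix\Profiles'

    $settings = @(
        # Allow the session host to retrieve the Azure AD Kerberos TGT during logon.
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
           Name = 'CloudKerberosTicketRetrievalEnabled'; Type = 'DWord'; Value = 1 }
        # Load Credential Manager keys from the currently loading (roaming) profile.
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\AzureADAccount'
           Name = 'LoadCredKeyFromProfile'; Type = 'DWord'; Value = 1 }
        # FSLogix profile container switched on and pointing at the share.
        @{ Path = $fslogix; Name = 'Enabled';      Type = 'DWord';       Value = 1 }
        @{ Path = $fslogix; Name = 'VHDLocations'; Type = 'MultiString'; Value = @($vhdLocation) }
    )
    if ($DeleteLocalProfileWhenVHDShouldApply) {
        $settings += @{ Path = $fslogix; Name = 'DeleteLocalProfileWhenVHDShouldApply'; Type = 'DWord'; Value = 1 }
    }

    foreach ($s in $settings) {
        if (-not (Test-Path -LiteralPath $s.Path)) {
            New-Item -Path $s.Path -Force | Out-Null
        }
        if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "Set $($s.Type) value to $($s.Value)")) {
            # -Force overwrites an existing value, so re-running the function is safe.
            New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
        }
    }

    # Read the values back so the caller can confirm what is now on the host.
    foreach ($s in $settings) {
        $actual = (Get-ItemProperty -LiteralPath $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Expected = $s.Value; Actual = $actual }
    }
}

# Preview first, then apply (placeholder names):
# Set-AvdSessionHostProfileConfig -StorageAccountName 'stavdprofiles' -FileShareName 'profiles' -WhatIf
# Set-AvdSessionHostProfileConfig -StorageAccountName 'stavdprofiles' -FileShareName 'profiles' | Format-Table
```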

Test your deployment

The final step, after completing the necessary steps for the installation and configuration, is to test the deployment. This allows you to verify everything is working properly. You can do this by signing in with a user account with assignment to an application group on the host pool.

Before you sign in, make sure that the account that you are going to use has the necessary permission to use the file share. For any users that have previously signed in, you’ll find available existing local profiles that the service is going to use during the session.

If you don’t want to create a local profile, then you can create a new user account to use for your tests. Alternatively, you can enable the DeleteLocalProfileWhenVHDShouldApply setting by using the configuration methods that you can find in Tutorial: Configure profile container to redirect user profiles.         

With these steps complete and the user sign-in successful, you can go ahead and check the profile in Azure Files.

Directions

  • Navigate to the Azure portal and sign in with an administrative account.
  • Next, go to the sidebar and choose Storage accounts.
  • You’ll need to then select the storage account that you had configured for your session host pool.
  • Once again, go to the sidebar and this time choose File shares.
  • Find the file share that you configured to store the profiles and select it.
  • If everything has been configured correctly, you should now see a directory with a name formatted in the following manner: <user SID>_<username>.

In addition to testing your deployment, you may occasionally encounter issues with FSLogix products. Below is a table demonstrating some actions you can take, should you encounter challenges.

Issues

Issue: Profile Container
Actions you can take:
  • Compare the current values of Status, Reason, and Error against the data in this documentation.
  • Identify non-zero codes by looking at the log files.
  • Verify you’ve met all requirements. The FSLogix Profiles product can only work properly if this patch is installed for users of Windows 7 or Windows Server 2008 R2.
  • Check that the Enabled setting is set to 1.
  • Check the ‘VHDLocations’ setting for a valid file system location.
  • Check on the file server that the user has the necessary permissions to the VHD(X).
  • Verify that the user is in the local FSLogix Profiles Include group rather than the Exclude group.
  • Check whether there is a pre-existing local profile for the user.

Issue: Office Container
Actions you can take:
  • Compare the current values of Status, Reason, and Error against the data in this documentation.
  • Check for non-zero codes being returned by looking at the log files.
  • Check that you’ve met all requirements.
  • Check that the Enabled setting is set to 1.
  • Check the ‘VHDLocations’ setting for a valid file system location.
  • Verify that the user is in the local FSLogix ODFC Include group rather than the Exclude group.
  • You should expect to NOT see OneDrive icons when using Windows Server 2016, as this is intended.
  • When FSLogix is virtualizing Outlook Search, you should also expect to NOT see Outlook in the Windows indexing options.

Issue: Application Masking
Actions you can take:
  • Check that the rules have been moved to the Rules folder.
  • Using sc query frxsvc and sc query frxdrv, verify that the service and driver are running.
  • Check for non-zero codes being returned by looking at the logs.
  • Verify in the assignment files that the user is included in the assignment: open the rule in the rule editor, click the Manage Assignments button, and check that the user concerned is on the list and that the rule applies.
  • In cases where folders or files are hidden from an excluded user, check that the Apply Rules to System button is not clicked.

Issue: Java Version Control
Actions you can take:
  • Verify that rules are loading properly by checking the IE plugin for errors. From Tools > Manage Add-ons, check that the FSLogix Internet Explorer Plugin is installed and enabled.
  • Check that the rules have been moved to the Rules folder.
  • Check that you’re using 32-bit Java.
  • Ensure that the service and driver are running.
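The deployment test and the Profile Container checks above can be scripted. The following is an added example (not from the original post or from FSLogix) that, on a session host, reports the frxsvc/frxdrv state, the Enabled and VHDLocations registry values, the <user SID>_<username> directory on the share, and any pre-existing local profile. It assumes the values were created under HKLM:\SOFTWARE\FSLogix\Profiles and that the user name given is a placeholder.

```powershell
# Added example: verify an FSLogix Profile Container deployment from the session host.
# Run elevated. 'CONTOSO\jdoe' and the registry path are assumptions, not values from the post.
function Test-FSLogixProfileDeployment {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Username   # DOMAIN\user form, e.g. 'CONTOSO\jdoe' (placeholder)
    )

    $result = [ordered]@{}

    # 1. FSLogix service and driver, equivalent to 'sc query frxsvc' / 'sc query frxdrv'.
    foreach ($svc in 'frxsvc', 'frxdrv') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $result[$svc] = if ($s) { $s.Status.ToString() } else { 'NotInstalled' }
    }

    # 2. Registry values created during configuration: Enabled must be 1 and every
    #    VHDLocations entry (REG_MULTI_SZ, so possibly several paths) should be reachable.
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
    $locations = @($reg.VHDLocations | Where-Object { $_ })
    $result.Enabled            = $reg.Enabled
    $result.EnabledOk          = ($reg.Enabled -eq 1)
    $result.VHDLocations       = $locations
    $result.UnreachableShares  = @($locations | Where-Object { -not (Test-Path -LiteralPath $_) })
    $result.DeleteLocalProfile = $reg.DeleteLocalProfileWhenVHDShouldApply

    # 3. The profile directory on the share is named <user SID>_<username>.
    $sid = ([System.Security.Principal.NTAccount]$Username).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $sam = ($Username -split '\\')[-1]                      # strip the domain prefix
    $candidates = foreach ($loc in $locations) { Join-Path -Path $loc -ChildPath "${sid}_${sam}" }
    $result.ProfileDirectory = $candidates | Where-Object { Test-Path -LiteralPath $_ } |
                               Select-Object -First 1
    $result.ProfileDirectoryExists = [bool]$result.ProfileDirectory

    # 4. A pre-existing local profile for the SID is what the service falls back to; run this
    #    before the test sign-in to know whether the account is clean on this host.
    $local = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$sid'" `
                 -ErrorAction SilentlyContinue
    $result.LocalProfilePath = $local.LocalPath

    [pscustomobject]$result
}

Test-FSLogixProfileDeployment -Username 'CONTOSO\jdoe' | Format-List
```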

Wrap Up About Azure Virtual Desktop

Organizations are witnessing a rapid change in the work environment as well as in the preferences of employees. As the popularity of cloud-based solutions grows, organizations are having to invest in technology that supports a hybrid working model. This has plenty of potential benefits for any organization, including the employee satisfaction that comes from letting those who now prefer it work from home when possible.

By leveraging Azure Virtual Desktop, you can get a secure and cost-effective solution that eliminates the complexities of legacy virtualization infrastructure. This means no more fretting over managing licensing, RDS gateways, load balancing, and more.

In addition to the already extensive list of capabilities, Microsoft is now introducing Azure Virtual Desktop multi-session with Microsoft Intune and FSLogix Profiles for Azure AD-joined VMs. These new capabilities are going to further enhance the user experience and potentially increase productivity. Users will get an improved experience that gives them the familiar Windows 10 or Windows 11 experience. Without a doubt, these new features will help your organization to have a more efficient hybrid environment.

Windows Autopilot to enroll hybrid Azure AD-joined error

I came across this issue where joining the on-premises Active Directory failed during Windows Autopilot.

Below is the full error message from Event Viewer on the machine where the Intune Connector is installed.

Intune Connector event viewer error:

RequestOfflineDomainJoinBlob_Failure: Failed to generate ODJ blob
RequestId: 9d1e4614-3217-4d7c-87ef-df7fceb648c9
DeviceId: 83c83fd7-10c8-49c8-9c15-8489ff126eed
DomainName: Mydomain.LOCAL
RetryCount: 0
ErrorDescription: Failed to call NetProvisionComputerAccount machineName=AutoP-PFv5HetaE
InstanceId: C07C1188-586C-44BD-93C1-F236A633DA9B
DiagnosticCode: 268435455
WinErrorCode: 8557
DiagnosticText: We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: “DiagnosticException: 0x0FFFFFFF. We are unable to complete your request because a server-side error occurred. Please try again.”] [Exception Message: “Failed to call NetProvisionComputerAccount machineName=AutoP-PFv5HetaE”]

The Intune Connector for your Active Directory creates Microsoft Autopilot-enrolled computers in the on-premises Active Directory domain. The computer that hosts the Intune Connector must have the rights to create the computer objects within the domain.


Microsoft Autopilot error details continued…

Follow the guide to delegate control to the computer account hosting the Intune Connector. It solved the issue in this case, as the rights were misconfigured.

  1. Open Active Directory Users and Computers (DSA.msc).
  2. Right-click the organizational unit to use to create hybrid Azure AD-joined computers > Delegate Control. (Screenshot: the Delegate Control command.)
  3. In the Delegation of Control wizard, select Next > Add > Object Types.
  4. In the Object Types pane, select Computers > OK. (Screenshot: the Object Types pane.)
  5. In the Select Users, Computers, or Groups pane, in the Enter the object names to select box, enter the name of the computer where the Intune Connector is installed with Windows Autopilot. (Screenshot: the Select Users, Computers, or Groups pane.)
  6. Select Check Names to validate your entry > OK > Next.
  7. Select Create a custom task to delegate > Next.
  8. Select Only the following objects in the folder > Computer objects.
  9. Select Create selected objects in this folder and Delete selected objects in this folder. (Screenshot: the Active Directory Object Type pane.)
  10. Select Next.
  11. Under Permissions, select the Full Control check box. This action selects all the other options. (Screenshot: the Permissions pane.)
  12. Select Next > Finish.
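Once the delegation has been applied, the OU's ACL can be read back to confirm that the connector host's computer account actually holds the rights from steps 9 and 11. The script below is an added example (not part of the original post or Microsoft's guide); it assumes the ActiveDirectory module, placeholder names for the OU and the connector host, and the well-known schema GUID of the computer object class.

```powershell
# Added example: check that the Intune Connector host's computer account has been delegated
# Create/Delete rights for computer objects on the Autopilot OU. $OU and $ConnectorHost are placeholders.
Import-Module ActiveDirectory

function Test-ConnectorDelegation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$OU,             # distinguished name of the OU from step 2
        [Parameter(Mandatory)][string]$ConnectorHost   # computer name entered in step 5, without the trailing $
    )

    # Schema GUID of the "computer" object class (assumed well-known value). A delegation limited
    # to "Computer objects" (step 8) carries it in the ACE's ObjectType.
    $computerClassGuid = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    $sid  = (Get-ADComputer -Identity $ConnectorHost).SID
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value   # DOMAIN\HOST$

    $acl  = Get-Acl -Path "AD:\$OU"
    # Only Allow entries granted directly to the connector account are considered here;
    # rights inherited through group membership are not resolved by this check.
    $aces = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $name
    })

    # Step 9 enables exactly these two rights on computer objects.
    $check = foreach ($needed in 'CreateChild', 'DeleteChild') {
        $bit = $rights::$needed
        $granted = $aces | Where-Object {
            (($_.ActiveDirectoryRights -band $bit) -eq $bit) -and
            # Empty ObjectType means "all object classes"; otherwise it must be the computer class.
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $computerClassGuid)
        }
        [pscustomobject]@{ Right = $needed; Granted = [bool]$granted }
    }

    # Step 11 (Full Control) shows up as GenericAll; it satisfies the check above but is
    # reported separately so you can see how broad the delegation actually is.
    $fullControl = [bool]($aces | Where-Object {
        ($_.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll
    })

    [pscustomobject]@{
        Account     = $name
        OU          = $OU
        AceCount    = $aces.Count
        CreateChild = ($check | Where-Object Right -eq 'CreateChild').Granted
        DeleteChild = ($check | Where-Object Right -eq 'DeleteChild').Granted
        FullControl = $fullControl
    }
}

Test-ConnectorDelegation -OU 'OU=AutopilotDevices,DC=Mydomain,DC=LOCAL' -ConnectorHost 'INTUNE-CONNECTOR01'
```

If CreateChild or DeleteChild comes back False, the ODJ blob request will fail with the NetProvisionComputerAccount error shown above until the delegation is corrected.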

Conclusion, Windows Autopilot

Review the full prerequisites: https://learn.microsoft.com/en-us/mem/autopilot/windows-autopilot-hybrid

Script to add a Windows 365 Cloud PC User – Add-CloudPCUser.ps1

Script prerequisites for Windows PowerShell:

1. A minimum Windows PowerShell version of ‘7.2’ is required to run this script. The script automatically checks for and installs the module if needed.

2. The Windows 365 Cloud PC Management PowerShell Module must be installed on the local machine. The script automatically checks for and installs the module if needed.

3. The Microsoft Graph PowerShell Module must be installed on the local machine. The script automatically checks for and installs the module if needed.

4. An Azure AD user that has an admin consent permission, if needed, to approve the following permissions in Microsoft Graph application in Azure AD apps:

CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, Directory.Read.All

.PARAMETER Username

Username to add to Windows 365 Cloud PC

.PARAMETER UsersListPath

CSV file path containing a list of users to add to Windows 365 Cloud PC. Sample file contents:


upn
[email protected]
[email protected]
[email protected]
[email protected]

.PARAMETER Group

Azure AD group name to add users to

.EXAMPLE

.\Add-CloudPCUser.ps1 -Username [email protected] -Group IT -Verbose

.EXAMPLE

.\Add-CloudPCUser.ps1 -UsersListPath c:\temp\users.csv -Group Sales -Verbose

Direct link: Add-CloudPCUser.ps1
Github – https://github.com/ThomasMarcussen/assortedScripts/
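For readers who want to see how the workflow above fits together, here is an added example (not the Add-CloudPCUser.ps1 script itself): it performs the prerequisite checks, reads the single-column CSV format shown, and adds each user to the target Azure AD group through Microsoft Graph. It assumes the Microsoft.Graph.Authentication, Microsoft.Graph.Users and Microsoft.Graph.Groups modules, and that GroupMember.ReadWrite.All is consented in addition to the scopes the post lists, since New-MgGroupMember needs it.

```powershell
# Added example: minimal re-implementation of the Add-CloudPCUser workflow (not the author's script).
function Add-CloudPCGroupMember {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Username,                       # single UPN, as in the first .EXAMPLE
        [string]$UsersListPath,                  # CSV with one 'upn' column, as in the sample file
        [Parameter(Mandatory)][string]$Group     # Azure AD group display name
    )

    # Prerequisite 1: PowerShell 7.2 or later.
    if ($PSVersionTable.PSVersion -lt [version]'7.2') {
        throw "PowerShell 7.2 or later is required (running $($PSVersionTable.PSVersion))."
    }

    # Prerequisites 2/3: required modules, installed for the current user when missing.
    foreach ($m in 'Microsoft.Graph.Authentication', 'Microsoft.Graph.Users', 'Microsoft.Graph.Groups') {
        if (-not (Get-Module -ListAvailable -Name $m)) { Install-Module -Name $m -Scope CurrentUser -Force }
        Import-Module -Name $m
    }

    # Prerequisite 4: interactive sign-in; an admin is prompted for consent on first use.
    # GroupMember.ReadWrite.All is an addition to the scopes the post lists (assumption).
    Connect-MgGraph -Scopes 'CloudPC.ReadWrite.All', 'DeviceManagementConfiguration.ReadWrite.All',
                            'DeviceManagementManagedDevices.ReadWrite.All', 'Directory.Read.All',
                            'GroupMember.ReadWrite.All'

    # Build the user list from -Username or from the CSV's 'upn' column.
    $upns = if ($UsersListPath) {
        @((Import-Csv -Path $UsersListPath).upn | Where-Object { $_ } | ForEach-Object Trim)
    } elseif ($Username) { @($Username) } else { throw 'Specify -Username or -UsersListPath.' }

    # Resolve the group once and require an unambiguous match on display name.
    $grp = @(Get-MgGroup -Filter "displayName eq '$($Group -replace "'", "''")'")
    if ($grp.Count -ne 1) { throw "Expected exactly one group named '$Group', found $($grp.Count)." }
    $grp = $grp[0]
    $existing = @(Get-MgGroupMember -GroupId $grp.Id -All).Id

    foreach ($upn in $upns) {
        # Escape single quotes so the OData filter cannot be broken by odd input.
        $safe = $upn -replace "'", "''"
        $user = Get-MgUser -Filter "userPrincipalName eq '$safe'" -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "User not found: $upn"; continue }
        if ($existing -contains $user.Id) { Write-Verbose "$upn is already a member of $Group"; continue }
        if ($PSCmdlet.ShouldProcess($upn, "Add to group '$Group'")) {
            New-MgGroupMember -GroupId $grp.Id -DirectoryObjectId $user.Id
            Write-Verbose "Added $upn to $Group"
        }
    }
}

# Same shape as the post's examples; -WhatIf previews the changes without making them.
Add-CloudPCGroupMember -UsersListPath 'C:\temp\users.csv' -Group 'Sales' -Verbose -WhatIf
```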

Download all OneDrive files for a user using PowerShell

PowerShell script to download a user’s OneDrive content.

New and improved: Download-OD4BAccount.ps1

.Example 
.\Download-OD4BAccount.ps1 -Username [email protected] -Destination "D:\OD4B" -ThreadCount 3 -Verbose

Script prerequisites:

1. The Microsoft Graph PowerShell Module must be installed on the local machine. The script automatically checks for and installs the module if needed.

2. An Azure AD user that has an admin consent to approve the following permissions in Microsoft Graph application in Azure AD apps:
   Organization.Read.All, User.Read.All, Directory.Read.All

This was inspired by Adnan's script, which I have used on multiple occasions.
But when downloading very large OneDrive data structures, multiple threads seem to work faster and smoother.

Exciting New Capabilities in Microsoft Defender for Endpoint

The way that businesses are conducting their operations has been consistently changing over the years. As technology has evolved and the devices available to us have gotten significantly better, hybrid work environments have become more popular.

This is even more so if your business has employees working from home or hires freelancers who use various endpoint devices. Although the benefits of a hybrid work setup are well known, it has become clear that endpoints are one of the biggest attack vectors because of their potential vulnerabilities.

Hence the need for a solution such as Microsoft Defender for Endpoint that can offer your organization comprehensive threat protection against external as well as internal attacks.

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is an enterprise-level security platform that Microsoft has designed to prevent, detect, investigate, and then respond to advanced threats on enterprise networks. This is something that has become extremely necessary especially when you consider information from sources such as a Ponemon Institute study that indicates that 68% of organizations have been the victim of at least one endpoint attack.

And arguably the most worrying part is that these attacks are increasing not only in number but in sophistication year by year. This highlights the importance of having a comprehensive solution that offers intelligent threat detection and remediation.

Fortunately, Defender for Endpoint uses several technologies that have been built into Windows 10 and some Microsoft Azure services. They include:

Cloud Security Analytics

Microsoft has the advantage of having access to significant amounts of data because of its massive service offering. This process makes use of big data, machine learning, and unique Microsoft optics across the vast Windows ecosystem, enterprise cloud products, and online assets. Once the data has been put together, it can then be translated into insights, detections, and recommended responses to advanced threats.

Threat intelligence

Here we also find a massive collection of data that is obtained not only by Microsoft hunters and security teams but by Microsoft partners as well. Because of this threat intelligence, Defender for Endpoint can identify attacker tools, techniques, and procedures, and generate alerts when they are observed in collected sensor data.

Endpoint behavioral sensors

These particular sensors which are built into Windows 10 have been designed to collect and process behavioral signals from the operating system. Following this, all the gathered information will then be sent to your private, isolated cloud instance of Microsoft Defender for Endpoint.

Key components

Automated investigation and remediation

Microsoft Defender for Endpoint does a lot more than just provide a swift response to attacks. In addition to that, it also offers automatic investigation and remediation capabilities that are built to reduce the volume of alerts in minutes at scale.

Attack Surface Reduction

This provides a set of capabilities that are designed to reduce the attack surfaces on endpoints. Doing so will enhance the protection of your organization’s devices and networks such that you minimize any potentially vulnerable areas that attackers could exploit.

When configuration settings have been properly set up and the relevant mitigation techniques are applied, ASR allows endpoints to effectively resist attacks and exploitation. With the inclusion of network protection and web protection, there will also be strict regulation of access to malicious IP addresses, domains, and URLs.

Core Defender Vulnerability Management

This feature offers clients a built-in solution that leverages a modern risk-based approach that enables the discovery, assessment, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. Those who are using Plan 2 will get access to the Defender Vulnerability Management add-on that allows you to better assess your security posture and reduce risk.

Endpoint detection and response

Endpoint detection and response capabilities can be described as a type of second line of defense focused on the detection, investigation, and response to advanced threats that would potentially have made it past the initial barriers. With Advanced hunting, you get a query-based threat-hunting tool that allows you to proactively find breaches and custom detections. These capabilities are going to equip security teams to identify and respond to threats a lot faster.

Microsoft Secure Score for Devices

Included with Defender for Endpoint is Microsoft Secure Score for Devices which is a solution that ensures that you can dynamically assess the security state of your enterprise network. Furthermore, this feature can be used to identify unprotected systems and then perform all the necessary actions to enhance your overall security posture.

Microsoft Threat Experts

What you’ll be getting with this threat-hunting service is a tool that gives you proactive hunting, prioritization, and additional context and insights that further empower Security operation centers (SOCs) to identify and respond to threats quickly and accurately.

Next-generation protection

This feature is designed to ensure that the security perimeter of your network has the highest level of protection. Defender for Endpoint uses next-generation protections to detect and prevent emerging threats. Not only does this improve your security but it ensures that as attackers develop new ways of trying to penetrate your network your endpoint protection will remain solid.

Requirements

There are a few minimum requirements that you would need to meet before you can onboard devices to Microsoft Defender for Endpoint. These requirements include those for licensing, hardware, software, as well as other configuration settings.

Licensing requirements

Clients will need to know that the standalone versions of Defender for Endpoint Plan 1 and Plan 2 won’t include server licenses. And the same applies even when these versions are included as part of other Microsoft 365 plans. So what this means is that to onboard servers to those plans you need Defender for Servers Plan 1 or Plan 2 as part of the Defender for Cloud offering.

Browser requirements

If you want to access Defender for Endpoint then you have to do so through a browser. And Microsoft recommends using Microsoft Edge or Google Chrome for the best experience. You may still be able to use other browsers but the aforementioned two are the ones that are supported.

Supported Windows versions

  • Windows 11 Enterprise
  • Windows 11 Education
  • Windows 11 Pro
  • Windows 11 Pro Education
  • Windows 10 Enterprise
  • Windows 10 Enterprise LTSC 2016 (or later)
  • Windows 10 Enterprise IoT
  • Windows 10 Education
  • Windows 10 Pro
  • Windows 10 Pro Education
  • Windows 8.1 Enterprise
  • Windows 8.1 Pro
  • Windows 7 SP1 Enterprise (Requires ESU for support.)
  • Windows 7 SP1 Pro (Requires ESU for support.)
  • Windows Server
  • Windows Server 2008 R2 SP1 (Requires ESU for support.)
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server, version 1803 or later
  • Windows Server 2019 and later
  • Windows Server 2019 core edition
  • Windows Server 2022
  • Windows Virtual Desktop
  • Windows 365

So, all the devices on your network that want to use Defender for Endpoint should be running one of these editions. However, other operating systems such as Android, iOS, Linux, and macOS are also supported. As far as the hardware requirements go, they are the same across all supported editions:

  • Cores: 2 minimum, 4 preferred
  • Memory: 1 GB minimum, 4 GB preferred

Introducing a new API

Recently, an announcement was made concerning a new Microsoft 365 Defender API for alerts. This new API is meant to help you to work with alerts across all products within Microsoft 365 Defender using just a single integration.

The API will offer alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, Azure Active Directory Identity Protection, and Microsoft Purview Data Loss Prevention.

And according to Microsoft, this is just a start as this will continue to be expanded in the future. The objective of this new tool is to enhance the client experience even more across Microsoft Defender products and this is enabled via the new, central API.

With this new API in place, organizations need to be aware that they have to start making plans to migrate from Microsoft Defender for Endpoint SIEM API as Microsoft has already announced plans for its deprecation.

However, to ensure that all clients will have sufficient time to make the migration, the deprecation date has been moved to December 21, 2023. When that eventually happens, Microsoft has stated that the SIEM API will remain available but will only receive support for security-related fixes. But, as of December 31, 2024, the SIEM API may be turned off without any further notice. There are some options that have been proposed to get you started with migration.

1. Pulling MDE alerts into an external system (SIEM/SOAR)

There are a few options available if you want to pull Defender for Endpoint alerts into an external system. Having multiple options means that organizations have the flexibility to select the option that most suits them.

Microsoft Sentinel

Scalable, cloud-native, SIEM, and SOAR solution. This tool will give you intelligent security analytics and threat intelligence across the entire enterprise. Consequently, this means that you’ll get a single solution providing proactive hunting, attack detection, threat response, and threat visibility. Additionally, you can leverage the Microsoft 365 Defender connector to pull in all incidents and alerts from all Microsoft 365 Defender products with relative ease.

IBM Security QRadar

SIEM offers enterprises centralized visibility and intelligent security analytics that can identify and prevent threats and vulnerabilities from disrupting business operations. Moreover, the QRadar SIEM team has just announced that a new DSM is on the way. The great thing about this new option is that it will integrate with the new Microsoft 365 Defender alerts API to pull in Microsoft Defender for Endpoint alerts. Any new customers that would be interested in testing out this new DSM will be able to do so upon its release.

Splunk SOAR

This can enable you to orchestrate workflows and automate tasks in a matter of seconds thus allowing you to work smarter and respond a lot faster. Also, you’ll find that Splunk SOAR is integrated with the new Microsoft 365 Defender APIs including the alerts API.

Calling the Microsoft 365 Defender alerts API directly

Below is a table that shows the mapping from each SIEM API property to the corresponding Microsoft 365 Defender alerts API property.

SIEM API property -> Microsoft 365 Defender alert API property (X = no mapping)

AlertTime -> createdDateTime
ComputerDnsName -> evidence/deviceEvidence: deviceDnsName
AlertTitle -> Title
Category -> category
Severity -> severity
AlertId -> Id
Actor -> actorDisplayName
LinkToWDATP -> alertWebUrl
IocName -> X (IoC fields not supported)
IocValue -> X (IoC fields not supported)
CreatorIocName -> X (IoC fields not supported)
CreatorIocValue -> X (IoC fields not supported)
Sha1 -> evidence/fileEvidence/fileDetails: sha1 (or evidence/processEvidence/imageFile: sha1)
FileName -> evidence/fileEvidence/fileDetails: fileName (or evidence/processEvidence/image: fileName)
FilePath -> evidence/fileEvidence/fileDetails: filePath (or evidence/processEvidence/image: filePath)
IPAddress -> evidence/ipEvidence: ipAddress
URL -> evidence/urlEvidence: url
IoaDefinitionId -> detectorId
UserName -> evidence/userEvidence/userAccount: accountName
AlertPart -> X (obsolete: MDE alerts are atomic/complete and updatable, while SIEM API records were immutable records of detections)
FullId -> X (IoC fields not supported)
LastProcessedTimeUtc -> lastActivityDateTime
ThreatCategory -> mitreTechniques []
ThreatFamilyName -> threatFamilyName
ThreatName -> threatDisplayName
RemediationAction -> evidence: remediationStatus
RemediationIsSuccess -> evidence: remediationStatus (implied)
Source -> detectionSource (use with serviceSource: microsoftDefenderForEndpoint)
Md5 -> X (not supported)
Sha256 -> evidence/fileEvidence/fileDetails: sha256 (or evidence/processEvidence/imageFile: sha256)
WasExecutingWhileDetected -> evidence/processEvidence: detectionStatus
UserDomain -> evidence/userEvidence/userAccount: domainName
LogOnUsers -> evidence/deviceEvidence: loggedOnUsers []
MachineDomain -> included in evidence/deviceEvidence: deviceDnsName
MachineName -> included in evidence/deviceEvidence: deviceDnsName
InternalIPV4List -> X (not supported)
InternalIPV6List -> X (not supported)
FileHash -> use sha1 or sha256
DeviceID -> evidence/deviceEvidence: mdeDeviceId
MachineGroup -> evidence/deviceEvidence: rbacGroupName
Description -> description
DeviceCreatedMachineTags -> evidence: tags [] (for deviceEvidence)
CloudCreatedMachineTags -> evidence: tags [] (for deviceEvidence)
CommandLine -> evidence/processEvidence: processCommandLine
IncidentLinkToWDATP -> incidentWebUrl
ReportId -> X (obsolete: MDE alerts are atomic/complete and updatable, while SIEM API records were immutable records of detections)
LinkToMTP -> alertWebUrl
IncidentLinkToMTP -> incidentWebUrl
ExternalId -> X (obsolete)
IocUniqueId -> X (IoC fields not supported)

Getting started

Using the Microsoft 365 Defender alerts API requires you to go through a registration process first. To register an application in Azure Active Directory you can simply follow the steps given below:

  • Start by navigating to the Azure Portal where you need to sign in as a user with the Global administrator role.
  • Next, head over to Azure Active Directory > App registrations > New registration.
  • Once you get to the registration form, you’ll then need to enter a name for your application. Select Register. You also have the option of selecting a redirect URI if necessary.
  • For the next step, you’ll select API Permissions > Microsoft Graph on your application page.
  • On the page that you see displayed, you need to select Delegated permissions. In the search box that appears, start typing “security” and from the options that you see select SecurityIncident.Read.All and then click on Add permission.
  • Click admin consent for your tenant. There are multiple permissions available for selection and you can grant admin consent for all of them.
  • Add a secret to the application. Then, proceed to select Certificates & secrets and then add a description to the secret. Select Add and make sure you save the secret.
  • Lastly, you need to ensure that you record your application ID and tenant ID someplace secure. You’ll find them listed on your application Overview page.
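With the app registered, the mapping table and the registration steps above can be exercised together: query the alerts API and reshape each alert into the legacy SIEM API property names, so an existing SIEM parser keeps working during migration. This is an added example, not code from the original post or from Microsoft. It assumes the Microsoft.Graph.Authentication module, that the alerts API is Graph's security/alerts_v2 endpoint, that SecurityAlert.Read.All has been consented alongside the permission named in the steps (reading alerts needs it), and placeholder tenant and application values.

```powershell
# Added example: convert Microsoft 365 Defender alerts (alerts_v2 shape) to the legacy SIEM API
# field names using the mapping table above. Only fields with a direct mapping are filled.
function ConvertTo-SiemApiAlert {
    param([Parameter(Mandatory, ValueFromPipeline)]$Alert)
    process {
        # Each evidence item declares its kind in @odata.type, e.g. #microsoft.graph.security.deviceEvidence
        $ev      = @($Alert.evidence)
        $device  = $ev | Where-Object { $_.'@odata.type' -like '*deviceEvidence' }  | Select-Object -First 1
        $file    = $ev | Where-Object { $_.'@odata.type' -like '*fileEvidence' }    | Select-Object -First 1
        $process = $ev | Where-Object { $_.'@odata.type' -like '*processEvidence' } | Select-Object -First 1
        $user    = $ev | Where-Object { $_.'@odata.type' -like '*userEvidence' }    | Select-Object -First 1
        $ip      = $ev | Where-Object { $_.'@odata.type' -like '*ipEvidence' }      | Select-Object -First 1
        $url     = $ev | Where-Object { $_.'@odata.type' -like '*urlEvidence' }     | Select-Object -First 1
        # File hashes: prefer fileEvidence, fall back to the process image, as the table notes.
        $fd = if ($file) { $file.fileDetails } elseif ($process) { $process.imageFile } else { $null }

        [pscustomobject]@{
            AlertTime                 = $Alert.createdDateTime
            ComputerDnsName           = $device.deviceDnsName
            AlertTitle                = $Alert.title
            Category                  = $Alert.category
            Severity                  = $Alert.severity
            AlertId                   = $Alert.id
            Actor                     = $Alert.actorDisplayName
            LinkToWDATP               = $Alert.alertWebUrl
            Sha1                      = $fd.sha1
            Sha256                    = $fd.sha256
            FileName                  = $fd.fileName
            FilePath                  = $fd.filePath
            IPAddress                 = $ip.ipAddress
            URL                       = $url.url
            IoaDefinitionId           = $Alert.detectorId
            UserName                  = $user.userAccount.accountName
            UserDomain                = $user.userAccount.domainName
            LastProcessedTimeUtc      = $Alert.lastActivityDateTime
            ThreatCategory            = $Alert.mitreTechniques
            ThreatFamilyName          = $Alert.threatFamilyName
            ThreatName                = $Alert.threatDisplayName
            Source                    = $Alert.detectionSource
            WasExecutingWhileDetected = $process.detectionStatus
            LogOnUsers                = $device.loggedOnUsers
            DeviceID                  = $device.mdeDeviceId
            MachineGroup              = $device.rbacGroupName
            Description               = $Alert.description
            CommandLine               = $process.processCommandLine
            IncidentLinkToWDATP       = $Alert.incidentWebUrl
        }
    }
}

# Constructed sample alert in the alerts API shape (placeholder values, not real data),
# so the conversion can be tried offline.
$sample = @'
{
  "id": "alert-id-placeholder",
  "createdDateTime": "2023-01-01T10:00:00Z",
  "lastActivityDateTime": "2023-01-01T10:05:00Z",
  "title": "Constructed sample: script launched from user profile",
  "category": "Execution",
  "severity": "medium",
  "serviceSource": "microsoftDefenderForEndpoint",
  "detectionSource": "antivirus",
  "detectorId": "detector-id-placeholder",
  "mitreTechniques": ["T1059.001"],
  "evidence": [
    { "@odata.type": "#microsoft.graph.security.deviceEvidence", "deviceDnsName": "host01.contoso.local",
      "mdeDeviceId": "device-id-placeholder", "rbacGroupName": "Workstations", "loggedOnUsers": [] },
    { "@odata.type": "#microsoft.graph.security.processEvidence", "detectionStatus": "detected",
      "processCommandLine": "powershell.exe -File script.ps1",
      "imageFile": { "fileName": "powershell.exe", "filePath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0",
                     "sha1": "0000000000000000000000000000000000000000" } },
    { "@odata.type": "#microsoft.graph.security.userEvidence",
      "userAccount": { "accountName": "jdoe", "domainName": "CONTOSO" } }
  ]
}
'@ | ConvertFrom-Json

$sample | ConvertTo-SiemApiAlert | Format-List

# Live query with the app registration (placeholders; secret should come from a vault, not the script).
# $cred = [pscredential]::new($ClientId, (ConvertTo-SecureString $ClientSecret -AsPlainText -Force))
# Connect-MgGraph -TenantId $TenantId -ClientSecretCredential $cred
# $uri = "https://graph.microsoft.com/v1.0/security/alerts_v2?`$filter=serviceSource eq 'microsoftDefenderForEndpoint'"
# (Invoke-MgGraphRequest -Method GET -Uri $uri).value | ConvertTo-SiemApiAlert
```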

What is Defender for Endpoint Plan 1?

To cater to the different needs of its clients Microsoft now offers two plans. Instead of having just one complete solution, Microsoft introduced Plan 1 so that smaller organizations that did not need the full range of features could also benefit.

So, we now have Plan 1 which contains a smaller set of features and then the version that retains all the features is now referred to as Plan 2. Defender for Endpoint Plan 1 offers next-generation protection, manual response actions, attack surface reduction capabilities, centralized configuration, and management, as well as protection for a variety of platforms.

Next-generation protection

This platform is built to detect various types of emerging threats and in doing so will enhance the security perimeter of your network. It’s going to give you behavior-based heuristic, and real-time antivirus protection as part of the robust measures that will reinforce your security. Also, there is cloud-delivered protection that is meant to provide you with near-instant detection and blocking of emerging threats. Furthermore, next-generation protection will give you dedicated protection and product updates.

Manual response actions

These represent the actions that your security staff can implement in instances when threats are detected on endpoints or in files. Defender for Endpoint offers certain manual response actions that can be used on devices that appear suspicious. There are also response actions that you can take on files that are detected as threats. The manual response actions that you get in Defender for Endpoint Plan 1 are summarized in the table below:

File/Device | Action | Description

Device | Run antivirus scan | Launches an antivirus scan that aims to detect any threats that may be present on a device. If there are any, they will be addressed during the scan.
Device | Isolate device | In an instance where there is a potential compromise, this action helps by disconnecting a device from the organization’s network. However, to keep the device under monitoring, it will remain connected to Defender for Endpoint so that any further action that may be necessary can be carried out.
File | Stop and quarantine | This action will stop any running processes and subsequently quarantine the associated files.
File | Add an indicator to allow or block file | Indicators that block files are designed to block the reading, writing, or execution of portable executable files on devices. Allow indicators, on the other hand, are meant to prevent the blocking or remediation of files.
Attack surface reduction

Attack surfaces refer to all the potential attack points that exist in your organization and that cyber criminals could exploit. To reduce the risk of this happening, Defender for Endpoint Plan 1 minimizes your organization’s attack surfaces by protecting the devices and applications that you use. Several attack surface reduction capabilities are offered:

Attack surface reduction rules

These are meant to target software behaviors that could be considered risky, such as:

  • launching executable files and scripts that try to run or download other files
  • running questionable scripts
  • initiating behaviors that you normally would not expect apps to perform during work

However, we do still need to remember that these software behaviors can also be seen with genuine business applications. But even if that is the case, the behaviors are still considered risky because they present a vulnerability that attackers can exploit using malware. Thus, by taking advantage of attack surface reduction rules, you can restrict risky behaviors and reinforce your organization’s security.

Ransomware mitigation

Ransomware mitigation is obtained by using controlled folder access, which restricts access to protected folders on your endpoints strictly to trusted apps. Therefore, there is a need for a trusted apps list, and apps can only be added to it based on their prevalence and reputation. Additionally, your security team can add or remove apps from the list when necessary.

Device control

A lot of people carry around with them multiple USB drives for personal as well as professional use. Unfortunately, as convenient as these removable drives tend to be, they can also present a significant risk to your organization’s devices.

To counter this threat, Defender for Endpoint offers capabilities aimed at preventing threats from unauthorized peripheral devices from compromising your organization’s devices. If need be, you can simply configure Defender for Endpoint to block removable devices and the files they contain.

Web protection

This feature is just what your organization needs to protect your devices from web threats and unwanted content. With unfiltered access, some employees can spend time browsing the web, going through social media, etc.

So, it’s a good thing that this will give you web threat protection as well as web content filtering. Web threat protection protects you by blocking access to risky areas of the internet such as phishing sites, suspicious sites, malware vectors, exploit sites, and other sites that you have on your blocked list.

And then with web content filtering, there is blocking of sites according to category. Therefore, sites can be blocked if they fall under social media, leisure, adult content, legal liability sites, etc.

Network protection

Network protection gives you a tool that will help you to block devices in your organization from accessing suspicious domains that are potentially hosting phishing scams, malware, or other types of malicious content.

Network firewall

This type of protection enables you to set rules that determine the network traffic that will be allowed to flow to or from your organization’s devices. When you combine the advanced security that Defender for Endpoint offers with the network firewall protection, you’ll have something that enables you to:

  • Minimize the risk you face from network security threats
  • Reinforce the security of intellectual property and sensitive data
  • Extend your security investment

Application control

As we all know, people can find several different applications to carry out certain tasks. And most people have their favorites. However, not all of them are secure, and so application control will help protect your endpoints by allowing only trusted applications and code to run in the system core (kernel). It is left up to the members of your security staff to set the application control rules as they see fit.
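The attack surface reduction capabilities described above (ASR rules, controlled folder access for ransomware mitigation, and network protection) can be read back from a device so you can see which are enforcing, which are only auditing, and what they have fired on recently. The script below is an added example (not from the original post or from Microsoft); it assumes an elevated PowerShell session on a Windows device with the Defender cmdlets, and that the action codes and event IDs it decodes are Microsoft Defender's documented values.

```powershell
# Added example: report the local device's ASR posture and recent ASR / controlled folder access events.
function Get-AsrPosture {
    [CmdletBinding()]
    param([int]$EventHours = 24)    # how far back to look in the Defender operational log

    $p = Get-MpPreference

    # ASR rule actions as stored in AttackSurfaceReductionRules_Actions (assumed documented values):
    # 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    $actionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    $ids = @($p.AttackSurfaceReductionRules_Ids)
    $rules = for ($i = 0; $i -lt $ids.Count; $i++) {
        $a = [int]$p.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = if ($actionName.ContainsKey($a)) { $actionName[$a] } else { "Unknown($a)" }
        }
    }

    # Controlled folder access and network protection modes: 0 = Disabled, 1 = Enabled, 2 = Audit
    $modeName = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'Audit' }

    # Defender writes these events when a rule fires (assumed documented IDs):
    # 1121 ASR block, 1122 ASR audit, 1123 controlled folder access block, 1124 controlled folder access audit.
    # Audit events are what you review before switching a rule to Block so business apps are not broken.
    $eventKind = @{ 1121 = 'ASR block'; 1122 = 'ASR audit'; 1123 = 'CFA block'; 1124 = 'CFA audit' }
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122, 1123, 1124
        StartTime = (Get-Date).AddHours(-$EventHours)
    } -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = $eventKind[[int]$_.Id]
            Summary = ($_.Message -split "`n")[0].Trim()
        }
    }

    [pscustomobject]@{
        AsrRules               = $rules
        RulesNotBlocking       = @($rules | Where-Object Action -ne 'Block').Count
        ControlledFolderAccess = $modeName[[int]$p.EnableControlledFolderAccess]
        ProtectedFolders       = $p.ControlledFolderAccessProtectedFolders
        AllowedApplications    = $p.ControlledFolderAccessAllowedApplications
        NetworkProtection      = $modeName[[int]$p.EnableNetworkProtection]
        RecentEvents           = @($events)
    }
}

$posture = Get-AsrPosture -EventHours 72
$posture | Select-Object RulesNotBlocking, ControlledFolderAccess, NetworkProtection | Format-List
$posture.AsrRules     | Format-Table -AutoSize
$posture.RecentEvents | Format-Table -AutoSize
```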

Centralized management

With Defender for Endpoint Plan 1, you also get the Microsoft 365 Defender portal, which will help your security team:

  • View current data regarding any detected threats
  • Subsequently, take any necessary actions to reduce the threats
  • Centrally manage the threat protection settings of your organization

Role-based access control

Your security administrator can take advantage of role-based access control (RBAC) to create roles and groups that will provide the appropriate access to the Microsoft 365 Defender portal. Thus, by using RBAC you can retain a high level of control over who can have access to Defender for Cloud as well as what they can see and do.

Reporting

The Microsoft 365 Defender portal gives you a platform where you can easily view all the information about detected threats as well as the actions taken to address those threats:

  • You’ll find a simplified Home page that has cards showing users/devices at risk, the number of threats detected, and the alerts/incidents created.
  • There is an Incidents & alerts section showing the incidents that were created because of triggered alerts.
  • The Action Center shows you a list of remediations that were taken.
  • Lastly, there is a Reports section containing reports of detected threats and their status.

Microsoft endpoint security plans

Now that I’ve gone over what Defender for Endpoint Plan 1 has to offer, let’s take a look at a comparison of the available Microsoft endpoint security plans.

Plan: Defender for Endpoint Plan 1
Capabilities on offer:
  • Next-generation protection including antimalware and antivirus
  • Attack surface reduction
  • Manual response actions
  • Centralized management
  • Security reports
  • APIs
  • Support for Windows 10, iOS, Android OS, and macOS devices

Plan: Defender for Endpoint Plan 2
Capabilities on offer: Plan 2 has all the capabilities that you get with Plan 1 and then it also adds:
  • Device discovery
  • Device inventory
  • Core Defender Vulnerability Management capabilities
  • Threat analytics
  • Automated investigation and response
  • Advanced hunting
  • Endpoint detection and response
  • Endpoint attack notifications
  • Support for Windows (client only) and non-Windows platforms (macOS, iOS, Android, and Linux)

Plan: Defender Vulnerability Management add-on
Capabilities on offer: Here we see more Defender Vulnerability Management capabilities that also come with Defender for Endpoint Plan 2:
  • Security baselines assessment
  • Block vulnerable applications
  • Browser extensions
  • Digital certificate assessment
  • Network share analysis
  • Support for Windows (client and server) and non-Windows platforms (macOS, iOS, Android, and Linux)

Plan: Defender for Business (small and medium enterprises can get this option as a standalone subscription or as part of Microsoft 365 Business Premium)
Capabilities on offer: This is a list of services that have been optimized for small and medium-sized businesses:
  • Email protection
  • Antispam protection
  • Antimalware protection
  • Next-generation protection
  • Attack surface reduction
  • Endpoint detection and response
  • Automated investigation and response
  • Vulnerability management
  • Centralized reporting
  • APIs (for integration with custom apps or reporting solutions)
  • Integration with Microsoft 365 Lighthouse

Defender for Cloud

One of the best things that will further strengthen your security is the integration of Defender for Endpoint with Defender for Cloud. This integration will provide you with extra features on top of what you’re already getting. These are:

Automated onboarding

Defender for Cloud is going to automatically enable the Defender for Endpoint sensor on all supported machines that are connected to Defender for Cloud.

Single pane of glass

You’ll be able to view your Defender for Endpoint alerts on the Defender for Cloud portal pages. However, if you want to see additional information so you can investigate further you can head over to Defender for Endpoint’s own portal pages and there you can view extra information such as the alert process tree and the incident graph. There will also be a detailed machine timeline that displays all the behaviors for a historical period of up to six months.

However, there are a few requirements that you’ll need to check before you can proceed with the integration of Defender for Endpoint with Defender for Cloud. You need to verify that your machine meets the Defender for Endpoint requirements given below.

The machine needs to be connected to Azure as well as the internet:

  • Azure virtual machines (Windows or Linux): you need to carry out the configuration of the network settings as described in the configure device proxy and internet connectivity settings.
  • On-premises machines: you need to connect the target machines to Azure Arc and you’ll find the details on doing that in Connect hybrid machines with Azure Arc-enabled servers.
  • When it comes to Windows servers you’ll have to check and see that your servers meet the requirements for onboarding Microsoft Defender for Endpoint.
  • And for those who have moved their subscriptions between Azure tenants then they will be required to also carry out some manual preparatory steps.

Expanding security capabilities

The threats that organizations are facing will constantly evolve and so Microsoft Defender for Endpoint needs to keep enhancing its capabilities. By doing so, it remains a leading endpoint protection solution that can reinforce the security of your organization and minimize the risk of compromise. There have been a few features that have been announced recently and they are worth taking a look at.

Expanded capabilities at the network layer

In recent years, a lot of organizations have unfortunately had to deal with the increasing number of network-based attacks that are targeting endpoints. Subsequently, there are several reliable endpoint solutions that organizations can use to identify and deal with those threats.

However, the challenge that security teams will face is getting the necessary information that would enable them to identify any suspicious network communications on a device early on during the attack.

With that in mind, Defender for Endpoint is looking to strengthen its endpoint security defenses so as to give organizations greater protection at the network layer. Consequently, this will give your security team the tools they need to swiftly detect and remediate any threats.

Deep packet inspection support

Greater insights regarding endpoint activity at the network layer can vastly improve how efficiently organizations can mitigate network-based threats. To that end, Microsoft Defender for Endpoint has developed a new open-source partnership with Zeek. All in all, this is going to help by improving the way that attacks are handled by leveraging deep packet inspection support.

Ultimately, this will give your organization greater visibility into network signals across all the Defender for Endpoint devices. Those in the security department will be glad for the excellent signals they will receive for advanced threat hunting, the easier discovery of IoT devices, as well as vastly enhanced detection and response capabilities.

Because of the partnership Microsoft has with Corelight, the integration of Windows with Zeek is going to reinforce your organization’s security against network-based threats. In the long run, this is going to give you far greater overall endpoint security.

Detection and remediation of command and control attacks at the network layer

One of the key things that will help security teams quickly and accurately identify threats is having access to tools with excellent detection capabilities. Correspondingly, as the need for these kinds of tools grows, Microsoft has announced the release of Network Protection command and control (C2) detection and remediation capabilities for Defender for Endpoint.

By equipping security teams with these tools, network C2 attacks can then be detected a lot earlier during the attack. As a result, you will reduce the spread by swiftly blocking any further progression of the attack. In addition, the easy removal of malicious binaries will reduce the time needed for mitigation.

This capability inspects network packets, assesses them for C2 malware configuration patterns, and searches for any type. Defender for Endpoint has a Network Protection (NP) agent that is going to verify what the true nature of the connection is.

And this is something that it does by mapping the outbound connection’s IP address, port, hostname, and other NP connection values, with the Microsoft Cloud. The process will then leverage AI and scoring engines to decide whether the connection is malicious. At this point, certain actions will be implemented to block the connection and roll back the malware binaries on the endpoint to their previous clean state if detected.

Microsoft 365 Defender will display an appropriate alert under Incidents and alerts once detection has been made. Your security team can then verify the available information including the alert name, the severity level of the detection, the device status, and more. If you want to view more details on the alert, you can do so with a full timeline as well as the attack flow relative to your environment.

Wrap Up

The threat landscape that organizations are having to deal with is becoming increasingly worrying. By the same token, those looking to exploit potential vulnerabilities in organizations’ networks have grown more adept at compromising systems. By and large, we are witnessing some incredibly sophisticated cyberattacks that are targeting endpoints which they often identify as the weak point for infiltrating a network.

Organizations must seriously rethink their approaches to security because of this, and as more and more organizations adopt hybrid work environments, it becomes crucial to secure your endpoint devices to avoid vulnerability.

Failing to do so can have catastrophic consequences for organizational operations, data security, intellectual property, and much more. This is why Microsoft Defender for Endpoint can provide the perfect suite of capabilities to reinforce your security.

It gives you a comprehensive endpoint solution that goes far beyond what your legacy antivirus services can offer. Equally important, as emerging threats are attacking in extremely complex ways, it can only be good for businesses to have a solution that can deliver intelligent detection and response capabilities.    

Taking A Closer Look At Windows 365 Security

The idea of having a desktop that you can access from just about anywhere is an incredible option to have. Not only that but you can do so using your PC, tablet, or smartphone. As can be seen by the disruptions we witnessed to business activities at the height of the pandemic, the lack of viable options can be disastrous. Hence why the Windows 365 Cloud PC has been very well received by organizations since coming onto the scene in 2021. It gives organizations a solution that they may not have had a few years back.

You can provide desktops for employees regardless of where they are working from. Be it at home or in the office, the Cloud PC remains accessible and productivity levels can be maintained.

But, the key question is how secure is Windows 365? Can the corporate network remain secure with the use of Cloud PCs?

Getting started with Windows 365

Organizations that use Windows 365 will benefit from an end-to-end connection flow for all their employees thus allowing them to work in a secure environment. Windows 365 has been designed with Zero Trust principles being integral to the security structure.

What this means is that clients have a great foundation that allows them to apply controls that help them to better secure their environments across the 6 pillars of Zero Trust. Microsoft allows you to implement Zero Trust controls in the following areas:

  • Securing access to the Cloud PC – this is something that is crucial to Identity and it enables you to set the specific regulations concerning who can access the Cloud PC and under which conditions.
  • Securing the Cloud PC device itself – the actual Cloud PC devices that one uses to access corporate resources require extremely high security. So this is an important category that allows for the securing of the Endpoint by placing extra security measures on the devices themselves.
  • Securing the Cloud PC data and other data available while using the Cloud PC – this last area allows you to place additional security measures to secure the data itself that users will need to access. Also, you can place extra measures on how Cloud PC users can access the data.

Default features

Microsoft has a few features that are enabled on all new Cloud PCs by default. These include:

  • Virtual Trusted Platform Module (vTPM): a vTPM is a virtualized version of a hardware Trusted Platform Module and is designed to be compliant with the TPM 2.0 spec. What it offers you is a dedicated secure vault for keys and measurements. With trusted launch, your virtual machine will get its own dedicated TPM instance that will run in a secure environment outside the reach of any VM.
  • Secure boot: this next feature could be described as something that provides the foundation of trusted launch. Secure boot is a mode that is implemented in platform firmware and enhances the overall security posture by protecting against the installation of malware-based rootkits and boot kits. Basically, what you get is a system that ensures that only signed operating systems and drivers can boot. Therefore, any image that Secure Boot fails to authenticate will be restricted from booting.

As a result of having the above features enabled, Windows 365 will support the enabling of the Windows security features below:

  • Hypervisor Code Integrity (HVCI)
  • Microsoft Defender Credential Guard
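The features listed above are enabled by Microsoft on the Cloud PC, but a defender still wants to confirm they are actually running before relying on them. The script below is an added example (not code from the original post or from Microsoft) that reads the Secure Boot, TPM and virtualization-based security state from inside a Cloud PC; it assumes an elevated PowerShell session on a Windows 10/11 guest, and the `Get-VbsSecurityStatus` function name is this example's own.

```powershell
# Added example (not from the original post): verify on a Cloud PC that the
# trusted-launch features the section lists are active. Run elevated, on the Cloud PC.

function Get-VbsSecurityStatus {
    # Secure Boot state as reported by UEFI firmware; the cmdlet throws on a
    # non-UEFI machine, which we treat as "not enabled".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # TPM presence and readiness; on a Cloud PC this is the vTPM.
    $tpm = Get-Tpm

    # Device Guard status. SecurityServicesRunning contains 1 when Credential Guard
    # is running and 2 when HVCI (hypervisor-enforced code integrity) is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        SecureBootEnabled      = [bool]$secureBoot
        TpmPresent             = [bool]$tpm.TpmPresent
        TpmReady               = [bool]$tpm.TpmReady
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

$status = Get-VbsSecurityStatus
$status | Format-List

# Report anything not in the expected state so the check can run from a script or
# a proactive remediation job rather than being eyeballed.
$gaps = $status.PSObject.Properties | Where-Object { -not $_.Value } | Select-Object -ExpandProperty Name
if ($gaps) {
    Write-Warning ("Not active on this Cloud PC: " + ($gaps -join ', '))
} else {
    Write-Host 'Secure Boot, TPM, Credential Guard and HVCI are all active.'
}
```

Note that vTPM and Secure Boot are the prerequisites; HVCI and Credential Guard only show as running once they have been turned on through policy (for example an Intune endpoint security profile), so a fresh Cloud PC can legitimately report the first three as true and the last two as false until that policy lands.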

Automatic enrollment

Another key thing that Microsoft advises clients to do to secure their Windows 365 Cloud PCs is to configure devices to enroll into MEM using automatic enrollment. However, to do that, you need to meet the following requirements:

Sign in to Intune in Microsoft Endpoint Manager

Start by signing in to the MEM admin center as a Global administrator. If you are using the Trial subscription, then the account you used to create the subscription becomes the Global administrator.

Set up Windows 10/11 automatic enrollment

If you want to enroll both corporate and bring-your-own devices, you’ll have to use MDM enrollment. In addition, you have to sign up for a free Azure AD Premium subscription.

  1. Navigate to the MEM admin center. Select All services > M365 Azure Active Directory > Azure Active Directory > Mobility (MDM and MAM).
  2. Choose Get a free Premium trial to use this feature. This enables auto-enrollment using the Azure AD free Premium trial.
  3. Select the Enterprise Mobility + Security E5 free trial option.
  4. Click Free trial > Activate the free trial.
  5. Choose Microsoft Intune to configure Intune.
  6. Go to the MDM user scope and select Some. This enables you to use MDM auto-enrollment to manage enterprise data on your employees’ Windows devices. This will configure MDM auto-enrollment for AAD joined devices and bring your own device scenarios.
  7. Click Select groups > Contoso Testers > Select as the assigned group.
  8. And then for data management on your workforce’s device, choose Some from the MAM Users scope.
  9. Choose Select groups > Contoso Testers > Select as the assigned group.
  10. And then, for the remaining configuration values, you’ll use the default values.
  11. Choose Save.

Windows 365 Business

Windows 365 comes in two different options to cater to the various businesses and their different needs. Microsoft intends for Cloud PCs to be available for both small and large enterprises. Therefore, smaller organizations have Windows 365 Business that can meet the needs of the business.

If your organization does not have an IT department/staff or central IT management solutions then this is the option for you. This option gives end users local admin rights to their Cloud PCs in a way that is typically seen with smaller businesses.

In instances where IT would like to use Windows 365 Business for a particular scenario, Microsoft recommends sticking to standard IT protocols. That is, of course, if you intend to set users as standard users on their devices. You can use Microsoft Endpoint to carry this out and to do so you need to follow the steps below:

  • The process starts with device configuration to enroll the devices in MEM using automatic enrollment.
  • The next step involves the management of the Local Administrators group. This can be done using Azure Active Directory (Azure AD) or using Microsoft Endpoint Manager.
  • In addition, it would be a good idea to have Microsoft Defender Attack surface reduction (ASR) rules enabled. This would be very useful because these rules are in-depth defense mitigations for specific security concerns, such as blocking credential stealing from the Windows local security authority subsystem.
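The three steps above (enrollment, local Administrators membership, ASR rules) and the Network Protection C2 detection described earlier in the post are all things you can apply and check from PowerShell on the Cloud PC itself. The following is an added example, not code from the original post or from Microsoft; it assumes an elevated session with the built-in Defender cmdlets (`Get-MpPreference`, `Add-MpPreference`, `Set-MpPreference`), and the function names `Set-AsrRule`, `Get-AsrRuleState`, `Enable-NetworkProtection` and `Get-NonDefaultLocalAdmins` are this example's own. The rule GUID is the one Microsoft publishes for the LSASS credential-stealing rule; check it against the current ASR rule reference before rolling it out.

```powershell
# Added example (not from the original post): apply and verify the Defender hardening
# described above on a Windows 365 Business Cloud PC. Run elevated on the Cloud PC.

# ASR rule "Block credential stealing from the Windows local security authority
# subsystem (lsass.exe)", as listed in Microsoft's ASR rule reference.
$LsassRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

function Set-AsrRule {
    param(
        [Parameter(Mandatory)] [string] $RuleId,
        [ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'AuditMode'
    )
    # Add-MpPreference adds to (or updates) the configured rule list instead of
    # replacing it. Start in AuditMode, review the audit events, then switch to Enabled.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Mode
}

function Get-AsrRuleState {
    param([Parameter(Mandatory)] [string] $RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    $i = 0
    while ($i -lt $ids.Count -and $ids[$i] -ne $RuleId) { $i++ }   # -ne is case-insensitive
    if ($i -ge $ids.Count) { return 'NotConfigured' }
    # Action codes reported by Get-MpPreference: 0 Disabled, 1 Block, 2 Audit, 6 Warn
    switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
        0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
    }
}

function Enable-NetworkProtection {
    param([ValidateSet('AuditMode', 'Enabled')] [string] $Mode = 'Enabled')
    # Network protection is the component that evaluates outbound connections,
    # which the C2 detection feature described earlier in the post builds on.
    Set-MpPreference -EnableNetworkProtection $Mode
}

function Get-NonDefaultLocalAdmins {
    # Lists Administrators group members other than the built-in Administrator account
    # so that unexpected admin grants on a Business Cloud PC stand out for review.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.Name -notmatch '\\Administrator$' } |
        Select-Object Name, PrincipalSource
}

# Usage: audit first, then verify the resulting state.
Set-AsrRule -RuleId $LsassRuleId -Mode AuditMode
Enable-NetworkProtection -Mode Enabled

"LSASS ASR rule state : $(Get-AsrRuleState -RuleId $LsassRuleId)"
"Network protection   : $((Get-MpPreference).EnableNetworkProtection)   (0 Disabled, 1 Enabled, 2 Audit)"
'Local Administrators members other than the built-in account:'
Get-NonDefaultLocalAdmins | Format-Table -AutoSize
```

Once MEM enrollment is in place, the same settings are better delivered centrally through an Intune endpoint security profile so that they survive a Cloud PC reprovision; the script is still useful as a local check that the policy actually took effect.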

Windows 365 Enterprise

When it comes to Windows 365 Enterprise, the process is slightly easier for IT admins. This is because, for the Enterprise license, Cloud PCs are automatically enrolled. Not only that but they also get reporting of Microsoft Defender Antivirus alerts as well as optional onboarding into Microsoft Defender for Endpoint capabilities.

By default, Enterprise users are automatically set up as standard users. However, admins still retain the option to make per-user exceptions when necessary. The guidelines for users of Windows 365 Enterprise Cloud PCs are as below:

  • Users should stick to standard Windows 10 security practices. This also means restricting access to your Cloud PC using local administrator privileges.
  • You need to deploy Windows 365 security baselines to your Cloud PC from MEM. Furthermore, you should utilize Microsoft Defender to protect your endpoints, especially all Cloud PCs.
  • Taking advantage of Azure AD conditional access is a must. With features such as multifactor authentication (MFA) and user/sign-in risk mitigation, you can significantly reduce the risk of unauthorized access to your Cloud PC.

Enhancing your security posture with Windows 365

Microsoft offers organizations security recommendations that are meant to enable you to improve your security. These guidelines are as follows:

Conditional Access

Microsoft recommends the use of Conditional Access policies to improve your authentication processes. These policies are central to the zero trust strategy and help to secure your corporate network by putting strict controls concerning which devices can access it and how. You can even configure Conditional Access policies to meet the specific needs of your business and your Windows 365 environment.

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint (MDE) has been described as an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Organizations can connect MDE to their Cloud PC devices and thus have access to security procedures that are an industry standard for endpoint protection.

You can significantly improve your security because of how MDE can easily integrate with other Microsoft security tools. Clients with Windows 10 or Windows 11 licenses will get Microsoft Defender and Microsoft Defender Firewall as part of Windows Security which comes with their subscriptions. This also includes firewall and network protection, account protection, virus and threat protection, and device security among others.

Another thing to be aware of is that if you have a Microsoft 365 E5 plan then you’ll also get Microsoft 365 Defender. This service, which may also be purchased as an add-on for other Microsoft 365 subscriptions, compiles security data from the Microsoft 365 ecosystem and organizes it into a centralized dashboard.

And the way this dashboard has been designed simplifies the task for admins by making it easier to detect and respond to threats while setting aside the non-urgent. Ultimately, leveraging this security platform will help organizations to provide next-generation cybersecurity for their Windows 365 environment.

Intune compliance

The use of Intune compliance policies is highly recommended as a way to set the requirements and settings that users and devices must abide by to be considered compliant. These policies can be used in conjunction with Conditional Access policies for your Windows 365 environment. This means that you can block any non-compliant devices from accessing corporate resources until any issues have been resolved.

Regular updates

Another recommendation that Microsoft gives has to do with OS updates. Devices need regular updates to not only maintain high levels of security but to keep enhancing performance as well. Occasionally, vulnerabilities are discovered that may be exploited so updates will help mitigate those issues and provide new features as well. And when it comes to Cloud PCs, IT admins can use Endpoint Manager to configure Intune Windows 10/11 update rings and policies for Windows Update for Business.

Admin rights

With regard to Windows 365 Business, the target market is small businesses that may not have an IT team to manage the environment. So it makes sense that users are granted local admin rights. For Windows 365 Enterprise, on the other hand, users will not get those same privileges. And this is by default so as to be in line with Windows 10/11 security guidance.

Integration

Microsoft further enhances the overall security by having an integration between Microsoft Defender for Endpoint and Windows 365. What this means is that security and endpoint admins can collaborate on the management of the Cloud PC environment just like for any regular physical endpoint. If subscribed, Cloud PCs will:

  • Send data through to Microsoft 365 Secure Score.
  • Have the option to view unhealthy PCs on the Microsoft Defender for Endpoint Security Center and threat analysis dashboards.
  • The response of Cloud PCs to remediation measures will replicate that of any other managed devices.

Deployment of security baselines

Every organization needs specific security controls that can help to address its cybersecurity needs. To ensure the highest level of security, Microsoft recommends using industry-standard security measures that have been well-tested.

With Windows 365 security baselines, you’ll be getting Microsoft-recommended security measures that are based on best practices and expert feedback. This will help to improve the security of your Cloud PCs because of the recommendations you benefit from. Windows 365 security baselines are going to affect the following areas:

  • Windows 10 settings: 1809
  • MDATP settings: version 4
  • Edge settings: April 2020 (Edge version 80 and later)

Applying Windows 365 baselines

Microsoft also optionally allows you to apply Windows 365 security baselines to the Azure AD groups containing Cloud PC devices in your tenant. Once you are ready to deploy the security configurations, you’ll follow the steps below:

  1. Navigate to the Microsoft Endpoint Manager admin center and sign in. Then select Endpoint Security > View Security Baselines.
  2. Select Cloud PC Security Baseline (Preview).
  3. Next, you select Create Profile and then give a name for the profile.
  4. The groups of settings for the baseline you chose can now be viewed on the Configuration settings tab. If you want to view the settings in a particular group as well as the default values for those settings in the baseline, all you need to do is expand the group. And if you want to see specific settings:
     • Select a group to expand and from there you can review the available settings.
     • You can use the search bar to type in specific keywords so that you get results displaying only the groups that match your search criteria.

Default configurations

All the settings in a baseline will have default configurations for that particular baseline version. To cater to varying business needs, Microsoft gives you the option to reconfigure the default settings. You will also notice that depending on the intent of the baseline, some baselines will have the same setting but will use different default values for that setting.

  5. Next, go to the Assignments tab and select a device group with Cloud PCs to include. After that, you’ll need to assign the baseline to one or more groups with your Cloud PCs. You can use Select groups to exclude to fine-tune the assignment.
  6. After completing the above and you’re ready for deployment, go to the Review + create tab and review the details for the baseline. To save and deploy the profile click on Create.

Application of the baseline to the assigned group is carried out immediately following the creation of the profile.

Implementing Conditional Access

Conditional Access is a system designed to enhance the security of corporate networks by restricting access to verified and compliant devices. Being a policy-based approach allows you to configure the specific conditions that you want to apply to the access controls. As Microsoft puts it, these policies are basically “if-then” statements. If a user needs to access certain resources on the corporate network then it follows that he/she will need to meet certain requirements. Using Conditional Access can help you to accomplish the following:

  • Enable users to maintain productivity levels wherever they may be.
  • Safeguard corporate resources.

Assigning Conditional Access policies to Cloud PCs

Windows 365 Enterprise admins should be aware that Conditional Access policies aren’t set for tenants by default. So to assign policies to the Cloud PC first-party app you’ll need to use either of the following services:

  • Azure
  • Microsoft Endpoint Manager, by performing the steps below:

  1. Navigate to the MEM admin center and sign in. Proceed to select Endpoint Security > Conditional Access > New Policy.
  2. The specific Conditional Access policy that you want will require you to provide a name for it.
  3. Go to the New Policy tab and select Specific users included which you’ll find under Users and groups. Next, you need to pick the specific user or group that you want to target with the policy. You also get the option to Exclude certain users or groups if that’s the way you want to set up.
  4. Select No cloud apps, action, or authentication contexts selected. You can find this option under Cloud apps or actions.
  5. Select Cloud apps > Include > Select apps.
  6. Next, head over to the Select pane. Here you’ll need to search for and select the apps below:
     • Windows 365 (you can also search for “cloud” to find this app).
     • Windows Virtual Desktop (this may also appear as Azure Virtual Desktop).

More to know about Windows 365

Choosing both of the apps above ensures that the policy is applied to the Cloud PC end-user portal as well as to the connection to the Cloud PC. Choosing both of these apps is also necessary if you want to be able to exclude apps.

  • Fine-tuning a policy can be performed by going over to Access and then choosing the options that you want to apply to all objects assigned to this policy.
  • Before you proceed any further you may want to test the policy. This can be done by going to Enable Policy and turning the setting Report-only to Off. This will prevent the policy from being applied as soon as you’ve completed the creation process.
  • All that’s left now is for you to select Create and you’ll complete the creation of the policy.
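The portal steps above can also be scripted, which is handy when the same policy has to exist in several tenants or be kept in version control. The block below is an added example (not code from the original post or from Microsoft) that builds the same policy with the Microsoft Graph PowerShell SDK: it targets a user group, includes both the Windows 365 and Azure/Windows Virtual Desktop apps, requires MFA, and creates the policy in report-only mode so its impact can be reviewed before enforcement. It assumes the Microsoft.Graph modules are installed, that the signed-in account can manage Conditional Access, and that a group named CloudPC-Users exists (a hypothetical name); `Get-AppIdByName` is this example's own helper.

```powershell
# Added example (not from the original post): create the Conditional Access policy
# described above with Microsoft Graph PowerShell instead of the MEM portal.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

function Get-AppIdByName {
    param([Parameter(Mandatory)] [string[]] $DisplayNames)
    # Resolve a first-party app's application (client) ID from its service principal,
    # which is what the portal's "Select apps" search does. Several names are accepted
    # because the AVD app shows up as either "Windows Virtual Desktop" or "Azure Virtual Desktop".
    foreach ($name in $DisplayNames) {
        $sp = Get-MgServicePrincipal -Filter "displayName eq '$name'"
        if ($sp) { return @($sp)[0].AppId }
    }
    throw "No service principal named $($DisplayNames -join ' / ') exists in this tenant."
}

$apps = @(
    (Get-AppIdByName 'Windows 365'),
    (Get-AppIdByName 'Azure Virtual Desktop', 'Windows Virtual Desktop')
)

# Hypothetical target group; substitute the group that holds your Cloud PC users.
$group = Get-MgGroup -Filter "displayName eq 'CloudPC-Users'"
if (-not $group) { throw 'Target group CloudPC-Users not found.' }

$policy = @{
    displayName = 'Cloud PC - require MFA (report-only)'
    # Report-only evaluates the policy and logs the outcome without enforcing it,
    # matching the "test the policy first" advice in the steps above.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @(@($group)[0].Id) }
        applications = @{ includeApplications = $apps }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

After the report-only period, review the policy's sign-in log results and then switch `state` to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy`), keeping at least one break-glass account excluded so an MFA outage cannot lock administrators out of the tenant.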

If you want to see the list of your active and inactive policies, navigate to the Policies view in the Conditional Access UI.

Windows 365 wrap up

Remote desktop services offer countless benefits to businesses that can help enhance the overall performance of the business. Businesses can easily have hybrid workforces without having to sacrifice productivity. Not only that but services like Windows 365 ensure that if an unexpected event such as the COVID-19 pandemic occurs, the disruption to business activities can be minimized.

However, all of this doesn’t mean much without the best security features you can get to safeguard corporate data as well as the physical devices that employees use. And Microsoft has provided Windows 365 clients with a wide array of security features to ensure that Cloud PCs have next-generation protection. This will make it such that the user experience becomes significantly better.

Getting Set up With Windows 365

Cloud computing and the Cloud PC have come a long way in the last couple of decades. As a way of delivering various on-demand IT resources over the internet, cloud computing has an endless list of applications. These can then offer individuals and organizations alike access to resources that may otherwise be beyond their means.

As you can imagine, the cost of running an on-premises IT environment can be very steep. This is why cloud computing is being adopted by a lot of organizations as they realize the benefits and convenience you get. And Microsoft has been providing these services for a long time but with Windows 365, the company is looking to make cloud computing even better.

Windows 365

Windows 365 is a Desktop as a Service offering that was introduced by Microsoft in 2021. It is designed to provide both small and large organizations with a cloud computing environment that can adequately meet the various needs. And when you consider that Microsoft already had other virtualization technologies on offer, you can trust that this new service will give you some of the best of those other technologies.

In fact, Windows 365 is built on the Azure infrastructure so that already breeds confidence in the service. Microsoft has basically leveraged its existing products and gone for a new approach to delivering virtual desktop infrastructure. Organizations can use the Cloud PC to increase security as well as productivity. In addition, having a cloud-based Windows PC can also help employees collaborate better regardless of where they physically are.

By using the Windows 365 Cloud PC, users will be able to stream their Windows PC to any supported device. And this is something that you can do using either a browser or a native RDP client.

Rooted in simplicity

Arguably the key foundational concept of Windows 365 is simplicity and so Microsoft has designed the service to be relatively easy to set up and use. In line with that, you’ll get to use all your favorite tools such as Microsoft 365, Microsoft Dynamics 365, Microsoft Power Platform, and plenty more.

Furthermore, Windows 365 comes in two editions to cater to both small and large enterprises. The Windows 365 Business edition targets the small to medium enterprise sector that may only need a few desktops. Organizations can get up to 300 desktops and will be charged a fixed rate that depends on the selected hardware configuration.

For larger enterprises, there is Windows 365 Enterprise which can help you to integrate the desktops with your existing Azure virtual network.

Simplifying virtual desktop infrastructure

One of the things that Windows 365 aims to do is to ensure that it can avail cloud computing to as many people as possible. With traditional VDI environments, you would need to set up a server, install applications, and then provide access to users.

But, Windows 365 does away with all of that. Microsoft has designed a product that has all the building blocks automated for you and will take care of all the virtualization. In addition, the service can scale with you in a highly optimized way to use Microsoft 365 apps.

Your organization doesn’t need to worry about the hardware and software configurations of the devices that your users have. Admins will be particularly glad to hear this because it means that deployment will become significantly easier and faster.

Traditional VDI may sometimes have limitations regarding where one can get access. This is not so with Windows 365 as users can access their Cloud PCs from anywhere on almost any device. The kind of freedom that Windows 365 gives its users is what makes it the ideal product for an increasingly hybrid world.

Device requirements

So, before you get started with setting up your Windows 365 environment, you’ll need to find out what the device requirements are. Are there any specific devices that your organization needs to purchase if you want to use Windows 365? Fortunately, there’s not much to worry about in this regard because Microsoft wants to make accessing Cloud PCs convenient and easy.

Therefore, Windows 365 will do this by allowing you to use most devices which Microsoft also hopes will help you reduce your IT costs in the hardware department. Because Windows 365 is essentially PC hardware that runs in the cloud, the importance of your actual physical device is significantly less.

As long as you have an internet connection, you’ll be able to operate a reasonably powerful Windows PC using just about any device. To access this Cloud PC, you can use any modern browser or the Remote Desktop app.

Additional benefits of Cloud PC

A setup like this is going to be extremely beneficial for organizations that have a sizeable remote or seasonal workforce. Your organization won’t need to make a massive investment in hardware for all those employees. Even better is the fact that they’ll be able to easily access these Cloud PCs anywhere without losing any progress.

In short, all Windows 10 and Windows 11 devices should be compatible with Windows 365. The best part, however, is that clients will be able to easily stream a Windows 365 session to hardware running macOS, iOS, Linux, and Android.

However, for the best experience, Microsoft recommends devices that have a traditional keyboard and mouse. For the most part, as long as your device has an HTML5 browser and a DSL connection or a wireless internet connection capable of streaming a video you will be just fine. The amount of bandwidth that you’ll need, however, will depend on your workload.

How much does it cost?

Microsoft offers Windows 365 at varying prices to cater to the different needs of the target organizations, from the small outfit needing only a handful of PCs to the larger enterprises that may require unlimited options. Not only that, but it also helps to ensure that users will only pay for what they need.

So, support staff can get a Cloud PC that works for them, and individuals such as engineers that have heavier computing needs can also get something that suits them. You can get Cloud PCs in multiple configurations from $20 per user per month for the lowest-end SKU, to $162 per user per month for the most expensive one.

This fixed per month pricing model is something else that distinguishes Windows 365 from Azure Virtual Desktop which is consumption-based. And if the need to scale up ever arises then you have the option of doing that by getting a different subscription.

Windows 365 Business Edition

For the Windows 365 Business edition, the $20 per user per month fee is going to get you a single virtual core, 2GB of RAM, and 64GB of storage. However, this price requires Windows Hybrid Benefit, which is Microsoft’s Bring-Your-Own license model that is designed to help clients apply existing (or new) licenses toward the cost of a product.

Otherwise, if you don’t have Windows Hybrid Benefit then the cost goes up to $24 per user per month. At the other end of the spectrum, clients will be able to purchase the Business SKU that offers eight virtual cores, 32GB of RAM, and 512GB of storage for $158. And similar to the previous one, without Windows Hybrid Benefit the cost goes up, this time to $162.

Larger organizations have the Windows 365 Enterprise edition designed for them and the pricing range is similar. Users that have lighter computing needs can get a single virtual core with 2GB of RAM and 64GB of storage for $20 per user per month. And for the other users that require virtual machines that can deliver significantly more, you can get an option that gives you eight virtual cores, 32GB of RAM, and 512GB of storage for $158 per user per month.

Provisioning with Cloud PC

The provisioning process is going to create a Cloud PC virtual machine and then set it up for a user. Provisioning also enables the completion of other tasks that will prepare the machine for use as well as the sending of access information to the user. To start the process, admins will have to provide configuration details to set up the process.

Once that’s been done, users that have a Windows 365 license that matches the configuration details will automatically get Cloud PCs provisioned for them. However, each user and license pair can only have one Cloud PC provisioned for them because the provisioning setup works on a one-time per user and per-license basis. The steps of the provisioning process are given below:

  • A provisioning policy is created to manage access to the Cloud PCs. These provisioning policies are integral to the process because they are responsible for building, configuring, and availing Cloud PCs to end-users. As such, each policy needs you to provide information about the on-premises network connection, the image used to create each Cloud PC, and an Azure AD user group.
  • The provisioning process will begin with the assignment of a Windows 365 license to users in the Azure AD user group. Subsequently, Windows 365 will then proceed with the automatic provisioning of the Cloud PC. And after doing that, the necessary access information will be sent to the user. The automation is performed in 3 phases that will remain invisible to the administrator.
  • Once all the above has been carried out successfully, what only remains is for the end user to get the access data that will provide them with access to sign in to the Windows Cloud PC from anywhere.

Improving the Cloud PC setup process

In the first few months of 2022, Microsoft announced that it was implementing a few changes meant to make setting up Cloud PCs even easier. The announcement informed us about how Windows 365 was going to get the “join” feature. Azure AD joined devices are those whose computer object is no longer stored in the on-premises Active Directory Domain Services environment.

Instead, it is now located in Azure Active Directory. By using Azure AD Join you’ll be able to join devices directly to Azure AD without the need to join to on-premises Active Directory. And all this can be done while keeping your users productive and secure. Your admins can easily leverage Azure AD Join for both at-scale and scoped deployments. According to Microsoft, this feature was highly requested by organizations who wanted to simplify the onboarding process.

Microsoft’s announcement

When Microsoft made the announcement, it was said that Azure AD join had been the most requested feature since Windows 365 reached general availability. So, admins will be glad to know that they now have the possibility of using Azure AD join as a Cloud PC join type option.

Therefore, what this means for organizations is that you no longer need to have an existing Azure infrastructure to use the service but just your Azure AD users. All of this has been done to make it easier for admins to onboard users using Azure Active Directory.

Expectedly, this presents a massive upgrade, especially when looking at how integral Azure AD is to Microsoft’s identity and security services. Bringing the ‘join’ feature to the Windows 365 platform will go a long way in maintaining the theme of ease of use that Microsoft has described for its Cloud PC.

Before this upgrade, the ‘join’ feature had helped businesses that use the on-premises version of Active Directory by functioning as a device-joining bridge. Simply put, adding Azure AD Join to the Windows 365 platform is going to enable admins to enroll devices without the need to have on-premises Active Directory. Now all you need to do is use your Azure AD users.

Accessing your Cloud PC

After everything has been set up it’s time for users to learn just how they can connect to the Cloud PC. We need to clarify what clients can be used as well as what options the end-users will have. Also, we need to know how administrative credentials can be provided to the end-user. Microsoft has provided two ways for users to connect to the Cloud PC:

  1. Web browser – the first method that users have for accessing the Cloud PC is via a web browser. All you have to do is simply navigate to windows365.microsoft.com. Once there, you can log in with the user credentials that have a desktop provisioned. The portal will show you an overview of the desktops available to you. However, to access the Cloud PC using this website, users’ devices need to meet the following requirements:
     • supported operating systems: Windows, macOS, ChromeOS, Linux;
     • a modern browser like Microsoft Edge, Google Chrome, Safari, or Mozilla Firefox (v55.0 and later).

Task management

When using windows365.microsoft.com, end users can carry out various tasks on their Cloud PCs. They only need to select the gear icon on a Cloud PC card.

  • rename: doing this will change the name of the Cloud PC that the user sees on the website. But, performing this action doesn’t change any name in Microsoft Endpoint Manager. Nor does it change Azure Active Directory, on the device, or in the Remote Desktop Apps.
  • restart: this will restart the Cloud PC.
  • troubleshoot: whenever a user is encountering challenges with connecting to the Cloud PC, this will help to resolve those challenges. A few checks will verify that all the files and agents necessary for connectivity have been properly installed. There will also be a check for the availability of Azure resources.
  2. Remote desktop – the second method that Microsoft offers clients for connecting to the Cloud PC. This works by using the Microsoft Remote Desktop app. This is designed to enable users to access and control a remote PC, including a Cloud PC. So, for those who have been using Azure Virtual Desktop, this is an app they will already be familiar with. Setting up the Remote Desktop is a relatively simple process that requires you to follow a few steps:
     • first, you’ll have to download the Remote Desktop app. You can find it on the Download App page at www.microsoft.com/windows-365?rtc=1.
     • next, you select Subscribe.
     • the next step will require you to enter your Azure Active Directory credentials.
     • you will then see the Cloud PC appear on a list. Simply double-click it to launch.

Cloud PC security

Microsoft provides Cloud PCs with good security measures straight out of the box. And just like you have with your physical computers, Windows 365 Cloud PCs will come with Microsoft Defender. This helps to ensure that your device is secure from the first-run experience.

Also, the provisioning of the Cloud PCs is done using a gallery image. To ensure improved security, the image will have the latest updates for Windows 10 through Windows Update for Business. However, there are a few differences between what exactly you’ll get for Windows 365 Business and for Windows 365 Enterprise.

Windows 365 Business

Since Windows 365 Business is a service aimed at smaller organizations, particularly those that may not have IT staff, users on this edition are granted local admin rights to their Cloud PCs. This basically replicates what happens with a lot of small businesses, where users purchase computers and retain local admin rights.

IT departments that want to use Windows 365 Business for particular cases need to follow standard security practices, which means making those users standard users on their devices. To use MEM for this approach, you’ll need to follow the guidelines below:

  • The process starts with device configuration to enroll the devices in MEM using automatic enrollment.
  • The next step involves the management of the Local Administrators group. This can be done using Azure AD or MEM.

  • In addition, it would be a good idea to have Microsoft Defender Attack Surface Reduction (ASR) rules enabled. This would be very useful because these rules are in-depth defense mitigations for specific security concerns. These include blocking credential stealing from the Windows local security authority subsystem.

Windows 365 Enterprise

When it comes to Windows 365 Enterprise, you’ll start to see some significant differences right away. This edition intends to serve organizations that have dedicated IT teams. This makes things slightly easier for IT, too. It provides a system that is based on the management and security that Microsoft Endpoint Manager provides. All Cloud PCs in Windows 365 Enterprise configure users as standard users by default.

However, admins still have the ability to make exceptions on a per-user basis. Furthermore, all Cloud PCs will be enrolled in MEM with reporting of Microsoft Defender Antivirus alerts. You’ll also get the ability to onboard into the full Microsoft Defender for Endpoint capabilities. Microsoft makes the following security recommendations for users of Windows 365 Enterprise:

  • Users should stick to standard Windows 10 security practices. This also means restricting access to your Cloud PC using local administrator privileges.
  • You need to deploy Windows 365 security baselines to your Cloud PC from MEM. Furthermore, you should utilize Microsoft Defender to protect your endpoints, especially all Cloud PCs.
  • Taking advantage of Azure AD conditional access is a must. With features such as MFA and user/sign-in risk mitigation, you can significantly reduce the risk of unauthorized access to your Cloud PC.

Wrap up about Cloud PC

There has been a lot of talk about remote work and hybrid work environments in recent years. And with the growing interest, a product like Windows 365 is perfect to meet the needs of most organizations. The flexibility and scalability of the platform offer an endless list of benefits. And it makes it valuable to users both at home and in the office.

Additionally, Microsoft built the product to be simple to configure. It’s also easy for businesses that don’t have specialist IT professionals on staff. All of these benefits, among many others, combine to give you an incredible virtual experience that runs on the highly secure Microsoft Cloud.

What You Need To Know About Windows 365 Lifecycle

Organizations rely on countless products to optimize the productivity of staff members. These products can come from different vendors, so it’s extremely important to guarantee the quality of these tools. And when there is a lifecycle policy available, like the Windows 365 lifecycle, organizations are confident. They can be certain that the products they are purchasing have been rigorously tested, are built extremely securely, and will meet any necessary compliance and security regulations. With Windows 365, clients know that they are using a product that meets all of the above and can perform to very high standards.

Windows 365 Lifecycle Policies

Microsoft gives its customers products that come with industry-leading lifecycle policies. These ensure that when purchasing a product, you’ll be receiving something with consistent, transparent, and predictable guidelines for software support and servicing.

And these policies are valid for all Microsoft customers regardless of where they are across the globe. However, it’s important to remember that how these policies are used will depend on the regulatory requirements in other countries. Also, the application of these policies may differ according to the industry sector.

The level of quality that customers get is a result of the development process. Microsoft applies high-quality methods to these Windows 365 lifecycle policies. In addition to the specialists at Microsoft, the process also involves customers, partners, and analysts to produce a policy that meets all expectations.

Because of this, customers can plan better and manage their support requirements effectively. Microsoft provides Fixed Lifecycle policies for products that have defined end-of-support dates at the time of release. Then, for products that will receive continuous support and servicing, there are Modern Lifecycle Policies.

Fixed Windows 365 Lifecycle Policy

This type of policy is aimed at plenty of commercial and some consumer products that customers can acquire through retail purchase and/or volume licensing. It is a policy that offers:

  • A defined support and servicing Lifecycle timeline at the time of product launch.
  • Support that may require you to deploy the latest Service Pack or update.

Modern Windows 365 Lifecycle Policy

This type of policy is designed for products that will be serviced and supported continuously. However, there are certain conditions that need to be met for products and services to remain in support. These requirements are as follows:

  • It will be the customer’s responsibility to ensure that they stay current. This includes servicing and system requirements that are defined for a particular service or product.
  • Customers also need to verify that they are licensed to use the service or product.
  • It’s again necessary to check that Microsoft currently offers support for that service or product.

Microsoft provides a modern lifecycle policy for Windows 365. This ensures Cloud PC users will have a great product that has continuous support.

The Cloud PC lifecycle

Microsoft has developed a setup whereby Windows 365 will coordinate and manage the lifecycles of all Cloud PCs. And due to the fact that Cloud PCs exist only in the cloud, the management of their lifecycles will be significantly easier than that of physical Windows devices. The lifecycle of the Cloud PC comprises 5 stages which are:

  1. Provision
  2. Configure
  3. Protect
  4. Monitor
  5. Deprovision

Provision

In keeping in line with the goal of making things simple, Windows 365 provides clients with an optimized experience for Cloud PC deployment. Microsoft has integrated the admin experience for setting up deployments into the MEM admin center.

The provisioning process will prove to be easier than one may imagine because it is an automated one. All you need to do is assign a Windows 365 license to a user. Then, add them to a group targeted with a provisioning policy, and the provisioning of the user’s Cloud PC will proceed automatically. The process will:

  • create a Cloud PC virtual machine.
  • set it up for the end-user.
  • perform any other necessary tasks to ready the Cloud PC for use.
  • send access information to the user.

A simplified admin experience

What Microsoft has done is create a simplified admin experience that makes the provisioning much simpler and more straightforward. Once you’ve finished providing a few configuration details, Cloud PCs will be automatically provisioned for all users who have a Windows 365 license and matching configuration details.

Because this process is a one-time per user and per license process, a user and license pair can only have a single Cloud PC provisioned for them. The complete process is going to follow the steps below:

  • Starts with the creation of a provisioning policy to manage access to the Cloud PCs. Provisioning policies are key to the entire process as they are responsible for building, configuring, and availing Cloud PCs to end-users. Each policy requires you to provide details regarding the on-premises network connection, the image used to create each Cloud PC, and an Azure AD user group.
  • Assignment of a Windows 365 license to users in the Azure AD user group will begin the provisioning process. And the provisioning of the Cloud PC will be carried out automatically by Windows 365. After which it will then send the necessary access information to the user. The automation is going to proceed in 3 phases that will be invisible to the administrator.
  • The last part of the process involves the end-user receiving the necessary access information. This will allow them to sign in to the Windows Cloud PC from anywhere.

Configure

As for Cloud PCs, they need to be configured and secured similarly to any other endpoint in your environment. Microsoft integrates configuration into the provisioning process thus making it simpler. Every Windows 365 Cloud PC will either be:

  • Azure AD joined or
  • Hybrid Azure AD joined.

Azure AD joined devices can be deployed by any organization regardless of the size or sector of a business. Moreover, Azure AD join will work in hybrid environments. This gives you access to both cloud and on-premises apps and resources. These devices can be signed into using an organizational Azure AD account.

To enhance the security of corporate resources, access can be controlled depending on the Azure AD account as well as the Conditional Access policies that govern the device. You also get Mobile Device Management (MDM) tools such as Microsoft Intune or Microsoft Endpoint Configuration Manager, which admins can use to enhance security and establish greater control over Azure AD joined devices.

Great for hybrid organizations

Hybrid Azure AD joined devices are joined to your on-premises Active Directory and registered with Azure Active Directory. This scenario can be a good option for hybrid organizations that already have on-premises AD infrastructure. The hybrid Azure AD joined devices can be signed into with organizational accounts. This works by using a password or Windows Hello for Business for Win10 and above. The key capabilities available include:

  • Configuration Manager standalone or co-management with Microsoft Intune
  • SSO to both cloud and on-premises resources
  • Conditional Access through Domain join or through Intune if co-managed
  • Self-service password reset and Windows Hello PIN reset on lock screen.

Once the Cloud PCs have been joined, they will be enrolled into Microsoft Endpoint Manager. Because of this enrollment, every Cloud PC will be instantly ready for Azure AD Conditional Access and for management through Microsoft Endpoint Manager, including co-management if necessary.

Microsoft Endpoint Manager plays the vital role of applying compliance policies, which enable you to verify that your Cloud PCs are compliant. Understandably, when it comes to cloud computing, security is of very great concern. Windows 365 does a great job of addressing that through the optimized security baseline that is available for Cloud PCs. Leveraging this baseline would be a good way to securely configure your Cloud PCs with minimal overhead.

However, in case you have concerns, the baseline is optional. Additionally, you’ll find that these baselines have been optimized to ensure that remote connectivity won’t be affected.

Protect

The integration between Windows 365 and the rest of Microsoft 365 intends to ensure that you can secure your Cloud PCs to meet your standards. Similar to physical devices that come with Microsoft Defender for Endpoint, the Windows 365 environment will also get the same security.

Because of Microsoft Endpoint Manager’s integration with Microsoft Defender for Endpoint, your Cloud PCs will get instant protection as soon as provisioning completes. As a result, Cloud PCs get excellent security measures in place from the first-run experience.

Gallery imagery

Also, it’s worth noting that the provisioning of Cloud PCs uses a gallery image. And to further strengthen your security, the image will have the latest updates for Windows 10 through Windows Update for Business. The available features include the ability to use the endpoint detection and response capabilities of Microsoft Defender for Endpoint to determine device risk.

Similarly, you can also get protection for your Windows 365 environment through Azure AD Conditional Access. This protection comes with an option that would be of great interest to certain users whereby you can exclude Windows 365 itself from device compliance policies.

The advantage that this has is that it allows your end users access to their Cloud PCs from any supported device they choose. However, to ensure that those users are securely authenticated, Windows 365 offers multi-factor authentication, sign-in risk, and various other controls.

Updates are another key element in ensuring a highly secure Cloud PC environment. With that in mind, Windows 365 will carry out the installation of the latest quality updates using the Windows Update auto-scan ability.

It’s important to verify that your end users sign in to their newly provisioned Cloud PCs as soon as possible so that the necessary updates can install swiftly. Another thing that you can do to strengthen security is to disable the clipboard and drive redirection so that you optimize data loss prevention. By disabling this feature, users won’t be able to:

  • Copy or paste information from their Cloud PCs to other unmanaged locations.
  • Save files to their personal devices from Cloud PCs.
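As an added example (not from the original post or from Microsoft’s tooling), the following read-only PowerShell audit checks a Cloud PC against the hardening points raised in the Windows 365 Business section above (standard users, a centrally managed Local Administrators group, the ASR rule that blocks credential theft from LSASS) and in this section (clipboard and drive redirection disabled). It assumes it runs elevated on the Cloud PC itself; the registry value names are the ones written by the corresponding Group Policy / Intune settings, and the ASR rule GUID is Microsoft’s published identifier for that rule.

```powershell
# Added example: local hardening audit for a Windows 365 Cloud PC.
# Run in an elevated PowerShell session on the Cloud PC. It reports findings
# and changes nothing, so it can double as a Proactive Remediation detection script.

# Microsoft's published ASR rule ID for "Block credential stealing from the
# Windows local security authority subsystem (lsass.exe)".
$LsassAsrRuleId = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'

# Policy key written by "Do not allow Clipboard redirection" (fDisableClip) and
# "Do not allow drive redirection" (fDisableCdm), whether set by GPO or Intune.
$RdpPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-LocalAdminFindings {
    # Enumerates the local Administrators group. Individual user accounts other
    # than the built-in Administrator (RID 500) are flagged: on a Cloud PC the
    # group should be managed through Azure AD / MEM, not hold end users.
    $members = @(Get-LocalGroupMember -Group 'Administrators')
    foreach ($m in $members) {
        [pscustomobject]@{
            Member     = $m.Name
            Class      = $m.ObjectClass
            Source     = $m.PrincipalSource
            Unexpected = ($m.ObjectClass -eq 'User' -and $m.SID.Value -notmatch '-500$')
        }
    }
}

function Get-LsassAsrRuleState {
    # Looks up the LSASS rule in Defender's configured ASR list and translates
    # its numeric action: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $state   = 'NotConfigured'
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $LsassAsrRuleId) {
            $state = switch ([int]$actions[$i]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' }
                default { "Unknown($($actions[$i]))" }
            }
        }
    }
    [pscustomobject]@{ RuleId = $LsassAsrRuleId; State = $state; Compliant = ($state -eq 'Block') }
}

function Get-RdpRedirectionState {
    # A value of 1 means the redirection is disabled by policy. A missing value
    # means no policy applies, so the redirection is still allowed.
    $p = Get-ItemProperty -Path $RdpPolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ClipboardRedirectionDisabled = ($null -ne $p -and $p.fDisableClip -eq 1)
        DriveRedirectionDisabled     = ($null -ne $p -and $p.fDisableCdm -eq 1)
    }
}

function Invoke-CloudPcHardeningAudit {
    $admins = @(Get-LocalAdminFindings)
    $asr    = Get-LsassAsrRuleState
    $rdp    = Get-RdpRedirectionState
    $unexpected = @($admins | Where-Object Unexpected | ForEach-Object Member)
    [pscustomobject]@{
        UnexpectedLocalAdmins        = $unexpected
        LsassAsrRule                 = $asr.State
        ClipboardRedirectionDisabled = $rdp.ClipboardRedirectionDisabled
        DriveRedirectionDisabled     = $rdp.DriveRedirectionDisabled
        # Compliant only when every check passes.
        Compliant = ($unexpected.Count -eq 0 -and $asr.Compliant -and
                     $rdp.ClipboardRedirectionDisabled -and $rdp.DriveRedirectionDisabled)
    }
}

$audit = Invoke-CloudPcHardeningAudit
$audit | Format-List
# Proactive Remediation convention when run as a script: exit 1 signals non-compliance.
if (-not $audit.Compliant) { exit 1 }
```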

Monitor

For Windows 365 to work effectively for its users, it’s extremely important to verify that the end user gets a virtual machine that can adequately meet their needs. To aid in this operation, Windows 365 integrates with the Endpoint analytics in Microsoft Productivity Score.

These analytics are important for providing you with insights that allow you to measure how your organization is working as well as the quality of the experience that you are delivering to your users.

Leveraging the data on offer can help you identify policies or hardware issues that are causing problems for end users such as long boot times or other disruptions. All of this generally stems from IT not having enough feedback or visibility into the end user experience.

So to resolve this, Endpoint analytics aim to improve user productivity while simultaneously reducing IT support costs thanks to the provision of insights into the user experience.

Additionally, Endpoint analytics gives you a measurement of the compute and memory load on your Cloud PCs. Following this, you can use Windows 365 to resize those Cloud PCs so that they can meet the needs of different users and their apps.

A seamless experience

Along with other device actions, the resize is available in Microsoft Endpoint Manager. And setting it up this way allows you to have a seamless experience between your Cloud PCs and other endpoints.

Another tool that you can use to enhance Cloud PC monitoring and remediation is Proactive Remediation. These remediations are script packages that can detect and fix common support issues on a user’s device before users even realize there’s a problem.

By using these remediations, you can vastly improve the end user experience as well as reduce the load on support staff. They are also very flexible so you can schedule them to run hourly, daily, etc. Not only that but you can create your own script packages to perfectly meet your requirements.

Alternatively, you can deploy one of the provided script packages that should help you in reducing support tickets. Ultimately, by using Proactive Remediation, you can extend the built-in Microsoft 365 optimizations that are provided by Windows 365. These optimizations include those for a heterogeneous IT environment.

Deprovision

Now and again a situation may arise that may require you to revoke a user’s Cloud PC access. And Windows 365 provides you with a couple of remedies. You can use these to remove anyone’s access.

The first method you can use involves removing the user’s license or targeted provisioning following which the Cloud PC will transition into a seven-day grace period. The potential benefit of this option is that it allows for errors and reinstatement in a way that does not affect the user.

Alternatively, if you need to block access immediately, you can disable the user account in the on-premises Active Directory. You can additionally revoke the user’s refresh tokens in Microsoft Azure Active Directory.

So, at the expiration of the seven-day grace period, Windows 365 will then deprovision the Cloud PC and its storage completely. The encryption of Windows 365 Cloud PCs using server-side encryption in Azure Disk Storage (platform-managed keys) helps to ensure that the devices deprovision securely.

However, if you find yourself in a situation whereby you determine that removing a user’s license was the right course of action and not a mistake, then you don’t need to wait out the seven days.

Windows 365 allows you to proceed with your action by clicking on the In Grace Period state and then selecting End Grace Period. Consequently, this will transition the Cloud PC to the state of Deprovisioning while the Cloud PC is deleted.
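The two deprovisioning paths described above, as an added PowerShell example (not from the original post or from Microsoft’s tooling): removing the license starts the seven-day grace period, and the immediate path disables the on-premises account and revokes the user’s Azure AD refresh tokens. It assumes the Microsoft.Graph and ActiveDirectory (RSAT) modules and a hybrid user; `<WINDOWS365-SKU-ID>` is a placeholder for your tenant’s Windows 365 SKU GUID. Ending the grace period early is still done in the MEM admin center as described.

```powershell
# Added example: revoke a user's Cloud PC access following the two paths above.
# Requires Microsoft.Graph (Set-MgUserLicense, Revoke-MgUserSignInSession) and,
# for hybrid accounts, the ActiveDirectory RSAT module (Disable-ADAccount).

function Revoke-CloudPcAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # SKU GUID of the Windows 365 license to remove; list them with Get-MgSubscribedSku.
        [Parameter(Mandatory)][string]$Windows365SkuId,
        # Hybrid users only: sAMAccountName of the on-premises AD account.
        [string]$OnPremSamAccountName,
        # Block access now instead of relying on the grace period alone.
        [switch]$Immediate
    )

    # Step 1: remove the Windows 365 license. The Cloud PC moves to "In grace
    # period" for seven days; reassigning the license within that window
    # reinstates the user without touching the Cloud PC.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Remove Windows 365 license $Windows365SkuId")) {
        Set-MgUserLicense -UserId $UserPrincipalName -AddLicenses @() `
                          -RemoveLicenses @($Windows365SkuId) | Out-Null
    }

    if ($Immediate) {
        # Step 2a: disable the on-premises account. The change only reaches
        # Azure AD on the next Azure AD Connect sync cycle, so pair it with 2b.
        if ($OnPremSamAccountName -and
            $PSCmdlet.ShouldProcess($OnPremSamAccountName, 'Disable on-premises AD account')) {
            Disable-ADAccount -Identity $OnPremSamAccountName
        }
        # Step 2b: revoke refresh tokens so existing sessions cannot renew.
        # This takes effect immediately; already issued access tokens simply expire.
        if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke Azure AD refresh tokens')) {
            Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
        }
    }

    [pscustomobject]@{
        User                = $UserPrincipalName
        LicenseRemoved      = $true
        GracePeriodEndsAbout = (Get-Date).AddDays(7)   # approximate; MEM shows the exact state
        ImmediateBlock      = [bool]$Immediate
    }
}

# Usage: User.ReadWrite.All covers both the license change and session revocation.
# Drop -WhatIf to execute; the constructed UPN and SKU below are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All'
Revoke-CloudPcAccess -UserPrincipalName 'jdoe@contoso.example' `
                     -Windows365SkuId '<WINDOWS365-SKU-ID>' `
                     -OnPremSamAccountName 'jdoe' -Immediate -WhatIf
```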

Cloud PC operating systems

As I’ve already gone over above, Windows 365 lifecycle policies govern operating systems’ servicing and support. And this also includes end of support. When we talk of lifecycle we are referring to the period during which Microsoft provides support for the operating system as well as releases regular security updates.

Also, we find that not all products share the same lifecycle timeline. The lifecycle timeline of each product will be determined by its respective lifecycle policy. And this will also be consistent by product family for new and future versions. With the older products, however, lifecycle timelines may differ so there will be a need to verify the necessary information.

Windows 365 Cloud PCs run on the Windows OS and are therefore governed by the Microsoft 365 Lifecycle Policy. When the operating system on a Cloud PC eventually reaches the end of support, it will no longer receive security updates, non-security updates, and assisted support.

Image status

Windows 365 keeps all necessary end-of-support information up to date in Microsoft Endpoint Manager. There the information will be located on the Provisioning policies page under Image status. Below is information you can use to verify whether the OS on the image within each provisioning policy is supported or not.

Image status: Supported
  • Gallery image: This lets you know that the Cloud PCs that have been created using this policy have a Windows operating system that is supported by Microsoft and can thus receive updates.
  • Custom image: Same as gallery image.

Image status: Warning
  • Gallery image: In this scenario, the OS would have expired within the previous six months. So the Cloud PCs that were created using this policy have an OS that is no longer supported. Because of this, those Cloud PCs are extremely vulnerable and don’t benefit from security updates.
  • Custom image: Same as gallery image.

Image status: Unsupported
  • Gallery image: The Cloud PCs created using this policy would be running a Windows operating system that hasn’t been supported for over six months. So this is a policy that can no longer be assigned to any users. Consequently, you will need to resolve the issue by updating the OS image in the provisioning policy to an image with a supported OS. All Cloud PCs that were created using this policy are vulnerable and no longer receive security updates. Furthermore, they cannot be provisioned or reprovisioned. If you were to attempt to provision a Cloud PC using this policy you would not be successful and face a Windows Image out of Support message.
  • Custom image: Not applicable.

You can also find the status values for custom images under the OS support status column on the Device images page. Once we get to the end of support date, you’ll no longer be able to select gallery images that use the expired OS for newly created provisioning policies. In addition, those images also won’t be available for use when editing existing provisioning policies.

Wrap Up on Windows 365 Lifecycle

As with all Microsoft products and services, Windows 365 is governed by a Lifecycle policy enabling the delivery of industry-leading service to clients. In a world of rapidly increasing cybercrime, organizations are looking for products and services that get excellent support and regular security updates.

And as more and more organizations are migrating to the cloud and adopting Windows 365, the modern lifecycle policy that governs Windows 365 takes on even greater importance. It gives you a clear picture of what to expect from the provisioning of your Cloud PCs all the way to the deprovisioning protocols.

Leveraging the support that Microsoft provides will help your organization to run a more streamlined IT environment. Coupled with the ease with which you can deploy Cloud PCs to your users, this clearly highlights the principle of simplicity that Windows 365 is known for most. So, for any organizations that are considering a cloud computing environment, one such as Windows 365 would be a great option to consider.