Windows 365 Flexible Pricing – Control Your IT Costs

Cloud computing has been evolving at a very impressive rate over the last few decades. It is now becoming an integral part of how a lot of businesses perform their operations. As you would expect, tech giant Microsoft has contributed a lot to the development that we have witnessed.

More recently, we have seen this with Windows 365, which is a virtual desktop service that Microsoft introduced a few years back. This solution gives businesses the ability to offer their employees desktops that run in the cloud and are always available. Having an option like this allows employees to remain productive wherever they may be.

And one of the best things about Windows 365 is that it offers flexible pricing terms that make it accessible to businesses both large and small. In this article, we’ll be discussing these flexible terms that Microsoft offers and how your business can benefit.

Flexible Pricing Features of Windows 365

To attract large numbers of businesses, Microsoft has had to ensure that Windows 365 has several flexible pricing features that you will find appealing. These features allow you to select the computing resources you need that will fit your unique business strategy. So, let’s take a look at some of these features.

Monthly Subscription

The flexibility that users get from their Windows 365 Cloud PCs does not only apply to how and where they can use their virtual desktops. It also applies to the subscription terms that are available to your organization. Clients that use Windows 365 get to pay for the service on a month-to-month basis.

As you can imagine, this gives you the advantage of not having to make a longer-term commitment that you may not be willing to make. You get to assess the benefits that Windows 365 gives your business every month and make adjustments to your strategies as you need.

Additionally, this also helps you to more efficiently manage your computing resources based on your changing needs. Therefore, if you need to increase or decrease the computing resources that you are using, Windows 365 allows you to do so without any problems. And all of this you can do quickly and seamlessly without having to commit to a long-term subscription that may not suit your business strategy.

Customizable Plans

Within your organization, employees working in different departments can have different computing resource needs. For example, individuals working in human resources departments are unlikely to need the same computing power as people working in an engineering department.

And fortunately for Windows 365 clients, Microsoft appreciates this and enables you to select a plan that can be uniquely tailored to precisely fit your specific computing requirements. That way, you don’t need to worry about getting more or less than your business needs.

Right at the beginning, there are two subscription options available depending on the size of your business. If you are a relatively smaller organization requiring less than 300 Cloud PCs, then you have the Windows 365 Business Edition.

Larger enterprises with employees that require a greater number of Cloud PCs have the option of Windows 365 Enterprise. The great thing about all this, however, is that these options all offer the same range of features. Therefore, small businesses get to have a similar Windows 365 experience to the larger businesses without having to break the bank.

Pay-As-You-Go

This next feature provides businesses with a lot of flexibility relevant to how they can manage their budgets. With a pay-as-you-go arrangement in place, plenty of businesses, especially the smaller ones, will find it a bit easier to take advantage of what Windows 365 can offer without compromising their budget structures.

As already mentioned before, for some businesses, long-term commitments may not currently be financially viable, so having a service that allows you to only pay for what you are using can be a great solution.

One of the most obvious differences between Windows 365 and Azure Virtual Desktop (AVD) is the payment structure. AVD offers its services on a consumption-based model, whereas Windows 365 uses a fixed per-month/per-user licensing arrangement.

The benefit that Windows 365 clients get from this is that it allows them to plan long-term, knowing exactly what their IT expenditure will be. And in the case of changing computing resource needs, they can easily scale up or down to meet demand without being worried about having to face massive costs to do so.

Self-Service Portal

Windows 365 prides itself on being a service that is easy to deploy and use for any business. By designing it this way, Microsoft has been able to offer clients a product that doesn’t require any additional financial investment to set up and use.

According to Microsoft, you should not need additional IT resources to help you set up your Windows 365 environment. And this is clearly something that is meant to help your business reduce expenditure. But, it’s not only setting up the Cloud PCs that is meant to be simple, but maintaining the environment should be as well.

Hence the availability of a self-service portal. This feature is perfect for helping your IT staff maintain your Windows 365 environment without needing to be dependent on support services. Moreover, if your business needs to add or remove virtual desktops, then your IT admins can leverage the self-service portal to do so easily and securely.

Ultimately, what Microsoft is giving you with this feature is a tool that enables you to adjust your computing resources as your business continues to evolve. Most importantly, you can do this in-house without needing to invest in additional IT resources.

Benefits of Windows 365’s Flexible Pricing

The various features that we have gone over above have several benefits that they can offer your business. In this section, we’ll be looking at some of those benefits.

Cost Control

Having effective cost control measures is essential for any business to minimize the progressive growth of expenses. Implementing such measures can help your business grow with minimal issues. One of the biggest things that a lot of businesses see as a great cost control measure is cloud computing.

Not only is this something that will help your employees remain productive from remote locations, but it can reduce IT expenses. If you consider setting up an on-premises infrastructure, you’ll quickly realize how costly an undertaking that would be. And that’s before considering the additional expenses for maintaining and potentially scaling the environment.

With Windows 365’s flexible pricing options, Microsoft wants businesses to have a virtual desktop service that can help to keep their IT expenses manageable. By signing up for only the computing resources that you need, you avoid having to overpay, especially for unnecessary resources.

This also gives you the advantage of planning an accurate budget well in advance. Moreover, you can also make allowances in your budget that will enable you to scale your computing resources if necessary.

Scalability

Windows 365 offers two subscription plans to businesses, the Enterprise 365 edition and the Business 365 edition. As mentioned already, this gives large and small businesses options that can meet their unique needs.

Within these two editions of Windows 365, you’ll also find several different options offering different levels of computing resources. This allows businesses to subscribe to options that will suit their needs without being concerned about potentially costly, long-term commitments.

In addition to this, as the needs of your business continually evolve, Windows 365 allows you to easily and quickly adapt to those changes. If your business is experiencing significant growth, you can scale your computing resources accordingly without incurring significant costs to do so.

The pay-as-you-go model that Windows 365 uses gives your IT staff the flexibility to adapt to the business environment when the need arises. Because of this, you can operate at optimal efficiency levels with exactly the computing resources you need at any given time.

Reduced Overhead

Another massive benefit that Windows 365 provides is the ease with which you can deploy, use, and maintain your virtual desktop environment. This gives businesses an excellent cloud computing service that doesn’t require you to bring in additional or specialized IT professionals.

The simplicity of Windows 365 is meant to enable your in-house IT staff to easily set up Cloud PCs for all employees that need them without necessarily bringing in external support. As you can imagine, the potential reduction in overhead can be massive.

By leveraging Windows 365, you already have plenty of benefits gained by providing employees with the flexibility to work from any remote location. And then, the reduced demands on IT admins will also free them up to dedicate more time to essential value creation for the organization. All of this, when put together, provides an excellent foundation for improving the efficiency of the business, increasing productivity, and ultimately keeping your expenses down.

Improved Productivity

Windows 365 can provide greater security for their clients’ virtual desktop environment because of the measures that are in place in the Microsoft Cloud to safeguard data. This will have an additional positive impact on productivity because of how employees can do their work securely regardless of where they are. And unlike with on-premises systems, where you may occasionally have hardware issues, the redundancies in place for Windows 365 Cloud PCs are designed to keep your data accessible at all times.

The flexible pricing terms that you get with Windows 365 are what make this a great productivity tool for a lot of businesses. It’s especially advantageous when you consider that plenty of businesses, particularly the smaller ones, may otherwise find it financially difficult to offer employees this level of flexibility in their work conditions with the security that Microsoft provides. In addition, your Cloud PC environment is regularly updated so that you always have the best features available without the need to increase your IT expenditure.

Customizable Plans

A small startup company is going to have significantly different needs to those of a massive Fortune 500 company, for example. However, that is not to say that Windows 365 can’t be as equally beneficial to the business operations of both.

It’s this need to avail virtual desktops to all who need them that has led Microsoft to allow businesses to pay monthly subscriptions for only the computing resources that they’ll be using. So, businesses can choose between Windows 365 Enterprise and Windows 365 Business, depending on their various computing resource needs.

And within these two editions, you get several customizable and flexible plans that can be tailored to your unique needs and pocket. Therefore, all you have to do is determine the number of Cloud PCs you want and the amount of storage you’ll need. This is all you have to pay for, no more, no less.

Furthermore, having a pay-as-you-go model in place also makes it a lot easier for your business to adapt to a changing business environment. Thus, if the need arises, you can scale up or down with little to no trouble, and this increased control over computing resources will help improve your efficiency.

Conclusion

Most people will probably agree that there has been a massive increase in the acceptance of cloud computing by all businesses, both large and small. It’s not surprising as we have come to realize all the benefits that our businesses stand to gain. Not to mention the work that Microsoft has put into services like Windows 365 to improve security and reliability.

Although not the first of its kind, Windows 365 has been a game-changer for businesses because of its ease of use and favorable payment terms. Having access to a cloud computing environment that can potentially lower your IT expenses while boosting productivity is a great solution for any enterprise. And with all the development efforts that Microsoft continues to pour in, the Windows 365 Cloud PC will only get better.

Windows 365 – Always Up-to-Date Computing for Your Business

Over the last few years, we have witnessed an alarming increase in cybercrime across the globe. Attacks are becoming more sophisticated, and businesses are suffering massive losses. As we take all of this into consideration, it makes us realize the importance of maintaining a secure and always up-to-date environment. Microsoft’s latest cloud computing platform, named Windows 365, is a solution that is meant to provide businesses with a flexible computing environment that adheres to the strictest security measures available.

By providing clients with excellent always-up-to-date features, Microsoft can ensure that clients always have the latest security updates and software versions.

So, in this article, we want to go over the various always-up-to-date features that you get with Windows 365 and why this cloud computing service can give your business the necessary security and reliability.

What Is an Always-up-to-date Computing Environment?

Malicious actors out there are constantly coming up with new tricks. They’re always looking to perpetrate data breaches, hacks, cyber attacks, and identity theft. They are always looking to exploit any potential vulnerabilities that may exist in your network. So, to counter this threat, one of the best tools that services like Windows 365 can offer clients is an always-up-to-date computing environment. This is something that allows businesses to run Cloud PCs that are always up-to-date with not only the latest features but important security patches as well.

Most of us have already experienced the challenges that one can face when trying to maintain an up-to-date computing environment. Although various updates and security patches are regularly availed, it can still prove to be a challenging task.

Hence the need for a system that provides an always-up-to-date environment. It ensures that your business is running the software versions you need to maximize productivity. Additionally, this also enhances organizational security in a way that reduces the risk of successful attacks.

Windows 365 Always-up-to-date Features

To ensure that businesses will consistently have a computing environment that is running on the latest updates, Windows 365 takes advantage of several features. Combining these features helps to ensure that businesses will get an effective and comprehensive updating system. In this section, we’ll take a look at those various features.

Automated Updates

Chances are high that for most people when you encounter that “would you like to update now” prompt, you’ll click on “no.” No one wants the disruption to their workday, especially not knowing how long this update process could take. Even being aware of the security risks of ignoring updates, people will regularly continue without installing them. Actions like this are the reason behind the need for automated updates. Windows 365 can ensure that your devices are updated at a time that is convenient and doesn’t affect any ongoing work.

This gives you the scheduling flexibility to plan for the installation of automated updates. It works for both the operating system and applications on your Cloud PCs to be done during non-working hours. And since these updates are applied automatically, it helps reduce the workload for your IT staff by eliminating some of those sometimes daunting manual tasks. All of this while your business gets to use the latest features and maintain high-security levels.

Patch Management

Patch management involves the scanning and detection of security patches before they can be downloaded and installed. Using this tool helps IT admins to keep the devices that are under their control constantly up-to-date with the latest security patches. Leverage the patch management capabilities that Windows 365 provides. And eliminate the need for IT admins to manually check each virtual device to see if it has the necessary patches applied.

Having feature updates and security patches applied automatically means that you reduce the risk of hackers getting sufficient time to exploit any known vulnerabilities and security threats. This helps your business significantly reduce attack surfaces and keep employee productivity levels unaffected by potential security breaches. Moreover, businesses will also get to reap the benefits from reduced expenses for device lifecycle management as well as repairs.

Centralized Management

Centralized management can play a key role in simplifying your organization’s IT operations. It can help to make user access and data storage easier. It additionally contributes to saving IT admins plenty of time that could be used more productively.

As a result, your security posture can be expected to improve because of how admins can monitor the entire network from a single console. Doing this allows them to quickly detect any issues that may arise and implement the necessary solutions without delay.

This is particularly important in the area of updates and security patches. As already mentioned, manually updating devices can often be a nightmare of a task. So automated updates will come as a welcome relief. Having an always-up-to-date environment means IT admins will get their desired secure computing environments. It also allows the freeing up some of their time. All in all, taking advantage of centralized management for your Cloud PCs gives you a more secure and stable environment from top to bottom.

Integration with Microsoft Azure

One of the things that Microsoft was keen to highlight when it first introduced Windows 365 was this new product’s foundation of existing Azure infrastructure. As such, it could benefit from the tools and features that Microsoft clients would already be familiar with. This means that Windows 365 clients have access to the excellent computing resources that Azure infrastructure can provide.

And we cannot talk about these resources without mentioning security. This includes the highly reliable security measures of the Azure cloud infrastructure. It also includes the identity management protocols that significantly reduce the chances of unauthorized access to devices and, by extension, to your organization’s network.

Industry-leading security is what makes Azure such a great and reliable product. This ensures the protection of all your virtual machines and sensitive data. Most importantly, by keeping the environment always up-to-date, businesses will have any of their security concerns alleviated.

Role-based Access Control

Role-based access control (RBAC) is a method that improves your organization’s security by restricting network access based on the roles and unique responsibilities of employees within your organization. Using this tool helps your business by seeing to it that employees can only access what they need to perform their duties and no more. In addition, it doesn’t just regulate what resources an individual can access. It also determines what they can do with those resources.

By providing Windows 365 users with RBAC, Microsoft enables IT admins to assign permissions to users based on the needs of their duties within the organization. Restricting access to critical software and data is important for protecting the integrity of your network. Moreover, IT admins can enforce compliance especially concerning updates and security patches. And it ensures the organization is operating at optimal efficiency.

Benefits of Windows 365 Always-up-to-date Features

The features that we discuss above are integral to ensuring that your computing environment is kept up-to-date at all times. The benefits of this are several, and we’ll be exploring them below.

Enhanced Security

Cyber attacks have been a thorn in the backside of a lot of businesses in recent years. Take eyewear giant Luxottica as an example, a business that suffered a data breach that exposed the information of over 70 million clients. This kind of attack will be very damaging to any business, and others may not recover from the consequences. As we consider incidences like these, it becomes abundantly clear why businesses must try, by all means, to implement the best security measures available.

A big part of that is maintaining an always-up-to-date computing environment. The features that Windows 365 gives you to achieve this will provide you with security against known security threats. Malicious actors are constantly searching for vulnerabilities, so it’s important to apply the latest security patches and updates. Moreover, having these updates and security patches installed as soon as they become available is important. It will significantly reduce your risk of suffering at the hands of hackers.

Improved Productivity

Anyone who remembers using older devices or any device with older software will probably also notice that they are not as efficient as one would like. They will often run slower than is ideal, and applications may crash far too many times. Undoubtedly, this can be a very frustrating experience for anyone simply trying to get their work done.

As a business, this is something that will cause a noticeable drop in the efficiency of your employees. Individuals cannot be as productive as they want when they have to waste time dealing with software bugs.

The Windows 365 always-up-to-date features are designed to provide your virtual devices with the best available updates. With the improvements that you get from these updates, employees can work better and more efficiently. In some cases, applications will stop working entirely without the necessary updates. Furthermore, the application of security patches reduces your chances of downtime that may be caused by cyber-attacks.

Reduced IT Overhead

Microsoft has designed Windows 365 to be a service that is available to both big and small enterprises. As such, the cost of using the service is meant to be affordable enough to potentially lower your IT expenditure. To begin with, setting up and deploying Cloud PCs is simple enough for you not to require additional IT personnel. So you immediately have fewer costs to worry about. Because of the benefits of features like automated updates and centralized management, maintaining your IT environment is a lot less complex.

The tasks that your IT staff needs to perform become simpler. And they no longer have to spend as much time with manual updates and security patches. As a result, there is a lot more time available to dedicate to better value creation for your business.

Not only that, but with an always-up-to-date environment, IT admins will know that organizational security will significantly improve. This is something that will help them by also reducing the time that could potentially be spent dealing with software bugs or security breaches.

Scalability

Every business needs to ensure that they have the necessary tools to scale as and when necessary. If your business experiences a sudden surge in customer interest, you need to be well-placed to adequately deal with the traffic. Windows 365 has several tools available that enable businesses to scale up quickly and seamlessly without compromising service delivery. And one of the biggest advantages of this process is that the tools you use are the same ones you’re already familiar with. So the process is a relatively straightforward one.

Most importantly, however, is that this task can be carried out very securely, and your IT environment will remain well-protected. So, utilizing the always-up-to-date features means that your business will always have the best tools for your computing environment. Although we mostly talk about expanding a business, the same also applies to scaling down operations.

If the need arises to reduce the computing resources you are using, then you can scale down just as easily and securely, as well. Microsoft provides a service that can accommodate the needs of your business in a way that allows you to operate under ideal conditions.

Wrap-Up About Windows 365

The security of your computing environment is not something that you can afford to take lightly. As we have discussed in this article, several businesses have been breached. The result is the compromising of information of millions of clients. Windows 365 provides you with a cloud computing platform with the objective to adapt to your organization’s needs. And it simultaneously offers you industry-leading security measures.

With the always-up-to-date features that you get, your computing environment can perform with optimal efficiency. Not to mention the enhanced security posture you’ll benefit from because of the automated security patches available. So, if you’re looking for a cloud computing solution that is secure, won’t break the bank, and is relatively easy to maintain, then Windows 365 deserves consideration.

Understanding the Requirements of Windows Autopatch

Most IT pros are fully aware of how challenging it can be to manage the update process for all the devices in their organization. It can be an incredibly complex and time-consuming task that takes away time from engaging your efforts in work that could be considered more productive for the business.

Fortunately, Microsoft knows about this challenge and offers you Windows Autopatch to help businesses with this process. With this service, your organization will get a product that can help you to “streamline updating operations and create new opportunities for IT pros.” By enabling organizations to automate tasks such as these, Windows Autopatch will help you to minimize the security and performance issues that can sometimes be encountered because of inefficient update processes.

What is Windows Autopatch?

In case you may not as yet be familiar with Windows Autopatch, let me start by going over a few things your teams should know. Released in 2022, Autopatch is a cloud-based service that is designed to automatically manage the updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams.

As I’m sure you can imagine, a service like this can vastly improve the efficiency of your IT operations. Not only that but this will tighten your organization’s security, it will improve productivity, and it will enhance device management among other things.

Consequences of Poor Update Processes

Research done by Google has shown that 66% of users don’t automatically or immediately apply updates. And most of us can relate to the reasons given such as not wanting the unwelcome interruption, not seeing the need, worrying about the time it could take, and so on.

Unfortunately, though the consequences of not applying updates may not be immediate they can eventually be very damaging. It’s important to know that updates are critical for device performance and security. Malicious actors are constantly searching for vulnerabilities in your network and occasionally they find them. So, if security patches are made available and you ignore them it will leave your business exposed to all manner of cyber attacks.

In addition to that, hackers can potentially access organizational data and infect your network with malware. Not so long ago in 2017, Equifax was the victim of a brutal cyber attack that exposed the personal information of close to 150 million people. This kind of attack would be very damaging to an organization and as we saw in this case it cost the company over half a billion dollars in settlement. Clearly, this kind of situation needs to be avoided whenever possible. Furthermore, security concerns are not the only thing to worry about with neglecting updates. It can also result in your organization using poorly performing devices and not having access to the best and latest features. Obviously, this can cost you significantly especially if other businesses are gaining an advantage over you.

Before You Get Started

Just like any other service you would want to use, Windows Autopatch has some requirements you would need to meet before you can get started. There are several areas that you will have to consider if you want to deploy Autopatch.

Licensing

The most obvious starting point is going to be the licensing requirements for Autopatch. You’re going to need to assign Windows 10/11 Enterprise E3 (or higher) to all the various users who will require the service. Fortunately, users that already have Windows 10/11 Enterprise E3 or higher (user-based only), get Windows Autopatch with their licenses. There are several service plan SKUs that are eligible for Autopatch and they are given in the table below:

LicenseID
Microsoft 365 E3SPE_E3
Microsoft 365 E3 (500 seats minimum_HUB)Microsoft_365_E3Microsoft_365_E3
Microsoft 365 E3 – Unattended LicenseSPE_E3_RPA1
Microsoft 365 E5SPE_E5
Microsoft 365 E5 (500 seats minimum)_HUBMicrosoft_365_E5
Microsoft 365 E5 with calling minutesSPE_E5_CALLINGMINUTES
Microsoft 365 E5 without audio conferencingSPE_E5_NOPSTNCONF
Microsoft 365 E5 without audio conferencing (500 seats minimum)_HUBMicrosoft_365_E5_without_Audio_Conferencing
TEST – Microsoft 365 E3SPE_E3_TEST
TEST – Microsoft 365 E5 without audio conferencingSPE_E5_NOPSTNCONF_TEST
Windows 10/11 Enterprise E3WIN10_VDA_E3
Windows 10/11 Enterprise E5WIN10_VDA_E5
Windows 10/11 Enterprise VDAE3_VDA_only

You’ll also find there are a few Windows 10, build versions and architectures that are eligible for registration with Windows Autopatch. These are as follows:

  • Windows 10 (1809+)/11 Pro
  • Windows 10 (1809+)/11 Enterprise
  • Windows 10 (1809+)/11 Pro for Workstations

In addition to the licensing requirements given above, these users will also need to have Azure Active Directory Premium and Microsoft Intune.

Network configuration

The next area to review is the connectivity to multiple Microsoft service endpoints from the corporate network which will be needed. Autopatch being a cloud service means that for the service’s different elements to work properly there is a set of endpoints that Autopatch should be able to reach.

The network optimization for these can be done by using their firewalls or proxies to send all trusted Microsoft 365 network requests. Doing this allows you to bypass authentication, and all additional packet-level inspection or processing.

As a result, you can expect to directly benefit from less latency and reduced perimeter capacity requirements. The required proxy or firewall will need to support TLS 1.2. If it doesn’t, you might need to disable protocol detection.

REQUIRED WINDOWS AUTOPATCH ENDPOINTS FOR PROXY AND FIREWALL RULES

The allowed list for your proxy and firewall needs to contain certain URLs if Autopatch devices are to be able to communicate with Microsoft services. The Windows Autopatch URL is necessary for anything that the service runs on client APIs. Therefore, it’s important to verify that this URL remains consistently available on your corporate network. The URLs required on the allowed list are given below:

  • mdcustomer.microsoft.com
  • mmdls.microsoft.com
  • logcollection.mmd.microsoft.com
  • support.mmd.microsoft.com

REQUIRED MICROSOFT PRODUCT ENDPOINTS

The allowed list will also need to contain certain URLs from several Microsoft products if Autopatch devices are to be able to communicate with these Microsoft services. The table below shows the Microsoft services as well as the corresponding URLs.

Microsoft ServiceURLs required on Allowlist
Windows 10/11 Enterprise including Windows Update for BusinessManage connection endpoints for Windows 10 Enterprise, version 1909   Manage connection endpoints for Windows 10 Enterprise, version 2004   Connection endpoints for Windows 10 Enterprise, version 20H2   Manage connection endpoints for Windows 10 Enterprise, version 21H1   Manage connection endpoints for Windows 10 Enterprise, version 21H2   Manage connection endpoints for Windows 11 Enterprise
Microsoft 365Microsoft 365 URL and IP address ranges Hybrid identity required ports and protocols
Azure Active DirectoryActive Directory and Active Directory Domain Services Port Requirements
Microsoft IntuneIntune network configuration requirements   Network endpoints for Microsoft Intune
Microsoft EdgeAllowlist for Microsoft Edge Endpoints
Microsoft TeamsOffice 365 URLs and IP address ranges
Windows Update for Business (WUfB)Windows Update for Business firewall and proxy requirements

DELIVERY OPTIMIZATION

One of the recommendations made by Windows Autopatch during your enrollment into the Autopatch service is that you configure and validate Delivery Optimization. Doing so will provide access to a P2P distribution technology that is offered in Windows 10 and Windows 11.

And the key advantage of this is that you get a service that enables devices to share content, such as updates, that the devices downloaded from Microsoft over the internet. Another core benefit of using this technology is that it can also reduce network bandwidth since portions of the update will already be available to the device from another device sharing the same local network. So, there won’t be an additional need to perform a complete update download from Microsoft.

Azure Active Directory

When it comes down to identifying the source of authority for all user accounts then Azure Active Directory would arguably be the most ideal. If not, however, you will need to ensure that all user accounts are synchronized from on-premises Active Directory. And this will have to be done using the latest supported version of the Azure Active Directory Connect so that Hybrid Azure Active Directory join can be enabled.

Azure AD Connect is a  Microsoft service that your organization will receive as part of your Azure subscription. This tool is something that will help you to manage the synchronization of identity data between your on-premises Active Directory environment and Azure AD. So, users will benefit from the convenience of being able to use the same credentials to access on-premises applications and cloud services.

Hybrid Azure AD join, in its simplest terms, means having a device that is available in both the on-premises Active Directory and the Azure AD environments. Therefore, this tool can simplify device management because of how a ‘hybrid-joined’ device is visible on both platforms.

Before registration with Windows Autopatch can proceed, all the concerned devices will need to be enrolled with Intune. Furthermore, Intune should be set as the Mobile Device Management authority. Alternatively, you’ll need to ensure that you turn on and enable co-management on the target devices. In addition, you are required to set to Pilot Intune or Intune the apps workloads for the Windows Update, Device configuration, and Office Click-to-Run. And then don’t forget to verify that the devices you want to bring to Windows Autopatch are in the targeted device collection.

Device Management

The device management requirements for Windows Autopatch are given below:

  • All devices that you are going to use will need to be corporate-owned. This is because Windows bring-your-own-devices (BYOD) are not eligible and will therefore not pass the device registration prerequisite checks.
  • Devices should be under Configuration Manager or Intune co-management. So, any devices that are only under Configuration Manager management will not be eligible.
  • Registration with Windows Autopatch is only possible if a device has been in communication with Microsoft Intune in the last 28 days.
  • It goes without saying that internet connectivity is required for the devices.
  • Lastly, devices need to have a serial number, model, and manufacturer. Therefore, any device emulators that don’t provide this information will not pass the Intune or Cloud-attached prerequisite check.

A few things to note

Based on the aforementioned requirements, there are a few other things that we should be aware of. One of these issues involves the registration of devices that don’t meet the minimum Windows OS required.

Although these devices can be registered with Windows Autopatch, after that process is complete they will be offered the minimum Windows OS version. You’ll need to make the necessary changes concerning the minimum Windows OS version. From there, you’ll receive monthly security updates that maintain the health and security of your devices.

Furthermore, Windows Autopatch allows you to register Windows 10 Long-Term Servicing Channel (LTSC) devices. These devices are being currently serviced by the Windows LTSC. However, only devices that are currently serviced by the LTSC can have their Windows quality updates workloads managed by the service.

So, any devices that are part of the LTSC are not eligible for Windows feature updates from both the Windows Autopatch and Windows Update for Business services. In the case of Windows devices that are part of the LTSC, you’ll need to use either the Configuration Manager Operating System Deployment capabilities or LTSC media to carry out an in-place upgrade.

Configuration Manager Co-management Requirements

We’ve already gone through some of the information concerning co-management and Windows Autopatch. Since co-management is fully supported, you need to know what the requirements are:

Switch Configuration Manager Workloads to Intune

Among the additional requirements for devices managed by Configuration Manager is the need to switch Configuration Manager workloads to Intune. This is something that can present a significant issue for a lot of people. Fortunately,  however, you’ll still be able to switch workloads back to Configuration Manager if you later decide that’s what you want.

Different pilot collections can be configured for all of the co-management workloads. The benefit of using various pilot collections is the ability to leverage a more granular approach during the shifting of workloads. So, workloads can be switched at your convenience, meaning you can do so once you enable co-management. Rr you can postpone it until a later time. At this point, if you haven’t yet enabled co-management that’s what you’ll need to do first. And once done, you can proceed to modify the settings in the co-management properties.

Modify

  1. Head over to the Configuration Manager console and go to the Administration workspace.  Next, you need to expand Cloud Services and then select the Cloud Attach node. If the version is 2103 or earlier, then select the Co-management node.
  2. Select the co-management object, and then choose Properties in the ribbon.
  3. Next, you need to switch to the Workloads tab. Take note that all workloads are by default set to the Configuration Manager setting. So, to switch a workload you must move the slider control for that workload to the desired setting. If you keep the slider where it is then Configuration Manager will continue to manage the workload. Moving the slider to Pilot Intune should only be done if the devices are in the pilot collection. And if you want to change the Pilot collections, you can do so by going to the Staging tab of the co-management properties page. And then lastly, move the slider to Intune for all Windows devices enrolled in co-management.
  4. If necessary, you can now go to the Staging tab and change the Pilot collection for any of the workloads you want.

NOTE: Always verify that any workloads you would like to switch, the corresponding workloads in Intune have been configured and deployed. In addition, workloads should always be managed by one of the available management tools for your devices. Furthermore, whenever you switch to a co-management workload, there will be an automatic synchronization of the MDM policy from Intune by the co-managed devices.

Data and Privacy

The administration of enrolled devices requires Windows Autopatch to use data from various sources. These sources, which include Intune, Azure AD, and Windows 10/11, are going to provide a comprehensive view of the devices under Autopatch management. Below is a helpful table containing a list of the various data sources. Also outlined is the intended purpose of the information:

Data SourcePurpose
Windows 10/11 EnterpriseHandles the management of device setup experience, connections to other services, and operational support for IT pros.
Windows Update for BusinessLeverages diagnostic data collected from Windows 10/11 Enterprise to provide additional information on Windows 10/11 update.
Microsoft IntuneHandles device management and plays a key role in maintaining device security. It makes use of a couple of endpoint management data sources:   Microsoft Azure Active Directory: Authentication and identification of all user accountsMicrosoft Intune: Distributing device configurations, device management, and application management
Windows AutopatchData provided by the customer or generated by the service during the running of the service.
Microsoft 365 Apps for EnterpriseManagement of Microsoft 365 Apps.

Effective Service

Also, to effectively provide service to enterprise clients, Autopatch needs data from multiple Microsoft products and services. This data must be processed and copied from these services to Autopatch. This allows enrolled devices to be maintained and protected. The processor duties undertaken by Autopatch include maintaining security, confidentiality, and resilience. All this is done to ensure that Autopatch can offer clients high-level security in the handling of all personally identifiable data.

The vast amounts of data that Autopatch handles will be stored in Azure data centers depending on data residency. It’s also important to recognize that the data that is being accumulated is necessary for Autopatch to keep the service operational. If you decide to remove a device from Windows Autopatch, the data will be kept for no more than 30 days.

WINDOWS 10/11 DIAGNOSTIC DATA

To keep Windows secure, up to date, address any issues, and continuously make improvements, Autopatch leverages Windows 10/11 Enhanced diagnostic data. Within the enhanced diagnostic data setting, you’re going to find more comprehensive information concerning devices enrolled in Autopatch. Not only that but you also get detailed information about the devices’ health, capabilities, and settings.

So, when you select enhanced diagnostic data, data will be collected including the required diagnostic data. Because of how Autopatch only wants to process strictly necessary data, we can expect to see changes in the diagnostic data terminology in the future. The objective is to change the diagnostic level to Optional with Autopatch looking to implement the limited diagnostic policies to fine-tune the diagnostic data collection required for the service.

Not all system-level data from Windows 10/11 optional diagnostic data will be processed and stored by Windows Autopatch. It only caters to data obtained from enrolled devices such as application and device reliability, and performance information. Therefore, clients should know that their personal data such as chat and browser history, voice, text, or speech data will not be processed or stored by Autopatch.

Wrap up

All of us can benefit immensely from a service that can help us manage the update process a lot more efficiently. It can save us valuable time, minimize errors, and enable our businesses to be more productive. Microsoft has developed Windows Autopatch with all this and more in mind. Using this service is meant to help your IT staff by removing some of their burdens while simultaneously reducing the time taken by patching cycles. So, if you want a service that can add a lot of value to your business, then Autopatch is one that’s worth considering.

Setting up Windows Hello Cloud Kerberos Trust

One of the biggest challenges that organizations can face is how their employees handle security protocols. Many will admit that some of the greatest vulnerabilities can come from something as avoidable as simple reused passwords for multiple scenarios. By doing this, individuals will not only leave themselves exposed to attacks but will put the entire organization’s network at risk as well. 

This type of challenge is precisely what Microsoft is trying to address with Windows Hello. It gives individuals a simpler but significantly more secure option to access various platforms. In this particular blog, I want us to take a look at how Windows Hello and Cloud Kerberos Trust can provide organizations with better security solutions. 

Introducing Windows Hello

For the benefit of those who may not yet be familiar with this service, let’s start by going over what Windows Hello is. As already mentioned above, how users access various platforms is something that can create vulnerabilities in an organization’s network.

So, with Windows Hello, Microsoft is giving us a biometrics-based solution that gives Windows 10 or Windows 11 users the option to sign in to their devices, apps, and networks using a fingerprint, iris scan, or facial recognition. The great thing about this solution is that it gives users a more personal way to authenticate access and offers enterprise-grade security but eliminates the need to type in a password.

Expectedly, some users worry about access to their biometric data by third parties. Fortunately, Windows assures us that your data continues to be highly encrypted and secure. Also, it does not leave your device nor is it stored anywhere else. And as long as you have a compatible device with the necessary hardware, getting started is easy. This is because there is a wizard that will teach the device to recognize your biometric credentials. 

You will, however, need to set up a PIN as a backup in case any of the biometric authentication measures happen to fail. Simply put, Windows Hello provides a simple but highly secure authentication service that can also ease concerns about typing in passwords or using sign-in gestures in public.

Windows Hello for Business

Now that we’ve gone over what Windows Hello is, let’s take a look at how it differs from Windows Hello for Business (WHfB). In the simplest of terms, WHfB has all the features of Windows Hello as well as other more advanced ones. Whereas Windows Hello is more suited to the home environment, WHfB, as the name suggests, intends to suit businesses. 

For the configuration of WHfB, you can use either a GPO or MDM. Also, Windows Hello for Business uses a PIN backed by an asymmetric key pair or certificate-based authentication. Eliminating the use of use hashes and thus the transmission of passwords means that security is significantly better. And if you want to use the asymmetric key, you’ll require Azure AD or the implementation of a Windows Server 2016 domain controller.

What is Cloud Kerberos Trust?

With the development of Windows Hello for Business Cloud Kerberos Trust, Microsoft is aiming to provide Windows Hello for Business with a simple passwordless experience. The objective is to also avail the service to new or existing Windows Hello for Business deployments. One of the key things about Windows Hello for Business Cloud Kerberos Trust is that it leverages Azure AD Kerberos. Doing it this way means that you create a simpler deployment as compared to the key trust model:

  • In this scenario, the deployment of a public key infrastructure (PKI) or changing an existing PKI becomes unnecessary.
  • Additionally, synchronizing public keys between Azure AD and Active Directory for users to access on-premises resources also becomes unnecessary.
  • Lastly, the deployment of passwordless security key sign-in becomes something that you can do with very little extra setup.

Therefore, with all these potential benefits, Microsoft advises that Windows Hello for Business Cloud Kerberos Trust be the recommended deployment model when compared to the key trust model. And for clients that do not need to support certificate authentication scenarios, this is also the most recommended deployment model.

Azure AD Kerberos and Cloud Kerberos Trust authentication

When it comes to requesting Kerberos ticket-granting-tickets (TGTs) for on-premises authentication, we find that certificate authentication-based Kerberos features usage by both key trust and certificate trust. And when performing this type of authentication, there are two requirements to meet.

  • PKI for DC certificates,
  • End-user certificates for certificate trust.

In the case of Cloud Kerberos Trust, by using Azure AD Kerberos this negates the need for a PKI to request TGTs. Also, these TGTs can be issued for one or more AD domains by Azure AD for Azure AD Kerberos. And then as far as Windows is concerned, when authenticating with Windows Hello for Business it can request a TGT from Azure AD. 

Once a TGT has been returned, Windows can then use it for sign-in or to access AD-based resources. However, it’s worth noting that Kerberos service tickets and authorization will still remain under the control of on-premises domain controllers.

With an enabled Active Directory domain, an Azure AD Kerberos server object will then be created in the domain and it will:

  • Not associate with any physical servers but will, however, still appear as Read Only Domain Controller (RODC) object.
  • Be solely used by Azure AD to create TGTs for the Active Directory domain. Furthermore, the Azure AD Kerberos Server object must adhere to the same rules and restrictions applied to RODCs.

It’s important to note, though, that there is something to consider before implementing the Cloud Kerberos Trust deployment model. You have to first verify that each of the Active Directory sites where users will be authenticating with Windows Hello for Business has enough read-write domain controllers. 

Prerequisites

RequirementNotes
Multi-factor authenticationThere are a few options that you can use to meet this requirement. These include:

Ø  Azure AD multi-factor authentication

Ø  multi-factor authentication is provided through AD FS or any other comparable solution.
Windows 10, version 21H2, or Windows 11 and laterFor clients that are using Windows 10 21H2, they will need to check that they have KB5010415 installed.

And then those using Windows 11 21H2, need to have KB5010414 installed.

Also, when it comes to Azure AD-joined and Hybrid Azure AD-joined devices, expect to find no Windows version support difference.
Windows Server 2016 or later Domain ControllersFor clients that are using Windows Server 2016, they will need to check that they have KB3534307 installed.

And then for those using Windows Server 2019, KB4534321 must be installed.
Azure AD Kerberos PowerShell moduleThis is the module that will be necessary for the enabling and management of Azure AD Kerberos. You can find it through the PowerShell gallery.
Device managementThe management of Windows Hello for Business Cloud Kerberos Trust can be done in a couple of ways:

Ø  using group policy,

Ø  using mobile device management (MDM) policyYou will need to enable this feature using policy because it comes disabled by default. 

Authentication to on-premises resources

For authentication to on-premises resources to work properly, Cloud Kerberos Trust will need to be enabled for the concerned user. Once enabled, if you attempt to access domain resources, the process will begin with the device receiving a name hint from metadata in the PRT. Then, a DC locator will find a valid DC before a partial TGT from Azure AD Kerberos is sent with a TGS_REQ to this valid DC. After this, a partial TGT validates and then a TGT is returned. However, the user will still need to be synchronized from Active Directory. And this is an important step that allows us to find the domain name associated with the user, in the event of ticket requests from the KDC.

Azure Active Directory

When it comes to Azure AD-joined devices, authentication to Active Directory will only begin when a particular user tries to access a resource that requires Kerberos authentication. At this point, the Kerberos security support provider will then leverage metadata from the WHfB key in order to get a hint of the user’s domain. 

Once the hint is available, the provider can then use a DC locator to find a 2016 domain controller. A domain hint is absolutely necessary for the DC locator. And this will be obtained from the onpremisedomainname that you get with the PRT. Next, the client will get a Domain Controller returned for the continuation of normal service ticket issuance. 

The Kerberos provider will then forward a partial TGT,, obtained from Azure AD from a prior Azure AD authentication with the domain, controller once an active 2016 domain controller is found. On this partial TGT, signed by Azure AD Kerberos, all you will get is the user SID. It will be the role of the domain controller to check the validity of the partial TGT.  If the process has been successful, the KDC will then send a full TGT to the client after which the client can request service tickets.

Deployment process

To complete the deployment of Windows Hello for Business Cloud Kerberos Trust, there are two steps to follow:

  • Set up Azure AD Kerberos.
  • Configure a Windows Hello for Business policy and deploy it to the devices.

Deploy Azure AD Kerberos

For those who have already deployed on-premises SSO for passwordless security key sign-in, you should be aware that this means that Azure AD Kerberos is already deployed as well in your hybrid environment. So, this negates the need to redeploy or change your existing Azure AD Kerberos deployment to support Windows Hello for Business. If you haven’t done so, however, you can find the instructions in this section Enable passwordless security key sign-in to on-premises resources by using Azure AD.

Configure Windows Hello for Business policy

Once you have the Azure AD Kerberos object set up, you’ll need to enable Windows Hello for Business Cloud Kerberos Trust on your Windows devices. To configure your devices using Microsoft Intune you can follow the instructions below.

Intune policies can configure Windows Hello for Business if the devices are already under Intune management. You have several options available to you if you want to enable and configure Windows Hello for Business in Intune:

  • Devices enrolled in Intune can have a tenant-wide policy applied to them. However, this policy can only be applied at enrolment time. So any changes that are later made to its configuration will not apply to already enrolled devices. This is precisely why, most of the time, you’ll find this policy disabled. And then WHfB can be enabled using a policy targeted to a security group.
  • A device configuration policy can be applied as soon as the device is enrolled in Intune. If you make any changes to the policy, these will only apply to the devices during regular policy refresh intervals. You get several policy types that you can choose from:

Ø  Settings catalogue

Ø  Security baselines

Ø   Custom policy, via the PassportForWork CSP

Ø   Account protection policy

Ø   Identity protection policy template

Verify the tenant-wide policy

If you want to verify exactly which Windows Hello for Business policy was applied at enrollment you can follow the steps below:

  • Navigate to the Microsoft Intune admin center and sign in.
  • Select Devices > Windows > Windows Enrollment.
  • Select Windows Hello for Business.
  • Now you can check the status of Configure Windows Hello for Business as well as any other configurable settings.

Enable Windows Hello for Business

Windows Hello for Business is configurable using an account protection policy and to do so you can follow the steps below:

  • Navigate to the Microsoft Intune admin center and sign in.
  • Select Endpoint security > Account protection.
  • Select + Create Policy.
  • If you want to go with Platform then you should select Windows 10 and later. But if you want Profile then you should select Account protection.
  • Select Create.
  • Decide on a Name and then, optionally, a Description > Next.
  • If you go and select Disabled under Block Windows Hello for Business, you’ll be able to see multiple available policies.

It’s important to note that these policies are optional to configure, but the recommendation is to configure Enable to use a Trusted Platform Module (TPM) to Yes.

  • Under Enable to certificate for on-premises resources, select Not configured.
  • Select Next.
  • You’ll also have the option to add scope tags and select Next.
  • Assign the policy to a security group that contains as members the devices or users that you want to configure > Next.
  • Go over the policy configuration again and if satisfied select Create.

Configure the Cloud Kerberos Trust policy

If you want to configure the Cloud Kerberos Trust policy, you can do so using a custom template. Also, this configuration is done separately from enabling Windows Hello for Business. The configuration process should follow the steps below:

  • Navigate to the Microsoft Intune admin center and sign in.
  • Select Devices > Windows > Configuration Profiles > Create profile.
  • For Profile Type, select Templates and select the Custom Template.
  • Next, you need to provide a name for the profile. Ideally, this is something simple such as “Windows Hello for Business Cloud Kerberos Trust.
  • Then, head over to Configuration Settings where you’ll need to add a new configuration with these settings:

Ø  Name: Windows Hello for Business Cloud Kerberos Trust or something else similarly simple

Ø  Description (optional): Enable Windows Hello for Business Cloud Kerberos Trust for sign-in and on-premises SSO

Ø  OMA-URI: ./Device/Vendor/MSFT/PassportForWork/<tenant ID>/Policies/UseCloudTrustForOnPremAu

(This tenant ID will need to be replaced with the tenant ID for your Azure AD tenant)

Ø  Data type: Boolean

Ø  Value: True

Ø  The final step requires you to assign the policy to a security group whose members are the devices or users that you want to configure.

A very important thing that you need to be aware of is that you will first need to ensure that the Use certificate for on-premises authentication policy is not configured on all the machines that you want to enable Cloud Kerberos Trust. The reason for this is that if you enable this policy then certificate trust will take precedence over Cloud Kerberos Trust.

Provision Windows Hello for Business

When it comes to the provisioning of Windows Hello for Business, the process will begin once a user has signed in. That is, of course, if they meet all the prerequisites. In cases where Cloud Kerberos Trust is enabled by policy on Hybrid Azure AD-joined devices, then Windows Hello for Business Cloud Kerberos Trust will also perform a prerequisite verification. 

And if you want to view the status of the prerequisite check you can navigate to User Device Registration admin log under Applications and Services Logs > Microsoft > Windows. Alternatively, you can also view this information from a console by using the dsregcmd /status command.

During a Cloud Kerberos Trust prerequisite check, the system will be looking to pick up whether the user has a partial TGT before the provisioning process proceeds. And the importance of this check is to validate whether Azure AD Kerberos is set up for the user’s domain and tenant. 

Upon completion of the check and verification of the Azure AD Kerberos setup, the user can then receive a partial TGT during sign-in with one of their other unlock methods. There are three possible states that you can encounter during the check: Yes, No, and Not Tested. You will see the Not Tested state in a couple of situations:

  • Cloud Kerberos Trust is not being enforced by policy
  • The device is Azure AD joined

However, please note that Azure AD-joined devices will not have the Cloud Kerberos Trust prerequisite check performed on them. Users can still sign in on Azure AD-joined devices even if Azure AD Kerberos is not provisioned. But, they won’t have SSO to on-premises resources secured by Active Directory.

PIN setup

Once a user completes the sign-in process, the process for enrolling in Windows Hello for Business begins and happens as follows:

  • The user will see a full-screen page appear prompting them to use Windows Hello with the organization account. They can then proceed to select OK.
  • Next up in the process will be the multi-factor authentication portion of the enrollment. The user will then receive notification that the system is trying to contact them through their configured form of MFA. And without the success, failure, or timing out of the authentication, the provisioning process cannot proceed. If the MFA fails or times out, the user faces an error and see a request to retry.
  • Once there is a successful MFA, the user will then be asked to create and validate a PIN. This PIN needs to adhere to the complexity policies that may be set on the device.

Sign-in

Signing in can be done as soon as the user has finished setting up a PIN with Cloud Kerberos Trust. For those using Hybrid Azure AD joined devices there will need to be a line of sight to a DC when the PIN is first used. However, after this initial sign-in or unlocking with the DC, the system will leverage cached sign-in for subsequent unlocks without line of sight or network connectivity.

Migrate from key trust deployment model to Cloud Kerberos Trust

Occasionally, there may be situations where someone may have deployed Windows Hello for Business using the key trust model, but is now looking to migrate to the Cloud Kerberos Trust model. To do so you only need to follow a few simple steps:

  • Start by setting up Azure AD Kerberos in your hybrid environment.
  • Then you’ll need to enable Cloud Kerberos Trust via Group Policy or Intune.
  • Also, you’ll need to first sign out and sign in to the device using Windows Hello for Business when it comes to hybrid Azure AD joined devices.

When signing in for the first time, users of hybrid Azure AD joined devices must sign in with new credentials while having line of sight to a DC.

Migrate from certificate trust deployment model to Cloud Kerberos Trust

An important thing to note is that when moving from certificate trust deployment to a Cloud Kerberos Trust deployment, you’re not going to find a direct migration path. So, if you want to migrate to Cloud Kerberos Trust the Windows Hello container will first need to be deleted. For users that are interested in using the Cloud Kerberos Trust model but had initially deployed Windows Hello for Business using the certificate trust model, they will need to redeploy Windows Hello for Business. The steps to do that are given below:

  • To begin the process, the certificate trust policy will need to be disabled.
  • With that done you must then leverage either Group Policy or Intune to enable Cloud Kerberos Trust.
  • The next step involves the removal of the certificate trust credential using the command certutil -deletehellocontainer from the user context.
  • Sign out and sign back in.
  • Lastly, you can now provision Windows Hello for Business using the method that is best for you.

And similar to the previous scenario, when signing in for the first time, users of hybrid Azure AD joined devices must sign in with new credentials while having line of sight to a DC.

How Azure AD Kerberos enables access to on-premises resources

Kerberos TGTs can be issued for one or more of your Active Directory domains by Azure AD. The benefit of this feature is that it enables users to sign in to Windows with modern credentials, such as FIDO2 security keys, and then access traditional Active Directory-based resources. 

However, your on-premises Active Directory DCs will retain control over authorization as well as the Kerberos Service Tickets. It’s also going to be in your on-premises Active Directory instance where Azure AD Kerberos Server objects will be created and subsequently securely published to Azure AD. These objects have no links to any physical servers. They are only resources that can be used by Azure Active Directory to generate Kerberos TGTs for your Active Directory domain.

  • Users will first need to sign in to a Windows 10 device with a FIDO2 security key and authenticates to Azure AD.
  • Next, Azure AD will go through the directory looking for a Kerberos Server key that matches the user’s on-premises Active Directory domain.
  • At this point, a Kerberos TGT will then be generated by Azure AD for the user’s on-premises Active Directory domain. There’s no authorization data on this TGT, only the user’s SID.
  • The client will now receive the TGT as well as the user’s Azure AD Primary Refresh Token (PRT).
  • Then, an on-premises Active Directory DC will be contacted by the client machine in order to trade the partial TGT for a fully formed TGT.
  • The client machine is now able to access both cloud and on-premises resources because of the Azure AD PRT and full Active Directory TGT that it has obtained.

Requirements

There are a few prerequisites that need to be met if you are to proceed. And these are:

  • All concerned devices need to have Windows 10 version 2004 or later.
  • All Windows Servers will need to have Windows Server 2016 or later and have patches installed for Windows Server 2016 and Windows Server 2019.
  • AES256_HMAC_SHA1 must be enabled when Network security: Configure encryption types allowed for Kerberos policy is configured on domain controllers.
  • You need to have the necessary credentials to carry out the steps in the scenario:

Ø  an Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest. Referred to as $domainCred.

Ø  an Azure AD user who is a member of the Global Administrators role referred to as $cloudCred.

Supported scenarios

In this section, the scenario that we’ll be going over supports SSO in the situations below:

  • Cloud resources such as Microsoft 365 and other Security Assertion Markup Language (SAML)-enabled applications.
  • On-premises resources, and Windows-integrated authentication to websites. The resources can include websites and SharePoint sites that require IIS authentication and/or resources that use NTLM authentication.

Unsupported scenarios

The scenarios given below will not be supported:

  • Windows Server Active Directory Domain Services (AD DS)-joined (on-premises only devices) deployment.
  • Remote Desktop Protocol (RDP), virtual desktop infrastructure (VDI), and Citrix scenarios by using a security key.
  • S/MIME by using a security key.
  • Run as by using a security key.
  • Log in to a server by using a security key

Install the Azure AD Kerberos PowerShell module

Admins will be glad to know that there are FIDO2 management features provided for them by the Azure AD Kerberos PowerShell module.

  • To begin, you’re going to need to use the Run as administrator option to open a PowerShell prompt.
  • Next, you need to install the following Azure AD Kerberos PowerShell module:

# First, ensure TLS 1.2 for PowerShell gallery access.

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# Install the Azure AD Kerberos PowerShell Module.

Install-Module -Name AzureADHybr

Something that you should be aware of is that the Azure AD Kerberos PowerShell module uses the AzureADPreview PowerShell module to provide advanced Azure AD management features. For those that already have the Azure AD PowerShell module installed on the local computer, there could be a conflict that would result in the failure of the installation. 

So, if you want to avoid any such conflicts then you need to include the “-AllowClobber” option flag. The Azure AD Kerberos PowerShell module can be installed on any computer from which you can access your on-premises Active Directory DC. And this can happen without having to depend on the Azure AD Connect solution.

Furthermore, you’ll find that the Azure AD Kerberos PowerShell module is distributed through the PowerShell Gallery. What this Gallery will provide is a central repository for PowerShell content. If you are looking for useful PowerShell modules containing PowerShell commands and Desired State Configuration (DSC) resources then this is the place to find them.

Create a Kerberos Server object

Once you have completed the installation of the Azure AD Kerberos PowerShell module, admins can now use it to create an Azure AD Kerberos Server object in their on-premises directory. You’ll now need to perform the following for each domain and forest in your organization that contains Azure AD users:

  • To begin, you’re going to need to use the Run as administrator option to open a PowerShell prompt.
  • Next, there will be some PowerShell commands that are used for creating a new Azure AD Kerberos Server object both in your on-premises Active Directory domain and in your Azure Active Directory tenant that you will need to run. You can find examples of these prompts on this page.

View and verify the Azure AD Kerberos Server

At this point, you may want to check that everything that you’ve done has come out the way it’s supposed to. So, to check out the Azure AD Kerberos Server that you’ve been working on, you can use this command:

Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

By using this command, you’ll be able to see the properties of the Azure AD Kerberos Server. Doing so allows you to verify these properties and determine if this was the result you were looking for.

Running against another domain by supplying the credential will connect over NTLM, and then it fails. The issue can be resolved for users in the Protected Users security group in Active Directory by following these steps:

  • Navigate to ADConnect and sign in as another domain user
  • Don’t supply “-domainCredential”

The user that’s already signed in is the one whose Kerberos ticket is going to be used. However, you need to verify whether the user has the required permissions in Active Directory to execute the previous command and you can do so by executing whoami /groups.

VERIFYING PERMISSIONS

PropertyDescription
IDRefers to the unique ID of the AD DS DC object. Occasionally, you will find this ID called slot or its branch ID.
DomainDnsNameRefers to the Active Directory domain’s DNS domain name.
ComputerAccountThe computer account object of the Azure AD Kerberos Server object (the DC).
UserAccountRefers to the disabled user account object containing the Azure AD Kerberos Server TGT encryption key. The account’s domain name is given below:

CN=krbtgt_AzureAD,CN=Users,<Domain-DN>.
KeyVersionRefers to the key version of the Azure AD Kerberos Server TGT encryption key. The version can only be assigned after the creation of the key and will be incremented each time the key is rotated. Increments are based on replication metadata and are likely greater than one. Please note that you should always ensure that the KeyVersion for the on-premises object and the CloudKeyVersion for the cloud object are the same.
KeyUpdatedOnSimply refers to the date and time of the creation or update date and time of the Azure AD Kerberos Server TGT.
KeyUpdatedFromThe Domain Controller where the Azure AD Kerberos Server TGT encryption key was last updated.
CloudIdThis is the ID from the Azure AD object and it should also be the same as the ID from the first line of the table.
CloudDomainDnsNameRefers to the Azure AD object’s DomainDnsName and it should be the same as the DomainDnsName from the second line of the table.
CloudKeyVersionRefers to the KeyVersion from the Azure AD object which needs to be the same as the KeyVersion from the fifth line of the table.
CloudKeyUpdatedOnRefers to the KeyUpdatedOn from the Azure AD object and it should be the same as the KeyUpdatedOn from the sixth line of the table.

Rotate the Azure AD Kerberos Server key

Users are advised to regularly rotate the Azure AD Kerberos Server encryption krbtgt keys. And as far as what schedule to follow, it’s recommended that you use the same rotation schedule applied to all the other Active Directory DC krbtgt keys.

Remove the Azure AD Kerberos Server

In some cases, you may need to revert the scenario and remove the Azure AD Kerberos Server from both the on-premises Active Directory and Azure Active Directory. To do so, you can follow the command below: 

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

Multiforest and multidomain scenarios

We find that in Azure AD the Azure AD Kerberos Server object is represented as a KerberosDomain object. And each on-premises Active Directory domain will be represented as a single KerberosDomain object in Azure AD. 

Wrap up

Something that should be as simple as a password can create plenty of problems for businesses. If a user forgets a password this will hinder productivity and will cost the business as IT has to come in and resolve the issue. This is just one example of how issues with passwords can be problematic for businesses. And these situations can create vulnerabilities in an organization’s network that can leave them exposed to malicious actors.
As you go over these problems, it’s easy to see why Windows Hello for Business can be just the right tool to address these challenges. It’s a service that offers you a simple but secure way to authenticate identities and thus enhance your overall organizational security. With cyber-attacks becoming more prevalent and sophisticated, solutions like Windows Hello for Business look like the way to go for the future.

9 Things to Know About Windows Autopatch

The Microsoft ecosystem has a vast array of products and services that are integral to the operations of countless businesses across the globe. And it’s extremely important to ensure that your business can conduct affairs seamlessly without interruptions. 

This is why you cannot ignore the issue of updates. You need to make sure that everything is always up to date and in doing so you guarantee that your Microsoft services are running at optimum levels. 

But, keeping up with updates can be challenging at times and therefore, you can find some applications lacking the most recent updates. Fortunately, we now have Windows Autopatch to adequately deal with this task.

What is Windows Autopatch?

So, we’ll start by looking at what exactly Windows Autopatch is. This relatively new product is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization. 

By automating the management and rolling out of updates, this service will make life easier for admins. Especially in larger organizations where admins can be responsible for large numbers of devices.

Although most would agree that the quality of Windows updates has improved in recent years, the updating process can still be rather challenging. Admins are still responsible for making sure that the process performs seamlessly and that new Windows patches are applied without issue. 

And when you consider the multitude of other tasks that admins need to manage, it’s easy to see how problems can arise. This is precisely why Windows Autopatch plays such a key role by automating this particular task and thus lightening the burden on admins.

Importance of updates

Another issue to look at it is why are updates so important. Why does it seem as though some people are always going on about updates? With the increasing threat of cybercrime, updates are one of the best ways to protect your organization against attacks. 

Nefarious actors are constantly looking for vulnerabilities in your system and if they find any it can be catastrophic for your business. Updates can address any existing bugs and vulnerabilities that may be in your system. By patching these security flaws, you can lower the risk of successful attacks against your system.

In addition, updates will also address bugs that affect performance.  As technology continues to evolve, organizations will also be improving their products and services. So, updates allow you to get the latest and best features for your applications. This will give you a better overall user experience and ultimately your business can run more efficiently. Furthermore, updates can help you get even better performances from your devices. We’ve all probably at one point or another had the frustrating experience of an application crashing. 

It’s never a pleasant experience and can cost you some work progress.  By updating your applications, you significantly reduce the chances of these occurrences. With that said, let’s take a look at some of the features that make Windows Autopatch such an amazing service. 

Comparison to Windows Update

One of the first things that people may be wondering is how does Windows Autopatch differ from Windows Update for Business? With Windows Autopatch what organizations are getting is a service that eliminates the need for manually planning and operating the update process. The goal is to give you an automated update system that becomes the responsibility of Microsoft and in doing so frees up your IT team from this task. 

So, when we look at Windows Update for Business, we find one of the components that Windows Autopatch uses for updating devices. And both Autopatch and Windows Update for Business are part of Windows Enterprise E3.

Therefore, we’re not talking about differences but rather how Windows Update for Business is one of the components that Autopatch uses. On the other hand, you also have the option to use ConfigMgr by adding a CMG if there’s an interest in adding a CMG. 

In addition, you may also enable co-management after which you can migrate the Windows Updates workload to Intune so that you can take advantage of Windows Update for Business. Simply put, the greatest benefits of Windows Autopatch are not about which components get the job done, but rather the automation provided. Microsoft takes over responsibility for your updates in a manner that intends to offer greater convenience and satisfaction. 

Requirements

The next thing you’ll need to know is what the requirements are to be eligible for Autopatch. Below you’ll find the requirements that you need to meet before proceeding:

§  Licensing – to use Autopatch, you need your end-users to have Windows 10 and Windows 11 E3 or higher. There are also some additional licensing requirements such as Azure Active Directory Premium and Microsoft Intune.

§  Connectivity – as one would expect, you are going to need connectivity to Microsoft update services endpoints. There are several endpoints on this list but below are some of them: 

  • mmdcustomer.microsoft.com
  • mmdls.microsoft.com
  • logcollection.mmd.microsoft.com
  • support.mmd.microsoft.com 

§  Azure Active Directory – when it comes to the requirements for Azure AD, you get two options. The first option allows you to use Azure Active Directory as the source of authority for all user accounts. And then for the second option, you can synchronize your users from the on-premises Active Directory Domain Services by leveraging the Hybrid Azure AD Domain join.

§  Device management – your devices will need to be under Intune management and therefore, Intune should be the Mobile Device Management (MDM) authority. If not, then you need to opt for co-management. Furthermore, all the devices must be corporate-owned and not in a BYOD scenario. All devices should also have internet connectivity and will need to have been in contact with Microsoft Intune in the last 28 days. Minimally, you’ll also be required to ensure the configuration of the following in Microsoft Intune:

  • Windows Update
  • Device configuration
  • Office click-to-run apps workloads

What does Autopatch update?

Thus far, we know that Windows Autopatch seeks and intends to manage your updates for you. But you still need to know what exactly Autopatch will be responsible for. To make the task easier, Windows Autopatch will place devices into groups based on their software and hardware configurations. Doing it this way enables suitable test machines to receive updates first and if all goes well, then broader deployments can proceed as well.

Below is a list of what Autopatch will be responsible for updating:

  • Windows 10 and Windows 11 quality updates
  • Windows 10 and 11 features
  • Windows 10 and 11 drivers
  • Windows 10 and 11 firmware
  • Microsoft 365 apps for enterprise updates

In addition to the above list, Windows Autopatch will also be responsible for patching drivers and firmware that are only published to Windows Update as automatic. Also, in terms of how Windows Autopatch operates, there are four deployment rings used, with the first one catering to a few of your company’s devices and the second one responsible for 1% of these devices. The third and fourth rings will contain 9% and then 90% of the organization’s devices respectively. 

Enhancing business operations

One of the biggest things that Autopatch offers businesses is that it helps to eliminate the need for complex IT infrastructure. Doing so allows organizations to focus a lot more on core business matters. Windows Autopatch will help you to address some of the challenges below: 

  • Close the security gap: keeping your software up to date means that you’ll always have all the latest security features, making any vulnerabilities addressable. As a result, you can reduce your risk of suffering successful attacks.
  • Close the productivity gap: getting all the latest productivity features as soon as they become available means that end-users can consistently perform at their best and improve creativity and overall productivity.
  • Optimize your IT admin resources: because Autopatch takes over responsibility for routine updates, your IT staff can dedicate significantly more effort towards tasks that will enhance your organization’s operations.
  • On-premises infrastructure: your organization can invest less in on-premises infrastructure by migrating to the cloud and adopting software-as-a-service solutions. And with updates delivering from the cloud, this can offer you an even more efficient system.  
  • Onboard new services: Windows Autopatch simplifies the addition of new services to your organization. By making the process easier, IT admins will no longer need to dedicate as much time to onboarding processes.
  • Minimize end-user disruption: the sequential deployment rings mentioned above, as well as the ability to respond to reliability and compatibility signals, is helpful. It means that end-users will face far fewer disruptions because of updates.

Ultimately, Windows Autopatch is a service that removes some of the burdens from your IT team. Taking over the planning and deployment of updates for Windows, Microsoft 365 Apps, Microsoft Edge, or Teams, means your IT staff can focus more on core business activities. 

Enrollment process

The enrollment process is going to begin with you navigating to Intune Portal > Tenant administration > Windows Autopatch Tenant enrollment where you’ll proceed to tick the box. Doing this will launch the readiness tool whose objective is to verify that all requirements have been met before enrolling your tenant. 

If the process fails, then you will see your status displayed as Not Ready. And you have an option to click on View Details so that you can get all the information regarding what requirements you’re missing. As soon as you address the relevant areas, you can click on Run Checks. From there, another verification will carry out to see if the issue has been resolved.

After addressing existing problems, you can now proceed to select Enroll. During this process, Microsoft will need you to provide consent to have certain access to your tenant. 

Providing this consent allows the process of setting up Windows Autopatch to proceed. And it will also be necessary in case there are any problems that the support team may need to deal with. In addition to giving consent, the setup process also requires you to provide the contact details of two administrators. 

It is necessary that these details be availed and that these admins be two separate individuals. Having completed this step, Autopatch will then proceed to set up the required policies, accounts, groups, and profiles. With all this done, Windows Autopatch will now be enabled for your tenant and available for use. However, you will still need to register the devices that you want for Autopatch.

Autopatch device registration

The device registration process will allow the devices that you want to be placed under the management of Windows Autopatch. It’s a relatively easy process that requires you to place devices in the Windows Autopatch Device Registration group. This happens to be an Azure AD group. There are two different pathways that you can utilize to register your devices. 

But the path you choose will depend on the type of the device. Windows 365 Cloud PCs will have their own path and then all other Windows devices will have to use another path. The registration with Autopatch will begin during Cloud PC provisioning for Windows 365 Cloud PCs. And this will happen as soon as the provisioning policy is set up with Autopatch enabled.

When it comes to all the other Windows devices, they will first need to be added to the Windows Autopatch Device Registration Azure AD group. Only then can the registration with Autopatch begin.

Note: An important thing that you need to be aware of is that if anything happens to a device that causes a new Azure AD device ID to be generated, that device will need reading to the Azure AD group. Furthermore, you can add devices to the Azure AD group via a direct membership, by using bulk import of group members. You can also do so by nesting various other Azure AD groups.

Update management

Another point that should be of interest is the areas of management that Windows Autopatch will handle for you. In the table below you’ll find detailed information concerning this:

Management areaService level objective
Windows quality updatesThe objective here is to ensure that at least 95% of eligible devices get to receive the latest Windows quality update 21 days after release.
Windows feature updatesIn this case, the goal is to ensure that at least 99% of eligible devices remain on a supported version of Windows to enable them to continue receiving Windows feature updates.
Microsoft 365 Apps for EnterpriseWindows Autopatch wants to ensure that at least 90% of eligible devices are kept on a supported version of the Monthly Enterprise Channel (MEC).
Microsoft EdgeAll eligible devices are going to be configured by Windows Autopatch so that they can leverage Microsoft Edge’s progressive rollouts on the Stable channel.
Microsoft TeamsFor this particular scenario, the benefit of Windows Autopatch is that it enables all eligible devices to take advantage of the standard automatic update channel.

More to know

However, users will need to be aware that for devices to receive specific updates, they will need to meet certain requirements for each management area. For instance, devices may need to have access to the required network endpoints for the Windows update. So, to avoid issues or unwanted disruptions, it’s best to ensure that you verify the eligibility of all devices for the various updates.

Also, all eligible devices will be tagged as either Healthy or Unhealthy. And doing so makes it possible to verify whether service level objectives are being met. Healthy devices are simply those that meet the eligibility criteria for a particular management area. Unhealthy devices are the opposite. So, you will find that an incident raises every time Windows Autopatch falls below any service level objective for a management area. 

Admin responsibilities

With all the benefits that come with using Windows Autopatch, we need to remember that IT staff will still retain certain responsibilities. As great a service as Autopatch may be, Microsoft does not intend for it to completely eliminate all human intervention in the process. Before applying patches, it would be wise for IT to look into them first. They need to check compatibility and stability. You can then avoid significant problems that may disrupt your organization’s operations. 

Also, when it comes to the application of patches, it’s important to learn to prioritize patches. Some patches may be urgently required to address pressing security issues. However, that’s not to say the other patches are not important. But IT has to perform a delicate balancing act to ensure that all updates are done in a manner that does not expose you to threats nor compromise operational efficiency.

Furthermore, simply because the goal of Autopatch is to make the update process easier, it does not mean IT admins can fold their hands and forget about it. It’s critical that IT keeps an eye on the update process to see that everything proceeds as planned. Not only that, but admins need to prepare to intervene in case of unexpected issues so that they address them in a timely fashion. 

Monitoring the system also allows the admins to periodically perform their own evaluations of the efficiency of the progress. This will ultimately help you pinpoint any areas of concern that need improving, so that the system can perform even better. Otherwise, if you don’t keep an eye on things, you may end up with security vulnerabilities that could prove very costly. 

How to deregister a device

Occasionally, you may find yourself in a situation where you need to deregister a device. And you will want to do this without causing the end-user unnecessary disruptions. To ensure that this happens, Windows Autopatch will only delete the Windows Autopatch device record itself. 

Also, device deregistration will not allow you to delete Microsoft Intune and/or the Azure Active Directory device records. This, therefore, means that the expectation is for you to continue managing those devices. However, please be aware that removing devices from the Windows Autopatch Device Registration Azure AD will not deregister devices from the Autopatch service. 

To deregister a device, you follow the steps given below:

  • Navigate to Intune admin center and sign in.
  • In the navigation menu that appears, select Windows Autopatch.
  • Select Devices.
  • Choose the device or devices that you want to deregister from the Ready or Not Ready tab.
  • After the device selection is done, select Device actions, then select Deregister device.

Excluded devices

If you have deregistered a device from the Autopatch service, it will then flag as excluded. This will ensure that Autopatch won’t attempt to reregister the device into the service again. It’s because the deregistration command does not cause device membership removal from the Windows Autopatch Device Registration Azure AD group. 

So, reregistration of a device that was previously deregistered from Autopatch will require the submission of a support request to the Windows Autopatch Service Engineering Team. The goal of this request is to ask that the excluded tag be removed during the deregistration process.

Wrap-Up

Organizations are constantly looking for services that can improve the way they operate from top to bottom. Especially when it comes to IT staff who can often be overburdened with the tasks at hand. This is precisely why Microsoft develops services like Windows Autopatch to simplify the patching process while simultaneously maintaining highly secure networks. It helps IT admins with task management by offering an extremely efficient service that automates the management of software updates and patches. 

And Autopatch does not completely remove admins from the process so they will retain overall control over their devices. This is something that will help to alleviate fears that admins may have about device management. When all is said and done, Windows Autopatch is a service that can bring a lot of efficiency and security to the patching process but the decision to use it remains yours to make.

Script to configure Azure AD Cloud Kerberos Trust

As businesses increasingly operate in hybrid environments spanning both on-premises and cloud infrastructure, the need for seamless authentication across multiple environments becomes paramount. To address this challenge, organizations are turning to automated processes for implementing and managing Cloud Kerberos Trust. This automated approach streamlines the integration of Kerberos-based authentication in diverse environments, ensuring efficient and secure access to cloud resources.

The PowerShell script Enable-CloudKerberosTrust.ps1 simplifies and automates the process of Configuring Azure AD Cloud Kerberos Trust.

To get a deeper understanding and a great story, You should also read to following article series by Ben Whitemore and Michael Mardahl who inspired the script.

1. Install Azure AD Kerberos PowerShell module
2. Prompt the user for domain admin credentials (if it detects it is not running as domain admin)
3. Create a Kerberos Server object
4. Verify a Kerberos Server object has been created successfully
5. Create "CKT-Policy" Intune configuration profile 
6. Create OMA-URI for Cloud Kerberos Trust enablement
7. Assign the configuration profile
1. Azure Active Directory global administrator.

2. Active Directory domain administrator.

3. Approve admin consent for the following permissions in Microsoft Graph application in Azure AD apps:
CloudPC.ReadWrite.All, DeviceManagementConfiguration.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, Directory.Read.All
.PARAMETER Domain
Specifies the on-premises Active Directory domain. A new Azure AD Kerberos Server object will be created in this Active Directory domain.
.PARAMETER UserName
Specifies the UPN of an Azure Active Directory global administrator.
.PARAMETER TenantID
Specifies the Azure AD tenant ID for the new Intune configuration policy.
.PARAMETER Group
Specifies the device group to assign the new Intune configuration policy.
.PARAMETER LogPath
Specifies path to save script output to.
.EXAMPLE
.\Enable-CloudKerberosTrust.ps1 -Domain xyz.com -UserName [email protected] -TenantID 0570e92c-8fb4-4775-9eb8-61f20dd2ce72 -Group Group1 -LogPath .\

Download the script: Enable-CloudKerberosTrust.ps1

NOTE: THIS SCRIPT IS CONTINUALLY BEING IMPROVED – If you would like to suggest additional checks or improvements, feel free to reach out with your input.

How Windows 365 Helps Achieve Sustainability

The need for greater focus on more sustainable practices is something that has become of significant importance to most nations. And it’s clear to see why as we look at our environment and see the danger for future generations. Microsoft takes this responsibility very seriously and considers sustainability as part of the organization’s culture. Therefore, it’s important to develop products and services with sustainability in mind. This is why a platform like Windows 365 is so great because of the potential it has. In this blog, I’ll be looking at just how Windows 365 can help in the development and implementation of more sustainable solutions. 

Importance of sustainable practices

Over the twentieth century, we witnessed incredible advances in technology and innovation. And no one can deny the benefits that humanity has reaped from all this development. However, a lot of the time these developments occur without any concern for the environment around us. All around us the results are evident in the depletion of natural resources, pollution, deforestation, poor air quality, etc. If we consider just the United States alone the CO2 emissions are already concerning and could potentially reach very dangerous levels in a few more decades.

Fortunately, over the last few decades, people have become increasingly aware of how terribly our planet has suffered. And now organizations like Microsoft are working tirelessly to develop sustainable technologies that can limit the negative impact that we humans have on the environment. Ideally, these technologies should limit environmental degradation during the manufacturing stage as well as during usage. Unfortunately, a lot of the environmental damage cannot be reversed. But with services like Windows 365, Microsoft is looking to protect our environment from further destruction.  

Impact of technology on the environment

For a lot of folks, when you think about technology what comes to mind are computers, cellphones, tablets, smart gadgets, and anything else that has become a must-have, integral part of our lives. Not many will consider the environmental impact of their cellphone or PC. But, the reality is that the devices we use all require various materials to make them and these include finite natural resources, precious metals, and more. 

MINING

Also, we cannot ignore the environmental impact of the mining process itself. It is responsible for deforestation, landscape destruction, and water pollution. And this is long before we even address the often incalculable loss suffered by entire communities that may face displacement.

GAS EMISSIONS

And then there is the colossal energy consumption and production of gas emissions that are involved. Unfortunately, this doesn’t end with the mining process. We find that manufacturers as well will require huge amounts of energy to turn the products of mining into the modern high-tech devices that end up in our homes. 

After the manufacturers are done, businesses will rely on vast transport networks to get the various products delivered to clients all across the globe. So, as we move along the chain, more and more energy is required and gas emissions keep increasing. To add to all of this, the cost to the environment will keep growing for the lifecycle of these gadgets. Because every time you plug a device into a non-renewable energy source there is a carbon cost incurred. 

ELECTRONIC WASTE

Unfortunately, however, the cycle doesn’t end once a device is no longer in use. Tens of billions of dollars (yes, billions) worth of electronic waste is thrown away annually, with most of its remains ending up in landfills or burned. As much as recycling may be gaining traction, not enough old electronic devices are being recycled. 

The carbon emissions from dumping electronics are massive. But we additionally have to worry about the leaching of chemicals which is going to worsen environmental degradation and potentially pollute water. This can be extremely frustrating especially when considering how beneficial it would actually be to the environment if we could reclaim valuable materials through recycling. Not to mention the potential employment creation and economic benefits. 

Why is Windows 365 important?

Windows 365 is a platform that Microsoft has designed to offer an innovative, virtualization service that can help minimize our negative impact on the environment. Announced in 2021, Windows 365 enables users to access Cloud PCs from anywhere.

As businesses increasingly continue to embrace the idea of a hybrid work environment, Windows 365 wants to be the solution and hybrid platform of choice for those workers looking to migrate to the cloud. By streaming Windows 10 or Windows 11 to almost any available device, Microsoft will offer users the ability to take their desktops anywhere. And Microsoft assures clients that Cloud PCs are highly secure so users can work remotely with greater peace of mind.

ENVIRONMENTAL ADVANTAGES

Immediately you begin to see how Windows 365 is hugely beneficial to the environment. Because all your computing needs are taken care of on the Microsoft Cloud, you don’t necessarily need a powerful device. As a result, it means that organizations may not need to keep purchasing devices for new employees. And they also won’t need to keep refreshing devices every few years. To make accessing Cloud PCs convenient and easy, Microsoft allows you to use most devices.

All you need is a decent internet connection and you’ll be able to operate a reasonably powerful Windows PC using just about any device. So, all Windows 10 and Windows 11 devices should be compatible with Windows 365. The best part, however, is that clients will be able to easily stream a Windows 365 session to hardware running macOS, iOS, Linux, and Android. Ultimately what this will mean is that businesses won’t need to be potentially throwing away PCs as often as they do now. In addition to the environmental benefits, the financial upside for businesses would be massive.

FOOTPRINT REDUCTION

Network servers are key infrastructure and have a tendency of taking up a lot of on-site space. That’s not all but the hassle of maintaining said servers including the security personnel to oversee and monitor them can drive costs sky high. Fortunately, Windows 365 has made it possible for organizations to reduce both this expenditure and the business’ physical footprint.

The fact of moving operations to the cloud means the amount of office space needed is significantly decreased. A modest business premise will probably be all that’s necessary instead of the vast swathes of corporal real estate typical of pre-pandemic offices. 

Furthermore, thanks to the remote working models adopted by companies during the pandemic and the flexibility Windows 365 affords, it may be possible for a sizable part of the workforce to continue working remotely full-time. 

Reducing consumption

One of the biggest selling points when it comes to Windows 365 is that you pay only for what you need. Organizations, both big and small, can pick the subscription model that best fits them.

The subscription models available are Windows 365 Business for smaller businesses and Windows 365 Enterprise for larger ones. Regardless of which you choose, you get the same range of features and an extensive 12 Cloud PC configurations from which to make your selection. For those looking for a bargain, the first configuration is worth considering. For just $20 you get 1vCPU, 2GB RAM, and 64GB storage. If your employees are frontline workers or only require access to basic CRM software then this configuration is ideal. For more demanding operations, the $158 option gives you access to 8 vCPUs, with 32GB RAM and 512GB storage. This setup works best for those dealing with heavy computing scenarios like software engineers. Whether you’re looking for a lightweight or heavy-duty option, there is a solution for you.

The reason why this is so important is that having access to the computing resources you need and no more can help to reduce electricity consumption. When you look at traditional data hardware systems, they require a consistent power supply to run the infrastructure efficiently. Not to mention things like cooling fans, alarm systems, etc. All these elements combined consume a significant amount of electricity. 

LARGE ENTERPRISES BENEFIT, TOO

And the bigger the organization, the larger the infrastructure will be, and consequently the greater the electricity consumption. Windows 365 offers organizations the option to migrate their operations to the cloud and start saving energy. Some reports have suggested that cloud migration has the potential to reduce energy consumption by up to 65%. If accurate this would undoubtedly be a great step towards achieving sustainability goals. And if you can reduce energy consumption by that much then that will also reflect very favorably in the organization’s finances.

STATS TO SUPPORT A REDUCTION IN ENERGY CONSUMPTION

In addition to the potential reduction in energy consumption, there is some research that appears to suggest that organizations can reduce their carbon emissions by 72 to 98% by moving their IT infrastructure from traditional data centers to the cloud. In this Microsoft white paper, we are told:

“Microsoft Cloud is between 22 and 93% more energy efficient than traditional enterprise data centers, depending on the specific comparison being made. When taking into account our renewable energy purchases, the Microsoft cloud is between 72 and 98% more carbon efficient.” 

Typically, we expect cloud data centers to help reduce carbon emissions because they will generally have newer, more efficient equipment and are increasingly relying on renewable energy. Although measuring and reducing carbon emissions presents significant challenges, a lot of research is still going on to aid the development of more sustainable solutions.   

Assessing your sustainability

With an increasing number of organizations being concerned about sustainability, it may be time for your business to start planning an assessment. Especially considering the public interest in sustainable businesses. Before you start looking at sustainable solutions and how to implement them, you need to do an assessment of your business operations and the impact on the environment. Once you have that information and a clear picture of your business’ operations, you can develop baselines that you can build on. There are various assessments that can be carried out and below are some of them.

EVALUATION OF ENERGY USAGE AND EFFICIENCY

Businesses often have massive energy consumption, although some will obviously utilize far more than others. By doing a thorough assessment, you can see how your business is operating and this will enable you to not only reduce energy consumption but greenhouse gas emissions as well, among other things. A good way to complete this assessment may include working alongside engineers and other experts in sustainable practices.

EVALUATION OF YOUR ORGANIZATION’S CARBON FOOTPRINT

When looking at how businesses emit greenhouse gases that list is often a very long one. The most obvious would be powering your premises, manufacturing processes, transportation of staff, distribution of products, etc. As we can see from the few listed examples, carrying out this assessment is far from a simple exercise. However, it’s an extremely important process if you want to see what your business carbon footprint looks like.

Unlike with the energy audit, measuring your carbon footprint requires the calculation of the greenhouse gases emitted by your business premises and the various operations. The energy audit and carbon footprint measurement work hand in hand since they expectedly affect each other. And similar to the energy audit, measuring your greenhouse gas emissions is easy when executed by a professional team/service.

Working remotely

A lot of businesses have been adopting hybrid working setups in the last few years. After the pandemic, as things slowly started to return to normal, businesses were discovering that some employees still preferred to work from home. And the great thing about the Windows 365 Cloud PC is that it allows users to work easily from anywhere without compromising the organization’s security. 

BENEFITS

But, the benefits of the Cloud PC go beyond the flexibility afforded to employees. If people are given the option to work from home, they will. And this reduces their need for commuting and consequently the demands on the transportation sector. In a report by The Global Workplace Analytics, they made the assessment that remote workers can contribute massively to the reduction in greenhouse gas emissions by removing over half a million cars from the road. In addition, they go on to state that even working from home half the week can see an emissions reduction of up to 54 million tons every year.

Something else that we could potentially benefit from is a cleaner atmosphere. There’s no denying that the fuel used by cars or the emissions from buses have played a massive role in the rapidly declining quality of the air we breathe. So sustainable solutions that can help improve the quality of air would be most welcome. 

At the height of the pandemic during the lockdowns, a lot of people would have noticed how the quality of air appeared to improve, albeit temporarily. Therefore, adopting platforms like Windows 365 could do a lot to mitigate the effects of environmental degradation. In addition to the environmental benefits, there’s plenty more to like when you look at the features of Windows 365.

ATTRACTIVE FEATURES

And it’s these features that enable this service to be an attractive option for organizations looking to minimize their environmental footprint.  Among these features we can list: 

  • Instant boot to a personal Cloud PC.
  • Clients get the full Windows experience in the cloud.
  • Clients can also stream various applications, tools, data, and settings directly from the Microsoft Cloud across any device.
  • You get a choice of running either Windows 10 or Windows 11.
  • Secure by design, and fully compliant with Microsoft’s Zero Trust principle.
  • Flexible per-user, per-month pricing plans at flat subscription rates.
  • A scalable set of virtual hardware parameters that lets you adjust to changing conditions whenever necessary.
  • Fully compliant with Azure AD and MEM.
  • Fast setup process that provisions your Cloud PC within minutes.

Sustainability solutions

Microsoft is clearly playing a significant role in trying to help businesses achieve their sustainability goals and accelerate that progress. And another key element is the Microsoft Cloud for Sustainability which combines environmental, social, and governance (ESG) capabilities across the Microsoft cloud portfolio to enhance the way businesses are operating. This is in addition to the solutions from Microsoft partners who they’re working with to enable organizations to get the necessary transparency and insights for the effective management of their environmental footprint.

These efforts should also allow organizations to implement sustainability throughout their entire organizations and value chains. As a result, businesses will be able to develop new value in this changing landscape. By leveraging Unify data intelligence, you’ll be able to get the visibility required for you to push business transformation, sustainability efforts, and sustainability reporting. What this means is that your organization can streamline data ingestion, integration, and calculations as well as analyze and report environmental impact and sustainability progress.

SOLUTION CAPABILITIES

Next, we can talk about how to build a sustainable IT infrastructure. This approach enables businesses to identify opportunities to swap out their existing suite of solutions for cleaner versions that increase the business’ overall value. Leveraging this option you can:

  • Establish carbon and energy efficiencies within cloud infrastructure.
  • Evaluate, track, and assist with enhancing compliance with international, regional, and industry policies and standards.
  • Incorporate sustainable technologies designed with environmental impact in mind.

Another key thing you’ll want to do is reduce environmental impact of operations. Businesses need to assess their operations, systems, tools, etc, to determine how they can reduce their environmental footprint. This is important so that you can:

  • Promote energy efficiencies and move towards renewable energy sources.
  • Upgrade transportation systems and improve fleets.
  • Minimize the environmental impact of buildings, spaces, and equipment.
  • Facilitate streamlined collaboration regarding targets and objectives.

Furthermore, we cannot ignore the issue of creating sustainable value chains. This is a critical area that allows you to put in place measures for transparency and accountability throughout the entire value chain. So that means from the businesses where you source your materials right through the end of use. Ultimately, this should enable you to optimize materials and thus create more sustainable products and services.

What else does Windows 365 offer?

Meeting sustainability goals is a wonderful target to have but organizations need to know what else Windows 365 can offer.

SECURE HYBRID WORK

As attractive as the idea of achieving sustainability is, without top-notch security migrating to the cloud would not be a good idea. So, Microsoft has enhanced security measures by implementing Zero Trust principles enabling each request to be fully authenticated, authorized, and encrypted before access is granted. Add to that the fact that data is not stored on the physical devices but on the cloud and you have even more protection around your data. These measures should help to assuage concerns about the security of remote work as well as the risk of security breaches. Not to forget as well that Windows 365 clients can benefit from the already existing solutions that are part of Microsoft Endpoint Manager.

SIMPLE TO USE

Microsoft boasts that the user-friendliness of this service means organizations won’t have to hire additional IT specialists to configure and supervise Cloud PCs. This effortless management model and instant start-up capacity means that even the less tech-savvy members of your team can perform their duties without too much trouble. This is something that may also help you to lower overall operating costs. Furthermore, your IT staff can manage, deploy, and configure the PC environment just as they have done all along.

Wrap up

Change is something that is rarely easy to accomplish but is often necessary. As our environment continues to suffer, individuals and organizations need to start working towards sustainable goals. And the IT sector can do a lot to help the cause of this planet. Microsoft has taken a huge interest in sustainable development and we see that with services like Windows 365. The solutions it offers can play a big role in reducing energy consumption, greenhouse gas emissions, and waste. Undoubtedly this will not be an overnight process but progress needs to be swift because of the situation we already find ourselves in. Fortunately, as the push for more eco-friendly products and services gathers momentum, we are seeing greater participation from all industries. And this can only be a good thing for the planet.

Introducing the Microsoft Inclusive Tech Lab

As we all know, over the years Microsoft has already put in a lot of work towards the development of more inclusive solutions for all its customers. So when we talk about the Microsoft Inclusive Tech Lab, we’re not talking about something new but rather a significant update on the lab that had previously been at the center of this work. 

According to Microsoft, this new lab which is designed “to learn and develop specifically for people with various types of disabilities” will provide a facility that can greatly enhance the work being done to provide more inclusive solutions. In this blog, I will take an in-depth look at this new Microsoft Inclusive Tech Lab and what it could mean for inclusivity going forward. 

Why we need inclusive solutions

In this modern era that we live in, no one can deny the significance of technology in all our lives. Regardless of which sector we can look at. Whether it’s the health sector, education, engineering, etc. The applications of various types of technology are limitless in any sector.

And this is exactly why it’s important to ensure that technology can be accessible to everyone. So what do we imply when we say “inclusive technology?” Simply put, all this refers to is ensuring that the technology available is accessible to everyone including groups that may previously have had difficulty accessing it such as those living with disabilities.  

By having facilities such as the Microsoft Inclusive Tech Lab, we will witness significant strides being made in providing inclusive technology solutions for everyone. And this is something that would be crucial not just in the work environment but beginning in early education. 

This will help to provide all students with a similar platform for engaging with learning material and enhancing the learning experience. With a setup like this in place, we can expect to see the benefits of this go beyond the educational phase and into the work environment.  

Introducing the Inclusive Tech Lab

Arguably the most important aspect of the Microsoft Inclusive Tech Lab is that it not only develops inclusive solutions but that these solutions are made by people living with disabilities. As such, the objective for Microsoft is to show just how great the potential can be when you bring in people with disabilities in the development process. 

The facility itself is a representation of how committed Microsoft is to developing inclusive solutions. Especially when considering how sensitive a lot of individuals may be to their environment. This then creates the ideal environment where introductory tours and collaborative workshops can be held to further the work being carried out.

The lab gives you an opportunity to view just how Microsoft’s products as well as those of its partners can work together to good effect. Therefore, this is the place to go when searching for the best assistive solutions that Microsoft and its partners are putting together. 

This kind of work clearly demonstrates how Microsoft and its partners are determined to ensure that the fruits of all their development work can benefit all who require access. Expanding the realm of possibilities can significantly alter what the future of the technology industry can look like.

According to Microsoft:

The space is purpose-built to continue this work. It is highly modular and will adapt to specific needs over time and across different projects, allowing discussion and design sessions on products and services intended for home, the workplace, schools, and remote connections. It is a place designed to demonstrate what is possible when you intentionally and proactively include people with disabilities in the product-making process and strive to build products that are genuinely inclusive by design.

The Inclusive Tech Lab is intended to be an embassy for people with disabilities, not a space about them. It will include a showcase of Microsoft’s accessible hardware, software, and services, as well as experiences created by our partners. Primarily, however, it is an inclusive design incubator where Microsoft and disability communities can ideate and evaluate product design and direction. It is a space where our designers can challenge assumptions while learning to recognize the exclusions and constraints faced by people with disabilities. We harness that understanding to create new ideas, designing for “one” and extending to many.”

Inclusive involvement

The teams of individuals working on various projects are encouraged to use the ideas they have received from people with disabilities and find ways to apply them to the technologies they are working on. By providing teams with this lab and all its capabilities, the people here literally have the sky as the limit. They can imagine and work on ideas that are driven toward making a fully accessible environment for everyone across the globe. 

The full involvement of people with disabilities means that the Microsoft Inclusive Tech Lab seeks to do more than just create a product. As good as that may be, the project wants those working on solutions to be able to relate on a deeper level to those who they are designing products for and how it will affect their lives.  

Principles of Inclusive Design

So now that we’ve looked at why seeking to develop inclusive solutions is such an important objective, we can consider the principles that Microsoft will lean on during this endeavor. Firstly, we can talk about the recognition of exclusion. What this simply refers to is the fact that all of us, regardless of where we’re from, have our own inherent biases that determine how we view the world and therefore live our lives. 

The key then at Microsoft is to acknowledge that these biases exist and this gives you an opportunity to explore these issues. As you recognize what they are and how detrimental they’ve been, you can start engaging the affected communities and coming up with inclusive solutions to bridge all the necessary gaps.

Learning from diversity

The next principle that Microsoft looks at is that of learning from diversity. This is because there is an appreciation of just how different and divergent perspectives can positively impact a learning or work environment. We actually find that in some schools of thought, it is believed that within diverse work and learning environments cognitive skills and critical thinking can improve. 

What causes this is that the interactions that go on in these diverse communities can challenge you as an individual with different views and perspectives that you might not have previously considered. 

Therefore, Microsoft wants to have its Inclusive Tech Lab be a place that will promote learning from diversity. Especially considering the wide reach of its products and services across all continents.  

The last principle I’ll talk about is that of trying to solve challenges for one in a way that will extend to others. When looking at developing solutions from this perspective, the idea is that most people have abilities but as human beings there will always be limitations to those abilities. 

So, when we start considering creating inclusive technology solutions what we can ultimately come up with are systems that will enhance accessibility for people living with disabilities. However, we can also expect to see other users of these products being able to benefit as well. 

Microsoft’s Adaptive Accessories

At the heart of the work that Microsoft is doing with inclusive technologies are the adaptive accessories. These accessories, which have significant input from disability communities, are highly adaptable and have been designed with the intention of making them customizable to suit individual needs. The product line features an Adaptive Mouse, Adaptive Hub, and Adaptive Buttons. 

All of the accessories can be configured as necessary and will support everything. And so this includes first-party add-ons such as Thumb Supports or Mouse Tails, as well as custom 3D-printed add-ons that enhance the various use cases. These devices leverage the foundation that was laid by the Xbox Adaptive Controller and aims to eliminate the challenges that the disability community has faced with the traditional mouse and keyboard setup. 

Adaptive Hub

This product is designed to enable users to turn traditional keyboards into a central hub with several wireless buttons. It is in the form of a small, box-shaped device that is meant to enable the devices to offer accessibility. What this entails is that users can augment traditional keyboards and create custom inputs. You’ll notice that the Adaptive Hub has five 3.5mm ports, three USB-C ports, as well as a Bluetooth pairing button. The aforementioned ports are where you connect the adaptive buttons and switches. Furthermore, it can connect to your current assistive technology, such as third-party digital buttons and switches, through the 3.5mm ports.

Adaptive Mouse

This adaptable mouse is built to be accessible. You can personalize the device by attaching the Microsoft Adaptive Mouse Tail and Thumb Support. By leveraging these attachable parts, Microsoft offers users the chance to have a mouse that is designed to fit their unique needs. Also, I’m sure users will gladly discover that the adaptable and customizable attachments help to make the device lighter and more portable. Unlike other accessories, the Adaptive Mouse will connect directly to your PC. The two buttons that it has are easily clickable which adds to the ease of use. And it also features a similarly clickable scroll wheel. In addition, you get the option to configure the buttons and scroll wheel for action/function shortcuts and for both short presses and long presses. 

Adaptive Button

With the Adaptive Button, users will get a small, square-shaped wireless button. It is designed to give you eight digital inputs that can be uniquely customized in the Microsoft Accessory Center and an easy-to-press design. And each Adaptive Hub can connect with up to four Adaptive Buttons. In addition, because of the partnership with Shapeways (which is a 3D-printing company that creates other 3D-printed toppers), users can customize their devices by custom-printing their own button toppers. So, if the button toppers that Microsoft can offer you out of the box are not suitable for you then you can get something more personalized. The design of the button including its small size means that it’s relatively easy to hold and place according to your usage needs. 

Inclusive Design for Gaming

As already mentioned above, a significant amount of the work being done at the Microsoft Inclusive Tech Lab has to do with gaming consoles. There has been a growing realization of just how much need there is for inclusive solutions for gaming systems. 

For instance, the typical controller that comes with the vast majority of consoles requires two hands, two thumbs, and fine motor control for you to operate comfortably. Quite simply, this will mean the exclusion of a significant number of people who are living with disabilities. 

With this in mind, the teams of individuals working on the development of inclusive solutions need to recognize the exclusion that has existed with gaming consoles in the past. We can appreciate that these devices’ designers worked with certain assumptions about the users of these devices and how they would be using them. 

Unfortunately, that has created a scenario where plenty of potential users can use these devices but with great difficulty or may not be able to use them at all. So, Microsoft now appreciates that if users can’t use their products because of how they were designed then that creates a massive barrier. And this is what a lot of the work at the Inclusive Tech Lab is based around, developing solutions that can eliminate these barriers. 

Learning from diversity

Another important key area for gaming is learning from diversity. Microsoft has been able to do this over the years by engaging with the various gaming communities to seek their insights on a variety of issues. The teams working on these products have received feedback on the functionality of the devices, their ease of use, and any changes that users may want to see to improve accessibility. 

And all of this feedback combined with the development work being done has been central to the creation of inclusive gaming solutions such as the Xbox Adaptive Controller. Products like these will mean that can be something all users can potentially enjoy even more. 

Creating solutions that enhance inclusivity can be of great benefit to all. Why should individuals living with disabilities be restricted from the gaming experience that countless others across all continents get to enjoy? As Microsoft was working on the adaptive controller, there was a need to take into consideration the unique ambulatory abilities of users in the targeted communities. 

Not only that but looking at people’s situations such as Gamer, CareGiver, Maker, etc, allowed for the development of a product that could be tailored to address various needs. Going forward, we would fully expect the Xbox Adaptive Controller to play a key role in shaping inclusive solutions and significantly enhance the ease of use for all users. 

Inclusive Solutions

Microsoft has been working on several inclusive technologies for a while now. In fact, the Inclusive Tech Lab isn’t exactly something completely new. It’s something that the Xbox team has had in place since 2017 as they were working on the Xbox Adaptive Controller

Now, Microsoft has provided a designated space, extended the lab, and is looking to develop integrative design by working closely with the disability community. The work being done in this environment is producing a great variety of accessibility tools. In the table below we’ll go over some of the possibilities available.

Vision

Adapt Windows to your vision

  • use the available color filters
  • change the color contrast
  • make Windows easier to see
  • use Magnifier to enhance the visibility of what’s on the screen
  • use color and contrast for accessibility in Microsoft 365

Listen instead of watch

  • use Narrator to hear text read aloud
  • use the screen reader with Microsoft 365 apps
  • listen to your Outlook email messages
  • listen to your Word documents
  • converting text to speech in Excel
  • seeing AI narration (hear descriptive audio everywhere)
  • Microsoft Soundscape (experience maps in 3D sound)

Use Immersive Reader

  • use Immersive Reader in Microsoft Edge
  • open Immersive Reader for Outlook
  • use Immersive Reader in Word
  • use Immersive Reader in Microsoft Teams
  • use Immersive Reader in PowerPoint
  • use Immersive Reader for OneNote
  • use Immersive Reader in Microsoft Forms

Improve the efficiency of keyboard use

  • take advantage of keyboard shortcuts for accessibility

Hearing

Adapt Windows to your hearing

  • with mono audio, you can hear all sounds in one channel
  • change caption settings
  • make notifications stick around longer
  • display audio alerts visually

Watch instead of listen

  • instead of listening to sounds you can use text or visual alternatives
  • you can autogenerate captions for videos
  • you can use captions and subtitles during Skype calls
  • in Microsoft Teams meetings you can make use of live captions
  • add closed captions and/or subtitles to media in PowerPoint

Improve the efficiency of keyboard use

  • take advantage of keyboard shortcuts for added accessibility
  • use the Search/Tell Me feature (find the command you want)

Neurodiversity

Adapt Windows to suit your needs

  • make the Start menu simpler
  • declutter your taskbar and make it clean
  • focus on a task by minimizing distractions
  • customize the taskbar

Improve reading comprehension and writing skills

  • enable text suggestions in Windows
  • make reading easier by downloading and using fluent fonts
  • customize text spacing
  • take advantage of learning tools in OneNote
  • use Microsoft Editor to polish grammar and more

Customize your reading experience and read without distractions

  • when using Microsoft Edge, take advantage of Immersive Reader
  • use Immersive Reader in Word
  • open Immersive Reader for Outlook
  • use Immersive Reader in PowerPoint
  • use Immersive Reader for OneNote

Maintain focus and organization

  • improve your PowerPoint slides
  • by keeping your Microsoft 365 files in OneDrive you can prevent the loss of your work
  • make use of the calendar board view to organize things according to your needs
  • go paperless with Microsoft Lens

Improve the efficiency of keyboard use

  • take advantage of keyboard shortcuts for added accessibility
  • use the Search/Tell Me feature (find the command you want)

Learning

Improve writing quality

  • you can use Microsoft Editor as your writing assistant in documents, mail, on the web, etc. Also, you can use it to check your grammar, spelling, and more in Word.
  • you can type with your voice to dictate documents, to talk instead of type on your PC, as well as for troubleshooting.

Reading comprehension and skills improvement

  • use the Immersive Reader
  • practice reading fluency with the Reading Progress tool
  • if you want to eliminate distracting content from the web you can make use of the Reading view
  • hear text read out loud

Improve math skills

  • you can benefit from inclusive math interactive training
  • you can use Microsoft 365 apps to write equations or formulas
  • use Microsoft Forms to create math quizzes
  • use OneNote to create math equations
  • use OneNote Math Assistant to help you solve equations, draw graphs, and more.
  • replay ink strokes in OneNote for Windows
  • draw straight lines or measure with the ruler in OneNote

Communicate confidently with inclusiveness

  • create an inclusive communication environment. You can do this with the use of Reflect in Microsoft Teams as well as live captions during Teams events.
  • create inclusive PowerPoint presentations. This can be done by doing this such as using the Accessibility Checker to enhance accessibility and making presentations with real-time, automatic captions or subtitles in PowerPoint, among others.
  • use Microsoft Translator

Configure Windows for effective learning

  • make the Start menu simpler
  • declutter your taskbar and make it clean
  • focus on a task by minimizing distractions (Turn off animation and transparency effects)
  • use Magnifier to enhance the visibility of what’s on the screen
  • customize the taskbar
  • block alerts and notifications by using Focus assist

Mobility

Configure Windows to meet your mobility needs

  • Make your keyboard, mouse, and other input devices easier to use. You can do this by controlling your mouse pointer with the numeric keypad or making use of the Filter Keys to set the sensitivity of the keyboard, among other things.
  • As an alternative to typing on the physical keyboard, you can use the on-screen keyboard.

Type and navigate with your voice

  • use voice recognition in Windows
  • Windows Speech Recognition commands
  • dictate your documents in Word

Control Windows and apps with your eyes

  • take advantage of eye control features to enhance ease of use

Improve the efficiency of keyboard use

  • take advantage of keyboard shortcuts for added accessibility
  • use the Search/Tell Me feature (find the command you want)

Mental health

Configure Windows to meet your needs

  • make the Start menu simpler
  • declutter your taskbar and make it clean
  • focus on a task by minimizing distractions (Turn off animation and transparency effects)
  • use Magnifier to enhance the visibility of what’s on the screen
  • customize the taskbar
  • block alerts and notifications by using Focus assist
  • enable text suggestions

Improve your focus

  • using Immersive Reader can help you work with fewer distractions
  • stay on track with your tasks by creating Outlook tasks in OneNote or using the Tasks app in Microsoft Teams.
  • customize the look and feel of Office to your liking
  • use Microsoft Viva Insights to help you develop more efficient work habits

Improve the efficiency of keyboard use

  • take advantage of keyboard shortcuts for added accessibility
  • use the Search/Tell Me feature (find the command you want)

Tactile Port Indicators

Having tactile indicators placed on devices can be a great feature that can enhance ease of use for countless people. And for an example of this, we can look at the work that Microsoft has put into devices such as the Xbox Series X game console, Microsoft Audio Dock, and the Surface Thunderbolt Dock among others to improve accessibility for the visually impaired. 

The reason this came about is that when we consider a lot of devices out there, ports like the USBA and the HDMI can feel pretty similar to the touch. And so people working at the Microsoft Inclusive Tech Lab have been seeking feedback from those who are visually impaired on how best to develop a system that can offer them greater ease of use.

How it works

So how does this work exactly? Well, what this new system is designed to do is provide little bumps over the various ports on these devices to aid with discerning what’s what without the need for sight. This means you will no longer have to feel for just the shape of the ports, but with this additional system, it should become easier to determine which port is which. As we can all imagine, the potential for what this could offer visually-impaired individuals across countless devices is massive.  

It’s no surprise when you consider the devices that Microsoft has been working on initially. Gaming is a huge part of the work that takes place at the Inclusive Lab.

However, this system is something that everyone out there should be looking at considering what it offers. The objective is for the idea to grow even more and become even better because it is not meant to work alone but help improve ease of use. And ideally, it would be great to see this applied to various other types of devices so they benefit as well. 

Surface Also Making Changes

The teams working on the various Surface products have also had to look at their products and consider how they could improve accessibility. Unfortunately, the reality is that a lot of products have been previously developed without any consideration of the needs of those living with disabilities. 

For example, on older Surface devices you’ll find that F4 and mute shared a key and the only indicator for FN lock was a light. When you consider the needs of those without sight you can quickly spot how this would present challenges. When screen reader users were trying to close an app, they could inadvertently mute their PCs and thereby leave them cut off from their devices. 

Fortunately, teams working on Surface products are now developing systems that will enhance the ease of use for visually-impaired individuals. By sitting down with the blind, listening to their experiences, and hearing their suggestions, Microsoft can now come up with more inclusive tech solutions for their products. 

Going forward, starting with the Surface Laptop 3, you will see changes such as the separation of mute and F4. Additionally, FN lock is going to be made accessible via Windows Narrator and tactile bumps will be added to the F4 and F8 keys to simplify keyboard navigation. These wonderful improvements will be made to all Surface keyboards in the future as part of an ongoing effort to provide better inclusive technology. 

More is yet to come and discussions with the visually-impaired community have also uncovered the need for customizable tactile indicators. With this in mind, Microsoft has been able to develop the Surface Adaptive Kit. This is something that should enable the development of even better solutions by looking to overcome the limitations on hardware with enhanced software, better accessories, and more. 

Wrap Up

For far too long technology did not do enough to address the needs of the disability community. Plenty of individuals faced significant barriers when it came to using technology comfortably. As a giant in the tech industry, Microsoft could not ignore the responsibility. Hence, we have the Microsoft Inclusive Tech Lab. This facility is doing phenomenal work that aims to take down barriers and provide solutions that are accessible to all. And the great thing about all this is that this is not a place that simply comes up with solutions for the disability community but it has members of the community greatly involved in development. Undoubtedly, the work going on here will massively enhance technology inclusiveness going forward.

Top 10 reasons Why Windows 365 is a great choice

Windows 365 is a great choice for your business. As the world becomes more digital, it is important to have the right tools to stay productive and competitive. Subsequently, with this Windows solution, you can take your desktop anywhere you go, work from any device, and access your files and apps from anywhere with an internet connection.
Here are the top 10 reasons why Windows 365 is a game changer for businesses of all sizes:

To expand on each topic, simply click on the item.

Each topic will be released over the next couple of weeks, stay tuned for updates

  1. Secure and reliable: Windows 365 is built on top of the Azure platform, which provides top-notch security and reliability for your business. Additionally, your data is stored in the cloud and protected by Microsoft’s advanced security protocols, so rest assured knowing your information is safe.
  2. Scalable: Windows 365 allows you to scale up or down your computing power as your business grows or changes. Consequently, this means you can quickly add or remove users, adjust your storage capacity, and scale your resources according to your needs.
  3. Always up-to-date: With Windows 365, you will always have the latest version of Windows and Office applications. Moreover, this means you won’t have to worry about updates, patches, or upgrades. You’ll always have access to the latest features and improvements.
  4. Flexible pricing: Windows 365 offers flexible pricing options that allow you to pay only for what you need. You can select different plans based on the number of users, the amount of storage, and the computing power you need.
  5. Accessible from anywhere: With Windows 365, you can access your desktop and files from anywhere with an internet connection. For example, you can work from home, on the go, or from a remote location without any interruptions.
  6. Easy to set up: Setting up Windows 365 is easy and straightforward. You can quickly provision virtual machines, assign users, and set up policies and permissions. Additionally, you don’t need any special skills or knowledge to get started.
  7. Simplified management: Windows 365 offers a centralized management console that allows you to manage all your users, devices, and applications in one place. You can easily monitor performance, track usage, and enforce security policies.
  8. Collaborative: Windows 365 makes it easy for your team to collaborate and share files. You can set up shared folders, access permissions, and collaborative tools that allow your team to work together in real-time.
  9. Support for legacy applications: Windows 365 supports legacy applications that may not be compatible with modern operating systems. For example, you can continue using your existing applications without any compatibility issues.
  10. Green computing: By using Windows 365, you can significantly reduce your company’s carbon footprint and contribute to a greener planet. Since your desktop is in the cloud, you don’t need to have a physical machine running all the time. This can help reduce your energy consumption and lower your carbon emissions.

Conclusion

In conclusion, Windows 365 offers a secure, scalable, and flexible solution for businesses of all sizes. Moreover, it allows you to work from anywhere, collaborate with your team, and stay up-to-date with the latest technology. If you’re looking for a more effective way to streamline your business operations, improve your productivity, and reduce your costs, it’s definitely worth considering.

Check Autopilot Prerequisites – first update

Autopilot is an indispensable tool for managing and deploying Windows devices in the enterprise. Before deploying Autopilot, it is crucial to ensure that your environment meets the necessary prerequisites. This process can be time-consuming and prone to errors, which is why the Autopilot Prerequisite Checker has been introduced to automate the prerequisite checking process.

The Autopilot Prerequisite Checker is a PowerShell script that validates whether your environment meets the requirements for deploying Autopilot. The updated script now checks for the following prerequisites:

Tenant checks:

Check license requirements
Automatic Windows enrollment (MDM authority is set)
DNS records
Check user can join device to Azure AD
Check Enrollment Status Page
Check Windows Autopilot Deployment Profile
Check company branding

Device checks:

Windows OS version
Hardware hash uploaded to Intune
Check Windows Autopilot Deployment Profile assignment status
Updated with more devices check in version 1.0.1:
 - Windows InstallDate
 - Bios Version
 - Bios Status
 - Bios Serialnumber
 - OS Serialnumber
 - Hostname
 - Keyboardlayout
 - Timezone
 - TPM present
 - TPM Enabled
 - TPM ready

User checks:

User is licensed correctly

Network checks:

Required communication for Intune Autopilot is allowed
Updated with multiple in version 1.0.1 with more URLs

Using the script is a breeze. It can be run on any machine with PowerShell installed. Simply download the script, execute it, and wait for the results. The output will indicate whether your environment meets the necessary prerequisites for Autopilot.

Download the updated script 1.0.1

The advantages of using the updated script are numerous. It saves time by automating the prerequisite checking process, allowing you to concentrate on more crucial tasks. Additionally, it minimizes the risk of errors, ensuring that your Autopilot deployment is successful on the first attempt. Ultimately, it provides peace of mind by confirming that your environment meets the requirements for deploying Autopilot.

In summary, the Autopilot Prerequisite Checker is a robust script that simplifies the process of verifying the prerequisites for deploying Autopilot. Whether you are an IT administrator or a consultant, the Autopilot Prerequisite Checker is an essential tool for ensuring the success of your Autopilot deployment.

NOTE: THIS SCRIPT IS CONTINUALLY BEING IMPROVED – If you would like to suggest additional checks or improvements, feel free to reach out with your input.