Let’s not focus on Microsoft365 security for a moment…Let’s focus on the user

When you think about End User Computing and the Modern Workplace, which companies would you relate that to? VMware with their Horizon/Workspace ONE proposition? Citrix, with XenApp and XenDesktop? Both companies even offer their propositions from the cloud (Azure and AWS). I bet many people would answer that question with yes, and not a lot of people would mention Microsoft, and I cannot blame them. Some people might mention Microsoft’s O365.

Microsoft does have a Modern Workplace unit, which I am part of. Within that unit, there are specialties, like Windows 10, Office/collaboration, Identity & Information Protection, Threat Management and Voice. All of those components make up the Modern Workplace, so I fully get that. However, Windows 10, Threat Management and Identity & Information Protection are very security focussed, and so, in general, is Microsoft’s Modern Workplace approach.

In my (humble) opinion, Microsoft is not focussing enough on the “other side” of the balance: the end user and the end user experience. When it comes to the Workplace, you need to balance IT/management/security with the end user (experience). IT/Security/Management is the cost side, the “boring” part (controlling the user, restrictions). The end user side is the “sexy” side: giving users a smooth experience, multiple devices, being more productive, etc.

I fully understand why Microsoft is taking the security approach though: their layered Identity, Apps, Data and Devices security approach. It is very solid! I truly like Azure AD’s Conditional Access possibilities: checking the identity, sign-in risk, device compliance, trusted IPs, countries, etc., and securing applications (granting access with MFA or blocking access) based on those conditions. I also like Azure Information Protection for securing documents. However, when a customer asks what’s in it for a user if they go for Microsoft365… I am afraid Microsoft falls back to the security story again.

And that is unfortunate, because the end user experience story with M365 is great! Windows 10 AutoPilot, Azure AD join, single sign-on to apps, automatic enrolment into Intune and getting your required apps, the Company Portal giving you optional/additional MSI apps, cloud storage with OneDrive, cross-device experiences and device independence are all there!

In this post I would like to show you a couple of short videos showing the end user experience: from onboarding a device, to accessing apps, using a personal iPad, holding a meeting across devices, etc. It is my goal to show you that Microsoft365 can be as “sexy” as other solutions from an end user perspective. That the onboarding of devices is easy, self-service, smooth and personal. That M365 does offer great BYO possibilities with the Office apps while also being secure, and that it can be very smooth regarding cross-device workloads.

1. Windows AutoPilot: a very quick and easy way of getting a user up and running, from unwrapping the new Windows device, turning it on and moving into Windows. Multi-Factor Authentication is set up in a very easy way as well:

2. From the moment the user is logged in, the machine is AAD joined, enrolled into Intune and receiving policies (and let’s be quiet about them for now : ) and apps. In this case, Office Pro Plus is being pushed by Intune, and so is the Microsoft Company Portal (CC). The CC gives users additional apps to install. Before everything is downloaded and installed in the background, the user can SSO into O365 and already be productive. Also, when starting the new Office desktop apps, all is very smooth as well: no user names, server names, etc.:

3. Now, I would like to show you what M365 can do in a BYO (iPad) scenario. Intune is able to control the Windows desktop and mobile Office apps, so users can have the same universal experience across devices: Office apps everywhere. The next two videos are about using the Office apps on a BYO device, with security measures like allowing copy/paste into the managed Office apps but not into native apps, and allowing company content to be saved to the company’s OneDrive but not locally:



4. Working across devices with, in this example, OneNote. In this case a user starts a meeting on an iPad, types meeting notes and later moves to a Windows 10 device, continuing in OneNote with Ink:

5. Lastly, a nice gadget which can make your life a bit easier: Continue on PC. Just a step back: Microsoft is a huge iOS and Android app maker. Search the Apple Store, for example, and see how many Microsoft apps are on there. One of the “cool” apps makes it very easy to start reading the news, Twitter, etc. on your mobile device and send that article, or link, to your Windows device. No more copying the link, emailing it and opening the article from your email:

I hope you have discovered the smooth, easy, quick onboarding and access to apps with M365. It is a great story and we should mention it more. Combined with the more talked-about security story, M365 is a very solid Modern Workplace proposition.

Windows AutoPilot: Add Devices and go for it!

A lot of information has been published around Microsoft’s Windows AutoPilot. Very briefly, Windows AutoPilot is a cloud service that aims for a zero-touch, personally customized experience when deploying new Windows 10 devices. Below you will find 2 videos which explain AutoPilot:

A more detailed video can be found here.

An important step, a requirement for AutoPilot, is to add the devices, pre-deployment, to the customer’s Microsoft Store for Business. The idea is that the hardware manufacturer will do this step for customers, but to be able to test AutoPilot right now, you need to upload a .csv file with details about the hardware: Device Serial Number, Windows Product ID and Hardware Hash. This part took me a couple of hours to figure out. I’m not a PowerShell guru, and you need PowerShell to get the required info. Below are the steps to make the magic happen! And you can test AutoPilot with VMs!

  1. Firstly, there are a couple of requirements: you need an Azure tenant, Intune, a Microsoft Store for Business linked to it, and Windows 10 devices, 1703 or higher; the devices can be VMs,
  2. Create 1 or 2 Windows 10 VMs. Install them, update them, shut them down and take a snapshot,
  3. Start the VM again and create a folder in the root: c:\temp, as an example,
  4. On your host machine (not the VM), open Notepad and type the following:
  5. On your VM, start PowerShell, Run as Administrator, and go to your folder:
  6. In the PowerShell Gallery, there is a script to get all the required info you need for your .csv file. More details here,
  7. To get the script, run the following command; enter “y” 3 times to accept:
  8. In my case, to execute the script (you only downloaded and installed it), I needed to adjust the Execution Policy on my VM. You can use the following command to do that; here too, enter “y” 1 time to accept,
  9. Now, execute the script. With the following command, you will execute the script and save the outcome to a .txt file with a specific width. The width makes sure you will see the complete Hash,
  10. The output text file contains the Hash, Windows Product ID and Serial, in that order,
  11. Copy/paste the info into your Notepad document, like the example above,
  12. Save the document as a .csv file and open your Microsoft Store for Business,
  13. Under “Manage” you will see “Devices - Add Devices”,
  14. Import your .csv file,
  15. Create a new AutoPilot Profile:
  16. Attach it to your machine,
  17. If you haven’t already done so, Sysprep your VM, snapshot it and turn it on. You will see a customized login prompt with your tenant name. AutoPilot is working!
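As an added example of steps 5 to 12 above (my own script, not the commands from the original post or from Microsoft), the following PowerShell collects the hardware details on the VM and writes the .csv directly, which goes a little beyond the post by skipping the .txt/Notepad copy-paste step and checking the result before you upload it. Assumptions on my side: the PowerShell Gallery script the post refers to is Get-WindowsAutoPilotInfo (the post does not name it), the working folder is C:\temp, and the output file is called autopilot-devices.csv. Run it in an elevated PowerShell session on the VM.

```powershell
# Added example, not from the original post: collect the AutoPilot hardware
# hash on a test VM and write the CSV that Microsoft Store for Business expects.
# Assumptions: the Gallery script is Get-WindowsAutoPilotInfo; the working
# folder is C:\temp; the CSV is named autopilot-devices.csv.

$WorkDir = 'C:\temp'
$CsvPath = Join-Path $WorkDir 'autopilot-devices.csv'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
Set-Location $WorkDir

# Relax the execution policy for this process only, not machine-wide, so the
# change disappears when the session ends (step 8 of the post, scoped down).
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# Fetch the script from the PowerShell Gallery. -Force suppresses the
# untrusted-repository prompt; drop it if you prefer to answer each prompt.
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# Collect Device Serial Number, Windows Product ID and Hardware Hash straight
# into a CSV, which avoids a hash truncated by console width.
Get-WindowsAutoPilotInfo.ps1 -OutputFile $CsvPath

# Sanity check before uploading: expected header, a serial number on every
# row, and a hardware hash that is present and not obviously cut off.
function Test-AutoPilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    $lines = Get-Content -Path $Path
    $expectedHeader = 'Device Serial Number,Windows Product ID,Hardware Hash'
    if ($lines[0] -ne $expectedHeader) {
        throw "Unexpected header: $($lines[0])"
    }

    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw 'CSV contains no device rows' }

    foreach ($row in $rows) {
        if ([string]::IsNullOrWhiteSpace($row.'Device Serial Number')) {
            throw 'Row without a serial number'
        }
        # A hardware hash is a base64 blob several thousand characters long;
        # a short value usually means the output was truncated. The 1000
        # threshold is an assumption for a sanity check, not a documented limit.
        if ($row.'Hardware Hash'.Length -lt 1000) {
            throw "Hardware hash for $($row.'Device Serial Number') looks truncated"
        }
    }
    return $rows.Count
}

$count = Test-AutoPilotCsv -Path $CsvPath
Write-Host "$count device(s) ready to import into Microsoft Store for Business: $CsvPath"
```

If you still want the manual route from the post, run the script without -OutputFile and pipe it to Out-File with a large -Width; the check function above works on the resulting .csv either way, and it is the hash length check that catches the truncation the post warns about in step 9.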

Windows 10 Creators update: Office Mobile App Management happiness!

In my previous post, I discussed one of the great possibilities in Intune: managing the mobile Microsoft Office apps on Android and iOS. I truly like this feature, and immediately I was thinking: what if… what if this were possible on Windows 10 as well?! What I totally missed was an official blog post from Microsoft discussing the Windows 10 Creators update. Among many cool updates, there will be a great new feature: Mobile App Management for the Office apps on Windows 10. All the features I discussed in the previous post for iOS and Android will apply to Windows 10 as well. You won’t need to enroll your personal Windows machine anymore to access corporate resources/data in a secure way. The MAM policies will give you a great experience, setting up the apps and accessing emails and data, while providing security for corporate data. Do check out the clip.