Microsoft is pleased to introduce[1] Windows Autopatch as a feature of Windows Enterprise E3[2], enabling IT pros to do more for less.

This service will keep Windows and Office software on enrolled endpoints up-to-date automatically, at no additional cost. IT admins can gain time and resources to drive value. The second Tuesday of every month will be ‘just another Tuesday’.

HOW DOES IT SELECT ON WHAT DEVICES TO DEPLOY?
The service gradually deploys patches in 4 distinct “rings” of devices, which you determine:

  • Test – Minimum; maybe 5-10 initial workstations
  • First – A pilot group of workstations representing 1% of all devices
  • Fast – A wider group 9%
  • Broad – Every remaining device

HOW DOES IT KNOW WHEN TO MOVE ON TO ANOTHER RING?
The rate at which deployment progresses depends on the success of the patch deployment on a given ring, which is based on AI & signals we get from each patched system.

The rate of deployment also depends on the type of patch. 

  • “Quality Updates” (Security, firmware) are deployed quickly.
  • “Feature Updates” take 30 days per ring at minimum.

WHAT IF THINGS GO WRONG WITH A DEVICE(S)?

  • HALT
    Autopatch will halt the deployment if devices have issues – and IT administrators can manually halt roll outs as well.
  • ROLLBACK
    Updates are undone automatically if devices are detected to have problems.
  • SELECTIVITY
    Partial updates are pushed out, problematic parts of updates are left behind.  Portions of an update package will be deployed if parts of an update are unsuccessful to maximize deployment effectiveness.

HOW DO WE KNOW HOW WELL A DEPLOYMENT IS GOING?
Windows Autopatch reports update deployment status, device health, and compliance progress for audit purposes – all through the Endpoint Manager/Intune console.

Autopatch Message Center will provide on-going details of schedules, current status – directly from the Autopatch team.

For applications or devices that have issues with an Update Package, issues are automatically forwarded to the AppAssure team to provide you with the expertise to fix the issue.

WHAT DOES AUTOPATCH REQUIRE?
Customers need to have Windows Enterprise E3, Microsoft Intune or Endpoint Manager Co-management & Azure AD.

A “readiness assessment” will be run before you can proceed with Windows Autopatch.

Watch the video below for more information:

Posted by: kurtsh | April 17, 2022

INFO: Azure Active Directory Security Operations Guide

The following guide should be the IT administrator’s & Identity Architect’s bible for any organization using Azure Active Directory to ensure the robustness of their identity security posture.

The Azure AD SecOps Guide is intended for enterprise IT identity and security operations teams and managed service providers that need to counter threats through better identity security configuration and monitoring profiles. This guide is especially relevant for IT administrators and identity architects advising Security Operations Center (SOC) defensive and penetration testing teams to improve and maintain their identity security posture.

Read the SecOps guide here:

Trying to prop up your legacy on-prem SIEM for hybrid, multi-cloud environments is a mistake.

Here are some things to consider when looking at SIEM solutions for your new hybrid infrastructure.

I’ve gotten many requests for MFA for Active Directory on-prem. While Microsoft’s Azure AD MFA can be applied to on-prem solutions, some customers sadly refuse to move forward with cloud-based identities.

If required, this 3rd party (paid) solution, “UserLock” will provide on-prem MFA for Domain Controller-based authentication.

“UserLock” supports MFA using authenticator applications which include Google Authenticator, Microsoft Authenticator and LastPass Authenticator, or programmable hardware tokens such as YubiKey and Token2.

Relying on cryptographic algorithms for Time-based and HMAC-based One-Time Passwords (TOTP and HOTP), all options offer strong and simple two-factor authentication to better protect access across an entire organization.

For more information, visit:


Building a Zero Trust Security framework with 20+ vendors has zero chance of success. This is why budgeting for Microsoft Defender XDR for Zero Trust Security must be at the forefront of a modern cybersecurity strategy for organizations of any size that are running Microsoft Windows or Office 365.

Microsoft Defender XDR allows you to consolidate over 27 security vendors into one integrated platform. That means one vendor for support calls, one single pane of glass to perform digital forensic analysis, and the entire suite is connected via the Microsoft Intelligent Security Graph. (Not to mention seamlessly built-in to the productivity suite that millions of you use every day.)

Read more at the blog post:

If you’re using Microsoft Sentinel and are interested in saving on ingestion & storage costs for log data, this 15min video may be just what you need to see:

In this episode, we talk to Julian Gonzalez about several new features that provide cheaper ways to ingest and retain your data in Microsoft Sentinel. For more information visit:

Blog post:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/ingest-archive-search-and-restore-data-in-microsoft-sentinel/ba-p/3195126

FAQ:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/faq-search-basic-ingestion-archive-and-data-restoration/ba-p/3205600

View the video here:

In the fifth annual Barron’s ranking of America’s Most Sustainable Companies, shares of the 100 companies on our list returned 34.4% on average, in 2021, besting the S&P 500 index’s 28.7%. Overall 47 of the companies beat the index.

Microsoft jumped up to #35 for 2022, rising from #75 last year.

Posted by: kurtsh | April 15, 2022

INFO: Resources for a Career with Microsoft

I joined Microsoft in 1995 (Los Angeles) but I actually interviewed for positions in 1989 (Redmond) & 1992 (Irvine) coming out of high school & college respectively. Each involved 6 interviews & lasted all day & while my persistence was what eventually got me into Microsoft, I kinda always wondered what would have happened had I gotten one of the other jobs I interviewed for.

I stole the following guidance from Microsoft’s South Regional VP Mary Carol Alexander because it was so good. I wish these resources had been around in the late 80’s.

Calling all soon or recent graduates… sharing some awesome resources if you’re interested in a career with Microsoft. I made the leap 7 years ago and always wish I had done it sooner.

From Mark Kashman:

Here is the deck used to present the "What’s new for File Experiences in OneDrive, SharePoint, and MicrosoftTeams in @Microsoft365" – session (MS37) this week in Vegas:

  1. File Experiences in Microsoft 365 (Windows, Teams, MacOS, Web)
  2. Collaboration (Year of Sharing, Teams meeting recordings)
  3. Compliance & Protection (Sync Admin, Reports updates, Sync Ideal State in Windows 365)

Posted by: kurtsh | April 14, 2022

INFO: Why Windows 365 isn’t “just VDI”

We are often asked the question:

“Why’d we call it Cloud PC? Why not just call it VDI?”

The reason is simple: There are some amazing new features that differentiate Windows 365 Cloud PCs from legacy VDI solutions:

Windows 365 is now in a category of its own with:

  • Windows 365 app, providing a direct path to Windows 365 from the Task Bar or Start menu with a personal, customized experience that can be tailored to each individual.
  • Windows 365 Switch providing the ability to easily move between the Cloud PC and the local desktop using familiar keyboard commands, as well as a mouse-click or a swipe gesture
  • Windows 365 Boot enabling you to log directly into your Cloud PC and designate it as the primary Windows experience on the device. This is a great solution for shared devices, where logging in with a unique user identity takes you to your own personal and secure Cloud PC
  • Windows 365 Offline, which will enable work in Windows 365 even when disconnected. When connectivity is restored, the Cloud PC will automatically resync with the service without data loss, so your experience and workflow are persistent.

Read more here:
