Defender for Endpoint Web Filtering


A client rings up. Staff are burning half the day on betting sites, or someone clicked something they shouldn’t have, and now they want you to “lock down the web.”

So you go and price a web filter. Cisco Umbrella, DNSFilter, a firewall add-on. Another line item, another agent, another renewal to babysit.

Stop.

If that client is on Microsoft 365 Business Premium, you already sold them a web filter. It’s been sitting inside Defender, switched off, the whole time.

That’s not an upsell. That’s a setting.

What is web content filtering, really?

It watches where your devices go on the web and lets you block whole categories of sites by name. Gambling. Adult content. Peer-to-peer. Hacking. You tick a category, and people in the groups you choose stop being able to reach it, whether they’re in the office or working from a café.

Microsoft calls it web content filtering, and it rides on protection that’s already on the machine. In Edge, the blocks are enforced by SmartScreen. In Chrome, Firefox, Brave and Opera, they lean on network protection. Both of those have to be switched on, or nothing happens.

Here’s the part most people miss. Any category you don’t block gets audited automatically. So before you stop a single site, you get a report of exactly where your client’s staff have been going.

You can’t filter what you can’t see. So start by seeing.

Step-by-Step: turn it on, then point it at something
Switch on the feature

In the Microsoft Defender portal, go to Settings > Endpoints > Advanced features and flip Web content filtering to On. Save.

Create a policy and just watch

Go to Settings > Endpoints > Rules > Web content filtering and add a policy. Target a device group. Don’t block your client’s contentious categories yet. Let the audit data build.

Read the report

Open Reports > Web protection and look at the Web activity by category card. Give it time, there’s up to a 12-hour lag before activity shows up. This is the bit that changes the conversation. You’re no longer guessing what staff do online. You’re looking at it.

Block what actually matters

Now edit the policy and tick the categories the report told you to care about.

Microsoft Defender portal → Settings → Endpoints
   Advanced features → Web content filtering = On
   Rules → Web content filtering → + Add policy
Reports → Web protection → Web activity by category

Notice what’s missing? No PowerShell. No third agent. No new licence. Every step lives in a portal your client is already paying for.

Why this actually changes behaviour

Because you walk into the renewal with evidence, not a hunch.

“Here are 4,000 hits to gambling sites last month, off three machines.” That’s a discussion the business owner can act on. A quote for Umbrella is just a number they’ll push back on.

“But we already quoted them a web filter.” Fine. Now you can show them what they’d be paying for, and that they already own it.

A few things will bite you if you’re not watching for them:

  • Edge uses SmartScreen, everything else uses network protection. If network protection is in audit mode or off, your blocks are theatre. Lovely report, no enforcement.

  • Non-Microsoft browsers won’t honour HTTPS category blocks unless QUIC and Encrypted Client Hello are disabled. Leave them on and Chrome quietly routes around you.

  • Expect lag. Up to 12 hours before activity lands in the report, up to two hours before a block bites. Don’t test it in the first five minutes and declare it broken.

And when you genuinely need an exception, you don’t loosen the whole category. You carve out one site with a custom indicator, which sits above the filter in the order of precedence. Allow always wins over block. That’s your release valve when the boss insists on one specific site.

Run the audit, read the Web protection report, then block with proof in hand.

Web content filtering isn’t there to add a product to your stack. It’s there to delete one.

If you’re billing a client for a separate web filter on top of Business Premium, you’re charging them for something they already own. Show them the report instead.

That’s not filtering. That’s value you can prove.

Why "I Don’t Have a Good Idea" Is Almost Never the Real Problem


I have a conversation almost every week that goes the same way. Someone tells me they want to start their own thing. They want a bit more control over their time, a bit more income, a path that doesn’t rely on a payslip landing every fortnight. Then they sigh and say the same line: “I just don’t have a good idea.”

I used to nod along. Now I push back. Because in nearly every case, that’s not what’s actually going on.

The skills are already there

Sit with someone for half an hour and ask them what they’ve done in the last decade of work. You’ll hear about budgets they’ve cleaned up, teams they’ve coached, customers they’ve calmed down, processes they’ve quietly fixed without ever being asked. They’ve negotiated with suppliers, written training material on the fly, run projects with no formal authority, and kept things moving when the org chart said they shouldn’t have been able to.

That’s not a person without a good idea. That’s a person sitting on a stack of skills they’ve never priced.

The gap isn’t capability. The gap is translation — taking what they already do well and shaping it into something a stranger would happily pay for.

Why people freeze at the start

The freeze happens because “find an idea” is the wrong instruction. It sends people hunting for a thunderbolt — some clever niche nobody else has noticed, some product the world has never seen. So they wait. They scroll. They tell themselves they need to read another book or finish another course before they’re ready.

Meanwhile, the offer they could already build is sitting in plain sight: the thing colleagues keep asking them for help with, the problem they solved twice at their last job, the work they actually enjoy that most people genuinely struggle with.

The question isn’t “what’s a brilliant new idea?” The question is “what do I already do well that someone, somewhere, has a real problem paying to get done?”

Use the tools to pull the offer out of your head

This is where I think modern tooling — and Copilot in particular — earns its place for first-time business owners. Not because it hands you an idea, but because it pulls one out of you far faster than you could working alone with a blank notebook.

Open a fresh document in Word, switch on Copilot, and have it interview you. Ask it to walk you through your last five roles and pull out the recurring problems you solved. Ask it to draft three different one-page offers from those skills, each aimed at a different type of customer. Drop your LinkedIn profile into a Loop page and ask Copilot to suggest who would benefit most from the work you’ve already done. Then take the strongest lines into a Teams chat with someone whose judgement you trust and pressure-test them.

In an afternoon you can move from “I don’t have an idea” to three rough offers on a page. None of them have to be perfect. They just have to be concrete enough to test in a real conversation with a real person.

The shift that matters

Financial freedom rarely begins with a perfect idea. It begins with a good-enough offer, said out loud to the right person, then reshaped based on what they actually said back.

If you’ve been waiting for the lightning bolt, give yourself permission to stop. The idea you’re looking for is almost certainly already inside the experience you’ve already had. The job now is to get it out of your head, onto a page, and in front of someone who might say yes.

That’s a much smaller first step than most people think.

Defender for Endpoint device control (USB / removable media)


Walk into most small businesses and ask how they stop someone walking out the door with a USB stick full of client data. You’ll get one of two answers.

Either “we glued the ports shut” or “we don’t.”

Both are wrong. One is a sledgehammer. The other is a shrug. And the worst part? The tool that does this properly is already sitting in the licence they’re paying for every month.

If your clients are on Microsoft 365 Business Premium, they have Defender for Business. And device control comes with it. You’re not buying anything. You’re just not turning it on.

Let’s fix that.

What is device control, really?

Forget “blocking USB sticks.” That framing is what gets people stuck.

Device control isn’t a switch. It’s a set of rules about who can do what with which device. Read. Write. Execute. You can let the finance PC read a USB drive but never copy to it. You can allow one approved brand of encrypted stick and deny every other. You can leave Bluetooth alone and only police removable storage.

That’s the part people miss. It’s not on or off. It’s a dial.

And here’s the bit that actually matters for an SMB: it watches before it blocks. Every time someone plugs something in, Defender logs it — the device, the serial number, the user, the machine. You get a record without enforcing a single rule.

You can’t block what you can’t see. So start by looking.

Step-by-Step: turning it on without breaking anything
Open the right blade

Head to the Microsoft Intune admin center and go to Endpoint security > Attack surface reduction. That’s where device control lives. Not where you’d guess, I know.

Audit first, always

Don’t block anything yet. Enable device control in audit mode and leave enforcement alone. Let it run for a week or two across a pilot ring. You’re collecting evidence, not making arrests.

Read the report

In the Microsoft Defender portal, open the device control report and Advanced hunting. Here’s the query that tells you everything that’s been plugged in:

DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| extend MediaClass = tostring(parsed.ClassName)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceName, AccountName, MediaClass, MediaSerialNumber
| order by Timestamp desc

Notice what’s missing? There’s no block in there. That’s a visibility query. You’ll be surprised what shows up — personal phones, dodgy giveaway sticks from a conference, the bookkeeper’s external drive.

Set the dial

Now you write the actual policy: default deny on removable storage, then carve out exceptions for the devices you trust. Scope it to removable media only so you don’t accidentally fight with printers or webcams.

Roll it in rings

Pilot group first. Then a wider ring. Then everyone. Same three-ring discipline you’d use for anything that touches the endpoint. Never enforce tenant-wide on day one.
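As an added example (not from the original post and not a Microsoft tool), here is a small Python script that takes rows shaped like the hunting query's projection above and turns them into the allow-list work sheet you need before "default deny" goes live. The audit rows and the approved serial numbers are constructed for illustration.

```python
"""Added example (not from the original post, nor Microsoft's tooling):
collapse PnpDeviceConnected audit rows into one record per serial number,
then split them into 'already approved' and 'needs a decision' before the
default-deny removable-storage policy is written."""
from datetime import datetime

# Constructed sample rows mirroring the projected columns of the hunting query.
AUDIT_ROWS = [
    {"Timestamp": "2024-05-01T09:12:00Z", "DeviceName": "FIN-PC01", "AccountName": "jsmith",
     "MediaClass": "USB", "MediaSerialNumber": "ENC-0001"},
    {"Timestamp": "2024-05-02T10:05:00Z", "DeviceName": "FIN-PC01", "AccountName": "jsmith",
     "MediaClass": "USB", "MediaSerialNumber": "ENC-0001"},
    {"Timestamp": "2024-05-03T14:20:00Z", "DeviceName": "RECEPTION-01", "AccountName": "mlee",
     "MediaClass": "USB", "MediaSerialNumber": "GIVEAWAY-77"},
    {"Timestamp": "2024-05-04T08:45:00Z", "DeviceName": "SALES-LT03", "AccountName": "rpatel",
     "MediaClass": "USB", "MediaSerialNumber": "GIVEAWAY-77"},
    {"Timestamp": "2024-05-04T16:00:00Z", "DeviceName": "BOOKKEEPER-PC", "AccountName": "agreen",
     "MediaClass": "USB", "MediaSerialNumber": "WD-EXT-5551"},
    {"Timestamp": "2024-05-05T11:30:00Z", "DeviceName": "SALES-LT03", "AccountName": "rpatel",
     "MediaClass": "WPD", "MediaSerialNumber": "PHONE-AB12"},
]

# Hypothetical: serial numbers of the encrypted sticks the client actually issued.
APPROVED_SERIALS = {"ENC-0001", "ENC-0002"}

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def summarise(rows):
    """Collapse per-event rows into one record per serial number."""
    out = {}
    for r in rows:
        serial = r["MediaSerialNumber"]
        ts = datetime.strptime(r["Timestamp"], TS_FMT)
        rec = out.setdefault(serial, {
            "class": r["MediaClass"], "devices": set(), "users": set(),
            "first_seen": ts, "last_seen": ts, "events": 0,
        })
        rec["devices"].add(r["DeviceName"])
        rec["users"].add(r["AccountName"])
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["events"] += 1
    return out


def triage(summary, approved):
    """Split serials into the allow-list and the pile that needs a human decision.
    A serial seen on more than one machine is flagged as roaming: a stick that
    travels between PCs is exactly the case a default-deny policy exists for."""
    allow, review = [], []
    for serial, rec in sorted(summary.items()):
        row = {
            "serial": serial,
            "class": rec["class"],
            "machines": len(rec["devices"]),
            "users": sorted(rec["users"]),
            "roaming": len(rec["devices"]) > 1,
            "last_seen": rec["last_seen"].strftime(TS_FMT),
        }
        (allow if serial in approved else review).append(row)
    return {"allow": allow, "review": review}


def main():
    result = triage(summarise(AUDIT_ROWS), APPROVED_SERIALS)
    print("Allow-list (already approved):")
    for row in result["allow"]:
        print(f"  {row['serial']:<14} {row['class']:<4} machines={row['machines']} "
              f"users={','.join(row['users'])}")
    print("Needs a decision before default deny goes live:")
    for row in result["review"]:
        flag = "  ROAMING" if row["roaming"] else ""
        print(f"  {row['serial']:<14} {row['class']:<4} machines={row['machines']} "
              f"users={','.join(row['users'])}{flag}")


if __name__ == "__main__":
    main()
```

Export the query results from Advanced hunting as CSV and load them into AUDIT_ROWS to run this against a real pilot ring.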

Why this actually changes behaviour

Here’s the real win. It’s not the block. It’s the conversation the block lets you have.

When a client asks “can someone steal our data on a USB?”, “we glued the ports” sounds paranoid and “we don’t” sounds negligent. Neither builds trust.

“We allow encrypted drives, we log every device that connects, and we can show you exactly what plugged in last month” — that’s a different conversation. That’s the answer that wins the renewal.

Before: “USB is a risk we just live with.” After: “USB is a risk we measure, scope, and report on.”

And it costs nothing extra. You already sold them the licence. This is value you left in the box.

Device control isn’t there to lock the door. It’s there to tell you the door was open the whole time — and let you decide, device by device, who gets a key.

If you’re not showing your clients this, you’re leaving it on the table for someone else to find.

The Conversation I Keep Having About Copilot


Last week a manager asked me how to write the perfect prompt. She had a sticky note on her monitor with about thirty bracketed placeholders and a warning to always start with role, then context, then task. I asked her how often she actually used it. She laughed and said almost never — it felt like homework before the real work could start.

That moment captured something I’ve been thinking about for a while. The industry has spent two years training people to be better prompters, when the real productivity gains sit one layer up. With Copilot Cowork, the unit of leverage isn’t the prompt — it’s the skill.

Prompts Are Disposable. Skills Compound.

A prompt is a single instruction. You type it, you get something back, and then it’s gone. Tomorrow morning you start again. Even a brilliantly worded prompt only helps the person who wrote it, on the day they wrote it, for the task in front of them.

A Copilot Cowork skill is different. It’s a packaged way of working — a brief, a checklist, a structure, a tone — that anyone in your organisation can invoke by name. Once it exists, it doesn’t degrade. It doesn’t get lost in someone’s chat history. It runs the same way on a Tuesday morning as it does on a Friday afternoon, and it carries the thinking of whoever built it forward into every future use.

That is leverage. Prompt engineering is a craft. Skills are an asset.

Where the Productivity Actually Lives

The real productivity question in any business isn’t how do I get a better answer from Copilot today — it’s how do we stop solving the same problem from scratch every time. Skills are the answer to that question.

Think about what happens in a typical week. Someone needs to write a board update. Someone else has to brief a meeting. A third person is drafting a proposal that looks suspiciously like the last three proposals. In a prompt-engineering world, each of those people opens Copilot in Word or Outlook and tries to remember the magic incantation. In a skills world, they invoke a Board Update skill or a Meeting Brief skill and Copilot already knows the structure, the voice, the sources to pull from in SharePoint, and the people in Teams who usually need looping in.

The hours saved aren’t in the typing. They’re in not having to think the problem through again, hunt for the right template, or remember which version of the prompt actually worked last time.

The Shift Business Leaders Need to Make

If you’re leading a team, the question worth asking isn’t are my people good at prompts? It’s what work do we do over and over that should be a skill by now? The recurring report. The standard reply. The new-client onboarding sequence. The monthly review pack assembled from Excel, Outlook and a SharePoint folder no one can quite remember the path to.

Each of those is a skill waiting to exist. And the moment it does, the productivity gain isn’t a one-off — it accrues every time anyone in the business uses it.

What I’m Watching

I think the businesses that win the next stretch with Copilot won’t be the ones with the cleverest prompters. They’ll be the ones who treat their best ways of working as something to package, name, and share. Prompt engineering helps one person, once. A well-built skill helps the whole organisation, every time. That’s where the productivity actually shows up.

Need to Know podcast – Episode 366

Join me as I unpack the most impactful Microsoft Build 2026 announcements for SMBs, including Work IQ’s general availability, new autopilot and Scout agent features, enhanced agent security with Microsoft Execution Containers, and the latest MAI models for code, image, and voice. Discover how upcoming Work IQ APIs, OpenClaw integration with Windows, and the shift toward hybrid AI solutions are shaping the future of business technology, with practical insights on cost control, disaster recovery, and agentic security. Don’t miss this episode for actionable takeaways and expert analysis on the evolving AI landscape.

Brought to you by www.ciaopspatron.com

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-366-build-2026/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating, as well as send me any feedback or suggestions you may have for the show.

Resources

CIAOPS Need to Know podcast – CIAOPS – Need to Know podcasts | CIAOPS

X – https://www.twitter.com/directorcia

director@ciaops.com

CIAOPS Blog

Join my Teams Shared Channel – CIAOPS

CIAOPS Merch store – CIAOPS

Become a CIAOPS Patron

CIAOPS AI Dojo

CIAOPS weekly news update – CIA Brief – CIAOPS

CIAOPS Labs – The Special Activities Division of the CIAOPS

Support CIAOPS

Get your M365 questions answered via email

Join my email list

A special thanks to the CIAOPS Patron community for making this podcast possible. You can find the benefits of a subscription to the community and become a member at https://www.ciaopspatron.com

Microsoft Build 2026 blog – Be yourself at work

Developer-Tech – AI agents, Copilot, Windows developer tools

VentureBeat – AI agents and enterprise use cases

Thurrott – Scout personal work agent and AI models

VentureBeat – Data silos and Microsoft IQ

Windows Report – Securing code agents and AI models

Engadget – Build 2026 live blog

Microsoft Learn – Work IQ in Azure Foundry

Firstpost – MXC, OpenClaw, and OpenShell

Copilot in PowerPoint


Most people type “make me a presentation about cyber security” into Copilot, watch it spit out ten generic slides, and decide the whole thing is a gimmick.

I don’t blame them. That output is rubbish.

But that’s not Copilot failing. That’s Copilot doing exactly what you asked — building from nothing, with no source, no structure, no brand.

Garbage in, garbage slides out.

Here’s the shift. Copilot in PowerPoint isn’t a “write my deck” button. It’s a converter. You already have the content — a Word doc, a PDF proposal, last quarter’s report. The job isn’t inventing slides. It’s turning what you’ve already written into something you can stand up and present.

What is Copilot in PowerPoint, really?

Think of it as the worst part of your week, automated.

You know the drill. The thinking is done. The report is written. The client signed off on the wording. Now you’ve got two hours of copy-pasting into slides, fighting text boxes, and nudging the logo a pixel to the left.

Copilot eats that two hours.

You point it at a file. It reads the structure, pulls the key points, and drafts slides — text, layout, the lot. You’re not staring at a blank slide anymore. You’re editing a first draft.

That’s the whole game. Not creativity. Removal of drudgery.

Step-by-Step: building a deck that doesn’t look generic
Open your template first

This is the step everyone skips, and it’s the one that matters most.

Before you touch Copilot, open your organisation’s PowerPoint template — your branded .potx, your client’s deck, whatever carries the right fonts and colours. Microsoft is explicit about this: start from your template and Copilot keeps the theme and reuses your existing layouts.

Skip it, and you get Microsoft’s house style. Every. Single. Time.

Reference your file, don’t describe it

Open the Copilot pane, then reference a file — click the paperclip, or just type / and pick the document. Word, PDF, Excel, a Loop page. Now Copilot reads the actual content instead of guessing at it.

Write a prompt that points, not pleads

Don’t ask for a slide “about the project”. Tell it exactly where to look:

Create slides from the attached proposal.
Use the "Scope" and "Pricing" sections only.
One slide per phase. Key points, not full sentences.

Notice what’s missing? Any mention of colours, fonts, or design. You don’t ask Copilot for those — your template already decided them. Ask once, point clearly, and let the template do the rest.

Review, then refine in place

Copilot drafts. You read. Then you tell it what’s wrong — “tighten slide three”, “drop the jargon”, “add a summary slide” — in plain English, right there in the pane. No re-prompting from scratch.

A couple of traps before you sell this to clients

Two things will bite you.

First, dense slides. Copilot tends to lift whole paragraphs straight off the page. If your source doc reads like a report, your slides will too. Fix it in the prompt — “bullet points, not sentences” — or trim after.

Second, the file has to be readable. Text-based PDFs work. Scanned images and password-protected files don’t. And keep source files under 24MB, or the results get flaky.

Old thinking: “I’ll block out the afternoon to build the deck.” New thinking: “I’ll point Copilot at the doc and spend the afternoon making it good.”

That’s not a small change. That’s where your hours go back.

Why this actually changes behaviour

Here’s the real win for anyone running this in a business.

Your team already produces the content. Proposals, reports, meeting notes — the substance exists. What kills them is the packaging. The deck that has to look right for the board, the client, the pitch.

Copilot collapses the gap between “we’ve written it” and “we can present it”. The expensive part — the thinking — stays human. The tedious part disappears.

And be straight about the cost. The file-referencing piece sits behind the paid Microsoft 365 Copilot add-on, not the base subscription. For a lot of SMB clients, this is the use case that justifies the licence. Not chatbots. This.

Show a client how an afternoon of slide-building becomes ten minutes, and the conversation about value is over.

If you’re running Microsoft 365 for clients and you’re not showing them this, you’re leaving real money — theirs and yours — on the table.

Copilot in PowerPoint isn’t there to make your slides.

It’s there to delete the part of the job nobody ever wanted.

The Quietest Cancellation You’ll Never Hear


The hardest clients to keep are the ones who never tell you they’re leaving.

I’ve been turning this over for a while. The clients who churn loudly — the ones who ring up annoyed, send the sharp email, ask for a refund — those are actually the easy ones. You know where you stand. You can fix something, part ways cleanly, or at least learn from it.

It’s the silent ones that hurt. The ones who stop replying to your monthly check-ins. Skip the review. Renew once out of inertia, then quietly don’t renew the second time. And somewhere down the track, you’ll hear from a friend of a friend that they felt burned by your business.

Nobody robbed them. They just never really bought.

Sold isn’t the same as bought

There’s a real difference between a client who bought and a client who was sold. Small word, big gap.

A client who bought made the decision. They walked in with a problem, recognised what you offered, and chose it. They own the outcome. Even when things get bumpy, they stay engaged because it’s their decision to defend.

A client who was sold went along with it. Maybe you were persuasive. Maybe they didn’t want to look uncertain in front of their team. Maybe the proposal looked sharp and they signed before they’d really thought it through. They never crossed the line from interested to committed — but on paper, the deal got done.

The first kind tells their friends about you. The second kind tells their friends about the business that talked them into something.

Where I see it most in MSP land

I see this constantly with Copilot rollouts right now. An MSP gets excited, runs a slick pitch, the client nods along, the licences get assigned in the Microsoft 365 admin centre, and then… nothing. Six months later the usage reports look flat. Nobody has Copilot pinned in Outlook. Nobody is asking it to summarise a Teams meeting they missed. Nobody is in Word using it to redraft a proposal or in Excel asking it to explain a column of numbers.

That client didn’t buy Copilot. They bought the meeting being over.

The same pattern shows up with backup uplifts, security stack changes, anything that lives behind a quote. If the conversation was about us getting the agreement signed instead of them understanding what changes on a Tuesday morning, the meter starts ticking on a quiet exit.

The signal isn’t loud. It’s a slower email reply. A “we’ll think about adoption training next quarter.” A skipped quarterly business review. By the time it shows up in your churn report, the relationship was over months ago.

Make them buy, don’t sell them

The fix isn’t softer language or better slides. It’s slowing the conversation down before the contract goes out. The best deals I’ve seen lately are the ones where the close was almost anticlimactic — because the buying decision had already been made out loud, by the client, weeks earlier.

I want the client describing the problem in their own words. I want them telling me what their inbox looks like on a bad day. I want them booking the adoption sessions before the deal is signed, not after. If they won’t put time in their calendar to actually use the thing, that’s the answer — and it’s better to hear it now than read it in a Google review later.

Selling closes a deal. Buying starts a relationship. One of those keeps the lights on this quarter; the other builds the kind of business worth referring.

Defender Vulnerability Management


Most people treat Defender Vulnerability Management like a weather report. They glance at the exposure score, nod, and close the tab.

That’s a waste.

The score isn’t the point. The workflow behind it is. And the part almost nobody uses — the bit that actually moves the needle — is the security baselines assessment sitting right next to it.

Here’s the thing. Patching tells you whether software is current. A baseline tells you whether it’s configured the way it’s supposed to be. Those are two completely different questions, and the second one is where most SMB environments quietly fall apart.

What are security baselines, really?

A baseline is a benchmark of configuration settings — things like password policy, BitLocker, account lockout, audit logging — measured against an industry profile.

In Defender, you assess your devices against the CIS or STIG benchmarks, pick a level (L1 is sensible-default, L2 is locked-down), and the tool tells you, device by device, setting by setting, where you comply and where you don’t.

Not “you’re missing 14 patches.” More like “BitLocker isn’t enforced on 9 machines and your audit policy is wide open.” That’s the stuff attackers love and scanners ignore.

The security baselines assessment documentation walks through the profile options if you want the full menu.

Step-by-Step: Build a baseline profile

You’ll need Defender for Endpoint Plan 2 with the MDVM add-on, or the MDVM Standalone licence. Then head to the Microsoft Defender portal > Exposure management > Baselines assessment.

Create the profile

Give it a name, choose your benchmark (CIS or STIG), choose your OS, choose your level. Start at L1. You can tighten later — leading with L2 just buries you in red.

Scope it to a device group

Don’t boil the ocean. Point it at one group — a handful of servers, or the managed laptops — and let it run.

Read the results by setting, not by score

Open the profile and sort by compliance. Each failing setting lists exactly which devices miss it. This is your work queue.

Now the part that earns its keep: exceptions

Here’s the reality every MSP knows. Some findings you can’t fix. The line-of-business app needs that legacy setting. The client won’t approve the downtime. The vendor says “don’t touch it.”

So what do most people do? Nothing. The finding sits there, red, forever — and after a while everyone stops looking because the dashboard is always angry.

That’s the trap. A permanently-red dashboard is the same as no dashboard.

The fix is the exception workflow. When you genuinely can’t remediate something, you file an exception — with a justification and an expiry date — and that finding drops out of your active exposure number. It doesn’t vanish. It’s parked, documented, and time-boxed.

Request the remediation first

For anything you can fix, connect Defender to Intune (it’s a toggle in the portal) and raise a remediation request straight from the recommendation. It lands in Intune as a tracked task instead of a Post-it note. The remediation request process covers the Intune connection.

File an exception for the rest

For the genuine “we can’t touch that,” create an exception with a real reason and a review date. The exceptions overview explains the justification types and how exceptions affect your exposure score.

“Doesn’t an exception just hide the problem?”

No. Hiding is when you ignore the red and hope. An exception is a decision — recorded, owned, and due for review. The difference is accountability.

Why this actually changes behaviour

Once you’re running baselines plus a disciplined exception workflow, “we can’t patch that one” stops being a silent gap. It becomes a documented, time-boxed choice with someone’s name on it.

That’s not a security feature. That’s a governance habit.

And it’s the exact thing that turns a vague “yeah, we’re secure” into a report you can hand a client.

If you’re not showing your clients their baseline posture and the exceptions you’ve signed off on, you’re leaving value — and trust — on the table.

The exposure score was never the deliverable. The conversation it lets you have is.