Defender for Endpoint device control (USB / removable media)


Walk into most small businesses and ask how they stop someone walking out the door with a USB stick full of client data. You’ll get one of two answers.

Either “we glued the ports shut” or “we don’t.”

Both are wrong. One is a sledgehammer. The other is a shrug. And the worst part? The tool that does this properly is already sitting in the licence they’re paying for every month.

If your clients are on Microsoft 365 Business Premium, they have Defender for Business. And device control comes with it. You’re not buying anything. You’re just not turning it on.

Let’s fix that.

What is device control, really?

Forget “blocking USB sticks.” That framing is what gets people stuck.

Device control isn’t a switch. It’s a set of rules about who can do what with which device. Read. Write. Execute. You can let the finance PC read a USB drive but never copy to it. You can allow one approved brand of encrypted stick and deny every other. You can leave Bluetooth alone and only police removable storage.

That’s the part people miss. It’s not on or off. It’s a dial.

And here’s the bit that actually matters for an SMB: it watches before it blocks. Every time someone plugs something in, Defender logs it — the device, the serial number, the user, the machine. You get a record without enforcing a single rule.

You can’t block what you can’t see. So start by looking.

Step-by-Step: turning it on without breaking anything
Open the right blade

Head to the Microsoft Intune admin center and go to Endpoint security > Attack surface reduction. That’s where device control lives. Not where you’d guess, I know.

Audit first, always

Don’t block anything yet. Enable device control in audit mode and leave enforcement alone. Let it run for a week or two across a pilot ring. You’re collecting evidence, not making arrests.

Read the report

In the Microsoft Defender portal, open the device control report and Advanced hunting. Here’s the query that tells you everything that’s been plugged in:

DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| extend MediaClass = tostring(parsed.ClassName)
| extend MediaSerialNumber = tostring(parsed.SerialNumber)
| project Timestamp, DeviceName, AccountName, MediaClass, MediaSerialNumber
| order by Timestamp desc

Notice what’s missing? There’s no block in there. That’s a visibility query. You’ll be surprised what shows up — personal phones, dodgy giveaway sticks from a conference, the bookkeeper’s external drive.

Set the dial

Now you write the actual policy: default deny on removable storage, then carve out exceptions for the devices you trust. Scope it to removable media only so you don’t accidentally fight with printers or webcams.

Roll it in rings

Pilot group first. Then a wider ring. Then everyone. Same three-ring discipline you’d use for anything that touches the endpoint. Never enforce tenant-wide on day one.
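As an added illustration of the "Set the dial" step (this is not from the original post, nor Microsoft's own sample), here is the device control XML that Defender for Endpoint reads on Windows: one group for all removable storage, one group for the approved encrypted sticks, and a single rule that denies everything in the first group except what matches the second, while writing an audit event for every block. Every GUID, name, VID_PID and serial number in it is a placeholder I made up; replace them with the values your audit-mode report surfaced.

```xml
<!-- Groups define WHAT the rules apply to. All Ids/names are placeholders. -->
<Groups>
  <!-- Group 1: every removable storage device (USB mass storage, SD cards, ...).
       Scoped to RemovableMediaDevices only, so printers/webcams are untouched. -->
  <Group Id="{11111111-1111-1111-1111-111111111111}" Type="Device">
    <Name>All removable storage</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <PrimaryId>RemovableMediaDevices</PrimaryId>
    </DescriptorIdList>
  </Group>

  <!-- Group 2: the approved encrypted sticks. 1234_ABCD and the serial are
       invented; take real values from the DeviceEvents audit query. -->
  <Group Id="{22222222-2222-2222-2222-222222222222}" Type="Device">
    <Name>Approved encrypted USB drives</Name>
    <MatchType>MatchAny</MatchType>
    <DescriptorIdList>
      <VID_PID>1234_ABCD</VID_PID>
      <SerialNumberId>EXAMPLE-SERIAL-0001</SerialNumberId>
    </DescriptorIdList>
  </Group>
</Groups>

<!-- Rules define WHO can do WHAT to those groups. -->
<PolicyRules>
  <PolicyRule Id="{33333333-3333-3333-3333-333333333333}">
    <Name>Default deny removable storage, except approved drives</Name>
    <IncludedIdList>
      <GroupId>{11111111-1111-1111-1111-111111111111}</GroupId>
    </IncludedIdList>
    <!-- Excluded devices fall through to the default (Allow), so the
         approved sticks keep working. -->
    <ExcludedIdList>
      <GroupId>{22222222-2222-2222-2222-222222222222}</GroupId>
    </ExcludedIdList>

    <!-- AccessMask is a bitmask: 1 = read, 2 = write, 4 = execute; 7 = all.
         For the "finance PC may read but never copy" case use 6 (write+execute). -->
    <Entry Id="{44444444-4444-4444-4444-444444444444}">
      <Type>Deny</Type>
      <Options>0</Options>
      <AccessMask>7</AccessMask>
    </Entry>

    <!-- Options 3 = send an event to the portal AND show the user a notification.
         Each block then appears in Advanced hunting as RemovableStoragePolicyTriggered. -->
    <Entry Id="{55555555-5555-5555-5555-555555555555}">
      <Type>AuditDenied</Type>
      <Options>3</Options>
      <AccessMask>7</AccessMask>
    </Entry>
  </PolicyRule>
</PolicyRules>
```

For the audit-first ring, deploy the same groups but change the rule so it records instead of blocks: replace the Deny entry with Allow, and the AuditDenied entry with AuditAllowed (Options 2, event only). Nothing is stopped, but every connection from the included group lands in the report, which is exactly the evidence the "Read the report" step looks at before any enforcement is turned on.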

Why this actually changes behaviour

Here’s the real win. It’s not the block. It’s the conversation the block lets you have.

When a client asks “can someone steal our data on a USB?”, “we glued the ports” sounds paranoid and “we don’t” sounds negligent. Neither builds trust.

“We allow encrypted drives, we log every device that connects, and we can show you exactly what plugged in last month” — that’s a different conversation. That’s the answer that wins the renewal.

Before: “USB is a risk we just live with.” After: “USB is a risk we measure, scope, and report on.”

And it costs nothing extra. You already sold them the licence. This is value you left in the box.

Device control isn’t there to lock the door. It’s there to tell you the door was open the whole time — and let you decide, device by device, who gets a key.

If you’re not showing your clients this, you’re leaving it on the table for someone else to find.

The Conversation I Keep Having About Copilot


Last week a manager asked me how to write the perfect prompt. She had a sticky note on her monitor with about thirty bracketed placeholders and a warning to always start with role, then context, then task. I asked her how often she actually used it. She laughed and said almost never — it felt like homework before the real work could start.

That moment captured something I’ve been thinking about for a while. The industry has spent two years training people to be better prompters, when the real productivity gains sit one layer up. With Copilot Cowork, the unit of leverage isn’t the prompt — it’s the skill.

Prompts Are Disposable. Skills Compound.

A prompt is a single instruction. You type it, you get something back, and then it’s gone. Tomorrow morning you start again. Even a brilliantly worded prompt only helps the person who wrote it, on the day they wrote it, for the task in front of them.

A Copilot Cowork skill is different. It’s a packaged way of working — a brief, a checklist, a structure, a tone — that anyone in your organisation can invoke by name. Once it exists, it doesn’t degrade. It doesn’t get lost in someone’s chat history. It runs the same way on a Tuesday morning as it does on a Friday afternoon, and it carries the thinking of whoever built it forward into every future use.

That is leverage. Prompt engineering is a craft. Skills are an asset.

Where the Productivity Actually Lives

The real productivity question in any business isn’t how do I get a better answer from Copilot today — it’s how do we stop solving the same problem from scratch every time. Skills are the answer to that question.

Think about what happens in a typical week. Someone needs to write a board update. Someone else has to brief a meeting. A third person is drafting a proposal that looks suspiciously like the last three proposals. In a prompt-engineering world, each of those people opens Copilot in Word or Outlook and tries to remember the magic incantation. In a skills world, they invoke a Board Update skill or a Meeting Brief skill and Copilot already knows the structure, the voice, the sources to pull from in SharePoint, and the people in Teams who usually need looping in.

The hours saved aren’t in the typing. They’re in not having to think the problem through again, hunt for the right template, or remember which version of the prompt actually worked last time.

The Shift Business Leaders Need to Make

If you’re leading a team, the question worth asking isn’t are my people good at prompts? It’s what work do we do over and over that should be a skill by now? The recurring report. The standard reply. The new-client onboarding sequence. The monthly review pack assembled from Excel, Outlook and a SharePoint folder no one can quite remember the path to.

Each of those is a skill waiting to exist. And the moment it does, the productivity gain isn’t a one-off — it accrues every time anyone in the business uses it.

What I’m Watching

I think the businesses that win the next stretch with Copilot won’t be the ones with the cleverest prompters. They’ll be the ones who treat their best ways of working as something to package, name, and share. Prompt engineering helps one person, once. A well-built skill helps the whole organisation, every time. That’s where the productivity actually shows up.

Need to Know podcast – Episode 366

Join me as I unpack the most impactful Microsoft Build 2026 announcements for SMBs, including Work IQ’s general availability, new autopilot and Scout agent features, enhanced agent security with Microsoft Execution Containers, and the latest MAI models for code, image, and voice. Discover how upcoming Work IQ APIs, OpenClaw integration with Windows, and the shift toward hybrid AI solutions are shaping the future of business technology, with practical insights on cost control, disaster recovery, and agentic security. Don’t miss this episode for actionable takeaways and expert analysis on the evolving AI landscape.

Brought to you by www.ciaopspatron.com

You can listen directly to this episode at:

https://ciaops.podbean.com/e/episode-366-build-2026/

Subscribe via iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

or Spotify:

https://open.spotify.com/show/7ejj00cOuw8977GnnE2lPb

Don’t forget to give the show a rating, as well as send me any feedback or suggestions you may have for the show.

Resources

CIAOPS Need to Know podcast – CIAOPS – Need to Know podcasts | CIAOPS

X – https://www.twitter.com/directorcia

director@ciaops.com

CIAOPS Blog

Join my Teams Shared Channel – CIAOPS

CIAOPS Merch store – CIAOPS

Become a CIAOPS Patron

CIAOPS AI Dojo

CIAOPS weekly news update – CIA Brief – CIAOPS

CIAOPS Labs – The Special Activities Division of the CIAOPS

Support CIAOPS

Get your M365 questions answered via email

Join my email list

A special thanks to the CIAOPS Patron community for making this podcast possible. You can find the benefits of a subscription to the community and become a member at https://www.ciaopspatron.com

Microsoft Build 2026 blog – Be yourself at work

Developer-Tech – AI agents, Copilot, Windows developer tools

VentureBeat – AI agents and enterprise use cases

Thurrott – Scout personal work agent and AI models

VentureBeat – Data silos and Microsoft IQ

Windows Report – Securing code agents and AI models

Engadget – Build 2026 live blog

Microsoft Learn – Work IQ in Azure Foundry

Firstpost – MXC, OpenClaw, and OpenShell

Copilot in PowerPoint


Most people type “make me a presentation about cyber security” into Copilot, watch it spit out ten generic slides, and decide the whole thing is a gimmick.

I don’t blame them. That output is rubbish.

But that’s not Copilot failing. That’s Copilot doing exactly what you asked — building from nothing, with no source, no structure, no brand.

Garbage in, garbage slides out.

Here’s the shift. Copilot in PowerPoint isn’t a “write my deck” button. It’s a converter. You already have the content — a Word doc, a PDF proposal, last quarter’s report. The job isn’t inventing slides. It’s turning what you’ve already written into something you can stand up and present.

What is Copilot in PowerPoint, really?

Think of it as the worst part of your week, automated.

You know the drill. The thinking is done. The report is written. The client signed off on the wording. Now you’ve got two hours of copy-pasting into slides, fighting text boxes, and nudging the logo a pixel to the left.

Copilot eats that two hours.

You point it at a file. It reads the structure, pulls the key points, and drafts slides — text, layout, the lot. You’re not staring at a blank slide anymore. You’re editing a first draft.

That’s the whole game. Not creativity. Removal of drudgery.

Step-by-Step: building a deck that doesn’t look generic
Open your template first

This is the step everyone skips, and it’s the one that matters most.

Before you touch Copilot, open your organisation’s PowerPoint template — your branded .potx, your client’s deck, whatever carries the right fonts and colours. Microsoft is explicit about this: start from your template and Copilot keeps the theme and reuses your existing layouts.

Skip it, and you get Microsoft’s house style. Every. Single. Time.

Reference your file, don’t describe it

Open the Copilot pane, then reference a file — click the paperclip, or just type / and pick the document. Word, PDF, Excel, a Loop page. Now Copilot reads the actual content instead of guessing at it.

Write a prompt that points, not pleads

Don’t ask for a slide “about the project”. Tell it exactly where to look:

Create slides from the attached proposal.
Use the "Scope" and "Pricing" sections only.
One slide per phase. Key points, not full sentences.

Notice what’s missing? Any mention of colours, fonts, or design. You don’t ask Copilot for those — your template already decided them. Ask once, point clearly, and let the template do the rest.

Review, then refine in place

Copilot drafts. You read. Then you tell it what’s wrong — “tighten slide three”, “drop the jargon”, “add a summary slide” — in plain English, right there in the pane. No re-prompting from scratch.

A couple of traps before you sell this to clients

Two things will bite you.

First, dense slides. Copilot tends to lift whole paragraphs straight off the page. If your source doc reads like a report, your slides will too. Fix it in the prompt — “bullet points, not sentences” — or trim after.

Second, the file has to be readable. Text-based PDFs work. Scanned images and password-protected files don’t. And keep source files under 24MB, or the results get flaky.

Old thinking: “I’ll block out the afternoon to build the deck.” New thinking: “I’ll point Copilot at the doc and spend the afternoon making it good.”

That’s not a small change. That’s where your hours go back.

Why this actually changes behaviour

Here’s the real win for anyone running this in a business.

Your team already produces the content. Proposals, reports, meeting notes — the substance exists. What kills them is the packaging. The deck that has to look right for the board, the client, the pitch.

Copilot collapses the gap between “we’ve written it” and “we can present it”. The expensive part — the thinking — stays human. The tedious part disappears.

And be straight about the cost. The file-referencing piece sits behind the paid Microsoft 365 Copilot add-on, not the base subscription. For a lot of SMB clients, this is the use case that justifies the licence. Not chatbots. This.

Show a client how an afternoon of slide-building becomes ten minutes, and the conversation about value is over.

If you’re running Microsoft 365 for clients and you’re not showing them this, you’re leaving real money — theirs and yours — on the table.

Copilot in PowerPoint isn’t there to make your slides.

It’s there to delete the part of the job nobody ever wanted.

The Quietest Cancellation You’ll Never Hear


The hardest clients to keep are the ones who never tell you they’re leaving.

I’ve been turning this over for a while. The clients who churn loudly — the ones who ring up annoyed, send the sharp email, ask for a refund — those are actually the easy ones. You know where you stand. You can fix something, part ways cleanly, or at least learn from it.

It’s the silent ones that hurt. The ones who stop replying to your monthly check-ins. Skip the review. Renew once out of inertia, then quietly don’t renew the second time. And somewhere down the track, you’ll hear from a friend of a friend that they felt burned by your business.

Nobody robbed them. They just never really bought.

Sold isn’t the same as bought

There’s a real difference between a client who bought and a client who was sold. Small word, big gap.

A client who bought made the decision. They walked in with a problem, recognised what you offered, and chose it. They own the outcome. Even when things get bumpy, they stay engaged because it’s their decision to defend.

A client who was sold went along with it. Maybe you were persuasive. Maybe they didn’t want to look uncertain in front of their team. Maybe the proposal looked sharp and they signed before they’d really thought it through. They never crossed the line from interested to committed — but on paper, the deal got done.

The first kind tells their friends about you. The second kind tells their friends about the business that talked them into something.

Where I see it most in MSP land

I see this constantly with Copilot rollouts right now. An MSP gets excited, runs a slick pitch, the client nods along, the licences get assigned in the Microsoft 365 admin centre, and then… nothing. Six months later the usage reports look flat. Nobody has Copilot pinned in Outlook. Nobody is asking it to summarise a Teams meeting they missed. Nobody is in Word using it to redraft a proposal or in Excel asking it to explain a column of numbers.

That client didn’t buy Copilot. They bought the meeting being over.

The same pattern shows up with backup uplifts, security stack changes, anything that lives behind a quote. If the conversation was about us getting the agreement signed instead of them understanding what changes on a Tuesday morning, the meter starts ticking on a quiet exit.

The signal isn’t loud. It’s a slower email reply. A “we’ll think about adoption training next quarter.” A skipped quarterly business review. By the time it shows up in your churn report, the relationship was over months ago.

Make them buy, don’t sell them

The fix isn’t softer language or better slides. It’s slowing the conversation down before the contract goes out. The best deals I’ve seen lately are the ones where the close was almost anticlimactic — because the buying decision had already been made out loud, by the client, weeks earlier.

I want the client describing the problem in their own words. I want them telling me what their inbox looks like on a bad day. I want them booking the adoption sessions before the deal is signed, not after. If they won’t put time in their calendar to actually use the thing, that’s the answer — and it’s better to hear it now than read it in a Google review later.

Selling closes a deal. Buying starts a relationship. One of those keeps the lights on this quarter; the other builds the kind of business worth referring.

Defender Vulnerability Management


Most people treat Defender Vulnerability Management like a weather report. They glance at the exposure score, nod, and close the tab.

That’s a waste.

The score isn’t the point. The workflow behind it is. And the part almost nobody uses — the bit that actually moves the needle — is the security baselines assessment sitting right next to it.

Here’s the thing. Patching tells you whether software is current. A baseline tells you whether it’s configured the way it’s supposed to be. Those are two completely different questions, and the second one is where most SMB environments quietly fall apart.

What are security baselines, really?

A baseline is a benchmark of configuration settings — things like password policy, BitLocker, account lockout, audit logging — measured against an industry profile.

In Defender, you assess your devices against the CIS or STIG benchmarks, pick a level (L1 is sensible-default, L2 is locked-down), and the tool tells you, device by device, setting by setting, where you comply and where you don’t.

Not “you’re missing 14 patches.” More like “BitLocker isn’t enforced on 9 machines and your audit policy is wide open.” That’s the stuff attackers love and scanners ignore.

The security baselines assessment documentation walks through the profile options if you want the full menu.

Step-by-Step: Build a baseline profile

You’ll need Defender for Endpoint Plan 2 with the MDVM add-on, or the MDVM Standalone licence. Then head to the Microsoft Defender portal > Exposure management > Baselines assessment.

Create the profile

Give it a name, choose your benchmark (CIS or STIG), choose your OS, choose your level. Start at L1. You can tighten later — leading with L2 just buries you in red.

Scope it to a device group

Don’t boil the ocean. Point it at one group — a handful of servers, or the managed laptops — and let it run.

Read the results by setting, not by score

Open the profile and sort by compliance. Each failing setting lists exactly which devices miss it. This is your work queue.

Now the part that earns its keep: exceptions

Here’s the reality every MSP knows. Some findings you can’t fix. The line-of-business app needs that legacy setting. The client won’t approve the downtime. The vendor says “don’t touch it.”

So what do most people do? Nothing. The finding sits there, red, forever — and after a while everyone stops looking because the dashboard is always angry.

That’s the trap. A permanently-red dashboard is the same as no dashboard.

The fix is the exception workflow. When you genuinely can’t remediate something, you file an exception — with a justification and an expiry date — and that finding drops out of your active exposure number. It doesn’t vanish. It’s parked, documented, and time-boxed.

Request the remediation first

For anything you can fix, connect Defender to Intune (it’s a toggle in the portal) and raise a remediation request straight from the recommendation. It lands in Intune as a tracked task instead of a Post-it note. The remediation request process covers the Intune connection.

File an exception for the rest

For the genuine “we can’t touch that,” create an exception with a real reason and a review date. The exceptions overview explains the justification types and how exceptions affect your exposure score.

“Doesn’t an exception just hide the problem?”

No. Hiding is when you ignore the red and hope. An exception is a decision — recorded, owned, and due for review. The difference is accountability.

Why this actually changes behaviour

Once you’re running baselines plus a disciplined exception workflow, “we can’t patch that one” stops being a silent gap. It becomes a documented, time-boxed choice with someone’s name on it.

That’s not a security feature. That’s a governance habit.

And it’s the exact thing that turns a vague “yeah, we’re secure” into a report you can hand a client.

If you’re not showing your clients their baseline posture and the exceptions you’ve signed off on, you’re leaving value — and trust — on the table.

The exposure score was never the deliverable. The conversation it lets you have is.

CIAOPS AI Dojo 13


What’s the session about?

This month we will be focusing on new Copilot features and updates as well as optimising AI for Small Business.

Who should attend?

This session is perfect for:

  • IT administrators and support staff
  • Business owners
  • People looking to get more done with Microsoft 365
  • Anyone looking to automate their daily grind

Save the Date

Date: Friday the 26th of June 2026

Time: 9:30 AM Sydney AU time

Location: Online (link will be provided upon registration)

Cost: $80 per attendee (free for Dojo subscribers)

Register Now

CIA Brief 20260606


Events — Microsoft Build 2026
  • Build 2026: Furthering Windows as the trusted platform for development. At Build 2026, Microsoft laid out a wave of developer-focused Windows updates aimed at reducing setup friction and making Windows the place to build and run AI agents. Highlights include Coreutils for Windows, WSL containers, one-command Windows Developer Configurations, and a new security layer called Microsoft Execution Containers (MXC) that lets developers tightly control what an AI agent can access. It matters because it signals Microsoft’s push to fold secure, on-device AI agents directly into the Windows developer experience.
Announcements — New Products
Industry News — Security
AI
Announcements & Product Launches
AI Models & Research
Events
Productivity & Copilot Tips

After hours

Microsoft Build 2026: See All the Highlights in 15 Minutes https://www.youtube.com/watch?v=1PSHObgyJpw

Editorial

If you found this valuable, then I’d appreciate a ‘like’ or perhaps a donation at https://ko-fi.com/ciaops. This helps me know that people enjoy what I have created and provides resources to allow me to create more content. If you have any feedback or suggestions around this, I’m all ears. You can also find me via email at director@ciaops.com and on X (Twitter) at https://www.twitter.com/directorcia.

If you want to be part of a dedicated Microsoft Cloud community with information and interactions daily, then consider becoming a CIAOPS Patron – www.ciaopspatron.com.

Watch out for the next CIA Brief next week.