Sarah Young from Microsoft joins us again to talk about Azure Sentinel. We run through what it is and why you should be using it to protect your IT environments. Brenton joins us as well to cover off the latest news and certifications he has achieved. Listen in for all the details.
This episode was recorded using Microsoft Teams and produced with Camtasia 2020
In this episode Brenton reports back on his encounters with the AZ-900 certification exam. Spoiler alert – he passed! Congrats. I also speak with Nicki Borell all about information protection and labelling in Microsoft 365. Of course, Brenton and I bring you up to date with everything in the Microsoft Cloud. We hope you enjoy the listen.
This episode was recorded using Microsoft Teams and produced with Camtasia 2020
Mark O returns! Brenton returns! It’s the comeback show, just in time for the end of COVID lockdown. Mark O’Shea and I talk about the swag of recent changes to the Microsoft 365 Business suite of products. Brenton and I also bring you up to date with all the very latest Microsoft Cloud news as well. What a return it is!
This episode was recorded using Microsoft Teams and produced with Camtasia 2020
Robert Crane 0:00
Welcome to the Need to Know podcast. My name is Robert Crane and this is a shorter FAQ episode. These episodes are brought to you by the CIAOps patron community, which you can sign up for at CIAOps patron dot com. Now I’ve done a number of these FAQs, and I thought that one of the topics we really haven’t covered in any depth, or started to cover, is security. So I thought that there are going to be lots of FAQs and lots of stories we can talk about with security when it comes to the Microsoft Cloud. So I thought I’d kick that off with maybe starting with a discussion to help you get a starting point in all this. Now, the idea with security is that it’s going to be about defence in depth. That means there are going to be multiple systems or multiple configurations to put in place to effectively improve the security and reduce the risk. Now we can never eliminate the risk, right? There’s always going to be some sort of risk, but our job as IT professionals is going to be to minimise this to the best of our capabilities. And that’s going to mean implementing a number of systems to provide that. Microsoft gives us lots and lots of options, which I hope to be able to run through over the course of upcoming FAQs. But the way I like to think about it is we need a systematic approach. Now good security is going to be about having a system, doing things in a systematic way, and making sure that doesn’t leave any holes, that we don’t miss something, and that we can repeat that over and over again. Now, the system I would suggest you adopt is one of working from the outside in: what’s the furthest point on the defence of our tenant that we can look to secure first, and then once we’ve done that successfully, we can then move our way further and further inside the tenant.

Now in the Microsoft space, probably the point that is furthest from the tenant is actually something Microsoft generally won’t handle. That will be your DNS records. Now, there are three major DNS records when you look at security that are very, very important. The first one of these is called the SPF record. Now most people will have had to set that up when they configured their tenant. That means that it will already be in place before they even got the tenant up and running. Now, the idea with SPF is for it to basically be a record, or a match, between the IP address or the actual physical server that is sending mail and the domain that it claims to come from. So basically, the SPF record is going to provide that match to let other people know that the email being sent by your custom domain is authorised to come from the server. Now, what we find is that many customers need the ability to send from multiple services. Some might send bulk email, or maybe on-prem and also in the cloud. So again, there is the option for you to have multiple servers configured in SPF. Now, the simpler you can have this the better. So if you’ve only got Office 365 as the way to send emails, then that’s gonna make it very simple. But if you do have some of the other configurations, then you’re gonna have to make sure that you add those in appropriately. And the idea is that you’re going to make sure that the syntax is correct. Now, it is very easy to make a simple formatting mistake when it comes to formatting these records. So my advice is, even if you have an SPF record in and up and running already, make sure that you go in and double check it now. There are lots of tools out on the internet that will do this for you. mxtoolbox.com is a great place that I use; just go in there and you can run a DNS query across all your records, but then focus on the ones we’ll be talking about here, and SPF is the first one. So most people will have SPF in; make sure that it is correct, it is correctly formatted and has the right configuration before you go too much further.

Now, after you’ve got your SPF and you’ve verified that, go and have a look at DKIM. So the idea with DKIM is that DKIM is a DNS record that will basically provide the key to unlock a cryptographic key that is put into, or sent with, every email. So the idea is that when an email is sent out from the domain, it will include a short cryptographic header. And then when the receiving party gets that, they can go back to the DNS record, get the decryption key from the DNS record which has been set up, and that will then be used to decrypt the header from the email that was received, and they can then verify that that is expected, and indeed that email did come from that originator. So again, DKIM requires typically two DNS records, very simple. You only have to put them in, do them once. And again, you can use something like MX Toolbox to go in and check to see whether you have DKIM in place. There’s also plenty of places to read up on how DKIM needs to be configured. There are some articles around Office 365. Now, Office 365 does use a form of dynamic DKIM, but it’s always better to go in and have a static version. So once you’ve got your DKIM records in, you can go into the Exchange Online configuration, you’ll find a DKIM option under Protection, and then you can basically ensure that it’s working, verify that DKIM is correctly configured, and then basically make sure that it’s turned on going forward. So the second thing I’d get you to check is to make sure that you have a DKIM record and make sure that it’s set up correctly. And if you are using a Microsoft 365 tenant, you can go into the Exchange Online config under DKIM, and you can make sure that that is set to on. So again, that’s going to provide you an additional layer of protection when it comes to your emails.

Now the third DNS record is something called DMARC. Now DMARC basically does an evaluation on the success of both the SPF and DKIM records. Now it is basically something that you can configure to initially just report; you can also configure the situation so if something fails DMARC it can then quarantine the email, and you can then get quite aggressive if you want and set it to actually reject if it fails DMARC. So, in summary, DMARC is that evaluation of the success of DKIM and SPF together, and then what action will be taken based on the success or failure of that evaluation. Now DMARC, again, is something I would suggest that perhaps you start off with just reporting, and there are tools out there that can send you the DMARC reports to let you know what’s failing and what’s happening. Generally, I would suggest that you move from reporting to at least quarantine, so that again, that means that if there is a failure of DMARC, then we basically look at quarantining the email rather than accepting it into the system. Now DMARC, again, is a single DNS record that you put inside your environment, to basically let people know that when they receive an email, they want to evaluate DMARC and come back to your DNS records, and then they can look at what the settings are, and that helps them make an evaluation based on those settings.

Now, the reality is that those three DNS records are typically outbound, so they’re typically more important for the emails that are being sent to another organisation. So to be a good internet citizen, make sure that you do have those records set up correctly and configured appropriately. Now, you can also use that technology to assess inbound emails as well. So basically what we can say is, okay, for records that are coming into our environment, if they do not basically have success with SPF, we can then treat them or mark them as more likely to be spam, which they are. And then we can also do the same with DKIM and DMARC. So there are a number of settings inside Exchange Online, particularly, that you can go in and modify, or set up policies that take different actions depending on the success or failure of what these records replicate for inbound emails. Now, the idea here is that there is an area that you can go in and set these up; we can do this via the web interface, we can also do this with PowerShell. And for example, when emails come into Exchange Online, they are evaluated using what’s called an SCL level, so the spam confidence level. And things like a failure of SPF will generally add to the fact that it’s probably more likely to be spam or not. And then you can set a threshold to determine, okay, well, when the threshold gets over, say, seven, which is the default option, then we will treat it as being spam, and then you can determine what action you want to take once that evaluation has been made. But the important thing is to think about this starting as far out from the tenant as possible. Make sure that your DNS records are correct, especially for SPF, DKIM and DMARC. You can use tools like mxtoolbox.com to evaluate your records. You can also use that tool to evaluate other records, other tenants, other domains as well, because the DNS records are effectively public, so you can go out and, again, have a look and see how many people have set up SPF, have set up things like DKIM and DMARC.

Now a couple of other tools I’d recommend that will help you in this assessment is what’s called the Message Header Analyzer. So what it allows you to do, it’s a free tool that you can download from Microsoft, is typically an add-on for Outlook. So you go and do a search for Message Header Analyzer, you can then add that into Outlook. And then when an email is received, you can use that to drill in and report on the message header. So typically, the stuff you don’t see in normal Outlook will tell you whether there has been SPF success on the email that you’re looking at, whether DKIM is assessing, whether DMARC is a success. But it also lets you know, for example, which servers the email has come through; lots and lots of really good detail in there. And I would certainly recommend that add-in as a standard. Now remember, we can load that individually onto a single Outlook client if you want; it also works in Outlook Web Access as well. And if you’re an administrator, you can add that to the admin area of your Microsoft 365 and then push it out to all your clients. And it’s a recommended option because most clients probably won’t, customers won’t use it themselves. But if you ever need to troubleshoot why did this email end up being spam, or why did this email end up in junk, this Message Header Analyzer is going to allow you to be able to debug, and it has a number of links in there that will take you directly to the relevant articles from Microsoft to let you know what the settings are and where you can make changes. So I would strongly recommend that if you are curious, or you’re really wanting to tweak your settings, or you want to analyse why emails are ending up in places like junk mail folders, then use this Message Header Analyzer add-in. And you can go and evaluate and see in much more detail what the actual message headers are, or rather, what the actual process is that has taken place moving this email between servers.

So hopefully that’s given you a bit of a start when coming to think about security. Good security, like I said, is done in layers. The outermost layer, I believe, is to look at the DNS records. So make sure you have your SPF, your DKIM and your DMARC configured and correctly set up. You can evaluate that with a number of tools. Once you’ve got those set up correctly, there are a number of options inside Microsoft 365 to make sure that that is turned on, so Microsoft 365 is taking advantage of the signals that are coming from those DNS records. And to do a bit of evaluation and look at those headers in more detail for inbound emails, you can use the free Message Header Analyzer plugin from Microsoft in your Outlook that will give you the ability to drill into that if you want to get some more details. So I thank you very much for taking the time listening to this episode. Hopefully we’ll be able to, again, do a number of deep dive sessions into specific areas in security down the track. If you do have any suggestions, or you do want to hear a topic in more detail, please don’t hesitate to contact me; you can do that via director at CIAops dot com. And I’ll take this opportunity once again to thank you very much for listening to this episode.
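The three record checks the FAQ episode above walks through (SPF syntax, a DKIM selector key, DMARC policy), written out as an added example; this is not code from the podcast or from any Microsoft tool. It works on the TXT record strings rather than doing live lookups, so the example.com records it ships with are constructed sample data, the selector names follow the Microsoft 365 convention (selector1, selector2), and the finding messages are this example's own wording.

```python
"""Offline sanity checks for SPF, DKIM and DMARC TXT records.

Added example, not code from the podcast or from Microsoft. The sample
records at the bottom are constructed for a fictional example.com tenant;
in practice you would fetch the real TXT records (Resolve-DnsName, dig, or
MX Toolbox) and pass the strings to these functions.
"""

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_MAX_LOOKUPS = 10


def parse_spf(record):
    """Split 'v=spf1 ...' into (qualifier, name, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # implicit qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        sep = "=" if "=" in term else ":"    # modifiers use '=', mechanisms ':'
        name, _, arg = term.partition(sep)
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def _tags(record):
    """Parse 'k=v; k=v' tag lists (DKIM and DMARC share this syntax)."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(apex_txt):
    """Problems with a domain's SPF, given every TXT record at the domain apex."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one SPF record, receivers return permerror")
    terms = parse_spf(spf[0])
    names = [name for _, name, _ in terms]
    # Only direct lookups are counted here; nested includes add more in reality.
    lookups = sum(1 for name in names if name in SPF_LOOKUP_TERMS)
    if lookups > SPF_MAX_LOOKUPS:
        findings.append(f"SPF: {lookups} DNS-lookup terms, limit is {SPF_MAX_LOOKUPS} (permerror)")
    if "all" in names:
        qualifier = next(q for q, name, _ in terms if name == "all")
        if qualifier == "+":
            findings.append("SPF: +all authorises every sender on the internet")
        if names.index("all") != len(names) - 1:
            findings.append("SPF: terms after 'all' are never evaluated")
    elif "redirect" not in names:
        findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
    return findings


def dkim_findings(selector_txt):
    """selector_txt maps selector -> TXT records at <selector>._domainkey.<domain>.

    Microsoft 365 publishes selector1/selector2 as CNAMEs; the resolver follows
    those, so what arrives here is the final 'v=DKIM1; ...' text.
    """
    if not selector_txt:
        return ["DKIM: no selector records published, outbound mail cannot be verified"]
    findings = []
    for selector, records in selector_txt.items():
        tags = _tags(" ".join(records))
        if "p" not in tags:
            findings.append(f"DKIM: selector '{selector}' has no public key (p=) tag")
        elif tags["p"] == "":
            findings.append(f"DKIM: selector '{selector}' publishes an empty key (revoked)")
    return findings


def dmarc_findings(dmarc_txt):
    """Problems with the record at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>, SPF/DKIM failures are not acted on"]
    tags = _tags(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"DMARC: missing or invalid p= policy ('{policy}')")
    elif policy == "none":
        findings.append("DMARC: p=none is reporting only; move to quarantine or reject once reports are clean")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, aggregate reports will not reach you")
    return findings


def assess(apex_txt, selector_txt, dmarc_txt):
    """Run all three checks and return the combined list of findings."""
    return spf_findings(apex_txt) + dkim_findings(selector_txt) + dmarc_findings(dmarc_txt)


# Constructed sample records for a fictional example.com tenant (not real lookups).
SAMPLE_APEX_TXT = ["v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 ~all"]
SAMPLE_SELECTOR_TXT = {
    "selector1": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"],  # placeholder key text
    "selector2": ["v=DKIM1; k=rsa; p="],                                   # revoked key
}
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
```

Feed it the TXT strings returned by `Resolve-DnsName -Type TXT` (or `dig TXT`) for the apex, for `_dmarc.<domain>` and for each `<selector>._domainkey.<domain>` name. The checks are deliberately the ones a syntax tool like MX Toolbox also reports: a second SPF record or more than ten lookup terms makes receivers return permerror, which fails SPF for all of your mail, not just the misconfigured sender; `+all` or mechanisms after `all` are common copy-paste mistakes; an empty `p=` on a DKIM selector is a revoked key; and a DMARC record at `p=none` only reports, which is where the FAQ suggests starting before moving to quarantine or reject. On the sample tenant the run reports the revoked selector2 key and the reporting-only DMARC policy.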
Brenton talks to Steve Hoskins about a variety of topics but focused on endpoint management, especially Intune. I provide you with a quick update on everything that’s happening in the Microsoft Cloud as usual. So tune in and enjoy.
This episode was recorded using Microsoft Teams and produced with Camtasia 2019
Robert Crane 0:02
This is Episode 238, my name is Robert Crane, and I’m flying solo for this episode. So I’ll give you a quick number of updates on what’s happening in the Microsoft Cloud, then we can throw over to an in-depth interview further along. Now there is a little bit of a slowdown, I think, in the news cycle from Microsoft. We are approaching Build, a virtual Build that we’ll be having in May, and we’ve also got Microsoft Inspire, which has also gone, basically, to a virtual conference. So I think Microsoft’s holding some of these things back to release them, although they did release a range of updates or new releases on the Surface range. So we sort of don’t know; it’s like everything else these days, it’s always a bit “we don’t quite know what’s going on”. So one of the updates that has happened: there has been some news around Microsoft Teams. So Microsoft Teams is now moving shortly into an environment that will allow you to have nine people, a Brady Bunch style, Hollywood Squares style option to see all the people in the meeting. So that moves on from the normal four, two by two, to a three by three arrangement. Now Teams is also including the ability now to raise hands; I think that’s gonna be a fantastic option to prevent people, you know, talking over each other. We’ve also now got background effects. If you haven’t seen that, there is the ability to put some background effects behind you to obviously cut out distractions and also minimise or maximise your own privacy. We’ve got some background blur for iOS as well now, and we’ve had some limits increased on the live events as well. So plenty of news coming out of Microsoft Teams, as you would expect at this point in time. So I’ll make sure we put the blog post in there for you to go and have a look at; there’s lots and lots to read. There’s a lot happening with the Microsoft Teams environment. Now one of the other things that caught my eye was some updates around Project Cortex. Project Cortex, again, is coming hopefully very soon, that allows us to manage our information and use AI to aggregate all the

Some webcasts, their webinars, that I recommend that you probably go and have a look at as well. Some updates around OneDrive for Business; not a huge amount here, some updates around the sensitivity, and some version labelling in the desktop, which is a handy feature, so now we can get to our version histories directly from our desktop. We used to be able to get to that via the web, but now we can do that directly on the desktop. We’ve also got the ability to delete any locked files there as well. Now, not to be outdone, we’ve also got some improvements in the Planner experience in a mobile environment. So Planner, To Do, Teams, all of that is becoming more tightly integrated, so we’ll make sure again that the link to the articles is in the show notes so you can have a look at the new options that are available in Planner on the mobile environment. And some interesting news also that Microsoft has announced new data centres in New Zealand and in Poland. So for those people not too far from Australia, we’ll see some data centres in New Zealand; the understanding I have is it’s going to take them probably a couple of years to spin those up, but it’s good to see Microsoft continues to grow its footprint there and the options for those around the world, to make it much better for people in those localities. Now, probably the biggest thing that’s grabbed my attention of late is the update to Windows Virtual Desktop. So this is now becoming an ARM-based model. So this has moved from very much a PowerShell environment to being far more integrated with the Azure portal. So you can now spin up your host pools, you can set up your hosts, you can do all that sort of stuff basically without needing to do everything in PowerShell, which used to be the old way of doing it. So it’s a different model; you can see that this product is maturing very quickly. So if you haven’t had a look at Windows Virtual Desktop, I’d certainly recommend that you go and have a look at it.

claim that quite regularly now, and would recommend that you have a deeper look at it because it’s a very, very important part of the Microsoft technology stack going forward. Now, with that said, Microsoft has also announced that Defender ATP is in preview for these multi-session environments. So that means we can bring our Defender ATP clients in to monitor and manage these VDI environments for us as well when it comes to security. Now, also speaking of security, there is a good practical guide here that Microsoft has released about securing remote work with your Microsoft 365 Business Premium. So some options in there. It’s all pretty much common sense, but it’s good to have it all laid out. It comes down to multi-factor authentication, securing your tenant correctly, making sure that your users are doing things in the right way, and you have the devices locked in, you use your Office 365 ATP policies, but it’s a very good article to go in and basically build yourself a bit of a checklist, and make sure that you are covering off all those items that they detail there. Another one here for Microsoft Stream. So Microsoft Stream now gives us the ability to actually capture or record stuff directly on your desktop. That is a really handy little feature for creating how-to videos, or even doing short informational clips for workers to share and maybe even post up to YouTube. So it’s really simple, really quick and easy to do, and that’s rolling out as well. Again, have a look at the show notes for more details around that. Now, the other thing that we’ve got here also is some of the security stuff around Defender ATP. I found a really good article here from Microsoft, again, that basically shows you how to gain 24 by 7 detection and response coverage using Defender ATP. Now it sort of outlines how you can just maybe kick off or stop this just via email. So maybe if you’re a small provider, just do everything by email. And then it does have the ability to look at integrating with things like APIs, and so on. And there’s a lot of really good information in there, and hopefully it’s pitched at different levels, but we’ll put it in the show notes so that you can go and have a look at that and do a bit of a review and see what Microsoft basically has on offer as well. So there are some articles that we recommend that you go and take a look at, if you’ve got the time. We think that there’s plenty of value there. It’s still not a lot happening out there in the space; maybe not as much is being revealed as yet because I think Build is coming up, not too far away, and we do have some, you know, big expectations around what they may be announcing there as well. Don’t forget there are also the new Surface devices to go out and have a look at as well. Hopefully they’ll pique your interest there. Another iteration on

arrangement for Microsoft. And I think I’ve covered everything I need to in this short and quick update. So why don’t we get straight into the interview for this episode?
Brenton Johnson 8:12
I have Steve Hosking here from, he is now a Microsoft employee as of next week, and has extensive experience and knowledge around the Intune platform. He’s been doing a series of videos, which I mentioned a few weeks ago in the podcast, which were, you know, very good, very useful for me, as far as, you know, getting a bit more of a feel for the sorts of things that I can do. Certainly since last time I looked at it, it’s changed significantly; I remember when it was back in Silverlight. I don’t even recognise it anymore. And yeah, just the things that are coming out. So I thought, I know what I’ll do, I’ll reach out to Steve and ask him if he’ll come on the podcast, and thankfully for us, he agreed. So welcome, Steve. Brenton.
Steve Hoskins 9:08
It’s great to have you on the podcast. So I might start by asking you, what is that? They
Brenton Johnson 9:17
say, what’s your background? How did you get here? You know, how’d you end up here? Alright, so my background is around device management. I’ve spent the last 20 years-ish, I feel old now, but
Steve Hoskins 9:33
almost 20 years doing end user compute in various different situations. So I started my career as first and second level support, to an end user compute fund. Everybody’s been there, everybody’s enjoyed that.

But rather than going into that whole data centre infrastructure space, which is the typical journey, I stepped into the infinite CEO of the SME development space. And that’s where I specialised in doing device provisioning, device OS, and managing that OS layer, and being a very specialised person in doing that. And then, yes, so then I spent 10 years literally going from organisation to organisation, rolling out XP, Windows 7, Windows 10, Windows 8.1, and stepping through all of those different technologies and using, what, SMS 2003. And I still remember feature pack 1.0; the difference between that and 1.1, which was the big one, was that they changed the WIM format in the beta from Longhorn to Vista. And it caused a whole heap of problems with how you actually decompiled it, and you had to change the executable to use it. So I’ve got a bit of history.
Brenton Johnson 10:52
You’ve got your stripes, so to speak.
Steve Hoskins 10:54
Yeah. And then we stepped through into, like, CM07 and CM12, and then we’ve played a lot of fun with that. So for the last five, five and a half years, I’ve been working for a company called vigil and it is a partner. And then in the last, what, three, four years, we started moving across and very much specialising in that Intune space. So since 2017, that has been our core direction for my practice. And we worked extensively with Microsoft on that. So over those three years, I’ve been a Microsoft MVP, very lucky in being in that situation, have had a lot of fun with that, and it’s given me access to be able to go in and understand all of the new technologies as they’ve been coming up.
Brenton Johnson 11:43
Yeah, that’s, that’s,
that’s really cool. So you’ve got a fair bit of experience in it. You’ve obviously jumped onto the Intune thing quite early. You know, it wasn’t much of a product back in the day, days compared to alternatives out there. So can you walk me through a little bit about the evolution of Intune, and where it’s come from, and what the ideas behind it were, and, you know, how we should be thinking about it?
Unknown Speaker 12:14
Brenton Johnson 15:38
said I in the video, so yeah, yeah, like,
Unknown Speaker 15:41
it’s still like, it hasn’t been expanded out. But the whole packaging of applications, and this is where it allows you to start building standardised installation media for all of your small business customers. And you can start building out your automated configuration for all of your customers. So if you’ve got multiple environments where you need to make sure that they’ve got a consistent BitLocker configuration, which is pretty standard, you’re going to sit there and say, I want to have BitLocker turned on, I want non-admins to be able to BitLocker, and I want it done solidly, and there’s no third party encryption already on that. These are like four settings that you set. You can export that out using Microsoft Graph with PowerShell, scary word, PowerShell, and export it out into a JSON object. And then you can go and import that into any other customers you need. Once you spend a bit of time playing around with this, you learn that you have the ability then to start using that same authentication token and going in across all of your customers. So one of the last projects I’ve worked on at vigilant, for an internal reporting scenario, is we step into each one of our customers’ tenants and we check to see what the state is of the application installation, of the compliance, of the Windows updates. And then we return it back into Teams, into a channel for our support guys to go and look at. So you can go in there and go, oh, this is what’s going on, and we can actually go from there. And one of the things that we’ve added in there is then the ability to add chicken portal. So you click on the button, and it goes to the portal page for that problem, as well as go on, look at the video, and there’s a video on how to fix that problem.
Brenton Johnson 17:31
Unknown Speaker 17:33
All right, pointed guidance. And it’s that scalability of being that this is all just powered on Graph and Azure Automation. Like, there’s no real huge trickery around it. But once you start talking around that sort of technology, you go, huh, interesting.
Brenton Johnson 17:53
Steve Hoskins 19:33
Exactly. And positive to go back from what you’re saying is
we’ve spent the last eight weeks, six, no, six weeks working on this UI, getting it all into Teams, on a team of three people. Yeah, amazing. Right. We’ve had one guy that’s been probably 60% of his time, and that’s the priority, that is the most amount of time that we’re putting on. Right, and we start breaking it down and go, where’s the return on investment that is worth saving, having each one of our first level support guys going into each one of our customers’ tenants and finding out the status of that configuration.
Brenton Johnson 20:17
And a huge time saver.
Unknown Speaker 20:19
And then from a training point of view, it gives us the ability to turn around and go, well, look, I need to bring on a new resource; I don’t need to sit them down to teach them one on one how to do mention. I’m just going to point them at these videos. So we’ve spent time recording videos, recording content, so that at the end of the day, once I’ve left, as I have now, the organisation, people can still go in and learn that content. Whereas if I sit there and do a one on one, it’s dead time. It’s not reasonable. So it becomes not valuable. So this is part of that whole change your paradigm of thinking, especially most, most organisations and most partners, you guys are going to have an E5 licence as part of your internal usage rights. Go and use it for Stream. So there are videos up there, capture, do whatever you need to do, it doesn’t need to be perfect. Like, one of the biggest barriers that I’ve found with this resource getting him involved is, I just want it perfect, I’m gonna go in and modify the script and order the closed captions in Stream, I’m going to do this, I’m going to do that. Like, it’s more important to have the content there. It doesn’t even need to be perfect. It just needs to be there so people can use it. And you stop talking through that story and people go, oh, okay.
Brenton Johnson 21:51
And it’s your maximum, isn’t it? Perfect. That’s right. And I think what you’re really talking about is you’re looking at the stuff that really brings value for you guys and your customers, and you’re building and prioritising around that. And because, you know, it’s an API, it’s a REST API, it’s not like you have to really build a whole, you know, million dollar build around it; you can just build into the parts you want. Once you’ve authenticated, you can go to the API endpoint that you want and, you know, retrieve the data, send the data, um, you know, probably sound a bit, not developer enough. But that’s essentially all it is, right? It’s, you know, there’s like four major functions in a REST API, right, from, like, you know,
Unknown Speaker 22:39
that the time it’s taken us to build our tool sets to export that content, it’s probably been five days, yeah, development time. And most of it, the bulk of it, is just sitting there and making sure it’s consistent. But we’re now to the point where we can export and import whole configurations. We’ve spent the time to understand the toolset. So if you’re using PowerShell, go and use Visual Studio Code, commit your code, do version control, and then start looking into tasks. So my colleague at vigilant, Ben Rader, who appears on the Intune training session quite often, he’s done some really awesome stuff around tasks and Win32 apps, where we have the ability just to hit F1, go build, and it’ll go and build the app, and then go publish, and like, okay, it’s already up there. I’m going to go and get a coffee. You just fill it all out as the MLM wallets doing while it’s doing the folk up. You can walk away, don’t have to think about it.
Brenton Johnson 23:47
Hackensack put your feet up. Yep. And not harder, right? Yeah,
Unknown Speaker 23:51
exactly. That, oh, there’s a new version of Zoom. All right? Get the MSI, good, put it into the file, build and publish. It’s good. But, yeah. So it’s about making your life easier. And that’s where you start building that automation process. And that’s, I think, a big value point that most organisations are still grappling with. It’s one of those big changes in mindset. Once you’ve gone cloud, cool, what’s next? Well, how do I make it consistent? And look, you’re never going to have consistency for all of your customers.
Brenton Johnson 24:35
different requirements, you know, some requirements, customers require certain things and other customers require other things, um, but I think the across the board stuff, like your BitLocker example, where you deploy BitLocker regardless of the customer. I’ve never had a situation where deploying BitLocker hasn’t been a good idea. Sure, I’m sure you’ve probably come across a few where they use a third party tool or something, but, uh.
Unknown Speaker 25:04
All my customers, I walk in there and go, we’re doing BitLocker and we’re doing Defender ATP, and they would go, okay.
Brenton Johnson 25:15
Honestly, I bet everyone wishes their customers were just like,
Unknown Speaker 25:18
yep. Well, this is where you if they say no, I’ve had. So we’ve been doing Intune deployment full time for three years now. And
Steve Hoskins 25:33
two customers where we have not used the default Defender. The first one, where, and that was our first full Autopilot before 1709. And we’re sitting there, so 1607, 1609, we’re sitting there with the old build, and ah, it was, it was chaos. But that was, and then that was so close. And actually, I don’t think we’ve done another one without; we’ve always just done Defender ATP or Defender. Because why make the effort? Why pay for a consultant to come in and do that change for you? Yeah. And BitLocker, it’s a no brainer. Well, let me just turn around.
Brenton Johnson 26:25
Yeah, like there’s nothing in the Snowden papers about it, so it’s probably all right. That’s my opinion on everything. Like, if it’s not in the Snowden papers, if it didn’t come in that hack the Shadow Brokers did a while back, it’s probably okay. You know, like, there’s cold boot attacks and those sorts of things. If you’ve got nation states after you, then you might want to look at how you store your information. But, you know, 99.9% of people or threats out there, exactly. It’s not gonna, it’s the best thing you can do. It’s better than not doing it.
Steve Hoskins 27:02
Essential. And that’s it. Right. It’s about to turn. It’s not about it being impregnable, because no encryption is impregnable if you throw enough cycles at it. Yeah. Simple as that. So, look, I make my life easy because I sit there and I just go, well, we’re doing it this way. And if you don’t like it, well, let’s see how we do it my way. Well, budget. Great.
Brenton Johnson 27:32
So do you want to spend your money going and getting an incremental benefit of 0.0001%? That, you know, may or may not be that, because you have no idea, because you’re doing something non-standard. Or do you want to stay in the safety of numbers, where, you know, if anything does happen in that situation, there’s going to be advice coming out, there’s going to be help, there’s going to be PowerShell scripts, there’s going to be all this sort of stuff. And I think this is a sort of interesting conversation, and I might go back onto the chain a little bit around use cases for different-sized companies. So say if you had a five-seat company, a 25-seat company, a 50- or 100-seat company, like, how would you go about it? Because, you know, Intune’s a bit like the REST API example, in saying you don’t have to deploy everything in Intune. You can just say what policies you want. So, as a baseline, what do you think are probably the most important policies that all organisations should have under that hundred-seat mark?
Steve Hoskins 28:41
The simplest ones that I’d be sitting there and saying is: make sure you have Office 365 going out, but make sure you have Windows Update for Business turned on, and ideally with a pilot ring. Good. If you’re small enough, just send it out and turn on the drivers and other Microsoft product updates in Microsoft Update for Business or Windows Update for Business. Because that’s going to make your life so much easier. I have a number of people that have turned around, I’ve actually been to a couple of recent customers, who are like, oh, we need to have the Dell support command on our computer, because we want to have all the drivers being installed from Dell. So, why couldn’t I get them directly from Microsoft? They just get pushed straight down. And, oh yeah, but it’s not doing firmware. It’s like, no, it is doing firmware. It’s doing everything you want it to be doing. But you don’t have to think about it. You don’t have another tool, another agent on your computer taking those cycles. And then we go across into, right, we’ll make sure you have BitLocker turned on. BitLocker is important. Turn it on, et cetera. Love it. Get new computers with it. It is one of those things where I don’t want local admin on my computers. I don’t know about you, but I don’t want local admins on my computers. That’s the simple fact. And my end users, they’re not local admins. They’re not going to be local admins. My whole organisation, a visual on it. We’re not local admins. They had the ability to go and get global admin, or device admin, or whatever was relevant to their level in the organisation, but it had to be on request with him. But from a security point of view, we didn’t have local user accounts. Local user accounts are not required in any organisation anymore.
Brenton Johnson 30:40
Yeah, and I think this is an interesting distinguishing feature when we’re talking about the videos. And you’re talking about, like, you know, if the computer’s messing up and we don’t know what’s wrong with it, we just blow it up. Now memory started, we just gotten a new engine, and it just resets the device. So moving Enable from having this sort of idea that they have to spend hours and hours setting up a device the way they like it, all of that sort of thing. A lot of those configurations can be done with watching. So when people log in, 90% of it’s done. What I would say is, Intune will do a good percentage of it. But it doesn’t need to, you don’t need to auto-configure. Your staff are smarter than what they were 10 to 15 years ago when it comes to IT. When we were doing SOEs for XP.
Steve Hoskins 31:33
It was a hard, hard, hard learning curve, because you’d have people coming in and, I’ve never used a computer. This isn’t just like people in their 50s and 60s at that point. This was people coming out of high school. I still remember in 2000, when I was, 2001, when I went to uni, and one of the girls, she turns around to one of the other guys, can you come and show me how to actually use a floppy disk, and so forth. So you’ve just gotten into uni. It’s like, yeah, I was never shown in high school. I don’t know. So, whereas that’s not the case anymore. And that’s that whole change of mentality. But the other setting that I highly recommend to just turn on, it’s not even a conversation, just turn on, is Enterprise State Roaming. Enterprise State Roaming gives you that whole common experience across all your computers. And then OneDrive Known Folder Move, like, I can’t go on enough about this product. It is going to make your life easier. You don’t even need to think about it. It just works.
Brenton Johnson 32:44
Episode Six for everyone listening.
Brenton Johnson 32:50
Yeah, scenario, that was one of the things that we looked at. One of the first videos I watched, I’m like, oh, this is awesome. I’m loving this. So I wrote up a whole policy around it, was deployed, and, you know, why are we, why things are done the way that they are. And yeah, it’s just like that sort of thing, because we always have, it’s always senior management, because snowflakes or whatever. And if they lose one file on their desktop, even if they just moved it to a different space on their desktop, and they just can’t find it anymore, and he’s opened up OneDrive, you’re like, oh, there it is. Oh, ha, cool. You backed it up. I’m like, no, no, it’s still on your desktop. You just moved it. Oh, did I? Oh, okay. Well, you know, if you have all of that stuff, then you can start thinking, okay, I’ve got Enterprise State Roaming, again, as long as you have Microsoft 365 Business, or one of the, you know, proper SKUs, day one in it, you’ll be fine. If you try to do a lot of stuff on Business Premium, you’re gonna have a pretty,
Steve Hoskins 33:49
that’s just regretful that didn’t.
Brenton Johnson 33:52
Well, yeah, I shouldn’t age the podcast too much. So what I meant to say is, if you are using Microsoft 365 Business or Microsoft 365 Essentials, those are not good SKUs for doing, look, you know, device and user management, with the Office and email and SharePoint and OneDrive. But they’re not management SKUs. The management SKUs, or self tracing small business and enterprise equivalents of those.
Steve Hoskins 34:22
The simple fact is, and I know I’m going to oversimplify it when it comes to licencing and everything associated, but think of it the same as getting insurance. Going and paying that little bit of extra is that insurance for you from your IT point of view. It’s going to save you in the long run. Yeah.
It’s gonna be an extra $5 a week, a month, or $50 a month.
Could break the company, maybe, but it’s something to look at and go, what happens if I don’t do it? I know one of the big conversations I’ve had recently with guys at Microsoft is, all right, we’re wanting to put these companies into stasis because of COVID and everything associated with it. Like, how do I make sure that I don’t lose all of my content, all my configuration and everything associated, when we spin up at the end of the cycle? It’s like, wow, that’s a great question. Because you can’t just pause payment. As soon as you pause payment on your subscription, you’re sitting there and go, hang on, all of my mailboxes disappear. All of my data starts disappearing. Yeah, and, well, what we’ll do is we’ll just back it all up into a storage. Like, cool, but how do we bring it back? Yeah, and you start talking as well, if you’re sitting on the bare minimum price point today, I can’t help you. Yeah, there’s no step back. But if you’re sitting on, say, an f5 or an a three and you need to, are out also we’re going to money, you can step it back. But it’s tough. I understand. But all of these technologies, they’re there for a really good reason. Defender ATP, that is such a, I can’t go on enough about why that is such an important product for your platform. Like Security Center, stuff, all of that information that you can pull back around. Are you compliant? Do you have any risks in your environment? Do you have all of your applications, not just the Microsoft applications, but all of your applications, patched?
Brenton Johnson 36:50
These are really key and core things that a lot of organisations are missing. And then they’re looking at third-party products. Like, why? You already got it, use it. So yeah, I think that goes back to our original conversation around, you don’t have to use the third-party products if you have the correct tooling for the size of the organisation you are. If you’re Coca-Cola, and you have a huge IT team and one tenant to manage, you know, it’s a different conversation to someone who might have, you know, 12 or 15 customers varying in size from five to 50 or 100 staff. But then you go, well, that’s the environment that we’re in, how we’re gonna manage that. So I think it’s gonna be an interesting thing, is RMM tools. Most of the MSP world, or the managed service provider world, will live and die by their RMM tool. There’s a lot of automation built into it. It does a lot of this stuff for them in a slightly different way, but then you have security experts running around saying it’s the most dangerous tool ever invented, is the RMM tool. There’s nothing more dangerous than an RMM tool. Well, they actually use one called Configuration Manager.
Steve Hoskins 38:19
So no, no, in all seriousness, like you go to the Black Hat conferences and things like that, and like half ago on hacker con and things like that. They talk about Config Manager. Like, security in your Config Manager environment is so important. But there’s so many organisations that are out there and just say, I’m just going to run it as HTTP. I’m not going to worry about it, because it’s just corporate data, doesn’t matter. So talk computer data. And so, yeah, cool. That’s one way of going. The other way is the ability to reset your computer, the ability to go in, take from it, change permissions on everything in your system. So yeah, these systems are super powerful. And
Unknown Speaker 39:10
you’ve got to be careful.
Brenton Johnson 39:12
Are you familiar with the 10 immutable laws of IT security that was published back in 2000, and then updated again, I think, about 2013? I got one of the MVPs or Microsoft, and it’s probably still there, they probably moved it over from TechNet. And like, one of them is: if a bad guy has access to your PC, it’s not your PC anymore. Security is not a panacea. You know, it’s like all of this stuff that was written, it’s all getting a bit aged, you know, but the principles are pretty, you know, they pretty rotten with the immutable laws. I was pretty impressed. Yeah, I learned about them probably like 2007, and we’re talking about servers and, you know, all of this sort of stuff, and, you know, but that one always sticks with me: if a bad guy has access to your PC, it’s not your PC anymore. I’m like, oh, it’s true. And you know, Windows Credential Manager is not the most secure thing in the world. Uh huh. I remember at the cybersecurity conference in Melbourne, they had a presenter there showing how she could get every single credential ever saved in Microsoft by doing all this crazy stuff on the computer. Shows you, you know, a very dangerous individual if you’re on the bad side. Luckily, she’s one of the good guys, but you know what I mean? Like, it’s probably not good enough to sit back and go, you know, it’s fine. You know, such and such RMM tool, we won’t name any of the five names of RMM tools out there, is fine, because we’re consistently seeing, and it’s generally not their fault, to be honest, usually password spray attacks, guys. You know, these are the sorts of things, the breakdowns. Your customers, don’t use your company name in the password. Good.
Welcome along to this episode of The Need to Know podcast. My name is Robert Crane and we are at Episode 235, and for 235 we are going to do a FAQ, so this is FAQ number eight. FAQs are a shorter deep-dive look into technology, processes, and so on, rather than our extended format of news and interviews. So hopefully I’ll be able to get across my intention here in about 15 minutes or so. So as always, I appreciate any feedback, any comments that you have on what you’d like me to present in these shorter areas. And if you haven’t heard an FAQ, go back and have a look at the previous episodes. So what I’m going to talk about in this FAQ is a rule of thumb, or a number of rules of thumb, that you should have when you look at moving to the cloud. Now, Robert has a rule of three. My rule of three basically is a governing rule that I use in many, many circumstances. So let me give you an example of why. So when you do adoption, or when you work with users, my experience is that most users struggle to manage any more than three changes at a time. So for example, if you implement Microsoft 365 for a customer, and you introduce them to OneDrive, you introduce them to Teams, you introduce them to SharePoint, and then you try and introduce something else, maybe the email move to the cloud as well, you’re gonna have a lot of them. Now, as soon as you overload them, what happens is there is catastrophic failure. So think of it like juggling balls: if you’ve got one ball, easy to do; two, a bit challenging; three, yes, this is probably the limit. When I give the person four balls to juggle, they don’t just reject the fourth ball I throw at them, they will drop all the others as well. So this is what we see when we do adoption, is that people, when they’re overloaded, they basically have catastrophic failure, and they reject everything. So once you start overloading, and those are not at all, bad, I don’t want to hear about it, I just want to take it back to the way it used to be.
So again, my advice is that when you’re looking at adoption, think about the number of changes that you bring to people, to again allow them to digest it and move on. Start with three. Maybe that’s, in my case, OneDrive, Yammer, and then maybe potentially start talking to them about Teams, and then leave it, let it settle down. Let them get familiar with and understand the tools, then come back, and then maybe look at doing communication sites, or Power BI or Power Automate, and then leave it and then go on to the next three. So you need to look at this as an extended process, because people just cannot digest that amount of change in such a short period of time, generally. So Robert’s rule of three is: don’t overload your users with too much change too quickly. Look at it as a process of small bites, incrementing and improving over time, to allow users to build on that knowledge so they can move forward easily and competently without feeling that it’s too much for them to head on, that they don’t understand it before moving to the next step. Now, where else can the rule of three be applied? Well, basically, one of the other rules I like to try and achieve is to have a structure that is no more than three layers deep. So if you think about a team, you will have a team that will be level one, a channel inside the team is level two, and then a folder or a subfolder within Files within a team would be level three. Now, if you can avoid going deeper than that, that’s great. That should be the ultimate aim, the best practice to aim for. That may not be possible, 100% understand that. But the reason is that very deep structures, as I have spoken about before, become extremely difficult to navigate for many users who aren’t familiar with that structure. So they go into the location, they go up and down folders all day looking for files.
So if we can keep these as flat as possible. Basically, when I look at my file structure within a team, what I want to see is the files at that level, or the folders, and again, the folders need to be categorised in such a way that it’s obvious for me to see what they are. So again, if I have a folder within a folder, then at that top level I can’t see what that subfolder is all about, so that makes it difficult. It means I have to go in and navigate in, and then navigate out again, to see whether the information is there. I mean, obviously search is the way to do it. But again, if you can, try and stick to some sort of rule about the maximum depth. Now the other advantage of setting a maximum depth level is that you don’t exceed the URL limit. So as we go deeper and deeper and deeper into structures, obviously the URL, the length of the file path, increases, increases, increases. And that becomes more and more difficult to work with. It also becomes more difficult to structure and change if we need to. So again, Robert’s rule of three is: try, as much as you can, to keep the depth of your structure to no more than three levels. All right, so that should make things easy for people to work with. Now, if you’re out there with packages, and you’re offering and you’re providing things to users, again, Robert’s rule of three would apply: gold, silver, bronze, or package one, package two, package three. Don’t overload people with too many options. So if we look at the Microsoft 365 environment, they have recently gone to a change and incorporated basically Microsoft 365 Basic, Microsoft 365 Standard and Microsoft 365
Premium. Okay, so the idea here is that we now have business plans that are Business Standard, Business Basic and also Business Premium. Now again, Robert’s rule of three applies here as well. We’ve seen that, just keep it simple. So again, you can go to the user initially and say, what about Business Basic? Not good enough, doesn’t have the desktop implementations. Or we can go then up to Business Standard, or we can go up to Business Premium. So you’ll see a lot of this, I think, in other strategies that larger businesses use, because, again, we don’t want to overload customers with too much choice. They certainly need an amount of choice, but I would suggest, again, we get cognitive overload when we go beyond the normal three choices. So again, if you can, try and keep your offerings to around. Another one I’ve got for you is around bandwidth. Now, one of the most important things that you can do when you go and implement the cloud for customers, or you’re looking to move to the cloud yourself, is to estimate the bandwidth you’re going to need. Now, hopefully everybody appreciates that ADSL basically is asymmetric, which means the download limit is far greater than the upload limit. So typically ADSL uploads are about 0.5 or 0.6 of a meg up. And that really isn’t adequate for a large amount of users. So again, I’ve got a rule of thumb that basically says I have low, medium and high usages. So again, that sort of depends on if they’re using OneDrive extensively, doing lots of syncing, if they’re working totally in the cloud, or they do have some on-prem. So Robert’s rule of thumb for this is basically you would need, or you would estimate to need, about half a meg per user for low usage, one meg per user for medium usage and two meg per user for high usage. So if we take an average company that may be 10 employees, that would mean it would be half a meg times 10. So that will be a five meg link up. All right, so they have as much as they want down.
That’s not a problem. But the most important thing when you’re looking at the cloud and cloud usage is that link, the speed back up to the data centre. So importantly, the estimate that I have used as a rule of thumb is basically, as I said, half a meg for low usage, typically where the majority is more on-prem; one meg per user for medium, so that’s going to be a typical business that is moving a lot of their stuff to the cloud, they’re using OneDrive, they’re using SharePoint, they’re using Teams, but maybe still have some on-prem applications or data; and the final one would be at least two meg per user, for basically everybody, for everybody with everything in the cloud. So again, take that example with 10 users. Multiply that by two meg. So we’re going to need a 20 meg link up back into the internet to allow people to work effectively. Now, of course, you can vary those link speeds, but it helps to have that rule of thumb so you can walk into a business, or you can assess it and say, okay, we’ve got 20 users, and we expect it to start out as low usage, but eventually we’re going to get up to high usage. So why don’t we go for a more powerful link to start off with? So the recommendation I’ve got here for you is, sit back and have a think, based on your experience, you know, what sort of guiding principles or rules of thumb can you give people to help them make estimations when moving to this cloud environment. So again, just in summary, mine are typically everything around the number three. So firstly, again, don’t overload people with more than three changes at a time. Look at it as a process of three changes, pause, three changes, pause, three changes, pause. And then also look at it as no more than three levels deep. That makes navigation much easier. Any offering, any packaging, whatever, again, gold, silver, bronze, three options, again make it easy for people.
And as I also said there with the bandwidth, three options there: look at low, medium, high. And it’s not perfect, you can adjust it, you can make it whatever you want, but it just gives you that ability to do the back-of-the-envelope calculation or thought process when you’re working this sort of thing out, rather than having to wonder about it. So hopefully that’s given you some sort of guidance there. Remember, make up your own rule, whatever works for you. But I have a rule for you which I generally apply in a lot of cases, and I find that it works very, very well. So again, if you do want to contact us, or stay in tune with what’s happening on the podcast, make sure you visit at into k podcast on Twitter and Facebook, feedback at need to know cloud. Again, you can find me at director CIA. I welcome any comments, feedback or suggestions you may have for these sort of episodes that are a little bit more in depth, I suppose, but shorter, to get through your drive and get through your day. So, with that, thank you very much for listening to this episode.