Categories
Microsoft365 Windows 11

Summary Post: How Windows Device Check-in Works With Intune

I don’t blog about Intune nearly as much as I used to, now that I no longer work for Microsoft and have a greater focus on the Apple ecosystem (which, to be fair, Intune still plays a pretty significant role with iPad/iPhone management).

However, I like to keep across what is happening in this space and I saw a great tweet earlier this week that touched on one of the age old complaints about Intune – the perceived slowness of policy synchronisation (especially compared to other MDM such as Jamf). The tweet came from Rudy Ooms who describes himself as:

Content Creator at Patch My PC | Reverse engineering Intune and Windows internals. Sharing what actually happens under the hood.

Back in 2019 I shared a similar blog post from Oliver Kieselbach entitled New To Intune As An MDM? Read This Blog Post First! – SamuelMcNeill.com (which is still a good read), where Oliver dived into how policy syncs work. In this newer post from Rudy, he tackles similar ground but with a view 6yrs on (wow, time flies!) and as always, I encourage you to read the original post in full:

Intune Sync and Policy Delivery: Debunking the 8 Hour Myth

Rudy does have a video overview of this topic if you’re more into listening and watching than reading:

I’ll share a few highlights from the post that are pertinent in my view, starting with:

Microsoft has documented this first enrollment sync behavior: during the Intune/MDM enrollment, devices check in more frequently to PULL down configuration profiles, certificates, and policies.

  • Every 3 minutes for the first 15 minutes
  • Then every 15 minutes for the next 2 hours
  • And only after that, it shifts to the ~8-hour cycle

Those first two bullet points are generally pretty well understood and most IT Pros will have seen this frequent sync and update during the first OOBE workflow (Out Of Box Experience).

Rudy correctly focuses on “Change Based Check-ins” with Intune and has even created a great diagram to help explain that:

To expand on that, he talks about the role of the Windows Notification Service (WNS) which functions in a similar fashion to Apple’s own Push Notification Service (APN – Configure devices to work with APNs – Apple Support (NZ)). As explained by Rudy:

That push message travels over the Windows Notification Service (WNS) and tells the device to check in. These are the triggers that make Intune notify devices:

  1. Changing targeting (adding or removing a device or user group)
  2. Editing a payload (changing/adding a new Intune policy or updating app assignment)
  3. Entra group membership changes
  4. Store app version updates released by the vendor

In practice, the first policy change is usually pushed down within a few minutes. From there, Intune enforces a quiet period/throttle (roughly 30 minutes per device) before sending another push. So, while it’s not instant like a remote wipe (which must always be immediate), it’s still far faster than waiting for the full 8-hour maintenance cycle. Let me zoom in on the push message itself a bit more.

The blog includes some interesting testing data showing that the WNS is somewhat of a ‘black box’ in terms of how it operates and where buffers can come into play between a push of a policy change and execution on the device (again, read the full blog on Rudy’s site).

But What About Throttling, You Say?

Something that many frustrated IT Admins have suspected and/or complained about is the preception Microsoft throttles Intune changes to reduce load (either for the Azure cloud or the endpoint). Rudy’s post goes into this in some detail, explaining how the first changes are almost immediate and then subsequent rapid changes are bundled together and throttled:

  • Change #1 → WNS push almost immediate
  • Change #2 and #3 (<30 min later) → bundled, resolved when device responds to the same notification
  • Change #4 (>30 min later) → new WNS push delivered

Whilst this may make a lot of sense for Microsoft, for IT Admins that are perhaps making rapid changes to configurations it can be a source of intense frustration. Of course, in a perfect world IT Admins are cool, calm and collected at all times and make all of their policy configuration changes with a single update. However, that rarely matches the often frenetic pace which busy IT Admins are required to work at and knowing that changes are being bundled and throttled is often a suboptimal experience.

It does sound like there is some work being done by Microsoft to redesign this with something called “Fast Lane” that is broken down in the blog – check it out.

Final Thoughts

It can be very hard to change perceptions and the old adage of “perception vs reality” is very real when it comes to Intune sync speed. Dealing far more regularly with Jamf and macOS/iPadOS these days than Intune and Windows, I can say that in terms of speed of policy sync and responsiveness it really does feel like Jamf is a Ferarri and Intune can be a Bambina stuck in rush hour traffic.

However, Rudy’s blog goes a long way to showing that perception is often just that: perception. (Again, read the original post in its entirety – it’s definitely worth it)

Ultimately, it’s a great thing if Windows and Intune become increasingly more responsive as managing endpoints from the cloud is a good thing for everyone. With that, a final graphic from Rudy’s blog to visualise timings:

Categories
General

The Perfect Storm: Lessons from critical outages at Microsoft and CrowdStrike in July 2024

A short note before this post starts: I’ve not been blogging recently due to a major knee injury sustained falling off my mountain bike over Easter 2024. This required two reconstructive surgeries and has restricted my time for blogging. I’m mostly over this now and plan to write blogs more regularly again. With that, on with the post!

In July 2024, CrowdStrike experienced a significant global outage that left many businesses unable to access critical security services. For several hours, their endpoint detection and response (EDR) tools were unavailable, sparking concerns about the impact of cybersecurity tool downtime on business continuity. This incident was further compounded by outages in Microsoft’s Azure data centres leading to more outages and confusion over the root causes of the problems being experienced by businesses globally. In both instances, these outages were not the result of a cyber attack but instead the consequence of software updates gone wrong. Given that a February 2023 report from IDC placed CrowdStrike at the number one spot when it comes to endpoint security, with a 17.7% market share and Microsoft’s own endpoint security solutions a close second with a 16.4%, these outages caused significant business disruption.

Understanding The Root Causes

As is often the case with critical outages, there was not one single cause, but instead a cascading effect of a combination of factors, including a software update error that propagated across CrowdStrike’s global infrastructure, compounded by issues with their cloud provider. Endpoint Detection and Response (EDR) platforms like CrowdStrike or Microsoft Defender do present security teams with a dilemma. Starting too late in the Windows boot sequence leaves them susceptible to missing detection of malware running at the lowest level of the Windows operating system, or being disabled by it. But being given boot priority is a privilege and not a right, and developers of Windows kernel drivers are required to uphold extremely high quality-assurance standards (this video from a former Microsoft Windows developer explains it well).

In this instance, the dependency on a single cloud provider which experienced failover protocols magnified the problem. This underscores the importance of both rigorous testing of updates in isolated environments and having diverse, redundant infrastructure to mitigate cloud-based risks. Similar causal issues affected Microsoft’s Azure outage: a misconfigured software update led to network routing issues and widespread unavailability of cloud services to customers. The extent of these networking issues, prevented or delayed the automated failover to redundant data centres, leaving services offline for an extended period.

Business Impacts For Affected Customers

The CrowdStrike outage, affecting only Windows devices, led to numerous challenging situations:

  • Device Outages: Windows devices crashed with Blue Screens of Death (BSOD) and required a manually intensive process to restore to operational usage
  • Disruption to Security Monitoring: Companies were left unable to detect potential threats on their networks in real time. For some, this created a dangerous blind spot, leaving them vulnerable to attacks during the outage period. Security operations centers (SOCs) relying on CrowdStrike tools had to operate without their primary line of defense.
  • Operational Downtime: Beyond the security implications, the outage had an operational impact. Without access to critical cybersecurity infrastructure, some organizations had to suspend or reduce operations, leading to potential financial losses. The dependence on third-party services without adequate contingency measures proved costly.

Companies depending on Azure for cloud computing, storage, and application hosting also faced significant challenges.

  • Interruption of Security Services and Related Tools: Some businesses using Azure for hosting security monitoring tools or third-party cybersecurity services  experienced an operational security gap. The inability to monitor network activity or respond to threats due to cloud downtime posed an additional layer of risk.
  • Disruption to Business-Critical Applications: Many organizations rely on Azure to host critical applications, from enterprise resource planning (ERP) systems to customer relationship management (CRM) platforms. The outage caused widespread disruption, with companies unable to access or run key business operations
  • Data Access and Storage Issues: Azure’s storage services, such as Azure Blob Storage, were also impacted. For organizations storing large volumes of data in the cloud, the inability to access or update this data during the outage caused operational delays and concerns over data integrity. In some cases, businesses were unable to retrieve time-sensitive information, disrupting decision-making and service delivery.

Lessons For Business Leaders

  • Build Redundancy into Critical Systems: Organizations should ensure that their key services have backup systems in place—whether by using multiple vendors, redundant cloud platforms, or hybrid cloud environments.
  • Develop (and test!) Strong Incident Response Plans: Businesses need a plan for when their critical cybersecurity tools go down. This includes backup solutions, alternative threat detection methods, and robust communication protocols to ensure that the security team can respond effectively even when primary systems are offline.
  • Vendor Accountability and Transparency: While businesses rely on vendors like CrowdStrike and Microsoft for critical functions, it’s important to demand transparency in service level agreements (SLAs) and contingency plans.
  • Multi-Cloud and Hybrid Cloud Strategies: One of the biggest lessons from the Azure outage is the need for organizations to diversify their cloud infrastructure. Relying solely on one provider can lead to significant downtime when outages occur. Adopting a multi-cloud or hybrid cloud approach—where critical workloads are distributed across multiple cloud providers or a mix of cloud and on-premise environments—can mitigate the impact of a single provider’s outage.
  • Prepare for Worst-Case Scenarios: Outages like the CrowdStrike and Azure incidents highlight the importance of contingency planning. Businesses should conduct regular risk assessments of their cloud dependencies, implement offline backups for critical data, and ensure that their internal teams are trained to handle extended cloud outages. This preparation can limit operational downtime and keep security and business operations running during disruptions.

No business is immune to these disruptions: in late August Cyclone (the company where I work) experienced a complete outage of internet connectivity in our Christchurch office after a misconfigured routing update between our ISP and fibre provider, causing a 12hr outage. Critical services that were hosted on-premise were failed over to Azure cloud instances as part of our redundancy and business continuity plan, ensuring staff around New Zealand could continue to work and support our customers. Whilst time intensive and costly to perform, having confidence in redundancy systems to ensure business continuity is critical in today’s technology reliant world.

Categories
Apple Security

WWDC24 – Reflections From Apple’s Event

Introduction

Apple have concluded their annual WWDC event and there was, as always, a lot to take in. For those short of time, the video above summarising 18 things is worth a watch and I’m going to attempt to unpack a few of the other features in more detail below in terms of their relevance for education or commercial customers. I’ll have separate sections for Apple’s take on Artificial Intelligence (they’re labelling it Apple Intelligence) as well as a section on Privacy and Security (given Apple’s historically strong focus in these areas) but first a few hyperlinks into the post below for quicker navigation:

With that done, I want to share a few key take away thoughts that have stuck out to me.

Firstly, it’s evident to me that Apple are looking to move their Vision Pro headset beyond a consumer product and into something targeted at Enterprise and Education customers as it will now have enrolment and MDM management features on par with other Apple devices. This is a logical extension for me given we have seen Microsoft attempt to do this with HoloLens 2 and Meta with the Oculus/Quest AR headsets as well. Whilst these devices remain expensive, the developer community will no doubt welcome the opportunity to build industry specific applications for the Vision Pro, and IT managers will feel more comfortable onboarding these onto their networks if they can be managed and updated centrally from their MDM of choice. I would not be surprised at all to see a world class educational app debut for the Vision Pro in the coming months, showcasing the best of the hardware and software that Apple have created.

Secondly, it’s evident Apple is continuing their long support of education with some additional features coming to SchoolWork and Assessment Mode. SchoolWork looks like it will benefit from the AI enhancements (see below for more) that are landing across many EduTech offerings now, allowing teachers to quickly see trends in student homework, set personalised practice sets and even auto-grade assessments more quickly. Assessment Mode has been extended and developers will now be able to leverage “multi app” functionality which will mean use of approved secondary apps to students during assessment e.g. calculator support, whilst the rest of the device is locked down for the test:

Whilst a native calculator app on the iPad has been a long time coming, this new one (AI powered) can be controlled via your MDM of choice during assessment mode. This means that ahead of high stakes assessment the more powerful features such as scientific mode and the newly announced “Math Notes” can be disabled if the teacher or school wishes.

Lastly, it appears that Apple are transitioning away from the terminology of “Apple ID” and moving to “Apple Accounts” – although the documentation does not appear to have caught up yet (Managed Apple IDs for Apple devices – Apple Support (AU)). There was a renewed push for Managed Apple Accounts at WWDC24 (What’s new in device management – WWDC24 – Videos – Apple Developer) and some announcements on how to migrate personal Apple ID/Accounts into a managed environment (more on this below).

I expect the ability to easily migrate personal Apple ID/Accounts that use an education/work email address into a managed Apple ID/Account will be a big deal for IT Admins who wish to control those more effectively.

As other commentators have pointed out, Apple waited a while to announce their take on AI and, when they did, used the phrase Apple Intelligence instead of Artificial Intelligence, so I’ll drop a few thoughts below.

Apple Intelligence (AI)

The Writing Tools (Rewrite / Proofreading) will be welcomed by teachers and students who struggle with formal writing and this highlights the speed with which Generative AI is being added into more products to accelerate content creation and improve readability (see here on other thoughts I’ve shared). There are, of course, some cautions that come with this: how do educators know how much of what a student writes is their own content vs AI generated? Are students grasping key concepts of punctuation or are they totally reliant on a tool to check / correct for them?

This touches on the larger question of the extent to which technology reduces the need for individuals to ‘know’ things (are times tables critical to memorise if you have access to a calculator all the time?) but also highlights the need for schools and organisations to have their own AI Policy of when and how to use AI tools (our engagements with customers show that over 75% of users are already leveraging AI in day to day work, even though less than 40% had an AI policy they were aware of).

Create a company / school AI policy is critical before large scale adoption of these tools.

Jamf have provided some good questions for educators to prompt critical thinking ahead of wide scale deployment and use of these tools:

  • How do tools like Math Notes and the handwriting enhancements impact on the purpose behind the deployment to have that broad impact on learning and teaching?
  • How do these enhancements, specifically Apple intelligence, lend themselves to a more personalized approach to learning for students?
  • How might the new AI features be supported where they can have a positive impact or be switched off if they provide too much assistance when the focus should be on the student’s own ability?
Education Takeaways from WWDC 2024 (jamf.com)

Beyond the Rewrite and Proofreading, I think it was the Math Notes that captured the most attention in the area of Apple Intelligence:

Again, the ability to see this as a gamechanger built into the device for a personalised tutor to help solve complex math equations may be something schools, students and parents wish to embrace. Certainly, other platforms have had similar functionality for a while (Math Assistant in OneNote) but the difference here is this is being made available in a native app on all Apple devices meaning there is no further action required for a student access it.

In the end, whilst adding a native calculator to iPad was long overdue, I’m pleased to see that Apple added considerably more functionality to it when they did eventually launch it and the Math Note is an excellent AI powered extension. Building on this, it’s great to see Apple’s “Smart Script” feature use AI to improve the legibility of handwriting, they describe it as:

With the power of Apple Pencil, Smart Script makes handwritten notes fluid, flexible, and easier to read, all while maintaining the look and feel of a user’s personal handwriting. Smart Script allows users to write quickly without sacrificing legibility by smoothing and straightening handwritten text in real time.

iPadOS 18 introduces powerful intelligence features and apps for Apple Pencil – Apple (NZ)

My handwriting is not amazing, and my son has dysgraphia meaning his handwriting is often slow, messy and at times difficult for others to read easily. Leveraging Smart Script with an Apple Pencil means notes written with Apple Markup (digital ink) can be automatically enhanced for legibility, spacing and even converted into typed text if required. From an accessibility perspective, this is something many students and educators will be keen to experience so that the best ideas of students are not ‘lost’ behind illegible handwriting.

Lastly, one of the other cool features announced at WWDC24 that will likely resonate with educators and students is some of the custom image generation functionality that is going to be built right into the device – Apple call this “Image Playground”. In a recent AI workshop I ran, I created a bunch of images generated by AI using a third party tool to add some pop and sizzle to my presentation and tweak the images specifically for the themes I was wanting to convey. Now, students and teachers will be able to do this directly from their Apple device which will:

  • Allow them to use hardware/software they’re already familiar with / own so it will be a quicker task to generate the images
  • Reduce the need for additional usernames/passwords on third party tools, thereby reducing complexity but also removing risk of student information being compromised if the third party had a security breach

With AI generated images I can see creative writing tasks flourishing as students are prompted and inspired with very bespoke images created for that specific writing task. It will also allow students to illustrate their writing with custom images that will not have any copyright concerns on them.

There were a lot of additional announcements of features in the Apple Intelligence section of WWDC24 which I won’t cover here, however I would make one final caution in this space. It’s evident that all vendors are going to be scouring the cloud and on-device content for ‘context’ to make their AI offerings very smart and useful – this is called ‘grounding’ in an AI context. In many cases this is very helpful and welcomed by the end user. However, It is worth considering when this could go wrong e.g. a teacher using their work iPad for personal usage as well, a student on a shared iPad getting contextual AI info based on the work of another student who used that iPad etc.

This is the world we will all need to navigate as to be effective, AI will need to “know” as much as possible about individuals to deliver the most value.

This seems like a good time to move to Security and Privacy Considerations.

Security & Privacy Considerations

One of the biggest announcements in my mind was the partnership between OpenAI and Apple. For those unaware, OpenAI is the company behind ChatGPT and also the underlying Large Language Models (LLM) that Microsoft rely on with their Copilot AI products. It is the ChatGPT functionality that powers both the Writing Tools and Image Playgrounds mentioned above and both OpenAI and Apple have been quick to talk up the privacy considerations here:

Privacy protections are built in when accessing ChatGPT within Siri and Writing Tools—requests are not stored by OpenAI, and users’ IP addresses are obscured. Users can also choose to connect their ChatGPT account, which means their data preferences will apply under ChatGPT’s policies.

OpenAI and Apple announce partnership | OpenAI

I’ve spoken with many businesses, schools and universities about the privacy features (or not) of various AI products and so it is good to see that Apple have proactively addressed this, stating that user requests will not be stored by OpenAI (and thus used to train the underlying LLM) and a further step being taken to obscure a user’s IP address making it harder (or perhaps impossible) for OpenAI to correlate queries for the same user.

These types of privacy considerations will be increasingly a ‘default consideration’ in education contexts I believe, as well as in other highly regulated industries. Again, a company / organization wide AI policy is critical here to guide users on when and how they can use AI in their work or studies. There has been some high profile criticism of this partnership, notably from Elon Musk (who may have some bias here given his own development of Grok AI on the Twitter/X platform):

For now, I think it would be prudent for education institutes and businesses to be keeping a close eye on developments in this space.

For me, the fact that Apple devices will prompt the user every time it will go to OpenAI/ChatGPT for help with a user query is a good level of transparency. It indicates to the user that Apple’s own onboard AI requires assistance or additional information to provide a good answer to the user and, at that point, the user can decide if they want their query to go to the internet.

Sam McNeill, Cyclone Technology Strategist and Apple Business Lead

Another important announcement from Apple was the enhanced and dedicated Passwords app with syncing across all devices. New Zealand’s CERT NZ highly recommend the use of Password Managers as part of their “Top 10 Critical Controls”

Even with multi-factor in place, a strong unique password is still important. Giving your people the tools to make this easy increases the likelihood of them using strong passwords that are different for each system. It also makes it easier to manage shared passwords such as your business’ social media accounts.

The important point of this control is that your organisation should be providing your staff with a password manager tool that works for them. Without the right tools, your staff won’t be able to make strong passwords.

CERT NZ’s Critical Controls | CERT NZ

For organisations prioritising security, this will be a welcome addition and for users with access to an iPhone, iPad or Mac device this will allow them stronger unique passwords for the various apps and services they use. Given Apple’s focus and investment in this area, as the The Verge has pointed out, users may have a higher degree of confidence in using this:

With the backing of Apple, it may seem like a safer option for people spooked by security breaches suffered by others like LastPass.

Apple’s standalone Passwords app syncs across iOS, iPad, Mac, and Windows – The Verge

I have been using DropBox.com’s Password Manager which is excellent and integrates nicely across my Apple devices and Edge browser extension, but will now seriously look at Apple’s Passwords app and see how it compares.

Another announcement from WWDC24 that enhances the privacy and security inside the Apple ecosystem is improvements to Platform SSO on macOS with announcements of IdP integration with FileVault unlock, and stronger security options where developers can sync more services back to the password managed by the Identity Provider. Here’s one example provided:

In this example, the policy states an attempt should be made to authenticate against an IdP before unlocking FileVault. However, a more restrictive policy is applied against the Screensaver unlock where an authentication is required and not just attempted.

Reducing the need for continuous entry of passwords to different platforms is important and more educational and commercial organisations will be looking to embrace Platform SSO as part of their Zero Trust approach (more on this here) – I’m personally really happy to see Apple’s increasing focus on this level of enterprise integration as it will help mainstream the adoption of macOS alongside Windows 11. Further evidence of embracing enterprise device management requirements and support for heavily regulated industries was Apple’s callout for the new external Disk Management Configuration policy, which will now allow configurability of mount policy to be defined as:

  • Allowed
  • Disallowed
  • Read Only

Finally, a comment on the updates to Apple Activation Lock – if you’re unfamiliar a device can be placed into Activation Lock to prevent an unauthorised user from accessing it (usually this is done when a device is lost or stolen). At WWDC24 Apple announced that organisation owned devices in Apple Business Manager or Apple School Manager can now turn off Activation Lock for these org-owned devices. I’d imagine this is a huge relief for schools where a teacher or student has placed a school owned device into Activation Lock based on their personal Apple ID/Account.

I have heard horror stories of schools trying to unlock a device they own when a teacher has left the employment of the school but have locked the device using their personal Apple ID/Account. Thankfully, with this update to ABM/ASM this will be a problem no longer.

Closing Thoughts

There is a lot to process here from WWDC24 and I am sure that over the coming weeks and months more insight and information will be released from Apple themselves and also from the developer community as they start to get hands on with these new features announced from Apple.

As always, education is a large winner here given they get access to industry leading technologies often at a fraction of the price of commercial orgs. However, if you work in a highly regulated industry you will no doubt welcome the continued focus on security and privacy alongside ever-expanding enterprise integration capabilities that Apple have announced at WWDC24.

Many people remain highly excited about the capabilities of Generative AI and Apple’s announcement of their take on GAI, named Apple Intelligence and powered (in part) by a new partnership with OpenAI’s ChatGPT means they are keeping abreast of their competitors in this space and like Microsoft have done with Copilot on Windows 11, it appears that Apple are keen to deeply integrate this into the hardware/OS experience for Apple users.

Categories
General Microsoft365

Goodbye 2023 & Top 5 Posts Of The Year

2023 is nearly done and it has been quite the year for me!

I started the year with my longest ever bikepacking trip (at the time) and longest single day on a bike (192km), before returning to work at Microsoft and being made redundant in March – a first time experience for me. The silver lining was a chance to have a break from work for a couple of months, a 10 day bikepacking “redundancy ride” and then quickly into a new job. This afternoon I’m hopping on a flight to Glasgow, Scotland to spend three weeks in Europe with my daughter who has been studying there for the last four months.

I’ll share the Top 5 Blogs of 2023 below, but first a slightly more detailed recap of the year.

New Experiences – Bikepacking Far From Home

On Siberia Bridge, suspended high above a gorge north of Wellington

I started 2023 as I finished out 2022 – riding my bike ~100km/day and pitching my tent where I ended up. I’d had a custom bikepacking bike built in October and had tested it out before Christmas over 6 days of riding and camping. I resumed this in early January at the top of the South Island where I completed my longest ever day on a bike – 192km. I was really proud of this achievement and the whole ride is documented here:

Tour Aotearoa: 6 Days 5 Nights In Lower North Island – December 2022 (+ bonus 2 days in South Island!) – SamuelMcNeill.com

Having loved this so much, I followed it up with a weekend ride in early February:

West Coast Wilderness Trail – Bikepacking Adventure – February 2023 – SamuelMcNeill.com

Back To Work …. Then A Redundancy

Energised from an incredible break, I hit the ground running, only to learn in late February my role was being dis-established. It took about a month to play out, but I posted a reflection about the initial experience and feelings here:

Therefore, Send Not To Know For Whom The Bell Tolls, It Tolls For Thee – SamuelMcNeill.com

It was an unusual experience and one that I could not say I enjoyed, although I learnt a lot about myself and also my friends. A lot of men in particular went out of their way to connect with me, check in and make sure I was doing alright. Many shared their own redundancy experiences. It was humbling to see the care and willingness to support me from others who had insight into my experience.

I was very fortunate to receive a generous redundancy package from Microsoft and also receive a number of job offers, before accepting a role to join Cyclone as their Technology Strategist.

Silver Linings

Parking up at Lake Tekapo after a long bike from Geraldine

With some time on my hands and the seasons changing into deep Autumn (my favourite) we had a family holiday in the North Island before I embarked on my #RedundancyRide:

Redundancy Ride + Alps 2 Ocean – May 2023 – SamuelMcNeill.com

This was a time of pure joy, cathartic and healing after losing my job and a chance to reflect, process, unwind and reset. I met some interesting characters across ten days of cycling and camping and when I reached the end I desperately wished I could just keep going. I had agreed to a delayed start date with Cyclone but that was fast approaching and I could not put it off.

This was a special time in my life and I’m deeply grateful to my wife who encouraged me to get out and do this.

Back Working

I was straight into it at Cyclone and was loving visiting customers in person for a change after most of my work had been remote due to COVID19. I was fortunate to be able to head over to Melbourne to attend EduTech 2023, the largest EduTech conference in the southern hemisphere. I wrote up my reflections here:

Reflections on EduTechAU 2023 Day 1 – SamuelMcNeill.com

Over the first six months of my time at Cyclone I’ve continued to engage with Microsoft, this time as a partner, worked more closely than ever before with Apple which has been both fun and interesting to learn how they operate, and also partnered with key customers like the Ministry of Education. I’ve delivered webinars on modern management of devices, experimented with Virtual Labs in the Azure cloud as well as running my own Win11 CloudPC in a browser on my Mac, shared tips on securing cloud identities, securing your digital data estate, and some thoughts on digital citizenship and promoting best practice in IT teams.

Of course, with the emergence of generative AI this had to get a discussion as well, and I shared some best practice tips and considerations in relation to Microsoft Copilot in an Education context.

Suffice to say, I’m looking forward to getting to the airport, putting my feet up and winging my way to Europe to see my daughter. It’s been a crazy old year.

So with that, here are the top 5 most popular blog posts I wrote this year:

#1 Microsoft Copilot Considerations in Education

Microsoft Copilot Considerations In Education – SamuelMcNeill.com

This was only written in October 2023 but clearly tapped into the zeitgeist, garnering the top number of views for a blog post I wrote this year. I attempted to provide a quick overview of some of the considerations education customers would need to make before going ‘all in’ on Copilot, as well as explaining the various versions of Copilot.

UPDATE 15/12/23: Microsoft has announced this morning that Copilot for M365 will be available to education customers as of 1/1/24 – the same baseline requirements apply as Enterprise: minimum 300 seat count and $30/u/m pricing.

#2 Therefore, Send Not to Know For Whom The Bell Tolls, It Tolls For Thee

Therefore, Send Not To Know For Whom The Bell Tolls, It Tolls For Thee – SamuelMcNeill.com

Tapping into my love of literature, this quote from the famous John Donne poem was a reflection on my redundancy from Microsoft. I was humbled by the outpouring of support and job offers I received after finding myself unemployed.

#3 Extending Shared PC Mode with OneDrive Sync

Extending Shared PC Mode With OneDrive Sync – SamuelMcNeill.com

This was actually the first blog post I wrote in January 2023, not knowing I would be let go by Microsoft a couple of months later. Like many of my blogs, it was more technical in nature and designed to help busy IT administrators learn how to add value to student lab computers or other shared devices.

#4 Reflections on EduTechAU 2023 Day 1

Reflections on EduTechAU 2023 Day 1 – SamuelMcNeill.com

This was a reflection during my first overseas trip/conference since joining my new company, Cyclone. It was also the first major education conference I’d attended in over six years where I was merely a delegate, free to take in the sessions and not work a booth or be presenting myself. Unsurprisingly, it was AI heavy in themes and this post was a good recap of the first day.

#5 How To: Creating Local Users on Windows 11 Home and Windows 11 Pro During OOBE Startup

How To: Creating Local Users on Windows 11 Home & Windows 11 Pro During OOBE Startup – SamuelMcNeill.com

Another technical post, I wrote this one after working with the Ministry of Education to solve some issues around their Windows devices for Teacher Laptops. It was a bit topsy turvy re-engaging with the MoE who had been my customer for the first 3-4years of my time at Microsoft, and now I was supporting them again but for a different company. There are some really good tips in this one.

Bonus Post: Redundancy Ride + Alps 2 Ocean – May 2023

Redundancy Ride + Alps 2 Ocean – May 2023 – SamuelMcNeill.com

This actually came in as the 6th most viewed blog post of the year and was a visual and written record of my bike trip that I referred to as my #RedundancyRide at the time. Some cool photos and videos of the beautiful South Island of New Zealand.

That’s A Wrap

Closing out another year of life, work and blogging. Thanks for your support, the reading of the blog, the comments, the Tweets (or should that be “posts” on X now!).

I wish you and your family and friends a restful festive season ahead.

Categories
Windows 11

Experimenting With Azure Virtual Machines Part 2 – Windows 365

Back in June I wrote about experimenting with Azure Virtual Labs service as part of a multi blog series on virtual machines hosted in Azure.

In this multi-part blog series, I’m going to explore different flavours of Azure Virtual Machines, so buckle up and enjoy:

Hybrid Working & The Role Of CloudPC

This morning I’m writing this blog as I work from home on my MacBook Pro as I need to take my son to a doctors appointment over lunch. It’s this sort of hybrid/flexible working situation that has become increasingly common over the last few years and I’m fortunate that I have both a supportive employer that allows this, as well as technology that makes it possible for me to work seamlessly from my home.

My MacBook Pro is managed by Intune, my default browser is Microsoft Edge with an Entra ID (formerly AzureAD) work profile on it securing access to work resources in M365 and most importantly for this blog post, I also have a Windows 365 CloudPC accessible through my work browser on my Mac:

A screenshot of my MacBook showing my Windows 365 CloudPC running in a tab of Microsoft Edge giving me a full, native Windows 11 experience when I need it.

Most recently, I’ve been using Hyper-V virtual machines hosted on my Windows 365 CloudPC for customer testing:

I’ve blogged previously about my Hyper-V set up, and it was easier for me to continue that on a Windows 11 device than replicating it locally on my MacBook. When working with customers more familiar with a Windows 11 environment, having immediate access to the same OS on my primary machine is incredibly helpful and also means I can run Windows only applications when required securely on my CloudPC. The specs for this CloudPC are:

Just as my MacBook is, this Windows 365 CloudPC is configured and managed by Intune meaning the same corporate baselines are applied protecting both the OS and the content stored on it. I’m heading to Europe at the end of the year for a holiday and whilst I don’t intend to do any work (and won’t be taking my work MacBook with me) if something critical happened and I needed access to work resources I know I could access this Windows 365 CloudPC from a device and have a secured experience to complete any work necessary and my employer could have confidence I was not using a local device from a friend or internet cafe with possible data leaks or compromise risks.

The Windows 365 eBook

This morning I received a copy of the Windows 365 eBook from Microsoft that reminded me of this series of Azure virtual desktop blogs I’m writing and prompted this blog post. You can read a copy of it below in full. I thought I’d share a few take away thoughts from this short document (it’s a 6 minute read).

The Changing Landscape of Work

Microsoft’s messaging to IT Decision Makers (ITDM) is that in a world of increased uncertainty and change, you need to have technology that can support remote/hybrid working effectively in any location and on any device. They share some research data that over half of fully remote employees are considering a shift to a more hybrid work setup and that similarly over half of hybrid employees are considering going fully remote:

In my view this is not going to work for every industry, but certainly many information workers are able to work effectively from various locations and it becomes an increasing consideration for employers how they can deliver that flexibility whilst still meeting their security and compliance requirements around access to sensitive corporate data (see this blog post for more thoughts). I lived through the devastating Christchurch earthquakes of of 2010-11 when much of the central city was laid waste and know first hand how disruptive it was for many businesses, including schools and universities, that could not get physical access to their work locations.

A photo showing the dust rising over Christchurch immediately after the February 22nd 2011 earthquake – Image Credit.

Things had clearly moved forward significantly in the following decade as workplaces shut down again with the global Covid19 pandemic but I still know of large businesses and Government departments that had not fully implemented an effective remote workplace strategy or lacked sufficient numbers of laptops to give to staff who primarily used desktops in their workplace to complete their work. It’s in these scenarios that a secure CloudPC would shine. While I referenced information workers above, Microsoft has a grander vision of where the Windows 365 CloudPC can support a spectrum of roles:

The Only Constant Is Change

Windows 365 helps organisations provision secure Cloud PCs for a variety of job types – including full-time employees, consultants, temporary workers (like product-testers and interns) and mobile teams – no matter if they’re remote or in-person. Windows 365 can be effectively deployed to information workers just as easily as it is to frontline service workers and shift workers.

Security Will Be A Key Determining Factor For ITDM Whether To Embrace CloudPC

I recognised the convenience of having a virtual CloudPC on Windows 365 earlier in my blog post in terms of working from home, running Hyper-V or using Windows-only applications, but I believe one of the key considerations ITDM will have in mind with this type of solution is security, something outlined in the eBook as follows:

Saving Time & Gaining Efficiencies Through CloudPC Deployments

The other core benefit I see here is the ease and efficiency of deploying larger volumes of devices – using Microsoft Intune to configure the specs and settings of Windows 365, an IT Administrator can use the tools they already know for managing their existing physical devices to easily deploy Windows 365 devices, be it a single device for a temporary contractor, or hundreds of CloudPC for every staff member in an organisation if an emergency necessitated working from home on their personal PC or tablet. I acknowledge the eBook is Microsoft marketing material so take the following numbers as you will, but they suggest efficiencies gained are:

  • 40% cost savings when using Windows 365 compared to on-premise VDI or Desktop as a Service (DaaS) offerings
  • 75% reduction in endpoint configuration times
  • 25% reduction in new software deployment times

The Differences Between Windows 365 & Azure Virtual Desktop

A number of customers have asked me about the difference between Windows 365 (W365) and Azure Virtual Desktop (AVD) and at the most simplistic level, it’s helpful to understand that W365 is a subscription based license with fixed monthly costs, no matter how much you use it but with correspondingly less configuration options over the virtual device. On the other hand, AVD is a consumption based model with almost endless configuration options and you pay for what you consume.

Beyond that simple difference, the eBook does provide a helpful comparison chart which was one of the more useful things in the eBook:

Closing Thoughts

After nearly seven years running Windows 10 and Windows 11 devices as my primary working machine, I’m enjoying being back on macOS with my MacBook Pro and experiencing the changes that have happened to the OS since I last used it regularly. However, I use my Windows 365 CloudPC almost every other day for various tasks related to my work and having the flexibility to work across OS is very empowering.

I have talked with a number of CIO in organisations who are actively evaluating the role of CloudPC in their device fleet strategy, with some running pilots with identified users already. I don’t see this trend changing as long as there are requirements for mobile, hybrid and remote working scenarios for employees.

Drop me a line if you’d like to talk more about this or check out https://www.windows365.com to see Microsoft’s information on CloudPC.

Read The Entire Windows 365 eBook – Embedded

Categories
Microsoft365

Microsoft Copilot Considerations In Education

Image Credit

UPDATE 17th October: I’ve learnt that Bing Chat Enterprise (BCE) is going to be included for faculty who have M365 A3 or A5 licenses (h/t Amit Pawar, as per this link: Bing Chat Enterprise is in preview for Microsoft 365 A3 and A5 licenses for faculty users – Microsoft Edge Blog (windows.com). There are some caveats around this currently whilst in preview:

For users with Microsoft 365 A3 and A5 licenses for faculty, the Bing Chat Enterprise service plan isn’t yet available. See the following sections for specific instructions related to these licenses

Manage Bing Chat Enterprise | Microsoft Learn

Interestingly, this is going to be turned ON by default for tenants and you can turn it off by going to https://www.aka.ms/TurnOffBCE. If you’ve already turned it off and wish to turn it back on, then you can do so at https://aka.ms/TurnOnBCE – this change may take up to 48hrs to take effect. Given the enhanced benefits of using Bing Chat Enterprise, you may wish to turn off access to the consumer Bing Chat, with instructions on how to do that listed here. Microsoft shares a few ideas on what employees may wish to do with Bing Chat Enterprise such as:

Image Credit

If you would like to guide your teachers through some training on using Bing Chat Enterprise, there is a course on Microsoft Learn you can access here: Enhance teaching and learning with Bing Chat – Training | Microsoft Learn

UPDATE 3rd October: Within a couple of hours of writing this blog post I’ve see Microsoft has released a series of prompts for education audiences to improve their experience interacting with generative AI such as ChatGPT and Bing Chat I’ve added a section below to include this. Click here to skip straight to it.

Like many of the large technology organisations, Microsoft has made numerous recent announcements of AI powered offerings across their popular Windows and Microsoft 365 products. The umbrella product name Microsoft is using for their generative AI solutions is Copilot. This blog has four sections:

Introduction

As of September 2023, there are two primary ways this could be accessed by customers:

  • Windows Copilot: arriving as part of the Windows 11 23H2 update, starting September 26th 2023 via Microsoft’s rolling updates to Windows customers
  • Microsoft 365 Copilot: arriving as a paid SKU on 1st November 2023 that customers would need to purchase and assign to designated users.

Given the associated licensing costs for Microsoft 365 Copilot, most education customers are likely to experience the Windows Copilot features first. Outlined in detail in this blog from Microsoft, there are numerous enhancements to familiar applications in Windows that will be AI-powered. Before sharing some more details on this below, it is important for educational institutions to understand that they can delay/block these features if they wish for devices in their organisation if they are managed by Intune or other means that can deploy policy updates to Windows devices.

The Windows CSP for turning off access to Copilot is hereif this is not utilised then devices will receive the Copilot functionality automatically when they update to Windows 11 23H2. If you wish to pause/delay devices updating to Windows 11 23H2 altogether, the Windows CSP for controling feature updates is here.

What will Windows Copilot bring?

The Windows 11 23H2 feature update will bring over 150 updates to the OS, many of which will support Copilot and generative AI. There will be a Copilot icon on the taskbar by default, and it can be automatically activated by the pressing Win+C keyboard shortcut. Three of the feature applications that will integrate Copilot are in the area of creativity (example video here):

  • Paint: clever new functionality will allow for AI drawing and digital creation, along with intelligent removal of backgrounds and adding layers (something typically found in more advanced image editing applications)
  • Photos: enhanced image editing and powerful new searches if you’re using OneDrive Personal, where you can search for photos with natural language queries based on content inside them (e.g. ‘find photos with bikes in them’)
    • It’s worth understanding that for this to happen OneDrive images will be searched and indexed automatically.
  • Snipping Tool: Copilot will add the ability to extract text visible in images, as well as redact sensitive information such as names or email addresses. Users will also be able to add audio to images/videos created using the Snipping Tool
    • While undeniably convenient, keep in mind this ability is likely based on Optical Character Recognition (OCR) functionality scanning and processing images and extracting text from them automatically (something many smartphones are doing already with photos taken). Take some time to understand any potential privacy concerns this functionality may create.

Windows Copilot will also bring enhancements to Outlook for Windows with support to write emails along with intelligently attaching documents from OneDrive. As part of Microsoft’s continuing commitment to accessibility, Copilot will add further enhancements to voice commands for controlling your PC.

The Windows 11 23H2 feature update will also bring enhancements to the Bing Copilot functionality. An example provided by Microsoft to showcase how this might work included if you’ve been following the progress of a soccer team through Bing and you then plan a trip to a city it will automatically check if that team is playing in the city during the time of your visit. Users can optionally turn off the ability for Bing to leverage chat history (this needs to be done per user, per device – there does not appear to be an organisational configuration for this at this time).

Another creative feature that will be unlocked is the Bing Image Creator, leveraging the OpenAI DALLE 3 generative AI functionality for original image creation. Interestingly, Microsoft is introducing Content Credentials, an invisible watermark showing when the image was first created (example video here).

A final note on security – this feature update will introduce the ability to use Passkeys for Windows users, a more secure and arguably faster way to log into websites and apps that support these. With passkeys, a user can use Windows Hello to sign in with a PIN, facial recognition, or fingerprint instead of entering a username and password each time.

Microsoft 365 Copilot

As mentioned earlier, this will be a paid SKU and launching on November 1st 2023 and before rushing out to purchase a few licenses for earlier adopters.

It’s worth noting that Microsoft 365 Chat combs across your entire universe of data at work, including emails, meetings, chats, documents and more, plus the web. Therefore, it’s worth considering how prepared your organisation is from a data sharing and restriction perspective before simply turning this on and giving it a try.

With Copilot, Microsoft is also introducing new capabilities in Outlook, Word, Excel, Loop, OneNote, OneDrive and Bing Chat Enterprise (example video here).

The requirements for accessing this new functionality include:

  • Microsoft 365 E3/E5 licenses
  • AzureAD accounts for users
  • M365 Apps set to ‘Current Channel’ if users want to experience Copilot in the desktop apps (instead of just the Office Online apps)
  • To leverage cross-app intelligence experiences in Teams, you’ll need to enable plugins using the Teams admin center.

A critical consideration for organisations is the current state of their M365 tenant sharing and permissions. If these are too lenient, Copilot will trawl and index content that will be surfaced up to users in ways the institution may not want creating challenges around oversharing and data governance. Therefore, I suggest you watch this video, and read this article to get details on how to adopt content management best practices as the full breadth of data sources Copilot will draw include the organizational content in your Microsoft 365 tenant, including users’ calendars, emails, chats, documents, meetings, contacts, and more.

Ultimately, the richness of the Microsoft 365 Copilot experience depends on the volume of data that is accessible in the tenant, so there is a balancing act between restricting access to content through appropriate sharing permissions and opening up contact to Copilot to add value and save time.

A couple of points of clarification: Copilot does not use the organisational data or user prompts to train the foundational AI model and nor does it use the public OpenAI services that power the free functionality found in Bing Chat. Instead, all processing is achieved using Azure OpenAI services.

Prompts for Education: Enhancing Productivity & Learning

I see that the Microsoft Education team have released as series of prompts to help the education community engage more effectively with generative AI such as ChatGPT and Bing Chat – you can find the link to the prompts here. If you’re wondering what these are, the GitHub repository describes them as follows:

Welcome to the Prompts for Education repository! Our mission is to transform the way students, educators, and staff in K-12 and higher education institutions interact with generative AI technology like ChatGPT and Bing Chat. By using these prompts, staff can save time and work more efficiently, and students can explore new and exciting learning opportunities.

Whether you’re a student, a third-grade teacher, a college professor, or a school administrator, this collection is designed with you in mind. No technical expertise required!

GitHub – microsoft/prompts-for-edu

If you’re still wondering precisely what a prompt is, then here’s the definition:

Think of a prompt as a special question or statement that you can give to an artificial intelligence model like GPT. It’s designed to provide you with information, insights, or even creative ideas tailored to your needs. It’s like having a knowledgeable assistant at your fingertips!

GitHub – microsoft/prompts-for-edu

These prompts have been refined by role in the school:

From what I see and read, the key to using generative AI effectively is to use intelligent prompts to get the most useful answers back (the old adage of ‘garbage in, garbage out’ still applies!).

Conclusion

In conclusion, Microsoft Copilot appears to replace much of the functionality previously offered by Cortana (a service that is now discontinued) but do it in a more intelligent way by accessing an organisation’s content in the paid Microsoft 365 Copilot, and user input and OpenAI models in the free Windows Copilot version coming in the Windows 11 23H2 feature update. Educational institutes should be actively considering how this technology may impact users and take necessary steps to provide guidance if allowing these features to roll out to users, or consider pausing them until the impact is more fully evaluated.

Furthermore, seeing Microsoft release prompts to help educators and students engage more effectively with generative AI is a helpful thing and I can imagine educators will leap on this and help refine these further and share with the broader education community.