Planning for new capabilities in Windows 10

by Scott Muniz | Sep 17, 2020 | Uncategorized

This article is contributed. See the original author and article here.

If you’re looking or guidance on how to plan for new capabilities in Windows—and tie the benefits of staying up to date to real value for your end users and your business—this is the post for you.

Today I’m going to walk you through existing resources available from Microsoft to help you plan for new and improved capabilities in the Windows operating system. I’ll discuss best practices around notifying users, support teams, and business leaders depending on your deployment scenario—and offer tips on how to take advantage of the newest innovations.

As part of the Windows 10 update process, IT pros focus their planning and preparation efforts towards validating critical line-of-business (LoB) applications, updating supporting infrastructure, and, in some instances, updating deployment tools and third-party endpoint solutions. Focusing on these critical tasks can make it challenging to keep track of new capabilities or features in the OS.

Our vision for Windows as a service is to support IT pros to be more efficient with their approach to updates and enhance their end user’s experience. By staying current, customers can benefit from an agile deployment process, which allows IT pros to understand product improvements in each release more quickly and thoroughly. By adapting to the quicker cadence, IT pros can be more involved in the feature development process as they get access and testing capabilities of new features as soon as they are released. The impact on the end user’s experience becomes incremental, reducing the need for extensive employee retraining or IT resource effort.

For upcoming Windows 10 feature updates, our recommended process for identifying, validating, and amplifying new capabilities includes the following tasks:

1. Review what’s new in the most recent Windows 10 feature update by reading articles inside Windows 10 blogs (listed below) to identify the new capabilities or features applicable to your organization.
2. Categorize new features and capabilities across productivity, accessibility, and security to determine who benefits from the new features.
3. Validate new features and capabilities through a pilot deployment group.
4. Amplify the most relevant features and capabilities coming to Windows 10 by creating targeted or broad communications.
5. Use the Windows Insider for Business program to get an early look at what is coming in feature updates with Windows to assist with planning efforts for the next release.

Review what’s new in Windows 10

When a Windows 10 feature update is made available, several blogs and articles are released the same day to showcase new features and capabilities.

We suggest reviewing each of these articles to see what capabilities can be applied within your organization:

• What’s new in Windows 10
• Windows 10 Blogs in Windows 10
• Windows IT Pro Blog
• Windows 10 Accessibility Features
• Windows 10 Security Features

You should also examine the features and functionality that Microsoft removed in Windows 10, as well as the features that are no longer being developed to determine if there is any immediate or future impact on endpoints.

Categorize new features and capabilities

Once new capabilities are understood, the next step is to categorize these features across productivity, accessibility, and security, and separate them into two areas – the benefit to end users and the benefit to the enterprise.

Figure 1. List of highlighted capabilities with Windows updates

New capabilities in Windows 10 feature updates enhance the end user experience by improving performance, using existing device features to provide new or better experiences, providing new OS features, or unlocking new functionality when managed by supporting infrastructures such as Configuration Manager or Microsoft Intune.

Productivity

Platform productivity gains are typically made by leveraging the device’s full capabilities and taking advantage of multitasking improvements. As device hardware is refreshed, new working methods can be discovered through different form factors or input types such as touch or inking. Over the span of Throughout several Windows 10 feature updates, improvements were made in the following areas to support those goals:

• Ensure smooth running on your device with memory improvements – Beginning with the Windows 10 May 2020 Update, we aim to ensure Microsoft Edge on Chromium continues to serve as a trusted browser for compatibility and performance. For users on the Chromium version of Microsoft Edge, we have decreased Microsoft Edge’s memory usage to improve the experience of multi-taskers.
• Use Cortana to save time, in the way that seems most natural to you – Your productivity assistant now has an updated chat-based interface where you can type or speak requests in natural language to save time finding what you need and staying on track. Cortana helps you connect with people, check your schedule, add tasks, set reminders, and more. 
• Bring your smartphone and Windows PC closer together – Beginning with the Windows 10 May 2020 Update, you can now place, receive, or text replies to your incoming phone calls directly on your PC, reducing the need for switching context across multiple devices.

Some existing features that may also be useful to your environment include:

• Easily get back to what you were working on – First introduced in the Windows 10 April 2018 Update, Timeline enhances Task View to show you currently running apps and past activity to quickly help you remember and jump into what you were last doing.
• Record steps to reproduce a problem – Steps Recorder, a feature present in the OS since Windows 7, lets you troubleshoot a problem on your device by recording the exact steps you took when the problem occurred, so you can get help from a support professional and get back to work.

Accessibility

Everyone should be empowered to use their devices to create and consume content and collaborate with their teams. At Microsoft, we are committed to making sure those who can be supported by our accessibility improvements know what exists for them and know what developments are coming next. The release of quality and feature updates helps Microsoft provide improvements in accessibility to end users. Here are examples of what is included in the Windows 10 May 2020 Update:

• Make Windows easier to see – Resize icons, adjust text size and color, customize the mouse cursor, and more—our display and vision settings make it easy to personalize your viewing experience.
• Make Windows easier to use without sight – Narrator is improved to make reading and browsing in Edge and Outlook much more natural and efficient.
• Type what you want to do – Microsoft Search lets you quickly access commands in Microsoft 365 applications without navigating the command ribbon.

Security

Windows feature updates provide enhanced security and capabilities to simplify administration or reduce administrative effort. When looking at what is new in Windows 10, version 2004, approximately 70% of the improvements provide IT pros with options to use in their environment. Consider looking for capabilities recently unlocked by updates or investments in supporting infrastructure, and improvements that address gaps filled by third-party software to reduce cost or effort. If one or more Windows 10 feature updates have been skipped, review the improvements of those feature updates in addition to the latest feature updates.

The following sections highlight key security features enabled by Windows 10, versions 1809 to 2004 across that are selectively available in Windows 10 Enterprise E3 and in E5 licensing constructs that can provide additional benefit to your organization.

• Prevent, detect, investigate, and respond to advanced threats – Available since the Windows 10 Creators Update, Microsoft Defender Advanced Threat Protection allows you to discover vulnerabilities and misconfigurations in real-time, get expert-level threat monitoring and analysis, quickly move from alert to remediation, and block sophisticated threats and malware. This will be useful with the shift to a secure remote workforce that becomes more cloud capable. This feature requires Windows 10 Enterprise E5 licensing or other alternatives, as listed here.
• Safely run applications in isolation – Available since the April 2019 Update, Windows Sandbox is an isolated, temporary, desktop environment where you can run external software without the fear of the lasting impact on your PC. It ensures your host device remains secure and that everything is discarded once the application is closed. This can be useful during situations such as critical application testing for remote workers, or even everyday use when you are browsing through the web.
• Validate, protect, and maintain the integrity of Windows 10 – First introduced in the October 2018 Update, Secure Launch leverages Dynamic Root of Trust for Measurement to launch the OS into a trusted state. The May 2020 feature update provides increases in checks and measurements to allow you to reach further security hardening and to posture to protect sensitive resources.
• Open files more safely – Application Guard has been available since October 2017 to help protect your device from familiar and emerging threats by using containers to open files from potentially unsafe locations. With the May 2020 Update, Application Guard now provides support for Microsoft Edge on Chromium.

Validate selected features and capabilities

Once features and capabilities have been categorized, they can be presented to users during the Pilot Deployment phase of a feature update deployment. IT pros should include a mix of users who typically test devices and applications, as well as power users who are interested in supporting the new tools or features that will benefit the organization. This group’s feedback will help IT pros validate new features and capabilities and provide feedback on what additional context or ways of working can be included to show value in having the update deployed. This information can be included in broader communications discussed in the section below.

Amplify new features and capabilities

Once capabilities in the platform have been assessed and validated during pilot deployment, attention shifts to how to communicate these changes to users broadly. Factors that influence a company’s communication depend on the feature update deployment strategy and the time it takes to deploy the feature update to all devices. Typically, customers deploy feature updates using one of the following deployment strategies:

• Data-driven deployment (e.g. Desktop Analytics targeting deployment for defined audiences)
• Role-based deployment (e.g. updating devices for Finance teams during their off-peak times)
• Geography-based deployment (e.g. deploy by country or region)
• Company-wide deployment (e.g. if your organization is entirely ready for deployment all at once)

For each deployment strategy, the communication approach can change based on the organizational culture and time taken to deploy the feature update. For example, for customers that deploy feature updates in less than a month to their entire organization, a single communication leveraging collaboration tools such as Teams, Yammer, or email can be the most effective way of informing users. For customers who deploy feature updates over a 6-, 12-, or 18-month period, communicating once to all users will be less effective due to the length of time between the communication being sent and the device’s update. The communication methods below are discussed in terms of their effectiveness for the different deployment strategies and deployment duration:

• Landing page – A landing page is useful to provide an on-demand resource that users can pull from when needed and can be used to provide information on new features, future update plans, efforts to improve user experience, and reductions in deployment times. Landing pages can also open opportunities to highlight company performance with features such as Productivity Score and endpoint analytics. Here is an example of how a typical landing page might look:

  

  Figure 2. Example “What’s new in Windows 10” landing page

  This communication approach is recommended for all deployment types.

• Company email – Team, region, or organization-wide emails can be used to give your end users a heads up of an upcoming deployment, how it might impact their working environment, and the benefits that will come from deploying the update. When a new feature update is available, Microsoft uses a targeted company email to share how many devices are currently updated in the organization, explain the user experience that comes with the update, and how it will impact the user based on the deployment tool used to apply the feature update to the device. Deployment emails are useful when you know which team(s) you might want to target or when there is a large announcement you want to make to everyone in the organization. Here is an example of how this might look:
  
  

  Figure 3. Windows 10 update team announcement email sample

  Note that the longer a deployment of a Windows 10 feature update takes in an organization, the less effective a single email will be to reach users and amplify new features within.

Use Windows Insider for Business for an early look at new capabilities and features

For organizations interested in reviewing and shaping improvements of Windows 10 feature updates ahead of release, the Windows Insider Program for Business program gives you the opportunity to review and validate pre-release features and validate critical application. To provide this functionality for end users, consider using an opt-in program that enables users to receive early access to new products within the organization. Our Microsoft Elite program allows users to opt-in to the program to provide our Engineering teams with feedback to make our products and services better.

Summary

We want your organization to have the best possible experience with Windows 10. This post aims to help make this easier by providing a process that you can use to find and convey the value of Windows 10 feature updates to your business leadership and users.

I recommend that you consider using this process for each feature update planning cycle so that you can assess relevant features and engage more users at as faster cadence, which is even more possible when switching to cloud-based update management technologies. It is also useful to communicate with end users to continually gather feedback on what capabilities are working effectively for their environment and what needs improvements.

Let us know if you find this article helpful below, and what other best practices your organization uses to communicate value with your users.

What’s new: Office 365 Advanced Threat Protection connector in Public Preview

by Scott Muniz | Sep 17, 2020 | Uncategorized

This article is contributed. See the original author and article here.

There are some use cases in the SIEM (Security Information and Event Management) world that require correlation with alerts from an expert system like Office 365 Advanced Threat Protection (ATP). Now you can use the built-in data connector to collect alerts from Office 365 Advanced Threat Protection into Azure Sentinel.

Office 365 Advanced Threat Protection (ATP) safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. By ingesting Office 365 ATP alerts into Azure Sentinel, you can incorporate information about email and URL based threats into your broader risk analysis and build response scenarios accordingly.

The following types of alerts are supported with the data collector:

• A potentially malicious URL click was detected
• Email messages containing malware removed after delivery
• Email messages containing phish URLs removed after delivery
• Email reported by user as malware or phish
• Suspicious email sending patterns detected
• User restricted from sending email

These alerts can be seen by Office 365 customers in the Office Security and Compliance Center as well.

The Office 365 ATP data connector in Azure Sentinel uses the Automated Investigation and Response API and ingest only alerts which are triggered by automatic investigation in Office 365 ATP.  

This blog post covers the required steps to ingest Office 365 ATP alerts into sentinel and how to use the ingested alerts.

How to Enable Office 365 ATP alert ingestion in Azure Sentinel

From the Azure Sentinel navigation menu, select Data connectors. 

Select Office 365 Advanced Threat Protection (Preview) data connector, and then select Open Connector Page on the preview pane.

On the Office 365 Advanced Threat Protection (Preview) page, under Configuration select Connect.

Select Next Steps and Create rule to enable and make adjustments for the relevant analytic rule template.

After successfully activation you will see the rule in your Active rules list in the Analytics page. This rule will make sure that all alerts generated by Office 365 ATP will also trigger an Incident in Azure Sentinel.

Now the Office 365 ATP alerts from your Office 365 tenant will be ingested into Azure Sentinel workspace and any generated alert in Office 365 ATP will also trigger an Incident in Azure Sentinel.

GIF Demonstration – How to enable the Office 365 ATP data connector

How to Use this Data

Once the data connector is functional you can query the Office 365 ATP alerts. The Office 365 ATP alerts will reside in the SecurityAlert table in Azure Sentinel workspace.

The following example query looks for the generated alerts for Office 365 ATP in Azure Sentinel.

SecurityAlert

| where ProviderName == “OATP”

| sort by TimeGenerated

GIF Demonstration – Query Office 365 ATP alerts in Azure Sentinel

GIF Demonstration – Sample Office 365 ATP Incident in Azure Sentinel

Summary

In this post I have shown how you can onboard Office 365 ATP alerts into Azure Sentinel and sample query how to use the data.

You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community and follow the guidance.