Tips on maximising existing cyber security features from our free webinar with Microsoft on Tuesday 15 November 2022. Chaired by Cliff Dean, CIO – ICT Shared Services Manager at North Kesteven District Council.
M: Morning everyone. Chris, do you wanna share the slides please, when you're ready?
M: Yeah, just doing that now.
M: Perfect, so as, Chris just does that, yes, hi everyone, thank you for your time this morning. So, as, Cliff mentioned, by way of introduction, I'm Arron Kerai. I am a Cybersecurity Specialist at Microsoft, and I'm joining with Chris today as Technical Security Specialist at Microsoft as well. And, you know, we've been working with local government over the, over many years now, and we've seen that many organisations, you know, take up some of the Microsoft technology portfolio, a lot of the stuff in the portfolio, to help them with their transformation, and to basically better serve citizens, right? But we acknowledge that, actually, a lot of that capability within that licensing stack can sometimes be overlooked, so we realise that and, and, you know, working with the LGA today, we'd like to basically break that down for you today around security and compliance, and really just paint a picture for you, right? Just to, to figure out what's most important from that, related to security and compliance. In terms of agenda, we've broken it down into four key pillars. So, that's identity and endpoints, it's threat protection, and it's compliance and governance as well. And, you know, we could spend many, many days on each of these topics, but we've tried to distil it as much as we can down to 25-minute chunks, which includes some time for some Q&A as well, because we're keen to hear your feedback, right? We'd like a discussion here.
We want you guys to get the most out of this session today. As Cliff mentioned in the beginning, if I could please ask a favour, as we only have some time for Q&A, if you could please hit the thumbs-up button in the chat if you'd like to see a question answered by us, that would help to prioritise what we can answer for you today, and basically make the best use of your time. So, before we dive into it properly, just wanted to quickly level set on Microsoft 365. So, there's a lot to it, and, you know, while it is a licensing model to basically enable a secure productivity for employees, it's basically a package, and there's a lot of technology capabilities within this that's there. You guys might be familiar with, with terms like E3 and E5, today is obviously gonna be around E3, and, and part of that journey is, is what you're seeing on the slide now. Again, there's a lot to it, there's a lot we can cover, but Chris and I have tried to focus this session on what we've seen through our experience. We're gonna focus on the key priority bits that we've seen in local regional government, so that we can discuss those and, and go there and help you that way. So, with that in mind, I'll pass over to Chris now and we'll go through the first section, which is identity.
M: Okay, yeah, so some of these things that I'm gonna be covering off are gonna be obvious things. I am gonna go things at very high level, I am gonna go things slightly more technical as well, and hopefully speak to everyone in the audience as well. Some things, as I said, they're gonna be obvious. So, what we're gonna do, as I say, just to-, just to reiterate, we're gonna go through some-, a quick presentations, a few demos if need be as well, but we're then gonna open up for a few minutes of Q&A. We are gonna be hard and fast on time, so we will say, 'Right, that's it, time off, next conversation.' We do carry on the conversation in the chat and we'll show you another way at the end on how you can continue the conversation after the call as well, just, those, extra bits and pieces. So, the first one, this is just the obvious one, I'm sure everyone's on page with this, but I just wanna say MFA! MFA! MFA! We still come across a few councils that are still having difficulty rolling this out or haven't quite done this yet. We cannot stress enough how important this is.
As the, the statistic we've got up on screen at the moment, it blocks 99.9% of identity-based attacks. No, it's not perfect. Yes, it has a user impact, but the impact otherwise of not having it is even greater. So, we have to stress that. So, there are different ways you can do multi-factor authentication, and we keep trying to work on that and make that better and better and make the end user experience better, and hopefully, reduce the amount of resistance that you have. So, then you've got the usual ways that we can push out, so it's, like, push notifications, soft tokens, things like that as well. So, the soft token would be the authenticator app, hard tokens would be, like, an RSA token or what we call an OATH token, we've got a little seed and, like, a number on there. We can also do SMS and voice messages and things like that as well. Now, what is worth pointing out is that not all MFA is created equal, and that basically means that some are actually susceptible to phishing. So, if you have a token, you know, just say I just wanted to agree and agree and agree and agree and agree and agree, the user's gonna get fatigue and eventually just agree to the MFA prompt and let that through. In the same way, SMS messages and things like that as well, although they do work and it's better than nothing, they can be phished as well, and obviously the one-time passcodes and things like that as well.
So, that then introduces a, a much more broad range of technology and a broad range of security that is all available to you under E3, and that's basically bringing in part of this technologies. Now, this will be the future, and this is the direction of travel for most identity providers and any, kind of, security organisation as well. Passwords were created originally with PCs, you know, so they, they are technology that is decades old. They can be used anywhere in the world. So, bringing things back to a passwordless (sic) technology, we can not only improve the end user experience, but we can also massively improve security as well. So, things like Windows Hello which we can touch on a little bit later on, but definitely things like the FIDO security keys, that's basically, so rather than having the user enrolled into an individual PC themselves to be able to sign in, we can have a FIDO key that can say, actually, you plug this, take this wherever you go. Appreciate there's currently costs associated with those, but they're great for dealing with users who go, 'Well, I don't wanna use my phone for, for MFA, I don't wanna use it for work, I don't wanna put anything, you know, work-related on my personal phone.' So, there's always an alternative method that we can actually use and, and help get that going basically. We'd love to have more feedback on there as well.
So, is there an option to have-, sorry, just pick-, we'll pick up the questions afterwards as well by the way, so do leave it in the chat, and if anyone's interested in more, we'll ask, ask more on that as well, we'll answer that later on. So, next bit I just wanna put into play as well, just, just to make sure, you know, it is a journey to passwordless, and a, a journey to, to get better security in place, so we still need to respect where people are at the moment, and making sure that people actually have better passwords. So, within Azure AD Premium P1, part of your E3 licence, you have access to Azure Password Protection, and what this basically does is, rather than saying-, we can do things like a soft extranet lock-out, similar to what you could do ADFS. But most importantly, we put in this banned password list, so we can put in words like, you know, we have common words like Winter2022!, which would be a really common password already, as well as other common words. You can put your own blacklist in there, so I've created a demo which I'll show you later on, and I've put in the words local, government and authority in there, so you can actually take a look at that and see how they're actually using and how that reacts to it.
But what this basically means is, is that users can actually set a stronger, more unique password, and when you couple this with strong authentication, i.e. MFA or Windows Hello or something like that as well, then, at that point, you can actually start to remove your need to reset passwords. We, at Microsoft, we used to have a 90-day, we took it to 180 days, we took it to a year, and now, we no longer need to change our passwords. And in fact, the way how we operate at the moment, and I appreciate we are talking a little bit from an ivory tower, the way we operate at the moment is, you know, you ask any Microsoft employee, they probably couldn't remember their password, because they haven't used it for, like, a year-and-a-half. Okay, and then that does cover on-prem, and I'll show you what that looks like later on as well. Of course, the other really important part, just, I know this is obvious, and again, hopefully everybody is using it, conditional access really need to put in play. This is gonna be your front line of defence. As users are remote and working everywhere, the network is no longer the perimeter, you know, your identity is the perimeter. So, we still need to make sure that we can protect that properly, and the conditional access is adaptive controls, and we-, yes, it can be enhanced to E5, but there's lots of good stuff that you can do with E3, to, to really make it effective, and be at your front door there.
So, there's a few bits that we wanna call out that are really relative to, to the UK public sector. So, the first one is actually using conditional access to restrict access beyond UK borders. So, as part of the conditional access policy, well settings, you can define regions, so-, and we've got country regions and as well as just ones that haven't been defined yet. And you can basically say, you know, if, if, if the region is not UK, then block the authentication unless the user is a member of an exceptions, and then you can use lots of good stuff to manage that exception list etc. as well. The next one is to make sure you're using conditional access now to actually enforce MFA, and this is-, some of this is obvious and I hope most people are doing this now, but I just really wanna call this out. And the reason that we do this, it's-, the, the reason we do this is to, to, to make MFA on a per-use basis as opposed to just all the time, basically. And then the last one is, if you have a, a policy that says, actually, when you're on-prem or in your offices, you've gone through physical security or something like that as well, to not require MFA to improve the end user experience. That doesn't fall in line with zero trust, so do make sure that you actually enforce other factors or other methods of gaining trust as well, such as, they need to be on a managed device, or something like that as well, and then you can MFA as a requirement to create that managed device as well, or to enrol or something like that as well if you're not doing it as part of your processes.
Okay, and the last one is, is something new that we've just brought in as well, and this is gonna be really important, is authentication strength. Now, as I pointed out earlier, not all MFA is created equal, so some is susceptible to phishing, some isn't. So, what you can actually say is actually, based on policy, or based on the nature of the data that people are accessing, and I'll go through in a demo to show what this looks like, you know, you can actually choose what level of multi-factor authentication they require. So, you-, are you fine with just having SMS messages or something like that as well, just for general access, but if they go to access some more secure app or more secure data, so potentially, you know, downloading data that's more sensitive, just somewhere, somewhere in SharePoint, so you can say, 'In SharePoint, I want SMS just to get in. If they go to download or access more sensitive data in SharePoint, at that point I want stronger MFA.' So, either the authenticator app or some form of passwordless token, like a FIDO token or something like that as well, which is far less susceptible to phishing, or in fact, is unphishable (sic). Yes, they can still be stolen, there's other bits and pieces, but it makes them unphishable. So, really important bits to put in there.
Right, next one, just an overall view of just what kind of stuff you could do with, with E3 as well and a good bit of security that's potentially easy joiners-movers-leavers process. So, everyone's got Active Directory, most people, I think everybody's got Active Directory in sync with Azure AD as well using AAD Connect or whatever else as well. So, what we really wanna start encouraging is the use of SaaS applications, you know, and the, the cloud-based applications or whatever else as well, and start creating that single sign-on. So, effectively, Azure AD becomes your federation hub, so you have one password, one user credential as far as the end user is concerned that can rule them all basically, which then helps improve things. In the same way, we can bring those controls and integrate into your on-prem services, so that could be your NetScalers, it could be your F5s or whatever else that might be as well, and again, create that single sign-on piece and actually have that single point of-, so, have a single identity, which basically means that, if you remove or change something in the identity, that can affect everything else they're actually working on. Again, when a user leaves the organisation, you don't have to worry about removing their password here and removing their password here, changing settings here, whatever else as well, you can have that all centrally automated and centrally controlled.
And we can also use the Azure AD app proxy as well to actually access on-premise applications. Currently, that's for web-based applications or something that's got a web front end, but what that basically means is, is rather than having a VPN to come in and have access to absolutely everything, we can say, 'Well, actually, we wanted to have this connection and have single sign-on to this application and this application and this application,' rather than having the whole lot at once. So, yes, we can make it seamless, but we're still verifying each connection, we're still putting the control in place, to get that-, to make sure the user is accessing the device. In turn, that could potentially start to reduce your VPN usage as well, and from our perspective, we see VPNs and passwords as the two biggest killers of security. Okay, so, of course Azure AD can also integrate with the HR systems. That could be something that integrates directly to your on-premise Active Directory and then syncs up to the cloud, but that basically says, as changes are made, you know who should be in your directory and who-, and who not. I do appreciate the joiners, movers, leavers process is not simple. It's a-, you know, there, there is no one-size-fits-all, and having a, a mythical unicorn that could be your single version of truth of who should be in your directory just simply doesn't exist.
So, there has to be ways of controlling this, and we can have a lot of other-, a lot of other things we can help, so things like Microsoft Identity Manager and things like that as well can help with that integration and start putting lots of workflows and automation around this whole process of controlling this access, far more effortlessly, and in an autonomous way. And of course, we do have our external identities coming into that as well, so that'd be other active directories, perhaps partners you're working with, and that could be things like, you know, what do you call it? Say, ICSs, so that could be people from the NHS or something like that, or NHS as well, coming in. As well as, of course, just other accounts from other services, but that does mean that you can say, 'Well, actually, this is external identity, we may not necessarily have to create an identity for them here, licence them, put all those kind of controls in place etc. as well, they can have their own identity and then you apply what they-, what they can and can't access, and what level of permission that they have. And we could even assign privilege to them if you wanted to as well. Okay. And just as a last bit, just as a few quick demos to put in place, so if I just go to the first thing around the-, your, your authentication (inaudible 13.35), it'll say self-service password reset, sorry, to start off with.
So, here, I've gone into my Entra portal, we can get this from the Azure portal as well. We've gone into authentication methods then password protection, and underneath here, I've said, 1) I can enable the soft extranet lockout, and I've basically said the lockout threshold is ten, ten tries and then a 60-second wait. So, if somebody was trying to brute force the account, I could say after ten further attempts, they have to wait 60 seconds before they can try again, and obviously, an attacker of automation can probably put those ten attempts in, in, in a matter of, you know, in fractions of a second. So, that really slows them down. As I said, you can then also have a custom banned password list as well, there is a, a, a default blacklist anyway, that we put in, of easily guessable passwords and things like that as well that we block, but you can add your own ones in here as well. Now, any word that I put in here, you put them on individual line, we'll get every variation of that word. So, that could be lowercase G, you know, an O, V, number three, then an, an, a one, exclamation mark or something at the end. So, we'll put all that variation in there, you just need to put the words you want to protect. It's case insensitive, it's just force of habit to put it in a case to start off.
And of course, we can then bring it back to protecting your on-prem services as well, so we can actually do that on the old control delete screen. So, to give you an idea of what that looks like, we can apply that to, to servers, so here's one I've done earlier, and we can actually have that self-service password reset and the password protection under us as well, actually done at the logon screen. So, this is just my own home server, so we've got a machine here, it's also on a console on a Hyper-V Session, but what I can do directly from the logon screen, without actually being in the server, I've actually forgotten my password, and what this is gonna do is just spool up a temporary profile on the device, so it's used specifically for the password reset as well, and then with this-, just a second, so it's always, always the way with this in front of the demos, but with this, is you then have the, the standard logon. So, it's gonna say, 'This is the user you're trying to log in with,' and I can then follow through my usual flow to reset passwords and things like that as well using self-service password reset. And now the important thing is, here, is that I didn't actually need to call the help desk, I didn't need to do anything else to, to reset my password. Most importantly, I am actually validating that I am who I say I am.
So, I've got a-, I've got my authenticator app, I can do that and put that in place. So, if I just bring that up and just approve the authentication, just put that, and I, I've said I want two steps of verification to approve that, on my phone in just a second I get the-, I get the approval and say, 'Yep, I approve that,' job done, give my biometrics, and that's just gonna give the first one and then it's gonna ask me what do I want for my second one? And I will then say just send a text, so do bear with me, I, I put this on my signature anyway. Just put the number in place. And then I'll get a quick text message and put the code in, and so that code I then have is 321165, so 321165. And with that, I can now enter a password. So, if I actually put the code in, saying I'm going to put, 'Government,' so, G, capital G-O-V-E-R-N-M-E-N-T, an exclamation mark at the end as well. I'm gonna try that again, so just confirm that password. So-, 'cause I had that in my blocked password list, so now, when I go to reset that password, I don't know, your password gains a pattern or something that's easily guessable, so the user can't do that. In the same way, if I was to do something which wasn't in my list like, you know, password1234 as an example, so a-, again, a really easy and really guessable password, again, if I try that one, if I type it-, type it correctly, and then I can actually have that in play and that, that'll stop me being able to use that password as well.
I could also do that from the alt, control, delete screen as well, if, if I was on a hybrid domain joined computer or something like that as well, and again, that would just say, 'No, you can't use this password, it doesn't meet the complexity requirements,' and the user has to reset that. As another thing just worth pointing out as well, so we have this authentication context. What we can do-, so authentication strength and authentication context, so when I go to grant the control, depending on what I'm trying to access and what the control is, is that I can now require a password strength. So, I can say I want more phishing resistance, MFA or passwordless MFA or whatever else as well, to say actually, the more sensitive stuff that I'm actually accessing, I want to have better controls in place. And what you can do is actually tie this together with what we now call the authentication context. The authentication context, this is one I've just thrown together and just basically said I want this for any, kind of, sensitive data, basically, and I want to require strong authentication for this authentication context. That, that's my rules, I want this. And what I can do is, when I create my context, I can say I want to create a tag and it'd be C1 to C25, so context one, context two, etc. as well.
And then I can use that in my information protection labelling to say, 'This is actually related to C-, to the C1 tag or the C2 tag,' which basically means if anybody goes to access that data, we will request MFA again, and this time it will be a stronger form of authentication that will actually be required. So, you can really create that balance between, this is just what people can get into, this is the acceptable level, and once you start crossing a threshold of where damage can really be done, at that point, we want to step it up and make sure that they really validate that user and have a stronger form of authentication. Okay, so that is just what I wanted to whizz through for identity in the first place. Is that-, so, I'll, I'll take the questions that are in the chat to start off with. And the one-, there, there, there's a few threes in there, so, yeah, so the, the, the custom banned password list, yes, it does have a limit of 1000, 1000 words, but as I said, we put the, the common passwords that we see in there, and then the, the words that you put in, as I say, we put in every variation of that word. As I said, so government wouldn't just be G-O-V-E-R-N etc. as well, we could have capital G-O-V-E, you know, three, whatever else as well, and put numbers in there, whatever else it might be and put every variation of that word in.
Another one that's, like, 'How do you enable the password reset option on the Windows sign-in screen?' So I will just jump out of here and go into-, I've gone into my-, into Endpoints, and my Windows policy, so I'll just go to devices, Windows policies, my configuration policies, so I've created a, an OMA-URI policy. So, this has enabled the SS-, SSPR on the desktop here. So, if I go to edit the configuration, I'll, I'll, I'll put a link in the chat for what this is afterwards as well. But to-, for this one, if I edit that, I've created a link. I've just given it my own name, I've given it my own description as well, but specifically, we have this policy here, and this basically refers to a registry key that we can have on a device as well. I can-, again, we can-, I can send you the links on where that is, I'll basically set that value as one, and that basically just turns it on on the desktop. So, as long as your Windows is reasonably up to date, and I think that's version 1709 and above, so that's-, 'cause that's-, you know, you have to be not, not too far out of date to still have it basically. That's how you turn it on. And then the other thing you actually need to do which is the most important thing, that's turning it on and making it-, and making it accessible, you also need to configure it on your domain controllers as well.
So, what I have, if I just go to another virtual machine here, bear with me for one second. So, what I've put on my domain control, I'm just, just showing you I've got my domain controller in place, is I've installed a binary. That binary did require a restart on the domain controller when I installed it as well, so just as a heads up on that side, but most importantly, there's a second component which is a proxy. So, obviously, it doesn't allow just outbound connectivity from the domain controller straight away or just out to the internet, so it has to be configured with a proxy which you just install on another device on your network. Communicates on port 135, don't, don't hold me accountable to that, but I, I ran up work. And it just detects that, that, that the proxy is available in the environment and it sends the traffic out, and the proxy then becomes essential along with your domain controllers to your password resets as well. And yes, you can install multiple proxies and yes they automatically load balance and all that kind of good stuff as well. But that, if you put-, once you've got this in place, those proxy servers have become essential to password reset, or anybody changing their passwords or anything like that as well, okay? I'll send through a link on how to actually do that and there's just a guide you can follow through to get that turned on. Cool.
So that-, yeah, so that's how-, that's how you turn that on. So, just going back to the next one as well, 'There's, there's an option to have a soft token using the authenticator app on multiple devices, having issues when, when changing phones.' So, yes, you can-, you can enrol MFA onto multiple phones. So, if you go-, if you-, if your end user or yourself goes to aka.ms/setupmfa, you'll then be able to add multiple tokens as well, or multiple devices in there as well. But fundamentally, I, I wouldn't be pushing down that route anyway. I know it's hassle setting things up as well, and actually getting things going and, you know, if you lose your phone or whatever else as well, and getting that set up again. So what you can look at as the simplest method of getting it going is using temporary access passwords. And temporary access passwords are gonna allow you to-, allow the end-, the, the-, your helpdesk, whoever else as well, to issue a password, this has a lifetime of between ten minutes and an hour. You can sign in with that, it is seen as an MFA sign-in, and then just set up your phone again or set up with your-, set up the authenticator app again, without having to go through the hassle of resetting all your MFA and getting it all going and just, you know, creating a bit of a headache for yourself. Okay.
We are running out of time on questions, and as I said, I wanna be hard and fast on timing, and make sure we stay on top of things. Arron, is there anything else we wanna cover on time or are we-, just my timing, I think, we've got about two minutes left? Is that-, does that work for you as well? Okay, stay on mute, okay, cool, I was just checking. So, any pre-made tweakable templates with conditional access policies. So there's two ways you can look at this. One, we are looking to create some that are for, for a, a-, well, I am, sorry I should say, looking to create some that are for public sector specifically. That needs to be signed off and checked out and whether or not we can actually do that. If not, there is actually a baseline policies that you can put in place which effectively disables your configuration of conditional access, but puts other controls in place, and, and puts a baseline control in place. Typically, you'd want to configure it, and now we can do conditional access via PowerShell and things like that as well, means that we can create these templated policies that we can hand out. Kind of a work in progress for ones that are gonna be for LGA-, sorry, for, for, for local government specifically. Okay. Just checking is there any other questions? 'Can you use 2FA and additional authorisations for logging onto a remote desktop server?' Yes, you can.
So, what we would need to-, what you need to have in place is what's called an NPS server, which is just a Windows server-, a Windows server role, and with that, you can have the MFA extensions installed on that. So, it has your MFA extensions installed on there, and that effectively then becomes a RADIUS server, and then your remote desktop environment, you, you configure with RADIUS, basically, to say, 'Use RADIUS authentication.' What you might have to do is just have an increased timeout on the authentication, 'cause it then may not be a, a, a GUI to give an MFA response. So, you may only be able to give approve or deny on the authenticator app to be able to get that in, if-, and-, but if you're using something like a Citrix universal gateway or something along those kinda lines which does support that GUI, and, you know, is, is a bit more of a mature software, then you can use whatever factor of authentication you want for, for the additional-, for, for the additional MFA there. Cool. Any other questions before we move on? If not, I'll, I'll move into the next, next stage of the-, which was this, move into the next stage of the demo. Take-, no one's-, I can-, I can't see anyone's typing, so I'll move into the next section. And the next bit was gonna be talking about endpoints.
So, of course, when we're talking here, I should have had this with-, I should have had it on my slide with Intune, at the side of this as well. So, it's important that for us-, Intune is very, very important to us because this is where the-, you know, we get the device health from, and I'll go over that in just a little bit more. But you could also use it as the MDM authority to push out apps, to do those kind of controls and configurations and patching and updates and all the rest as well. This is what we start calling the, the modern management basically, so moving away from using SCCM. SCCM will still have a place, but ultimately, we want to have-, to be, you know, ideally has your AD domain joined only and move away from hybrid domain join, and I'll go into a little bit more detail on that in just a sec. So, as the first thing-, as I said, so Intune is absolutely important for us because Intune is part of Azure AD in the same way an exchange server is part of Active Directory. So, what that means is, is when we have compliance policies and things like that on a device, if a device is not in compliance, i.e. the, the, the health attestation of the device is not good, then we can tie that into authentication and say, 'Actually, the device is not compliant.' There may be a threat on there, whatever else as well.
So, at that point, we break the compliance and we, we won't allow a user to authenticate on that device. Yes, it's an inconvenience for the end user but it actually closes off a lot of risk and it stops bad things happening before-, you, you know, at the point that it's happening rather than just having a report or a log or something else afterwards. So again, although there's other MDM, sort of, authorities and things like that in play, and you may even have SCCM for your desktop devices, we heavily encourage the use of enrolling your desktop devices into Intune as well. And there are other advantages that we can give but most importantly, it gives that health attestation. So, as we come into this and start looking at them, those different types of join, the different way a device can appear in Intune, what we would have is you've got the, the hybrid domain join, the Azure AD domain join, you can just have an AD registered device, and that would be for your work-owned devices and that's, you know-, they could-, and, as I said, this is the type of device you'll typically have. But then, of course, for the personal devices, you may just-, you may register them, but you would have the MDM predominantly be MAM. Very rarely do we see it in the public sector, anyone actually enrolling devices.
But predominantly, though, when we look at this hybrid domain join and the Azure AD domain join, the hybrid domain join is basically-, you, you get trust by virtue basically. It's, it's joined to your domain so we assume it's got the controls that are being applied from your domain and all the rest as well that all the configuration, all those policies etc. are in place and they haven't been circumvented or whatever else as well. While if you actually do it through Azure AD domain joined, we actually directly trust the MDM (sic) and all that kinda good stuff as well and get that health attestation. Now, with the hybrid domain join, you can still have those devices enrolled in Intune and have compliancy (sic) from Intune as well, but hybrid domain join should be seen as a bridge from where you're at now, in that, you know, in that, that-, what's been that more traditional IT, moving into, you know, the modern management and actually, you know, moving away from on-prem deployments and things along those kind of lines. Now, as I said, I know, and just to contradict myself a little bit, SCCM will always have a place. You know, in doing those remote build-, sorry, doing wipe and reloads and things along those kind of lines, they're always gonna be important.
But there's-, it, it should be considered to actually move away from having, you know, domain-joined devices 'cause everyone works everywhere now. So, yes, you might have devices that are directly on-pem (sic)-, directly on-prem, and only on-prem, so great, work with them that way, but other devices might be-, they, they might be just remote entirely, and having them tied back to a domain means you've got to have VPN access and lots of other controls in place as well, which could potentially give them too much access. So, just to deal with a, a first bit, you know, the first blocker that we normally see is, like, can you actually use Azure AD domain join device only to actually, you know, access on-prem resources? So, yes, we can. So, I won't go through this in too much detail, but the gist of that is the-, it's still a-, it's still a computer, it's still connected to your LAN, it can still get DNS. It's still the same identity that the user is actually using, so all those GUIs and all that kinda good stuff all match up. So, they're still seen as the same user, but where we won't work is on machine-based authentication. So, if you're doing something that's got-, using kerberos constrained delegations or something like that as well, that may or may not work. So, just-, if they can do it as a user then fantastic, but anything that's machine-based won't work in that regard. But just to stress that final point, I appreciate I'm talking about perhaps an advanced state or, you know, talking from our ivory tower, so to speak. We do respect your journey.
But what this basically means is that users can actually set a stronger, more unique password, and when you couple this with strong authentication, i.e. MFA or Windows Hello or something like that, then at that point you can actually start to remove your need to reset passwords. We at Microsoft used to have a 90-day expiry, we took it to 180 days, we took it to a year, and now we no longer need to change our passwords. And in fact, the way we operate at the moment, and I appreciate we are talking a little bit from an ivory tower, is that if you ask any Microsoft employee, they probably couldn't remember their password, because they haven't used it for, like, a year and a half. Okay, and that does cover on-prem, and I'll show you what that looks like later on as well. Of course, the other really important part, and I know this is obvious, and again, hopefully everybody is using it: conditional access really needs to be put in play. This is going to be your front line of defence. As users are remote and working everywhere, the network is no longer the perimeter; your identity is the perimeter. So we still need to make sure that we can protect that properly, and conditional access is adaptive controls. Yes, it can be enhanced with E5, but there's lots of good stuff that you can do with E3 to really make it effective and have it be at your front door there.
So, there's a few bits that we want to call out that are really relevant to the UK public sector. The first one is actually using conditional access to restrict access beyond UK borders. As part of the conditional access policy settings, you can define regions, so we've got country regions as well as ones that haven't been defined yet. And you can basically say, if the region is not UK, then block the authentication unless the user is a member of an exceptions group, and then you can use lots of good stuff to manage that exception list etc. as well. The next one is to make sure you're using conditional access now to actually enforce MFA. Some of this is obvious and I hope most people are doing this now, but I just really want to call this out. And the reason we do this is to make MFA on a per-use basis as opposed to just all the time, basically. And then the last one is, if you have a policy that says, actually, when you're on-prem or in your offices, you've gone through physical security or something like that, to not require MFA to improve the end user experience. That doesn't fall in line with zero trust, so do make sure that you actually enforce other factors or other methods of gaining trust as well, such as they need to be on a managed device, and then you can make MFA a requirement to create that managed device, or to enrol it, if you're not doing it as part of your processes.
Okay, and the last one is something new that we've just brought in as well, and this is going to be really important: authentication strength. Now, as I pointed out earlier, not all MFA is created equal, so some is susceptible to phishing, some isn't. So what you can actually say is, based on policy, or based on the nature of the data that people are accessing, and I'll go through a demo to show what this looks like, you can actually choose what level of multi-factor authentication they require. So, are you fine with just having SMS messages or something like that for general access, but if they go to access a more secure app or more secure data, so potentially downloading data that's more sensitive, somewhere in SharePoint, you can say, 'In SharePoint, I want SMS just to get in. If they go to download or access more sensitive data in SharePoint, at that point I want stronger MFA.' So, either the authenticator app or some form of passwordless token, like a FIDO token or something like that, which is far less susceptible to phishing, or in fact is unphishable. Yes, they can still be stolen, there's other bits and pieces, but it makes them unphishable. So, really important bits to put in there.
Right, next one, just an overall view of what kind of stuff you could do with E3 as well, and a good bit of security that's potentially easy: the joiners-movers-leavers process. So, everyone's got Active Directory, and most people, I think everybody, has Active Directory in sync with Azure AD as well using AAD Connect or whatever else. So what we really want to start encouraging is the use of SaaS applications, the cloud-based applications or whatever else, and start creating that single sign-on. So, effectively, Azure AD becomes your federation hub, so you have one password, one user credential as far as the end user is concerned, that can rule them all basically, which then helps improve things. In the same way, we can bring those controls and integrate into your on-prem services, so that could be your NetScalers, it could be your F5s or whatever else that might be, and again create that single sign-on piece and actually have a single identity, which basically means that if you remove or change something in the identity, that can affect everything else they're actually working on. Again, when a user leaves the organisation, you don't have to worry about removing their password here and removing their password there, changing settings here, whatever else; you can have that all centrally automated and centrally controlled.
And we can also use the Azure AD app proxy as well to actually access on-premises applications. Currently, that's for web-based applications or something that's got a web front end, but what that basically means is, rather than having a VPN to come in and have access to absolutely everything, we can say, 'Well, actually, we want to have this connection and have single sign-on to this application and this application and this application,' rather than having the whole lot at once. So, yes, we can make it seamless, but we're still verifying each connection, we're still putting the control in place, to make sure the user is accessing the device. In turn, that could potentially start to reduce your VPN usage as well, and from our perspective, we see VPNs and passwords as the two biggest killers of security. Okay, so, of course Azure AD can also integrate with the HR systems. That could be something that integrates directly to your on-premises Active Directory and then syncs up to the cloud, but that basically says, as changes are made, you know who should be in your directory and who should not. I do appreciate the joiners, movers, leavers process is not simple. There is no one-size-fits-all, and having a mythical unicorn that could be your single version of truth of who should be in your directory just simply doesn't exist.
So, there has to be ways of controlling this, and we have a lot of other things that can help, so things like Microsoft Identity Manager can help with that integration and start putting lots of workflows and automation around this whole process of controlling this access, far more effortlessly and in an autonomous way. And of course, we do have our external identities coming into that as well, so that'd be other Active Directories, perhaps partners you're working with, and that could be things like, what do you call it, ICSs, so that could be people from the NHS or something like that coming in. As well as, of course, just other accounts from other services, but that does mean that you can say, 'Well, actually, this is an external identity, we may not necessarily have to create an identity for them here, licence them, put all those kind of controls in place etc.; they can have their own identity and then you apply what they can and can't access, and what level of permission they have.' And we could even assign privilege to them if you wanted to as well. Okay. And just as a last bit, just a few quick demos to put in place, so if I just go to the first thing around the-, your authentication (inaudible 13.35), it'll say self-service password reset, sorry, to start off with.
So, here, I've gone into my Entra portal; we can get this from the Azure portal as well. We've gone into authentication methods, then password protection, and underneath here, I've said, 1) I can enable smart lockout, and I've basically said the lockout threshold is ten tries and then a 60-second wait. So, if somebody was trying to brute force the account, I could say after ten further attempts they have to wait 60 seconds before they can try again, and obviously an attacker with automation can probably put those ten attempts in in a matter of fractions of a second. So that really slows them down. As I said, you can then also have a custom banned password list as well. There is a default blacklist anyway that we put in, of easily guessable passwords and things like that, that we block, but you can add your own ones in here as well. Now, any word that I put in here, and you put them on individual lines, we'll get every variation of that word. So that could be lowercase G, an O, V, number three, then a one, exclamation mark or something at the end. So we'll put all that variation in there; you just need to put the words you want to protect. It's case insensitive; it's just force of habit to put it in a case to start off.
And of course, we can then bring it back to protecting your on-prem services as well, so we can actually do that on the old Ctrl-Alt-Delete screen. So, to give you an idea of what that looks like, we can apply that to servers, so here's one I've done earlier, and we can actually have that self-service password reset and the password protection as well, actually done at the logon screen. So, this is just my own home server, so we've got a machine here, it's also on a console on a Hyper-V session, but what I can do directly from the logon screen, without actually being in the server, is say I've actually forgotten my password, and what this is going to do is just spool up a temporary profile on the device, which is used specifically for the password reset, and then with this-, just a second, it's always the way with this in front of the demos, but with this, you then have the standard logon. So it's going to say, 'This is the user you're trying to log in with,' and I can then follow through my usual flow to reset passwords and things like that using self-service password reset. And now the important thing here is that I didn't actually need to call the help desk, I didn't need to do anything else to reset my password. Most importantly, I am actually validating that I am who I say I am.
So, I've got my authenticator app, I can do that and put that in place. So if I just bring that up and just approve the authentication, and I've said I want two steps of verification to approve that, on my phone in just a second I get the approval and say, 'Yep, I approve that,' job done, give my biometrics, and that's just going to give the first one, and then it's going to ask me what I want for my second one. And I will then say just send a text, so do bear with me, I put this on my signature anyway. Just put the number in place. And then I'll get a quick text message and put the code in, and so that code I then have is 321165, so 321165. And with that, I can now enter a password. So, if I actually put the code in, saying I'm going to put 'Government', so capital G-O-V-E-R-N-M-E-N-T, an exclamation mark at the end as well. I'm going to try that again, so just confirm that password. So, because I had that in my blocked password list, now when I go to reset that password, it says your password contains a pattern or something that's easily guessable, so the user can't do that. In the same way, if I was to do something which wasn't in my list, like password1234 as an example, again a really easy and really guessable password, if I try that one, if I type it correctly, then I can actually have that in play and that'll stop me being able to use that password as well.
I could also do that from the Ctrl-Alt-Delete screen as well, if I was on a hybrid domain joined computer or something like that, and again, that would just say, 'No, you can't use this password, it doesn't meet the complexity requirements,' and the user has to reset that. Another thing just worth pointing out as well: we have this authentication context. So, authentication strength and authentication context: when I go to grant the control, depending on what I'm trying to access and what the control is, I can now require a password strength. So I can say I want more phishing resistance, MFA or passwordless MFA or whatever else, to say, actually, for the more sensitive stuff that I'm accessing, I want to have better controls in place. And what you can do is actually tie this together with what we now call the authentication context. The authentication context, this is one I've just thrown together and basically said I want this for any kind of sensitive data, and I want to require strong authentication for this authentication context. That's my rules, I want this. And what I can do is, when I create my context, I can say I want to create a tag and it'd be C1 to C25, so context one, context two, etc.
And then I can use that in my information protection labelling to say, 'This is actually related to the C1 tag or the C2 tag,' which basically means if anybody goes to access that data, we will request MFA again, and this time it will be a stronger form of authentication that will actually be required. So you can really create that balance between this is just what people can get into, this is the acceptable level, and once you start crossing a threshold of where damage can really be done, at that point we want to step it up and make sure that they really validate that user and have a stronger form of authentication. Okay, so that is just what I wanted to whizz through for identity in the first place. So, I'll take the questions that are in the chat to start off with. And there's a few thumbs-ups in there, so, yeah, the custom banned password list, yes, it does have a limit of 1000 words, but as I said, we put the common passwords that we see in there, and then the words that you put in, as I say, we put in every variation of that word. As I said, so government wouldn't just be G-O-V-E-R-N etc.; we could have capital G-O-V-E, three, whatever else, and put numbers in there, whatever else it might be, and put every variation of that word in.
Another one that's like, 'How do you enable the password reset option on the Windows sign-in screen?' So I will just jump out of here and go into Endpoint, and my Windows policy, so I'll just go to devices, Windows policies, my configuration policies, so I've created an OMA-URI policy. So, this has enabled SSPR on the desktop here. If I go to edit the configuration, I'll put a link in the chat for what this is afterwards as well. But for this one, if I edit that, I've created a link. I've just given it my own name, I've given it my own description as well, but specifically, we have this policy here, and this basically refers to a registry key that we can have on a device as well. Again, I can send you the links on where that is; I basically set that value to one, and that basically just turns it on on the desktop. So, as long as your Windows is reasonably up to date, and I think that's version 1709 and above, because you have to be not too far out of date to still have it basically, that's how you turn it on. And then the other thing you actually need to do, which is the most important thing, beyond turning it on and making it accessible: you also need to configure it on your domain controllers as well.
So, what I have, if I just go to another virtual machine here, bear with me for one second. So, what I've put on my domain controller, and I'm just showing you I've got my domain controller in place, is I've installed a binary. That binary did require a restart on the domain controller when I installed it as well, so just as a heads up on that side, but most importantly, there's a second component which is a proxy. So, obviously, it doesn't allow just outbound connectivity from the domain controller straight away or just out to the internet, so it has to be configured with a proxy, which you just install on another device on your network. It communicates on port 135, don't hold me accountable to that, but I ran it up at work. And it just detects that the proxy is available in the environment and it sends the traffic out, and the proxy then becomes essential along with your domain controllers to your password resets as well. And yes, you can install multiple proxies and yes, they automatically load balance and all that kind of good stuff as well. But once you've got this in place, those proxy servers have become essential to password reset, or anybody changing their passwords or anything like that, okay? I'll send through a link on how to actually do that, and there's just a guide you can follow through to get that turned on. Cool.
So, yeah, that's how you turn that on. So, just going back to the next one as well, 'There's an option to have a soft token using the authenticator app on multiple devices; having issues when changing phones.' So, yes, you can enrol MFA onto multiple phones. If your end user or yourself goes to aka.ms/setupmfa, you'll then be able to add multiple tokens, or multiple devices, in there as well. But fundamentally, I wouldn't be pushing down that route anyway. I know it's hassle setting things up as well, and actually getting things going, and if you lose your phone or whatever else, getting that set up again. So what you can look at as the simplest method of getting it going is using temporary access passes. And temporary access passes are going to allow your helpdesk, or whoever else, to issue a password; this has a lifetime of between ten minutes and an hour. You can sign in with that, it is seen as an MFA sign-in, and then just set up your phone again, or set up the authenticator app again, without having to go through the hassle of resetting all your MFA and getting it all going and just creating a bit of a headache for yourself. Okay.
We are running out of time on questions, and as I said, I want to be hard and fast on timing and make sure we stay on top of things. Arron, is there anything else we want to cover on time, or are we-, just on my timing, I think we've got about two minutes left? Does that work for you as well? Okay, stay on mute, okay, cool, I was just checking. So, any pre-made tweakable templates for conditional access policies? There's two ways you can look at this. One, we are looking to create some that are for the public sector specifically; well, I am, sorry I should say, looking to create some that are for the public sector specifically. That needs to be signed off and checked out, whether or not we can actually do that. If not, there are actually baseline policies that you can put in place, which effectively disable your configuration of conditional access but put other controls in place, and put a baseline control in place. Typically, you'd want to configure it, and now we can do conditional access via PowerShell and things like that, which means that we can create these templated policies that we can hand out. Kind of a work in progress for ones that are going to be for LGA-, sorry, for local government specifically. Okay. Just checking, is there any other questions? 'Can you use 2FA and additional authorisations for logging onto a remote desktop server?' Yes, you can.
So, what you need to have in place is what's called an NPS server, which is just a Windows Server role, and with that, you can have the MFA extension installed on it. So it has your MFA extension installed on there, and that effectively then becomes a RADIUS server, and then your remote desktop environment you configure with RADIUS, basically, to say, 'Use RADIUS authentication.' What you might have to do is just have an increased timeout on the authentication, because there then may not be a GUI to give an MFA response. So you may only be able to give approve or deny on the authenticator app to be able to get that in, but if you're using something like a Citrix universal gateway or something along those kind of lines, which does support that GUI and is a bit more of a mature software, then you can use whatever factor of authentication you want for the additional MFA there. Cool. Any other questions before we move on? If not, I'll move into the next stage of the demo. I can't see anyone typing, so I'll move into the next section. And the next bit was going to be talking about endpoints.
So, of course, when we're talking here, I should have had this on my slide with Intune at the side of this as well. Intune is very, very important to us because this is where we get the device health from, and I'll go over that in just a little bit more. But you could also use it as the MDM authority to push out apps, to do those kind of controls and configurations and patching and updates and all the rest as well. This is what we start calling the modern management, basically, so moving away from using SCCM. SCCM will still have a place, but ultimately, we want to have, ideally, your devices Azure AD joined only and move away from hybrid domain join, and I'll go into a little bit more detail on that in just a sec. So, as the first thing, as I said, Intune is absolutely important for us because Intune is part of Azure AD in the same way an Exchange server is part of Active Directory. So what that means is, when we have compliance policies and things like that on a device, if a device is not in compliance, i.e. the health attestation of the device is not good, then we can tie that into authentication and say, 'Actually, the device is not compliant.' There may be a threat on there, whatever else as well.
So, at that point, we break the compliance and we won't allow a user to authenticate on that device. Yes, it's an inconvenience for the end user, but it actually closes off a lot of risk and it stops bad things happening at the point that it's happening, rather than just having a report or a log or something else afterwards. So again, although there's other MDM authorities and things like that in play, and you may even have SCCM for your desktop devices, we heavily encourage enrolling your desktop devices into Intune as well. And there are other advantages that we can give, but most importantly, it gives that health attestation. So, as we come into this and start looking at those different types of join, the different ways a device can appear in Intune, what we would have is the hybrid domain join, the Azure AD domain join, and you can just have an Azure AD registered device, and that would be for your work-owned devices, and as I said, this is the type of device you'll typically have. But then, of course, for the personal devices, you may just register them, but you would have the management predominantly be MAM. Very rarely do we see anyone in the public sector actually enrolling personal devices.
But predominantly, when we look at this hybrid domain join and the Azure AD domain join, with the hybrid domain join you basically get trust by virtue. It's joined to your domain, so we assume it's got the controls that are being applied from your domain and all the rest as well, that all the configuration, all those policies etc. are in place and they haven't been circumvented or whatever else. While if you actually do it through Azure AD domain joined, we actually directly trust the MDM and all that kind of good stuff as well and get that health attestation. Now, with the hybrid domain join, you can still have those devices enrolled in Intune and have compliance from Intune as well, but hybrid domain join should be seen as a bridge from where you're at now, in that more traditional IT, moving into the modern management and actually moving away from on-prem deployments and things along those kind of lines. Now, as I said, and just to contradict myself a little bit, SCCM will always have a place. In doing those remote builds, sorry, doing wipe and reloads and things along those kind of lines, they're always going to be important.
But it should be considered to actually move away from having domain-joined devices, because everyone works everywhere now. So, yes, you might have devices that are directly on-prem, and only on-prem, so great, work with them that way, but other devices might be just remote entirely, and having them tied back to a domain means you've got to have VPN access and lots of other controls in place as well, which could potentially give them too much access. So, just to deal with the first blocker that we normally see, which is: can you actually use an Azure AD domain joined device only to actually access on-prem resources? So, yes, we can. I won't go through this in too much detail, but the gist of that is it's still a computer, it's still connected to your LAN, it can still get DNS. It's still the same identity that the user is actually using, so all those GUIs and all that kind of good stuff all match up. So, they're still seen as the same user, but where it won't work is on machine-based authentication. So, if you're doing something that's using Kerberos constrained delegation or something like that, that may or may not work. So, if they can do it as a user, then fantastic, but anything that's machine-based won't work in that regard. But just to stress that final point, I appreciate I'm talking about perhaps an advanced state, or talking from our ivory tower, so to speak. We do respect your journey, and this is achievable. So we have had organisations that have actually done away with their network entirely and had everything remote and mobile and a true zero trust approach. So basically they've shut down their attack surface massively.
So just as some final points just to put in here, the enrolling into Intune as well will give you access to Windows Update for Business. So what that is, so rather than doing all your updates via a CCM. So what you might have is a WSUS server or something on bramsey. You bring all of your updates down from Microsoft to the WSUS server, you authorise and do whatever else you want to do and then drag them across the VPN to the end-user device and then do the updates and things like that as well. So what you can do with Windows Update for Business is actually say, 'Well actually, we're going to take those controls directly from Microsoft.' So yes you should be using split tunnelling if you are VPNs or anything like that as well but that will significantly reduce the load on the VPN. Better yet, you can put yourself in to very clearly defined update rings and we can say, right, these first few hundred devices-, and we can use end point analytics and things like that as well to say, 'Well actually, these hundred end point devices cover every single hardware type in our estate and cover every single app in our estate as well.'
So we update those first, update any changes on that, in that first ring, we know if it's going to have any impact on the rest of the estate as well. But then, most importantly, you can then define the next ring and the next ring but what that can then lead to is Autopatch. For those who haven't heard of Autopatch, this is a service that Microsoft's actually put in place. It's available to our Enterprise customers only, so that covers every single person on this call. What we can then do is, Microsoft will take care of the patching of Microsoft applications on the device. So that's Windows and basically Office. We will do the patching for you and we'll work in line with these update rings and things like that we have within Windows Update for Business. So we're not just gonna blindly go in and just update all the machines and break services and things like that as well but we can-, we'll make sure we work with you to make sure the right devices are in the right rings and the right updates are applied etc. as well. And what is also available with Autopatch as well is also something called Desktop App Assure. Well, Desktop App Assure is a stand alone service that goes hand in hand with Autopatch and what Desktop App Assure says is again, it's a Microsoft service we provide free of charge. It's effectively a fast-track service. If you apply a Windows Update and that may be coming from Windows 10 going to 11 or going from Windows 20 half one to 22 half two or something like that as well.
If it breaks an application, what you can do is start a Desktop App Assure case, and what we'll do is work with the vendor directly to see if we can create a patch with them, if they haven't done so already. The obvious caveat is that if there is an updated version of the app, I'm afraid you need to go to it. But if not, we will fix Windows. That may just be a shim in Windows to get something working temporarily, but what we'll do is actually update Windows, as part of these update rings, as well as informing you, say, 'Don't go to 22H2, go to 23H1,' and at that point we'll have a fix in there for Windows. Or maybe even 23H2 or whatever else it might be, but we'll effectively fix Windows. So that is literally Microsoft putting its money where its mouth is and making sure there shouldn't be any fear of updating, and that there are no blockers remaining on really legacy applications because there's nothing else. We'll basically get it working for you, okay?
Of course Autopilot, yes, you can do this from a Hybrid Domain Join as well, but the Autopilot process fundamentally is just enrolling the device into Azure AD and enrolling the device into Intune, and then Intune does the rest of the job. Autopilot basically means that yes, you own this device and the device is tied to you, but most importantly you can completely rebuild a device no matter where it is and make it a device for your organisation. Yes, there's a lot of testing and lots of controls, and FastTrack can help you with this as well as our partner network, but this is modernising it. It goes from the SCCM build and the wipe-and-reload to a more modern way of doing it, because it assumes Windows is already on the device. So just take into account SCCM and why you'd use Autopilot, just as a quick heads up. Typically you get a device, it's got Windows and drivers and perhaps a bunch of bloatware on there, so you wipe the device, you put Windows on there, you hope you get the drivers right and then you install all your applications. So what if we just say, 'Well actually, Windows and drivers are running on there, why don't we just take it back down to that clean slate and then put your applications on top, so we can remove the bloatware and that kind of stuff?' It's also worth noting, when asking for builds from your suppliers, such as Microsoft Surface or Lenovo or Dell or whoever else, that you can use what's called a signature build from them, and that basically comes with no bloatware or anything along those lines.
As a final part of all of this, it means we significantly reduce complexity. You've got the identity provider in Azure AD and you've got the device. We don't have to worry so much about domain controllers, don't have to worry about certificates, don't have to worry about any other kind of controls: no SCCM, no management servers, all of that kind of good stuff as well. So we can just put it in the cloud. I appreciate I'm saying that very easily and quite callously, but all of those controls can basically be put together and it significantly reduces your complexity, moves away from legacy and allows you to move forward in a much more consistent manner. Okay, right. Going on to any questions. 'So Intune, Microsoft Update: for any internally networked devices, can they use peer-to-peer or an internal server which can host and serve the updates, to reduce strain on internal bandwidth?' Yes, you can, and basically we've got what we call dynamic updates. So what you have is the first device that brings down the update, and it's like a buddy system basically. When this is turned on, and this is a Windows 10 and above feature, devices will look across the network, across the subnet I should say, to see if there are any other devices that have got that update, and at that point they can stream it directly from that local device without having to stream it across the network. So yes, you can very effectively control it.
It was predominantly designed for scenarios like oil rigs and things along those lines, where there is literally no bandwidth or the bandwidth is shockingly expensive, and you can't just-, yes, it's nice to ship out an update on a USB drive and take it from there, but at the same time you want to be able to have that central management or central control. So yes, if you look for dynamic updates, you can control it along those lines and control that strain basically. Okay, hopefully that answers the question. Are there any other questions around endpoints? Or anything around Intune, or around Hybrid Domain Join or not? Or Azure AD Domain Join? I appreciate maybe I've opened a little bit of a can of worms on that side. Have we got time? An identity question here: 'Can you give a brief summary of how we might get a seamless Windows log-in experience for Office 365 apps and the browsers for users logged in to Windows on an internal work network? An example scenario would be opening the intranet on SharePoint Online, say in the Edge browser, where the user logs in to Windows without further authentication challenges.' Now that's where the Hybrid Domain Join or Azure AD Domain Join is actually going to take care of it, because basically what you'd have-, so actually, I'm going to go to another machine here. So this machine I've got up at the moment is Hybrid Domain Joined. I'll bring up something just a little bit technical to show you what's happening in the background. Oops, no, I don't need it elevated, I just need a normal one. If I run dsregcmd, this is all about registering the device for the Hybrid Domain Join etc.
What we'll see with this device is that it's both Azure AD domain joined and local domain joined, and what I then get when I sign in with a synchronised user, and this is AAD Connect which is predominantly going to be doing this, is I can then have my SSO status saying I've actually got the Azure AD primary refresh token that's been provided to me already. Ultimately, the best way of doing it, and probably the simpler way without going to the full Hybrid Domain Join, is just having AAD Connect in place, and with AAD Connect you have the option of enabling Seamless Single Sign-On. I could probably set up another server, but ultimately in the configuration of AAD Connect, if you look at the authentication options, there is an option to turn on, literally a tick box that turns on, Seamless Single Sign-On. What that does is, when a user signs in and they're in the presence of a domain controller when they sign in, Azure AD will go, 'I can see this box has been ticked, so rather than me questioning you for authentication, I'm going to question your tokens and what you've already done to sign in.' So it goes off to Azure, it goes back to the device. The device goes, 'I'll validate myself against your domain controller. That's proof that I am who I say I am,' and then I can go ahead and sign in. There are a few more flows to it, I've oversimplified it a bit there, but that's how that can work. So if you're in the presence of a domain controller, it won't challenge you for authentication because you've already validated yourself. If you're not in the presence of a domain controller then it will ask for authentication, at which point this is where the Hybrid Domain Join can say, 'Well actually, if I'm not in the presence of a domain controller, I've also got my Azure AD sign-in done at the same time, so I've got that single sign-on piece done as well.'
So it creates this wonderful user experience and trust in the device and all the rest as well. The other aspect of where that can come from is you might actually have MFA just enforced by default, and rather than using Conditional Access to enforce MFA, you've got the older method of enrolling that we used to do, which means that it's not a per-use MFA and users are just being challenged all the time. One of the ways you can get around that, as I said, is to force the user to enrol in MFA via Conditional Access, or the other method is to use Windows Hello. Windows Hello is effectively seen as an MFA sign-in, and when Microsoft pushed out Windows Hello we saw five times fewer security prompts when we first turned that on. We have further improved that and we've made it reasonably seamless now. So, okay, sorry, the next question just came up. Hopefully that answered your question there, Jonathan. So Gary's just put a question, and it goes, 'I use Azure AD join on council PCs without additional MFA challenges as long as the user is signed in. Is that strong enough if we don't allow BYOD?' Well, Azure AD is actually giving the device trust because it's been part of Intune and you've got the MDM policies and all the rest as well, so device compliance will go with that. What I'd also say is that if users are just signing in with username and password, all you're relying on there is device trust. I'd be looking for additional factors. So at that point I'd be looking at something like either Passwordless or Windows Hello, and Windows Hello in the shorter term. And again, Windows Hello is an MFA sign-in, so they can obviously give the biometrics on the device, so that's just looking at the PC if it's a Surface or something like that, and there can also be a PIN.
This is why we say a six-digit PIN is more secure than a 20-digit password: that PIN will only work on that device, so when they're enrolled into Windows Hello the device has become the second factor of authentication.
Okay? So, from the BYOD perspective, what you can then say is actually, if they're not on a managed device or something like that-, yes, sorry, just the next question. So yes, devices for Windows Hello too expensive, I get that as well. Is PIN okay? Yes, PIN is okay. As I said, you require MFA to set up Windows Hello, so the user will need to be enrolled in MFA and that kind of stuff to start off with, and when they enrol the device they have to give their password, then they get the MFA prompt, and at that point we actually rely on the device having a TPM rather than having any kind of biometrics. Asymmetric-, it's basically OAuth authentication at that point, which means there is a key stored on the device and a key stored in the cloud. A private key in the cloud, sorry, public key in the cloud, and it all just works basically. We can go into a lot more detail and we can follow up in another chat on that side. Yes, so obviously Imran needs to drop, so we'll just get that side of things. Any other questions around devices, or endpoints, or Hybrid Domain Join, or anything along those lines? Any questions around Intune, co-management, anything like that before I move on? I can't see if people are typing or not, I'm afraid; questions are just appearing. Do leave it in the chat and, if we've got time, I'll pick it up afterwards. Okay, so the next one, jumping into threat protection.
Moderator: Chris, perhaps then we could arrange to just give people a chance to grab a coffee before we go on.
M: Oh, yes, sorry. We're actually slightly ahead of schedule, so if people want to take a five-minute break-, I just want to make sure there's lots of time for questions at the end as well.
But if people want to take a five-minute breather now, that should keep us on schedule as well. If people can be back online at five to, just stay on mute or something and come back online at five to. So we'll just pause for the time being.
M: Cool. Right. Diving in, I'm just going to talk about threat protection. So of course we always speak about Defender for Endpoint, and this is an E5 technology, but as of March this year we released an E3 version, which is basically a cut-down model of the threat protection component. This fundamentally solves the biggest problem that we had with Microsoft Defender, and that's centralised control and centralised reporting. So yes, we were able to do it with the SCEP agent, but, speaking as a Microsoft employee, the SCEP agent was something. It may not have been the best option and there were definitely better things out there, but with our next-gen protection and the Attack Surface Reduction rules, which I'll go through as well, Microsoft is a legitimate player for security. We have gone from Windows 7 being, 'Well, why are you looking at Microsoft for security?' to, with the Windows 10 offering, 'Well, why are you not looking at Microsoft for security?' I'll detail how that security works, but most importantly, you've got this in your E3 licensing. There is no additional cost for you, so if you're not using an EDR solution or something like that, and you're also not using Defender, yes, I can make quite a controversial statement, but there is a chance that you may be spending money for the sake of it. We are at the top of the AV comparison tables and all the rest; we're always on top of those tables. It is a very functional, complete antivirus and I'll tell you why shortly, as we detail how it actually works. Okay? But I just want to talk about threat protection as a whole, in terms of what you have from an E3 perspective. So we take this from a pre-breach scenario.
So first up, we'll take things from off-machine. We have Office 365 protections in place, and that's predominantly reducing the e-mail attack vector with Exchange Online Protection. I would say Exchange Online Protection on its own probably isn't adequate in today's world. I would be looking, even if it is not Defender for Office 365, which is obviously our more advanced version of it, I would be looking to make budget for another secure e-mail gateway. Basically, Exchange Online Protection is signature-based protection, and in today's world that's not enough. So if a new threat comes in, a zero-day, or anything that's got a level of sophistication to it that can't even be detected as a threat without sandboxing or anything along those lines, you need to make sure that you've got budget to look at that side of things. Again, Exchange Online Protection on its own is not enough. But in saying that, there are still some really cool features in Exchange Online Protection, predominantly transport rules and the common attachment filter. So this allows you to understand what's actually coming into the environment and put some controls and flows around it. You can say, 'We want to block known ransomware file types,' as an example, and that's both inbound and outbound, because outbound we want to stop an attacker from actually stealing any data if the worst has happened and you have been ransomwared: stop them stealing it later and blackmailing you, or somebody going, 'Oh, I need this file,' and then forcing you to pay for the file or something along those lines. Basically put that kind of stuff in place. So just something to put in place-,
Sorry, just as another point on there, the protections you'll get with Office 365 for SharePoint, OneDrive etc. under E3 specifically, that isn't even reactive, so it just runs periodic scans, every half hour, every hour or so, something along those lines. So it doesn't even scan upon upload, and again, that is signature-based detection. As we look at the E5 stuff next week, we'll tell you how we actually deal with that properly with Defender for Office 365. The other side of it is looking at some stuff we can do with Edge and things like that, and reputation-based blocking. This is one of the few times when we would actually give you access to the Intelligent Security Graph under E3, and the Intelligent Security Graph is basically our huge threat intelligence and all the rest from what we have at the back end. So using application control we can say, 'Okay, if this app has a low reputation,' i.e. there are known vulnerabilities in there, or it's been reported as having malicious software or malicious code, or it's actually failed our own tests or whatever, then we can stop that app from executing. So lots of great controls we can put in place to make sure that malicious code does not actually reach the device in the first place. Then of course, going on-machine, we've got a whole bunch of controls we can put in place. We can lock down devices entirely; this is not great for laptops but great for kiosk devices, or perhaps if you have fixed desktops, so you still actually have workstations or whatever else. Then it's great to say, 'Right, actually, we can use these kinds of application controls,' Application Guard along with Defender Application Control etc., to say, 'Only these apps can actually execute.'
Again, take that from not only happening in Edge but actually happening for applications as well. The Credential Guard side of things, for those who haven't got this turned on: this is a Windows feature. You don't have to have-, if you've got another antivirus that's not Defender, fine, whatever else. I cannot recommend enough getting Credential Guard turned on. That goes hand in hand with System Guard as well. To give you an idea of what they do, Credential Guard basically takes stored credentials, or what we call the hashes of credentials, and stores them in a separate area on the device, in what we call Virtual Secure Mode. That's something running in parallel to the kernel, so it's isolated entirely from the rest of the computer. It basically means that if an attacker gets on the machine and uses a tool to get hold of those hashes of credentials, which is what they do to jump on to the next computer and the next computer and try and find ways into your domain, it returns null results for them and they can't use that. It will heavily frustrate an attacker and make lateral movement incredibly difficult. On the same side, I have worked in the public sector for a very long time and I fully respect the legacy app estate that a lot of councils still have, practically every council still has actually, so there will be just a bit of testing to make sure it doesn't break any applications when things get put in place. The Application Guard bit, we can do that for Edge; that's what you can do under E3. So you can basically say any app that's not trusted, sorry, any URL that's not trusted, we can force into an Application Guard window, and that's effectively an isolated browser. Very important to note there is no single sign-on or anything like that.
It is a completely isolated browser, but it means if anything detonates in there, like some ransomware or whatever else, it detonates only in the browser. You close the browser, it's gone. It hasn't touched the machine. So again, very powerful controls. I would consider having your admins use that when they're doing their admin activity, because that's all recorded at the back end, but it means that if the machine is ever compromised, there are no tokens or anything else in those sessions that can be replayed for the attacker to gain control. So just really powerful little controls you can put in place. But the most important one I'm going to talk about here is the Attack Surface Reduction rules. The Attack Surface Reduction rules, again, you can control via Intune, via Group Policy or via SCCM. Fundamentally, they are a Windows feature, and this is one of the differences between Pro and Enterprise, so you need to have Enterprise to be able to use Attack Surface Reduction rules. The best way I can articulate Attack Surface Reduction rules is to use an analogy. So pre-9/11 we could take as many litres of fluid as we wanted on a plane, and we know nowadays that can do a lot of damage, or whatever else it might be. Post-9/11, you can only take 100ml of liquid on a plane. So yes, something might still happen, but the effect of that attack has either been completely muted entirely or reduced to the point where it's at least very containable, because it's such a small amount of liquid.
The exact same applies to the Attack Surface Reduction rules. We're trying to stop the attack before it starts. We're trying to wipe out entire classes of threats. No, we're not going to do that 100%, but we're going to frustrate attackers no end, so we can say, 'Okay, for macros, we will allow a macro to call upon Office applications, but we won't allow it to call upon other applications such as PowerShell or some other random code that somebody might have put in that's actually malicious.' And we can put all these into audit mode and have controls in place, and I'll tell you what that looks like as well. But one that's definitely worth calling out is Controlled Folder Access. Controlled Folder Access sits under our Attack Surface Reduction rules. What it basically says is that for the defined directories, only core apps or apps that you define can actually write into those directories. So you can say for My Documents, for example, the local documents or the OneDrive cache or whatever else it might be, or a network share or something like that. I'll detail what that looks like later on, but you basically say unless it's an app you've agreed to or it's part of the core system apps, it simply can't write in. So if ransomware, for example, the malicious code, the actual ransomware executable itself, tries to write into those directories, it's simply blocked from doing so, because what Controlled Folder Access is doing is saying, 'You literally only have read access to the directory, you have no write access or any other permissions at all,' and you basically do that on a reputation and trust basis and things along those lines.
So again, from a ransomware perspective, if you say you've got your crown jewels, which is your actual data, that's what's going to be stored in your documents or in OneDrive or anything else that's going back to the network, and that sits within your castle, and the castle is the endpoint. Yes, the endpoint might burn down, with Controlled Folder Access, should it be hit with ransomware, but your crown jewels are going to be safe. You can rebuild the castle; recovering your crown jewels is going to be impossible, or at least very, very difficult, especially if you're at the point of being hit with ransomware where they've probably affected your backups and things along those lines anyway. Okay, cool. The next one, as I said, is the next-gen AV, and when we refer to next generation I appreciate that sounds like a marketing buzz term. What we're effectively saying is this is actually pulling on the cloud. So we're going beyond the endpoint itself, and we're not relying just on what we see on the endpoint; we're actually bringing a vast amount of computing resource to bear, and I'll go into in a moment how that actually works and why it's so powerful, but again, we're at the top of the tables for a reason now. We've gone from, 'Why are you using Defender?' to, 'Why are you not using Defender?' Okay, so the other side of it is, of course, we've got OneDrive with versioning controls that you can put in place, and the versioning allows for one-button restore as well. So you can go, 'I simply want to roll back to yesterday.'
So if you were hit with ransomware, the worst has happened, we don't have any of these other controls in place and it's actually got to the end of the line, so to speak, then we can simply say we've resolved the threat and do a one-button restore, and it simply restores OneDrive back to the previous day. So a simple click, and just use version controls etc. to be able to do that. You can script that to do it for SharePoint etc. as well. I appreciate we're going to open up a can of worms around backups and things along those lines, but this is a way of saying, 'Well actually, with enough controls in place, to have these kinds of mitigations and still have the ability to roll back, it's a cost versus risk versus effort conversation,' on whether you want to put backups in place, what your SLA is to your end users, how far you can go back with backups and things along those lines.
So I just wanted to put that kind of stuff in place and let you know what you've got under E3. There is an extra bit in here, and that's post-breach detection for EDR, but just to stress, that is not an E3 technology. So if it comes up as Defender for Endpoint, Plan 1 is your E3 and Plan 2 is your E5. Okay, just to really stress that. So, just to emphasise how the email actually works, sorry, not email, how the attack actually works. So we have an email, for example: a phishing email has come in, the user has opened an attachment and malware has hit the PC. So at the point an infection is detected, Defender for Endpoint has removed it on the endpoint wherever possible, and we have several ways of doing that. It also depends on the version of Defender for Endpoint, but under E3, first we're going to use signatures on the device. They come down as part of Windows Update; they come down twice a day. You don't have to install them twice a day, but they come down twice a day. What it will also do is some kind of scanning on the machine to see how the file behaves, to see what we can deal with. As we go into Plan 2, we can do full sandboxing on the local device and do deeper checking and deeper heuristic scans and that kind of stuff, but there is an element of that we still do under E3.
But most importantly, we don't rely on the endpoint to be able to stop it, or on what the endpoint actually knows about. What we have is the big cloud at the back end, which we call the Intelligent Security Graph, and you are benefiting from every single Microsoft customer that is using the Intelligent Security Graph. So we are pulling in data from all over the world, from literally billions, I mean billions, of endpoints, okay? Of what we see and what we know is good, bad or otherwise. So if something has hit the device and we've seen it and gone, 'Right, I'm not quite sure, it looks bad, it's behaving in a bit of a bad way, but I don't know if it's bad or not, I can't make an informed decision,' first off it goes off to the Intelligent Security Graph and asks, 'Right, have you seen this before?' It goes, 'Yes, we have seen this, you just don't have the definition update for it yet, so this is how you stop it,' and we'll send down the definition for you specifically and kill it then and there. So definitions will kill it in milliseconds; this initial response will kill it in probably one or two seconds, if you can't deal with it otherwise. Then it goes, 'Actually, we don't know about that, so it's completely new, so we're going to request the metadata of that file, and a sample of it.'
So optionally, you can send the quarantined file up to the endpoint, and we then do a deep analysis on that and throw a vast amount of compute at it to work out if it's good, bad or otherwise. We time-warp one of the machines to see, does that actually detonate at a later time, is it just sitting there inert to try and avoid detection? We do it in lots of different setups, physical and virtual machines, to make sure it's not trying to circumvent detection etc. At that point it's checked and detonated and a new signature is generated: 'Right, that's how we stop it, and we know now what to do.' So as soon as that's sent down to the endpoint, it goes, 'Right, does this work, does it block it?' Yes, it blocks it, it's all good, the file has been blocked. The next machine comes along, which has also happened to receive the same threat. It goes, 'Right, actually I can't deal with it locally because I don't have the definition update yet.' So right, let's take the metadata of the file; the metadata goes up and the cloud goes, 'Yes, we know about it,' and stops it straight away. Done, literally a second or two to have done this. So we've gone from milliseconds to a second; this bit may take up to a minute, depending on the size of the file and on the bandwidth available to you, and obviously however long that update takes, but as I said, the file is quarantined until it's actually dealt with or a proper verdict has been made about it.
But this basically means that all of that is then essentially reported etc. as well. So this basically means, as I said, just purposefully picking on New Zealand as it's the other side of the world, a zero-minute threat, it protects them. The moment we've learned about it we replicate it, and the Azure network is pretty quick; you're protected from it without any updates, without any changes or anything else. You are protected from that malicious code basically, if you happen to be victim number two. It's just as somebody goes, on either side of the world. Not realistic, but I'm just saying you've still got that amount of protection anyway. And again, this is why people have gone from, 'Why are you using Microsoft for security?' to, 'Why are you not using Microsoft for security?' basically. And it's this cloud-powered protection. So this is in Windows 10 and above. For Windows 7, for those who still have the odd machine, if you use Defender for Cloud to protect it, there is an updated agent that we can put down, which has to be Defender for Endpoint Plan 2 as well, as part of that agent. But we will bring this control, this cloud-powered antivirus, back down to Windows 7 devices as well, along with Attack Surface Reduction rules.
So, going into a quick demo, I'm just going to cover off a few things. First off, sorry, I'll move away from where I was. So if I go into my Intune and go into Endpoint security in Intune, and then go into my Attack Surface Reduction rules, I'm just going to create a policy. I'm going to say it's for Windows 10 and above and I'm going to save it as my Attack Surface Reduction rules here. So this is just going to be 'LGA demo'; I can give that a description if I wanted to as well. Then I've got my configuration settings, so this allows us to put in-, we've got sixteen controls and then the bits for Controlled Folder Access. So basically seventeen controls that we can put in place effectively. And what these can do, they speak for themselves in what they do. You can learn more and dig up the information on them individually, but whenever we go to enable these we can put them into several modes. So obviously off, where you categorically want it disabled, block, audit or warn, and we can do this for all of them. So block obviously means that if this threat was met, so Adobe Reader tries to create a child process in this case, we can block it. We can also say audit it, so we don't block it, we don't affect the end user, we just see what happens. So we have visibility of what happens in reporting, but the end user is not affected at all.
And of course the warn one has an override going, 'Are you sure you want to allow this?' You know, and put that kind of control in place. Now, the audit control is where I would put all of these to start off with, if you haven't just started with attack surface reduction rules yet, and yes. So, so just a quick one for Gary, just, just to reiterate, I know I was going to answer questions later on, yes, you can control these via Group Policy or via SCCM as well. This is effectively a Windows feature and you control it exactly as you would do a Windows feature. Basically I'm using Intune because that's what I've got available for demo, okay? And obviously I'm, I'm always going to show Intune anyway because that, that that is a feature. So, what I would recommend is getting all of these turned on in audit mode. So, because the, these can actually have far-reaching impact, hopefully it will be minimal but they can have impact and you might have to deal with exceptions. So, kind of, controls that we get-, kind of, things that we would see in the public sector is to say, 'Okay, here's a, a very complex finance, finance macro for example,' and usually it will have to run overnight or something. And it calls on one sheet and it calls on another sheet and it calls on another sheet. So, if you said, 'Actually we want to block the macros,' obviously you're going to break that on that device, so you want to have proper controls in place.
And if you put it in warn mode, then you want to say, 'Well actually, there's something else happening here.' You know, also it's going to interfere with the end user and they keep having to say, 'Yes, I agree to the next one, yes I agree to the next step, yes I agree to the next step.' And obviously you'll frustrate them no end at that point as well and probably really slow down the process. So, put these in audit mode and understand where there's going to be impact and then if you can't enable it on those devices specifically, so you have exception groups and things like that as well, just make sure there's proper controls or proper visibility or extra reporting or whatever it is for those devices because they're the ones that are potentially going to be susceptible to, to, to not have these kind of controls in place. And as I said, we can also have the-, you can also put the controlled folder access in place as well, and we enable that. We can say we want to protect these folders, so I can put in, you know, CR2, you know, folder. Whatever else as well. And I can also have my G drive or whatever else as well. Now, what is really worth pointing out here and, and the way how controlled folder access works is effectively what you're creating here is your blacklist. So, if I put in C, path to folder, that would block it. If I went back, back to this localhost, C dollar, path to folder, that isn't in my blacklist.
So, there's a way, you know, that would be a circumvented control, so to speak. So, just make sure you put in the variations of the paths as well. So, just to make sure that someone else doesn't try to circumvent it, especially for the most important-, the more important data. So, people try and use the, the admin dollar shares and things like that as well, just make sure that they're added into here as well for the actual blocklist as well. But as I said, the controlled folder access for me is probably one of the-, it's your last line of defence in ransomware. Because what you're basically saying is, is I, I want to stop the ransomware just writing in there, to the directory. Yes, my machine's hit but I don't want it to actually take any further, I don't want it to do any more damage basically. So, big controls and things like that as well. And then you say what folders, so what applications are then allowed to write into that, and I put in the C, in this case, it would be CR2.exe, you know? The .exe or whatever else as well. But that, that's basically how I control that and put those, kind of, controls in place. A lot of testing required with these things, but as I said, we can potentially wipe out entire classes of threats. We can make, you know, the, the, you know, the most common vectors of attack via macros or whatever else as well.
We can make them very hard to actually use, we can make the user scripting in that lot very hard, or script-based attacks to be very hard for an attacker, if not impossible. I'll never say truly impossible, because, you know, where there's a will, there's a way, but at least you're going to frustrate the attacker to the point that it's just not worth their time, you know, to try and do this, and put something else in place, whatever else as well. Which again, makes sure you've got other bits to circumvent it, so you've got alternatives, as I said, you can do backslash backslash, you know, localhost, backslash C dollar, you know, R. Oh, make sure all of that kind of stuff is actually in place, to make sure you're properly protected basically. And you can obviously import a list or whatever else as well. It's worth pointing out the core system folders and that lot are, are automatically protected, and the core apps or Windows apps are also allowed to write in as well. And if you do put controlled folder access in some places as well, that may break scripting into that directory as well. So, if you're trying to use PowerShell, something like that as well, to update a directory or do some changes or whatever else as well, you may-, controlled folder access may block that from happening, okay?
So, just, just be aware of the controls and limitations, but I would rather have the little workarounds and slight admin headache, rather than actually having to deal with ransomware, should I be hit. And the aftermath of ransomware as well, okay? So, just want to put that in place as a-, just as another quick thing to call out as well, and again, a new feature that we put in, I've now gone into the security console and I am looking at these enforcement scopes. So I've, I've-, so I've gone into settings, gone into endpoints, to these enforcement scopes, and what I can do is start applying policy that I've defined in Intune, so my security policies specifically. So-, one sec, cancel that, so my security policy specifically, so I've got my file exceptions or other exclusions and other things, bits and pieces I want to put in here. I can say I want Defender for Endpoint to actually be the enforcement agent on that device. So, let's take a look at library computers as an example, that might be a separate network. They're not controlled via your SCCM, there may be licencing issues around Intune or something along those kind of lines or some other controls. So, what we can say is actually we can use-, we can use Defender for Endpoint to actually enforce the security controls. Which basically means you're, you're bringing everything back to a single pane of glass. And what you may notice is that we've also got Windows servers here as well.
So, we can actually apply those security controls which are typically managed by SCCM or something separate as well, and literally we have a single pane of glass to actually develop all our controls. So, this is where we actually apply our controls in one location, and this is where we can enforce it. And we've also got to say we want to take that, that config management control as well and apply it to, to these other devices. So, we can create policies and say these are for config manager and then I can scope which devices this actually affects and things like that as well. So, it's very powerful and obviously the tags would be the tags that I've got in Defender for Endpoint, okay? So, just a really powerful control. Cool, so just before I go into demo then, go into questions, sorry, just come back on here. Let's just leave that on there, and leave the, the questions up on the screen there. So, 'As well as blocking folder write access to prevent extortion by way of encryption or deletion of data, is it possible to restrict read access in order to prevent unauthorised release of data, threats or extortion?' That's going to be your, just permissions and ACLs that you apply to the directory I'm afraid. We can go another step and actually start applying, for that more sensitive data, that's when we'd be looking at Microsoft Information Protection and potentially doing individual document encryption.
I appreciate that's a big headache and a big change for a lot of organisations, but if that-, if your data is that, that much of a concern for you, I would heavily recommend having controls and all the DLP controls etc. that go into that. And as I said, this is your, you're at the point of-, if you're at the point of people being able to-, an attacker being able to do reconnaissance and read data and do, you know, directory enumeration and things along those kind of lines as well, you're already in a little bit of a world of hurt as it is. And we can talk about more of that with E5 I'm afraid next week, as we look into things like Defender for Identity and things like that, what's actually happening. But the short term and the quick fix is going to be your ACLs and making sure they're correct. And then the medium term bit under E3 would be individual document encryption basically. So, even if the data is, it is taken, you know, or something could enumerate the directory, they, they wouldn't have authority to actually read into that file, okay? Are there any other questions we've got on here as well? So, so, yeah, already answered the attack surface reduction rules as well? Are there any other questions that people have? If not, I'll move on to the last section, and as we talk about controls in Compliance and Governance. Okay? So, first one, some terminology setting, just because there are some misnomers, I think, in some of our names. I just want to make sure they're down correctly. So, the first one is the sensitive information type, and what we mean by sensitive information type.
So, the name implies that it's directly related to sensitivity labelling, and yes, it can be used for that, but what the sensitive information type effectively is, is the pattern of information that we use to look for data. So, the example we always call out is because it's so easy for people to understand and very easy to articulate as well, is the credit card numbers. So, credit card numbers are typically fifteen or sixteen digits, depending on if it's Amex or Visa or whatever else as well. They're generated using a specific algorithm, which we can match to as well, and then, you are going to have other patterns around it, such as expiry date or the words Amex, Visa, or whatever else as well that might appear around it. So, what the sensitive information type is doing is actually looking for that pattern of data, and you get to define that, and under E3, we have a whole bunch of them that exist out of the box, and I can go into that in, in demo, to show you what they look like as well as the end, but we also have your own ones that you can define, and you can use that as just, basically, key words, but you can also put in regular expressions as well, and as the old saying goes, 'I had 99 problems, I used regex, I've now got 100,' but it's-, it allows you to define there, obviously, great patterns, patterns of data, however simple or otherwise.
The ones we have out the box are things, are, are, are most of the PII data. So, we can do things like full names, full addresses, as in, 'I live at, like, 123 some street, somewhere.' We can put in IP addresses, National Insurance numbers, we can put in, you know, all of your credit card numbers, driver licence, passports, loads. I mean, there's loads and loads and loads that we have out the box. I think there are 340 now, I think, or over 200 at least, anyway. Some of those affect other countries, or a lot of those affect other countries, but there's some that are going to be directly relevant there. The other thing you can do with a sensitive information type, and this is specifically for DLP as it currently stands, so you can put a control in at Exchange or SharePoint under E3, is that we can do something called a document fingerprint, and a document fingerprint, basically, says we take the template of a file, such as an invoice template or something like that as well, and we don't care about what data has been put into that invoice template, we care that it's been built on the template. So, we can then use that to say, if anyone tries to share this specific form, or whatever else that might be, whatever template-, whatever document's been built in that form, if it matches that, then you can apply appropriate control to it, i.e. it's not allowed to be emailed to anyone that's not got a .gov.uk address or it's not allowed to be sent externally or what, whatever it is, you know? You, you, you know your data and your appropriate control to apply to that as well. So, sort of, set that first bit of terminology. The sensitive information type is what we use to, to-, it's the pattern of information that we're looking for, basically.
The next bit is then going to be a sensitivity label. So, this is, basically, where we talk about classification, labelling and protection. So, with a classification-, with a sensitivity label, what we're effectively doing is saying that this document is important. It has-, it has some form of sensitivity or we want to apply a control to that document. So, we would have things like, you know, we, we mark it as being confidential or something like that as well, and what that's going to do is stamp a bunch of-, stamp a bunch of metadata into the document, I can show you what that looks like as well, into the document. You can then apply controls around that metadata. So, even if it's coming from on-prem, it's not part of the Office 365 content index or anything like that as well, then we can put some great controls in place, and then, we also have the retention label, and the retention label does exactly what it says on the tin. It's there to retain your data, basically, and under E3, you can then say, 'I want to retain the data for this period of time, and at the end of that retention period, I either want to delete it or just maintain the document, or, or, you know, just maintain it, basically.' So, if it's deleted, it's deleted in the future, if not, I've retained it for as long as I need to. Just as a quick note on that retention labelling, please do not be afraid of the delete button. So many organisations we go to, and that's not just public sector, it's everywhere, I can make quite a broad, broad sweeping statement to say at least 80% of your data is just completely useless to you.
You've hoarded it, you've been afraid of the delete button, it's a just in case and, you know, that data risks becoming toxic as well, because someone does a-, does a DSAR or freedom of information request, like, fifteen years after they left, 'Why are you still holding that information on me?' and if you can't justify it, and there isn't a justifiable reason for you, that may be seen as a breach or something like that by the ICO or something along those kind of lines. So, do be used-, be sure to use the delete functionality in retention labels as well, to keep you compliant as well. Okay, but just want to respect taking a step back, it's, obviously, great we've got the Office 365, the Microsoft 365 bits, but I just want to respect where people are in their journey and where they are today, basically. So, and that's, basically, still having a lot of data on-prem. There's still, generally, people have either started the journey, some in there-, across public sector, there is a, a varying, varying degrees of maturity. So, some people haven't even started this journey yet, other people are, are enjoying the benefits of actually doing away with their-, the on-prem file shares and things like that as well, and enjoying the cloud, and that side. So, there's some great tools that we have, and one of them's called the Microsoft Purview labelling scanner. Formerly the unified labelling scanner, formerly the AIP scanner, so sorry for all the rebrands, but it's all pretty much doing the same thing, just depends on the type of label that it works with. So, what we can do with the unified labelling scanner is actually map out your network. So, we can go and say, 'Right,' you, you give it repositories. So, you say, 'Right, this is the, you know, \\server\share\filepath,' or whatever else as well, but you can also go, 'Go and find any other shares that I don't know about.'
Yes, it won't be able to find dollar shares, but it can still find other shares that you may not be aware of on your network, and if that, that share then contains sensitive data as well. What we will then do is inspect that document or inspect it to say, 'Right, does it actually meet-, does it contain any sensitive information types?' So, as we talked about earlier on, like, does it contain credit card numbers? Does it match-, you know, does it contain addresses or other, kind of, PII data?' whatever else that might be, and what you're able to do under E3 is say, 'Right, actually, tell me everywhere that data resides,' and we'll split it out into a CSV output that sits directly on the scanner. They can then say, 'Oh, actually, in this directory, this is all the data that we've got.' What you can then do is use that information to-, under E3, to manually classify the data. You can do the sledgehammer to crack a walnut and use PowerShell to, to classify it. If you use PowerShell to classify the data, that will update the, the last edited, well, last accessed marker on there. If you did have E5 and wanted to classify the document on-prem before sending it up as well, we'd honour the last access date and the last modified date, etc. as well and keep that in play, and of course, that then means that you can then protect the file as well and make sure that the right people have access to it. So, even-, so, basically, the-, because the protection is embedded into the document itself, it goes way beyond what an ACL can do, so even if that document is copied and pasted onto another drive, you know, a, a-, if you allow access to USB or whatever else as well, and take that elsewhere in the world, that will allow you some very-, allow you to actually have control over that data, full stop. So, it's all certificate driven, so you can block access to that file any time you see fit, and also, change access to it, etc. as well. Okay?
So, just as a quick bit on the-, just to go over that scanning bit as well. So, again, we can scan from prem. So, when we install the unified labelling scanner, it, basically, you ideally want to put it in the same subnet as the files you want to scan or the repositories you want to scan. It will drag the file across the network and analyse that file, and make sure-, and see if it meets any sensitive information types, and then, basically, under E3, it will just drop the file, and then, just, basically, record that it matches the sensitive information type. It's not going to map out every single file and folder that you've got, because if it doesn't contain it, it doesn't care about it. If it doesn't contain a sensitive information type, it doesn't care about it and just drops the file and doesn't even record that. So, you can't use it to map out-, you, you have to use other third-party tools or something else as well to get all your files and folders, if you want to do it based on history or length or whatever else as well but, basically, this really allows you to find where that sensitive data resides and then, again, you can then choose that to protect your data and put other controls in place, whatever else that might be as well, and that's, basically, you can do that via Office 365, directly to the-, to the Office app, and that includes the web apps as well, or use the native-, native labelling client, basically. So, that's a native client on unified labelling client, so that, that the, the Office client, under the native labelling, as we call it, so it's, basically, natively built into Office, that's our direction of travel, at the moment.
We'll keep the unified labelling client, because that allows you to do, you know, right-click and encrypt everything in a directory or something along those kind of lines, but that, basically, means that you just have to keep Office up-, reasonably up-to-date as well, new features for, for MIP, or Microsoft Information Protection, are going to come down directly into Office directly, just to put that into place, but the really cool thing about the unified labelling scanner, especially where people are, at the moment, is there's that really big headache that everybody has to go through of, like, 'Well, what is my information architecture actually going to look like as I move into SharePoint, or to another platform? Well, I want to get off my on-prem file shares and I want to move into a document management system. What goes where? Where does my actual sensitive data reside? So, how can I actually do some form of analysis on that on-prem data, so I can then choose what goes elsewhere?' Yes, so I get-, so, I'll get to that multiple labelling scanners in just a minute as well. So, but what it will then do is-, so, so, what you can then do is understand everywhere that sensitive data resides and prioritise it. Again, going back to that comment I made about saying about, you know, at least 80% of your data being absolute garbage to you, because it's hoarded, I always equate the easy analogy, and anyone who's been in my meetings will know I use this all the time, it's basically like mud and gold nuggets. So, how can you sift through that mud and find those nuggets of gold?
How can you do that quickly and effectively? And the, the labelling scanner's a very effective way of doing that, of digging out the majority of that gold. Now, the, the gold that it finds is what you're telling it to find. Basically how well have you defined your sensitive information types? What you actually use and that's what is actually going to-, what-, that's what it's gonna go hunt off and find. If it doesn't know to look for it, it's not gonna find it, basically. So, just, just be aware on that side of things. Now, the labelling scanner, yes there is a-, it, it auto load balances, so you, you can have multiple scanners. So, when you put the-, when you put the scanners together you group them in the-, in the software at the back end and you say, 'All of these are part of the same group.' So, basically they're nodes or whatever else as well.
So, what, what that'll then do is it, it works to actually give a repository to a group of-, sorry, group of scanners, and that group of scanners will then work out amongst themselves how they're gonna sort out the files and things like that as well, and, and what scans what and all the rest as well, be-, it'll be a single output. And yes there is a, a direct linear progression between the amount of nodes you actually put in versus how fast you can rinse through a, a directory basically, or rinse through a repository to actually find that data. So, the more-, i.e. the more resource you throw at it the faster you can go. Hidden in this-, hidden in this document, which we'll share afterward as well, I've put in some details around the, kind of, metrics that we see and the, kind of, speed at which it can do things etc. as well so you can gauge the performance etc. as well and how to optimise it etc. as well. So, the, the, the unified labelling scanner, so if I actually go into-, I'll, I'll go into-, I don't have-, so, I don't have the scanner actually set up but I'll give you an idea of what it's actually doing. So, if I go into-, have I got my compliance open? Nope, don't have compliance centre open. Just bear with me a second.
So, the unified labelling scanner itself, I'll dig out an actual link for it. In fact I've, I've got this as part of my-, the dark to deployed work that I do as well. So, if I do this, so just bring up the, the right spreadsheet. So, what I've got-, so, this is-, we'll, we'll go through what this actually means shortly if anybody wants to know what I'm sifting through here but as part of that unified labelling scanner, that discovery piece, I've put the links in to how you actually get this turned on and how to get it deployed etc. as well. So, just opening up in another window here. This will tell you what it is, how it works, everywhere it's going, probably all the details you actually need to know, how you can get it to run autonomously and keep loop-, looping round etc. as well, but it then goes through the deployment prereqs and how to get it installed and set up and all that kind of good stuff as well. You might-, there-, this-, these are rabbit holes, by the way, so there is-, it, it can be a little complex in the initial setup but once it's done it's just easy to add more, more scope-, more scanners and more nodes etc. as well. Just something to be aware of there.
So, I'll, I'll drop that link in the chat right now just so people actually have that and they can take it and how to actually get it set up. Fundamentally you install a Windows server, you install some-, a specific bit of software which happens to be the unified labelling agent and that, that also includes the scanner as well. You might wanna hook it up to a SQL server at the back end. It can use a SQL Express but you-, given the amount of files that non-public sector have you, you-, it's-, a proper SQL is gonna be required, or full SQL's gonna be required, i.e. not just Express. And at that point you can then give the repositories and get it all set up and go in whichever direction you need to go in as well, okay? So, so can the unified labelling scanner identify PII in Access databases? I don't think it goes into Access, I'd need to double check because-, I-, I'd have to double check that one, 'cause I know it definitely goes into Word, Excel and all the rest as well. I'm not sure what it actually does with Access. I'll get back to you on that one, but we-, we'll take that action offline. Cool. Are, are there any questions?
I, I appreciate the, the labelling, that side of things, and the, the maturity around labelling and getting started etc. as well is a big headache for everybody, you know, 'cause it's, it's such a big, complicated thing. I'm just checking is there any questions that people have on there? Is there anything that we can help with? Or any, any advice that people are looking with-, looking for help with? If anyone's typing into the chat, what I'll do in the meantime is just, sort of, show-, just, sort of, show you the dark to deployed stuff that we've got. This is a, a process that we've created to help people get the, the, the most value out of their Microsoft investment. We, we do-, we really do respect-, actually, so, so before I get back to that, that's actually a really good question, so, Sally's just brought up here. Examples of labels used by other local authorities? This is something I've got the bit between my teeth with and I would love to work perhaps via the LGA or anyone else as well to see if we can actually create a standard set of labels that'll work well for, for local regional governments. They can be based on official or whatever else as well.
We as Microsoft can obviously help with the technology and we can help being a forum to actually create that in place and take ownership of that forum, but ultimately it's you guys that are gonna be, you know, accountable and subject to regulation and subject to auditing and things like that as well, so it has to be agreed by government as well. So, if we can have anything that's peer reviewed we can also, on your behalf, take that to someone like the Home Office or something like that as well and actually say, 'Right, this is what we actually want to have.' Yes, LGA and C-TAG, there you go, so on that side. But we would love to work with you on that side, you know, because we, we really do respect it's a really ambiguous subject, you know, and it's very much open for interpretation. So, anything that we can do that's more prescriptive, you know, the more it's gonna help people, and the more prescriptive it is the more likely you are to implement it and then therefore the more protected you are, you know, and the more compliant you are etc. as well. So, again we as Microsoft we, we can potentially help with that but ultimately, you know, it needs to be peer reviewed and agreed by you guys, and I say you guys as in UK public sector, as to what that actually looks like.
So again, the LGA and C-TAG can help on that side and it should be really good. Yes, so from, from a labelling perspective, and as you're just saying from, from the E5 side of things as well the-, where the E5 comes in is with automation around labelling. So, you can create the labels, you can push the labels out, but what you can't do is automatically label something. It's gonna be down to the end users to, to right-click and-, oh, well-, when I say right-click, or apply a label. So, if I go into Word as an example-, sorry, just opening up Word on another-, on another screen here. Bear with me for one sec. If I just do a blank document. So, this is obviously some of the Microsoft controls that we've got in place. First thing that we have is that I can apply a sensitivity label manually in here. What we've also done is we've put a sensitive-, the sensitivity label, so once I save that into, you know, I'm just gonna just put demoLGA in that side I can-, (1) I can force a sensitivity label on that. So, I'm gonna say this is non-business to start off with. I'm asking for a lower sensitivity to do this. I'm gonna say just doing blank document as part of a demo, 'cause obviously our, our teams will look at this.
Oh. So, I can change that and I can put that in place. So, once that's actually gone in and I've applied that I can now also do my sensitivity labelling up here as well. So, when I go to my varying controls and other bits around there so I don't have to always have it buried in here, it's always gonna be at the top basically. So, new controls you put in place, and you can see you can have it all nicely labelled and named and all the rest as well. What you also have as well is why, why would I choose this label? So, this has been defined by Microsoft as in our, our, our compliance people. So, as in for the Microsoft business not for the technology. So, I can choose, you know, what option I want to have in here, and as I put it in place it updates. So, not for public consumption or whatever else as well. So, lots of controls we can put in place there around those labels. So, I can do all of that under E3, those, those kind of controls, okay? But the really important thing, that, that unified labelling scanner I put in place, as, as I mentioned before, getting that in place and understanding where your file shares are now or where the-, where the sensitive data is in your file shares, for me that's the majority of the battle in actually getting this started.
What you could also do, if you are using Defender for Endpoint and things like that as well, what you'll have is you can-, you can get access to Microsoft Defender for Cloud Apps as well for the Cloud App Discovery under E3 as well. So, if I take a look at this site I-, sorry, just got a toolbar in the way, just get the way-, the right option here. Got my Cloud App Discovery here, and what I can do with my Cloud App Discovery is I can take a feed directly from Defender for Endpoint and go, 'Well, what devices are accessing what data?' So, I don't have much information here but I can see what machines have gone where, what transactions, what risky apps they've used, all that kind of good stuff as well and see where that data's going. The reason I put that together, and, you know, you can have this overall view of what risky sites-, so, if I take a look at discovered apps and things like that as well there's gonna be some dodgy stuff that I put in here for demos and other bits and pieces that I can put in there.
I've unsanctioned MSN just for demo purposes as well, but the-, I can choose where data is going, how it's being used and all the rest as well and I can take a look at this from a risk report and say, you know, 'Based on this I can see these you're hosting here conform to all of these-, all, all these standards that, that are gonna be important to me, and I can see which ones don't.' So, if I do something as well, so I may have some very dodgy things that I've put in for demo purposes potentially. So, this goes down to a five at least anyway. Yeah, so I can take something like here, so I can take a look at eBay for example, just the controls I have in place say it doesn't conform to all of these specific areas. So, they're, they're important to me, I can say, 'Well actually, I, I want to know about this,' or, 'I don't want to allow it,' whatever else as well. I can take this out into an executive summary report and if I couple that with where my sensitive data resides I can now quantify a problem that everybody knows that they had but didn't really know how to quantify. I.e. where does my sensitive data reside? Who has access to it? And how easily can it get out of my environment? You know, where's this data actually going?
So, when I actually put those two together it can really help build the business case to say, 'We need to solve this problem.' I, I know everyone's resource shy at the moment and budgets are tightening but it actually helps quantify saying, 'We need to solve this problem, otherwise it's just gonna-, it's just gonna lead to fines by the ICO,' or, 'It's gonna lead to an accidental data breach,' 'cause, you know, 'We just need to solve this problem.' And I appreciate they're not five-minute problems to fix, that is gonna, they're, they're multi-year journeys to actually solve that problem, okay? Cool. Final bit, as I said, I was just gonna talk about this dark to deployed. So, this is-, bit of a heads up at the moment, next month we have this cybersecurity awareness month, so it's something that we're just doing inside Microsoft, and there may be a few webinars and that lot to, kind of, come up. There'll be a companion guide to be able to go with this document, because it, it's quite a lot of information to run through, but basically what I've done is taken all the security compliance technologies across the entire Microsoft stack. So, that's E3, E5, Azure, stand-alone licences, all that kind of good stuff as well.
Broken it down into five main areas of high-level prereqs, identity, endpoints, threat protection, compliance and governance. Kind of what we've gone through today. And then you've got the licencing and the, you know, what type it is, whether it's a product or a feature, configuration, suggestion etc. as well. You've got the predecessors to work out, you know, what's-, what order to do some things in as well. So, for example to do self-service password reset I need to have done multi-, I need to have done multi-factor authentication, and in turn I need my identity in place and in turn I need identity object remediation. So, I've done this basically assuming a customer is entirely dark until they say otherwise, and what we wanna do is go down the list and fill in a priority, and as I've got the priorities at top here-, sorry, the priorities at the top here it's one, one, two, three, four, D and a W. So, D, it's done, it's deployed, you've got it sorted, W, work in progress, and then a one, two, three, four as your priority. So, one high, two medium, three low, can't-, four can't see a use for it.
And then you've got a, a finger in the air about the amount of time and effort it'll take to deploy, the impact it would have on the end user all explained in these notes at the top here. You know, take some comments etc., why you'll wanna use it etc. as well. What we really wanna encourage people to do is get the most value out of their E licencing, and we completely understand that not everyone understands what to search in the box 'cause it's a really big box. So, it'd be great to share this with you, or we'll run this through with specific customers as well, whatever else one might work out, to make sure you're really getting value out of your licencing. So, we'll follow up on this next month, and this is a little bit of a preview on-, to give you the companion guides otherwise it's just way too much information to do it on your own, basically. I've also got other bits like maps out to a maturity matrix and the summary to really understand how you're using your licencing etc. as well. We'll go into more detail on that later on. Do people see value and use in this as an exercise, either doing that internally or potentially us helping you with that as well?
Moderator: Yes, there's lots of positive feedback on that, Chris.
M: Yes? Okay. Awesome. We, we can share it out-, we'll share it next month. I appreciate it's a bit of a heads up but it, it's also that real bit to say, you know, we really do care about this deployment. It's not just we wanna sell you the licence and, 'See you later,' and leave you to it, you know, we, we really wanna take that emphasis of being a partner with you guys. So, this has been created to really help you maximise the value that you're getting out of your licencing, basically. Cool. Are there any other questions? I mean, it's open forum, whatever it is, you know, just please fire away and we'll see what we can answer. And yeah, yes, the, the, the spreadsheet, again, will be shared next month along with a companion guide.
I trust this has been a helpful exercise for everybody but we're more than happy to run this again or, or do something else. Again, we could do a session based on dark to deployed or something like that as well, and there is the E5 session next week as well.
M: Yeah, you did-, just wanna note a few-,
M: Yeah.
M: Quick bits on our next steps we've got up here as well just before people disappear?
M: Yeah, I'll just talk through these things, because these could be really useful for you guys. So, the first thing is the Enterprise Skills Initiative. So, this is a really good resource from Microsoft where it offers training courses and virtual classes and things like certifications for you guys. So, definitely worth, worth checking it out, we really recommend it. Helpful for training your, you know, your staff and your employees and yourselves as well. So, really worth doing. We also recommend having a quick search for Microsoft FastTrack online. Now, this is going to help you to deploy some of the stuff that Chris has been talking about today. So, he's talked about the theory, how you can do it in a demo, but to get some actual support from Microsoft ourselves FastTrack is the mechanism. Really, really good at getting those things turned on with expert support for you.
The middle one is also very, very good, I'd recommend it. It's a Microsoft-hosted group for local regional government. It's a Champions Group, and what we do is the aim is to connect all local authorities together, right? There is strictly no selling and no partners in this Teams channel, this Teams group. There's about 2,000 members of local authorities in there right now and the point is to share advice, share information, all that kind of good stuff just to have a-, have a discussion that way. And in fact if you have more questions from today that you may have-, may think of in the future feel free to join that group, I'll put the link in the chat, we can add you to that group and you can discuss with your colleagues and your peers across local authorities. And then lastly there is some Good, Better, Best guidance from the NCSC around Office 365, we really recommend looking at that as well. It breaks it down nicely and it even informs you on the licencing structure as well. So, worth having a look there. Brilliant, next week we'll have the call around E5, today was E3 obviously, so we'll go into more advanced technologies there, but aside from that all good from me. Thank you for joining.