Microsoft Ignite 2018 – Day 3 Summary

The only problem I have with coming to the Microsoft conferences is deciding which sessions to attend as there are so many great things to go and hear about. I had quite a few sessions planned for today so it was always going to be a tiring day! I have provided some key takeaways with photos and links where appropriate.

Home and Roadmap: Part of the new Microsoft Project

The first session of the day was focused on Project Home and Roadmap following on from the announcement on Monday. I won’t go into detail as my brother Paul Mather has already blogged a summary of the session here: Please do take a look.

What’s new in Windows 10 mobile device management

As mentioned before, I have an interest in device management so wanted to see what’s new!

  • How close are MDM policies compared to GPO? Microsoft carried out some analysis and have the following results:
    • 17% of customers today have parity with GPO and MDM.
    • 28% of customers have IE management capabilities. The recommendation is to move to Edge to have better control via MDM.
    • 28% of customers have a small gap where limited settings are missing in MDM.
    • 27% of customers have a large footprint of GPO settings that are missing in MDM.


  • The recommendation is to connect your on-premises systems to the cloud rather than a full on lift and shift migration. This is for the better user experience.
    • Active Directory + Azure Active Directory
    • SCCM + Microsoft Intune


  • Cloud attached / co-management is a recommendation if you have already invested in the on-premises infrastructure. This will allow for a smoother transition to cloud only in the future should you wish to. The last image highlights some of the benefits of co-management and cloud only.


  • Co-management Security baseline policies should ideally be set using the MDM security baseline for better compliance reporting and the ATP integration. If GPO Security baseline and MDM Security baseline policies are in place it’s recommended that the settings align.


  • If looking at moving away from GPO to MDM polices please take a look here for the migration analysis tool (MMAT) . The tool can be run on a domain joined device and will output a report showing the mappings to MDM.


Comprehensive endpoint protection with Windows Defender ATP

Windows Defender ATP should definitely be implemented to complement any security solution that you have in place.  Windows Defender ATP is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. Windows Defender ATP is agentless and built into Windows 10 for deep insights. More information on Windows Defender ATP can be found here:

  • Product updates that will be released soon include:


  • Windows Defender ATP integrates into Azure ATP and Office 365 Threat Intelligence


Combat advanced cyber attacks with Microsoft Cloud App Security

  • Cloud app security protects from threats and can be used for 3rd party applications as well as Office 365


  • Attackers will target across any workloads including IaaS, PaaS and SaaS


  • Smart filtering options can help search the audit logs
    • Username, IP Address, Location, App and Activity Type.
  • You can also show similar activities from the same IP, by the same user, country and time.


  • The current detections that are available today are as follows:


  • Enterprise integration
    • Add information from Cloud App Security to your SIEM solution


  • Cloud App Security provides you with the ability to ban apps from accessing users data in Office 365.
    • Filter options are available to sort for apps that require the highest permissions to help analyse those with the highest privileges


Control and protect your data through privileged access management capabilities in Microsoft 365

Privileged Access Management (PAM) allows granular access control to Office 365 tasks. After enabling privileged access management, users will need to request just-in-time access to complete elevated and privileged tasks through an approval workflow that is highly scoped and time-bound. This gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. Global Admins are still required to request access to tasks included in any PAM policies. PAM is available to Office E5 Advanced Compliance SKUs. More information can be found here:

  • Microsoft has a zero-standing access policy
    • Data centre lockbox – request for restarting servers, services etc. Very specific tasks. Just enough access is granted and timed.
    • Customer lockbox – customer has final say about accessing customer content


  • PAM has been built from the ground up with zero-standing access. Just in time access is granted that is scoped to a particular task.


  • PAM and PIM (Privileged Identity Management) work together to better protect the environment


  • PAM policies can be set to manual or auto approval. If manual approval is set, a mail enabled group is required. Auto policies are still audited for full traceability.


More updates to follow tomorrow. Check out my twitter for the latest –


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s