The Channel logo


By | Tim Anderson 7th October 2016 17:05

Windows updates? Just trust us, says Microsoft executive

'Rather than you approving which patches you want, we are saying let them all flow'

Interview At Microsoft's recent Ignite event in Atlanta, The Reg sat down with Brad Anderson, Corporate Vice President of Enterprise Client and Mobility.

Brad Anderson is a Microsoft veteran who oversees how Windows and mobile devices are managed in business. A decade ago it was simple: firewall-protected network, Windows PCs, and System Center, Microsoft's suite of IT administration tools, managing those PCs through mechanisms like Group Policy, which lets you set PC configuration centrally and have it enforced on all PCs in the organisation.

Things look different today. "Now I have got my cloud services outside of the perimeter and that network-based perimeter is no longer effective," says Anderson.

Microsoft is pursuing an alternative idea, which it calls identity-based security. This is based on Azure Active Directory (AAD), as used by Office 365. Businesses using Active Directory on-premises can set up synchronisation with AAD using various tools.

"All of our cloud services build on top of Azure Active Directory for authentication and access," says Anderson. "We do more than 45 billion authentications every month through AAD, which is largely driven by usage of office 365.

"What we have been building is this concept of what we call the Microsoft security graph. With these cloud services, there are signals or telemetry that comes back, that allows us to see what is working, what is not working, what is being used. We have taken all that signal and we call that the intelligent security graph.

"We know that more than 75 per cent of breaches come from compromised user credentials. So one of the core things that organisations have to do is to ensure that when someone presents a set of credentials it actually is who the person says they are.

"We now have the ability to be able to assess risk based upon a whole list of factors. So we can take a look at the user’s identity, the device they are working on, the app that they are using on the device. We can also take a look at telemetry coming in from our partner ecosystem. You can now build a conditional access policy that says when you will allow access based upon all those risk factors.

"If we think that there is something suspicious we can automatically pop up a multi-factor authentication challenge which then blocks any attacks that are coming in through compromised user credentials.

A feature of Microsoft's Enterprise Mobility Suite, called Azure AD Application Proxy, lets businesses use this same mechanism for on-premises web applications, while still having them authenticate using Active Directory. A partnership with Ping Identity announced in September 2016 further extends the range of legacy applications that can be covered.

Group Policy, or Mobile Device Management?

Today most PCs are managed using a traditional approach based on Group Policy, whereas mobile devices use a more generic method called Mobile Device Management (MDM) which can be delivered from the cloud. Windows 10 can be managed using either technique, but does Microsoft see Group Policy declining in favour of MDM?

“Our long term vision on Windows 10 management is that organisations should rely on Microsoft to do more for them on their behalf. Let us worry about your images. Let us keep your devices updated through Windows Update for Business. Rather than you approving which patches you want, we are saying let them all flow because the way organisations get the most secure, the most compliant, the most reliable and most performance devices is to stay updated with all of our updates,” says Anderson.

What about when an update breaks compatibility?

“There is years of experience that IT pros have, sometimes we release updates that break something. As we build confidence with IT pros around the world that our updates are solid they will get more comfortable with just letting the patches go through,” Anderson says, though he adds that “in Windows Update for Business you have the ability to say, I want to delay these updates, so you have some level of control. You don’t have the degree where you can say I want to deploy these three but not these 10.”

Anderson says that System Center’s Configuration Manager offers a path towards this approach via its auto-approve setting. “What we are telling people is, as you get confident with us turn on auto-approve, let all the updates flow down because that is the way that you are going to have the most predictable, the most secure, the most reliable, the most compatible devices. Then as we continue to enrich that MDM layer, organisations will move to that model of management, but that is going to take them some time. There is a bit of a cultural change there. Because you can’t control the same number of settings that you can with Group Policy and Config Manager.”

When Microsoft introduced management of iOS and Android devices in its Enterprise Mobility Suite, eyebrows were raised, but Anderson says take-up is substantial. “Of all the mobile devices that we manage 55% are iOS, 35% are android and 10 per cent are windows,” he told The Reg.

Is Microsoft frustrated by the continuing love for Windows 7 in business, with many PCs still being delivered with Windows 7 pre-installed? If it is, Anderson will not admit it. “We are very pleased with the rate of adoption that we are seeing, it is the fastest that we have ever seen,” he said.

The overall picture is confused though, because the figures Microsoft releases cover both consumer and business, and the consumer upgrade was both free and heavily promoted by the company. At Ignite, Microsoft refused to give the press numbers for Windows 10 Enterprise take-up alone.

Anderson says there are strong reasons to upgrade. “Enterprises want the security. With things like Windows Hello you can eliminate passwords. Credential Guard stores your credentials in a way that it is impossible for an attacker to get credentials. There are things like secure boot, which as device comes up checks that something has not been injected into the boot sequence. The form factors are also driving a lot of it. Two-in-ones, Surface Pro, Surface Book, users want to have these modern touch devices.”®

comment icon Read 153 comments on this article or post a comment alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe