Windows 11 24H2 is slowly starting it’s rollout, and you might be wondering if you should update yet. Here’s some high level information to help you decide, control rollout, and be kept up to date with any issues. For those who haven’t needed to keep across how Windows Updates work, you might be wondering what would be difficult about it. Read on and learn :)
This will show you what the current Generally Available (GA) version of Windows is (there’s sections for Windows 11, Windows 10, and Windows Server) along with relevant dates. 24H2 has only been GA for a few weeks, which is quite early in it’s cycle. If you’ve overseen the rollout of Windows Updates before, you want to understand and be across any potential issues before even piloting.
Although this has changed a few times over the last few years, right now we see an annual feature update which upgrades the Windows version released in the second half of the year. Each feature update/version has 3 years of support for Enterprise, and 2 years for Home/Pro as you can see in the table above.
To understand currently known issues in a feature update, you can use the same section of Microsoft Learn to jump to the Version 24H2 > Known issues and notifications which is kept up to date with statuses and details:
You can also see this same information in the Microsoft 365 admin center under Health > Windows release health:
The content is the same on both – but I’d suggest going to the Microsoft 365 admin center version to at least turn on ‘Send me email notifications about Windows release health’ which is under the ‘Preferences’ button in the above screenshot. Once enabling, you can decide which versions of Windows you want to be notified of, and to what email addresses it should be sent to.
This will keep you across any new issues that may arise which is always useful information to know when managing a Windows environment.
Assuming you’re now ready to start testing, the rollout process starts with what tool you’re currently using for update management. You could be using:
Native Windows Update unconfigured – this may make sense for small companies that don’t really have any management in place, and you’re at the mercy of when Microsoft’s services decide your devices should receive the update. Microsoft uses a lot of telemetry and device information to make that call, for example if a driver is detected on the device that has a known issue, Windows Update may block or hold back the install.
Feature update methods:
Windows Server Update Services (WSUS) – which despite getting some news lately, will still be around for probably 10+ years. This is the on-premises way of having a central point to download Windows Updates and has many inbuilt controls that let an administrator decide how they want to roll things out, which can either be automated or manual.
Servicing Channels – These options let you choose which channel a device sits in, which by default the General Availability channel. Unless you have a LTSC edition of Windows, your only other option is the Insider Program which will get feature updates ahead of general availability. Might be good to have a VM around enrolled in the Insider Program to get things early and have a play.
Windows Update for Business / Autopatch – these products have recently been joined together, to provide a cloud based way of controlling what updates go to a device.
Windows Update for Business uses policies (Group Policy/registry/Intune/third party) to set the rules for updates on a device, but still pulls the updates from the cloud (or from other peer devices using Delivery Optimization if enabled). These rules can include items such as
Whichever path you use, you should be incorporating Update Rings to stagger any update rollout and avoid any big bang issues from your entire fleet updating overnight and hitting a business-stopping issue.
To find out how your feature update rollout is going, each method has it’s own way of reporting:
Windows Update for Business also has it’s own reports which has a few options on how to present, including via the Microsoft 365 admin center Software Updates > Windows area. Alternatively, you can create an Azure workbook.
WSUS has inbuilt reporting options that can be built based on your requirements and can be exported, and supports using APIs if you want to roll your own solution there.
I’ve tried to give a high level overview of what’s involved and considerations on rolling out Windows versions, there’s a lot to it and many points depend on your approach.
Office365Concepts also has a great video on covering Feature Update Policies in Intune and how it fits in the larger picture of updates generally:
I’d also recommend these two articles on the deprecation of WSUS:
As part of the Microsoft 365 Copilot Wave 2 changes, Copilot in OneDrive became available for all commercial customers on 8th October 2024. Let’s check it out and see what it can do.
When first logging onto https://www.office.com/onedrive I was greeted with two prompts, the notice that Copilot is now there, as well as the reminder that you need to verify the results that Copilot provides – just like any LLM AI.
From the front Onedrive page, I do see the Copilot icon as indicated:
The Summarize option does as you’d expect, providing a less than 1 pager with key points that Copilot has found out from the document:
The ‘Ask a question’ button will break out a Copilot side window which will then provide answers based on the content of the document, and show the reference of the document itself as the source of the answers it generates:
‘Create an FAQ’ is quite a handy one-click option. I can see this being useful in many scenarios – any documentation being shared that could be a lot to take on, and the question/answer format can be a better way for people to absorb information compared to a summary.
If you select two files, Copilot in the top bar will have the option ‘Compare files’:
I made a copy of the above file and changed 3 words, let’s see if the changes are picked up when using the ‘Compare files’ option:
This is a good expectation setter. If you wanted to actually compare differences between two documents and see what’s exactly different, use Word’s native Compare option. Copilot on the other hand will give a summary. It’s picked up that there’s possibly minor differences in wording or formatting
If I make another copy of the original, make no changes, and run another ‘Compare files’, the results come back suggesting that the content is most likely identical:
I can see this contextual Copilot being useful when you target the file or files you want summarised, or want to ask questions about. Contextual questions relating to a project or a piece of work is where this would shine.
It’s still early days for Microsoft 365 Copilot, but it’s good to see the product’s feature set expand as we all learn what large language models can actually do and how they can help us be more efficient in our jobs and lives.
There’s several useful gestures you can use when you’re without a mouse and relying on a laptop’s touchpad. If you’re not on a touchpad all the time, you may not be aware of these methods of quickly performing functions – I know I wasn’t until I re-discovered one and then wanted to refresh myself on the lot!
Swiping down with 3 fingers will take you straight to the desktop, the same way WinKey + D does.
Swiping up with 3 fingers will bring back the minimised windows from the above command. If your windows are already on screen, you’ll instead see the task view (like holding alt-tab or pressing the task view button in the Windows bar) but it will stay on screen, so you can use 1 finger to move the cursor around to select the window you want.
Swiping left or right with 3 fingers will do the same as alt-shift-tab or alt-tab – toggling between open windows in the same direction you swiped.
There’s also a 4 finger gesture for those of you who use multiple desktops via the task bar – swipe left or right to switch between each one. If you don’t have a second desktop open then your whole screen will slide around a bit but it won’t do anything.
What’s even better is that these gestures are configurable in Windows 11. Under Settings > Bluetooth & Devices > Touchpad (which won’t show if you don’t have a Touchpad!) you’ll have a three-finger gestures section. The defaults are as I described above:
You can change these defaults so left and right switch desktops rather than apps:
Or if you’re not an app/desktop switcher, change the lot to control audio:
There’s also the option to change what the Three-finger tap does:
If you don’t like the out of the box options, you can go into the ‘Advanced gestures’ section and under ‘Configure three-finger gestures’ change it to any key combination you like:
And you can configure the 4 swipe directions to perform one of the listed functions:
If you’re like me and feel much less productive when using a trackpad compared to a proper mouse, then spend a bit of time looking at what you can do and change with three-fingered and even four-fingered gestures in Windows 11.
The idea of taking a Microsoft exam can be quite daunting. Self doubt creeps in, and it’s easy to talk yourself out of putting yourself through a stressful situation that you could just avoid. But, taking a Microsoft exam and passing is a great feeling, and qualifies your understanding of the topic.
I’m hoping I can convince you – the ones out there who have wondered if they should try working towards a Microsoft Certification – to give it a shot.
Let’s work through the fundamentals. There’s Microsoft Exams, and Microsoft Certifications. Often there’s a 1 to 1 relationship – pass an exam, get a certification. Some certifications have prerequisites that you’re already holding other Microsoft Certifications. Exams normally have a code such as AZ-104 where the certification doesn’t. For a nice 1 pager of all the Credentials and exams, have a look at the Certifications Poster.
For your first exam and certification, focus on choosing one that’s at the fundamentals level. These exams all end in 9xx, such as MS-900 for Microsoft 365 Fundamentals. A full list of these fundamentals I have listed on MSPortals.io with a few handy links on each.
You’ll also see a section called ‘Study resources‘. This will contain links such as the ‘Get trained‘ area, which jumps to the certification itself and lists ways to prepare and practise for the exam.
Preparing for the exam is usually an online self-paced course, and this is worth going through to understand the topics and areas that will be covered in the exam. Practice for the exam will take you to a set of multiple choice questions, which is a good test of your knowledge to see if you’re ready to book.
Microsoft exams need a 700/1000 score to pass – which is the equivalent of 70%. For 50 questions, you should be getting at least 35 right, but that’s still cutting it a bit close. You have the luxury of time, being able to look things up and check your answer as you go so I’d be aiming more for getting >45 out of the 50 right.
You can also run an Exam Sandbox, which is just running the actual exam software with unrelated questions just to get a feel of how it’ll be when you actually sit your exam.
Fundamental exams are shorter than the more in-depth exams, and last for roughly 65 minutes with 35-50 questions. Of that hour and a bit, there’s still 15-20 minutes expected of set up and wind down.
There is a cost associated with taking a Microsoft Exam, and on the 1st November 2024 these prices have just changed. The cost is region dependant, but ranges from $44USD to $99USD for the fundamentals.
The certification page will have an area to let you ‘Take the exam‘ which is where you schedule it. Sometimes you might be able to book it for the same day, other times you may need to look a few days or weeks forward to book in an available slot. You’ll have the option of testing the software and making sure everything works as a part of this. Exams used to be in-person only, but now you can do them remote.
On the day of the exam, log in ~15 minutes early and follow the instructions you were emailed – go through the tests again, and there’s a bit of an onboarding and verification process to go through. You may need to take photos of your identity and your work area to show you’re the right person taking the exam and don’t have access to any items that would be considered cheating. You’ll be on camera and open microphone the entire exam, and have a host in the background monitoring you.
Fundamental exams are NOT open book, but other exams are (for those, you can access content on learn.microsoft.com during the exam).
Once you’re in the exam, take your time. You’ll see how long you have to go, and mostly can go back to previous questions or skip questions to answer later (when this isn’t possible, you’ll be prompted – read all screens carefully!).
If you happen to fail, don’t be disheartened. You’ll see your score, how well you did in each area, and you can take the exam again. The first time you can take it again after waiting 24 hours. Further retake policies are available here. Plenty of people fail (including me!) and just treat it as more practise – taking the exam a second time is less stressful than the first as you’ve got a much better idea on what you’re in for. The questions the second time and beyond may not be exactly the same, normally you get a random subset from a larger pool of questions – but you’ll probably see a few that aren’t new.
If you pass well done! The panic of taking the exam should be over, you’ll get a congratulations email and can take the satisfaction of posting about your achievement on LinkedIn.
If you want to check your exam/certification status, log into your Learn Profile https://aka.ms/LearnProfile but don’t expect this to fully update immediately after the exam, some of the information can take a day or two to update.
I’ve also collected a lot of Microsoft exam and certification related links and created a ‘Training’ section on MSPortals.io: https://msportals.io/training?search=
If you have any questions or want any advice, drop a comment below. If you pass an exam, post it on LinkedIn and tell me about it so I can congratulate you! https://www.linkedin.com/in/adamfowlerit/
Word, Excel, PowerPoint, Outlook, OneNote, and Teams (unless you’re in the EU) are some of the apps that make up the Microsoft 365 Apps suite. We don’t call it Office 365 anymore, and they’ve been around for a very long time. Despite the name change, ‘Office’ is used across Microsoft documentation, the Essential Eight, Windows Registry settings etc so I will use also use it for the rest of this article.
Unsurprisingly, there’s both a lot of flexibility in configuration options for these apps, as well as many settings that have security considerations. As with my other blog posts of late, I wanted to have a look at the Center for Internet Security’s (CIS) Microsoft Intune for Office Benchmark 1.0 and pick my favourite 5 recommendations; ones that I think have a high impact, aren’t on by default, and/or ones you may not have considered.
As with other Intune benchmarks, you don’t have to use Microsoft Intune (you can use Group Policy/registry) but these options are natively supported via Intune. To create these policies via Intune from the Microsoft Intune admin center go to Apps > Policy > Policies for Office apps.
…so if you aren’t doing the above (or if you’re not sure) – go sort that out first before you worry about these extra ones!
Alright, let’s get on with my 5 picks:
#1 – 2.3.23.2 Ensure ‘Block signing into Office’ is set to ‘Enabled: Org ID only’
Official description of the setting: This policy setting controls whether users can provide credentials to Office using either their Microsoft Account or the user ID assigned by your organization for accessing Office 365. If you enable this policy setting, you can specify one of the following options: – If you select “Both IDs allowed”, users can sign in and access Office content by using either ID – If you select “Microsoft Account only”, users can sign in only by using their Microsoft Account. – If you select “Organization only”, users can sign in only by using the user ID assigned by your organization for accessing Office 365. – If you select “None allowed”, users cannot sign in by using either ID. If you disable or do not configure this policy setting, users can sign in by using either ID.
Note: This policy does not apply to licensing. A user can license their product using any applicable ID if they have a valid license associated with that account. Providing credentials for licensing purposes when that ID type has been disabled, however, will not affect the signed in state of Office.
This setting controls whether a consumer Microsoft Account can be used to sign into the Office suite. By default, both a work account and a Microsoft Account can be signed in, so changing it to Org ID only prevents that. This prevents a user either accidentally or wilfully saving and opening files from their personal OneDrive and anywhere else the Microsoft Account may have access to. You can imagine a user not realising they’ve been saving their last year of work on their personal unprotected OneDrive, or doing so because it made it easier to continue working on documents via their home computer. There should be no legitimate business need for this setting to be allowed, so change it.
#2 – 2.3.38.1.1 Ensure ‘Improve Proofing Tools’ is set to ‘Disabled’
This setting controls whether data learnt from Office Proofing Tools (such as spell check) is sent back to Microsoft. This option is enabled by default. It will include information such as additions to the dictionary (maybe you keep writing Project Phoenixx but that’s actually the ‘correct’ spelling’) or maybe your drivers license combination of letters and numbers, or credit card. Here’s the actual description of the setting:
This policy setting controls whether the Help Improve Proofing Tools feature sends usage data to Microsoft. The Help Improve Proofing Tools feature collects data about use of the Proofing Tools, such as additions to the custom dictionary, and sends it to Microsoft. After about six months, the feature stops sending data to Microsoft and deletes the data collection file from the user’s computer. If you enable this policy setting, this feature is enabled if users choose to participate in the Customer Experience Improvement Program (CEIP). If your organization has policies that govern the use of external resources such as the CEIP, allowing the use of the Help Improve Proofing Tools feature might cause them to violate these policies. If you disable this policy setting, the Help Improve Proofing Tools feature does not collect proofing tool usage information and transmit it to Microsoft. If you do not configure this policy setting, the behavior is the equivalent of setting the policy to “Enabled”.
Beyond this data going back to Microsoft, it’s also saving it on your computer in a secondary data collection file. Quite simply, it’s introducing extra risk in both a second location of data + sending off to Microsoft, with no direct immediate user benefit, and no obvious method of showing what data it’s transmitting so should be disabled. On this point, this isn’t questioning how much you trust Microsoft or not – you’re probably using their operating system, software, cloud storage, search results and AI – risk is risk and you reduce it wherever you can that makes sense, and this is one of those scenarios.
#3. Modern Office File Formats: 2.11.8.6.1 Ensure ‘Default file format’ is set to ‘Enabled: Word Document (.docx)’ 2.2.4.6.1 Ensure ‘Default file format’ is set to ‘Enabled: Excel Workbook (*.xlsx)’ 2.6.6.5.1 Ensure ‘Default file format’ is set to ‘Enabled: PowerPoint Presentation (*pptx)’
These are all the same but each application needs it’s own setting enabled. Worth noting is the same setting exists for Access – ideally you don’t have that anywhere, but if you do, change that setting too. It’s also actually two settings – enabling it, then setting the ‘Save x files as’ and choosing the above listed options, e.g. PowerPoint Presentation (*pptx).
Although this setting doesn’t block the older default Office document types (.doc, .xls, .ppt), it makes sure the default format for saving is the newer .docx, .xlsx, pptx. The older formats were the default up to Office 2003, and in Office 2007 onward is where the ‘x’ version (which is based on XML and if you rename any of these documents to .ZIP, you can check out what’s inside!) was introduced. Although I can’t find much officially around the differences, the general takes are that the newer format is less prone to corruption, more secure, better organised internally, and more open for other programs to be able to read the data inside.
Most companies will have the older file formats floating around still, but this setting works towards encouraging the new (and 16 years since release, it’s hard to still call it ‘new’!) file format.
Setting description from Word: This policy setting determines the default file format for saving files in Word.
If you enable this policy setting, you can set the default file format from among the following options:
– Word Document (*.docx): This option is the default configuration in Word. – Single Files Web Page (*.mht) – Web Page (*.htm; *.html) – Web Page, Filtered (*.htm, *.html) – Rich Text Format (*.rtf) – Plain Text (*.txt) – Word 6.0/95 (*.doc) – Word 6.0/95 – Chinese (Simplified) (*.doc) – Word 6.0/95 – Chinese (Traditional) (*.doc) – Word 6.0/95 – Japanese (*.doc) – Word 6.0/95 – Korean (*.doc) – Word 97-2002 and 6.0/95 – RTF – Word 5.1 for Macintosh (*.mcw) – Word 5.0 for Macintosh (*.mcw) – Word 2.x for Windows (*.doc) – Works 4.0 for Windows (*.wps) – WordPerfect 5.x for Windows (*.doc) – WordPerfect 5.1 for DOS (*.doc) – Word Macro-Enabled Document (*.docm) – Word Template (*.dotx) – Word Macro-Enabled Template (*.dotm) – Word 97 – 2003 Document (*.doc) – Word 97 – 2003 Template (*.dot) – Word XML Document (*.xml) – Strict Open XML Document (*.docx) – OpenDocument Text (*.odt)
Users can choose to save presentations or documents in a different file format than the default.
If you disable or do not configure this policy setting, Word saves new files in the Office Open XML format: Word files have a .docx extension. For users who run recent versions of Word, Microsoft offers the Microsoft Office Compatibility Pack, which enables them to open and save Office Open XML files. If some users in your organization cannot install the Compatibility Pack, or are running versions of Word older than Microsoft Office 2000 with Service Pack 3, they might not be able to access Office Open XML files.
This policy setting is often set in combination with the “Save As Open XML in Compatibility Mode” policy setting.
The 4 settings in Intune are below, and the Group Policy/Registry settings are here: WordAccessExcelPowerPoint
#4. 2.3.23.3 Ensure ‘Control Blogging’ is set to ‘Enabled: All Blogging Disabled’
I partly like this one because not many people know this is even a thing. Description: This policy setting controls whether users can compose and post blog entries from Word. If you enable this policy setting, you can choose from three options for controlling blogging:
* Enabled – Users may compose and post blog entries from Word to any available blog provider. This is the default configuration in Word.
* Only SharePoint blogs allowed – Users can only post blog entries to SharePoint sites.
* Disabled – The blogging feature in Word is disabled entirely.
If you disable or do not configure this policy setting, the behavior is the equivalent of setting the policy to Enabled-Enabled.
Word can send off contents of documents to certain blogging platforms via a direct connection from inside the application, and is enabled by default. Although the amount of your user base that would even consider this is quite low, all it takes is for one person to decide to do it, then publish the wrong document to a public site.
As usual, there’s usually no great reason to allow this at all, so disable it – even restricting to SharePoint sites doesn’t mean it’s restricted to the SharePoint sites you control.
Intune setting is Control Blogging, which you need to Enable and set to All blogging disabled, or Group Policy/Registry settings here.
5. 2.5.14.3.4 Ensure ‘Outlook Security Mode’ is set to ‘Enabled’
There’s an Outlook Security Mode? Sounds like something that should be enabled! Description: This policy setting controls which set of security settings are enforced in Outlook.
If you enable this policy setting, you can choose from four options for enforcing Outlook security settings:
* Outlook Default Security – This option is the default configuration in Outlook. Users can configure security themselves, and Outlook ignores any security-related settings configured in Group Policy.
* Use Security Form from ‘Outlook Security Settings’ Public Folder – Outlook uses the settings from the security form published in the designated public folder.
* Use Security Form from ‘Outlook 10 Security Settings’ Public Folder – Outlook uses the settings from the security form published in the designated public folder.
* Use Outlook Security Group Policy – Outlook uses security settings from Group Policy.
Important – You must enable this policy setting if you want to apply the other Outlook security policy settings mentioned in this guide.
If you disable or do not configure this policy setting, Outlook users can configure security for themselves, and Outlook ignores any security-related settings that are configured in Group Policy.
Note – In previous versions of Outlook, when security settings were published in a form in Exchange Server public folders, users who needed these settings required the HKEY_CURRENT_USER\Software\Policies\Microsoft\Security\CheckAdminSettings registry key to be set on their computers for the settings to apply. In Outlook, the CheckAdminSettings registry key is no longer used to determine users’ security settings. Instead, the Outlook Security Mode setting can be used to determine whether Outlook security should be controlled directly by Group Policy, by the security form from the Outlook Security Settings Public Folder, or by the settings on users’ own computers.
If you need to change any of those related settings from the default, you instead need to change this from ‘Microsoft recommended baseline’ to Manually configured, and ‘Use Outlook Security Group Policy’ – and then ensure all related policies are configured the way you want.
The CIS benchmark documentation also mentions: Note: This setting is essential for ensuring that the other Outlook security settings mentioned in this baseline are applied as suggested.
So, what all this means is the CIS benchmark overall has different configuration recommendations compared to the Microsoft recommended baseline, but in doing this option it’s worth assessing all the settings that the baseline would do!
Intune setting is ‘Outlook Security Mode’ and Group Policy/Registry settings here
I hope you found the above options interesting, and as always this is designed to grow awareness of what you need to consider in managing an environment, and always have that security mindset. These options are not set and forget either – you need frequent checks to make sure no gaps have been created either by reconfiguration or new settings coming in.