Ignite Fall 2021 Recap: Security, Endpoint Manager, Azure (and More Security)

Paul details his personal, totally subjective highlights of the recent conference, which he found to be more substantial than some predecessors.

Microsoft's recent Ignite virtual conference featured some interesting releases and announcements this time around, unlike some earlier incarnations of the bi-annual event. In this article I'll cover my personal, totally subjective highlights. And don't worry -- I won't wax lyrically about expanding the metaverse into Teams through Mesh and appearing as a cartoon avatar instead of as my unshaven self on video. While that's cool, it's still some time off before it's a reality for most of us.

Security -- Security -- Security
To paraphrase Steve Ballmer, there are a lot of security services and products coming from Microsoft. Defender for Endpoint Plan 1, recently announced in preview and now generally available, joins the original Defender for Endpoint, which has been renamed Plan 2. Plan 1 is part of Microsoft 365 E3 but misses out on Linux support (while still covering Android, iOS, macOS and Windows) and on Threat and Vulnerability Management (inventorying all installed applications and prioritizing the ones you should upgrade due to known risks). The younger sibling also doesn't offer Endpoint Detection and Response (EDR), Automated Investigation and Response (AIR), Microsoft Threat Experts or Advanced Hunting.

At Ignite a third relative was announced, Defender for Business, to be part of Microsoft 365 Business Premium (max 300 users) and also available standalone for $3 per user per month. This version also skips Linux support but only trims Advanced Hunting and Threat Experts, making it a very attractive option for small and mid-size businesses (SMBs), particularly as it's going to be part of a license many businesses already pay for.

The famous Microsoft "let's rename everything yearly to confuse everyone and keep our marketing department busy" approach struck this time as well, as Microsoft Cloud App Security is now Defender for Cloud Apps. Furthermore, Azure Defender (paid cloud workload protection) and Azure Security Center (free cloud workload security posture analysis) are now Defender for Cloud with the paid-for part known as Advanced Security. This rename does make some sense, as Defender for Cloud also can manage security for AWS and GCP in multi-cloud deployments, so the name Azure Defender didn't quite work.

Microsoft Endpoint Manager
MEM came to Ignite with quite a few new tricks, some focused on work from home / hybrid scenarios.

In news that would have had the aforementioned Steve apoplectic, MEM will be able to manage Linux desktops (preview coming in "early 2022", Ubuntu only at first), and you can use Conditional Access policies to control access. Also coming soon is the ability to write your own device compliance checks in PowerShell, to verify a BIOS version, for example.
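As an added illustration, not code from the article or from Microsoft, of what a PowerShell custom compliance check for a minimum BIOS version could look like: a discovery script that reports device facts as JSON, the rule that marks devices below the minimum non-compliant, and a local dry run of that rule before it is uploaded. The setting names, the minimum version 1.12.0 and the URL are assumptions.

```powershell
# Added example (not from the article or Microsoft's samples): an Intune custom compliance
# discovery script, its JSON rule, and a local dry run. Names, version and URL are assumed.
# Discovery script: runs on the device and must emit one compressed JSON object
# whose keys match the SettingName values in the rule file.
function Get-DeviceComplianceFacts {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $facts = @{
        ManufacturerName = $cs.Manufacturer
        BiosVersion      = $bios.SMBIOSBIOSVersion   # vendor-specific string, e.g. "1.12.0"
    }
    return $facts | ConvertTo-Json -Compress
}
# Rule file: a device whose BiosVersion is below 1.12.0 is marked non-compliant,
# and Conditional Access can then block it until the remediation text is acted on.
$complianceRules = @'
{
  "Rules": [
    {
      "SettingName": "BiosVersion",
      "Operator": "GreaterEquals",
      "DataType": "Version",
      "Operand": "1.12.0",
      "MoreInfoUrl": "https://intranet.example.invalid/bios-baseline",
      "RemediationStrings": [
        { "Language": "en_US", "Title": "BIOS is out of date",
          "Description": "Update the BIOS to 1.12.0 or later to regain access." }
      ]
    }
  ]
}
'@
# Dry run: apply the rule to the discovery output locally before deploying it.
# Only the GreaterEquals/Version and IsEquals/String cases used above are handled.
function Test-ComplianceRules {
    param([string]$DiscoveryJson, [string]$RulesJson)
    $facts = $DiscoveryJson | ConvertFrom-Json
    foreach ($rule in ($RulesJson | ConvertFrom-Json).Rules) {
        $actual = $facts.($rule.SettingName)
        $parsed = $null
        # BIOS strings such as "A12" do not parse as a version; treat those as non-compliant
        $ok = if ($rule.DataType -eq 'Version') {
            [version]::TryParse([string]$actual, [ref]$parsed) -and $parsed -ge [version]$rule.Operand
        } else { [string]$actual -eq [string]$rule.Operand }
        [pscustomobject]@{ Setting = $rule.SettingName; Actual = $actual; Compliant = [bool]$ok }
    }
}
Test-ComplianceRules -DiscoveryJson (Get-DeviceComplianceFacts) -RulesJson $complianceRules
```

Run the dry run on a few representative devices first: if a vendor's BIOS string never parses as a version, switch that rule to the String data type rather than shipping a policy that marks the whole fleet non-compliant.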

You'll also be able to manage security settings (public preview rolling out now) for devices that can't be enrolled in MEM -- Windows Servers for instance -- through Endpoint Manager.

In a boon for larger organizations that use Configuration Manager on-premises, Microsoft Connected Cache is now GA in version 2111. You add this cache to your Distribution Points, and they automatically start downloading updates. Organizations that tested this in preview saw savings of up to 98 percent of downloaded bytes through this cache and the native Windows 10 update bits sharing. Speaking of updates, if you want to get out of them altogether, there's now a Microsoft Managed Desktop Plan 1 service that hands that task to Microsoft engineers.

You can now deploy DMG apps to Macs through MEM, and a simplified setup assistant is coming for iOS/iPadOS in the first half of 2022. Data Loss Prevention (DLP) is now in public preview on macOS, so you can block printing, copying to USB drives and other actions for sensitive documents, just like you can on Windows. MEM has also been extended with more Endpoint analytics reports for hybrid scenarios, including the new Work from anywhere report.

But by far the biggest MEM news for me at Ignite is the new Remote Help. It's been a glaring omission for many years, one that most other endpoint management solutions have built in. Now help desk staff can connect to devices (including those where staff are working from home) and see their screens. True to form, Microsoft provides strong RBAC permissions around who can connect, and administrators can also control which actions can be taken during a remote help session.

Figure: Remote Help Permissions (source: Microsoft).

Finally, Microsoft has added support for Android Open-Source Project (AOSP) to MEM (public preview). This OS -- often used in purpose-built devices -- initially will work with RealWear devices, but this will expand to others. AOSP devices don't have access to Google services such as the Play store and thus require some special attention to work well with MDM.

There was plenty of Azure news, my favorite being the new Chaos Studio. Chaos engineering, pioneered by Netflix, is the practice of randomly turning off or "messing with" components in your infrastructure to ensure that architects and engineers truly build in resiliency and also test it in production. This public preview comes with an Experiment designer where you can add multiple steps and branches and inject one or more faults. Faults include turning off VMs or VM Scale Sets, failing over a Cosmos DB, altering a Network Security Group (NSG) rule, eight different Azure Kubernetes Service (AKS) faults, and adding CPU, physical memory, virtual memory or disk I/O pressure, to mention just a few. The designer also lets you add delays between actions to test different scenarios.

Figure: Azure Chaos Studio Experiment Designer, adding a fault.

While few enterprises will be ready to start turning off VMs (or services inside those VMs) in their legacy, migrated cloud infrastructure, Chaos Studio will be a great addition for those times when you want to load test an architecture before the production phase. It'll also be useful for cloud-native workloads to increase confidence in their resiliency.

As you might imagine, there are strict controls around Chaos Studio. For example, only resources that have explicitly been onboarded can be targeted, and then only by staff with specific RBAC permissions. Chaos Studio also has a system-assigned managed identity in Azure AD, and unless that identity has been given access to the resources, the experiments won't run. And you can stop an experiment in progress if it all goes horribly wrong. Chaos Studio is free during the public preview (GA planned for April 2022), after which there will be price-per-minute costs for an experiment that runs, but this is reportedly just to cover Microsoft's costs.

Until Ignite, if you were running a third-party Network Virtual Appliance (NVA) in a high-availability mode with multiple instances, you had to configure and maintain your own load balancer in front of it. The new Azure Gateway Load Balancer is a fully managed service that hides that complexity: you simply define the network functionality you require and it takes care of the rest.

If you want to run applications in containers in Azure, there are a few options. On one hand there's Azure Container Instances (ACI), where you get one or a few managed containers and simply deploy your code, with very few configuration options. On the other end of the spectrum is AKS, with a full-blown Kubernetes environment. And while it's managed by Microsoft, there is a lot of configuration and ongoing maintenance for you to do. In between sits the new Azure Container Apps, a serverless, application-centric hosting service where you deploy your application code in containers and rely on Kubernetes Event Driven Autoscaling (KEDA), Distributed Application Runtime (Dapr) and Envoy for autoscaling, microservices integration and proxying.

Microsoft 365
For SMBs, Microsoft is simplifying the admin console to show only the most common tasks to make it less overwhelming. It's not only an SMB feature however, because large enterprises can also use Administrative Units to group objects together and present a trimmed view, where UK administrators only see user accounts and devices under their control in the UK, for example.

Figure: Assigning a User Administrator to an Administrative Unit.

And here's an example of the simplified interface.

Figure: Simplified Admin Center (source: Microsoft).

There were quite a few announcements this time around, which is unusual in the cloud world we live in, where new features are added daily, although some of them concerned features that were already released or already in public preview, and others are still to come in the new year.

I hope you find something interesting in this collection of news -- please explore further with the links in each section.
