Workplace Ninja Summit 2022 report

Bram De Corte & Dirk Mampaey

From September 12 to 14, me and my colleague Dirk went to the beautiful Lucerne in Switzerland to get a knowledge update around workplace, security and CloudPC/AVD from Microsoft. Straight from the horse’s mouth. The horse in this case: leading community experts! So strap in for some interesting takeaways from this 3-day event.


How about I don’t try to fit 30 some sessions about MEM in a blog article? Let me rather give the overall consensus here.

Microsoft Endpoint Manager

Microsoft Endpoint Manager is a great product. However, it is managed and developed by different teams. That leads to some quirky behavior and inconsistency across the portal sometimes. Most of these quirks you may not run into. Nonetheless, Panu Saukko and Gerry Hampson did a real good job of listing all these quirks. I’ll give a hint for one of them: try sorting different tables across the portal.

Microsoft Intune

Another great session covered all the tools that the community experts build and what they do. The Microsoft development team provided us with a deep dive into how profiles work. I have to say they succeeded at blowing my mind at times. Due to nondisclosure agreements, I can’t really say much more. However, I can make a very useful suggestion: watch Microsoft Ignite. It will cover a feature to handle admin privilege escalation for users in Intune.

Intune Tips and tricks

Hosted by a fellow countryman and a Dutch guy, this session revolved around useful tools for Intune in 10 bulletpoints. Here are a few that could constitute my top 3:

  1. Use the Powershell App deployment toolkit to install Windows applications. It gives you a standard deployment tool which can be used for Intune and for SCCM.
  2. Use custom compliance policies to get a more granular way of verifying your devices are compliant. And you can add settings specific to your situation. It is still in preview though.
  3. Use filters for your assignments wherever you can.

Intune Proactive Remediations

One last Intune insight for the modern workplace enthusiasts. Proactive remediations will allow you to automatically detect and remediate common issues on the endpoints. It’s composed of two PowerShell script packages. With the first, you’ll scan the endpoints based on a schedule. The second package can remediate the endpoint if required.

Some use cases:

  • Remove unwanted local admin accounts
  • Check battery health of endpoints
  • Detect and remove vulnerable and/or unwanted applications


Monday morning to Wednesday evening, I bathed in exactly 29 sessions about security. Again, I’ll highlight a few of the sessions that really caught my attention for you.

What’s new in Microsoft 365 Defender?

A session hosted by Microsoft regarding what is new and in development for M365D.
Some of the features presented are already released, like this one:

  • Guided hunting:
    Microsoft has provided a query builder to simplify the hunting experience. A security administrator can use it to create a query without knowing KQL (Kusto Query language). The query builder allows you to filter and search for specific events, applications, files, etc. throughout your environment. Hunting can reveal if any of those endpoints have a vulnerability, whether they have all required updates, and more. It can also be used to find out which endpoints have been infected when an attack is discovered. For custom queries, such as looking for a specific zero day detection, KQL can be used.

Some other interesting features that are on the roadmap:

  • Automatic Attack disruption:
    This is the ability to isolate endpoints that are unmanaged or are showing suspicious behavior by instructing the other endpoints not to communicate with those anymore. When a breach is detected on an endpoint, this can help to prevent the infection from spreading.
  • Convergence of the security portals:
    MS is working on getting all Defender services into one portal. That should improve and simplify the experience of the security admins. And it’s not hard to understand that when it gets easier to administer

Lessons learned: implementing MS Defender for Endpoint

A great session by our former Xylos colleague Kim Heyrman pointing out the lessons learned during the implementation of Defender for Endpoint at a customer.
Here are some key takeaways that I could very much relate to:

  • Get a good grip on the customer’s environment before you start the implementation. It always pays off to have a detailed view on what you will run in to.
  • Have a tested and verified deployment plan. It will help you complete the implementation without leaving any holes in the protection.
  • Make sure you document your implementation very well. That will save your life when something goes wrong.

Come to think of it, these can be used for other projects as well. On top of that, we got some neat tips and tricks on getting MDE up and running quickly, as well as a few things to watch out for.

Implementing Privileged Access Workstations (PAW)

This is not so much a real (or new) feature as it is a guideline one can follow to improve security. Originally intended for the good old days when all IT was on-prem, but it‘s valid for a cloud approach too. It all starts with this question: Would it be a good idea to let an administrator manage critical resources from the same workstation that he uses daily, for instance to check his social media accounts?

The idea is to use a separate workstation that is heavily secured and doesn’t have internet access to access those critical resources. A separate workstation is also preferred over a jump server that is accessed over RDP. As we all know, RDP or “Ransomware Deployment Protocol”, isn’t really that secure. Also, it limits you to two concurrent connections. Not really what you want when you’re IT team is bigger than two individuals.

Conditional Access: The good, the bad and the ugly

A session where we did get a review on how conditional access can be used, what’s good about it, what’s less good and what’s down right ugly. A short recap:

  • Good: CA rules are great to protect user identities and company data. They provide a high security with a low impact on productivity.
  • Bad: There are a lot of rules you can configure, with a lot of options. That means it’s very easy to make mistakes and misconfigurations. Which brings us to …
  • Ugly: There’s no overview on the rules that have been configured. Which is alright if you only have like ten rules or fewer. But these rules tend to multiply rapidly once the environment gets a bit more complex. And all of a sudden you’re lost in a jungle, trying to figure out which rules apply to what resources and which users.

Luckily, there are some best practices to use. The same things as mentioned before are repeated: Make sure you have a decent design before starting and document the rules you are implementing in full detail.

Issuing your own Microsoft Entra Verified ID

This was a very interesting session about how Microsoft sees the use of Verified ID by making use of DIDs (decentralized identifiers). Since the digital world becomes an ever bigger part of our life, a secure and safe digital identity gets more important every day. The Verified ID is based on open standards and will be owned by the user itself, independently of company, organization or government.

Instead of having different ID silo’s (company, bank, school, …), a single ID can be used for all. The so-called ‘Issuer’ can add certain credentials, such as academic achievements or a library pass, to the Verified ID. A ‘Verifier’ can then request those credentials to verify and use them to allow access to entitlements. That can be access to a company network, but also access to government resources or a verification to open a bank account.

It is still a work in progress. Interoperability is crucial, and specifications need to be defined to enable this and make sure it is indeed safe and secure. But it’s an interesting evolution we may well see a lot more of in the coming years.

CloudPC and AVD

So, let’s start with CloudPC also known as Windows365. This is a service from Microsoft which gives u an easy manageable windows10/11 computer in the cloud. It is provided by a monthly subscription and deployed through the office portal (with Windows 365 Business) or Microsoft Endpoint Manager (with Windows 365 Enterprise).

This solution is built behind the scenes with Azure Virtual Desktop, so as an Azure Virtual Desktop architect/engineer I have always had the idea we can do the same with more flexibility – with regard to compute power. However, this will change in the very nearby future as, since Microsoft is bringing more features to Windows365 that extends user experience beyond a simple cloud pc:

  • Windows 365 boot:
    This feature allows a user to directly boot into the CloudPC on a physical device from the login screen, no need to go first into a client or browser.
  • Windows 365 offline access:
    A feature that will not be for this year, but you could continue working in your CloudPC when your physical device has lost connection to internet.
  • Windows 365 switch:
    Switch between your desktop and CloudPC from the Windows 11 task view.
  • Windows 365 App:
    An app to manage your Windows 365 differently from the AVD remote desktop client or web client
  • And also… new license options. Be sure to watch out for more details about these features during Microsoft Ignite.

To close: two sessions stood out about Azure Virtual Desktop for me

AVD without a golden image:

During this session we got some insight on how AVD was deployed for 5000 devices in combination with SCCM for multiuser sessions host. The combination of AVD with SCCM is one that we used in the past ourselves mainly with personal or pooled desktop, but not really with multi users. Markus Lintuala created an azure function to release the session host so users can login mimicking auto scale as auto scale and MEMSCCM aren’t really friends

Running AVD onPrem made easy using Azure Stack HCI. Or is it?:

This session is running Azure Virtual Desktop on premise with Azure HCI and Azure Stack. To my surprise it isn’t that complicated to set up. And not to my surprise its work like a charm with almost no latency, however since its still in Public Preview it isn’t recommended for production environment and an additional cost for running on Azure HCI and Azure Stack is required. But once this is released for production, it will be a Citrix/Horizon killer.

Want to get inspired about Microsoft Workplace and Security technology?

Well, it’s great that you’ve found your way to Xylos, then. We are a recognized Microsoft Solutions partner in both domains.
Check out our services, or contact us directly with your questions.

How to keep your cloud costs from spiralling out of control?
3 steps to optimize your capacity planning

Community event - 17/10/2023
Back-up & Disaster recovery: Uitdagingen en oplossingen