Microsoft Ignite day 5

As you know by now (from reading my previous blog posts), I focus mostly on Information Protection and compliance from a technical point of view, and this blog post will cover a lot of that. Today, I wasn’t able to visit as many sessions as in the last four days because I need to catch a plane in a few hours, but I still have a few interesting things to share.


  1. Security and Compliance center
  2. Service Encryption
  3. Advanced E-Discovery
  4. Windows Virtual Desktop, RDMI & Windows 10 Multi-User

Security and Compliance center

Microsoft covers a big part of protecting us from malicious tools and attackers, but there is still a part that we must do ourselves. And I can tell you that it is the most important part: activating MFA, encrypting sensitive data, etc. This slide covers what Microsoft does and what you have to do.

For the part that we are responsible for, Microsoft provides us with multiple tools. How do AIP and OME help with compliance? Check this slide.

There are certain scenarios in which you don’t want Microsoft to manage your key. Some regulatory reasons might require you to manage your own key so that the security is end-to-end. BYOK (Bring Your Own Key) might be sufficient, since you can store your own key in Azure Key Vault. If even that isn’t good enough, there is HYOK (Hold Your Own Key), where you store the key on-premises. Keep in mind that this option is much less flexible: you only have access to your secured documents as long as you can reach the on-premises key for decryption. Here is an overview of licensing.

Here is a great overview of BYOK. It makes clear that it is as flexible as the Microsoft-managed keys, but it does give you more overhead since you need to manage the key now.


Some good insights when using BYOK.

Service Encryption

Some good news: if we use the Microsoft-managed keys or BYOK, we will have service encryption in Exchange Online, starting to roll out in January 2019 (it is already available in SharePoint). Once we create a Data Encryption Policy (DEP), it will encrypt our data at the storage level. This is required if you want to meet compliance.


Advanced E-Discovery

By using the analytics in the Advanced E-Discovery set in Office 365, we can further minimize the data. For example, it will deduplicate data and present us only with relevant data. We are now also presented with a much better E-Discovery dashboard. We can see what kind of data the hold holds, and we are also able to communicate with the persons in a specific hold, run searches in it, etc. Great improvement!


Right now, creating a Legal Hold is doable, but not that easy. But it will be! Here is a great overview of how it is now and how it will be very soon.

So these are some great new features! You will surely see a more in-depth blog post when they are available.


Windows Virtual Desktop, RDMI & Windows 10 Multi-User

Now also a little bit of info about Windows Virtual Desktop, as I can imagine you want to see some updates about this as well. One of the bigger announcements is Windows 10 Multi-User within Windows Virtual Desktop, which means you will connect to shared hardware. When you spin up a Windows Virtual Desktop, you can decide how many users you want to connect to that VM, which makes it a lot cheaper. There will be a Windows Desktop Calculator soon which gives some recommendations about this, based on the chosen size.

Automatic scaling will be available as well. You can auto scale based on two methods: Breadth Mode and Depth Mode. The Breadth Mode needs reserved instances, so turning off a Virtual Desktop doesn’t help you. However, this can still be cheaper; that’s something you need to calculate. The Depth Mode is based on activity. If no users are logged in to a Virtual Desktop anymore, it will automatically turn off the VM, which saves you money. On the other hand, if it’s too busy, it will spin up some new VMs.

Windows Virtual Desktop will be available through the Azure Marketplace.