5 Things To Check In Your Intune for Windows 11 Configuration

After receiving a lot of great feedback on my post 5 Things To Check In Your Microsoft 365 Tenant, I thought I’d do another post, picking my top 5 items from the Center for Internet Security’s (CIS) Microsoft Intune for Windows 11 Benchmark v3.0.1.

This is a really big list to pick from, much bigger than the Microsoft 365 one – the document is over 1000 pages! You may also look at this list and say ‘What has this got to do with Intune? I can apply these settings to any Windows 11 PC.’ That’s true, but the options CIS has laid out are ones that are natively available in Intune and therefore easily deployable. I’m also going to spend more time explaining the meaning behind each setting rather than telling you how to configure it, as the CIS documentation (again, freely available for non-commercial use) clearly explains the setting and how to set it.

Again these 5 things are important and I’ve tried to pick items that aren’t in the secure state by default, so I hope you find something new (or at least reassured!).

1. Ensure ‘Turn off access to the Store’ is set to ‘Enabled’

By default, any Windows 11 PC has the Microsoft Store enabled, the app installed, and a user can use it to obtain any software available in the store. I’ll avoid the whole ‘are Microsoft Store apps safe?’ debate, as I’m not privy to Microsoft’s application monitoring regime any more than I am to Google Play’s or Apple’s App Store’s – but just as you block users from installing software from other sources and by other methods, the Microsoft Store should be controlled in a corporate environment. There’s an entire history behind the Microsoft Store for Business and Microsoft Store for Education, which are being replaced by packaging the apps in Intune (the ‘Microsoft Store app’ type); that replacement is still a work in progress, with the original 2023 retirement date having been postponed.

All this leads to this one setting, which just prevents the user from being offered the Microsoft Store as an option when Windows can’t find a program to open a file or protocol that currently has no association (for example, a user finds a data.db file and tries to open it). They’ll see this dialog:

Either enable the confusingly named Intune setting ‘Turn off access to the Store’ (confusing because it only does the below, as the setting’s own description explains – it does not remove or block the Store app itself) or use the matching registry setting to remove the Microsoft Store option from any ‘open with’ dialog – Turn off access to the Store (admx.help)

Simple, but it covers the case of a user complaining that they just followed what the computer told them to do, and ended up with some wacky or weird solution from the Microsoft Store that they start entering company data into. It also ties into a bigger piece around how you handle the Microsoft Store as a whole. I also found this blog post which goes into great detail about the Microsoft Store and how to control it, including the above setting: Restricting or blocking access to the Microsoft Store (call4cloud.nl)

2. Ensure ‘Backup Directory’ is set to ‘Backup the password to Azure AD only’

LAPS (Local Administrator Password Solution) is an incredibly important solution to prevent lateral movement between devices. At the high level, it is designed to automatically manage the local administrator password on each device, and make it unique. This means if someone was able to obtain the password on a single device, they can’t then use that same account against every other device in an organisation. More details: https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-overview (and back in 2017 I was going on about it too https://www.adamfowlerit.com/2017/02/havent-deployed-laps-yet/)

Until October 2023, native support was on-premises only; now Intune supports it too. If you haven’t looked into LAPS, or didn’t realise you can now do it in a cloud-only environment, then put it at the top of your list.

Assuming you are now living with LAPS, the option Backup Directory controls where the LAPS password for each device goes. Apart from the default disabled option, this can either be ‘Backup the password to Active Directory only’ or ‘Backup the password to Azure AD only’ (yes I know it’s now Entra ID, nobody’s updated this name yet).

If you’re cloud only (Entra ID Joined) or cloud first, then this option should be ‘Backup the password to Azure AD only’ – your Entra ID should be more secure than your Active Directory, and this decision should really be a part of whatever system you’re putting first. It’s also a bit neater to view/report on events where any account is looking at the LAPS password value of a device in Entra ID, compared to on-premises Active Directory where you may have many different AD domain controllers and hopefully good monitoring/reporting of events across the entire environment – but more room for error there.

Creating a policy for this is quite a simple process from the Microsoft Intune Admin Center:
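Once the policy is out, the check I’d actually want is whether each device has a LAPS password sitting in Entra ID at all. The script below is an added example and not part of the original post or of CIS’s material: it assumes the Windows LAPS PowerShell module (ships with Windows 11 and Windows Server 2019+ after the April 2023 update) and the Microsoft Graph PowerShell SDK are installed, and that the account running it can read device local credentials. It deliberately never asks for the password value itself, only the metadata.

```powershell
# Added example (not from the original post): list Entra ID Windows devices and whether a
# LAPS password has been backed up to Entra ID for them, flagging missing or expired ones.
# Assumptions: LAPS module + Microsoft Graph PowerShell SDK installed; caller has the
# Device.Read.All and DeviceLocalCredential.Read.All scopes (the latter is metadata only;
# DeviceLocalCredential.ReadBasic.All is not enough for expiry times).
Import-Module LAPS
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'Device.Read.All','DeviceLocalCredential.Read.All' -NoWelcome

# Filter client-side so we do not depend on Graph's filter support for operatingSystem
$devices = Get-MgDevice -All | Where-Object { $_.OperatingSystem -eq 'Windows' }

$report = foreach ($d in $devices) {
    $laps = $null
    try {
        # No -IncludePasswords: the secret is never pulled into this session or the report
        $laps = Get-LapsAADPassword -DeviceIds $d.DeviceId -ErrorAction Stop
    } catch {
        # Falls through with $laps = $null: no credential stored for this device
    }

    if ($null -eq $laps) {
        # Policy not applied, device not checked in since enrolment, or backup directory not Entra ID
        $status = 'NoLapsPassword'
    } elseif ($laps.PasswordExpirationTime -lt (Get-Date)) {
        # Rotation should have happened; device may be offline or the LAPS service is not running
        $status = 'Expired'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        DeviceName  = $d.DisplayName
        DeviceId    = $d.DeviceId
        Account     = if ($laps) { $laps.Account } else { $null }
        LastUpdated = if ($laps) { $laps.PasswordUpdateTime } else { $null }
        Expires     = if ($laps) { $laps.PasswordExpirationTime } else { $null }
        Status      = $status
    }
}

$report | Sort-Object Status, DeviceName | Format-Table -AutoSize

# Anything that is not OK is a device you could not use LAPS on in an incident right now
$report | Where-Object Status -ne 'OK' | Export-Csv -Path .\laps-gaps.csv -NoTypeInformation
```

Reading the password value is a separate, audited action (Get-LapsAADPassword -IncludePasswords -AsPlainText), and every call to it shows up in the Entra ID audit log – which is the reporting advantage of backing up to Entra ID that the section above is getting at.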

3. Ensure ‘Allow Cross Device Clipboard’ is set to ‘Block’

I am a huge fan of Clipboard in Windows and use it many times every single day. If you aren’t aware of this feature, press Winkey + V on your keyboard and it’ll pop up, asking if you want to enable it. It keeps a history of your clipboard contents – whatever you Ctrl + C, Ctrl + X, or right-click > copy. This is really handy when you’re copying all the time but want to paste or recall something beyond the absolute last thing you copied. It supports both text and pictures.

Of course, this means it will also capture things like passwords and other data you probably don’t want floating around. One feature of Clipboard in Windows is the ability to enable ‘Clipboard history across your devices’, which sounds somewhat handy but drastically increases the risk of data leakage, because you’re now syncing that information up to your account – either a work account (where it should at least sit securely within your M365 tenant/Entra ID) or a Microsoft consumer account. It’s an unnecessary risk for little benefit: the clipboard history should stay local and be cleared on logoff/reboot. With Clipboard sync disabled it purely sits in memory and is lost afterwards.

Please start or keep using Clipboard in Windows, but turn off Clipboard sync. The policy allows it by default, so users can switch it on themselves unless you block it.

Here’s the registry setting: Allow Clipboard synchronization across devices (admx.help)

4. Ensure ‘Notify Unsafe App’ is set to ‘Enabled’

Another setting disabled by default. Instead of explaining, I’ll just quote directly from the Group Policy setting:

This policy setting determines whether Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they type their work or school passwords in Notepad, Winword, or M365 Office apps like OneNote, Word, Excel, etc.

If you enable this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen warns your users if they store their password in text editor apps.

If you disable or don’t configure this policy setting, Enhanced Phishing Protection in Microsoft Defender SmartScreen will not warn users if they store their password in text editor apps.

This one sounds pretty reasonable right? If a user types their password into a program being monitored by Enhanced Phishing Protection, it’ll pop up and tell you:

Note that with my testing, this doesn’t apply to Microsoft Edge, nor does it apply if you paste your password, it has to be typed – but still a pretty good user reminder on something they shouldn’t be doing!

Interestingly I couldn’t find the registry value on GetADMX but the ‘Notify Unsafe App’ setting is available in Group Policy, and in Intune – create a Settings catalog policy, and use the settings listed under the category SmartScreen > Enhanced Phishing Protection: Notify Unsafe App. Further information here: https://learn.microsoft.com/en-us/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection?tabs=intune

Also worth checking the other Enhanced Phishing Protection settings at the same time: Automatic Data Collection, Service Enabled, Notify Malicious, and Notify Password Reuse.

5. Ensure ‘Turn off toast notifications on the lock screen (User)’ is set to ‘Enabled’

This final one is pretty obvious. When a PC is locked, you don’t want notifications popping up that may contain sensitive information and be visible by anyone that can see the screen. This is a feature that I don’t think should even exist… but it does and it’s on by default. You want to enable the setting to disable the feature (yes this is a dig at the inconsistent state of settings and enabling/disabling!).

Easily done via the registry setting Turn off toast notifications on the lock screen (admx.help), or by enabling ‘Turn off toast notifications on the lock screen’ in Intune via a Configuration Profile. A full guide is available here: Disable Toast Notifications From Lock Screen Using Intune HTMD Blog (anoopcnair.com)
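Items 1, 3, 4 and 5 above all end up as a single registry value on the device, so they can be audited together once the Intune policy has had a chance to apply. The script below is an added example (mine, not from the post or from CIS) that checks all four on the local machine. The registry locations are the ADMX-backed paths as I understand them, and the Enhanced Phishing Protection one in particular I have taken from the WebThreatDefense policy CSP rather than GetADMX, so treat the paths as assumptions and confirm against your own tenant before relying on the result.

```powershell
# Added example (not from the original post): audit the four registry-backed settings from
# items 1, 3, 4 and 5 on this device. Paths are assumptions based on the ADMX / Policy CSP
# documentation; confirm them in your environment.
# Item 5 is a per-user policy: run this in the logged-on user's context (not an elevated
# session for a different account) or HKCU will be the wrong hive.
$checks = @(
    @{ Item     = '1. Turn off access to the Store (open-with prompt)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'
       Name     = 'NoUseStoreOpenWith'
       Expected = 1 }
    @{ Item     = '3. Allow Cross Device Clipboard'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
       Name     = 'AllowCrossDeviceClipboard'
       Expected = 0 }
    @{ Item     = '4. Enhanced Phishing Protection: Notify Unsafe App'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WTDS\Components'
       Name     = 'NotifyUnsafeApp'
       Expected = 1 }
    @{ Item     = '5. Turn off toast notifications on the lock screen (User)'
       Path     = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications'
       Name     = 'NoToastApplicationNotificationOnLockScreen'
       Expected = 1 }
)

function Test-CisSetting {
    param([Parameter(Mandatory)][hashtable]$Check)

    $actual = $null
    if (Test-Path -Path $Check.Path) {
        # Property may be absent even when the key exists; treat that as "not set"
        $actual = (Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    }

    [pscustomobject]@{
        Item     = $Check.Item
        Value    = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected = $Check.Expected
        # "(not set)" is a FAIL on purpose: the OS default for all four is the insecure state
        Result   = if ($actual -eq $Check.Expected) { 'PASS' } else { 'FAIL' }
    }
}

$results = foreach ($c in $checks) { Test-CisSetting -Check $c }
$results | Format-Table -AutoSize

# Non-zero exit when anything failed, so this drops straight into an Intune
# remediation "detection" script as-is.
if ($results.Result -contains 'FAIL') { exit 1 } else { exit 0 }
```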

That’s it for the list – as always I hope you found it interesting and love hearing any feedback (including constructive criticism), and hope it helps people out there to always be thinking security.

5 Things To Check In Your Microsoft 365 Tenant

I’ve been diving into the Center for Internet Security’s (CIS) benchmarks lately – which are a set of benchmarks to use against different technologies (including Microsoft 365 and freely available for non-commercial use). They are a good set of checks to go through in a tenant to review configuration with a security focus; including how to remediate.

There is of course a lot more to it than reading a document and configuring items the way it says to; you need to understand what you’re changing, and what impact that may have on the business and its end users. For example, blocking the ability to share anonymous links from SharePoint/OneDrive is generally ‘a good idea’ security-wise, but if your users are actually doing that, you probably don’t want to just shut it off. You need to assess what’s being used and how, and have a strategy to get to a more secure point.

Anyway, I’ve picked my favourite 5 settings from their comprehensive list that I feel people could miss; I may have missed these myself when I used to be a Microsoft 365 administrator.

For PowerShell commands, if you’re not sure how to get to the right module (e.g. Exchange Online from my first example) then check out msshells.net which will show you how to install and connect.

The headings are quoted from CIS, but the rest of the material is my own:

1 – 3.1.1 Ensure Microsoft 365 audit log search is Enabled

If you’re a Microsoft 365 focused admin, Azure and log search may not be front of mind for you unless you go looking to solve a problem that arises.

This should be enabled in new tenants, but older ones may not have it. First check its status with this PowerShell command in Exchange Online:

Get-AdminAuditLogConfig | Select UnifiedAuditLogIngestionEnabled

This will show a True or False value – if it’s True, it’s on. If it’s off/False, enable it with this command:

Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true

This should have no user impact and just enables the ingestion of the Audit Logs.

To view these logs you can use PowerShell commands, but this is generally one I’d rather use a GUI for – go to the Microsoft Purview portal and the Audit section, and trigger a search. Without getting into too much detail, there’s two tiers of Audit – Standard and Premium. Read further information here.
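If you’d rather do the whole thing in one sitting, the script below (an added example, not from the original post) checks the setting, enables it if needed, and then pulls a day of the admin-style events you most want to be sure are being captured – mailbox permission changes and inbox rule creation, both classic post-compromise moves. It assumes the ExchangeOnlineManagement module and an account holding the Audit Logs role.

```powershell
# Added example (not from the original post): verify / enable unified audit log ingestion,
# then prove events are flowing by searching for a few high-value operations.
# Assumes the ExchangeOnlineManagement module and a role that can read audit logs.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF - enabling it now'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # Events can take up to about an hour to start appearing after enabling
} else {
    Write-Host 'Unified audit log ingestion is already enabled'
}

# Last 24 hours of the operations an attacker with a mailbox typically performs
$end   = Get-Date
$start = $end.AddDays(-1)
$ops   = 'Add-MailboxPermission', 'New-InboxRule', 'Set-InboxRule'

$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops -ResultSize 500

$events |
    ForEach-Object {
        # AuditData is a JSON blob; the interesting fields live inside it
        $data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When   = $_.CreationDate
            Who    = $data.UserId
            Op     = $_.Operations
            Target = $data.ObjectId
            IP     = $data.ClientIP
        }
    } |
    Sort-Object When -Descending |
    Format-Table -AutoSize

if (-not $events) {
    Write-Host 'No matching events in the last 24 hours (fine in a quiet tenant, suspicious right after enabling - wait and re-run)'
}
```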

2. Ensure modern authentication for SharePoint applications is required

This is another one that many old tenants may have wrong. SharePoint has ‘legacy authentication’ in the same way as other services that have already deprecated legacy auth or are planning to – Exchange Online being the one most people know about.

To check if you have this disabled, connect via PowerShell to SharePoint Online and run the command:

Get-SPOTenant | ft LegacyAuthProtocolsEnabled

True means legacy auth is enabled, False means it’s disabled – and we want it to be False. The command to disable it is:

Set-SPOTenant -LegacyAuthProtocolsEnabled $false

Entra ID’s Conditional Access should also be configured to block all legacy auth requests, but this is an extra layer to make sure SharePoint won’t work that way regardless (plus holes get poked through Conditional Access all the time!). There seems to be very little official public documentation about this option from Microsoft – I could find this example where they show how to set it to $true to avoid some login issues, which is a bit concerning.

This is one that may have some user impact or application impact if systems are connecting to SharePoint Online in legacy ways. Users should be used to modern auth and match their experiences in other Microsoft 365 services – applications however would need to be redesigned or updated to accommodate this. You can search the Entra ID authentication logs for any attempts to connect to SharePoint Online using legacy authentication over as long as possible before changing this setting.
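The assessment step above can be scripted. The example below is mine, not from the original post: it pulls the last 30 days of Entra ID sign-ins to SharePoint Online from Graph, lists anything that did not come through a modern client, and only flips the tenant setting if nothing turns up. It assumes the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell, an Entra ID P1/P2 licence (sign-in log retention is 30 days there, 7 on the free tier), and the admin URL shown is a placeholder for your own tenant. The Graph $filter on resourceDisplayName is an assumption on my part; if your tenant rejects it, drop that clause and filter client-side.

```powershell
# Added example (not from the original post): look for legacy-auth sign-ins to SharePoint
# Online before disabling LegacyAuthProtocolsEnabled.
# Assumptions: Microsoft.Graph.Reports + Microsoft.Online.SharePoint.PowerShell installed,
# Entra ID P1/P2 for 30 days of sign-in logs, and an admin URL of your own in place of contoso.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All' -NoWelcome

$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "createdDateTime ge $since and resourceDisplayName eq 'Office 365 SharePoint Online'"  # filter clause assumed
$signIns = Get-MgAuditLogSignIn -Filter $filter -All

# In the sign-in log, anything other than these two client types is basic/legacy auth
$modernClients = 'Browser', 'Mobile Apps and Desktop clients'
$legacy = @($signIns | Where-Object { $_.ClientAppUsed -notin $modernClients })

$legacy |
    Group-Object UserPrincipalName, ClientAppUsed, AppDisplayName |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

if ($legacy.Count -eq 0) {
    Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder admin URL
    Set-SPOTenant -LegacyAuthProtocolsEnabled $false
    Get-SPOTenant | Select-Object LegacyAuthProtocolsEnabled          # expect False
} else {
    Write-Warning "$($legacy.Count) legacy-auth sign-ins to SharePoint in the last 30 days - fix those clients before disabling"
}
```

Note that this only looks at interactive sign-ins, which is where basic-auth clients land; if you already block legacy auth with Conditional Access you’ll see them as failures in the same log, which is still useful for finding the clients that need updating.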

3. Ensure sign-in to shared mailboxes is blocked (Automated)

Shared Mailboxes are both a delight, as a central place for emails to land that multiple staff can access, and a dismay, because of user expectations of being able to send as the account and potentially log in as it. A reception desk or similar may have multiple people jumping in and out of the location who want the same contents without the time-consuming task of logging in and out of the computer each time. Regardless, security-wise each user should have a unique login, with all their actions performed under that login.

Although it can be a fight and go way beyond a technical issue – shared mailboxes should be disabled from logging in. A disabled from login shared mailbox can still send and receive emails; you’re only disabling the ability to log in using that account itself, and the mailbox can still be accessed as a delegate.

As this is a per account setting, you’ll need to check all shared mailboxes. As per Microsoft Learn, you can block a single account from the Microsoft 365 Admin Center and go to Users > Active Users, select a Shared Mailbox, and click the ‘Block Sign-In’ option:

… but this doesn’t really scale to check all Shared Mailboxes and change the setting. Instead, as per Microsoft Learn, we have to use Exchange Online PowerShell to find the shared mailboxes, then we can use Microsoft Graph PowerShell SDK to disable them. After connecting to Exchange Online and Microsoft Graph with the below scope:

Connect-MgGraph -Scopes User.ReadWrite.All

You can then run the one command to use Exchange Online to find all Shared mailboxes and then use Microsoft Graph to set the account to disabled:

Get-EXOMailbox -RecipientTypeDetails "SharedMailbox" -ResultSize Unlimited | ForEach-Object { Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false }

You could also do the same for Room and Equipment mailboxes if they don’t need to sign in:

Get-EXOMailbox -RecipientTypeDetails "RoomMailbox","EquipmentMailbox" -ResultSize Unlimited | ForEach-Object { Update-MgUser -UserId $_.ExternalDirectoryObjectId -AccountEnabled:$false }

Also note that Exchange Online has its own ‘AccountDisabled’ property (Set-Mailbox -AccountDisabled $true) which you could set, but this only blocks sign-in to the mailbox, not the entire account across every M365 service/Entra ID authentication.

User impact on this needs to be assessed by again checking the Entra ID logs against each Shared Mailbox, and working out how to set systems up to avoid the shared account login. There may be some user resistance to this, but one argument could be ‘what if someone sent a nasty email to your boss under the account and they thought it was you – you couldn’t prove it wasn’t easily if others are also using that same account’.
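To do that assessment in bulk rather than one mailbox at a time in the portal, the script below (an added example, not from the original post) joins each shared mailbox to its Entra ID user object and reports whether sign-in is still enabled and when the account last signed in. It assumes the ExchangeOnlineManagement module and the Graph SDK, and an Entra ID P1/P2 licence, which the signInActivity property needs; the 90-day threshold is my own choice.

```powershell
# Added example (not from the original post): per shared mailbox, show sign-in state and last
# sign-in so you can see who is still logging into them before blocking sign-in.
# Assumptions: ExchangeOnlineManagement + Microsoft.Graph.Users modules; Entra ID P1/P2
# (signInActivity needs it); 90 days is an arbitrary "recently used" window.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

$recent = (Get-Date).AddDays(-90)
$shared = Get-EXOMailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

$report = foreach ($mbx in $shared) {
    # ExternalDirectoryObjectId is the Entra ID object id of the account behind the mailbox
    $u = Get-MgUser -UserId $mbx.ExternalDirectoryObjectId -Property 'accountEnabled,signInActivity,userPrincipalName'
    $lastSignIn = $u.SignInActivity.LastSignInDateTime

    $action = if (-not $u.AccountEnabled) { 'Already blocked' }
              elseif ($lastSignIn -and $lastSignIn -gt $recent) { 'Investigate: signed in recently' }
              else { 'Safe to block' }

    [pscustomobject]@{
        Mailbox       = $mbx.PrimarySmtpAddress
        SignInEnabled = $u.AccountEnabled
        LastSignIn    = $lastSignIn
        Action        = $action
    }
}

$report | Sort-Object Action, Mailbox | Format-Table -AutoSize

# Feed only the "Safe to block" ones into the Update-MgUser loop above
$report | Where-Object Action -eq 'Safe to block' | Export-Csv -Path .\shared-mailboxes-to-block.csv -NoTypeInformation
```

A recent interactive sign-in by a shared mailbox is exactly the pattern you want to get rid of: either someone is using it as a shared login, or a script or device is, and both need a proper identity before the account is blocked.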

4. Ensure ‘Per-user MFA’ is disabled

This is the ‘old’ MFA from before Conditional Access was around. It only supported the MFA methods ‘Call to phone, Text message to phone, Notification through mobile app, and Verification code from mobile app or hardware token’.

You can check if any users have this enabled by going to https://account.activedirectory.windowsazure.com/usermanagement/multifactorverification.aspx and ensuring all users show as ‘disabled’ for the ‘MULTI-FACTOR AUTHENTICATION STATUS’ column.

If you see any users enabled, then you should ensure Conditional Access is set up and ready to go, then change the users to disabled. You also shouldn’t be using this function at all when Conditional Access is enabled. A few warnings from Microsoft:

More details here: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-mfa-userstates
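The legacy portal page above is the only per-user MFA view most admins know, but it doesn’t scale past a few hundred users. The script below is an added example of mine (not from the original post) that lists every enabled user whose per-user MFA state is anything other than disabled. It uses the Graph beta ‘authentication/requirements’ endpoint via Invoke-MgGraphRequest; that endpoint and the permission scope are assumptions on my part, so check them against the current Graph documentation. The disable call is left commented out on purpose, as the text above says: have Conditional Access in place first.

```powershell
# Added example (not from the original post): find users still on legacy per-user MFA.
# Assumptions: Microsoft Graph PowerShell SDK installed; the beta endpoint
# /users/{id}/authentication/requirements and its perUserMfaState property exist as described
# in current Graph docs; Policy.ReadWrite.AuthenticationMethod is the scope it needs.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All', 'Policy.ReadWrite.AuthenticationMethod' -NoWelcome

$users = Get-MgUser -All -Property 'id,userPrincipalName,accountEnabled' |
         Where-Object { $_.AccountEnabled }

$states = foreach ($u in $users) {
    $req = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements"
    [pscustomobject]@{
        UPN        = $u.UserPrincipalName
        Id         = $u.Id
        PerUserMfa = $req.perUserMfaState      # expected values: disabled / enabled / enforced
    }
}

$legacyMfa = @($states | Where-Object { $_.PerUserMfa -ne 'disabled' })
"$($legacyMfa.Count) of $($states.Count) enabled users still have per-user MFA set"
$legacyMfa | Sort-Object PerUserMfa, UPN | Format-Table -AutoSize

# Only after Conditional Access MFA policies are live and tested for these users:
# foreach ($u in $legacyMfa) {
#     Invoke-MgGraphRequest -Method PATCH `
#         -Uri "https://graph.microsoft.com/beta/users/$($u.Id)/authentication/requirements" `
#         -Body @{ perUserMfaState = 'disabled' }
# }
```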

5. Ensure a dynamic group for guest users is created

I quite like this one. Yes, you can reasonably easily determine if an account is a guest account or not, but having an automated group means it’s easy to point other Conditional Access policies, or other monitoring, on what these accounts are doing in your tenant. It’s very little effort to create, doesn’t need maintenance, and can help in other scenarios when you want to review what guest accounts are around.

How to do this is well documented by Microsoft but you do need an Entra ID Plan 1 or Plan 2 license to create dynamic groups.

Simply create a New Group in the Entra Admin Center https://entra.microsoft.com/#view/Microsoft_AAD_IAM/AddGroupBlade

and after entering a Group name and choosing Membership type: Dynamic User, click ‘Add dynamic query’:

Use the filters Property = userType, Operator = Equals, Value = Guest, and click ‘Save’, then ‘Create’.

Note that it can take a minute for the group to initially populate. You can now use this group to block from certain things as an extra layer of protection against accidental permissions, or have extra Conditional Access policies that always require certain MFA methods.

If you don’t have Entra ID Plan 2 to be able to have guest reviews, you could use the membership of this group as a simple way to review the guest accounts in your tenant.
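The same group can be created from PowerShell, which is handy if you build tenants repeatably. The script below is an added example of mine rather than anything from the original post or Microsoft’s documentation: it creates the dynamic group with the rule from the steps above, waits for the initial population, then compares the member count against a direct query for guest users so you know the rule is doing what you expect. It assumes the Graph SDK and an Entra ID P1/P2 licence; the group name and mail nickname are my own choices.

```powershell
# Added example (not from the original post): create the dynamic guest group and verify it.
# Assumptions: Microsoft.Graph.Groups / Microsoft.Graph.Users modules installed; Entra ID P1/P2
# for dynamic membership; group name and nickname are placeholders.
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' -NoWelcome

$group = New-MgGroup -DisplayName 'All Guest Users (dynamic)' `
    -Description 'Auto-populated: every account with userType Guest' `
    -MailEnabled:$false -MailNickname 'all-guest-users' -SecurityEnabled:$true `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule '(user.userType -eq "Guest")' `
    -MembershipRuleProcessingState 'On'

"Created group $($group.DisplayName) with id $($group.Id)"

# Dynamic membership is evaluated asynchronously; give the first pass a couple of minutes
Start-Sleep -Seconds 120

$members = @(Get-MgGroupMember -GroupId $group.Id -All)

# Independent check: count guests directly (userType filter needs advanced query mode)
$guests = @(Get-MgUser -Filter "userType eq 'Guest'" -All -ConsistencyLevel eventual -CountVariable guestCount)

"Dynamic group members: $($members.Count); guests by direct query: $($guests.Count)"
if ($members.Count -ne $guests.Count) {
    Write-Warning 'Counts differ - the group may still be populating; re-check in a few minutes'
}

# Quick review list, which doubles as the poor man's access review mentioned above
$members | ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } | Sort-Object
```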

That’s my top 5 picks – check out the CIS Benchmark for Microsoft 365 yourself along with their other benchmarks as there’s a lot to learn and check through. It’s also not a one-time thing, settings change, the benchmark itself grows (currently at v3.1 at the time of writing), plus there’s more security to check beyond this!

Hands on with Microsoft’s own PC Cleaner and Utility Toolkit – Microsoft PC Manager

Microsoft PC Manager isn’t an overly well known tool. It came out in 2022 and according to the official website it will “Safeguard your PC in a quiet and reliable way”. It’s not included in Windows, and instead needs to be downloaded and installed… and it sounds like the many other tools (both well meaning and malicious) that have been around for many years; so what’s the deal with PC Manager?

The app downloads via the Microsoft Store and has a 4.5 rating from 22 reviews. Or, it has a 4.2 rating from 402 ratings depending which PC I checked from. A few clicks and you’ll have it installed on your Windows 10 or Windows 11 device.

I’ll take you through a bit of a journey on using the app. There is some good stuff in here, but at the same time a lot of it seems quite puzzling in what they’re trying to achieve and who the target audience is. I’ve been running Microsoft PC Manager for a while, but when I open it up, here’s what the home area looks like:

There’s a few things going on, but I do like the overall dashboard, and the reminder of what Windows Phone used to look like before its untimely demise. Let’s go through some of the options to see what’s going on.

PC Manager suggests that I have a lot of temporary files and should clean them up. The Deep Cleanup link scans the computer and offers up suggestions on what to delete. Not all options are ticked by default.

Options include areas like Windows Update files, Edge Cache, temporary files etc. For me, it skipped Windows Update files as they were in use. Unsure why, as I have no pending installs or reboots. Going back to the home screen, we see a new suggestion around making the PC more accessible.

The ‘Discover more tips’ link takes me to a website that also calls out that I can do these accessibility functions, with a button to tell Edge to go back to my Windows desktop and open the accessibility settings. Doing this doesn’t clear this home page ‘tip’ and there’s no way to close it, so I guess it’s stuck there until Microsoft decide to change what that banner is. The most ironic part is that after adjusting the text size, PC Manager becomes unusable. You can’t resize the PC Manager app – it’s stuck at its small size, you can’t click on a corner to expand it, and there’s no maximise window:

Moving down, we’ve got a giant Boost button. Clicking it generates a little rocket ship flying through that same button, and within a few seconds my memory usage has gone down from 68% to 53%, and all temporary files removed. Why those temporary files weren’t removed on the first step where I cleaned up unused files, I do not know.

Moving to the Health check, which I’ve never run before, it suggests two types of things: cleaning up files (again??), which this time are all ticked by default, and startup apps that can be disabled. For items to clean up, it shows the size – and for startup apps, it just says ‘High’ or ‘Unknown’ with no indicator of what that means. If you’re familiar with Task Manager though, you’ll probably know that’s the startup impact. Task Manager will also let you go straight to the executable in case you want to know more, but that’s not possible here.

I was about to click ‘Proceed’ but noticed the ‘Reset Edge defaults’ option – hovering over the question mark reveals that it will ‘Restore Search Engine to Bing’. So is it restoring multiple default options, as the plural suggests – or is it just changing my search engine back to Bing? Who knows, but it definitely does change the search engine to Bing. Recently, PC Manager was prompting with the suggestion to change the search engine to Bing https://www.theregister.com/2024/05/16/microsoft_pc_manager_bing/ – maybe there’s an argument to say Bing is safer with your data than Google (one that Google would dispute I’m sure) but it’s another layer of the confusing goal of this tool.

Moving on to ‘Process’, it purely shows the same applications I’d see in Task Manager, again with less detail. It suggests terminating application processes to speed up your computer, and also ending these apps if needed. This must be confusing to someone who doesn’t know better – is it teaching people to end every app thinking their PC will be sped up? What defines an app needing to be ended? There is no indication of the impact of an app beyond its memory usage, and if I’m only now using 53% because of the magical Boost button, there’s no need to even do this.

The ‘Deep Cleanup’ area is the same as what was suggested at the start, so we’ll jump to the Startup area instead. Alright, now we’re seeing the same information that was in the Health Check area, except it does say that it’s a Startup Impact. Why did we even have the other area?

Jumping to System Protection, we have a big blue ‘Scan’ button for ‘Virus & threat protection’. This opens the same named area of Windows Security and triggers a quick scan.

Windows Update however triggers the update process from inside the app, and shows the progress there. There’s a lot of blank space on this page, so a tiny Windows Tip is used in that space.

‘Default browser settings’ shows a single setting that shows you your current browser, and a Change button. The resulting screen really makes me think this isn’t a polished product.

‘Taskbar repair’ feels like it’s two options aimed at a hijacked computer that’s had a bunch of taskbar settings modified. For me, I had nothing to repair.

‘Restore default apps’ is a bit of a weird one – again, I feel like this may be targeted at a hijacked PC. The ‘Change’ button next to PDF documents just takes me to the Windows Settings Default apps page, and that’s for me to work out what to do from there. It does the exact same thing as the ‘Set defaults for applications’ link below it, which for some reason doesn’t appear as a button.

‘Pop-up management’ sounds interesting – I haven’t blocked any pop-ups yet, but hopefully one day I will. ‘Custom block’ I can’t really work out what it is from that name, and the information for it says ‘The shortcut key is , you can change it in the settings’. I get a feeling the shortcut key isn’t actually a comma, but isn’t set. The first time I clicked the ‘Select on-screen’ button , a message popped up about joining a program. I closed that to come back to it, but the next time I clicked the same button, it instead started functioning and wanted me to select a window to block. After checking from another PC, it was a feedback program where you could provide extra information to help improve PC Manager in the future around this feature. From what I can gather, you can pick whatever window that pops up to block that popping up in the future. Again, this feels like it’s targeted at a compromised computer, and I’m not sure hiding popups is a safe and secure solution when there’s malicious code running on the device, but maybe there’s more to it.

Moving onto the ‘Storage’ area, we again have that ‘Deep cleanup’ option that was on the home page. Makes sense to have it here too, so let’s check the other options.

‘Downloaded Files’, ‘Large Files’, and ‘Duplicate Files’ all open another PC Manager window which has tabs for the three functions. This one’s actually pretty neat. Although ‘Downloaded Files’ just takes you to your Downloads folder, it sorts by size and you can pick what sort of file you want, such as Video, Audio, Picture etc. Large Files just looks for big files anywhere on your PC and sorts by size, and you can specify what a Large File is (default is >10MB, but you can change it to >50MB, >100MB, or >1GB). You can’t be more specific on the location beyond which disk you want to check. Duplicate Files is the same, where it’ll scan one or more disks for identical files. There is a little ‘Smart select’ link you can click which chooses which of the duplicate files to delete, but it’s a bit hidden, and I could see someone accidentally deleting both copies of a duplicate and being left with nothing.

The last option under ‘Storage’ is ‘Storage Sense’ which just takes you to the same named Settings page, but I already had the option enabled.

Next up is ‘Apps’. In this area, ‘Process management’ is the same as the ‘Process’ button, and ‘Startup apps’ is the ‘Startup’ button that both were on the ‘Home’ area. ‘Manage apps’ just takes you to the ‘Installed apps’ section of Windows Settings, and ‘Microsoft Store’ opens Microsoft Store. Microsoft Store excluded, the naming of pages and areas of PC Manager is a bit all over the place.

‘Toolbox’ is a bit more interesting. From first glance, it looks like it is a bunch of tools, which is a bit different from what the rest of the PC Manager app has been focusing on:

If you like little programs that hover over everything you’ve got open, then ‘Show toolbar on the desktop’ is the option for you. It contains the same links as per the six Windows Tools in this section, and you can choose which of the six you see as buttons. The 66% below is the available memory, and clicking it appears to do what that original ‘Boost’ button did. I am sure there’s some use case for wanting to see what your memory usage is all the time, but not care about other data like CPU usage, but I feel like that’s an edge case and maybe it’s time to get some more RAM.

The six Windows tools just open the relevant programs. One I hadn’t realised was in Windows now is Captions – and after testing a few Australian YouTube clips, I was impressed by its accuracy – worth checking out.

The ‘Web tools’ section has ‘Edge Quick Links’, which are the same quick links you’d see when opening Edge, and ‘Bing Translator’, which opens your browser to the Bing Translator page. ‘Currency Converter’ just does a text search on Bing for that term, so you can use the inbuilt converter. Finally, the ‘Custom Links’ section is just an area you can add your own URLs into and display extra buttons for those links.

Going further down the menu list, the ‘Restore’ button appears to look for default settings that have been changed, and lets you reset them back. In this case it’s detected that after testing a previous option’s tickbox of setting Bing as my search engine, “someone” has changed it away from that. This is yet another option that feels like it’s trying to remediate something malicious, but not actually fixing whatever caused it.

Last on the list is ‘Settings’. In here we have ‘Boost setting’ which is a Smart boost option – instead of having to click that Boost button, it will trigger a Boost when either 1GB of temporary files are detected, or high usage of RAM.

We also have “Shortcuts setting’ which, while grammatically I can’t accept, also can’t accept Ctrl+F2 as the shortcut combo for that previous ‘Custom block of pop-up management’ – which raises two points: I knew it wasn’t a comma, and why is the word ‘of’ in that sentence? Strangely, clicking the box and pressing Ctrl-F2 made the error go away, and that key combo now works for ‘Custom block’.

That took a lot longer than I thought to go through all the options, but it brings me to a bit of a conclusion. I don’t know who this tool is for, or what it’s really trying to be. There’s elements that are aimed at your standard home user that maybe has a PC not running too well, and they can manage some bits and pieces themselves to try to improve their experience. But, there’s not really any safety rails in the potential mess they can cause by stopping all apps from starting up, deleting a duplicate file that might really need to be in the location it was in, or constantly killing off processes because they think that’s required to use their PC.

The toolbox function doesn’t need to exist – it could be its own program, and be a lot more useful. The protection area does very little protection-wise beyond triggering a virus scan, which should trigger regularly anyway.

The idea of what problems Microsoft PC Manager was built to solve I can see – that all in one PC cleanup/improvement program – but it’s partially black box, partially missing things like ‘What program is using all my CPU’. It feels like a side project that someone made which then lost momentum from what the end goal should be, and tried to do a bunch of things that were easier. The other question is, why isn’t this functionality built into Windows itself if it’s needed? I would rather see the core cleanup and repair type actions just be a part of Windows, than need to download an extra program to do it.

Microsoft Copilot for Microsoft 365 Enablement Experience

I’ve recently purchased Copilot for Microsoft 365 to play with on my own tenant, and wanted to share my experience. No, I did not use Copilot or any other AI to write this post :) Some of the below may sound picky, but I’m trying to be clear around names and functions as I found a lot of it hard to correctly define as I went. You’re going to see the word ‘Copilot’ a lot – sorry.

First, I’ll attempt to clarify that I’m only looking at Copilot for Microsoft 365. What “Microsoft Copilot” is turns out to be a harder question to get your head around, because Bing Chat for Enterprise/Bing Chat Enterprise is now just called Copilot. Copilot for Microsoft 365 is Copilot integrated into the Microsoft 365 apps – so think of Copilot as the AI solution itself, and “Copilot for X” as Copilot integrated with X, able to use some of the data in it, and giving answers more contextual to that solution (but not limited to it!).

I found this really good graphic of Microsoft Copilot but can’t find the original source!

Alright, so looking at the options below we have Copilot which is free, Copilot for Microsoft 365 which you pay for per user and integrates into Microsoft 365 apps… and there’s also Copilot Pro which gives you integration with some of the Microsoft 365 apps and a few extra base Copilot perks. Copilot Pro is for consumers and targeted at individuals, you can’t buy this against a business account.

In my own tenant of 1 active user, I purchased Copilot for Microsoft 365. I had to do this for a year because it was either that, or 3 years. My tenant is quite old, US based, and also has some trial/unique test licenses applied from Microsoft.

Just for reference too, Copilot for Microsoft 365 data and processing stays within the service boundary, and is not read or used by Microsoft in any other way.

Source: https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/ecosystem

Note that although the official diagram above is titled “Microsoft 365 Copilot”, that was the name at launch; it is now “Microsoft Copilot for Microsoft 365”.

The purchasing and assigning of Copilot for Microsoft 365 is somewhat of a non-event like most other licenses. I was able to buy a single license, as Microsoft reduced the 300 minimum requirement in December 2023. From the Microsoft 365 admin center, you have the following subservices available:

From the user side, I just noticed the Copilot options turn up as soon as I went to check them. The first thing I wanted to work out, was how do I interface with Copilot when it’s app agnostic? Here’s where the fun started;

https://copilot.microsoft.com, https://www.microsoft365.com/chat/, and https://bing.com/chat look pretty much the same, two have a ‘work’ option to make sure you’re processing data in your own tenant and not giving sensitive information back to Microsoft in other ways… and the third requires a work login to access – so what’s the difference?

Honestly I’m not sure. I tried working this out but failed – maybe there isn’t one? It will save what you searched, and that history will be visible across all three chat solutions:

I was going to use this example question of ‘how many emails did I get yesterday’ as my next point of frustration – when I had been testing this over the last few days, it incorrectly told me each time that I’d received just 1 email. Then, when I asked it about another email I received in that ‘yesterday’ timeframe, it agreed that one was also received yesterday. When I questioned it about the discrepancy, it stopped the conversation.

However, it looks like that’s already been resolved:

I am glad it’s now not giving an incorrect answer, but I did expect it to be able to actually answer this question with a correct number. We’ll move on to finding some information I know is in there:

I asked to see ALL the emails where I’ve passed a Microsoft exam. It found one from 2008, something else irrelevant to exams, and then 6 other emails for me to check out.

Note that I have a bunch of emails that should quite clearly be picked up, such as this one from February this year and I found by doing a search of the word ‘Exam’ on my mailbox:

How about certifications then? For some reason it did find a much newer email about a Certification renewal (the word ‘Exam’ wasn’t on that one). When I asked to ‘show me more emails’ it proceeded to just do what I asked out of context, and showed me 5 example emails from my mailbox unrelated to the previous query.

These experiences are frustrating – partly because I can see the amazing potential Copilot has (honestly I can!), but also because of how consistently it can miss the mark of my expectations. It could be that my expectations are too high – but if they are, then it’s Copilot’s job to set them correctly as part of its answers. And no, putting a label saying ‘AI-generated content may be incorrect’ at the bottom of everything doesn’t quite cut it.

OK, how about asking Copilot for Microsoft 365 about files? Asking it what I accessed last is correct, and matches what I see in the ‘My content > All’ section of Microsoft 365. However, that fell over quickly when I asked it what folders were in the root of my OneDrive – it claimed it would have to do a search for that (why don’t you just go and search then?), as well as showing me an ini file I’d opened 6 days ago for Diablo IV – and for reference, that was the 7th last file I’d accessed. Asking it to search for the folders resulted in it telling me that it had now done that search but couldn’t list the folders. Taking its next suggestion, I asked it to list the contents of a folder called Work – I’d created it a few days ago and it has only ever had 1 file in it. The results came back incorrect again, claiming the presentation2 file was in there, when as per the first result it was in a folder called ‘Documents’ and not in a folder called ‘Work’.

OK, enough digging for data.

My other surprise on purchasing the Copilot for Microsoft 365 license was receiving a call at about 5am, which although I woke up to, did not answer in time. I called it back, heard a recording saying it was Microsoft, and assumed it was a scam call. Checking my emails later, I noticed that a case had been logged in my name at 1:06am called “Getting started with Copilot, we’re here to help.”

I logged onto the support area of the Microsoft 365 Admin portal, and yes there was a ticket under my name, with my mobile phone number (including the +61 area code for Australia) that had been logged for me. Yes, I have notes on this experience:

  1. Although Microsoft Support can be used for both break/fix and advisory calls, it should not be used as a marketing tool to proactively ensure a customer is getting value from something they only just purchased. In other words, don’t shoehorn a solution to a problem you see, into a different system not designed for that.
  2. Don’t list it as the customer doing the action themselves if you automate something on their behalf.
  3. Don’t put down on my behalf that I’d like a phone call about the ticket you logged pretending to be me.
  4. Have a look at the customer’s timezone and call them during business hours.
  5. Who came up with the incident title? At least start with ‘Auto generated’ – you’ve used the title as a way to communicate to me when that’s very much not what the title of an incident is supposed to do.
  6. After calling me and waking me up, don’t send an email asking me to respond, but if I don’t you’ll call back again, but claim to do so ‘again’ during business hours.
  7. Don’t use the Status of ‘Feedback’ when it really isn’t – I’m probably not going to have feedback a few hours after enabling the service (but give me a few days to write up a blog post!).

Support also advised me that “A ticket is logged when copilot is purchased” and proceeded to give me a bunch of links about Copilot for Microsoft 365 anyway. Seems like that could have just been the email they sent without all the other noise.

There was one good link in there which was about Copilot prompts – worth a quick look but seriously, why isn’t this just linked at the top of the Copilot prompt area? There’s a lot of white space this link could go in.

I’ve had a few others claim similar experiences when enabling Copilot for Microsoft 365 including Microsoft MVP Karen Lopez:


I know I’ve banged on about frustrations here, but my general point is to try and set realistic expectations around the current state of Copilot for Microsoft 365. It is not a magical answer to doing most of your work for you. It is really good at writing responses for you as either starters, frameworks, or mostly done content to fine tune. It’s really good at summarising emails. It’s really good at responding to something you don’t want to spend time on – I was ‘invited’ to attend free LinkedIn Workshops to help me put content on that platform, and clicking reply brings up a great Copilot experience: auto-answer type buttons depending on the response I want to give, an area to get Copilot to help me draft a response, or I can just start typing and Copilot stays out of the way.

Although I can’t think of many situations that a poem would be my response, it’s one of those options you have to try:

So yes, these sorts of functions are hugely valuable just for these sort of use cases on email. It also does a lot of great stuff in Word, PowerPoint, and Excel, along with Outlook as above – but those deserve their own posts. Copilot, and in turn Copilot for Microsoft 365 is going to get better at a hugely accelerated rate, and the items that are less focused on purely the language side of LLM and a bit more data based will be valuable. And, despite my criticisms above, I still think everyone should buy or at least try this to learn, get ready, and understand what is actually possible right now in our era of AI – just make sure your environment is ready for it with the right controls, processes, and security in place.

Lenovo Go Wireless ANC Headset Review

New job = new headset. I’m fussy about headsets and comfort, and I find many headsets I’ve tried give me earaches. Actual pain from those irregular ovals that stick out your head (a.k.a ears). I also wanted a quality headset with good noise cancellation, so I can focus without hearing those annoying sounds of the world around me, like birds chirping or the man next door who uses his blower vac for a few hours every single day.

Anyway, I looked at how much a headset would cost that is Microsoft Teams certified, is wireless, has a proper mic boom (I’ve had less than great experiences with several headsets that don’t have the boom; they always pick up way too much background noise) and has decent active noise cancelling (ANC) abilities. Pretty much every option I could find was somewhere between $300-$500AU. There was a standout exception to this, Lenovo’s Go Wireless ANC Headset.

The price of the headset on Lenovo’s AU website at the time of writing is $229AU, so I ordered one. A few days later it turned up. The box itself is pretty well presented, with that modern expectation of the unboxing being a good experience (thanks Steve Jobs). Inside the box is the headset itself, a dongle, and a 1.3 m USB-C to USB-C cable. I thought that was it, until I decided to check under the plastic mould…

and behind the plastic mould was a sleeve for the headset! Always check behind the plastic mould :)

Let’s check out the specs of the Lenovo Go Wireless ANC Headset:

Tech Specs (from Lenovo AU)

Capacity: 610 mAh
Color: Storm Grey
Cable Length/Type: 1.3 m
Weight: 230 g
Warranty Type: CRU
Controls: Power/Bluetooth, Volume + / -, ANC on/off, Teams button, Mute / Unmute, Call control
Distortion: < 3%
Driver: 40 mm
Frequency Range: 20 Hz – 20 kHz
Impedance: 32 Ohm
Power Requirement: 5V, 1A
Sensitivity: 107 ± 3 dB
Audio Input: Bluetooth 5.0, USB digital audio
Brand: Lenovo Go
OS Requirements: Windows 10
Packed Weight: 762 g
Package Type: Retail
Packed Dimensions (L x D x H): 227 mm x 87 mm x 255 mm / 8.94″ x 3.42″ x 10.04″
Warranty Period: One Year
Maximum Operating Temperature: 40° C
Minimum Operating Temperature: 0° C
Maximum Relative Humidity (%): 90%
Battery Charging Time: 1.5 hours
Included Accessory: Lenovo USB-A Bluetooth Audio Receiver, USB-C to USB-C cable, Pouch
Microphone: 2 microphones for ENC, 4 microphones for ANC
Play Time: 35 hours
Wireless Operating Distance: 10 m
Connection Type: Bluetooth 5.0, Wired USB-C Cable, USB Receiver

Calling out some of the more important specs – up to 35 hours play time is pretty good. The box calls out a 22 hour talk time, but either way you’re well over a full working day on the phone, which is the important part – plus the USB-C connector means it should be the same plug as everything else you’ve bought in the last few years.

The USB receiver is USB-A, which is probably best for most laptops: you’ve got 1 or 2 USB-C ports that will either be used for power or a full dock, and usually at least one spare USB-A if not more. Or, go Bluetooth if you’d rather not use the receiver, but I find an office full of Bluetooth devices can cause interference on any Bluetooth headset, and the connection over the dongle is more reliable.

Something I need to get in the habit of, is putting the mic boom up to mute. The headset will announce when you do this, and to me this is a better way of doing it rather than a keyboard shortcut or trying to accurately click on the ‘mute’ option in Microsoft Teams if you’re about to cough or sneeze on a call.

Let’s check out the buttons:

Source: https://www.lenovo.com/au/en/p/accessories-and-software/audio/headsets/gxd1c99239?orgRef=https%253A%252F%252Fwww.google.com%252F#tech_specs

All pretty standard buttons here – I can honestly say I’ve never used the Microsoft Teams button, but I probably should. If you were wondering what this button does, like I was, have a read of this guide: https://support.microsoft.com/en-au/office/use-the-microsoft-teams-button-on-your-certified-teams-device-ed5ec8f0-6f09-46aa-b80c-3372de084a98
TL;DR version – the button is contextual. It’ll bring Teams to the front window if it’s not already, it’ll join a meeting if you just had an alert come up saying one started, and if you hold it down during a meeting, it’ll raise your hand.

The ANC mode works quite well for a headset that’s on the ear rather than over the ear, and the ability to toggle this to talk-through mode with the ANC button means you can switch from focusing on work to clearly having a chat with someone who walks up to you. It also makes you feel like a spy when noises are amplified and you can hear someone across the room talking. There’s a third option of plain ‘noise cancellation off’ which I’d rather have as a separate button, as you have to pass this option each time you want to go back to ‘noise cancellation on’. You also can’t rapidly press the button twice to skip, and instead have to wait until it starts announcing what the new mode is before you can press it again.

The headset itself is very comfortable to wear – when I first put it on I thought it was slightly too tight for my head but after a few days use it doesn’t feel like it’s squeezing me anymore, and more just sitting snugly.

I’m available at a headset model – here’s just a taste

The headset itself feels like it’s made of high-quality components – the ear pads are a very soft leather-like material, and the entire device has a general sturdiness to it. The metal extenders go a fair way out, so this should accommodate the largest of heads too.

Sound quality wise, it’s crystal clear to me – but I’m also not an audiophile, so I couldn’t judge how good the music playing abilities of the headset are, beyond it also sounding good to me.

All in all, it’s a good headset that will live in my work bag and get used when I’m not WFH – it connects up quickly when I need it to, and should last a long time.