Brad Anderson: Ignite 2015

Remarks by Brad Anderson, corporate vice president, Enterprise Client & Mobility, on May 4, 2015.

ANNOUNCER:  Ladies and gentlemen, please welcome Corporate Vice President Brad Anderson.  (Applause.)

BRAD ANDERSON:  All right.  Good morning, good morning.  How you doing?  (Crowd responds.)  Hey, it’s been a great morning.  We’ve seen what the future of end-user computing looks like and what that experience is going to be like.

Imagine if you had all those tools and capabilities that Gurdeep and Julia just demoed in your offices today, how much more productive would they be?

Well, I’m going to spend some time talking about what the future of IT looks like and answer that question that many of you asked me, which is in this mobile-first, cloud-first world, how does the enterprise architecture that we deliver have to transform?

You know, every business in the world is transforming right now.  We’ve talked about our ambitions.  We’ve talked about our areas of focus.  And the key thing to remember here and where we view on this is you are at the center of all this innovation.  You are how it gets out to the users.  You enable this.  You empower.

So what I’m going to talk about is the work that we’re doing that builds the intelligent cloud and how this comes together in a way that really allows IT to drive the transformation.

I’ll tell you, I believe right now is the best time ever in our history to be in IT because it’s you who are going to lead this transformation in this new world of cloud first and mobile first.

Now, as we’ve been working on how we build the intelligent cloud, there are a set of attributes that we think are just fundamental and core to this: Got to be trustworthy, got to be flexible, it’s got to be integrated, and of course it’s got to be intelligent.  It has to deliver insight to you on a continual basis.

So let’s look through each one of these one by one and talk about the innovation and the things we’re doing in the area specifically.

Now, it’s interesting, security is the No. 1 concern in enterprises today, No. 1.  The attacks we’ve all read about have certainly elevated this conversation up in the board rooms of every single company.

And you know what’s interesting?  More than 75 percent of all these attacks come down to weak credentials or compromised identities.

And these attacks are morphing, they’re changing.  They began with basically a world where individuals were trying to just create mischief.  Then it became about creating profit.

Today, the attacks that we are seeing are all about causing disruption, IP theft and damage.  And, certainly, as we all watched what happened with Sony where the employees and the customers were threatened, it turned into terrorism.

And so as we think about where this goes and what our users are doing, our users are working in a world that is rapidly expanding.  They’re working on more devices, they’re using more applications, they’re interacting with more people.  And you know what?  This is good for business, but it also comes with risk because a compromise anywhere in that network could actually compromise a significant portion of the network.

So one of the challenges that all of us have as IT professionals is how do we create this environment that is empowering for our users?  It’s rich, it’s engaging, it’s empowering.  And at the same time, balance that with the security and protection that we’re chartered with.

This is a place we’ve got to get the balance right.  And as we think about what the modern architecture is that all of you have to have implemented, it has to focus on this specific area of balancing empowerment with security and protection.

So as we think about what your modern architecture should look like, let me describe to you what I think it looks like on endpoint enablement and on user enablement.  It all begins with the devices that your users are using.

From those devices, as your users go to access corporate content, that should all be governed and managed through your identity solution, which is Azure Active Directory.  And with Azure Active Directory, we enable you to stretch that identity that you’ve invested in for years with Active Directory out to the cloud.

That then also gives you the way to also be able to authenticate and manage the core applications you use from us, your internal applications, from our partners.

Then the Enterprise Mobility Suite comes in, and EMS gives you that way to manage all your devices, all your applications, do it in a way that is empowering to your end users, but delivering for you the security and protection that you’re chartered with.

Ladies and gentlemen, this is the modern architecture for enabling your users on modern devices and giving your users that work environment they’re looking for in this cloud-first, mobile-first world.

Now, this is how you’re going to deliver that rich, engaging experience.  Let’s go into details now about what we’re doing to help you protect it and secure it.  We believe in a defense-in-depth model where you want to protect in as many layers as you can, while at the same time assuming that you’ve been breached.

And so we’re going to walk through these details, but you need to protect your devices.  You also need to protect your applications, OK?  The market refers to these as mobile device management, mobile application management.  You have to do both.  But you can’t stop here.  You have to protect your files, and really, MDM and MAM is all about data protection.  And most importantly, you have to protect your identities.

So these four layers of protection — device, apps, files and identity — have got to be an area of focus that you’re going to spend on, and what we’re going to deliver you is an integrated way to give you a view of all four of these.

So let’s spend some time drilling into each one of them.  Let’s start with the devices and let’s start with Windows 10.

Windows 10 has been designed for the enterprise and it’s been designed for the kinds of attacks that we see today.  Throughout the event, you’re going to learn about capabilities in Windows 10 like Secure Boot, Device Guard, Passport and Hello Windows.

This enables you to be able to ensure that your devices are secure.  And with these capabilities, you can actually eliminate the need to even have your users use passwords any longer.

But you get this incredible experience now where your users get all the things that Joe showed you with all the benefits and all of the applications and capabilities that Gurdeep and Julia showed you, and then you have a way to manage it.

And so let’s actually start taking a look at some of these pieces.  Now, as I set up some of these demonstrations here, the first thing that I want to talk to you is the fact that Windows is using an incredible diverse set of scenarios from your Windows Phone that’s being used as a personal device, all the way to a device that’s used on an assembly line or in an operating room.  And in some of these environments, you want to have a lot of control over these devices.

So let me introduce you to Device Guard in Windows 10.  Now, what Device Guard allows us to do is actually set policies about what software is allowed to run on a particular device.

For example, you may say that only applications that come from the Windows Store are authorized to run on my device.

So what you’re looking at here is a Windows 7 device.  And I’m going to go actually walk through a common attack that we see.  I’ve received this email, it looks like it’s from my IT department, and it’s announcing there’s a new expense app.

When I go click on that, it looks all legit to me.  Now, what I want you to watch on the right-hand side in Action Center, when I click on this download now, what’s actually going to happen is there’s going to be some code execute, and I want you to watch what happens on the right-hand side as this code executes.

My firewall was just turned off, my anti-malware was just turned off, this device is now vulnerable.  This happens in your organization every day today.

Now, let’s actually show you this on Windows 10.  Same exact scenario.  I click on “download now.”  Run.  Watch the right-hand side.  What has happened here is Windows 10 has actually come back and said this is not code that’s authorized, this is not code that’s approved, this is not from an approved vendor.  And it actually never allows the code to run, keeping your devices secure.  That’s Device Guard in Windows 10.  Do you like it?  (Applause.)

Now, also coming in Windows 10, you’ve got a full mobile device management set of capabilities that will cover all of your devices from your phone to that large screen that Julia showed you, and of course all this integrates with the Enterprise Mobility Suite and Intune as well as Config Manager.

OK, so we talked about mobile device management.  Let’s move up one layer and now talk about application management.

And on these mobile devices, mobile application management is really about being able to separate your corporate things from personal things on these mobile devices, and then apply policy protection to your corporate assets.

Now, over the last couple of months, we’ve been releasing updates to all of the Office Mobile Applications.  So today you’ve got Word, Excel, PowerPoint, OneDrive for Business and OneNote that have all been integrated with the conditional access capabilities of the Enterprise Mobility Suite, as well as the mobile application management capabilities.

Now, one of the things that has been very consistent with your feedback, you’ve loved what we’ve done in terms of providing that data leakage protection, but there’s one app every single customer has asked about.  What’s that app?  It’s Outlook.  Every customer that is using these capabilities has said, “When are you going to release the new Outlook that has been MAM-enabled and conditional-access-enabled for the Enterprise Mobility Suite?”

Well, here it is, let’s take a look at it.  So what you’re looking at right now is I’ve got an iPad.  And on my iPad, I’m just going to go ahead, I’m going to bring up Outlook.

So as I bring up Outlook here, this is just a version of Outlook that’s coming through your enterprise store.  Let’s see here, we’re having a hard time getting it to come up.  Let’s see if we can fix this, everybody.  Let’s see if this brings it up.

OK, we’re going to come back to this, it looks like.  If in the back you figure out why we’re not being able to project it.  If you want, we can switch over to the backup if you want.

OK, well, I’m going to go ahead and move on, and we’re going to see if we can get back to that.  Or we can bring the camera up on stage here.

So let me describe to you what we’re going to show you here.  The Outlook application has now been updated to embed the mobile application management capabilities of Intune.  What that allows us to do is put policies that allow us to protect the data.

So watch what I’m going to do here.  I’ve got this email that has now come into my inbox from Brian.  There’s a paragraph there that I actually want to be able to reuse.  So I’m going to copy that.

I’m now going to move over to Word.  Word is also a corporate application.  And when I go to do the typical things that I do, like for example go paste that in, you’re going to see that, sure enough, paste works.  It’s just like I would expect it to work.

But now I’m going to go, I’m going to move to a personal application like Twitter.  And as I go and create a new tweet here, when I go to paste, notice what happens here.  When I go to paste, the paste option is never shown to me because what’s happening is it’s actually protecting the data and saying, “I’m going to contain the corporate data to only be used inside of corporate applications.”

Now, if I go back to Outlook, I’m going to go back in and show you one of the new things that we’ve added.  So I’m able to provide data leakage protection, but Office and all the Office Mobile Applications are one of these applications that gets used both in my personal life as well as in my corporate life.

And so what every one of you have asked us as you’ve started to use these capabilities is:  How can you enable your users to use Word, Excel, PowerPoint, Outlook, all the mobile applications from Office in both their personal life and in their corporate life?

Well, we’ve also updated the capabilities in Intune to now be multiuser aware.  So let me show you what that looks like.  I’m going to go here in Outlook and I can actually now switch between my personal email and my corporate email.

So I’m going to go to personal email.  And when I go and create an email, and I go to paste the content, what you’ll see here is paste is not allowed to happen because that’s my personal email and the data leakage protection capabilities are preventing that.

But if I come back in and switch back into my corporate email and do the exact same process, I create that email, I go to paste.  And what you’ll see here is because it’s a corporate application, I see paste, and I’m able to paste that content in.  OK?  Data leakage protection with Outlook.  (Applause.)  Yeah, thank you, thank you very much.

So what that gives you now is that ability to be able to have that rich, engaging Outlook experience.  And your feedback on this Outlook application has been phenomenal with quotes like this where you have The Verge saying it’s the best Gmail app.  The best Gmail app is from Microsoft.  And I love it.

So with Microsoft, you get all the mobile applications now enabled to participate in this data leakage protection solution, being able to separate your corporate content from your personal content.

The next question you’re going to have is:  When is Skype for Business coming?  Q3, OK.  So it’s coming soon.

Now, I want to show you this exact same experience on a Windows 10 device because Windows 10 has done some phenomenal work to integrate data leakage protection just natively into the operating system.

So I’m working on the exact same document here that Joe showed you a couple of minutes ago.  And I’m just going to copy some of this information here.  I’m going to copy a sentence and show you the data leakage protection capabilities of Windows 10 in action.

So I’m able to take this.  I’m now going to go right into Twitter as well.  And I create that tweet.  But when I go to paste, look at what happens?  And this error message is being worked on, but what’s unique about Windows 10 is it comes back and says, listen, the operation that you’re trying to do is prohibited, it’s not allowed because we don’t allow sharing between personal applications or corporate applications and personal applications.

But what I love about what we’ve done in Windows 10 is it’s empowering and it’s given me guidance, it’s helping me.

So it says, listen, if you actually have a business need and need to override this policy, you can click on “audit” and it will actually allow the operation, but it will be logged for audit purposes.

And so you have this fantastic data leakage protection natively in Windows 10 that you can policy-enable, but you get that right balance of empowerment with security and with protection.

The other thing that’s fantastic about this shipping in the operating system is the applications, Win32 applications as well as modern, universal applications can all participate in this DLP solution without having to be wrapped and without having to have any work done with an SDK, they all just natively work with it.

The data leakage protection in Windows 10, ladies and gentlemen.  (Applause.)

All right, now, I want to show you one additional kind of tool that you have in your tool belt here for application management.  Now, as we get to Windows 10, we’re going to encourage you to distribute your applications through the Windows Store and the integration that we’ll do with tools like Config Manager.

But you may have some applications, maybe they were written a long time ago and you’re not going to update it and you have applications you’ve historically used Remote Desktop Services for.

What I wanted to give you a view here is a completely redesigned Remote Desktop Services that’s being delivered from the cloud.  This is called Azure RemoteApp.  And what this gives you is the ability to be able to upload any Windows application up into Azure and then remote it down to your users anywhere in the world.

So what I’m going to do here is I’m actually going to launch — this is a Windows application.  This is actually the CFO dashboard from Dynamics, which is a Windows-only application.  It’s all touch-enabled now.  I get this beautiful experience.  It’s all rich and alive.  I can click on the pie chart and everything adjusts for me.

But this gives you that tool now to be able to deliver all your Windows applications to all your users anywhere in the world without building out an infrastructure and a pay-as-you-go model, leveraging the global infrastructure of Azure.  OK?  Highly recommend you go check that out, Azure RemoteApp.

So we’ve now talked about devices and applications.  And one of the things to make sure you understand is Microsoft is the only organization in the world that can deliver you this rich, engaging experience for your content creation, your collaboration, all your communications and have that all secured through this data leakage protection across Windows, iOS and Android.

But now let’s transition to files.  And, really, MDM and MAM is all about data protection.  And we’ve got a view here that data and files should actually be self-protecting, that files should actually inherently be aware of who has rights to open them and what rights they have.

So let me show you how this actually works.  So I’m sitting here, I’m just going to walk through an everyday process and show you how it’s been uplifted to now help the user protect.

So I’m going to send an email to Bob, OK?  Bob, if you notice here, is outside my organization, so Bob’s a partner.

Now, when I go to send this email, I’m going to click on this bar here in the toolbar, share protected.  And I’m going to share this in a protected manner.  So it’s just right in the flow of how users do it.

So what I’m going to do is, I’m going to say Bob has viewer rights only.  I want to get an email any time Bob opens that file.  And I want the ability to be able to instantly revoke access if need be.

Now, when I click on “send now” something really fascinating is happening.  That metadata is now being written into the file and will now travel with the file.

And you’ve got data that could be useful, really has to travel, has to be mobile, has to be shared.  But now with the fact that we can embed the access privileges into the file itself, the file becomes self-protecting.

Now, let’s walk through and show you what it actually looks like now.  So I’m going to go over to Bob’s PC here.  And what you’ll see happen here is over on Bob’s PC, I’m going to get an email.

And as I get this email, it’s going to give me a link to where I can open that file.  And someone sent an email from the audience, I love it.  (Laughter.)  Love it, love it.  You’ve got to love technology, you’ve got to love people in the audience.

Now, for some reason, that — there we go, just took a little while to come through.  So it’s come through.  I’m going to go ahead and open up that document.  And what’s happening when it’s opening is it actually is actually verifying that I’m a valid user and that I’m actually authenticated to Azure Active Directory.

If I come here and click on “view permissions” you can see that, in fact, I’m a reviewer, everything looks fantastic.

But what else happens when that file is open, it actually sent data, telemetry back to the service that I can now use.

So let’s go back into my email.  And what you’re going to see here — love it — (Laughter.) is I have this link in an email.  If I click on this link, it takes us to what is new today, which is this document tracking site that allows you to actually track how the documents I share are used.

So I can see here that this document was viewed seconds ago by Bob.  So it’s just fantastic.  Let me show you a document that I shared a while ago.

So if I come and take a look at this, you know, last week I shared an early view of some of our quarterly reports.  I can see here that that document’s been opened 40 times.  And if I look down here, the names all look familiar to me, I recognize those names.

But somehow, this individual, Brian, and I’ve never heard of Brian before, has tried to open this document nine times unsuccessfully.  Let’s see what else this gives me.

I can take a look at this from a timeline view.  So I can actually get a view of, you know, the days, successful, unsuccessful and all this is real-time information for me.  I can get a view of this as a map.  So I can actually see where in the world green successful open, that red unsuccessful open, and I can actually now drill in and actually see exactly where in the world individuals trying to access my documents are and when they tried to access it.  (Applause.)

As we think about providing data protection, this is the way it has to be.  For your most-secure, most-sensitive data, you want to have the file be self-protecting.  And in the case where I need to revoke it, you know, I’m actually confident that Brian is never going to be able to see the contents of that document because the document knows who is able to open it.

But if for some reason I actually have the need to be able to open that document, I can come back to here and I can just really click on “revoke access.”  And when I click on “revoke access” when I hit “confirm” nobody else in the world will ever be able to open that document again.  I retain control of the sensitive information within my company.

Azure RemoteApp — I’m sorry, Azure Rights Management Services, the new capabilities, that document tracking site that went into general availability this morning.

Now, let’s transition and talk about identity.  We’ve talked about device, apps, files, let’s talk about identity for a minute.  And as we talk about identity, the first thing I want to talk about here is how you’ve used Active Directory for years and years in your organizations.  You’ve used it to give that great single-sign-on experience to your end users.  But then you’ve also used it for how you govern and manage access to all your applications.

What you’re looking at here today is what we call Cloud App Discovery.  And what it allows us to do is go get a view of all the SaaS apps that are being used in your company by your employees.

If I were to ask you today, how many of you, with confidence, could tell exactly the number of SaaS apps you’re using, which SaaS apps are used within your organization today?  You can do it today.  You can now do it with the general availability of Cloud App Discovery.

So in this environment, 452 users — excuse me — there are 452 SaaS apps that are being used by 8,131 users.

I can click into any one of these SaaS apps, see the number of users that are using it, as well as the amount of data that’s being shared up and down with the application.

I can then actually drill in and see a per-user view that gives me that view of every user and how much data they’re sharing with these SaaS apps.

Now, it’s fantastic to be able to see that, but what you really want to do is you want to bring them under management.  So let’s show you how that works.

We’ve done the work now to where we’ve integrated right here, look at this, 2,477 SaaS apps with the Enterprise Mobility Suite and what we call Azure Active Directory Premium.

And what that allows me to do is I can go bring these SaaS apps under management.  So when I click, for example, here on Dropbox for Business, I can configure it for single sign-on, I can also configure it for automated user provisioning.

What that means is a user account is created and appears in Azure Active Directory.  We can automatically create the user in the SaaS apps that need to be used for business.

Maybe more importantly, if that user ever leaves the organization, we can also disable their access to all the SaaS apps that are being used in business.  It’s the exact same thing you’ve been doing with Active Directory for years, now in the world of the cloud.

Now, let’s go a little deeper on this identity management.  The other piece I want to show you here is you can also configure this for things like conditional access.  So you can actually go in and say I’m going to require a multifactor authentication, and the conditional access capabilities that are built into the Enterprise Mobility Suite give you that additional layer of management and security to access this.

Now, one of the things about the intelligent cloud is it brings insights to you like this.  Across Microsoft, we do some amazing amount of research and bring telemetry back like no other company in the world.  For example, our Security Response Center gets telemetry back from 4 billion devices around the world on a regular basis.  We get a million new pieces of malware reported to us every single day.

We take all that data, feed it into Azure and the machine learning capability, and now give you a set of reports that help you understand and see what is happening with the identities in your environment.

So I’m going to click on reports here, and I’m going to just show you a couple of these reports.  And I would encourage you to go look at these because it is amazing what you can see.

This right here is my favorite report.  I call it the “impossible travel report.”  What it gives me is, again, using the machine learning capabilities of Azure, I can see things like John Smith logged in in Chicago and then 34 minutes later logged in in North Korea.  (Laughter.)

We know that this user account has been compromised.  So I can come down here on the bottom, I can reset the password, I can challenge the user with a multifactor authentication, but I have the ability now to get insights brought to me, what’s happening to my identities, happening to these attacks.

I want to give you one other view of something that’s in our pre-production service today that will be rolling out over the next few weeks.  As part of our research, we’re constantly looking in kind of the darker parts of the Web for things that would give us signs of what’s happening.

If we find any of your user accounts are up for sale, we’re going to be able to surface that to you and give you an example like Robbie’s user account went up for sale on April 24th.  You have identities right now up for sale on the Web and you’re going to be able to do things like disable those, challenge them with a multifactor authentication, but you get the data that you need on identities to identify these attacks and prevent them before they get out of hand like we’ve seen across the industry.  (Applause.)

All right, but wait, there’s a little more.  Everybody that’s seen this has had two questions.  They’ve said, first, “How fast can I get using this?”  And second, “Can you deliver these capabilities for me to use with my on-premises Active Directory?”

You want to see it?  OK.  Last fall, we acquired this hot little startup named Aorato.  What Aorato is is a solution that watches your network and your environment and builds a graph of interactions between users, devices and resources.

And then in near-real time, it gives you a view of what has happened.  So let me walk you through this set of reports and walk you through what you’re going to be able to do with this.  Oh, and incidentally, this went into general preview this morning.

So the first thing I see here is it creates this graph.  And it says Michael normally works from two devices, but Michael now is working from seven devices we’ve not seen yet.

Michael is also accessing a set of six resources that are a little abnormal.  Now, look, Michael is a program manager in the engineering team, and all of a sudden Michael is now accessing servers or trying to access servers in finance, legal and HR.  Something just doesn’t make sense here.  Something seems to me to be wrong.

So I can go take a look at the devices that Michael is actually using to try to access this content.  And I can see here that these actually don’t meet my naming criteria.  So I’m going to go drill into one of these.  And as I drill into one of these devices, it actually is going to give me a timeline view of what is happening.

And I can click on this tab here called suspicious activities and now scroll through and actually get a view of what has been happening.

So, first of all, I see here that this piece here, this device from Mike is actually trying to remotely execute some code on a domain controller.  OK?  So now my guard is way up.  I know there’s something wrong here.

And as I continue to scroll down here, I can see that six minutes before that, this device attempted to launch what’s called a “pass the ticket” attack.  Now I absolutely know that there is something wrong.  As I come down here even more, I can see that there was a brute force attack that happened on the network, and it looks like Michael’s user account was actually compromised and the attacker was able to get his password.

So now I see where the breach started.  Michael had his username and password compromised.  Now, somebody is on a device that’s authenticated as Michael trying to access content and trying to now attack the organization.

How useful would this be for you inside your organizations?  (Cheers, applause.)

This is called Microsoft Advanced Threat Analytics, entered general preview today.  One of those things as soon as you get back in your environments, back to your hotel rooms tonight, download this and start looking at how you could take advantage of this.  It is a phenomenal way for you to help secure and protect your environment.

All right, now, let’s talk a little bit about a point of view specifically that we’ve learned over the past couple of years.  As we’ve built these incredible services and we get this telemetry back, one thing that we’ve learned for sure is as we get more closely connected with you, we’re able to better service you.

And so we have a point of view that we’ll do all these things where we’re protecting you at the device, app, file and identity layer.  But one of the most important things that you can do to make sure your devices are more secure, more compatible and more productive is to keep them updated with us.

So we wanted to give you a view of some of the things we’re going to do differently in Windows 10 and Office 2016.  And it’s a pleasure to actually have the head of Windows with us today.  Please give a warm welcome to Terry Myerson, who is going to give you a view of how we’re going to help you here.  (Applause.)

TERRY MYERSON:  Hello, Ignite.  So Brad talked about the changes in today’s security landscape and the defenses we’ve built into Windows 10 to respond.

But we all know the most important thing we can do to keep any device secure or to keep any business secure is to keep the devices always up to date with the latest software, including the latest security updates.

At Microsoft, we take our responsibility to keep you secure very seriously.  We’re investigating, following up on every single reported security issue.  We’re continuously testing our software, the software you’re running today and the new software we’re building to look for new security issues.  And when we find something, we’re updating our software to give you a defense against that issue.  We’re proactively helping you deliver that update to all of your Windows devices.

So how do these updates get deployed today to devices?  In the enterprise, you’re likely using update management software like System Center Config Manager or the Enterprise Mobility Suite.

These systems let you choose which patches to apply to which systems in which timeframe.  This is a critical business process, but it’s expensive and thankless.  I mean, when was the last time an end user reached out to you and said, “Thank you for that critical update”?  (Laughter.)

Now, with consumers, we run Windows Update.  Windows Update delivers the same updates that you’re distributing inside the enterprise to 858 million Windows consumers on the second Tuesday of every month.

Next Tuesday, 858 million Windows devices, diverse Windows devices all across the planet will be updated by Windows Update.

Let’s take a second and discuss Android, where Google takes no responsibility to update their customers’ devices, refuses to take responsibility to update their devices, leaving end users and businesses increasingly exposed every day they use an Android device.

Google just shipped a big pile of code.  (Laughter.)  And then leaves your phones with no commitment to update your device.

Well, with Windows 10, we want to improve further the way we think about consumer and enterprise updates.  In the enterprise, you’ve been giving us a lot of feedback.  For years you’ve been saying you have these mission-critical devices where reliability is paramount.  You want to minimize code churn to just security updates.

Well, with Windows 10, we’re introducing long-term servicing branches which will give you just that.  Only security updates will be integrated into the long-term servicing branches, giving you the perfect solution for devices where reliability is paramount, those mission-critical devices inside the enterprise.  Industrial devices, embedded devices, devices all about reliability.

And with consumers, we will also be evolving.  We’ve talked about Windows as a service.  Continuously delivering Windows innovation to our Windows devices.  So with Windows 10, with Windows Update, we will not just be delivering security updates, but now Windows consumers connected to Windows Update will be receiving a steady stream of innovation over time every month.

Another big change, we’re not going to be delivering all of the updates to all of these consumers on one day of the month.  (Applause.)

With Windows Update and Windows 10, we have distribution rings.  We have this today in the Windows Insider program where the insiders get to decide, am I in the slow or the fast ring?  We’ve seen some people want the software right after it finishes our testing.  They don’t want to wait a second.  And then we have people that are stepping back and saying, “Hey, work out some of those kinks, I want to make sure there are no app compat issues, I want to make sure there are no functional issues.”

And this is great.  We let the user choose, and Windows Update for consumers, Windows 10, they will get to choose as well which distribution ring would they like to be part of.

With this, we’ll have confidence we have the highest-quality patches, testing them with this incredibly broad population.  But with these two approaches, we’re not addressing the needs of some of the most important Windows devices.  And these are end-user devices at work.

People at work are seeking the same innovations that we deliver to consumers.  But you have IT responsibility for those devices.

Now, we take a step back and consider what the right approach is for these end-user devices at work, we also want to address some of the other issues with selective patching that takes place today with enterprise update management software.

We test Windows for end users as an integrated whole.  With selective patching, we sometimes have these customer-specific quality risks because not all the patches are deployed.

Likewise, selective patching can introduce platform fragmentation, which creates quality risks and complications for developers, impeding innovation and causing some customer-specific issues.

And updating all of these end-user systems is still a thankless and tiresome task.  So with Windows 10, we need a new approach for end-user devices at work.  So today we’re announcing Windows Update for Business.

With Windows Update for Business, we want to give you the best of both worlds.  Ongoing innovation and security updates, while also giving you IT control over the automated process.

So how does this work?  Well, the devices connect to Windows Update for Business.  They receive the same ongoing innovation and security updates.  But as an IT professional, you have control.  You can decide what distribution ring is any Windows device in.

I know there are some people probably in this room that say, “I want to be in the fastest ring.  Get me out there with the fastest consumer.”  At the same time, there will be new rings specifically for enterprises, for businesses that want to be in slower rings to make sure all the kinks are worked out in any updates before it gets applied to their system.

Likewise, Windows Update for Business will include maintenance windows where you can specify for any device when it should not be updated or when it should be updated.  We know there are devices that should never be updated during the day.  There are devices that should never be updated at night.  We know there are devices that should never be updated the last week of the quarter.

As an IT professional, with Windows Update for Business, you are in control.  With Windows 10, Windows Update has peer-to-peer update distribution capabilities, enabling the most efficient update distribution ever.

We’ve designed this for people all over the planet.  And for the enterprise, this means incredibly efficient distribution of updates to remote offices or remote sites for low-bandwidth connections.  You can opt into this as an IT professional for your devices.

And we’re going to integrate Windows Update for Business with System Center Config Manager and other update management software so that you can maintain a single pane of glass to manage your business.

And best of all, using Windows Update for Business to keep your end-user devices current will be free for all Windows 10 Pro and Windows 10 Enterprise devices.  (Applause.)

So in the process of developing Windows Update for Business, we’ve been working with so many of you to get your feedback and design this new approach for the modern workplace.

I thought this quote from Dorothy at Kimberly-Clark really captured the essence of what we’re trying to do here.  As you roll out Windows 10, start thinking about segmenting your devices, which ones truly are mission-critical, and then which ones are end-user devices.  And then start a pilot of Windows Update for Business.  Together, as partners in the innovation of IT, let’s shape this service from our intelligent cloud to meet the needs of your business.

Thank you.  (Applause.)

BRAD ANDERSON:  Thanks, Terry.  Now, I’ve got to tell you, it’s been remarkable watching the Windows 10 organization just kind of reimagine what the world looks like in this new world.

Now, let’s go back and I’ll give you a quick summary of what you saw in that kind of like 15-minute demo section.  We talked about the general availability of the EMS-enabled Outlook coming in Q2 as well as the EMS-enabled Skype for Business coming in Q3.

We talked about the document tracking site from AzureRMS, another EMS component that is in preview today.

We talked about the general availability of App Discovery in the Enterprise Mobility Suite, generally available today.

And then we talked about the new Advanced Threat Analytics that went into general preview today.  So incredible amounts of things for you to be able to look at and see.

And then Terry just announced Windows Update for Business and how that’s going to integrate with the tools that many of you use today like Config Manager.

Now, I’ll tell you just an insight as one of the organizations that is working heavily with Windows 10, the team has done a phenomenal job.  It’s incredibly compatible.  Today, we are also announcing updates to System Center 2012 that allow you to be able to use Config Manager in a Windows 10 environment.

Let’s now transition and talk about flexible for a minute.  And in flexible, one of the most interesting data points that I’ve read recently is 40 percent of IT spend is now happening outside of IT.  It’s happening in the business.

So how do we enable organizations to really partner more with the business as more of this spend is happening in SaaS apps and in the public cloud?

Well, the way we think about this, we think about your cloud and our cloud as one.  We don’t think about these things as separate, so our engineers work in a model where we ask ourselves:  What can we do to harness the power of both of these?  And we literally consider our cloud as your edge and your servers as our edge.

Now, our point of view here, our architecture is fundamentally different from everybody else in the industry.  We innovate rapidly in the public cloud, and then we deliver you all of that innovation, all of that learning, and you run the same bits inside of your datacenter that we run.

We’re one of only a handful of organizations running at hyper scale with numbers like for the fact there’s more than a million servers in the Microsoft Cloud, 50 trillion storage objects, 425 million active Azure Active Directory users, and we have more than 1.4 million instances of SQL running in Azure.

Now, why are these numbers important to you?  You know, we talk as an industry about software-defined datacenter.  I can tell you, we live it every single day in Azure.  With this kind of scale, with this kind of just incredible capacity, everything has to be automated, everything has to be driven through software.  And where we are unique is we bring all of that for you to run in your datacenters.

Now, let’s talk about a couple new products that we’re announcing today and how they’ve benefited from this model of innovate in the cloud and deliver to all of you.

We announced SQL Server 2016 this morning.  The preview will be available in the summer.  You’re getting that same mission-critical, tier-one scale that we deliver to all of our customers from Azure because it’s the same bits.

You get enhanced analytics, including R integration.  There’s some incredible hybrid cloud scenarios that are enabled.  And, of course, all of this is done with the fact that it’s all secure at rest, it’s all secure in transit, everything is encrypted, but the keys all remain in your datacenter.

Now, let me give you one of my most favorite scenarios in SQL Server 2016, and this is something that I bet most of you have in your environment today.

You’ve got an application and in that application you’ve got tables with the product that you sell, your customers, and then the order history.  These tables can get huge.  You know, you think about all the order history for a very active website.

Well, now because it’s the same bits running in our datacenter and in your datacenter, we have what is called the database stretch.  And what the database stretch allows us to do is take a table and actually stretch part of that table up into the cloud.  You can take all your cold data, all the order history that you access on a very infrequent basis, and have that table now straddle multiple clouds.

The only reason this is possible is because we have the same bits running in our datacenter that you run in your datacenter.

Now, let’s talk a little bit about Windows Server and System Center.  Ground that in what we’re doing in Azure.  So as you think about Azure, there’s all the infrastructure that I’m sure you’re aware of, the networking, storage, then the compute.  There’s a set of services like IaaS and PaaS that we deliver, and then there’s all your applications.  And that really is what Azure is.

Now, two years ago, we announced that we were going to bring portions of this to your datacenter, and we called this the Azure Pack.  And what this gave you was a consistent IaaS environment and compatibility in that great self-service experience for your IaaS environment.

But you’ve been really clear in your feedback, you love it, but you want more.  So you want to be able to even take your born-in-the-cloud applications and host those in your environment.  You’ve told us you want Azure, all of Azure in your datacenters.

That’s what we’re announcing today.  And it’s called the Microsoft Azure Stack.  This is literally us giving you all of Azure for you to run in your datacenters.

So what this brings you is you get that great IaaS and PaaS environment in your datacenters.  You have incredible capability like a unified application model that gives you a one-click deployment experience for even the most complex, multitier applications.

And then you get that cloud-inspired infrastructure.  We’re giving you the same software controller that we built for our network, the name is the same, network controller.  We’re giving you our load balancing.  We’re giving you all the storage innovation.  We’ve published all of our designs of our service to Open Compute.  In fact, we are the largest contributor to Open Compute.

All of that being delivered to you for you to go run in your datacenters so you can literally have Azure in your datacenter.

Closely aligned with this is Windows Server 2016 and System Center 2016.  Today, we released preview No. 2 of Windows Server 2016, next week you’ll see preview No. 2 of System Center 2016.  These have been designed to host these modern, micro-services applications, including containers.

In the server preview today, you’re actually going to see something called Nano Server.  What Nano Server is is just a very, very small footprint of Windows Server that is optimized for hosting that cloud infrastructure, apps as well as containers.

So let’s talk for a minute about containers.  Containers is a concept that was pioneered in Linux and really made popular by Docker.  But what containers give you, it gives developers the ability to create this incredibly portable application packet that they can run anywhere.

Dev and IT professionals love it because it just gives you this contained, self-contained capability to be able to rapidly deploy, update and scale applications on demand.  That capability, Containers for Windows Server, will ship in preview No. 3 this summer.

We’ve also done work, we’ve significantly enhanced our Linux management capabilities.  Desired configuration management now on Linux.

We’ve done work like in the LAMP stack where we can better manage, and of course we’re managing SQL, SharePoint, Exchange and Office 365 better from the new System Center.

Let’s actually take a look at it.  Give a welcome to Jeff.  He’s going to give you a view of Azure running in your datacenter.  (Applause.)

JEFF WOOLSEY:  How’s everybody doing?  (Crowd responds.)  Awesome.  Well, last week at Build, Mark Russinovich demonstrated the new cloud application model in Azure for developers.  But he didn’t entirely tell you everything.  We kept a bunch of surprises for you this week here at Ignite.  Let’s take a look at the new cloud application model, this time from an IT perspective.

Here, you can see I’m logged into Azure.  And, in fact, I’m going to go take a look at one of those new cloud applications.  Here’s my Contoso expenses report.

As you can see, at a high level, this expenses application consists of some IaaS virtual machines, Web app and more.

Well, if we drill in even further, whoa, take a look at all of the resources here that have been templated and are being managed as a single cloud application.  You’ve got IaaS virtual machine, network interfaces, public IP addresses, virtual networks, a PaaS SQL database, storage account, Web app, all of this managed as a single cloud application.

Well, let’s drill into storage real quick.  And you can see that this storage actually can consist of blobs, tables, queues and more.  In fact, I’m going to drill into blobs, and you can see, in fact, here’s the blob service end point.  This is running in Azure, and in fact, you can see this is running in the eastern United States.

Now, since this application has already been deployed, what we want to do is we want to make sure that the right people have the appropriate access.  The way to do that is through role-based access control.  So let me show you exactly how we’re going to do that.

Back here, let’s take a look at some of the roles that are available.  You can see here we’ve got owners, contributors, we’ve got readers, we’ve got a variety of contributors from BizTalk to SQL to MySQL to application insights.

Folks, think about what’s really happening here.  Again, I’m going to go back to this application model for a second.  When you configure role-based access control, it means it’s managing the entire cloud application, all of these resources.  I don’t have to go in here and configure permissions for virtual machines or set ACLs on files or blobs or anything.  This is all being managed as a single entity.

How cool is this?  (Applause.)  Now, we’re just getting started, though, folks.  Wouldn’t it be great if I could take this cloud application with all of these resources, this blob storage, this easy, role-based authentication, wouldn’t it be great if I could actually run this in your datacenter as well?

Well, let me show you exactly how we would deploy that application.  I’m going to switch on over here to PowerShell.  Now, the first thing I want to point out is, folks, this is four lines of PowerShell.  With these four lines, I can deploy that expenses application either to an Azure datacenter or to Azure Stack running in your datacenter.  In fact, in this case, you can see we’ve set the location variable to Chicago.  That’s the one difference that’s telling me that this is going to Azure Stack running in your datacenter in Chicago.

Now, I could deploy this, literally with a mouse click.  But this takes about a minute, which I don’t have.  We’ve actually already done the deployment and, folks, for the very first time, I present to you the Microsoft Azure Stack.  Take a very good look here.  Looks just like Azure, doesn’t it?  That’s because it is.

This is the Azure portal.  And, in fact, the background we changed to black just so we could contrast the difference between Azure Stack and Azure.  But you can see here from the address bar, this is clearly not running in an Azure datacenter.  And, remember, that application that I just showed you, that cloud application, well, guess what?  Let’s go take a look at this in Azure Stack.

In fact, we’re going to go into split-screen mode right now so you can see for yourself.  Take a good look, folks.  What do you see?  You see the same IaaS virtual machines, the same network interfaces, the same public IP addresses, the same blob storage, the same SQL, the same role-based access control both in Azure and in Azure Stack.

We’re giving you exactly what you asked for.  We’re bringing Azure to your datacenter.  What do you think, guys?  (Applause.)

Now, so far, everything I’ve shown you has been from the cloud tenant standpoint.  Let me show you what this looks like from the cloud admin standpoint as you manage this in your environment.

You can see here, I’m logged into Azure Stack this time as the admin.  Now, one of the jobs you want to do, of course, is you want to provide services to your infrastructure.  And you’re going to do that by creating plans.

Now, plans consist of resources, services, and quotas.  In fact, you can see here I’ve already got a bunch of plans.  And, in fact, let’s create one together.

I’m going to go in here into plans, I’m going to create a new one, and in fact, I’m sure a popular one will be IaaS.  So let’s do that right now.

Now we’re going to choose a resource group.  And we are going to associate services along with that.  You can see I can do networking, compute and storage.  And, folks, surprise, up in Azure, we’ve got software load balancers.  We’ve got network controllers.  We’ve got a distributed firewall that’s been running in Azure literally for years running at global scale powering some of the largest events in the world like the Sochi Olympics.

We’ve packaged those up and put those in the Azure Stack for you so you’re getting those same software-defined networking capabilities.  All very cool.

Now, let’s go ahead and configure some quotas for compute.  In fact, I’m going to deploy this to actually both Paris and Chicago simultaneously.  And I’m going to set the quotas for compute here for this plan.

In fact, I’m feeling kind of generous today.  This plan is going to get 100 virtual machines with unlimited memory and unlimited CPU cores.  And in just a couple of clicks, folks, we are now deploying this plan concurrently to both Paris and Chicago.

Now, while that’s happening, one of the things I want to do is take a look at some of the stores that we’ve already deployed.  In fact, here’s a storage in Chicago.  Whoops.  There we go.  Here is a store in Chicago.

And I’m going to drill into the stores that, again, I’m being provided through Azure Stack.  You can see, I have my API requests for the last hour, availability, nodes, file shares, tables, queues, blobs and more.  And, in fact, if I click on file share, there you can see the back end.  And in case you’re wondering what’s backing this, it’s the same scale-out file server you already know, you’re already deploying today.

Think about what you’ve just seen.  You’ve just seen the ability to deploy the same cloud application in Azure or in your datacenter with Azure Stack.  You’ve seen easy, role-based authentication and control, and you’ve seen a sophisticated templating engine for multiresource life-cycle management.  Microsoft Azure Stack, bringing Azure to your datacenter.

Now, if you’d like to know more, Mark Russinovich and Jeffrey Snow will be doing a session right after the keynote that talks more about Azure Stack coming to your datacenter.  Thank you very much.  (Applause.)

BRAD ANDERSON:  All right, thanks, Jeffrey.  Long time in the making, it’s phenomenal capabilities.  And, again, we’re unique in our view of giving you everything that we’re running inside of our datacenter.

OK, let’s spend a few minutes on integrated now.  And if you think about integrated, it’s all about choice.  You know, 74 percent, that’s the number of enterprises that in a recent Gartner Research report stated that multicloud, hybrid-cloud environments is going to be important to enabling business growth.

So you think about your world today.  It’s becoming more diverse and what we believe is an organization where all of you can ask IT to help bring some governance to this.  So what you have to be able to do is enable your users to use any app on any OS in any cloud.

This is how many of our organizations look today.  You’ve got an existing set of investments in your datacenters.  More and more of your applications are running in Azure, whether you’re lifting and shifting up there, or whether you’re consuming services like Office 365 or building new applications, as well as applications coming from other clouds like Amazon and Rackspace.

What is needed is one single way that allows you to be able to manage Windows, Linux, public cloud, private cloud, Hyper-V, VMware, physical, virtual, all of that through one pane of glass.

We’re announcing something new this morning, an Azure-based service called the Microsoft Operations Management Suite, or OMS.  And what OMS is going to deliver, it gives you that any cloud, any OS, any application, and you get orchestration.  You get application availability.  You get disaster recovery and backup.  And you get all of that capability, again, virtual, physical, public cloud, private cloud, VMware, Hyper-V, all in one pane of glass.

And it’s fascinating, you know, the way you should think about this is OMS is the equivalent of EMS, but in your datacenter.  EMS gives you that full suite for what you need to manage, secure and protect all your endpoint devices and users on the front end.  OMS gives you that in the back end.

You want to take a look at OMS?  (Crowd responds.)  All right, let’s get Jeffrey back.

JEFF WOOLSEY:  Thanks, Brad.  Now, one of the challenges we’ve heard from you is how do you manage the modern datacenter?  The modern datacenter probably has multiple locations, multiple cloud resources, and you somehow want to bring all of this under some management, provide analytics, so that you can run your hybrid cloud better.

Well, good luck with that, because trying to correlate all of that data, bringing all of those log files together, trying to bring those in, people cobble those together, script those together, try and make this all happen.

Well, if you actually get all of that accomplished, then the hard work actually begins because then you have to go use analytics to mine that data to find the right things to do and bring that power and efficiency to your datacenter.  That’s what the Operations Management Suite is all about.

And, in fact, we want you to be able to start using it this week while you’re here at Ignite.  You can try it for free.  And, in fact, you get started with three easy steps.  Let me go ahead and show you.

First of all, to get started, No. 1, I’m going to determine which solution packs I want to use.  In fact, I want them all.  Malware assessment, system update, change tracking, automation and more.  So I’m going to add those selected solutions.

Next, I’m going to connect to data source.  I can connect servers individually, I can link with System Center Operations Manager, and I can also link my Azure storage account.

Finally, I can add custom logs as well.  For example, I really would like to be able to look through system logs as well.  So I’m going to add those custom logs.  In fact, I want to be able to look and determine which ones I want to view.  I want to see them all, click save.

Now, normally, this takes some time, obviously, as we collect and analyze and aggregate that data.  So through the power of cooking, of course, we’ve actually already done that.  I’m going to switch to this system.  And you can see what Operations Management Suite looks like populated with data.

First of all, take a look here at the overview.  You can see I’ve got Active Directory, I’ve got a malware assessment, capacity planning and much, much more here just in the overview, already aggregated and brought to me.

But more importantly, I want to be able to personalize this, customize this and even share my own personal dashboards with people on my team.  So I’ve got my own customized dashboard here as well.

Here are the things that are near and dear to my heart.  I want to look at critical alerts raised in the past 24 hours.  Good news, nothing there.  I want to look at CPU time, I want to look at services.  Actually, one thing that I do like to look at very often is the amount of change going on in specific systems.  And, in fact, here I can see that I’ve got some systems that have had 38 changes in the last 24 hours.  That, to me, is something I want to take a look at, so let’s drill in a little bit further.

Now, take a look here.  You can see I’ve got a list of systems.  And look at where those systems are coming from.  Azure, AWS, VMware, Linux, System Center.  All of this being serviced up in one location without me having to go look for this.

Now, you can see here my first one has 38 changes in the last 24 hours.  Now, normally, right about now you’re probably thinking, OK, he’s going to go RDP into that system and go trolling through log files.

Now, in fact, I’m going to click right here, and that information is immediately brought to me so I can now take a look at all of those changes.  And, in fact, I got the power of Hadoop behind me for this data analytics to make this easier than ever before.

I can save my most common search queries to the right-hand side, and again, share these with some of my colleagues.

Another thing to point out, capacity planning.  How do you know how much storage, compute, and memory you have?  When are you going to run out?  Well, we’re using historical data, your resource utilization that’s historical to give you an idea of when you think you’re going to run out and plan appropriately.  So to be proactive rather than reactive.

And as you saw Joe and Brad talk about, we want to make security management easy and ubiquitous.  So we’ve got security and auditing.  And you can immediately see here I go right to the things that are most important to me.

I can see my security posture.  Looking pretty good there.  My notable issues, actually, looking pretty fine there.  But I can see here that under context I’ve got some updates that I need to apply, I’ve got some work to do there in terms of bringing my systems up to date.

Finally, let’s go on over here to alert management.  When I set this up, you noticed that I mentioned also this can link with System Center.  Well, through alert management, it’s surfacing those alerts up through System Center and, again, from Azure, from AWS, all of these things, bringing it all together so now I can see all of these alerts in one single location from one pane of glass.

So think about what you’ve seen here.  Think about this power.  Whether you’re using Azure, Amazon, Windows, Linux, VMware, System Center, Hyper-V, we’re aggregating, collating that data, bringing the power of Hadoop insight to it to help you provide and run the most efficient hybrid cloud for your business.  Thank you very much.  (Applause.)

BRAD ANDERSON:  All right, thanks, Jeffrey.  Awesome.  OMS is going to be awesome.

You know, I’ll let you in on a little secret.  A year ago at TechEd, we actually gave a couple of customers access to an early preview of that.  And just a couple of days at TechEd, we had more than 10,000 servers up and being managed through that early prototype.

Now, one of the things that many of you actually have been tweeting this morning is how can I get more information on all these demos?  So if you go to this URL, you actually go take a look at noon, we’ll post a blog that goes through every one of those demos, information of how we build them, where they’re at, what you have to have.  But you can go up there and actually get a detailed view with links to help you understand exactly how to get that running in your own environment.

And, of course, the intelligent cloud has to be intelligent.  And throughout the entire morning, that’s what we’ve shown you.  We’ve shown you how we’re bringing all of our learning, all of our experience, all of our data, all of our telemetry and bringing it to you to help you in your environment.

So trustworthy, flexible, integrated and intelligent.  That’s what we’re working on as we build the intelligent cloud.

Now, I really encourage everyone to come back at 5:00 and listen to one of my favorite people, Harry Shum.  Harry leads the Microsoft Research organization, which is a global organization of some of the brightest minds across the industry.

And what they look at is, you know, the long-term horizon and where technology is going to be.  What’s that next generation of technology look like?  You’re going to see some amazing demonstrations and actually see some of the most stunning and some of the most bright computer scientists that the world has ever seen.

So Satya started with our ambitions.  The work that we’re doing as we make personal computing more personal, as we reinvent business productivity and process, and as we build the intelligent cloud.  And you, IT, are in the center of that.

I can tell you that every day we think about you.  Every day, we think about how we enable you, how we empower you.  We can’t even tell you how much we appreciate the opportunity to partner with you and your businesses.  And that’s a stewardship that we take incredibly seriously.

Let’s ignite the future, and let’s do it together.  Thank you, and have a fantastic conference.  (Applause.)