Even corporate IT suffers. At my job, we have to apply updates pretty quickly. If Microsoft pushes a bad update, it’ll probably affect a lot of us. Or when they add a new feature like Copilot, they ship it without any administrative controls to turn it off.
I won’t deny it’s godawful to have shit split across AD, Group Policy, Regedit, and Azure/Entra/Intune.
But they very much still have controls for all this shit, almost always available before the feature rolls out. I’ve literally never seen this shit make it through to our end user devices in an un-intended fashion.
Hell, just hold non-security updates for a period of time for review before pushing it to your entire environment if this (not actually happening) issue is a concern. That’s like basic table stakes for Windows environment administration: update cadence management and pilot machines.
Please don’t claim to speak from a place of authority on this and then spread falsehoods. There’s plenty of shit to hate without making things up.
Like the third party app approvals in Azure and Teams defaulting to allow any non-admin user to be able to approve any azure app access to all of their data with no oversight. You can (and should) lock that the fuck down. It’s a batshit default, not a lack of controls.
The problem is Microsoft is trying to push the corporate environment away from on-prem infrastructure and into the cloud. There is less and less you can do from Active Directory and Group Policy, more and more of it gets moved to InTune everyday.
Microsoft is pushing Azure Arc as well, which is intended to let you manage your on-prem resources using your cloud management interfaces.
Even corporate IT suffers. At my job, we have to apply updates pretty quickly. If Microsoft pushes a bad update, it’ll probably affect a lot of us. Or when they add a new feature like Copilot, they ship it without any administrative controls to turn it off.
I won’t deny it’s godawful to have shit split across AD, Group Policy, Regedit, and Azure/Entra/Intune.
But they very much still have controls for all this shit, almost always available before the feature rolls out. I’ve literally never seen this shit make it through to our end user devices in an un-intended fashion.
Hell, just hold non-security updates for a period of time for review before pushing it to your entire environment if this (not actually happening) issue is a concern. That’s like basic table stakes for Windows environment administration: update cadence management and pilot machines.
Please don’t claim to speak from a place of authority on this and then spread falsehoods. There’s plenty of shit to hate without making things up.
Like the third party app approvals in Azure and Teams defaulting to allow any non-admin user to be able to approve any azure app access to all of their data with no oversight. You can (and should) lock that the fuck down. It’s a batshit default, not a lack of controls.
I thought one of the saving grace of windows corporate was having finer control?
I don’t know what this guy is smoking. Copilot had administrative controls before it rolled out, through Intune and Group Policy.
The problem is Microsoft is trying to push the corporate environment away from on-prem infrastructure and into the cloud. There is less and less you can do from Active Directory and Group Policy, more and more of it gets moved to InTune everyday.
Microsoft is pushing Azure Arc as well, which is intended to let you manage your on-prem resources using your cloud management interfaces.