Microsoft O.S. Security

Understanding The Product

Upon beginning work on Application Control, I first tried learning to use the product myself in order to get a handle on its current state and figure out what to prioritize in the existing list of potential feature changes. I quickly experienced firsthand how challenging it was to implement, even in a test use case. During set up, I ran into incomplete, outdated, and incorrect documentation that frequently left me relying on the expertise of my teammates. When I was finally ready to deploy it to my test device, I discovered that I had to do so using outdated technologies which relied on text rather than visual UI. My teammates informed me that there was not yet any integration with Microsoft's newer and more popular management systems, like Microsoft Endpoint Manager.

Understanding user feedback systems

After gaining a handle on the basics of Application Control, I began sorting through our backlog of potential feature changes. When I asked my manager and teammates how we knew what was important to customers so we could determine prioritization, I found out that we had basically no feedback channel. While quantitative data around security features is a known issue (security-conscious enterprises are unlikely to allow Microsoft to collect telemetry data), I was surprised to learn that we had minimal ongoing relationships with customers to gain qualitative data.
To get a sense of what our users were saying online, I looked into a number of security IT blogs that covered Microsoft Application Control. I saw common complaints of usability and documentation issues, including one IT pro who in 2018 said “whenever a new Windows build is released, I diff the Windows Defender Application Control [...] code integrity policy schema [...] to see if there are any new, interesting features. I resort to doing this because new WDAC features are seldom documented.”

I realized that by focusing on feature work, we were trying to fix symptoms instead of causes.
To build a high-quality product, we first needed to address the deeper issues by redesigning our internal processes.

I led a three-pronged approach to improvements on my team's processes surrounding Microsoft Application Control:

• Co-created a cross-team partnership to support seamless integration of application control into other security offerings
• Advocated for standardizing documentation best practices across my PM team
• Supported the creation of a recurring participatory design series with a core set of enterprise users

Cross-Team Partnership

No matter how much our team perfected Microsoft's Application Control tooling, it wouldn't work in a silo.

This tooling is intended to allow enterprises to build lists of allowed and blocked applications, thereby creating strong security guarantees. However, it relies on management tooling to be deployed, and cloud-based intelligence to make sense of what is actually happening in the enterprise's device ecosystem.

Because these integration points were almost entirely nonexistent when I started, building a relationship with Microsoft's enterprise device management and cloud-based security teams was the first area that my team and I needed to target. No matter how good WDAC is, won’t work in a silo Joined mid-cycle for a product improvement (LOB sideloading), started asking why this got prioritized and why our integration with MEM wasn’t deeper Also found out that Defender ATP (cloud-based) was building their own version of app control Broken line of communication Luckily, both of the PMs on these teams had recently taken over this area and quickly understood how fragmented this story was

Documentation Best Practices

todo

Recurring User Feedback Sessions

todo

COMING SOON

unresolved challenges

• inherent technical complexity
• prioritization (ex. research plan)
• quant measure of success (most security-conscious orgs turn off data reporting back to MSFT)