Overview

During my time as lead Program Manager on Application Control tooling, I drove holistic product and process improvements such as building cross-team partnerships, leading a major documentation overhaul, and generating insights from co-design sessions with customers to inform feature work.

Timeline

2 years

Role

lead PM & researcher

Team

3 primary engineers

Key Skills

strategy, service design, HCI research

Gaining Context


Understanding The Product

My first goal upon being assigned to work as a PM on Windows Defender Application Control (WDAC) was simply to understand how it functioned. WDAC is a set of operating-system-level tooling that dictates which files are allowed to execute on a device. It works by setting up a policy which specifies what is allowed and what is specifically blocked; the policy is then either set to audit mode (record events without preventing anything from running) or block mode (actually prevent files from executing). It is inherently both a strong protection and a restrictive one: anything not explicitly allowed to run will be blocked.
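As an added example (not code from the original case study or the WDAC team), the audit-then-block sequence described above, written against the ConfigCI cmdlets that ship with Windows; the file paths and the seven-day log lookback are assumptions.

```powershell
# Added example, not from the original case study: the audit-then-block workflow
# the paragraph above describes, using the ConfigCI cmdlets that ship with Windows.
# Paths are assumptions; run in an elevated PowerShell session on a test device.
$PolicyXml = 'C:\WDAC\TestPolicy.xml'   # assumed working path

# 1. Build a base policy from a scan of a known-good reference machine.
#    -Level Publisher allows anything signed by the same publisher certificate,
#    -Fallback Hash pins unsigned files by hash, -UserPEs covers user-mode binaries.
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash `
    -ScanPath 'C:\' -UserPEs

# 2. Start in AUDIT mode. Rule option 3 ("Enabled:Audit Mode") records what
#    would have been blocked without preventing anything from running.
Set-RuleOption -FilePath $PolicyXml -Option 3
Set-RuleOption -FilePath $PolicyXml -Option 0   # Enabled:UMCI - apply to user-mode code
Set-RuleOption -FilePath $PolicyXml -Option 6   # allow an unsigned policy while testing

# 3. Compile to the binary the kernel consumes (legacy single-policy format is
#    deployed as SIPolicy.p7b under System32\CodeIntegrity), then reboot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath 'C:\WDAC\SIPolicy.p7b'
Copy-Item 'C:\WDAC\SIPolicy.p7b' "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# 4. After a test period, review the audit log BEFORE enforcing. Event 3076 in the
#    CodeIntegrity log means "would have been blocked"; every legitimate file listed
#    here needs a rule (New-CIPolicyRule + Merge-CIPolicy) before step 5.
function Get-WdacAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed lookback window
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = $Since
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}
Get-WdacAuditEvents | Format-Table -AutoSize -Wrap

# 5. Only once the audit log is clean: drop the audit option to switch to BLOCK
#    mode, recompile, redeploy and reboot. Anything not allowed is now prevented.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath 'C:\WDAC\SIPolicy.p7b'
Copy-Item 'C:\WDAC\SIPolicy.p7b' "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"
```

Skipping step 4 is the usual reason a policy that looked fine in audit mode breaks machines in block mode.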

I began by trying to use the tooling myself, but quickly hit a wall. I found the documentation hard to navigate, with no clear tutorials to guide a basic policy setup. Even after I did find the content I was looking for, I often ran into issues making sense of the instructions for how to activate my policy and see its results.

I wondered whether my difficulties were caused by being so new to the space, or if users were also running into this level of frustration. Unfortunately, my secondary research into technical blogs advising how to use WDAC revealed that I was not alone in my struggles. Various IT professionals who had tried to use this product reported investing substantial time, only to end up unable to deploy it in block mode (required for preventative protection).

I quickly realized that the challenges with this product went much deeper than feature gaps, so I switched to using a broader lens.

Above: Screen capture of a blogger detailing challenges deploying WDAC

Understanding The System

  • people currently and previously involved
  • stakeholders, primary and secondary
  • current systems for conducting user research

Insights

After conducting desk research and talking with teammates, we identified three major challenges.

1. limited understanding of user needs
  • no UX research support
  • mostly pursuing features based on internal understanding of capabilities
  • under-utilizing existing channel of communication (mailing list)
2. cross-product fragmentation
  • need to manage policies across multiple platforms (no way to deploy custom policies via MEM Intune)
  • adjacent security team had an in-progress plan to develop a competing app control product
  • outdated app control tech still in use
3. high barrier, low support
  • technically complicated
  • feature set had known gaps that were outside our scope to address
  • incomplete & outdated documentation

2. Transformation Design


1. understanding user needs
  • Set up recurring co-design workshop with core set of customers and two partner teams
  • Designed new pop-up which provides more information for end-users and creates a channel for IT pros to get their feedback
2. creating cross-product consistency
  • set up partnership with adjacent teams (MEM & Defender ATP)
  • supported MEM to ship various components of WDAC integration: including default policies to lower barrier to entry, deploying custom policies, policy signing
  • supported ATP in shipping reputation updates that WDAC could consume
3. reducing complexity & adding support
  • Documentation overhaul: comprehensive documentation for new features, feature availability comparison, plan to redo information architecture
  • Monthly newsletter (to support staff and enrolled enterprise customers)

3. Results


COMING SOON


4. Reflection


unresolved challenges

  • inherent technical complexity
  • prioritization (e.g. research plan)
  • quantitative measure of success (most security-conscious orgs turn off data reporting back to MSFT)