Looking back at deployment of Windows 11 at Microsoft

Microsoft’s internal journey to upgrade to Windows 11 was smooth and fast.

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Windows 11, built on the same foundation as Windows 10, came to us at a time when Microsoft needed to manage a distributed workforce. Historically speaking, it’s not easy to roll out a new operating system across an enterprise as large and complex as ours, but the similarities to Windows 10 meant Windows 11 could leverage existing deployment capabilities, scenarios, and tools. Utilizing these familiar tools and processes allowed us to deploy to 90 percent of eligible devices in five weeks, making the Windows 11 deployment the easiest and least disruptive release experienced to date.

“In nearly every way, Windows 11 Enterprise deploys just like any other Windows 10 feature update,” says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company. “When you look at the data, our time to deploy, and the number of support contacts, Windows 11 is the most successful Windows deployment in our history.”

It took our Microsoft Digital Employee Experience team fewer IT resources than ever to move to Windows 11. Most importantly, it wasn’t a burden on our employees. Our Windows 11 deployment enabled us to protect our environment, empower our people, and do so without embarking on an expensive or complicated venture.

“We’ve had a great experience with Windows 11,” D’Hers says. “Our migration was smooth and keeping it up to date has been even easier.”

Why was it so important for us to move to Windows 11?

It’s easy to look at Microsoft and say, “Sure, you’re a giant tech company, you have all these hardware and IT resources, it must be so easy for you to stay current!”

It’s not that simple.

In our attempt to become an evergreen platform, an operating system as a service, we recognized a need to promote a hardware baseline that would ensure specific productivity and secure-by-default functions are available to users. These requirements meant that some devices running Windows 10 would not be eligible, which is why the two products needed to be delineated. Windows 11 would run side-by-side with Windows 10, albeit only on devices that met the hardware requirements.

Still, when all is said and done, Windows 11 is based on all the same fundamentals as Windows 10.

And there are a lot of benefits to this.

It allows us to promote adoption without the risk of our apps suddenly breaking. App compatibility between Windows 10 and Windows 11 is more than 99 percent.

In fact, Windows 11 and Windows 10 are so similar, we can run them side-by-side with the same tools. That’s why we were able to manage the Windows 11 Enterprise deployment like previous Windows 10 updates using Windows Update for Business deployment service policies.

Windows 11 is definitely an upgrade from Windows 10, but it was rolled out and adopted like a typical update. The baseline hardware requirements enable us to provide our people with a more secure and productive environment. We quickly experienced the benefits of Windows 11 security enhancements and new productivity tools to enable exceptional work.

Microsoft’s move to Windows 11 is the company’s most successful Windows upgrade in its history, says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience.

A more efficient experience

Prior to migrating to Windows Update for Business deployment service, deploying Windows feature updates would be a complicated, long-term project.

“We had to create multiple packages, both 64- and 32-bit versions and for each of the supported languages used in our environment,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience. “Each package was tested and then deployed to multiple distribution points globally for each update. The deployment also relied on a task sequence to download and install the updates on devices which could easily be disrupted.”

This effort could take weeks or even several months.

Furthermore, the process was costly, requiring physical infrastructure dependencies for hosting packages. Gearing up for a new release would also require additional augmented staffing to help run the deployments. To top it off, network and VPN bandwidth limitations could create frustrating delays and interruptions for employees trying to install an update depending on their location.

Moving to Windows Update for Business policies saved both time and money without hurting adoption. The first release to benefit, the Windows 10 October 2018 Update, saw 95 percent adoption within 10 weeks of a feature update being made available to devices. It’s only gotten better since then.

The service eliminated the need for packaging, replication, and publishing activities. All in, Microsoft Digital Employee Experience saved 120 hours of work per deployment along with an additional 90 hours in testing. Further savings were achieved by reducing the reliance on augmented staff to support deployments.

By the time Windows 11 was ready for release in 2021, we had access to Windows Update for Business deployment service.

“This made setting up the deployment even easier,” Gonis says. “Windows Update for Business deployment service reduced administrative overhead considerably by eliminating the need to manually create deployment waves.”

Windows Update for Business deployment service calculates the number of devices based on the initial configuration and deploys more frequently and efficiently to the population. Supplementing this effort, Windows Update for Business reports show us what to target, making it easy to exclude ineligible devices.

Knowing that the Windows 11 Enterprise deployment would be managed by the same technology and processes we rely on for feature updates made it a safe decision. Knowing that it could be done without incurring significant costs made it an easy one.

A faster experience

The key to Microsoft’s successful move to Windows 11 was Windows Update for Business deployment service, says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience.

There is another reason we were so confident in the Windows 11 Enterprise deployment. We knew users would benefit from new productivity features without having the upgrade cut into their day.

“A device is your connection to your work experience, especially when you can’t go into the office,” D’Hers says. “Your device shouldn’t get in the way of what you’re doing, so we wanted to make sure our employees had a good upgrade experience.”

We knew certain features in Windows 11—including an improved user interface, tighter integration of Microsoft Teams across apps, and snap layouts—would help our people stay engaged throughout their day. We also knew users would avoid the upgrade if it prevented them from doing their work or became a nuisance.

To create a disruption-free experience, Windows 11 simply downloads and installs in the background and alerts the user when the device is ready. A quick restart finishes the installation, which can be scheduled to take place during non-work hours. As soon as 20 minutes later, the employee is up and running in Windows 11.

The improved update experience, flexibility, and increased end-user control around the update were an enormous success with our people. User sentiment scores for the Windows 11 Enterprise deployment averaged a full 18 points higher than the latest Windows 10 release. This is the highest satisfaction score we have ever seen for a deployment, and it’s significantly higher than the highest score ever received pre-Windows Update for Business, which was 112.

“There were no major incidents reported through support channels directly related to the Windows 11 update nor the deployment,” Gonis says. “The overall incident count unique to Windows 11 was limited to 398 across the entire 225,000 device deployment, with any additional incidents associated with random infrastructure or device management issues that one typically experiences in an enterprise environment.”

Overall, this represents a 40 percent decrease in helpdesk incidents compared to pre-Windows Update for Business deployments.

Each successive version of Windows has brought refinement and optimization to the deployment process. Windows 11 built on this refinement to become the best experience to date. By making the deployment process quick and easy, users gain important productivity features while also taking advantage of new baseline protections.

Secure by default

Windows 11 is about security from the ground up.

“It’s strategic level-setting,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the division responsible for protecting the company and our products. “At a high level, Windows 11 enforces sets of functionalities we need to make the environment secure by default.”

Windows 11 moved us to having more features be secure by default, says Carmichael Patton, a principal program manager with the Microsoft Digital Security and Resilience team.

To be eligible for a Windows 11 upgrade, a device must meet certain hardware specifications, including TPM 2.0. Because of these new hardware requirements, encryption keys, user credentials, and other vital information are protected from unauthorized access and tampering.

As a result, we can take existing security features found in Windows and allow them to reach their full potential. Windows 11 empowers users to have the same great Windows experience they expect without concession.

“Windows has always let you install whatever you want from wherever,” Patton says, noting that this important level of control is also a way malware can get on your device. “We can now use hardware-backed features in Windows 11 to put policies in place that still enable users to have flexibility in choosing their own applications without compromising security.”

Windows 11 continually updates this app control policy so that common and known safe apps are permitted while dangerous, unknown, and potentially malicious apps are blocked.

The same hardware-backed protections extend to user identities. Windows Defender Credential Guard and credential isolation with Local Security Authority (LSA) protection are now enabled by default on Windows 11 Enterprise edition. Both protections make it harder for attackers to infiltrate devices and steal a user’s identity.

Microsoft Defender SmartScreen can detect and warn users who are about to enter passwords into an app or website that’s known to be compromised. The feature further improves user security by promoting good password hygiene and alerts users when they perform unsafe credential practices, like saving passwords in a text file.
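
One way to confirm on a given device that the hardware-backed defaults described above (TPM 2.0, Credential Guard, LSA protection) are actually in place. This is an added example, not part of the original article or Microsoft's own tooling; the function name `Get-SecureDefaultStatus` and the output field names are hypothetical.

```powershell
# Added example: audit the local device for the protections named above.
# Run from an elevated PowerShell session; the TPM WMI class requires admin rights.

function Get-SecureDefaultStatus {
    # TPM: Win32_Tpm.SpecVersion is a comma-separated string, e.g. "2.0, 0, 1.59".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # Win32_DeviceGuard: VirtualizationBasedSecurityStatus 2 = enabled and running;
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsRunning = [bool]($dg -and ($dg.VirtualizationBasedSecurityStatus -eq 2))
    $credGuard  = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    # LSA protection: RunAsPPL = 1 (with UEFI lock) or 2 (without UEFI lock).
    # The registry value shows the configured state; the WinInit event 12 in the
    # System log confirms that LSASS actually started as a protected process.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name RunAsPPL -ErrorAction SilentlyContinue
    $lsaConfigured = [bool]($lsa -and ($lsa.RunAsPPL -in 1, 2))

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        TpmSpecVersion          = $tpmVersion
        Tpm20Present            = ($tpmVersion -eq '2.0')
        TpmEnabled              = [bool]($tpm -and $tpm.IsEnabled_InitialValue)
        VbsRunning              = $vbsRunning
        CredentialGuardRunning  = $credGuard
        LsaProtectionConfigured = $lsaConfigured
    }
}

# Flag the device if any of the expected defaults is missing.
$status = Get-SecureDefaultStatus
$status | Format-List
$gaps = $status.PSObject.Properties |
    Where-Object { $_.Value -is [bool] -and -not $_.Value } |
    Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning "Missing protections: $($gaps -join ', ')" }
```

A device that upgraded in place from Windows 10 may report some of these as off even though it meets the hardware floor, which is why checking the running state matters alongside eligibility.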

“Windows 10 could do a lot by configuration but not by default,” Patton says. “Windows 11 moved us to having more features be secure by default. Each new release adds more secure-by-default features.”

Now that we have this security baseline provided by hardware and software synergies, we can enforce security functions in the pipeline for Windows 11.

The Windows 11 experience

We’re now a year into Windows 11, including deploying its first major update, and we can see how deployments continue to become faster, more efficient, and less disruptive. This is in large part because we do not need to adopt any new device management tools or processes. We can run Windows 11 alongside Windows 10 using the same systems.

“Updating Windows 11 is getting even faster with the download and install phases shortening from 90 to an average of 60 minutes in the background and an average 20-minute final restart,” Gonis says. “Most people at Microsoft have a device that can run Windows 11 and, by March, we reached a 97 percent compliance rate.”

Deployment of the Windows 11 2022 Update was even faster than the original release, with over 90 percent adoption in just under five weeks. Excitement around the release resulted in a 50 percent increase in employees installing the update prior to its public release.

This means users are getting the security and productivity features they need to have the best experience possible now and in the future.

Modern hardware running a modern operating system will result in a better experience for everyone involved. Windows 11 serves as a baseline that allows us to easily see the state of security at Microsoft. By lifting the hardware floor, we can ensure users have consistent performance and protection in place.

Key Takeaways

  • Windows 11 strengthens your security posture, allowing you to offload legacy security solutions and centralize administration.
  • Consistency in system integrations and user experiences between Windows 10 and Windows 11 makes it easy to transition without having to adopt new applications or management solutions.
  • Windows Autopilot allows OEMs to automatically register devices in Intune, avoiding manual steps and allowing an organization to preconfigure new devices before distributing them to employees.
  • Windows Update for Business deployment service allows IT administrators to easily segment devices, organizations, and teams to better target deployments. This makes exceptions easier to manage.
