device management Archives - Inside Track Blog (How Microsoft does IT)

Harnessing AI: How a data council is powering our unified data strategy at Microsoft
Inside Track Blog, Thu, 09 Apr 2026
Information technology is an ever-evolving landscape. Artificial Intelligence is accelerating that evolution, providing employees with unprecedented access to information and insights. Data-driven decision making has never been more critical for businesses to achieve their goals.

In light of this priority, we have established a Microsoft Digital Data Council to help accelerate our companywide AI-powered transformation.

Our data council is a cross-functional team with representation from multiple domains within Microsoft, including Microsoft Digital, the company’s IT organization; Corporate, External, and Legal Affairs (CELA); and Finance.

Our data council’s mission is to drive transformative business impact by establishing a cohesive data strategy across Microsoft Digital, empowering interconnected analytics and AI at scale. Our vision is to guide our organization toward Frontier Firm maturity through a clear blueprint for high-quality, reliable, AI-ready data delivered on trusted, scalable platforms.

“By championing robust data governance, literacy, and responsible data practices, our data council is a crucial part of our AI-powered transformation,” says Naval Tripathi, principal engineering manager in Microsoft Digital. “It turns enterprise data into a strategic capability that fuels predictive insights and intelligent outcomes across the organization.”

Our evolving data strategy

Over the past two decades, we at Microsoft—along with other large enterprises—have continuously evolved our data strategies in search of the right balance between control and agility. Early approaches were highly decentralized, with different teams owning and managing their own data assets. While this enabled local optimization, it also resulted in inconsistent quality and limited enterprise-wide insight.

Our subsequent shift toward centralized data platforms brought much-needed standardization, security, and scalability. However, as data platforms grew more sophisticated, ownership often drifted away from the business domains closest to the data, slowing responsiveness and diluting accountability.

Today, we and other leading companies are embracing a more balanced, federated approach, often described as a data mesh. Rather than forcing all our data into a single centralized system or allowing unchecked decentralization, the data mesh formalizes domain ownership while embedding governance, quality, and interoperability directly into shared platforms.

With this approach, our domain teams publish data as well-defined, discoverable products, while common standards for security, metadata, and compliance are enforced through automation rather than manual processes. This model preserves enterprise trust and consistency without sacrificing speed or autonomy.

By adopting a data mesh mindset, we can scale analytics and AI more effectively across the organization while still keeping ownership closely connected to the business focus. The result is a system that supports innovation at the edges, strong governance at the core, and seamless collaboration across domains, enabling the transformation of data from a technical asset to a strategic, enterprise-wide capability.

Quality, accessibility, and governance

To scale enterprise data and AI, organizations must first ensure their data is trusted, discoverable, and responsibly governed. At Microsoft Digital, our data strategy is designed to create data foundations that power intelligent applications and effective decision making across the company.

By implementing a data mesh strategy at scale, we aim to unlock valuable data insights and analytics, enabling advanced AI scenarios. Our data council focuses on three core dimensions that make AI-ready data possible:

  • Quality: Making sure enterprise data is reliable and complete
  • Accessibility: Enabling secure and discoverable access to data
  • Governance: Protecting and managing our data responsibly

Together, these dimensions form the foundation for scalable innovation and AI-powered data use. They connect data silos and ensure consistent, high‑quality access across the enterprise—enabling both humans and AI systems to work from the same trusted data foundation. As AI use cases mature, this foundation allows AI agents to retrieve and reason over data through enterprise endpoints, while supporting advanced analytics, data science, and broader technology.

“High-quality, well-governed data is essential to accelerate implementation and adoption of AI tools,” says Miguel Uribe, a principal PM manager in Microsoft Digital. “Data quality, accessibility, and governance are imperatives for AI systems to function effectively, and recognizing that is propelling our data strategy.”

Quality

AI-ready data is available, complete, accurate, and high-quality. By adopting this standard, our data scientists, engineers, and even our AI agents are better able to locate, process, and govern the information needed to drive our organization and maximize AI efficiencies.

By utilizing Microsoft Purview, our data council can oversee the monitoring of data attributes to ensure fidelity. It also monitors parameters to enforce standards for accuracy and completeness.

Accessibility

Ensuring that our employees get access to the information they need while prioritizing security is a foundational element of our enterprise data strategy. Microsoft Fabric allows us to unify our organization’s siloed data in a single “mesh” that enables advanced analytics, data science, data visualization and other connected scenarios.

Microsoft Purview then gives us the ability to democratize that data responsibly. By implementing a data mesh architecture, our employees can work confidently, unencumbered by siloed or inaccessible data, and with the assurance that the data they’re working with is secure.

A graphic shows how the data mesh architecture allows employees to access data they need, with platform services and data management zones surrounding this architecture.
The data mesh architecture enables our employees to do their work efficiently while preventing the data they’re working on from becoming siloed.

The data mesh connects and distributes data products across domains, enabling shared data access and compute while scaling beyond centralized architectures.

Platform services are standardized blueprints that embed security, interoperability, policies, standards, and core capabilities—providing guardrails that enable speed without fragmentation.

Data management zones provide centralized governance capabilities for policy enforcement, lineage, observability, compliance, and enterprise-wide trust.

Governance

As organizations scale AI capabilities, strong governance becomes essential to ensure security, compliance, and ethical data use. Data governance—which includes establishing data policies, ensuring data privacy and security, and promoting ethical AI usage—is critical, as is compliance with the General Data Protection Regulation (GDPR), the Consumer Data Protection Act (CDPA), and other regulations.

However, governance is not only a technical capability; it’s also a cultural commitment.

Responsible data use must be embedded into the way teams manage data and build AI solutions. Through Microsoft Purview, we implemented an end-to-end governance framework that automates the discovery, classification, and protection of sensitive data across the enterprise data landscape.

This unified approach allows teams to innovate confidently, knowing that the data powering their insights and AI systems is trusted and protected, as well as responsibly managed.

“AI systems are only as reliable as the data that powers them,” Uribe says. “By investing in trusted and well-managed data, we accelerate not only the adoption of AI tools but our ability to generate meaningful insights and intelligent outcomes.”

The data catalog as the discovery layer

By serving as a common discovery layer for humans and AI, the data catalog ensures that governance translates directly into speed, accuracy, and trust at scale.

A unified data strategy only succeeds if both people and AI systems can consistently find the right data. At Microsoft, this is enabled by our enterprise data catalog, which operationalizes the standards set by our data council.

For business users, the catalog provides intuitive search, ownership transparency, and trust signals—enabling confident self‑service analytics. For AI agents, the same catalog exposes machine‑readable metadata, allowing agents to programmatically discover canonical datasets, validate schema and freshness, and respect governance constraints.

Our role as Customer Zero

In Microsoft Digital, we operate as Customer Zero for the company’s enterprise solutions, so that our customers don’t have to.

That means we do more than adopt new products early. We deploy them at enterprise-scale, operate them under real‑world constraints, and hold them to the same standards our customers expect. The result is more resilient, ready‑to‑use solutions and a higher quality bar for every enterprise customer we serve.

Our data council embodies this Customer Zero mindset through its Enterprise Readiness initiative. By engaging product engineering as a unified enterprise voice, the council drives strategic conversations that surface operational blockers, influence roadmap prioritization, and ensure new and existing data solutions are truly ready for enterprise use.

These learnings are then shared broadly across Microsoft Digital to accelerate adoption, reduce duplication, and scale proven patterns across teams.

“When we engage product teams with real telemetry from how data is created, governed, and consumed at scale, we move the conversation from theory to execution,” says Diego Baccino, a principal software engineering manager in Microsoft Digital and a member of the council. “That’s how enterprise readiness becomes real.”

This work is deeply integrated with our AI Center of Excellence (CoE), where Customer Zero principles are applied to accelerate AI outcomes responsibly. Together, the AI CoE and the data council focus on improving data documentation and quality—foundational capabilities that are required to make AI feasible, trustworthy, and scalable across the enterprise.

By grounding AI innovation in measurable data quality and governance standards, Microsoft Digital ensures that experimentation can safely mature into production‑ready solutions. The partnership between our data council, our AI CoE, and our Responsible AI (RAI) Council is essential to our broader data and AI strategy.

“AI readiness isn’t aspirational—it’s operational,” Baccino says. “By measuring the health of our data, setting clear quality baselines, and using those signals to guide product and platform decisions, we turn data into a strategic asset and AI into a repeatable capability.”

Together, these teams exemplify what it means to be Customer Zero: Transforming enterprise experience into action, governance into acceleration, and data into durable competitive advantage.

Advancing our data culture

Our data council plays a pivotal role in advancing the organization’s transition from data literacy to enterprise data and AI capability. In conjunction with our AI CoE, it creates curricula and sponsors learning pathways, operational practices, and community programs to equip our employees with the skills and mindset required to thrive in a data- and AI-centric world.

While early efforts focused on improving data literacy, our data council’s mission has evolved, together with our AI CoE, to enable data and AI capability at scale—where employees not only understand data but can effectively apply it to build, operate, and govern intelligent solutions.

Our curriculum includes high-level courses on data concepts, applications, and extensibility of AI tools like Microsoft 365 Copilot, as well as data products like Microsoft Purview and Microsoft Fabric.

By facilitating AI and data training, offering internally focused data and AI certifications, and fostering internal community engagement, our council ensures that employees develop the capabilities required to responsibly build and operate AI-powered solutions. Achieving data and AI certifications not only promotes career development through improved data literacy, it also enhances the broader data-driven culture within our organization.

“We recognize that AI capability is built when data skills are applied directly to real AI scenarios and business outcomes—not when learning exists in isolation,” Uribe says. “Our focus is not just teaching our teams about data; it is enabling employees to apply data to create AI‑driven outcomes. When teams understand how data powers AI systems, they can make better decisions, design better products, and build more responsible AI experiences.”

Lessons learned

Our data council was created to develop and execute a cohesive data strategy across Microsoft Digital and to foster a strong data culture within our organization. Over time, several critical lessons have emerged.

Executive sponsorship enables transformation

Executive sponsorship is a key element to ensure implementation and adoption of a data strategy. Our leaders are committed to delivering and sustaining a robust data strategy and culture and have been effective champions of the council’s work.

“Leadership provides support and reinforcement of the council’s mission, as well as guidance and clarity related to diverse organizational priorities,” Baccino says.

Cross-functional collaboration accelerates impact

Our council’s work has also benefited from the diverse representation offered by different disciplines across our organization. Embracing diverse perspectives and understanding various organizational priorities is critical to implementing a successful data strategy and culture in a large and complex organization like Microsoft Digital.

Modern platforms allow for scalable AI productivity

Technology and architecture also play a critical role in enabling enterprise data and AI capability. Platforms like Microsoft Purview and Microsoft Fabric provide the governance, discovery, and analytics infrastructure required to create trusted, AI-ready data ecosystems.

Combined with strong leadership support and community engagement, these platforms allow our organization to move beyond isolated data projects toward connected, enterprise-wide intelligence.

As our organization continues to evolve, our data council’s strategic work and valuable insights will be crucial in shaping the future of data-driven decision making and AI transformation at Microsoft.

Key takeaways

Here are some things to keep in mind as you contemplate forming a data council to help you manage and scale AI impacts responsibly at your own organization:

  • A data mesh strikes the balance enterprises have been chasing. By formalizing domain ownership while enforcing standards through shared platforms, you avoid both chaotic decentralization and slow, over-centralized control.
  • Governance is an accelerator when it’s automated and embedded. Using platforms like Microsoft Purview and Microsoft Fabric, governance shifts from a manual gatekeeping function to a built‑in capability that enables faster, trusted analytics and AI.
  • AI systems are only as strong as their discovery layer. A unified enterprise data catalog allows both people and AI agents to find, trust, and use data consistently—turning standards into operational speed.
  • Customer Zero turns theory into enterprise‑ready execution. By operating its own data and AI platforms at scale, Microsoft Digital provides real telemetry and practical feedback that directly shapes product readiness.
  • Building AI capability is a cultural effort, not just a technical one. Our data council’s focus on applied learning, certification, and real-world AI scenarios ensures data skills translate into durable business outcomes.
  • AI scale exposes the cost of fragmented data ownership. A data council cuts through silos by aligning priorities, resolving tradeoffs, and concentrating investment on the data assets that matter most for AI impact.
  • Shared metrics create shared ownership. Publishing data quality and AI‑readiness scores at the leadership level reinforces accountability and positions data as a core enterprise asset.

Powering the new age of AI-led engineering in IT at Microsoft
Inside Track Blog, Thu, 05 Mar 2026
When generative AI burst into the mainstream, it landed in our IT engineering organization like a shockwave.

There was excitement, curiosity, skepticism, and no shortage of questions about what this technology meant for the future of IT.

At Microsoft Digital—the company’s IT organization—we didn’t start with a grand transformation plan. Instead, we started with a realization: AI wasn’t just another tool to roll out. It was a fundamental shift in how engineering work could happen.

For years, our IT teams have been focused on scale, reliability, and operational excellence. Those priorities didn’t change. What changed were the possibilities.

Suddenly, engineers could draft code in seconds, summarize complex systems instantly, or automate work that had once consumed hours or days. It was an opportunity to take the skills and capabilities of our people and amplify them with AI.

That realization forced us to step back and ask harder questions.

How do you help thousands of engineers understand what AI can actually do to impact their day-to-day work? How do you move from experimentation to trust? And how do you adopt AI in a way that strengthens engineering fundamentals instead of eroding them?

The answer came in the form of a phased journey grounded in people, culture, and continuous learning.

Phase 1: Awareness and access

It might sound surprising when speaking about engineering processes, but our first challenge wasn’t technology; it was understanding.

When generative AI entered the conversation, most engineers saw the headlines and dabbled in various tools, but few understood fully what it meant for their work. Some were excited, others were wary. Many simply didn’t know where to start. That gap between awareness and practical value was the first barrier we had to address.

We realized early that top-down mandates wouldn’t work. Telling engineers to “use AI” without context or relevance would only deepen skepticism. Instead, we focused on something both simpler and more difficult: Exposure.

We started by making AI visible and accessible in the tools engineers already used. GitHub Copilot. Microsoft 365 Copilot. Early copilots embedded directly into engineering workflows. The goal wasn’t immediate productivity gains. It was familiarity. Letting engineers see, firsthand, what AI could and couldn’t do.

Just as important, we talked openly about limitations.

AI wasn’t perfect. It hallucinated. It made confident mistakes. And that honesty mattered. By framing AI as an assistant, we reinforced the role of engineering judgment. Engineers didn’t need to fear losing control. They needed to understand how to stay in control.

We also made experimentation safe.

No quotas. No forced adoption metrics. Engineers were encouraged to try AI on low‑risk tasks: summarizing documentation, generating test cases, or exploring unfamiliar codebases. Small wins built confidence, confidence built curiosity, and curiosity drove organic adoption.

As that experimentation took hold, the mindset began to shift.

“We encouraged tool usage and adoption so people would at least play around with AI,” says Mukul Singhal, a partner group engineering manager in Microsoft Digital. “And once they did, they started seeing the value. That’s when the mindset shifted from ‘AI might replace me’ to ‘AI can be my companion.’”

Over time, conversations changed from ‘Should we use AI?’ to ‘Where does AI help most?’

Engineers began sharing prompts, tips, and lessons learned with one another. What started as individual exploration turned into community learning. Awareness gave way to momentum.

Phase one was about providing access to explore, to question, and to learn. And that foundation made everything that followed possible.

Phase 2: Culture shift

Access created awareness and awareness created curiosity.

As more engineers began experimenting with AI, we noticed a pattern. Some teams were moving faster, learning faster, and reducing friction in their day‑to‑day work. Others stalled after initial trials. The difference wasn’t technical skill or capability; it was mindset.

To move forward, we had to shift how AI was perceived from something optional or experimental to something that was simply part of how modern engineering gets done.

That meant normalizing AI as a trusted partner in the engineering process.

Leaders played a critical role in that shift. Rather than positioning AI as a productivity shortcut, they framed it as a way to strengthen engineering fundamentals: clearer design discussions, better documentation, faster feedback loops, and more time for deep problem‑solving. The message was intentional and consistent. Using AI wasn’t about cutting corners; it was about reimagining how work gets done.

We also had to address a fear that surfaced early: that AI adoption was a signal of replacement rather than empowerment.

“People started shifting from the mindset of ‘Will AI work?’ to ‘AI is working for me,’” says Veera Mamilla, a principal group engineering manager in Microsoft Digital. “I think that was a very transformational shift, to where I believe a lot of engineers in the organization started believing in AI.”

That framing mattered.

As engineers incorporated AI into their workflows, success stopped being measured by output alone. The focus shifted to outcomes. Did AI help you understand a system faster? Did it surface risks earlier? Did it free up time to focus on higher‑value work?

Over time, AI stopped feeling like a novelty. It became part of the engineering fabric. We reinforced it through leadership modeling, peer learning, and shared success stories. Teams no longer asked whether AI belonged in their workflows. They asked how to use it responsibly and effectively.

Phase 3: Upskilling and role evolution

Once AI moved from curiosity to expectation, the challenge of skill building became unavoidable.

From the start, we made a deliberate choice: This would be an upskilling and reskilling journey, not a wholesale replacement of roles. The goal wasn’t a new workforce. It was an investment in the one we had.

That decision shaped everything that followed.

Early upskilling efforts focused on practical entry points. Prompt engineering. Tool literacy. Understanding how copilots and early agents behaved in real engineering workflows. We treated these as something every engineer needed to experiment with, regardless of discipline.

But it quickly became clear that skills alone weren’t the full story. Roles themselves were starting to evolve.

Across software development, service engineering, and cloud network engineering, the work was shifting from manual execution toward orchestration and oversight. Engineers were no longer expected to do every task end‑to‑end by hand. Instead, they were learning how to guide AI, review its output, and decide where automation made sense and where it didn’t.

As part of this shift, we began researching how the industry itself was redefining engineering roles. Leaders examined emerging job descriptions from across the market and compared them with Microsoft’s own role frameworks. At the time, there was no formal “AI engineer” role in the internal job library. Rather than creating a new title, the focus stayed on evolving expectations within existing roles.

The idea of an “AI‑native engineer” emerged not as a job description, but as a mindset.

An AI‑native engineer still understands systems, architecture, and risk. What’s different is how that expertise gets applied. Routine tasks are delegated to AI. Judgment, design, and accountability stay with the human. Engineers move from doing all the work themselves to supervising work done in partnership with AI.

“Your title might still be software engineer or principal engineer,” says Ragini Singh, a partner group engineering manager in Microsoft Digital. “But if you’re acting like an AI engineer, what does that actually mean? That question helped us start defining how these roles were evolving.”

This evolution looked different across disciplines. Software engineers focused on AI‑assisted coding, test generation, and spec‑driven development. Service engineers leaned into AI for incident response, knowledge capture, and operational decision support. Cloud network engineers began moving from manual intervention toward intelligent orchestration and agent‑assisted troubleshooting. The common thread wasn’t identical tooling; it was a shared shift toward higher‑order work and reduced toil.

Phase 4: Embedding AI across the engineering lifecycle

By this phase, we knew individual productivity gains were simply the starting point for larger and broader benefits.

Early on, most AI usage showed up in familiar places: Code suggestions, documentation summaries, quick answers. Useful, but fragmented. The bigger opportunity emerged when we stepped back and asked a harder question: What would it look like if AI were embedded across the entire engineering lifecycle, not just used at isolated moments?

We stopped thinking in terms of tools and started thinking in terms of flow. Design. Build. Test. Deploy. Operate. Improve. AI needed to show up across all of it, in ways that reinforced how engineers already worked.

In software engineering, that meant pulling AI earlier into the process. We began using it to help draft requirements, reason through design options, and review code with broader system context to accelerate how quickly we could get to informed decisions. Coding assistance mattered, but it was no longer the center of gravity.

Testing and quality followed a similar pattern. AI supported test generation, defect analysis, and code review, reducing repetitive effort and helping issues surface sooner. That gave engineers more time to focus on quality and architecture instead of cleanup.

In service engineering, we embedded AI into incident management and operational workflows. Engineers used it to summarize incidents, surface relevant knowledge, and analyze signals across systems. In cloud network engineering, AI helped shift work away from manual intervention toward orchestration and intelligent troubleshooting. Across disciplines, the principle stayed the same: AI should reduce friction, not introduce it.

As we scaled this approach, one thing became clear. Embedding AI wasn’t just a technical exercise. It was a systems change.

“If AI is only showing up at one step, you don’t get the full value,” says Sudhakar Sadasivuni, a principal group engineering manager in Microsoft Digital. “The real impact comes when it’s integrated across the lifecycle, where engineers can design, build, operate, and learn faster as a system.”

As AI became part of core workflows, engineers remained accountable for outcomes. AI output was reviewed, tested, and validated like any other engineering input. Embedding AI didn’t lower the bar for rigor. It raised expectations around judgment, oversight, and data quality. We became more deliberate about responsibility and governance.

Over time, these integrations created compound benefits.

Faster design cycles reduced downstream rework. Better testing lowered operational noise. Improved operational insight shortened recovery times. AI stopped being something we used occasionally and became something the engineering system itself was built around.

Phase 5: Eliminating toil and accelerating outcomes

At some point, every AI story hits the same test. Does it actually make engineers’ days better? For us, that proof showed up fastest in elimination of toil.

Across Microsoft Digital, engineers have always spent time on work that was necessary but draining. It included tasks such as manual troubleshooting, repetitive diagnostics, log analysis, and routine operational tasks that kept systems running but didn’t move the organization forward.

AI gave us a chance to change that.

A photo of Garrison.

“Toil reduction is the biggest thing. That’s where engineers’ eyes light up. If we can eliminate toil, engineers will flock to use AI. I really believe it.”

Beth Garrison, principal cloud network engineer, Microsoft Digital

In cloud network engineering, for example, troubleshooting used to require manually reconstructing what happened, such as logging into devices, chasing configurations, and piecing together context after the fact. As we began introducing agents and machine learning into these workflows, that work shifted. Instead of spending time assembling the picture, engineers could generate the views they needed faster and focus on resolving issues.

The same shift showed up in how we used operational data.

Rather than reacting to incidents after impact, we started using machine learning to analyze logs, identify patterns, and surface anomalies earlier. That moved teams from reactive response toward proactive monitoring and prevention.

One thing became clear very quickly: Toil reduction wasn’t just a benefit; it was the catalyst for adoption.

“Toil reduction is the biggest thing. That’s where engineers’ eyes light up,” says Beth Garrison, a principal cloud network engineer at Microsoft Digital. “If we can eliminate toil, engineers will flock to use AI. I really believe it.”

Service engineering followed a similar arc.

Across governance, operations, productivity, and cost management, we began applying agents and automation to simplify complex work and reduce manual review cycles. Governance and compliance workflows became faster and more consistent. Operational processes benefited from guided remediation and earlier insight. Knowledge capture improved as documentation and remediation guidance could be generated and updated automatically.

When we removed repetitive work such as manual triage, rote diagnostics, and endless documentation cleanup, we transformed how engineers spent their time. More focus on design. More proactive problem‑solving. More energy directed toward improving systems instead of just maintaining them.

Toil reduction made the value of AI tangible. It’s the moment AI stopped being interesting and became indispensable, and our engineering teams started asking where else we can apply it next.

Measuring what matters

By the time AI was embedded across our engineering lifecycle, a new question came into focus: “How do we know it’s working?”

In the early days, we paid close attention to usage: which tools engineers were trying, where adoption was growing, and where it stalled. Those signals mattered, and adoption was the leading indicator that people were getting comfortable and starting to integrate AI into real work.

“Adoption was always the starting point. But we were clear from the beginning that usage isn’t the destination. The real goal is impact: more time for engineers to focus on the work that truly matters.”

Ullas Kumble, principal group software engineering manager, Microsoft Digital

But using AI doesn’t automatically mean better outcomes. So, we shifted the conversation and started asking, “What’s different now that our engineers are using AI?”

That change reframed how we thought about measurement. We began looking beyond tool activity to understand impact across the engineering system. Faster design cycles. Earlier defect detection. Reduced time spent on repetitive operational work. Shorter incident resolution. Clearer documentation. Fewer handoffs. Less rework.

These weren’t abstract metrics. They showed up in the flow of work.

We were intentional about not forcing a single definition of value across every role. Software engineers, service engineers, and cloud network engineers experience impact differently. What mattered was that each team could point to tangible improvements in how work moved through the system.

That perspective shaped how leadership talked about success.

“Adoption was always the starting point,” says Ullas Kumble, a principal group software engineering manager at Microsoft Digital. “But we were clear from the beginning that usage isn’t the destination. The real goal is impact: more time for engineers to focus on the work that truly matters.”

Over time, this approach changed the quality of our conversations. Instead of debating whether AI was worth the investment, teams talked about where it was removing friction and where it still wasn’t delivering enough value. Measurement became a tool for learning and prioritization.

Moving forward

Looking ahead, one lesson stands out: this journey isn’t complete.

AI tools will continue to evolve. Agents will become more capable. Roles will keep shifting. What it means to be an engineer will continue to change. And that means our approach must stay grounded in the same principles that guided us from the start: invest in people, reinforce fundamentals, embed AI into real workflows, and stay honest about what’s working and what isn’t.

We didn’t set out to build an AI‑driven engineering organization overnight; we built it phase by phase.

By meeting engineers where they were.
By reshaping culture before redefining roles.
By embedding AI across the lifecycle, not bolting it on.
By reducing toil and measuring impact where it mattered most.

The result is better engineering: powered by AI, guided by human judgment, and built to keep evolving.

Key takeaways

Here’s a set of approaches you can take to establish AI-led engineering for your organization:

  • Start with access and understanding. Give engineers safe, easy access to AI in the tools they already use so curiosity and confidence can develop organically before you push for outcomes.
  • Frame AI as a partner, not a replacement. Position AI as an assistant that strengthens engineering judgment and fundamentals rather than a shortcut or a threat to roles.
  • Normalize experimentation without pressure. Encourage low‑risk experimentation and peer sharing instead of mandates, allowing adoption to grow through visible, practical wins.
  • Invest in upskilling. Focus on evolving skills and expectations within existing roles so engineers learn how to guide, review, and stay accountable for AI‑assisted work.
  • Embed AI across the full engineering lifecycle. Look beyond isolated productivity gains and integrate AI into design, build, test, operate, and improve workflows to unlock system‑level impact.
  • Measure impact where engineers feel it. Move past usage metrics and track outcomes like reduced toil, faster feedback, and improved flow so teams can see where AI is truly making work better.

Try it out

Try GitHub Copilot.

The post Powering the new age of AI-led engineering in IT at Microsoft appeared first on Inside Track Blog.

Read our seven tips for shifting to a ‘cloud native’ device management strategy
http://approjects.co.za/?big=insidetrack/blog/read-our-seven-tips-for-shifting-to-a-cloud-native-device-management-strategy/
Thu, 19 Feb 2026 17:00:00 +0000

At Microsoft, we manage a large, diverse device estate, with more than 1 million devices in use by employees and teams across our global corporate network.

For years, we stitched together insights across multiple tools, wrote custom queries, and maintained fragile reports just to answer basic questions. This approach slowed investigations and delayed patch targeting.

We needed a faster, stronger, cloud-native path.

“We’re investing in AI-powered predictive maintenance and intelligent troubleshooting to reduce friction in device management.”

Daniel Manalo, principal service engineer, Microsoft Digital

The advent of generative AI changed the way we manage our devices. Not only were we able to ask better questions and get targeted help right from the start, we also got faster and more relevant answers from across our entire device management estate.

It’s simpler. It’s faster. It scales with our environment. And we’re doing it natively in the cloud.

“We’re investing in AI-powered predictive maintenance and intelligent troubleshooting to reduce friction in device management,” says Daniel Manalo, a principal service engineer in Microsoft Digital, the company’s IT organization.

AI and machine learning help us find errors faster and, in many cases, fix them autonomously. That reduces downtime, prolongs the lifespan of our devices, and gives our employees a consistent, productive experience.

Today, we’re applying this approach to everyday operations: speeding investigations, simplifying updates, and tightening the loop from detection to remediation. The overarching goal remains consistent: reduce workloads, improve clarity, and surface problems earlier in the risk window.

The role of Customer Zero in evolving modern device management

We serve as the company’s Customer Zero for our products here in Microsoft Digital. We run early capabilities in our own tenant, pressure‑test them at Microsoft scale, and feed what we learn straight back to engineering. The goal is simple: Turn good ideas into reliable features that any enterprise can use.

A photo of Selvaraj.

“We use our collective learnings from our internal deployments to improve our products, which makes them better for our employees and for our customers.”

Senthil Selvaraj, principal group product manager, Microsoft Digital

Our Microsoft Digital teams work side-by-side with the Intune product group to modernize our device management approach. The Intune group builds and operates the platform, while we bring real‑world scenarios, signals, and guardrails. Together, we help develop, test, and deploy a better cloud-native product for our customers.

“We use our collective learnings from our internal deployments to improve our products, which makes them better for our employees and for our customers,” says Senthil Selvaraj, a principal group product manager in Microsoft Digital.

For the same reasons, we work hard to make sure that we deploy our tools and services in the same way our customers do.

“That enables everyone at the company to have good visibility into the experiences our customers will have when our products get to them,” Selvaraj says. “This makes us more accountable to our customers and helps us move quickly when improvements are needed.”

Customer Zero for device management spans more than Intune.

We partner across teams responsible for Microsoft Purview, Microsoft 365 Copilot, Microsoft Defender, Windows (Autopatch and Hotpatch), GitHub, and Microsoft Azure to produce comprehensive device management capabilities. These are the surfaces where we test, learn, and refine the end‑to‑end device management experience.

The loop is tight. We identify a need, prototype a solution with the product groups, roll it out to targeted rings, measure impact, and iterate. Those learnings inform what ships in Intune—from data-driven insights to built‑in prompts that surface device health data as a conversation, rather than a simple query.

“Using natural language reduces the time it takes us to figure out what’s going on. We are able to ask Security Copilot questions naturally, which allows us to hear the signals that need our immediate action faster.”

Mohit Malhotra, product manager, Microsoft Digital

The result is a safer, faster path to value with AI-driven device management, including clear ownership, faster remediation, and features that arrive tested against operational reality.

We’ve learned a lot as Customer Zero, and we’re passing those lessons on to you.

Modern device management: Seven tips

Here are seven important tips that we’ve compiled to help with your device management efforts.

Tip 1: Ask natural-language questions with Microsoft Security Copilot

We use the generative AI capabilities in Microsoft Security Copilot to query device and vulnerability data in plain language and get a unified answer that we can act on.

This allowed us to replace bespoke reports with targeted questions.

“Using natural language reduces the time it takes us to figure out what’s going on,” says Mohit Malhotra, a product manager in Microsoft Digital. “We are able to ask Security Copilot questions naturally, which allows us to hear the signals that need our immediate action faster.”

Security Copilot lets us ask about device posture, app versions, known vulnerabilities (tracked as Common Vulnerabilities and Exposures, or CVE, entries), and exposure across Microsoft Defender and Intune, without stitching the data together by hand. We get the context we need and move faster from finding to fixing.

How we use it

  • Scope impact: “List Windows devices running <app/version> that are vulnerable, with owners and deployment rings.”
  • Prioritize work: “Group affected devices by business unit and model; show counts and severity.”
  • Verify reach: “Confirm which devices received <policy/package> in the last 48 hours; flag failures.”

Prompts we rely on

  • “Show devices affected by <CVE/app version> and summarize recommended remediation steps.”
  • “Break down exposure by ring and list top 5 models with highest risk.”
  • “Identify outliers that failed the last policy sync and provide reasons.”

Why it helps

  • Less toil: No custom pipelines to maintain.
  • Faster triage: Discovery and scoping happen in one interaction.
  • Clear next steps: Results align to our Intune targeting and scheduling paths.

Best practices

  • Start specific: Name the product, version, and time window, then broaden as needed.
  • Keep follow‑ups short: Quick pivots like “group by region” or “add owner emails” maintain momentum.
  • Act on the output: Use the device lists to target updates or policies in Intune, then validate results with a final check.

Note

  • We align usage with least‑privilege access and established approval paths so insights come from authoritative sources and actions land through the right channel. Security Copilot answers with the permissions of the person asking, so the roles you already scope in Defender and Intune bound what it can surface; it does not widen access.

Tip 2: Find knowledge fast with Microsoft 365 Copilot

We use Microsoft 365 Copilot to pull device context from email, chats, and documents, allowing us to troubleshoot issues faster and easier using generative AI.

Incidents start with questions, not dashboards: “Who owns this package? When did we change that policy? Where did we discuss the driver rollback?”

The answers to those questions live in mail threads, Teams chats, and planning docs. Before Copilot, we were forced to sift through these materials manually, which cost us time. Now we ask one question and get a summary with sources, people, and links. That keeps the investigation moving and reduces handoffs.

A photo of Griswold.

“Copilot helps scan noisy logs and points us to likely causes. Our old process of opening logs, interpreting opaque error strings, and validating a hunch took too long. Getting faster answers matters when incidents stack up.”

Michael Griswold, principal service engineering manager, Microsoft Intune

This also helps us during the coordination phase. We can surface the approver for a change, the engineer who ran the last mitigation, and the runbook section that explains the rollback steps. We make better decisions because we see the history and the intent, not just the current state. Then we line up the action in Intune with the right stakeholders already looped in.

How we use it

  • Asking for recent context on a device model, configuration, or app to see decisions and outcomes in one place.
  • Retrieving owners, approvers, and on‑call contacts named in Outlook and Teams messages related to the issue.
  • Pulling change notes and runbook updates tied to a policy or package before we request an update in Intune.

Prompts we rely on

  • “Summarize recent emails and Teams messages about <device model/app version> and list owners mentioned.”
  • “Find the change note or runbook update for <policy/package> from the last 14 days.”
  • “Show known issues linked to <KB/app> and who resolved the last occurrence.”

Why it helps

  • Less hunting: We replace ad hoc inbox and wiki searches with a single query.
  • Faster coordination: We identify the right stakeholders and prior decisions immediately.
  • Better decisions: We confirm history and context before proposing changes in Intune.

Best practices

  • Keep prompts scoped. Include product, version, and a timeframe to focus your results.
  • Respect boundaries. Align usage with least‑privilege access and existing approval and auditing paths.
  • Capture outcomes. Link summaries, owners, and key docs back to the incident record so future searches return richer context.

Note

  • Copilot gets better as more decisions and runbooks live in Microsoft 365, since that’s where the signals come from.

Tip 3: Accelerate log triage with GitHub Copilot, Visual Studio Code, and Log Analytics

We use GitHub Copilot in Visual Studio Code with Azure Monitor Log Analytics to explain errors, draft KQL, and shorten device log investigations.

“Copilot helps scan noisy logs and points us to likely causes,” says Michael Griswold, a principal service engineering manager with the Microsoft Intune product group. “Our old process of opening logs, interpreting opaque error strings, and validating a hunch took too long. Getting faster answers matters when incidents stack up.”

Now we keep the entire loop in one workspace. AI in GitHub Copilot interprets the event, proposes likely causes, and generates KQL to confirm or rule out scenarios. We move from symptom to validated pattern without bouncing across tools.

How we use it

  • Connect VS Code to your Log Analytics workspace and load the tables you need (e.g., inventory and update events).
  • Paste a minimal log sample with timestamps and device identifiers, so Copilot has context.
  • Ask Copilot to summarize the error, suggest probable causes, and produce KQL to test each path.
  • Run the query, review clusters and outliers, and request an alternate query or grouping if noise is high.

Prompts we rely on

  • “Explain this error in a device‑management context and list three validation checks.”
  • “Write KQL to find matching failures in the last 24 hours and group by model and policy.”
  • “Join device inventory with update events for a given device and surface anomalies.”

Why it helps

  • Faster pattern recognition: Proposed queries get us to evidence quickly.
  • Less context switching: Analysis and validation happen inside VS Code.
  • Cleaner handoff: Results map to our Intune actions for targeted remediation.

Best practices

  • Keep inputs tight: Provide a small, representative log snippet, the affected device attributes, and a precise time window.
  • Iterate on queries: Ask for different filters, joins, or time ranges when results are noisy.
  • Close the loop: Use the device list to drive policy or update changes in Intune and confirm fixes with a final query.

Note

  • This workflow is broadly repeatable with GitHub Copilot, Visual Studio Code, and Azure Monitor Log Analytics.
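The grouping the prompts above ask Copilot to draft, carried out over sample data as an added example (this is not code from the original post or from Microsoft Digital): the one-line-per-event export format, its field names (device, model, policy, state, code) and all eight records are constructed for illustration, and the function names and the cluster threshold are this example's own. It parses the events, keeps failures inside the time window, clusters them by model and policy, and separates a repeating signature from the singletons that deserve an individual look.

```python
"""Cluster device update failures by model and policy; separate patterns from outliers.

Added example, not Microsoft Digital's code. The "key=value" export format, the
field names and every record in SAMPLE_LOG are constructed for illustration; the
grouping mirrors what the KQL drafted in Tip 3 does against Log Analytics tables.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: eight update events in a hypothetical one-line-per-event export.
SAMPLE_LOG = """\
2026-02-10T08:01:12Z device=LT-0142 model=Surface-Laptop-5 policy=Win11-Quality-Feb state=Succeeded code=0x0
2026-02-10T08:03:40Z device=LT-0177 model=Surface-Laptop-5 policy=Win11-Quality-Feb state=Failed code=0x80070005
2026-02-10T08:05:02Z device=LT-0191 model=Surface-Laptop-5 policy=Win11-Quality-Feb state=Failed code=0x80070005
2026-02-10T08:06:55Z device=LT-0203 model=Surface-Laptop-5 policy=Win11-Quality-Feb state=Failed code=0x80070005
2026-02-10T08:09:13Z device=LT-0310 model=ThinkPad-T14 policy=Win11-Quality-Feb state=Succeeded code=0x0
2026-02-10T08:11:27Z device=LT-0322 model=ThinkPad-T14 policy=Win11-Quality-Feb state=Failed code=0x800f0922
2026-02-10T08:14:44Z device=LT-0455 model=Latitude-7440 policy=Driver-Audio-Q1 state=Succeeded code=0x0
2026-02-09T02:00:00Z device=LT-0999 model=Latitude-7440 policy=Driver-Audio-Q1 state=Failed code=0x800f0922
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) model=(?P<model>\S+) "
    r"policy=(?P<policy>\S+) state=(?P<state>\S+) code=(?P<code>\S+)$"
)


def parse_log(text):
    """Parse the export into dicts; lines that don't match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def recent_failures(events, now, window_hours=24):
    """Keep only failures inside the window (the 'last 24 hours' of the Tip 3 prompt)."""
    cutoff = now - timedelta(hours=window_hours)
    return [e for e in events if e["state"] == "Failed" and e["ts"] >= cutoff]


def cluster_failures(failures):
    """Group failures by (model, policy), listing affected devices and error codes seen."""
    clusters = defaultdict(lambda: {"devices": [], "codes": Counter()})
    for e in failures:
        key = (e["model"], e["policy"])
        clusters[key]["devices"].append(e["device"])
        clusters[key]["codes"][e["code"]] += 1
    return dict(clusters)


def split_patterns_and_outliers(failures, min_cluster=3):
    """A pattern is one (model, policy, code) signature on >= min_cluster devices;
    anything rarer is an outlier to investigate individually."""
    by_signature = defaultdict(list)
    for e in failures:
        by_signature[(e["model"], e["policy"], e["code"])].append(e["device"])
    patterns = {k: v for k, v in by_signature.items() if len(v) >= min_cluster}
    outliers = {k: v for k, v in by_signature.items() if len(v) < min_cluster}
    return patterns, outliers


if __name__ == "__main__":
    now = datetime(2026, 2, 10, 9, 0, tzinfo=timezone.utc)  # constructed "now"
    failures = recent_failures(parse_log(SAMPLE_LOG), now)
    for (model, policy), info in cluster_failures(failures).items():
        print(f"{model} / {policy}: {len(info['devices'])} failures, codes {dict(info['codes'])}")
    patterns, outliers = split_patterns_and_outliers(failures)
    print("patterns:", patterns)
    print("outliers:", outliers)
```

On the sample data the three Surface-Laptop-5 failures with the same code form one pattern worth a single targeted fix, the lone ThinkPad failure is an outlier, and the older Latitude failure falls outside the window; widening `window_hours` or lowering `min_cluster` is the same pivot as asking Copilot for a different time range or grouping.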

Tip 4: Keep firmware and drivers current with Intune update management

We use Intune firmware and driver update management to identify, approve, and deploy our OEM updates at scale.

“Staying current on firmware and drivers keeps devices stable and secure. With Intune, we stage updates, watch the rollout, and adjust before issues spread.”

Taqui Mohammad, senior service engineer, Microsoft Digital

Firmware and driver releases don’t land on a predictable schedule. Different vendors ship on different timelines, and a single environment can span hundreds of models.

Tracking this manually slows responses and leaves risk on the table. Intune centralizes the view so we can see what’s applicable, choose the right targets, and roll out updates with the same discipline we use for OS patches.

“Staying current on firmware and drivers keeps devices stable and secure,” says Taqui Mohammad, a senior service engineer in Microsoft Digital. “With Intune, we stage updates, watch the rollout, and adjust before issues spread.”

How we use it

  • Review applicability: Open the firmware and driver updates view to see available updates grouped by make and model.
  • Select a pilot: Target a small ring first (model, business unit, or region) and set short deadlines.
  • Plan time windows and restarts: Align deployments with maintenance windows and communicate expected reboots.
  • Monitor, then expand: Track success and failure signals, remediate issues, and scale to broader rings.

Configuration tips

  • Standardize categories: Separate firmware from drivers in policies so reporting and rollbacks are clean.
  • Use device tags consistently: Model, region, and business unit tags make scoping and expansion straightforward.
  • Define rollback steps: Document how to revert a driver or hold firmware for a specific model when needed.

Success checks

  • Compliance trend: Increased percentage of devices on the latest approved firmware and driver versions after each wave.
  • Incident correlation: Fewer support tickets related to device stability and peripherals on updated models.
  • Deployment reliability: Decreased failure rates as pilots catch issues before broad rollout.

Best practices

  • Pair with risk signals: Prioritize models tied to active vulnerabilities or incident clusters before broad rollout.
  • Keep rings small and fast: Validate quickly, then scale; long pilots hide issues and delay benefits.
  • Document exceptions: If a model needs a temporary hold due to app or peripheral compatibility, record the reason and set a review date.
  • Verify outcomes: Confirm update levels on target devices and scan for regressions in support queues.

Notes

  • Expect uneven arrival patterns across vendors and models; a weekly review cadence helps catch new updates without creating noise.
  • Treat firmware and drivers as first‑class updates; include them in regular compliance reports and reviews so they get consistent attention.

A photo of Rodriguez.

“Autopatch Update Readiness catches and resolves common blockers before deployment begins. What used to require manual checks and troubleshooting is now handled upfront, giving us smoother updates and a far more reliable experience for our employees.”

Dave Rodriguez, principal product manager, Microsoft Digital

Tip 5: Speed updates with Windows Autopatch, Hotpatch, and Auto Remediation Update Readiness

We use Windows Autopatch and Hotpatch to reduce disruptions and keep our devices current, and we pair them with automated readiness and remediation so our changes land safely and quickly.

Autopatch handles orchestration for quality updates and feature releases. We define rings that reflect business risk and user impact, then let the service pace deployments as health signals arrive.

“Autopatch Update Readiness catches and resolves common blockers before deployment begins,” says Dave Rodriguez, a principal product manager in Microsoft Digital. “What used to require manual checks and troubleshooting is now handled upfront, giving us smoother updates and a far more reliable experience for our employees.”

Where Hotpatch is available, we apply security updates without a reboot, which cuts downtime and helps us move faster on critical fixes. An automated readiness layer checks prerequisites, fixes common blockers, and confirms that devices are ready before rollout.

How we use it

  • Enroll eligible devices in Autopatch and map them to the right scope so ownership, reporting, and break‑glass procedures are clear.
  • Build rings that reflect business priority and user profiles (e.g., VIP laptops, frontline kiosks, engineering workstations, and lab devices).
  • Enable Hotpatch on supported SKUs and confirm policy alignment so security updates apply without restarts where possible.
  • Run readiness checks that verify update agent health, policy state, storage and battery requirements, VPN reachability, and available maintenance windows.
  • Auto‑remediate common blockers such as stale update caches, missing prerequisites, paused services, or conflicting policies before a device enters the next ring.
  • Start with small cohorts, monitor early signals like install rate and post‑update stability, validate rollback paths, then expand the scope deliberately.

Operational checks

  • Ring coverage ensures eligible devices are actually assigned to a ring and not stranded outside the managed flow.
  • App and driver smoke tests validate business‑critical apps, kernel drivers, and peripherals on pilot cohorts before broad rollout.
  • Safeguard holds and known‑issue tracking watch for vendor or service flags that pause or throttle a ring until a fix is available.
  • Rollback readiness confirms who owns the decision, what steps they follow, and how telemetry proves the rollback succeeded on affected devices.

Why it helps

  • Continuous movement shortens exposure windows because healthy rings advance without waiting for a fixed date.
  • Fewer interruptions improve user experience, as Hotpatch removes the need for restarts on supported devices.
  • Higher success rates come from automated readiness and remediation, removing predictable failures before deployment.

Best practices

  • Use consistent device tags so rings map cleanly to models, regions, and business units, which keeps targeting and reporting trustworthy.
  • Keep pilots small and fast to find issues quickly, then scale once success criteria are met and rollback is validated.
  • Communicate maintenance expectations in plain language so users know timing, restart behavior, and how to report problems.
  • Pace by risk rather than calendar, advancing rings when health metrics and support signal quality are within thresholds.
  • Review deployment dashboards daily during rollout, adjust ring size or cadence when error rates rise, and capture lessons learned for the next wave.

Note

  • Hotpatch availability depends on your Windows edition and configuration, so confirm support and prerequisites as part of your scoping work. On the client it requires Windows 11 Enterprise, version 24H2 or later, with virtualization‑based security (VBS) enabled, and the quarterly baseline updates still require a restart, so keep maintenance windows for those months.
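Pacing by risk rather than calendar, from the Tip 4 "monitor, then expand" step and the Tip 5 operational checks, as an added example (not code from the original post, from Windows Autopatch or from Microsoft Digital): the ring telemetry, every threshold value, the safeguard-hold text and the NOW timestamp are constructed assumptions, and the Thresholds, RingHealth, evaluate_ring and stranded_devices names are this example's own. It separates a regression, which pauses the ring, from merely insufficient evidence, which holds it, and includes the ring-coverage check for devices stranded outside the managed flow.

```python
"""Pace a deployment ring by health signals rather than the calendar.

Added example, not Windows Autopatch's or Microsoft Digital's code. The ring
telemetry, threshold values and safeguard-hold text below are constructed; in
production they would come from Autopatch and Intune reporting.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 2, 10, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time


@dataclass(frozen=True)
class Thresholds:
    min_install_rate: float = 0.95   # installed / targeted before a ring may advance
    max_failure_rate: float = 0.02   # failed / targeted; above this is a regression
    max_rollback_rate: float = 0.01  # rolled_back / installed; above this is a regression
    max_ticket_rate: float = 0.005   # tickets / targeted; above this is a regression
    min_sample: int = 50             # a pilot smaller than this proves nothing
    min_soak: timedelta = timedelta(hours=48)  # time for post-update stability to show


@dataclass(frozen=True)
class RingHealth:
    name: str
    targeted: int
    installed: int
    failed: int
    rolled_back: int
    tickets: int
    started: datetime
    safeguard_holds: tuple = ()  # vendor/service known-issue flags, if any

    @property
    def install_rate(self):
        return self.installed / self.targeted if self.targeted else 0.0

    @property
    def failure_rate(self):
        return self.failed / self.targeted if self.targeted else 0.0

    @property
    def rollback_rate(self):
        return self.rolled_back / self.installed if self.installed else 0.0

    @property
    def ticket_rate(self):
        return self.tickets / self.targeted if self.targeted else 0.0


def evaluate_ring(ring, now, t=Thresholds()):
    """Return ("advance" | "hold" | "pause", reasons).

    "pause" = stop and investigate (safeguard hold or a regression signal);
    "hold"  = keep the ring where it is until there is enough evidence.
    """
    if ring.safeguard_holds:
        return "pause", [f"safeguard hold: {h}" for h in ring.safeguard_holds]
    regressions = []
    if ring.failure_rate > t.max_failure_rate:
        regressions.append(f"failure rate {ring.failure_rate:.3f} > {t.max_failure_rate}")
    if ring.rollback_rate > t.max_rollback_rate:
        regressions.append(f"rollback rate {ring.rollback_rate:.3f} > {t.max_rollback_rate}")
    if ring.ticket_rate > t.max_ticket_rate:
        regressions.append(f"ticket rate {ring.ticket_rate:.4f} > {t.max_ticket_rate}")
    if regressions:
        return "pause", regressions
    waiting = []
    if ring.targeted < t.min_sample:
        waiting.append(f"sample {ring.targeted} < {t.min_sample}")
    if now - ring.started < t.min_soak:
        waiting.append(f"soaked {now - ring.started} < {t.min_soak}")
    if ring.install_rate < t.min_install_rate:
        waiting.append(f"install rate {ring.install_rate:.3f} < {t.min_install_rate}")
    if waiting:
        return "hold", waiting
    return "advance", ["all health signals within thresholds"]


def stranded_devices(eligible, ring_membership):
    """Ring-coverage check: eligible devices that no ring actually contains."""
    assigned = set().union(*ring_membership.values())
    return sorted(set(eligible) - assigned)


# Constructed telemetry for four rings as of NOW.
SAMPLE_RINGS = [
    RingHealth("pilot", 120, 117, 2, 0, 0, NOW - timedelta(hours=72)),
    RingHealth("fast", 800, 700, 40, 12, 6, NOW - timedelta(hours=60)),
    RingHealth("broad", 5000, 4500, 30, 5, 10, NOW - timedelta(hours=12)),
    RingHealth("vip", 300, 0, 0, 0, 0, NOW, safeguard_holds=("hypothetical audio-driver known issue",)),
]

if __name__ == "__main__":
    for ring in SAMPLE_RINGS:
        decision, reasons = evaluate_ring(ring, NOW)
        print(f"{ring.name}: {decision} ({'; '.join(reasons)})")
    print("stranded:", stranded_devices(["d1", "d2", "d3"], {"pilot": {"d1"}, "fast": {"d3"}}))
```

Regression checks run before evidence checks on purpose: a ring with a rising rollback rate should stop even if it has not soaked long enough to be judged healthy, and the reasons list is what goes into the lessons-learned note for the next wave.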

Tip 6: Keep third‑party apps current with Intune Enterprise App Management

We use Intune Enterprise App Management to keep third‑party apps current without constant packaging work.

A photo of Arias.

“Third-party apps fall out of date fast, so we’re standardizing how they’re updated. We do that with Enterprise App Management, which gives us reliable packages and keeps us moving at a steady cadence.”

Humberto Arias, senior product manager, Microsoft Digital

Third‑party software drives real risk: versions drift, silent installers change, and manual packaging pipelines break at the worst time.

With Enterprise App Management, we select from a managed catalog, set assignment and update rules, and let the service handle new versions as they ship. We spend our time on exceptions, not routine updates.

“Third-party apps fall out of date fast, so we’re standardizing how they’re updated,” says Humberto Arias, a senior product manager in Microsoft Digital. “We do that with Enterprise App Management, which gives us reliable packages and keeps us moving at a steady cadence.”

This approach also improves the user experience. Updates arrive in predictable windows and dependencies are handled in a timely manner. We avoid surprise prompts and failed installs that generate tickets. When we do need to pause or pin a version, we scope it cleanly and document the reason.

How we use it

  • Build a standard catalog that covers the common apps our users need and assign clear ownership for each title.
  • Configure update behavior to auto‑update.
  • Use rollout rings so pilots validate the installation success rate and app behavior before expanding to broad audiences.
  • Scope assignments with device tags such as model, region, or business unit to simplify targeting and reporting.
  • Monitor install and update status, investigate failures, and retry with adjusted timing or requirements when needed.
  • Capture exceptions for apps that need holds or custom steps and set review dates to revisit the decision.

Scenarios we run

  • Rapid response when a high‑risk CVE drops by prioritizing affected apps and moving them to the front of the update queue.
  • Version cleanup by removing outdated or duplicate installers so devices converge on a single approved release.
  • Conditional deployment for specialized teams by offering an app as available instead of required while still tracking adoption.

Why it helps

  • Less packaging toil because the catalog supplies current installers and metadata.
  • Faster patching for common apps because updates flow as they publish.
  • Better compliance reporting because versions and assignments are consistent across rings and groups.

Best practices

  • Keep an authoritative list of approved apps with owners, support notes, and rollback steps.
  • Coordinate maintenance windows for high‑impact apps so users can save work before enforced updates.
  • Require pilots for any app with add‑ins or drivers and validate workflows with real users before scaling.
  • Use uninstall assignments to remove unapproved or vulnerable software and block reinstallation where needed.
  • Document app‑level exceptions, including the rationale and a date to re‑evaluate.

Notes

  • Some apps need pre-install checks or post-install steps, so include scripts or detection rules where required.
  • Track license terms and usage for commercial titles so updates do not outpace entitlements.

Tip 7: Close the loop with Defender Vulnerability Management and Intune security tasks

We use Microsoft Defender Vulnerability Management with Intune to turn exposure insights into targeted actions that close risk fast.

“The Intune Vulnerability Agent gives us a clear list of issues by device and owner. It shortens our path from finding a problem to fixing it.”

Harshitha Digumarthi, senior product manager, Microsoft Digital

Incidents don’t end when we spot a CVE. They end when devices are fixed and verified.

Vulnerability Management gives us an AI-powered live inventory of devices, software, and configurations, then connects that inventory to known threats. It shows which versions run where, highlights misconfigurations, and explains why a device is at risk. We see the problem and the cause, not just a risk score.

“The Intune Vulnerability Agent gives us a clear list of issues by device and owner,” says Harshitha Digumarthi, a senior product manager at Microsoft Digital. “It shortens our path from finding a problem to fixing it.”

It also ranks what to fix first. Factors like severity level, exploit availability, active attacks, and business context all feed into the priority list, so that commensurate effort goes where it’s needed most. The service recommends specific actions such as updating, uninstalling, reconfiguring, or applying a policy as appropriate.

From there, it pushes the work into our change tools. Tasks flow to Intune, Autopatch, and Enterprise App Management so the remediation is traceable. Exceptions are tracked, including data on owners, compensating controls, and review dates. Closure is verified by watching exposure decrease and confirming the fix landed with the intended devices.

How we use it

  • Review exposure by CVE, software, and device group to see where risk concentrates.
  • Prioritize based on business impact, internet exposure, and privilege level so high‑value targets move first.
  • Select the fix that fits the issue, including app updates through Enterprise App Management, OS and quality updates through Autopatch or Hotpatch (where supported), firmware and drivers through Intune update management, or policy changes for configuration weaknesses.
  • Target the right scope using tags for model, region, and business unit so remediation lands where it’s needed.
  • Set deadlines and user experience settings that balance urgency with productivity.
  • Validate closure by rechecking exposure, confirming install success, and watching support signals for regressions.
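As an added example (not code from Microsoft Digital, Defender Vulnerability Management or Intune), here is a small Python model of the loop above on constructed data: it scores each exposure the way the text describes (severity, exploit availability, active attacks, and business context such as internet exposure and privileged users), groups the results into remediation tasks scoped by CVE and business unit with the accountable owners attached, and then verifies closure by diffing a re-scan against the first scan. The scoring weights, device names, tags, versions and CVE identifiers are assumptions for illustration.

```python
# Added example, not Microsoft Digital's or the Defender/Intune products' code.
# Models the "find, prioritize, remediate, verify" loop on constructed data.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Device:
    name: str
    owner: str
    business_unit: str
    internet_exposed: bool      # reachable from the internet (kiosk, DMZ host...)
    privileged_users: bool      # admins or other high-value roles sign in here


@dataclass(frozen=True)
class Finding:
    cve: str
    software: str
    fixed_version: Optional[str]  # None: no vendor fix, remediate by config/uninstall
    cvss: float                   # 0.0 - 10.0
    exploit_public: bool
    exploited_in_wild: bool
    device: str                   # Device.name


def priority_score(finding: Finding, device: Device) -> int:
    """0-100: severity is the base; threat intel and business context add to it."""
    score = finding.cvss * 4                  # up to 40 from CVSS alone
    if finding.exploit_public:
        score += 15
    if finding.exploited_in_wild:
        score += 25                           # active attacks dominate the ranking
    if device.internet_exposed:
        score += 10
    if device.privileged_users:
        score += 10
    return int(round(min(score, 100)))


def recommended_action(finding: Finding) -> str:
    """Not every fix is an update: pick the action that fits the finding."""
    if finding.fixed_version:
        return f"update {finding.software} to {finding.fixed_version}"
    return f"uninstall or reconfigure {finding.software} (no vendor fix)"


def plan_remediation(findings, devices):
    """Group findings into tasks scoped by (CVE, business unit), highest priority first.

    Each task carries the device owners so follow-ups are direct and accountable."""
    by_name = {d.name: d for d in devices}
    tasks = defaultdict(lambda: {"devices": [], "owners": set(), "score": 0})
    for f in findings:
        dev = by_name[f.device]
        t = tasks[(f.cve, dev.business_unit, recommended_action(f))]
        t["devices"].append(dev.name)
        t["owners"].add(dev.owner)
        t["score"] = max(t["score"], priority_score(f, dev))  # worst device sets urgency
    ordered = sorted(tasks.items(), key=lambda kv: (-kv[1]["score"], kv[0]))
    return [
        {"cve": cve, "scope": bu, "action": action, "score": t["score"],
         "devices": sorted(t["devices"]), "owners": sorted(t["owners"])}
        for (cve, bu, action), t in ordered
    ]


def verify_closure(before, after):
    """Compare two scans: a finding is closed only when the re-scan no longer reports it."""
    key = lambda f: (f.cve, f.device)
    b, a = {key(f) for f in before}, {key(f) for f in after}
    return {
        "closed": sorted(b - a),
        "still_open": sorted(b & a),
        "new": sorted(a - b),
        "exposure_reduction_pct": round(100 * len(b - a) / len(b)) if b else 0,
    }


# Constructed sample inventory: the devices, owners, versions and CVE ids are made up.
DEVICES = [
    Device("FIN-LT-001", "alice", "Finance", internet_exposed=False, privileged_users=True),
    Device("ENG-LT-002", "bob", "Engineering", internet_exposed=False, privileged_users=False),
    Device("KIOSK-003", "svc-lobby", "Facilities", internet_exposed=True, privileged_users=False),
]
SCAN_1 = [
    Finding("CVE-0000-1001", "ExampleViewer", "9.2.1", 7.8, True, True, "FIN-LT-001"),
    Finding("CVE-0000-1001", "ExampleViewer", "9.2.1", 7.8, True, True, "ENG-LT-002"),
    Finding("CVE-0000-1002", "LegacyAgent", None, 5.5, False, False, "KIOSK-003"),
    Finding("CVE-0000-1003", "ExampleBrowser", "120.0", 9.8, True, False, "ENG-LT-002"),
]
# Re-scan after the tasks ran: the viewer update landed on only one of the two devices.
SCAN_2 = [
    Finding("CVE-0000-1001", "ExampleViewer", "9.2.1", 7.8, True, True, "ENG-LT-002"),
    Finding("CVE-0000-1002", "LegacyAgent", None, 5.5, False, False, "KIOSK-003"),
]

if __name__ == "__main__":
    for task in plan_remediation(SCAN_1, DEVICES):
        print(task["score"], task["cve"], task["scope"], task["action"], task["owners"])
    print(verify_closure(SCAN_1, SCAN_2))
```

Running the block lists the tasks highest priority first and then the closure report. The point of `verify_closure` is the one the text makes under "Validate closure": a finding counts as fixed only when the re-scan no longer reports it on that device, not when the deployment tool says the package installed, which is why the constructed re-scan still shows one device open.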

What we monitor

  • Exposure trends over time, to prove that remediation is reducing risk.
  • Top vulnerable apps and models, so effort tracks where it matters most.
  • Noncompliant devices and owners, so follow‑ups are direct and accountable.
  • Exceptions that need compensating controls, documented rationale, and a review date.

Why it helps

  • Fewer handoffs because the same team that sees risk can initiate remediation.
  • Measurable outcomes because exposure and deployment data live in connected systems.
  • Consistent execution because rings, tags, and approvals follow the same patterns as other updates.

Best practices

  • Keep device tags authoritative so targeting and reporting stay reliable.
  • Use pilots even for urgent fixes to catch compatibility issues before broad rollout.
  • Link vulnerability records to Intune assignments so audit and learning loops are clear.
  • Communicate clearly with affected users about timing, restarts, and how to report problems.
  • Document exceptions with owners and expiration dates so temporary holds don’t become permanent.

Notes

  • Not every fix is an update, and some issues require a configuration change or feature disablement with clear rollback steps.
  • Least‑privilege access and standard approvals keep remediation fast without expanding risk.

Key takeaways

Our approach to managing devices and updates has changed: we moved from manual hunting and ad hoc remediation to a connected loop that starts with a question and ends with verified resolution, reducing investigation time and speeding recovery.

A few lessons stand out:

  • Make natural language work by grounding it in trust. Natural language becomes a force multiplier when insights are drawn from authoritative data and access is tightly scoped.
  • Keep pilots small, fast, and intentional. Focused pilots surface issues early without slowing momentum or introducing unnecessary risk.
  • Standardize signals to build confidence. Consistent tagging and clear ownership make reports, deployment rings, and rollbacks easier to interpret and trust.
  • Control exceptions with discipline. Every exception requires a written rationale and a review date, ensuring temporary holds don’t become permanent policy.
  • Close the loop—every time. Verification matters as much as detection. We confirm outcomes and capture learnings to continuously improve the next cycle.

What we’re improving next:

  • Strengthen question‑to‑action flows. We’re deepening prompts and playbooks that connect Security Copilot and Intune so operators can move from investigation to scoped change in a single flow.
  • Expand Hotpatch adoption and measurement. As support broadens, we’re increasing usage and measuring the impact on downtime, reliability, and user experience.
  • Grow app coverage with clearer stability rules. We’re expanding Enterprise App Management while enforcing stronger version‑pinning guidance where predictability is critical.
  • Automate deployment decisions. Additional automation around ring placement, readiness checks, and rollback triggers will allow deployments to adapt to live health signals.
  • Accelerate investigations with reusable telemetry. We’re developing richer telemetry patterns and reusable KQL in Visual Studio Code to reduce noise and speed repeat investigations.

It’s a continuing evolution of our awareness and capabilities in device management, and we’ll keep improving on it, one loop at a time.

The post Read our seven tips for shifting to a ‘cloud native’ device management strategy appeared first on Inside Track Blog.

Supercharging our enterprise with Windows 11 and AI PCs http://approjects.co.za/?big=insidetrack/blog/supercharging-our-enterprise-with-windows-11-and-ai-pcs/ Tue, 18 Nov 2025 16:00:00 +0000

The post Supercharging our enterprise with Windows 11 and AI PCs appeared first on Inside Track Blog.

AI is no longer a buzzword—it’s the engine driving a new era of productivity, security, and personalization. And Windows 11 and AI PCs are at the center of it.

At Microsoft Digital, the company’s IT organization, we’re embracing this as Customer Zero for the company.

What does that mean?

It means that we’re testing and shaping new Windows 11 features before they ship to customers. And as such, we’re helping the company reimagine what the OS can do for enterprise users in an AI-first world. We’re also helping the company transform the tools and processes we and our customers use to manage the Windows devices that our employees use to do their work.

When we rolled out Windows 11 across Microsoft in 2021, we wanted to modernize the Windows experience for our global workforce. That meant moving beyond the legacy of Windows 10 and building a platform that’s smarter, more secure, and easier to manage. It also meant working closely with engineering teams to ensure that what we deploy internally reflects what customers need externally.

“Windows 11 is our foundation for the future of work,” says Sean MacDonald, partner director of product management at Microsoft Digital. “We’re helping to build an OS that’s not just reactive—it’s predictive. It understands context, adapts to users, and helps IT teams stay ahead of the curve.”

This transformation isn’t happening in isolation. It’s part of a broader organizational commitment to AI across Microsoft. From the integration of Copilot into dozens of Microsoft products to intelligent device management, we’re aligning every layer of the stack to deliver smarter experiences.

And we’re doing it because the time is right. The end of Windows 10 support is here, and Windows 11 is the essential solution for organizations seeking the enhanced productivity, security, and personalized experiences that AI makes possible.

Embracing a secure and efficient update environment

Keeping Windows 11 secure and up-to-date has evolved into a streamlined, intelligent process.

With Windows Autopatch, we’ve automated the deployment of updates across our enterprise.

But automation doesn’t mean losing control. The management tools available across Microsoft Intune and Windows allow us to exercise complete control over updates. We can leave Autopatch to make patching decisions, or we can dictate how any part of the process works—evaluate and select which updates to perform, define the rollout structure and schedule, and monitor the updates.

Autopatch lets us tailor rollouts to match our business structure. We’ve created custom Autopatch groups of up to 50 rings so we can deploy updates to the right people at the right time.

This flexibility is critical. It means we can schedule around sensitive periods like year-end close, define grace periods, and even choose which updates to deploy—feature, driver, or quality.

But the real magic happens behind the scenes.

With Windows 11 and Autopatch, we're not just reacting to issues; we're anticipating them. That's where Autopatch update readiness (AUR) comes in. It adds a new layer of resilience to our update management strategy.

Update readiness continuously monitors device health and update compliance across the enterprise.

By analyzing real-time telemetry, update readiness flags irregularities early and recommends targeted fixes.

“Autopatch update readiness takes us to a new level with Windows 11 updates,” says Dave Rodriguez, a principal product manager on the Windows team in Microsoft Digital. “It allows us to be proactive, rather than reactive in ensuring our Windows devices are in a ready state to seamlessly update, which minimizes disruptions and distractions to our employees.”
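As an added example (not Autopatch or update readiness code), here is a Python model of the ring-gated rollout described above, run over constructed device health records: a device is offered the update only when it passes readiness checks, the next ring opens only once the previous ring clears a success gate, a failure spike pauses the rollout (the rollback trigger), and a blackout window such as year-end close holds it. The checks, thresholds, window dates and device records are assumptions for illustration.

```python
# Added example, not Microsoft's Autopatch or update readiness implementation.
# Models ring gating on constructed device health data.
from dataclasses import dataclass
from datetime import date


@dataclass
class DeviceHealth:
    name: str
    ring: int                 # 0 = pilot, higher = broader audience
    free_disk_gb: float
    last_seen_days: int       # days since the device last checked in
    pending_reboot: bool
    install_result: str       # "success", "failed" or "pending"


# Assumed policy values for the model.
BLACKOUT_WINDOWS = [(date(2025, 12, 29), date(2026, 1, 5))]   # e.g. year-end close
MIN_FREE_GB = 10
MAX_OFFLINE_DAYS = 7
SUCCESS_GATE = 0.95         # advance only when >= 95% of the previous ring succeeded
FAILURE_BRAKE = 0.10        # pause when >= 10% of the previous ring failed


def in_blackout(today: date) -> bool:
    return any(start <= today <= end for start, end in BLACKOUT_WINDOWS)


def readiness_issues(dev: DeviceHealth) -> list:
    """Why a device is not ready to receive the update; an empty list means ready."""
    issues = []
    if dev.free_disk_gb < MIN_FREE_GB:
        issues.append("low disk")
    if dev.last_seen_days > MAX_OFFLINE_DAYS:
        issues.append("stale check-in")
    if dev.pending_reboot:
        issues.append("pending reboot")
    return issues


def ring_outcome(devices, ring: int):
    """(success rate, failure rate, reporting count) for one ring; pending devices don't count."""
    done = [d for d in devices if d.ring == ring and d.install_result != "pending"]
    if not done:
        return 0.0, 0.0, 0
    ok = sum(d.install_result == "success" for d in done)
    failed = sum(d.install_result == "failed" for d in done)
    return ok / len(done), failed / len(done), len(done)


def next_action(devices, current_ring: int, today: date) -> dict:
    """Advance, hold or pause the rollout based on the current ring's live health."""
    if in_blackout(today):
        return {"action": "hold", "reason": "blackout window"}
    success, failure, reported = ring_outcome(devices, current_ring)
    if failure >= FAILURE_BRAKE:
        return {"action": "pause", "reason": f"failure rate {failure:.0%} in ring {current_ring}"}
    if reported == 0 or success < SUCCESS_GATE:
        return {"action": "hold", "reason": f"success rate {success:.0%} below gate"}
    nxt = current_ring + 1
    targets = [d.name for d in devices if d.ring == nxt and not readiness_issues(d)]
    deferred = {d.name: readiness_issues(d) for d in devices
                if d.ring == nxt and readiness_issues(d)}
    return {"action": "advance", "ring": nxt, "targets": targets, "deferred": deferred}


# Constructed fleet: the pilot ring has reported, ring 1 is waiting.
FLEET = [
    DeviceHealth("pilot-01", 0, 40, 1, False, "success"),
    DeviceHealth("pilot-02", 0, 35, 0, False, "success"),
    DeviceHealth("pilot-03", 0, 50, 2, False, "pending"),
    DeviceHealth("r1-01", 1, 60, 1, False, "pending"),
    DeviceHealth("r1-02", 1, 4, 1, False, "pending"),      # low disk: deferred
    DeviceHealth("r1-03", 1, 80, 12, False, "pending"),    # stale check-in: deferred
    DeviceHealth("r1-04", 1, 30, 0, True, "pending"),      # pending reboot: deferred
]
# Constructed pilot ring where two of ten installs failed.
FAILING_RING = [DeviceHealth(f"x-{i}", 0, 50, 0, False, "failed" if i < 2 else "success")
                for i in range(10)]
TODAY = date(2025, 11, 20)
YEAR_END = date(2025, 12, 31)

if __name__ == "__main__":
    print(next_action(FLEET, 0, TODAY))
    print(next_action(FLEET, 0, YEAR_END))
    print(next_action(FAILING_RING, 0, TODAY))
```

The design choice worth noting is that a pending device is neither a success nor a failure: the gate is computed over devices that actually reported, so a ring that has not checked in yet holds the rollout rather than silently passing it.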

One of the biggest wins?

Hotpatch, which lets us apply most of our monthly security updates without employees restarting their devices. That has been huge for our productivity.

“Hotpatching has been a game-changer for keeping our devices secure without disrupting work,” says Harshitha Digumarthi, a senior product manager on the Windows team in Microsoft Digital. “Security updates take effect immediately—no reboot required. That’s a big deal.”

Hotpatch works by patching the in-memory code of running processes, so a fix takes effect without a restart. It's especially valuable for operations that require high availability. Two caveats matter for planning: hotpatch requires virtualization-based security (VBS) to be enabled on the device, and it doesn't eliminate restarts entirely, because the quarterly baseline update still installs the way it always has and does require one; the hotpatch months fall between those baselines, so rollout plans still need a restart window for each baseline.

Together, hotpatch, update readiness, and Autopatch are helping us transform how we manage updates. We’re not just deploying tools—we’re reshaping business critical processes.

Protecting data using Windows Backup and Restore for Organizations

With Windows 11, we’ve redefined what backup and restore means for enterprise users with Windows Backup and Restore for Organizations. It’s not just about getting a device back online—it’s about restoring the user’s experience.

When a user signs into a new device with their Entra ID, they can select a backup to automatically restore their Microsoft Store app configurations, settings, and preferences. It’s seamless. It’s secure. And it’s fast.

“We’re seeing a shift from device-centric recovery to user-centric personalization,” says Markus Gonis, a senior service engineer on the Windows team in Microsoft Digital. “It’s not just about getting the machine back—it’s about getting the person back to work.”

This matters. Especially in large organizations where device turnover is constant and downtime is costly.

With Entra ID, we can automatically enroll devices into Microsoft Intune for management. That means IT policies, security configurations, and compliance settings are applied instantly. No manual setup. No waiting.

And because the restore process is tied to the user’s identity, it works across devices. Whether it’s a laptop refresh, a lost device, or a hardware upgrade, users get their familiar environment back—apps, layout, even their desktop background.

“Windows 11 is designed for fast deployment and compatibility,” Gonis says. “We’ve seen up to 25 percent faster deployment times compared to Windows 10. That’s a huge win for IT teams.”

This isn’t just about convenience. It’s about resilience.

By combining Entra ID with modern device management, we’ve built a recovery system that’s secure by default. Data is encrypted. Access is conditional. And IT retains full control over who can restore what, when, and where.

Capturing the power of AI-enabled apps and experiences

Windows 11 is bringing intelligent experiences to the forefront, and we’re seeing it firsthand at Microsoft Digital. From productivity to security, AI is transforming how our people work.

Windows Recall is an opt-in AI-powered feature built directly into Copilot+ PCs with Windows 11. It’s designed to solve a problem every person knows too well: Finding something you’ve already seen.

Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Once you've opted in, snapshots are taken periodically whenever the on-screen content differs from the previous snapshot. The snapshots of your screen are organized into a timeline. Snapshots are stored and analyzed locally on your PC. Recall's analysis allows you to search for content, including both images and text, using natural language.

Here are its core capabilities:

  • Semantic AI-powered search. No need to recall exact filenames. Just describe what you remember—like “blue sustainability slide from last meeting”—and Recall uses on-device AI to surface images or text that match the description.
  • Full user control and privacy. IT admins have a full set of controls to manage security and privacy when enabling the Recall feature for the enterprise. Once enabled by enterprise admins, you as the end user then have the choice to opt in to enable snapshots on your machines.
  • Explore content with a visual timeline. Recall periodically captures screenshots of your active window and displays them in an interactive, chronological timeline. When you need to revisit something, you can simply scroll through your past activity or jump directly to the specific moment you remember seeing it.
  • Granular snapshot management. You choose which apps and websites to include or exclude. You can pause snapshot capture, delete past captures, and set retention limits (e.g., 30, 60, 90, or 180 days) to manage storage and privacy. And IT admins can control how these capabilities work for the entire organization.
  • All snapshots, indexing, and AI processing occur on-device. Recall runs completely locally; no data leaves your PC. It never shares your data with Microsoft or third parties, nor across different user accounts on the same device.

Recall doesn’t just remember—it protects. IT admins can control snapshot storage, retention policies, and even filter which apps and websites are recorded.

That’s where enterprise-scale controls come in.

Microsoft Digital partnered with the Purview and Intune product teams to help build a rich set of controls that give IT full visibility and governance over Recall’s data store. That includes sensitivity labels, data loss prevention (DLP) policies, and tenant trust reviews—all designed to keep enterprise data safe.

Purview and Intune provide the level of control that IT admins need to ensure that Recall respects the security and privacy concerns of the enterprise and the end user.

If a document is labeled “Highly Confidential,” Recall won’t index it. If a meeting is tagged “Recipients Only,” it won’t be captured. Purview admins can decide exactly which sensitivity levels are allowed in Recall and which are excluded.

Recall’s content redaction feature automatically detects and removes highly confidential information from screen snapshots based on Purview sensitivity labels. Users can work with both sensitive and non-sensitive documents on the same screen without risk of accidental exposure.

“We helped define these controls,” says John Philpott, a principal product manager within Microsoft Digital. “We tested them to validate they worked as expected.”

Implementing Windows 11 for the enterprise

Windows 10 support officially ended on October 14, 2025. Still, many companies have not yet made the needed move, something that Microsoft would like them to do as soon as possible.

At Microsoft Digital, we’ve already made the leap. We’ve deployed Windows 11 across our internal fleet, and we’ve learned what works and what doesn’t.

The most important thing? Have a plan and a phased approach.

“We didn’t try to do everything at once,” Digumarthi says. “We went slow, monitored help desk calls, and paused when needed. It wasn’t about speed—it was about getting it right.”

That phased approach helped us avoid surprises. We used security groups to segment users, deployed in waves, and ran parallel communication campaigns to keep everyone informed. “We built tech web pages, sent individual emails, and used Viva Engage for direct outreach,” Gonis says. “We wanted users to know what was coming and why.”

Organizations have options. They can upgrade to Windows 11 Pro or Windows 11 Enterprise. They can subscribe to Windows 365, which provides access to Windows 11 in the cloud. And they can extend the life of Windows 10 devices with Extended Security Updates (ESU).

Windows 365 lets you keep older hardware while giving users a modern experience. You get ESUs at no extra cost, and you don’t have to manage license keys or deploy images.

With tools like Autopatch and Intune, deployment is faster and easier. Compatibility is strong. And support is built in.

Looking ahead

We’re just getting started.

At Microsoft Ignite, we’re unveiling new capabilities that push the boundaries of what’s possible with AI and automation. Expect deeper integration between Windows and Microsoft Defender, new agentic workflows, and expanded support for AI-driven security operations.

We’re expanding the update readiness initiative, introducing carbon-aware updates in Autopatch, and expanding privacy capabilities in Recall.

Baseline Security Mode is growing, too, with more features, better reporting, and stronger baselines coming soon.

And we’ll keep telling the story. Start with the tools. Lean on the community. And let us help you make the leap to a more intelligent and secure enterprise powered by AI and Windows 11.

Key takeaways

Here are several practical steps you can take right now to maximize your transition to Windows 11 and harness the full potential of its AI-powered capabilities:

  • Understand Windows 11’s AI-driven transformation. Learn how Windows 11 leverages artificial intelligence to enhance productivity, security, and user experiences across your organization.
  • Discover new enterprise features and deployment strategies. Explore the latest tools and best practices for rolling out Windows 11 efficiently, including advanced management and security capabilities tailored for businesses.
  • Learn from Microsoft Digital’s role as Customer Zero. Benefit from Microsoft Digital’s firsthand insights and lessons learned as the initial adopter of Windows 11 within a large enterprise environment.
  • Explore migration options. Review your choices for upgrading to Windows 11, such as moving to Windows 11 Pro or Enterprise, subscribing to Windows 365, or leveraging Extended Security Updates for legacy devices.
  • Prepare for what’s next. Stay ahead by planning for upcoming features, security enhancements, and innovations that will continue to shape the future of Windows in the enterprise.

Accelerating workplace productivity at Microsoft with Windows Recall http://approjects.co.za/?big=insidetrack/blog/accelerating-workplace-productivity-at-microsoft-with-windows-recall/ Tue, 18 Nov 2025 16:00:00 +0000

The post Accelerating workplace productivity at Microsoft with Windows Recall appeared first on Inside Track Blog.

Have you ever struggled to find an important document or photo? Forgotten which app a colleague shared an important data point with you on? Browsed a website but forgot to bookmark it?

Recall on Copilot+ PCs can help. It uses whatever details you remember about the missing item to find it for you.

Our team in Microsoft Digital, the company’s IT organization, has deployed Recall, giving our employees access to its AI-powered memory in a secure and managed environment. Recall now integrates with Microsoft Purview, which layers enterprise-grade security and compliance controls on top of Recall’s local AI capabilities.

How Windows Recall works

Windows Recall is an AI-powered feature built directly into Copilot+ PCs with Windows 11. It’s designed to solve a problem every person knows too well: Finding something you’ve already seen.

Here are its core capabilities:

  • Explore content with a visual timeline. Recall captures periodic screenshots of your active window and visualizes them in an explorable, chronological timeline. When you need to revisit something, you can scroll through your activity or jump straight to the moment you remember seeing it.
  • Semantic AI-powered search. No need to recall exact filenames. Just describe what you remember—like “blue sustainability slide from last meeting”—and Recall uses on-device AI to surface images or text that match the description.
  • Full user control and privacy. IT admins have a full set of controls to manage security and privacy when enabling the Recall feature for the enterprise. Once enabled by enterprise admins, you as the end user then have the choice to opt in to enable snapshots on your machines. Only your device stores them, and they’re encrypted locally via BitLocker or Device Encryption. Access requires Windows Hello biometrics (your face or fingerprint), which ensures only you can view them.
  • Granular snapshot management. You choose which apps and websites to include or exclude. You can pause snapshot capture, delete past captures, and set retention limits (e.g., 30, 60, 90, or 180 days) to manage storage and privacy. And IT admins can control how these capabilities work for the entire organization.
  • All snapshots, indexing, and AI processing occur on-device. Recall runs completely locally; no data leaves your PC. It never shares your data with Microsoft or third parties, nor across different user accounts on the same device.
  • Jumping back in. Windows Recall doesn’t just help you find something you saw before, it helps you pick up where you left off, getting right back to the page, slide, or chat in Word, Excel, PowerPoint, and Teams, as well as in an app, document, or webpage.

It’s like having a photographic memory for your digital life. Recall is a productivity booster. But it’s also a security-first, enterprise-ready feature.

To ensure security, privacy, and governance, the Windows product team turned to our team in Microsoft Digital, the company’s IT organization, to test Windows Recall. This happened after early users of the feature suggested that better controls needed to be put in place. Our team helped the product group design and deploy better enterprise controls.

This collaboration helped shape Recall into a feature that works for everyone—from individual users to global enterprises.

“We’ve been working for over a year with Microsoft Digital to understand how Windows Recall will function best in the enterprise environment,” says Adam Wayment, a principal program manager lead for Windows Recall. “They helped us get it ready for our customers.”

Establishing security and privacy for the enterprise

Recall doesn’t just remember what you’ve seen. It remembers what it should—and forgets what it shouldn’t.

That’s where enterprise-scale controls come in.

Comprehensive controls are at the center of deploying Recall to the enterprise.

Microsoft Digital partnered with the Purview and Intune product teams to help build a rich set of controls that give IT full visibility and governance over Recall’s data store. That includes sensitivity labels, data loss prevention (DLP) policies, and tenant trust reviews—all designed to keep enterprise data safe.

Purview and Intune provide the level of control that IT admins need to ensure that Recall respects the security and privacy concerns of the enterprise and the end user.

If a document is labeled “Highly Confidential,” Recall won’t index it. If a meeting is tagged “Recipients Only,” it won’t be captured. Purview admins can decide exactly which sensitivity levels are allowed in Recall and which are excluded.

That means no screenshots of HR portals. No copies of credentials. No risk of sensitive data lingering on a user’s device.

Recall’s content redaction feature automatically detects and removes highly confidential information from screen snapshots based on Purview sensitivity labels. Users can work with both sensitive and non-sensitive documents on the same screen without risk of accidental exposure. Only permitted content is captured during multitasking or collaborative activities. That Excel document with employee salary information? It never becomes part of the snapshot.

IT admins also have policy controls to manage access to Recall. They can set retention limits. They can restrict access by role, ensuring Recall is only available to the right people. And they can block specific apps and websites from being captured.
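As an added example serving both this section and the Recall section of the Windows 11 post above, here is a Python model (not Recall's implementation) of the capture decisions those sections describe, run over constructed screen events: admin enablement plus user opt-in, a deny list for apps and sites, sensitivity-label gating that drops disallowed regions while keeping permitted ones from the same screen, exclusion of credential fields, skipping an unchanged screen, and a retention cap on stored snapshots. The policy field names, labels, hosts and event format are assumptions for illustration.

```python
# Added example, not Windows Recall's code. Models the capture policy the text
# describes on constructed screen events; field names and labels are assumed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Region:
    text: str
    label: Optional[str] = None   # sensitivity label on this part of the screen, if any
    credential: bool = False      # password field, certificate, token...


@dataclass
class ScreenEvent:
    app: str
    url: Optional[str]
    regions: List[Region]
    at: datetime


@dataclass
class Policy:
    admin_enabled: bool           # tenant admin has enabled the feature
    user_opted_in: bool           # the user chose to save snapshots
    deny_apps: set
    deny_hosts: set
    allowed_labels: set           # labels admins permit; unlabelled content is allowed
    retention_days: int           # e.g. 30, 60, 90 or 180


@dataclass
class Snapshot:
    app: str
    at: datetime
    text: str                     # what gets indexed, after redaction
    redacted: int                 # regions dropped from this snapshot


def decide(event: ScreenEvent, policy: Policy,
           last_text: Optional[str]) -> Tuple[str, Optional[Snapshot]]:
    """Return (reason, snapshot); snapshot is None when nothing is saved."""
    if not policy.admin_enabled:
        return "disabled by admin policy", None
    if not policy.user_opted_in:
        return "user not opted in", None
    if event.app in policy.deny_apps:
        return "denied app", None
    if event.url and urlparse(event.url).hostname in policy.deny_hosts:
        return "denied site", None
    # Redaction: keep only regions that are neither credentials nor disallowed labels.
    kept = [r for r in event.regions
            if not r.credential and (r.label is None or r.label in policy.allowed_labels)]
    if not kept:
        return "nothing permitted on screen", None
    text = " | ".join(r.text for r in kept)
    if text == last_text:
        return "unchanged screen", None
    return "captured", Snapshot(event.app, event.at, text, len(event.regions) - len(kept))


def run(events: List[ScreenEvent], policy: Policy):
    """Feed events through the policy; returns saved snapshots and a per-event decision log."""
    snapshots, log, last_text = [], [], None
    for ev in events:
        reason, snap = decide(ev, policy, last_text)
        log.append(reason)
        if snap:
            snapshots.append(snap)
            last_text = snap.text
    return snapshots, log


def prune(snapshots: List[Snapshot], now: datetime, policy: Policy) -> List[Snapshot]:
    """Enforce the retention cap: drop anything older than retention_days."""
    limit = timedelta(days=policy.retention_days)
    return [s for s in snapshots if now - s.at <= limit]


# Constructed policy and screen events (apps, hosts, labels and text are made up).
T0 = datetime(2025, 11, 18, 9, 0)
PRUNE_AT = T0 + timedelta(days=31)
POLICY = Policy(admin_enabled=True, user_opted_in=True,
                deny_apps={"PasswordVault"}, deny_hosts={"hr.example.test"},
                allowed_labels={"General", "Confidential"}, retention_days=30)
EVENTS = [
    ScreenEvent("Word", None, [Region("Q3 roadmap draft", "General")], T0),
    ScreenEvent("Word", None, [Region("Q3 roadmap draft", "General")], T0 + timedelta(minutes=5)),
    ScreenEvent("Excel", None, [Region("Salary table", "Highly Confidential"),
                                Region("Team roster", "General")], T0 + timedelta(days=1)),
    ScreenEvent("Edge", "https://hr.example.test/benefits", [Region("Benefits portal")],
                T0 + timedelta(days=1, hours=1)),
    ScreenEvent("PasswordVault", None, [Region("vault entries")], T0 + timedelta(days=1, hours=2)),
    ScreenEvent("Edge", "https://docs.example.test/login",
                [Region("username: alice"), Region("hunter2", credential=True)], T0 + timedelta(days=2)),
    ScreenEvent("Excel", None, [Region("Board deck", "Highly Confidential")], T0 + timedelta(days=2, hours=1)),
]

if __name__ == "__main__":
    saved, decisions = run(EVENTS, POLICY)
    print(decisions)
    print([(s.app, s.text, s.redacted) for s in saved])
    print(len(prune(saved, PRUNE_AT, POLICY)), "snapshots after retention pruning")
```

The mixed-screen event is the interesting one: the "Highly Confidential" salary table is dropped while the "General" roster on the same screen is kept, which is the per-region redaction behaviour the text attributes to Recall, and a screen that is entirely disallowed produces no snapshot at all rather than an empty one.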

“We helped define these controls,” says John Philpott, a principal product manager within Microsoft Digital. “We tested them to validate they worked as expected.”

This wasn’t just about building features. It was about building trust.

We worked to identify the key scenarios and apps—including Word, Excel, PowerPoint, Outlook, Teams, and Edge—to prioritize what needed protection. We made sure Recall could handle the real-world complexity of enterprise data.

It was a massive undertaking, requiring collaboration between Microsoft Digital, the Recall product team, and the products teams from all the apps with which Recall interacts. It came down to creating useful functionality while protecting our data.

“Security is at the center—data is encrypted on the device,” Wayment says. “Recall uses the latest technology for security, from all the controls on the backend right up to user authentication, including Windows Hello with face or fingerprint recognition required to access the data.”

These controls were built in collaboration with the product team, with our Microsoft Digital team acting as Customer Zero. We helped define tenant trust requirements and test every scenario—credentials, certificates, internal portals, and more. And now Recall is stronger because of it.

Moving forward

Our team in Microsoft Digital learned a lot helping the Windows product team build and test Recall.

Some lessons were technical. Some were strategic. All of them made the product better.

One of the first challenges we tackled was credential protection. We wanted to make sure passwords, certificates, and other sensitive data wouldn’t be captured. The product team agreed, and we helped them build the exclusion logic that ensures Recall ignores credential-related content.

Another lesson came from deployment.

Recall is disabled by default in enterprise builds. That meant we had to work through IT policy hurdles to get it up and running. We hit race conditions. We found bugs. But we fixed them. And we made the deployment smoother for everyone.

We also learned the value of centering enterprise needs early in the deployment.

When Recall first launched, we focused on consumers. But customer feedback reinforced how powerful the tool could be for information workers in enterprises like ours. We built tenant trust requirements. We ran evaluations. We created a checklist of what needed to be done. And we did it.

That process changed the conversation, and we’re not done. We’re still listening, still improving, still building.

Key takeaways

Here are four actions you can take right away as you consider deploying Windows Recall in your organization:

  • Test at scale. Roll out Windows Recall to a wide group to uncover complex issues—especially those that don’t show up in smaller test environments.
  • Start with enterprise needs and roles. Engage enterprise stakeholders early to review which roles should have access and to shape feature requirements such as tenant trust and data-handling policies.
  • Collaborate for improvement. Test controls early to ensure that they are configured to provide the level of security and privacy required by your organization.
  • Build confidence for adoption. Use thorough evaluations and checklists to ensure readiness, leading to greater trust among users, partners, and teams.

Hardening our digital defenses with Microsoft Baseline Security Mode http://approjects.co.za/?big=insidetrack/blog/hardening-our-digital-defenses-with-microsoft-baseline-security-mode/ Tue, 18 Nov 2025 16:00:00 +0000

The post Hardening our digital defenses with Microsoft Baseline Security Mode appeared first on Inside Track Blog.

Security isn’t just a feature—it’s a foundation.

As threats grow more varied, widespread, and sophisticated, enterprises need to rethink how they protect their environments. That’s why we, in Microsoft Digital, the company’s IT organization, took a necessary step forward and deployed Microsoft Baseline Security Mode internally across the company.

Baseline Security Mode is a new approach to endpoint protection that enforces secure-by-default configurations across our enterprise. And it’s not just about locking things down—it’s about doing so in a way that’s scalable, manageable, and respectful of user experience.

This is a story for every organization trying to balance usability with security. Baseline Security Mode is designed to help IT teams enforce protections without breaking productivity. It’s a shift toward proactive defense with standardized secure settings.

Understanding the need for Microsoft Baseline Security Mode

Security must evolve with the environment.

At Microsoft Digital, we’ve built a strong foundation of endpoint protection over the years. But as our ecosystem expanded—more devices, more workloads, more diverse user needs—we saw an opportunity to take our security posture to the next level.

Our existing configurations were effective, but they reflected the natural complexity of a large enterprise. Different teams had different requirements. Some relied on legacy technologies that had served them well. Others needed flexibility to support specialized workflows. Over time, this led to variation in how security policies were applied.

We wanted to unify that approach.

Baseline Security Mode emerged as a way to streamline and strengthen our defenses. It was about building on what worked. We started by identifying areas where legacy protocols and configurations could be modernized. That included technologies like ActiveX controls and older authentication flows, which we carefully evaluated and phased out where appropriate.

We also improved how we gather and use telemetry. Initially, we had limited visibility into how certain features were used. That made it harder to predict the impact of changes. So, we ran pilots, collected feedback, and refined our approach. Baseline Security Mode was a game changer here, providing built-in reports that gave us the visibility we needed to observe the impact of applying settings in our environment. For example, when we reviewed blocking legacy file formats, we discovered that some workflows depended on them. We responded quickly, offering alternatives and guiding users through the transition.

Ease of use was a priority.

We built intuitive controls into the Microsoft 365 admin center, allowing IT admins to manage policies with just a few clicks. No more manual scripts. No more guesswork. We also introduced exception handling to support specialized needs, ensuring that security didn’t come at the cost of productivity.

We worked closely with internal stakeholders, including compliance teams and work councils, to validate every step and build trust. We made sure the experience was smooth, the tools were reliable, and the changes were clearly communicated.

This wasn’t just a technical upgrade—it was a cultural shift.

Baseline Security Mode gave us a way to unify our security posture while honoring the diversity of our environment. It’s a smarter, more scalable way to protect our endpoints, and it reflects everything we’ve learned from years of experience.

Putting consistent security configuration into practice

Baseline Security Mode establishes a new standard, enabling organizations to be secure by default.

It is the result of a collaborative effort of multiple product teams at Microsoft, building on their security and incident-handling expertise. It’s designed to simplify and strengthen endpoint protection across Windows and Microsoft 365. The feature lives in the Microsoft 365 admin center, where IT admins can enforce modern security policies with just a few clicks.

The product teams delivered 20 features across five workloads: Office, OneDrive and SharePoint, Teams, Substrate, and Identity. Each one targets a specific risk—blocking legacy authentication, disabling insecure protocols, restricting ActiveX, and more.

When we deployed Baseline Security Mode as Customer Zero at Microsoft Digital, our job was to validate these features and controls in real-world enterprise conditions.

We pushed for exception handling.

Some users still relied on legacy formats or protocols. Certain teams, for example, needed access to older Office features. So, we worked with the product team to ensure exceptions could be built into the UI.

That flexibility was key. We knew from experience that without it, customers might hesitate to adopt the feature.

“When we blocked certain file formats, users were confused by the error messages and thought they were blocked from saving the file,” says Harshitha Digumarthi, a senior product manager at Microsoft Digital. “So, we ran pilots, gathered feedback, and helped the product team build an improved error experience to save blocked formats to safe, newer formats.”

We also pushed for better telemetry.

At first, we had only a few days of data. That wasn’t enough to understand how features were used or what impact they would have. So we worked with the product team to expand telemetry, improve error reporting, and reduce false positives, including identifying bugs that skewed metrics and made troubleshooting harder.

We ran the deployment through our Tenant Trust Program and work council reviews to ensure global compliance. That gave us—and our customers—confidence.

Baseline Security Mode isn’t just a feature. It’s a shift in how we think about security, and we’re proud to have helped shape it.

Deploying Baseline Security Mode at Microsoft Digital

Rolling out Baseline Security Mode wasn’t just a technical exercise—it was a cross-team effort that demanded precision, patience, and partnership.

Microsoft Digital took the lead on deployment. We acted as Customer Zero, testing every feature in real-world conditions before it reached customers. That meant working closely with the product team to validate functionality, identify bugs, and shape the user experience.

“When we heard about Baseline Security Mode, it was still in ideation,” Gonis says. “There were no tools in the Microsoft 365 admin center yet. We had to figure out how to enable this internally while the product team built the capabilities in parallel.”

Telemetry was limited. We had only 30 days of data to work with. That made it hard to predict how changes would affect users, so we ran pilots with internal user acceptance testing cohorts and we deployed in phases.

For some legacy protocols, usage was low. In these cases, the features being deployed made removing these protocols seamless. Where usage was higher or unclear, a more detailed approach was required.

First, a few thousand users. Then 50,000. Then 100,000. Eventually, the entire Microsoft tenant. We paused between each wave to monitor help desk tickets, gather feedback, and confirm that our mitigation strategies were working.

Communication was critical.

We ran targeted campaigns, sent individual emails, and published technical reports explaining what was changing, why it mattered, and how users could adapt. We even used Viva Engage to notify users directly. It was important to explain to users why longstanding functionalities were being removed. We had to explain what we were doing and how to mitigate any impact.

We did a lot of work with the product team to ensure the user experience and the IT pro experience both exceeded expectations.

“It was a great Customer Zero experience,” says John Philpott, principal product manager within Microsoft Digital. “Our security teams stood to benefit from Baseline Security Mode features, and we helped the product team find bugs and the issues that just hadn’t come up in early testing or at a large scale. It was a win-win situation.”

We flagged inconsistencies in policy syntax, pushed for better error handling, and worked with the product team to align deployment tools across workloads.

But we didn’t stop at deployment. We tracked progress, validated telemetry, and signed off on each feature before it moved into broader rollout. We even helped pave the way for the next iterations, identifying features that needed more design work or deeper telemetry before they could be deployed.

This was a true partnership. The product team built the features. We tested them, validated them, and helped make them better.

Baseline Security Mode is now live across Microsoft. And it’s ready for the world.

Capturing real benefits

Baseline Security Mode is more than a set of policies—it’s a platform for proactive defense.

The product team built it to reduce legacy risks and enforce modern security standards across Microsoft 365 workloads. Microsoft Digital validated it in production, surfacing bugs, shaping telemetry, and confirming that the features worked as intended.

We tested 22 features across Office, OneDrive and SharePoint, Substrate, Identity, and Teams. Each one targets a specific risk, such as blocking ActiveX controls, disabling Exchange Web Services, or enforcing phishing-resistant authentication for admins.

We flagged critical ActiveX dependencies in third-party apps, something the product group hadn’t found, which enabled them to initiate removal. That kind of early detection helped fix issues before the features reached customers.

We found regressions in PowerShell and legacy authentication flows. The OneDrive and SharePoint team caught a high-impact bug and worked with the product team to resolve it.

That validation mattered.

We also helped shape the admin experience.

Exception handling was built into the UI. Admins could create security groups, assign users, and manage exclusions directly in the Microsoft 365 admin center.

“There’s no need to handle everything manually,” Philpott says. “Simply click here and then here to disable. It’s a much simpler process.”

Extending benefits to Microsoft customers

Baseline Security Mode is ready for enterprise.

We’ve tested it. We’ve hardened it. And we’ve made it easier to adopt.

Microsoft Digital’s deployment journey helped shape the product into something customers can trust. We didn’t just validate features—we made sure they worked in real-world environments, across diverse teams, and under the pressure of scale.

The product team designed the features to be enterprise-ready. We ran them through our Tenant Trust Program and work council reviews to ensure compliance across global regions. That gave us confidence—and gave customers confidence too.

The benefits are clear. We’ve reduced our attack surface. We’ve improved compliance. We’ve made it easier for IT teams to enforce security without disrupting workflows. And we’ve laid the groundwork for secure-by-default computing across Microsoft.

Customers can do the same.

Start small. Run pilots. Monitor impact. Use the tools in the Microsoft 365 admin center to deploy policies, manage exceptions, and guide users through the change. And don’t be afraid to ask for help—our journey has shown that collaboration between deployment teams and product teams makes all the difference.

Baseline Security Mode is ready, and we’re ready to help others adopt it.

Looking ahead

The first wave of Baseline Security Mode—BSM 2025—delivered 22 features across five major workloads. Microsoft Digital helped validate and deploy those features across the enterprise. And the next wave of features is already in motion.

And it’s bigger, with 46 features, more than double what we had in the first round. The product team is expanding coverage to include deeper protocol restrictions, broader app controls, and more granular authentication policies.

We’re also preparing for broader industry adoption.

Governments, regulators, and enterprise customers are asking for secure-by-default configurations. Baseline Security Mode is our answer. And the next version will make it even easier to adopt.

We’ll continue to lead as Customer Zero. We’ll test new features, validate insights surfaced by telemetry, and share feedback with the product team. We’ll run pilots, monitor impact, and guide users through the change. And we’ll keep pushing for simplicity, scalability, and trust.

Because security isn’t a one-time project. It’s a mindset, and it’s Microsoft’s highest priority.

Key takeaways

Ready to adopt Baseline Security Mode? Here are some actions we recommend based on our deployment experience:

  • Start with a pilot: Test Baseline Security Mode with a small group of users to identify legacy dependencies and gather feedback before scaling.
  • Use the Microsoft 365 admin center for deployment: Apply policies and manage exceptions directly through the UI—no scripting required.
  • Identify and plan for exceptions early: Work with business units to understand where legacy formats or protocols are still needed and create security groups for exclusions.
  • Communicate proactively with users: Launch campaigns to explain upcoming changes, their impact, and how users can adapt.
  • Validate telemetry and error reporting: Ensure your environment captures enough data to monitor the impact of new policies and troubleshoot effectively.
  • Engage your compliance and governance stakeholders: Review new policies with internal governance teams to ensure alignment with organizational and regional standards.
  • Treat security as an ongoing journey: Continue to monitor, iterate, and evolve your security posture as new threats and features emerge.
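The pilot and exception steps above hinge on knowing who still depends on the protocols Baseline Security Mode turns off. The PowerShell below is an added example for this article, not code from the post or from the product: it scopes legacy-authentication usage from an Entra ID sign-in log export before the block is enforced, so the exclusion security group is populated deliberately rather than after the help desk tickets arrive. It assumes the export is flattened to CSV with the Graph signIn fields userPrincipalName, appDisplayName and clientAppUsed plus a Success/Failure status column; the sign-in rows are constructed sample data and contoso.example is a placeholder tenant.

```powershell
# Added example for this article (not code from the Inside Track post or the product):
# find the users and service accounts that actually rely on legacy (basic) authentication
# before Baseline Security Mode blocks it. Column names are an assumption about your
# export; the rows are constructed sample data.

$sampleSignIns = @'
CreatedDateTime,UserPrincipalName,AppDisplayName,ClientAppUsed,Status
2025-10-01T08:02:11Z,alice@contoso.example,Office 365 Exchange Online,Browser,Success
2025-10-01T08:05:40Z,bob@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,Success
2025-10-01T09:17:03Z,bob@contoso.example,Office 365 Exchange Online,Exchange ActiveSync,Success
2025-10-01T09:30:55Z,svc-scanner@contoso.example,Office 365 Exchange Online,Authenticated SMTP,Success
2025-10-02T11:12:09Z,svc-scanner@contoso.example,Office 365 Exchange Online,Authenticated SMTP,Success
2025-10-02T11:13:00Z,svc-scanner@contoso.example,Office 365 Exchange Online,Authenticated SMTP,Success
2025-10-02T14:41:27Z,carol@contoso.example,Microsoft Teams,Mobile Apps and Desktop clients,Success
2025-10-02T22:03:14Z,dave@contoso.example,Office 365 Exchange Online,IMAP4,Failure
2025-10-02T22:03:15Z,erin@contoso.example,Office 365 Exchange Online,IMAP4,Failure
2025-10-02T22:03:16Z,frank@contoso.example,Office 365 Exchange Online,IMAP4,Failure
2025-10-03T07:45:00Z,grace@contoso.example,SharePoint Online,Other clients,Success
'@

# Entra reports these two client types for modern authentication; every other value
# (Exchange ActiveSync, IMAP4, POP3, Authenticated SMTP, Other clients, ...) is legacy.
$ModernClientTypes = @('Browser', 'Mobile Apps and Desktop clients')

function Get-LegacyAuthExceptionCandidates {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        # A single successful sign-in can be noise; a repeated pattern is a real dependency.
        [int] $MinSuccessfulSignIns = 2
    )
    $SignIns |
        Where-Object { $_.Status -eq 'Success' -and $ModernClientTypes -notcontains $_.ClientAppUsed } |
        Group-Object UserPrincipalName, ClientAppUsed |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                User              = $first.UserPrincipalName
                Protocol          = $first.ClientAppUsed
                Apps              = (@($_.Group.AppDisplayName) | Sort-Object -Unique) -join '; '
                SuccessfulSignIns = $_.Count
                LastSeen          = (@($_.Group.CreatedDateTime) | Sort-Object)[-1]
            }
        } |
        Where-Object { $_.SuccessfulSignIns -ge $MinSuccessfulSignIns } |
        Sort-Object SuccessfulSignIns -Descending
}

function Get-LegacyAuthFailureSummary {
    # Failed legacy sign-ins are usually not a dependency to preserve: the same protocol
    # failing across many accounts looks like password spray against the legacy endpoint.
    param([Parameter(Mandatory)] [object[]] $SignIns)
    $SignIns |
        Where-Object { $_.Status -ne 'Success' -and $ModernClientTypes -notcontains $_.ClientAppUsed } |
        Group-Object ClientAppUsed |
        ForEach-Object {
            [pscustomobject]@{
                Protocol      = $_.Name
                Failures      = $_.Count
                DistinctUsers = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
            }
        }
}

$signIns = $sampleSignIns | ConvertFrom-Csv
'Exception candidates (add to the exclusion group only after an owner confirms the dependency):'
Get-LegacyAuthExceptionCandidates -SignIns $signIns | Format-Table -AutoSize
'Failed legacy sign-ins by protocol:'
Get-LegacyAuthFailureSummary -SignIns $signIns | Format-Table -AutoSize
```

Run it against a 30-day export before the pilot ring and again before each wave. The first table is the candidate list for the exclusion security group; each entry still needs an owner, a confirmed dependency and a retirement date. The second table separates noise from dependencies: a burst of failed IMAP4 or SMTP sign-ins across many accounts is a spray against the legacy endpoint, which is an argument for blocking sooner, not for an exception.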

Transforming security and compliance at Microsoft with Windows Hotpatch
http://approjects.co.za/?big=insidetrack/blog/transforming-security-and-compliance-at-microsoft-with-windows-hotpatch/
Thu, 02 Oct 2025 16:05:00 +0000

Security updates are essential, and every security admin knows that when it comes to applying these updates, faster is better to mitigate the risk. However, security updates have always come with a catch: Windows needs to reboot to apply them.

Reboots mean interrupted productivity and downtime for users.

For us at Microsoft Digital, Microsoft’s internal IT organization, Windows Hotpatch changes the equation.

It’s a new way to deliver critical Windows updates without rebooting. That means faster compliance, less downtime, and happier users.

We’re using it across Microsoft and it’s already transforming how we think about security and productivity.

“Hotpatch is helping Microsoft reach compliance faster than ever—no reboots, no delays, secure systems at scale, and a seamless experience that keeps users more productive. The risk exposure window is reduced drastically, making our environment safer and more resilient,” says Harshitha Digumarthi, a senior program manager within Microsoft Digital.

Hotpatch installs updates while the system is running—no reboot required. That means we can patch faster, stay compliant, and keep users happy.

And it’s not just us.

Microsoft enterprise customers are already scaling deployments to millions of devices. We’re seeing a shift in how organizations think about patching and how they can expedite the patch time. Hotpatch is here to help. It’s no longer a disruption, it’s just part of the flow.

Increasing productivity and security with Hotpatch

Hotpatch is a servicing technology that delivers the cumulative security updates released on Patch Tuesday, the second Tuesday of each month, without requiring a system reboot. Instead of replacing binaries on disk and restarting the system, Hotpatch patches the code of running processes in memory while the system is up.

This means updates take effect immediately, with no downtime, no maintenance windows, and no disruption to users. One caveat to plan around: hotpatch releases follow a quarterly cadence. The baseline cumulative update in January, April, July, and October still requires a restart; the two months that follow each baseline are delivered as hotpatches without one.

Hotpatch payloads are small by design. Smaller updates mean faster downloads, quicker installs, and minimal impact on performance. CPU usage stays low. No spikes. No slowdowns. Just updates that run in the background and finish silently.

“The experience is so seamless you don’t even know what happened,” says Nevine Geissa, a partner group program manager within the Windows product team. “There are no process restarts, no logging out, no performance impact. No glitch in the video playing or transaction dropping. Everything just works as if nothing has happened.”

Because hotpatch updates happen so painlessly in the background, IT administrators may want to understand how the process works and what validation steps are involved. That’s why we test hotpatch updates with the same rigorous standards we apply to all our security updates.

Even in cases of zero-day vulnerabilities, Hotpatch can deliver out-of-band updates to enrolled devices without requiring a reboot.

Hotpatch is available for Windows 11 version 24H2 or later, Windows 365, Azure Virtual Desktop, Windows Server 2022/2025 Azure Edition, and Azure Arc connected Windows Server 2025 Datacenter and Standard editions. Enrolled clients need virtualization-based security (VBS) enabled, and Arm64 clients additionally need the CHPE compatibility layer disabled before they can take hotpatches.

The technology has matured over years of internal development.

“Hotpatch updates go through the exact same validation and rigor that a standard security update goes through,” Geissa says. “There is no compromise on quality whatsoever. You will always be at the exact same level of security.”

Hotpatch has evolved and grown.

“It started as internal server capability in Azure and then expanded to our Windows Server 2022 customers,” says Nikita Deshpande, a senior customer experience program manager within the Windows Servicing and Delivery product team at Microsoft. “The tooling and OS support have matured such that now we can offer Hotpatch to AMD64 and Arm64 client machines too.”

Hotpatch integrates seamlessly with Autopatch, a cloud-based service from Microsoft that automates the process of keeping Windows devices up to date. Designed for enterprise environments, and powered by Microsoft Intune, Autopatch manages updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams, reducing the manual effort required by IT administrators.

Any new policy in our environment created with Autopatch automatically enables Hotpatch—if the device meets requirements. Admins can set up rings, monitor compliance, and roll out updates with just a few clicks.

“It’s the better together story,” Deshpande says. “Autopatch streamlines everything. Add Hotpatch, and it takes Windows Update to a whole new level.”

Implementing Windows Hotpatch internally at Microsoft

The implementation of Hotpatch at Microsoft Digital involved developing and deploying a feature, as well as establishing trust for customers.

The journey started years ago in Azure with virtual machines, then to Windows Server across physical and virtual instances. Now, it’s on Windows 11 clients and scaling fast, but getting here took deep collaboration.

Our team in Microsoft Digital partnered with the product team from the start. We were co-designers with experience in this space. We helped shape the rollout, validate the experience, and make sure Hotpatch was ready for enterprise scale.

Then we scaled. We expanded to 40,000, then 80,000, then 120,000 devices. We’re on track to reach 450,000 devices at Microsoft in the next four months.

We also wanted a great admin experience enabled for the product. The features help with smooth rollout and the visibility helps admins monitor rollouts and measure impact. We’re continually collaborating with the Windows product team to equip administrators with comprehensive insights and actionable recommendations with Hotpatch.

“We worked closely with the product team to make sure admins had the right metrics to measure the success,” Digumarthi says. “It’s not just about implementation—it’s about knowing it worked.”

We ran early adopter programs and insider rings to gather feedback from across Microsoft. That feedback loop helped refine the experience, improve reporting, and ensure the rollout was smooth.

Achieving security without compromising on productivity

Hotpatching is changing how we think about security.

Before, it took our team up to nine months to reach 95% compliance for security patching.

That’s nine months of exposure and nine months of risk.

With Hotpatch, we’re achieving 95% compliance in less than three weeks.

“With Hotpatch, we’re seeing 81% of Microsoft’s enrolled devices become compliant within 24 hours of Patch Tuesday, and 90% of enrolled devices are compliant within five days,” Digumarthi says.

That’s not just faster. It’s safer.

“We’re reducing the risk window,” Digumarthi says. “From vulnerability discovery to patch deployment, we’re closing the gap—without disrupting users.”

And it’s not just internal. Since general availability in April, Hotpatch has scaled to over 4.5 million devices globally. That growth shows trust and momentum.

It also shows value. Admins spend less time chasing updates. End users stay productive. And security teams get the compliance they need—without the friction.

“Hotpatching eliminates the trade-off between security and productivity,” Deshpande says. “You don’t have to choose anymore.”
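The percentages above are a time-to-compliance curve: for each checkpoint after release, the share of devices that have installed the update. As an added example for this article, not code from the post or from Intune, the PowerShell below computes that curve and the time at which a cohort crosses a target percentage from one row per device. It assumes an export with a device name, a hotpatch enrollment flag and the install time of the month’s update (empty while still pending); the rows and the release timestamp are constructed sample data and the column names are illustrative.

```powershell
# Added example for this article (not code from the Inside Track post or from Intune):
# turn per-device install timestamps into "X% compliant within N hours" figures.
# Input shape is an assumption; rows and the release time are constructed sample data.

$patchTuesday = [DateTimeOffset]::Parse('2025-08-12T17:00:00Z')   # assumed T0: update release time

$sampleDevices = @'
DeviceName,HotpatchEnrolled,InstalledOn
LT-001,True,2025-08-12T18:05:00Z
LT-002,True,2025-08-12T21:40:00Z
LT-003,True,2025-08-13T09:10:00Z
LT-004,True,2025-08-14T03:00:00Z
LT-005,True,2025-08-16T12:00:00Z
LT-006,False,2025-08-20T08:30:00Z
LT-007,False,2025-08-27T15:00:00Z
LT-008,False,
'@

function Get-ComplianceCurve {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [Parameter(Mandatory)] [DateTimeOffset] $ReleaseTime,
        [double[]] $CheckpointHours = @(24, 120, 504),   # 1 day, 5 days, 3 weeks
        [double] $TargetPercent = 95
    )
    $total = $Devices.Count
    # Hours from release to install. A device that has not installed yet is treated as
    # infinitely late rather than dropped, so it still counts against every percentage.
    $hours = @(foreach ($d in $Devices) {
        if ([string]::IsNullOrWhiteSpace($d.InstalledOn)) { [double]::PositiveInfinity }
        else { ([DateTimeOffset]::Parse($d.InstalledOn) - $ReleaseTime).TotalHours }
    })
    $sorted = @($hours | Sort-Object)
    $curve = foreach ($h in $CheckpointHours) {
        $n = @($sorted | Where-Object { $_ -le $h }).Count
        [pscustomobject]@{ Hours = $h; Compliant = $n; Percent = [math]::Round(100.0 * $n / $total, 1) }
    }
    # The cohort reaches the target when its k-th fastest device installs, k = ceil(target * total).
    $k = [int][math]::Ceiling($TargetPercent / 100.0 * $total)
    $atTarget = $sorted[$k - 1]
    $hoursToTarget = $null
    if (-not [double]::IsPositiveInfinity($atTarget)) { $hoursToTarget = [math]::Round($atTarget, 1) }
    [pscustomobject]@{
        Devices       = $total
        Curve         = $curve
        HoursToTarget = $hoursToTarget
    }
}

$devices = $sampleDevices | ConvertFrom-Csv
foreach ($cohort in ($devices | Group-Object HotpatchEnrolled)) {
    $r = Get-ComplianceCurve -Devices $cohort.Group -ReleaseTime $patchTuesday
    $reached = if ($null -eq $r.HoursToTarget) { 'not reached yet' } else { "$($r.HoursToTarget) h" }
    "HotpatchEnrolled=$($cohort.Name): $($r.Devices) devices, time to 95%: $reached"
    $r.Curve | Format-Table -AutoSize
}
```

Keeping not-yet-patched devices in the denominator matters: dropping them inflates every percentage and hides the long tail that the nine-month figure above describes. Splitting by the enrollment flag lets you compare the hotpatch cohort, which reaches the target inside the sample window, against the cohort that still waits for a reboot.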

Improving the user experience

Hotpatching doesn’t just improve security—it transforms the user experience.

For end users, it’s invisible.

Updates happen in the background.

No pop-ups. No restarts. No performance hits.

“It’s so seamless,” Geissa says. “There’s no bubble. No prompt. It just works.”

The first few times, users might see a green banner letting them know their device has been hotpatched.

It’s subtle. It’s clean.

It’s so effective that it’s become a kind of badge among Microsoft insiders.

“It’s really helpful as an end user—I feel more secure,” says Senthil Selvaraj, a principal group product manager at Microsoft Digital. “I don’t need to keep checking and making sure my device is up to date. It just is.”

That’s the magic.

Hotpatching doesn’t interrupt work—it protects it.

It helps other systems stay current too. When the OS is secure, dependent apps and services can update more reliably. That ripple effect improves the overall health of the device.

Admins also see the benefits. Intune reporting shows which devices are ready, which have updated, and which need attention. That visibility helps IT teams track compliance without chasing down machines or relying on manual checks.

For enterprises, it means fewer help desk calls. Fewer complaints. Fewer delays.

Looking forward

Hotpatching is just getting started.

At Microsoft Digital, we’re expanding from 100K to 450K devices in the next four months. That’s nearly every eligible device in our fleet.

Externally, adoption is accelerating. We’ve gone from zero to almost 4.5 million devices since private preview in November 2024. That includes Microsoft and customer fleets, and the number keeps growing.

But scale is just the beginning.

The product team is exploring ways to improve compliance visibility—giving admins deeper insights into patch status, readiness, and impact. That means better reporting, smarter dashboards, and tighter integration with compliance tools.

We’re also working to make adoption easier.

Documentation is improving, Intune reporting is evolving, and we’re building clearer guidance for customers to validate their environments, understand their risk posture, and deploy Hotpatch confidently.

The vision is simple: secure every device, without disruption.

Key takeaways

Here are several key actions you can take to successfully implement Windows Hotpatch in your organization:

  • Check your eligibility and prerequisites. Understand your eligibility and set up the prerequisites in your environment to be hotpatch-capable.
  • Monitor devices and report compliance. Use Intune and other reporting tools to track device readiness, update status, and compliance, even for unmanaged environments.
  • Communicate the benefits to users. Inform users that hotpatching applies security updates without forcing a reboot, keeping their device secure with minimal disruption.
  • Deliver a seamless update experience. Emphasize the uninterrupted, restart-free, and performance-neutral nature of updates for users.


Transforming our approach to patch management at Microsoft
http://approjects.co.za/?big=insidetrack/blog/transforming-our-approach-to-patch-management-at-microsoft/
Thu, 15 May 2025 16:05:00 +0000

Computer security updates, commonly referred to as “patches,” are a crucial aspect of the IT operations of every large organization today. As a global software company with more than 230,000 employees worldwide, we at Microsoft are no different.

Like most aspects of our IT services journey, our security and patch management story is deeply connected with cloud computing, automation, and, most recently, AI technology. It’s a story that embraces continuous improvement and innovations that are saving our IT admins and users time and hassle while deterring attacks and enhancing security across the organization.

With the development of services like Windows Update client policies (formerly known as Windows Update for Business), Azure Update Manager, and Intune Enterprise Application Management, we’re leading the way in offering best-of-breed security solutions that help organizations stay compliant and safe in an increasingly perilous digital world.

The growing threat landscape

As the developer and provider of Windows, Microsoft 365, Microsoft Azure cloud services, and other widely used software technologies, we’re in a unique position to influence and protect the computer systems used by billions of people around the world. And these systems have never been under greater threat by bad actors and cybercriminals than they are today.

“Our customers face more than 600 million cybercriminal and nation-state attacks every day, ranging from ransomware to phishing to identity attacks,” states our 2024 Digital Defense Report. “Microsoft’s unique, expansive, and global vantage point gives us unprecedented insight into key trends in cybersecurity affecting everyone from individuals to nations.”

The report also notes that we’ve made digital security our top corporate priority, with more than 34,000 dedicated security engineers across the company.

“The malign actors of the world are becoming better resourced and better prepared, with increasingly sophisticated tactics, techniques, and tools that challenge even the world’s best cybersecurity defenders,” Tom Burt, corporate vice president of customer security and trust, says in the report. “We all can, and must, do better, hardening our digital domains to protect our networks, data, and people at all levels.”

With such an unprecedented number of threats, one of our major priorities at Microsoft Digital, the company’s IT organization, is making sure our global network infrastructure and the more than 750,000 devices accessing our network are always up to date and compliant with the latest software patches. As Customer Zero for our software products, we strive to remain on the cutting edge of the latest cybersecurity innovations. That means taking advantage of the latest Microsoft tools and processes on server-side and client-side patching.

The world as it was: On-premises IT and manual updates

A decade or so ago, much of the world’s computer networks were still being run primarily via on-premises servers and other onsite hardware. Maintaining these systems mostly relied on manual updates by IT administrators, which was a huge drain on time and resources.

“Our patch-management systems back then included Microsoft System Center Configuration Manager (SCCM) and Windows Server Update Services,” says Senthil Selvaraj, a principal group project manager at Microsoft Digital. “We were doing everything on-premises, managed within the Microsoft tenant onsite.”

[Figure: Patching product history at Microsoft. A patch management product timeline from 2018 to 2024: WUFB, .NET Core integration with Windows Update, WUFB Deployment Service, Visual Studio integration with Windows Update, Autopatch, Intune driver and firmware updates, Hotpatch, and Enterprise Application Management. Caption: A wave of new tools has transformed our approach to patch management in the last several years.]

This meant that simply downloading and installing the routine security patches that were released each month was a major task for the company’s thousands of IT admins.

“The admins used to have to download the updates, validate them, approve them, and then push them out to devices,” says Harshitha Digumarthi, a senior product manager with Microsoft Digital. “It used to take a considerable amount of time each month for these processes. There was no proper automation in place.”

As the IT world shifted to cloud solutions and more modern software management approaches, the patching process needed to shift with it, Selvaraj notes.

“As we moved everything to the cloud, we leveraged modern Microsoft tools such as Intune, OneDrive for Business, SharePoint, etc.,” he says. “And we were also helping our customers move through that process as well. This is in keeping with the overall Microsoft vision of continuous improvement.”

The journey to modern patch management on Windows

In 2018, we introduced Windows Update for Business (WUFB), a major milestone on the patch management migration journey. The service is now called Windows Update client policies.

Of course, like any story of technological progress, nothing happens overnight or in a straight line. As Digumarthi explains, we in Microsoft Digital went through a patch management transition phase, marked by a hybrid systems approach.

“We didn’t immediately shift everything from SCCM to Windows Update for Business and Microsoft Intune,” she says. “There is a transitionary stage—known as hybrid AD—where the client devices still have SCCM on them, with Intune running parallel on those devices.”

WUFB ushered in a more efficient and modern approach to patch management.

“It’s an automated, intelligent service which can identify what updates the device needs, find the applicable updates, and automatically push those updates onto the devices,” Digumarthi says.  

She notes that IT admins at other organizations might push these updates out to their devices in phases, often called deployment rings. At Microsoft, we push them to the entire company at once, on the day Microsoft releases its monthly security updates, the second Tuesday of the month commonly known as Patch Tuesday.

“We have established programs to pre-validate updates, allowing us to deploy them automatically and simultaneously across all devices, significantly accelerating compliance,” Digumarthi says.

This control is enabled through Windows Update policies, which allow administrators to manage key actions such as reboot timing. As a result, vulnerabilities are addressed quickly, and all devices are brought into compliance with the latest secure Windows updates.
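The policy knobs referred to above are worth seeing concretely. The following is an added example, not code from the article or from Microsoft Digital’s own tooling: it expresses one Windows Update client policy deployment ring (deferral, compliance deadline, restart grace period, active hours) as local policy values, and adds a freshness check that reports how long it has been since the device installed a security update. The ring names and day counts are assumptions; the registry value names are the documented Windows Update policy settings (the same ones an Intune Update ring writes through the Update CSP). In production these values come from Intune or Group Policy, not from a script run on each device.

```powershell
# Added example (not the article's code). Requires an elevated PowerShell session.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Ring definitions (assumed). Quality = monthly security updates, Feature = OS feature updates.
# Microsoft Digital's single-wave approach in the article is effectively one ring with 0-day deferral.
$Rings = @{
    Pilot    = @{ QualityDeferDays = 0; FeatureDeferDays = 0;   DeadlineDays = 2; GraceDays = 1 }
    Broad    = @{ QualityDeferDays = 0; FeatureDeferDays = 30;  DeadlineDays = 3; GraceDays = 2 }
    Critical = @{ QualityDeferDays = 7; FeatureDeferDays = 180; DeadlineDays = 7; GraceDays = 2 }
}

function Set-UpdateRingPolicy {
    param([Parameter(Mandatory)][ValidateSet('Pilot', 'Broad', 'Critical')][string]$Ring)
    $r = $Rings[$Ring]
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # Deferral: how many days after release the device starts being offered the update.
    Set-ItemProperty $PolicyKey DeferQualityUpdates             1                   -Type DWord
    Set-ItemProperty $PolicyKey DeferQualityUpdatesPeriodInDays $r.QualityDeferDays -Type DWord
    Set-ItemProperty $PolicyKey DeferFeatureUpdates             1                   -Type DWord
    Set-ItemProperty $PolicyKey DeferFeatureUpdatesPeriodInDays $r.FeatureDeferDays -Type DWord

    # Deadline: the update is forced this many days after it is offered; the grace period is how
    # long the user may postpone the restart after that. Past deadline + grace, Windows restarts on its own.
    Set-ItemProperty $PolicyKey SetComplianceDeadline              1               -Type DWord
    Set-ItemProperty $PolicyKey ConfigureDeadlineForQualityUpdates $r.DeadlineDays -Type DWord
    Set-ItemProperty $PolicyKey ConfigureDeadlineForFeatureUpdates $r.DeadlineDays -Type DWord
    Set-ItemProperty $PolicyKey ConfigureDeadlineGracePeriod       $r.GraceDays    -Type DWord
    # 0 = allow automatic restart outside active hours before the grace period ends
    Set-ItemProperty $PolicyKey ConfigureDeadlineNoAutoReboot      0               -Type DWord

    # Active hours (assumed 08:00-18:00 local): automatic restarts are held outside this window.
    Set-ItemProperty $PolicyKey SetActiveHours   1  -Type DWord
    Set-ItemProperty $PolicyKey ActiveHoursStart 8  -Type DWord
    Set-ItemProperty $PolicyKey ActiveHoursEnd   18 -Type DWord
}

function Get-PatchStaleness {
    # Days since the newest security update was installed, from the Win32_QuickFixEngineering
    # records that Get-HotFix reads. This is a freshness check, not a vulnerability check: it cannot
    # know whether a newer update exists, only how long it has been since the device took one.
    $latest = Get-HotFix |
        Where-Object { $_.Description -eq 'Security Update' -and $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if (-not $latest) { return [int]::MaxValue }
    return [int]((Get-Date) - $latest.InstalledOn).TotalDays
}

# Usage:
#   Set-UpdateRingPolicy -Ring Broad
#   $days = Get-PatchStaleness
#   if ($days -gt 45) { Write-Warning "No security update installed in $days days; check policy and Get-WindowsUpdateLog." }
```

The staleness threshold (45 days) is a deliberately loose tripwire: a device that has not taken a security update in more than a month and a half under a 0-day deferral ring is either blocked on policy, offline, or deferring restarts, and every one of those is worth a look before it is counted as compliant.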

After establishing a more efficient approach to Windows security patching, we rolled out the WUFB Deployment Service in 2021. It brought similar gains in efficiency and automation to Windows feature updates, which ship on a much slower cadence than the monthly security updates.

According to Digumarthi, a major challenge in patching Windows devices is the number of separate update streams involved, including the .NET Framework, .NET Core, Visual Studio, Visual Studio Code, SQL, and more. Over the last few years, we have developed a unified, internal-to-Microsoft patching solution that handles all of these updates together.

“These are extremely different streams, so we’ve worked closely with these product groups to bring them all into one update, which we call the unified update,” Digumarthi says. “This way, the IT admin doesn’t need to deploy all these different updates individually. It’s also completely automated, so it’s much easier for both admins and users to stay up to date and compliant. It’s a huge achievement.”

Firmware and driver updates are another area where automation matters. Admins used to package and deploy these updates manually every month, but that changed in 2024.

“We now have a new feature, in partnership with Windows and the Intune team, called the Intune Driver and Firmware updates,” Digumarthi says. “It gives admins a portal where they can simply click a button and approve whatever the latest firmware and driver updates are; no need to manually download, package, and deploy the updates. It’s easier for them to understand, and we’ve seen great patch compliance improvement in this area.”

Patch management on the server side

While Windows Update client policies handles the client-side updates for the more than 750,000 devices on our corporate network, we also needed a modern solution for patch management on our roughly 50,000 network servers.

Keeping network servers compliant with the latest security updates is extremely important.

“We must proactively safeguard our development environments,” says Humberto Arias, senior product manager in Microsoft Digital. “When vulnerabilities are exploited by malicious actors, even a single compromised bug can cascade rapidly, potentially impacting millions of users. Anticipating and mitigating these risks early is essential to maintaining trust and security.”

The solution is Azure Update Manager (AUM), a product that enables network administrators to deploy and manage all their server security update packages in one stream. AUM also supports hybrid (on-premises and cloud) network environments, which is a competitive advantage.

“A lot of customers like the flexibility and redundancy of multi-cloud environments,” Arias says. “AUM is our one-stop solution for patching all your servers, regardless of where they reside—on-premises, in the cloud, or in hybrid environments. It’s a great advantage of using AUM.”

Patching with Azure Update Manager

Azure Update Manager dashboard shows a graphical view of patching status.
Azure Update Manager provides a dashboard view where IT admins can easily monitor the patching status of each machine in their network and access a log of every action taken on that server.
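What the dashboard summarizes can also be driven on demand. The following is an added example, not code from the article or from Microsoft Digital: an assess-then-install cycle for one Azure VM through the patch operations that Azure Update Manager exposes, using the Az.Compute module after Connect-AzAccount. The resource group and VM names are placeholders. Azure Arc-enabled servers expose the same assess and install operations through the Az.ConnectedMachine module; only the cmdlet names differ.

```powershell
# Added example (not the article's code). Assumes Az.Compute is installed and Connect-AzAccount has run.
param(
    [string]$ResourceGroupName = 'rg-patch-demo',  # placeholder
    [string]$VMName            = 'vm-app-01'       # placeholder
)

# 1. Assess without changing anything: which updates does the VM report as missing, by classification?
$assess  = Invoke-AzVMPatchAssessment -ResourceGroupName $ResourceGroupName -VMName $VMName
$missing = @($assess.AvailablePatches)
"Assessment: $($assess.Status); $($missing.Count) updates missing; reboot already pending: $($assess.RebootPending)"
$missing | Group-Object { $_.Classifications -join '/' } | Select-Object Name, Count | Format-Table -AutoSize

# 2. Install only Critical and Security updates inside a bounded maintenance window (ISO 8601 duration).
#    RebootSetting IfRequired restarts the VM only when an installed patch demands it; use Never for hosts
#    that must stay up, then track RebootStatus and schedule the restart yourself.
$install = Invoke-AzVMInstallPatch -ResourceGroupName $ResourceGroupName -VMName $VMName `
    -Windows -ClassificationToInstallForWindows Critical, Security `
    -RebootSetting IfRequired -MaximumDuration 'PT2H'

"Install: $($install.Status); installed=$($install.InstalledPatchCount) failed=$($install.FailedPatchCount) " +
"pending=$($install.PendingPatchCount); reboot status: $($install.RebootStatus)"

# 3. Anything failed or still pending is a compliance gap to escalate, not a reason to declare the VM done.
#    A pending count with MaintenanceWindowExceeded set means the 2-hour window closed first.
if ($install.Status -ne 'Succeeded' -or $install.FailedPatchCount -gt 0 -or $install.PendingPatchCount -gt 0) {
    $install.Patches |
        Where-Object { $_.InstallationState -ne 'Installed' } |
        Select-Object Name, KbId, Classifications, InstallationState |
        Format-Table -AutoSize
    exit 1
}
```

Two caveats a practitioner will hit immediately. First, an on-demand install like this is fine for validation or for a one-off, but the recurring job belongs in an AUM maintenance configuration with the VM’s patch orchestration set to customer-managed schedules, so that the platform, not a script, owns the window. Second, the assessment step is the part to wire into alerting: a server that reports missing Critical or Security updates for longer than your deadline is the same compliance failure as an unpatched client, whether or not anyone has scheduled its install.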

The challenge of patching non-Windows devices

Microsoft believes in empowering our employees to do their job on the device that works best for them (sometimes called Bring Your Own Device, or BYOD). But that policy opens up the challenge of making sure all those devices meet our security standards, including those running macOS, iOS, and Android.

“People do a lot more work on their mobile devices than they used to; we have about 80,000 Android devices and about 150,000 iOS devices that our employees connect to our network with,” says John Philpott, a senior product manager in Microsoft Digital. “We need to make sure that all these devices have the latest OS security patches, or it puts our network at risk.”

The tricky part is that because Microsoft doesn’t make the operating systems, we can’t consistently manage the device environment or the patches themselves. Instead, the common approach in this situation is to make sure that employees know about the latest patches for their device and enforce compliance by controlling their access to the Microsoft corporate network. Getting employees to voluntarily keep their devices up to date is critically important.

The frequency and requirements for installing the updates depend on the platform.

“For Android, how often your phone is updated varies, depending on the manufacturer and model; this makes developing a consistent patching experience a challenge,” Philpott says. “It’s a balancing act, but we’ve gradually tightened our patch requirements and are educating employees on the best Android devices to choose to meet patching requirements.”

Patch enforcement for Apple devices is much tighter, according to Philpott.

“If there’s a security threat, Apple will quickly make a patch available,” he says. “We have a standard process of enforcing compliance within 14 days. We tell our users that if they haven’t installed the update after 12 days, we’ll install the patch and enforce a reboot. If the device has not been patched after 14 days, we’ll remove their network access.”
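The 14-day rule described above maps directly onto an Intune compliance policy with a grace period on its block action. The following is an added example, not code from the article or from Microsoft Digital’s own configuration: it creates an iOS/iPadOS compliance policy through Microsoft Graph using the Microsoft.Graph PowerShell SDK, after Connect-MgGraph with the DeviceManagementConfiguration.ReadWrite.All scope. The minimum OS version is a placeholder you would raise with each Apple security release, the policy name is an assumption, and the 14 days are the article’s figure.

```powershell
# Added example (not the article's code). Assumes Connect-MgGraph has already been run with
# -Scopes DeviceManagementConfiguration.ReadWrite.All.
function New-IosPatchCompliancePolicy {
    param(
        [Parameter(Mandatory)][string]$MinimumOsVersion,                      # placeholder, e.g. '18.1.1'
        [int]$GraceDays = 14,                                                  # the article's 14-day window
        [string]$DisplayName = 'iOS - minimum OS version (14-day grace)'       # assumed name
    )

    $policy = @{
        '@odata.type'    = '#microsoft.graph.iosCompliancePolicy'
        displayName      = $DisplayName
        description      = "Devices below iOS $MinimumOsVersion are blocked after $GraceDays days."
        osMinimumVersion = $MinimumOsVersion
        # Actions for noncompliance. 'block' with a grace period is what turns the clock into an access
        # decision: until the grace period expires the device shows as 'in grace period' and Conditional
        # Access still treats it as compliant; after it, a 'require compliant device' Conditional Access
        # policy is what actually removes the device's access to corporate resources.
        scheduledActionsForRule = @(
            @{
                ruleName = 'PasswordRequired'   # fixed rule name Graph expects for the built-in rule set
                scheduledActionConfigurations = @(
                    @{ actionType = 'block'; gracePeriodHours = $GraceDays * 24 }
                )
            }
        )
    }

    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/beta/deviceManagement/deviceCompliancePolicies' `
        -Body ($policy | ConvertTo-Json -Depth 10) -ContentType 'application/json'
}

# Usage:
#   $created = New-IosPatchCompliancePolicy -MinimumOsVersion '18.1.1'
#   Then assign $created.id to a device group and pair it with a Conditional Access policy that
#   requires a compliant device; the compliance policy alone marks the device, it does not block it.
```

Note what this policy does not do: it cannot install the update for the user. The forced install at day 12 that Philpott describes needs a separate mechanism, and Intune’s iOS/iPadOS software update policies only apply to supervised devices, so on unsupervised BYOD hardware the compliance deadline plus Conditional Access is the enforcement you actually have.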

The other area of mobile device patching that has received increased scrutiny in recent years is applications, both our first-party apps and third-party apps. We work closely with the Microsoft Intune product group to make sure that these apps are patched as frequently as possible.

“We do a lot of discussions with the Intune team about how we can enforce these updates,” Philpott says. “We want to make sure all the Microsoft apps are up to date on mobile, but we’re also making a big push to enforce third-party app patching as well. If someone exploits an app like Adobe Acrobat, that can be a threat to our security, so we want users running the latest versions of all the major apps.”

Autopatch and hotpatching

Our patch management journey is one of helping develop solutions that automate security and feature updates as much as possible, reducing the strain on IT resources. As part of these efforts, we work closely with the Microsoft product groups as Customer Zero for their update offerings. One prominent step on this journey was the introduction of Windows Autopatch in 2022.

Windows Autopatch is a cloud service for enterprise customers that automates the updates to Windows, Microsoft 365, Microsoft Edge, and Microsoft Teams. It also offers greater control for patching different groups of devices on different schedules.

“Autopatch offers admins a single-pane view where they can manage the patches across their organization, from the same perspective,” says Katie Yao, a senior product manager on the Autopatch team. “And with Autopatch Groups, they can dynamically assign users to different groups, which gives them a lot of flexibility on how and when devices are updated.”

Another capability delivered through the Autopatch service is hotpatching. A hotpatch update modifies the in-memory code of running processes, so a security fix takes effect as soon as it installs, without the usual monthly restart. Devices still take a regular cumulative update with a restart on a quarterly baseline, and hotpatching requires virtualization-based security to be enabled on the device. The result is fewer interruptions for users and less restart coordination for admins, especially in environments where uptime is critical.

For IT admins managing a large volume of devices, this is a big win. Because a hotpatch takes effect without waiting for a restart window, the time to reach security compliance across the whole environment shrinks: there is no gap between install and protection that users can stretch by postponing a reboot.

“Customers were telling us that rebooting all devices every month was too much in some cases,” Yao explains. “So, we’ve moved to a process where they get the updates every month, but they only need to reboot the machines once every three months. This way they get the latest security and feature updates, but they don’t need to reboot their devices as often.”

The future of patch management

Our patch management story continues to evolve as we apply the latest tools and technologies to our processes at Microsoft Digital.

We see great opportunities for industry-wide improvements, such as with application patching.

“The Intune Enterprise Application Management solution is a huge opportunity for us,” Selvaraj says. “Right now, there’s a gap in how applications are managed across large organizations—are they healthy? Are they vulnerable? Are they up to date? We hope that this solution will address these needs.”

Of course, just as with many aspects of today’s software development, the future of patching will be greatly impacted by AI innovations.

“AI tools are the next stage in our continuous improvement process for patch management,” Selvaraj notes. “We’re currently working on a new solution called Device Care, which is a tool that leverages AI to monitor, predict, and resolve device and infrastructure issues for admins and employees. Another AI tool in this space is Microsoft Security Copilot, which helps with daily security operations.”

And as the computer security landscape evolves, with more frequent and more sophisticated attacks coming every day, we’ll continue to refine and develop our patching tools and strategies. It’s the only way to ensure that our networks and devices—and those of our customers—remain as secure as possible.

Key takeaways

Here are some tips to help guide your own organization’s patch management approach:

  • Stay alert to risk. The rapidly increasing size and scale of the cybersecurity threat landscape has intensified the need for more sophisticated patching solutions.
  • Educate your employees. Making sure that everyone in your organization is aware of the importance of keeping devices up to date with the latest patches is a key part of your overall security strategy.
  • Save time and resources with automated updates. Windows Update client policies (formerly WUFB) offers automated patching, which can greatly reduce the amount of time your IT admins must spend identifying, configuring, and deploying updates.
  • Update your infrastructure where it lives. Azure Update Manager provides a powerful, flexible patching solution that works for cloud, on-premises, and hybrid network infrastructures.
  • Adapt to a flexible device environment. Mobile-device patching can be a complex challenge, especially if your organization embraces a Bring Your Own Device philosophy. Services like Microsoft Intune can ensure that devices are well-managed and kept up to date on the latest security fixes.
  • Maintain availability. If you have critical servers and devices that you don’t want to reboot every month, consider a hotpatching approach that keeps your devices updated without rebooting.
  • Take advantage of intelligent patching solutions. AI advances promise even greater innovation to come in the patching space, including services like Microsoft Device Care, Security Copilot, and Enterprise Application Management.

The post Transforming our approach to patch management at Microsoft appeared first on Inside Track Blog.

AI in action: Unpacking our internal journey with Windows 11 and Copilot+ PCs http://approjects.co.za/?big=insidetrack/blog/ai-in-action-unpacking-our-internal-journey-with-windows-11-and-copilot-pcs/ Wed, 20 Nov 2024 17:00:00 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=17447 At Microsoft, Windows 11 has been powering the 225,000 devices our employees and vendors use to do their work since it was released in the fall of 2021. Since then, the addition of many new features and the integration of AI have made it even more useful to us. Like other enterprises, we’re benefitting from […]

The post AI in action: Unpacking our internal journey with Windows 11 and Copilot+ PCs appeared first on Inside Track Blog.

Microsoft Digital technical stories

At Microsoft, Windows 11 has been powering the 225,000 devices our employees and vendors use to do their work since it was released in the fall of 2021. Since then, the addition of many new features and the integration of AI have made it even more useful to us.

Like other enterprises, we’re benefitting from how AI is being woven into every part of the technology sector, including Windows. We’re using Copilot+ PCs, Microsoft 365 Copilot, and the broad range of AI-powered tools and features we’ve adopted across the company to get more out of our longtime, signature operating system today, while also preparing for how it will continue to power everything we do in the future.

According to our 2024 Work Trend Index (WTI) annual report, 79% of US business leaders believe their company needs to adopt AI to remain competitive. Yet the numbers suggest that those that are just now starting to get ready for AI are already behind. Users say AI is saving them time now (90%), allowing them to focus on their work (85%), be more creative (84%), and enjoy their work more (83%).

The AI era is already here, and organizations must seize every opportunity to catch up and get ready for the future.

At Microsoft Digital, our internal IT organization, we’re harnessing Windows 11 and Copilot+ PCs to give our business and our employees a foundation to build on for future developments in AI. AI interactions are happening at the desktop, in the browser, across apps, and, with Windows 11 and Copilot+ PCs, right in the local operating system.

With Windows 10 end-of-support approaching in October 2025, every organization needs to assess their PC inventory and create a plan to move forward. Outdated PCs put users and businesses at risk, and the security and functionality updates that come with Windows 11 provide the best protection and productivity for Microsoft customers.

Learning from our own deployment of Windows 11

Digumarthi and Gonis pose in a composite photo
Harshitha Digumarthi (left), Markus Gonis, Yulia Evgrafova (not pictured), and Pandurang Savagur (not pictured) are part of our team harnessing Windows 11 and Copilot+ PCs as our foundation for AI at work.

Our own first internal rollout of Windows 11 was the smoothest and quickest operating system upgrade in the history of the company. During the key phase of the rollout, we deployed Windows 11 to more than 190,000 devices in five weeks.

Starting small and growing from there is an essential part of the way we deploy any solution or tool, Windows 11 included.

“We followed a ring-based approach, which is pretty typical,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital. “The initial feature testing happened with a small group of Microsoft Digital users who were close to the feature sets and understood their key implications.”

The testing team subjected Windows 11 to an initial test process to ensure it met our organization’s internal standards, the same standards that we apply to any new software or solution, whether it was developed by Microsoft or by another provider.

Following initial testing, we deployed Windows 11 to a small, specifically selected proof of concept group to ensure that its overall functionality met our expectations and requirements. Pilot-testing followed, and then full implementation. This phased approach ensured that any potential issues were identified and addressed early, and that we could perform the majority of the deployment with few issues.

“We had a minimal number of standard incidents, and no major incidents reported through support channels directly related to the Windows 11 update or the deployment itself,” Gonis says. “Despite the complexities of hardware eligibility and app compatibility with a new operating system being a typical challenge, we were able to execute the deployment with minimal disruption.”

Moving forward with deploying subsequent versions of Windows 11, we have refined the deployment process to include many more devices, now exceeding 225,000 with the 24H2 update, both by having users update their devices on their own and through pushed deployment.

Improving deployment with Windows Autopatch

The deployment process used several new features, including Windows Autopatch (which now includes Windows Update for Business).

“Windows Autopatch has been a game-changer for us,” says Harshitha Digumarthi, a senior product manager at Microsoft Digital. “It allows us to manage our updates more effectively and to ensure our devices are running the latest and most secure versions of Windows.”

Digumarthi’s team used Windows Autopatch to manage and control Windows 11 updates throughout the deployment. By using device group membership and a few deployment parameters, they had full control over when and how they deployed major updates to the entire organization. This approach allowed for a more streamlined and efficient update process, ensuring our devices received the updates without causing disruptions.

The team also integrated Windows Autopatch into the deployment process to further enhance the efficiency of updates. This feature keeps our devices patched and up to date, reducing the need for manual intervention as it reinforces our security posture and Zero Trust strategy.

Deploying Windows 11 with security and compliance

Feature testing, especially new features included in later builds, is an important part of the ongoing security and compliance practices at Microsoft Digital.

“When a new feature comes out, we need to ensure that we can deploy and govern it securely,” says Yulia Evgrafova, a principal security engineer with Microsoft Digital. Her team helps to ensure new features are ready for enterprise deployment at Microsoft.

Evgrafova points out the extra responsibility and privilege that comes with testing Microsoft products.

“With Windows 11, it’s a Microsoft product, but we’re also using that product as a customer,” Evgrafova says. “We call ourselves Customer Zero.”

Our Customer Zero relationship at Microsoft is a special one.

We in Microsoft Digital usually adopt products like Windows 11 before any other customer. Then, as part of the relationship, we test, use, and offer feedback on the product. It’s an internal feedback mechanism that we use for most of our products, and it leads to better, more complete products that are enterprise tested and enterprise ready.

“Our feature testing is comprehensive,” Evgrafova says. “We start with the basics: what is the scope of this feature and what’s the enterprise readiness of this feature for the rollout? Our goal is to understand not only the immediate risks that a feature might pose, but also the potential risks of that feature as it matures.”

However, deploying Windows 11 wasn’t simply testing and upgrading the operating system on existing hardware.

Windows 11 has specific hardware requirements, which meant not every device at Microsoft would be part of the deployment. Most of our devices were eligible, but communicating hardware requirements was an early step.

“Communicating with our employees about the requirements and how we would handle new devices was important,” Gonis says. “Since Windows 10 and Windows 11 can be managed side-by-side with no additional overhead, we could co-manage both upgraded and non-upgraded devices until all the older Windows 10 devices were replaced.”

Replacing Windows 10 devices with new hardware created an opportunity for us to examine our hardware refresh policy, assess the hardware options, and finally make Copilot+ PCs our device refresh of choice.

Turning to Copilot+ PCs

Integrating Copilot+ PCs into the mix was a very natural next step for us.

“Copilot+ PCs were the obvious choice to replace unsupported Windows 10 hardware,” says Pandurang Savagur, a senior product manager with Microsoft Digital. “Copilot+ PCs bring an entirely new level of hardware support and acceleration of Windows 11 capabilities, in AI and beyond.”

Copilot+ PCs offer a new hardware feature set that goes beyond the traditional PC. Those features are headlined by the neural processing unit (NPU) present in every Copilot+ PC.

Neural Processing Units (NPUs) have become a crucial component in modern computing, especially with the advent of AI-driven applications. Initially, devices like the Microsoft Surface Laptop Studio 2 were introduced with NPUs primarily for Windows Studio effects. These NPUs offloaded processing tasks from the CPU, enhancing device performance and battery life.

With the introduction of Copilot+ PCs, the role of NPUs has expanded significantly. Copilot+ PCs can run AI features and processing locally on the device, using the NPU. The NPUs in these devices enable faster and more efficient on-device AI processing (they support over 40 TOPS, which means they can perform more than 40 trillion operations per second). For instance, tasks like natural language translation and generative AI features can be processed locally, reducing the need for cloud-based processing and accelerating processing times.

Built-in features that support NPU offloading are coming to Windows 11, including improved Windows search, across local and cloud-based files. With improved Windows search, Windows 11 will be able to use NPU-powered search capabilities to understand the context of each file, including contents, and return more accurate and complete results.

There is now no need to remember file names, settings locations, or even worry about spelling; just type your thoughts to find what you need on a Copilot+ PC. You can even locate photos in OneDrive by describing their content in the same way. With the over 40 TOPS NPU in Copilot+ PCs, it works even when you’re not connected to the internet. Improved search will initially be available in File Explorer and will later extend to Windows Search and Windows Settings. This means searches in Windows 11 for files will become faster and more intelligent.

Copilot+ PCs also will make Microsoft 365 Copilot better. Microsoft 365 apps will soon be able to use the NPU for AI-based tasks, so the same Microsoft 365 Copilot capabilities that work in the cloud also will be available offline and with lower latency.

This also happens in apps that might surprise you. For example, Microsoft Teams has several AI-based features including face tracking and voice isolation that can use the NPU directly, freeing up CPU resources, increasing performance, and improving battery life.

Boosting ARM-based Windows 11 mobility

We’ve found significant performance improvements from NPU integration, especially from ARM Copilot+ PCs. The reduction in CPU usage has provided significantly better overall performance across Windows 11. Many of our users with ARM-based Windows 11 devices are reporting battery life exceeding 20-22 hours of active usage.

Other benefits of the ARM-based Windows 11 Copilot+ PCs include cellular data connection, providing continuous network connectivity for a new generation of ultra mobile Windows laptops. ARM-based Windows 11 devices also support instant-on power capability, just like your mobile phone or tablet.

Our employees are seeing huge benefits.

“Windows 11 Copilot+ PCs have been a huge difference-maker for our employees,” Gonis says. “Their laptops have become truly mobile devices, and it changes how they use them and where they can take them.”

The deployment of Copilot+ PCs has also highlighted the importance of app compatibility. While many apps that we use run natively on ARM-based devices—including Microsoft 365 and a large percentage of our first party apps—some still use x64 emulation. We’re working to achieve 100 percent compatibility by the end of 2025, ensuring that all our tools can fully take advantage of the capabilities of NPUs and the ARM platform.

It’s a bright future for hybrid AI, and we’re ready for it with Windows 11 Copilot+ PCs.

Looking forward

We’re continually evaluating and implementing new Windows 11 features as they come available in each release. We’re currently testing hotpatching in Windows 11 to allow updates without system reboots. We aim to reduce the number of required reboots to one per quarter, improving efficiency and maintaining system stability.

We’re also testing the Recall experience. Recall creates an explorable timeline of a Windows 11 PC’s past using snapshots and natural language queries. It helps users find past content on their PC by responding to natural language prompts with images, text, or even the exact location of the item you’re searching for. Because those snapshots capture whatever was on screen, enabling Recall is a data-governance decision as much as a feature test: it is opt-in, the snapshots stay on the device and are encrypted, access to them is gated by Windows Hello, and it can be turned off centrally through the WindowsAI/DisableAIDataAnalysis policy for devices or users where that content should never be retained.

Of course, we’re excited about the next generation of Copilot+ PCs and the hardware and software improvements coming to Windows 11. As AI continues its rapid evolution, we’ll be working alongside the Windows 11 team to bring advancements in productivity, accessibility, and security.

We believe that hybrid AI is the future and Windows 11 with Copilot+ PCs is the platform that will support it.

Key Takeaways

Here are some tips on getting started evolving your Windows ecosystem with Copilot+ PCs:

  • Adopt Copilot+ PCs as the hardware platform of choice for Windows 11 devices.
  • Explore the enhanced performance and battery life of ARM-based Windows 11 Copilot+ PCs.
  • Use Windows Autopatch to manage your Windows 11 deployment.
  • Consider the benefits of upcoming Windows 11 features, such as Hotpatch for Windows and Recall for improved efficiency and user experience.

 

Migrating from Microsoft Monitoring Agent to Azure Arc and Azure Update Manager at Microsoft http://approjects.co.za/?big=insidetrack/blog/migrating-from-microsoft-monitoring-agent-to-azure-arc-and-azure-update-manager-at-microsoft/ Thu, 26 Sep 2024 16:05:00 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=16574 As organizations grow and transform their IT infrastructures, maintaining consistency in patch management across various environments and cloud architectures has become a priority here at Microsoft and at companies elsewhere. A recent shift from Microsoft Monitoring Agent (MMA) to Microsoft Azure Arc and Microsoft Azure Update Manager (AUM) offers us and others a unified solution […]

The post Migrating from Microsoft Monitoring Agent to Azure Arc and Azure Update Manager at Microsoft appeared first on Inside Track Blog.

Microsoft Digital stories

As organizations grow and transform their IT infrastructures, maintaining consistency in patch management across various environments and cloud architectures has become a priority here at Microsoft and at companies elsewhere.

A recent shift from Microsoft Monitoring Agent (MMA) to Microsoft Azure Arc and Microsoft Azure Update Manager (AUM) offers us and others a unified solution for both on-premises and cloud resources. This transition is improving our patch orchestration while offering our IT leaders more robust control of our diverse systems internally here in Microsoft Digital, the company’s IT organization.  

Moving to Azure Arc

Granata and Arias appear together in a composite image.
Transitioning from Microsoft Monitoring Agent to Azure Arc ensures streamlined updates across diverse systems, say Cory Granata (left) and Humberto Arias. Granata is a senior site reliability engineer on the Microsoft Digital Security and Compliance team and Arias is a senior product manager in Microsoft Digital.

Moving from MMA to AUM means onboarding each machine to Azure Arc, which acts as the bridge that brings on-premises and other-cloud resources under the same Azure management plane as native Azure VMs, so that all of them can be managed from a single place.

Historically, the MMA allowed for “dual homing,” where IT teams could connect machines to multiple Microsoft Azure subscriptions with ease. This flexibility streamlined patch management and reporting across different environments.

This feature is particularly useful for us and other large organizations with multiple Azure environments, says Cory Granata, a senior site reliability engineer on the Microsoft Digital Security and Compliance team in Microsoft Digital. However, the newer Azure Arc-based AUM only allows machines to report into one subscription and resource group at a time.

This limitation required some coaching for teams accustomed to MMA’s dual-homing capabilities.

“It wasn’t really an issue or a challenge—just coaching and getting other teams in the mindset that this is how the product was developed,” Granata says.

Azure Arc’s streamlined approach offers an efficient path for IT teams like ours looking to centralize patch management, especially for diverse infrastructures that include cloud and on-premises assets.

Centralizing patch orchestration

One of the standout advantages of Azure Update Manager with Azure Arc is its ability to support patch orchestration across a wide range of environments.

“You have the ability to patch on-premises, off-premises, Azure IaaS, and other resources,” Granata says. “This flexibility extends beyond Azure to cover machines hosted on other platforms, and on-premises Hyper-V servers.”

For organizations with complex infrastructures like ours, this unified approach simplifies operations, reducing the need for multiple tools and platforms to handle updates. Whether managing physical servers in data centers, virtual machines across different cloud providers, or edge computing devices, Azure Arc ensures that patch management is consistent and reliable.

These changes have been very helpful internally here at Microsoft.

“The AUM is our one-stop solution for patching all these different inventories of devices, regardless of where they reside—on-premises, in the cloud, or in hybrid environments,” says Humberto Arias, a senior product manager in Microsoft Digital.

This multi-cloud and edge computing capability offers IT leaders here and elsewhere the flexibility to scale their patch management efforts without being tied to a specific platform.

Migration challenges

While the transition to Azure Arc and AUM has brought us significant benefits, there have been some challenges, particularly around managing expectations for dual-homing capabilities.

The key thing we had to work through was that Azure Arc could only connect to one Azure subscription and resource group at a time. This required additional training for us—we needed to shift our mindset and adopt new workflows. However, after our people understood this limitation, the migration process was smooth.

“Fortunately, it only phones into one subscription and one resource group,” Granata says. “So, wherever it phones in is where all of your patch orchestration logs and everything must go as well, and it can’t connect into another subscription. This centralized approach simplifies reporting and patch management, but it did require some initial adjustments for teams accustomed to multi-subscription environments.”

Through coaching and training, our teams were able to adapt, and the long-term benefits of a more streamlined system quickly became apparent.

Azure Arc and AUM benefits

Following our migration, our teams began to realize the true benefits of using Azure Arc and AUM for their patch orchestration needs.

“The neat thing about using AUM with patch management and patch orchestration is the centralized control it provides,” Granata says.

For IT teams managing both internal IT assets and lab environments, the ability to oversee patching across a diverse range of systems from one location was a game-changer.

Additionally, the new system provided enhanced reporting and visibility.

While MMA offered flexibility in terms of connecting to multiple subscriptions, Azure Arc’s centralized model makes it easier to manage logs, reports, and patch statuses from a single dashboard.

“We’ve really enjoyed the increased visibility and ease of use that this has given us,” Arias says. “This is particularly valuable for large organizations like ours with distributed environments, where maintaining visibility across multiple systems can be a challenge.”

The integration with Azure Arc also extends the platform’s reach to non-Azure environments, including AWS and other cloud providers. This means that organizations running multi-cloud or hybrid cloud strategies can benefit from a unified patch management system, regardless of where their machines are hosted.

For IT leaders here and elsewhere, these improvements represent a significant step forward in our operational efficiency and security. By centralizing patch management under Azure Arc and AUM, we can ensure that our systems are up-to-date, secure, and compliant, without the need for multiple tools or platforms. We hope sharing our story helps you do the same at your company.

Key Takeaways

Here are some tips for getting started at your company:

  • Azure Arc allows for a centralized management approach, providing IT leaders with a comprehensive view of their infrastructure.
  • Azure Update Manager offers improved patch orchestration and update management, leveraging the latest Azure technologies.
  • While the transition to Azure Arc brings numerous benefits, it also necessitates adjustments, particularly for teams accustomed to dual homing with the Microsoft Monitoring Agent.
  • With some light coaching, teams can easily learn the new system’s capabilities and limitations.

Try it out

Discover more about Azure Arc from the Microsoft Azure product group, including About Azure Arc, Azure Arc for servers, and the Azure Cloud Adoption Framework.

The post Migrating from Microsoft Monitoring Agent to Azure Arc and Azure Update Manager at Microsoft appeared first on Inside Track Blog.

Providing employees with virtual loaner devices with Windows 365 http://approjects.co.za/?big=insidetrack/blog/providing-employees-with-virtual-loaner-devices-with-windows-365/ Thu, 05 Sep 2024 15:00:00 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=16349 Watch the video below to see Dave Rodriguez interview Trent Berghofer about how we use the Windows 365 Cloud PC platform to provide our employees with virtual loaner PCs when they need a backup machine to keep working. Rodriguez is a principal product manager on the Frictionless Devices team in Microsoft Digital, the company’s IT […]

The post Providing employees with virtual loaner devices with Windows 365 appeared first on Inside Track Blog.


Watch the video below to see Dave Rodriguez interview Trent Berghofer about how we use the Windows 365 Cloud PC platform to provide our employees with virtual loaner PCs when they need a backup machine to keep working.

Rodriguez is a principal product manager on the Frictionless Devices team in Microsoft Digital, the company’s IT organization. He talks with Berghofer about using the Windows 365 Cloud PC platform to provide employees with a low-touch, personalized, secure Windows experience hosted on Microsoft Azure.

“With Windows 365 Cloud PC, we’ve been able to accelerate our digital-first support model for hybrid employees and de-emphasize our reliance on walk-up, in-person support at the on-site service locations,” says Berghofer, general manager of Field IT Management and leader of the Support team in Microsoft Digital.

Issuing Cloud PCs to our employees allows them to return to productivity on a machine they already own or have on their person, because we don’t have to send them physical backup machines. This gets them back to work faster and reduces our costs.

Watch this video to see Trent Berghofer (left) and Dave Rodriguez (right) discuss how we’re using Windows 365 to provide our employees with virtual loaner PCs when they need backup machines to keep working. (For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=TLKeaiOWxds.)

Rethinking device management internally at Microsoft with AI http://approjects.co.za/?big=insidetrack/blog/rethinking-device-management-internally-at-microsoft-with-ai/ Thu, 22 Aug 2024 15:50:00 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=16314 At Microsoft, we’re leaning on AI to enhance our internal device management strategy. Engage with our experts! Customers or Microsoft account team representatives from Fortune 500 companies are welcome to request a virtual engagement on this topic with experts from our Microsoft Digital team. AI is helping us to simplify and improve the experience our […]

The post Rethinking device management internally at Microsoft with AI appeared first on Inside Track Blog.

At Microsoft, we’re leaning on AI to enhance our internal device management strategy.

AI is helping us to simplify and improve the experience our employees have with their devices by predicting and auto-remediating issues, supporting proactive solutions, and enhancing the operating system’s look and feel.

As hybrid work becomes the norm—and the expectation—for our employees, how we in Microsoft Digital, the company’s IT organization, give them access to the tools they need to successfully innovate, create, and collaborate has evolved. Employees want a dynamic, device-agnostic experience that focuses on providing them with the data and tools that they need from almost any location, using a wide variety of devices, including PCs, laptops, tablets, and smartphones.

“We’re investing in AI-powered predictive maintenance and intelligent troubleshooting to reduce friction in device management,” says Daniel Manalo, a principal service engineer at Microsoft Digital. “We’re using AI and machine learning to help us schedule essential maintenance tasks and fix errors and performance issues autonomously. This is reducing downtime, prolonging device lifespans, and ensuring our employees have a consistent and productive experience by avoiding problems and errors.”

Manalo and his team are investigating ways to use AI to analyze device settings, network activity, vulnerabilities, and user behavior, enhanced with demographic data and location metadata to offer relevant solutions for common and emerging device problems.

While device management focuses on the employee experience, Manalo reminds us that Microsoft Digital support teams can benefit greatly as well.

“We want to help our support team be more productive through quicker decisions about device replacement, software updates, capacity increases, and other common support scenarios,” Manalo says.

Using AI to reduce friction in device management

Our employees use a wide variety of devices as their primary productivity tools to access their work and succeed in their roles. Our responsibility at Microsoft Digital is to ensure that each of our employees can be productive and connected to Microsoft tools and corporate data, regardless of the device they use.

There are more than 750,000 devices in use at Microsoft, including Windows, Android, iOS, macOS, and Linux devices. Approximately 60% of these are Windows devices, while iOS, Android, and macOS account for the rest. Of these devices, approximately 45% are personally owned employee devices, including phones and tablets. Microsoft empowers employees to use the managed devices that enable them to be their most productive.

A photo of Selvaraj.

“The goal is to make the device smarter. We want the device—and the services that support it—to be intelligent and able to predict or detect issues on the device and self-remediate.”

Senthil Selvaraj, principal group product manager, Microsoft Digital

Microsoft Intune supports the modern management model at Microsoft. Intune provides cloud-based device management capabilities across Windows, Android, iOS, macOS, and Linux devices. Devices are registered in and authenticated by Microsoft Entra ID. Because it’s cloud-based, Intune removes the dependency on the local network, and managed devices can connect across the internet from anywhere. Modern management includes and supports both corporate and personally owned devices, including mobile devices.

However, even with the benefits of modern management, we recognize that there’s room for improvement.

Employee productivity and sentiment are directly affected when the condition of their device and the underlying infrastructure deteriorates. Unexpected reboots, application crashes, emerging vulnerabilities, and compatibility problems all negatively affect the employee experience. The situation is further aggravated by potentially long wait times with Helpdesk to resolve support tickets. And not all issues are reported by employees.

Our support teams spend large amounts of time manually pulling together data and insights to make long-term preventative decisions about device replacement, software upgrades, capacity increases, and more. They don’t have aggregated views with device health insights and the toolsets to analyze patterns and trends to reduce their decision-making time or increase their confidence that they made the right choices.

Put simply, we understand that our modern management processes have gaps, and we’re filling those gaps with AI-powered tools and services.

“The goal is to make the device smarter,” says Senthil Selvaraj, a principal group product manager at Microsoft Digital. “We want the device—and the services that support it—to be intelligent and able to predict or detect issues on the device and self-remediate.”

Selvaraj’s team is focusing on using AI to provide detection and remediation in a way that prioritizes and respects the employee experience. “We don’t want our tools to consume a lot of local resources when the employee might need those resources for other tasks,” he says. 

Selvaraj says the focus is on creating a productive and frictionless device experience at all times. “We don’t want additional load on the device, so we want to make sure we’re running automated remediations at the right time without any impact to users,” he says.

Integrating AI for proactive maintenance and issue resolution

Disruptions in our enterprise device and infrastructure environment increase support costs and reduce employee productivity.

A photo of Rodriguez.

“We’re developing an AI and automation solution that monitors, predicts, and resolves device and infrastructure issues for employees and IT admins.”

Dave Rodriguez, principal product manager, Microsoft Digital

When employees encounter an issue, they must stop whatever they’re doing and either fix the issue or report it to the IT helpdesk. Long resolution times for support tickets and lack of detailed insights for IT administrators further impact employee productivity and increase our support costs.

As Customer Zero for Microsoft, we’re developing and implementing AI-powered solutions that will simplify and improve the employee device experience.

“We’re developing an AI and automation solution that monitors, predicts, and resolves device and infrastructure issues for employees and IT admins,” says Dave Rodriguez, a principal product manager on the Frictionless Devices team in Microsoft Digital. “The solution uses data from our enterprise devices—laptops, network devices, sensors, and meeting room equipment—to find and fix problems before they impact the users.”

The team is building capabilities that will actively solve IT challenges and lighten our employees’ cognitive load by proactively delivering solution-focused notifications and recommendations, while also addressing their queries about their device experiences.

“Using generative AI and natural language understanding, we’re providing IT administrators with a conversational AI experience,” says Pandurang Kamath Savagur, a senior program manager with Microsoft Digital. “This is enabling them to query patterns, observe analytics, and get recommendations across the device and infrastructure environment to manage and prevent disruptions.”

Specifically, our new solution provides an automated, AI-driven device experience by:

  • Mining the vast telemetry that we capture across our devices and infrastructure to ground AI-based remediation and automation.
  • Aggregating and collating the anomalies detected across devices and infrastructure to identify root causes of issues and impacted areas.
  • Combining near real-time telemetry and historical anomalies and issues to predict and fix issues across the enterprise device landscape before they start negatively impacting employee productivity.
  • Providing IT administrators with deep insights into the health and performance of enterprise devices by analyzing signals and demographic data to detect anomalies and proactively identify issues.
  • Integrating with existing Microsoft products such as Microsoft Intune and Microsoft Teams that support and supply the employee device experience.

We’re excited to realize the potential of this solution for device support as we extend implementation and roll out to the larger device community at Microsoft.

Improving device security results with Microsoft Security Copilot

Our security and IT teams are using Microsoft Security Copilot to protect at the speed and scale of AI, while remaining compliant to responsible AI principles.

Security Copilot integrates directly with Microsoft Defender XDR, Microsoft Sentinel, Microsoft Intune, and many other security-relevant data sources to create a unified experience for large language model (LLM)-powered prompting, grounded in the data from integrated solutions.

We’re moving toward a holistic approach in which we enhance common use cases with Security Copilot capabilities, including:

  • Incident summarization. Security Copilot is helping us gain context for incidents and improve communication across our organization by using generative AI to swiftly distill complex security alerts into concise, actionable summaries to enable quicker response times and streamlined decision-making.
  • Impact analysis. Security Copilot uses AI-driven analytics to assess the potential impact of security incidents, offering insights into affected systems and data to prioritize response efforts effectively.
  • Reverse engineering of scripts. It helps us simplify malware investigation with automated reverse engineering for scripts so every analyst can understand the actions executed by attackers. It also analyzes complex command-line scripts and translates them into natural language with clear explanations of actions.
  • Guided response. We receive actionable step-by-step guidance for incident response, including directions for triage, investigation, containment, and remediation. Our support team also receives relevant deep links to recommended actions that allow for quicker response.

Copilot in Windows and Copilot for Microsoft 365

Windows PCs are still the primary working environment for our employees and are critical to our business. Copilot in Windows is an AI-powered assistant that’s built into the Windows operating system and uses advanced machine learning and natural language processing to provide intelligent suggestions, automate tasks, and integrate seamlessly with Microsoft services.

“Microsoft 365 Copilot provides the most productive integration for our employees.”

Harshitha Digumarthi, senior product manager, Microsoft Digital

Copilot in Windows brings Copilot to the taskbar, providing a natural-language companion ready to assist our employees. It’s transforming how Microsoft employees work, allowing them to focus on strategic and creative tasks. 

Integration with Microsoft 365 Copilot is at the core of our Copilot in Windows deployment at Microsoft Digital. 

“Microsoft 365 Copilot provides the most productive integration for our employees,” says Harshitha Digumarthi, a senior product manager at Microsoft Digital.

Integrating Microsoft 365 Copilot with Copilot in Windows ensures adherence to enterprise security, governance, and trust standards. It also gives Microsoft employees a generative AI tool grounded in our enterprise data to get relevant, authoritative, and helpful answers and content directly from the Copilot in Windows interface.

Digumarthi’s team is also dedicated to understanding how updates influence user productivity and experience.

“We’re asking the important questions,” Digumarthi says. “How can Copilot in Windows and Microsoft 365 Copilot enhance productivity? Will it introduce any changes that might lead to confusion?” 

Looking forward

We’re constantly examining new ways to use AI to extend our device management capabilities and are working toward integrating Microsoft Security Copilot more deeply into our device management and security practices. We’re also deploying our automated AI device management solution to a wider set of devices as we continue to refine existing features and develop new ones.

AI is making us rethink device management at Microsoft Digital. We’re using AI to enhance the user experience, predict and resolve issues, support proactive solutions, and improve security outcomes. This integration spans the entire device spectrum, from the employee experience to the services and tools that facilitate device management.

We’re only just starting to uncover the possibilities in AI to simplify and improve device management and empower our employees to work from anywhere, on any device. We look forward to growing our device management capabilities alongside AI advancements in the future.

Key takeaways

You can start your company’s path to AI-powered device management practices with the following key takeaways:

  • Consider AI-supported tools. Explore how AI-powered predictive maintenance and intelligent troubleshooting can reduce friction and downtime in device management.
  • Capture the power of generative AI. Use AI-driven analytics and generative AI to gain insights, recommendations, and guidance for device security and incident response.
  • Implement Copilot in Windows. Use Copilot in Windows and Microsoft 365 Copilot to access an AI-powered assistant that can provide intelligent suggestions, automate tasks, and integrate with Microsoft services.
  • Learn and adapt. Learn from the Customer Zero experience of Microsoft Digital and how they’re using AI to enhance the device and user experience across different platforms and devices.
