Enterprise Security and Mobility Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/enterprise-security-and-mobility/
How Microsoft does IT. Feed last updated Wed, 27 Mar 2024 16:16:16 +0000.

Streamlining engineering at Microsoft with Azure DevOps
http://approjects.co.za/?big=insidetrack/blog/streamlining-engineering-at-microsoft-with-azure-devops/
Published Wed, 27 Mar 2024 14:18:03 +0000

Microsoft runs on Microsoft technology. We are the proving ground for our products, and when we say that software is enterprise-ready we mean that we have already built it for, and run it at scale in, our own enterprise.

We are in the business of building the future of technology. And more often than not, our software is built using Microsoft Azure DevOps.

Microsoft Azure DevOps was designed to support enterprise teams who need a collaboration and product management tool with organizational structures and robust security controls that meet the real world of how teams are actually run. With Microsoft Azure DevOps we can smartly plan our projects, improve collaboration, and ship our products faster with increased visibility, security, and efficiency.

“Microsoft is undergoing a mission to transform the way we work. There are three key pillars to this strategy: tools, processes, and people,” says Heather Pfluger, general manager of Infrastructure & Engineering Services in Microsoft Digital Employee Experience (MDEE), the company’s IT organization. “But the operative change is to our culture.”

We take pride in developing our software through the real-world use of our global teams. We refer to ourselves in these cases as “Customer Zero,” where we effectively are the launch customer for our product engineering teams. This allows our employees to use leading-edge solutions before our customers to improve our products based on our real-world usage.

Shifting left: building a tool for the modern engineering environment

This story begins with the announcement of Windows Azure in 2008. It reached general availability in 2010 and was renamed Microsoft Azure in 2014, by which point it had come of age. That is when MDEE, and nearly every other team at Microsoft, began migrating legacy workloads to Azure. The team that became MDEE faced a momentous leap forward because of the cloud, and with it an opportunity to revolutionize our engineering processes.

One way that we describe this culture shift internally is “shifting left.” We are moving our engineering focus closer to our dev teams by giving them more tools and more power to efficiently drive their progress right at the early stage of development.

A graphical timeline of cloud technology implementation.
Our timeline for moving the company to the cloud.

They have what they need to do their job at hand while at the same time introducing efficiencies in team structure, organization, and security. What used to take a large team of engineers and testers to accomplish is now taken care of by leaner, more agile developer teams themselves with the aid of automations and Microsoft Azure’s inherent security features.

Microsoft Azure DevOps is all about productivity for developers, and over many years of refining our processes we’ve increased both the quality and velocity of our output. We have the entire MDEE organization running on a single Azure DevOps instance, which gives unprecedented visibility and accountability for our processes.

In an organization our size, which has been creating software for as long as we have, a recurring concern is the long-term traceability and maintenance of our code. Today, we have new processes in place to better organize our output and make it easier for future Microsoft engineers to understand what we’ve built.

“Using area paths, we mapped out the entire organization and created a hard chain of custody for every line of code, in every repo,” says Martin O’Flaherty, principal PM manager of the MDEE Engineering Systems team. “If you create something, it will be tied to a repo, which will be tied to a team. No longer will there be code that can’t be accounted for – it’s all hard-wired in the backend. If something goes wrong, we immediately have a point of contact for the person who is accountable to remediate the issue.”
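The "no unaccounted-for code" rule above is easy to state and easy to drift from as repos are created and teams reorganize. The script below is an added example, not tooling from the Inside Track post or from the MDEE team. It enumerates every Azure Repos repository through the Azure DevOps REST API (the project and repository endpoints are real, API version 7.1) and joins the result against an owner mapping of repo to team and area path. The mapping file, its column names, the organization name, and the sample rows are assumptions constructed for the example; the offline run at the bottom uses constructed data only.

```powershell
# Added example: audit that every repository maps to exactly one owning team.
# Live fetch uses the Azure DevOps REST API; the owner map is an assumed CSV.

function Get-AdoRepositories {
    param(
        [Parameter(Mandatory)] [string] $Organization,
        [Parameter(Mandatory)] [string] $Pat   # personal access token with Code (Read) and Project (Read)
    )
    # Azure DevOps accepts a PAT as the password half of HTTP Basic auth with an empty user name
    $token   = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$Pat"))
    $headers = @{ Authorization = "Basic $token" }
    $base    = "https://dev.azure.com/$Organization"
    $projects = (Invoke-RestMethod -Uri "$base/_apis/projects?api-version=7.1" -Headers $headers).value
    foreach ($p in $projects) {
        $repos = (Invoke-RestMethod -Uri "$base/$($p.id)/_apis/git/repositories?api-version=7.1" -Headers $headers).value
        foreach ($r in $repos) {
            [pscustomobject]@{ Project = $p.name; Repo = $r.name; RepoId = $r.id; IsDisabled = [bool]$r.isDisabled }
        }
    }
}

function Find-UnownedRepositories {
    param(
        [Parameter(Mandatory)] [object[]] $Repositories,
        [Parameter(Mandatory)] [object[]] $OwnerMap   # assumed columns: Project, Repo, Team, AreaPath
    )
    # Index the owner map by project/repo so lookups are O(1) and duplicates are visible
    $index = @{}
    foreach ($row in $OwnerMap) {
        $key = "$($row.Project)/$($row.Repo)"
        if (-not $index.ContainsKey($key)) { $index[$key] = @() }
        $index[$key] += $row
    }
    foreach ($repo in $Repositories) {
        $owners = $index["$($repo.Project)/$($repo.Repo)"]
        # UNOWNED: nobody to page when something goes wrong. AMBIGUOUS: two teams, so in practice none.
        $status = if (-not $owners) { 'UNOWNED' } elseif ($owners.Count -gt 1) { 'AMBIGUOUS' } else { 'OK' }
        [pscustomobject]@{
            Project  = $repo.Project
            Repo     = $repo.Repo
            Status   = $status
            Team     = ($owners.Team -join ', ')
            AreaPath = ($owners.AreaPath -join ', ')
        }
    }
}

# Constructed sample data so the audit runs offline.
$sampleRepos = @(
    [pscustomobject]@{ Project = 'Payments'; Repo = 'ledger-api';    RepoId = '1'; IsDisabled = $false },
    [pscustomobject]@{ Project = 'Payments'; Repo = 'legacy-batch';  RepoId = '2'; IsDisabled = $false },
    [pscustomobject]@{ Project = 'Identity'; Repo = 'token-service'; RepoId = '3'; IsDisabled = $false }
)
$sampleOwners = @(
    [pscustomobject]@{ Project = 'Payments'; Repo = 'ledger-api';    Team = 'Payments Core';     AreaPath = 'MDEE\Payments\Core' },
    [pscustomobject]@{ Project = 'Identity'; Repo = 'token-service'; Team = 'Identity Platform'; AreaPath = 'MDEE\Identity\Platform' },
    [pscustomobject]@{ Project = 'Identity'; Repo = 'token-service'; Team = 'Identity SRE';      AreaPath = 'MDEE\Identity\SRE' }
)

# Offline run: legacy-batch shows as UNOWNED, token-service as AMBIGUOUS, ledger-api as OK
Find-UnownedRepositories -Repositories $sampleRepos -OwnerMap $sampleOwners |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize

# Live run (assumed org name and CSV path):
# Get-AdoRepositories -Organization 'contoso' -Pat $env:ADO_PAT |
#     Find-UnownedRepositories -OwnerMap (Import-Csv .\repo-owners.csv) | Where-Object Status -ne 'OK'
```

Run it from a pipeline on a schedule and fail the job on any UNOWNED or AMBIGUOUS row; that turns the "hard chain of custody" from a one-time mapping exercise into a guardrail that is checked continuously, which is the "stay clean" posture described later in the post.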

On our single Microsoft Azure DevOps instance, we have thousands of daily active users, thousands of repos, and more than 20,000 build and release pipelines. We’ve shown that Azure DevOps, right out of the box, can not only handle our scale but it excels at it. Azure DevOps is propelling us forward and accelerating our progress.

Get clean and stay clean

A significant opportunity that came with moving our entire engineering team to a common deployment of Microsoft Azure DevOps was cataloging and consolidating all our services. This process, which started five years ago, led to the retirement of nearly 30 percent of our legacy applications, while enabling us to deploy what remained to the cloud. By carefully selecting which applications and processes to continue and which to sunset, we quickly improved our security posture. We refer to this era as "getting clean."

“[However] the journey never ends, as technology is always evolving,” O’Flaherty says. “What we considered secure in 2017 is so rudimentary to how we approach things now. This is why we must ‘stay clean’ by continually monitoring the guardrails we put in place for our developers.”

Pursuing the mission of maintaining a strong security posture throughout our Microsoft Azure DevOps instance supports a simple imperative: if our primary tool for developing code isn’t secure, nothing we produce will be secure.

A visualized graphic depicting the vertical distribution of Azure assets in a portfolio.
A potential distribution of an Azure portfolio that aims to reduce complexity.

To accomplish “staying clean,” we have designed, enacted, and maintained a clear security and compliance framework within Microsoft Azure DevOps. We’ve streamlined our pipelines and deployed common protocols to all our teams, which ensures all our releases are held to the same high security standards.

Security, across the board

Gray and O’Flaherty pose for portraits in this composite image.
Damon Gray (left) and Martin O’Flaherty are two members of the Microsoft Digital Employee Experience team who have led the effort to bring our teams on board Azure DevOps.

We have also "shifted left" our application security posture. We’ve moved our security focus closer to the developer by using breakthroughs in technology and strategy like GitHub Advanced Security for Microsoft Azure DevOps. This tool, in public preview at the time of writing, automatically scans code pushed to Azure Repos for leaked secrets and exposed credentials, and also offers dependency scanning and CodeQL code scanning.

This is a powerful advance in security technology that pushes the boundary of our security posture to the code itself, right as it is being written. It alerts the developer in real time to potential errors or security concerns. By moving security and testing earlier in the development process we further enhance security during product development and reduce the risk of errors being released.

The security revolution powered by Microsoft Azure DevOps and running on a single instance is paying dividends for MDEE. Now, we universally apply and monitor security policies rather than relying on each team to set their own parameters. By utilizing common guardrails, we are able to monitor and apply policies across the board. We’ve baked in security early in the development cycle, and it’s done automatically and consistently.

Mature software that is enterprise ready

New customers to Microsoft Azure DevOps gain from all of the efficiencies and learnings MDEE has pioneered as customer zero. It’s now a mature product with a lengthy track record, and it works right out of the box.

“If I was advising a new enterprise just starting out with Azure DevOps, I would tell them to not just copy our way of doing things,” says Damon Gray, principal group engineering manager for Optimization, Engineering & Networking Services in MDEE. “They can smartly set up their instance themselves and add the guardrails that fit their organization over time. Within the day, right out of the box, they’ll be securely submitting and releasing code to the cloud.”

Companies of our scale require robust and customizable solutions to allow teams to build with the freedom to push the envelope of what’s possible. Microsoft Azure DevOps was designed, built, tested, and optimized to make our teams as efficient and secure as they need to be. We build the future of software at Microsoft, and this software is built with Azure DevOps.

“Azure DevOps is the tool that we utilize company-wide to allow our teams to build the future, wherever in the world they are working,” Pfluger says.

Key Takeaways
Here are some tips you can use to help you get started with Microsoft Azure DevOps:

  • Azure DevOps is a powerful productivity and security tool right out of the box. You can release code the same day you set up your instance and you will be able to dial in your security guardrails over time.
  • Azure DevOps scales with you, whether you’re a small team or a large enterprise, or a small team with dreams of becoming much larger. Build with confidence.
  • “Get Clean/Stay Clean” is an operative philosophy that produced immediate security gains for our team.

Try it out
Try Microsoft Azure DevOps by signing up for a Microsoft or GitHub account.

Unpacking Microsoft’s speedy upgrade to Windows 11
http://approjects.co.za/?big=insidetrack/blog/unpacking-microsofts-speedy-upgrade-to-windows-11/
Published Wed, 17 Jan 2024 13:24:19 +0000

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Like our customers, we at Microsoft have a strong business need to address the new challenges created by remote and hybrid work. The internal adoption of Windows 11 is helping our company meet those needs, while enabling our employees to work smarter and more securely, regardless of where they are.

Upgrading to Windows 11 at Microsoft

Our priority in rolling out Windows 11 internally was to provide employees uninterrupted access to a safe and productive workspace while giving them a chance to try out the new operating system.

Introducing a new operating system, especially across a distributed workforce, naturally led to questions about device downtime and app compatibility. However, with established practices and evolved solutions in hand, historical obstacles became just that—a thing of the past. The rollout of Windows 11 at Microsoft was our most streamlined to date, frictionlessly delivering employees the latest operating system in record time.

What made the deployment of Windows 11 a success?

Over the past decade, our Microsoft Digital Employee Experience team, the organization that powers, protects, and transforms employee experiences, has worked closely with teams such as the Windows product group to improve how it runs Microsoft’s updates, upgrades, and deployments.

Whereas significant time and resources were once dedicated to testing app compatibility, building out multiple disk images, and managing a complex delivery method, processes and tools introduced during Windows 10 have streamlined upgrades and enabled the transformation to a frictionless experience.

Data from App Assure, a Microsoft service available to all customers with eligible subscriptions, shows the company had 99.7 percent compatibility for all apps in Windows 11—that eliminated the need for extensive testing. It also meant that employees’ Windows 10 apps work seamlessly in Windows 11. Additionally, Microsoft Endpoint Manager and Windows Update for Business eliminated the need for using more than one disk image and made it easier for employees to get Windows 11.

Our Microsoft Digital Employee Experience team relied on the same familiar tools and process as a Windows 10 feature update to quickly deliver the upgrade to employees.

The upgrade was divided into three parts:

Plan: Identify an execution and communication plan, then develop a timeline

Prepare: Establish reporting systems, run tests, ready employees, and build backend services

Deploy: Deploy Windows 11 to eligible devices

It all starts with a good plan

We at Microsoft Digital Employee Experience have a successful history of deploying new services, apps, and operating systems to employees. And it all starts at the same place—creating a disruption-free strategy that enables employees to embrace the latest technology as soon as possible without sacrificing productivity.

Assess the environment

Before the deployment of Windows 11 could begin, we had to take a careful inventory of all devices at Microsoft and determine which ones we should target. Windows 11 has specific hardware requirements, and a percentage of employees running ineligible devices meant that not every device would be upgraded. Employees with these devices will upgrade to Windows 11 during their next device refresh.

To evaluate the device population, we used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature. This allowed our team to generate reports on devices that either met or failed to meet the minimum specifications. For example, certain devices, especially older desktops, lacked the Trusted Platform Module (TPM) 2.0 that Windows 11 requires for its security features.

In the end, 190,000 devices were deemed eligible based on hardware and role requirements. Over the course of five weeks, our Microsoft Digital Employee Experience team deployed Windows 11 to 99 percent of qualifying devices.
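Update Compliance and Endpoint analytics report eligibility at fleet scale, but it is worth knowing what those reports are actually testing. The function below is an added example, not a script from the post or from the Microsoft Digital Employee Experience team: it checks the published Windows 11 hardware floor (TPM 2.0, UEFI with Secure Boot capability, a 64-bit CPU with at least two cores at 1 GHz, 4 GB of RAM, 64 GB of system storage) on the local machine using standard CIM classes and the SecureBoot module, and returns a structured object that an Intune script or a Power BI import could consume. It does not check the CPU against Microsoft’s supported-processor list, which PC Health Check does, and the 3.5 GB memory tolerance is an assumption to absorb firmware-reserved RAM on 4 GB machines.

```powershell
# Added example: local Windows 11 hardware-eligibility check. Run elevated
# (Confirm-SecureBootUEFI and the TPM class require administrator rights).
function Test-Windows11Eligibility {
    [CmdletBinding()]
    param()
    $checks = [ordered]@{}

    # TPM 2.0: Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec level
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }
    $checks['TPM 2.0 present and enabled'] = ($tpmSpec -eq '2.0') -and [bool]$tpm.IsEnabled_InitialValue

    # UEFI Secure Boot capable: the cmdlet returns $true/$false on UEFI firmware and throws on legacy BIOS.
    # Windows 11 requires the capability, not that Secure Boot is currently switched on.
    $uefiCapable = $true
    $secureBootOn = $false
    try { $secureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $uefiCapable = $false }
    $checks['UEFI with Secure Boot capability'] = $uefiCapable

    # CPU: 64-bit, two or more cores, 1 GHz or faster (MaxClockSpeed is in MHz)
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $checks['CPU 64-bit, >= 2 cores, >= 1 GHz'] =
        ($cpu.AddressWidth -eq 64) -and ($cpu.NumberOfCores -ge 2) -and ($cpu.MaxClockSpeed -ge 1000)

    # RAM: 4 GB required; 3.5 GB tolerance is an assumption for firmware-reserved memory
    $ramGB = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB
    $checks['RAM >= 4 GB'] = $ramGB -ge 3.5

    # Storage: 64 GB on the system drive
    $sysDrive = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $checks['System drive >= 64 GB'] = ($sysDrive.Size / 1GB) -ge 64

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Eligible       = -not ($checks.Values -contains $false)
        SecureBootOn   = $secureBootOn
        TpmSpecVersion = $tpmSpec
        RamGB          = [math]::Round($ramGB, 1)
        FailedChecks   = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object Key)
        Checks         = $checks
    }
}

# Emit JSON so an Intune proactive-remediation detection script or a reporting pipeline can ingest it
Test-Windows11Eligibility | ConvertTo-Json -Depth 3
```

The distinction between "Secure Boot capable" and "Secure Boot on" matters for a security team: a device can pass eligibility with Secure Boot disabled, so the SecureBootOn field is reported separately for follow-up rather than folded into the eligibility verdict.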

Address ineligible devices and exclusions

After evaluating the broad population of devices, our team developed a plan for devices that would not receive a Windows 11 upgrade. Since Windows 10 and Windows 11 can be seamlessly managed side by side within the same management system, we only had to designate the devices that would not receive the upgrade. Using Update Compliance to inform deployment policies, we applied controls to ineligible devices, automatically skipping them during deployment. These measures made it easy to know why a device didn’t upgrade, and also assured a disruption-free experience both for employees and for those on our team responsible for managing the upgrade.

These controls also allowed the company to bypass deployment on any device that had been incorrectly targeted for an upgrade.

Ineligible devices. Windows 10 and Windows 11 can be managed side-by-side and will be supported concurrently at Microsoft until all devices are upgraded or retired. As devices are refreshed, more and more of our employees will gain access to Windows 11.

Devices that should not receive the upgrade. Other devices, like servers and test labs—where we validate new products on previous operating systems—were issued controls and excluded from receiving Windows 11.

Establish a deployment timeline

Once upgradeable devices were identified, our team was able to create a clear timeline. From this schedule, our communications team developed an outreach plan, support teams readied the helpdesk, and the deployment team developed critical reporting mechanisms to track progress.

For the deployment itself, our team used a ring-based approach to segment the deployment into several waves. This allowed us to gradually release Windows 11 across the company, reducing the risk of disruption.

Graphic showing Microsoft's internal Windows 11 upgrade milestones on a timeline.
Microsoft’s internal upgrade to Windows 11 hinged on effective end-to-end communication.

Create a rollback plan

Windows 11 has built-in support for rolling back to Windows 10 with a default window of 10 days after installation. If needed, our Microsoft Digital Employee Experience team could have revised this period via group policy or script using Microsoft Intune. Post-upgrade, there wasn’t much demand for a rollback, but the strategic release cadence that the team used, paired with the rollback capability, gave our team an easy way to quickly revert devices that might require going back to Windows 10 for a business need.
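The 10-day rollback window is governed by the OS uninstall window that DISM exposes, and extending it is the kind of small change that is worth scripting so it lands consistently through Intune. The pair of functions below is an added example, not the team’s own script: Get-OSUninstallWindowDays parses the current window from `DISM /Online /Get-OSUninstallWindow`, and Set-OSUninstallWindowDays applies `DISM /Online /Set-OSUninstallWindow /Value:<days>` and reads the value back to confirm it took. The 2 to 60 day range is the documented limit as I understand it; the exact wording of the DISM output line that is parsed is an assumption, so verify it on one device before relying on the parser. Both must run elevated and before the existing window has expired, because once the old installation is cleaned up there is nothing left to roll back to.

```powershell
# Added example: read and extend the Windows 11 -> Windows 10 rollback window via DISM.
function Get-OSUninstallWindowDays {
    $output = & dism.exe /Online /Get-OSUninstallWindow 2>&1 | Out-String
    # Assumed output line shape: "Uninstall Window : 10"
    if ($output -match 'Uninstall Window\s*:\s*(\d+)') { return [int]$Matches[1] }
    return $null   # no rollback available (window expired or DISM output not recognized)
}

function Set-OSUninstallWindowDays {
    param(
        [Parameter(Mandatory)]
        [ValidateRange(2, 60)]   # documented limits as understood here; DISM rejects values outside them
        [int] $Days
    )
    $null = & dism.exe /Online /Set-OSUninstallWindow /Value:$Days
    if ($LASTEXITCODE -ne 0) { throw "DISM /Set-OSUninstallWindow failed with exit code $LASTEXITCODE" }
    # Read it back rather than trusting the exit code alone
    $actual = Get-OSUninstallWindowDays
    if ($actual -ne $Days) { throw "Rollback window reads $actual days after requesting $Days" }
    return $actual
}

# Intune remediation-script pattern: detection exits non-zero when the window is shorter
# than the business wants, remediation widens it. $desiredDays is an assumed policy value.
$desiredDays = 30
$current = Get-OSUninstallWindowDays
if ($null -eq $current) {
    Write-Output 'No rollback window present; nothing to extend'
} elseif ($current -lt $desiredDays) {
    Write-Output "Extending rollback window from $current to $(Set-OSUninstallWindowDays -Days $desiredDays) days"
} else {
    Write-Output "Rollback window already $current days"
}
```

Keep in mind that a longer window keeps the previous Windows.old installation on disk for that long, so the trade-off is storage on smaller drives against the ability to revert a device for a business need.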

Preparing for success

Prior to starting the Windows 11 upgrade, we asked employees to complete pre-work needed for a successful upgrade. Because the upgrade was so smooth, only light readiness communications were needed. Instead, we focused on ensuring that employees were aware and excited about the benefits of Windows 11 and that they were ready to share their feedback on what it was like to use it.

Reach everyone

To maximize the impact of our communications, our team readied content that was digestible for every employee, regardless of role. Employees needed clear and concise messaging that would resonate, so that they could understand what Windows 11 would mean for them.

Our team in Microsoft Digital Employee Experience targeted a variety of established channels, including Yammer, FAQs on Microsoft SharePoint, email, Microsoft Teams, Microsoft’s internal homepage, and digital signage to promote Windows 11.

To generate interest, our materials focused on:

  • The new look and features of Windows 11, designed for hybrid work and built on Zero Trust
  • Flexible and easy upgrade options, including the ability to schedule upgrades at a time that worked best for the employee
  • The speed at which employees could be up and running Windows 11, as quickly as 20 minutes
  • New terms related to Windows 11 and where employees could go to learn more

An entire page on our company’s internal helpdesk site was dedicated to links related to the upgrade, including Microsoft Docs, where users could find a comprehensive library on new features.

Executive announcements from company leadership also conveyed the benefit of moving to Windows 11 and the ease with which it could be done.

Set expectations

Our team directed employees waiting to see if their device met Windows 11’s hardware requirements to the PC Health Check app. At an enterprise level, the team relied on Update Compliance to assess the device population.

We also used this opportunity to reinforce messaging to Windows 10 users—both operating systems would continue to operate side-by-side until all devices were refreshed. This helped ease concerns for employees who had to wait for an upgrade.

Ready support

Getting the deployment right wasn’t just about sending messages outward. Our team needed to receive and respond to employee questions before, during, and after the Windows 11 rollout.

Our support teams were given an opportunity to delve into Windows 11 prior to the deployment, which, based on experiences with previous upgrades, gave them time to categorize and group by severity any potential issues they might encounter. This familiarity not only helped them give employees informed answers, but also served as another feedback gathering mechanism.

Open for feedback

We run Microsoft on Microsoft technology and we encourage our employees to join the Windows Insider Program, where users are free to provide feedback directly to developers and product teams.

That’s why communications didn’t just focus on what was new with Windows 11, but on how feedback could be shared. If an employee had comments, they submitted them through a Feedback Hub where other employees could upvote tickets, giving visibility to our engineers in Microsoft Digital Employee Experience and the Windows product group.

Pre-work for deployment readiness

In addition to readying employees, we had to make sure all the backend services were in place prior to the deployment. This included building several processes, setting up analytics, and testing.

Establish analytics reports

Evolving beyond previous upgrades, the deployment of Windows 11 was the most data driven release we have ever done. Looking closer at diagnostic data and creating better adoption reporting gave our team clear data to look at throughout the deployment.

Using Microsoft Power BI, our team could share insights regarding the company’s environment. This better prepared everyone on the team and allowed us to monitor progress during deployment.

Our team captured the following metrics:

  • Device population
  • Devices by country
  • Devices by region
  • Eligibility
  • Adoption

In addition to visibility into project status, access to this data empowered our team to engage employees whose eligible devices did not receive the upgrade.

Build an opt-out process

To accommodate users whose eligible devices might need to be excluded from the deployment, our team created a robust workback plan that included a request and approval process, a tracking system, and a set timeline for how long devices would be excluded from the upgrade.

Our Microsoft Digital Employee Experience team released communications specifying the timeframe for employees to opt out, including process steps. Employees who needed to remove their devices from the upgrade submitted their alias, machine name, and reason for exclusion. From there, our team evaluated their requests. Only users with a business reason were allowed to opt out. For example, Internet Explorer 11 requires Windows 10, so employees who need that browser for testing purposes were allowed to remove their devices from the deployment.

Once we had approved devices for exclusion, a block was put in place to remove them from the deployment. Data gathered during the opt-out process enabled us to follow up with these employees, upgrading them to Windows 11 at a more appropriate time.

Create a security model

At Microsoft, security is always top of mind for us. A careful risk assessment, including testing out a series of threat scenarios, was performed before Windows 11 was deployed across the company.

Our Microsoft Digital Employee Experience team built several specific Windows 11 security policies in a test environment and benchmarked them against policies built for Windows 10.

After testing the policies and scenarios to see if they would have any impact on employees, we found that devices with Windows 11 would meet Microsoft’s rigorous security thresholds without creating any disruptions. Just as importantly, users would experience the same behaviors in Windows 11 as they might expect from Windows 10.

The deployment

A decade ago, our efforts to deploy feature updates could be challenging, as we needed to account for different builds, languages, policies, and more. This required careful management of distribution points and VPNs prior to beginning deployment efforts in earnest.

When Windows 10 was released in 2015, our team used two deployment strategies: one for on-premises managed devices and one for cloud managed devices.

Today, the situation is much simpler.

Launched during the Windows 10 era, Windows Update for Business established some of the trusted practices that make product releases and feature updates a great experience for us here at Microsoft. Windows Update for Business deployment service introduces new efficiencies for our team, consolidating two deployment strategies into one.

For the deployment of Windows 11, our team had an advantage—Windows Update for Business deployment service.

Windows Update for Business deployment service enabled our Microsoft Digital Employee Experience team to grab device IDs from across the environment and use them to automate the deployment. Windows Update for Business deployment service handled all the backend processing and scheduling for us; all we needed to do was determine the start and end dates.

Our team easily managed exclusions and opt-outs with Windows Update for Business deployment service, and when a device needed to revert, the service made it easier to remove it from the deployment and roll it back to Windows 10.

Importantly, Windows Update for Business deployment service provides a single deployment strategy for us moving forward. Deployment has been simplified, and the data loaded into Windows Update for Business deployment service for this upgrade will help speed up future releases.
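The opt-out process described earlier (alias, machine name and business reason submitted, approved devices blocked from the deployment) and the deployment service workflow in this section (device IDs in, start date and rollout pacing set, exclusions managed) meet in the Microsoft Graph calls that drive Windows Update for Business deployment service. The script below is an added example, not the Microsoft Digital Employee Experience team’s tooling. It builds the request bodies for a feature-update deployment and for its audience from an eligible-device list and an approved opt-out list, then shows the two POSTs through the Microsoft Graph PowerShell SDK. The endpoint paths, OData type names and property names follow the Graph beta windowsUpdates API as I understand it at the time of writing; treat them as assumptions to verify against current documentation. The catalog entry ID, Azure AD device IDs, opt-out rows and dates are constructed placeholders, and the offline run at the end only renders the JSON.

```powershell
# Added example: build deployment-service payloads for a Windows 11 feature update
# with ring-based rollout, eligible devices as members, and approved opt-outs as exclusions.

function New-FeatureUpdateDeploymentBody {
    param(
        [Parameter(Mandatory)] [string]   $CatalogEntryId,       # feature-update catalog entry (placeholder)
        [Parameter(Mandatory)] [datetime] $StartDateTime,        # the "start date" the team decides on
        [int]    $DevicesPerOffer       = 1000,                  # ring size
        [string] $DurationBetweenOffers = 'P7D'                  # ISO 8601 duration between rings
    )
    @{
        '@odata.type' = '#microsoft.graph.windowsUpdates.deployment'
        content = @{
            '@odata.type' = '#microsoft.graph.windowsUpdates.catalogContent'
            catalogEntry  = @{
                '@odata.type' = '#microsoft.graph.windowsUpdates.featureUpdateCatalogEntry'
                id            = $CatalogEntryId
            }
        }
        settings = @{
            '@odata.type' = 'microsoft.graph.windowsUpdates.deploymentSettings'
            schedule = @{
                startDateTime  = $StartDateTime.ToUniversalTime().ToString('o')
                gradualRollout = @{
                    '@odata.type'         = '#microsoft.graph.windowsUpdates.rateDrivenRolloutSettings'
                    durationBetweenOffers = $DurationBetweenOffers
                    devicesPerOffer       = $DevicesPerOffer
                }
            }
        }
    }
}

function Get-ApprovedOptOutDeviceIds {
    # Assumed columns from the opt-out form: Alias, MachineName, DeviceId, Reason, Approved
    param([Parameter(Mandatory)] [object[]] $OptOutRequests)
    # Only approved requests that carry a stated business reason become exclusions
    $OptOutRequests | Where-Object { $_.Approved -eq 'Yes' -and -not [string]::IsNullOrWhiteSpace($_.Reason) } |
        ForEach-Object DeviceId
}

function New-AudienceUpdateBody {
    param(
        [Parameter(Mandatory)] [string[]] $EligibleDeviceIds,
        [string[]] $ExcludedDeviceIds = @()
    )
    $ref = { param($id) @{ '@odata.type' = '#microsoft.graph.windowsUpdates.azureADDevice'; id = $id } }
    # The service honours exclusions over members, but keep an excluded device out of both lists
    $members = @($EligibleDeviceIds | Where-Object { $_ -notin $ExcludedDeviceIds } | ForEach-Object { & $ref $_ })
    @{
        addMembers    = $members
        addExclusions = @($ExcludedDeviceIds | ForEach-Object { & $ref $_ })
    }
}

# Constructed sample input (fake GUIDs, fake aliases)
$eligibleDevices = @(
    '11111111-1111-4111-8111-111111111111',
    '22222222-2222-4222-8222-222222222222',
    '33333333-3333-4333-8333-333333333333'
)
$optOutRequests = @(
    [pscustomobject]@{ Alias = 'alice'; MachineName = 'ALICE-LAB1'; DeviceId = '22222222-2222-4222-8222-222222222222'; Reason = 'IE11 compatibility testing'; Approved = 'Yes' },
    [pscustomobject]@{ Alias = 'bob';   MachineName = 'BOB-PC';     DeviceId = '33333333-3333-4333-8333-333333333333'; Reason = 'Prefers Windows 10';       Approved = 'No'  }
)

$deployment = New-FeatureUpdateDeploymentBody -CatalogEntryId 'catalog-entry-id-placeholder' -StartDateTime (Get-Date '2021-11-01T08:00:00')
$audience   = New-AudienceUpdateBody -EligibleDeviceIds $eligibleDevices -ExcludedDeviceIds @(Get-ApprovedOptOutDeviceIds $optOutRequests)

# Offline: render what would be sent (alice's device is excluded; bob's stays a member)
$deployment | ConvertTo-Json -Depth 6
$audience   | ConvertTo-Json -Depth 4

# Live calls, assumed prerequisites: Connect-MgGraph -Scopes 'WindowsUpdates.ReadWrite.All' and
# devices already enrolled via POST /beta/admin/windows/updates/updatableAssets/enrollAssets.
# $created = Invoke-MgGraphRequest -Method POST -Uri 'https://graph.microsoft.com/beta/admin/windows/updates/deployments' -Body $deployment
# Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/beta/admin/windows/updates/deployments/$($created.id)/audience/updateAudience" -Body $audience
```

Keeping the opt-out evaluation in its own function is deliberate: it is the one place where a human decision (was there a business reason?) turns into a deployment control, so it is the function to log and review. The same payload shape, with removeExclusions instead of addExclusions, is how a device returns to the deployment when its exclusion window ends.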

Policies for success

We had to decide which policies we wanted to work with for the greatest outcome. This included how many alerts an employee would receive before receiving an upgrade to Windows 11.

Windows Update for Business deployment service reduced the long list of policies that our team needed to manage during deployment. This accelerated deployment without compromising security.

From pilot to global deployment

By structuring the deployment timeline to hit a small group of employees before incrementally moving on to a larger population, our Microsoft Digital Employee Experience team ensured Windows Update for Business deployment service ran as expected and that all required controls and permissions were set.

As our team used the Windows Update for Business deployment service to plot out upgrade waves, Windows 11 downloaded in the background and employees received pop-up alerts when their device was ready. The employee could restart at any time and would boot into Windows 11 after a few automated systems completed the installation. Employees could also schedule Windows 11 to upgrade overnight or during the weekend.

Onboarding OEMs

Working closely with Microsoft Surface and other Original Equipment Manufacturer (OEM) partners, the companies who supply Microsoft with new devices, our team was able to ensure that our employees had Windows 11 pre-loaded onto their PCs. This approach guaranteed that new devices complied with the hardware requirements of the new system.

A new device, straight out of the box, only needs to be powered on and connected to the internet before Windows Autopilot authenticates and configures everything for the user. Once initial setup is complete, Windows Autopilot ensures that new devices are equipped with Windows 11 and all the correct policies and settings.

Video (https://www.youtube.com/watch?v=1d4z5N5XCsA): Biswa Jaysingh, principal group program manager on the Microsoft Digital Employee Experience team, shares five key learnings from releasing Windows 11 across Microsoft.

Entering the next stage of Windows at Microsoft

The deployment of Windows 11 at Microsoft validates our team’s approach to product releases and upgrades. With no measured uptick in support tickets, the deployment of Windows 11 has been a frictionless experience for employees and the wide adoption of new features confirms the value of the effort. The speed at which the team completed the deployment—190,000 devices in five weeks—represents the fastest deployment of a new operating system in company history.

We credit the success of this deployment to good planning, tools, strong communication, and the positive upgrade experience Windows 11 provides.

Windows Update for Business deployment service proved to be a big step in the evolution of how employees get the latest version of Windows. The service’s ease of use meant the team had a higher degree of control, flexibility, and confidence.

The tighter hardware-to-software ecosystem that comes with Windows 11 means our employees and all users of the operating system benefit from richer experiences. This, along with integration to Microsoft Teams, are just a few examples of what users are seeing now that they’re empowered by Windows 11.

Key Takeaways

  • Understand the hardware eligibility requirements for Windows 11.
  • The better you understand your environment the easier it will be to create a timeline, a communication plan, and ultimately track the deployment.
  • Messaging is key for leaders in the organization to share, especially for adoption.
  • Run a pilot with a handful of devices before deploying company wide. This will allow you to check policies for consistent experiences. Then move on to a ring-based deployment to carefully manage everything.
  • There’s no need to create multiple deployment plans with Windows Update for Business deployment service; it can automate the experience, streamlining the entire workflow. Instead of waiting until everyone is ready, consider running Windows 10 and Windows 11 side-by-side. Prepare today by deploying to those who are ready now.
