update Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/update/
How Microsoft does IT
Fri, 30 Aug 2024 16:09:11 +0000

Autopilot speeds up Windows 10 image deployment inside Microsoft
http://approjects.co.za/?big=insidetrack/blog/autopilot-speeds-up-windows-10-image-deployment-inside-microsoft/
Mon, 02 Sep 2024 17:33:30 +0000

The first experience a new employee has at Microsoft shouldn’t be waiting for their laptop to get set up.

“We’re transforming the experience our employees have when they first turn on their PCs,” says Sean MacDonald, a principal group program manager in Microsoft Digital. “Our employees expect a best-in-class experience and we’ve been working hard to deliver that to them. The best part is that all of our customers can have the exact same experience.”

It used to take up to an hour to get Windows 10 running on a new or rebuilt PC—that was before Microsoft Digital started using Windows Autopilot, a new deployment program that automates most of the setup process. With this new program developed in partnership with the Windows and Intune teams, the user receives a device with the latest image directly from the OEM and all the user needs to do is power on, connect to any internet connection, authenticate, and the rest is silently hydrated via Microsoft Intune.

“Now, with Autopilot, we’re seeing it take less than 10 minutes to set up a device,” MacDonald says. “We’ve reduced the user’s set up time by 90 percent.”

After piloting the technology, Microsoft Digital started a soft launch in October using Autopilot for select new devices, says Mina Aitelhadj, a program manager on Microsoft Digital’s Modern Device Platform Team.

Microsoft is using an OEM-developed (original equipment manufacturer) image on all devices where Autopilot is being used. The goal is for Microsoft Digital to evolve to the point where it is using Autopilot with Intune provisioning to image all new devices by January.

Microsoft is one of the first enterprises to use Autopilot in a full, modern management scenario.

“Our early testing and deployment inside of Microsoft will help us provide best practices and guidelines for our customers when they are ready to move onto a fully modern Azure platform,” Aitelhadj says.

Getting to this point has been challenging, she says.

Like any large enterprise, the Microsoft environment is complex. Company employees work in all kinds of different roles, and they rely on a wide variety of devices to support that work. This variety of device choices made it challenging to provide a consistent out-of-the-box experience for new employees (and for existing employees when issued new PCs).

Before Microsoft started using Autopilot internally, the team streamlined the imaging process as much as possible, but the company is so big (it literally offers employees hundreds of PC configurations to choose from) that speeding up how long it took an employee to get their new machine set up required that Microsoft Digital entirely rethink and redesign its approach, Aitelhadj says.

“Even though our custom imaging process was fine-tuned to its best, it was still process-intensive and wasn’t easy to manage across multiple OEMs and global regions,” she says. “To add to that, our devices needed to be connected to our corporate network to deploy our custom images.”

Now that Autopilot is handling all that work, the team can focus on fine tuning. “This is a big step up for us because we’re saving our team time and money and we’re getting critical work time back,” Aitelhadj says.

Are you interested in how Autopilot could work at your company? Windows Autopilot is available externally. It is available for Windows 10 users on Azure Active Directory, and users of Windows Autopilot Hybrid Azure AD can use it to join Windows 10 devices to both Azure Active Directory and Active Directory.

How deploying an image with Autopilot works

Why has installing a new Windows image traditionally been so challenging?

Companies like Microsoft have had to continuously update their custom images to make sure they are current and secure, Aitelhadj says. Every month the Windows team issues patches and updates, and those have had to be woven into each image before it could be deployed.

Before the company started using Autopilot (and in cases where it’s not yet using the new tool), handling those month-to-month updates made deploying new images very challenging.

“Our engineers have had to build and maintain our image on a monthly basis for all devices in our global ecosystem,” she says. “They have had to send each image to the OEMs. Those images include our policies, certifications, profiles—everything needed to get the devices ready for one of our employees. We’ve streamlined how we create our custom image within Microsoft, and Autopilot streamlines that even further for both IT pro and users.”

Once Autopilot is deployed across the entire company, everything will get a lot simpler.

“Say I’m a company and I have 10 users coming onboard,” Aitelhadj says. “Instead of having an IT pro load our custom image onto those PCs, the OEM will preload the devices with a universal Commercial OEM Image, they will register those machines onto Autopilot, and everything will get loaded onto those machines automatically, once the user logs in.”

Using Autopilot, the OEM loads just the operating system and Microsoft Office onto a computer—just what the employee needs to be able to turn their machine on and get started. Once online, Autopilot guides the user through a nearly hands-off out-of-box experience in which it not only handles all custom configuration settings, but also downloads and installs all needed applications. The other benefit is that the user does not have to be on the company’s corporate network or in a campus building to set up the device—they can do it from any internet connection.

And the user experience?

Thanks to Autopilot, it has gone from a struggle to an easy first log in. The trick was to then make it easy and intuitive for the employee to download and set up all the applications they need to do their work.

“We make it as simple as possible by provisioning the device with all the policies, certs, and core apps,” Aitelhadj says. “It all loads in the background within a few minutes. We limit their interaction to just the stuff they need to click through—like security and a few other required things.”

And yes, the team wanted to give the IT pros who spend hours and hours updating images each month time back, but the bigger goal was to create a simpler, more user-guided, less error-prone experience for users, thereby reducing end user frustration and the need for IT support. All this needed to be done without a time gap—for security reasons, all current updates need to be made as the new employee’s PC is booted up and handed over to them.

“We’ve saved our pilot users hundreds of hours—we’re getting them productive faster,” Aitelhadj says. “It’s pretty awesome to have that kind of impact.”

Boosting Windows internally at Microsoft with a transformed approach to patching
http://approjects.co.za/?big=insidetrack/blog/boosting-windows-internally-at-microsoft-with-a-transformed-approach-to-patching/
Wed, 12 Apr 2023 17:30:02 +0000

You’re only as secure as your most vulnerable machine.

That leaves enterprises like ours at risk when our employees don’t update to the latest software version on a timely basis. Bad actors are tirelessly pursuing the smallest of vulnerabilities, so responding quickly will always be essential when it comes to securing your organization’s environment.

For us, secure and timely Windows patching is one of our first lines of defense. That’s why we’re using Windows Update for Business to transform how we deploy our updates.

“Securing data is an extremely important priority,” says Biswa Jaysingh, a principal product manager with our Microsoft Digital Employee Experience team, the organization that powers, protects, and transforms the company. “This means responding quickly to vulnerabilities, getting accurate patches out in a timely manner, and helping users install updates using a disruption-free method.”

By making deploying Windows patching updates a better experience for our employees and IT admins who own the process, we’ve decreased the amount of time it takes for us to respond to vulnerabilities, deploy patches, and reach target compliance rates. This approach has strengthened our overall security posture.

A big part of our transformed experience is due to Windows Update for Business, which reduces the time and effort it takes us to configure our machines and deploy security updates, which in turn is leading to better, more secure outcomes.

The triple aims of patching

Patching has three parts: completeness, timeliness, and accuracy.

Microsoft wants to make sure all devices—including those that employees rarely use—are compliant and secure, says Biswa Jaysingh, a principal product manager with our Microsoft Digital Employee Experience team.

“A single device left untouched causes the same amount of risk as not doing anything at all,” Jaysingh says. “It’s not a choice for the enterprise to patch some, but not all, of their vulnerabilities, and say, ‘Let’s just hope that no one cracks open the one we didn’t patch.’”

That’s where patching compliance comes into play. The goal is always to have a vulnerability patched in the shortest amount of time possible across a large volume of user devices. The third leg, accuracy, is ensuring that all dependencies are also addressed for vulnerabilities.

Of course, a patch only works when correctly installed, which is why Microsoft sets aggressive internal timeliness standards to define how long users have to install the updates.

“We should reach 95 percent compliance within 30 days after a security update is released,” says Harshitha Digumarthi, a senior product manager responsible for improving the security patching experience on our Microsoft Digital Employee Experience team. “Users don’t always treat updates with the same degree of importance, especially if it disrupts their work. Making Windows patching a better experience improves our compliance significantly.”

Automatic forced reboots and a deluge of notifications were not a pleasant update experience. While effective from a brute-force perspective, they caused consternation among users who delayed or avoided updating their devices.

What if, for example, you were in a presentation when your machine automatically shut down for an update? This kind of disruption to productivity is the kind of experience we’re trying to avoid.

Providing a seamless patching experience

Our team in Microsoft Digital Employee Experience has implemented new recommendations that minimize disruption for users while bolstering the Windows patching security posture. This process begins with adopting advances in Windows Update for Business.

Windows Update for Business automates a significant portion of the deployment process, eliminating the need for our IT admins to complete multiple builds and tests and allowing them to work more efficiently and accurately.

Overall, this strategy reduces our operational costs and improves our speed of deployment and adoption.

In Windows Update for Business, we can expedite zero-day patching, communicate with users, and easily manage deployment deadlines and notifications. All of this used to be manual.

These efficiencies allow our admins to take on other tasks.

But it also ensures a better update experience for users by having predictable and accurate patches deployed at the same time each month.

Microsoft’s goal is to install all new updates on all devices in its ecosystem within 30 days of an update being released, says Harshitha Digumarthi, a senior product manager responsible for improving the security patching experience on our Microsoft Digital Employee Experience team.

“By utilizing Windows Update for Business, we are now routing all software updates for both Windows and other key Microsoft applications like Visual Studio to a single deployment on Patch Tuesday,” Digumarthi says. “This means that we have reduced the impact on users to only a single monthly reboot.”

Our employees appreciate the smoother, less invasive patching experience given by Windows Update for Business and are installing updates more quickly. More complete and timely update compliance means that Microsoft is more secure.

Driving compliance and security

Our Microsoft Digital Employee Experience team continues to make strides in improving our Windows update workflow, creating a better user and admin experience. Windows Update for Business empowers us to close vulnerabilities faster, achieving the triple aim of completeness, timeliness, and accuracy, all while reducing operational cost and achieving our security goals.

“The primary focus is creating a great user experience,” Digumarthi says. “After that it’s about improving operating costs and the admin experience. It’s very expensive to patch and meet compliance goals, but we’re finding ways to become more efficient with automation.”

Creating a predictable Windows update experience, where users know when they’re getting updates, has significantly improved compliance. Once everything is packaged into the smallest number of reboots possible, and notifications cease to be a disruption, patching becomes less of a hassle.

“We worked hard to minimize the impact that updates have on users and teams to encourage more timely compliance,” Jaysingh says. “We are seeing success on all fronts, and the proof is in our compliance rates. We are now more secure than ever.”

Key Takeaways

  • With Windows Update for Business, everything becomes predictable for users: all updates are integrated on Patch Tuesday, and reboots are minimized. You can install the security updates to Windows alongside security updates to other Microsoft applications like Visual Studio, which aligns the timing for when your machines are secure.
  • By batching Windows patches in Windows Update for Business, IT admins are seeing reduced workloads through automation.
  • Deployment timeframes are compressed with this strategy as testing regimes are automated in Windows Update for Business, and users are adopting updates more quickly.
  • Understanding your device population helps admins recognize why compliance rates might be low. If users do not have enough disk space for a patch, for example, they might be delaying and inhibiting your compliance goals.
