Windows Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/windows/
How Microsoft does IT

Boosting employee device procurement at Microsoft with better forecasting
http://approjects.co.za/?big=insidetrack/blog/boosting-employee-device-procurement-at-microsoft-with-better-forecasting/
Fri, 28 Jun 2024 15:16:15 +0000

The post Boosting employee device procurement at Microsoft with better forecasting appeared first on Inside Track Blog.

Microsoft Digital stories

Device forecasting at Microsoft has allowed the company to plan for new hires, replace out-of-warranty devices for existing employees, and respond to major events, like the release of Windows 11. As a result, we’ve been able to strategically acquire equipment in a more efficient way.

It all started with a shift to remote work.

“New employees will always need a device on day one,” says Pandurang Kamath Savagur, a senior program manager with Microsoft Digital, the organization that powers, protects, and transforms the company. “But for the first time ever, we were also in an experience where people had to stay productive from home with only a single device. They couldn’t easily get into the offices for a secondary or loaner device.”

To anticipate demand and offset delays, Microsoft Digital built a platform where administrators across the company could project the number of devices they’d need. Simultaneously, the group took a close look at the current device population to forecast the number of employees who would need a device refresh—all in time for the deployment of Windows 11.

[Discover how Microsoft quickly upgraded to Windows 11. Find out how Microsoft is reinventing the employee experience for a hybrid world. Learn more about verifying devices in a Zero Trust model.]

Getting better at predicting the future

Historically, Microsoft didn’t need to build up a large inventory of devices for employees; everything was made to order.

It worked a little bit like this:

Procurement, having already certified devices and negotiated pricing and SLAs suitable for employees, enables administrators or direct employees to obtain a new employee device through our internal ProcureWeb tool. The tool places a purchase order directly to the OEM—the third-party manufacturer of the device—or a reseller who would then manufacture and ship the equipment out to the user.

But the shift in how people worked meant we’d need to be more proactive in procuring devices for employees. And to get there, we’d need a better picture of fluctuating demand.

“Business groups own the budget, so they know what the next six months will look like for their team,” Savagur says. “Microsoft onboards approximately 3,000 employees each month, and every employee needs to select and set up a device. We can’t just buy 3,000 devices a month—we need to know specifications about how it will be used.”

Everything from storage space, computing power, memory, and keyboard language to the number of units would need to be collected from business groups. Once that information came in, Procurement could work with OEMs to have machines ready and available to be delivered to administrators well in advance.

This new approach to device forecasting has streamlined the way Microsoft acquires devices, giving us adequate stock to ensure a good experience. We can now anticipate device purchases for new hires while also accounting for break fixes.

And the timing of this effort couldn’t have been better—Windows 11 was on the way, and we would need this new approach along with additional analysis to get the new operating system into the hands of employees.

Empowering Microsoft with Windows 11

Released in late 2021, Windows 11 gives us the enterprise-grade security that Microsoft requires. To achieve this secure-by-default state, we needed to replace older devices with equipment that met the Windows 11 hardware requirements.

But instead of issuing new devices to everyone at launch—something that would be both costly and logistically impossible—we took a strategic approach, using a combination of telemetry and machine learning to identify and prioritize devices for replacement.

Anqi Cheng and Neeti Sawant teamed up to transform the way the company handles its internal device forecasting. Cheng is a data scientist with the W+D Data team, and Sawant is a data engineer with Microsoft Digital.

“We have telemetry data, application usage, and warranty information, and that gives us a base to forecast from in Power BI,” says Neeti Sawant, a data engineer with Microsoft Digital who helped create a device forecasting dashboard as part of this effort. “It told us what we needed to monitor and forecast, which devices are aging out, and when they would be eligible for a refresh.”

But we weren’t just relying on warranty data alone.

Using Microsoft Azure Cosmos DB and Microsoft Azure Databricks for machine learning, we are able to leverage the historical data for device population and apply survival modeling techniques, predicting how many ineligible primary devices would be active over the next few years leading up to the Windows 10 end of support.

Device forecasting has allowed us to work closely with OEMs so that devices are available on time and so that we’re not selecting on availability, but rather meeting all the performance, compliance, and security needs of our users. Satisfaction scores from employees have increased by 20 points since we started doing this.

—Pandurang Kamath Savagur, senior program manager, Microsoft Digital

“Not all users will replace their device at the end of warranty,” says Anqi Cheng, a data scientist with the W+D Data team at Microsoft. “Although many devices will naturally age out over time, many users hang on to their devices for an extended time. When combined with other device forecasting data, we had a holistic view of the landscape.”

This level of analysis ensured Microsoft would be able to quickly develop a roadmap for getting employees on Windows 11.

A bright forecast for Microsoft

Employees at Microsoft can—and should—expect to have a device that engages, protects, and empowers them. Device forecasting makes this possible.

“Device forecasting has allowed us to work closely with OEMs so that devices are not selected on availability, but rather meeting all the performance, compliance, and security needs of our users,” Savagur says. This effort has resulted in a better experience for employees. “Satisfaction scores from employees have increased by 20 points since we started doing this.”

Access to device forecasting information has also been helpful to admins and Finance, who now have a better idea as to which devices will need to be refreshed for Windows 11. Moving into the future, these same projections will make it easier for Procurement to put the right device into an employee’s hands.

“With the analysis provided to us by Microsoft Digital, we can now understand how many primary devices are in our environment and when we expect them to refresh,” says Colby McNorton, a senior program manager on the Microsoft Procurement team. “As we look forward, instead of the purchasing journey being reactive, we can proactively reach out to users and tell them that their device is at the end of its life and even recommend a device based on what we know about usage.”

Thanks to Windows Autopilot, new devices are automatically pre-configured with Windows 11. Windows Autopilot deploys an OEM-optimized version of the Windows client, so you don’t have to maintain custom images and drivers for every device model. This makes new devices business-ready faster, empowering employees to stay engaged and protected. Users can just switch on, sign in, and all policies and apps will be in place within a day.

 

Key Takeaways

  • Be sure to get visibility into your device population. Find out what kinds of devices are on your network, where they’re located, who owns them, and what stage they’re at in their lifecycle. This gives you a lot of agility in a changing environment. You can do this using Microsoft Intune.
  • Windows 10 and Windows 11 can be co-managed side by side using the same tools and processes, which makes it possible for Microsoft and other companies to be methodical about replacing devices.
  • Spend time with team admins who understand user needs. This allows you to cultivate a short list of devices that are best suited for your employees and gives procurement clear priorities.

Implementing strong user authentication with Windows Hello for Business
http://approjects.co.za/?big=insidetrack/blog/implementing-strong-user-authentication-with-windows-hello-for-business/
Wed, 26 Jun 2024 14:00:43 +0000

The post Implementing strong user authentication with Windows Hello for Business appeared first on Inside Track Blog.

Microsoft Digital technical stories
[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Deploying Windows Hello for Business internally here at Microsoft has significantly increased our security when our employees and vendors access our corporate resources. This feature offers a streamlined user sign-in experience—it replaces passwords with strong two-factor authentication by combining an enrolled device with a PIN or biometric user input for sign in. Windows Hello was easy to implement within our existing identity infrastructure and is compatible for use within our remote access solution.

The Windows Hello for Business feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. We—the Microsoft Digital Employee Experience team—streamlined the deployment of this feature as an enterprise credential to improve our user sign-in experience and to increase the security of accessing corporate resources.

Using this feature, users can authenticate to a Microsoft account, an Active Directory account, or a Microsoft Azure Active Directory (Azure AD) account.

The Windows Hello for Business feature is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, thefts, and phishing.

Other benefits of this feature include:

  • It supports our Zero Trust security model. It emphasizes an identity-driven security solution by centering on securing user identity with strong authentication and on eliminating passwords.
  • It uses existing infrastructure. We configured Windows Hello to support smart card–like scenarios by using a certificate-based deployment. Our security policies already enforced secure access to corporate resources with two-factor authentication, including smart cards and Microsoft Azure Multi-Factor Authentication. Windows Hello is currently enabled, and we anticipate an increase in usage as more biometric-capable devices become available in the market.
  • It uses a PIN. It replaces passwords with stronger authentication. Users can now sign in to a device using a PIN that could be backed by a trusted platform module (TPM) chip.
  • It provides easy certificate renewal. Certificate renewals automatically occur when a user signs in with their PIN before the lifetime threshold is reached.
  • It permits single sign-on. After a user signs in with their PIN, the user has access to email, SharePoint sites (when using the latest Office 365 versions), and business applications without being asked for credentials again.
  • It is compatible with remote access. When using a certificate-based PIN, users can connect remotely using a Microsoft Digital Employee Experience VPN without the need for multi-factor authentication with phone verification.
  • It supports Windows Hello. If users have compatible biometric hardware, they can set up biometrics sign-in to swipe their finger or take a quick look at the device camera.

Our deployment environment for the Windows Hello for Business feature includes:

  • Server: Microsoft Azure AD subscription and Microsoft Azure AD Connect to extend on-premises directory to Azure AD:
    • For certificate-based: Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), Network Device Enrollment Service (NDES), and Microsoft Intune
  • Client: A device, preferably with an initialized and owned TPM.

For more information about integrating on-premises identities with Microsoft Azure AD, see Integrating your on-premises identities with Microsoft Azure Active Directory.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=3k4Mduc9eUQ, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Dimitris Papitsis, Service Engineer for Inside Track, and Mike Stephens, Senior Program Manager, OS Security, share lessons learned when Inside Track deployed Windows Hello for Business on 100,000 Windows 10 devices over existing infrastructure, including Intune, System Center Configuration Manager, Public Key Infrastructure, and Azure Active Directory.

Enrollment and setup

Windows Hello for Business user enrollment steps vary, based on our deployed scenarios. For all scenarios, users will need to use their smart card or multi-factor authentication with a verification option—such as a phone call or verification on a mobile app, such as Microsoft Authenticator, in addition to their user name and password—to complete the enrollment.

The Windows Hello for Business feature supports the following enrollment scenarios:

  • On-premises Active Directory domain–joined devices. Users sign in with their domain account, the Group Policy is applied, the device is registered with Microsoft Azure Active Directory, and then the user creates a PIN.
  • Microsoft Azure AD–joined devices managed by Microsoft Intune. Users must enroll in device management (or add a work account) through Microsoft Intune. After their device is enrolled and the policies are applied, the PIN credential provisioning process begins and users receive the prompt to create their PIN.

Requirements

  • Two-factor authentication is required for PIN creation using one of the existing methods (virtual smart card, physical smart card, or multi-factor authentication with phone verification).
  • A PIN that is at least six characters long.
  • A connection to the internet or Microsoft corporate network.

Physical architecture

Our Windows domain-joined devices were already synchronized with Microsoft Azure AD through Microsoft Azure AD Connect, and we already had a public key infrastructure (PKI) in place. Already having PKI reduced the amount of change required in our environment to enable the Windows Hello for Business feature.

To deploy user certificates based on Windows Hello keys, we used AD FS, AD CS, and Group Policy.

Server roles and services

In our implementation, the following servers and roles work together to enable Windows Hello as a corporate credential:

  • Microsoft Azure AD subscription with Microsoft Azure Active Directory Device Registration Service to register devices with Azure Active Directory.
  • Microsoft Intune is used to enroll devices joined to Microsoft Azure Active Directory.
  • AD FS is used for federated identities and Microsoft Azure AD Application Proxy for secure remote access of web applications hosted on-premises. AD FS Registration Authority is used to handle certificate issuances and renewals for devices that are joined to the domain.
  • PKI includes NDES servers (with policy module) and certificate authorities (with smart card EKU—enhanced key usage—template), used for the issuance, renewal, and revocation of Windows Hello for Business certificates.

Domain-joined service workflow

The following workflow applies to any Windows 10 computers joined to our AD DS domain.

  • Our domain-joined devices pull a Group Policy object that configures certificate enrollment, PIN-enablement, and notification tasks.
  • After users sign out and sign in again, or if they select the pop-up notification when it displays, a PIN creation workflow runs, and they must configure their new PIN.
  • During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
    • If the client and infrastructure support Instant-On, a key-receipt verification package is downloaded and a certificate request is sent to the AD FS registration authority. AD FS confirms valid key ownership and submits the request on behalf of the user to an AD CS certification authority.
  • The certificate is delivered to the computer.

Microsoft Azure Active Directory–joined service workflow

  • Windows Intune pushes a device policy to Microsoft Azure Active Directory–joined devices. This policy contains the URL of the NDES server and the challenge generated by Intune.
  • During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • The device contacts the internet-facing NDES server using the NDES server URL from the policy and provides the challenge response. The NDES server validates the challenge with the certificate registration point (CRP) and receives a “true” or “false” result for the challenge verification.
    • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
  • The NDES server delivers the certificate to the computer.

Setting policies

Our Microsoft Digital Employee Experience team used domain-based Group Policies to push out policy-based settings to configure our Windows 10 domain-joined devices to provision Windows Hello user credentials when users sign in to Windows. Non-domain joined devices receive their policies from Intune. We also used these settings to define the complexity and length of the PIN that our users generate at registration and to control whether Windows Hello was enabled.

We had the option to configure whether we would accept certificate-based Windows Hello for Business with PIN as a software-backed credential. We chose to enable Windows Hello for Business with a hardware-required option, which means that keys are generated on the TPM.

Policies for Microsoft Active Directory domain–joined clients

You must create and deploy a Group Policy object using the settings found under User Configuration > Administrative Templates > Windows Components > Windows Hello for Business.

The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. Both the Enable Windows Hello for Business setting and the Use certificate for on-premises authentication setting must be enabled.

Windows 10 also provides PIN complexity settings for control over PIN creation and management. Beginning with Windows 10 version 1703, the policy settings are found under Computer Configuration > Administrative Templates > System > PIN Complexity.

Policies for Microsoft Azure Active Directory–joined clients

To use the Windows Hello/Windows Hello for Business certificate-based sign-in, configure the certificate profile (Assets & Compliance > Compliance Settings > Company Resource Access > Certificate Profiles). Select a template that has smart card sign-in extended key usage. Note that to set the minimum key size, this certificate template should be configured in the Simple Certificate Enrollment Protocol (SCEP) Enrollment page; you can then use the Windows Hello for Business and Certificate Properties page to set the minimum key size to 2048.

To set up the desired policy, we also need to create a new Windows Hello for Business profile (Assets & Compliance > Compliance Settings > Company Resource Access > Windows Hello for Business profiles) and specify the following required options:

  • Use Windows Hello for Business
  • Use a hardware security device
  • Use biometrics
  • PIN Complexity

User enrollment experience

When a domain-joined computer running Windows 10 Anniversary Update or later pulls Group Policy settings from a domain controller, certificate enrollment policies and the Windows Hello for Business policies are applied to the Windows 10 computer, provided all the criteria for policy application are met.

Client signs out and signs in (and unlocks) the device

The user unlocks their device, and the certificate enrollment process is triggered.

Certificate enrollment process

After a PIN is successfully created, the scheduled task runs (triggered by Event ID 300, which is “Key registration was successful.”). It checks for an existing certificate. If the user doesn’t have one, the task sends a request for a new challenge.

At this point, Windows 10 calls on the specified Certificate Services server through AD FS and requests a challenge with an expiration time. If the PIN is cached, the certificate enrollment is triggered.

Certificate renewal behavior

We have configured PIN credential certificates to have a lifetime of 90 days from when they are issued. Renewals will happen approximately 30 days before they expire. When a user next enters their Windows Hello for Business PIN within the 30 days prior to its expiration, a new certificate will be automatically provisioned on their device.

Certificate renewal is governed by Group Policy settings for auto-enrollment. The system checks for certificate lifetime percentage and compares it against the renewal threshold. If it’s beyond the set threshold, a certificate renewal starts.
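
The renewal check described above, as an added example (not Microsoft's tooling and not code from the original article): a PowerShell function that classifies logon certificates using the 90-day lifetime and 30-day renewal window stated on this page. The function name `Get-WhfbCertRenewalState`, the sample rows, and the fixed evaluation date are assumptions made for illustration.

```powershell
# Added example. Get-WhfbCertRenewalState is a hypothetical helper name.
# It mirrors the check described in the text: compare how much of a
# certificate's lifetime has elapsed against the point where renewal opens.
function Get-WhfbCertRenewalState {
    [CmdletBinding()]
    param(
        # Any object exposing Subject, NotBefore and NotAfter, for example an
        # X509Certificate2 from the Cert: drive or a row from a CA report.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Certificate,

        # Days before expiry at which renewal is expected to start.
        # 30 is the value given in the article.
        [ValidateRange(1, 3650)]
        [int]$RenewalWindowDays = 30,

        # Evaluation time, exposed as a parameter so results are reproducible.
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $notBefore = [datetime]$Certificate.NotBefore
        $notAfter  = [datetime]$Certificate.NotAfter
        $lifetime  = $notAfter - $notBefore

        # Guard against malformed rows (zero or negative validity period).
        if ($lifetime.TotalSeconds -le 0) {
            Write-Warning "Skipping '$($Certificate.Subject)': NotAfter is not later than NotBefore."
            return
        }

        # Point in time at which the renewal window opens.
        $renewalStart = $notAfter.AddDays(-$RenewalWindowDays)

        # Percentages are reported for comparison with a template's threshold;
        # the state itself is decided on exact dates to avoid rounding errors.
        $elapsedPct   = [math]::Round((($AsOf - $notBefore).TotalSeconds / $lifetime.TotalSeconds) * 100, 1)
        $thresholdPct = [math]::Round((($renewalStart - $notBefore).TotalSeconds / $lifetime.TotalSeconds) * 100, 1)
        $thresholdPct = [math]::Max(0.0, $thresholdPct)   # lifetime shorter than the window

        $state = if     ($AsOf -lt $notBefore)    { 'NotYetValid' }
                 elseif ($AsOf -ge $notAfter)     { 'Expired' }
                 elseif ($AsOf -ge $renewalStart) { 'RenewalDue' }
                 else                             { 'Healthy' }

        [pscustomobject]@{
            Subject             = $Certificate.Subject
            State               = $state
            LifetimeElapsedPct  = $elapsedPct
            RenewalThresholdPct = $thresholdPct
            RenewalOpens        = $renewalStart
            DaysRemaining       = [int][math]::Floor(($notAfter - $AsOf).TotalDays)
        }
    }
}

# Constructed sample rows (not real certificates), each with a 90-day lifetime.
$sample = @(
    [pscustomobject]@{ Subject = 'CN=user-a (constructed)'; NotBefore = [datetime]'2024-06-01'; NotAfter = [datetime]'2024-08-30' }
    [pscustomobject]@{ Subject = 'CN=user-b (constructed)'; NotBefore = [datetime]'2024-04-20'; NotAfter = [datetime]'2024-07-19' }
    [pscustomobject]@{ Subject = 'CN=user-c (constructed)'; NotBefore = [datetime]'2024-03-01'; NotAfter = [datetime]'2024-05-30' }
)

# Fixed evaluation date (an assumption) so the sample always classifies the same way.
$sample |
    Get-WhfbCertRenewalState -AsOf ([datetime]'2024-06-28') |
    Format-Table -AutoSize

# Against a live user store, filter on the Smart Card Logon EKU
# (OID 1.3.6.1.4.1.311.20.2.2) before piping certificates in:
# Get-ChildItem Cert:\CurrentUser\My |
#     Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
#     Get-WhfbCertRenewalState
```

A certificate that stays in `RenewalDue` for most of the window, or reaches `Expired`, points either to a user who has not signed in with their PIN during the window or to a problem in the issuance path (AD FS, NDES, or the CA).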

Microsoft Intune specifics

The Open Mobile Alliance Device Management client talks to the Microsoft Intune mobile device management server using SyncML. Policies are routed, and then the user receives the Simple Certificate Enrollment Protocol profile, as configured in our hybrid environment, deployed through Microsoft Intune. Within 10 minutes, the user should receive a certificate. If that fails, the user needs to manually sync.

Service management

We manage identity as a service at Microsoft and are responsible for deciding when to bring in new types of credentials and when to phase out others. When we were considering adding the Windows Hello for Business feature, we had to figure out how to introduce the new credential to our users, and to explain to them why they should use it.

Measuring service health

We’re in the process of creating end-to-end telemetry to measure the service health of Windows Hello for Business. For now, we’re monitoring the performance and status of all our servers. We’re also expanding the service, so adoption and usage numbers are very important metrics that demonstrate the success of our service. We also track the number and types of help desk issues that we see.

We use custom reports created from certificate servers and custom telemetry service metrics to collect prerequisites, and key and certificate issuance times for troubleshooting. Detailed reports about other aspects of the service can also be generated from Microsoft Intune.

We configure a user’s certificate to expire, and certificate renewals are issued with the same key. When necessary, the certificates can be revoked directly through Microsoft Intune, which provides easier administration.

Key Takeaways

TPM issues

OEM BIOS initialization instructions and TPM lockout policies are OEM-specific. We performed steps to identify and document the potential issues for each hardware provider. We also communicated to our users that clearing a TPM will cause their private key to not work in Windows Hello for Business.

Preventing PIN enrollment problems

Some of the common issues we saw with users creating their PINs could have been avoided with better communication. These issues include users not understanding the prerequisites, or the expected delays in onboarding scenarios. To help avoid this issue, we created a productivity guide to walk users through the steps.

Monitoring end-to-end service health

Windows Hello for Business relies on several underlying services: Microsoft Azure AD, AD FS, Microsoft Intune, NDES, and CA. All of these services need to be healthy and available. Certificate issuance delays can be hard to troubleshoot, but monitoring the health and performance of the supporting services can help.

Managing Windows 10 devices with Microsoft Intune
http://approjects.co.za/?big=insidetrack/blog/managing-windows-10-devices-with-microsoft-intune/
Mon, 24 Jun 2024 08:00:38 +0000

The post Managing Windows 10 devices with Microsoft Intune appeared first on Inside Track Blog.

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft Digital technical stories
Microsoft Digital is transforming the way that we manage devices for Microsoft employees. We’re embracing modern device management principles and practices to provide a frictionless, productive device experience for Microsoft employees and a seamless and effective management environment for the Microsoft Digital teams that manage these devices. We’re using Windows 10, Microsoft Intune, Azure Active Directory (Azure AD), and a wide range of associated features to better manage our devices in an internet-first, cloud-focused environment. The move to modern management has begun our transition to Microsoft Endpoint Manager, the convergence of Intune and System Center Configuration Manager functionality and data into a unified, end-to-end management solution.

Addressing the need for modern management

Microsoft Digital is responsible for managing more than 264,000 Windows 10 devices that Microsoft employees around the world use daily. Historically, our management methods have been based primarily on the network and infrastructure on which these devices reside. The corporate network has been the functional foundation of Microsoft operations for more than 30 years. Our technical past was built on Active Directory Domain Services (AD DS) and the accompanying identity and access management principles that work well within a tightly controlled and regulated on-premises network. With this model, Microsoft Digital has been able to manage devices connected within a protected and insulated digital ecosystem.

However, the ways that our devices are being used have changed significantly over the past 10 years and continue to evolve. The corporate network is no longer the default security perimeter or environment for on-premises computing for many companies, and the cloud is quickly becoming the standard platform for business solutions. At Microsoft, we’ve been continually embracing this new model, engaging in a digital transformation that examines our technology and reimagines it as an enabler of greater business productivity.

As a result, the devices that our employees use are increasingly internet focused and interconnected. Our digital transformation entails removing solutions and services from the corporate network and redeploying them in the cloud on Microsoft Azure, Office 365, and other Microsoft cloud platforms.

Assessing device management at Microsoft

Our Windows devices have been managed by System Center Configuration Manager and AD DS for many years. To be our first and best customer and to support a modern device experience, we’ve started transitioning to Microsoft Endpoint Manager by enabling co-management with Intune and Configuration Manager. Our device management team identified several aspects of the device management experience that needed to be changed to better support our devices and users. Some of the most important aspects included:

  • Device deployment effort. Our device deployment strategy has been based largely on operating system (OS) images that are heavily customized and geared to specific device categories. As a result, we managed a large number of OS images. Each of these images required maintenance and updating as our environment and requirements changed, which resulted in Microsoft Digital employees investing significant time and effort to maintain those images.
  • Management scope. Image deployment relied primarily on a device connecting to the corporate network and the Configuration Manager and AD DS infrastructure that supported the deployment mechanisms. Devices connected outside the corporate network did not have the same experience or deployment and management capabilities as those connected to the corporate network.
  • User experience. All these issues had implications for the user experience. If an employee was connected primarily to the internet and not the corporate network, user experience suffered. Policy application and updates were not applied consistently, and many management and support tools, including remote administration, were not available. We had to implement workarounds for these employees, such as establishing virtual private network (VPN) connections back to the corporate network to facilitate more robust device management. Even with VPN, the internet-first experience was not ideal.

Moving to modern device management

To facilitate a modern device experience for our users and better support our digital transformation, we’ve begun the process of adopting modern device management for all Windows 10 devices at Microsoft. Modern device management focuses on an internet-first device connection, an agile, flexible management and deployment model, and a scalable, cloud-based infrastructure to support the mechanisms that drive device management.

Establishing internet and cloud focus

Our modern device management approach starts with the internet, which offers the most universal and widely available network for our clients. Our modern management methods are built with internet connectivity as the default, which means using internet-based management tools and methods. To enable this, we used Intune and Azure AD to create a cloud-based infrastructure that supports internet-first devices and offers a universally accessible infrastructure model.

Moving from traditional to modern with co-management

The move to modern management necessitates migrating from our traditional methods of device management rooted in Configuration Manager and AD DS. To enable a smooth transition, we decided to adopt a co-management model that enables side-by-side functionality of both traditional and modern infrastructure. This model was critical to ensuring a smooth transition and it enabled us to take a more gradual, phased approach to adopting modern management. Some advantages of the co-management model include:

Adopting a phased approach

We developed a phased approach to moving to modern management. This approach allowed us to adequately test and incorporate modern methods. It also enabled us to choose a transition pace that best suited our business. We outlined three primary phases:

  • Phase one: Establishing the foundation for modern management
  • Phase two: Simplifying device onboarding and configuration
  • Phase three: Moving from co-management to modern management

In each phase, we implemented one of the primary building blocks that would lead us to a fully modern, internet-first, cloud-based device management environment that supported our digital transformation and created the optimal device experience for our employees.

Phase one: Establishing the foundation for modern management

We began by establishing the core of our modern management infrastructure. We determined how it would function and how we would support the transition to modern management from our traditional model. A significant portion of the overall effort was invested in phase one, which established the basis for our entire modern management environment going forward. Our primary tasks during phase one included:

  • Configuring Azure Active Directory. Azure AD provides the identity and access functionality that Intune and the other cloud-based components of our modern management model depend on, including Office 365, Dynamics 365, and many other Microsoft cloud offerings.
  • Deploying and configuring Microsoft Intune. Intune provides the mechanisms to manage configuration, ensure compliance, and support the user experience. Two Intune components were considered critical to modern management:
    • Policy-based configuration management
    • Application control
  • Establishing co-management between Intune and Configuration Manager. We configured Configuration Manager and Intune to support co-management, enabling both platforms to run in parallel and configuring support for Intune and Configuration Manager on every Windows 10 device. We also deployed Cloud Management Gateway to enable connectivity for Configuration Manager clients back to our on-premises Configuration Manager infrastructure without the need for a VPN connection.
  • Translating Group Policy to mobile device management (MDM) policy. Policy-based configuration is the primary method for ensuring that devices have the appropriate settings to help keep the enterprise secure and enable productivity-enhancement features. We started with a blank slate, electing to forgo a lift-and-shift approach to migrating Group Policy settings into MDM policy. Instead, we evaluated which settings were needed for our devices within an internet-first context and built our MDM policy configuration from there, using Group Policy settings as a reference. This approach allowed us to ensure a complete and focused approach while avoiding bringing over any preexisting issues that might have resided in the Group Policy environment.
  • Configuring Windows Update for Business. Windows Update for Business was configured as the default for operating system and application updates for our modern-managed devices.
  • Configuring Windows Defender and Microsoft Defender Advanced Threat Protection (ATP). We configured Windows Defender and Microsoft Defender ATP to protect our devices, send compliance data to Intune Conditional Access, and provide event data to our security teams. This was a critical step, considering the internet-first nature of our devices and the removal of the closed corporate network structure.
  • Establishing dynamic device and user targeting for MDM policy. Dynamic device and user targeting enabled us to provide a more flexible and resilient environment for MDM policy application. It allowed us to start with a smaller standard set of policy settings and then roll out more specific and customized settings to users and devices as required. It also enables us to flexibly apply policies to devices if the devices move into different policy scopes.

Phase two: Simplifying device onboarding and configuration

Our process for device onboarding to modern management is relatively simple. As new devices are purchased and brought into the environment, they are deployed and managed by using the modern management model. This is our approach for the entire device-rollout process; it enables us to gradually onboard devices in a relatively controlled manner and avoid the extra effort required to create in-place migration paths for existing devices. We anticipate that this strategy will result in a complete transition to modern management within three years, according to our device purchase and refresh policies.

Simplifying with Windows Autopilot

We’re using Windows Autopilot as the vehicle for simplifying the user experience and ensuring better corporate asset management. Autopilot allows us to greatly simplify operating system deployment for our users and the Microsoft Digital employees who support the process. Autopilot provides several critical enablers to the deployment process, including:

  • Automatically join devices to Azure Active Directory.
  • Auto-enroll devices into Intune.
  • Restrict Administrator account creation.
  • Create and auto-assign devices to configuration groups based on a device’s profile.
  • Simplify the out-of-box experience (OOBE) and reduce user involvement in the deployment process.

These capabilities allow us to create a simplified user experience and greatly reduce the time required for Microsoft Digital support staff to configure and deploy images to devices.

Phase three: Moving from co-management to modern management

The final phase in our transition to modern management is ongoing. With our current trajectory, we estimate that 99 percent of our devices will be managed under the fully modern model within three years. We’re working within the co-management model and moving toward a fully modern-managed environment. Our next steps include:

  • Decommissioning non-modern infrastructure for Windows 10 management when Endpoint Manager and our business are ready for transition.
  • Transitioning clients from AD DS to Azure AD and moving to a 100-percent internet-first model for client connectivity.

Key Takeaways

We’re still on the road to modern device management, but we’ve learned several lessons along the way. These learning experiences have helped us to better enable modern management now and prepare for the future at Microsoft. Some of the most important lessons include:

  • Build for the cloud and start fresh. We found that the extra time required to start fresh in areas like policies and deployment planning was well worth the investment. A fresh start allowed us to plan for exactly what our users and business need, rather than trying to restructure an old model to fit a new reality.
  • Go at the speed of your business. The transition to modern device management is not a one-click process. It has wide-ranging implications for an organization, and it needs to be approached intentionally and gradually. We found that large-scale, bulk migration simply didn’t provide enough benefit in relation to the effort and planning required to implement it.

Conclusion

Our transition to modern device management will continue over the next few years as we onboard devices and refine our Microsoft Endpoint Manager platform and methods. Microsoft Endpoint Manager gives Microsoft Digital a platform that enables simplified and efficient management and configuration for our devices in an environment that supports and drives our digital transformation. Our planned refinements to modern management will improve the user experience, reduce the time it takes to get reliable, fully functioning devices into our users’ hands, and create cost savings and greater efficiencies in device management for Microsoft Digital.

Unlocking the potential of Copilot for Microsoft 365 at the role level http://approjects.co.za/?big=insidetrack/blog/unlocking-the-potential-of-copilot-for-microsoft-365-at-the-role-level/ Fri, 14 Jun 2024 19:45:13 +0000

There’s no question: Copilot for Microsoft 365 is changing how work gets done here at Microsoft and beyond. An intelligent digital assistant with access to any company data you need that can process and accomplish requests using natural language—that’s a powerful productivity booster.

But how do you zero in on the scenarios and use cases that matter most to individual employees?

At Microsoft Digital, our company’s IT organization, we’re helping our employees get the most value out of this powerful new tool by identifying the roles where AI assistance can drive the most upfront impact, then developing hero scenarios to help them start using Copilot. The result is our Copilot for Microsoft 365 Hero Scenario Playbook, a functional framework that helps teams discover ways that specific roles can adopt Copilot into their work and drive value.

When we started rolling Copilot for Microsoft 365 out across the company, our priority in Microsoft Digital was giving as many employees as possible the chance to explore this exciting new tool. In a sense, we gave everyone the keys to the car and invited them to drive AI’s open road.

It resulted in a lot of exploration, increased usage, and some very eager early adopters. To help as many people get up to speed with Copilot as possible, we focused our initial adoption efforts on a common professional persona: the modern information worker.

“This is the beginning of an entirely new meta-skill,” says Don Campbell, a senior director on Microsoft Digital’s Employee Experience Success team. “People are thinking through new habits and ways of working as they learn what Copilot is capable of enabling.”

Because of the excitement around AI, uptake was rapid and enthusiastic. Our next step was building on that initial surge of adoption and experimentation to drive more profound, targeted impact.

Actioning inspiration: Building a pathway to hero scenarios

Don Campbell and Heather Layne were part of the Microsoft Digital team working on our Copilot Hero Scenario Playbook.

As Copilot for Microsoft 365 usage began to mature across the company, we saw opportunities to build on this momentum by presenting more contextual applications for AI. Within Microsoft Digital, we decided to create a standardized process for defining Copilot hero scenarios in roles where initial applications of AI could have the greatest impact. Concrete scenarios would resonate with those professionals by addressing real-world challenges they face every day, saving them time and bandwidth.

Ultimately, we had one goal: accelerating time to value for Copilot users.

“We wanted to explore how we could make Copilot more real to the individual,” Campbell says. “They’re asking how they can use this in ways that are specific to their role, in their function, in their organization.”

We identified five main objectives to help us get there:

  • Understand the top responsibilities, challenges, needs, and wants of priority roles.
  • Articulate and communicate hero scenarios for those roles and depict ways for Copilot to enable their work.
  • Outline blockers and accelerators for Copilot adoption and hero scenarios.
  • Generate feedback for product groups to improve Copilot.
  • Share playbook outputs with our product marketing group and post them in our Copilot Lab, our publicly available repository of Copilot prompts, to contribute value to external users.

“From the beginning, we set out to articulate our objectives and our deliverables, then worked back from there,” says Heather Layne, a director of program management on the Employee Experience Success team in Microsoft Digital. “When it came to research, we relied on our EX Studio for step-by-step guidance on purposeful engagement.”

That process unfolded in a layered approach. First, we identified the Microsoft organizations that were best positioned to receive our support. Thanks to strong interest and a robust cohort of early adopters, sales, HR, and finance were excellent candidates for our first efforts.

Christopher Fernandez is a corporate vice president in Human Resources.

From there, we worked with stakeholders and AI adoption teams within each of those organizations to prioritize roles according to a rubric of criteria. Those criteria focused on enthusiasm for adoption, readiness for the next level of engagement, the number of people represented by that role within their organization, and Copilot’s applicability for their work—especially for repetitive, context-rich, or communication-intensive tasks.

“In HR, for example, we ensured there was complete thinking regarding a reimagination of our business functional architecture,” says Christopher Fernandez, corporate vice president in HR. “We identified key roles and corresponding workflows that could directly benefit from Copilot for Microsoft 365 by removing mundane and repetitive tasks and providing insight to creative solutions needed to deliver business value.”

After we identified those roles, we moved into focus-group sessions with 10 to 20 participants, all selected because they had been actively using Copilot and could provide practical ideas and suggestions. It was an opportunity to tap into willing talent and let our leaders lead.

The output of those sessions came down to three hero scenarios per role, each with six steps and six Copilot prompts to propel those processes forward, as well as the relevant Microsoft tools where the prompts would apply. We also ensure these scenarios align with the company’s Responsible AI principles.

For example, our Finance team identified operations manager as a priority role. One of its key scenarios included managing contracts, and it demonstrates how prompts come together across several apps to create a process bolstered and streamlined by automation.

A Copilot hero scenario for a Microsoft finance operations manager outlining six steps, their hosting apps, and their relevant Copilot prompts.
The central output from the Copilot for Microsoft 365 Hero Scenario Playbook is a six-step, six-prompt workflow applicable to a specific priority role—in Finance in this case.

“That output then served as an input in a few different places,” Campbell says. “We evangelized it out to the organization itself to help drive ideation, adoption, and usage, to our product marketing group for customer scenarios, and to our Copilot Lab to provide freely available examples of prompts.”

As a result, we’ve been able to boost Copilot adoption and usage across Microsoft, providing specific, concrete opportunities for people to apply this new way of working to their roles.

Crafting your own Copilot for Microsoft 365 hero scenarios

This process has the benefit of being structurally simple, modular, and repeatable—so much so that we’ve made it freely available to any organization that’s using Copilot for Microsoft 365 in the form of our Copilot for Microsoft 365 Hero Scenario Playbook. Whether you’re adopting Copilot across your entire organization, a department, a business group, or a team, we strongly encourage you to work through this exercise.

“We want organizations to know that there are opportunities to keep this process controlled and standardized,” Layne says. “By aligning with rubrics and setting up standard practices, you know you’re not just putting in time to create something that isn’t helpful or impactful.”

Our playbook walks adoption leaders through a four-stage process that includes readiness, engagement, delivering an output, and sharing results with employees. To accelerate time to value, we’ve designed the process implementation across three weeks.

The process of developing and sharing a Copilot hero scenario through all four phases: Ready, engage, deliver, and share.
The Copilot for Microsoft 365 Hero Scenario Playbook breaks our framework out into four phases: Ready, engage, deliver, and share.
Liz Friedman helps lead AI adoption within our HR department.

By following the playbook through four phases, you can accomplish what we’ve done at Microsoft: understanding what your priority roles need to be successful, articulating hero scenarios tailored to their work, and sharing the outputs with your organization to accelerate time to value for Copilot users.

Phase 1: Ready

This phase will help your organization, department, or team prepare for the process. It involves aligning with leadership and sponsors who will be accountable for driving Copilot value within their organization. It’s also where you’ll select the priority roles, draft outlines of those roles so you can clarify your understanding of their needs and wants, and seek out feedback from leaders, managers, and subject matter experts.

Phase 2: Engage

Engaging with employees delivers the core value of this exercise. In the engagement phase, you’ll identify participants from your priority roles who demonstrate enthusiasm and early aptitude with Copilot. From there, you choose an engagement approach that might include in-person group sessions, virtual Microsoft Whiteboard sessions, one-on-one interviews, Microsoft 365 Loop collaboration, or whatever modality works best, then communicate the process to participants and conduct your engagement.

Nathalie D’Hers is a corporate vice president and the leader of Microsoft Digital.

Phase 3: Deliver

Ideating hero scenarios is how you discover value. The delivery phase defines that value and organizes it into a useful, consumable format. It starts with reviewing and analyzing the outcomes of your sessions to gain insights and identify themes. Now is the time to document your hero scenarios and the value they add, as well as blockers and accelerators. Finally, you’ll provide your output: a comprehensive deck that includes your priority roles, hero scenarios, next steps, and more.

Phase 4: Share

The final phase of this process involves socializing your scenarios across your team or organization to realize value. If you’re part of a large organization, it’s helpful to radiate these outputs beyond the target group as an opportunity for further Copilot momentum. This stage includes diving deeper into blockers and accelerators that can help your organization as a whole speed time to value.

“So much of adoption comes down to the question of ‘What’s in it for me?’” says Liz Friedman, a senior director of HR AI Transformation. “The ability to answer that question at the role level, at the level of fidelity that really resonates with what employees actually do, creates a strong bridge between the realm of possibility and day-to-day reality.”

Capturing the limitless value of AI

The shift to AI is about more than productivity. It’s about new ways of working and new ways of being.

Thanks to the modular nature of this framework, teams across Microsoft can now apply this process to their own professional needs. As time goes on, the goal is for different organizations and roles to uncover robust and efficient ways of working.

“With Copilot, we’re building new skillsets, but also new habits,” says Nathalie D’Hers, corporate vice president of Microsoft Digital. “That takes experimentation and learning, but the payoff is transformative.”

By learning from our experience and working through the Copilot for Microsoft 365 Hero Scenario Playbook, your organization can execute best practices that will make the most of your AI investment, deliver value faster, manage change effectively, and scale across your organization.

Access the Copilot for Microsoft 365 Hero Scenario Playbook here.

Key Takeaways

Here are some tips for getting started with developing persona-specific scenarios for priority roles at your company:

  • Build strong organizational partnerships and add this process into AI efforts that teams already have underway. Identify the key AI leaders and champions on those teams.
  • This process is additive and iterative, so don’t be married to the playbook. Start with the framework, then allow it to grow around organic efforts.
  • Frame your scenarios around business processes, then layer on the technology.
  • Validate your results through active communication, especially after you’ve socialized your hero scenarios. That ensures you sort the signal from the noise and capture even greater value moving forward.
  • For your working groups, make sure you’re choosing teams and people who have good engagement with the tool, especially enthusiasts and early adopters. This also gives people the chance to learn from each other and build on their colleagues’ ideas.
  • Have a game plan about where to go next in terms of sharing and piloting. Include follow-ups and baselines so these outputs don’t just sit on the shelf.
  • Get multiple perspectives. No role is exactly the same, even if the job title is. Bringing people who do similar work together and hearing commonalities and differences is very helpful and provides an opportunity to benefit from a diversity of perspectives.

Try it out

New to Copilot for Microsoft 365? Get started today and see what’s possible.

Deploying Copilot for Microsoft 365 with the help of—you guessed it—Copilot http://approjects.co.za/?big=insidetrack/blog/deploying-copilot-for-microsoft-365-with-the-help-of-you-guessed-it-copilot/ Thu, 23 May 2024 15:38:27 +0000

Now that we’ve deployed Copilot for Microsoft 365 internally here at Microsoft, it’s helping our employees save time and focus on the things that matter most. But like any new tool, adopting Copilot required careful planning, strategy, and attention to our organization’s needs.

At Microsoft Digital (MSD), the company’s IT organization, our adoption team worked to ensure we managed, communicated, and analyzed our Copilot rollout to produce the best results for every employee. Fortunately, we had a powerful sidekick in these efforts: Copilot itself.

This post shares how our MSD adoption team benefited from early access to Copilot by using the tool to support its own deployment. If you’re planning on activating Copilot for your employees, our experience can provide inspiration for how you can launch your organization into a new era of AI assistance.

Deploying a new kind of productivity tool

As the first organization to deploy Copilot for Microsoft 365, we had an opportunity to learn firsthand how it could empower employees and enable productivity. We also got the chance to experiment with how it might make our work as an IT organization easier and more insightful.

“Because Copilot is such a new product and novel concept, we’re still testing it out ourselves,” says Jenny Goodwin, a UX researcher at MSD. “Unlike other products like SharePoint, Teams, or Excel that operate as lone repositories or apps, we’re learning what it means to use a tool that permeates multiple apps while drawing from our massive pool of organizational data.”

There are many different disciplines at work on a deployment team, each with its own needs. They include project managers, communications and change management practitioners, and researchers. Copilot has something unique to offer each of them.

How different adoption disciplines are using Copilot for Microsoft 365

Project management

  • Meeting and chat summaries through Copilot in Microsoft Teams
  • Thought-starters, categorization, and task management using Copilot in Whiteboard

Communications and change management

  • Content creation through generative AI composition
  • Content editing and refinement in myriad Microsoft 365 apps
  • Brainstorming, research and data compilation around content creation
  • Multimodal media creation across Microsoft 365 apps
  • Minimizing meeting burdens with recaps created by Copilot in Microsoft Teams

Listening and analytics

  • Research call notetaking and summarization using Copilot in Microsoft Teams
  • Assembling, translating, and collating qualitative data to identify trends and sentiments
  • AI-assisted affinity mapping through Copilot in Whiteboard

Copilot for Microsoft 365 was helpful to our Copilot deployment team across several different professional disciplines.

As a senior program manager, Tom Heath uses Copilot to streamline project management for a global team of change managers.

Copilot for Microsoft 365 keeps project management on track

In large organizations like Microsoft, there are a lot of moving pieces. That makes the project manager role exceptionally complex.

Tom Heath, a senior program manager leading global adoption efforts for Copilot for Microsoft 365, has to focus on a lot of moving parts to keep deployment on track. He’s responsible for coordinating a global virtual team and ensuring that a widely diverse set of stakeholders heads in the same direction while adapting the deployment to their individual regions.

Naturally, employees and teams are excited about bringing this new tool into their workstreams, so they want to initiate their adoption workflows as quickly as possible. Part of Heath’s role is to ensure an orderly rollout in the midst of all that excitement.

On top of these challenges, Copilot as a product is accelerating very quickly, with new features and improvements being released almost every week. Managing adoption for such a fast-moving product requires extra agility.

“From a project manager’s point of view, it’s a productivity driver,” Heath says. “Copilot brings people together more fluidly in Microsoft Teams, helps us catch up on actions and go-dos, and keeps us aligned across all of our different meetings.”

For example, a big part of Heath’s work is coordinating his virtual team of business program managers in different parts of the world. That involves numerous Teams chats occurring asynchronously across time zones.

Heath frequently finds himself asking Copilot, “What’s been happening in my Teams chats and channels over the last 24 hours?” Copilot efficiently assembles and summarizes any relevant conversations and gives him a foundation for the day’s follow-ups and action items.

Streamlining asynchronous communication and task management is just one example. Collaboration is also a large part of the role, and Copilot in Whiteboard has become a powerful tool for idea casting.

I can prompt Copilot by saying, ‘Here are the kinds of information I need, here are the engagements I have internally, and I’d like you to tell me what I need to know about my upcoming week.’ A lot of it is about practicing how to speak to Copilot to get the answers you want.

— Tom Heath, senior program manager, Microsoft Digital

Heath’s virtual team will frequently kick-start their process by asking for suggestions, then using Copilot’s outputs as thought-starters. From there, they’ll assemble ideas into sticky notes, categorize them into themes, and then translate their results into go-do’s.

Perfecting the relationship with a digital assistant takes time and practice, but it’s a massive leg up in a task-oriented discipline like project management.

“I can prompt Copilot by saying, ‘Here are the kinds of information I need, here are the engagements I have internally, and I’d like you to tell me what I need to know about my upcoming week,’” Heath says. “A lot of it is about practicing how to speak to Copilot to get the information you want.”

Communicating and managing change with Copilot for Microsoft 365

Communications are an essential part of driving adoption forward. A modern approach includes multifaceted user communications that account for diverse employee preferences and where they spend their time, whether that’s email, community calls, or employee engagement platforms.

Melissa Cafiero and Victoria Martinez led communications for our internal Copilot deployment.

“The toughest job is providing the right level of information to excite and educate employees about a new tool without overcommunicating and causing people to disengage,” says Victoria Martinez, senior content program manager leading internal comms for MSD. “Employees are here to do their work, not just manage communications.”

The speed of AI technology and Copilot for Microsoft 365 means communication strategies need to be agile and flexible. Meanwhile, accommodating employees’ preferences means adoption leaders need to craft communications for the channels that meet their needs. That can be a time-consuming task.

Generative AI represents a quantum leap for communications work. When it came to our internal Copilot deployment, communicators leaned hard into experimenting with prompts.

The team found it easy to tell Copilot what they needed for any given communication, prompting it with a few key parameters: who’s speaking, what kind of communication they were trying to create, where they planned to post it, the value proposition for the audience, their reader’s persona, the message’s goal, and its context. From there, Copilot could create a series of communications to deploy via email, Microsoft Viva Engage, and any other relevant channels, all aligned with the core message.

As communicators, we often need big chunks of dedicated focus time to think through strategy, build out a communications plan, or create quality content. Summarization features for Copilot in Teams would help me skip three meetings in a day and spend those three hours building out a comms bundle.

— Melissa Cafiero, communications and readiness lead, Microsoft Digital

With Copilot, communicators also found that they could rapidly accelerate other aspects of their work across everyday productivity apps. For example, when the team was building out documentation about their adoption strategy in Microsoft Word, they discovered that asking Copilot to create a presentation immediately led to a polished Microsoft PowerPoint they could use to outline that strategy internally. What was once a four-hour task had morphed into a two-minute workflow.

Those time savings aren’t just about speeding up core work. Copilot also minimizes meeting time to free up creative bandwidth.

“As communicators, we often need big chunks of dedicated focus time to think through strategy, build out a communications plan, or create quality content,” says Melissa Cafiero, communications and readiness lead for technology and experiences at MSD. “The Copilot meeting recap feature in Teams would help me skip three meetings in a day and spend those three hours building out a comms bundle.”

Between logistical time savings and creative support, AI assistance has saved our internal communications team hours of time and expanded their efforts.

Jenny Goodwin and Sandra Hausfelder conducted user listening and UX research to help guide our Copilot adoption.

AI-driven insights for research and analytics

Understanding the user experience is a big part of driving adoption. By conducting research and analysis, we determine how to deepen engagement with the tool we’re deploying, provide valuable input for our product teams, and learn valuable lessons for future deployments.

UX research involves an enormous number of calls and interviews. Before Copilot, our researchers often operated in pairs, with one acting as a moderator and the other as a notetaker. Now, our researchers can rely on an AI-powered notetaker, reducing the need for multiple researchers on the same call. It’s like a digital research assistant with an impeccable memory. Having multiple observers and notetakers in a research interview (that is, a bigger audience) can also bias participants toward more scripted or guarded responses, so having fewer people in an interview is both advised and beneficial.

“When Copilot in Microsoft Teams came out, I had it start taking care of my notetaking,” Goodwin says. “Now I can just ask my digital assistant direct questions about respondents’ responses, and that content streamlines my workflow and enhances efficiency for analyzing qualitative data.”

Sifting the signal from the noise isn’t easy. Aside from user interviews, a lot of listening happens through surveys and written feedback, which generates vast swaths of text that researchers need to process. To make matters more complicated, that feedback comes in multiple languages from employees all over the world.

“With every project, you have to sift through a lot of employee-generated feedback,” says Sandra Hausfelder, global listening lead for Microsoft 365. “By the time you’ve cleaned that up and assembled it into usable data, it can be outdated because of the velocity of change with AI tools.”

To deal with this influx of information at speed, our listening team has been experimenting with Copilot workflows that streamline data extraction from written feedback. After they’ve pasted those text inputs into a Microsoft Word document, they can ask Copilot to translate any non-English responses, generate an overview, sort different kinds of feedback into tables, and identify primary themes.

Our UX researchers use a similar process for affinity mapping using Copilot in Whiteboard. It’s a more visual and collaborative format to meet the needs of UX professionals, but Copilot’s ability to sort information and identify themes or trends remains the same.

With Copilot automating each of these workflows, the time to insight is accelerating. For our teams that conduct research and analytics work, it means the same number of people can perform faster and more extensive work to keep up with the velocity of change in the age of AI while still providing high-quality insights.

New technology drives new behaviors

Copilot for Microsoft 365 is introducing new ways of doing work across all kinds of business functions, and deployment is no exception. Our MSD adoption team has benefited from being the first on the planet to use this tool in their day-to-day work, and it’s driven powerful results so far.

Naturally, Copilot doesn’t replace people. It’s important to apply human instinct and insight to any results created by an AI-driven digital assistant. But our adoption teams are finding more and more ways to enact this new way of working.

“It’s changed my mindset, so I’m looking for opportunities in every step of the work I do on a daily basis,” Hausfelder says. “Now I’m always thinking about ways Copilot can help me with aspects of my job, and it’s leading to a constant evolution of processes.”

That might be the most important lesson our adoption team has learned as they’ve supported our Copilot deployment. Be willing to experiment, try new things, and explore opportunities to improve processes through automation.

The results will surprise you.

Key Takeaways

Here are some tips for getting started with Copilot for Microsoft 365 at your company:

  • Get a basic understanding of where Copilot comes alive in each app, then build skills around prompting to capture that value.
  • Understand how Copilot manages data and documents.
  • Have a dedicated space where people can come together and discuss learnings without risk.
  • Encourage people to try prompts that aren’t work-related to help them get used to Copilot in a low-pressure environment.
  • Suggest that your employees take time to learn about Copilot at launch and in an ongoing way.
  • Use Copilot in Bing as a brainstorming partner to help you get past the blank page. From there, ask it to reframe ideas after they’re more fully formed.
  • Prepare your team for a leap: Copilot takes generative AI beyond just creating text and into true digital assistance, so encourage them to flex those new muscles.

Evolving the device experience at Microsoft
http://approjects.co.za/?big=insidetrack/blog/evolving-the-device-experience-at-microsoft/
Wed, 01 May 2024 14:57:36 +0000

At Microsoft, we’re embracing and empowering hybrid work by adopting modern device-management practices, which is enabling our employees to split their time between working in the office and working from home. The tools and processes that we use to manage, secure, and monitor devices that access Microsoft data are being migrated out of a traditional management model to coexist with and make way for modern device management using Microsoft Intune. As this migration continues at Microsoft, our employees will be better enabled to be productive from anywhere on any device.

Examining the device landscape at Microsoft

Our employees’ devices are their primary productivity tools. They use a wide variety of devices to access their work and succeed in their roles. Our responsibility in the Microsoft Digital Employee Experience (MDEE) organization is to ensure that each of our employees, regardless of the device they use or the location from which they connect, can be productive and connected to Microsoft tools and corporate data.

Across the landscape of more than 750,000 devices in use at Microsoft, we support Windows, Android, iOS, and macOS devices. Windows devices account for approximately 60 percent of the total employee-device population, while iOS, Android, and macOS account for the rest. Of these devices, approximately 45 percent are personally owned employee devices, including phones and tablets. Our employees are empowered to access Microsoft data and tools using managed devices that enable them to be their most productive.

Migrating device management to the cloud

As hybrid work becomes the norm—and the expectation—for our employees, how we provide access to the tools they need to innovate, create, and collaborate successfully has evolved. Users want a dynamic, device-agnostic experience that focuses on providing them with the data and tools they need from almost any location, using a wide variety of devices, including PCs, laptops, tablets, and smartphones.

This model has largely replaced a traditional, Windows-based, local-network-focused model. The hybrid work experience centers on the employee and their device as the primary determinants of how they access Microsoft tools and data. It also enables employee-directed tasks such as self-serve device setup and remediation for devices from any location. We were building capabilities for the hybrid work model long before the COVID-19 pandemic made it necessary, and our investments in hybrid work have allowed us to react with agility to workplace challenges in the recent past.

A sizable portion of the devices that we support continue to be corporate-owned traditional laptops or PCs, but our device landscape also includes many personally owned devices. Our device management practices, and even what we define as a device, have changed. Many devices that our employees use to do their work are smartphones from a variety of manufacturers, and these devices use a range of operating systems. This shift in device demographics has necessitated a change in how we manage employee devices and a migration from traditional, on-premises management systems to modern, cloud-based management systems that effectively support and secure this new device demographic.

Our migration—and any migration—from traditional, on-premises management to modern management involves three key management models that play a role in how devices are managed:

  • Traditional management. Microsoft Configuration Manager has been the on-premises management system of choice at Microsoft for decades. In a traditional management model, most managed devices are Windows-based, connected to a local network, and joined to an Active Directory Domain Services (AD DS) architecture. Devices in the traditional model are typically purchased, procured, and managed corporately. We use Configuration Manager to manage devices using previous versions of Windows that are not supported by Intune and to assist in Configuration Manager product development.
  • Modern management. Microsoft Intune supports the modern management model at Microsoft. Intune provides cloud-based device management capabilities across Windows, Android, iOS, and macOS devices. Devices are registered in and authenticated by Microsoft Azure Active Directory. Because it’s cloud-based, Intune removes the dependency on the local network and managed devices can connect across the internet from anywhere. Modern management includes and supports both corporate and personally owned devices, including mobile devices.
  • Co-management. Co-management uses a combination of traditional management and modern management techniques and tools, allowing traditional and modern management models to coexist within an organization. Microsoft Intune allows us to operate both models through a single interface and combined toolset.

In our adoption of modern management through Intune, Microsoft Azure Active Directory (Azure AD), and internet-focused connectivity, we’re adopting more standard practices for device management and the configuration of our device management systems. How we configure and operate our modern management environment is much more standardized than past solutions have been. We use native functionality extensively—the flexibility of the Microsoft cloud management toolset replaces many of the engineered customizations we have had to implement.

We use Microsoft Intune, Microsoft Azure AD, and the rest of the modern management tools the same way that any other organization would. We use procedures directly from the Microsoft documentation website, and we’re adopting documented general best practices and architectural designs that Microsoft recommends to customers. The following figure illustrates using co-management to enable the migration from traditional management to modern management.

Graphic showing traditional management, co-management, and modern management tools.
Using co-management to migrate from traditional to modern management.

Connecting traditional and modern models with co-management

Modern management is the goal for all client devices at Microsoft. However, moving from traditional device management to modern management is a journey, and it’s one that can’t be made overnight. Our journey to modern management began several years ago, and it’s ongoing.

We’ve embraced co-management as the first step in moving to modern management and as a long-term bridge between traditional management and modern management models. By using Microsoft Intune, we’ve been able to manage our traditional on-premises devices alongside newly deployed devices that are modern managed.

Addressing migration challenges

Microsoft Azure Active Directory is central to modern management. Azure AD is the first point of contact for most of our mobile devices and the default directory for new devices. Moving devices from AD DS to Azure AD is at the core of traditional-to-modern migration, as the two directory services provide identification, authentication, and authorization services for on-premises and cloud resources, respectively.

However, the AD DS-to-Azure AD migration process isn’t simple on a device-by-device basis, and coordinating large-scale directory migration is time-consuming and potentially tedious. We’re using Hybrid Azure AD joined devices as a primary enabler of co-management to facilitate a smooth transition of devices from traditional to modern management. Hybrid-joined devices connect to both AD DS and Azure AD. This dual function lets us maintain existing on-premises Group Policy objects and settings for a device while we work to replicate those settings in modern management using Intune and Azure AD. We completed an analysis using the Intune Group Policy analyzer to determine which policies could be supported in Intune.

New devices are onboarded as modern-managed devices using Autopilot for Windows devices and Apple Business Manager for corporate-owned macOS and iOS devices. However, we don’t prevent our users from joining AD DS domains if they require it. This strategy gets devices under the modern management model but allows us to continue using traditional management methods where necessary.

As old devices are replaced with new ones, traditionally managed devices decrease in number, and modern-managed devices increase. For large enterprises, a full-scale switch from traditional to modern management without co-management is almost impossible. The time it takes to migrate devices and support systems would severely reduce business efficiency and technical capability for any organization. Users must have uninterrupted access to tools and data from their devices. We anticipate that co-management will remain part of our management environment into the near future.

Supporting the Zero Trust model with verified devices

Based on the principle of verified trust—in order to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. The ability to effectively verify devices is a critical part of the Zero Trust model, and management is mandatory for any device accessing corporate data.

The Microsoft Intune platform enables us to enroll devices, bring them to a managed state, monitor the devices’ health, and enforce compliance against a set of health policies before granting access to any corporate resources. Our device health policies verify all significant aspects of device state, including encryption, antimalware, minimum OS version, hardware configuration, and more. Microsoft Intune also supports internet-based device enrollment, which is a requirement for the internet-first network focus in the Zero Trust model.

We’re using Microsoft Intune to enforce health compliance across the various health signals and across multiple client device operating systems. Validating client device health isn’t a one-time process. Our policy verification processes confirm device health each time a device tries to access corporate resources, much in the same way that we confirm the other pillars, including identity, access, and services. We’re using modern Microsoft Intune protection configuration on every managed device, including pre-boot and post-boot protection and cross-platform coverage.
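The per-access device health check described above, sketched as an added example (this is not Microsoft's or Intune's code). The signal names, policy thresholds, freshness limit, and sample devices are all assumptions constructed for illustration.

```python
"""Per-request device health gate (illustrative; not Intune's implementation)."""
from dataclasses import dataclass, replace

# Constructed policy values: minimum OS version per supported platform.
MIN_OS_VERSION = {
    "windows": (10, 0, 22000),
    "macos": (13, 0),
    "ios": (16, 0),
    "android": (13,),
}
MAX_SIGNAL_AGE_HOURS = 24  # assumed freshness limit for reported health


@dataclass(frozen=True)
class DeviceState:
    device_id: str
    platform: str
    enrolled: bool
    disk_encrypted: bool
    antimalware_healthy: bool
    os_version: str
    signal_age_hours: float


def parse_version(text):
    """Turn '10.0.22631' into (10, 0, 22631); return None when malformed."""
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return None


def version_at_least(actual, minimum):
    """Compare versions after zero-padding, so '13' satisfies a 13.0 minimum."""
    width = max(len(actual), len(minimum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(actual) >= pad(minimum)


def evaluate(device):
    """Return (compliant, reasons). Unknown or unparsable input fails closed."""
    reasons = []
    if not device.enrolled:
        reasons.append("not enrolled in management")
    if device.signal_age_hours > MAX_SIGNAL_AGE_HOURS:
        reasons.append("health signal is stale")
    if not device.disk_encrypted:
        reasons.append("disk encryption off")
    if not device.antimalware_healthy:
        reasons.append("antimalware unhealthy")
    minimum = MIN_OS_VERSION.get(device.platform)
    actual = parse_version(device.os_version)
    if minimum is None:
        reasons.append("unsupported platform")
    elif actual is None:
        reasons.append("unreadable OS version")
    elif not version_at_least(actual, minimum):
        reasons.append("OS below minimum")
    return (not reasons, reasons)


def authorize(device_id, resource, inventory):
    """Decide one access attempt from the device's state at this moment."""
    device = inventory.get(device_id)
    if device is None:
        return {"allow": False, "resource": resource, "reasons": ["unknown device"]}
    compliant, reasons = evaluate(device)
    return {"allow": compliant, "resource": resource, "reasons": reasons}


def demo():
    """Same device, two requests: health is re-checked on every attempt."""
    inventory = {  # constructed sample inventory
        "LAPTOP-01": DeviceState("LAPTOP-01", "windows", True, True, True,
                                 "10.0.22631", 2.0),
    }
    first = authorize("LAPTOP-01", "mail", inventory)
    # Between requests the antimalware signal degrades; earlier approval
    # is not cached, so the next attempt is denied.
    inventory["LAPTOP-01"] = replace(inventory["LAPTOP-01"],
                                     antimalware_healthy=False)
    second = authorize("LAPTOP-01", "mail", inventory)
    return first, second


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The design choice worth copying is that every missing, stale, or unparsable signal produces a denial with a reason rather than a default allow.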

Managing the device experience in the cloud

Modern-managed devices at Microsoft fall under two main categories: corporate-owned devices that our employees use for business purposes, and personally owned devices that our employees bring into the workplace and use to access Microsoft resources.

Corporate-owned devices

Corporate-owned devices at Microsoft are most commonly Windows devices that Microsoft purchases for our employees to use. Our corporate devices come from a specific set of Windows PCs, laptops, and tablets that our employees can select from a variety of manufacturers. In modern management, these are the devices that we exercise the most control over. All corporate devices in the modern management model are registered in Microsoft Azure AD and managed by Intune.

Microsoft Azure AD, Microsoft Intune, Windows Autopilot, and Windows Update for Business deployment services enable us to take a device from the manufacturer using a standard image and directly apply our policies and management measures without requiring direct interaction from our support personnel. The employee powers on their device, signs in with their Azure AD credentials using multifactor authentication, and the device is joined to Azure AD and enrolled in Intune. Corporate policies and apps specific to the user or department are automatically deployed to the device, and the device is always managed and kept up to date, throughout its entire life cycle.

We’re also using Apple Business Manager to directly manage corporate-purchased macOS and iOS devices. Apple Business Manager interfaces with Intune and provides a fully managed experience like the one we have for our corporate-owned Windows devices. We can control the out-of-box experience (OOBE) for Apple devices, reducing the number of screens users need to go through during initial setup. When the user completes the OOBE, the device will already have Intune Company Portal, Microsoft Defender for Endpoint, and other device-related corporate apps installed, simplifying the setup process. We also have the capability to push additional applications or security patches using Intune and Apple Business Manager to devices in the future.

Personally owned devices

Bring your own device (BYOD) scenarios are commonplace in the hybrid work model. Personal devices enable flexibility in the hybrid workplace. Employees can enroll their own Windows, Android, iOS, and macOS devices in Intune using Azure AD Workplace Join. Workplace Join creates a device identity in Azure AD and Intune and enforces device state and configuration through native operating system methods and management apps.

Personally owned devices don’t experience the same level of control as corporate-owned devices, but modern management using Intune and Workplace Join grants us the capability to restrict access to resources based on device state and health. With this level of control, we can safely manage access to corporate data and apps stored on the device based on the user of the device and the device operating system.

Next steps

We’re continuing to move toward modern management while using co-management as a bridge to traditionally managed devices. We’re working on several modernization efforts, including migrating our corporate wireless network to internet-first and reducing the number of devices using virtual private network connections. We’re also consolidating device management controls to a single interface, improving migration capabilities for domain-joined devices, and hardening device health definitions with new compliance policies. As our migration continues and the modern management environment matures, our employees will be better enabled to be productive in the hybrid work model from anywhere and on any device.

Key Takeaways

  • Modern management enables your organization to embrace hybrid work practices while helping to control access to tools, data, and the devices used to access them.
  • Co-management offers a bridge between traditional and modern management that’s flexible and scales to your organization’s pace and structure.
  • The move toward modern management empowers employees to be productive when using any device, whether it’s their personal device or a corporate-owned device, on a variety of operating system platforms.
  • Modern management enables the Zero Trust model, which uses a multipronged approach to help detect, manage, and prevent security breaches from inside and outside an organization.
  • Large enterprises such as Microsoft can use Microsoft Intune to implement modern management without requiring significant custom integrations and solutions.

 

Using a Zero Trust strategy to secure Microsoft’s network during remote work
http://approjects.co.za/?big=insidetrack/blog/using-a-zero-trust-strategy-to-secure-microsofts-network-during-remote-work/
Wed, 03 Apr 2024 13:59:49 +0000

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft’s cloud-first strategy enables most Microsoft employees to directly access applications and services via the internet, but remote workers still use the company’s virtual private network (VPN) to access some corporate resources and applications when they’re outside of the office.

This became increasingly apparent when Microsoft prepared for its employees to work remotely in response to the global pandemic. VPN usage increased by 70 percent, which coincided with the significant spike in users working from home daily.

So then, how is Microsoft ensuring that its employees can securely access the applications they need?

With split tunneling and a Zero Trust security strategy.

As part of the company’s Zero Trust security strategy, employees in Microsoft Digital Employee Experience (MDEE) redesigned the VPN infrastructure by adopting a split-tunneled configuration that further enables the company’s workloads moving to the cloud.

“Adopting split tunneling has ensured that Microsoft employees can access core applications over the internet using Microsoft Azure and Microsoft Office 365,” says Steve Means, a principal cloud network engineering manager in MDEE. “This takes pressure off the VPN and gives employees more bandwidth to do their job securely.”

Eighty percent of remote working traffic flows to cloud endpoints where split tunneling is enabled, but the rest of the work that employees do remotely—which needs to be locked down on the corporate network—still goes through the company’s VPN.

“We need to make sure our VPN infrastructure has the same level of corporate network security as applications in the cloud,” says Carmichael Patton, a principal security architect on Microsoft’s Digital Security and Resilience team. “We’re applying the same Zero Trust principles to our VPN traffic, by applying conditional access to each connection.”

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=bleFoL0NkVM, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Experts from Microsoft Digital answer frequently asked questions around how VPN, modern device management, and Zero Trust come together to deliver a world class remote work platform.

Securing remote workers with device management and conditional access

Moving most of the work that employees require to the cloud only became possible after the company adopted modern security controls that focus on securing devices.

“We no longer rely solely on the network to manage firewalls,” Patton says. “Instead, each application that an employee uses enforces its own security management—this means employees can only use an app after it verifies the health of their device.”

To support this transformed approach to security, Microsoft adopted a Zero Trust security model, which manages risk and secures working remotely by managing the device an employee uses.

“Before an employee can access an application, they must enroll their device, have relevant security policies, and have their device health validated,” Patton says. “This ensures that only registered devices that comply with company security policies can access corporate resources, which reduces the risk of malware and intruders.”

The team also recommends using a dynamic and scalable authentication mechanism, like Azure Active Directory, to avoid the trouble of managing certificates.

While most employees rely on our standard VPN infrastructure, Microsoft has specific scenarios that call for additional security when accessing company infrastructure or sensitive data. This is the case for MDEE employees in owner and contributor roles that are configured on a Microsoft Azure subscription as well as employees who make changes to customer-facing production services and systems like firewalls and network gear. To access corporate resources, these employees use Privileged Access Workstations, a dedicated operating system for sensitive tasks, to access a highly secure VPN infrastructure.

Phil Suver, a principal PM manager in MDEE, says working remotely during the global pandemic gives employees a sense of what the Zero Trust experience will be like when they return to the office.

“Hardened local area networks that previously accessed internal applications are a model of the past,” Suver says. “We see split tunneling as a gateway to prepare our workforce for our Zero Trust Networking posture, where user devices are highly protected from vulnerability and employees use the internet for their predominant workload.”

It’s also important to review your VPN structure for updates.

“When evaluating your VPN configuration, identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures,” Patton says. “Understand the security controls you give up by not flowing the connections through your internal infrastructure. Then, look at the controls you’re able to extend to the clients themselves, and find the right balance of risk and productivity that fits your organization.”

Keeping your devices up-to-date with split tunneling

Enterprises can also optimize patching and manage update compliance using services like Microsoft Endpoint Manager, Microsoft Intune, and Windows Update for Business. At Microsoft, a split-tunneled VPN configuration allows these services to keep devices current without requiring a VPN tunnel to do it.

“With a split-tunneled configuration, update traffic comes through the internet,” says Mike Carlson, a principal service engineering manager in MDEE. “This improves the user experience for employees by freeing up VPN bandwidth during patch and release cycles.”

At Microsoft, device updates fall into two categories: feature updates and quality updates. Feature updates occur every six months and encompass new operating system features, functionality, and major bug fixes. In contrast, monthly quality updates include security and reliability updates as well as small bug fixes. To balance both user experience and security, Microsoft’s current configuration of Windows Update for Business prompts Microsoft employees to update within 48 hours for quality updates and 7 days for feature updates.

“Not only can Windows Update for Business isolate update traffic from the VPN connection, but it can also provide better compliance management by using the deadline feature to adjust the timing of quality and feature updates,” Carlson says. “We can quickly drive compliance and have more time to focus on employees that may need additional support.”

Evaluating your VPN configuration

When your enterprise evaluates which VPN configuration works best for your company and users, you must evaluate their workflows.

“Some companies may need a full tunnel configuration, and others might want something cloud-based,” Means says. “If you’re a Microsoft customer, you can work with your sales team to request a customer engagement with a Microsoft expert to better understand our implementation and whether it would work for your enterprise.”

Means also said that it’s important to assess the legal requirements of the countries you operate in, which is done at Microsoft using Azure Traffic Manager. For example, split tunneling may not be the right configuration for countries with tighter controls over how traffic flows within and beyond their borders.

Suver also emphasized the importance of understanding the persona of your workforce, suggesting you should assess the workloads they may need to use remotely and their bandwidth capacity. You should also consider the maximum number of concurrent connections your VPN infrastructure supports and think through potential seasonal disruptions.

“Ensure that you’ve built for a snow day or a pandemic of a global nature,” Suver says. “We’ve had to send thousands of customer support agents to work from home. Typically, they didn’t use VPN to have voice conversations with customers. Because we sized and distributed our infrastructure for a global workforce, we were able to quickly adapt to the dramatic shift in workloads that have come from our employees working from home during the pandemic. Anticipate some of the changes in workflow that might occur, and test for those conditions.”

It’s also important to collect user connection and traffic data in a central location for your VPN infrastructure, to use modern visualization services like Microsoft Power BI to identify hot spots before they happen, and to plan for growth.

Means’s biggest piece of advice?

Focus on what your enterprise needs and go from there.

“Identify what you want to access and what you want to protect,” he says. “Then build to that model.”

Tips for retooling VPN at your company

Azure offers a native, highly-scalable VPN gateway, and the most common third-party VPN and Software-Defined Wide Area Network virtual appliances in the Azure Marketplace.


The post Using a Zero Trust strategy to secure Microsoft’s network during remote work appeared first on Inside Track Blog.

Looking back at deployment of Windows 11 at Microsoft http://approjects.co.za/?big=insidetrack/blog/looking-back-at-deployment-of-windows-11-at-microsoft/ Fri, 15 Mar 2024 15:09:28 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=10121

Microsoft Digital technical stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Windows 11, built on the same foundation as Windows 10, came to us at a time when Microsoft needed to manage a distributed workforce. Historically speaking, it’s not easy to roll out a new operating system across an enterprise as large and complex as ours, but the similarities to Windows 10 meant Windows 11 could leverage existing deployment capabilities, scenarios, and tools. Utilizing these familiar tools and processes allowed us to deploy to 90 percent of eligible devices in five weeks, making the Windows 11 deployment the easiest and least disruptive release experienced to date.

“In nearly every way, Windows 11 Enterprise deploys just like any other Windows 10 feature update,” says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company. “When you look at the data, our time to deploy, and the number of support contacts, Windows 11 is the most successful Windows deployment in our history.”

It took our Microsoft Digital Employee Experience team fewer IT resources than ever to move to Windows 11. Most importantly, it wasn’t a burden on our employees. Our Windows 11 deployment enabled us to protect our environment, empower our people, and do so without embarking on an expensive or complicated venture.

“We’ve had a great experience with Windows 11,” D’Hers says. “Our migration was smooth and keeping it up to date has been even easier.”

[Take a look at our rich set of content that chronicles our move to Windows 11. Learn more about Microsoft’s speedy upgrade to Windows 11. Discover how the new Windows 11 security features are designed for hybrid work.]

Why was it so important for us to move to Windows 11?

It’s easy to look at Microsoft and say, “Sure, you’re a giant tech company, you have all these hardware and IT resources, it must be so easy for you to stay current!”

It’s not that simple.

In our attempt to become an evergreen platform, an operating system-as-a-service, we recognized a need to promote a hardware baseline that would ensure specific productivity and secure-by-default functions are available to users. These requirements meant that some devices running Windows 10 would not be eligible, which created a need to delineate the two products. Windows 11 would run side-by-side with Windows 10, albeit only on devices that met the hardware requirements.

Still, when all is said and done, Windows 11 is based on all the same fundamentals as Windows 10.

And there are a lot of benefits to this.

It allows us to promote adoption without the risk of our apps suddenly breaking. App compatibility between Windows 10 and Windows 11 is more than 99 percent.

In fact, Windows 11 and Windows 10 are so similar, we can run them side-by-side with the same tools. That’s why we were able to manage the Windows 11 Enterprise deployment like previous Windows 10 updates using Windows Update for Business deployment service policies.

Windows 11 is definitely an upgrade from Windows 10, but rolled out and adopted like a typical update. The baseline hardware requirements enable us to provide our people with a more secure and productive environment. We quickly experienced the benefits of Windows 11 security enhancements and new productivity tools to enable exceptional work.

Microsoft’s move to Windows 11 is the company’s most successful Windows upgrade in its history, says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience.

A more efficient experience

Prior to migrating to Windows Update for Business deployment service, deploying Windows feature updates would be a complicated, long-term project.

“We had to create multiple packages, both 64- and 32-bit versions and for each of the supported languages used in our environment,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience. “Each package was tested and then deployed to multiple distribution points globally for each update. The deployment also relied on a task sequence to download and install the updates on devices which could easily be disrupted.”

This effort could take weeks or even several months.

Furthermore, the process was costly, requiring physical infrastructure dependencies for hosting packages. Gearing up for a new release would also require additional augmented staffing to help run the deployments. To top it off, network and VPN bandwidth limitations could create frustrating delays and interruptions for employees trying to install an update depending on their location.

Moving to Windows Update for Business policies saved both time and money without hurting adoption. The first release to benefit, the Windows 10 October 2018 Update, saw 95 percent adoption within 10 weeks of a feature update being made available to devices. It’s only gotten better since then.

The service eliminated the need for packaging, replication, and publishing activities. All in, Microsoft Digital Employee Experience saved 120 hours of work per deployment along with an additional 90 hours in testing. Further savings were achieved by reducing the reliance on augmented staff to support deployments.

By the time Windows 11 was ready for release in 2021, we had access to Windows Update for Business deployment service.

“This made setting up the deployment even easier,” Gonis says. “Windows Update for Business deployment service reduced administrative overhead considerably by eliminating the need to manually create deployment waves.”

Windows Update for Business deployment service calculates the number of devices based on the initial configuration and deploys more frequently and efficiently to the population. Supplementing this effort, Windows Update for Business reports show us what to target, making it easy to exclude ineligible devices.

Knowing that the Windows 11 Enterprise deployment would be managed by the same technology and processes we rely on for feature updates made it a safe decision. Knowing that it could be done without incurring significant costs made it an easy one.

A faster experience

The key to Microsoft’s successful move to Windows 11 was Windows Update for Business deployment service, says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience.

There is another reason we were so confident in the Windows 11 Enterprise deployment. We knew users would benefit from new productivity features without having the upgrade cut into their day.

“A device is your connection to your work experience, especially when you can’t go into the office,” D’Hers says. “Your device shouldn’t get in the way of what you’re doing, so we wanted to make sure our employees had a good upgrade experience.”

We knew certain features in Windows 11—including an improved user interface, tighter integration of Microsoft Teams across apps, and snap layouts—would help our people stay engaged throughout their day. We also knew users would avoid the upgrade if it prevented them from doing their work or became a nuisance.

To create a disruption-free experience, Windows 11 simply downloads and installs in the background and alerts the user when the device is ready. A quick restart finishes the installation, which can be scheduled to take place during non-work hours. As soon as 20 minutes later, the employee is up and running in Windows 11.

The improved update experience, flexibility, and increased end-user control around the update was an enormous success with our people. User sentiment scores for the Windows 11 Enterprise deployment averaged a full 18 points higher than the latest Windows 10 release. This is the highest satisfaction score we have ever seen for a deployment, and it’s significantly higher than the highest score ever received pre-Windows Update for Business, which was 112.

“There were no major incidents reported through support channels directly related to the Windows 11 update nor the deployment,” Gonis says. “The overall incident count unique to Windows 11 was limited to 398 across the entire 225,000 device deployment, with any additional incidents associated with random infrastructure or device management issues that one typically experiences in an enterprise environment.”

Overall, this represents a 40 percent decrease in helpdesk incidents compared to pre-Windows Update for Business deployments.

Each successive version of Windows has brought refinement and optimization to the deployment process. Windows 11 built on this refinement to become the best experience to date. By making the deployment process quick and easy, users gain important productivity features while also taking advantage of new baseline protections.

Secure by default

Windows 11 is about security from the ground up.

“It’s strategic level-setting,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the division responsible for protecting the company and our products. “At a high level, Windows 11 enforces sets of functionalities we need to make the environment secure by default.”

Windows 11 moved us to having more features be secure by default, says Carmichael Patton, a principal program manager with the Microsoft Digital Security and Resilience team.

To be eligible for a Windows 11 upgrade, a device must meet certain hardware specifications, including TPM 2.0. Because of these new hardware requirements, encryption keys, user credentials, and other vital information are protected from unauthorized access and tampering.

As a result, we can take existing security features found in Windows and allow them to reach their full potential. Windows 11 empowers users to have the same great Windows experience they expect without concession.

“Windows has always let you install whatever you want from wherever,” Patton says, noting that this important level of control is also a way malware can get on your device. “We can now use hardware-backed features in Windows 11 to put policies in place that still enable users to have flexibility in choosing their own applications without compromising security.”

Windows 11 continually updates this app control policy so that common and known safe apps are permitted while dangerous, unknown, and potentially malicious apps are blocked.

The same hardware-backed protections extend to user identities. Windows Defender Credential Guard and credential isolation with Local Security Authority (LSA) protection are now enabled by default on Windows 11 Enterprise edition. Both protections make it harder for attackers to infiltrate devices and steal a user’s identity.

Microsoft Defender SmartScreen can detect and warn users who are about to enter passwords into an app or website that’s known to be compromised. The feature further improves user security by promoting good password hygiene and alerts users when they perform unsafe credential practices, like saving passwords in a text file.

“Windows 10 could do a lot by configuration but not by default,” Patton says. “Windows 11 moved us to having more features be secure by default. Each new release adds more secure-by-default features.”

Now that we have this security baseline provided by hardware and software synergies, we can enforce security functions in the pipeline for Windows 11.

The Windows 11 experience

We’re now a year into Windows 11 including deploying its first major update, and we can see how deployments continue to become faster, more efficient, and less disruptive. This is in large part because we do not need to adopt any new device management tools or processes. We can run Windows 11 alongside Windows 10 using the same systems.

“Updating Windows 11 is getting even faster with the download and install phases shortening from 90 to an average of 60 minutes in the background and an average 20-minute final restart,” Gonis says. “Most people at Microsoft have a device that can run Windows 11 and, by March, we reached a 97 percent compliance rate.”

Deployment of the Windows 11 2022 Update was even faster than the original release, with over 90 percent adoption in just under five weeks. Excitement around the release resulted in a 50 percent increase in employees installing the update prior to its public release.

This means users are getting the security and productivity features they need to have the best experience possible now and in the future.

Modern hardware running a modern operating system will result in a better experience for everyone involved. Windows 11 serves as a baseline that allows us to easily see the state of security at Microsoft. By lifting the hardware floor, we can ensure users have consistent performance and protection in place.

Key Takeaways

  • Windows 11 strengthens your security posture, allowing you to offload legacy security solutions and centralize administration.
  • Consistency in system integrations and user experiences between Windows 10 and Windows 11 makes it easy to transition without having to adopt new applications or management solutions.
  • Windows Autopilot allows OEMs to automatically register devices in Intune, avoiding manual steps and allowing an organization to preconfigure new devices before distributing them to employees.
  • Windows Update for Business deployment service allows IT administrators to easily segment devices, organizations, and teams to better target deployments. This makes exceptions easier to manage.

Windows 11 boosts employee engagement at Microsoft http://approjects.co.za/?big=insidetrack/blog/windows-11-boosts-employee-engagement-at-microsoft/ Fri, 02 Feb 2024 17:00:51 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=7968

Microsoft Digital Perspectives

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

The importance of employee engagement can’t be overstated.

In the wake of the pandemic, the world saw an unprecedented shift in employee behavior and loyalty resulting in a record number of people leaving their jobs. Initially coined as “The Great Resignation” or “Big Quit,” these voluntary resignations were first believed to be a result of companies not meeting tangible employee engagement demands such as wages or working conditions. When leaders took a deeper look, they soon realized that The Great Reshuffle was more about employees rethinking how and if the employee experience aligns with their individual goals and core values.

Now, more than ever, the employee experience is top of mind for business leaders. Employees are one of an organization’s most significant competitive advantages, and today they are cautiously choosing the level of engagement they want to have with their employer.

Meet the author: Sean MacDonald leads the Microsoft Digital Employee Experience team that deployed Windows 11 internally at Microsoft. MacDonald is a partner director of program management.

Like any other company, at Microsoft, we keep learning, adapting, and adopting new ways to approach employee engagement. This includes a laser focus on the tools and technology available to ensure an empowering workplace experience, all while navigating the ongoing challenges of the pandemic and the new normal that hybrid work presents.

Windows 11—with its redesigned experience that puts users at its center—is just one way we’re transforming how we engage with our employees.

Nathalie D’Hers, corporate vice president of the Microsoft Digital Employee Experience team, says it’s about empowering everyone to do their best work. As she puts it, “We are stewards of the employee experience, so we have to obsess over every detail of the online and in-person experience for our employees.”

Obsessing means enabling a secure, collaborative, and personalized work environment both at the individual and collective level. On October 7, 2021, we deployed Windows 11 to 190,000 employee devices worldwide to lead the hybrid work transformation and inspire both employees and customers.

At Microsoft, our Customer Zero approach means testing our own technologies and solutions first so we can learn, validate, and scale in the market. We’re six months into internal adoption, and employees are already seeing the benefits and improvements offered by Windows 11. Early adoption can also come with challenges, so sharing our Customer Zero experiences—the good and the bad—with customers is part of the journey.

Employee experience in action

Windows is and always has been the place for people to “do great things.” From its inception, Windows 11 has been a familiar and trusted companion, and one of the most secure platforms ever with built-in and turned-on security by design. You can read more about how Windows 11 enables security by design here.

When Windows 11 became available to the public, Panos Panay, Microsoft’s chief product officer of Windows and Devices, called it “a place that feels like home” and a technology that “provides a sense of calm and openness.”

Some of our employees couldn’t agree more.

Daniel Hidalgo, product marketing manager for the Microsoft Modern Work team, found himself in a disheartening situation last year when he visited his family in Ecuador and his father fell ill.

“It was supposed to be a two-week trip,” he tells me. “Unfortunately, my dad ended up hospitalized and this changed plans for me.”

His new plans included working remotely and during odd hours of the day to help care for his family through his father’s recovery. “Being the oldest of four children, I knew there was no other choice for me but to stay and see it through,” Daniel says.

Daniel was able to navigate his family circumstances and stay securely connected to work while being almost five thousand miles away from his physical office in Seattle. However, being able to work remotely in a secure manner is not all that mattered to him.

“To me, beyond being productive, feeling present as a remote worker during this time was extremely important. Being able to take a Teams call from the hospital made all the difference in the world. I felt connected and appreciated.”

What Daniel is describing is that sense of home.

Learning how employees like Daniel want to interact and engage in the workplace influenced many innovations and features of Windows 11. We take great pride in creating human connectedness across every touchpoint we have with our employees in ways that enable them to have positive experiences at work. We listen to their feedback and take their insights to our product groups, which makes our products better.

Smooth Windows 11 upgrade

Our Employee Experience engineering team loves how easy and fast the deployment of Windows 11 was and how few people it took to roll it out.

“Our support channels were quiet,” recalls Biswa Jaysingh, a principal group program manager whose team’s main goal is to ensure that there is no user disruption during operating system updates. “We didn’t see major issues reported. There were no spikes or trends during deployment.”

Windows 11 implementation is fast and easy to scale.

—Sean MacDonald, partner director of program management, Microsoft Digital Employee Experience

Every successful deployment is a result of early planning, good preparation, and a solid deployment plan. However, one thing that made this latest deployment such a swift operation was that the same trusted practices used to install Windows 10 could also be used to install Windows 11. This ensured a smooth rollout.

Employee and customer experiences will always continue to evolve, and it’s paramount that Windows continues to do the same. Meeting the most critical needs of our global users is at the forefront of everything we do, and the intent of Windows 11 is to fulfill those all-important needs.

Key Takeaways

  • Preparing your teams ahead of time will lead to fast and easy implementation: Windows 11 implementation is fast and easy to scale. But as you take inventory of devices and prepare the infrastructure, you may find that there are teams that need to be excluded from the deployment for specific reasons. Prepare ahead of time for this type of scenario to accommodate those exclusions.
  • Build listening systems: Ensure your communications plan includes listening systems where your employees can share their experience and perspectives. While there was not a lot of noise in our support channels, our support teams did see a lot of questions and fan conversations related to new features on social channels like Yammer.
  • Be transparent in your deployment path: Some devices may not be immediately eligible or ready for deployment. This can create frustration for employees who are eager to upgrade. Sharing the deployment methodology with your employees, including what they can expect based on their device eligibility, will build trust and foster patience as you navigate toward 100 percent adoption.

Unlocking employee self-service with Windows 365 Cloud PCs at Microsoft http://approjects.co.za/?big=insidetrack/blog/unlocking-employee-self-service-with-windows-365-cloud-pcs-at-microsoft/ Thu, 25 Jan 2024 17:00:26 +0000 http://approjects.co.za/?big=insidetrack/blog/?p=13132

Windows 365 is driving the next evolution of desktop virtualization by combining the power and security of the Microsoft Cloud with the versatility and simplicity of the PC.

Windows 365 Cloud PCs let you securely stream your Windows experience, including your personalized apps, content, and settings, from the Microsoft Cloud. Employees can access their personalized Cloud PC on any device.

At Microsoft Digital (MSD), the organization that supports, protects, and empowers Microsoft employees through technology, we’re discovering new and innovative ways we can use Windows 365 to improve the daily lives of employees across Microsoft.

“We see ourselves as the real Customer Zero,” says Carl McBain, director of IT service management for MSD. “So, we’re always looking for opportunities to use new Microsoft products and services as an internal support organization.”

For us, two key self-service use cases are emerging as big winners when it comes to deploying Windows 365 Cloud PCs:

  • Our Techlink device loaner program provides temporary Cloud PCs when employees’ physical hardware is under repair.
  • An alternative option for when employees replace their physical PCs as part of the device refresh cycle.

An elastic PC that unlocks scale and flexibility

By securely streaming the Windows experience from the Microsoft Cloud to any device, Windows 365 unlocks flexibility, scalability, and ease of management while simplifying PC provisioning—regardless of an IT admin’s experience with virtualization.

“With Windows 365, we have SaaS-ifed the power of Windows,” says Scott Manchester, vice president of Windows Cloud products. “Cloud PCs give organizations the benefit of elasticity across multiple dimensions—scale, power, security and flexibility.”

That’s especially useful in hybrid work environments or settings where users have diverse or shifting device needs. Think contractors and interns, customer-facing agents moving from kiosk to kiosk, or frequent travelers.

In Microsoft Digital, we’re able to use Windows 365 Cloud PCs to quickly help our employees get up and running again when their primary PC stops working.

“Windows 365 is great for serving an immediate need for a dedicated PC,” says Dave Rodriguez, principal product manager on the Frictionless Devices team in MSD. “Employees can have a dedicated Cloud PC with all their Microsoft 365 apps ready to go, and if they’re an existing employee, their OneDrive data automatically syncs to the device, similar to how we provision a physical PC with Autopilot.”

New approaches to PC provisioning for Microsoft employees

For us, Windows 365 doesn’t just simplify processes that have the potential for frustration and inefficiency. It also unlocks opportunities for self-service, giving employees the chance to choose the technology that meets their needs in the context that suits them best.

“From an operational standpoint, our goal is making things as simple as possible for our technicians and returning employees to productivity as soon as we can,” McBain says.

For our Techlink loaner program and device refresh alternative, we used the process automation capabilities of our ServiceNow enterprise installation to create a first-of-its-kind Windows 365 self-serve request solution. Powered by Microsoft Intune Endpoint Privilege Management, this solution has several benefits that include reducing operations overhead, improving user productivity, and enhancing device security by leaning into Zero Trust principles through the standard user profile for Windows 365.

Techlink loaner program

Like many processes, our Techlink reimaging, repair, and break-fix loaner services had to evolve rapidly because of COVID-19. Microsoft’s transition to a hybrid work model meant we needed to de-emphasize physical service locations and onsite, walk-up support.

The Windows Cloud product group and MSD partnered to present Windows 365 Cloud PCs as ideal alternatives to physical retrieval options like simplified Techlink dispatch locations or digital lockers. As a result, we launched Cloud PCs as a self-service request option within our IT service catalog and made 200 Windows 365 licenses available in our initial loaner pool.

When an employee experiences a device issue, they can initiate a service request within our standard Techlink support portal. The service request pushes them through a workflow that gathers all the necessary approvals and initiates Cloud PC provisioning. Less than an hour later, the employee receives access to a Windows 365 Cloud PC, allowing them to get to their personal files, apps, data, and settings from any device, whether it’s their own or a spare machine someone shares with them.

“Microsoft is a massive company with so many internal sites to access,” says Tony Bouker, solution delivery product manager for ServiceNow at Microsoft. “Self-service through our unified ServiceNow solution helps people find things more easily, and it also has the side effect of deflecting some requests that might otherwise come to MSD help desks.”

The result? Our Techlink support specialists save time by avoiding lengthy reimaging processes for physical loaner devices, and our employees get back to work faster.

Dave Rodriguez, Tony Bouker, Scott Manchester, and Carl McBain have worked together across Microsoft Digital and the Windows Cloud product team to implement our self-service PC provisioning solution.

Device refresh alternative

Providing Windows 365 Cloud PCs as an alternative to physical devices during the hardware refresh cycle follows a similar process, but it’s driven by different needs. Employees might love the layout or familiarity of their physical devices, but the hardware is outdated. More advanced users might want to pair their device’s local computing power with a Windows 365 Cloud PC that’s backed by Azure to boost productivity.

Whatever the reasons, spinning up a Cloud PC on one of your devices instead of buying a new one can have a positive impact on both operations and cost-savings.

When an employee discovers they’re eligible for a device refresh via their administrator or an automated invitation, they access our TechWeb service portal, where they learn about Windows 365. The portal directs them to a workflow where they can select the Cloud PC configuration and start the approval and provisioning process. After that process is complete, they’ll be provisioned with a new Cloud PC in less than an hour—a huge step up from the days or weeks getting a physical device replacement might take.

Linking self-service integration to PC provisioning simplicity

On our employee enablement journey, we’ve learned that choice and self-determination help drive effective self-service. So a tool like ServiceNow, which helps us realize the value of Windows 365 for employees quickly and painlessly, not only saves time and money but leads to better outcomes for employees.

“In our scenarios, the ServiceNow workflow launches after the employee makes their request through a questionnaire detailing parameters including device needs and region,” Bouker says. “We’ve configured the workflow to check things like Cloud PC eligibility before passing the request along to the employee’s approving manager and then to MSD for the provisioning stage.”

After the workflow, ServiceNow’s integration with tools like Microsoft Entra ID, Microsoft Intune, and Microsoft 365 security features makes deployment simple. The requesting employee gets placed in a Microsoft Entra ID group, and that triggers a provisioning workflow, including the creation of the Cloud PC, a final MSD review, and a notification to the Cloud PC recipient that they’re all set.

Our self-service workflow for provisioning Windows 365 Cloud PCs.

“We built Windows 365 to integrate easily with traditional IT workflows, and we invest in APIs to ensure we can automate processes and deliver this IT service model effectively,” Manchester says. “It’s all about the simplicity of spinning Cloud PCs up and down so we can empower people who make device decisions but don’t have virtual desktop infrastructure (VDI) expertise.”

Many organizations don’t have Microsoft’s substantial IT resources or VDI experience. For those businesses, automating Windows 365 self-service Cloud PC provisioning through ServiceNow has enormous potential.

Accelerating the next phase of cloud transformation

Simplicity and value mean these kinds of programs are accelerating quickly. “Windows 365 is our fastest-growing new service in MSD, with over 200 percent growth this fiscal year,” Rodriguez says.

Within the Techlink loaner program, we’ve already reached our initial 200 Cloud PC loaner capacity, and demand remains high.

“We estimate that our support technicians are saving as many as three hours per request,” Rodriguez says. “And of course, with Cloud PCs spinning up within an hour of approval, our employees can get back to work much faster than ever before. That’s something everyone can get on board with.”

It’s about creating better experiences for our employees.

“It’s not just about making something IT loves,” Manchester says. “It’s about making something every employee loves.”

Key Takeaways

Here are some tips for getting started with Windows 365 at your company:

  • Evaluate potential use cases where Windows 365 could transform your organization, where flexibility and scalability are table stakes.
  • Use existing tools like Intune and Microsoft Entra ID to simplify desktop management and integrate with Windows 365 Cloud PCs.
  • Consider implementing a self-serve request solution to enable on-demand access to Windows 365 Cloud PCs, reducing IT admin overhead and enhancing user choice and flexibility.
  • Pilot, try the program out, and gather feedback as a gateway to general implementation.
  • Measure the benefits of using Cloud PCs for different use cases. Those include improved user productivity, reduced operations overhead, and improved device security.
  • Think through all the workflow permutations you might encounter to help capture edge cases and inefficiencies.
  • Use automation and Zero Trust principles to ensure you’re capturing the benefits of Cloud PCs securely.

Insights you can use: Microsoft’s internal upgrade to Windows 11
http://approjects.co.za/?big=insidetrack/blog/insights-you-can-use-microsofts-internal-upgrade-to-windows-11/
Mon, 22 Jan 2024 17:00:46 +0000

Microsoft’s upgrade to Windows 11 was the smoothest in company history. The Microsoft Digital Employee Experience team was able to upgrade 190,000 employee devices in just five weeks. And we learned a lot! Here are our key learnings to help with your own deployment journey.

Why did we succeed?

  • Fewer app compatibility challenges
  • No need for complex disk images
  • Delivery processes and tools that were already optimized during the rollout of Windows 10

We divided our upgrade into three stages: plan, prepare, and deploy.

Start with a good plan

First, we determined which devices could be upgraded. Windows 11 has specific hardware requirements, and not all devices were eligible to be upgraded. Employees with these devices will continue to run Windows 10—when their current PC is ready for an upgrade, they’ll get a device that runs Windows 11. We used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature to evaluate our device population. In total, 190,000 devices qualified for the upgrade, and 99 percent of upgrades were successful.

Knowing which devices were upgradable enabled us to create a clear timeline, helping our communications team to land the upgrade with our employees. We used a ring-based approach to manage the upgrade, which allowed us to gradually release Windows 11 across the company.

Prepare readiness content

Past upgrades didn’t always go smoothly—system crashes, blue screens, incompatible hardware all led to communications challenges as we tried to mitigate upgrade issues. But with Windows 11, knowing that upgrades were mostly smooth, we were able to focus our communications on building excitement. The goal? Make readiness content easily digestible for everyone. We used Yammer, FAQs, Microsoft SharePoint, email, Microsoft Teams, our internal homepage, and digital signage to reach employees. We drove interest by focusing on Windows’ new look and feel, exciting new features, and by assuring users that the upgrade would be fast—and completed on their schedule.

Employees who were eager to upgrade were encouraged to use the PC Health Check app to test if their device qualified.

While our Support team didn’t get many tickets related to the upgrade process, they were still prepared—they were some of the first users of Windows 11 at Microsoft.

Test and measure

We used Microsoft Power BI to measure our success against our upgrade goals and to identify learnings along the way. We tracked the number of devices that we needed to upgrade by country and region, by eligibility, and by adoption. This allowed us to identify and communicate with those who didn’t qualify for an update.

Deploying Windows 11

We used Windows Update for Business deployment service to automate the upgrade. It helped us manage exclusions and opt-outs and, if needed, made it easy to roll back a device to Windows 10.

Our success hinged on setting up the right policies ahead of time. This allowed us to do things like:

  • Minimize how many alerts an employee would receive before their device was upgraded.
  • Reduce the number of policies that the deployment team needed to manage during the upgrade.

Timeline showing steps in Microsoft's internal upgrade to Windows 11.
Effective end-to-end communication was key to the upgrade.

Help from Windows Autopilot

We used Windows Autopilot to make sure all new devices come preloaded with Windows 11—a new device only needs to be turned on for Windows Autopilot to kick in and configure everything for the employee.

Succeeding with Windows 11

The upgrade to Windows 11 was a huge success. We had no increase in support tickets, we had broad adoption across the company, and it was the fastest operating system deployment in company history. We hope that sharing our story helps you tackle your Windows 11 upgrade.

Key Takeaways

  • The disruption-free deployment of Windows 11 was powered by the same tools and practices Microsoft Digital used for Windows 10.
  • Since Windows 10 and Windows 11 can be managed side-by-side, employees will use their current devices until it’s time for a refresh.
  • Apps that work on Windows 10 work on Windows 11. An improved user interface improves employee productivity.
  • As customer zero, Microsoft employees take on the role of providing feedback and suggesting improvements from an enterprise perspective. Listen to your own employees throughout the upgrade process to ensure your upgrade is as successful as ours!

Unpacking Microsoft’s speedy upgrade to Windows 11
http://approjects.co.za/?big=insidetrack/blog/unpacking-microsofts-speedy-upgrade-to-windows-11/
Wed, 17 Jan 2024 13:24:19 +0000

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Like our customers, we at Microsoft have a strong business need to address the new challenges created by remote and hybrid work. The internal adoption of Windows 11 is helping our company meet those needs, while enabling our employees to work smarter and more securely, regardless of where they are.

Upgrading to Windows 11 at Microsoft

Our priority in rolling out Windows 11 internally was to provide employees uninterrupted access to a safe and productive workspace while giving them a chance to try out the new operating system.

Introducing a new operating system, especially across a distributed workforce, naturally led to questions about device downtime and app compatibility. However, with established practices and evolved solutions in hand, historical obstacles became just that—a thing of the past. The rollout of Windows 11 at Microsoft was our most streamlined to date, frictionlessly delivering employees the latest operating system in record time.

What made the deployment of Windows 11 a success?

Over the past decade, our Microsoft Digital Employee Experience team, the organization that powers, protects, and transforms employee experiences, has worked closely with teams such as the Windows product group to improve how it runs Microsoft’s updates, upgrades, and deployments.

Whereas significant time and resources were once dedicated to testing app compatibility, building out multiple disk images, and managing a complex delivery method, processes and tools introduced during Windows 10 have streamlined upgrades and enabled the transformation to a frictionless experience.

Data from App Assure, a Microsoft service available to all customers with eligible subscriptions, shows the company had 99.7 percent compatibility for all apps in Windows 11—that eliminated the need for extensive testing. It also meant that employees’ Windows 10 apps work seamlessly in Windows 11. Additionally, Microsoft Endpoint Manager and Windows Update for Business eliminated the need for using more than one disk image and made it easier for employees to get Windows 11.

Our Microsoft Digital Employee Experience team relied on the same familiar tools and process as a Windows 10 feature update to quickly deliver the upgrade to employees.

The upgrade was divided into three parts:

Plan: Identify an execution and communication plan, then develop a timeline

Prepare: Establish reporting systems, run tests, ready employees, and build backend services

Deploy: Deploy Windows 11 to eligible devices

It all starts with a good plan

We at Microsoft Digital Employee Experience have a successful history of deploying new services, apps, and operating systems to employees. And it all starts at the same place—creating a disruption-free strategy that enables employees to embrace the latest technology as soon as possible without sacrificing productivity.

Assess the environment

Before the deployment of Windows 11 could begin, we had to take a careful inventory of all devices at Microsoft and determine which ones to target. Windows 11 has specific hardware requirements, and a percentage of employees running ineligible devices meant that not every device would be upgraded. Employees with these devices will upgrade to Windows 11 during their next device refresh.

To evaluate the device population, we used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature. This allowed our team to generate reports on devices that either met or failed to comply with minimum specifications. For example, certain devices, especially older desktops, lacked the Trusted Platform Module 2.0 (TPM) chipset requirements for security in Windows 11.

In the end, 190,000 devices were deemed eligible based on hardware and role requirements. Over the course of five weeks, our Microsoft Digital Employee Experience team deployed Windows 11 to 99 percent of qualifying devices.

Address ineligible devices and exclusions

After evaluating the broad population of devices, our team developed a plan for devices that would not receive a Windows 11 upgrade. Since Windows 10 and Windows 11 can be seamlessly managed side-by-side within the same management system, we only had to designate the number of devices that would not receive the upgrade. Using Update Compliance to inform deployment policies, we applied controls on ineligible devices, automatically skipping them during deployment. These measures made it easy to know why a device didn’t upgrade, but also assured a disruption-free experience for both employees and those on our team responsible for managing the upgrade.

These controls also allowed the company to bypass deployment on any device that had been incorrectly targeted for an upgrade.

Ineligible devices. Windows 10 and Windows 11 can be managed side-by-side and will be supported concurrently at Microsoft until all devices are upgraded or retired. As devices are refreshed, more and more of our employees will gain access to Windows 11.

Devices that should not receive the upgrade. Other devices, like servers and test labs—where we validate new products on previous operating systems—were issued controls and excluded from receiving Windows 11.

Establish a deployment timeline

Once upgradeable devices were identified, our team was able to create a clear timeline. From this schedule, our communications team developed an outreach plan, support teams readied the helpdesk, and the deployment team developed critical reporting mechanisms to track progress.

For the deployment itself, our team used a ring-based approach to segment the deployment into several waves. This allowed us to gradually release Windows 11 across the company, reducing the risk of disruption.

Graphic showing Microsoft's internal Windows 11 upgrade milestones on a timeline.
Microsoft’s internal upgrade to Windows 11 hinged on effective end-to-end communication.

Create a rollback plan

Windows 11 has built-in support for rolling back to Windows 10 with a default window of 10 days after installation. If needed, our Microsoft Digital Employee Experience team could have revised this period via group policy or script using Microsoft Intune. Post-upgrade, there wasn’t much demand for a rollback, but the strategic release cadence that the team used, paired with the rollback capability, gave our team an easy way to quickly revert devices that might require going back to Windows 10 for a business need.

Preparing for success

Prior to starting the Windows 11 upgrade, we asked employees to complete pre-work needed for a successful upgrade. Because the upgrade was so smooth, only light readiness communications were needed. Instead, we focused on ensuring that employees were aware and excited about the benefits of Windows 11 and that they were ready to share their feedback on what it was like to use it.

Reach everyone

To maximize the impact of our communications, our team readied content that was digestible for every employee, regardless of role. Employees needed clear and concise messaging that would resonate, so that they could understand what Windows 11 would mean for them.

Our team in Microsoft Digital Employee Experience targeted a variety of established channels, including Yammer, FAQs on Microsoft SharePoint, email, Microsoft Teams, Microsoft’s internal homepage, and digital signage to promote Windows 11.

To generate interest, our materials focused on:

  • The new look and features of Windows 11, designed for hybrid work and built on Zero Trust
  • Flexible and easy upgrade options, including the ability to schedule upgrades at a time that worked best for the employee
  • The speed at which employees could be up and running Windows 11, as quickly as 20 minutes
  • New terms related to Windows 11 and where employees could go to learn more

An entire page on our company’s internal helpdesk site was dedicated to links related to the upgrade, including Microsoft Docs, where users could find a comprehensive library on new features.

Executive announcements from company leadership also conveyed the benefit of moving to Windows 11 and the ease with which it could be done.

Set expectations

Our team directed employees waiting to see if their device met Windows 11’s hardware requirements to the PC Health Check app. At an enterprise level, the team relied on Update Compliance to assess the device population.

We also used this opportunity to reinforce messaging to Windows 10 users—both operating systems would continue to operate side-by-side until all devices were refreshed. This helped ease concerns for employees who had to wait for an upgrade.

Ready support

Getting the deployment right wasn’t just about sending messages outward. Our team needed to receive and respond to employee questions before, during, and after the Windows 11 rollout.

Our support teams were given an opportunity to delve into Windows 11 prior to the deployment, which, based on experiences with previous upgrades, gave them time to categorize and group by severity any potential issues they might encounter. This familiarity not only helped them give employees informed answers, but also served as another feedback gathering mechanism.

Open for feedback

We run Microsoft on Microsoft technology and we encourage our employees to join the Windows Insider Program, where users are free to provide feedback directly to developers and product teams.

That’s why communications didn’t just focus on what was new with Windows 11, but on how feedback could be shared. If an employee had comments, they submitted them through a Feedback Hub where other employees could upvote tickets, giving visibility to our engineers in Microsoft Digital Employee Experience and the Windows product group.

Pre-work for deployment readiness

In addition to readying employees, we had to make sure all the backend services were in place prior to the deployment. This included building several processes, setting up analytics, and testing.

Establish analytics reports

Evolving beyond previous upgrades, the deployment of Windows 11 was the most data-driven release we have ever done. Looking closer at diagnostic data and creating better adoption reporting gave our team clear data to look at throughout the deployment.

Using Microsoft Power BI, our team could share insights regarding the company’s environment. This better prepared everyone on the team and allowed us to monitor progress during deployment.

Our team captured the following metrics:

  • Device population
  • Devices by country
  • Devices by region
  • Eligibility
  • Adoption

In addition to visibility into project status, access to this data empowered our team to engage employees whose eligible devices did not receive the upgrade.

Build an opt-out process

To accommodate users whose eligible devices might need to be excluded from the deployment, our team created a robust workback plan that included a request and approval process, a tracking system, and a set timeline for how long devices would be excluded from the upgrade.

Our Microsoft Digital Employee Experience team released communications specifying the timeframe for employees to opt out, including process steps. Employees who needed to remove their devices from the upgrade submitted their alias, machine name, and reason for exclusion. From there, our team evaluated their requests. Only users with a business reason were allowed to opt out. For example, Internet Explorer 11 requires Windows 10, so employees who need that browser for testing purposes were allowed to remove their devices from the deployment.

Once we had approved devices for exclusion, a block was put in place to remove them from the deployment. Data gathered during the opt-out process enabled us to follow up with these employees, upgrading them to Windows 11 at a more appropriate time.

Create a security model

At Microsoft, security is always top of mind for us. A careful risk assessment, including testing out a series of threat scenarios, was performed before Windows 11 was deployed across the company.

Our Microsoft Digital Employee Experience team built several specific Windows 11 security policies in a test environment and benchmarked them against policies built for Windows 10.

After testing the policies and scenarios to see if they would have any impact on employees, we found that devices with Windows 11 would meet Microsoft’s rigorous security thresholds without creating any disruptions. Just as importantly, users would experience the same behaviors in Windows 11 as they might expect from Windows 10.

The deployment

A decade ago, our efforts to deploy feature updates could be challenging, as we needed to account for different builds, languages, policies, and more. This required careful management of distribution points and VPNs prior to beginning deployment efforts in earnest.

When Windows 10 was released in 2015, our team used two deployment strategies: one for on-premises managed devices and one for cloud managed devices.

Today, the situation is much simpler.

Launched during the Windows 10 era, Windows Update for Business established some of the trusted practices that make product releases and feature updates a great experience for us here at Microsoft. Windows Update for Business deployment service introduces new efficiencies for our team, consolidating two deployment strategies into one.

For the deployment of Windows 11, our team had an advantage—Windows Update for Business deployment service.

Windows Update for Business deployment service enabled our Microsoft Digital Employee Experience team to grab device IDs from across the environment and use them to automate the deployment. Windows Update for Business deployment service handled all the backend processing and scheduling for us; all we needed to do was determine the start and end dates.

Our team easily managed exclusions and opt-outs with Windows Update for Business deployment service, and when a device needed to be upgraded, the service made it easier to remove it and roll it back to Windows 10.

Importantly, Windows Update for Business deployment service provides a single deployment strategy for us moving forward. Deployment has been simplified, and the data loaded into Windows Update for Business deployment service for this upgrade will help speed up future releases.

Policies for success

We had to decide which policies we wanted to work with for the greatest outcome. This included how many alerts an employee would receive before receiving an upgrade to Windows 11.

Windows Update for Business deployment service reduced the long list of policies that our team needed to manage during deployment. This accelerated deployment without compromising security.

From pilot to global deployment

By structuring the deployment timeline to hit a small group of employees before incrementally moving on to a larger population, our Microsoft Digital Employee Experience team ensured Windows Update for Business deployment service ran as expected and that all required controls and permissions were set.

As our team used the Windows Update for Business deployment service to plot out upgrade waves, Windows 11 downloaded in the background and employees received pop-up alerts when their device was ready. The employee could restart at any time and would boot into Windows 11 after a few automated systems completed the installation. Employees could also schedule Windows 11 to upgrade overnight or during the weekend.

Onboarding OEMs

Working closely with Microsoft Surface and other Original Equipment Manufacturer (OEM) partners, the companies who supply Microsoft with new devices, our team was able to ensure that our employees had Windows 11 pre-loaded onto their PCs. This approach guaranteed that new devices complied with the hardware requirements of the new system.

A new device, straight out of the box, only needs to be powered on and connected to the internet before Windows Autopilot authenticates and configures everything for the user. Once initial setup is complete, Windows Autopilot ensures that new devices are equipped with Windows 11 and all the correct policies and settings.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=1d4z5N5XCsA, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Biswa Jaysingh shares five key learnings from releasing Windows 11 across Microsoft. Jaysingh is a principal group program manager on the Microsoft Digital Employee Experience team.

Entering the next stage of Windows at Microsoft

The deployment of Windows 11 at Microsoft validates our team’s approach to product releases and upgrades. With no measured uptick in support tickets, the deployment of Windows 11 has been a frictionless experience for employees and the wide adoption of new features confirms the value of the effort. The speed at which the team completed the deployment—190,000 devices in five weeks—represents the fastest deployment of a new operating system in company history.

We credit the success of this deployment to good planning, tools, strong communication, and the positive upgrade experience Windows 11 provides.

Windows Update for Business deployment service proved to be a big step in the evolution of how employees get the latest version of Windows. The service’s ease of use meant the team had a higher degree of control, flexibility, and confidence.

The tighter hardware-to-software ecosystem that comes with Windows 11 means our employees and all users of the operating system benefit from richer experiences. This and the integration with Microsoft Teams are just a few examples of what users are seeing now that they’re empowered by Windows 11.

Key Takeaways

  • Understand the hardware eligibility requirements for Windows 11.
  • The better you understand your environment, the easier it will be to create a timeline, a communication plan, and ultimately track the deployment.
  • Messaging is key for leaders in the organization to share, especially for adoption.
  • Run a pilot with a handful of devices before deploying company-wide. This will allow you to check policies for consistent experiences. Then move on to a ring-based deployment to carefully manage everything.
  • There’s no need to create multiple deployment plans with Windows Update for Business deployment service; it can automate the experience, streamlining the entire workflow. Instead of waiting until everyone is ready, consider running Windows 10 and Windows 11 side-by-side. Prepare today by deploying to those who are ready now.

The post Unpacking Microsoft’s speedy upgrade to Windows 11 appeared first on Inside Track Blog.
