Windows Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/windows/
How Microsoft does IT
Mon, 17 Mar 2025 23:13:02 +0000

Insights you can use: Microsoft’s internal upgrade to Windows 11
http://approjects.co.za/?big=insidetrack/blog/insights-you-can-use-microsofts-internal-upgrade-to-windows-11/
Tue, 14 Jan 2025 17:00:46 +0000

Microsoft Digital Perspectives

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft’s upgrade to Windows 11 was the smoothest in company history. The Microsoft Digital team was able to upgrade 190,000 employee devices in just five weeks. And we learned a lot! Here are our key learnings to help with your own deployment journey.

Why did we succeed?

  • Fewer app compatibility challenges
  • No need for complex disk images
  • Delivery processes and tools that were already optimized during the rollout of Windows 10

We divided our upgrade into three stages: plan, prepare, and deploy.

Start with a good plan

First, we determined which devices could be upgraded. Windows 11 has specific hardware requirements, and not all devices were eligible to be upgraded. Employees with these devices will continue to run Windows 10—when their current PC is ready for an upgrade, they’ll get a device that runs Windows 11. We used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature to evaluate our device population. In total, 190,000 devices qualified for the upgrade, and 99 percent of upgrades were successful.

Knowing which devices were upgradable enabled us to create a clear timeline, helping our communications team to land the upgrade with our employees. We used a ring-based approach to manage the upgrade, which allowed us to gradually release Windows 11 across the company.

Prepare readiness content

Past upgrades didn’t always go smoothly—system crashes, blue screens, incompatible hardware all led to communications challenges as we tried to mitigate upgrade issues. But with Windows 11, knowing that upgrades were mostly smooth, we were able to focus our communications on building excitement. The goal? Make readiness content easily digestible for everyone. We used Yammer, FAQs, Microsoft SharePoint, email, Microsoft Teams, our internal homepage, and digital signage to reach employees. We drove interest by focusing on Windows’ new look and feel, exciting new features, and by assuring users that the upgrade would be fast—and completed on their schedule.

Employees who were eager to upgrade were encouraged to use the PC Health Check app to test if their device qualified.

While our Support team didn’t get many tickets related to the upgrade process, they were still prepared—they were some of the first users of Windows 11 at Microsoft.

Test and measure

We used Microsoft Power BI to measure our success against our upgrade goals and to identify learnings along the way. We tracked the number of devices that we needed to upgrade by country and region, by eligibility, and by adoption. This allowed us to identify and communicate with those who didn’t qualify for an update.

Deploying Windows 11

We used the Windows Update for Business deployment service to automate the upgrade. It helped us manage exclusions and opt-outs and, if needed, made it easy to roll back a device to Windows 10.

Our success hinged on setting up the right policies ahead of time. This allowed us to do things like:

  • Minimize how many alerts an employee would receive before their device was upgraded.
  • Reduce the number of policies that the deployment team needed to manage during the upgrade.

 

Timeline showing steps in Microsoft's internal upgrade to Windows 11.
Effective end-to-end communication was key to the upgrade.

Help from Windows Autopilot

We used Windows Autopilot to make sure all new devices come preloaded with Windows 11—a new device only needs to be turned on for Windows Autopilot to kick in and configure everything for the employee.

Succeeding with Windows 11

The upgrade to Windows 11 was a huge success. We had no increase in support tickets, we had broad adoption across the company, and it was the fastest operating system deployment in company history. We hope that sharing our story helps you tackle your Windows 11 upgrade.

Key Takeaways

  • The disruption-free deployment of Windows 11 was powered by the same tools and practices Microsoft Digital used for Windows 10.
  • Since Windows 10 and Windows 11 can be managed side-by-side, employees will use their current devices until it’s time for a refresh.
  • Apps that work on Windows 10 work on Windows 11. An improved user interface improves employee productivity.
  • As customer zero, Microsoft employees take on the role of providing feedback and suggesting improvements from an enterprise perspective. Listen to your own employees throughout the upgrade process to ensure your upgrade is as successful as ours!

Using a Zero Trust strategy to secure Microsoft’s network during remote work
http://approjects.co.za/?big=insidetrack/blog/using-a-zero-trust-strategy-to-secure-microsofts-network-during-remote-work/
Fri, 03 Jan 2025 14:59:49 +0000

Microsoft Digital stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft’s cloud-first strategy enables most Microsoft employees to directly access applications and services via the internet, but remote workers still use the company’s virtual private network (VPN) to access some corporate resources and applications when they’re outside of the office.

This became increasingly apparent when Microsoft prepared for its employees to work remotely in response to the global pandemic. VPN usage increased by 70 percent, which coincides with the significant spike in users working from home daily.

So then, how is Microsoft ensuring that its employees can securely access the applications they need?

With split tunneling and a Zero Trust security strategy.

As part of the company’s Zero Trust security strategy, employees in Microsoft Digital redesigned the VPN infrastructure by adopting a split-tunneled configuration that further enables the company’s workloads moving to the cloud.

“Adopting split tunneling has ensured that Microsoft employees can access core applications over the internet using Microsoft Azure and Microsoft Office 365,” says Steve Means, a principal cloud network engineering manager in Microsoft Digital. “This takes pressure off the VPN and gives employees more bandwidth to do their job securely.”

Eighty percent of remote working traffic flows to cloud endpoints where split tunneling is enabled, but the rest of the work that employees do remotely—which needs to be locked down on the corporate network—still goes through the company’s VPN.

“We need to make sure our VPN infrastructure has the same level of corporate network security as applications in the cloud,” says Carmichael Patton, a principal security architect on Microsoft’s Digital Security and Resilience team. “We’re applying the same Zero Trust principles to our VPN traffic, by applying conditional access to each connection.”

[Learn how Microsoft rebuilt its VPN infrastructure. Learn how Microsoft transitioned to modern access architecture with Zero Trust. Read how Microsoft is approaching Zero Trust Networking.]
For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=bleFoL0NkVM, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Experts from Microsoft Digital answer frequently asked questions around how VPN, modern device management, and Zero Trust come together to deliver a world class remote work platform.

Securing remote workers with device management and conditional access

Moving most of the work that employees require to the cloud only became possible after the company adopted modern security controls that focus on securing devices.

“We no longer rely solely on the network to manage firewalls,” Patton says. “Instead, each application that an employee uses enforces its own security management—this means employees can only use an app after it verifies the health of their device.”

To support this transformed approach to security, Microsoft adopted a Zero Trust security model, which manages risk and secures working remotely by managing the device an employee uses.

“Before an employee can access an application, they must enroll their device, have relevant security policies, and have their device health validated,” Patton says. “This ensures that only registered devices that comply with company security policies can access corporate resources, which reduces the risk of malware and intruders.”

The team also recommends using a dynamic and scalable authentication mechanism, like Azure Active Directory, to avoid the trouble of certificates.

While most employees rely on our standard VPN infrastructure, Microsoft has specific scenarios that call for additional security when accessing company infrastructure or sensitive data. This is the case for Microsoft Digital employees in owner and contributor roles that are configured on a Microsoft Azure subscription as well as employees who make changes to customer-facing production services and systems like firewalls and network gear. To access corporate resources, these employees use Privileged Access Workstations, a dedicated operating system for sensitive tasks, to access a highly secure VPN infrastructure.

Phil Suver, a principal PM manager in Microsoft Digital, says working remotely during the global pandemic gives employees a sense of what the Zero Trust experience will be like when they return to the office.

“Hardened local area networks that previously accessed internal applications are a model of the past,” Suver says. “We see split tunneling as a gateway to prepare our workforce for our Zero Trust Networking posture, where user devices are highly protected from vulnerability and employees use the internet for their predominant workload.”

It’s also important to review your VPN structure for updates.

“When evaluating your VPN configuration, identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures,” Patton says. “Understand the security controls you give up by not flowing the connections through your internal infrastructure. Then, look at the controls you’re able to extend to the clients themselves, and find the right balance of risk and productivity that fits your organization.”

Keeping your devices up-to-date with split tunneling

Enterprises can also optimize patching and manage update compliance using services like Microsoft Endpoint Manager, Microsoft Intune, and Windows Update for Business. At Microsoft, a split-tunneled VPN configuration allows these services to keep devices current without requiring a VPN tunnel to do it.

“With a split-tunneled configuration, update traffic comes through the internet,” says Mike Carlson, a principal service engineering manager in Microsoft Digital. “This improves the user experience for employees by freeing up VPN bandwidth during patch and release cycles.”

At Microsoft, device updates fall into two categories: feature updates and quality updates. Feature updates occur every six months and encompass new operating system features, functionality, and major bug fixes. In contrast, monthly quality updates include security and reliability updates as well as small bug fixes. To balance both user experience and security, Microsoft’s current configuration of Windows Update for Business prompts Microsoft employees to update within 48 hours for quality updates and 7 days for feature updates.

“Not only can Windows Update for Business isolate update traffic from the VPN connection, but it can also provide better compliance management by using the deadline feature to adjust the timing of quality and feature updates,” Carlson says. “We can quickly drive compliance and have more time to focus on employees that may need additional support.”

Evaluating your VPN configuration

When your enterprise evaluates which VPN configuration works best for your company and users, you must evaluate their workflows.

“Some companies may need a full tunnel configuration, and others might want something cloud-based,” Means says. “If you’re a Microsoft customer, you can work with your sales team to request a customer engagement with a Microsoft expert to better understand our implementation and whether it would work for your enterprise.”

Means also said that it’s important to assess the legal requirements of the countries you operate in, which is done at Microsoft using Azure Traffic Manager. For example, split tunneling may not be the right configuration for countries with tighter controls over how traffic flows within and beyond their borders.

Suver also emphasized the importance of understanding the persona of your workforce, suggesting you should assess the workloads they may need to use remotely and their bandwidth capacity. You should also consider the maximum number of concurrent connections your VPN infrastructure supports and think through potential seasonal disruptions.

“Ensure that you’ve built for a snow day or a pandemic of a global nature,” Suver says. “We’ve had to send thousands of customer support agents to work from home. Typically, they didn’t use VPN to have voice conversations with customers. Because we sized and distributed our infrastructure for a global workforce, we were able to quickly adapt to the dramatic shift in workloads that have come from our employees working from home during the pandemic. Anticipate some of the changes in workflow that might occur, and test for those conditions.”

It’s also important to collect user connection and traffic data in a central location for your VPN infrastructure, to use modern visualization services like Microsoft Power BI to identify hot spots before they happen, and to plan for growth.

Means’s biggest piece of advice?

Focus on what your enterprise needs and go from there.

“Identify what you want to access and what you want to protect,” he says. “Then build to that model.”

Tips for retooling VPN at your company

Azure offers a native, highly scalable VPN gateway, and the Azure Marketplace offers the most common third-party VPN and Software-Defined Wide Area Network virtual appliances.

Unlocking employee self-service with Windows 365 Cloud PCs at Microsoft
http://approjects.co.za/?big=insidetrack/blog/unlocking-employee-self-service-with-windows-365-cloud-pcs-at-microsoft/
Thu, 02 Jan 2025 17:00:26 +0000

Microsoft Digital stories

Windows 365 is driving the next evolution of desktop virtualization by combining the power and security of the Microsoft Cloud with the versatility and simplicity of the PC.

Windows 365 Cloud PCs let you securely stream your Windows experience, including your personalized apps, content, and settings, from the Microsoft Cloud. Employees can access their personalized Cloud PC on any device.

At Microsoft Digital (MSD), the organization that supports, protects, and empowers Microsoft employees through technology, we’re discovering new and innovative ways we can use Windows 365 to improve the daily lives of employees across Microsoft.

“We see ourselves as the real Customer Zero,” says Carl McBain, director of IT service management for MSD. “So, we’re always looking for opportunities to use new Microsoft products and services as an internal support organization.”

For us, two key self-service use cases are emerging as big winners when it comes to deploying Windows 365 Cloud PCs:

  • Our Techlink device loaner program provides temporary Cloud PCs when employees’ physical hardware is under repair.
  • An alternative option for when employees replace their physical PCs as part of the device refresh cycle.

[Discover how Microsoft protects assets by shielding virtual machines. Unpack how MyWorkspace streamlines virtual software provisioning at Microsoft. Explore deploying a VWAN using infrastructure as code and CI/CD.]

An elastic PC that unlocks scale and flexibility

By securely streaming the Windows experience from the Microsoft Cloud to any device, Windows 365 unlocks flexibility, scalability, and ease of management while simplifying PC provisioning—regardless of an IT admin’s experience with virtualization.

“With Windows 365, we have SaaS-ifed the power of Windows,” says Scott Manchester, vice president of Windows Cloud products. “Cloud PCs give organizations the benefit of elasticity across multiple dimensions—scale, power, security and flexibility.”

That’s especially useful in hybrid work environments or settings where users have diverse or shifting device needs. Think contractors and interns, customer-facing agents moving from kiosk to kiosk, or frequent travelers.

In Microsoft Digital, we’re able to use Windows 365 Cloud PCs to quickly help our employees get up and running again when their primary PC stops working.

“Windows 365 is great for serving an immediate need for a dedicated PC,” says Dave Rodriguez, principal product manager on the Frictionless Devices team in MSD. “Employees can have a dedicated Cloud PC with all their Microsoft 365 apps ready to go, and if they’re an existing employee, their OneDrive data automatically syncs to the device, similar to how we provision a physical PC with Autopilot.”

New approaches to PC provisioning for Microsoft employees

For us, Windows 365 doesn’t just simplify processes that have the potential for frustration and inefficiency. It also unlocks opportunities for self-service, giving employees the chance to choose the technology that meets their needs in the context that suits them best.

“From an operational standpoint, our goal is making things as simple as possible for our technicians and returning employees to productivity as soon as we can,” McBain says.

For our Techlink loaner program and device refresh alternative, we used the process automation capabilities of our ServiceNow enterprise installation to create a first-of-its-kind Windows 365 self-serve request solution. Powered by Microsoft Intune Endpoint Privilege Management, this solution has several benefits that include reducing operations overhead, improving user productivity, and enhancing device security by leaning into Zero Trust principles through the standard user profile for Windows 365.

Techlink loaner program

Like many processes, our Techlink reimaging, repair, and break-fix loaner services had to evolve rapidly because of COVID-19. Microsoft’s transition to a hybrid work model meant we needed to de-emphasize physical service locations and onsite, walk-up support.

The Windows Cloud product group and MSD partnered to present Windows 365 Cloud PCs as ideal alternatives to physical retrieval options like simplified Techlink dispatch locations or digital lockers. As a result, we launched Cloud PCs as a self-service request option within our IT service catalog and made 200 Windows 365 licenses available in our initial loaner pool.

When an employee experiences a device issue, they can initiate a service request within our standard Techlink support portal. The service request pushes them through a workflow that gathers all the necessary approvals and initiates Cloud PC provisioning. Less than an hour later, the employee receives access to a Windows 365 Cloud PC, allowing them to get to their personal files, apps, data, and settings from any device, whether it’s their own or a spare machine someone shares with them.

“Microsoft is a massive company with so many internal sites to access,” says Tony Bouker, solution delivery product manager for ServiceNow at Microsoft. “Self-service through our unified ServiceNow solution helps people find things more easily, and it also has the side effect of deflecting some requests that might otherwise come to MSD help desks.”

The result? Our Techlink support specialists save time by avoiding lengthy reimaging processes for physical loaner devices, and our employees get back to work faster.

Rodriguez, Bouker, Manchester, and McBain pose for pictures that have been stitched together into a collage.
Dave Rodriguez, Tony Bouker, Scott Manchester, and Carl McBain have worked together across Microsoft Digital and the Windows Cloud product team to implement our self-service PC provisioning solution.

Device refresh alternative

Providing Windows 365 Cloud PCs as an alternative to physical devices during the hardware refresh cycle follows a similar process, but it’s driven by different needs. Employees might love the layout or familiarity of their physical devices, but the hardware is outdated. More advanced users might want to pair their device’s local computing power with a Windows 365 Cloud PC that’s backed by Azure to boost productivity.

Whatever the reasons, spinning up a Cloud PC on one of your devices instead of buying a new one can have a positive impact on both operations and cost-savings.

When an employee discovers they’re eligible for a device refresh via their administrator or an automated invitation, they access our TechWeb service portal, where they learn about Windows 365. The portal directs them to a workflow where they can select the Cloud PC configuration and start the approval and provisioning process. After that process is complete, they’ll be provisioned with a new Cloud PC in less than an hour—a huge step up from the days or weeks getting a physical device replacement might take.

Linking self-service integration to PC provisioning simplicity

On our employee enablement journey, we’ve learned that choice and self-determination help drive effective self-service. So a tool like ServiceNow, which helps us realize the value of Windows 365 for employees quickly and painlessly, not only saves time and money but leads to better outcomes for employees.

“In our scenarios, the ServiceNow workflow launches after the employee makes their request through a questionnaire detailing parameters including device needs and region,” Bouker says. “We’ve configured the workflow to check things like Cloud PC eligibility before passing the request along to the employee’s approving manager and then to MSD for the provisioning stage.”

After the workflow, ServiceNow’s integration with tools like Microsoft Entra ID, Microsoft Intune, and Microsoft 365 security features makes deployment simple. The requesting employee gets placed in a Microsoft Entra ID group, and that triggers a provisioning workflow, including the creation of the Cloud PC, a final MSD review, and a notification to the Cloud PC recipient that they’re all set.

A graphic representing our self-service device provisioning workflow, from intake to Windows 365 Cloud PC deployment.

Our self-service workflow for provisioning Windows 365 Cloud PCs.

“We built Windows 365 to integrate easily with traditional IT workflows, and we invest in APIs to ensure we can automate processes and deliver this IT service model effectively,” Manchester says. “It’s all about the simplicity of spinning Cloud PCs up and down so we can empower people who make device decisions but don’t have virtual desktop infrastructure (VDI) expertise.”

Many organizations don’t have Microsoft’s substantial IT resources or VDI experience. For those businesses, automating Windows 365 self-service Cloud PC provisioning through ServiceNow has enormous potential.

Accelerating the next phase of cloud transformation

Simplicity and value mean these kinds of programs are accelerating quickly. “Windows 365 is our fastest-growing new service in MSD, with over 200 percent growth this fiscal year,” Rodriguez says.

Within the Techlink loaner program, we’ve already reached our initial 200 Cloud PC loaner capacity, and demand remains high.

“We estimate that our support technicians are saving as many as three hours per request,” Rodriguez says. “And of course, with Cloud PCs spinning up within an hour of approval, our employees can get back to work much faster than ever before. That’s something everyone can get on board with.”

It’s about creating better experiences for our employees.

“It’s not just about making something IT loves,” Manchester says. “It’s about making something every employee loves.”

Key Takeaways

Here are some tips for getting started with Windows 365 at your company:

  • Evaluate potential use cases where Windows 365 could transform your organization, where flexibility and scalability are table stakes.
  • Use existing tools like Intune and Microsoft Entra ID to simplify desktop management and integrate with Windows 365 Cloud PCs.
  • Consider implementing a self-serve request solution to enable on-demand access to Windows 365 Cloud PCs, reducing IT admin overhead and enhancing user choice and flexibility.
  • Pilot, try the program out, and gather feedback as a gateway to general implementation.
  • Measure the benefits of using Cloud PCs for different use cases. Those include improved user productivity, reduced operations overhead, and improved device security.
  • Think through all the workflow permutations you might encounter to help capture edge cases and inefficiencies.
  • Use automation and Zero Trust principles to ensure you’re capturing the benefits of Cloud PCs securely.

Try it out

Sign up to try Windows 365 Cloud PCs: Share your info with us here if you’re an enterprise customer or sign up for a trial here if you’re a business customer.

Microsoft tries Windows 11 on for size and likes the fit
http://approjects.co.za/?big=insidetrack/blog/microsoft-tries-windows-11-on-for-size-and-likes-the-fit/
Wed, 01 Jan 2025 15:00:07 +0000

Microsoft Digital stories

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft’s recent deployment of Windows 11 to 190,000 devices across the company is enabling its employees to work smarter and stay better connected.

D’Hers speaks on stage with her arms folded.
Feedback from Microsoft employees is sent to the Windows product team as part of Microsoft’s role as the company’s customer zero, says Nathalie D’Hers, Microsoft’s corporate vice president of Microsoft Digital. (Photo by Jim Adams | Inside Track)

Microsoft Digital, the organization that powers, protects, and transforms the company, completed the rollout in five weeks—the fastest deployment of an operating system in company history—without disruption.

“When you look at the data, our time to deploy and the number of support contacts, Windows 11 is the most successful Windows deployment in our history,” says Nathalie D’Hers, Microsoft’s corporate vice president of Microsoft Digital. “For a major release, it was so straightforward and fast that it was almost a non-event. Windows 11 raises the bar for all future deployments.”

Getting Windows 11 to employees in a fast, hassle-free way was crucial. Ensuring rollouts are free of disruption makes a big difference for Microsoft employees and—because employee feedback gets rolled into the products—for customers.

“Microsoft employees are very vocal when it comes to giving us feedback about our products and features and that’s a good thing,” D’Hers says. “If the product isn’t working well, we hear about it early on, and that wasn’t the case this time. When we deployed Windows 11, we received very few requests for support—that’s an important indicator of product quality for us.”

Making deployment seamless for employees

A good Windows deployment is frictionless, where employees are not inconvenienced or prohibited from using their devices, apps, or important features.

“A device is your connection to your work experience, especially when you can’t go into the office,” D’Hers says. “Your device shouldn’t get in the way of what you’re doing, so we wanted to make sure our employees had a good upgrade experience.”

The Microsoft Digital team knew improvements in Windows 11, including an intuitive and improved user interface, would help employees stay connected and work smarter. That made a straightforward deployment—where critical business applications weren’t risked and security wasn’t compromised—even more important.

“It always starts with the user, the employee, the person—that’s who we center around,” says Sean MacDonald, partner director of program management with the Microsoft Digital team who oversaw the deployment of Windows 11 at Microsoft. “Windows 11 does a great job of taking that perspective, it’s about the user, which is key to our employee experience.”

Helping to make this deployment frictionless were familiar processes that had been utilized for Windows 10 releases. “The experience of moving from Windows 10 to Windows 11 was so smooth, it felt more like an update than an upgrade,” MacDonald says.

There was no disruption to business, just a download that occurred in the background, an alert telling the employee that their device was ready, and a quick restart to finish installing the new operating system. As soon as 20 minutes later, the employee was up and running in Windows 11. The device owner could also schedule the upgrade to take place during non-work hours—when they logged in the next day, they were using the new operating system.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=40B99JJpaUo, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Wangui McKelvey and Nathalie D’Hers speak about Microsoft’s internal Windows 11 upgrade. McKelvey is the general manager of Microsoft 365 and D’Hers is Microsoft’s corporate vice president of Microsoft Digital.

Connecting with employees

Communications played a key part in Microsoft’s disruption-free rollout.

Windows 11 has specific hardware requirements, which meant not every device at Microsoft would be part of the deployment.

“Most devices were eligible but letting everyone know about hardware requirements was an early step,” MacDonald says. “Since Windows 10 and Windows 11 work in tandem with no additional overhead, we’re able to seamlessly co-manage both upgraded and non-upgraded devices until all of our older Windows 10 devices are replaced.”

Sharing this fact with employees across Microsoft eased anxieties.

From that point on, it was about sharing clear and concise messaging that encouraged employees to upgrade and provide feedback. Communication plans emphasized empowering employees across Microsoft to submit comments through Feedback Hub, a tool where users can voice and upvote suggestions. Elsewhere, Microsoft support teams readied their own listening systems to resolve queries and to report feedback to the product group.

Even with many channels open, few issues were reported.

Graphic showing Microsoft’s journey to modernize its endpoint, including Windows 11 deployment, and ending with Zero Trust adoption.
Microsoft’s shift to Windows 11 is an important step on the company’s journey to modernize its endpoint estate as the company shifts to hybrid work.

“We saw no uptick in support contacts,” MacDonald says. “If the only noise is people talking about features, that’s the sign of a good deployment.”

A better deployment experience

Microsoft Digital encounters many of the same challenges other IT organizations face. But with the deployment of Windows 11, an established playbook of trusted practices along with modern solutions, like Windows Update for Business, converged for a streamlined experience.

A large part of this is due to the Windows Update for Business deployment service.

“It’s truly Windows-as-a-Service,” MacDonald says. “Windows Update for Business deployment service is easy to control, highly compliant, and adoption is straightforward.”

Windows Update for Business deployment service combines two workstreams into one, which sped up Microsoft’s internal deployment of Windows 11. Instead of building separate deployment plans for Microsoft Azure Active Directory (AAD) devices, Windows Update for Business deployment service allowed the team to establish a single strategy for the entire environment. Within the service, Microsoft Digital was able to handle exclusions, automatically stage deployment waves, and bypass devices that were ineligible for the upgrade.

Other tools, like Windows Update for Business reports, further reduced the workload placed on the team. Using Update Compliance, the organization quickly and easily analyzed the device population for hardware eligibility. Data gathered from Update Compliance and Microsoft Endpoint Manager informed Microsoft Digital of a device’s deployment status, giving clear visibility to which ones had moved to Windows 11.

Over the course of five weeks, Microsoft Digital seamlessly rolled out Windows 11 to all eligible employee devices.

Success measured in outcomes

The deployment of Windows 11 represents the right chemistry of technology and expertise working together for a harmonious experience. Employees at Microsoft quickly and easily upgraded to Windows 11 on their schedules. Microsoft Digital utilized tools like Windows Update for Business deployment service to streamline familiar processes.

“We had to target the devices that could run Windows 11, but we have a plan to ramp up and refresh all devices as we go,” MacDonald says. “We have a path to Windows 11 for everyone.”

Thanks to its design, Microsoft Digital will be able to easily co-manage Windows 11 and Windows 10 side-by-side. Microsoft designed Windows 11 to ensure backward compatibility with Windows 10, so apps remain compatible, removing another challenge typically found during the release of new operating systems.

The transformation continues

The success of the deployment of Windows 11 validates Microsoft Digital’s approach to new features and product releases, which empowers people to succeed while minimizing disruption.

“Windows 11 has done a good job of keeping the user in mind,” D’Hers says. “The aesthetics are simple. The user experience is familiar but improved, making it easier to complete the common tasks and activities I do every day.”

With new functionality, like snap assist and docking, users can work more efficiently. Device hardware baselines, including a Trusted Platform Module 2.0 (TPM) requirement, enhance the security of devices and create better hardware-to-software integration in Windows 11. Transport Layer Security, an encryption protocol for transferring data over a network, empowers Microsoft Digital to perform IT functions remotely without fear of a compromise.

All of this improves how Microsoft employees can stay safe and productive.

“An important part of our Customer Zero role is to provide our employees and other internal users with the best products and services as early as possible,” D’Hers says.

Key Takeaways

  • The disruption-free deployment of Windows 11 was powered by the same tools and practices Microsoft Digital uses for Windows 10 updates.
  • Since Windows 10 and Windows 11 can be co-managed side-by-side, Microsoft intends to let users stay on their current devices until it is time for a refresh.
  • Apps that work on Windows 10 work on Windows 11, and a better user interface improves employee experience.
  • As customer zero, Microsoft employees take on the role of providing feedback and suggesting improvements from an enterprise perspective.

Evolving the device experience at Microsoft
http://approjects.co.za/?big=insidetrack/blog/evolving-the-device-experience-at-microsoft/
Fri, 27 Dec 2024 15:57:36 +0000

Microsoft Digital Perspectives

At Microsoft, we’re embracing and empowering hybrid work by adopting modern device-management practices, which is enabling our employees to split their time between working in the office and working from home. The tools and processes that we use to manage, secure, and monitor devices that access Microsoft data are being migrated out of a traditional management model to coexist with and make way for modern device management using Microsoft Intune. As this migration continues at Microsoft, our employees will be better enabled to be productive from anywhere on any device.

Examining the device landscape at Microsoft

Our employees’ devices are their primary productivity tools. They use a wide variety of devices to access their work and succeed in their roles. Our responsibility in the Microsoft Digital organization is to ensure that each of our employees, regardless of the device they use or the location from which they connect, can be productive and connected to Microsoft tools and corporate data.

Across the landscape of more than 750,000 devices in use at Microsoft, we support Windows, Android, iOS, and macOS devices. Windows devices account for approximately 60 percent of the total employee-device population, while iOS, Android, and macOS account for the rest. Of these devices, approximately 45 percent are personally owned employee devices, including phones and tablets. Our employees are empowered to access Microsoft data and tools using managed devices that enable them to be their most productive.

[Discover how we’re verifying device health at Microsoft with Zero Trust. Unpack how we’re reducing friction throughout our device lifecycle at Microsoft. Explore how we’re using Microsoft Azure Multi-Factor Authentication at Microsoft to enhance our security.]

Migrating device management to the cloud

As hybrid work becomes the norm—and the expectation—for our employees, how we provide access to the tools they need to innovate, create, and collaborate successfully has evolved. Users want a dynamic, device-agnostic experience that focuses on providing them with the data and tools they need from almost any location, using a wide variety of devices, including PCs, laptops, tablets, and smartphones.

This model has largely replaced a traditional, Windows-based, local-network-focused model. The hybrid work experience centers on the employee and their device as the primary determinants of how they access Microsoft tools and data. It also enables employee-directed tasks such as self-serve device setup and remediation for devices from any location. We’ve been building capabilities for the hybrid work model since long before the COVID-19 pandemic made it necessary, and our investments in hybrid work have allowed us to react with agility to workplace challenges in the recent past.

A sizable portion of the devices that we support continue to be corporate-owned traditional laptops or PCs, but our device landscape also includes many personally owned devices. Our device management practices, and even what we define as a device, have changed. Many devices that our employees use to do their work are smartphones from a variety of manufacturers, and these devices use a range of operating systems. This shift in device demographics has necessitated a change in how we manage employee devices and a migration from traditional, on-premises management systems to modern, cloud-based management systems that effectively support and secure this new device demographic.

Our migration—and any migration—from traditional, on-premises management to modern management involves three key management models that play a role in how devices are managed:

  • Traditional management. Microsoft Configuration Manager has been the on-premises management system of choice at Microsoft for decades. In a traditional management model, most managed devices are Windows-based, connected to a local network, and joined to an Active Directory Domain Services (AD DS) architecture. Devices in the traditional model are typically purchased, procured, and managed corporately. We use Configuration Manager to manage devices using previous versions of Windows that are not supported by Intune and to assist in Configuration Manager product development.
  • Modern management. Microsoft Intune supports the modern management model at Microsoft. Intune provides cloud-based device management capabilities across Windows, Android, iOS, and macOS devices. Devices are registered in and authenticated by Microsoft Azure Active Directory. Because it’s cloud-based, Intune removes the dependency on the local network and managed devices can connect across the internet from anywhere. Modern management includes and supports both corporate and personally owned devices, including mobile devices.
  • Co-management. Co-management uses a combination of traditional management and modern management techniques and tools, allowing traditional and modern management models to coexist within an organization. Microsoft Intune allows us to operate both models through a single interface and combined toolset.

In our adoption of modern management through Intune, Microsoft Azure Active Directory (Azure AD), and internet-focused connectivity, we’re adopting more standard practices for device management and the configuration of our device management systems. How we configure and operate our modern management environment is much more standardized than past solutions have been. We use native functionality extensively—the flexibility of the Microsoft cloud management toolset replaces many of the engineered customizations we have had to implement.

We use Microsoft Intune, Microsoft Azure AD, and the rest of the modern management tools the same way that any other organization would. We use procedures directly from the Microsoft documentation website, and we’re adopting documented general best practices and architectural designs that Microsoft recommends to customers. The following figure illustrates using co-management to enable the migration from traditional management to modern management.

Graphic showing traditional management, co-management, and modern management tools.
Using co-management to migrate from traditional to modern management.

Connecting traditional and modern models with co-management

Modern management is the goal for all client devices at Microsoft. However, moving from traditional device management to modern management is a journey, and it’s one that can’t be made overnight. Our journey to modern management began several years ago, and it’s ongoing.

We’ve embraced co-management as the first step in moving to modern management and as a long-term bridge between traditional management and modern management models. By using Microsoft Intune, we’ve been able to manage our traditional on-premises devices alongside newly deployed devices that are modern managed.

Addressing migration challenges

Microsoft Azure Active Directory is central to modern management. Azure AD is the first point of contact for most of our mobile devices and the default directory for new devices. Moving devices from AD DS to Azure AD is at the core of traditional-to-modern migration, as the two directory services provide identification, authentication, and authorization services for on-premises and cloud resources, respectively.

However, the AD DS-to-Azure AD-migration process isn’t simple on a device-to-device basis, and coordinating large-scale directory migration is time-consuming and potentially tedious. We’re using Hybrid Azure AD joined devices as a primary enabler of co-management to facilitate a smooth transition of devices from traditional to modern management. Hybrid-joined devices connect to both AD DS and Azure AD. This dual function lets us maintain existing on-premises Group Policy objects and settings for a device while we work to replicate those settings in modern management using Intune and Azure AD. We completed an analysis using the Intune Group Policy analyzer to determine which policies could be supported in Intune.

New devices are onboarded as modern-managed devices using Autopilot for Windows devices and Apple Business Manager for corporate-owned macOS and iOS devices. However, we don’t prevent our users from joining AD DS domains if they require it. This strategy gets devices under the modern management model but allows us to continue using traditional management methods where necessary.

As old devices are replaced with new ones, traditionally managed devices decrease in number, and modern-managed devices increase. For large enterprises, a full-scale switch from traditional to modern management without co-management is almost impossible. The time it takes to migrate devices and support systems would severely reduce business efficiency and technical capability for any organization. Users must have uninterrupted access to tools and data from their devices. We anticipate that co-management will remain part of our management environment into the near future.

Supporting the Zero Trust model with verified devices

Based on the principle of verified trust—in order to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. The ability to effectively verify devices is a critical part of the Zero Trust model, and management is mandatory for any device accessing corporate data.

The Microsoft Intune platform enables us to enroll devices, bring them to a managed state, monitor the devices’ health, and enforce compliance against a set of health policies before granting access to any corporate resources. Our device health policies verify all significant aspects of device state, including encryption, antimalware, minimum OS version, hardware configuration, and more. Microsoft Intune also supports internet-based device enrollment, which is a requirement for the internet-first network focus in the Zero Trust model.

We’re using Microsoft Intune to enforce health compliance across the various health signals and across multiple client device operating systems. Validating client device health isn’t a one-time process. Our policy verification processes confirm device health each time a device tries to access corporate resources, much in the same way that we confirm the other pillars, including identity, access, and services. We’re using modern Microsoft Intune protection configuration on every managed device, including pre-boot and post-boot protection and cross-platform coverage.
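The per-access health check described above can be sketched as a small policy gate. This is an added example, not Microsoft's or Intune's code; the `DeviceHealth` schema, the thresholds and the function names are assumptions, and it covers Windows devices only.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed policy values for illustration; the page does not publish its thresholds.
MIN_OS_BUILD = (10, 0, 19045)
MAX_REPORT_AGE = timedelta(hours=8)
REQUIRED_TPM = "2.0"


@dataclass(frozen=True)
class DeviceHealth:
    """Health signals for one Windows device (hypothetical schema)."""
    device_id: str
    managed: bool
    disk_encrypted: bool
    antimalware_running: bool
    os_build: Tuple[int, int, int]
    tpm_version: Optional[str]
    reported_at: datetime


def evaluate(health: DeviceHealth, now: datetime):
    """Return the list of policy failures; an empty list means compliant."""
    failures = []
    if not health.managed:
        failures.append("device is not managed")
    if now - health.reported_at > MAX_REPORT_AGE:
        # An old report says nothing about the device's state right now.
        failures.append("health report is stale")
    if not health.disk_encrypted:
        failures.append("disk encryption is off")
    if not health.antimalware_running:
        failures.append("antimalware is not running")
    if health.os_build < MIN_OS_BUILD:
        failures.append("OS build below minimum")
    if health.tpm_version != REQUIRED_TPM:
        failures.append("TPM 2.0 not present")
    return failures


def authorize(identity_verified: bool, health: Optional[DeviceHealth], now: datetime):
    """Decide one access attempt. Nothing is remembered from earlier attempts."""
    if not identity_verified:
        return ("deny", ["identity not verified"])
    if health is None:
        # Fail closed: a device with no report is treated as unverified.
        return ("deny", ["no health report for device"])
    failures = evaluate(health, now)
    return ("allow", []) if not failures else ("deny", failures)


# Constructed sample data.
NOW = datetime(2024, 12, 27, 16, 0, tzinfo=timezone.utc)
LAPTOP = DeviceHealth("dev-001", True, True, True, (10, 0, 22631), "2.0",
                      NOW - timedelta(minutes=30))


def demo():
    """Three access attempts by the same device at different times."""
    first = authorize(True, LAPTOP, NOW)
    # Two hours later the device reports that antimalware has stopped.
    later = NOW + timedelta(hours=2)
    degraded = replace(LAPTOP, antimalware_running=False, reported_at=later)
    second = authorize(True, degraded, later)
    # Two days later the last report is too old to trust.
    third = authorize(True, LAPTOP, NOW + timedelta(days=2))
    return first, second, third


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The same device is allowed on the first attempt and denied on the next two, which is the practical difference between verifying on every access and verifying once at enrollment.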

Managing the device experience in the cloud

Modern-managed devices at Microsoft fall under two main categories: corporate owned devices that our employees use for business purposes, and personally owned devices that our employees bring into the workplace and use to access Microsoft resources.

Corporate owned devices

Corporate owned devices at Microsoft are most commonly Windows devices that Microsoft purchases for our employees to use. Our corporate devices come from a specific set of Windows PCs, laptops, and tablets that our employees can select from a variety of manufacturers. In modern management, these are the devices that we exercise the most control over. All corporate devices in the modern management model are registered in Microsoft Azure AD and managed by Intune.

Microsoft Azure AD, Microsoft Intune, Windows Autopilot, and Windows Update for Business deployment services enable us to take a device from the manufacturer using a standard image and directly apply our policies and management measures without requiring direct interaction from our support personnel. The employee powers on their device, signs in with their Azure AD credentials using multifactor authentication, and the device is joined to Azure AD and enrolled in Intune. Corporate policies and apps specific to the user or department are automatically deployed to the device, and the device is always managed and kept up to date, throughout its entire life cycle.

We’re also using Apple Business Manager to directly manage corporate-purchased macOS and iOS devices. Apple Business Manager interfaces with Intune and provides a fully managed experience like the one we have for our corporate owned Windows devices. We can control the out-of-box experience (OOBE) for Apple devices, reducing the number of screens users need to go through during initial setup. When the user completes the OOBE, the device will already have Intune Company Portal, Microsoft Defender for Endpoint, and other device-related corporate apps installed, simplifying the setup process. We also have the capability to push additional applications or security patches using Intune and Apple Business Manager to devices in the future.

Personally owned devices

Bring your own device (BYOD) scenarios are commonplace in the hybrid work model. Personal devices enable flexibility in the hybrid workplace. Employees can enroll their own Windows, Android, iOS, and macOS devices in Intune using Azure AD Workplace Join. Workplace Join creates a device identity in Azure AD and Intune and enforces device state and configuration through native operating system methods and management apps.

Personally owned devices don’t experience the same level of control as corporate owned devices, but modern management using Intune and Workplace Join grants us the capability to restrict access to resources based on device state and health. With this level of control, we can safely manage access to corporate data and apps stored on the device based on the user of the device and the device operating system.

Next steps

We’re continuing to move toward modern management while using co-management as a bridge to traditionally managed devices. We’re working on several modernization efforts, including migrating our corporate wireless network to internet-first and reducing the number of devices using virtual private network connections. We’re also consolidating device management controls to a single interface, improving migration capabilities for domain-joined devices, and hardening device health definitions with new compliance policies. As our migration continues and the modern management environment matures, our employees will be better enabled to be productive in the hybrid work model from anywhere and on any device.

Key Takeaways

  • Modern management enables your organization to embrace hybrid work practices while helping to control access to tools, data, and the devices used to access them.
  • Co-management offers a bridge between traditional and modern management that’s flexible and scales to your organization’s pace and structure.
  • The move toward modern management empowers employees to be productive when using any device, whether it’s their personal device or corporate owned device, on a variety of operating system platforms.
  • Modern management enables the Zero Trust model, which uses a multipronged approach to help detect, manage, and prevent security breaches from inside and outside an organization.
  • Large enterprises such as Microsoft can use Microsoft Intune to implement modern management without requiring significant custom integrations and solutions.

 

Unpacking Microsoft’s speedy upgrade to Windows 11
http://approjects.co.za/?big=insidetrack/blog/unpacking-microsofts-speedy-upgrade-to-windows-11/
Thu, 17 Oct 2024 12:24:19 +0000

[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]

Microsoft Digital technical stories

Like our customers, we at Microsoft have a strong business need to address the new challenges created by remote and hybrid work. The internal adoption of Windows 11 is helping our company meet those needs, while enabling our employees to work smarter and more securely, regardless of where they are.

Upgrading to Windows 11 at Microsoft

Our priority in rolling out Windows 11 internally was to provide employees uninterrupted access to a safe and productive workspace while giving them a chance to try out the new operating system.

Introducing a new operating system, especially across a distributed workforce, naturally led to questions about device downtime and app compatibility. However, with established practices and evolved solutions in hand, historical obstacles became just that—a thing of the past. The rollout of Windows 11 at Microsoft was our most streamlined to date, frictionlessly delivering employees the latest operating system in record time.

What made the deployment of Windows 11 a success?

Over the past decade, our Microsoft Digital Employee Experience team, the organization that powers, protects, and transforms employee experiences, has worked closely with teams such as the Windows product group to improve how it runs Microsoft’s updates, upgrades, and deployments.

Whereas significant time and resources were once dedicated to testing app compatibility, building out multiple disk images, and managing a complex delivery method, processes and tools introduced during Windows 10 have streamlined upgrades and enabled the transformation to a frictionless experience.

Data from App Assure, a Microsoft service available to all customers with eligible subscriptions, shows the company had 99.7 percent compatibility for all apps in Windows 11—that eliminated the need for extensive testing. It also meant that employees’ Windows 10 apps work seamlessly in Windows 11. Additionally, Microsoft Endpoint Manager and Windows Update for Business eliminated the need for using more than one disk image and made it easier for employees to get Windows 11.

Our Microsoft Digital Employee Experience team relied on the same familiar tools and process as a Windows 10 feature update to quickly deliver the upgrade to employees.

The upgrade was divided into three parts:

Plan: Identify an execution and communication plan, then develop a timeline

Prepare: Establish reporting systems, run tests, ready employees, and build backend services

Deploy: Deploy Windows 11 to eligible devices

It all starts with a good plan

We at Microsoft Digital Employee Experience have a successful history of deploying new services, apps, and operating systems to employees. And it all starts at the same place—creating a disruption-free strategy that enables employees to embrace the latest technology as soon as possible without sacrificing productivity.

Assess the environment

Before the deployment of Windows 11 could begin, we had to take a careful inventory of all devices at Microsoft and determine which ones to target. Windows 11 has specific hardware requirements, and because a percentage of employees were running ineligible devices, not every device would be upgraded. Employees with these devices will upgrade to Windows 11 during their next device refresh.

To evaluate the device population, we used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature. This allowed our team to generate reports on devices that either met or failed to comply with minimum specifications. For example, certain devices, especially older desktops, lacked the Trusted Platform Module 2.0 (TPM) chipset requirements for security in Windows 11.

In the end, 190,000 devices were deemed eligible based on hardware and role requirements. Over the course of five weeks, our Microsoft Digital Employee Experience team deployed Windows 11 to 99 percent of qualifying devices.

Address ineligible devices and exclusions

After evaluating the broad population of devices, our team developed a plan for devices that would not receive a Windows 11 upgrade. Since Windows 10 and Windows 11 can be seamlessly managed side-by-side within the same management system, we only had to designate the number of devices that would not receive the upgrade. Using Update Compliance to inform deployment policies, we applied controls on ineligible devices, automatically skipping them during deployment. These measures made it easy to know why a device didn’t upgrade, but also assured a disruption-free experience for both employees and those on our team responsible for managing the upgrade.

These controls also allowed the company to bypass deployment on any device that had been incorrectly targeted for an upgrade.

Ineligible devices. Windows 10 and Windows 11 can be managed side-by-side and will be supported concurrently at Microsoft until all devices are upgraded or retired. As devices are refreshed, more and more of our employees will gain access to Windows 11.

Devices that should not receive the upgrade. Other devices, like servers and test labs—where we validate new products on previous operating systems—were issued controls and excluded from receiving Windows 11.

Establish a deployment timeline

Once upgradeable devices were identified, our team was able to create a clear timeline. From this schedule, our communications team developed an outreach plan, support teams readied the helpdesk, and the deployment team developed critical reporting mechanisms to track progress.

For the deployment itself, our team used a ring-based approach to segment the deployment into several waves. This allowed us to gradually release Windows 11 across the company, reducing the risk of disruption.

Graphic showing Microsoft's internal Windows 11 upgrade milestones on a timeline.
Microsoft’s internal upgrade to Windows 11 hinged on effective end-to-end communication.

Create a rollback plan

Windows 11 has built-in support for rolling back to Windows 10 with a default window of 10 days after installation. If needed, our Microsoft Digital Employee Experience team could have revised this period via group policy or script using Microsoft Intune. Post-upgrade, there wasn’t much demand for a rollback, but the strategic release cadence that the team used, paired with the rollback capability, gave our team an easy way to quickly revert devices that might require going back to Windows 10 for a business need.
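The script route mentioned above can be sketched with DISM's documented `/Get-OSUninstallWindow` and `/Set-OSUninstallWindow` options. This is an added example, not Microsoft Digital's own script: the function names and the 30-day target are hypothetical. It assumes an elevated session on an already upgraded device, such as a script pushed through Intune, and English DISM output.

```powershell
#Requires -RunAsAdministrator
# Added example: read and, if needed, extend the Windows rollback (OS uninstall) window.
# Get-RollbackWindow, Set-RollbackWindow and the 30-day target are hypothetical names/values.

function Get-RollbackWindow {
    # On a device that can still roll back, DISM prints a line such as "Uninstall Window : 10".
    # The regex below assumes English DISM output.
    $output = & dism.exe /Online /Get-OSUninstallWindow 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) {
        # Non-zero exit typically means there is no previous OS to return to:
        # the device was never upgraded, the window expired, or the old files were cleaned up.
        return $null
    }
    if ($output -match 'Uninstall Window\s*:\s*(\d+)') {
        return [int]$Matches[1]
    }
    return $null
}

function Set-RollbackWindow {
    param(
        [ValidateRange(2, 60)]   # DISM accepts a window of 2 to 60 days
        [int]$Days = 30
    )

    $current = Get-RollbackWindow
    if ($null -eq $current) {
        Write-Warning 'Rollback is not available on this device; nothing changed.'
        return $false
    }
    if ($current -ge $Days) {
        # Never shorten a window that is already long enough.
        Write-Host "Rollback window is already $current days; leaving it as is."
        return $true
    }

    & dism.exe /Online /Set-OSUninstallWindow "/Value:$Days" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "DISM failed with exit code $LASTEXITCODE."
        return $false
    }

    # Read the value back rather than trusting the exit code alone.
    $after = Get-RollbackWindow
    Write-Host "Rollback window changed from $current to $after days."
    return ($after -eq $Days)
}

# Exit code lets the management tool record success or failure per device.
if (Set-RollbackWindow -Days 30) { exit 0 } else { exit 1 }
```

The change only works while the original window is still open, so a script like this has to reach each device within the default 10 days of its upgrade.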

Preparing for success

Prior to starting the Windows 11 upgrade, we asked employees to complete pre-work needed for a successful upgrade. Because the upgrade was so smooth, only light readiness communications were needed. Instead, we focused on ensuring that employees were aware and excited about the benefits of Windows 11 and that they were ready to share their feedback on what it was like to use it.

Reach everyone

To maximize the impact of our communications, our team readied content that was digestible for every employee, regardless of role. Employees needed clear and concise messaging that would resonate, so that they could understand what Windows 11 would mean for them.

Our team in Microsoft Digital Employee Experience targeted a variety of established channels, including Yammer, FAQs on Microsoft SharePoint, email, Microsoft Teams, Microsoft’s internal homepage, and digital signage to promote Windows 11.

To generate interest, our materials focused on:

  • The new look and features of Windows 11, designed for hybrid work and built on Zero Trust
  • Flexible and easy upgrade options, including the ability to schedule upgrades at a time that worked best for the employee
  • The speed at which employees could be up and running Windows 11, as quickly as 20 minutes
  • New terms related to Windows 11 and where employees could go to learn more

An entire page on our company’s internal helpdesk site was dedicated to links related to the upgrade, including Microsoft Docs, where users could find a comprehensive library on new features.

Executive announcements from company leadership also conveyed the benefit of moving to Windows 11 and the ease with which it could be done.

Set expectations

Our team directed employees waiting to see if their device met Windows 11’s hardware requirements to the PC Health Check app. At an enterprise level, the team relied on Update Compliance to assess the device population.

We also used this opportunity to reinforce messaging to Windows 10 users—both operating systems would continue to operate side-by-side until all devices were refreshed. This helped ease concerns for employees who had to wait for an upgrade.

Ready support

Getting the deployment right wasn’t just about sending messages outward. Our team needed to receive and respond to employee questions before, during, and after the Windows 11 rollout.

Our support teams were given an opportunity to delve into Windows 11 prior to the deployment, which, based on experiences with previous upgrades, gave them time to categorize and group by severity any potential issues they might encounter. This familiarity not only helped them give employees informed answers, but also served as another feedback gathering mechanism.

Open for feedback

We run Microsoft on Microsoft technology and we encourage our employees to join the Windows Insider Program, where users are free to provide feedback directly to developers and product teams.

That’s why communications didn’t just focus on what was new with Windows 11, but on how feedback could be shared. If an employee had comments, they submitted them through a Feedback Hub where other employees could upvote tickets, giving visibility to our engineers in Microsoft Digital Employee Experience and the Windows product group.

Pre-work for deployment readiness

In addition to readying employees, we had to make sure all the backend services were in place prior to the deployment. This included building several processes, setting up analytics, and testing.

Establish analytics reports

Evolving beyond previous upgrades, the deployment of Windows 11 was the most data-driven release we have ever done. Looking closer at diagnostic data and creating better adoption reporting gave our team clear data to look at throughout the deployment.

Using Microsoft Power BI, our team could share insights regarding the company’s environment. This better prepared everyone on the team and allowed us to monitor progress during deployment.

Our team captured the following metrics:

  • Device population
  • Devices by country
  • Devices by region
  • Eligibility
  • Adoption

In addition to visibility into project status, access to this data empowered our team to engage employees whose eligible devices did not receive the upgrade.

Build an opt-out process

To accommodate users whose eligible devices might need to be excluded from the deployment, our team created a robust workback plan that included a request and approval process, a tracking system, and a set timeline for how long devices would be excluded from the upgrade.

Our Microsoft Digital Employee Experience team released communications specifying the timeframe for employees to opt out, including process steps. Employees who needed to remove their devices from the upgrade submitted their alias, machine name, and reason for exclusion. From there, our team evaluated their requests. Only users with a business reason were allowed to opt out. For example, Internet Explorer 11 requires Windows 10, so employees who need that browser for testing purposes were allowed to remove their devices from the deployment.

Once we had approved devices for exclusion, a block was put in place to remove them from the deployment. Data gathered during the opt-out process enabled us to follow up with these employees, upgrading them to Windows 11 at a more appropriate time.

Create a security model

At Microsoft, security is always top of mind for us. A careful risk assessment, including testing out a series of threat scenarios, was performed before Windows 11 was deployed across the company.

Our Microsoft Digital Employee Experience team built several specific Windows 11 security policies in a test environment and benchmarked them against policies built for Windows 10.

After testing the policies and scenarios to see if they would have any impact on employees, we found that devices with Windows 11 would meet Microsoft’s rigorous security thresholds without creating any disruptions. Just as importantly, users would experience the same behaviors in Windows 11 as they might expect from Windows 10.

The deployment

A decade ago, our efforts to deploy feature updates could be challenging, as we needed to account for different builds, languages, policies, and more. This required careful management of distribution points and VPNs prior to beginning deployment efforts in earnest.

When Windows 10 was released in 2015, our team used two deployment strategies: one for on-premises managed devices and one for cloud managed devices.

Today, the situation is much simpler.

Launched during the Windows 10 era, Windows Update for Business established some of the trusted practices that make product releases and feature updates a great experience for us here at Microsoft. Windows Update for Business deployment service introduces new efficiencies for our team, consolidating two deployment strategies into one.

For the deployment of Windows 11, our team had an advantage—Windows Update for Business deployment service.

Windows Update for Business deployment service enabled our Microsoft Digital Employee Experience team to grab device IDs from across the environment and use them to automate the deployment. Windows Update for Business deployment service handled all the backend processing and scheduling for us; all we needed to do was determine the start and end dates.

Our team easily managed exclusions and opt-outs with Windows Update for Business deployment service, and when a device needed to be upgraded, the service made it easier to remove it and roll it back to Windows 10.

Importantly, Windows Update for Business deployment service provides a single deployment strategy for us moving forward. Deployment has been simplified, and the data loaded into Windows Update for Business deployment service for this upgrade will help speed up future releases.

Policies for success

We had to decide which policies we wanted to work with for the best outcome. This included how many alerts an employee would receive before receiving an upgrade to Windows 11.

Windows Update for Business deployment service reduced the long list of policies that our team needed to manage during deployment. This accelerated deployment without compromising security.

From pilot to global deployment

By structuring the deployment timeline to hit a small group of employees before incrementally moving on to a larger population, our Microsoft Digital Employee Experience team ensured Windows Update for Business deployment service ran as expected and that all required controls and permissions were set.

As our team used the Windows Update for Business deployment service to plot out upgrade waves, Windows 11 downloaded in the background and employees received pop-up alerts when their device was ready. The employee could restart at any time and would boot into Windows 11 after a few automated systems completed the installation. Employees could also schedule Windows 11 to upgrade overnight or during the weekend.

Onboarding OEMs

Working closely with Microsoft Surface and other Original Equipment Manufacturer (OEM) partners, the companies who supply Microsoft with new devices, our team was able to ensure that our employees had Windows 11 pre-loaded onto their PCs. This approach guaranteed that new devices complied with the hardware requirements of the new system.

A new device, straight out of the box, only needs to be powered on and connected to the internet before Windows Autopilot authenticates and configures everything for the user. Once initial setup is complete, Windows Autopilot ensures that new devices are equipped with Windows 11 and all the correct policies and settings.

For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=1d4z5N5XCsA, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Biswa Jaysingh shares five key learnings from releasing Windows 11 across Microsoft. Jaysingh is a principal group program manager on the Microsoft Digital Employee Experience team.

Entering the next stage of Windows at Microsoft

The deployment of Windows 11 at Microsoft validates our team’s approach to product releases and upgrades. With no measured uptick in support tickets, the deployment of Windows 11 has been a frictionless experience for employees and the wide adoption of new features confirms the value of the effort. The speed at which the team completed the deployment—190,000 devices in five weeks—represents the fastest deployment of a new operating system in company history.

We credit the success of this deployment to good planning, tools, strong communication, and the positive upgrade experience Windows 11 provides.

Windows Update for Business deployment service proved to be a big step in the evolution of how employees get the latest version of Windows. The service’s ease of use meant the team had a higher degree of control, flexibility, and confidence.

The tighter hardware-to-software ecosystem that comes with Windows 11 means our employees and all users of the operating system benefit from richer experiences. This and the integration with Microsoft Teams are just a few examples of what users are seeing now that they’re empowered by Windows 11.

Key Takeaways

  • Understand the hardware eligibility requirements for Windows 11.
  • The better you understand your environment, the easier it will be to create a timeline, build a communication plan, and ultimately track the deployment.
  • Messaging from leaders in the organization is key, especially for adoption.
  • Run a pilot with a handful of devices before deploying company wide. This will allow you to check policies for consistent experiences. Then move on to a ring-based deployment to carefully manage everything.
  • There’s no need to create multiple deployment plans with Windows Update for Business deployment service; it can automate the experience, streamlining the entire workflow. Instead of waiting until everyone is ready, consider running Windows 10 and Windows 11 side-by-side. Prepare today by deploying to those who are ready now.

Harnessing first-party patching technology to drive innovation at Microsoft
http://approjects.co.za/?big=insidetrack/blog/harnessing-first-party-patching-technology-to-drive-innovation-at-microsoft/
Mon, 16 Sep 2024 15:00:45 +0000

Microsoft Digital stories

We live in a world where network security is a foundational concern for large enterprises like ours that are trusted with sensitive customer data. This creates an environment where we all need to ensure that we have high patching compliance across our massive array of devices. This complexity requires that we continuously improve our patching tools and solutions.

Layered on top of that, our need for device security exists within a complex matrix of software, hardware, and user interfaces. If our employees are running out-of-date software, they’re leaving their device and our network unsecured and vulnerable.


Ruana, Jaysingh, and Damkewala pose for portraits in a montage of three images.
Christine Ruana (left), Biswa Jaysingh (center), and Jamshed Damkewala are among those helping Microsoft transform how it does first-party patching. Ruana is principal program manager for Microsoft Visual Studio responsible for enterprise deployments and updates of Visual Studio, Jaysingh is a principal product manager on our Microsoft Digital Employee Experience team, and Damkewala is a principal PM manager on the Platforms and Languages team responsible for .NET.

This is especially true when developers use powerful first-party tools like Microsoft Visual Studio and developer platforms like .NET to build new software. With developer platforms like .NET, this becomes even more critical because .NET is not just deployed to developer machines, it is also installed on the computers where the developed application will run.

Here at Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company, we are committed to holistically improving patching compliance rates across the company. To ensure we are improving security at every level of Microsoft’s infrastructure, from software and devices to the networks themselves, we are utilizing new technology and new approaches that we develop internally within our organization and within our product group partners.

“Every leader understands the extreme importance of keeping their data secure,” says Biswa Jaysingh, a principal product manager with Microsoft Digital Employee Experience. “No enterprise wants to be the next company that gets exposed by one of these hacks that has happened in the past and to lose sensitive business or customer data.”

Recent innovations in first-party patching technology at Microsoft, including in Windows Update for Business, Microsoft Endpoint Manager, and Microsoft Defender for Endpoint, are allowing us to unlock unprecedented levels of security across our network while at the same time reducing costs and speeding the timeline of deployment. From consolidating multiple deployments to reducing the impact of reboots on users, our changes are producing efficiencies across the business.

Within the matrix of network security at Microsoft, there are several critical arenas for security admins to monitor, patch, and secure. Malicious actors are looking at the full tech stack for vulnerabilities, which means our teams must monitor, patch, and secure devices at every level from the operating system and first-party software to hardware and third-party software.


Reacting to the growing threat to first-party software

In the modern cloud-connected world there is more surface area that we need our IT professionals to protect. With more and more devices, from Internet of Things devices to peripherals having internet access, there is much larger potential for bad actors to break in. It’s more important than ever to stay secure, which means update compliance must be as close to 100 percent as possible across all levels of a device.

“The last thing we want is for Microsoft to ship a fix for a vulnerability, but an enterprise isn’t able to adopt the update. That would leave them insecure,” says Christina Ruana, principal program manager for Microsoft Visual Studio who is responsible for enterprise deployments and updates of Visual Studio.

This passion for effectively securing networks led Microsoft leaders like Ruana to ensure they’re doing everything possible to ease the burden of patching on our teams here at Microsoft and for our external customers. “Visual Studio’s recent Administrator update solution makes it much easier for enterprises to deploy updates through Microsoft Endpoint Manager,” Ruana says.


We’re using Microsoft Defender for Endpoint to manage the health of our devices, which is helping us improve the security of our network while also improving the user experience for our employees and our admins. Every efficiency gained along the way makes it more likely for compliance rates to grow. Teams are working around the clock to identify and patch vulnerabilities, but this work is only as effective as the compliance rate is strong.

A better experience for admins and users alike

We in the Microsoft Digital Employee Experience organization began our journey to transform the way we do patching by making it easier for our IT admins to deploy patches across our network.

Until recently, the first-party patching regime at Microsoft required a slew of software solutions to be manually managed, including important software applications like Visual Studio and .NET. But in November 2022, we were able to migrate numerous critical patch deployments to Windows Update for Business, dramatically increasing the timeliness and accuracy of device patching.

“At the start of the .NET journey we were seeing unacceptable compliance rates as developers were using the software in ways that we hadn’t anticipated,” says Jamshed Damkewala, principal PM manager on the Platforms and Languages team responsible for .NET. “This increased the complexity for maintaining patching compliance. We had to create paths for updating both current builds of .NET through Visual Studio and for keeping older builds compliant through Microsoft Update. This has improved compliance rates considerably.”

We gain significant efficiencies as we eliminate manual deployments through automation and streamline the rollout of patches through Windows Update and Windows Update for Business. With these universal sources for patches, we simultaneously reduce time for testing while reducing errors in the deployments.

With more accurate updates meeting user devices more quickly and hitting all builds of first-party software that require patching, our networks are more secure than ever. The ease of patches deploying on devices also reduces the impact on users, so they are more likely to remain compliant while experiencing minimal disruption.


Furthermore, the technology within Microsoft Defender for Endpoint allows for thorough device scanning to provide effective telemetry for admins to react to, giving them better knowledge to engineer future patches and policies for Windows Update for Business, which further grows compliance rates. We use it to scan and report vulnerabilities, which empowers our admins to respond faster. Microsoft Endpoint Manager also allows our admins to better manage Windows Update for Business policies.

Providing the tools for teams to succeed

Internally here at Microsoft, our updated technology allows us to monitor our networks more efficiently, providing detailed telemetry about device health that we’ve never had before. This visibility allows us to develop new protocols for our networks, including complicated cases of end-of-life devices and end-of-service software.

But the true unlock-for-efficiency comes in how these systems were designed, constructed, and automated.

“These innovations are not custom built for Microsoft,” says Harshitha Digumarthi, a senior product manager responsible for improving the patching experience at Microsoft Digital Employee Experience. “We are effectively leveraging technology that we already had to make it more efficient and effective for teams to patch their software.”

This approach reduces cost, increases the speed of development, and fundamentally improves the efficiencies of teams deploying mission-critical patches for their software. Potential errors caused by manual deployment are eliminated and the single update source on a single day per month improves the user experience considerably. The result is a more secure network through increased device compliance.

These benefits are compounded when it comes to first-party software like Visual Studio and .NET. We’ve seen a rise in patching compliance for internal customers developing new solutions with these products, all attributable to improvements in Visual Studio and .NET. As a result, security dividends can exponentially grow through the company and to the ecosystem at large. Our networks, and yours, are more secure thanks to these developments.

Key Takeaways

  • Ensure your software applications are kept up to date to remain secure. Follow this guidance for Visual Studio.
  • By utilizing a common deployment solution in Windows Update for Business and Microsoft Endpoint Manager, efficiency is gained and potential errors from manual updating are mitigated.
  • A single update source on a single day per month dramatically improves the user experience.
  • Innovations in device scanning provide new telemetry, which leads to new solutions for rare-but-important use cases like end-of-life devices and end-of-service software.

Providing employees with virtual loaner devices with Windows 365
http://approjects.co.za/?big=insidetrack/blog/providing-employees-with-virtual-loaner-devices-with-windows-365/
Thu, 05 Sep 2024 15:00:00 +0000


Watch as Dave Rodriguez interviews Trent Berghofer about using the Windows 365 Cloud PC platform to provide our employees with virtual loaner PCs when they need a backup machine to keep working.

Rodriguez is a principal product manager on the Frictionless Devices team in Microsoft Digital, the company’s IT organization. He talks with Berghofer about using the Windows 365 Cloud PC platform to provide employees with a low-touch, personalized, secure Windows experience hosted on Microsoft Azure.

“With Windows 365 Cloud PC, we’ve been able to accelerate our digital first support model for hybrid employees and deemphasize our reliance on walk up, in-person support at the on-site service locations,” says Berghofer, general manager of Field IT Management and leader of the Support team in Microsoft Digital.

Issuing Cloud PCs to our employees allows them to return to productivity on a machine they already own or have on their person because we don’t have to send them physical backup machines. This allows them to get back to productivity faster and reduces our costs.

Watch this video to see Trent Berghofer (left) and Dave Rodriguez (right) discuss how we’re using Windows 365 to provide our employees with virtual loaner PCs when they need backup machines to keep working.

Autopilot speeds up Windows 10 image deployment inside Microsoft
http://approjects.co.za/?big=insidetrack/blog/autopilot-speeds-up-windows-10-image-deployment-inside-microsoft/
Mon, 02 Sep 2024 17:33:30 +0000

Microsoft Digital stories

The first experience a new employee has at Microsoft shouldn’t be waiting for their laptop to get set up.

“We’re transforming the experience our employees have when they first turn on their PCs,” says Sean MacDonald, a principal group program manager in Microsoft Digital. “Our employees expect a best-in-class experience and we’ve been working hard to deliver that to them. The best part is that all of our customers can have the exact same experience.”

It used to take up to an hour to get Windows 10 running on a new or rebuilt PC—that was before Microsoft Digital started using Windows Autopilot, a new deployment program that automates most of the setup process. With this new program developed in partnership with the Windows and Intune teams, the user receives a device with the latest image directly from the OEM and all the user needs to do is power on, connect to any internet connection, authenticate, and the rest is silently hydrated via Microsoft Intune.

“Now, with Autopilot, we’re seeing it take less than 10 minutes to set up a device,” MacDonald says. “We’ve reduced the user’s set up time by 90 percent.”

After piloting the technology, Microsoft Digital started a soft launch in October using Autopilot for select new devices, says Mina Aitelhadj, a program manager on Microsoft Digital’s Modern Device Platform Team.

Microsoft is using an OEM-developed (original equipment manufacturer) image on all devices where Autopilot is being used. The goal is for Microsoft Digital to evolve to the point where it is using Autopilot with Intune provisioning to image all new devices by January.

Microsoft is one of the first enterprises to use Autopilot in a full, modern management scenario.

“Our early testing and deployment inside of Microsoft will help us provide best practices and guidelines for our customers when they are ready to move onto a fully modern Azure platform,” Aitelhadj says.

Getting to this point has been challenging, she says.

Like any large enterprise, the Microsoft environment is complex. Company employees work in all kinds of different roles, and they rely on a wide variety of devices to support that work. This variety of device choices made it challenging to provide a consistent out-of-the-box experience for new employees (and for existing employees when issued new PCs).

Before Microsoft started using Autopilot internally, the team streamlined the imaging process as much as possible, but the company is so big (it literally offers employees hundreds of PC configurations to choose from) that speeding up how long it took an employee to get their new machine set up required that Microsoft Digital entirely rethink and redesign its approach, Aitelhadj says.

“Even though our custom imaging process was fine-tuned to its best, it was still process-intensive and wasn’t easy to manage across multiple OEMs and global regions,” she says. “To add to that, our devices needed to be connected to our corporate network to deploy our custom images.”

Now that Autopilot is handling all that work, the team can focus on fine tuning. “This is a big step up for us because we’re saving our team time and money and we’re getting critical work time back,” Aitelhadj says.

Are you interested in how Autopilot could work at your company? Windows Autopilot is available externally. It is available for Windows 10 users on Azure Active Directory, and users of Windows Autopilot Hybrid Azure AD can use it to join Windows 10 devices to both Azure Active Directory and Active Directory.

How deploying an image with Autopilot works

Why has installing a new Windows image traditionally been so challenging?

Companies like Microsoft have had to continuously update their custom images to make sure they are current and secure, Aitelhadj says. Every month the Windows team issues patches and updates, and those have had to be woven into each image before it could be deployed.

Before the company started using Autopilot (and in cases where it’s not yet using the new tool), handling those month-to-month updates made deploying new images very challenging.

“Our engineers have had to build and maintain our image on a monthly basis for all devices in our global ecosystem,” she says. “They have had to send each image to the OEMs. Those images include our policies, certifications, profiles—everything needed to get the devices ready for one of our employees. We’ve streamlined how we create our custom image within Microsoft, and Autopilot streamlines that even further for both IT pro and users.”

Once Autopilot is deployed across the entire company, everything will get a lot simpler.

“Say I’m a company and I have 10 users coming onboard,” Aitelhadj says. “Instead of having an IT pro load our custom image onto those PCs, the OEM will preload the devices with a universal Commercial OEM Image, they will register those machines onto Autopilot, and everything will get loaded onto those machines automatically, once the user logs in.”

Using Autopilot, the OEM loads just the operating system and Microsoft Office onto a computer—just what the employee needs to be able to turn their machine on and get started. Once online, Autopilot guides the user through a nearly hands-off out-of-box experience in which it not only handles all custom configuration settings, but also downloads and installs all needed applications. The other benefit is that the user does not have to be on the company’s corporate network or in a campus building to set up the device—they can do it from any internet connection.

And the user experience?

Thanks to Autopilot, it has gone from a struggle to an easy first log in. The trick was to then make it easy and intuitive for the employee to download and set up all the applications they need to do their work.

“We make it as simple as possible by provisioning the device with all the policies, certs, and core apps,” Aitelhadj says. “It all loads in the background within a few minutes. We limit their interaction to just the stuff they need to click through—like security and a few other required things.”

And yes, the team wanted to give the IT pros who spend hours and hours updating images each month time back, but the bigger goal was to create a simpler, more user-guided, less error-prone experience for users, thereby reducing end user frustration and the need for IT support. All this needed to be done without a time gap—for security reasons, all current updates need to be made as the new employee’s PC is booted up and handed over to them.

“We’ve saved our pilot users hundreds of hours—we’re getting them productive faster,” Aitelhadj says. “It’s pretty awesome to have that kind of impact.”

Hardware-backed Windows 11 empowers Microsoft with secure-by-default baseline
http://approjects.co.za/?big=insidetrack/blog/hardware-backed-windows-11-empowers-microsoft-with-secure-by-default-baseline/
Wed, 28 Aug 2024 15:00:12 +0000

Microsoft Digital stories

Windows 11 makes secure-by-default viable thanks to a combination of modern hardware and software. This ready out-of-the-box protection enables us to create a new baseline internally across Microsoft, one that level sets our enterprise to be more secure for a hybrid workplace.

“We’ve made significant strides to create chip-to-cloud Zero Trust out of the box,” says David Weston, vice president of Enterprise and OS Security at Microsoft. “Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware.”

This new baseline for protection is one of several reasons Microsoft upgraded to Windows 11.

In addition to a better user experience and improved productivity for hybrid work, the new hardware-backed security features create the foundation for new protections. This empowers us to not only protect our enterprise but also our customers.

How Windows 11 advanced our security journey

Upgrading to Windows 11 gives you more out-of-the-box security options for protecting your company, says David Weston, vice president of Enterprise and OS Security at Microsoft.

Security has always been the top priority here at Microsoft.

We process an average of 65 trillion signals per day, with 2.5 billion of them being endpoint queries, including more than 1,200 password attacks blocked per second. We can analyze these threats to get better at guarding our perimeter, but we can also put new protections in place to reduce the risk posed by persistent attacks.

In 2019, we announced Secured-core PCs designed to utilize firmware protections for Windows users. Enabled by Trusted Platform Module (TPM) 2.0 chips, Secured-core PCs protect encryption keys, user credentials, and other sensitive data behind a hardware barrier. This prevents bad actors and malware from accessing or altering user data and goes a long way in addressing the volume of security events we experience.

“Our data shows that these devices are more resilient to malware than PCs that don’t meet the Secured-core specifications,” Weston says. “TPM 2.0 is a critical building block for protecting user identities and data. For many enterprises, including Microsoft, TPM facilitates Zero Trust security by measuring the health of a device using hardware that is resilient to tampering common with software-only solutions.”

We’ve long used Zero Trust—always verify explicitly, offer least-privilege access, and assume breach—to keep our users and environment safe. Rather than behaving as though everything behind the corporate firewall is secure, Zero Trust reinforces a motto of “never trust, always verify.”

The additional layer of protection offered by TPM 2.0 makes it easier for us to strengthen Zero Trust. That’s why hardware plays a big part in Windows 11 security features. The hardware-backed features of Windows 11 create additional interference against malware, ransomware, and more sophisticated hardware-based attacks.

Windows 11 is the alignment of hardware and software to elevate security capabilities. By enforcing a hardware requirement, we can now do more than ever to keep our users, products, and customers safe.

Setting a new baseline at Microsoft

Windows 11 reduces how many policies you need to set up for your security protections to kick in, says Carmichael Patton, a principal program manager with Microsoft Digital Security and Resilience.

While some security features were previously available via configuration, TPM 2.0 allows Windows 11 to protect users immediately, without IT admins or security professionals having to set specific policies.

“At a high level, Windows 11 enforced sets of functionalities that we needed anyway,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the organization responsible for protecting Microsoft and our products. “It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.”

Thus, getting Windows 11 out to our users was a top priority.

Over the course of five weeks, we were able to deploy Windows 11 across 90 percent of eligible devices at Microsoft. Proving to be the least disruptive release to date, this effort assured our users would be immediately covered by baseline protections for a hybrid world.

We can now look across our enterprise and know that users running Windows 11 have a consistent level of protection in place.

The real impact of secure-by-default

Moving from configurable to built-in protection means that Windows 11 becomes the foundation for secure systems as you move up the stack.

Applications, identity, and the cloud are able to build off the hardware root-of-trust that Windows 11 derives from TPM 2.0. Application security measures like Smart App Control and passwordless sign-in from Windows Hello for Business are all enabled due to hardware-backed protections in the operating system.

Secure-by-default does all of this without removing the important flexibility that has always been part of Windows.

“It simplifies everything for everyone, including IT admins who may not also be security experts,” Weston says. “You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.”

Key Takeaways

Going forward, IT admins working in Windows 11 no longer need to put extra effort in enabling and testing security features for performance compatibility. Windows 11 makes it easier for us to gain security value without extra work.

This is important when you consider productivity, one of the other drivers for Windows 11. We need to empower our users to stay productive wherever they are. These new security components go hand-in-hand with our productivity requirements. Our users stay safe without seeing any decline in quality, performance, or experience.

“With Windows 11, the focus is on productivity and thinking about security from the ground up,” Patton says. “We know we can do these amazing things, especially with security being front and center.”

Now that Windows 11 is deployed across Microsoft, we can take advantage of TPM 2.0 to bring even greater protections to our users, customers, and products. We’ve already seen this with the Windows 11 2022 update.

For example, Windows Defender Application Control (WDAC) enables us to prevent scripting attacks while protecting users from running untrusted applications associated with malware. Other updates include improvements to IT policy and compliance through config lock, a feature that monitors and prevents configuration drift from occurring when users with local admin rights change settings.

These are the kinds of protections made possible with Windows 11.

“Future releases of Windows 11 will continue to add significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software,” Weston says. “Windows 11 is a better way for everyone to collaborate, share, and present, all with the confidence of hardware-backed protections.”

Boosting employee device procurement at Microsoft with better forecasting
http://approjects.co.za/?big=insidetrack/blog/boosting-employee-device-procurement-at-microsoft-with-better-forecasting/
Fri, 28 Jun 2024 15:16:15 +0000

Microsoft Digital stories

Device forecasting at Microsoft has allowed the company to plan for new hires, replace out-of-warranty devices for existing employees, and respond to major events, like the release of Windows 11. As a result, we’ve been able to strategically acquire equipment in a more efficient way.

It all started with a shift to remote work.

“New employees will always need a device on day one,” says Pandurang Kamath Savagur, a senior program manager with Microsoft Digital, the organization that powers, protects, and transforms the company. “But for the first time ever, we were also in an experience where people had to stay productive from home with only a single device. They couldn’t easily get into the offices for a secondary or loaner device.”

To anticipate demand and offset delays, Microsoft Digital built a platform where administrators across the company could project the number of devices they’d need. Simultaneously, the group took a deep dive look at the current device population to forecast the number of employees who would need a device refresh—all in time for the deployment of Windows 11.

Getting better at predicting the future

Historically, Microsoft didn’t need to build up a large inventory of devices for employees; everything was made to order.

It worked a little bit like this:

Procurement, having already certified devices and negotiated pricing and SLAs suitable for employees, enables administrators or direct employees to obtain a new employee device through our internal ProcureWeb tool. The tool places a purchase order directly to the OEM—the third-party manufacturer of the device—or a reseller who would then manufacture and ship the equipment out to the user.

But the shift in how people worked meant we’d need to be more proactive in procuring devices for employees. And to get there, we’d need a better picture of fluctuating demand.

“Business groups own the budget, so they know what the next six months will look like for their team,” Savagur says. “Microsoft onboards approximately 3,000 employees each month, and every employee needs to select and set up a device. We can’t just buy 3,000 devices a month—we need to know specifications about how it will be used.”

Everything from storage space, computing power, memory, and keyboard language to the number of units would need to be collected from business groups. Once that information came in, Procurement could work with OEMs to have machines ready and available to be delivered to administrators well in advance.

This new approach to device forecasting has streamlined the way Microsoft acquires devices, giving us adequate stock to ensure a good experience. We can now anticipate device purchases for new hires while also accounting for break fixes.

And the timing of this effort couldn’t have been better—Windows 11 was on the way, and we would need this new approach along with additional analysis to get the new operating system into the hands of employees.

Empowering Microsoft with Windows 11

Released in late 2021, Windows 11 gives us the enterprise-grade security that Microsoft requires. To achieve this secure-by-default state, we needed to replace older devices with equipment that met the Windows 11 hardware requirements.

But instead of issuing new devices to everyone at launch—something that would be both costly and logistically impossible—we took a strategic approach, using a combination of telemetry and machine learning to identify and prioritize devices for replacement.

Anqi Cheng and Neeti Sawant teamed up to transform the way the company handles its internal device forecasting. Cheng is a data scientist with the W+D Data team, and Sawant is a data engineer with Microsoft Digital.

“We have telemetry data, application usage, and warranty information, and that gives us a base to forecast from in Power BI,” says Neeti Sawant, a data engineer with Microsoft Digital who helped create a device forecasting dashboard as part of this effort. “It told us what we needed to monitor and forecast, which devices are aging out, and when they would be eligible for a refresh.”

But we weren’t just relying on warranty data alone.

Using Microsoft Azure Cosmos DB and Microsoft Azure Databricks for machine learning, we can apply survival modeling techniques to historical device-population data, predicting how many ineligible primary devices would still be active over the next few years leading up to the Windows 10 end of support.

Device forecasting has allowed us to work closely with OEMs so that devices are available on time and so that we’re not selecting on availability, but rather meeting all the performance, compliance, and security needs of our users. Satisfaction scores from employees have increased by 20 points since we started doing this.

—Pandurang Kamath Savagur, senior program manager, Microsoft Digital

“Not all users will replace their device at the end of warranty,” says Anqi Cheng, a data scientist with the W+D Data team at Microsoft. “Although many devices will naturally age out over time, many users hang on to their devices for an extended time. When combined with other device forecasting data, we had a holistic view of the landscape.”

This level of analysis ensured Microsoft would be able to quickly develop a roadmap for getting employees on Windows 11.
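The survival-modeling step described above, sketched as an added example (not Microsoft's code): a Kaplan-Meier estimator, one common survival technique that the article does not name, fitted to constructed device lifetimes and then used to estimate how many currently active devices will still be in service at a future cutoff such as an OS end-of-support date. The function names and the sample data are assumptions made for illustration.

```python
"""Kaplan-Meier sketch for device-fleet forecasting (illustrative, constructed data)."""
from collections import Counter

# Constructed sample: age in months at which each device was last observed, and
# whether it was retired at that age (True) or still in use (False, i.e. censored).
SAMPLE_AGES = [12, 24, 24, 36, 36, 36, 48, 48, 60, 60]
SAMPLE_RETIRED = [True, True, False, True, True, False, True, False, True, False]


def kaplan_meier(ages, retired):
    """Return [(age, S(age))] at every age where at least one retirement occurred.

    Censored devices (still active when last seen) count toward the at-risk
    population up to their last observed age, but never as a retirement. This
    is how "users who hang on to their devices" inform the curve without
    being treated as replaced.
    """
    if len(ages) != len(retired):
        raise ValueError("ages and retired must have the same length")
    retirements = Counter(a for a, r in zip(ages, retired) if r)
    leaving = Counter(ages)          # retirements + censorings at each age
    at_risk = len(ages)
    survival = 1.0
    curve = []
    for t in sorted(leaving):
        d = retirements.get(t, 0)
        if d:
            survival *= 1.0 - d / at_risk
            curve.append((t, survival))
        at_risk -= leaving[t]
    return curve


def survival_at(curve, age):
    """Step-function lookup: probability a device is still active at `age`."""
    s = 1.0
    for t, value in curve:
        if t > age:
            break
        s = value
    return s


def expected_active(curve, current_ages, horizon_months):
    """Expected number of today's active devices still active after the horizon.

    Each device contributes the conditional probability
    S(age + horizon) / S(age), since it has already survived to `age`.
    """
    total = 0.0
    for age in current_ages:
        base = survival_at(curve, age)
        if base > 0.0:
            total += survival_at(curve, age + horizon_months) / base
    return total


if __name__ == "__main__":
    km = kaplan_meier(SAMPLE_AGES, SAMPLE_RETIRED)
    for t, s in km:
        print(f"age {t:>2} months: S = {s:.3f}")
    # Three hypothetical ineligible devices, 12 months before the cutoff.
    print(f"expected still active: {expected_active(km, [30, 40, 50], 12):.2f}")
```

Devices predicted to outlive the cutoff are the ones that would be running an unsupported OS, which is why the forecast feeds replacement priority rather than warranty dates alone.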

A bright forecast for Microsoft

Employees at Microsoft can—and should—expect to have a device that engages, protects, and empowers them. Device forecasting makes this possible.

“Device forecasting has allowed us to work closely with OEMs so that devices are not selected on availability, but rather meeting all the performance, compliance, and security needs of our users,” Savagur says. This effort has resulted in a better experience for employees. “Satisfaction scores from employees have increased by 20 points since we started doing this.”

Access to device forecasting information has also been helpful to admins and Finance, who now have a better idea as to which devices will need to be refreshed for Windows 11. Moving into the future, these same projections will make it easier for Procurement to put the right device into an employee’s hands.

“With the analysis provided to us by Microsoft Digital, we can now understand how many primary devices are in our environment and when we expect them to refresh,” says Colby McNorton, a senior program manager on the Microsoft Procurement team. “As we look forward, instead of the purchasing journey being reactive, we can proactively reach out to users and tell them that their device is at the end of its life and even recommend a device based on what we know about usage.”

Thanks to Windows Autopilot, new devices are automatically pre-configured with Windows 11. Windows Autopilot deploys an OEM-optimized version of the Windows client, so you don’t have to maintain custom images and drivers for every device model. This makes new devices business-ready faster, empowering employees to stay engaged and protected. Users can just switch on, sign in, and all policies and apps will be in place within a day.

Key Takeaways

  • Be sure to get visibility into your device population. Find out what kinds of devices are on your network, where they’re located, who owns them, and what stage they’re at in their lifecycle. This gives you a lot of agility in a changing environment. You can do this using Microsoft Intune.
  • Windows 10 and Windows 11 can be co-managed side by side using the same tools and processes, which makes it possible for Microsoft and other companies to be methodical about replacing devices.
  • Spend time with team admins who understand user needs. This allows you to cultivate a short list of devices that are best suited for your employees and gives procurement clear priorities.

Unlocking the potential of Microsoft 365 Copilot at the role level
http://approjects.co.za/?big=insidetrack/blog/unlocking-the-potential-of-copilot-for-microsoft-365-at-the-role-level/
Fri, 14 Jun 2024 19:45:13 +0000

There’s no question: Microsoft 365 Copilot is changing how work gets done here at Microsoft and beyond. An intelligent digital assistant with access to any company data you need that can process and accomplish requests using natural language—that’s a powerful productivity booster.

But how do you zero in on the scenarios and use cases that matter most to individual employees?

At Microsoft Digital, our company’s IT organization, we’re helping our employees get the most value out of this powerful new tool by identifying the roles where AI assistance can drive the most upfront impact, then developing hero scenarios to help them start using Copilot. The result is our Microsoft 365 Copilot Hero Scenario Playbook, a functional framework that helps teams discover ways that specific roles can adopt Copilot into their work and drive value.

When we started rolling Microsoft 365 Copilot out across the company, our priority in Microsoft Digital was giving as many employees as possible the chance to explore this exciting new tool. In a sense, we gave everyone the keys to the car and invited them to drive AI’s open road.

It resulted in a lot of exploration, increased usage, and some very eager early adopters. To help as many people get up to speed with Copilot as possible, we focused our initial adoption efforts on a common professional persona: the modern information worker.

“This is the beginning of an entirely new meta-skill,” says Don Campbell, a senior director on Microsoft Digital’s Employee Experience Success team. “People are thinking through new habits and ways of working as they learn what Copilot is capable of enabling.”

Because of the excitement around AI, uptake was rapid and enthusiastic. Our next step was building on that initial surge of adoption and experimentation to drive more profound, targeted impact.

Actioning inspiration: Building a pathway to hero scenarios

Don Campbell and Heather Layne were part of the Microsoft Digital team working on our Copilot Hero Scenario Playbook.

As Microsoft 365 Copilot usage began to mature across the company, we saw opportunities to build on this momentum by presenting more contextual applications for AI. Within Microsoft Digital, we decided to create a standardized process for defining Copilot hero scenarios in roles where initial applications of AI could have the greatest impact. Concrete scenarios would resonate with those professionals by addressing real-world challenges they face every day, saving them time and bandwidth.

Ultimately, we had one goal: accelerating time to value for Copilot users.

“We wanted to explore how we could make Copilot more real to the individual,” Campbell says. “They’re asking how they can use this in ways that are specific to their role, in their function, in their organization.”

We identified five main objectives to help us get there:

  • Understand the top responsibilities, challenges, needs, and wants of priority roles.
  • Articulate and communicate hero scenarios for those roles and depict ways for Copilot to enable their work.
  • Outline blockers and accelerators for Copilot adoption and hero scenarios. 
  • Generate feedback for product groups to improve Copilot.
  • Share playbook outputs with our product marketing group and post them in our Copilot Lab, our publicly available repository of Copilot prompts, to contribute value to external users.

“From the beginning, we set out to articulate our objectives and our deliverables, then worked back from there,” says Heather Layne, a director of program management on the Employee Experience Success team in Microsoft Digital. “When it came to research, we relied on our EX Studio for step-by-step guidance on purposeful engagement.”

That process unfolded in a layered approach. First, we identified the Microsoft organizations that were best positioned to receive our support. Thanks to strong interest and a robust cohort of early adopters, sales, HR, and finance were excellent candidates for our first efforts.

From there, we worked with stakeholders and AI adoption teams within each of those organizations to prioritize roles according to a rubric of criteria. Those criteria focused on enthusiasm for adoption, readiness for the next level of engagement, the number of people represented by that role within their organization, and Copilot’s applicability for their work—especially for repetitive, context-rich, or communication-intensive tasks.

Christopher Fernandez is a corporate vice president in Human Resources.

“In HR, for example, we ensured there was complete thinking regarding a reimagination of our business functional architecture,” says Christopher Fernandez, corporate vice president in HR. “We identified key roles and corresponding workflows that could directly benefit from Microsoft 365 Copilot by removing mundane and repetitive tasks and providing insight to creative solutions needed to deliver business value.”

After we identified those roles, we moved into focus-group sessions with 10 to 20 participants, all selected because they had been actively using Copilot and could provide practical ideas and suggestions. It was an opportunity to tap into willing talent and let our leaders lead.

The output of those sessions came down to three hero scenarios per role, each with six steps and six Copilot prompts to propel those processes forward, as well as the relevant Microsoft tools where the prompts would apply. We also ensure these scenarios align with the company’s Responsible AI principles.

For example, our Finance team identified operations manager as a priority role. One of its key scenarios included managing contracts, and it demonstrates how prompts come together across several apps to create a process bolstered and streamlined by automation.

Finance operations | Contract management

A Copilot hero scenario for a Microsoft finance operations manager outlining six steps, their hosting apps, and their relevant Copilot prompts.
The central output from the Microsoft 365 Copilot Hero Scenario Playbook is a six-step, six-prompt workflow applicable to a specific priority role—in Finance in this case.

“That output then served as an input in a few different places,” Campbell says. “We evangelized it out to the organization itself to help drive ideation, adoption, and usage, to our product marketing group for customer scenarios, and to our Copilot Lab to provide freely available examples of prompts.”

As a result, we’ve been able to boost Copilot adoption and usage across Microsoft, providing specific, concrete opportunities for people to apply this new way of working to their roles.

Crafting your own Microsoft 365 Copilot hero scenarios

This process has the benefit of being structurally simple, modular, and repeatable—so much so that we’ve made it freely available to any organization that’s using Microsoft 365 Copilot in the form of our Microsoft 365 Copilot Hero Scenario Playbook. Whether you’re adopting Copilot across your entire organization, a department, a business group, or a team, we strongly encourage you to work through this exercise.

“We want organizations to know that there are opportunities to keep this process controlled and standardized,” Layne says. “By aligning with rubrics and setting up standard practices, you know you’re not just putting in time to create something that isn’t helpful or impactful.”

Our playbook walks adoption leaders through a four-stage process that includes readiness, engagement, delivering an output, and sharing results with employees. To accelerate time to value, we’ve designed the process implementation across three weeks.

Microsoft 365 Copilot Hero Scenario Playbook

The Microsoft 365 Copilot Hero Scenario Playbook breaks our framework out into four phases: Ready, engage, deliver, and share.

Liz Friedman helps lead AI adoption within our HR department.

By following the playbook through four phases, you can accomplish what we’ve done at Microsoft: understanding what your priority roles need to be successful, articulating hero scenarios tailored to their work, and sharing the outputs with your organization to accelerate time to value for Copilot users.

Phase 1: Ready

This phase will help your organization, department, or team prepare for the process. It involves aligning with leadership and sponsors who will be accountable for driving Copilot value within their organization. It’s also where you’ll select the priority roles, draft outlines of those roles so you can clarify your understanding of their needs and wants, and seek out feedback from leaders, managers, and subject matter experts.

Phase 2: Engage

Engaging with employees delivers the core value of this exercise. In the engagement phase, you’ll identify participants from your priority roles who demonstrate enthusiasm and early aptitude with Copilot. From there, you choose an engagement approach that might include in-person group sessions, virtual Microsoft Whiteboard sessions, one-on-one interviews, Microsoft 365 Loop collaboration, or whatever modality works best, then communicate the process to participants and conduct your engagement.

Phase 3: Deliver

Ideating hero scenarios is how you discover value. The delivery phase defines that value and organizes it into a useful, consumable format. It starts with reviewing and analyzing the outcomes of your sessions to gain insights and identify themes. Now is the time to document your hero scenarios and the value they add, as well as blockers and accelerators. Finally, you’ll provide your output: a comprehensive deck that includes your priority roles, hero scenarios, next steps, and more.

Phase 4: Share

The final phase of this process involves socializing your scenarios across your team or organization to realize value. If you’re part of a large organization, it’s helpful to radiate these outputs beyond the target group as an opportunity for further Copilot momentum. This stage includes diving deeper into blockers and accelerators that can help your organization as a whole speed time to value.

“So much of adoption comes down to the question of ‘What’s in it for me?’” says Liz Friedman, a senior director of HR AI Transformation. “The ability to answer that question at the role level, at the level of fidelity that really resonates with what employees actually do, creates a strong bridge between the realm of possibility and day-to-day reality.”

Capturing the limitless value of AI

Nathalie D’Hers is a corporate vice president and the leader of Microsoft Digital.

The shift to AI is about more than productivity. It’s about new ways of working and new ways of being.

Thanks to the modular nature of this framework, teams across Microsoft can now apply this process to their own professional needs. As time goes on, the goal is for different organizations and roles to uncover robust and efficient ways of working.

“With Copilot, we’re building new skillsets, but also new habits,” says Nathalie D’Hers, corporate vice president of Microsoft Digital. “That takes experimentation and learning, but the payoff is transformative.”

By learning from our experience and working through the Microsoft 365 Copilot Hero Scenario Playbook, your organization can execute best practices that will make the most of your AI investment, deliver value faster, manage change effectively, and scale across your organization.

Access the Microsoft 365 Copilot Hero Scenario Playbook here.

Key Takeaways

Here are some tips for getting started with developing persona-specific scenarios for priority roles at your company:

  • Build strong organizational partnerships and add this process into AI efforts that teams already have underway. Identify the key AI leaders and champions on those teams.
  • This process is additive and iterative, so don’t be married to the playbook. Start with the framework, then allow it to grow around organic efforts.
  • Frame your scenarios around business processes, then layer on the technology.
  • Validate your results through active communication, especially after you’ve socialized your hero scenarios. That ensures you sort the signal from the noise and capture even greater value moving forward.
  • For your working groups, make sure you choose teams and people who have good engagement with the tool, especially enthusiasts and early adopters. This also gives people the chance to learn from each other and build on their colleagues’ ideas.
  • Have a game plan about where to go next in terms of sharing and piloting. Include follow-ups and baselines so these outputs don’t just sit on the shelf.
  • Get multiple perspectives. No role is exactly the same, even if the job title is. Bringing people who do similar work together and hearing commonalities and differences is very helpful and provides an opportunity to benefit from a diversity of perspectives.

Try it out

New to Microsoft 365 Copilot? Get started today and see what’s possible.


]]>