Windows Archives - Inside Track Blog
http://approjects.co.za/?big=insidetrack/blog/tag/windows/
How Microsoft does IT
Thu, 02 Apr 2026 22:02:10 +0000

Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle
http://approjects.co.za/?big=insidetrack/blog/deploying-microsoft-baseline-security-mode-at-microsoft-our-virtuous-learning-cycle/
Thu, 26 Mar 2026 16:05:00 +0000

The post Deploying Microsoft Baseline Security Mode at Microsoft: Our virtuous learning cycle appeared first on Inside Track Blog.

The enterprise security frontier isn’t just evolving. It’s accelerating beyond the limits of traditional security models.

AI acceleration, cloud adoption, and rapid growth of enterprise apps have dramatically expanded the attack surface. Every new app introduces a new identity. Every identity carries permissions. Over time, those permissions accumulate, often without clear ownership or regular review.


Inside Microsoft Digital—the company’s IT organization—we recognized this early. Many of our highest‑risk security scenarios didn’t start with malware or phishing. They started with access. Specifically, apps running with permissions beyond what they required.

“An app is another form of identity,” says B. Ganti, principal architect in Microsoft Digital. “In a cloud-first, Zero Trust world, identity becomes the primary security perimeter, and access is governed by the principle of least privilege. Whether it is a user, an app, or an agent, when permissions are overly broad or elevated the blast radius expands dramatically, increasing risk exponentially.”

Traditional security approaches such as periodic reviews, best‑practice guidance, and point‑in‑time hardening weren’t enough in an environment that changes daily. Configurations drift, new apps appear, and risk grows quietly in places that are hard to see at scale.

That reality forced a mindset shift internally here at Microsoft. Security couldn’t be optional. It couldn’t be advisory. And it couldn’t be static.

Our team operates one of the largest enterprise environments in the world, with tens of thousands of apps and a culture built on self‑service and autonomy. That scale drives innovation, but it also amplifies risk.

Our application identities became one of the most complex governance challenges we faced. Our ownership wasn’t always clear. Our permissions were often granted broadly to avoid disruption. And once approved, access rarely came under scrutiny again.

“As a self‑service organization, we empower people to move fast,” Ganti says. “But that also means apps get created, permissions get granted, and not everyone always remembers why.”

The rise of AI‑powered apps and agents—often requiring access to large volumes of data—increased our risk further.


We needed a system to reduce that risk systematically, not one app at a time.

Microsoft Baseline Security Mode (BSM) became that system—a prescriptive, enforceable baseline that defines what “secure” means and keeps it that way.

“We’re using Microsoft Baseline Security Mode to move security from guidance to enforcement,” says Brian Fielder, vice president of Microsoft Digital. “It establishes secure‑by‑default configurations that scale across our environment, so teams can innovate quickly without inheriting unnecessary risk.”

Defining Microsoft Baseline Security Mode

BSM is more than just a checklist of recommended settings. It’s an enforced security baseline built directly into the Microsoft 365 admin center, designed to reduce attack surface by default across core Microsoft 365 workloads.

It was developed and then deployed internally at Microsoft, with our team in Microsoft Digital serving as a close design and deployment partner throughout the process.


At a technical level, BSM establishes a minimum required security posture by applying Microsoft‑managed policies and configuration states across services including Exchange Online, SharePoint Online, OneDrive, Teams, and Entra ID. The focus is on eliminating common misconfigurations, rather than theoretical or edge‑case risks.

“The settings in the Microsoft Baseline Security Mode were informed by years of experience in running our planet-scale services, and by analyzing historical security incidents across Microsoft to harden the security posture of tenants,” says Adriana Wood, a principal product manager for Microsoft 365 security. “The team identified concrete security settings that would prevent or significantly reduce known security vulnerabilities. The resulting mitigation controls were implemented and validated in Microsoft’s enterprise tenant, with Microsoft Digital evaluating operational impact, rollout characteristics, and failure modes before making it more broadly available to our customers.”

Legacy baselines rely on documentation and manual implementation. Administrators interpret guidance, apply settings where feasible, and revisit them periodically. In dynamic cloud environments, that model breaks down fast. Configurations drift, exceptions accumulate, and security degrades.


BSM replaces that approach with policy‑driven enforcement.

Now our controls are applied consistently across the tenant and continuously validated. When our configurations fall out of compliance, our risk surfaces immediately—it’s not discovered months later in an audit. The model is simple: get clean, stay clean.

Another key capability of BSM is impact awareness.

“Before enforcement, administrators can use reporting and simulation tools to understand how a baseline will affect users, apps, and workflows,” says Keith Bunge, a principal software engineer in Microsoft Digital. “That visibility allows teams to identify noncompliant assets, prioritize remediation by risk, and avoid unexpected disruptions. Our team in Microsoft Digital partnered closely with the product group to ensure these capabilities were practical for real enterprise deployments, not just greenfield environments.”

BSM is also not static.

The baseline evolves on a regular cadence to reflect changes in the threat landscape, new Microsoft 365 capabilities, and lessons learned from operating at scale.

From our perspective, BSM is not just a feature. It’s a security operating model. It shifts the default from “secure if configured correctly” to “secure by default.” Security decisions move out of individual teams and into a consistent, centrally enforced baseline. The question is no longer whether a control should be applied, but whether an exception is truly necessary—and how the associated risk will be mitigated.

That shift is what makes BSM sustainable at scale. And it’s why apps—where identities, permissions, and data access converge—became the next focus area for us in Microsoft Digital.

Addressing apps and high-risk surfaces

When we evaluated risk across our environment, one pattern was clear: Our apps represented both our most concentrated and least governed attack surface.

Apps are identities. They authenticate. They’re granted permissions. And unlike human users, they often operate continuously, without reassessment or visibility.

In a large, self‑service environment like ours, apps are created constantly by engineering teams, business groups, and automation workflows. Over time, many of those apps could accumulate permissions beyond what they actually needed, particularly Microsoft Graph permissions. Our delegated permissions were especially risky, because they allow apps to act on our employees’ behalf at machine speed across massive data sets.

“As a user, I might not know where all my data lives,” Ganti says. “But an app with delegated permissions doesn’t have that limitation. It can search everything, everywhere, all at once.”

The challenge wasn’t just volume—it was inconsistency.

Our ownership was often unclear. Our permission reviews were infrequent or manual. And once we granted elevated access, we had few systemic controls in place requiring it to be revisited.

Microsoft Baseline Security Mode addresses this directly by treating apps explicitly as identities that must conform to least‑privilege principles.

We started with visibility. We inventoried apps and analyzed permission scopes, authentication models, and potential blast radius. Our apps with broad Microsoft Graph permissions, access to large volumes of unstructured data, or unclear ownership were prioritized. In some cases, we reduced permissions to more granular scopes. In others, we rearchitected apps to use delegated access more safely—or we retired them altogether.

This work was intentionally structured as a burndown, not a one‑time cleanup.

Removing our excess permissions was only half the equation. Preventing them from coming back was just as critical. BSM introduced guardrails earlier in the app lifecycle, to surface and control elevated permission requests before they reached production. New or updated apps requesting high‑risk permissions now trigger consistent review, and in many cases are blocked outright unless they meet strict criteria.

Moving from ‘get clean’ to ‘stay clean’

Reducing risk once is hard. Keeping it reduced is harder.

After our initial application burndown, we quickly learned that cleanup alone wouldn’t scale. Even as we reduced permissions and remediated high‑risk apps, new apps continued to appear. Existing apps evolved, teams changed, and without structural controls, the same risks would inevitably return.

BSM enabled us to shift from remediation to sustainability.

It started with visibility.

We needed a reliable way to detect when apps drifted out of compliance. That meant continuously monitoring permission changes, new consent grants, and scope expansions across our tenant. Instead of periodic reviews, we moved to continuous validation tied directly to the baseline.

Next came risk‑based prioritization.

Not every noncompliance carries equal impact. Our apps with broad Microsoft Graph permissions, access to large volumes of data, or unclear ownership were surfaced first. This ensured our security teams focused on material risk, rather than treating every deviation as equal.
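The continuous validation and risk‑based prioritization described here, as an added example that is not Microsoft’s or BSM’s own code: a scorer that ranks constructed Graph permission grants by scope breadth, data sensitivity, and ownership, plus a drift check that reports new consent grants and scope expansions against a baseline snapshot. The weights, tier thresholds, app ids, and owner addresses are assumptions of the example, not BSM policy.

```python
"""Score Microsoft Graph permission grants and order an app-permission burndown.

Added example for this article, not Microsoft's or BSM's own code. The grant
records and the baseline snapshot are constructed to resemble Entra app
registrations with Graph scopes; the weights and tier thresholds are an
assumption of this example, not BSM's actual policy.
"""
from dataclasses import dataclass

# Graph resources whose scopes expose large volumes of user or tenant data
HIGH_VALUE_RESOURCES = {"Mail", "Files", "Sites", "Directory"}

HIGH_SCOPE = 5              # a single scope at or above this counts as "broad"
TIER_HIGH, TIER_MEDIUM = 7, 3


@dataclass(frozen=True)
class Grant:
    app_id: str
    display_name: str
    permission_type: str    # "Delegated" or "Application"
    scopes: frozenset
    owners: tuple = ()      # empty tuple = ownership unclear


def scope_risk(scope: str) -> int:
    """Risk points for one Graph scope such as 'Mail.ReadWrite.All'."""
    resource, *qualifiers = scope.split(".")
    points = 0
    if qualifiers and qualifiers[-1] == "All":
        points += 3         # tenant-wide reach, not just the signed-in user's data
    if any(q.startswith("ReadWrite") or q.startswith("Write") for q in qualifiers):
        points += 2         # can modify data, not only read it
    if resource in HIGH_VALUE_RESOURCES:
        points += 2         # mailboxes, files, sites, directory objects
    return points


def app_risk(grant: Grant) -> int:
    """Combine scope breadth and ownership into one score for an app."""
    risks = sorted((scope_risk(s) for s in grant.scopes), reverse=True)
    score = risks[0] if risks else 0
    broad = sum(1 for r in risks if r >= HIGH_SCOPE)
    score += max(broad - 1, 0)   # each additional broad scope widens the blast radius
    if not grant.owners:
        score += 3               # nobody can answer "why does this app need this?"
    return score


def tier(score: int) -> str:
    if score >= TIER_HIGH:
        return "high"
    if score >= TIER_MEDIUM:
        return "medium"
    return "low"


def prioritize(grants) -> list:
    """Burndown order: highest risk first, display name as tiebreaker."""
    scored = [(g.display_name, app_risk(g), tier(app_risk(g))) for g in grants]
    return sorted(scored, key=lambda row: (-row[1], row[0]))


def detect_drift(baseline: dict, grants) -> dict:
    """Compare current grants to a snapshot of {app_id: scopes}.

    Returns {app_id: {"new_app": bool, "added_scopes": [...]}} for every app that
    is new or has gained scopes since the snapshot; unchanged apps are omitted.
    """
    drift = {}
    for g in grants:
        previous = baseline.get(g.app_id)
        if previous is None:
            drift[g.app_id] = {"new_app": True, "added_scopes": sorted(g.scopes)}
            continue
        added = g.scopes - previous
        if added:
            drift[g.app_id] = {"new_app": False, "added_scopes": sorted(added)}
    return drift


# Constructed sample grants (not real tenant data)
GRANTS = [
    Grant("app-001", "Legacy Mailbox Sync", "Application",
          frozenset({"Mail.ReadWrite.All", "Directory.Read.All"})),
    Grant("app-002", "Team Wiki Bot", "Delegated",
          frozenset({"Sites.ReadWrite.All", "User.Read"}),
          owners=("alice@contoso.example",)),
    Grant("app-003", "Expense Report Viewer", "Delegated",
          frozenset({"User.Read", "Files.Read"}),
          owners=("bob@contoso.example",)),
    Grant("app-004", "Calendar Widget", "Delegated",
          frozenset({"Calendars.Read"})),
]

# Constructed snapshot taken at the previous validation run
BASELINE = {
    "app-002": frozenset({"Sites.Read.All", "User.Read"}),
    "app-003": frozenset({"User.Read", "Files.Read"}),
    "app-004": frozenset({"Calendars.Read"}),
}

if __name__ == "__main__":
    for name, score, level in prioritize(GRANTS):
        print(f"{level:6} {score:2}  {name}")
    for app_id, change in detect_drift(BASELINE, GRANTS).items():
        print(app_id, change)
```

The drift report separates a brand‑new consent grant (app-001) from an existing app whose scope widened from Sites.Read.All to Sites.ReadWrite.All (app-002), which is the distinction a review queue needs.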

It was equally important for us to control how new risk entered the system.

BSM introduces guardrails earlier in the application lifecycle. Our elevated permission requests are surfaced sooner and reviewed more consistently. In many cases, high‑risk permissions are blocked by default unless clear justification and mitigation are in place. Known‑bad patterns are stopped before our teams build or update apps.

Over time, this enforcement model fundamentally changed the operating posture.

Instead of recurring cleanup campaigns, we moved to continuous alignment. Our environment stays closer to the baseline by default. Our deviations are treated as exceptions that require explicit action, not silent drift.

This “stay clean” capability also reduced operational overhead.

As enforcement and validation moved into Microsoft Baseline Security Mode, we retired custom scripts, dashboards, and manual review processes that were difficult to maintain at scale. Our baseline became the source of truth for application security posture, not a snapshot taken after the fact.

Most importantly, we proved that BSM could scale.


By combining continuous validation, risk‑based prioritization, and enforced guardrails, we established a repeatable model for sustaining security improvements over time.

That model now serves as our foundation for extending BSM to additional workloads and security surfaces across the enterprise.

“This isn’t limited to Microsoft 365,” says Jeff McDowell, a principal program manager in the OneDrive and SharePoint product group. “This is Microsoft, and it expands over time as more services come into scope.”

Operationalizing Microsoft Baseline Security Mode

Defining a baseline is only the first step. Making it work day‑to‑day is the real challenge.

For us in Microsoft Digital, operationalizing BSM meant embedding it directly into how we run security. That required clear ownership, repeatable processes, and tight integration with our existing workflows.

Governance came first.

BSM creates a clear line between what is centrally enforced and what individual teams can influence. The baseline is owned and managed centrally to ensure consistency across the tenant. Our application owners and engineering teams still make design decisions, but within defined guardrails aligned to enterprise risk tolerance.

This clarity reduces friction.

Instead of debating security settings app by app, our teams start from a shared default. Our security conversations shift away from “Can we make an exception?” to “How do we meet the baseline with the least disruption?”

Operationally, BSM is integrated into our application lifecycle.

New apps are evaluated against baseline requirements early, before permissions are broadly granted or dependencies are established. Changes to existing apps, such as new permission requests or expanded scopes, are surfaced automatically and reviewed in context, rather than discovered months later during audits.

In an environment where apps are constantly being created, updated, and retired, automation is essential. Without policy‑driven enforcement, our security teams would be managing a perpetual backlog of reviews. BSM allows us to focus on true exceptions instead of revalidating the baseline itself.

That baseline is also embedded into our ongoing operations.

Our security posture is monitored continuously, not through periodic snapshots. When our configurations drift or new risks appear, we identify them early and address them while the blast radius is still small. Over time, this reduces both our operational effort and incident response overhead.

Perhaps our most important change was cultural.

BSM normalizes the idea that security defaults are foundational. Our teams still innovate and move quickly—but they do so in an environment where secure is expected, enforced, and sustained.

Embracing the feedback loop as Customer Zero

From the start, our team in Microsoft Digital deployed Microsoft Baseline Security Mode as Customer Zero: We applied early versions in our live, large‑scale enterprise environment, where we fed our real‑world learnings back to the product group. That feedback loop became central to how the platform evolved.

Running BSM at Microsoft scale quickly exposed challenges that don’t appear in smaller tenants. Visibility was one of the first. With thousands of apps and constantly changing permissions, it was difficult to pinpoint which apps violated least‑privilege principles and where security teams should focus first.

Those gaps directly shaped the product. Reporting and analytics were refined to better surface elevated permissions, risky scopes, and noncompliant apps, helping teams move from investigation to action more quickly.

Scalability was another critical lesson.

Controls that worked for dozens of apps didn’t automatically work for thousands. Our team needed policies that were opinionated, enforceable, and operationally sustainable without constant adjustment. That pushed BSM toward clearer defaults and stronger enforcement boundaries.

“What made the collaboration work is that Microsoft Digital was deploying this in a real tenant with real consequences,” Wood says. “Their feedback helped us understand what enterprises actually need to adopt these controls successfully, not just what looks good on paper.”

Over time, this became a virtuous cycle. Our team surfaced friction and risk through deployment. The product group translated those insights into product improvements. We then adopted those same improvements to replace custom tooling and manual processes.

For customers, this matters. The controls in BSM are shaped by operational reality, tested under scale and refined so other organizations don’t have to learn the same lessons the hard way.

What’s next for Microsoft Baseline Security Mode

Future iterations of BSM will expand coverage beyond traditional collaboration services to additional platforms and services, while maintaining the same opinionated approach. The goal is not to restrict environments indiscriminately, but to ensure new capabilities are introduced with security baked in from the start.

As compliance requirements grow more complex and more global, organizations need a consistent, defensible security baseline. BSM provides a Microsoft‑managed standard informed by real‑world attack patterns and enterprise deployment realities.

Controls evolve. Scope expands. Feedback loops remain active. As new risks emerge, the baseline adapts, without requiring organizations to redefine their security posture from scratch.

It’s a foundation designed to support whatever comes next.

Key takeaways

If you’re ready to strengthen your organization’s security posture with Microsoft Baseline Security Mode, consider these immediate actions:

  • Establish clear ownership. Assign responsibility for baseline security management to ensure consistency and accountability.
  • Implement repeatable processes. Develop standardized procedures to evaluate and enforce baseline requirements throughout the app lifecycle.
  • Integrate with existing workflows. Embed security controls into daily operations to reduce friction and streamline compliance.
  • Prioritize automation and monitoring. Use automated enforcement and continuous validation for early risk detection and response.
  • Foster a security-first culture. Normalize secure defaults and encourage teams to innovate within defined guardrails.
  • Design for evolution. Design your baseline to adapt as new services, platforms, and compliance needs arise.


Getting started with Windows Hello for Business and Day 1 authentication at Microsoft
http://approjects.co.za/?big=insidetrack/blog/getting-started-with-windows-hello-for-business-and-day-1-authentication-at-microsoft/
Thu, 05 Mar 2026 17:00:00 +0000

The post Getting started with Windows Hello for Business and Day 1 authentication at Microsoft appeared first on Inside Track Blog.

At Microsoft, we’re relentlessly focused on modernizing our passwordless protections in ways that strengthen our identity and security for everyone at the company.

At an organization the size of ours—with a global workforce, massive cloud footprint, and millions of identities to protect—relying on passwords wasn’t a sustainable security posture. We needed something stronger, simpler, and more secure.

This led to the introduction of Windows Hello for Business, which was first built into Windows 10 and then Windows 11. Windows Hello for Business replaces traditional passwords with hardware‑backed keys tied to a user’s device.

So, instead of typing a “secret phrase” that can be phished or leaked, our employees authenticate with biometrics or a PIN that never leaves the device. It’s fast, intuitive, and—most importantly—resistant to the kinds of attacks that plague password‑based systems.


Rolling out passwordless authentication at a large company like ours took more than just introducing new technology. It also required that we come up with a new way to onboard our employees securely, no matter where they work.  

The first step we took toward passwordless credentials was to create Identity Pass, which included an emphasis on Day 1 authentication (on a new employee’s first day at Microsoft). By combining strong identity proofing, a Temporary Access Pass (TAP), and automated onboarding workflows, we forged an identification system where employees could unbox their device, sign in securely, and register their credentials without ever needing a password.

The result wasn’t just a smoother user experience.

“This wasn’t just a technology shift—it was a structural change in how we establish trust across the organization,” says Abu Kabir, a director of IT service management in Microsoft Digital, the company’s IT organization. “The lessons we learned offer a practical blueprint for any organization looking to strengthen their security while also reducing friction for their workforce.”

How we launched passwordless authentication

To understand how we worked through the details of passwordless authentication, it’s helpful to explain how it was implemented in the first place.

Our passwordless security system includes several components, including face or fingerprint recognition, a PIN tied to the user’s device, and a physical security key (like a YubiKey), but this story focuses on two:

  • Identity Pass: the internal system for secure, passwordless onboarding and recovery
  • Windows Hello for Business: the phishing‑resistant credential that Identity Pass helps users register

Identity Pass

Identity Pass, which is only used internally here at Microsoft, uses several tools to “bootstrap” the user, which is the first step in establishing trust among a user, a device, and an identity system. It’s the moment when you go from “nothing trusted” to “something trusted.” Everything that happens afterward depends on getting that moment right.

Identity Pass relies on three core elements:

  • Verified ID is what we use internally to establish proof of identity. It’s an initial step and is valid for 30 days.
  • Temporary Access Pass (TAP) establishes authentication.
  • Conditional access enforces policy.

Identity Pass is where risk signals matter most, because onboarding and recovery are the moments when identity assurance is weakest. Those risk signals include:

  • Authentication behavior detection: If a user tries to redeem a TAP or Verified ID from an unusual location, device, or pattern, Authentication Behavior Detection can flag a sign in as risky. Identity Pass can then require stronger identity proofing or block the flow.
  • Global high‑risk detection: If our threat intelligence determines the user is likely compromised, Identity Pass will not allow TAP issuance or passwordless registration until the risk is remediated.
  • Strong fraud indicators: If the user’s session or token shows signs of fraud (token replay, hijacking, malicious infrastructure), Identity Pass will force remediation and block bootstrap flows.
  • Risk‑based identity assurance: This is the decision engine that takes security signals and determines what level of assurance is required. For example:
    • Low risk = allow TAP issuance
    • Medium risk = require Verified ID reproofing
    • High risk = block and escalate

Identity Pass is essentially the front door where these signals decide whether a user can even begin the passwordless journey.

Windows Hello for Business

Windows Hello for Business is the strong, phishing‑resistant credential that Identity Pass helps users register. Once this is in place, the risk signals listed above continue to influence authentication.

  • Authentication behavior detection: Windows Hello for Business sign‑ins are evaluated like any other. If the user suddenly authenticates from an impossible location or unusual device, this system flags it as a sign‑in risk.
  • Global high‑risk detection: If our threat intelligence detects a high‑confidence compromise, Windows Hello for Business sessions can be revoked via Continuous Access Evaluation. The user then reregisters through Identity Pass.
  • Strong fraud indicators: If a Windows Hello for Business token is replayed or misused, this system triggers immediate revocation and forces secure recovery.
  • Risk‑based identity assurance: This determines whether Windows Hello for Business alone is sufficient, or whether the user must step up to a stronger method based on risk.

Windows Hello for Business is the credential, but the risk signals determine whether that credential is trusted at any given moment.

What we learned: Rollout and implementation

While our toolsets and protocols offer a clear path for any organization moving toward passwordless authentication, transferring users from a typical user/password security setup can have a variety of challenges—especially at the outset.

Devices, environments, and remote work all matter

When an organization adopts identity‑based, passwordless authentication, one of the first realities it confronts is that the onboarding experience isn’t uniform. Employees don’t all show up with the same hardware, the same operating system version, or the same security capabilities. That diversity has a direct impact on how smoothly a user can complete the initial Day 1 setup and register a strong, phishing‑resistant credential.


Device and platform diversity is one of the defining factors in designing a successful passwordless onboarding experience. Any organization adopting identity‑based authentication needs an onboarding system that can adapt to a wide range of hardware, OS versions, and security capabilities while still enforcing a consistent, high‑assurance security model.

Identity proofing and credential registration don’t look the same across platforms. A laptop might support credential setup directly at the login screen, while a mobile device might require an app‑based flow, and a non‑traditional platform might rely entirely on browser‑based enrollment. The underlying model stays consistent, but the user experience varies depending on where the user begins.

“It’s not one-size-fits-all,” says Matt Scott, a senior IT service manager in Microsoft Digital. “The onboarding experience can be different by platform, version, and device. The further away you get from a homogenized environment, the more complexity you introduce.”

Support volume

With Identity Pass in place, we have seen dramatic reductions in password reset volume (80%), onboarding delays, and help desk tickets related to account access. At the initial rollout stage, however, most organizations should anticipate a temporary spike in support needs.

“We expected an increase in volume, because we had recently gotten to 99% in terms of users being identified through Phish-Resistant Multi-Factor Authentication,” Scott says. “In reality, what’s happening is you have a lot of users who are unhappy with the experience as part of the move to a passwordless environment.”

No matter how solid the argument is for a passwordless approach or how cleanly an organization implements it, our experience shows that organizations should expect initial confusion from employees and increased pressure on support teams.

“Moving into a passwordless environment is obviously good for everyone, but we needed to make it easier for users to get the information they needed,” Scott says. “It’s not just one fell swoop of moving from password to passwordless. It’s truly a journey. And it’s very important that change management is part of that journey.”

Helping employees help themselves

Another key learning during our implementation of passwordless authentication was the importance of accessible documentation. This gives users who have yet to establish their identity credentials a way to get unblocked without having to immediately call IT support.

That documentation must stay accurate over time, so it’s crucial to build a governance strategy that ensures updates are made quickly as new devices, platforms, and scenarios emerge.

“During onboarding, if there’s a problem and a user is locked out, they may not have access to the corporate network,” Kabir says. “Having a site that they could access, with actual instruction based on which device they’re using and that shows them how to get past key blockers, was very helpful.”

Maintaining a direct line to leadership in order to help unblock lingering change requests also proved to be essential. In one case, bugs lingered in the engineering queue for days, even weeks, because the escalation path was limited (by design).

“Approval requests were blocked, and so approvals needed to be accelerated to the skip-level approver,” Kabir says. “We were able to move fast to fix that, because we had a clear understanding of the pain that folks were feeling on our side and could effectively communicate that to leadership.”

Short-term pain, long-term gain

The impact has been significant. Instead of spending long cycles troubleshooting forgotten passwords or manually verifying user identities, IT teams can focus on higher‑value work: strengthening identity protection, refining automation, and improving the user experience. This shift not only reduces operational overhead, it also aligns with our Zero Trust principles by removing weak authentication steps from the identity lifecycle.

For employees, the experience is equally transformative. New hires can unbox a device, authenticate using a TAP delivered through a secure Verified ID workflow, and immediately register passwordless methods like Windows Hello for Business. Although the onboarding journey may vary across platforms and devices, the process is fast and intuitive.

For existing users who lose access—whether due to a forgotten PIN, a lost device, or a credential reset—Identity Pass provides a self‑service recovery path that avoids the delays and security risks of traditional reset processes.

Our experience demonstrates that when these processes are redesigned around strong, hardware‑backed, phishing‑resistant credentials, organizations gain both security and efficiency. The result is a more resilient identity foundation that supports the realities of modern work.

Key takeaways

Here are some suggestions for getting started with Windows Hello for Business and Day 1 onboarding:

  • Passwordless authentication starts with strong identity proofing. Establishing user identity up front is essential to creating a secure foundation for all future authentication.
  • Day 1 onboarding is the riskiest moment. The initial bootstrap step is where trust is first established, and risk signals matter most.
  • Temporary Access Pass replaces temporary passwords. TAP provides a secure, time‑bound way for users to authenticate and register passwordless credentials without exposing the network to attack.
  • Device and platform diversity shapes the user experience. Different hardware, operating systems, and compute environments require flexible onboarding paths that still enforce consistent security.
  • Support demand spikes before it drops. Organizations should expect short‑term confusion and increased help‑desk volume before passwordless security benefits fully materialize.
  • Long‑term gains are significant. Once deployed, passwordless authentication reduces operational overhead, strengthens security, and improves the user experience across the identity lifecycle.
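As an added example (not code from the Inside Track post or from Microsoft Digital), the time-bound, one-time TAP the takeaways describe can be issued and audited with the Microsoft Graph PowerShell SDK; the UPN, lifetime and audit threshold below are placeholder values chosen for this example.

```powershell
# Added example, not Microsoft Digital's own tooling: issue a short-lived, single-use
# Temporary Access Pass so a new hire can register Windows Hello for Business without
# ever receiving a password, then audit and revoke any pass that is still usable.
# Assumes the Microsoft Graph PowerShell SDK is installed and the caller holds a role
# permitted to manage authentication methods. The UPN is a placeholder.
Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

$upn = "new.hire@contoso.example"   # placeholder user principal name

# Restrictive settings chosen for this example: usable once, valid for 60 minutes from now.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
    -LifetimeInMinutes 60 `
    -IsUsableOnce

# The pass value is only returned at creation time; deliver it out of band
# (the post describes a Verified ID workflow for this step). Never log it.
$tap.TemporaryAccessPass

# Audit: a user holds at most one TAP; flag it if it is reusable or unusually long-lived.
# The 480-minute threshold is an example value, not a tenant setting from the post.
$outstanding = Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn
$outstanding |
    Select-Object Id, StartDateTime, LifetimeInMinutes, IsUsableOnce, IsUsable, MethodUsabilityReason

# Revoke any pass that is still usable once onboarding is confirmed complete.
foreach ($pass in $outstanding) {
    if ($pass.IsUsable) {
        Remove-MgUserAuthenticationTemporaryAccessPassMethod -UserId $upn `
            -TemporaryAccessPassAuthenticationMethodId $pass.Id
    }
}
```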

The post Getting started with Windows Hello for Business and Day 1 authentication at Microsoft appeared first on Inside Track Blog.

Supercharging our enterprise with Windows 11 and AI PCs
http://approjects.co.za/?big=insidetrack/blog/supercharging-our-enterprise-with-windows-11-and-ai-pcs/
Tue, 18 Nov 2025 16:00:00 +0000
AI is no longer a buzzword—it’s the engine driving a new era of productivity, security, and personalization. And Windows 11 and AI PCs are at the center of it.

At Microsoft Digital, the company’s IT organization, we’re embracing this as Customer Zero for the company.

What does that mean?

It means that we’re testing and shaping new Windows 11 features before they ship to customers. And as such, we’re helping the company reimagine what the OS can do for enterprise users in an AI-first world. We’re also helping the company transform the tools and processes we and our customers use to manage the Windows devices that our employees use to do their work.

When we rolled out Windows 11 across Microsoft in 2021, we wanted to modernize the Windows experience for our global workforce. That meant moving beyond the legacy of Windows 10 and building a platform that’s smarter, more secure, and easier to manage. It also meant working closely with engineering teams to ensure that what we deploy internally reflects what customers need externally.

“Windows 11 is our foundation for the future of work,” says Sean MacDonald, partner director of product management at Microsoft Digital. “We’re helping to build an OS that’s not just reactive—it’s predictive. It understands context, adapts to users, and helps IT teams stay ahead of the curve.”

This transformation isn’t happening in isolation. It’s part of a broader organizational commitment to AI across Microsoft. From the integration of Copilot into dozens of Microsoft products to intelligent device management, we’re aligning every layer of the stack to deliver smarter experiences.

And we’re doing it because the time is right. The end of Windows 10 support is here, and Windows 11 is the essential solution for organizations seeking the enhanced productivity, security, and personalized experiences that AI makes possible.

Embracing a secure and efficient update environment

Keeping Windows 11 secure and up-to-date has evolved into a streamlined, intelligent process.

With Windows Autopatch, we’ve automated the deployment of updates across our enterprise.

But automation doesn’t mean losing control. The management tools available across Microsoft Intune and Windows allow us to exercise complete control over updates. We can leave Autopatch to make patching decisions, or we can dictate how any part of the process works—evaluate and select which updates to perform, define the rollout structure and schedule, and monitor the updates.

Autopatch lets us tailor rollouts to match our business structure. We’ve created custom Autopatch groups of up to 50 rings so we can deploy updates to the right people at the right time.

This flexibility is critical. It means we can schedule around sensitive periods like year-end close, define grace periods, and even choose which updates to deploy—feature, driver, or quality.

But the real magic happens behind the scenes.

With Windows 11 and Autopatch, we’re not just reacting to issues—we’re anticipating them. That’s where Autopatch update readiness (AUR) comes in. It adds a new layer of resilience to our update management strategy.

Update readiness continuously monitors device health and update compliance across the enterprise.

By analyzing real-time telemetry, update readiness flags irregularities early and recommends targeted fixes.

“Autopatch update readiness takes us to a new level with Windows 11 updates,” says Dave Rodriguez, a principal product manager on the Windows team in Microsoft Digital. “It allows us to be proactive, rather than reactive in ensuring our Windows devices are in a ready state to seamlessly update, which minimizes disruptions and distractions to our employees.”

One of the biggest wins?

Hotpatch, which lets us apply most of our monthly security updates without our employees needing to restart their devices. That has been huge for our productivity.

“Hotpatching has been a game-changer for keeping our devices secure without disrupting work,” says Harshitha Digumarthi, a senior product manager on the Windows team in Microsoft Digital. “Security updates take effect immediately—no reboot required. That’s a big deal.”

Hotpatch works by modifying in-memory code to silently apply updates in the background. It’s especially valuable for operations that require high availability.

Together, hotpatch, update readiness, and Autopatch are helping us transform how we manage updates. We’re not just deploying tools—we’re reshaping business-critical processes.

Protecting data using Windows Backup and Restore for Organizations

With Windows 11, we’ve redefined what backup and restore means for enterprise users with Windows Backup and Restore for Organizations. It’s not just about getting a device back online—it’s about restoring the user’s experience.

When a user signs into a new device with their Entra ID, they can select a backup to automatically restore their Microsoft Store app configurations, settings, and preferences. It’s seamless. It’s secure. And it’s fast.

“We’re seeing a shift from device-centric recovery to user-centric personalization,” says Markus Gonis, a senior service engineer on the Windows team in Microsoft Digital. “It’s not just about getting the machine back—it’s about getting the person back to work.”

This matters. Especially in large organizations where device turnover is constant and downtime is costly.

With Entra ID, we can automatically enroll devices into Microsoft Intune for management. That means IT policies, security configurations, and compliance settings are applied instantly. No manual setup. No waiting.

And because the restore process is tied to the user’s identity, it works across devices. Whether it’s a laptop refresh, a lost device, or a hardware upgrade, users get their familiar environment back—apps, layout, even their desktop background.

“Windows 11 is designed for fast deployment and compatibility,” Gonis says. “We’ve seen up to 25 percent faster deployment times compared to Windows 10. That’s a huge win for IT teams.”

This isn’t just about convenience. It’s about resilience.

By combining Entra ID with modern device management, we’ve built a recovery system that’s secure by default. Data is encrypted. Access is conditional. And IT retains full control over who can restore what, when, and where.

Capturing the power of AI-enabled apps and experiences

Windows 11 is bringing intelligent experiences to the forefront, and we’re seeing it firsthand at Microsoft Digital. From productivity to security, AI is transforming how our people work.

Windows Recall is an opt-in AI-powered feature built directly into Copilot+ PCs with Windows 11. It’s designed to solve a problem every person knows too well: Finding something you’ve already seen.

Recall allows you to search across time to find the content you need. Just describe how you remember it, and Recall retrieves the moment you saw it. Once you opt in, snapshots are taken periodically whenever the content on the screen differs from the previous snapshot. The snapshots of your screen are organized into a timeline. Snapshots are locally stored and locally analyzed on your PC. Recall’s analysis allows you to search for content, including both images and text, using natural language.

Here are its core capabilities:

  • Semantic AI-powered search. No need to recall exact filenames. Just describe what you remember—like “blue sustainability slide from last meeting”—and Recall uses on-device AI to surface images or text that match the description.
  • Full user control and privacy. IT admins have a full set of controls to manage security and privacy when enabling the Recall feature for the enterprise. Once enabled by enterprise admins, you as the end user then have the choice to opt in to enable snapshots on your machines.
  • Explore content with a visual timeline. Recall periodically captures screenshots of your active window and displays them in an interactive, chronological timeline. When you need to revisit something, you can simply scroll through your past activity or jump directly to the specific moment you remember seeing it.
  • Granular snapshot management. You choose which apps and websites to include or exclude. You can pause snapshot capture, delete past captures, and set retention limits (e.g., 30, 60, 90, or 180 days) to manage storage and privacy. And IT admins can control how these capabilities work for the entire organization.
  • All snapshots, indexing, and AI processing occur on-device. Recall runs completely locally—no data leaves your PC. It never shares your data with Microsoft or third parties, nor across different user accounts on the same device.

Recall doesn’t just remember—it protects. IT admins can control snapshot storage, retention policies, and even filter which apps and websites are recorded.

That’s where enterprise-scale controls come in.

Microsoft Digital partnered with the Purview and Intune product teams to help build a rich set of controls that give IT full visibility and governance over Recall’s data store. That includes sensitivity labels, data loss prevention (DLP) policies, and tenant trust reviews—all designed to keep enterprise data safe.

Purview and Intune provide the level of control that IT admins need to ensure that Recall respects the security and privacy concerns of the enterprise and the end user.

If a document is labeled “Highly Confidential,” Recall won’t index it. If a meeting is tagged “Recipients Only,” it won’t be captured. Purview admins can decide exactly which sensitivity levels are allowed in Recall and which are excluded.

Recall’s content redaction feature automatically detects and removes highly confidential information from screen snapshots based on Purview sensitivity labels. Users can work with both sensitive and non-sensitive documents on the same screen without risk of accidental exposure.

“We helped define these controls,” says John Philpott, a principal product manager within Microsoft Digital. “We tested them to validate they worked as expected.”

Implementing Windows 11 for the enterprise

Windows 10 support officially ended on October 14, 2025. Still, many companies have not yet made the needed move, something that Microsoft would like them to do as soon as possible.

At Microsoft Digital, we’ve already made the leap. We’ve deployed Windows 11 across our internal fleet, and we’ve learned what works and what doesn’t.

The most important thing? Have a plan and a phased approach.

“We didn’t try to do everything at once,” Digumarthi says. “We went slow, monitored help desk calls, and paused when needed. It wasn’t about speed—it was about getting it right.”

That phased approach helped us avoid surprises. We used security groups to segment users, deployed in waves, and ran parallel communication campaigns to keep everyone informed. “We built tech web pages, sent individual emails, and used Viva Engage for direct outreach,” Gonis says. “We wanted users to know what was coming and why.”

Organizations have options. They can upgrade from Windows Pro to Windows Enterprise. They can subscribe to Windows 365, which provides access to Windows 11 in the cloud. And they can extend the life of Windows 10 devices with Extended Security Updates (ESU).

Windows 365 lets you keep older hardware while giving users a modern experience. You get ESUs at no extra cost, and you don’t have to manage license keys or deploy images.

With tools like Autopatch and Intune, deployment is faster and easier. Compatibility is strong. And support is built in.

Looking ahead

We’re just getting started.

At Microsoft Ignite, we’re unveiling new capabilities that push the boundaries of what’s possible with AI and automation. Expect deeper integration between Windows and Microsoft Defender, new agentic workflows, and expanded support for AI-driven security operations.

We’re expanding the update readiness initiative, introducing carbon-aware updates in Autopatch, and expanding privacy capabilities in Recall.

Baseline Security Mode is growing, too, with more features, better reporting, and stronger baselines coming soon.

And we’ll keep telling the story. Start with the tools. Lean on the community. And let us help you make the leap to a more intelligent and secure enterprise powered by AI and Windows 11.

Key takeaways

Here are several practical steps you can take right now to maximize your transition to Windows 11 and harness the full potential of its AI-powered capabilities:

  • Understand Windows 11’s AI-driven transformation. Learn how Windows 11 leverages artificial intelligence to enhance productivity, security, and user experiences across your organization.
  • Discover new enterprise features and deployment strategies. Explore the latest tools and best practices for rolling out Windows 11 efficiently, including advanced management and security capabilities tailored for businesses.
  • Learn from Microsoft Digital’s role as Customer Zero. Benefit from Microsoft Digital’s firsthand insights and lessons learned as the initial adopter of Windows 11 within a large enterprise environment.
  • Explore migration options. Review your choices for upgrading to Windows 11, such as moving to Windows 11 Pro or Enterprise, subscribing to Windows 365, or leveraging Extended Security Updates for legacy devices.
  • Prepare for what’s next. Stay ahead by planning for upcoming features, security enhancements, and innovations that will continue to shape the future of Windows in the enterprise.

Accelerating workplace productivity at Microsoft with Windows Recall
http://approjects.co.za/?big=insidetrack/blog/accelerating-workplace-productivity-at-microsoft-with-windows-recall/
Tue, 18 Nov 2025 16:00:00 +0000
Have you ever struggled to find an important document or photo? Forgotten which app a colleague shared an important data point with you on? Browsed a website but forgot to bookmark it?

Recall on Copilot+ PCs can help. It uses whatever details you remember about the missing item to find it for you.

Our team in Microsoft Digital, the company’s IT organization, has deployed Recall, giving our employees access to its AI-powered memory in a secure and managed environment. Recall now integrates with Microsoft Purview, which layers enterprise-grade security and compliance controls on top of Recall’s local AI capabilities.

How Windows Recall works

Windows Recall is an AI-powered feature built directly into Copilot+ PCs with Windows 11. It’s designed to solve a problem every person knows too well: Finding something you’ve already seen.

Here are its core capabilities:

  • Explore content with a visual timeline. Recall captures periodic screenshots of your active window and visualizes them in an explorable, chronological timeline. When you need to revisit something, you can scroll through your activity or jump straight to the moment you remember seeing it.
  • Semantic AI-powered search. No need to recall exact filenames. Just describe what you remember—like “blue sustainability slide from last meeting”—and Recall uses on-device AI to surface images or text that match the description.
  • Full user control and privacy. IT admins have a full set of controls to manage security and privacy when enabling the Recall feature for the enterprise. Once enabled by enterprise admins, you as the end user then have the choice to opt in to enable snapshots on your machines. Only your device stores them, and they’re encrypted locally via BitLocker or Device Encryption. Access requires Windows Hello biometrics (your face or fingerprint), which ensures only you can view them.
  • Granular snapshot management. You choose which apps and websites to include or exclude. You can pause snapshot capture, delete past captures, and set retention limits (e.g., 30, 60, 90, or 180 days) to manage storage and privacy. And IT admins can control how these capabilities work for the entire organization.
  • All snapshots, indexing, and AI processing occur on-device. Recall runs completely locally—no data leaves your PC. It never shares your data with Microsoft or third parties, nor across different user accounts on the same device.
  • Jumping back in. Windows Recall doesn’t just help you find something you saw before, it helps you pick up where you left off, getting right back to the page, slide, or chat in Word, Excel, PowerPoint, and Teams, as well as in an app, document, or webpage.

It’s like having a photographic memory for your digital life. Recall is a productivity booster. But it’s also a security-first, enterprise-ready feature.

To ensure security, privacy, and governance, the Windows product team turned to our team in Microsoft Digital, the company’s IT organization, to test Windows Recall. This happened after early users of the feature suggested that better controls needed to be put in place. Our team helped the product group design and deploy better enterprise controls.

This collaboration helped shape Recall into a feature that works for everyone—from individual users to global enterprises.

“We’ve been working for over a year with Microsoft Digital to understand how Windows Recall will function best in the enterprise environment,” says Adam Wayment, a principal program manager lead for Windows Recall. “They helped us get it ready for our customers.”

Establishing security and privacy for the enterprise

Recall doesn’t just remember what you’ve seen. It remembers what it should—and forgets what it shouldn’t.

That’s where enterprise-scale controls come in.

Comprehensive controls are at the center of deploying Recall to the enterprise.

Microsoft Digital partnered with the Purview and Intune product teams to help build a rich set of controls that give IT full visibility and governance over Recall’s data store. That includes sensitivity labels, data loss prevention (DLP) policies, and tenant trust reviews—all designed to keep enterprise data safe.

Purview and Intune provide the level of control that IT admins need to ensure that Recall respects the security and privacy concerns of the enterprise and the end user.

If a document is labeled “Highly Confidential,” Recall won’t index it. If a meeting is tagged “Recipients Only,” it won’t be captured. Purview admins can decide exactly which sensitivity levels are allowed in Recall and which are excluded.

That means no screenshots of HR portals. No copies of credentials. No risk of sensitive data lingering on a user’s device.

Recall’s content redaction feature automatically detects and removes highly confidential information from screen snapshots based on Purview sensitivity labels. Users can work with both sensitive and non-sensitive documents on the same screen without risk of accidental exposure. Only permitted content is captured during multitasking or collaborative activities. That Excel document with employee salary information? It never becomes part of the snapshot.

IT admins also have policy controls to manage access to Recall. They can set retention limits. They can restrict access by role, ensuring Recall is only available to the right people. And they can block specific apps and websites from being captured.

“We helped define these controls,” says John Philpott, a principal product manager within Microsoft Digital. “We tested them to validate they worked as expected.”

This wasn’t just about building features. It was about building trust.

We worked to identify the key scenarios and apps—including Word, Excel, PowerPoint, Outlook, Teams, and Edge—to prioritize what needed protection. We made sure Recall could handle the real-world complexity of enterprise data.

It was a massive undertaking, requiring collaboration between Microsoft Digital, the Recall product team, and the products teams from all the apps with which Recall interacts. It came down to creating useful functionality while protecting our data.

“Security is at the center—data is encrypted on the device,” Wayment says. “Recall uses the latest technology for security, from all the controls on the backend right up to user authentication, including Windows Hello with face or fingerprint recognition required to access the data.”

These controls were built in collaboration with the product team, with our Microsoft Digital team acting as Customer Zero. We helped define tenant trust requirements and test every scenario—credentials, certificates, internal portals, and more. And now Recall is stronger because of it.

Moving forward

Our team in Microsoft Digital learned a lot helping the Windows product team build and test Recall.

Some lessons were technical. Some were strategic. All of them made the product better.

One of the first challenges we tackled was credential protection. We wanted to make sure passwords, certificates, and other sensitive data wouldn’t be captured. The product team agreed, and we helped them build the exclusion logic that ensures Recall ignores credential-related content.

Another lesson came from deployment.

Recall is disabled by default in enterprise builds. That meant we had to work through IT policy hurdles to get it up and running. We hit race conditions. We found bugs. But we fixed them. And we made the deployment smoother for everyone.

We also learned the value of centering enterprise needs early in the deployment.

When Recall first launched, we focused on consumers. But customer feedback reinforced how powerful the tool could be for information workers in enterprises like ours. We built tenant trust requirements. We ran evaluations. We created a checklist of what needed to be done. And we did it.

That process changed the conversation, and we’re not done. We’re still listening, still improving, still building.

Key takeaways

Here are four actions you can take right away as you consider deploying Windows Recall in your organization:

  • Test at scale. Roll out Windows Recall to a wide group to uncover complex issues—especially those that don’t show up in smaller test environments.
  • Start with enterprise needs and roles. Engage enterprise stakeholders early to review which roles should have access and to shape feature requirements such as tenant trust and data-handling policies.
  • Collaborate for improvement. Test controls early to ensure that they are configured to provide the level of security and privacy required by your organization.
  • Build confidence for adoption. Use thorough evaluations and checklists to ensure readiness, leading to greater trust among users, partners, and teams.

Hardening our digital defenses with Microsoft Baseline Security Mode
http://approjects.co.za/?big=insidetrack/blog/hardening-our-digital-defenses-with-microsoft-baseline-security-mode/
Tue, 18 Nov 2025 16:00:00 +0000
Security isn’t just a feature—it’s a foundation.

As threats grow more varied, widespread, and sophisticated, enterprises need to rethink how they protect their environments. That’s why we, in Microsoft Digital, the company’s IT organization, took a necessary step forward and deployed Microsoft Baseline Security Mode internally across the company.

Baseline Security Mode is a new approach to endpoint protection that enforces secure-by-default configurations across our enterprise. And it’s not just about locking things down—it’s about doing so in a way that’s scalable, manageable, and respectful of user experience.

This is a story for every organization trying to balance usability with security. Baseline Security Mode is designed to help IT teams enforce protections without breaking productivity. It’s a shift toward proactive defense with standardized secure settings.

Understanding the need for Microsoft Baseline Security Mode

Security must evolve with the environment.

At Microsoft Digital, we’ve built a strong foundation of endpoint protection over the years. But as our ecosystem expanded—more devices, more workloads, more diverse user needs—we saw an opportunity to take our security posture to the next level.

Our existing configurations were effective, but they reflected the natural complexity of a large enterprise. Different teams had different requirements. Some relied on legacy technologies that had served them well. Others needed flexibility to support specialized workflows. Over time, this led to variation in how security policies were applied.

We wanted to unify that approach.

Baseline Security Mode emerged as a way to streamline and strengthen our defenses. It was about building on what worked. We started by identifying areas where legacy protocols and configurations could be modernized. That included technologies like ActiveX controls and older authentication flows, which we carefully evaluated and phased out where appropriate.

We also improved how we gather and use telemetry. Initially, we had limited visibility into how certain features were used. That made it harder to predict the impact of changes. So, we ran pilots, collected feedback, and refined our approach. Baseline Security Mode was a game changer here, providing built-in reports that gave us the visibility we needed to observe the impact of applying settings in our environment. For example, when we reviewed blocking legacy file formats, we discovered that some workflows depended on them. We responded quickly, offering alternatives and guiding users through the transition.

Ease of use was a priority.

We built intuitive controls into the Microsoft 365 admin center, allowing IT admins to manage policies with just a few clicks. No more manual scripts. No more guesswork. We also introduced exception handling to support specialized needs, ensuring that security didn’t come at the cost of productivity.

We worked closely with internal stakeholders, including compliance teams and work councils, to validate every step and build trust. We made sure the experience was smooth, the tools were reliable, and the changes were clearly communicated.

This wasn’t just a technical upgrade—it was a cultural shift.

Baseline Security Mode gave us a way to unify our security posture while honoring the diversity of our environment. It’s a smarter, more scalable way to protect our endpoints, and it reflects everything we’ve learned from years of experience.

Putting consistent security configuration into practice

Baseline Security Mode establishes a new standard, enabling organizations to be secure by default.

It is the result of a collaborative effort of multiple product teams at Microsoft, building on their security and incident-handling expertise. It’s designed to simplify and strengthen endpoint protection across Windows and Microsoft 365. The feature lives in the Microsoft 365 admin center, where IT admins can enforce modern security policies with just a few clicks.

The product teams delivered 20 features across five workloads: Office, OneDrive and SharePoint, Teams, Substrate, and Identity. Each one targets a specific risk—blocking legacy authentication, disabling insecure protocols, restricting ActiveX, and more.

When we deployed Baseline Security Mode as Customer Zero at Microsoft Digital, our job was to validate these features and controls in real-world enterprise conditions.

We pushed for exception handling.

Some users still relied on legacy formats or protocols. Certain teams, for example, needed access to older Office features. So, we worked with the product team to ensure exceptions could be built into the UI.

That flexibility was key. We knew from experience that without it, customers might hesitate to adopt the feature.

“When we blocked certain file formats, users were confused by the error messages and thought they were blocked from saving the file,” says Harshitha Digumarthi, a senior product manager at Microsoft Digital. “So, we ran pilots, gathered feedback, and helped the product team build an improved error experience to save blocked formats to safe, newer formats.”

We also pushed for better telemetry.

At first, we had only a few days of data. That wasn’t enough to understand how features were used or what impact they would have. So we worked with the product team to expand telemetry, improve error reporting, and reduce false positives, including identifying bugs that skewed metrics and made troubleshooting harder.

We ran the deployment through our Tenant Trust Program and work council reviews to ensure global compliance. That gave us—and our customers—confidence.

Baseline Security Mode isn’t just a feature. It’s a shift in how we think about security, and we’re proud to have helped shape it.

Deploying Baseline Security Mode at Microsoft Digital

Rolling out Baseline Security Mode wasn’t just a technical exercise—it was a cross-team effort that demanded precision, patience, and partnership.

Microsoft Digital took the lead on deployment. We acted as Customer Zero, testing every feature in real-world conditions before it reached customers. That meant working closely with the product team to validate functionality, identify bugs, and shape the user experience.

“When we heard about Baseline Security Mode, it was still in ideation,” Gonis says. “There were no tools in the Microsoft 365 admin center yet. We had to figure out how to enable this internally while the product team built the capabilities in parallel.”

Telemetry was limited. We had only 30 days of data to work with. That made it hard to predict how changes would affect users, so we ran pilots with internal user acceptance testing cohorts and we deployed in phases.

For some legacy protocols, usage was low. In these cases, the features being deployed made removing these protocols seamless. Where usage was higher or unclear, a more detailed approach was required.

First, a few thousand users. Then 50,000. Then 100,000. Eventually, the entire Microsoft tenant. We paused between each wave to monitor help desk tickets, gather feedback, and confirm that our mitigation strategies were working.

Communication was critical.

We ran targeted campaigns, sent individual emails, and published technical reports explaining what was changing, why it mattered, and how users could adapt. We even used Viva Engage to notify users directly. It was important to explain to users why longstanding functionalities were being removed. We had to explain what we were doing and how to mitigate any impact.

We did a lot of work with the product team to ensure the user experience and the IT pro experience both exceeded expectations.

“It was a great Customer Zero experience,” says John Philpott, principal product manager within Microsoft Digital. “Our security teams stood to benefit from Baseline Security Mode features, and we helped the product team find bugs and the issues that just hadn’t come up in early testing or at a large scale. It was a win-win situation.”

We flagged inconsistencies in policy syntax, pushed for better error handling, and worked with the product team to align deployment tools across workloads.

But we didn’t stop at deployment. We tracked progress, validated telemetry, and signed off on each feature before it moved into broader rollout. We even helped pave the way for the next iterations, identifying features that needed more design work or deeper telemetry before they could be deployed.

This was a true partnership. The product team built the features. We tested them, validated them, and helped make them better.

Baseline Security Mode is now live across Microsoft. And it’s ready for the world.

Capturing real benefits

Baseline Security Mode is more than a set of policies—it’s a platform for proactive defense.

The product team built it to reduce legacy risks and enforce modern security standards across Microsoft 365 workloads. Microsoft Digital validated it in production, surfacing bugs, shaping telemetry, and confirming that the features worked as intended.

We tested 22 features across Office, OneDrive & SharePoint, Substrate, Identity, and Teams. Each one targeted a specific vulnerability—like blocking ActiveX controls, disabling Exchange Web Services, or enforcing phishing-resistant authentication for admins.

We flagged critical ActiveX dependencies in third-party apps—something the product group hadn’t found—which enabled them to initiate removal. That kind of early detection helped fix issues before the features reached customers.

We found regressions in PowerShell and legacy authentication flows. The OneDrive and SharePoint team caught a high-impact bug and worked with the product team to resolve it.

That validation mattered.

We also helped shape the admin experience.

Exception handling was built into the UI. Admins could create security groups, assign users, and manage exclusions directly in the Microsoft 365 admin center.

“There’s no need to handle everything manually,” Philpott says. “Simply click here and then here to disable. It’s a much simpler process.”

Extending benefits to Microsoft customers

Baseline Security Mode is ready for enterprise.

We’ve tested it. We’ve hardened it. And we’ve made it easier to adopt.

Microsoft Digital’s deployment journey helped shape the product into something customers can trust. We didn’t just validate features—we made sure they worked in real-world environments, across diverse teams, and under the pressure of scale.

The product team designed the features to be enterprise-ready. We ran them through our Tenant Trust Program and work council reviews to ensure compliance across global regions. That gave us confidence—and gave customers confidence too.

The benefits are clear. We’ve reduced our attack surface. We’ve improved compliance. We’ve made it easier for IT teams to enforce security without disrupting workflows. And we’ve laid the groundwork for secure-by-default computing across Microsoft.

Customers can do the same.

Start small. Run pilots. Monitor impact. Use the tools in the Microsoft 365 admin center to deploy policies, manage exceptions, and guide users through the change. And don’t be afraid to ask for help—our journey has shown that collaboration between deployment teams and product teams makes all the difference.

Baseline Security Mode is ready, and we’re ready to help others adopt it.

Looking ahead

The first wave of Baseline Security Mode—BSM 2025—delivered 22 features across five major workloads. Microsoft Digital helped validate and deploy those features across the enterprise. And the next wave of features is already in motion.

And it’s bigger, with 46 features, more than double what we had in the first round. The product team is expanding coverage to include deeper protocol restrictions, broader app controls, and more granular authentication policies.

We’re also preparing for broader industry adoption.

Governments, regulators, and enterprise customers are asking for secure-by-default configurations. Baseline Security Mode is our answer. And the next version will make it even easier to adopt.

We’ll continue to lead as Customer Zero. We’ll test new features, validate insights surfaced by telemetry, and share feedback with the product team. We’ll run pilots, monitor impact, and guide users through the change. And we’ll keep pushing for simplicity, scalability, and trust.

Because security isn’t a one-time project—it’s a mindset, and it’s Microsoft’s highest priority.

Key takeaways

Ready to adopt Baseline Security Mode? Here are some actions we recommend based on our deployment experience:

  • Start with a pilot: Test Baseline Security Mode with a small group of users to identify legacy dependencies and gather feedback before scaling.
  • Use the Microsoft 365 admin center for deployment: Apply policies and manage exceptions directly through the UI—no scripting required.
  • Identify and plan for exceptions early: Work with business units to understand where legacy formats or protocols are still needed and create security groups for exclusions.
  • Communicate proactively with users: Launch campaigns to explain upcoming changes, their impact, and how users can adapt.
  • Validate telemetry and error reporting: Ensure your environment captures enough data to monitor the impact of new policies and troubleshoot effectively.
  • Engage your compliance and governance stakeholders: Review new policies with internal governance teams to ensure alignment with organizational and regional standards.
  • Treat security as an ongoing journey: Continue to monitor, iterate, and evolve your security posture as new threats and features emerge.

The post Hardening our digital defenses with Microsoft Baseline Security Mode appeared first on Inside Track Blog.

Transforming security and compliance at Microsoft with Windows Hotpatch
http://approjects.co.za/?big=insidetrack/blog/transforming-security-and-compliance-at-microsoft-with-windows-hotpatch/ (Thu, 02 Oct 2025)

Security updates are essential, and every security admin knows that when it comes to applying these updates, faster is better to mitigate the risk. However, security updates have always come with a catch: Windows needs to reboot to apply them.

Reboots mean interrupted productivity and downtime for users.

For us at Microsoft Digital, Microsoft’s internal IT organization, Windows Hotpatch changes the equation.

It’s a new way to deliver critical Windows updates without rebooting. That means faster compliance, less downtime, and happier users.

We’re using it across Microsoft and it’s already transforming how we think about security and productivity.

“Hotpatch is helping Microsoft reach compliance faster than ever—no reboots, no delays, secure systems at scale, and a seamless experience that keeps users more productive. The risk exposure window is reduced drastically, making our environment safer and more resilient,” says Harshitha Digumarthi, a senior program manager within Microsoft Digital.

Hotpatch installs updates while the system is running—no reboot required. That means we can patch faster, stay compliant, and keep users happy.

And it’s not just us.

Microsoft enterprise customers are already scaling deployments to millions of devices. We’re seeing a shift in how organizations think about patching and how they can expedite the patch time. Hotpatch is here to help. It’s no longer a disruption, it’s just part of the flow.

Increasing productivity and security with Hotpatch

Hotpatch is a servicing technology that delivers cumulative security updates—released on Patch Tuesday, the second Tuesday of each month—without requiring a system reboot. Instead of replacing binaries on disk and restarting the system, Hotpatch modifies in-memory code while the system is running.

This means updates take effect immediately, with no downtime, no maintenance windows, and no disruption to users.

Hotpatch payloads are small by design. Smaller updates mean faster downloads, quicker installs, and minimal impact on performance. CPU usage stays low. No spikes. No slowdowns. Just updates that run in the background and finish silently.

“The experience is so seamless you don’t even know what happened,” says Nevine Geissa, a partner group program manager within the Windows product team. “There are no process restarts, no logging out, no performance impact. No glitch in the video playing or transaction dropping. Everything just works as if nothing has happened.”

Because hotpatch updates happen so painlessly in the background, IT administrators may want to understand how the process works and what validation steps are involved. That’s why we test hotpatch updates with the same rigorous standards we apply to all our security updates.

“Hotpatch updates go through the exact same validation and rigor that a standard security update goes through. There is no compromise on quality whatsoever. Your device is always as secure as your non-hotpatch device.”

Nevine Geissa, partner group program manager, Windows Servicing and Delivery

Even in cases of zero-day vulnerabilities, Hotpatch can deliver out-of-band updates to enrolled devices without requiring a reboot.

Hotpatch is available for Windows 11 version 24H2 or later, Windows 365, Azure Virtual Desktop, Windows Server 2022/2025 Azure Edition, and Azure Arc connected Windows Server 2025 Datacenter and Standard editions.

The technology has matured over years of internal development.

“Hotpatch updates go through the exact same validation and rigor that a standard security update goes through,” Geissa says. “There is no compromise on quality whatsoever. You will always be at the exact same level of security.”

Hotpatch has evolved and grown.

“It started as internal server capability in Azure and then expanded to our Windows Server 2022 customers,” says Nikita Deshpande, a senior customer experience program manager within the Windows Servicing and Delivery product team at Microsoft. “The tooling and OS support have matured such that now we can offer Hotpatch to AMD64 and Arm64 client machines too.”

Hotpatch integrates seamlessly with Autopatch, a cloud-based service from Microsoft that automates the process of keeping Windows devices up to date. Designed for enterprise environments, and powered by Microsoft Intune, Autopatch manages updates for Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams, reducing the manual effort required by IT administrators.

Any new policy in our environment created with Autopatch automatically enables Hotpatch—if the device meets requirements. Admins can set up rings, monitor compliance, and roll out updates with just a few clicks.

“It’s the better together story,” Deshpande says. “Autopatch streamlines everything. Add Hotpatch, and it takes Windows Update to a whole new level.”

Implementing Windows Hotpatch internally at Microsoft

The implementation of Hotpatch at Microsoft Digital involved developing and deploying a feature, as well as establishing trust for customers.

The journey started years ago in Azure with virtual machines, then to Windows Server across physical and virtual instances. Now, it’s on Windows 11 clients and scaling fast, but getting here took deep collaboration.

Our team in Microsoft Digital partnered with the product team from the start. We were co-designers with experience in this space. We helped shape the rollout, validate the experience, and make sure Hotpatch was ready for enterprise scale.

Then we scaled. We expanded to 40,000, then 80,000, then 120,000 devices. We’re on track to reach 450,000 devices at Microsoft in the next four months.

We also wanted a great admin experience enabled for the product. The features help with smooth rollout and the visibility helps admins monitor rollouts and measure impact. We’re continually collaborating with the Windows product team to equip administrators with comprehensive insights and actionable recommendations with Hotpatch.

“We worked closely with the product team to make sure admins had the right metrics to measure the success,” Digumarthi says. “It’s not just about implementation—it’s about knowing it worked.”

We ran early adopter programs and insider rings to gather feedback from across Microsoft. That feedback loop helped refine the experience, improve reporting, and ensure the rollout was smooth.

Achieving security without compromising on productivity

Hotpatching is changing how we think about security.

Before, it took our team up to nine months to reach 95% compliance for security patching.

That’s nine months of exposure and nine months of risk.

With Hotpatch, we’re achieving 95% compliance in less than three weeks.

“With Hotpatch, we’re seeing 81% of Microsoft’s enrolled devices become compliant within 24 hours of Patch Tuesday, and 90% of enrolled devices are compliant within five days,” Digumarthi says.

That’s not just faster. It’s safer.

“We’re reducing the risk window,” Digumarthi says. “From vulnerability discovery to patch deployment, we’re closing the gap—without disrupting users.”
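The compliance-window figures quoted above (share of enrolled devices compliant within 24 hours and five days of Patch Tuesday, and time to 95%) are the metrics an admin would track for any patch rollout. This added example, which is not Microsoft Digital’s or the Windows team’s tooling, computes them from a constructed set of device patch timestamps; Patch Tuesday is derived as the second Tuesday of the month, and the 17:00 UTC release time and the sample fleet are assumptions.

```python
from __future__ import annotations

from datetime import date, datetime, timedelta

# Constructed assumption: treat the monthly cumulative update as available from
# 17:00 UTC on Patch Tuesday. Adjust to the release time observed in your tenant.
RELEASE_HOUR_UTC = 17


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month, when the cumulative security update ships."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def release_time(year: int, month: int) -> datetime:
    """Timestamp from which the month's exposure window is measured."""
    pt = patch_tuesday(year, month)
    return datetime(pt.year, pt.month, pt.day, RELEASE_HOUR_UTC)


def share_compliant(records: dict[str, datetime | None],
                    release: datetime, window_hours: float) -> float:
    """Fraction of ALL enrolled devices patched within `window_hours` of release.

    The denominator is every enrolled device: a device with no install
    timestamp (None), or one whose timestamp predates this release (it only
    has last month's update), counts as non-compliant.
    """
    deadline = release + timedelta(hours=window_hours)
    patched = sum(1 for t in records.values()
                  if t is not None and release <= t <= deadline)
    return patched / len(records)


def time_to_target(records: dict[str, datetime | None],
                   release: datetime, target: float) -> float | None:
    """Hours after release until `target` (e.g. 0.95) of the fleet is compliant,
    or None if the fleet never reaches it in the observed data."""
    installs = sorted(t for t in records.values() if t is not None and t >= release)
    for n, t in enumerate(installs, start=1):
        if n / len(records) >= target:
            return (t - release).total_seconds() / 3600
    return None


def exposure_report(records: dict[str, datetime | None], release: datetime) -> dict:
    """The three figures discussed in the text: 24-hour share, 5-day share, time to 95%."""
    return {
        "within_24h": share_compliant(records, release, 24),
        "within_5d": share_compliant(records, release, 5 * 24),
        "time_to_95pct_hours": time_to_target(records, release, 0.95),
    }


# Constructed sample fleet of 20 devices: hours after release at which each
# device reported the update installed; None means it never did.
_HOURS = [0.5, 1, 1.5, 2, 3, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 23,
          36, 100, 400, None]
SAMPLE_RELEASE = release_time(2025, 10)  # Tue 14 Oct 2025, 17:00 UTC
SAMPLE_RECORDS = {
    f"device-{i:02d}": (None if h is None else SAMPLE_RELEASE + timedelta(hours=h))
    for i, h in enumerate(_HOURS, start=1)
}

if __name__ == "__main__":
    # One device never installs, so 95% is reached only when the 400-hour
    # straggler lands, and 100% is never reached: the denominator is the fleet.
    for key, value in exposure_report(SAMPLE_RECORDS, SAMPLE_RELEASE).items():
        print(f"{key}: {value}")
```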

And it’s not just internal. Since general availability in April, Hotpatch has scaled to over 4.5 million devices globally. That growth shows trust and momentum.

It also shows value. Admins spend less time chasing updates. End users stay productive. And security teams get the compliance they need—without the friction.

“Hotpatching eliminates the trade-off between security and productivity,” Deshpande says. “You don’t have to choose anymore.”

Improving the user experience

Hotpatching doesn’t just improve security—it transforms the user experience.

For end users, it’s invisible.

Updates happen in the background.

No pop-ups. No restarts. No performance hits.

“It’s so seamless,” Geissa says. “There’s no bubble. No prompt. It just works.”

Even the first few times, users might see a green banner letting them know they’ve been hotpatched.

It’s subtle. It’s clean.

It’s so effective that it’s become a kind of badge among Microsoft insiders.

“It’s really helpful as an end user—I feel more secure,” says Senthil Selvaraj, a principal group product manager at Microsoft Digital. “I don’t need to keep checking and making sure my device is up to date. It just is.”

That’s the magic.

Hotpatching doesn’t interrupt work—it protects it.

It helps other systems stay current too. When the OS is secure, dependent apps and services can update more reliably. That ripple effect improves the overall health of the device.

Admins also see the benefits. Intune reporting shows which devices are ready, which have updated, and which need attention. That visibility helps IT teams track compliance without chasing down machines or relying on manual checks.

For enterprises, it means fewer help desk calls. Fewer complaints. Fewer delays.

Looking forward

Hotpatching is just getting started.

At Microsoft Digital, we’re expanding from 100K to 450K devices in the next four months. That’s nearly every eligible device in our fleet.

Externally, adoption is accelerating. We’ve gone from zero to almost 4.5 million devices since private preview in November 2024. That includes Microsoft and customer fleets, and the number keeps growing.

But scale is just the beginning.

The product team is exploring ways to improve compliance visibility—giving admins deeper insights into patch status, readiness, and impact. That means better reporting, smarter dashboards, and tighter integration with compliance tools.

We’re also working to make adoption easier.

Documentation is improving, Intune reporting is evolving, and we’re building clearer guidance for customers to validate their environments, understand their risk posture, and deploy Hotpatch confidently.

The vision is simple: secure every device, without disruption.

Key takeaways

Here are several key actions you can take to successfully implement Windows Hotpatch in your organization:

  • Check your eligibility and prerequisites. Understand your eligibility and set up the prerequisites in your environment to be hotpatch-capable.
  • Monitor devices and report compliance. Use Intune and other reporting tools to track device readiness, update status, and compliance, even for unmanaged environments.
  • Communicate the benefits to users. Inform users that hotpatching maintains their ability to reboot while enhancing device security with minimal disruption.
  • Deliver a seamless update experience. Emphasize the uninterrupted, restart-free, and performance-neutral nature of updates for users.


Transforming our approach to patch management at Microsoft
http://approjects.co.za/?big=insidetrack/blog/transforming-our-approach-to-patch-management-at-microsoft/ (Thu, 15 May 2025)

Computer security updates, commonly referred to as “patches,” are a crucial aspect of the IT operations of every large organization today. As a global software company with more than 230,000 employees worldwide, we at Microsoft are no different.

Like most aspects of our IT services journey, our security and patch management story is deeply connected with cloud computing, automation, and, most recently, AI technology. It’s a story that embraces continuous improvement and innovations that are saving our IT admins and users time and hassle while deterring attacks and enhancing security across the organization.

With the development of services like Windows Update client policies (formerly known as Windows Update for Business), Azure Update Manager, and Intune Enterprise Application Management, we’re leading the way in offering best-of-breed security solutions that help organizations stay compliant and safe in an increasingly perilous digital world.

The growing threat landscape

As the developer and provider of Windows, Microsoft 365, Microsoft Azure cloud services, and other widely used software technologies, we’re in a unique position to influence and protect the computer systems used by billions of people around the world. And these systems have never been under greater threat by bad actors and cybercriminals than they are today.

“Our customers face more than 600 million cybercriminal and nation-state attacks every day, ranging from ransomware to phishing to identity attacks,” states our 2024 Digital Defense Report. “Microsoft’s unique, expansive, and global vantage point gives us unprecedented insight into key trends in cybersecurity affecting everyone from individuals to nations.”

The report also notes that we’ve made digital security our top corporate priority, with more than 34,000 dedicated security engineers across the company.

“The malign actors of the world are becoming better resourced and better prepared, with increasingly sophisticated tactics, techniques, and tools that challenge even the world’s best cybersecurity defenders,” Tom Burt, corporate vice president of customer security and trust, says in the report. “We all can, and must, do better, hardening our digital domains to protect our networks, data, and people at all levels.”

With such an unprecedented number of threats, one of our major priorities at Microsoft Digital, the company’s IT organization, is making sure our global network infrastructure and the more than 750,000 devices accessing our network are always up to date and compliant with the latest software patches. As Customer Zero for our software products, we strive to remain on the cutting edge of the latest cybersecurity innovations. That means taking advantage of the latest Microsoft tools and processes on server-side and client-side patching.

The world as it was: On-premises IT and manual updates

A decade or so ago, much of the world’s computer networks were still being run primarily via on-premises servers and other onsite hardware. Maintaining these systems mostly relied on manual updates by IT administrators, which was a huge drain on time and resources.

“Our patch-management systems back then included Microsoft System Center Configuration Manager (SCCM) and Windows Server Update Services,” says Senthil Selvaraj, a principal group project manager at Microsoft Digital. “We were doing everything on-premises, managed within the Microsoft tenant onsite.”

Patching product history at Microsoft

Patch management product timeline from 2018 to 2024, including WUFB, .Net core integration with Windows update, WUFB Deployment Service, Visual Studio integration with Windows Update, Autopatch, Intune Driver and Firmware updates, Hotpatch, and Enterprise Application Management.
A wave of new tools has transformed our approach to patch management in the last several years.

This meant that simply downloading and installing the routine security patches that were released each month was a major task for the company’s thousands of IT admins.

“The admins used to have to download the updates, validate them, approve them, and then push them out to devices,” says Harshitha Digumarthi, a senior product manager with Microsoft Digital. “It used to take a considerable amount of time each month for these processes. There was no proper automation in place.”

As the IT world shifted to cloud solutions and more modern software management approaches, the patching process needed to shift with it, Selvaraj notes.

“As we moved everything to the cloud, we leveraged modern Microsoft tools such as Intune, OneDrive for Business, SharePoint, etc.,” he says. “And we were also helping our customers move through that process as well. This is in keeping with the overall Microsoft vision of continuous improvement.”

The journey to modern patch management on Windows

In 2018, we introduced Windows Update for Business (WUFB), a major milestone on the patch management migration journey. The service is now called Windows Update client policies.

Of course, like any story of technological progress, nothing happens overnight or in a straight line. As Digumarthi explains, we in Microsoft Digital went through a patch management transition phase, marked by a hybrid systems approach.

“We didn’t immediately shift everything from SCCM to Windows Update for Business and Microsoft Intune,” she says. “There is a transitionary stage—known as hybrid AD—where the client devices still have SCCM on them, with Intune running parallel on those devices.”

WUFB ushered in a more efficient and modern approach to patch management.

“It’s an automated, intelligent service which can identify what updates the device needs, find the applicable updates, and automatically push those updates onto the devices,” Digumarthi says.

She notes that IT admins at other organizations might push these updates out to their devices in phases, often called deployment rings. But at Microsoft, we do them all at once for the entire company, in a program popularly called Patch Tuesday.

“We have established programs to pre-validate updates, allowing us to deploy them automatically and simultaneously across all devices, significantly accelerating compliance,” Digumarthi says.

This control is enabled through Windows Update policies, which allow administrators to manage key actions such as reboot timing. As a result, vulnerabilities are addressed quickly, and all devices are brought into compliance with the latest secure Windows updates.

After establishing a more efficient approach to Windows security patching, we rolled out WUFB Deployment Services in 2021. This process, which brought similar gains in efficiency and automation, handles new Windows features, which are typically released on six-month cycles.

According to Digumarthi, a major challenge to patch management for Windows is the number of different update streams that must be kept current, including the .NET Framework, .NET Core, Visual Studio, Visual Studio Code, SQL, and more. Over the last few years, we have developed a unified internal-to-Microsoft patching solution to handle all of these various updates.

“These are extremely different streams, so we’ve worked closely with these product groups to bring them all into one update, which we call the unified update,” Digumarthi says. “This way, the IT admin doesn’t need to deploy all these different updates individually. It’s also completely automated, so it’s much easier for both admins and users to stay up to date and compliant. It’s a huge achievement.”

Other important patch automation issues are firmware and driver updates. These updates used to be deployed manually by admins every month, but that changed in 2024.

“We now have a new feature, in partnership with Windows and the Intune team, called the Intune Driver and Firmware updates,” Digumarthi says. “It gives admins a portal where they can simply click a button and approve whatever the latest firmware and driver updates are; no need to manually download, package, and deploy the updates. It’s easier for them to understand, and we’ve seen great patch compliance improvement in this area.”

Patch management on the server side

While Windows Update client policies handle the client-side updates for the more than 750,000 devices on our corporate network, we also needed a modern solution for patch management on our roughly 50,000 network servers.

Keeping network servers compliant with the latest security updates is extremely important.

“We must proactively safeguard our development environments,” says Humberto Arias, senior product manager in Microsoft Digital. “When vulnerabilities are exploited by malicious actors, even a single compromised bug can cascade rapidly, potentially impacting millions of users. Anticipating and mitigating these risks early is essential to maintaining trust and security.”

The solution is Azure Update Manager (AUM), a product that enables network administrators to deploy and manage all their server security update packages in one stream. AUM also supports hybrid (on-premises and cloud) network environments, which is a competitive advantage.

 “A lot of customers like the flexibility and redundancy of multi-cloud environments,” Arias says. “AUM is our one-stop solution for patching all your servers, regardless of where they reside—on-premises, in the cloud, or in hybrid environments. It’s a great advantage of using AUM.”

Patching with Azure Update Manager

Azure Update Manager provides a dashboard view where IT admins can easily monitor the patching status of each machine in their network and access a log of every action taken on that server.

The challenge of patching non-Windows devices

Microsoft believes in empowering our employees to do their job on the device that works best for them (sometimes called Bring Your Own Device, or BYOD). But that policy opens up the challenge of making sure all those devices meet our security standards, including those running on the macOS, iOS, and Android platforms.

“People do a lot more work on their mobile devices than they used to; we have about 80,000 Android devices and about 150,000 iOS devices that our employees connect to our network with,” says John Philpott, a senior product manager in Microsoft Digital. “We need to make sure that all these devices have the latest OS security patches, or it puts our network at risk.”

The tricky part is that because Microsoft doesn’t make the operating systems, we can’t consistently manage the device environment or the patches themselves. Instead, the common approach in this situation is to make sure that employees know about the latest patches for their device and enforce compliance by controlling their access to the Microsoft corporate network. Getting employees to voluntarily keep their devices up to date is critically important.


“We want to make sure all the Microsoft apps are up to date on mobile, but we’re also making a big push to enforce third-party app patching as well. If someone exploits an app like Adobe Acrobat that can be a threat to our security, so we want users running the latest versions of all the major apps.”

John Philpott, senior product manager, Microsoft Digital

The frequency and requirements for installing the updates depends on the platform.

“For Android, how often your phone is updated varies, depending on the manufacturer and model; this makes developing a consistent patching experience a challenge,” Philpott says. “It’s a balancing act, but we’ve gradually tightened our patch requirements and are educating employees on the best Android devices to choose to meet patching requirements.”

Patch enforcement for Apple devices is much tighter, according to Philpott.

“If there’s a security threat, Apple will quickly make a patch available,” he says. “We have a standard process of enforcing compliance within 14 days. We tell our users that if they haven’t installed the update after 12 days, we’ll install the patch and enforce a reboot. If the device has not been patched after 14 days, we’ll remove their network access.”
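To make the 12-day and 14-day thresholds above concrete, here is an added PowerShell example (not code from the post or from Microsoft Digital) that classifies each device in a constructed inventory by where it sits in that enforcement window. The thresholds are the ones stated above; the device names, dates, and state labels are assumptions for the example, and a real deployment would feed the function from Intune compliance data rather than a hard-coded list.

```powershell
# Added example (not from the Inside Track post): evaluate where each mobile device
# sits in the patch compliance window described above (forced install at 12 days,
# network access removed at 14 days). The inventory below is constructed sample data.

function Get-PatchComplianceState {
    param(
        [Parameter(Mandatory)][datetime]$PatchReleased,   # date the vendor shipped the fix
        [Parameter(Mandatory)][bool]$Installed,           # device already reports the patched build
        [datetime]$AsOf = (Get-Date),
        [int]$ForceInstallAfterDays = 12,                 # from the post: forced install and reboot
        [int]$RevokeAccessAfterDays = 14                  # from the post: network access removed
    )
    if ($Installed) { return 'Compliant' }

    $ageDays = ($AsOf.Date - $PatchReleased.Date).Days
    if ($ageDays -ge $RevokeAccessAfterDays) { return 'AccessRevoked' }
    if ($ageDays -ge $ForceInstallAfterDays) { return 'ForceInstallAndReboot' }
    return "GracePeriod-$($RevokeAccessAfterDays - $ageDays)DaysLeft"
}

# Constructed inventory: hypothetical device names and patch dates, evaluated on a fixed day
$asOf = Get-Date '2024-06-14'
$inventory = @(
    [pscustomobject]@{ Device = 'ios-0001'; PatchReleased = '2024-06-01'; Installed = $true  }  # already patched
    [pscustomobject]@{ Device = 'ios-0002'; PatchReleased = '2024-06-10'; Installed = $false }  # 4 days old
    [pscustomobject]@{ Device = 'ios-0003'; PatchReleased = '2024-06-01'; Installed = $false }  # 13 days old
    [pscustomobject]@{ Device = 'ios-0004'; PatchReleased = '2024-05-28'; Installed = $false }  # 17 days old
)

$report = foreach ($d in $inventory) {
    $released = Get-Date $d.PatchReleased
    [pscustomobject]@{
        Device       = $d.Device
        PatchAgeDays = ($asOf.Date - $released.Date).Days
        State        = Get-PatchComplianceState -PatchReleased $released -Installed $d.Installed -AsOf $asOf
    }
}
$report | Format-Table -AutoSize
```

With the constructed dates, ios-0002 still has ten days of grace, ios-0003 is in the forced-install window, and ios-0004 has passed the 14-day cutoff and would lose network access; the function is the piece you would swap in wherever the device's last-patch data actually lives.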

The other area of mobile device patching that has received increased scrutiny in recent years is applications, both our first-party apps and third-party apps. We work closely with the Microsoft Intune product group to make sure that these apps are patched as frequently as possible.

“We do a lot of discussions with the Intune team about how we can enforce these updates,” Philpott says. “We want to make sure all the Microsoft apps are up to date on mobile, but we’re also making a big push to enforce third-party app patching as well. If someone exploits an app like Adobe Acrobat that can be a threat to our security, so we want users running the latest versions of all the major apps.”

Autopatch and hotpatching

Our patch management journey is one of helping develop solutions that automate security and feature updates as much as possible, reducing the strain on IT resources. As part of these efforts, we work closely with the Microsoft product groups as Customer Zero for their update offerings. One prominent step on this journey was the introduction of Windows Autopatch in 2022.

Windows Autopatch is a cloud service for enterprise customers that automates the updates to Windows, Microsoft 365, Microsoft Edge, and Microsoft Teams. It also offers greater control for patching different groups of devices on different schedules.

“Autopatch offers admins a single-pane view where they can manage the patches across their organization, from the same perspective,” says Katie Yao, a senior product manager on the Autopatch team. “And with Autopatch Groups, they can dynamically assign users to different groups, which gives them a lot of flexibility on how and when devices are updated.”

Another innovation that the Autopatch service offers is hotpatching. This feature helps IT teams keep devices secure without the usual disruption of monthly reboots. Security updates are applied immediately in the background. This means fewer interruptions for users and less coordination effort for admins—especially in environments where uptime is critical.


“Customers were telling us that rebooting all devices every month was too much in some cases. So, we’ve moved to a process where they get the updates every month, but they only need to reboot the machines once every three months. This way they get the latest security and feature updates, but they don’t need to reboot their devices as often.”

Katie Yao, senior product manager, Autopatch

For IT admins managing a large volume of devices, this is a big win. Hotpatching reduces the amount of time it takes to achieve security compliance across the whole environment, with no delays or deferrals.

“Customers were telling us that rebooting all devices every month was too much in some cases,” Yao explains. “So, we’ve moved to a process where they get the updates every month, but they only need to reboot the machines once every three months. This way they get the latest security and feature updates, but they don’t need to reboot their devices as often.”

The future of patch management

Our patch management story continues to evolve as we apply the latest tools and technologies to our processes at Microsoft Digital.


“AI tools are the next stage in our continuous improvement process for patch management. We’re currently working on a new solution called Device Care, which is a tool that leverages AI to monitor, predict, and resolve device and infrastructure issues for admins and employees.”

Senthil Selvaraj, principal group project manager, Microsoft Digital

We see great opportunities for industry-wide improvements, such as with application patching.

“The Intune Enterprise Application Management solution is a huge opportunity for us,” Selvaraj says. “Right now, there’s a gap in how applications are managed across large organizations—are they healthy? Are they vulnerable? Are they up to date? We hope that this solution will address these needs.”

Of course, just as with many aspects of today’s software development, the future of patching will be greatly impacted by AI innovations.

“AI tools are the next stage in our continuous improvement process for patch management,” Selvaraj notes. “We’re currently working on a new solution called Device Care, which is a tool that leverages AI to monitor, predict, and resolve device and infrastructure issues for admins and employees. Another AI tool in this space is Microsoft Security Copilot, which helps with daily security operations.”

And as the computer security landscape evolves, with more frequent and more sophisticated attacks coming every day, we’ll continue to refine and develop our patching tools and strategies. It’s the only way to ensure that our networks and devices—and those of our customers—remain as secure as possible.

Key takeaways

Here are some tips to help guide your own organization’s patch management approach:

  • Stay alert to risk. The rapidly increasing size and scale of the cybersecurity threat landscape has intensified the need for more sophisticated patching solutions.
  • Educate your employees. Making sure that everyone in your organization is aware of the importance of keeping devices up to date with the latest patches is a key part of your overall security strategy.
  • Save time and resources with automated updates. Windows Update client policies (formerly WUFB) offers automated patching, which can greatly reduce the amount of time your IT admins must spend identifying, configuring, and deploying updates.
  • Update your infrastructure where it lives. Azure Update Manager provides a powerful, flexible patching solution that works for on-cloud, on-premises, and hybrid network infrastructures.
  • Adapt to a flexible device environment. Mobile-device patching can be a complex challenge, especially if your organization embraces a Bring Your Own Device philosophy. Services like Microsoft Intune can ensure that devices are well-managed and kept up to date on the latest security fixes.
  • Maintain availability. If you have critical servers and devices that you don’t want to reboot every month, consider a hotpatching approach that keeps your devices updated without rebooting.
  • Take advantage of intelligent patching solutions. AI advances promise even greater innovation to come in the patching space, including services like Microsoft Device Care, Security Copilot, and Enterprise Application Management.

AI in action: Unpacking our internal journey with Windows 11 and Copilot+ PCs
http://approjects.co.za/?big=insidetrack/blog/ai-in-action-unpacking-our-internal-journey-with-windows-11-and-copilot-pcs/
Wed, 20 Nov 2024 17:00:00 +0000

The post AI in action: Unpacking our internal journey with Windows 11 and Copilot+ PCs appeared first on Inside Track Blog.

At Microsoft, Windows 11 has been powering the 225,000 devices our employees and vendors use to do their work since it was released in the fall of 2021. Since then, the addition of many new features and the integration of AI have made it even more useful to us.

Like other enterprises, we’re benefitting from how AI is being woven into every part of the technology sector, including Windows. We’re using Copilot+ PCs, Microsoft 365 Copilot, and the broad range of AI-powered tools and features in use across the company to get more out of our longtime, signature operating system today, while also preparing for how it will continue to power everything we do in the future.

According to our 2024 Work Trend Index (WTI) annual report, 79% of US business leaders believe their company needs to adopt AI to remain competitive. Yet, the numbers suggest that those that are just now starting to get ready for AI are already behind. Users say AI is saving them time now (90%), allowing them to focus on their work (85%), be more creative (84%), and enjoy their work more (83%).

The AI era is already here, and organizations must seize every opportunity to catch up and get ready for the future.

At Microsoft Digital, our internal IT organization, we’re harnessing Windows 11 and Copilot+ PCs to give our business and our employees a foundation to build on for future developments in AI. AI interactions are happening at the desktop, in the browser, across apps, and, with Windows 11 and Copilot+ PCs, right in the local operating system.

With Windows 10 end-of-support approaching in October 2025, every organization needs to assess their PC inventory and create a plan to move forward. Outdated PCs put users and businesses at risk, and the security and functionality updates that come with Windows 11 provide the best protection and productivity for Microsoft customers.

Learning from our own deployment of Windows 11

Harshitha Digumarthi (left), Markus Gonis, Yulia Evgrafova (not pictured), and Pandurang Savagur (not pictured) are part of our team harnessing Windows 11 and Copilot+ PCs as our foundation for AI at work.

Our own first internal rollout of Windows 11 was the smoothest and quickest operating system upgrade in the history of the company. During the key phase of the rollout, we deployed Windows 11 to more than 190,000 devices in five weeks.

Starting small and growing from there is an essential part of the way we deploy any solution or tool, Windows 11 included.

“We followed a ring-based approach, which is pretty typical,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital. “The initial feature testing happened with a small group of Microsoft Digital users who were close to the feature sets and understood their key implications.”

The testing team subjected Windows 11 to an initial test process to ensure it met our organization’s internal standards, the same standards that we apply to any new software or solution, whether it was developed by Microsoft or by another provider.

Following initial testing, we deployed Windows 11 to a small, specifically selected proof of concept group to ensure that its overall functionality met our expectations and requirements. Pilot-testing followed, and then full implementation. This phased approach ensured that any potential issues were identified and addressed early, and that we could perform the majority of the deployment with few issues.
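The ring-based approach described here, and the deployment rings mentioned in the patch management post earlier on this page, can be made concrete with a small PowerShell example. This is an added illustration, not code from the post or from Microsoft Digital: it assigns devices to rings deterministically from a hash of the device id, so membership is stable without a lookup table, and applies a simple promotion gate before the next ring starts. The ring sizes (1%, 5%, 20%, then everyone), the 1% incident threshold, the minimum sample size, and the device names are all assumptions.

```powershell
# Added example (not from the Inside Track post): deterministic ring assignment for a
# phased rollout plus a gate that decides whether the next ring may start. Ring sizes,
# incident threshold and minimum sample are assumptions; the fleet is constructed data.

function Get-DeploymentRing {
    param(
        [Parameter(Mandatory)][string]$DeviceId,
        # Cumulative percentage of the fleet covered by the end of each ring (assumed)
        [int[]]$RingCeilings = @(1, 5, 20, 100)
    )
    # Hash the device id so the same device always lands in the same ring;
    # the first two bytes of the digest give a 0..99 bucket.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($DeviceId))
    } finally { $sha.Dispose() }
    $bucket = [System.BitConverter]::ToUInt16($bytes, 0) % 100

    for ($ring = 0; $ring -lt $RingCeilings.Count; $ring++) {
        if ($bucket -lt $RingCeilings[$ring]) { return $ring }
    }
    return $RingCeilings.Count - 1
}

function Test-RingGate {
    param(
        [Parameter(Mandatory)][int]$DevicesUpdated,
        [Parameter(Mandatory)][int]$IncidentsReported,
        [double]$MaxIncidentRate = 0.01,   # assumed: hold if more than 1% of updated devices raised an incident
        [int]$MinimumSample = 50           # assumed: never promote on too few results
    )
    if ($DevicesUpdated -lt $MinimumSample) { return $false }
    return ($IncidentsReported / $DevicesUpdated) -le $MaxIncidentRate
}

# Constructed fleet of hypothetical device names
$fleet = 1..2000 | ForEach-Object { 'PC-{0:D5}' -f $_ }
$byRing = $fleet | Group-Object { Get-DeploymentRing -DeviceId $_ } | Sort-Object Name
$byRing | Select-Object @{ n = 'Ring'; e = { $_.Name } }, Count | Format-Table -AutoSize

# Gate check on constructed telemetry from ring 0: 180 devices updated, 1 incident
if (Test-RingGate -DevicesUpdated 180 -IncidentsReported 1) {
    'Ring 0 is healthy: promote to ring 1'
} else {
    'Hold: ring 0 gate not met'
}
```

Because the ring comes from a hash rather than a stored assignment, adding devices later does not reshuffle the existing population, and the same id always reproduces the same ring on every admin workstation; the gate is deliberately simple, and a production version would pull the incident count from the support system rather than take it as a parameter.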

“We had a minimal number of standard incidents, and no major incidents reported through support channels directly related to the Windows 11 update nor the deployment itself,” Gonis says. “Despite the complexities of hardware eligibility and app compatibility with a new operating system being a typical challenge, we were able to execute the deployment with minimal disruption.”

Moving forward with deploying subsequent versions of Windows 11, we have refined the deployment process to include many more devices, now exceeding 225,000 with the 24H2 update, both by having users update their devices on their own and through pushed deployment.

Improving deployment with Windows Autopatch

The deployment process used several new features, including Windows Autopatch (which now includes Windows Update for Business).

“Windows Autopatch has been a game-changer for us,” says Harshitha Digumarthi, a senior product manager at Microsoft Digital. “It allows us to manage our updates more effectively and to ensure our devices are running the latest and most secure versions of Windows.”

Digumarthi’s team used Windows Autopatch to manage and control Windows 11 updates throughout the deployment. By using device group membership and a few deployment parameters, they had full control over when and how they deployed major updates to the entire organization. This approach allowed for a more streamlined and efficient update process, ensuring our devices received the updates without causing disruptions.

The team also integrated Windows Autopatch into the deployment process to further enhance the efficiency of updates. This feature keeps our devices patched and up to date, reducing the need for manual intervention as it reinforces our security posture and Zero Trust strategy.

Deploying Windows 11 with security and compliance

Feature testing, especially new features included in later builds, is an important part of the ongoing security and compliance practices at Microsoft Digital.

“When a new feature comes out, we need to ensure that we can deploy and govern it securely,” says Yulia Evgrafova, a principal security engineer with Microsoft Digital. Her team helps to ensure new features are ready for enterprise deployment at Microsoft.

Evgrafova points out the extra responsibility and privilege that comes with testing Microsoft products.

“With Windows 11, it’s a Microsoft product, but we’re also using that product as a customer,” Evgrafova says. “We call ourselves Customer Zero.”

Our Customer Zero relationship at Microsoft is a special one.

We in Microsoft Digital usually adopt products like Windows 11 before any other customer. Then, as part of the relationship, we test, use, and offer feedback on the product. It’s an internal feedback mechanism that we use for most of our products, and it leads to better, more complete products that are enterprise tested and enterprise ready.

“Our feature testing is comprehensive,” Evgrafova says. “We start with the basics: what is the scope of this feature and what’s the enterprise readiness of this feature for the rollout? Our goal is to understand not only the immediate risks that a feature might pose, but also the potential risks of that feature as it matures.”

However, deploying Windows 11 wasn’t simply testing and upgrading the operating system on existing hardware.

Windows 11 has specific hardware requirements, which meant not every device at Microsoft would be part of the deployment. Most of our devices were eligible, but communicating hardware requirements was an early step.

“Communicating with our employees about the requirements and how we would handle new devices was important,” Gonis says. “Since Windows 10 and Windows 11 can be managed side-by-side with no additional overhead, we could co-manage both upgraded and non-upgraded devices until all the older Windows 10 devices were replaced.”

Replacing Windows 10 devices with new hardware created an opportunity for us to examine our hardware refresh policy, assess the hardware options, and finally make Copilot+ PCs our device refresh of choice.

Turning to Copilot+ PCs

Integrating Copilot+ PCs into the mix was a very natural next step for us.

“Copilot+ PCs were the obvious choice to replace unsupported Windows 10 hardware,” says Pandurang Savagur, a senior product manager with Microsoft Digital. “Copilot+ PCs bring an entirely new level of hardware support and acceleration of Windows 11 capabilities, in AI and beyond.”

Copilot+ PCs offer a new hardware feature set that goes beyond the traditional PC. Those features are headlined by the neural processing unit (NPU) present in every Copilot+ PC.

Neural Processing Units (NPUs) have become a crucial component in modern computing, especially with the advent of AI-driven applications. Initially, devices like the Microsoft Surface Laptop Studio 2 were introduced with NPUs primarily for Windows Studio effects. These NPUs offloaded processing tasks from the CPU, enhancing device performance and battery life.

With the introduction of Copilot+ PCs, the role of NPUs has expanded significantly. Copilot+ PCs can run AI features and processing locally on the device, using the NPU. The NPUs in these devices enable faster and more efficient on-device AI processing (they support over 40 TOPS, which means they can perform more than 40 trillion operations per second). For instance, tasks like natural language translation and generative AI features can be processed locally, reducing the need for cloud-based processing and accelerating processing times.

Built-in features that support NPU offloading are coming to Windows 11, including improved Windows search, across local and cloud-based files. With improved Windows search, Windows 11 will be able to use NPU-powered search capabilities to understand the context of each file, including contents, and return more accurate and complete results.

There is now no need to remember file names, settings locations, or even worry about spelling; just type your thoughts to find what you need on a Copilot+ PC. You can even locate photos in OneDrive by describing their content in the same way. With the over 40 TOPS NPU in Copilot+ PCs, it works even when you’re not connected to the internet. Improved search will initially be available in File Explorer and will later extend to Windows Search and Windows Settings. This means searches in Windows 11 for files will become faster and more intelligent.

Copilot+ PCs also will make Microsoft 365 Copilot better. Microsoft 365 apps will soon be able to use the NPU for AI-based tasks, so the same Microsoft 365 Copilot capabilities that work in the cloud also will be available offline and with lower latency.

This also happens in apps that might surprise you. For example, Microsoft Teams has several AI-based features including face tracking and voice isolation that can use the NPU directly, freeing up CPU resources, increasing performance, and improving battery life.

Boosting ARM-based Windows 11 mobility

We’ve found significant performance improvements from NPU integration, especially from ARM Copilot+ PCs. The reduction in CPU usage has provided significantly better overall performance across Windows 11. Many of our users with ARM-based Windows 11 devices are reporting battery life exceeding 20-22 hours of active usage.

Other benefits of the ARM-based Windows 11 Copilot+ PCs include cellular data connection, providing continuous network connectivity for a new generation of ultra mobile Windows laptops. ARM-based Windows 11 devices also support instant-on power capability, just like your mobile phone or tablet.

Our employees are seeing huge benefits.

“Windows 11 Copilot+ PCs have been a huge difference-maker for our employees,” Gonis says. “Their laptops have become truly mobile devices, and it changes how they use them and where they can take them.”

The deployment of Copilot+ PCs has also highlighted the importance of app compatibility. While many apps that we use run natively on ARM-based devices—including Microsoft 365 and a large percentage of our first party apps—some still use x64 emulation. We’re working to achieve 100 percent compatibility by the end of 2025, ensuring that all our tools can fully take advantage of the capabilities of NPUs and the ARM platform.

It’s a bright future for hybrid AI, and we’re ready for it with Windows 11 Copilot+ PCs.

Looking forward

We’re continually evaluating and implementing new Windows 11 features as they come available in each release. We’re currently testing hotpatching in Windows 11 to allow updates without system reboots. We aim to reduce the number of required reboots to one per quarter, improving efficiency and maintaining system stability.

We’re also testing the Recall experience. Recall creates an explorable timeline of a Windows 11 PC’s past using snapshots and natural language queries. It helps users find past content on their PC by responding to natural language prompts with images, text, or even the exact location of the item you’re searching for.

Of course, we’re excited about the next generation of Copilot+ PCs and the hardware and software improvements coming to Windows 11. As AI continues its rapid evolution, we’ll be working alongside the Windows 11 team to bring advancements in productivity, accessibility, and security.

We believe that hybrid AI is the future and Windows 11 with Copilot+ PCs is the platform that will support it.

Key Takeaways

Here are some tips on getting started evolving your Windows ecosystem with Copilot+ PCs:

  • Adopt Copilot+ PCs as the hardware platform of choice for Windows 11 devices.
  • Explore the enhanced performance and battery life of ARM-based Windows 11 Copilot+ PCs.
  • Use Windows Autopatch to manage your Windows 11 deployment.
  • Consider the benefits of upcoming Windows 11 features, such as Hotpatch for Windows and Recall for improved efficiency and user experience.

 

The post AI in action: Unpacking our internal journey with Windows 11 and Copilot+ PCs appeared first on Inside Track Blog.

Providing employees with virtual loaner devices with Windows 365
http://approjects.co.za/?big=insidetrack/blog/providing-employees-with-virtual-loaner-devices-with-windows-365/
Thu, 05 Sep 2024 15:00:00 +0000

The post Providing employees with virtual loaner devices with Windows 365 appeared first on Inside Track Blog.

Watch the video below to see Dave Rodriguez interview Trent Berghofer about how we use the Windows 365 Cloud PC platform to provide our employees with virtual loaner PCs when they need a backup machine to keep working.

Rodriguez is a principal product manager on the Frictionless Devices team in Microsoft Digital, the company’s IT organization. He talks with Berghofer about using the Windows 365 Cloud PC platform to provide employees with a low-touch, personalized, secure Windows experience hosted on Microsoft Azure.

“With Windows 365 Cloud PC, we’ve been able to accelerate our digital-first support model for hybrid employees and de-emphasize our reliance on walk-up, in-person support at the on-site service locations,” says Berghofer, general manager of Field IT Management and leader of the Support team in Microsoft Digital.

Issuing Cloud PCs to our employees allows them to return to productivity on a machine they already own or have on their person, because we don’t have to send them physical backup machines. This gets them back to work faster and reduces our costs.

Watch this video to see Trent Berghofer (left) and Dave Rodriguez (right) discuss how we’re using Windows 365 to provide our employees with virtual loaner PCs when they need backup machines to keep working. (For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=TLKeaiOWxds.)

Unlocking employee self-service with Windows 365 Cloud PCs at Microsoft
http://approjects.co.za/?big=insidetrack/blog/unlocking-employee-self-service-with-windows-365-cloud-pcs-at-microsoft/
Thu, 25 Jan 2024 17:00:26 +0000

The post Unlocking employee self-service with Windows 365 Cloud PCs at Microsoft appeared first on Inside Track Blog.

Windows 365 is driving the next evolution of desktop virtualization by combining the power and security of the Microsoft Cloud with the versatility and simplicity of the PC.

Windows 365 Cloud PCs let you securely stream your Windows experience, including your personalized apps, content, and settings, from the Microsoft Cloud. Employees can access their personalized Cloud PC on any device.

At Microsoft Digital (MSD), the organization that supports, protects, and empowers Microsoft employees through technology, we’re discovering new and innovative ways we can use Windows 365 to improve the daily lives of employees across Microsoft.

“We see ourselves as the real Customer Zero,” says Carl McBain, director of IT service management for MSD. “So, we’re always looking for opportunities to use new Microsoft products and services as an internal support organization.”

For us, two key self-service use cases are emerging as big winners when it comes to deploying Windows 365 Cloud PCs:

  • Our Techlink device loaner program provides temporary Cloud PCs when employees’ physical hardware is under repair.
  • An alternative option for when employees replace their physical PCs as part of the device refresh cycle.


With Windows 365, we have SaaS-ifed the power of Windows. Cloud PCs give organizations the benefit of elasticity across multiple dimensions—scale, power, security and flexibility.

—Scott Manchester, vice president, Windows Cloud products

An elastic PC that unlocks scale and flexibility

By securely streaming the Windows experience from the Microsoft Cloud to any device, Windows 365 unlocks flexibility, scalability, and ease of management while simplifying PC provisioning—regardless of an IT admin’s experience with virtualization.

Windows 365 is great for serving an immediate need for a dedicated PC. Employees can have a dedicated Cloud PC with all their Microsoft 365 apps ready to go, and if they’re an existing employee, their OneDrive data automatically syncs to the device, similar to how we provision a physical PC with Autopilot.

—Dave Rodriguez, principal product manager Frictionless Devices team, Microsoft Digital

“With Windows 365, we have SaaS-ifed the power of Windows,” says Scott Manchester, vice president of Windows Cloud products. “Cloud PCs give organizations the benefit of elasticity across multiple dimensions—scale, power, security and flexibility.”

That’s especially useful in hybrid work environments or settings where users have diverse or shifting device needs. Think contractors and interns, customer-facing agents moving from kiosk to kiosk, or frequent travelers.

In Microsoft Digital, we’re able to use Windows 365 Cloud PCs to quickly help our employees get up and running again when their primary PC stops working.

“Windows 365 is great for serving an immediate need for a dedicated PC,” says Dave Rodriguez, principal product manager on the Frictionless Devices team in MSD. “Employees can have a dedicated Cloud PC with all their Microsoft 365 apps ready to go, and if they’re an existing employee, their OneDrive data automatically syncs to the device, similar to how we provision a physical PC with Autopilot.”

New approaches to PC provisioning for Microsoft employees

For us, Windows 365 doesn’t just simplify processes that have the potential for frustration and inefficiency. It also unlocks opportunities for self-service, giving employees the chance to choose the technology that meets their needs in the context that suits them best.

“From an operational standpoint, our goal is making things as simple as possible for our technicians and returning employees to productivity as soon as we can,” McBain says.

For our Techlink loaner program and device refresh alternative, we used the process automation capabilities of our ServiceNow enterprise installation to create a first-of-its-kind Windows 365 self-serve request solution. Cloud PCs are issued with the standard (non-administrator) Windows 365 user profile, and Microsoft Intune Endpoint Privilege Management handles the specific elevations those users still need, so the solution follows Zero Trust and least-privilege principles while also reducing operations overhead and improving user productivity.

Techlink loaner program

Like many processes, our Techlink reimaging, repair, and break-fix loaner services had to evolve rapidly because of COVID-19. Microsoft’s transition to a hybrid work model meant we needed to de-emphasize physical service locations and onsite, walk-up support.

The Windows Cloud product group and MSD partnered to present Windows 365 Cloud PCs as ideal alternatives to physical retrieval options like simplified Techlink dispatch locations or digital lockers. As a result, we launched Cloud PCs as a self-service request option within our IT service catalog and made 200 Windows 365 licenses available in our initial loaner pool.

When an employee experiences a device issue, they can initiate a service request within our standard Techlink support portal. The service request pushes them through a workflow that gathers all the necessary approvals and initiates Cloud PC provisioning. Less than an hour later, the employee receives access to a Windows 365 Cloud PC, allowing them to get to their personal files, apps, data, and settings from any device, whether it’s their own or a spare machine someone shares with them.

“Microsoft is a massive company with so many internal sites to access,” says Tony Bouker, solution delivery product manager for ServiceNow at Microsoft. “Self-service through our unified ServiceNow solution helps people find things more easily, and it also has the side effect of deflecting some requests that might otherwise come to MSD help desks.”

The result? Our Techlink support specialists save time by avoiding lengthy reimaging processes for physical loaner devices, and our employees get back to work faster.

Dave Rodriguez, Tony Bouker, Scott Manchester, and Carl McBain have worked together across Microsoft Digital and the Windows Cloud product team to implement our self-service PC provisioning solution.

Device refresh alternative

Providing Windows 365 Cloud PCs as an alternative to physical devices during the hardware refresh cycle follows a similar process, but it’s driven by different needs. Employees might love the layout or familiarity of their physical devices, but the hardware is outdated. More advanced users might want to pair their device’s local computing power with a Windows 365 Cloud PC that’s backed by Azure to boost productivity.

Whatever the reasons, accessing a Cloud PC from a device you already have instead of buying a new one can have a positive impact on both operations and cost savings.

When an employee discovers they’re eligible for a device refresh via their administrator or an automated invitation, they access our TechWeb service portal, where they learn about Windows 365. The portal directs them to a workflow where they can select the Cloud PC configuration and start the approval and provisioning process. After that process is complete, they’ll be provisioned with a new Cloud PC in less than an hour—a huge step up from the days or weeks getting a physical device replacement might take.

Linking self-service integration to PC provisioning simplicity

On our employee enablement journey, we’ve learned that choice and self-determination help drive effective self-service. So a tool like ServiceNow, which helps us realize the value of Windows 365 for employees quickly and painlessly, not only saves time and money but leads to better outcomes for employees.

“In our scenarios, the ServiceNow workflow launches after the employee makes their request through a questionnaire detailing parameters including device needs and region,” Bouker says. “We’ve configured the workflow to check things like Cloud PC eligibility before passing the request along to the employee’s approving manager and then to MSD for the provisioning stage.”

After the workflow, ServiceNow’s integration with tools like Microsoft Entra ID, Microsoft Intune, and Microsoft 365 security features makes deployment simple. The requesting employee gets placed in a Microsoft Entra ID group, and that triggers a provisioning workflow, including the creation of the Cloud PC, a final MSD review, and a notification to the Cloud PC recipient that they’re all set.
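The group-membership trigger described above, as an added example in PowerShell against the Microsoft Graph PowerShell SDK. This is not the post's ServiceNow automation: the group object ID, account names and loan period are placeholders, and the Graph scopes are the minimum this script itself needs rather than anything the post states.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users, Microsoft.Graph.Groups

# Added example (not the Inside Track post's ServiceNow automation). Group ID, UPNs and
# the loan period are placeholders; the scopes are the minimum this script needs.

function Connect-LoanerGraph {
    # Request only what Grant/Status/Revoke below use; run under a dedicated workload identity.
    Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.ReadWrite.All', 'CloudPC.Read.All' -NoWelcome
}

function Grant-LoanerCloudPC {
    param(
        [Parameter(Mandatory)] [string] $RequesterUpn,   # approved requester from the ticket
        [Parameter(Mandatory)] [string] $LoanerGroupId   # object ID of the group the provisioning policy targets (assumed)
    )
    $user = Get-MgUser -UserId $RequesterUpn -Property Id, UserPrincipalName, AccountEnabled
    if (-not $user.AccountEnabled) {
        throw "Refusing to provision a Cloud PC for disabled account $RequesterUpn"
    }
    # Idempotent: a retried or replayed ticket must neither fail nor double-add.
    $isMember = Get-MgGroupMember -GroupId $LoanerGroupId -All |
        Where-Object { $_.Id -eq $user.Id }
    if ($isMember) {
        Write-Host "$RequesterUpn is already in the loaner group; nothing to do."
    } else {
        New-MgGroupMember -GroupId $LoanerGroupId -DirectoryObjectId $user.Id
        Write-Host "Added $RequesterUpn; Windows 365 provisions the Cloud PC from the policy assigned to this group."
    }
    return $user.Id
}

function Get-LoanerCloudPCStatus {
    param([Parameter(Mandatory)] [string] $RequesterUpn)
    # Windows 365 management lives on the beta Graph endpoint; Invoke-MgGraphRequest avoids
    # depending on beta cmdlet names. Pages are walked and filtered client-side.
    $uri  = 'https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint/cloudPCs'
    $mine = @()
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $mine += @($page.value | Where-Object { $_.userPrincipalName -eq $RequesterUpn })
        $uri = $page.'@odata.nextLink'
    } while ($uri)
    # Typical lifecycle: provisioning -> provisioned; after reclaim: inGracePeriod -> deprovisioning.
    return $mine | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.managedDeviceName
            Status      = $_.status
            GraceEndsAt = $_.gracePeriodEndDateTime
        }
    }
}

function Revoke-LoanerCloudPC {
    param(
        [Parameter(Mandatory)] [string] $RequesterUpn,
        [Parameter(Mandatory)] [string] $LoanerGroupId
    )
    # Reclaim: group membership is what keeps the loaner alive. Removing it puts the
    # Cloud PC into Windows 365's grace period, after which it is deprovisioned and
    # the license returns to the loaner pool.
    $user = Get-MgUser -UserId $RequesterUpn -Property Id
    Remove-MgGroupMemberByRef -GroupId $LoanerGroupId -DirectoryObjectId $user.Id
    Write-Host "Removed $RequesterUpn from the loaner group; the Cloud PC enters its grace period."
}

# Usage (placeholder values), called from the post-approval step of the ticket workflow:
# Connect-LoanerGraph
# Grant-LoanerCloudPC     -RequesterUpn 'alice@contoso.com' -LoanerGroupId '00000000-0000-0000-0000-000000000000'
# Get-LoanerCloudPCStatus -RequesterUpn 'alice@contoso.com'
# Revoke-LoanerCloudPC    -RequesterUpn 'alice@contoso.com' -LoanerGroupId '00000000-0000-0000-0000-000000000000'
```

The reclaim path is the part a loaner program cannot skip: membership in the provisioning policy's group is what keeps the Cloud PC alive, so the ticket workflow should remove the member when the repaired device comes back. Otherwise loaner licenses leak and a stale endpoint with access to corporate data stays around for a user who no longer needs it. Run the script under a workload identity that holds only the scopes listed, not a global administrator account.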

Our self-service workflow for provisioning Windows 365 Cloud PCs, from intake to Cloud PC deployment.

“We built Windows 365 to integrate easily with traditional IT workflows, and we invest in APIs to ensure we can automate processes and deliver this IT service model effectively,” Manchester says. “It’s all about the simplicity of spinning Cloud PCs up and down so we can empower people who make device decisions but don’t have virtual desktop infrastructure (VDI) expertise.”

Many organizations don’t have Microsoft’s substantial IT resources or VDI experience. For those businesses, automating Windows 365 self-service Cloud PC provisioning through ServiceNow has enormous potential.

Accelerating the next phase of cloud transformation

Simplicity and value mean these kinds of programs are accelerating quickly. “Windows 365 is our fastest-growing new service in MSD, with over 200 percent growth this fiscal year,” Rodriguez says.

Within the Techlink loaner program, we’ve already reached our initial 200 Cloud PC loaner capacity, and demand remains high.

“We estimate that our support technicians are saving as many as three hours per request,” Rodriguez says. “And of course, with Cloud PCs spinning up within an hour of approval, our employees can get back to work much faster than ever before. That’s something everyone can get on board with.”

It’s about creating better experiences for our employees.

“It’s not just about making something IT loves,” Manchester says. “It’s about making something every employee loves.”

Key Takeaways

Here are some tips for getting started with Windows 365 at your company:

  • Evaluate potential use cases where Windows 365 could transform your organization, where flexibility and scalability are table stakes.
  • Use existing tools like Intune and Microsoft Entra ID to simplify desktop management and integrate with Windows 365 Cloud PCs.
  • Consider implementing a self-serve request solution to enable on-demand access to Windows 365 Cloud PCs, reducing IT admin overhead and enhancing user choice and flexibility.
  • Pilot, try the program out, and gather feedback as a gateway to general implementation.
  • Measure the benefits of using Cloud PCs for different use cases. Those include improved user productivity, reduced operations overhead, and improved device security.
  • Think through all the workflow permutations you might encounter to help capture edge cases and inefficiencies.
  • Use automation and Zero Trust principles to ensure you’re capturing the benefits of Cloud PCs securely.

Try it out

Sign up to try Windows 365 Cloud PCs: Share your info with us here if you’re an enterprise customer or sign up for a trial here if you’re a business customer.

The post Unlocking employee self-service with Windows 365 Cloud PCs at Microsoft appeared first on Inside Track Blog.

Internal search bookmarks boost productivity at Microsoft
http://approjects.co.za/?big=insidetrack/blog/internal-search-bookmarks-boost-productivity-at-microsoft/
Thu, 05 Oct 2023 16:00:27 +0000

Editor's note: We've republished this blog with a new companion video.

Search is part of our everyday life. It’s useful—we all know that—but how can you quantify that impact?

That was the challenge faced by Dodd Willingham, principal program manager and internal search administrator in Microsoft Digital. “There’s an obvious value, we can see that by the existence of Bing,” Willingham says. “But how do you put it in numbers?”

Lots of searches happen in a company, but when asked to demonstrate the business impact as part of justifying more investment, Willingham had an epiphany. He could use telemetry to make the argument for him.

Microsoft Search is unifying search for Microsoft 365 customers across Microsoft Outlook, Microsoft 365 apps on Windows, Microsoft OneDrive for Business, Microsoft SharePoint, and Microsoft Bing. More specifically, the Microsoft Search team strives to bring complete, company-wide results to each individual, no matter where they’re searching from. No longer should they need to search in separate products to ensure that they search all possible content.

Internally at Microsoft, this shift is proving to be very powerful.

“Employees no longer need to change platforms to get the results they’re looking for,” Willingham says. “They do a single search and get all the results they need.”

Within the company, Microsoft Digital manages the internal deployment of search across the company. “The purpose of active search administration is to deliver the most complete search results, with good relevancy and good quality,” Willingham says. “These improvements to search are helping us do that.”

One crucial way that Willingham and his team help deliver better search results is through corporate bookmarks that allow internal teams like Corporate Communications and Human Resources to select the top results employees get when they search specific sets of keywords.

These bookmarks aren’t the kind used to save your favorite sites—they’re curated results that search administrators can use to point people to content located someplace that can’t be indexed. They highlight authoritative sources of content, and ensure popular content is accessible.

And they’re fast.

“Bookmarks boost employee productivity because they get employees the right results very quickly,” Willingham says.

The business value of search

Including telemetry in the overall improvements to internal corporate searching—a feature built into Microsoft Enterprise SharePoint—allowed Willingham and his team to measure how much time employees spend on a search.

And what story is the data telling?

“We found that bookmarks net a direct benefit of 6,250 hours a month and 17,160 hours in indirect benefits,” Willingham says. “Combined, 23,410 hours of benefits are being realized each month.”

How did Willingham come to these numbers?

“Forty-five percent of all searches click on a bookmark,” Willingham says. That percentage is across the 1.6 million monthly searches that take place internally at Microsoft within Microsoft Bing and Microsoft SharePoint Enterprise Search.

Scaled to an enterprise level, the business value of bookmarks quickly became apparent.

“Conservatively, our basic measurement of search success was yielding results of 60 seconds per search using a bookmark versus an average of 115 seconds across all searches,” Willingham says. “That’s one whole minute of productivity re-captured for every bookmark-backed search.”

Multiplied across Microsoft’s population and search usage, that one minute of search time netted 6,250 hours a month in productivity. But it’s not just time gained from quick search results, it’s also about getting the right answers.

There’s a measurement based on telemetry of whether a search succeeded or failed to find useful content. Using that metric, Willingham found that a person who uses a bookmark appears to be successful 98 percent of the time. By contrast, searches without a bookmark average 72 percent for the same calculation.

“The absolute calculation [of search success] is kind of meaningless; what’s important is that it moved by a significant margin,” Willingham says. “It suggests that with bookmarks, more people find the content they need faster.”

Faster is a direct productivity gain. Getting the right content to the right person at the right time is an indirect benefit. But the biggest insight is that delivering these benefits only requires investing less than 300 hours per month, spread across several staff.

“In direct benefits, you’re gaining 6,000 hours at the cost of 300. When you include indirect, you can triple that,” Willingham says. “The return on investment is 2,000 percent, and that’s using conservative estimates.”

How Microsoft uses bookmarks

With new practices in hand and telemetry to chart impact, Willingham and his team set out to optimize using bookmarks in search.

“Over the course of three years, we took the volume of bookmarks from around 1,100 to a peak of 1,800,” he says. “We’re currently sitting at around 1,200.”

Bookmarks were already being used before Microsoft Search was rolled out.

“We didn’t do anything revolutionary, we just opened up the guidelines so that more bookmarks could be added when appropriate,” Willingham says. “We then tuned them based on actual usage so that only those being used were kept.”

The technology for bookmarks had previously been part of Microsoft SharePoint and Microsoft OneDrive, made visible in the employee portal for Microsoft SharePoint Enterprise, MSW. Bookmarks had a set of configuration rules and standards for what could and couldn’t be a bookmark, but that’s it.

Librarians from the Microsoft Library Services team create and manage the company’s search bookmarks.

Beck Keller, a member of Microsoft’s Enterprise Search team, spends a small part of her time updating bookmarks. (Photo by Beck Keller | Showcase)

“It’s a multifaceted role,” says Beck Keller, also a member of the Microsoft Digital Enterprise Search team. “My responsibilities as a librarian at the Microsoft Library are far broader—bookmarks are just a small part of my job. This doesn’t take up my entire work week.”

What does she do for search administration?

Every month, Keller pulls search query metrics and analyzes them for areas of interest that currently lack a bookmark or good naturalized results. From this analysis, Keller can update the enterprise bookmarks across Microsoft.

“Sometimes this means removing or changing bookmarks that don’t currently meet our standards,” Keller says. “I also review proposed bookmarks and offer guidance to Microsoft teams looking to create bookmarks for their own sites, outside of Enterprise Search.”

This is the administrative work Willingham is talking about—bookmarks can be added, removed, or updated with ease. But the impact can be bigger than recapturing lost productivity.

“A year ago, there were no searches for COVID-19,” Willingham says. “We now get hundreds and thousands of searches a month. We went from zero to around 200 [between October and February]. There was no way to surface relevant results about COVID-19 because there were so few of them.”

But this was the trait the administrative search team was looking for—how to get better and proactive insights on Microsoft Search. Informed by current events, the team sought to anticipate which results users would be looking for.

“We asked if there should be a bookmark for the right COVID-19 link,” Keller says.

Willingham and Keller reached out to Corporate Communications about where to direct Microsoft users searching for information on COVID-19. That team was putting together a landing page for employees dedicated to content on the topic, including a FAQ. The bookmark was quickly built and deployed.

This was February 2020.

“The next month, the volume of searches for COVID-19 went up 40-fold,” Willingham says. “Maybe users would have found the info on their own, but as search volume was growing, 8,000 times a month they would nearly always find what they were looking for quickly, thanks to the bookmark.”

That’s the main goal of a search administrator.

Bright future for bookmarks

So, what’s next for Microsoft Search and bookmarks?

“More telemetry,” Willingham says. “The custom telemetry that we created is something any customer can do. It’s a capability within SharePoint.”

Having even more metrics will also help to further quantify Willingham’s findings.

“We erred on the low side for our productivity numbers, but it shows what’s possible for a medium or large company.”

Both Willingham and Keller are excited to see others adopt bookmarks as a way of improving Microsoft Search.

“Bookmarks are easy to put in,” Keller says. “The owner of the content tells us what the URL is, and some basic info such as a preliminary title and description. We figure out the appropriate keywords, update the basic info where needed, and then say ‘Go.’”

It all adds up to a better experience for employees when they need to go looking for something.

“The same tools we use to optimize bookmarks are available to everyone,” Willingham says. “That’s why they’re so useful for productivity. When combined with telemetry, you can really gain some unexpected insights into the productivity of your organization.”

The post Internal search bookmarks boost productivity at Microsoft appeared first on Inside Track Blog.

Make it easy but secure: Our journey to frictionless device management at Microsoft
http://approjects.co.za/?big=insidetrack/blog/make-it-easy-but-secure-our-journey-to-frictionless-device-management-at-microsoft/
Wed, 12 Jul 2023 14:57:04 +0000

With more than 200,000 employees each utilizing a handful of work and personal devices to get work done, the device management landscape at Microsoft is immense, complicated, and fraught with security risk.

In short, the point at which our administrator responsibilities intersect with the experience our employees have with their devices has historically been full of friction.

For years, we at Microsoft have been transforming the way we manage devices across the company, a long road of work that has led to where we are today: our employees can access their information whenever and wherever they need it.

Senthil Selvaraj led our Frictionless Devices team through the modern transition in device management. He is a principal product manager.

Our continued shift towards empowering our employees to work anywhere enabled them to stay engaged and productive during the pandemic. Now that a new era of hybrid work has emerged, the necessity for seamless access to company resources is more important than ever, and the challenges of maintaining security in this new paradigm are ever-present.

“We are in a moment of massive transition. We went from everyone in the office to everyone remote, and now everyone is hybrid,” says Senthil Selvaraj, principal product manager of the Frictionless Devices team within Microsoft Digital Employee Experience, the company’s IT organization. “Our expectation and goal are that every user can work from whichever device they want from wherever in the world they want. But we must accomplish this while fending off thousands of attacks every day on our devices around the globe.”

Microsoft’s approach to the frictionless device initiative is multi-faceted and has required us to update our thinking on how we approach procurement of hardware and software, our help desk solutions, and utilization of advances in AI technology.

We divide this approach into three primary pillars: device experience, vulnerability management, and device lifecycle. Our mission is to produce efficiencies for our admins and business while demonstrably improving the experience of our employees across the globe.

[Unpack how we’re evolving the device experience at Microsoft. Discover how we’re verifying device health at Microsoft with Zero Trust. Explore how we’re harnessing first-party patching technology to drive innovation at Microsoft.]

Self-managed help desk

At Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company, we oversee the IT function for the whole company. This includes managing the help desk experience for our employees, which is a common touchpoint for all users seeking help with their devices.

However, the help desk is a key driver of financial and opportunity cost. In the traditional model, we would have one support person helping one user with an issue at a time. This approach is inefficient and often misses out on the network effects that can be gained with sharing solutions not just with a single user but with the whole community. Why help one person at a time when you can help the whole community at once?

We found that 40 percent of all helpdesk tickets, especially from non-Windows devices, required user education rather than a hardware or software fix. So we have built a SharePoint site that contains all the information users need to set up their applications on their own.

We see a compounded effect of savings: employees are not losing productive time while waiting for the help desk to assist them, and we reduce helpdesk costs by reducing the overall number of tickets. We can reallocate our resources to the true issues that need fixing.

In the very near future, we expect further gains in efficiency and cost reduction from the latest generation of AI automation at Microsoft. We anticipate that tools like a Helpdesk Copilot will give employees the information they need to solve device problems without escalating to a help desk engineer, reducing both the time they spend searching for solutions and the time our help desk engineers spend on common fixes.

The benefits of native Zero Trust and virtualization

The hybrid work environment requires us to provide flexibility to our employees who may be logging in to company resources from any number of locations. Our security needs to flexibly and securely meet employees wherever they are. Zero Trust architecture is our modern approach to this device environment that allows us to effectively secure our devices and our networks. And virtualization of devices is the next frontier for ease of use.

By centralizing and simplifying security in the cloud we are saving money and becoming more secure than ever. We no longer rely on a castle-and-moat strategy, where once you are logged in you have free access to every resource on the network. We now apply least-privilege access: every request is verified, and each resource is secured individually rather than trusting a session once it is inside the perimeter.
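One way to express "verified at each step" as configuration, added here as an example and not a policy the post describes: a Conditional Access policy built through the Microsoft Graph PowerShell SDK that requires MFA plus an Intune-compliant device for every app, created in report-only mode so its effect shows up in sign-in logs before anyone is blocked. The break-glass group ID, display name and sign-in frequency are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

# Added example (not a policy from the post). Break-glass group ID, name and sign-in
# frequency are assumptions; adjust for your tenant before enabling.

function New-ZeroTrustAccessPolicy {
    param(
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,   # emergency-access accounts, always excluded
        [string] $DisplayName = 'ZT-001 Require MFA and compliant device for all apps',
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced',   # report-only by default
        [int] $SignInFrequencyHours = 8
    )
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All' -NoWelcome

    # Idempotent: re-running the script must not create duplicate policies.
    $existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object { $_.DisplayName -eq $DisplayName }
    if ($existing) {
        Write-Host "Policy '$DisplayName' already exists ($($existing.Id)); not recreating."
        return $existing
    }

    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            # AND: an MFA-verified identity and an Intune-compliant device, evaluated per sign-in.
            operator        = 'AND'
            builtInControls = @('mfa', 'compliantDevice')
        }
        sessionControls = @{
            # Re-evaluate on a schedule instead of trusting a session for its full lifetime.
            signInFrequency = @{ value = $SignInFrequencyHours; type = 'hours'; isEnabled = $true }
        }
    }
    return New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Usage (placeholder group ID):
# $p = New-ZeroTrustAccessPolicy -BreakGlassGroupId '00000000-0000-0000-0000-000000000000'
# ...review the report-only results in the sign-in logs for a week, then enforce the same policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p.Id -State enabled
```

Report-only mode lets you measure who would have been blocked before you flip the state to enabled. The break-glass exclusion is not optional: an all-users, all-apps policy with a device-compliance requirement can lock out the administrators who would otherwise fix a misconfigured compliance policy.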

A good example of Zero Trust showing up in device management is the peripherals we use in our shared conference rooms. Alongside devices like printers, conference rooms are extremely common touchpoints for employees coming into a Microsoft office. We want their experience using these resources to be as seamless as possible, but because they are shared resources they have historically been a weak point. Now users access these resources under their own credentials, following Zero Trust principles.

“If you’re looking for security, speed, and ease of access, your answer is the cloud,” Selvaraj says. “The ultimate expression of this modern security posture will be coming through opportunities in virtualized devices.”

We recently announced new ways of delivering employees' desktop experiences with virtualization solutions such as Windows 365 and Microsoft Dev Box. With Windows 365 Cloud PCs, users can access their personalized Windows apps, settings, desktop, and data, securely hosted in the Microsoft Cloud and accessible on any device, wherever and whenever they work. Cloud-based solutions like these, aligned to Microsoft's Zero Trust principles, are key to reducing friction for everyone in the modern flexible workplace.

Maintaining the approved software Rolodex

Modern software like Microsoft Teams is incredibly powerful and enables a new world of collaboration through its associated apps and APIs. However, each integration point where one piece of software or hardware connects with another expands the attack surface. One approach we are taking to secure this software ecosystem more effectively is centralizing permissions for all applications.

We have effectively created an internal database of known and trusted apps: software our IT team can, to a reasonable degree, guarantee will work and be secure. Previous generations of application management were extremely open, and each user had nearly complete freedom to install new applications. That approach is popular with users, who can run whatever software they wish, but paired with a pre-Zero Trust security environment it exposed the network to greater risk.

“The problem and opportunity of software management is twofold: How do we provide ease of access to users while reducing friction for our security and support teams?” says Sean Cottrille, senior product manager on the Frictionless Devices team. “We are moving the goal posts to make sure all apps are pre-approved and are known entities before being installed.”

This new approach to applications ensures that we have a structure in place that answers the questions and needs of the user in advance. Now we can provide a solution to the user more quickly than ever before.
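The "known entities before being installed" idea, as an added example that shows one enforcement path rather than the internal app database the post describes: an App Control for Business (WDAC) allow policy generated from a reference device that has only approved software, merged with the Windows base template so the OS itself stays allowed, started in audit mode and enforced only after the audit events have been reviewed. It assumes an elevated PowerShell session on a Windows 10/11 reference device; paths and policy names are placeholders.

```powershell
#Requires -RunAsAdministrator
#Requires -Modules ConfigCI

# Added example (not the post's own tooling). Scans a reference device that holds only
# approved software and turns it into a WDAC allow policy. Paths/names are placeholders.

function New-ApprovedAppPolicy {
    param(
        [string] $ScanPath   = $env:ProgramFiles,     # assumed: reference install of approved apps only
        [string] $WorkDir    = "$env:TEMP\wdac",
        [string] $PolicyName = 'Approved-Apps-Allowlist'
    )
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $scanXml   = Join-Path $WorkDir 'scan.xml'
    $policyXml = Join-Path $WorkDir "$PolicyName.xml"
    # Windows ships base templates; DefaultWindows allows the OS and nothing else.
    $baseXml   = "$env:windir\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml"

    # Publisher level: allow by signer + product so vendor updates keep working; fall back to
    # file hash for unsigned approved binaries. -UserPEs includes user-mode code in the scan.
    New-CIPolicy -FilePath $scanXml -ScanPath $ScanPath -Level Publisher -Fallback Hash `
                 -UserPEs -MultiplePolicyFormat
    Merge-CIPolicy -PolicyPaths @($baseXml, $scanXml) -OutputFilePath $policyXml | Out-Null
    Set-CIPolicyIdInfo -FilePath $policyXml -PolicyName $PolicyName -ResetPolicyID | Out-Null

    # Rule options: 3 = Enabled:Audit Mode (log instead of block while validating),
    # 13 = Enabled:Managed Installer (trust what a configured managed installer deploys),
    # 16 = Enabled:Update Policy No Reboot.
    foreach ($opt in 3, 13, 16) { Set-RuleOption -FilePath $policyXml -Option $opt }
    return $policyXml
}

function Publish-ApprovedAppPolicy {
    param([Parameter(Mandatory)] [string] $PolicyXml, [switch] $Enforce)
    if ($Enforce) {
        # Only after the audit events have been reviewed: drop audit mode so unknown code is blocked.
        Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
    }
    $xml = [xml](Get-Content $PolicyXml)
    $id  = $xml.SiPolicy.PolicyID
    $bin = Join-Path (Split-Path $PolicyXml) "$id.cip"
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $bin | Out-Null
    # Local test only; for a fleet, deploy through Intune's App Control for Business profile:
    # Copy-Item $bin "$env:windir\System32\CodeIntegrity\CiPolicies\Active\$id.cip"
    return $bin
}

function Get-WouldHaveBlocked {
    # Audit-mode hits: event 3076 is "would have been blocked"; 3077 is an enforced block.
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Usage:
# $xml = New-ApprovedAppPolicy
# Publish-ApprovedAppPolicy -PolicyXml $xml            # audit mode first
# Get-WouldHaveBlocked -Hours 72                        # what users actually run that the list misses
# Publish-ApprovedAppPolicy -PolicyXml $xml -Enforce    # then enforce
```

Audit mode first is the point: event 3076 shows what users actually run that the allow list misses, so the list is corrected before anyone is blocked. Note that WDAC stops unapproved code at execution time rather than install time, which is what makes it hold up against software that arrives outside the deployment tool.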

When you’re making a change to the user experience, you must make sure it’s well communicated. If we see problems with the rollout of a new feature, it’s usually because we haven’t communicated enough or in the right channels. You need to go to multiple places where employees gather information to make sure the correct information is meeting them.

—John Philpott, senior product manager for seamless access, Microsoft Digital Employee Experience

Managing expectations and building for success

Any change to how an employee gets their daily work done requires clear communication about expectations and flexibility from all involved. Employees rely on their hardware and software to work correctly to be able to get work done and quickly become frustrated if there is an unexpected change to their workflow.

Philpott and Cottrille pose for headshots in this combined image.
John Philpott and Sean Cottrille are two members of Microsoft Digital Employee Experience team who helped bring our modern vision for frictionless device management to life.

“When you’re making a change to the user experience, you must make sure it’s well communicated,” says John Philpott, a senior product manager for seamless access in Microsoft Digital Employee Experience. “If we see problems with the rollout of a new feature, it’s usually because we haven’t communicated enough or in the right channels. You need to go to multiple places where employees gather information to make sure the correct information is meeting them.”

We always test and analyze changes before implementing them, so we are sure of the worth of these updates and upgrades before we roll them out broadly. With this confidence, we can go to our teams and clearly communicate what the changes will be, knowing that the effort of the transition period will be worth it.

The overall benefit of our frictionless devices initiative is that our employees are more connected and enjoy a more seamless device experience. We have developed disruption-free updates and are ensuring seamless access to the tools and services that users need to get their work done wherever they’re working, whether at home, at the office, or on the road. We are doing all of this while gaining time and financial efficiencies by centralizing procurement, optimizing automation, and improving our virtualization technology.

“Our goal with device management is to make the whole experience frictionless and to help our employees remain productive with less downtime,” Selvaraj says. “This doesn’t have to conflict with our parallel mission of keeping our company safe. We’re making the employee and admin experience easy but secure.”

Key Takeaways

  • Adapting your IT approach to the modern hybrid work environment means flexibly adjusting your security and device management protocols to account for the new ways your employees are accessing company data. You need to balance your approach to security concerns with a desire to make accessing the information and tools they need as frictionless as possible.
  • Zero Trust security architecture is enhancing security and flexibility, and new efforts on virtualization of devices will provide further opportunity for efficiency, security, and ease of use.
  • Rationalizing procurement of hardware and software and rolling out new automations and efficiencies in help desk solutions are further speeding up our employees’ experience of getting new tools up and running while reducing overall IT expenditure.

Try it out

Try Microsoft Intune at no cost.

The post Make it easy but secure: Our journey to frictionless device management at Microsoft appeared first on Inside Track Blog.
