Like our customers, we at Microsoft have a strong business need to address the new challenges created by remote and hybrid work. The internal adoption of Windows 11 is helping our company meet those needs, while enabling our employees to work smarter and more securely, regardless of where they are.

Moving Microsoft to Windows 11

1. Microsoft tries Windows 11 on for size and likes the fit
2. Unpacking Microsoft’s speedy upgrade to Windows 11 (this story)
3. Windows 11 boosts employee engagement at Microsoft
4. Employees are at the heart of Microsoft’s internal Windows 11 upgrade
5. Five key learnings from Microsoft’s Windows 11 upgrade

Upgrading to Windows 11 at Microsoft

Our priority in rolling out Windows 11 internally was to provide employees uninterrupted access to a safe and productive workspace while giving them a chance to try out the new operating system.

Introducing a new operating system, especially across a distributed workforce, naturally led to questions about device downtime and app compatibility. However, with established practices and evolved solutions in hand, historical obstacles became just that—a thing of the past. The rollout of Windows 11 at Microsoft was our most streamlined to date, frictionlessly delivering employees the latest operating system in record time.

What made the deployment of Windows 11 a success?

Over the past decade, our Microsoft Digital Employee Experience team, the organization that powers, protects, and transforms employee experiences, has worked closely with teams such as the Windows product group to improve how it runs Microsoft’s updates, upgrades, and deployments.

Whereas significant time and resources were once dedicated to testing app compatibility, building out multiple disk images, and managing a complex delivery method, processes and tools introduced during Windows 10 have streamlined upgrades and enabled the transformation to a frictionless experience.

Data from App Assure, a Microsoft service available to all customers with eligible subscriptions, shows the company had 99.7 percent compatibility for all apps in Windows 11—that eliminated the need for extensive testing. It also meant that employees’ Windows 10 apps work seamlessly in Windows 11. Additionally, Microsoft Endpoint Manager and Windows Update for Business eliminated the need for using more than one disk image and made it easier for employees to get Windows 11.

Our Microsoft Digital Employee Experience team relied on the same familiar tools and process as a Windows 10 feature update to quickly deliver the upgrade to employees.

The upgrade was divided into three parts:

Plan: Identify an execution and communication plan, then develop a timeline

Prepare: Establish reporting systems, run tests, ready employees, and build backend services

Deploy: Deploy Windows 11 to eligible devices

It all starts with a good plan

We at Microsoft Digital Employee Experience have a successful history of deploying new services, apps, and operating systems to employees. And it all starts at the same place—creating a disruption-free strategy that enables employees to embrace the latest technology as soon as possible without sacrificing productivity.

Assess the environment

Before the deployment of Windows 11 could begin, we had to take a careful inventory of all devices at Microsoft and determine which they should target. Windows 11 has specific hardware requirements, and a percentage of employees running ineligible devices meant that not every device would be upgraded. Employees with these devices will upgrade to Windows 11 during their next device refresh.

To evaluate the device population, we used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature. This allowed our team to generate reports on devices that either met or failed to comply with minimum specifications. For example, certain devices, especially older desktops, lacked the Trusted Platform Module 2.0 (TPM) chipset requirements for security in Windows 11.

In the end, 190,000 devices were deemed eligible based on hardware and role requirements. Over the course of five weeks, our Microsoft Digital Employee Experience team deployed Windows 11 to 99 percent of qualifying devices.

Address ineligible devices and exclusions

After evaluating the broad population of devices, our team developed a plan for devices that would not receive a Windows 11 upgrade. Since Windows 10 and Windows 11 can be seamlessly managed side-by-side within the same management system, we only had to designate the number of devices that would not receive the upgrade. Using Update Compliance to inform deployment policies, we applied controls on ineligible devices, automatically skipping them during deployment. These measures made it easy to know why a device didn’t upgrade, but also assured a disruption-free experience for both employees and those on our team responsible for managing the upgrade.

These controls also allowed the company to bypass deployment on any device that had been incorrectly targeted for an upgrade.

Ineligible devices. Windows 10 and Windows 11 can be managed side-by-side and will be supported concurrently at Microsoft until all devices are upgraded or retired. As devices are refreshed, more and more of our employees will gain access to Windows 11.

Devices that should not receive the upgrade. Other devices, like servers and test labs—where we validate new products on previous operating systems—were issued controls and excluded from receiving Windows 11.

Establish a deployment timeline

Once upgradeable devices were identified, our team was able to create a clear timeline. From this schedule, our communications team developed an outreach plan, support teams readied the helpdesk, and the deployment team developed critical reporting mechanisms to track progress.

For the deployment itself, our team used a ring-based approach to segment the deployment into several waves. This allowed us to gradually release Windows 11 across the company, reducing the risk of disruption.

Create a rollback plan

Windows 11 has built-in support for rolling back to Windows 10 with a default window of 10 days after installation. If needed, our Microsoft Digital Employee Experience team could have revised this period via group policy or script using Microsoft Intune. Post-upgrade, there wasn’t much demand for a rollback, but the strategic release cadence that the team used, paired with the rollback capability, gave our team an easy way to quickly revert devices that might require going back to Windows 10 for a business need.

Preparing for success

Prior to starting the Windows 11 upgrade, we asked employees to complete pre-work needed for a successful upgrade. Because the upgrade was so smooth, only light readiness communications were needed. Instead, we focused on ensuring that employees were aware and excited about the benefits of Windows 11 and that they were ready to share their feedback on what it was like to use it.

Reach everyone

To maximize the impact of our communications, our team readied content that was digestible for every employee, regardless of role. Employees needed clear and concise messaging that would resonate, so that they could understand what Windows 11 would mean for them.

Our team in Microsoft Digital Employee Experience targeted a variety of established channels, including Yammer, FAQs on Microsoft SharePoint, email, Microsoft Teams, Microsoft’s internal homepage, and digital signage to promote Windows 11.

To generate interest, our materials focused on:

• The new look and features of Windows 11, designed for hybrid work and built on Zero Trust
• Flexible and easy upgrade options, including the ability to schedule upgrades at a time that worked best for the employee
• The speed at which employees could be up and running Windows 11, as quickly as 20 minutes
• New terms related to Windows 11 and where employees could go to learn more

An entire page on our company’s internal helpdesk site was dedicated to links related to the upgrade, including Microsoft Docs, where users could find a comprehensive library on new features.

Executive announcements from company leadership also conveyed the benefit of moving to Windows 11 and the ease with which it could be done.

Set expectations

Our team directed employees waiting to see if their device met Windows 11’s hardware requirements to the PC Health Check app. At an enterprise level, the team relied on Update Compliance to assess the device population.

We also used this opportunity to reinforce messaging to Windows 10 users—both operating systems would continue to operate side-by-side until all devices were refreshed. This helped ease concerns for employees who had to wait for an upgrade.

Ready support

Getting the deployment right wasn’t just about sending messages outward. Our team needed to receive and respond to employee questions before, during, and after the Windows 11 rollout.

Our support teams were given an opportunity to delve into Windows 11 prior to the deployment, which, based on experiences with previous upgrades, gave them time to categorize and group by severity any potential issues they might encounter. This familiarity not only helped them give employees informed answers, but also served as another feedback gathering mechanism.

Open for feedback

We run Microsoft on Microsoft technology and we encourage our employees to join the Windows Insider Program, where users are free to provide feedback directly to developers and product teams.

That’s why communications didn’t just focus on what was new with Windows 11, but on how feedback could be shared. If an employee had comments, they submitted them through a Feedback Hub where other employees could upvote tickets, giving visibility to our engineers in Microsoft Digital Employee Experience and the Windows product group.

Pre-work for deployment readiness

In addition to readying employees, we had to make sure all the backend services were in place prior to the deployment. This included building several processes, setting up analytics, and testing.

Establish analytics reports

Evolving beyond previous upgrades, the deployment of Windows 11 was the most data driven release we have ever done. Looking closer at diagnostic data and creating better adoption reporting gave our team clear data to look at throughout the deployment.

Using Microsoft Power BI, our team could share insights regarding the company’s environment. This better prepared everyone on the team and allowed us to monitor progress during deployment.

Our team captured the following metrics:

• Device population
• Devices by country
• Devices by region
• Eligibility
• Adoption

In addition to visibility into project status, access to this data empowered our team to engage employees whose eligible devices did not receive the upgrade.

Build an opt-out process

To accommodate users whose eligible devices might need to be excluded from the deployment, our team created a robust workback plan that included a request and approval process, a tracking system, and a set timeline for how long devices would be excluded from the upgrade.

Our Microsoft Digital Employee Experience team released communications specifying the timeframe for employees to opt out, including process steps. Employees who needed to remove their devices from the upgrade submitted their alias, machine name, and reason for exclusion. From there, our team evaluated their requests. Only users with a business reason were allowed to opt out. For example, Internet Explorer 11 requires Windows 10, so employees who need that browser for testing purposes were allowed to remove their devices from the deployment.

Once we had approved devices for exclusion, a block was put in place to remove them from the deployment. Data gathered during the opt-out process enabled us to follow up with these employees, upgrading them to Windows 11 at a more appropriate time.

Create a security model

At Microsoft, security is always top of mind for us. A careful risk assessment, including testing out a series of threat scenarios, was performed before Windows 11 was deployed across the company.

Our Microsoft Digital Employee Experience team built several specific Windows 11 security policies in a test environment and benchmarked them against policies built for Windows 10.

After testing the policies and scenarios to see if they would have any impact on employees, we found that devices with Windows 11 would meet Microsoft’s rigorous security thresholds without creating any disruptions. Just as importantly, users would experience the same behaviors in Windows 11 as they might expect from Windows 10.

The deployment

A decade ago, our efforts to deploy feature updates could be challenging, as we needed to account for different builds, languages, policies, and more. This required careful management of distribution points and VPNs prior to beginning deployment efforts in earnest.

When Windows 10 was released in 2015, our team used two deployment strategies: one for on-premises managed devices and one for cloud managed devices.

Today, the situation is much simpler.

Launched during the Windows 10 era, Windows Update for Business established some of the trusted practices that make product releases and feature updates a great experience for us here at Microsoft. Windows Update for Business deployment service introduces new efficiencies for our team, consolidating two deployment strategies into one.

For the deployment of Windows 11, our team had an advantage—Windows Update for Business deployment service.

Windows Update for Business deployment service enabled our Microsoft Digital Employee Experience team to grab device IDs from across the environment and use them to automate the deployment. Windows Update for Business deployment service handled all the backend processing and scheduling for us; all we needed to do was determine the start and end dates.

Our team easily managed exclusions and opt-outs with Windows Update for Business deployment service, and when a device needed to be upgraded, the service made it easier to remove and roll them back to Windows 10.

Importantly, Windows Update for Business deployment service provides a single deployment strategy for us moving forward. Deployment has been simplified, and the data loaded into Windows Update for Business deployment service for this upgrade will help speed up future releases.

Policies for success

We had to decide which policies they wanted to work with for the greatest outcome. This included how many alerts an employee would receive before receiving an upgrade to Windows 11.

Windows Update for Business deployment services reduced the long list of policies that our team needed to manage during deployment. This accelerated deployment without compromising security.

From pilot to global deployment

By structuring the deployment timeline to hit a small group of employees before incrementally moving on to a larger population, our Microsoft Digital Employee Experience team ensured Windows Update for Business deployment service ran as expected and that all required controls and permissions were set.

As our team used the Windows Update for Business deployment service to plot out upgrade waves, Windows 11 downloaded in the background and employees received pop-up alerts when their device was ready. The employee could restart at any time and would boot into Windows 11 after a few automated systems completed the installation. Employees could also schedule Windows 11 to upgrade overnight or during the weekend.

Onboarding OEMs

Working closely with Microsoft Surface and other Original Equipment Manufacturer (OEM) partners, the companies who supply Microsoft with new devices, our team was able to ensure that our employees had Windows 11 pre-loaded onto their PCs. This approach guaranteed that new devices complied with the hardware requirements of the new system.

A new device, straight out of the box, only needs to be powered on and connected to the internet before Windows Autopilot authenticates and configures everything for the user. Once initial setup is complete, Windows Autopilot ensures that new devices are equipped with Windows 11 and all the correct policies and settings.
For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=1d4z5N5XCsA, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Entering the next stage of Windows at Microsoft

The deployment of Windows 11 at Microsoft validates our team’s approach to product releases and upgrades. With no measured uptick in support tickets, the deployment of Windows 11 has been a frictionless experience for employees and the wide adoption of new features confirms the value of the effort. The speed at which the team completed the deployment—190,000 devices in five weeks—represents the fastest deployment of a new operating system in company history.

We credit the success of this deployment to good planning, tools, strong communication, and the positive upgrade experience Windows 11 provides.

Windows Update for Business deployment service proved to be a big step in the evolution of how employees get the latest version of Windows. The service’s ease of use meant the team had a higher degree of control, flexibility, and confidence.

The tighter hardware-to-software ecosystem that comes with Windows 11 means our employees and all users of the operating system benefit from richer experiences. This, along with integration to Microsoft Teams, are just a few examples of what users are seeing now that they’re empowered by Windows 11.

• Understand the hardware eligibility requirements for Windows 11.
• The better you understand your environment the easier it will be to create a timeline, a communication plan, and ultimately track the deployment.
• Messaging is key for leaders in the organization to share, especially for adoption.
• Run a pilot with a handful of devices before deploying company wide. This will allow you to check policies for consistent experiences. Then move on to a ring-based deployment to carefully manage everything.
• There’s no need to create multiple deployment plans with Windows Update for Business deployment service; it can automate the experience, streamlining the entire workflow. Instead of waiting until everyone is ready, consider running Windows 10 and Windows 11 side-by-side. Prepare today by deploying to those who are ready now.

• Discover how Microsoft employees are leveraging the cloud for file storage with OneDrive Folder Backup.
• Explore how Microsoft is reimagining meetings for a hybrid work world.
• Check out enhancing VPN performance at Microsoft.

The post Unpacking Microsoft’s speedy upgrade to Windows 11 appeared first on Inside Track Blog.

Layered on top of that, our need for device security exists within a complex matrix of software, hardware, and user interfaces. If our employees are running out-of-date software, they’re leaving their device and our network unsecured and vulnerable.

Every leader understands the extreme importance of keeping their data secure. No enterprise wants to be the next company that gets exposed by one of these hacks that has happened in the past and to lose sensitive business or customer data.

—Biswa Jaysingh, principal product manager, Microsoft Digital Employee Experience

This is especially true when developers use powerful first-party tools like Microsoft Visual Studio and developer platforms like .NET to build new software. With developer platforms like .NET, this becomes even more critical because .NET is not just deployed to developer machines, it is also installed on the computers where the developed application will run.

Here at Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company, we are committed to holistically improving patching compliance rates across the company. To ensure we are improving security at every level of Microsoft’s infrastructure, from software and devices to the networks themselves, we are utilizing new technology and new approaches that we develop internally within our organization and within our product group partners.

“Every leader understands the extreme importance of keeping their data secure,” says Biswa Jaysingh, a principal product manager with Microsoft Digital Employee Experience. “No enterprise wants to be the next company that gets exposed by one of these hacks that has happened in the past and to lose sensitive business or customer data.”

Recent innovations in first-party patching technology at Microsoft, including in Windows Update for Business, Microsoft Endpoint Manager, and Microsoft Defender for Endpoints, are allowing us to unlock unprecedented levels of security across our network while at the same time reducing costs and speeding the timeline of deployment. From consolidating multiple deployments to reducing the impact of reboots on users, our changes are producing efficiencies across the business.

Within the matrix of network security at Microsoft, there are several critical arenas for security admins to monitor, patch, and secure. Malicious actors are looking at the full tech stack for vulnerabilities, which means our teams must monitor, patch, and secure devices at every level from the operating system and first-party software to hardware and third-party software.

[Discover boosting Windows internally at Microsoft with a transformed approach to patching.]

Reacting to the growing threat to first-party software

In the modern cloud-connected world there is more surface area that we need our IT professionals to protect. With more and more devices, from Internet of Things devices to peripherals having internet access, there is much larger potential for bad actors to break in. It’s more important than ever to stay secure, which means update compliance must be as close to 100 percent as possible across all levels of a device.

“The last thing we want is for Microsoft to ship a fix for a vulnerability, but an enterprise isn’t able to adopt the update. That would leave them insecure,” says Christina Ruana, principal program manager for Microsoft Visual Studio who is responsible for enterprise deployments and updates of Visual Studio.

This passion for effectively securing networks led Microsoft leaders like Ruana to ensure they’re doing everything possible to ease the burden of patching on our teams here at Microsoft and for our external customers. “Visual Studio’s recent Administrator update solution makes it much easier for enterprises to deploy updates through Microsoft Endpoint Manager,” Ruana says.

At the start of the .NET journey we were seeing unacceptable compliance rates as developers were using the software in ways that we hadn’t anticipated. This increased the complexity for maintaining patching compliance. We had to create paths for updating both current builds of .NET through Visual Studio and for keeping older builds compliant through Microsoft Update. This has improved compliance rates considerably.

—Jamshed Damkewala, principal PM manager, Platforms and Languages team

We’re using Microsoft Defender for Endpoints to manage the health of our devices, which is helping us improve the security of our network while also improving the user experience for our employees and our admins. Every efficiency gained along the way makes it more likely for compliance rates to grow. Teams are working around the clock to identify and patch vulnerabilities, but this work is only as effective as the compliance rate is strong.

A better experience for admins and users alike

We in the Microsoft Digital Employee Experience organization began our journey to transform the way we do patching by making it easier for our IT admins to deploy patches across our network.

Until recently, the first-party patching regime at Microsoft required a slew of software solutions to be manually managed, including important software applications like Visual Studio and .NET. But in November 2022, we were able to migrate numerous critical patch deployments to Windows Update for Business, dramatically increasing the timeliness and accuracy of device patching.

“At the start of the .NET journey we were seeing unacceptable compliance rates as developers were using the software in ways that we hadn’t anticipated,” says Jamshed Damkewala, principal PM manager on the Platforms and Languages team responsible for .NET. “This increased the complexity for maintaining patching compliance. We had to create paths for updating both current builds of .NET through Visual Studio and for keeping older builds compliant through Microsoft Update. This has improved compliance rates considerably.”

We gain significant efficiencies as we eliminate manual deployments through automation and streamline the rollout of patches through Windows Update and Windows Update for Business. With these universal sources for patches, we simultaneously reduce time for testing while reducing errors in the deployments.

With more accurate updates meeting user devices more quickly and hitting all builds of first-party software that require patching, our networks are more secure than ever. The ease of patches deploying on devices also reduces the impact on users, so they are more likely to remain compliant while experiencing minimal disruption.

These innovations are not custom built for Microsoft. We are effectively leveraging technology that we already had to make it more efficient and effective for teams to patch their software.

—Harshitha Digumarthi, senior product manager responsible, Microsoft Digital Employee Experience

Furthermore, the technology within Microsoft Defender for Endpoints allows for thorough device scanning to provide effective telemetry for admins to react to, giving them better knowledge to engineer future patches and policies for Windows Update for Business, which further grows compliance rates. We use it to scan and report vulnerabilities, which empowers our admins to respond faster. Microsoft Endpoint Manager also allows our admins to better manage Windows Update for Business policies.

Providing the tools for teams to succeed

Internally here at Microsoft, our updated technology allows us to monitor our networks more efficiently, providing detailed telemetry about device health that we’ve never had before. This visibility allows us to develop new protocols for our networks, including complicated cases of end-of-life devices and end-of-service software.

But the true unlock-for-efficiency comes in how these systems were designed, constructed, and automated.

“These innovations are not custom built for Microsoft,” says Harshitha Digumarthi, a senior product manager responsible for improving the patching experience at Microsoft Digital Employee Experience. “We are effectively leveraging technology that we already had to make it more efficient and effective for teams to patch their software.”

This approach reduces cost, increases the speed of development, and fundamentally improves the efficiencies of teams deploying mission-critical patches for their software. Potential errors caused by manual deployment are eliminated and the single update source on a single day per month improves the user experience considerably. The result is a more secure network through increased device compliance.

These benefits are compounded when it comes to first-party software like Visual Studio and .NET. We’ve seen a rise in patching compliance for internal customers developing new solutions with these products, all attributable to improvements in Visual Studio and .NET. As a result, security dividends can exponentially grow through the company and to the ecosystem at large. Our networks, and yours, are more secure thanks to these developments.

• Ensure your software applications are kept up to date to remain secure. Follow this guidance for Visual Studio.
• By utilizing a common deployment solution in Windows Update for Business and Microsoft Endpoint Manager, efficiency is gained and potential errors from manual updating are mitigated.
• A single update source on a single day per month dramatically improves the user experience.
• Innovations in device scanning provides new telemetry, which leads to new solutions for rare-but-important use cases like end-of-life devices and end-of-service software.

• Unpack our Visual Studio administrator guide.
• Share your deployment experiences and challenges with Visual Studio engineering team.
• Explore .NET Automatic Updates for Server Operating Systems.
• Deploy Visual Studio updates to devices enrolled in Windows Update for Business.
• Discover boosting Windows internally at Microsoft with a transformed approach to patching.

The post Harnessing first-party patching technology to drive innovation at Microsoft appeared first on Inside Track Blog.

“We’re transforming the experience our employees have when they first turn on their PCs,” says Sean MacDonald, a principal group program manager in Microsoft Digital. “Our employees expect a best-in-class experience and we’ve been working hard to deliver that to them. The best part is that all of our customers can have the exact same experience.”

It used to take up to an hour to get Windows 10 running on a new or rebuilt PC—that was before Microsoft Digital started using Windows Autopilot, a new deployment program that automates most of the setup process. With this new program developed in partnership with the Windows and Intune teams, the user receives a device with the latest image directly from the OEM and all the user needs to do is power on, connect to any internet connection, authenticate, and the rest is silently hydrated via Microsoft Intune.

“Now, with Autopilot, we’re seeing it take less than 10 minutes to set up a device,” MacDonald says. “We’ve reduced the user’s set up time by 90 percent.”

After piloting the technology, Microsoft Digital started a soft launch in October using Autopilot for select new devices, says Mina Aitelhadj, a program manager on Microsoft Digital’s Modern Device Platform Team.

Microsoft is using an OEM-developed (original equipment manufacturer) image on all devices where Autopilot is being used. The goal is for Microsoft Digital to evolve to the point where it is using Autopilot with Intune provisioning to image all new devices by January.

Microsoft is one of the first enterprises to use Autopilot in a full, modern management scenario.

“Our early testing and deployment inside of Microsoft will help us provide best practices and guidelines for our customers when they are ready to move onto a fully modern Azure platform,” Aitelhadj says.

Getting to this point has been challenging, she says.

Like any large enterprise, the Microsoft environment is complex. Company employees work in all kinds of different roles, and they rely on a wide variety of devices to support that work. This variety of device choices made it challenging to provide a consistent out-of-the-box experience for new employees (and for existing employees when issued new PCs).

Before Microsoft started using Autopilot internally, the team streamlined the imaging process as much as possible, but the company is so big (it literally offers employees hundreds of PC configurations to choose from) that speeding up how long it took an employee to get their new machine set up required that Microsoft Digital entirely rethink and redesign its approach, Aitelhadj says.

“Even though our custom imaging process was fine-tuned to its best, it was still process-intensive and wasn’t easy to manage across multiple OEMs and global regions,” she says. “To add to that, our devices needed to be connected to our corporate network to deploy our custom images.”

Now that Autopilot is handling all that work, the team can focus on fine tuning. “This is a big step up for us because we’re saving our team time and money and we’re getting critical work time back,” Aitelhadj says.

Are you interested in how Autopilot could work at your company? Windows Autopilot is available externally (click through here to learn more about it). It is available for Windows 10 users on Azure Active Directory and users of Windows Autopilot Hybrid Azure AD are able to use it to join Windows 10 devices to both Azure Active Directory and Active Directory.

How deploying an image with Autopilot works

Why has installing a new Windows image traditionally been so challenging?

Companies like Microsoft have had to continuously update their custom images to make sure they are current and secure, Aitelhadj says. Every month the Windows team issues patches and updates, and those have had to be woven into each image before it could be deployed.

Before the company started using Autopilot (and in cases where it’s not yet using the new tool), handling those month-to-month updates made deploying new images very challenging.

“Our engineers have had to build and maintain our image on a monthly basis for all devices in our global ecosystem,” she says. “They have had to send each image to the OEMs. Those images include our policies, certifications, profiles—everything needed to get the devices ready for one of our employees. We’ve streamlined how we create our custom image within Microsoft, and Autopilot streamlines that even further for both IT pro and users.”

Once Autopilot is deployed across the entire company, everything will get a lot simpler.

“Say I’m a company and I have 10 users coming onboard,” Aitelhadj says. “Instead of having an IT pro load our custom image onto those PCs, the OEM will preload the devices with a universal Commercial OEM Image, they will register those machines onto Autopilot, and everything will get loaded onto those machines automatically, once the user logs in.”

Using Autopilot, the OEM loads just the operating system and Microsoft Office onto a computer—just what the employee needs to be able to turn their machine on and get started. Once online, Autopilot guides the user through a nearly hands-off out-of-box experience in which it not only handles all custom configuration settings, but also downloads and installs all needed applications. The other benefit is that the user does not have to be on the company’s corporate network or in a campus building to setup the device—they can do it from any internet connection.

And the user experience?

Thanks to Autopilot, it has gone from a struggle to an easy first log in. The trick was to then make it easy and intuitive for the employee to download and set up all the applications they need to do their work.

“We make it as simple as possible by provisioning the device with all the policies, certs, and core apps,” Aitelhadj says. “It all loads in the background within a few minutes. We limit their interaction to just the stuff they need to click through—like security and a few other required things.”

And yes, the team wanted to give the IT pros who spend hours and hours updating images each month time back, but the bigger goal was to create a simpler, more user-guided, less error-prone experience for users, thereby reducing end user frustration and the need for IT support. All this needed to be done without a time gap—for security reasons, all current updates need to be made as the new employee’s PC is booted up and handed over to them.

“We’ve saved our pilot users hundreds of hours—we’re getting them productive faster,” Aitelhadj says. “It’s pretty awesome to have that kind of impact.”

The post Autopilot speeds up Windows 10 image deployment inside Microsoft appeared first on Inside Track Blog.

“We’ve made significant strides to create chip-to-cloud Zero Trust out of the box,” says David Weston, vice president of Enterprise and OS Security at Microsoft. “Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware.”

This new baseline for protection is one of several reasons Microsoft upgraded to Windows 11.

In addition to a better user experience and improved productivity for hybrid work, the new hardware-backed security features create the foundation for new protections. This empowers us to not only protect our enterprise but also our customers.

[Discover how Microsoft uses Zero Trust to protect our users. Learn how new security features for Windows 11 help protect hybrid work. Find out about Windows 11 security by design from chip to the cloud. Get more information about how Secured-core devices protect against firmware attacks.]

How Windows 11 advanced our security journey

Security has always been the top priority here at Microsoft.

We process an average of 65 trillion signals per day, with 2.5 billion of them being endpoint queries, including more than 1,200 password attacks blocked per second. We can analyze these threats to get better at guarding our perimeter, but we can also put new protections in place to reduce the risk posed by persistent attacks.

In 2019, we announced Secured-core PCs designed to utilize firmware protections for Windows users. Enabled by Trusted Platform Module (TPM) 2.0 chips, Secured-core PCs protect encryption keys, user credentials, and other sensitive data behind a hardware barrier. This prevents bad actors and malware from accessing or altering user data and goes a long way in addressing the volume of security events we experience.

“Our data shows that these devices are more resilient to malware than PCs that don’t meet the Secured-core specifications,” Weston says. “TPM 2.0 is a critical building block for protecting user identities and data. For many enterprises, including Microsoft, TPM facilitates Zero Trust security by measuring the health of a device using hardware that is resilient to tampering common with software-only solutions.”

We’ve long used Zero Trust—always verify explicitly, offer least-privilege access, and assume breach—to keep our users and environment safe. Rather than behaving as though everything behind the corporate firewall is secure, Zero Trust reinforces a motto of “never trust, always verify.”

The additional layer of protection offered by TPM 2.0 makes it easier for us to strengthen Zero Trust. That’s why hardware plays a big part in Windows 11 security features. The hardware-backed features of Windows 11 create additional interference against malware, ransomware, and more sophisticated hardware-based attacks.

At a high level, Windows 11 enforced sets of functionalities that we needed anyway. It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.

—Carmichael Patton, principal program manager, Digital Security and Resilience

Windows 11 is the alignment of hardware and software to elevate security capabilities. By enforcing a hardware requirement, we can now do more than ever to keep our users, products, and customers safe.

Setting a new baseline at Microsoft

While some security features were previously available via configuration, TPM 2.0 allows Windows 11 to protect users immediately, without IT admins or security professionals having to set specific policies.

“At a high level, Windows 11 enforced sets of functionalities that we needed anyway,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the organization responsible for protecting Microsoft and our products. “It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.”

Thus, getting Windows 11 out to our users was a top priority.

Over the course of five weeks, we were able to deploy Windows 11 across 90 percent of eligible devices at Microsoft. Proving to be the least disruptive release to date, this effort assured our users would be immediately covered by baseline protections for a hybrid world.

We can now look across our enterprise and know that users running Windows 11 have a consistent level of protection in place.

The real impact of secure-by-default

Moving from configurable to built-in protection means that Windows 11 becomes the foundation for secure systems as you move up the stack.

It simplifies everything for everyone, including IT admins who may not also be security experts. You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.

—David Weston, vice president, Enterprise and OS Security

Applications, identity, and the cloud are able to build off the hardware root-of-trust that Windows 11 derives from TPM 2.0. Application security measures like Smart App Control and passwordless sign-in from Windows Hello for Business are all enabled due to hardware-backed protections in the operating system.

Secure-by-default does all of this without removing the important flexibility that has always been part of Windows.

“It simplifies everything for everyone, including IT admins who may not also be security experts,” Weston says. “You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.”

Going forward, IT admins working in Windows 11 no longer need to put extra effort in enabling and testing security features for performance compatibility. Windows 11 makes it easier for us to gain security value without extra work.

This is important when you consider productivity, one of the other drivers for Windows 11. We need to empower our users to stay productive wherever they are. These new security components go hand-in-hand with our productivity requirements. Our users stay safe without seeing any decline in quality, performance, or experience.

“With Windows 11, the focus is on productivity and thinking about security from the ground up,” Patton says. “We know we can do these amazing things, especially with security being front and center.”

Now that Windows 11 is deployed across Microsoft, we can take advantage of TPM 2.0 to bring even greater protections to our users, customers, and products. We’ve already seen this with the Windows 11 2022 update.

For example, Windows Defender App Control (WDAC) enables us to prevent scripting attacks while protecting users from running untrusted applications associated with malware. Other updates include improvements to IT policy and compliance through config lock: a feature that monitors and prevents configuration drift from occurring when users with local admin rights change settings.

These are the kinds of protections made possible with Windows 11.

“Future releases of Windows 11 will continue to add significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software,” Weston says. “Windows 11 is a better way for everyone to collaborate, share, and present, all with the confidence of hardware-backed protections.”

• Learn about and upgrade to Windows 11.
• Learn more about the security benefits of Windows 11.

• Discover how Microsoft uses Zero Trust to protect our users.
• Learn how new security features for Windows 11 help protect hybrid work.
• Get more information about how Secured-core devices protect against firmware attacks.

The post Hardware-backed Windows 11 empowers Microsoft with secure-by-default baseline appeared first on Inside Track Blog.

It all started with a shift to remote work.

“New employees will always need a device on day one,” says Pandurang Kamath Savagur, a senior program manager with Microsoft Digital, the organization that powers, protects, and transforms the company. “But for the first time ever, we were also in an experience where people had to stay productive from home with only a single device. They couldn’t easily get into the offices for a secondary or loaner device.”

To anticipate demand and offset delays, Microsoft Digital built a platform where administrators across the company could project the number of devices they’d need. Simultaneously, the group took a deep dive look at the current device population to forecast the number of employees who would need a device refresh—all in time for the deployment of Windows 11.

[Discover how Microsoft quickly upgraded to Windows 11. Find out how Microsoft is reinventing the employee experience for a hybrid world. Learn more about verifying devices in a Zero Trust model.]

Getting better at predicting the future

Historically, Microsoft didn’t need to build up a large inventory of devices for employees; everything was made to order.

Business groups own the budget, so they know what the next six months will look like for their team. Microsoft onboards approximately 3,000 employees each month, and every employee needs to select and set up a device. We can’t just buy 3,000 devices a month—we need to know specifications about how it will be used.

—Pandurang Kamath Savagur, senior program manager, Microsoft Digital

It worked a little bit like this:

Procurement, having already certified devices and negotiated pricing and SLAs suitable for employees, enables administrators or direct employees to obtain a new employee device through our internal ProcureWeb tool. The tool places a purchase order directly to the OEM—the third-party manufacturer of the device—or a reseller who would then manufacture and ship the equipment out to the user.

But the shift in how people worked meant we’d need to be more proactive in procuring devices for employees. And to get there, we’d need a better picture of fluctuating demand.

“Business groups own the budget, so they know what the next six months will look like for their team,” Savagur says. “Microsoft onboards approximately 3,000 employees each month, and every employee needs to select and set up a device. We can’t just buy 3,000 devices a month—we need to know specifications about how it will be used.”

Everything from storage space, computing power, memory, and keyboard language to the number of units would need to be collected from business groups. Once that information came in, Procurement could work with OEMs to have machines ready and available to be delivered to administrators well in advance.

This new approach to device forecasting has streamlined the way Microsoft acquires devices, giving us adequate stock to ensure a good experience. We can now anticipate device purchases for new hires while also accounting for break fixes.

And the timing of this effort couldn’t have been better—Windows 11 was on the way, and we would need this new approach along with additional analysis to get the new operating system into the hands of employees.

Empowering Microsoft with Windows 11

Released in late 2021, Windows 11 gives us the enterprise-grade security that Microsoft requires. To achieve this secure-by-default state, we needed to replace older devices with equipment that met the Windows 11 hardware requirements.

But instead of issuing new devices to everyone at launch—something that would be both costly and logistically impossible—we took a strategic approach, using a combination of telemetry and machine learning to identify and prioritize devices for replacement.

“We have telemetry data, application usage, and warranty information, and that gives us a base to forecast from in Power BI,” says Neeti Sawant, a data engineer with Microsoft Digital who helped create a device forecasting dashboard as part of this effort. “It told us what we needed to monitor and forecast, which devices are aging out, and when they would be eligible for a refresh.”

But we weren’t just relying on warranty data alone.

Using Microsoft Azure Cosmos DB and Microsoft Azure DataBricks for machine learning, we are able to leverage the historical data for device population and apply survival modeling techniques, predicting how many ineligible primary devices would be active over the next few years towards the Windows 10 end of support.

Device forecasting has allowed us to work closely with OEMs so that devices are available on time and so that we’re not selecting on availability, but rather meeting all the performance, compliance, and security needs of our users. Satisfaction scores from employees have increased by 20 points since we started doing this.

—Pandurang Kamath Savagur, senior program manager, Microsoft Digital

“Not all users will replace their device at the end of warranty,” says Anqi Cheng, a data scientist with the W+D Data team at Microsoft. “Although many devices will naturally age out over time, many users hang on to their devices for an extended time. When combined with other device forecasting data, we had a holistic view of the landscape.”

This level of analysis ensured Microsoft would be able to quickly develop a roadmap for getting employees on Windows 11.

A bright forecast for Microsoft

Employees at Microsoft can—and should—expect to have a device that engages, protects, and empowers them. Device forecasting makes this possible.

“Device forecasting has allowed us to work closely with OEMs so that devices are not selected on availability, but rather meeting all the performance, compliance, and security needs of our users,” Savagur says. This effort has resulted in a better experience for employees. “Satisfaction scores from employees have increased by 20 points since we started doing this.”

Access to device forecasting information has also been helpful to admins and Finance, who now have a better idea as to which devices will need to be refreshed for Windows 11. Moving into the future, these same projections will make it easier for Procurement to put the right device into an employee’s hands.

“With the analysis provided to us by Microsoft Digital, we can now understand how many primary devices are in our environment and when we expect them to refresh,” says Colby McNorton, a senior program manager on the Microsoft Procurement team. “As we look forward, instead of the purchasing journey being reactive, we can proactively reach out to users and tell them that their device is at the end of its life and even recommend a device based on what we know about usage.”

Thanks to Windows Autopilot, new devices are automatically pre-configured with Windows 11. Windows Autopilot deploys an OEM-optimized version of the Windows client, so you don’t have to maintain custom images and drivers for every device model. This makes new devices business-ready faster, empowering employees to stay engaged and protected. Users can just switch on, sign in, and all policies and apps will be in place within a day.

• Be sure to get visibility into your device population. Find out what kinds of devices are on your network, where they’re located, who owns them, and what stage they’re at in their lifecycle. This gives you a lot of agility in a changing environment. You can do this using Microsoft Intune.
• Windows 10 and Windows 11 can be co-managed side by side using the same tools and processes, which makes it possible for Microsoft and other companies to be methodical about replacing devices.
• Spend time with team admins who understand user needs. This allows you to cultivate a short list of devices that are best suited for your employees and gives procurement clear priorities.

• Discover how Microsoft quickly upgraded to Windows 11.
• Find out how Microsoft is reinventing the employee experience for a hybrid world.
• Learn more about verifying devices in a Zero Trust model.
• Read about how Windows 11 helps businesses.

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Boosting employee device procurement at Microsoft with better forecasting appeared first on Inside Track Blog.

Deploying Windows Hello for Business internally here at Microsoft has significantly increased our security when our employees and vendors access our corporate resources. This feature offers a streamlined user sign-in experience—it replaces passwords with strong two-factor authentication by combining an enrolled device with a PIN or biometric user input for sign in. Windows Hello was easy to implement within our existing identity infrastructure and is compatible for use within our remote access solution.

The Windows Hello for Business feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. We—the Microsoft Digital Employee Experience team—streamlined the deployment of this feature as an enterprise credential to improve our user sign-in experience and to increase the security of accessing corporate resources.

Using this feature, users can authenticate to a Microsoft account, an Active Directory account, or a Microsoft Azure Active Directory (Azure AD) account.

The Windows Hello for Business feature is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, thefts, and phishing.

Other benefits of this feature include:

• It supports our Zero Trust security model. Emphasizes an identity-driven security solution by centering on securing user identity with strong authentication as well as eliminating passwords.
• It uses existing infrastructure. We configured Windows Hello to support smart card–like scenarios by using a certificate-based deployment. Our security policies already enforced secure access to corporate resources with two-factor authentication, including smart cards and Microsoft Azure Multi-Factor Authentication. Windows Hello is currently enabled, and we anticipate an increase in usage as more biometric-capable devices become available in the market.
• It uses a PIN. Replace passwords with a stronger authentication. Users can now sign in to a device using a PIN that could be backed by a trusted platform module (TPM) chip.
• It provides easy certificate renewal. Certificate renewals automatically occur when a user signs in with their PIN before the lifetime threshold is reached.
• It permits single sign on. After a user signs in with their PIN, the user has access to email, SharePoint sites, when using the latest Office 365 versions, and business applications without being asked for credentials again.
• It is compatible with remote access. When using a certificate-based PIN, users can connect remotely using a Microsoft Digital Employee Experience VPN without the need for multi-factor authentication with phone verification.
• It supports Windows Hello. If users have compatible biometric hardware, they can set up biometrics sign-in to swipe their finger or a take a quick look at the device camera.

Our deployment environment for the Windows Hello for Business feature include:

• Server: Microsoft Azure AD subscription and Microsoft Azure AD Connect to extend on-premises directory to Azure AD:
  • For certificate-based: Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS) Network Device Enrollment Service (NDES), and Microsoft Intune
• Client: A device, preferably with an initialized and owned TPM.

For more information about integrating on-premises identities with Microsoft Azure AD, see Integrating your on-premises identities with Microsoft Azure Active Directory.
For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=3k4Mduc9eUQ, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Enrollment and setup

Windows Hello for Business user enrollment steps vary, based on our deployed scenarios. For all scenarios, users will need to use their smart card or multi-factor authentication with a verification option—such as a phone call or verification on a mobile app, such as Microsoft Authenticator, in addition to their user name and password—to complete the enrollment.

The Windows Hello for Business feature supports the following enrollment scenarios:

• On-premises Active Directory domain–joined devices. Users sign in with their domain account, the Group Policy is applied, the device is registered with Microsoft Azure Active Directory, and then the user creates a PIN.
• Microsoft Azure AD–joined devices managed by Microsoft Intune. Users must enroll in device management (or add a work account) through Microsoft Intune. After their device is enrolled and the policies are applied, the PIN credential provisioning process begins and users receive the prompt to create their PIN.

Requirements

• Two-factor authentication is required for PIN creation using one of the existing methods (virtual smart card, physical smart card, or multi-factor authentication with phone verification).
• A PIN that is at least six characters long.
• A connection to the internet or Microsoft corporate network.

Physical architecture

Our Windows domain-joined devices were already synchronized with Microsoft Azure AD through Microsoft Azure AD Connect, and we already had a public key infrastructure (PKI) in place. Already having PKI reduced the amount of change required in our environment to enable the Windows Hello for Business feature.

To deploy user certificates based on Windows Hello keys, we used AD FS, AD CS, and Group Policy.

Server roles and services

In our implementation, the following servers and roles work together to enable Windows Hello as a corporate credential:

• Microsoft Azure AD subscription with Microsoft Azure Active Directory Device Registration Service to register devices with Azure Active Directory.
• Microsoft Intune is used to enroll devices joined to Microsoft Azure Active Directory.
• AD FS is used for federated identities and Microsoft Azure AD Application Proxy for secure remote access of web applications hosted on-premises. AD FS Registration Authority is used to handle certificate issuances and renewals for devices that are joined to the domain.
• PKI includes NDES servers (with policy module) and certificate authorities (with smart card EKU—enhanced key usage—template), used for the issuance, renewal, and revocation of Windows Hello for Business certificates.

Domain-joined service workflow

The following workflow applies to any Windows 10 computers joined to our AD DS domain.

• Our domain-joined devices pull a Group Policy object that configures certificate enrollment, PIN-enablement, and notification tasks.
• After users sign out and sign in again, or if they select the pop-up notification when it displays, a PIN creation workflow runs, and they must configure their new PIN.
• During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • If the client and infrastructure support Instant-On, a key-receipt verification package is downloaded and a certificate request is sent to the AD FS registration authority. AD FS confirms valid key ownership and submits the request on behalf of the user to an AD CS certification authority.
• The certificate is delivered to the computer.

Microsoft Azure Active Directory–joined service workflow

• Windows Intune pushes a device policy to Microsoft Azure Active Directory devices that contains the URL of the NDES server and the challenge generated by Intune. A policy has already been pushed to the device by the Intune service. This policy contains the URL of the NDES server and the challenge generated by Intune.
• During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
• The device contacts the internet-facing NDES server using the URL from the NDES server and provides the challenge response. The NDES server validates the challenge with the CRP and receives a “true” or “false” to challenge verification.
  • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
• The NDES server delivers the certificate to the computer.

Setting policies

Our Microsoft Digital Employee Experience team used domain-based Group Policies to push out policy-based settings to configure our Windows 10 domain-joined devices to provision Windows Hello user credentials when users sign in to Windows. Non-domain joined devices receive their policies from Intune. We also used these settings to define the complexity and length of the PIN that our users generate at registration and to control whether Windows Hello was enabled.

We had the option to configure whether we would accept certificate-based Windows Hello for Business with PIN as a software-backed credential. We chose to enable Windows Hello for Business with a hardware-required option, which means that keys are generated on the TPM.

Policies for Microsoft Active Directory domain–joined clients

You must create and deploy a Group Policy object using the settings found under User Configuration > Administrative Templates > Windows Components Windows Hello for Business.

The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. Both the Enable Windows Hello for Business setting and the Use certificate for on-premises authentication setting must be enabled.

Windows 10 also provides PIN complexity settings for control over PIN creation and management. Beginning with Windows 10 version 1703, the policy settings are found under Computer Configuration > Administrative Templates System > PIN Complexity.

Policies for Microsoft Azure Active Directory–joined clients

To use the Windows Hello/Windows Hello for Business certificate-based sign-in, configure the certificate profile (Assets & Compliance > Compliance Settings > Company Resource Access > Certificate Profiles). Select a template that has smart card sign-in extended key usage. Note that to set the minimum key size set, this certificate template should be configured in the Simple Certificate Enrollment Protocol (SCEP) Enrollment page—then you can use the Windows Hello for Business and Certificate Properties page to set the minimum key size set to 2048.

To set up the desired policy, we also need to create a new Windows Hello for Business profile (Assets & Compliance > Compliance Settings > Company Resource Access > Windows Hello for Business profiles) and specify the following required options:

• Use Windows Hello for Business
• Use a hardware security device
• Use biometrics
• PIN Complexity

User enrollment experience

When a domain-joined computer running Windows 10 Anniversary Update or later pulls Group Policy settings from a domain controller, certificate enrollment policies and the Windows Hello for Business policies are applied to the Windows 10 computer, provided all the criteria for policy application are met.

Client signs out and signs in (and unlocks) the device

The user unlocks their device, and the certificate enrollment process is triggered.

Certificate enrollment process

After a PIN is successfully created, the scheduled task runs (triggered by Event ID 300, which is “Key registration was successful.”). It checks for an existing certificate. If the user doesn’t have one, the task sends the requests for a new challenge.

At this point, Windows 10 calls on the specified Certificate Services server through AD FS and requests a challenge with an expiration time. If the PIN is cached, the certificate enrollment is triggered.

Certificate renewal behavior

We have configured PIN credential certificates to have a lifetime of 90 days from when they are issued. Renewals will happen approximately 30 days before they expire. When a user next enters their Windows Hello for Business PIN within the 30 days prior to its expiration, a new certificate will be automatically provisioned on their device.

Certificate renewal is governed by Group Policy settings for auto-enrollment. The system checks for certificate lifetime percentage and compares it against the renewal threshold. If it’s beyond the set threshold, a certificate renewal starts.

Microsoft Intune specifics

The Open Mobile Alliance Device Management client talks to the Microsoft Intune mobile device management server using SyncML. Policies are routed, and then the user receives the Simple Certificate Enrollment Protocol profile, as configured in our hybrid environment, deployed through Microsoft Intune. Within 10 minutes, the user should receive a certificate. If that fails, the user needs to manually sync.

Service management

We manage identity as a service at Microsoft and are responsible for deciding when to bring in new types of credentials and when to phase out others. When we were considering adding the Windows Hello for Business feature, we had to figure out how to introduce the new credential to our users, and to explain to them why they should use it.

Measuring service health

We’re in the process of creating end-to-end telemetry to measure the service health of Windows Hello for Business. For now, we’re monitoring the performance and status of all our servers. We’re also expanding the service, so adoption and usage numbers are very important metrics that demonstrate the success of our service. We also track the number and types of help desk issues that we see.

We use custom reports created from certificate servers and custom telemetry service metrics to collect prerequisites, and key and certificate issuance times for troubleshooting. Detailed reports about other aspects of the service can also be generated from Microsoft Intune.

We configure a user’s certificate to expire, and certificate renewals are issued with the same key. When necessary, the certificates can be revoked directly though Microsoft Intune, which provides easier administration.

TPM issues

OEM BIOS initialization instructions and TPM lockout policies are OEM-specific. We performed steps to identify and document the potential issues for each hardware provider. We also communicated to our users that clearing a TPM will cause their private key to not work in Windows Hello for Business.

Preventing PIN enrollment problems

Some of the common issues we saw with users creating their PINs could have been avoided with better communication. These issues include users not understanding the prerequisites, or the expected delays in onboarding scenarios. To help avoid this issue, we created a productivity guide to walk users through the steps.

Monitoring end-to-end service health

Windows Hello for Business relies on several underlying services: Microsoft Azure AD, AD FS, Microsoft Intune, NDES, and CA. All of these services need to be healthy and available. Certificate issuance delays can be hard to troubleshoot, but monitoring the health and performance of the supporting services can help.

• Unpack verifying identity in a Zero Trust model internally at Microsoft.
• Discover enabling a modern support experience at Microsoft.
• Explore improving security by protecting elevated-privilege accounts at Microsoft.

Active Directory and Microsoft Azure Active Directory

• Integrating your on-premises identities with Azure Active Directory
• Connect domain-joined devices to Azure AD for Windows 10 experiences
• Azure AD Join on Windows 10 devices

Management

• Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
• PART 2 – SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune

Policy Management

• Using a Policy Module with the Network Device Enrollment Service

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Implementing strong user authentication with Windows Hello for Business appeared first on Inside Track Blog.

Microsoft Digital is transforming the way that we manage devices for Microsoft employees. We’re embracing modern device management principles and practices to provide a frictionless, productive device experience for Microsoft employees and a seamless and effective management environment for the Microsoft Digital teams that manage these devices. We’re using Windows 10, Microsoft Intune, Azure Active Directory (Azure AD), and a wide range of associated features to better manage our devices in an internet-first, cloud-focused environment. The move to modern management has begun our transition to Microsoft Endpoint Manager, the convergence of Intune and System Center Configuration Manager functionality and data into a unified, end-to-end management solution.

Addressing the need for modern management

Microsoft Digital is responsible for managing more than 264,000 Windows 10 devices that Microsoft employees around the world use daily. Historically, our management methods have been based primarily on the network and infrastructure on which these devices reside. The corporate network has been the functional foundation of Microsoft operations for more than 30 years. Our technical past was built on Active Directory Domain Services (AD DS) and the accompanying identity and access management principles that work well within a tightly controlled and regulated on-premises network. With this model, Microsoft Digital has been able to manage devices connected within a protected and insulated digital ecosystem.

However, the ways that our devices are being used have changed significantly over the past 10 years and continue to evolve. The corporate network is no longer the default security perimeter or environment for on-premises computing for many companies, and the cloud is quickly becoming the standard platform for business solutions. At Microsoft, we’ve been continually embracing this new model, engaging in a digital transformation that examines our technology and reimagines it as an enabler of greater business productivity.

As a result, the devices that our employees use are increasingly internet focused and interconnected. Our digital transformation entails removing solutions and services from the corporate network and redeploying them in the cloud on Microsoft Azure, Office 365, and other Microsoft cloud platforms.

Assessing device management at Microsoft

Our Windows devices have been managed by System Center Configuration Manager and AD DS for many years. To be our first and best customer and to support a modern device experience, we’ve started transitioning to Microsoft Endpoint Manager by enabling co-management with Intune and Configuration Manager. Our device management team identified several aspects of the device management experience that needed to be changed to better support our devices and users. Some of the most important aspects included:

• Device deployment effort. Our device deployment strategy has been based largely on operating system (OS) images that are heavily customized and geared to specific device categories. As a result, we managed a large number of OS images. Each of these images required maintenance and updating as our environment and requirements changed, which resulted in Microsoft Digital employees investing significant time and effort to maintain those images.
• Management scope. Image deployment relied primarily on a device connecting to the corporate network and the Configuration Manager and AD DS infrastructure that supported the deployment mechanisms. Devices connected outside the corporate network did not have the same experience or deployment and management capabilities as those connected to the corporate network.
• User experience. All these issues had implications for the user experience. If an employee was connected primarily to the internet and not the corporate network, user experience suffered. Policy application and updates were not applied consistently, and many management and support tools, including remote administration, were not available. We had to implement workarounds for these employees, such as establishing virtual private network (VPN) connections back to the corporate network to facilitate more robust device management. Even with VPN, the internet-first experience was not ideal.

Moving to modern device management

To facilitate a modern device experience for our users and better support our digital transformation, we’ve begun the process of adopting modern device management for all Windows 10 devices at Microsoft. Modern device management focuses on an internet-first device connection, an agile, flexible management and deployment model, and a scalable, cloud-based infrastructure to support the mechanisms that drive device management.

Establishing internet and cloud focus

Our modern device management approach begins with and on the internet. The internet offers the most universal and widely available network for our clients. Our modern management methods are built with internet connectivity as the default, which means using internet-based management tools and methods. To enable this, we used Intune and Azure AD to create a cloud-based infrastructure that supports internet-first devices and offers a universally accessible infrastructure model.

Moving from traditional to modern with co-management

The move to modern management necessitates migrating from our traditional methods of device management rooted in Configuration Manager and AD DS. To enable a smooth transition, we decided to adopt a co-management model that enables side-by-side functionality of both traditional and modern infrastructure. This model was critical to ensuring a smooth transition and it enabled us to take a more gradual, phased approach to adopting modern management. Some advantages of the co-management model include:

• Conditional access with device compliance.
• Intune-based remote actions such as restart, remote control, and factory reset.
• Centralized visibility of device health.
• The ability to link users, devices, and apps with Azure AD.
• Modern provisioning with Windows Autopilot.

Adopting a phased approach

We developed a phased approach to moving to modern management. This approach allowed us to adequately test and incorporate modern methods. It also enabled us to choose a transition pace that best suited our business. We outlined three primary phases:

• Phase one: Establishing the foundation for modern management
• Phase two: Simplifying device onboarding and configuration
• Phase three: Moving from co-management to modern management

In each phase, we implemented one of the primary building blocks that would lead us to a fully modern, internet-first, cloud-based device management environment that supported our digital transformation and created the optimal device experience for our employees.

Phase one: Establishing the foundation for modern management

We began by establishing the core of our modern management infrastructure. We determined how it would function and how we would support the transition to modern management from our traditional model. A significant portion of the overall effort was invested in phase one, which established the basis for our entire modern management environment going forward. Our primary tasks during phase one included:

• Configuring Azure Active Directory. Azure AD provides the identity and access functionality that Intune and the other cloud-based components of our modern management model, including Office 365, Dynamics 365, and many other Microsoft cloud offerings.
• Deploying and configuring Microsoft Intune. Intune provides the mechanisms to manage configuration, ensure compliance, and support the user experience. Two Intune components were considered critical to modern management:
  • Policy-based configuration management
  • Application control
• Establishing co-management between Intune and Configuration Manager. We configured Configuration Manager and Intune to support co-management, enabling both platforms to run in parallel and configuring support for Intune and Configuration Manager on every Windows 10 device. We also deployed Cloud Management Gateway to enable connectivity for Configuration Manager clients back to our on-premises Configuration Manager infrastructure without the need for a VPN connection.
• Translating Group Policy to mobile device management (MDM) policy. Policy-based configuration is the primary method for ensuring that devices have the appropriate settings to help keep the enterprise secure and enable productivity-enhancement features. We started with a blank slate, electing to forgo a lift-and-shift approach to migrating Group Policy settings into MDM policy. Instead, we evaluated which settings were needed for our devices within an internet-first context and built our MDM policy configuration from there, using Group Policy settings as a reference. This approach allowed us to ensure a complete and focused approach while avoiding bringing over any preexisting issues that might have resided in the Group Policy environment.
• Configuring Windows Update for Business. Windows Update for Business was configured as the default for operating system and application updates for our modern-managed devices.
• Configuring Windows Defender and Microsoft Defender Advanced Threat Protection (ATP). We configured Windows Defender and Microsoft Defender ATP to protect our devices, send compliance data to Intune Conditional Access, and provide event data to our security teams. This was a critical step, considering the internet-first nature of our devices and the removal of the closed corporate network structure.
• Establishing dynamic device and user targeting for MDM policy. Dynamic device and user targeting enabled us to provide a more flexible and resilient environment for MDM policy application. It allowed us to start with a smaller standard set of policy settings and then roll out more specific and customized settings to users and devices as required. It also enables us to flexibly apply policies to devices if the devices move into different policy scopes.

Phase two: Simplifying device onboarding and configuration

Our process for device onboarding to modern management is relatively simple. As new devices are purchased and brought into the environment, they are deployed and managed by using the modern management model. This is our approach for the entire device-rollout process; it enables us to gradually onboard devices in a relatively controlled manner and avoid the extra effort required to create in-place migration paths for existing devices. We anticipate that this strategy will result in a complete transition to modern management within three years, according to our device purchase and refresh policies.

Simplifying with Windows Autopilot

We’re using Windows Autopilot as the vehicle for simplifying the user experience and ensuring better corporate asset management. Autopilot allows us to greatly simplify operating system deployment for our users and the Microsoft Digital employees who support the process. Autopilot provides several critical enablers to the deployment process, including:

• Automatically join devices to Azure Active Directory.
• Auto-enroll devices into Intune.
• Restrict Administrator account creation.
• Create and auto-assign devices to configuration groups based on a device’s profile.
• Simplify the out-of-box experience (OOBE) and reduce user involvement in the deployment process.

These capabilities allow us to create a simplified user experience and greatly reduce the time required for Microsoft Digital support staff to configure and deploy images to devices.

Phase three: Moving from co-management to modern management

The final phase in our transition to modern management is ongoing. With our current trajectory, we estimate that 99 percent of our devices will be managed under the fully modern model within three years. We’re working within the co-management model and moving toward a fully modern-managed environment. Our next steps include:

• Decommissioning non-modern infrastructure for Windows 10 management when Endpoint Manager and our business are ready for transition.
• Transitioning clients from AD DS to Azure AD and moving to a 100-percent internet-first model for client connectivity.

We’re still on the road to modern device management, but we’ve learned several lessons along the way. These learning experiences have helped us to better enable modern management now and prepare for the future at Microsoft. Some of the most important lessons include:

• Build for the cloud and start fresh. We found that the extra time required to start fresh in areas like policies and deployment planning was well worth the investment. A fresh start allowed us to plan for exactly what our users and business need, rather than trying to restructure an old model to fit a new reality.
• Go at the speed of your business. The transition to modern device management is not a one-click process. It has wide-ranging implications for an organization, and it needs to be approached intentionally and gradually. We found that large-scale, bulk migration simply didn’t provide enough benefit in relation to the effort and planning required to implement it.

Conclusion

Our transition to modern device management will continue over the next few years as we onboard devices and refine our Microsoft Endpoint Manager platform and methods. Microsoft Endpoint Manager gives Microsoft Digital a platform that enables simplified and efficient management and configuration for our devices in an environment that supports and drives our digital transformation. Our planned refinements to modern management will improve the user experience, reduce the time it takes to get reliable, fully functioning devices into our users’ hands, and create cost savings and greater efficiencies in device management for Microsoft Digital.

• Verifying device health at Microsoft with Zero Trust.
• Explore improving security by protecting elevated-privilege accounts at Microsoft.
• Unpack evolving the device experience at Microsoft.
• Keeping Windows 10 devices up to date with Microsoft Intune and Windows Update for Business.
• Migrating mobile device management to Intune in the Azure portal.

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Managing Windows 10 devices with Microsoft Intune appeared first on Inside Track Blog.

When we started rolling Microsoft 365 Copilot out across the company, our priority in Microsoft Digital was giving as many employees as possible the chance to explore this exciting new tool. In a sense, we gave everyone the keys to the car and invited them to drive AI’s open road.

It resulted in a lot of exploration, increased usage, and some very eager early adopters. To help as many people get up to speed with Copilot as possible, we focused our initial adoption efforts on a common professional persona: the modern information worker.

“This is the beginning of an entirely new meta-skill,” says Don Campbell, a senior director on Microsoft Digital’s Employee Experience Success team. “People are thinking through new habits and ways of working as they learn what Copilot is capable of enabling.”

Because of the excitement around AI, uptake was rapid and enthusiastic. Our next step was building on that initial surge of adoption and experimentation to drive more profound, targeted impact.

Actioning inspiration: Building a pathway to hero scenarios

As Microsoft 365 Copilot usage began to mature across the company, we saw opportunities to build on this momentum by presenting more contextual applications for AI. Within Microsoft Digital, we decided to create a standardized process for defining Copilot hero scenarios in roles where initial applications of AI could have the greatest impact. Concrete scenarios would resonate with those professionals by addressing real-world challenges they face every day, saving them time and bandwidth.

Ultimately, we had one goal: accelerating time to value for Copilot users.

“We wanted to explore how we could make Copilot more real to the individual,” Campbell says. “They’re asking how they can use this in ways that are specific to their role, in their function, in their organization.”

We identified five main objectives to help us get there:

• Understand the top responsibilities, challenges, needs, and wants of priority roles.
• Articulate and communicate hero scenarios for those roles and depict ways for Copilot to enable their work.
• Outline blockers and accelerators for Copilot adoption and hero scenarios. 
• Generate feedback for product groups to improve Copilot.
• Share playbook outputs with our product marketing group and post them in our Copilot Lab, our publicly available repository of Copilot prompts, to contribute value to external users.

“From the beginning, we set out to articulate our objectives and our deliverables, then worked back from there,” says Heather Layne, a director of program management on the Employee Experience Success team in Microsoft Digital. “When it came to research, we relied on our EX Studio for step-by-step guidance on purposeful engagement.”

That process unfolded in a layered approach. First, we identified the Microsoft organizations that were best positioned to receive our support. Thanks to strong interest and a robust cohort of early adopters, sales, HR, and finance were excellent candidates for our first efforts.

From there, we worked with stakeholders and AI adoption teams within each of those organizations to prioritize roles according to a rubric of criteria. Those criteria focused on enthusiasm for adoption, readiness for the next level of engagement, the number of people represented by that role within their organization, and Copilot’s applicability for their work—especially for repetitive, context-rich, or communication-intensive tasks.

“In HR, for example, we ensured there was complete thinking regarding a reimagination of our business functional architecture,” says Christopher Fernandez, corporate vice president in HR. “We identified key roles and corresponding workflows that could directly benefit from Microsoft 365 Copilot by removing mundane and repetitive tasks and providing insight to creative solutions needed to deliver business value.”

After we identified those roles, we moved into focus-group sessions with 10 to 20 participants, all selected because they had been actively using Copilot and could provide practical ideas and suggestions. It was an opportunity to tap into willing talent and let our leaders lead.

The output of those sessions came down to three hero scenarios per role, each with six steps and six Copilot prompts to propel those processes forward, as well as the relevant Microsoft tools where the prompts would apply. We also ensure these scenarios align with the company’s Responsible AI principles.

For example, our Finance team identified operations manager as a priority role. One of its key scenarios included managing contracts, and it demonstrates how prompts come together across several apps to create a process bolstered and streamlined by automation.

Finance operations | Contract management

“That output then served as an input in a few different places,” Campbell says. “We evangelized it out to the organization itself to help drive ideation, adoption, and usage, to our product marketing group for customer scenarios, and to our Copilot Lab to provide freely available examples of prompts.”

As a result, we’ve been able to boost Copilot adoption and usage across Microsoft, providing specific, concrete opportunities for people to apply this new way of working to their roles.

Crafting your own Microsoft 365 Copilot hero scenarios

This process has the benefit of being structurally simple, modular, and repeatable—so much so that we’ve made it freely available to any organization that’s using Microsoft 365 Copilot in the form of our Microsoft 365 Copilot Hero Scenario Playbook. Whether you’re adopting Copilot across your entire organization, a department, a business group, or a team, we strongly encourage you to work through this exercise.

“We want organizations to know that there are opportunities to keep this process controlled and standardized,” Layne says. “By aligning with rubrics and setting up standard practices, you know you’re not just putting in time to create something that isn’t helpful or impactful.”

Our playbook walks adoption leaders through a four-stage process that includes readiness, engagement, delivering an output, and sharing results with employees. To accelerate time to value, we’ve designed the process implementation across three weeks.

Microsoft 365 Copilot Hero Scenario Playbook

By following the playbook through four phases, you can accomplish what we’ve done at Microsoft: understanding what your priority roles need to be successful, articulating hero scenarios tailored to their work, and sharing the outputs with your organization to accelerate time to value for Copilot users.

Phase 1: Ready

This phase will help your organization, department, or team prepare for the process. It involves aligning with leadership and sponsors who will be accountable for driving Copilot value within their organization. It’s also where you’ll select the priority roles, draft outlines of those roles so you can clarify your understanding of their needs and wants, and seek out feedback from leaders, managers, and subject matter experts.

Phase 2: Engage

Engaging with employees delivers the core value of this exercise. In the engagement phase, you’ll identify participants from your priority roles who demonstrate enthusiasm and early aptitude with Copilot. From there, you choose an engagement approach that might include in-person group sessions, virtual Microsoft Whiteboard sessions, one-on-one interviews, Microsoft 365 Loop collaboration, or whatever modality works best, then communicate the process to participants and conduct your engagement.

Phase 3: Deliver

Ideating hero scenarios is how you discover value. The delivery phase defines that value and organizes it into a useful, consumable format. It starts with reviewing and analyzing the outcomes of your sessions to gain insights and identify themes. Now is the time to document your hero scenarios and the value they add, as well as blockers and accelerators. Finally, you’ll provide your output: a comprehensive deck that includes your priority roles, hero scenarios, next steps, and more.

Phase 4: Share

The final phase of this process involves socializing your scenarios across your team or organization to realize value. If you’re part of a large organization, it’s helpful to radiate these outputs beyond the target group as an opportunity for further Copilot momentum. This stage includes diving deeper into blockers and accelerators that can help your organization as a whole speed time to value.

“So much of adoption comes down to the question of ‘What’s in it for me?’” says Liz Friedman, a senior director of HR AI Transformation. “The ability to answer that question at the role level, at the level of fidelity that really resonates with what employees actually do, creates a strong bridge between the realm of possibility and day-to-day reality.”

Capturing the limitless value of AI

The shift to AI is about more than productivity. It’s about new ways of working and new ways of being.

Thanks to the modular nature of this framework, teams across Microsoft can now apply this process to their own professional needs. As time goes on, the goal is for different organizations and roles to uncover robust and efficient ways of working.

“With Copilot, we’re building new skillsets, but also new habits,” says Nathalie D’Hers, corporate vice president of Microsoft Digital. “That takes experimentation and learning, but the payoff is transformative.”

By learning from our experience and working through the Microsoft 365 Copilot Hero Scenario Playbook, your organization can execute best practices that will make the most of your AI investment, deliver value faster, manage change effectively, and scale across your organization.

Access the Microsoft 365 Copilot Hero Scenario Playbook here.

Here are some tips for getting started with developing persona-specific scenarios for priority roles at your company:

• Build strong organizational partnerships and add this process into AI efforts that teams already have underway. Identify the key AI leaders and champions on those teams.
• This process is additive and iterative, so don’t be married to the playbook. Start with the framework, then allow it to grow around organic efforts.
• Frame your scenarios around business processes, then layer on the technology.
• Validate your results through active communication, especially after you’ve socialized your hero scenarios. That ensures you sort the signal from the noise and capture even greater value moving forward.
• For your working groups, make sure you choose teams and people who have good engagement with the tool, especially enthusiasts and early adopters. This also gives people the chance to learn from each other and build on their colleagues’ ideas.
• Have a game plan about where to go next in terms of sharing and piloting. Include follow-ups and baselines so these outputs don’t just sit on the shelf.
• Get multiple perspectives. No role is exactly the same, even if the job title is. Bringing people who do similar work together and hearing commonalities and differences is very helpful and provides an opportunity to benefit from a diversity of perspectives.

New to Microsoft 365 Copilot? Get started today and see what’s possible.

• Learn more about deploying Microsoft 365 Copilot internally at Microsoft.
• Find out how we deployed Microsoft 365 Copilot with the help of—you guessed it—Copilot.
• Check out how we’re empowering our employees with AI while keeping the company secure.

• Want more information? Email us and include a link to this story and we’ll get back to you.
• Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Unlocking the potential of Microsoft 365 Copilot at the role level appeared first on Inside Track Blog.

At Microsoft Digital, the company’s IT organization, our adoption team worked to ensure we managed, communicated, and analyzed our Copilot rollout to produce the best results for every employee. Fortunately, we had a powerful sidekick in these efforts: Copilot itself.

This post shares how our Microsoft Digital adoption team benefited from early access to Copilot by using the tool to support its own deployment. If you’re planning on activating Copilot for your employees, our experience can provide inspiration for how you can launch your organization into a new era of AI assistance.

Deploying a new kind of productivity tool

As the first organization to deploy Microsoft 365 Copilot, we had an opportunity to learn firsthand how it could empower employees and enable productivity. We also got the chance to experiment with how it might make our work as an IT organization easier and more insightful.

“Because Copilot is such a new product and novel concept, we’re still testing it out ourselves,” says Jenny Goodwin, a UX researcher at Microsoft Digital. “Unlike other products like SharePoint, Teams, or Excel that operate as lone repositories or apps, we’re learning what it means to use a tool that permeates multiple apps while drawing from our massive pool of organizational data.”

There are many different disciplines at work on a deployment team, each with its own needs. They include project managers, communications and change management practitioners, and researchers. Copilot has something unique to offer each of them.

How different adoption disciplines are using Microsoft 365 Copilot

Project management

• Meeting and chat summaries through Copilot in Microsoft Teams
• Thought-starters, categorization, and task management using Copilot in Whiteboard

Communications and change management

• Content creation through generative AI composition
• Content editing and refinement in myriad Microsoft 365 apps
• Brainstorming, research and data compilation around content creation
• Multimodal media creation across Microsoft 365 apps
• Minimizing meeting burdens with recaps created by Copilot in Microsoft Teams

Listening and analytics

• Research call notetaking and summarization using Copilot in Microsoft Teams
• Assembling, translating, and collating qualitative data to identify trends and sentiments
• AI-assisted affinity mapping through Copilot in Whiteboard

Microsoft 365 Copilot was helpful to our Copilot deployment team across several different professional disciplines.

This post shares how members of our team who work in each of these roles used Microsoft 365 Copilot to help them power our internal deployment and adoption of Copilot.

Microsoft 365 Copilot keeps project management on track

In large organizations like Microsoft, there are a lot of moving pieces. That makes the project manager role exceptionally complex.

Tom Heath, a senior program manager leading global adoption efforts for Microsoft 365 Copilot, has to focus on a lot of moving parts to keep deployment on track. He’s responsible for coordinating a global virtual team and ensuring that a widely diverse set of stakeholders heads in the same direction while adapting the deployment to their individual regions.

Naturally, employees and teams are excited about bringing this new tool into their workstreams, so they want to initiate their adoption workflows as quickly as possible. Part of Heath’s role is to ensure an orderly rollout in the midst of all that excitement.

On top of these challenges, Copilot as a product is accelerating very quickly, with new features and improvements being released almost every week. Managing adoption for such a fast-moving product requires extra agility.

“From a project manager’s point of view, it’s a productivity driver,” Heath says. “Copilot brings people together more fluidly in Microsoft Teams, helps us catch up on actions and go-dos, and keeps us aligned across all of our different meetings.”

For example, a big part of Heath’s work is coordinating his virtual team of business program managers in different parts of the world. That involves numerous Teams chats occurring asynchronously across time zones.

Heath frequently finds himself asking Copilot, “What’s been happening in my Teams chats and channels over the last 24 hours?” Copilot efficiently assembles and summarizes any relevant conversations and gives him a foundation for the day’s follow-ups and action items.

Streamlining asynchronous communication and task management is just one example. Collaboration is also a large part of the role, and Copilot in Whiteboard has become a powerful tool for idea casting.

Heath’s virtual team will frequently kick-start their process by asking for suggestions, then using Copilot’s outputs as thought-starters. From there, they’ll assemble ideas into sticky notes, categorize them into themes, and then translate their results into go-do’s.

Perfecting the relationship with a digital assistant takes time and practice, but it’s a massive leg up in a task-oriented discipline like project management.

“I can prompt Copilot by saying, ‘Here are the kinds of information I need, here are the engagements I have internally, and I’d like you to tell me what I need to know about my upcoming week,’” Heath says. “A lot of it is about practicing how to speak to Copilot to get the information you want.”

Communicating and managing change with Microsoft 365 Copilot

Communications are an essential part of driving adoption forward. A modern approach includes multifaceted user communications that account for diverse employee preferences and where they spend their time, whether that’s email, community calls, or employee engagement platforms.

“The toughest job is providing the right level of information to excite and educate employees about a new tool without overcommunicating and causing people to disengage,” says Victoria Martinez, senior content program manager leading internal comms for Microsoft Digital. “Employees are here to do their work, not just manage communications.”

The speed of AI technology and Microsoft 365 Copilot means communication strategies need to be agile and flexible. Meanwhile, accommodating employees’ preferences means adoption leaders need to craft communications for the channels that meet their needs. That can be a time-consuming task.

Generative AI represents a quantum leap for communications work. When it came to our internal Copilot deployment, communicators leaned hard into experimenting with prompts.

The team found it easy to tell Copilot what they needed for any given communication, prompting it with a few key parameters: who’s speaking, what kind of communication they were trying to create, where they planned to post it, the value proposition for the audience, their reader’s persona, the message’s goal, and its context. From there, Copilot could create a series of communications to deploy via email, Microsoft Viva Engage, and any other relevant channels, all aligned with the core message.

With Copilot, communicators also found that they could rapidly accelerate other aspects of their work across everyday productivity apps. For example, when the team was building out documentation about their adoption strategy in Microsoft Word, they discovered that asking Copilot to create a presentation immediately led to a polished Microsoft PowerPoint they could use to outline that strategy internally. What was once a four-hour task had morphed into a two-minute workflow.

Those time savings aren’t just about speeding up core work. Copilot also minimizes meeting time to free up creative bandwidth.

“As communicators, we often need big chunks of dedicated focus time to think through strategy, build out a communications plan, or create quality content,” says Melissa Cafiero, communications and readiness lead for technology and experiences at Microsoft Digital. “The Copilot meeting recap feature in Teams would help me skip three meetings in a day and spend those three hours building out a comms bundle.”

Between logistical time savings and creative support, AI assistance has saved our internal communications team hours of time and expanded their efforts.

AI-driven insights for research and analytics

Understanding the user experience is a big part of driving adoption. By conducting research and analysis, we determine how to deepen engagement with the tool we’re deploying, provide valuable input for our product teams, and learn valuable lessons for future deployments.

UX research involves an enormous number of calls and interviews. Before Copilot, our researchers often operated in pairs, with one acting as a moderator and the other as a notetaker. Now, our researchers can rely on an AI-powered notetaker, reducing the need for multiple researchers on the same call. It’s like a digital research assistant with an impeccable memory. Also, having multiple observers and note-takers (i.e., a bigger audience) in a research interview can bias participant responses to be more scripted or guarded. So having fewer people in an interview is advised and beneficial.

“When Copilot in Microsoft Teams came out, I had it start taking care of my notetaking,” Goodwin says. “Now I can just ask my digital assistant direct questions about respondents’ responses, and that content streamlines my workflow and enhances efficiency for analyzing qualitative data.”

Sifting the signal from the noise isn’t easy. Aside from user interviews, a lot of listening happens through surveys and written feedback, which generates vast swaths of text that researchers need to process. To make matters more complicated, that feedback comes in multiple languages from employees all over the world.

“With every project, you have to sift through a lot of employee-generated feedback,” says Sandra Hausfelder, global listening lead for Microsoft 365. “By the time you’ve cleaned that up and assembled it into usable data, it can be outdated because of the velocity of change with AI tools.”

To deal with this influx of information at speed, our listening team has been experimenting with Copilot workflows that streamline data extraction from written feedback. After they’ve pasted those text inputs into a Microsoft Word document, they can ask Copilot to translate any non-English responses, generate an overview, sort different kinds of feedback into tables, and identify primary themes.

Our UX researchers use a similar process for affinity mapping using Copilot in Whiteboard. It’s a more visual and collaborative format to meet the needs of UX professionals, but Copilot’s ability to sort information and identify themes or trends remains the same.

With Copilot automating each of these workflows, the time to insight is accelerating. For our teams that conduct research and analytics work, it means the same number of people can perform faster and more extensive work to keep up with the velocity of change in the age of AI while still providing high-quality insights.

New technology drives new behaviors

Microsoft 365 Copilot is introducing new ways of doing work across all kinds of business functions, and deployment is no exception. Our Microsoft Digital adoption team has benefited from being the first on the planet to use this tool in their day-to-day work, and it’s driven powerful results so far.

Naturally, Copilot doesn’t replace people. It’s important to apply human instinct and insight to any results created by an AI-driven digital assistant. But our adoption teams are finding more and more ways to enact this new way of working.

“It’s changed my mindset, so I’m looking for opportunities in every step of the work I do on a daily basis,” Hausfelder says. “Now I’m always thinking about ways Copilot can help me with aspects of my job, and it’s leading to a constant evolution of processes.”

That might be the most important lesson our adoption team has learned as they’ve supported our Copilot deployment. Be willing to experiment, try new things, and explore opportunities to improve processes through automation.

The results will surprise you.

Here are some tips for getting started with Microsoft 365 Copilot at your company:

• Get a basic understanding of where Copilot comes alive in each app, then build skills around prompting to capture that value.
• Understand how Copilot manages data and documents.
• Have a dedicated space where people can come together and discuss learnings without risk.
• Encourage people to try prompts that aren’t work-related to help them get used to Copilot in a low-pressure environment.
• Suggest that your employees take time to learn about Copilot at launch and in an ongoing way.
• Use Copilot in Bing as a brainstorming partner to help you get past the blank page. From there, ask it to reframe ideas after they’re more fully formed.
• Prepare your team for a leap: Copilot takes generative AI beyond just creating text and into true digital assistance, so encourage them to flex those new muscles.

See what’s possible with Microsoft 365 Copilot today.

• Read our guide for deploying Microsoft 365 Copilot at your company—it’s based on what we learned deploying the tool internally here at Microsoft.
• Learn more about deploying Microsoft 365 Copilot internally at Microsoft.
• Explore getting the most out of generative AI at Microsoft with good governance.

• Want more information? Email us and include a link to this story and we’ll get back to you.
• Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Deploying Microsoft 365 Copilot with the help of—you guessed it—Copilot appeared first on Inside Track Blog.

Examining the device landscape at Microsoft

Our employees’ devices are their primary productivity tools. They use a wide variety of devices to access their work and succeed in their roles. Our responsibility in the Microsoft Digital Employee Experience (MDEE) organization is to ensure that each of our employees, regardless of the device they use or the location from which they connect, can be productive and connected to Microsoft tools and corporate data.

Across the landscape of more than 750,000 devices in use at Microsoft, we support Windows, Android, iOS, and macOS devices. Windows devices account for approximately 60 percent of the total employee-device population, while iOS, Android, and macOS account for the rest. Of these devices, approximately 45 percent are personally owned employee devices, including phones and tablets. Our employees are empowered to access Microsoft data and tools using managed devices that enable them to be their most productive.

[Discover how we’re verifying device health at Microsoft with Zero Trust. Unpack how we’re reducing friction throughout our device lifecycle at Microsoft. Explore how we’re using Microsoft Azure Multi-Factor Authentication at Microsoft to enhance our security.]

Migrating device management to the cloud

As hybrid work becomes the norm—and the expectation—for our employees, how we provide access to the tools they need to innovate, create, and collaborate successfully has evolved. Users want a dynamic, device-agnostic experience that focuses on providing them with the data and tools they need from almost any location, using a wide variety of devices, including PCs, laptops, tablets, and smartphones.

This model has largely replaced a traditional, Windows-based, local-network-focused model. The hybrid work experience centers on the employee and their device as the primary determinants of how they access Microsoft tools and data. It also enabled employee-directed tasks such as self-serve device setup and remediation for devices from any location. We’ve been building capabilities for the hybrid work model long before the COVID-19 pandemic made it necessary, and our investments in hybrid work have allowed us to react with agility to workplace challenges in the recent past.

A sizable portion of the devices that we support continue to be corporate-owned traditional laptops or PCs, but our device landscape also includes many personally owned devices. Our device management practices, and even what we define as a device, have changed. Many devices that our employees use to do their work are smartphones from a variety of manufacturers, and these devices use a range of operating systems. This shift in device demographics has necessitated a change in how we manage employee devices and a migration from traditional, on-premises management systems to modern, cloud-based management systems that effectively support and secure this new device demographic.

Our migration—and any migration—from traditional, on-premises management to modern management involves three key management models that play a role in how devices are managed:

• Traditional management. Microsoft Configuration Manager has been the on-premises management system of choice at Microsoft for decades. In a traditional management model, most managed devices are Windows-based, connected to a local network, and joined to an Active Directory Domain Services (AD DS) architecture. Devices in the traditional model are typically purchased, procured, and managed corporately. We use Configuration Manager to manage devices using previous versions of Windows that are not supported by Intune and to assist in Configuration Manager product development.
• Modern management. Microsoft Intune supports the modern management model at Microsoft. Intune provides cloud-based device management capabilities across Windows, Android, iOS, and macOS devices. Devices are registered in and authenticated by Microsoft Azure Active Directory. Because it’s cloud-based, Intune removes the dependency on the local network and managed devices can connect across the internet from anywhere. Modern management includes and supports both corporate and personally owned devices, including mobile devices.
• Co-management. Co-management uses a combination of traditional management and modern management techniques and tools, allowing traditional and modern management models to coexist within an organization. Microsoft Intune allows us to operate both models through a single interface and combined toolset.

In our adoption of modern management through Intune, Microsoft Azure Active Directory (Azure AD), and internet-focused connectivity, we’re adopting more standard practices for device management and the configuration of our device management systems. How we configure and operate our modern management environment is much more standardized than past solutions have been. We use native functionality extensively—the flexibility of the Microsoft cloud management toolset replaces many of the engineered customizations we have had to implement.

We use Microsoft Intune, Microsoft Azure AD, and the rest of the modern management tools the same way that any other organization would. We use procedures directly from the Microsoft documentation website, and we’re adopting documented general best practices and architectural designs that Microsoft recommends to customers. The following figure illustrates using co-management to enable the migration from traditional management to modern management.

Connecting traditional and modern models with co-management

Modern management is the goal for all client devices at Microsoft. However, moving from traditional device management to modern management is a journey, and it’s one that can’t be made overnight. Our journey to modern management began several years ago, and it’s ongoing.

We’ve embraced co-management as the first step in moving to modern management and as a long-term bridge between traditional management and modern management models. By using Microsoft Intune, we’ve been able to manage our traditional on-premises devices alongside newly deployed devices that are modern managed.

Addressing migration challenges

Microsoft Azure Active Directory is central to modern management. Azure AD is the first point of contact for most of our mobile devices and the default directory for new devices. Moving devices from AD DS to Azure AD is at the core of traditional-to-modern migration, as the two directory services provide identification, authentication, and authorization services for on-premises and cloud resources, respectively.

However, the AD DS-to-Azure AD-migration process isn’t simple on a device-to-device basis, and coordinating large-scale directory migration is time-consuming and potentially tedious. We’re using Hybrid Azure AD joined devices as a primary enabler of co-management to facilitate a smooth transition of devices from traditional to modern management. Hybrid-joined devices connect to both AD DS and Azure AD. This dual function lets us maintain existing on-premises Group Policy objects and settings for a device while we work to replicate those settings in modern management using Intune and Azure AD. We completed an analysis using the Intune Group Policy analyzer to determine which policies could be supported in Intune.

New devices are onboarded as modern-managed devices using Autopilot for Windows devices and Apple Business Manager for corporate-owned MacOS and iOS devices. However, we don’t prevent our users from joining AD DS domains if they require it. This strategy gets devices under the modern management model but allows us to continue using traditional management methods where necessary.

As old devices are replaced with new ones, traditionally managed devices decrease in number, and modern-managed devices increase. For large enterprises, a full-scale switch from traditional to modern management without co-management is almost impossible. The time it takes to migrate devices and support systems would severely reduce business efficiency and technical capability for any organization. Users must have uninterrupted access to tools and data from their devices. We anticipate that co-management will remain part of our management environment into the near future.

Supporting the Zero Trust model with verified devices

Based on the principle of verified trust—in order to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. The ability to effectively verify devices is a critical part of the Zero Trust model, and management is mandatory for any device accessing corporate data.

The Microsoft Intune platform enables us to enroll devices, bring them to a managed state, monitor the devices’ health, and enforce compliance against a set of health policies before granting access to any corporate resources. Our device health policies verify all significant aspects of device state, including encryption, antimalware, minimum OS version, hardware configuration, and more. Microsoft Intune also supports internet-based device enrollment, which is a requirement for the internet-first network focus in the Zero Trust model.

We’re using Microsoft Intune to enforce health compliance across the various health signals and across multiple client device operating systems. Validating client device health isn’t a one-time process. Our policy verification processes confirm device health each time a device tries to access corporate resources, much in the same way that we confirm the other pillars, including identity, access, and services. We’re using modern Microsoft Intune protection configuration on every managed device, including pre-boot and post-boot protection and cross-platform coverage.

Managing the device experience in the cloud

Modern-managed devices at Microsoft fall under two main categories: corporate owned devices that our employees use for business purposes, and personally owned devices that our employees bring into the workplace and use to access Microsoft resources.

Corporate owned devices

Corporate owned devices at Microsoft are most commonly Windows devices that Microsoft purchases for our employees to use. Our corporate devices come from a specific set of Windows PCs, laptops, and tablets that our employees can select from a variety of manufacturers. In modern management, these are the devices that we exercise the most control over. All corporate devices in the modern management model are registered in Microsoft Azure AD and managed by Intune.

Microsoft Azure AD, Microsoft Intune, Windows Autopilot, and Windows Update for Business deployment services enable us to take a device from the manufacturer using a standard image and directly apply our policies and management measures without requiring direct interaction from our support personnel. The employee powers on their device, signs in with their Azure AD credentials using multifactor authentication, and the device is joined to Azure AD and enrolled in Intune. Corporate policies and apps specific to the user or department are automatically deployed to the device, and the device is always managed and kept up to date, throughout its entire life cycle.

We’re also using Apple Business Manager to directly manage corporate purchased macOS and iOS devices. Apple Business Manager interfaces with Intune and provides a fully managed experience like the one we have for our corporate owned Windows devices. We can control the Out Of Box experience (OOBE) for Apple devices, reducing the number of screens users need to go through during initial setup. When the user completes the OOBE, the device will already have Intune Company Portal, Microsoft Defender for Endpoint, and other device-related corporate apps installed, simplifying the setup process. We also have the capability to push additional applications or security patches using Intune and Apple Business Manager to devices in the future.

Personally owned devices

Bring your own device (BYOD) scenarios are commonplace in the hybrid work model. Personal devices enable flexibility in the hybrid workplace. Employees can enroll their own Windows, Android, iOS, and macOS devices in Intune using Azure AD Workplace Join. Workplace Join creates a device identity in Azure AD and Intune and enforces device state and configuration through native operating system methods and management apps.

Personally owned devices don’t experience the same level of control as corporate owned devices, but modern management using Intune and Workplace Join grants us the capability to restrict access to resources based on device state and health. With this level of control, we can safely manage access to corporate data and apps stored on the device based on the user of the device and the device operating system.

Next steps

We’re continuing to move toward modern management while using co-management as a bridge to traditionally managed devices. We’re working on several modernization efforts, including migrating our corporate wireless network to internet-first and reducing the number devices using virtual private network connections. We’re also consolidating device management controls to a single interface, improving migration capabilities for domain-joined devices, and hardening device health definitions with new compliance policies. As our migration continues and the modern management environment matures, our employees will be better enabled to be productive in the hybrid work model from anywhere and on any device.

• Modern management enables your organization to embrace hybrid work practices while helping to control access to tools, data, and the devices used to access them.
• Co-management offers a bridge between traditional and modern management that’s flexible and scales to your organization’s pace and structure.
• The move toward modern management empowers employees to be productive when using any device, whether it’s their personal device or corporate owned device, on a variety of operating system platforms.
• Modern management enables the Zero Trust model, which uses a multipronged approach to help detect, manage, and prevent security breaches from inside and outside an organization.
• Large enterprises such as Microsoft can use Microsoft Intune to implement modern management without requiring significant custom integrations and solutions.

• Discover how we’re verifying device health at Microsoft with Zero Trust.
• Unpack how we’re reducing friction throughout our device lifecycle at Microsoft.
• Explore how we’re using Microsoft Azure Multi-Factor Authentication at Microsoft to enhance our security.

The post Evolving the device experience at Microsoft appeared first on Inside Track Blog.

Microsoft’s cloud-first strategy enables most Microsoft employees to directly access applications and services via the internet, but remote workers still use the company’s virtual private network (VPN) to access some corporate resources and applications when they’re outside of the office.

This became increasingly apparent when Microsoft prepared for its employees to work remotely in response to the global pandemic. VPN usage increased by 70 percent, which coincides with the significant spike in users working from home daily.

So then, how is Microsoft ensuring that its employees can securely access the applications they need?

With split tunneling and a Zero Trust security strategy.

As part of the company’s Zero Trust security strategy, employees in Microsoft Digital Employee Experience (MDEE) redesigned the VPN infrastructure by adopting a split-tunneled configuration that further enables the company’s workloads moving to the cloud.

“Adopting split tunneling has ensured that Microsoft employees can access core applications over the internet using Microsoft Azure and Microsoft Office 365,” says Steve Means, a principal cloud network engineering manager in MDEE. “This takes pressure off the VPN and gives employees more bandwidth to do their job securely.”

Eighty percent of remote working traffic flows to cloud endpoints where split tunneling is enabled, but the rest of the work that employees do remotely—which needs to be locked down on the corporate network—still goes through the company’s VPN.

“We need to make sure our VPN infrastructure has the same level of corporate network security as applications in the cloud,” says Carmichael Patton, a principal security architect on Microsoft’s Digital Security and Resilience team. “We’re applying the same Zero Trust principles to our VPN traffic, by applying conditional access to each connection.”

[Learn how Microsoft rebuilt its VPN infrastructure. Learn how Microsoft transitioned to modern access architecture with Zero Trust. Read how Microsoft is approaching Zero Trust Networking.]
For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=bleFoL0NkVM, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”

Securing remote workers with device management and conditional access

Moving most of the work that employees require to the cloud only became possible after the company adopted modern security controls that focus on securing devices.

“We no longer rely solely on the network to manage firewalls,” Patton says. “Instead, each application that an employee uses enforces its own security management—this means employees can only use an app after it verifies the health of their device.”

To support this transformed approach to security, Microsoft adopted a Zero Trust security model, which manages risk and secures working remotely by managing the device an employee uses.

“Before an employee can access an application, they must enroll their device, have relevant security policies, and have their device health validated,” Patton says. “This ensures that only registered devices that comply with company security policies can access corporate resources, which reduces the risk of malware and intruders.”

The team also recommends using a dynamic and scalable authentication mechanism, like Azure Active Directory, to avoid the trouble of certificates.

While most employees rely on our standard VPN infrastructure, Microsoft has specific scenarios that call for additional security when accessing company infrastructure or sensitive data. This is the case for MDEE employees in owner and contributor roles that are configured on a Microsoft Azure subscription as well as employees who make changes to customer-facing production services and systems like firewalls and network gear. To access corporate resources, these employees use Privileged Access Workstations, a dedicated operating system for sensitive tasks, to access a highly secure VPN infrastructure.

Phil Suver, a principal PM manager in MDEE, says working remotely during the global pandemic gives employees a sense of what the Zero Trust experience will be like when they return to the office.

“Hardened local area networks that previously accessed internal applications are a model of the past,” Suver says. “We see split tunneling as a gateway to prepare our workforce for our Zero Trust Networking posture, where user devices are highly protected from vulnerability and employees use the internet for their predominant workload.”

It’s also important to review your VPN structure for updates.

“When evaluating your VPN configuration, identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures,” Patton says. “Understand the security controls you give up by not flowing the connections through your internal infrastructure. Then, look at the controls you’re able to extend to the clients themselves, and find the right balance of risk and productivity that fits your organization.”

Keeping your devices up-to-date with split tunneling

Enterprises can also optimize patching and manage update compliance using services like Microsoft Endpoint Manager, Microsoft Intune, and Windows Update for Business. At Microsoft, a split-tunneled VPN configuration allows these services to keep devices current without requiring a VPN tunnel to do it.

“With a split-tunneled configuration, update traffic comes through the internet,” says Mike Carlson, a principal service engineering manager in MDEE. “This improves the user experience for employees by freeing up VPN bandwidth during patch and release cycles.”

At Microsoft, device updates fall into two categories: feature updates and quality updates. Feature updates occur every six months and encompass new operating system features, functionality, and major bug fixes. In contrast, monthly quality updates include security and reliability updates as well as small bug fixes. To balance both user experience and security, Microsoft’s current configuration of Windows Update for Business prompts Microsoft employees to update within 48 hours for quality updates and 7 days for feature updates.

“Not only can Windows Update for Business isolate update traffic from the VPN connection, but it can also provide better compliance management by using the deadline feature to adjust the timing of quality and feature updates,” Carlson says. “We can quickly drive compliance and have more time to focus on employees that may need additional support.”

Evaluating your VPN configuration

When your enterprise evaluates which VPN configuration works best for your company and users, you must evaluate their workflows.

“Some companies may need a full tunnel configuration, and others might want something cloud-based,” Means says. “If you’re a Microsoft customer, you can work with your sales team to request a customer engagement with a Microsoft expert to better understand our implementation and whether it would work for your enterprise.”

Means also said that it’s important to assess the legal requirements of the countries you operate in, which is done at Microsoft using Azure Traffic Manager. For example, split tunneling may not be the right configuration for countries with tighter controls over how traffic flows within and beyond their borders.

Suver also emphasized the importance of understanding the persona of your workforce, suggesting you should assess the workloads they may need to use remotely and their bandwidth capacity. You should also consider the maximum number of concurrent connections your VPN infrastructure supports and think through potential seasonal disruptions.

“Ensure that you’ve built for a snow day or a pandemic of a global nature,” Suver says. “We’ve had to send thousands of customer support agents to work from home. Typically, they didn’t use VPN to have voice conversations with customers. Because we sized and distributed our infrastructure for a global workforce, we were able to quickly adapt to the dramatic shift in workloads that have come from our employees working from home during the pandemic. Anticipate some of the changes in workflow that might occur, and test for those conditions.”

It’s also important to collect user connection and traffic data in a central location for your VPN infrastructure, to use modern visualization services like Microsoft Power BI to identify hot spots before they happen, and to plan for growth.

Means’s biggest piece of advice?

Focus on what your enterprise needs and go from there.

“Identify what you want to access and what you want to protect,” he says. “Then build to that model.”

Tips for retooling VPN at your company

Azure offers a native, highly-scalable VPN gateway, and the most common third-party VPN and Software-Defined Wide Area Network virtual appliances in the Azure Marketplace.

For more information on these and other Azure and Office network optimizing practices, please see:

• Office Connectivity Principles
• Network considerations for Teams
• Azure OpenVPN client
• Azure VPN Gateways
• Azure Point-to-site VPN
• VPN Network Virtual Appliances in the Azure Marketplace
• Publishing web applications using Azure Active Directory’s Application Proxy
• VPN split tunneling for Office 365
• How-to guides for common VPN platforms
• Updates for improving work-from-home employee access

• Here are some alternative ways for security professionals and IT to achieve modern security controls in remote work scenarios.
• Check our best practices and guidelines for security professionals on how to work remotely and stay secure.

Here are additional resources to learn more about how Microsoft applies networking best practices and supports a Zero Trust security strategy:

• Learn how Microsoft rebuilt its VPN infrastructure.
• Learn how Microsoft transitioned to modern access architecture with Zero Trust.
• Read how Microsoft is approaching Zero Trust Networking.

The post Using a Zero Trust strategy to secure Microsoft’s network during remote work appeared first on Inside Track Blog.

Windows 11, built on the same foundation as Windows 10, came to us at a time when Microsoft needed to manage a distributed workforce. Historically speaking, it’s not easy to roll out a new operating system across an enterprise as large and complex as ours, but the similarities to Windows 10 meant Windows 11 could leverage existing deployment capabilities, scenarios, and tools. Utilizing these familiar tools and processes allowed us to deploy to 90 percent of eligible devices in five weeks, making the Windows 11 deployment the easiest and least disruptive release experienced to date.

“In nearly every way, Windows 11 Enterprise deploys just like any other Windows 10 feature update,” says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company. “When you look at the data, our time to deploy, and the number of support contacts, Windows 11 is the most successful Windows deployment in our history.”

We’ve had a great experience with Windows 11. Our migration was smooth and keeping it up to date has been even easier.

—Nathalie D’Hers, corporate vice president, Microsoft Digital Employee Experience

It took our Microsoft Digital Employee Experience team fewer IT resources than ever to move to Windows 11. Most importantly, it wasn’t a burden on our employees. Our Windows 11 deployment enabled us to protect our environment, empower our people, and do so without embarking on an expensive or complicated venture.

“We’ve had a great experience with Windows 11,” D’Hers says. “Our migration was smooth and keeping it up to date has been even easier.”

[Take a look at our rich set of content that chronicles our move to Windows 11. Learn more about Microsoft’s speedy upgrade to Windows 11. Discover the new Windows 11 security features are designed for hybrid work.]

Why was it so important for us to move to Windows 11?

It’s easy to look at Microsoft and say, “Sure, you’re a giant tech company, you have all these hardware and IT resources, it must be so easy for you to stay current!”

It’s not that simple.

In our attempt to become an evergreen platform, an operating system-as-a-service, we recognized a need to promote a hardware baseline that would ensure specific productivity and secure-by-default functions are available to users. These requirements meant that some devices running Windows 10 would not be eligible, thus a need to delineate products. Windows 11 would run side-by-side with Windows 10, albeit on devices that met the hardware requirements.

Still, when all is said and done, Windows 11 is based on all the same fundamentals as Windows 10.

And there are a lot of benefits to this.

It allows us to promote adoption without the risk of our apps suddenly breaking. App compatibility between Windows 10 and Windows 11 is more than 99 percent.

In fact, Windows 11 and Windows 10 are so similar, we can run them side-by-side with the same tools. That’s why we were able to manage the Windows 11 Enterprise deployment like previous Windows 10 updates using Windows Update for Business deployment service policies.

Windows 11 is definitely an upgrade from Windows 10, but rolled out and adopted like a typical update. The baseline hardware requirements enable us to provide our people with a more secure and productive environment. We quickly experienced the benefits of Windows 11 security enhancements and new productivity tools to enable exceptional work.

A more efficient experience

Prior to migrating to Windows Update for Business deployment service, deploying Windows feature updates would be a complicated, long-term project.

“We had to create multiple packages, both 64- and 32-bit versions and for each of the supported languages used in our environment,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience. “Each package was tested and then deployed to multiple distribution points globally for each update. The deployment also relied on a task sequence to download and install the updates on devices which could easily be disrupted.”

This effort could take weeks or even several months.

Furthermore, the process was costly, requiring physical infrastructure dependencies for hosting packages. Gearing up for a new release would also require additional augmented staffing to help run the deployments. To top it off, network and VPN bandwidth limitations could create frustrating delays and interruptions for employees trying to install an update depending on their location.

Moving to Windows Update for Business policies saved both time and money without hurting adoption. The first release to benefit, the Windows 10 October 2018 Update, saw 95 percent adoption within 10 weeks of a feature update being made available to devices. It’s only gotten better since then.

Windows Update for Business deployment service reduced administrative overhead considerably by eliminating the need to manually create deployment waves.

—Markus Gonis, service engineer and deployment lead, Microsoft Digital Employee Experience

The service eliminated the need for packaging, replication, and publishing activities. All in, Microsoft Digital Employee Experience saved 120 hours of work per deployment along with an additional 90 hours in testing. Further savings were achieved by reducing the reliance on augmented staff to support deployments.

By the time Windows 11 was ready for release in 2021, we had access to Windows Update for Business deployment service.

“This made setting up the deployment even easier,” Gonis says. “Windows Update for Business deployment service reduced administrative overhead considerably by eliminating the need to manually create deployment waves.”

Windows Update for Business deployment service calculates the number of devices based on the initial configuration and deploys more frequently and efficiently to the population. Supplementing this effort, Windows Update for Business reports show us what to target, making it easy to exclude ineligible devices.

A device is your connection to your work experience, especially when you can’t go into the office. Your device shouldn’t get in the way of what you’re doing, so we wanted to make sure our employees had a good upgrade experience.

—Nathalie D’Hers, corporate vice president, Microsoft Digital Employee Experience

Knowing that the Windows 11 Enterprise deployment would be managed by the same technology and processes we rely on for feature updates made it a safe decision. Knowing that it could be done without incurring significant costs made it an easy one.

A faster experience

There is another reason we were so confident in the Windows 11 Enterprise deployment. We knew users would benefit from new productivity features without having the upgrade cut into their day.

“A device is your connection to your work experience, especially when you can’t go into the office,” D’Hers says. “Your device shouldn’t get in the way of what you’re doing, so we wanted to make sure our employees had a good upgrade experience.”

We knew certain features in Windows 11—including an improved user interface, tighter integration of Microsoft Teams across apps, and snap layouts—would help our people stay engaged throughout their day. We also knew users would avoid the upgrade if it prevented them from doing their work or became a nuisance.

To create a disruption-free experience, Windows 11 simply downloads and installs in the background and alerts the user when the device is ready. A quick restart finishes the installation, which can be scheduled to take place during non-work hours. As soon as 20 minutes later, the employee is up and running in Windows 11.

The improved update experience, flexibility, and increased end-user control around the update was an enormous success with our people. User sentiment scores for the Windows 11 Enterprise deployment averaged a full 18 points higher than the latest Windows 10 release. This is the highest satisfaction score we have ever seen for a deployment, and it’s significantly higher than the highest score ever received pre-Windows Update for Business, which was 112.

”There were no major incidents reported through support channels directly related to the Windows 11 update nor the deployment,” Gonis says. “The overall incident count unique to Windows 11 was limited to 398 across the entire 225,000 device deployment, with any additional incidents associated with random infrastructure or device management issues that one typically experiences in an enterprise environment.”

Overall, this represents a 40 percent decrease in helpdesk incidents compared to pre-Windows Update for Business deployments.

Each successive version of Windows has brought refinement and optimization to the deployment process. Windows 11 built on this refinement to become the best experience to date. By making the deployment process quick and easy, users gain important productivity features while also taking advantage of new baseline protections.

Secure by default

Windows 11 is about security from the ground up.

“It’s strategic level-setting,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the division responsible for protecting the company and our products. “At a high level, Windows 11 enforces sets of functionalities we need to make the environment secure by default.”

Windows has always let you install whatever you want from wherever. We can now use hardware-backed features in Windows 11 to put policies in place that still enable users to have flexibility in choosing their own applications without compromising security.

—Carmichael Patton, principal program manager, Digital Security and Resilience

To be eligible for a Windows 11 upgrade, a device must meet certain hardware specifications, including TPM 2.0. Because of these new hardware requirements, encryption keys, user credentials, and other vital information are protected from unauthorized access and tampering.

As a result, we can take existing security features found in Windows and allow them to reach their full potential. Windows 11 empowers users to have the same great Windows experience they expect without concession.

“Windows has always let you install whatever you want from wherever,” Patton says, noting that this important level of control is also a way malware can get on your device. “We can now use hardware-backed features in Windows 11 to put policies in place that still enable users to have flexibility in choosing their own applications without compromising security.”

Windows 11 continually updates this app control policy so that common and known safe apps are permitted while dangerous, unknown, and potentially malicious apps are blocked.

The same hardware-backed protections extend to user identities. Windows Defender Credential Guard and credential isolation with Local Security Authority (LSA) protection are now enabled by default on Windows 11 Enterprise edition. Both protections make it harder for attackers to infiltrate devices and steal a user’s identity.

Microsoft Defender SmartScreen can detect and warn users who are about to enter passwords into an app or website that’s known to be compromised. The feature further improves user security by promoting good password hygiene and alerts users when they perform unsafe credential practices, like saving passwords in a text file.

Updating Windows 11 is getting even faster with the download and install phases shortening from 90 to an average of 60 minutes in the background and an average 20-minute final restart. Most people at Microsoft have a device that can run Windows 11 and, by March, we reached a 97 percent compliance rate.

—Markus Gonis, service engineer and deployment lead, Microsoft Digital Employee Experience

“Windows 10 could do a lot by configuration but not by default,” Patton says. “Windows 11 moved us to having more features be secure by default. Each new release adds more secure-by-default features.”

Now that we have this security baseline provided by hardware and software synergies, we can enforce security functions in the pipeline for Windows 11.

The Windows 11 experience

We’re now a year into Windows 11 including deploying its first major update, and we can see how deployments continue to become faster, more efficient, and less disruptive. This is in large part because we do not need to adopt any new device management tools or processes. We can run Windows 11 alongside Windows 10 using the same systems.

“Updating Windows 11 is getting even faster with the download and install phases shortening from 90 to an average of 60 minutes in the background and an average 20-minute final restart,” Gonis says. “Most people at Microsoft have a device that can run Windows 11 and, by March, we reached a 97 percent compliance rate.”

Deployment of the Windows 11 2022 Update was even faster than the original release, with over 90 percent adoption in just under five weeks. Excitement around the release resulted in a 50 percent increase in employees installing the update prior to its public release.

This means users are getting the security and productivity features they need to have the best experience possible now and in the future.

Modern hardware running a modern operating system will result in a better experience for everyone involved. Windows 11 serves as a baseline that allows us to easily see the state of security at Microsoft. By lifting the hardware floor, we can ensure users have consistent performance and protection in place.

• Windows 11 strengthens your security posture, allowing you to offload legacy security solutions and centralize administration.
• Consistency in system integrations and user experiences between Windows 10 and Windows 11 makes it easy to transition without having to adopt new applications or management solutions.
• Windows Autopilot allows OEMs to automatically register devices in Intune, avoiding manual steps and allowing an organization to preconfigure new devices before distributing them to employees.
• Windows Update for Business deployment service allows IT administrators to easily segment devices, organizations, and teams to better target deployments. This makes exceptions easier to manage.

• Take a look at our rich set of content that chronicles our move to Windows 11.
• Learn more about our internal deployment of the first major update to Windows 11.
• Read our initial story on upgrading to Windows 11.
• Discover the new Windows 11 security features are designed for hybrid work.
• Get the inside scoop on Microsoft’s app compatibility promise for Windows 11.

The post Looking back at deployment of Windows 11 at Microsoft appeared first on Inside Track Blog.