[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]
Improvements to Windows 11—including the major Windows 11 2022 update from late last year—are making it faster and simpler for our internal IT team at Microsoft to roll out Windows updates to our employees.
New tools and practices at Microsoft have made it easier to transform a multi-step and months-long process into something more centralized.
“Given how different teams manage our infrastructure, I didn’t always have direct admin access for deploying updates and making policy changes as required, so I relied heavily on admins in different organizations to make those changes,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience, our internal organization with an IT role that powers, protects, and transforms the company.
That took additional coordination. First, we had to plan out a deployment strategy for the update based on our environment and different types of device management (e.g., Domain-joined AD, Hybrid Domain-joined AD, and Azure AD-joined), including the creation and management of multiple deployment rings with thousands of devices and adjusting policy values to support each deployment. Timing for the deployment rings had to be carefully orchestrated so that they did not overlap and disrupt each other.
“We had to set up meetings, talk through the plan, and then coordinate with different people in several organizations to make things happen,” Gonis says. “It was a massive juggling effort.”
That’s all changed now.
“Now—to deliver an update to the entire company—all we have to do is set up Windows Update for Business deployment service,” Gonis says. “We add start and end dates, duration, and security groups for devices to be included and excluded from the deployment. Finally, we just need to add devices to their appropriate security groups based on the deployment plan, and we’re all set. This lets me deploy major updates centrally to the entire company with greater accuracy, speed, and efficiency.”
At a high level, Windows 11 enforces sets of functionalities that drive the environment to be secure by default. Windows 10 could do a lot by configuration, but not by default. Windows 11 starts us on that journey, and each release adds more protections.
—Carmichael Patton, security architect, Microsoft Digital Security and Resilience team
Given the size and distribution of Microsoft, streamlining deployment updates into a single service has substantially transformed what used to be a cumbersome process. As a result, we can now get the latest experience and security features to our employees fast and with minimal effort.
[Check out the latest features available in the Windows 11 2022 Update. Discover the new Windows 11 security features designed for hybrid work. Find out how Microsoft was able to quickly upgrade to Windows 11.]
New Windows, same great experience
The Windows team’s move to bring continuous innovation to Windows 11 is enabling Microsoft to deliver organizations, including Microsoft’s internal IT team, new value on a more frequent basis.
However, the product team also understands the need for organizations like ours to have a stable environment and control. The Windows team has established a client policy to control select features introduced via servicing until they are released as part of the next annual feature update. The most recent February update to Windows 11 focuses on improving search in Windows, and the 2022 update from last year concentrates heavily on empowering users with the latest security features and configurations.
“At a high level, Windows 11 enforces sets of functionalities that drive the environment to be secure by default,” says Carmichael Patton, a security architect with Microsoft Digital Security and Resilience team, the group responsible for protecting Microsoft so that we can deliver and operate secure products and services to our customers. “Windows 10 could do a lot by configuration, but not by default. Windows 11 starts us on that journey, and each release adds more protections.”
These new features include Windows Defender App Control (WDAC), which gives Microsoft, individuals, and businesses the ability to prevent scripting attacks while protecting users from running untrusted applications associated with malware.
Additional protections against malware, like hypervisor-protected code integrity (HVCI) and the Microsoft vulnerable driver block list, ensure that only validated code can be executed. This prevents cybercriminals from injecting malicious code or exploiting known vulnerable drivers.
The Windows 11 2022 Update adds several enabled-by-default identity and password protections to further enable hybrid work. This includes several hardware-backed protections to guard identities, protect against phishing, and further enhance single-sign on (SSO) password-less authentication using Windows Hello for Business.
The update also includes features that improve IT policy and compliance as well, including config lock: a feature that monitors and prevents configuration drift from occurring when users with local admin rights change settings.
All of this is great news internally at Microsoft, where keeping everyone safe and empowered is a top priority.
Deploying the Windows 11 2022 update at Microsoft
While a lot of attention is directed towards search improvements for users, the Windows 11 2022 update transformed things in a big way for our IT admins.
“By the end of the deployment in fall 2022, we reached 225,000 eligible devices or about 90 percent of the devices in our environment,” Gonis says. “We were able to get the update on all those devices in a little under five weeks.”
We’re still adding new devices all the time, but as of March 2023, we now have 97 percent of all eligible devices at Microsoft loaded with Windows 11 and the 2022 update.
“There’s a lot of excitement around our progress with Windows 11 and the update,” Gonis says.
From an IT perspective, the entire deployment is now easier using Windows Update for Business polices in conjunction with the deployment service. It’s very smooth.
—Markus Gonis, service engineer and deployment lead, Microsoft Digital Employee Experience
As with the initial deployment of Windows 11, the update downloads and installs in the background without interrupting our employees. Once installed, employees are prompted to restart or schedule a restart usually within 7 days to complete their update.
The background download and install phases have shortened to an average of 60 minutes for major updates. The restart phase, which is the part that actually impacts our employees, now averages around 20 minutes, a range that is shorter for smaller releases.
“From an IT perspective, the entire deployment is now easier using Windows Update for Business polices in conjunction with the deployment service,” Gonis says.
Before having access to this more modern approach using Windows Update for Business policies and the deployment service, which only requires devices connected to the internet, Windows feature updates used a traditional on-premises deployment. We deployed across eight deployment rings starting on specific days and with longer duration. This necessitated more testing both with the update’s final build and the overall process while also requiring about a week to publish packages to distribution points around the world. Being more infrastructure intensive, this could potentially impact performance when too many devices were downloading an update locally depending on location.
The Windows Update for Business deployment service has an easy-to-use interface to set deployment start and end times including the duration for when devices will be offered the update. The service makes device calculations based on these variables and the total number of devices in the deployment. This has made it simple for us to quickly set up multiple deployments (e.g., updating Windows 11 and Windows 10 devices concurrently to their latest versions). After adding devices to security groups as appropriate, the service takes over.
Instead of updating many devices at once for each deployment wave (traditionally up to 50k devices two times a week), Windows Update for Business deployment service allows for an efficient, steady release. For the 2022 Update we chose a faster duration, which offered a random number of devices the update every 2 days based on the start and end dates of the deployment and total number of devices. This allowed for fewer devices to be offered the update more often and increased adoption by giving employees a larger window to install it based on the Windows Update for Business policies. The deployment service creates deployment rings for you, and that gives our Microsoft Digital Employee Experience team flexibility to address any issues if needed.
Furthermore, devices required to be exempt from an update, such as a device required for testing or development, are easily omitted without users continuously getting update notices.
“It’s very smooth,” Gonis says. “We really appreciate how much better all of this works now.”
Having the right tools for the job
In just under five short weeks, Microsoft was able deploy the Windows 11 2022 Update to most users with Windows 11-eligible devices across the company. Aided by new tools, the update was the smoothest deployment in the history of the company, and it’s only going to get more efficient.
“The next step is using Windows Update for Business deployment service as a single deployment strategy,” Gonis says. “In the past, we needed to setup two different deployments based on device management: one for domain-joined devices in Active Directory and one for devices in Azure Active Directory.”
Today, since most devices at Microsoft are Azure AD-joined and the remaining domain-joined devices are Hybrid AD or co-managed, both sets of devices can take advantage of Windows Update for Business deployment service for deployments.
“We no longer have to plan for multiple update strategies,” Gonis says.
This will be further aided by other services, including Windows Update for Business reports, which will give more information about individual device state and whether a device is ready to update. This culminates in using data to make better decisions and be more prescriptive.
If you take a step back, the big-picture benefit is that our employees now have a much-improved experience while also getting the latest security features and protections by default.
“The biggest uplift isn’t from Windows 11 to the 2022 Update; it’s from Windows 10 to Windows 11, which was relatively easy too,” Patton says. “Everything that comes after that is just part of the journey to protect users.”
- Find and manage device exclusions as early as possible. Once they’ve been added to an exclusion list through Windows Update for Business deployment service, they will no longer receive notifications to update. These devices can easily be added back to the deployment later.
- Clean user data makes it easy to build security groups and know where the devices are. If you do need to exclude any devices, it’ll also be easier to find them.
- Windows Update for Business deployment service is easy to configure with start and stop dates for a deployment. You can also set a duration so that the offer to update begins every few days to a certain number of devices based on the overall number of devices in the deployment. The devices are then governed by the Windows Update for Business policies such as Commercial Deadline and Grace Period to enforce a specific number of days before being forced to restart to complete the update.
- Windows 11’s secure by default features are enabled by specific hardware requirements. This gives Microsoft and other companies a baseline level of security across the board.