Like its customers, Microsoft has a strong business need to address the new challenges created by remote and hybrid work. The internal adoption of Windows 11 is helping the company meet those needs, while enabling its employees to work smarter and more securely, regardless of where they are.
Upgrading to Windows 11 at Microsoft
Microsoft’s priority in rolling out Windows 11 internally was to provide employees uninterrupted access to a safe and productive workspace while giving them a chance to try out the new operating system.
Introducing a new operating system, especially across a distributed workforce, naturally led to questions about device downtime and app compatibility. However, with established practices and evolved solutions in hand, historical obstacles became just that—a thing of the past. The rollout of Windows 11 at Microsoft was the most streamlined to date, frictionlessly delivering employees the latest operating system in record time.
What made the deployment of Windows 11 a success?
Over the past decade, Microsoft Digital Employee Experience, the organization that powers, protects, and transforms employee experiences, has worked closely with teams such as the Windows product group to improve how it runs Microsoft’s updates, upgrades, and deployments.
Whereas significant time and resources were once dedicated to testing app compatibility, building out multiple disk images, and managing a complex delivery method, processes and tools introduced during Windows 10 have streamlined upgrades and enabled the transformation to a frictionless experience.
Data from App Assure, a Microsoft service available to all customers with eligible subscriptions, shows the company had 99.7 percent compatibility for all apps in Windows 11—that eliminated the need for extensive testing. It also meant that employees’ Windows 10 apps work seamlessly in Windows 11. Additionally, Microsoft Endpoint Manager and Windows Update for Business eliminated the need for using more than one disk image and made it easier for employees to get Windows 11.
Microsoft Digital Employee Experience relied on the same familiar tools and process as a Windows 10 feature update to quickly deliver the upgrade to employees.
The upgrade was divided into three parts:
Plan: Identify an execution and communication plan, then develop a timeline
Prepare: Establish reporting systems, run tests, ready employees, and build backend services
Deploy: Deploy Windows 11 to eligible devices
It all starts with a good plan
Microsoft Digital Employee Experience has a successful history of deploying new services, apps, and operating systems to employees. And it all starts at the same place—creating a disruption-free strategy that enables employees to embrace the latest technology as soon as possible without sacrificing productivity.
Assess the environment
Before the deployment of Windows 11 could begin, Microsoft Digital Employee Experience had to take a careful inventory of all devices at Microsoft and determine which they should target. Windows 11 has specific hardware requirements, and a percentage of employees running ineligible devices meant that not every device would be upgraded. Employees with these devices will upgrade to Windows 11 during their next device refresh.
To evaluate the device population, Microsoft Digital Employee Experience used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature. This allowed the team to generate reports on devices that either met or failed to comply with minimum specifications. For example, certain devices, especially older desktops, lacked the Trusted Platform Module 2.0 (TPM) chipset requirements for security in Windows 11.
In the end, 190,000 devices were deemed eligible based on hardware and role requirements. Over the course of five weeks, Microsoft Digital Employee Experience deployed Windows 11 to 99 percent of qualifying devices.
Address ineligible devices and exclusions
After evaluating the broad population of devices, the team developed a plan for devices that would not receive a Windows 11 upgrade. Since Windows 10 and Windows 11 can be seamlessly managed side-by-side within the same management system, Microsoft only had to designate the number of devices that would not receive the upgrade. Using Update Compliance to inform deployment policies, Microsoft Digital Employee Experience applied controls on ineligible devices, automatically skipping them during deployment. These measures made it easy to know why a device didn’t upgrade, but also assured a disruption-free experience for both employees and those in Microsoft Digital Employee Experience responsible for managing the upgrade.
These controls also allowed the company to bypass deployment on any device that had been incorrectly targeted for an upgrade.
Ineligible devices. Windows 10 and Windows 11 can be managed side-by-side and will be supported concurrently at Microsoft until all devices are upgraded or retired. As devices are refreshed, more and more employees at Microsoft will gain access to Windows 11.
Devices that should not receive the upgrade. Other devices, like servers and test labs—where Microsoft validates new products on previous operating systems—were issued controls and excluded from receiving Windows 11.
Establish a deployment timeline
Once upgradeable devices were identified, the team was able to create a clear timeline. From this schedule, Microsoft Digital Employee Experience’s communications team developed an outreach plan, support teams readied the helpdesk, and the deployment team developed critical reporting mechanisms to track progress.
For the deployment itself, the team used a ring-based approach to segment the deployment into several waves. This allowed the team to gradually release Windows 11 across the company, reducing the risk of disruption.
Create a rollback plan
Windows 11 has built-in support for rolling back to Windows 10 with a default window of 10 days after installation. If needed, Microsoft Digital Employee Experience could have revised this period via group policy or script using Microsoft Intune. Post-upgrade, there wasn’t much demand for a rollback, but the strategic release cadence that the team used, paired with the rollback capability, gave the team an easy way to quickly revert devices that might require going back to Windows 10 for a business need.
Preparing for success
Prior to starting the Windows 11 upgrade, Microsoft Digital Employee Experience asked employees to complete pre-work needed for a successful upgrade. Because the upgrade was so smooth, only light readiness communications were needed. Instead, the team focused on ensuring that employees were aware and excited about the benefits of Windows 11 and that they were ready to share their feedback on what it was like to use it.
To maximize the impact of its communications, the team readied content that was digestible for every employee, regardless of role. Employees needed clear and concise messaging that would resonate, so that they could understand what Windows 11 would mean for them.
Microsoft Digital Employee Experience targeted a variety of established channels, including Yammer, FAQs on Microsoft SharePoint, email, Microsoft Teams, Microsoft’s internal homepage, and digital signage to promote Windows 11.
To generate interest, materials focused on:
- The new look and features of Windows 11, designed for hybrid work and built on Zero Trust
- Flexible and easy upgrade options, including the ability to schedule upgrades at a time that worked best for the employee
- The speed at which employees could be up and running Windows 11, as quickly as 20 minutes
- New terms related to Windows 11 and where employees could go to learn more
An entire page on the company’s internal helpdesk site was dedicated to links related to the upgrade, including Microsoft Docs, where users could find a comprehensive library on new features.
Executive announcements from company leadership also conveyed the benefit of moving to Windows 11 and the ease with which it could be done.
Microsoft Digital Employee Experience directed employees waiting to see if their device met Windows 11’s hardware requirements to the PC Health Check app. At an enterprise level, the team relied on Update Compliance to assess the device population.
The team also used this opportunity to reinforce messaging to Windows 10 users—both operating systems would continue to operate side-by-side until all devices were refreshed. This helped ease concerns for employees who had to wait for an upgrade.
Getting the deployment right wasn’t just about sending messages outward. The team needed to receive and respond to employee questions before, during, and after the Windows 11 rollout.
Support teams were given an opportunity to delve into Windows 11 prior to the deployment, which, based on experiences with previous upgrades, gave them time to categorize and group by severity any potential issues they might encounter. This familiarity not only helped them give employees informed answers, but also served as another feedback gathering mechanism.
Open for feedback
Microsoft runs on Microsoft technology and encourages its employees to join the Windows Insider Program, where users are free to provide feedback directly to developers and product teams.
That’s why communications didn’t just focus on what was new with Windows 11, but on how feedback could be shared. If an employee had comments, they submitted them through a Feedback Hub where other employees could upvote tickets, giving visibility to engineers in Microsoft Digital Employee Experience and the Windows product group.
Pre-work for deployment readiness
In addition to readying employees, Microsoft Digital Employee Experience had to make sure all the backend services were in place prior to the deployment. This included building several processes, setting up analytics, and testing.
Establish analytics reports
Evolving beyond previous upgrades, the deployment of Windows 11 was the most data driven release Microsoft has ever done. Looking closer at diagnostic data and creating better adoption reporting gave the team clear data to look at throughout the deployment.
Using Microsoft Power BI, the team could share insights regarding the company’s environment. This better prepared the team and allowed them to monitor progress during deployment.
The team captured the following metrics:
- Device population
- Devices by country
- Devices by region
In addition to visibility into project status, access to this data empowered the team to engage employees whose eligible devices did not receive the upgrade.
Build an opt-out process
To accommodate users whose eligible devices might need to be excluded from the deployment, the team created a robust workback plan that included a request and approval process, a tracking system, and a set timeline for how long devices would be excluded from the upgrade.
Microsoft Digital Employee Experience released communications specifying the timeframe for employees to opt out, including process steps. Employees who needed to remove their devices from the upgrade submitted their alias, machine name, and reason for exclusion. From there, the team evaluated their requests. Only users with a business reason were allowed to opt out. For example, Internet Explorer 11 requires Windows 10, so employees who need that browser for testing purposes were allowed to remove their devices from the deployment.
Once the team had approved devices for exclusion, a block was put in place to remove them from the deployment. Data gathered during the opt-out process enabled the team to follow up with these employees, upgrading them to Windows 11 at a more appropriate time.
Create a security model
At Microsoft, security is always top of mind. A careful risk assessment, including testing out a series of threat scenarios, was performed before Windows 11 was deployed across the company.
Microsoft Digital Employee Experience built several specific Windows 11 security policies in a test environment and benchmarked them against policies built for Windows 10.
After testing the policies and scenarios to see if they would have any impact on employees, the team found that devices with Windows 11 would meet Microsoft’s rigorous security thresholds without creating any disruptions. Just as importantly, users would experience the same behaviors in Windows 11 as they might expect from Windows 10.
A decade ago, efforts to deploy feature updates could be challenging, as the organization needed to account for different builds, languages, policies, and more. This required careful management of distribution points and VPNs prior to beginning deployment efforts in earnest.
When Windows 10 was released in 2015, the team used two deployment strategies: one for on-premises managed devices and one for cloud managed devices. Today, the situation is much simpler.
Launched during the Windows 10 era, Windows Update for Business established some of the trusted practices that make product releases and feature updates a great experience at Microsoft. Windows Update for Business deployment service introduces new efficiencies for Microsoft Digital Employee Experience, consolidating two deployment strategies into one.
For the deployment of Windows 11, the team had an advantage—Windows Update for Business deployment service.
Windows Update for Business deployment service enabled Microsoft Digital Employee Experience to grab device IDs from across the environment and use them to automate the deployment. Windows Update for Business deployment service handled all the backend processing and scheduling for Microsoft Digital Employee Experience; all the team needed to do was determine the start and end dates.
The team easily managed exclusions and opt-outs with Windows Update for Business deployment service, and when a device needed to be upgraded, the service made it easier to remove and roll them back to Windows 10.
Importantly, Windows Update for Business deployment service provides a single deployment strategy for Microsoft Digital Employee Experience moving forward. Deployment has been simplified, and the data loaded into Windows Update for Business deployment service for this upgrade will help speed up future releases.
Policies for success
Microsoft Digital Employee Experience had to decide which policies they wanted to work with for the greatest outcome. This included how many alerts an employee would receive before receiving an upgrade to Windows 11.
Windows Update for Business deployment services reduced the long list of policies that the team needed to manage during deployment. This accelerated deployment without compromising security.
From pilot to global deployment
By structuring the deployment timeline to hit a small group of employees before incrementally moving on to a larger population, Microsoft Digital Employee Experience ensured Windows Update for Business deployment service ran as expected and that all required controls and permissions were set.
As the team used the Windows Update for Business deployment service to plot out upgrade waves, Windows 11 downloaded in the background and employees received pop-up alerts when their device was ready. The employee could restart at any time and would boot into Windows 11 after a few automated systems completed the installation. Employees could also schedule Windows 11 to upgrade overnight or during the weekend.
Working closely with Microsoft Surface and other Original Equipment Manufacturer (OEM) partners, the companies who supply Microsoft with new devices, the team was able to ensure that employees had Windows 11 pre-loaded onto their PCs. This approach guaranteed that new devices complied with the hardware requirements of the new system.
A new device, straight out of the box, only needs to be powered on and connected to the internet before Windows Autopilot authenticates and configures everything for the user. Once initial setup is complete, Windows Autopilot ensures that new devices are equipped with Windows 11 and all the correct policies and settings.
Biswa Jaysingh shares five key learnings from releasing Windows 11 across Microsoft. Jaysingh is a principal group program manager on the Microsoft Digital Employee Experience team.
Entering the next stage of Windows at Microsoft
The deployment of Windows 11 at Microsoft validates Microsoft Digital Employee Experience’s approach to product releases and upgrades. With no measured uptick in support tickets, the deployment of Windows 11 has been a frictionless experience for employees and the wide adoption of new features confirms the value of the effort. The speed at which the team completed the deployment—190,000 devices in five weeks—represents the fastest deployment of a new operating system in company history.
The team credits the success of this deployment to good planning, tools, strong communication, and the positive upgrade experience Windows 11 provides.
Windows Update for Business deployment service proved to be a big step in the evolution of how employees get the latest version of Windows. The service’s ease of use meant the team had a higher degree of control, flexibility, and confidence.
The tighter hardware-to-software ecosystem that comes with Windows 11 means Microsoft employees and all users of the operating system benefit from richer experiences. This, along with integration to Microsoft Teams, are just a few examples of what users are seeing now that they’re empowered by Windows 11.
- Understand the hardware eligibility requirements for Windows 11.
- The better you understand your environment the easier it will be to create a timeline, a communication plan, and ultimately track the deployment.
- Messaging is key for leaders in the organization to share, especially for adoption.
- Run a pilot with a handful of devices before deploying company wide. This will allow you to check policies for consistent experiences. Then move on to a ring-based deployment to carefully manage everything.
- There’s no need to create multiple deployment plans with Windows Update for Business deployment service; it can automate the experience, streamlining the entire workflow. Instead of waiting until everyone is ready, consider running Windows 10 and Windows 11 side-by-side. Prepare today by deploying to those who are ready now.
© 2022 Microsoft Corporation. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.