[Editor’s note: This content was written to highlight a particular event or moment in time. Although that moment has passed, we’re republishing it here so you can see what our thinking and experience was like at the time.]
Like our customers, we at Microsoft have a strong business need to address the new challenges created by remote and hybrid work. The internal adoption of Windows 11 is helping our company meet those needs, while enabling our employees to work smarter and more securely, regardless of where they are.
Upgrading to Windows 11 at Microsoft
Our priority in rolling out Windows 11 internally was to provide employees uninterrupted access to a safe and productive workspace while giving them a chance to try out the new operating system.
Introducing a new operating system, especially across a distributed workforce, naturally led to questions about device downtime and app compatibility. However, with established practices and evolved solutions in hand, historical obstacles became just that—a thing of the past. The rollout of Windows 11 at Microsoft was our most streamlined to date, frictionlessly delivering employees the latest operating system in record time.
What made the deployment of Windows 11 a success?
Over the past decade, our Microsoft Digital Employee Experience team, the organization that powers, protects, and transforms employee experiences, has worked closely with teams such as the Windows product group to improve how it runs Microsoft’s updates, upgrades, and deployments.
Whereas significant time and resources were once dedicated to testing app compatibility, building out multiple disk images, and managing a complex delivery method, processes and tools introduced during Windows 10 have streamlined upgrades and enabled the transformation to a frictionless experience.
Data from App Assure, a Microsoft service available to all customers with eligible subscriptions, shows the company had 99.7 percent compatibility for all apps in Windows 11—that eliminated the need for extensive testing. It also meant that employees’ Windows 10 apps work seamlessly in Windows 11. Additionally, Microsoft Endpoint Manager and Windows Update for Business eliminated the need for using more than one disk image and made it easier for employees to get Windows 11.
Our Microsoft Digital Employee Experience team relied on the same familiar tools and process as a Windows 10 feature update to quickly deliver the upgrade to employees.
The upgrade was divided into three parts:
Plan: Identify an execution and communication plan, then develop a timeline
Prepare: Establish reporting systems, run tests, ready employees, and build backend services
Deploy: Deploy Windows 11 to eligible devices
It all starts with a good plan
We at Microsoft Digital Employee Experience have a successful history of deploying new services, apps, and operating systems to employees. And it all starts at the same place—creating a disruption-free strategy that enables employees to embrace the latest technology as soon as possible without sacrificing productivity.
Assess the environment
Before the deployment of Windows 11 could begin, we had to take a careful inventory of all devices at Microsoft and determine which they should target. Windows 11 has specific hardware requirements, and a percentage of employees running ineligible devices meant that not every device would be upgraded. Employees with these devices will upgrade to Windows 11 during their next device refresh.
To evaluate the device population, we used Update Compliance and Microsoft Endpoint Manager’s Endpoint analytics feature. This allowed our team to generate reports on devices that either met or failed to comply with minimum specifications. For example, certain devices, especially older desktops, lacked the Trusted Platform Module 2.0 (TPM) chipset requirements for security in Windows 11.
In the end, 190,000 devices were deemed eligible based on hardware and role requirements. Over the course of five weeks, our Microsoft Digital Employee Experience team deployed Windows 11 to 99 percent of qualifying devices.
Address ineligible devices and exclusions
After evaluating the broad population of devices, our team developed a plan for devices that would not receive a Windows 11 upgrade. Since Windows 10 and Windows 11 can be seamlessly managed side-by-side within the same management system, we only had to designate the number of devices that would not receive the upgrade. Using Update Compliance to inform deployment policies, we applied controls on ineligible devices, automatically skipping them during deployment. These measures made it easy to know why a device didn’t upgrade, but also assured a disruption-free experience for both employees and those on our team responsible for managing the upgrade.
These controls also allowed the company to bypass deployment on any device that had been incorrectly targeted for an upgrade.
Ineligible devices. Windows 10 and Windows 11 can be managed side-by-side and will be supported concurrently at Microsoft until all devices are upgraded or retired. As devices are refreshed, more and more of our employees will gain access to Windows 11.
Devices that should not receive the upgrade. Other devices, like servers and test labs—where we validate new products on previous operating systems—were issued controls and excluded from receiving Windows 11.
Establish a deployment timeline
Once upgradeable devices were identified, our team was able to create a clear timeline. From this schedule, our communications team developed an outreach plan, support teams readied the helpdesk, and the deployment team developed critical reporting mechanisms to track progress.
For the deployment itself, our team used a ring-based approach to segment the deployment into several waves. This allowed us to gradually release Windows 11 across the company, reducing the risk of disruption.
Create a rollback plan
Windows 11 has built-in support for rolling back to Windows 10 with a default window of 10 days after installation. If needed, our Microsoft Digital Employee Experience team could have revised this period via group policy or script using Microsoft Intune. Post-upgrade, there wasn’t much demand for a rollback, but the strategic release cadence that the team used, paired with the rollback capability, gave our team an easy way to quickly revert devices that might require going back to Windows 10 for a business need.
Preparing for success
Prior to starting the Windows 11 upgrade, we asked employees to complete pre-work needed for a successful upgrade. Because the upgrade was so smooth, only light readiness communications were needed. Instead, we focused on ensuring that employees were aware and excited about the benefits of Windows 11 and that they were ready to share their feedback on what it was like to use it.
Reach everyone
To maximize the impact of our communications, our team readied content that was digestible for every employee, regardless of role. Employees needed clear and concise messaging that would resonate, so that they could understand what Windows 11 would mean for them.
Our team in Microsoft Digital Employee Experience targeted a variety of established channels, including Yammer, FAQs on Microsoft SharePoint, email, Microsoft Teams, Microsoft’s internal homepage, and digital signage to promote Windows 11.
To generate interest, our materials focused on:
- The new look and features of Windows 11, designed for hybrid work and built on Zero Trust
- Flexible and easy upgrade options, including the ability to schedule upgrades at a time that worked best for the employee
- The speed at which employees could be up and running Windows 11, as quickly as 20 minutes
- New terms related to Windows 11 and where employees could go to learn more
An entire page on our company’s internal helpdesk site was dedicated to links related to the upgrade, including Microsoft Docs, where users could find a comprehensive library on new features.
Executive announcements from company leadership also conveyed the benefit of moving to Windows 11 and the ease with which it could be done.
Set expectations
Our team directed employees waiting to see if their device met Windows 11’s hardware requirements to the PC Health Check app. At an enterprise level, the team relied on Update Compliance to assess the device population.
We also used this opportunity to reinforce messaging to Windows 10 users—both operating systems would continue to operate side-by-side until all devices were refreshed. This helped ease concerns for employees who had to wait for an upgrade.
Ready support
Getting the deployment right wasn’t just about sending messages outward. Our team needed to receive and respond to employee questions before, during, and after the Windows 11 rollout.
Our support teams were given an opportunity to delve into Windows 11 prior to the deployment, which, based on experiences with previous upgrades, gave them time to categorize and group by severity any potential issues they might encounter. This familiarity not only helped them give employees informed answers, but also served as another feedback gathering mechanism.
Open for feedback
We run Microsoft on Microsoft technology and we encourage our employees to join the Windows Insider Program, where users are free to provide feedback directly to developers and product teams.
That’s why communications didn’t just focus on what was new with Windows 11, but on how feedback could be shared. If an employee had comments, they submitted them through a Feedback Hub where other employees could upvote tickets, giving visibility to our engineers in Microsoft Digital Employee Experience and the Windows product group.
Pre-work for deployment readiness
In addition to readying employees, we had to make sure all the backend services were in place prior to the deployment. This included building several processes, setting up analytics, and testing.
Establish analytics reports
Evolving beyond previous upgrades, the deployment of Windows 11 was the most data driven release we have ever done. Looking closer at diagnostic data and creating better adoption reporting gave our team clear data to look at throughout the deployment.
Using Microsoft Power BI, our team could share insights regarding the company’s environment. This better prepared everyone on the team and allowed us to monitor progress during deployment.
Our team captured the following metrics:
- Device population
- Devices by country
- Devices by region
- Eligibility
- Adoption
In addition to visibility into project status, access to this data empowered our team to engage employees whose eligible devices did not receive the upgrade.
Build an opt-out process
To accommodate users whose eligible devices might need to be excluded from the deployment, our team created a robust workback plan that included a request and approval process, a tracking system, and a set timeline for how long devices would be excluded from the upgrade.
Our Microsoft Digital Employee Experience team released communications specifying the timeframe for employees to opt out, including process steps. Employees who needed to remove their devices from the upgrade submitted their alias, machine name, and reason for exclusion. From there, our team evaluated their requests. Only users with a business reason were allowed to opt out. For example, Internet Explorer 11 requires Windows 10, so employees who need that browser for testing purposes were allowed to remove their devices from the deployment.
Once we had approved devices for exclusion, a block was put in place to remove them from the deployment. Data gathered during the opt-out process enabled us to follow up with these employees, upgrading them to Windows 11 at a more appropriate time.
Create a security model
At Microsoft, security is always top of mind for us. A careful risk assessment, including testing out a series of threat scenarios, was performed before Windows 11 was deployed across the company.
Our Microsoft Digital Employee Experience team built several specific Windows 11 security policies in a test environment and benchmarked them against policies built for Windows 10.
After testing the policies and scenarios to see if they would have any impact on employees, we found that devices with Windows 11 would meet Microsoft’s rigorous security thresholds without creating any disruptions. Just as importantly, users would experience the same behaviors in Windows 11 as they might expect from Windows 10.
The deployment
A decade ago, our efforts to deploy feature updates could be challenging, as we needed to account for different builds, languages, policies, and more. This required careful management of distribution points and VPNs prior to beginning deployment efforts in earnest.
When Windows 10 was released in 2015, our team used two deployment strategies: one for on-premises managed devices and one for cloud managed devices.
Today, the situation is much simpler.
Launched during the Windows 10 era, Windows Update for Business established some of the trusted practices that make product releases and feature updates a great experience for us here at Microsoft. Windows Update for Business deployment service introduces new efficiencies for our team, consolidating two deployment strategies into one.
For the deployment of Windows 11, our team had an advantage—Windows Update for Business deployment service.
Windows Update for Business deployment service enabled our Microsoft Digital Employee Experience team to grab device IDs from across the environment and use them to automate the deployment. Windows Update for Business deployment service handled all the backend processing and scheduling for us; all we needed to do was determine the start and end dates.
Our team easily managed exclusions and opt-outs with Windows Update for Business deployment service, and when a device needed to be upgraded, the service made it easier to remove and roll them back to Windows 10.
Importantly, Windows Update for Business deployment service provides a single deployment strategy for us moving forward. Deployment has been simplified, and the data loaded into Windows Update for Business deployment service for this upgrade will help speed up future releases.
Policies for success
We had to decide which policies they wanted to work with for the greatest outcome. This included how many alerts an employee would receive before receiving an upgrade to Windows 11.
Windows Update for Business deployment services reduced the long list of policies that our team needed to manage during deployment. This accelerated deployment without compromising security.
From pilot to global deployment
By structuring the deployment timeline to hit a small group of employees before incrementally moving on to a larger population, our Microsoft Digital Employee Experience team ensured Windows Update for Business deployment service ran as expected and that all required controls and permissions were set.
As our team used the Windows Update for Business deployment service to plot out upgrade waves, Windows 11 downloaded in the background and employees received pop-up alerts when their device was ready. The employee could restart at any time and would boot into Windows 11 after a few automated systems completed the installation. Employees could also schedule Windows 11 to upgrade overnight or during the weekend.
Onboarding OEMs
Working closely with Microsoft Surface and other Original Equipment Manufacturer (OEM) partners, the companies who supply Microsoft with new devices, our team was able to ensure that our employees had Windows 11 pre-loaded onto their PCs. This approach guaranteed that new devices complied with the hardware requirements of the new system.
A new device, straight out of the box, only needs to be powered on and connected to the internet before Windows Autopilot authenticates and configures everything for the user. Once initial setup is complete, Windows Autopilot ensures that new devices are equipped with Windows 11 and all the correct policies and settings.
For a transcript, please view the video on YouTube: https://www.youtube.com/watch?v=1d4z5N5XCsA, select the “More actions” button (three dots icon) below the video, and then select “Show transcript.”
Entering the next stage of Windows at Microsoft
The deployment of Windows 11 at Microsoft validates our team’s approach to product releases and upgrades. With no measured uptick in support tickets, the deployment of Windows 11 has been a frictionless experience for employees and the wide adoption of new features confirms the value of the effort. The speed at which the team completed the deployment—190,000 devices in five weeks—represents the fastest deployment of a new operating system in company history.
We credit the success of this deployment to good planning, tools, strong communication, and the positive upgrade experience Windows 11 provides.
Windows Update for Business deployment service proved to be a big step in the evolution of how employees get the latest version of Windows. The service’s ease of use meant the team had a higher degree of control, flexibility, and confidence.
The tighter hardware-to-software ecosystem that comes with Windows 11 means our employees and all users of the operating system benefit from richer experiences. This, along with integration to Microsoft Teams, are just a few examples of what users are seeing now that they’re empowered by Windows 11.
- Understand the hardware eligibility requirements for Windows 11.
- The better you understand your environment the easier it will be to create a timeline, a communication plan, and ultimately track the deployment.
- Messaging is key for leaders in the organization to share, especially for adoption.
- Run a pilot with a handful of devices before deploying company wide. This will allow you to check policies for consistent experiences. Then move on to a ring-based deployment to carefully manage everything.
- There’s no need to create multiple deployment plans with Windows Update for Business deployment service; it can automate the experience, streamlining the entire workflow. Instead of waiting until everyone is ready, consider running Windows 10 and Windows 11 side-by-side. Prepare today by deploying to those who are ready now.