Categories
Digital Transformation

Windows 11 – make the move!

As I hope ALL of you know, Windows 10 is reaching End of Service (EOS) on the 14th of October 2025. If you haven’t marked your calendars already, do so now! This date is even more important if you haven’t made the move over to Windows 11 yet. This does not affect the Windows 10 LTSC currently in support.

The path to reaching Windows 11 can vary, and it’s hard to say that “this is how you should do it”. Some decide to combine this with their cloud journey, some simply just upgrades, and some haven’t really thought about it yet. This blogpost is aimed to inspire those of you who haven’t made the move yet for different reasons. And those of you who help others and need inspiration. So, less focus on tech and more focus on the reasoning to make the move.

Why should you move to Windows 11?

To be honest, the reason to move to Windows 11 is simple. Windows 10 will no longer receive updates unless you decide to pay for the Extended Security Updates (ESU). This will be a fairly expensive way to tackle staying up to date. Microsoft announced back in April that the first year will cost $61 per device the first year. Given that the Windows 11 upgrade is free, there are few reasons to not move. We also see over 99% application compability between Windows 10 and Windows 11. Looking at customers I’ve helped and talked about this with, the issue is rarely the applications anymore.

If we disregard from that Windows 11 brings a whole lot of new security related features to the OS. But it also brings more simplicity to the end user. One thing I hear often is that “the start menu is in the middle, our users will never learn this”. It takes about a day to get used to it, so the problem is not really there. This has so far not been an issue with the customers I’ve helped. Howeber, IT has often thought this would be the number one support issue.

What does Windows 11 bring to the table?

What Windows 11 brings is, however, innovation. Like it or not, Copilot will be part of our everyday life. In Windows 11, you have it at your fingertips with the native Copilot app. Depending on where you live, the experience will vary. There is a native app, or you will have to get the app from the store. Since AI and Copilot are mentioned in almost every context and situation, giving your end users access to a powerful AI in Windows is a huge improvement.

What is important with Windows 11 upgrades is communication to end-users so they know whats going on. Un-announced upgrades are rarley a good idea since it can potentially mess with people flows initially, or unexpected reboots. Teaching your users to make use of all the new and improved features of Windows 11. This is a great way to give the feeling that you from IT are proactive and offering them the latest and greatest.

The downside of moving to Windows 11

To be fair, downside is the wrong word. There is one potential problem with moving to Windows 11, which is that older hardware is not supported. We are talking about things released prior to 2017, creating a huge amount of e-waste. For many companies, this would not be a problem given that you have proper lifecycle management of your devices. But it creates a huge amount of devices which will not be feasable to use any more.

However, there are some ways you can still make use of them. Being a Microsoft advocate, my favourite is running Windows 365 on them. If you run a Cloud PC from a Windows 10 machine, the ESU will be free of charge and you can keep using that machine going forward, but that means using it to access a Cloud PC which is running Windows 11. You can ofcourse also convert them to thin clients using something like IGEL and have their OS accessing the Cloud PC.

But going back to the topic of e-waste. This will be a huge challange, not only from a corporate and logistic perspecitve. But from en environmental perspective. There will be A LOT of devices which needs to be recylced, and we must really hope that they will be recycled and not just thrown away or shreded.

Get to Windows 11 fast

So what is the fastest path to Windows 11? A lot of times when we talk about moving to Windows 11, we talk about going cloud native.

I’m all for going cloud native and I would recomend it to everyone. But going cloud native if you are on-premises or hybrid today is timeconsuming, and not really needed.

If you listen carefully how Microsoft talked about the journey, it’s rarely stated that you should re-install every device as cloud native. What they are talking about is moving to Intune, and that is a different thing since you can be Intune only but still being hybrid.

So for most organisations, going hybrid for all exisiting devices is the fastest path to Intune only. But remeber that ALL new devices should be cloud native (since you wont really gain anything from new hybrid devices).

But looping back to Windows 11 and getting there fast.

Windows 10 have had a steady release cadence, even if it has shifted a bit over the years. You have moved from Windows 10 20h2, to Windows 10 21h2, to Windows 10 22h2 using either Windows Update or Configuration Manager. When looking to move to Windows 11, you can view this as “yet another update” and deploy it as such.

You hopefully already have a working process for this in place, and if you are doing custom images this would apply to you imaging lifecycling as well.

Since we have about a year left, this would be the fastest way to get there and move to Intune after that.

Take aways

The main take away from this is that dont make the Windows 11 journey harder than it has to be. Windows 11 is not that scary and it’s a great operating system regardless of what different internet forums says. From a business perspective, this shouldn’t be a discussion. Just a go do!

We never discuss or get stuck on iOS versions in the same way, not wanting to move to the next version.

A couple of years ago, in the begining of this blog, I wrote about consumerization of corporate IT and it’s still relevant. We as individuals are driving change. We are no longer in a world where IT can say “no, we wont give you the lastest version of this and that” since things will stop working. If you run an unsupported version of Windows you are not only facing potential security threats. You will also see that a lot of your business applications will stop working, since these has adapted to the Windows as a Service concept introduced with Windows 10.

What is the biggest take away from this blog? If you haven’t set the plan to migrate to Windows 11, start now! You have less than a year left.

Categories
Digital Transformation Modern Workplace

What is Windows Autopilot – management edition

There are A LOT of misconceptions what Windows Autopilot is. Today I will try to sort those misconceptions out.

You have already heard a lot of different presentations about Windows Autopilot, why you should use it and why it’s so great. Because of that, I’ll leave most of those things out. This wont a technical post about what Windows Autopilot is, this will be more of the management edition of this.

Windows Autopilot – the concept

The basic theory behind Windows Autopilot is to streamline and take away time-consuming phases in the setup process of a corporate computer.

In the “traditional world” you would need to be on the corporate network and press F12 on the computer to initiate the installation of your custom image, that your IT-guys built. This custom image of Windows contains all your customizations, drivers and settings are pushed through Group Policy Objects, also called GPO. Many companies requires the computer to be “known” before it’s installed and you do what is called a pre-stage where you create the computer account in the active directory (AD) and assign group memberships. This process can take from an hour up to a few hours based on your connection and size of image (it’s usually pretty big).

In the world of Windows Autopilot, you take advantage of that the hardware manufacturer has already put a Windows 10 installation on the computer, with drivers installed from the factory (this is actually how computers are shipped even if you don’t use Windows Autopilot). Your vendor/partner/IT-department registers the computer hardware ID, which is unique to each computer, with your Microsoft tenant. Computer can also be joined to Azure AD groups based on this hardware ID.

When the computer is launched the first time, the user will be greeted with “Welcome to Contoso” and then asked to sign in. When sign in is completed, the computer is registered in Microsoft Intune and settings and customizations are applied.

This process is A LOT faster than traditional OS-deployment. The entire process and the computer are ready to use in 30-60 minutes (based on connectivity). All traffic is routed through the internet during setup and any connectivity to the corporate infrastructure can be routed through VPN if needed.

If you do the math, you can deploy a whole lot of more computer for a lower cost using Windows Autopilot.

Windows Autopilot – the reality

This sounds pretty neat huh?

But what is Windows Autopilot? Is it a completely new tool? Will it replace Microsoft Intune? What will my IT-technicians do, they spend 80% of the time installing computers today?

Without getting to technical about this, Windows Autopilot is a new name on a bunch of things that has been around for a while. And some new features.

Windows Autopilot is utilizing a lot of different technologies and should be viewed more as a workflow or a process rather than a technical feature. It combines the power of Azure AD, Microsoft Intune, and Microsoft Store for Business to provide a streamlined process for installing new computers. That’s about it.

This means that Windows Autopilot is nothing else than an automated and standardized process of setting up computers for your company.

However, from a technical point of view, there is a lot more things going on though. But this is the simple version.

Key take-away

The key take-away, and the thing to consider, around Windows Autopilot is if you need all the fancy switches and total customization you have with the traditional approach. Or would a lighter weight management do the trick for you? It probably will…

There are of course some if’s and but’s around this, but in general there aren’t that much. Your users could get their computer delivered straight to them and set them up by login in, given that they have internet access at their location.

There are options to prepare the computer for the user by having a technician do half the registration and setup to then re-seal the computer and ship it off to the user, if you want to minimize the amount of work being done by the end-user. This way, initial setup will be shorter for the end-user.

If you view Windows Autopilot as an automated process to setup computers in your organization and not a technology, things get a lot easier. With that said, it won’t suite all your special situations for computers, but you will cover most cases for office-based work!

Categories
Intune Tips & Tricks

Silent Bitlocker in Windows Autopilot

When enrolling devices through Windows Autopilot and using Intune enabling Bitlocker without user interaction can be a little bit of a hassle since the default behavior is to ask the end-user to encrypt the device in runtime.

This pop-up can easily confuse end-users and the device is not really “ready to use” once the Enrollment Status Page (ESP) has closed.

There are several different solutions for this, where running a PowerShell-scrip as a Win32 app during enrollment is the most common one.

BUT I’ve found a way to skip this, but it does have some distinct limitations (except for all other Bitlocker requirements):

  • Use Intune for device management
  • Device can only be joined to the Azure AD
  • Running Windows 10 1809 or later
  • No third-party disk encryption services can be used

So how do you configure this?

In Microsoft Intune, go to Endpoint Security > Disk encryption and create a new profile:

Select “Windows 10 and later” as platform and choose the Bitlocker profile, then click create. Give your profile a name based on your naming convention and click next.

To enforce Bitlocker during enrollment, you need to

  • Set “Enable full disk encryption for OS and fixed drives” to Yes
  • Set “Hide prompt about third-party encryption” to Yes
  • Set “Allow standard users to enable encryption during Autopilot” to Yes

A heads up on these settings though, if you are using any third-party encryption, you might break the machine and you will have to re-install the machine. So be careful if applying to existing machines.

Then set your preferred settings for Bitlocker on OS and fixed drives, this is what I am running in this lab setup. One good setting to use is “Require device to back up recovery information to Azure AD” to ensure that you have the recovery information available for the machine. These settings might vary based on your organizational needs and requirements.

Click next until you end up on “Assignments” and select your targeted device group.

Click next and review your settings before hitting “Create” on the Review + Create page.

And that’s it! Your devices will now silently encrypt using Bitlocker during Autopilot enrollment.