Countdown to Deploy Windows 11

Windows 10 reaches end of life (EOL) on October 14th 2025. Yikes! This is an important date for many businesses and will shape their IT priorities, capital budget and security agenda in 2025.

As of today, there are approximately 69 million Windows machines in the US enterprise market with 61% still on Windows 10. Windows 10 has been in the market since 2015 and has become a workhorse of enterprise productivity worldwide.

Microsoft announced the EOL date on June 15th 2021, effectively giving clients 4 years and 4 months to prepare. Despite that long notice period, some businesses may not be able to move to Windows 11. Reasons will vary by industry, just like many businesses were unable to move off Windows 7 when it reached EOL in January 2020.

Options to get ready include in-place upgrades, paying for extended support, a hardware refresh or leveraging AVD / Windows 365. We outline each of those options in detail in this guide.

Rather than viewing EOL of Windows 10 as a problem, we like to think of it as a compelling event, an exciting opportunity to embrace cloud native management. This improves security, delivers a modern employee experience, and lowers the TCO (total cost of ownership) for businesses.

Let’s unpack this together.

Evolution of the Windows Management Toolset

Windows 10 is not alone with this EOL decision, and as Microsoft pursues a relentless agenda to become the world’s leading cloud-based security and AI vendor, we can expect to see many more EOL announcements of their legacy products. This is especially true of the tools that have been carried forward from the last century. Notable examples include SCCM, CMG and AD.

Doing Nothing is Not an Option in 2025

Some businesses managed to extend the life of their AD, SCCM, CMG and WSUS architecture way beyond expectations and years have gone by without needing to make changes. However, doing nothing is no longer an option, and 2025 will be the year for change.

To be clear, Microsoft has NOT announced EOL dates for any of these 3 products… so we are speculating. But hear us out:

SCCM / MECM / System Center

SCCM was launched in 1994 (exactly 30 years ago). This means the engineers who built SCCM are probably in their mid-fifties now, and their managers are probably in their sixties. Microsoft happens to have a great retirement program that kicks in at the age of 55. So, if those original engineers are still working at Microsoft, they must be very close to retirement. However, it is more likely that most of them have indeed retired or moved to other products or management roles.

Also consider that SCCM, WSUS and AD are on-prem server platforms. Microsoft has been on a steady march to the cloud since 2012, making massive investments in Azure, data centers and a raft of cloud platforms. Priorities have changed, and all the big investments and the best technical talent are focused on cloud, security and AI.

For clarity, legacy on-prem platforms like SCCM are still being maintained and receive updates from time to time, but we should expect that updates will become less frequent, and more expensive.

Microsoft recently announced that the price of SCCM will increase 10% in 2025, and personally I would expect to see price increases each year as the user community diminishes and the product becomes less viable.

WSUS / Windows Server Update Service

WSUS was launched in 2003 and, unlike SCCM, Microsoft has announced their decision to deprecate WSUS in 2025. Fortunately, Autopatch is a great alternative for managing OS updates and also takes care of firmware, drivers and the core Office 365 application patching. Autopatch used to be a separate SKU for a while, but now it is included in the Intune license.

CMG / Cloud Management Gateway

Microsoft already retired the classic deployment model of the Cloud Management Gateway (CMG) on August 31st 2024. This required clients still using CMG to migrate services to a new cloud service with extended support.

This legacy toolset (AD, SCCM, WSUS and CMG) was designed for Windows machines that were in an office environment, joined to a domain with Active Directory, connected to a secure corporate network and relied on GPOs. That model worked well for decades until Covid made everyone a mobile worker, and every Windows machine effectively became a mobile device.

Businesses that upgrade from Windows 10 to 11 with this legacy toolset are typically spending 3-6 hours per machine, compared to 20-30 minutes for those with Intune.

All Roads Lead to Intune

The good news is that the end of Windows 10 is a perfect opportunity to change every aspect of Windows management. Fortunately, Intune has been in the market since 2010 and has become the leading platform worldwide for managing Windows, Macs, iPads, iPhones and Android devices. Read about the incredible history of Intune here.

Intune also includes Autopilot, Autopatch and what could be considered ‘Autosync’. Autosync is not actually a Microsoft product name, rather it is the ability to use role-based bundles to selectively sync the relevant applications and OneDrive folders and files for a specific user, right down to the level of placing icons in specific locations on the desktop screen.

Cloud Native Management

The combination of Entra ID, Conditional Access policies, Intune, Autopilot and Autopatch gives us the cloud native management and complete automation of the 5 lifecycle processes:

  1. New devices are provisioned out-of-box with Autopilot
  2. Security settings, applications and OneDrive content are deployed to each user
  3. Windows OS, firmware, drivers and Office 365 applications are kept up to date
  4. Users can be supported remotely and have their permissions elevated as needed
  5. Devices can be reprovisioned or retired at end of life with a single click

All this means we can automate the ‘plumbing’, the day-to-day processes of managing a Windows fleet. No more images to maintain, no more repackaging of applications, no manual patching, no passwords to reset, no domain to join, no device rebuilding at end of life.

Migrate to Windows 11

Here are the 3 recommended high-level steps for a successful migration to Windows 11:

  1. Set up Intune as the future platform with cloud native / modern management
  2. Perform in-place upgrades of all compatible Windows 10 machines
  3. Replace all incompatible Windows 10 devices, or use Windows 365, or pay for ESU

Sounds simple, right? Well, it’s not, and there could be several FTEs’ worth of work in each of these 3 steps, so let’s break them down.

1. Set up Intune

Intune is a huge platform with over 10,000 settings and many integrations to other parts of the Microsoft 365 ecosystem; however, we have compiled a list of 10 steps to success.

  1. Deploy Intune with a best practice set of security policies, profiles, compliance rules
  2. Configure Conditional Access policies and self-service password reset in Entra ID
  3. Integrate Autopilot with a preferred hardware vendor and validate new provisioning process
  4. Create dynamic assignment groups to deploy applications and OneDrive content
  5. Configure BitLocker, certificates, EDR agent(s) and Endpoint Privilege Management
  6. Configure Edge browser settings in Intune for extensions, password blocking and TLS
  7. Configure Autopatch with deployment rings for OS, firmware, driver and O365 updates
  8. Set up a tool for 3rd party application patching (e.g. Microsoft EAM, or PatchMyPC)
  9. Set up Company Portal, Endpoint Analytics and Remote Help tools
  10. Create a profile for Windows 365 cloud PC (for unmanaged devices and frontline workers)

2. In-place Upgrades for Windows 10 to 11

Here’s a checklist to help you perform in-place upgrades of all compatible Windows 10 machines:

Pre-Upgrade Preparation

  1. Backup Data: Ensure all important data is backed up (synchronized) to OneDrive / SharePoint.
  2. Check Hardware Compatibility: Verify that all existing hardware models are compatible with Windows 11 (8th Gen processor, TPM 2.0 and a Secure Core Profile). Budget will need to be assigned for hardware upgrades in the first half of 2025.
  3. Verify Application Compatibility: Test line of business applications to ensure they work as expected on Windows 11. Applications in compatibility mode with Edge or other browsers will be available until 2029. Applications that rely on IE will not be supported.
  4. Refactor Policies: Update security policies to leverage new features in Windows 11 and deprecate features from Windows 10. Some security features that were optional in Windows 10 are now set as the default in Windows 11.
  5. Update Drivers: Ensure all device drivers are up-to-date.
  6. Free Disk Space: Ensure there is sufficient disk space for the upgrade (at least 20 GB for 64-bit systems).
  7. Disable Security Software: Temporarily disable third-party antivirus and security software to prevent conflicts.
  8. Draft Comms: Brief users in advance as the look, feel, navigation and functionality is different. There are some useful resources in Windows 11 itself, as well as on LinkedIn and YouTube.
  9. Develop Support Resources: Prepare knowledge base articles and FAQs for the upgrade.
  10. Train the Service Desk: Equip desktop technicians with the tools and knowledge to resolve end user issues promptly.
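To make steps 2 and 6 of the checklist measurable across a fleet, the following added example (not from the original post, nor a Mobile Mentor or Microsoft script) is a Windows 11 readiness check written in the shape of an Intune remediation detection script: it tests the prerequisites the checklist names (TPM 2.0, UEFI Secure Boot, a 64-bit CPU, the 20 GB of free space) and exits non-zero so Intune reports the device as not ready. The CPU generation check is assumed to be done separately against Microsoft's processor list; here only the published minimum of 2 cores / 1 GHz and 4 GB RAM is checked.

```powershell
# Windows 11 readiness detection script (added example, assumed to run as SYSTEM via Intune remediations).
# Exit 0 = ready, exit 1 = one or more prerequisites failed (the reasons are written to output).
$failures = @()

# TPM: Get-Tpm reports presence and readiness; the spec version string (e.g. "2.0, 0, 1.59")
# comes from the Win32_Tpm WMI class, so a 1.2 chip is caught even if it is present and ready.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) { $failures += "TPM not present or not ready" }
$tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($tpmWmi -and ($tpmWmi.SpecVersion -notmatch '^2\.0')) {
    $failures += "TPM spec version is $($tpmWmi.SpecVersion), not 2.0"
}

# Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS machines, which is itself a failure.
try {
    if (-not (Confirm-SecureBootUEFI)) { $failures += "Secure Boot is disabled" }
} catch {
    $failures += "Legacy BIOS boot (no UEFI Secure Boot)"
}

# CPU: 64-bit, at least 2 cores at 1 GHz. The 8th Gen requirement needs a model allow-list (out of scope here).
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
if ($cpu.AddressWidth -ne 64) { $failures += "CPU is not 64-bit" }
if ($cpu.NumberOfCores -lt 2 -or $cpu.MaxClockSpeed -lt 1000) { $failures += "CPU below 2 cores / 1 GHz" }

# RAM: 4 GB minimum.
$ramGB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
if ($ramGB -lt 4) { $failures += "Only $ramGB GB RAM" }

# Disk: the checklist's 20 GB free on the system drive.
$sys = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
$freeGB = [math]::Round($sys.FreeSpace / 1GB, 1)
if ($freeGB -lt 20) { $failures += "Only $freeGB GB free on $env:SystemDrive" }

if ($failures.Count -eq 0) {
    Write-Output "Ready for Windows 11"
    exit 0
}
Write-Output ("Not ready: " + ($failures -join '; '))
exit 1
```

Because the output string is captured by Intune per device, the failure reasons can be exported to size the hardware refresh budget rather than discovering incompatible models one upgrade at a time.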

Upgrade Process

  1. Download Media Creation Tool: Obtain the Windows 11 Media Creation Tool from the official Microsoft website and create a Win32 App Package to deploy via Intune.
  2. Run the Tool: Launch the Media Creation Tool and select “Upgrade this PC now.”
  3. Follow Prompts: Follow the on-screen instructions to complete the upgrade process.
  4. Monitor Progress: Keep an eye on the upgrade process to address any prompts or issues that arise.

Post-Upgrade Tasks

  1. Re-enable Security Software: Turn on any antivirus or security software that was disabled.
  2. Check for Updates: Run Windows Update to ensure all the latest updates and patches are installed.
  3. Verify Applications: Ensure all applications are functioning correctly and update them if necessary.
  4. Restore Data: Restore any backed-up data if needed.
  5. Check System Settings: Verify system settings and configurations to ensure they are as expected.

Additional Recommendations

  • Battery and Network Checks: Ensure the device is plugged in and connected to a stable network.
  • Remove Incompatible Applications: Uninstall any applications that are known to be incompatible with the new Windows version.
  • Driver and Firmware Updates: Check for any additional driver or firmware updates post-upgrade.

Options For Existing Incompatible Devices

Option 1 – Extended Security Updates

Extended Security Updates will be available for Windows 10, albeit at a cost that doubles each year. ESU will start at $61 in year 1, $122 in year 2 and $244 in year 3. The combined cost of ESU over 3 years is $427 per device. For comparison, this works out to be about 50% of the mean cost of a replacement Windows device (currently about US$900).

Kicking the can down the road and staying on Windows 10 without extended security support is an option in theory, but it is not a risk worth taking in this climate of rampant cyber-crime.

Option 2 – Hardware Refresh

Many businesses will need to refresh a portion of their Windows devices due to hardware incompatibility with Windows 11, e.g. the need for TPM chips. This is actually a golden opportunity to ensure that Intune is configured with best practices, Autopilot is the default method and the business is embracing zero-touch provisioning for the new machines.

When done correctly, with a cloud-native / modern configuration, employees have an empowering OOBE (out of box experience) and the new Windows device will self-configure and typically load all the applications and OneDrive content in 20-30 minutes.

However, some businesses may not be able to fully embrace zero-touch provisioning due to large applications or complexities in the build process. A great alternative is the service where the device is pre-provisioned at a warehouse prior to shipping to the end user. During pre-provisioning, the OS is updated, Office applications are deployed, and the Intune base profile is configured. This service can be provided by most hardware providers such as Dell, SHI or CDW.

Avoiding Future Technical Debt

We recommend a company-wide mandate for TPM 2.0 and an infrared camera in every new Windows device. These two features are critical to using biometrics through Windows Hello, giving your business a clear pathway to a passwordless sign-in experience in the future. Any new device that does not have TPM 2.0 and an infrared camera creates future technical debt.

The same concept applies to new SaaS applications coming into the business: it is important to mandate SAML 2.0 or OIDC to facilitate SSO (single sign-on) with Entra ID. This eliminates the need for manual authentication, for forcing employees to manage multiple passwords and authenticator apps, or worse, for a 3rd party SSO broker like Okta. That might look like a good idea in the short term, but it will inevitably become future technical debt that will need to be removed at some point.

Central Purchasing via Autopilot

We highly recommend central purchasing for all new Windows devices using Autopilot-enabled hardware vendors. This ensures that every device is correctly configured with security policies, profiles and compliance rules. Businesses that allow departments to purchase their own Windows devices from different suppliers are inevitably going to have different configurations, including some that may not meet minimum standards (e.g., TPM chip). They will also have different security policies, including some conflicting policies that compromise the user experience.

However, the biggest benefit of central purchasing is the ability to completely automate the provisioning of each new machine and automatically deploy the appropriate applications and OneDrive resources to the user based on dynamic assignment groups.

Option 3 – Windows in the Cloud

The third alternative is to move the Windows experience to the cloud.

This can be done using products called Windows 365 or Azure Virtual Desktop. With both options, users can log in to a Windows desktop from any machine (e.g. a MacBook, iPad, or an out-of-date Windows device) and access all their applications and services securely.

This may be an attractive option for businesses that have critical applications that require Windows 10. Rather than paying for ESU for Windows 10 on incompatible hardware, they can choose to use Win 365 or AVD to access those critical applications, running on Windows 10 in the cloud. This can be done from any machine, and an additional benefit is that ESU is included in the cost of both Windows 365 and AVD.

The Reward Justifies the Work

Windows 11 is not an update, it is an upgrade! Windows 11 is the most secure, reliable and intelligent version of Windows ever.

Windows 11 contains dozens of new security features that are turned ON by default. It also includes Hotpatch, the ability to push Windows updates without requiring a restart, resulting in 65% fewer restarts. Hotpatch is only available in Windows 11.

Windows 11 also includes some AI capabilities with “Circle to Search”, “Click to Do”, Super Resolution on photos and intelligent search.

According to Forrester research, businesses are receiving 80% fewer helpdesk tickets, 62% fewer security incidents and a 25% increase in productivity. Their analysis concludes a 250% ROI over 3 years.

We want you to be successful

Upgrading from Windows 10 to 11 is a mammoth project with an immovable date. There is also a large change management component, as it takes 3 hours to do the upgrade with the legacy toolset mentioned above. The impact on end users and the business’s productivity is enormous.

This upgrade will consume some IT teams in 2025, and I predict that some IT directors will be promoted for their success with this change. Likewise, some will be fired for underestimating the effort, starting too late and subjecting their end users to massive pain and inconvenience.

We want to help our clients be successful, get ahead of the curve and avoid hardware shortages, resource bottlenecks, complaints from end users and downtime for the business.

Mobile Mentor is hyper-focused on the endpoint ecosystem. We live and breathe endpoints, and we are proud to have been awarded Microsoft global partner of the year for our work with Intune.

We accelerate clients on their journey to cloud native / modern management, so please reach out to one of our team and we will start with a complimentary assessment and roadmap to show you how to be successful with Windows 11 in 2025.

Discover how much value your business is getting from your M365 licenses compared to your peers.

Discover:

  • Which overlapping security tools you can retire

  • Which business processes you can automate

  • Which IT functions you can modernize

Apply for the Capability & Capacity Assessment

Denis O'Shea