With more than 200,000 employees each utilizing a handful of work and personal devices to get work done, the device management landscape at Microsoft is immense, complicated, and fraught with security risk.
In short, the point at which our administrator responsibilities intersect with the experience our employees have with their devices has historically been full of friction.
For years, we at Microsoft have been transforming the way we manage our company. That long road of good work has led us to where we are today, enabling our employees to access their information whenever and wherever they need it.
Our continued shift towards empowering our employees to work anywhere enabled them to stay engaged and productive during the pandemic. Now that a new era of hybrid work has emerged, the necessity for seamless access to company resources is more important than ever, and the challenges of maintaining security in this new paradigm are ever-present.
“We are in a moment of massive transition. We went from everyone in the office to everyone remote, and now everyone is hybrid,” says Senthil Selvaraj, principal product manager of the Frictionless Devices team within Microsoft Digital Employee Experience, the company’s IT organization. “Our expectation and goal are that every user can work from whichever device they want from wherever in the world they want. But we must accomplish this while fending off thousands of attacks every day on our devices around the globe.”
Microsoft’s approach to the frictionless device initiative is multi-faceted and has required us to update our thinking on how we approach procurement of hardware and software, our help desk solutions, and utilization of advances in AI technology.
We divide this approach into three primary pillars: device experience, vulnerability management, and device lifecycle. Our mission is to produce efficiencies for our admins and business while demonstrably improving the experience of our employees across the globe.
Self-managed help desk
At Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company, we oversee the IT function for the whole company. This includes managing the help desk experience for our employees, which is a common touchpoint for all users seeking help with their devices.
However, the help desk is a key driver of financial and opportunity cost. In the traditional model, we would have one support person helping one user with an issue at a time. This approach is inefficient and often misses out on the network effects that can be gained with sharing solutions not just with a single user but with the whole community. Why help one person at a time when you can help the whole community at once?
We found that 40 percent of all help desk tickets, especially those from non-Windows devices, required user education rather than a hardware or software fix. So we have built a SharePoint site that contains all the information users need to set up their applications on their own.
We see a compounded effect of savings: employees are not losing productive time while waiting for the help desk to assist them, and we reduce help desk costs by reducing the overall number of tickets. We can reallocate our resources to the true issues that need fixing.
In the very near future, we will see even further gains in efficiency and cost reduction by utilizing the latest generation of AI automations at Microsoft. We anticipate that tools like a Helpdesk Copilot will enable employees to access information that enables them to solve device problems without needing to escalate to a help desk engineer. This will decrease the amount of time they spend searching for solutions and the amount of time our help desk engineers need to spend working on common solutions.
The benefits of native Zero Trust and virtualization
The hybrid work environment requires us to provide flexibility to our employees who may be logging in to company resources from any number of locations. Our security needs to flexibly and securely meet employees wherever they are. Zero Trust architecture is our modern approach to this device environment that allows us to effectively secure our devices and our networks. And virtualization of devices is the next frontier for ease of use.
By centralizing and simplifying security in the cloud we are saving money and becoming more secure than ever. No longer are we relying on a castle-and-moat strategy whereby once you are logged in you have free access to all resources on the network. We are now limiting users and accounts through a concept called least-privileged access: your login is verified at each step, and each resource is thus secured individually.
A great example of this Zero Trust initiative appearing in the device management role is the peripherals that we use in our joint conference rooms. Alongside devices like printers, conference rooms are extremely common touchpoints for employees coming into a Microsoft office. We need and want their experience in using these resources to be as seamless as possible, but, because they are shared resources, they remain a security risk. Now, users access these resources under their own credentials through a Zero Trust protocol.
“If you’re looking for security, speed, and ease of access, your answer is the cloud,” Selvaraj says. “The ultimate expression of this modern security posture will be coming through opportunities in virtualized devices.”
We recently announced new ways of delivering employees’ desktop experiences with virtualization solutions such as Windows 365 and Microsoft Dev Box. With Windows 365 Cloud PCs, users can access their personalized Windows apps, settings, desktop, and data—securely hosted in the Microsoft Cloud and accessible on any device—wherever and whenever they work. Cloud-based solutions like these aligned to Microsoft Zero Trust principles are key in reducing friction for everyone in the modern flexible workplace.
Maintaining the approved software Rolodex
Modern software like Microsoft Teams is incredibly powerful and enables a new world of collaboration through its associated apps and APIs. However, each of these exit points where one piece of software or hardware connects with another is a vulnerability. One approach we are taking to more effectively secure this software ecosystem is by centralizing permissions for all applications.
We have effectively created an internal database of known and trusted apps. These are software applications that our IT team can, to a certain degree, guarantee will work and be secure. Previous generations of application management were extremely open: each user had nearly complete freedom to install new applications. While this approach was popular with users, who could use whatever software they wished, paired with the pre-Zero Trust security environment it exposed the network to greater risk.
“The problem and opportunity of software management is twofold: How do we provide ease of access to users while reducing friction for our security and support teams?” says Sean Cottrille, senior product manager on the Frictionless Devices team. “We are moving the goal posts to make sure all apps are pre-approved and are known entities before being installed.”
This new approach to applications ensures that we have a structure in place that answers the questions and needs of the user in advance. Now we can provide a solution to the user more quickly than ever before.
Managing expectations and building for success
Any change to how an employee gets their daily work done requires clear communication about expectations and flexibility from all involved. Employees rely on their hardware and software to work correctly to be able to get work done and quickly become frustrated if there is an unexpected change to their workflow.
“When you’re making a change to the user experience, you must make sure it’s well communicated,” says John Philpott, a senior product manager for seamless access in Microsoft Digital Employee Experience. “If we see problems with the rollout of a new feature, it’s usually because we haven’t communicated enough or in the right channels. You need to go to multiple places where employees gather information to make sure the correct information is meeting them.”
We always test and analyze changes before implementing them, and we are sure of the worth of these updates and upgrades before we roll them out broadly. With this confidence we can go to our team and clearly communicate what the changes are going to be, knowing that the effort of the transition period will be worth it.
The overall benefit of our frictionless devices initiative is that our employees are more connected and enjoy a more seamless device experience. We have developed disruption-free updates and ensure seamless access to the tools and services that users need to get their work done wherever they are working, whether at home, at the office, or on the road. We are doing all of this while gaining time and financial efficiencies by centralizing procurement, optimizing automation, and improving virtualization technology.
“Our goal with device management is to make the whole experience frictionless and to help our employees remain productive with less downtime,” Selvaraj says. “This doesn’t have to conflict with our parallel mission of keeping our company safe. We’re making the employee and admin experience easy but secure.”
- Adapting your IT approach to the modern hybrid work environment means flexibly adjusting your security and device management protocols to account for the new ways your employees are accessing company data. You need to balance your approach to security concerns with a desire to make accessing the information and tools they need as frictionless as possible.
- Zero Trust security architecture is enhancing security and flexibility, and new efforts on virtualization of devices will provide further opportunity for efficiency, security, and ease of use.
- Rationalizing procurement of hardware and software and rolling out new automations and efficiencies in help desk solutions are further speeding up our employees’ experience of getting new tools up and running while reducing overall IT expenditure.