Windows Office Hours: May 18, 2023
Thursday, May 18, 2023, 08:00 AM PDT

Event details
Get answers to your questions about adopting Windows 11 and managing the Windows devices used by remote, onsite, and hybrid workers across your organization. Get tips on keeping devices up to date ef...
Heather_Poulsen
Updated May 18, 2023
Joe_Lurie (Microsoft), May 18, 2023
@R D When we say Windows 11 is the most secure OS, we mean by default on a new installation. If you have a Windows 10 device with all of the security features disabled, we will not automatically enable them in an IPU scenario. So to answer your question, yes, there will be a difference in an IPU vs. fresh install, based on what's installed and enabled on the Windows 10 device prior to IPU.
R D (Copper Contributor), May 18, 2023
Is there a list of these features that we can review, and is there anything prohibiting certain features from being enabled after the upgrade?
- Joe_Lurie (Microsoft), May 18, 2023
@R D I'm not sure we document all of the features, but on a managed device we should not be automatically enabling any features that have been disabled by policy.
- R D (Copper Contributor), May 18, 2023
Thanks, yeah, my question wasn't really concerning settings that are disabled by policy. I'm just trying to get a handle on anything we miss out on unintentionally with IPU vs. new install.
- Sean McLaren (Copper Contributor), May 18, 2023
When considering new devices vs. in-place updates for existing devices, the real consideration is that the hardware on the new devices will enable the "on by default" protections, whereas on an existing device, as Joe mentioned, we will not automatically enable anything, with the exception of Credential Guard on Windows 11 22H2. Reference: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage. Note, however, that if you set the policy to disable it, we will NOT enable it on the update.

You can enable all of the other Windows 11 features or protections after an in-place update, assuming you have the appropriate settings configured in your UEFI, etc. The one feature you may have heard about that has to be done on a clean installation is Smart App Control, which is application control for consumers. Smart App Control is based on WDAC, so if you are an IT-managed enterprise customer, you can enable WDAC controls. Read more on App Control here: https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.

The advantage of doing in-place updates is typically going to be a lot less user downtime, as you do not need to reimage and then reprovision, and things like recently used file lists will still be there, as well as any application-specific configurations and settings that do not roam across devices. If your device is hybrid joined and co-managed, you can also continue any management modernization efforts even for your in-place updated devices. The only other real consideration I can think of for reimaging to get from Windows 10 to Windows 11 is if you want to make the jump to an Azure AD only joined device in the transition.

Note, though, that there is a decent interruption to the user, as you would have to reimage and then reprovision the device to do this and ensure all of your policies, applications and settings have been completely configured in the cloud. As you know, the time to reinstall all of your applications can be a big part of the downtime you will incur in this flow. If this is an objective you have, I'd recommend looking into an Autopilot Reset flow for these devices, but again, this is not necessary to continue modernization efforts, and you can move everything to the cloud and wait for hardware refresh to officially jump from Hybrid AD to Azure AD join. It simply becomes a business decision more than a technical decision.
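The thread above says that an in-place upgrade does not switch on the Windows 11 "on by default" protections (apart from Credential Guard on 22H2, and not even that when policy disables it), and that the rest can be enabled afterwards if the firmware prerequisites are met. The script below is an added example, not code from the page or from Microsoft: it audits an upgraded device so you can see which of those protections are actually running and which prerequisites are missing. It reads the documented Win32_DeviceGuard WMI class, Secure Boot and TPM state, and the Credential Guard policy value. The Smart App Control registry value (VerifiedAndReputablePolicyState) and the meaning of the bit values in SecurityServicesRunning and VirtualizationBasedSecurityStatus are assumptions on my part, stated in the comments, so verify them against current documentation before relying on them.

```powershell
#Requires -RunAsAdministrator
# Post-IPU security-baseline audit (added example; not part of the original thread).
# Assumptions not stated on the page:
#   SecurityServicesRunning / SecurityServicesConfigured bits: 1 = Credential Guard, 2 = HVCI
#   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
#   CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
#   Smart App Control state: HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy\VerifiedAndReputablePolicyState
#       (0 = off, 1 = on, 2 = evaluation mode)

function Get-PostUpgradeSecurityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Firmware prerequisites the post says must be in place before you can turn features on.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }   # throws on legacy BIOS
    $tpm = Get-Tpm -ErrorAction SilentlyContinue

    # Credential Guard policy: 0 = disabled by policy (IPU will NOT enable it), 1 = on with UEFI lock, 2 = on without lock.
    $cgPolicy = Get-ItemPropertyValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
                                      -Name LsaCfgFlags -ErrorAction SilentlyContinue

    # Smart App Control (consumer feature; the post notes it needs a clean install). Value name is an assumption.
    $sac = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy' `
                                 -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled          = $secureBoot
        TpmPresentAndReady         = [bool]($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)
        VbsRunning                 = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        CredentialGuardConfigured  = ([int[]]$dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning     = ([int[]]$dg.SecurityServicesRunning -contains 1)
        CredentialGuardPolicy      = if ($null -eq $cgPolicy) { 'not set' } else { $cgPolicy }
        HvciRunning                = ([int[]]$dg.SecurityServicesRunning -contains 2)
        WdacKernelEnforcement      = $dg.CodeIntegrityPolicyEnforcementStatus          # 0 off / 1 audit / 2 enforced
        WdacUserModeEnforcement    = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus  # 0 off / 1 audit / 2 enforced
        SmartAppControlState       = if ($null -eq $sac) { 'not present' } else { $sac }
    }
}

# Report which protections are still off so the admin knows what to push by policy after the upgrade.
function Get-PostUpgradeGaps {
    param([Parameter(Mandatory)] $State)

    $gaps = @()
    if (-not $State.SecureBootEnabled)      { $gaps += 'Secure Boot is off: enable it in UEFI before turning on VBS-based features.' }
    if (-not $State.TpmPresentAndReady)     { $gaps += 'TPM not present/ready: required for the Windows 11 baseline and Credential Guard UEFI lock.' }
    if (-not $State.VbsRunning)             { $gaps += 'Virtualization-based security is not running.' }
    if ($State.CredentialGuardPolicy -eq 0) { $gaps += 'Credential Guard is disabled by policy; the upgrade will not enable it (as the post states).' }
    elseif (-not $State.CredentialGuardRunning) { $gaps += 'Credential Guard is not running: set the policy (LsaCfgFlags 1 or 2) and reboot.' }
    if (-not $State.HvciRunning)            { $gaps += 'HVCI (memory integrity) is not running.' }
    if ($State.WdacKernelEnforcement -lt 2) { $gaps += 'No enforced WDAC policy; deploy one via Intune/GPO for managed devices.' }
    return $gaps
}

$state = Get-PostUpgradeSecurityState
$state | Format-List
$gaps = Get-PostUpgradeGaps -State $state
if ($gaps.Count -eq 0) { 'All audited protections are enabled.' } else { $gaps | ForEach-Object { "GAP: $_" } }
```

Run it once on a device that went through the in-place upgrade and once on a clean install of the same hardware model; the rows that differ are exactly what the thread says you have to enable by policy afterwards. A CredentialGuardPolicy of 0 together with CredentialGuardRunning False is the "disabled by policy, so not enabled on update" case Sean describes, and a Smart App Control state that reads 0 or 'not present' on an upgraded device is expected, since that feature is only set up on a clean installation.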