Reimagining IT to support the hybrid workforce: five months later


As I sit here in my home office, eight months into this new normal…wait, check that, that’s how I started the first in this series of blogs on Reimagining IT to support the hybrid workforce…five months ago. I have to admit that, as remote work scenarios have evolved over time, it would be a disservice if I didn’t discuss how things have changed when it comes to supporting a hybrid workforce, or even my own remote work situation.

Like many of you, I thought my remote work situation was temporary. I set up a makeshift office in my bonus room, which is now a permanent fixture. I thought I had a good work-life balance that included plans to get off the laptop periodically, but it just wasn’t enough. After five months of working from home, it was also evident that I was getting a little too sedentary, which caused some back issues.

Fast forward to today. I now have a standing desk, something which I recently discovered, thanks to a team all-hands meeting, is a hot topic of discussion and has become the norm for many. I’m forcing myself to get outside on a more regular basis. I’ve also turned my dining room into a recording studio for the various presentations and sessions I deliver on a regular basis.

In my first blog, I outlined Microsoft's internal business continuity framework, with its first two phases focused on “react” and “recover.” Based on customer engagements and conversations over the last three months, I can see that many organizations are starting to enter the final phase of the framework, or what we call “re-imagining IT.” I’ve received a lot of requests from customers to help address specific pain points, around patching and updating Windows, for example. From a timing perspective, I believe our first virtual Microsoft Ignite was a factor in organizations starting the process of moving into that final phase given all the announcements and discussions around embracing the hybrid workforce of the future.

While Microsoft Ignite was a fantastic forum for new announcements, and there were many, each session was very solution-centric. I didn’t see anything pulling together a holistic and strategic discussion on supporting the hybrid workforce. With that in mind, my focus here will be on pulling together that holistic vision alongside recent announcements and new resources. Below you will find a high-level architectural view of how I see IT re-imagined and progress on the move towards cloud and modern management to support the hybrid workforce, which is what we’re doing today here at Microsoft.

As a recap, whether it is an on-premises or remote worker endpoint, the goal is to keep devices in your organization safe, secure, and productive with minimal user impact. To achieve that goal, IT organizations need:

  • Efficiency and a regular rhythm when applying drivers and firmware
  • A regular rhythm when deploying quality updates and OS feature updates
  • Management and protection controls for data at rest and in transit
  • Efficiency when accessing Office, productivity tools, and their updates
  • Hands-off provisioning of hardware for remote workers and even internal staff
  • Securing browser access by using the new Microsoft Edge
  • Prioritization of security and compliance
  • Management of line-of-business (LOB) and other applications, including secure connectivity for iOS and Android mobile devices

The foundation and success of this cloud and modern approach hinges on a zero-trust network and a split tunnel capability that directs mission-critical business traffic via VPN while sending all other, non-essential traffic directly to the internet, including Office and Windows updates coming from the Microsoft infrastructure, network, and CDNs. A recent blog on the Microsoft 365 Connectivity principles does a great job of outlining this recommended approach to managing split tunnel concepts, while the zero trust model and assessment tool can assist companies in adopting the concept. Certainly securing devices is at the core, but the approach also includes securing and protecting users’ identities. Hot off the presses from Ignite, we also announced the Microsoft Tunnel Gateway, which closes the gap around secure LOB connectivity from your iOS and Android devices.
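One way to implement the split tunnel exclusions described above, as an added example that is not code from the original post or from Microsoft: a PowerShell script that takes the Microsoft 365 endpoint list, keeps only the Optimize category (the only category the connectivity principles say should bypass the VPN), and emits the exclusion-route section of a Windows VPNv2 ProfileXML for a force-tunnel VPN. The endpoint JSON embedded below is a constructed sample in the shape of the real endpoints web service; the server name vpn.contoso.example and the IKEv2/machine-certificate settings are placeholders you would replace.

```powershell
# Added example, not code from the original post or from Microsoft.
# Builds the exclusion-route section of a Windows VPNv2 ProfileXML so that
# Microsoft 365 "Optimize" traffic leaves the device directly while everything
# else stays inside a force-tunnel VPN.
# The JSON below is a CONSTRUCTED sample in the shape of the real endpoints
# web service; for production, fetch live data instead (real URL, needs a GUID):
#   $endpoints = Invoke-RestMethod -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
$sampleJson = @'
[
  {"id":1,"serviceArea":"Exchange","category":"Optimize","required":true,
   "urls":["outlook.office.com","outlook.office365.com"],
   "ips":["13.107.6.152/31","2603:1006::/40"],"tcpPorts":"80,443"},
  {"id":31,"serviceArea":"SharePoint","category":"Optimize","required":true,
   "urls":["*.sharepoint.com"],"ips":["13.107.136.0/22"],"tcpPorts":"80,443"},
  {"id":11,"serviceArea":"Skype","category":"Optimize","required":true,
   "ips":["13.107.64.0/18","52.112.0.0/14"],"udpPorts":"3478,3479,3480,3481"},
  {"id":46,"serviceArea":"Common","category":"Allow","required":true,
   "urls":["*.office.net"],"ips":["13.107.6.171/32"],"tcpPorts":"443"},
  {"id":125,"serviceArea":"Common","category":"Default","required":false,
   "urls":["*.bing.com"],"tcpPorts":"443"}
]
'@
$endpoints = $sampleJson | ConvertFrom-Json

function Get-OptimizeIPv4Prefixes {
    param([Parameter(Mandatory)] [object[]] $Endpoints)
    # Only the "Optimize" category is meant to bypass the VPN; Allow and
    # Default stay in the tunnel. IPv6 prefixes are dropped because this
    # profile only carries IPv4 routes; add them if your VPN assigns IPv6.
    $Endpoints |
        Where-Object { $_.category -eq 'Optimize' -and $_.required -and $_.ips } |
        ForEach-Object { $_.ips } |
        Where-Object { $_ -match '^(\d{1,3}\.){3}\d{1,3}/\d{1,2}$' } |
        Sort-Object -Unique
}

function New-ExclusionRouteXml {
    param([Parameter(Mandatory)] [string[]] $Prefixes)
    # ExclusionRoute=true tells the VPNv2 CSP to send this destination out of
    # the physical interface instead of through the tunnel.
    foreach ($p in $Prefixes) {
        $address, $size = $p -split '/'
        "  <Route><Address>$address</Address><PrefixSize>$size</PrefixSize><ExclusionRoute>true</ExclusionRoute></Route>"
    }
}

$prefixes = Get-OptimizeIPv4Prefixes -Endpoints $endpoints
$routeXml = (New-ExclusionRouteXml -Prefixes $prefixes) -join "`n"

# Assumed placeholder values: server name, protocol and auth are yours to replace.
$profileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.contoso.example</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
    <Authentication><MachineMethod>Certificate</MachineMethod></Authentication>
  </NativeProfile>
$routeXml
</VPNProfile>
"@

# Guard against a category filter mistake leaking non-Optimize ranges out of the tunnel.
if ($prefixes -contains '13.107.6.171/32') { throw 'Non-Optimize prefix found in exclusion list' }
$profileXml
```

The generated XML can be pushed with Intune as a custom configuration profile on the VPNv2 CSP (OMA-URI ./User/Vendor/MSFT/VPNv2/<ProfileName>/ProfileXML, data type String (XML file)). Because Microsoft changes the endpoint list over time, regenerate and redeploy the profile whenever the endpoints service publishes a new version rather than treating the route list as static.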

While on the security topic, check out the latest release of the Digital Defense Report, which outlines the latest threat intelligence and guidance, with a special section dedicated to securing the remote worker and endpoints. With a security architecture in place, it covers the need to protect your company’s IP and data while in transit and at rest, assuming Microsoft Defender for Endpoint and a robust DLP solution are in place on the endpoint. As the Defense Report calls out, it’s important to realize that as more company data is stored off premises, heightened awareness on endpoints is critical.

I also recommend leveraging the security baselines that get published with every Windows 10 update and other solution releases to ensure that, as they’re deployed, your policies either remain active or are extended to cover the new features and capabilities. Further, leverage Microsoft Compliance Manager to ensure security and compliance requirements are met within SLAs across the application portfolio. Update Compliance also gives you insight into our safeguard holds, helping you minimize user impact on devices that may have compatibility issues that would otherwise cause an update failure.

The other benefit of deploying split tunnel VPN for Windows is that it gives you the flexibility to leverage a number of different update solutions, whether it be Windows Update, Microsoft Intune, Windows Update for Business, or a combination of solutions that meet your needs and requirements. Split tunnel VPN for Office offers the same benefits as for Windows and still allows for some configuration flexibility to meet your requirements. In addition, by leveraging Windows Update to manage Microsoft Edge browser updates, you can also bypass the corporate VPN and pull those updates directly from the internet as well.

Making the move to the cloud

Now that we’ve discussed the foundation of a rock solid security approach, and one that can minimize bandwidth impacts on a corporate VPN solution, let’s look deeper at a model of modern and cloud management capabilities that allows everything to be managed on a remote endpoint. A good reference model would be our own internal IT approach to endpoint management, as shown here:


Internally, it starts with the Microsoft Endpoint Manager solution. Microsoft Endpoint Manager brings the concept of a single pane of management glass to life. Not only does it fully integrate with your on-prem deployment of Configuration Manager so you can continue to leverage it to manage on-prem devices if you so choose, it also fully integrates with Intune for remote worker endpoint scenarios. Further, while it provides management capabilities, it also becomes that all-important dashboard to help drive compliance, as well as providing endpoint data that lets you make data-driven decisions around improving device productivity via Endpoint Analytics, and device health and upgrade readiness via Desktop Analytics, and more.

With Microsoft Endpoint Manager, you can then start managing remote worker scenarios and endpoints via Intune as long as the devices are Azure AD joined. In our scenario, we manage the device policies via Intune but leverage Windows Update for Business to manage the actual deployments of Windows 10 feature updates and quality updates, with everything still managed via Microsoft Endpoint Manager. This configuration keeps all the update traffic internet-centric and pulls the content directly from the Microsoft Content Delivery Networks (CDNs), thus eliminating impact on any corporate VPN solution. As a side note, the feature updates do not include the Windows 10 optional content such as Features on Demand (FODs), language packs (LPs) or local experience packs (LXPs). To address that, a great post on acquiring optional content was recently published that includes a highly comprehensive guide and how-to.

The overall goal of this process is to ensure compliance and keep users and their devices as secure and productive as possible. This requires setting up Windows Update for Business and optimizing updates in order to achieve those goals during any deployment to the remote worker. In the near future, we should be seeing more improvements that support deployments with greater granularity.
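A check a practitioner would want before trusting the Intune plus Windows Update for Business model above: confirm on a sample device where update scans actually go, what deferrals are in force, and whether safeguard holds have been switched off. The script below is an added example, not code from the original post or from Microsoft; it reads only the documented policy registry locations (Group Policy values under HKLM\SOFTWARE\Policies and the MDM policy mirror under PolicyManager\current\device) and reports findings that would undermine the CDN-direct design, such as a WSUS server that every remote device would reach over the VPN.

```powershell
# Added example, not from the original post or from Microsoft. Run elevated on
# a Windows 10 endpoint to see where it really gets updates and how they are
# deferred. Only documented policy registry locations are read.

function Get-RegValue {
    param([string] $Path, [string] $Name)
    # Return $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-UpdateSourceReport {
    $wu  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'            # GPO-style policies
    $au  = "$wu\AU"
    $mdm = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Update'       # Intune (MDM) policies
    $do  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization'
    $doM = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeliveryOptimization'

    $useWsus  = (Get-RegValue $au 'UseWUServer') -eq 1
    $wsusUrl  = Get-RegValue $wu 'WUServer'
    $dualScan = Get-RegValue $wu 'DisableDualScan'
    $noInet   = Get-RegValue $wu 'DoNotConnectToWindowsUpdateInternetLocations'

    # WUfB deferrals: the MDM value wins when present, otherwise the GPO value.
    $deferQ = Get-RegValue $mdm 'DeferQualityUpdatesPeriodInDays'
    if ($null -eq $deferQ) { $deferQ = Get-RegValue $wu 'DeferQualityUpdatesPeriodInDays' }
    $deferF = Get-RegValue $mdm 'DeferFeatureUpdatesPeriodInDays'
    if ($null -eq $deferF) { $deferF = Get-RegValue $wu 'DeferFeatureUpdatesPeriodInDays' }

    $doMode = Get-RegValue $doM 'DODownloadMode'
    if ($null -eq $doMode) { $doMode = Get-RegValue $do 'DODownloadMode' }

    # Safeguard-hold opt-out (documented DisableWUfBSafeguards=1). It should
    # normally be absent so compatibility holds keep protecting the device.
    $safeguardsOff = ((Get-RegValue $mdm 'DisableWUfBSafeguards') -eq 1) -or
                     ((Get-RegValue $wu  'DisableWUfBSafeguards') -eq 1)

    $findings = @()
    if ($useWsus -and $wsusUrl) {
        $findings += "Scans go to WSUS ($wsusUrl); on a remote device that traffic rides the VPN."
    }
    if ($useWsus -and $dualScan -eq 1) {
        $findings += "DisableDualScan=1: WSUS is the only source; deferral policies will not trigger Windows Update scans."
    }
    if ($noInet -eq 1) { $findings += "DoNotConnectToWindowsUpdateInternetLocations=1 blocks the Microsoft CDN." }
    if ($null -eq $deferQ -and $null -eq $deferF) { $findings += "No WUfB deferral policy found; device follows the consumer cadence." }
    if ($doMode -eq 100) { $findings += "DODownloadMode=100 bypasses Delivery Optimization (plain BITS download)." }
    if ($safeguardsOff) { $findings += "Safeguard holds are disabled on this device." }

    $source = if ($useWsus -and $wsusUrl) { "WSUS: $wsusUrl" } else { 'Windows Update (Microsoft CDN)' }
    [pscustomobject]@{
        UpdateSource             = $source
        QualityDeferralDays      = $deferQ
        FeatureDeferralDays      = $deferF
        DeliveryOptimizationMode = $doMode
        SafeguardHoldsDisabled   = $safeguardsOff
        Findings                 = $findings
    }
}

Get-UpdateSourceReport | Format-List
```

A device that fits the model described above reports Windows Update as its source, non-null deferral values, a Delivery Optimization mode other than 100, and no findings. Run it through Intune as a script or from a remote session so you can sample devices without touching the VPN concentrator.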

This defined approach is great for supporting existing endpoints that are part of the estate. What it doesn’t do is address one of the biggest challenges of managing and supporting the hybrid workforce: the hands-off provisioning and deployment of newly purchased devices. Having said that, the foundation for supporting Windows Autopilot is already in place via Microsoft Endpoint Manager, Intune and Azure AD. Windows Autopilot is exactly how we here at Microsoft address hands-off provisioning for newly purchased devices. Devices are purchased and shipped directly to end users, who can connect to the internet, log into the machine and be fully functioning in roughly 10 minutes without any intervention from IT. Certainly, keeping the device footprint light and primarily pushing down configuration policies improves the user experience, so the balance becomes a decision on how many applications you may or may not want to include as part of the process. More apps mean more data to be pushed, and the greater the delay in getting users to a productive state.
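Hands-off provisioning only works if the device is registered with Autopilot before the user unboxes it, and registration is keyed on the hardware hash. As an added example that is not code from the original post or Microsoft's own Get-WindowsAutopilotInfo script, the snippet below collects that hash and the serial number from a device and writes the CSV layout the Microsoft Endpoint Manager admin center imports (useful when a reseller did not register the device for you). The Group Tag value "RemoteWorker" and the output path are assumptions.

```powershell
# Added example, not from the original post or from Microsoft. Run elevated on
# the device (it also works from the OOBE Shift+F10 command prompt) to produce
# the Autopilot registration CSV for devices an OEM or reseller did not register.

function Get-AutopilotDeviceRecord {
    param([string] $GroupTag = '')   # optional; routes the device to an Autopilot profile
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    # The hardware hash comes from the MDM bridge WMI provider; it is what the
    # Autopilot service matches the device against at first boot.
    $devDetail = Get-CimInstance -Namespace root/cimv2/mdm/dmmap -ClassName MDM_DevDetail_Ext01 `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
        throw 'Hardware hash unavailable; run elevated on Windows 10 1703 or later.'
    }
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''   # optional column; left blank, as Microsoft's script does
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $GroupTag
    }
}

function Export-AutopilotCsv {
    param([Parameter(Mandatory)] [object[]] $Records, [Parameter(Mandatory)] [string] $Path)
    # Column names must match the import format exactly; the rows are written
    # unquoted, matching the layout Microsoft's own script produces.
    $lines = @('Device Serial Number,Windows Product ID,Hardware Hash,Group Tag')
    foreach ($r in $Records) {
        $lines += "$($r.'Device Serial Number'),$($r.'Windows Product ID'),$($r.'Hardware Hash'),$($r.'Group Tag')"
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    $Path
}

$record = Get-AutopilotDeviceRecord -GroupTag 'RemoteWorker'   # assumed tag value
Export-AutopilotCsv -Records @($record) -Path "$env:SystemDrive\AutopilotHWID.csv"
$record | Select-Object 'Device Serial Number', 'Group Tag', @{ n = 'HashLength'; e = { $_.'Hardware Hash'.Length } }
```

Import the CSV under Devices > Windows > Windows enrollment > Devices in the admin center and assign a deployment profile to the group the tag resolves to; the hash is tied to the motherboard, so a board replacement means re-registering the device.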

This segues into the application deployment discussion and the challenge of how you deploy LOB applications and manage updates to them. In many ways it boils down to approach: you can use a push or an end-user pull model. The push model is certainly one that’s supported by the aforementioned architecture, anchoring on Intune as the deployment mechanism. At the enterprise SKU level, Intune supports a broad array of application packaging technologies that organizations can use to package applications and push them to remote worker endpoints efficiently, with the new MSIX packaging format being the recommended approach for Windows based on its flexibility. Because Intune also manages Android and iOS devices, you can deploy LOB apps to mobile devices as well, using each platform’s native app package format. If you layer in the previously mentioned Microsoft Tunnel Gateway solution, you can also provide secure mobile connectivity to those LOB applications.

For the pull model, organizations have a number of options for users to pull applications, including Microsoft Store for Business and the Intune Company Portal, a company-supported portal that is externally facing. From my perspective, I would consider avoiding local application deployment in the remote worker scenario altogether, and instead leverage Windows Virtual Desktop as the most secure, robust and scalable approach, one that gives LOB application owners full control of the delivery and support of applications in Windows Virtual Desktop, including secure delivery and protecting data at rest and in transit.

Optimizing delivery mechanisms

With the technology foundation and architecture discussion under our belts, there is one final topic of supporting the hybrid workforce which is probably the most important: optimization of the deployment of Windows updates. This goes beyond the technology necessary to drive deployment success, and instead covers other critical pieces of information you need to consider in the process.

The first piece is to understand the best practices and considerations behind the Microsoft-recommended policy settings for each feature update. These are all outlined in the Windows 10 Update Baseline, which, like the security baselines, represents a set of tools and guidelines that assist you in making important policy decisions to ensure deployments are optimized to their fullest.

Next, following the tools and guidelines for optimizing both feature updates and quality updates will ensure efficient delivery of the bits, minimize bandwidth impact and provide the best possible user experience. It is also important for anyone in the position of deploying Windows updates to be fully educated on any issues Microsoft has surfaced during our normal course of business in servicing more than one billion devices worldwide, via the Windows 10 release notes. Finally, leverage the Video Hub for technical deep dives on all of the aforementioned technology by using the filters for your solution area of interest.


In closing, I hope this helps tie all of our solutions and services together into a cohesive storyline that provides you with that longer term, more strategic, and holistic picture of what it takes to “re-imagine IT” support for the hybrid workforce. At the end of the day, it’s all about embracing digital transformation in order to go towards cloud and modern management.

This is not a technology discussion given that I believe this post shows that the technology is viable, but instead a cultural paradigm shift for many organizations with the current situation serving as a forcing function. Use the time to explore new opportunities in your estate that unlock new ways of servicing your remote endpoints and drive change in your organization that embrace service management maturity for the hybrid workforce, as it appears to be the new normal moving forward.
