Why Postponing the Windows 11 Upgrade May Benefit Your Organization

Written by David Worthington on September 28, 2021


New Windows releases are guaranteed to accomplish two things: fuel endless commentary from pundits with effusive coverage of any droplet of information that trickles from Redmond, and trigger a prolonged planning period (and coping mechanisms) within IT teams everywhere. Windows 11 is slated to deliver a few very compelling changes to the user experience and some important upgrades to how it handles security at the boot sector: bravo. The release feels important, and upgrading as soon as it’s available can seem imperative, but you may want to consider joining the party on a schedule that spares your organization unwelcome disruptions to people, hardware lifecycles, and policies.

Compatibility, training, and policy are all specific considerations for Windows 11; there’s also the inevitable shakedown of bugs that occurs with milestone builds that typically appear as a “fast follow” to the initial release. There could be ramifications to both your end users and the devices they use if you dive headlong into upgrading. This article delivers advice that will help you prepare for rolling it out across your inventory.

Change Can be Challenging for People

There were copious numbers of people who used different shells because they *hated* Windows 8 and a few folks within the IT community at large are having parallel discussions now about Windows 11. I think back to my time as an IT director where we had (i) office users who knew tech well, (ii) office users who only knew how to perform certain tasks and needed handholding, and (iii) users who were barely computer literate. Not everyone is going to welcome a major UI overhaul and that cannot be overstated. Before electing to upgrade to Windows 11 you may want to assess its impact on usability by designating test users that are representative of user personas throughout your departments. Microsoft could very well be iterating in a direction that could become more suitable for your organization next year.

I’m reminded of a dramatic example of this I faced a few years ago. I quickly observed that the IT team that was in place failed to appreciate the concept of permission creep shortly after I became responsible for the department. It might sound fantastical, but the CIFS file share was nearly fully open to everyone on the internal network, and the file server was primed for malware to come in and exact maximum harm. My team immediately sought to rectify it, but in our haste we lacked full awareness of how our actions would affect production. 

The corrective action entailed organizing and cleaning up the file share; folder names were modified in that process and a few folders supplanted a directory tagged “0PDF” that had always resided at the top of File Explorer. A different folder was there and that mattered. The capacity to look at a screen and identify where a folder has gone wasn’t a big hurdle to us, but folks on the production floor were accustomed to clicking on the top folder without regard to what it was called. The folder contained drawings that outlined how to make things, and making things is job #1 when you’re in manufacturing. 

Even minor changes can trigger major ripple effects. There are disparate technology skill levels and understanding in every organization, and the disruption caused by a reimagined UI was unexpectedly considerable. We (IT people) think differently than many end users and cannot pre-determine that everyone has the same comfort level. While some end users of yours may be fully prepared for a smooth and speedy transition to Windows 11, it’s more advantageous to account for those who need a more deliberate pace and to account for the particular requirements of each department. Similar to other technology rollouts, like multi-factor authentication implementation, a phased approach based on the “technical readiness” of your workforce can save you headaches down the line. Creating a persona for each department and conducting internal testing avoids surprises before updates enter production. You can establish that by configuring a separate device group for staging to pre-test any update, including Windows 11.

Revised Hardware Requirements

Some of your hardware may not be Windows 11 ready, even if your people are. Microsoft has established PC Health Check as an upgrade gatekeeper for security and compatibility reasons. A specific change that should be on your radar is that Windows 11 introduces a TPM (Trusted Platform Module) 2.0 requirement, which you may have to take time to configure. TPM supports integrity and confidentiality by protecting system files and by strengthening the mechanisms that certificates, secure password storage, and encryption rely on. Windows 11 also specifies newer chipsets, a stringent requirement that narrows the range of PCs it can run on, but this is done for good reason, as outlined below. The revised hardware requirements have nevertheless sparked some consternation within the IT admin community because they shorten PC lifecycles and increase e-waste.

Maximize Existing PCs but Still Consider Upgrading

Reality is that most organizations won’t rush to upgrade, and you may have bigger fish to fry. Initiatives such as Work From Anywhere (WFA), managing vulnerabilities, and improving IT hygiene are foremost on the minds of IT admins right now. There’s also a matter of time and budget. Ask IT admins how many Windows 7 PCs they had running within their organizations going into late 2019 (as it neared End of Life). New hires typically receive a laptop, and that’s theirs, unless it’s lost, stolen, or becomes too dated to effectively run key apps; for most organizations this initial device can last many years. As mentioned before, many end users don’t take to change well, especially in a workplace environment, and others are not as enamored with the “latest and greatest” as they are with the ease of getting their work done.

The Windows 10 support lifecycle extends well into late 2025 as of today. On the one hand, you could use this additional support window to tackle different initiatives, like investing in additional security functionality (such as Zero Trust Security for remote workers, EDR, or DLP systems) or policies for existing PCs to address your immediate priorities, versus immediately deploying Windows 11. Setting into place core Zero Trust Security best practices, like implementing application MFA, may prove to be a more impactful project at this time.

On the other hand, you may find that the security benefits of Windows 11 align with your current security priorities. Newer PC architectures prevent side channel CPU vulnerabilities that were disclosed circa 2018. Microsoft’s hardware requirement changes were sometimes viewed with derision in the past, but this time the company is not obligating upgrades to next-generation CPUs to achieve performance gains. Having TPM 2.0 on by default is also a major shift toward more proactive security, although TPM 2.0 is also supported in the most recent Windows 10 build. You may want to consider fully utilizing the new OS’s security capabilities by ensuring that TPM 2.0 is enabled and deploying certificates for device trust (in staging with device groups) prior to a rollout to all employees. Having considered the human element, this decision should be based purely on the maturity of your security program.
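One way to confirm that TPM 2.0 is present, enabled, and activated across a staging device group before a wider rollout, as an added example that is not from this article or from JumpCloud. The function name `Get-TpmReadiness` and the host names are hypothetical, and the script assumes an elevated session with WinRM reachable on remote hosts.

```powershell
# Added example: TPM 2.0 readiness report for a staging device group.
# Run elevated; Get-TpmReadiness and the host names below are hypothetical.
function Get-TpmReadiness {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($name in $ComputerName) {
        $query = @{
            Namespace   = 'root\cimv2\Security\MicrosoftTpm'
            ClassName   = 'Win32_Tpm'
            ErrorAction = 'Stop'
        }
        # Query the local machine directly; remote hosts go over WinRM
        if ($name -ne $env:COMPUTERNAME) { $query.ComputerName = $name }

        $row = [ordered]@{
            ComputerName = $name
            TpmPresent   = $false
            SpecVersion  = $null
            Enabled      = $false
            Activated    = $false
            Tpm20Ready   = $false
            Error        = $null
        }
        try {
            # No Win32_Tpm instance means no TPM is exposed to the OS
            $tpm = Get-CimInstance @query | Select-Object -First 1
            if ($tpm) {
                $row.TpmPresent  = $true
                $row.SpecVersion = $tpm.SpecVersion
                $row.Enabled     = [bool]$tpm.IsEnabled_InitialValue
                $row.Activated   = [bool]$tpm.IsActivated_InitialValue
                # SpecVersion reads like "2.0, 0, 1.38"; the first field is the TPM family
                $family = ([string]$tpm.SpecVersion -split ',')[0].Trim()
                $row.Tpm20Ready = ($family -eq '2.0') -and $row.Enabled -and $row.Activated
            }
        } catch {
            # Unreachable host, access denied, or missing namespace: report, don't abort the sweep
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Constructed host names standing in for a staging group
Get-TpmReadiness -ComputerName 'STAGING-PC-01', 'STAGING-PC-02' |
    Sort-Object Tpm20Ready | Format-Table -AutoSize
```

Machines that report `TpmPresent` as true but `Enabled` or `Activated` as false usually need a firmware setting changed rather than new hardware, which matters for the lifecycle and budget questions raised above.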

This is not to say that Windows 11 isn’t an important milestone release, but your leaders will likely desire gains in remote work support or security prior to updating anything that’s elective. Microsoft is itself citing the importance of security as the impetus behind its revised minimum hardware specs. It’s also pressing for Zero Trust Security in conjunction with the release of Windows 11 to address today’s more acute cyber threats that exist beyond the confines of individual machines and their operating systems. Zero trust is essentially the nexus of conditional access (ensuring PCs and accounts are secure) and Single Sign On (SSO). Microsoft is peddling those services, but many excellent alternatives exist.

Preparing for the Windows 11 Era With JumpCloud

It’s up to you to make that assessment and adequately prepare the ground for your organization to be aligned with the Windows 11 era from Windows itself through how remote workers access services. A new JumpCloud policy will ‘reclaim your time’ by easily blocking/deferring Windows 11 upgrades until you’ve prepared the ground for the upgrade from people to PCs and everything in between. This is an easy way to maintain stability across your Windows fleet while you test the new release, vet its effectiveness, and train your end users on the new UI and UX features.

You can try JumpCloud without cost for your first 10 users and 10 devices to see if it’s right for your organization, whether you want to modernize IT alongside your Windows 11 deployments or adopt zero trust access control to IT resources, as Microsoft now strongly recommends. You can test out the full functionality of the JumpCloud platform before committing, with the option for 10 days of live chat support to help you along the way if you get stuck.

The priorities you have set are unique to your organization, from foundation improvements to addressing security challenges that plague WFA, now that IT admins must support users and devices outside of the controlled confines of the office. Windows 11 may solve a problem you’re seeking to address, but it could rank lower on your priorities list than hardening existing systems by taking advantage of zero trust solutions (another major pillar of Microsoft’s Windows 11 era of computing). Or, you may want to avoid disruptions. Your judgment is more astute than following the release schedule of a software maker, regardless of the zeitgeist that’s revolving around it.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
