Users
| Tasks | Deliverables |
|---|---|
| - Implement user communication plan. - Review user identity. - Sign off and update procedural documentation. | - Communications plan completed - Updated list of identity components and configurations - Procedural documentation of testing, remediation, and results |
Implement user communication plan
In the Prepare phase, you created a communications schedule and a set of draft emails that you'll now use to inform your users of the upcoming changes that they can expect to see as they're migrated to Windows 11, and how they can reach out for help if necessary.
Now is the time to send those communications and ensure that your users are informed and prepared.
Tip
Recommended deliverable:
Communications delivered to users.
Review user identity requirements
In the Plan phase, you identified any changes to user identity that were needed to support your security and resource access requirements. As the deployment phases progress, you should regularly review and validate that identity controls are correctly configured and actively enforced for users.
Use Microsoft Entra monitoring and health to review identity-related activity, sign-in behavior, and tenant health signals, and to help detect issues that could affect access or user experience.
Review your Identity Secure Score to assess how closely your identity configuration aligns with Microsoft’s recommended security practices and to track improvements over time.
Validate that authentication behavior aligns with your design by reviewing the Microsoft Entra authentication overview, including configured authentication methods and sign-in flows.
You might also consider reviewing key identity and device controls, such as:
Authentication/identity controls:
- Windows Hello for Business: secure passwordless authentication
- FIDO2 Security Keys: passwordless, hardware-based authentication
- Microsoft Entra Conditional Access policies: enforce device and identity access requirements
- Authentication Strength Policies: configure and enforce strong authentication
- Protected Users Security Group: enforce enhanced protections for high-risk accounts
Device/platform security controls:
- Local Security Authority (LSA) Protection: protects credentials in memory
- Windows Defender Credential Guard: hardware-isolated credential protection
- Remote Credential Guard: protects credentials during remote desktop sessions
- Trusted Platform Module (TPM) 2.0: hardware root of trust
- Secure Boot: ensures only trusted OS loads
- Virtualization-Based Security (VBS): isolates sensitive parts of the OS
- Memory Integrity (HVCI): protects kernel memory from tampering
Implement and document any changes that are required. Check whether stakeholder approval is needed before applying identity-related changes.
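One way to spot-check the device/platform controls listed above on a single Windows 11 device is the read-only script below. It is an added example, not part of the original guidance; it assumes an elevated PowerShell session, and the function names `New-Row` and `Get-DeviceControlState` are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report on the device/platform controls listed above.

function New-Row($Control, $State, $Ok) {
    [pscustomobject]@{ Control = $Control; State = $State; Ok = [bool]$Ok }
}

function Get-DeviceControlState {
    # LSA Protection: reads the configured registry value only.
    # RunAsPPL = 1 (with UEFI lock) or 2 (without UEFI lock) means enabled.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name RunAsPPL -ErrorAction SilentlyContinue
    $ppl = if ($lsa) { [int]$lsa.RunAsPPL } else { 0 }
    New-Row 'LSA Protection (configured)' "RunAsPPL=$ppl" ($ppl -in 1, 2)

    # VBS, Credential Guard and Memory Integrity are reported by Win32_DeviceGuard.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = Memory Integrity (HVCI).
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
            -ClassName Win32_DeviceGuard -ErrorAction Stop
        $vbs = $dg.VirtualizationBasedSecurityStatus
        $running = @($dg.SecurityServicesRunning)
        New-Row 'Virtualization-Based Security' "Status=$vbs" ($vbs -eq 2)
        New-Row 'Credential Guard' "Running=$($running -contains 1)" ($running -contains 1)
        New-Row 'Memory Integrity (HVCI)' "Running=$($running -contains 2)" ($running -contains 2)
    } catch {
        New-Row 'VBS / Credential Guard / HVCI' "Query failed: $($_.Exception.Message)" $false
    }

    # TPM 2.0: SpecVersion starts with the supported specification version.
    try {
        $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
            -ClassName Win32_Tpm -ErrorAction Stop
        if ($tpm) { New-Row 'TPM 2.0' "SpecVersion=$($tpm.SpecVersion)" ($tpm.SpecVersion -like '2.0*') }
        else { New-Row 'TPM 2.0' 'No TPM reported' $false }
    } catch {
        New-Row 'TPM 2.0' "Query failed: $($_.Exception.Message)" $false
    }

    # Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try {
        $sb = Confirm-SecureBootUEFI -ErrorAction Stop
        New-Row 'Secure Boot' "Enabled=$sb" $sb
    } catch {
        New-Row 'Secure Boot' "Not supported or not readable: $($_.Exception.Message)" $false
    }
}

Get-DeviceControlState | Format-Table -AutoSize
```

Rows with `Ok = False` are candidates for the updated list of identity components and configurations. The LSA row reflects the local registry setting, not proof that LSASS is currently running as a protected process.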
Tip
Recommended deliverable:
Updated list of identity components and configurations.
Sign off and update procedural documentation
As you make decisions throughout this stage, document them in an easily shareable format for tracking, reporting, and continuity purposes. Get approvals of these deliverables from all the people identified in your RACI matrix connected to user readiness. Seek help and address any gaps before moving to the next deployment phase.