Q&A: VUMC IT Leader on What It Takes to Migrate to Windows 11

Here is what higher education institutions can learn from VUMC’s Windows 11 migration project:

EDTECH: Can you explain VUMC’s approach to the Windows 11 migration project?

ARNOLD: We started our evaluation in 2021 by looking at our base images and making sure they would work for our administrative workstations. Starting in April 2022, we mandated that any new device being implemented should be shipped from the manufacturer with Windows 11. We allowed that to go for about two years as part of our device refresh cycle.

We still have devices that have applications on them that are not Windows 11–certified. So, we are going to have to keep Windows 10 extended support for a small set of devices. We’re trying to minimize that as much as we can until either the application gets certified or gets upgraded to a version that is certified. We’ve got a number of those. I think we’ve got around 1,200 devices on our exception list.

In September 2024, we started the actual automated push for the feature update to Windows 11 on all of our administrative devices and workstations. We did a push on our clinical devices and workstations at the end of 2024 where we upgraded the 10,000 clinical workstations in our inventory to Windows 11. That went off without a hitch. About 1% of the devices have an application that is not certified, but those applications are supposed to be upgraded in the next couple of months, and then we’ll have 100% of our clinical workstations updated.

RELATED: Build a foundation for smarter device management with Windows 11 Pro.

We are right at 92% of having all of our administrative workstations migrated to Windows 11, with 3% of devices on the exception list and another 5.5% of devices that either can’t take the upgrade, don’t have the processor, don’t have the disk space or don’t have the other requirements that Microsoft put in place. So, we are looking to start sending out and doing a device replacement for those devices as well, probably in July. Hopefully by the time October and November come around, when Windows 10 standard support is no longer available, we’ll have as few devices as possible for which we’ll need to buy Windows 10 extended support. We know that we’re going to have a group of devices that need it, but we need to minimize that so that we reduce the cost.

EDTECH: How did you go about getting executive buy-in on this initiative?

ARNOLD: We did our due diligence with testing on our administrative workstations. We also did a lot of prep work with our health IT organization. We sent forms to every app owner that we could find, asking them to give us their devices and certification update. We went to them and gathered that information before we started the major device push. We also created a process for new builds. If you needed a new build that was on Windows 10, that application had to be on the list, or you did not get a Windows 10–built device.

If somebody required or stated that they required a Windows 10 device, we put in some checkpoints up front to ensure we listed the application, tracked that application and checked in with those end users or app owners to verify their current time frame. We are also going to go back as we get closer to the October deadline and validate a plan to have them put all those devices with our cybersecurity team as an exception to remain on Windows 10. That way it can be formally tracked through our cybersecurity team as well as our IT team because — especially now with the cost and hours being spent — the fewer dollars that I spend on this, the more I can spend somewhere else.

EDTECH: Is there anything else you want to add about the preparation that was required ahead of the migration?

ARNOLD: At VUMC, we’ve got three internal organizations within IT. We’ve got VUMC IT, which is basically central IT that handles infrastructure, app management, data, networks, IT service management and bi-organizational workplace services, which is the service and support piece of that. Then we’ve got Vanderbilt enterprise cybersecurity. They handle all the cybersecurity pieces for identity, firewalls and access. Then we’ve got health IT, which is all of our clinical app management and all of our application tools from Epic, all the way down to an individual app on that may be on 10 devices in our eye institute.

We worked with those teams to find the tools and the apps that were not certified. We did extensive work across all the different app groups to verify and collect that data to make sure we did not force an upgrade.

We gathered the data and worked with the app owners who were concerned to test the Windows 11 update or devices with them, rather than just forcing that update. We had them get comfortable with their application working on the device before we did a mass upgrade. It was a lot of good work and took a lot of collaboration and cooperation with the other organizations to make that happen.

EDTECH: How did VUMC handle the disposal process for noncompatible devices?

ARNOLD: We don’t want to put things in the landfill, so we use an external company. We’ll manage the reclaim, but then we’ll send it off for the shredding of drives and parts that would potentially have sensitive information. They will recycle and reuse parts if possible. We want to make sure that we’re being as sustainable as we can while maintaining security.

EDTECH: How did the Windows 11 migration project fit with VUMC’s overall digital transformation strategy?

ARNOLD: What VUMC is really trying to do is modernize and standardize where we can. With Windows 11, we’re putting processes in place for now and for the future, because at some point, Windows 11 will go away, and we’ll have to do this all again. We want to make sure that our application owners are thinking about these things, because they generally don’t. They don’t consider the compliance with a Microsoft OS on their device. However, if they can budget that into their software and updates, it will be a smoother transition.

Looking overall at our digital transformation, we’re focused on keeping devices up and working at a higher percentage. We’ve got some other tools that we’ve implemented as well to track that. What Windows 11 can do really helps with the security posture, not only from patching, but with some of the new processes and tools within Microsoft Intune that I can use on Windows 11 versus Windows 10. So, I have some additional capabilities once I’m on to newer equipment.

We may have some Windows 10 machines around for years and years; however, we do have security protocols in place to make sure that, if that’s the case, we put them on a secure network that doesn’t have outside access, to reduce vulnerability. We lock down those types of networks and, again, that’s why we bring our cybersecurity team in to consult on every exception and every device.

LEARN MORE: Windows Autopilot supports Microsoft device management.

EDTECH: What are the IT benefits for VUMC from this Windows 11 migration?

ARNOLD: There are some changes in some of the security features and what we can do with Microsoft Intune. It also made us look at our hardware to ensure that we were addressing those concerns and needs, because Windows 11 just takes a little bit more processing power, but so does every application update. This really helped drive us to get better processors and bigger hard drives, not only for Windows but also for all those other apps when they upgrade. This upgrade helped us keep up with the hardware technology.

EDTECH: What lessons have you learned from this process that would be useful for other organizations to know?

ARNOLD: Continue close coordination. Make sure that instead of IT and cybersecurity coming in and saying, “Well, this is what we’re doing,” they should be having those conversations and explaining the “why” to owners of both clinical and standard applications.

We’re also moving toward standardized application management from an asset standpoint, so that I don’t have 15 different departments ordering the exact same software. Now, I can get discounts associated with volume. I can also track and manage the vulnerabilities of specific applications to make sure they are getting the updates they need, because a lot of times, an organization will pay for an app that they’ll use for 20 years without going to the next version. However, if we centralize the management of those applications, then we can keep those applications managed and secure.

EDTECH: Is there anything else you want to add?

ARNOLD: I’ve been here for almost four years, and VUMC has made a great deal of updates and process tooling to drive standards and centralization. We’re working with our different suppliers, such as Microsoft, on how we can stay up to date. I don’t think we want to be a very early adopter whenever Windows 12 comes out, but it will be important for app owners to keep that in mind and have discussions with their vendors rather than waiting until four years after it comes out to even start. So, put that in the forefront of your discussions and planning as well.