The States of Guernsey has told staff that anyone who needs a laptop for their job will be issued a new machine if their existing device cannot run Windows 11, part of a wider, government‑wide upgrade to modernise endpoints and retire legacy systems — a move that coincides with the States’ post‑Agilisys reorganisation into a multi‑vendor IT model and a series of new supplier agreements to deliver hardware, hosting and helpdesk services.
The announcement follows months of visible churn in the States’ IT arrangements after a high‑profile decision to end the decade‑long Agilisys contract and move to a multi‑vendor approach intended to increase accountability and resilience. The switch away from a single large integrator has seen separate contracts awarded for helpdesk, hosting and hardware lifecycle management — moves explicitly linked to the current refresh programme. (bbc.co.uk, bailiwickexpress.com)
One immediate and publicised element of the refresh is the hardware replacement plan: the States’ new hardware supplier has a remit to modernise roughly 3,000 staff laptops during its contract, and States leadership has confirmed that laptops that are not compatible with Windows 11 will be replaced under the programme.
Windows 11, released in October 2021, is being positioned by Microsoft as the supported platform going forward — with a refreshed UI, productivity features, tighter integration with Microsoft services (including the company’s Copilot AI experiences) and a stronger baseline of hardware‑based security primitives. Those security and manageability improvements are core reasons many public bodies have set migration targets ahead of the Windows 10 end‑of‑support date. (blogs.windows.com, support.microsoft.com)
Because of the TPM, Secure Boot and approved CPU lists, many devices produced before roughly 2018–2019 cannot be upgraded in‑place. That forces a binary choice for organisations: extend legacy support via paid extended security updates or replace incompatible devices — or in some tightly controlled cases, adopt virtual/cloud desktop alternatives. The States’ decision to replace non‑compatible laptops reflects that reality. (support.microsoft.com, wired.com)
That distinction is important for public‑sector deployments: a standard Windows 11 upgrade may be sufficient to restore security patching, but delivering the highest levels of AI‑enabled productivity or advanced on‑device privacy features will typically require modern Copilot+‑capable hardware. Organisations should therefore treat security upgrades (Windows 11 compatibility) and AI‑enablement (Copilot+ readiness) as separate, but sometimes overlapping, procurement decisions. (blogs.windows.com, learn.microsoft.com)
The practical upshot is that hardware lifecycle, endpoint security, device provisioning and user support are now delivered by different vendors who must coordinate closely. That model can reduce single‑point failure risk and encourage sharper service level agreements, but it also demands strong vendor orchestration from the States’ internal IT team. (bailiwickexpress.com, guernseypress.com)
Supply chain delays remain a risk for large purchases; locking in staged deliveries and agreeing to local depot repair support reduces the chance that a late shipment cripples a migration wave. Where hardware refreshes are politically or environmentally sensitive, trade‑in and recycling programmes can reduce net costs and demonstrate sustainability commitments.
However, simply installing Windows 11 is not a panacea. Security configuration, endpoint protection stacks, identity governance (MFA, conditional access), and network segmentation must be coordinated with the OS refresh. In particular, devices left as exceptions become high‑value targets and require continuous monitoring and limited network reach until retired.
That said, the programme carries meaningful risks that demand active mitigation: cost and supply pressures, the operational complexity of coordinating multiple suppliers, the need to protect legacy or specialised workloads, and the governance challenge of ensuring tight oversight. To be successful, the States will need robust inventory data, staged deployment pilots, firm vendor orchestration, and clear policies on AI and data handling for Copilot features. (bailiwickexpress.com, blogs.windows.com)
If those controls are applied and the rollout is executed in waves with tight monitoring and user support, the outcome will be a materially more secure and future‑ready workplace. If not, the programme risks the classic pitfalls of large IT change: cost overruns, user disruption, and persistent legacy gaps that undermine the security gains the upgrade is intended to deliver.
Source: Bailiwick Express States staff to get new laptops - Bailiwick Express News Guernsey
Background
The announcement follows months of visible churn in the States’ IT arrangements after a high‑profile decision to end the decade‑long Agilisys contract and move to a multi‑vendor approach intended to increase accountability and resilience. The switch away from a single large integrator has seen separate contracts awarded for helpdesk, hosting and hardware lifecycle management — moves explicitly linked to the current refresh programme. (bbc.co.uk, bailiwickexpress.com)One immediate and publicised element of the refresh is the hardware replacement plan: the States’ new hardware supplier has a remit to modernise roughly 3,000 staff laptops during its contract, and States leadership has confirmed that laptops that are not compatible with Windows 11 will be replaced under the programme.
Why this matters now: the Windows lifecycle deadline and why Windows 11
Microsoft’s mainstream support for Windows 10 ends on October 14, 2025. After that date Windows 10 will no longer receive security updates or technical assistance, leaving devices on the old platform exposed to new vulnerabilities and compliance gaps unless compensating mitigations are in place. For organisations that manage sensitive citizen data and regulated services, that exposure is not academic: continuing on an unsupported OS increases operational risk and potential liabilities. (support.microsoft.com, microsoft.com)Windows 11, released in October 2021, is being positioned by Microsoft as the supported platform going forward — with a refreshed UI, productivity features, tighter integration with Microsoft services (including the company’s Copilot AI experiences) and a stronger baseline of hardware‑based security primitives. Those security and manageability improvements are core reasons many public bodies have set migration targets ahead of the Windows 10 end‑of‑support date. (blogs.windows.com, support.microsoft.com)
What Windows 11 requires — and why some laptops must be replaced
Windows 11 tightened the baseline hardware requirements compared to Windows 10. The published minimums include a 64‑bit, 1 GHz or faster CPU with two or more cores, 4 GB RAM, 64 GB storage, UEFI firmware with Secure Boot, and a Trusted Platform Module (TPM) 2.0. Microsoft also restricts supported processors to approved families — which has left a portion of older fleets ineligible for upgrade without hardware changes. These requirements are not arbitrary; they underpin several of Windows 11’s security features such as virtualization‑based security (VBS) and modern firmware protections. (support.microsoft.com, wired.com)Because of the TPM, Secure Boot and approved CPU lists, many devices produced before roughly 2018–2019 cannot be upgraded in‑place. That forces a binary choice for organisations: extend legacy support via paid extended security updates or replace incompatible devices — or in some tightly controlled cases, adopt virtual/cloud desktop alternatives. The States’ decision to replace non‑compatible laptops reflects that reality. (support.microsoft.com, wired.com)
Copilot, AI and the new "Copilot+ PC" class: why hardware matters beyond the OS
Windows 11’s roadmap has increasingly centred on AI integration through Microsoft Copilot. Microsoft has been rolling Copilot features into Windows — from a system‑wide assistant to more recent functions such as semantic file search and Copilot Vision, which can process images and guide users within applications. Some of the most advanced Copilot experiences (labelled “Copilot+ PC” features) require dedicated on‑device Neural Processing Units (NPUs) and higher‑spec hardware (for example, 16 GB+ RAM and more robust storage) to run locally and accelerate AI tasks. (blogs.windows.com, support.microsoft.com)That distinction is important for public‑sector deployments: a standard Windows 11 upgrade may be sufficient to restore security patching, but delivering the highest levels of AI‑enabled productivity or advanced on‑device privacy features will typically require modern Copilot+‑capable hardware. Organisations should therefore treat security upgrades (Windows 11 compatibility) and AI‑enablement (Copilot+ readiness) as separate, but sometimes overlapping, procurement decisions. (blogs.windows.com, learn.microsoft.com)
The States’ procurement and multi‑vendor strategy: what changed
Following a critical review and the decision to terminate the Agilisys contract, the States of Guernsey adopted a multi‑vendor model. The stated goals are greater supplier accountability, access to specialised expertise, and improved resilience — replacing the single‑supplier dependency with smaller, contractually distinct arrangements for hosting, helpdesk, hardware supply and other functions. Early contract awards include a helpdesk provider and separate hosting/network support, and a hardware supply contract that explicitly covers the planned laptop replacements. (bbc.co.uk, bailiwickexpress.com)The practical upshot is that hardware lifecycle, endpoint security, device provisioning and user support are now delivered by different vendors who must coordinate closely. That model can reduce single‑point failure risk and encourage sharper service level agreements, but it also demands strong vendor orchestration from the States’ internal IT team. (bailiwickexpress.com, guernseypress.com)
Strengths of the States’ approach
- Security‑first timing: Moving staff to supported Windows 11 machines ahead of Windows 10 end of support is the right high‑level decision from a security and compliance perspective. It reduces the attack surface and keeps critical public services eligible for vendor fixes.
- Vendor specialisation: The multi‑vendor model allows the States to pick best‑of‑breed suppliers for hosting, helpdesk and hardware lifecycle. Early signs show local and specialised firms being engaged, which can help with responsiveness and on‑island continuity. (bailiwickexpress.com, channeleye.media)
- Clear replacement policy for incompatible devices: The States has framed the hardware replacement as part of a structured programme rather than ad hoc patches, which helps with budgeting and operational planning. The hardware contract explicitly mentions a large‑scale laptop refresh.
Risks and operational challenges
- Replacement scale and cost pressure: Replacing thousands of devices is expensive and logistically complex. Beyond device unit costs, organisations must budget for docking stations, peripherals, warranties, deployment services, recycling and data migration. Public bodies with tight budgets risk under‑provisioned rollouts or stretched timelines. This challenge is visible in many public and academic transitions to Windows 11.
- Supplier coordination and integration testing: Splitting services across vendors reduces single‑supplier risk but increases the need for clear interfaces, shared playbooks for incidents, and integration testing (e.g., imaging, management agents, and access to internal services). Without robust vendor orchestration and contractual SLAs, handoffs can become failure points. (guernseypress.com, bailiwickexpress.com)
- Legacy applications and specialised devices: Some departmental apps or lab equipment may depend on older drivers or 32‑bit stacks and won’t work on Windows 11 without remediation. Those exceptions must be identified early and have compensating controls (network segmentation, restricted access) if replacement is impossible.
- User experience and training: Windows 11 has visual and workflow differences from Windows 10. Large‑scale rollouts require training, updated support documentation and an easy path for users to get help; otherwise helpdesk ticket volumes and user frustration will spike.
- Privacy and AI governance: Copilot’s local and cloud features raise legitimate questions about which data is processed locally, what is uploaded to Microsoft services, and how consent is obtained. Organisations must set firm policy guardrails and permissions so Copilot features don’t inadvertently expose sensitive data. Microsoft’s guidance and preview notes emphasise user permissions and opt‑in behaviours, but public sector deployments demand explicit policies and audits.
Practical checklist for States IT and other public bodies planning a similar transition
- Inventory and categorise every managed endpoint: record CPU, TPM presence, Secure Boot support, RAM and storage, plus attached peripherals and any specialised hardware dependencies. This is the single most valuable dataset to run an efficient refresh.
- Split the fleet into three buckets: (A) compatible for in‑place upgrade to Windows 11; (B) upgradeable with modest hardware changes; (C) must be replaced. Prioritise mission‑critical users and systems in the earliest waves.
- Define exception governance: clarify how legacy or specialist devices will be handled, what compensating controls are required, and timeboxed exception approvals. Where possible, use virtualised or isolated environments to host legacy workloads.
- Procurement for lifecycle, not just devices: award contracts that include imaging, asset tagging, secure data wipe and recycling, warranty/repair SLAs, and spare‑unit logistics. Negotiate accelerated lead times and depot repair windows.
- User onboarding and training plan: publish simple guides, run short hands‑on sessions, and create triage flows for the helpdesk to reduce ticket churn at cutover.
- Test staging and pilot: deploy to a small cross‑section of users (helpdesk, finance, operations) and validate application compatibility, identity/auth flows and printing/network access before broader rollout.
- AI and Copilot policy: decide which Copilot features will be allowed, set defaults to conservative privacy settings, and document the process for handling any uploaded files or sensitive queries. Ensure legal and data protection teams sign off.
- Post‑deployment monitoring: use endpoint management and EDR telemetry to verify feature flags, update compliance, hotpatching status, and to quickly isolate non‑compliant devices.
Costs, timelines and procurement realities
Device unit costs vary widely by specification. Basic business laptops capable of running Windows 11 often start in the mid‑range, but Copilot+‑ready or high‑availability models cost materially more because of greater RAM, faster storage, and NPUs or specialised silicon. Procurement should therefore capture both the immediate minimum‑compliance baseline and optional higher‑spec configurations for power users. Contract structures that guarantee price protection, spare pools and phased financing (multi‑year) will smooth budgetary impact.Supply chain delays remain a risk for large purchases; locking in staged deliveries and agreeing to local depot repair support reduces the chance that a late shipment cripples a migration wave. Where hardware refreshes are politically or environmentally sensitive, trade‑in and recycling programmes can reduce net costs and demonstrate sustainability commitments.
Security posture: immediate gains and medium‑term considerations
A baseline Windows 11 fleet brings immediate security benefits: continued security updates, enforcement of firmware‑level protections (TPM, Secure Boot), and a greater ability to deploy features such as virtualization‑based isolation and hotpatching that reduce downtime for emergency fixes. These capabilities materially raise the bar against firmware‑level attacks and many classes of modern ransomware.However, simply installing Windows 11 is not a panacea. Security configuration, endpoint protection stacks, identity governance (MFA, conditional access), and network segmentation must be coordinated with the OS refresh. In particular, devices left as exceptions become high‑value targets and require continuous monitoring and limited network reach until retired.
Governance and public accountability
Large public IT programmes require clear transparency: itemised budgets, published timelines, risk registers and clear performance metrics for new suppliers. The Agilisys experience in Guernsey showed how governance gaps and underestimated in‑house capability can magnify vendor performance issues; the multi‑vendor approach only delivers improvement if the principal authority retains the right technical oversight, contract management and escalation teeth. The States has already signalled increased in‑house capability and a different contracting posture — but the programme’s success will hinge on the quality of that governance in practice. (bbc.co.uk, guernseypress.com)Final assessment and practical verdict
The States’ plan to replace devices that cannot run Windows 11 is pragmatic and aligned with good security practice: it closes the impending Windows 10 unsupported window, brings endpoints under patchable and auditable control, and positions the government to leverage modern productivity and security features. The concurrent move to a multi‑vendor delivery model is sensible on principle — it can increase supplier accountability and enable targeted specialisation. (support.microsoft.com, bailiwickexpress.com)That said, the programme carries meaningful risks that demand active mitigation: cost and supply pressures, the operational complexity of coordinating multiple suppliers, the need to protect legacy or specialised workloads, and the governance challenge of ensuring tight oversight. To be successful, the States will need robust inventory data, staged deployment pilots, firm vendor orchestration, and clear policies on AI and data handling for Copilot features. (bailiwickexpress.com, blogs.windows.com)
If those controls are applied and the rollout is executed in waves with tight monitoring and user support, the outcome will be a materially more secure and future‑ready workplace. If not, the programme risks the classic pitfalls of large IT change: cost overruns, user disruption, and persistent legacy gaps that undermine the security gains the upgrade is intended to deliver.
Practical takeaway for IT managers and policy teams
- Prioritise a complete, validated inventory before procurement decisions.
- Treat operating system migration and AI enablement as two related but separate procurement problems.
- Build a conservative Copilot governance policy and default Copilot privacy settings to off by default for sensitive user groups.
- Require vendor commitments for staging, imaging, warranty and recycling in any hardware contract.
- Staff the central IT function for vendor oversight and contract management — multi‑vendor models only work if the principal party can coordinate effectively. (support.microsoft.com, bailiwickexpress.com)
Source: Bailiwick Express States staff to get new laptops - Bailiwick Express News Guernsey