But they don’t have to make any OS “office-wide”. All they have to do is

1. move from a centralized micro-management of every workstation to a scenario where users can be provided a prepared workstation, but may configure one themselves
2. transition to a security policy that assumes every single workstation is insecure, and regulate the network traffic to allow only those protocols that are required for the business, protecting each machine from the next (this would prevent so many major security incidents where a single machine gets compromised and then the whole network is affected)
3. provide central infrastructure as open protocols - IMAP (or POP3/SMTP), HTTPS, FTPS + file & printer sharing as desired
4. enforce open formats within the enterprise

If necessary (assuming you have really irresponsible users), before authorizing users to set up their own machine, they can do a qualification check - or have the user’s line manager approve the “individual setup”.

This would enable power users productivity and even if you don’t change anything for the vast amount of users, it would pay off rapidly. If you can move regular workstations away from the bloatware that is Windows, you would boost the overall productivity immensely.

Specifically, what I am arguing against is:

• locking users into an eco-system for any kind of service (e.g. MS Exchange servers, MS Active Directory)
• outsourcing your IT competences to Microsoft (because let’s be real, that’s the actual reason IT departments go for Microsoft: corporate IT is outsourced as a service, this means lowest bidder, and the lowest bidder will happily take Microsoft’s offer to take care of any “real” issues and only provide a really, really dumb and helpless first level support)
• having tons of services listening on every workstation that no one ever needs (just open your windows control panel (while it’s still around) and check out all the running services, of which you could disable > 50% if Windows would let you, without impacting the operational state of your machine) and each one presenting a vulnerable interface to the network