Best Practices in Migrating to Cloud Native Endpoint Management with Microsoft Intune
Simplify endpoint management and security with a single, connected experience with the Microsoft Intune Suite.
In this article series Jason Roszak, Chief Product Officer, Microsoft Intune, describes how the adoption of Intune has evolved to a full Cloud-based service model.
Example customers are cited, such as Ericsson, who employ over 100,000 staff across 180 countries:
“We’ve gained control, security, and efficiency all while allowing us to remove costly on-premises infrastructure. Rapid policy deployment, enhanced application management, and remote device control have reduced risks and boosted productivity. This transformation has led to substantial cost reduction and streamlined operations.” — Nickolaj Andersen, Senior Architect End User Computing at Ericsson.
The pure Cloud Native model for Intune adoption is defined as:
- Using pure cloud-based user identity.
- Devices are managed exclusively from the cloud, receive apps and configurations dynamically, and can be reset or restored from the cloud.
- Using Windows Autopilot or zero-touch deployment for all your Windows devices.
- Layered (defence-in-depth) security controls are applied at scale through cloud-integrated solutions.
Reducing Costs and Improving Efficiency
Pure cloud endpoint management lowers the likelihood of a security breach, and with it the costs a breach brings.
It enables patches and policies to be delivered to employee devices more promptly, shortening the window in which a device remains vulnerable. It also lets customers draw on the full scope and scale of Microsoft's cloud to detect threat signals from increasingly sophisticated attackers and respond accordingly.
The other part of the business case is the support cost of legacy on-premises solutions. These solutions need more staff to run, which is especially difficult in short-staffed areas such as security, and the best employees will want to work on forward-looking technologies that keep their skills current.
Another customer example is HP, which recently implemented Microsoft Intune for Mobile Application Management, Windows mobile device management and Windows Autopilot, and used Windows Update to keep devices current during its ongoing Windows 11 migration.
Using the fully cloud-based solution, HP has seen many benefits, including a 60% reduction in endpoint patch adoption time and the ability for existing IT staff to focus on more strategic issues than before. Windows Autopilot has also helped reduce device setup time for newly hired employees.
Adopting Cloud Native Intune – Best Practices
Jason provides a comprehensive walk through of the process to follow to achieve this migration.
In short: first, modernize all management workloads by moving them from on-premises to Intune. Second, hybrid Entra join your existing PCs and enroll them in Intune. Third, for new Windows devices, go straight to cloud native.
Policy Migration
Enabling all management workloads from the cloud is the fastest way to reduce the complexity and cost of current technology and get closer to a single pane of glass. When making the transition from Microsoft Configuration Manager (ConfigMgr) to Intune, there are two types of cloud workloads you will enable.
The first are management functions that you move from ConfigMgr to the cloud, such as updates, app deployment and policy configuration. The second are net-new capabilities only made possible by the cloud, such as automation, analytics and generative AI related workloads.
For the existing workloads, a common approach is to start with compliance and security workloads, followed by policy. This supports Zero Trust initiatives and ensures strong security policies are in place during the transition. With security policies in place, customers then move the updates (patching) workload to the cloud to take advantage of Microsoft's modern approach to updating devices on any network, anywhere in the world.
“Windows 10 was the catalyst for retooling our environment and getting to where we are today, moving patch compliance from 60% to 97% across 45,000 endpoints.”
—Andrew Zahradka, Head of Workplace Compute Technology at National Australia Bank
Application Modernization
Apps are often the last workload migrated, as there is frequently an advantage to rationalizing application estates before migrating them.
When migrating apps, Microsoft does not recommend moving all apps like-for-like from on-premises to the cloud. Instead, they recommend reviewing the apps and removing unused applications before migration, which often takes organizations from thousands of applications down to hundreds that need to be migrated.
There may be one or two workloads that can't immediately be moved to the cloud, and the recommendation here is not to let one or two laggard workloads stop you from gaining the rest of the benefits of moving to the cloud. Instead, manage all workloads natively in the cloud wherever possible, and use ConfigMgr as a sidecar helper until you can modernize the laggard workloads.
Entra Identity
The next step is to begin enrolling devices: enroll the clients managed by ConfigMgr into Intune and hybrid join them to Microsoft Entra ID (previously Azure Active Directory).
This is a transitory step, not the end game. It takes time to transition to the cloud and modernize your directory and management solutions. By taking this first step of enrollment and hybrid Entra join, you gain the benefits of the cloud workloads and can move away from dual management, where existing devices receive workloads from on-premises ConfigMgr and new devices from the cloud.
For identity management, Microsoft recommends that you hybrid join your existing devices to Entra ID while new devices are joined directly (natively) to Entra ID.
Hybrid join is the interim step, specifically for your existing Active Directory joined devices. It brings the benefits of the cloud without resetting and reprovisioning the device and disrupting the user. Hybrid devices then age out of your environment as they are replaced with cloud-native, Entra joined new devices through the natural refresh lifecycle, or opportunistically when an event such as a break-fix requires a device to be reimaged.
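Tracking the transition described above means knowing, tenant-wide, how many Windows devices are still hybrid joined, how many are already Entra joined, and which of each are actually enrolled in Intune. The following PowerShell script is an added example, not code from the article or from Microsoft; it reads the Entra device object's trustType (documented values: AzureAd for Entra joined, ServerAd for hybrid joined, Workplace for Entra registered) and isManaged (true once the device is MDM enrolled). It assumes the Microsoft.Graph PowerShell SDK is installed and that the caller has Device.Read.All when run with -FromGraph; without that switch it runs offline against a small constructed sample so the grouping logic can be checked first.

```powershell
# Added example: summarize Windows device join state vs. Intune enrollment across a tenant.
# Assumptions (not from the article): Microsoft.Graph SDK installed; trustType values
# AzureAd / ServerAd / Workplace as documented for the Entra 'device' resource.

function Get-JoinStateLabel {
    param([string]$TrustType)
    switch ($TrustType) {
        'AzureAd'   { 'EntraJoined' }      # cloud-native target state
        'ServerAd'  { 'HybridJoined' }     # interim state for existing AD-joined PCs
        'Workplace' { 'EntraRegistered' }  # registered only, typically BYOD
        default     { 'Unknown' }
    }
}

function Get-MigrationSummary {
    param([Parameter(Mandatory)][object[]]$Devices)
    # Only Windows matters for the hybrid -> Entra join transition.
    $windows = $Devices | Where-Object { $_.OperatingSystem -like 'Windows*' }
    $rows = foreach ($group in ($windows | Group-Object { Get-JoinStateLabel $_.TrustType })) {
        [pscustomobject]@{
            JoinState     = $group.Name
            Total         = $group.Count
            IntuneManaged = @($group.Group | Where-Object { $_.IsManaged -eq $true }).Count
            NotEnrolled   = @($group.Group | Where-Object { $_.IsManaged -ne $true }).Count
        }
    }
    $rows | Sort-Object JoinState
}

# Constructed sample data standing in for Get-MgDevice output (property names match the cmdlet's).
$sample = @(
    [pscustomobject]@{ DisplayName = 'PC-001'; OperatingSystem = 'Windows'; TrustType = 'ServerAd';  IsManaged = $true  }
    [pscustomobject]@{ DisplayName = 'PC-002'; OperatingSystem = 'Windows'; TrustType = 'ServerAd';  IsManaged = $false }
    [pscustomobject]@{ DisplayName = 'PC-003'; OperatingSystem = 'Windows'; TrustType = 'AzureAd';   IsManaged = $true  }
    [pscustomobject]@{ DisplayName = 'PC-004'; OperatingSystem = 'Windows'; TrustType = 'Workplace'; IsManaged = $false }
    [pscustomobject]@{ DisplayName = 'MAC-01'; OperatingSystem = 'MacOS';   TrustType = 'AzureAd';   IsManaged = $true  }
)

if ($args -contains '-FromGraph') {
    # Live path: read-only directory scope is enough for this report.
    Connect-MgGraph -Scopes 'Device.Read.All'
    $devices = Get-MgDevice -All -Property DisplayName, OperatingSystem, TrustType, IsManaged
} else {
    $devices = $sample
}

Get-MigrationSummary -Devices $devices | Format-Table -AutoSize
```

Run without arguments to see the sample report (HybridJoined 2 total, 1 managed, 1 not enrolled; EntraJoined 1/1/0; EntraRegistered 1/0/1), then with `-FromGraph` against the tenant. The NotEnrolled count under HybridJoined is the backlog for the enrollment step; the HybridJoined total trending toward zero is the ageing-out the article describes.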
Windows 11
Lastly, customers have asked whether they should delay their Windows 11 upgrades if they are not ready to move ahead with management modernization.
The guidance here is clear: prioritize rolling out Windows 11 with the management tools and processes you already have in place today, such as ConfigMgr. If you have devices that are not Windows 11 capable but want to use Windows 11 features and capabilities, you can do so with Windows 365 Cloud PC until new capable devices have been acquired.
As you refresh or reset Windows devices, Microsoft's recommendation is to manage them as fully cloud native. This is an opportunity to reimagine what Windows management should look like in your organization. This greenfield approach sets a North Star for your organization's transition and reduces the risk of recreating outdated legacy approaches in the cloud.