This blog series advocates for the adoption of cloud-native device management, with this installment focusing on accelerating the transition. It follows a previous post detailing success stories of organisations benefiting from cloud-native management, citing improved security, cost efficiency, and future readiness.
The blog highlights increased customer adoption of cloud-only management and Microsoft Intune's investment in cloud-native scenarios. It addresses common customer questions about transitioning to the cloud and proposes a three-phase approach. First, modernize all management workloads by moving them from on-premises systems to Intune. Second, hybrid join existing PCs to Microsoft Entra ID (formerly Azure Active Directory) and enroll them in Intune. Third, manage new Windows devices as cloud-native from the start rather than routing them through on-premises tooling. This phased approach is meant to simplify the transition for organisations that want fully cloud-based management.
Enabling workloads in Intune
Enabling all management workloads from the cloud is the fastest way to reduce the complexity and cost of current technology and get closer to a single pane of glass. When making the transition from Microsoft Configuration Manager (ConfigMgr) to Intune, there are two types of cloud workloads you will enable. The first are management functions that you move from ConfigMgr to the cloud, such as updates, app deployment, and policy configuration. The second are net-new capabilities that only the cloud makes possible, such as automation, analytics, and generative AI workloads.
Given the benefits, all workloads should be moved as soon as you are able, but moving them step-by-step can make sense to align with business goals. In general, you should start by enabling the net new cloud workloads discussed above, then move the existing workloads from ConfigMgr.
For those existing workloads, a common approach is to start with the compliance and security workloads, followed by policy (device configuration). Moving compliance first means Intune, rather than ConfigMgr, reports each device's compliance state, which is the signal Microsoft Entra Conditional Access uses to gate access to resources. This supports Zero Trust initiatives and ensures you have strong security policies in place throughout the transition.
When migrating apps, we don’t recommend migrating all apps like-for-like from on-premises to the cloud. Instead, we recommend reviewing the apps and removing unused applications prior to migration. We have seen this result in organisations dropping from thousands of applications to hundreds that need to be migrated.
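The phased workload move above is easiest to track if you can see, per device, which co-managed workloads already point at Intune. The following script is an added example written for this page, not code from the original post or from Microsoft. It decodes the co-management workload bitmask that the ConfigMgr client keeps locally and reports the next workload still served on-premises, in the order the post suggests (compliance and security, then policy, then updates and apps). The registry path `HKLM:\SOFTWARE\Microsoft\CCM\CoManagementHandler`, the value name `CoManagementFlags`, the bit-to-workload mapping, and the suggested ordering are assumptions to verify against the co-management documentation for your ConfigMgr version.

```powershell
# Added example (not from the original post or Microsoft): decode the
# co-management workload flags on a ConfigMgr client. Run in an elevated
# PowerShell session on the client itself.
#
# ASSUMPTIONS to verify for your ConfigMgr version: registry location, value
# name, and the bit assigned to each workload.

$WorkloadBits = @(
    [pscustomobject]@{ Bit = 1;   Workload = 'Co-management enabled' }
    [pscustomobject]@{ Bit = 2;   Workload = 'Compliance policies' }
    [pscustomobject]@{ Bit = 4;   Workload = 'Resource access policies' }
    [pscustomobject]@{ Bit = 8;   Workload = 'Device configuration' }
    [pscustomobject]@{ Bit = 16;  Workload = 'Windows Update policies' }
    [pscustomobject]@{ Bit = 32;  Workload = 'Endpoint Protection' }
    [pscustomobject]@{ Bit = 64;  Workload = 'Client apps' }
    [pscustomobject]@{ Bit = 128; Workload = 'Office Click-to-Run apps' }
)

# Order in which the post suggests moving existing workloads: compliance and
# security first, then policy, with updates and apps after that. This ordering
# is an assumption layered on the post's guidance, not a Microsoft requirement.
$SuggestedOrder = 2, 32, 8, 4, 16, 64, 128

function ConvertFrom-CoMgmtFlags {
    # Turn the raw integer into one row per workload with an InIntune flag.
    param([Parameter(Mandatory)][int]$Flags)
    foreach ($w in $WorkloadBits) {
        [pscustomobject]@{
            Bit      = $w.Bit
            Workload = $w.Workload
            InIntune = (($Flags -band $w.Bit) -ne 0)
        }
    }
}

function Get-CoMgmtWorkloadState {
    param(
        # Assumed registry location and value name; adjust if your client differs.
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\CCM\CoManagementHandler',
        [string]$ValueName = 'CoManagementFlags'
    )
    # -ErrorAction Stop: fail loudly if the client is not a ConfigMgr client
    # or the value is absent, rather than silently reporting "nothing moved".
    $item  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction Stop
    $flags = [int]$item.$ValueName

    if (($flags -band 1) -eq 0) {
        Write-Warning "Co-management is not enabled on this client (flags = $flags)."
    }

    # First workload in the suggested order that ConfigMgr still serves.
    $nextBit  = $SuggestedOrder | Where-Object { ($flags -band $_) -eq 0 } | Select-Object -First 1
    $nextName = 'All workloads are in Intune'
    if ($nextBit) {
        $nextName = ($WorkloadBits | Where-Object Bit -eq $nextBit).Workload
    }

    [pscustomobject]@{
        RawFlags   = $flags
        Workloads  = ConvertFrom-CoMgmtFlags -Flags $flags
        NextToMove = $nextName
    }
}

# Usage on a co-managed client:
$state = Get-CoMgmtWorkloadState
$state.Workloads | Format-Table Workload, InIntune -AutoSize
"Next workload to move: $($state.NextToMove)"
```

Running this across a pilot collection (for example via a ConfigMgr script or a remote session) gives you a quick inventory of where each device sits in the migration, and flags clients where the co-management bit itself is off, which is the first thing to fix before any workload can move.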
Enroll existing Windows devices in Intune
The next step is to begin to enroll devices—enroll your clients managed by ConfigMgr into Intune and hybrid join them to Microsoft Entra ID (previously Azure Active Directory).
This is a transitory step, not the end game. It takes time to transition to the cloud and modernize your directory and management solutions. By taking this first step of enrollment and hybrid Entra join, you receive the benefits of the cloud workloads and can transition away from dual management, where existing devices receive workloads from on-premises ConfigMgr and new devices receive them from the cloud.

For identity management, we recommend you hybrid join your existing devices to Entra ID while new devices are joined directly (natively) to Entra ID. Hybrid join is the interim step, specifically for your existing Active Directory joined devices. It brings you the benefits of the cloud without resetting and reprovisioning the device and disrupting the user. Hybrid devices then age out of your environment as they are replaced with cloud-native, Entra-joined devices through the natural lifecycle at refresh, or opportunistically when an event such as a break-fix requires a device to be reimaged.
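Because hybrid join is meant to be temporary, it helps to be able to tell at a glance which state a given device is in. The script below is an added example written for this page, not code from the original post or from Microsoft. It parses the output of `dsregcmd /status` (the built-in Windows tool that reports Entra join state) and classifies the device as Entra joined, hybrid Entra joined, or Active Directory only, and reports whether it is MDM-enrolled. The field names `AzureAdJoined`, `DomainJoined`, `MdmUrl` and `AzureAdPrt` come from dsregcmd's output; the classification labels and the sample output are this example's own.

```powershell
# Added example (not from the original post or Microsoft): classify a Windows
# device's join state and MDM enrollment from dsregcmd /status output.
# The parser takes lines so it can be run against constructed sample output
# offline; Get-DeviceJoinState runs the real tool on the device.

function ConvertFrom-DsRegStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Collect "Key : Value" rows. Section banners (+---- and | ... |) do not
    # match the pattern and are skipped. Values may themselves contain ':'
    # (for example MdmUrl), which the lazy capture handles.
    $kv = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $kv[$Matches[1]] = $Matches[2]
        }
    }

    $azure  = $kv['AzureAdJoined'] -eq 'YES'
    $domain = $kv['DomainJoined']  -eq 'YES'

    # Classification labels are this example's own wording of the post's states.
    $join = if ($azure -and $domain) { 'Hybrid Entra joined (interim state for existing AD devices)' }
            elseif ($azure)          { 'Entra joined (cloud-native target)' }
            elseif ($domain)         { 'Active Directory only (not yet hybrid joined)' }
            else                     { 'Not domain or Entra joined' }

    [pscustomobject]@{
        JoinState     = $join
        # An MdmUrl is only present once the device is enrolled with an MDM.
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($kv['MdmUrl'])
        MdmUrl        = $kv['MdmUrl']
        # A Primary Refresh Token shows the signed-in user can get cloud SSO.
        HasAzureAdPrt = $kv['AzureAdPrt'] -eq 'YES'
    }
}

function Get-DeviceJoinState {
    # Run on the device itself; dsregcmd ships with Windows 10 and 11.
    ConvertFrom-DsRegStatus -Lines (& dsregcmd.exe /status)
}

# Constructed sample (abbreviated dsregcmd /status output, not captured from a
# real device) for a PC that has been hybrid joined and enrolled in Intune.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
'@ -split "`r?`n"

# Offline check against the constructed sample:
ConvertFrom-DsRegStatus -Lines $sample | Format-List

# On a real device:
# Get-DeviceJoinState | Format-List
```

The constructed sample classifies as hybrid Entra joined with MDM enrollment present, which is exactly the interim state this section describes. A device that shows `AzureAdJoined : YES` and `DomainJoined : NO` is already at the cloud-native end state, and a device with `DomainJoined : YES` but no `MdmUrl` has not been enrolled yet and is still receiving all its workloads from on-premises ConfigMgr.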
Microsoft has many partners with deep expertise in migrating Windows to the cloud who have seen success using this approach. They recently held a discussion on some of the lessons they’ve learned in cloud migrations, which I would encourage you to view.
With new Windows deployments, go direct to cloud native
As you refresh or reset Windows devices, our recommendation is to manage them as fully cloud native. This represents an opportunity to reimagine what Windows management should look like in your organization. This greenfield approach sets a North Star for your organization’s transition and reduces the risk of recreating outdated legacy approaches in the cloud.
This is especially true for Windows 11 devices. As the best version of Windows, it makes sense to use Windows 11 for any new devices, regardless of the provisioning method.
Many customers opt to skip the co-management phase of migration completely, bringing new devices on as cloud native. These customers use their hardware refresh cycle as the catalyst to move to cloud native. Existing devices remain with on-premises management while new devices are deployed as fully cloud native. After a full hardware refresh cycle of 2-3 years, all Windows devices will eventually be managed exclusively in the cloud. For example, Cognizant enables all its employees to set up new devices remotely without any intervention from IT.
Lastly, customers have asked whether they should delay their Windows 11 upgrades if they are not ready to move ahead with management modernization. The guidance here is clear: prioritize rolling out Windows 11 with the management tools and processes you already have in place today, such as ConfigMgr. If you have devices that do not meet the Windows 11 hardware requirements but want to use Windows 11 features and capabilities, you can do so with Windows 365 Cloud PC until capable hardware has been acquired.
Next Steps
- Learn more about Microsoft Intune
- Watch our Intune Technical Fundamentals videos
- Empower your workforce with modern endpoints