Larger organizations have been aggressively moving towards cloud-based computer management solutions to simplify deployment tasks and enforce consistency among device configurations. They are able to achieve greater security, cost savings, and readiness for the future through their cloud transformations. One popular solution being used in this space is Microsoft Intune.
In this blog, I will focus on some best practices for cloud native endpoint management, so SMBs can accelerate their digital transformation. With the Enterprise space having developed many best practices, it’s time for SMBs to follow suit using lessons learned at scale. Many of my customer conversations are centered on how best to transition, with the value of a cloud first approach already understood. In many cases, there is a strong desire to move to the cloud, but lack of a step-by-step plan to make the move a reality. It might not be as complicated or as daunting as you think. I detail below a three-phase approach that simplifies the process of getting to fully cloud-based management:
- First, modernize all management workloads by moving them from on premises to Intune.
- Second, hybrid Entra join and enroll your existing PCs in Intune.
- Third, for new Windows devices, go straight to cloud native.
This three-phase approach enables you to achieve faster time to value, lessen the experience impact to your users, and finally, simplify your architecture and reduce your total cost of ownership.
Enabling workloads in Intune
Enabling all management workloads from the cloud is the fastest way to reduce the complexity and cost of current technology and get closer to a single pane of glass. By management workloads, I mean Windows and software updates, app deployment and patching, and policy configuration. This is where most SMBs are going to find the most value – keeping up with the constant need to update machines and keep them current. Inertia (or the lack of it) makes it easier to just patch systems when your IT staff has eyeballs on the computer, such as during a help desk ticket, a computer repair, or an upgrade. But it’s just not a great security posture to take.
If you want to stay ahead of the curve, you can also look at new capabilities that cloud-based management makes possible – automation, analytics, and AI-related workloads. Related to this class of cloud-based systems management, we’re seeing more focus on security and compliance initiatives. Zero Trust computing is becoming a bigger thing as workers disperse into hybrid work arrangements, and we’re seeing more and more insurance carriers demand more active management of systems and even formal security awareness training programs for employees to reduce their exposure to cybersecurity-related risks.
For example, Petrobras, the Brazilian energy company that moved to a cloud-native strategy with Intune, saw better policy enforcement for remote devices.
“Despite the increased access by our remote workforce, our recent audits have quite surprisingly revealed that we haven’t had any security incidents or data leakage.”
—Alexandre Ribeiro Dantas, Information Security Manager at Petrobras
With security policies in place, we often see customers next move update (patch) workloads to the cloud to take advantage of the Microsoft modern approach to updating devices on any network, anywhere in the world. National Australia Bank (NAB) is a great example of this. Their goal was to adopt a modern approach to patching, and thanks to automation and policy they were able to significantly increase patching across the enterprise.
“Windows 10 was the catalyst for retooling our environment and getting to where we are today, moving patch compliance from 60% to 97% across 45,000 endpoints.”
—Andrew Zahradka, Head of Workplace Compute Technology at National Australia Bank
Apps are often the last workload migrated, as there is frequently an advantage to rationalizing application estates before migrating them. When migrating apps, we don’t recommend migrating all apps like-for-like from on-premises to the cloud. Instead, we recommend reviewing the apps and removing unused applications prior to migration. We have seen this result in organizations dropping legacy applications and reducing the number of apps that need to be migrated. This makes a lot of sense – a lot of the time, organizations develop workflows and solutions and stick with them “because we’ve always done it that way.” But times change and needs change. During the course of a digital transformation initiative, it makes a lot of sense to re-imagine how your organization might better operate tomorrow. Simplification of the computing environment saves time and attention that can lead to investing in better processes and people. For SMBs, simple, reliable IT solutions are key to keeping everyone productive and happy.
Of course, in some instances, there may be one or two workloads that can’t immediately be moved to the cloud. Our recommendation here is not to let one or two laggard workloads stop you from gaining the rest of the benefits from moving to the cloud. Instead, try to manage all workloads natively in the cloud everywhere possible.
Enroll existing Windows devices in Intune
The next step is to begin to enroll devices—enroll your clients that are not managed into Intune and hybrid join them to Microsoft Entra ID (previously Azure Active Directory).
This is a transitory step, not the end game. It takes time to transition to the cloud and modernize your directory and management solutions. By taking this first step of enrollment and hybrid Entra join, you receive the benefits of the cloud workloads and can transition away from dual management. For identity management, we recommend you hybrid join your existing devices with Entra ID while new devices are joined directly or natively with Entra ID.
Hybrid join is the interim step, specifically for your existing Active Directory joined devices. It brings you the benefits of cloud without resetting and reprovisioning the device and disrupting the user. Hybrid devices will then age out of your environment as they are replaced with new cloud-native, Entra joined devices through the natural lifecycle at refresh, or opportunistically if there’s an event, such as break-fix, that requires a device be reimaged.
For smaller organizations of a couple dozen users, you might want to phase your current devices into Entra over the course of a couple months, as simplicity and consistency are higher priorities and the workload is smaller. Managing one solution is easier than managing two.
Microsoft has many partners with deep expertise in migrating Windows to the cloud who have seen success using this approach. They recently held a discussion on some of the lessons they’ve learned in cloud migrations, which I would encourage you to view. Peter Klapwijk, an Infrastructure Engineer, best sums up this stage.
“If a company has the Intune licenses, they should definitely start switching on co-management, to make use of the benefits [of which a single portal, remote actions, and endpoint analytics were mentioned]”
—Peter Klapwijk, Infrastructure Engineer at NN Group
With new Windows deployments, go direct to cloud native
As you refresh or reset Windows devices, our recommendation is to manage them as fully cloud native. This represents an opportunity to reimagine what Windows management should look like in your organization. This greenfield approach sets a North Star, enforces your new standard moving forward, and reduces the risk of recreating outdated legacy approaches in the cloud.
This is especially true for Windows 11 devices. As the best version of Windows, it makes sense to use Windows 11 for any new devices, regardless of the provisioning method.
“Windows 11 Enterprise with Microsoft Intune has streamlined device provisioning, updates, security configurations, and troubleshooting processes. By centralizing these tasks, we’ve been able to achieve operational efficiencies, optimize resource allocation, and effectively manage our technology environment with a lean IT team.”
—Blake T. Lunsford, Director of IT, Alabama Appellate Court System
Many customers opt to skip the co-management phase of migration completely, bringing new devices on as cloud native. These customers use their hardware refresh cycle as the catalyst to move to cloud native. Existing devices remain with on-premises management while new devices are deployed as fully cloud native. After a full hardware refresh cycle over 2-3 years, all Windows devices will eventually be managed exclusively in the cloud. For example, Cognizant empowers all its employees to implement new device setup remotely without any intervention from IT.
“Day one productivity was never the plan. This was a big project that was supposed to be completed over a two-year period. Yet, within a week, we started delivering a successful Autopilot Intune migration. From then on, we delivered laptops from our suppliers directly to employees at home.”
—Ramesh Gopalakrishnan, Cognizant’s Director for Digital Workplace Services
Lastly, customers have asked whether they should delay their Windows 11 upgrades if they are not ready to move ahead with management modernization. The guidance here is clear: prioritize rolling out Windows 11 with the management tools and processes you already have in place today. You’ll enjoy benefits of Windows 11 right away, and have the infrastructure in place to migrate into cloud native endpoint management when you’re ready.
We are excited to be seeing more and more companies move to a fully cloud native approach for endpoint management. Hopefully, this post helps you identify the proper steps to get there. No matter where you are on the journey, we encourage you to learn more and get your plans set in 2024!
If you need help with cloud-based computing initiatives in the SMB space, including computer management and Microsoft 365 deployment, we’d love to lend a hand. We’re one of the larger Microsoft Partners in the Mid-Atlantic, and we’ve been valued partners for organizations from a handful to several thousand users. IT management and network administrators love to work with us, as we help set the foundation for a successful computing initiative and we help to empower IT staff to use the systems and manage them over time. We also offer free email migrations to Microsoft 365 to help jumpstart your own digital transformation. Just give us a call at 410.543.8200 and let’s see if we’re a good fit to work together.