Windows 11 cloud-native migration with Microsoft Intune

Are you ready to migrate your Windows 10 domain-joined and co-managed devices to Windows 11 and cloud-native management with Microsoft Intune? Here’s a quick guide to Microsoft-supported scenarios and the steps you can take to ensure a secure, efficient, and seamless migration.

Note: By cloud-native management we mean managing Microsoft Entra joined devices with Microsoft Intune. As a result, the steps outlined here also apply if you’re transitioning away from hybrid joined Windows 11 devices.

Step 1: Prepare your environment

1. Verify hardware compatibility. Confirm that devices meet the Windows 11 requirements (TPM 2.0, Secure Boot, CPU, RAM, storage) using Microsoft Configuration Manager or Endpoint analytics in Microsoft Intune.
2. Update Windows 10 devices. To facilitate a smooth upgrade to Windows 11, first check that all your Windows 10 devices are on the latest supported release (Windows 10, version 22H2) and have all updates installed. Use existing update tools, such as Windows Autopatch, Microsoft Configuration Manager, or Windows Server Update Services (WSUS). To validate that the devices are on the latest cumulative update, use the Quality update status report.

Complete the following actions in any order:

• Synchronize identities. Install and configure Microsoft Entra Connect to synchronize users and devices from Active Directory to Microsoft Entra ID.
• Configure and validate hybrid join. Use Group Policy to enable automatic hybrid join for existing devices. See Configure Microsoft Entra hybrid join and Verify Microsoft Entra hybrid join state for detailed guidance.
• Prepare the Intune environment. Ensure proper licensing is in place and assign admin roles. Confirm that devices meet minimum requirements, including the steps required for a device to onboard to Microsoft Entra ID and Microsoft Intune via Windows Autopilot as detailed here: Enroll devices in Microsoft Intune.
• Confirm co-management. Confirm that devices report healthy status in both Configuration Manager and Intune. Move the following co-management workloads to Intune for targeted groups:

o   Windows update policies

o   Device configuration

o   Office click-to-run apps

Step 2: Transition Group Policy to Intune management

1. Optional: Inventory and rationalize Group Policy Objects (GPOs). A Windows 11 upgrade is an opportune time to start over with a clean sheet for device configuration. While this might seem like a monumental task, the increased stability and supportability of a clean configuration is immeasurable. To help you understand what you already have configured today, utilize Group Policy analytics in the Microsoft Intune portal.
2. Use co-management with Configuration Manager. Move compliance and device configuration workloads to targeted groups in Intune. Then you can target hybrid joined devices with both Intune policies and Group Policy. Double-check that Group Policy and Intune policies don’t conflict with each other. Use the built-in targeting constructs in each platform to avoid overlapping or conflicting policies.

   Note: We don’t recommend using the MDMWinsOverGP setting as it only applies to settings in the Policy CSP and can lead to difficulty in troubleshooting.

3. Consolidate and manage from the cloud. Remove redundant policies and replace unsupported settings with Intune configuration profiles, PowerShell scripts, or supported alternatives.
4. Adopt a phased deployment. Assign new Intune policies to pilot groups, validate results, then scale deployment organization wide.

Step 3: Upgrade devices to Windows 11

1. Use Windows Autopatch. Create and manage Windows Autopatch groups in the Intune admin center. Define deployment rings for phased rollout and leverage default schedules for staggered upgrades.
2. Monitor progress. Use Windows Autopatch reports in Intune to track update compliance, device health, and rollout status. Export data for further analysis and integration with existing dashboards as needed.

Step 4: Migrate applications from Microsoft Configuration Manager to Intune

1. Assess current applications
1. Export a list of all deployed applications, including versions, dependencies, and target collections.
2. Assess each app’s compatibility for Intune deployment (MSI, Win32, MSIX, Microsoft Store apps) and retire obsolete software.
2. Package and test applications:
1. Wrap application installers using the Microsoft Win32 Content Prep Tool, enabling them for deployment by Intune.
2. Document install/uninstall commands and detection methods. Test deployments on pilot devices.
3. If you run into Windows 11 related compatibility issues with applications, reach out to App Assure for help.
3. Publish and assign applications:
1. Upload packages to Intune, monitor deployment status, and assign to appropriate user or device groups.
2. Iterate based on feedback, expanding deployments in phases.
4. Decommission in Configuration Manager: Remove old deployments, back up, and decommission your Configuration Manager environment.
5. Update internal processes and documentation: After successfully completing your migration, update existing processes and documentation on how you manage and maintain your devices.

Step 5: Transition devices from domain-joined to Microsoft Entra ID joined

1. Leverage OneDrive known folder move to protect user data by automatically backing up desktop, documents, and pictures folders to OneDrive for Business. See if you qualify for Windows Backup for Organizations to more easily back up and restore user settings.
2. Monitor sync health. Use the OneDrive sync health report to ensure all devices are syncing successfully. Address issues proactively.
3. Migrate devices. We recommend you migrate to Microsoft Entra ID using device refresh as the most cost-effective and least disruptive approach. To learn more, see Myths and misconceptions: Windows 11 and cloud native. If you need to speed up your migration due to business needs, critical milestones (such as having less than 10% hybrid joined devices), or retiring key infrastructure, here are some alternative methods: 
   • Swap and go: Issue pre-configured Windows 11 devices joined to Microsoft Entra ID. This minimizes disruption and supports a seamless user transition.
   • Wipe and load: Reimage existing hardware to Windows 11. Join it to Microsoft Entra ID. Then restore user data and apps.
4. Coordinate business processes: Plan asset management and communicate migration steps. Ensure that all critical apps and data are present on new devices before handover.

Why move to cloud-native management with Windows 11 and Intune?

Migrating to Windows 11 and Microsoft Intune from Windows 10 domain-joined and co-managed environments positions your organization for future success. The benefits include:

• Centralized management: Intune streamlines device lifecycle management across your organization.
• Enhanced security: Windows 11 introduces advanced features like TPM 2.0 and Secure Boot, integrated with Microsoft security solutions.
• Optimized user experience: Deliver faster performance and modern features tailored for hybrid work.
• Future-ready operations: Align your organization with cloud-first strategies and reduce on-premises infrastructure dependencies.
• Reduced overhead: Decrease reliance on legacy infrastructure and manual processes.
• Copilot-powered productivity: Enable Microsoft 365 Copilot in Windows 11 to automate tasks, provide real-time insights, and offer proactive recommendations—empowering you and users to be more efficient and secure in the workplace. Use Microsoft Copilot in Intune to make everyday IT administration easier.

Embracing migration with the tools and workflows outlined here can put your organization on a path for more secure, simplified, and future-ready endpoint management. Looking for success stories from organizations like yours? See 3 reasons why now is the time to go cloud native for device management.

There are many resources to help you get started. Here are a few of our favorites:

• Need a more comprehensive guide to complete this migration? Follow the guide here: Update your workloads to support cloud-native endpoints.
• Skill up in 2-hour intervals with these skilling snacks: Go cloud first with Windows device management and From on premises to the cloud.
• Need help communicating the changes to your organization? Download Windows 11 Onboarding Kit.
• Once you migrate to Windows 11, stay up to date with the Windows release information toolbox.
• Consider enabling hotpatch updates for Windows client to reduce restarts and streamline monthly updates.

Continue the conversation. Find best practices. Bookmark the Windows Tech Community, then follow us @MSWindowsITPro on X and on LinkedIn. Looking for support? Visit Windows on Microsoft Q\&A.