2024 High Level Planning Guide to Move to Cloud-Native Endpoints

Introduction

In the modern workplace, hybrid and remote work models are becoming more prevalent. As organizations adapt, migrating to cloud-native endpoints can provide numerous benefits, including improved security, flexibility, and user experience. However, the transition is not without challenges. This comprehensive guide aims to equip administrators with the knowledge and strategies needed to plan, deploy, and manage cloud-native endpoints effectively. Specifically, we'll delve into Microsoft Intune, Group Policy migration, Windows Autopilot, and more. By the end, you'll be well-prepared to embark on your journey to a fully cloud-native infrastructure.

Manage Devices Using a Cloud-Native MDM Provider

Set Up Automatic Enrollment for Windows Devices

Automatic enrollment simplifies device management by ensuring that new devices are immediately enrolled into your organization's Microsoft Intune environment. This process can be applied to both personal and corporate-owned devices and works seamlessly with Microsoft Entra ID.

Steps to Enable Automatic Enrollment

  1. Microsoft Entra ID Integration: Ensure that all devices are joined to Microsoft Entra ID. This is crucial as it serves as the identity platform for automatic enrollment.
  2. Intune Configuration:
    • Navigate to the Microsoft Endpoint Manager admin center.
    • Select Devices > Windows > Windows Enrollment > Automatic Enrollment.
    • Configure the settings to enable automatic enrollment.
  3. Group Policy Configuration: For domain-joined devices, use Group Policy to auto-enroll them into Intune.

Applies to Windows 10 and Windows 11

Both Windows 10 and Windows 11 support automatic enrollment, making it easier for organizations to manage devices running either operating system.

Review Your Endpoint and User Workloads

Inventory and Analyze Current Workloads

  1. Identify Critical Workloads: Determine which workloads are essential for day-to-day operations.
  2. Analyze Compatibility: Check if these workloads are compatible with cloud-native environments. This helps in understanding the scope and identifying any potential blockers.
  3. Vendor Collaboration: Work with service vendors to address any compatibility issues.

Update Workloads for Cloud-Native Support

  1. Adopt Modern Management Solutions: Use Microsoft Intune for device and app management.
  2. Migrate Identity Management: Shift from on-premises Active Directory to Microsoft Entra ID.
  3. Data and App Modernization: Ensure that all applications and data are accessible from the cloud.

Transition Your Workloads in Phases

Phase 1: Information Gathering

  1. Inventory All Workloads: List all services, products, and applications involved with each workload.
  2. Verify End-States: Identify the final goal for each workload and the potential blockers.
  3. Coordinate with Service Owners: Ensure all stakeholders are on board.

Phase 2: Prioritize and Resolve Blockers

  1. Evaluate Each Blocker: Determine the criticality of each blocker and prioritize accordingly.
  2. Pilot Program: Conduct a pilot program to test the transition on a smaller scale.

Phase 3: Implement Changes

  1. Gradual Rollout: Move workloads to cloud-native solutions in small, manageable phases.
  2. Monitor and Adjust: Continuously monitor the transition and make necessary adjustments.

Phase 4: User Preparation

  1. Education and Training: Inform users about the changes and provide training.
  2. Update Documentation: Ensure all procedural documents are updated.
  3. Feedback Mechanism: Establish a system for collecting user feedback.

Transition Your Organization in Phases

Define Endpoints, Dependencies, and Milestones

  1. Identify Cloud-Ready Endpoints: Determine which devices need cloud identities and which do not.
  2. Dependencies Mapping: Understand the technical and non-technical requirements.
  3. Set Milestones: Define milestones and success criteria for each phase.

Enable Endpoint Cloud Hybrid Identity

  1. Enable Hybrid Microsoft Entra Join: For a phased transition, start with a hybrid model.
  2. Reset Existing Endpoints: Reset and redeploy devices as Microsoft Entra joined for a fully cloud-native environment.

Cloud Attach Configuration Manager

  1. Move to Microsoft Intune: If you are using Configuration Manager, consider attaching it to Microsoft Intune.
  2. Remote Management: Use cloud attach to manage endpoints remotely and co-manage them with Configuration Manager.

Deploy a Microsoft Entra Joined Proof of Concept

  1. Implement Baseline Configurations: Use Microsoft Intune for initial configurations.
  2. Use Windows Autopilot: Provision new and existing devices quickly.
  3. Deploy and Test: Conduct a proof of concept to validate functionality.
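Provisioning with Windows Autopilot (step 2 above) starts with registering each device's hardware hash. The following script is an added example, not part of this guide or of Microsoft's own Get-WindowsAutopilotInfo script: it reads the hash through the MDM bridge WMI provider and writes the CSV layout that the Autopilot device import accepts. It assumes an elevated session on Windows 10 or 11; the output path and the group tag value are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the guide): gather a device's Autopilot hardware hash and write
# the CSV that the Autopilot device import in the Intune admin center accepts.
# Assumptions: elevated session on Windows 10/11; $OutputPath and the group tag are placeholders.

function Get-AutopilotDeviceRecord {
    param([string]$GroupTag)
    # The hash is exposed through the MDM bridge WMI provider (DevDetail CSP, Ext node).
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail -or -not $devDetail.DeviceHardwareData) {
        throw 'Hardware hash not available; this query needs an elevated session.'
    }
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    $record = [ordered]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''                            # optional column, may be left empty
        'Hardware Hash'        = $devDetail.DeviceHardwareData # base64 blob, several KB
    }
    if ($GroupTag) { $record['Group Tag'] = $GroupTag }       # optional; used to target Autopilot profiles
    return [pscustomobject]$record
}

function Export-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$OutputPath,
        [string]$GroupTag
    )
    $record = Get-AutopilotDeviceRecord -GroupTag $GroupTag
    # Header row plus one row per device; quotes are stripped so the import reads the columns cleanly.
    $record | ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Out-File -FilePath $OutputPath -Encoding ascii
    return $record
}

# Usage (placeholder path and tag): run on each pilot device, then import the file in Intune.
Export-AutopilotCsv -OutputPath "$env:TEMP\autopilot-hash.csv" -GroupTag 'PILOT' |
    Select-Object 'Device Serial Number', 'Group Tag' | Format-List
```

The script writes one device per file; for a bulk import, concatenate the data rows from several devices under a single header before uploading. Keep the resulting files under access control, since a registered hash binds that hardware to your tenant's Autopilot profiles.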

Microsoft Entra Join Your Existing Windows Endpoints

  1. Device Replacement or Reset: Replace outdated devices, or reset existing ones so they can be Microsoft Entra joined.
  2. Final Transition: Move all remaining devices to Microsoft Entra.

Move from Group Policy Objects (GPOs)

Manage Settings Using Intune

  1. Create New Policies:
    • Start Fresh: Create new policies in Intune to manage devices.
    • Use Built-in Templates: Use Intune's built-in templates for common settings.
  2. Migrate Existing Policies:
    • Analyze and Import GPOs: Use Intune's Group Policy analytics to import and analyze existing GPOs.
    • Verify and Deploy: Verify the policies and deploy them to cloud-native endpoints.

Intune Features to Know

  1. Group Policy Analytics: Import GPOs and see how they map to Intune settings.
  2. Settings Catalog: Access a comprehensive list of settings that can replace GPOs.
  3. Administrative Templates: Use these templates to apply settings that mirror the ADMX-backed settings you managed through Group Policy.
  4. Security Baselines: Apply pre-configured settings recommended by experts.

Use Windows Autopilot to Provision New or Existing Windows Endpoints

Key Benefits of Windows Autopilot

  1. Simplified Setup Process: Offers a branded, user-friendly setup experience.
  2. Direct Drop-Ship: Devices can be shipped directly to users, who can set them up themselves.
  3. Self-Service Reset: Allows users to reset their devices, reducing IT overhead.

Follow the Cloud-Native Endpoints Guidance

  1. Understand Cloud-Native Endpoints: Read the overview of cloud-native endpoints.
  2. Get Started with Windows Endpoints: Follow the tutorial to begin your transition.
  3. Learn About Microsoft Entra Join: Understand the differences between Microsoft Entra and hybrid join.
  4. Access On-Premises Resources: Learn how to manage on-premises resources with cloud-native endpoints.

Set Up Automatic Enrollment for Windows Devices

Applies to Windows 10 and Windows 11

Simplifying device enrollment is crucial in streamlining IT operations and enhancing user experience. By enabling automatic enrollment, devices can register themselves in Microsoft Intune as soon as they join or register in Microsoft Entra ID. This method is particularly beneficial in scenarios such as BYOD (Bring Your Own Device), bulk enrollment, and Windows Autopilot deployments.

Setup Steps for Automatic Enrollment

  1. Microsoft Entra Integration:
    • Ensure that all devices are joined to Microsoft Entra ID.
  2. Configuring Intune:
    • Go to the Microsoft Endpoint Manager admin center.
    • Navigate to Devices > Windows > Windows Enrollment > Automatic Enrollment.
    • Enable automatic enrollment by configuring the necessary settings.
  3. Using Group Policy:
    • For domain-joined devices, apply Group Policy to automatically enroll them into Intune.
  4. Using Windows Autopilot:
    • Configure Windows Autopilot profiles to include Intune enrollment.
  5. Co-Management with Configuration Manager:
    • Utilize co-management settings to manage devices with both Configuration Manager and Intune.
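The enrollment steps listed here, and the shorter version of the same steps earlier in this guide, all end with the device enrolling itself into Intune. The script below is an added example, not part of this guide: it checks the state a device should reach after those steps (Microsoft Entra join, the automatic-enrollment Group Policy applied, the enrollment scheduled task created, and an Intune enrollment recorded), which is the order in which enrollment troubleshooting usually proceeds. It assumes an elevated session on Windows 10 or 11 and that the Group Policy "Enable automatic MDM enrollment using default Azure AD credentials" is the mechanism used for step 3.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the guide): pre-flight and post-enrollment check for automatic
# Intune enrollment. Assumptions: elevated session on Windows 10/11; the automatic-enrollment
# Group Policy writes the registry values under the MDM policy key checked below.

function Get-EntraJoinState {
    # dsregcmd /status prints "Name : Value" lines; keep only the ones relevant here.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl|TenantName)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-AutoEnrollPolicy {
    # Registry values written by the automatic-enrollment Group Policy.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { return $null }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        AutoEnrollMDM        = $p.AutoEnrollMDM          # 1 = policy enabled
        UseAADCredentialType = $p.UseAADCredentialType   # 1 = user credential, 2 = device credential
    }
}

function Get-MdmEnrollment {
    # Each MDM enrollment gets a GUID subkey; Intune registers with ProviderID "MS DM Server".
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { $_.PSChildName } }, ProviderID, UPN, EnrollmentType
}

function Test-AutoEnrollReadiness {
    $join   = Get-EntraJoinState
    $policy = Get-AutoEnrollPolicy
    $enroll = @(Get-MdmEnrollment)
    # The enrollment client creates this task once the policy applies and retries until enrollment succeeds.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*automatically enrolling in MDM from AAD*' }

    $checks = [ordered]@{
        'Device is Microsoft Entra joined'          = ($join['AzureAdJoined'] -eq 'YES')
        'Auto-enrollment policy applied'            = ($null -ne $policy -and $policy.AutoEnrollMDM -eq 1)
        'Enrollment scheduled task present'         = ($null -ne $task)
        'Intune enrollment (MS DM Server) recorded' = ($enroll.Count -gt 0)
    }
    foreach ($c in $checks.GetEnumerator()) {
        $mark = if ($c.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ('[{0}] {1}' -f $mark, $c.Key)
    }
    # DomainJoined = YES together with AzureAdJoined = YES indicates hybrid join; MdmUrl is the enrollment endpoint.
    Write-Host ('DomainJoined: {0}  MdmUrl: {1}' -f $join['DomainJoined'], $join['MdmUrl'])
    if ($enroll.Count -gt 0) { $enroll | Format-Table -AutoSize }
    return $checks
}

Test-AutoEnrollReadiness | Out-Null
```

Read the results top down: a failed Entra join check means the policy and task checks cannot pass, and a present task with no recorded enrollment usually points at the MDM user scope or licensing in the tenant rather than at the device.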

Prerequisites for Automatic Enrollment

  1. Microsoft Entra ID P1 or P2 Subscription: Ensures the necessary functionalities for automatic MDM enrollment.
  2. Microsoft Intune Subscription: Provides the management platform for enrolled devices.
  3. Global Administrator Permissions: Required for configuring and managing enrollment policies.

Best Practices and Troubleshooting

  1. Edge for Company Portal: Device users should access the Company Portal website through Microsoft Edge for optimal performance.
  2. Avoid Duplicate Records: Ensure proper configuration to avoid duplicate device records in the Microsoft Intune admin center.
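Duplicate records are easier to avoid when you can see them. The script below is an added example, not part of this guide: it lists Intune device records that share a serial number, which is the usual sign that a re-imaged or re-enrolled device left a stale object behind. It assumes the Microsoft Graph PowerShell SDK (the Microsoft.Graph.DeviceManagement module) and an account that can consent to the DeviceManagementManagedDevices.Read.All scope; the list of firmware placeholder serials is an assumption you may need to extend for your hardware.

```powershell
# Added example (not part of the guide): find Intune device records that share a serial number
# so stale objects can be reviewed before cleanup.
# Assumptions: Microsoft.Graph PowerShell SDK installed (Microsoft.Graph.DeviceManagement module)
# and an account allowed to consent to DeviceManagementManagedDevices.Read.All.

function Find-DuplicateIntuneDevices {
    param([int]$MinCount = 2)
    Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' -NoWelcome
    $devices = Get-MgDeviceManagementManagedDevice -All `
        -Property Id, DeviceName, SerialNumber, LastSyncDateTime, EnrolledDateTime, UserPrincipalName

    # Firmware placeholder serials (assumed list) are not real identifiers and would group unrelated devices.
    $placeholders = @('', 'To be filled by O.E.M.', 'Default string', 'System Serial Number')
    $devices |
        Where-Object { $_.SerialNumber -and ($placeholders -notcontains $_.SerialNumber.Trim()) } |
        Group-Object SerialNumber |
        Where-Object { $_.Count -ge $MinCount } |
        ForEach-Object {
            # The record with the newest sync is most likely the live one; older ones are review candidates.
            $sorted = $_.Group | Sort-Object LastSyncDateTime -Descending
            [pscustomobject]@{
                SerialNumber = $_.Name
                Records      = $_.Count
                Newest       = '{0} (synced {1:u})' -f $sorted[0].DeviceName, $sorted[0].LastSyncDateTime
                StaleIds     = ($sorted | Select-Object -Skip 1 | ForEach-Object Id) -join ';'
                StaleUsers   = ($sorted | Select-Object -Skip 1 | ForEach-Object UserPrincipalName |
                                Sort-Object -Unique) -join ';'
            }
        }
}

# Usage: review the output before retiring anything; the stale entries are only candidates.
Find-DuplicateIntuneDevices | Sort-Object Records -Descending | Format-Table -AutoSize
```

Run it after each pilot wave and before a bulk Autopilot reset, since those are the points at which repeated enrollments of the same hardware are most likely to appear.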

Conclusion

Transitioning to a cloud-native infrastructure is a strategic move that offers long-term benefits such as increased flexibility, enhanced security, and improved user experience. This guide provides a comprehensive roadmap for managing devices, updating workloads, and transitioning to cloud-native endpoints. By following these steps and leveraging tools like Microsoft Intune and Windows Autopilot, organizations can successfully navigate the complexities of modern device management. Whether you're enabling automatic enrollment for Windows devices or migrating from Group Policy Objects, you'll be well-equipped to make informed decisions that drive your organization forward.

For more information, see: https://github.com/MicrosoftDocs/memdocs/blob/main/memdocs/solutions/cloud-native-endpoints/cloud-native-endpoints-planning-guide.md