
Windows 10, AD & SCCM migration to Windows 11, Intune & AAD for a global multinational.
Background:
A multinational corporation needed to seamlessly migrate 85,000 employees using 60,000 computers across 70 countries from Windows 10 on-prem to Windows 11 fully cloud managed.
We managed all technical and non-technical aspects of the delivery with a team of just eight people working across diverse working environments. These included home working, offices, trading floors, retail and complex 24/7/365 production environments - often in challenging locations where local laws need to be understood, such as privacy, sanctions and data sovereignty.
Objectives:
- Migrate to latest Windows: All clients transitioned from Windows 10 to Windows 11.
- Fully cloud managed: Achieve a modern, cloud-managed IT ecosystem. Transition from on-prem Active Directory with SCCM to a cloud-only environment with Azure Active Directory and Intune.
- Improve user experience and streamline operations: Enable user self-service for computer provisioning and computer setup to avoid costs of traditional engineer-led hardware refreshes.
- Enhance security: Review and improve all client security standards and change Antivirus to Microsoft Defender, where possible.
- Reduce costs: Reduce infrastructure costs and operational complexities while maintaining a seamless end-user experience. Simple and stable solutions fit for the business needs.
- No impact to networks: Ensure no impact to network performance when transitioning to the cloud with no on-prem infrastructure, especially in locations with extremely low bandwidth (2 Mbps).
- Reduce demand on IT support: Where possible, create reliable and well-performing solutions and user self-service options to help reduce support levels.
- Improve IT’s reputation: Ensure a smooth deployment with no unplanned disruption resulting in users that are impressed and able to work within 30 minutes of receiving their new computer.
Implementation:
Pre-migration work was carried out seamlessly with no disruption to users or the business:
- Awareness and training: Engaged early with all technology teams and stakeholders to raise awareness and ensure their future planning was aligned. Worked with teams to identify knowledge gaps, provided training and created any required documentation, support articles, etc.
- Deployed Microsoft OneDrive and redirected Windows known folders to ensure all user data migrated to cloud. Verified using OneDrive sync health dashboard in Microsoft 365.
- Computer settings: Recreated over 600 Group Policy Objects (GPOs) in Intune.
- Hybrid co-management: Introduced Intune alongside SCCM in co-management mode.
- App readiness for AAD only: Identified 700 business apps and built a testing environment. Carried out all activities (scheduling, UAT, engagement, etc.) to ensure apps were tested and remediated, where necessary.
- Managed Mac: Fully Microsoft Intune managed offering with required bespoke scripts to keep parity with Windows configuration and standards.
Migration to Windows 11
- Deployed Windows 11 AAD only configuration using Autopilot pre-provisioning, enabling self-service ordering with delivery direct to users' home address.
- Custom user setup wizard to guide users through the final steps so their computer was fully configured and ready for use within 25 minutes.
- Full device management using Intune for settings, reporting, compliance, apps, etc.
- All 700 apps repackaged and moved to the Intune Company Portal.
- Office 64-bit as the default with a custom self-service user downgrade package to 32-bit if needed.
Enhanced security and compliance:
- Data loss protection: Implemented Microsoft Defender for Cloud Apps (MDCA) and Conditional Access (CA) policies preventing data sync to untrusted computers.
- BitLocker cloud management: Transitioned encryption keys and management from legacy MBAM servers to Entra.
- BYOD enablement: Offered a formal Windows and Mac Bring Your Own Device (BYOD) solution with Intune enrolment for remote security standards compliance checks.
- Moved antivirus from McAfee to Microsoft Defender ATP with full integration with SOC.
- Configured Windows Update for Business with MS Delivery Optimisation to protect low bandwidth networks and achieved 97% compliance for Windows and Office in 21 days. For non-compliant devices we created a fully automated quarantine process.
- Developed a bespoke Dell BIOS update solution.
- Deployed security best practices allowing us to pass external PEN tests and gain Cyber Essentials Plus accreditation.
- App control: Reduced the number of apps from 12K to 3.5K through the careful deployment of Windows Defender Application Control (WDAC).
Operational optimisation:
- Saved over $27 million by introducing self-service provisioning, eliminating 150 SCCM servers, cutting hardware and maintenance costs.
- Reduced downtime: Introduced Windows Reset for instant self-service device restoration from the cloud.
- Revised multiple MS license bundles against identified needs, resulting in reduced costs.
- Reduced IT support needs by implementing stable and secure solutions.
Key results:
- Fully cloud managed: All users’ data moved to cloud, GPOs to Intune, SCCM to Intune and Windows 11 AAD only deployed with Autopilot. SS direct
- Repackaged all apps in Intune for the company portal and ensured compatibility with AAD.
- Consistently achieved 97% Windows and Office patching levels.
- Customer satisfaction and NPS scores improved.
- Saved over $27 million by transitioning to a cloud-first model and implementing a fully user self-service model, eliminating the need for large, engineer-led migration projects.
We completed this complex transition over three years for a large-scale global enterprise by adopting a considered, correctly ordered, phased approach, which leveraged modern cloud technologies with a team of just eight people.