
Get Modern: Deploy, Maintain, and Manage Windows 10/11 and Microsoft 365 Apps
Deployment Guidance Workshop
Microsoft FastTrack
Windows 10/11 and Microsoft 365 Apps deployment guidance

Upgrade to Windows 10/11 and Microsoft 365 Apps

1a  Upgrade Configuration Manager to Current Branch
1b  Windows and Microsoft 365 Apps compatibility assessment
1c  Upgrade to Windows 10 and Windows 11
1d  Deploy Microsoft 365 Apps with Configuration Manager

Update Windows 10/11 and Microsoft 365 Apps (Maintain)

2a  Optimize Windows 10/11 and Microsoft 365 Apps update delivery with Configuration Manager
2b  Windows 10/11 phased deployments with Configuration Manager
2c  Microsoft 365 Apps phased deployments with Configuration Manager
Cloud-attach and cloud-only guidance
Attach to the cloud for complementary value

3a  Preparing your infrastructure for cloud-attach
3b  Cloud-attach Windows 10/11 clients to Azure Active Directory (Azure AD) and Microsoft Intune for immediate value
3c  Deploy Windows 10/11 devices using Windows Autopilot to join into Azure AD and co-management
3d  Enable Conditional Access to extend the security perimeter for Windows devices in your Zero-Trust network
3e  Cloud-attach: adopt cloud workloads as needed for your organization

Cloud-only (cloud-managed)

4a  Prepare your cloud environment
4b  Deploy Windows 10/11 devices using Windows Autopilot to join into Azure AD and co-management
4c  Manage your full Windows cloud environment


1a  Upgrade Configuration Manager to Current Branch

To use Configuration Manager to upgrade Windows devices to the current version, you need to be on the Current Branch of Configuration Manager. If a Configuration Manager upgrade is required, perform an in-place upgrade. See Upgrade to Configuration Manager for details on running an in-place upgrade.

Upgrade checklist:  The following checklist helps you plan a successful upgrade to Configuration Manager. For more information, please visit Upgrade Checklists.

Before you upgrade:

1. Review your System Center 2012 R2 Configuration Manager environment to resolve any issues as described in the following KB4018655 article:
Configuration Manager clients reinstall every five hours because of a recurring retry task and may cause an inadvertent client upgrade.

2. Review required prerequisites for each computer that hosts a site system role. For example, to deploy an OS, Configuration Manager uses the Windows
Assessment and Deployment Kit (Windows ADK). Before running Setup.exe, you must download and install Windows ADK on the primary site server running an
instance of the SMS Provider.

3. Ensure that your computing environment meets the supported configurations required for upgrading Configuration Manager. See this
checklist for installing the latest version of Configuration Manager. To help customize Configuration Manager for your organization's needs, you must
understand your server and client architecture. See this architectural overview.

4. Review the server OSs in use to host site system roles:
• Some older OSs supported by System Center 2012 R2 Configuration Manager aren't supported by Configuration Manager current branch. Site system roles on those OSs must be relocated or removed before the upgrade. Review Supported operating systems for Configuration Manager site system servers for more information.
• The Prerequisite Checker for Configuration Manager doesn't verify the prerequisites for site system roles on the site server or on remote site systems automatically, so check each role host yourself.

For important information about supported platforms and prerequisite configurations, see Supported configurations for Configuration Manager. 
1b  Windows and Microsoft 365 Apps compatibility assessment

App and device upgrade readiness are critical steps in the pre-deployment process to mitigate potential impacts from app and hardware incompatibility. Begin with an inventory of your devices and apps, identify ownership, prioritize what to test according to the following app assessment strategy, and remediate what's needed to be ready for deployment.

The idea is to rationalize all your apps: categorize those that are mission critical, important, or widely used, and those that aren't. From there, prioritize testing those apps that matter to ensure they are compatible with the version you are upgrading to. For more details on creating your app compatibility strategy, see Windows 11 app compatibility strategy.

Perform an app assessment leveraging current Configuration Manager processes and tools. Microsoft recommends leveraging App Assure for app compatibility assistance. App Assure helps fulfill the commitment from Microsoft that apps that run on Windows 7 and Windows 8.1 will also run on Windows 10 and Windows 11. App Assure helps with the remediation of line-of-business apps and engages with third-party ISVs to address issues.
Keep in mind that as you assign app owners and carry out testing, this work should lay the operational foundation for managing future Windows 10 and Windows 11 and Microsoft 365 Apps updates, reducing risk and increasing testing efficiency.

App assessment strategy


As you begin this process, we recommend identifying your managed apps, namely the apps the IT department takes on accountability for tracking, testing,
servicing, and upgrading over time. 
You can further segment these apps by their risk for app compatibility failure and value to the business using the following taxonomy:
• Always test: Smallest group with the highest risk, where there’s no room for failure
• Canary test: Intermediate group utilizing app tranches to efficiently test similar apps
• Pilot test: Largest group with the lowest risk that can wait until first phased deployment
To assist moving to Microsoft 365 Apps, use the Readiness Toolkit for Office to test the compatibility of your add-ins and Microsoft Visual Basic for Applications
(VBA) macros. You should avoid deploying Office 2019 as there are no upgrade options. We recommend deploying Microsoft 365 Apps to ensure you always have
the most up-to-date modern productivity tools from Microsoft.

App compatibility support


More than 99 percent of apps work on Windows 10/11 and Microsoft 365 Apps, but if you run into issues, Microsoft helps you fix them at no additional cost. App Assure is a no-cost application remediation service for customers moving to Windows 10 and Windows 11 and Microsoft 365 Apps. It supports customer-developed apps, third-party software vendor apps, and Microsoft-developed apps.
For more information, visit App Assure. To get help, complete the App Assure service request or email achelp@microsoft.com.
1c  Upgrade from Windows 7 and Windows 8.1 to Windows 10

To upgrade your Windows 7 and Windows 8.1 devices to Windows 10, we recommend utilizing existing processes to maintain consistency and predictability.

If you don't have an existing process, the recommended path for deploying Windows 10 uses the Windows installation program (Setup.exe) to perform an in-place upgrade. This preserves all data, settings, apps, and drivers from the existing OS version. This requires the least IT effort, with no need for a complex deployment infrastructure.

NOTE: You should NOT include Microsoft 365 Apps or other apps in your images. Keep it as simple as possible to maintain focus on the
in-place upgrade process. 

The in-place upgrade scenario features the following: 


• Upgrades the OS on devices that currently run Windows 7, Windows 8, or Windows 8.1.  
• Retains the apps, settings, and user data on these computers. 
• Has no external dependencies, like the Windows ADK. 
• Is faster and more resilient than traditional OS deployments. 
1. Plan the task sequence
Simplify your task sequence to upgrade the OS as much as possible while still meeting your business needs. For example, only add task sequence steps
that are related to the core task of upgrading the OS. These steps primarily include installing packages, apps, or updates. Where possible, use specific
steps that run command lines, PowerShell, or set dynamic variables. 
2. Configure upgrade conditions
• Prepare the OS upgrade package. The Windows 10 upgrade package contains the source files necessary to upgrade the OS on the destination
computer. The upgrade package must be the same edition, architecture, and language as the clients you upgrade. For more information, see
Manage OS upgrade packages with Configuration Manager.
• Prepare a task sequence to upgrade the OS. Use the steps in Create a task sequence to upgrade an OS in Configuration Manager to automate upgrade
of the OS. 
3. Deployment options
To deploy the OS, use one of the following deployment methods: 
• Use Configuration Manager to deploy Windows over the network.
• Use stand-alone media to deploy Windows without using the network.
4. Monitor deployment
To monitor the OS upgrade task sequence deployment, see Create a task sequence to upgrade an OS in Configuration Manager.
1c  Upgrade from Windows 10 to Windows 11

To upgrade your Windows 10 devices to Windows 11, we recommend utilizing existing processes to maintain consistency and predictability.

If you don't have an existing process, the recommended path for deploying Windows 11 uses Windows Update for Business via Intune to perform an in-place upgrade. This preserves all data, settings, apps, and drivers from the existing OS version. This requires the least IT effort, with no need for a complex deployment infrastructure. Note that Windows Update only offers the Windows 11 feature update to devices that meet the Windows 11 hardware requirements (including TPM 2.0 and UEFI with Secure Boot), so confirm eligibility before you plan rings.

NOTE: You should NOT include Microsoft 365 Apps or other apps in your images. Keep it as simple as possible to maintain focus on the
in-place upgrade process. 
The in-place upgrade scenario features the following: 
• Upgrades the OS on devices that currently run Windows 10.  
• Retains the apps, settings, and user data on these computers. 
• Has no external dependencies, like the Windows ADK. 
• Is faster and more resilient than traditional OS deployments. 
1. Choose deployment options
To deploy the OS, use one of the following deployment methods: 
• Use Windows Update for Business via Intune over the internet.
• Use Configuration Manager to deploy Windows over the network.
• Use stand-alone media to deploy Windows without using the network.
2. Plan the deployment
• With Windows Update for Business, use feature updates policies to upgrade some or all qualified devices.
• With Configuration Manager, simplify your task sequence to upgrade the OS as much as possible while still meeting your business needs. For example, only add task sequence steps that are related to the core task of upgrading the OS. These steps primarily include installing packages, apps, or updates. Where possible, use specific steps that run command lines, PowerShell, or set dynamic variables. 
3. Configure upgrade conditions
• Windows Update for Business: no package preparation or task sequence is necessary. Use Windows Update for Business policies to control the timing of the upgrade.
• Configuration Manager: prepare the Windows 11 OS upgrade package. The Windows 11 upgrade package contains the source files necessary to upgrade the OS on the destination computer. The upgrade package must be the same edition, architecture, and language as the clients you upgrade. For more information, see Manage OS upgrade packages with Configuration Manager.
• Prepare a task sequence to upgrade the OS. Use the steps in Create a task sequence to upgrade an OS in Configuration Manager to automate the upgrade of the OS. 
4. Monitor deployment
To monitor the OS upgrade task sequence deployment, see Create a task sequence to upgrade an OS in Configuration Manager.
To monitor OS upgrades via Windows Update for Business, use Update Compliance.
1c Deploying Windows 10 and Windows 11 (continued)

Clean image install


There are situations where it doesn't make sense to use an in-place upgrade. For the following scenarios, we recommend deploying a clean image using wipe-and-load with Configuration Manager. Before you perform wipe-and-load, create a task sequence that runs the wipe-and-load steps.
• Keep data with OneDrive for Business. We recommend customers use OneDrive for Business to back up their users' data during the upgrade process. This can be done with your FastTrack team.
• Changing from Windows 7, Windows 8, or Windows 8.1 to Windows 11. The Windows 11 upgrade process does not support direct upgrades from Windows 7, Windows 8, or Windows 8.1. If you need to upgrade to preserve apps and settings, you must upgrade to Windows 10 first.
• Changing from Windows 7/8.1 x86 to Windows 10 x64, or from Windows 10 x86 to Windows 11 x64. The upgrade process can't change a 32-bit OS to a 64-bit OS because of possible complications with installed apps and drivers.
• Updating existing images. While it can be tempting to try to upgrade existing Windows 7, Windows 8, and Windows 8.1 images to a newer Windows version by installing the old image, upgrading it, and then recapturing the new Windows 10/11 image, this isn't supported. Preparing an upgraded OS for imaging (using Sysprep.exe) isn't supported and doesn't work, because Sysprep detects the upgraded OS.
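The in-place upgrade rules above (Windows 10 only, no 32-bit to 64-bit, Windows 11 hardware requirements) are exactly what a pre-flight check should gate on before a task sequence or a Windows Update for Business ring touches a device. The script below is an added example, not part of the FastTrack guide; it uses only built-in cmdlets (Get-CimInstance, Get-Tpm, Confirm-SecureBootUEFI, Get-Volume), the 4 GB RAM and 64 GB storage thresholds are the published Windows 11 minimums, and the 20 GB free-space margin is an assumption. It does not check the CPU compatibility list; leave that to the Windows setup appraiser or Endpoint analytics.

```powershell
# Added example (not from the FastTrack guide): pre-flight check for a Windows 10 -> Windows 11
# in-place upgrade. Run elevated on the client, e.g. as a Configuration Manager script or a
# task sequence pre-check step. Exits non-zero when the device is not ready.

function Test-Windows11UpgradeReadiness {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $build = [int]$os.BuildNumber

    # In-place upgrade only runs Windows 10 -> Windows 11. Windows 7/8.1 must go to Windows 10
    # first, and a device already on Windows 11 (build 22000+) has nothing to do.
    if ($build -lt 10240) { $findings.Add("OS build $build is older than Windows 10; upgrade to Windows 10 first") }
    if ($build -ge 22000) { $findings.Add("Already running Windows 11 (build $build)") }

    # Setup cannot switch a 32-bit OS to 64-bit in place; those devices need wipe-and-load.
    if ($os.OSArchitecture -notmatch '64') {
        $findings.Add("32-bit OS ($($os.OSArchitecture)) cannot be upgraded in place; wipe-and-load required")
    }

    # Windows 11 requires UEFI firmware with Secure Boot. Confirm-SecureBootUEFI throws on
    # legacy BIOS systems, so an exception is itself a failed check.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is supported but currently disabled') }
    } catch {
        $findings.Add("No UEFI Secure Boot support (legacy BIOS?): $($_.Exception.Message)")
    }

    # TPM 2.0 must be present and ready. Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38".
    try {
        $tpm = Get-Tpm
        if (-not $tpm.TpmPresent)    { $findings.Add('No TPM present') }
        elseif (-not $tpm.TpmReady)  { $findings.Add('TPM present but not ready (enable/activate it in firmware)') }
        $spec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion
        if ($spec -and -not $spec.StartsWith('2.0')) { $findings.Add("TPM spec version $spec is not 2.0") }
    } catch {
        $findings.Add("TPM query failed: $($_.Exception.Message)")
    }

    # Memory and system-drive size against the Windows 11 minimums, plus working space for
    # the upgrade payload (20 GB is an assumed margin, not a published requirement).
    $ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
    if ($ramGB -lt 4) { $findings.Add("RAM ${ramGB} GB is below the 4 GB minimum") }

    $sys    = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
    $sizeGB = [math]::Round($sys.Size / 1GB, 1)
    $freeGB = [math]::Round($sys.SizeRemaining / 1GB, 1)
    if ($sizeGB -lt 64) { $findings.Add("System drive ${sizeGB} GB is below the 64 GB minimum") }
    if ($freeGB -lt 20) { $findings.Add("Only ${freeGB} GB free on the system drive; setup needs working space") }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Build        = $build
        Architecture = $os.OSArchitecture
        Ready        = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

$result = Test-Windows11UpgradeReadiness
$result | Format-List
# A non-zero exit code lets a task sequence step or a ConfigMgr/Intune script gate on the result.
if (-not $result.Ready) { exit 1 }
```

Run it against the pilot collection first and feed the Findings column back into the device inventory from 1b; the 32-bit and legacy-BIOS devices it flags are the ones that belong in the wipe-and-load task sequence rather than the upgrade ring.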

Windows Autopilot 
You can also use Windows Autopilot (the Windows Autopilot for existing devices scenario) to upgrade your devices to Windows 10/11 using Configuration Manager. However, there are prerequisites you need to review, including assigned Intune and Azure Active Directory (Azure AD) Premium licenses. Additionally, you can create a task sequence to speed up the process so the device boots into Windows 10/11 only once. 

BitLocker 
We suggest you include using BitLocker Drive Encryption in Windows 10/11 as part of your overall security configuration framework even if you haven’t
enabled it with previous versions of Windows. There are prerequisites you need to review as part of your assessment, including hardware compatibility and
support of the Trusted Platform Module (TPM), that your devices have sufficient hard drive space, and any firmware updates required by your OEM device
provider to support BitLocker have been installed. A Configuration Manager task sequence can be used to enable BitLocker on new Windows 10/11 PCs. 
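The order of operations matters more than the encryption settings: create and escrow the recovery password before the TPM protector is added and encryption starts, so a failure part-way through can never leave a volume whose only key is lost. The following is an added example, not code from the guide; it uses the built-in BitLocker module (Get-Tpm, Add-BitLockerKeyProtector, BackupToAAD-BitLockerKeyProtector, Backup-BitLockerKeyProtector, Enable-BitLocker) and assumes an elevated session on a Windows 10/11 Pro or Enterprise device. The escrow target (Azure AD for co-managed or Azure AD joined devices, Active Directory for domain-joined devices with the BitLocker recovery schema extension) is a parameter you choose.

```powershell
# Added example (not from the FastTrack guide): enable BitLocker on the OS drive with a TPM
# protector, escrowing the recovery password first. Suitable as a "Run PowerShell Script"
# task sequence step after the OS upgrade, or as an Intune/ConfigMgr script.

function Enable-OsDriveBitLocker {
    [CmdletBinding()]
    param(
        [string]$MountPoint = $env:SystemDrive,
        # 'AAD' for Azure AD joined / co-managed devices, 'AD' for domain-joined devices whose
        # AD DS schema stores BitLocker recovery objects, 'None' to skip escrow (not recommended).
        [ValidateSet('AAD', 'AD', 'None')][string]$Escrow = 'AAD'
    )

    # Hardware prerequisite from the guidance above: a present, ready TPM.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready; apply OEM firmware updates and enable the TPM before enabling BitLocker.'
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Verbose "Volume $MountPoint already has status '$($vol.VolumeStatus)'; nothing to do."
        return $vol
    }

    # 1. Add a recovery password protector. No encryption starts yet.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

    # 2. Escrow it before the drive is bound to the TPM. Both cmdlets throw on failure, which
    #    aborts the function before any encryption happens.
    switch ($Escrow) {
        'AAD' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
        'AD'  { Backup-BitLockerKeyProtector     -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
        'None' { Write-Warning 'Recovery password was not escrowed; record it out of band.' }
    }

    # 3. Bind the volume to the TPM and start encrypting. XTS-AES 256 and used-space-only are
    #    the usual choices for freshly deployed drives; use full-disk encryption on drives that
    #    previously held data, since used-space-only leaves old, unallocated blocks in clear.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
                     -UsedSpaceOnly -SkipHardwareTest | Out-Null

    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
                      @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}

Enable-OsDriveBitLocker -Escrow AAD -Verbose
```

For a task sequence the same three steps map onto the built-in Pre-provision BitLocker and Enable BitLocker steps; the point of spelling them out here is the escrow-before-encrypt ordering, which a compliance baseline can later verify by checking that every encrypted volume reports a RecoveryPassword protector with a backed-up key.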

Windows Defender Antivirus and Microsoft Defender for Endpoint

A critical component in your security strategy is using endpoint protection on your Windows 10/11 devices. Windows Defender Antivirus (now named Microsoft Defender Antivirus) is the built-in antimalware in Windows 10/11. You can configure, manage, and monitor Windows Defender using Configuration Manager or with Group Policy. If you use third-party antivirus products for Windows 10/11 endpoints, review Windows Defender Antivirus compatibility to understand how these apps coexist: when a third-party antivirus registers as the primary product, Defender Antivirus disables itself, or on devices onboarded to Microsoft Defender for Endpoint it runs in passive mode.

NOTE: When deploying a current version of Windows 10/11, third-party antivirus solutions may not yet be supported and won’t function properly,
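After an OS upgrade the question a practitioner actually wants answered is which product owns real-time protection on the device and whether Defender is still healthy. The following is an added example, not part of the guide; it uses the built-in Defender module (Get-MpComputerStatus, Get-MpPreference). The three-day signature-age threshold is an assumption to tune to your update cadence.

```powershell
# Added example (not from the FastTrack guide): report the Defender Antivirus posture after an
# upgrade, including whether a third-party antivirus has pushed Defender into passive mode.

function Get-DefenderPosture {
    [CmdletBinding()]
    param([int]$MaxSignatureAgeDays = 3)   # assumed threshold

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $issues = New-Object System.Collections.Generic.List[string]

    # AMRunningMode says who owns real-time protection: 'Normal' = Defender is primary;
    # 'Passive Mode' / 'SxS Passive Mode' = a registered third-party AV is primary and Defender
    # only scans on demand; 'EDR Block Mode' = passive plus Defender for Endpoint blocking.
    if ($status.AMRunningMode -ne 'Normal') {
        $issues.Add("Defender is in '$($status.AMRunningMode)'; a third-party AV is primary, confirm the vendor supports this Windows version")
    }
    if (-not $status.AntivirusEnabled)          { $issues.Add('Antivirus engine disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $issues.Add('Real-time protection off') }
    if (-not $status.IsTamperProtected)         { $issues.Add('Tamper protection off (enable it from Intune or ConfigMgr; it cannot be set from PowerShell)') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $issues.Add("Signatures are $($status.AntivirusSignatureAge) days old")
    }
    if ($pref.DisableRealtimeMonitoring) { $issues.Add('DisableRealtimeMonitoring preference is set') }
    if ($pref.MAPSReporting -eq 0)       { $issues.Add('Cloud-delivered protection (MAPS) is off') }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RunningMode   = $status.AMRunningMode
        EngineVersion = $status.AMEngineVersion
        SignatureAge  = $status.AntivirusSignatureAge
        Healthy       = ($issues.Count -eq 0)
        Issues        = $issues.ToArray()
    }
}

Get-DefenderPosture | Format-List
```

Run it as a Configuration Manager script against the pilot collection after each feature update; a device that reports passive mode when no third-party product is expected is the first sign that an old antivirus agent survived the upgrade.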
1d  Deploy Microsoft 365 Apps with Configuration Manager

Configuration Manager scales for large environments and provides extensive control over installation, updates, and settings. It also has built-in features to make it easier and more efficient to deploy and manage Microsoft 365 Apps.

When deploying with the Office Client Management dashboard and Microsoft 365 Apps Installer, you can manage updates with Configuration Manager. For more details, see Manage Microsoft 365 Apps with Configuration Manager. 

1. Prepare and plan


When deploying Microsoft 365 Apps, you can install different versions for different groups of users and control how frequently they receive feature updates. To do this, choose one of these update channels for your users (the names below are the ones used in this guide; the Office Deployment Tool and current documentation use the names in parentheses):
• Monthly Channel (Current Channel): Provides users with the newest features as soon as they're available.
• Semi-Annual Channel (Semi-Annual Enterprise Channel): Provides users with new features every six months, in January and July.
• Semi-Annual Targeted (Semi-Annual Enterprise Channel (Preview)): Provides pilot users and app compatibility testers the opportunity to test the next Semi-Annual Channel release every six months, in March and September.
Using Configuration Manager and the Microsoft 365 Apps Installer, you can define settings for these deployment groups.

2. Review your collections


The deployment groups defined in your deployment plan are represented as collections in Configuration Manager. For each deployment group, make
sure you have a specific collection. For more information, see Introduction to collections in Configuration Manager.

3. Create and deploy the apps to the pilot group


The installation packages are represented as apps in Configuration Manager. For each collection defined in your deployment plan, you create a unique
app.

4. Create and deploy the apps to the broad group


After you've finished testing with the pilot group, you can repeat these steps to create and deploy an app to the broad group. When defining the app,
include the same options selected for the pilot group but choose Semi-Annual Channel. Specify the version as needed.

5. Review exit criteria


To make sure you have deployed the correct package to your client devices, use the Office 365 Client Management dashboard. For more information,
see Deploy Microsoft 365 Apps with Microsoft Endpoint Configuration Manager (Current Branch).

Follow the steps listed in Deploy Microsoft 365 Apps from the cloud to deploy Microsoft 365 Apps to client computers from the Office Content Delivery
Network (CDN) by using the Office Deployment Tool (ODT).
2a  Optimize Windows 10/11 and Microsoft 365 Apps update delivery with Configuration Manager

A successful path to getting and staying up to date with Windows 10/11 and Microsoft 365 Apps starts with a good content distribution strategy. Microsoft has invested significantly to address concerns about the size of updates.

There are several technologies available to help reduce bandwidth and network load and optimize update delivery. This section explains these technologies, compares them, and provides recommendations to help you decide which one to use. 

Express update delivery


For smaller downloads and faster installation times on clients, Configuration Manager supports express installation files for Windows 10 updates. With
express installation files, clients download only the changes between the current month's Windows 10 cumulative quality update and the previous
month's update rather than the full Windows 10 cumulative update each month. For more information, see
Manage express installation files for Windows 10 updates.

Peer-to-peer content distribution


Only one peer is needed to download update content from the cloud before making it available to other devices. Configuration Manager supports
multiple peer-to-peer technologies, including:
• Windows Delivery Optimization. Source content from other devices on their local network that have already downloaded the updates or from peers
over the internet (requires connectivity to the Delivery Optimization cloud service).
Note: Currently, Delivery Optimization is only available for express updates (which only supports quality updates) when using Configuration Manager.
• Configuration Manager peer cache. Help manage deployment of content to clients in remote locations with limited or no internet connectivity.

To help guide your decision, review the peer-to-peer decision tree on the following slide.

Microsoft 365 Apps update delivery


When Microsoft publishes a new client update to the Office Content Delivery Network (CDN), Microsoft simultaneously publishes an update package to
Windows Server Update Services (WSUS). Then, Configuration Manager synchronizes the client update from the WSUS catalog to the site server.
Configuration Manager can then download the update and distribute it to distribution points you’ve selected. The Configuration Manager desktop client
then tells the Office client where to get the update and when to start the update installation process.
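Whether peer-to-peer is actually carrying the load is measurable on the client: Windows keeps per-file Delivery Optimization statistics. The following is an added example, not part of the guide; it uses the built-in Get-DeliveryOptimizationStatus cmdlet and reads the Delivery Optimization policy values (DODownloadMode, DOGroupId) that Group Policy, Intune or a Configuration Manager client setting writes. The "more than five files with zero peer bytes" heuristic is an assumption.

```powershell
# Added example (not from the FastTrack guide): how much update content this client pulled
# from peers versus HTTP (the CDN or a distribution point), and what the DO policy says.

function Get-DoPeerEfficiency {
    [CmdletBinding()]
    param()

    # Policy view. DODownloadMode: 0 = HTTP only, 1 = LAN peers, 2 = group (DOGroupId, e.g. a
    # ConfigMgr boundary group), 3 = LAN + internet peers, 99 = simple, 100 = bypass.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization' -ErrorAction SilentlyContinue

    # Runtime view: one record per file DO has handled recently, with byte counts per source.
    $jobs  = @(Get-DeliveryOptimizationStatus)
    $peers = ($jobs | Measure-Object -Property BytesFromPeers -Sum).Sum
    $http  = ($jobs | Measure-Object -Property BytesFromHttp  -Sum).Sum
    $total = [double]($peers + $http)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        PolicyDownloadMode = $policy.DODownloadMode
        PolicyGroupId      = $policy.DOGroupId
        Files              = $jobs.Count
        GBFromPeers        = [math]::Round($peers / 1GB, 2)
        GBFromHttp         = [math]::Round($http  / 1GB, 2)
        PeerPercent        = if ($total -gt 0) { [math]::Round(100 * $peers / $total, 1) } else { 0 }
    }
}

$r = Get-DoPeerEfficiency
$r | Format-List

# A client configured for LAN or group peering that has moved a reasonable number of files
# and still reports 0 % from peers usually has a DOGroupId/boundary mismatch or is blocked on
# the peer discovery port (7680/TCP), rather than DO being "off".
if ($r.PolicyDownloadMode -in 1, 2 -and $r.Files -gt 5 -and $r.PeerPercent -eq 0) {
    Write-Warning 'Peer mode is configured but no peer bytes were observed; check DOGroupId and TCP 7680 on the local network.'
}
```

Collect this from a sample of clients per site and compare against the decision tree below: sites that never peer despite internet connectivity need their boundary groups or DOGroupId fixed, while sites without internet connectivity belong on Configuration Manager peer cache instead.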
2a  Peer-to-peer technology decision tree

[The slide is a flowchart. The questions it asks, in order, and the outcomes it leads to are:]

Questions:
• Do you have existing distribution points local to all your clients?
• Have you recently done a network-based upgrade to Windows 10?
• Did you encounter network bandwidth issues?
• Did you deploy peer caching or Delivery Optimization?
• Do your clients have internet connectivity?
• Do the network boundaries in Configuration Manager match your network topology?

Outcomes:
• Configure peer caching using your Configuration Manager boundaries.
• Update your Configuration Manager boundaries, then configure peer caching.
• Configure Delivery Optimization using your Configuration Manager boundaries.
• Either update your Configuration Manager boundaries or configure Delivery Optimization groups based on DHCP subnets, then deploy Delivery Optimization.

Clients without internet connectivity are steered to Configuration Manager peer cache (Delivery Optimization needs the Delivery Optimization cloud service); clients with internet connectivity are steered to Delivery Optimization. In both branches, boundaries that don't match the network topology are corrected before peer-to-peer is configured.
2b  Windows 10/11 phased deployments with Windows Update for Business

One of the benefits of Microsoft 365 Apps is that Microsoft can provide new features for apps on a regular basis through monthly updates. For you to have more control over how often your users get these new features, Semi-Annual Channels (see 1d) are an option to provide users new features twice a year. For customers able to receive only one update annually, we recommend the second update of the year as it contains more feature enhancements.

For more details, see Learn about using Windows Update for Business in Microsoft Intune.

1. Prepare for phased deployments 


Your Windows 10 and Windows 11 servicing process begins by creating update rings in your environment. Rings determine when Windows 10/11
devices in your environment receive OS updates. Begin with a targeted set of devices and apps that mirror your larger portfolio and grow to cover
more devices and use cases until the entire organization is represented. You then confirm readiness for broad deployment. For more information, see
Learn about using Windows Update for Business in Microsoft Intune.

For some targeted devices, you can use the Windows Insiders Program, which enables early adopters to use and provide feedback on new and
improved features, gaining early insight and experience into the latest feature updates. 

2. Deploy feature updates with servicing plans


We recommend using update rings together with feature updates policies to deploy feature updates, providing an automated method to update devices consistently in their respective rings; the feature updates policy sets the baseline Windows 10 or Windows 11 feature update version for the devices in a ring. Depending on the complexity of your environment, there may be instances when you consider using deferral periods. For more information, see Policy types to manage updates.

3. Validate your apps


Microsoft has committed to application compatibility in Windows 11( Windows 11 app compatibility strategy). In the event you do encounter issues
with any apps, you can use the App Assure program at no additional cost. 

4. Inform your users


Make sure users are informed about new experiences and new ways of working as you move their device OS to Windows 10 or Windows 11. If you
already have pre-existing Microsoft 365 processes and communications for Microsoft 365 Apps updates, you can use these for Windows. This helps
align messaging across products while minimizing additional change efforts.

5. Monitor your deployments


The Update Compliance servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan
deployment, and other key information about Windows 10 and Windows 11 servicing. For more information, see
Get started with Update Compliance - Windows Deployment.
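A ring is ultimately a small set of Windows Update for Business policy values (target product and release, feature and quality deferral days). The following is an added example, not part of the guide: it expresses three rings as data and writes one of them to a test client's local policy registry so you can validate the resulting Windows Update behaviour before building the equivalent Intune update ring and feature updates policy. The ring names, deferral days and the "22H2" target are assumptions; the value names under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate are the documented Windows Update for Business policy values. Use this on a lab VM only; in production Intune owns these values.

```powershell
# Added example (not from the FastTrack guide): Windows Update for Business rings as policy
# data, applied to the local policy registry of a test device for validation.

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

$Rings = [ordered]@{
    # Ring 0: IT-owned devices, take the feature update as soon as it is offered.
    'Ring0-IT'    = @{ FeatureDefer = 0;  QualityDefer = 0; Target = '22H2' }
    # Ring 1: pilot users representing the app portfolio; short deferral catches regressions.
    'Ring1-Pilot' = @{ FeatureDefer = 14; QualityDefer = 3; Target = '22H2' }
    # Ring 2: broad deployment once Ring 1 meets its exit criteria.
    'Ring2-Broad' = @{ FeatureDefer = 60; QualityDefer = 7; Target = '22H2' }
}

function Get-LocalWufbRing {
    $p = Get-ItemProperty $WuPolicy -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProductVersion   = $p.ProductVersion
        TargetRelease    = $p.TargetReleaseVersionInfo
        FeatureDeferDays = $p.DeferFeatureUpdatesPeriodInDays
        QualityDeferDays = $p.DeferQualityUpdatesPeriodInDays
    }
}

function Set-LocalWufbRing {
    param(
        [Parameter(Mandatory)][string]$Ring,
        [string]$ProductVersion = 'Windows 11'   # 'Windows 10' keeps a ring on Windows 10
    )
    $r = $Rings[$Ring]
    if (-not $r) { throw "Unknown ring '$Ring'. Known rings: $($Rings.Keys -join ', ')" }

    New-Item -Path $WuPolicy -Force | Out-Null
    # Pin the feature update target: the device moves to exactly this product/release and stops,
    # which is what a feature updates policy does in Intune.
    Set-ItemProperty $WuPolicy -Name TargetReleaseVersion     -Value 1               -Type DWord
    Set-ItemProperty $WuPolicy -Name ProductVersion           -Value $ProductVersion -Type String
    Set-ItemProperty $WuPolicy -Name TargetReleaseVersionInfo -Value $r.Target       -Type String
    # Deferrals count from the day Microsoft releases the update.
    Set-ItemProperty $WuPolicy -Name DeferFeatureUpdates             -Value 1               -Type DWord
    Set-ItemProperty $WuPolicy -Name DeferFeatureUpdatesPeriodInDays -Value $r.FeatureDefer -Type DWord
    Set-ItemProperty $WuPolicy -Name DeferQualityUpdates             -Value 1               -Type DWord
    Set-ItemProperty $WuPolicy -Name DeferQualityUpdatesPeriodInDays -Value $r.QualityDefer -Type DWord

    Get-LocalWufbRing
}

# Usage: apply the pilot ring, then force a scan with "UsoClient StartScan" or from Settings
# and confirm the offered build in Settings > Windows Update.
Set-LocalWufbRing -Ring 'Ring1-Pilot'
```

Keeping the ring table in one place (source control, alongside the Intune policy export) is what lets you answer "which devices were supposed to get 22H2 and when" when Update Compliance shows a device on the wrong build.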
2b  Windows 10/11 phased deployments with Configuration Manager

One of the benefits of Microsoft 365 Apps is that Microsoft can provide new features for apps on a regular basis through monthly updates. For you to have more control over how often your users get these new features, Semi-Annual Channels (see 1d) are an option to provide users new features twice a year. For customers able to receive only one update annually, we recommend the second update of the year as it contains more feature enhancements.

For more details, see Manage Windows as a service using Configuration Manager.

1. Prepare for phased deployments 


Your Windows 10 and Windows 11 servicing process begins by creating collections in your environment. Collections determine when Windows 10/11
devices in your environment receive OS updates. Begin with a targeted set of devices and apps that mirror your larger portfolio and grow to cover
more devices and use cases until the entire organization is represented. You then confirm readiness for broad deployment. For more information, see
Create phased deployments with Configuration Manager.

For some targeted devices, you can use the Windows Insiders Program, which enables early adopters to use and provide feedback on new and
improved features, gaining early insight and experience into the latest feature updates. 

2. Deploy feature updates with servicing plans


We recommend using Windows servicing plans to deploy feature updates, providing an automated method to update devices consistently in their
respective collections, like Automatic Deployment Rules for software updates. Depending on the complexity of your environment, there may be
instances when you consider using task sequences. For more information, see Use a task sequence to deploy Windows updates.

3. Validate your apps


The compatibility assessment conducted during the Windows 7 and Windows 8.1 to Windows 10 upgrade allows you to use a data-driven app validation process (Windows 10 app compatibility strategy) that becomes faster and more efficient with each feature update, and Microsoft has committed to application compatibility in Windows 11 (Windows 11 app compatibility strategy). In the event you do encounter issues with any apps, you can use the App Assure program at no additional cost. 

4. Inform your users


Make sure users are informed about new experiences and new ways of working as you move their device OS to Windows 10 or Windows 11. If you
already have pre-existing Microsoft 365 processes and communications for Microsoft 365 Apps updates, you can use these for Windows. This helps
align messaging across products while minimizing additional change efforts.

5. Monitor your deployments


The Windows 10 servicing dashboard gives you a quick-reference view of your active servicing plans, compliance for servicing plan deployment, and
other key information about Windows 10 servicing. For more information, see Manage Windows as a service using Configuration Manager.
2c  Microsoft 365 Apps phased deployments with Configuration Manager

Software updates in Configuration Manager provide a set of tools and resources that can help manage the complex task of tracking and applying software updates to client devices in the enterprise. An effective software update management process is necessary to maintain operational efficiency, overcome security issues, and maintain stability of the network infrastructure.

Servicing model
In order to effectively manage releases of Microsoft 365 Apps to your organization, you need to understand this servicing model and how you can
manage the releases while your organization takes advantage of new functionality. This includes time for organizations to test and validate releases
before adopting them. For more information, see Overview of update channels for Microsoft 365 Apps.

Phased deployments
We recommend you manage and deploy updates using a phased approach and use the collections created during initial deployment of Microsoft 365
Apps. Aligning this approach with your Windows 10 deployments allows for consistency and predictability across products. For more information, see
Create phased deployments with Configuration Manager.

Enable Configuration Manager to manage client updates:


• Review the requirements.
• Enable Configuration Manager to receive client package notifications.
• There are two options to enable clients to receive updates from Configuration Manager:
  • Use the ODT to enable clients to receive updates (set the OfficeMgmtCOM property to TRUE in the configuration file).
  • Use Group Policy to enable clients to receive updates.
• After enabling clients to receive updates, use the software update management capabilities of Configuration Manager to deploy the updates. For more information, see Deploy software updates.
In the event you encounter issues with any of your apps, add-ins, or macros, you can use the App Assure program at no additional cost.

Follow the steps in Deploying Microsoft 365 Apps from the cloud to deploy Microsoft 365 Apps to client devices from the Office CDN by using the ODT.
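The pilot/broad split from 1d and the "use the ODT to enable clients to receive updates" step above both come down to the Office Deployment Tool configuration file: the Channel attribute picks the ring, and the OfficeMgmtCOM property hands update control to Configuration Manager. The following is an added example, not code from the guide; the XML elements (Add, Product, Language, ExcludeApp, Updates, Property, RemoveMSI, Display) and the channel identifiers (SemiAnnualPreview for Semi-Annual Targeted, SemiAnnual for Semi-Annual Channel, Current for Monthly Channel) are documented ODT options, while the ring names, the setup.exe location and the package layout are assumptions.

```powershell
# Added example (not from the FastTrack guide): generate an ODT configuration per deployment
# ring and install Microsoft 365 Apps from the Office CDN, with updates managed by ConfigMgr.

$Rings = @{
    # Pilot runs one release ahead so add-ins and VBA macros are tested before broad sees them.
    'Pilot' = @{ Channel = 'SemiAnnualPreview'; Version = $null }
    # Broad gets the Semi-Annual Enterprise Channel; set Version (e.g. '16.0.xxxxx.yyyyy') to pin.
    'Broad' = @{ Channel = 'SemiAnnual';        Version = $null }
}

function New-OdtConfiguration {
    param(
        [Parameter(Mandatory)][ValidateSet('Pilot', 'Broad')][string]$Ring,
        [string]$Architecture = '64',
        [string[]]$Languages = @('en-us'),
        # TRUE lets Configuration Manager's software update management deliver Office updates
        # instead of the client pulling them straight from the CDN.
        [bool]$ManagedByConfigMgr = $true
    )
    $r = $Rings[$Ring]
    $versionAttr = if ($r.Version) { " Version=`"$($r.Version)`"" } else { '' }
    $langs = ($Languages | ForEach-Object { "      <Language ID=`"$_`" />" }) -join "`n"
    $mgmt  = $ManagedByConfigMgr.ToString().ToUpper()   # "TRUE" / "FALSE"

@"
<Configuration>
  <Add OfficeClientEdition="$Architecture" Channel="$($r.Channel)"$versionAttr>
    <Product ID="O365ProPlusRetail">
$langs
      <ExcludeApp ID="Groove" />
    </Product>
  </Add>
  <Updates Enabled="TRUE" Channel="$($r.Channel)" />
  <Property Name="OfficeMgmtCOM" Value="$mgmt" />
  <Property Name="SharedComputerLicensing" Value="0" />
  <RemoveMSI />
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@
}

function Install-M365Apps {
    param(
        [Parameter(Mandatory)][ValidateSet('Pilot', 'Broad')][string]$Ring,
        [string]$SetupExe = (Join-Path $PSScriptRoot 'setup.exe')   # assumed: ODT setup.exe beside this script
    )
    $xmlPath = Join-Path $env:TEMP "m365apps-$Ring.xml"
    New-OdtConfiguration -Ring $Ring | Set-Content -Path $xmlPath -Encoding UTF8

    # /configure installs from the Office CDN unless a SourcePath is set in the XML.
    $p = Start-Process -FilePath $SetupExe -ArgumentList "/configure `"$xmlPath`"" -Wait -PassThru
    if ($p.ExitCode -ne 0) { throw "setup.exe exited with code $($p.ExitCode)" }

    # Exit criteria check: the installed channel and version are recorded by Click-to-Run here.
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' |
        Select-Object Platform, VersionToReport, UpdateChannel, CDNBaseUrl
}

# Usage: deploy Pilot first, work through what the Readiness Toolkit and App Assure surface,
# then deploy Broad.  Install-M365Apps -Ring Pilot
New-OdtConfiguration -Ring Pilot
```

Treat the generated XML as the "app" that 1d says to create per collection: one file per ring, checked into source control, so the only difference between the pilot and broad deployments is the Channel attribute and, where needed, a pinned Version.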
FAQ

Stage 1a
Q: Can FastTrack help us upgrade our Configuration Manager environment to the current branch?
A: No, assisting with Configuration Manager upgrade isn't currently supported. If you need assistance with this, we recommend that you engage with your Microsoft account team or a Microsoft Partner for assistance.

Stage 1b
Q: How and where should I store the information that I collect during the app assessment process?
A: We recommend using your existing configuration management database (CMDB) and related processes. If you don't have a process, you can export the data from Configuration Manager into Microsoft Excel. For more information on what information to record, see How Detailed is Your Enterprise Application Catalog?

Stage 1b
Q: How long will or should app testing take?
A: There's no single answer for the time required for testing. It's likely to be unique to each organization preparing to upgrade to Windows 10/11 as well as updating between Windows 10/11 versions. It's because of this that we recommend that you either:
a) Use the assessment and testing processes you already have in place, since you understand how they work and their duration; or
b) Use the app assessment strategy we presented.
If your current app assessment strategy won't allow you to quickly move to Windows 10 or Windows 11, we suggest that you consider adopting our process to help accelerate your efforts. This also helps set the foundation for how you manage future Windows 10/11 and Microsoft 365 Apps updates.

Stage 1b
Q: Can Microsoft provide any assistance or guidance with apps we need to migrate to Windows 10/11 and Microsoft 365 Apps?
A: Yes, the FastTrack Center Benefit for Windows 10/11 provides access to App Assure, a new service designed to address issues with app compatibility. When you request the App Assure service, a FastTrack Specialist works with you throughout your migration to Windows 10/11 and Microsoft 365 Apps and when you consume feature updates. A Microsoft engineer works with you to address valid app issues at no additional cost with an eligible subscription. We also provide guidance to customers who face compatibility issues transitioning from Office clients to Microsoft 365 Apps.

Stage 1c
Q: Does this upgrade process support Windows To Go and boot from a virtual hard disk (VHD) installations?
A: No, the upgrade process can't upgrade these installations. New installations need to be performed.

Stage 1c
Q: Do you support dual-boot and multi-boot systems?
A: No, the upgrade process is designed for devices running a single OS. If using dual-boot or multi-boot systems with multiple OSs (not using virtual machines for the second and subsequent OSs), additional care should be taken. This isn't currently supported. If you need assistance with this, we recommend that you engage your Microsoft account team or a Microsoft Partner for assistance.

Stage 1c
Q: Does the FastTrack team provide guidance or assistance with the User State Migration Tool (USMT), hard links, and data retention during the migration process?
A: No, these more complex scenarios aren't currently supported. For assistance beyond what is described in the in-place upgrade from Windows 7 and Windows 8.1 to Windows 10/11, we recommend that you engage with your Microsoft account team or a Microsoft Partner for assistance. We recommend that customers consider using their OneDrive for Business subscription in order to back up their users' data during the upgrade process. Configuring this can be done with the assistance of your FastTrack team.

Stage 1c
Q: Why use BitLocker instead of a third-party encryption system?
A: BitLocker is ready to be used from the time Windows 10/11 is installed. With all other third-party encryption technologies used with your Windows 10/11 devices, we recommend that you consult your vendor to understand any limitations or issues and how they may impact your Windows servicing strategy.
Microsoft 365 unified endpoint management
Converged management cross-platform service
• Mobile security with minimal impact to user productivity
• Configuration Manager intelligent edge plus Intune intelligent cloud
• Deep integration with the Microsoft security suite
• Streamlined security operations (SecOps) to IT pro workflows
• Best for Windows and Microsoft 365 Apps adoption and currency
• Unified console for IT, common portal for information workers
• Seamless transformation without complex migration
• Recognized as a leader in the Gartner Magic Quadrant for unified endpoint management tools

Figure: Microsoft 365 cloud = Intune plus Windows Autopilot plus Configuration Manager plus Analytics
Cloud-attach and co-management benefits

Risk-based access: Multi-factor authentication (MFA); Compliance; Conditional Access
Immediate actions: Windows Autopilot reset; Remote wipe, lock, and restart; Remove company data; Windows Defender update and scan
Zero Touch Deployment: Windows Autopilot; Knox Mobile Enrollment
Advanced security: Windows Hello; Attestation; Microsoft Defender; Secure Score
Telemetry-driven policy: Security baselines; Guided deployments
Complete app management: Microsoft 365 Apps; Stores; Software as a service (SaaS); Content Delivery Network (CDN), delivery optimization, and peer-to-peer
Full stack integration: Analytics; Graph; Audit; Security
Cloud-attach guidance

Attach to the cloud for complementary value

Figure: Cloud-attach stages
3a Preparing your infrastructure for cloud-attach
3b Cloud-attach Windows 10/11 clients to Azure AD and Microsoft Intune for immediate cloud value
3c Deploy Windows 10/11 devices using Windows Autopilot to join into Azure AD and co-management
3d Enable Conditional Access to extend the security perimeter for Windows devices in your Zero-Trust network
3e Adopt cloud workloads as needed for your organization
3a
Preparing your infrastructure for cloud-attach
Before you can start realizing the value of cloud-attached Windows 10/11 clients, there are some prerequisites you’ll need to complete, like setting up Azure AD for your organization, enabling automatic enrollment (auto-enrollment) into Intune through Azure AD Premium, enabling co-management in a supported version of Configuration Manager, and upgrading to Windows 10 Version 1709 onward.

Cloud-attach prerequisite checklist: The following checklist can help you plan a successful co-management deployment. In addition, Configuration Manager’s management insights for cloud services provide a guided assessment on co-management readiness and direction on what steps remain to be able to enable it.

Before you upgrade:

1. Verify licensing: Ensure all users are assigned licenses for Intune and Azure AD Premium.

2. Set up hybrid identity with Active Directory and Azure AD: Hybrid Azure AD join of your Windows 10/11 devices is the first step required to enable co-management and get the value of cloud-attach. First you need to connect your Active Directory environment to Azure AD. Then you need to use hybrid Azure AD join for your Windows 10/11 clients by registering your domain-joined devices with Azure AD.

3. Perform auto-enrollment into Intune through Azure AD Premium: Azure AD needs to be configured to auto-enroll devices into Intune. This assures that as you go through the steps to enable hybrid Azure AD join, your Windows 10/11 clients automatically enroll into Intune at the same time. You can also enable auto-enrollment into Intune using Group Policy.

4. Validate permissions and roles: Ensure that permissions and roles are properly configured. Configuration Manager Full Administrator with All scope permissions is required to enable co-management.

5. Enable co-management in a supported version of Configuration Manager: Co-management is a foundational piece of your cloud-attach strategy. Microsoft recommends upgrading to the latest version of Configuration Manager to benefit from the latest co-management features. Starting with Just4Clicks and then following the steps outlined in How to enable co-management in Configuration Manager, you can start attaching Windows 10 Version 1709-onward clients to the cloud for immediate cloud value at the pace you choose. There is zero user impact of attaching to the cloud through co-management and you can start consuming cloud value immediately.

6. Upgrade to Windows 10 1709 onward: Use the guidance found in Stages 1 and 2 of this guide to help you get to the latest version of Windows 10/11.

7. Enable Configuration Manager cloud-based services like cloud management gateway (CMG) and cloud distribution points. This allows you to easily extend the perimeter of your Configuration Manager environment to reach clients on the internet. Note: A CMG isn’t required for co-management but is required to be able to
3b
Cloud-attach Windows 10 clients to Azure AD and Intune for immediate cloud value
The next step in the journey is cloud-attaching all Windows 10 Version 1709-onward clients using Configuration Manager and Just4Clicks to enable immediate cloud value.

Customers can immediately register a domain-joined client with Azure AD and Intune-enroll a client managed with the Configuration Manager agent. On the management side, customers concurrently co-manage using both Configuration Manager and Intune to get value like Configuration Manager client health monitoring through Intune and remote actions like wiping a PC anywhere on the internet. For more details, see How to enable co-management in Configuration Manager and Tutorial: Enable co-management for existing Configuration Manager clients.

This section contains the steps to attach your Windows 10/11 client to Azure AD and Intune. The immediate benefits of co-management include:
• Compliance policies and Conditional Access
• Real-time actions from Intune
• Enhanced Configuration Manager client health insights from Intune
• Extending your identity and security boundary with hybrid Azure AD join
• Modern provisioning through Windows Autopilot

There are four easy steps to enable co-management. To begin, in the latest version of Configuration Manager, go to the Administration workspace in the console, expand Cloud Services, and select the Co-management node. Select Configure co-management in the ribbon to open the Co-management Onboarding Wizard. For directions on how to enable co-management on Configuration Manager versions earlier than 1906, see How to enable co-management in Configuration Manager.
1. Intune sign in: On the tenant onboarding page, select the Azure environment you will use. Then, select Sign In. Sign in to your Intune tenant, and then select Next. Make sure that the account used to sign in to your tenant has an Intune license assigned. Otherwise it fails with the error message: User not recognized.
2. Automatic enrollment: On the Enablement page, choose Automatic enrollment into Intune > Pilot or All. If choosing Pilot, select a device collection containing the devices. Note: Automatic enrollment isn't immediate for all clients. This behavior helps enrollment scale better for large environments. Configuration Manager randomizes enrollment based on the number of clients. For example, if your environment has 100,000 clients, when you enable this setting, enrollment occurs over several days.
3. Device groups: On the Workloads page, you can choose workloads for a pilot group or for full management with Intune. You can specify a device collection for each pilot group on the next page. Note: This isn’t required to enable co-management. You can proceed with the wizard and switch workloads over later at a time of your choosing.
4. Pilot collection: On the Staging page, select a device collection to be the pilot group of each individual workload. Verify your selections on the Summary page and complete the wizard to enable co-management.
Upgrade to Windows 10/11 current version: If you haven’t done so already, use the guidance found in phases 1 and 2 of this overview to help you get to the latest version of Windows 10/11 (although co-management requires version 1709 onward, we recommend upgrading to the latest version of Windows 10/11).
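The prerequisite checklist in 3a and the enrollment steps in 3b can be verified from the client itself. The following script is an added example, not code from the FastTrack guide: it reads the standard Windows locations (dsregcmd output, the MDM enrollment and auto-enrollment registry keys, the CcmExec service) and reports each check as pass or fail. The CoManagementFlags registry value under HKLM\SOFTWARE\Microsoft\CCM is an assumed location for the co-management state written by the Configuration Manager client.

```powershell
# Added example (not from the FastTrack guide): local readiness and
# post-enablement check for a Windows client that is being cloud-attached.
# Run in an elevated PowerShell session on the client.

function Get-DsregStatus {
    # dsregcmd /status prints "Name : Value" lines; parse them into a hashtable.
    $result = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

function Test-IntuneEnrollment {
    # Intune enrollments appear under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    # with ProviderID "MS DM Server".
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    if (-not (Test-Path $root)) { return $false }
    foreach ($key in Get-ChildItem $root -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty $key.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID -eq 'MS DM Server') { return $true }
    }
    return $false
}

function Test-CloudAttachReadiness {
    [CmdletBinding()]
    param(
        # Windows 10 1709 is build 16299, the minimum the guide names for co-management.
        [int]$MinimumBuild = 16299
    )
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $dsreg = Get-DsregStatus

    # Set by the "Enable automatic MDM enrollment using default Azure AD credentials" policy.
    $autoEnroll = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
        -Name AutoEnrollMDM -ErrorAction SilentlyContinue

    # Configuration Manager client service.
    $ccmExec = Get-Service -Name CcmExec -ErrorAction SilentlyContinue

    # Assumed location: non-zero CoManagementFlags means co-management is enabled on the client.
    $coMgmt = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' `
        -Name CoManagementFlags -ErrorAction SilentlyContinue

    $checks = [ordered]@{
        'OS build >= 1709 (16299)'     = ([int]$os.BuildNumber -ge $MinimumBuild)
        'Domain joined'                = ($dsreg['DomainJoined'] -eq 'YES')
        'Hybrid Azure AD joined'       = ($dsreg['DomainJoined'] -eq 'YES' -and $dsreg['AzureAdJoined'] -eq 'YES')
        'Azure AD PRT present'         = ($dsreg['AzureAdPrt'] -eq 'YES')
        'MDM auto-enrollment policy'   = ($autoEnroll.AutoEnrollMDM -eq 1)
        'Configuration Manager client' = ($null -ne $ccmExec -and $ccmExec.Status -eq 'Running')
        'Intune enrolled'              = (Test-IntuneEnrollment)
        'Co-management flags set'      = ([int]$coMgmt.CoManagementFlags -gt 0)
    }

    $report = foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
    }
    return $report
}

Test-CloudAttachReadiness | Format-Table -AutoSize
```

A device that passes the first five checks but not the last two has met the 3a prerequisites but has not yet been picked up by the randomized auto-enrollment described in 3b, which is expected for some days in large environments.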
3c
Windows Autopilot: Deploy Windows 10/11 devices using Autopilot to join into Azure AD and co-management
Windows Autopilot is a collection of technologies used to both set up and pre-configure new devices, as well as reset, repurpose, and recover devices with little to no infrastructure to manage, with a process that's easy and simple.

With Autopilot, a new device can be provisioned into a hybrid Azure AD-joined state, mobile device management (MDM)-enrolled into Intune, and have the Configuration Manager agent installed, leaving the device in the same state as your existing co-managed devices.

For more information, see: How to prepare internet-based devices for co-management and Tutorial: Enable co-management for new internet-based devices.

There are three different scenarios for using Windows Autopilot to get Windows 10/11 devices into a co-managed state:
• User-driven mode: For devices to be set up by a member of the organization and configured for that person.
• Self-deploying mode: For devices to be automatically configured for shared use, like a kiosk, or as a digital signage device.
• Reset: To re-deploy a device in a business-ready state.
Plan
• You can configure Azure AD custom branding to display your company’s imagery during the Windows Autopilot process.
• Use Intune and Windows Autopilot to set up the ability to hybrid Azure AD-join or Azure AD-join Windows 10/11 devices based on your business requirements.
• Set up Windows 10/11 Automatic Enrollment for devices based on your choice from above: hybrid Azure AD-join or Azure AD-join.
• If your organization requires hybrid Azure AD-joined devices, install the Intune Connector for Active Directory.
• Create and deploy the Configuration Manager Agent as an app in Intune (this step applies to both scenarios).
Configure
• Create profiles: For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it’s deployed.
• Create Windows Autopilot device groups: Once you’ve created deployment profiles, you’ll assign these profiles to device groups.
Deploy
• Register devices with the Windows Autopilot deployment service: Ideally this step is completed by whomever you purchased your devices from (like the original equipment manufacturer (OEM) or reseller) but can also be done by collecting the hardware IDs and uploading them to Intune.
• Assign a profile of settings to each device.
• Boot the device.
Monitor
• Once you’ve deployed devices using Windows Autopilot, you can choose to manage them in Intune and Configuration Manager.
3d
Enable Conditional Access to extend the security perimeter for Windows devices in your Zero-Trust network
Conditional Access is a perpetual-motion machine that ensures corporate resources are only accessed by trusted users on trusted devices and apps. It has been built from scratch in the cloud and, whether you’re managing devices with Intune or extending your Configuration Manager deployment with co-management, it works the same way. One of the great near-term benefits of cloud-attach with co-management is the ability to extend your security perimeter to the cloud for Windows 10/11, much like how you’re controlling access on iOS and Android with Intune today. Adding Conditional Access through Azure AD and Intune with co-management doesn’t require you to change anything about how you’re managing Windows today with Active Directory and Configuration Manager; it’s purely additive cloud value. Conditional Access is the foundational building block of how you can build a Zero-Trust network with Microsoft 365.

Configuring Conditional Access for co-managed devices:

1. Preparing your end users for the Conditional Access experience: Before enabling Conditional Access in your organization, you’ll need to understand what the end user experience will be across platforms and prepare them for the experience. While the experience is built to be intuitive and self-serviceable by the end user without additional IT help, it’s obviously good to understand what the experience will be before piloting. Here’s a good overview of both the admin and end user experiences with Conditional Access.

2. Configuring Azure AD and Intune for Conditional Access and compliance policies: Before turning on Conditional Access from Configuration Manager for either a pilot or production group, you’ll need to configure Conditional Access and compliance policies in Azure AD and Intune. Details on enabling Conditional Access are here and Windows 10-specific policies are here. Learn more about protecting email, Microsoft 365, and other services here. Additionally, the Conditional Access model for Windows 10 is integrated into threat signals from Microsoft Defender, which provides an additional layer of protection and trust for accessing key business resources.

3. Integrating Configuration Manager-managed apps into your Intune compliance policies: Organizations often require that a specific app is installed or that an app is on a specific version for both security and productivity reasons. For cloud-attached devices, the existence or version of an app managed and inventoried by Configuration Manager can be used as part of the Intune compliance policy and Conditional Access models. Using this, organizations can assure that their users have the most up-to-date app version before being allowed access to key resources. Learn more about implementing this rich addition to Conditional Access here.

4. Enabling cloud-based Conditional Access and compliance policies on co-managed PCs: Enabling Conditional Access on your cloud-attached, co-managed PCs is as simple as moving the workload in Configuration Manager (starting with a pilot group) and then moving to Production. Details on moving the compliance policy workload to Intune and enabling Conditional Access for your cloud-attached Windows 10 PCs can be found here.
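Step 2 and step 4 above describe piloting Conditional Access for co-managed Windows PCs. The following script is an added example, not code from the FastTrack guide: it builds a Conditional Access policy that requires a compliant Windows device, scoped to a pilot group and created in report-only mode so its effect can be observed before enforcement. It uses the Microsoft Graph PowerShell SDK (Connect-MgGraph and Invoke-MgGraphRequest); the group object ids are placeholders, and the emergency-access exclusion group is an assumption added as a standard safeguard.

```powershell
# Added example (not from the FastTrack guide): pilot Conditional Access policy
# for co-managed Windows devices, created in report-only mode first.
# Requires the Microsoft.Graph.Authentication module.

function New-CompliantDevicePilotPolicy {
    [CmdletBinding()]
    param(
        # Azure AD object id of the pilot device/user group (placeholder in the usage below).
        [Parameter(Mandatory)] [string]$PilotGroupId,
        # Assumption: a group holding emergency-access accounts that must never be locked out.
        [string]$EmergencyAccessGroupId,
        [string]$DisplayName = 'PILOT - Require compliant Windows device (report-only)',
        # Report-only lets you review sign-in impact before enforcing; switch to 'enabled' later.
        [ValidateSet('enabledForReportingButNotEnforced', 'enabled', 'disabled')]
        [string]$State = 'enabledForReportingButNotEnforced'
    )

    # Body in the Graph conditionalAccessPolicy schema.
    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users        = @{ includeGroups = @($PilotGroupId) }
            applications = @{ includeApplications = @('All') }
            platforms    = @{ includePlatforms = @('windows') }
        }
        grantControls = @{
            operator        = 'OR'
            builtInControls = @('compliantDevice')
        }
    }
    if ($EmergencyAccessGroupId) {
        $body.conditions.users.excludeGroups = @($EmergencyAccessGroupId)
    }
    return $body
}

function Publish-CompliantDevicePilotPolicy {
    param([Parameter(Mandatory)] [hashtable]$Policy)
    # Interactive sign-in with the scope needed to create Conditional Access policies.
    Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess' | Out-Null
    Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($Policy | ConvertTo-Json -Depth 10) `
        -ContentType 'application/json'
}

# Placeholder group ids; replace with your pilot and emergency-access groups.
$policy = New-CompliantDevicePilotPolicy `
    -PilotGroupId '00000000-0000-0000-0000-000000000000' `
    -EmergencyAccessGroupId '11111111-1111-1111-1111-111111111111'

# Review the JSON before publishing; uncomment the last line to create the policy.
$policy | ConvertTo-Json -Depth 10
# Publish-CompliantDevicePilotPolicy -Policy $policy
```

The policy only has an effect for devices whose compliance state is reported by Intune, which is why the compliance policy workload is moved for the pilot collection first, as step 4 describes.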
3e
Adopt cloud workloads as needed for your organization
The next stop in your journey is looking at the workloads you deliver from Configuration Manager and determining if there’s value in moving the control plane to the cloud using Intune. Workload transitions aren’t required; if you’re happy with how you’re managing them now you don’t have to change anything.

The value of workload transition also varies by organization. The key to being successful with workload transitions is analyzing what benefits you can get from a partial or full transition of each available workload. There’s no one-size-fits-all guidance here; it’s variable by each organization’s needs.

1. Analyze workloads that can be transitioned and assess value to your organization
Cloud-attach was built with the flexibility to individually move workloads per pilot group of users to test out the transition before committing to production. The workloads can easily be moved back if the transition to the cloud didn’t work out as planned. Here is a complete list of supported workloads in Intune. The strategy for prioritizing workloads should depend upon the needs of your organization.

2. Monitor co-management
After you enable co-management, you can monitor co-managed devices, including leveraging the co-management dashboard in Configuration Manager. The dashboard helps you review co-managed machines as well as identify devices that might need attention.

3. Check compliance for co-managed devices
Users can use Software Center to check the compliance of their co-managed Windows 10 devices regardless of whether Configuration Manager or Intune manages Conditional Access. Users can also check compliance by using the Company Portal app when Intune manages Conditional Access.

4. Next steps: Migrate any workloads (either partially through pilot or fully to production) as needed
Workloads can easily be moved to a pilot state before being moved to production and can easily be moved back. Try them out and see which ones work for your organization. Use the following resources to help you manage the workloads that you switch to Intune:
• Compliance policies
• Windows Update policies
• Resource access policies
• Endpoint protection
• Device configuration
• Office Click-to-Run apps
• Client apps
Cloud-only guidance

Cloud-only

Figure: Cloud-managed stages
4a Prepare your full cloud environment
4b Deploy Windows 10/11 devices using Windows Autopilot to join into Azure AD and co-management
4c Manage your Windows cloud environment
4a
Prepare your full cloud environment
For organizations not on Configuration Manager or ready to move to a full cloud model for both identity and management, Intune and Azure AD provide the foundational features to support that transition. Intune also provides enterprise features like security baselines, Administrative Template (ADMX) files, and rich Win32 app support for customers looking to make the full switch. Additionally, Conditional Access and compliance policies provide a cloud-centric security perimeter to control access to both on-premises and cloud services.

The next cloud-only stop to consider is removing the Active Directory domain-join tether and going with full Azure AD join for cloud management through Intune.

Update your Windows 10/11 provisioning process to Azure AD join through Autopilot. A best practice approach is to go directly to an Azure AD joined state, bypassing Active Directory domain join altogether.
Azure AD join is intended for organizations that want to be cloud-first or cloud-only. It provides you with single sign-on (SSO), enterprise compliant roaming, access to Windows Store for Business, Windows Hello, restriction of access, and seamless access to on-premises resources. Before you make the move to full cloud, there are some things you should keep in mind:
1. Automatic enrollment in Azure AD Premium: Automatic enrollment lets users enroll their Windows 10/11 devices in Intune. To enroll, users add their work account to their personally owned devices or join corporate-owned devices to Azure AD. In the background, the device registers and joins Azure AD. Once registered, the device is managed with Intune.
2. Security baselines: As you onboard Azure AD, we recommend that you implement an industry-standard configuration that’s broadly known and well-tested like Microsoft security baselines for Windows and Microsoft 365. These recommendations are aligned with Microsoft Secure Score as well as identity score in Azure AD and increase these scores for your organization. These recommendations also help you implement these five steps to securing your identity infrastructure.
3. Policies and settings for cloud management:
• Transform from Group Policy to MDM policies delivered through Intune: With ADMX and Windows security baselines, you can ensure you aren’t compromising the security of your devices as you move to Intune. You can use Microsoft Endpoint Manager Group Policy Analytics or the MDM Migration Analysis Tool (MMAT) to help you rationalize and compare what’s available in MDM policies relative to the Group Policies you currently use. For more granular control, you can leverage ADMX-backed policies, which are Group Policy administrative templates for Windows devices that can be accessed using the Policy configuration service provider (Policy CSP) and can be deployed using Intune. See Enable ADMX-backed policies in MDM for more information.
• Validate capabilities and prepare your apps in Intune: As you move workloads from Configuration Manager to pilot groups and add apps to Intune, you’ll need to validate capabilities in Intune. Keep in mind that once you move to Intune standalone, you’ll lose the functionality and capability of Configuration Manager.
4. Federated identity: You can leverage federated identity to persist traditional authentication (like NTLM and Kerberos) for Azure AD joined Windows 10 and Windows 11 clients. Pilot devices in an Azure AD joined configuration to identify early any issues for your organization. Keep in mind that in most federated environments, SSO works for both cloud-based and on-premises authentication.
4b
Windows Autopilot: Deploy Windows 10/11 devices using Autopilot to join into Azure AD and Intune
Windows Autopilot is a collection of technologies used to both set up and pre-configure new devices, as well as reset, repurpose, and recover devices with little-to-no infrastructure to manage with a process that's easy and simple.

Using Intune, Windows Autopilot enables locking the device until policies and settings are provisioned, thereby ensuring that by the time the user gets to it, the device is secured and configured correctly.

For more information, see: Enroll Windows devices in Intune by using the Windows Autopilot.

There are four different scenarios for deploying Autopilot including:
• User-driven mode: For devices that are set up by a member of the organization and configured for that person.
• Self-deploying mode: For devices that are automatically configured for shared use, like a kiosk or a digital signage device.
• Reset: To redeploy a device in a business-ready state.
• Existing devices: To deploy Windows 10 and Windows 11 on an existing Windows 7 or Windows 8.1 device (using Configuration Manager).
Plan
• You can configure Azure AD custom branding to display your company’s imagery during the Windows Autopilot process.
• Update your Windows 10/11 provisioning process to Azure AD join through Windows Autopilot.
• Before deploying to your live environment, we recommend you test Windows Autopilot out on a virtual machine using Hyper-V to ensure readiness.
Configure
• Create profiles: For each device that has been defined to the Windows Autopilot deployment service, a profile of settings needs to be applied that specifies the exact behavior of that device when it’s deployed.
• Create Windows Autopilot device groups: Once you’ve created deployment profiles, you’ll assign these profiles to device groups.
Deploy
• Register devices with the Windows Autopilot deployment service: Ideally this step is completed by whomever you purchased your devices from (like the OEM or reseller) but can also be done manually by collecting the hardware identity and uploading.
• Assign a profile of settings to each device.
• Boot the device.
Monitor
• Once you have deployed devices using Windows Autopilot, you can manage them in Intune.
• To manage devices through Microsoft Store for Business and Education, you'll need a CSV file that contains specific information about the devices. You should be able to get this from your Microsoft account contact or the store where you purchased the devices.
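Both the co-management scenario in 3c and the cloud-only scenario in 4b end with the same manual registration path: collecting the hardware identity from a device and uploading it to the Windows Autopilot deployment service. The following script is an added example, not code from the FastTrack guide and not the Get-WindowsAutopilotInfo script from the PowerShell Gallery: it reads the hardware hash from the MDM bridge WMI provider, writes the CSV in the three-column layout Intune accepts for manual upload, and validates the header row of an existing CSV before you upload it. Reading MDM_DevDetail_Ext01 requires an elevated session; the output path under $env:TEMP is an assumption.

```powershell
# Added example (not from the FastTrack guide): build and validate the Autopilot
# hardware-hash CSV for manual device registration. Run elevated on the device.

function Get-AutopilotDeviceRecord {
    # Serial number from the BIOS; Intune matches it against the hardware hash.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # The hardware hash is exposed through the MDM bridge WMI provider.
    $devDetail = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'" `
        -ErrorAction SilentlyContinue
    if (-not $devDetail) {
        throw 'Unable to read MDM_DevDetail_Ext01; run this in an elevated session.'
    }

    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''   # optional column; left blank for manual registration
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    }
}

function Export-AutopilotCsv {
    param(
        [Parameter(Mandatory)] [object[]]$Records,
        [Parameter(Mandatory)] [string]$Path
    )
    # Intune expects exactly these three columns and no quoted fields,
    # so the quotes ConvertTo-Csv adds are stripped before writing.
    $Records |
        Select-Object 'Device Serial Number', 'Windows Product ID', 'Hardware Hash' |
        ConvertTo-Csv -NoTypeInformation |
        ForEach-Object { $_ -replace '"', '' } |
        Set-Content -Path $Path -Encoding ASCII
}

function Test-AutopilotCsv {
    # Checks the header row and that every data row has a serial and a hash,
    # which is the usual reason a manual upload is rejected.
    param([Parameter(Mandatory)] [string]$Path)
    $expectedHeader = 'Device Serial Number,Windows Product ID,Hardware Hash'
    $lines = Get-Content -Path $Path
    if ($lines.Count -lt 2 -or $lines[0] -ne $expectedHeader) { return $false }
    foreach ($row in $lines[1..($lines.Count - 1)]) {
        $fields = $row -split ','
        if ($fields.Count -ne 3) { return $false }
        if ([string]::IsNullOrWhiteSpace($fields[0]) -or
            [string]::IsNullOrWhiteSpace($fields[2])) { return $false }
    }
    return $true
}

# Assumed output path; several devices' records can be merged into one CSV before upload.
$csvPath = Join-Path $env:TEMP 'AutopilotHWID.csv'
Export-AutopilotCsv -Records @(Get-AutopilotDeviceRecord) -Path $csvPath
if (Test-AutopilotCsv -Path $csvPath) {
    Write-Host "Ready to upload: $csvPath"
} else {
    Write-Warning "CSV at $csvPath does not match the expected Autopilot layout."
}
```

Treat the resulting file as sensitive: the hardware hash is what binds a device to your tenant's Autopilot profile, so it should move from the device to the Intune upload over a controlled channel rather than through shared mailboxes or chat.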
4c
Manage your cloud environment
For organizations not using Configuration Manager or ready to move to a full cloud model for both identity and management, Intune and Azure AD provide the foundational features to support that transition.

The identity foundations through Azure AD were covered in the previous section, and Intune has added enterprise features like security baselines, ADMX, and rich Win32 app support for customers looking to make the full switch.

In order to effectively manage your cloud-only environment, there are some key concepts and tools you’ll need to understand going forward:
• Windows as a Service (WaaS): In order to manage your devices from the cloud, you’ll need to understand the WaaS model including Overview of update channels for Microsoft 365 Apps and phased deployment of updates. Like collections in Configuration Manager, Intune provides you with the option to create deployment rings.
• Windows Update for Business (WUfB): When deploying updates from the cloud, you’ll now leverage WUfB, which controls how and when your Windows 10/11 devices are updated. WUfB allows for the creation of deployment rings, inclusion and exclusion of drivers, integration with existing management tools, peer-to-peer delivery of updates, and control over diagnostic-level data.
• User communications and training: As you transition your users to the modern experience, it’s important that you inform and prepare your users across both Windows and Microsoft 365. To help minimize the risk associated with the changes in user experience, we recommend proactive communication to your users and use of deployment rings to control the rate of deployment.
• Transition to the Microsoft 365 security stack: The final step in moving to the full Modern Workplace on the Microsoft 365 solution is transitioning to Microsoft’s security solution, Microsoft Defender for Endpoint, which includes attack surface reduction, endpoint detection and response, automated investigation and remediation, Secure Score, and advanced hunting, all delivered from cloud to client through Microsoft’s security stack.

Managing and deploying Win32 apps from Intune: Intune has added native support for Win32 app delivery and management, which supports the foundational needs of many organizations and their Win32 app estates. Additionally, you can pilot Win32 app delivery in a co-management configuration to further validate that this app management model works for your organization’s app estate.
