
On-premises Active Directory to Microsoft Intune and Autopilot migration for a US company

  • 0 on-premises domain controllers remaining
  • Autopilot: zero-touch provisioning
  • Intune: all devices cloud-managed

Services: Cloud Solutions, Infrastructure & Networking, Managed IT Services

The Challenge

A US company was running on a single ageing on-premises Active Directory domain controller: old server hardware approaching end of support, no offsite redundancy, and a growing number of remote staff who struggled to access resources tied to the office network. Group Policy had accumulated years of inconsistent configurations, with many GPOs no longer applying to the devices they targeted. The business had adopted Microsoft 365 but device management had never moved to the cloud. The domain controller was a single point of failure the business had been tolerating for too long, and a hardware failure would have taken the entire environment with it.

Our Approach

BPro IT began with a full Active Directory audit covering active user accounts, security group memberships, all applied Group Policy Objects, and legacy application dependencies. Every GPO was mapped to its Microsoft Intune Configuration Profile equivalent before any migration work began, confirming cloud policy coverage on paper first. Microsoft Entra Connect Sync was configured as a bridge during the transition, synchronising identities to Entra ID while existing devices were progressively migrated. New and replacement devices were enrolled directly through Windows Autopilot: provisioning profiles configured, Enrollment Status Page tuned to apply all compliance and configuration policies before handing the device to the user. Existing in-service machines were migrated to Intune management during scheduled maintenance windows. Conditional Access policies were configured to require MFA for all cloud resource access and to block legacy authentication protocols entirely. Windows Update rings were established in Intune with a staged rollout: a pilot group deferring quality updates by seven days for validation, followed by broad deployment with a thirty-day deferral window. Once all devices were confirmed enrolled, compliant, and operating under cloud-managed policy, the on-premises domain controller was decommissioned.
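The Conditional Access and Windows Update ring configuration described above can be expressed as a repeatable script rather than a set of portal clicks. The following is an added example, not BPro IT's own tooling and not code from the case study; it assumes the Microsoft Graph PowerShell SDK (`Microsoft.Graph` module) and uses placeholder group IDs that you would replace with the object IDs from your own tenant. It creates the "require MFA everywhere" and "block legacy authentication" policies in report-only state first, excludes a break-glass group (an assumption, but standard practice) so a mistake cannot lock out every administrator, and then builds the seven-day pilot and thirty-day broad quality-update rings from the approach above.

```powershell
# Added example (not BPro IT's scripts): reproduces the Conditional Access
# policies and staged Windows Update rings from the case study using the
# Microsoft Graph PowerShell SDK. Group IDs below are placeholders.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "DeviceManagementConfiguration.ReadWrite.All"

# Placeholders (assumptions): replace with real group object IDs from your tenant.
$BreakGlassGroupId = "<break-glass-admins-group-id>"   # excluded from both CA policies
$PilotGroupId      = "<pilot-devices-group-id>"
$BroadGroupId      = "<all-devices-group-id>"

# --- Conditional Access -----------------------------------------------------
# Both policies start in report-only mode so the sign-in log can be reviewed
# for unexpected blocks before the state is switched to "enabled".

$requireMfa = @{
    displayName   = "CA01 - Require MFA for all cloud apps"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

$blockLegacy = @{
    displayName   = "CA02 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        # Legacy (basic-auth) clients are reported under these two client app types.
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($requireMfa, $blockLegacy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created CA policy '$($created.DisplayName)' in state $($created.State)"
}

# --- Windows Update rings ---------------------------------------------------
function New-UpdateRing {
    param(
        [string]$Name,
        [int]$QualityDeferralDays,    # quality (monthly) update deferral, 0-30 days
        [string]$AssignToGroupId
    )
    $ring = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = $Name
        qualityUpdatesDeferralPeriodInDays = $QualityDeferralDays
        featureUpdatesDeferralPeriodInDays = 0
        automaticUpdateMode                = "autoInstallAtMaintenanceTime"
        microsoftUpdateServiceAllowed      = $true
    }
    $config = New-MgDeviceManagementDeviceConfiguration -BodyParameter $ring

    # Assign the ring to its device group; without an assignment the profile does nothing.
    $assignment = @{
        target = @{
            "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
            groupId       = $AssignToGroupId
        }
    }
    New-MgDeviceManagementDeviceConfigurationAssignment -DeviceConfigurationId $config.Id -BodyParameter $assignment | Out-Null
    return $config
}

# Pilot ring defers quality updates 7 days; broad ring defers 30 days, as in the case study.
$pilot = New-UpdateRing -Name "Update ring - Pilot" -QualityDeferralDays 7  -AssignToGroupId $PilotGroupId
$broad = New-UpdateRing -Name "Update ring - Broad" -QualityDeferralDays 30 -AssignToGroupId $BroadGroupId

# --- Verification -----------------------------------------------------------
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
Get-MgDeviceManagementDeviceConfiguration |
    Where-Object { $_.DisplayName -like "Update ring*" } |
    Select-Object DisplayName, Id
```

Run the verification block, then review the report-only results in the Entra sign-in logs for a few days before updating each policy's `state` to `enabled` with `Update-MgIdentityConditionalAccessPolicy`; the break-glass exclusion should stay in place even after the policies are enforced, and those accounts should be monitored separately for any sign-in.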

The Outcome

The on-premises domain controller was decommissioned at project close with no remaining on-premises identity dependency. All devices are enrolled in Intune with enforced compliance policies. Windows Autopilot handles zero-touch provisioning for any new or replacement hardware going forward. Remote staff access Microsoft 365 and company resources directly through Entra ID without requiring VPN or office connectivity. Staged Windows Update rings are in place to validate patches before broad rollout.

  • On-premises domain controller decommissioned at project close
  • All devices enrolled in Intune with enforced compliance policies
  • Windows Autopilot live for zero-touch provisioning on new hardware
  • Conditional Access enforcing MFA and blocking legacy authentication
  • Staged Windows Update rings configured to validate patches before broad rollout
Service used: Cloud Solutions
