ASD's Blueprint for Secure Cloud

Windows Management

This section describes the design decisions associated with management of Windows 10 and 11 endpoints configured according to guidance in ASD's Blueprint for Secure Cloud.

Estimated reading time: 5 minutes

Windows 10 and 11 can be managed via Intune or Microsoft Endpoint Configuration Manager (MECM), or a combination of both. The configuration of Windows management will depend upon which technologies are available to organisations and whether a hybrid deployment is required.

Windows management options will be based on either a deployment which is cloud native or hybrid. This section provides detailed information on the different configuration options for Windows management.

Cloud native deployments provides the organisation the immediate benefits of working with Intune and Windows Autopilot while also integrating directly with other cloud services including Microsoft 365 and Azure Active Directory (AAD). Using Intune will simplify the overall deployment and management of Windows to a single console which is also shared with the mobile device management of iOS devices.

Hybrid deployments give the option of co-management which enables the organisation to manage Windows by using both MECM and Intune. Enabling co-management within MECM allows the organisation to utilise their investment in MECM and take advantage of additional cloud capabilities. This gives the organisation additional flexibility to use the technology solution that works best for them and facilitates a more gradual move to cloud native as the organisation can pilot test various workloads in Intune first.

Hybrid deployments can choose to enable MECM or Intune for client management depending on the cloud maturity level of the organisation or operational requirements. It is not a requirement of organisations undertaking hybrid implementations to use MECM. The Blueprint provides guidance on integration between MECM and Intune for hybrid deployments however organisations with existing infrastructure may alternatively elect to migrate device management from MECM to Intune, which will not affect cyber security postures.

Management methods that can be used to manage Windows in a Microsoft 365 environment.

Microsoft 365 ImplementationMECM ImplementationManagement Method for WindowsBenefits
Cloud nativeMECM is not possible with cloud nativeIntuneNo on-premises infrastructure required for management. Well suited for Microsoft Entra ID joined workstations for a full cloud solution.
Hybrid with Intune managementSuitable for:
* No MECM or
* MECM with co-management enabled and Workloads set to Intune
IntuneExisting on-premises MECM infrastructure with Hybrid Microsoft Entra ID joined workstation. Well suited for an organisation that does not have MECM or does not want to use MECM to manage workstations.
Hybrid with MECM managementMECM with co-management enabled and Workloads set to MECMMECMExisting on-premises MECM infrastructure with Hybrid Microsoft Entra ID joined workstations. Well suited for an organisation that has a significant investment in MECM and requires a more gradual migration to Intune. Individual Workloads can be targeted and pilot-tested in Intune.

With co-management enabled, the organisation can choose which workloads remain on-premises and which workloads are offloaded to Intune. The workloads are:

  • Compliance Policies – Compliance policies define the rules and settings that a device must comply with to be considered compliant by conditional access policies. Compliance policies will also monitor and remediate compliance issues with devices.
  • Device Configuration – The device configuration workload includes settings that are managed for devices in the organisation. Switching this workload also moves the Endpoint Protection and Resource Access workloads.
  • Endpoint Protection – The Endpoint Protection workload includes the Windows Defender suite of antimalware protection features including Defender Advanced Threat Protection.
  • Resource Access Policies – Resource access policies configure VPN, Wi-Fi, email, and certificate settings on devices.
  • Client Apps – Use Intune to manage client apps and PowerShell scripts on co-managed Windows devices. After transitioning this workload, any available apps deployed from Intune will be available in the Company Portal. Apps that are deployed from Configuration Manager are available in Software Centre.
  • Office Click-to-Run Apps – This workload manages Office 365 apps on co-managed devices.
  • Windows Update Policies – Windows Update for Business policies allow deferral policies for Windows feature updates or quality updates for Windows devices managed directly by Windows Update for Business.

With co-management disabled and no cloud integration, the organisation will rely on on-premises management of the Windows workstations. These could include utilising MECM task sequencing, MECM Compliance and Endpoint Protection policies, various scripting methods and Group Policy Preferences.

There are many benefits to going cloud native or hybrid co-management utilising workloads weighted to Intune. The workstations can be managed from any internet-connected location whether that be in the office or a remote location (home, client site etc).

Cloud native deployments

Hybrid deployments

Security & Governance



  • None identified


  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra