Forum Discussion
Hybrid Autopilot as a Transition Strategy Toward Cloud-Native Endpoint Deployment
Thanks for sharing this. I agree the long-term direction is clearly toward Entra ID–only provisioning, and Autopilot v2 reflects that.
Hybrid join is not the target architecture, but in many large enterprise environments it is still a practical transition step when moving directly to Entra join is not immediately feasible.
That is exactly why I wanted to share this perspective. Hybrid Autopilot is not the destination, but it is also not “legacy” in the context of staged modernization journeys.
DerekMorgan2, May 11, 2026, Brass Contributor
christiandominguezjp, the "controlled stepping stone" framing matches how I run these programs too, and Microsoft's own positioning has landed in the same place.
The Learn page for Hybrid Autopilot now opens with a direct line: deploying new devices as Entra hybrid joined isn't recommended, including through Autopilot (learn.microsoft.com/en-us/autopilot/windows-autopilot-hybrid). It's still fully supported, and the direction is set.
A few things that make the cloud-native side genuinely viable for large enterprise rollouts now:
- Autopilot device preparation (Autopilot v2) is Entra-only by design. That tells you where new tooling investment is going.
- Cloud Kerberos Trust covers most on-prem file share and Kerberos line-of-business scenarios from Entra-joined devices, with documented caveats on high-privilege accounts and RDP/RemoteApp SSO.
- Microsoft Entra Private Access ships a Private Access Sensor that applies Conditional Access policy to Kerberos pre-auth on the DC. Useful for the "we still need VPN" objection.
- Group Policy analytics + Settings Catalog in Intune lets you phase out GPOs systematically through the migration wave.
Your country-based tagging and OEM hardware-hash pre-registration pattern applies just as cleanly to Entra-only deployments. Same Zero Trust posture, less complexity.
Given your global-rollout experience and the pre-registration model you've already built, what's holding you back from piloting a wave of cloud-native Entra-joined endpoints in one region as the next step? Curious which dependency is the deciding factor in your environment.
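One concrete way to answer the pilot-wave question above is to run a readiness check on each candidate device before it enters the Entra-only wave. The following PowerShell script is an added example and is not part of this thread or of any Microsoft tooling: it confirms the device is Entra-joined (and not domain-joined), that the documented Cloud Kerberos Trust policy values are in place, and that the current user has actually been issued a cloud TGT. The registry paths and value names are the documented policy locations; the function names, the `KERBEROS.MICROSOFTONLINE.COM` realm-string match used as evidence of a cloud TGT, and the PASS/FAIL report shape are this example's own assumptions.

```powershell
# Added example (not from the forum thread): pre-pilot readiness check for a
# cloud-native Entra-joined endpoint that must still reach on-prem Kerberos
# resources through Cloud Kerberos Trust. Run in an elevated session of the
# signed-in user on the candidate device.
# Registry paths/value names are the documented policy locations; the realm
# string match and the report format are assumptions made for this example.

function Get-DsregStatus {
    # Parse "Key : Value" lines from dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1].Trim()] = $Matches[2]
        }
    }
    return $status
}

function Test-CloudKerberosReadiness {
    $s = Get-DsregStatus
    $checks = [ordered]@{}

    # 1. Join state: a cloud-native device is Entra-joined and NOT domain-joined.
    $checks['EntraJoined']     = ($s['AzureAdJoined'] -eq 'YES')
    $checks['NotDomainJoined'] = ($s['DomainJoined'] -eq 'NO')

    # 2. Kerberos policy "Allow retrieving the Azure AD Kerberos Ticket Granting
    #    Ticket during logon" (needed for password users on Entra-joined devices).
    $kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $tgt = Get-ItemProperty -Path $kerbParams -Name CloudKerberosTicketRetrievalEnabled `
                            -ErrorAction SilentlyContinue
    $checks['CloudTgtRetrievalEnabled'] = ($tgt.CloudKerberosTicketRetrievalEnabled -eq 1)

    # 3. Windows Hello for Business cloud trust policy, keyed by tenant ID.
    $tenantId = $s['TenantId']
    $whfb = "HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork\$tenantId\Policies"
    $ct = Get-ItemProperty -Path $whfb -Name UseCloudTrustForOnPremAuth `
                           -ErrorAction SilentlyContinue
    $checks['WhfbCloudTrustPolicy'] = ($ct.UseCloudTrustForOnPremAuth -eq 1)

    # 4. Evidence that a cloud TGT was issued to the current user.
    #    Assumption: the cloud TGT shows up in klist under this realm.
    $klist = (& klist.exe) -join "`n"
    $checks['CloudTgtPresent'] = ($klist -match 'KERBEROS\.MICROSOFTONLINE\.COM')

    return $checks
}

$result = Test-CloudKerberosReadiness
$result.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
# Non-zero exit lets this double as an Intune detection script for the wave.
if ($result.Values -contains $false) { exit 1 } else { exit 0 }
```

Run it in the signed-in user's session rather than as SYSTEM, since `klist` reads the calling user's ticket cache; a device that fails the join-state checks is not a Cloud Kerberos Trust problem at all and should be triaged separately from one that is Entra-joined but missing the policy values.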