ControlUp Migrate for Windows 365: Free Azure to Cloud PC migration tool

ControlUp’s new migration utility promises to convert what has often been a slow, error-prone Azure desktop migration into an automated, governed pipeline — and it is being offered at no charge to organizations that want to move Azure Virtual Desktop (AVD) or other Azure VMs into Windows 365 Cloud PCs. The announcement frames the product as a labor- and risk-reduction tool that performs disk-level compatibility checks, orchestrates snapshot uploads using Microsoft’s Windows 365 migration API, and re-integrates resulting Cloud PCs into ControlUp’s Digital Employee Experience (DEX) management plane.

Background​

Many enterprise customers have built Azure-hosted desktop estates over the past decade using Azure Virtual Desktop or general-purpose Azure VMs. As Windows 365 adoption increases, IT teams are re-evaluating whether to standardize on Cloud PCs for personal, persistent desktops rather than continuing to operate AVD collections or bespoke Azure VM fleets. Microsoft exposed a migration path — a snapshot-based import model surfaced through the Windows 365 migration API — to ease that transition, but the API comes with strict technical rules and operational steps that commonly trip teams up. ControlUp’s new offering positions itself as an automation layer over that migration path, reducing manual imaging work, surfacing compatibility issues earlier, and integrating the targets back into an existing DEX toolset.

What ControlUp announced​

ControlUp launched “ControlUp Migrate for Windows 365,” a free tool intended to automate the end‑to‑end process of converting Azure-hosted OS disks into Windows 365 Cloud PCs. The company says the product:

• Runs pre-migration compatibility validation directly on VM disks to check for things such as fixed-VHD format, Gen2 VM generation, Windows 10+ OS version, and the presence of incompatible third‑party agents.
• Orchestrates snapshot creation, page-blob uploads to customer-owned Azure Storage via SAS URIs, and Cloud PC creation via the Windows 365 migration API and Microsoft Graph.
• Integrates provisioned Cloud PCs back into an organization’s ControlUp environment so monitoring, alerts, and remediation workflows remain intact.

ControlUp framed the release as a way to reduce the typical manual labor of image conversion and packaging, speed time-to-production, and lower the failure rates of desktop migration projects. Microsoft’s Windows 365 product group is quoted as supportive of the partner-built solution, describing partner tools as part of the migration ecosystem.

---

Why this matters: the operational problem being solved​

Migrating an enterprise desktop fleet is not just a systems task; it is a program with cross-team dependencies. Manual image conversion workflows typically include:

• Verifying OS and driver compatibility across thousands of unique images.
• Removing or replacing endpoint agents that interfere with provisioning.
• Converting disk formats (VHDX → fixed VHD) or rebuilding Gen1 images into Gen2 where needed.
• Packaging OS-only disks and ensuring the infrastructure can accept and provision them into Cloud PCs.

These manual touchpoints consume engineering hours, increase the risk of failed imports, and often lead teams to delay migration projects or adopt conservative, staged approaches that take months. ControlUp’s automation directly targets those pain points by codifying checks and orchestration steps into a single workflow that maps to Microsoft’s documented migration model.

How the migration workflow works (technical breakdown)​

The product builds on Microsoft’s documented snapshot-based import flow. Key technical stages are:

• Discovery and selection — The tool identifies candidate VMs: AVD personal desktop instances, standalone Azure VMs, or curated custom images.
• Disk-level validation — Before any snapshot is taken, the tool inspects the OS disk to validate format (fixed VHD), VM generation (Gen2), OS compatibility (Windows 10+), and agent health. This disk-level pre-validation is the claim ControlUp emphasizes as a differentiator.
• Snapshot and upload — If validation passes, the tool orchestrates a snapshot and uploads the VHD page blob to a customer-owned Azure Storage account, exposing it via a secure SAS URI as required by the Windows 365 import pipeline.
• Provisioning via Graph / Migration API — The tool calls Microsoft Graph/Windows 365 migration endpoints to create the target Cloud PC for the specified user and policy, monitoring Graph provisioning status and error messages.
• Post-provision integration — Newly provisioned Cloud PCs are automatically added to the customer’s ControlUp organization for monitoring, alerting, and lifecycle management.

This sequence mirrors Microsoft’s published requirements while abstracting the operational orchestration into a guided, repeatable flow. The key technical dependencies are the Windows 365 migration API, Azure Storage access patterns (SAS URIs or managed identity), and tenant-level Graph permissions for the migrating application.

---

Verified prerequisites and limitations​

The Windows 365 migration API and ControlUp’s support documentation make several non-negotiable requirements explicit. These are important for planning and change control:

• Fixed-format VHD only; VHDX and dynamically expanding disks are unsupported without conversion.
• Generation 2 (Gen2) virtual machines are required to import images for Windows 11 compatibility; Gen1 images must be converted to a Gen2-compliant image before use.
• Only OS disks are supported; data disks and attached peripherals are excluded from the snapshot import path. Migration of user data therefore requires a separate plan.
• Azure VM agent must be healthy and responsive; certain third‑party agents must be removed prior to snapshot creation.
• Tenant-level application permissions and admin consent are required (for example, Directory.ReadWrite.All, CloudPC.ReadWrite.All, User.Read.All), and the service principal must be granted at least Reader role on the subscription containing the source VMs.

ControlUp explicitly marks this capability as beta in its documentation and urges pilots before large-scale projects. That beta status is operationally meaningful: API behavior, error handling, and UI workflows may evolve as both Microsoft and partners mature the migration experience.

---

Benefits — what IT teams stand to gain​

ControlUp’s automation promises concrete operational advantages when the prerequisites align with fleet realities:

• Time savings and predictable throughput: By automating discovery, validation, and provisioning, teams can migrate many images in parallel and compress timelines that previously required hands-on image rework.
• Lower failure rates: Disk-level validation and agent detection reduce trial-and-error import failures, lowering re-work and support escalations during migration waves.
• Preservation of operational tooling and SLAs: Cloud PCs are integrated back into the ControlUp DEX platform, preserving existing monitoring, alerting, and remediation processes without forcing a fork in operations.
• No software acquisition cost for the tool itself: ControlUp states the migration utility will be available free to both customers and non‑customers, removing an immediate licensing hurdle for trials and pilots.

These benefits are strongest when the target environment already conforms closely to Microsoft’s supported migration model, and where ControlUp is already part of the IT toolchain.

---

Costs and hidden operational impacts​

The tool is free, but migration programs carry real costs. Important cost factors to budget and plan for include:

• Azure compute and storage costs — snapshot creation, temporary page blob storage, and repeated uploads for failed attempts consume billable Azure resources.
• License costs — each resulting Cloud PC requires a Windows 365 Enterprise license; licensing must be procured and assigned for each migrated user.
• Engineering and admin time — pre-migration cleanup work (third‑party agent removal, disk conversions, OS updates) can be substantial and often requires subject-matter resources across endpoint, app, and security teams.
• Support and SLA considerations — beta-grade tooling may require additional internal support, testing, and contingency plans to meet business SLAs.

Enterprises should treat the free tool as a catalyst to reduce labor hours, but not as a replacement for investment in pilot automation, governance, and cloud run-rate modeling.

---

Security, governance, and compliance considerations​

Automating tenant-level operations introduces several governance challenges that must be planned and mitigated:

• Elevated Graph permissions and admin consent — The migration app needs high-privilege Graph scopes to create Cloud PCs and manage users. These must be governed via approval workflows, limited-lifetime credentials, managed identities where possible, and conditional access.
• Service principal lifecycle and secrets — Use short-lived client secrets, certificate-based credentialing, or managed identity patterns to avoid long-lived secrets. Monitor and rotate credentials as part of the migration runbook.
• Storage access and SAS tokens — Page blobs must be secured with tightly-scoped SAS URIs and short lifetimes; operations teams must log and audit access to storage containers to support compliance and data residency obligations.
• Data exclusion and eDiscovery — Since only OS disks are imported, user data and certain application artifacts will not be preserved by the snapshot import. Migrations that must maintain eDiscovery, retention, or legal hold constraints require separate processes to extract and restore user files.

A governance checklist and explicit approvals are essential before granting the tool the permissions needed to operate at scale.

---

Risks and caveats — where the automation may not be a silver bullet​

ControlUp’s offering is pragmatic, but it is not without constraints:

• Strict Microsoft constraints — Fleet heterogeneity is the primary blocker: Gen1 VMs, VHDX/dynamic disks, machines with attached data disks, or VMs with stubborn third‑party agents will require conversion or rebuilds. Those conversions can be significant projects in their own right.
• Beta maturity — Parts of ControlUp’s migration experience are still in beta; enterprises should expect UI and API behavior to shift and plan pilots accordingly.
• No automated data-disk migration — The tool won’t move user data attached to secondary disks, so a comprehensive migration must account for file sync, OneDrive/FSLogix strategies, or separate data migration tooling.
• Over-privileged service principals — If admin consent and broad Graph scopes are granted without compensating controls, the tenant exposure surface increases; enterprises must enforce least privilege where possible.
• Hidden cloud costs — Repeated snapshot uploads, temporary storage charges, and provisioned Cloud PC runtime hours can add up if pilots are not carefully instrumented and optimized.

These risk factors argue for a structured pilot, detailed runbooks, and cross-functional readiness reviews before a widespread cutover.

---

Practical rollout playbook — recommended steps for IT teams​

• Inventory and classify your estate
• Create a granular inventory of candidate VMs (Gen1 vs Gen2, VHD vs VHDX vs dynamic, installed agents, attached data disks, OS build).
• Define pilot cohorts
• Select a representative pilot group that captures edge cases: one business-critical user, one standard knowledge worker, and one legacy image with known agent dependencies.
• Prepare tenant and permissions
• Register a migration application in Azure AD, grant required Graph application permissions, obtain admin consent, and assign Reader role to the app’s service principal on the source subscription.
• Secure storage and SAS patterns
• Provision customer-owned Azure Storage for page blobs, create short-lived SAS tokens, and validate cross-subscription access if needed.
• Run disk-level scans and resolve blockers
• Use ControlUp’s pre-validation to detect agent conflicts, format issues, or OS compatibility problems and resolve them before snapshot attempts.
• Execute a small pilot and measure everything
• Track provisioning success rates, time per migrated image, Azure costs for snapshot/upload operations, and end-user experience metrics once Cloud PCs are provisioned.
• Iterate, automate remediation, and scale in waves
• Build remediation automation for common failures (agent uninstall scripts, fixed-VHD conversion pipelines) and scale the migration in controlled waves while monitoring cost and support loads.

This playbook balances speed with control and is grounded in the documented technical requirements and practical constraints imposed by Microsoft’s migration API.

---

Alternatives and complementary approaches​

ControlUp’s automation is one of several migration patterns organizations can adopt:

• Native DIY with Microsoft Graph — Build custom scripts and automation that call the Windows 365 migration API. This offers maximum control but higher engineering overhead.
• Rebuild and reprovision — Create clean Cloud PC images and use profile/data migration strategies (OneDrive, FSLogix, or third-party tools) to recreate user environments. This avoids snapshot constraints but increases application packaging work.
• Partner or managed services — Engage ISVs or managed service providers that offer full-service migration, including agent remediation, app packaging, and end-user support.

Choosing a path depends on risk appetite, engineering capacity, licensing timelines, and the heterogeneity of the current VM estate.

---

Final assessment — where ControlUp fits and how organizations should treat the tool​

ControlUp Migrate for Windows 365 addresses a real operational gap: turning a multi-step manual migration into a repeatable, API-driven pipeline that surfaces compatibility issues early and integrates the results into an existing management fabric. For organizations already invested in ControlUp for monitoring and DEX, the integration benefits and the reduction in manual imaging work are meaningful immediate wins. The fact the tool is available free lowers the barrier to trial and pilot. However, the tool is not a magic bullet. Microsoft’s migration model enforces technical constraints that remain the most common blockers in migration projects. The missing pieces — disk conversions, secondary data migration, and governance for tenant-level permissions — require disciplined planning and investment. Enterprises should therefore treat ControlUp’s tool as a catalytic accelerator that reduces operational friction where the estate already aligns with migration prerequisites, not as a single-step solution for every migration scenario.

---

Conclusion​

ControlUp’s announcement is significant because it pairs a practical automation solution with Microsoft’s sanctioned migration pathway, and because the vendor has chosen to offer the tool free to the market. The combination of disk-level validation, snapshot orchestration, and reintegration into a DEX platform will likely speed successful migrations where prerequisites are met. Yet the hard realities of heterogeneous VM estates, tenant governance, and cloud consumption costs remain unchanged. The most sensible approach for enterprises is a staged program: inventory, pilot, remediate, and scale — using ControlUp’s automation to remove repetitive work and Microsoft’s migration API to ensure a supported provisioning path. Treat the tool as an enabler that reduces friction, but continue to plan for conversion work, data migration, and governance controls that the automation cannot and must not bypass.

---

Source: IT Brief UK ControlUp launches tool to speed Azure to Windows 365 move