GOL Airlines Modernizes Airport Endpoints with Intune, Entra ID, and Autopilot

On July 2, 2026, Microsoft published a customer story detailing how Brazil’s GOL Airlines moved airport device management to Microsoft Intune, Microsoft Entra ID, and Windows Autopilot across 84 operational bases. The case study is not just another cloud-migration victory lap. It is a useful snapshot of where enterprise endpoint management is heading when the endpoint sits at a boarding gate, not on a corporate desk. For airlines, the modern workplace is not a laptop in a hybrid office; it is a fragile chain of counters, tablets, shared workstations, identity prompts, biometric sign-ins, radio calls, and operational systems that have to behave as if failure is not an option.

GOL’s Real Upgrade Wasn’t the Cloud — It Was Removing Distance

The central problem GOL faced was not unusual for a large distributed enterprise: too many devices, too many sites, too much manual intervention, and too much dependence on network paths that were never designed for constant operational urgency. What makes the airline example sharper is the consequence of failure. A broken workstation at a remote office is an annoyance; a broken workstation at an airport counter can become a line, a missed boarding window, and then a delayed flight.
GOL operates across 84 bases, with more than 16,000 employees and about 11,000 devices spanning airport gates, cockpits, maintenance operations, check-in counters, stores, and administrative teams. Before the modernization effort, software updates could take weeks to reach the full fleet, airport system updates could drag across months, and devices that missed VPN connectivity could fall behind on security baselines. The old model assumed that physical distance could be managed with enough process. The new model assumes distance should be designed out.
That is why Intune and Entra ID matter here less as brand names than as architectural choices. Cloud device management means the airline no longer has to treat every airport as a miniature IT island. Identity, policy, provisioning, and support can follow the device and user through the internet rather than waiting for a technician, a local network, or a VPN session to line up perfectly.
The airline’s reported improvements are striking: full software fleet updates reduced from three months to three days, critical airport updates reduced from 45 days to three days, help desk tickets down 20 percent, team efficiency up 30 percent, provisioning time cut in half, and outages that once lasted more than a day resolved in as little as 10 minutes. Those are vendor-supplied figures, so they deserve the usual caution. But even with that caveat, the direction of travel is clear: endpoint modernization is becoming operational modernization.

The Airport Counter Is the Harshest Test of Endpoint Management

Most corporate endpoint stories are told through the language of knowledge work: laptops, remote employees, conditional access, productivity suites, and policy compliance. GOL’s environment is different. Airport IT is messy, shared, time-sensitive, and physically distributed. Devices are touched by rotating crews. Shifts change. Counters open and close. Tablets move through gates. A workstation may be mission-critical for a few intense hours and then become someone else’s starting point.
That is a brutal test for a management platform because it exposes every assumption hidden inside a tidy corporate architecture. If the device requires a local technician, the architecture is too slow. If the update process requires a maintenance window that does not fit flight operations, the process is too fragile. If user identity is shared casually across shifts, the security model is too soft. If operational data refreshes once a day, the business is being asked to fly with yesterday’s picture.
Microsoft’s customer story emphasizes that GOL used Intune and Entra ID Shared Device Mode to support shared airport workstations running tools such as Outlook and Teams across rotating frontline shifts. That detail is more important than it sounds. Shared devices are where good identity theory often goes to die, because the real world pressures people toward convenience. If the system makes sign-in painful, crews will find shortcuts. If the system makes accountability impossible, administrators lose visibility.
The promise of a shared-device model is that each employee can have an individual session without turning every shift change into a mini help-desk event. For airlines, hospitals, warehouses, retail stores, and factories, that balance matters. The endpoint is not personal in the white-collar sense, but accountability still has to be personal.

VPN Was the Bottleneck Masquerading as Security

For years, VPN access was treated as the safe default for distributed enterprise management. It gave remote machines a way back into the trusted network, and it gave IT teams a familiar control point. But the GOL case shows the downside of that model in a particularly unforgiving setting: if policy depends on devices reliably phoning home through a VPN, then missed connections become missed controls.
That is the quiet security story inside this modernization. GOL’s older environment depended on on-premises infrastructure and VPN connectivity. When devices missed VPN sessions, security baselines could drift. When a machine failed at a remote base, technicians sometimes needed local network access or physical presence. The result was an operational and security model that looked centralized on paper but became fragmented in practice.
Moving management to Intune and identity to Entra ID reframes the control plane. A device does not need to be “inside” the old network to be visible, governed, or reset. A user does not need to inherit trust from a location just because they are standing behind a counter. The internet becomes the access path, while identity and device compliance become the enforcement layer.
That shift is part of the broader zero-trust migration happening across enterprise IT, though the phrase itself has been beaten nearly meaningless by marketing. In practice, the important idea is simpler: stop assuming the network is the boundary. For a company with airport bases spread across a continent-sized country, that is not ideology. It is logistics.

Autopilot Turns Hardware Into a Consumable Operational Asset

Windows Autopilot is easy to underestimate because its best trick is making setup boring. In traditional endpoint management, a new device often arrives as raw material. IT images it, configures it, joins it to the domain, installs applications, applies policies, checks compliance, and ships it out. That process is familiar, but it is also a tax on every expansion, refresh, failure, and emergency replacement.
GOL’s reported move to Autopilot changes the device lifecycle. Hardware from the manufacturer can be made ready for the user’s first login without the same pre-configuration burden. In the airline’s telling, opening a new airport base no longer requires local network infrastructure to be in place first. What once took days can be done in hours over a standard internet connection.
That is not just an IT convenience. It changes the economics of resilience. If a broken device can be replaced and re-provisioned quickly, the company can think differently about spares, remote sites, and support staffing. If device setup is standardized through cloud policy rather than artisan imaging, the organization reduces variation. Variation is where outages hide.
The point is not that Autopilot magically solves endpoint management. It still depends on licensing, network availability, device registration, application readiness, and disciplined policy design. But in a distributed operational business, the ability to turn a new Windows device into a governed endpoint without a technician touching it is a material advantage.

Frontline Workers Don’t Need More Apps; They Need Fresher Reality

The most revealing part of the GOL story is not the update metric. It is the change in operational visibility. The airline describes frontline teams moving away from paper-based processes and delayed communications toward tablets and systems that refresh operational data every 5 to 10 minutes instead of every 24 hours.
That difference is profound. A daily data refresh may be acceptable for a report. It is absurd for live airport operations. Gates change, crews shift, boarding priorities move, passenger flows fluctuate, and disruptions cascade. If employees are working from stale spreadsheets or radio calls, the technology stack is not helping them manage reality; it is making them reconcile reality after the fact.
GOL’s Operational Boarding Coordinator Janaína Oliveira describes the device as an accelerator inside operations. That is the kind of line vendors love, but it also points to a real distinction. Digitization is not modernization if it simply replaces paper with static screens. The operational gain comes when data becomes current enough to change decisions while those decisions still matter.
The airline is also testing a Power Automate-backed chat-style assistant tied to flight schedule files, intended to replace large spreadsheets used during live operations. That is a small but telling example of where Microsoft wants these customer stories to point next. First, move identity and devices into the cloud. Then, wire workflows into automation. Then, add conversational interfaces over the operational substrate.
There is risk there. Chat interfaces can obscure data quality problems, and “ask the assistant” workflows are only as good as their underlying sources, permissions, and auditability. But the direction is hard to ignore. Once frontline devices are managed, authenticated, and current, they become a delivery channel for automation and AI-adjacent workflows that were previously trapped behind desktops, shared files, or local habits.

Microsoft’s Stack Wins When Complexity Looks Like Integration

This is also a Microsoft platform story, and it should be read as one. GOL was already using Microsoft 365, which made Intune, Entra ID, Windows Autopilot, Teams, Outlook, Windows Hello, and Power Automate a natural extension rather than a greenfield decision. That is Microsoft’s enterprise strategy in miniature: make the next operational improvement look like the next logical tile in the existing stack.
There is nothing inherently wrong with that. Integration has real value, especially when an organization is trying to manage devices, identity, collaboration, security, and automation across thousands of employees. Fewer seams can mean fewer failures. A single administrative plane can mean faster policy rollout and clearer accountability.
But integration is also a form of gravity. Once endpoint management, identity, shared device workflows, automation, collaboration, and authentication are all tied into the same ecosystem, switching costs rise. The customer may get speed and simplicity, but it also becomes more dependent on Microsoft’s roadmap, licensing model, service availability, and administrative assumptions.
For WindowsForum readers, that tradeoff is familiar. Microsoft’s enterprise tools are often strongest when deployed as a system, not as isolated products. The question for IT leaders is whether the system’s advantages outweigh the risks of consolidation. In GOL’s case, the operational pain appears to have been acute enough that the answer was yes.

The Numbers Are Impressive Because the Baseline Was Unsustainable

The headline improvements in Microsoft’s case study read like a cloud-modernization checklist: updates faster by orders of magnitude, tickets down, efficiency up, provisioning faster, outages shorter. The temptation is to treat these as proof that every distributed enterprise should follow the same path. That would be too easy.
The better reading is that GOL’s prior operating model had reached the end of its useful life. A three-month update cycle across airport machines is not merely slow; it is strategically incompatible with modern security and operational demands. A 45-day cycle for critical airport updates is hard to square with the pace at which vulnerabilities, application changes, and operational requirements move. A device outage lasting more than 24 hours at an airport base is not an endpoint issue; it is an availability issue.
So yes, the gains are large. But they are large partly because the old model created so much drag. Moving from manual, on-premises, VPN-dependent support to cloud-managed endpoints is not a marginal improvement when the environment is large, distributed, and always on. It is a change in operating assumptions.
That matters for other organizations evaluating similar projects. The ROI is not just in fewer tickets or faster provisioning. It is in reducing the number of times the business has to wait for IT physics: someone traveling to a site, a VPN connecting, a device receiving a policy, a spreadsheet refreshing, a local network being ready. The business case gets stronger when those waits map directly to customer experience.

Security Gets Better Only If Identity Discipline Gets Better

It would be comforting to say that moving to Intune and Entra ID automatically makes a distributed airline environment secure. It does not. Cloud management improves reach, consistency, and speed, but it also raises the stakes for identity governance. If identity becomes the new perimeter, then identity compromise becomes the shortest path to operational disruption.
That is where Windows Hello and individual sign-ins on shared devices become more than convenience features. Biometric or PIN-based authentication can reduce reliance on weak passwords and shared credentials, especially in frontline settings. Individual sessions on shared devices can help preserve accountability across rotating crews. Conditional access policies can make compliance part of the sign-in path rather than an afterthought.
Still, the hard work is in the policy design. Administrators must decide which devices can access which systems, what happens when compliance fails, how shared devices are wiped between users, how emergency access works, and how to avoid locking out frontline workers during live operations. A security policy that strands a gate crew at boarding time will be weakened or bypassed. A policy that never blocks anything is theater.
The GOL story suggests a maturing balance: use cloud identity and device management to keep controls current without making frontline work impossible. That is the enterprise endpoint challenge of the next decade. Security has to be close enough to the workflow to matter and invisible enough not to be routed around.

The Lesson for Windows IT Is Bigger Than Aviation

Airlines are extreme, but they are not unique. Many Windows-heavy organizations now look more like GOL than like the old corporate-office archetype. Healthcare systems have shared clinical workstations. Retailers have point-of-sale terminals, tablets, and back-office PCs. Manufacturers have line-side devices and maintenance stations. Logistics firms have depots, handhelds, shared kiosks, and branch offices. Public agencies have field workers and aging infrastructure spread across wide geographies.
The common thread is that the endpoint is no longer just an employee productivity tool. It is part of the service delivery mechanism. If it fails, customers feel it. If it drifts out of compliance, risk accumulates. If it cannot be updated quickly, the organization becomes slower than the threats and processes surrounding it.
That is why modern endpoint management has moved from a background IT discipline to a board-level resilience issue. Patch velocity, device recovery, identity assurance, and real-time data are not glamorous, but they determine whether a large organization can keep operating under pressure. The Windows endpoint estate is still everywhere; what is changing is the expectation that it should behave like a cloud-managed utility rather than a collection of locally tended machines.
For sysadmins, this shift can feel like both progress and loss. The hands-on craft of imaging, local troubleshooting, and site-specific work gives way to policy, automation, telemetry, and vendor consoles. The job becomes less about touching machines and more about designing systems that rarely require touch. That is a healthier model for the business, but it demands different skills from the people running it.

GOL’s Airport Modernization Leaves a Flight Plan for Everyone Else

The most concrete lesson from GOL’s rollout is that endpoint modernization succeeds when it is tied to operational pain rather than abstract transformation language. The airline was not modernizing because “cloud-first” sounded good. It was modernizing because delayed updates, remote-site failures, stale data, and VPN-dependent controls were colliding with punctuality, customer satisfaction, and frontline work.
  • GOL’s move to Intune, Entra ID, and Windows Autopilot reduced the need for local technicians and VPN-dependent management across remote airport bases.
  • The airline reports that full software fleet updates dropped from three months to three days, while critical airport updates fell from 45 days to three days.
  • Shared Device Mode and individual sign-ins matter because airport workstations are used by rotating frontline teams, not single assigned users.
  • Faster data refreshes changed the value of frontline devices by giving airport workers information while it was still operationally useful.
  • The project shows Microsoft’s enterprise advantage: endpoint management, identity, collaboration, authentication, and automation become more compelling when adopted as an integrated stack.
  • The same model applies beyond aviation wherever Windows devices are tied directly to customer-facing operations.
The case for cloud-managed Windows endpoints has often been framed around remote work, but GOL’s story points to a more durable argument: the endpoint estate has become part of the machinery of real-time operations. For airlines and every other organization with distributed frontline work, the future is not simply fewer technicians touching PCs. It is a world where devices arrive ready, identity carries the control plane, updates move at operational speed, and the old distance between headquarters IT and the edge of the business finally starts to collapse.

References

  1. Primary source: Microsoft
    Published: 2026-07-02T19:10:10.107423
 
