Week by week, including the week where the project actually dies.
Week by week, including the week where the project actually dies.
Endpoint management migrations have a reputation for being straightforward, and the reputation is half earned. The tenant configuration genuinely is a few weeks of work for someone who has done it before.
The project still routinely runs six months over. Not because the technology is hard, but because of a single phase that nobody budgets for and everybody hits.
Here is the honest schedule.
Nothing gets configured this week. The work is inventory, and it is unglamorous enough that people skip it, which is why so many of these projects discover their blocker in month four.
The output is a list of applications and a list of constraints. Everything downstream is scheduling.
Now you build, but nothing touches a user.
Set the MDM authority. Configure enrollment restrictions so that only the platforms you intend to support can enroll, because the alternative is discovering someone's personal Android tablet in your compliance report. Configure Windows Autopilot profiles and Company Portal branding.
Confirm licensing actually covers what you are about to do. Intune is included in the common Microsoft 365 enterprise and business premium bundles, but the assumption is worth five minutes of verification rather than a surprise in week six.
Build the compliance policies now, and set them to report only. You want the data before you want the enforcement.
Five to ten users. Choose them badly on purpose.
Do not pilot with the IT team. They will work around every problem instinctively and report that everything went fine. Pilot with:
Enroll them and watch. What breaks, in our experience, is rarely Intune. It is the VPN client that needs to install a driver, the printer that wants a legacy driver package, the research application whose installer expects to write to a directory it no longer has rights to, and the trading application that the vendor supports only under a configuration you have just made impossible.
This is the phase.
Every application on the week-0 list has to be packaged as a Win32 app with an install command, an uninstall command, a detection rule, and any dependencies declared. The well-behaved ones take twenty minutes. The badly behaved ones take a day each, and every firm has more of them than they think.
The pathological cases, and every firm has at least one:
This work is not intellectually difficult. It is simply a volume of small, fiddly, unavoidable tasks, and it is the difference between a migration that lands in six weeks and one that lands in six months.
The single best thing you can do for the timeline is start it in week 1, in parallel, rather than discovering it in week 4.
Not big bang. Ever.
Move in cohorts, sized so that if a cohort goes badly, you can support every affected person personally in an afternoon. Start with the group whose work is most tolerant of disruption and end with the trading desk.
Only when enrollment and compliance are consistently above 95 percent do you flip the Conditional Access policy that requires a compliant device. Flipping it early is how you lock out the people you can least afford to lock out.
Permanent co-management purgatory. The firm stands up Intune alongside its existing tooling, moves a few workloads, and then stops. Two years later they are paying for and maintaining both, and neither is authoritative. Co-management is a bridge. Decide when you are getting off it, and write the date down.
Enrolling without Autopilot. You can enroll existing machines and get most of the management benefit, and many firms stop there. But the actual prize, the one you promised the CFO, is that the next new hire's laptop ships directly from the vendor to their apartment, and they turn it on and are working in forty minutes with nobody touching it. That requires Autopilot registration and the hardware relationship to support it. If you skip it, you have bought management and not bought the thing that was supposed to pay for it.
Hybrid join by default. Hybrid Entra join exists to support genuine on-premises Active Directory dependencies. If you have those, use it. Many firms do not, and they choose hybrid anyway because it feels like the safe, familiar option. It is neither. It is more moving parts, more failure modes, and a decision you will pay for at every subsequent step.
Confusing configuration profiles with compliance policies. A configuration profile sets a setting. A compliance policy evaluates a state and reports it to Conditional Access. They are different objects with different purposes, and treating them as interchangeable produces environments where devices are configured correctly and reported as non-compliant, or the reverse, which is worse.
At the end, a new hire's laptop arrives at their home, they sign in, and forty minutes later they are working on a machine that is encrypted, patched, monitored, and compliant, and nobody in your firm touched it.
That is the deliverable. Everything above is the price.
Planning an Intune migration?
KYA Consulting runs endpoint management migrations for firms that cannot afford a bad Tuesday. Get in touch with us to roadmap your endpoint modernizations.
Get in Touch