Week by week, including the week where the project actually dies.

Endpoint management migrations have a reputation for being straightforward, and the reputation is half earned. The tenant configuration genuinely is a few weeks of work for someone who has done it before.

The project still routinely runs six months over. Not because the technology is hard, but because of a single phase that nobody budgets for and everybody hits.

Here is the honest schedule.


Week 0: discovery, and resisting the urge to build

Nothing gets configured this week. The work is inventory, and it is unglamorous enough that people skip it, which is why so many of these projects discover their blocker in month four.

  • What devices exist, physically. Not what the asset spreadsheet says. What is actually signing in.
  • Who owns each one. Corporate, personal, contractor, that one machine in the server room that runs the reconciliation job.
  • What manages them today. Group Policy, a legacy MDM, nothing at all, or the worst case: a half-finished co-management setup from a previous attempt.
  • Every application, and how it installs. Write this list. It is the project.
  • Who cannot be interrupted, and when. On a trading desk, this is not a soft constraint.

The output is a list of applications and a list of constraints. Everything downstream is scheduling.


Week 1: tenant foundations

Now you build, but nothing touches a user.

Set the MDM authority. Configure enrollment restrictions so that only the platforms you intend to support can enroll, because the alternative is discovering someone's personal Android tablet in your compliance report. Configure Windows Autopilot profiles and Company Portal branding.

Confirm licensing actually covers what you are about to do. Intune is included in the common Microsoft 365 enterprise and business premium bundles, but the assumption is worth five minutes of verification rather than a surprise in week six.

Build the compliance policies now, and set them to report only. You want the data before you want the enforcement.


Week 2: baseline configuration

  • Security baselines. Start from Microsoft's published Windows baseline and deviate deliberately, documenting each deviation. A baseline you have modified without recording why becomes unmaintainable within a year.
  • BitLocker, with recovery keys escrowed to Entra. This is non-negotiable and it is also the control most likely to generate your first support ticket, so get the recovery workflow tested before anyone needs it at 6am.
  • Defender configuration. Attack surface reduction rules in audit mode first. Some of them will break a legitimate line-of-business application, and you want to know which in a controlled way.
  • Update rings. At minimum: a test ring, a broad ring, and a deferred ring for the machines you cannot afford to have reboot unexpectedly. A single ring is how you patch the entire trading desk on a Tuesday morning.
  • Local administrator password solution, so that the local admin account is unique per device and rotated, rather than being the same password everyone has known since 2019.

Week 3: the pilot

Five to ten users. Choose them badly on purpose.

Do not pilot with the IT team. They will work around every problem instinctively and report that everything went fine. Pilot with:

  • One executive, because their tolerance for friction is the real acceptance criterion
  • One person who is openly skeptical of the project, because they will tell you the truth
  • One person with the most unusual application stack in the firm
  • One person who works primarily from home on a residential connection

Enroll them and watch. What breaks, in our experience, is rarely Intune. It is the VPN client that needs to install a driver, the printer that wants a legacy driver package, the research application whose installer expects to write to a directory it no longer has rights to, and the trading application that the vendor supports only under a configuration you have just made impossible.


Week 4: application packaging, where projects die

This is the phase.

Every application on the week-0 list has to be packaged as a Win32 app with an install command, an uninstall command, a detection rule, and any dependencies declared. The well-behaved ones take twenty minutes. The badly behaved ones take a day each, and every firm has more of them than they think.

The pathological cases, and every firm has at least one:

  • The vendor ships an installer that requires interactive input
  • The application checks for a specific legacy runtime
  • The licensing is tied to a machine identifier that changes on reimage
  • The vendor's official support position is "install it as local administrator and do not manage it"
  • Nobody knows who the vendor is anymore, and the person who did has left

This work is not intellectually difficult. It is simply a volume of small, fiddly, unavoidable tasks, and it is the difference between a migration that lands in six weeks and one that lands in six months.

The single best thing you can do for the timeline is start it in week 1, in parallel, rather than discovering it in week 4.


Weeks 5 onward: rollout by cohort

Not big bang. Ever.

Move in cohorts, sized so that if a cohort goes badly, you can support every affected person personally in an afternoon. Start with the group whose work is most tolerant of disruption and end with the trading desk.

Only when enrollment and compliance are consistently above 95 percent do you flip the Conditional Access policy that requires a compliant device. Flipping it early is how you lock out the people you can least afford to lock out.


The four mistakes we see most

Permanent co-management purgatory. The firm stands up Intune alongside its existing tooling, moves a few workloads, and then stops. Two years later they are paying for and maintaining both, and neither is authoritative. Co-management is a bridge. Decide when you are getting off it, and write the date down.

Enrolling without Autopilot. You can enroll existing machines and get most of the management benefit, and many firms stop there. But the actual prize, the one you promised the CFO, is that the next new hire's laptop ships directly from the vendor to their apartment, and they turn it on and are working in forty minutes with nobody touching it. That requires Autopilot registration and the hardware relationship to support it. If you skip it, you have bought management and not bought the thing that was supposed to pay for it.

Hybrid join by default. Hybrid Entra join exists to support genuine on-premises Active Directory dependencies. If you have those, use it. Many firms do not, and they choose hybrid anyway because it feels like the safe, familiar option. It is neither. It is more moving parts, more failure modes, and a decision you will pay for at every subsequent step.

Confusing configuration profiles with compliance policies. A configuration profile sets a setting. A compliance policy evaluates a state and reports it to Conditional Access. They are different objects with different purposes, and treating them as interchangeable produces environments where devices are configured correctly and reported as non-compliant, or the reverse, which is worse.


What this actually buys

At the end, a new hire's laptop arrives at their home, they sign in, and forty minutes later they are working on a machine that is encrypted, patched, monitored, and compliant, and nobody in your firm touched it.

That is the deliverable. Everything above is the price.


Planning an Intune migration?

KYA Consulting runs endpoint management migrations for firms that cannot afford a bad Tuesday. Get in touch with us to roadmap your endpoint modernizations.

Get in Touch