Every Intune migration I've walked into has the same pattern: a fleet of machines managed by a mix of GPO, legacy MDM, hand-rolled scripts, and tribal knowledge — and a deadline. The goal isn't to flip a switch. It's to move workloads gradually, keep the audit trail intact, and leave the internal team something they can actually operate.
The premise
You're not migrating endpoints. You're migrating policy. The devices will follow. If you start with the endpoints, you'll spend three months arguing about enrollment states. If you start with policy — what compliant means, what conditional access must enforce, which apps are in scope — the rest is mechanics.
Staged enrollment, not big bang
I bucket fleets into four waves:
- Wave 0 — IT only. The team that supports the rollout dogfoods it for two weeks. Bugs surface here, not in production.
- Wave 1 — volunteers. 20–50 users who opt in. Their feedback drives the ESP policy and Autopilot profile.
- Wave 2 — a department. One business unit, end to end. This is where you find the legacy app nobody documented.
- Wave 3 — the rest. At this point the runbook is boring, which is the goal.
ESP policy that doesn't time out
The Enrollment Status Page is where most complaints originate. A few rules that hold up:
- Block device use until required apps install — but keep "required" to under six apps. Everything else goes in the post-ESP category.
- Set a 60-minute timeout, not the default 90. Users who aren't done in an hour will need hand-holding anyway; a shorter timeout fails fast and visibly.
- Exclude LOB Win32 apps from the blocking set unless they're required for first login. They're the most likely cause of ESP hangs.
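As an added example (my own code, not the post's and not Intune's tooling), this lints a simplified ESP profile against the three rules above and contrasts a typical first draft with the corrected profile; the key names, app kinds and app catalogue are constructed assumptions, not a verbatim Intune export.

```python
"""Lint an Enrollment Status Page profile against the three rules above.

The profile/app shape is constructed for this example; it is not a verbatim
Intune Graph export, so map the key names onto whatever your export uses.
"""
MAX_BLOCKING_APPS = 6
TARGET_TIMEOUT_MIN = 60
INTUNE_DEFAULT_TIMEOUT_MIN = 90   # the default the post says not to keep
WIN32_LOB_KIND = "win32Lob"       # assumed label for LOB Win32 packages


def lint_esp(profile: dict, apps: dict) -> list[str]:
    """Return findings as strings; an empty list means the profile passes."""
    findings = []
    if not profile.get("blockDeviceUseUntilAppsInstall", False):
        findings.append("device use is not blocked until required apps install")
    timeout = profile.get("timeoutMinutes", INTUNE_DEFAULT_TIMEOUT_MIN)
    if timeout != TARGET_TIMEOUT_MIN:
        findings.append(f"timeout is {timeout} min, expected {TARGET_TIMEOUT_MIN}")
    blocking = profile.get("blockingAppIds", [])
    if len(blocking) > MAX_BLOCKING_APPS:
        findings.append(f"{len(blocking)} blocking apps, limit is {MAX_BLOCKING_APPS}")
    for app_id in blocking:
        app = apps.get(app_id, {})
        if app.get("kind") == WIN32_LOB_KIND and not app.get("requiredForFirstLogin"):
            findings.append(f"LOB Win32 app '{app.get('name', app_id)}' blocks ESP "
                            "but is not needed at first login; move it post-ESP")
    return findings


# Constructed sample catalogue: ids, names and kinds are made up for this example.
APPS = {
    "m365": {"name": "Microsoft 365 Apps", "kind": "office"},
    "vpn": {"name": "Corp VPN client", "kind": WIN32_LOB_KIND, "requiredForFirstLogin": True},
    "erp": {"name": "Legacy ERP client", "kind": WIN32_LOB_KIND},
    **{k: {"name": k, "kind": "store"} for k in ("edge", "av", "pdf", "chat")},
}

WEAK_PROFILE = {  # the shape most first drafts arrive in: default timeout, too many apps
    "blockDeviceUseUntilAppsInstall": True,
    "timeoutMinutes": 90,
    "blockingAppIds": ["m365", "vpn", "erp", "edge", "av", "pdf", "chat"],
}
HARDENED_PROFILE = {  # the ERP client and two extras move to the post-ESP category
    "blockDeviceUseUntilAppsInstall": True,
    "timeoutMinutes": 60,
    "blockingAppIds": ["m365", "vpn", "edge", "av"],
}
if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, lint_esp(profile, APPS) or ["ok"])
```

Run it against each wave's draft profile before enrolling the wave; a non-empty list is the review conversation to have before, not after, the first ESP hang.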
Co-management as a fallback, not a goal
Co-management is a bridge, not a destination. I configure workloads to move to Intune one at a time — compliance first, then resource access, then device configuration, then Windows Update — with each step followed by a week of telemetry review before the next. When something misbehaves you can swing the workload pointer back to SCCM in minutes.
Keep SCCM clients installed but healthy for at least one full patch cycle after the last workload moves. You will need them for forensic lookups when someone asks "when was this machine last compliant in 2024?" and the Intune reports only go back 90 days.
Handoff and documentation
The runbook I leave behind has five sections: enrollment, compliance, app deployment, break-glass, and "what to do when it's on fire." The last section is the one the internal team reads; the first four are the ones an auditor reads. Write for both audiences, not one.