Microsoft has made its direction clear: Intune is the future of endpoint management, and SCCM (now Microsoft Configuration Manager) is in maintenance mode. If you are still running ConfigMgr as your primary device management tool, the migration clock is ticking. Here is a practical, step-by-step checklist to plan and execute the move.
Phase 1: Discovery and assessment
Before you touch a single policy, you need a complete picture of what you are managing today.
- Inventory all SCCM-managed devices. Export your device list including OS version, hardware model, domain join state, and client health status. You need to know how many devices are Windows 10, Windows 11, and whether any are running unsupported OS versions that Intune will not manage.
- Catalog all deployed applications. Pull a report of every application and package deployed through SCCM. Categorize them: which are MSI packages, which are scripts, which are SCCM task sequences? This determines your repackaging effort.
- Document all configuration baselines and compliance policies. SCCM configuration baselines do not translate 1:1 to Intune compliance policies. You need to understand every setting you are enforcing today.
- Map your collections to Entra ID groups. SCCM collections based on AD queries will need equivalent dynamic groups in Entra ID. Plan these mappings now.
- Identify SCCM-only features you depend on. Task sequences, OS deployment (OSD), and some software metering features do not have direct Intune equivalents. Decide how you will handle these gaps.
Phase 2: Licensing and infrastructure
- Verify Intune licensing. Every user who will have a managed device needs an Intune license. Check whether your current M365 plan includes Intune or if you need standalone licenses.
- Set up Entra ID Connect (if it is not already in place). Hybrid environments need Entra ID Connect to sync on-premises identities. Verify it is healthy and syncing all required OUs.
- Configure Intune tenant settings. MDM authority, enrollment restrictions, device categories, and scope tags should all be configured before you start enrolling devices.
- Plan your network. Intune communicates over HTTPS to Microsoft endpoints. Make sure your firewall allows traffic to the required Intune, Entra ID, and Windows Update endpoints. Microsoft publishes this list and updates it regularly.
Phase 3: Enable co-management
Co-management is the bridge between SCCM and Intune. It lets you run both management authorities simultaneously and shift workloads one at a time.
- Install the co-management configuration in SCCM. This is a one-time setup that enrolls your SCCM-managed devices into Intune automatically.
- Start with low-risk workloads. Move compliance policies and device configuration to Intune first. These are well-supported and easy to validate.
- Shift resource access profiles next. Wi-Fi, VPN, and certificate profiles can move to Intune with minimal disruption.
- Move Windows Update management. Transition from SCCM Software Update Point (SUP) to Windows Update for Business policies in Intune. This is a significant operational change, so test thoroughly with a pilot group.
- Migrate application deployment last. This is the heaviest lift. Repackage SCCM applications as Win32 apps (.intunewin format) and set up new deployment assignments.
Phase 4: Application repackaging
This is where most migrations stall. SCCM supports a wide variety of deployment types that do not all work in Intune.
- Convert MSI apps. These are the easiest. Wrap them with the IntuneWinAppUtil tool and create detection rules using the MSI product code.
- Convert script-based deployments. Rewrite SCCM scripts as Win32 app install/uninstall commands. Test detection rules carefully.
- Handle task sequence dependencies. SCCM task sequences that install multiple apps in sequence need to be broken into individual Intune app deployments with dependency chains.
- Test every app on a clean device. Do not assume that an app packaged for SCCM will behave identically when deployed through Intune. The execution context and timing can differ.
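The detection rule is the part of repackaging most sensitive to execution context. The script below is an added example, not code from this checklist's author: a custom detection script for an MSI wrapped as a Win32 app, which reads both registry views explicitly and enforces a version floor. The product code and minimum version are constructed placeholders.

```powershell
# Custom detection script for a Win32 app that wraps an MSI.
# Intune marks the app as detected only when the script exits 0 AND writes to STDOUT.

# Constructed placeholders: take the real values from your MSI.
$ProductCode    = '{00000000-0000-0000-0000-000000000000}'
$MinimumVersion = [version]'1.0.0'

function Get-MsiDisplayVersion {
    param(
        [Parameter(Mandatory)] [string] $Code,
        [Parameter(Mandatory)] [Microsoft.Win32.RegistryView] $View
    )
    # Open the requested registry view explicitly so the result does not depend on
    # whether the script host is a 32-bit or 64-bit process.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $hklm.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\$Code")
        if ($null -eq $key) { return $null }
        try { return [string]$key.GetValue('DisplayVersion') }
        finally { $key.Dispose() }
    }
    finally { $hklm.Dispose() }
}

$views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
foreach ($view in $views) {
    $raw = Get-MsiDisplayVersion -Code $ProductCode -View $view
    if ([string]::IsNullOrWhiteSpace($raw)) { continue }

    # A DisplayVersion that does not parse as a version is treated as not detected.
    $installed = $null
    if (-not [version]::TryParse($raw, [ref]$installed)) { continue }

    if ($installed -ge $MinimumVersion) {
        Write-Output "Detected $ProductCode version $installed ($view)"
        exit 0
    }
}

# Nothing on STDOUT plus a non-zero exit code: reported as not installed.
exit 1
```

The version floor keeps a device that still carries an older build from being reported as installed, which matters when the deployment exists to replace an outdated version.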
Phase 5: Pilot and validate
- Enroll a pilot group of 10-20 devices. Choose a mix of hardware models and user roles.
- Validate every policy and app deployment. Check compliance status, app installation status, and configuration profile application for each pilot device.
- Monitor for 2 weeks minimum. Look for issues with Windows Update delivery, app update cycles, and compliance drift.
- Gather user feedback. Ask pilot users about any changes to their experience. Performance, login time, and app availability are the most common concerns.
Phase 6: Full migration and SCCM decommission
- Roll out in waves. Migrate 50-100 devices at a time, validating after each wave before proceeding.
- Shift all co-management workloads to Intune. Once validated, set every workload slider to "Intune" in the co-management configuration.
- Uninstall the SCCM client. After confirming Intune management is stable, remove the ConfigMgr client from devices. This can be done as a Win32 app deployment through Intune itself.
- Decommission SCCM infrastructure. Remove site servers, distribution points, and management points once all devices are migrated and stable for 30+ days.
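One way to script the client removal step as the install command of a Win32 app (an added example, not the author's tooling). It assumes the default client location under `%WinDir%\ccmsetup` and the `CcmExec` service name; the timeout is an arbitrary choice.

```powershell
# "Install" command for a Win32 app whose job is to remove the ConfigMgr client.
# Exit 0 = client is gone, exit 1 = removal failed or timed out.

$ccmSetup       = Join-Path $env:WinDir 'ccmsetup\ccmsetup.exe'   # default path (assumption)
$timeoutMinutes = 20                                              # arbitrary; tune for your fleet

function Test-CcmClientPresent {
    # The ConfigMgr client runs as the CcmExec service (SMS Agent Host).
    [bool](Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue)
}

if (-not (Test-CcmClientPresent)) {
    Write-Output 'ConfigMgr client not present; nothing to do.'
    exit 0
}

if (-not (Test-Path -LiteralPath $ccmSetup)) {
    Write-Error "ccmsetup.exe not found at $ccmSetup; cannot uninstall."
    exit 1
}

Start-Process -FilePath $ccmSetup -ArgumentList '/uninstall' -Wait -WindowStyle Hidden

# Do not trust the process exit alone: poll until the service is actually removed.
$deadline = (Get-Date).AddMinutes($timeoutMinutes)
while ((Test-CcmClientPresent) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 15
}

if (Test-CcmClientPresent) {
    Write-Error "CcmExec still present after $timeoutMinutes minutes."
    exit 1
}

Write-Output 'ConfigMgr client removed.'
exit 0
```

Pair it with a detection rule that reports success only when the `CcmExec` service is absent, so devices where removal failed stay visible in the Intune install status.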
BluetechGreen has completed SCCM to Intune migrations for organizations with 50 to 3,000 devices. If you want help with any phase of this checklist, from initial assessment through SCCM decommission, our team can run the project end-to-end or support your internal IT staff at specific phases.