IT-DRAFTS
July 23, 2025

SCCM-to-Intune Migration: The Cloud Apocalypse Survival Checklist

🎯 Objective:

Migrate a massive hybrid infrastructure (15,000+ endpoints, some in Azure, some on-premises) from System Center Configuration Manager (SCCM) to Microsoft Intune. Mission: avoid catastrophe, retain control, secure everything, handle scale, and stay (mostly) sane.

Step 0: Mental Prep

☑ Accept that Intune ≠ SCCM

  • SCCM is centralized, on-prem, stateful, agent-based.

  • Intune is cloud-native, policy-based, stateless, powered by Azure AD, MDM and Graph API.

  • No PXE, no Task Sequences, no classic OSD in Intune.

☑ Team Readiness

  • Assign leads: Identity, Device Enrollment, App Packaging, Compliance, Support.

  • Get an Azure architect, an SCCM veteran, and someone who can read logs without blinking.

Step 1: Audit & Inventory

☑ Devices:

  • Use SCCM / CMPivot to collect hardware inventory.

  • Map device join types: AD-only, Hybrid AAD, AAD Join.

  • Segment by model, OS version, region, connectivity type.

☑ Applications:

  • Export all deployed apps from SCCM.

  • Classify by type: MSI, EXE, Script, Store, LOB.

  • Flag apps needing admin rights or lacking silent install.

  • Build a critical apps list.

☑ SCCM Workload Map:

  • What’s running: Updates? Task Sequences? CI/CD?

  • Identify Custom Baselines and dynamic/static collections.

☑ Identify Tech Debt:

  • Legacy VPNs? POS terminals? Print drivers from 2009?

  • Local shares, registry-tied apps, GPO-bound configs?

  • Anything non-silent is a red flag.

Step 2: Azure Infrastructure Readiness

☑ Azure AD:

  • AAD Connect healthy and syncing.

  • All devices Hybrid Joined or better.

  • Validate with dsregcmd /status.
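
One way to script the dsregcmd /status check so it also yields the join-type mapping from Step 1 (an added example, not part of the original checklist). The sample text is constructed and trimmed to the fields the function reads; the function name Get-JoinState is an assumption.

```powershell
# Constructed sample of `dsregcmd /status` output, trimmed to the fields used below.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@

function Get-JoinState {
    param([Parameter(Mandatory)][string]$StatusText)

    # Collect "Name : Value" pairs; banner lines do not match and are skipped.
    $fields = @{}
    foreach ($line in $StatusText -split "`r?`n") {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $ad  = $fields['DomainJoined']  -eq 'YES'

    if ($aad -and $ad) { $joinType = 'Hybrid AAD' }
    elseif ($aad)      { $joinType = 'AAD Join' }
    elseif ($ad)       { $joinType = 'AD-only' }
    else               { $joinType = 'Not joined' }

    [pscustomobject]@{
        JoinType = $joinType
        HasPrt   = ($fields['AzureAdPrt'] -eq 'YES')  # token state of the signed-in user
        Ready    = $aad                               # "Hybrid Joined or better"
    }
}

Get-JoinState -StatusText $sample
# On a live device: Get-JoinState -StatusText ((dsregcmd /status) -join "`n")
```

A device that reports Ready but not HasPrt is joined yet holds no Primary Refresh Token for the current user, which is worth resolving before Conditional Access is enforced on it.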

☑ Dynamic Groups:

  • Create AAD dynamic device groups:

    • By OS type, ownership, department, region.

    • Use filters like: (device.deviceOSType -eq "Windows") and (device.deviceOwnership -eq "Company")

☑ Conditional Access:

  • Enforce MFA, block risky countries.

  • Add exclusions for pilot groups to prevent self-lockouts.

☑ Endpoint Security:

  • Hook up Microsoft Defender for Endpoint.

  • Configure ASR, Defender AV, BitLocker, firewall.

Step 3: App Packaging & Testing

☑ Conversion:

  • Use IntuneWinAppUtil.exe to package all installables.

  • Store source folders, install scripts, dependencies.

☑ Detection Rules:

  • File: C:\Program Files\App\app.exe

  • Registry: HKLM\Software\Vendor\Product\Installed = 1

☑ Return Codes:

  • Success: 0, Reboot: 3010, Retry: 1618

  • Remediation scripts for anything weird

☑ Testing:

  • Manual install on clean non-SCCM device

  • Log all outcomes: success / fail / stuck

  • Record detection, timing, reboots
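
A test harness that ties the detection rules, return codes and test log together (an added example, not part of the original checklist). The detection targets are the placeholder path and registry value listed above; the function names, the installer path and the /quiet /norestart arguments are assumptions.

```powershell
# Detection: the file must exist AND the registry flag must equal 1.
function Test-AppInstalled {
    param(
        [string]$ExePath = 'C:\Program Files\App\app.exe',
        [string]$RegPath = 'HKLM:\Software\Vendor\Product',
        [string]$RegName = 'Installed'
    )
    if (-not (Test-Path -LiteralPath $ExePath -PathType Leaf)) { return $false }
    # A missing key or value yields $null instead of a terminating error.
    $value = (Get-ItemProperty -LiteralPath $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    return ($value -eq 1)
}

# Map installer exit codes to the outcomes listed under Return Codes.
function Get-InstallOutcome {
    param([int]$ExitCode)
    switch ($ExitCode) {
        0       { 'Success' }
        3010    { 'Reboot' }   # installed, restart pending
        1618    { 'Retry' }    # another installation is already running
        default { 'Fail' }
    }
}

# Run one installer, time it, then record exit code, outcome and detection result.
function Invoke-PackageTest {
    param(
        [Parameter(Mandatory)][string]$Installer,               # hypothetical path
        [string[]]$Arguments = @('/quiet', '/norestart')        # hypothetical switches
    )
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    $proc  = Start-Process -FilePath $Installer -ArgumentList $Arguments -Wait -PassThru
    $timer.Stop()

    [pscustomobject]@{
        Installer = $Installer
        ExitCode  = $proc.ExitCode
        Outcome   = Get-InstallOutcome -ExitCode $proc.ExitCode
        Detected  = Test-AppInstalled
        Seconds   = [math]::Round($timer.Elapsed.TotalSeconds, 1)
    }
}

# On a clean, non-SCCM test device, append each result to a CSV log:
# Invoke-PackageTest -Installer '.\setup.exe' | Export-Csv .\package-tests.csv -Append -NoTypeInformation
```

A row with Outcome Success but Detected False points at a wrong detection rule rather than a failed install, which is the case that otherwise shows up in Intune as an endless reinstall loop.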

Step 4: Co-Management Setup

☑ Cloud Attach via SCCM Console

  • Enable CMG (Cloud Management Gateway)

  • Move workloads step-by-step:

    1. Compliance Policies

    2. Device Configuration

    3. Updates

    4. Endpoint Security

    5. App Deployment

    6. Client Management

☑ Monitor Everything:

  • Watch workload transition

  • Review client logs

  • Use the Co-Management Dashboard to track

Step 5: Enrollment & Autopilot

☑ Device Hash Collection

  • Run Get-WindowsAutopilotInfo.ps1

  • Import CSV to Intune

☑ Enrollment Status Page (ESP)

  • Set to Full Blocking Mode

  • Link to required policies and apps

☑ OEM Provisioning

  • Arrange factory provisioning with Group Tags

  • Use pre-staged Autopilot profiles

Step 6: Pilot Launch

☑ Build Your Pilot Group

  • 50–200 diverse users

  • Include regional variance and edge cases

☑ Tracking Tools:

  • Endpoint Analytics: boot time, crash ratio, user sentiment

  • Compliance results: pass / fail / not evaluated

  • Application install logs & dashboards

☑ Support Flow:

  • Set up a fast-lane escalation team

  • Distribute FAQ, survival guide, Teams channel

  • Enable Remote Help / Quick Assist

Step 7: Mass Rollout & SCCM Shutdown

☑ Scale Up with Logic

  • Expand AAD groups for phased rollout

  • Assign baselines and apps by region or device type

☑ Uninstall SCCM Cleanly

  • Use: ccmsetup.exe /uninstall

  • Confirm all workloads moved

  • Validate in reporting & analytics

☑ Infra Decommissioning

  • Shut down DPs, MPs, SUPs

  • Backup and archive SQL and reports

  • Toast your old WSUS with a glass of whiskey

Step 8: Post-Migration & Quality Review

☑ Documentation

  • Record changes, pain points, success metrics

  • Archive all scripts, configs, architecture

☑ Lessons Learned

  • Build feedback loops

  • Automate discovered manual steps

  • Plan Phase 2: advanced analytics, role-based access, EPM

🚀 You Made It

You didn’t just migrate — you survived.
Your infra’s alive, your logs are humming, and your apps are still installing.
You’ve turned Microsoft Intune from a glorified phone manager into a global enterprise beast.

And now… go tell the others.
Or sleep. You’ve earned it.
