Migrating from MECM to Intune: Lessons from a 25,000-Device Move

Moving 25,000 devices from MECM to fully cloud-native Intune management — while upgrading to Windows 11 at the same time — is as much about discipline as it is about technology.

Translate policy, don’t just copy it

The biggest single piece of work was translating 300+ Group Policy Objects into Intune configuration profiles and the Settings Catalogue. Resist the urge to recreate every legacy GPO. Many no longer apply, conflict with cloud-native defaults, or duplicate a Microsoft Security Baseline you should be adopting anyway.
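The triage described above, as an added example that is not from the original post: it sorts an exported inventory of legacy settings into retire, drop, review and translate decisions. The inventory format, setting names, baseline contents and decision labels are constructed assumptions, and conflict is checked against the adopted baseline rather than against Intune's own defaults.

```python
from collections import Counter, defaultdict

# Constructed sample data: names and values are illustrative, not taken
# from a real GPO export or from any published baseline.
BASELINE = {
    "Defender/RealTimeMonitoring": "Enabled",
    "Lsa/LmCompatibilityLevel": "5",
}
LEGACY = [  # (gpo_name, gpo_is_linked, setting, value)
    ("Workstation Hardening", True, "Defender/RealTimeMonitoring", "Enabled"),
    ("Workstation Hardening", True, "Lsa/LmCompatibilityLevel", "3"),
    ("Branch Drive Maps", True, "DriveMaps/H", r"\\fs01\home"),
    ("Kiosk Lockdown", True, "Power/SleepTimeout", "0"),
    ("Office Defaults", True, "Power/SleepTimeout", "900"),
    ("XP Compatibility", False, "IE/CompatibilityView", "Enabled"),
]

def triage(settings, baseline):
    """Classify each legacy setting; returns (gpo, setting, decision) tuples."""
    # Values each setting takes across linked GPOs. On-premises precedence
    # picked a winner silently; the migration has to pick one explicitly.
    live_values = defaultdict(set)
    for _, linked, setting, value in settings:
        if linked:
            live_values[setting].add(value)

    results = []
    for gpo, linked, setting, value in settings:
        if not linked:
            decision = "retire"              # applies to nothing today
        elif setting in baseline and baseline[setting] == value:
            decision = "drop-duplicate"      # the baseline already delivers it
        elif setting in baseline:
            decision = "review-conflict"     # disagrees with the baseline
        elif len(live_values[setting]) > 1:
            decision = "resolve-overlap"     # linked GPOs disagree with each other
        else:
            decision = "translate"           # custom setting worth carrying over
        results.append((gpo, setting, decision))
    return results

def summarise(results):
    """Count decisions so the size of the real translation work is visible."""
    return Counter(decision for _, _, decision in results)

if __name__ == "__main__":
    for gpo, setting, decision in triage(LEGACY, BASELINE):
        print(f"{decision:16} {gpo}: {setting}")
```

Only the rows marked translate need a new configuration profile; the review and overlap rows need a decision from the policy owner before anything is built.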

Anchor to a security baseline early

Layering CIS benchmarking and the Microsoft Security Baseline into the SOE from the start avoids painful retrofitting. It also gives you a defensible, auditable configuration rather than a pile of one-off settings.

Co-management is a bridge, not a destination

Co-management lets you shift workloads to Intune gradually and de-risk the transition. The goal, though, is cloud-only — so keep moving workloads across rather than settling into a permanent hybrid state.


Done well, an MECM-to-Intune migration removes a whole layer of on-premises infrastructure and unlocks genuinely location-independent management. The technology is the easy part; the planning is where programmes are won or lost.
