Intune Consulting That Starts with Your Pain Points, Not a Feature List
Every IT team has a version of the same story: ConfigMgr served you well for years, but the world moved to cloud-managed endpoints, and now you’re straddling two management planes — neither fully committed to, neither fully effective.
Big Hat Group helps organizations move from that awkward middle ground to a clean, documented, cloud-native Intune environment — whether that means full migration, strategic co-management, or rescuing a tenant that grew organically and nobody wants to touch.
The Problems We Solve
Most Intune engagements start with one of these conversations:
🔄 ConfigMgr-to-Intune Migration Complexity
Your organization decided to “move to Intune” — but nobody scoped what that actually means. Task sequences, OSD, software update groups, compliance baselines, and collections all need equivalents in Intune, and the mapping isn’t straightforward. Meanwhile, ConfigMgr still runs critical workloads, and you can’t just turn it off.
📋 Policy Sprawl and Conflicting Configurations
Profiles created by different admins, at different times, for different purposes — some targeting the same devices with conflicting settings. Intune doesn’t merge conflicting policies; it flags them as “Not applicable” or “Error,” and suddenly devices aren’t getting the configuration you intended. Nobody knows which profile “wins.”
🤝 Co-Management Confusion
Which workloads stay in ConfigMgr? Which move to Intune? What happens to devices that report to both? Co-management is a transition strategy, not a permanent architecture — but many organizations get stuck in co-management indefinitely without a clear exit plan.
🛡️ Compliance Gaps and Reporting Blind Spots
Compliance policies exist, but they don’t cover the controls your security team actually cares about. Reporting shows green dashboards because the baselines are too permissive. When audit time comes, you can’t prove your endpoints meet CIS benchmarks or your own security standards.
📦 App Deployment Challenges
Win32 apps, LOB apps, MSIX, Microsoft Store apps — each has different packaging requirements, detection rules, and deployment behaviors in Intune. Legacy installers that worked fine in ConfigMgr need repackaging. Your application catalog has 200 entries, and you’re not sure which deployment method fits each one.
💻 Autopilot Deployment Friction
Windows Autopilot promises zero-touch provisioning, but the reality involves hardware hash collection, OEM coordination, Enrollment Status Page (ESP) timeouts, and ESP configurations that don’t work the way the documentation suggests. Devices get stuck, users call the help desk, and the “zero-touch” promise evaporates.
What You Get
We don’t hand you a recommendations deck and walk away. Every engagement delivers working infrastructure and documentation your team can maintain.
✅ Clean Intune Tenant with Documented Policies
Configuration profiles, compliance policies, and security baselines — organized by purpose, documented with scope and intent, free of conflicts and orphaned assignments. Every policy has a name that tells you what it does and a description that tells you why.
✅ Windows Autopilot Deployment Workflow
End-to-end device provisioning: hardware registration, deployment profiles, enrollment status page configuration, and first-run experience. Tested with your apps, your policies, your network — not a lab demo.
✅ Compliance Baselines Aligned to CIS / Microsoft Security Benchmarks
Compliance policies mapped to the controls your security team and auditors require. Clear documentation showing which CIS benchmark control each policy addresses, with gap analysis for controls that Intune can’t enforce natively.
✅ Application Packaging and Deployment
Your application catalog assessed, packaged, and deployed through Intune with proper detection rules, requirement rules, and assignment groups. Win32, MSIX, web apps, and Microsoft Store apps — each using the right deployment method.
✅ Co-Management Roadmap
If you’re running ConfigMgr today, a phased plan for workload migration with clear milestones, rollback procedures, and success criteria for each phase. Not a mandate to rip and replace — a pragmatic sequence based on your environment.
✅ Runbook and Knowledge Transfer
Operational documentation for day-2 management: how to add new policies, onboard new apps, troubleshoot enrollment failures, and read compliance reports. Your team owns this — we make sure they can run it.
Engagement Models
🔍 Assessment — 2-Week Intune Health Check
For organizations that have Intune deployed but aren’t confident it’s configured correctly. We audit your tenant, identify policy conflicts, compliance gaps, and configuration drift, and deliver a prioritized remediation plan.
Deliverables: Assessment report, policy conflict analysis, remediation roadmap, executive summary.
🚀 Migration — ConfigMgr to Intune
Full migration planning and execution: workload assessment, co-management configuration, phased migration with pilot rings, application repackaging, and Autopilot deployment setup.
Deliverables: Migration plan, co-management exit roadmap, repackaged applications, Autopilot profiles, compliance baselines, operational runbook.
🔧 Managed Services — Ongoing Advisory
For organizations that want ongoing Intune expertise without hiring a full-time specialist. Monthly reviews, policy updates for new OS releases, application packaging, and escalation support.
Deliverables: Monthly health reports, policy updates, packaging requests, architecture guidance.
Why Big Hat Group for Intune Consulting
Kevin Kaminski brings 25 years of Microsoft endpoint management expertise — from SMS 2003 through ConfigMgr to cloud-native Intune.
We've migrated environments ranging from 200 to 5,000+ devices, including complex ConfigMgr estates with hundreds of applications and custom task sequences.
Endpoint management deployments for lululemon, Suncor, TELUS, RBC, TransAlta, and Alberta Health Services.
Intune doesn't exist in isolation. We design endpoint management alongside Azure infrastructure, Windows 365, and identity — so the layers actually work together.
Intune Consulting FAQ
What is Microsoft Intune?
Microsoft Intune is Microsoft’s cloud-based endpoint management platform. It handles device enrollment, compliance policies, configuration profiles, app deployment, and security baselines across Windows, macOS, iOS, and Android.
How does Intune work with Windows 365?
Intune is the primary management plane for Windows 365 Cloud PCs. It handles provisioning policies, compliance checks, app deployment, and security baselines — the same way it manages physical devices. Learn more in our Windows 365 training course.
What is Intune Suite?
Intune Suite bundles advanced capabilities including remote help, endpoint privilege management, advanced analytics, and Microsoft Tunnel for MAM. As of late 2025, these features are included in Microsoft 365 E3/E5 licensing — read our blog post on the budget approval roadblock disappearing.
Do you help with Intune migrations from ConfigMgr?
Yes. We help organizations transition from Configuration Manager to cloud-native Intune management, including co-management strategies, workload migration sequencing, and phased rollouts that minimize disruption.
How long does an Intune migration take?
It depends on environment size and complexity. A straightforward migration for 500 devices typically takes 8–12 weeks. Larger environments with complex ConfigMgr task sequences, extensive application catalogs, or compliance requirements can take 4–6 months. We always start with a scoping assessment.
Can we keep ConfigMgr during migration?
Absolutely. Co-management lets you run ConfigMgr and Intune side by side, migrating workloads incrementally. Most organizations keep ConfigMgr for OS deployment and complex task sequences while moving compliance, app deployment, and device configuration to Intune first.
What about our existing GPOs?
We audit your existing Group Policy Objects, identify which ones have Intune equivalents (Settings Catalog, security baselines, or configuration profiles), and create a migration map. Not every GPO maps 1:1 — we document gaps and recommend alternatives.
Do you support GCC/GCC High environments?
Yes. We have experience with commercial, GCC, and GCC High tenants. GCC High has specific endpoint requirements and feature availability differences that we account for in architecture and migration planning.
What Intune licensing do we need?
Intune is included in Microsoft 365 E3/E5 and EMS E3/E5, and is available as a standalone Plan 1 or Plan 2 license. The Intune Suite add-on (now included in E3/E5) unlocks remote help, endpoint privilege management, and advanced analytics. We help you map your feature requirements to the right licensing tier.
How do you handle application repackaging?
We assess your application portfolio, convert legacy installers to Win32 app format (.intunewin), configure detection rules and requirements, and test deployment in a pilot ring before production rollout. For complex LOB apps, we work with your application owners to validate packaging.
What does Intune consulting cost?
Engagements are scoped based on your environment size and complexity. A 2-week Intune health check is our most common starting point. Contact us for a discovery call to discuss your specific needs.
Start Your Intune Engagement
👉 Azure Consulting — the Azure foundation your Intune environment runs on
👉 OpenClaw Enterprise Deployment — AI agents managed through Intune on Windows 365
👉 OpenClaw Consulting — architecture, security, and managed hosting
👉 Windows 365 & Intune Training — hands-on Cloud PC deployment and Intune management