HomeBuild items › Migration co existence
Build items · Migrate

Migration & co-existence

Most Intune projects inherit an estate that already works — Group Policy, a domain, years of local decisions. This section is how Decolla brings that estate in without breaking it, and without pretending co-existence is the destination.

Why this matters

The riskiest phase of an Intune adoption is not provisioning new devices. It is the window where Group Policy and MDM both believe they own the same machine. Settings fight, and the loser is usually a user's mapped drive, proxy configuration or sign-in experience. MDMWinsOverGP looks like the switch that resolves this — but flipped fleet-wide without a conflict map, it turns a quiet estate into a ticket generator.

Meanwhile the AD side rots quietly: computer objects sitting in the wrong OUs, device policies still targeted at user groups that stopped being accurate years ago, local admin passwords that have never been rotated. And underneath all of it sits user data — one lost desktop folder during a refresh costs more goodwill than the rest of the project earns.

What a good build does

Discovery happens before the build, not partway through it. The evidence-gathering is read-only, so it runs in Assessment & posture readiness — migration decisions rest on a conflict map, not hope.

Decolla then treats co-existence as a ladder of commitment rather than a leap: tenant attach first (visibility only, the lowest-risk step), co-management with guidance for each workload slider, and hybrid join strictly as a bridge for domain-bound fleets. MDMWinsOverGP ships default OFF and is applied only where Policy-CSP conflicts have actually been identified.

User data gets the same staging: a verified backup before provisioning touches anything, and a single in-use machine converted to a managed pilot before the estate follows. Every step lands in the written, itemised plan with a delivery and reversibility class, irreversible steps flagged, and per-item rollback of Decolla's own changes — which, stated honestly, covers what Decolla changed, not what your domain did before it arrived. One item here, WhatsApp encrypted backup provisioning, carries single-client provenance and is flagged client-SOP tier rather than dressed up as core catalogue. The doctrine underneath is blunt: rebuild bottom-up from a clean baseline. Co-existence is a bridge, not a place to live.

Where it bites people

Two gotchas recur in almost every co-existence project.

What's in this section (24 items)

ItemTierDeliveryReversibility
MDMWinsOverGP (Policy-CSP conflicts ONLY - default OFF)RecommendedsettingsCatalogauto
Tenant attach (visibility only, lowest risk)Optionalmanualauto
Co-management workload-slider guidance (7 areas)Optionalmanualauto
Entra hybrid join (existing domain-fleet bridge)Optionalmanualauto
Prune stale USER-group assignments from device policiesOptionalmanualreverse
Rename tenant-default Firewall + NGP policiesOptionalmanualreverse
User data & profile migration stage (refresh-only)Recommendedmanualreverse
Back up existing user data before provisioningRecommendedmanualauto
Convert existing in-use machine to managed pilotOptionalmanualreverse
Cross-platform old->new device migration SOPOptionalmanualreverse
Existing-user iCloud->Exchange contacts migrationOptionalmanualirreversible
WhatsApp encrypted daily backup provisioningOptionalmanualreverse
Stamp AD computer Description with hardware identityOptionalplatformScriptreverse
Move computer AD object into correct OUOptionalplatformScriptreverse
Rename computer to standard asset name + labelOptionalplatformScriptreverse
Create standardised local account across machine listOptionalplatformScriptreverse
Rotate local admin (itfadmin) password, no-expireOptionalplatformScriptreverse
WhatsApp restore on new/replacement iPhone (same number + iCloud)Recommendedmanualirreversible
WhatsApp restore on new/replacement Android (same number + Google account)Recommendedmanualirreversible
WhatsApp end-to-end backup key/password custodyRecommendedmanualreverse
WhatsApp iOS↔Android switch — cross-platform transfer caveatAdvancedmanualirreversible
Samsung Smart Switch device-to-device migrationRecommendedmanualirreversible
Pre-migration mobile data checklist (gate before any phone swap)Recommendedmanualauto
Authenticator / 2FA migration pre-checkRecommendedmanualirreversible

Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.

See it on a real device.

Decolla is in private build — early-access members see a build defined, deployed and rolled back first.

Get early access