By Donald D. Hook — Former CTO & CIO, Full On Consulting | May 2026 | 14 min read
About the Client
The client is a large, global technical professional organization and public charity dedicated to advancing technology for the benefit of humanity. With a worldwide membership base and a complex, distributed IT environment spanning multiple platforms, the organization's technology initiatives demand precision, accountability, and deep technical expertise. Their technology footprint includes a broad mix of enterprise systems, endpoint devices, and cloud services — making device management and security a critical operational capability.
The Vision: Zero-Touch Device Provisioning
The client set out to modernize how it managed, deployed, and secured laptops across its organization. The CTO's vision was ambitious but achievable: a zero-touch experience for IT — where a new employee could unbox a laptop, connect to the internet, and have their device automatically configured, enrolled, secured, and ready to use without IT staff ever physically touching it.
The project objectives were clear:
Modernize Device Management
Implement Microsoft Intune and Windows Hello to replace legacy device management processes with a modern, cloud-native platform.
Enhance Device Management
Improve visibility, control, and security across all client devices — Windows and Mac — through a unified management console.
Zero-Touch Provisioning
Streamline new laptop deployment to eliminate the burden on IT staff — from unboxing to fully configured in a single step, from anywhere.
The Engagement: A Well-Known National Consulting Firm
The client engaged a well-known, national technology and business consulting firm to deliver the implementation. The firm brought a full project team: a project manager, two technical resources, a Microsoft Security Architect, a Microsoft Intune Architect and project lead, and a change management leader.
The scope was well-defined. The firm was responsible for the complete Intune deployment and configuration, defining the new enrollment and provisioning process, and delivering five key documents covering implementation, change management, employee communications, and HR onboarding materials. The project plan consisted of four phases: Planning & Design, Implementation, Deployment, and Adoption/Change.
From the outset, there were concerns about the quality of the project plan. It lacked the depth and specificity required for an engagement of this complexity — milestones were broadly defined, dependencies were not mapped, and there was no clear risk register or contingency framework. A rigorous project plan would have identified the client's existing endpoint security tools, mapped integration dependencies, and established clear go/no-go criteria before implementation began. Instead, the team proceeded into execution with a plan that gave the appearance of structure without the substance of it.
Full On Consulting served as the client-side liaison — ensuring the client's teams were engaged, providing what the consulting firm needed, and maintaining oversight of delivery accountability. What followed was a textbook case of consulting firm failure.
How It Unraveled: A Timeline
The project started well. Teams were engaged. The consulting firm conducted planning and design activities to understand the client's environment — the tools, technologies, configurations, and IT processes that would need to be integrated with the new Intune platform. Status reports were green. Optimism was high.
Technical issues emerged and persisted. Symantec Endpoint Encryption was conflicting with Intune enrollment. Certificates were not being downloaded to laptops for provisioning. Mac devices were not working at all. The consulting firm spent two months attempting to diagnose and resolve these issues — while the project manager continued to report green status. Testing and deployment timelines slipped quietly, without formal acknowledgment of the severity of the problems.
It came to light that the client's internal security team needed to be more actively involved to update security configurations and processes on the client side. This dependency — which should have been mapped during the Planning & Design phase — had not been surfaced. The security team's involvement added further delay to an already struggling implementation.
As the holiday season approached, the consulting firm's resources took approximately three weeks of vacation. The project stopped entirely. No contingency. No handoff. No progress. For an engagement already behind schedule, a three-week shutdown was a critical blow.
After the new year, the consulting firm returned — but barely. Their engagement was minimal and it became clear they had transitioned their attention to a new client. The original issues remained unresolved. Repeated pressure, including escalating to the consulting firm's management, was required to get any meaningful response. Full On Consulting elevated the project to yellow status. The consulting firm's project manager continued to report green.
In an issue resolution meeting with approximately two weeks left in the engagement, the consulting firm's project lead made a stunning admission: Microsoft Intune cannot work with Symantec Endpoint Encryption. He indicated that the client would need to find another solution — effectively declaring the project undeliverable and placing the burden of resolution on the client. This was a direct indictment of the Planning & Design phase. The entire purpose of that phase was to identify exactly this type of incompatibility before implementation began.
What the Consulting Firm Got Wrong
This was not a case of an unusually complex technical problem. It was a case of fundamental consulting failures compounded over time.
✗ A Project Plan That Looked Like Structure Without the Substance
The consulting firm's project plan was a significant early warning sign that went unaddressed. Milestones were broadly defined, critical dependencies were not mapped, existing endpoint security tools were not inventoried, and there was no risk register or contingency framework. A project plan of this nature creates the illusion of governance while providing none of its protections. When the inevitable technical conflicts emerged, the team had no documented contingency path — because they had never built one into the plan.
✗ Failed Planning & Design Phase
The Planning & Design phase exists for one reason: to discover incompatibilities, dependencies, and risks before implementation begins. A Symantec Endpoint Encryption conflict with Intune is a known, documented issue. A competent architect conducting proper discovery would have identified this dependency in the first two weeks. Discovering it in the final two weeks — after months of failed implementation attempts — is a planning and design failure of the highest order.
✗ Misrepresented Project Status
The consulting firm's project manager reported green status throughout the period when the project was clearly in trouble. Green status while Symantec conflicts were unresolved, Mac devices weren't working, certificates weren't deploying, and timelines were slipping is not optimism — it is a misrepresentation of facts to a client paying for accurate information. Status reporting exists to enable decision-making. False status reporting eliminates that capability entirely.
✗ Abandoned the Client for Another Engagement
The most damaging failure was the gradual disengagement that began after the new year. The consulting firm's team had clearly moved on to a new client. Their availability, responsiveness, and engagement quality all dropped simultaneously — the classic signature of a team that has been redeployed. The client was no longer their priority. Their project was still on the clock.
✗ Change Management Was Theater
The consulting firm's change management resource attended five meetings. In every meeting, the conversation was about defining what needed to be done — not doing it. After five sessions with no deliverables produced, the decision was made to direct the resource to create the five required documents and close out the workstream. The documents were delivered. The actual change management value was not.
✗ Refused to Own the Resolution
When the Symantec conflict was finally surfaced, the consulting firm's position was that the client needed to resolve it. This is the vendor accountability gap in its starkest form: a firm that was engaged and paid to deliver a solution, acknowledging in the final two weeks that the solution wouldn't work — and pointing at the client to fix it. That is not consulting. That is abdication.
The Recovery: Doing What the Consulting Firm Should Have Done
After releasing the consulting firm, Full On Consulting worked directly with the client's internal teams to resolve the technical issues and deliver what the engagement had originally promised.
The resolution centered on a new cloud-based architecture: Microsoft Entra ID Join with Windows Hello for Business and macOS Platform SSO. This approach:
✓ Eliminated the Symantec Conflict
By moving to an Entra ID Join strategy, the dependency on legacy pre-boot authentication was resolved. BitLocker managed through Intune replaced Symantec Endpoint Encryption, removing the root cause of the original implementation failure.
✓ Enabled True Zero-Touch Provisioning
Devices can now be provisioned from any internet connection — no VPN, no domain controller, no IT physical touch required. A new employee unboxes a laptop, connects to the internet, and the device configures itself.
✓ Replaced Passwords with Hardware-Backed Authentication
Windows Hello for Business and macOS Platform SSO replace traditional passwords with hardware-backed biometric or PIN authentication, integrated with PingFederate for single sign-on. Security improved. User experience improved.
✓ Worked for Both Windows and Mac
The original consulting firm never got Mac devices working at all. The recovered solution handles both platforms — a fundamental requirement that the original engagement failed to deliver in months of trying.
Within approximately six weeks of taking over, a working solution was demonstrated to the client's CTO — who was impressed with the outcome and is reviewing it with the Chief Digital Officer for full organizational rollout. The CTO's original vision of a zero-touch IT experience is being realized. It just required releasing the firm that was supposed to deliver it and doing the work ourselves.
What This Engagement Teaches About Consulting Firm Accountability
Planning & Design is not administrative overhead — it is risk prevention
The Symantec conflict was not an unknowable surprise. It was a discoverable dependency that a thorough planning phase would have surfaced before a single line of configuration was written. When consulting firms rush through planning to get to billable implementation hours, clients pay the price.
Green status is not a data point — it is an opinion
Project status should be based on objective criteria: milestone completion, deliverable quality, risk register, and schedule variance. When status is determined by the person whose contract depends on the client staying calm, it is not a reliable indicator of project health. Independent oversight changes this dynamic.
Disengagement is rarely announced — it is observed
No consulting firm tells a client they have moved on. They become harder to reach. Meeting preparation declines. Responses slow. Deliverables get vaguer. The pattern is consistent and recognizable — if you know what to watch for.
Escalation to firm management is always an option — use it early
Escalating to the consulting firm's leadership is not a last resort — it is a governance tool. Client-side project managers should not hesitate to escalate when delivery falls below the contracted standard. Waiting until the final weeks of a project to escalate forfeits the window in which recovery is still possible.
Sometimes releasing the vendor is faster than recovering them
Organizations often hold on to underperforming vendors because changing course feels expensive and disruptive. In this case, the decision to release the firm and bring in recovery expertise — while disruptive — produced a working solution in six weeks. Months of pressure on the original firm had not.
Is Your IT Project in Trouble?
Full On Consulting specializes in IT project recovery — stepping in when a vendor has failed to deliver, stabilizing the situation, and finishing what the original firm should have done. We have recovered programs across SAP, Salesforce, ServiceNow, Microsoft, and infrastructure platforms. If your project is in yellow or red status and your vendor is telling you green — let's talk.
Frequently Asked Questions
What are the warning signs that a consulting firm is failing on your project?
Key warning signs include: the project manager reporting green status while timelines are slipping; technical issues that go unresolved for weeks without a documented remediation plan; consultants becoming hard to reach or visibly distracted by other clients; deliverables being redefined in every meeting rather than produced; and the firm blaming the client's environment for problems that should have been discovered in the planning phase. When a vendor's project status and your internal assessment diverge significantly, trust your internal read.
What should you do when a consulting firm stops delivering mid-project?
First, document the gap between contracted deliverables and actual delivery in writing. Escalate formally to the consulting firm's senior management — not just the project manager. Set a hard deadline for recovery with specific deliverables. If recovery is not achieved, engage an independent advisor to assess options. In some cases, releasing the firm and bringing in a recovery specialist is faster and less expensive than continuing to pressure a disengaged vendor. Preserve all project documentation, access credentials, and work products before releasing any vendor.
What is zero-touch device provisioning with Microsoft Intune?
Zero-touch device provisioning allows new employees to unbox a laptop and have it automatically configured, enrolled in the organization's device management platform, and ready to use — without IT staff physically touching the device. Microsoft Intune, combined with Windows Autopilot and Microsoft Entra ID Join, enables this by enrolling devices over the internet, applying security policies, installing applications, and authenticating users through passwordless methods like Windows Hello for Business. The result is a dramatically reduced burden on IT staff and a faster, more consistent onboarding experience.
Why did Symantec Endpoint Encryption conflict with the Intune deployment?
Symantec Endpoint Encryption uses a pre-boot authentication mechanism that intercepts the Windows boot process before Intune can manage device enrollment and certificate deployment. This conflict should have been identified during the planning and design phase of the project through a thorough discovery of existing endpoint security tools and configurations. When this conflict is discovered late — after implementation has begun — it typically requires either replacing the encryption solution with BitLocker managed through Intune, or redesigning the enrollment process to accommodate the pre-boot agent. A competent consulting firm conducting proper discovery would identify this dependency within the first two weeks of a project.
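The discovery described above can be scripted per device before any enrollment work starts. The following PowerShell is an added example, not tooling from the engagement or from Full On Consulting; the product-name pattern and the go/no-go rule are assumptions to adapt to your own environment.

```powershell
# Added example: pre-enrollment discovery for one Windows laptop (run elevated).
# ASSUMPTION: $fdePatterns is illustrative; match it to the DisplayName values
# your own software inventory reports for the encryption product in use.
$fdePatterns = @('Symantec Endpoint Encryption')

# 1. Installed products from the 64-bit and 32-bit uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$names = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } | Select-Object -ExpandProperty DisplayName)
$thirdPartyFde = @(foreach ($name in $names) {
    foreach ($pattern in $fdePatterns) {
        if ($name -like "*$pattern*") { $name; break }
    }
})

# 2. BitLocker state of the OS volume and TPM readiness.
$os  = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$bitLocker = 'not available'
if ($os) { $bitLocker = "$($os.VolumeStatus) / protection $($os.ProtectionStatus)" }

# 3. Current join state, parsed from `dsregcmd /status` lines such as
#    "AzureAdJoined : YES".
$dsreg = dsregcmd /status
$join = @{}
foreach ($key in 'AzureAdJoined', 'DomainJoined') {
    $value = 'UNKNOWN'
    $hit = $dsreg | Select-String -Pattern "^\s*$key\s*:\s*(\S+)" | Select-Object -First 1
    if ($hit) { $value = $hit.Matches[0].Groups[1].Value }
    $join[$key] = $value
}

# 4. Go/no-go (assumed rule): a third-party pre-boot encryption agent or a
#    missing/unready TPM is recorded as a blocker to resolve before enrollment.
$blockers = @()
if ($thirdPartyFde.Count -gt 0) { $blockers += "Third-party disk encryption: $($thirdPartyFde -join ', ')" }
if (-not ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady)) { $blockers += 'TPM missing or not ready' }
$decision = 'GO'
if ($blockers.Count -gt 0) { $decision = 'NO-GO' }

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    BitLocker     = $bitLocker
    AzureAdJoined = $join['AzureAdJoined']
    DomainJoined  = $join['DomainJoined']
    Blockers      = $blockers -join '; '
    Decision      = $decision
}
```

Collecting this object from every pilot device during Planning & Design (for example with `Export-Csv`) turns the encryption dependency into a recorded go/no-go item instead of a late finding.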
What is Microsoft Entra ID Join and how does it differ from traditional domain join?
Microsoft Entra ID Join (formerly Azure AD Join) enrolls devices directly into Microsoft's cloud identity platform rather than an on-premises Active Directory domain. Unlike traditional domain join, which requires a VPN or line-of-sight to a domain controller, Entra ID Join works from any internet connection — making it ideal for remote and hybrid workforces. Combined with Windows Hello for Business, it replaces passwords with hardware-backed biometric or PIN authentication, significantly improving both security and user experience. For organizations with a cloud-first strategy, Entra ID Join is the modern replacement for legacy domain join architectures.
