You'll start by simply enabling more data being synced from your on-premises Active Directory to Azure AD. That won't affect user experience in any way. Just set aside time to enroll a few test or pilot machines with Endpoint Manager and give them a few weeks of normal use. Try to bake in some test plans during that pilot period. Find out what happens during events such as:
- You need to decrypt a drive
- You need to re-encrypt a drive
- A user needs self-service help with their BitLocker PIN/password
- Online unlock vs offline unlock
- Pushing management policies to the devices
- Changing and removing management policies from devices
- How you handle a lost/stolen device (wipe, etc)
- And more
Endpoint Manager documentation probably lays out more things to plan for and test during a deployment. This would also be a good time to review your current authentication configuration. (ie: Are you using password hash sync, federation and SSO, password write-back, etc?)
In the end, the impact of switching from a "registered devices" (BYOD) approach hinges on any changes that will add more security restrictions to what might be a personal device. Users will notice changes that require them to have a stronger PIN, policies that prevent them from uploading data to cloud storage, or policies that disable certain features on their phone. Thankfully, these are things that you can test in detail by creating a test group of devices to preview these policies before applying them to everyone.
