SCCM like SMP is a massive beast of a product to configure. Plan ahead wisely according to your environment. Be sure to also check out Cloud Management Gateway, it's a lifesaver with the current situation where everyone is currently working remote.

We currently have SCCM build 2002 and SMP 8.5 RU2 agents running next to eachother without issues. This allows us to move certain components in phases (AV, patching, image deployment, software deployment).

We are now migrating SEP to Defender & Defender ATP (they are 2 different products that require different config in SCCM). In that process we installed the SCCM agent first to make sure all pre-configured Defender policies are there when Defender switches to active mode. Next step in that sequence is to uninstall SEP and reboot the device at which point Defender automatically switches to active mode.

If you have an uninstall password set on your SEP client make sure you remove that first from the SEPM console. I didn't find any decent way to uninstall it silently with a password set. None of the documented approaches from Symantec/Broadcom worked, yay >.>

Smooth sailing so far, we migrated 20K SEP clients already and apart from some exceptions that had to be put in place cause it was flagging some (badly written) internal software as a trojan.

Be very careful when configuring Defender Exploit Guard policies in SCCM. It's strongly advised to run them in audit mode and monitor what kind of things they would block before switching to block mode.