This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 67%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
Hi Team,
In prospective of Hybrid Entra joined devices, what should be the recommended approach, should we first unenroll device from MDM and then we should disconnect or unregister or else disconnect and then unregister device from Azure AD before across forest device migration?
How to automate the process for above to make smooth transition? Any script is available?
You are looking at re-enrollment here. Disjoin the device in AD and then join to the target domain. Delete objects from Entra ID and Intune. Configure the target forest and the tenant for hybrid join and automatic Intune enrollment. Some parts of the process can be automated, but due to sync tasks involved, you may not be able to automate the entire process.
Thansks @Rahul Jindal [MVP] for reply. I have also seen when device is Hybrid Entra join, for disjoining from Hybrid which command should be suitable, dsregcmd /leave or Remove-AzureADDevice? Which of these should be used for unjoin and unregister from Azure AD?
Recommended way is to use dsregcmd /leave
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 35%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EZM%3C/text%3E%3C/svg%3E)
@Prabhjot Singh, Thanks for posting in Q&A.
For your issue, it is suggested that you first unenroll from Intune, which ensures that the device is no longer managed by MDM, next you can disconnect the device from Azure AD using command dsregcmd /leave, and then you can migration to another AD.
For re-Hybird Entra join, GPO enrollment will be a faster way, and you can refer method @xenia mentioned.
Hope it will help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@ZhoumingDuan-MSFT , in this scenario, are multiple reboots required for device? If required, then in which step?
@Prabhjot Singh, Thanks for your update.
This requires rebooting the device two times, when you unenroll from Intune and disconnected from Azure AD, you need to reboot the device. When you connect with Azure AD and enroll in Intune, you need to reboot the device.
@ZhoumingDuan-MSFT , thanks for your reply, to unenroll device from Intune, is there any PowerShell script to automate the process for unenrolling device from Intune?
@Prabhjot Singh, Thanks for your confirmation.
To remove the device from Intune via PowerShell script, we can run the following script. For the script, it deletes the device in Intune portal. After the deletion, the device will not be managed by Intune.
https://www.fisontech.net/p/day-57-remove-intune-devices-with-powershell/
Note: Non-Microsoft link, just for the reference.
But the account on the device side will be still kept. To remove it, you can run the following command to remove the account information.
Get-ItemProperty -Path "C:\Users\*\AppData\Local\Packages" | ForEach-Object { Remove-Item -Path "$_\Microsoft.AAD.BrokerPlugin*" -Recurse -Force | Out-Null }
Hope it will help.
@ZhoumingDuan-MSFT , if we simply run this command only -
"Get-ItemProperty -Path "C:\Users*\AppData\Local\Packages" | ForEach-Object { Remove-Item -Path "$_\Microsoft.AAD.BrokerPlugin*" -Recurse -Force | Out-Null } "
Without removing the device object from Intune. Does this unenroll the device from Intune, as we have retention policy in place in our environment and we don't want to delete the device object.
@Prabhjot Singh, Thanks for your reply.
In General, unenroll the device completely means the device enrollment information remove on device side and also it is removed in Intune portal.
When the account removed by the PowerShell command on device side, it will lose connection to Microsoft Intune. But the device record still exists in Intune portal. You can choose to configure Device cleanup rules to remove these inactive, stale, or unresponsive device records. Or you can choose the PowerShell script we mentioned before to remove the records immediately. This depends on you.
In addition, please also ensure the registry keys related with enrollment under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\GUID also be deleted to avoid any issue in future when you want to enroll this device into MDM.
Hope the above information can help.
@Prabhjot Singh, Hope you have a good day.
If the answer is helpful, please click "Accept Answer" and kindly upvote it to help others with the same problem as soon as possible.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(147.20000000000002, 96%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EX%3C/text%3E%3C/svg%3E)
@Prabhjot Singh Honestly, I haven't seen a script can do the entire process. Generally, we will remove the device from intune and Entra ID, then join the device to a local AD and use GPO enrollment method to make the device Hybrid Entra joined. In GPO enrollment, we can configure the autoenrollment for a group of devices.