Before Device migration approach

Question

Before Device migration approach

Prabhjot Singh 255

Hi Team,

In prospective of Hybrid Entra joined devices, what should be the recommended approach, should we first unenroll device from MDM and then we should disconnect or unregister or else disconnect and then unregister device from Azure AD before across forest device migration?

How to automate the process for above to make smooth transition? Any script is available?

Rahul Jindal [MVP] 10,911 Reputation points MVP

2024-04-20T21:01:09.4433333+00:00

You are looking at re-enrollment here. Disjoin the device in AD and then join to the target domain. Delete objects from Entra ID and Intune. Configure the target forest and the tenant for hybrid join and automatic Intune enrollment. Some parts of the process can be automated, but due to sync tasks involved, you may not be able to automate the entire process.
Prabhjot Singh 255 Reputation points

2024-04-22T05:13:52.1966667+00:00

Thansks @Rahul Jindal [MVP] for reply. I have also seen when device is Hybrid Entra join, for disjoining from Hybrid which command should be suitable, dsregcmd /leave or Remove-AzureADDevice? Which of these should be used for unjoin and unregister from Azure AD?
Rahul Jindal [MVP] 10,911 Reputation points MVP

2024-04-22T08:24:44.5033333+00:00

Recommended way is to use dsregcmd /leave

Accepted answer

1 additional answer

Your answer

Rahul Jindal [MVP] 10,911 Reputation points MVP

2024-04-20T21:01:09.4433333+00:00

You are looking at re-enrollment here. Disjoin the device in AD and then join to the target domain. Delete objects from Entra ID and Intune. Configure the target forest and the tenant for hybrid join and automatic Intune enrollment. Some parts of the process can be automated, but due to sync tasks involved, you may not be able to automate the entire process.
Prabhjot Singh 255 Reputation points

2024-04-22T05:13:52.1966667+00:00

Thansks @Rahul Jindal [MVP] for reply. I have also seen when device is Hybrid Entra join, for disjoining from Hybrid which command should be suitable, dsregcmd /leave or Remove-AzureADDevice? Which of these should be used for unjoin and unregister from Azure AD?
Rahul Jindal [MVP] 10,911 Reputation points MVP

2024-04-22T08:24:44.5033333+00:00

Recommended way is to use dsregcmd /leave

Answer 1

ZhoumingDuan-MSFT 17,165 Microsoft External Staff

@Prabhjot Singh, Thanks for posting in Q&A.

For your issue, it is suggested that you first unenroll from Intune, which ensures that the device is no longer managed by MDM, next you can disconnect the device from Azure AD using command dsregcmd /leave, and then you can migration to another AD.

For re-Hybird Entra join, GPO enrollment will be a faster way, and you can refer method @xenia mentioned.

Hope it will help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Prabhjot Singh 255 Reputation points

2024-04-22T06:34:22.57+00:00

@ZhoumingDuan-MSFT , in this scenario, are multiple reboots required for device? If required, then in which step?
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2024-04-22T07:23:23.52+00:00

@Prabhjot Singh, Thanks for your update.

This requires rebooting the device two times, when you unenroll from Intune and disconnected from Azure AD, you need to reboot the device. When you connect with Azure AD and enroll in Intune, you need to reboot the device.
Prabhjot Singh 255 Reputation points

2024-04-24T05:12:30.5733333+00:00

@ZhoumingDuan-MSFT , thanks for your reply, to unenroll device from Intune, is there any PowerShell script to automate the process for unenrolling device from Intune?
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2024-04-24T06:34:48.72+00:00
@Prabhjot Singh, Thanks for your confirmation.

To remove the device from Intune via PowerShell script, we can run the following script. For the script, it deletes the device in Intune portal. After the deletion, the device will not be managed by Intune.

https://www.fisontech.net/p/day-57-remove-intune-devices-with-powershell/

Note: Non-Microsoft link, just for the reference.

But the account on the device side will be still kept. To remove it, you can run the following command to remove the account information.

Get-ItemProperty -Path "C:\Users\*\AppData\Local\Packages" | ForEach-Object { Remove-Item -Path "$_\Microsoft.AAD.BrokerPlugin*" -Recurse -Force | Out-Null }

https://answers.microsoft.com/en-us/windows/forum/all/how-do-i-remove-a-work-or-school-account-from-my/58c72151-87e7-4f21-a41f-1cb59728f3d3

Hope it will help.
Prabhjot Singh 255 Reputation points

2024-04-25T06:22:02.1733333+00:00

@ZhoumingDuan-MSFT , if we simply run this command only -

"Get-ItemProperty -Path "C:\Users*\AppData\Local\Packages" | ForEach-Object { Remove-Item -Path "$_\Microsoft.AAD.BrokerPlugin*" -Recurse -Force | Out-Null } "

Without removing the device object from Intune. Does this unenroll the device from Intune, as we have retention policy in place in our environment and we don't want to delete the device object.
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2024-04-25T07:09:18.3433333+00:00

@Prabhjot Singh, Thanks for your reply.

In General, unenroll the device completely means the device enrollment information remove on device side and also it is removed in Intune portal.

When the account removed by the PowerShell command on device side, it will lose connection to Microsoft Intune. But the device record still exists in Intune portal. You can choose to configure Device cleanup rules to remove these inactive, stale, or unresponsive device records. Or you can choose the PowerShell script we mentioned before to remove the records immediately. This depends on you.

https://learn.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe#automatically-delete-devices-with-cleanup-rules

In addition, please also ensure the registry keys related with enrollment under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\GUID also be deleted to avoid any issue in future when you want to enroll this device into MDM.

Hope the above information can help.
ZhoumingDuan-MSFT 17,165 Reputation points Microsoft External Staff

2024-04-30T06:37:50.57+00:00

@Prabhjot Singh, Hope you have a good day.

If the answer is helpful, please click "Accept Answer" and kindly upvote it to help others with the same problem as soon as possible.

Answer 2

xenia 391

@Prabhjot Singh Honestly, I haven't seen a script can do the entire process. Generally, we will remove the device from intune and Entra ID, then join the device to a local AD and use GPO enrollment method to make the device Hybrid Entra joined. In GPO enrollment, we can configure the autoenrollment for a group of devices.

https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy

Share via

Before Device migration approach

1 additional answer

Your answer