Event details
14 Comments
Is there any way to migrate an existing ‘Entra hybrid joined’ device to ‘Entra joined’ without having to reset the device?
Autopilot is suitable for new devices or devices that need to be reconfigured for some reason, but having to reset all the company’s devices just to make them cloud-native is madness.
- Jason_Sandys
Microsoft
Why do you need them to be Entra-joined overnight? What's forcing this or why is this a requirement? Or, asked another way, why is waiting for them to be replaced by the hardware refresh cycle not acceptable?
Hi Jason, hardware refresh is fine, and that is what we will do, any new PC, or any PC that needs to be reset for any reason, will be set up on Entra straight away.
If we had a migration method, we wouldn’t have to wait – in our case, four years – for all devices to be on Entra, thereby avoiding having two "types" of PCs.
It also affects our plans to phase out the local infrastructure, as we’ll have to keep AD running for longer.
No path from Hybrid to Entra join that Microsoft provides or supports, but there are third-party/community tools available that many of us use and have had success with.
https://www.youtube.com/watch?v=tijnTNRif98
https://powersyncpro.com/
And I agree that nuking your endpoint to make it cloud-native is in fact madness. Are you listening Microsoft?
Thanks JoeITGuy for your comments.
I already know Rubix, and I can say that it works. I tested it some time ago and all test migrations worked fine. It's a pity that it is an unsupported process.
BTW... what do you mean with "Are you listening Microsoft?" ?
The biggest issue that I have with Autopilot Device Preparation is that the hardware isn't tied to our tenant by uploading a hash.
There is nothing to prevent a use setting up a device with a personal account, e.g. they have left the business & not returned the equipment or setting it up with another tenant.
Traditional Autopilot locks the device to our tenant as long as it can access the appropriate Microsoft endpoints.Device Association sounds like it may resolve that, any vague ideas on timeline?
- Jason_Sandys
Hi BillGallop,
A couple of notes here.
- We are working on a method to associate a device with a tenant when using Windows Autopilot device preparation. This is in the later stages of development and will serve a similar purpose as device registration in Windows Autopilot. No commitment on timeline.
- Even with device registration, devices were never truly "locked" to a tenant and users could still set up devices in their possession for personal (or other) use. Locking devices to a tenant (thus barring them from any other use) is not the intent or purpose of registration (or the yet to be released association feature).
We accept the feedback that some organizations would like this type of locking but with a software only solution, this is not truly possible. Many hardware vendors have solutions that may work for you depending on your exact requirements.
We will not make Company Portal the default until it is installed on our co-mgmt devices, but have been unable to create a dependable app/package in SCCM. We haven't moved the workload slider for Device Configuration for multiple reasons so this isn't an option. The Company Portal files obtained from winget are imported as an appx package but installations aren't consistent. I eventually tracked down the SC errors to the appx installation not finding registry keys and certain files. I haven't been able to determine any pattern. I attempted to just use PSADT and install with add-appxpackage (user and all) but this also didn't work.
Anything I find online is outdated- most suggest WS4B. Any suggestions to how we can get Company Portal onto our co-mgmt devices? Thanks
- Jason_Sandys
Hi sundi2019,
Moving the device configuration workload to Intune is not required for this. Have you considered moving the apps workload to Intune and deploying the Company Portal app from Intune to these devices? Moving this workload to Intune does not change app delivery from ConfigMgr in any way and merely enables app delivery from Intune.
- Heather_Poulsen
Community Manager
Thanks for joining today’s session on “Why smarter Windows management starts with Intune” at Microsoft Technical Takeoff. Q&A will remain open through Friday so keep your comments and questions coming! Up next: Reporting at scale with Windows Autopatch update readiness.
Is there a way to prevent users from accessing the desktop until they enroll in Windows Hello during OOBE? There's a known bypass where the user can close the prompt which causes an error and the user can click on a button that says "continue anyway". The Windows Hello enrollment won't appear again until the device reboots and the user signs in again.
- Maggie_Dakeva
Thank you for the feedback. There is no way currently to configure this as a blocking experience. We'll look into how we can improve this experience during onboarding.
- Heather_Poulsen
Welcome to “Why smarter Windows management starts with Intune” at Microsoft Technical Takeoff. Q&A is open now and throughout the week. Please post any questions or feedback here in the Comments. [Note: If your organization’s policies prevent you from seeing the video on this page, you can also tune in on LinkedIn.]
