Apr 05 2022 04:00 PM
I promise I've Googled as hard as I can and can't find the answers to what seem like some pretty simple questions...
I've got a bunch of digital signage and point-of-sale devices that I want to migrate from AD/SCCM to AD/Intune. They log in with local accounts. I don't want to mess around with hybrid, I just want to cut them straight over with as little effort as possible.
Manual method I'm pretty sure will work:
1. RDP into each one
2. Disjoin it from AD (have to enter a domain account with disjoin privs)
3. Uninstall the SCCM client
4. Use a bulk enrollment provisioning package to join to AAD
5. AAD automatic enrollment to Intune
6. Done
This will be a pain though, so I'd like to automate it. I think I can use SCCM to install the AD-join bulk enrollment provisioning package and it shouldn't be a problem using SCCM to uninstall itself and I should be able to configure SCCM's AD discovery to exclude these devices so SCCM doesn't try to re-absorb them while I'm working on disjoining them. Then, finally, I think I can use some powershell remoting and the remove-Computer cmdlet to disjoin the devices and pass in the creds that have privileges. I'd disjoin with SCCM but I don't want to put those disjoin creds in a script.
Question:
1. Can I join an AD-joined device to AAD? Can they exist simultaneously for a few days without any hybrid configuration?
2. Is there a better way to do this?
Thanks,
Dan
Apr 06 2022 12:16 AM
Apr 07 2022 02:57 PM - edited Apr 07 2022 02:58 PM
@365vCloud as mentioned, I want to avoid hybrid. I don't want to connect anything that I'll have to disconnect and tear down later when on-prem gets taken out back.
FWIW - I do have a working model for automated AD disjoin and AAD re-join. Basically, I'm doing an invoke-command and a script block to send a few commands to the device which builds a scheduled task to join AAD on next reboot via a bulk deploy provisioning package then a remove-computer command with domain creds to remove the device. I'd do all this with SCCM but I don't want to put any credentials in the script or pipeline for this.
So on migration night, I run this script on each device which sets up the scheduled task to join AAD after it disjoins AD and reboots. I had to use the scheduled task because it's really hard to do any kind of powershell remoting once it's disjoined from the domain... lots of WinRM errors that got ugly trying to work past.
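A worked version of the flow described in the post above (remove the SCCM client, register a startup task that applies the bulk-enrollment package, then Remove-Computer with prompted domain creds), added here as an example and not the poster's own script. It assumes a hypothetical package path C:\Migrate\AADJoin.ppkg already staged on each device, a hostname list in signage-devices.txt, and WinRM reachable while the devices are still domain-joined.

```powershell
# Added example, not the poster's script. Assumed: the bulk-enrollment .ppkg has
# already been copied to C:\Migrate\AADJoin.ppkg on each device (e.g. via SCCM),
# WinRM works while the device is still domain-joined, and $cred can disjoin computers.
$devices = Get-Content -Path .\signage-devices.txt   # one hostname per line (constructed input)

# Prompt at run time so the disjoin credential is never stored in the script or pipeline.
$cred = Get-Credential -Message 'Domain account with computer-disjoin rights'

$migrate = {
    param([pscredential]$DomainCred)
    $ppkg = 'C:\Migrate\AADJoin.ppkg'
    if (-not (Test-Path $ppkg)) { throw "Provisioning package missing on $env:COMPUTERNAME" }

    # 1. Uninstall the SCCM client so the device stops reporting to the old site.
    $ccm = 'C:\Windows\ccmsetup\ccmsetup.exe'
    if (Test-Path $ccm) { Start-Process -FilePath $ccm -ArgumentList '/uninstall' -Wait }

    # 2. One-shot SYSTEM task that applies the AAD-join package at next boot.
    #    Remoting is unreliable once the device has left the domain, so the join
    #    step must run locally; the task removes itself after it has run.
    $cmd = "Install-ProvisioningPackage -PackagePath '$ppkg' -QuietInstall -ForceInstall; " +
           "Unregister-ScheduledTask -TaskName 'AADJoinOnBoot' -Confirm:`$false"
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$cmd`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
    Register-ScheduledTask -TaskName 'AADJoinOnBoot' -Action $action -Trigger $trigger `
                           -Principal $principal -Force | Out-Null

    # 3. Leave the domain and reboot; the startup task fires on the way back up.
    Remove-Computer -UnjoinDomainCredential $DomainCred -WorkgroupName 'WORKGROUP' -Force -Restart
}

foreach ($dev in $devices) {
    try {
        # The credential is passed as an argument to the remote session, not embedded in the block.
        Invoke-Command -ComputerName $dev -ScriptBlock $migrate -ArgumentList $cred -ErrorAction Stop
        Write-Host "$dev : disjoin queued, rebooting"
    } catch {
        Write-Warning "$dev : $($_.Exception.Message)"   # log and continue with the rest of the fleet
    }
}
```

Run it from a machine that is still domain-joined; the final Remove-Computer reboot tears down the remote session, so a broken-pipe style error on that last step is expected rather than a failure.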
Apr 12 2022 01:41 PM
I swear there's not enough documentation out there and whatever bits there are, it's mostly only very specific to that one step and not as a whole migration. To answer your questions:
This is the method that I've used on a few environments and works well: