Feb 10 2020 01:11 PM - last edited on Jan 14 2022 04:34 PM by TechCommunityAP
Hello All,
We want to migrate our on-prem AD devices to Azure AD and enroll them into Intune. We have Azure AD sync and all, but we need to convert the machines to Azure AD join only, not Hybrid AD join. So we would like to create a new user profile on each machine.
We have used two methods so far.
1) Reset the machine and join it to Azure AD from OOBE. (Issue: this makes the user an Administrator of that machine, and we don't want that.)
2) Unbind from on-prem AD and join to Azure AD manually, but this has the same issue as number 1.
3) Using the hardware hash, register the devices to Autopilot and then reset all the machines. (Issue: this would take too long to migrate 250 machines, and helping remote workers is quite difficult.)
Has anyone tried a different method, or is there any expert suggestion?
Thanks!
Feb 03 2022 01:36 PM
Quick input, as we are in the process of migrating from on-prem to native Azure AD.
At this point we have been doing the migration as devices get replaced, but for the rest, here is our process.
Log into the device with a DC admin.
Create a local admin user, no password.
Log out and into the local user. Remove the DC and reboot.
Connect to Azure AD with the desired future user (the user needs to be in Azure/365 and licensed; whichever user you register it with will have admin on the PC).
Once joined, log out of the local user and into the future Azure user (the one you registered with, or your Azure admin).
Remove the local user.
Log into the employee's account that was using the PC, if you aren't already.
We use the free profwiz to copy the profile data unattended.
It's not the fastest option, but it drags the old profile data across to the Azure AD profile and no wipe is needed. Total hands-on time is about 20-30 minutes on average; one person can often do 5-10 units at once.
Feb 06 2022 07:37 PM
Thank you for the reply.
I was able to silently migrate the devices to MDM; the only issue was with Windows Hello for Business.
We did not want to create a new profile or break the user connection, as that would change the profile ID and break things for the user. In the end, we decided to stagger the deployment and work slowly by sending replacement laptops.
Apr 06 2022 07:27 AM
Apr 06 2022 03:58 PM
Hi,
I was able to join the systems to Intune MDM using the GPO. However, it chose to use AD authentication rather than Windows Hello. So we dropped the plan.
Thanks
Apr 07 2022 05:00 AM
Oct 17 2022 11:54 AM
Oct 19 2022 07:16 AM
Oct 19 2022 07:18 AM - edited Oct 19 2022 07:23 AM
I understand, and from the first post I see the ask is to migrate your endpoint Windows devices from local AD join to Azure AD join, and most of the responses are around enrollment and hybrid etc., which are kind of not correct. I know the solution, and you will need to leverage a third party, which in my view is not very expensive considering the value it brings.
1. For your machine to be fully Azure AD joined, it needs to be disjoined from local AD and then joined to Azure AD. If it is kept connected to local AD and synced to the cloud, then it is a hybrid join.
2. For a larger-scale deployment, it is not feasible or possible for admins to reach out to every user, disjoin the machine and manually join it to Azure AD.
3. If you do it manually, you will lose the user profile, and this will not be a nice user experience.
So how do you solve this?
Well, there is a tool from ForensIT (Corporate Edition) that migrates your machine and the user profile residing on the local machine from a domain or local join to an Azure AD join. You will need to create a deployment package using the wizard it provides, and at the end it will create an .exe file. Deploy that .exe file either through GPO or through SCCM, whichever works for you. Now, one thing here is that the provisioning package (.ppkg) file the ForensIT tool asks for at one point can be created using the Windows Configuration Designer tool (WCD). Basically, you will be able to automate the whole process, even joining the machine to Azure AD. So, download the Windows Configuration Designer tool (it's free from MS and available in the Windows Store) and follow the wizard; very easy. At the end you will have a .ppkg file. Use this file in the ForensIT tool when it asks you to provide it at some point in the wizard. At the end, you will have the .exe and all good.
When this .exe is run:
it will migrate the domain profile to an Azure AD user profile such that all the settings, apps and desktop data, everything, stay as-is
it will disjoin the machine from the local AD
it will auto-join the machine to Azure AD using the provisioning package you created using WCD
you will need to reboot the machine twice
that's it, and you will have your machine fully Azure AD joined and with the user profile and data intact!
Thank you.
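As an added example (not code from the thread, from ForensIT, or from any Microsoft tool), the following PowerShell verifies the two points raised in this thread on a migrated device: that it is Azure AD joined rather than hybrid joined, and whether the account used to perform the join is still sitting in the local Administrators group. It assumes Windows 10/11 with dsregcmd.exe and the Microsoft.PowerShell.LocalAccounts module, run from an elevated session.

```powershell
# Added example: post-migration join-state and local-admin check. Not from the thread.
# Assumes dsregcmd.exe and Get-LocalGroupMember are available; run elevated.

function Get-DsregValue {
    # dsregcmd /status prints "Key : Value" lines; return the value for one key
    param([string[]]$Lines, [string]$Key)
    $pattern = '^\s*{0}\s*:\s*(\S+)' -f [regex]::Escape($Key)
    $hit = $Lines | Select-String -Pattern $pattern | Select-Object -First 1
    if ($hit) { return $hit.Matches[0].Groups[1].Value }
    return $null
}

function Get-JoinState {
    # AzureAdJoined=YES with DomainJoined=YES is the hybrid case the thread warns about
    $lines  = & dsregcmd.exe /status
    $aad    = Get-DsregValue -Lines $lines -Key 'AzureAdJoined'
    $domain = Get-DsregValue -Lines $lines -Key 'DomainJoined'
    if ($aad -eq 'YES' -and $domain -eq 'YES') { return 'Hybrid Azure AD joined' }
    if ($aad -eq 'YES')                        { return 'Azure AD joined' }
    if ($domain -eq 'YES')                     { return 'On-prem domain joined' }
    return 'Not joined (workgroup)'
}

function Get-LocalAdmins {
    # Azure AD principals report PrincipalSource 'AzureAD' and appear as AzureAD\<UPN>.
    # Get-LocalGroupMember can throw on orphaned SIDs after a domain disjoin, so fall
    # back to the plain 'net localgroup' listing (no SID or source in that case).
    try {
        Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Source = $_.PrincipalSource; SID = $_.SID.Value }
        }
    } catch {
        Write-Warning "Get-LocalGroupMember failed ($($_.Exception.Message)); using net localgroup"
        (& net localgroup Administrators) |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
            ForEach-Object { [pscustomobject]@{ Name = $_.Trim(); Source = 'Unknown'; SID = $null } }
    }
}

$state = Get-JoinState
Write-Output "Join state: $state"
if ($state -eq 'Hybrid Azure AD joined') {
    Write-Warning 'Still domain joined: disjoin from local AD for a pure Azure AD join.'
}
$admins = Get-LocalAdmins
$admins | Format-Table -AutoSize
$aadAdmins = @($admins | Where-Object { $_.Source -eq 'AzureAD' })
if ($aadAdmins.Count -gt 0) {
    Write-Warning ('Azure AD accounts in local Administrators: ' + ($aadAdmins.Name -join ', '))
}
```

Run it once per migrated device (for example as an Intune script or via PsExec); an Azure AD account in the warning line is the OOBE-join admin the first post wanted to avoid, and can be removed with Remove-LocalGroupMember.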
Oct 19 2022 08:25 PM