On Demand Migration for Active Directory (ODMAD) supports Microsoft Entra ID Join device migration for devices running Windows 10 or Windows 11 while preserving the User Profiles and File/Folder Security Permissions.
ODMAD successfully migrates these devices to the target Microsoft Entra ID using the default ODMAD settings, including migrating devices that are already Intune-enrolled and devices that were originally provisioned using Autopilot. In addition to migrating the devices to Microsoft Entra ID, a best practice is to also clear previous Autopilot and Intune settings to allow successful Intune enrollment and management in the target.
This step-by-step guide walks through how to perform Intune managed device migration between two Microsoft Entra ID (Cloud Only) tenants.
This guide is a supplementary document to the Microsoft Entra ID Device Join Quick Start Guide.
This guide covers the following topics:
The high-level process requires modifying the default Microsoft Entra ID Cutover action in ODMAD. Additional tasks need to be added alongside the default tasks:
- BT-EntraIDCutoverPreflight – Default Task
- BT-DownloadReACLConfig – Default Task
- BT-ReACLPrepareWin10Profiles – Default Task
- Autopilot Cleanup – Removes the Autopilot registry keys from the workstation. This should be done after the workstation has been removed from Enrolled Devices in the source tenant.
- Intune Cleanup – Removes the registry keys and associated scheduled tasks on the workstation that relate to the source tenant Intune enrollment.
- SetUserEmailValues – Post migration, the UserEmail registry value is automatically set to the Bulk Enrollment package, which can prevent the workstation from enrolling into the target Intune. This task creates a PowerShell script on the workstation and a Scheduled Task that runs the script after the user has logged on post migration. The script sets the registry value to the target user account.
- BitlockerBackupToEntraID (only required if source workstations are BitLocker enabled) – If the workstation is BitLocker enabled in the source, the recovery key is not automatically transferred to the target Microsoft Entra ID. This task creates a PowerShell script on the workstation and a Scheduled Task that runs the script after the user has logged on post migration. The script escrows the existing recovery key from the workstation and writes it to the target Microsoft Entra ID account.
- SetPrimaryUser (Optional) – Post migration, the Primary User field in the target Intune will be blank. This task creates a PowerShell script on the workstation and a Scheduled Task that runs the script after the user has logged on post migration. The script sets the Primary User value to the target user account. This script requires an additional Enterprise Application to be created and requires ODMAD Global Variables to be configured.
- CleanupLocalAdministratorsGroup (Optional) – If the source user was an Administrator on the machine, the Re-ACL process will put the target user in the Administrators group. This task removes users from the local Administrators group.
- BT-EntraIDCutover – Default Task
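
The pattern described for BitlockerBackupToEntraID (write a script to the workstation, then register a Scheduled Task that runs it after the post-migration logon) can look like the following. This is an added example, not the ODMAD task script; the folder, script name and task name are hypothetical, and it uses only the built-in BitLocker and ScheduledTasks cmdlets.

```powershell
# Added example, not the ODMAD task script. Folder and task name are hypothetical.
$scriptDir  = Join-Path $env:ProgramFiles 'ExampleMigration'   # admin-writable only; the task runs as SYSTEM
$scriptPath = Join-Path $scriptDir 'Backup-BitLockerKey.ps1'
$taskName   = 'Example-BitLockerBackupToEntraID'

# Body of the script that runs after the post-migration logon.
$escrowScript = @'
$ErrorActionPreference = 'Stop'
$volume = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($volume.ProtectionStatus -ne 'On') {
    Write-Output "BitLocker protection is off on $($volume.MountPoint); nothing to escrow."
    exit 0
}
# Only recovery-password protectors can be backed up to the directory.
$protectors = @($volume.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($protectors.Count -eq 0) {
    throw "No RecoveryPassword protector found on $($volume.MountPoint)."
}
foreach ($p in $protectors) {
    # The key goes to the tenant the device is joined to at run time,
    # so this must run only after the cutover to the target tenant.
    BackupToAAD-BitLockerKeyProtector -MountPoint $volume.MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    Write-Output "Escrowed key protector $($p.KeyProtectorId)"
}
'@

New-Item -ItemType Directory -Path $scriptDir -Force | Out-Null
Set-Content -Path $scriptPath -Value $escrowScript -Encoding UTF8

# Run the script as SYSTEM at the next user logon.
$arguments = "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $arguments
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
```

As written, the task fires at every logon; unregister it once the recovery key is confirmed on the device object in the target tenant.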