Tips for migrating Intune managed Windows 10 devices to a new tenant

Let’s start with the bad news up front – if you need to migrate devices to a new tenant you’ll basically need to reset and re-enroll every device.

Why is that? For Azure AD joined Windows 10 devices, the issue is that there is no local admin on the device. Without a local admin, as soon as the Azure AD (AAD) account gets removed, you no longer have access to the device or its contents.

You can test this fairly easily – if you open AAD and delete the record of a device, you will no longer be able to sign in to it. Or on the flip side, if you try to disconnect the account on the device itself, it will prompt you to create a local admin:

Disconnect from organization prompt

Since we’re unable to automate the creation of local admins on AADJ devices, we’re left with resetting the device and re-enrolling from the out of box experience. (I will admit there are some blog posts about creating local admins via Intune, but you really should avoid doing that unless you’ve somehow rebuilt LAPS for AADJ’d devices.)

My personal recommendation is to treat a tenant to tenant migration as if your users were getting a new device. Make sure they back everything up and schedule a time for them to reset the device and set up the “new” one. Unfortunately, USMT (user state migration tool) doesn’t support Azure AD account migrations, so we need to get creative.

Here are some tips to help this process along:

1. If your organization is using OneDrive, enable the “Important PC Folders” backup:

Important PC Folders backup

To automate this process somewhat, consider pushing the following settings via Administrative Template:

  • Silently move Windows known folders to OneDrive
    • Enabled
    • Tenant ID (from Azure Active Directory > Properties > Tenant ID)
    • Show notification to users that folders have been redirected: No
  • Silently sign in users to the OneDrive sync app with their Windows credentials
    • Enabled
  • Use OneDrive Files On-Demand
    • Enabled
  • Prevent users from moving their Windows known folders to OneDrive
    • Enabled

OneDrive settings in Administrative Templates

Automatic sync to OneDrive for Desktop, Documents, and Pictures folders

With these settings in place, a good amount of the data local to the device is synced up to OneDrive. Unfortunately, that data is synced to the wrong (old) OneDrive tenant. Migrating OneDrive content should be handled by a larger M365 (previously O365) migration plan, since that is a common and supported scenario. For general guidance on doing a tenant to tenant M365 migration, take a look at this link: Microsoft 365 tenant-to-tenant migrations. If you’re interested in a step-by-step guide, comment below!
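Before you let a user reset a device, it is worth confirming that the Known Folder Move policy above actually took effect and that Desktop, Documents and Pictures really live inside the OneDrive sync root, otherwise the reset destroys data that never left the machine. The following readiness check is an added example written for this post, not code from the original article or from Microsoft; it reads the documented OneDrive policy and account registry locations, and the tenant ID value at the top is a placeholder you replace with your old tenant’s ID.

```powershell
# Added example: pre-reset readiness check for one Windows 10 device.
# Run in the signed-in user's session (HKCU values are per user).
# Placeholder: replace with the OLD tenant ID, i.e. the one the OneDrive sync client should be connected to today.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'

# Machine-wide policy key written by the Administrative Template (ADMX-backed) settings.
$policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
# Per-user state of the first business account in the sync client.
$account = 'HKCU:\SOFTWARE\Microsoft\OneDrive\Accounts\Business1'
# Where Windows currently resolves the known folders.
$shell   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Policy check: registry values behind the silent-move, silent sign-in and Files On-Demand settings.
$checks = [ordered]@{
    'KFMSilentOptIn = old tenant ID'     = (Get-RegValue $policy 'KFMSilentOptIn') -eq $ExpectedTenantId
    'KFMSilentOptInWithNotification = 0' = (Get-RegValue $policy 'KFMSilentOptInWithNotification') -eq 0
    'SilentAccountConfig = 1'            = (Get-RegValue $policy 'SilentAccountConfig') -eq 1
    'FilesOnDemandEnabled = 1'           = (Get-RegValue $policy 'FilesOnDemandEnabled') -eq 1
}

# 2. Account check: which tenant is the sync client actually signed in to, and where is its sync root?
$tenant  = Get-RegValue $account 'ConfiguredTenantId'
$syncDir = Get-RegValue $account 'UserFolder'
$checks['Sync client signed in to expected tenant'] = ($tenant -eq $ExpectedTenantId) -and [bool]$syncDir

# 3. Folder check: each known folder must resolve inside the sync root, or its files are still local only.
$knownFolders = [ordered]@{ Desktop = 'Desktop'; Documents = 'Personal'; Pictures = 'My Pictures' }
foreach ($kf in $knownFolders.GetEnumerator()) {
    $raw  = Get-RegValue $shell $kf.Value
    $path = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { '' }
    $checks["$($kf.Key) redirected into OneDrive"] =
        [bool]$syncDir -and $path.StartsWith($syncDir, [StringComparison]::OrdinalIgnoreCase)
}

# Report, then exit non-zero if anything is not ready so a wrapper script can hold the reset.
$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'NOT READY' })
}
if ($checks.Values -contains $false) { exit 1 }
```

A NOT READY on any of the folder lines means the user still has data outside OneDrive, so have them copy it into the synced folders (or elsewhere) before the reset.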

2. Migrate your Autopilot devices to your new tenant

Remember – once you reset the device and it’s in OOBE, it will go looking for an Autopilot profile. If the device’s hardware hash is still imported into your old tenant, it will be prompted to re-enroll into the old tenant, and you’re back to square one!

And there’s a second catch – you can only delete devices after they are unenrolled, so you’ll need to time this process accordingly in your migration plan.

In the Microsoft Endpoint Manager admin center, make sure to export and then delete all the devices you plan on migrating:

Export Autopilot devices
Delete Autopilot devices

3. Enable Enterprise State Roaming

Enterprise State Roaming isn’t frequently discussed, but it can help in this situation. And it’s also incredibly easy to enable. Head over to the Azure Portal > Azure Active Directory > Devices > Enterprise State Roaming. Here, you can target which users are enabled for Enterprise State Roaming. Once a user syncs their AAD account, they’ll begin syncing a bunch of Windows 10 settings, such as desktop background, theme, language preferences, and more.

Enterprise State Roaming setting

4. Export your Intune tenant settings and import into the new environment

If this will be a net new Intune environment, one way to save time would be to import your old settings. This won’t import the assignments, but at least all of your configurations will be the same. We wrote a detailed guide on this process in a previous blog post: Export & import your Intune tenant settings – Device Advice

Device Advice blog post for exporting and importing Intune tenant settings

I’ll be on the lookout for more tips to simplify an Intune tenant-to-tenant migration and be sure to keep this post updated. If you have any, please comment below!

As always, happy migrating! 🚀

1 Response

  1. patrick yore says:

    It is possible to add a local admin to an AAD joined device using the command ….
    “net localgroup administrators AzureAD\JohnDoe /add” without the quotes.
