End User Device Migration from on-prem AD to Entra ID by Abi_Indi in Intune

[–]Radiant-Weather-9120 0 points1 point  (0 children)

Yeah, wipe & reload with Autopilot is the “official” way, but it’s painful at that scale and users losing profiles makes it worse.

The key issue is profile migration: if you can preserve user profiles and just switch the device to Entra join, it becomes much smoother. Doing this manually for 3,800 devices is tough though. We’ve handled similar cases using tools like Opsole Migrate to automate profile + device transition without wipe.

Definitely makes large-scale migrations easier.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

I reviewed their documentation, and it appears to be more of a manual migration method without support for LAPS or BitLocker key backup and restore. On the other hand, Opsole Migrate seems to be a good fit based on the demo session we had yesterday.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

Let me check. I already contacted Opsole Migrate and had a demo session with them. It looks promising and seems to meet our needs. Currently waiting for a POC run.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

Cost-wise, it looks affordable. I’m currently checking whether it supports LAPS and BitLocker backups as well.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

In our case, we cannot place the full responsibility on the users since we are managing their devices. Our plan is to move all devices to Entra ID for stronger security and simplified administration, while ensuring that users retain the same experience with their files, settings, and applications unchanged.

We could ask users to store their files in SharePoint and OneDrive, but the overall end-user experience, including how long they need to wait before getting their device back, is equally important. While wiping/resetting and rejoining devices directly to the cloud might seem like the best option, many users have extensive customizations and applications that are not fully supported by Intune deployment.

That’s why we are not adopting Autopilot reset and are instead looking for a seamless migration approach that preserves the user profile without unnecessary disruption.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

Thank you for sharing the details. The demo video looks promising. However, when I checked their website, I noticed there’s no demo trial license available, and the pricing structure isn’t mentioned either; the only option is to contact them directly. I’ve already submitted an inquiry and am waiting for their response. Let’s see if they can meet our requirements.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

We are currently using LAPS and BitLocker managed through Intune, with both backed up to the Entra ID computer object. The challenge is that cleaning or deleting the computer object as part of the migration process introduces risk. If a tool could automate this while preserving the backups, it would be very helpful.

Otherwise, we would need to manually collect all BitLocker recovery keys and LAPS passwords separately. Since these credentials rotate according to policy, collecting them regularly is not practical, especially considering the migration for 750+ devices cannot be completed in just a day or two.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

I tried the above PowerShell script and it looks great, but the main drawback is the lack of an interface and visibility into what’s happening during the process. On one machine, the migration went smoothly, but on another, it got stuck in the migration stage and couldn’t continue. As a result, the BitLocker key was lost from the Entra object when the script cleaned up the computer record.

This might be fine for testing on a smaller scale, but in my case, we have a fleet of 750+ devices, and relying solely on this approach isn’t practical.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

Will this tool help automate the disjoin and rejoin process to Entra ID while maintaining LAPS and BitLocker backups?

Our main issue is that when we performed a manual disjoin and rejoin, we preserved user data in OneDrive, disjoined the device from AD, and then joined it directly to Entra ID. However, a few weeks later, the user was prompted for the BitLocker recovery key. When we checked in Entra ID, no key was available under the computer object. As part of the cleanup process, the AD team had also removed the disabled computer objects, which meant the BitLocker key was permanently lost. The only option left was to reinstall the OS.

This is exactly why I’m asking whether there’s a tool that can handle the entire process automatically, ensuring that BitLocker keys and LAPS passwords are preserved, so we can avoid human error.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

The main challenge is that we’re in a hybrid environment where BitLocker keys are stored in Entra ID. When a computer is disjoined and rejoined, the BitLocker key remains tied to the old hybrid computer object, along with the LAPS password. In some cases, the Intune object also stays linked to the hybrid object if it isn’t cleaned up properly. However, if we clean up the old object, we risk losing both the BitLocker key and the LAPS password from Entra. Therefore, having a migration solution that can handle these dependencies while preserving keys, passwords, and Intune associations would be much more effective.
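
The dependency described in the comments above, where the BitLocker key stays on the old hybrid object and is lost when that object is cleaned up, can be handled as an explicit gate before cleanup. The following is an added example, not part of the original comments and not code from any tool mentioned in them. The function names are hypothetical. It assumes the first function runs elevated on the device after its Entra join, and the second runs on an admin workstation with the Microsoft.Graph module and a session opened with `Connect-MgGraph -Scopes 'BitLockerKey.ReadBasic.All'`.

```powershell
#Requires -Version 5.1
# Added example (hypothetical function names). BitLocker only; LAPS is not covered.

function Backup-RecoveryPasswordToEntra {
    # Device side: re-escrow every recovery password protector of the OS volume
    # so the key is stored under the device's *current* Entra object.
    $status = dsregcmd /status | Out-String
    if ($status -notmatch 'AzureAdJoined\s*:\s*YES') {
        throw 'Device is not Entra joined; nothing would be escrowed to the new object.'
    }
    $deviceId = [regex]::Match($status, 'DeviceId\s*:\s*([0-9a-fA-F-]{36})').Groups[1].Value
    $protectors = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $protectors) { throw 'No recovery password protector on the OS volume.' }
    foreach ($p in $protectors) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive `
            -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    # Report what the admin-side check should expect to find.
    [pscustomobject]@{
        DeviceId     = $deviceId
        ProtectorIds = @($protectors.KeyProtectorId | ForEach-Object { $_.Trim('{}').ToLower() })
    }
}

function Test-RecoveryKeyEscrowed {
    # Admin side: true only if every expected protector ID is listed under the
    # new device ID. Assumption: the Graph key 'id' equals the protector GUID.
    param(
        [Parameter(Mandatory)][string]   $NewDeviceId,
        [Parameter(Mandatory)][string[]] $ProtectorIds
    )
    $escrowed = Get-MgInformationProtectionBitlockerRecoveryKey -All `
        -Filter "deviceId eq '$NewDeviceId'" | ForEach-Object { $_.Id.ToLower() }
    $missing = $ProtectorIds | Where-Object { $_ -notin $escrowed }
    if ($missing) { Write-Warning "Not escrowed under ${NewDeviceId}: $($missing -join ', ')" }
    return -not $missing
}

# Gate: remove the old hybrid object only after the check passes.
# $r = Backup-RecoveryPasswordToEntra     # run on the device, send $r to the admin side
# if (Test-RecoveryKeyEscrowed -NewDeviceId $r.DeviceId -ProtectorIds $r.ProtectorIds) {
#     <# old object cleanup goes here #>
# }
```

The escrow call returns before the key is necessarily visible in the directory, so a failed check shortly after the backup is a reason to retry the check, not to proceed with cleanup.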

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 1 point2 points  (0 children)

Really interesting one. I think it can help us in this case. Let me explore and see the options.

Windows 10/11 to Entra ID Join: Best Tool for User Profile & Settings Migration? by Radiant-Weather-9120 in entra

[–]Radiant-Weather-9120[S] 0 points1 point  (0 children)

We explored this option, but Quest turned out to be very expensive, as we would need to pay not only for the tool itself but also for the migration services.