Love it. Great work Steve and co.

Does this support Windows 10. Looking at maybe this is the route we can go to get our migration to intune and use it to do feature update to win11

I tried this but somehow it is not detecting the personal teams therefore it is not running the remediation. Manually it is detecting that teams is installed.

How can i remove Teams personal during autopilot setup, also from existing devices... I just want to keep corporate Teams installed...

Does GPO stay affected to the machine when Entra joined, same for mapped network drives?

Fantastic Job Steve!

Amazing Video, now I could implement this in our environment and users can access file share without a password entering

what would be the Enrollment profile name under Hardware ? Can we set the profile and Tag details as well ? Thanks.

Niceee. But if source user has OneDrive with backup activated so he has many files on desktop but they are on demand. Is this will be a issue¿ how do you see this done ? Should I unlink the OneDrive prior to the script? Is not an option to set OneDrive to keep on device because is over the hdd size. I have much to think about 😂

Does this solution take a device from Entra Hybrid Domain Join to Entra Join?

Is there configuration needed in the script? I don't understand how it auto detects the entra ID settings to join to intune... Does it need an account hard-coded to do the join or does it use some service account

Does this tool work for Hybrid to Cloud?

would this take a device from hybrid to entra joined?

Hello, thank you for the video. was the part two relised ?

if i remember correctly, Microsoft don't support to remove device from domain and then join to Entra ID.

This is exactly what I need for a few of my clients as wiping and restoring is not an option. What are the gotchas for this use case since the script is meant for tenant to tenant migration?

Thanks, dude. This really helped.

Is this a free tool from MS?

Is there an option to assign a group tag in the migration script?

This looks awesome. Just a question, what happens to any local user data? Desktop, pictures, documents. I assume if it’s the same profile this will still reside in the original places?

Hi Steve, our organization uses OneDrive KFM. Will this still work OK with profiles that have OneDrive backup enabled?

Good stuff. Do you disable hello or keep it?

would it take care of the autopilot enrollment mfa prompt as well?

Excellent. Looking forward to what comes next. 🙃

Nice one!

Excellent Steven, looking forward to the hybrid!

You are just a MAGICIAN. I look forward to your new videos every day! Thank you very much for this and your time!

Thank you so much for making appliation packaging smooth.

Any options to move from hybrid with co-managed ....to Entra Joined with Intune ... retaining user profile ?

My client side script will not write to registry when ran from intune

Can the background music be removed/or muted???

is it applicable for new device setup or existing devices too?

When I saw this pop up I thought it was an official MS thing that was being enabled in Intune. It's still odd that there isn't a proper supported method. I'm very impressed that you've been able to get this to work so well though. I will be eagerly following this to see about going from hybrid to cloud native. Thank you!

I have the similiar issue following the process. Can you help me fixing this issue on priority plz. Hi, I have followed the instructions and tried to block the MS store block on windows 11 pro, however after applying OMA URI I got an error code (Policy [./Vendor/MSFT/AppLocker/ApplicationLauncherRestrictions/storerule001/StoreApps/Policy] Error -2016345707) Kindly suggest if you have some remediation suggestions on priority.

I’m excited to see version 7…. I had some occasions with 6.2 that left the pc in limbo if the user authentication to the destination tenant failed.

Thank you so much for this amazingly detailed video!!! I guess I am still stuck in the "OG" Autopilot mindset, because I am confused as to how will Autopilot V2 know to enroll my new device to the correct device group (W2), withOUT me uploading the hardware hash and assigning it to a device group in order for the policies and profiles to attach to it. How will this "Intune Autopilot Confidential client" Know how to recognize my brand new laptop, apply the apps and policies to it without knowing its Identification(hardware hash)? This is where Im still lost

Appreciate all the info about V2! Couple of questions - We really like having the device name template with V1, which I know isn't available in V2. There a way to set this via Intune or suppose could come up with a PS script for this? Secondly, for the corporate identifiers, appreciate the info on the automation for importing exiting devices but wondering if OEMs could automatically add devices you purchase to this, as they do for V1?

Hi @getrubix, another fantastic post! Since we rotate the keys every 30 days, the outdated ones continue to populate on the Microsoft page. Can the outdated Bitlocker keys be cleared from Microsoft Portal via the script? When the end user is redirected to verify the Bit-locker keys when necessary, this could cause confusion with seeing a lot of them listed on the page.

Hi, I have followed the instructions and tried to block the MS store block on windows 11 pro, however after applying OMA URI I got an error code (Policy [./Vendor/MSFT/AppLocker/ApplicationLauncherRestrictions/storerule001/StoreApps/Policy] Error -2016345707) Kindly suggest if you have some remediation suggestions on priority.

I used the intune remediation to remove personal teams ,but the user who has logged in will still exist teams personal, new user signing in the teams personal doesn't appearr anymore. it seems that Teams Personal under the user cannot be deleted? The detection script has always been able to detect the presonal Teams .

Nice video! Thank you.

This is a great script, but I have a question: is it reliable to compare the Event Time created and look for Event ID 845 in the Win-Eventlog for the "Microsoft-Windows-BitLocker-API" to see if it was successfully backed up to Microsoft? Instead of using the Registry setting. $EventProviderName = "Microsoft-Windows-BitLocker-API" $startDate = (Get-Date -Year 2022 -Month 7 -Day 20).Date $EventMessage = "BitLocker Drive Encryption recovery information for volume C: was backed up successfully to your Azure AD." $EventID = (Get-WinEvent -ProviderName $EventProviderName -ErrorAction 'SilentlyContinue' | Where-Object {($_.TimeCreated -gt $startDate) -and ($_.Message -match $EventMessage)}).id | Sort-Object -Unique

Please share the script

Thanks for the pod! These are good tools & techniques. A great resource for sure! I just get the feeling that for this particular scenario, there are simpler ways to get it done, like Maxime says. A runbook could do all devices at once, whether online or offline.

Hey, I have set this up with AddDAys(1) so I can force a rotation of all keys. The runbook runs and says the key has been rotated but it's not changing. Is there a time on this or should it be instant? I'm using V2 of the scripts. Thanks

Is this really working? I have tired to add my VM and the VMs identifier is uploaded. Maybe I am just missing something, getting the same error as if its a personal device.

Question for you. We already have devices in production. Does turning on "Await final configuration" and setting up "local Primary account", have an effect on already set-up devices?

Hey Great insights like always !! Really like the client authentication to the function app. My only question in this case why would use a remediation script on the client that calls the function app and not run a run book that does graph api calls to intune to check if the device is win 11 or win 10 and based on that information update the group tag if required. Or am i missing something here ? regards maxime

Ok, a couple questions that I have not yet been able to resolve. Certain parts appear to no longer be working. The right click contextual menu doesn't seem to work, I have gotten it worken but by deploying to the current user not via this default user, which is a bit annoying! The other thing that doesn't appear to be working via this method is the Search Taskbar doesn't appear to be amending. Again ive got that working by editing the Current user but wondered if there was any advice you could give for running in this way now?

Hello, for the local test why did you use SYSTEM account please ?