Welcome to Opsole Migrate

Enterprise Windows device migration to Microsoft Entra ID without wipe or reimage. Preserve user profiles, BitLocker keys, LAPS passwords, Intune enrollment, and cloud group memberships during in-place migration from Active Directory, Hybrid, or cross-tenant environments.

Enterprise Device Migration to Microsoft Entra ID - Without Wipe or Reimage

Opsole Migrate is a purpose-built endpoint modernization solution that transitions Windows devices to a Microsoft Entra ID joined state in place - without destructive resets, profile loss, or on-premises migration infrastructure.

The platform is designed for enterprise-scale device modernization projects including Active Directory decommissioning, Hybrid Microsoft Entra ID exit strategies, and cross-tenant device migrations during mergers, acquisitions, and divestitures. The migration process executes directly on the endpoint, preserving the existing user profile, device configuration, and management posture while transitioning the device to a new Microsoft Entra identity.

Opsole Migrate not only preserves the existing Windows user environment, but also restores Intune primary user assignment, preserves cloud group targeting, supports post-migration group automation, backs up BitLocker and LAPS data, and cleanly transitions device management state to the target tenant.

Whether you are converting thousands of domain-joined devices to cloud-native endpoints or consolidating tenants after an acquisition, Opsole Migrate enables enterprise-scale in-place device migration with minimal end-user disruption.


Applies To

Opsole Migrate applies to enterprise Windows endpoint migration scenarios where existing devices must be transitioned to Microsoft Entra ID without wiping or reimaging the operating system.

| Area | Supported scope |
|---|---|
| Operating systems | Windows 10 and Windows 11 |
| Source identity states | Active Directory Joined, Hybrid Microsoft Entra ID Joined, Microsoft Entra ID Joined for tenant-to-tenant migration |
| Target identity state | Microsoft Entra ID Joined |
| Device management | Microsoft Intune-managed or Intune-ready Windows endpoints |
| Migration scenarios | AD modernization, Hybrid Entra exit, tenant consolidation, mergers, acquisitions, and divestitures |

Intended Audience

This documentation is intended for:

  • Endpoint and desktop engineering teams
  • Microsoft Intune administrators
  • Microsoft Entra ID administrators
  • Migration project teams
  • Security, compliance, and risk reviewers
  • Service desk and endpoint support teams preparing for migration rollout

How Opsole Migrate Compares

Many reset-based Microsoft-native migration approaches require rebuilding the user environment, including removal of locally installed applications, user settings, and personal files. Manual unjoin and rejoin approaches can avoid a full reset, but typically create a new Windows profile and require significant manual remediation. Agent-based migration tools may introduce additional infrastructure or operational dependencies. Opsole Migrate is designed to avoid these outcomes through an in-place endpoint migration workflow.

| Capability | Autopilot Reset (Native) | Manual Unjoin / Rejoin | Agent-Based Tools | Opsole Migrate |
|---|---|---|---|---|
| Device wipe required | Common in reset-based approaches | No, but typically creates a new profile | Varies | No - in-place migration |
| User profile preserved | No - rebuilt from scratch | No - new profile created | Partial | Yes - preserves the existing Windows user profile and device state |
| User downtime | Typically hours per device | 1-2 hours + manual work | Varies | Minutes - automated reboots only |
| On-premises servers | No | No | May require additional infrastructure | No |
| BitLocker key continuity | Keys lost during reset | Risk of orphaned keys | Not commonly available | Automatic backup and restoration support |
| LAPS password continuity | Lost | Lost | Not commonly available | Automatic backup and restoration support |
| Intune primary user preserved | No - must reassign | No | Not commonly available | Automatic retrieval and reassignment |
| Cloud group membership preserved | No | No | Not commonly available | Automatic backup and restoration |
| Custom device attributes | No | No | Not commonly available | Automatic assignment post-migration |
| Duplicate device prevention | No - creates new object | Risk of duplicates | Varies | Automatic source object cleanup |
| Enterprise deployment | Individual reprovisioning | Manual per device | Agent deployment overhead | Bulk deployment via Intune, GPO, or other endpoint management platforms |
| VPN required | No | Often | Often | No |

Why Organizations Choose Opsole Migrate

  • Migrate existing Windows devices to Microsoft Entra ID without wipe or reimage
  • Preserve the existing user profile and working environment, with no loss of user profile data during device migration
  • Maintain management continuity across Intune, Autopilot, BitLocker, and LAPS
  • Preserve cloud group targeting and automate post-migration policy assignment
  • Execute migrations remotely without VPN or Active Directory line-of-sight
  • Scale migrations across global enterprise fleets using existing deployment tools
  • Migrate domain-joined devices to Microsoft Entra ID without reimaging

Supported Device Migration Scenarios

Opsole Migrate supports every common device identity transition scenario. Each path executes in-place on the device without reimaging or wiping the operating system.

| Source State | Target State | Scenario |
|---|---|---|
| Active Directory Joined | Microsoft Entra ID Joined | AD modernization, domain controller decommissioning |
| Hybrid Microsoft Entra ID Joined | Cloud-Only Microsoft Entra ID Joined | Hybrid AD decoupling, cloud-native endpoint strategy, Zero Trust architecture |
| Microsoft Entra ID Joined (Tenant A) | Microsoft Entra ID Joined (Tenant B) | Mergers, acquisitions, divestitures, tenant consolidation |
| Cross-Tenant Intune Managed | Intune Managed (New Tenant) | Cross-tenant Intune device migration with enrollment switch |

Supported and Not Supported Summary

| Supported | Not supported |
|---|---|
| Active Directory Joined devices with corresponding Microsoft Entra users | Workgroup-only devices |
| Hybrid Microsoft Entra ID Joined devices | Devices without a corresponding Microsoft Entra user identity |
| Microsoft Entra ID Joined devices for tenant-to-tenant scenarios | Windows Home edition |
| Microsoft Intune-managed or Intune-ready Windows devices | Roaming profiles, mandatory profiles, temporary profiles, or corrupted profiles |
| Single-user and supported multi-user profile migration scenarios | FSLogix, Citrix profile management, VDI, or other profile-container technologies |

For full details, see Known Behaviors & Considerations.
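
The identity states in the tables above can be checked on a device before it is placed in a migration wave. The PowerShell below is an added example, not Opsole code and not the product's own validation logic: it parses dsregcmd /status output (the AzureAdJoined, DomainJoined, WorkplaceJoined and TenantId fields) and maps it to the source states listed above. Get-JoinState, its parameters and the sample output are constructed for illustration.

```powershell
# Added example, not Opsole code. Get-JoinState is a hypothetical helper name.
function Get-JoinState {
    param(
        # Lines of `dsregcmd /status` output (blank lines are expected).
        [Parameter(Mandatory)][AllowEmptyString()][string[]] $StatusText,
        # Optional: ID of the tenant the device is expected to be joined to today.
        [string] $ExpectedSourceTenantId
    )

    # dsregcmd prints one "Name : Value" pair per line; section banners start
    # with "+" or "|" and do not match the pattern.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    # Fail closed on truncated or unexpected output instead of guessing a state.
    $missing = @('AzureAdJoined', 'DomainJoined' |
        Where-Object { -not $fields.ContainsKey($_) })
    if ($missing.Count -gt 0) {
        throw "dsregcmd output is missing: $($missing -join ', ')"
    }

    $entra  = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'

    if     ($entra -and $domain) { $state = 'Hybrid Microsoft Entra ID Joined' }
    elseif ($domain)             { $state = 'Active Directory Joined' }
    elseif ($entra)              { $state = 'Microsoft Entra ID Joined' }
    else                         { $state = 'Workgroup-only' }

    $notes = @()
    if ($state -eq 'Workgroup-only') { $notes += 'Not a supported source state.' }
    if ($wpj) { $notes += 'Entra registered (Workplace Join) record present.' }
    if ($entra -and $ExpectedSourceTenantId -and
        $fields['TenantId'] -ne $ExpectedSourceTenantId) {
        $notes += "Joined to tenant $($fields['TenantId']), not the expected source tenant."
    }

    # dsregcmd cannot show whether a matching Entra user exists or which
    # Windows edition is installed; those table rows need separate checks.
    [pscustomobject]@{
        JoinState      = $state
        SupportedState = $state -ne 'Workgroup-only'
        TenantId       = $fields['TenantId']
        Notes          = $notes
    }
}

# Constructed sample output (tenant name and ID are placeholders).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : EXAMPLE

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Example Tenant (constructed)
                  TenantId : 00000000-0000-0000-0000-000000000001

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-JoinState -StatusText $sample `
    -ExpectedSourceTenantId '00000000-0000-0000-0000-000000000001'

# On a live device: Get-JoinState -StatusText (dsregcmd /status)
```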


Prerequisites Snapshot

Before running Opsole Migrate, confirm that the following are prepared:

  • Microsoft Intune and Microsoft Entra ID licensing is assigned and active
  • Target devices are in a supported Windows and identity state
  • Microsoft Entra device join and Intune automatic enrollment are configured
  • Required Microsoft Graph application permissions are granted with admin consent
  • The Opsole Migrate Entra application registration and client secret are configured
  • A valid provisioning package is created and tested for the correct tenant
  • An Active Directory disjoin account is prepared for AD Joined or Hybrid Joined devices
  • Required Microsoft and Opsole service endpoints are reachable over HTTPS 443
  • EDR, antivirus, application control, and hardening policies allow Opsole Migrate execution

For the complete prerequisite procedure, see Migration prerequisites overview.


Security and Privacy Summary

Opsole Migrate operates at the device identity and system configuration layer. It does not scan, read, copy, upload, or inspect user documents, emails, browser history, or file contents.

The platform uses limited operational metadata to support licensing, migration status, diagnostics, and recovery workflows. Optional recovery data, such as BitLocker recovery keys and LAPS passwords, is handled as sensitive recovery information and is used only for supportability and break-glass recovery scenarios.

Microsoft Graph access is performed through a customer-controlled Microsoft Entra application registration, with permissions granted by the customer tenant administrator.


Migrate Windows Devices Without Resetting the Operating System

Most Microsoft guidance requires resetting or reimaging devices when converting to Microsoft Entra ID. Opsole Migrate provides an alternative approach that converts the device identity in place without resetting Windows.

The device operating system, applications, files, and user configuration remain unchanged while the identity transition is completed. There is no device reset, no factory restore, and no Autopilot reprovisioning required. Users experience only brief, automated reboots during the transition - not hours of downtime rebuilding their environment.

This allows organizations to modernize device identity without disrupting the end-user environment.


Alternative to Autopilot Reset

Microsoft Autopilot Reset rebuilds the device from scratch, requiring users to reinstall applications and restore their environment. This process typically results in hours of user downtime and loss of the existing user environment, including application settings and local profile state.

Opsole Migrate provides an alternative by converting the device identity in place without resetting Windows or rebuilding the user profile. The existing Windows user environment is preserved and remapped to the new identity - making it a direct replacement for Autopilot reset when migrating existing managed devices.


User Profile Preservation During Domain Migration

The existing Windows user profile is preserved in-place during the identity transition - no copying, no rebuilding, no new profile creation. Opsole Migrate maps the existing profile to the new Microsoft Entra ID identity, ensuring users return to the same working environment after migration.

Profile preservation includes:

  • User profile mapping to the new Microsoft Entra ID identity
  • Desktop layout and icon arrangement
  • Application configuration and preferences
  • Browser profile and saved state
  • Local user files retained without copying or transferring
  • Existing profile settings, application state, cached configurations, and local policy artifacts retained as they exist on the device
  • Multi-user profile migration for shared devices - all profiles migrated independently

The system does not copy, scan, or extract user files during migration. Opsole Migrate performs profile reassociation at the identity and permissions layer so the existing profile, data, settings, cached configurations, and locally retained policy state remain in place.

After migration, new or updated policies are controlled by the target Microsoft Entra ID and Intune environment. Any existing cached settings remain on the device until they are replaced, removed, or superseded by the organization's target management policies.


Policy Targeting Continuity

Many device migration approaches cause policy drift because devices lose their original cloud group memberships during the identity transition.

Opsole Migrate preserves policy targeting by restoring the device's cloud security group memberships after migration.

This ensures that:

  • Conditional Access policies remain enforced
  • Intune configuration profiles remain assigned
  • Security baselines continue to apply
  • Compliance policies remain intact

Devices continue receiving the same policies immediately after migration with no manual remediation required.


Intune Primary User Retrieval and Reassignment

Opsole Migrate retrieves the existing Intune primary user assignment before migration and automatically restores it after the device joins the new tenant.

This preserves the device ownership relationship in both Microsoft Entra ID and Microsoft Intune, ensuring that:

  • User-targeted Intune policies and application assignments continue to apply correctly
  • Device ownership records are maintained for compliance and auditing
  • IT administrators do not need to manually identify and reassign primary users across potentially thousands of devices

Without this capability, organizations face significant operational overhead re-establishing user-device relationships after migration.


Cloud Device Group Membership Restoration

The device's Microsoft Entra ID cloud security group memberships are captured before migration and automatically restored after the device joins the target tenant. This preserves Conditional Access policies, compliance policies, configuration profiles, and application assignments that are targeted via group membership - preventing the policy drift that commonly occurs when devices lose their group associations during identity transitions.

No manual remediation is required after migration.


Post-Migration Group Automation

Opsole Migrate can automatically manage device group membership during and after migration.

Post-Migration Group Auto-Assignment

A designated cloud group can be configured in the Opsole Migrate portal so that migrated devices are automatically added after migration completes.

Use case: Create a "Migrated Devices" security group containing the required Intune security baselines, configuration profiles, and compliance policies. Every device that completes migration is automatically added - policies apply immediately with no manual IT action required across the entire fleet.

This removes the need for manual device-by-device group assignment after migration.

Group Exclusion

Specific groups can be excluded from the restoration process, preventing devices from being re-added to groups that are no longer applicable in the target environment. This ensures clean group hygiene and avoids policy conflicts from legacy group memberships.


Custom Device Attribute Assignment

Opsole Migrate allows administrators to assign a custom device attribute during migration. The attribute is automatically applied to the Microsoft Entra ID device object after the device joins the target tenant.

This enables:

  • Device classification and tagging for migrated devices
  • Dynamic group membership based on custom attributes
  • Policy targeting based on migration status
  • Automation workflows and reporting based on device metadata

Intune, Autopilot, and Device Management Continuity

Opsole Migrate automates the full device management lifecycle during cross-tenant Windows device migration, ensuring the device is cleanly transitioned to the target tenant's management stack.

  • Microsoft Entra device and Intune device object cleanup - existing device registrations, MDM enrollment records, and MDM certificates are removed from the source tenant
  • Intune enrollment switch - the device is cleanly deregistered from the source Intune tenant and enrolled in the target tenant, avoiding policy tattooing and stale compliance states
  • Autopilot registration - the device is registered in Windows Autopilot in the target tenant after migration, enabling device lifecycle management and Zero Touch provisioning
  • SCCM client removal - the Microsoft Configuration Manager (SCCM/MECM) client is removed during migration to prevent management conflicts with Intune
  • Microsoft Entra registered (Workplace Join) cleanup - stale Workplace Join registrations are cleaned up to prevent join state conflicts

These capabilities prevent common migration issues including:

  • Duplicate device records in Microsoft Entra ID and Intune
  • Enrollment conflicts during re-registration
  • Policy targeting failures due to orphaned objects
  • Compliance drift from stale MDM state

BitLocker Recovery Key Backup to Microsoft Entra ID

BitLocker recovery keys are automatically backed up and escrowed to the target Microsoft Entra ID tenant during migration. This ensures that recovery keys are never lost during the identity transition - a critical security requirement that is commonly overlooked during domain unjoin operations.

Without automated BitLocker key migration, organizations risk permanent data loss if a device requires recovery after the identity transition.


LAPS Password Backup and Continuity

Local Administrator Password Solution (LAPS) credentials are backed up during migration, maintaining IT administrative access to the device throughout the identity transition.

When a device leaves its source domain or tenant, LAPS passwords stored in Active Directory or the source Microsoft Entra tenant become inaccessible. Opsole Migrate preserves these credentials, ensuring IT never loses local administrator access - even during the transition window between source and target environments.

This capability is not commonly available in traditional profile migration tools or reset-based approaches, leaving organizations with a critical administrative access gap during migration.


Migration Safety and Validation

Opsole Migrate performs automated validation checks before migration begins to ensure the device environment is ready.

Validation checks include:

  • Device join state verification
  • Graph API permission validation
  • Provisioning package readiness
  • BitLocker and LAPS status validation
  • Network connectivity verification
  • Microsoft Entra ID authentication and token acquisition
  • Detection of configuration blockers that could cause migration failure

These checks reduce migration failure rates and prevent devices from entering inconsistent identity states.


Lightweight Endpoint Architecture

Opsole Migrate uses a lightweight endpoint execution model designed for enterprise environments.

The migration executes locally on the device through a controlled endpoint workflow designed to complete the identity transition without requiring persistent on-premises infrastructure.

This architecture eliminates the need for:

  • Persistent endpoint agents
  • On-premises migration servers
  • Domain controller agents
  • Directory synchronization infrastructure

Organizations can deploy the migration using their existing endpoint management platform without introducing additional infrastructure.


Enterprise Deployment - No Servers, No VPN, No Agents

  • Deployment via Microsoft Intune, Group Policy (GPO), or any MDM - the migration package is deployed as a standard MSI or Win32 application through your existing endpoint management platform
  • No on-premises migration servers - the solution operates locally on each device and communicates with the Opsole cloud portal and Microsoft Entra ID endpoints over standard HTTPS (port 443)
  • No VPN required - devices can be migrated remotely without line of sight to Active Directory domain controllers, enabling migration of remote and distributed workforces without requiring devices to be shipped to IT staging locations
  • No persistent agents - Opsole Migrate executes the migration and completes; it does not install a permanent background service or agent on the device
  • Code-signed executables - all Opsole Migrate binaries are signed with the Opsole code-signing certificate for EDR and security policy compatibility

Migration Execution Options

  • User-initiated self-service migration - end users can initiate the migration through a guided interface, reducing IT coordination overhead
  • IT-scheduled silent migration - migrations can be deployed and triggered silently at scale via Intune or GPO, supporting automated bulk migration of thousands of devices without user interaction
  • Migration waves - devices can be migrated in planned waves aligned with organizational change management for controlled enterprise rollout
  • Remote workforce migration - devices are migrated in place, wherever they are, without requiring users to visit an office or connect to a corporate VPN

Operational Expectations

During a standard migration, administrators and users should expect the following behavior:

  • The Opsole Migrate MSI is deployed to target devices through Intune, GPO, another endpoint management platform, or manual installation
  • Migration can be initiated by the user or triggered silently depending on the deployment model
  • The device performs automated migration phases with controlled reboots
  • A migration banner is displayed during the protected migration stage
  • Users must not sign in while the migration-in-progress banner is displayed
  • After the device is joined to Microsoft Entra ID, the user signs in with their Entra ID credentials
  • Migration status is available in the Opsole Migrate portal and through local Windows event logs
  • Recovery procedures are available through the Troubleshooting Guide and Knowledge Base

Monitoring, Telemetry, and Diagnostics

The Opsole Migrate portal provides centralized visibility into migration progress across the device fleet.

  • Per-device migration status tracking - completed, in-progress, and failed migrations are visible in the portal with detailed status for each device
  • Real-time migration progress telemetry - live progress updates are streamed during execution, providing visibility into each step as it completes
  • Central reporting - migration execution data is available for reporting, auditing, and project tracking
  • Event log integration - migration events are written to the Windows Event Log on each device, enabling integration with existing monitoring, SIEM, and IT operations tooling
  • Knowledge Base and troubleshooting documentation - a comprehensive Knowledge Base and Troubleshooting Guide are available for error resolution and recovery procedures

Enterprise Use Cases

Opsole Migrate is designed for several common enterprise device modernization scenarios.

Active Directory Decommissioning

Organizations retiring on-premises Active Directory infrastructure can convert existing domain-joined devices directly to Microsoft Entra ID joined without reimaging or rebuilding user environments.

Hybrid Identity Exit Strategy

Enterprises moving from Hybrid Microsoft Entra ID joined to a fully cloud-native endpoint architecture can transition devices without resetting them, enabling a clean break from on-premises domain controllers.

Mergers and Acquisitions

During mergers and acquisitions, devices can be moved from one Microsoft 365 tenant to another without wiping the device, preserving user productivity and reducing M&A integration timelines.

Divestitures

When business units are separated into new tenants, devices can be migrated without requiring employees to rebuild their environments, enabling rapid organizational separation.

Remote Workforce Modernization

Devices can be migrated remotely without requiring VPN connectivity or Active Directory line-of-sight, enabling organizations to modernize their entire distributed workforce without hardware shipping or on-site IT presence.


Enterprise Scale

Opsole Migrate is built for large-scale enterprise device modernization projects involving thousands of endpoints.

  • Large enterprise migration waves - phased rollout aligned with organizational change management
  • Automated bulk migrations - deploy and execute migrations across thousands of devices simultaneously
  • Global remote workforce - migrate devices wherever they are, without VPN, hardware shipping, or on-site IT presence
  • Hardware lifecycle extension - move existing Windows 10 and Windows 11 devices to modern cloud management without premature hardware refreshes
  • Minimal end-user interaction - the migration process requires only brief automated reboots, keeping downtime to minutes rather than hours

Pilot and Wave Planning

Enterprise migrations should be executed in controlled phases.

Before broad deployment:

  • Run a pilot with representative devices, users, applications, and network locations
  • Validate provisioning package behavior on test devices
  • Confirm Microsoft Entra ID, Intune, Conditional Access, and EDR/AV settings
  • Brief the service desk on expected migration behavior and recovery steps
  • Define migration success criteria, rollback ownership, and escalation paths
  • Schedule production rollout in waves aligned to business units, locations, or user groups

A controlled pilot helps identify environment-specific blockers before large-scale migration.


What Opsole Migrate Does and Does Not Do

Opsole Migrate DOES:

  • Migrate the device identity from source to target directory
  • Preserve and remap the local user profile to the new Microsoft Entra ID identity
  • Back up BitLocker recovery keys and LAPS passwords to the target tenant
  • Clean up source tenant device objects, MDM enrollment, and Autopilot registrations
  • Restore cloud group memberships and apply custom device attributes
  • Retrieve and reassign Intune primary user ownership
  • Operate using minimal, scoped Microsoft Graph API permissions

Opsole Migrate DOES NOT:

  • Scan, index, extract, or store user files, emails, documents, or personal data
  • Copy or transfer user files to Opsole systems or any external location
  • Inspect mailbox, browser, or application content
  • Require persistent agents installed on devices
  • Require on-premises migration servers or domain controller agents
  • Leave orphaned device objects or tattooed policies in the source tenant

Compliance and Security Posture

Opsole Migrate is designed to align with enterprise security and compliance expectations.

  • Code-signed executables with Opsole certificate
  • Minimal, scoped Microsoft Graph API permissions
  • No persistent agents installed on devices
  • No user data scanning or extraction
  • Shared responsibility model documented in Security and Privacy

Prerequisites

For supported device states, licensing requirements, network configuration, and Graph API permissions, see the Migration prerequisites overview guide.


Frequently Asked Questions

Does Opsole Migrate require a device reset or reimage?

No. The migration executes in-place on the device. The operating system, user profile, applications, files, and settings are preserved throughout the transition.

How is Opsole Migrate different from Autopilot reset?

Autopilot reset wipes the device and rebuilds it from scratch, typically causing hours of user downtime and loss of the existing user environment. Opsole Migrate transitions the device identity without touching user data or applications, keeping downtime to minutes.

Does it support cross-tenant device migration for M&A?

Yes. Opsole Migrate supports cross-tenant Windows device migration, cleanly handling Intune deregistration, Microsoft Entra device cleanup, Autopilot re-registration, and profile preservation across different Microsoft Entra ID tenants.

What happens to the user's files and desktop?

The existing Windows user environment is preserved and remapped to the new identity. No files are moved, copied, or deleted.

Are BitLocker recovery keys preserved?

Yes. BitLocker recovery keys are automatically backed up and escrowed to the target Microsoft Entra ID tenant during migration.

Is LAPS password continuity maintained?

Yes. LAPS credentials are backed up during migration, ensuring IT administrative access is never lost during the identity transition.

Does it preserve Intune primary user assignment?

Yes. The Intune primary user is retrieved from the source tenant and automatically reassigned in the target tenant after migration, preserving device ownership in both Microsoft Entra ID and Intune.

Does it preserve cloud group memberships?

Yes. Cloud security group memberships are backed up before migration and restored after the device joins the target tenant, preserving policy targeting and compliance state.

Can we automatically add devices to a group after migration?

Yes. A post-migration group can be configured so that all migrated devices are automatically added, enabling immediate policy application without manual group assignment.

Can we exclude devices from specific groups during migration?

Yes. Specific groups can be excluded from the restoration process to prevent legacy group memberships from carrying over to the target environment.

Can we assign custom attributes to devices after migration?

Yes. A custom device attribute can be configured and automatically applied to the Microsoft Entra ID device object after migration for identification, dynamic groups, or policy targeting.

Do we need on-premises migration servers?

No. Opsole Migrate operates locally on each device and communicates with cloud endpoints over HTTPS. No on-premises servers, domain controller agents, or VPN connectivity is required.

Can it be deployed remotely via Intune?

Yes. The migration package is deployed as a standard MSI or Win32 application through Microsoft Intune, Group Policy, or any MDM solution. Devices can be migrated silently without user interaction.

Does Opsole Migrate scan or access user files?

No. Opsole Migrate does not scan, index, extract, or store any user files, emails, documents, or personal data. It operates exclusively on device identity configuration.

Does it support Windows 10 and Windows 11?

Yes. Opsole Migrate fully supports Windows 10 and Windows 11 endpoints.

How long does the migration take?

The automated process requires only brief reboots. End-user interruption is measured in minutes, not hours.
