Known Issues and Limitations

This section outlines important considerations, limitations, and configuration requirements to be reviewed before initiating a migration using Opsole Migrate.

Multi-Factor Authentication (MFA) Requirements

The “Require MFA to register or join devices” setting in the Microsoft Entra ID Device settings must be set to No for automated Entra join to function correctly.
Any Conditional Access policies enforcing MFA for device registration or join must exclude the bulk provisioning (package) account used during migration.

Intune Enrollment & Configuration

Windows automatic MDM enrollment in Microsoft Intune must be set to All users or include the group containing migrating users.
Windows Information Protection (WIP) must be set to None in Intune auto-enrollment settings.
Devices previously enrolled with WIP may experience Intune enrollment or migration failures.
Ensure the device is either:
- Fully managed by Intune, or
- Not enrolled in Intune at all
  but not configured with WIP.

Conditional Access & Network Restrictions

If Conditional Access policies restrict device join or registration based on public IP locations, ensure the migrating device is connecting from an allowed IP address.
The bulk provisioning account created in Microsoft Entra ID must remain unchanged and unmodified throughout the entire migration window.

Testing and Proof of Concept (Recommended)

Conduct Proof of Concept (PoC) testing on as many representative workstations as possible prior to full rollout.
Special attention should be given to:
- Business-critical applications
- Third-party applications
- In-house or custom-developed software

This helps identify compatibility issues and background processes that may interfere with migration.

User Profile in Use (Known Limitation)

Currently, if a user profile remains loaded or in use after a reboot, that profile and its associated applications cannot be reconfigured or re-permissioned during migration.

In such cases, event log errors similar to the following may appear:

The process cannot access the file because it is being used by another process.

This condition typically occurs when:

A Windows service is configured to run under the user’s context
Scheduled tasks execute using the user account
Background agents or security tools preload the user profile

To mitigate this risk:

Perform thorough testing on representative devices
Identify and remediate any services, tasks, or applications that automatically load the user profile at startup
Ensure the profile is not loaded when the system reboots and the migration resumes

Supported Device States

Before starting migration, devices must be in one of the following supported states:

Hybrid Microsoft Entra joined
Active Directory joined with Entra registered
Microsoft Entra joined (applicable only for Tenant-to-Tenant migrations)

The following scenarios are not supported:

AD-joined devices with no Entra ID device object
Devices using local workstation accounts only

Opsole Migrate is designed for devices where users sign in using Active Directory–based identities synchronized to Entra ID.

Provisioning Package & Policy Restrictions

Installation of the bulk provisioning package must not be blocked by Intune policies, Group Policy Objects (GPO), or endpoint security controls.
Ensure the provisioning package has a sufficient expiration period to accommodate the full migration window, especially for phased or large-scale rollouts.

Active Directory Object Cleanup

After successful migration, the local Active Directory device object should be manually cleaned up to prevent conflicts with the newly Entra-joined device.

Third-Party MDM Limitations

Direct migration from third-party MDM platforms is not currently supported.
If devices are managed by a non-Microsoft MDM, engage Opsole Support in advance for guidance and custom recommendations based on your MDM provider.

Known Issues and Limitations

On this page