Migrate Intune Hybrid-Joined to Entra-Joined devices

When the Cloud became a thing, Microsoft pushed hard for us to do Hybrid Join on our workstations, as it was a gateway to get the device cloud-managed. Unfortunately, once Hybrid-joined, the only supported way out from Hybrid to Cloud Native (EntraID-Joined) is to wipe the device and re-stage it using Autopilot or AP Device Preparation.

If you’ve already got some Entra-joined devices in your organization and wish to convert your existing Hybrid devices to EntraID using a supported method with minimal pain, this post is for you.

The only supported way still is to do a Wipe & Load scenario, but with the introduction of Windows Backup for Organizations recently, this adds a big missing piece to the puzzle and makes this solution much more viable. If you implement Backups, OneDrive KFM, have a solid Autopilot setup with most apps being deployed automatically, and robust Intune configuration profiles, the Wipe & Load is as seamless to the user as resetting or upgrading their phone. The better news is: this process also works for delivering a new computer to the user, making hardware refreshes a breeze.

The process – Migrate Intune Hybrid-Joined to Entra-Joined

Requirements:

• Have an EntraID Autopilot profile/ GroupTag assigned to the device
• Enable OneDrive Known Folder Move (KFM)
• Enable Windows Backup for Organizations
  • Source device must be running one of the following OS Builds:
    • Windows 10 22H2 with CU of August 2025 or more recent
    • Windows 11 22H2, 23H2, 24H2 with CU of August 2025 or more recent
    • Windows 11 25H2
  • Destination device must be running one of the following OS Builds:
    • Windows 11 22H2, 23H2, 24H2 with CU of July 2024 or more recent
    • Windows 11 25H2
  • The destination device must be Entra-Joined.

Conversion process:

• Wipe the device from Intune
• Restore the user’s data from the wiped device during OOBE
• Go through the Autopilot process
• Reinstall missing apps from Company portal/manually

Things that will be lost forever (list may not be exhaustive):

• Any files the users may have placed outside their KFM folders (example, c:\temp, c:\Users\Username\MyLostFiles.txt)
• Win32 apps that are not deployed as required; Whether they were installed manually, from Software Center or Company Portal
• Registry modifications in user profiles

Getting the environment ready

If you’re already deploying EntraID devices for new computers, then most of these should already be in place. Either way, you’ll want to make sure you have these items in place before you attempt your first conversion:

• An Autopilot profile that will do EntraID
  • if you had a hybrid profile assigned to the devices to convert, don’t forget to change the assignment!
• Windows Hello with Cloud Kerberos Trust (to be able to connect seamlessly to on-prem resources)
• All important GPOs created in Intune as configuration profiles or scripts
  • WiFi profiles
  • PKI Certificates for client auth
    • If needed, configure the Intune certificate connector so your internal PKI can issue certs
  • Drive mappings
  • Printer mappings
  • Local admin rights management
  • Any other policy that is important in your environment
• Win32 apps packaged in intune and deployed as either required or available for users to reinstall
• If still using Configuration Manager, you can deploy the SCCM Agent to the devices for Co-Management (HTTPS strongly recommended)
• A policy for OneDrive that allows automatic login, and enables backup of KFM folders
• Enable Windows Backup for Organization tenant-wide and assign a settings catalog policy to enable it on all devices
• Ensure the devices are registered for Autopilot with the proper group tag assigned
• Users must have an Intune license assigned so they can do Autopilot and MDM Registration
• Allow users to register their devices in Intune (Devices->Enrollment->Automatic Enrollment, MDM Scope)

Making sure the device is ready

Since we will wipe the user’s device in the process, we must ensure all the requirements are in place before we hit that Wipe button. You’ll want to make sure:

• The policies for OneDrive KFM and Windows Backup for Organizations have been applied to the device for a few days
  • The only way to confirm the backup exists for the device is to open the “Windows Backup” application on the user’s device and confirm the backup has succeeded:

• Note apps that may need to be reinstalled manually
• Ensure the user didn’t put important documents in locations that are not backed up by OneDrive KFM

Converting the device to EntraID

When you’re ready to migrate a device and the user is aware of the upcoming change, it’s as simple as hitting the Wipe button in Intune, and don’t select any of the checkboxes:

The device should reboot and reset itself at this point. Once the reset is complete, the user will be prompted for the Autopilot provisioning steps, such as OS Language, keyboard layout, Wifi, and then they will be asked to login with their corporate account.

Once they’re logged in, the Windows Backup restore window will appear and will present the latest backup option by default:

If the most recent backup presented isn’t the one you want to restore from, select “More options” to list all available backups:

Following the backup selection, the standard Autopilot process begins:

The end result – Migrate Intune Hybrid-Joined to Entra-Joined

Once Autopilot completes :

• The user will be presented with the Lock screen
• They will need to log in with their e-mail address and password. The short name (SAM account name) is no longer an option with EntraID.
• They will then be prompted to enroll in Windows Hello by setting up their PIN and biometrics.
• When they reach the desktop
• Their configurations will have been restored from the backup (desktop background, explorer settings, Windows Store apps, etc…), personal files will be restored from OneDrive, and required apps that were not set as blocking in the ESP will gradually come down to the device.

At this point, all there’s left to do for the user is to reinstall their Win32 apps from the company portal, or place a service request to have the software installed manually if it was not published in the company portal.

Final thoughts – Migrate Intune Hybrid-Joined to Entra-Joined

While this process has the drawback of needing to be coordinated with the user, as it will interrupt their workday for about an hour, it’s very simple and efficient. Windows Backups for Organizations adds the major benefit of restoring all the user’s preferences without having to place a support call if they don’t know how to configure these by themself, and it also makes the experience much more enjoyable.

The key in the process is really setting all the bits and pieces together in the back end. It’s when all these options and configurations are put together that it makes it feel like magic, whether you’re converting a device from Hybrid-joined to Entra-Joined, or shipping a new device to the user, this can all be done from the user’s home as long as they have an internet connection.