Support tip: How to transfer Windows Autopilot devices between tenants

Posted by

This post has been republished via RSS; it originally appeared at: Intune Customer Success articles.

By: Juanita Baptiste – Sr. Product Manager | Microsoft Intune


If you’re a customer who is going through a merger, acquisition, or divestiture scenario, you might be wondering how to move your users and Windows devices from one tenant to another. You might also be concerned about the cost and time involved in purchasing new Windows devices, re-imaging them, and shipping them to your users. In the Microsoft Intune 2307 release, we introduced new functionality to assist IT admins with removing devices from Windows Autopilot while maintaining device enrollment.


Tenant migration is not a supported scenario for Intune, so this document provides options to assist you when performing a tenant migration as well as helpful tips for migrating registered device hashes for Autopilot from one tenant to another. We’ll show you how Windows Autopilot can help you with tenant migration by allowing you to reuse your existing devices and letting your users reset them when they’re ready.


Note: Device compliance is an important factor to consider when transferring devices from one tenant to another as it impacts how the devices will be managed. To ensure the device is compliant with your policies, you may need to find an alternate targeting method to assign the policies.


How Windows Autopilot helps with tenant migration

There are two main ways that you can move a device from an old tenant (Tenant A) to a new tenant (Tenant B).


Method 1: Online migration

Online migration is a preferred tenant migration method for scenarios such as having short time frames (days versus weeks or months) between deleting and resetting devices or when you won’t have immediate access to the new tenant to add the offline Autopilot profile or assign a profile. To use this method, do the following:

  1. Collect the hardware hashes from the devices that you want to move to the new tenant. You can get the hashes by using the Get-WindowsAutoPilotInfo script or by using Configuration Manager. See Manually register devices with Windows Autopilot for more information.
  2. Remove the Autopilot registration from the old tenant (Tenant A). Once you have the hashes, delete the devices from Tenant A. You can use the Autopilot devices pane in Intune or the Remove-AutopilotDevice cmdlet to delete the devices. The devices will still be managed by Intune. Both Remove-AutopilotDevice and Import-AutopilotDevice (in step 3 below) come from the WindowsAutoPilotIntune module. For more information, see WindowsAutoPilotIntune in the PowerShell Gallery.
  3. Register the devices to the new tenant (Tenant B). After deleting the registration in Tenant A, re-register the device into Tenant B. You can use the Autopilot devices pane in the Intune admin center or the Import-AutopilotDevice cmdlet to register the devices. The devices will be assigned to Tenant B but still managed by Tenant A. If you receive an error when attempting to register in Tenant B, that may indicate the deletion was not fully completed in Tenant A.
  4. Reset the device. Once you have confirmed the device is registered in Tenant B and the desired profile is assigned, you can now reset the device to join the new tenant. Notify your users when you want them to reset and provide guidelines on how they can perform this step. You can use the Reset this PC option in the Settings app or the Reset feature in the Intune admin center. The devices will be re-provisioned and enrolled to the new tenant using Autopilot.

Note: Don’t use the Autopilot Reset function as it won’t initiate Autopilot on the device but will, instead, leave that device managed by the old tenant.


Method 1: Offline migration

The offline migration method allows more grace when migrating between old and new tenants since this uses a local Autopilot JSON-based configuration file already on the device instead of communicating with the Autopilot service to retrieve configuration information. When using this method, you won’t be able to pre-target policies to the device. Once you have completed the migration, remove the file for subsequent resets. To perform Offline Domain Join migration, do the following:


  1. Devices should first be removed from any assignments for Autopilot profiles where the Convert existing devices setting is enabled.
  2. Devices can be deregistered from Autopilot in batches using existing graph APIs. We recommend performing a full device sync for every 2,000 devices deregistered.
    1. You can create a script to allow AP deregistration without deleting the Intune managed device object using the new (as of 2108) one-step removal function.
  3. Create an offline Autopilot JSON file for the new tenant (Tenant B) devices. See Windows Autopilot deployment for existing devices: Create JSON file for Autopilot profile(s) for more information.
  4. Using the old tenant (Tenant A), deploy a PowerShell script that copies the offline Autopilot profile for Tenant B to the desired devices, use this exact path: %windir%\provisioning\autopilot\AutoPilotConfigurationFile.json
  5. Initiate a full wipe of the device (no user data or apps). This can be a local or remote reset.
  6. Once the reset is complete, be aware that:
    1. The AP profile from Tenant A registration is wiped, and the device is no longer registered with Autopilot, so no new profile is downloaded.
    2. The JSON file (from step 4) will persist across all future resets and should be removed if this isn’t desired.
  7. The device user sets up the Windows device with the new Tenant B Autopilot experience.
  8. Create a default Autopilot profile to assign to the All Devices virtual group with the setting “Convert existing devices” enabled. This step automatically registers all devices into Autopilot during the devices’ lifetime. Devices can be targeted with default profile to automatically register the device to Tenant B in Autopilot.

For more information about creating the JSON file, see Windows Autopilot deployment for existing devices.



While the new feature to remove an Autopilot registered device while keeping it managed is helpful, there are some things to be aware of before you use it.


Delete with certainty

There is no undo button for the deletion. If you delete a device from Autopilot by mistake, and you need to reregister it to the same tenant, you may be able to use the Autopilot for existing devices feature. However, this may not work for all scenarios (like when the device doesn’t exist in the tenant anymore and is deleted) and you may need to re-enroll the device manually.


Time between removal and registration

Leaving too much time between removal of the device from Tenant A to Tenant B can be a challenge. The user may experience issues and need to reset the device. If the device is reset before it’s registered to the new tenant, it may become an unmanaged device and lose its configuration and policies. To avoid this, make sure you have the hardware hashes of the devices that you want to move and register them to the new tenant as soon as possible after deleting them from the old tenant.


Policies and configurations tied to registration

If you have policies targeted based on Autopilot profiles or attributes like "group tag," they won’t be applied to the newly deregistered, managed device. For example, if you have a policy to block USB devices on Autopilot devices, this policy will not affect the device after you delete it from Autopilot.



Windows Autopilot can help you with tenant migration, by allowing you to reuse your existing devices and letting your users reset them when they’re ready to. This can reduce the hardware cost, user downtime, and complexity of moving your users and Windows devices from one tenant to another. To learn more about the one step removal of a device from Windows Autopilot, see our What’s New page.


If you have questions or comments for the Intune team, reply to this post or reach out to @IntuneSuppTeam on Twitter.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.