This SOP outlines the steps to migrate existing Windows devices managed by MECM to Intune using Windows Autopilot for existing devices. This method allows reimaging and provisioning devices in Autopilot user-driven mode via a Configuration Manager task sequence. The process results in a Windows device joined to either Microsoft Entra ID or a hybrid Microsoft Entra ID.

Prerequisites 

• Enrollment restrictions are not configured to block personal devices.
   

Step-by-Step Instructions

1. Enable Windows Automatic Enrollment 

• Configure the MDM user scope for some or all users.
  
  

2. Configure the Enrollment Status Page (ESP) (Optional) 

• Open the Microsoft Intune admin center. 

• Navigate to Devices > Device onboarding > Enrollment. 

• Ensure Windows is selected at the top. 

• Under Windows Autopilot, select Enrollment Status Page and configure the settings. 
  
  

3. Create a Windows Autopilot Deployment Profile

• In the Microsoft Intune admin center, go to Devices > Enrollment > Deployment Profiles. 

• Click on + Create Profile and select Windows PC. 

• Fill in the profile details and ensure you check the option to convert devices to Autopilot during enrollment. 
  
  
• Windows Autopilot Deployment Profile:

4. Install Required PowerShell Modules

• On an internet-connected Windows PC or server, open an elevated Windows PowerShell command window. 

• Run the following commands to install and import the necessary modules: 
  
  

Powershell:

Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force
Install-Module -Name WindowsAutopilotIntune -MinimumVersion 5.4.0 -Force
Install-Module -Name Microsoft.Graph.Groups -Force
Install-Module -Name Microsoft.Graph.Authentication -Force
Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement -Force

• Import the Installed Modules:
  
  Powershell: 

Import-Module -Name WindowsAutopilotIntune -MinimumVersion 5.4
Import-Module -Name Microsoft.Graph.Groups
Import-Module -Name Microsoft.Graph.Authentication
Import-Module -Name Microsoft.Graph.Identity.DirectoryManagement

• Enter the following command to connect to Microsoft Graph and provide Intune administrative credentials: 
  
  

Powershell:

Connect-MgGraph -Scopes "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Domain.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "User.Read" 

• Approve any permission requests. 
  
  

5. Get Autopilot Profiles for Existing Devices

• Run the following command to retrieve all Autopilot profiles in JSON format: 
  
  

Powershell:

Get-AutopilotProfile | ConvertTo-AutopilotConfigurationJSON
 

• Examine the output, which displays each profile within braces {}. 
  
  

6.Create the JSON File

• Save the Autopilot profile as a JSON file in ASCII or ANSI format. 

• Use the following PowerShell script as an example: 
  
  

Powershell:

Connect-MgGraph -Scopes "Device.ReadWrite.All", "DeviceManagementManagedDevices.ReadWrite.All", "DeviceManagementServiceConfig.ReadWrite.All", "Domain.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All", "User.Read" 
$AutopilotProfile = Get-AutopilotProfile 
$targetDirectory = "C:\Autopilot" 
$AutopilotProfile | ForEach-Object { 
New-Item -ItemType Directory -Path "$targetDirectory\$($_.displayName)" 
$_ | ConvertTo-AutopilotConfigurationJSON | Set-Content -Encoding Ascii "$targetDirectory\$($_.displayName)\AutopilotConfigurationFile.json" }
 

Important: The filename must be AutopilotConfigurationFile.json and encoded as ASCII or ANSI. 

• The file can also be created manually. In Notepad, when choosing Save as, select the save as type: All Files, and then select ANSI for the Encoding. 

• Move the JSON file to a network location accessible by Configuration Manager. 

Important: The configuration file can only contain one profile. To use more than one Autopilot profile, create separate Configuration Manager packages. 
 

7. Create a Package Containing the JSON File

• In the Configuration Manager console, go to the Software Library workspace, expand Application Management, and select the Packages node. 

• On the ribbon, select Create Package. 

• Enter the following details: 

• • For the program, select the Program Type: Don't create a program. 

• Complete the wizard. 

Note: If the user-driven Autopilot profile settings in Intune are changed, recreate and update the JSON file, then redistribute the Configuration Manager package. 

8. Create a Target Collection

• In the Configuration Manager console, go to the Assets and Compliance workspace, and select the Device Collections node. 

• On the ribbon, select Create, and then select Create Device Collection. (Alternatively, an existing collection can be used.) 

• Enter the following details: 

• On the Membership Rules page, select Add Rule to add target devices using either a direct or query-based collection rule. 

9. Create a Task Sequence

• In the Configuration Manager console, go to the Software Library workspace, expand Operating Systems and select the Task Sequences node. 

• On the ribbon, select Create Task Sequence. 

• Select the option to Deploy Windows Autopilot for existing devices. 
  
  

• Specify the following information: A name for the task sequence (e.g., Autopilot for Existing Devices). 

• In the Install Windows page, select the Windows Image package. Then configure the following settings:  

• Image index: 

Select an option to configure the local administrator account in Windows:  

• • Randomly generate the local administrator password and disable the account on all support platforms (recommended).  

• • Enable the account and specify the local administrator password. 

• In the Install the Configuration Manager client page, add any necessary Configuration Manager client installation properties for the environment. 

• The Include updates page selects by default the option to Do not install any software updates. 

• In the Install Applications page, select the applications to install during the task sequence. However, Microsoft recommends that apply all applications and configurations from Microsoft Intune or Configuration Manager co-management. 
• Complete the wizard. 
  
  
• Autopilot for Existing Devices Task Sequence: 
  
  

• Remove Redundant Task Sequence Groups: 
  
  In Configuration Manager console: 

• • Navigate to Software Library > Operating Systems > Task Sequences 

• • Right-click your Autopilot task sequence > Edit 

• • Open Task Sequence Editor and delete: 

• • "Prepare device for Windows Autopilot" group 

• • "Setup Operating System" group 

• • Any additional tasks after "Setup Windows and Configuration Manager" 
    
    

• Add Cleanup Command: 
  
  

• • Select last task > Add > General > Run Command Line 

• • Add new "Run Command Line" task as final step: 

• • Name: Remove unattend.xml from Panther 

• • Command:  

cmd.exe /c del %OSDTargetSystemDrive%\Windows\Panther\unattend.xml /s

• • Save the changes to the task sequence. 

11. Distribute Content to Distribution Points

• Select task sequence > Ribbon > Distribute Content 

• Add Distribution Points/Groups: 

• Ensure coverage for all target devices 

•  Verify content distribution: 

• Monitor via "Content Status" in Monitoring workspace 

12. Deploy the Task Sequence

• In the Configuration Manager console, go to the Software Library workspace, expand Operating Systems and select the Task Sequences node. 

• Select the task sequence created, and then select Deploy. 

• Choose the target devices collection as the target collection. 

• Configure the deployment settings as needed. 

• Complete the deployment wizard. 

Client-Side Steps:

Post-Migration Steps 

• Monitor the task sequence deployment in Configuration Manager. 

• After the task sequence completes, the device will go through the Autopilot enrollment process. 

• Verify the device is enrolled in Intune and is compliant with configured policies. 

• Remove the device from the MECM management. 
   

Conclusion