Part 12 - Join Entra

Once the device is off the old domain, we can join it to Entra ID.

  • Log in to the device using a local admin account
  • Open Settings
  • Select Accounts
  • Select Access work or school
  • Select Connect
  • Select Join this device to Microsoft Entra ID
  • Enter a user ID to join the device. The user's email account should work for this; otherwise a tenant admin account can be used
  • Confirm the organisation is correct, then select Join on the pop-up window
  • Once successful you will see a You're all set! window
  • Select Done
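
To confirm the result of the join from the command line rather than relying on the You're all set! window, the following added example (not part of the original guide) parses the output of the built-in dsregcmd /status tool. The function name Get-JoinState is hypothetical; the field names are the ones dsregcmd prints.

```powershell
# Added example: read the device join state from `dsregcmd /status`.
function Get-JoinState {
    param(
        # Defaults to live output; pass saved lines to check a captured report.
        [string[]]$StatusLines = (dsregcmd.exe /status)
    )

    # dsregcmd prints "Key : Value" pairs; collect them into a lookup table.
    $state = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($state['DomainJoined'] -eq 'YES')
        TenantName    = $state['TenantName']
        DeviceId      = $state['DeviceId']
    }
}

$join = Get-JoinState
$join | Format-List

if ($join.AzureAdJoined -and -not $join.DomainJoined) {
    Write-Output "Device is Entra joined to '$($join.TenantName)' and no longer domain joined."
}
elseif ($join.DomainJoined) {
    # Part 11 has not taken effect: the old domain membership is still present.
    Write-Warning 'Device still reports DomainJoined : YES. Disconnect it from the old domain first.'
}
else {
    Write-Warning 'Device is not Entra joined. Repeat the join steps and check the account used.'
}
```

Check that TenantName matches the organisation you confirmed in the pop-up window.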


Part 11 - Disconnect machine from the old domain

Now to remove the device from the current domain controller.

  • Open Settings on the device you are using
  • Select Accounts
  • Select Access work or school
  • You should see the domain that the machine is joined to. Select that domain to expand its drop-down menu
  • Under the domain name, select Disconnect
  • Agree to leave the domain
  • You may be asked to enter an account to confirm removal; you can use a local admin account

Part 10 - Logon as domain admin

Once the machine has rebooted, log in to the device using either a local admin account or domain admin account.


Part 9 - Reboot into normal mode

Next, reboot the machine into normal mode.

This enables us to have network connectivity again which we will need to join Entra.

  • Open task manager and select Run
  • Open MSCONFIG
  • Select the Boot tab
  • Untick Safe boot
  • Click OK and restart the device

Part 8 - Rename the CSC Folder

In this step we rename the CSC folder.

The CSC folder has a security setting that needs changing before you can rename it. This video demonstrates where to find the CSC folder, how to change the permissions and how to rename it.

 

  • Open Windows Explorer
  • Open C:\Windows
  • Find the CSC folder and right click, select Properties
  • Select the Security tab
  • Select Advanced at the bottom of the tab
  • Under Owner select Change
  • In the search box, enter Administrators
  • Click OK
  • Select Replace owner on subcontainers and objects
  • Click OK
  • Windows will now go through changing the permissions. You may see some errors appear; click Continue/Skip or Ignore to continue changing the rest of the permissions
  • Once completed, right click the CSC folder and rename it to _OldCSC

Part 7 - Rename and move users folders

In this step, we rename and move the current user folders.

We do this because we prefer not to delete user profiles, in case data turns out to be missing after the migration.

 

  • Open Windows Explorer
  • Navigate to C:\Users
  • Create a new folder, _OldProfiles
  • You will see many profile folders in C:\Users folder
  • We recommend leaving any Admin/Administrator accounts in place, but move any named accounts or generic accounts to _OldProfiles.
  • Where possible rename the user profile of the user who has this assigned laptop with an _ in front of the profile name. This just makes it easier for you to identify later.

Part 6 - Login Safe Mode

Now, you need to log in to the laptop in Safe Mode.

To do this you will need to use a local administrator account, either one you created earlier or one that has been supplied by the school.

 


Part 5 - Restart in Safe Mode

We now need to reboot the laptop into Safe Mode.

We need to do this to move the old CSC files and the user profile folders out of the way; we do not delete these files.

What are CSC files? CSC files are the local cache files for the user's redirected and synced My Documents. We will not be needing these going forward, but we do not delete the CSC folder.

  • Open MSConfig on the laptop you are working on
  • Select the Boot tab from the window that pops up
  • Under Boot Options, select Safe Boot
  • Click OK
  • Now restart the laptop

Part 4 - Suspend BitLocker

We now need to suspend BitLocker before we move into Safe Mode.

You may not need to complete this step if BitLocker is not enabled.

  • Click the Start menu and search for BitLocker. If you don't see BitLocker, you may have to log in as a local administrator to find this setting.
  • Open BitLocker
  • If BitLocker is enabled you should see an option to Suspend BitLocker. Choose to suspend BitLocker. DO NOT DISABLE BITLOCKER as this will slow you down waiting for the laptop to decrypt.
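
The same suspension can be done from an elevated PowerShell prompt. This added example (not part of the original guide) uses the built-in BitLocker cmdlets and assumes the operating system volume is the one to suspend. It sets the reboot count to 2 because this procedure restarts twice, once into Safe Mode and once back into normal mode.

```powershell
# Added example: suspend (not decrypt) BitLocker on the OS volume.
# Run from an elevated PowerShell session.
$mount = $env:SystemDrive   # normally C:

$vol = Get-BitLockerVolume -MountPoint $mount

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Output "BitLocker is not enabled on $mount; nothing to suspend."
}
elseif ($vol.ProtectionStatus -eq 'Off') {
    Write-Output "BitLocker protection is already suspended on $mount."
}
else {
    # -RebootCount accepts 0 to 15. If omitted it defaults to 1, so protection
    # would come back after the first restart. 0 means suspended until
    # Resume-BitLocker is run manually.
    Suspend-BitLocker -MountPoint $mount -RebootCount 2 | Out-Null
    Write-Output "BitLocker protection suspended on $mount for the next 2 restarts."
}

# Show the resulting state. The volume stays encrypted; only protection is off.
Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage

# After the migration, confirm ProtectionStatus is On again. If it is not:
#   Resume-BitLocker -MountPoint $env:SystemDrive
```

While protection is suspended the volume key is stored unprotected on the disk, so check that ProtectionStatus has returned to On once the device is back in normal mode.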

Part 3 - Check the local admin account

This step is to confirm that you have a local admin account on the machine. This will enable us to access the computer when we reboot into safe mode later on.

In our video I am logging off as a user as I am not a local admin. If your user has local admin rights you will be able to complete this step without logging off and back on again.

 

  • Within Windows open "Computer Management" MMC
  • Select "Local Users and Groups"
  • Select "Users"
  • Look for any user accounts that could be local admin accounts. Double click them and check they are members of the administrators group and they are enabled.
  • If there is no account, we recommend creating a standard EICT account with the password quest. Don't forget to add the new account to the local administrators group.
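
The check above can also be run from an elevated PowerShell prompt. This added example (not part of the original guide) lists the local accounts in the built-in Administrators group and whether each is enabled, using the LocalAccounts cmdlets that ship with Windows 10 and later.

```powershell
# Added example: find enabled local accounts in the Administrators group
# before rebooting into Safe Mode, where domain logons will not be available.

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so this also works where the group has a localized name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

# Keep only accounts stored on this machine; domain users and groups in the
# Administrators group are skipped.
$localAdmins = $members |
    Where-Object { $_.PrincipalSource -eq 'Local' } |
    ForEach-Object {
        $user = Get-LocalUser -SID $_.SID
        [pscustomobject]@{
            Name            = $user.Name
            Enabled         = $user.Enabled
            PasswordLastSet = $user.PasswordLastSet
        }
    }

$localAdmins | Format-Table -AutoSize

$usable = @($localAdmins | Where-Object Enabled)
if ($usable.Count -eq 0) {
    Write-Warning 'No enabled local administrator account found. Create or enable one before rebooting into Safe Mode.'
}
else {
    Write-Output ("Enabled local administrators: " + ($usable.Name -join ', '))
}
```

An account that is listed as enabled is only useful if you also know its password, so test the logon before moving on.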

We are now ready to move onto the next module.