en-US/about_IntuneToFleetMDM.help.txt

TOPIC
    about_IntuneToFleetMDM
 
SHORT DESCRIPTION
    Migrate Windows devices from Intune MDM to Fleet Windows MDM using supported Windows MDM APIs.
 
DESCRIPTION
    IntuneToFleetMDM uses mdmregistration.dll APIs:
      - UnregisterDeviceWithManagement(0) to remove the current MDM enrollment (e.g., Intune)
      - RegisterDeviceWithManagement(..., https://<fleet-host>/api/mdm/microsoft/discovery, <token>) to enroll into Fleet
 
    Enrollment is verified using OS state (Enrollments + OMADM registry), not only return codes.
    The migration flow uses preflight checks and polling to reduce timing issues:
      - Preflight runs before unenroll to avoid orphaned unenrolls when enrollment prerequisites are missing.
      - After unenroll/enroll calls, the module polls OS state until it confirms readiness (or times out).
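
    The OS-state check described above can be reproduced by hand with a read-only registry query. This is an added example, not the module's own code: the function name Get-MdmEnrollmentSnapshot, the registry paths and value names, and the Ready/InProgress/NotEnrolled labels are assumptions for illustration, and treating the presence of an OMADM account key as "healthy" is a simplification.

```powershell
# Added example: read-only snapshot of MDM enrollment state from the registry.
# Assumption: the module may inspect different or additional keys and values.
function Get-MdmEnrollmentSnapshot {
    [CmdletBinding()]
    param(
        # Host name expected in the discovery URL (placeholder: your Fleet server).
        [Parameter(Mandatory)][string]$ExpectedHost
    )
    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    $omadmRoot  = 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts'

    Get-ChildItem -Path $enrollRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        # Subkeys without a discovery URL are housekeeping keys, not MDM enrollments.
        if (-not $props.DiscoveryServiceFullURL) { return }

        $id = $_.PSChildName
        [pscustomobject]@{
            EnrollmentId    = $id
            ProviderId      = $props.ProviderID
            DiscoveryUrl    = $props.DiscoveryServiceFullURL
            EnrollmentState = $props.EnrollmentState
            # An enrollment key with no matching OMADM account cannot sync yet.
            HasOmadmAccount = Test-Path -Path (Join-Path $omadmRoot $id)
            MatchesExpected = $props.DiscoveryServiceFullURL -like "https://$ExpectedHost/*"
        }
    }
}

# Usage: after migration, one enrollment should remain and point at the expected host.
$state = @(Get-MdmEnrollmentSnapshot -ExpectedHost '<fleet-host>')
$stale = @($state | Where-Object { -not $_.MatchesExpected })
$ready = @($state | Where-Object { $_.MatchesExpected -and $_.HasOmadmAccount })

# A leftover enrollment from the previous MDM means unenroll did not complete.
if ($stale.Count) { Write-Warning "Leftover enrollment(s): $($stale.ProviderId -join ', ')" }

# Labels below are this example's own, not values documented for the module.
if     ($ready.Count -ge 1)                       { 'Ready' }
elseif ($state.MatchesExpected -contains $true)   { 'InProgress' }
else                                              { 'NotEnrolled' }
```

    Run it elevated, before and after Invoke-ITFMDMMigration, and compare the two snapshots.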
 
COMMANDS
    Get-ITFMDMEnrollmentState
    Test-ITFMDMMigrationPrereqs
    Invoke-ITFMDMMigration
    Get-ITFMDMLogs
 
EXAMPLES
    # Check prereqs for a target Fleet instance
    Test-ITFMDMMigrationPrereqs -FleetHost '<fleet-host>'
 
    # Full migration
    Invoke-ITFMDMMigration -FleetHost '<fleet-host>'
 
    # Optional: install Fleet agent first if Orbit node key is missing
    Invoke-ITFMDMMigration -FleetHost '<fleet-host>' -Install true -EnrollSecret '<enroll-secret>'
 
    # Full migration with Slack notifications (optional)
    # Accepts either a full URL or a path-only value (T.../B.../W...)
    Invoke-ITFMDMMigration -FleetHost '<fleet-host>' -SlackWebhook '<TEAM_ID>/<CHANNEL_ID>/<WEBHOOK_TOKEN>'
 
    # Enroll-only retry (skip unenroll)
    Invoke-ITFMDMMigration -FleetHost '<fleet-host>' -SkipUnenroll
 
NOTES
    - Must run elevated (SYSTEM/Admin).
    - Some environments behave better in a multithreaded apartment (MTA); Invoke-ITFMDMMigration can relaunch in MTA when needed.
    - If a prereq fails before any unenroll/enroll calls are made, Slack notifications use type PreflightFailed.
    - If Fleet enrollment artifacts exist but OMADM is not yet healthy by the verification timeout, Invoke-ITFMDMMigration returns Status=InProgress (retry later; often ~30 minutes).
    - EnrollSecret is treated as a secret and is not logged, but is passed to msiexec as an MSI property when -Install is used.