Migrate a fleet of Windows 11 laptops from on-prem SCCM management to Intune Autopilot
Tag each laptop with a department or business unit through a single popup during OOBE
Register devices in Intune Autopilot via Microsoft Graph using the hardware hash already in firmware
Auto remove the temporary SCCM client after Autopilot enrollment via SetupComplete.cmd
Requires an Azure AD app registration with specific Graph permissions, dynamic device groups, and a working SCCM task sequence before the framework can be wired in.
This is a PowerShell toolkit aimed at large IT departments that are moving their fleet of Windows laptops away from on-premises management with Microsoft SCCM and over to cloud management with Microsoft Intune. In that kind of migration, machines often arrive in a state where they are no longer joined to a corporate domain, which makes them awkward to set up using the traditional process. The author reports that without this framework, each laptop takes around six and a half hours of technician time, or three to four hours if they use a manual USB reimage. With this framework the figure drops to about thirty minutes per laptop, with only a single thirty-second interaction by a technician. The work is split across five stages. First an SCCM task sequence lays down a Windows 11 image, installs drivers, installs a temporary SCCM client, and reboots the laptop into the Out-of-Box Experience (the screens you see the first time a new Windows machine starts). Second, a small popup appears in front of the technician asking them to pick which department or business unit the laptop belongs to. Third, the script calls the Microsoft Graph API to register the device in Intune Autopilot using the hardware hash it has already collected from the firmware. Fourth, a SetupComplete.cmd script automatically uninstalls the temporary SCCM client after the next reboot. Fifth, the device joins an Azure AD dynamic group based on the chosen group tag, and Intune pushes down the right apps and policies. The README highlights several technical tricks. ServiceUI.exe from the Microsoft Deployment Toolkit is used to bridge between the background Windows session that SCCM runs in and the foreground session that the technician sees. Win32 API calls are used to keep the cursor visible across odd USB and touchpad driver timing and to pull the registration window above the SCCM progress bar. To use the framework, an IT administrator needs to create an Azure AD app registration with specific Graph permissions, set up dynamic device groups in Azure AD, distribute the script package through SCCM, and add a Run Command Line step to the task sequence after Sysprep. The repository contains the PowerShell popup script, the cleanup batch file, a task sequence design note, a setup guide, troubleshooting notes, and an architecture document. The code is released under the MIT licence by Narasimha Rao Alugoju.
Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.