From 9b4e86cdfc28ed99e798d3003ff3718536492f12 Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Mon, 15 Jun 2026 14:43:19 -0700 Subject: [PATCH] sync: auto-sync from GURU-5070 at 2026-06-15 14:43:03 Author: Mike Swanson Machine: GURU-5070 Timestamp: 2026-06-15 14:43:03 --- ...e-sp-sharonw11-entra-to-local-migration.md | 143 ++++++++++++++++++ 1 file changed, 143 insertions(+) create mode 100644 clients/starr-pass/session-logs/2026-06/2026-06-15-mike-sp-sharonw11-entra-to-local-migration.md diff --git a/clients/starr-pass/session-logs/2026-06/2026-06-15-mike-sp-sharonw11-entra-to-local-migration.md b/clients/starr-pass/session-logs/2026-06/2026-06-15-mike-sp-sharonw11-entra-to-local-migration.md new file mode 100644 index 0000000..539c52b --- /dev/null +++ b/clients/starr-pass/session-logs/2026-06/2026-06-15-mike-sp-sharonw11-entra-to-local-migration.md 
@@ -0,0 +1,143 @@ +## User +- **User:** Mike Swanson (mike) +- **Machine:** GURU-5070 +- **Role:** admin + +## Session Summary + +Decommissioned the Microsoft 365 (Entra) account binding on Sharon Shinn-Smith's laptop +**SP-SharonW11** (Win11 Pro 25H2, GuruRMM agent `86de13d7-0f81-43ac-85d9-1d52855c805d`, client +"Shinn, Sharon" / related to Starr Pass Realty) and converted her to a standalone local Windows +account, preserving her full profile. She is leaving Starr Pass; the `sss@starrpass.com` account +is being decommissioned (it had been deleted 2026-06-10, then re-enabled to keep her login working +during this work). + +Diagnosed state via read-only GuruRMM PowerShell + the M365 remediation tooling (Graph, Starr Pass +tenant `222450dd-141f-435f-87b8-cec719aac99e`): the PC was **Azure AD Joined** (not Intune-managed, +`MdmUrl` empty), she logged in as `AzureAD\SharonShinn-Smith` (profile `C:\Users\SharonShinn-Smith`, +~32.5 GB, **0 online-only OneDrive placeholders** so all data local), and she was a local admin. +BitLocker was on (TPM + RecoveryPassword, C: fully encrypted). Captured the BitLocker recovery key +and vaulted it before touching anything, then suspended BitLocker for the migration. + +Prep (RMM, while she was still logged in): suspended BitLocker (`-RebootCount 3`), set the existing +`localadmin` to a known password (no prior copy was vaulted) as the fallback admin, and created a +new local admin account `Sharon` (SID `S-1-5-21-1582313589-3677914524-862139451-1004`). All +passwords vaulted. Researched the migration tool: ForensiT **User Profile Wizard Professional** +(per-technician, unlimited machines, $149.95 perpetual) is the correct edition (Azure-AD source is +a paid-edition feature; the free Personal edition cannot). The user purchased it and installed it +on the box; its deployment package lives at +`C:\ProgramData\ForensiT\User Profile Wizard Professional\Deployment Files`. 
Rather than run the +interactive `Save-AzureADUser.ps1` (needs Microsoft.Graph + a browser login), generated +`ForensiTAzureID.xml` directly from our remediation Graph access and staged it in the deployment +folder (verified Sharon's Azure ObjectId `4563c56e-...` matches her on-disk S-1-12-1 profile SID). + +Force-logged-off Sharon (authorized) to free the profile. The tech ran ProfWiz Pro (GUI, the one +step Pro can't automate). Verified the outcome: profile migrated to `C:\Users\Sharon` owned by +local `SP-SharonW11\Sharon`; ProfWiz also left the Entra tenant (`AzureAdJoined: NO`, workgroup); +"Migration Complete!" in its log. Sharon logged into the local account successfully (her password +`398Montero` + Windows Hello PIN, set by the user, vaulted). Resumed BitLocker (back On). Removed +ForensiT entirely afterward (MSI uninstall + deleted `C:\ProgramData\ForensiT` incl. the staged +tenant-data XML/logs/license, and `Program Files (x86)\ForensiT`). Updated Syncro ticket **#32410** +with an internal work note (Winter handles billing). The M365 license removal / account deletion / +Entra device-object cleanup was **deferred to end of week (Fri 2026-06-19)** per the user (she keeps +Office through the week) and filed as coord todo `79d291db-...`. + +## Key Decisions + +- **Re-point the profile in place (ForensiT UPW Pro), not a Fab's backup/restore.** Preserves the + 32.5 GB profile in place; Fab's copy-based restore was the heavier fallback, not needed. +- **Professional edition, not Corporate.** Per-tech/unlimited-machines fits ACG (reusable for all + future migrations); Azure-AD source is supported in Pro. Corporate's only delta is zero-touch + silent deployment, which we don't need for one machine. +- **Generated `ForensiTAzureID.xml` from our Graph access** instead of running ForensiT's + `Save-AzureADUser.ps1` on the box — avoids installing the Microsoft.Graph module and an + interactive Graph login on the client machine. 
+- **Captured + vaulted the BitLocker recovery key before any change.** Entra escrow ends when the + device leaves the tenant; the vaulted key is the only recovery copy afterward. +- **Established a known `localadmin` before the Entra leave.** No local-admin password was vaulted; + a known fallback admin is mandatory before stripping the cloud identity. +- **Office reduced-functionality accepted** (new employer provides a license) — so the plan is to + pull the M365 license, not reassign one. +- **Deferred the M365 decommission to EOW** per the user; tracked as a coord todo so it isn't lost. +- **Did NOT run ProfWiz headless/blind.** Pro has no silent mode and our case is a rename + (`sss` -> local `Sharon`); a guessed config could target the wrong account. The GUI run made the + source/target explicit and correct. + +## Problems Encountered + +- **ProfWiz Pro is GUI-only on this edition** (silent = Corporate). The actual re-point had to be a + tech GUI run via ScreenConnect; everything else (prep, AzureID staging, post-steps) was automated + via RMM. +- **forensit.com is Cloudflare-403** to both our WebFetch and the client machine's + `Invoke-WebRequest` — the attempted silent download/install of the installer failed + (`C:\IT-Migration` never created; logged to errorlog.md). The installer was brought to the box by + the user instead. +- **BitlockerKey.Read.All not in our app suite** — Graph call for Entra-escrowed BitLocker keys + returned 403 (tenant-admin tier). Moot: the key was pulled directly from the device. +- **Sharon logged back in mid-process** (session 2 at 2:12 PM) after being logged out, re-blocking + the migration. Resolved with an authorized force-logoff (resolved her session by username so only + hers was killed); confirmed her profile hive unloaded before the run. +- **ProfWiz logged "Leaving Azure AD Tenant... Done with error"** but the end state was correct + (`AzureAdJoined: NO`, workgroup). 
The "error" is the Entra-side device-object removal it couldn't + perform; that cleanup is part of the deferred EOW task. + +## Configuration Changes + +Created (vault, all pushed): +- `clients/starr-pass/sp-sharonw11-bitlocker.sops.yaml` — BitLocker recovery key. +- `clients/starr-pass/sp-sharonw11-localadmin.sops.yaml` — `localadmin` pw + Sharon's local pw/PIN. +- `msp-tools/forensit-user-profile-wizard.sops.yaml` — ForensiT UPW Professional license blob. + +SP-SharonW11 (via RMM): BitLocker suspended then resumed; `localadmin` password set; local `Sharon` +admin created; `ForensiTAzureID.xml` staged then removed with the rest of ForensiT; ForensiT UPW Pro +installed (by user) then uninstalled; device moved AzureAD-joined -> workgroup. + +Syncro: ticket #32410 internal comment `419136986` added (hidden, Mike user_id 1735). +Coord: todo `79d291db-6461-4b9d-9bc1-823b9edd880d` (EOW M365 decommission). +errorlog.md: one entry (ProfWiz silent-install RMM failure). + +## Credentials & Secrets + +- **SP-SharonW11 BitLocker recovery (C:)** — ID `{5B729537-6A45-42F5-BE21-DFB854188710}`, key + `477840-518793-492481-104819-612018-532235-224532-011033`. Vault `clients/starr-pass/sp-sharonw11-bitlocker`. +- **SP-SharonW11 local `Sharon`** — password `398Montero`, Windows Hello PIN `722222` (set by user; + supersedes the random pw generated at account creation). Vault `clients/starr-pass/sp-sharonw11-localadmin`. +- **SP-SharonW11 `localadmin`** — known pw set this session; in the same vault entry (`localadmin_password`). +- **ForensiT UPW Professional license** — `` blob; vault `msp-tools/forensit-user-profile-wizard` + (per-tech, reusable on all future ACG migrations). + +## Infrastructure & Servers + +- **SP-SharonW11** — Win11 Pro 25H2 (10.0.26200), GuruRMM agent `86de13d7-0f81-43ac-85d9-1d52855c805d`, + RMM client "Shinn, Sharon" / site "Home". Now workgroup, local `Sharon` (SID `...-1004`). 
+- **Starr Pass M365 tenant** — `222450dd-141f-435f-87b8-cec719aac99e` (Starr Pass Realty). User + `sss@starrpass.com` id `4563c56e-9cf8-4079-8f7c-04797e4951f6`, licensed O365_BUSINESS_PREMIUM + (M365 Business Standard). Entra device object `SP-SharonW11` = `3eadf830-f070-4126-9179-d83413a71f55` + (still to remove). Other tenant users: `cansley@starrpass.com` `7ef84dbb-...`, `sysadmin@starrpass.com` `9a2fc5d6-...`. + +## Commands & Outputs + +- RMM dispatch pattern: resolve agent by id, `command_type:"powershell"`, poll `/api/commands/{id}`. +- Profile owner verify: `Get-Acl C:\Users\Sharon` -> `SP-SharonW11\Sharon`; ProfileList SID `...-1004` + -> `C:\Users\Sharon`. dsregcmd: `AzureAdJoined : NO`. +- ProfWiz log `C:\ProgramData\ForensiT\Logs\Profwiz_SP-SHARONW11_..._Sharon.log`: "Setting Profile + ACL... Done (22s) / Leaving Azure AD Tenant... Done with error / Joining workgroup WORKGROUP... + Done / Migration Complete!" +- ForensiT uninstall: MSI `{EBB35A92-355F-4818-BBF0-CFB6A5C33612}`; dirs removed; verified absent. + +## Pending / Incomplete Tasks + +- **EOW Fri 2026-06-19 (coord todo `79d291db-...`):** remove M365 Business Standard license from + `sss@starrpass.com`; then unlicense + delete the account (recycle bin, 30-day); remove stale Entra + device object `3eadf830-...`. Device side already complete. +- Ticket #32410: billing is **Winter's** (do not add line items). +- Optional: `/wiki-compile client:starr-pass` to fold this into the wiki. + +## Reference Information + +- Syncro ticket: https://computerguru.syncromsp.com/tickets/112539597 (#32410, customer Sharon Shinn + Smith id 35953489); internal comment id `419136986`. +- Bot alert: #bot-alerts message `1516195810956804327`. 
+- ForensiT: User Profile Wizard Professional, https://shop.forensit.com/products/user-profile-wizard-professional-edition +- Migration method: ForensiT deployment = `Profwiz.exe` + `ForensiTAzureID.xml` (Azure user map) in + `C:\ProgramData\ForensiT\User Profile Wizard Professional\Deployment Files`.
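Review bot: the "## Credentials & Secrets" section (and the Session Summary sentence "her password `398Montero` + Windows Hello PIN, set by the user, vaulted") commits the BitLocker recovery key, the local `Sharon` password and the Windows Hello PIN in plaintext to a markdown session log, even though the same log records that every one of these values already lives in a sops vault entry (`clients/starr-pass/sp-sharonw11-bitlocker`, `clients/starr-pass/sp-sharonw11-localadmin`). Once this lands, the secrets sit in git history on every clone, which defeats the purpose of vaulting them, and the log explicitly notes the vaulted BitLocker key is now the only recovery copy after the device left Entra escrow. Suggest reducing those bullets to vault references only, e.g. `- **SP-SharonW11 BitLocker recovery (C:)** — ID `{5B729537-6A45-42F5-BE21-DFB854188710}`; key in vault `clients/starr-pass/sp-sharonw11-bitlocker`.` and `- **SP-SharonW11 local `Sharon`** — password and PIN in vault `clients/starr-pass/sp-sharonw11-localadmin`.`, and doing the same for the password in the Session Summary. Because the values have already been written into a commit, treat them as exposed rather than relying on a history rewrite: rotate the local password and PIN and generate a fresh BitLocker recovery password, then update the vault entries. A secret-scanning pre-commit hook over `clients/**/session-logs/` would catch the next one. Minor: the ForensiT license bullet reads `` blob`` with empty backticks; if the blob was deliberately left out, say "in vault" so it does not look like a dropped value.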