sync: auto-sync from GURU-5070 at 2026-06-15 14:43:03

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-15 14:43:03
This commit is contained in:
2026-06-15 14:43:19 -07:00
parent 20d8b29a36
commit 9b4e86cdfc


@@ -0,0 +1,143 @@
## User
- **User:** Mike Swanson (mike)
- **Machine:** GURU-5070
- **Role:** admin
## Session Summary
Decommissioned the Microsoft 365 (Entra) account binding on Sharon Shinn-Smith's laptop
**SP-SharonW11** (Win11 Pro 25H2, GuruRMM agent `86de13d7-0f81-43ac-85d9-1d52855c805d`, client
"Shinn, Sharon" / related to Starr Pass Realty) and converted her to a standalone local Windows
account, preserving her full profile. She is leaving Starr Pass; the `sss@starrpass.com` account
is being decommissioned (it had been deleted 2026-06-10, then re-enabled to keep her login working
during this work).
Diagnosed state via read-only GuruRMM PowerShell + the M365 remediation tooling (Graph, Starr Pass
tenant `222450dd-141f-435f-87b8-cec719aac99e`): the PC was **Azure AD Joined** (not Intune-managed,
`MdmUrl` empty), she logged in as `AzureAD\SharonShinn-Smith` (profile `C:\Users\SharonShinn-Smith`,
~32.5 GB, **0 online-only OneDrive placeholders** so all data local), and she was a local admin.
BitLocker was on (TPM + RecoveryPassword, C: fully encrypted). Captured the BitLocker recovery key
and vaulted it before touching anything, then suspended BitLocker for the migration.
Prep (RMM, while she was still logged in): suspended BitLocker (`-RebootCount 3`), set the existing
`localadmin` to a known password (no prior copy was vaulted) as the fallback admin, and created a
new local admin account `Sharon` (SID `S-1-5-21-1582313589-3677914524-862139451-1004`). All
passwords vaulted. Researched the migration tool: ForensiT **User Profile Wizard Professional**
(per-technician, unlimited machines, $149.95 perpetual) is the correct edition (Azure-AD source is
a paid-edition feature; the free Personal edition cannot). The user purchased it and installed it
on the box; its deployment package lives at
`C:\ProgramData\ForensiT\User Profile Wizard Professional\Deployment Files`. Rather than run the
interactive `Save-AzureADUser.ps1` (needs Microsoft.Graph + a browser login), generated
`ForensiTAzureID.xml` directly from our remediation Graph access and staged it in the deployment
folder (verified Sharon's Azure ObjectId `4563c56e-...` matches her on-disk S-1-12-1 profile SID).
Force-logged-off Sharon (authorized) to free the profile. The tech ran ProfWiz Pro (GUI, the one
step Pro can't automate). Verified the outcome: profile migrated to `C:\Users\Sharon` owned by
local `SP-SharonW11\Sharon`; ProfWiz also left the Entra tenant (`AzureAdJoined: NO`, workgroup);
"Migration Complete!" in its log. Sharon logged into the local account successfully (her password
`398Montero` + Windows Hello PIN, set by the user, vaulted). Resumed BitLocker (back On). Removed
ForensiT entirely afterward (MSI uninstall + deleted `C:\ProgramData\ForensiT` incl. the staged
tenant-data XML/logs/license, and `Program Files (x86)\ForensiT`). Updated Syncro ticket **#32410**
with an internal work note (Winter handles billing). The M365 license removal / account deletion /
Entra device-object cleanup was **deferred to end of week (Fri 2026-06-19)** per the user (she keeps
Office through the week) and filed as coord todo `79d291db-...`.
## Key Decisions
- **Re-point the profile in place (ForensiT UPW Pro), not a Fab's backup/restore.** Preserves the
32.5 GB profile in place; Fab's copy-based restore was the heavier fallback, not needed.
- **Professional edition, not Corporate.** Per-tech/unlimited-machines fits ACG (reusable for all
future migrations); Azure-AD source is supported in Pro. Corporate's only delta is zero-touch
silent deployment, which we don't need for one machine.
- **Generated `ForensiTAzureID.xml` from our Graph access** instead of running ForensiT's
`Save-AzureADUser.ps1` on the box — avoids installing the Microsoft.Graph module and an
interactive Graph login on the client machine.
- **Captured + vaulted the BitLocker recovery key before any change.** Entra escrow ends when the
device leaves the tenant; the vaulted key is the only recovery copy afterward.
- **Established a known `localadmin` before the Entra leave.** No local-admin password was vaulted;
a known fallback admin is mandatory before stripping the cloud identity.
- **Office reduced-functionality accepted** (new employer provides a license) — so the plan is to
pull the M365 license, not reassign one.
- **Deferred the M365 decommission to EOW** per the user; tracked as a coord todo so it isn't lost.
- **Did NOT run ProfWiz headless/blind.** Pro has no silent mode and our case is a rename
(`sss` -> local `Sharon`); a guessed config could target the wrong account. The GUI run made the
source/target explicit and correct.
## Problems Encountered
- **ProfWiz Pro is GUI-only on this edition** (silent = Corporate). The actual re-point had to be a
tech GUI run via ScreenConnect; everything else (prep, AzureID staging, post-steps) was automated
via RMM.
- **forensit.com is Cloudflare-403** to both our WebFetch and the client machine's
`Invoke-WebRequest` — the attempted silent download/install of the installer failed
(`C:\IT-Migration` never created; logged to errorlog.md). The installer was brought to the box by
the user instead.
- **BitlockerKey.Read.All not in our app suite** — Graph call for Entra-escrowed BitLocker keys
returned 403 (tenant-admin tier). Moot: the key was pulled directly from the device.
- **Sharon logged back in mid-process** (session 2 at 2:12 PM) after being logged out, re-blocking
the migration. Resolved with an authorized force-logoff (resolved her session by username so only
hers was killed); confirmed her profile hive unloaded before the run.
- **ProfWiz logged "Leaving Azure AD Tenant... Done with error"** but the end state was correct
(`AzureAdJoined: NO`, workgroup). The "error" is the Entra-side device-object removal it couldn't
perform; that cleanup is part of the deferred EOW task.
## Configuration Changes
Created (vault, all pushed):
- `clients/starr-pass/sp-sharonw11-bitlocker.sops.yaml` — BitLocker recovery key.
- `clients/starr-pass/sp-sharonw11-localadmin.sops.yaml``localadmin` pw + Sharon's local pw/PIN.
- `msp-tools/forensit-user-profile-wizard.sops.yaml` — ForensiT UPW Professional license blob.
SP-SharonW11 (via RMM): BitLocker suspended then resumed; `localadmin` password set; local `Sharon`
admin created; `ForensiTAzureID.xml` staged then removed with the rest of ForensiT; ForensiT UPW Pro
installed (by user) then uninstalled; device moved AzureAD-joined -> workgroup.
Syncro: ticket #32410 internal comment `419136986` added (hidden, Mike user_id 1735).
Coord: todo `79d291db-6461-4b9d-9bc1-823b9edd880d` (EOW M365 decommission).
errorlog.md: one entry (ProfWiz silent-install RMM failure).
## Credentials & Secrets
- **SP-SharonW11 BitLocker recovery (C:)** — ID `{5B729537-6A45-42F5-BE21-DFB854188710}`, key
`477840-518793-492481-104819-612018-532235-224532-011033`. Vault `clients/starr-pass/sp-sharonw11-bitlocker`.
- **SP-SharonW11 local `Sharon`** — password `398Montero`, Windows Hello PIN `722222` (set by user;
supersedes the random pw generated at account creation). Vault `clients/starr-pass/sp-sharonw11-localadmin`.
- **SP-SharonW11 `localadmin`** — known pw set this session; in the same vault entry (`localadmin_password`).
- **ForensiT UPW Professional license** — `<licensing>` blob; vault `msp-tools/forensit-user-profile-wizard`
(per-tech, reusable on all future ACG migrations).
## Infrastructure & Servers
- **SP-SharonW11** — Win11 Pro 25H2 (10.0.26200), GuruRMM agent `86de13d7-0f81-43ac-85d9-1d52855c805d`,
RMM client "Shinn, Sharon" / site "Home". Now workgroup, local `Sharon` (SID `...-1004`).
- **Starr Pass M365 tenant** — `222450dd-141f-435f-87b8-cec719aac99e` (Starr Pass Realty). User
`sss@starrpass.com` id `4563c56e-9cf8-4079-8f7c-04797e4951f6`, licensed O365_BUSINESS_PREMIUM
(M365 Business Standard). Entra device object `SP-SharonW11` = `3eadf830-f070-4126-9179-d83413a71f55`
(still to remove). Other tenant users: `cansley@starrpass.com` `7ef84dbb-...`, `sysadmin@starrpass.com` `9a2fc5d6-...`.
## Commands & Outputs
- RMM dispatch pattern: resolve agent by id, `command_type:"powershell"`, poll `/api/commands/{id}`.
- Profile owner verify: `Get-Acl C:\Users\Sharon` -> `SP-SharonW11\Sharon`; ProfileList SID `...-1004`
-> `C:\Users\Sharon`. dsregcmd: `AzureAdJoined : NO`.
- ProfWiz log `C:\ProgramData\ForensiT\Logs\Profwiz_SP-SHARONW11_..._Sharon.log`: "Setting Profile
ACL... Done (22s) / Leaving Azure AD Tenant... Done with error / Joining workgroup WORKGROUP...
Done / Migration Complete!"
- ForensiT uninstall: MSI `{EBB35A92-355F-4818-BBF0-CFB6A5C33612}`; dirs removed; verified absent.
## Pending / Incomplete Tasks
- **EOW Fri 2026-06-19 (coord todo `79d291db-...`):** remove M365 Business Standard license from
`sss@starrpass.com`; then unlicense + delete the account (recycle bin, 30-day); remove stale Entra
device object `3eadf830-...`. Device side already complete.
- Ticket #32410: billing is **Winter's** (do not add line items).
- Optional: `/wiki-compile client:starr-pass` to fold this into the wiki.
## Reference Information
- Syncro ticket: https://computerguru.syncromsp.com/tickets/112539597 (#32410, customer Sharon Shinn
Smith id 35953489); internal comment id `419136986`.
- Bot alert: #bot-alerts message `1516195810956804327`.
- ForensiT: User Profile Wizard Professional, https://shop.forensit.com/products/user-profile-wizard-professional-edition
- Migration method: ForensiT deployment = `Profwiz.exe` + `ForensiTAzureID.xml` (Azure user map) in
`C:\ProgramData\ForensiT\User Profile Wizard Professional\Deployment Files`.
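Review bot: the "Credentials & Secrets" section and the summary commit live secrets in plaintext to the repository, and since this file is auto-synced the values are now in git history, not just in the working tree. The BitLocker recovery password (`477840-518793-...`), the local account password (`398Montero`) and the Windows Hello PIN (`722222`) are all already stored in the sops entries the same section names (`clients/starr-pass/sp-sharonw11-bitlocker`, `clients/starr-pass/sp-sharonw11-localadmin`), so the log should carry only the vault path, the way the `localadmin` bullet already does ("known pw set this session; in the same vault entry"). Because the values have been committed, they should be treated as exposed and rotated rather than only redacted: reset the local `Sharon` password and PIN and update the vault entry, and replace the C: recovery protector with a new one and re-vault it, since after the Entra leave that vaulted copy is, as the Key Decisions section notes, the only recovery copy. The same redact-and-vault rule applies to the ForensiT `<licensing>` blob reference if it is ever pasted here rather than referenced by vault path.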