sync: auto-sync from GURU-5070 at 2026-06-15 14:43:03

Author: Mike Swanson
Machine: GURU-5070
Timestamp: 2026-06-15 14:43:03

clients/starr-pass/session-logs/2026-06/2026-06-15-mike-sp-sharonw11-entra-to-local-migration.md

@@ -0,0 +1,143 @@
+## User
+- **User:** Mike Swanson (mike)
+- **Machine:** GURU-5070
+- **Role:** admin
+
+## Session Summary
+
+Decommissioned the Microsoft 365 (Entra) account binding on Sharon Shinn-Smith's laptop
+**SP-SharonW11** (Win11 Pro 25H2, GuruRMM agent `86de13d7-0f81-43ac-85d9-1d52855c805d`, client
+"Shinn, Sharon" / related to Starr Pass Realty) and converted her to a standalone local Windows
+account, preserving her full profile. She is leaving Starr Pass; the `sss@starrpass.com` account
+is being decommissioned (it had been deleted 2026-06-10, then re-enabled to keep her login working
+during this work).
+
+Diagnosed state via read-only GuruRMM PowerShell + the M365 remediation tooling (Graph, Starr Pass
+tenant `222450dd-141f-435f-87b8-cec719aac99e`): the PC was **Azure AD Joined** (not Intune-managed,
+`MdmUrl` empty), she logged in as `AzureAD\SharonShinn-Smith` (profile `C:\Users\SharonShinn-Smith`,
+~32.5 GB, **0 online-only OneDrive placeholders** so all data local), and she was a local admin.
+BitLocker was on (TPM + RecoveryPassword, C: fully encrypted). Captured the BitLocker recovery key
+and vaulted it before touching anything, then suspended BitLocker for the migration.
+
+Prep (RMM, while she was still logged in): suspended BitLocker (`-RebootCount 3`), set the existing
+`localadmin` to a known password (no prior copy was vaulted) as the fallback admin, and created a
+new local admin account `Sharon` (SID `S-1-5-21-1582313589-3677914524-862139451-1004`). All
+passwords vaulted. Researched the migration tool: ForensiT **User Profile Wizard Professional**
+(per-technician, unlimited machines, $149.95 perpetual) is the correct edition (Azure-AD source is
+a paid-edition feature; the free Personal edition cannot). The user purchased it and installed it
+on the box; its deployment package lives at
+`C:\ProgramData\ForensiT\User Profile Wizard Professional\Deployment Files`. Rather than run the
+interactive `Save-AzureADUser.ps1` (needs Microsoft.Graph + a browser login), generated
+`ForensiTAzureID.xml` directly from our remediation Graph access and staged it in the deployment
+folder (verified Sharon's Azure ObjectId `4563c56e-...` matches her on-disk S-1-12-1 profile SID).
+
+Force-logged-off Sharon (authorized) to free the profile. The tech ran ProfWiz Pro (GUI, the one
+step Pro can't automate). Verified the outcome: profile migrated to `C:\Users\Sharon` owned by
+local `SP-SharonW11\Sharon`; ProfWiz also left the Entra tenant (`AzureAdJoined: NO`, workgroup);
+"Migration Complete!" in its log. Sharon logged into the local account successfully (her password
+`398Montero` + Windows Hello PIN, set by the user, vaulted). Resumed BitLocker (back On). Removed
+ForensiT entirely afterward (MSI uninstall + deleted `C:\ProgramData\ForensiT` incl. the staged
+tenant-data XML/logs/license, and `Program Files (x86)\ForensiT`). Updated Syncro ticket **#32410**
+with an internal work note (Winter handles billing). The M365 license removal / account deletion /
+Entra device-object cleanup was **deferred to end of week (Fri 2026-06-19)** per the user (she keeps
+Office through the week) and filed as coord todo `79d291db-...`.
+
+## Key Decisions
+
+- **Re-point the profile in place (ForensiT UPW Pro), not a Fab's backup/restore.** Preserves the
+  32.5 GB profile in place; Fab's copy-based restore was the heavier fallback, not needed.
+- **Professional edition, not Corporate.** Per-tech/unlimited-machines fits ACG (reusable for all
+  future migrations); Azure-AD source is supported in Pro. Corporate's only delta is zero-touch
+  silent deployment, which we don't need for one machine.
+- **Generated `ForensiTAzureID.xml` from our Graph access** instead of running ForensiT's
+  `Save-AzureADUser.ps1` on the box — avoids installing the Microsoft.Graph module and an
+  interactive Graph login on the client machine.
+- **Captured + vaulted the BitLocker recovery key before any change.** Entra escrow ends when the
+  device leaves the tenant; the vaulted key is the only recovery copy afterward.
+- **Established a known `localadmin` before the Entra leave.** No local-admin password was vaulted;
+  a known fallback admin is mandatory before stripping the cloud identity.
+- **Office reduced-functionality accepted** (new employer provides a license) — so the plan is to
+  pull the M365 license, not reassign one.
+- **Deferred the M365 decommission to EOW** per the user; tracked as a coord todo so it isn't lost.
+- **Did NOT run ProfWiz headless/blind.** Pro has no silent mode and our case is a rename
+  (`sss` -> local `Sharon`); a guessed config could target the wrong account. The GUI run made the
+  source/target explicit and correct.
+
+## Problems Encountered
+
+- **ProfWiz Pro is GUI-only on this edition** (silent = Corporate). The actual re-point had to be a
+  tech GUI run via ScreenConnect; everything else (prep, AzureID staging, post-steps) was automated
+  via RMM.
+- **forensit.com is Cloudflare-403** to both our WebFetch and the client machine's
+  `Invoke-WebRequest` — the attempted silent download/install of the installer failed
+  (`C:\IT-Migration` never created; logged to errorlog.md). The installer was brought to the box by
+  the user instead.
+- **BitlockerKey.Read.All not in our app suite** — Graph call for Entra-escrowed BitLocker keys
+  returned 403 (tenant-admin tier). Moot: the key was pulled directly from the device.
+- **Sharon logged back in mid-process** (session 2 at 2:12 PM) after being logged out, re-blocking
+  the migration. Resolved with an authorized force-logoff (resolved her session by username so only
+  hers was killed); confirmed her profile hive unloaded before the run.
+- **ProfWiz logged "Leaving Azure AD Tenant... Done with error"** but the end state was correct
+  (`AzureAdJoined: NO`, workgroup). The "error" is the Entra-side device-object removal it couldn't
+  perform; that cleanup is part of the deferred EOW task.
+
+## Configuration Changes
+
+Created (vault, all pushed):
+- `clients/starr-pass/sp-sharonw11-bitlocker.sops.yaml` — BitLocker recovery key.
+- `clients/starr-pass/sp-sharonw11-localadmin.sops.yaml` — `localadmin` pw + Sharon's local pw/PIN.
+- `msp-tools/forensit-user-profile-wizard.sops.yaml` — ForensiT UPW Professional license blob.
+
+SP-SharonW11 (via RMM): BitLocker suspended then resumed; `localadmin` password set; local `Sharon`
+admin created; `ForensiTAzureID.xml` staged then removed with the rest of ForensiT; ForensiT UPW Pro
+installed (by user) then uninstalled; device moved AzureAD-joined -> workgroup.
+
+Syncro: ticket #32410 internal comment `419136986` added (hidden, Mike user_id 1735).
+Coord: todo `79d291db-6461-4b9d-9bc1-823b9edd880d` (EOW M365 decommission).
+errorlog.md: one entry (ProfWiz silent-install RMM failure).
+
+## Credentials & Secrets
+
+- **SP-SharonW11 BitLocker recovery (C:)** — ID `{5B729537-6A45-42F5-BE21-DFB854188710}`, key
+  `477840-518793-492481-104819-612018-532235-224532-011033`. Vault `clients/starr-pass/sp-sharonw11-bitlocker`.
+- **SP-SharonW11 local `Sharon`** — password `398Montero`, Windows Hello PIN `722222` (set by user;
+  supersedes the random pw generated at account creation). Vault `clients/starr-pass/sp-sharonw11-localadmin`.
+- **SP-SharonW11 `localadmin`** — known pw set this session; in the same vault entry (`localadmin_password`).
+- **ForensiT UPW Professional license** — `<licensing>` blob; vault `msp-tools/forensit-user-profile-wizard`
+  (per-tech, reusable on all future ACG migrations).
+
+## Infrastructure & Servers
+
+- **SP-SharonW11** — Win11 Pro 25H2 (10.0.26200), GuruRMM agent `86de13d7-0f81-43ac-85d9-1d52855c805d`,
+  RMM client "Shinn, Sharon" / site "Home". Now workgroup, local `Sharon` (SID `...-1004`).
+- **Starr Pass M365 tenant** — `222450dd-141f-435f-87b8-cec719aac99e` (Starr Pass Realty). User
+  `sss@starrpass.com` id `4563c56e-9cf8-4079-8f7c-04797e4951f6`, licensed O365_BUSINESS_PREMIUM
+  (M365 Business Standard). Entra device object `SP-SharonW11` = `3eadf830-f070-4126-9179-d83413a71f55`
+  (still to remove). Other tenant users: `cansley@starrpass.com` `7ef84dbb-...`, `sysadmin@starrpass.com` `9a2fc5d6-...`.
+
+## Commands & Outputs
+
+- RMM dispatch pattern: resolve agent by id, `command_type:"powershell"`, poll `/api/commands/{id}`.
+- Profile owner verify: `Get-Acl C:\Users\Sharon` -> `SP-SharonW11\Sharon`; ProfileList SID `...-1004`
+  -> `C:\Users\Sharon`. dsregcmd: `AzureAdJoined : NO`.
+- ProfWiz log `C:\ProgramData\ForensiT\Logs\Profwiz_SP-SHARONW11_..._Sharon.log`: "Setting Profile
+  ACL... Done (22s) / Leaving Azure AD Tenant... Done with error / Joining workgroup WORKGROUP...
+  Done / Migration Complete!"
+- ForensiT uninstall: MSI `{EBB35A92-355F-4818-BBF0-CFB6A5C33612}`; dirs removed; verified absent.
+
+## Pending / Incomplete Tasks
+
+- **EOW Fri 2026-06-19 (coord todo `79d291db-...`):** remove M365 Business Standard license from
+  `sss@starrpass.com`; then unlicense + delete the account (recycle bin, 30-day); remove stale Entra
+  device object `3eadf830-...`. Device side already complete.
+- Ticket #32410: billing is **Winter's** (do not add line items).
+- Optional: `/wiki-compile client:starr-pass` to fold this into the wiki.
+
+## Reference Information
+
+- Syncro ticket: https://computerguru.syncromsp.com/tickets/112539597 (#32410, customer Sharon Shinn
+  Smith id 35953489); internal comment id `419136986`.
+- Bot alert: #bot-alerts message `1516195810956804327`.
+- ForensiT: User Profile Wizard Professional, https://shop.forensit.com/products/user-profile-wizard-professional-edition
+- Migration method: ForensiT deployment = `Profwiz.exe` + `ForensiTAzureID.xml` (Azure user map) in
+  `C:\ProgramData\ForensiT\User Profile Wizard Professional\Deployment Files`.