Chatee ahora con Soporte
Chat con el soporte

On Demand Migration Current - Active Directory Intune, Autopilot and BitLocker Cleanup Quick Start Guide

Autopilot Cleanup

This task must be submitted by the migration administrator for the auto-pilot device to remove the autopilot object in Entra ID.

To allow enrolling the workstation into the target Intune, it is important to remove the source Auto-Pilot Enrollment information. Otherwise, the workstation thinks that it is already part of an Intune/Auto-Pilot Enrollment and will not try to enroll in the target.

First, the AutoPilot Cleanup Action must be submitted by the migration administrator, prior to performing the cutover event, to remove the autopilot object in Entra ID. Additionally, the Auto-Pilot Cleanup option must be selected in the Entra ID Join Profile so the cutover process can clean up the Autopilot registry keys on the device.

Intune Registry Cleanup

To allow enrolling the workstation into the target Intune, it is important to remove the source Intune Enrollment information. Otherwise, the workstation thinks that it is already part of an Intune Enrollment and will not try to enroll in the target. To accomplish this, the Intune Cleanup option must be selected in the Entra ID Join Profile.

SetUserEmailValues

When the machine enrolls in the target Intune, it will look for an Intune Licensed user in M365 using the UserEmail value found in the workstation registry. By default, this value is set to the Bulk Enrollment user, which does not have the relevant license, and prevents the Intune service from running correctly.

The product performs this automatically during Entra ID Device Join when the Enroll into Intune Management option is selected in EntraID Device Join Profile. The product will update the UserEmail value in the following registry key, setting it to the UPN of the logged-on target user.

  • HKLM:\System\CurrentControlSet\Control\CloudDomainJoin\JoinInfo

BitlockerBackupToEntraID (Optional)

When a machine is BitLocker enabled in the source Environment, the key is stored in the source Microsoft Entra ID. During the Workstation migration process the BitLocker key is not automatically migrated into the target Environment. To ensure that the recovery key is stored in the target tenant, this task will escrow the BitLocker key from the workstation and push into the target tenant post migration.

This script creates a separate PowerShell script on the workstation called BackupBitlockerKeyToADD.ps1 in the ODMAD agent folder and creates a Scheduled Task to execute BackupBitlockerKeyToADD.ps1 when the first target user logs on.

When the BackupBitlockerKeyToADD script runs during the first login post-migration, it will escrow the BitLocker recovery keys from the machine and store them in the Microsoft Entra ID object of the logged-on user and become viewable in the target Intune tenant.

The script will also create a log file in the ODM agent Files folder and then perform cleanup to remove the Scheduled Task and remove the script itself.

BackupBitlockerKeytoAAD
Param (
)
 
$output = New-Object BinaryTree.ADM.Agent.PSHelpers.PSOutput
 
 
$ScriptName = "BackupBitlockerKeyToADD.ps1"
 
$BacktoAAD = @"
 
Try{
   `$ODMADService = Get-Service -Name ODMActiveDirectory
   }
Catch{
     Write-Output "Error Retrieving Service Status...Terminating with error: `$(`$Error)"
     Exit 1
     }
If(`$ODMADService){
    Write-Output "ODM AD Agent Service Found...Finding ODM AD Agent Service Path"
    `$ODMADServicePath = (Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Services\ODMActiveDirectory).ImagePath
    `$ODMAgentPath = Split-Path `$ODMADServicePath
    `$ODMAgentPath = `$ODMAgentPath.Trim("``"")
    Write-Output "ODM AD Service Path: `$(`$ODMAgentPath)"
}
Else{
    Write-Output "No ODM Agent Service Found...Terminating"
    Exit 1
    }
 
`$TranscriptFile = "`$(`$ODMAgentPath)\Files\PowerShell-`$(Get-Date -f yyyyMMdd-HHMM)-BackupBitlockerKeyToAAD.log"
Start-Transcript -Path `$TranscriptFile
 
`$DriveLetter = `$env:SystemDrive
 
#endregion declarations
 
#region functions
 
function Test-Bitlocker (`$BitlockerDrive) {
    #Tests the drive for existing Bitlocker keyprotectors
    try {
        Get-BitLockerVolume -MountPoint `$BitlockerDrive -ErrorAction Stop
    } catch {
        Write-Output "Bitlocker was not found protecting the `$BitlockerDrive drive. Terminating script!"
        exit 0
    }
}
 
function Get-KeyProtectorId (`$BitlockerDrive) {
    #fetches the key protector ID of the drive
    `$BitLockerVolume = Get-BitLockerVolume -MountPoint `$BitlockerDrive
    `$KeyProtector = `$BitLockerVolume.KeyProtector | Where-Object { `$_.KeyProtectorType -eq 'RecoveryPassword' }
    return `$KeyProtector.KeyProtectorId
}
 
function Invoke-BitlockerEscrow (`$BitlockerDrive,`$BitlockerKey) {
    #Escrow the key into Azure AD
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint `$BitlockerDrive -KeyProtectorId `$BitlockerKey -ErrorAction SilentlyContinue
        Write-Output "Attempted to escrow key in Azure AD - Please verify manually!"
        exit 0
    } catch {
        Write-Error "Error Occurred"
        exit 1
    }
}
 
#endregion functions
 
#region execute
 
Test-Bitlocker -BitlockerDrive `$DriveLetter
`$KeyProtectorId = Get-KeyProtectorId -BitlockerDrive `$DriveLetter
Invoke-BitlockerEscrow -BitlockerDrive `$DriveLetter -BitlockerKey `$KeyProtectorId
 
#endregion execute
 
 
Remove-Item -path "`$ODMAgentPath\$($ScriptName)" -Force
 
Unregister-ScheduledTask -TaskName "$($TaskName)" -Confirm:`$false
 
Stop-Transcript
 
"@
 
#$output = New-Object BinaryTree.ADM.Agent.PSHelpers.PSOutput
 
### Get ODMAD Agent Information to determine path
Try{
   $ODMADService = Get-Service -Name ODMActiveDirectory -ErrorAction SilentlyContinue
   }
Catch{
    Write-Output "Error Retrieving Service Status...Terminating with error: $($Error)"
    Exit 1
    }
If($ODMADService){
    Write-Output "ODM AD Agent Service Found...Finding ODM AD Agent Service Path"
    $ODMADServicePath = (Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Services\ODMActiveDirectory).ImagePath
    $ODMAgentPath = Split-Path $ODMADServicePath
    $ODMAgentPath = $ODMAgentPath.Trim("`"")
    Write-Output "ODM AD Service Path: $($ODMAgentPath)"
}
Else{
    Write-Output "No ODM Agent Service Found...Terminating"
    Exit 1
    }
 
$AgentPath = "$ODMAgentPath\"
$ScriptFullName = $AgentPath+$ScriptName
If(!(Test-Path $ScriptFullName)) {
    New-item -path $ODMAgentPath -Name $ScriptName -Type "File" -Value $BacktoAAD
}
 
# Create Scheduled Task
$TaskName = "Backup Bitlocker Key"
$Argument = "-ExecutionPolicy Bypass -File `"$($ODMAgentPath)\$($ScriptName)`""
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument $Argument
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries
$Principal = New-ScheduledTaskPrincipal -UserId "LOCALSERVICE" -LogonType ServiceAccount
$Trigger = New-ScheduledTaskTrigger -Atlogon
$Trigger.Delay = "PT20M"
$ScheduledTask = New-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings
# Register Scheduled Task 
Register-ScheduledTask -TaskName $TaskName -InputObject $ScheduledTask -User "NT AUTHORITY\SYSTEM" -Force
 
return ($output)
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación