On Demand Migration Current - Active Directory Microsoft Entra ID Intune Device Migration Quick Start Guide

BitlockerBackupToEntraID (Optional)

When a machine is BitLocker enabled in the source environment, the recovery key is stored in the source Microsoft Entra ID. During the workstation migration process the BitLocker key is not automatically migrated into the target environment. To ensure that the recovery key is stored in the target tenant, this task escrows the BitLocker key from the workstation and pushes it into the target tenant after migration.

This script creates a separate PowerShell script on the workstation called BackupBitlockerKeyToADD.ps1 in the ODMAD agent folder and creates a Scheduled Task that executes BackupBitlockerKeyToADD.ps1 when the first target user logs on.

When the BackupBitlockerKeyToADD script runs during the first login post-migration, it escrows the BitLocker recovery keys from the machine and stores them in the Microsoft Entra ID object of the logged-on user, after which they become viewable in the target Intune tenant.

The script also writes a log file to the ODM agent Files folder and then performs cleanup: it removes the Scheduled Task and deletes itself.

BackupBitlockerKeytoAAD.txt

Param (
)
 
$output = New-Object BinaryTree.ADM.Agent.PSHelpers.PSOutput
 
$ScriptName = "BackupBitlockerKeyToADD.ps1"
# Defined before the here-string: the generated script expands it for its own cleanup step
$TaskName = "Backup Bitlocker Key"
 
# Contents of the script dropped on the workstation. Backtick-escaped variables are
# evaluated when that script runs at logon; unescaped ones are expanded now.
$BacktoAAD = @"
 
#region declarations
Try{
   `$ODMADService = Get-Service -Name ODMActiveDirectory
   }
Catch{
     Write-Output "Error Retrieving Service Status...Terminating with error: `$(`$Error)"
     Exit 1
     }
If(`$ODMADService){
    Write-Output "ODM AD Agent Service Found...Finding ODM AD Agent Service Path"
    `$ODMADServicePath = (Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Services\ODMActiveDirectory).ImagePath
    `$ODMAgentPath = Split-Path `$ODMADServicePath
    `$ODMAgentPath = `$ODMAgentPath.Trim("``"")
    Write-Output "ODM AD Service Path: `$(`$ODMAgentPath)"
}
Else{
    Write-Output "No ODM Agent Service Found...Terminating"
    Exit 1
    }
 
`$TranscriptFile = "`$(`$ODMAgentPath)\Files\PowerShell-`$(Get-Date -f yyyyMMdd-HHMM)-BackupBitlockerKeyToAAD.log"
Start-Transcript -Path `$TranscriptFile
 
`$DriveLetter = `$env:SystemDrive
 
#endregion declarations
 
#region functions
 
function Test-Bitlocker (`$BitlockerDrive) {
    # Returns true only when the drive has a recovery password key protector to escrow
    try {
        `$Volume = Get-BitLockerVolume -MountPoint `$BitlockerDrive -ErrorAction Stop
    } catch {
        Write-Output "Bitlocker was not found protecting the `$BitlockerDrive drive. Skipping escrow."
        return `$false
    }
    `$Recovery = @(`$Volume.KeyProtector | Where-Object { `$_.KeyProtectorType -eq 'RecoveryPassword' })
    if (`$Recovery.Count -eq 0) {
        Write-Output "No recovery password protector found on `$BitlockerDrive. Skipping escrow."
        return `$false
    }
    return `$true
}
 
function Get-KeyProtectorId (`$BitlockerDrive) {
    # Fetches the IDs of all recovery password key protectors of the drive
    `$BitLockerVolume = Get-BitLockerVolume -MountPoint `$BitlockerDrive
    `$KeyProtector = `$BitLockerVolume.KeyProtector | Where-Object { `$_.KeyProtectorType -eq 'RecoveryPassword' }
    return @(`$KeyProtector.KeyProtectorId)
}
 
function Invoke-BitlockerEscrow (`$BitlockerDrive,`$BitlockerKey) {
    # Escrow each recovery password protector into Microsoft Entra ID (Azure AD)
    foreach (`$Id in `$BitlockerKey) {
        try {
            BackupToAAD-BitLockerKeyProtector -MountPoint `$BitlockerDrive -KeyProtectorId `$Id -ErrorAction Stop
            Write-Output "Escrow of key protector `$Id requested in Azure AD - Please verify manually!"
        } catch {
            Write-Error "Error escrowing key protector `$Id : `$(`$_.Exception.Message)"
        }
    }
}
 
#endregion functions
 
#region execute
 
If (Test-Bitlocker -BitlockerDrive `$DriveLetter) {
    `$KeyProtectorId = Get-KeyProtectorId -BitlockerDrive `$DriveLetter
    Invoke-BitlockerEscrow -BitlockerDrive `$DriveLetter -BitlockerKey `$KeyProtectorId
}
 
#endregion execute
 
# Cleanup always runs so the task does not fire again at every logon
Remove-Item -path "`$ODMAgentPath\$($ScriptName)" -Force
 
Unregister-ScheduledTask -TaskName "$($TaskName)" -Confirm:`$false
 
Stop-Transcript
 
"@
 
#$output = New-Object BinaryTree.ADM.Agent.PSHelpers.PSOutput
 
### Get ODMAD Agent Information to determine path
Try{
   $ODMADService = Get-Service -Name ODMActiveDirectory -ErrorAction SilentlyContinue
   }
Catch{
    Write-Output "Error Retrieving Service Status...Terminating with error: $($Error)"
    Exit 1
    }
If($ODMADService){
    Write-Output "ODM AD Agent Service Found...Finding ODM AD Agent Service Path"
    $ODMADServicePath = (Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Services\ODMActiveDirectory).ImagePath
    $ODMAgentPath = Split-Path $ODMADServicePath
    $ODMAgentPath = $ODMAgentPath.Trim("`"")
    Write-Output "ODM AD Service Path: $($ODMAgentPath)"
}
Else{
    Write-Output "No ODM Agent Service Found...Terminating"
    Exit 1
    }
 
# Write the generated script into the agent folder (only if it is not already there)
$AgentPath = "$ODMAgentPath\"
$ScriptFullName = $AgentPath+$ScriptName
If(!(Test-Path $ScriptFullName)) {
    New-Item -Path $ODMAgentPath -Name $ScriptName -Type "File" -Value $BacktoAAD
}
 
# Create Scheduled Task: runs as SYSTEM at the next interactive logon, after a 20 minute delay
$Argument = "-ExecutionPolicy Bypass -File `"$($ODMAgentPath)\$($ScriptName)`""
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument $Argument
$Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries
$Trigger = New-ScheduledTaskTrigger -AtLogon
$Trigger.Delay = "PT20M"
$ScheduledTask = New-ScheduledTask -Action $Action -Trigger $Trigger -Settings $Settings
# Register Scheduled Task
Register-ScheduledTask -TaskName $TaskName -InputObject $ScheduledTask -User "NT AUTHORITY\SYSTEM" -Force
 
return ($output)
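Because the task only reports that escrow was attempted, the result should be confirmed on the workstation once the first target user has logged on and the 20 minute trigger delay has passed. The following check is an added example, not part of the ODMAD task script: it assumes the task name, script name and agent registry path used above, and reads the BitLocker-API Management event log, where Windows records event ID 845 when recovery information is backed up to Microsoft Entra ID and 846 when that backup fails.

```powershell
# Added verification example (not part of the ODMAD task script). Run elevated on the
# migrated workstation after the first target user logon plus the 20 minute trigger delay.
# Assumes the task name, script name and agent registry path used by the task above.
$TaskName   = "Backup Bitlocker Key"
$ScriptName = "BackupBitlockerKeyToADD.ps1"
$ImagePath  = (Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Services\ODMActiveDirectory).ImagePath
$AgentPath  = (Split-Path $ImagePath).Trim('"')

$check = [ordered]@{}

# 1. Cleanup: both should be False once the task has run to completion
$check.TaskStillRegistered = [bool](Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)
$check.ScriptStillPresent  = Test-Path (Join-Path $AgentPath $ScriptName)

# 2. Transcript the task wrote into the agent Files folder
$logs = @(Get-ChildItem -Path (Join-Path $AgentPath "Files") -Filter "*-BackupBitlockerKeyToAAD.log" -ErrorAction SilentlyContinue)
$check.TranscriptCount    = $logs.Count
$check.TranscriptHasError = if ($logs) { [bool](Select-String -Path $logs.FullName -Pattern "Error|Terminating|Skipping" -Quiet) } else { $null }

# 3. What Windows itself recorded: ID 845 = recovery info backed up to Entra ID, 846 = backup failed
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'; Id = 845, 846 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending)
$check.LastBackupEvent = if ($events.Count) { "{0} ID {1}: {2}" -f $events[0].TimeCreated, $events[0].Id, $events[0].Message.Trim() } else { "none" }

# 4. Every recovery password protector on the system drive needs a successful backup event
$protectors = @((Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$check.RecoveryProtectors = $protectors.Count
$check.SuccessEvents      = @($events | Where-Object Id -eq 845).Count

$check.Escrowed = (-not $check.TaskStillRegistered) -and ($check.RecoveryProtectors -gt 0) -and ($check.SuccessEvents -ge $check.RecoveryProtectors)
[pscustomobject]$check
```

Escrowed is True only when the task has cleaned itself up and Windows has logged a successful backup for every recovery password protector; a task that is still registered with no 845/846 events means the logon trigger has not fired yet, while an 846 event points at the tenant-side cause to investigate before re-running.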

SetPrimaryUser (Optional)

The Primary User value is automatically set in the target Microsoft Entra ID when performing a Microsoft Entra ID join. The product also provides the ability to set this value again via a default system action “Set Intune Primary User”. The default system action will set the last logon target user as the device Primary Intune User.

Implementation Process

Follow the steps below to add the optional BitlockerBackupToEntraID task to the custom Entra ID Cutover action created in step 1.

1. Copy the Default EntraIDCutover Action

  1. In ODMAD, select CONFIGURATIONS from the main ODMAD menu.

  2. Select ACTIONS.

  3. In the ACTIONS section, click SHOW SYSTEM.

  4. Find the EntraIDCutoverAction and select it.

  5. Click COPY, which will open the Edit a Custom Action dialog window. Configure the action as follows:

    1. ACTION NAME: IntuneMicrosoftEntraIDCutover

    2. ACTION DISPLAY NAME: Intune Microsoft Entra ID Cutover

    3. DESCRIPTION: Process to join an Intune/Autopilot workstation to a Microsoft Entra ID

    4. ACTION TARGET: Computer

    5. ACTION TYPE: Microsoft Entra ID Cutover

  6. Click the SAVE button to continue.

2. Add BitlockerBackupToEntraID Task (Optional: Only required if source workstations are Bitlockered)

  1. Scroll down to the TASKS section of the Action window and click NEW.

  2. The ADD A Custom Task window will appear. Configure this as follows:

    1. TASK NAME: BitlockerBackupToEntraID    

    2. DESCRIPTION: Backs up the BitLocker key from the workstation to the Entra ID user that logged on to the workstation

    3. TASK TYPE: PowerShell Script

  3. Click NEXT to Continue.

  4. Copy the BackupBitlockerToAAD Script into the SCRIPT Section.

    Note: There is no need to click the LOAD SCRIPT FRAMEWORK button, as the framework is already included in the PS1 file.

    BackupBitlockerKeytoAAD.txt

  5. Leave all other settings as default and click the SAVE button.

  6. Select the Task just created and select the IntuneMicrosoftEntraIDCutover Action that was created earlier. Click the ADD TO button to add this task to the action.

  7. Scroll up to the ACTIONS section and expand the IntuneMicrosoftEntraIDCutover Action. The task just added appears as the last step of the action; click and hold the task and drag it to the correct position in the sequence (after the SetUserEmailValues task, but before the BT-EntraIDCutover task). The change is saved automatically.

3. Add CleanupLocalAdministratorsGroup Task (Optional)

  1. Scroll down to the TASKS section of the Action window and click NEW.

  2. The ADD A Custom Task window will appear. Configure this as follows:

    1. TASK NAME: CleanupLocalAdministratorsGroup    

    2. DESCRIPTION: Removes Microsoft Entra ID Domain users from the local Administrators group before cutover.

    3. TASK TYPE: PowerShell Script

  3. Click NEXT to Continue.

  4. Copy the CleanupLocalAdministratorsGroup Script into the SCRIPT Section.

    Note: There is no need to click the LOAD SCRIPT FRAMEWORK button, as the framework is already included in the PS1 file.

    CleanUp Local Administrators Group.txt

  5. Leave all other settings as default and click the SAVE button.

  6. Select the Task just created and select the IntuneMicrosoftEntraIDCutover Action that was created earlier. Click the ADD TO button to add this task to the action.

  7. Scroll up to the ACTIONS section and expand the IntuneMicrosoftEntraIDCutover Action. The task just added appears as the last step of the action; click and hold the task and drag it to the correct position in the sequence (after the SetUserEmailValues task, but before the BT-EntraIDCutover task). The change is saved automatically.

Intune Cutover Run Book

This runbook assumes that the computer has been read into On Demand and that the workstation has the agent installed, configured, and registered.

1. Run Re-ACL Process

  1. In On Demand, navigate to Devices and Servers.

  2. Select the Device and from the drop-down menu select Re-ACL.

  3. Select the Re-ACL profile and follow the on-screen prompts.

2. Run Cutover Process

2a. Remove Workstation from Source Autopilot

This process must be completed manually and removes the device serial number from the source tenant. If the device is not removed from the source Autopilot, any attempt to run Autopilot on the device in the future will result in it being auto-deployed to the source tenant again.

  1. In On Demand, navigate to Devices and Servers.

  2. Select the Device(s) to be cutover and from the drop-down menu select “Autopilot Cleanup”.

  3. Once the job is completed, move to the next step.

2b. Cutover the Device using ODMAD

  1. In On Demand, navigate to Devices and Servers.

  2. Select the Device(s) to be cutover and from the drop-down menu select Intune Microsoft Entra ID Cutover.

  3. Select the Microsoft Entra ID Cutover Profile and follow the on-screen prompts.
