CleanUpLocalAdministratorsGroup (Optional)
If the ReACL profile is configured to process local users & groups, the ReACL process will add the target user’s Microsoft Entra ID account to the local Administrators group if the source user is a member of that group. If this is not allowed by target security policies, then the target user accounts should be removed from the local Administrators group before migration, as local groups can be managed in the Target Intune environment post-migration.
This script will check the Local Administrators group (identified by SID in case the group has been renamed) and will remove any users where the domain portion of their username matches “Microsoft Entra ID”
CleanUp Local Administrators Group.ps1
Param ( |
) |
|
$output = New-Object BinaryTree.ADM.Agent.PSHelpers.PSOutput |
|
$CleanUnresolvedSIDS = $false |
If($CleanUnresolvedSIDS -eq $true){Write-Output "Clean up of unresolved SIDs is Enabled"} |
Else{Write-Output "Clean up of unresolved SIDs is Disabled"} |
|
|
### Get Local Administrators Group |
$Get_Local_AdminGroup = Get-WmiObject win32_group -Filter "Domain='$env:computername' and SID='S-1-5-32-544'" |
$Get_Local_AdminGroup_Name = $Get_Local_AdminGroup.Name |
Write-Output "Administrators group name is: $($Get_Local_AdminGroup_Name)" |
|
## Get Local Administrators group owners |
$group = [ADSI]"WinNT://$env:COMPUTERNAME/$($Get_Local_AdminGroup_Name)" |
$admins = $group.Invoke('Members') | % { |
$path = ([adsi]$_).path |
[pscustomobject]@{ |
Computer = $env:COMPUTERNAME |
Domain = $(Split-Path (Split-Path $path) -Leaf) |
User = $(Split-Path $path -Leaf) |
} |
} |
|
### Filter for AzureAD Acounts only - Ignore all other accounts |
|
foreach($admin in $admins){ |
If($admin.Domain -eq "AzureAD"){ |
Write-Output "Removing AzureAD Users from Local Administrators Group" |
Write-Output " Removing AzureAD User: $($admin.User)" |
Try{ |
Remove-LocalGroupMember -Group $Get_Local_AdminGroup_Name -Member "$($admin.domain)\$($admin.user)" |
} |
Catch{ |
Write-Output "Error occured removing $($admin.user) from $($Get_Local_AdminGroup_Name) group" |
} |
} |
|
} |
|
### OPTIONAL: Clean up unresolved SIDs - Controled by status of the $CleanUnresvoldeSIDS Variable ($True=Enabled, $False=Disabled) |
|
If($CleanUnresolvedSIDS -eq $True){ |
Write-Output "Removing unresolved SIDs from Group" |
foreach($admin in $admins){ |
$admin |
#### Check if SID starts with S-1-12-1 (AzureAD objects) -If Yes then ignore |
If($admin.user.StartsWith('S-1-12-1')){ |
Write-Output "AzureAD User Found - Ignoring unresolved SID" |
Continue |
} |
ElseIf($admin.Domain -eq "WinNT:\"){ |
Write-Output " Removing unresolved SID: $($admin.User) from $($Get_Local_AdminGroup_Name)" |
Try{ |
Remove-LocalGroupMember -Group $Get_Local_AdminGroup_Name -Member $admin.user |
} |
Catch{ |
Write-Output "Error occured removing $($admin.user) from $($Get_Local_AdminGroup_Name) group" |
} |
} |
} |
} |
|
|
return ($output) |
SetPrimaryUser (Optional)
The Primary User value is automatically set in the target Microsoft Entra ID when performing a Microsoft Entra ID join. The product also provides the ability to set this value again via a default system action “Set Intune Primary User”. The default system action will set the last logon target user as the device Primary Intune User.
Implementation Process
Refer to the below steps to configure the Optional BitlockerBackupToEntraID task to the custom EntraID Cutover action we are about to create.
Step 1. Copy the Default EntraIDCutover Action
- In ODMAD using Select CONFIGURATIONS from the main ODMAD Menu.
- Select ACTIONS.
- In the ACTIONS section select click SHOW SYSTEM.
- Find the EntraIDCutoverAction and select it.
- Click COPY, which will open the Edit a Custom Action dialog window. Configure the action as follows:
- ACTION NAME- IntuneMicrosoftEntraIDCutover
- ACTION DISPLAY NAME- Intune Microsoft Entra ID Cutover
- DESCRIPTION - Process to join an Intune/Autopilot workstation to an Microsoft Entra ID
- ACTION TARGET - Computer
- ACTION TYPE - Microsoft Entra ID Cutover
- Click the SAVE to continue.
Step 2. Add BitlockerBackupToEntraID Task
(Optional: Only required if source workstations are BitLockered)
- Scroll down to the TASKS section of the Action window and click NEW.
- The ADD A Custom Task window will appear. Configure this as follows:
- TASK NAME: BitlockerBackupToEntraID
- DESCRIPTION: Backups the Bitlocker key from the Workstation to Entra ID user that logged on to the workstation
- TASK TYPE: PowerShell Script
- Click NEXT to Continue.
- Copy the BackupBitlockerKeytoAAD.ps1 script into the SCRIPT section. There is no need to click the LOAD SCRIPT FRAMWORK as this is included in the PS1 file.
- Run the PowerShell script
- Leave all other settings as default and click the SAVE.
- Select the Task just created and select the IntuneMicrosoftEntraIDCutover Action that was created earlier. Click the ADD TO to add this task to the action.
- Scroll up the ACTIONS section and expand the IntuneMicrosoftEntraIDCutover Action. The task just added will appear as the last step of the action, click+hold on the task and drag to correct position in the script (after the SetUserEmailValues task, but before the BT-EntraIDCutover task). The change will be saved automatically.
Step 3. Add CleanupLocalAdministratorsGroup Task
(Optional: Only required if source administrator must be removed from the target Local Administrator Group. )
- Scroll down to the TASKS section of the Action window and click NEW.
- The ADD A Custom Task window will appear. Configure this as follows:
- TASK NAME - CleanupLocalAdministratorsGroup
- DESCRIPTION - Removes Microsoft Entra ID Domain users from the local Administrators group before cutover.
- TASK TYPE - PowerShell Script
- Click NEXT to continue.
- Copy the CleanUp Local Administrators Group.ps1 script into the SCRIPT section. There is no need to click the LOAD SCRIPT FRAMEWORK as this is included in the PS1 file.
- Run the PowerShell script
- Leave all other settings as default and click the SAVE.
- Select the Task just created and select the IntuneMicrosoftEntraIDCutover Action that was created earlier. Click the ADD TO to add this task to the action.
- Scroll up the ACTIONS section and expand the IntuneMicrosoftEntraIDCutover Action. The task just added will appear as the last step of the action, click+hold on the task and drag to correct position in the script (after the SetUserEmailValues task, but before the BT-EntraIDCutover task). The change will be saved automatically.
Intune Cutover Run Book
This run book assumes that the computer had been read in to On Demand and the workstation has the agent installed, configured, and registered.
Step 1. Run Re-ACL Process
- In On Demand, navigate to Devices and Servers.
- Select the Device and from the drop-down menu select Re-ACL.
- Select the Re-ACL profile and follow the on-screen prompts.
Step 2. Run Cutover Process
a. Remove Workstation from Source Autopilot
The Autopilot Clean action must be completed and On Demand Migration Active Directory will automatically remove the serial number from the source tenant.
- In On Demand, navigate to Devices and Servers.
- Select the Device(s) to be cutover and from the drop-down menu select Autopilot Cleanup.
- Once the job is completed, move to the next step.
b. Cutover the Device using ODMAD
- In On Demand, navigate to Devices and Servers.
- Select the Device(s) to be cutover and from the drop-down menu select Intune Microsoft Entra ID Cutover.
- Select the Microsoft Entra ID Cutover Profile and follow the on-screen prompts.
