
On Demand Migration Current - Active Directory Entra-Joined Devices Quick Start Guide


After Cutover, why is the Windows screen flickering or displaying a black screen on some devices?

After a successful cutover, when the target user logs on to the device, Windows is unusable. On a Windows 10 device, the Windows taskbar just flickers. On a Windows 11 device, the screen is black; after about 10 minutes the Windows taskbar is displayed but does not function correctly.

This occurs only in the specific situation where the on-premises user object is synced to the source tenant user object using Entra Connect, and the same on-premises user object is then also synced to the target tenant user object using Entra Connect.

In this situation, the following registry keys lock the profile to the source tenant account, and they must be removed before logging on with the target account.

HKLM:\Software\Microsoft\IdentityStore\Cache - subfolders

and

HKLM:\Software\Microsoft\IdentityStore\LogonCache - subfolders

1 - This can be done manually on the device.

  1. Download and extract PSEXEC.

  2. Open a cmd prompt as admin.

  3. Change to the folder where PSEXEC was extracted and run

    "psexec -s -i cmd.exe"

    This will open a new cmd prompt running as the local system account.

  4. Run regedit from this new window.

  5. Perform the registry removal as mentioned above.

  6. Reboot device.

 

2 - Create a custom task in On Demand Migration Active Directory that will run PowerShell scripts to remove these registry keys.

This custom task can be added to a custom Entra Cutover action or be added to a new Action and run as required.

The following are SAMPLE scripts to remove these registry keys.

Note that these scripts are provided as-is for example purposes only, and you may need to modify them to work for your specific project.

If the scripts need to be amended, this will need to be done by you or with assistance from Quest’s Professional Services Team.

DeleteCache Script

# Define the registry path
$registryPath = "HKLM:\Software\Microsoft\IdentityStore\Cache"
# Check if the registry path exists
if (Test-Path $registryPath) {
    # Get all subkeys of the specified registry path
    $subkeys = Get-ChildItem -Path $registryPath 
    
    # Loop through each subkey and delete it
    foreach ($subkey in $subkeys) {
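        try {
            # -ErrorAction Stop turns a failed delete into a terminating error so the catch block runs
            Remove-Item -Path $subkey.PSPath -Recurse -Force -ErrorAction Stop
            Write-Output "Deleted: $($subkey.PSPath)"
        } catch {
            Write-Output "Failed to delete: $($subkey.PSPath) - $($_.Exception.Message)"
        }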
    }
} else {
    Write-Output "Registry path does not exist: $registryPath"
}

DeleteLogonCache Script

# Define the registry path
$registryPath = "HKLM:\Software\Microsoft\IdentityStore\LogonCache"
# Check if the registry path exists
if (Test-Path $registryPath) {
    # Get all subkeys of the specified registry path
    $subkeys = Get-ChildItem -Path $registryPath 
    
    # Loop through each subkey and delete it
    foreach ($subkey in $subkeys) {
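        try {
            # -ErrorAction Stop turns a failed delete into a terminating error so the catch block runs
            Remove-Item -Path $subkey.PSPath -Recurse -Force -ErrorAction Stop
            Write-Output "Deleted: $($subkey.PSPath)"
        } catch {
            Write-Output "Failed to delete: $($subkey.PSPath) - $($_.Exception.Message)"
        }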
    }
} else {
    Write-Output "Registry path does not exist: $registryPath"
}
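
The two sample scripts above differ only in the registry path, so the following script handles both keys in one pass, checks that it is running as the local system account (as the manual procedure does through psexec -s), and exports each key with reg.exe before removing its subkeys. It is an added example, not a Quest script; the -BackupDir parameter and its default folder are assumptions.

```powershell
# Added example, not a Quest script. BackupDir and its default are assumptions.
param(
    # Hypothetical backup location; change it to suit your project.
    [string]$BackupDir = "$env:ProgramData\IdentityStoreBackup"
)

# The two parent keys named in this FAQ; only their subkeys are removed.
$parents = @(
    'HKLM:\Software\Microsoft\IdentityStore\Cache',
    'HKLM:\Software\Microsoft\IdentityStore\LogonCache'
)

# The manual procedure runs regedit as local system, so require the same here.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsSystem) {
    Write-Error "Run as local system; current identity is $($me.Name)."
    exit 2
}

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$failed = 0
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

foreach ($parent in $parents) {
    if (-not (Test-Path $parent)) {
        Write-Output "Registry path does not exist: $parent"
        continue
    }
    # Export the whole parent key first so the removal can be reviewed or reverted.
    $leaf    = Split-Path $parent -Leaf
    $regPath = $parent -replace '^HKLM:\\', 'HKLM\'
    $file    = Join-Path $BackupDir "$leaf-$stamp.reg"
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Output "Backup failed, skipping: $parent"
        $failed++
        continue
    }
    foreach ($subkey in Get-ChildItem -Path $parent) {
        try {
            Remove-Item -Path $subkey.PSPath -Recurse -Force -ErrorAction Stop
            Write-Output "Deleted: $($subkey.Name)"
        } catch {
            Write-Output "Failed to delete: $($subkey.Name) - $($_.Exception.Message)"
            $failed++
        }
    }
}
# Exit code is the number of failures (0 means every subkey was removed).
exit $failed
```

The exported .reg files contain cached identity data from the source account, so restrict access to the backup folder and delete the files once the target logon has been validated.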

Can I migrate to and from GCC/GCCH tenants?

Active Directory supports GCC and GCCH as target environments, in addition to Commercial tenants. Only Commercial and GCC are supported as source environments. To enable GCC/GCCH Device Migration, please contact Quest Support for additional configuration described in the following article: Update GCC/GCCH tenant object's RID value for ReACL. This configuration is required for successfully switching the user profile during cutover.

Can I provision a local administrator for my devices during Microsoft Entra ID Join process?

For Microsoft Entra ID Devices, an optional local administrator account can be configured via the Microsoft Entra ID Join Provisioning Package. Additional detail can be found at this Link.

Can I provision additional applications and add a certificate for my devices during Microsoft Entra ID Join process?

For Microsoft Entra ID Devices, applications and a certificate can be configured via the Microsoft Entra ID Join Provisioning Package. Additional detail can be found at this Link.
