After a successful cutover, when the target user logs on to the device, Windows is unusable. On a Windows 10 device, the Windows taskbar just flickers. On a Windows 11 device, the screen is black; after about 10 minutes the Windows taskbar is displayed but does not function correctly.
This only occurs in the unique situation where the On Premise user object is synced to the source tenant user object using Entra Connect and the same On Premise user object is then also synced to the target tenant user object using Entra Connect.
In this situation, the following registry keys are locking the profile to the source tenant account, and these keys must be removed before logging on with the target account.
HKLM:\Software\Microsoft\IdentityStore\Cache - subfolders
And
HKLM:\Software\Microsoft\IdentityStore\LogonCache - subfolders
1 - This can be done manually on the device.
- Download and extract PSEXEC.
- Open a cmd prompt as admin.
- Change location to the folder where PSEXEC has been extracted and run "psexec -s -i cmd.exe". This will open a new cmd prompt running as the local system account.
- Run regedit from this new window.
- Perform the registry removal as mentioned above.
- Reboot device.
2 - Create a custom task in On Demand Migration Active Directory that will run PowerShell scripts to remove these registry keys.
This custom task can be added to a custom Entra Cutover action or be added to a new Action and run as required.
The following are SAMPLE scripts to remove these registry keys.
Note that these scripts are provided as-is for example purposes only, and you may need to modify them to work for your specific project.
If the scripts need to be amended, this will need to be done by you or with assistance from Quest’s Professional Services Team.
DeleteCache Script
# Define the registry path
$registryPath = "HKLM:\Software\Microsoft\IdentityStore\Cache"
# Check if the registry path exists
if (Test-Path $registryPath) {
    # Get all subkeys of the specified registry path
    $subkeys = Get-ChildItem -Path $registryPath
    # Loop through each subkey and delete it
    foreach ($subkey in $subkeys) {
        try {
            # -ErrorAction Stop turns a failed delete into a terminating error so the catch block runs
            Remove-Item -Path $subkey.PSPath -Recurse -Force -ErrorAction Stop
            Write-Output "Deleted: $($subkey.PSPath)"
        } catch {
            Write-Output "Failed to delete: $($subkey.PSPath)"
        }
    }
} else {
    Write-Output "Registry path does not exist: $registryPath"
}
DeleteLogonCache Script
# Define the registry path
$registryPath = "HKLM:\Software\Microsoft\IdentityStore\LogonCache"
# Check if the registry path exists
if (Test-Path $registryPath) {
    # Get all subkeys of the specified registry path
    $subkeys = Get-ChildItem -Path $registryPath
    # Loop through each subkey and delete it
    foreach ($subkey in $subkeys) {
        try {
            # -ErrorAction Stop turns a failed delete into a terminating error so the catch block runs
            Remove-Item -Path $subkey.PSPath -Recurse -Force -ErrorAction Stop
            Write-Output "Deleted: $($subkey.PSPath)"
        } catch {
            Write-Output "Failed to delete: $($subkey.PSPath)"
        }
    }
} else {
    Write-Output "Registry path does not exist: $registryPath"
}
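Added example, not one of Quest's sample scripts: a single script that exports each of the two IdentityStore keys to a .reg backup before removing its subkeys, skips removal if the backup fails, and reports how many subkeys remain. The $BackupDir default is a placeholder (an assumption); it supports -WhatIf for a dry run and must run as the local system account, as in the manual steps.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: placeholder location. Use an admin-only folder, because the
    # export contains the cached identity data of the source tenant account.
    [string]$BackupDir = "$env:ProgramData\IdentityStoreBackup"
)

$paths = @(
    'HKLM:\Software\Microsoft\IdentityStore\Cache',
    'HKLM:\Software\Microsoft\IdentityStore\LogonCache'
)

# Always create the backup folder, even during a -WhatIf dry run
New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        Write-Output "Registry path does not exist: $path"
        continue
    }
    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $regPath = $path -replace '^HKLM:\\', 'HKLM\'
    $backup  = Join-Path $BackupDir ("{0}-{1}.reg" -f (Split-Path $path -Leaf), $stamp)
    & reg.exe export $regPath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Output "Backup failed for $path; skipping removal"
        continue
    }
    Write-Output "Backed up $path to $backup"
    foreach ($subkey in Get-ChildItem -Path $path) {
        if ($PSCmdlet.ShouldProcess($subkey.Name, 'Remove registry key')) {
            try {
                Remove-Item -Path $subkey.PSPath -Recurse -Force -ErrorAction Stop
                Write-Output "Deleted: $($subkey.Name)"
            } catch {
                Write-Output "Failed to delete: $($subkey.Name) - $($_.Exception.Message)"
            }
        }
    }
    # Verify the result before the reboot and target-account logon
    $left = @(Get-ChildItem -Path $path).Count
    Write-Output "$path : $left subkey(s) remaining"
}
```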