Lock Screen, Legal Notice, or Login Restrictions not correctly removed.
After a completed migration, Migration Agent customizations remain in place
Symptom
After a successful migration, the user endpoint is left with the “Migration in Progress” lock screen, migration legal notice, or local login restrictions still in place. This can prevent a user from logging in to their workstation after the migration.
- User endpoint still has the “Migration in Progress” lock screen present after PowerSyncPro reports “Runbook complete” in the logs.
- User endpoint still has the “Migration in Progress” legal notice present after PowerSyncPro reports “Runbook complete” in the logs.
- User endpoint is still blocking user login for users that are in-scope of the migration after PowerSyncPro reports “Runbook complete” in the logs.
- A combination of the above symptoms.
Cause
There are situations where these settings might not be cleared, typically if a migration is stopped mid-migration and restarted by deleting the Migration Agent data folder. The Migration Agent uses the following logic when starting a migration:
- Backup current lock screen and replace with “Migration in Progress” lock screen.
- Backup current legal notice and replace with “Migration in Progress” legal notice.
- Backup current local GPO for “Deny Local / RDP Login” and replace with the GPO for the migration duration (e.g. block users in scope of migration).
- Complete migration.
- Restore original values for the three settings outlined above.
If the Migration Agent data directory on the user endpoint is deleted mid-migration for troubleshooting, the Migration Agent may “back up” a setting that it has already changed. This leaves the system in a state where the migration has completed, but the lock screen, legal notice, or local deny login GPO are left behind.
Solution
The settings for lock screen, legal notice, and deny login GPO can be rolled back manually using a local admin account, or a script can be used to roll back all settings and restore the machine to a clean state.
Lock Screen, Legal Notice, and Deny Logon GPO will be cleared
When performing this procedure, you will be clearing these settings and restoring them to Windows defaults. Backups taken by PowerSyncPro will not be restored.
If these settings are controlled by your organization, Domain GPO or Intune should repopulate them once the machine is successfully in the target directory.
Script Solution
Download CompletionCleanup.ps1 from the PowerSyncPro GitHub: https://github.com/PowerSyncPro/MigrationAgent/blob/main/CompletionCleanup.ps1
Run the script as a local administrator. The script will attempt to roll back startup changes made during a migration, including:
- Lock Screen
- Legal Notice
- GPO Deny-Logon Permissions
Once complete, the endpoint should be ready for login by the affected user.
Manual Solution
Perform the following tasks to clear out the required customizations:
Lock Screen
Remove keys present in the Windows Registry at:
HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP
Keys: LockScreenImagePath, LockScreenImageStatus and LockScreenImageUrl
Remove the keys, reboot the machine, and the lock screen should be returned to defaults.
Legal Notice
Remove keys present in the Windows Registry at:
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Keys: LegalNoticeCaption, LegalNoticeText
Remove the keys, reboot the machine, and the legal notice text should now be removed.
Local GPO Deny-Logon
Deny log on policies can be edited through the Local Security Policy MMC panel.
- Log in as a Local Administrator
- Launch Local Security Policy (secpol.msc)
- Security Settings → Local Policies → User Rights Assignment
- Remove in-scope users from the following policies:
  - Deny log on locally
  - Deny log on through Remote Desktop Services
- Reboot the workstation and try to log on as the affected user again.
This will remove the user from the local GPO deny logon policies and allow them to log on.
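To confirm what is actually left behind before or after the manual steps, the following added example (not PowerSyncPro's CompletionCleanup.ps1, and not taken from the original article) reports the registry values named above and lists the accounts in the two deny-logon policies. It assumes the `secedit` user-right names `SeDenyInteractiveLogonRight` and `SeDenyRemoteInteractiveLogonRight` correspond to those two policies; the `-Remove` switch and the temporary file name are choices made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: reports leftover Migration Agent customizations; with -Remove,
# deletes the registry values named in the manual steps. Not PowerSyncPro code.
param([switch]$Remove)

# Registry paths and value names are the ones listed in the manual steps.
$lock  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP'
$logon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$targets = @{
    $lock  = @('LockScreenImagePath', 'LockScreenImageStatus', 'LockScreenImageUrl')
    $logon = @('LegalNoticeCaption', 'LegalNoticeText')
}
foreach ($path in $targets.Keys) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $props = Get-ItemProperty -LiteralPath $path
    foreach ($name in $targets[$path]) {
        if ($null -eq $props.PSObject.Properties[$name]) { continue }
        Write-Output "PRESENT  $path\$name = $($props.$name)"
        if ($Remove) {
            Remove-ItemProperty -LiteralPath $path -Name $name -ErrorAction Stop
            Write-Output "REMOVED  $path\$name"
        }
    }
}

# Export local user rights and list who is in the two deny-logon policies.
# Assumption: these right names map to "Deny log on locally" and
# "Deny log on through Remote Desktop Services".
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    foreach ($line in Get-Content -LiteralPath $cfg) {
        if ($line -match '^(SeDeny(?:Remote)?InteractiveLogonRight)\s*=\s*(.*)$') {
            $right = $Matches[1]
            foreach ($entry in ($Matches[2] -split ',')) {
                $sid = $entry.Trim().TrimStart('*')   # SIDs are exported as *S-1-...
                if (-not $sid) { continue }
                try {
                    $acct = ([Security.Principal.SecurityIdentifier]$sid).Translate(
                        [Security.Principal.NTAccount]).Value
                } catch { $acct = $sid }              # plain name or unresolvable SID
                Write-Output "DENY     $right : $acct"
            }
        }
    }
} finally {
    Remove-Item -LiteralPath $cfg -ErrorAction SilentlyContinue
}
```

Run it without `-Remove` first to see the current state. Deny-logon entries are only reported; remove them through secpol.msc as described above.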