Opsole Home

Knowledge Base

Troubleshooting reference for errors and issues encountered during device migration.

Network Connectivity Failures — Opsole API and Microsoft Endpoints

KB 022202

Description

Opsole Migrate requires outbound HTTPS (port 443) connectivity to Opsole API and Microsoft cloud endpoints during migration. If any of these endpoints are unreachable, the affected operation fails and migration cannot continue.

The following error messages indicate a network connectivity issue. The specific message depends on which endpoint or operation is affected.

Error Messages:

Opsole API unreachable:

The remote server returned an error: (404) Not Found.

Microsoft Identity or Graph endpoints unreachable:

Authentication with the identity service failed. Error: Unable to connect to the remote server
Error contacting Microsoft Graph API to validate user
Error occurred while querying Autopilot object
Failed to delete Autopilot object
Failed to fetch source user Entra details or no user found
Failed to retrieve LAPS information
Failed to delete device from Entra

Required Endpoints

All endpoints require outbound HTTPS (port 443). If any of these are blocked, the corresponding operation will fail.

#EndpointPurpose
1*.opsole.comOpsole Migrate API — configuration and migration status
2login.microsoftonline.comMicrosoft Entra ID authentication — token acquisition
3graph.microsoft.comMicrosoft Graph API — user lookup, Autopilot, LAPS, device management
4enterpriseregistration.windows.netEntra ID device registration
5device.login.microsoftonline.comDevice authentication and Entra Join

Cause

#CauseDetails
1Firewall or Proxy BlockOutbound HTTPS (port 443) to one or more required endpoints is blocked by firewall rules, web proxy, or network security appliance.
2SSL/TLS InspectionSSL inspection or certificate interception by a proxy or security appliance is breaking the Microsoft or Opsole certificate chain, causing connection failures.
3DNS Resolution FailureThe device cannot resolve one or more required endpoints due to DNS misconfiguration, split DNS, or DNS filtering.
4No Internet ConnectivityThe device has no active internet connection or is on a restricted network segment (e.g., quarantine VLAN, guest network).
5Opsole Backend OutageThe Opsole API service is temporarily unavailable due to a backend disruption. This applies only to errors referencing the Opsole API endpoint.

Resolution

  1. Verify connectivity to all required endpoints. Run the following commands from an elevated PowerShell prompt on the affected device:

    Test-NetConnection opsole.com -Port 443
Test-NetConnection login.microsoftonline.com -Port 443
Test-NetConnection graph.microsoft.com -Port 443
Test-NetConnection device.login.microsoftonline.com -Port 443

    If any test returns TcpTestSucceeded : False, the endpoint is blocked and must be allowed through the firewall or proxy.

  2. Verify DNS resolution. If connectivity tests fail, confirm the device can resolve the endpoints:

    Resolve-DnsName opsole.com
Resolve-DnsName login.microsoftonline.com
Resolve-DnsName graph.microsoft.com

    If resolution fails, check DNS server configuration, DNS filtering policies, and split DNS rules.

  3. Check proxy and SSL inspection. If the device uses a web proxy, ensure the required endpoints are allowed and not subject to SSL inspection. Verify proxy configuration:

    netsh winhttp show proxy

    If SSL inspection is in use, add exceptions for the endpoints listed above. SSL inspection that breaks the Microsoft certificate chain will cause authentication failures even when connectivity is confirmed.

  4. Confirm Opsole API backend status. If all Microsoft endpoint tests succeed but the Opsole API test fails with TcpTestSucceeded : True, the issue may be an Opsole backend disruption. Contact Opsole Support and provide the migration logs for further investigation.

  5. Retry the operation. After restoring connectivity, retry the operation.

Authentication Failed — AADSTS7000215 Invalid Client"

KB 022203

Description

This error occurs when Opsole Migrate attempts to authenticate with Microsoft Entra ID (Azure AD) to acquire an access token, but the App Registration credentials are invalid, expired, or misconfigured. Migration cannot continue without a valid access token.

Error Message:

Error:"invalid_client","error_description":"AADSTS7000215: Invalid client secret provided."

Cause

#CauseDetails
1Client Secret ExpiredThe client secret configured for the App Registration has expired. Secrets have a defined expiry date and must be rotated before they expire.
2Wrong Secret ValueThe client secret ID was copied instead of the client secret value. The secret value is only displayed once at the time of creation.
3App Registration DisabledThe App Registration has been disabled in the Entra admin portal, preventing authentication.
4Wrong Application (Client) IDThe Application (Client) ID configured in the Opsole Migrate portal does not match the App Registration in Entra ID.
5Wrong Tenant IDThe Tenant ID configured in the Opsole Migrate portal does not match the Entra ID tenant where the App Registration exists. This is common in multi-tenant environments.
6App Deleted and RecreatedThe original App Registration was deleted and recreated with the same name but a new Client ID. The old configuration is still in use.
7Conditional Access Policy BlockA Conditional Access policy is blocking non-interactive authentication for the service principal associated with the App Registration.

Resolution

  1. Verify client secret expiry. In the Entra admin portal, navigate to: App registrations > [Your App] > Certificates & secrets > Client secrets. Check the expiry date of the configured secret. If expired, generate a new client secret and update the value in the Opsole Migrate portal.

    The client secret value is only displayed once at the time of creation. Copy and store it securely immediately after generating.

  2. Confirm secret value vs secret ID. Verify that the value stored in the Opsole Migrate portal is the client secret value, not the client secret ID. These are two different fields in the Entra portal. The secret ID is a GUID identifier; the secret value is the actual credential string.

  3. Verify Application (Client) ID. Confirm the Application (Client) ID configured in the Opsole Migrate portal matches the App Registration in Entra ID: App registrations > [Your App] > Overview > Application (client) ID.

  4. Verify Tenant ID. Confirm the Tenant ID configured in the Opsole Migrate portal matches the correct Entra ID tenant: App registrations > [Your App] > Overview > Directory (tenant) ID.

  5. Confirm App Registration is enabled. In the Entra admin portal, navigate to: App registrations > [Your App] > Properties. Ensure Enabled for users to sign-in is set to Yes.

  6. Check Conditional Access policies. Verify that no Conditional Access policy is blocking authentication for the App Registration service principal. Review policies under: Entra admin center > Protection > Conditional Access > Policies. Look for policies targeting workload identities or service principals that may block the app.

  7. Re-run validation. After updating the configuration, re-run the App Registration validation to confirm that access token acquisition is successful.

If this error occurs immediately after a working migration, the most likely cause is an expired client secret (Cause #1). If this is a new deployment, verify Causes #2 through #5 first.

Failed to retrieve LAPS information

KB 022204

Description

This error occurs when Opsole Migrate is unable to retrieve the Local Administrator Password Solution (LAPS) information for the device from Microsoft Graph. LAPS retrieval is performed to back up the local administrator credentials before migration.

Error Message:

Failed to retrieve LAPS Informations, Error:

Cause

#CauseDetails
1Missing Graph API PermissionsThe App Registration does not have the DeviceLocalCredential.Read.All permission required to read LAPS credentials from Microsoft Graph.
2Admin Consent Not GrantedThe required Graph permission is assigned to the App Registration but Admin Consent has not been granted by a Global Administrator or Privileged Role Administrator.
3Windows LAPS Not EnabledWindows LAPS is not configured on the device or not deployed via Intune or Group Policy. Without an active LAPS policy, no credentials are escrowed to Entra ID.
4LAPS Password Not Yet EscrowedWindows LAPS is enabled but no password has been generated or escrowed to Entra ID yet. This can occur if the LAPS policy was recently applied and the device has not completed a password rotation cycle.
5Legacy LAPS in UseThe environment is using legacy Microsoft LAPS (on-premises AD based) instead of Windows LAPS (Entra ID based). Microsoft Graph only supports Windows LAPS. Legacy LAPS stores passwords in Active Directory, not in Entra ID.
6Network or Authentication FailureThe device cannot reach Microsoft Graph or the authentication token acquisition failed.

Resolution

  1. Verify Graph API permissions. In the Entra admin portal, navigate to: App registrations > [Your App] > API permissions. Confirm that DeviceLocalCredential.Read.All (Application type) is listed. If missing, add the permission.

  2. Grant Admin Consent. On the same API permissions page, verify that the Status column shows Granted for [tenant]. If not, click Grant admin consent and confirm. This requires Global Administrator or Privileged Role Administrator privileges.

  3. Confirm Windows LAPS is enabled. Verify that Windows LAPS is deployed to the device. For Intune-managed devices, check: Intune admin center > Endpoint security > Account protection > LAPS policies. For Group Policy-managed devices, verify the LAPS CSP or GPO is applied:

    Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Policies\LAPS" -ErrorAction SilentlyContinue

    If no LAPS policy exists, Windows LAPS must be configured before LAPS retrieval will work.

  4. Check if LAPS password has been escrowed. Verify a LAPS password exists for the device in Entra ID: Entra admin center > Devices > All devices > [Device] > Local administrator password recovery. If no password is listed, the device has not yet completed a LAPS password rotation. Trigger a manual rotation:

    Reset-LapsPassword

  5. Confirm Windows LAPS vs Legacy LAPS. If the environment uses legacy Microsoft LAPS (passwords stored in Active Directory ms-Mcs-AdmPwd attribute), Microsoft Graph cannot retrieve these credentials. The environment must be migrated to Windows LAPS (Entra ID based) for Graph API retrieval to work. To check which LAPS is in use:

    # Check for Windows LAPS
Get-LapsAADPassword -DeviceIds <device-object-id> -ErrorAction SilentlyContinue

# Check for Legacy LAPS (AD attribute)
Get-ADComputer -Identity <hostname> -Properties ms-Mcs-AdmPwd | Select ms-Mcs-AdmPwd

  6. Verify network connectivity and authentication. If none of the above apply, the issue may be network or authentication related. See:

  7. Retry the operation. After completing the above checks, retry the operation.

If LAPS is not deployed in the environment and there is no plan to enable it, contact Opsole Support to discuss whether LAPS retrieval can be skipped for this migration.

Legacy Microsoft LAPS and Windows LAPS are not the same. Microsoft Graph only supports Windows LAPS. If the environment uses legacy LAPS, passwords must be retrieved directly from Active Directory, not via Graph API.

Failed to Update, Retrieve, or Modify Operations

KB 022205

Description

Opsole Migrate performs several local system operations during migration including registry read/write, scheduled task creation, certificate store management, user profile enumeration, SID resolution, and BitLocker queries. If any of these operations are blocked or fail, the affected step fails and migration cannot continue.

The following error messages indicate a local operation failure. The specific message depends on which operation is affected.

Error Messages:

Registry operations:

Failed to update the following Device entries
User profile registry entry not found
Multi-profile write failed for SID
Critical failure during multi-profile collection
Error during MDM cleanup

Scheduled task:

Error creating InterMigrate task

Certificate store:

Failed to remove MDM certificate

User and system queries:

Failed to resolve SID for user
Failed to retrieve BitLocker recovery key

Cause

#CauseDetails
1EDR or Antivirus BlockingEndpoint Detection and Response (EDR) or antivirus software is intercepting and blocking registry modifications, scheduled task creation, certificate store changes, or process execution by Opsole Migrate.
2Endpoint Hardening PoliciesAttack Surface Reduction (ASR) rules, Tamper Protection, Windows Defender Application Control (WDAC), or AppLocker policies are restricting one or more local operations.
3Registry Corruption or LockThe target registry hive or key is corrupted, locked by another process, or inaccessible due to OS corruption.
4Temporary or Corrupted User ProfileThe user session is running under a temporary profile, the profile is not fully loaded, or the profile container (e.g., FSLogix) is not mounted.
5Insufficient PermissionsThe process context does not have the required permissions to perform the operation. This can occur if local administrator rights have been removed or restricted by policy.
6WMI Repository CorruptionThe WMI repository is corrupted, causing system queries to fail.

Resolution

  1. Whitelist Opsole Migrate in EDR and antivirus. Add the following folder and all its contents to the EDR and antivirus exclusion list:

    C:\ProgramData\OpsoleMigrate\

    Additionally, whitelist Opsole Migrate using the Opsole code-signing certificate, which can be downloaded from the Opsole Migrate portal.

  2. Review endpoint hardening policies. Check if any of the following are blocking Opsole Migrate operations:

    • ASR rules — Check for rules blocking registry writes or process creation from untrusted sources
    • Tamper Protection — May prevent registry or system modifications
    • WDAC / AppLocker — May block execution of Opsole Migrate executables or PowerShell operations

    To check ASR rules in effect:

    Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids

  3. Repair WMI repository (if system queries fail). If the error is related to SID resolution or system information queries, the WMI repository may be corrupted:

    winmgmt /verifyrepository

    If verification reports inconsistency:

    winmgmt /salvagerepository

  4. Retry the operation. After completing the above checks, retry the operation.

The most common cause of these errors is EDR or antivirus software blocking Opsole Migrate operations. Always verify whitelisting and code-signing certificate trust (Step 1) before investigating other causes.

If the same error occurs across multiple devices in the environment, it is likely caused by a centrally managed EDR policy or endpoint hardening baseline. Work with the security team to add the required exclusions.

Failed to install provisioning package

KB 022206

Description

This error occurs when Opsole Migrate locates the provisioning package (PPKG) but installation fails and the device is not joined to Entra ID. The provisioning package contains the bulk enrollment token required for automated Entra ID Join during migration. Migration cannot continue without a successful Entra Join.

Error Message:

Failed to install provisioning package

Cause

#CauseDetails
1Conditional Access Blocking — MFAA Conditional Access policy is enforcing multi-factor authentication (MFA) on device registration. The bulk enrollment token in the provisioning package cannot satisfy MFA non-interactively, causing registration to be blocked.
2Conditional Access Blocking — LocationA Conditional Access policy with named or trusted location restrictions is blocking device registration from the device's current network or IP address.
3Provisioning Package ExpiredThe bulk enrollment token embedded in the provisioning package has expired. Bulk tokens have a defined expiry period (typically 30–180 days) and must be regenerated before they expire.
4Provisioning Package CorruptedThe PPKG file was corrupted during download, or EDR/antivirus software quarantined or modified the file.
5Device Already Entra JoinedThe device is already joined to Entra ID or another tenant. The existing join state conflicts with the new provisioning package installation.
6Device Registration Limit ReachedThe provisioning account has reached the Entra ID device registration limit. The default limit is 50 devices per user, but this may be further restricted by tenant-level settings.
7Entra ID Device Registration DisabledThe tenant setting "Users may join devices to Entra ID" is set to None or restricted to specific users/groups, and the provisioning account is not included.
8MDM Auto-Enrollment Not ConfiguredIntune MDM auto-enrollment scope is not configured or the provisioning account is not in scope. The Entra Join may partially succeed but the enrollment step fails.
9EDR Blocking PPKG ExecutionEndpoint security software is blocking the provisioning package runtime or the PPKG file execution.
10Network Connectivity FailureRequired Microsoft endpoints for device registration are unreachable.

Resolution

  1. Verify Conditional Access exclusions. In the Entra admin center, navigate to: Protection > Conditional Access > Policies. Ensure the provisioning account used for bulk enrollment is excluded from any Conditional Access policies enforcing MFA or location-based restrictions on device registration. Specifically check policies targeting:

    • All cloud apps or Microsoft Intune Enrollment
    • Register or join devices action
    • All users grant controls requiring MFA

  2. Check provisioning package expiry. Verify the provisioning package was generated recently and the bulk token has not expired. If expired, regenerate the provisioning package from the Opsole Migrate portal and redeploy to the device.

  3. Verify provisioning package integrity. Install the provisioning package manually on a test device and confirm the device is able to complete Entra ID Join. This will confirm whether the PPKG file itself is valid and working. If the test device joins successfully, the issue is environment-specific to the affected device.

  4. Check Entra ID device registration settings. In the Entra admin center, navigate to: Devices > Device settings.

    • Confirm "Users may join devices to Microsoft Entra ID" is set to All or includes the provisioning account.
    • Check "Maximum number of devices per user" and confirm the provisioning account has not reached the limit.

  5. Verify device is not already Entra Joined. Check the current join state on the device:

    dsregcmd /status

    If AzureAdJoined : YES is already showing, the device is already joined. If it is joined to a different tenant, the existing join must be removed before the provisioning package can be installed.

  6. Verify MDM auto-enrollment configuration. In the Entra admin center, navigate to: Mobility (MDM and WIP) > Microsoft Intune. Confirm the MDM user scope is set to All or includes the provisioning account user group.

  7. Verify network connectivity. Ensure the device can reach the required Microsoft endpoints for device registration. See KB 022233 — Network Connectivity Failures for the full endpoint list and validation commands.

  8. Retry the operation. After completing the above checks, regenerate the provisioning package if needed and retry the operation.

The most common cause of this error is a Conditional Access policy blocking the bulk enrollment token from completing device registration. Always check CA exclusions (Step 1) first.

If the provisioning account has been used across many migrations, check the device registration limit (Step 4). The default is 50 devices per user. If the limit is reached, either increase the limit or use a different provisioning account.

Domain Unjoin Operation Failed — Access Is Denied

KB 022208

Description

This error occurs when Opsole Migrate attempts to unjoin the device from Active Directory using the configured domain disjoin account, but the operation fails with an "Access is denied" error. Migration is rolled back and cannot continue.

Error Message:

Operation encountered a critical failure in module Remove-Computer. Recent actions have been reverted. StatusCode: False
Failed to unjoin <HOSTNAME> from domain gracefully. Error: Failed to unjoin computer '<HOSTNAME>' from domain '<DOMAIN>' with the following error message: Access is denied.

Cause

#CauseDetails
1Incorrect CredentialsThe domain disjoin account password is incorrectly configured in the Opsole Migrate portal, or the password has expired.
2Account Locked OutThe disjoin account is locked out in Active Directory due to repeated failed authentication attempts from previous migration runs.
3Insufficient OU PermissionsThe disjoin account does not have the required permissions (Delete Computer Objects or Remove Workstation from Domain) on the Organizational Unit (OU) where the target device resides.
4Endpoint Security BlockEndpoint protection software (EDR, antivirus, or hardening policies) is intercepting and blocking the domain unjoin operation.
5GPO RestrictionA Group Policy Object restricts which accounts can remove workstations from the domain, and the disjoin account is not included in the allowed list.

Resolution

  1. Verify domain disjoin account credentials. Confirm the account credentials configured in the Opsole Migrate portal are correct and current. To validate, attempt a manual unjoin from an elevated PowerShell prompt on the test device:.
  Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force -Verbose

If this succeeds, the issue is specific to the credential stored in the portal. If it fails with the same error, the issue is at the AD or GPO level.

  1. Check account lockout status. Verify the disjoin account is not locked out in Active Directory:

    Get-ADUser -Identity <disjoin_account> -Properties LockedOut | Select LockedOut

    If locked, unlock the account and investigate the source of the lockouts.

  2. Verify OU-level permissions. Confirm the disjoin account has Delete Computer Objects permission on the OU where the target device resides. If permissions are scoped to specific OUs, verify the device has not been moved to a different OU.

  3. Review endpoint security controls. Ensure endpoint security or hardening policies do not block domain unjoin operations. Allow-list Opsole Migrate if applicable.

  4. Review Group Policy restrictions. Check the effective GPO on the device for restrictions under: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Remove computer from docking station. Ensure the disjoin account or its group is included.

  5. Retry the operation. After completing the above checks, retry the operation.

If this error occurs across multiple devices in the same domain, it is most likely a credential or permission issue at the domain level rather than a per-device issue.

Failed to unjoin from domain — NTLM Authentication Disabled

KB 022209

Description

This error occurs when Opsole Migrate attempts to unjoin the device from Active Directory, but the operation fails because NTLM authentication is disabled or blocked on the device. Migration is rolled back and cannot continue.

Error Messages:

Failed to unjoin <HOSTNAME> from domain. Error: Failed to unjoin computer '<HOSTNAME>' from domain '<DOMAIN>' with the following error message: Authentication failed because NTLM authentication has been disabled., Terminating Migration process.....

Cause

Remove-Computer relies on NTLM authentication internally. If NTLM is restricted or blocked at the device level, the unjoin fails regardless of whether the credentials are correct. NTLM restriction policies applied via Group Policy remain cached locally on the device even when it is offline and no longer receiving GPO updates.

#CauseDetails
1Incorrect CredentialsAn incorrect or expired domain disjoin account password can surface as an NTLM error instead of a standard authentication failure.
2NTLM Disabled by Cached GPONTLM authentication was disabled via Group Policy while the device was connected to the domain. These policies remain cached locally and continue to enforce even when the device is offline. Changing the GPO on the domain controller will not take effect on a device that has no line of sight to AD.
3Security Baseline HardeningA security baseline (CIS, STIG, or Microsoft Security Baseline) has applied local NTLM restrictions at the device level.
4Endpoint Security BlockEndpoint protection software (EDR, antivirus, or hardening agent) is actively blocking NTLM negotiation at the OS or network layer.

Resolution

  1. Verify domain disjoin account credentials. Confirm the account credentials configured in the Opsole Migrate portal are correct and current. To validate, attempt a manual unjoin from an elevated PowerShell prompt on the test device:

    Remove-Computer -UnjoinDomainCredential (Get-Credential) -Force -Verbose

    If this succeeds with the correct credentials, update the credentials in the portal and retry.

  2. Enable NTLM locally via registry. If credentials are confirmed correct, or the device has no line of sight to AD, remove the NTLM restriction locally on the device:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "RestrictSendingNTLMTraffic" -Value 0

    Retry the migration after applying this change.

  3. Check NTLM restriction policies. Verify whether NTLM is restricted by Group Policy or local security policy:

    Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options

    To check the effective setting:

    gpresult /h gpresult.html

  4. Review endpoint security controls. Ensure endpoint security tools or hardening agents are not blocking NTLM authentication at the OS layer.

  5. Retry the operation. After completing the above checks, retry the operation.

If the device has no line of sight to Active Directory, GPO changes on the domain controller will not reach the device. The NTLM restriction must be removed locally using Step 2.

Troubleshooting and Recovery

KB 022210

Description

During migration, certain failures may require manual intervention or a recovery procedure to restore the device to a working state. These situations typically occur when a migration phase fails partway through execution, leaving the device in an intermediate state such as a locked screen, a missing login prompt, or an incomplete Entra Join.

This article provides a quick reference to common recovery scenarios and links to the detailed step-by-step troubleshooting and recovery guide.

Common Recovery Scenarios

#ScenarioSymptomRelated KB
1Migration failed with no logs in portalMigration fails silently, no migration log appears in the Opsole portal, or an Error 500 is displayedKB 022233 — Network Connectivity Failures
2Entra Join failed during migrationDevice is not joined to Entra ID after Phase 1, or Entra Join failure screen appears after rebootKB 022206 — Failed to Install Provisioning Package
3Device stuck at "Migration in Process" after rebootPhase 2 did not start, device is locked on the migration screen and the user cannot log inKB 022234 — Failed to Update, Retrieve, or Modify Operations
4Old profile is loadedMigration cannot proceed because the user profile being migrated is still loaded or in use after rebootSee recovery procedure in troubleshooting guide
5Domain unjoin failed — NTLM disabledDomain unjoin operation fails with NTLM authentication errorKB 022232 — Failed to Unjoin from Domain — NTLM Authentication Disabled
6PostMigrate window does not appear after loginPhase 3 did not start after logging in with Entra ID credentials, PostMigrate window is missingKB 022234 — Failed to Update, Retrieve, or Modify Operations

Troubleshooting and Recovery Guide

For detailed step-by-step recovery procedures with screenshots for each scenario listed above, refer to the full troubleshooting guide:

OpsoleMigrate — Troubleshooting Guide

Most recovery scenarios require logging in with a local administrator account. Ensure a local administrator account is available on the device before starting migration.

If Opsole Migrate files or scheduled tasks are missing from the device, it is likely that EDR or antivirus software has quarantined or removed them. Review EDR logs, update exclusions as per KB 022234, reinstall Opsole Migrate, and then run Patch.exe to resume.

How is this guide?

Version History & Release Notes

Detailed release history and feature evolution of the Opsole Migrate platform.

On this page

KB 022202DescriptionRequired EndpointsCauseResolutionKB 022203DescriptionCauseResolutionKB 022204DescriptionCauseResolutionKB 022205DescriptionCauseResolutionKB 022206DescriptionCauseResolutionKB 022208DescriptionCauseResolutionKB 022209DescriptionCauseResolutionKB 022210DescriptionCommon Recovery ScenariosTroubleshooting and Recovery Guide