Merge pull request #244 from microsoft/fix-bootstrap-token-guards

CKunze-MSFT · web-flow · commit eef2d8ace10b · 2026-04-01T07:56:37.000-05:00
Fix bootstrap token check and secure token status guard logic
diff --git a/macOS/Config/Bootstrap Token/fixBootstrapToken.sh b/macOS/Config/Bootstrap Token/fixBootstrapToken.sh
@@ -41,7 +41,7 @@ function print_status {
 }
 
 # Check if the boostrap token was ever escrowed. If not, stop early as success.
-if echo "profiles status -type bootstraptoken" | grep -q "Bootstrap Token escrowed to server: NO"; then
+if profiles status -type bootstraptoken 2>&1 | grep -q "Bootstrap Token escrowed to server: NO"; then
     exit 0
 fi
 
@@ -50,6 +50,9 @@ if cat "$logdir/checkBootstrapEscrow.log" | grep -q "Bootstrap Token validated."
     exit 0
 fi
 
+# Check secure token status for the admin account
+SECURE_TOKEN_STATUS=$(sysadminctl -secureTokenStatus "$ADMIN_USERNAME" 2>&1)
+
 # Fail early if the account provided does not have secure token enabled
 if echo "$SECURE_TOKEN_STATUS" | grep -q "Secure token is DISABLED"; then
     echo "$(date) | Secure token is disabled for $ADMIN_USERNAME. Not proceeding."
