Known Issues and Limitations - Migration Agent
Version
This document is relevant to PowerSyncPro Workstation Migration Agent version 3.2.x.
General
PowerSyncPro Migration Agent is a Workstation reconfiguration tool designed to primarily disjoin and join devices between Active Directory or Entra ID. It will repermission Windows Profiles and reconfigure the baseline Microsoft Office Suite of applications to the fresh start experiences where necessary.
macOS
PowerSyncPro Migration Agent is not currently supported on macOS.
Testing
Proof of concept testing should be conducted in advance against as many representative workstations as possible to ensure the greatest level of success, especially around critical applications and particularly 3rd party and in-house custom applications. Endpoint protection tools such as CarbonBlack and CrowdStrike should be thoroughly tested. Also check that VPNs are still functional post-migration.
Network
For all migrations the workstation needs persistent network access to the PowerSyncPro Server for the duration of the migration event, typically over TCP Port 5000 or port 443 depending on your configuration.
For Active Directory Join (without ODJ) and Hybrid Entra Join, the workstation needs network access to a target Domain Controller.
For Entra Join and Hybrid Entra Join the workstation needs network access to Entra.
Offline Domain Join
For Offline domain join, the PowerSyncPro server requires a persistent connection to a target Domain Controller.
Offline domain join works without workstation connectivity to a Domain Controller - providing the user has cached their target credentials in advance. NOTE: After an Offline Domain Join AD to AD migration, the workstation must connect with a Domain Controller to initiate and complete the Hybrid Entra Join process. Workstations will not start the Hybrid Join process until a Domain Controller is available.
Hybrid Entra Join
Hybrid Entra Join of devices generally requires client environmental configurations for Entra Connect and Group Policy applied to Workstations. PowerSyncPro can leverage Controlled Domain Join ("CDJ") where a device is not changing its Active Directory join state but needs to Hybrid Entra Join to a tenant other than the one to which the home AD is currently syncing. A second Entra Connect instance is required to sync in the devices from the source AD to the target tenant.
Entra Join
Entra Join is achieved by using a bulk enrollment token created within PowerSyncPro. MFA should be excluded as a requirement to Entra Join to a tenant on Conditional Access policies. The setting in Entra "Require Multifactor Authentication to register or join devices with Microsoft Entra" must be set to No for automated Entra join with PowerSyncPro to correctly execute.
Intune Enrollment
Allow enrollment of personally owned devices is a requirement for Intune Enrollment.
Intune Deployed Applications
Applications that were deployed from a source tenant, that were set to REQUIRED in Intune, will be uninstalled when a device "leaves" the source Intune. A workaround can be provided – please contact support.
NOTE: This issue does NOT exist for PowerSyncPro Migration Agent when deployed via Intune as a required application.
Conditional Access Restrictions
Conditional Access policies that immediately require a Hybrid Joined Device or Compliant Device may fail to allow workstation and user access to Entra and Microsoft 365 until Hybrid Entra Join completes or the device becomes compliant. Consider using a grace period.
Applications
The PowerSyncPro Migration Agent will only reset the following applications to their fresh start status, aka "Out of the Box Experience":
Outlook
Microsoft Teams
OneDrive for Business
OneNote / OneNote for Windows 10
Microsoft Office Core Applications e.g. Word, Excel, PowerPoint
Microsoft Office licence activation
Edge signed in primary browser profile
End Point Protection Tools
The PowerSyncPro Workstation Migration Agent may need to be excluded from End Point Protection tools that may block its ability to execute runbook phases. Examples of such tools include CrowdStrike Falcon, VMware Carbon Black, SentinelOne, Zscaler and Symantec.
VPNs
VPN clients can fail after workstation identity migration because they rely on certificates, machine identity, domain trust, device compliance, or management-delivered profiles that are removed when the device leaves the source environment. These dependencies can create circular connectivity challenges where the device requires VPN access to obtain new credentials or policies needed for the VPN to function.
VPN connections should be thoroughly tested on a production build test workstation.
WORKGROUP computers
Currently, WORKGROUP (non-domain-joined) Windows computers cannot be fully orchestrated from within the PowerSyncPro console. Additional manual steps are required to register the device so that it may be scoped into Batches.
Admin Fallback Account Password
The password complexity that you use here must match any policy requirements on the device, otherwise the account will not be created and you will see an event log error like: "The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements."
User Profile in Use
Currently there is a limitation where, if a process has a User Profile open after a reboot, that User Profile and its associated applications cannot be reconfigured. An event log error like "The process cannot access the file because it is being used by another process" will be seen. You should undertake thorough testing in advance on representative workstations to understand any background tasks, services or applications that may be running in the user context.
Prevent Login
We strongly recommend using the "Prevent Login" feature, which will prohibit in-scope users from logging in before the migration is complete. This will not prevent local admin accounts from logging in.
BitLocker
PowerSyncPro agent can migrate workstations that have been encrypted with BitLocker by suspending and re-enabling the BitLocker protectors. However, if the use of a PIN is a mandated configuration on a workstation, then PowerSyncPro cannot continue its runbook phases after the 1st reboot (or subsequent reboots) until the PIN has been entered.
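A pre-migration check for the PIN limitation described above, as an added example that is not part of PowerSyncPro or its documentation. It uses the standard Windows `Get-BitLockerVolume` cmdlet; the function name `Get-BitLockerPinStatus` is hypothetical.

```powershell
# Added example: flag OS volumes whose BitLocker protectors include a pre-boot PIN.
# Requires an elevated session and the BitLocker PowerShell module.
function Get-BitLockerPinStatus {
    Get-BitLockerVolume | Where-Object { "$($_.VolumeType)" -eq 'OperatingSystem' } |
        ForEach-Object {
            # Collect protector type names (Tpm, TpmPin, RecoveryPassword, ...).
            $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            [pscustomobject]@{
                ComputerName     = $env:COMPUTERNAME
                MountPoint       = $_.MountPoint
                ProtectionStatus = "$($_.ProtectionStatus)"
                KeyProtectors    = $types -join ', '
                # TpmPin and TpmPinStartupKey both prompt for a PIN at every boot.
                RequiresPin      = [bool]($types -match '^TpmPin')
            }
        }
}

Get-BitLockerPinStatus | Format-List
```

Workstations that report `RequiresPin = True` will need someone present to enter the PIN at each reboot during the migration.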
Windows Services
Windows Services with saved credentials cannot always be fully migrated. Windows Services that leverage non-local credentials will need to be updated. During an AD to AD migration, the user for services will be translated and, if the passwords are identical, the services will continue to run.
Scheduled Tasks
Scheduled tasks with saved credentials cannot be fully migrated. Scheduled Tasks that leverage non-local credentials will need to be updated manually.
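To find the Windows Services and Scheduled Tasks affected by the two limitations above before a migration, the following added example (not part of PowerSyncPro) inventories both on a workstation. The function names are hypothetical, and it assumes any account whose scope is not the local machine or a built-in authority is non-local.

```powershell
# Added example: list services and scheduled tasks tied to non-local accounts.
# Run elevated on a representative workstation before migration.

function Resolve-AccountName {
    param([string]$Account)
    # Task principals are sometimes stored as a SID string; translate when possible.
    if ($Account -match '^S-1-') {
        try {
            $sid = [System.Security.Principal.SecurityIdentifier]::new($Account)
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $Account }   # unresolvable SIDs are left as-is
    }
    return $Account
}

function Test-NonLocalAccount {
    param([string]$Account)
    if ([string]::IsNullOrWhiteSpace($Account)) { return $false }
    if ($Account -like '*@*') { return $true }               # UPN form
    if ($Account -match '^(?<scope>[^\\]+)\\') {
        # Scopes that always refer to the local machine or built-in identities.
        $local = @('.', $env:COMPUTERNAME, 'BUILTIN', 'NT AUTHORITY', 'NT SERVICE')
        return ($local -notcontains $Matches['scope'])
    }
    return $false   # bare names (SYSTEM, LocalSystem, a local user)
}

function Get-NonLocalCredentialUse {
    $services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Kind = 'Service'; Name = $_.Name
            Account = $_.StartName; LogonType = 'Service logon' }
    }
    $tasks = Get-ScheduledTask | ForEach-Object {
        [pscustomobject]@{ Kind = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName
            Account = Resolve-AccountName $_.Principal.UserId
            LogonType = "$($_.Principal.LogonType)" }   # 'Password' = saved credential
    }
    @($services) + @($tasks) | Where-Object { Test-NonLocalAccount $_.Account }
}

Get-NonLocalCredentialUse | Sort-Object Kind, Account | Format-Table -AutoSize
```

Scheduled tasks with a `LogonType` of `Password` hold a saved credential; tasks listed with other logon types reference a non-local account without storing its password.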
SQL Server
SQL Server logins cannot be migrated / translated from Active Directory accounts to Entra accounts.
Office
Office Recent Files and Pinned files and folders are not migrated
Office preferences are not migrated
3rd party plugins for Office Applications may not function correctly
OneDrive for Business
OneDrive for Business will be available for log on for the primary user after migration.
All previously connected / linked sites are removed including syncing of additional SharePoint and Microsoft Teams document libraries for any nominated tenants.
OneDrive may prompt the user to use an existing folder on the workstation when reconfiguring. This is expected behaviour because the target folder is created in advance by the PSPMA Agent to retain non-dehydrated files.

OneDrive Lists
The OneDrive Lists Desktop Application is not reconfigured.
Outlook
Outlook Additional mailboxes and PSTs previously connected to Outlook profiles will need to be reattached / reconnected.
Outlook Preferences that are stored in the Outlook profile or in the cloud are not migrated.
3rd party plugins may need to be reconfigured.
Microsoft Teams
Any Microsoft Teams preferences that are stored in the cloud are not migrated.
Azure Information Protection
AIP encrypted files will only open again from the target tenant providing they have been migrated correctly and that the AIP keys from the Source tenant have been added to the target tenant.
The Windows workstation will be bootstrapped by PowerSyncPro to get the new keys/policies from the new tenant.
Microsoft Edge
If you are migrating between tenants:
Microsoft Edge signed in Profiles – requires the user to sign out once and sign in again. Users will have the option to merge data to refresh the profile and then begin syncing to the target tenant.
Saved Passwords are not preserved / migrated
Local Edge profiles will lose passwords in all migrations where re-permissioning a Windows profile occurs.
If you are migrating AD to Entra Joined – same tenant, then signed in Edge browser profiles are untouched and bookmarks and passwords are preserved.
Google Chrome
The Windows Accounts extension "Microsoft Single Sign-On" for Google Chrome Profile requires the user to sign out once and sign in again to refresh the profile and reenable syncing.
Saved Passwords are not preserved / migrated
If you are using Chrome local profiles that are not signed in with a Google account and do not have Google Password Manager enabled, then those passwords will not be preserved / migrated.
Multiple Migrations of the same Computer
A PowerSyncPro Migration Agent licence is tied to the device. A device can be migrated as many times as required, e.g. Apps only re-configuration, then AD to AD and then AD to Entra. However, the following issues should be understood.
Currently, scoping a device for migration is always done from the directory where the agent was first registered. For example, if you are migrating AD to AD from Contoso to Fabrikam and then AD to Entra Joined Fabrikam to "Entra Fabrikam", your Runbook and Batches will need to include the Contoso AD as a source directory for your 2nd pass migration, and the computer should be selected from the Contoso AD when adding to a batch.
Deleting Computers in the source directory.
Currently, if you delete a computer from the source AD post migration, that deletion will sync to the PSP Database and it will no longer be available for scoping. If this is a use case for you then you should consider deferring your source AD computer clean-up.
When migrating from an Entra joined state, the device is always deleted from Entra ID during the migration phase. If you need to do a 2nd pass migration, then currently you will not be able to scope the device. In this instance, you will need to uninstall the PSP Agent from the device, remove the associated registry keys and then re-deploy the PSP Migration Agent. It will still be licensed for its next migration.