The PowerSyncPro Migration Agent requires extensive, system-level access to execute its runbooks successfully. During a migration, the agent runs as a system service to perform highly privileged actions, such as disjoining and joining directories, modifying registry keys, re-permissioning local user profiles, and reconfiguring core application workloads.

Because of the nature of these deep system changes, Endpoint Detection and Response (EDR), Antivirus (AV), and Application Whitelisting platforms may occasionally misidentify the agent's normal activities as malicious behaviour and block its executables or background processes.

When a security suite interferes with the Migration Agent, it can result in a variety of failure conditions—ranging from the agent service crashing on startup to migrations stalling mid-process.

This article outlines known symptoms of EDR and Antivirus interference encountered in the field and provides the necessary resolutions to ensure a successful migration. We will continue to update this document as new scenarios are identified.

Symptom: Agent Service Stops During Re-Permissioning (ReACL)

Indicators:

• The migration begins successfully, and the device correctly joins the target directory.
• When the agent reaches the Re-Permissioning (ReACL) phase, the PowerSyncPro Migration Agent service unexpectedly stops.
• The agent logs may hang or stop updating at the line: "Processing Volume [C:\]".
• Logging into the system with a local account shows the machine is online, but the service is in a stopped state.
• Manually restarting the service works temporarily, but it quickly crashes or returns to a non-running state as soon as it resumes processing.

Cause: During the Re-Permissioning phase, the Migration Agent must rapidly update Access Control Lists (ACLs) across the local file system, registry, and user profiles to assign ownership to the new Target identities. Many modern EDR and Antivirus platforms interpret this mass, rapid modification of file permissions across the root C:\ volume as ransomware-like or malicious behaviour. As a protective measure, the security software forcefully terminates or suspends the agent's background process.

Resolution: To resolve this issue, you must configure your EDR/Endpoint Security platform to explicitly trust the PowerSyncPro Migration Agent's activities. We recommend implementing the following exclusions:

1. Whitelist by Publisher Certificate (Highly Recommended): If your EDR platform supports it, add a global trusted publisher exclusion for the code-signing certificate issued to Declaration Software Limited which is used to sign the PowerSyncPro Migration Agent executable.
2. Whitelist the Executable and Installation Directory: If certificate whitelisting is not available or supported by your platform, ensure that the agent executable (DeclarationSoftware.PowerSyncPro.MigrationAgent.exe) and the entire source installation folder (C:\Program Files\Declaration Software\PSP MA) are fully whitelisted in your security platform.
3. Adjust Behavioural Exclusions: Check your EDR's "Behavioural Analysis," "Ransomware Protection," or "Tamper Protection" modules. You may need to specifically exclude the PowerSyncPro publisher, executable, or directory from behavioural rules that block mass file system or registry modifications.
4. Resume the Migration: Once the exclusions have propagated to the endpoint, manually restart the PowerSyncPro Migration Agent service via services.msc (or simply reboot the workstation). The agent will check in with the server and automatically resume the runbook from where it was terminated.

Symptom: Agent Loses Server Communication After Initial Reboot

Indicators:

• The migration begins successfully, and the device correctly disjoins and leaves the source domain.
• Following the first reboot—when the machine attempts to join the target domain—the Migration Agent loses all ability to communicate with the central PowerSyncPro server.
• Logging into the machine with local admin credentials confirms the workstation is online and has full internet access, but the agent remains disconnected.
• Temporarily disabling the EDR/Endpoint Security software or applying an exclusion immediately restores the agent's communication with the server.

Cause: Endpoint security platforms frequently utilize network threat protection or custom firewall filter drivers. When a workstation successfully leaves its source Active Directory domain, Windows typically shifts the active network profile from a trusted "Domain" network to an untrusted "Public" or "Private" network. In response to this sudden shift to an untrusted network state, the EDR aggressively locks down outbound traffic, blocking unrecognized background services (like the Migration Agent) from reaching out to the internet (TCP 443) to contact the PowerSyncPro server.

Resolution: To resolve this issue, you must ensure your EDR platform allows the agent to communicate outbound, regardless of the active Windows Network Profile:

1. Implement Core Exclusions: Ensure the foundational exclusions are in place. This includes whitelisting the Declaration Software Limited Publisher Certificate (Highly Recommended), the agent executable (DeclarationSoftware.PowerSyncPro.MigrationAgent.exe), and the source installation directory (C:\Program Files\Declaration Software\PSP MA).
2. Review Network / Firewall Modules: Specifically inspect your EDR's "Network Protection," "Host Firewall," or "Web Control" modules. You must ensure the PowerSyncPro Migration Agent executable is explicitly permitted to make outbound HTTPS connections (TCP 443) across all network profiles (Domain, Private, and Public).
3. Bypass SSL Inspection: Ensure your security software's web-filtering module is not attempting to perform deep packet SSL inspection or SSL termination on traffic destined for your PowerSyncPro Server URL, as modifying the certificate chain can disrupt the agent's secure API communication.
4. Resume the Migration: Once the network exclusions have been synced to the endpoint, the agent will automatically re-establish communication with the PowerSyncPro server and proceed with the target domain join.

Symptom: Agent Fails to Install (Error 0x800700e1)

Indicators:

• When attempting to deploy the PSPMigrationAgentInstaller.msi (whether manually, via Intune, or via SCCM), the installation immediately fails.
• You receive error code 0x800700e1 with a message stating: "Operation did not complete successfully because the file contains a virus or potentially unwanted software."

Cause: This occurs when your EDR or Antivirus (such as Windows Defender) intercepts the MSI file during the initial download or execution phase. Because the Migration Agent is designed to perform highly privileged system-level tasks, the security software may flag the installer's payload as a Potentially Unwanted Program (PUP). As a result, the AV immediately quarantines the file and blocks msiexec.exe from running it.

Resolution: For a detailed breakdown of how to whitelist the installer and bypass this specific security block, please review our dedicated troubleshooting guide: Migration Agent fails to install - File contains a virus or potentially unwanted software (0x800700E1)