PowerSyncPro Migration Agent Known Issues and Limitations

Known Issues and Limitations

Admin Fallback Account Password

The password complexity that you use here must match any policy requirements on the device, otherwise you will see an event log error like: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements and will not be created.

BitLocker

PowerSyncPro agent can migrate workstations that have been encrypted with BitLocker by suspending and re-enabling the BitLocker protectors.

However, if the use of an additional PIN is a mandated configuration on a workstation, then PowerSyncPro cannot continue its runbook phases after the 1st reboot (or subsequent reboots) until the PIN has been entered.

Office

• Office Recent Files and Pinned files and folders are not migrated
• Office preferences are not migrated
• 3rd party plugins for Office Applications may not function correctly

OneDrive for Business

• OneDrive for Business will be available for log on for the primary user after migration.
• All previously connected / linked sites are removed including syncing of additional SharePoint and Microsoft Teams document libraries for any nominated tenants.
• OneDrive may prompt the user to use an existing folder on the workstation when reconfiguring.  This is expected behaviour due to the target folder being created in advance.

OneDrive Lists

• The OneDrive Lists Desktop Application is not reconfigured.

Outlook

• Outlook Additional mailboxes and PSTs previously connected to Outlook profiles will need to be reattached / reconnected.
• Outlook Preferences that are stored in the Outlook profile or in the cloud are not migrated.
• 3^rd party plugins may need to be reconfigured.

Microsoft Teams

• Any Microsoft Teams' preferences that are stored in the cloud are not migrated.

Azure Information Protection

• AIP encrypted files will only open again from the target tenant providing they have been migrated correctly and that the AIP keys from the Source tenant have been added to the target tenant.
• The Windows workstation will be bootstrapped by PowerSyncPro to get the new keys/policies from the new tenant.

Microsoft Edge

• Migration/reconfiguration of Microsoft Edge Profiles requires the user to sign out once and then sign in again with their target account to refresh the profile and re-enable syncing and have the user opt to merge bookmarks.

Google Chrome

• The Windows Accounts extension for Google Chrome Profile requires the user to sign out once and sign in again to refresh the profile and reenable syncing.

User Profile in Use

Users MUST not log in before the migration process has completed.

Currently there is a limitation where if a process has a User Profile open after a reboot, then that User Profile and associate applications cannot be reconfigured/repermissioned.

An event log error like: The process cannot access the file because it is being used by another process will be seen.

You should undertake thorough testing in advance on representative workstations to understand any background tasks, services or applications that may be running in the user context.  Typically this might a a Windows Service with log on permissions set to the user account.

Entra Join

The setting in Entra:  Require Multifactor Authentication to register or join devices with Microsoft Entra must be set to No for automated Entra join with PowerSyncPro to correctly execute.

Owner of Entra Joined devices

The Owner of devices will appear as the Bulk Enrollment Token.  This cannot be changed in the Entra ID UI, but can be changed via PowerShell.  See this article: https://kb.powersyncpro.com/en_US/migration-agent/bprt-is-the-owner-workstation-in-entra

Intune Enrollment

Allow enrollment of personally owned devices under Device Platform Restrictions is a requirement for Intune Enrollment to succeed.

In Entra Id, under Mobility (MDM and WIP) the Microsoft Intune Enrollment setting must be correctly configured/scoped to the migrating users and devices

The Microsoft Intune Enrollment Enterprise Application must be excluded on Conditional Access policies that require MFA

Intune Installed Applications

If a Migration Runbook is configured to remove the device from Entra or All Directories, then any applications that are “push installed” from Intune and are set to REQUIRED will be uninstalled from the Windows Workstation when the migration agent runs.  That is because “dsregcmd /leave” is executed and this command initiates the removal of source tenant deployed software that is listed in :

HKLM:\SOFTWARE\Microsoft\EnterpriseDesktopAppManagement

If the workstation re-joins the same tenant, and that software is still required on that device, it will be re-installed but this might not happen in a timely fashion to satisfy your users.  Please test thoroughly the migration process.

If this is likely to be an issue please contact PowerSyncPro support for a Pre-Migration script that can be configured to block this from happening.

General

PowerSyncPro Migration Agent is a Workstation reconfiguration tool designed to primarily disjoin and join devices between Active Directory or Entra ID.  It will repermission Windows Profiles and reconfigure the baseline Microsoft Office Suite of applications to the fresh start experiences where necessary.

macOS

PowerSyncPro Migration Agent is not currently supported on macOS.

Testing

Proof of concept testing should be conducted in advance against as many representative workstations as possible to ensure the greatest level of success.  Especially around critical applications and particularly 3^rd party and in-house custom applications including VPNs.

Network

• For all migrations the workstation needs persistent network access to the PowerSyncPro Server for the duration of the migration event, typically over TCP Port 5000 or port 443 depending on your configuration.
• For Active Directory Join and Hybrid Entra Join, the workstation needs network access to a target Domain Controller.
• For Entra Join and Hybrid Entra Join the workstation needs network access to Azure.
• For Offline domain join, the PowerSyncPro server requires a persistent connection to a target Domain Controller
• Offline domain join works without workstation connectivity to a Domain Controller providing the user has cached their target credentials in advance, but the workstations will not start the Hybrid Join process until a Domain Controller is available.

Hybrid Entra Join

Hybrid Entra Join requires client environmental configurations for Entra Connect and Group Policy applied to Workstations.

Entra Join

Entra Join is achieved by using a bulk enrollment token created within PowerSyncPro.  MFA should be excluded as a requirement to Entra Join to a tenant.

Conditional Access Restrictions

Conditional Access policies that immediately require a Hybrid Joined Device or Compliant Device may fail to allow workstation and user access to Azure and Microsoft 365 until Hybrid Entra Join completes or the device becomes compliant.

Applications

The PowerSyncPro Migration Agent will only reconfigure, remediate, and set the following applications to their fresh start status aka "Out of the Box Experience".

• Microsoft Outlook (legacy and new)
• Microsoft Teams
• Microsoft OneDrive for Business
• Microsoft OneNote / OneNote for Windows 10
• Microsoft Office Core Applications e.g. Word, Excel, PowerPoint
• Microsoft Office licence
• Microsoft Edge signed in primary browser profile

End-Point Protection Tools

The PowerSyncPro Workstation Migration Agent may need to be excluded from End-Point Protection tools that may block its ability to execute runbook phases.