M&A: How do I migrate all these workstations into my environment?

M&A
Endpoint

You just found out that you have thousands of workstations (i.e., laptops/desktops) that you need to integrate into your existing environment. Some are out of warranty and should be replaced, but the majority of them are well within their refresh cycle. It can be a daunting task. How in the world am I going to integrate all of these devices?

Items to consider when planning a workstation migration

When planning to migrate workstations across environments there are quite a few things to consider, but the ones that matter most boil down to the following:

  1. User profile(s)
    • The user profile is the folder under C:\Users that holds the signed-in user's data. It is bound to the user's security identifier (SID) in the Active Directory domain or Entra tenant the account belongs to, which is what makes it hard to reuse after a domain or tenant change. It stores user data such as Desktop and Documents, plus some application settings (depending on the application).
    • Don't forget that some workstations are shared by more than one user, so there will be multiple user profiles to care for.
  2. Outlook email profile(s)
    • This is the Outlook profile managed under Mail in Control Panel. It holds the configuration that tells Outlook which Exchange environment to connect to; the OST file is the local offline cache of that mailbox, not the profile itself.
  3. Microsoft 365 apps (Outlook, Word, Excel, etc.)
    • Users sign in to these apps using their Entra ID account. When migrating to a new tenant, we need to ensure that these applications are correctly configured to point to the new tenant.
  4. Applications
    • Installed applications
    • Cloud applications
  5. Browser favorites
  6. OneNote sync
  7. Cloud joined vs hybrid joined vs domain joined
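Before you can plan any of the three approaches below you need these facts per device. The following is an added assessment script (not part of the original article) that collects them from a single workstation: the registered user profiles and whether their SIDs still resolve, the Outlook mail profiles of signed-in users, the join type and tenant from dsregcmd, installed applications, and make/model/serial for the refresh-cycle decision. It assumes Windows 10/11, an elevated PowerShell 5.1+ session (run locally or pushed via your RMM or an Intune script), and Microsoft 365 Apps (Office 16.0); the output file name is an arbitrary choice.

```powershell
# Added example: one-shot workstation assessment for an M&A migration. Run elevated.
$systemSids = '^S-1-5-(18|19|20)$'   # SYSTEM, LocalService, NetworkService: not user profiles

function Get-ProfileInventory {
    # Every profile registered in ProfileList. The key name is the owning SID; SIDs that no
    # longer resolve after a domain change are orphaned profiles.
    $plKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem $plKey | Where-Object { $_.PSChildName -notmatch $systemSids } | ForEach-Object {
        $sid  = $_.PSChildName
        $path = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $_.PSPath).ProfileImagePath)
        $acct = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
        } catch { '<unresolved>' }
        $hive     = Join-Path $path 'NTUSER.DAT'
        $lastUsed = if (Test-Path $hive) { (Get-Item $hive -Force).LastWriteTime } else { $null }
        [pscustomobject]@{
            Sid = $sid; Account = $acct; Path = $path; LastUsed = $lastUsed
            Loaded = Test-Path "Registry::HKEY_USERS\$sid"   # hive loaded = user currently signed in
        }
    }
}

function Get-OutlookProfiles {
    # Mail profiles live in each user's hive, so only loaded hives (signed-in users) are
    # visible here; offline users need their NTUSER.DAT loaded or the check run in their session.
    Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $key = "Registry::HKEY_USERS\$sid\Software\Microsoft\Office\16.0\Outlook\Profiles"
            if (Test-Path $key) {
                Get-ChildItem $key | ForEach-Object { [pscustomobject]@{ Sid = $sid; MailProfile = $_.PSChildName } }
            }
        }
}

function Get-JoinState {
    # Join type and tenant straight from dsregcmd /status, the authoritative source for Entra state.
    $lines = & dsregcmd.exe /status
    $field = {
        param($name)
        $m = $lines | Select-String -Pattern "^\s*$name\s*:\s*(.+?)\s*$" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
    }
    $azure  = & $field 'AzureAdJoined'
    $domain = & $field 'DomainJoined'
    $joinType = switch ("$azure/$domain") {
        'YES/YES' { 'Hybrid Entra joined' }
        'YES/NO'  { 'Entra joined' }
        'NO/YES'  { 'Domain joined' }
        default   { 'Workgroup or unknown' }
    }
    [pscustomobject]@{ JoinType = $joinType; TenantId = & $field 'TenantId'; DomainName = & $field 'DomainName' }
}

function Get-InstalledApps {
    # Installed applications from both Uninstall hives (64- and 32-bit). Store apps and cloud/SaaS
    # apps are not here; collect those from Intune or your identity provider's sign-in logs.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
        Select-Object DisplayName, DisplayVersion, Publisher | Sort-Object DisplayName -Unique
}

function Get-HardwareFacts {
    # Make/model/serial drive the "replace or keep" and driver-standardization decisions.
    $cs = Get-CimInstance Win32_ComputerSystem; $bios = Get-CimInstance Win32_BIOS; $os = Get-CimInstance Win32_OperatingSystem
    [pscustomobject]@{ Manufacturer = $cs.Manufacturer; Model = $cs.Model; Serial = $bios.SerialNumber
                       OsVersion = $os.Version; OsInstalled = $os.InstallDate }
}

$report = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Hardware     = Get-HardwareFacts
    Join         = Get-JoinState
    Profiles     = @(Get-ProfileInventory)
    MailProfiles = @(Get-OutlookProfiles)
    Apps         = @(Get-InstalledApps)
}
# Hypothetical output location; aggregate these JSON files across the fleet for planning.
$report | ConvertTo-Json -Depth 4 | Set-Content (Join-Path $env:ProgramData 'migration-assessment.json')
$report.Join | Format-List
$report.Profiles | Format-Table Sid, Account, LastUsed, Loaded
```

The Profiles table is the one to keep: a profile whose Account shows `<unresolved>` after the device has left the source domain is exactly the orphaned-SID problem described under Domain Migration below, and a LastUsed date older than your retention policy is a candidate to skip rather than migrate.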

Ways to migrate

So now that we know some of the things we need to consider, let’s discuss what options we have. There are essentially three ways to handle a device during an integration (whether that’s an acquisition or a merger; divestitures typically follow option 1). Each option has its respective pros/cons. In this article, we will call the company being bought the source company, and the company making the acquisition the target.

  1. Issue new hardware
  2. Wipe and reload
  3. Domain migration

You do have other options, but they are circumstantial and not widely adopted, so we will not cover them here. They include leaving users in the source environment and having them use a VDI solution such as Windows 365 or Azure Virtual Desktop to work in the target environment.

Issue New Hardware

This is by far the easiest of the three options, but it can be cost-prohibitive if you are migrating thousands of workstations. In this scenario, the acquiring company issues new workstations to the acquired employees. The new hardware can be imaged using the target company's existing imaging process (we recommend Autopilot). This solves the following challenges:

  • You do not need to “flip” the user profile
    • When the user signs in to the new hardware, it will create a new user profile associated to their account in the target environment. You will not need to worry about redirecting an existing user profile to the target.
  • You do not need to reconfigure the mail profile
    • A fresh mail profile will be built when launching Outlook that will point to the correct Exchange environment. Again, no need to worry about redirecting it to the correct location.
  • You do not need to relicense or reassign Microsoft 365 apps
    • The pattern continues with a fresh login. You don’t need to worry about signing out with the old credentials and signing in with the new ones. It’s all fresh!

The user’s data still needs to be migrated from their old workstation. This includes the files on their local disk, browser favorites, and applications they use. Here’s what we recommend for each:

  • Local data
    • Enable OneDrive Known Folder Move (KFM) on the source machine and communicate to users that everything they want to keep must live in one of those folders (Desktop, Documents, and Pictures)
    • From here, it's a straightforward OneDrive to OneDrive migration between tenants
      • When they sign in to the new device with KFM enabled in the target tenant, they'll see the same files in Desktop, Documents, and Pictures, delivered as placeholders by Files On-Demand
  • Browsers
    • Execute a script to export browser favorites to OneDrive at the source, and another script to import at the target
  • Applications
    • Ensure a comprehensive list of applications is collected from the source side and create application packages for the target side (⚠️ make sure the application data is accounted for, not just the installer!)
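As an added example of the "export favorites to OneDrive" step (this is not the article's own script), the following exports the favorites of every Edge and Chrome browser profile on the source device into the user's OneDrive as a standard Netscape bookmark file (bookmarks.html). Every mainstream browser can import that format, so the target-side step is Settings > Import favorites or a scripted import of the same file. It runs in the user's context, assumes the Chromium "Bookmarks" JSON layout, and assumes OneDrive is signed in (the $env:OneDriveCommercial or $env:OneDrive variable is set); the Migration\<computername> folder name is an arbitrary choice. Firefox (places.sqlite) is not covered.

```powershell
# Added example: export Chromium-based browser favorites to a Netscape bookmark file in OneDrive.

function ConvertTo-NetscapeBookmarkLines {
    # Recursively emits the <DT>/<DL> lines for one folder node of the Chromium JSON tree.
    param($Node, [int]$Depth = 1)
    $pad = '    ' * $Depth
    foreach ($child in $Node.children) {
        $name = [System.Net.WebUtility]::HtmlEncode([string]$child.name)
        switch ($child.type) {
            'url'    { "$pad<DT><A HREF=""$([System.Net.WebUtility]::HtmlEncode([string]$child.url))"">$name</A>" }
            'folder' {
                "$pad<DT><H3>$name</H3>"
                "$pad<DL><p>"
                ConvertTo-NetscapeBookmarkLines -Node $child -Depth ($Depth + 1)
                "$pad</DL><p>"
            }
        }
    }
}

function Export-ChromiumBookmarks {
    # Walks every browser profile ("Default", "Profile 1", ...) under a User Data folder and
    # writes one HTML file. Returns the output path, or $null if no favorites were found.
    param([Parameter(Mandatory)][string]$UserDataDir, [Parameter(Mandatory)][string]$OutFile)
    $lines = @(
        '<!DOCTYPE NETSCAPE-Bookmark-file-1>',
        '<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">',
        '<TITLE>Bookmarks</TITLE>', '<H1>Bookmarks</H1>', '<DL><p>'
    )
    $found = 0
    $profiles = Get-ChildItem $UserDataDir -Directory -ErrorAction SilentlyContinue |
                Where-Object { Test-Path (Join-Path $_.FullName 'Bookmarks') }
    foreach ($profile in $profiles) {
        # The Bookmarks file is plain JSON and can be read while the browser is open.
        $json = Get-Content (Join-Path $profile.FullName 'Bookmarks') -Raw -Encoding UTF8 | ConvertFrom-Json
        $lines += "    <DT><H3>$([System.Net.WebUtility]::HtmlEncode($profile.Name))</H3>"
        $lines += '    <DL><p>'
        foreach ($root in 'bookmark_bar', 'other', 'synced') {
            if ($json.roots.$root) { $lines += ConvertTo-NetscapeBookmarkLines -Node $json.roots.$root -Depth 2 }
        }
        $lines += '    </DL><p>'
        $found++
    }
    $lines += '</DL><p>'
    if ($found -eq 0) { return $null }
    New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
    $lines | Set-Content -Path $OutFile -Encoding UTF8
    return $OutFile
}

# Prefer the work OneDrive; refuse to run if nothing would sync the export off the machine.
$oneDrive = if ($env:OneDriveCommercial) { $env:OneDriveCommercial } else { $env:OneDrive }
if (-not $oneDrive) { throw 'OneDrive is not signed in on this device; the export would never leave the machine.' }
$outDir = Join-Path $oneDrive "Migration\$env:COMPUTERNAME"   # hypothetical folder layout

$browsers = @{
    Edge   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
    Chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
}
foreach ($b in $browsers.GetEnumerator()) {
    $result = Export-ChromiumBookmarks -UserDataDir $b.Value -OutFile (Join-Path $outDir "$($b.Key)-bookmarks.html")
    if ($result) { "Exported $($b.Key) favorites to $result" } else { "No $($b.Key) favorites found" }
}
```

Exporting to the neutral HTML format rather than copying the raw Bookmarks JSON avoids fighting the browser's own checksum and profile-sync logic on the target side, and the file lands in a known OneDrive path so the tenant-to-tenant OneDrive migration carries it across with everything else.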

Pros/Cons

Pros:

  • Simpler migration path
  • Little to no downtime (users simply start using their new device after the migration cutover; for example, old workstation on Friday, new workstation on Monday)
  • Includes a rollback strategy; the old machine is still intact, so it can be referenced for a period of time post-migration
  • Ensures all machines in your environment are the same make/model

Cons:

  • Expensive to buy all new hardware
  • Can be difficult to coordinate collection of old machines (some of your end users will have a hard time letting go!)
    • Once collected, you’ll want to consider a recycling company such as Sprout

Wipe and Reload

What if the devices on the source side are relatively new and still under warranty? Buying new hardware for everyone would be great, but can be costly. In this scenario, users keep their existing devices, but the devices are wiped clean and reloaded with a fresh OS image provided by the target company. This assumes that the target company has a standardized, mature, and repeatable imaging process. It also ensures that all machines run your OS image, and that you are not inheriting any technical debt (or potentially malware) from the source company. A nice clean slate.

The process for this is very similar to issuing new hardware, except that a system must be in place to reimage each machine. The process is as follows:

  1. Back up the user's data (we recommend following the same OneDrive approach as before, though you can also use USMT to export to an external drive)
  2. Install a fresh image on the existing hardware (we recommend initiating an Autopilot reset on the device)
  3. Migrate user data (using OneDrive to OneDrive, or USMT)
  4. Load applications

Pros/Cons

Pros:

  • Leverages existing hardware, which reduces capital expenditure on new hardware
  • Lower shipping costs
    • This depends on your imaging strategy, however. If you do not have a remote imaging strategy and require a local network connection to image the machine, you may still be shipping laptops around
  • Ensures all machines are using your standard OS image

Cons:

  • If you're a Lenovo shop and the acquired company uses Dell, you now have to account for device drivers, firmware, etc., which also means you'll have a non-standardized hardware estate
  • If you don’t have a remote imaging strategy, this could become a tedious manual-touch process
  • Down time will be incurred during the imaging process
  • No rollback strategy; if you don't account for all the data that needs migrating, it's gone once the device is wiped

Domain Migration

There may be a situation in which you are nervous to lose data and do not want to wipe anything, and you can’t justify the cost of all new hardware, so you decide to leave the devices as-is, but join them to the target domain. While possible, this is the most challenging of the three options. First, we’ll explain why this is the hardest, and then we’ll explain how we help companies achieve this.

Why is this so hard? Can't we just go to Computer Properties, leave the old domain and join the new one? There are two big reasons why this is challenging, and we touched on both of them earlier:

  1. The user profile on the machine is bound to the SID (the security identifier that uniquely identifies a user or group) of the user in the old domain. When the user signs in with their new account in the target domain, Windows sees an unknown SID and creates a new, empty profile instead of using the old one
    • We use tooling to change the Account Owner of the user profile to the user's SID in the new environment (in practice: the profile's entry in the ProfileList registry key and the permissions on the profile folder and its registry hive) at the same time we migrate the computer object in Active Directory or Entra. That way, when they sign in with the new ID, it points at the same user profile.
  2. After you solve #1, the Microsoft 365 apps are still signed in to the old tenant.
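As an added illustration of what the profile re-point in #1 involves (this is not the article's tooling, and commercial profile-migration tools do more, such as handling roaming settings and cleaning old ACEs), the script below re-registers an existing profile folder for a new SID on a machine that has already been joined to the target domain or tenant. It assumes an elevated session on the device, that the old user is signed out, that the new account has not yet signed in on this machine (a first sign-in would create a fresh empty profile under the new SID), and that you have a backup. The `ConvertTo-EntraSid` helper is included because Entra-only users have no AD object to read a SID from; their SID is derived deterministically from the object ID. Run it with -WhatIf first.

```powershell
# Added example: re-point an existing local profile to a new SID after a domain/tenant change.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$OldSid,   # source-domain user's SID, as listed under ProfileList
    [Parameter(Mandatory)][string]$NewSid    # target AD user's SID, or an Entra SID from ConvertTo-EntraSid
)

function ConvertTo-EntraSid {
    # Entra ID users get the SID S-1-12-1-<four uint32s>, which are the object ID GUID's
    # 16 bytes read as little-endian DWORDs. Use it when the user exists only in Entra.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    "S-1-12-1-$($parts -join '-')"
}

$plKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$oldKey = Join-Path $plKey $OldSid
$newKey = Join-Path $plKey $NewSid
if (-not (Test-Path $oldKey))                  { throw "No profile is registered for $OldSid" }
if (Test-Path $newKey)                         { throw "$NewSid already owns a profile; deal with that (empty) profile first" }
if (Test-Path "Registry::HKEY_USERS\$OldSid")  { throw "The old user is still signed in; sign them out first" }

$rawPath     = (Get-ItemProperty $oldKey).ProfileImagePath                  # keep the REG_EXPAND_SZ form
$profilePath = [Environment]::ExpandEnvironmentVariables($rawPath)
$newIdentity = [System.Security.Principal.SecurityIdentifier]$NewSid

# 1. Folder: give the new SID ownership and inheritable full control on the whole tree.
#    icacls accepts '*<SID>' so this works before the new account has ever signed in here.
if ($PSCmdlet.ShouldProcess($profilePath, "Set owner and grant full control to $NewSid")) {
    & icacls.exe $profilePath /setowner "*$NewSid" /T /C /Q | Out-Null
    & icacls.exe $profilePath /grant "*${NewSid}:(OI)(CI)F" /T /C /Q | Out-Null
}

# 2. Registry hives: NTFS permissions do not cover the keys inside NTUSER.DAT and UsrClass.dat,
#    so load each hive and add an inheritable full-control ACE for the new SID at its root.
$hives = (Join-Path $profilePath 'NTUSER.DAT'), (Join-Path $profilePath 'AppData\Local\Microsoft\Windows\UsrClass.dat')
foreach ($hive in $hives | Where-Object { Test-Path $_ }) {
    if (-not $PSCmdlet.ShouldProcess($hive, "Add full-control ACE for $NewSid")) { continue }
    & reg.exe load 'HKU\MigTmp' $hive | Out-Null
    try {
        $acl  = Get-Acl -Path 'Registry::HKEY_USERS\MigTmp'
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
                    $newIdentity, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path 'Registry::HKEY_USERS\MigTmp' -AclObject $acl
    } finally {
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()   # drop handles or the unload fails
        & reg.exe unload 'HKU\MigTmp' | Out-Null
    }
}

# 3. ProfileList: register the same folder under the new SID and park the old entry
#    (renamed rather than deleted) so rollback is a rename away.
if ($PSCmdlet.ShouldProcess($newKey, "Register $profilePath for $NewSid")) {
    $sidBytes = New-Object byte[] $newIdentity.BinaryLength
    $newIdentity.GetBinaryForm($sidBytes, 0)
    New-Item -Path $newKey | Out-Null
    New-ItemProperty -Path $newKey -Name ProfileImagePath -Value $rawPath  -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $newKey -Name Sid              -Value $sidBytes -PropertyType Binary       | Out-Null
    New-ItemProperty -Path $newKey -Name Flags            -Value 0         -PropertyType DWord        | Out-Null
    New-ItemProperty -Path $newKey -Name State            -Value 0         -PropertyType DWord        | Out-Null
    Rename-Item -Path $oldKey -NewName "$OldSid.bak"
}
"Profile $profilePath is now registered for $NewSid; the next sign-in with that account will use it."
```

The two checks at the top are the ones that bite in practice: a profile already registered for the new SID means someone tested the new sign-in "just to see", and a still-loaded old hive means the ACL changes will be partially applied and the unload will fail. Nothing here touches the Microsoft 365 sign-in state, which is the second problem and is handled separately.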

The Microsoft 365 apps are the bear here. Breaking this down, there are 2 main components of the suite we need to care for:

  1. Outlook mail profile
    • Assuming you do not have PSTs, rebuilding the mail profile is fairly simple. Whether or not the primary SMTP address changes matters, and Autodiscover records in the target environment do most of the work. You can delete the mail profile (under Mail in Control Panel) and let Outlook build a new one on next launch.
  2. The rest of Microsoft 365 apps (Teams, OneDrive, Word, Excel, etc.)

As for the rest of the Microsoft 365 apps suite, this is where it gets complicated. Microsoft stores configuration and credential state in a variety of places, including the registry, the file system, Windows Credential Manager, and Web Account Manager (WAM), and which of these matter depends on the device join type (domain, hybrid, or Entra).
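Before clearing any of that state it helps to see exactly what the machine still remembers about the old tenant. The script below is an added example (not the article's or Microsoft's script) that runs as the user, not elevated, and inventories the standard Office 16.0, OneDrive and WAM locations, then compares the tenant each OneDrive account syncs to against the tenant the device is now joined to (from dsregcmd). It only reports; clearing is the separate, ordered user/admin procedure the text refers to. Registry value names (EmailAddress, UserEmail, ConfiguredTenantId) are the ones Office and OneDrive write today; the JSON output name is an arbitrary choice.

```powershell
# Added example: inventory stale Microsoft 365 / OneDrive / WAM identity state for the current user.

function Get-DeviceTenantId {
    # Tenant the device itself is joined (or hybrid-joined) to.
    $m = & dsregcmd.exe /status | Select-String -Pattern '^\s*TenantId\s*:\s*([0-9a-fA-F-]{36})' | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value } else { $null }
}

function Get-OfficeIdentities {
    # Accounts Office has signed in; key names end in _ADAL (work/school) or _LiveId (personal).
    $key = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity\Identities'
    if (-not (Test-Path $key)) { return @() }
    Get-ChildItem $key | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Identity = $_.PSChildName; Email = $p.EmailAddress }
    }
}

function Get-OneDriveAccounts {
    # Business1/Business2 are the work accounts; ConfiguredTenantId is the tenant they sync to.
    $base = 'HKCU:\Software\Microsoft\OneDrive\Accounts'
    if (-not (Test-Path $base)) { return @() }
    Get-ChildItem $base | Where-Object { $_.PSChildName -like 'Business*' } | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Account = $_.PSChildName; Email = $p.UserEmail; TenantId = $p.ConfiguredTenantId }
    }
}

function Get-OfficeCredentialTargets {
    # Credential Manager entries created by Office, OneDrive and Teams (only the owning user can list them).
    & cmdkey.exe /list | Select-String -Pattern '^\s*Target:\s*(.+)$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() } |
        Where-Object { $_ -match 'MicrosoftOffice|OneDrive|msteams|Teams' }
}

function Get-TokenCacheFolders {
    # On-disk token and identity caches (WAM, OneAuth, legacy identity cache, Office licensing).
    foreach ($rel in 'Microsoft\TokenBroker\Cache', 'Microsoft\OneAuth', 'Microsoft\IdentityCache', 'Microsoft\Office\16.0\Licensing') {
        $full   = Join-Path $env:LOCALAPPDATA $rel
        $exists = Test-Path $full
        $bytes  = if ($exists) { (Get-ChildItem $full -Recurse -File -Force -ErrorAction SilentlyContinue | Measure-Object Length -Sum).Sum } else { 0 }
        [pscustomobject]@{ Path = $full; Exists = $exists; Bytes = [int64]$bytes }
    }
}

$deviceTenant = Get-DeviceTenantId
$report = [pscustomobject]@{
    User             = "$env:USERDOMAIN\$env:USERNAME"
    DeviceTenantId   = $deviceTenant
    OfficeIdentities = @(Get-OfficeIdentities)
    OneDrive         = @(Get-OneDriveAccounts)
    Credentials      = @(Get-OfficeCredentialTargets)
    TokenCaches      = @(Get-TokenCacheFolders)
}

# The hard finding: a OneDrive account still pointed at a tenant other than the one the device is in.
$findings = @()
foreach ($od in $report.OneDrive) {
    if ($deviceTenant -and $od.TenantId -and $od.TenantId -ne $deviceTenant) {
        $findings += "OneDrive $($od.Account) ($($od.Email)) syncs tenant $($od.TenantId) but the device is in $deviceTenant"
    }
}
# The soft findings: cached sign-ins and credentials that must be reviewed against the new tenant.
if ($report.OfficeIdentities.Count -gt 0) { $findings += "Office cached identities to review: $($report.OfficeIdentities.Email -join ', ')" }
if ($report.Credentials.Count -gt 0)      { $findings += "$($report.Credentials.Count) Credential Manager entries for Office/OneDrive/Teams remain" }

$report | ConvertTo-Json -Depth 3 | Set-Content (Join-Path $env:LOCALAPPDATA 'm365-identity-inventory.json')
if ($findings) { $findings } else { 'No stale tenant state found in the checked locations.' }
```

Run it once before the cleanup scripts and once after: the "before" run tells you which locations actually hold state on that join type, and the "after" run is the acceptance check that the user-context steps really ran as the user rather than as the deploying account.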

Microsoft does have an article that walks you through this, but as soon as you dive in you'll begin to understand the complexity. Some steps must run in the user's context, and others elevated. The order is also important. Unless you have a very solid device-automation process, it's easier to do this manually (i.e., babysit the scripts).

Why? Because how likely is it that the devices in the source environment are onboarded in a way that lets you automate against them efficiently?

Pros/Cons

Pros:

  • Very little changes from the end users' perspective, which greatly reduces change management and communication requirements. When executed well, this is the most seamless sign-in experience.
  • The risk of data loss is very low since it’s all staying on the machine
  • Applications will not need to be packaged or reconfigured on each machine

Cons:

  • This approach is extremely complex and can vary widely from environment to environment
  • Convincing Microsoft 365 apps to point to the new tenant is challenging, even in the most automated environments
  • End users will incur down time while their machine is being configured for the new environment
  • Technical debt is brought into the target company
    • Any malware, ransomware, or existing issues on those machines remain intact (unless picked up by the target environment's AV or EDR tools)
  • What you save in hardware costs, you may spend in consulting or time of your IT staff

Conclusion

As you may see, there are a lot of considerations when migrating devices across companies during a merger or acquisition. If you have any questions or concerns, please feel free to reach out to us for a quick whiteboard so that we can help!