Cross Tenant Computer Migration Consideration

-

Computer Migration in parallel with User Migration is not an optimal approach!

Why is this so and what are the impacts:

-          It will extend your migration time line

-          It might affect the Licensing Grace Period with Microsoft (becoming more expensive due to double licensing)

-          Computer Migration and Profile Migration will take time (approx. 1-5 hours)

-          3rd party tools are required for migration

-          Computers must be online during the device migration

-          If Intune is used for management solutions, a reimaging might be required

 

Azure AD joined

 For Azure AD joined Windows 10 devices, the issue is that there is no local admin on the device. Without a local admin, as soon as the Azure AD (AAD) account gets removed, you no longer have access to the device or it’s contents.



You must remove the device from Azure AD prior to your migration. If you are in hybrid AD, you can simply unjoin/ remove the device from Azure AD and leave the device in the On-Premises AD only. Here a migration is handle with a 3rd party tool, like Quest MMAD/ RUM (Resource Update Manager)

Nevertheless, in any cases, the user profile must be migrated, else the user starts with an empty/ fresh user profile. This is an unacceptable user experience.

There is an option, but with limited user experience too. You can prior to migration, if not already done, redirect know folders to OneDrive. Those folder e.g. are, Document, Videos, Downloads, Favourites,…
After migration and users OneDrive migration, the know folder can be synced again.

But note: other applications might not work any longer, testing, intense testing is required.
Office/ M365 application can be reinitiated, or a tools can switch those to the new tenant target.

Another recommendation is to treat a tenant to tenant migration as if your users were getting a new device. Make sure they back everything up and schedule a time for them to reset the device and set up the “new” one. Unfortunately, USMT (user state migration tool) doesn’t support Azure AD account migrations.

 

Migration of Autopilot devices

 

Upon you reset the device and it’s in (Out-of-Box-Experience) OOBE, it will discovering for an Autopilot profile. Ensure the hardware hash is removed from the source tenant, else If the hardware hash for the device is still into your old tenant, it will be prompted to re-enroll into the source tenant

Device must be unenrolled prior to deletion. You need to schedule this process accordingly in your migration plan.

In the Microsoft Endpoint Manager admin centre, make sure to export and then delete all the devices you plan on to migrate:


Export Autopilot dev



Delete Autopilot devices

 

Enable Enterprise State Roaming

 

Enterprise State Roaming is a more sophisticated solution compared to OneDrive know folder sync. You can managed which users are enabled for Enterprise State Roaming.

Upon have their users AAD account synced, they begin syncing Windows 10/11 settings, such as desktop background, theme, language preferences, and other.


Enterprise State Roaming setting

Intune tenant settings export/ import into the new environment

 

If this will be a completely new Intune environment, one way to save time would be to import your old settings. This won’t import the assignments, but at least all of your configurations will be the same. 
In case of this is a merger, this option is NOT available.

  

SCCM

This is the most complex migration you could initiate. But lets focus on the Device/ Computer migration itself. Remember, in SCCM you will have to repackage the software packages into the target SCCM.

If your computers are Azure AD joined, remove them from there and leave those in on-premises AD only.

Than follow those steps:

1. Enrol the target root certificate

2. Enrol the device certificate

3. Ensure the CMG is ready if in use

4. Uninstall the SCCM source agent

5. Migrate the computer AD to AD

6. Ensure the computer is either in the LAN or VPN

7. Execute the target SCCM agent (e.g. via GPO, logon script, ..)

8. Run the Profile Migration Wizard (3rd party tool)

9. Optional, run the Desktop Update Agent (redirect the O365 Application to target tenant)

 

Conclusion and Advice Computer Migration

Best is NOT migrating computers during the user T2T migration !

But if this is required, make sure the migration scheduling matches the availability of users, help desk capacity and migration team schedule.

You need a strong team with enough manpower handing those migrations. 



Comments

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modify the AD hide at
Read more

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, unique FQDN fo
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more