Microsoft 365 and infrastructure for manufacturing.
VMware exits. Server 2019 EOL. Plant-floor reality.
Mid-market discrete and process manufacturers — 100 to 1,500 employees, often with OT/ICS adjacent to IT. We engineer the M365 hardening, the VMware exit, the M&A tenant work, and the NIST 800-171 boundary for defense-adjacent suppliers. Vendor-neutral on every infrastructure decision.
Server 2019 reached extended support in January 2024 — security-only updates with no new features and no platform improvements. VMware's post-Broadcom pricing has multiplied 3–5x for many mid-market shops. The combined cost of staying put now exceeds the cost of moving for most plant footprints.
Why labor-only matters in manufacturing
The destination-platform decision is the highest-leverage choice in the project.
A VMware exit can land on Hyper-V, Azure, Azure Stack HCI, Nutanix, or Scale Computing. A storage refresh can go Pure, NetApp, Dell, HPE, or Lenovo. The right answer depends on plant-floor latency, OT adjacency, M&A pipeline, and existing skills — not on which vendor pays the consulting firm a margin.
Mid-market manufacturing IT is dominated by reseller-led firms whose engineering recommendation moves with their margin. That model has merit on day-to-day operations — the day someone needs a hand replacing a firewall, the reseller relationship is real value. The friction shows up on the project layer: a destination-platform recommendation is structurally more credible from an engineering firm with no resale skin in the game.
We don't carry partner badges. We don't resell licenses or hardware. We don't subcontract offshore. The work happens in your environment, under your controls, with engineering accounts you provision and revoke. Most engagements run alongside an existing MSP or internal IT team — we come in for the project, hand documented operational keys back, and exit.
Three project shapes
Where we typically engage in manufacturing.
Most engagements draw from one or two of these. The VMware exit and server EOL work is concentrated in 2026–2027; the NIST 800-171 work is rolling; the M&A integration is event-driven.
Project shape 01
VMware exit and server modernization
Broadcom's pricing changes hit manufacturing harder than almost any other vertical because of the on-prem footprint: factory data centers, edge compute at every plant, MES and historian servers running on locked vSphere stacks. Most mid-market manufacturers we talk to have multiplied their VMware spend 3–5x in the last 18 months. The exit is real engineering work — but the math has cleared.
- Workload inventory with OT-adjacency and licensing-constraint flagging
- Destination platform selection — Hyper-V / Azure / Azure Stack HCI / Nutanix / Scale Computing — vendor-neutral
- Phased migration with plant-floor downtime windows aligned to production schedule
- Storage and backup re-architecture (Pure / NetApp / Dell / HPE — labor-only assessment)
- Server 2019 / 2016 EOL upgrades coincident with the hypervisor migration
- OT-segmentation review at the migration boundary — IEC 62443 awareness
Project shape 02
NIST 800-171 readiness for defense-adjacent suppliers
Tier-2 and tier-3 defense-supply-chain manufacturers — precision machining, aerospace components, specialty materials, electronics assembly — increasingly find DFARS flow-downs in their prime contracts. The work is the same as it would be for a direct contractor; the operating reality is different because most of these firms aren't primarily defense suppliers. Scope discipline is critical: classify the CUI exposure first, build only the boundary you need.
- CUI / ITAR exposure assessment — where it actually lives in your environment
- Tenant decision: M365 commercial / GCC moderate / GCC High enclave (see Defense Contractors page)
- File-share carve-out for engineering drawings and export-controlled technical data
- Identity hardening — phishing-resistant MFA for engineering and quality roles
- Conditional Access tuned for OT-adjacent and engineering staff workflows
- Audit logging, retention, and POAM (Plan of Actions and Milestones) for assessor-facing evidence
Project shape 03
M&A tenant integration and plant-floor IT consolidation
Acquisitive manufacturers — especially private-equity-backed roll-ups — accumulate tenants the way they accumulate plants. Each acquisition arrives with its own M365 instance, its own identity model, its own file-share architecture, and its own ad-hoc remote-access patchwork. The integration work isn't glamorous; it's what determines whether the synergy thesis actually shows up.
- Tenant-to-tenant migration of the acquired entity's M365 footprint
- Plant-floor file share modernization — SharePoint / OneDrive consolidation
- Identity rebuild with proper role-segregation across plants
- Teams Phone consolidation — distributed-plant call routing on a single platform
- Intune deployment for shared shop-floor and field-service devices
- VPN and remote-access cleanup — replacing per-plant patchwork with Conditional Access + Entra Private Access
Compliance frameworks we engineer to
From defense-supply-chain to OT-adjacent reality.
Manufacturing compliance varies by what you make and who you sell to. Most mid-market manufacturers we work with carry a mix — some defense work, some commercial, sometimes export-controlled, sometimes not. The framework set on this page is the typical scope; the actual scope of an engagement is whatever maps to your operating reality.
NIST SP 800-171 (DFARS-driven)
Required for any non-federal system handling Controlled Unclassified Information — including defense-supply-chain manufacturers receiving CUI through DFARS flow-down. We map the M365 control configurations to the 110 controls and document evidence packets for assessor or self-attestation review.
ITAR (22 CFR §120-130)
If your shop fabricates, machines, or assembles items on the U.S. Munitions List — or handles technical data subject to ITAR — the export-control regime layers on top of DFARS / 800-171. The technical implication is GCC High and personnel-screening discipline. We assess the actual ITAR exposure first; not every defense-adjacent shop has it.
EAR (Export Administration Regulations)
Commerce-controlled dual-use technology and software. Many electronics, instruments, and specialty-materials manufacturers have EAR exposure they haven't fully classified. The technical controls overlap with ITAR; the licensing and end-use rules differ. We engineer the data-segregation boundary; the export-classification work belongs to your trade-compliance team or counsel.
IEC 62443 (industrial cybersecurity)
The dominant framework for OT / ICS cybersecurity. We don't implement 62443 directly — that's the OT team's domain — but the IT/OT boundary we engineer is shaped by 62443 zone-and-conduit thinking. Identity, segmentation, and remote-access design at the boundary are where IT consulting touches OT reality.
CMMC L2 (where applicable)
If your firm handles CUI as a defense-supply-chain participant, CMMC 2.0 L2 self-assessment becomes required for new CUI-handling contracts beginning Phase 2 (Nov 10, 2026). Most mid-market defense-adjacent manufacturers are L2. The full deep-dive lives on the Defense Contractors page.
Customer-imposed security questionnaires
Tier-1 customers — large OEMs, government primes, healthcare manufacturers — flow detailed security questionnaires to suppliers. CMMC, ISO 27001-aligned, NIST CSF, sometimes one-off custom. We engineer the underlying controls so the answers are honest and the documentation is real.
What we don't do
The IT / OT boundary is real. We engineer up to it, not past it.
Manufacturing is the one vertical where consulting-firm scope creep can quietly damage production. Boundary discipline is the work.
No PLC, SCADA, or MES configuration changes.
The plant-floor control systems are operated by your OT team or the equipment OEM. We don't reconfigure them. We engineer the IT-side identity, segmentation, and integration boundary that touches them.
No hardware or licensing resale.
Server, storage, networking, and Microsoft licensing flow through your existing channels. We make vendor-neutral recommendations and engineer the deployment. The procurement margin lives elsewhere on purpose.
No export-classification opinions.
Whether a specific drawing, alloy, or software falls under ITAR or EAR is a trade-compliance call belonging to your trade counsel or empowered official. We engineer the data-segregation boundary; we don't classify the items inside.
No CMMC C3PAO assessment.
We get you ready for an assessment. The third-party assessment itself is performed by an authorized C3PAO firm, and that's a separate engagement with separate independence requirements.
Recent manufacturing references
Anonymized engagement profiles.
No client names. Sector + size + scope. The full engagement notes are on /work/.
350-person aerospace components supplier
Commercial → GCC High migration with CMMC L2 readiness. ITAR-tagged engineering drawings, hardware MFA tokens for engineering and quality, 16-week project.
5-plant precision machining roll-up, ~600 employees
VMware exit on factory data centers + tenant consolidation across acquired plants. Phased plant-by-plant cutover with production-window discipline.
Specialty chemicals manufacturer, ~900 employees, 3 sites
Server 2019 EOL upgrade coincident with VMware-to-Hyper-V migration. M365 hardening on top — MFA, Conditional Access, Defender baseline.
Electronics assembly contract manufacturer, ~250 employees
Tenant-to-tenant migration following PE acquisition. Plant-floor file share modernization. Teams Phone deployment replacing aging on-prem PBX.
Where to go next
Read the related work.
Service pillar
VMware Exit & Server Modernization
Hyper-V, Azure, Azure Stack HCI, Nutanix, Scale Computing. Vendor-neutral destination-platform engineering.
Industry
Defense Contractors
If your shop is squarely in the defense-supply-chain bucket — GCC High, CMMC L2, NIST 800-171 deep-dive.
Field notes
VMware after Broadcom — exit options
Hyper-V, Azure, Nutanix, Scale Computing — comparative tradeoffs for mid-market manufacturing footprints.
FAQ
Common questions from manufacturing buyers.
We're not a defense contractor — do we still need NIST 800-171?
Maybe. The 800-171 control set was authored for non-federal systems handling Controlled Unclassified Information, which puts every DoD-supplier subcontractor in scope through DFARS flow-down. If you supply a tier-1 prime — even three contracts deep — your prime may be flowing the requirement to you. Manufacturing is also where ITAR exposure quietly creeps in: a single export-controlled drawing in a SharePoint site can change your compliance posture overnight. We map your CUI / ITAR exposure first, then advise. If you're a pure commercial manufacturer with no DoD or export-controlled work, 800-171 isn't required — but a hardened M365 baseline still pays off.
What's the realistic timeline for a VMware exit on plant infrastructure?
12–28 weeks for a typical mid-market manufacturer, depending on scale. The drivers are not the hypervisor migration itself — that's the easy part. The drivers are: validating which workloads have hardware-affinity or licensing constraints (MES platforms, historian databases, SCADA integration servers); coordinating plant-floor downtime windows that don't disrupt production; and making sure the destination platform (Hyper-V, Azure, Azure Stack HCI, Nutanix, Scale Computing) is appropriately sized for OT-adjacent latency requirements. Broadcom's pricing changes hit manufacturing especially hard — many shops are now paying 3–5x for the same VMware footprint. The exit is rarely a question of if anymore.
Do you touch the OT / ICS side or just IT?
We engineer the IT side, with deliberate awareness of where IT and OT meet. The plant-floor PLC, the SCADA system, the historian database, and the MES platform are operated by the OT team or the equipment OEM. We don't reconfigure them. What we do engineer is the boundary: identity for the OT-adjacent admin accounts, segmentation for the OT VLAN as it touches the corporate network, file-share architecture for engineering drawings and quality records, and Conditional Access for the engineering staff who move between corporate IT and plant-floor systems. IEC 62443 awareness shapes the boundary design even when we're not implementing 62443 directly.
We're growing through acquisitions — how does the tenant strategy work?
Most acquisitive manufacturers we work with land in one of three patterns. (1) Roll-up to the parent tenant: clean for similar-sized acquisitions, slow for very different cultures or core systems. (2) Carve-out: keep the acquired plant on its own tenant for 12–24 months while integration plans clarify; works when the acquired entity has its own IT competence. (3) Hybrid: parent tenant for back-office, plant tenant for plant-floor identity. Each has tradeoffs. We assess the M&A pipeline cadence, the IT team capacity, and the operational complexity tolerance, then recommend a tenant pattern. Most engagements end up as some flavor of phased roll-up.
Why labor-only for manufacturing — most of our peers use a reseller-led MSP.
Reseller-led MSPs are the dominant model in mid-market manufacturing IT, and many do solid work. The friction shows up at the project layer: a VMware exit recommendation is more credible from a firm whose margin doesn't move with which destination platform you pick. Same for storage refresh, server refresh, and Microsoft licensing. We don't carry partner badges and we don't resell. The day-to-day MSP keeps running its model; we come in for the project decisions where the conflict matters. The two models coexist on most engagements.
VMware bill went up 3x? Server 2019 EOL on the calendar?
Tell us the plant footprint, the workloads, and the timeline pressure. Two-business-day response with destination-platform recommendation and migration scope.