I have two ePO environments running, A and B. Both are running 5.10 Update 3. I migrated systems from A to B by deploying the framepkg from B. I enabled Drive Encryption system transfer using the webAPI per PD27693.
I have a particular client that, after migrating to server B, needed a recovery operation (user forgot DE password). I entered the challenge code into the console on server B, and user recovery is greyed out and machine recovery says "No recovery keys found for this machine! " So I ended up going back to server A and could perform the recovery from there.
What I don't understand is that this particular client was clearly communicating with server B. The encryption user list was present and appeared to be valid. I could also perform an export recovery information operation from the system tree but the challenge response failed, almost like it never transferred its keys to the new server. The DE: Client system transfer failure indicates None on both server A and server B. And the DE: Systems reporting a failed ePO system transfer report on server B shows that none of my ~500 DE clients failed.
Now we have successfully performed recovery of systems that were transferred from A to B but my concern is we have no way of knowing what other machines may have the same problem as this one. We don't want to keep server A around any longer than necessary. Any ideas of what might be happening here and how we might go about troubleshooting?
Thanks