Cannot Perform Challenge/Response Recovery After Transfer To New ePO Server
I have two ePO environments running, A and B. Both are running 5.10 Update 3. I migrated systems from A to B by deploying the framepkg from B. I enabled Drive Encryption system transfer using the webAPI per PD27693.
I have a particular client that after migrating to server B needed a recovery operation (user forgot DE password). I entered the challenge code into the console on server B, and user recovery is greyed out and machine recovery says "No recovery keys found for this machine! " So I end going back to server A and could perform the recovery from there.
What I don't understand is that this particular client was clearly communicating with server B. The encryption user list was present and appeared to be valid. I could also perform an export recovery information operation from the system tree but the challenge response failed, almost like it never transferred its keys to the new server. The DE: Client system transfer failure indicates None on both server A and server B. And the DE: Systems reporting a failed ePO system transfer report on server B shows that none of my ~500 DE clients failed.
Now we have successfully performed recovery of systems that were transferred from A to B but my concern is we have no way of knowing what other machines may have the same problem as this one. We don't want to keep server A around any longer than necessary. Any ideas of what might be happening here and how we might go about troubleshooting?