I'm currently scoping out a project that may result in doing a full bottom-up upgrade of our security solution.
Currently we have ePO 5.1.1 and FDE 7.1.1 running on a Win2k8 box, looking after a relatively modest <300 endpoints.
The suggestion at the moment is we go to Win2016, ePO 5.3 and FDE 7.1.3.
My question is around the practicality of upgrade with minimal disruption to the endpoints.
Is it best to do an in-place upgrade of the current server to the latest versions? Or better to build a new server with the latest software versions/config, decrypt all systems and then re-register them on the new server?
Or is it better to do a half-way of both; build a new server, export settings and encryption keys from the old system and then import them to the new ePO?
By far it is easier to upgrade rather than migrate from one ePO to another new ePO (new Database) with MDE installed. MDE did not support migration from one server to another until MDE 7.1.3 and all clients must be running 7.1.3 in order for the functionality to work.
Currenlty no version of ePO supports Server 2016. For the list of supported OS's, please review KB51569.
If you wish to migrate to a new server, you can follow the guidance in KB66616 which will allow you to move to a new server while maintaining the current database. If this is a 32 bit server (Which isn't supported with ePO 5.1) additional steps need to be taken to migrate from 32 bit to 64 bit (KB82808).
Before you upgrade, I would reccomending reviewing the ePO Upgrade checklist in KB71825.
Edit: You cannot export and import encryption keys. While a tool exists here on planet to do a bulk export, there is no supported method to import them. Systems will automatically upload the keys after they are transferred but this assumes the transfer is successful. Unless there is a business justification such as the company is splitting divisions apart or something along those lines, under typical situations, I have never nor will I ever recommend spinning up a new ePO to facilitate an upgrade.