I want to ask whether any of you has deeper experience with migrating encrypted machines between different versions of ePO. We have a 4.6.6 server with EEPC 7.0.2 and a 5.1.0 server with MDE 7.1. Now, following the migration guide, I will add the 7.0.4 extension, upgrade user data, and after all that I will migrate the whole server to 4.6.7, then migrate the clients to MDE 7.1.0. Here is the moment of truth: I want to migrate client machines from 4.6.7 to ePO 5.1.0. Does anyone have any experience with this? It is very sensitive when machines are encrypted, so if someone has experience with exactly this procedure, please let me know.
Yes, I do. I will prepare the assigned users on the new ePO the same way as they were on the older server. Users will have to enter new passwords and sync SSO again. Will it be possible to successfully migrate encryption keys between 4.6.7 and 5.1.0?
I've never heard of it being done - I have heard, though, of people just installing the new MA, and the key automatically repopulating in the new ePO server.
You'd have to try it out I expect, or get some prof services from your McAfee reseller - what you are asking is a pretty uncommon thing to do.
So it means that I can just reinstall the agent from the new server and the encryption key will be repopulated to the new ePO DB? It will be the best way to do it.
I support multiple ePO servers and have a need to migrate encrypted machines between the servers. We can export the password data from a SafeBoot 5.x server and import it into ePO. It's not too much to expect the same type of functionality between ePO servers. This can be a huge headache for users. My 2 cents.
I have performed the transfer as a test (4.6.x > 4.6.x) on several machines. It is not pretty and I did not expect it to be. Even if the transfer is between two ePO servers and they both point to the same LDAP server, it is still a different user. Once the user is assigned in ePO, the endpoint removes the old and adds back the new.
However, we have seen some challenges in getting this to start; we have noticed that the endpoint will not perform this task until the EEPC agent has recognized the new ePO server and sent the recovery keys to ePO. Sometimes this takes a reboot to engage (we have attempted simply restarting the EEPC Agent service and had minimal success). Fortunately, since user information has not been exchanged, the old user account (EEPC) carries over and they can still log in. Once the assignment completes, they are challenged for a new password at the next reboot. Hopefully enough time passes to allow the assignment to occur.
Do not transfer an encrypted client between servers as encryption keys are not moved from one server to the other. Doing so will disassociate the client from its keys, resulting in users being locked out.