If your encrypted systems are currently connected to ePO, you can upgrade the current Agent to version 5.0.5.
This way you will have a control of the systems so that they do not move of container in the tree of systems.
I hope it helps.
So the encrypted systems will not care if the GUID changes.
I was under the impression an upgrade preserves the GUID and only a full reinstall or forceinstall would generate new GUIDs
This snippet from McAfee Corporate KB - How to install McAfee Agent 4.x to systems using the "Force Install" command KB77876 had me concerned
"NOTE: If you have Endpoint Encryption for PC (EEPC) installed on your systems, contact Technical Support before using this option. Using this option can lead to duplicate entries and result in EEPC users unable to log on to Preboot (Unknown users). This issue can happen if MAC address check is disabled (or excluded)."
You can perform a McAfee Agent update from ePO with an installation task.
In order for you to be sure that this works, first test on a test system.
The correct steps for it to work perfect, first would be to decrypt the systems, second install new agent and third to re-encrypt.
You asked a few questions of your own and I will pose the questions you indirectly referred to.
So lets look at each of them.
>> Sequence errors can be seen when virtual machines are used and snapshots are reinstated. Every system that is managed by ePO must be unique in terms of it's GUID. Much like your Social Security Number is unique to you and nobody else. The ePO versions of today allow you address sequence errors in a few ways. When you run a query pertaining to sequence errors it reports on those systems that may be experiencing issues.
You can remedy the sequence error counts by using Clear Agent GUID Sequence Error Count from the menu shown below. You should determine when the sequence errors occurred as they may have been months ago. If that is the case you can clear them out or create a new line in the sand going forward. The second part is you can instruct the system to "Move GUID to Duplicate list....". That will remove the system from your system tree and tell the remote system to regenerate its GUID. When it has completed the client will have a brand new GUID and typically remedies the situation. The system is not likely to return to the original tree location and may be relocated to lost and found. Depending on your AD sync or sorting schedule should return them to their locations if configured correctly to begin with.
Note: If your system is not communicating well or has any trouble, or is in transit and is talking then off the wire you may not see that system again so go slow and be deliberate. I do not like deleting systems out of ePO unless I have a good process for getting them back if need be.
2. If host has drive encryption deployed will this still work after a new GUID has been generated.
<< You are working with the McAfee Agent GUID not the MDE keys.
3. After a new GUID has been generated will the host within ePO stay in it's current located within the systems tree or will it effectively become a new host and get placed in the lost & found.
>> If you use the Move GUID... approach probably not. If you attempt a new agent install it probably will. You could try a new agent install over the previous and measure if the sequence errors go away. In this way, you are more likely to have it remain in the same location and become updated. Look for duplicate systems as well before you start.
You could always consult support if your are unsure and have them take a look at it.