It has been said on a few occasions that users are not transferable and I have found this to be the case. I've tried to move clients between two ePO 4.6.7 servers and I need to manually re-assign the users and they need to log in with the default password again.
I don't use "add local domain users", so I don't know how that would work.
I'm sure I have seen the key transfer to the new server once it starts its communications, but the only real way to test is to export the key from ePO and test decrypt/authorise etc. to check it does resend the key.
I would manually export the key for each machine out of your old server before transferring them as a precaution while testing.
However, I think if you are going to immediately upgrade then possibly the process of upgrading EEPC to a new version may also re-send the key to the server.
Check the mfeepe.log as the process is happening to confirm.
We have done this recently, transferred from one ePO server (4.6.6) to a new ePO server (5.1 hotfix 1). Machines were encrypted with EEPC 6.2, 7.0.2, and 7.0.3. New ePO server has DE 7.1.
We used the "Transfer Systems" option, which worked well. We were not using the "add local domain users" option on the old server, but we turned it on (on the new server) for the migration, and this maintained the users and passcodes/tokens.
The DE 7.1 on the new ePO server can manage the older versions of EEPC with no trouble. We are slowly upgrading the machines to DE 7.1 now. We found that some machines need a BIOS upgrade before the new version (7.1) will work properly.
Hope this helps!
That's very interesting info, thanks.
Is there any chance you could list what models and BIOS version you had to upgrade to, and how did you find out they needed upgraded - pre-boot smart check or just by deploying? (Last time I upgraded the BIOSes of our encrypted machines was when we initially deployed 6.0.2 (?) and I'm concerned as some are quite old.)
Thanks very much.
We found issues with the Dell Latitude E6410, anything lower than BIOS A11 had issues. We were upgrading them from EEPC 6.2 to EEPC 7.0.3, and then to DE 7.1. The issue occurred when we went from 6.2 to 7.0.3.
I had a similar scenario; like the documents state, it is not supported. What I had noticed is that ePO and the clients will not process user assignments for a few agent-server communications. The device will retain the current assignments in the PBFS until user assignments are processed between ePO and the client.
Here is one way to validate:
- Assign 4 users to a system in server 1.
- Make sure the assignments get to the client.
- Transfer the endpoint to server 2.
- Now that the system is homed to server 2, look at the assigned users in ePO.
- Review assignments on the client.
- Allow for a few agent-server communications and review the assignments in ePO.
What I have found is that since it is a new system, there are no users natively assigned to new systems. If your policy is set to auto assign, that is another story.
Remember, users are assigned from server to client, not client to server.
Also, keep in mind the user token. Once users are re-assigned, since this is a new ePO server their token data does not carry over. This means users will need to recreate passwords and recovery options.
Thanks for that info. Much appreciated
Thanks all for your replies.
Some with very similar circumstances and very helpful answers and tips.