8 Replies Latest reply on Aug 24, 2015 8:30 AM by SafeBoot

    Encryption client upgradation/migration


      Hello Techies,


      One of our customers has an old ePO configuration (4.6.2) with 6.1.3 Encryption installed. Now the customer wants to upgrade the complete ePO architecture.

      The new ePO build has all the latest extensions, including Drive Encryption, File and Folder, DLP, VSE, HIPS etc.


      Now, is there any way to migrate the 6.1.3 systems to the new 7.1.1 version without losing encryption status?

        • 1. Re: Encryption client upgradation/migration
          Sathish L

          Please refer to the following information:


          McAfee Drive Encryption latest release build:

          McAfee Drive Encryption 7.1.3 Release Notes: PD25903


          This release was developed for use with:

          McAfee ePolicy Orchestrator 4.6.7, 4.6.8, 4.6.9

          McAfee ePolicy Orchestrator 5.1, 5.1.1, 5.1.2, 5.3


          Supported EEPC to DE upgrade paths: KB79422

          • 2. Re: Encryption client upgradation/migration

            I have tried the below and surprisingly it's working: around 9 systems so far, and counting, with around 90 more almost done.


            I had 2 ePO servers:

            1. ePO 4.6.2 with Drive Encryption 6.1.3

            2. ePO 5.1.2 with Drive Encryption version 7.1.2 (ePO extension) and client package 7.1.1


            I took one system from the old ePO and just installed the ePO agent from the new server; this system moved to the new ePO and uploaded all the required information to the new ePO server, including encryption status. I checked the encryption logs on the client system and they say that the encryption key info was sent to the new ePO server.

            I am surprised by this, and tried different systems and it's working fine.


            After that I ran the Drive Encryption 7.1.1 client task and the systems got upgraded to the latest version.

            One piece of info I would like to share: the 6.1.3 clients have $autoboot$ enabled; they enabled this option some time ago while a different vendor was working with them. But in the new ePO I have set the ALDU option, so I am not sure whether this Autoboot option makes any difference here.


            Unfortunately I tried this before the 7.1.3 release.


            I am still surprised by this, but it's working....


            Thanks, Satish

            • 3. Re: Encryption client upgradation/migration
              Sathish L

              McAfee Drive Encryption 7.1.2 does not support migration of managed encrypted systems from one ePolicy Orchestrator server to another, because the encryption key will not be transferred to the new ePO server; this is a product limitation up to MDE 7.1.2 (client version 7.1.1).


              I would like to inform you that after moving an encrypted system from one ePolicy Orchestrator server to another, the existing encryption key will never be moved to the new ePO server; rather, it will get re-populated from the encrypted client machine at the next successful Agent to Server Communication Interval (ASCI), and technically it is not possible to move the Drive Encryption users along with their passwords.

              However, Drive Encryption 7.1.3 (and above) provides the McAfee ePO administrator with a new capability to allow systems to be transferred from one McAfee ePO server to another whilst preserving user assignments and user data. If the feature is enabled, a system installed with Drive Encryption 7.1.3 (or above) will detect a server change, and request that the new Drive Encryption 7.1.3 (or above) managing server automatically assigns users to the system within the context of the new managing server. Once the assignment is successful, the system will send its user token data up to the new managing server.


              I would request you to refer to the following information:


              Statement regarding the migration of managed encrypted systems from one ePolicy Orchestrator server to another: KB83186

              The client transfer between ePO servers guide for McAfee Drive Encryption 7.1.3: PD25905


              • 4. Re: Encryption client upgradation/migration

                Correct, Satish.

                I still haven't tested 7.1.3, but will try and update.

                But the fact is that this scenario is working on our client side, described as follows.


                1. The older version had the autoboot option and users were not getting prompted for PBA, but after deploying the new version with the ALDU option enabled, users are getting prompted and are able to log in.


                2. I have not done any System Transfer by registering 2 ePOs; it's just a new installation of the ePO agent and then the MDE client task to upgrade 6.1.3 to 7.1.1.


                I will post the result of the 7.1.3 migration here.


                Thank you.

                • 5. Re: Encryption client upgradation/migration

                  Update for "I still haven't tested 7.1.3, but will try and update."


                  The client migration is working fine with the 7.1.3 version as well; almost 90 systems migrated, and it seems to be fine.

                  • 6. Re: Encryption client upgradation/migration

                    Actually, you are right that migration does not support moving the key between servers, but as bhautik found, the machines will auto-populate the key if it's missing.


                    The risk is the window between migrating and the key being sent: the machine is irrecoverable from the new ePO server until that happens (but you still have the old server?).


                    You are right that user migration is not possible, but since they are not using users, they are storing the encryption key on the drive itself, so that's not a problem.

                    • 7. Re: Encryption client upgradation/migration

                      Thank you Simon.


                      One more thing I would like to share: recently we have got some projects to migrate the 5.x version to 7.1.3, and I did the same exercise with a little extra care and some extra steps, and it resulted in successful migration of the systems. We need to be careful at the restart point, and then, as you said, the system will auto-populate the key.


                      Thank you.

                      • 8. Re: Encryption client upgradation/migration

                        Yup. Should work fine; just be really careful about partially encrypted machines. I'm not sure if 7 takes that into account.


                        Luckily v5 lets you get at the crypt info using the API, so you can easily script some protection.
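The two risks raised in replies 6 and 8 (the window before a migrated client has re-populated its key on the new server, and partially encrypted disks) lend themselves to a simple cutover gate. The script below is an added example written for this thread; it is not McAfee code and does not use the ePO or v5 API. It reads two constructed CSV exports standing in for a state export from the old server and a key report from the new one. The column names (`enc_state`, `pct_encrypted`, `key_received`, `last_asci`) and the system names are assumptions; a real ePO query or report will name them differently, so map the real columns onto these before using the logic.

```python
"""Cutover gate for an ePO-to-ePO Drive Encryption migration.

Added example, not from the thread and not a McAfee tool. The two CSV exports
below are constructed; column names are assumptions and must be mapped from
whatever the real ePO/DE report exports.
"""
import csv
import io

# Constructed export from the OLD server: encryption state before migration.
OLD_SERVER_EXPORT = """\
system,enc_state,pct_encrypted
LAPTOP-001,encrypted,100
LAPTOP-002,partial,47
LAPTOP-003,encrypted,100
LAPTOP-004,none,0
LAPTOP-005,encrypted,100
"""

# Constructed report from the NEW server: has each client re-populated its
# key after its first successful ASCI against the new server?
NEW_SERVER_EXPORT = """\
system,key_received,last_asci
LAPTOP-001,yes,2015-08-20T09:12:00
LAPTOP-002,yes,2015-08-20T09:15:00
LAPTOP-003,no,2015-08-20T09:20:00
LAPTOP-004,no,2015-08-20T09:22:00
"""

SAFE = "SAFE"                          # encrypted, key present on new server
HOLD_KEY_PENDING = "HOLD_KEY_PENDING"  # encrypted, new server has no key yet
NOT_MIGRATED = "NOT_MIGRATED"          # encrypted, never checked in to new server
BLOCK_PARTIAL = "BLOCK_PARTIAL"        # encryption in progress: do not move yet
NO_KEY_NEEDED = "NO_KEY_NEEDED"        # not encrypted, nothing to lose


def parse_export(text):
    """Parse a CSV export into {system_name: row_dict}."""
    return {row["system"]: row for row in csv.DictReader(io.StringIO(text))}


def classify(old_row, new_row):
    """Decide the migration status of one system from both servers' views."""
    state = old_row["enc_state"].strip().lower()
    pct = int(old_row["pct_encrypted"])
    # A partially encrypted disk is the case reply 8 warns about: hold it
    # until encryption has finished (or been rolled back) on the old server,
    # even if the new server already reports a key for it.
    if state == "partial" or 0 < pct < 100:
        return BLOCK_PARTIAL
    if state == "none":
        return NO_KEY_NEEDED
    # Fully encrypted: the old server must stay up until the new one has the key.
    if new_row is None:
        return NOT_MIGRATED
    if new_row["key_received"].strip().lower() != "yes":
        return HOLD_KEY_PENDING
    return SAFE


def cutover_report(old_text, new_text):
    """Return {system: status} for every system known to the old server."""
    old = parse_export(old_text)
    new = parse_export(new_text)
    return {name: classify(row, new.get(name)) for name, row in old.items()}


def old_server_retirable(report):
    """True only when no encrypted system still depends on the old server."""
    blocking = {HOLD_KEY_PENDING, NOT_MIGRATED, BLOCK_PARTIAL}
    return not any(status in blocking for status in report.values())


if __name__ == "__main__":
    report = cutover_report(OLD_SERVER_EXPORT, NEW_SERVER_EXPORT)
    for name, status in sorted(report.items()):
        print(f"{name:12} {status}")
    print("old server retirable:", old_server_retirable(report))
```

Run against the constructed data, LAPTOP-001 is the only system that is safe to leave behind; LAPTOP-003 is in the risky window (checked in, key not yet received), LAPTOP-005 has never reported to the new server, and LAPTOP-002 is blocked as partially encrypted regardless of what the new server reports, so the gate refuses to retire the old server. The same report can be re-run after each ASCI cycle until it clears.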