Statement regarding the migration of managed encrypted systems from one McAfee ePO server to another
Technical Articles ID:   KB83186
Last Modified:  1/15/2019


McAfee Drive Encryption (DE) 7.2.x

For details of DE supported environments, see KB79422.


This support statement is provided by the Product Management Team.

This article covers the scenario in which customers have an existing McAfee ePO server that manages DE-encrypted systems and want to migrate those systems to a different McAfee ePO server.
NOTE: DE 7.1 update 3 (7.1.3) and later give the ePO Administrator the capability to transfer systems from one McAfee ePO server to another while preserving user assignments and user data. For more information, see the following documentation:
  • PD25905 - Drive Encryption 7.1 update 3 Client Transfer Migration Guide
  • PD26656 - Drive Encryption 7.2 Client Transfer Migration Guide
  • PD27693 - Drive Encryption 7.2.5 Client Transfer Migration Guide
  • To migrate the user details according to the process in these documents, both McAfee ePO servers must reside in the same domain.
  • If you need to move encrypted systems between McAfee ePO servers that reside in different domains, see KB83802.

The following information applies to releases before DE 7.1 update 3:

  • If the original McAfee ePO server also managed DE systems, migrating those systems to another McAfee ePO server was not supported before DE 7.1.3 because of DE and ePO limitations.
  • With these earlier releases, McAfee strongly recommends that you first try to repair the current McAfee ePO server or database if it has failed, rather than migrate.
  • This statement applies both to the ePO Transfer Systems feature and to the advice in KB79283, which covers how to transfer or move computers from one McAfee ePO server to another.
The following scenarios are often seen in ePO environments:
  • The McAfee ePO server hardware needs to be upgraded to manage more systems.
  • A later version of ePO is released and a fresh installation on a new server is preferred to an in-place upgrade.
  • The current McAfee ePO server has issues that require a new McAfee ePO server to be built and the system data transferred to it.
Issues after migrating
An initial migration might not show any issues, but there are caveats to consider, because issues can materialize after the ePO migration:
  • Tags, policies, and tasks assigned to a single system, audit and reporting information, and System Tree location are not transferred.
  • McAfee ePO server configurations are not transferred. Any value that was changed from its default on the original server must be set again on the new server. For example:
    • Policy Assignment Rules
    • Server Tasks
    • LDAP attributes
    • PBFS size
    • Simple words
    • Custom themes
  • The Drive Encryption Product policy cannot be transferred from one McAfee ePO server to another, because the policy contains the ePO Public Key of that specific McAfee ePO server and the client uses it to protect its recovery data. Transferring the policy results in the computer and its Recovery Key being encrypted with the wrong key (the original server's public key, for which the new server holds no matching private key), which removes the ability to perform a client-side recovery.

    NOTE: For information about an issue where the Admin Recovery challenge code input returns a node name from a different client, see KB82120.
  • The User Based Policy (UBP) setting in the DE: Users query must be set again for every user who needs it.
  • User and Security Group assignments made at a Group level for Encryption Users must be re-created.
  • The client computer must receive an Active/Encrypted policy when it first connects to the new server; otherwise it starts decrypting. McAfee does not recommend applying an active or encrypted policy to all systems in the environment, because that risks accidental activation on unintended systems, such as servers.
After a client begins to communicate with the new McAfee ePO server, its Machine ID in the ePO database changes. When DE on the client notes this change, the client uploads its encryption key to the new McAfee ePO server.

IMPORTANT: None of the following data values are transferred from the original McAfee ePO server to the new McAfee ePO server, which is why this migration is unsupported with these ePO and DE releases:
  • User assignments
  • Token data
  • Single Sign On data
Add Local Domain Users (ALDU) assigns domain users to the new machine object in ePO in only one case: when the client system or the DE service restarts before the system receives and completes a policy enforcement from the new McAfee ePO server. A full ALDU run takes place only after a service restart; every ALDU run after that first post-restart run is incremental and adds only domain users who have never logged on to the system before. All users that were assigned directly to the system are removed.
