Product guide

node does not have any users assigned to the client system. The administrator must therefore assign
users to allow login, or enable the Add local domain user option in the Product Setting Policy. Also, the
administrator must configure the required policies in ePolicy Orchestrator.
The next data channel communication after adding the users and configuring the policies ensures that:
• The Machine Key is re-associated with the client system and the recovery key is available.
  When the associated Machine Key is not present with the new node, ePolicy Orchestrator sends a
  Machine Key request. If the user is logged on to the client system, an agent to server
  communication between the client and the McAfee ePO server ensures that the Machine Key is
  updated in ePolicy Orchestrator and the users are updated on the client. Thereafter, the Machine
  Key is available, and admin recovery and policy enforcement work.
• The users are assigned to the client system, so these users can log on to the client system
  straight away.
You cannot log on to the client system before a proper agent to server communication occurs. In this
situation, the re-association of the Machine Key can be performed using EETools. The recovery key is
also available; it can be used with the EETech tool to recover the client system.
For EETool details and procedures, refer to the HotFix Release Notes (Readme_HF 582699).
What happens to Machine Keys when transferring a client system from one McAfee ePO server to another?
The Machine Key remains in the ePolicy Orchestrator database; however, the key association with the
client system is lost when the client system is transferred from another McAfee ePO server.
When a transferred client system reports back to ePolicy Orchestrator during the next ASCI, it
appears as a new node and therefore does not have any users assigned to it. The administrator must
assign users to allow login, or enable the Add local domain user option in the Product Setting Policy. The
administrator must also configure the required policies in ePolicy Orchestrator.
To transfer all systems between McAfee ePO servers, the best process is to follow the ePO Disaster
Recovery process. For more information, refer to the KnowledgeBase article
https://kc.mcafee.com/corporate/index?page=content&id=KB66616.
The next data channel communication after adding the users and configuring the policies ensures that:
• The Machine Key is re-associated with the client system and the recovery key is available.
  When the associated Machine Key is not present with the new node, ePolicy Orchestrator sends a
  Machine Key request. If the user is logged on to the client system, an agent to server
  communication between the client and the McAfee ePO server ensures that the Machine Key is
  updated in ePolicy Orchestrator and the users are updated on the client. Thereafter, the Machine
  Key is available, and admin recovery and policy enforcement work.
• The users are assigned to the client system, so these users can log on to the client system
  straight away.
You cannot log on to the client system before a proper agent to server communication occurs. In this
situation, the re-association of the Machine Key can be performed using EETools. The recovery key is
also available; it can be used with the EETech tool to recover the client system.
For EETool details and procedures, refer to the HotFix Release Notes (Readme_HF 582699).
To export old (dissociated) Machine Keys from McAfee ePO 4.5, use EETools; from McAfee ePO 4.6,
use the ePO Scripting API.
Operations and maintenance
Manage Machine Keys
5
McAfee Endpoint Encryption for PC 6.2 Software Best Practices Guide
37