Product guide
What happens to the Machine Key when you delete an Endpoint Encryption active system from ePolicy Orchestrator?
The Machine Key remains in the ePolicy Orchestrator database; however, the key association with the client system is lost when the client system is deleted from ePolicy Orchestrator. When the client system reports back to ePolicy Orchestrator during the next ASCI (agent-to-server communication interval), it appears as a new node. A new node has no users assigned to it, so the administrator must assign users to allow logon, or enable the Add local domain user option in the Product Setting Policy. The administrator must also configure the required policies in ePolicy Orchestrator.
The next data channel communication after adding the users and configuring the policies ensures that:
• The Machine Key is re‑associated with the client system and the recovery key is available. When the associated Machine Key is not present for the new node, ePolicy Orchestrator sends a Machine Key request. If a user is logged on to the client system, an agent-to-server communication between the client and the McAfee ePO server updates the Machine Key in ePolicy Orchestrator and the users on the client. Thereafter, the Machine Key is available, and admin recovery and policy enforcement work.
• The users are assigned to the client system, so these users can log on to the client system straight away.
What happens to Machine Keys when transferring a client system from one McAfee ePO server to another?
The Machine Key remains in the ePolicy Orchestrator database; however, the key association with the client system is lost when the client system is transferred from one McAfee ePO server to another.
When a transferred client system reports back to ePolicy Orchestrator during the next ASCI, it appears as a new node and therefore has no users assigned to it. The administrator must assign users to allow logon, assign administrative users to the McAfee ePO branch where the systems are added (by default Lost&Found), or enable the Add local domain user option in the Product Setting Policy. The administrator must also configure the required policies in ePolicy Orchestrator.
To transfer all systems between McAfee ePO servers, the best process is to follow the ePO Disaster Recovery process. For more information, refer to the KnowledgeBase article https://kc.mcafee.com/corporate/index?page=content&id=KB66616.
The next data channel communication after adding the users and configuring the policies ensures that:
• The Machine Key is re‑associated with the client system and the recovery key is available. When the associated Machine Key is not present for the new node, ePolicy Orchestrator sends a Machine Key request. If a user is logged on to the client system, an agent-to-server communication between the client and the McAfee ePO server updates the Machine Key in ePolicy Orchestrator and the users on the client. Thereafter, the Machine Key is available, and admin recovery and policy enforcement work.
• The users are assigned to the client system, so these users can log on to the client system straight away.
What happens to Machine Keys when moving systems from one branch to another in ePolicy Orchestrator?
The LeafNode is not deleted from the ePolicy Orchestrator database when a system is moved from one branch to another in ePolicy Orchestrator, so the Machine Key remains available for that client system.
Operations and maintenance
Manage Machine Keys
McAfee Endpoint Encryption 7.0 Patch 1 Software Best Practices Guide