I'm trying to migrate MDE 7.1.3 encrypted systems to MNE 4.1.
Removal of MDE requires a restart and MNE encryption also requires a restart.
I want to avoid having to restart systems twice. Is there some way to coordinate this so that a single system restart handles both?
For instance, can I change the product settings policy for MDE to decrypt the drives, then have a client task automatically run to install MNE and uninstall MDE on systems where MDE is installed but the drive is decrypted, and then restart the computer to complete removal of MDE?
When I have installed MNE 4.1 in the past, it always asks for a system reboot before it will begin encryption.
I need MNE to "use" the restart that was done to complete the MDE 7.1.3 removal so that it doesn't ask to restart again before it begins BitLocker encryption.
Unfortunately, it is not possible to have MNE enforce an Enabled BitLocker policy when MDE is installed (even if not active). This is done to mitigate possibilities of accidental encryption by both MDE and BitLocker.
There are some options that you may be able to take:
I did try disabling the "enable hardware test" option, but when I did, many of the systems that had MDE using the TPM prompted for BitLocker recovery at the next reboot. I had to re-enable that option to avoid having to do BitLocker recoveries, but that added an extra reboot.
There seems to be an issue with switching TPM from MDE to MNE without doing the hardware test.
Is there anything that can be done to force MDE to give up or reset the TPM during the deactivation process so it is fully available when MNE starts re-encrypting the drive?