Wondering how/what is the best way to decrypt a computer (encrypted with McAfee Drive Encryption) and then remove the product from the machine, either manually or through ePO.
McAfee Drive Encryption 7.1.3
McAfee Agent 5.0.1
I create 2 folders in the system tree, 1 to deactivate, with the MDE policy set to deactivate any devices placed in there (this needs to be done before you can decrypt).
The 2nd folder is used to decrypt, with a policy set to decrypt the machine.
So if I need to decrypt a device, I place it into the deactivate folder first and perform a wake-up call. Once I confirm that MDE is deactivated, I then move it to the Decrypt folder and perform a wake-up call to start the decryption process.
Set this in the decrypt policy (Product Settings)
Then set the following in the Deactivate policy (Product Setting)
Once done, you can remove MDE. Please note: make sure you do not have any deployment task set that could deploy MDE at any point. Hope that helps.
Sorry for the late reply. I'm just now getting around to trying this. How do I confirm when MDE is deactivated before I can start decrypting it?
I believe Steve means Disable when he is saying Deactivate Policy.
The policy is disabled by deselecting, in the policy under the General tab, the check box next to Enable Policy:
I use only one policy with the policy disabled under the General tab ↑
And None selected under the Encryption tab ↓
I apply the policy to the system from the ePO with a Tag and associated Policy Assignment Rule.
Once the machine is decrypted I remove the DE software, and when it is removed I remove the Decrypt policy Tag.
I was able to decrypt the machine after applying those settings. Afterwards, I ran a task to remove the MDE Go/Agent/Windows, but it keeps on failing on removing MDE Windows?
Are you removing MDE Windows before the Agent? I believe it is best practice to remove DE Windows, then remove DE Agent.
I have my system automated to not apply the Remove DE Agent tag until it sees that the machine no longer has DE Windows.