3 Replies Latest reply on Aug 24, 2016 2:51 PM by web1b

    Convert MDE Systems To MNE?

    web1b

      Due to the amount of hands-on labor it will take to upgrade Windows 10 systems from November Update to Anniversary Update this year and to upgrade again to all the future Windows 10 upgrades next year, we have found that MDE will no longer be a workable solution for us.

      We will either move to McAfee MNE or manage systems via Microsoft's MBAM or maybe use both if they can work together.

       

      What is the most efficient way to migrate away from MDE 7.1.3?

      My guess would be to change MDE policies to decrypt drives, then after drives are all decrypted, push deployment tasks to uninstall all MDE-related apps and deploy MNE with a BitLocker encryption policy.

      Does uninstalling MDE require a restart and, if so, can a single restart handle both uninstalling MDE and getting MNE ready to start encrypting with BitLocker?

        • 1. Re: Convert MDE Systems To MNE?
          davei

          Sounds about right.

          We can use tags (assess at each ASCI) to apply tags to machines which are at certain stages of the whole process, to automate the changing of policy and task assignments.

          E.g. change policy to decrypt.

          Then auto-tag Win10 laptops with MDE installed, but disks decrypted - this tag can be used in task assignment for a deployment task to uninstall MDE.

          Then e.g. auto-tag a Win10 laptop with no MDE, to catch an assignment of deployment task for MNE.

          Then obv when MNE is installed, the MNE policies will take effect.

          • 2. Re: Convert MDE Systems To MNE?
            dwebb

            Note that MBAM requires that you set up and manage multiple servers for different facets of the MBAM solution. By contrast, simply use ePO for MNE to provide a streamlined management experience.

            • 3. Re: Convert MDE Systems To MNE?
              web1b

              For a small environment, MBAM can be set up on a single physical server or virtual machine.

              With MBAM, you can easily suspend and re-enable BitLocker.

              MNE has no practical way to suspend BitLocker. It requires a very convoluted process of copying files to each system and running scripts manually to temporarily disable BitLocker for any OS upgrades and firmware updates.