Unfortunately it is not possible to have MNE enforce an Enabled BitLocker policy when MDE is installed (even if not active); this is done to mitigate the possibility of accidental encryption by both MDE and BitLocker.
There are some options that you may be able to take:
- The MDE product guide has a section on manually uninstalling Drive Encryption from the client system with the optional command prompt parameters to prevent a restart after uninstalling. You could write and deploy a script to perform this task before activating with MNE.
- Activating MNE should only require a restart if the policy option "Enable hardware test" is enabled. In MNE 4.1 this policy option is under the BitLocker advanced settings section. Turning this off would allow BitLocker to activate without a restart. Note: The policy suggests that hardware test should be enabled when enabling enhanced PIN support when authenticating with TPM and PIN.
I did try disabling the "enable hardware test" option, but when I did, many of the systems that had MDE using the TPM prompted for BitLocker recovery at the next reboot. I had to re-enable that option to avoid having to do BitLocker recoveries, but that added an extra reboot.
There seems to be an issue with switching TPM from MDE to MNE without doing the hardware test.
Is there anything that can be done to force MDE to give up or reset the TPM during the deactivation process so it is fully available when MNE starts re-encrypting the drive?
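A pre-flight check that can be run on each client before the MDE-to-MNE switch, as an added example that is not part of this thread and not McAfee's own tooling. It uses only the built-in Windows cmdlets (Get-Tpm from the TrustedPlatformModule module, Get-BitLockerVolume and Backup-BitLockerKeyProtector from the BitLocker module) to record whether the TPM is present and ready, what state the OS volume and its key protectors are in, and whether a recovery password protector has been escrowed to Active Directory before anything hands the TPM over. The mount point, the AD escrow assumption and the exit-code convention are assumptions for this example; it does not detect or remove MDE itself.

```powershell
# Added example (not from the thread): pre-flight check before the MDE -> MNE/BitLocker switch.
# Run elevated. Reports TPM readiness and BitLocker state and tries to escrow any recovery
# password to AD DS so an unexpected recovery prompt after the switch is survivable.
param(
    [string]$MountPoint = 'C:'   # assumed OS volume; adjust per environment
)

$report = [ordered]@{ Computer = $env:COMPUTERNAME }

# 1. TPM state: BitLocker under MNE needs a present, enabled and ready (initialised) TPM.
$tpm = Get-Tpm
$report.TpmPresent = $tpm.TpmPresent
$report.TpmEnabled = $tpm.TpmEnabled
$report.TpmReady   = $tpm.TpmReady

# 2. BitLocker state on the OS volume and the protector types currently attached to it.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$report.VolumeStatus     = $vol.VolumeStatus
$report.ProtectionStatus = $vol.ProtectionStatus
$report.KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','

# 3. If a RecoveryPassword protector exists, escrow it to AD DS before the TPM binding changes.
#    Assumes a domain-joined client with AD recovery-information backup allowed by policy.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
$report.RecoveryEscrowed = $false
if ($recovery) {
    try {
        foreach ($kp in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
        $report.RecoveryEscrowed = $true
    } catch {
        $report.EscrowError = $_.Exception.Message
    }
}

# 4. Collect blockers: anything here should be fixed before MNE activation is attempted.
$blockers = @()
if (-not $tpm.TpmPresent) { $blockers += 'No TPM present' }
if (-not $tpm.TpmEnabled) { $blockers += 'TPM disabled in firmware' }
if (-not $tpm.TpmReady)   { $blockers += 'TPM not ready (initialise/clear ownership via firmware or tpm.msc)' }
if ($vol.VolumeStatus -ne 'FullyDecrypted' -and -not $report.RecoveryEscrowed) {
    $blockers += 'Volume not fully decrypted and no recovery password escrowed'
}
$report.Blockers = if ($blockers.Count) { $blockers -join '; ' } else { 'none' }

[pscustomobject]$report | Format-List

# Assumed convention: non-zero exit lets a deployment tool skip the MNE activation step on this host.
if ($blockers.Count) { exit 1 } else { exit 0 }
```

Running this as a pre-task in the same deployment that uninstalls MDE gives a per-host record of the TPM and volume state before the switch, which is what you need when deciding whether the extra reboot from "Enable hardware test" can be dropped for a given batch of machines, and which hosts would otherwise land in BitLocker recovery without an escrowed key.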