2 Replies Latest reply on Feb 6, 2017 8:34 AM by web1b

    MDE 7.1.3 to MNE 4.1 with only one system restart?


      I'm trying to migrate MDE 7.1.3 encrypted systems to MNE 4.1.

      Removal of MDE requires a restart and MNE encryption also requires a restart.

      I want to avoid having to restart systems twice.  Is there some way to coordinate this so that a single system restart handles both?


      For instance, can I change the product settings policy for MDE to decrypt the drives, then have a client task automatically run to install MNE and uninstall MDE on systems where MDE is installed but the drive is decrypted, and then restart the computer to complete removal of MDE?

      When I have installed MNE 4.1 in the past, it always asks for a system reboot before it will begin encryption.

      I need MNE to "use" the restart that was done to complete the MDE 7.1.3 removal so that it doesn't ask to restart again before it begins BitLocker encryption.

        • 1. Re: MDE 7.1.3 to MNE 4.1 with only one system restart?

          Unfortunately it is not possible to have MNE enforce an Enabled BitLocker policy when MDE is installed (even if not active). This is done to mitigate the possibility of accidental encryption by both MDE and BitLocker.

          There are some options that you may be able to take:

          1. The MDE product guide has a section on manually uninstalling Drive Encryption from the client system with the optional command prompt parameters to prevent a restart after uninstalling. You could write and deploy a script to perform this task before activating with MNE.
          2. Activating MNE should only require a restart if the policy option "Enable hardware test" is enabled. In MNE 4.1 this policy option is under the BitLocker advanced settings section. Turning this off would allow BitLocker to activate without a restart. Note: The policy suggests that hardware test should be enabled when enabling enhanced PIN support when authenticating with TPM and PIN.
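          As an added example that is not from this thread or from McAfee's documentation, the following PowerShell pre-flight check is the kind of gate a deploying admin could put at the front of the client task in option 1: it confirms that the scripted MDE removal has actually finished (uninstall entry gone, volume fully decrypted, no reboot still pending) and that the TPM is in a usable state before the MNE activation task is allowed to run. It assumes PowerShell 4 or later with the BitLocker and TrustedPlatformModule modules (Windows 8 / Server 2012 and later), administrative rights, and that the MDE uninstall entry's DisplayName contains "McAfee Drive Encryption"; that display-name match is an assumption, adjust it to what your ePO-deployed package registers.

```powershell
# Added pre-flight check, not part of the thread or of any McAfee product.
# Run on the client after the scripted MDE removal and before the MNE
# activation task; exit code 0 means "safe to activate", 1 means "stop".
# Requires an elevated session; Get-Tpm and Get-BitLockerVolume need admin.

param(
    [string]$MountPoint = 'C:',
    # Assumed DisplayName fragment of the MDE uninstall entry; adjust as needed.
    [string]$MdeDisplayNamePattern = 'McAfee Drive Encryption'
)

$problems = @()

# 1. MDE must be gone: check the uninstall registry in both the native and
#    the 32-bit (WOW6432Node) views.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$mde = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like "*$MdeDisplayNamePattern*" }
if ($mde) {
    $problems += "MDE still registered: $($mde.DisplayName -join ', ')"
}

# 2. The OS volume must be fully decrypted, not part-way through a state change.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.VolumeStatus -ne 'FullyDecrypted') {
    $problems += "$MountPoint is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
}

# 3. The TPM must be present, enabled and ready; otherwise a TPM protector
#    cannot be sealed and the first boot after activation lands in recovery.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmEnabled -and $tpm.TpmReady)) {
    $problems += "TPM not ready: present=$($tpm.TpmPresent) enabled=$($tpm.TpmEnabled) ready=$($tpm.TpmReady)"
}

# 4. A reboot still pending from the MDE uninstall means its components have
#    not been fully removed yet; activating now would race that cleanup.
$cbs   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
$wu    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$smgr  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
$pending = (Test-Path $cbs) -or (Test-Path $wu) -or ($null -ne $smgr.PendingFileRenameOperations)
if ($pending) {
    $problems += 'Reboot pending; MDE removal may not have completed'
}

if ($problems.Count -eq 0) {
    Write-Output "READY: $MountPoint decrypted, MDE removed, TPM usable; safe to run the MNE activation task"
    exit 0
}
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

          This only gates the activation; it does not change how MNE handles the hardware test. If the TPM check fails on a machine that MDE was previously using, that is the point at which to clear or re-provision the TPM (with the owner authorization or recovery material in hand) rather than letting the activation task proceed into a BitLocker recovery prompt at the next boot.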
          • 2. Re: MDE 7.1.3 to MNE 4.1 with only one system restart?

            I did try disabling the "enable hardware test" option, but when I did, many of the systems that had MDE using the TPM prompted for BitLocker recovery at the next reboot. I had to re-enable that option to avoid having to do BitLocker recoveries, but that added an extra reboot.

            There seems to be an issue with switching TPM from MDE to MNE without doing the hardware test.

            Is there anything that can be done to force MDE to give up or reset the TPM during the deactivation process so it is fully available when MNE starts re-encrypting the drive?