Move from McAfee Disk Encryption to Bitlocker

Question

We have been tasked to switch from McAfee to Bitlocker. For any new machines this will be fairly straightforward. However, we have to complete this with active machines with the following stipulations:

1. Machines are outside the walls of the business connected via VPN; they cannot be brought in
2. Machines must be decrypted for the least amount of time possible, no time at all if possible

What are the possibilities for solutions here? Has anyone done this transition in the field?

Answer 1

Hello there,

Done that 4 years ago for ~4000 remote laptops.

On a high level, the task sequence looks like this:

1. Prepare the windows environment for bitlocker. Be sure not to assign any configuration profiles (MEM) or GPOs (if controlled via GPO) to the endpoints just yet. Follow this post https://learn.microsoft.com/en-us/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies
2. Using McAfee EPO, create a decryption policy - you can check this post on actions to perform: https://communitym.trellix.com/t5/ePolicy-Orchestrator-ePO/Decrypt-Laptops-via-an-policy-on-the-ePO-Server/td-p/447965
3. Once a batch of laptops is decrypted (and rebooted), you can then assign the configuration profile (MEM) or GPO to the batch.
4. Verify the disks are encrypted via your endpoint management utility, verify the recovery keys are synced to AD or AAD (whatever you configured).

As for speed, unfortunately you will be limited by the size of the encrypted drives and the CPU/disk speeds. This will take hours, but users can still work/use their laptops while the operation completes. Normal shutdowns (user initiated, scheduled, updated, etc) do not affect this. The decryption will be paused and resumed when the system is operational again.

Before doing this en masse, test the task sequence with few test laptops to ensure that there is nothing preventing you from completing the process.

Regards,

Rosen

Answer 2

Hi @Eric Welshons

This is only a suggestion as it may make managing your Bitlocker environment a lot easier.

Quite honestly, I would wait until you have decided to move to managing devices through Intune MEM/AutoPilot. The reason I say this is because MEM has a nice integration with Bitlocker and managing Bitlocker keys.

Example of MEM and Bitlocker Recovery Keys:

I understand this isn't what you are exactly looking for but it may assist with your push to MEM vs SCCM.

----------------------------------

Your alternative is to disable mcafee encryption across your environment and push a PowerShell script via SCCM to encrypt your drives:

Create and run PowerShell scripts from the Configuration Manager console

https://learn.microsoft.com/en-us/mem/configmgr/apps/deploy-use/create-deploy-scripts

manage-bde

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/manage-bde

-------------------------------------

If this is helpful please feel free to accept answer.

Answer 3

Managing Bitlocker won't be the issue, but I thank you for your response. Our problem is the decrypt-encrypt phase in a way that makes our security team satisfied.

Answer 4

I had investigated this and done some testing. McAfee (now Trelix) offers a path to migrate to their Management of Native Encryption (Bitlocker) product.
KB82544 give some information. That document states "MNE can't enable BitLocker on a client system if DE is installed" that was overcome by upgrading MDE clients to v7.2.10.64 of MDE.
So that was the idea of getting them converted with least amount of decryted time. I did not get past this point to test moving the management of bitlocker out of epo.