I highly doubt you could place one encryption on top of the other. You should first deactivate and decrypt the existing encryption mechanism and then push another. Easier would be to just leave the old encryption (if licenses make this possible for you) and later recycle that hardware, and new hardware for users would be encrypted with BitLocker. Unless you have a good automated mechanism with Symantec to decrypt the drives with scripts.
Replacing third-party encryption with BitLocker.
Hello all, I wanted to know if it is possible to use double encryption, i.e. deploy BitLocker while a third-party encryption for drives is already enabled.
The idea is to deploy BitLocker on devices with third-party encryption such as Symantec's Drive Encryption, then phase out Symantec's encryption later. Is that supported, and if so, how do we go about it?
We have already tested using BitLocker while Symantec's is enabled, and after restarting, as soon as we get past the Symantec login screen, the BitLocker recovery screen is shown and we have to use the key.
Also, the D drive does not seem to get encrypted even though full disk encryption is on in the policy and D is not a system drive. Maybe because Symantec's encryption is still enabled, or pending decryption?
The settings mainly used are for silent enablement (allow third-party warning: disabled).
I would appreciate it if you have best practices for similar scenarios.
-
Pavel yannara Mirochnitchenko 12,781 Reputation points MVP
2024-05-22T17:26:09.91+00:00
2 additional answers
-
Hania Lian 21,171 Reputation points Microsoft Vendor
2024-05-24T07:56:58.54+00:00 Hello,
Double encryption isn’t typically recommended because it may create conflicts or slow down your system due to the overhead of encrypting and decrypting data twice. BitLocker not encrypting the D drive could indeed be due to Symantec’s encryption. It is recommended to fully decrypt the drive with the third-party encryption tool before initiating BitLocker encryption.
You can consider the following steps before phasing out Symantec Drive Encryption:
Verify that the third-party encryption, Symantec, has completely and correctly encrypted the drive before initiating BitLocker. If you still decide to proceed with double encryption, back up important data, then test on a group first.
Best Regards,
Hania Lian
-
Ahmed Sh 80 Reputation points
2024-05-27T06:47:41.3966667+00:00 Regarding D drive encryption, I was getting the error below:
Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info. contact your system administrator.
It did not work until I created a GPO for Fixed Data drives as mentioned in the below article.
https://www.burgerhout.org/the-bitlocker-haadj-nightmare/
- Later I also had to add another one to avoid the error above:
Do not forcefully unload the user registry at user logoff
- Logon to the application server as an administrator
- Run gpedit.msc
- Navigate to Computer Configuration | Administrative Templates | System | User Profiles
- Double-click on "Do not forcefully unload the user registry at user logoff" and change the setting from “Not Configured” to “Enabled”
- Reboot the server
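As an added example (not code from any answer in this thread), a PowerShell pre-flight check that surfaces the two problems discussed above before BitLocker is enabled on a machine that still carries a third-party encryption product: whether the fixed data drive (D:) is actually protected, and whether the Group Policy values behind the "backing up your recovery password to Active Directory for this drive type" error and the "Do not forcefully unload the user registry" setting are present. The registry value names and the Symantec/PGP service-name pattern are assumptions drawn from the documented policy-backed values; confirm them against gpresult on your own build.

```powershell
# Added example: BitLocker pre-flight check on a host with third-party disk encryption.
# Assumed registry value names (policy-backed, verify with gpresult in your environment).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-PolicyValue([string]$Path, [string]$Name) {
    # Returns $null when the policy key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# 1. Volume state. The symptom from the question is a fixed data drive that stays at
#    0% with ProtectionStatus Off while the OS drive is already encrypted.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, EncryptionPercentage, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } } |
    Format-Table -AutoSize

# 2. Policies. A recovery/AD-backup policy scoped only to the OS drive does not cover
#    Fixed Data Drives; that gap produces the "this drive type" error from the answer above.
$checks = [ordered]@{
    'OS drive: recovery policy enabled'       = (Get-PolicyValue $fve 'OSRecovery') -eq 1
    'OS drive: AD backup required'            = (Get-PolicyValue $fve 'OSRequireActiveDirectoryBackup') -eq 1
    'Fixed drives: recovery policy enabled'   = (Get-PolicyValue $fve 'FDVRecovery') -eq 1
    'Fixed drives: AD backup enabled'         = (Get-PolicyValue $fve 'FDVActiveDirectoryBackup') -eq 1
    'Do not forcefully unload user registry'  = (Get-PolicyValue $sys 'DisableForceUnload') -eq 1
}
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'OK' } else { 'MISSING' }
    '{0,-42} {1}' -f $name, $state
}

# 3. Third-party pre-boot encryption still present? If a Symantec/PGP service is running,
#    decrypt with that product first rather than layering BitLocker on top (assumed name pattern).
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'PGP|Symantec' } |
    Select-Object Name, DisplayName, Status
```

Run it elevated; a MISSING line for the fixed-drive values or a running Symantec/PGP service is the condition to fix before any enablement policy is pushed.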