Replacing third party encryption with bitlocker.

Ahmed Sh 60 Reputation points
2024-05-22T12:40:56.4366667+00:00

Hello All, I wanted to know if possible to use double encryption i.e. deploy bitlocker while having a third party encryption for drives enabled already.

The idea is to deploy bitlocker for devices with third party encryption such as symantecs drive encryption then phasing out symantecs encryption later. Is that supported and if so, How do we go about it?

We have tested already using bitlocker while symantecs is enabled and after restarting, as soon as we get past the symantecs login screen, Bitlocker recovery screen is shown and we have to use the key. 

Also D drive does not seem to get encrypted even though full disk encryption is on in the policy and D is not a system drive. maybe because Symantecs encryption  is still enabled? or pending decryption?

The settings mainly used are for silent enablement(allow third party warning: disabled).

I would appreciate if you have the best practice for similar scenarios.

Windows 10
Windows 10
A Microsoft operating system that runs on personal computers and tablets.
10,932 questions
Windows 11
Windows 11
A Microsoft operating system designed for productivity, creativity, and ease of use.
8,602 questions
Microsoft Intune
Microsoft Intune
A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.
4,570 questions
0 comments No comments
{count} votes

Accepted answer
  1. Pavel yannara Mirochnitchenko 12,371 Reputation points MVP
    2024-05-22T17:26:09.91+00:00

    I highly doubt you could place one encryption on top of other. You should first deactive and decrypt existing cryption mechanizm and then push another. Easier would be just leave old encryption (if licenses makes this possible for you) and later recycle that hardware, and new hardware for users would be encrypted with Bitlocker. Unless you have a good automated mechanizm with Symantec to decrypt the drivers with scripts.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Hania Lian 9,691 Reputation points Microsoft Vendor
    2024-05-24T07:56:58.54+00:00

    Hello,

    Double encryption isn’t typically recommended because it may create conflicts or slow down your system due to the overhead of encrypting and decrypting data twice. BitLocker not encrypting the D drive could indeed be due to Symantec’s encryption. It is recommended to fully decrypt the drive with the third-party encryption tool before initiating BitLocker encryption.

    you can consider the following steps before phasing out Symantec drive encryption:

    Verify that the third-party encryption, Symantec, has completely and correctly encrypted the drive before initiating BitLocker.If you still decide to proceed with double encryption, backup important data then test on a group firstly.

    Best Regards,

    Hania Lian

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

  2. Ahmed Sh 60 Reputation points
    2024-05-27T06:47:41.3966667+00:00

    Regarding D drive encryption, Was getting the error below:

    Error: Group Policy prevents you from backing up your recovery password to Active Directory for this drive type. For more info. contact your system administrator.

    It did not work until I created a GPO for Fixed Data drives as mentioned in the below article.

    https://www.burgerhout.org/the-bitlocker-haadj-nightmare/

    -Had to later on add another to avoid the error above

    Do not forcefully unload the user registry at user logoff

    1. Logon to the application server as an administrator
    2. Run gpedit.msc
    3. Navigate to  Computer Configuration | Administrative Templates | System | UserProfiles
    4. Double-click on "Do not forcefully unload the user registry at user logoff" and change the setting from “Not Configured” to “Enabled”
    5. Reboot the server
    0 comments No comments