Zero Touch – McAfee to Bitlocker (Wipe and Load)


I was asked to complete a Task that I thought wasn’t possible, my client wanted to do an upgrade of a Windows 7 machine that was encrypted with McAfee to a Windows 10 machine that was encrypted with BitLocker. 

No problem, until I was told the requirements.

  1. Has to be Zero Touch
  2. Decryption of the machine, then removing McAfee was not an option, there couldn’t be a long period of time that the machine wasn’t encrypted.

In-Place Upgrade was not an option as we can not change from McAfee to BitLocker with encrypting first, then encrypting with BitLocker, which would not meet the requirements from the client.

So I found a great article and process from Mike Terrill, Unloading a Disk Filter Driver in WinPE, which described a process that I would allow me to remove McAfee encryption inside of WinPE, which would let me wipe the drives and move forward with a Bare Metal build.


1. Preparing the Windows PE images (Boot image)  – From McAfee PDF

The Windows PE environment is used for installing or refreshing operating systems. The McAfee Drive Encryption driver has to be included within the Windows PE image so the encrypted drive can be accessed by the installer. If you are planning to refresh for both 32‐bit and 64‐bit systems, then you will require two independent PE images, one for 64‐bit and one for 32‐bit respectively. To do this the procedure is the same as injecting the McAfee Drive Encryption drivers and registry amendments into an Operating System WIM file.

Prior to running the EpeWinUpgrade Tool extract the following files from the MfeEEPC32.msi (for 32bit systems) or the MfeEEPC64.msi (for 64bit systems).

Note: The drivers are the same for both the Operating System injection and the Boot Image injection:

▪ MfeEpePC.sys
▪ Mfeccde.sys
▪ MfeEpeOpal.sys

Place these files within a folder located in a convenient location.

Example – C:\Drivers

From a command line run the following command for x64 architecture:

Example – EpeWinUpgradeTool64.exe –inject C:\drivers C:\BOOTWIMFILE.wim

This will inject the McAfee Drive Encryption drivers and make the necessary registry amendments in the target WIM file. Once complete the WIM file can either be imported into the SCCM/MDT environment or have its contents re‐distributed to the distribution points within SCCM/MDT.

It is also required to place a copy of the EpeWinUpgradeTool into the boot image. If the image is 32‐bit use the EpeWinUpgradeTool.exe if the image is 64‐bit use the EpeWinUpgradeTool64.exe.

2. Update your Task Sequence to Temporarily Unlock McAfee Encryption


Update your Task Sequence to include the options to temporary unlock McAfee Encryption in WinPE.  For MBR systems you will need to run a set of commands in Windows prior to rebooting to WinPE, for GPT systems this is not required.

Create Steps to Copy the required Registry files and the EpeWinUpgradeTool64.exe tool to the root of the C Drive.  I create a package that contained the required files and used the following steps to copy the files to the correct location:

Task Sequence Group: Prepare MBR Drive


Task Sequence Group: Copy EEP Files to C (MBR)


  • Copy Reg Files to C (MBR)

    Commandline: cmd.exe /c xcopy “”lockedfiles.reg” c:\
  • Copy WinUpgrade Tool to C

    Commandline: cmd.exe /c xcopy “EpeWinUpgradeToo64.exe” c:\

Task Sequence Group: Prepare Drive (MBR)


  • Shutdown McAfee EEPC Service
    ShutdownEEPCServiceCommandline: SC Stop “McAfee Endpoint Encryption Agent”
  • Save EEPC MFBSaveEEPCMBRCommandline: c:\EpeWinUpgradeTool64.exe -SaveMBR C:\EpeMBR.dat
  • Unlock the MBRUnlockEPEFilesCommandline: c:\EpeWinUpgradeTool64.exe -setfilelocks unlock
  • Unhide Safeboot FilesUnhideEPEFIlesCommandline: Attrib -r -s -h c:\safeboot.*
  • Force-Restore MBRRestoreEPEMBRCommandline: c:\EpeWinUpgradeTool64.exe -forceMBR c:\EpeMBR.dat

Task Sequence Group: Restart Computer

  • Restart Computer


3. Remove McAfee Encryption in WinPE


Task Sequence Group: Install Operating System

Task Sequence Group: Update WinPE

  • Copy Devcon x64 and Scripts to WinPE
Commandline: xcopy *.* x:\windows\system32 /Q /Y /R

Task Sequence Group: McAfee Removal

Task Sequence Group: Take Disk Offline

  • Diskpart Offline
Commandline: xcopy *.* x:\windows\system32 /Q /Y /R

Contents of takeonffline.txt


Task Sequence Group: Remove McAfee Filter

  • Remove McAfee DiskFilter
Commandline: x:\windows\system32\devcon.exe classfilter diskdrive upper !MfeEpePc
  • Restart IDE Drives
Commandline: x:\windows\system32\devcon.exe restart ide\*



  • Restart SCSI Drives
Commandline: x:\windows\system32\devcon.exe restart scsi\*

Task Sequence Group: Take Disk Online

  • Diskpart Online
Commandline: These are the Default Settings, adjust to meet your environment

Contents of takeonline.txt


Task Sequence Group: Partition Disk

  • Partition Disk 0 – BIOS
These are the Default Settings, adjust to meet your environment
  • Partition Disk 0 – UEFI
These are the Default Settings, adjust to meet your environment

Task Sequence Step: Pre-provision BitLocker

These are the Default Settings, adjust to meet your environment

Task Sequence Group: Apply Image and Settings

Add your steps of applying your Windows Image and all of the settings, configurations, applications, etc.

Task Sequence Step: Enable BitLocker

These are the Default Settings, adjust to meet your environment




Download Sample Task Sequence


Mike Terrill | McAfee Documentation





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s