I was asked to complete a task that I thought wasn't possible: my client wanted to upgrade a Windows 7 machine encrypted with McAfee Drive Encryption to a Windows 10 machine encrypted with BitLocker.
No problem, until I was told the requirements.
- Has to be zero touch
- Decrypting the machine and then removing McAfee was not an option; there could not be a long period of time during which the machine was unencrypted.
An in-place upgrade was not an option either, as we cannot switch from McAfee to BitLocker without decrypting first and then encrypting with BitLocker, which would not meet the client's requirements.
So I found a great article and process from Mike Terrill, Unloading a Disk Filter Driver in WinPE, which describes a process that would allow me to remove McAfee encryption inside WinPE, wipe the drives and move forward with a bare metal build.
1. Preparing the Windows PE images (Boot image) – From McAfee PDF
The Windows PE environment is used for installing or refreshing operating systems. The McAfee Drive Encryption driver has to be included within the Windows PE image so the encrypted drive can be accessed by the installer. If you are planning to refresh for both 32-bit and 64-bit systems, then you will require two independent PE images, one for 64-bit and one for 32-bit respectively. To do this the procedure is the same as injecting the McAfee Drive Encryption drivers and registry amendments into an Operating System WIM file.
Prior to running the EpeWinUpgrade Tool, extract the following files from the MfeEEPC32.msi (for 32-bit systems) or the MfeEEPC64.msi (for 64-bit systems).
Note: The drivers are the same for both the Operating System injection and the Boot Image injection:
Place these files within a folder located in a convenient location.
Example – C:\Drivers
From a command line run the following command for x64 architecture:
Example – EpeWinUpgradeTool64.exe -inject C:\drivers C:\BOOTWIMFILE.wim
This will inject the McAfee Drive Encryption drivers and make the necessary registry amendments in the target WIM file. Once complete the WIM file can either be imported into the SCCM/MDT environment or have its contents re-distributed to the distribution points within SCCM/MDT.
It is also required to place a copy of the EpeWinUpgradeTool into the boot image. If the image is 32-bit use the EpeWinUpgradeTool.exe; if the image is 64-bit use the EpeWinUpgradeTool64.exe.
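The following script is an added example (not from the original post or the McAfee PDF) of how to carry out step 1 end to end: inject the extracted drivers into a copy of the boot WIM with the -inject command quoted above, then mount the WIM with DISM and place the upgrade tool inside it. The paths, the choice to work on a copy of the WIM, and the location of the tool inside the image (Windows\System32, which is on the WinPE PATH) are assumptions.

```powershell
# Added example: prepare an x64 boot image for McAfee Drive Encryption.
# Run elevated on a machine with the Windows ADK (DISM module) installed.
param(
    [string]$DriverSource = 'C:\Drivers',                      # files extracted from MfeEEPC64.msi (assumed location)
    [string]$BootWim      = 'C:\BootImages\boot.wim',          # exported SCCM/MDT boot image (assumed location)
    [string]$Tool         = 'C:\Drivers\EpeWinUpgradeTool64.exe',
    [string]$MountDir     = 'C:\Mount\BootWim'
)
$ErrorActionPreference = 'Stop'

# Work on a copy so a failed injection never corrupts the production boot image.
$workWim = Join-Path (Split-Path $BootWim) 'boot-mfe.wim'
Copy-Item -Path $BootWim -Destination $workWim -Force

# 1. Inject the drivers and registry amendments into the (unmounted) WIM.
& $Tool -inject $DriverSource $workWim
if ($LASTEXITCODE -ne 0) { throw "EpeWinUpgradeTool64 -inject failed with exit code $LASTEXITCODE" }

# 2. Mount the image and copy the x64 tool into it (the PDF requires the tool
#    itself to be present in the boot image). Save only if everything succeeded,
#    otherwise discard the mount so no half-edited image is committed.
New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
Mount-WindowsImage -ImagePath $workWim -Index 1 -Path $MountDir | Out-Null
$committed = $false
try {
    Copy-Item -Path $Tool -Destination (Join-Path $MountDir 'Windows\System32') -Force
    $committed = $true
}
finally {
    if ($committed) { Dismount-WindowsImage -Path $MountDir -Save | Out-Null }
    else            { Dismount-WindowsImage -Path $MountDir -Discard | Out-Null }
}

Write-Host "Boot image ready: $workWim"
Write-Host 'Import it into SCCM/MDT (or redistribute its contents to the distribution points).'
```

Repeat the same steps with EpeWinUpgradeTool.exe and MfeEEPC32.msi for a 32-bit boot image; the two images must stay separate.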
2. Update your Task Sequence to Temporarily Unlock McAfee Encryption
Update your Task Sequence to include the steps that temporarily unlock McAfee Encryption for the reboot into WinPE. On MBR systems a set of commands has to run in the full Windows OS before rebooting into WinPE; on GPT systems this is not required.
Create steps to copy the required registry files and the EpeWinUpgradeTool64.exe tool to the root of the C drive. I created a package that contained the required files and used the following steps to copy the files to the correct location:
Task Sequence Group: Prepare MBR Drive
Task Sequence Group: Copy EEP Files to C (MBR)
- Copy Reg Files to C (MBR)
- Copy WinUpgrade Tool to C
Task Sequence Group: Prepare Drive (MBR)
- Shutdown McAfee EEPC Service
Commandline: SC Stop "McAfee Endpoint Encryption Agent"
- Save EEPC MBR
Commandline: c:\EpeWinUpgradeTool64.exe -SaveMBR C:\EpeMBR.dat
- Unlock the MBR
Commandline: c:\EpeWinUpgradeTool64.exe -setfilelocks unlock
- Unhide Safeboot Files
Commandline: Attrib -r -s -h c:\safeboot.*
- Force-Restore MBR
Commandline: c:\EpeWinUpgradeTool64.exe -forceMBR c:\EpeMBR.dat
Task Sequence Group: Restart Computer
- Restart Computer
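As an added example (not from the original post), the "Prepare MBR Drive" group above can be collapsed into one Run PowerShell Script step with the checks a practitioner wants before letting the machine reboot into WinPE: skip the whole group on GPT disks, stop the agent only if it is running, fail the step on any non-zero exit code, and verify the MBR backup exists before the MBR is touched. The tool invocations are the ones listed above; the GPT detection via Win32_DiskPartition (chosen because the Storage module is not available on Windows 7) and the file locations are assumptions.

```powershell
# Added example: "Prepare MBR Drive" as a single checked script.
# Runs elevated in the full Windows 7 OS, before the Restart Computer step.
# Written for PowerShell 2.0 (Windows 7 default).
$ErrorActionPreference = 'Stop'
$tool   = 'C:\EpeWinUpgradeTool64.exe'   # copied to C:\ by the package step
$mbrBak = 'C:\EpeMBR.dat'

function Invoke-Checked([string]$Exe, [string[]]$Arguments) {
    # Run an external command and fail the task sequence step on a non-zero
    # exit code so we never reboot into WinPE with a half-prepared disk.
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') returned $LASTEXITCODE" }
}

# GPT systems do not need this preparation. Win32_DiskPartition.Type starts
# with "GPT:" for partitions on a GPT disk (assumption: OS is on disk 0).
$parts = Get-WmiObject -Class Win32_DiskPartition -Filter 'DiskIndex = 0'
if ($parts | Where-Object { $_.Type -like 'GPT*' }) {
    Write-Host 'Disk 0 is GPT; MBR preparation not required.'
    exit 0
}

# 1. Shutdown McAfee EEPC Service (match on service name or display name).
$name = 'McAfee Endpoint Encryption Agent'
$svc  = Get-Service | Where-Object { $_.Name -eq $name -or $_.DisplayName -eq $name }
if ($svc -and $svc.Status -ne 'Stopped') {
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
}

# 2. Save EEPC MBR, and prove the backup was written before going any further.
Invoke-Checked $tool @('-SaveMBR', $mbrBak)
if (-not (Test-Path $mbrBak) -or (Get-Item $mbrBak).Length -eq 0) {
    throw "MBR backup $mbrBak was not written; aborting before the MBR is modified."
}

# 3. Unlock the MBR and unhide the SafeBoot files.
Invoke-Checked $tool @('-setfilelocks', 'unlock')
attrib -r -s -h 'C:\safeboot.*'

# 4. Force-restore the MBR from the backup; the task sequence then restarts into WinPE.
Invoke-Checked $tool @('-forceMBR', $mbrBak)
Write-Host 'MBR prepared; continue with Restart Computer.'
```

Because the script exits 0 on GPT disks, the same step can run unconditionally in both BIOS and UEFI task sequence branches.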
3. Remove McAfee Encryption in WinPE
Task Sequence Group: Install Operating System
Task Sequence Group: Update WinPE
- Copy Devcon x64 and Scripts to WinPE
Task Sequence Group: McAfee Removal
Task Sequence Group: Take Disk Offline
- Diskpart Offline
Contents of takeoffline.txt
Task Sequence Group: Remove McAfee Filter
- Remove McAfee DiskFilter
- Restart IDE Drives
- Restart SCSI Drives
Task Sequence Group: Take Disk Online
- Diskpart Online
Contents of takeonline.txt
Task Sequence Group: Partition Disk
- Partition Disk 0 – BIOS
- Partition Disk 0 – UEFI
Task Sequence Step: Pre-provision BitLocker
Task Sequence Group: Apply Image and Settings
Add your steps for applying the Windows image and all of your settings, configurations, applications, etc.
Task Sequence Step: Enable BitLocker
FULL TASK SEQUENCE
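The following is an added example (not from the original post or Mike Terrill's article) of the "McAfee Removal" group in section 3 as one PowerShell script for WinPE: take the disk offline with diskpart, remove the disk filter, restart the disk devices with devcon, and bring the disk back online. It assumes the WinPE-PowerShell optional component is in the boot image, that devcon.exe sits next to the script, that the McAfee filter is registered as an upper filter of the DiskDrive class in the boot image's registry under the service name passed in $FilterName (the name is not given on this page and must be taken from your own injected boot image), and that devcon's "=DiskDrive" class selector is used to restart all disks in place of the separate IDE and SCSI steps above. Nothing here decrypts anything: once the filter is gone the disk only presents ciphertext, which is then partitioned away.

```powershell
# Added example: unload the McAfee disk filter in WinPE (Windows 10 ADK, PowerShell 5).
param(
    [Parameter(Mandatory=$true)][string]$FilterName,           # service name of the injected disk filter (assumed known)
    [string]$Devcon     = (Join-Path $PSScriptRoot 'devcon.exe'),
    [int]$DiskNumber    = 0
)
$ErrorActionPreference = 'Stop'
# GUID of the DiskDrive setup class; its UpperFilters value lists disk class filters.
$diskClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}'

function Invoke-Diskpart([string[]]$Lines) {
    # diskpart takes scripted commands only from a file, so build one on the fly.
    $script = Join-Path $env:TEMP 'dp.txt'
    Set-Content -Path $script -Value $Lines -Encoding ASCII
    & diskpart.exe /s $script | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "diskpart failed ($LASTEXITCODE): $($Lines -join '; ')" }
}

function Remove-UpperFilter([string]$Name) {
    # Remove $Name from the DiskDrive UpperFilters multi-string.
    # Returns $true if it was present (and is now gone), $false otherwise.
    $cur = (Get-ItemProperty -Path $diskClass -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
    if (-not $cur -or -not ($cur -contains $Name)) { return $false }
    $new = @($cur | Where-Object { $_ -ne $Name })
    if ($new.Count -gt 0) {
        Set-ItemProperty -Path $diskClass -Name UpperFilters -Value ([string[]]$new) -Type MultiString
    } else {
        Remove-ItemProperty -Path $diskClass -Name UpperFilters
    }
    return $true
}

# 1. Take Disk Offline: no volume may hold the filter's handles open while we rebuild the stack.
Invoke-Diskpart @("select disk $DiskNumber", 'offline disk')

# 2. Remove McAfee Filter, then restart every disk device so the device stack is
#    rebuilt without it (replaces the separate "Restart IDE/SCSI Drives" steps).
if (Remove-UpperFilter $FilterName) {
    & $Devcon restart =DiskDrive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "devcon restart =DiskDrive failed ($LASTEXITCODE)" }
} else {
    Write-Warning "$FilterName was not listed in UpperFilters; nothing removed."
}

# 3. Take Disk Online. The disk now exposes only the old ciphertext and can be
#    partitioned and pre-provisioned for BitLocker like any blank disk.
Invoke-Diskpart @("select disk $DiskNumber", 'online disk')
Write-Host "Disk $DiskNumber online without $FilterName; continue with Partition Disk."
```

Run it as a single Run PowerShell Script step in place of the Take Disk Offline, Remove McAfee Filter and Take Disk Online groups, with the Partition Disk and Pre-provision BitLocker steps unchanged after it.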