Endpoint Encryption Forum

Project Engineer (Engineer II) at an energy/utilities company with 1,001-5,000 employees
Apr 29 2021

Hi, we're planning to replace PGP with Microsoft BitLocker for our endpoints. What aspects should we take into consideration during this move? 

Thank you!

reviewer1308339
Be sure to make a backup of useful data, then use the reverse decryption policy from the Symantec panel/McAfee ePO to decrypt the DE partitions, although it is sometimes more straightforward and faster to reinstall the machine(s) from scratch (especially for mechanical hard drives, which can take a day or two to decrypt). For uninstallation of the McAfee Agent and Encryption modules, it is advisable to use the McAfeeEndpointProductRemoval tool for greater ease and GUI simplicity as compared to batch command lines. When using BitLocker, make sure all your partitions per machine are encrypted, each with reference to a single unlock password for the C: drive, and do keep an offline record of the recovery key(s) for emergency purposes. Your replacement is a smart move because Windows BitLocker seldom or never requires any version control and product upgrades, but it then misses out on the centralized control offered by the Symantec panel or ePO Orchestrator.
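A check for the two BitLocker points above (every partition encrypted, recovery keys recorded offline), written as an added example and not part of the original reply. It assumes a Windows 10/11 host with the built-in BitLocker PowerShell module, an elevated session, and an assumed `$ExportPath` on removable media for the offline record.

```powershell
# Added example, not from the original forum post: audit BitLocker on every
# OS and fixed data volume, flag anything not fully protected, and collect the
# numeric recovery passwords for an offline record. Run elevated.
$ExportPath = "D:\bitlocker-recovery\$env:COMPUTERNAME.txt"   # assumed removable-media path

$report = foreach ($vol in Get-BitLockerVolume) {
    # Removable and unknown volume types are out of scope for the "all partitions" check
    if ($vol.VolumeType -notin @('OperatingSystem', 'Data')) { continue }

    # Recovery-password protectors are the ones worth keeping offline
    $recovery = $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'

    [pscustomobject]@{
        Volume           = $vol.MountPoint
        Type             = $vol.VolumeType
        Status           = $vol.VolumeStatus        # FullyEncrypted / FullyDecrypted / EncryptionInProgress
        Protection       = $vol.ProtectionStatus    # On / Off
        Percent          = $vol.EncryptionPercentage
        AutoUnlock       = $vol.AutoUnlockEnabled   # data volume unlocked by the C: drive, no second password
        RecoveryPassword = ($recovery.RecoveryPassword -join '; ')
    }
}

$report | Format-Table -AutoSize

# Anything listed here is not done yet and should block the PGP decommission
$gaps = $report | Where-Object { $_.Status -ne 'FullyEncrypted' -or $_.Protection -ne 'On' }
if ($gaps) {
    Write-Warning "Volumes not fully protected: $($gaps.Volume -join ', ')"
}

# Data volumes that still need their own password defeat the single-unlock-password goal
$manual = $report | Where-Object { $_.Type -eq 'Data' -and -not $_.AutoUnlock }
if ($manual) {
    Write-Warning "Data volumes without auto-unlock from the OS drive: $($manual.Volume -join ', ')"
}

# Offline record of recovery passwords; keep this file off the encrypted machine itself
$report | Select-Object Volume, RecoveryPassword |
    Out-File -FilePath $ExportPath -Encoding utf8
```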
James OConnor
From a licensing perspective, you will want to have management over BitLocker. With PGP you have a management tool to manage the encryption, but you are using a non-native product to encrypt your devices, which may slow the device down or create other management issues. If you are in a regulated industry like Healthcare or just want more control over BitLocker, management is critical. BitLocker is native to the operating system and an individual can encrypt their machine, but then the keys are not secure, so you have less protection from regulators. There are a few ways to manage BitLocker. MBM, or Microsoft BitLocker Manager, is part of some on-premises Microsoft licensing for Windows as well as Microsoft 365 Business Premium and Microsoft 365 E3/E5 (not part of Office 365 E3/E5). With MBM your keys are encrypted and reporting will show whether the device was encrypted or unencrypted if lost. That is very important with Healthcare laptops, since a lost laptop can cost a healthcare organization millions of dollars depending on what the Healthcare Org can prove was or was not on the laptop to the Federal Govt. "Office of Civil Rights"... Sophos is another product that will manage BitLocker and encrypt the keys. Trend Micro is another that will also manage BitLocker and encrypt the keys.