Bitlocker - Computer migration considerations

  • Question

  • One of our clients has around 15000 computers in Forest A. These computer objects will be migrated to Forest B using Quest Migration Manager. In Forest A, BitLocker has been enabled on the Forest A computers. What are the things we have to consider from a BitLocker perspective before migration of computers from Forest A to Forest B?

    - We are thinking that the backup of the recovery key to Active Directory is the only consideration; please, experts, share your inputs on this.

    Forest A domain Controllers are in Windows 2012 and Forest B are in Windows 2016. All the computers are running in Windows 10.

    Thanks and Regards,

    Hariharan

    Wednesday, September 11, 2019 1:41 PM

Answers

  • My intent here is to tell you that if you want to do this right then you need to implement MBAM as AD key storage is not sufficient.

    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by hariharanss Thursday, September 19, 2019 8:18 AM
    Monday, September 16, 2019 2:52 PM

All replies

  • You will need to re-force the storage of the BitLocker recovery key in the new forest using a script. Or, better yet, use a real key escrow tool like MBAM that actually provides real key management.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, September 11, 2019 2:12 PM
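The re-escrow script suggested above, as an added example that is not part of the thread and not Jason's code. It assumes it is run elevated on a migrated Windows 10 client that is now joined to Forest B, that the BitLocker and ActiveDirectory PowerShell modules are present, and that the "Store BitLocker recovery information in AD DS" policy already applies in Forest B; the verification step only checks that an escrow object exists and never reads the recovery password itself.

```powershell
# Added example (not from the thread): re-escrow BitLocker recovery passwords
# to the computer's current (post-migration) AD forest and verify the result.
# Assumes: elevated session on a migrated Windows 10 client; BitLocker and
# ActiveDirectory modules available; AD DS backup policy applied in Forest B.
Import-Module BitLocker
Import-Module ActiveDirectory

$results = foreach ($vol in Get-BitLockerVolume) {
    # Only recovery-password protectors are escrowed to AD; TPM protectors are not.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        [pscustomobject]@{ Volume = $vol.MountPoint; Status = 'NoRecoveryPassword'; ProtectorId = $null }
        continue
    }
    foreach ($p in $rp) {
        try {
            # Creates/updates an msFVE-RecoveryInformation child of the computer object.
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Volume = $vol.MountPoint; Status = 'Escrowed'; ProtectorId = $p.KeyProtectorId }
        } catch {
            [pscustomobject]@{ Volume = $vol.MountPoint; Status = "Failed: $($_.Exception.Message)"; ProtectorId = $p.KeyProtectorId }
        }
    }
}
$results | Format-Table -AutoSize

# Verification against AD: confirm an msFVE-RecoveryInformation object exists
# for each escrowed protector GUID. msFVE-RecoveryGuid is stored as bytes.
$computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -SearchBase $computerDn -SearchScope OneLevel -Properties msFVE-RecoveryGuid

foreach ($r in ($results | Where-Object Status -eq 'Escrowed')) {
    $guid  = [guid]$r.ProtectorId
    $found = $escrowed | Where-Object { [guid]$_.'msFVE-RecoveryGuid' -eq $guid }
    if ($found) { "OK      $($r.Volume) $guid present in AD" }
    else        { "MISSING $($r.Volume) $guid not found in AD; re-run or check policy" }
}
```

Running this after Quest has migrated a test device gives a direct check of the claim that the recovery information arrived in the target forest, rather than relying on the migration tool's attribute copy alone.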
  • Thanks Jason.

    We are using Quest Migration Manager to migrate the computer objects. We performed migration with a couple of test devices; we can see that the target domain AD DS automatically gets the BitLocker key in the device attribute.

    Is it sufficient, or do we have to perform the script again?

    Thanks and Regards,

    Hariharan

    Thursday, September 12, 2019 8:13 AM
  • "Is it sufficient, or do we have to perform the script again?"

    That's for you to determine. If the key is being uploaded for all of your systems without running the script, then there you go. Although, the real answer here is that saving the BitLocker key to AD in the first place is not sufficient.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, September 12, 2019 3:48 PM
  • Thanks Again Jason!!!

    "Although, the real answer here is that saving the BitLocker key to AD in the first place is not sufficient."

    I'm new to bitlocker . I took your words as running a script also would be a recommended approach.

    Monday, September 16, 2019 2:09 PM