BitLocker keys in AD

  • Question

  • We currently encrypt all our notebooks using BitLocker. All BitLocker encryption keys are saved in Active Directory using Group Policy. Now that we are going through a domain migration where we are moving to a new forest, I need to know what is the best way to export the existing keys from the current domain and import them into the new forest.


    I know once we dejoin the workstation from the current domain and join it to the new domain, the key that is currently used on the workstation is not going to automatically be backed up into the new domain, even if we have it enabled and are using the same GPO settings? Or maybe it will. Just wondering what is the easiest way to get this done.

    Friday, November 23, 2018 4:54 PM

All replies

  • Hi,

    It should, but I am not fully sure. In that case you can turn off BitLocker and re-encrypt the workstations; then it should definitely work that way. On the other hand, try on two workstations first and see what happens (just migrate to the new domain and check if the recovery key information is stored in the new domain, and then go for large scale).

    Mark if this post is helpful

    Best regards,

    Rafiul Islam 

    Sunday, November 25, 2018 10:00 AM
  • Hello,

    Thank you for posting in forum.

    I know once we dejoin the workstation from the current domain and join it to the new domain, the key that is currently used on the workstation is not going to automatically be backed up into the new domain, even if we have it enabled and are using the same GPO settings?

    From the official article Microsoft provided, yes, the recovery information will not automatically be backed up, but we could set some group policy to require the computer to connect to a domain.

    Here is the link for your reference:

    https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq

    And I also searched for some instructions which would help you:

     https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)

    https://blog.ctglobalservices.com/windows-client/coretech/migrating-bitlocker-enabled-machines-to-another-domain/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Have a nice day!

    Best Regards,

    Roger



    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 26, 2018 3:28 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Roger


    Thursday, November 29, 2018 9:26 AM
  • Hi,

    As this thread has been quiet for a while, we will propose it as the answer, as the information provided should be helpful. If you need further help, please feel free to reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.

    If you need any further assistance, please feel free to post back.

    Best Regards,

    Roger


    Monday, December 3, 2018 9:34 PM
  • Easy: on the new domain, add a line to your domain startup script that backs up the keys and you are done.
    Monday, December 17, 2018 8:30 PM
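The startup-script approach in the last reply, and the point from Roger's reply that already-encrypted drives are not escrowed on their own after a domain move (the "do not enable BitLocker until recovery information is stored in AD DS" policy only acts at encryption time), can be put together as below. This is an added example, not a script from the thread or from Microsoft. It assumes Windows 8/Server 2012 or later with the BitLocker PowerShell module, a machine that is already joined to the new domain, a new-forest schema that carries the msFVE-* attributes with the default permission that lets a computer write its own msFVE-RecoveryInformation child objects, and an ActiveDirectory-module workstation for the verification half. The registry marker path, the function names and the computer name are assumptions chosen for the example.

```powershell
# Added example (not from the thread). Two parts:
#   1. Backup-RecoveryPasswordsToAD  - runs as a computer startup script on the client
#   2. Get-EscrowedRecoveryPasswords - runs on an admin workstation to confirm escrow
# Assumed: BitLocker module present, machine joined to the NEW domain, default
# msFVE-RecoveryInformation write permissions for the computer's own object.

# Assumed marker key so successful uploads are not repeated on every boot.
$MarkerKey = 'HKLM:\SOFTWARE\ExampleCorp\BitLockerAdBackup'   # placeholder path

function Backup-RecoveryPasswordsToAD {
    [CmdletBinding()]
    param()

    # AD escrow needs a reachable DC in the domain the machine is joined to.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning 'Machine is not domain-joined; skipping AD backup.'
        return @()
    }

    # Protector IDs already escrowed successfully on an earlier boot.
    $done = @()
    if (Test-Path $MarkerKey) { $done = (Get-Item $MarkerKey).GetValueNames() }

    $results = @()
    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }) {
        # Only the numerical (48-digit) recovery password can be stored in AD DS.
        $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
        if (-not $rp) {
            Write-Warning "$($vol.MountPoint): no recovery-password protector; nothing to escrow."
            continue
        }
        foreach ($kp in $rp) {
            $id = $kp.KeyProtectorId
            if ($done -contains $id) {
                $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $id; Status = 'AlreadyEscrowed' }
                continue
            }
            try {
                # Same operation as "manage-bde -protectors -adbackup <drive> -id <GUID>".
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $id -ErrorAction Stop | Out-Null
                # Marker is written only after success, so a boot without network retries next time.
                New-Item -Path $MarkerKey -Force | Out-Null
                New-ItemProperty -Path $MarkerKey -Name $id -Value (Get-Date -Format o) -PropertyType String -Force | Out-Null
                $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $id; Status = 'BackedUp' }
            }
            catch {
                Write-Warning "$($vol.MountPoint) $id : AD backup failed - $($_.Exception.Message)"
                $results += [pscustomobject]@{ MountPoint = $vol.MountPoint; KeyProtectorId = $id; Status = 'Failed' }
            }
        }
    }
    return $results
}

function Get-EscrowedRecoveryPasswords {
    # Admin-side check: list the msFVE-RecoveryInformation objects under the computer object.
    # Reading msFVE-RecoveryPassword requires the delegated "read recovery password" right.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    Import-Module ActiveDirectory -ErrorAction Stop
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $computer.DistinguishedName `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        Select-Object @{ n = 'ComputerName'; e = { $ComputerName } }, Name, whenCreated, msFVE-RecoveryPassword
}

# When run as the computer startup script, escrow every recovery password and log the outcome.
if ($MyInvocation.InvocationName -ne '.') {
    Backup-RecoveryPasswordsToAD | Format-Table -AutoSize
}
```

The object `Name` returned by `Get-EscrowedRecoveryPasswords` ends in the key protector GUID, so it can be matched against the `KeyProtectorId` values the startup script reports; a protector that shows `BackedUp` on the client but has no matching object in the new forest points at schema or permission problems rather than at the script. Because startup scripts can run before the network is fully up, enable "Always wait for the network at computer startup and logon" for the GPO that carries the script, or accept that the first boot may log a failure and the marker-gated retry will complete it on the next one.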