ADMT and Unmanaged Bitlocker

Hello,

Can Windows 7 machines with unmanaged Bitlocker be migrated from one domain to another using ADMT?

Thanks!

Robert


July 9th, 2015 12:07am

Hi,

Thanks for your post.

I am not very clear about "unmanaged Bitlocker". If possible, could you please describe it in more detail?

According to my research, when we migrate the computer account of a BitLocker-enabled machine to another domain using the Active Directory Migration Tool, the BitLocker recovery password will not automatically be backed up to Active Directory, but the TPM owner password will.

So we need to Back Up BitLocker and TPM Recovery Information to Active Directory:

https://technet.microsoft.com/en-us/library/cc766015.aspx?f=255&MSPPError=-2147217396

Please remember to test intensively, before implementing this into your production environment.

Regards.

July 13th, 2015 2:11am

WS1 on the SOURCE domain is encrypted by BitLocker, which is not managed by MBAM or Group Policy. It is managed only on WS1. What happens if I try to use ADMT to migrate WS1 from the SOURCE domain to the TARGET domain? Is it possible, or will the migration render WS1 inaccessible?

Thanks

July 14th, 2015 8:56pm

Hi,

Did you mean that BitLocker was enabled before the domain join?

If BitLocker is enabled on a drive before Group Policy has been applied to enforce backup, the recovery information will not be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied.

Migrating BitLocker-enabled machines to another domain:

http://blog.coretech.dk/coretech/migrating-bitlocker-enabled-machines-to-another-domain/

Regards.

July 20th, 2015 12:31am

I just don't think you are understanding the question. This is NOT about migrating keys or backing up keys. Is there another Moderator who can help?

The SOURCE domain BitLocker recovery passwords and TPM owner password hashes are NOT backed up to Active Directory, and neither the SOURCE domain nor the TARGET domain is configured to back these up to AD.

WS1 is joined to the SOURCE domain. BitLocker/TPM is NOT backed up to AD.

If I use ADMT to migrate WS1 to TARGET, will WS1 still be accessible, or do I need to decrypt prior to the ADMT migration?

July 20th, 2015 12:42pm

Hi Robert,

So WS1 is locally encrypted with BitLocker, and there is no need to back up recovery information to AD.

If this is true, AD is actually not related to your BitLocker encryption. All the recovery/decryption information you have is a password or a USB key. In this situation, it will still work after the migration, as the password or the USB key is the only option to decrypt.

By the way, please understand that Vivian was also trying to provide some help; unfortunately she misunderstood the part "using ADMT to do the migration". In her view, she considered that AD recovery was needed in the target domain. Sorry for any inconvenience caused, and we will try our best to avoid such mistakes in the future.

Thank you again for your time!


July 21st, 2015 1:59am
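The two answers above make one practical point between them: the protectors that unlock WS1 at boot (TPM, PIN, startup key, password) are validated locally and do not depend on which domain the computer account lives in, so the ADMT move itself does not lock the volume; the only thing the migration changes is where a recovery password could be escrowed. The script below is an added example and is not code from the thread or from Microsoft; it inventories the protectors on a Windows 7 volume before the move, warns when there is no recovery password to fall back on, and can optionally add one and push it to AD with the one-off manage-bde -adbackup switch. It assumes manage-bde.exe is available (Windows 7 Enterprise/Ultimate), an elevated prompt, and that manage-bde prints its usual indented text layout; the regular expressions that parse that layout are an assumption and should be checked against your own output.

```powershell
# Added example, not from the thread. Pre-migration BitLocker check for a
# Windows 7 workstation such as WS1. Assumes manage-bde.exe exists, the script
# runs elevated, and that manage-bde uses its usual indented text layout
# (the regexes below are written against that assumption).
param(
    [string]$Drive = 'C:',
    [switch]$AddRecoveryPassword,   # create a 48-digit recovery password if none exists
    [switch]$BackupToAd             # one-off escrow to AD DS (needs BitLocker schema and write permission)
)

$status     = (& manage-bde -status $Drive 2>&1) | Out-String
$protectors = (& manage-bde -protectors -get $Drive 2>&1) | Out-String

if ($status -notmatch 'Conversion Status:\s+Fully Encrypted') {
    Write-Output "$Drive is not fully encrypted; nothing to escrow before migration."
    Write-Output $status
    return
}

# Protector headings are indented lines ending in ':' (e.g. "TPM:", "Numerical Password:").
# Field labels that also end in ':' are filtered out.
$skip  = @('ID', 'Password', 'PCR Validation Profile', 'All Key Protectors', 'External Key File Name')
$types = @([regex]::Matches($protectors, '(?m)^\s+([A-Za-z][A-Za-z ]*):\s*$') |
    ForEach-Object { $_.Groups[1].Value.Trim() } |
    Where-Object { $skip -notcontains $_ } |
    Sort-Object -Unique)

Write-Output "Key protectors on ${Drive}: $($types -join ', ')"
Write-Output "These protectors are checked locally at boot; moving the computer account with ADMT does not change them."

# The recovery password (manage-bde calls it "Numerical Password") is the fallback
# if the TPM is cleared or boot components change; it is the one protector that
# Group Policy would normally escrow to AD DS.
$idPattern  = '(?s)Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]+\})'
$recoveryId = $null
$m = [regex]::Match($protectors, $idPattern)
if ($m.Success) { $recoveryId = $m.Groups[1].Value }

if (-not $recoveryId) {
    Write-Warning "No recovery password protector on $Drive. Without one there is no fallback if the TPM or boot measurements change after the move."
    if ($AddRecoveryPassword) {
        & manage-bde -protectors -add $Drive -RecoveryPassword
        $protectors = (& manage-bde -protectors -get $Drive 2>&1) | Out-String
        $m = [regex]::Match($protectors, $idPattern)
        if ($m.Success) { $recoveryId = $m.Groups[1].Value }
    }
}

if ($recoveryId) {
    Write-Output "Recovery password protector ID: $recoveryId"
    Write-Output "Record the 48-digit password shown by 'manage-bde -protectors -get $Drive' out of band before running ADMT."
    if ($BackupToAd) {
        # One-off escrow of this protector to the computer object in AD DS. It does not
        # need the backup GPO, but the domain schema must carry the BitLocker recovery
        # attributes and the computer must be allowed to write them.
        & manage-bde -protectors -adbackup $Drive -id $recoveryId
    }
}
```

Run it on WS1 as .\Check-BitLockerBeforeAdmt.ps1 -Drive C: before the computer-account migration. In the situation described in the thread, where neither domain escrows recovery information, the useful part is the inventory and the out-of-band record of the recovery password; -BackupToAd is only worth passing if the domain WS1 is joined to at that moment actually accepts the write, and it is just as valid to run it again after the move against the TARGET domain.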
