TPM Owner Password
I am currently assisting a company that is being divested. We are migrating everything out of the parent company's AD into a new AD environment. The laptops are all currently encrypted with BitLocker and the recovery information is stored in the parent company's AD. I've read this thread http://social.technet.microsoft.com/Forums/pl-PL/w7itprosecurity/thread/73c11263-da07-4141-be83-dcda4af0ca32 as to how we can restore the BitLocker recovery information into the new AD; however, it does not mention anything about the TPM owner password. Is there a way for us to recover the TPM owner password into the new AD? I know the other option is to decrypt all laptops prior to changing domain, then re-encrypting them; however, we are trying to avoid that if at all possible. Thanks!!
October 14th, 2011 1:00pm

We have a PowerShell script which you can use to get BitLocker recovery information from AD.
http://blog.powershell.no/2010/10/24/export-bitlocker-information-using-windows-powershell/
http://gallery.technet.microsoft.com/ScriptCenter/4231a8a1-cc60-4e07-a098-2844353186ad/
Manoj Sehgal
October 14th, 2011 2:38pm

Thank you for the link; however, the biggest issue is that we do not have access to the parent company domain. I am trying to find a way to somehow get this information into the new AD from the workstation. From what I'm reading, that may not be possible. If I was able to get a domain admin on the parent domain to run the script you provided, would I then be able to import that information into my new AD environment? If I found some other way to get a copy of all the TPM hashes in the parent AD, could I manually populate them into the new AD somehow? I know this isn't really a break/fix question, but more of a consultative nature. If anyone has any info on it, I'd love the assistance. Thanks!
October 14th, 2011 3:44pm

If you do not have TPM hash information for your machines, then the only thing which you cannot do is upgrade the TPM firmware. Without the TPM password, you can still erase TPM information from the TPM Management console. Also, to unlock drives protected by BitLocker, you require the 48-digit recovery keys in AD and not the TPM hash key. BitLocker uses the TPM to check the early boot components when the machine boots, but for end users the 48-digit recovery keys are required to unlock the drives. If you use the PowerShell script, it can export the information and then you can import it into your new AD domain.
Manoj Sehgal
October 14th, 2011 3:59pm

Also, I found another good article on how to do just what I'm trying to do, and it doesn't mention recovering the TPM owner password either. Do I not really need the TPM owner password as long as I have the BitLocker recovery keys? Here is the other article: http://blog.coretech.dk/mbu/migrating-bitlocker-enabled-machines-to-another-domain/
October 14th, 2011 4:05pm

If you have the BitLocker recovery keys, then you can unlock a BitLocker-encrypted drive. The TPM hash password is only required to update the TPM firmware. Also, if you don't have the TPM password, you can erase the TPM from the TPM Management console and reinitialize the TPM, but if you do this, make sure you have the 48-digit BitLocker recovery password so that you can unlock the drive.
Manoj Sehgal
October 17th, 2011 9:36pm
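The point made above (the new domain needs the 48-digit recovery passwords, not the TPM owner password) suggests a practical step once a laptop has joined the new domain: push the volume's existing recovery-password protector into the new AD from the workstation itself with manage-bde, then confirm the escrow landed. This is an added example, not code from this thread or from either linked article; it assumes the new forest's schema includes the BitLocker attributes (Windows Server 2008 or later), that the machine is already a member of the new domain, and that it runs elevated under an account allowed to read recovery information (Domain Admins by default) for the verification step.

```powershell
# Added example: re-escrow existing BitLocker recovery passwords into the
# NEW domain from a workstation that has already joined it. No TPM owner
# password is involved; only Numerical Password protectors are backed up.
$volumes = @('C:')   # add data volumes here if they are BitLocker-protected

foreach ($vol in $volumes) {
    # manage-bde prints one block per key protector; capture it as an array.
    $out = @(& manage-bde.exe -protectors -get $vol)

    # Collect the ID of every Numerical Password (48-digit recovery) protector.
    # Block shape:  "Numerical Password:" / "  ID: {GUID}" / "  Password: ..."
    $ids = @()
    for ($i = 0; $i -lt $out.Count; $i++) {
        if ($out[$i] -match 'Numerical Password:') {
            for ($j = $i + 1; $j -lt $out.Count; $j++) {
                if ($out[$j] -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
                    $ids += $matches[1]; break
                }
            }
        }
    }
    # $out also contains the clear-text recovery passwords; drop it promptly.
    Remove-Variable out

    if ($ids.Count -eq 0) {
        Write-Warning "$vol has no recovery-password protector; nothing to escrow"
        continue
    }
    foreach ($id in $ids) {
        # Writes an msFVE-RecoveryInformation object under this computer's AD object.
        & manage-bde.exe -protectors -adbackup $vol -id $id
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$vol protector $id was not backed up (exit $LASTEXITCODE)"
        }
    }
}

# Verification from the domain side: count the msFVE-RecoveryInformation
# children of this computer's object in the new domain (uses ADSI, so no
# ActiveDirectory module is required on a Windows 7 client).
$me = ([ADSISearcher]"(&(objectClass=computer)(name=$env:COMPUTERNAME))").FindOne()
$dn = $me.Properties['distinguishedname'][0]
$search = [ADSISearcher]'(objectClass=msFVE-RecoveryInformation)'
$search.SearchRoot = [ADSI]"LDAP://$dn"
$escrowed = $search.FindAll().Count
Write-Output "$env:COMPUTERNAME : $escrowed recovery entries escrowed in the new domain"
```

Run it on each laptop after the domain join but before the old forest's recovery data becomes unreachable; a count of zero after a successful -adbackup usually means the querying account cannot read recovery information rather than that the write failed.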

Hi, I am just writing to check the status of this thread. Was the information provided in the previous reply helpful to you? Do you have any further questions or concerns? Please feel free to let us know.
Regards,
Alex Zhao
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tnmff@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 20th, 2011 3:39am