In the SCCM Admin's guide to preparing your environment for Bitlocker Drive Encryption post series, I walked you through how to prepare your environment for Bitlocker so that the Bitlocker recovery password and the TPM owner password hash are backed up to Active Directory.

But what will happen if:

1. You join a stand-alone machine, which already had Bitlocker enabled before the domain join, to a domain.

2. You unjoin a Bitlocker enabled machine from one domain and join it to another domain, which could be a domain in the same forest or another forest.

3. You migrate the computer account of a Bitlocker enabled machine to another domain using Active Directory Migration Tool 3.2 (ADMT 3.2).

Okay – let's set up a few ground rules for this. You have already prepared your environment for Bitlocker so that Bitlocker recovery passwords and TPM owner password hashes are backed up to Active Directory. This is set up for both the old domain (source) and the new domain (target).

This will happen:

1. When you join the stand-alone machine which already had Bitlocker enabled to a domain, the Bitlocker recovery password and the TPM owner password hash will NOT automatically be backed up to Active Directory.

2. When you unjoin a Bitlocker enabled machine from one domain and join it to another domain, the Bitlocker recovery password and the TPM owner password hash will NOT automatically be backed up to Active Directory.

3. When you migrate the computer account of a Bitlocker enabled machine to another domain using Active Directory Migration Tool 3.2 (ADMT 3.2), the Bitlocker recovery password will NOT automatically be backed up to Active Directory, but the TPM owner password hash will.

In order to get the Bitlocker recovery password backed up to the new Active Directory domain we need to use the manage-bde.exe command-line tool. It is included with Windows 7 and can be found in the %systemdrive%\Windows\System32 folder.

First we need to get the IDs of the key protectors. In an elevated command prompt type: manage-bde -protectors -get C:

When we have the protector IDs we can use the following command to back up the Bitlocker recovery information to Active Directory: manage-bde -protectors -adbackup C: -id {Protector ID found in the above step}

You can now use the Bitlocker Recovery Password Viewer for Active Directory tool and verify that the Bitlocker recovery password was successfully backed up to the “new” Active Directory domain.

If we are only talking about a handful of machines this could be done manually, but what if you have 1000s of machines? It would not be feasible to go to every machine and run those two commands manually.

Well – use Configuration Manager to execute a script on your Bitlocker enabled machines after they have been joined or migrated to a new domain. You could use this script found on the Configuration Manager forum: http://social.technet.microsoft.com/Forums/pl-PL/w7itprosecurity/thread/73c11263-da07-4141-be83-dcda4af0ca32.

The script will automatically get the protector GUIDs of the machine, which are required, and then back up the Bitlocker recovery information to Active Directory using those protector GUIDs.
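The two manual steps above, wrapped into one script that ConfigMgr can run on each machine, as an added example (this is my own illustration, not the forum script linked above). It assumes it runs elevated (for instance as a ConfigMgr program running under the local SYSTEM account) on a Windows 7 or later machine whose new domain is already prepared for Bitlocker AD backup; the volume letter, the function name Get-RecoveryProtectorId and the parsing of manage-bde's text output are my own choices.

```powershell
# Added example: back up every Bitlocker recovery password on a volume to the
# (new) Active Directory domain with manage-bde. Not the forum script from the post.
# Assumptions: elevated context, domain-joined Windows 7+, domain prepared for AD backup.
param(
    [string]$Volume = 'C:'
)

$ManageBde = Join-Path $env:SystemRoot 'System32\manage-bde.exe'

# Parse the text output of "manage-bde -protectors -get <volume>" and return only
# the IDs listed under the "Numerical Password" block (the recovery password
# protectors). Other protector types (TPM, external key) are not AD-backup targets.
function Get-RecoveryProtectorId {
    param([string[]]$OutputLines)

    $ids = @()
    $currentType = $null
    foreach ($line in $OutputLines) {
        # A protector block header looks like "    Numerical Password:" or "    TPM:"
        if ($line -match '^\s+([A-Za-z ]+):\s*$') {
            $currentType = $Matches[1]
            continue
        }
        # The ID line directly below the header carries the protector GUID in braces
        if ($currentType -eq 'Numerical Password' -and
            $line -match '^\s+ID:\s*(\{[0-9A-Fa-f-]{36}\})') {
            $ids += $Matches[1]
        }
    }
    return $ids
}

# Step 1 of the post: list the key protectors of the volume
$getOutput = & $ManageBde -protectors -get $Volume
if ($LASTEXITCODE -ne 0) {
    Write-Error "manage-bde -protectors -get $Volume failed with exit code $LASTEXITCODE"
    exit $LASTEXITCODE
}

$protectorIds = Get-RecoveryProtectorId -OutputLines $getOutput
if ($protectorIds.Count -eq 0) {
    Write-Warning "No recovery password protector found on $Volume; nothing to back up."
    exit 0
}

# Step 2 of the post: push each recovery password protector to Active Directory
$failed = 0
foreach ($id in $protectorIds) {
    Write-Output "Backing up recovery password protector $id on $Volume to Active Directory"
    & $ManageBde -protectors -adbackup $Volume -id $id
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Backup of protector $id failed (exit code $LASTEXITCODE)"
        $failed++
    }
}

# Non-zero exit code lets ConfigMgr report the program as failed for this machine
exit $failed
```

Only the Numerical Password protector IDs are passed to -adbackup, because that is the protector whose recovery information Active Directory stores; a non-zero exit code surfaces in the ConfigMgr program status so you can see which machines still need attention, and the Bitlocker Recovery Password Viewer remains the final check that the password landed on the computer object in the new domain.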

As always remember to test intensively, before implementing this into your production environment.