
I have the script and GPO for BitLocker drive encryption, and it successfully writes the encryption key to the AD object.

Now, what I can't find anywhere to test is what will happen if the PC gets renamed (reassigned to a new user) or if the PC is removed from the domain.

How do we track those scenarios?

Any recommendations please?

SamCook
"What will happen"? This seems like something you could test in a few minutes. If you need a solution that ensures the current recovery password is escrowed, that would need to be a separate product such as MBAM, SCCM, or Intune. Some endpoint security products also provide this capability. – Greg Askew May 05 '20 at 16:31

1 Answer

If the client is renamed, the computer object is renamed; all keys will remain accessible and valid. If the client is deleted from AD, the recovery key gets deleted as well, meaning you will need to print it or save it before you do that. Of course, the computer will still accept the key after domain removal.
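The point in the answer above is that the escrowed recovery information lives as child objects under the computer object, so a rename carries it along and a deletion takes it with it. The following PowerShell is an added example, not code from the question or the answer: it archives whatever AD holds for a computer before that object is removed, refuses to continue if nothing is escrowed, and re-escrows the local recovery password after a rejoin (the case where the object was recreated empty). The function names Get-AdBitLockerRecoveryInfo, Export-AdBitLockerRecoveryInfo and Backup-LocalRecoveryPassword are my own; it assumes the RSAT ActiveDirectory module on the admin workstation, the BitLocker module on the client, and an account delegated read access to the msFVE-RecoveryPassword attribute.

```powershell
# Added example (not from the question or answer). Assumes RSAT ActiveDirectory
# module and read access to msFVE-RecoveryPassword (Domain Admins by default).
Import-Module ActiveDirectory

function Get-AdBitLockerRecoveryInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)

    # Recovery data is stored as msFVE-RecoveryInformation objects one level
    # below the computer object, which is why it survives a rename of the
    # computer and disappears when the computer object is deleted.
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            ComputerName     = $computer.Name
            # The recovery GUID is the "Password ID" shown on the recovery screen,
            # so this is the value a helpdesk uses to pick the right password later.
            RecoveryGuid     = ([guid]::new([byte[]]$_.'msFVE-RecoveryGuid')).Guid
            VolumeGuid       = ([guid]::new([byte[]]$_.'msFVE-VolumeGuid')).Guid
            RecoveryPassword = $_.'msFVE-RecoveryPassword'
            Escrowed         = $_.whenCreated
        }
    }
}

function Export-AdBitLockerRecoveryInfo {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Path   # archive location you control, e.g. an encrypted share
    )
    $info = @(Get-AdBitLockerRecoveryInfo -ComputerName $ComputerName)
    if ($info.Count -eq 0) {
        # Do not delete or disjoin a computer that has nothing escrowed: after
        # the object is gone there is no copy of the key left in AD to recover.
        throw "No BitLocker recovery information in AD for $ComputerName; escrow a key before removing it from the domain."
    }
    $info | Export-Csv -Path $Path -NoTypeInformation
    return $info.Count   # number of recovery passwords archived
}

function Backup-LocalRecoveryPassword {
    # Run on the client after it has been rejoined to the domain: pushes every
    # local recovery-password protector back to the (new) computer object.
    [CmdletBinding()]
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($p in $protectors) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    return @($protectors).Count   # protectors re-escrowed
}

# Usage (admin workstation), before deleting the object or disjoining the PC:
#   Export-AdBitLockerRecoveryInfo -ComputerName 'PC-OLDNAME' -Path 'D:\keys\PC-OLDNAME.csv'
# Usage (on the client), after a rejoin created a fresh computer object:
#   Backup-LocalRecoveryPassword -MountPoint 'C:'
```

The CSV contains the recovery password in clear, so treat the archive the way the answer treats the printed copy: it goes somewhere access-controlled, and the export step belongs in the offboarding procedure before, not after, the object is removed.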