Migrating existing BitLocker encryption
Initial situation
If you have already encrypted Clients with BitLocker, for example because you previously used a different management system, you can migrate the existing BitLocker encryptions and manage them with ACMP. To do this, follow these steps:
Disable the previous management system
- Make sure that the old management system is no longer actively managing BitLocker.
Create Configuration Profiles
- Create a new Configuration Profile or open an existing one.
Warning:
The settings related to encryption (such as encryption method or encryption mode) cannot be easily adjusted if encryption is already in place. This is because ACMP does not automatically decrypt drives that are already encrypted. If there are differences between the target state and the actual state at the Client, these settings will not be adjusted automatically.
Assign Configuration Profile
- Assign the appropriate Configuration Profile.
Warning:
If there are differences between the target and actual state for the key protectors (e.g. system start PIN), the settings will be adjusted by ACMP in this case.
However, if there is no difference, existing key protectors will not be changed.
Once you have assigned a configuration profile to the Client, the existing recovery password will be scanned. This requires the hard drives to be unlocked. The operating system disks are always unlocked when the system is running, so the recovery password can be scanned directly for them.
Please note that fixed data drives sometimes need to be unlocked by the user first. This may take some time before the recovery password for the fixed data drives can be read.