BitLocker Decryption Keys

NavyMooseCCNA (Stand-up Philosopher, ZZ9ZZA, Posts: 501, Registered Members)
Good Afternoon,

My company does not have an AD controller, but we do use Office365. I was tasked to build several laptops, and when prompted I told the OS that these PCs are being used at work. I was prompted for my user name and password and everything installed fine. I did see in various places AzureAD\username that showed my user name. I did a little reading and I saw that even though we don't have our own AD per se, all Office365 customers do have a stripped-down AD provided by Azure. My manager tells me it isn't configured. Each user has a local account they log in to their PC with that is in the local administrators group.

I am currently working on a document detailing the procedure to recover the contents of our PCs, which have BitLocker running. I have printed the recovery keys for all the PCs and they are stored in a safe location.

When I configured BitLocker on these PCs I was not asked to create a PIN or a password to unlock the PC. My local PC, which is one of the ones I configured, is telling me there are settings for BitLocker which are managed by the SysAdmin. My manager doesn't know what this might be, since we don't have AD running.

I am asking if anyone has any suggestions on how to do the actual decryption with the backup keys I have? All the documentation I have been finding talks about an AD environment.

In addition, can anyone tell me what Azure AD can actually do? Even a link showing at the Dummies level what it can do. I have a little familiarity with "real" AD, but I'm more of a Cisco guy than I am a Windows guy and never got any training or experience with anything other than adding users in AD.

Thank you!

'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchill


  • SteveLavoie (Posts: 547, Registered Members)
    In your situation, just a printout and a copy of the file on 2 USB sticks stored in a secure way is enough to meet basic security principles.

    If you transfer your hard drive to another PC, it won't boot up because the encryption key is missing; it will offer you to enter the decryption key.

    For Azure AD, unless you are running Win10 1709, you won't be able to "join" the domain if managed by Azure AD. However, even joined, there are not many features: no GPO, etc. For now, it is quite useless outside the O365 context and a few other web applications.
  • NavyMooseCCNA (Stand-up Philosopher, ZZ9ZZA, Posts: 501, Registered Members)
    We are running Win10; all these PCs are brand new and have a TPM chip. I did find a local policy setting to configure use of the TPM and telling the chip to allow a PIN or not. It is located at Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives.

    'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchill

  • NavyMooseCCNA (Stand-up Philosopher, ZZ9ZZA, Posts: 501, Registered Members)
    I found that you can change the encryption strength to AES-256 via a different local policy. This article gave me the steps; will this change the BitLocker Drive Encryption Recovery Key that I generated earlier?

    'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchill
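An added example (not posted in this thread) for the recovery scenario SteveLavoie describes and the check the last post asks about: it inventories each volume's cipher and key protectors, unlocks a drive attached to another PC with the printed 48-digit recovery password, and optionally decrypts it fully. It assumes Windows 10 with the built-in BitLocker PowerShell module and an elevated prompt; the recovery password in the usage line is a constructed placeholder, and `Get-BitLockerInventory` and `Unlock-WithRecoveryPassword` are helper names chosen here.

```powershell
# Added example, not from the thread. Requires the BitLocker module (Windows 10)
# and an elevated PowerShell session.

# 1. Inventory: which volumes are protected, with which cipher, and whether each
#    carries a RecoveryPassword protector (the 48-digit key on the printout).
#    EncryptionMethod is fixed when encryption starts; changing the
#    "encryption method and cipher strength" policy later only affects
#    volumes encrypted after the change and does not touch existing recovery keys.
function Get-BitLockerInventory {
    Get-BitLockerVolume | ForEach-Object {
        $recovery = $_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            Volume         = $_.MountPoint
            Status         = $_.VolumeStatus
            Cipher         = $_.EncryptionMethod
            Protectors     = ($_.KeyProtector.KeyProtectorType -join ', ')
            RecoveryKeyIds = ($recovery.KeyProtectorId -join ', ')   # matches the ID printed with the key
        }
    }
}

# 2. Recovery: the original disk is attached to another PC as a data volume
#    (e.g. E:) and must be unlocked with the printed recovery password.
#    Unlocking only grants access for this session; -Decrypt removes BitLocker
#    from the volume entirely (runs in the background; watch EncryptionPercentage).
function Unlock-WithRecoveryPassword {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,        # e.g. 'E:'
        [Parameter(Mandatory)] [string] $RecoveryPassword,  # 48 digits, dashes optional
        [switch] $Decrypt
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.LockStatus -eq 'Locked') {
        Unlock-BitLocker -MountPoint $MountPoint -RecoveryPassword $RecoveryPassword | Out-Null
    }
    if ($Decrypt) {
        Disable-BitLocker -MountPoint $MountPoint | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, LockStatus, VolumeStatus, EncryptionPercentage
}

# Usage (placeholder recovery password, constructed for this example):
# Get-BitLockerInventory | Format-Table -AutoSize
# Unlock-WithRecoveryPassword -MountPoint 'E:' `
#     -RecoveryPassword '111111-222222-333333-444444-555555-666666-777777-888888'
```

Run the inventory before and after applying the AES-256 policy: the RecoveryKeyIds and Cipher columns for an already-encrypted volume stay the same, which answers the question in the last post.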
