Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard disk to a different computer. BitLocker drive encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
To provide additional security for sensitive data stored on your University-owned Windows 10 computer, I.T. Services can assist you with enabling BitLocker drive encryption. Click here to submit your request.
Prerequisites
- For best results, your computer should be equipped with a Trusted Platform Module (TPM) chip. This is a special microchip that enables your device to support advanced security features. The TPM chip works with BitLocker to help protect user data and to ensure that a computer has not been tampered with while the system was offline.
- Your computer must be running the Windows 10 Pro or Enterprise edition. If needed, we will upgrade it from Windows 7 as long as it is a University-owned device.
- Your computer must be joined to Azure Active Directory (AAD) and enrolled in a device management system called Intune, which means some of its settings will be managed by I.T. Services.
- You will need a USB flash drive to save a copy of your BitLocker recovery key. This key can be used to access your files on the encrypted drive if you're having problems unlocking your PC. A copy of this key will also be stored in your account profile in Azure AD.
Enabling Encryption
Once the encryption policy has been assigned to your device in Intune, the following message will be displayed on your computer until BitLocker encryption is actually enabled:
Encryption needed - Your work or school requires this device to be encrypted.
Select this notification to encrypt this device.
Turning on BitLocker
During the final step of this process, your computer will perform the following:
- Prepare your device for BitLocker.
- Turn on the TPM security hardware, if not already turned on.
- Encrypt your operating system drive.
1. Click on the Encryption needed message to be redirected to the BitLocker setup wizard.
2. On the Are you ready to start encryption? screen, you have to confirm that you do not have any other encryption software installed on your computer. You will not be able to proceed unless you check the box next to I don't have any other disk encryption software installed. Click Yes to continue.
3. If your TPM hardware is not turned on, you will see a message displayed that says "Turn on the TPM security hardware." Click Restart to proceed. Your computer will reboot. Sign back into Windows and wait for the BitLocker setup wizard to resume. Click Next to continue.
4. On the How do you want to back up your recovery key screen, click on Save to USB flash drive and click Next. Insert your USB flash drive, select it from the list and click on Save.
5. On the next screen you will be asked to choose How much of your drive you want to encrypt. Select Encrypt entire drive and click Next.
6. Click on Start encrypting on the next screen. You will be able to use your computer while your drive is being encrypted; a progress bar will be displayed on the screen. The exact amount of time required to complete this step depends on the size of your drive and the speed of your computer. Your computer must remain powered on during this process.
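
To confirm the prerequisites and the result of the steps above, the read-only PowerShell check below can be run from an elevated prompt. It is an added example, not a script provided by I.T. Services. It assumes the encrypted volume is the system drive, and it does not check Intune enrollment.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only verification of the prerequisites and end state
# described on this page. It changes nothing and never prints the recovery key.

$osDrive = $env:SystemDrive   # assumption: the operating system drive is the encrypted one

# Prerequisite: Windows 10 Pro or Enterprise (EditionID is "Professional" for Pro)
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

# Prerequisite: TPM present and ready for use
$tpm = Get-Tpm

# Prerequisite: device joined to Azure AD (parsed from the dsregcmd status report)
$aadJoined = [bool](dsregcmd /status | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

# End state: volume status, protection status and key protectors on the OS drive
$vol = Get-BitLockerVolume -MountPoint $osDrive
$protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$checks = [ordered]@{
    'Edition is Pro or Enterprise'        = $edition -in @('Professional', 'Enterprise')
    'TPM present'                         = $tpm.TpmPresent
    'TPM ready'                           = $tpm.TpmReady
    'Joined to Azure AD'                  = $aadJoined
    'OS drive fully encrypted'            = $vol.VolumeStatus -eq 'FullyEncrypted'
    'BitLocker protection is on'          = $vol.ProtectionStatus -eq 'On'
    'TPM key protector present'           = $protectors -contains 'Tpm'
    'Recovery password protector present' = $protectors -contains 'RecoveryPassword'
}

$failed = 0
foreach ($name in $checks.Keys) {
    if ($checks[$name]) {
        Write-Host "[PASS] $name"
    } else {
        Write-Host "[FAIL] $name"
        $failed++
    }
}

# While encryption is still running, this shows how far it has progressed.
Write-Host ("Encryption progress on {0}: {1}%" -f $osDrive, $vol.EncryptionPercentage)

if ($failed -gt 0) { exit 1 }
```

While step 6 is still in progress, the encryption and protection checks report FAIL; run the check again once the progress bar has finished.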