BitLocker Encryption

BitLocker is a volume encryption feature of the Enterprise editions of Windows 7 and Windows 10. Paired with the Microsoft BitLocker Administration and Monitoring (MBAM) software, this feature meets the requirement of the UVM Information Security policy for encryption of all laptops.

Prerequisites

To use UVM’s BitLocker services, the device must meet the following requirements:

  • The computer must be joined to the Campus Active Directory domain.
  • The operating system must be an Enterprise edition of Windows 7 or Windows 10.
  • Trusted Platform Module (TPM):
    • On Windows 7 computers, a functional TPM is required.
    • On Windows 10 systems, a functional TPM is preferred, but not required.
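
The three requirements above can be checked from an elevated PowerShell window before installing anything. This is an added example, not part of UVM's tooling; the function name is hypothetical, and it uses only WMI classes that exist on both Windows 7 and Windows 10. It reports the joined domain name for manual comparison rather than assuming what the campus domain is called.

```powershell
# Added example: run in an elevated PowerShell window on the device being checked.
function Test-BitLockerPrerequisite {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Win32_Tpm sits in its own namespace; no instance means Windows sees no TPM
    # (absent, or still disabled in BIOS).
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    $isWindows7   = $os.Version -like '6.1.*'          # Windows 7 reports version 6.1
    $isEnterprise = $os.Caption -match 'Enterprise'
    $tpmReady     = [bool]($tpm -and $tpm.IsEnabled_InitialValue -and
                           $tpm.IsActivated_InitialValue)

    # The TPM is mandatory on Windows 7 and only preferred on Windows 10.
    $tpmRuleMet = $tpmReady -or (-not $isWindows7)

    New-Object PSObject -Property @{
        DomainJoined       = [bool]$cs.PartOfDomain
        Domain             = $cs.Domain   # compare by eye with the campus domain
        Edition            = $os.Caption
        IsEnterprise       = $isEnterprise
        TpmReady           = $tpmReady
        MeetsPrerequisites = [bool]($cs.PartOfDomain -and $isEnterprise -and $tpmRuleMet)
    }
}

Test-BitLockerPrerequisite | Format-List
```

If `TpmReady` is False on a Windows 7 machine, enable and activate the TPM in BIOS and run the check again.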

Enable/Activate TPM

  1. While booting, tap the F2 key (Dell machines) to enter BIOS.
  2. Navigate to “Security”, then select “TPM Security”.
  3. Ensure that “TPM Security” is checked, and “Activated”.
  4. Save any changes you made and reboot the machine.

NOTE: You must shut down the computer separately after enabling TPM and after activating TPM.

Install the MBAM client

We are using the Microsoft BitLocker Administration and Monitoring software to provide additional capabilities for our clients and support staff. Machines imaged with LiteTouch will install the MBAM client automatically.

  1. Log in to the machine using DOMAIN credentials. Local account credentials will not work.
  2. The MBAM client is available at the following UNC path: \\files.uvm.edu\shared\software\management\BitLocker\MBAMClient
  3. Install the 32-bit or 64-bit version as appropriate. When the installer completes, reboot the machine.
  4. Make sure the machine has an active network connection. Within 90 minutes of reboot, you should be prompted to encrypt your drive.

    If you want to jump-start the process, navigate to “C:\Program Files\Microsoft\MDOP MBAM\”, and launch the “MBAMClientUI.exe” program.

  5. Accept the licensing terms.
  6. “Start” the encryption process.
  7. The drive will begin encrypting and display the progress. This window may be closed without disrupting the encryption process.
  8. Once encryption has begun, you can put your computer to sleep, shut it down, or restart it; the encryption process will resume when you restart or wake the device. When encryption has finished, the icon for the encrypted volume will change in Windows Explorer.

During the encryption process your hard drive may display as full. This is normal behavior; the available space of your hard drive will return to normal when the encryption process completes.

Patch the MBAM Client

Starting with Windows 10 version 1909, an MBAM client patch is required for the client to work correctly. If you are consistently getting a message stating that your drive failed to encrypt, follow the instructions below.

  1. Log in to the machine using DOMAIN credentials. Local account credentials will not work.
  2. The MBAM patch is available at the following UNC path: \\files.uvm.edu\shared\software\management\BitLocker\May 2019 Servicing Release
  3. Install the 32-bit or 64-bit version as appropriate. When the installer completes, reboot the machine.

BitLocker Self-recovery Keys

UVM has deployed a self-service key recovery portal that people can use to obtain a recovery key for their system if needed. Recovery keys may also be obtained by contacting UVM Identity and Account Management (iam@uvm.edu).

  1. Visit https://bitlocker.uvm.edu and sign in with your UVM NetID and password.
  2. After login, accept the policy notice.
  3. On the machine you’re requesting a recovery key for, note the 8-digit Recovery Key ID.
  4. Enter the 8-digit Recovery Key ID in the appropriate field, and select a reason for requesting a BitLocker Recovery Key.
  5. You’ll receive a 48-character BitLocker Recovery Key. Enter this key at the BitLocker screen on your machine. This will unlock your disk, allowing the operating system to boot.

BIOS updates on BitLocker Encrypted drives

It is recommended that you back up data before attempting BIOS updates. Please ensure data has been backed up before proceeding.

  1. Log in to the machine as an administrator. (Use your -tech or -adm accounts)
  2. Open a PowerShell window as Administrator.
  3. Disable BitLocker protectors with the following command:
    manage-bde -protectors c: -disable
  4. Install the BIOS update.
  5. When the BIOS update completes, log in to the machine as an administrator and run the following command to re-enable the BitLocker protectors:
    manage-bde -protectors c: -enable
  6. You can confirm that the protectors have been re-enabled by running:
    manage-bde -protectors c: -get
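
While protectors are disabled, the volume is unlocked by a key stored in the clear on the disk, so the step that matters most is confirming that protection actually came back on. The following added example (not UVM's own script; the function names are hypothetical) wraps the `manage-bde` commands above with checks before and after the update. It assumes Windows 10, because the `Get-BitLockerVolume` cmdlet is not available on Windows 7.

```powershell
# Added example: requires an elevated PowerShell window on Windows 10.
function Suspend-ForBiosUpdate {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        throw "$MountPoint is '$($vol.VolumeStatus)'; let encryption finish first."
    }

    # A recovery password protector must exist, so that a recovery key can be
    # requested if the machine boots into BitLocker recovery after the update.
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($recovery.Count -eq 0) {
        throw "No recovery password protector on $MountPoint; do not proceed."
    }

    manage-bde -protectors $MountPoint -disable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde exited with code $LASTEXITCODE." }

    # Return the 8-character ID(s) the self-service recovery portal asks for.
    $recovery | ForEach-Object { $_.KeyProtectorId.Trim('{}').Substring(0, 8) }
}

function Resume-AfterBiosUpdate {
    param([string]$MountPoint = 'C:')

    manage-bde -protectors $MountPoint -enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "manage-bde exited with code $LASTEXITCODE." }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        throw "Protection on $MountPoint is still '$($vol.ProtectionStatus)'."
    }
    $vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus,
        @{ Name = 'Protectors'; Expression = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}
```

Run `Suspend-ForBiosUpdate` before installing the BIOS update and `Resume-AfterBiosUpdate` after the machine comes back up; the second function throws if protection did not return to On.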

Updated on October 4, 2021
