1. Home
  2. Security
  3. BitLocker Encryption
  1. Home
  2. For IT Professionals
  3. BitLocker Encryption

BitLocker Encryption

BitLocker is a volume encryption feature of the Enterprise editions of Windows 7 and Windows 10. Paired with the Microsoft BitLocker Administration and Monitoring (MBAM) software, this feature meets the requirement of the UVM Information Security policy for encryption of all laptops.

Prerequisites

To use UVM’s BitLocker services, the device must meet the following requirements:

  • The computer must be joined to the Campus Active Directory domain.
  • The operating system must be Enterprise editions of Windows 7 or Windows 10.
  • Trusted Platform Module (TPM):
    • Windows 7 computers, a functional TPM is required.
    • Windows 10 systems, a functional TPM is preferred, but not required.

Enable/Activate TPM

  1. While booting, tap the F2 key (Dell machines) to enter BIOS.
  2. Navigate to “Security”, then select “TPM Security“.
  3. Ensure that “TPM Security” is checked, and “Activated”.
  4. Save any changes you made and reboot the machine.

tpm

NOTE: You must shut down the computer separately after enabling TPM and after activating TPM.

Install the MBAM client

We are using the Microsoft BitLocker Administration and Monitoring software to provide additional capabilities for our clients and support staff. Machines imaged with LiteTouch will install the MBAM client automatically.

  1. Login to the machine using DOMAIN credentials. Local account credentials will not work.
  2. The MBAM client is available at the following UNC path: \\files.uvm.edu\shared\software\management\BitLocker\MBAMClient
  3. Install the 32-bit or 64-bit version as appropriate. When the installer completes, reboot the machine.
  4. Make sure the machine has an active network connection. Within 90 minutes of reboot, you should be prompted to encrypt your drive.

    If you want to jump-start the process, navigate to “C:\Program Files\Microsoft\MDOP MBAM\”, and launch the “MBAMClientUI.exe” program.

  5. Accept the licensing terms.How-to - BitLocker installation1
  6. Start” the encryption process.How-to - BitLocker installation2
  7. The drive will begin encrypting and display the progress. This window may be closed without disrupting the encrypting process.How-to - BitLocker installation3
  8. Once encryption has begun, you can put your computer to sleep, shut it down, or restart it; the encryption process will resume when you restart or wake the device. When encryption has finished, the icon for the encrypted volume will change in Windows Explorer:How-to - BitLocker installation4

 

During the encryption process your hard drive may display as full. This is normal behavior, the available space of your hard drive will return to normal when the encryption process completes.

BitLocker Self-recovery Keys

UVM has deployed a self-service key recovery portal that people can use to obtain a recovery key for their system if needed. Recovery keys may also be obtained by contacting UVM Identity and Account Management (iam@uvm.edu).

  1. Visit https://bitlocker.uvm.edu and sign-in with your UVM NetID and password.How-to - BitLocker Self-Service Key Recovery1
  2. After login, accept the policy notice.How-to - BitLocker Self-Service Key Recovery2
  3. On the machine you’re requesting a recovery key for, note the 8-digit Recovery Key ID.How-to - BitLocker Self-Service Key Recovery3
  4. Enter the 8-digit Key Recovery ID in the appropriate field, and select a reason for requesting a BitLocker Recovery Key.How-to - BitLocker Self-Service Key Recovery4
  5. You’ll receive a 48-character BitLocker Recovery Key. Enter this key at the BitLocker screen on your machine. This will unlock your disk, allowing the operating system to boot.

BIOS updates on BitLocker Encrypted drives

It is recommended that you backup data before attempting BIOS updates. Please ensure data has been backed up before proceeding.

  1. Login to the machine as an administrator. (Use your -tech or -adm accounts)
  2. Open a Powershell window as Administrator.
  3. Disable BitLocker protectors with the following command:
    manage-bde -protectors c: -disable
  4. Install the BIOS update.
  5. When the BIOS update completes, login to the machine as an administrator and run the following command to re-enable the BitLocker protectors:
    manage-bde -protectors c: -enable
  6. You can confirm that the protectors have been re-enabled by running:
    manage-bde –protectors c: -get

Updated on June 29, 2018

Related Articles

Not the solution you were looking for?
Don’t worry we’re here to help!
Submit a Help Ticket