BitLocker is a volume encryption feature of the Enterprise editions of Windows 7 and Windows 10. Paired with the Microsoft BitLocker Administration and Monitoring (MBAM) software, this feature meets the requirement of the UVM Information Security policy for encryption of all laptops.
To use UVM’s BitLocker services, the device must meet the following requirements:
- The computer must be joined to the Campus Active Directory domain.
- The operating system must be an Enterprise edition of Windows 7 or Windows 10.
- Trusted Platform Module (TPM):
  - On Windows 7 computers, a functional TPM is required.
  - On Windows 10 systems, a functional TPM is preferred but not required.
  - To enable the TPM, tap the F2 key while booting (Dell machines) to enter the BIOS.
  - Navigate to “Security”, then select “TPM Security”.
  - Ensure that “TPM Security” is checked and “Activated”.
  - Save any changes you made and reboot the machine.
NOTE: You must shut down the computer separately after enabling TPM and after activating TPM.
Install the MBAM client
We are using the Microsoft BitLocker Administration and Monitoring software to provide additional capabilities for our clients and support staff. Machines imaged with LiteTouch will install the MBAM client automatically.
- Log in to the machine using DOMAIN credentials; local account credentials will not work.
- The MBAM client is available at the following UNC path: \\files.uvm.edu\shared\software\management\BitLocker\MBAMClient
- Install the 32-bit or 64-bit version as appropriate. When the installer completes, reboot the machine.
- Make sure the machine has an active network connection. Within 90 minutes of reboot, you should be prompted to encrypt your drive.
- Accept the licensing terms.
- Select “Start” to begin the encryption process.
- The drive will begin encrypting and display the progress. This window may be closed without disrupting the encryption process.
- Once encryption has begun, you can put your computer to sleep, shut it down, or restart it; the encryption process will resume when you restart or wake the device. When encryption has finished, the icon for the encrypted volume will change in Windows Explorer.
BitLocker Self-recovery Keys
UVM has deployed a self-service key recovery portal that people can use to obtain a recovery key for their system if needed. Recovery keys may also be obtained by contacting UVM Identity and Account Management (firstname.lastname@example.org).
- Visit https://bitlocker.uvm.edu and sign in with your UVM NetID and password.
- After login, accept the policy notice.
- On the machine you’re requesting a recovery key for, note the 8-digit Recovery Key ID shown on the BitLocker recovery screen.
- Enter the 8-digit Recovery Key ID in the appropriate field, and select a reason for requesting a BitLocker Recovery Key.
- You’ll receive a 48-character BitLocker Recovery Key. Enter this key at the BitLocker screen on your machine. This will unlock your disk, allowing the operating system to boot.
BIOS updates on BitLocker Encrypted drives
It is recommended that you back up your data before attempting a BIOS update; please ensure the backup is complete before proceeding.
- Log in to the machine as an administrator (use your -tech or -adm account).
- Open a PowerShell window as Administrator.
- Disable BitLocker protectors with the following command:
manage-bde -protectors c: -disable
- Install the BIOS update.
- When the BIOS update completes, log in to the machine as an administrator and run the following command to re-enable the BitLocker protectors:
manage-bde -protectors c: -enable
- You can confirm that the protectors have been re-enabled by running:
manage-bde -protectors c: -get
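The BIOS-update procedure above as an added PowerShell script; this example is not part of the UVM page or of UVM’s tooling. It assumes an elevated Windows PowerShell session, C: as the operating-system volume, and function names invented for this example. It goes beyond the steps above by verifying the protector state after each command and, on Windows 8 and later, passing -RebootCount so the protectors stay suspended even if the BIOS flash reboots more than once.

```powershell
# Added example (not from the UVM page): wraps the manage-bde steps so the
# protector state is checked before and after a BIOS update.
# Assumes an elevated Windows PowerShell session; 'C:' is the assumed OS volume.

function Get-ProtectionStatus {
    param([string]$Volume = 'C:')
    $text = (manage-bde -status $Volume) -join "`n"
    if ($text -match 'Protection Status:\s+Protection (On|Off)') { return $Matches[1] }
    throw "Could not read BitLocker status for $Volume"
}

function Suspend-Protectors {
    param([string]$Volume = 'C:', [int]$RebootCount = 0)
    # -RebootCount exists on Windows 8 and later only. 0 keeps the protectors
    # suspended until -enable is run explicitly; the Windows 10 default (1)
    # re-arms them after the first reboot, too early for a two-reboot flash.
    if ([Environment]::OSVersion.Version -ge [Version]'6.2') {
        manage-bde -protectors -disable $Volume -RebootCount $RebootCount | Out-Null
    } else {
        # Windows 7: protectors stay suspended until -enable is run
        manage-bde -protectors -disable $Volume | Out-Null
    }
    if ((Get-ProtectionStatus $Volume) -ne 'Off') { throw "Protectors on $Volume are still enabled" }
    Write-Host "Protectors suspended on $Volume; install the BIOS update now."
}

function Resume-Protectors {
    param([string]$Volume = 'C:')
    manage-bde -protectors -enable $Volume | Out-Null
    if ((Get-ProtectionStatus $Volume) -ne 'On') { throw "Protectors on $Volume did not re-enable" }
    # The Numerical Password protector is the 48-digit key the recovery portal
    # hands back; the first 8 characters of its ID are the Recovery Key ID the
    # BitLocker recovery screen shows and the portal asks for.
    $seen = $false; $id = $null
    foreach ($line in (manage-bde -protectors -get $Volume)) {
        if ($line -match 'Numerical Password:') { $seen = $true; continue }
        if ($seen -and $line -match 'ID:\s+\{([0-9A-Fa-f-]+)\}') { $id = $Matches[1]; break }
    }
    if (-not $id) { throw "No recovery password protector on $Volume; the portal cannot recover it" }
    Write-Host "Protectors on $Volume re-enabled; Recovery Key ID prefix: $($id.Substring(0, 8))"
    return $id
}

# Usage: run Suspend-Protectors, install the BIOS update, reboot, then run
# Resume-Protectors from a new elevated session to re-arm and verify.
```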