BitLocker Encryption for non-TPM laptops

Contents
1.0 Introduction
2.0 What is a TPM?
3.0 Users of non-TPM University laptops
  3.1 Existing Windows 7 laptop users
  3.2 Existing Windows 8.1 laptop users
  3.3 New laptop users
4.0 Enabling BitLocker
5.0 Working with BitLocker
  5.1 Unlocking your drive
  5.2 Changing your BitLocker password
6.0 BitLocker Recovery Key
  6.1 Retrieving your recovery key from the self-service portal
1.0 Introduction

To meet University security compliance, all University-owned laptops are to be encrypted using BitLocker and managed by our Microsoft BitLocker Administration and Monitoring (MBAM) server. BitLocker drive encryption is Microsoft's proprietary encryption program and is included with certain versions of Windows. BitLocker encrypts the data stored on the Windows operating system (OS) volume, ensuring your data is secure in the unlikely event your laptop is lost or stolen.

2.0 What is a TPM?

A Trusted Platform Module (TPM) is a computer chip (microprocessor) dedicated to dealing with certain security-related functions. These microprocessors are built into some, but not all, models of laptop used by the University. If your laptop does not have a TPM chip, some aspects of the encryption process are performed by software rather than the TPM hardware. Essentially, this means non-TPM laptops will require the user to enter a password to unlock/decrypt the drive prior to logging in. This authentication could be handled by the TPM if present.

3.0 Users of non-TPM University laptops

How we enable BitLocker on your University laptop will depend on its current setup. The process will be largely automated, so please do not attempt to manually enable BitLocker as you would do at home. We will be managing this rollout to ensure your recovery keys are securely stored on our MBAM server and your compliance details are known. Please read the information below most relevant to your current setup to see how this process will begin.

3.1 Existing Windows 7 laptop users

Although BitLocker is available for Windows 7, non-TPM laptops will need to be reimaged to Windows 8.1. This is required to ensure the best possible security for your laptop and to enable management via our MBAM server. Information Services will be contacting you to arrange your upgrade and will help take you through the encryption process described in section 4.0.
3.2 Existing Windows 8.1 laptop users

Continue to use your laptop as normal. The BitLocker encryption process will begin automatically once we deploy the policy to your laptop. At this stage the dialog box shown in section 4.0 will automatically appear on your desktop. Follow the steps in section 4.0 to complete the encryption process.

3.3 New laptop users

If you receive a new University (non-TPM) laptop, it will come preinstalled with Windows 8.1. The encryption process will begin once you have logged in and the dialog box shown in section 4.0 automatically appears on your desktop. Follow the steps in section 4.0 to complete the encryption process.

4.0 Enabling BitLocker

The following dialog box will automatically appear on your desktop.
1. Enter a strong password that meets the complexity policy. This password will be required to unlock/decrypt your drive.
2. Confirm your new password.
3. Click
   Please note: This is an additional password; it is not linked to, and does not replace, your usual login/domain credentials.
4. Your disk will now begin encrypting.
5. Click the Close button to close the MBAM encryption wizard.
6. Click OK; your disk will continue to be encrypted in the background.
7. Continue to use your laptop as normal. You can also turn your laptop off; encryption will simply continue the next time your laptop is turned on.
8. You can monitor the encryption process by clicking the BitLocker icon in your system tray.
9. When your disk has been successfully encrypted, the MBAM dialog box below appears. Read the "Things to remember" bullet points and press Exit.
10. BitLocker is now enabled. Your operating system (OS) volume has been encrypted and a recovery key, unique to your OS volume, has been stored in the MBAM database.
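
For IT staff confirming the outcome of the steps above, a read-only status check (an added example, not part of the University's guide or of the MBAM tooling). It assumes an elevated PowerShell prompt and that the OS volume is the system drive; it uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets and changes nothing.

```powershell
# Added example: read-only BitLocker check for the OS volume.
# Run from an elevated PowerShell prompt. Nothing is enabled, suspended or changed.

$drive = $env:SystemDrive    # assumption: the OS volume is the system drive (usually C:)

# On a non-TPM laptop TpmPresent is False; a failed query is treated as "no TPM".
$tpmPresent = [bool](Get-Tpm -ErrorAction SilentlyContinue).TpmPresent

$vol = Get-BitLockerVolume -MountPoint $drive -ErrorAction Stop

# Collect protector types and IDs only. The recovery password value itself
# is deliberately never selected, so it cannot end up in a log or a ticket.
$protectors = @($vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId)
$types      = @($protectors | ForEach-Object { $_.KeyProtectorType.ToString() })

[pscustomobject]@{
    Drive                = $drive
    TpmPresent           = $tpmPresent
    VolumeStatus         = $vol.VolumeStatus
    ProtectionStatus     = $vol.ProtectionStatus
    EncryptionPercentage = $vol.EncryptionPercentage
    ProtectorTypes       = $types -join ', '
} | Format-List

# Encryption continues in the background (steps 6 to 8), so report progress.
if ($vol.VolumeStatus.ToString() -ne 'FullyEncrypted') {
    Write-Warning "Encryption not complete: $($vol.EncryptionPercentage)% ($($vol.VolumeStatus))."
}

# Without a TPM, the pre-boot unlock relies on a Password protector.
if (-not $tpmPresent -and $types -notcontains 'Password') {
    Write-Warning 'No TPM and no Password protector found on the OS volume.'
}

# A RecoveryPassword protector must exist for a recovery key to be retrievable.
$recovery = @($protectors | Where-Object { $_.KeyProtectorType.ToString() -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    Write-Warning 'No RecoveryPassword protector found; no recovery key exists for this volume.'
} else {
    # The protector ID identifies the recovery password; it is not the secret.
    $recovery | ForEach-Object { "Recovery protector ID: $($_.KeyProtectorId)" }
}
```
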
5.0 Working with BitLocker

BitLocker drive encryption will not affect the way you work on your laptop. Your drive and its contents are only encrypted when your laptop is turned off or in hibernation mode. It's best to think of BitLocker as offline protection for your data.

5.1 Unlocking your drive

When you turn your laptop on, a blue BitLocker password screen will appear. To unlock/decrypt your drive, enter your password (created in section 4.0) and press the Enter key.

5.2 Changing your BitLocker password

You can change your BitLocker password by following these steps:

1. Open Control Panel (icons view): Start > Settings > Control Panel
2. Select BitLocker Encryption Options
3. Under Fixed Disk Drives, click Manage your password
4. Enter a new password, confirm your new password and click Reset Password.
5. Your new password will now be required to unlock your drive.
6.0 BitLocker Recovery Key

Although very rare, some specific events may cause BitLocker to enter recovery mode when attempting to start your laptop. If you are unable to unlock your drive, or your laptop enters BitLocker recovery mode, you can retrieve your unique recovery key from our self-service portal.

6.1 Retrieving your recovery key from the self-service portal

Steps to retrieve your recovery key:

1. If not at the BitLocker recovery screen, press Esc to enter BitLocker recovery.
2. You will need to use your recovery key ID, highlighted below, to retrieve your recovery key from the self-service portal.
3. Open a web browser and navigate to: http://crwnmbam1.staff.staffs.ac.uk/selfservice
4. Enter your staff username and password to gain access to the portal.
5. Please read the policy notice page, tick the confirmation box and click Continue.
6. You will now be directed to the self-service recovery key page. Follow the 3 steps as instructed using your recovery key ID from step 2.