Enabling Bitlocker Encryption on Windows Devices

Summary

Details the process of syncing Intune policy to a Windows PC and then enabling Bitlocker on a UTM-owned Windows PC.

Body

Bitlocker is Microsoft's tool for encrypting the data on your device. The UT System requires all Windows PCs to have Bitlocker enabled. This is a short process that only requires completing a few prompts. Encryption helps keep your device safe from ransomware and is an essential tool for protecting UTM data. This article shows the process of accepting the prompts and getting Bitlocker enabled on your device.

Once the process is complete, Bitlocker will not be noticeable on a day-to-day basis, and in most cases you should never have to think about it again.

It is important to note that this Bitlocker policy will not encrypt your device until it has stored a recovery key in a Microsoft tool called Azure AD, a cloud-based management tool that keeps information about your device. The recovery key is important because if your PC detects unusual behavior that could indicate an attempt to make malicious changes to your device, it will prompt you for the Bitlocker recovery key to ensure you are trusted to make those changes. Without the key, the PC stays locked, which prevents an attacker from stealing information or doing other damage to your system.


First, the Bitlocker policy comes from a cloud-based management solution from Microsoft named Intune. To receive this Bitlocker policy, your computer must be syncing with Intune. Most computers on campus already sync with Intune, but some will need to be synced manually to receive this policy. If you have been told that Bitlocker should be prompting you to enable it on your device but that has not happened, you can check a setting in Windows to see whether your device is syncing. This step is only necessary if you have not received the prompt within a full 24 hours of being told that you would see it.

Search for Access work or school in the Windows search bar at the bottom left or bottom center of your screen, then press Enter or click the Access work or school icon.



You should see a screen similar to this. Click the down arrow to the right of utm.edu, right under the Connect button, then click the Info button that appears below it.

A long page will appear with a Sync button near the bottom. Click the Sync button. If the sync succeeds, you should be good to go: the Bitlocker policy will be delivered to your device soon, and you will see the prompts to enable it after the policy finishes syncing. If you are prompted to sign in so the sync can complete, please do so.

If you receive an error after clicking the Sync button (and signing in if prompted), please call the HelpDesk at 731-881-7900 and they will help you get synced properly and with the rest of the Bitlocker process.

Once you have synced with Intune, you will start receiving policy, and Bitlocker should prompt you to enable it. Delivery of the policy to your computer may not be immediate and could take up to 24 hours from when you begin syncing with Intune.
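For a quicker check than the Settings pages above, the join and enrollment state that Intune policy depends on can be read from the built-in dsregcmd tool. The following is an added example, not part of the original article or an ITS tool; the Get-DsregField helper is a name chosen here, and the field names AzureAdJoined and MdmUrl are the ones dsregcmd prints in its status report.

```powershell
# Added example (not part of the original article): check whether this PC is
# Azure AD joined and enrolled with an MDM (Intune) before expecting the policy.
# Runs in a normal (non-elevated) PowerShell window; dsregcmd ships with Windows 10/11.
$status = dsregcmd /status

# dsregcmd prints "Name : Value" lines; this helper (a name chosen for this
# example) returns the value for one field, or $null if it is missing.
function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

$joined = Get-DsregField -Lines $status -Name 'AzureAdJoined'
$mdmUrl = Get-DsregField -Lines $status -Name 'MdmUrl'

if ($joined -ne 'YES') {
    Write-Host "Not Azure AD joined: Intune policy cannot be delivered. Call the HelpDesk."
} elseif ([string]::IsNullOrEmpty($mdmUrl)) {
    Write-Host "Azure AD joined but no MDM enrollment found: use Access work or school > Info > Sync."
} else {
    Write-Host "Azure AD joined and MDM enrolled ($mdmUrl): policy should arrive within 24 hours of syncing."
}
```

The third branch is the healthy state; the other two match the cases where the article tells you to sync manually or call the HelpDesk.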

The steps below detail which options to choose when enabling Bitlocker.

The prompt will state that encryption is needed. When you click this notification, you will see options to enable Bitlocker and some explanation of the process.

Remember that the Bitlocker policy will not allow your device to be encrypted unless the recovery key is already stored in Azure AD, another cloud-based solution from Microsoft. Without a recovery key, Bitlocker could not be removed and you would lose access to the data on the PC, but the recovery key will already have been stored before Bitlocker encryption is possible on your device. This is how Bitlocker helps us protect against cyberattacks that would harm your computer. Some cyberattacks seek to encrypt your data and then force you to pay to regain access to it. If we have already encrypted the data with Bitlocker, an attacker will not be able to lock you out of your device in the same way.

After clicking the notification, you will be prompted to start the process and asked whether you have already encrypted your device. ITS has not previously enabled drive-level encryption on UTM devices, so your device will not already be encrypted unless you manually did so with a tool other than Bitlocker or Windows device encryption. If you believe you may have already encrypted your device, please contact ITS so we can verify this and remove the previous encryption before you proceed.
To check if your device is encrypted, open File Explorer and navigate to This PC.

If a drive on your device is encrypted, a padlock icon is shown on it, as on this OSDisk C: drive.


If your device is not encrypted, click the top option, labeled "I don't have any other disk encryption software installed, encrypt all my disks", then click Yes.


Next you will be prompted to choose where to save your recovery key. By default, and without exception, your recovery key is saved to your device's Azure AD account. You should also click the Save to your Azure AD account option in order to continue through the prompts. If you ever need your key in the future, please contact ITS at 731-881-7900 to receive it.

You will now be asked which part of the drive should be encrypted. Always select Encrypt entire drive unless you have just received a new PC and have not yet used it.

The next prompt is the final one before encryption starts. Click Start Encrypting to begin the process, which can take around 30 minutes depending on how much data you have. You can still use your device while it is being encrypted.

The final prompt is a progress bar showing how much of your device has been encrypted; it will eventually change to say encryption is complete and offer a Finish option. Please do not click the Close button during encryption, or the process will have to be started again.

After this, you are done and your device is encrypted. You may check the status of your Bitlocker encryption by searching for Bitlocker in the Windows search bar, where you will see a few different options.

In certain circumstances, typically when a drive is going to be temporarily removed from the device (this would be done by IT), we may suspend protection in order to service your device. You can also choose to back up your recovery key again from this menu, with the same options as before, such as your Azure AD account or a USB drive.
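The status check and the "back up your recovery key again" option from the two paragraphs above can also be done from PowerShell with the BitLocker module that ships with Windows. This is an added example, not part of the original article or an ITS script; it assumes an elevated (Run as administrator) PowerShell window, since key protector details are only visible to administrators, and it deliberately never displays the 48-digit recovery password itself.

```powershell
# Added example (not part of the original article): report BitLocker status for
# every volume, confirm a recovery password protector exists, and re-upload that
# protector to the device's Azure AD object (the same thing the
# "Save to your Azure AD account" option does). Requires an elevated PowerShell.
Import-Module BitLocker

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    Write-Host ("{0}: status={1}, protection={2}, encrypted={3}%" -f
        $mp, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage)

    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "  Not encrypted; complete the Bitlocker prompts described above."
        continue
    }

    # The recovery password protector is the key ITS keeps in Azure AD.
    $rp = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        Write-Host "  No recovery password protector found; contact the HelpDesk before relying on this drive."
        continue
    }

    # Only the protector ID is needed for the backup; never print $rp[0].RecoveryPassword.
    $id = $rp[0].KeyProtectorId
    Write-Host "  Recovery password protector present (ID $id)."

    # Re-upload to Azure AD. Harmless if the key is already stored; it fails with an
    # error (not silently) if the device is not Azure AD joined.
    try {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $id | Out-Null
        Write-Host "  Recovery key backed up to Azure AD."
    } catch {
        Write-Host "  Backup to Azure AD failed: $($_.Exception.Message)"
    }
}
```

A healthy device shows status FullyEncrypted, protection On, and a recovery password protector for the OS drive. Suspending protection for hardware service (which the article says IT performs) is the separate Suspend-BitLocker cmdlet and is intentionally not part of this check.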

 

If you have additional questions or concerns, please reach out to the HelpDesk at 731-881-7900.

Details

Article ID: 162161
Created
Wed 10/16/24 2:06 PM
Modified
Thu 10/17/24 4:41 PM