Microsoft Windows provides a method to encrypt storage disks on a computer in order to protect the data against physical theft or loss. This full-disk encryption technology is named BitLocker and it can be used to protect sensitive data stored on local disks. BitLocker protects data when the computer is powered off or hibernating and to a lesser degree when the computer is sleeping.
Before enabling Microsoft BitLocker, ensure you are logged in to the computer with administrative rights. Access to a printer will allow the printing of the recovery key and documentation that encryption was performed. Consider backing up important documents before you begin. Additionally, the device to be encrypted must meet the two requirements below:
- Operating System
  - Windows 7 Ultimate or Enterprise
  - Windows 8 Professional or Enterprise
  - Windows 10 Professional or Enterprise
- Trusted Platform Module (TPM) chip
- First, ensure that the TPM is set up and that you have taken ownership of it. For more information on turning on the TPM, visit https://technet.microsoft.com/en-us/library/cc754524%28v=ws.11%29.aspx.
- Download FVE.zip, a file containing UNC’s BitLocker configuration.
- Extract or open the zipped file. Right-click on the file and select ‘Run as administrator’. This will apply the University’s BitLocker configuration.
Note: it will execute quickly, but you may briefly see a black box.
- Type ‘bitlocker’ into the search box, then click Manage BitLocker from the results as shown below.
- For your local drives such as “C:” and “D:” click “Turn On BitLocker”.
- A window will appear describing the steps needed to enable BitLocker protection. Click “Next” to continue in this process.
- Next you will be prompted to save a PIN.
- You will be prompted to save the recovery key in case you forget your PIN. Print the recovery key and store it safely and do not lose it. If you lose this key, IT staff will not be able to recover your data in the event of a problem. Consider utilizing this form: encryptionchecklist_template to document the encryption of your device.
- Choose how to encrypt the drive as shown below.
- Make sure to choose to encrypt the entire drive unless this computer is brand new and it is being configured for use.
- Leave the default setting for encryption mode unless using external drives.
- A window will ask you if you are ready to proceed with the encryption of the drive. Click “Continue” to proceed and run a system check.
- You will be notified that BitLocker will begin after the computer is restarted.
- After restarting, log in using your PIN as shown in the next section.
With BitLocker enabled with a PIN, the computer will utilize a different method for startup. When the PC is powered on or restarted, a Microsoft BitLocker prompt will appear and ask for the PIN.
If you have forgotten your PIN, you will need a BitLocker recovery password in order to log in to the computer. You should retrieve the document you printed earlier from the Enabling BitLocker section. If you have lost this document, you will not be able to recover your data. If your computer is managed by Information Technology Services or another University organization, contact that organization for assistance.
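To confirm the outcome of the procedure above from an elevated PowerShell prompt, the following check (an added example, not part of the University's instructions or of FVE.zip) reports whether the TPM prerequisite is met and whether a drive ended up fully encrypted with a PIN and a recovery password. It assumes Windows 8 or later, where the `Get-Tpm` and `Get-BitLockerVolume` cmdlets are available; the function name `Test-BitLockerSetup` and the default drive letter are illustrative.

```powershell
# Added example: verify the TPM prerequisite and the BitLocker state of one drive.
# Run from an elevated prompt. Assumes Windows 8 or later (cmdlets are absent on Windows 7).
function Test-BitLockerSetup {
    param([string]$MountPoint = 'C:')   # assumed default; pass 'D:' for a second drive

    $findings = @()

    # Requirement from the list above: a TPM that is present, ready, and owned.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $findings += 'No TPM detected.' }
    elseif (-not $tpm.TpmReady) { $findings += 'TPM present but not ready for use.' }
    elseif (-not $tpm.TpmOwned) { $findings += 'TPM ownership has not been taken.' }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Encryption keeps running after the restart; anything short of 100% is incomplete.
    if ("$($vol.VolumeStatus)" -ne 'FullyEncrypted') {
        $findings += "Volume status is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)."
    }
    # Protection 'Off' means the key is exposed on disk (for example, BitLocker suspended).
    if ("$($vol.ProtectionStatus)" -ne 'On') {
        $findings += 'BitLocker protection is not on.'
    }

    # Collect protector types only; the recovery password itself is never displayed.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # The startup PIN applies to the operating system drive, not to data drives.
    if ("$($vol.VolumeType)" -eq 'OperatingSystem' -and $types -notcontains 'TpmPin') {
        $findings += 'No TPM+PIN protector: the drive unlocks at startup without a PIN.'
    }
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector: a forgotten PIN cannot be recovered.'
    }

    [pscustomobject]@{
        MountPoint = $MountPoint
        Protectors = $types -join ', '
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-BitLockerSetup -MountPoint 'C:' | Format-List
```

An empty `Findings` list with `Compliant : True` is a result worth recording alongside the printed recovery key documentation.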