University Managed PCs - BitLocker Encryption
The University Information Security Project Board has requested a default security setting for all University managed devices to have hard disk drive (hdd) encryption enabled. The Directorate of Academic Support has commissioned an enterprise standard hard disk drive encryption tool for all devices using the Microsoft Windows operating system.
The term BitLocker Encryption refers to the Microsoft BitLocker hdd encryption technology. From June 2016 this technology will be deployed to all University Windows managed devices as a continuing programme of installations.
The delivery of the BitLocker Encryption technology marks the start of a comprehensive Information Security (InfoSec) improvement programme for the University of Wolverhampton. The InfoSec programme aims to deliver the following, which will provide enhanced data processing capacity and security for all staff:
- New security information tools
- Staff training opportunities
Device Encryption – Microsoft BitLocker
BitLocker Encryption will be enabled on all staff University Windows desktops and laptops through an automated network profile update. This action is triggered when a University device is connected to the network. The deployment of Microsoft BitLocker has been targeted at managed staff laptops, and we have successfully encrypted nearly 90% of our managed laptop estate. The Microsoft BitLocker encryption rollout for desktops will commence from January 2017.
Maintaining Business Continuity – User Deployment Options
Users can implement the encryption process themselves. Users may postpone the encryption process for a period of up to 21 days. This deployment option is provided to ensure that the encryption process is completed with minimal impact on critical business use of the device.
Desktop encryption will not require a PIN; users will be prompted to encrypt their devices at logon following deployment of the software to desktops.
BitLocker User Guide
The BitLocker User Guide (PDF 1,802K, Downloads file) provides the following instructions:
- How to encrypt a device
- How to log on to a device which has been encrypted
- What to do if you forget your PIN for laptops
BitLocker Encryption Q&As
Yes, the current policy is that all staff University managed devices require hdd encryption to be enabled in order to comply with the current Information Commissioner's Office guidance regarding enterprise device management. Confidential data may only be stored on devices which comply with the provisions of the Information Governance Policy.
Encrypting the hdd will usually take between 1 and 2 hours, depending on the amount of data already stored on the hdd and the available space to complete the process. More data and less space means encryption time will increase.
No, the encryption does not require the device to be connected to the network once it has commenced, so you can start the process on the University network, disconnect the device and the process will continue when the device is next repowered – at home, travelling etc.
Yes, you can shut down your desktop device at any point during encryption; the process will resume when the device is powered back up again.
Yes, you can continue using the device whilst encryption is taking place. If this is interrupted (e.g. you have switched off your device) the encryption process will carry on.
You need to keep the device connected to the mains power supply during the encryption process.
A PIN is a Personal Identification Number, which is required to open your laptop and access data from the encrypted hdd. You will need to select a numeric PIN for the laptop; this has to be at least 4 digits long.
PLEASE NOTE: A PIN will only be used for laptop encryption; desktops will not require a PIN at logon.
No, shared laptops will not require a PIN; users will be prompted to encrypt their devices at logon following deployment of the software.
PLEASE NOTE: Users are reminded that in no circumstances should personal or commercially sensitive data be stored on shared laptops. Storage of such data on shared devices is a breach of University policy.
There are two options for recovering a PIN for your device:
BITLOCKER ENCRYPTION - SELF SERVICE PORTAL
The BitLocker Self Service Portal provides an online tool where you can gain access to an encrypted device without the need to contact the IT Service Desk.
IT SERVICE DESK RESET
If for whatever reason you are unable to access the BitLocker Self Service Portal you can contact the ITS Service Desk via ext.2000 / firstname.lastname@example.org, who can assist you to regain access to your device.
IMPORTANT NOTE – BITLOCKER SELF SERVICE PORTAL
The BitLocker Self Service Portal recovery process is only available to those users who have already successfully accessed the device. In all other circumstances you will need to contact the IT Service Desk (ext.2000) for assistance.
Your BitLocker encryption password (or PIN).
All University staff devices are protected by a feature called encryption. In simple terms this adds an extra layer of security onto your device so that in the event of theft or cybercrime activity, your laptop is protected by another password, as well as the one you use to log-in to University systems and services.
When you first start using your laptop you will be prompted on screen to set up your BitLocker encryption. This process involves creating a PIN or password of your choice and can take a couple of hours, but you can work while it runs. Your device does need to be plugged into the mains power supply before you start the process.
We strongly recommend using a different password to your main University account password.
After set up, every time you shut down your device and fire it up again, you will be asked to enter your BitLocker PIN or password, before signing into your University account. Your PIN or password can be a mixture of characters with a minimum of 4 and maximum of 20.
What do I do if I lose my BitLocker password?
If you lose or forget your BitLocker PIN or password, you can recover it by doing either of the following (your device should be in “Recovery mode” by this point, which means it should display its BitLocker key ID):
- Emailing the Service Desk using email@example.com, quoting your BitLocker key ID (first eight characters will suffice) to the Service Desk Advisor along with any other information requested. You will then be required to enter a 64-character code (“the recovery key”) in the field on your laptop, which will unlock your drive.
- Using the self-service portal, available on any web-connected device at this address: https://mblweb.unv.wlv.ac.uk/SelfService/ You will need to log in to the portal using your University username and password, accept the Terms and Conditions notice, and then follow the on-screen instructions to generate the 64-character recovery key.