Enable BitLocker for Full Disk Encryption on Student Computers


Instructions here are provided as a courtesy only, for students to set up BitLocker in compliance with CUIMC requirements.
IMPORTANT: Computers used for work - including any personally owned - must have BitLocker set up by the department or division's Certified IT Group, as per CUIMC Information Security Requirements.

Instructions

Before enabling BitLocker, please complete all preparation steps and change the default encryption method to AES-256 to meet University requirements.

  1. Make sure the computer is plugged into a power source rather than running on battery. The initial full disk encryption may take a long time to complete. It is OK to work on the computer, though it may run slower than usual.
  2. Sign in to the computer using an account with Administrative rights.
  3. Open the Control Panel: right-click on the Start button in the lower left and select Control Panel from the menu that appears, or type "Control Panel" into the Search box.
  4. Select the BitLocker Drive Encryption link. You may need to select a System and Security link first.
    Screenshot: BitLocker link in Control Panel
  5. Select the Turn On BitLocker link to the right of your computer's operating system drive, usually labeled as (C:).
    Screenshot: Turn on BitLocker link
  6. BitLocker will run a check of the computer to make sure it meets system requirements.
    Screenshot: Checking PC message
    • If your computer meets the requirements it will display the next steps, which can include drive preparation, turning on the TPM, and encrypting the drive.
    • If you see the message "A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found", click the Cancel button to exit BitLocker and follow the instructions to Check and Activate TPM at the bottom of the Prepare a computer for BitLocker article.
    • Any other message indicating that BitLocker is not compatible should include specifics with a link to help files on why BitLocker could not be enabled.
  7. Follow the prompts in the BitLocker Drive Encryption wizard for additional steps. Some may require restarting the computer; always log in using an account with Administrative rights.
    • Prepare your drive for BitLocker creates a separate area, or "partition", on the hard drive for the files used at boot that cannot be encrypted. The partition is not given a drive letter and is not shown when browsing the computer, to prevent other data from being stored there.
    • Turn on the TPM security hardware may require restarting the computer and following on-screen instructions to modify the TPM before Windows starts. This is necessary even if you have already activated the TPM.
      Screenshot: example of a prompt to modify the TPM. Your computer's instructions may be different.
  8. Before encrypting, BitLocker will prompt you to Save or Print the recovery key. The recovery key will be needed if the computer's login password is forgotten or other issues arise that prevent access to the encrypted drive.
    • Print the key - if possible, make sure the printout cannot be intercepted by others or retained in the printer's memory. Keep the printout in a safe place you will remember.
    • Save to a file or USB memory stick - a digital copy, which cannot be saved on the hard drive being encrypted. Choose a secure location such as a small flash drive that is kept in a locked drawer and not used for other files.
    IMPORTANT: BitLocker will test the recovery key after restart, so if the key can only be accessed over a network connection, or is on an encrypted memory stick or another medium the computer cannot read when it first starts up (before Windows loads), print a copy or open the file and write down the key so you can type it in instead.
    • If there is an option to Save to your Microsoft account, do not select it; general Microsoft accounts are not covered by the Business Associate Agreement with CUIMC that is required for storing keys or information.
    Click the Next button when you have successfully printed and/or saved the key.
  9. If you are prompted to Choose how much of your drive to encrypt, select the option to Encrypt entire drive.
  10. At the Are you ready to encrypt this drive? prompt, check the option to Run BitLocker system check and click Continue. This verifies that the encryption, startup and recovery keys can be read by BitLocker and helps prevent issues, including permanent data corruption, that might occur during initial encryption.
    Screenshot: option to Run BitLocker system check
  11. Follow prompts to restart. After the system check passes, BitLocker will begin encrypting and display a message in the System Tray (near the clock in the lower right corner of the screen) regarding progress. To view continued status, click on the message or padlock icon in the System Tray to open the progress window.
    It is OK to work on the computer while it is encrypting, though it may run slower than normal.
    Screenshot: BitLocker encrypting status and icon
  12. When finished, the progress window will show a message that Encryption is complete.

Your BitLocker-encrypted hard drive is shown with a padlock icon when browsing the computer. When you sign in with a valid account and password, you will not notice any change; files are automatically decrypted and re-encrypted as you work.
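To confirm that the finished setup matches the requirements above (TPM in use, AES-256, entire drive encrypted, recovery key saved), here is an added PowerShell check; it is not part of the CUIMC instructions. It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules that ship with Windows 10 Pro/Enterprise, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the CUIMC page): verify the BitLocker state of the
# operating system drive against the requirements described in the article.
#Requires -RunAsAdministrator

$systemDrive = $env:SystemDrive                 # usually "C:"
$vol = Get-BitLockerVolume -MountPoint $systemDrive
$tpm = Get-Tpm

# Encryption methods that satisfy the AES-256 requirement. XTS-AES 256 is the
# modern mode; AES 256 (CBC) is the older one still accepted by the policy.
$acceptableMethods = @('XtsAes256', 'Aes256')

# Key protector types present on the volume, as plain strings.
$protectorTypes = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

$checks = [ordered]@{
    'TPM present and ready'               = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    'Encryption method is AES-256'        = ($acceptableMethods -contains $vol.EncryptionMethod.ToString())
    'Volume fully encrypted'              = ($vol.VolumeStatus.ToString() -eq 'FullyEncrypted' -and $vol.EncryptionPercentage -eq 100)
    'Protection is on (not suspended)'    = ($vol.ProtectionStatus.ToString() -eq 'On')
    'TPM key protector configured'        = ($protectorTypes -contains 'Tpm')
    'Recovery password protector exists'  = ($protectorTypes -contains 'RecoveryPassword')
}

$failed = 0
foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL'; $failed++ }
    '{0,-38} {1}' -f $name, $state
}

# Show the raw status too, so the encryption method can be cross-checked by eye.
manage-bde -status $systemDrive

if ($failed -gt 0) { Write-Warning "$failed check(s) failed; see output above." }
```

If the encryption method reports XtsAes128 or Aes128, the cipher was not changed before encryption; BitLocker cannot switch ciphers in place, so the drive would need to be decrypted and then encrypted again after the AES-256 default is set.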