Preparing BitLocker Encryption on Student Computers


Instructions here are provided as a courtesy only for students to set up BitLocker in compliance with CUIMC requirements.
IMPORTANT: Computers used for work, including any personally owned computers, must have BitLocker set up by the department or division's Certified IT Group, as required by the CUIMC Information Security Requirements.

Initial Preparation

Please complete every step. Skipping steps can cause problems up to and including permanent corruption of the files and data on the computer.

  1. You must have Administrative rights on the computer.
  2. Verify that the computer is compatible:
    • It runs the Pro or Enterprise edition of Windows 10 or Windows 8.1 (Home editions do not include BitLocker)
    • It is not joined to a domain
    • It must have TPM 1.2 or higher. Instructions below will help you check for and activate TPM if needed.
  3. Have a secure place to store the Recovery key. The key is created when BitLocker is first enabled and is the only way to unlock the drive if the password is forgotten or the TPM detects a change to the start-up environment (for example after a firmware update or a hardware repair). Options are:
    • Printing the key - requires a working printer connection. Make sure the printout cannot be intercepted by others and is not retained in the printer's memory.
    • Saving to a file on a USB flash drive - a digital copy, which cannot be saved on the computer being encrypted. A small flash drive kept in a locked drawer and not used for any other files is recommended.
    To test the Recovery key during initial encryption, or to use it later, it must be typed in at the BitLocker recovery screen or be on a drive the computer can read before Windows starts. A key saved on a network share or on an encrypted flash drive will not be readable at that point, because neither the network nor the encrypted drive is available before Windows loads.
  4. Make sure the computer is not already encrypted by BitLocker or any other product; if it is, fully decrypt it first.
  5. Run a full backup of your data in case the initial encryption corrupts anything.
  6. Make sure all other University requirements are met, including a strong password to log in to the computer, an automatic password-protected screensaver, up-to-date anti-virus/anti-malware software, and all critical Windows Updates applied.
  7. BitLocker's default cipher strength (128-bit AES) must be changed to AES-256 before encryption starts; the cipher cannot be changed afterwards without decrypting and re-encrypting the drive. The setting is in the Local Group Policy Editor (gpedit.msc) under Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > "Choose drive encryption method and cipher strength".
  8. The computer must stay plugged in to AC power while BitLocker performs the initial encryption.
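The script below is an added example written for this page; it is not a CUIMC or Microsoft script. Run from an elevated PowerShell window, it checks the items in steps 1, 2, 4, 7 and 8 above (including the TPM presence and version check that the "Checking and Activating TPM" section does through the BIOS) and, with the -SetAes256Policy switch, writes the Group Policy registry values behind the setting named in step 7. It assumes Windows 10 (version 1511 or later), where the policy is stored under the EncryptionMethodWithXts* value names; the file name PreflightBitLocker.ps1 and the output format are the author's choices. Steps 3, 5 and 6 cannot be verified by script.

```powershell
#Requires -RunAsAdministrator
# PreflightBitLocker.ps1 (hypothetical name) - added example for this page, not a CUIMC or
# Microsoft script. Checks steps 1, 2, 4, 7 and 8 of "Initial Preparation" on Windows 10
# Pro/Enterprise (1511 or later). Run from an elevated PowerShell window before starting
# the BitLocker wizard.
param(
    # Write the Group Policy registry values that force XTS-AES 256 (step 7).
    [switch]$SetAes256Policy
)

$results = [ordered]@{}

# 1. Administrative rights (the #Requires line already aborts if the window is not elevated).
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
$results['Admin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. Edition: BitLocker ships only in Pro, Enterprise and Education; Home editions lack it.
$os = Get-CimInstance Win32_OperatingSystem
$results['ProOrEnterprise'] = [bool]($os.Caption -match 'Pro|Enterprise|Education')

# 2. Not joined to a domain.
$results['NotDomainJoined'] = -not (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# 2. TPM present, ready for use, and spec version 1.2 or higher.
#    Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the version.
$tpm    = Get-Tpm
$tpmWmi = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
$tpmVersion = if ($tpmWmi) { [version](($tpmWmi.SpecVersion -split ',')[0].Trim()) } else { [version]'0.0' }
$results['TpmReady'] = $tpm.TpmPresent -and $tpm.TpmReady -and ($tpmVersion -ge [version]'1.2')

# 4. Not already encrypted: BitLocker must report the OS drive as fully decrypted.
$osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['NotEncrypted'] = ($osVolume.VolumeStatus -eq 'FullyDecrypted')

# 7. Cipher policy. "Choose drive encryption method and cipher strength" is stored here:
#    3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if ($SetAes256Policy) {
    New-Item -Path $fve -Force | Out-Null
    foreach ($name in 'EncryptionMethodWithXtsOs', 'EncryptionMethodWithXtsFdv', 'EncryptionMethodWithXtsRdv') {
        Set-ItemProperty -Path $fve -Name $name -Value 7 -Type DWord
    }
}
$method = (Get-ItemProperty -Path $fve -Name EncryptionMethodWithXtsOs -ErrorAction SilentlyContinue).EncryptionMethodWithXtsOs
$results['Aes256Policy'] = ($method -eq 7 -or $method -eq 4)   # either 256-bit mode satisfies step 7

# 8. On AC power. A desktop reports no battery; on a laptop BatteryStatus 2 means "on AC power".
$battery = Get-CimInstance Win32_Battery
$results['OnAcPower'] = (-not $battery) -or ($battery.BatteryStatus -eq 2)

# Report. Steps 3, 5 and 6 (recovery key storage, backup, other University requirements)
# cannot be verified by script and must be confirmed by hand.
$failed = 0
foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'OK ' } else { $failed++; 'FIX' }
    '{0} {1}' -f $state, $entry.Key
}
if ($failed -eq 0) { 'Ready to enable BitLocker with XTS-AES 256.' }
else { "$failed check(s) need attention before enabling BitLocker." }
```

Run it once without the switch to see what still needs fixing, then with -SetAes256Policy to apply the cipher setting; run it a final time and confirm every line reads OK before opening the BitLocker wizard. The policy value must be in place before encryption begins, because BitLocker reads it only when encryption is first turned on.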

Run BitLocker to Check Your PC's Configuration

If preferred, you can start BitLocker and let its initial configuration check verify that your computer meets the system requirements, then cancel setup before encryption begins. For more help see the instructions for running the configuration check. Note that you will still need to perform the backup and the other steps above before enabling BitLocker, both to comply with University requirements and to avoid possible loss of data.

Checking and Activating TPM

If you need to check for TPM on your computer or activate it, please follow the instructions below.

The TPM (Trusted Platform Module) is a chip on the motherboard that measures the early "boot" or start-up components of the computer and releases BitLocker's master key only when those measurements match the ones recorded when encryption was enabled. If the start-up process has been tampered with or changed, the key is withheld and the computer asks for the Recovery key instead. TPM version 1.2 or higher is required for these instructions. Other methods are possible (such as a start-up key on a USB drive or a pre-boot password without a TPM), but they are not recommended for CUIMC student-owned computers.

WARNING: You will need to enter the computer's BIOS (or UEFI) settings, the firmware that runs an initial hardware check and then starts Windows. Be very careful when making changes in the BIOS and do not adjust other settings unless you are sure what they do.

  1. Enter the computer's BIOS settings by pressing the appropriate key(s) on the keyboard when the computer is first starting up.
    The key(s) vary by make and model. Most computers will briefly display a message near the corner or bottom of the screen such as "Press F1 to enter setup" or "BIOS settings: Esc". If you do not see it try restarting again, or look up instructions for your model on the manufacturer's website.
  2. In the BIOS settings navigate to TPM. It may be under a Security heading.
    If TPM is not listed, the computer does not have a TPM chip (on a few models the setting is hidden until a BIOS administrator password is set; check the manufacturer's documentation).
    [Image: TPM in BIOS Settings]
  3. In the TPM settings make sure the TPM is set to Activated or Enabled (the exact wording varies by manufacturer).
  4. Follow the instructions in the BIOS settings to save your changes and exit. The computer will finish starting up as usual.

Once the TPM is activated, make sure you have completed all of the preparation steps on this page and have changed the default BitLocker setting to AES-256 encryption before enabling BitLocker.