Windows BitLocker Encryption
ITS uses Windows native Bitlocker encryption with recovery management through Sophos SafeGuard for Windows 10 and Windows 7 Enterprise computers. Bitlocker encryption is applied to most Windows computers on campus but if you have Windows 7 Professional please visit our encryption support page - Windows 7 Professional Encryption.
Why encrypt? By encrypting the data on your computer, you are preventing someone from accessing your data without your password. Unencrypted computers can easily be accessed by removing the hard drive and attaching it to another computer. After the quick process of encrypting your hard drive through ITS, this is no longer a possiblity.
Index:
- Changes to your computer with Bitlocker
- Bitlocker Recovery
- Making a backup of your recovery key / Checking Bitlocker Status
- Get SafeGuard Version and How to sync to our servers
- Troubleshooting Bitlocker Encryption
Changes to your computer with Windows Bitlocker Encryption
Once your computer has been encrypted with Bitlocker, you may notice some minor changes to the way things look on your computer.
New Windows Login with circular SafeGuard logo (white)
New Sophos SafeGuard icon in your taskbar (bottom right side of screen)
New Hard Drive icon with lock in This PC/My Computer explorer window
BitLocker Recovery
If you power on your computer and you're presented with a screen similar to the one below, you need to follow the Bitlocker recovery process below.
Recovery via Bitlocker Recovery Key
If you're presented with a screen similar to the one above asking for a "recovery key". Please contact your local support technician or email help@ucsc.edu including the keywords "bitlocker recovery key". A support technician will confirm your identity over the phone and provide you the Bitlocker recovery key so you can continue to log in to your computer.
Recovery via Bitlocker Challenge/Response
Some Windows computers support Bitlocker Challenge/Response so the recovery screen will instead ask for a USB drive to perform the recovery. To get to challenge response screen, restart the computer and during boot it will ask you to hit any key to enter Challenge/Response. You will then be shown a "Challenge" string of characters and a support technician can assist you providing a "Response" string of characters that will unlock your PC and allow you to log in normally.
Please contact your local support technician or email help@ucsc.edu including the keywords "bitlocker recovery challenge/response". A techncian will then contact your over the phone or schedule a visit to your computer. Follow the directions below right before you get in contact with a technician to access the Bitlocker Challenge/Response recovery screen.
Accessing Bitlocker Challenge/Response for Recovery
If your computer supports recovery via Bitlocker Challenge/Response then you will see some text on a black screen while your computer boots up.
"Press any key in 3 seconds to start C/R for Bitlocker Recovery.
"
If you are presented the blue screen above asking for a USB drive and Bitlocker recovery, then you need to restart and press any key during the presentation of the above message while your computer is starting to enter Bitlocker C/R. You will then be brought to the Bitlocker Challenge/Response recovery screen where you will read the "Challenge" code to a technician.
Making a Backup of your Recovery Key / Check the status of Bitlocker
If you are concerned about not having a backup of your recovery key you can make a copy for yourself. This process requires that you have the ability to be an admin on your computer. You will know if you are or not based on the options presented to you in the instructions below.
Security Warning: We recommend you store your recovery key in a password manager, do not leave it out in the open as it allows access to your data, and remember -- you should never give your recovery to anyone else (ITS will never ask for your recovery key).
Create Bitlocker Recovery Key Backup Process:
- Select the Windows start button
- Type "Bitlocker", if you get no results, erase what you just typed and type it again (issue with Windows indexing)
- Select "Manage Bitlocker"
-
- Select "Back up your recovery key" from the Manage Bitlocker options (you won't see these options if you're not an admin)
- Select key export option:
- Save to USB flash drive: You can use this method temporarily but once you have your recovery key we recommend you transfer the key to a password manager. If you lose your key please contact ITS as we can cycle your encryption key.
- Save to a file: We do not recommend this option. You will not be able to save to the local encrypted system drive.
- Print the recovery key: With this method you can either print your recovery key to a printer or pdf to your local system hard drive. If you print to a physical printer do not leave your recovery key out in the open, be ready at the printer, transfer the key to a password manager, and securely shred your printed key. PDF - save key to desktop, transfer key to password manager, delete the pdf key, and empty your trash in Windows.
- If you ever ever go into Bitlocker Recovery and use this recovery key, the key will be swapped and you'll have to complete this process again for the new key. Once you login, after Bitlocker Recovery, you must suspend Bitlocker encryption from the same menu as above and restart once. This will assure your system will not lock up again in the immediate time period. If you have any questions, please contact help@ucsc.edu with subject "backup bitlocker recovery key".
Get SafeGuard Version and Sync
Sync Sophos SafeGuard on Windows
- View your Windows desktop and browse to the SafeGuard taskbar icon and right-click
- Select "Synchronize"
- From the same menu, select "Status..." to confirm the sync completed successfully
Get Sophos SafeGuard Version Information on Windows
- View your Windows desktop and browse to the SafeGuard taskbar icon and right-click (images above)
- Select "About Sophos SafeGuard..."
Troubleshooting BitLocker Encryption
After campus computer encryption has been installed, you may, on rare occassions, get error messages. Please check out this section to attempt resolving the issue before creating a help ticket.
Second Login after Windows login
After logging in through the Windows login screen, you have to login again. With SafeGuard message, "Please enter your password to complete login." To fix, logoff of your account or restart, and make sure to login through the SafeGuard branded login. It should nearly match the login screen above at the top this page with the shield. If not, please select either "switch user" or "other user" to reveal additional login screens.
Pop-up after login - Provide your old password
After logging in through the Windows login screen, you have to login again. With SafeGuard message, "Sophos SafeGuard was unable to complete your login. If you have recently changed your Windows password, please enter the "OLD" password now." This issue occurs when your password was changed outside of the local computer you are working on (e.g. you had your AD password reset). Please contact your local support technician or email help@ucsc.edu including the keywords "safeguard needs old password"
TPM error
Possible Solution: Please check Bigfix Self-Service to see if there are any updates for Sophos SafeGuard to install. Please contact your local support technician or email help@ucsc.edu including the keywords "bitlocker could not be enabled"
Key Ring cannot be opened
When logging in this error may pop-up. This occurs when you're signing into an encrypted computer for the first time. No action is necessary, the following day after a restart you will not longer get this error when logging in.