Windows BitLocker Encryption

ITS uses Windows native BitLocker encryption, with recovery management through Sophos SafeGuard, for Windows 10 and Windows 7 Enterprise computers. BitLocker encryption is applied to most Windows computers on campus; if you have Windows 7 Professional, please visit our encryption support page, Windows 7 Professional Encryption.

Why encrypt? Encrypting the data on your computer prevents someone from accessing it without your password. An unencrypted computer can easily be read by removing the hard drive and attaching it to another computer. After the quick process of encrypting your hard drive through ITS, this is no longer a possibility.

Changes to your computer with Windows BitLocker Encryption

Once your computer has been encrypted with BitLocker, you may notice some minor changes to the way things look on your computer.

New Windows Login with circular SafeGuard logo (white)


New Sophos SafeGuard icon in your taskbar (bottom right side of screen)

New Hard Drive icon with lock in This PC/My Computer explorer window


BitLocker Recovery

If you power on your computer and you're presented with a screen similar to the one below, you need to follow the BitLocker recovery process described in this section.

(Screenshot: BitLocker recovery screen; the computer cannot boot and asks for a recovery key)

Recovery via BitLocker Recovery Key

If you're presented with a screen similar to the one above asking for a "recovery key", please contact your local support technician or email help@ucsc.edu including the keywords "bitlocker recovery key". A support technician will confirm your identity over the phone and provide the BitLocker recovery key so you can continue to log in to your computer.

Recovery via BitLocker Challenge/Response

(Screenshot: BitLocker Challenge/Response recovery screen)

Some Windows computers support BitLocker Challenge/Response, so the recovery screen will instead ask for a USB drive to perform the recovery. To get to the Challenge/Response screen, restart the computer; during boot it will ask you to hit any key to enter Challenge/Response. You will then be shown a "Challenge" string of characters, and a support technician can assist you by providing a "Response" string of characters that will unlock your PC and allow you to log in normally.

Please contact your local support technician or email help@ucsc.edu including the keywords "bitlocker recovery challenge/response". A technician will then contact you over the phone or schedule a visit to your computer. Follow the directions below, right before you get in contact with a technician, to access the BitLocker Challenge/Response recovery screen.

Accessing BitLocker Challenge/Response for Recovery

If your computer supports recovery via BitLocker Challenge/Response, you will see some text on a black screen while your computer boots up.

"Press any key in 3 seconds to start C/R for Bitlocker Recovery."

If you are presented with the blue screen above asking for a USB drive and BitLocker recovery, you need to restart and press any key while the message above is displayed during startup to enter BitLocker C/R. You will then be brought to the BitLocker Challenge/Response recovery screen, where you will read the "Challenge" code to a technician.

Making a Backup of your Recovery Key / Checking the Status of BitLocker

If you are concerned about not having a backup of your recovery key, you can make a copy for yourself. This process requires that you are an administrator on your computer; you will know whether you are based on the options presented to you in the instructions below.

Security Warning: We recommend you store your recovery key in a password manager. Do not leave it out in the open, as it allows access to your data, and remember that you should never give your recovery key to anyone else (ITS will never ask for your recovery key).

Create BitLocker Recovery Key Backup Process:

  1. Select the Windows start button
  2. Type "BitLocker"; if you get no results, erase what you just typed and type it again (a Windows search indexing issue)
  3. Select "Manage BitLocker" from the search results
  4. Select "Back up your recovery key" from the Manage BitLocker options (you won't see these options if you're not an admin)
  5. Select key export option:
    • Save to USB flash drive: You can use this method temporarily, but once you have your recovery key we recommend you transfer it to a password manager. If you lose your key, please contact ITS, as we can cycle your encryption key.
    • Save to a file: We do not recommend this option. You will not be able to save to the local encrypted system drive.
    • Print the recovery key: With this method you can print your recovery key either to a physical printer or to a PDF on your local system hard drive. If you print to a physical printer, do not leave your recovery key out in the open: be ready at the printer, transfer the key to a password manager, and securely shred the printed key. For PDF: save the key to your desktop, transfer the key to a password manager, delete the PDF, and empty your Recycle Bin in Windows.
  6. If you ever go into BitLocker Recovery and use this recovery key, the key will be swapped for a new one and you'll have to complete this process again to back up the new key. Once you log in after BitLocker Recovery, you must suspend BitLocker encryption from the same menu as above and restart once. This ensures your system will not lock up again in the immediate time period. If you have any questions, please contact help@ucsc.edu with the subject "backup bitlocker recovery key".
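The same status check, recovery key backup, and one-restart suspend (step 6) from an elevated PowerShell window, as an added example that is not from the ITS page or from Sophos; it assumes the encrypted system drive is C: and that you are an administrator on the computer.

```powershell
# Added example (not ITS or Sophos code): check BitLocker status, show the recovery key
# protector, and optionally suspend protection for exactly one restart after a recovery.
# Run from an elevated ("Run as administrator") PowerShell; the BitLocker module ships with Windows 10.
#Requires -RunAsAdministrator

$MountPoint = "C:"   # assumption: the encrypted operating system drive is C:

# 1. Status: encryption state, whether protectors are active, and how far encryption has progressed
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0}  VolumeStatus={1}  Protection={2}  Encrypted={3}%" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

# 2. The 48-digit recovery key is the RecoveryPassword key protector. Its ID is what the
#    blue recovery screen displays, so you can confirm you have the matching key.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Write-Warning "No recovery password protector found on $MountPoint; contact your support technician."
    return
}
"Recovery key ID: $($rp.KeyProtectorId)"
"Recovery key:    $($rp.RecoveryPassword)"   # copy this into your password manager, then clear the window

# 3. After a BitLocker Recovery, suspend protection for the next restart only (step 6 above).
#    -RebootCount 1 makes BitLocker resume protection automatically after that single restart,
#    so you do not have to remember to turn it back on.
if ((Read-Host "Suspend BitLocker for the next restart only? (y/N)") -eq 'y') {
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    "Protection is now: " + (Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus
    "Restart the computer once; protection resumes on its own afterwards."
}
```

If the Manage BitLocker options are missing because you are not an administrator, Get-BitLockerVolume will fail with an access-denied error for the same reason.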

Get SafeGuard Version and Sync

Sync Sophos SafeGuard on Windows

  1. View your Windows desktop and browse to the SafeGuard taskbar icon and right-click
  2. Select "Synchronize"
  3. From the same menu, select "Status..." to confirm the sync completed successfully

(Screenshots: SafeGuard taskbar menu and the sync status window)

Get Sophos SafeGuard Version Information on Windows

  1. View your Windows desktop and browse to the SafeGuard taskbar icon and right-click (see the screenshots above)
  2. Select "About Sophos SafeGuard..."


Troubleshooting BitLocker Encryption

After campus computer encryption has been installed, you may, on rare occasions, get error messages. Please check this section to try to resolve the issue before creating a help ticket.

Second Login after Windows login

After logging in through the Windows login screen, you have to log in again, with the SafeGuard message "Please enter your password to complete login." To fix this, log off of your account or restart, and make sure to log in through the SafeGuard branded login. It should nearly match the login screen shown at the top of this page, with the shield. If not, please select either "Switch user" or "Other user" to reveal additional login screens.

Pop-up after login - Provide your old password

After logging in through the Windows login screen, you have to log in again, with the SafeGuard message "Sophos SafeGuard was unable to complete your login. If you have recently changed your Windows password, please enter the "OLD" password now." This issue occurs when your password was changed somewhere other than the local computer you are working on (e.g. you had your AD password reset). Please contact your local support technician or email help@ucsc.edu including the keywords "safeguard needs old password".

TPM error

Possible Solution: Please check BigFix Self-Service to see if there are any updates for Sophos SafeGuard to install. If the error persists, please contact your local support technician or email help@ucsc.edu including the keywords "bitlocker could not be enabled".

Key Ring cannot be opened

This error may pop up when logging in. It occurs when you're signing into an encrypted computer for the first time. No action is necessary; after a restart the following day, you will no longer get this error when logging in.