- If your workstation has been locked by BitLocker and is showing a screen like the example screenshot below, it has been locked for security reasons.
- Please contact Engineering Technical Services at
- Phone: (480) 965-2336
- Email: ETSClassroomSupport@asu.edu
- To unlock the workstation, please provide the first 8 digits of the recovery key ID (as shown “underlined in red” below):
- Once you have provided the first 8 digits of the recovery key ID, you will be given a “recovery key” to enter (as shown above with a red arrow) to unlock the workstation.
- You should be able to continue to use the workstation and login with your ASURite or ASUAD credentials.
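The lookup that Engineering Technical Services performs with those first 8 digits can be scripted on the help-desk side. The following PowerShell is an added example for this page, not ASU's or Microsoft's own tool. It assumes the RSAT ActiveDirectory module is installed, that the caller has been delegated read access to the confidential msFVE-RecoveryPassword attribute, and that the workstation's recovery password was backed up to its computer object in Active Directory; the function name and the sample host name and key prefix are placeholders.

```powershell
# Added example for help-desk staff; it is not ASU's or Microsoft's own tool.
# Assumptions: the RSAT ActiveDirectory module is installed, the caller has been
# delegated read access to the confidential msFVE-RecoveryPassword attribute, and
# the machine's recovery password was backed up to its computer object in AD.
Import-Module ActiveDirectory

function Find-BitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $KeyIdPrefix   # first 8 digits of the recovery key ID read off the locked screen
    )

    # Validate before the value reaches an LDAP filter: a recovery key ID is hexadecimal.
    if ($KeyIdPrefix -notmatch '^[0-9A-Fa-f]{8}$') {
        throw 'Key ID prefix must be exactly 8 hexadecimal characters.'
    }

    $computer = Get-ADComputer -Identity $ComputerName

    # Each escrowed recovery password is a child object of class
    # msFVE-RecoveryInformation whose name is '<timestamp>{<recovery GUID>}'.
    $filter = "(&(objectClass=msFVE-RecoveryInformation)(name=*{$KeyIdPrefix*))"
    $found = Get-ADObject -SearchBase $computer.DistinguishedName -LDAPFilter $filter `
        -Properties 'msFVE-RecoveryPassword', 'whenCreated'

    foreach ($obj in $found) {
        $guid = if ($obj.Name -match '\{([0-9A-Fa-f-]{36})\}') { $Matches[1] } else { 'unknown' }
        [PSCustomObject]@{
            Computer     = $ComputerName
            RecoveryGuid = $guid
            Created      = $obj.whenCreated
            # The 48-digit recovery password the user types at the BitLocker recovery screen.
            Password     = $obj.'msFVE-RecoveryPassword'
        }
    }
}

# Example call with placeholder values (constructed, not a real ASU host or key):
# Find-BitLockerRecoveryPassword -ComputerName 'LAB-PC-01' -KeyIdPrefix '1A2B3C4D'
```

If more than one object is returned, the full GUID in the `RecoveryGuid` column is compared against the complete key ID on the user's screen before any password is read out. Because anyone who can read msFVE-RecoveryPassword can unlock the disk, read access to that attribute should be limited to the support group and audited.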
The following system requirements will allow Windows-based computers to be secured using BitLocker disk encryption. When specifying Windows-based computers for purchase, include these requirements.
- Trusted Platform Module (TPM) 1.2 or higher
  - Note: Request that the vendor enable the TPM chip prior to delivery.
- Trusted Computing Group (TCG)-compliant BIOS
  - Note: The BIOS should be updated with the latest firmware before using BitLocker.
- Windows 7 Enterprise or Ultimate, or Windows Server 2008 R2
  - Note: The computer should conform to University and/or departmental minimum system requirements for the operating system installed.
BitLocker can encrypt partitions formatted using FAT, FAT32, exFAT, or NTFS. Any disk partition to be encrypted must be 64MB or larger.
When encrypting a disk with BitLocker, the computer must be connected to an ASU domain in order to store the recovery key in Active Directory. A USB drive or other external media should be available to store the recovery key locally.
Existing equipment can be encrypted with BitLocker after upgrading to a compatible version of Windows, provided the TPM 1.2 chip and TCG-compliant BIOS are present. Disk repartitioning may be required. The encryption process will repartition the disk as necessary.
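The requirements above (TPM 1.2 or higher that is enabled and activated, an up-to-date BIOS, a supported Windows edition, a supported file system of at least 64 MB, and domain membership for storing the recovery key) can be checked on an existing computer before encryption is attempted. This PowerShell readiness check is an added example, not ASU's or Microsoft's script; it assumes PowerShell 3.0 or later, an elevated prompt (the Win32_Tpm class requires administrator rights), and the function names used here are its own. TCG compliance of the BIOS cannot be read from WMI, so that row only reports the firmware version and date for manual comparison with the vendor's latest release.

```powershell
# Added example; not ASU's or Microsoft's script. Checks the requirements listed
# above on the local machine with WMI classes present on Windows 7 and later.
# Assumes PowerShell 3.0 or later and an elevated prompt (Win32_Tpm needs admin).

function New-Check($Name, $Pass, $Detail) {
    [PSCustomObject]@{ Check = $Name; Pass = $Pass; Detail = "$Detail" }
}

function Test-BitLockerReadiness {
    param([string] $DriveLetter = 'C:')   # volume you intend to encrypt
    $checks = @()

    # 1. TPM present, specification 1.2 or higher, enabled and activated in the BIOS.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if ($null -eq $tpm) {
        $checks += New-Check 'TPM present' $false 'No TPM reported (absent, or disabled in BIOS)'
    } else {
        # SpecVersion reads like "1.2, 2, 3"; the first field is the TPM specification level.
        $spec = [version](($tpm.SpecVersion -split ',')[0].Trim())
        $checks += New-Check 'TPM 1.2 or higher' ($spec -ge [version]'1.2') $tpm.SpecVersion
        $checks += New-Check 'TPM enabled'   ($tpm.IsEnabled().IsEnabled)     'Enable the TPM in BIOS if false'
        $checks += New-Check 'TPM activated' ($tpm.IsActivated().IsActivated) 'Activate the TPM in BIOS if false'
    }

    # 2. BIOS firmware: TCG compliance is not exposed through WMI, so report the version
    #    and release date (WMI date string, yyyymmdd...) for comparison with the vendor's latest.
    $bios = Get-WmiObject Win32_BIOS
    $checks += New-Check 'BIOS firmware current' 'manual' "$($bios.SMBIOSBIOSVersion) released $($bios.ReleaseDate.Substring(0, 8))"

    # 3. Operating system edition. The page lists Windows 7 Enterprise/Ultimate and
    #    Server 2008 R2; Windows 8 and later Pro editions also ship BitLocker.
    $os = Get-WmiObject Win32_OperatingSystem
    $checks += New-Check 'OS edition includes BitLocker' ($os.Caption -match 'Enterprise|Ultimate|Server|Pro') $os.Caption

    # 4. Target volume: supported file system and at least 64 MB.
    $vol = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$DriveLetter'"
    $fsOk = @('FAT', 'FAT32', 'exFAT', 'NTFS') -contains $vol.FileSystem
    $checks += New-Check 'File system supported' $fsOk $vol.FileSystem
    $checks += New-Check 'Volume at least 64 MB' ([int64]$vol.Size -ge 64MB) ('{0:N0} MB' -f ($vol.Size / 1MB))

    # 5. Domain membership, needed to store the recovery key in Active Directory.
    $cs = Get-WmiObject Win32_ComputerSystem
    $checks += New-Check 'Joined to ASU domain' $cs.PartOfDomain $cs.Domain

    return $checks
}

# Print the report; every row should show Pass = True (or 'manual') before encrypting.
Test-BitLockerReadiness -DriveLetter 'C:' | Format-Table -AutoSize
```

A computer that reports "No TPM reported" but is a model known to carry a TPM 1.2 chip usually has the chip disabled in the BIOS, which is the situation the FAQ below describes; enabling and activating it there and re-running the check resolves it.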
For additional information, see the BitLocker hardware and software requirements published by Microsoft.
For additional technical information, see Disk encryption, technical information
BitLocker is one very effective part of an overall protection strategy. It doesn’t prevent hardware problems, malware, or accidental deletion of files. You should still use antivirus software, keep your computer patched, and always store ASU data on ASU servers whenever possible. But if your computer is lost or stolen, BitLocker will prevent an unauthorized person from gaining access to the data that is stored on your disk. That’s very important to ASU’s reputation and legal standing.
Why do I have to join my computer to the domain to use BitLocker?
BitLocker stores your recovery key in your computer’s object in Active Directory. This means your key will be stored centrally, backed up regularly, and kept safe in case you need it later.
I use my computer “in the field” and require a local login. How will joining my computer to the domain affect me?
It won’t. Your computer can be a member of the domain and still allow you to use your local login.
But won’t my computer have problems reading the encrypted disk if it can’t get to the domain?
Nope. The domain is used to store your BitLocker recovery key. That’s not needed for normal operation of your computer, only in case something goes wrong and you need to recover the disk with a technician’s help.
What could go wrong?
If the part of your disk that starts up your computer (known as the boot loader) becomes corrupt, Windows may not be able to read your encrypted disk without the recovery key. Certain viruses and other malware can cause this, as can physical damage. Or if you move an encrypted disk from one computer to another, Windows will require your recovery key in order to read the disk. This is why it’s important to store your BitLocker recovery key in the domain. If you need to enter Windows Safe Mode to uninstall software, run an anti-virus product, or repair your disk, BitLocker will again prompt for your recovery key.
Won’t it slow my computer down?
No. In our field test of 50 laptops in a variety of usage conditions, there was no noticeable effect on system performance at all. Microsoft says BitLocker adds approximately 1% overhead. If you have an older or lower-end system, talk to your technical support staff about using 128-bit encryption.
I’m told that BitLocker requires a TPM 1.2 chip. How can I find out whether I have one?
Models… Laptops: Dell Latitude D620 and newer, Dell Optiplex 745 and newer. Note that some of the Dell Vostro versions come without a TPM chip. Newer Thinkpads have TPM 1.2 chips. If your computer doesn’t have a TPM 1.2 chip, talk to your department’s technical support staff about possible alternatives.
I don’t have one of those computers. Do I have to replace mine?
No, not immediately. When your computer reaches the end of its usable life, you should replace it with a computer that meets the system requirements for BitLocker. Until then, there are other options that are a little less convenient but will meet ASU’s encryption guidelines for systems used to handle sensitive information. More information will be coming soon.
I have a Macintosh or Linux-based computer. What do I do?
Options exist for Macintosh and Linux-based computers, but some are still under development and they may be complex depending on what is installed on the computer. Talk to your department’s technical support staff to determine the best option for your needs.
Dell E6420 laptops – BitLocker not working?
There are reports of issues with Dell E6420 laptops defaulting to an incorrect TPM chip driver, causing issues with BitLocker. To check and fix this issue:
- Open the Windows Device Manager
- Go to System devices (may be under Security Devices)
- Right click on the TPM device
- Select Update Driver Software…
- Select Browse my computer for driver software
- Select Let me pick from a list of device drivers on my computer
- Select “Broadcom Trusted Platform Module (A2), v1.2” (v1.2 is very important!)
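To confirm which driver is actually bound to the TPM after following those steps (or to spot the problem before touching Device Manager), the following PowerShell is an added example, not something from the original page, Dell or Microsoft. It assumes Windows 7 or later and queries the Win32_PnPSignedDriver class by device name rather than by device class, because, as noted above, the TPM may be listed under either System devices or Security devices. The match against "Broadcom Trusted Platform Module (A2), v1.2" is taken from the driver name given in the steps above.

```powershell
# Added example (not from the original page, Dell or Microsoft). Shows which driver is
# currently bound to the TPM so a technician can confirm the Device Manager fix above.
# Assumes Windows 7 or later; Win32_PnPSignedDriver is queried by device name because
# the TPM may sit under either "System devices" or "Security devices".

function Get-TpmDriverBinding {
    Get-WmiObject Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -like '*Trusted Platform Module*' } |
        ForEach-Object {
            [PSCustomObject]@{
                Device          = $_.DeviceName
                Class           = $_.DeviceClass
                Provider        = $_.DriverProviderName
                DriverVersion   = $_.DriverVersion
                Inf             = $_.InfName
                # True when the driver named in the fix above is the one in use.
                IsDellFixDriver = ($_.DeviceName -like 'Broadcom Trusted Platform Module (A2)*v1.2*')
            }
        }
}

Get-TpmDriverBinding | Format-List
```

A row with `IsDellFixDriver = False` on an E6420 is the symptom the steps above correct; after the driver change, re-run the query and expect `True`.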
How long will it take?
Typically two to four hours. Make sure the computer is plugged in. You can continue to use your computer while BitLocker is encrypting the disk, and you can even pause the process if you need to.
I have one of the computers you say is BitLockable, but it says I don’t have a TPM chip.
It’s probably disabled in your BIOS settings. The TPM chip must be activated before beginning the encryption process. See your department’s technical support staff for assistance.
Yikes! BitLocker is encrypting my disk and suddenly I have no disk space free. Is it going to fill up my disk completely?
No. During the encryption process, your disk will appear to be nearly full. This is normal, but your disk usage will drop back down to its previous level once the encryption process is complete.
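The answers above describe the whole encryption run: the recovery key goes into the computer's Active Directory object (and optionally onto a USB drive), encryption then takes roughly two to four hours during which the disk looks nearly full, and the process can be paused. The following PowerShell is an added example for this page, not ASU's deployment script or Microsoft documentation. It drives the built-in `manage-bde.exe` (present on Windows 7 Enterprise/Ultimate and later), must run elevated on a domain-joined computer, and refuses to start encrypting until the Active Directory backup of the recovery password has succeeded. The function names, the regular expressions (which assume English manage-bde output) and the placeholder drive letters are this example's own.

```powershell
# Added example; it is not ASU's deployment script or Microsoft documentation. It
# drives the built-in manage-bde.exe (Windows 7 Enterprise/Ultimate and later) and
# must run elevated on a domain-joined computer. Parsing assumes English manage-bde
# output; the regular expressions and function names are this example's own.

function Get-RecoveryPasswordId {
    param([string] $Drive = 'C:')
    # manage-bde lists each recovery password under a "Numerical Password:" block
    # followed by an "ID: {GUID}" line; return the first such GUID.
    $text = (& manage-bde -protectors -get $Drive 2>&1) -join "`n"
    if ($text -match 'Numerical Password:\s*ID:\s*(\{[0-9A-Fa-f-]{36}\})') { return $Matches[1] }
    return $null
}

function Get-EncryptionPercent {
    param([string] $Drive = 'C:')
    # "Percentage Encrypted: 100%" on Windows 7, "100.0%" on later versions.
    $text = (& manage-bde -status $Drive 2>&1) -join "`n"
    if ($text -match 'Percentage Encrypted:\s*([\d.]+)\s*%') { return [double]$Matches[1] }
    return $null
}

function Enable-DomainEscrowedBitLocker {
    param(
        [string] $Drive = 'C:',
        [string] $UsbPath = ''     # e.g. 'E:\' to also write a recovery key file to removable media
    )
    # The TPM protector unlocks the drive at boot; the numerical recovery password is
    # what the help desk reads back from Active Directory when the TPM cannot.
    & manage-bde -protectors -add $Drive -tpm | Out-Null
    & manage-bde -protectors -add $Drive -RecoveryPassword | Out-Null
    if ($UsbPath) { & manage-bde -protectors -add $Drive -RecoveryKey $UsbPath | Out-Null }

    # Store the recovery password in the computer object before encryption starts,
    # and stop if the backup fails (for example, no connectivity to the domain).
    $id = Get-RecoveryPasswordId -Drive $Drive
    if (-not $id) { throw "No recovery password protector found on $Drive; not encrypting." }
    & manage-bde -protectors -adbackup $Drive -id $id | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Active Directory backup failed; fix domain connectivity first.' }

    & manage-bde -on $Drive
    return $id
}

function Wait-ForEncryption {
    param([string] $Drive = 'C:', [int] $PollSeconds = 300)
    # Typically two to four hours; free space looks close to zero until this reaches 100.
    do {
        $pct = Get-EncryptionPercent -Drive $Drive
        if ($null -eq $pct) { throw "Could not read the encryption status of $Drive." }
        Write-Host ('{0}  {1} {2}% encrypted' -f (Get-Date -Format 'HH:mm'), $Drive, $pct)
        if ($pct -lt 100) { Start-Sleep -Seconds $PollSeconds }
    } while ($pct -lt 100)
}

# Example run (placeholder drive letters): escrow the key, encrypt, then watch progress.
# $keyId = Enable-DomainEscrowedBitLocker -Drive 'C:' -UsbPath 'E:\'
# Wait-ForEncryption -Drive 'C:'
# To pause or resume the conversion:  manage-bde -pause C:   /   manage-bde -resume C:
```

The returned key ID is what the unlock procedure at the top of this page asks the user to read out, so it is worth recording it with the asset. On an operating system drive `manage-bde -on` may ask for a restart to run its TPM hardware test before conversion begins. On Windows 7 the cipher strength (the 128-bit option mentioned above for older systems) is set through the Group Policy "Choose drive encryption method and cipher strength"; Windows 8 and later also accept an `-EncryptionMethod` switch on `manage-bde -on`.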
Post-Deployment Support FAQ
Yikes! My computer is “bricked.” What now?
Contact your departmental tech support personnel. They’ll use your recovery key to try to help you get your data back.
My computer is lost or stolen! What now?
Report it as you normally would, but make sure to report that the computer was using whole disk encryption (assuming you had BitLocker running on it). And be happy that you protected critical information from compromise, prevented identities from being stolen, and helped to keep ASU’s good reputation intact!