PIN-less BitLocker for Windows 10

Below are some frequently asked questions regarding a newer way to protect the data stored on your laptop or notebook computer. This is also referred to as TPM-only BitLocker and is a convenient and easy way to protect your important documents and other information. 
 
Q: Why should Microsoft BitLocker be enabled on my computer? 
A: Microsoft has made it easier than ever to protect data that is at rest on a computer running Microsoft Windows. Encryption at rest protects the data in the event of loss or theft. Using encryption to protect computers, smartphones, and other devices has become commonplace. Additionally, it is required if you work with Tier2/Tier3 data and it is recommended for all other data classifications. 
  
Q: Can I delay the encryption process? 
A: Yes, you can delay the initial encryption process by up to ten days if you see a prompt. Otherwise, a silent installation will occur once the deadline is reached.

Q: Can I start the encryption at the best time for me?
A: Yes, you can start the BitLocker drive encryption process at a time that is convenient for you. In the bottom-left search pane of your desktop, search for 'bitlocker' and press Enter. At the BitLocker management screen, click 'Turn on BitLocker' next to each drive. Additional details can be found in KB0010618.

Q: What if I install an update and the computer no longer boots to Windows? 
A: Please put in a ServiceNow request. Let them know the computer name and that it has BitLocker enabled via SCCM. ITS can provide an escrowed recovery key that can unlock BitLocker.
  
Q: Will I need to enter a PIN to log on?
A: No. We are using the Trusted Platform Module (TPM), a hardware security chip inside the computer, to transparently handle encryption and decryption at boot.
  
Q: If my computer has been enrolled and I see the notification, can I request an exemption? 
A: Yes, but please speak with your supervisor first. An exemption can be evaluated by your supervisor.
  
Q: My computer already has BitLocker enabled, what will happen?
A: In that case, no change will occur and the process described will not start as the computer is already protected from theft/loss. 
  
Q: Should I encrypt my desktop? 
A: It depends. If there is a reasonable chance of loss or theft then it is a good idea to enable BitLocker. We recommend encrypting new devices by default.
  
Q: Will Apple devices such as a MacBook be encrypted? 
A: Not through this process. Please contact your IT support to discuss JAMF. 
  
Q: Should I keep the computer plugged in while the encryption is in progress? 
A: Yes, that will let the encryption process finish sooner. Additionally, you may want to review your battery/power settings to make sure the device does not turn off disks or hibernate while the encryption is running.
  
Q: Can I use my computer while the disk initially encrypts? 
A: Yes, you should be able to use the computer normally. However, keep in mind that a significant amount of resources such as CPU are consumed during initial encryption. This process typically completes in one day. We recommend starting the process towards the end of your workday and keeping the computer plugged in and on the VPN.
 
Q: I am using Remote Desktop and I do not see the BitLocker prompt, why is this?  
A: Please use the /admin switch to connect using Remote Desktop, for example run the command 'MSTSC /v:mycompname.unc.edu /f /admin'
 
Q: Do I need to be on the VPN for this to work? 
A: No, but it can help with the backend key escrow process.
 
Q: Will this process work on any computer? 
A: You will need a computer with a TPM security chip, UEFI configured as the boot mode, and Secure Boot enabled. Most of this information can be found in your BIOS/UEFI settings or obtained from your IT support.
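The following PowerShell script is an added example, not part of the original article or of the ITS deployment, that checks the three prerequisites named above (TPM present and ready, UEFI boot mode, Secure Boot on) and reports the current BitLocker state of the system drive, including which key protectors are configured. A PIN-less setup shows a "Tpm" protector (plus a "RecoveryPassword" protector when a key has been escrowed) and no "TpmPin" entry. It assumes an elevated PowerShell prompt on Windows 10; the TrustedPlatformModule, SecureBoot and BitLocker modules it uses ship with Windows.

```powershell
# Added example (not from the original article): readiness and status check for
# TPM-only BitLocker. Run from an elevated PowerShell prompt on Windows 10.
#Requires -RunAsAdministrator

function Test-BitLockerReadiness {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)   # defaults to the OS volume

    $result = [ordered]@{}

    # 1. TPM: must be present and ready for transparent (PIN-less) protection.
    $tpm = Get-Tpm
    $result['TpmPresent'] = [bool]$tpm.TpmPresent
    $result['TpmReady']   = [bool]$tpm.TpmReady

    # 2. Boot mode: Windows sets $env:firmware_type to "UEFI" or "Legacy".
    $result['BootMode'] = $env:firmware_type
    $result['UefiBoot'] = ($env:firmware_type -eq 'UEFI')

    # 3. Secure Boot: Confirm-SecureBootUEFI throws on legacy BIOS systems,
    #    which counts as "not enabled".
    try {
        $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI)
    } catch {
        $result['SecureBoot'] = $false
    }

    # 4. BitLocker state of the chosen volume and the protectors it carries.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $result['ProtectionStatus']  = $vol.ProtectionStatus.ToString()
    $result['VolumeStatus']      = $vol.VolumeStatus.ToString()
    $result['EncryptionPercent'] = $vol.EncryptionPercentage
    $result['KeyProtectorTypes'] = ($vol.KeyProtector.KeyProtectorType |
        ForEach-Object { $_.ToString() }) -join ', '

    # Summary flag: all hardware/firmware prerequisites for TPM-only BitLocker met.
    $result['ReadyForTpmOnly'] = $result['TpmPresent'] -and $result['TpmReady'] -and
                                 $result['UefiBoot']   -and $result['SecureBoot']

    [pscustomobject]$result
}

Test-BitLockerReadiness | Format-List
```

If ReadyForTpmOnly is False, the BootMode, SecureBoot and Tpm fields show which prerequisite is missing; switching from legacy BIOS to UEFI or enabling Secure Boot is a firmware change, so involve IT support before altering those settings. A KeyProtectorTypes value without "RecoveryPassword" means no recovery key exists to escrow, which is exactly the situation the "computer no longer boots" question above depends on.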
 
Q: What is the performance impact? 
A: After the initial encryption completes the performance impact is typically quite small, on the order of 5% or less. However, as always, it depends on the specific hardware in use. Computers with older or slower magnetic hard disks will likely see a larger impact. 
 
Q: What about locking the screen when I am away? 
A: It is important to ensure that the computer prompts for credentials after it has been idle for a period of time. The best way to accomplish this is to configure a screen saver timeout with "On resume, display logon screen" enabled, so that the session locks rather than just blanking the display.
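As an added example, not taken from the article, the PowerShell function below audits the current user's screen saver settings against that advice and, with the -Remediate switch, sets them. The registry values are the documented Windows ones under HKCU:\Control Panel\Desktop; the 900-second (15 minute) idle threshold is an assumption to be replaced by your local policy value.

```powershell
# Added example (not from the original article): audit, and optionally set, the
# screen saver lock so the computer asks for credentials after idle time.
function Test-ScreenLockPolicy {
    [CmdletBinding()]
    param(
        [int]$MaxIdleSeconds = 900,   # assumed threshold; adjust to local policy
        [switch]$Remediate            # write the values if missing or too lax
    )
    $path = 'HKCU:\Control Panel\Desktop'
    $desk = Get-ItemProperty -Path $path

    # Windows stores these values as strings ("1", "600"), so coerce carefully.
    $active  = ($desk.ScreenSaveActive    -eq '1')
    $secure  = ($desk.ScreenSaverIsSecure -eq '1')   # "On resume, display logon screen"
    $timeout = 0
    [void][int]::TryParse([string]$desk.ScreenSaveTimeOut, [ref]$timeout)

    $compliant = $active -and $secure -and ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)

    if (-not $compliant -and $Remediate) {
        Set-ItemProperty -Path $path -Name ScreenSaveActive    -Value '1'
        Set-ItemProperty -Path $path -Name ScreenSaverIsSecure -Value '1'
        Set-ItemProperty -Path $path -Name ScreenSaveTimeOut   -Value ([string]$MaxIdleSeconds)
        # The blank screen saver is sufficient; the lock is what matters, not the animation.
        Set-ItemProperty -Path $path -Name 'SCRNSAVE.EXE' -Value "$env:SystemRoot\System32\scrnsave.scr"
        $compliant = $true
    }

    [pscustomobject]@{
        ScreenSaverActive = $active
        PasswordOnResume  = $secure
        TimeoutSeconds    = $timeout
        Compliant         = $compliant
    }
}

Test-ScreenLockPolicy
```

Run it without -Remediate first to see the current state. Values written this way take effect at the next logon, and a setting enforced by Group Policy (the HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop branch) overrides them, so on a managed computer the audit result is the useful part and the policy is where a change should be made.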

Article ID: 272
Created: Tue 7/2/24 3:03 PM
Modified: Wed 7/3/24 4:26 PM