Encryption Process


This page covers BitLocker encryption: the procedure, the link to use for recovery information, and future tasks.


About Microsoft BitLocker Drive Encryption


BitLocker is a native encryption feature available in the Enterprise editions of Windows. Microsoft BitLocker Administration and Monitoring (MBAM) is the software Florida Polytechnic uses to centrally monitor compliance and to simplify the deployment of BitLocker and the storage of recovery keys for all encrypted devices.


BitLocker System Requirements


  • Operating System must be Windows 7 or above
  • The computer must be joined to Florida Polytechnic's Active Directory Domain.
  • Trusted Platform Module (TPM) 1.2
    o For Windows 7, a functional TPM is required
    o For Windows 8 and above, a functional TPM is preferred, but not required
    o NOTE: The TPM must be enabled and activated, and the BIOS must allow the Operating System to take ownership of the TPM (if the option is available; not all computer models offer this option in the BIOS)


Procedure to Encrypt a laptop already assigned to a user


Each step below lists the task and the responsible group.

Task: Schedule a day with the end user to retrieve the laptop and perform the encryption.
Responsible Group: Helpdesk

Task: Back up the user's documents to protect their data.
Responsible Group: Helpdesk

Task: Update the BIOS to the latest version (varies by manufacturer and model).
Responsible Group: Helpdesk

Task: Enable and activate the TPM chip in the BIOS (varies by manufacturer and model). Where the option is available, also allow the OS to take ownership of the TPM.
Responsible Group: Helpdesk

Task: Install the Microsoft BitLocker Administration and Monitoring (MBAM) Agent (performed via SCCM or manually).
  • The helpdesk will need the Systems group to add the computer to the "MBAM Agent Install" collection.
  • The helpdesk can install the agent manually from Helpdesk Archives\Client Applications\MBAM 2.5SP1 Agent.
  • To do: the agent should be part of the base image, or at least be available to all computers in SCCM.
Responsible Group: Helpdesk or Systems group

Task: Verify the MBAM MDOP Agent installed successfully (check Add/Remove Programs).
Responsible Group: Helpdesk

Task: Apply the Group Policy for Microsoft BitLocker Administration & Monitoring.
  • The helpdesk will need to provide the computer name to the Systems group.
Responsible Group: Systems group

Task: Start the encryption process.
  • Encryption should start within 90 minutes of the Group Policy being applied.
  • Alternatively, the helpdesk can manually start encrypting the Operating System drive by double-clicking the following file:
    C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe
Responsible Group: Helpdesk

Task: Confirm the encryption process completes successfully.
  • The process can take from 2 hours to a day to complete, depending on the size of the Operating System drive.
  • The end user cannot retrieve the laptop until the process is complete.
  • A notification indicating the encryption process is complete is displayed when
Responsible Group: Helpdesk
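To check a laptop against the requirements and steps above before it is returned to the user (TPM state, MBAM agent present, BitLocker status of the OS drive), the following PowerShell script is an added example; it is not part of this page or of MBAM. It assumes the MBAM client service is named MBAMAgent and uses the MBAMClientUI.exe path given in the procedure; run it in an elevated PowerShell window on the client.

```powershell
# Added example: pre-handback check for a BitLocker/MBAM-managed laptop.
# Run elevated on the client (Get-Tpm needs Windows 8 or later).
$results = [ordered]@{}

# 1. TPM: must be present, enabled, activated and ready for the OS to own it
$tpm = Get-Tpm
$results['TPM present']   = $tpm.TpmPresent
$results['TPM enabled']   = $tpm.TpmEnabled
$results['TPM activated'] = $tpm.TpmActivated
$results['TPM ready']     = $tpm.TpmReady

# 2. MBAM agent: the service name 'MBAMAgent' is an assumption; the client UI
#    path is the one the procedure uses for a manual start
$svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
$results['MBAM agent service running'] = ($null -ne $svc -and $svc.Status -eq 'Running')
$results['MBAMClientUI.exe present']   = Test-Path 'C:\Program Files\Microsoft\MDOP MBAM\MBAMClientUI.exe'

# 3. BitLocker state of the Operating System drive
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['OS drive fully encrypted'] = ($vol.VolumeStatus -eq 'FullyEncrypted')
$results['Encryption percentage']    = $vol.EncryptionPercentage
$results['Protection on']            = ($vol.ProtectionStatus -eq 'On')
# A TPM-based protector unlocks the drive at boot; a recovery password is the
# key MBAM stores centrally for the Drive Recovery form
$results['Has TPM protector']     = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
$results['Has recovery password'] = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# Report every check; the laptop goes back to the user only when all are true
$results.GetEnumerator() | ForEach-Object { '{0,-30} {1}' -f $_.Key, $_.Value }
$ready = ($results.Values | Where-Object { $_ -is [bool] }) -notcontains $false
if ($ready) { 'Ready to return to user' } else { 'NOT ready: fix the failed checks above' }
```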




Future Task Assignments


Task: Add the MBAM Agent to the base image.
Responsible Person or Group: William Powell

Task: Set up SCCM Task Sequences to work with the refresh of computers that are encrypted.
Responsible Person or Group: William Powell

Task: Set up SCCM Task Sequences for encryption to run during imaging on new computers.
Responsible Person or Group: William Powell & Luis Luque

Task: Develop processes and documentation for imaging and refreshing encrypted computers.
Responsible Person or Group: Helpdesk


The link below allows helpdesk staff (full-time employees) to perform the BitLocker tasks that are occasionally required, after logging in with their NetID and password.


https://ccc-mbamweb01.floridapoly.org/HelpDesk/default.aspx


Drive Recovery


The Drive Recovery option allows you to retrieve drive recovery keys that can help users regain access to a computer or encrypted drives. A drive may go into Recovery mode because of a forgotten BitLocker PIN or password, an action from Windows Update, or a change to the BIOS settings of the computer.


Manage TPM


The Manage TPM Form can be used to help users who cannot unlock their computer because the TPM (Trusted Platform Module) will not accept their BitLocker PIN. First, use the Drive Recovery form to help the users regain access to their computer. Then, use this form to provide a TPM owner password file to help the users manage their TPM.

