Device Encryption – Microsoft BitLocker
Laptops
Laptops are more vulnerable to theft and loss due to their portability, which increases the risk of sensitive data falling into the hands of unauthorized users. If the data drive is removed from an unencrypted laptop, its data can easily be read. “Full Disk Encryption” prevents this unauthorized access: on ICTO-managed laptops the data is encrypted, and a password or recovery key is required to decrypt it. This significantly reduces the risk of sensitive data being compromised if a laptop is lost or stolen.
Desktops
Administrative staff handle a large amount of sensitive data on a daily basis, including staff and student data, financial reports, and confidential documents. To effectively prevent sensitive data leakage, ICTO will enable “Removable Drive Encryption” to protect removable devices. Administrative staff should encrypt removable devices to obtain write permission; otherwise, no new data can be saved to the device until it has been encrypted. Administrative staff can also consider using UMDrive for data storage and file sharing.
BitLocker User Guide
- What is BitLocker Drive Encryption?
- How to use BitLocker on removable drives?
- How to enable Auto Unlock for removable drives encrypted by BitLocker?
- How to back up the BitLocker Recovery Key?
BitLocker Encryption Q&As
All ICTO-provided laptops will gradually enable “Full Disk Encryption” to reduce the risk of sensitive data being compromised in the event of a lost or stolen laptop.
All the desktops used by administrative staff have “Removable Drive Encryption” enabled to reduce the risk of sensitive data being compromised in the event of a lost or stolen removable device.
Laptops: “Full Disk Encryption” will be enabled on laptops upon replacement.
Desktops: “Removable Drive Encryption” will be enabled on desktops in phases.
When you attach a USB drive to an ICTO-managed desktop with “Removable Drive Encryption” enabled, you will be automatically prompted to encrypt the drive. If you choose to encrypt, you will be asked to create a password, which will be required to access the drive when it is attached to another computer. Please note that if you choose not to encrypt the USB drive when prompted, you will be able to read data on it but unable to save any new data to it until it has been encrypted.
If you have already encrypted your removable device prior to this encryption rollout, you do not need to encrypt it again. Your encrypted removable device will continue to function as before and will not be affected by this encryption rollout. However, please ensure that you have properly stored your password or recovery key, as your BitLocker Recovery Key is not stored on our server. If you want to store it on ICTO’s server, you need to decrypt your removable device (Turn off BitLocker) and then encrypt it again. Please make sure that you perform the encryption on an ICTO-managed computer connected to the UM campus network, so that the BitLocker Recovery Key is saved to ICTO’s server. If you forget the password and lose the recovery key, please go to https://helpdesk.icto.um.edu.mo/ to fill out and submit the “Request BitLocker Recovery Key” request form.
This measure only applies to laptops and desktops provided by ICTO and will not affect your personal computer. We are implementing new security measures to enhance the protection of ICTO-provided laptops by enabling full disk encryption. In addition, we will enable removable device encryption for the administrative desktops provided by ICTO. If you would like to secure data on your personal computer, you can enable BitLocker yourself. However, please note that the BitLocker Recovery Key for your personal computer will not be backed up to ICTO’s server. Please refer to FAQ for instructions on how to back up your BitLocker Recovery Key.
If you forget the BitLocker password, you can go to https://helpdesk.icto.um.edu.mo/ to fill out and submit the “Request BitLocker Recovery Key” request form.
Yes, you can copy files to another location, but the files won’t be encrypted unless they are stored on a drive that has BitLocker enabled. Your files are only secure if they are stored on the drive with BitLocker enabled.
Yes, you can encrypt your USB off campus. Please make sure that you are using an ICTO-managed computer and connecting to the UM campus network (or using SSL VPN if off-campus) to perform the encryption. This is to ensure that the BitLocker Recovery Key is saved to ICTO’s server.
“Full Disk Encryption” is already enabled by default on new laptops, so no action is required. For existing laptops, you can contact the ICTO Help Desk to determine whether it is possible to enable “Full Disk Encryption”.
“Removable Drive Encryption” will be enabled on desktops in phases. Users are responsible for encrypting their own removable drives. Please refer to the FAQ section “How to use BitLocker on removable drives?”