Overview
BitLocker is a Windows security feature that provides drive encryption to help address threats of data theft or data exposure from lost, stolen, or inappropriately decommissioned devices. This article provides background on how BitLocker works as well as steps on:
Critical Concepts
In this article, the terms “enabled” or “encrypted” denote that a drive is protected by BitLocker. “Activation” refers to the state in which a device is locked and requires a BitLocker recovery key to unlock it.
Usually, BitLocker is manually enabled by the user of a device. However, there are some cases where BitLocker can be enabled without your knowledge:
- You signed into your device using a Microsoft account, or you have your Microsoft account linked to your device. In this case, your BitLocker recovery key is automatically saved to your Microsoft account or work or school account before protection is activated.
  - You can check if your Microsoft account is linked to your device by navigating to “Settings” > “Accounts” > “Access work or school”.
- You enrolled your device in the Intune Company Portal.
  - Depending on the policies that your department applied to your account, enrollment in Intune can cause BitLocker to become enabled on your device.
- An administrator on your device manually activated Device Encryption. In this case, the recovery key is automatically saved to their Microsoft account or work or school account before protection is activated.
- An administrator on your device manually activated BitLocker Drive Encryption. In this case, the administrator manually selected where to save the recovery key.
If you would like to disconnect your Microsoft account from your device or if you would like to unenroll your device from Intune Company Portal, please ensure you follow the steps below to check for BitLocker on your device and back up all of your BitLocker recovery keys prior to disconnection/unenrollment.
BitLocker typically activates when changes are made to your device that the device’s security system interprets as a potential security risk. A list of common events that can cause BitLocker to become activated can be found here: BitLocker recovery overview.
To ensure that you can regain access to your device if BitLocker activates, record the BitLocker recovery key for each encrypted drive on a device or medium separate from the device that has BitLocker enabled. Your BitLocker recovery key is a unique 48-digit numerical password; it is identified by a BitLocker recovery key ID (a UUID).
Steps to Take
How to Check if BitLocker is Enabled on your Device
Method 1:
- Open the "Control Panel".
- Select "System and Security" > "BitLocker Drive Encryption".
- Under "Operating system drive", BitLocker is enabled if it says "BitLocker on" for at least one drive.
Method 2:
- Open “File Explorer” > “This PC”.
- If BitLocker is enabled on a device, you will see a lock next to the encrypted drive.

How to Check for BitLocker Recovery Keys
For each BitLocker recovery key:
1. Open "File Explorer" > "This PC". Any drives that are encrypted by BitLocker will have an image of a lock next to the drive name. Please note, if more than one drive is encrypted, you will need to repeat steps 2 through 6 for each drive.
2. In the Start menu, search for "Terminal", click "Run as administrator" and click "Yes".
3. Copy and paste the following command into the prompt: manage-bde -protectors -get <drive letter>:
4. Replace <drive letter> with the letter of the drive that is encrypted. This letter is typically enclosed in parentheses next to the drive name in step 1. Then press Enter on your keyboard.
5. The UUID will be located under "Numerical Password" as the "ID". The recovery key will be located under "Numerical Password" as the "Password". The recovery key consists of 48 digits separated by hyphens.
6. Copy down both your UUID and BitLocker recovery key on a device or medium that is NOT the device you are removing the Intune Company Portal from.
You can also use the following Microsoft support article to find and back up your recovery keys: Back Up Your BitLocker Recovery Key.
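The manual checks above (lock icon / "BitLocker on", then manage-bde per drive) can be done in one pass from the same elevated Terminal. The script below is an added example, not part of this article or of Microsoft's documentation: it uses the built-in BitLocker PowerShell module to list every encrypted volume, pull each "Numerical Password" protector (the recovery key ID and 48-digit key), and write them to a folder that is assumed to be on a separate, unencrypted removable drive (E:\ here; change it to match yours).

```powershell
# Added example: back up BitLocker recovery keys for every encrypted volume.
# Run in Windows Terminal / PowerShell started with "Run as administrator".
# Assumption: $BackupRoot is on a USB stick or other medium that is NOT this
# device and is NOT itself BitLocker-encrypted (a key stored on a locked
# drive cannot be read when you need it).
param(
    [string]$BackupRoot = 'E:\BitLockerKeys'   # assumed path, adjust as needed
)

Import-Module BitLocker

$computer = $env:COMPUTERNAME

# Same information as the Control Panel "BitLocker on" status and the lock
# icon in File Explorer: anything not fully decrypted has BitLocker on it.
$protected = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
if (-not $protected) {
    Write-Host "No BitLocker-encrypted volumes found on $computer."
    return
}

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

foreach ($vol in $protected) {
    # Equivalent of: manage-bde -protectors -get <drive letter>:
    # Only the "Numerical Password" protector holds the 48-digit recovery key.
    $rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $rp) {
        Write-Warning "$($vol.MountPoint) is encrypted but has no Numerical Password protector; a recovery key cannot unlock it."
        continue
    }
    foreach ($p in $rp) {
        # The key is 8 groups of 6 digits; warn if the value looks wrong.
        if ($p.RecoveryPassword -notmatch '^(\d{6}-){7}\d{6}$') {
            Write-Warning "Unexpected recovery key format on $($vol.MountPoint)"
        }
        $keyId = $p.KeyProtectorId.Trim('{}')     # the "Recovery key ID" shown on the lock screen
        $lines = @(
            "Computer:        $computer"
            "Drive:           $($vol.MountPoint)"
            "Recovery key ID: $keyId"
            "Recovery key:    $($p.RecoveryPassword)"
            "Exported:        $((Get-Date).ToString('s'))"
        )
        $file = Join-Path $BackupRoot "$computer-$($vol.MountPoint.Substring(0,1))-$keyId.txt"
        Set-Content -Path $file -Value $lines
        Write-Host "Saved recovery key for $($vol.MountPoint) (ID $keyId) to $file"
    }
}
```

When BitLocker activates, match the "Recovery key ID" shown on the blue recovery screen to the file whose name ends in that ID and type the 48-digit key from it.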
How to Unlock a Device that has BitLocker Activated
If BitLocker becomes activated on your device, a screen that looks similar to the following will appear:

Please note: your Recovery key ID will be different from the one shown in the image above. Your Recovery key ID is NOT the same as your recovery key. The Recovery key ID can be used to identify the recovery key needed to unlock your device.
- Look for your BitLocker recovery key if you do not already have it recorded: Find your BitLocker recovery key. If possible, prior to a potential BitLocker activation, make sure to back up your recovery key to a device or storage medium that is not encrypted by BitLocker.
- Enter the recovery key in the field under “Enter the recovery key for this drive”. Once you have done so, either click the “Continue” button, if available, or press the “Enter” or “Return” key on your keyboard.
- If the recovery key is correct, you will then be granted access to your device.
- In the event that you are unable to locate your recovery key, please contact your departmental IT team for assistance.
Additional Resources