Bitlocker

From ITSwiki

[Image: MBAM-banner-2.jpg]


Bitlocker is a Windows feature that encrypts data on disks. At DTU Compute only local (internal) disks are encrypted (i.e. C:). Encryption protects your data against unauthorized access in the event of theft or loss of the hardware.


Which computers are encrypted with Bitlocker?

Only laptops installed at DTU Compute IT support will have Bitlocker enabled. Laptops installed before March 3, 2021 will not automatically have Bitlocker enabled.

If "DTU Software Center" is found in the Start menu, Bitlocker can be manually enabled by IT support on demand. If there is no "DTU Software Center", the laptop must be reinstalled before Bitlocker can be enabled.


How to check if Bitlocker is enabled or encrypting?

If the Bitlocker encryption has not been completed when you receive the laptop from the IT support staff, the encryption should start within 2 hours, but only if you log in on campus or connect to the DTU network via VPN.

The encryption process starts automatically without user interaction. You should not experience any changes, but you may see a temporary message in a pop-up window or in the Message Center.

The encryption does not require the laptop to be connected to the network once it has started.


[Image: MBAM-1.jpg]


During Bitlocker encryption, you will be able to work normally. If the computer is powered off or enters sleep mode during the encryption process, the next time you turn on the computer and log in, the process will resume.

If you don't know whether Bitlocker is already enabled on your laptop, open "This PC" and look for a padlock icon on the C: drive. If the padlock is present, the drive is encrypted.


[Image: Padlock-C-Drive.png]


You can check the progress of the encryption process in Control Panel → "Bitlocker Encryption Options" (and the overall status in "Bitlocker Drive Encryption").
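The same information can be read from an elevated PowerShell prompt. The script below is an added example and not part of the ITSwiki page; it uses the standard Get-BitLockerVolume cmdlet and assumes C: is the system drive. It reports whether the drive is encrypted, how far the encryption has progressed, and which key protectors exist, so you can confirm the state without looking for the padlock icon.

```powershell
# Added example (not from the ITSwiki page): report the BitLocker state of C:.
# Requires the BitLocker PowerShell module (Windows 10/11) and an elevated session.
$vol = Get-BitLockerVolume -MountPoint "C:"

# VolumeStatus is e.g. FullyDecrypted, EncryptionInProgress or FullyEncrypted.
# ProtectionStatus is On only when protectors are active; it reads Off while
# protection is suspended, even though the data on disk stays encrypted.
[PSCustomObject]@{
    Drive            = $vol.MountPoint
    VolumeStatus     = $vol.VolumeStatus
    ProtectionStatus = $vol.ProtectionStatus
    PercentEncrypted = $vol.EncryptionPercentage
    Method           = $vol.EncryptionMethod
}

# Key protectors: a TPM protector unlocks the drive automatically at boot, and a
# RecoveryPassword protector is the 48-digit key IT support can look up. The
# KeyProtectorId of the RecoveryPassword protector is the "Recovery Key ID" shown
# on the recovery screen; its first 8 characters are what IT support asks for.
# (The recovery password itself is deliberately not printed here.)
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# Plain-language summary matching the wording used elsewhere on this page
switch ($vol.VolumeStatus) {
    "FullyDecrypted"       { "Bitlocker is not enabled on C:." }
    "EncryptionInProgress" { "Encrypting: $($vol.EncryptionPercentage)% done; you can keep working." }
    "FullyEncrypted"       { "C: is encrypted; expect a padlock icon on the drive in This PC." }
    default                { "Status: $($vol.VolumeStatus)" }
}
```

If the script reports FullyEncrypted but ProtectionStatus is Off, protection has been suspended (see "When should Bitlocker be suspended?" below) and should be resumed.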

Bitlocker recovery screen

[Image: Bitlocker-recovery-info.jpg]


If, when you start your laptop, you are presented with the "Bitlocker Recovery" screen and the message "Enter the recovery key for this drive", you need to contact IT support to obtain the recovery password.

After entering the password, you should be able to boot normally. After booting and logging in, restart the computer to make sure that the Bitlocker Recovery screen does not appear a second time.

If it does appear again, this may indicate a problem with your laptop's configuration that should be looked at by IT support.

Recovery screen instructions

  1. Contact DTU Compute IT support from another device or phone. You will be asked to provide the first 8 characters of the Recovery Key ID displayed on the screen and your DTU login name.
  2. IT support will retrieve the 48-character recovery key, which must be typed in the text box on the "Recovery" screen.
  3. You should be able to start Windows. Restart the laptop to ensure that the Bitlocker recovery screen does not appear a second time.

In some cases, these steps are also required, but it's best to follow them every time just to be sure:

  1. After logon go to Control Panel → BitLocker Drive Encryption
  2. Click on "Suspend Protection"
  3. Click "Yes" to "Do you want to suspend BitLocker protection?", then wait a few minutes.
  4. Click on "Resume protection" so that BitLocker re-binds to the TPM.


[Image: Bitlocker-suspend.png]

What causes Bitlocker to request the recovery key?

There can be many reasons, such as hardware changes, BIOS changes (e.g. disabling Secure Boot), a motherboard replacement, malware attacks, hard drive crashes, system crashes, or Bitlocker itself detecting a condition it treats as a possible attack on the data.


When should Bitlocker be suspended?

Suspending Bitlocker does not mean that Bitlocker decrypts the data on the volume. Instead, suspension stores the key used to decrypt the data in the clear, so anyone with the disk can use it. New data written to the disk is still encrypted.

You should suspend BitLocker protection for firmware and BIOS upgrades, or when changing any hardware, or when you need to temporarily remove the disk from your laptop.

Suspending Bitlocker can be done in two ways:

Method 1 (using the GUI):

  1. After logon go to Control Panel → BitLocker Drive Encryption
  2. Click on "Suspend Protection" (NB: Please note that Bitlocker suspension is only effective until the next restart)

Method 2 (using PowerShell with admin rights):

  1. Open PowerShell with administrator rights
  2. Run this command:

Suspend-BitLocker -MountPoint "C:" -RebootCount 0

"RebootCount" can be set between 0 and 15. 0 means that protection stays suspended indefinitely and must be resumed manually with

Resume-BitLocker -MountPoint "C:"
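A safer way to use these two cmdlets for a firmware update is to check the drive state before and after each step, so you notice if the suspension did not take effect or if protection was never resumed. The functions below are an added example and are not part of the ITSwiki page or of Windows: the names Suspend-BitLockerForMaintenance and Resume-BitLockerAfterMaintenance are hypothetical wrappers around the real Suspend-BitLocker and Resume-BitLocker cmdlets. The default RebootCount of 1 is an assumption chosen so that protection re-arms by itself after the single reboot a firmware update needs; the page's own example uses 0.

```powershell
# Added example, not from the ITSwiki page. Hypothetical helper functions that
# wrap the real Suspend-BitLocker / Resume-BitLocker cmdlets and verify the
# result. Run from an elevated PowerShell session on the laptop itself.

function Suspend-BitLockerForMaintenance {
    param(
        [string]$MountPoint = "C:",
        # 0 = stay suspended until Resume-BitLocker is run; 1..15 = re-arm
        # automatically after that many reboots (assumed default: 1).
        [ValidateRange(0, 15)][int]$RebootCount = 1
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -eq "FullyDecrypted") {
        throw "$MountPoint is not BitLocker-encrypted; there is nothing to suspend."
    }
    if ($vol.ProtectionStatus -eq "Off") {
        Write-Warning "$MountPoint protection is already suspended."
        return $vol
    }
    # Suspension leaves the data encrypted; it only stops the TPM from gating the key.
    $vol = Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount
    if ($vol.ProtectionStatus -ne "Off") {
        throw "Suspend did not take effect on $MountPoint."
    }
    Write-Host "Protection on $MountPoint suspended (RebootCount=$RebootCount); volume is still $($vol.VolumeStatus)."
    return $vol
}

function Resume-BitLockerAfterMaintenance {
    param([string]$MountPoint = "C:")
    $vol = Resume-BitLocker -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne "On") {
        throw "Resume failed on ${MountPoint}: status is $($vol.ProtectionStatus)."
    }
    Write-Host "Protection on $MountPoint is back On."
    return $vol
}

# Typical firmware-update flow:
#   Suspend-BitLockerForMaintenance -MountPoint "C:" -RebootCount 1
#   ... install the BIOS/firmware update and reboot ...
#   Resume-BitLockerAfterMaintenance -MountPoint "C:"   # harmless if it already re-armed
#
# The same two calls, run a few minutes apart without a reboot, are the
# PowerShell equivalent of the "Suspend Protection" / "Resume protection"
# steps this page recommends after a recovery-key prompt.
```

Always finish with the resume call (or confirm ProtectionStatus is On with Get-BitLockerVolume) before putting the laptop back into normal use; a drive left suspended offers no protection if it is lost or stolen.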


...