Windows PC, encryption and backup of the key

To encrypt your computer, three steps must be carried out in this order: back it up, register it, then encrypt the hard disk.

  A. Backup of the computer with InSync must be enabled and tested
  B. Registering the computer
  C. Computer encryption

B. Registering the computer

Prerequisites for registering your Windows 10 laptop:

  • The OS must be Windows 10 or later
  • All drivers and firmware (BIOS/UEFI) must be up to date
  • The hard disk must be first in the boot order (ideally it should be the only bootable device)
  • The laptop must be joined to Active Directory *
  • It must have a TPM chip, and the TPM must be enabled *
  • The volume must be encrypted *

The installation process checks some of these parameters (marked *); please make sure that all the preliminary steps have been completed.
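As an added example (this is not the encrypt.cmd script from the share, whose own checks are not published on this page), the following PowerShell, run in an elevated prompt on the laptop, verifies the prerequisites above before you register and encrypt: OS version, domain membership, UEFI firmware mode and the state of the TPM (the same "ready" status the Windows Security app reports). Get-Tpm, Get-CimInstance and the $env:firmware_type variable are standard Windows 10 facilities; the check labels and the Test-EncryptionPrerequisites function name are this example's own. Boot order and driver/firmware currency cannot be read from Windows and still have to be checked by hand.

```powershell
# Added pre-flight check for the registration prerequisites (not the page's encrypt.cmd).
# Assumption: the prerequisites marked * are the ones the encryption script verifies;
# this script only reports, it changes nothing.
#Requires -RunAsAdministrator

function Test-EncryptionPrerequisites {
    $results = [ordered]@{}

    # OS must be Windows 10 or later (Windows 11 also reports major version 10)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results["Windows 10 or later ($($os.Caption))"] = ([version]$os.Version).Major -ge 10

    # Laptop must be joined to Active Directory
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results["Joined to Active Directory ($($cs.Domain))"] = [bool]$cs.PartOfDomain

    # UEFI firmware is required for TPM 2.0; 'Legacy' here means a BIOS-mode install.
    # The boot order itself is a firmware setting and cannot be verified from Windows.
    $results["UEFI firmware (reported: $env:firmware_type)"] = ($env:firmware_type -eq 'UEFI')

    # TPM present, enabled and ready (provisioned). SpecVersion starts with "2.0" or "1.2".
    $tpm  = Get-Tpm
    $spec = (Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
    $results["TPM present (spec: $spec)"] = [bool]$tpm.TpmPresent
    $results['TPM enabled']               = [bool]$tpm.TpmEnabled
    $results['TPM ready']                 = [bool]$tpm.TpmReady

    foreach ($name in $results.Keys) {
        $mark = if ($results[$name]) { 'OK  ' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $mark, $name)
    }
    # $true only when every check passed
    return (-not ($results.Values -contains $false))
}

Test-EncryptionPrerequisites
```

A FAIL on the TPM lines corresponds to the "Why did disk encryption fail?" entry in the FAQ below: the TPM has to be enabled in the firmware and provisioned before the encryption script is run.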

C. Computer encryption

The steps “A. Backup of the computer with InSync must be enabled and tested” and “B. Registering the computer” must have been completed first.

Warning: any BIOS/UEFI change after encryption (for example a change to the boot order) puts the disk into BitLocker recovery mode; the recovery key kept in Active Directory is then required to unlock it.

Warning: any change to the TPM chip settings (clearing or disabling the TPM) on an encrypted disk destroys the key the TPM holds and results in data loss unless the recovery key is available.

Warning: do not delete the corresponding computer object in Active Directory, as the recovery key is stored on it.

Faculty Active Directory Managers must connect to the share \\stisrv.epfl.ch\app.
The encryption process is started by running encrypt.cmd in the encrypt folder (\\stisrv.epfl.ch\app\encrypt\encrypt.cmd).
Elevation of privilege is performed automatically, together with a check of some of the preliminary steps *.
The computer then restarts automatically.

You can check that the hard disk has been encrypted by the padlock icon shown on drive C:\ in File Explorer (an open padlock means the drive is encrypted and currently unlocked).
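The padlock icon only tells you that BitLocker is active. As an added example (not part of the page's tooling), the following PowerShell, run in an elevated prompt after the reboot, checks what the procedure above actually relies on: the system volume is fully encrypted, protection is on, the key is bound to the TPM, and a numerical recovery password exists that can be escrowed to the computer object in Active Directory. It is the PowerShell equivalent of the manage-bde -status check given in the FAQ. Get-BitLockerVolume and Backup-BitLockerKeyProtector are the standard BitLocker cmdlets; the Test-SystemDriveEncryption function name, the check labels and the -Escrow switch are this example's own, and the assumption that the recovery password is stored in AD DS follows the warnings above.

```powershell
# Added post-encryption verification (not the page's encrypt.cmd). Assumes BitLocker
# with a TPM protector plus a recovery password, escrowed to Active Directory.
#Requires -RunAsAdministrator

function Test-SystemDriveEncryption {
    param(
        # When set, (re)send every recovery password protector to the AD computer object
        [switch]$Escrow
    )

    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    # Protector types are 'Tpm', 'TpmPin', 'TpmStartupKey', ... and 'RecoveryPassword'
    $tpmProtectors = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    $recovery      = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $checks = [ordered]@{}
    $checks["Volume fully encrypted ($($vol.VolumeStatus), $($vol.EncryptionPercentage)%)"] = ($vol.VolumeStatus -eq 'FullyEncrypted')
    $checks["Protection on (status: $($vol.ProtectionStatus))"]                              = ($vol.ProtectionStatus -eq 'On')
    $checks["Encryption method set ($($vol.EncryptionMethod))"]                              = ($vol.EncryptionMethod -ne 'None')
    $checks['TPM key protector present']                                                     = ($tpmProtectors.Count -gt 0)
    $checks['Recovery password protector present']                                           = ($recovery.Count -gt 0)

    if ($Escrow -and $recovery.Count -gt 0) {
        foreach ($rp in $recovery) {
            # Writes the recovery password to the computer object in AD DS; requires the
            # laptop to reach a domain controller. The password itself is never displayed.
            Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $rp.KeyProtectorId | Out-Null
            Write-Host ("Escrowed recovery password protector {0} to Active Directory" -f $rp.KeyProtectorId)
        }
    }

    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'OK  ' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $mark, $name)
    }
    # $true only when every check passed
    return (-not ($checks.Values -contains $false))
}

# Report only; add -Escrow to also back the recovery password up to AD
Test-SystemDriveEncryption
```

If "Recovery password protector present" fails, no key is available for the recovery screen described in the FAQ, and a BIOS/UEFI or TPM change would make the disk unrecoverable; that situation should be corrected before the laptop leaves the workshop.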

FAQ

  • I lost my Windows laptop with the encrypted hard drive.
    The data on the disk is encrypted; without your password (or the recovery key, which stays in Active Directory), it cannot be accessed.
  • When I start my laptop, a recovery window appears.
    A change to the integrity of the laptop has been detected, for example a change to the boot order.
    The computer requests the recovery key, which is available from the STI Active Directory Administrators.
    After the disk has been unlocked with the recovery key, it will need to be re-encrypted.
  • How can I check that the hard disk is encrypted?
    Start, type cmd, run it as Administrator, then run: manage-bde -status
  • Why did disk encryption fail?

    The most likely reason is that the TPM chip is not properly initialized.
    To verify this:

    • Start, type tpm
    • Open “Device security” in Windows Security, then click the “Security processor details” link
    • Both statuses must be Ready:
      • Attestation: Ready
      • Storage: Ready
  • How do I fix the TPM chip problem?
    It is sometimes possible to switch the chip to a less secure mode (TPM 1.2) in the firmware setup.
  • How do I fix the TPM 2.0 chip problem?
    All the conditions for activating the TPM 2.0 chip must be restored:

    • Enable TPM 2.0 mode in the BIOS/UEFI setup
    • Check that UEFI boot is enabled
    • Reinstall Windows 10 (an installation made in legacy BIOS mode cannot use TPM 2.0)