Windows Laptop Encryption

Overview

The purpose of Laptop Encryption is to ensure that in the event of theft, the data stored on a University owned laptop is not accessible by external parties. 

Scope

  • All Windows laptops purchased under the current OGP/HEAnet procurement framework, including laptops purchased using external research funding
  • Existing University owned Windows laptops currently in use on campus
  • The policy applies to Windows 7* and Windows 10 only. 

Pre-requisites

The laptop must be connected to University of Galway’s Active Directory service. This is normally done as part of the Node Registration process.

How to encrypt your laptop

 New Laptops

All Dell laptops ordered from the current supplier will be encrypted. The process is as follows:

  • A laptop will be ordered directly by a unit or by ISS under the Registrars Staff PC Scheme
  • The supplier will deliver the laptop directly to ISS
  • ISS will inform the contract on the Purchase Order that the laptop has arrived on-site, and request them to inform the intended recipient of the laptop to raise a Service Desk ticket to request a new node connection. The laptop will be encrypted as part of this process
  • Once encrypted, the used will be asked to assign a unique PIN number to their laptop
  • A Master Encryption key will be stored in Active Directory. This is to ensure the device can be recovered by ISS in the event of a PIN been forgotten by the system owner

 Existing Laptops

Existing laptops can be encrypted on request. To do so, the following steps must be performed:

  • The user must raise a service desk ticket under the following category:
    • 03 Desktop/Laptop Support - Laptop Encryption
    • The user will be asked to bring the laptop to ISS where the encryption will be done
    • The user will also be asked to choose an initial PIN for the laptop. They will be given instructions on how to can change this later, if required
    • Please ensure that you have a good backup of your exisiting data saved to an external drive or network share prior to presenting the laptop to ISS
    • Depending on the condition of the laptop and amount of data on the laptop, the process may take up to 2 days to complete. Part of the process includes updating all Windows updates and also all local firmware/BIOS on the device to ensure that it is Bitlocker compliant
    • Data taken off the laptop is NOT encrypted when emailed/moved to another computer. Data is only encrypted whilst on the actual laptop
  • NB: If you laptop is encrypted and subsequently suffers an error with the operating system (Windows 7/10) OR the laptop hard drive fails, ISS CANNOT recover any data on the laptop due to its encrypted state. It is vitially important that any local data on the laptop is frequently backed up to another source

Exceptions

  • ISS will not encrypt laptops purchased outside of the OGP/Heanet framework
  • ISS cannot encrypt older models where the BIOS/OS does not support Bitlocker encryption
  • ISS will not encrypt Linux laptops or dual-boot laptops
  • In the event of any of the above exceptions, it is the responsibility of the user to ensure that no sensitive data is stored locally on the device

*Windows 7 is no longer supported and is a security risk -  it is strongly recommended that the device is reimaged to Windows 10 (if compatible) or you purchase a new replacement device that will have a University approved/supported configuration. Please contact the Service Desk if you wish to get more information on this.