Skip to content

Encryption for you Windows device


Without disk encryption, the person who has physical access to a computer can get access to all the data stored on this computer’s fixed (HDD or SSD) disks, including documents and emails stored in the local copy of the users’ mailbox. This is particularly relevant to portable computers in case they are lost or stolen.

Windows 10 and later operating systems have a full disk encryption technology called BitLocker built into the operating system. This document presents the configuration steps to enable BitLocker to encrypt the fixed disks in your Windows computer. Before deciding whether to encrypt the disk or not, please note the following side effects of disk encryption.

Side effects of disk encryption

Disk encryption makes it impossible to access the data on the disk without first decrypting it. This has the following side effects:

  • Neither you nor the Service Desk personnel will be able to access the data on your disk without the recovery key in case:

    • You forget your PIN

    • Your computer hardware is damaged

    • Your BIOS is updated

    • You want to access your disk from a different computer

  • In case of physical damage to the disk, it may be impossible to recover the data even with the recovery key.

  • An unsuccessful attempt to encrypt the disk could result in data loss.

On the other hand, the recovery key enables anyone to decrypt the disk.


It is essential to save the recovery key, store the recovery key it in a secure place. It is also essential to properly back up the data.

If you are using a NICE Windows PC your data (My Documents, Desktop, etc.) is normally synchronized with your personal DFS space or your CERNBox space. Any document saved in another local folder should be backed up before proceeding.

You should not install the Bitlocker CMF package if you use multiple operating systems.

Maximising the protection provided by BitLocker on Windows BitLocker provides the strongest protection when:

  • A PIN is required on computer start-up and

  • When not used, your computer is shut down or hibernated rather than put to sleep.

Once the operating system is running, the encryption key is loaded in the memory and the computer can be vulnerable to other types of security attacks.

By default the CMF Bitlocker packages encrypts your hard drive without PIN.

How to install the package

Go on the “Add and Remove CMF Packages” page.

Tick the package MS Bitlocker for W8 or MS Bitlocker for W10 depending on your operating system and then click on save.

After a short while CMF should start blinking.

The installation process will ask you to restart, so preferably close any other open application before starting the installation. You will be asked to confirm the modification of TPM ownership by pressing F1 or F10 (depending on your hardware).

If your computer is less than 2 years old and the package is not available on CMF you first have to enable TPM in your computer’s BIOS. If the package fails, please open tpm.msc and click on "Initialize TPM" and try to install the package again.

After the second restart the encryption process will start in the backbround. You then can work normally and stop or restart your computer whenever you want.

Additional settings

If you want to add a startup PIN, please follow those configuration steps: - Right click on Command Prompt and “Run as administrator”.
- Then type in
manage-bde -protectors -add c: -TPMAndPIN
- Type your PIN when asked and validate by pressing “Enter”.

Post-installation information

Once the package is installed, your hard drive contains a new partition which is not visible in Windows Explorer.

In case of reinstallation of your operating system you first need to clean the complete disk by clicking on Disk 0 on the left part and then on “Clean Complete Disk” before installing Windows again.

If you need the recovery key, you can find it on this page