[Photo taken from above of a hall in an institution, with students at tables]

Victory or dependence?

UU and SURF prompt Microsoft to make a global change to Windows disk encryption

What started as a student whose laptop was inaccessible ended with a global modification in Windows. Utrecht University (UU) and SURF succeeded in persuading Microsoft to make a fundamental change in BitLocker disk encryption. But what does this mean in the long run for the autonomy of the education and research sector?

Utrecht University (UU) and SURF led Microsoft to make a fundamental change to Windows security worldwide. The trigger was unwanted behaviour of BitLocker, the disk encryption in Windows that automatically encrypts the data on a device or disk to protect it from unauthorised access. In 2023, BitLocker was activated at UU. For students who used the university's Microsoft licence on their private laptops, BitLocker was also automatically turned on, without UU having opted in. When the students wanted to use their encrypted PCs again, they had to bring them to the university, because the university, as the licensee, held the digital key needed to restore access.

A student puts a finger on the sore spot

In summer 2023, a UU student contacted the IT service desk for this problem. The university concluded that it was fundamentally wrong for private laptops to be blocked by an institution's security. After all, it has no control over students' private data. Moreover, the situation causes a lot of annoyance and inconvenience as long as the data lock is in operation.

[Portrait photo of a man against a yellow background]

Jonas Folkers

UU was not alone in identifying the problem. This emerged from conversations by Jonas Folkers, privacy officer at UU, with other educational organisations. He sought contact with SURF to raise the issue as a collective with Microsoft.

"We framed it as a privacy issue," he explains. That way, the issue could be presented to Microsoft's legal department as a demand for change, rather than as a feature request to the service department. "We argued that this case relied on unlawful processing of personal data. Microsoft was not acting on behalf of the education organisation and made it ultimately responsible for applying encryption without consent, unasked."

Microsoft adjusts Windows

Microsoft acknowledged the problem and first came up with a quick fix. This consisted of a program to which students could log in with their UU credentials. It then allowed them to download the recovery code and store it in a place they could access themselves. Folkers says this solution was not deployed. "We didn't want to teach our students that they have to enter login credentials into a programme delivered via e-mail. That goes against information security best practices."


Microsoft finally fixed the problem last October in the 24H2 version of Windows. When a student uses a local Microsoft account and then connects the laptop to a school or organisation, BitLocker is no longer automatically enabled. Students can enable BitLocker themselves, but in that case Microsoft stores the recovery code in the personal account, i.e. no longer with the educational organisation.
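The practical question behind both the original problem and the 24H2 change is who holds the recovery key for an encrypted volume. The following PowerShell snippet is an added example, not code from the article, from UU, SURF or Microsoft. It uses the built-in BitLocker module (`Get-BitLockerVolume`) to list each volume's protection status and key protector types, so a device owner or a service desk can see whether a recovery password protector exists at all. Note that the cmdlet shows only the protector types on the device; it does not show where a recovery password has been backed up (personal Microsoft account, an organisation's directory, or nowhere), so that has to be checked with the account holder. The function name and the warning text are the example's own.

```powershell
# Added example (not from the SURF Magazine article): inventory BitLocker state
# and key protectors on the local Windows device. Requires the built-in
# BitLocker PowerShell module and an elevated prompt.
#Requires -RunAsAdministrator

function Get-BitLockerInventory {
    [CmdletBinding()]
    param(
        # Hypothetical switch for this example: include the recovery password
        # text itself in the output so the owner can store it somewhere they
        # control. Off by default because it is a secret.
        [switch]$IncludeRecoveryPassword
    )

    foreach ($vol in Get-BitLockerVolume) {
        $protectors = @($vol.KeyProtector)
        $types      = @($protectors | ForEach-Object { $_.KeyProtectorType.ToString() })
        $recovery   = @($protectors | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $row = [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus.ToString()
            ProtectionStatus    = $vol.ProtectionStatus.ToString()
            EncryptionMethod    = $vol.EncryptionMethod.ToString()
            Protectors          = ($types -join ', ')
            HasRecoveryPassword = ($recovery.Count -gt 0)
        }

        if ($IncludeRecoveryPassword) {
            # One volume may carry several recovery password protectors; join them.
            $row | Add-Member -NotePropertyName RecoveryPassword `
                              -NotePropertyValue (($recovery | ForEach-Object RecoveryPassword) -join '; ')
        }

        $row
    }
}

$inventory = Get-BitLockerInventory
$inventory | Format-Table -AutoSize

# A volume that is protected but has no recovery password protector cannot be
# unlocked if the TPM/PIN path fails. A volume that does have one is only as
# recoverable as the party holding that password, which is the situation the
# article describes: the licensee held the key, the device owner did not.
$inventory |
    Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.HasRecoveryPassword } |
    ForEach-Object { Write-Warning "$($_.MountPoint): protected, but no recovery password protector found" }
```

Run it from an elevated PowerShell prompt on the device itself. To let the owner keep a copy of the recovery password, call `Get-BitLockerInventory -IncludeRecoveryPassword` and store the result in a location the owner controls (a password manager or an offline print-out), not in e-mail, which is the practice Folkers objects to in the quick fix above.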

According to Folkers, this success would never have been achieved if he had raised the issue with Microsoft as a representative of a single educational organisation. "Colleagues from other institutions recognised the problem. As a result, it felt very natural to escalate to SURF. I did have an entry point to Microsoft myself through our customer relations manager, but then, I think, the complaint would have been taken less seriously and it would have taken longer to find a solution."

Global impact and industry-wide dilemma

The update does not only apply to the Netherlands. With Windows update 24H2, users of the education edition benefit from this improvement worldwide. However, the situation raises questions. Are education organisations doing the right thing by proposing such product improvements, and thereby potentially further strengthening the position of a vendor with great market power? And how does this relate to the sector's long-term desire to invest precisely in developing a market for alternative providers?

[Man behind a laptop in a low seat, with plants in the background]

"In terms of time and money, it is more effective, especially for the short term, to invest in a Microsoft-like product," Folkers argues. "I absolutely understand the dilemma that we are basically giving free advice to US parties, perhaps stifling the flowering of European alternatives." He does stress, however, that educational institutions cannot afford dropouts or delays. Moreover, switching can be very difficult technically and organisationally. "We do almost all our work with Microsoft products: mail, SharePoint, Teams," he says.

[Photo of a man in a suit with a bow tie and glasses on a staircase]

Marlon Domingus

Plea for a hybrid approach

Working with alternative providers also entails a risk. "You do want to be able to trust that such a provider will still exist in ten years' time," is how Marlon Domingus describes one of the concerns among educational organisations. Domingus is a philosopher, data protection officer (FG) of Erasmus University Rotterdam and chair of the SURF Taskforce Beyond Privacy Shield, but speaks here solely in a personal capacity.

According to Domingus, a hybrid approach to the dilemma could also be considered: "The solution does not lie in a black-and-white choice between Big Tech or a European alternative, but in becoming strategically mature as a sector: making better agreements with existing suppliers as well as making controlled investments in new alternatives."


He sees opportunities in setting up sandbox environments, for example under the SURF banner. "By this I do not mean that everything is possible and legislation no longer applies. I'm thinking more of a testbed." This would allow us to gain experience with the services of new providers in the limited context of research, for example, without immediately taking all the risks.

The education sector has its own responsibility

Domingus also reminds education organisations of their own responsibility for the current situation. "We used to just have local mail servers and support. We got rid of all those at some point because we wanted to be unburdened. But now we are still in worry."

Invest more in governance; complain less without taking action yourself. That would do educational organisations credit, Domingus believes.


Text: Thijs Doorenbosch

'Victory or dependence? UU and SURF move Microsoft to global adaptation in disk encryption Windows' is an article from SURF Magazine.


Questions following this article? Mail to magazine@surf.nl.