BitLocker (Desktop)

Use this dialog box to configure BitLocker encryption on Windows Desktop devices when:


Require Device Encryption: When enabled, the user will be prompted to turn on device encryption.
Encryption by Drive Type: This option enables you to select the default encryption method for each of the different drive types.
System Drive Encryption Method: Select the encryption method for system drives.
Fixed Drive Encryption Method: Select the encryption method for fixed drives.
Removable Drive Encryption Method: Select the encryption method for removable drives.

System Drives

Minimum PIN Length for Startup: Configure a minimum length for a Trusted Platform Module (TPM) startup PIN. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
Require Additional Authentication: Configure whether BitLocker requires additional authentication each time the computer starts and whether BitLocker should be used with or without a Trusted Platform Module (TPM).
Non-TPM Startup: Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
TPM Startup: Configure TPM startup key for computers with TPM.
TPM Startup PIN: When the computer starts, it can require the entry of a 6-digit to 20-digit personal identification number (PIN).
TPM Startup Key and PIN: When the computer starts, it can require insertion of a USB flash drive containing a startup key, and the entry of a 6-digit to 20-digit personal identification number (PIN).
System Drives Recovery: Select whether to enable recovery of encrypted system drives.
Allow Certificate-based DRA: Select this option to enable a certificate-based data recovery agent (DRA) to be used with BitLocker-protected operating system drives.
Recovery Password: Select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
Recovery Key: Select whether users are allowed, required, or not allowed to generate a 256-bit recovery key.
Hide Recovery Options: Omit operating system drives recovery options from the BitLocker setup wizard.
Backup to Active Directory: Save BitLocker recovery information to Active Directory Domain Services for operating system drives.
Require Active Directory Backup: Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives.
Active Directory Storage: Configure storage of BitLocker information to Active Directory Domain Services for operating system drives.
Pre-boot Recovery Message: Configure whether a pre-boot recovery message and URL are enabled.
Pre-boot Recovery Information: Select whether to use the default recovery message and URL, a custom recovery message, or a custom recovery URL.
Pre-boot Custom Recovery Message: Enter a custom pre-boot recovery message. The maximum message length is 900 characters.
Pre-boot Custom Recovery URL: Enter a custom pre-boot recovery URL.

Fixed Drives

Fixed Drives Require Encryption: When enabled, encryption must be turned on to write data to a fixed drive.
Fixed Drives Recovery: Select whether to enable recovery of encrypted fixed drives.
Allow Data Recovery Agent: Specify whether a data recovery agent can be used with encrypted fixed data drives.
Recovery Password: Specify whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
Recovery Key: Specify whether users are allowed, required, or not allowed to generate a 256-digit recovery key.
Hide Recovery Options: Omit fixed-drive recovery options from the BitLocker setup wizard.
Backup to Active Directory: Save BitLocker recovery information to Active Directory Domain Services for fixed data drives.
Require Active Directory Backup: Do not enable BitLocker until recovery information is stored to Active Directory Domain Services.
Active Directory Storage: Configure storage of BitLocker information to Active Directory Domain Services for fixed drives.

Removable Drives

Require Removable Drive Encryption: When enabled, encryption must be turned on to write data to a removable drive.
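
One way to confirm on a managed device that the encryption method, startup authentication, and recovery password settings described on this page took effect, using the built-in Windows `Get-BitLockerVolume` cmdlet. This is an added example, not part of the original documentation; the expected values (`XtsAes256`, `TpmPin`, recovery password required) and the function name `Test-BitLockerVolumePolicy` are assumptions to replace with the values chosen in your own profile.

```powershell
# Added example: audit local volumes against an assumed BitLocker policy.
# Run in an elevated PowerShell session on the managed device.

# Assumed policy choices (not taken from the page); adjust to your profile.
$ExpectedMethod     = 'XtsAes256'   # encryption method selected for the drives
$OsStartupProtector = 'TpmPin'      # "TPM Startup PIN" set to required
$RequireRecoveryPwd = $true         # "Recovery Password" set to required

function Test-BitLockerVolumePolicy {
    param([Parameter(Mandatory)] $Volume)

    $findings   = @()
    # Key protector types present on the volume, as strings (Tpm, TpmPin, RecoveryPassword, ...).
    $protectors = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    if ("$($Volume.ProtectionStatus)" -ne 'On') {
        $findings += 'protection is not on'
    }
    if ("$($Volume.EncryptionMethod)" -ne $ExpectedMethod) {
        $findings += "encryption method is $($Volume.EncryptionMethod), expected $ExpectedMethod"
    }
    if ($RequireRecoveryPwd -and $protectors -notcontains 'RecoveryPassword') {
        $findings += 'no 48-digit recovery password protector'
    }
    # Startup authentication applies only to the operating system volume.
    if ("$($Volume.VolumeType)" -eq 'OperatingSystem' -and
        $protectors -notcontains $OsStartupProtector) {
        $findings += "startup protector $OsStartupProtector missing (found: $($protectors -join ', '))"
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        VolumeType = "$($Volume.VolumeType)"
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

Get-BitLockerVolume |
    ForEach-Object { Test-BitLockerVolumePolicy -Volume $_ } |
    Format-Table -AutoSize -Wrap
```

The script only reads local volume state; whether recovery information actually reached Active Directory Domain Services has to be verified on the directory side.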