# Comprehensive Guide to BitLocker Management

Deciding whether to focus on protecting the endpoint or the data it contains is a recurring question. Given the increasing value of data and the regulatory attention it receives, both need comprehensive protection, and encryption remains the fundamental safeguard for enterprise data. This document outlines best practices for implementing robust encryption across network endpoints.

1. **Check off all the BitLocker encryption pre-requisites**

   [BitLocker encryption pre-requisites](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/bitlocker-pre-requisites.html) are the criteria a computer must satisfy before it is ready to be encrypted. Meet every pre-requisite before planning the deployment of an encryption policy.

2. **Encrypt every endpoint, irrespective of TPM presence**

   If a device is unencrypted, its data is exposed to unauthorized access: in the event of loss, theft, or compromise, sensitive information can be read and potentially misused. It is therefore critical to ensure encryption across your network, on devices both with and without TPM chips. Please [refer to this page](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/bitlocker-policy-creation.html#settings) to learn more about the encryption settings in Endpoint Central.

   - For computers with a TPM: enable an enhanced PIN in addition to the TPM.
   - For computers without a TPM: a passphrase is the only option.

   **Enhanced PIN with TPM** is the ideal choice for computers equipped with a TPM. However, users must enter the enhanced PIN manually at every boot, which can be cumbersome. As an alternative, you can opt for **TPM alone**, though this is not recommended if you want the strongest security resilience.

3. **Always go for full disk encryption**

   Full disk encryption encrypts all data on a drive, including unused space where traces of deleted data remain and can be recovered. It is the safest option, though it can affect performance. If performance is a concern, choose **Used Disk Space Only encryption**. Kindly [refer to this page](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/bitlocker-policy-creation.html) to learn more about configuring encryption policies.

4. **Encrypt all drives**

   Ensure that all drives, not just the operating system drive, are encrypted. Other volumes may also hold valuable data.

5. **Use the default encryption method**

   Stick with the default encryption method Microsoft recommends for your Windows version. Stronger methods can be configured through a manual policy for compliance or audit reasons, but they may reduce performance and are therefore not recommended. To learn more about the encryption algorithms, [refer to this page](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/bitlocker-policy-creation.html#algorithm).

6. **Back up your BitLocker recovery key without fail**

   If unauthorized access is detected, Windows requires the [BitLocker recovery key](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/recovery-key.html) before the drive is unlocked. Microsoft cannot recover this key if it is lost, so create a secure backup. Enable the **Update recovery key to domain controller** option to store it in Active Directory.

7. **Tighten security by periodically changing the recovery key**

   Enhance security by automatically changing the recovery key on a periodic basis. This rotation can be configured in Endpoint Central when setting up BitLocker policies by enabling the [periodic rotation of the recovery key](https://www.manageengine.com/products/desktop-central/help/bitlocker-management/bitlocker-policy-creation.html#rotation) option.

8. **Practice a "one policy per computer" approach**

   BitLocker is bound to the computer's hardware and is computer-specific, so associate policies with computers, not users. Also ensure that only one policy (either encryption or decryption) is deployed to each computer.
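The following PowerShell script is an added example for items 1, 2 and 4 above; it is not part of the Endpoint Central documentation or product. It uses only the built-in Windows BitLocker, Storage and TrustedPlatformModule cmdlets (`Get-Tpm`, `Confirm-SecureBootUEFI`, `Get-Volume`, `Get-BitLockerVolume`) to report whether an endpoint is encryption-ready, which startup protector fits its hardware, and whether every fixed drive (not only the OS drive) is actually encrypted with protection turned on. The function names `Get-BitLockerReadiness` and `Get-BitLockerCoverage` and the `Compliant` rule are this example's own assumptions.

```powershell
# Added example (not from the Endpoint Central documentation): prerequisite and
# coverage check for BitLocker on a Windows endpoint. Run elevated.

function Get-BitLockerReadiness {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Get-Tpm throws on machines without a TPM driver; treat that as "no TPM".
    $tpmPresent = $false; $tpmReady = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch { }

    # Confirm-SecureBootUEFI only works on UEFI firmware; legacy BIOS throws.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # Item 2: with a ready TPM use TPM + enhanced PIN, otherwise a passphrase.
    $recommended = if ($tpmReady) { 'TpmAndPin' } else { 'Password' }

    [PSCustomObject]@{
        ComputerName           = $env:COMPUTERNAME
        OSCaption              = $os.Caption
        TpmPresent             = $tpmPresent
        TpmReady               = $tpmReady
        SecureBoot             = $secureBoot
        RecommendedOSProtector = $recommended
    }
}

function Get-BitLockerCoverage {
    [CmdletBinding()]
    param()

    # Item 4: every fixed volume with a drive letter, not just the OS drive.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }
    foreach ($v in $fixed) {
        $bl = Get-BitLockerVolume -MountPoint "$($v.DriveLetter):" -ErrorAction SilentlyContinue
        if (-not $bl) { continue }
        [PSCustomObject]@{
            MountPoint       = $bl.MountPoint
            VolumeType       = $bl.VolumeType
            VolumeStatus     = $bl.VolumeStatus
            ProtectionStatus = $bl.ProtectionStatus
            EncryptionMethod = $bl.EncryptionMethod
            Protectors       = ($bl.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ','
            # Assumed compliance rule: fully encrypted AND protection switched on.
            Compliant        = ($bl.VolumeStatus -eq 'FullyEncrypted' -and $bl.ProtectionStatus -eq 'On')
        }
    }
}

Get-BitLockerReadiness | Format-List
Get-BitLockerCoverage  | Format-Table -AutoSize
```

A volume can report `FullyEncrypted` while `ProtectionStatus` is `Off` (protectors suspended, for example after a firmware update), so the coverage check deliberately requires both before marking a drive compliant; the `EncryptionMethod` column also lets you spot drives that deviate from the default cipher discussed in item 5.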
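As an added example for items 2, 3 and 5 (not code from the Endpoint Central product, which applies these settings through its own policies), the following function enables BitLocker on the OS drive with the built-in `Enable-BitLocker` and `Add-BitLockerKeyProtector` cmdlets. It picks TPM + PIN when a ready TPM exists and a passphrase otherwise, encrypts the full disk unless `-UsedSpaceOnly` is requested, and leaves the cipher at the Windows default unless one is passed explicitly. The function name `Enable-OSDriveBitLocker` and its parameters are this example's own.

```powershell
# Added example (not from the Endpoint Central documentation): enable BitLocker on
# the OS drive following the protector, scope and cipher guidance above. Run elevated.
# Enhanced (alphanumeric) PINs additionally need the "Allow enhanced PINs for startup"
# group policy, and passphrase-only machines need "Allow BitLocker without a compatible
# TPM"; this script assumes those policies are already in place and does not set them.

function Enable-OSDriveBitLocker {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # PIN on TPM machines, passphrase on machines without a TPM.
        [Parameter(Mandatory)][securestring]$Secret,
        [string]$MountPoint = $env:SystemDrive,
        # Item 3: full disk by default; pass this switch only when performance matters.
        [switch]$UsedSpaceOnly,
        # Item 5: omit to keep the Windows default; set only for a compliance requirement.
        [ValidateSet('Aes128','Aes256','XtsAes128','XtsAes256')][string]$EncryptionMethod
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        Write-Warning "$MountPoint is already $($vol.VolumeStatus); nothing to do."
        return $vol
    }

    # Decide the protector from the live TPM state, not from configuration.
    $tpmReady = $false
    try { $tpmReady = [bool](Get-Tpm -ErrorAction Stop).TpmReady } catch { }

    $params = @{ MountPoint = $MountPoint; SkipHardwareTest = $true }
    if ($UsedSpaceOnly)    { $params.UsedSpaceOnly    = $true }
    if ($EncryptionMethod) { $params.EncryptionMethod = $EncryptionMethod }

    if ($tpmReady) {
        $mode = 'TPM+PIN'
        $params.TpmAndPinProtector = $true
        $params.Pin = $Secret
    } else {
        # Item 2: without a TPM a passphrase is the only startup protector.
        $mode = 'passphrase'
        $params.PasswordProtector = $true
        $params.Password = $Secret
    }

    if ($PSCmdlet.ShouldProcess($MountPoint, "Enable BitLocker ($mode)")) {
        Enable-BitLocker @params | Out-Null
        # Always add a numerical recovery password as the break-glass protector;
        # item 6's backup to Active Directory relies on it existing.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        return Get-BitLockerVolume -MountPoint $MountPoint
    }
}

# Usage (constructed): prompt for the PIN/passphrase and encrypt the system drive
# in full with the default cipher; add -UsedSpaceOnly for the faster variant.
# $secret = Read-Host -AsSecureString -Prompt 'Startup PIN or passphrase'
# Enable-OSDriveBitLocker -Secret $secret -WhatIf   # drop -WhatIf to apply
```

`-SkipHardwareTest` starts encryption immediately instead of scheduling a reboot-time check; keep the default behaviour on hardware you have not validated before, since the hardware test is what catches a machine whose firmware cannot read the PIN at boot.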
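Items 6 and 7 together describe escrowing the recovery key in Active Directory and rotating it periodically. The function below is an added example of that rotation done safely with the built-in `Add-BitLockerKeyProtector`, `Backup-BitLockerKeyProtector`, `BackupToAAD-BitLockerKeyProtector` and `Remove-BitLockerKeyProtector` cmdlets; it is not Endpoint Central's own rotation mechanism, which the product runs from its policy setting. The ordering is the point: the new recovery password is added and escrowed first, and the old one is removed only after escrow succeeds, so the volume is never left without a backed-up recovery password. The function name `Update-BitLockerRecoveryPassword` and the `-BackupToEntraId` switch are this example's assumptions.

```powershell
# Added example (not from the Endpoint Central documentation): rotate the numerical
# recovery password on a volume and escrow the new one. Run elevated on a domain-joined
# machine with the "Store BitLocker recovery information in AD DS" policy enabled
# (or on an Entra-joined device with -BackupToEntraId).

function Update-BitLockerRecoveryPassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$BackupToEntraId
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $old = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    if (-not $PSCmdlet.ShouldProcess($MountPoint, 'Rotate recovery password')) { return }

    # 1. Add the replacement protector first; the cmdlet returns the updated volume.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                       $old.KeyProtectorId -notcontains $_.KeyProtectorId } |
        Select-Object -First 1
    if (-not $new) { throw "Failed to add a new recovery password protector on $MountPoint" }

    # 2. Escrow it before touching the old one; on failure roll back and keep the old one.
    try {
        if ($BackupToEntraId) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        } else {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        }
    } catch {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null
        throw "Escrow of the new recovery password failed; previous protector retained. $_"
    }

    # 3. Only now retire the previous recovery password(s).
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    [PSCustomObject]@{
        MountPoint        = $MountPoint
        NewProtectorId    = $new.KeyProtectorId
        RetiredProtectors = $old.Count
    }
}

# Usage (constructed): rotate the OS drive's recovery password and escrow it in AD DS.
# Update-BitLockerRecoveryPassword -MountPoint 'C:' -WhatIf   # drop -WhatIf to apply
```

Run it on a schedule to get the periodic rotation item 7 describes, and apply it to every encrypted volume from item 4, not only the OS drive. After rotation, confirm in Active Directory (the `msFVE-RecoveryInformation` objects under the computer account) that the new password is present before relying on it; the old password stays valid only until step 3 removes it.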