Posts Tagged ‘BitLocker’

  1. BDE requires TPM version 1.2: On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system drive. However, this configuration requires the user to insert a USB start-up key to start the computer or resume from hibernation, and it does not provide the pre-start-up system integrity verification that BitLocker offers with a TPM. The TPM-only authentication mode is the easiest to deploy, manage, and use, and it may be the most appropriate choice for computers that are unattended or must restart while unattended. However, the TPM-only mode offers the least amount of data protection. If parts of your organization keep highly sensitive data on mobile computers, consider deploying BitLocker with multifactor authentication on those computers.
  2. PIN or USB Start-up disk is required for starting computers protected with BDE: Using a personal identification number (PIN) or a removable start-up key is an optional way of deploying BDE, not a requirement. These additional security measures provide multifactor authentication and the assurance that the computer will not start or resume from hibernation until the correct PIN or start-up key is presented.
  3. BDE is possible only on client computers such as Windows Vista/7/8: This is again not true. BitLocker can be enabled on servers as well; the feature is simply turned off by default. For servers in a shared or potentially non-secure environment, such as a branch office, BitLocker can be used to encrypt the operating system drive and additional data drives on the same server. Note that BitLocker does not support cluster configurations.
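The three points above, turned into a check-and-enable script. This is an added example, not code from the original post; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, a Group Policy that permits a PIN or start-up key ("Require additional authentication at startup"), and `E:\` as a placeholder for a removable drive.

```powershell
# Added example (not from the original post). Assumptions: elevated session,
# Windows 8 / Server 2012 or later, policy allows PIN or startup key, and E:\
# is a placeholder removable drive for the no-TPM case.
$osDrive = $env:SystemDrive   # normally "C:"

# Point 3: servers support BitLocker, but the feature is off by default.
$isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
if ($isServer) {
    if ((Get-WindowsFeature BitLocker).InstallState -ne 'Installed') {
        Install-WindowsFeature BitLocker -IncludeManagementTools
        Write-Warning "BitLocker feature installed; reboot, then re-run this script."
        return
    }
    # BitLocker does not support cluster configurations.
    if ((Get-WindowsFeature Failover-Clustering).InstallState -eq 'Installed') {
        Write-Warning "Failover Clustering is installed; do not encrypt clustered volumes."
    }
}

# Point 1: is there a usable TPM (spec 1.2 or later)?
$tpm     = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace root\cimv2\security\microsofttpm `
            -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion
$tpmUsable = $tpm.TpmPresent -and $tpm.TpmReady
Write-Host "TPM present: $($tpm.TpmPresent)  ready: $($tpm.TpmReady)  spec: $tpmSpec"

# Always add a recovery password first so the drive is never locked out.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null

if ($tpmUsable) {
    # Point 2: TPM-only is easiest but weakest; TPM + PIN adds a second factor
    # while keeping the pre-boot integrity check that only a TPM provides.
    $pin = Read-Host -AsSecureString "Enter a BitLocker startup PIN"
    Enable-BitLocker -MountPoint $osDrive -TpmAndPinProtector -Pin $pin
} else {
    # No TPM: BitLocker still works, but needs a USB startup key at every boot
    # and gives no pre-boot integrity verification.
    Enable-BitLocker -MountPoint $osDrive -StartupKeyProtector -StartupKeyPath "E:\"
}

# Back up the recovery password to Active Directory where the machine is domain-joined.
$vol = Get-BitLockerVolume -MountPoint $osDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    Backup-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $rp.KeyProtectorId
}
$vol | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

Run it once per machine; the protector list printed at the end should show a RecoveryPassword entry plus either a TpmPin or an ExternalKey entry.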