Select the Security management → Encryption section.
The displayed Using encryption on devices window allows you to enable and disable encryption in security profiles, and to go to the list of reports.
Click the Enable encryption for Windows button.
The button is available only if there is at least one security profile in which encryption of devices running Windows has not yet been enabled.
The Enable Encryption Management for devices running Windows window opens.
Select the check boxes next to the names of the security profiles in which you want to enable encryption.
The list contains only those security profiles in which encryption has not yet been enabled.
Click the Enable Encryption Management button.
Define the encryption settings:
If you want to turn on the encryption module without sending the actual command to encrypt your users' devices, select the Decrypt devices option.
By default, the Encrypt devices option is selected.
If you want to use hardware encryption, enable the Hardware encryption toggle switch. If this toggle switch is disabled, software encryption is used.
Hardware encryption lets you increase the speed of encryption and use fewer computer resources.
If you want to enable authentication by using Trusted Platform Module (TPM), enable the Authentication by using Trusted Platform Module (TPM) toggle switch.
A TPM is a microchip developed to provide basic functions related to security (for example, for storing encryption keys). A TPM is usually installed on the computer motherboard and interacts with all other system components through the hardware bus.
If you enabled the Authentication by using Trusted Platform Module (TPM) option during the previous step, click the Settings link below the Authentication by using Trusted Platform Module (TPM) section.
The Trusted Platform Module (TPM) authentication settings window opens.
If you want to set a PIN code that will be requested when the user attempts to gain access to an encryption key, enable the Use PIN where available option. In the Minimum PIN length (digits) field, you can specify the minimum number of digits that a PIN code must contain.
A PIN code will be used to gain access to encryption keys that are stored in TPM, if TPM is available on the device.
If you want encryption keys to remain accessible when TPM is not available on the device, enable the Authorization by using password option. In the Minimum password length (characters) field, you can specify the minimum number of characters that a password must contain.
Access to encryption keys will be protected by a password.
On devices running Windows 7 and Windows Server 2008 R2, only encryption that uses TPM is available. If the TPM module is not installed on such devices, they cannot be encrypted. Using a password is not supported on such devices.
If you want to enable BitLocker authentication in the preboot environment on tablet computers, enable the Enable the use of BitLocker authentication on Windows tablets toggle switch.
The touchscreen of tablet computers is not available in the preboot environment. To complete BitLocker authentication on tablet computers, the user must, for example, connect a USB keyboard.
Click Next to continue.
Check the list of security profiles in which you want to enable encryption, and the encryption settings that you defined.
Click the Apply button.
Encryption is enabled in the selected security profiles with the defined settings.
The encryption and decryption of devices may take a long time. You can use the Encryption status of devices report to see the current encryption status.
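To confirm on an individual device that the settings from the procedure above took effect, an administrator can compare the local BitLocker state with the profile. The script below is an added example, not part of the product or its documentation. It assumes an elevated PowerShell session on a Windows version that ships the built-in Get-Tpm and Get-BitLockerVolume cmdlets; the function name Get-EncryptionAuthSummary is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: summarize the local BitLocker state that the profile settings
# (hardware encryption, TPM, PIN, password) are expected to produce.

function Get-EncryptionAuthSummary {   # hypothetical helper name
    param([string]$MountPoint = $env:SystemDrive)

    # TPM presence decides which authentication option can apply on this device.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Collect the key protector types present on the volume as strings.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Map the protectors to the options in the TPM authentication settings window.
    $auth = if     ($types -contains 'TpmPin')   { 'TPM with PIN' }
            elseif ($types -contains 'Tpm')      { 'TPM only (no PIN)' }
            elseif ($types -contains 'Password') { 'Password (TPM not used)' }
            else                                 { 'No TPM, PIN or password protector' }

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        TpmPresent          = [bool]($tpm -and $tpm.TpmPresent)
        TpmReady            = [bool]($tpm -and $tpm.TpmReady)
        VolumeStatus        = $vol.VolumeStatus          # e.g. EncryptionInProgress, FullyEncrypted
        PercentEncrypted    = $vol.EncryptionPercentage
        ProtectionStatus    = $vol.ProtectionStatus      # On or Off
        EncryptionMethod    = $vol.EncryptionMethod
        HardwareEncrypted   = ($vol.EncryptionMethod.ToString() -eq 'HardwareEncryption')
        Authentication      = $auth
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

Get-EncryptionAuthSummary | Format-List
```

A VolumeStatus of EncryptionInProgress with a rising PercentEncrypted value corresponds to a device that is still being encrypted after the profile was applied.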