From within GPME, select Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption.
You can now go through the available policies and configure them to meet the requirements of your environment. Some useful policy settings that you may wish to adjust include:
1. Store BitLocker recovery information in Active Directory: With this policy enabled it will only be possible to enable BitLocker if an Active Directory domain controller is available so that the recovery key can be stored there. If a domain controller is not available, BitLocker will not enable. This allows you to centrally manage BitLocker recovery keys, as they will be stored in Active Directory.
2. Choose drive encryption method and cipher strength: By default for Windows 10 this will set XTS-AES 128-bit encryption; this can be modified to XTS-AES 256-bit instead for higher protection.
3. Require additional authentication at startup: Rather than only using one authentication method such as TPM, this policy can be enabled to instead require both TPM and a PIN, TPM and a startup key, or TPM with a startup key and PIN.
4. Allow enhanced PINs for startup: Enhanced PINs allow you to use additional characters such as uppercase, lowercase, numbers and symbols and should be turned on by default. It allows for stronger PINs to be set.
5. Configure minimum PIN length for startup: This allows you to configure the minimum PIN length, which can ensure that your users are forced to set strong BitLocker PINs.
About your concern: "When the PIN is typed in incorrectly too many times, it locks out the user until they get the recovery key from us in IT."
You don't need to worry: after too many PIN entry attempts, the TPM chip thinks it's being threatened and therefore locks itself, preventing the PIN entry (which you're most likely typing in correctly) from unlocking the drive.
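An added example, not part of the answer above: a PowerShell script to verify on a client that the five policy settings listed in the answer actually applied, to look at the protectors present on the OS volume, and to read the TPM anti-hammering lockout state the reply refers to. The registry value names are the ones the BitLocker ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\FVE; the baseline values (XTS-AES 256, TPM + PIN required, minimum PIN length 8, recovery information required in AD DS) are this example's own assumptions, not a requirement stated in the answer.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answer): audit the BitLocker GPO settings discussed above
# on a domain-joined Windows 10 client, inspect the OS volume's protectors, and report whether the
# TPM is currently in its anti-hammering lockout. Run after "gpupdate /force".

$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Desired baseline (an assumption of this example). Value names are those written by the
# BitLocker ADMX. If you configured recovery-key backup through the newer per-drive policy
# ("Choose how BitLocker-protected operating system drives can be recovered") instead of the
# legacy "Store BitLocker recovery information in AD DS" policy, the equivalent values are
# OSActiveDirectoryBackup and OSRequireActiveDirectoryBackup.
$Baseline = [ordered]@{
    'ActiveDirectoryBackup'        = 1   # save recovery information to AD DS
    'RequireActiveDirectoryBackup' = 1   # do not enable BitLocker until that backup succeeds
    'EncryptionMethodWithXtsOs'    = 7   # 6 = XTS-AES 128 (Windows 10 default), 7 = XTS-AES 256
    'UseAdvancedStartup'           = 1   # "Require additional authentication at startup": enabled
    'UseTPM'                       = 0   # 0 = do not allow TPM-only, 1 = require, 2 = allow
    'UseTPMPIN'                    = 1   # require a startup PIN with the TPM
    'UseTPMKey'                    = 0   # do not allow a startup key alone with the TPM
    'UseTPMKeyPIN'                 = 0   # do not allow startup key + PIN
    'UseEnhancedPin'               = 1   # "Allow enhanced PINs for startup": enabled
    'MinimumPIN'                   = 8   # "Configure minimum PIN length for startup" (4..20)
}

function Test-BitLockerPolicy {
    # Compare each expected policy value with what is actually present in the policy key.
    param(
        [System.Collections.IDictionary]$Expected = $Baseline,
        [string]$Key = $FvePolicyKey
    )
    $actual = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = if ($actual -and $null -ne $actual.$name) { [int]$actual.$name } else { $null }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $value
            Compliant = ($value -eq $Expected[$name])
        }
    }
}

function Get-OsVolumeProtection {
    # Live state of the OS volume: cipher in use and which key protectors exist.
    # With TPM + PIN enforced you expect "TpmPin" plus a "RecoveryPassword" protector.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

function Backup-OsRecoveryPasswordToAd {
    # Remediation for machines encrypted before the AD DS backup policy applied: push each
    # numerical recovery password protector to AD DS so IT can retrieve it after a TPM lockout.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    foreach ($p in $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }) {
        Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

function Get-TpmLockoutState {
    # The anti-hammering state the reply describes: while LockedOut is True the TPM will not
    # unseal the volume key even for a correct PIN, so BitLocker falls back to the recovery
    # password until the lockout heals (LockoutHealTime) or the TPM is reset by an administrator.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmReady        = $tpm.TpmReady
        LockedOut       = $tpm.LockedOut
        LockoutCount    = $tpm.LockoutCount
        LockoutMax      = $tpm.LockoutMax
        LockoutHealTime = $tpm.LockoutHealTime
    }
}

$policy = Test-BitLockerPolicy
$policy | Format-Table -AutoSize
if ($policy | Where-Object { -not $_.Compliant }) {
    Write-Warning 'One or more BitLocker policy values differ from the baseline; check GPO scope/filtering and rerun gpupdate /force.'
}
Get-OsVolumeProtection | Format-List
Get-TpmLockoutState | Format-List
```

Run it from an elevated prompt on a client in the GPO's scope. A non-compliant row usually means the GPO is not linked or filtered to that computer, or policy has not refreshed yet; a volume that shows only a "Tpm" protector was encrypted before the TPM + PIN policy took effect and needs its protectors changed rather than a policy fix. Call Backup-OsRecoveryPasswordToAd only on machines whose recovery password is not yet in AD DS; it is not needed where the "require backup" setting was already in force when BitLocker was enabled.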