One other thing to be aware of is that some enterprises want to have up-to-date information and control on which machines are encrypted, which portable drives are encrypted (if forcing BitLocker to go on USB devices), allow help-desk or admin staff to be able to access and provide recovery keys in the event of someone forgetting their TPM PIN or of disk failure, and more targeted enforcement. To give BitLocker real enterprise-grade manageability and address these issues (and more), you also want to think about adding MBAM as your management and key escrow (in addition to AD) location. However, as you can see, MBAM requires access to MDOP, access to which you may or may not have already acquired from Microsoft as part of your volume licensing agreement and software assurance. BitLocker + MBAM is really powerful though (and scales to tens or even hundreds of thousands of endpoints quite well), so it is worth it.
Also, one other security caveat is that you generally want to force TPM + PIN (or at least USB key if a v1.2 TPM isn't available), as well as disabling hybrid sleep. BitLocker only protects data at rest, so if the machine is sleeping (and not hibernated or off), the security keys used to unlock the volume that are stored in RAM can be brute-forced if given enough physical time with the machine in a powered-on (sleep) state, as RAM is not cleared (for obvious reasons - it's sleep!). This is true of any volume or disk encryption software, but it still bears repeating as some admins forget about disabling hybrid sleep when they start encrypting volumes.
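The following is an added example, not code from the post above, that audits the three points the reply raises (protection and pre-boot authenticator on each volume, presence of a recovery password that can be escrowed, and whether hybrid sleep is still enabled). It assumes the built-in BitLocker and TrustedPlatformModule PowerShell modules (Windows 8.1 / Server 2012 R2 and later) and an elevated session; the function name and the report layout are mine, and the script is read-only so it can be run across a fleet before any enforcement is rolled out.

```powershell
# Added example (not from the original post). Read-only posture check for
# BitLocker + TPM/PIN + hybrid sleep. Assumes: elevated session, BitLocker and
# TrustedPlatformModule modules available. Function name is my own choice.

function Get-BitLockerPostureReport {
    [CmdletBinding()]
    param()

    # TPM presence and spec version: TPM+PIN needs a ready TPM (v1.2 or 2.0).
    $tpm     = Get-Tpm -ErrorAction SilentlyContinue
    $tpmSpec = (Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                -ClassName Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion

    # Hybrid sleep: read the AC and DC indexes of the current power scheme.
    # HYBRIDSLEEP is the documented powercfg alias for "Allow hybrid sleep".
    $pcOut = (powercfg /query SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 2>$null) -join "`n"
    $acHex = [regex]::Match($pcOut, 'AC Power Setting Index:\s*0x([0-9A-Fa-f]+)').Groups[1].Value
    $dcHex = [regex]::Match($pcOut, 'DC Power Setting Index:\s*0x([0-9A-Fa-f]+)').Groups[1].Value
    $acHybrid = if ($acHex) { [Convert]::ToInt32($acHex, 16) } else { -1 }   # -1 = could not read
    $dcHybrid = if ($dcHex) { [Convert]::ToInt32($dcHex, 16) } else { -1 }

    # Per-volume view: which protectors are present and whether the OS volume
    # actually requires a pre-boot secret (TPM+PIN, or a startup key when no TPM).
    $volumes = Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $isOS  = ($_.VolumeType -eq 'OperatingSystem')
        $preBootOk = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey') -or
                     ((-not $tpm.TpmPresent) -and ($types -contains 'ExternalKey'))
        [pscustomobject]@{
            MountPoint          = $_.MountPoint
            VolumeType          = $_.VolumeType.ToString()
            ProtectionOn        = ($_.ProtectionStatus -eq 'On')
            EncryptionMethod    = $_.EncryptionMethod.ToString()
            KeyProtectors       = ($types -join ',')
            HasRecoveryPassword = ($types -contains 'RecoveryPassword')
            PreBootAuthOk       = if ($isOS) { $preBootOk } else { $true }
        }
    }

    # Collect findings in the order an admin would remediate them.
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($v in $volumes) {
        if (-not $v.ProtectionOn) {
            $findings.Add("$($v.MountPoint): BitLocker protection is off")
        }
        if (-not $v.PreBootAuthOk) {
            $findings.Add("$($v.MountPoint): OS volume has no TPM+PIN (or startup key) protector; TPM-only unlock")
        }
        if (-not $v.HasRecoveryPassword) {
            $findings.Add("$($v.MountPoint): no recovery password protector, nothing to escrow to AD/MBAM")
        }
    }
    if ($acHybrid -ne 0 -or $dcHybrid -ne 0) {
        $findings.Add("Hybrid sleep not disabled (AC=$acHybrid DC=$dcHybrid); volume keys stay in RAM while asleep")
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TpmPresent     = [bool]$tpm.TpmPresent
        TpmReady       = [bool]$tpm.TpmReady
        TpmSpecVersion = $tpmSpec
        HybridSleepAC  = $acHybrid
        HybridSleepDC  = $dcHybrid
        Volumes        = $volumes
        Findings       = $findings
        Compliant      = ($findings.Count -eq 0)
    }
}

# Usage: print the summary, then the per-volume detail.
$report = Get-BitLockerPostureReport
$report | Select-Object ComputerName, TpmPresent, TpmSpecVersion, HybridSleepAC, HybridSleepDC, Compliant
$report.Volumes | Format-Table -AutoSize
$report.Findings
```

Remediation for each finding maps onto standard tooling rather than this script: `powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HYBRIDSLEEP 0` (and `/setdcvalueindex`) turns hybrid sleep off, `Add-BitLockerKeyProtector -MountPoint C: -TpmAndPinProtector` adds the PIN requirement, and `Backup-BitLockerKeyProtector` pushes an existing recovery password protector to AD once the FVE Group Policy allows backup. Escrow into MBAM is done by the MBAM agent under its own policy, so the script only checks that a recovery password protector exists for it to pick up.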