Manage full disk encryption / BitLocker Drive Encryption
To use the logon methods TPM + PIN, TPM + Startup Key, Startup Key, or Password, the Group Policy Require additional authentication at startup must be enabled, either in Active Directory or locally on the computers. In the Local Group Policy Editor (gpedit.msc), the Group Policy can be found here: Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drive.
To use Startup Key, you must activate Allow BitLocker without a compatible TPM in the Group Policy.
With the SGNState command line tool (administrative rights necessary), you can check whether the endpoint is prepared appropriately for BitLocker encryption. In some cases, the Windows BitLocker Drive Preparation Tool must be executed. For more information, see Sophos knowledgebase article 120819.
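To confirm on an endpoint that the Group Policy settings described above have actually been applied, the following added example (not part of the original documentation or of the Sophos tooling) reads the registry values that Windows writes for these policies. The key path and value names are not given on this page; they are the standard BitLocker policy values under `HKLM:\SOFTWARE\Policies\Microsoft\FVE`.

```powershell
# Added example: report the effective state of "Require additional
# authentication at startup" and its related options on this computer.
# Key path and value names are the Windows BitLocker policy values;
# they do not appear on the original page.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null when the key or value does not exist (policy not configured).
    $item = Get-ItemProperty -Path $fveKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Format-OnOff {
    param($Value)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Value -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

function Format-TpmOption {
    param($Value)
    # TPM startup options are stored as 0, 1 or 2.
    switch ($Value) {
        $null   { 'Not configured' }
        0       { 'Do not allow' }
        1       { 'Require' }
        2       { 'Allow' }
        default { "Unknown ($Value)" }
    }
}

$report = [ordered]@{
    'Require additional authentication at startup' = Format-OnOff     (Get-FvePolicyValue 'UseAdvancedStartup')
    'Allow BitLocker without a compatible TPM'     = Format-OnOff     (Get-FvePolicyValue 'EnableBDEWithNoTPM')
    'TPM startup (TPM only)'                       = Format-TpmOption (Get-FvePolicyValue 'UseTPM')
    'TPM startup PIN (TPM + PIN)'                  = Format-TpmOption (Get-FvePolicyValue 'UseTPMPIN')
    'TPM startup key (TPM + Startup Key)'          = Format-TpmOption (Get-FvePolicyValue 'UseTPMKey')
    'TPM startup key and PIN'                      = Format-TpmOption (Get-FvePolicyValue 'UseTPMKeyPIN')
}

# Emit one row per setting so the result can be piped, filtered or exported.
$report.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Setting = $_.Key; State = $_.Value }
} | Format-Table -AutoSize
```

The values reflect the policy as currently applied to the machine, whether it came from Active Directory or from the local policy; run `gpupdate /force` first if a domain policy was changed recently.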