Encryption of Windows 10 PCs and Server 2012 (onwards) servers

We would like to introduce encryption across our clients' PCs/servers by default.
I was wondering:
Are there any downsides to this?
Is using BitLocker with TPM-enabled devices good enough?
Are there any other 'encryption' based measures that I can take?
Is using BitLocker for Windows Server (2012 and above) recommended?

If you trust Microsoft (and obviously you do, or you wouldn't use their OS), you can trust BitLocker. BL is "good enough"; in fact, it offers a lot compared to some competitors that are not free. You can very well use it on servers as well as clients. For the server hardware, you should see if a TPM chip is already installed or, if not, can be bought and seated.

"good enough" - please specify what you mean. I don't miss any features with BitLocker.
"Are there any other 'encryption' based measures that I can take?" - what should be encrypted? Data in transit? E-mails? Removable devices, floppies...? There's a solution for anything.

"Are there any downsides to this?" - not really. The performance impact for writes (only writes, not reads) can be up to 25%, but you will only notice that if you do excessive writing.

leo135 (Author) commented:
Thanks McKnife, that's a really helpful answer!

I guess when I refer to other measures, I mean emails (Office 365) and removable devices. Are there any measures you can suggest for these?
For removable devices as in USB sticks, you can use BitLocker To Go. It can be read on any Windows OS from XP onwards and can be written to again on Windows 7 (Ultimate or Enterprise), Win8 Pro/Enterprise or Win10 Pro/Enterprise.
Mails: that's a huge topic. Short advice: for those users that send encrypted content once in a while, I would strongly recommend using an attachment encrypter like the free 7-Zip. For those that send mails regularly encrypted: sit down with your partners (the recipients) and discuss it with their admins, since the best solution on your side will not guarantee that the recipients are happy with it.
We use Sophos' secure e-mail gateway.
leo135, any more questions? Else please return and close this question.
As indicated by the author, the comment was helpful.
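
The answer above advises checking whether a TPM is present before rolling BitLocker out to servers as well as clients. The following read-only audit is an added example, not part of the original thread; the function name `Get-BitLockerReadiness` is hypothetical. It reports TPM state, whether the optional BitLocker feature is installed on a server, and the protection status and key protectors of each volume.

```powershell
# Added example: BitLocker readiness audit for one Windows client or server.
# Run from an elevated PowerShell session. Read-only: nothing is changed.
function Get-BitLockerReadiness {
    $report = [ordered]@{ Computer = $env:COMPUTERNAME }

    # TPM state. Get-Tpm can fail on hardware without a usable TPM,
    # so an error is treated the same as "not present".
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $report.TpmPresent = $tpm.TpmPresent
        $report.TpmReady   = $tpm.TpmReady
    } catch {
        $report.TpmPresent = $false
        $report.TpmReady   = $false
    }

    # On Windows Server, BitLocker is an optional feature that must be installed
    # first. Get-WindowsFeature only exists on server editions.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $report.BitLockerFeature = (Get-WindowsFeature -Name BitLocker).Installed
    } else {
        $report.BitLockerFeature = 'n/a (client OS)'
    }

    # Per-volume status. A protected volume without a RecoveryPassword
    # protector has no fallback if the TPM or mainboard is replaced.
    $report.Volumes = @()
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $report.Volumes = @(Get-BitLockerVolume | ForEach-Object {
            $vol   = $_
            $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            [pscustomobject]@{
                MountPoint          = $vol.MountPoint
                VolumeType          = $vol.VolumeType
                Protection          = $vol.ProtectionStatus
                EncryptedPercent    = $vol.EncryptionPercentage
                Method              = $vol.EncryptionMethod
                Protectors          = $types -join ','
                HasRecoveryPassword = $types -contains 'RecoveryPassword'
            }
        })
    }
    [pscustomobject]$report
}

$result = Get-BitLockerReadiness
$result | Format-List Computer, TpmPresent, TpmReady, BitLockerFeature
$result.Volumes | Format-Table -AutoSize
```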