Privacy and Security Change BitLocker Drive Encryption Method in Windows 11


  • Staff
BitLocker_drive_banner.png

This tutorial will show you how to change the default encryption method used for BitLocker and Device Encryption in Windows 10 and Windows 11.

Device Encryption is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either Modern Standby or HSTI security requirements. Device Encryption is only available for the operating system drive.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers. You can turn on BitLocker protection for operating system drives, fixed drives, and removable drives.

BitLocker and Device Encryption uses the XTS-AES 128-bit encryption method, by default.

You can select one of the following encryption methods with a 128-bit or 256-bit (stronger) cipher key length for fixed data drives, operating system drives, and removable data drives:

Encryption Method​
Description​
AES-CBC 128-bitDefault. Compatible mode (AES-CBC) 128-bit encryption that is compatible with older versions of Windows (ex: 7 or 8.1). Good for removable drives that will be connected to older versions of Windows.
AES-CBC 256-bitCompatible mode (AES-CBC) 256-bit encryption that is compatible with older versions of Windows (ex: 7 or 8.1). Good for removable drives that will be connected to older versions of Windows.
XTS-AES 128-bitNew encryption mode (XTS-AES) 128-bit encryption that provides additional integrity support than AES-CBC, but is not compatible with older versions of Windows (ex: 7 or 8.1). Good for drives that will only be connected to Windows 10 and/or Windows 11.
XTS-AES 256-bitStrongest. New encryption mode (XTS-AES) 256-bit encryption that provides additional integrity support than AES-CBC, but is not compatible with older versions of Windows (ex: 7 or 8.1). Good for drives that will only be connected to Windows 10 and/or Windows 11.

References:

You must be signed in as an administrator to be able to change the encryption method and cipher strength.

If a drive is already encrypted by BitLocker or Device Encryption, it will not automatically change the encryption method for it. You will need to turn off encryption for the drive first, and turn back on encryption for the drive again for it to use the new encryption method.



Contents

  • Option One: Change BitLocker Drive Encryption Method in Local Group Policy Editor
  • Option Two: Change BitLocker Drive Encryption Method using REG file
  • Option Three: Change BitLocker Drive Encryption Method in Registry Editor





Option One

Change BitLocker Drive Encryption Method in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Two or Option Three to configure the same policy.


1 Open the all users, specific users or groups, or all users except administrators Local Group Policy Editor for how you want this policy applied.

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption

BitLocker_encryption_method_and_cipher_strength_gpedit-1.png

3 In the right pane of BitLocker Drive Encryption in the Local Group Policy Editor, double click/tap on the Choose drive encryption method and cipher strength (Windows 10 (Version 1511) and later) policy to edit it. (see screenshot above)

4 Do step 5 (default) or step 6 (change) below for what you want.

5 Use Default Drive Encryption Method

This is the default setting to use the XTS-AES 128-bit encryption method by default for fixed data drives, operating system drives, and removable data drives.


A) Select (dot) Not Configured. (see screenshot below)​

B) Click/tap on OK, and go to step 7.​

BitLocker_encryption_method_and_cipher_strength_gpedit-2.png

6 Change Drive Encryption Method

A) Select (dot) Not Configured. (see screenshot below)​

B) Under "Options", select the AES-CBC 128-bit, AES-CBC 256-bit, XTS-AES 128-bit, or XTS-AES 256-bit encryption method you want to use in each drop menu for operating system drives, fixed data drives, and removable data drives.​

C) Click/tap on OK, and go to step 7.​

BitLocker_encryption_method_and_cipher_strength_gpedit-3.png

7 You can now close the Local Group Policy Editor if you like.




Option Two

Change BitLocker Drive Encryption Method using REG file


1 Do step 2 (AES-CBC 256-bit), step 3 (XTS-AES 256-bit), or step 4 (default) below for the encryption method you want to use for all drives.

2 Use AES-CBC 256-bit Encryption Method by default for All Drives

A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Use_AES-CBC_256-bit_encryption_method_for_all_drives.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=dword:00000004
"EncryptionMethodWithXtsFdv"=dword:00000004
"EncryptionMethodWithXtsRdv"=dword:00000004

3 Use XTS-AES 256-bit Encryption Method by default for All Drives

A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Use_XTS-AES_256-bit_encryption_method_for_all_drives.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=dword:00000007
"EncryptionMethodWithXtsFdv"=dword:00000007
"EncryptionMethodWithXtsRdv"=dword:00000007

4 Use Default XTS-AES 128-bit Encryption Method by default for All Drives

This is the default setting to undo the policy.


A) Click/tap on the Download button below to download the file below, and go to step 5 below.​

Undo_policy_to_use_default_XTS-AES_128-bit_encryption_method_for_all_drives.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=-
"EncryptionMethodWithXtsFdv"=-
"EncryptionMethodWithXtsRdv"=-

5 Save the REG file to your desktop.

6 Double click/tap on the downloaded REG file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 You can now delete the downloaded REG file if you like.




Option Three

Change BitLocker Drive Encryption Method in Registry Editor


1 Open Registry Editor (regedit.exe).

2 Navigate to the key below in the left pane of Registry Editor. (see screenshot below)

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE

BitLocker_encryption_method_and_cipher_strength_regedit-1.png

3 Do step 4 (change OS drives), step 5 (change fixed drives), and/or step 6 (change removable drives) below for what you would like to do.


 4. Change Encryption Method for Operating System Drives

A) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsOs DWORD to modify it. (see screenshot below step 2)​

If you don't have the EncryptionMethodWithXtsOs DWORD, then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsOs, and press Enter.

Deleting the EncryptionMethodWithXtsOs DWORD will undo the policy to use the default XTS-AES 128-bit encryption method.


B) Type the value data in the table below for the encryption method you want for operating system drives, and click/tap on OK. (see screenshot and table below)​

BitLocker_encryption_method_and_cipher_strength_regedit-3.png

Value Data​
Description​
3AES-CBC 128-bit
4AES-CBC 256-bit
6XTS-AES 128-bit (default)
7XTS-AES 256-bit


 5. Change Encryption Method for Fixed Data Drives

A) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsFdv DWORD to modify it. (see screenshot below step 2)​

If you don't have the EncryptionMethodWithXtsFdv DWORD, then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsFdv, and press Enter.

Deleting the EncryptionMethodWithXtsFdv DWORD will undo the policy to use the default XTS-AES 128-bit encryption method.


B) Type the value data in the table below for the encryption method you want for fixed data drives, and click/tap on OK. (see screenshot and table below)​

BitLocker_encryption_method_and_cipher_strength_regedit-2.png

Value Data​
Description​
3AES-CBC 128-bit
4AES-CBC 256-bit
6XTS-AES 128-bit (default)
7XTS-AES 256-bit


 6. Change Encryption Method for Removable Data Drives

A) In the right pane of the FVE key, double click/tap on the EncryptionMethodWithXtsRdv DWORD to modify it. (see screenshot below step 2)​

If you don't have the EncryptionMethodWithXtsRdv DWORD, then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsRdv, and press Enter.

Deleting the EncryptionMethodWithXtsRdv DWORD will undo the policy to use the default XTS-AES 128-bit encryption method.


B) Type the value data in the table below for the encryption method you want for removable data drives, and click/tap on OK. (see screenshot and table below)​

BitLocker_encryption_method_and_cipher_strength_regedit-4.png

Value Data​
Description​
3AES-CBC 128-bit
4AES-CBC 256-bit
6XTS-AES 128-bit (default)
7XTS-AES 256-bit

7 When finished, you can close Registry Editor if you like.


That's it,
Shawn Brink


 

Attachments

  • Undo_policy_to_use_default_XTS-AES_128-bit_encryption_method_for_all_drives.reg
    708 bytes · Views: 6
  • Use_AES-CBC_256-bit_encryption_method_for_all_drives.reg
    786 bytes · Views: 9
  • Use_XTS-AES_256-bit_encryption_method_for_all_drives.reg
    786 bytes · Views: 9
Last edited:
Why would one use proprietary drive encryption software? Just use the free and open VeraCrypt.
 

My Computer

System One

  • OS
    Windows 11 Pro x64
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Precision 7875
    CPU
    AMD Ryzen Threadripper Pro 7955WX, 4.5 GHz, 16c 32t
    Motherboard
    Dell Precision 7875 System Board
    Memory
    64GB DDR5 4800 ECC Registered, Quad channel
    Graphics Card(s)
    NVIDIA GeForce RTX 4070 Ti Super Inno3D
    Sound Card
    Creative X-Fi Titanium Fatal1ty Professional Series
    Monitor(s) Displays
    Dell UltraSharp U3415W
    Screen Resolution
    3440x1440
    Hard Drives
    SK hynix PC801 PCIe Gen4 x4 NVMe M.2 2280 SSD 1TB first SSD
    Corsair MP600 Pro NH PCIe Gen4 x4 NVMe M.2 2280 SSD 8TB second SSD
    PSU
    Dell 1350 Power Supply for Precision 7875
    Case
    Dell Precision 7875
    Cooling
    Air
    Keyboard
    Microsoft Natural Ergonomic Keyboard 4000 (Qwerty US)
    Mouse
    3M EM500GPL
    Internet Speed
    150mbit down, 15mbit up
    Browser
    Firefox
    Antivirus
    Eset
    Other Info
    Full specs
    https://tweakers.net/gallery/23645/inventaris/?inv_id=3451440
Why would one use proprietary drive encryption software? Just use the free and open VeraCrypt.
Huh - Bitlocker is not proprietary - it is native Windows. Why would you use veracryt - it is not even fully supported.

Bitlocker is used by many corporations. I think Dave's pal down the pub uses Veracypt.
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0
BitLocker is proprietary, it's Windows encryption product. Non-Windows systems can't open BitLocker volumes.
Open source vs. closed is a different argument.
 

My Computer

System One

  • OS
    Windows 7
BitLocker uses AES 128-bit encryption and that is NOT proprietary. Microsoft does add their own setup, open, and close algorithms. I suppose that might be considered proprietary. But AES 128-bit encryption itself is NOT proprietary.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9510 OLED
    CPU
    11th Gen i9 -11900H
    Memory
    32 GB 3200 MHz DDR4
    Graphics Card(s)
    NVIDIA® GeForce® RTX 3050Ti
    Monitor(s) Displays
    15.6" OLED Infinity Edge Touch
    Screen Resolution
    16:10 Aspect Ratio (3456 x 2160)
    Hard Drives
    1 Terabyte M.2 PCIe NVMe SSD
    2 Thunderbolt™ 4 (USB Type-C™)
    1 USB 3.2 Gen 2 (USB Type-C™)
    SD Card Reader (SD, SDHC, SDXC)
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription
    Microsoft OneDrive 1TB Cloud
    Microsoft PowerToys
    Microsoft Visual Studio
    Microsoft Visual Studio Code
    Macrium Reflect
    Dell Support Assist
    Dell Command | Update
    LastPass Password Manager
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
  • Operating System
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    i5
    Memory
    8 GB
    Hard Drives
    256GB SSD
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription (Office)
    Microsoft OneDrive 1TB Cloud
    Microsoft Visual Studio
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
Can you open a locked BitLocker volume without using Windows features? So far, no. That meets most definitions of "proprietary".
 

My Computer

System One

  • OS
    Windows 7
BitLocker is proprietary, it's Windows encryption product. Non-Windows systems can't open BitLocker volumes.
Open source vs. closed is a different argument.
semantics - proprietary usually refers to paid versions by 3rd parties. It is bollards calling a windows native app proprietary.

Pointless arguing over semantics.

Have the last word by all means if it makes you feel super smug.
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0
@garlin, you are correct. You can't open a BitLocker volume without using Windows features. I would agree that the Windows features are proprietary. In Windows 11, Microsoft holds the encryption key in the TPM Module. However the AES 128-bit encryption itself is not proprietary. So I suppose you and I are both right. :-)
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9510 OLED
    CPU
    11th Gen i9 -11900H
    Memory
    32 GB 3200 MHz DDR4
    Graphics Card(s)
    NVIDIA® GeForce® RTX 3050Ti
    Monitor(s) Displays
    15.6" OLED Infinity Edge Touch
    Screen Resolution
    16:10 Aspect Ratio (3456 x 2160)
    Hard Drives
    1 Terabyte M.2 PCIe NVMe SSD
    2 Thunderbolt™ 4 (USB Type-C™)
    1 USB 3.2 Gen 2 (USB Type-C™)
    SD Card Reader (SD, SDHC, SDXC)
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription
    Microsoft OneDrive 1TB Cloud
    Microsoft PowerToys
    Microsoft Visual Studio
    Microsoft Visual Studio Code
    Macrium Reflect
    Dell Support Assist
    Dell Command | Update
    LastPass Password Manager
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker
  • Operating System
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    i5
    Memory
    8 GB
    Hard Drives
    256GB SSD
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription (Office)
    Microsoft OneDrive 1TB Cloud
    Microsoft Visual Studio
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
    CoPilot
    BitLocker

Latest Support Threads

Back
Top Bottom