This tutorial will show you how to change the default encryption method used for BitLocker and Device Encryption in Windows 10 and Windows 11.
Device Encryption is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either Modern Standby or HSTI security requirements. Device Encryption is only available for the operating system drive.
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers. You can turn on BitLocker protection for operating system drives, fixed drives, and removable drives.
BitLocker and Device Encryption use the XTS-AES 128-bit encryption method by default.
You can select one of the following encryption methods with a 128-bit or 256-bit (stronger) cipher key length for fixed data drives, operating system drives, and removable data drives:
Encryption Method | Description |
---|---|
AES-CBC 128-bit | Default. Compatible mode (AES-CBC) 128-bit encryption that is compatible with older versions of Windows (e.g., 7 or 8.1). Good for removable drives that will be connected to older versions of Windows. |
AES-CBC 256-bit | Compatible mode (AES-CBC) 256-bit encryption that is compatible with older versions of Windows (e.g., 7 or 8.1). Good for removable drives that will be connected to older versions of Windows. |
XTS-AES 128-bit | New encryption mode (XTS-AES) 128-bit encryption that provides additional integrity support compared with AES-CBC, but is not compatible with older versions of Windows (e.g., 7 or 8.1). Good for drives that will only be connected to Windows 10 and/or Windows 11. |
XTS-AES 256-bit | Strongest. New encryption mode (XTS-AES) 256-bit encryption that provides additional integrity support compared with AES-CBC, but is not compatible with older versions of Windows (e.g., 7 or 8.1). Good for drives that will only be connected to Windows 10 and/or Windows 11. |
You must be signed in as an administrator to be able to change the encryption method and cipher strength.
If a drive is already encrypted by BitLocker or Device Encryption, it will not automatically change the encryption method for it. You will need to turn off encryption for the drive first, and turn back on encryption for the drive again for it to use the new encryption method.
- Option One: Change BitLocker Drive Encryption Method in Local Group Policy Editor
- Option Two: Change BitLocker Drive Encryption Method using REG file
- Option Three: Change BitLocker Drive Encryption Method in Registry Editor
Option One: Change BitLocker Drive Encryption Method in Local Group Policy Editor
The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.
All editions can use Option Two or Option Three to configure the same policy.
1 Open the Local Group Policy Editor for all users, specific users or groups, or all users except administrators, depending on how you want this policy applied.
2 Navigate to the policy location below in the left pane of the Local Group Policy Editor.
3 In the right pane of BitLocker Drive Encryption in the Local Group Policy Editor, double click/tap on the Choose drive encryption method and cipher strength (Windows 10 (Version 1511) and later) policy to edit it.
4 Do step 5 (default) or step 6 (change) below for what you want.
This is the default setting, which uses the XTS-AES 128-bit encryption method for fixed data drives, operating system drives, and removable data drives.
7 You can now close the Local Group Policy Editor if you like.
Option Two: Change BitLocker Drive Encryption Method using REG file
1 Do step 2 (AES-CBC 256-bit), step 3 (XTS-AES 256-bit), or step 4 (default) below for the encryption method you want to use for all drives.
(Contents of REG file for reference)
```reg
Windows Registry Editor Version 5.00

; 4 = AES-CBC 256-bit for operating system (Os), fixed (Fdv), and removable (Rdv) drives
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=dword:00000004
"EncryptionMethodWithXtsFdv"=dword:00000004
"EncryptionMethodWithXtsRdv"=dword:00000004
```
(Contents of REG file for reference)
```reg
Windows Registry Editor Version 5.00

; 7 = XTS-AES 256-bit for operating system (Os), fixed (Fdv), and removable (Rdv) drives
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=dword:00000007
"EncryptionMethodWithXtsFdv"=dword:00000007
"EncryptionMethodWithXtsRdv"=dword:00000007
```
This is the default setting to undo the policy.
(Contents of REG file for reference)
```reg
Windows Registry Editor Version 5.00

; "=-" deletes each value, which removes the policy for that drive type
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=-
"EncryptionMethodWithXtsFdv"=-
"EncryptionMethodWithXtsRdv"=-
```
5 Save the REG file to your desktop.
6 Double click/tap on the downloaded REG file to merge it.
7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
8 You can now delete the downloaded REG file if you like.
Option Three: Change BitLocker Drive Encryption Method in Registry Editor
1 Open Registry Editor (regedit.exe).
2 Navigate to the key below in the left pane of Registry Editor.
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
3 Do step 4 (change OS drives), step 5 (change fixed drives), and/or step 6 (change removable drives) below for what you would like to do.
If you don't have the EncryptionMethodWithXtsOs DWORD, then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsOs, and press Enter.
Value Data | Description |
---|---|
3 | AES-CBC 128-bit |
4 | AES-CBC 256-bit |
6 | XTS-AES 128-bit (default) |
7 | XTS-AES 256-bit |
If you don't have the EncryptionMethodWithXtsFdv DWORD, then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsFdv, and press Enter.
Value Data | Description |
---|---|
3 | AES-CBC 128-bit |
4 | AES-CBC 256-bit |
6 | XTS-AES 128-bit (default) |
7 | XTS-AES 256-bit |
If you don't have the EncryptionMethodWithXtsRdv DWORD, then right click or press and hold on an empty area in the right pane of the FVE key, click/tap on New, click/tap on DWORD (32-bit) Value, type EncryptionMethodWithXtsRdv, and press Enter.
Value Data | Description |
---|---|
3 | AES-CBC 128-bit |
4 | AES-CBC 256-bit |
6 | XTS-AES 128-bit (default) |
7 | XTS-AES 256-bit |
7 When finished, you can close Registry Editor if you like.
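As noted earlier in this tutorial, a drive that is already encrypted keeps its old method until encryption is turned off and back on. The following PowerShell audit is an added example, not part of the original tutorial: it reads the three FVE policy values and compares them with the method `Get-BitLockerVolume` reports for each volume. The `Get-PolicyMethod` helper, the drive-class names, and the `Action` labels are assumptions of this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original tutorial): compare the FVE policy values
# with the encryption method each BitLocker volume is actually using.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Value data from the tutorial's table -> name reported by Get-BitLockerVolume.
$MethodByValue = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

# Policy value that applies to each drive class (class names are this example's own).
$ValueByClass = @{
    OperatingSystem = 'EncryptionMethodWithXtsOs'
    Fixed           = 'EncryptionMethodWithXtsFdv'
    Removable       = 'EncryptionMethodWithXtsRdv'
}

function Get-PolicyMethod([string]$DriveClass) {   # hypothetical helper
    $name = $ValueByClass[$DriveClass]
    $data = (Get-ItemProperty -Path $PolicyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $data) { return $null }          # value absent: policy not set
    if ($MethodByValue.ContainsKey([int]$data)) { return $MethodByValue[[int]$data] }
    return "Unknown($data)"                        # value outside 3, 4, 6, 7
}

Get-BitLockerVolume | ForEach-Object {
    # Classify the volume; mount points without a drive letter fall back to Fixed.
    $driveType = (Get-Volume -DriveLetter $_.MountPoint[0] -ErrorAction SilentlyContinue).DriveType
    if ($_.VolumeType -eq 'OperatingSystem') { $class = 'OperatingSystem' }
    elseif ($driveType -eq 'Removable')      { $class = 'Removable' }
    else                                     { $class = 'Fixed' }

    $policy = Get-PolicyMethod $class
    $actual = "$($_.EncryptionMethod)"
    if ($actual -eq 'None')      { $action = 'Not encrypted' }
    elseif ($null -eq $policy)   { $action = 'Policy not configured' }
    elseif ($actual -eq $policy) { $action = 'Matches policy' }
    else                         { $action = 'Turn encryption off, then on again' }

    [pscustomobject]@{
        MountPoint = $_.MountPoint; DriveClass = $class
        Policy = $policy; Actual = $actual; Status = $_.VolumeStatus; Action = $action
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell session after applying any of the three options; volumes whose `Actual` column differs from `Policy` were encrypted before the policy changed.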
That's it,
Shawn Brink