How to Change the BitLocker Drive Encryption Method in Windows 11

by Ann Conte, IT Technical Writer

Key Points

  • BitLocker in Windows 11 supports multiple encryption algorithms (XTS-AES, AES-CBC) with 128-bit or 256-bit key lengths for customizable data protection.
  • You can change the BitLocker encryption method before encrypting a drive using Group Policy Editor, Registry Editor, PowerShell, or a .reg file.
  • XTS-AES 256-bit offers stronger security for fixed drives, while AES-CBC methods remain useful for legacy or removable devices.
  • Changing the encryption method helps you meet enterprise security standards and compliance requirements, and can also optimize performance.
  • Only unencrypted drives can have their BitLocker encryption method modified; existing encrypted volumes remain unchanged.

Encryption is an essential security tool, especially in enterprise environments. BitLocker is a native Windows 11 feature that supports multiple encryption algorithms, including AES-CBC and AES-XTS, with 128-bit or 256-bit key lengths.

With BitLocker, you can change the encryption method to fit your needs. While XTS-AES 128-bit is the default encryption method, you might need an alternative method depending on your hardware or security needs.

Different ways to change BitLocker drive encryption methods

As an advanced power user, you can change the encryption method using the Local Group Policy Editor or Registry Editor. For managed environments, you can deploy a script using Windows PowerShell or create a .reg file.

📌 Prerequisites:

  • This guide applies to Windows 11 Pro, Enterprise, and Education.
  • You will need administrator access.
  • This will only apply to new BitLocker volumes. The drive shouldn’t be encrypted yet.
  • You will need access to the Group Policy Editor or the Windows Registry Editor.

⚠️ Important: If you’ve already turned on BitLocker on the target drive, you’ll need to turn off BitLocker (decrypt the drive) before these changes can take effect.

BitLocker encryption method settings only apply to new encryptions — existing volumes will continue using their current encryption algorithm until you decrypt and re-encrypt them.

📌 Recommended deployment strategies:

Best for individual users:
  • Method 1: Set encryption method via Group Policy Editor
  • Method 2: Set encryption method via Registry Editor

Best for enterprises:
  • Method 3: PowerShell script for automation
  • Method 4: Create a .reg file

Method 1: Set encryption method via Group Policy Editor

📌 Use Case: This method can be used in enterprise environments or by advanced users.

  1. Open the Start Menu and search for Edit group policy to open the program.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.
  3. Double-click Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later).
  4. Select Enabled.
  5. Under the Options section, modify the settings according to your needs.
    • You can change the encryption settings for Fixed Data Drives, Operating System Drives, and Removable Data Drives.
    • It’s set to XTS-AES 128-bit by default. Your other options are the following:
      • AES-CBC 128-bit
      • AES-CBC 256-bit
      • XTS-AES 256-bit
  6. Click Apply, then OK. You can now close the Group Policy Editor.
  7. Open the Start Menu and search for Command Prompt to open the program.
  8. Type gpupdate /force and press Enter. This will apply the changes you’ve made to the group policies.

Method 2: Set encryption method via Registry Editor

📌 Use Case: This method can be used in enterprise environments or by advanced users.

  1. Open the Start Menu and search for Registry Editor to open the program.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
  3. Select the value for the drive you need to modify:
    • EncryptionMethodWithXtsOs (for OS drives)
    • EncryptionMethodWithXtsFdv (for fixed data drives)
    • EncryptionMethodWithXtsRdv (for removable drives)
  4. Change the value according to your needs.
    • AES 128-bit (CBC) = 0
    • AES 256-bit (CBC) = 1
    • Hardware Encryption (if supported) = 2
    • AES 128-bit (CBC – legacy) = 3
    • AES 256-bit (CBC – legacy) = 4
    • (Reserved/Not used) = 5
    • XTS-AES 128-bit = 6
    • XTS-AES 256-bit = 7
  5. Restart your computer to apply the changes.

Method 3: PowerShell script for automation

📌 Use Case: This is ideal for managed environments. You can remotely change these settings using Windows PowerShell.

  1. Open the Start Menu, search for Windows PowerShell, right-click, and select Run as administrator.
  2. Type the following commands and press Enter. This sets the encryption method to XTS-AES 256-bit (value 7 in the table below) for all three drive classes.

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "EncryptionMethodWithXtsOs" -Value 7 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "EncryptionMethodWithXtsFdv" -Value 7 -Type DWord
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\FVE" -Name "EncryptionMethodWithXtsRdv" -Value 7 -Type DWord

If you only want to change a specific drive, remove the lines you don’t need.

    • EncryptionMethodWithXtsOs – OS drives
    • EncryptionMethodWithXtsFdv – Fixed data drives
    • EncryptionMethodWithXtsRdv – Removable drives

If you want to set a different encryption method, change the value.

    • AES 128-bit (CBC) = 0
    • AES 256-bit (CBC) = 1
    • Hardware Encryption (if supported) = 2
    • AES 128-bit (CBC – legacy) = 3
    • AES 256-bit (CBC – legacy) = 4
    • (Reserved/Not used) = 5
    • XTS-AES 128-bit = 6
    • XTS-AES 256-bit = 7
  3. You can now close Windows PowerShell. Restart the computer to apply the changes.
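The commands in Method 3 as a reusable, self-checking script. This is an added example, not code from the original article or from NinjaOne's own tooling: it maps a method name to the registry code from the table above (using the XTS entries 6 and 7 and the AES-CBC legacy entries 3 and 4), warns about volumes that are already encrypted because the policy only governs new encryptions, writes the values, and reads them back to confirm. The function names Set-BitLockerMethodPolicy and Test-BitLockerMethodPolicy are this example's own, and it assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available on the machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own code): set the BitLocker encryption-method
# policy for one or more drive classes and verify the registry read-back.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Method name -> policy DWORD, taken from the table in this article.
$MethodCode = @{
    'AES-CBC-128' = 3
    'AES-CBC-256' = 4
    'XTS-AES-128' = 6
    'XTS-AES-256' = 7
}

# Drive class -> policy value name (from Method 2).
$ScopeValue = @{
    'OS'        = 'EncryptionMethodWithXtsOs'
    'Fixed'     = 'EncryptionMethodWithXtsFdv'
    'Removable' = 'EncryptionMethodWithXtsRdv'
}

function Set-BitLockerMethodPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('AES-CBC-128', 'AES-CBC-256', 'XTS-AES-128', 'XTS-AES-256')]
        [string]$Method,

        [ValidateSet('OS', 'Fixed', 'Removable')]
        [string[]]$Scope = @('OS', 'Fixed', 'Removable')
    )

    # The policy only applies to new encryptions: volumes that are already
    # encrypted keep their current algorithm, so surface them up front.
    # (Assumes the BitLocker module is present; the warning is skipped otherwise.)
    $encrypted = Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    foreach ($v in $encrypted) {
        Write-Warning "$($v.MountPoint) is $($v.VolumeStatus) with $($v.EncryptionMethod); this policy will not re-encrypt it."
    }

    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }

    $code = $MethodCode[$Method]
    foreach ($s in $Scope) {
        $name = $ScopeValue[$s]
        if ($PSCmdlet.ShouldProcess("$PolicyPath\$name", "Set to $code ($Method)")) {
            Set-ItemProperty -Path $PolicyPath -Name $name -Value $code -Type DWord
        }
    }
}

function Test-BitLockerMethodPolicy {
    # Read each policy value back and report whether it holds the expected code.
    param([Parameter(Mandatory)][string]$Method)

    $expected = $MethodCode[$Method]
    foreach ($s in $ScopeValue.Keys) {
        $name   = $ScopeValue[$s]
        $actual = (Get-ItemProperty -Path $PolicyPath -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Scope    = $s
            Value    = $name
            Actual   = $actual
            Expected = $expected
            Match    = ($actual -eq $expected)
        }
    }
}

# Usage: select XTS-AES 256-bit for all drive classes, then confirm the values landed.
Set-BitLockerMethodPolicy -Method 'XTS-AES-256'
Test-BitLockerMethodPolicy -Method 'XTS-AES-256' | Format-Table -AutoSize
```

Run it with -WhatIf first (Set-BitLockerMethodPolicy -Method 'XTS-AES-256' -WhatIf) to see which values would be written; restrict the change to one drive class with -Scope, for example -Scope 'Removable'. As with the manual commands, a restart is still needed for the policy to take effect.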

Method 4: Create a .reg file

📌 Use Case: This method works best for enterprise environments. You can perform this using your preferred endpoint management tool.

  1. Open the Start Menu and search for Notepad to open the program.
  2. Type the following. The first line is required for Windows to recognize the file as a registry script, and value 7 selects XTS-AES 256-bit (see the table below):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"EncryptionMethodWithXtsOs"=dword:00000007
"EncryptionMethodWithXtsFdv"=dword:00000007
"EncryptionMethodWithXtsRdv"=dword:00000007

If you only want to change a specific drive, delete the lines you don’t need.

    • EncryptionMethodWithXtsOs – OS drives
    • EncryptionMethodWithXtsFdv – Fixed data drives
    • EncryptionMethodWithXtsRdv – Removable drives

If you want to set a different encryption method, change the dword value.

    • AES 128-bit (CBC) = 0
    • AES 256-bit (CBC) = 1
    • Hardware Encryption (if supported) = 2
    • AES 128-bit (CBC – legacy) = 3
    • AES 256-bit (CBC – legacy) = 4
    • (Reserved/Not used) = 5
    • XTS-AES 128-bit = 6
    • XTS-AES 256-bit = 7
  3. Click File > Save as.
  4. Name it BitLocker_EncryptionMethod.reg.
  5. Select the Save as type dropdown menu > All files.
  6. You can now close Notepad.
  7. Go to where you saved the .reg file and double-click it. This will run the .reg file and apply the changes to the Windows Registry.
  8. Restart your computer to apply the changes to the system.

⚠️ Things to look out for

Risk: A user sets a less secure encryption method than recommended.
Potential consequence: This could open the drive to some security vulnerabilities.
Reversal: Ensure that you are choosing the best encryption method according to your hardware. XTS-AES is the more secure option for fixed drives and is recommended.

Risk: A user makes incorrect changes to the Windows Registry.
Potential consequence: This could lead to incorrect settings or system instability.
Reversal: Create a backup of the Windows Registry before making any changes. You can use this to restore it to its previous state if unintended changes are made.

Supported encryption combinations

BitLocker in Windows 11 supports the following encryption options:

  • XTS-AES 128-bit (default)
  • XTS-AES 256-bit
  • AES-CBC 128-bit (used for removable drives only)
  • AES-CBC 256-bit (used for removable drives only)

XTS-AES is more secure, and it’s the recommended option for fixed drives. AES-CBC, on the other hand, is compatible with legacy systems and can be used on USB drives.

Additional considerations before changing the BitLocker drive encryption method

  • This can only be done before the drive is encrypted. You need to do this before activating BitLocker.
  • Changing these settings will not affect existing volumes. If a drive has already been encrypted, it won’t be re-encrypted.
  • 256-bit encryption is more secure than 128-bit encryption, but it will make your system slightly slower.
  • To verify what encryption is currently in use, open Command Prompt, type manage-bde -status, and press Enter.
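The manage-bde -status check above shows what each volume uses today. The following added example (not from the article) does the same with Get-BitLockerVolume and then compares each volume's actual encryption method against the policy value under HKLM\SOFTWARE\Policies\Microsoft\FVE, so volumes encrypted before the policy was changed show up as mismatches that still need to be decrypted and re-encrypted. The function name Get-BitLockerMethodAudit, the code-to-name mapping (built from the table in Method 2 and the method names Get-BitLockerVolume reports), and the simplification that every Data volume is governed by the fixed-drive value are this example's own assumptions.

```powershell
# Added example (not the article's own code): report each BitLocker volume's
# actual encryption method next to the method the current policy asks for.

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy DWORD (table in Method 2) -> EncryptionMethod name reported by Get-BitLockerVolume.
$CodeToMethod = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

function Get-BitLockerMethodAudit {
    [CmdletBinding()]
    param()

    # Returns $null when no policy has been set, in which case the default applies.
    $policy = Get-ItemProperty -Path $PolicyPath -ErrorAction SilentlyContinue

    foreach ($vol in Get-BitLockerVolume) {
        # Get-BitLockerVolume reports OperatingSystem or Data; this example
        # assumes Data volumes are fixed drives (removable media use the Rdv value).
        $valueName = if ($vol.VolumeType -eq 'OperatingSystem') { 'EncryptionMethodWithXtsOs' } else { 'EncryptionMethodWithXtsFdv' }
        $code = $policy.$valueName

        # XTS-AES 128-bit is the default when no policy value is present.
        $expected = if ($null -ne $code -and $CodeToMethod.ContainsKey([int]$code)) {
            $CodeToMethod[[int]$code]
        } else {
            'XtsAes128'
        }

        $result = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'NotEncrypted'      # policy will apply when BitLocker is turned on
        } elseif ("$($vol.EncryptionMethod)" -eq $expected) {
            'Compliant'
        } else {
            'Mismatch'          # encrypted earlier with a different method
        }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Status       = $vol.VolumeStatus
            Method       = $vol.EncryptionMethod
            PolicyMethod = $expected
            Result       = $result
        }
    }
}

# Usage: print the full report, then call out the volumes that still carry the old method.
$report = Get-BitLockerMethodAudit
$report | Format-Table -AutoSize
$report | Where-Object Result -eq 'Mismatch' | ForEach-Object {
    Write-Warning "$($_.MountPoint) is encrypted with $($_.Method); policy expects $($_.PolicyMethod). Decrypt and re-encrypt to apply the new method."
}
```

Because the policy never touches an existing volume, a Mismatch here is expected right after a policy change; it is the list of drives that must be decrypted (turn BitLocker off) and re-encrypted before the fleet can be called compliant with the chosen method.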

Why change the BitLocker encryption method?

Changing the BitLocker encryption method ensures that all your managed devices comply with your organization’s security standards. It can also be done to match local laws and federal policies.

The encryption method can also affect device performance. Changing it may help optimize performance and ensure compatibility with external decryption or recovery tools.

Quick-Start Guide

NinjaOne also provides a script called “Suspend BitLocker” that:

  • Suspends BitLocker protection until after the next restart
  • Can optionally restart the computer once protection is suspended
  • Must be run with administrative privileges
  • Provides a way to temporarily disable BitLocker protection
  • Is useful when you need to make system changes that active BitLocker protection might interfere with

Enhance security by changing BitLocker encryption methods

You can change the BitLocker encryption method using the Local Group Policy Editor or Registry Editor. Administrators in enterprise environments can also use Windows PowerShell scripts or create a .reg file.

Changing the encryption method can help you comply with your organization’s security standards as well as local laws and federal policies. You may also want to manage this setting, depending on your device hardware. However, it’s essential to remember that this can only be done on an unencrypted drive and cannot be changed on already encrypted devices.

Related Links:

Consider watching this brief video guide: ‘How to Lock BitLocker Encrypted Drives in Windows’.

FAQs

No. You can only change the BitLocker encryption method before encrypting a drive. Once BitLocker is enabled, the encryption type is fixed and cannot be modified unless you decrypt and re-encrypt the drive.

XTS-AES 256-bit is the most secure BitLocker option available in Windows 11. It provides stronger protection for fixed drives compared to AES-CBC, though it may slightly impact system performance.

You can use PowerShell commands to modify encryption settings under the Registry path HKLM:\SOFTWARE\Policies\Microsoft\FVE. This method is ideal for enterprise environments where administrators need to automate configuration across multiple endpoints.

Yes. BitLocker supports both 128-bit and 256-bit key lengths for XTS-AES and AES-CBC algorithms. While 128-bit offers faster performance, 256-bit provides enhanced data protection suitable for high-security environments.

Changing the encryption method helps align with your organization’s security standards, comply with data protection regulations, or optimize performance based on your device hardware and workload needs.
