Policy
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, WindowsServer2016
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

If you enable this policy setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).

If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose drive encryption method and cipher strength" policy settings (in that order), if they are set. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup script.
Registry values
How enabled and disabled states update the registry.
No explicit registry values are set for enabled or disabled states.
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
| Select the encryption method for operating system drives (ID EncryptionMethodWithXtsOsDropDown_Name) | enum | HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsOs, type REG_DWORD | Options: AES-CBC 128-bit (3), AES-CBC 256-bit (4), XTS-AES 128-bit (default) (6), XTS-AES 256-bit (7) |
| Select the encryption method for fixed data drives (ID EncryptionMethodWithXtsFdvDropDown_Name) | enum | HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsFdv, type REG_DWORD | Options: AES-CBC 128-bit (3), AES-CBC 256-bit (4), XTS-AES 128-bit (default) (6), XTS-AES 256-bit (7) |
| Select the encryption method for removable data drives (ID EncryptionMethodWithXtsRdvDropDown_Name) | enum | HKLM\SOFTWARE\Policies\Microsoft\FVE\EncryptionMethodWithXtsRdv, type REG_DWORD | Options: AES-CBC 128-bit (default) (3), AES-CBC 256-bit (4), XTS-AES 128-bit (6), XTS-AES 256-bit (7) |
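Because this policy only takes effect when BitLocker is turned on, a drive encrypted before the policy was set can still be using a weaker cipher. The following PowerShell script is an added example (not part of the policy reference) that reads the three REG_DWORD values above, falls back to the documented defaults when a value is absent, and compares them with what Get-BitLockerVolume reports for each encrypted volume; the EncryptionMethod enum names (Aes128, Aes256, XtsAes128, XtsAes256) and the use of Get-Volume's DriveType to tell fixed from removable drives are assumptions made here.

```powershell
# Added example: report drift between the BitLocker cipher policy and the
# method each volume actually uses. Run in an elevated PowerShell session.

# REG_DWORD value -> display name, from the policy elements table.
$MethodNames = @{ 3 = 'AES-CBC 128-bit'; 4 = 'AES-CBC 256-bit'; 6 = 'XTS-AES 128-bit'; 7 = 'XTS-AES 256-bit' }

# Assumed Get-BitLockerVolume EncryptionMethod names -> policy REG_DWORD values.
# Legacy values (e.g. Aes128Diffuser, None) map to $null and show as DRIFT.
$VolumeMethodValues = @{ 'Aes128' = 3; 'Aes256' = 4; 'XtsAes128' = 6; 'XtsAes256' = 7 }

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-PolicyMethod {
    param([string]$ValueName, [int]$Default)
    # The value only exists while the policy is enabled; otherwise use the
    # default the table documents for that drive type.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$ValueName }
    return $Default
}

$expected = @{
    OperatingSystem = Get-PolicyMethod 'EncryptionMethodWithXtsOs'  6
    Fixed           = Get-PolicyMethod 'EncryptionMethodWithXtsFdv' 6
    Removable       = Get-PolicyMethod 'EncryptionMethodWithXtsRdv' 3
}

foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') { continue }   # nothing to compare

    # OS drive comes from BitLocker itself; fixed vs removable from the disk type.
    $class = 'Fixed'
    if ($vol.VolumeType -eq 'OperatingSystem') { $class = 'OperatingSystem' }
    elseif ($vol.MountPoint -match '^([A-Za-z]):') {
        $disk = Get-Volume -DriveLetter $Matches[1] -ErrorAction SilentlyContinue
        if ($disk -and $disk.DriveType -eq 'Removable') { $class = 'Removable' }
    }

    $actual = $VolumeMethodValues[[string]$vol.EncryptionMethod]
    $want   = $expected[$class]
    $state  = if ($actual -eq $want) { 'OK' } else { 'DRIFT (re-encrypt to apply policy)' }

    '{0,-4} {1,-16} policy={2,-16} actual={3,-12} {4}' -f $vol.MountPoint, $class,
        $MethodNames[$want], $vol.EncryptionMethod, $state
}
```

A volume flagged as DRIFT keeps its current cipher until it is decrypted and re-encrypted; the policy setting alone does not change it.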
Other policies in this category
Explore related policies at the same level.
- Computer: Choose default folder for recovery password (At least Windows Vista)
- Computer: Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) (At least Windows Server 2012, Windows 8 or Windows RT)
- Computer: Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) (Windows Server 2008, Windows 7, and Windows Vista)
- Computer: Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista) (Windows Server 2008 and Windows Vista)
- Computer: Disable new DMA devices when this computer is locked (At least Windows Server 2016, Windows 10 Version 1703)
- Computer: Prevent memory overwrite on restart (Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008, Windows 7, and Windows Vista)
- Computer: Provide the unique identifiers for your organization (At least Windows Server 2008 R2 or Windows 7)
- Computer: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista) (Windows Server 2008 and Windows Vista)
- Computer: Validate smart card certificate usage rule compliance (At least Windows Server 2008 R2 or Windows 7)