Enforce drive encryption type on fixed data drives

Supported OS tags: Windows8, WindowsServer2012

This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.

No explicit registry values are set for enabled or disabled states.

• Computer
  Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

  At least Windows Server 2008 R2 or Windows 7 through Windows Server 2022 or Windows 11 Version 22H2
• Computer
  Choose how BitLocker-protected fixed drives can be recovered

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Configure use of hardware-based encryption for fixed data drives

  At least Windows Server 2012 or Windows 8
• Computer
  Configure use of passwords for fixed data drives

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Configure use of smart cards on fixed data drives

  At least Windows Server 2008 R2 or Windows 7
• Computer
  Deny write access to fixed drives not protected by BitLocker

  At least Windows Server 2008 R2 or Windows 7