Enforce BitLocker Encryption Type on Fixed Data Drives in Windows 11



This tutorial will show you how to require using full encryption or used space only encryption with BitLocker on fixed data drives for all users in Windows 10 and Windows 11.

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers. You can turn on BitLocker protection for operating system drives, fixed data drives, and removable data drives.

When users turn on BitLocker for a fixed data drive, the BitLocker setup wizard by default asks them to choose an encryption type, which decides how much of the drive is encrypted before BitLocker is turned on: encrypt used disk space only (faster, best for new PCs and drives) or encrypt entire drive (slower, but best for PCs and drives already in use).

You can use the Enforce drive encryption type on fixed data drives policy setting to control the use of BitLocker on fixed data drives.

When you enable this policy setting, the encryption type option isn't offered in the BitLocker setup wizard:
  • Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on
  • Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on
If you disable or don't configure this policy setting, the BitLocker setup wizard asks the user to select the encryption type before turning on BitLocker.

Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.

This policy is ignored when shrinking or expanding a volume; the BitLocker driver keeps using the encryption type the volume already has. For example, when a drive that is using Used Space Only encryption is expanded, the new free space is not wiped, as it would be on a drive that uses Full encryption. The user can wipe the free space on a Used Space Only drive with the following command: manage-bde.exe -w. If the volume is shrunk, no action is taken for the new free space.


You must be signed in as an administrator to enforce or unforce the encryption type on fixed data drives.




Contents

  • Option One: Enforce or Unforce BitLocker Encryption type on Fixed Data Drives in Local Group Policy Editor
  • Option Two: Enforce or Unforce BitLocker Encryption type on Fixed Data Drives using REG file


EXAMPLE: BitLocker setup wizard asking to choose encryption type on fixed data drive

Choose_how_much_of_your_drive_to_encrypt_for_fixed_data_drives.png





Option One

Enforce or Unforce BitLocker Encryption type on Fixed Data Drives in Local Group Policy Editor


The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.

All editions can use Option Two to configure the same policy.


1 Open the Local Group Policy Editor for all users, for specific users or groups, or for all users except administrators, depending on how you want this policy applied.

2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives

Fixed_data_drives_encryption_type_gpedit-1.png

3 In the right pane of Fixed Data Drives in the Local Group Policy Editor, double click/tap on the Enforce drive encryption type on fixed data drives policy to edit it. (see screenshot above)

4 Do step 5 (full), step 6 (used space only), or step 7 (default) below for what you want.

5 Enforce "Full encryption" type on Fixed Data Drives

A) Select (dot) Enabled. (see screenshot below)

B) Under "Options", select Full encryption in the "Select the encryption type" drop-down menu.

C) Click/tap on OK, and go to step 8.

Fixed_data_drives_encryption_type_gpedit-3.png

6 Enforce "Used Space Only encryption" type on Fixed Data Drives

A) Select (dot) Enabled. (see screenshot below)

B) Under "Options", select Used Space Only encryption in the "Select the encryption type" drop-down menu.

C) Click/tap on OK, and go to step 8.

Fixed_data_drives_encryption_type_gpedit-4.png

7 Default User-choice for Encryption type on Fixed Data Drives

This is the default setting.


A) Select (dot) Not Configured. (see screenshot below)

B) Click/tap on OK, and go to step 8.

Fixed_data_drives_encryption_type_gpedit-2.png

8 You can now close the Local Group Policy Editor if you like.




Option Two

Enforce or Unforce BitLocker Encryption type on Fixed Data Drives using REG file


1 Do step 2 (full), step 3 (used space only), or step 4 (default) below for the encryption type you want to enforce on fixed data drives.

2 Enforce "Full encryption" type on Fixed Data Drives

A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.

Always_encrypt_entire_fixed_data_drives_with_BitLocker.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"FDVEncryptionType"=dword:00000001

3 Enforce "Used Space Only encryption" type on Fixed Data Drives

A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.

Always_encrypt_used_disk_space_only_on_fixed_data_drives_with_BitLocker.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"FDVEncryptionType"=dword:00000002

4 Default User-choice for Encryption type on Fixed Data Drives

This is the default setting to undo the policy.


A) Click/tap on the Download button below to download the REG file below, and go to step 5 below.

Default_user-choice_how_much_to_encrypt_on_fixed_data_drives_with_BitLocker.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"FDVEncryptionType"=-

5 Save the REG file to your desktop.

6 Double click/tap on the downloaded REG file to merge it.

7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

8 You can now delete the downloaded REG file if you like.
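For admins who would rather script this than merge REG files, the PowerShell below is an added example (not part of this tutorial, and not Microsoft's code). It writes the same FDVEncryptionType value under HKLM\SOFTWARE\Policies\Microsoft\FVE that the three REG files above set (1 = Full, 2 = Used Space Only, value removed = default user choice), reads the value back to confirm which type is enforced, and lists the fixed data volumes the policy can still affect, since, as noted at the top of the tutorial, it has no effect on drives that are already encrypted or currently encrypting. The function names are my own; it assumes an elevated PowerShell session and the built-in BitLocker module (Get-BitLockerVolume).

```powershell
# Added example: enforce, clear, or audit the "Enforce drive encryption type on
# fixed data drives" policy by writing the same registry value the REG files use.
# Assumes an elevated session; function names are the example's own.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName = 'FDVEncryptionType'

# Value meanings match the REG files in Option Two.
$EncryptionType = @{
    Full          = 1   # "FDVEncryptionType"=dword:00000001
    UsedSpaceOnly = 2   # "FDVEncryptionType"=dword:00000002
}

function Set-FixedDriveEncryptionType {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Full', 'UsedSpaceOnly', 'Default')]
        [string] $Type
    )
    if ($Type -eq 'Default') {
        # Same as "FDVEncryptionType"=- in the REG file: delete the value so the
        # setup wizard asks the user again.
        if (Test-Path $PolicyKey) {
            Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        }
        return
    }
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord `
        -Value $EncryptionType[$Type] -Force | Out-Null
}

function Get-FixedDriveEncryptionType {
    # Returns Full, UsedSpaceOnly, or Default (value absent / not configured).
    $value = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($value -eq 1)     { return 'Full' }
    if ($value -eq 2)     { return 'UsedSpaceOnly' }
    return 'Default'
}

function Get-FixedDriveStatus {
    # Fixed (non-removable) data volumes and whether the policy can still affect
    # them. Get-BitLockerVolume reports removable drives as "Data" too, so the
    # drive letters are first narrowed with Get-Volume's DriveType.
    $fixedLetters = Get-Volume |
        Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter } |
        ForEach-Object { "$($_.DriveLetter):" }

    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' -and $fixedLetters -contains $_.MountPoint } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint        = $_.MountPoint
                VolumeStatus      = $_.VolumeStatus
                EncryptionPercent = $_.EncryptionPercentage
                # Only a fully decrypted drive will go through the setup wizard
                # and therefore pick up the enforced encryption type.
                PolicyApplies     = ($_.VolumeStatus -eq 'FullyDecrypted')
            }
        }
}

# Usage: enforce Used Space Only, confirm the value, and list affected volumes.
Set-FixedDriveEncryptionType -Type UsedSpaceOnly
"Policy now enforces: $(Get-FixedDriveEncryptionType)"
Get-FixedDriveStatus | Format-Table -AutoSize
```

Like the REG files, this writes the computer-wide policy key, so it applies to all users of the PC. On a domain-joined device a Group Policy Object that configures the same setting will overwrite whatever is written here at the next policy refresh, so enforce it through the GPO there instead.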


That's it,
Shawn Brink

