This tutorial will show you how to require using full encryption or used space only encryption with BitLocker on fixed data drives for all users in Windows 10 and Windows 11.
BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned drives and computers. You can turn on BitLocker protection for operating system drives, fixed data drives, and removable data drives.
When users turn on BitLocker for a fixed data drive, the BitLocker setup wizard by default asks them to choose how much of the drive to encrypt before encryption starts: encrypt used disk space only (faster and best for new PCs and drives) or encrypt the entire drive (slower but best for PCs and drives already in use).
You can use the Enforce drive encryption type on fixed data drives policy setting to control the use of BitLocker on fixed data drives.
When you enable this policy setting, the encryption type option isn't offered in the BitLocker setup wizard:
- Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on
- Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on
Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.
This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped like a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: manage-bde.exe -w. If the volume is shrunk, no action is taken for the new free space.
You must be signed in as an administrator to enforce or unforce the encryption type on fixed data drives.
- Option One: Enforce or Unforce BitLocker Encryption type on Fixed Data Drives in Local Group Policy Editor
- Option Two: Enforce or Unforce BitLocker Encryption type on Fixed Data Drives using REG file
EXAMPLE: BitLocker setup wizard asking to choose encryption type on fixed data drive
Enforce or Unforce BitLocker Encryption type on Fixed Data Drives in Local Group Policy Editor
The Local Group Policy Editor is only available in the Windows 10/11 Pro, Enterprise, and Education editions.
All editions can use Option Two to configure the same policy.
1 Open the Local Group Policy Editor for all users, for specific users or groups, or for all users except administrators, depending on how you want this policy applied.
2 Navigate to the policy location below in the left pane of the Local Group Policy Editor. (see screenshot below)
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Fixed Data Drives
3 In the right pane of Fixed Data Drives in the Local Group Policy Editor, double click/tap on the Enforce drive encryption type on fixed data drives policy to edit it. (see screenshot above)
4 Do step 5 (full), step 6 (used space only), or step 7 (default) below for what you want.
(Step 7, leaving the policy Not Configured, is the default setting.)
8 You can now close the Local Group Policy Editor if you like.
Enforce or Unforce BitLocker Encryption type on Fixed Data Drives using REG file
1 Do step 2 (full), step 3 (used space only), or step 4 (default) below for the encryption type you want to enforce on all fixed data drives.
(Contents of REG file for step 2, full encryption, for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"FDVEncryptionType"=dword:00000001
(Contents of REG file for step 3, used space only encryption, for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"FDVEncryptionType"=dword:00000002
This is the default setting to undo the policy.
(Contents of REG file for step 4, removing the policy value, for reference)
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE]
"FDVEncryptionType"=-
5 Save the REG file to your desktop.
6 Double click/tap on the downloaded REG file to merge it.
7 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.
8 You can now delete the downloaded REG file if you like.
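Because the policy only affects drives encrypted after it is set, an administrator may want to confirm what already-encrypted fixed data drives actually use. The following PowerShell script is an added example, not part of this tutorial: it reads FDVEncryptionType from the policy key shown in the REG files above and compares it with the Conversion Status that manage-bde.exe -status reports for each fixed data drive. The field name parsed from manage-bde output and the drive enumeration logic are assumptions based on the standard English output.

```powershell
# Added example (not part of the original tutorial): audit the enforced
# BitLocker encryption type against what fixed data drives already use.
# Run from an elevated PowerShell prompt; manage-bde.exe requires admin rights.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$meaning = @{
    0 = 'Allow user to choose (wizard asks)'
    1 = 'Full encryption required'
    2 = 'Used Space Only encryption required'
}

# A missing value means the policy is Not Configured (the default in this tutorial).
$value = (Get-ItemProperty -Path $policyKey -Name FDVEncryptionType `
          -ErrorAction SilentlyContinue).FDVEncryptionType
if ($null -eq $value) {
    'Policy: Not Configured (BitLocker setup wizard offers the choice)'
} else {
    "Policy: FDVEncryptionType=$value ($($meaning[[int]$value]))"
}

# Fixed data drives: fixed disks with a drive letter, excluding the OS drive.
$systemDrive = $env:SystemDrive.TrimEnd(':')
$fixed = Get-Volume | Where-Object {
    $_.DriveType -eq 'Fixed' -and $_.DriveLetter -and $_.DriveLetter -ne $systemDrive
}

foreach ($v in $fixed) {
    $letter = "$($v.DriveLetter):"
    # Assumption: manage-bde prints a line such as "Conversion Status: Used Space Only Encrypted".
    $status = & manage-bde.exe -status $letter 2>&1 | Out-String
    $conversion = if ($status -match 'Conversion Status:\s+(.+?)\r?\n') {
        $Matches[1].Trim()
    } else {
        'unknown'
    }
    $note = ''
    # The policy does not re-encrypt drives that were already encrypted, so flag the gap.
    if ($value -eq 1 -and $conversion -like 'Used Space Only*') {
        $note = '  <-- policy requires Full; drive was encrypted before enforcement'
    }
    "$letter  $conversion$note"
}
```

Drives flagged this way keep their old, unencrypted free space until it is wiped with manage-bde.exe -w as described earlier in the tutorial.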
That's it,
Shawn Brink