
How to Enforce BitLocker Encryption Types on Windows 11 Drives

BitLocker helps protect your computer data. It makes sure only you can access your files. New files you create on a BitLocker-enabled drive will also be protected.

You can protect external, fixed, and operating system drives using BitLocker. When you turn on BitLocker for your main drive, it automatically unlocks the drive at startup using a TPM chip.

When users turn on BitLocker for fixed data drives, BitLocker asks them to choose between two types of encryption. The first type is full encryption. The second type is used space-only encryption.

Full encryption means the entire drive gets encrypted when you turn on BitLocker. Used space only encryption means only the part of the drive with your data gets encrypted.

You can use the “Enforce drive encryption type on fixed data drives” policy setting to control which encryption type BitLocker uses on fixed data drives.

Enforce Drive Encryption Type on Fixed Data Drives

You can control BitLocker on fixed drives using the enforce drive encryption type policy. Here’s how to do it.

Method 1: Using Local Group Policy Editor

Why do this? This method lets you set encryption rules for all users on your computer.

What happens? BitLocker will use your chosen encryption type automatically. Users won’t see the encryption choice in the setup wizard.

  1. Open the Local Group Policy Editor. Search for “Edit group policy” on the Start menu.
  2. Go to these folders in order:
    • Computer Configuration
    • Administrative Templates
    • Windows Components
    • BitLocker Drive Encryption
    • Fixed Data Drives
  3. In the right pane, find “Enforce drive encryption type on fixed data drives” and double-click it.

  4. Choose one of these options:
    • Not Configured (default) – Same as Disabled.
    • Enabled – BitLocker will use your chosen encryption type. Users won’t be asked which type they want.
      • Choose “Full encryption” to encrypt the entire drive.
      • Choose “Used Space Only encryption” to encrypt only the used space.
    • Disabled – BitLocker setup will ask users which encryption type they want.
  5. Click OK to save your changes.
  6. You may need to restart your computer for the changes to take effect. ⚠️ Admin privileges required.

Method 2: Using Windows Registry Editor

Why do this? This method works if you can’t use Group Policy Editor. It gives you direct control over encryption settings.

What happens? The registry stores your encryption preference. BitLocker will follow this setting when you enable it.

  1. Open Registry Editor as administrator. ⚠️ Admin privileges required. Search for “regedit” on the Start menu and run it as administrator.
  2. Go to this location:

    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
  3. Look for a value called FDVEncryptionType on the right side. Double-click it to open it.
  4. Enter a value:
    • Enter 1 to enforce full encryption on fixed data drives.
    • Enter 2 to enforce used space only encryption on fixed data drives.
  5. If you don’t see FDVEncryptionType, right-click a blank area and create a new DWORD 32-bit Value. Name it FDVEncryptionType. Then enter the value 1 or 2.
  6. Click OK to save your changes.
  7. Restart your computer for the changes to take effect. ⚠️ Admin privileges required.

How to Remove the Encryption Type Setting

If you want to go back to the default behavior and let users choose their encryption type again, delete the FDVEncryptionType item you created. Then restart your computer.
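
The registry steps from Method 2 and the removal step above, scripted in PowerShell. This is an added example, not part of the original article; the function names `Get-FdvEncryptionPolicy` and `Set-FdvEncryptionPolicy` are hypothetical. It creates the FVE key when it is missing, writes the DWORD, and reads the value back to confirm what is actually stored.

```powershell
#Requires -RunAsAdministrator
# Added example: manage the FDVEncryptionType policy value described in this article.
# Function names are hypothetical; the path, value name and values 1/2 come from the article.
$FvePath   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$ValueName = 'FDVEncryptionType'
$Modes     = @{ Full = 1; UsedSpaceOnly = 2 }   # 1 = full, 2 = used space only

function Get-FdvEncryptionPolicy {
    # Returns 'Full', 'UsedSpaceOnly', 'NotConfigured' or 'Unexpected(<n>)'.
    $item = Get-ItemProperty -Path $FvePath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }   # key or value is absent
    $raw   = $item.$ValueName
    $match = $Modes.GetEnumerator() | Where-Object { $_.Value -eq $raw }
    if ($match) { return $match.Key }
    return "Unexpected($raw)"                          # flag anything other than 1 or 2
}

function Set-FdvEncryptionPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Full', 'UsedSpaceOnly', 'NotConfigured')]
        [string]$Mode
    )
    if ($Mode -eq 'NotConfigured') {
        # Removal: delete the value so the setup wizard asks the user again.
        if (Test-Path $FvePath) {
            Remove-ItemProperty -Path $FvePath -Name $ValueName -ErrorAction SilentlyContinue
        }
    } else {
        # The FVE key may not exist on a machine with no BitLocker policy set yet.
        if (-not (Test-Path $FvePath)) { New-Item -Path $FvePath -Force | Out-Null }
        New-ItemProperty -Path $FvePath -Name $ValueName -PropertyType DWord `
            -Value $Modes[$Mode] -Force | Out-Null
    }
    # Read back instead of trusting the write.
    $actual = Get-FdvEncryptionPolicy
    if ($actual -ne $Mode) { throw "Expected $Mode but the registry reports $actual" }
    return $actual
}

# Enforce full encryption on fixed data drives, then restart as the article describes.
Set-FdvEncryptionPolicy -Mode Full
```

Run it from an elevated PowerShell session; `Set-FdvEncryptionPolicy -Mode NotConfigured` performs the removal described above.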

Summary

BitLocker protects your drive by encrypting your data. You can enforce a specific encryption type so users don’t have to choose. There are two ways to do this: using Local Group Policy Editor or Windows Registry Editor. Both methods require admin privileges. After you make changes, restart your computer. If you want users to choose their own encryption type again, simply delete the setting and restart.

Frequently Asked Questions

What is BitLocker encryption and how does it work on Windows 11?

BitLocker is a disk encryption feature included with Windows 11 that helps protect data by encrypting the entire drive. It ensures that only authorized users can access the data, automatically unlocking the OS drive at startup using a TPM chip.

How can I enforce a specific BitLocker encryption type on fixed data drives?

You can enforce a specific BitLocker encryption type by using the Local Group Policy Editor. Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives, and adjust the 'Enforce drive encryption type on fixed data drives' setting.

What are the differences between full encryption and used space-only encryption in BitLocker?

Full encryption encrypts the entire drive when BitLocker is enabled, while used space-only encryption encrypts only the portion of the drive that contains data. Choosing between these options depends on your security needs and the amount of data stored.

Can I configure BitLocker settings using the Windows Registry?

Yes, you can configure BitLocker settings through the Windows Registry Editor. By navigating to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE and modifying the FDVEncryptionType value, you can enforce specific encryption types for fixed data drives.

What happens if I set the 'Enforce drive encryption type' policy to Disabled?

If you set the 'Enforce drive encryption type' policy to Disabled, the BitLocker setup wizard will prompt users to select their preferred encryption type before enabling BitLocker. This allows users to choose between full encryption and used space-only encryption.
