Skip to content
Follow
Windows

How to Enforce BitLocker Encryption Types on Windows 11 Drives

Richard
Written by
Richard
May 20, 2024 Updated Jun 19, 2026 3 min read
BitLocker drive encrytion featured image
BitLocker drive encrytion featured image

You enforce BitLocker encryption types on Windows 11 drives by configuring specific Group Policy settings to ensure consistent security for your fixed data drives.

BitLocker is a robust encryption feature built into Windows that protects your entire drive’s contents. For fixed drives, it supports two primary encryption methods: full drive encryption and used space-only encryption, with full encryption being the most secure option.

You can use the “Enforce drive encryption type on fixed data drives” Group Policy setting to mandate that all new BitLocker implementations on these drives use your chosen encryption method, for example, requiring full encryption for maximum data protection.

This policy is particularly useful in managed environments to maintain uniform security standards across multiple PCs, ensuring all fixed drives are encrypted with the same strength. Remember, you’ll need Windows 11 Pro or Enterprise editions to access this particular Group Policy setting.

⚡ Quick Answer

Enforce BitLocker encryption types by opening the Local Group Policy Editor and navigating to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives, then double-clicking “Enforce drive encryption type on fixed data drives.” Select “Enabled” and choose your preferred encryption method.

Enforce Drive Encryption Type on Fixed Data Drives

You can force a specific encryption choice for fixed drives using the steps below.

Method 1Using Local Group Policy Editor

You can make sure all your Windows 11 drives use specific BitLocker encryption types by using the Local Group Policy Editor, which lets you set a rule for everyone on your computer.

What happens: BitLocker automatically uses the setting you choose. Users will not see a choice during setup.

  1. Search for “Edit group policy” in the Start menu and open it. ⚠️ Admin privileges required.
  2. Navigate through these folders:
  • Computer Configuration
  • Administrative Templates
  • Windows Components
  • BitLocker Drive Encryption
  • Fixed Data Drives

3. In the right window, double-click “Enforce drive encryption type on fixed data drives.”

enforce encryption type for fixed drives
enforce encryption type for fixed drives

4. Choose your setting:

  • Not Configured: This is the default. It works the same as Disabled.
  • Enabled: BitLocker will use the type you pick. Users won’t be asked to choose. Select “Full encryption” to lock the whole drive or “Use Space Only encryption” to lock only the data area.
  • Disabled: The setup wizard will ask users to pick their own type.

5. Click OK and restart your computer to finish. ⚠️ Admin privileges required.

enforce encryption type for fixed drives options
enforce encryption type for fixed drives options

Method 2Using Windows Registry Editor

If you can’t use the Group Policy Editor, you can still set specific BitLocker encryption types for your Windows 11 drives by changing settings in the Windows Registry Editor.

What happens: The computer saves your preference in the registry. BitLocker will check this whenever you turn it on.

  1. Open the Start menu, type regedit, and run it as an administrator. ⚠️ Admin privileges required.
  2. Navigate to this registry path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE
  3. Look for a value named FDVEncryptionType on the right. If you don’t see it, right-click an empty space, select “New,” then “DWORD (32-bit) Value,” and name it FDVEncryptionType.
  4. Double-click the value and enter:
  • 1 for full encryption.
  • 2 for used space-only encryption.

5. Click OK and restart your computer. ⚠️ Admin privileges required.

enforce encryption type for fixed drives registry
enforce encryption type for fixed drives registry

How to Remove the Encryption Type Setting

If you want to let users choose their own settings again, delete the FDVEncryptionType item you created in the registry and restart your computer.

Summary

You can enforce specific BitLocker encryption types on Windows 11 drives to keep your data secure and simplify setup for users, using either the Local Group Policy Editor or the Registry Editor.

What encryption does BitLocker use?

BitLocker secures your data using the AES encryption algorithm. By default on modern systems, this is AES-256 in XTS mode for greater protection of data at rest. This is very secure. Older systems may use a minimum of AES-128 in CBC mode .

We recommend using AES-XTS for all drive types.

Was this guide helpful?

Tags: #Windows 11
Was this helpful?
Richard

About the Author

Richard

Tech Writer, IT Professional

Richard, a writer for Geek Rewind, is a tech enthusiast who loves breaking down complex IT topics into simple, easy-to-understand ideas. With years of hands-on experience in system administration and enterprise IT operations, he’s developed a knack for offering practical tips and solutions. Richard aims to make technology more accessible and actionable. He's deeply committed to the Geek Rewind community, always ready to answer questions and engage in discussions.

📚 Related Tutorials

How to Choose BitLocker Encryption Type on Windows 11 Drives
Windows How to Choose BitLocker Encryption Type on Windows 11 Drives
How to Change BitLocker Encryption in Windows 11
Windows How to Change BitLocker Encryption in Windows 11
How to Enforce BitLocker Encryption on Removable Drives
Windows How to Enforce BitLocker Encryption on Removable Drives
How to View Local Group Policies that are Configured in Windows 11
Windows How to View Local Group Policies that are Configured in Windows 11

No comments yet — be the first to share your thoughts!

Leave a Comment

Your email address will not be published. Required fields are marked *