By default, Windows 10 uses XTS-AES 128-bit for operating system drives and fixed data drives, and AES-CBC 128-bit for removable data drives. In this article, we will show you how to set the default encryption method (XTS-AES or AES-CBC) and encryption strength (128-bit or 256-bit) that BitLocker uses in Windows 10.
Windows 10 introduces a new disk encryption mode (XTS-AES). This mode offers additional integrity support, but it is not compatible with older versions of Windows. You can instead choose Compatible Mode (AES-CBC), which works with older versions of Windows. If you are encrypting a removable drive that you will use under an older version of Windows, you must use AES-CBC.
Both BitLocker Drive Encryption modes described above support an encryption strength of 128 bits or 256 bits.
Note: BitLocker Drive Encryption is only available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions.
Change the BitLocker encryption method and encryption strength
The BitLocker encryption method and encryption strength that you set as the default are applied only when you enable BitLocker for a drive. Changes you make will not affect a drive already encrypted by BitLocker, unless you disable BitLocker for the drive and then re-enable it.
Note: You must be logged in as an administrator to be able to choose the drive encryption method and encryption strength.
Open the local Group Policy Editor and, in the left pane of the Local Group Policy Editor, navigate to the following location:
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
In the right pane of BitLocker Drive Encryption, double-click the "Choose the drive encryption method and encryption strength (Windows 10 (version 1511) and later)" policy to change it.
This policy setting allows you to configure the algorithm and encryption strength used by BitLocker Drive Encryption. This policy setting is applied when you enable BitLocker. Changing the encryption method has no effect if the drive is already encrypted or encryption is in progress.
If you enable this policy setting, you can individually configure an encryption algorithm and key strength for fixed data drives, operating system drives, and removable data drives. For fixed and operating system drives, we recommend using the XTS-AES algorithm. For removable drives, you must use AES-CBC 128-bit or AES-CBC 256-bit if the drive is used on other devices that are not running Windows 10 (version 1511).
If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose the drive encryption method and encryption strength (Windows Vista, Windows Server 2008, Windows 7)" and "Choose the drive encryption method and the encryption strength" policy settings (in that order), if they are defined. If none of the policies are set, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the configuration script.
Follow these steps:
To use the default BitLocker Drive Encryption method and encryption strength
- Select the radio button for Not Configured or Disabled, then click OK. You can now exit the Group Policy Editor.
To choose BitLocker Drive Encryption Method and Encryption Strength
- Select the radio button for Enabled, select the desired encryption method for operating system drives, fixed data drives, and removable data drives, then click OK.
You can now exit the Group Policy Editor.
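Because the policy applies only when BitLocker is enabled on a drive, volumes encrypted earlier keep their old method. The following PowerShell audit is an added example, not part of the original article: it compares the configured policy with what each protected volume actually uses. The registry value names and numeric codes under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` are assumptions not taken from the article, and the legacy Windows Vista/7 policy fallback is not evaluated.

```powershell
# Added example: list BitLocker volumes whose encryption method differs from policy.
# Run from an elevated PowerShell session (Get-BitLockerVolume requires it).

# Assumed location and encoding of the Group Policy setting (not from the article).
$policyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$methodByCode = @{ 3 = 'Aes128'; 4 = 'Aes256'; 6 = 'XtsAes128'; 7 = 'XtsAes256' }

# Defaults stated in the article when no policy is set:
# XTS-AES 128 for OS and fixed data drives, AES-CBC 128 for removable drives.
$defaults = @{ Os = 'XtsAes128'; Fdv = 'XtsAes128'; Rdv = 'Aes128' }

function Get-ExpectedMethod([string]$Kind) {
    # $Kind is 'Os', 'Fdv' (fixed data) or 'Rdv' (removable data).
    $name = "EncryptionMethodWithXts$Kind"
    $code = (Get-ItemProperty -Path $policyKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $code -and $methodByCode.ContainsKey([int]$code)) {
        return $methodByCode[[int]$code]
    }
    # Policy not configured: fall back to the Windows 10 default.
    return $defaults[$Kind]
}

Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' } |
    ForEach-Object {
        # Get-BitLockerVolume reports only OperatingSystem or Data, so ask
        # Get-Volume whether a data volume is removable. Volumes without a
        # drive letter fail this lookup and are treated as fixed.
        $driveType = (Get-Volume -DriveLetter $_.MountPoint[0] -ErrorAction SilentlyContinue).DriveType
        $kind = if ($_.VolumeType -eq 'OperatingSystem') { 'Os' } elseif ($driveType -eq 'Removable') { 'Rdv' } else { 'Fdv' }

        $actual   = "$($_.EncryptionMethod)"
        $expected = Get-ExpectedMethod $kind

        [pscustomobject]@{
            MountPoint     = $_.MountPoint
            Kind           = $kind
            Actual         = $actual
            Expected       = $expected
            # True means the drive must be decrypted and re-encrypted
            # before the current policy takes effect on it.
            NeedsReEncrypt = ($actual -ne $expected)
        }
    } | Format-Table -AutoSize
```

A removable drive that shows `XtsAes128` or `XtsAes256` here will not be readable on the older Windows versions the article mentions.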