To enable 256-bit encryption with Windows Bitlocker you need to set it by Group Policy. If you are joined to domain, your domain admin might set these settings, but if you have a standalone computer or your domain admin doesn’t force these setting you need to use Local Group Policy Editor. Just put in your Windows Search field:
gpedit.msc
Under Computer Configuration browse down Administrative Templates – Windows Components – BitLocker Drive Encryption. In that folder you will find 3 settings that affect the encryption method for Bitlocker Drive Encryption method and cipher. We list the settings and the value we prefer below.
| Setting | Recommendation |
|---|---|
| Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507]) |
Enabled |
| Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) |
Enabled |
| Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2) |
Enabled |
After setting these, just reboot your computer. Now you may enable the Bitlocker Drive Encryption.
If you had Bitlocker enabled on any of your drives before you made your choices here, you need to re-encrypt the drive. Just disable bitlocker and enable it again after it has completed decrypting the drive.
You may check your encryption method with the following command in elevated (Administrator) Command Prompt:
manage-bde -statusĀ
Recent Comments