To enable 256-bit encryption with Windows BitLocker you need to set it by Group Policy. If your computer is joined to a domain, your domain admin might set these settings for you, but if you have a standalone computer, or your domain admin doesn't enforce these settings, you need to use the Local Group Policy Editor. Just put in your Windows Search field:


Under Computer Configuration browse down to Administrative Templates – Windows Components – BitLocker Drive Encryption. In that folder you will find 3 settings that control the encryption method and cipher strength BitLocker uses; which one applies depends on the Windows version. We list the settings and the values we prefer below.

Setting: Choose drive encryption method and cipher strength (Windows 8, Windows Server 2012, Windows 8.1, Windows Server 2012 R2, Windows 10 [Version 1507])
Recommendation: AES 256-bit

Setting: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Recommendation:
    Operating system drives: XTS-AES 256-bit
    Fixed data drives: XTS-AES 256-bit
    Removable data drives: AES-CBC 256-bit

Setting: Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
Recommendation: AES 256-bit with Diffuser

After setting these, just reboot your computer. Now you can enable BitLocker Drive Encryption.

If BitLocker was already enabled on any of your drives before you made your choices here, you need to re-encrypt the drive: disable BitLocker and, after it has finished decrypting the drive, enable it again.

You can check the encryption method in use with the following command in an elevated (Administrator) Command Prompt:

manage-bde -status
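The same check, as an added PowerShell example that is not part of the original article: it reads the policy values the 1511+ setting stores under the BitLocker policy key and compares them with the recommendations above, then lists every volume whose current method does not match, so you can see which drives still need the disable/decrypt/enable cycle. It assumes the Get-BitLockerVolume cmdlet (Windows 8 and later) and the registry value names Microsoft documents for this policy.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell.

# Where the "Choose drive encryption method and cipher strength
# (Windows 10 [Version 1511] and later)" policy is stored.
# Value meaning: 3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expectedPolicy = [ordered]@{
    EncryptionMethodWithXtsOs  = 7   # operating system drives: XTS-AES 256-bit
    EncryptionMethodWithXtsFdv = 7   # fixed data drives:       XTS-AES 256-bit
    EncryptionMethodWithXtsRdv = 4   # removable data drives:   AES-CBC 256-bit
}

Write-Host "== Policy check ($fve) =="
foreach ($name in $expectedPolicy.Keys) {
    $actual = (Get-ItemProperty -Path $fve -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -eq $actual)                       { $state = 'NOT SET' }
    elseif ($actual -eq $expectedPolicy[$name])  { $state = 'OK' }
    else                                         { $state = "MISMATCH (is $actual)" }
    Write-Host ("{0,-28} expected {1}  {2}" -f $name, $expectedPolicy[$name], $state)
}

# Methods that count as 256-bit for this audit. Aes256 (AES-CBC 256) is what the
# article recommends for removable drives only; anything not listed is flagged.
$ok256 = @('XtsAes256', 'Aes256', 'Aes256Diffuser')

Write-Host "`n== Volume check (Get-BitLockerVolume) =="
foreach ($vol in Get-BitLockerVolume) {
    $method = [string]$vol.EncryptionMethod
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        $note = 'not encrypted - enable BitLocker now that the policy is set'
    } elseif ($method -notin $ok256) {
        # Encrypted before the policy took effect: must be decrypted and re-encrypted.
        $note = "re-encrypt: $method (disable BitLocker, wait for decryption, enable again)"
    } elseif ($vol.VolumeType -eq 'OperatingSystem' -and $method -ne 'XtsAes256') {
        $note = 'OS drive should be XTS-AES 256-bit on Windows 10 1511 and later'
    } else {
        $note = 'OK'
    }
    Write-Host ("{0,-4} {1,-16} {2,-15} {3}" -f $vol.MountPoint, $vol.VolumeType, $method, $note)
}
```

Get-BitLockerVolume does not tell fixed and removable data drives apart, so a removable drive showing Aes256 is reported as OK here, which matches the recommendation for that drive type.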