Enable BitLocker with XTS-AES 256-bit encryption for stronger security

NOTE: Some of the Group Policy settings below only appear in Group Policy Management Editor once the matching BitLocker ADMX templates are installed in your central store. Microsoft publishes the ADMX templates for each Windows release; download the set that matches the newest Windows version you manage.

BitLocker is a built-in Windows feature that protects data by encrypting entire drives, so that a lost or stolen device does not turn into a data breach. It only delivers that protection when its policies are set deliberately: the encryption strength, the authentication required at startup, and where recovery keys are escrowed all determine whether the result is both secure and recoverable. These settings can be managed through Group Policy or Microsoft Intune.

Below are the steps to deploy this configuration across your organization depending on your preference for enforcement:

Group Policy (Windows Server Active Directory)

Steps for configuring BitLocker drive encryption settings via Group Policy:

Step One: Open Group Policy Management, create (or select) the GPO you will use for BitLocker, and open it in Group Policy Management Editor.

Step Two: On the lefthand navigation pane, select Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption.


Step Three: Under BitLocker Drive Encryption, enable the Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) policy.

  • Under Select the encryption method for operating system drives and Select the encryption method for fixed data drives, choose XTS-AES 256-bit. Removable data drives can remain at the default AES-CBC setting unless your organization needs otherwise: XTS-AES volumes cannot be opened by Windows versions older than Windows 10 version 1511, which matters most for drives that move between machines.

Step Four: Under Operating System Drives, configure the following:

  • Enable the Enforce drive encryption type on operating system drives policy.
    - In the policy settings, under Select the encryption type, choose Full encryption. (Used Space Only encryption leaves free space, and therefore previously deleted data, unencrypted.)
  • Enable Require additional authentication at startup and configure the following:
    - Uncheck Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
    - Configure TPM startup: Allow TPM.
    - Configure TPM startup PIN: Do not allow startup PIN with TPM.
    - Configure TPM startup key: Do not allow startup key with TPM.
    - Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM.
    This combination is TPM-only protection: the OS drive unlocks automatically at boot, so the TPM's measurement of the boot chain is the only check. If your threat model includes an attacker with physical access to a powered or recently powered device (DMA, cold-boot, or TPM bus-sniffing attacks against the booted OS), require a startup PIN instead (Configure TPM startup PIN: Require startup PIN with TPM).
  • Under Choose how BitLocker-protected operating system drives can be recovered, select Enabled, and configure the following:
    - Uncheck Allow data recovery agent.
    - Check Omit recovery options from the BitLocker setup wizard.
    - Check Save BitLocker recovery information to AD DS for operating system drives.
    - Set Configure storage of BitLocker recovery information to AD DS to Store recovery passwords only. (Store recovery passwords and key packages additionally lets repair-bde salvage a damaged volume, at the cost of storing more key material in AD DS.)
    - Check Do not enable BitLocker until recovery information is stored to AD DS for operating system drives.

Step Five: Under Fixed Data Drives, configure the following:

  • Enable the Enforce drive encryption type on fixed data drives policy. In the policy settings, under Select the encryption type, choose Full encryption.
  • Under Choose how BitLocker-protected fixed drives can be recovered, select Enabled, and configure the following:
    - Uncheck Allow data recovery agent.
    - Check Omit recovery options from the BitLocker setup wizard.
    - Check Save BitLocker recovery information to AD DS for fixed data drives.
    - Set Configure storage of BitLocker recovery information to AD DS to Store recovery passwords only.
    - Check Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives.

NOTE: We recommend blocking removable data drives altogether (for example with device control, or with the Deny write access to removable drives not protected by BitLocker policy under Removable Data Drives). If removable drives are required, configure the following:

Step Six: Optional - Under Removable Data Drives, configure the following:

  • Enable Enforce drive encryption type on removable data drives.
  • In the policy settings, under Select the encryption type, choose Allow user to choose (default).

Step Seven: In Group Policy Management, link the GPO to the OUs that contain the target computers and, under Scope, use Security Filtering to limit it to the applicable devices or device groups. It is recommended to pilot this configuration with a test group first.
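After gpupdate /force on a pilot machine, the quickest way to confirm that Steps Three to Five landed is to read the policy values the BitLocker ADMX writes under HKLM\SOFTWARE\Policies\Microsoft\FVE and then compare them with what Get-BitLockerVolume reports for the actual volumes. The script below is an added example, not code from the original post; the value names and numeric encodings are the ones the ADMX registry mapping uses (verify them against the ADMX in your central store if a row comes back unexpectedly). Run it elevated on the domain-joined client.

```powershell
# Added example: verify the GPO above on a client. Not part of the original article.
# Expected values reflect the choices made in Steps Three to Five.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Encodings used by the BitLocker ADMX (confirm against your ADMX if in doubt):
#   EncryptionMethodWithXts*     3 = AES-CBC 128, 4 = AES-CBC 256, 6 = XTS-AES 128, 7 = XTS-AES 256
#   *EncryptionType              0 = allow user to choose, 1 = full encryption, 2 = used space only
#   UseTPM / UseTPMPIN / UseTPMKey / UseTPMKeyPIN   0 = do not allow, 1 = require, 2 = allow
#   *ActiveDirectoryInfoToStore  1 = recovery passwords only, 2 = passwords and key packages
$expected = [ordered]@{
    EncryptionMethodWithXtsOs       = 7   # XTS-AES 256 for OS drives
    EncryptionMethodWithXtsFdv      = 7   # XTS-AES 256 for fixed data drives
    OSEncryptionType                = 1   # full encryption
    FDVEncryptionType               = 1
    UseAdvancedStartup              = 1   # "Require additional authentication at startup" enabled
    EnableBDEWithNoTPM              = 0   # no BitLocker without a TPM
    UseTPM                          = 2   # allow TPM
    UseTPMPIN                       = 0
    UseTPMKey                       = 0
    UseTPMKeyPIN                    = 0
    OSManageDRA                     = 0   # no data recovery agent
    OSHideRecoveryPage              = 1   # omit recovery options from the wizard
    OSActiveDirectoryBackup         = 1   # save recovery info to AD DS
    OSActiveDirectoryInfoToStore    = 1   # passwords only
    OSRequireActiveDirectoryBackup  = 1   # do not enable until escrowed
    FDVManageDRA                    = 0
    FDVHideRecoveryPage             = 1
    FDVActiveDirectoryBackup        = 1
    FDVActiveDirectoryInfoToStore   = 1
    FDVRequireActiveDirectoryBackup = 1
}

function Test-BitLockerPolicy {
    # One row per setting: expected vs. what the policy key actually contains.
    $actual = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected[$name]
            Actual   = $value
            Ok       = ($null -ne $value) -and ([int]$value -eq $expected[$name])
        }
    }
}

function Test-BitLockerVolumes {
    # Policy is only half the story: check what the volumes really use.
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object KeyProtectorType)
        [pscustomobject]@{
            Volume       = $v.MountPoint
            Type         = $v.VolumeType
            Status       = $v.VolumeStatus
            Method       = $v.EncryptionMethod
            Xts256       = ($v.EncryptionMethod -eq 'XtsAes256')
            TpmProtector = ($types -contains 'Tpm')
            RecoveryPwd  = ($types -contains 'RecoveryPassword')
            ProtectionOn = ($v.ProtectionStatus -eq 'On')
        }
    }
}

Test-BitLockerPolicy  | Format-Table -AutoSize
Test-BitLockerVolumes | Format-Table -AutoSize
```

A volume that was encrypted before the GPO arrived will still show its old method (for example AES-CBC 128 on older builds); changing the cipher requires decrypting and re-encrypting the drive, so the second table is the one that tells you whether the fleet is actually on XTS-AES 256.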

Microsoft Intune (from intune.microsoft.com)

Steps for configuring BitLocker Drive Encryption via cloud policy:

Step one: Navigate to intune.microsoft.com and sign in.

Step two: On the lefthand navigation pane, select Endpoint security > Disk encryption.

Step three: Create a new policy, selecting Windows as the platform and BitLocker as the profile.

Step four: Name the policy, then navigate to Configuration Settings.


Step five: Under Configuration settings, configure the following:

Under the BitLocker drop down list, enable Require Device Encryption.

Under the BitLocker Drive Encryption drop down list, enable Choose drive encryption method and cipher strength, and choose XTS-AES 256-bit for operating system drives and for fixed data drives (removable data drives can stay at the default, for the same compatibility reason as in the Group Policy steps).

Under the Operating System Drives drop down list, configure the following:

  • Enable Enforce drive encryption type on operating system drives, and under Select encryption type: (Device) choose Full encryption.
  • Enable Require additional authentication at startup (TPM authentication) and configure the following:
    - Configure TPM startup: Allow TPM.
    - Configure TPM startup PIN: Do not allow startup PIN with TPM.
    - Configure TPM startup key: Do not allow startup key with TPM.
    - Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM.
    As with the Group Policy version, this is TPM-only protection; require a startup PIN instead if attackers with physical access to a booted device are in your threat model.
  • Enable Choose how BitLocker-protected operating system drives can be recovered and configure the following:
    - Enable Omit recovery options from the BitLocker setup wizard.
    - Enable Save BitLocker recovery information to AD DS for operating system drives.
    - Set Configure storage of BitLocker recovery information to AD DS to Store recovery passwords only, matching the Group Policy configuration.
    - Enable Do not enable BitLocker until recovery information is stored to AD DS for operating system drives.

On Microsoft Entra joined devices these "AD DS" settings escrow the recovery password to Microsoft Entra ID, which is where the Intune recovery key view described below reads it from.

Under the Fixed Data Drives drop down list, configure the following:

  • Enable Enforce drive encryption type on fixed data drives, and under Select the encryption type: (Device) choose Full encryption.
  • Enable Choose how BitLocker-protected fixed drives can be recovered and configure the following:
    - Enable Omit recovery options from the BitLocker setup wizard.
    - Enable Save BitLocker recovery information to AD DS for fixed data drives.
    - Set Configure storage of BitLocker recovery information to AD DS to Store recovery passwords only.
    - Enable Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives.

NOTE: We recommend blocking removable data drives altogether. If they are required, configure the following:

Step six (optional): Under the Removable Data Drives drop down list, configure the following:

  • Enable Enforce drive encryption type on removable data drives.
  • Under Select the encryption type, choose Allow user to choose (default).

Step seven: Under Assignments, select the applicable device groups (Intune policies are assigned to groups, not to OUs). It is recommended to pilot this configuration with a test group first.
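Intune will turn on encryption on its own once the policy applies, but when a pilot device reports as non-compliant, or an already-encrypted device has no escrowed recovery password, it helps to have a device-side script that brings the OS volume to the state described above and escrows the recovery password to whichever directory manages the device. The script below is an added example written for this article, not code from the original post or from Microsoft; it assumes the device is Microsoft Entra joined or hybrid joined (join state is read from dsregcmd /status) and uses only cmdlets from the built-in BitLocker module. It is suitable as an Intune remediation script run as SYSTEM.

```powershell
# Added example: bring the OS volume to XTS-AES 256, full encryption, TPM + recovery password,
# and escrow the recovery password. Not part of the original article.
$mount = $env:SystemDrive
$vol   = Get-BitLockerVolume -MountPoint $mount

# 1. A recovery password protector must exist before anything else: with
#    "Do not enable BitLocker until recovery information is stored" in effect,
#    BitLocker refuses to turn on without one.
$rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($rp.Count -eq 0) {
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        # No -UsedSpaceOnly switch, so this is full encryption, as the policy requires.
        Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 `
            -RecoveryPasswordProtector -SkipHardwareTest | Out-Null
    }
    else {
        Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    }
    $vol = Get-BitLockerVolume -MountPoint $mount
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
elseif ($vol.EncryptionMethod -ne 'XtsAes256') {
    # Changing the cipher means decrypt + re-encrypt; never do that silently in a remediation.
    Write-Warning "$mount uses $($vol.EncryptionMethod), not XTS-AES 256: schedule a re-encryption."
}

# 2. Escrow every recovery password to the directory that manages this device.
$dsreg        = dsregcmd /status
$entraJoined  = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')

foreach ($p in $rp) {
    if ($entraJoined) {
        # Entra joined or hybrid joined: key lands in Microsoft Entra ID (visible in Intune).
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    if ($domainJoined) {
        # Domain joined or hybrid joined: key lands on the computer object in AD DS.
        Backup-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Write-Output "Escrowed recovery password $($p.KeyProtectorId) (Entra: $entraJoined, AD DS: $domainJoined)"
}

# 3. TPM protector so the drive unlocks at boot without a PIN (the TPM-only choice made above).
#    Without it the device would prompt for the recovery password on every boot.
if (-not (@($vol.KeyProtector | ForEach-Object KeyProtectorType) -contains 'Tpm')) {
    Add-BitLockerKeyProtector -MountPoint $mount -TpmProtector | Out-Null
}

Get-BitLockerVolume -MountPoint $mount |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
```

Note that the script adds the TPM protector after the recovery password rather than before it, so that the escrow step never races the "do not enable until stored" policy; if you switch the design to TPM + PIN, replace the -TpmProtector step with -TpmAndPinProtector and supply the PIN as a SecureString.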

BitLocker recovery key retrieval (Group Policy and Intune)

Below are the steps for retrieving a BitLocker recovery key, first from Intune (Microsoft Entra ID) and then from on-premises AD DS:

Intune BitLocker recovery key retrieval:

  • In the left-hand menu, click Devices.
  • Select All devices.
  • Find and click the device you need the BitLocker recovery key for.
  • In the device overview, under Monitor, select Recovery keys.
  • The BitLocker key ID and the full recovery key are displayed. Match the key ID against the one shown on the device's recovery screen before handing the key out; reading a key is recorded in the Microsoft Entra audit log, so expect these lookups to be reviewable.

On-premises AD DS (Group Policy) BitLocker recovery key retrieval:

  • Open the Active Directory Users and Computers (ADUC) console on a domain-joined computer with the necessary permissions. The BitLocker Recovery tab comes from the BitLocker Recovery Password Viewer, which is part of the BitLocker Drive Encryption Administration Utilities RSAT feature; install it if the tab is missing.
  • In the ADUC console, enable Advanced Features: click View > Advanced Features (this shows additional tabs).
  • Find the computer object for the device you want the recovery key for, either by navigating through the Organizational Units (OUs) or by using the search function.
  • Right-click the computer object, select Properties, and go to the BitLocker Recovery tab (visible only if your AD schema is extended for BitLocker).
  • One or more recovery passwords are listed with their Password ID and password. Pick the entry whose Password ID matches the Key ID shown on the device's recovery screen (the first eight characters are enough to identify it), then copy that password to unlock the device.
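For a help desk that handles many recoveries, clicking through ADUC per device does not scale, and the Password ID matching described above is easy to get wrong by hand. The function below is an added example, not code from the original post: it searches AD DS for the msFVE-RecoveryInformation object whose recovery GUID starts with the Key ID the user reads off the recovery screen, either under one computer object or across the whole domain. It assumes the ActiveDirectory RSAT module is installed and that the caller has read access to the msFVE-RecoveryPassword attribute (delegate that narrowly; whoever can read it can unlock the drives). The example Key ID in the usage line is a constructed value.

```powershell
# Added example: find a recovery password in AD DS by the Key ID shown on the recovery screen.
# Not part of the original article. Requires RSAT: ActiveDirectory module.
Import-Module ActiveDirectory

function Get-BitLockerRecoveryPassword {
    param(
        # First 8 (or up to all 32) hex characters of the Key ID from the recovery screen.
        [Parameter(Mandatory)][string]$KeyIdPrefix,
        # Optional computer name to narrow the search; otherwise the whole domain is searched.
        [string]$ComputerName
    )

    # Normalise what the user typed: drop dashes/braces, upper-case, require a usable prefix.
    $prefix = ($KeyIdPrefix -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($prefix.Length -lt 8) { throw 'Provide at least the first 8 hex characters of the Key ID.' }

    $searchBase = if ($ComputerName) {
        (Get-ADComputer -Identity $ComputerName).DistinguishedName
    } else {
        (Get-ADDomain).DistinguishedName
    }

    # Each escrowed password is an msFVE-RecoveryInformation child object of the computer.
    # Its name is "<timestamp>{<recovery GUID>}", and that GUID is the Key ID the user sees.
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                 -SearchBase $searchBase -SearchScope Subtree `
                 -Properties 'msFVE-RecoveryPassword', whenCreated |
    ForEach-Object {
        if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}') {
            $keyId = ($Matches[1] -replace '-', '').ToUpperInvariant()
            if ($keyId.StartsWith($prefix)) {
                # Parent RDN of the recovery object is the computer: CN=<host>,OU=...
                $parentDn = ($_.DistinguishedName -split ',', 2)[1]
                [pscustomobject]@{
                    Computer         = ($parentDn -replace '^CN=([^,]+).*', '$1')
                    KeyId            = $Matches[1]
                    Created          = $_.whenCreated
                    RecoveryPassword = $_.'msFVE-RecoveryPassword'
                }
            }
        }
    }
}

# Usage (constructed Key ID, not a real one): the user reads "1A2B3C4D-..." from the screen.
# Get-BitLockerRecoveryPassword -KeyIdPrefix '1A2B3C4D'
# Get-BitLockerRecoveryPassword -KeyIdPrefix '1A2B3C4D' -ComputerName 'LAPTOP01'
```

A device that has been re-encrypted or had its recovery password rotated will have several msFVE-RecoveryInformation objects; the Created column tells you which one is current, and the prefix match on the full 32-hex GUID rather than on the object name's timestamp is what prevents handing out a stale password.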

Follow the steps above to harden your environment even further with BitLocker Drive Encryption.
