
Protection off & Encryption method in Bitlocker

ASZ 0 Reputation points
May 8, 2023, 7:27 AM

Hi,

On one computer with Win10 21H2 Enterprise (from a local domain, with some GP) I had 2 encrypted drives (C: & D:):

Bitlocker - 1

I decided to change the capacity of those drives, so I deleted the D: drive, shrank the C: drive, created the new D: drive and then encrypted it (using cmd manage-bde -on D:).

Bitlocker - 2

I have some issues and I don't know how to fix them:

  1. On D: drive, the Protection is Off .. Can I turn it back to On? (maybe using a command?)
  2. The Encryption method on D: drive is XTS-AES 128 .. Can I change it into XTS-AES 256?
  3. Is it possible to select the Encryption method when I'm using the manage-bde command?

I'm using that manage-bde command because in our network I don't have access to other options (the app for recovery key is managed by another dept.)


2 answers

  1. MTG 1,241 Reputation points
    May 10, 2023, 8:36 AM

    Hania's remark "you can only use manage-bde to view the encryption method, but you cannot select the encryption method" is incorrect. Manage-bde knows the parameter -em (encryption method).

    manage-bde -on d: -em xts_aes256 -rp -pw

    would be the command to turn on encryption on d: with XTS_AES256 and set a numerical recovery password and a password as well.

    You didn't set any protectors yet (no password, no recovery password) - that's why Windows didn't enable BitLocker protection on its own.

    1 person found this answer helpful.
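
A read-only check for the two conditions raised in the question and the answer above (a volume that is encrypted but has no key protectors, and an encryption method other than XTS-AES 256), as an added PowerShell example that is not part of any answer in this thread. `Get-BitLockerFinding`, `$WantedMethod` and the sample volume are hypothetical names and constructed data; `Get-BitLockerVolume` is the BitLocker module cmdlet and needs an elevated session.

```powershell
# Added example, not from the thread. Read-only: it changes nothing on disk.
$WantedMethod = 'XtsAes256'   # assumption: target method taken from the question

function Get-BitLockerFinding {
    param([Parameter(Mandatory)] $Volume)

    $method = "$($Volume.EncryptionMethod)"
    # Names of the protectors currently set (RecoveryPassword, Password, Tpm, ...).
    $protectors = @($Volume.KeyProtector | Where-Object { $_ } |
                    ForEach-Object { "$($_.KeyProtectorType)" })
    $findings = @()

    if ($method -eq 'None') {
        $findings += 'volume is not encrypted'
    } else {
        if ($protectors.Count -eq 0) {
            # The situation in the question: manage-bde -on without -rp/-pw.
            $findings += 'encrypted but no key protectors, so protection stays Off; add one, e.g. manage-bde -protectors -add <drive> -rp'
        } elseif ("$($Volume.ProtectionStatus)" -ne 'On') {
            $findings += 'protectors exist but protection is Off (suspended, or encryption not finished)'
        }
        if ($method -ne $WantedMethod) {
            $findings += "method is $method, not $WantedMethod; changing it means decrypting (manage-bde -off) and re-encrypting with -em xts_aes256"
        }
    }

    [pscustomobject]@{
        Drive      = $Volume.MountPoint
        Method     = $method
        Protection = "$($Volume.ProtectionStatus)"
        Protectors = $protectors -join ', '
        Findings   = $findings
    }
}

# Constructed sample that mirrors the D: drive described in the question.
$sample = [pscustomobject]@{
    MountPoint = 'D:'; EncryptionMethod = 'XtsAes128'
    ProtectionStatus = 'Off'; KeyProtector = @()
}
Get-BitLockerFinding $sample | Format-List

# Live volumes, when the BitLocker module is present (elevated session required).
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | ForEach-Object { Get-BitLockerFinding $_ } | Format-List
}
```
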

  2. Hania Lian 21,196 Reputation points Microsoft Vendor
    May 9, 2023, 6:37 AM

    Hi.

    1. On D: drive, the Protection is Off .. Can I turn it back to On? (maybe using a command?)

    Yes, of course.

    The steps to enable disk protection are as follows:

    Open in turn: Control Panel > All Control Panel Items > System > System Protection > Under "Protection Settings", select the D drive, click "Configure", select "Turn on system protection", and click "OK".

    2. The Encryption method on D: drive is XTS-AES 128 .. Can I change it into XTS-AES 256?

    You cannot switch the encryption method of an existing BitLocker volume. You can only decrypt the drive first, then re-encrypt it with BitLocker. Before that, you need to set up BitLocker to use XTS-AES 256.
    For setup steps, please refer to:

    https://www.howtogeek.com/193649/how-to-make-bitlocker-use-256-bit-aes-encryption-instead-of-128-bit-aes/#:~:text=Navigate%20to%20Computer%20Configuration%5CAdministrative,and%20select%20AES%20256%2Dbit.

    3. Is it possible to select the Encryption method when I'm using the manage-bde command?

    You can only use manage-bde to view the encryption method, but you cannot select the encryption method.

    Hope the information is helpful.

