
Set BitLocker to Use AES-256 Encryption on Student Computers

IMPORTANT: BitLocker on workforce computers must be set up by the department or division's Certified IT Group. Do not use the student instructions on a workforce computer; a computer set up that way will not comply with University Policy and CUMC Information Security Procedures. Instructions for students are provided as a courtesy only.

BitLocker has default encryption settings that do not meet University requirements. Once you've completed Initial Preparation, follow the steps below to set BitLocker to use an approved encryption level called AES-256.
If a computer already has BitLocker enabled, you can check the encryption level and follow instructions to correct it if needed.
  1. You must be logged in to the computer with Administrative rights, and the computer cannot be joined to a domain.
  2. Launch the Run program.
    • Windows 10 and 8.1: press the Windows and R keys on the keyboard
    • Windows 7: select the Start icon - All Programs - Accessories - Run
  3. In the Open field, type gpedit.msc and click OK.

  4. The Local Group Policy Editor window will open. In the left pane, under the Computer Configuration heading, expand the following: Administrative Templates - Windows Components - BitLocker Drive Encryption.

  5. Double-click on the Choose drive encryption method and cipher strength option in the right pane.
  6. In the next window select Enabled near the upper left.

  7. In the Select the encryption method drop-down menu, choose AES 256-bit with Diffuser. NOTE: in some versions of Windows the "with Diffuser" option may not be available; if so, it is fine to select AES-256 only. On Windows 10 you may need to select XTS-AES 256-bit.
  8. Click the Apply button in the lower right, then OK.
  9. Click the red X in the upper right corner to close the Local Group Policy Editor window. BitLocker will now use AES-256 when encrypting the full operating system disk.
Once AES-256 is selected (and all other preparation steps completed) you can enable BitLocker.
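
One way to check the encryption level mentioned above, as an added example that is not part of the original CUMC instructions. It assumes Windows 8.1 or 10 (the Get-BitLockerVolume cmdlet is not available on Windows 7) and an elevated PowerShell prompt; the registry key and value names in step 1 are assumptions about where the policy setting is stored.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the operating system drive against the AES-256 requirement.

# Values of Get-BitLockerVolume's EncryptionMethod property that match the
# three choices the steps above allow.
$approved = 'Aes256', 'Aes256Diffuser', 'XtsAes256'

# 1. Show what the local policy will apply to drives encrypted from now on.
#    Assumption: the policy is stored under this key, where 4 = AES 256-bit and
#    7 = XTS-AES 256-bit (legacy EncryptionMethod: 2 = AES 256-bit with Diffuser).
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policyNames = 'EncryptionMethodWithXtsOs', 'EncryptionMethodNoDiffuser', 'EncryptionMethod'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
foreach ($name in $policyNames) {
    $value = if ($policy) { $policy.$name } else { $null }
    if ($null -ne $value) { "Policy ${name} = $value" }
}
if (-not $policy) { 'No BitLocker policy set: Windows defaults will be used.' }

# 2. Check what the drive itself uses.
$vol    = Get-BitLockerVolume -MountPoint $env:SystemDrive
$method = $vol.EncryptionMethod.ToString()

if ($vol.VolumeStatus.ToString() -eq 'FullyDecrypted') {
    "$($vol.MountPoint) is not encrypted; the policy above applies when BitLocker is enabled."
}
elseif ($method -in $approved) {
    "$($vol.MountPoint) uses $method ($($vol.VolumeStatus)): meets the AES-256 requirement."
}
else {
    # Changing the policy does not convert a drive that is already encrypted.
    "$($vol.MountPoint) uses ${method}: does not meet the AES-256 requirement."
    'Turn BitLocker off, let decryption finish, set the policy, then re-enable BitLocker.'
}
```

On Windows 7, running manage-bde -status from an elevated Command Prompt reports the same encryption method.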

Last updated 10/10/2018