If BitLocker encryption is enabled, the imaging computer cannot identify where the content on the encrypted drive is stored. Hence, decrypting the contents of the BitLocker-encrypted drive is essential for efficient imaging.
To disable BitLocker from the command line, make sure you are logged on to an administrator account. Follow the steps given below to turn off BitLocker encryption using Command Prompt.
You can confirm that BitLocker encryption has been removed by checking that the BitLocker lock icon no longer appears on the drive and by accessing the drive. Repeat the same steps to disable BitLocker encryption on other drives.
To disable BitLocker encryption from Windows PowerShell, Windows PowerShell must be installed on your system. If it is not, download and install the appropriate Windows PowerShell version from the Microsoft website. Also check the PowerShell system requirements before proceeding with the installation.
Note: If the partition containing the operating system holds any automatic unlocking keys, the cmdlet that disables BitLocker encryption will not work. Use the Clear-BitLockerAutoUnlock cmdlet in a PowerShell window to remove all automatic unlocking keys, then disable BitLocker for the partition.
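The PowerShell procedure above, as an added example that is not part of the original guide: it inspects the volume with Get-BitLockerVolume, clears automatic-unlock keys when the OS volume holds any, starts decryption with Disable-BitLocker and waits until the volume reports FullyDecrypted. It assumes an elevated PowerShell session; the drive letter in $MountPoint is an assumed value.

```powershell
# Added example, not the original guide's code. Assumes an elevated session.
$MountPoint = "C:"   # assumed drive letter; change to the drive being decrypted

# Inspect the volume first: VolumeStatus and ProtectionStatus show its state.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
Write-Host ("{0} VolumeStatus={1} ProtectionStatus={2} Encrypted={3}%" -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage)

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "Volume is already decrypted; nothing to do."
    return
}

# Disable-BitLocker fails on an OS volume that still stores automatic-unlock
# keys for data volumes, so clear those keys first (the note above).
if ($vol.AutoUnlockKeyStored) {
    Write-Host "Automatic-unlock keys found on the OS volume; clearing them."
    Clear-BitLockerAutoUnlock
}

# Start decryption. It runs in the background and can take a long time on large drives.
Disable-BitLocker -MountPoint $MountPoint | Out-Null

# Poll until the volume reports FullyDecrypted.
do {
    Start-Sleep -Seconds 30
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Write-Host ("Decrypting... {0}% still encrypted" -f $vol.EncryptionPercentage)
} while ($vol.VolumeStatus -ne 'FullyDecrypted')

# Cross-check with the built-in tool; "Conversion Status: Fully Decrypted" should appear.
manage-bde -status $MountPoint
```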
Hello,
I've read through all the material I can. I am struggling to understand what is supposed to happen when you have Bitlocker settings enabled for the system drive.
Here is our situation. We are not joining the computers to a domain and users do not have a Microsoft account. When they log into Windows, GCPW gives them a standard user account. On my two test machines, despite having the settings enabled, nothing happens regarding BitLocker. Coming from a domain environment I am already fairly familiar with BitLocker, so I assume this is because there is nowhere to store the recovery key and likely because they are not an administrative user.
Should we just be enabling Bitlocker using the local admin account before distributing the computer?
Will it report in the admin console correctly if it is done this way?
What is everyone else doing in regards to Bitlocker?
If you are not seeing this, can you verify that the device is successfully enrolled with advanced Windows management? You can check whether the device is enrolled from the Settings app. You can also create logs and look at the BitLocker value. -us/windows/client-management/mdm-collect-logs
Would it prompt them if they are a standard user? Standard users normally can't enable BitLocker. I have an open ticket with support and am waiting to see what they say. In the meantime I added a second test computer, same behavior. Nothing happens; all other policies seem to be working.
Ah, that could be the problem. Just looking into Microsoft's documentation, there seem to be new settings in the OS that can make this possible. Can you use the Custom settings section of the Admin console to enable these settings in addition to the BitLocker settings?
I don't mind turning bitlocker on with the local administrator account. However, on my test machine when I enable bitlocker with the local administrator account, the admin console still reports that the device is unencrypted.
From what I can tell, if you enable BitLocker before enrolling the device to a user, the admin portal will never correctly report the device as encrypted. This creates a catch-22. You have to enroll the device before the user gets it to enable BitLocker.
The policies you listed state that they are only for Azure Active Directory Joined devices.
The local Admin account, which is registered in the Admin console in the GCPW settings, has to enable BitLocker manually and save the recovery key elsewhere.
The key can't be stored on the same drive, but a GDrive-enabled folder (Google Drive for Desktop) does the trick.
This guide is more of a reflection on the steps I took to publish the BitLocker recovery keys of machines deployed on an Active Directory domain. Microsoft has gobs and gobs of information on this subject which can be a tad overwhelming,...
I will do it via MDT for the new installations; however, I have several existing Windows 10 laptops where BitLocker needs to be turned on, and at the moment we are manually logging in as the local admin and turning it on via Control Panel\BitLocker. Is there a better way of doing this?
I tried that, so to speak, by removing all relevance except Windows of operating system and targeted a test group. It seemed to work, but some endpoints reported back that a reboot was required and some of them came back in a BitLocker recovery state, but the password that BigFix knew about (and which was correct) was not valid and we had to rebuild some systems. I may need to dig into it more, but I am a novice when it comes to relevance.
The stuff you created is great but could be updated to target computers that are coming from the factory with all the prerequisites in place and BitLocker already enabled but waiting to be turned on. I am not sure what that would look like but assuming it has been done.
Thanks.
I have seen the TPM fixlets you mentioned. I will see if I can get TPM activated using them on some of my endpoints that are reporting not activated or visible and then test the encryption fixlet on them.
The property Bitlocker - Recovery Password Enabled - Windows tells you whether there is even a recovery password at all. The property Bitlocker - Recovery Password - Windows tells you what the recovery password is.
I followed an article by Brad Sexton to get most of this set up in the first place. It references your content almost exclusively. I will look at the implementation guide you mentioned and see if there is anything there that I appear to be missing.
When you pause Bitlocker, that key is then stored on the drive in an unencrypted fashion. This means that the data on the drive is still encrypted but the key to decrypt the data is available without needing the TPM or the recovery password. New data written to the disk is still encrypted.
The Invoke - Bitlocker Encrypt System Volume - Windows Fixlet starts bitlocker encryption for the drive.
The Invoke - Bitlocker Suspend System Drive Encryption - Windows Fixlet suspends/pauses BitLocker encryption.
The Invoke - Bitlocker Resume System Drive Encryption - Windows Fixlet resumes BitLocker encryption.
My new HP Pavilion came with bitlocker enabled. I would like to disable it but there is no option to do so in the Control Panel. I do see the option in Settings. Is there anything I have to do other than select turn it off?
A few months ago I enabled Windows Bitlocker encryption on my ssd C drive. I did this because it was a requirement for win11. It was easy to do and only took about 15 minutes to complete. For more info on Bitlocker just do a bit of googling, for example;
Since I've decided that there is no really good reason to upgrade to win11 right now (and probably not for a year or two since win10 is supported till 2025 anyway) I thought I'd try turning Bitlocker off for now. One reason I did this was because when I wanted to go into win10 Safe Mode (say to run DDU) I always needed to enter my Bitlocker recovery code and I found this a bit of a pain in the a**. So, today I turned Bitlocker off and this took about 15 minutes to complete.
Most sources I've seen say that BitLocker does not significantly affect performance, but even Microsoft says it does increase disk read/write processes. After testing out Oculus, Steam, and VivePort apps I gotta say that my Q2/RTX 3090 with Air Link did seem to run a little better (smoother and essentially stutter-free). I still have to test this out with my flight/racing sims, but my early findings are that BitLocker off seems to benefit my PCVR performance.
Might be the case mate but when I was getting ready to upgrade to Win11 I was informed from Microsoft that I needed to update my bios to TPM 2.0 which then told me I needed to use bitlocker. Maybe this was a Microsoft ploy or maybe just a requirement for the free win11 upgrade?
Win 10 Home Edition has something similar to Bitlocker called Device Encryption Support. I tried checking to see if it's enabled on my PC, thinking that might be needed before I finally get offered the Win 11 upgrade. Only it gave me the error message "Reasons for failed automatic device encryption: unallowed DMA capable bus/device(s) detected."
What does that even mean? How am I supposed to know what's needed to resolve that? I mean, from what I can find... it's looking like the issue is that I have RX 580 graphics cards. Assuming I am reading it right, the info I'm seeing is a "PCI bridge".
If you read the thread I linked to earlier on the Win 11 forums I think it pretty much says no it is not enabled by default. At least that is what I got out of it. Have never seen anything that would lead me to believe my files are encrypted.
@Anonymous Maybe try starting Windows in Safe Mode and see if you get a message telling you to enter a recovery code. Also, I think there are some command line things you can use to determine if encoding is on/off. Maybe google for these. Also, maybe something in Windows Device Manager under Security?
Edit: I just ran Microsoft PC Health Check and it now said that my PC was fine for Win11. When I ran it late last year it said I needed TPM/BitLocker. Maybe just having TPM and Secure Boot is all you need now. I've heard that Microsoft may even relax the TPM requirements for older PCs in the near future. Probably because very few users are upgrading to Win11.