Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. In this guide, you will learn How to correctly disable MBAM-encrypted devices. Please see how to clear, enable or disable TPM in Windows via the BIOS or UEFI, how to enable Bitlocker Pre-Boot Authentication via the Group Policy, and BitLocker Drive Encryption architecture and implementation types on Windows.
MBAM / BitLocker Group Policy Templates enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies.
You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes.
Kindly refer to these related guides: How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines, how to uninstall your current version of MBAM and run setup again,
What is Microsoft Desktop Optimization Pack (MDOP)?
Microsoft Desktop Optimization Pack (MDOP) is a suite (portfolio) of technologies available to Software Assurance customers through an additional subscription.
The following components are included in the MDOP suite: Microsoft Application Virtualization (App-V), Microsoft User Experience Virtualization (UE-V), Microsoft Advanced Group Policy Management (AGPM), Microsoft Diagnostics & Recovery Toolset (DaRT), and Microsoft BitLocker Administration and Monitoring (MBAM).
These steps have been discussed in this guide previously, “How to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines“, but I decided to show you the difference between decrypting a BitLocker only protected device and a device encrypted with MBAM.
This is because the steps are part of disabling MBAM (BitLocker) encryption on these drives. As you can see below.
Disable Microsoft BitLocker Administration and Monitoring (MBAM) protected devices
To decrypt a device that is protected (encrypted) with Microsoft BitLocker Administration and Monitoring (MBAM), you will need to perform these vital steps. This is the same process to disable MBAM encrypted devices. But the differences (steps) are outlined here.
- Unlink (remove) the object from the MBAM policy in AD (That is, remove the object from the OU or security group).
- Uninstall MDOP MBAM Agent. Please see this guide “” on how this can be achived.
- Then you should run the GPO Switch
gpupdate /forceor have yourdevice restarted. You may want to see this guide: GPUpdate Switches: GPUpdate vs GPUpdate /force. - Launch Control Panel,
Navigate to System and Security and then click on BitLocker Drive Encryption. Click on disable BitLocker.
As you can see below, the Drive has been unencrypted.
Disable BitLocker on a Single Volume via PowerShell
Now let see how decryption works in PowerShell. This command disables BitLocker for the specified BitLocker volume. BitLocker begins decrypting data on C: immediately.
PS C:\> Disable-BitLocker -MountPoint "C:"Disable BitLocker for all volumes
This example disables BitLocker encryption for all volumes. The first command uses Get-BitLockerVolume to get all the BitLocker volumes for the current computer and store them in the $BLV variable.
The second command disables BitLocker encryption for all the BitLocker volumes stored in the $BLV variable. BitLocker begins decrypting data on the volume.
PS C:>$BLV = Get-BitLockerVolume
PS C:>Disable-BitLocker -MountPoint $BLVDisable BitLocker via the Command Prompt
You can execute a single command to quickly disable BitLocker in Windows 10. This will decrypt the drive and turn off BitLocker. All key protectors will be removed when decryption is complete. You may want to learn more about the manage-bde commands.
manage-bde -off C:MBAM takes BitLocker to the next level by simplifying deployment and key recovery, centralizing compliance monitoring and reporting, enforcing drives encryption, preventing simple PIN usage, supporting enhanced PINs, and also providing a grace period for encryption postponement, etc.
Please see the following comprehensive guide on how to enable Bitlocker Pre-Boot Authentication via the Group Policy, and BitLocker PIN bypass: How to configure Network Unlock.
I hope you found this blog post on how to correctly disable MBAM-encrypted devices helpful. If you have any questions, please let me know in the comment session.
