How to correctly disable BitLocker on Windows Server

Posted on 14/11/2023 (10/04/2024) by Christian
In this article, I will show you how to disable BitLocker on Windows Server. BitLocker is a Windows security feature that enables encryption for entire volumes. It addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker provides maximum protection when used with a Trusted Platform Module (TPM), which is a common hardware component installed on Windows devices. The TPM works with BitLocker to ensure that a device hasn’t been tampered with while the system is offline. Please see how to Disable BitLocker on Windows 10, and how to Change BitLocker Password in Windows.

Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the device’s hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, thereby rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled.

Note: When BitLocker is enabled on Windows Server, it can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer doesn’t start or resume from hibernation until the correct PIN or startup key is presented.

Why disable BitLocker?

Considering all the pros above, why would a user want to disable BitLocker? There are quite a few reasons, and one of them is a PoC in a test environment, where you do not want to be prompted every now and then to enter a PIN or password to unlock the start-up process. Other reasons follow below.

Maintenance and Upgrades

BitLocker may need to be temporarily disabled during certain system updates or upgrades, especially those involving changes to the system’s boot process or disk configuration such as UEFI/BIOS updates. But on a DELL device, you do not need to disable BitLocker to apply these updates.

Device Troubleshooting

When hardware changes are made to the PC, such as upgrading or changing the motherboard, BitLocker may need to be disabled to avoid issues during the boot process. This also includes certain disk operations or changes, such as resizing partitions, which often require BitLocker to be turned off temporarily.

Also, see how to perform Backup of existing and new BitLocker Recovery Keys to Active Directory, and Fix no BitLocker Recovery tab in Active Directory.

Step 1: Disable BitLocker on Windows Server

To do this, right-click the volume and click Manage BitLocker.

Click on Turn off BitLocker as shown below.

In the confirmation window, click on “Turn off BitLocker”.

As you can see, the volume is being decrypted.

You can check the status via PowerShell. This process can take a while, depending on the size of the volume.

We have successfully decrypted BitLocker on this drive.
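
The PowerShell equivalent of Step 1, including the status check mentioned above. This is an added example, not part of the original article; it assumes an elevated session on a server with the BitLocker module installed, and `C:` is an assumed mount point.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
$MountPoint = 'C:'   # assumption: the volume to decrypt

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# List which protectors exist before decryption discards them.
# Only type and ID are shown, so no recovery password is written to the console.
$vol.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId | Format-Table

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Write-Host "$MountPoint is already fully decrypted."
} else {
    # Same effect as "Turn off BitLocker" in the GUI: starts decryption in the background
    Disable-BitLocker -MountPoint $MountPoint | Out-Null

    # Poll until the volume leaves the DecryptionInProgress state
    do {
        Start-Sleep -Seconds 30
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        Write-Host ("{0}  {1}  {2}% still encrypted" -f `
            (Get-Date -Format T), $vol.VolumeStatus, $vol.EncryptionPercentage)
    } while ($vol.VolumeStatus -eq 'DecryptionInProgress')
}

# Final state of every volume on the server; the data is in clear text
# only once VolumeStatus reports FullyDecrypted.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```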

Because we have not removed the BitLocker features, you still have the possibility to enable BitLocker on Windows Server. I do not want this. So let’s remove it in the next step.

You may want to see how to Disable BitLocker: How to correctly disable MBAM-encrypted devices, and How to Create Hyper-V Virtual Switch.

Part 2: Remove the BitLocker feature via the Server Manager

Launch Server Manager if it does not launch automatically. Click on “Remove Roles and Features”.

On the Before you Begin page, click on Next.

I only have one server in my server pool, so I am fine.

Skip through the server roles, as nothing needs to change there.

Uncheck BitLocker and Enhanced Storage

Ensure both of these features are removed.

Remove the features that require BitLocker. Click Remove when prompted.

Do the same for Enhanced Storage.

Now that both are unchecked, click on Continue.

Before removing the selected features, select the option to restart the destination server if required.

Click on Yes to confirm the restart.

Finally, click on Remove as shown below.

While the features are being removed, it is safe to close this wizard.

In between, your device will restart and the feature removal progress window (wizard) will be displayed. Click on Close.

The removal of the BitLocker features on Windows Server is now complete. You can no longer manage BitLocker unless you reinstall the BitLocker features.
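
The same feature removal from an elevated PowerShell session, with a guard that refuses to proceed while any volume is still encrypted or decrypting. This is an added example, not part of the original article; it uses the `BitLocker` and `EnhancedStorage` feature names and assumes it runs locally on the server.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article.
$features = 'BitLocker', 'EnhancedStorage'

# Guard: removing the feature while a volume is encrypted leaves data
# that can no longer be managed from this server.
$pending = Get-BitLockerVolume | Where-Object VolumeStatus -ne 'FullyDecrypted'
if ($pending) {
    $pending | Select-Object MountPoint, VolumeStatus, EncryptionPercentage | Format-Table
    throw 'Decrypt all volumes (Step 1) before removing the BitLocker feature.'
}

# Current install state of both features
Get-WindowsFeature -Name $features | Select-Object Name, DisplayName, InstallState

# Dry run: shows what would be removed without changing anything
Uninstall-WindowsFeature -Name $features -IncludeManagementTools -WhatIf

# Actual removal; -IncludeManagementTools also removes the dependent admin tools
$result = Uninstall-WindowsFeature -Name $features -IncludeManagementTools
$result | Select-Object Success, RestartNeeded, ExitCode

# Restart only if the removal reports that one is needed, and ask first
if ($result.RestartNeeded -eq 'Yes') {
    Restart-Computer -Confirm
}
```

After the restart, `Get-WindowsFeature -Name BitLocker, EnhancedStorage` should report both as `Available` rather than `Installed`; the BitLocker cmdlets themselves are no longer present at that point.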

FAQs on BitLocker

Can I generate multiple (different) startup keys for the same computer?

Generating different startup keys for the same computer can be done through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM’s system integrity check.

Can I generate multiple PIN combinations?

Generating multiple PIN combinations can’t be done.

Where are the encryption keys stored?

The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.

This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.

Can I save the startup key on multiple USB flash drives?

A computer’s startup key can be saved on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting Manage BitLocker will provide the option to save the recovery keys on additional USB flash drives as needed.

What happens during the BIOS/UEFI update if BitLocker is not suspended?

If BitLocker is not suspended, the next time you reboot the system it will not recognize the BitLocker key. You will then be prompted to enter the recovery key to progress.
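
Suspending protection for a single reboot keeps the data encrypted while avoiding the recovery prompt described above. The following is an added example, not part of the original article; the two function names are hypothetical helpers, and the system drive is assumed to be the protected volume.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Function names are hypothetical.

function Suspend-ProtectionForUpdate {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint protection is $($vol.ProtectionStatus); nothing to suspend."
        return $vol
    }
    # RebootCount 1: protection resumes automatically after the next restart
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

function Confirm-ProtectionResumed {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Still encrypted but unprotected means the suspension never ended: resume it
    if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -eq 'Off') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $vol
}

# Before the BIOS/UEFI update: VolumeStatus stays FullyEncrypted, ProtectionStatus turns Off
Suspend-ProtectionForUpdate | Select-Object MountPoint, VolumeStatus, ProtectionStatus

# After the update and reboot, run:
# Confirm-ProtectionResumed | Select-Object MountPoint, VolumeStatus, ProtectionStatus
```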

I hope you found this blog post helpful on how to disable BitLocker on Windows Server. If you have any questions, please let me know in the comment section.