
TechDirectArchive

How to correctly disable BitLocker on Windows Server

Posted on 14/11/2023, 10/04/2024 by Christian

In this article, I will show you how to disable BitLocker on Windows Server. BitLocker is a Windows security feature that enables encryption for entire volumes. It addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. BitLocker provides maximum protection when used with a Trusted Platform Module (TPM), which is a common hardware component installed on Windows devices. The TPM works with BitLocker to ensure that a device hasn’t been tampered with while the system is offline. Please see how to Disable BitLocker on Windows 10, and how to Change BitLocker Password in Windows.

Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the device’s hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, thereby rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled.

Note: When BitLocker is enabled on Windows Server, it can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer doesn’t start or resume from hibernation until the correct PIN or startup key is presented.

Why disable BitLocker?

Considering all the benefits above, why would a user want to disable BitLocker? There are quite a few reasons. One of them is a proof of concept (PoC) in a test environment, where you do not want to be prompted every now and then to enter a PIN or password to unlock the start-up process. Other reasons follow below.

Maintenance and Upgrades

BitLocker may need to be temporarily disabled during certain system updates or upgrades, especially those involving changes to the system’s boot process or disk configuration, such as UEFI/BIOS updates. On a Dell device, however, you do not need to disable BitLocker to apply these updates.

Device Troubleshooting

When hardware changes are made to the PC, such as upgrading or changing the motherboard, BitLocker may need to be disabled to avoid issues during the boot process. This also includes certain disk operations or changes, such as resizing partitions, which often require BitLocker to be turned off temporarily.

Also, see how to perform Backup of existing and new BitLocker Recovery Keys to Active Directory, and Fix no BitLocker Recovery tab in Active Directory.

Step 1: Disable BitLocker on Windows Server

To do this, right-click the volume and click on Manage BitLocker.

Click on Turn off BitLocker.

In the confirmation window, click on “Turn off BitLocker”.

As you can see, the volume is being decrypted.

You can check the status via PowerShell. Decryption can take a while, depending on the size of the volume, among other things.

We have successfully decrypted this drive.
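The PowerShell status check mentioned above can be turned into a small polling loop. This is an added example, not code from the original post; the function name `Wait-BitLockerDecryption`, the `C:` drive letter and the polling interval are assumptions.

```powershell
# Added example (not from the original post): poll decryption after "Turn off BitLocker".
# Assumes an elevated PowerShell session; 'C:' and the 30-second interval are placeholders.
function Wait-BitLockerDecryption {
    param(
        [string]$MountPoint = 'C:',
        [int]$PollSeconds = 30
    )
    $line = '{0}  {1}  {2}  {3}% encrypted  protection {4}'
    while ($true) {
        $vol = Get-BitLockerVolume -MountPoint $MountPoint

        # EncryptionPercentage counts down towards 0 while the volume decrypts.
        Write-Host ($line -f (Get-Date -Format 'HH:mm:ss'), $vol.MountPoint, $vol.VolumeStatus, $vol.EncryptionPercentage, $vol.ProtectionStatus)

        # Done: the volume no longer holds any encrypted data.
        if ($vol.VolumeStatus -eq 'FullyDecrypted') { return $vol }

        # Any state other than an active decryption means the job is not progressing,
        # for example because "Turn off BitLocker" was never confirmed.
        if ($vol.VolumeStatus -ne 'DecryptionInProgress') {
            throw "Volume $MountPoint is in state '$($vol.VolumeStatus)'; decryption is not running."
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Block until the volume is fully decrypted, then show its final state.
Wait-BitLockerDecryption -MountPoint 'C:' |
    Format-List MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```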

Because we have not removed the BitLocker features, it is still possible to enable BitLocker on Windows Server. I do not want this, so let’s remove them in the next step.

You may want to see how to Disable BitLocker: How to correctly disable MBAM-encrypted devices, and How to Create Hyper-V Virtual Switch.

Step 2: Remove the BitLocker feature via the Server Manager

Launch Server Manager if it has not launched automatically. Click on “Remove Roles and Features”.

On the Before you Begin page, click on Next.

I only have one server in my server pool, so I am fine.

Skip the Server Roles page, as we do not need to change anything there.

Uncheck BitLocker and Enhanced Storage

Ensure both of these features are removed.

Remove the features that require BitLocker. Click Remove when prompted.

Do the same for Enhanced Storage.

Now that both are unchecked, click on Continue.

Before removing the selected features, select the option to restart the destination server if required.

Click on Yes to confirm the restart.

Finally, click on Remove.

While the features are being removed, it is safe to close this wizard.

During the removal, your device will restart and the feature removal progress window (wizard) will be displayed. Click on Close.

The removal of the BitLocker features on Windows Server is now complete. You can no longer manage BitLocker unless you re-install the BitLocker features.
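The same feature removal can be scripted instead of clicking through the wizard. The following is an added example, not code from the original post; the function name `Remove-BitLockerFeatureSafely` is hypothetical, and the script assumes the `BitLocker` and `EnhancedStorage` feature names reported by `Get-WindowsFeature`. It refuses to run while any volume is still encrypted or decrypting.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell session.
# Remove-BitLockerFeatureSafely is a hypothetical helper name.
function Remove-BitLockerFeatureSafely {
    # Feature names as reported by Get-WindowsFeature.
    $featureNames = 'BitLocker', 'EnhancedStorage'

    # Guard: stop if any volume is still encrypted or still decrypting (Step 1 not finished).
    $notDecrypted = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
    if ($notDecrypted) {
        $notDecrypted | Format-Table MountPoint, VolumeStatus, EncryptionPercentage |
            Out-String | Write-Warning
        throw 'Finish decrypting these volumes before removing the BitLocker feature.'
    }

    # Only act on features that are actually installed on this server.
    $installed = Get-WindowsFeature -Name $featureNames | Where-Object { $_.Installed }
    if (-not $installed) {
        Write-Host 'BitLocker and Enhanced Storage are not installed; nothing to remove.'
        return
    }

    # Dry run: list what would be removed without changing anything.
    Uninstall-WindowsFeature -Name $installed.Name -IncludeManagementTools -WhatIf

    # Actual removal. -IncludeManagementTools also removes the matching management tools.
    # -Restart reboots the server automatically if the removal requires it,
    # the same choice as the restart option in the wizard.
    Uninstall-WindowsFeature -Name $installed.Name -IncludeManagementTools -Restart
}

Remove-BitLockerFeatureSafely | Format-List Success, RestartNeeded, ExitCode, FeatureResult
```

After the restart, `Get-WindowsFeature -Name BitLocker, EnhancedStorage` should report both features as not installed.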

FAQs on BitLocker

Can I generate multiple (different) startup keys for the same computer?

Generating different startup keys for the same computer can be done through scripting. However, for computers that have a TPM, creating different startup keys prevents BitLocker from using the TPM’s system integrity check.

Can I generate multiple PIN combinations?

Generating multiple PIN combinations can’t be done.

Where are the encryption keys stored?

The full volume encryption key is encrypted by the volume master key and stored in the encrypted drive. The volume master key is encrypted by the appropriate key protector and stored in the encrypted drive. If BitLocker has been suspended, the clear key that is used to encrypt the volume master key is also stored in the encrypted drive, along with the encrypted volume master key.

This storage process ensures that the volume master key is never stored unencrypted and is protected unless BitLocker is disabled. The keys are also saved to two additional locations on the drive for redundancy. The keys can be read and processed by the boot manager.

Can I save the startup key on multiple USB flash drives?

A computer’s startup key can be saved on multiple USB flash drives. Right-clicking a BitLocker-protected drive and selecting Manage BitLocker will provide the option to save the recovery keys on additional USB flash drives as needed.

What happens during the BIOS/UEFI update if BitLocker is not suspended?

If BitLocker is not suspended, the next time you reboot the system it will not recognize the BitLocker key. You will then be prompted to enter the recovery key to progress.

I hope you found this blog post helpful on how to disable BitLocker on Windows Server. If you have any questions, please let me know in the comment section.
