6000012a – GUI instructions to disable Bitlocker

Topic

New Reply

[Susan Bradley]

Windows 10/11 Professional

Open the Start menu and type “manage BitLocker.”

Open the “Manage BitLocker” option and expand the drive you want to decrypt.

Click “Turn off BitLocker.”

For Windows 11 Home do the following:

To disable BitLocker on “Windows 11 Home,” open Settings > Privacy & Security > Device Encryption, and slide the “Device Encryption” toggle switch.

Slide the toggle button to off.

For Windows 10 Home check if Drive encryption is supported:

To see if you can use Windows device encryption
In the search box on the taskbar, type System Information, right-click System Information in the list of results, then select Run as administrator. Or you can select the Start button, and then under Windows Administrative Tools, select System Information.

At the bottom of the System Information window, find Device Encryption Support. If the value says Meets prerequisites, then device encryption is available on your device.

To turn off Windows device encryption
Sign in to Windows with an administrator account.

Select the Start button, then select Settings > Update & Security > Device encryption. If Device encryption doesn’t appear, it isn’t available.

If device encryption is turned on, select Turn off.

Susan Bradley Patch Lady/Prudent patcher

• This topic was modified 10 months ago by Susan Bradley.
• This topic was modified 10 months ago by Susan Bradley.
• This topic was modified 10 months ago by Susan Bradley.

4 users thanked author for this post.

paulyboi, lorenzok1, Phthorgwurt, Geo

Reply | Quote

Replies

A bit confusing:

Susan Bradley wrote:

To disable BitLocker … turn on the “Device Encryption” toggle switch.
…
Slide the toggle button to off.

1 user thanked author for this post.

Bob99

Reply | Quote

Susan Bradley wrote:

For Windows 11 Home do the following: To disable BitLocker on “Windows 11 Home,”…

Great, but what about those running Windows 10 Home, do they follow the steps described for Windows 11 Home, or the instructions under “Windows 10/11 Professional“?

Reply | Quote

Usually Windows 10 Home doesn’t run Bitlocker.
To check type ‘Bitlocker’ in search and select ‘Manage Bitlocker’

Reply | Quote

I’ll get a screen shot.  I don’t see it as often on Windows 10 home.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

Bob99

Reply | Quote

I’ve turned Device encryption off.  Once I install this latest update, if I turn Device encryption back on, will I be prompted for a BitLocker key?  If so, will the prompt be at the point that I turn it back on, or will it be when I reboot?

Reply | Quote

funhitman wrote:

Once I install this latest update, if I turn Device encryption back on, will I be prompted for a BitLocker key?

No; but if you turn it off and on again the disk will be unencrypted and then re-encrypted (taking some time for both operations).

You can instead suspend Bitlocker during updates (which does not unencrypt/re-encrypt):

Suspend keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the Suspend option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.

Suspend or Resume BitLocker Protection for Drive in Windows 11 [ElevenForum Tutorial]

1 user thanked author for this post.

funhitman

Reply | Quote

I’m glad I read these questions and answers because I was about to disable Bit Locker in Windows 11 Home Edition but then I got a message that it would take a while to unencrypt the data so I didn’t.  Accordidng to this response I should be able to just suspend Bit Locker and then at some point in the future I can just reset it to “on”.  I assume I will have to expect a decent wait time (how long?) for it to encrypt anything that has been added since I turned it off.

Marti

Reply | Quote

OK – here’s what it looks like when I open Manage Bitlocker:

So that means it is OK to install the July updates and it won’t cause any issues if it was never activated?

Thanks!

LH

Reply | Quote

Bitlocker is suspended but apparently was never activated. In this case, the key to decrypt the volume isn’t secure. Prior to any updates, you should proceed with turning Bitlocker on so that the activation process can first decrypt the drive, then allow backup of the secure recovery key, and finally encrypt the drive.

Once Bitlocker is on and the secure recovery key backed up, you can either turn Bitlocker off if you don’t need protection or decide whether or not to suspend Bitlocker protection before updates. If you do choose to suspend protection, don’t forget to subsequently resume protection.

1 user thanked author for this post.

LHiggins

Reply | Quote

[LHiggins]

anonymous wrote:

Bitlocker is suspended but apparently was never activated. In this case, the key to decrypt the volume isn’t secure. Prior to any updates, you should proceed with turning Bitlocker on so that the activation process can first decrypt the drive, then allow backup of the secure recovery key, and finally encrypt the drive.

Thanks, but I guess I don’t understand. If I don’t want/need Bitlocker or encryption, why would I need to activate it and then later turn it off? If it was never activated, why should I do it now?

I have a Thinkpad running Win 10 Pro, if that makes any difference.

Thanks again!

ETA: In my Settings>Device Encryption, it shows this:

I don’t have a Microsoft Account, and not sure why it says Turn Off when it isn’t turned on.

• This reply was modified 9 months, 3 weeks ago by LHiggins. Reason: added info

Reply | Quote

See #2692446.

Reply | Quote

Bitlocker is suspended but not disabled. In addition, the key to decrypt the suspended protection isn’t secure until you complete the activation. I realize it doesn’t sound intuitive but, in its present state, activation can only be completed by resuming Bitlocker so that a secure key can be generated and backed up.

Once you turn on Bitlocker, choose the option to let Bitlocker automatically unlock the drive. Then, choose one of the options offered for backing up the recovery key. Once the key is backed up, you should be able to leave Bitlocker off since you “don’t want/need Bitlocker.

Reply | Quote

Further to my last reply, I missed the screenshot you provided. If you don’t want Device Encryption (Bitlocker), just click Turn off.” Keep in mind that the drive will be decrypted and that could take some time.

Reply | Quote

Running Win 10 home on 3 desktops and two laptops so I have to check all. Main one I use daily I just checked under systems settings and got this:

“device encryption support: elevation required to view”

Then under Device and Security – Device Encryption I took this screen shot

 

"An analog kid in a digital world"

Win7 Ultimate home built desktop Running 0patch Pro

Two former 8.1 Laptops & two desktops now running Win 10

Win 10 Dell desktop

Reply | Quote

Click “Update info”.

Reply | Quote

(I assume that was in response to my post) I clicked Update Info and it says

 

"An analog kid in a digital world"

Win7 Ultimate home built desktop Running 0patch Pro

Two former 8.1 Laptops & two desktops now running Win 10

Win 10 Dell desktop

Reply | Quote

Click “Verify”.

Reply | Quote

In order to check under System Information, you must choose to run it as an Administrator even when logged in as an Admin. That is why it tells you “elevation required to view.”

Also, apparently you need to address a MS Account issue. It looks like you can turn off Device Encryption though if that’s what you are looking to do.

1 user thanked author for this post.

analogkid

Reply | Quote

When I clicked to turn it encryption off this came up, figured it was best to get some advice before I “mess” something up

"An analog kid in a digital world"

Win7 Ultimate home built desktop Running 0patch Pro

Two former 8.1 Laptops & two desktops now running Win 10

Win 10 Dell desktop

Reply | Quote

All it is telling you is that Device Encryption will be off and that it MAY take some time to complete since it must decrypt the drive. If you want to turn off Device Encryption, then do so when you have time to let it complete.

1 user thanked author for this post.

analogkid

Reply | Quote

I’m still trying to get my arms around the “Bitlocker vs Encryption” thing. I am running Win 10 Home, 22H2. I don’t remember turning drive encryption on, but when I checked, it was on. I did turn it off, and it has finished de-encrypting. I checked my Microsoft account for a Bitlocker key, but the account said there was none. Is that because encryption does not require a key? If so, during an update, I presumably wont be asked for a key?

Thanks for your help. I appreciate Analog Kid’s signature. I think I’m more like a stone age tablet cutter in a digital world.

1 user thanked author for this post.

analogkid

Reply | Quote

Did anyone else set your computer up for you?

Susan Bradley Patch Lady/Prudent patcher

Reply | Quote

Windows 11 Home,  23H2, no “Device Encryption” control in Privacy and Securty.

Reply | Quote

Are you logged in as an administrator?

Reply | Quote

rrufener wrote:

I’m still trying to get my arms around the “Bitlocker vs Encryption” thing. I am running Win 10 Home, 22H2. I don’t remember turning drive encryption on, but when I checked, it was on. I did turn it off, and it has finished de-encrypting. I checked my Microsoft account for a Bitlocker key, but the account said there was none. Is that because encryption does not require a key? If so, during an update, I presumably wont be asked for a key?

Thanks for your help. I appreciate Analog Kid’s signature. I think I’m more like a stone age tablet cutter in a digital world.

This is an excellent question. I never thought about Bitlocker vs Encryption.

I’m going to go ahead and turn off encryption now, fingers crossed

 

"An analog kid in a digital world"

Win7 Ultimate home built desktop Running 0patch Pro

Two former 8.1 Laptops & two desktops now running Win 10

Win 10 Dell desktop

Reply | Quote

rrufener wrote:

I’m still trying to get my arms around the “Bitlocker vs Encryption” thing

https://windowsreport.com/device-encryption-vs-bitlocker-windows-11/

1 user thanked author for this post.

rrufener

Reply | Quote

Alex5723 wrote:

rrufener wrote:

I’m still trying to get my arms around the “Bitlocker vs Encryption” thing

https://windowsreport.com/device-encryption-vs-bitlocker-windows-11/

It looks like device encryption is still going to need a key, which I don’t have…but I really don’t need or really want encryption.

Reply | Quote

Every encryption method need a key.

1 user thanked author for this post.

rrufener

Reply | Quote

Alex5723 wrote:

Every encryption method need a key.

That makes sense, but where would I find the key? MS says it’s not in my account there.

Reply | Quote

Susan Bradley wrote:

Did anyone else set your computer up for you?

I bought it from Dell. No one else has touched it. I may have turned on some security setting that started encryption, but I don’t remember doing it. I have no record of a key.

Reply | Quote

Dell has been activating Device Encryption automatically on new PCs for several years now. That’s why you found yours encrypted, even you did not do so yourself.

1 user thanked author for this post.

rrufener

Reply | Quote

PKCano wrote:

Dell has been activating Device Encryption automatically on new PCs for several years now. That’s why you found yours encrypted, even you did not do so yourself.

Thanks for the info. Any idea on how/where to find the key? Maybe it’s my CDO (that is OCD so bad that the letters have to be in alphabetical order), I probably will not encrypt the drive in the future, but would like to have the key anyway, if there is one. Perhaps I get a new key if I decide to encrypt?

Reply | Quote

There is no key when encryption is turned OFF.
If you turn it ON, then you need to locate the key on an MS account if you have logged in with the MS ID to “Finish setting up Bitlocker” OR on the Local Device in plain text if the Device Encription has not been associated with an MS account setting up as Bitlocker.

1 user thanked author for this post.

rrufener

Reply | Quote

PKCano wrote:

There is no key when encryption is turned OFF.
If you turn it ON, then you need to locate the key on an MS account if you have logged in with the MS ID to “Finish setting up Bitlocker” OR on the Local Device in plain text if the Device Encription has not been associated with an MS account setting up as Bitlocker.

I checked my MS account before turning off encryption- it reported no key had been registered. If Dell did it, where would the key be? You mentioned the key would be “in plain text if the Device Encription has not been associated with an MS account setting up as Bitlocker”. Where would I find that?

Thanks again for your help.

Reply | Quote

There is NO key (1) if Bitlocker has not finished setting up with an MS ID and turned ON, and (2) Device Encryption has been turned OFF.
When Dell set up Device Encryption up automatically, the key was stored locally on the PC. When you turned OFF Device Encryption, there is no longer a key. If you turn ON Device Encryption again, be sure to record the key created. If you “finish setting up” encryption by associating it with an MD ID online (as Bitlocker), you need to access the key on the MS account.

3 users thanked author for this post.

Bob99, analogkid, rrufener

Reply | Quote

PKCano wrote:

There is NO key (1) if Bitlocker has not finished setting up with an MS ID and turned ON, and (2) Device Encryption has been turned OFF.
…
If you “finish setting up” encryption by associating it with an MD ID online (as Bitlocker), you need to access the key on the MS account.

Bitlocker doesn’t require a Microsoft account, but automatic Device Encryption does.

Reply | Quote

b wrote:

Bitlocker doesn’t require a Microsoft account, but automatic Device Encryption does.

???
“Finish setting up Bitlocker” requires logging in with an MS ID.
Device Encryption turned on by OEMs on a new PC does not require a MS ID. The encryption is present on a new PC with a Local ID (and according to the posts here, without the User’s knowledge)

Reply | Quote

PKCano wrote:

“Finish setting up Bitlocker” requires logging in with an MS ID.

That’s for Automatic Device Encryption. There’s no intermediate step for Bitlocker Drive Encryption.

PKCano wrote:

Device Encryption turned on by OEMs on a new PC does not require a MS ID. The encryption is present on a new PC with a Local ID (and according to the posts here, without the User’s knowledge)

!Note

BitLocker automatic device encryption starts during Out-of-box (OOBE) experience. However, protection is enabled (armed) only after users sign in with a Microsoft Account or an Azure Active Directory account. Until that, protection is suspended and data is not protected. BitLocker automatic device encryption is not enabled with local accounts, in which case BitLocker can be manually enabled using the BitLocker Control Panel.

BitLocker automatic device encryption [for OEMs]

Reply | Quote

1 user thanked author for this post.

LHiggins

Reply | Quote

PKCano wrote:

I don’t understand the significance of that screenshot, as it confirms what I just posted.

I guess you’re making a point about “encryption is present on a new PC with a Local ID” as distinct from being activated/protected and requiring a recovery key.

This is true:

b wrote:

Bitlocker doesn’t require a Microsoft account, but automatic Device Encryption does.

But this is not:

PKCano wrote:

Device Encryption turned on by OEMs on a new PC does not require a MS ID.

Reply | Quote

b wrote:

But this is not:
PKCano wrote: Device Encryption turned on by OEMs on a new PC does not require a MS ID.

THIS is true:
More than once, I have created a Local ID on a new PC that had Device Encryption automatically turned on by the OEM (NOT turned on by by me. NO MS ID created). The device IS encrypted. (I have clicked “Turn off” and watched the decryption process proceed.)

If I do NOT “Turn off” Device Encryption (or I didn’t know it is encrypted as many here have said they do not), Device Encryption remains. There is NO MS ID required/involved. I have read the procedure (not quoted here) for finding the key that is stored in plain text on the Local PC. If I do not look for and find (or know to do so) the key, I do not have the key.
If I DO “Turn off” Device Encryption in this case, there is no longer a key.

I cannot speak for “finishing the encryption” by logging in and associating the key with a MS ID because I have never done it for myself.
And I have NEVER left Device Encryption activated on ANY (new or otherwise) PC, with a Local ID only, I have set up/worked on for an average, unknowing User.
And I have NEVER had to create an MS ID to finish setting up the encryption, just to turn around and turn off the encryption that was never wanted in the first place.

You cannot say this is not my experience, no matter how much you try.

 

Reply | Quote

And I have NEVER had to create an MS ID to finish setting up the encryption, just to turn around and turn off the encryption that was never wanted in the first place.

In the cases you reference, is it possible they were all Pro versions?

I believe the confusion that MS has created between encryption for Home and Pro versions leads to concern among many users that, it might be better to have a key backup and not need it than to need it but not have it, regardless of their version and ultimate Encryption preference.

Especially for Home versions, the only choice for “finishing the encryption,” when required, is to “Turn on BitLocker” and then choose either “Turn off” or “Sign In” with a MS account. The latter is so the resulting secure recovery key can be backed up.

Reply | Quote

I have seen Device Encryption turned on automatically by OEMs on both Home and Pro Editions.
Most of the average Users that buy their PC’s from brick and mortar stores get Home Editions by default. That’s what’s on the shelf. But it even goes for many of them that order from the OEM and don’t really know what to look for.

I do not want an MS ID, all my PCs are Local IDs only. It is a question I always ask of the User when I set up a new PC. But I have never had to create an MS ID because the PC was had OEM Device Encryption turned on, just to turn around and turn off the the encryption.
Just click the “Turn off” encryption button.

1 user thanked author for this post.

analogkid

Reply | Quote

PKCano wrote:

More than once, I have created a Local ID on a new PC that had Device Encryption automatically turned on by the OEM (NOT turned on by by me. NO MS ID created). The device IS encrypted. (I have clicked “Turn off” and watched the decryption process proceed.)

Encrypted, but not activated/protected:

b wrote:

“encryption is present on a new PC with a Local ID” as distinct from being activated/protected and requiring a recovery key.

PKCano wrote:

If I do NOT “Turn off” Device Encryption (or I didn’t know it is encrypted as many here have said they do not), Device Encryption remains. There is NO MS ID required/involved.

Encrypted, but not activated/protected without an MS account.

PKCano wrote:

And I have NEVER left Device Encryption activated on ANY (new or otherwise) PC, with a Local ID only,

It’s not possible to do so; it was never activated because a Microsoft account was never used for Windows sign-in:

Reply | Quote

PKCano wrote:

You cannot say this is not my experience, no matter how much you try.

Reply | Quote

I don’t disagree with your experience, only your interpretation of it.

But you’ve never actually used Device Encryption or Bitlocker and I’ve used both extensively.

Neither of us are helped by Microsoft’s terminology (sometimes Device Encryption is called Bitlocker, but mostly it’s not).

Reply | Quote

PKCano wrote:

There is NO key (1) if Bitlocker has not finished setting up with an MS ID and turned ON, and (2) Device Encryption has been turned OFF.
When Dell set up Device Encryption up automatically, the key was stored locally on the PC. When you turned OFF Device Encryption, there is no longer a key. If you turn ON Device Encryption again, be sure to record the key created. If you “finish setting up” encryption by associating it with an MD ID online (as Bitlocker), you need to access the key on the MS account.

Got it. Thanks again.

Reply | Quote

I checked all five PC’s, only the newest one, a Dell about 5 years old, had encryption turned on. I turned shut it off and it took about 8 hours to “decrypt” my files.

One PC, a very old Dell I bought off ebay many years ago installed Win 10 Pro when I switched from Win 8.1 so Bitlocker was there but not turned on.

On those three PC’s there was no encryption option.

I checked their System Info and it  says :Device Encryption:Reasons For Failed Automatic Device Encryption: TPM not usable, PCR7 binding is not supported, Hardware Security Test Interface failed and device is not Modern Standby, Un-allowed DMA capable bus/device detected, Disabled by policy, TPM is not usable.

On those three PC’s there was no encryption option

"An analog kid in a digital world"

Win7 Ultimate home built desktop Running 0patch Pro

Two former 8.1 Laptops & two desktops now running Win 10

Win 10 Dell desktop

2 users thanked author for this post.

jburk07, SauceMan64

Reply | Quote

We have 2 laptops and 1 desktop.  1 laptop is Windows 11 Home; the others are Windows 10.  I’m looking at the win11 laptop to start with.  It is an ROG by ASUS.  I searched the start menu for BitLocker, Manage BitLocker, encryption, drive encryption and all I get are web links–nothing on the computer.  I looked at the referenced URL (https://windowsreport.com/device-encryption-vs-bitlocker-windows-11/) and compared my laptop’s Privacy & Security screen to those in the web article…my win11 laptop only shows two entries under “Security” (Windows Security and Find My Device).  The next level on that screen is “Windows Permissions”.  When I open Device Security, it says “secure boot is on” and “your security processor, called the trusted platform module (TPM), is providing additional encryption for your device.”  But I cannot find any way to turn on or off encryption or BitLocker.

Reply | Quote

Open “System Information” with elevated privileges and scroll to the bottom. What value is given for Device Encryption?

Reply | Quote

Sorry if this is already answered.

We have three Win 10 Pro 64-bit machines that we activated locally WITHOUT a MS account.  (I vaguely recall that maybe BitLocker is on as originally set by Dell but never actually activated or used to encrypt the disk.)

In any case, without a MS Account for these machines, where would I find the recovery key (if it exists)?  I want to make a copy right away.  Just in case.

And in case I have Device Encryption, where would I find THAT key?

Also, if each PC has two users, is there only one key for the PC or a key for each user?

Thanks.

Reply | Quote

Try Control Panel\Bitlocker Drive Encryption

1 user thanked author for this post.

jburk07

Reply | Quote

PK – Thanks.  And in case I have Device Encryption, where would I find THAT key?

Reply | Quote

Mine is turned off, so there is no key. But there should be a link to find the key if encryption is turned on. It’s supposed to be in plain text, but I don’t have the exact info in front of on the Mac I’m on.

Reply | Quote

glnz wrote:

Also, if each PC has two users, is there only one key for the PC or a key for each user?

Only one. If you ever need a recovery key, it’s requested after boot but before Windows startup/sign-in; so it applies to everyone.

1 user thanked author for this post.

jburk07

Reply | Quote

Well – looks like I turned off Bitlocker when we first got these PCs two years ago.  I knew I didn’t want it in the first place and was really annoyed that Dell shipped them with BL on, and so I must have done the right thing when I set them up for my wife’s small office and her then three staffers.

Whew!

It is entirely MS’s fault that the settings are so complicated.  I hope those with local accounts who got locked our of their PCs due to this update get together and SUE THEM.

It is hard to tell, but one one of the PCs that I checked today, Device Encryption might be some type of option, but it seems that also was turned off.  Will double-check next weekend.

Reply | Quote

HP desktop, Win11 Pro, Local ID only, Bitlocker turned OFF.
To verify, in an elevated Command Prompt, run

manage-bde -status

See screenshot for results – also includes connected drives (my backup drive and a USB flash drive)

1 user thanked author for this post.

jburk07

Reply | Quote

ok, maybe I’m not very bright but it seems like this thread is going in circles. I have a Dell laptop with two HD’s. I ran the command

manage-bde -status

and my result was:

Volume D: [DATA]
[Data Volume]

Size: 931.39 GB
BitLocker Version: 2.0
Conversion Status: Used Space Only Encrypted
Percentage Encrypted: 100.0%
Encryption Method: XTS-AES 128
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: Unknown
Automatic Unlock: Disabled
Key Protectors: None Found

Volume C: [OS]
[OS Volume]

Size: 103.71 GB
BitLocker Version: None
Conversion Status: Fully Decrypted
Percentage Encrypted: 0.0%
Encryption Method: None
Protection Status: Protection Off
Lock Status: Unlocked
Identification Field: None
Key Protectors: None Found

The bit locker control panel says that the drive D is waiting for activation. I don’t need drive D to be encrypted, so how do I turn it off forever?

Reply | Quote

Settings, Privacy & Security, Device Encryption, Off

Reply | Quote

turbo930-44 wrote:

The bit locker control panel says that the drive D is waiting for activation.

This seems very clear, but I haven’t actually had to apply the steps yet so I have no hands on experience.

https://www.diskpart.com/articles/bitlocker-waiting-for-activation-how-to-turn-off-1796-gc.html

Desktop mobo Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.

Reply | Quote

Thank you, that worked. There is so much info available on the net, I have a hard time wording a search to get to what i am looking for.

 

1 user thanked author for this post.

TechTango

Reply | Quote