How to disable BitLocker via Group Policy
Reboot Restore and RollBack cannot be installed on a drive with BitLocker enabled. Here's how to disable BitLocker prior to deploying.
Step 1: Update the Group Policy (GPO)
First, you must ensure the policy is not actively forcing encryption or requiring specific protectors.
- Open the Group Policy Management Console (GPMC).
- Create a new GPO (e.g., "BitLocker Deactivation Policy") and link it to the target Organizational Unit (OU).
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives (and Operating System Drives).
- Set "Choose how BitLocker-protected drives can be recovered" to Disabled or Not Configured.
- Specifically, ensure any policy that says "Enforce drive encryption type" is set to Disabled.
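The following is an added example, not part of the original article, showing the scripted equivalent of Step 1 with the GroupPolicy module (RSAT) on a management host, followed by a check to run on an endpoint after gpupdate. The GPO name and OU distinguished name are placeholders. The two policies named above are configured in GPMC as the text describes; the endpoint function only lists whatever BitLocker policy values are present under the well-known BitLocker policy key (HKLM\SOFTWARE\Policies\Microsoft\FVE) so an administrator can confirm nothing enforcing encryption is still applied:

```powershell
# Management host part: create the GPO if missing and link it to the OU (safe to re-run).
Import-Module GroupPolicy   # RSAT: Group Policy Management Tools

$GpoName  = 'BitLocker Deactivation Policy'
$TargetOu = 'OU=Workstations,DC=example,DC=com'   # placeholder distinguished name

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Stops BitLocker enforcement before Reboot Restore / RollBack deployment'
}
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Endpoint part: run after 'gpupdate /force'. Returns every BitLocker policy value still
# applied to this machine; an empty result means no BitLocker policy is in effect.
function Get-BitLockerPolicyValues {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return @() }   # no BitLocker policy applied at all
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |   # drop PowerShell's own PSPath/PSParentPath noise
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } }
}

Get-BitLockerPolicyValues | Format-Table -AutoSize
```

Any value that remains after the new GPO has applied came from another GPO or a local policy with higher precedence; resolve that before pushing the decryption script, otherwise the endpoint may re-encrypt after the next policy refresh.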
Step 2: Push a Decryption Script
Group Policy defines the "law," but it doesn't execute the "action" of decrypting a drive. You will need to deploy a startup script or use a management tool (like Intune or SCCM) to run a PowerShell command.
The PowerShell Command:
You can deploy a script that checks for encryption and disables it (it must run elevated, e.g. as SYSTEM from a startup script):
# Volumes whose encryption is finished or still running are sent for decryption;
# volumes already decrypting or decrypted are left alone.
# Data volumes are processed first: Disable-BitLocker refuses an OS volume that still
# holds auto-unlock keys for data volumes, so those keys are cleared before the OS volume.
$BLV = Get-BitLockerVolume | Sort-Object { $_.VolumeType -eq 'OperatingSystem' }
foreach ($volume in $BLV) {
    if ($volume.VolumeStatus -in 'FullyEncrypted', 'EncryptionInProgress', 'EncryptionSuspended') {
        if ($volume.VolumeType -eq 'OperatingSystem') { Clear-BitLockerAutoUnlock -ErrorAction SilentlyContinue }
        Disable-BitLocker -MountPoint $volume.MountPoint
    }
}
Step 3: Monitoring the Progress
Decryption is a resource-heavy process that can take hours depending on drive size and speed (HDD vs. SSD). You can monitor the status across the network using the following command in your management console:
Command             | Purpose
--------------------|---------------------------------------------------------------------------
                    | Checks the percentage of decryption completed.
Get-BitLockerVolume | Provides a detailed object-oriented view of encryption status in PowerShell.
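As an added example that is not part of the original article, the script below polls decryption progress across a set of computers from a management host over WinRM and reports which machines are ready for the Reboot Restore / RollBack installer (every volume FullyDecrypted). The computer names are a constructed placeholder list; hosts that do not answer are reported separately rather than assumed decrypted:

```powershell
# Constructed sample list; replace with the target OU's members or an Intune/SCCM collection export.
$Computers = @('WS-001', 'WS-002', 'WS-003')

# One remote call per host; Invoke-Command tags each returned object with PSComputerName.
$results = Invoke-Command -ComputerName $Computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            PercentEncrypted = $_.EncryptionPercentage   # falls toward 0 as decryption proceeds
            KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

# A host is ready only when every volume reports FullyDecrypted; a single lingering
# data volume is enough to block the installer.
$summary = $results | Group-Object PSComputerName | ForEach-Object {
    [pscustomobject]@{
        Computer = $_.Name
        Ready    = -not ($_.Group | Where-Object VolumeStatus -ne 'FullyDecrypted')
        Detail   = ($_.Group | ForEach-Object { "$($_.MountPoint) $($_.VolumeStatus) $($_.PercentEncrypted)%" }) -join '; '
    }
}
$summary | Sort-Object Ready, Computer | Format-Table -AutoSize

# Hosts that returned nothing were offline or refused WinRM; they still need checking.
$Computers | Where-Object { $_ -notin $results.PSComputerName } |
    ForEach-Object { Write-Warning "No response from $_ (offline or WinRM disabled)" }
```

Run it periodically during the decryption window; a volume whose PercentEncrypted stops changing while VolumeStatus stays DecryptionInProgress usually points at a paused or interrupted decryption that needs a local Resume-BitLocker.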