
Disable BitLocker on Current Devices Using Intune


Before diving into the details, let me clarify: I do not recommend disabling BitLocker or operating with unencrypted drives in a production environment. BitLocker is valuable and should be maintained. However, there are instances where clients have specific requirements that we must accommodate. They may be transitioning to a different encryption solution or wish to re-encrypt their devices with a stronger method. Regardless of the scenario, this blog provides a step-by-step guide on using a script and Win32 application to disable BitLocker on your devices.

The script is quite straightforward and can be found on GitHub. For this particular client, we focused exclusively on system drives. If you also need to manage data disks, adjustments are necessary to account for additional drives. Initially, the script checks the encryption status of the drive. If it indicates that the disk is fully encrypted, BitLocker will be disabled. The script continues to execute and loops every 15 seconds to monitor the decryption status. This is essential to prevent the detection script from running before the decryption is finished. If you execute this manually, you’ll also view the ongoing percentage as output. In case the system is rebooted during the decryption process, it will resume from where it stopped after rebooting.

# Check the system drive; only decrypt when it is currently fully encrypted
$DriveStatus = Get-BitlockerVolume -MountPoint C:
If ($DriveStatus.VolumeStatus -eq "FullyEncrypted") {
    Write-Host "C Volume is fully encrypted. Disabling bitlocker and decrypting volume"
    Try {
        Disable-Bitlocker -MountPoint "C:"
    }
    Catch {
        Write-Host -ForegroundColor Red $_
        Write-Host "There was an issue disabling bitlocker"
    }
}

# Poll every 15 seconds until the volume reports FullyDecrypted, so the
# detection script does not run while decryption is still in progress
$Loop = $true
while ($Loop) {
    $DecryptStatus     = Get-BitlockerVolume -MountPoint C: | Select -ExpandProperty VolumeStatus
    $DecryptPercentage = Get-BitlockerVolume -MountPoint C: | Select -ExpandProperty EncryptionPercentage
    if ($DecryptStatus -eq "FullyDecrypted") {
        Write-Host -ForegroundColor Green "Volume has been fully decrypted"
        $Loop = $false
    }
    Else {
        Write-Host "Waiting for decryption. Current encryption percentage is $DecryptPercentage"
        Start-Sleep -Seconds 15
    }
}
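The script above covers the system drive only, and the post notes that data disks need adjustments. The following is an added example, not the post's script and not from its GitHub repository, that generalizes it: it decrypts every BitLocker-protected fixed volume, handles data volumes before the operating system volume (BitLocker refuses to decrypt the OS volume while it still holds auto-unlock keys for data volumes), bounds the wait with a timeout so a stuck decryption fails the Win32 install instead of hanging it, and returns exit codes Intune understands (0 success, 1 failure). The log path, the timeout value and the Write-Log helper are assumptions chosen for this example.

```powershell
# Added example (not the post's script): decrypt all BitLocker-protected fixed volumes,
# data volumes first, then the OS volume, with a bounded wait and Intune-friendly exit codes.
# Assumptions: runs as SYSTEM through the Intune Management Extension, the BitLocker
# PowerShell module is present; $LogPath and $TimeoutMinutes are constructed values.

$LogPath        = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs\DisableBitLocker.log"
$TimeoutMinutes = 180   # give up and report failure after this long
$PollSeconds    = 15    # same polling interval as the post's script

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Write-Host $line
    Add-Content -Path $LogPath -Value $line
}

# Every volume that is not already fully decrypted (FullyEncrypted, EncryptionInProgress, ...)
$Volumes = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne "FullyDecrypted" }

if (-not $Volumes) {
    Write-Log "No encrypted volumes found; nothing to do."
    exit 0
}

# Order matters: data volumes first, because the OS volume cannot be decrypted while
# it still stores auto-unlock keys for data volumes.
$Ordered = @($Volumes | Where-Object { $_.VolumeType -eq "Data" }) +
           @($Volumes | Where-Object { $_.VolumeType -eq "OperatingSystem" })

foreach ($vol in $Ordered) {
    try {
        Write-Log "Disabling BitLocker on $($vol.MountPoint) (status: $($vol.VolumeStatus))"
        Disable-BitLocker -MountPoint $vol.MountPoint -ErrorAction Stop | Out-Null
    }
    catch {
        # A locked data volume or a pending auto-unlock binding lands here
        Write-Log "Failed to disable BitLocker on $($vol.MountPoint): $_"
        exit 1
    }
}

# Wait for decryption to finish on all volumes, but never forever
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while ($true) {
    $pending = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne "FullyDecrypted" }
    if (-not $pending) {
        Write-Log "All volumes fully decrypted."
        exit 0
    }
    if ((Get-Date) -gt $deadline) {
        Write-Log "Timed out waiting for decryption; still pending: $($pending.MountPoint -join ', ')"
        exit 1
    }
    foreach ($p in $pending) {
        Write-Log "Waiting on $($p.MountPoint): $($p.VolumeStatus), $($p.EncryptionPercentage)% encrypted"
    }
    Start-Sleep -Seconds $PollSeconds
}
```

Because decryption survives a reboot, a non-zero exit from the timeout only marks the Win32 install as failed in Intune; the device keeps decrypting, and the next detection run reports the true state. Keep the timeout generous for large or slow disks, since a Win32 install script that exits early is retried by Intune rather than resumed.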

Here’s an example of how to manually run the script, allowing you to visualize its background processes:

For the detection script, we are simply verifying if the C volume is encrypted:

# Detection: exit 1 (not detected) while C: is still fully encrypted,
# exit 0 with output (detected) once it is not
$DriveStatus = Get-BitlockerVolume -MountPoint C:
If ($DriveStatus.VolumeStatus -eq "FullyEncrypted") {
    Write-Output "C Volume is fully encrypted"
    exit 1
}
Else {
    Write-Output "Detected. Volume is not encrypted"
    Exit 0
}
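If the installation script is widened to all volumes, the detection script has to check the same scope, otherwise Intune reports success while a data disk is still encrypted. The following is an added example of that detection script, not the post's own; it keeps the same Intune contract (exit 0 plus output on STDOUT means detected, anything else means not detected) and treats a volume that is mid-decryption as not yet detected.

```powershell
# Added example (not the post's script): detection for the all-volumes case.
# Intune only reads "detected" when the script exits 0 AND writes to STDOUT.
$Remaining = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne "FullyDecrypted" }

if ($Remaining) {
    # Not detected: at least one volume is still encrypted or still decrypting
    Write-Output "Still encrypted: $($Remaining.MountPoint -join ', ')"
    exit 1
}
else {
    Write-Output "Detected. No BitLocker-protected volumes remain"
    exit 0
}
```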

The Win32 application should be created like any other, using the decryption script as the installation file. Afterwards, deploy it to your target groups.


Updated on June 22, 2025