
BitLocker locking many Domain computers

Jose Velez 0 Reputation points
2026-04-30T16:34:12.1233333+00:00

Due to a recent Windows update, many computers in our school domain are getting locked by BitLocker.

This requires me to enter the 48-digit recovery key on every computer with the issue.

Given the fact that we don't need BitLocker activated on our computers, is it OK to turn it off on all computers?

Windows for business | Windows Client for IT Pros | User experience | Other

2 answers

  1. Harry Phan 19,975 Reputation points Independent Advisor
    2026-05-01T01:16:58.33+00:00

    Hi Jose,

    Yes, you can disable BitLocker across your domain if your security posture does not require it. BitLocker is not mandatory for Windows to function, and if recovery keys are becoming an operational burden, turning it off is a valid option. The proper way to do this is through Group Policy or Intune by setting Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Control use of BitLocker on removable drives/operating system drives/fixed data drives to “Disabled.” This prevents BitLocker from being automatically enabled after future updates. For machines already encrypted, you’ll need to run manage-bde -off C: to decrypt the drive, which can take time depending on disk size. Make sure you confirm that no compliance requirements mandate encryption before disabling it, as removing BitLocker reduces protection against data theft in case of lost or stolen devices. If your environment does not need that layer of security, disabling it centrally is the cleanest solution.

    If the above response helps answer your question, please hit "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    Harry.


  2. AI answer

    2026-04-30T16:34:31.7733333+00:00

    Turning off BitLocker on all domain computers is technically possible but has important security and operational implications.

    Key points from the provided information:

    1. Why the devices are locking
    • BitLocker enters recovery mode when it detects changes it interprets as possible attacks, such as certain firmware, hardware, or software changes (including some updates). In that case, it requires the 48‑digit recovery key to unlock the drive.
    • For Microsoft updates (Windows quality and feature updates), no user action is normally required; BitLocker is designed to work with these updates without needing to be suspended.
    • For some non‑Microsoft updates (for example, certain TPM firmware, BIOS/UEFI, or Secure Boot database changes), BitLocker should be suspended beforehand. If not, devices can boot into recovery and require the recovery key.
    2. Managing the current issue
    • The immediate way out of recovery is to enter the 48‑digit recovery key so the device can boot.
    • For affected devices, BitLocker can be temporarily suspended before applying problematic updates so they do not repeatedly enter recovery.
    • In domain or Microsoft Entra ID environments, BitLocker recovery information (48‑digit recovery password and key package) can be centrally backed up and managed via policy, which reduces the burden of manually tracking keys.
    3. Impact of turning BitLocker off
    • BitLocker protects data at rest by encrypting the drive; without it, if a drive is removed or a device is lost/stolen, data can be accessed without the decryption key.
    • Disabling BitLocker on all devices removes this protection and may conflict with organizational or regulatory security requirements, especially in a school or enterprise environment.
    • Once BitLocker is turned off and the drive is decrypted, the data is no longer protected by BitLocker; if later re‑enabled, the drives must be re‑encrypted.
    4. Recommended direction
    • Instead of broadly turning BitLocker off, consider:
      • Ensuring recovery keys are centrally backed up (for example, to Microsoft Entra ID or AD DS) so IT can retrieve them easily.
      • Adjusting processes so that any non‑Microsoft firmware/BIOS/TPM updates are applied with BitLocker properly suspended, as documented.
      • Using policy to control how BitLocker‑protected operating system drives can be recovered and to ensure recovery information is stored centrally.

    If the school’s risk posture and policies explicitly allow unencrypted devices, BitLocker can be disabled, but this should be a deliberate security decision rather than just a workaround for the current update issue.

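One way to put the two recommendations from the answers above into practice on a single domain PC (escrow the recovery password to AD DS, and suspend BitLocker for one reboot before a non-Microsoft firmware update), as an added example that is not part of either answer. It assumes the built-in BitLocker PowerShell module, an elevated session, and that the "Store BitLocker recovery information in Active Directory Domain Services" policy is enabled; the mode names and the script itself are this example's own.

```powershell
# Added example (not from the thread): per-machine BitLocker triage for a domain PC.
# Assumes the BitLocker module (Windows 10/11 Pro/Enterprise/Education), an elevated
# session, and the "Store BitLocker recovery information in AD DS" policy enabled so
# that Backup-BitLockerKeyProtector can escrow to the computer object.
# Modes (hypothetical names): Audit (default), Escrow, SuspendForFirmware.
param(
    [ValidateSet('Audit', 'Escrow', 'SuspendForFirmware')]
    [string]$Mode = 'Audit',
    [string]$MountPoint = $env:SystemDrive
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')

# Audit: the facts that matter when a fleet starts landing on the recovery screen.
[pscustomobject]@{
    Volume            = $vol.MountPoint
    VolumeStatus      = $vol.VolumeStatus      # FullyEncrypted / FullyDecrypted / ...
    ProtectionStatus  = $vol.ProtectionStatus  # On, or Off when suspended/not enabled
    RecoveryProtector = ($recovery.Count -gt 0)
    RecoveryKeyIds    = ($recovery | ForEach-Object KeyProtectorId) -join ', '
} | Format-List

switch ($Mode) {
    'Escrow' {
        # Push each recovery password to the AD DS computer object so IT retrieves
        # it from the BitLocker Recovery Password Viewer instead of asking a user
        # to read the 48-digit key off the screen.
        if ($recovery.Count -eq 0) {
            throw "No recovery password protector on $MountPoint. Add one first: Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector"
        }
        foreach ($p in $recovery) {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
            Write-Host "Escrowed protector $($p.KeyProtectorId) to AD DS"
        }
    }
    'SuspendForFirmware' {
        # Suspend for exactly one reboot before a BIOS/UEFI/TPM firmware update.
        # Protection resumes automatically after that restart, so the TPM seals
        # against the new measurements instead of forcing a recovery prompt.
        if ($vol.ProtectionStatus -eq 'On') {
            Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
            Write-Host "BitLocker suspended on $MountPoint for one reboot; apply the firmware update now."
        } else {
            Write-Host "Protection already off on $MountPoint (suspended or not enabled); nothing to do."
        }
    }
}
```

Run it as `.\bitlocker-triage.ps1 -Mode Escrow` (or `-Mode SuspendForFirmware`) from an elevated prompt; a Group Policy startup script or Intune remediation can apply the Escrow step fleet-wide.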
