Starting from Windows Vista, Windows has a native encryption utility named BitLocker that allows users to encrypt their entire OS drive, as well as partitions and removable media such as USB flash drives. This prevents unauthorized access to sensitive data stored on the drives. It also means that anyone with physical access to the PC can encrypt the drive(s) and lock the rightful owner out of their very own device. In this tutorial, I will show you how to securely disable BitLocker on every drive.
If you're serious about protecting your sensitive data from falling into the hands of the unknown, disk encryption is certainly the best option to protect it. BitLocker does the job with incredible ease, all within the Windows environment without the aid of third-party tools.
Simply put, once you encrypt a drive, BitLocker will prompt for the unlock method you set during encryption (such as a password or a PIN) before its contents can be viewed. Once you authenticate, your files can be accessed.
The problem is that those who share your PC, or perhaps someone who gains unauthorized access, remotely or otherwise, can also use BitLocker to encrypt your computer's hard disk and hence lock you out of your own PC. This is similar to how ransomware operates: without a decryption key, you cannot access your files. As such, I will demonstrate how to securely prevent anyone from encrypting your computer's hard disk and other storage drives.
To achieve this, I will be using the good old Group Policy Editor, which is native to the Windows 10 Pro, Enterprise and Education editions. The same applies to BitLocker: only the Pro, Enterprise and Education editions are supported. If you're running Windows 10 Home, you're out of luck. So without further delay, let's rip into this tutorial.
To access the Group Policy Editor, open the Run menu, enter gpedit.msc and hit OK.
The Group Policy Editor will now open, so navigate to the following directory.
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption
Just under BitLocker Drive Encryption, you will see Fixed Data Drives, Operating System Drives and Removable Data Drives. Select the drive(s) that you want to prevent BitLocker from encrypting. For the purpose of this guide, I've selected Fixed Data Drives.
Then on the right pane, double-click on Choose how BitLocker-protected fixed drives can be recovered. If you've selected a different drive type, double-click on its respective option.
To the left of the window, click the Enabled radio button. Then toward the bottom under Backup recovery passwords and key packages, select the checkbox as illustrated. In simple terms, this option waits for recovery information to be stored before a disk can be encrypted. Given there's no recovery info, BitLocker cannot encrypt a disk! Hit OK to finalize the process.
Here's an example of how BitLocker works before the above setting is applied. I can use a password to unlock my drive, and follow the prompts until completion.
Just after applying the above setting, let's try and encrypt my hard disk with BitLocker. I've right-clicked my drive and selected Turn on BitLocker as arrowed below.
BitLocker is now attempting to encrypt my hard disk. Let's see what happens next.
As you can see, BitLocker has failed to perform its task. Perfect! This clearly demonstrates that my selected drive cannot be encrypted.
I strongly suggest protecting your drives and partitions with BitLocker encryption, but if you're the type of user who's not comfortable with this, then applying the above setting will certainly prevent anyone from using BitLocker on your computer.
To reverse the change and have it functioning as per its original state, go back to Step Three above, select the Not Configured radio button and hit OK.
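To confirm that the setting from the steps above is in place (or cleared again after reverting it), the following PowerShell audit reads the policy from the registry and lists any volume BitLocker has already touched. It is an added example, not part of the original tutorial, and it assumes the policy is stored under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` with the value names used in the script, which the tutorial does not state.

```powershell
# Added example: audit the BitLocker recovery policy set in the steps above.
# Run from an elevated PowerShell prompt (Windows 10 Pro, Enterprise or Education).
# Assumption: Group Policy stores the setting under this key and these value names.
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# One entry per node shown under "BitLocker Drive Encryption" in the editor.
$driveClasses = [ordered]@{
    'Fixed Data Drives'       = 'FDV'
    'Operating System Drives' = 'OS'
    'Removable Data Drives'   = 'RDV'
}

# $null when the key does not exist, i.e. no BitLocker policy is configured at all.
$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue

$report = foreach ($class in $driveClasses.GetEnumerator()) {
    $enabledName = "$($class.Value)Recovery"                      # policy set to Enabled
    $requireName = "$($class.Value)RequireActiveDirectoryBackup"  # the checkbox from the tutorial
    # A missing value means the policy is Not Configured for that drive class.
    $enabled = if ($policy) { $policy.$enabledName } else { $null }
    $require = if ($policy) { $policy.$requireName } else { $null }
    [pscustomobject]@{
        DriveClass     = $class.Key
        PolicyEnabled  = ($enabled -eq 1)
        WaitsForBackup = ($require -eq 1)
        SettingApplied = ($enabled -eq 1 -and $require -eq 1)
    }
}
$report | Format-Table -AutoSize

# Flag every volume that is encrypted, encrypting, decrypting or paused.
$touched = Get-BitLockerVolume | Where-Object { $_.VolumeStatus -ne 'FullyDecrypted' }
if ($touched) {
    Write-Warning 'BitLocker is already active on these volumes:'
    $touched | Format-Table MountPoint, VolumeType, VolumeStatus, ProtectionStatus -AutoSize
} else {
    Write-Output 'No volume is encrypted or mid-encryption.'
}
```

A drive class that shows `SettingApplied` as `False` was either never configured or has been set back to Not Configured, so re-running the audit after any change shows whether someone has reverted the policy.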