
How to force BitLocker decryption on drives?

BitLocker is a built-in encryption feature in Windows that helps protect sensitive data on devices by encrypting the contents of the drives. Even if a device is lost or stolen, the encrypted data stays protected, as access to the drive requires a password or recovery key.

Decryption is the process of removing BitLocker protection from a drive, effectively converting the encrypted drive back to its original, unprotected state. While BitLocker encryption is essential for security, there are scenarios where decryption becomes necessary.

There are cases where encryption may need to be removed — for instance, when a device is being reassigned, repurposed, or retired. Decrypting the drive ensures that BitLocker protection doesn’t interfere with OS reinstallation or hardware changes that could otherwise prompt recovery key requirements or restrict access to the drive’s data.

Executing the Force BitLocker Decryption action remotely turns off BitLocker and begins decrypting the OS, fixed, or removable drives, making the data accessible without BitLocker protection.

Disclaimer:

Decrypting a drive removes BitLocker protection, making data accessible without encryption. It is recommended to decrypt drives only when necessary and to re-enable BitLocker once the intended task is complete.

Force BitLocker Decryption on Windows drive

You can follow the steps below to force decrypt the drives on the Windows device:

  1. Log in to the Hexnode UEM portal.
  2. Navigate to the Manage tab and select your device.
  3. Click on Actions > Force BitLocker Decryption.
  4. In the Force BitLocker Decryption dialog box, configure the required settings:
    1. Decrypt all drives – Decrypts all fixed and removable drives. If not selected, choose from:
      • Decrypt fixed drives
      • Decrypt removable drives
      • Decrypt specific drives – Enter drive names separated by commas.
    2. Clear auto-unlock – Auto-unlock is a BitLocker feature that lets drives unlock automatically when the operating system drive is unlocked. The keys required for this automatic unlocking are stored on the OS drive. As a result, decryption of the OS drive cannot occur while these keys are present. Selecting the “Clear auto-unlock” option removes the automatic unlocking keys from the OS drive, enabling the decryption process to proceed. This option applies only to the OS drive.
    Notes:

      • The action works only if the drive is in an unlocked state.
      • When auto-unlock is enabled for the drives, the OS drive stores all automatic unlocking keys. In this case, ensure the Clear auto-unlock option is selected when attempting to decrypt the OS drive.

  5. Click on Proceed.

What happens at the device end?

When the action is executed, BitLocker is immediately disabled on the specified drive(s), removing all key protectors (password or recovery key), and the decryption process begins for the drive’s contents.

Once the action is successfully executed, the Device Summary page under Hardware Info will show the BitLocker Encryption Status as “Decrypting” for the specified drive.

BitLocker encryption status of the drive changes after the Force BitLocker Decryption action is executed

After decryption is complete, the status will change to Not Encrypted.

You can also check the decryption status directly from the device by navigating to
Control Panel > System and Security > BitLocker Drive Encryption.

Check BitLocker decryption status of the OS drive on the device
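
The same status, together with the two pre-conditions from the notes (drive unlocked, no auto-unlock keys left on the OS drive), can be read on the device with PowerShell. This is an added example, not part of Hexnode's documentation or tooling: it assumes an elevated session, the function name `Get-DecryptionReadiness` is hypothetical, and the mapping of `VolumeStatus` values to the portal's "Decrypting" and "Not Encrypted" labels is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report, run locally on the managed Windows device.
# Get-BitLockerVolume ships with the built-in BitLocker PowerShell module.

function Get-DecryptionReadiness {
    param([Parameter(Mandatory)] $Volume)   # one object from Get-BitLockerVolume

    $blockers = @()
    # Note from the page: the action works only if the drive is unlocked.
    if ("$($Volume.LockStatus)" -eq 'Locked') {
        $blockers += 'drive is locked'
    }
    # Auto-unlock keys live on the OS drive and block its decryption until cleared.
    if ("$($Volume.VolumeType)" -eq 'OperatingSystem' -and $Volume.AutoUnlockKeyStored) {
        $blockers += 'auto-unlock keys stored on OS drive (select Clear auto-unlock)'
    }

    # Assumed mapping from BitLocker's VolumeStatus to the labels shown in the portal.
    $state = switch ("$($Volume.VolumeStatus)") {
        'FullyDecrypted'       { 'Not Encrypted' }
        'DecryptionInProgress' { 'Decrypting' }
        default                { "$($Volume.VolumeStatus)" }
    }

    [pscustomobject]@{
        Drive        = $Volume.MountPoint
        Type         = $Volume.VolumeType
        State        = $state
        EncryptedPct = $Volume.EncryptionPercentage
        Protection   = $Volume.ProtectionStatus
        # Empty once the action has removed the key protectors.
        Protectors   = ($Volume.KeyProtector.KeyProtectorType -join ', ')
        Blockers     = ($blockers -join '; ')
    }
}

$report = Get-BitLockerVolume | ForEach-Object { Get-DecryptionReadiness -Volume $_ }
$report | Format-Table -AutoSize

# Flag every drive that is currently readable without BitLocker, so it can be
# re-encrypted once the reassignment or reinstall task is finished.
$report | Where-Object { "$($_.Protection)" -ne 'On' } | ForEach-Object {
    Write-Warning "$($_.Drive) is not protected by BitLocker ($($_.State), $($_.EncryptedPct)% encrypted)"
}
```

Run it before the action to see what would block decryption, and again afterwards to confirm which drives still need BitLocker re-enabled.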
