Step 2: Remove the Encryption Key from TPM
To prevent reactivation via TPM-stored key:
- Open Command Prompt as Administrator
- Run:
manage-bde -protectors -delete C: -type TPM
This removes the TPM-bound protector from the volume.
- Optionally, clear TPM entirely (if you're not using it for other features):
- Run:
tpm.msc
- Choose Clear TPM (requires reboot and confirmation)
This ensures no residual key material remains in TPM that BitLocker or Device Encryption could reuse.
Well I never signed into an account on this machine, so if it created a key, it was without my knowledge.
Are there any ramifications towards doing this with TPM?
Step 3: Set Registry Flag to Block Re-encryption
This is the permanent prevention step:
reg add hklm\system\currentcontrolset\control\bitlocker /v PreventDeviceEncryption /t reg_dword /d 1 /f
This registry key tells Windows to never auto-enable Device Encryption again, even after updates or hardware changes.
Yeah, but I heard a future update could possibly remove that key, so it's semi-permanent, I guess...
Optional: Remove Encryption-Related Services
If you're going full scorched-earth:
- Disable the Device Encryption Service:
Code:
sc config "DeviceEncryptionService" start= disabled
sc stop "DeviceEncryptionService"
- Disable BitLocker Drive Encryption Service (if present):
Code:
sc config "BDESVC" start= disabled
sc stop "BDESVC"
Yeah, I read about this one somewhere else. I don't know how permanent that would be, either.
Verify Status
Run:
manage-bde -status
You should see:
- Conversion Status: Fully Decrypted
- Protection Status: Protection Off
- Key Protectors: None
If you're curious whether orphaned protection keys are still hanging around in the cloud, you can check here:
Thanks for the info but I removed OneDrive immediately using Revo, so no cloud there. Not to mention, I never signed in and I have not moved any personal files over to My Documents, Video, Downloads folders, etc... Those folders contain nothing.
This page shows any BitLocker recovery keys tied to your account. If you see one listed for your device, it means the key was backed up to the cloud during the encryption.
When I first started up the machine, I immediately went to BitLocker and it was already turned off by default. I did have to manually turn off file encryption, though. I never did click on the option to create a key.
Even if the registry setting gets accidentally removed and Device Encryption gets silently re-enabled somehow, the actual encryption doesn't begin before a proper backup of the key is made. Immediately as soon as Device Encryption is enabled/re-enabled, a new key protector is created and stored in the TPM, as old key protectors aren't reused. Next, if you log in with a Microsoft account, a new backup of the key is made but any existing backups aren't automatically removed. So, turning Device Encryption off causes existing backups to be orphaned immediately, regardless of whether you run the command from Step 2.2 above, and regardless of whether the backups are in the cloud or are stored elsewhere—or both.
The TPM option looks the most promising. Yes?
I'd also look at going into services.msc as an administrator and see what services are running for it in the background and disable anything in there as well, although some future update may turn it back on. Even in Windows 10, I occasionally would pop in to services.msc and see what was turning itself back on, since I can't fully trust Microsoft with their updates. However, for the last year or so, I haven't found anything in there that was reversed.
This whole thing should be an option for people. I believe in choice. For some who want it, go for it. For those that don't, they shouldn't have to put up with it. Where there's a will, there's a way.
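The steps quoted above (remove the TPM protector, set PreventDeviceEncryption, verify with manage-bde -status) can be done in one pass from an elevated PowerShell session. The script below is an added example, not code from the original thread or from Microsoft; it uses the BitLocker module cmdlets (Get-BitLockerVolume, Disable-BitLocker, Remove-BitLockerKeyProtector) and the standard registry cmdlets, and assumes the OS volume is C: and that you are running as a local administrator. It adds one check the quoted steps skip: it refuses to delete protectors until the volume is fully decrypted, because removing the only key protector from a volume that is still encrypted can leave it with no way to unlock at the next boot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): turn off Device Encryption on
# the OS volume, pin the PreventDeviceEncryption flag, and verify the result.
# Assumptions: OS volume is C:, BitLocker PowerShell module is present.

$Volume  = 'C:'
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'

# 1. Record the current state before changing anything.
$bl = Get-BitLockerVolume -MountPoint $Volume
"{0} VolumeStatus={1} ProtectionStatus={2} Protectors={3}" -f `
    $bl.MountPoint, $bl.VolumeStatus, $bl.ProtectionStatus,
    (($bl.KeyProtector | ForEach-Object KeyProtectorType) -join ',')

# 2. If the volume is still encrypted, decrypt it first and wait.
#    Deleting the TPM protector from an encrypted volume is what you do
#    NOT want; decrypting removes the dependency on the TPM safely.
if ($bl.VolumeStatus -ne 'FullyDecrypted') {
    Disable-BitLocker -MountPoint $Volume | Out-Null
    do {
        Start-Sleep -Seconds 10
        $bl = Get-BitLockerVolume -MountPoint $Volume
        "Decrypting... {0}% still encrypted" -f $bl.EncryptionPercentage
    } while ($bl.VolumeStatus -ne 'FullyDecrypted')
}

# 3. Remove any TPM-bound protectors that remain
#    (equivalent to: manage-bde -protectors -delete C: -type TPM).
Get-BitLockerVolume -MountPoint $Volume |
    Select-Object -ExpandProperty KeyProtector |
    Where-Object KeyProtectorType -like 'Tpm*' |
    ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $Volume `
            -KeyProtectorId $_.KeyProtectorId | Out-Null
    }

# 4. Pin the flag that tells Windows not to auto-enable Device Encryption
#    (same value the quoted reg add command sets).
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
New-ItemProperty -Path $RegPath -Name PreventDeviceEncryption `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 5. Verify. Exit non-zero so a scheduled task can re-run this after
#    updates and flag drift (e.g. the registry value being removed).
$bl  = Get-BitLockerVolume -MountPoint $Volume
$reg = Get-ItemProperty -Path $RegPath -Name PreventDeviceEncryption `
           -ErrorAction SilentlyContinue
$ok  = ($bl.VolumeStatus -eq 'FullyDecrypted') -and
       ($bl.ProtectionStatus -eq 'Off') -and
       ($bl.KeyProtector.Count -eq 0) -and
       ($reg.PreventDeviceEncryption -eq 1)
if ($ok) {
    'OK: volume decrypted, no key protectors, PreventDeviceEncryption=1'
    exit 0
} else {
    'DRIFT: Device Encryption state does not match expectation'
    exit 1
}
```

The optional TPM clear from tpm.msc is deliberately not scripted here: clearing the TPM discards every key it holds, not just BitLocker's, so anything else on the machine that is TPM-backed (Windows Hello credentials, other TPM-stored keys) would have to be re-enrolled afterwards. Once the volume is fully decrypted and has no protectors, BitLocker has nothing left in the TPM to reuse, so the clear is only worth doing if you want the TPM empty for its own sake. Running the script on a schedule gives you the periodic "did an update turn it back on?" check that the thread is worried about.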