Preventing BitLocker encryption during Windows 11 deployment can be essential: on hardware with Secure Boot and a TPM enabled, Windows 11 turns on device encryption automatically. To prevent this, you can add a command to the unattend.xml file.

Introduction

BitLocker is a robust encryption feature in Windows 11 that helps protect data by encrypting the entire drive. However, in some deployment scenarios, you might need to prevent BitLocker from automatically activating. This can be achieved by modifying the unattend.xml file used during Windows 11 installation.

Disabling BitLocker in Unattend.XML

To prevent BitLocker from activating, add the following command to the unattend.xml file. RunSynchronous commands belong to the Microsoft-Windows-Deployment component in the specialize pass, which runs before OOBE, so the registry value is already in place when device encryption would otherwise start:

<RunSynchronousCommand wcm:action="add">
    <Description>Disable BitLocker</Description>
    <Order>7</Order>
    <Path>reg add HKLM\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_DWORD /d 1 /f</Path>
</RunSynchronousCommand>

This command adds a registry entry (PreventDeviceEncryption = 1 under HKLM\SYSTEM\CurrentControlSet\Control\BitLocker) that prevents Windows from encrypting the device automatically. The wcm:action attribute requires the wcm namespace to be declared in the answer file, as shown in the full example below.

The Unattend.XML File

Here is an example of how the unattend.xml file would look with the added command:

<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend"
          xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State">
    <settings pass="oobeSystem">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
            <OOBE>
                <HideEULAPage>true</HideEULAPage>
                <HideOEMRegistrationScreen>true</HideOEMRegistrationScreen>
                <HideOnlineAccountScreens>true</HideOnlineAccountScreens>
                <ProtectYourPC>1</ProtectYourPC>
            </OOBE>
            <UserAccounts>
                <LocalAccounts>
                    <LocalAccount wcm:action="add">
                        <Password>
                            <!-- Sample value; with PlainText=true the password is stored readable in the answer file -->
                            <Value>Pa$$w0rd</Value>
                            <PlainText>true</PlainText>
                        </Password>
                        <Description>Local Administrator Account</Description>
                        <DisplayName>Admin</DisplayName>
                        <Group>Administrators</Group>
                        <Name>Admin</Name>
                    </LocalAccount>
                </LocalAccounts>
            </UserAccounts>
        </component>
    </settings>
    <settings pass="specialize">
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
            <ComputerName>PC-%RAND%</ComputerName>
        </component>
        <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
            <!-- RunSynchronous is defined for Microsoft-Windows-Deployment, not Microsoft-Windows-Shell-Setup -->
            <RunSynchronous>
                <RunSynchronousCommand wcm:action="add">
                    <Description>Disable BitLocker</Description>
                    <Order>7</Order>
                    <Path>reg add HKLM\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_DWORD /d 1 /f</Path>
                </RunSynchronousCommand>
            </RunSynchronous>
        </component>
    </settings>
</unattend>

Using the Unattend.XML File

  1. Create the unattend.xml file:
    • Copy the above XML configuration into a file named unattend.xml.
  2. Add the unattend.xml file to your Windows 11 image:
    • Use Windows System Image Manager (WSIM) to validate and customize the XML file if necessary.
    • Place the unattend.xml file in the \Sources folder of your Windows 11 installation media or deployment share.
  3. Deploy Windows 11:
    • Boot the target machine using the Windows 11 installation media.
    • The setup process will automatically apply the settings specified in the unattend.xml file, including the command to prevent BitLocker activation.
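The following PowerShell script is an added example, not part of the original post. Before deployment it parses the answer file and confirms that a RunSynchronousCommand sets PreventDeviceEncryption to 1 in a component that actually accepts RunSynchronous; after deployment it confirms the registry value is present and that the OS volume was never encrypted. The file path, the -Deployed switch and the function names are assumptions made for this example.

```powershell
# Added example (not from the original post): validate the answer file before
# deployment, or verify on a deployed machine that device encryption was prevented.
param(
    [string]$AnswerFile = ".\unattend.xml",   # assumed location of the answer file
    [switch]$Deployed                          # run the post-deployment checks instead
)

$ErrorActionPreference = 'Stop'

function Test-UnattendPreventEncryption {
    param([Parameter(Mandatory)][string]$Path)

    # Parsing as XML catches a missing xmlns:wcm declaration or stray text
    # (such as copy-button residue) before Setup ever sees the file.
    [xml]$doc = Get-Content -Path $Path -Raw

    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')

    # Every RunSynchronousCommand whose Path sets PreventDeviceEncryption to 1.
    $cmds = @($doc.SelectNodes('//u:RunSynchronousCommand', $ns) |
        Where-Object { $_.Path -match 'PreventDeviceEncryption' -and $_.Path -match '/d\s+1\b' })

    if ($cmds.Count -eq 0) {
        Write-Warning "No RunSynchronousCommand sets PreventDeviceEncryption=1 in $Path"
        return $false
    }

    $ok = $true
    foreach ($cmd in $cmds) {
        $component = $cmd.ParentNode.ParentNode      # RunSynchronous -> component
        $pass      = $component.ParentNode.pass      # the settings pass
        "{0}: Order={1} pass={2} component={3}" -f $cmd.Description, $cmd.Order, $pass, $component.name

        # RunSynchronous is defined for Microsoft-Windows-Deployment (specialize/auditUser)
        # and Microsoft-Windows-Setup (windowsPE); any other component will not validate.
        if ($component.name -notin @('Microsoft-Windows-Deployment', 'Microsoft-Windows-Setup')) {
            Write-Warning "RunSynchronous is not a valid child of $($component.name)"
            $ok = $false
        }
    }
    return $ok
}

function Test-DeviceEncryptionPrevented {
    # Post-deployment check: the registry value must be 1 and the OS volume
    # must still be fully decrypted. ProtectionStatus alone is not decisive:
    # an auto-encrypted volume holding only a clear key also reports 'Off'.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\BitLocker'
    $val = (Get-ItemProperty -Path $key -Name PreventDeviceEncryption -ErrorAction SilentlyContinue).PreventDeviceEncryption
    if ($val -ne 1) {
        Write-Warning "PreventDeviceEncryption is '$val' (expected 1)"
        return $false
    }

    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    "{0}: ProtectionStatus={1} VolumeStatus={2}" -f $os.MountPoint, $os.ProtectionStatus, $os.VolumeStatus
    return ($os.VolumeStatus -eq 'FullyDecrypted')
}

if ($Deployed) {
    Test-DeviceEncryptionPrevented
} else {
    Test-UnattendPreventEncryption -Path $AnswerFile
}
```

Run it without arguments against the file you are about to copy into \Sources; after the machine has been deployed and reached the desktop, run it with -Deployed from an elevated prompt. The VolumeStatus check matters because automatic device encryption initially encrypts with a clear key, so a drive can be fully encrypted while Get-BitLockerVolume still shows protection off.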
