Solved: Disabling the BitLocker Service via GPP Fails

Permissions
Published Apr 17, 2012 Updated Apr 16, 2012

If you want to disable the BitLocker service via Group Policy Preferences, you will find that you cannot. The service’s startup mode stays at “manual” and the following event is logged to the application event log:

Type:     Warning
Source:   Group Policy Services
Event ID: 4098
User:     SYSTEM
Text:     ... error code 0x80070005 access denied ...

Other services can be disabled without any problems.

Analysis

The “access denied” message points to a problem related to permissions. Looking at the BitLocker service’s permissions in SetACL Studio, we see:

When we compare that with some other service’s permissions, we notice that other services have a much simpler permission setup, where Administrators simply have full control:

Solution

Once Administrators have full access, disabling the BitLocker service works flawlessly. Service permissions changes can be automated easily with SetACL. To grant Administrators full access to the BitLocker service use the following command:

SetACL -on BDESVC -ot srv -actn ace -ace n:Administrators;p:full

BitLocker Group Policy Preferences SetACL Studio

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In the first post, I showed how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In this second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Hardware

Feb 7, 2026

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

This micro-series explains how to turn the Lenovo ThinkCentre M90t Gen 6 into a smart workstation that consumes only 5 Watts when idle but reaches top Cinebench scores while staying almost imperceptibly silent. In this first post, I’m showing how to silence the machine by replacing and adding to Lenovo’s CPU cooler. In a second post, I’m listing the exact configuration that achieves the lofty goal of combining minimal idle power consumption with top Cinebench scores.

Hardware

Jan 31, 2026

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Website

Jan 25, 2026

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting

Dec 27, 2025

Solved: Disabling the BitLocker Service via GPP Fails

Analysis

Solution

Comments

Related Posts

Delprof2 & SetACL Studio Free for Commercial Use

Access Based Enumeration on Windows 7

How Group Policy Impacts Logon Performance #2: Internals

What's Wrong with Group Policy

Latest Posts

Fast & Silent 5 Watt PC: Minimizing Idle Power Usage

Fast & Silent 5 Watt PC: Lenovo ThinkCentre M90t Modding

Scripted WordPress to Hugo Migration

Mitsubishi Heat Pump Data in Home Assistant via Modbus