Solved: Disabling the BitLocker Service via GPP Fails

Permissions
Published Apr 17, 2012 Updated Apr 16, 2012

If you want to disable the BitLocker service via Group Policy Preferences, you will find that you cannot. The service’s startup mode stays at “manual” and the following event is logged to the application event log:

Type:     Warning
Source:   Group Policy Services
Event ID: 4098
User:     SYSTEM
Text:     ... error code 0x80070005 access denied ...

Other services can be disabled without any problems.

Analysis

The “access denied” message points to a problem related to permissions. Looking at the BitLocker service’s permissions in SetACL Studio, we see:

When we compare that with some other service’s permissions, we notice that other services have a much simpler permission setup, where Administrators simply have full control:

Solution

Once Administrators have full access, disabling the BitLocker service works flawlessly. Service permissions changes can be automated easily with SetACL. To grant Administrators full access to the BitLocker service use the following command:

SetACL -on BDESVC -ot srv -actn ace -ace n:Administrators;p:full

BitLocker Group Policy Preferences SetACL Studio

Comments

Comments are powered by Giscus. Please enable JavaScript to view them, or view discussions directly on GitHub.

Latest Posts

Scripted WordPress to Hugo Migration

After having published in WordPress for almost 20 years, it was time for a change. This site is now rendered by Hugo, a static website generator built for Markdown content hosted in a Git repository. The migration from WordPress (HTML) to Hugo (Markdown) was far from trivial. Since I couldn’t find any tool for the job, I developed my own set of migration scripts that fully automate the migration process. You can find them on GitHub along with extensive documentation.

Website

Jan 25, 2026

Mitsubishi Heat Pump Data in Home Assistant via Modbus

This article shows how to get detailed information about your Mitsubishi heat pump’s status and operations into Home Assistant. Prerequisites You’ll need a Mitsubishi Modbus interface, either the older A1M (serial Modbus/RTU via RS-485 only) or the newer A1M+ (Modbus/TCP via Ethernet in addition to Modbux/RTU). I’m using the Ethernet variant.

Home Automation, Networking & Self-Hosting

Dec 27, 2025

GitHub: Authenticated Access via SSH

This article describes how to set up authenticated access to a (private or public) GitHub repository from Linux. Create & Set Up an SSH Key SSH Key Creation Create a new SSH key:

Software development

Dec 6, 2025

Fixing IPv6 Intermittent Packet Loss Caused by Windows Firewall

This article shows a simple solution to a weird networking problem that plagued me for hours: IPv6 packets were sometimes lost; IPv4 was not affected. Problem: IPv6 Ping Timeouts and Packet Losses Symptom: Teams Issues I noticed the problem first when there were intermittent connectivity issues in Teams during a meeting.

Networking

Oct 16, 2025

Solved: Disabling the BitLocker Service via GPP Fails

Analysis

Solution

Comments

Related Posts

What's Wrong with Group Policy

Windows 7 Default File System Permissions Listing

Windows 7 Default HKCU Registry Permissions

How to Determine the Size of the System Volume Information Directory

Latest Posts

Scripted WordPress to Hugo Migration

Mitsubishi Heat Pump Data in Home Assistant via Modbus

GitHub: Authenticated Access via SSH

Fixing IPv6 Intermittent Packet Loss Caused by Windows Firewall