Solved: Disabling the BitLocker Service via GPP Fails
If you want to disable the BitLocker service via Group Policy Preferences, you will find that you cannot. The service’s startup mode stays at “manual” and the following event is logged to the application event log:
Type: Warning
Source: Group Policy Services
Event ID: 4098
User: SYSTEM
Text: ... error code 0x80070005 access denied ...
Other services can be disabled without any problems.
The “access denied” message points to a problem related to permissions. Looking at the BitLocker service’s permissions in SetACL Studio, we see:
When we compare that with some other service’s permissions, we notice that other services have a much simpler permission setup, where Administrators simply have full control:
Once Administrators have full access, disabling the BitLocker service works flawlessly. Service permission changes can be automated easily with SetACL. To grant Administrators full access to the BitLocker service, use the following command (the quotes keep the semicolon from being interpreted by the shell, for example in PowerShell):
SetACL -on BDESVC -ot srv -actn ace -ace "n:Administrators;p:full"
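To confirm the permission state before and after running SetACL, the service's DACL can be read with `sc.exe sdshow` and checked for the SERVICE_CHANGE_CONFIG right that changing the startup mode requires. The PowerShell below is an added example, not part of the original post: the function names and the two sample SDDL strings are constructed for illustration (they are not the real BDESVC descriptor), and the check evaluates ACEs for a single SID only, not a full token with group memberships.

```powershell
$SERVICE_CHANGE_CONFIG = 0x0002      # SDDL right "DC" on a service object
$GENERIC_WRITE         = 0x40000000  # "GW": includes SERVICE_CHANGE_CONFIG for services
$GENERIC_ALL           = 0x10000000  # "GA": maps to SERVICE_ALL_ACCESS

# Hypothetical helper: does the DACL in $Sddl grant $Sid the right to change
# the service configuration (startup type, binary path, ...)?
function Test-ServiceChangeConfig {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Sid = 'S-1-5-32-544'   # BUILTIN\Administrators
    )
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return $true }   # no DACL: access is unrestricted
    $allowed = 0; $denied = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if ($ace.SecurityIdentifier.Value -ne $Sid) { continue }
        $mask = $ace.AccessMask
        if ($mask -band ($GENERIC_WRITE -bor $GENERIC_ALL)) {
            $mask = $mask -bor $SERVICE_CHANGE_CONFIG
        }
        # ACEs are evaluated in order: the first ACE that mentions a bit decides it.
        switch ($ace.AceType) {
            'AccessDenied'  { $denied  = $denied  -bor ($mask -band (-bnot $allowed)) }
            'AccessAllowed' { $allowed = $allowed -bor ($mask -band (-bnot $denied)) }
        }
    }
    [bool]($allowed -band $SERVICE_CHANGE_CONFIG)
}

# Hypothetical helper: read the live security descriptor of a service as SDDL.
function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    $out = & sc.exe sdshow $Name
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow $Name failed: $out" }
    ($out | Where-Object { $_.Trim() }) -join ''
}

# Constructed sample descriptors (NOT the real BDESVC descriptor):
$restricted = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;BA)'          # Administrators without "DC"
$fullAccess = 'D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'  # Administrators with full control
"restricted : $(Test-ServiceChangeConfig -Sddl $restricted)"
"full access: $(Test-ServiceChangeConfig -Sddl $fullAccess)"

# On a live system:
# Test-ServiceChangeConfig -Sddl (Get-ServiceSddl -Name BDESVC)
```

Recording the `sc.exe sdshow` output before the change also gives you the original descriptor to restore or to compare against in a later audit.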