How to Fix a Task Sequence That Fails to Turn Off BitLocker
If your task sequence fails to turn off BitLocker, how can you turn off BitLocker another way? In this post, we'll show you how to fix the task sequence and how to turn off BitLocker with another tool.
Scenario: Task sequence fails to turn off BitLocker
“The initial action in the task sequence is to disable BitLocker. We observed that the initial phase fails, resulting in an error code of 0x000000032, during the testing process. There is no purpose to this phase, which is a component of the SCCM task sequence. Has anyone previously encountered this problem?”
--User from Reddit
Overview of task sequence & BitLocker
A task sequence in the context of a Windows system, particularly when using Microsoft's System Center Configuration Manager (SCCM) or Microsoft Deployment Toolkit (MDT), is a series of steps or tasks that are executed in a specific order to automate various actions such as deploying operating systems, installing applications, applying updates, and configuring settings. Task sequences are a core feature in SCCM and MDT and are used to streamline and automate the deployment process, ensuring consistency and efficiency.
Typical uses of task sequences:
Operating System Deployment (OSD): Installing or upgrading Windows operating systems on multiple machines.
Application Deployment: Installing required applications as part of the OS deployment process.
Configuration: Applying system and security configurations, such as joining a domain or setting up network settings.
Patching and Updates: Applying the latest updates and patches to the OS and installed applications.
As the scenario shows, the user wishes to disable BitLocker in a task sequence but encounters the error code 0x000000032. The error code 0x00000032 in a task sequence typically indicates an issue related to the deployment process, often specifically tied to the Windows Deployment Services (WDS) or the Preboot Execution Environment (PXE) boot process. This error can be caused by several factors, such as network issues, incorrect configuration of WDS, or problems with the boot image.
Guide to fixing a task sequence that fails to turn off BitLocker
In this part, we'll show how to resolve error code 0x00000032 when a task sequence fails to turn off BitLocker.
Step 1. Verify TPM and BitLocker Status
Ensure the Trusted Platform Module (TPM) and BitLocker are functioning correctly on the device. Per Microsoft's recommendation, TPM version 2.0 or later is required; not all BitLocker functionality may be supported on TPM version 1.2 chips.
1. Open Command Prompt as an administrator.
2. Run manage-bde -status to check BitLocker status.
3. Run tpm.msc to verify TPM is enabled and ready.
Step 2. Suspend BitLocker in the Task Sequence
1. Ensure the task sequence includes a step to suspend BitLocker before performing operations that require BitLocker to be off.
2. Add a “Run Command Line” step in the task sequence.
3. Use the command: manage-bde -protectors -disable C: to suspend BitLocker.
Step 3. Check permissions
Make sure the account running the task sequence has sufficient permissions to manage BitLocker.
1. Ensure the task sequence is executed under an account with administrative privileges.
2. Check group policies related to BitLocker management and ensure they are not restricting the task sequence actions.
Step 4. Update BIOS/UEFI Firmware
Outdated BIOS/UEFI firmware can cause issues with BitLocker and TPM.
1. Check the manufacturer’s website for the latest BIOS/UEFI updates.
2. Apply the update following the manufacturer’s instructions.
Step 5. Update BitLocker Management Tools
Ensure you are using the latest versions of BitLocker management tools and SCCM/MDT.
1. Open the SCCM console.
2. Go to Administration > Overview > Updates and Servicing.
3. If the latest update is not listed, click Check for Updates. Install any available updates for MDT.
Step 6. Review Task Sequence Logs
Check the logs to identify where the failure occurs.
1. Review the smsts.log file located in C:\Windows\CCM\Logs\ or X:\Windows\Temp\SMSTSLog\ during WinPE.
2. Look for errors related to BitLocker and investigate the specific error codes.
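One way to carry out the log review in Step 6, as an added example that is not part of the original article: a PowerShell function that parses CMTrace-style entries, keeps BitLocker-related warnings and errors, and asks Windows to describe any error code it finds. The function name and the sample log lines are constructed for illustration.

```powershell
# Added example, not from the original article. The log lines below are
# constructed samples in the CMTrace layout that smsts.log uses.
$sample = @'
<![LOG[Start executing an instruction. Instruction name: 'Disable BitLocker']LOG]!><time="10:02:11.120+000" date="01-15-2024" component="TSManager" context="" type="1" thread="2100" file="sample">
<![LOG[BitLocker protectors could not be disabled on C:]LOG]!><time="10:02:12.310+000" date="01-15-2024" component="OSDBitLocker" context="" type="2" thread="2100" file="sample">
<![LOG[Failed to run the action: Disable BitLocker. Error 0x00000032]LOG]!><time="10:02:12.500+000" date="01-15-2024" component="TSManager" context="" type="3" thread="2100" file="sample">
'@

function Get-SmstsBitLockerFinding {
    param([Parameter(Mandatory)][string]$Text)
    # (?s) lets a message span several physical lines, as CMTrace entries may.
    $entry = [regex]'(?s)<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)" context="[^"]*" type="(?<type>\d)"'
    foreach ($m in $entry.Matches($Text)) {
        $type = [int]$m.Groups['type'].Value        # 1 = info, 2 = warning, 3 = error
        $msg  = $m.Groups['msg'].Value
        $comp = $m.Groups['comp'].Value
        # Keep only warnings and errors that mention BitLocker in component or message.
        if ($type -lt 2 -or "$comp $msg" -notmatch 'BitLocker') { continue }

        $code = $null; $meaning = $null
        if ($msg -match '0x0*(?<hex>[0-9A-Fa-f]{1,8})\b') {
            # HRESULTs of the form 0x8007nnnn carry a Win32 error in the low word.
            $hex  = $Matches['hex'] -replace '^8007(?=[0-9A-Fa-f]{4}$)', ''
            $code = [Convert]::ToInt32($hex, 16)
            # Ask Windows for its own description of the code.
            $meaning = [System.ComponentModel.Win32Exception]::new($code).Message
        }
        [pscustomobject]@{
            When      = '{0} {1}' -f $m.Groups['date'].Value, $m.Groups['time'].Value
            Component = $comp
            Severity  = @{ 2 = 'Warning'; 3 = 'Error' }[$type]
            Message   = $msg.Trim()
            Code      = $code
            Meaning   = $meaning
        }
    }
}

Get-SmstsBitLockerFinding -Text $sample | Format-List
# Against a real log:
# Get-SmstsBitLockerFinding -Text (Get-Content -Raw 'C:\Windows\CCM\Logs\smsts.log')
```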
Step 7. Disable BitLocker before Deployment
As a temporary workaround, manually disable BitLocker before starting the task sequence.
1. Open Command Prompt as an administrator.
2. Run manage-bde -off C: to disable BitLocker encryption.
Now you can try to turn off BitLocker in task sequence again.
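Steps 1 to 3 combined into one script for a "Run Command Line" step, as an added example rather than code from the original article. It assumes the full OS with the BitLocker and TrustedPlatformModule PowerShell modules available; the parameter names and exit codes are choices made for this example.

```powershell
# Added example, not from the original article. Run elevated in the full OS.
# Exit codes (0 ok, 1 suspend failed, 2 volume locked, 5 not elevated) are
# choices made for this example so the task sequence step can fail visibly.
param(
    [string]$MountPoint = 'C:',
    # 0 would suspend indefinitely; this example refuses that on purpose.
    [ValidateRange(1, 15)][int]$RebootCount = 1
)

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Step 3: the account must be allowed to manage BitLocker.
if (-not (Test-Elevated)) { Write-Error 'Not running elevated.'; exit 5 }

# Step 1: record TPM and volume state before changing anything.
$tpm = Get-Tpm
Write-Output ('TPM present={0} ready={1}' -f $tpm.TpmPresent, $tpm.TpmReady)

$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
Write-Output ('{0}: volume={1} protection={2} lock={3}' -f `
    $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.LockStatus)

if ($vol.LockStatus -eq 'Locked') { Write-Error 'Volume is locked.'; exit 2 }
if ($vol.ProtectionStatus -eq 'Off') {
    Write-Output 'Protection is already off; nothing to suspend.'
    exit 0
}

# Step 2: suspend protectors. The data stays encrypted; the key is left
# unprotected on disk until protection resumes after $RebootCount restarts.
Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount -ErrorAction Stop |
    Out-Null

# Confirm the change instead of trusting the command's exit status alone.
$after = Get-BitLockerVolume -MountPoint $MountPoint
if ($after.ProtectionStatus -ne 'Off') { Write-Error 'Suspend did not take effect.'; exit 1 }
Write-Output ('Suspended for {0} restart(s); volume status is still {1}.' -f `
    $RebootCount, $after.VolumeStatus)
exit 0
```

Unlike manage-bde -off in Step 7, suspending leaves the volume encrypted, and a bounded reboot count means protection comes back without a separate resume step.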
Alternative tool to task sequence to turn off BitLocker
As you can see, fixing a task sequence that fails to turn off BitLocker may be a little difficult for ordinary users. If you just want to turn off BitLocker, you can try AOMEI Partition Assistant Professional.
This comprehensive encryption program is compatible with all versions of Windows 11/10/8/7, enabling you to effortlessly administer your BitLocker drive. It includes drive encryption/decryption, recovery key backup, password modification, and drive locking/unlocking.
Step 1. Find the encrypted drive you would like to decrypt and click the option "Turn off BitLocker".
Step 2. There are 2 ways available to decrypt the drive: Use password to decrypt the drive and Use recovery key to decrypt the drive. Please select either way as per your need.
If you select "Use a password to decrypt the drive", please enter the right password and then click the "Decrypt" button.
If you select "Use a recovery key to decrypt the drive", please enter the recovery key saved in the TXT file or printed when you encrypted the drive, and then click the "Decrypt" button.
Step 3. Then, the decryption process will start and it might take time to decrypt the drive. Once the decryption process is finished, please click "Completed". Finally, the BitLocker on the drive is decrypted.
Bonus tips: How to disable BitLocker service
In addition to using the "Turn off BitLocker" option to decrypt the drive, if you don't need the BitLocker service in the long term, there is a permanent solution: BitLocker encryption can be disabled. After disabling BitLocker, all encrypted data drives on the computer will be mounted with read and write access, eliminating the need to deactivate BitLocker individually for specific drives.
Option 1. Using Local Services
Step 1. Press the Windows + R keys at the same time to open Run dialog. Type services.msc and press "Enter" or click on "OK" to continue.
Step 2. When the Services window opens, locate and double-click on "BitLocker Drive Encryption Service".
Step 3. Set the Startup type to Disabled and click on "Apply" and "OK" to save changes.
Option 2. Using Local Group Policy Editor
Step 1. Type Group Policy in the Search bar, then select "Edit Group Policy" from the list.
Step 2. From here, navigate using the left-hand side menu to Computer Configuration -> Administrative Templates -> Windows Components -> BitLocker Drive Encryption -> Fixed Data Drives, select the "Deny write access to fixed drives not protected by BitLocker" option, and double-click it.
Step 3. Click Not Configured or Disabled, and click on "Apply" and "OK" to save changes.
To sum up
Although task sequences can handle many jobs, such as deploying operating systems, installing applications, applying updates, and configuring settings, not all users can fix them when they have glitches, because most solutions require complex commands. If you also run into a task sequence that fails to turn off BitLocker, you can use another tool, like AOMEI Partition Assistant Professional, to turn off BitLocker first.
Besides managing BitLocker, this practical tool can also help you clone disks and partitions, transfer installed apps, migrate the OS, clean disks, etc. There is also a Server edition for Windows Server users to efficiently organize PC resources.