Comment by pnw
1 day ago
You can turn it off without resorting to a local account, although it's non-obvious.
GPEdit → Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → “Choose how BitLocker-protected operating system drives can be recovered”
Repeat for other drives.
I imagine you have to re-encrypt the drive after that, though, for it to have some real effect.
No, you can just revoke and regenerate the recovery key with `manage-bde`.
No, the actual data encryption key doesn't need to change unless you're very paranoid. The backup key and your normal key are just to decrypt the data encryption key.
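
The recovery-key rotation mentioned in the replies above, as an added example that is not part of the original thread. It uses the BitLocker PowerShell cmdlets rather than `manage-bde` so the protector IDs can be handled as objects; the `C:` mount point is an assumption, and it must run from an elevated session.

```powershell
# Added example (not from the thread): rotate the BitLocker recovery password.
# Only the protector that unlocks the volume's key is replaced; the data on the
# drive is not re-encrypted.
param(
    [string]$MountPoint = 'C:'   # assumption: the OS drive; repeat for other drives
)

$volume = Get-BitLockerVolume -MountPoint $MountPoint
if ($volume.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; nothing to rotate."
}

# Remember the recovery passwords that exist now so they can be revoked afterwards.
$old = @($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

# Add the replacement first so the volume is never left without a recovery path.
# manage-bde equivalent: manage-bde -protectors -add C: -RecoveryPassword
Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector |
    Out-Null

# Revoke every previous recovery password by its protector ID.
# manage-bde equivalent: manage-bde -protectors -delete C: -id "{ID}"
foreach ($kp in $old) {
    Remove-BitLockerKeyProtector -MountPoint $MountPoint `
        -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# Confirm that exactly one recovery password remains and that it is the new one.
$current = @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

if ($current.Count -ne 1 -or $old.KeyProtectorId -contains $current[0].KeyProtectorId) {
    throw "Rotation did not leave exactly one new recovery password on $MountPoint."
}

# Record this value offline; any copy of the old recovery password no longer unlocks the drive.
$current | Select-Object KeyProtectorId, RecoveryPassword
```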