
Comment by pnw

1 day ago

You can turn it off without resorting to a local account, although it's non-obvious.

GPEdit → Computer Configuration → Administrative Templates → Windows Components → BitLocker Drive Encryption → Operating System Drives → “Choose how BitLocker-protected operating system drives can be recovered”

Repeat for other drives.

I imagine you have to re-encrypt the drive after that, though, for it to have some real effect.

  • No, the actual data encryption key doesn't need to change unless you're very paranoid. The backup key and your normal key are just to decrypt the data encryption key.
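
The point made in the reply above, as an added example that is not part of either comment: rotating the recovery password swaps one key protector and leaves the encrypted data alone, which the volume status shows before and after. It assumes an elevated PowerShell session, the built-in BitLocker module, and `C:` as the OS volume.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumption: C: is the BitLocker-protected OS volume.
$mount = 'C:'

# State before the change: protectors present and how much of the volume is encrypted.
$before = Get-BitLockerVolume -MountPoint $mount
$before | Select-Object MountPoint, VolumeStatus, EncryptionPercentage
$before.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId

# Recovery-password protectors that existed before the rotation.
$oldIds = @($before.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object KeyProtectorId)

# Add the replacement first so the volume is never left without a recovery protector.
$afterAdd = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector

# Show the new recovery password so it can be recorded wherever you keep such secrets.
$afterAdd.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $oldIds -notcontains $_.KeyProtectorId } |
    Select-Object KeyProtectorId, RecoveryPassword

# Remove the old recovery passwords; any previously backed-up copy stops unlocking the volume.
foreach ($id in $oldIds) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $id | Out-Null
}

# State after the change: only the protector list differs, and no
# encryption pass was started (VolumeStatus and EncryptionPercentage are unchanged).
$after = Get-BitLockerVolume -MountPoint $mount
$after | Select-Object MountPoint, VolumeStatus, EncryptionPercentage
$after.KeyProtector | Select-Object KeyProtectorType, KeyProtectorId
```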