How can I completely prevent the use of BitLocker?
Our company has settled on using a third-party drive encryption tool. This tool will be the only allowed tool to encrypt drives according to our security policy. In order to comply, how can we completely block users from turning on BitLocker on their OS / Fixed Data drives? I can see a policy for disallowing BitLocker on Removable Drives, but not the other types. 90% of our users are standard users, and the other 10% are admins due to the nature of their jobs (programmers, developers, admins, etc.). We're wanting to prevent these 10% of people from using BitLocker, so that we don't have trouble recovering information if they leave the company / don't save their key / etc. Can this be done?
June 22nd, 2010 8:23pm

Hi, I assume that those computers are in an AD domain. If that is the case, "Group Policy settings can be used to prevent BitLocker from being enabled if the keys cannot be backed up to Active Directory." You can check the following link: http://technet.microsoft.com/en-us/library/cc725719(WS.10).aspx

Also, you can check the BitLocker requirements in the following link: http://windows.microsoft.com/en-us/windows-vista/Hardware-requirements-for-BitLocker-Drive-Encryption

Hope this helps!

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 23rd, 2010 4:57am

Going on that theory:

My workgroup computers can have a GPO set to back up to domain... and since that will fail, it will cause setup of BitLocker to fail. DOWNSIDE: Local administrators have access to Local GPO and can remove that requirement.

My current domain level is still 2003, which, in essence, stops the backup of keys unless I extend its schema. This works for domain machines. DOWNSIDE: Only works FOR NOW. What if I upgrade my domain to 2008 R2 functional level? Then BitLocker key backup will work.

Is my only REAL alternative to use Professional instead of Enterprise? I'd like to use Enterprise since we're entitled to it through SA... Why didn't Microsoft make a way to disable the feature through "Windows Features"? Any other suggestions?
June 24th, 2010 5:25am

You can use Group Policy to hide the BitLocker Control Panel applet, but if the user logs on with a local account they would still be able to access it.
July 1st, 2010 7:58pm

That will only hide it from the Control Panel, and not from the right-click menu on a drive in Explorer...
July 1st, 2010 8:13pm
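
Because the thread notes that a local administrator can remove the "require backup to Active Directory" policy, a periodic audit is a useful complement to the GPO. The script below is an added example, not part of any post in this thread: it checks that the policy values are still set and reports any volume BitLocker has touched. It assumes an elevated session on the audited machine and that your GPO sets the two Windows 7 policy values named in `$expected`; adjust that list to whatever your policy actually writes.

```powershell
# Added audit example (not from the thread). Run elevated on the machine being checked.
# Assumption: the GPO sets these values under the BitLocker (FVE) policy key.
$fveKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$expected = 'OSRequireActiveDirectoryBackup', 'FDVRequireActiveDirectoryBackup'
$findings = @()

# 1. Is the "require AD backup" policy still in place? A local admin can remove it.
$policy = Get-ItemProperty -Path $fveKey -ErrorAction SilentlyContinue
foreach ($name in $expected) {
    $value = if ($policy) { $policy.$name } else { $null }
    if ($value -ne 1) {
        $findings += New-Object psobject -Property @{
            Check  = "Policy:$name"
            Detail = "missing or not set to 1 (current value: '$value')"
        }
    }
}

# 2. Has BitLocker been turned on, or started encrypting, on any volume?
try {
    $volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                             -Class Win32_EncryptableVolume -ErrorAction Stop
} catch {
    # The namespace is absent on editions without BitLocker; nothing to audit there.
    $volumes = @()
}
foreach ($vol in $volumes) {
    $conv = $vol.GetConversionStatus()   # ConversionStatus 0 = fully decrypted
    if ($vol.ProtectionStatus -ne 0 -or $conv.ConversionStatus -ne 0) {
        $findings += New-Object psobject -Property @{
            Check  = "Volume:$($vol.DriveLetter)"
            Detail = "ProtectionStatus=$($vol.ProtectionStatus), " +
                     "ConversionStatus=$($conv.ConversionStatus), " +
                     "Encrypted=$($conv.EncryptionPercentage)%"
        }
    }
}

# 3. Report. A non-zero exit code lets a scheduled task or management agent flag the host.
if ($findings.Count -gt 0) {
    $findings | Select-Object Check, Detail | Format-Table -AutoSize
    exit 1
}
Write-Output 'No BitLocker-protected volumes found and policy values are present.'
exit 0
```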

This topic is archived. No further replies will be accepted.
