Windows 7 Ultimate - X 64 - Bitlocker on non-domain joined machine
Hello all, Please accept my apology if this question is redundant; however, I have not been able to find the answer.

Scenario: computer account removed from domain, bitlockered (no TPM - key stored on removable media), rejoined, and Domain Admins removed from the local Admin group. Engineers later decide they want to get into your kit so they create a restricted group GPO that populates the local admin group with domain admins and assign it to your kit.

Question: Can a DA then remotely do a "manage-bde disable" to essentially bypass bitlocker, or could they even do a decrypt? On a drive that has been BL'd out of band (off the domain) then rejoined, can it be overridden or superseded by an admin once the kit is rejoined?

~* 42024X7 *~
March 25th, 2011 7:35pm

Jeffrey, If the DA account is a member of the local admin group on the client, you can manage BitLocker from a client. You can suspend protection or turn off BitLocker.

>manage-bde -off c: -cn "computername"

If you want to prevent a local admin from turning off BitLocker, then check this blog which I wrote.
http://blogs.technet.com/b/askcore/archive/2010/08/13/how-to-prevent-local-administrator-from-turning-off-bitlocker.aspx

-Manoj (MSFT)
Manoj Sehgal
May 17th, 2011 12:40pm
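
Since the reply above ties BitLocker management rights to local Administrators membership, the following audit lists who is in that group and shows the current protection state of the system drive. It is an added example, not code from the thread or the linked blog, and it assumes the group has its default English name "Administrators", English manage-bde output, and an elevated prompt.

```powershell
# Added example: who can manage BitLocker on this machine, and is it protected?
# Uses the WinNT ADSI provider so it also works on Windows 7 / PowerShell 2.0.
# Assumption: default English group name "Administrators".
$computer = $env:COMPUTERNAME
$group    = [ADSI]"WinNT://$computer/Administrators,group"

# Each member's ADsPath looks like WinNT://DOMAIN/Domain Admins (domain principal)
# or WinNT://DOMAIN/COMPUTER/Administrator (account local to this computer).
$paths = @(
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
)

$localMarker = "/$computer/"
$report = foreach ($p in $paths) {
    $isLocal = $p.IndexOf($localMarker, [StringComparison]::OrdinalIgnoreCase) -ge 0
    New-Object PSObject -Property @{
        Member = ($p -replace '^WinNT://', '')
        Scope  = $(if ($isLocal) { 'local' } else { 'not local (domain or built-in)' })
    }
}

'Members of local Administrators (each can suspend or turn off BitLocker):'
$report | Sort-Object Scope, Member | Format-Table Member, Scope -AutoSize

# Any non-local entry means the right to manage BitLocker is granted from
# outside the machine, for example by a Restricted Groups GPO.
$external = @($report | Where-Object { $_.Scope -ne 'local' })
if ($external.Count -gt 0) {
    'Non-local principals with administrative rights: {0}' -f $external.Count
}

# Current protection state of the system drive.
# Assumption: English manage-bde output with these field labels.
'BitLocker state of {0}' -f $env:SystemDrive
manage-bde -status $env:SystemDrive |
    Where-Object { $_ -match 'Conversion Status|Protection Status' }
```

Running this on a schedule and comparing the member list against an expected baseline shows when group policy has repopulated the local Administrators group.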

This topic is archived. No further replies will be accepted.
