Windows 7 Ultimate - X 64 - Bitlocker on non-domain joined machine
Hello all,
Please accept my apology if this question is redundant; however, I have not been able to find the answer. Scenario: computer account removed from domain, BitLockered (no TPM - key stored on removable media), rejoined, and Domain Admins removed from the local Admin group. Engineers later decide they want to get into your kit, so they create a Restricted Groups GPO that populates the local Admin group with Domain Admins and assign it to your kit.
Question: Can a DA then remotely do a "manage-bde disable" to essentially bypass BitLocker, or could they even do a decrypt? On a drive that has been BL'd out of band (off the domain) and then rejoined, can it be overridden or superseded by an admin once the kit is rejoined? ~* 42024X7 *~
March 25th, 2011 7:35pm
Jeffrey,
If the DA account is a member of the local Administrators group on the client, you can manage BitLocker from a client.
You can suspend protection or turn off BitLocker.
>manage-bde -off c: -cn "computername"
If you want to prevent a local admin from turning off BitLocker, check this blog post, which I wrote.
http://blogs.technet.com/b/askcore/archive/2010/08/13/how-to-prevent-local-administrator-from-turning-off-bitlocker.aspx
-Manoj (MSFT)
Manoj Sehgal
May 17th, 2011 12:40pm
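The reply above boils down to two conditions: a domain group has been pushed into the local Administrators group, and the volume is still relying on protectors that anyone in that group can suspend or remove with manage-bde. The following script is an added example and is not part of the thread or of any Microsoft tool; it audits both conditions on a Windows 7 machine without a TPM, using only manage-bde (which ships with Windows 7 Ultimate/Enterprise and accepts -cn / -ComputerName for remote use over WMI) and the WinNT ADSI provider, since Get-LocalGroupMember does not exist before Windows 10. The function name Get-BitLockerExposure, the default watch group "Domain Admins" and the hostname in the usage line are assumptions for this example.

```powershell
function Get-BitLockerExposure {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$Volume       = 'C:',
        [string]$WatchGroup   = 'Domain Admins'   # assumed: the group the Restricted Groups GPO adds
    )

    # 1. Who is in the local Administrators group? The WinNT ADSI provider works against a
    #    remote Windows 7 host when the caller is already a local administrator there.
    $adsiGroup = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $admins = @($adsiGroup.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    $watchGroupPresent = [bool]($admins | Where-Object { $_ -eq $WatchGroup })

    # 2. Is protection actually enforced? manage-bde -status prints
    #    "Protection Status: Protection On" while protectors are active and
    #    "Protection Off" once they have been suspended or the volume is decrypting.
    #    manage-bde only produces text, so the text is what gets parsed.
    $statusText   = & manage-bde -status $Volume -cn $ComputerName 2>&1 | Out-String
    $protectionOn = [bool]($statusText -match 'Protection Status:\s+Protection On')
    $convState    = if ($statusText -match 'Conversion Status:\s+(.+)') { $Matches[1].Trim() } else { 'Unknown' }

    # 3. Which key protectors exist? With no TPM the expected set is an External Key
    #    (the USB startup key) plus a Numerical Password (the recovery password).
    #    Protector type headings are the 4-space-indented lines ending in ':' in the
    #    output of manage-bde -protectors -get; the ID lines underneath are indented further.
    $protectorLines = & manage-bde -protectors -get $Volume -cn $ComputerName 2>&1
    $protectors = @($protectorLines | ForEach-Object {
        if ("$_" -match '^ {4}(\S[^:]*):\s*$') { $Matches[1] }
    })

    # New-Object rather than [PSCustomObject] so this runs on the PowerShell 2.0 that
    # Windows 7 ships with.
    New-Object PSObject -Property @{
        ComputerName               = $ComputerName
        Volume                     = $Volume
        LocalAdmins                = $admins
        WatchGroupInAdmins         = $watchGroupPresent
        ProtectionOn               = $protectionOn
        ConversionStatus           = $convState
        KeyProtectors              = $protectors
        # Exactly the situation the reply describes: a member of the watched group can
        # suspend protectors or decrypt the volume from any domain-joined box.
        CanBeTurnedOffByWatchGroup = ($watchGroupPresent -and $protectionOn)
    }
}

# Usage (hostname is a placeholder):
# Get-BitLockerExposure -ComputerName 'WS-JEFFREY' | Format-List
```

A result with WatchGroupInAdmins true and ProtectionOn true answers the original question in the affirmative: from any domain machine, a member of that group can run `manage-bde -protectors -disable C: -cn WS-JEFFREY` to suspend protection (the volume boots without the USB key until `-protectors -enable`) or `manage-bde -off C: -cn WS-JEFFREY` to decrypt it outright, as the reply states. A result with ProtectionOn false, or a ConversionStatus other than "Fully Encrypted", on a machine you never suspended yourself means one of those commands has already been run. Two caveats: the script needs the same local administrator rights it is checking for, so run it from an account you trust and from a host whose firewall allows remote WMI/DCOM to the target; and the audit only reports the exposure, it does not prevent it, which is what the blog post linked in the reply addresses.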