BitLocker: Is there a GPO option to forbid decryption/re-encryption?

Guest

I see GPO settings to set options for BitLocker, such as mandating recovery
keys into AD or the level of encryption, but is there an option to keep a
user from decrypting the drive once it has been deployed to them as encrypted?

This applies to the case where a company policy deploys all laptops with
encryption, and doesn't want users to decrypt or re-encrypt the drive
themselves.

Thanks!
 
Jamie Hunter [MS]

There is currently no GPO to block this.
You can catch this with a 'health check' script, in particular to
(a) make sure the backup key is backed up (you can set a GPO to require that
this key is always backed up, which will block encryption if the AD is not
available)
(b) make sure the volume is encrypted, and to begin encrypting if the user
manually decrypted it / paused it.

Or, our more preferred approach, is to not allow the user to be able to log
on as an Administrator :).

-
Jamie Hunter [MS]
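The "health check" script the answer sketches, written out as an added example (not code from the thread or from Microsoft): it checks that a recovery password protector exists and is backed up to AD DS, and that the volume is encrypted with protection on, and with the -Remediate switch it starts or resumes encryption. It assumes a domain-joined machine with the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and a TPM; the -Remediate switch and the finding messages are this script's own conventions, not BitLocker options.

```powershell
# Added example: BitLocker health check of the kind described in the answer.
# Assumes: BitLocker PowerShell module available, machine joined to a domain
# so recovery passwords can be escrowed to AD DS, TPM present for new enables.
[CmdletBinding()]
param(
    [string]$MountPoint = $env:SystemDrive,  # e.g. "C:"
    [switch]$Remediate                       # report only unless set (script's own switch)
)

$findings = New-Object System.Collections.Generic.List[string]
$vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

# (a) A recovery password protector must exist; when remediating, escrow it to AD DS.
$recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $recovery) {
    $findings.Add("$MountPoint has no RecoveryPassword key protector")
    if ($Remediate -and $vol.VolumeStatus -ne 'FullyDecrypted') {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    }
}
if ($recovery -and $Remediate) {
    foreach ($kp in $recovery) {
        # Backup-BitLockerKeyProtector writes the recovery password to the
        # computer object in AD DS and fails if no domain controller is reachable.
        try {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        } catch {
            $findings.Add("could not back up protector $($kp.KeyProtectorId) to AD DS: $_")
        }
    }
}

# (b) The volume must be encrypted with protection on; otherwise start or resume.
switch ($vol.VolumeStatus) {
    'FullyEncrypted' {
        if ($vol.ProtectionStatus -ne 'On') {
            $findings.Add("$MountPoint is encrypted but protection is suspended")
            if ($Remediate) { Resume-BitLocker -MountPoint $MountPoint | Out-Null }
        }
    }
    'FullyDecrypted' {
        $findings.Add("$MountPoint is not encrypted")
        if ($Remediate) {
            # TPM protector first (SkipHardwareTest starts encrypting without a
            # reboot), then a recovery password that the next run escrows to AD.
            Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest | Out-Null
            Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        }
    }
    'EncryptionPaused' {
        $findings.Add("$MountPoint encryption paused at $($vol.EncryptionPercentage)%")
        # The BitLocker module has no cmdlet for resuming a paused conversion;
        # manage-bde -resume does that.
        if ($Remediate) { & manage-bde.exe -resume $MountPoint | Out-Null }
    }
    { $_ -in 'DecryptionInProgress', 'DecryptionPaused' } {
        $findings.Add("$MountPoint is being decrypted ($($vol.EncryptionPercentage)% still encrypted)")
        # Assumption: a running decryption is left to finish; a later run of
        # this script re-enables encryption once the volume is FullyDecrypted.
    }
    'EncryptionInProgress' { }   # healthy, just not finished
}

if ($findings.Count -eq 0) {
    "OK: $MountPoint is encrypted, protected and has a recovery password"
    exit 0
}
$findings | ForEach-Object { "FINDING: $_" }
exit 1   # non-zero so a scheduled task or management agent can flag the machine
```

Run it as a scheduled task under SYSTEM (the BitLocker cmdlets need elevation); without -Remediate it only reports, which is the safer default for a first rollout. Note the answer's point still stands: a local administrator can suspend or decrypt again after the script runs, so the check is a detective control, not a preventive one.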
 