Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

BitLocker To Go

Status
Not open for further replies.

disturbedone

Vendor
Sep 28, 2006
781
AU
I'm enabling BitLocker on enterprise laptops and that is working fine. I'm now testing BitLocker To Go and have spotted a permissions issue.

It appears that users can control their own BitLocker To Go settings. It is possible, via Group Policy, to enforce passwords on USB drives and the user can then use this to unlock the drive. They can even change the password if required (the Recovery Key is still stored in AD if they forget their password). But there is still the ability in 'Manage BitLocker' to turn off BitLocker To Go completely. This seems absurd! The idea of having BitLocker To Go on USB drives is to stop the theft of content if the drive is lost. Even if a password is on the drive the user could just decide to just turn it off and if the drive is lost then the content is accessible.

I can't find any GPO setting that would stop the ability for a user to turn this off. Nor can I find anything online about it. Surely I'm not the only one to have spotted this. Anyone thought about this and have a way to stop this?
 
Scratch that.....found the GPO setting.

Computer Configuration/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Removable Data Drives/Control use of BitLocker on removable drives/

Allow users to suspect and decrypt BitLocker protection on removable data drives - untick

It's a bit confusing because in Control Panel/Manage BitLocker it still shows the option to 'Turn off BitLocker' and when clicking it it still prompts if you want to do it and only then does it say that a GPO denies the ability.

Removing the ability to access Control Panel/Manage BitLocker is probably the best idea to stop users from even seeing this. Users put a USB drive in, it prompts to put a password on (or leave it read only) and that's it. From then on the drive is encrypted and can only be temporarily unlocked by the user with the password and also by admin using the recovery key.
 
Interestingly there's no such option for 'operating system drives'. The ability to turn off BitLocker is controlled by local administrative privileges.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top