Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

BitLocker To Go

Status
Not open for further replies.
disturbedone

disturbedone

Vendor
Sep 28, 2006
781
AU
I'm enabling BitLocker on enterprise laptops and that is working fine. I'm now testing BitLocker To Go and have spotted a permissions issue.

It appears that users can control their own BitLocker To Go settings. It is possible, via Group Policy, to enforce passwords on USB drives and the user can then use this to unlock the drive. They can even change the password if required (the Recovery Key is still stored in AD if they forget their password). But there is still the ability in 'Manage BitLocker' to turn off BitLocker To Go completely. This seems absurd! The idea of having BitLocker To Go on USB drives is to stop the theft of content if the drive is lost. Even if a password is on the drive the user could just decide to just turn it off and if the drive is lost then the content is accessible.

I can't find any GPO setting that would stop the ability for a user to turn this off. Nor can I find anything online about it. Surely I'm not the only one to have spotted this. Anyone thought about this and have a way to stop this?
 
Sort by date Sort by votes
Scratch that.....found the GPO setting.

Computer Configuration/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Removable Data Drives/Control use of BitLocker on removable drives/

Allow users to suspect and decrypt BitLocker protection on removable data drives - untick

It's a bit confusing because in Control Panel/Manage BitLocker it still shows the option to 'Turn off BitLocker' and when clicking it it still prompts if you want to do it and only then does it say that a GPO denies the ability.

Removing the ability to access Control Panel/Manage BitLocker is probably the best idea to stop users from even seeing this. Users put a USB drive in, it prompts to put a password on (or leave it read only) and that's it. From then on the drive is encrypted and can only be temporarily unlocked by the user with the password and also by admin using the recovery key.
 
Upvote 0 Downvote
Interestingly there's no such option for 'operating system drives'. The ability to turn off BitLocker is controlled by local administrative privileges.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Andrzejek
  • Locked
  • Question
How to Disable Google Chrome Password Manager 2
Replies
3
Views
424
combo
combo
acfreema
  • Locked
  • Question
Offline/standalone Google Chrome management
Replies
0
Views
200
acfreema
acfreema
pjw001
  • Locked
  • Question
How to configure Bookmarks in Chrome 2
Replies
4
Views
282
pjw001
pjw001
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
1
Views
368
pjw001
pjw001
Flinx
  • Locked
  • Question
the SAGA of trying to get a computer to sleep and wake up on a schedule
Replies
1
Views
656
Flinx
Flinx

Part and Inventory Search

Sponsor

Back
Top