Hello, my name is Manoj Sehgal. I am a Support Escalation Engineer in the Windows group and today’s blog will cover “How to Prevent Local Administrators from turning OFF bitlocker”.
In an organization, some users are members of the local Administrators group so that they can install applications. By default, members of the local Administrators group have the rights to Turn OFF or Suspend BitLocker.
If we want to prevent local admins from turning OFF or suspending BitLocker, we can achieve this easily by implementing the 2 steps below.
- Configure a GPO to remove the Bitlocker Icon from Control Panel.
- Configure Application Control Policies (Applocker) to block manage-bde.exe.
Step 1: How to remove Bitlocker Icon from Control Panel
1. We will need to create a User Group Policy to hide the BitLocker icon in Control Panel.
2. Open Group Policy Management Editor and expand User configuration.
3. Under Administrative Templates, click Control Panel.
4. Click on Hide Specified Control Panel items and Enable this policy (see below).
Figure 1: Group Policy Editor to configure the Policy
5. Click on Show “List of disallowed Control Panel Items”.
6. Add the Canonical Name for BitLocker, which is Microsoft.BitLockerDriveEncryption.
See link below to get Canonical Names of Control Panel Items.
http://msdn.microsoft.com/en-us/library/ee330741(v=VS.85).aspx
Figure 2: Enable the “Hide Specified Control Panel Items” Policy.
Figure 3: Add Value as Microsoft.BitLockerDriveEncryption
7. After you have created the group policy, on the client machine, run gpupdate /force.
8. The above steps will remove the BitLocker Drive Encryption icon from Control Panel.
Step 2: How to use Application Control Policies (Applocker) to block manage-bde
1. If we want to use AppLocker, we have to make sure that the Application Identity Service is running on the client machine.
We can also use a Group Policy object (GPO) setting that configures the Application Identity service Startup type to Automatic. For information about using Group Policy, see Planning and Deploying Group Policy (http://go.microsoft.com/fwlink/?LinkId=143689).
2. Open the Services control panel and start the Application Identity Service.
3. On the computer, open the local security policy (secpol.msc).
4. In the console tree, double-click Application Control Policies, and then double-click AppLocker.
5. Expand Application Control Policies and right-click Executable Rules.
6. Create a New Rule that denies access to manage-bde.exe for all users.
Figure 4: Applocker rule to Deny Access to manage-bde
7. See figures 6, 7 and 8 below to create the rule and enforce it.
Figure 5: Deny Properties with the Path for manage-bde.
Figure 6: Path to manage-bde.exe
Figure 8: Enforcement of the policy.
8. Enforce the rules, and the policy is in place.
9. On the client machine, run gpupdate /force.
10. Now if you open a command prompt and try to run manage-bde.exe, you will get Access Denied, and the message will say that this program is blocked by Group Policy.
If you open Windows Explorer, you can still see the Turn On BitLocker and Manage BitLocker options on the drive context menu.
To hide these options, make the registry change below on the computer.
For Operating System Drives:
Open the registry and browse to
[HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde-elev]
Change the value to "AppliesTo"="None"
For USB drives and Fixed Data drives, do the same under the key below:
[HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde]
"AppliesTo"="None"
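The client-side pieces of Step 2 and the registry change above, scripted as an added PowerShell example (this is not part of the original post). It assumes an elevated PowerShell session on a client with the AppLocker module available, that manage-bde.exe lives in %SYSTEM32%, and that the default AppLocker Allow rules already exist locally (the GUI offers to create them when the first rule is made).

```powershell
# Added example, not from the original post. Run elevated on the client machine.
Import-Module AppLocker

# --- Step 2 prerequisite: Application Identity service must be running ---
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# --- Step 2: Deny rule for manage-bde.exe, applied to Everyone (SID S-1-1-0) ---
# New-AppLockerPolicy only builds Allow rules, so the Deny rule is written as XML.
$denyRule = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny manage-bde.exe"
                  Description="Prevent local admins from turning BitLocker off"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%SYSTEM32%\manage-bde.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$xmlPath = Join-Path $env:TEMP 'deny-manage-bde.xml'   # assumed scratch location
$denyRule | Out-File -FilePath $xmlPath -Encoding UTF8

# -Merge adds this rule to the existing local policy instead of replacing it.
# An enforced Exe collection that held only this Deny rule would block every
# other executable, so the default Allow rules must already be present.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge

# Verify: the effective policy should report a Denied decision for manage-bde.exe
$check = Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:SystemRoot\System32\manage-bde.exe" -User Everyone
"manage-bde.exe decision: $($check.PolicyDecision)"

# --- Registry change: hide Turn On / Manage BitLocker verbs in Explorer ---
$shellKeys = @(
    'Registry::HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde-elev',  # operating system drives
    'Registry::HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde'        # fixed data and USB drives
)
foreach ($key in $shellKeys) {
    # AppliesTo is the query that decides when the verb is shown; "None" matches no drive.
    Set-ItemProperty -Path $key -Name 'AppliesTo' -Value 'None'
    "$key  AppliesTo = $((Get-ItemProperty -Path $key).AppliesTo)"
}
```

A deny rule reaches only the client it is applied to; for a domain-wide deployment the same XML can be imported into the AppLocker section of the GPO described in the post.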
For more information on Group Policies for BitLocker, see my blogs below.
Cannot Save Recovery Information for Bitlocker in Windows 7
http://blogs.technet.com/askcore/archive/2010/02/16/cannot-save-recovery-information-for-Bitlocker-in-windows-7.aspx
Bitlocker Policies for Windows 7 on Windows Server 2003 or Windows Server 2008
http://blogs.technet.com/b/askcore/archive/2010/07/02/bitlocker-policies-for-windows-7-on-windows-server-2003-or-windows-server-2008.aspx
How to backup recovery information in AD after Bitlocker is turned ON in Windows 7
http://blogs.technet.com/b/askcore/archive/2010/04/06/how-to-backup-recovery-information-in-ad-after-bitlocker-is-turned-on-in-windows-7.aspx
Manoj Sehgal
Support Escalation Engineer
Microsoft Enterprise Platforms Support