smaunsell

BitLocker To Go

I'm enabling BitLocker on enterprise Dell laptops and that is working fine. I'm now testing BitLocker To Go and have spotted a permissions issue.

It appears that users can control their own BitLocker To Go settings. It is possible, via Group Policy, to enforce passwords on USB drives, and the user can then use this to unlock the drive. They can even change the password if required (the Recovery Key is still stored in AD using a GPO if they forget their password). But there is still the ability in 'Manage BitLocker' to turn off BitLocker To Go completely. This seems absurd! The idea of having BitLocker To Go on USB drives is to stop the theft of content if the drive is lost. Even if a password is on the drive, the user could just decide to turn it off and, if the drive is lost, the content is accessible.

I can't find any GPO setting that would stop a user from turning this off. Nor can I find anything online about it. Surely I'm not the only one to have spotted this. Has anyone thought about this and found a way to stop it?

Scratch that... found the GPO setting.


Computer Configuration/Policies/Administrative Templates/Windows Components/BitLocker Drive Encryption/Removable Data Drives/Control use of BitLocker on removable drives/


Allow users to suspend and decrypt BitLocker protection on removable data drives - untick


It's a bit confusing because in Control Panel/Manage BitLocker it still shows the option to 'Turn off BitLocker', and when clicking it, it still prompts to confirm, and only then does it say that a GPO denies the ability.


Removing the ability to access Control Panel/Manage BitLocker is probably the best idea to stop users from even seeing this. Users put a USB drive in, it prompts them to put a password on it (or leave it read-only), and that's it. From then on the drive is encrypted and can only be temporarily unlocked by the user with the password, or by an admin using the recovery key.

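Added example (not part of the original thread): a PowerShell check that an admin can run on a client to confirm the policy described above has actually landed, and to see which removable drives are protected. It assumes that the "Control use of BitLocker on removable drives" policy is written to HKLM\SOFTWARE\Policies\Microsoft\FVE as the values RDVConfigureBDE, RDVAllowBDE and RDVDisableBDE, and that "Deny write access to removable drives not protected by BitLocker" is written as RDVDenyWriteAccess; these value names are not in the thread and are assumptions here.

```powershell
# Added example, not from the original post. Run elevated on a domain-joined
# client after 'gpupdate /force'.
# Assumption: the "Control use of BitLocker on removable drives" policy writes
# RDVConfigureBDE / RDVAllowBDE / RDVDisableBDE under the FVE policy key, and
# "Deny write access to removable drives not protected by BitLocker" writes
# RDVDenyWriteAccess (the "leave it read-only" behaviour mentioned in the thread).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue {
    param([string]$Name)
    # $null means the value is absent, i.e. the setting is "Not Configured".
    try { (Get-ItemProperty -Path $fve -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$policy = [ordered]@{
    'Control use of BitLocker (RDVConfigureBDE)'            = Get-FvePolicyValue 'RDVConfigureBDE'
    'Users may apply BitLocker (RDVAllowBDE)'               = Get-FvePolicyValue 'RDVAllowBDE'
    'Users may suspend/decrypt (RDVDisableBDE)'             = Get-FvePolicyValue 'RDVDisableBDE'
    'Deny write to unprotected drives (RDVDenyWriteAccess)' = Get-FvePolicyValue 'RDVDenyWriteAccess'
}
$policy.GetEnumerator() | Format-Table Name, Value -AutoSize

# The setting found in the thread: the policy must be Enabled (RDVConfigureBDE = 1)
# with "Allow users to suspend and decrypt" unticked (RDVDisableBDE = 0) before
# 'Turn off BitLocker' on a removable drive is refused.
if ((Get-FvePolicyValue 'RDVConfigureBDE') -eq 1 -and (Get-FvePolicyValue 'RDVDisableBDE') -eq 0) {
    Write-Host 'OK: users cannot suspend or decrypt BitLocker To Go drives.'
} else {
    Write-Warning 'Users can still turn off BitLocker on removable drives (policy not configured or not yet applied).'
}

# Show what is actually plugged in: removable data volumes with their protection
# state and key protector types (expect 'Password' plus 'RecoveryPassword' when
# the recovery key is being backed up to AD).
Get-BitLockerVolume |
    Where-Object {
        $_.VolumeType -eq 'Data' -and
        $_.MountPoint -match '^[A-Za-z]:' -and
        (Get-Volume -DriveLetter $_.MountPoint.Substring(0, 1)).DriveType -eq 'Removable'
    } |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, LockStatus,
        @{ Name = 'Protectors'; Expression = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }
```

The registry check is the quickest way to tell the difference between "the GPO is wrong" and "the GPO has not replicated to this machine yet", which is hard to see from the Control Panel behaviour the post describes (the 'Turn off BitLocker' option stays visible either way).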
Interestingly there's no such option for 'operating system drives'. The ability to turn off BitLocker is controlled by local administrative privileges.
