BitLocker: Is there a GPO option to forbid decryption/re-encryption


Guest

I see GPO settings to set options for BitLocker, such as mandating recovery
keys into AD or the level of encryption, but is there an option to keep a
user from decrypting the drive once it has been deployed to them as encrypted?

This applies to the case where a company policy deploys all laptops with
encryption, and doesn't want users to decrypt or re-encrypt the drive
themselves.

Thanks!
 
There is currently no GPO to block this.
You can catch this with a 'health check' script, in particular to
(a) make sure the backup key is backed up (you can set a GPO to require that
this key is always backed up, which will block encryption if the AD is not
available)
(b) make sure the volume is encrypted, and to begin encrypting if the user
manually decrypted it / paused it.

Or, our preferred approach is to not allow the user to log on as an
Administrator :).

-
Jamie Hunter [MS]
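A script along the lines of the health check described in the reply above, added here as an example rather than taken from the original post. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later), a domain-joined machine with the "Store BitLocker recovery information in AD DS" policy applied, and that it runs as SYSTEM from a scheduled task or startup script.

```powershell
# BitLocker health check for the OS volume (example, not from the thread).
# Assumes the BitLocker PowerShell module and a domain-joined machine.
param([string]$MountPoint = $env:SystemDrive)

$vol = Get-BitLockerVolume -MountPoint $MountPoint

# (a) A recovery password must exist and be escrowed to AD. Add one if missing,
#     then push every recovery protector to AD; a failed backup is reported,
#     not ignored, so it shows up in whatever collects the script's output.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}
foreach ($kp in $recovery) {
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    } catch {
        Write-Warning "Recovery key $($kp.KeyProtectorId) not escrowed to AD: $_"
    }
}

# (b) The volume must be encrypted with protection on. Resume if a user
#     suspended it, start encryption if it was fully decrypted, and flag an
#     in-flight decryption (it cannot be cancelled from here; the volume is
#     picked up as FullyDecrypted on a later run and re-encrypted then).
switch ($vol.VolumeStatus) {
    'FullyEncrypted' {
        if ($vol.ProtectionStatus -ne 'On') {
            Resume-BitLocker -MountPoint $MountPoint | Out-Null
            Write-Warning "Protection was suspended on $MountPoint; resumed."
        }
    }
    'FullyDecrypted' {
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest | Out-Null
        Write-Warning "$MountPoint was decrypted; encryption started."
    }
    'DecryptionInProgress' {
        Write-Warning "$MountPoint is being decrypted ($($vol.EncryptionPercentage)% still encrypted)."
    }
    # EncryptionInProgress: background conversion is still running, nothing to do.
}

# Final state for the caller (e.g. a monitoring agent) to record.
Get-BitLockerVolume -MountPoint $MountPoint |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
```

The script only enforces the policy after the fact; as the reply notes, the more reliable control is that a standard user cannot run these BitLocker operations at all.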
 