Is there a way to completely disable the bitlocker options through

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

We do not want to use bit locker in our company, and don't want the rogue
person to setup bitlocker and us not be able to recover data for them.

Is there a way to completly disable the bitlocker options though a GPO?

Thank you
 
Search Microsoft's TechNet and MSDN resources for Active Directory and
BitLocker - there are many documents available on this subject including a
guide to configuring BitLocker through Active Directory.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
I have seen quite a few posts regarging configuring it, but not disabling it
completely, so i was hoping someone might have a few ideas of pieces of it
that i could block or disable that would make the process difficult to
implement.

Thanks

Richard G. Harper said:
Search Microsoft's TechNet and MSDN resources for Active Directory and
BitLocker - there are many documents available on this subject including a
guide to configuring BitLocker through Active Directory.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Whitefearn said:
We do not want to use bit locker in our company, and don't want the rogue
person to setup bitlocker and us not be able to recover data for them.

Is there a way to completly disable the bitlocker options though a GPO?

Thank you
 
I didn't have time to read all the documents I found, but in general if you
can configure it via Active Directory, that includes the ability to disable
it.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Whitefearn said:
I have seen quite a few posts regarging configuring it, but not disabling
it
completely, so i was hoping someone might have a few ideas of pieces of it
that i could block or disable that would make the process difficult to
implement.

Thanks

Richard G. Harper said:
Search Microsoft's TechNet and MSDN resources for Active Directory and
BitLocker - there are many documents available on this subject including
a
guide to configuring BitLocker through Active Directory.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Whitefearn said:
We do not want to use bit locker in our company, and don't want the
rogue
person to setup bitlocker and us not be able to recover data for them.

Is there a way to completly disable the bitlocker options though a GPO?

Thank you
 
Whitefearn--

No, there is no specific GPO for preventing the use of BitLocker.

If user's aren't running as local administrators, then they can't enable
BitLocker anyway, so there's one way to prevent it. A more complicated way
would be to configure the group policy that requires backing up keys to
Active Directory but then don't do AD setup required for this -- thus
guaranteeing BitLocker installation failure.

I am curious, though -- why do you not want to take advantage of one of the
most important features available for protecting mobile data on laptops?

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


Richard G. Harper said:
I didn't have time to read all the documents I found, but in general if
you can configure it via Active Directory, that includes the ability to
disable it.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Whitefearn said:
I have seen quite a few posts regarging configuring it, but not disabling
it
completely, so i was hoping someone might have a few ideas of pieces of
it
that i could block or disable that would make the process difficult to
implement.

Thanks

Richard G. Harper said:
Search Microsoft's TechNet and MSDN resources for Active Directory and
BitLocker - there are many documents available on this subject including
a
guide to configuring BitLocker through Active Directory.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


We do not want to use bit locker in our company, and don't want the
rogue
person to setup bitlocker and us not be able to recover data for them.

Is there a way to completly disable the bitlocker options though a
GPO?

Thank you
 
Most of it's internal politics.

We are in the Medical Industry (HIPPA is a huge concern) and chose Safeboot
as our encryption solution last year. So there is a "we already spent the
time and money to do this...." mentality.

Also, there are folks who think because it is Microsoft, there will be
security holes in it. Couple that with it being the "first model year" of the
product they don't feel we should jump on that bandwagon untill it is proven.

Steve Riley said:
Whitefearn--

No, there is no specific GPO for preventing the use of BitLocker.

If user's aren't running as local administrators, then they can't enable
BitLocker anyway, so there's one way to prevent it. A more complicated way
would be to configure the group policy that requires backing up keys to
Active Directory but then don't do AD setup required for this -- thus
guaranteeing BitLocker installation failure.

I am curious, though -- why do you not want to take advantage of one of the
most important features available for protecting mobile data on laptops?

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


Richard G. Harper said:
I didn't have time to read all the documents I found, but in general if
you can configure it via Active Directory, that includes the ability to
disable it.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


Whitefearn said:
I have seen quite a few posts regarging configuring it, but not disabling
it
completely, so i was hoping someone might have a few ideas of pieces of
it
that i could block or disable that would make the process difficult to
implement.

Thanks

:

Search Microsoft's TechNet and MSDN resources for Active Directory and
BitLocker - there are many documents available on this subject including
a
guide to configuring BitLocker through Active Directory.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


We do not want to use bit locker in our company, and don't want the
rogue
person to setup bitlocker and us not be able to recover data for them.

Is there a way to completly disable the bitlocker options though a
GPO?

Thank you
 
Well, let me assure you, the BitLocker code underwent serious scrutiny
before we released it. Also, to allay another worry your organization might
have, there are no back doors, period:
http://blogs.technet.com/steriley/archive/2007/07/13/the-bad-guys-will-use-bitlocker-too.aspx

Do your users run as local admin? If not, then as I wrote before, they can't
enable BitLocker anyway, so no worries.

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


Whitefearn said:
Most of it's internal politics.

We are in the Medical Industry (HIPPA is a huge concern) and chose
Safeboot
as our encryption solution last year. So there is a "we already spent the
time and money to do this...." mentality.

Also, there are folks who think because it is Microsoft, there will be
security holes in it. Couple that with it being the "first model year" of
the
product they don't feel we should jump on that bandwagon untill it is
proven.

Steve Riley said:
Whitefearn--

No, there is no specific GPO for preventing the use of BitLocker.

If user's aren't running as local administrators, then they can't enable
BitLocker anyway, so there's one way to prevent it. A more complicated
way
would be to configure the group policy that requires backing up keys to
Active Directory but then don't do AD setup required for this -- thus
guaranteeing BitLocker installation failure.

I am curious, though -- why do you not want to take advantage of one of
the
most important features available for protecting mobile data on laptops?

--
Steve Riley
(e-mail address removed)
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


Richard G. Harper said:
I didn't have time to read all the documents I found, but in general if
you can configure it via Active Directory, that includes the ability to
disable it.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


I have seen quite a few posts regarging configuring it, but not
disabling
it
completely, so i was hoping someone might have a few ideas of pieces
of
it
that i could block or disable that would make the process difficult to
implement.

Thanks

:

Search Microsoft's TechNet and MSDN resources for Active Directory
and
BitLocker - there are many documents available on this subject
including
a
guide to configuring BitLocker through Active Directory.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm


We do not want to use bit locker in our company, and don't want the
rogue
person to setup bitlocker and us not be able to recover data for
them.

Is there a way to completly disable the bitlocker options though a
GPO?

Thank you
 
Back
Top