Wednesday, June 10, 2009 16:50
Is it possible to completely disable the BitLocker feature, such as a Group Policy or some other way? I am looking for this feature for an Enterprise need. This is because we do not want people encrypting drives and then having the IT department locked out of the computer if they are forced to leave the company. We want a way that users will have no access to the BitLocker application.
All Replies
Wednesday, June 10, 2009 17:04
Hello Bubbatb007,
There are several GPOs in Windows Server 2008 related to BitLocker and user rights but a different suggestion would be to set a Data Recovery Agent such as the admins group. This would enable admins to decrypt data in a situation such as yours.
Thursday, June 11, 2009 02:51
There is no GPO that specifically blocks access to enabling and disabling BitLocker as a whole, because:
1. It requires Administrator rights to start and configure.
2. If BitLocker were turned on by it, you would have thousands of users suddenly being forced to somehow use and configure BitLocker correctly.
Don't make your users administrators. If they are admins, a GP will not stop them from configuring BitLocker, regardless. And Samcp1123 is right, make sure that if anyone does use BitLocker that all key data is backed up in AD. That is definitely controlled through GP.
To find group policies that are possible to use in Vista or later, open a policy, right click an administrative templates node, and select 'filter options'. Then you can search for anything that might be in policy. This works in local policy with GPEDIT.MSC and domain GP through GPMC.
Ned Pyle [MSFT] - MS Enterprise Platforms Support - Beta Team
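
The thread's advice to make sure BitLocker key data is backed up in AD can be verified from the directory side. The following is an added example, not part of the original thread or Microsoft's own code: it lists computer accounts and whether any `msFVE-RecoveryInformation` child object exists under them. It assumes the RSAT ActiveDirectory module, an account allowed to read those objects, and a placeholder search base (`OU=Workstations,DC=example,DC=com`); the function name `Get-BitLockerEscrowStatus` is hypothetical.

```powershell
# Added example: audit which computer accounts have BitLocker recovery
# information stored in Active Directory.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the caller
# has rights to read msFVE-RecoveryInformation objects.
Import-Module ActiveDirectory

function Get-BitLockerEscrowStatus {
    param(
        [Parameter(Mandatory)]
        [string]$SearchBase   # placeholder OU, supplied by the caller
    )

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        # Recovery passwords are stored as child objects of the computer account.
        $recovery = @(Get-ADObject -SearchBase $_.DistinguishedName `
                -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                -Properties whenCreated)

        # Most recent escrow entry, if any exists.
        $latest = $recovery |
            Sort-Object whenCreated -Descending |
            Select-Object -First 1

        [pscustomobject]@{
            Computer      = $_.Name
            RecoveryCount = $recovery.Count
            LatestEscrow  = if ($latest) { $latest.whenCreated } else { $null }
        }
    }
}

# A count of 0 means no key is escrowed for that machine. The machine may
# simply be unencrypted, so confirm its BitLocker state before treating
# the row as a gap.
Get-BitLockerEscrowStatus -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Sort-Object RecoveryCount, Computer |
    Format-Table -AutoSize
```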