Prevent users from suspending Bitlocker

  • Question

  • Hi Everyone,

    We use Bitlocker on our devices connected to our company domain. When we add the employee's account to the computer, we add them as an admin in case they need to install software that is needed to do their job.

    Is it possible to prevent users from "Suspending Bitlocker" or changing their PIN?

    It's strange that such options aren't easy to find (or if they even exist).

    Thanks

    Tuesday, May 12, 2015 6:33 PM

Answers

  • CL

    You made them Admin.  A better path might be to create a group who have some selective elevated perms that are not Admins.


    Wanikiya and Dyami--Team Zigzag

    Tuesday, May 12, 2015 6:39 PM
    Moderator
  • Hi,

    Yes, there is no way to achieve it if the users are administrators. The only way of doing this is to remove their administrative privilege. And distribute software via domain.



    Wednesday, May 13, 2015 5:30 AM
    Moderator
  • Hi.

    Don't offer admin status to inexperienced users. Find other solutions for software distribution.

    Changing the PIN can be prevented by GPO at least in Win8.x, look at your BitLocker GPOs. Suspending BL cannot be prevented when users are admins. There's no GPO for that because if admins would want to do that, they would do that offline, so there's no effective way. What you could do is monitor the encryption status with MBAM (if you have access to it) or scripts (if not).

    Saturday, May 16, 2015 9:47 AM
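
One way to do the script-based monitoring suggested in the last answer, as an added example that is not part of the original thread: it classifies each volume reported by `Get-BitLockerVolume` and records a warning when protection is suspended, off, or being removed. The function name `Get-BitLockerFinding`, the event source `BitLockerStatusCheck` and event ID 9001 are assumptions made for this example; it targets Windows PowerShell 5.1 and must run elevated (for instance as a scheduled task under SYSTEM).

```powershell
#Requires -RunAsAdministrator
# Added example: report volumes whose BitLocker protection is not active.
$Source  = 'BitLockerStatusCheck'   # hypothetical event source name
$EventId = 9001                     # hypothetical event ID

function Get-BitLockerFinding {
    # Takes objects shaped like Get-BitLockerVolume output and emits one
    # finding per volume that is not fully protected.
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $vol  = [string]$Volume.VolumeStatus
        $prot = [string]$Volume.ProtectionStatus
        $state = $null
        if     ($vol -eq 'FullyDecrypted')       { $state = 'NotEncrypted' }
        elseif ($vol -eq 'DecryptionInProgress') { $state = 'Decrypting' }
        elseif ($vol -eq 'EncryptionInProgress') { $state = 'Encrypting' }
        elseif ($vol -eq 'FullyEncrypted' -and $prot -eq 'Off') {
            # Data is still encrypted, but protectors are disabled: this is
            # what "Suspend BitLocker" leaves behind.
            $state = 'Suspended'
        }
        elseif ($prot -ne 'On')                  { $state = 'ProtectionOff' }

        if ($state) {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                MountPoint = $Volume.MountPoint
                State      = $state
                Percentage = $Volume.EncryptionPercentage
                Protectors = ($Volume.KeyProtector.KeyProtectorType -join ',')
            }
        }
    }
}

$findings = @(Get-BitLockerVolume | Get-BitLockerFinding)
if ($findings.Count -gt 0) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    $msg = ($findings | ForEach-Object {
        "{0} {1}: {2} ({3}% encrypted, protectors: {4})" -f `
            $_.Computer, $_.MountPoint, $_.State, $_.Percentage, $_.Protectors
    }) -join "`r`n"
    Write-EventLog -LogName Application -Source $Source -EventId $EventId `
        -EntryType Warning -Message $msg
    $findings | Format-Table -AutoSize
    exit 1   # non-zero exit lets a scheduler or management agent raise an alert
}
exit 0
```

Forwarding the resulting Application log event to a central collector keeps the record off the machine, which matters here because a local administrator can also edit or disable a local script.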
