By default, you can’t prevent users from encrypting fixed data drives with BitLocker. However, a few tricks exist that allow you to essentially disable BitLocker in your network.

Michael Pietroforte

Michael Pietroforte is the founder and editor in chief of 4sysops. He has more than 35 years of experience in IT management and system administration.

First of all, I am absolutely pro BitLocker. In my view, in most corporate networks, all drives should be encrypted. However, environments exist where you want to disable BitLocker for end users. Perhaps you work with a third-party encryption solution. Or maybe you are not yet familiar with BitLocker’s recovery features and want to prevent users from losing data because they lost the recovery key or forgot their password. And let’s not forget the employee who has just been fired and encrypts important data drives to receive a nice “lump sum settlement” after he’s left the company. (Yes, BitLocker can be used for ransom attacks.)

Default BitLocker settings

Before we look at the different options for disabling BitLocker, I want to outline the BitLocker default settings. Perhaps they are just fine for your network.

BitLocker distinguishes between three kinds of drives: system drives, fixed data drives, and removable drives. By default, standard users with no administrator privileges are not allowed to encrypt system drives (where Windows is installed) with BitLocker. If a standard user tries to turn on BitLocker for a system drive in File Explorer, a UAC prompt will pop up that prompts the user to enter administrator credentials.

BitLocker system drive encryption requires administrator rights by default

In contrast, standard users have the right to encrypt removable drives. You can turn off this feature in your network with the Group Policy setting “Control use of BitLocker on removable drives,” which you can find under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives.

Disable BitLocker on removable drives with Group Policy

Note that sometimes it is unclear what counts as “removable” and what is considered a “fixed” drive. For instance, SATA drives with AHCI that support hot swapping might be considered as removable drives by BitLocker even if they are internal drives.

BitLocker treats fixed drives that are not system drives differently: every standard user can turn on BitLocker for them. This also works on computers without a TPM chip, because the “Allow BitLocker without a compatible TPM” option (part of the “Require additional authentication at startup” policy under Operating System Drives) is only relevant for boot drives.

Thus, no (official) Group Policy setting exists that would allow admins to prevent users from encrypting fixed drives with BitLocker. If you want to completely disable BitLocker, fixed data drives are your main concern because Microsoft does not offer a simple switch to turn off BitLocker for those media.

Of course, if you have users with administrator rights in your network, you have to take into account that they can also encrypt system drives with BitLocker. The tricks below help keep admins from using BitLocker; however, you should be aware that a capable admin will always be able to bypass your configuration. At least you make it less likely that users who have admin rights only for practical reasons are tempted to turn on BitLocker.

Remove “Turn on BitLocker” context menu

I think most users stumble across BitLocker when they right-click a drive letter in File Explorer. Thus, a simple way to prevent users from encrypting a drive with BitLocker is to remove this menu entry.

Turn on BitLocker has been removed

This can be done by deleting the “encrypt-bde” Registry key together with its subkeys under HKEY_CLASSES_ROOT\Drive\shell. Keep in mind that HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and HKCU\SOFTWARE\Classes, so the machine-wide copy of the key lives under HKLM\SOFTWARE\Classes\Drive\shell. On newer Windows versions, a second key, “encrypt-bde-elev”, holds the elevated variant of the same verb (see Jim’s comment below) and has to be removed as well. I suggest that you first back up the keys to a REG file in the Registry Editor (right-click the key and select Export).

Export Registry key

You can remove the BitLocker context menu across your entire network with the help of Group Policy Preferences. To do so, select Delete as the action, HKEY_CLASSES_ROOT as the hive, and Drive\shell\encrypt-bde as the key path. Registry items can be configured under both Computer Configuration and User Configuration with Group Policy Preferences. Which option is better? It depends on your environment.

Remove Turn on BitLocker from File Explorer with Group Policy Preferences

Note that if you want to restore the context menu later, you have to restore the entire encrypt-bde key with its sub keys. So keep the REG file.
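The same backup, removal, and restore on a single machine (for a lab test, or for computers that are not domain members) can be scripted. The following PowerShell is an added example, not code from the original article; it works on the HKLM side of the merged HKEY_CLASSES_ROOT view, runs from an elevated prompt, and stores the REG exports under a backup directory I chose for the example. The second key name, encrypt-bde-elev, is taken from Jim’s comment below and may not exist on every Windows version, which the script tolerates.

```powershell
# Added example (not from the original article): back up, remove, and restore the
# "Turn on BitLocker" context-menu verbs on the local machine.
# HKEY_CLASSES_ROOT merges HKLM:\SOFTWARE\Classes and HKCU:\SOFTWARE\Classes; the
# machine-wide verb lives on the HKLM side. Run from an elevated PowerShell prompt.

$verbs     = 'encrypt-bde', 'encrypt-bde-elev'      # '-elev' exists only on some versions
$basePath  = 'HKLM:\SOFTWARE\Classes\Drive\shell'
$regBase   = 'HKLM\SOFTWARE\Classes\Drive\shell'    # same key in the form reg.exe expects
$backupDir = Join-Path $env:ProgramData 'BitLockerMenuBackup'   # assumed location

function Backup-BitLockerMenu {
    New-Item -Path $backupDir -ItemType Directory -Force | Out-Null
    foreach ($verb in $verbs) {
        if (Test-Path "$basePath\$verb") {
            $regFile = Join-Path $backupDir "$verb.reg"
            reg.exe export "$regBase\$verb" $regFile /y | Out-Null
            Write-Host "Exported $regBase\$verb to $regFile"
        } else {
            Write-Host "$regBase\$verb not present, nothing to export"
        }
    }
}

function Remove-BitLockerMenu {
    foreach ($verb in $verbs) {
        $path = "$basePath\$verb"
        if (Test-Path $path) {
            Remove-Item -Path $path -Recurse -Force   # the key and all its subkeys
            Write-Host "Removed $path"
        }
    }
}

function Restore-BitLockerMenu {
    # Re-import every REG file that Backup-BitLockerMenu wrote
    Get-ChildItem -Path $backupDir -Filter '*.reg' | ForEach-Object {
        reg.exe import $_.FullName | Out-Null
        Write-Host "Imported $($_.FullName)"
    }
}

function Test-BitLockerMenuPresent {
    # $true if any BitLocker verb is still registered for drive letters
    foreach ($verb in $verbs) {
        if (Test-Path "$basePath\$verb") { return $true }
    }
    return $false
}

Backup-BitLockerMenu
Remove-BitLockerMenu
if (Test-BitLockerMenuPresent) {
    Write-Warning 'A BitLocker context-menu verb is still present'
} else {
    Write-Host 'Context menu removed; restart explorer.exe (or sign out) to see the change'
}
# To put the menu back later: Restore-BitLockerMenu
```

Keep the exported REG files: a later in-place Windows upgrade may recreate the keys, and the only clean way to restore the verb is to re-import the complete key with its subkeys. Remember that this only hides the entry; it does not prevent encryption through other paths.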

Hide BitLocker Control Panel applet

More experienced users might know that they can also encrypt drives with BitLocker through the corresponding Control Panel applet. You can easily remove BitLocker Drive Encryption from the Control Panel with Group Policy.

No BitLocker applet in Control Panel

Navigate to User Configuration > Policies > Administrative Templates > Control Panel and edit the “Hide specified Control Panel items” policy. After you enable the policy, edit the “List of disallowed Control Panel items” and add “BitLocker Drive Encryption.” The list also accepts the applet’s canonical name, Microsoft.BitLockerDriveEncryption, which is independent of the display language.

Hide BitLocker Drive Encryption from Control Panel with Group Policy

Note that no corresponding Computer Configuration exists for this policy.
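If you want to try the effect on one machine before you roll out the policy, you can write the registry values that this policy sets for the current user. The PowerShell below is an added example, not code from the original article; it writes the DisallowCpl values that “Hide specified Control Panel items” uses and uses the canonical applet name. Because the policy is per user, run it in the session of the user you want to test with, not elevated as a different account.

```powershell
# Added example (not from the original article): registry equivalent of the user
# policy "Hide specified Control Panel items" for the BitLocker applet.
# DisallowCpl (DWORD 1) switches the policy on; the DisallowCpl subkey holds the
# hidden items as string values named "1", "2", ... Runs in the target user's session.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowCpl'
$item      = 'Microsoft.BitLockerDriveEncryption'   # canonical name of the applet

function Get-DisallowedCplEntries {
    # Returns the numbered entries ("1", "2", ...) of the DisallowCpl list
    if (-not (Test-Path $listKey)) { return @() }
    (Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' }
}

function Hide-BitLockerCpl {
    New-Item -Path $listKey -Force | Out-Null
    Set-ItemProperty -Path $policyKey -Name 'DisallowCpl' -Value 1 -Type DWord
    $existing = @(Get-DisallowedCplEntries)
    if ($existing.Value -contains $item) { return }       # already listed
    $next = 1
    if ($existing.Count -gt 0) {
        $next = ([int[]]$existing.Name | Measure-Object -Maximum).Maximum + 1
    }
    Set-ItemProperty -Path $listKey -Name $next -Value $item -Type String
}

function Show-BitLockerCpl {
    # Removes only our entry; other hidden applets stay hidden
    Get-DisallowedCplEntries |
        Where-Object { $_.Value -eq $item } |
        ForEach-Object { Remove-ItemProperty -Path $listKey -Name $_.Name }
}

function Test-BitLockerCplHidden {
    $enabled = (Get-ItemProperty -Path $policyKey -Name 'DisallowCpl' -ErrorAction SilentlyContinue).DisallowCpl
    if ($enabled -ne 1) { return $false }
    $values = Get-DisallowedCplEntries | ForEach-Object { $_.Value }
    return [bool]($values -contains $item)
}

Hide-BitLockerCpl
"BitLocker applet hidden for $($env:USERNAME): $(Test-BitLockerCplHidden)"
# Undo for this user: Show-BitLockerCpl
```

As with the context menu, this only removes a shortcut; the wizard can still be started in other ways, and the policy applies to the user object, so computers shared by many users need the setting on every user who signs in (or a user policy with loopback processing).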

Disable BitLocker for fixed data drives

The above two configurations only hide BitLocker from users. Advanced users could still open a command prompt and encrypt drives with the manage-bde command (or with the Enable-BitLocker PowerShell cmdlet). With the trick I describe now, BitLocker is essentially disabled for fixed data drives regardless of which tool the user starts, because the BitLocker engine itself enforces the policy. However, there is one requirement: users must not have a smart card with a certificate they could use as a BitLocker protector; if they do, the policy simply forces them to use it. I guess this is the case for most environments.

In the Group Policy Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives. Enable the “Configure use of smart cards on fixed data drives” policy and select its “Require use of smart cards on fixed data drives” check box.

Require use of smart cards on fixed data drives

If you enforce “Require use of smart cards on fixed data drives” in your network through Group Policy, users get the error message “A smart card wasn’t detected. Insert your smart card and try again” when they try to encrypt a fixed data drive. In the wizard, you can tell the policy is in effect because the “Use my smart card to unlock the drive” check box is selected and grayed out. Note that the policy only blocks new encryption; drives that were already encrypted before the policy applied keep their existing protectors.

A smart card wasn't detected
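To check on a given computer whether the requirement has actually arrived, and which data volumes were already encrypted before it did, you can read the policy key and query the BitLocker module. The following PowerShell is an added example, not code from the original article. The value names FDVAllowUserCert and FDVEnforceUserCert are the ones I expect the “Configure use of smart cards on fixed data drives” template to write under HKLM\SOFTWARE\Policies\Microsoft\FVE; confirm them against FVE.admx or by inspecting that key after the policy has applied. Get-BitLockerVolume is the cmdlet from the BitLocker module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the original article): report whether the smart-card
# requirement for fixed data drives is in force on this machine, and list the
# data volumes that are already encrypted (the policy blocks new encryption
# only; it does not decrypt anything). Run from an elevated prompt.
# Assumption: FDVAllowUserCert / FDVEnforceUserCert are the registry values
# behind "Configure use of smart cards on fixed data drives"; verify in FVE.admx.

$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-FvePolicyValue([string]$Name) {
    (Get-ItemProperty -Path $fve -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-SmartCardRequiredOnFixedDrives {
    # Both must be 1: the policy is enabled AND the "Require" check box is selected
    (Get-FvePolicyValue 'FDVAllowUserCert') -eq 1 -and
    (Get-FvePolicyValue 'FDVEnforceUserCert') -eq 1
}

function Get-EncryptedDataVolumes {
    # VolumeType 'Data' covers fixed and removable data drives; the OS drive is 'OperatingSystem'
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'Data' -and $_.VolumeStatus -ne 'FullyDecrypted' } |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
            @{ Name = 'Protectors'
               Expression = { ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',' } }
}

if (Test-SmartCardRequiredOnFixedDrives) {
    Write-Host 'Smart cards are required on fixed data drives: encryption without one will fail.'
} else {
    Write-Warning 'Smart-card requirement not set; standard users can still encrypt fixed data drives.'
}

# Volumes encrypted before the policy applied keep whatever protectors they had
Get-EncryptedDataVolumes | Format-Table -AutoSize
```

The second part matters for the ransom scenario from the introduction: if a volume already shows a RecoveryPassword or Password protector and an EncryptionPercentage above 0, the policy will not undo it, and you still need the recovery key.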

How not to disable BitLocker

If you google the topic, you’ll find other suggestions for how to disable BitLocker. Some sites recommend enabling the Group Policy setting “Store BitLocker recovery information in Active Directory Domain Services.” If your Active Directory isn’t prepared to store BitLocker recovery information, then users can’t encrypt their drives. However, this trick only works for Windows Server 2008 and Windows Vista.

In some forums, users suggested disabling the BitLocker Drive Encryption service. Unfortunately, this doesn’t prevent users from encrypting drives. The service is only responsible for various BitLocker–related features such as automatic unlocking.

Summary

If you only want to prevent standard users from using BitLocker, you can use the corresponding Group Policy setting for removable drives, and ensure that smart cards are required to encrypt fixed drives. In addition, you can avoid help desk calls by hiding the BitLocker context menu and the BitLocker Control Panel applet.

What policy does your organization have? Are users allowed to encrypt with BitLocker?

10 Comments
  1. MingN 4 years ago

    Hi,

    We are facing an issue and are hoping to get some help.

    Our laptops (Windows 7) are enabled with BitLocker.

    Now we are looking at disabling Startup Repair via GPO on all the Windows 7 PCs, including laptops.

    Upon receiving the DisableStartupRepair GPO, the laptop asks for the BitLocker recovery key when it restarts.

    We have thousands of laptops out there, and it is not possible to enter the key for each one.

    What could be the workaround for this scenario?

    If we 1. disable BitLocker (temporarily), then 2. push out the DisableStartupRepair, and then 3. re-enable BitLocker? Is this achievable, and how do we disable and re-enable BitLocker organization-wide?

    Or are there any other workarounds? Thank you.

  2. Jim 3 years ago

    Individual results may vary, but I found that the registry key "encrypt-bde-elev" also needed to be removed to prevent the context menu. (As with the other, export it and save it in case it must be restored.)

    • Michael Pietroforte (Author) 3 years ago

      Maybe it depends on the Windows version. This article is more than two years old and was based on Windows 8.1. Did you try it in Windows 10?

  3. Kunal 3 years ago

    Questions:
    1. How do you decrypt a drive and remove BitLocker policies from a laptop that’s added to a domain?

    2. Why does BitLocker display the recovery option after a machine has been recovered? It keeps going into recovery mode. Is there a way we can fix this?

    Please assist.

    Thanks
    Kunal

  4. Michael Pietroforte (Author) 3 years ago

    You can turn off BitLocker in Control Panel > System and Security > BitLocker Drive Encryption. If the machine is a domain member, you have to edit the corresponding policies on the domain controller. If you just want to temporarily disable the policies so you can fix the machine, you can remove the computer from its container.

    I didn’t have your second problem. I would turn off BitLocker, reboot, and then encrypt the drive again.

  5. Ehren Schlueter 1 year ago

    The article was great and I took advantage of most of the steps in it; great post! I've added the below for those of you that would like to ban your Green Administrators from ever running BitLocker in your environment. Or at least slow them way down. 😉

    This method strips privileges away from all users on manage-bde.exe and adds another group, to which you can add an Active Directory group, in the event you need to use it.

    You can also run the following after each major Windows Redstone upgrade:

    $file = "C:\Windows\System32\manage-bde.exe"

    # Local group that keeps access to manage-bde.exe; ignore the error if it already exists
    New-LocalGroup -Name "Bitlocker-Admin" -Description "Provides Administrative Access to Bitlocker." -ErrorAction SilentlyContinue | Out-Null
    $permission = "Bitlocker-Admin", "FullControl", "Allow"
    $accessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $permission

    $ACL = Get-Acl $file
    # Save the current security descriptor as SDDL so it can be restored later with Set-Acl
    $ACL.Sddl | Out-File manage-bde.acl
    $Group = New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")
    $ACL.SetOwner($Group)            # take ownership from TrustedInstaller so the DACL can be changed
    $ACL.SetAccessRule($accessRule)  # grant the new group full control
    Set-Acl -Path $file -AclObject $ACL

  6. imaad 6 months ago

    If the user turns on the laptop and does not remember the PIN, the following should happen:

    • Start the laptop

    • Press ESC in the Bitlocker screen

    • Search for: Location XXXXXXXXXX for the correct recovery file

    • Open this file (TEXT editor)

    • Read the “Recovery key” that is in the file and let the user enter it on the laptop

    • The laptop will restart

    • User can log in

    • Go to "Manage Bitlocker"

    • Select: Change PIN code

    • Select: Recover forgotten PIN code

    HOW TO CHANGE YOUR PIN IF YOU ARE NOT ADMIN? Can I indicate in Group Policy that, if you forget your PIN, it doesn’t ask for the administrator password?

  7. jyoti prakash 5 months ago

    Is there a way I can prevent users from using "Suspend  BitLocker" or "Turn Off BitLocker" from control panel applet?


    • Paolo Maffezzoli 5 months ago

      Only users with local administrator rights can disable or turn off BitLocker. Of course, the best practice regarding end users is not to give them local admin permissions.

  8. imaad1900 5 months ago

    BitLocker || Recover forgotten PIN code

    If the user turns on the laptop and does not remember the PIN, the following should happen:

    Start the laptop

    Press ESC in the Bitlocker screen

    Search for: Location XXXXXXXXXX for the correct recovery file

    Open this file (TEXT editor)

    Read the “Recovery key” that is in the file and let the user enter it on the laptop

    The laptop will restart

    User can log in

    Go to "Manage Bitlocker"

    Select: Change PIN code

    Select: Recover forgotten PIN code

    HOW TO CHANGE YOUR PIN IF YOU ARE NOT ADMIN? How can I indicate in Group Policy that, if I forget my PIN, it doesn’t ask for my administrator password?

© 4sysops 2006 - 2019