Latest posts by Michael Pietroforte
First of all, I am absolutely pro BitLocker. In my view, in most corporate networks, all drives should be encrypted. However, environments exist where you want to disable BitLocker for end users. Perhaps you work with a third-party encryption solution. Or maybe you are not yet familiar with BitLocker’s recovery features and want to prevent users from losing data because they lost the recovery key or their password. And let’s not forget the employee who has just been fired and encrypts important data drives to receive a nice “lump sum settlement” after he’s left the company. (Yes, BitLocker can be used for ransom attacks.)
Default BitLocker settings
Before we look at the different options for disabling BitLocker, I want to outline the BitLocker default settings. Perhaps they are just fine for your network.
BitLocker distinguishes between three kinds of drives: system drives, fixed data drives, and removable drives. By default, standard users without administrator privileges are not allowed to encrypt system drives (where Windows is installed) with BitLocker. If a standard user tries to turn on BitLocker for a system drive in File Explorer, a UAC prompt pops up asking for administrator credentials.
BitLocker system drive encryption requires administrator rights by default
In contrast, standard users have the right to encrypt removable drives. You can turn off this feature in your network with the Group Policy setting “Control use of BitLocker on removable drives,” which you can find under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives.
Disable BitLocker on removable drives with Group Policy
Note that it is sometimes unclear what counts as a “removable” drive and what is considered a “fixed” drive. For instance, SATA drives in AHCI mode that support hot swapping might be treated as removable drives by BitLocker even though they are internal drives.
BitLocker treats fixed drives that are not system drives differently. Every standard user can turn on BitLocker for those drives. This also works if the computer lacks a TPM chip. The policy to allow BitLocker drive encryption without TPM is only needed for boot drives.
Thus, no (official) Group Policy setting exists that would allow admins to prevent users from encrypting fixed drives with BitLocker. If you want to completely disable BitLocker, fixed data drives are your main concern because Microsoft does not offer a simple switch to turn off BitLocker for those media.
Of course, if you have users with administrator rights in your network, you have to take into account that they also can encrypt system drives with BitLocker. The tricks below help prevent admins from using BitLocker; however, you should be aware that a capable admin will always be able to bypass your configuration. You can, at least, decrease the likelihood that end users who just have admin rights for practical reasons are encouraged to turn on BitLocker.
Remove “Turn on BitLocker” context menu
I think most users stumble across BitLocker when they right-click a drive letter in File Explorer. Thus, a simple way to prevent users from encrypting a drive with BitLocker is to remove this menu entry.
Turn on BitLocker has been removed
This can be done by deleting the “encrypt-bde” Registry key with its subkeys under HKEY_CLASSES_ROOT > Drive > shell. I suggest that you first back up the key to a REG file in the Registry editor (right-click the key and select Export).
Export Registry key
You can remove the BitLocker context menu across your entire network with the help of Group Policy Preferences. To do so, select Delete as the action, HKEY_CLASSES_ROOT as the hive, and Drive\shell\encrypt-bde as the key path. Registry settings can also be configured for users and computers with Group Policy Preferences. Which option is better? It depends on your environment.
Remove Turn on BitLocker from File Explorer with Group Policy Preferences
Note that if you want to restore the context menu later, you have to restore the entire encrypt-bde key with its subkeys. So keep the REG file.
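For a scripted version of the same steps (export the key to a REG file first, then delete it, with a matching restore), here is an added PowerShell example; it is not code from the original post. It assumes an elevated prompt and a backup location of C:\Backup, both of which are my assumptions.

```powershell
# Added example: remove the "Turn on BitLocker" context-menu key only after a
# successful backup, so the key can be restored later from the REG file.
# Key path is the one described in the post; the backup path is an assumption.
$KeyPath   = 'Registry::HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde'
$RegExport = 'HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde'
$Backup    = 'C:\Backup\encrypt-bde.reg'   # assumed location

function Remove-BitLockerContextMenu {
    if (-not (Test-Path $KeyPath)) {
        Write-Output "Key already absent: $KeyPath"
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
    # reg.exe export writes the key and all of its subkeys to the REG file
    reg.exe export $RegExport $Backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed; key was not removed." }
    Remove-Item -Path $KeyPath -Recurse -Force
    Write-Output "Removed $KeyPath (backup: $Backup)"
}

function Restore-BitLockerContextMenu {
    if (-not (Test-Path $Backup)) { throw "No backup found at $Backup" }
    # Importing the REG file recreates encrypt-bde together with its subkeys
    reg.exe import $Backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Restore failed." }
    Write-Output "Restored $KeyPath from $Backup"
}

Remove-BitLockerContextMenu
# To bring the menu entry back later: Restore-BitLockerContextMenu
```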
Hide BitLocker Control Panel applet
More experienced users might know that they can also encrypt drives with BitLocker through the corresponding Control Panel applet. You can easily remove BitLocker Drive Encryption from the Control Panel with Group Policy.
No BitLocker applet in Control Panel
Navigate to User Configuration > Policies > Administrative Templates > Control Panel and edit the “Hide specified Control Panel items” policy. After you enable the policy, you have to change the “List of disallowed Control Panel items” and add “BitLocker Drive Encryption.”
Hide BitLocker Drive Encryption from Control Panel with Group Policy
Note that no corresponding Computer Configuration exists for this policy.
Disable BitLocker for fixed data drives
The above two configurations only hide BitLocker from users. Advanced users could still open a command prompt and encrypt drives with the manage-bde command. With the trick I describe now, BitLocker will essentially be disabled from the command prompt as well. However, there is one requirement: either the computer must not have a smart card reader, or users must not have smart cards. I guess this is the case in most environments.
In Group Policy Editor, navigate to Computer Configuration > Administrative Templates > Windows Components > Fixed Data Drives. Enable the “Require use of smart cards on fixed data drives” policy.
Require use of smart cards on fixed data drives
If you enable “Require use of smart cards on fixed data drives” in your network through Group Policy, users will get the error message “A smart card wasn’t detected. Insert your smart card and try again” if they try to encrypt a fixed data drive. The policy is enabled if the “Use my smart card to unlock the drive” check box is set and locked.
A smart card wasn't detected
How not to disable BitLocker
If you google the topic, you’ll find other suggestions for how to disable BitLocker. Some sites recommend enabling the Group Policy setting “Store BitLocker recovery information in Active Directory Domain Services.” If your Active Directory isn’t prepared to store BitLocker recovery information, then users can’t encrypt their drives. However, this trick only works for Windows Server 2008 and Windows Vista.
In some forums, users suggested disabling the BitLocker Drive Encryption service. Unfortunately, this doesn’t prevent users from encrypting drives. The service is only responsible for various BitLocker-related features such as automatic unlocking.
If you only want to prevent standard users from using BitLocker, you can use the corresponding Group Policy setting for removable drives, and ensure that smart cards are required to encrypt fixed drives. In addition, you can avoid help desk calls by hiding the BitLocker context menu and the BitLocker Control Panel applet.
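To check whether the measures summarized above are actually in place on a machine, and to spot fixed data drives that users have already encrypted, here is an added PowerShell audit script; it is not code from the original post. The registry value names under the FVE policy key (RDVConfigureBDE, FDVAllowUserCert, FDVEnforceUserCert) and the DisallowCpl key for the hidden applet are my assumptions about what the corresponding policies write, so compare them with your own policy export before relying on the result; Get-BitLockerVolume comes with the BitLocker module and needs an elevated session.

```powershell
# Added example: report the state of each lockdown measure and list fixed
# data drives that are not fully decrypted. Registry value names below are
# assumptions; verify them against your environment.
function Get-BitLockerLockdownStatus {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $cpl = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl'
    $ctx = 'Registry::HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde'

    $fveProps = if (Test-Path $fve) { Get-ItemProperty $fve } else { $null }
    # Hidden applets are stored as numbered string values under DisallowCpl
    $cplItems = if (Test-Path $cpl) {
        (Get-ItemProperty $cpl).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value }
    } else { @() }

    [PSCustomObject]@{
        ContextMenuRemoved     = -not (Test-Path $ctx)
        ControlPanelHidden     = $cplItems -contains 'BitLocker Drive Encryption'
        RemovableDrivesBlocked = ($fveProps.RDVConfigureBDE -eq 0)      # assumed value name
        SmartCardRequiredFDV   = ($fveProps.FDVAllowUserCert -eq 1 -and  # assumed value names
                                  $fveProps.FDVEnforceUserCert -eq 1)
    }
}

function Get-EncryptedDataDrives {
    # "Data" covers fixed and removable data volumes; OS volumes are excluded
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'Data' -and $_.VolumeStatus -ne 'FullyDecrypted'
    } | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
}

Get-BitLockerLockdownStatus
Get-EncryptedDataDrives
```

Running the script from a scheduled task or your management tooling gives you an inventory of drives that were encrypted before the policies took effect, which is exactly the situation where a lost recovery key becomes a help desk problem.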
What policy does your organization have? Are users allowed to encrypt with BitLocker?