First of all, I am absolutely pro BitLocker. In my view, in most corporate networks, all drives should be encrypted. However, environments exist where you want to disable BitLocker for end users. Perhaps you work with a third-party encryption solution. Or maybe you are not yet familiar with BitLocker’s recovery features and want to prevent users from losing data because they lost the recovery key or their password. And let’s not forget the employee who has just been fired and encrypts important data drives to receive a nice “lump sum settlement” after he’s left the company. (Yes, BitLocker can be used for ransom attacks.)
Default BitLocker settings
Before we look at the different options for disabling BitLocker, I want to outline the BitLocker default settings. Perhaps they are just fine for your network.
BitLocker distinguishes between three kinds of drives: operating system drives, fixed data drives, and removable data drives. By default, standard users without administrator privileges are not allowed to encrypt the system drive (the one Windows is installed on) with BitLocker. If a standard user tries to turn on BitLocker for the system drive in File Explorer, a UAC prompt appears and asks for administrator credentials.
BitLocker system drive encryption requires administrator rights by default
In contrast, standard users are allowed to encrypt removable drives. You can turn this off network-wide with the Group Policy setting “Control use of BitLocker on removable drives,” which you can find under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives: enable the policy and clear the “Allow users to apply BitLocker protection on removable data drives” check box.
Disable BitLocker on removable drives with Group Policy
Note that it is not always obvious what counts as a “removable” and what as a “fixed” drive. For instance, internal SATA drives in AHCI mode that support hot swapping may be classified as removable drives by BitLocker even though they are built into the computer.
BitLocker treats fixed data drives that are not the system drive differently: every standard user can turn on BitLocker for them. This also works on computers without a TPM, because the TPM only ever protects the operating system drive; the policy that allows BitLocker without a compatible TPM (“Require additional authentication at startup”) is only relevant for the system drive.
Thus, no (official) Group Policy setting exists that would allow admins to prevent users from encrypting fixed data drives with BitLocker. If you want to disable BitLocker completely, fixed data drives are your main concern, because Microsoft does not offer a simple switch to turn off BitLocker for those media.
Of course, if you have users with administrator rights in your network, you have to take into account that they can also encrypt the system drive with BitLocker. The tricks below help prevent admins from using BitLocker; however, a capable admin will always be able to bypass your configuration, for example by restoring the Registry keys you deleted. You can at least decrease the likelihood that end users who merely have admin rights for practical reasons are tempted to turn on BitLocker.
Remove “Turn on BitLocker” context menu
I think most users stumble across BitLocker when they right-click a drive letter in File Explorer. Thus, a simple way to keep users from encrypting a drive with BitLocker is to remove this menu entry.
Turn on BitLocker has been removed
This can be done by deleting the Registry key HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde together with its subkeys. (HKEY_CLASSES_ROOT is a merged view; the key actually lives in HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shell, so the change is machine-wide.) I suggest that you first back up the key to a REG file in the Registry Editor (right-click the key and select Export).
Export Registry key
You can remove the BitLocker context menu across your entire network with the help of Group Policy Preferences: create a Registry item with Delete as the action, HKEY_CLASSES_ROOT as the hive, and Drive\shell\encrypt-bde as the key path. Registry items can be configured under both Computer Configuration and User Configuration in Group Policy Preferences; which option is better depends on your environment.
Remove Turn on BitLocker from File Explorer with Group Policy Preferences
Note that if you want to restore the context menu later, you have to restore the entire encrypt-bde key with its subkeys, so keep the REG file.
Hide BitLocker Control Panel applet
More experienced users might know that they can also encrypt drives with BitLocker through the corresponding Control Panel applet. You can easily remove BitLocker Drive Encryption from the Control Panel with Group Policy.
No BitLocker applet in Control Panel
Navigate to User Configuration > Policies > Administrative Templates > Control Panel and edit the “Hide specified Control Panel items” policy. After you enable the policy, open the “List of disallowed Control Panel items” and add “BitLocker Drive Encryption” (or its canonical name, Microsoft.BitLockerDriveEncryption).
Hide BitLocker Drive Encryption from Control Panel with Group Policy
Note that no corresponding Computer Configuration exists for this policy.
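The two hiding measures above can be applied to a single test machine with PowerShell before you roll them out through Group Policy Preferences and the “Hide specified Control Panel items” policy. The following script is an added example, not code from the article: it backs up and deletes the context-menu verb keys and writes the user-side DisallowCpl values that the policy would set. The encrypt-bde-elev key (present on Windows 10, handled only if it exists) and the backup folder are assumptions of the script. Run it from an elevated prompt.

```powershell
# Added example (not from the article): apply both UI-hiding measures locally.
$ErrorActionPreference = 'Stop'

# 1. Back up, then delete, the "Turn on BitLocker" context-menu verbs.
#    Windows 8.1 has encrypt-bde; Windows 10 also carries encrypt-bde-elev
#    (assumption; the loop skips any key that is not there).
$backupDir = Join-Path $env:ProgramData 'BitLockerMenuBackup'   # assumed location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($verb in 'encrypt-bde', 'encrypt-bde-elev') {
    $psPath = "Registry::HKEY_CLASSES_ROOT\Drive\shell\$verb"
    if (-not (Test-Path $psPath)) { continue }
    # reg.exe export produces a .reg file that "reg import" restores later,
    # including all subkeys, which is what the article's restore note requires.
    & reg.exe export "HKCR\Drive\shell\$verb" (Join-Path $backupDir "$verb.reg") /y | Out-Null
    Remove-Item -Path $psPath -Recurse
}

# 2. Hide the Control Panel applet for the current user. This is the registry
#    footprint of the User Configuration policy "Hide specified Control Panel
#    items": DisallowCpl=1 plus a DisallowCpl subkey listing the applets.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorer -Force | Out-Null
New-Item -Path "$explorer\DisallowCpl" -Force | Out-Null
Set-ItemProperty -Path $explorer -Name DisallowCpl -Type DWord -Value 1
# Canonical name of the applet; the policy UI also accepts the display name.
Set-ItemProperty -Path "$explorer\DisallowCpl" -Name '1' -Value 'Microsoft.BitLockerDriveEncryption'

# Verify: the verb keys are gone and the applet is on the disallow list.
'encrypt-bde', 'encrypt-bde-elev' | ForEach-Object {
    [pscustomobject]@{ Key = $_; StillPresent = Test-Path "Registry::HKEY_CLASSES_ROOT\Drive\shell\$_" }
}
Get-ItemProperty -Path "$explorer\DisallowCpl"
```

Because the verb keys sit under HKLM\SOFTWARE\Classes, the deletion affects every user of the machine, while the DisallowCpl values only affect the profile the script runs in; that is why the article uses a computer-side preference for the first measure and a user-side policy for the second.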
Disable BitLocker for fixed data drives
The two configurations above only hide BitLocker from users. Advanced users could still open a command prompt and encrypt drives with the manage-bde command (or, on Windows 8 and later, with the Enable-BitLocker PowerShell cmdlet). With the trick I describe now, BitLocker is effectively disabled from the command line as well. However, there is one requirement: users must not have smart cards with certificates that BitLocker could use, because the policy only blocks encryption when no suitable smart card is present. I guess this is the case in most environments.
In the Group Policy Editor, navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Fixed Data Drives. Enable the “Configure use of smart cards on fixed data drives” policy and select its “Require use of smart cards on fixed data drives” check box.
Require use of smart cards on fixed data drives
If you enable “Require use of smart cards on fixed data drives” in your network through Group Policy, users will get the error message “A smart card wasn’t detected. Insert your smart card and try again” when they try to encrypt a fixed data drive. You can tell that the policy is in effect because the “Use my smart card to unlock the drive” check box in the BitLocker wizard is selected and greyed out.
A smart card wasn't detected
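The two machine-side policies used in this article (the removable-drive control and the smart card requirement for fixed data drives) can be tested on one machine as local policy values before the GPO is deployed; domain Group Policy writes the same values. The script below is an added example, not from the article. The value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are taken from the BitLocker ADMX templates and are an assumption of this script, as are the Get-BitLockerVolume and Get-Volume cmdlets, which need Windows 8 / Server 2012 or later. Run it from an elevated prompt.

```powershell
# Added example (not from the article): local-policy equivalents of the GPO
# settings, plus a report of which volumes each setting applies to.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # value names are assumptions from the ADMX
New-Item -Path $fve -Force | Out-Null

# "Control use of BitLocker on removable drives": Enabled, with
#   [ ] Allow users to apply BitLocker protection on removable data drives
#   [x] Allow users to suspend and decrypt BitLocker protection on removable data drives
Set-ItemProperty -Path $fve -Name RDVConfigureBDE -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name RDVAllowBDE     -Type DWord -Value 0
Set-ItemProperty -Path $fve -Name RDVDisableBDE   -Type DWord -Value 1

# "Configure use of smart cards on fixed data drives": Enabled, with
#   [x] Require use of smart cards on fixed data drives
Set-ItemProperty -Path $fve -Name FDVAllowUserCert   -Type DWord -Value 1
Set-ItemProperty -Path $fve -Name FDVEnforceUserCert -Type DWord -Value 1

# Read the effective values back. A domain GPO that sets them differently
# overwrites these on the next policy refresh, so compare with gpresult /h.
function Get-FveRestrictionPolicy {
    $p = Get-ItemProperty -Path $fve
    [pscustomobject]@{
        RemovableControlled     = [bool]$p.RDVConfigureBDE
        RemovableUserCanEncrypt = [bool]$p.RDVAllowBDE
        FixedSmartCardRequired  = [bool]$p.FDVEnforceUserCert
    }
}

# Which policy applies to which volume? BitLocker's own view (OperatingSystem
# vs Data) combined with how Windows classifies the media (Fixed vs Removable)
# shows where the article's caveat about hot-swap SATA drives bites.
function Get-BitLockerExposure {
    foreach ($bv in Get-BitLockerVolume) {
        $letter = $bv.MountPoint.TrimEnd(':', '\')
        $vol = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Drive      = $bv.MountPoint
            VolumeType = $bv.VolumeType        # OperatingSystem or Data
            DriveType  = $vol.DriveType        # Fixed or Removable
            Status     = $bv.VolumeStatus      # FullyDecrypted, FullyEncrypted, ...
            Protection = $bv.ProtectionStatus  # Off or On
        }
    }
}

Get-FveRestrictionPolicy
Get-BitLockerExposure | Format-Table -AutoSize
```

After the values are in place, a standard user who runs manage-bde -on against a Data volume of DriveType Fixed should receive the “A smart card wasn’t detected” error shown above; a volume that Windows reports as Removable is governed by the RDV values instead.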
How not to disable BitLocker
If you google the topic, you’ll find other suggestions for how to disable BitLocker. Some sites recommend enabling the Group Policy setting “Store BitLocker recovery information in Active Directory Domain Services.” If your Active Directory isn’t prepared to store BitLocker recovery information, users can’t encrypt their drives. However, this setting only applies to Windows Server 2008 and Windows Vista.
In some forums, users suggest disabling the BitLocker Drive Encryption service. Unfortunately, this doesn’t prevent users from encrypting drives. The service is only responsible for various BitLocker-related features such as automatic unlocking.
Summary
If you only want to prevent standard users from using BitLocker, use the corresponding Group Policy setting for removable drives and require smart cards for encrypting fixed data drives. In addition, you can avoid help desk calls by hiding the BitLocker context menu and the BitLocker Control Panel applet.
What policy does your organization have? Are users allowed to encrypt with BitLocker?
Hi,
We are facing an issue and hope to get some help.
Our laptops (Windows 7) have BitLocker enabled.
Now we are looking at disabling Startup Repair via GPO on all Windows 7 PCs, including laptops.
After receiving the DisableStartupRepair GPO, the laptop asks for the BitLocker recovery key on restart.
We have thousands of laptops out there, and it is not possible to enter the key for each.
What could be the workaround for this scenario?
What if we 1. disable BitLocker (temporarily), then 2. push out DisableStartupRepair, and then 3. re-enable BitLocker? Is this achievable, and how do we disable and re-enable BitLocker organization-wide?
Or are there any other workarounds? Thank you.
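For the scenario in the question above, suspending BitLocker around the boot-configuration change is usually preferable to decrypting and re-encrypting thousands of drives: while the protectors are suspended the TPM measurements are not checked, and when they are re-enabled the TPM re-seals the key against the new boot configuration. The script below is an added example and is not part of the thread or the article. It is written for Windows 7, where only manage-bde.exe is available (on Windows 8 and later, Suspend-BitLocker -RebootCount 1 does the suspend-and-re-arm part on its own). It assumes C: is the operating system volume, that the script runs elevated (for example as a computer startup script or a remote scheduled task running as SYSTEM), and that turning off Startup Repair with bcdedit is the change being rolled out; the task name is a placeholder.

```powershell
# Added example (not from the thread): suspend BitLocker for one reboot around
# a boot-configuration change, re-arming the protectors at the next boot.
$ErrorActionPreference = 'Stop'
$OsDrive  = 'C:'                 # assumption: OS volume
$TaskName = 'ResumeBitLocker'    # assumption: name of the re-arm task

function Get-ProtectionStatus([string]$Drive) {
    # manage-bde -status prints "Protection Status: Protection On|Off" for the volume
    $text = & manage-bde.exe -status $Drive | Out-String
    if ($text -match 'Protection Status:\s+Protection (On|Off)') { return $Matches[1] }
    throw "BitLocker status for $Drive not readable (is BitLocker enabled on it?)"
}

if ((Get-ProtectionStatus $OsDrive) -eq 'On') {
    # Suspend: protectors are disabled and the volume key is stored in the clear
    # until they are re-enabled, so keep the window to a single reboot.
    & manage-bde.exe -protectors -disable $OsDrive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "suspending BitLocker on $OsDrive failed" }
}

# Re-arm the protectors at the next boot, before any user logs on, then
# delete the task so it does not run again. Register this BEFORE rebooting.
$resume = "manage-bde.exe -protectors -enable $OsDrive & schtasks.exe /delete /tn $TaskName /f"
& schtasks.exe /create /f /tn $TaskName /sc onstart /ru SYSTEM /tr "cmd.exe /c $resume" | Out-Null
if ($LASTEXITCODE -ne 0) {
    # Do not leave the volume suspended with nothing to re-arm it.
    & manage-bde.exe -protectors -enable $OsDrive | Out-Null
    throw 'could not register the re-arm task; BitLocker re-enabled, not rebooting'
}

# The change that would otherwise send the machine into recovery
# (here: disabling Startup Repair in the BCD).
& bcdedit.exe /set '{default}' recoveryenabled No | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; re-arm task is still registered' }

Restart-Computer -Force
```

Verify on a pilot group first: after the reboot, manage-bde -status C: must report “Protection On” again and the ResumeBitLocker task must be gone. If a machine still prompts for the recovery key, the change touched something the TPM validation profile does not cover by suspension alone, and that machine needs its recovery password from AD before the rollout continues.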
Individual results may vary, but I found that the registry key “encrypt-bde-elev” also needed to be removed to prevent the context menu. (As with the other, export it and save it in case it must be restored.)
Maybe it depends on the Windows version. This article is more than two years old and was based on Windows 8.1. Did you try it in Windows 10?
Questions:
1. How do you decrypt a drive and remove BitLocker policies from a laptop that is joined to a domain?
2. Why does BitLocker display the recovery option after a machine has been recovered? It keeps going into recovery mode; is there a way we can fix this?
Please assist.
Thanks
Kunal
You can turn off BitLocker in Control Panel > System and Security > BitLocker Drive Encryption. If the machine is a domain member, you have to edit the corresponding policies on the domain controller. If you just want to temporarily disable the policies so you can fix the machine, you can remove the computer from its container.
I didn’t have your second problem. I would turn off BitLocker, reboot and then encrypt the drive again.
The article was great and I took advantage of most of the steps in it; great post! I’ve added the below for those of you that would like to ban your Green Administrators from ever running BitLocker in your environment. Or at least slow them way down. 😉
This method strips privileges away from all users on manage-bde.exe and adds another group to which you can add an Active Directory group, in the event you need to use it.
You can also run the following after each major Windows Redstone upgrade:
$file = "C:\Windows\System32\manage-bde.exe"
# Create the group once; later runs (after each upgrade) reuse it
if (-not (Get-LocalGroup -Name "Bitlocker-Admin" -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name "Bitlocker-Admin" -Description "Provides Administrative Access to Bitlocker." | Out-Null
}
$ACL = Get-Acl $file
# Save the current descriptor as SDDL; it can be restored later with
# $a = Get-Acl $file; $a.SetSecurityDescriptorSddlForm((Get-Content manage-bde.acl)); Set-Acl $file $a
$ACL.Sddl | Out-File manage-bde.acl
# The file is owned by TrustedInstaller; take ownership so the DACL can be changed
$ACL.SetOwner((New-Object System.Security.Principal.NTAccount("Builtin", "Administrators")))
# Drop the inherited ACEs; this is the step that actually strips access from everyone else
$ACL.SetAccessRuleProtection($true, $false)
# Grant only SYSTEM and the new group
$ACL.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("NT AUTHORITY\SYSTEM", "FullControl", "Allow")))
$ACL.SetAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule("Bitlocker-Admin", "FullControl", "Allow")))
Set-Acl -Path $file -AclObject $ACL
Is there a way I can prevent users from using "Suspend BitLocker" or "Turn Off BitLocker" from control panel applet?
Only users with local administrator rights can suspend or turn off BitLocker. Of course, the best practice for end users is not to give them local admin permissions.
BitLocker || Recover forgotten PIN code
If the user turns on the laptop and does not remember the PIN, the following should happen:
• Start the laptop
• Press ESC in the BitLocker screen
• Search for: Location XXXXXXXXXX for the correct recovery file
• Open this file (text editor)
• Read the “Recovery key” that is in the file and let the user enter it on the laptop
• The laptop will restart
• The user can log in
• Go to "Manage BitLocker"
• Select: Change PIN code
• Select: Recover forgotten PIN code
HOW TO CHANGE YOUR PIN IF YOU ARE NOT ADMIN? Can I indicate in Group Policy that if a user forgets the PIN, it doesn't ask for the administrator password?
For Windows 10 laptops that come from the factory, BitLocker encryption is enabled by default (128-bit).
We have our own MBAM solution (256-bit), which fails when we push it to the client because the drives are already encrypted.
Is there an automated way to find and decrypt all drives in the domain through a policy before we push our MBAM solution?
TIA
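Both Kunal’s first question and the MBAM question above come down to decrypting drives centrally. A computer startup script deployed through Group Policy (Computer Configuration > Windows Settings > Scripts) runs as SYSTEM on every domain member at boot and can do that. The script below is an added example, not from the thread or the article, and assumes Windows 8 or later for the BitLocker cmdlets; the list of encryption methods treated as “factory” and the log path are assumptions you would adjust. Run with -WhatIf first to see which volumes it would touch.

```powershell
# Added example (not from the thread): decrypt every volume still encrypted
# with one of the listed methods so a stronger policy can re-encrypt it later.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumption: factory device encryption uses a 128-bit method.
    [string[]]$FactoryMethods = @('XtsAes128', 'Aes128', 'Aes128Diffuser'),
    [string]$LogPath = "$env:ProgramData\bitlocker-decrypt.log"   # assumed log location
)

function Write-Log([string]$Message) {
    Add-Content -Path $LogPath -Value ('{0:u} {1}' -f (Get-Date), $Message)
}

function Select-FactoryEncryptedVolume {
    param([object[]]$Volumes, [string[]]$Methods)
    # Only volumes that still carry one of the target methods; volumes already
    # decrypting or in clear text are skipped so the script is safe to re-run.
    $Volumes | Where-Object {
        $_.VolumeStatus -in 'FullyEncrypted', 'EncryptionInProgress' -and
        $_.EncryptionMethod -in $Methods
    }
}

$targets = @(Select-FactoryEncryptedVolume -Volumes (Get-BitLockerVolume) -Methods $FactoryMethods)
if ($targets.Count -eq 0) { Write-Log 'nothing to do'; return }

foreach ($vol in $targets) {
    if ($PSCmdlet.ShouldProcess($vol.MountPoint, "Disable-BitLocker ($($vol.EncryptionMethod))")) {
        try {
            # Disable-BitLocker removes the key protectors and starts background
            # decryption; the volume stays usable while it runs.
            Disable-BitLocker -MountPoint $vol.MountPoint -ErrorAction Stop | Out-Null
            Write-Log "started decryption of $($vol.MountPoint) ($($vol.EncryptionMethod))"
        } catch {
            Write-Log "FAILED $($vol.MountPoint): $($_.Exception.Message)"
        }
    }
}

# Progress per boot; push the 256-bit policy only once everything is FullyDecrypted.
foreach ($v in Get-BitLockerVolume) {
    Write-Log ('{0} {1} {2}%' -f $v.MountPoint, $v.VolumeStatus, $v.EncryptionPercentage)
}
```

Decryption of a full disk takes hours and survives reboots, so the script is meant to run on every start until the log reports FullyDecrypted for each target; only then should the MBAM client be deployed.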
I have an external HDD which is 2TB. I have partitioned it into two parts, 1.03TB and 800GB. I have used BitLocker for the 800GB part. I have been decrypting it with the correct password all the time. Only yesterday, when I entered the correct password, the password box froze with the cursor blinking at the last password character. If I put in a wrong password, it tells me the password is incorrect. So what can I do? I know my recovery code too.