Disable BitLocker on removable drives with Group Policy

In contrast, standard users have the right to encrypt removable drives. You can turn off this feature in your network with the Group Policy setting “Control use of BitLocker on removable drives,” which you can find under Computer Configuration > Policies > Administrative Templates > Windows Components > BitLocker Drive Encryption > Removable Data Drives. Note that it is sometimes unclear what counts as a “removable” drive and what is considered a “fixed” drive. For instance, SATA drives with AHCI that support hot swapping might be considered removable drives by BitLocker even if they are internal drives.

BitLocker treats fixed drives that are not system drives differently. Every standard user can turn on BitLocker for those drives. This also works if the computer lacks a TPM chip; the policy that allows BitLocker drive encryption without a TPM is only needed for boot drives. Thus, no (official) Group Policy setting exists that would allow admins to prevent users from encrypting fixed drives with BitLocker. If you want to completely disable BitLocker, fixed data drives are your main concern, because Microsoft does not offer a simple switch to turn off BitLocker for those media.

Of course, if you have users with administrator rights in your network, you have to take into account that they can also encrypt system drives with BitLocker. The tricks below help prevent admins from using BitLocker; however, you should be aware that a capable admin will always be able to bypass your configuration. You can, at least, decrease the likelihood that end users who have admin rights just for practical reasons are encouraged to turn on BitLocker.

Remove “Turn on BitLocker” context menu

I think most users stumble across BitLocker when they right-click a drive letter in File Explorer. Thus, a simple way to prevent users from encrypting a drive with BitLocker is to remove this menu entry. This can be done by deleting the “encrypt-bde” Registry key with its sub keys under HKEY_CLASSES_ROOT > Drive > shell. I suggest that you first back up the key to a REG file in the Registry editor (right-click the key and select Export). Note that if you want to restore the context menu later, you have to restore the entire encrypt-bde key with its sub keys.

You can remove the BitLocker context menu across your entire network with the help of Group Policy Preferences. To do so, select Delete as the action, HKEY_CLASSES_ROOT as the hive, and Drive\shell\encrypt-bde as the key path. Registry settings can be configured for either users or computers with Group Policy Preferences. Which option is better? It depends on your environment.

Remove Turn on BitLocker from File Explorer with Group Policy Preferences

Hide BitLocker Drive Encryption from Control Panel with Group Policy

More experienced users might know that they can also encrypt drives with BitLocker through the corresponding Control Panel applet. You can easily remove BitLocker Drive Encryption from the Control Panel with Group Policy. Navigate to User Configuration > Policies > Administrative Templates > Control Panel and edit the “Hide specified Control Panel items” policy. After you enable the policy, you have to change the “List of disallowed Control Panel items” and add “BitLocker Drive Encryption.” Note that no corresponding Computer Configuration exists for this policy.

Disable BitLocker for fixed data drives

The above two configurations only hide BitLocker from users. Advanced users could still open a command prompt and encrypt drives with the manage-bde command. With the trick I describe now, BitLocker will essentially be disabled from the command prompt. The computer should not have a smart card reader, or users should not have a smart card. I guess this is the case for most environments.
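The context menu removal described in this article (back up the encrypt-bde key, delete it, restore it whole later), as an added PowerShell example that is not part of the original article. It assumes an elevated session, the HKEY_CLASSES_ROOT\Drive\shell\encrypt-bde key named in the article, and a backup path of my own choosing; the Audit action lets you check a machine before and after the change.

```powershell
<#
  Added example, not the article's own code: audit, back up, remove and
  restore the "Turn on BitLocker" context menu key. Run elevated.
#>
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Backup', 'Remove', 'Restore')]
    [string]$Action = 'Audit',
    # Assumed backup location; any writable path works.
    [string]$BackupFile = "$env:ProgramData\encrypt-bde-backup.reg"
)

$keyPath = 'Drive\shell\encrypt-bde'              # key named in the article
$regKey  = "HKEY_CLASSES_ROOT\$keyPath"

# HKCR is not a default PowerShell drive, so map it before touching the key.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Test-BitLockerContextMenu {
    # True while "Turn on BitLocker" is still offered in File Explorer.
    return Test-Path -LiteralPath "HKCR:\$keyPath"
}

switch ($Action) {
    'Audit' {
        if (Test-BitLockerContextMenu) { "PRESENT: $regKey (context menu available)" }
        else                           { "ABSENT:  $regKey (context menu removed)" }
    }
    'Backup' {
        # Same as Export in the Registry editor: the key and all sub keys in one file.
        reg.exe export $regKey $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed ($LASTEXITCODE)" }
        "Backed up $regKey to $BackupFile"
    }
    'Remove' {
        # Refuse to delete without a backup, since restoring needs the whole key.
        if (-not (Test-Path -LiteralPath $BackupFile)) {
            throw "Run -Action Backup first; the key must be restored whole later."
        }
        Remove-Item -LiteralPath "HKCR:\$keyPath" -Recurse -Force
        "Removed $regKey"
    }
    'Restore' {
        # Re-imports the entire key with its sub keys, as the article requires.
        reg.exe import $BackupFile | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg.exe import failed ($LASTEXITCODE)" }
        "Restored $regKey from $BackupFile"
    }
}
```

Deploying the deletion through Group Policy Preferences, as the article describes, is the better fit for a whole network; this script is for a single machine or for verifying that the preference item actually applied.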