I'm enabling BitLocker on enterprise Dell laptops and that is working fine. I'm now testing BitLocker To Go and have spotted a permissions issue.
It appears that users can control their own BitLocker To Go settings. It is possible, via Group Policy, to enforce passwords on USB drives and the user can then use this to unlock the drive. They can even change the password if required (the Recovery Key is still stored in AD using a GPO if they forget their password). But there is still the ability in 'Manage BitLocker' to turn off BitLocker To Go completely. This seems absurd! The idea of having BitLocker To Go on USB drives is to stop the theft of content if the drive is lost. Even if a password is on the drive the user could just decide to just turn it off and if the drive is lost then the content is accessible.
I can't find any GPO setting that would stop the ability for a user to turn this off. Nor can I find anything online about it. Surely I'm not the only one to have spotted this. Anyone thought about this and have a way to stop this?
We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.
I'm enabling BitLocker on enterprise Dell laptops and that is working fine. I'm now testing BitLocker To Go and have spotted a permissions issue.
It appears that users can control their own BitLocker To Go settings. It is possible, via Group Policy, to enforce passwords on USB drives and the user can then use this to unlock the drive. They can even change the password if required (the Recovery Key is still stored in AD using a GPO if they forget their password). But there is still the ability in 'Manage BitLocker' to turn off BitLocker To Go completely. This seems absurd! The idea of having BitLocker To Go on USB drives is to stop the theft of content if the drive is lost. Even if a password is on the drive the user could just decide to just turn it off and if the drive is lost then the content is accessible.
I can't find any GPO setting that would stop the ability for a user to turn this off. Nor can I find anything online about it. Surely I'm not the only one to have spotted this. Anyone thought about this and have a way to stop this?
Share this post
Link to post
Share on other sites