
Prevent Local Administrators from managing BitLocker with the manage-bde command

Posted on 16/01/2024 (updated 06/12/2024) by Christian

BitLocker is the Windows full-volume encryption technology. It protects data from unauthorized access by encrypting the drive and requiring one or more authentication factors before the volume is unlocked. In this blog post, we shall discuss how to prevent local administrators from managing BitLocker with the manage-bde command by using an AppLocker executable rule. Please see also how to correctly disable BitLocker on Windows Server.

As you can see below, I recently enabled BitLocker on this server just to show you the steps. At this point it is still possible to turn off BitLocker as a local Administrator. When we are done creating the AppLocker rules, this will no longer be possible through manage-bde.

Program blocked

Why Should I Prevent Local Administrators From Disabling BitLocker?

Preventing local administrators from disabling BitLocker is crucial to maintaining robust security measures. Disabling BitLocker, if in the hands of local administrators, poses a significant risk by potentially exposing sensitive data to unauthorized access or tampering.

Restricting this capability ensures the consistent enforcement of encryption protocols, safeguarding the integrity and confidentiality of the system’s contents against potential threats or breaches.

Please see how to fix this computer is a domain controller: The snap-in cannot be used on a domain controller, how to save and stop modification to Microsoft Management Console, and how to Disable BitLocker on Windows 10.

Disallow Administrators from Turning Off BitLocker

To restrict Administrators from disabling BitLocker in a domain environment, deploy the AppLocker executable rule described below through a Group Policy Object rather than the Local Security Policy. A member of the local Administrators group can edit or remove local policy at will, but a domain GPO is reapplied at every policy refresh and can only be changed by whoever manages that GPO, so the denial holds.

Group Policy is a hierarchical infrastructure that allows a network administrator in charge of Microsoft’s Active Directory to implement specific configurations for users and computers. Group Policy is primarily a security tool, and can be used to apply security settings to users and computers.

Below are the steps to do this locally on a Windows client PC or a Windows server. Remember, BitLocker is not installed by default on Windows Server: add the BitLocker Drive Encryption feature via Server Manager (Add Roles and Features) first. See also how to change a BitLocker password in Windows.

What is AppLocker?

AppLocker is an application allowlisting technology introduced with Windows 7 and Windows Server 2008 R2. It lets you control which apps and files users can run, with rules for executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs) and packaged apps. Each rule either allows or denies a file for a user or group, and a Deny rule always takes precedence over an Allow rule that matches the same file.

What is Manage-BDE Command?

manage-bde.exe is the BitLocker command-line tool: it can turn BitLocker on or off, add or remove key protectors, and suspend or resume protection. Its -status switch lists every drive on the computer and whether it is BitLocker-protected, including size, BitLocker version, conversion status, percentage encrypted, encryption method, protection status, lock status, identification field and key protectors.

Step 1: Access the Services Manager

Open the Services snap-in by running services.msc. Make sure the Application Identity service (AppIDSvc) is running: AppLocker rules are not enforced while it is stopped. Right-click the service and select Start if it isn't running. On a domain-joined machine, also set its startup type to Automatic through Group Policy (Computer Configuration > Windows Settings > Security Settings > System Services) so that enforcement survives a reboot.

Start Application Identity service

The service is running now.

Identity service

Step 2: Local Security Policy

Next, launch the Local Security Policy snap-in. Press Win + R, type secpol.msc in the Run dialog box and click OK, or search for it from the Start menu.

secpol.msc

Next, in the Security Policy snap-in window, navigate to Security Settings > Application Control Policies > AppLocker > Executable Rules.

Right click on Executable Rules, select Create New Rule.

Click Next to continue

Before you begin - AppLocker

On the Permissions tab, select Action Deny.

AppLocker-Deny Action

On the Permissions page, select the user or group you want to prevent from turning off BitLocker, for example the local Administrators group, and click Next.


Check Names

Object found

Click Next

Permission-Applocker

On the Conditions page, select Publisher and click Next.

Publishers-AppLocker

On the Publisher page, click Browse to pick a reference file.

Reference file

Browse to C:\Windows\System32 and select manage-bde.exe.

Manage BitLocker

Click Next to continue with the rule set up.

Publisher settings for BitLocker

On the Exceptions page, click Next; no exception is needed for this rule.

Exception AppLocker

On the Name and Description page, give the rule a name (and optionally a description) and click Create.


If this is the first executable rule on the machine, AppLocker warns that no default rules exist and asks whether to create them. Click Yes. This matters: once an Executable Rules collection contains any rule, AppLocker denies everything that is not explicitly allowed, so a collection holding only our Deny rule would block every other program for every user as soon as enforcement starts. The default rules allow the Program Files and Windows folders for everyone and all files for Administrators; our Deny rule still wins for manage-bde.exe.

warning AppLocker prompt

Here are the created rules: the three default Allow rules and the Deny rule that prevents Administrators from running manage-bde.exe.

Rules to prevent admins from disabling BitLocker

Close the Local Security Policy snap-in and run gpupdate /force to refresh the computer's policy. You may want to learn about Group Policy GPUpdate Commands.

GP update

Now let's test. Run manage-bde -status from a prompt running as a member of the Administrators group: the program is blocked.

Cannot enable or disable BitLocker via the manage-bde command
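The same rule built from PowerShell, as an added example that is not part of the original post. It uses the cmdlets of the AppLocker module rather than the secpol.msc wizard, generates the default Allow rules itself when the local policy has none (the wizard's "Yes" prompt does this for you), and dry-runs the policy before applying it. Assumptions: an elevated Windows PowerShell 5.1 session on the machine being configured; $PolicyXml is any writable path you choose; the two BitLockerWizard binaries are only added if they exist on the build.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): create an AppLocker Deny rule for
# manage-bde.exe (and the BitLocker wizard) scoped to Administrators.
Import-Module AppLocker

$AdminsSid = 'S-1-5-32-544'                                   # well-known SID of BUILTIN\Administrators
$PolicyXml = Join-Path $env:TEMP 'deny-bitlocker-mgmt.xml'    # assumption: any writable path

# 1. AppLocker rules are only enforced while the Application Identity service runs.
#    (Its start type is protected on recent builds; set "Automatic" via Group Policy,
#    Security Settings > System Services, rather than Set-Service.)
if ((Get-Service -Name AppIDSvc).Status -ne 'Running') { Start-Service -Name AppIDSvc }

# 2. Executables to deny: manage-bde.exe from the post, plus the Control Panel
#    "Turn off BitLocker" wizard binaries, included only if present on this build.
$Targets = @(
    "$env:SystemRoot\System32\manage-bde.exe",
    "$env:SystemRoot\System32\BitLockerWizard.exe",
    "$env:SystemRoot\System32\BitLockerWizardElev.exe"
) | Where-Object { Test-Path -Path $_ }

# 3. New-AppLockerPolicy only emits Allow rules, so generate Publisher rules for the
#    targets and flip each one to Deny, scoped to the Administrators SID.
$FileInfo = Get-AppLockerFileInformation -Path $Targets
[xml]$Policy = New-AppLockerPolicy -FileInformation $FileInfo -RuleType Publisher `
                   -RuleNamePrefix 'Deny BitLocker management' -IgnoreMissingFileInformation -Xml
foreach ($rule in $Policy.SelectNodes('//FilePublisherRule')) {
    $rule.SetAttribute('Action', 'Deny')
    $rule.SetAttribute('UserOrGroupSid', $AdminsSid)
}

# 4. An Exe collection that holds only a Deny rule blocks every other executable for
#    everyone (AppLocker is default-deny once a collection has rules). Add the default
#    Allow rules unless the local policy already has Exe rules.
[xml]$Local = Get-AppLockerPolicy -Local -Xml
if (-not $Local.SelectSingleNode("//RuleCollection[@Type='Exe']/*")) {
    $exe = $Policy.SelectSingleNode("//RuleCollection[@Type='Exe']")
    $defaults = @(
        @{ Name = '(Default Rule) All files located in the Program Files folder'; Path = '%PROGRAMFILES%\*'; Sid = 'S-1-1-0' }
        @{ Name = '(Default Rule) All files located in the Windows folder';       Path = '%WINDIR%\*';       Sid = 'S-1-1-0' }
        @{ Name = '(Default Rule) All files';                                     Path = '*';                Sid = $AdminsSid }
    )
    foreach ($d in $defaults) {
        $r = $Policy.CreateElement('FilePathRule')
        $r.SetAttribute('Id', [guid]::NewGuid().ToString())
        $r.SetAttribute('Name', $d.Name)
        $r.SetAttribute('Description', '')
        $r.SetAttribute('UserOrGroupSid', $d.Sid)
        $r.SetAttribute('Action', 'Allow')
        $conds = $Policy.CreateElement('Conditions')
        $cond  = $Policy.CreateElement('FilePathCondition')
        $cond.SetAttribute('Path', $d.Path)
        [void]$conds.AppendChild($cond)
        [void]$r.AppendChild($conds)
        [void]$exe.AppendChild($r)
    }
}
$Policy.Save($PolicyXml)

# 5. Dry run before applying: every target must come back as Denied for Administrators.
Test-AppLockerPolicy -XmlPolicy $PolicyXml -Path $Targets -User 'Administrators' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 6. Merge into the local policy and refresh. Deny rules always win over Allow rules.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
gpupdate /force | Out-Null
```

Test-AppLockerPolicy should report PolicyDecision Denied for each target before anything is applied. To deploy the same XML from a domain GPO instead of the local policy, call Set-AppLockerPolicy with -Ldap and the GPO's LDAP path instead of writing to the local policy. The rule covers the listed executables only: Disable-BitLocker from the BitLocker PowerShell module and the Win32_EncryptableVolume WMI class are separate paths to the same operations.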

If you also want to block the graphical route, the BitLocker Drive Encryption wizard that the Control Panel's "Turn off BitLocker" link launches, create a further Deny rule in the same way for its executables (BitLockerWizard.exe and BitLockerWizardElev.exe in C:\Windows\System32).

Keep in mind what an executable rule does and does not cover. It blocks the manage-bde.exe binary only: the BitLocker PowerShell module (Disable-BitLocker, Suspend-BitLocker) and the Win32_EncryptableVolume WMI class expose the same operations and are untouched by it. And because secpol.msc edits local policy, a member of the local Administrators group can remove the rule or stop the Application Identity service. On its own the rule is a guard-rail against casual or accidental changes; to make it a control, deploy it from a domain GPO and monitor both BitLocker state and the AppLocker event log.

BitLocker Drive Encryption

FAQs

What Steps Can I Take to Ensure BitLocker Persistence Against Local Administrator Disabling?

Deploy the AppLocker rule through a domain Group Policy Object rather than the Local Security Policy. Local policy can be edited by any member of the local Administrators group, whereas a domain GPO is reapplied at every policy refresh and can only be changed by whoever manages that GPO.

How Can I Secure BitLocker Settings to Resist Local Administrator Changes?

Use the domain GPO above, or deploy BitLocker policy and compliance baselines with Microsoft Configuration Manager or Intune, which flag volumes whose protection has been turned off, to safeguard against unauthorized changes by local administrators.

What Measures Should I Take to Harden BitLocker Against Local Administrator Tampering?

Regularly audit BitLocker state (Get-BitLockerVolume or manage-bde -status) and the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL, event ID 8004 for executables that were prevented from running) with PowerShell scripts or a security information and event management (SIEM) solution, so that unauthorized changes are spotted and reverted promptly.
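An audit of that kind, as an added example that is not part of the original post. It checks that the guard-rail from this post is still in place (Application Identity service running, a Deny rule for manage-bde.exe in the effective AppLocker policy), lists recent blocked attempts from the AppLocker log, and reports every volume whose BitLocker protection is not on, including volumes that were merely suspended. Assumptions: an elevated Windows PowerShell 5.1 session on the audited machine; $Hours is your look-back window; the output path is any writable location.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit the BitLocker/AppLocker guard-rail
# and produce a record that can be shipped to a SIEM.
Import-Module AppLocker
Import-Module BitLocker

function Get-BitLockerGuardReport {
    param([int]$Hours = 24, [switch]$ResumeSuspended)

    # 1. AppLocker enforces nothing while the Application Identity service is stopped.
    $svcRunning = (Get-Service -Name AppIDSvc).Status -eq 'Running'

    # 2. The effective policy is local policy merged with domain GPOs, i.e. what is
    #    actually enforced. A Publisher rule built from manage-bde.exe carries its
    #    binary name; a rule widened to the whole product (BinaryName '*') also counts.
    [xml]$effective = Get-AppLockerPolicy -Effective -Xml
    $denyConditions = $effective.SelectNodes(
        "//RuleCollection[@Type='Exe']/FilePublisherRule[@Action='Deny']//FilePublisherCondition")
    $ruleOk = [bool]($denyConditions | Where-Object { $_.BinaryName -in 'manage-bde.exe', '*' })

    # 3. Event 8004 in the AppLocker "EXE and DLL" log means "was prevented from running".
    $blocked = @(Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
            Id        = 8004
            StartTime = (Get-Date).AddHours(-$Hours)
        } | Where-Object { $_.Message -like '*manage-bde.exe*' } |
        Select-Object TimeCreated, @{ n = 'UserSid'; e = { $_.UserId.Value } }, Message)

    # 4. Per-volume protection state. ProtectionStatus Off on a FullyEncrypted volume
    #    means BitLocker was suspended (Suspend-BitLocker / manage-bde -protectors -disable):
    #    the data is still encrypted, but the clear key sits on disk until it is resumed.
    $volumes = foreach ($v in Get-BitLockerVolume) {
        $suspended = ($v.VolumeStatus -eq 'FullyEncrypted' -and $v.ProtectionStatus -eq 'Off')
        if ($suspended -and $ResumeSuspended) { Resume-BitLocker -MountPoint $v.MountPoint | Out-Null }
        [pscustomobject]@{
            MountPoint = $v.MountPoint
            VolumeType = $v.VolumeType
            Protection = $v.ProtectionStatus
            Status     = $v.VolumeStatus
            Percent    = $v.EncryptionPercentage
            Protectors = ($v.KeyProtector.KeyProtectorType -join ',')
            Suspended  = $suspended
            Compliant  = ($v.ProtectionStatus -eq 'On' -and $v.VolumeStatus -eq 'FullyEncrypted')
        }
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        AppIdServiceRunning = $svcRunning
        DenyRulePresent     = $ruleOk
        LookbackHours       = $Hours
        BlockedAttempts     = $blocked
        Volumes             = $volumes
        Healthy             = ($svcRunning -and $ruleOk -and -not ($volumes | Where-Object { -not $_.Compliant }))
    }
}

# Usage: a readable summary on screen, then JSON for a log forwarder or SIEM.
$report = Get-BitLockerGuardReport -Hours 24
$report | Select-Object Computer, AppIdServiceRunning, DenyRulePresent, Healthy | Format-List
$report.Volumes | Format-Table -AutoSize
$report | ConvertTo-Json -Depth 4 | Out-File -FilePath (Join-Path $env:TEMP 'bitlocker-guard.json')
```

Healthy is false as soon as any one of the three controls has drifted, which is the condition worth alerting on. The -ResumeSuspended switch re-enables protection on suspended volumes; it is opt-in because a suspension may be legitimate, for example during a firmware update.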

Are There Specific Group Policy Configurations to Prevent Local Administrators from Disabling BitLocker?

Not directly. The BitLocker Group Policy settings govern how drives are encrypted and recovered (for example, requiring recovery information to be backed up to AD DS before protection is turned on), and "Deny write access to removable drives not protected by BitLocker" only blocks writing to unencrypted removable drives. None of them stops a local administrator from turning BitLocker off. What does is the AppLocker executable rule described in this post, delivered through a GPO and combined with monitoring.

I hope you found this blog post on how to Prevent Local Admins from managing BitLocker with manage-bde command useful. Please feel free to leave a comment below.

Categories: Windows, Windows Server. Tags: BitLocker, Microsoft Windows, Windows 10, Windows 11, Windows Server 2016


Comments (2) on “Prevent Local Administrators from managing BitLocker with the manage-bde command”

  1. Gman says:
     16/01/2024 at 8:49 AM

     Great info! Thank you.

     1. Christian says:
        16/01/2024 at 9:19 AM

        You are welcome, Gman
