This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(156.8, 59%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EI%3C/text%3E%3C/svg%3E)
I have deployed a BitLocker policy from Intune to the device.
The device gets successfully encrypted.
However, I can manually turn off bitlocker and de-crypt the device. Post that, Intune does not re-encrypt my device again.
Is there any way from Intune to prevent users from manually turning off BitLocker on their devices ?
Hi there,
You can achieve this by BitLocker group policy settings. This policy setting is used to prevent users from turning BitLocker on or off on removable data drives.BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption.
Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives
You can select property settings that control how users can configure BitLocker.
BitLocker group policy settings
I hope this information helps. If you have any questions please let me know and I will be glad to help you out.
--------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--
Hi @Limitless Technology , thanks a lot for your response.
The article provided states only about Removable Data Drives.
However, I guess users can still manipulate BitLocker settings on OS System drives and Fixed Data drive.
Is there any way to prevent users to manage BitLocker settings for OS System drives and Fixed Data drives also ?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 77%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
As long as your users are admins, you cannot limit their actions without using 3rd party products.
As admin, I can revert any GPO restriction in seconds, so it's useless to look for ways, unless you hope for "security by obscurity".
Local admins need to be trusted, else, make them restricted users.
Standard users cannot decrypt. Only admins can decrypt, which makes me wonder if your users are admins.
Hello @MTG , thanks a lot for your response.
Yes, my users are local admins on their device.
Is there any configuration settings which can be applied from Intune by which we could block decrypting of the device/turning off BitLocker ?