Disable User's Ability to Export Bitlocker Keys

BlakeV 5 Reputation points
2023-03-14T01:34:04.31+00:00

We have Win10/11 devices managed via Intune. The Bitlocker key is stored in Intune. Is there a way for us to prevent our users from going into their laptop control panel and exporting their Bitlocker key? We don't want our users to pull the SSD from their work laptop and move it to a personal device.


2 answers

  1. Dillon Silzer 57,826 Reputation points Volunteer Moderator
    2023-03-14T03:12:58.63+00:00

    Hello Blake,

    You can try hiding Bitlocker Management from Control Panel via GPO:

    Navigate to User Configuration > Policies > Administrative Templates > Control Panel and edit the “Hide specified Control Panel items” policy. After you enable the policy, you have to change the “List of disallowed Control Panel items” and add “BitLocker Drive Encryption.”


    Cited from https://4sysops.com/archives/how-to-disable-bitlocker/


    If this is helpful please accept answer.


  2. Crystal-MSFT 53,981 Reputation points Microsoft External Staff
    2023-03-15T01:12:17.21+00:00

    @BlakeV, Thanks for posting in Q&A.

    For the group policy Dillon mentioned, you can configure a similar one under a Settings Catalog policy in Intune. Here are the detailed steps for your reference:

    1. Go to Devices->Configuration profiles, create profile.
    2. Platform: Windows 10 and later. Profile Type: Settings Catalog.
    3. Select "Hide specific Control Panel items (User)" under Administrative Templates\Control Panel and set "Bitlocker Drive Encryption".


    Hope it can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
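
A check for the setting both answers describe, as an added example that is not part of either answer: run in the affected user's session, it reports whether the BitLocker item is on that user's hidden Control Panel list. The function name, the registry location (where this user policy is normally written; confirm on your build) and the canonical item name `Microsoft.BitLockerDriveEncryption` are assumptions, not taken from the thread.

```powershell
# Added example: verify that the "hide Control Panel items" user policy
# from the answers above has reached the signed-in user's registry hive.
function Test-BitLockerCplHidden {
    [CmdletBinding()]
    param(
        # Display name used in the answers, plus the applet's canonical name.
        [string[]]$ItemNames = @('BitLocker Drive Encryption',
                                 'Microsoft.BitLockerDriveEncryption'),
        # Assumed per-user policy location; override if your build differs.
        [string]$PolicyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )

    # DisallowCpl = 1 on the Explorer policy key switches the hide list on.
    $flag = Get-ItemProperty -Path $PolicyRoot -Name 'DisallowCpl' -ErrorAction SilentlyContinue
    $enabled = ($null -ne $flag) -and ($flag.DisallowCpl -eq 1)

    # The list is a DisallowCpl subkey holding one string value per hidden item.
    $listKey = Join-Path $PolicyRoot 'DisallowCpl'
    $entries = @()
    if (Test-Path -Path $listKey) {
        $key = Get-Item -Path $listKey
        $entries = @($key.GetValueNames() | ForEach-Object { [string]$key.GetValue($_) })
    }

    # Name comparison is case-insensitive; stray whitespace is ignored.
    $matched = @($entries | Where-Object { $ItemNames -contains $_.Trim() })

    [pscustomobject]@{
        User            = "$env:USERDOMAIN\$env:USERNAME"
        PolicyEnabled   = $enabled
        HiddenItems     = $entries
        BitLockerHidden = $enabled -and ($matched.Count -gt 0)
    }
}

# Run as the user the profile targets, after a policy sync.
Test-BitLockerCplHidden | Format-List
```

`BitLockerHidden` is `True` only when the list is switched on and contains one of the BitLocker names; an enabled policy that lists other items reports `False`.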

