How to disable BitLocker and avoid ransomware attacks?

Doria 1,246 Reputation points
2020-11-06T12:39:46.663+00:00

Hi everyone!

Is there a command to disable BitLocker from Windows stations and servers? We would like to prevent any kind of user or ransomware attacks.

Thanks.

Windows for business | Windows Server | User experience | Other

Accepted answer
  1. MTG 1,246 Reputation points
    2020-11-06T13:13:32.523+00:00

    Hi Doria.

    There is no way to remove BitLocker capabilities from Windows.
    Since ransomware would need to run under a certain account, all you can do is set the following policies, which will make it impossible to encrypt:
    ->require keys to be saved to AD prior to encrypting
    ->disallow anyone from saving such a key to AD

    If you need more input in order to get this done, please feel free to ask. It will work.

    However, since there is so much ransomware around which doesn't care whether BL is functional or not, this will not be all you need to do to feel safer.

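A read-only way to check whether the first policy from the accepted answer is in effect on a machine, added here as an example (it is not code from the thread). It assumes the Group Policy settings are stored under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, and it does not check the AD permissions that the second policy relies on.

```powershell
# Added example: read-only audit, run from an elevated PowerShell prompt.
# Assumption: BitLocker Group Policy settings land under this registry key.
$fve    = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

# Value-name prefixes per drive type: OS, fixed data (FDV), removable data (RDV).
$driveTypes = [ordered]@{
    OS  = 'Operating system drives'
    FDV = 'Fixed data drives'
    RDV = 'Removable data drives'
}

$report = foreach ($prefix in $driveTypes.Keys) {
    # "Save BitLocker recovery information to AD DS" for this drive type
    $backup  = if ($policy) { $policy."${prefix}ActiveDirectoryBackup" }
    # "Do not enable BitLocker until recovery information is stored in AD DS"
    $require = if ($policy) { $policy."${prefix}RequireActiveDirectoryBackup" }
    [pscustomobject]@{
        DriveType          = $driveTypes[$prefix]
        BackupToAD         = ($backup -eq 1)
        RequireBackupFirst = ($require -eq 1)
        # Encryption is gated on a successful AD backup only when both are set
        Gated              = ($backup -eq 1 -and $require -eq 1)
    }
}
$report | Format-Table -AutoSize

# On Windows Server, BitLocker is an optional feature; report its install state.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    Get-WindowsFeature -Name BitLocker |
        Format-Table Name, InstallState -AutoSize
}

# Where the BitLocker module is present, show protection state per volume.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume |
        Format-Table MountPoint, VolumeStatus, ProtectionStatus -AutoSize
}
```

A volume that shows as encrypted on a machine where encryption is not expected is worth investigating regardless of what the policy table says.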

3 additional answers

  1. Doria 1,246 Reputation points
    2020-11-06T14:29:28.917+00:00

    Thanks for your answer.

    It seems more like a workaround solution. What about the GPO option "Deny write access to fixed drives not protected by BitLocker"? Wouldn't that solve it?

    Regards.


  2. MTG 1,246 Reputation points
    2020-11-06T15:16:59.25+00:00

    It's not clear how your policy suggestion should help you.
    That policy disallows write access to drives that are not bitlocked. I think you don't want to give an attacker a way to use BitLocker in order to encrypt, or am I mistaken?


  3. Doria 1,246 Reputation points
    2020-11-06T23:45:49.803+00:00

    Thanks for your answer!

    You're right! This directive was recommended to me and I also found it strange. In fact, after verifying that BitLocker is a feature that is NOT installed by default on Windows servers, I think it is unnecessary to create any GPO for this purpose. My biggest concern against ransomware attacks is on servers (VMs) and not workstations.

    Anyway, thanks for the information and policy suggestion.

    Regards.

