Windows 7 Thread, bitlocker to go in Technical; is there any way to specify a group of users who can encrypt drives. So admin/staff put a non encrypted ...
  1. #1



    bitlocker to go

    Is there any way to specify a group of users who can encrypt drives? So admin/staff put a non-encrypted penstick in and get the "do you want to encrypt this" dialogue, students don't get any options, for example (as otherwise it seems a little less useful, as anyone could just find a PC some kid had left logged on and copy whatever the kid had access to).

  2. #2

    Steve21
    Err honestly not used bitlocker to go in a long time, but if it still puts the .exe on the flashdrive for bitlocker to go, can't you just disable them running that exe via SRP/applocker? Blocked for students, allowed for teachers etc.

    Steve

  3. #3


    Originally posted by Steve21:
    Err honestly not used bitlocker to go in a long time, but if it still puts the .exe on the flashdrive for bitlocker to go, can't you just disable them running that exe via SRP/applocker? Blocked for students, allowed for teachers etc.

    Steve

    Pass. I just set it up with GPO on my test PC. As soon as you put a non-bitlockered disk in, it asks if you want to encrypt it, so no exe to block as such (unless there's, say, a bitlocker.exe in c:\windows or similar).

  4. #4

    Steve21
    Manage-bde is the command-line version of the system32 exe, but I thought by standard BitLocker required UAC access to encrypt it.

    What credentials are required to use BitLocker?

    To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local Administrators group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives. Disable the Control use of BitLocker on removable drives policy setting (located in Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives) to restrict standard users from turning on or turning off BitLocker on removable data drives.
    Guessing it's that red bit you want to enable for students? :P

    Steve

  5. #5


    Originally posted by Steve21:
    Manage-bde is the command-line version of the system32 exe, but I thought by standard BitLocker required UAC access to encrypt it.

    Guessing it's that red bit you want to enable for students? :P

    Steve

    Yeah, but as it's a PC policy, hmm, looks like it doesn't quite do what I want, though I'm not sure if that's because I want something daft (I suppose in the non-educational world you probably would want everyone, no one, or just admins doing BTG) or it's not quite the right fit, which would be a shame as it seems to be easy and, by storing keys in AD, reasonably foolproof.

    Suppose I could disallow users in general but change that on the staff laptops so they could create drives on their laptops.
    Last edited by sted; 26th March 2014 at 02:42 PM.

  6. #6

    Steve21
    I may be missing the obvious, but surely even if you stop students "making" encrypted drives, someone could still make one and load it on their computer? As it's only the "enabling/disabling" bit you're locking down, not the using it?

    Or did I miss something?

    Steve
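
The split suggested in posts #4 and #5, sketched as an added example (not code from any poster): because "Control use of BitLocker on removable drives" is a computer policy, one GPO disables it on student-facing PCs and a second enables it on staff laptops. The GPO names, OU paths and the `Set-RemovableBitLockerPolicy` helper are hypothetical, and the registry value names are the ones the BitLocker ADMX template uses for this policy, which the thread does not list.

```powershell
# Added example: GPO names, OU paths and the helper name are placeholders.
Import-Module GroupPolicy

# Key written by "Control use of BitLocker on removable drives" (computer policy).
$FveKey = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'

function Set-RemovableBitLockerPolicy {
    param(
        [Parameter(Mandatory = $true)] [string] $GpoName,
        [Parameter(Mandatory = $true)] [string] $TargetOu,
        [Parameter(Mandatory = $true)] [bool]   $AllowUsers
    )

    # Reuse the GPO if it already exists so the script can be re-run safely.
    $gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

    # RDVConfigureBDE: 1 = policy Enabled, 0 = policy Disabled.
    $values = @{ RDVConfigureBDE = [int]$AllowUsers }
    if ($AllowUsers) {
        # The two options under the Enabled policy: apply protection,
        # and suspend/decrypt protection, on removable data drives.
        $values.RDVAllowBDE   = 1
        $values.RDVDisableBDE = 1
    }
    foreach ($name in $values.Keys) {
        Set-GPRegistryValue -Name $GpoName -Key $FveKey -ValueName $name `
            -Type DWord -Value $values[$name] | Out-Null
    }

    # Link the GPO to the OU that holds the computer accounts, once.
    $linked = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOu | Out-Null }

    # Return what the GPO now contains so the result can be reviewed.
    Get-GPRegistryValue -Name $GpoName -Key $FveKey |
        Select-Object @{ n = 'Gpo'; e = { $GpoName } }, ValueName, Value
}

# Shared/student PCs: standard users cannot turn BitLocker To Go on or off.
Set-RemovableBitLockerPolicy -GpoName 'BTG - Deny (student PCs)' `
    -TargetOu 'OU=Student PCs,DC=example,DC=local' -AllowUsers $false

# Staff laptops: users may encrypt removable drives.
Set-RemovableBitLockerPolicy -GpoName 'BTG - Allow (staff laptops)' `
    -TargetOu 'OU=Staff Laptops,DC=example,DC=local' -AllowUsers $true
```

After `gpupdate /force` on a client, the applied values can be read back from `HKLM:\SOFTWARE\Policies\Microsoft\FVE`. The setting follows the machine rather than the logged-on user, which is the limitation raised in post #5.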
