Q. How can I stop local administrators from turning off BitLocker?

A. For the purposes of my answer, you can replace BitLocker with pretty much any setting, whether or not you configure it through Group Policy. If you make users local administrators, they're effectively gods of their boxes. It's pretty much impossible to stop them from doing anything. Yes, you can hide Control Panel applets, but users can just try another method, such as PowerShell in BitLocker's case.

If you don't trust users not to harm their own machines, they shouldn't be local administrators; it's really that simple. Trying to stop local admins from doing something is ultimately futile if they're determined enough.
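Since prevention isn't possible, what remains is checking who actually holds local administrator rights and whether BitLocker protection is still on. The following read-only audit is an added example, not part of the original answer; the function names are hypothetical and the allow-list entries are constructed sample values to replace with your own baseline.

```powershell
#Requires -RunAsAdministrator
# Added example: report unexpected local administrators and volumes whose
# BitLocker protection is not on. Read-only; it changes nothing.

# Accounts expected in the local Administrators group.
# Constructed sample values (assumption): replace with your own baseline.
$ExpectedAdmins = @(
    'CONTOSO\Domain Admins',
    "$env:COMPUTERNAME\Administrator"
)

function Get-UnexpectedLocalAdmin {
    param([string[]]$Allowed)
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup works regardless of the OS display language.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.Name -notin $Allowed } |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-BitLockerDrift {
    # ProtectionStatus is Off both when BitLocker has been turned off and
    # when protection is merely suspended, so either case is reported.
    Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -ne 'On' } |
        Select-Object MountPoint, VolumeType, VolumeStatus,
                      ProtectionStatus, EncryptionPercentage
}

$admins = @(Get-UnexpectedLocalAdmin -Allowed $ExpectedAdmins)
$drift  = @(Get-BitLockerDrift)

# One summary object per machine, suitable for Export-Csv or a log pipeline.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    UnexpectedAdmins   = $admins.Name -join '; '
    UnprotectedVolumes = $drift.MountPoint -join '; '
    Compliant          = ($admins.Count -eq 0 -and $drift.Count -eq 0)
}
```

Run it from your management tooling and collect the results centrally: a local administrator can alter or remove anything that lives only on the machine, including this check.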
