Friday, August 26, 2016

GPOs - Disabling BitLocker Service Fails via Group Policy Preferences [Solved]

Today I came across a strange issue when trying to disable the "BitLocker Drive Encryption Service" with Group Policy Preferences (GPP).

Thanks to the Helge Klein - Tools for IT Pros website, this was really quick to solve!

After some reading, it seems to be related to the service permissions. You can confirm this in Event Viewer: the Application event log shows a warning with "Access Denied" from the Group Policy Services source.

After "Googling" a little more about this, I found a way to solve it.

So, follow these steps:
  1. First of all, download SetACL from here
  2. Now run the following from an elevated command line:
    SetACL -on BDESVC -ot srv -actn ace -ace "n:Administrators;p:full"
And... it's all done! Now just execute "gpupdate /force" or reboot, and the BitLocker Drive Encryption Service will be in the "Disabled" state.
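
Since the fix above changes the security descriptor of a service, it is worth recording the original DACL and checking the result. The following PowerShell script is an added example, not part of the original post or of SetACL: it saves the current SDDL of BDESVC, reports whether BUILTIN\Administrators holds the right to change the service configuration, shows the current start mode, and lists recent warnings from the event source named above. The backup path and the function names are assumptions made for the example.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
$ServiceName = 'BDESVC'                     # service name used in the post
$AdminsSid   = 'S-1-5-32-544'               # well-known SID of BUILTIN\Administrators
$SERVICE_CHANGE_CONFIG = 0x0002             # access right needed to change the start type
$BackupFile  = Join-Path $env:TEMP "$ServiceName-sddl-backup.txt"   # assumed backup location

function Get-ServiceSddl([string]$Name) {
    # sc.exe sdshow prints a blank line followed by the SDDL string
    $out = & sc.exe sdshow $Name | Where-Object { $_.Trim() }
    if ($LASTEXITCODE -ne 0) { throw "sc.exe sdshow failed: $out" }
    ($out -join '').Trim()
}

function Test-AdminCanConfigure([string]$Sddl) {
    # Parse the SDDL and look for an allow ACE for Administrators that
    # includes SERVICE_CHANGE_CONFIG (deny ACEs are not evaluated here)
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier.Value -eq $AdminsSid -and
            ($ace.AccessMask -band $SERVICE_CHANGE_CONFIG)) {
            return $true
        }
    }
    return $false
}

$sddl = Get-ServiceSddl $ServiceName

# Keep the first descriptor seen so the change can be rolled back later
if (-not (Test-Path $BackupFile)) {
    Set-Content -Path $BackupFile -Value $sddl
}

"Current SDDL: $sddl"
"Administrators can change service config: $(Test-AdminCanConfigure $sddl)"

# Start mode as Windows reports it (Auto, Manual or Disabled)
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
"Start mode: $($svc.StartMode)"

# Recent Application log warnings from the source named in the post
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 3 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object ProviderName -eq 'Group Policy Services' |
    Select-Object -First 5 TimeCreated, Id, Message
```

Run it once before the SetACL command and again after "gpupdate /force" to compare the two states. The saved descriptor can be restored with "sc.exe sdset BDESVC" followed by the SDDL string from the backup file.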
