Preventing BitLocker from being Weaponized
BitLocker can be invoked from PowerShell to encrypt your drives, leaving you unable to access them after a reboot.
Stop PowerShell from interacting with the BitLocker Application
Through our Suggested Policies, you can prevent PowerShell from calling the BitLocker Application.
Navigate to Application Control > Policies
Select the desired level from the Applies To dropdown menu on the top right.
Select the 'Add Suggested Policies' button.
Click 'Deploy Policies'.
This will prevent PowerShell from calling the Application and running manage-bde.exe commands.
Removing PowerShell's access to the BitLocker Module
In addition to the above Ringfencing policy, you need to create a Storage Policy to remove access to the BitLocker PowerShell module and the Enable-BitLocker cmdlet.
Navigate to Storage Control > Policies
Select the desired group from the Applies To dropdown menu on the top right.
Select 'New Storage Policy'.
Enter a name for the Policy and change 'Permit' to 'Deny Read & Write'.
Under the 'What paths should this apply to (e.g. "\\server1\share\*", "*.jpg" or "regex:[0-9]abc")?' section, check 'Let me select file paths', then input the following into the text box and select 'Add':
Then click 'Deploy Policies'.
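Once both policies are deployed, a quick way to confirm they are in effect is to run read-only checks from a PowerShell session on a covered endpoint. The script below is an added example, not part of this article or the ThreatLocker product; it assumes manage-bde.exe lives in System32 and that the BitLocker module is discovered through Import-Module rather than a hard-coded path.

```powershell
# Added verification script (hypothetical, not ThreatLocker's own tooling).
# Both checks are read-only: importing a module and querying BitLocker status
# change nothing on the system. Run from a non-elevated PowerShell session on
# an endpoint that the two policies apply to.

function Test-BitLockerModuleBlocked {
    # The Storage policy should deny reads on the module folder, so the import
    # fails either with "access denied" or "module not found".
    try {
        Import-Module BitLocker -ErrorAction Stop
        return $false   # module loaded: the Storage policy is not taking effect
    } catch {
        return $true    # import failed: access to the module is denied
    }
}

function Test-ManageBdeBlocked {
    # The Ringfencing policy should stop PowerShell from launching manage-bde.exe
    # at all; a denied launch surfaces as a terminating error in PowerShell.
    $exe = Join-Path $env:SystemRoot 'System32\manage-bde.exe'
    try {
        $output = & $exe -status 2>&1
        # The process started; if it returned normal status text the call was not blocked.
        if ($LASTEXITCODE -eq 0 -or ($output -match 'BitLocker')) { return $false }
        return $true    # started but produced no status output; treat as blocked
    } catch {
        return $true    # launch refused, e.g. "Access is denied"
    }
}

function Get-BitLockerPolicyReport {
    # One object per control so results can be collected from many hosts.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ModuleAccessDenied  = Test-BitLockerModuleBlocked
        ManageBdeDenied     = Test-ManageBdeBlocked
    }
}

Get-BitLockerPolicyReport | Format-List
```

Either check reporting False means the corresponding policy has not reached the endpoint yet or is not applied to the group selected in 'Applies To'.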