Preventing BitLocker from being Weaponized

3 min. read. Last update: 06.09.2025

Table of Contents

Stop PowerShell from interacting with the BitLocker Application
Removing PowerShell's access to the BitLocker Module

BitLocker can be invoked from PowerShell to encrypt your drives, and if this is done maliciously you are left unable to access them after a reboot.

Stop PowerShell from interacting with the BitLocker Application

Through our Suggested Policies, you can prevent PowerShell from calling the BitLocker application. 

Navigate to the ‘Modules’ dropdown, then select ‘Application Control’. 

Select the ‘Policies’ tab in the top right corner of the page.

From within the policies page, navigate to the hamburger menu on the top left side of the page. This can be found to the right of the ‘New Tag’ button. Once this button is selected, a ‘Policy Management’ menu will open. From here, select the option labeled ‘ThreatLocker Suggested Policies’. 

Selecting this will open a pop-up window with all the ThreatLocker Recommended policies. 

To apply a policy to a specific group, select the dropdown at the top of the page titled ‘Select target Organizations or Groups to insert selected policies’. For this example, we will be applying it to the entire organization. Select the dropdown, then select the desired organization(s) to apply this to. 

Note: You can also select the dropdown arrows to the left of the organization names to select individual Computer Groups, or type the name of the individual workstation to apply the policy to only one machine. 

Select the ‘Filter By’ dropdown and choose ‘Ringfence Templates’, then select ‘PowerShell (Ringfenced)’ from the list of suggested policies. Once done, select the ‘Add 1 Suggested Policy’ button above the list of Ringfence templates. This will create a new policy for the organization, computer group, or computer to which you chose to apply it.

After this, use the 'Deploy Policies' button at the top-right portion of the page to deploy your policies.

This will prevent PowerShell from calling the BitLocker application and running manage-bde.exe commands.

Removing PowerShell's access to the BitLocker Module 

In addition to the Ringfencing policy above, you must create a Storage Policy to remove access to the BitLocker PowerShell module and, with it, the Enable-BitLocker cmdlet.

Navigate to the ‘Modules’ dropdown, then select ‘Storage Control’. 

Select the ‘New Policy’ button at the top left corner of the page to create a new policy. 

This will open a ‘Create Storage Policy’ side panel. 

Navigate to the ‘Details’ section and name your Storage Policy. 

By default, the Storage Policy is set at the Entire Organization level; however, you can change it to apply to a global group, computer group, or individual computer.

Within the conditions section, confirm that it is set to ‘Read/Write’, then select the ‘Selected File Paths’ option so that specific file paths can be entered. 

When ‘Selected File Paths’ is chosen, an area to enter specific file paths will appear. Enter the following into the text box and select 'Add': 

c:\windows\system32\windowspowershell\v1.0\modules\bitlocker\* 

Within the ‘Actions’ section, be sure to switch the policy from ‘Permit’ to ‘Deny’. Once this has been changed, select ‘Create’ at the bottom of the page. 

Deploy the policies once this is completed.

This will now prevent PowerShell from gaining access to the BitLocker module.
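As an added verification step that is not part of the original article, the following PowerShell script can be run from an elevated session on an endpoint after both the Ringfencing policy and the Storage Policy above have been deployed; it uses only read-only operations to confirm that PowerShell can no longer read the BitLocker module folder, load the Enable-BitLocker cmdlet, or launch manage-bde.exe. The result labels and the expectation that a ringfence block surfaces as an exception or non-zero exit code are the script's own assumptions.

```powershell
# Added verification script (not ThreatLocker's own code). Run elevated,
# because manage-bde.exe itself requires an elevated prompt even for -status.
# Every check is read-only; a $true result means the control did NOT block
# PowerShell and the corresponding policy should be reviewed.

# Folder denied by the Storage Policy described in the article.
$modulePath = 'C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker'

$results = [ordered]@{}

# 1. Storage Control: can PowerShell still read the BitLocker module folder?
try {
    $files = Get-ChildItem -Path $modulePath -ErrorAction Stop
    $results['ModuleFolderReadable'] = ($files.Count -gt 0)
} catch {
    $results['ModuleFolderReadable'] = $false
}

# 2. Module access: does Import-Module succeed and expose Enable-BitLocker?
try {
    Import-Module BitLocker -ErrorAction Stop
    $cmd = Get-Command Enable-BitLocker -ErrorAction SilentlyContinue
    $results['EnableBitLockerAvailable'] = [bool]$cmd
} catch {
    $results['EnableBitLockerAvailable'] = $false
}

# 3. Ringfencing: can PowerShell launch manage-bde.exe? "-status" only reads
#    volume state. A ringfence block is assumed to surface as an exception
#    or a non-zero exit code.
try {
    $null = & "$env:SystemRoot\System32\manage-bde.exe" -status 2>&1
    $results['ManageBdeLaunched'] = ($LASTEXITCODE -eq 0)
} catch {
    $results['ManageBdeLaunched'] = $false
}

# Summarise: each check that reports NOT BLOCKED is a gap in the control.
foreach ($check in $results.Keys) {
    $state = if ($results[$check]) { 'NOT BLOCKED - review policy' } else { 'blocked' }
    Write-Output ('{0,-26} : {1}' -f $check, $state)
}
```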