
BitLocker: Is there a GPO option to forbid decryption/re-enc

I see GPO settings to set options for BitLocker, such as mandating recovery keys into AD or the level of encryption, but is there an option to keep a user from decrypting the drive once it has been deployed to them as encrypted?
This applies to the case where a company policy deploys all laptops with encryption, and doesn't want users to decrypt or re-encrypt the drive themselves.
Thanks!

There is currently no GPO to block this. You can catch this with a 'health check' script, in particular to (a) make sure the backup key is backed up (you can set a GPO to require that this key is always backed up, which will block encryption if the AD is not available) (b) make sure the volume is encrypted, and to begin encrypting if the user manually decrypted it / paused it.
Or, our preferred approach, is to not allow the user to log on as an Administrator :).
- Jamie Hunter [MS]
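The "health check" script the reply describes, written out as an added example that is not part of the thread and not Microsoft's code. It assumes the BitLocker PowerShell module (Get-BitLockerVolume and friends, Windows 8 / Server 2012 and later; on Vista the same checks would be scripted against manage-bde.wsf or the Win32_EncryptableVolume WMI class). It checks (b) that the OS volume is fully encrypted with protection on, and (a) that a recovery password protector exists and re-escrows it to AD DS, since the client cannot prove locally that the directory already holds it. The parameter names and the "report only unless -Remediate" behaviour are the example's own choices.

```powershell
# Added example: BitLocker health check for one volume (not from the original thread).
# Assumes the BitLocker PowerShell module; run elevated, e.g. from a scheduled task or
# startup script. Without -Remediate it only reports.
param(
    [string]$MountPoint = $env:SystemDrive,   # assumption: check the OS drive by default
    [switch]$Remediate                        # resume / re-enable instead of only reporting
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
$findings = @()

# (b) Is the volume actually encrypted, and are its protectors active?
if ($vol.VolumeStatus -ne 'FullyEncrypted') {
    $findings += "VolumeStatus is $($vol.VolumeStatus) ($($vol.EncryptionPercentage)% encrypted)"
}
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "ProtectionStatus is $($vol.ProtectionStatus) (protectors suspended or absent)"
}

# (a) Is there a recovery password that can be escrowed to AD DS?
$recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    $findings += "No RecoveryPassword protector present"
}

if ($findings.Count -eq 0) {
    # Still re-escrow: the local machine cannot tell whether AD already holds the key.
    foreach ($p in $recovery) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Write-Output "OK: $MountPoint is fully encrypted, protected, recovery password escrowed"
    exit 0
}

$findings | ForEach-Object { Write-Warning "$MountPoint : $_" }
if (-not $Remediate) { exit 1 }

switch ($vol.VolumeStatus) {
    'FullyEncrypted' {
        # Encrypted but protection suspended (user ran 'suspend protection'): turn it back on.
        if ($vol.ProtectionStatus -ne 'On') { Resume-BitLocker -MountPoint $MountPoint | Out-Null }
    }
    'FullyDecrypted' {
        # User decrypted the drive: start over with a TPM protector plus a recovery password.
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -SkipHardwareTest | Out-Null
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    default {
        # EncryptionInProgress / DecryptionInProgress: let the conversion finish; the next run fixes it.
        Write-Warning "$MountPoint : conversion in progress, no action taken"
    }
}

# Escrow (or re-escrow) every recovery password; this fails if the domain is unreachable.
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
}
exit 1
```

The script deliberately does not try to reverse a decryption that is already in progress; it reports it and re-enables encryption on a later run once the volume reads FullyDecrypted. Pair it with the GPO the reply mentions ("Do not enable BitLocker until recovery information is stored to AD DS" under the drive-recovery policy), which makes Enable-BitLocker fail when the escrow cannot happen, and with the non-admin-user approach, which removes the ability to decrypt in the first place.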
"tavis" wrote in message


Windows Vista
