I have setup Bitlocker for my AD Domain joined Windows 10 Pro laptop clients to turn on Bitlocker.

I have even configured the recovery key to be stored against the machine name in ADUC.

However, I have noticed, there is nothing to stop local admins of the laptop from stopping Bitlocker.

Has anyone come across this as once stopped , my GPO doesn't seem to force it back on.

Any advice would be helpful.