I wanted my drive to be protected from anyone but me, but as long as your computer is part of the domain, every domain admin can log on and look at your data. So I used manage-bde.exe to encrypt my disk.
I put the protector key on a USB drive (as would be the case if your computer did not have a supported TPM chip). I also made sure that the recovery key did not end up in AD as an attribute on the computer object.
From now on (hopefully) I am the only one who can access my folders on this disk (of course you need to block any access to your drive from the network: firewall and block any policies).
manage-bde.exe -status can tell you how, or if, your disk is protected.
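The steps above, written out as a PowerShell script. This is an added example and not the author's own command history; it assumes C: is the OS volume, E: is the USB drive that will hold the startup key (.BEK file), the shell is elevated, and the RSAT ActiveDirectory module is installed for the final AD check. The registry value names under the FVE policy key are the ones BitLocker group policy writes; which ones exist depends on the Windows version, so the script lists whatever is present rather than assuming a fixed set.

```powershell
# Assumed drive letters (change to match your machine).
$OsDrive  = 'C:'
$UsbDrive = 'E:'

# 1. Where do we stand? "Protection Status: Protection Off" means plaintext disk.
manage-bde -status $OsDrive

# 2. No usable TPM: BitLocker only allows a startup key on the OS drive if policy
#    "Require additional authentication at startup" permits it. These are the
#    registry values that policy sets; set them locally if no GPO already does.
$Fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $Fve)) { New-Item -Path $Fve -Force | Out-Null }
New-ItemProperty -Path $Fve -Name 'UseAdvancedStartup' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $Fve -Name 'EnableBDEWithNoTPM' -Value 1 -PropertyType DWord -Force | Out-Null

# 3. Make sure nothing will escrow the recovery password to AD before we add one.
#    Any *ActiveDirectoryBackup value set to 1 means BitLocker will (or must) copy
#    recovery information into AD as msFVE-RecoveryInformation child objects of
#    the computer account, which is exactly what we want to avoid here.
$AdBackupValues = Get-ItemProperty -Path $Fve |
    Get-Member -MemberType NoteProperty |
    Where-Object { $_.Name -like '*ActiveDirectoryBackup' }
foreach ($v in $AdBackupValues) {
    $val = (Get-ItemProperty -Path $Fve -Name $v.Name).($v.Name)
    if ($val -eq 1) {
        Write-Warning "$($v.Name) = 1: recovery info would be backed up to AD. Fix the policy first."
    }
}

# 4. Add a startup key (written as a .BEK file on the USB drive) and a recovery
#    password (printed once; keep it somewhere that is not the domain).
manage-bde -protectors -add $OsDrive -StartupKey "$UsbDrive\"
manage-bde -protectors -add $OsDrive -RecoveryPassword

# 5. Turn encryption on. Encryption runs in the background; a reboot with the USB
#    drive inserted is required before the startup key protector is proven to work.
manage-bde -on $OsDrive

# 6. Verify what protects the volume: expect "External Key" and "Numerical Password",
#    and no "TPM" entry on a machine without one.
manage-bde -protectors -get $OsDrive
manage-bde -status $OsDrive

# 7. Confirm nothing landed in AD: recovery info is stored as child objects of the
#    computer account, not as a plain attribute, so search under the computer DN.
Import-Module ActiveDirectory
$ComputerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
$Escrowed = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                         -SearchBase $ComputerDn -SearchScope OneLevel
if ($Escrowed) {
    Write-Warning "Recovery information for $env:COMPUTERNAME exists in AD; a domain admin can read it."
} else {
    Write-Host "No BitLocker recovery information stored in AD for $env:COMPUTERNAME."
}
```

Step 7 is the one the post hinges on: a domain admin who can read msFVE-RecoveryInformation objects under your computer account can unlock the volume regardless of where the startup key lives, so re-run that check after any group policy refresh, since a later GPO can silently turn the backup back on.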