Planning for MBAM 2.0 Group Policy Requirements

To manage Microsoft BitLocker Administration and Monitoring (MBAM) client computers, you need to consider the types of BitLocker protectors that you want to support in your organization, and then configure the corresponding Group Policy settings that you want to apply. This topic describes the Group Policy settings that are available for use when you are using Microsoft BitLocker Administration and Monitoring to manage BitLocker Drive Encryption in the enterprise.

MBAM supports the following types of BitLocker protectors for operating system drives: Trusted Platform Module (TPM), TPM + PIN, TPM + USB key, TPM + PIN + USB key, password, numerical password, and Data Recovery Agent. The password protector is supported only for Windows To Go devices and for Windows 8 devices that do not have a TPM. MBAM supports the TPM + USB key and the TPM + PIN + USB key protectors only when the operating system volume is encrypted before MBAM is installed.

MBAM supports the following types of BitLocker protectors for fixed data drives: password, auto-unlock, numerical password, and Data Recovery Agent.

The numeric password protector is applied automatically as part of volume encryption and does not need to be configured.
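As an added example that is not part of the MBAM documentation, the following PowerShell audit maps each volume's key protectors onto the protector names listed above and reports which ones MBAM would manage. The mapping from Get-BitLockerVolume's KeyProtectorType values to the documentation's names is my assumption, and the sample volumes at the end are constructed so the script runs without BitLocker present.

```powershell
# Added example, not from the MBAM documentation. Classifies BitLocker key
# protectors against the MBAM 2.0 support lists for OS and fixed data drives.
# Assumption: KeyProtectorType -> documentation name mapping below.

$osSupported   = @('TPM', 'TPM + PIN', 'TPM + USB key', 'TPM + PIN + USB key',
                   'password', 'numerical password', 'Data Recovery Agent')
$dataSupported = @('password', 'auto-unlock', 'numerical password', 'Data Recovery Agent')

function ConvertTo-MbamProtectorName {
    param([string]$Type, [bool]$AutoUnlock)
    switch ($Type) {
        'Tpm'              { 'TPM' }
        'TpmPin'           { 'TPM + PIN' }
        'TpmStartupKey'    { 'TPM + USB key' }
        'TpmPinStartupKey' { 'TPM + PIN + USB key' }
        'Password'         { 'password' }
        'RecoveryPassword' { 'numerical password' }
        # On a data drive an external key plus auto-unlock is the auto-unlock protector
        'ExternalKey'      { if ($AutoUnlock) { 'auto-unlock' } else { 'USB key' } }
        default            { $Type }   # anything else (e.g. certificate protectors) is passed through
    }
}

function Test-MbamProtectorSupport {
    param([Parameter(ValueFromPipeline)] $Volume)
    process {
        $isOs      = $Volume.VolumeType -eq 'OperatingSystem'
        $supported = if ($isOs) { $osSupported } else { $dataSupported }
        $auto      = [bool]$Volume.AutoUnlockEnabled
        foreach ($kp in $Volume.KeyProtector) {
            $name = ConvertTo-MbamProtectorName -Type "$($kp.KeyProtectorType)" -AutoUnlock $auto
            $note = ''
            # Caveat from the documentation: USB-key variants only if encrypted before MBAM install
            if ($isOs -and ($name -in @('TPM + USB key', 'TPM + PIN + USB key'))) {
                $note = 'supported only if the OS volume was encrypted before MBAM was installed'
            }
            [pscustomobject]@{
                MountPoint    = $Volume.MountPoint
                VolumeType    = $Volume.VolumeType
                Protector     = $name
                MbamSupported = ($name -in $supported)
                Note          = $note
            }
        }
    }
}

# Constructed sample input; on a real client use: Get-BitLockerVolume | Test-MbamProtectorSupport
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeType = 'OperatingSystem'; AutoUnlockEnabled = $false
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'TpmPin' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeType = 'Data'; AutoUnlockEnabled = $true
        KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'ExternalKey' },
                         [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)
$sample | Test-MbamProtectorSupport | Format-Table -AutoSize
```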

Important
The default Windows BitLocker drive encryption Group Policy Object (GPO) settings are not used by MBAM and can cause conflicting behavior if they are enabled. To enable MBAM to manage BitLocker, you must define the MBAM Group Policy settings only after installing the MBAM Group Policy template.

Enhanced startup PINs can contain uppercase letters, lowercase letters, and numbers. Unlike BitLocker itself, MBAM does not support symbols or spaces in enhanced PINs.

Install the MBAM Group Policy template on a computer that is capable of running the Group Policy Management Console (GPMC) or the Advanced Group Policy Management (AGPM) MDOP technology. To edit the GPO settings that enable MBAM functionality, you must first install the MBAM Group Policy template, open the GPMC or AGPM to edit the applicable GPO, and then navigate to the following GPO node: Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management).

The MDOP MBAM (BitLocker Management) GPO node contains four global policy settings and four child GPO settings nodes: Client Management, Fixed Drive, Operating System Drive, and Removable Drive. The following sections provide policy definitions and suggested policy settings to assist you in planning for MBAM GPO policy setting requirements.

Note
For more information about configuring the minimum recommended GPO settings that enable MBAM to manage BitLocker encryption, see How to Edit MBAM 2.0 GPO Settings.

Global Policy Definitions

This section describes MBAM Global policy definitions found at the following GPO node: Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management).

Policy Name Overview and Suggested Policy Setting

Choose drive encryption method and cipher strength

Suggested Configuration: Not Configured

Configure this policy to use a specific encryption method and cipher strength.

When this policy is not configured, BitLocker uses the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

Prevent memory overwrite on restart

Suggested Configuration: Not Configured

Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart.

When this policy is not configured, BitLocker secrets are removed from memory when the computer restarts.

Validate smart card certificate usage rule

Suggested Configuration: Not Configured

Configure this policy to use smartcard certificate-based BitLocker protection.

When this policy is not configured, a default object identifier 1.3.6.1.4.1.311.67.1.1 is used to specify a certificate.

Provide the unique identifiers for your organization

Suggested Configuration: Not Configured

Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.

When this policy is not configured, the Identification field is not used.

If your company has stricter security requirements, you may want to configure the Identification field to make sure that all USB devices have this field set and that it matches this Group Policy setting.

Client Management Policy Definitions

This section describes Client Management policy definitions for Microsoft BitLocker Administration and Monitoring found at the following GPO node: Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\Client Management.

Policy Name Overview and Suggested Policy Settings

Configure MBAM Services

Suggested Configuration: Enabled

  • MBAM Recovery and Hardware service endpoint. Use this setting to enable MBAM Client BitLocker encryption management. Enter an endpoint location that is similar to the following example: http://<MBAM Administration and Monitoring Server Name>:<port the web service is bound to>/MBAMRecoveryAndHardwareService/CoreService.svc.

  • Select BitLocker recovery information to store. This policy setting lets you configure the key recovery service to back up BitLocker recovery information. It also lets you configure status reporting service for collecting compliance and audit reports. The policy provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to the lack of key information. Status report and key recovery activity will automatically and silently be sent to the configured report server location.

    If you do not configure or if you disable this policy setting, the key recovery information will not be saved, and status report and key recovery activity will not be reported to the server. When this setting is set to Recovery Password and key package, the recovery password and key package will be automatically and silently backed up to the configured key recovery server location.

  • Enter client checking status frequency in minutes. This policy setting manages how frequently the client checks the BitLocker protection policies and status on the client computer. This policy also manages how frequently the client compliance status is saved to the server. The client checks the BitLocker protection policies and status on the client computer and also backs up the client recovery key at the configured frequency.

    Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer, and how frequently to back up the client recovery key.

  • MBAM Status reporting service endpoint. You must configure this setting to enable MBAM Client BitLocker encryption management. Enter an endpoint location that is similar to the following example: http://<MBAM Administration and Monitoring Server Name>:<port the web service is bound to>/MBAMComplianceStatusService/StatusReportingService.svc.

Configure user exemption policy

Suggested Configuration: Not Configured

This policy setting lets you configure a web site address, email address, or phone number that will instruct a user to request an exemption from BitLocker encryption.

If you enable this policy setting and provide a web site address, email address, or phone number, users will see a dialog that gives them instructions on how to apply for an exemption from BitLocker protection. For more information about enabling BitLocker encryption exemptions for users, see How to Manage User BitLocker Encryption Exemptions.

If you either disable or do not configure this policy setting, the exemption request instructions will not be presented to users.

Note

User exemption is managed per user, not per computer. If multiple users log on to the same computer and any one user is not exempt, the computer will be encrypted.

Configure customer experience improvement program

This policy setting lets you configure how MBAM users can join the Customer Experience Improvement Program. This program collects information about computer hardware and how users use MBAM without interrupting their work. The information helps Microsoft to identify which MBAM features to improve. Microsoft will not use this information to identify or contact MBAM users.

If you enable this policy setting, users will be able to join the Customer Experience Improvement Program.

If you disable this policy setting, users will not be able to join the Customer Experience Improvement Program.

If you do not configure this policy setting, users will have the option to join the Customer Experience Improvement Program.

Fixed Drive Policy Definitions

This section describes Fixed Drive policy definitions for Microsoft BitLocker Administration and Monitoring found at the following GPO node: Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\Fixed Drive.

Policy Name Overview and Suggested Policy Setting

Fixed data drive encryption settings

Suggested Configuration: Enabled

This policy setting lets you manage whether fixed drives must be encrypted.

If the operating system volume is required to be encrypted, select the Enable auto-unlock fixed data drive option.

When enabling this policy, you must not disable the Configure use of password for fixed data drives policy unless the use of Auto-Unlock for fixed data drives is allowed or required.

If you require the use of Auto-Unlock for fixed data drives, you must configure operating system volumes to be encrypted.

If you enable this policy setting, users are required to put all fixed drives under BitLocker protection, and the drives will be encrypted.

If you do not configure this policy setting, users are not required to put fixed drives under BitLocker protection. If you apply this policy after fixed data drives are encrypted, the MBAM agent decrypts the encrypted fixed drives.

If you disable this policy setting, users will not be able to put their fixed data drives under BitLocker protection.

Deny write access to fixed drives not protected by BitLocker

Suggested Configuration: Not Configured

This policy setting determines whether BitLocker protection is required for fixed drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

When the policy is not configured, all fixed data drives on the computer are mounted with read and write access.

Allow access to BitLocker-protected fixed drives from earlier versions of Windows

Suggested configuration: Not Configured

Enable this policy to let fixed drives with the FAT file system be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

When the policy is enabled or not configured, fixed drives formatted with the FAT file system can be unlocked and their content can be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. These operating systems have read-only access to BitLocker-protected drives.

When the policy is disabled, fixed drives formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

Configure use of password for fixed drives

Suggested configuration: Not Configured

Use this policy to specify whether a password is required to unlock BitLocker-protected fixed data drives.

If you enable this policy setting, users can configure a password that meets the requirements you define. BitLocker will allow users to unlock a drive with any of the protectors that are available on the drive.

These settings are enforced when turning on BitLocker, not when unlocking a volume.

If you disable this policy setting, users are not allowed to use a password.

When the policy is not configured, passwords are supported with the default settings, which do not include password complexity requirements and which require only eight characters.

For higher security, enable this policy and select Require password for fixed data drive, select Require password complexity, and set the desired minimum password length.

Choose how BitLocker-protected fixed drives can be recovered

Suggested Configuration: Not Configured

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When the policy is not configured, the BitLocker data recovery agent is allowed, and recovery information is not backed up to AD DS. MBAM does not require recovery information to be backed up to AD DS.

Operating System Drive Policy Definitions

This section describes Operating System Drive policy definitions for Microsoft BitLocker Administration and Monitoring found at the following GPO node: Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\Operating System Drive.

Policy Name Overview and Suggested Policy Setting

Operating system drive encryption settings

Suggested configuration: Enabled

This policy setting lets you manage whether the operating system drive must be encrypted.

For higher security, consider disabling the following policy settings in System/Power Management/Sleep Settings when you enable this policy with the TPM + PIN protector, because a computer resuming from a standby state does not prompt for the PIN and the BitLocker key remains in memory while it sleeps:

  • Allow Standby States (S1-S3) When Sleeping (Plugged In)

  • Allow Standby States (S1-S3) When Sleeping (On Battery)

If you are running Microsoft Windows 8 or later, and you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN).

If you enable this policy setting, users have to put the operating system drive under BitLocker protection, and the drive will be encrypted.

If you disable this policy, users will not be able to put the operating system drive under BitLocker protection. If you apply this policy after the operating system drive is encrypted, the drive will be decrypted.

If you do not configure this policy, the operating system drive is not required to be placed under BitLocker protection.

Configure TPM platform validation profile

Suggested Configuration: Not Configured

This policy setting lets you configure how the TPM security hardware on a computer secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

When this policy setting is not configured, the TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.

Choose how BitLocker-protected operating system drives can be recovered

Suggested Configuration: Not Configured

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When this policy is not configured, the data recovery agent is allowed, and recovery information is not backed up to AD DS.

MBAM operation does not require recovery information to be backed up to AD DS.

Removable Drive Policy Definitions

This section describes Removable Drive policy definitions for Microsoft BitLocker Administration and Monitoring found at the following GPO node: Computer Configuration\Policies\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management)\Removable Drive.

Policy Name Overview and Suggested Policy Setting

Control use of BitLocker on removable drives

Suggested configuration: Enabled

This policy controls the use of BitLocker on removable data drives.

Enable the Allow users to apply BitLocker protection on removable data drives option to allow users to run the BitLocker setup wizard on a removable data drive.

Enable the Allow users to suspend and decrypt BitLocker on removable data drives option to allow users to remove BitLocker drive encryption from the drive or to suspend the encryption while maintenance is performed.

When this policy is enabled and the Allow users to apply BitLocker protection on removable data drives option is selected, the MBAM Client saves the recovery information about removable drives to the MBAM key recovery server and allows users to recover the drive if the password is lost.

Deny write access to removable drives not protected by BitLocker

Suggested Configuration: Not Configured

Enable this policy to allow write access only to BitLocker-protected removable drives.

When this policy is enabled, all removable data drives on the computer require encryption before write access is allowed.

Allow access to BitLocker-protected removable drives from earlier versions of Windows

Suggested Configuration: Not Configured

Enable this policy to allow removable drives with the FAT file system to be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

When this policy is not configured, removable data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

When the policy is disabled, removable drives formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

Configure use of password for removable data drives

Suggested configuration: Not Configured

Enable this policy to configure password protection on removable data drives.

When this policy is not configured, passwords are supported with the default settings, which do not include password complexity requirements and which require only eight characters.

For increased security, you may enable this policy and check Require password for removable data drive, select Require password complexity, and set the preferred minimum password length.

Choose how BitLocker-protected removable drives can be recovered

Suggested Configuration: Not Configured

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When set to Not Configured, the data recovery agent is allowed and recovery information is not backed up to AD DS.

MBAM operation does not require recovery information to be backed up to AD DS.
