Planning for MBAM 1.0 Group Policy Requirements

Microsoft BitLocker Administration and Monitoring (MBAM) Client management requires custom Group Policy settings to be applied. This topic describes the available policy options for Group Policy Object (GPO) when you use MBAM to manage BitLocker Drive Encryption in the enterprise.

Important
MBAM does not use the default GPO settings for Windows BitLocker drive encryption. If the default settings are enabled, they can cause conflicting behavior. To enable MBAM to manage BitLocker, you must define the GPO policy settings after you install the MBAM Group Policy Template.

After you install the MBAM Group Policy template, you can view and modify the available custom MBAM GPO policy settings that enable MBAM to manage the enterprise BitLocker encryption. The MBAM Group Policy template must be installed on a computer that is capable of running the Group Policy Management Console (GPMC) or the Advanced Group Policy Management (AGPM) MDOP technology. Next, to edit the applicable GPO, open the GPMC or AGPM, and then navigate to the following GPO node: Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management).

The MDOP MBAM (BitLocker Management) GPO node contains four global policy settings and four child GPO setting nodes. The four child GPO setting nodes are: Client Management, Fixed Drive, Operating System Drive, and Removable Drive. The following sections provide policy definitions and suggested policy settings to help you plan for the MBAM GPO policy setting requirements.

Note
For more information about configuring the minimum suggested GPO settings to enable MBAM to manage BitLocker encryption, see How to Edit MBAM 1.0 GPO Settings.

Global policy definitions

This section describes the MBAM Global policy definitions, which can be found at the following GPO node: Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management).

Policy name: overview and suggested policy setting

Choose drive encryption method and cipher strength

Suggested Configuration: Not Configured

Configure this policy to use a specific encryption method and cipher strength.

When this policy is not configured, BitLocker uses the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

Prevent memory overwrite on restart

Suggested Configuration: Not Configured

Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart.

When this policy is not configured, BitLocker secrets are removed from memory when the computer restarts.

Validate smart card certificate usage rule

Suggested Configuration: Not Configured

Configure this policy to use smartcard certificate-based BitLocker protection.

When this policy is not configured, a default object identifier 1.3.6.1.4.1.311.67.1.1 is used to specify a certificate.

Provide the unique identifiers for your organization

Suggested Configuration: Not Configured

Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.

When this policy is not configured, the Identification field is not used.

If your company requires stronger security measures, you may want to configure the Identification field to make sure that all USB devices have this field set and that they are aligned with this Group Policy setting.

Client Management policy definitions

This section describes the Client Management policy definitions for MBAM, found at the following GPO node: Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management) \ Client Management.

Policy name: overview and suggested policy settings

Configure MBAM Services

Suggested Configuration: Enabled

  • MBAM Recovery and Hardware service endpoint. This is the first policy setting that you must configure to enable the MBAM Client BitLocker encryption management. For this setting, enter the endpoint location similar to the following example: http://<MBAM Administration and Monitoring Server Name>:<port the web service is bound to>/MBAMRecoveryAndHardwareService/CoreService.svc.

  • Select BitLocker recovery information to store. This policy setting lets you configure the key recovery service to back up the BitLocker recovery information. It also lets you configure the status reporting service for collecting compliance and audit reports. The policy provides an administrative method of recovering data encrypted by BitLocker to help prevent data loss due to the lack of key information. Status report and key recovery activity will automatically and silently be sent to the configured report server location.

    If you do not configure or if you disable this policy setting, the key recovery information will not be saved, and status report and key recovery activity will not be reported to the server. When this setting is set to Recovery Password and key package, the recovery password and key package will be automatically and silently backed up to the configured key recovery server location.

  • Enter the client checking status frequency in minutes. This policy setting manages how frequently the client checks the BitLocker protection policies and the status on the client computer. This policy also manages how frequently the client compliance status is saved to the server. The client checks the BitLocker protection policies and status on the client computer, and it also backs up the client recovery key at the configured frequency.

    Set this frequency based on the requirement established by your company on how frequently to check the compliance status of the computer, and how frequently to back up the client recovery key.

  • MBAM Status reporting service endpoint. This is the second policy setting that you must configure to enable MBAM Client BitLocker encryption management. For this setting, enter the endpoint location by using the following example: http://<MBAM Administration and Monitoring Server Name>:<port the web service is bound to>/MBAMComplianceStatusService/StatusReportingService.svc.

Allow hardware compatibility checking

Suggested Configuration: Enabled

This policy setting lets you manage the verification of hardware compatibility before you enable BitLocker protection on drives of MBAM client computers.

You should enable this policy option if your enterprise has older computer hardware or computers that do not support Trusted Platform Module (TPM). If either of these criteria is true, enable the hardware compatibility verification to make sure that MBAM is applied only to computer models that support BitLocker. If all computers in your organization support BitLocker, you do not have to deploy hardware compatibility checking, and you can set this policy to Not Configured.

If you enable this policy setting, the model of the computer is validated against the hardware compatibility list once every 24 hours, before the policy enables BitLocker protection on a computer drive.

Note

Before enabling this policy setting, make sure that you have configured the MBAM Recovery and Hardware service endpoint setting in the Configure MBAM Services policy options.

If you either disable or do not configure this policy setting, the computer model is not validated against the hardware compatibility list.

Configure user exemption policy

Suggested Configuration: Not Configured

This policy setting lets you configure a web site address, email address, or phone number that will instruct a user to request an exemption from BitLocker encryption.

If you enable this policy setting and provide a web site address, email address, or phone number, users will see a dialog with instructions on how to apply for an exemption from BitLocker protection. For more information about how to enable BitLocker encryption exemptions for users, see How to Manage User BitLocker Encryption Exemptions.

If you either disable or do not configure this policy setting, the instructions about how to apply for an exemption request will not be presented to users.

Note

User exemption is managed per user, not per computer. If multiple users log on to the same computer and one user is not exempt, the computer will be encrypted.

Fixed Drive policy definitions

This section describes the Fixed Drive policy definitions for MBAM, which can be found at the following GPO node: Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management) \ Fixed Drive.

Policy name: overview and suggested policy setting

Fixed data drive encryption settings

Suggested Configuration: Enabled, and select the Enable auto-unlock fixed data drive check box if the operating system volume is required to be encrypted.

This policy setting lets you manage whether or not to encrypt the fixed drives.

When you enable this policy, do not disable the Configure use of password for fixed data drives policy.

If the Enable auto-unlock fixed data drive check box is selected, the operating system volume must be encrypted.

If you enable this policy setting, users are required to put all fixed drives under BitLocker protection, which will encrypt the drives.

If you do not configure this policy or if you disable this policy, users are not required to put fixed drives under BitLocker protection.

If you disable this policy, the MBAM agent decrypts any encrypted fixed drives.

If encrypting the operating system volume is not required, clear the Enable auto-unlock fixed data drive check box.

Deny “write” permission to fixed drives that are not protected by BitLocker

Suggested Configuration: Not Configured

This policy setting determines whether a fixed drive on a computer must be protected by BitLocker before it is writable. This policy setting is applied when you turn on BitLocker.

When the policy is not configured, all fixed drives on the computer are mounted with read/write permissions.

Allow access to BitLocker-protected fixed drives from earlier versions of Windows

Suggested configuration: Not Configured

Enable this policy to unlock and view the fixed drives that are formatted with the file allocation table (FAT) file system on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

These operating systems have read-only permissions to BitLocker-protected drives.

When the policy is disabled, fixed drives formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

Configure use of password for fixed drives

Suggested configuration: Not Configured

Enable this policy to configure password protection on fixed drives.

When the policy is not configured, passwords will be supported with the default settings, which do not include password complexity requirements and require only eight characters.

For higher security, enable this policy and select Require password for fixed data drive, select Require password complexity, and set the desired minimum password length.

Choose how BitLocker-protected fixed drives can be recovered

Suggested Configuration: Not Configured

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When this policy is not configured, the BitLocker data recovery agent is allowed, and recovery information is not backed up to AD DS. MBAM does not require the recovery information to be backed up to AD DS.

Operating System Drive policy definitions

This section describes the Operating System Drive policy definitions for MBAM, found at the following GPO node: Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management) \ Operating System Drive.

Policy name: overview and suggested policy setting

Operating system drive encryption settings

Suggested configuration: Enabled

This policy setting determines if the operating system drive will be encrypted.

Configure this policy to do the following:

  • Enforce BitLocker protection for the operating system drive.

  • Configure PIN usage to use a Trusted Platform Module (TPM) PIN for operating system protection.

  • Configure enhanced startup PINs to permit characters such as uppercase and lowercase letters, and numbers. MBAM does not support the use of symbols and spaces for enhanced PINs, even though BitLocker supports symbols and spaces.

If you enable this policy setting, users are required to secure the operating system drive by using BitLocker.

If you do not configure or if you disable the setting, users are not required to secure the operating system drive by using BitLocker.

If you disable this policy, the MBAM agent decrypts the operating system volume if it is encrypted.

When it is enabled, this policy setting requires users to secure the operating system by using BitLocker protection, and the drive is encrypted. Based on your encryption requirements, you may select the method of protection for the operating system drive.

For higher security requirements, use TPM + PIN, allow enhanced PINs, and set the minimum PIN length to eight characters.

When this policy is enabled with the TPM + PIN protector, you can consider disabling the following policies under System / Power Management / Sleep Settings:

  • Allow Standby States (S1-S3) When Sleeping (Plugged In)

  • Allow Standby States (S1-S3) When Sleeping (On Battery)
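The Client Management, Fixed Drive, and Operating System Drive sections above state several dependencies between settings (endpoints before hardware compatibility checking, auto-unlock only with an encrypted operating system volume, Disabled causing decryption, the eight-character PIN suggestion). The following consistency check over a planned set of those settings is an added example written for this page, not MBAM's own tooling; the plan dictionary, its key names, and the sample server name are assumptions.

```python
"""Consistency checks for a planned MBAM 1.0 GPO configuration.

The checks encode the dependencies stated on this page. The plan dictionary
layout and key names are assumptions of this example, not an MBAM artifact.
"""
from urllib.parse import urlparse

# Service paths from the Configure MBAM Services policy.
RECOVERY_PATH = "/MBAMRecoveryAndHardwareService/CoreService.svc"
STATUS_PATH = "/MBAMComplianceStatusService/StatusReportingService.svc"


def endpoint_finding(url, expected_path):
    """Return a finding if url is not http(s)://<server>:<port><expected_path>, else None."""
    parts = urlparse(url or "")
    if parts.scheme not in ("http", "https") or not parts.hostname or parts.port is None:
        return f"endpoint {url!r} must look like http://<server>:<port>{expected_path}"
    if parts.path != expected_path:
        return f"endpoint {url!r} must end with {expected_path}"
    return None


def validate_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent with this page."""
    findings = []
    if plan.get("default_bitlocker_gpo_enabled"):
        findings.append("default Windows BitLocker GPO settings conflict with MBAM; leave them Not Configured")
    recovery = endpoint_finding(plan.get("recovery_endpoint"), RECOVERY_PATH)
    status = endpoint_finding(plan.get("status_endpoint"), STATUS_PATH)
    findings.extend(f for f in (recovery, status) if f)
    if plan.get("hardware_compatibility") == "Enabled" and recovery:
        findings.append("Allow hardware compatibility checking needs the Recovery and Hardware endpoint first")
    if plan.get("fixed_drive_encryption") == "Enabled" and plan.get("fixed_drive_password_policy") == "Disabled":
        findings.append("do not disable Configure use of password for fixed drives while fixed drive encryption is Enabled")
    if plan.get("auto_unlock_fixed_drive") and plan.get("os_drive_encryption") != "Enabled":
        findings.append("Enable auto-unlock fixed data drive requires the operating system volume to be encrypted")
    for name in ("fixed_drive_encryption", "os_drive_encryption"):
        if plan.get(name) == "Disabled":
            findings.append(f"{name} set to Disabled makes the MBAM agent decrypt the drive; use Not Configured to stop enforcing")
    if plan.get("os_protector") == "TPM+PIN" and plan.get("min_pin_length", 0) < 8:
        findings.append("TPM + PIN plan is below the suggested eight-character minimum PIN length")
    return findings


# Constructed sample plan following the suggested settings on this page (server name is made up).
SUGGESTED_PLAN = {
    "default_bitlocker_gpo_enabled": False,
    "recovery_endpoint": "http://mbam-admin.example.test:80" + RECOVERY_PATH,
    "status_endpoint": "http://mbam-admin.example.test:80" + STATUS_PATH,
    "hardware_compatibility": "Enabled",
    "fixed_drive_encryption": "Enabled",
    "auto_unlock_fixed_drive": True,
    "fixed_drive_password_policy": "Not Configured",
    "os_drive_encryption": "Enabled",
    "os_protector": "TPM+PIN",
    "min_pin_length": 8,
}

if __name__ == "__main__":
    for finding in validate_plan(SUGGESTED_PLAN) or ["plan is consistent with the page's suggested settings"]:
        print(finding)
```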

Configure TPM platform validation profile

Suggested Configuration: Not Configured

This policy setting lets you configure how the TPM security hardware on a computer secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker already has TPM protection enabled.

When this policy is not configured, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script.

Choose how to recover BitLocker-protected operating system drives

Suggested Configuration: Not Configured

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When this policy is not configured, the data recovery agent is allowed, and the recovery information is not backed up to AD DS.

MBAM operation does not require the recovery information to be backed up to AD DS.

Removable Drive policy definitions

This section describes the Removable Drive Policy definitions for MBAM, found at the following GPO node: Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM (BitLocker Management) \ Removable Drive.

Policy name: overview and suggested policy setting

Control the use of BitLocker on removable drives

Suggested configuration: Enabled

This policy controls the use of BitLocker on removable data drives.

Enable the Allow users to apply BitLocker protection on removable data drives option, to allow users to run the BitLocker setup wizard on a removable data drive.

Enable the Allow users to suspend and decrypt BitLocker on removable data drives option to allow users to remove BitLocker drive encryption from the drive or to suspend the encryption while maintenance is performed.

When this policy is enabled and the Allow users to apply BitLocker protection on removable data drives option is selected, the MBAM Client saves the recovery information about removable drives to the MBAM key recovery server, and it allows users to recover the drive if the password is lost.

Deny the “write” permissions to removable drives that are not protected by BitLocker

Suggested Configuration: Not Configured

Enable this policy to allow write access only to removable drives that are protected by BitLocker.

When this policy is enabled, all removable data drives on the computer require encryption before write permissions are allowed.

Allow access to BitLocker-protected removable drives from earlier versions of Windows

Suggested Configuration: Not Configured

Enable this policy to unlock and view the removable drives that are formatted with the file allocation table (FAT) file system on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

These operating systems have read-only permissions to BitLocker-protected drives.

When the policy is disabled, removable drives formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

Configure the use of password for removable data drives

Suggested configuration: Not Configured

Enable this policy to configure password protection on removable data drives.

When this policy is not configured, passwords are supported with the default settings, which do not include password complexity requirements and require only eight characters.

For increased security, you can enable this policy and select Require password for removable data drive, select Require password complexity, and then set the preferred minimum password length.

Choose how BitLocker-protected removable drives can be recovered

Suggested Configuration: Not Configured

You can configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When the policy is set to Not Configured, the data recovery agent is allowed and recovery information is not backed up to AD DS.

MBAM operation does not require the recovery information to be backed up to AD DS.
