
Planning and Configuring Group Policy for MBAM

Applies To: Microsoft BitLocker Administration and Monitoring

Before Microsoft BitLocker Administration and Monitoring (MBAM) can manage clients in the enterprise, you must define Group Policy for the encryption requirements of your environment.

Important

Microsoft BitLocker Administration and Monitoring will not work with policies for stand-alone BitLocker drive encryption. Group Policy must be defined for Microsoft BitLocker Administration and Monitoring, or BitLocker encryption and enforcement will fail.

Group Policy Requirements

Microsoft BitLocker Administration and Monitoring requires Group Policy to be set for MBAM features. This section describes the policies to use for setting up BitLocker Drive Encryption.

To set Group Policy for BitLocker Administration and Monitoring

  1. Make sure that the MBAM Group Policy feature is installed on the computer that is managing Group Policy settings for BitLocker.

  2. Using the Group Policy Management Console (GPMC), the Advanced Group Policy Management (AGPM), or the Local Group Policy Editor on the computer that is managing Group Policy for BitLocker, browse to Computer configuration, select Policies, select Administrative Templates, click Windows Components, and then select MDOP MBAM (BitLocker Management).

  3. Select the policy setting to edit. The Group Policy settings for BitLocker Administration and Monitoring include the following:

    • Client Management

    • Operating System Drive

    • Fixed Drive

    • Removable Drive

  4. Edit your policy settings. Recommended policy settings for basic MBAM implementation include the following:

    Policy / Group Policy Setting / Recommended configuration

    Client Management

    Configure MBAM Services

    Enabled. Set MBAM Recovery and Hardware service endpoint and Select BitLocker recovery information to store. Set MBAM compliance service endpoint and Enter status report frequency in (minutes).

    Allow hardware compatibility checking

    Disabled. This policy is enabled by default, but is not needed for a basic MBAM implementation.

    Operating System Drive

    Operating system drive encryption settings

    Enabled. Set Select protector for operating system drive. Required to save operating system drive data to the MBAM Key Recovery server.

    Removable Drive

    Control Use of BitLocker on removable drives

    Enabled. Required if MBAM will save removable drive data to the MBAM Key Recovery server. Check the Allow users to apply BitLocker protection on removable data drives option.

    Fixed Drive

    Control Use of BitLocker on fixed drives

    Enabled. Required if MBAM will save fixed drive data to the MBAM Key Recovery server. Set Choose how BitLocker-protected drives can be recovered and Allow data recovery agent.


    Global Policy Definitions

    This section describes Global Policy definitions for BitLocker Administration and Monitoring.

    Policy Name / Overview and Suggested Policy Setting

    Prevent memory overwrite on restart

    Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart.

    Suggested Configuration: Not configured

    When the policy is not configured, BitLocker secrets are removed from memory when the computer restarts.

    Validate smart card certificate usage rule

    Configure this policy to use smartcard certificate-based BitLocker protection.

    Suggested Configuration: Not configured

    When policy is not configured, a default object identifier “1.3.6.1.4.1.311.67.1.1” is used to specify a certificate.

    Provide the unique identifiers for your organization

    Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.

    Suggested Configuration: Not configured

    When policy is not configured, the Identification field is not used.

    If your company requires stronger security measures, you may want to configure the Identification field to make sure that all USB devices have this field set and aligned with this Group Policy setting.

    Choose drive encryption method and cipher strength

    Configure this policy to use a specific encryption method and cipher strength.

    Suggested Configuration: Not configured

    When policy is not configured, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

    Client Management Policy Definitions

    This section describes MBAM Client Management Policy definitions.

    Policy Name / Overview and Suggested Policy Settings

    Configure MBAM Services

    This policy setting lets you configure the key recovery service to back up BitLocker recovery information. It also lets you configure the status reporting service for collecting compliance status reports. The policy provides an administrative method of recovering data encrypted by BitLocker to prevent data loss because of the lack of key information. Status report and key recovery activity will automatically and silently be sent to the configured report server location.

    If you do not configure or disable this policy setting, the key recovery information will not be saved; status report and key recovery activity will not be reported to the server.

    Suggested Configuration: Enabled

    When Select BitLocker recovery information to store is set to Recovery Password and key package, the recovery password and key package will be automatically and silently backed up to the configured key recovery server location.

    This policy setting manages how frequently the client checks the BitLocker protection policies and status on the client computer. This policy also manages how frequently the client compliance status is saved to the server. The client will check the BitLocker protection policies and status on the client computer, and also back up the client recovery key at the configured frequency.

    Set these frequencies based on the requirement set by your company on how frequently to check the compliance status of the computer, and how frequently to back up the client recovery key.

    Allow hardware compatibility checking

    This policy setting lets you check hardware compatibility before you enable BitLocker protection on drives of a computer.

    When enabling this policy, the administrator has to make sure that the Microsoft BitLocker Administration and Monitoring service is installed with the “Hardware Capability” feature.

    When enabling this policy, you can set the “Configure Key Recovery service”.

    If you enable this policy setting, once every 24 hours the model of the computer is validated against the hardware compatibility list before the policy enables BitLocker protection on drives of a computer.

    If you either disable or do not configure this policy setting, the computer model is not validated against the hardware compatibility list.

    Suggested Configuration: Enabled

    Enable this if your enterprise has older computer hardware or computers that do not support TPM. If this is the case, enable hardware compatibility checking to make sure that MBAM is only applied to computer models that support BitLocker. If all computers in your organization support BitLocker, you do not have to deploy the Hardware Compatibility feature, and you can set this policy to Not Configured.

    Configure user exemption policy

    By default, all computers that receive MBAM policy are BitLocker encrypted. To allow users to request exemption from BitLocker encryption, set AllowUserExemption = true, a per-machine policy. The UserExemptionMessage policy can specify instructions on how to request exemption from BitLocker encryption including a URL, email address, or telephone number.

    With the AllowUserExemption policy enabled and UserExemptionMessage specified, the Microsoft BitLocker Administration and Monitoring client will display a Request Exemption button. If the user clicks that button, the Microsoft BitLocker Administration and Monitoring client displays the instructions to request exemption from BitLocker encryption. After the user clicks the Request Exemption button, encryption of the computer is deferred for a time defined by the MaxTimeToGetUserExemption policy. By default, MaxTimeToGetUserExemption equals 7 days. If the user is not exempt after this time, then the computer is encrypted normally.

    To exempt a user, set IsUserExempted = 1 in the user policy template located at %windir%\PolicyDefinitions\BitLockerUserManagement.admx by default. This setting must be made using a process external to Microsoft BitLocker Administration and Monitoring.

    For more information about APIs for creating Group Policy objects and policy settings, see About Group Policy API (https://go.microsoft.com/fwlink/?LinkId=231446). For more information about how to manage Group Policy, see How To Use the Group Policy Editor to Manage Local Computer Policy in Windows XP (https://go.microsoft.com/fwlink/?LinkId=231447).

    Note

    User exemption is managed per-user, not per-computer. If multiple users log on to the same computer and any one user is not exempt, then the computer will be encrypted.

    Suggested Configuration: Not Configured

    Operating System Drive Policy Definitions

    This section describes MBAM Operating System Drive Policy Definitions.

    Policy Name / Overview and Suggested Policy Setting

    Operating system drive encryption settings

    This policy setting determines whether the operating system drive will be encrypted.

    Configure this policy to do the following:

    • Enforce BitLocker protection for the operating system drive.

    • Configure PIN usage to use a TPM PIN for operating system protection.

    • Configure enhanced startup PINs to permit characters such as uppercase and lowercase letters, symbols, numbers, and spaces.

    If you enable this policy setting, the user is then required to secure the operating system drive by using BitLocker.

    If you do not configure or if you disable the setting, the user is not required to secure the operating system drive by using BitLocker.

    If you disable this policy, the MBAM agent will decrypt the operating system volume if it is encrypted.

    Suggested configuration: Enabled

    When it is enabled, this policy setting requires the user to secure the operating system by using BitLocker protection, and the drive is encrypted. Based on your encryption requirements, you may select the method of protection for the operating system drive.

    For higher security requirements, use “TPM + PIN”, allow enhanced PINs, and set the minimum PIN length to 8.

    When this policy is enabled with the TPM + PIN protector, you can consider disabling the following policies under System / Power Management / Sleep Settings:

    • Allow Standby States (S1-S3) When Sleeping (Plugged In)

    • Allow Standby States (S1-S3) When Sleeping (On Battery)
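    The following audit script is an added example and is not part of the MBAM documentation or the MBAM client. It compares a client's actual BitLocker state with the operating system drive recommendations above (TPM + PIN protector, enhanced PINs, minimum PIN length 8, S1-S3 standby disabled) and with the fixed drive auto-unlock guidance. It assumes Windows 8 / Windows Server 2012 or later, where the BitLocker PowerShell module exists, and an elevated session; the function name is ours, the FVE policy values MinimumPIN and UseEnhancedPin are the standard BitLocker policy registry values, and the power-setting GUID used for the standby check is an assumption to confirm against Power.admx.

```powershell
#Requires -RunAsAdministrator
# Added audit script (not part of the MBAM documentation). Compares a client's
# BitLocker state with the operating system drive recommendations on this page.
# Assumes Windows 8 / Windows Server 2012 or later (BitLocker module present).
Import-Module BitLocker

function Test-MbamOsDriveRecommendation {
    [CmdletBinding()]
    param([int]$MinimumPinLength = 8)   # the page recommends a minimum PIN length of 8

    $findings = New-Object 'System.Collections.Generic.List[string]'
    # Standard BitLocker policy key; the startup-PIN policies write MinimumPIN and
    # UseEnhancedPin here.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue

    # --- Operating system drive: protected, TPM + PIN, recovery password present ---
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
    if (-not $os) {
        $findings.Add('No operating system volume reported by BitLocker.')
    } else {
        $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        if ($os.ProtectionStatus -ne 'On') {
            $findings.Add("OS drive $($os.MountPoint): protection is $($os.ProtectionStatus), expected On.")
        }
        if ('TpmPin' -notin $types) {
            $findings.Add("OS drive $($os.MountPoint): no TPM + PIN protector (found: $($types -join ', ')).")
        }
        if ('RecoveryPassword' -notin $types) {
            $findings.Add("OS drive $($os.MountPoint): no recovery password protector, so MBAM has no key to escrow.")
        }
        $findings.Add("OS drive $($os.MountPoint): encryption method is $($os.EncryptionMethod) (informational).")
    }

    # --- PIN policy: enhanced PINs allowed and minimum length at least 8 ---
    if ([int]$pol.MinimumPIN -lt $MinimumPinLength) {
        $findings.Add("Policy MinimumPIN is '$($pol.MinimumPIN)'; expected at least $MinimumPinLength.")
    }
    if ([int]$pol.UseEnhancedPin -ne 1) {
        $findings.Add('Enhanced startup PINs are not allowed by policy.')
    }

    # --- Standby states S1-S3: the page suggests disabling them with TPM + PIN ---
    # ASSUMED GUID for "Allow Standby States (S1-S3) When Sleeping"; confirm it in Power.admx.
    $standbyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
    $sb = Get-ItemProperty -Path $standbyKey -ErrorAction SilentlyContinue
    foreach ($name in 'ACSettingIndex', 'DCSettingIndex') {   # plugged in / on battery
        if (-not $sb -or $sb.$name -ne 0) {
            $findings.Add("Standby policy $name is not 0 (disabled); a machine in S3 keeps the volume key in RAM.")
        }
    }

    # --- Fixed data drives: auto-unlock only makes sense when the OS drive is protected ---
    foreach ($v in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'Data' }) {
        if ($v.MountPoint -notmatch '^[A-Za-z]:\\?$') { continue }   # skip folder mount points
        $letter = $v.MountPoint.Substring(0, 1)
        $kind = (Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue).DriveType
        if ($kind -eq 'Fixed' -and $v.ProtectionStatus -ne 'On') {
            $findings.Add("Fixed drive $($v.MountPoint): not protected; the fixed data drive policy expects encryption.")
        }
        if ($v.AutoUnlockEnabled -and $os -and $os.ProtectionStatus -ne 'On') {
            $findings.Add("Drive $($v.MountPoint): auto-unlock is enabled but the OS drive is not protected.")
        }
    }
    return $findings
}

$result = Test-MbamOsDriveRecommendation
if ($result.Count -eq 0) { 'No deviations from the recommended settings found.' } else { $result }
```

    On Windows 7 clients (the platform MBAM 1.0 targets) the BitLocker module is not available; `manage-bde -status` reports the same protector and encryption information, but the script above would need to parse that text instead. The script only reads state and policy values; it changes nothing on the client.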

    Choose how BitLocker-protected operating system drives can be recovered

    Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

    Suggested Configuration: Not configured

    When this policy is not configured, the data recovery agent is allowed and recovery information is not backed up to AD DS.

    MBAM operation does not require recovery information to be backed up to AD DS.

    Configure TPM platform validation profile

    This policy setting lets you configure how the Trusted Platform Module (TPM) security hardware on a computer secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

    Suggested Configuration: Not configured

    When this policy is not configured, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script.

    Fixed Drive Policy Definitions

    This section describes MBAM Fixed Drive Policy definitions.

    Policy Name / Overview and Suggested Policy Setting

    Fixed data drive encryption settings

    This policy setting lets you manage whether fixed drives must be encrypted.

    When enabling this policy, you must not disable the “Configure use of password for fixed data drives” policy.

    If the Enable auto-unlock fixed data drive option is checked, the operating system volume must be encrypted.

    If you enable this policy setting, the user will have to put all fixed drives under BitLocker protection and the drives will be encrypted.

    If you do not configure this policy or you disable this policy, then it is not required to put fixed drives under BitLocker protection.

    If you disable this policy, the MBAM agent will decrypt any encrypted fixed drives.

    Suggested Configuration: Enabled, and check the Enable auto-unlock fixed data drive option if the operating system volume is required to be encrypted.

    If encrypting the operating system volume is not required, clear the Enable auto-unlock fixed data drive checkbox.

    Deny write access to fixed drives not protected by BitLocker

    This policy setting determines whether BitLocker protection is required for fixed drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

    Suggested Configuration: Not configured

    When the policy is not configured, all fixed data drives on the computer will be mounted with read and write access.

    Allow access to BitLocker-protected fixed drives from earlier versions of Windows

    Enable this policy to let fixed drives with the FAT file system be unlocked and viewed on Windows Server 2008 computers.

    Suggested configuration: Not configured

    When the policy is not configured, fixed drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

    Configure use of password for fixed drives

    Enable this policy to configure password protection on fixed drives.

    Suggested configuration: Not configured

    When the policy is not configured, passwords will be supported with the default settings that do not include password complexity requirements and require only 8 characters.

    For higher security, enable this policy and check Require password for fixed data drive, select Require password complexity, and set the desired minimum password length.

    Choose how BitLocker-protected fixed drives can be recovered

    Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

    Suggested Configuration: Not configured

    When policy is not configured, the BitLocker data recovery agent is allowed, and recovery information is not backed up to AD DS. MBAM does not require recovery information to be backed up to AD DS.

    Removable Drive Policy Definitions

    This section describes MBAM Removable Drive Policy definitions.

    Policy Name / Overview and Suggested Policy Setting

    Control use of BitLocker on removable drives

    This policy controls the use of BitLocker on removable data drives.

    Check the Allow users to apply BitLocker protection on removable data drives option to let the user run the BitLocker setup wizard on a removable data drive.

    Choose Allow users to suspend and decrypt BitLocker on removable data drives to permit the user to remove BitLocker drive encryption from the drive or suspend the encryption while maintenance is performed.

    Suggested configuration: Enabled

    When this policy is enabled and the Allow users to apply BitLocker protection on removable data drives option is checked, the MBAM agent saves the recovery information about removable drives to the MBAM key recovery server and lets a user recover the drive if the password is lost.

    Deny write access to removable drives not protected by BitLocker

    Enable this policy to allow write access only to BitLocker-protected drives.

    Suggested Configuration: Not configured

    When this policy is enabled, all removable data drives on the computer require encryption before write access is allowed.

    Allow access to BitLocker-protected removable drives from earlier versions of Windows

    Enable this policy to allow fixed drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers.

    Suggested Configuration: Not configured

    When this policy is not configured, removable data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

    Configure use of password for removable data drives

    Enable this policy to configure password protection on removable data drives.

    Suggested configuration: Not configured

    When this policy is not configured, passwords are supported with the default settings that do not include password complexity requirements and require only 8 characters.

    For increased security, you may enable this policy and check Require password for removable data drive, select Require password complexity, and set the preferred minimum password length.

    Choose how BitLocker-protected removable drives can be recovered

    Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

    Suggested Configuration: Not configured

    When set to Not Configured, the data recovery agent is allowed and recovery information is not backed up to AD DS.

    MBAM operation does not require recovery information to be backed up to AD DS.

    Windows Policies

    Microsoft BitLocker Administration and Monitoring offers a customized BitLocker control panel application that, when it is configured, replaces the default BitLocker control panel application in Windows. The updated BitLocker Encryption Options control panel application allows users to manage their PINs and passwords and to unlock drives. The updated control panel application also hides the interface that lets administrators decrypt a drive or suspend or resume BitLocker encryption.

    Important

    The customized MBAM control panel application is not deployed automatically. You must follow these steps to configure and deploy the MBAM control panel application:

    Hide BitLocker in Control Panel

    1. Using the Group Policy Management Console (GPMC), the Advanced Group Policy Management (AGPM), or the Local Group Policy Editor on the BitLocker Group Policies computer, browse to User configuration, click Policies, select Administrative Templates, and then click Control Panel.

    2. Double-click Hide specified Control Panel items in the details pane, and then select Enabled.

    3. Click Show, and then type Microsoft.BitLockerDriveEncryption. This policy hides the BitLocker Drive Encryption application in Control Panel and replaces it with the updated BitLocker Encryption Options tool in the Windows control panel.
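    The same three steps can be applied to a domain GPO from PowerShell. The script below is an added example and is not part of the MBAM documentation or the MBAM product; it assumes the GroupPolicy module (RSAT) on a domain-joined management computer, an existing GPO whose name is a placeholder, and the registry location that the Control Panel administrative template uses for the Hide specified Control Panel items policy. The function names are ours; Microsoft.BitLockerDriveEncryption is the canonical name given in step 3.

```powershell
# Added example (not from the MBAM documentation): applies and verifies the
# "Hide specified Control Panel items" user policy from the procedure above.
# Assumes the GroupPolicy module (RSAT) and an existing GPO named below.
Import-Module GroupPolicy

$GpoName     = 'MBAM Client Settings'   # placeholder: use your own GPO name
$ExplorerKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$CplItem     = 'Microsoft.BitLockerDriveEncryption'   # canonical name from step 3

function Set-HideBitLockerControlPanel {
    param([string]$Name = $GpoName)
    # Enabled state is the DisallowCpl DWORD; the items to hide live as string
    # values ("1", "2", ...) under the DisallowCpl subkey.
    Set-GPRegistryValue -Name $Name -Key $ExplorerKey -ValueName 'DisallowCpl' `
        -Type DWord -Value 1 | Out-Null
    Set-GPRegistryValue -Name $Name -Key "$ExplorerKey\DisallowCpl" -ValueName '1' `
        -Type String -Value $CplItem | Out-Null
}

function Test-HideBitLockerControlPanel {
    param([string]$Name = $GpoName)
    # Read the policy back from the GPO rather than trusting the write succeeded.
    $enabled = (Get-GPRegistryValue -Name $Name -Key $ExplorerKey -ValueName 'DisallowCpl' `
        -ErrorAction SilentlyContinue).Value
    $items = @(Get-GPRegistryValue -Name $Name -Key "$ExplorerKey\DisallowCpl" `
        -ErrorAction SilentlyContinue)
    return ($enabled -eq 1) -and (($items | ForEach-Object { $_.Value }) -contains $CplItem)
}

Set-HideBitLockerControlPanel
Test-HideBitLockerControlPanel   # True once the policy matches steps 1-3
```

    Because the policy is user-scoped, link the GPO where the user accounts are, and run gpupdate /force on a client before expecting the BitLocker Drive Encryption item to disappear from Control Panel.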

    See Also

    Other Resources

    Planning for MBAM