Planning for MBAM 2.5 Group Policy Requirements

Use the following information to determine the types of BitLocker protectors that you can use to manage the Microsoft BitLocker Administration and Monitoring (MBAM) client computers in your enterprise.

Types of BitLocker protectors that MBAM supports

MBAM supports the following types of BitLocker protectors.

Type of drive or volume Supported BitLocker protectors

Operating system volumes

  • Trusted Platform Module (TPM)

  • TPM + PIN

  • TPM + USB key – supported only when the operating system volume is encrypted before MBAM is installed

  • TPM + PIN + USB key - supported only when the operating system volume is encrypted before MBAM is installed

  • Password - supported only for Windows To Go devices, fixed data drives, and Windows 8, Windows 8.1, and Windows 10 devices that don't have a TPM

  • Numerical password - applied automatically as part of volume encryption and doesn't need to be configured except in FIPS mode on Windows 7

  • Data recovery agent (DRA)

Fixed data drives

  • Password

  • Auto-unlock

  • Numerical password - applied automatically as part of volume encryption and doesn't need to be configured except in FIPS mode on Windows 7

  • Data recovery agent (DRA)

Removable drives

  • Password

  • Auto-unlock

  • Numerical password - applied automatically as part of volume encryption and doesn't need to be configured

  • Data recovery agent (DRA)

Support for the Used Space Encryption BitLocker policy

In MBAM 2.5 SP1, if you enable Used Space Encryption via BitLocker Group policy, the MBAM Client honors it.

This Group Policy setting is called Enforce drive encryption type on operating system drives and is located in the following GPO node: Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives. If you enable this policy and select the encryption type as Used Space Only encryption, MBAM will honor the policy and BitLocker will only encrypt disk space that is used on the volume.

How to get the MBAM Group Policy Templates and edit the settings

When you're ready to configure the MBAM Group Policy settings you want, do the following:

Steps to follow Where to get instructions

Copy the MBAM Group Policy Templates from MDOP Group Policy templates and install them on a computer that is capable of running the Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM).

Copying the MBAM 2.5 Group Policy Templates

Configure the Group Policy settings that you want to use in your enterprise.

Editing the MBAM 2.5 Group Policy Settings

Descriptions of the MBAM Group Policy settings

The MDOP MBAM (BitLocker Management) GPO node contains four global policy settings and four child GPO nodes: Client Management, Fixed Drive, Operating System Drive, and Removable Drive. The following sections describe and suggest settings for the MBAM Group Policy settings.

Important

Don't change the Group Policy settings in the BitLocker Drive Encryption node, or MBAM won't work correctly. MBAM automatically configures the settings in this node for you when you configure the settings in the MDOP MBAM (BitLocker Management) node.

Global Group Policy definitions

This section describes MBAM Global Group Policy definitions at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management).

Policy name Overview and suggested Group Policy settings

Choose drive encryption method and cipher strength

Suggested configuration: Enabled

Configure this policy to use a specific encryption method and cipher strength.

When this policy isn't configured, BitLocker uses the default encryption method: AES 128-bit with Diffuser.

Note

An issue with the BitLocker Computer Compliance report causes it to display "unknown" for the cipher strength, even if you're using the default value. To work around this issue, make sure you enable this setting and set a value for cipher strength.

  • AES 128-bit with Diffuser – for Windows 7 only

  • AES 128 for Windows 8, Windows 8.1, Windows 10, and Windows 11

Prevent memory overwrite on restart

Suggested configuration: Not Configured

Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart.

When this policy isn't configured, BitLocker secrets are removed from memory when the computer restarts.

Validate smart card certificate usage rule

Suggested configuration: Not Configured

Configure this policy to use smartcard certificate-based BitLocker protection.

When this policy isn't configured, the default object identifier 1.3.6.1.4.1.311.67.1.1 is used to specify a certificate.

Provide the unique identifiers for your organization

Suggested configuration: Not Configured

Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.

When this policy isn't configured, the Identification field isn't used.

If your company requires higher security measurements, you can configure the Identification field to make sure that all USB devices have this field set and that they're aligned with this Group Policy setting.

Client Management Group Policy definitions

This section describes Client Management policy definitions for MBAM at the following GPO node: Computer Configuration > Policies >Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management) > Client Management.

You can set the same Group Policy settings for the Stand-alone and System Center Configuration Manager Integration topologies, with one exception: Disable the Configure MBAM Services > MBAM Status reporting service endpoint setting if you're using the Configuration Manager Integration topology, as indicated in the following table.

Policy name Overview and suggested Group Policy settings

Configure MBAM Services

Suggested configuration: Enabled

  • MBAM Recovery and Hardware service endpoint. Use this setting to enable MBAM Client BitLocker encryption management. Enter an endpoint location that is similar to the following example: http(s)://<MBAM Administration and Monitoring Server Name>:<the port the web service is bound to>/MBAMRecoveryAndHardwareService/CoreService.svc.

  • Select BitLocker recovery information to store. This policy setting lets you configure the key recovery service to back up BitLocker recovery information. It also lets you configure a status reporting service for collecting reports. The policy provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to the lack of key information. The status report and key recovery activity are automatically and silently sent to the configured report server location.

    If you don't configure this policy setting or if you disable it, the key recovery information isn't saved, and the status report and key recovery activity aren't reported to the server. When this setting is set to Recovery Password and key package, the recovery password and key package are automatically and silently backed up to the configured key recovery server location.

  • Enter client checking status frequency in minutes. This policy setting manages how frequently the client checks the BitLocker protection policies and status on the client computer. This policy also manages how frequently the client compliance status is saved to the server. The client checks the BitLocker protection policies and status on the client computer and also backs up the client recovery key at the configured frequency.

    Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer and how frequently to back up the client recovery key.

  • MBAM Status reporting service endpoint:

    For MBAM in a Stand-alone topology: You must configure this setting to enable MBAM Client BitLocker encryption management.

    Enter an endpoint location that is similar to the following example:

    http(s)://<MBAM Administration and Monitoring Server Name>:<the port the web service is bound to>/MBAMComplianceStatusService/StatusReportingService.svc

    For MBAM in the Configuration Manager Integration topology: Disable this setting.

Configure user exemption policy

Suggested configuration: Not Configured

This policy setting lets you configure a website address, email address, or phone number that instructs a user to request an exemption from BitLocker encryption.

If you enable this policy setting and provide a website address, email address, or phone number, users see a dialog box with instructions on how to apply for an exemption from BitLocker protection. For more information about enabling BitLocker encryption exemptions for users, see How to Manage User BitLocker Encryption Exemptions.

If you either disable or don't configure this policy setting, the exemption request instructions aren't displayed to users.

Note

User exemption is managed per user, not per computer. If multiple users log on to the same computer and any one user isn't exempt, the computer is encrypted.

Configure customer experience improvement program

Suggested configuration: Enabled

This policy setting lets you configure how MBAM users can join the Customer Experience Improvement Program. This program collects information about computer hardware and how users use MBAM without interrupting their work. The information helps Microsoft to identify which MBAM features to improve. Microsoft doesn't use this information to identify or contact MBAM users.

If you enable this policy setting, users can join the Customer Experience Improvement Program.

If you disable this policy setting, users can't join the Customer Experience Improvement Program.

If you don't configure this policy setting, users have the option to join the Customer Experience Improvement Program.

Provide the URL for the Security Policy link

Suggested configuration: Enabled

Use this policy setting to specify a URL that is displayed to end users as a link named "Company Security Policy." The link points to your company’s internal security policy and provides end users with information about encryption requirements. The link appears when users are prompted by MBAM to encrypt a drive.

If you enable this policy setting, you can configure the URL for the Security Policy link.

If you disable or don't configure this policy setting, the Security Policy link isn't displayed to users.

Fixed Drive Group Policy definitions

This section describes Fixed Drive policy definitions for Microsoft BitLocker Administration and Monitoring at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management) > Fixed Drive.

Policy name Overview and suggested Group Policy settings

Fixed data drive encryption settings

Suggested configuration: Enabled

This policy setting lets you manage whether fixed data drives must be encrypted.

If the operating system volume is required to be encrypted, click Enable auto-unlock fixed data drive.

When you enable this policy, you must not disable the Configure use of password for fixed data drives policy unless you're enabling or requiring the use of auto-unlock for fixed data drives.

If you have to use auto-unlock for fixed data drives, you must configure operating system volumes to be encrypted.

If you enable this policy setting, users are required to put all fixed data drives under BitLocker protection, and the data drives are then encrypted.

If you don't configure this policy setting, users aren't required to put fixed data drives under BitLocker protection. If you apply this policy after fixed data drives are encrypted, the MBAM agent decrypts the encrypted fixed data drives.

If you disable this policy setting, users can't put their fixed data drives under BitLocker protection.

Deny write access to fixed drives not protected by BitLocker

Suggested configuration: Not Configured

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

When the policy isn't configured, all fixed data drives on the computer are mounted with read/write permission.

Allow access to BitLocker-protected fixed drives from earlier versions of Windows

Suggested configuration: Not Configured

Enable this policy so that fixed drives with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

When the policy is enabled or not configured, fixed drives that are formatted with the FAT file system can be unlocked and their content can be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. These operating systems have read-only permission to BitLocker-protected drives.

When the policy is disabled, fixed drives that are formatted with the FAT file system can't be unlocked and their content can't be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

Configure use of password for fixed drives

Suggested configuration: Not Configured

Use this policy to specify whether a password is required to unlock BitLocker-protected fixed data drives.

If you enable this policy setting, users can configure a password that meets the requirements that you define. BitLocker enables users to unlock a drive with any of the protectors that are available on the drive.

These settings are enforced when you turn on BitLocker, not when you unlock a volume.

If you disable this policy setting, users aren't allowed to use a password.

When the policy isn't configured, passwords are supported with the default settings, which don't include password complexity requirements and which require only eight characters.

For higher security, enable this policy, and then select Require password for fixed data drive, click Require password complexity, and set the minimum password length that you want.

If you disable this policy setting, users aren't allowed to use a password.

If you don't configure this policy setting, passwords are supported with the default settings, which don't include password complexity requirements and which require only eight characters.

Choose how BitLocker-protected fixed drives can be recovered

Suggested configuration: Not Configured

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When the policy isn't configured, the BitLocker data recovery agent is allowed, and recovery information isn't backed up to AD DS. MBAM doesn't require recovery information to be backed up to AD DS.

Encryption Policy Enforcement Settings

Suggested configuration: Enabled

Use this policy setting to configure the number of days that fixed data drives can remain noncompliant until they're forced to comply with MBAM policies. Users can't postpone the required action or request an exemption from it after the grace period. The grace period starts when the fixed data drive is determined to be noncompliant. However, the fixed data drive policy isn't enforced until the operating system drive is compliant.

If the grace period expires and the fixed data drive is still not compliant, users don't have the option to postpone or to request an exemption. If the encryption process requires user input, a dialog box appears that users can't close until they provide the required information.

Enter 0 in the Configure the number of noncompliance grace period days for fixed drives to force the encryption process to begin immediately after the grace period expires for the operating system drive.

If you disable or don't configure this setting, users aren't forced to comply with MBAM policies.

If no user interaction is required to add a protector, encryption begins in the background after the grace period expires.

Operating System Drive Group Policy definitions

This section describes Operating System Drive policy definitions for Microsoft BitLocker Administration and Monitoring at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management) > Operating System Drive.

Policy name Overview and suggested Group Policy settings

Operating system drive encryption settings

Suggested configuration: Enabled

This policy setting lets you manage whether the operating system drive must be encrypted.

For higher security, consider disabling the following policy settings in System > Power Management > Sleep Settings when you enable them with TPM + PIN protector:

  • Allow Standby States (S1-S3) When Sleeping (Plugged In)

  • Allow Standby States (S1-S3) When Sleeping (On Battery)

If you're running Microsoft Windows 8 or later, and you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive.

On a computer with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN).

If you enable this policy setting, users have to put the operating system drive under BitLocker protection, and the drive is then encrypted.

If you disable this policy, users can't put the operating system drive under BitLocker protection. If you apply this policy after the operating system drive is encrypted, the drive is then decrypted.

If you don't configure this policy, the operating system drive isn't required to be placed under BitLocker protection.

Allow enhanced PINs for startup

Suggested configuration: Not Configured

Use this policy setting to configure whether enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all new BitLocker startup PINs set will enable end user to create enhanced PINs. However, not all computers can support enhanced PINs in the pre-boot environment. We strongly recommend that administrators evaluate whether their systems are compatible with this feature before enabling its use.

Select the Require ASCII-only PINs check box to help make enhanced PINs more compatible with computers that limit the type or number of characters that can be entered in the pre-boot environment.

If you disable or don't configure this policy setting, enhanced PINs aren't used.

Choose how BitLocker-protected operating system drives can be recovered

Suggested configuration: Not Configured

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When this policy isn't configured, the data recovery agent is allowed, and recovery information isn't backed up to AD DS.

MBAM operation doesn't require recovery information to be backed up to AD DS.

Configure use of passwords for operating system drives

Suggested configuration: Not Configured

Use this policy setting to set the constraints for passwords that are used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, you must also enable the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy.

Note

These settings are enforced when you turn on BitLocker, not when you unlock a volume. BitLocker lets you unlock a drive with any of the protectors that are available on the drive.

If you enable this policy setting, users can configure a password that meets the requirements that you define. To enforce complexity requirements on the password, click Require password complexity.

Configure TPM platform validation profile for BIOS-based firmware configurations

Suggested configuration: Not Configured

This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.

Important

This Group Policy setting applies only to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers that use a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmware configurations" Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.

If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before you unlock access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive.

If you disable or don't configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the Setup script.

Configure TPM platform validation profile

Suggested configuration: Not Configured

This policy setting enables you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.

If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before you unlock access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive.

If you disable or don't configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

Configure TPM platform validation profile for native UEFI firmware configurations

Suggested configuration: Not Configured

This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.

Important

This Group Policy setting applies only to computers with a native UEFI firmware configuration.

If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive.

If you disable or don't configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.

Reset platform validation data after BitLocker recovery

Suggested configuration: Not Configured

Use this policy setting to control whether platform validation data is refreshed when Windows is started after BitLocker recovery.

If you enable this policy setting, platform validation data are refreshed when Windows is started after BitLocker recovery. If you disable this policy setting, platform validation data aren't refreshed when Windows is started after BitLocker recovery. If you don't configure this policy setting, platform validation data are refreshed when Windows is started after BitLocker recovery.

Use enhanced Boot Configuration Data validation profile

Suggested configuration: Not Configured

This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation.

If you enable this policy setting, you can add additional settings, remove the default settings, or both. If you disable this policy setting, the computer reverts to a BCD profile similar to the default BCD profile that is used by Windows 7. If you don't configure this policy setting, the computer verifies the default Windows BCD settings.

Note

When BitLocker uses Secure Boot for platform and Boot Configuration Data (BCD) integrity validation, as defined by the "Allow Secure Boot for integrity validation" policy, the "Use enhanced Boot Configuration Data validation profile" policy is ignored.

The setting that controls boot debugging (0x16000010) is always validated and has no effect if it's included in the provided fields.

Encryption Policy Enforcement Settings

Suggested configuration: Enabled

Use this policy setting to configure the number of days that users can postpone complying with MBAM policies for their operating system drive. The grace period begins when the operating system is first detected as noncompliant. After this grace period expires, users can't postpone the required action or request an exemption from it.

If the encryption process requires user input, a dialog box appears that users can't close until they provide the required information.

If you disable or don't configure this setting, users aren't forced to comply with MBAM policies.

If no user interaction is required to add a protector, encryption begins in the background after the grace period expires.

Configure pre-boot recovery message and URL

Suggested configuration: Not Configured

Enable this policy setting to configure a custom recovery message or to specify a URL that is then displayed on the pre-boot BitLocker recovery screen when the OS drive is locked. This setting is only available on client computers running Windows 11 and Windows 10.

When this policy is enabled, you can select one of these options for the pre-boot recovery message:

  • Use custom recovery message: Select this option to include a custom message in the pre-boot BitLocker recovery screen. In the Custom recovery message option box, type the message that you want displayed. If you also want to specify a recovery URL, include it as part of your custom recovery message.

  • Use custom recovery URL: Select this option to replace the default URL that is displayed in the pre-boot BitLocker recovery screen. In the Custom recovery URL option box, type the URL that you want displayed.

  • Use default recovery message and URL: Select this option to display the default BitLocker recovery message and URL in the pre-boot BitLocker recovery screen. If you previously configured a custom recovery message or URL and want to revert to the default message, you must enable this policy and select the Use default recovery message and URL option.

Note

Not all characters and languages are supported in pre-boot. We recommend that you test that the characters you use for the custom message or URL appear correctly on the pre-boot BitLocker recovery screen.

Removable Drive Group Policy definitions

This section describes Removable Drive Group Policy definitions for Microsoft BitLocker Administration and Monitoring at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management) > Removable Drive.

Policy name Overview and suggested Group Policy settings

Control use of BitLocker on removable drives

Suggested configuration: Enabled

This policy controls the use of BitLocker on removable data drives.

Click Allow users to apply BitLocker protection on removable data drives to allow users to run the BitLocker setup wizard on a removable data drive.

Click Allow users to suspend and decrypt BitLocker on removable data drives to enable users to remove BitLocker drive encryption from the drive or to suspend the encryption while maintenance is performed.

When this policy is enabled, and you click Allow users to apply BitLocker protection on removable data drives, the MBAM Client saves the recovery information about removable drives to the MBAM key recovery server and allows users to recover the drive if the password is lost.

Deny write access to removable drives not protected by BitLocker

Suggested configuration: Not Configured

Enable this policy to allow only write permission to BitLocker-protected drives.

When this policy is enabled, all removable data drives on the computer require encryption before write permission is allowed.

Allow access to BitLocker-protected removable drives from earlier versions of Windows

Suggested configuration: Not Configured

Enable this policy to allow fixed drives with the FAT file system to be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

When this policy isn't configured, removable drives that are formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only permission to BitLocker-protected drives.

When the policy is disabled, removable drives formatted with the FAT file system can't be unlocked and their content can't be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.

Configure use of password for removable data drives

Suggested configuration: Not Configured

Enable this policy to configure password protection on removable data drives.

When this policy isn't configured, passwords are supported with the default settings, which don't include password complexity requirements and which require only eight characters.

For increased security, you can enable this policy and select Require password for removable data drive, click Require password complexity, and set the preferred minimum password length.

Choose how BitLocker-protected removable drives can be recovered

Suggested configuration: Not Configured

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

When set to Not Configured, the data recovery agent is allowed, and recovery information isn't backed up to AD DS.

MBAM operation doesn't require recovery information to be backed up to AD DS.

Preparing your Environment for MBAM 2.5

MBAM 2.5 Deployment Prerequisites

Got a suggestion for MBAM?

For MBAM issues, use the MBAM TechNet Forum.