

Deploying MBAM Group Policies

Applies To: Microsoft BitLocker Administration and Monitoring

To successfully deploy Microsoft BitLocker Administration and Monitoring (MBAM), you first have to determine the Group Policies that you will use in your implementation of MBAM. See Planning and Configuring Group Policy for MBAM for more information on the different policies that are available. As soon as you have determined the policies that you are going to use, you then must create one or more Group Policy objects (GPO) that include the policy settings for MBAM.

Deploying MBAM Group Policy Settings

After you create the necessary GPOs, use the following steps to deploy the MBAM group policy settings to your organization’s client computers.

To edit MBAM client GPO settings

  1. On a computer that has Group Policy settings for BitLocker installed, make sure Microsoft BitLocker Administration and Monitoring services are enabled.

  2. Using the Group Policy Management Console (GPMC.msc), the Advanced Group Policy Management (AGPM), or the Local Group Policy Editor (GPEDIT.msc) on the BitLocker Group Policies computer, select Computer configuration, choose Policies, click Administrative Templates, select Windows Components, and then click MDOP MBAM (BitLocker Management).

  3. Next, edit the setting for the Microsoft BitLocker Administration and Monitoring policy. For each policy in the table that follows, select Policy Group, click the Policy, and then configure the Setting. The following table lists Group Policy settings that are required to enable Microsoft BitLocker Administration and Monitoring services on client computers:

    Policy Group | Policy | Setting
    Client Management | Configure MBAM Services | Enabled. Set MBAM Recovery and Hardware service endpoint and Select BitLocker recovery information to store. Set MBAM compliance service endpoint and Enter status report frequency in (minutes).
    Client Management | Allow hardware compatibility checking | Disabled. This policy is enabled by default, but is not needed for a basic MBAM implementation.
    Operating System Drive | Operating system drive encryption settings | Enabled. Set Select protector for operating system drive. Required to save operating system drive data to the MBAM Key Recovery server.
    Removable Drive | Control Use of BitLocker on removable drives | Enabled. Required if MBAM will save removable drive data to the MBAM Key Recovery server.
    Fixed Drive | Control Use of BitLocker on fixed drives | Enabled. Required if MBAM will save fixed drive data to the MBAM Key Recovery server. Set Choose how BitLocker-protected drives can be recovered and Allow data recovery agent.

    Important

    Depending on the policies that your organization decides to deploy, you may have to configure additional policies. See Planning and Configuring Group Policy for MBAM for Group Policy configuration details for all MBAM policies.
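    The following PowerShell script is an added verification example and is not part of the MBAM documentation or the MBAM product. Run it on a client computer after the GPO has been applied: it reads the MBAM client policy values that the Configure MBAM Services setting writes, warns about a missing endpoint or an endpoint that is not HTTPS, and checks that the MBAM client service is running. The registry key path, the value names (KeyRecoveryServiceEndPoint, StatusReportingServiceEndPoint, StatusReportingFrequency) and the service name MBAMAgent are assumptions based on the MBAM 2.5 client; confirm them against your own deployment before relying on the output.

```powershell
# Added example, not from the MBAM documentation. Verifies that the MBAM client
# Group Policy settings from the table above reached this computer.
function Test-MbamClientPolicy {
    # Assumed: the MBAM client reads its policy from this key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

    if (-not (Test-Path -Path $policyKey)) {
        Write-Warning "No MBAM policy key at $policyKey. Run 'gpupdate /force' and confirm the GPO is linked to this computer's OU."
        return $false
    }

    $policy = Get-ItemProperty -Path $policyKey
    $ok = $true

    # Assumed value names written when 'Configure MBAM Services' is Enabled.
    $required = @(
        'KeyRecoveryServiceEndPoint',      # MBAM Recovery and Hardware service endpoint
        'StatusReportingServiceEndPoint',  # MBAM compliance service endpoint
        'StatusReportingFrequency'         # status report frequency in minutes
    )

    foreach ($name in $required) {
        $value = $policy.$name
        if ($null -eq $value -or "$value" -eq '') {
            Write-Warning "Missing policy value: $name"
            $ok = $false
        } else {
            Write-Output ('{0,-32} = {1}' -f $name, $value)
        }
    }

    # The client posts recovery keys and compliance data to these endpoints,
    # so they should be HTTPS rather than plain HTTP.
    foreach ($name in 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndPoint') {
        $url = $policy.$name
        if ($url -and $url -notmatch '^https://') {
            Write-Warning "$name is not HTTPS ($url); key and compliance data would travel unencrypted."
            $ok = $false
        }
    }

    # Policy has no effect unless the MBAM client service is running (assumed service name: MBAMAgent).
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning 'MBAM client service (MBAMAgent) is not installed on this computer.'
        $ok = $false
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "MBAM client service is $($svc.Status); expected Running."
        $ok = $false
    } else {
        Write-Output 'MBAM client service is running.'
    }

    return $ok
}

Test-MbamClientPolicy
```

    A $true result means the required values are present and the service is up; it does not prove the client has successfully escrowed a key, which is confirmed on the MBAM administration website or in the MBAM event log.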

    Hide Windows BitLocker Control Panel

    Microsoft BitLocker Administration and Monitoring offers a customized MBAM control panel that can replace the default Windows BitLocker control panel when it is configured. The updated BitLocker Encryption Options control panel lets users manage their PIN and passwords and unlock drives. The control panel also hides the interface that lets administrators decrypt a drive or suspend or resume BitLocker encryption.

    To hide BitLocker Control Panel in Windows

    1. Browse to User configuration by using the Group Policy Management Console (GPMC), the Advanced Group Policy Management (AGPM), or the Local Group Policy Editor on the BitLocker Group Policies computer. Next, click Policies, select Administrative Templates, and then click Control Panel.

    2. Double-click Hide specified Control Panel items in the details pane, and then select Enabled.

    3. Click Show, and then type Microsoft.BitLockerDriveEncryption. This policy hides the default Windows BitLocker Management tool from the Windows control panel and lets the user open the updated BitLocker Encryption Options tool from the Windows control panel.
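    The following PowerShell function is an added example and is not part of the MBAM documentation. It checks, for the current user, that the Hide specified Control Panel items policy is Enabled and that Microsoft.BitLockerDriveEncryption is in its list, and first confirms that this canonical name is valid on the local Windows build. The mapping of the policy to the Explorer policy key and its DisallowCpl value and subkey is an assumption about how this Administrative Template setting is stored; verify it against your own GPO.

```powershell
# Added example, not from the MBAM documentation. Confirms that the built-in
# BitLocker Control Panel item is hidden for the current user by Group Policy.
function Test-BitLockerControlPanelHidden {
    $canonicalName = 'Microsoft.BitLockerDriveEncryption'

    # Sanity check: the canonical name typed into the policy must match a real
    # Control Panel item, otherwise the policy silently hides nothing.
    $item = Get-ControlPanelItem -CanonicalName $canonicalName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Warning "No Control Panel item named $canonicalName exists on this computer."
        return $false
    }

    # Assumed storage of 'Hide specified Control Panel items' (User Configuration):
    # DisallowCpl=1 under the Explorer policy key, plus a DisallowCpl subkey whose
    # string values hold the hidden canonical names.
    $explorerPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $listKey = Join-Path -Path $explorerPolicy -ChildPath 'DisallowCpl'

    $enabled = (Get-ItemProperty -Path $explorerPolicy -ErrorAction SilentlyContinue).DisallowCpl
    if ($enabled -ne 1) {
        Write-Warning "'Hide specified Control Panel items' is not Enabled for this user."
        return $false
    }
    if (-not (Test-Path -Path $listKey)) {
        Write-Warning "Policy is Enabled but no hidden-items list exists at $listKey."
        return $false
    }

    # The value names are just indexes; the data is the canonical name.
    $key = Get-Item -Path $listKey
    $hidden = @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })

    if ($hidden -contains $canonicalName) {
        Write-Output "$canonicalName is hidden from the Control Panel for this user."
        return $true
    }

    Write-Warning "$canonicalName is not in the hidden-items list: $($hidden -join ', ')"
    return $false
}

Test-BitLockerControlPanelHidden
```

    Run it in the context of the user whose policy you are checking, since the setting lives under User Configuration and is written to HKCU, not HKLM.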

    See Also

    Concepts

    Deploying MBAM

    Other Resources

    Planning and Configuring Group Policy for MBAM