6- GROUP POLICY CONFIGURATION
First, download the latest MBAM/BitLocker Group Policy ADMX template and install it.
Download the template: https://www.microsoft.com/en-us/download/details.aspx?id=55531
As a best practice, follow the Microsoft MBAM/BitLocker Group Policy settings summarized below.
Link to GPO settings: https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md
Global Group Policy definitions
This section describes MBAM Global Group Policy definitions at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management).
Policy name | Overview and suggested Group Policy settings
---|---
Choose drive encryption method and cipher strength | Suggested configuration: Enabled<br>Configure this policy to use a specific encryption method and cipher strength. When this policy is not configured, BitLocker uses the default encryption method: AES 128-bit with Diffuser. Note: An issue with the BitLocker Computer Compliance report causes it to display “unknown” for the cipher strength, even if you are using the default value. To work around this issue, make sure you enable this setting and set a value for cipher strength.
Prevent memory overwrite on restart | Suggested configuration: Not Configured<br>Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart. When this policy is not configured, BitLocker secrets are removed from memory when the computer restarts.
Validate smart card certificate usage rule | Suggested configuration: Not Configured<br>Configure this policy to use smart card certificate-based BitLocker protection. When this policy is not configured, the default object identifier 1.3.6.1.4.1.311.67.1.1 is used to specify a certificate.
Provide the unique identifiers for your organization | Suggested configuration: Not Configured<br>Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader. When this policy is not configured, the Identification field is not used. If your company requires higher security measures, you can configure the Identification field to make sure that all USB devices have this field set and that they are aligned with this Group Policy setting.
Client Management Group Policy definitions
This section describes Client Management policy definitions for MBAM at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management) > Client Management.
You can set the same Group Policy settings for the Stand-alone and System Center Configuration Manager Integration topologies, with one exception: disable the Configure MBAM Services > MBAM Status reporting service endpoint setting if you are using the Configuration Manager Integration topology, as indicated in the following table.
Policy name | Overview and suggested Group Policy settings
---|---
Configure MBAM Services | Suggested configuration: Enabled
Configure user exemption policy | Suggested configuration: Not Configured<br>This policy setting lets you configure a website address, email address, or phone number that instructs a user to request an exemption from BitLocker encryption. If you enable this policy setting and provide a website address, email address, or phone number, users see a dialog box with instructions on how to apply for an exemption from BitLocker protection. For more information about enabling BitLocker encryption exemptions for users, see [How to Manage User BitLocker Encryption Exemptions](how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md). If you either disable or do not configure this policy setting, the exemption request instructions are not displayed to users. Note: User exemption is managed per user, not per computer. If multiple users log on to the same computer and any one user is not exempt, the computer is encrypted.
Configure customer experience improvement program | Suggested configuration: Enabled<br>This policy setting lets you configure how MBAM users can join the Customer Experience Improvement Program. This program collects information about computer hardware and how users use MBAM without interrupting their work. The information helps Microsoft to identify which MBAM features to improve. Microsoft does not use this information to identify or contact MBAM users. If you enable this policy setting, users can join the Customer Experience Improvement Program. If you disable this policy setting, users cannot join the Customer Experience Improvement Program. If you do not configure this policy setting, users have the option to join the Customer Experience Improvement Program.
Provide the URL for the Security Policy link | Suggested configuration: Enabled<br>Use this policy setting to specify a URL that is displayed to end users as a link named “Company Security Policy.” The link points to your company’s internal security policy and provides end users with information about encryption requirements. The link appears when users are prompted by MBAM to encrypt a drive. If you enable this policy setting, you can configure the URL for the Security Policy link. If you disable or do not configure this policy setting, the Security Policy link is not displayed to users.
Fixed Drive Group Policy definitions
This section describes Fixed Drive policy definitions for Microsoft BitLocker Administration and Monitoring at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management) > Fixed Drive.
Policy name | Overview and suggested Group Policy settings
---|---
Fixed data drive encryption settings | Suggested configuration: Enabled<br>This policy setting lets you manage whether fixed data drives must be encrypted. If the operating system volume is required to be encrypted, click Enable auto-unlock fixed data drive. When you enable this policy, you must not disable the Configure use of password for fixed data drives policy unless you are enabling or requiring the use of auto-unlock for fixed data drives. If you have to use auto-unlock for fixed data drives, you must configure operating system volumes to be encrypted. If you enable this policy setting, users are required to put all fixed data drives under BitLocker protection, and the data drives are then encrypted. If you do not configure this policy setting, users are not required to put fixed data drives under BitLocker protection. If you apply this policy after fixed data drives are encrypted, the MBAM agent decrypts the encrypted fixed data drives. If you disable this policy setting, users cannot put their fixed data drives under BitLocker protection.
Deny write access to fixed drives not protected by BitLocker | Suggested configuration: Not Configured<br>This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. When the policy is not configured, all fixed data drives on the computer are mounted with read/write permission.
Allow access to BitLocker-protected fixed drives from earlier versions of Windows | Suggested configuration: Not Configured<br>Enable this policy so that fixed drives with the FAT file system can be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. When the policy is enabled or not configured, fixed drives that are formatted with the FAT file system can be unlocked and their content can be viewed on those operating systems, which have read-only permission to BitLocker-protected drives. When the policy is disabled, fixed drives that are formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.
Configure use of password for fixed drives | Suggested configuration: Not Configured<br>Use this policy to specify whether a password is required to unlock BitLocker-protected fixed data drives. If you enable this policy setting, users can configure a password that meets the requirements that you define. BitLocker enables users to unlock a drive with any of the protectors that are available on the drive. These settings are enforced when you turn on BitLocker, not when you unlock a volume. If you disable this policy setting, users are not allowed to use a password. When the policy is not configured, passwords are supported with the default settings, which do not include password complexity requirements and which require only eight characters. For higher security, enable this policy, and then select Require password for fixed data drive, click Require password complexity, and set the minimum password length that you want.
Choose how BitLocker-protected fixed drives can be recovered | Suggested configuration: Not Configured<br>Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS). When the policy is not configured, the BitLocker data recovery agent is allowed, and recovery information is not backed up to AD DS. MBAM does not require recovery information to be backed up to AD DS.
Encryption Policy Enforcement Settings | Suggested configuration: Enabled<br>Use this policy setting to configure the number of days that fixed data drives can remain noncompliant until they are forced to comply with MBAM policies. Users cannot postpone the required action or request an exemption from it after the grace period. The grace period starts when the fixed data drive is determined to be noncompliant. However, the fixed data drive policy is not enforced until the operating system drive is compliant. If the grace period expires and the fixed data drive is still not compliant, users do not have the option to postpone or to request an exemption. If the encryption process requires user input, a dialog box appears that users cannot close until they provide the required information. Enter 0 in Configure the number of noncompliance grace period days for fixed drives to force the encryption process to begin immediately after the grace period expires for the operating system drive. If you disable or do not configure this setting, users are not forced to comply with MBAM policies. If no user interaction is required to add a protector, encryption begins in the background after the grace period expires.
Operating System Drive Group Policy definitions
This section describes Operating System Drive policy definitions for Microsoft BitLocker Administration and Monitoring at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management) > Operating System Drive.
Policy name | Overview and suggested Group Policy settings
---|---
Operating system drive encryption settings | Suggested configuration: Enabled<br>This policy setting lets you manage whether the operating system drive must be encrypted. For higher security, consider disabling the sleep-state policy settings under System > Power Management > Sleep Settings when you use the TPM + PIN protector. If you are running Microsoft Windows 8 or later, and you want to use BitLocker on a computer without a TPM, select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive. On a computer with a compatible TPM, two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN). If you enable this policy setting, users have to put the operating system drive under BitLocker protection, and the drive is then encrypted. If you disable this policy, users cannot put the operating system drive under BitLocker protection. If you apply this policy after the operating system drive is encrypted, the drive is then decrypted. If you do not configure this policy, the operating system drive is not required to be placed under BitLocker protection.
Allow enhanced PINs for startup | Suggested configuration: Not Configured<br>Use this policy setting to configure whether enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all new BitLocker startup PINs that are set allow end users to create enhanced PINs. However, not all computers can support enhanced PINs in the pre-boot environment. We strongly recommend that administrators evaluate whether their systems are compatible with this feature before enabling its use. Select the Require ASCII-only PINs check box to help make enhanced PINs more compatible with computers that limit the type or number of characters that can be entered in the pre-boot environment. If you disable or do not configure this policy setting, enhanced PINs are not used.
Choose how BitLocker-protected operating system drives can be recovered | Suggested configuration: Not Configured<br>Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS). When this policy is not configured, the data recovery agent is allowed, and recovery information is not backed up to AD DS. MBAM operation does not require recovery information to be backed up to AD DS.
Configure use of passwords for operating system drives | Suggested configuration: Not Configured<br>Use this policy setting to set the constraints for passwords that are used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, you must also enable the Group Policy setting “Password must meet complexity requirements” located in Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. Note: These settings are enforced when you turn on BitLocker, not when you unlock a volume. BitLocker lets you unlock a drive with any of the protectors that are available on the drive. If you enable this policy setting, users can configure a password that meets the requirements that you define. To enforce complexity requirements on the password, click Require password complexity.
Configure TPM platform validation profile for BIOS-based firmware configurations | Suggested configuration: Not Configured<br>This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This Group Policy setting applies only to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Support Module (CSM) enabled. Computers that use a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the “Configure TPM platform validation profile for native UEFI firmware configurations” Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware. If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before you unlock access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.
Configure TPM platform validation profile | Suggested configuration: Not Configured<br>This policy setting enables you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before you unlock access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.
Configure TPM platform validation profile for native UEFI firmware configurations | Suggested configuration: Not Configured<br>This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This Group Policy setting applies only to computers with a native UEFI firmware configuration. If you enable this policy setting before you turn on BitLocker, you can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM does not release the encryption key to unlock the drive and the computer instead displays the BitLocker Recovery console and requires that you provide either the recovery password or recovery key to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.
Reset platform validation data after BitLocker recovery | Suggested configuration: Not Configured<br>Use this policy setting to control whether platform validation data is refreshed when Windows is started after BitLocker recovery. If you enable this policy setting, platform validation data is refreshed when Windows is started after BitLocker recovery. If you disable this policy setting, platform validation data is not refreshed when Windows is started after BitLocker recovery. If you do not configure this policy setting, platform validation data is refreshed when Windows is started after BitLocker recovery.
Use enhanced Boot Configuration Data validation profile | Suggested configuration: Not Configured<br>This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If you enable this policy setting, you can add additional settings, remove the default settings, or both. If you disable this policy setting, the computer reverts to a BCD profile similar to the default BCD profile that is used by Windows 7. If you do not configure this policy setting, the computer verifies the default Windows BCD settings. Note: When BitLocker uses Secure Boot for platform and Boot Configuration Data (BCD) integrity validation, as defined by the “Allow Secure Boot for integrity validation” policy, the “Use enhanced Boot Configuration Data validation profile” policy is ignored. The setting that controls boot debugging (0x16000010) is always validated and has no effect if it is included in the provided fields.
Encryption Policy Enforcement Settings | Suggested configuration: Enabled<br>Use this policy setting to configure the number of days that users can postpone complying with MBAM policies for their operating system drive. The grace period begins when the operating system is first detected as noncompliant. After this grace period expires, users cannot postpone the required action or request an exemption from it. If the encryption process requires user input, a dialog box appears that users cannot close until they provide the required information. If you disable or do not configure this setting, users are not forced to comply with MBAM policies. If no user interaction is required to add a protector, encryption begins in the background after the grace period expires.
Configure pre-boot recovery message and URL | Suggested configuration: Not Configured<br>Enable this policy setting to configure a custom recovery message or to specify a URL that is then displayed on the pre-boot BitLocker recovery screen when the OS drive is locked. This setting is only available on client computers running Windows 10. When this policy is enabled, you can select one of several options for the pre-boot recovery message. Note: Not all characters and languages are supported in pre-boot. We recommend that you test that the characters you use for the custom message or URL appear correctly on the pre-boot BitLocker recovery screen.
Removable Drive Group Policy definitions
This section describes Removable Drive Group Policy definitions for Microsoft BitLocker Administration and Monitoring at the following GPO node: Computer Configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management) > Removable Drive.
Policy name | Overview and suggested Group Policy settings
---|---
Control use of BitLocker on removable drives | Suggested configuration: Enabled<br>This policy controls the use of BitLocker on removable data drives. Click Allow users to apply BitLocker protection on removable data drives to allow users to run the BitLocker setup wizard on a removable data drive. Click Allow users to suspend and decrypt BitLocker on removable data drives to enable users to remove BitLocker drive encryption from the drive or to suspend the encryption while maintenance is performed. When this policy is enabled, and you click Allow users to apply BitLocker protection on removable data drives, the MBAM Client saves the recovery information about removable drives to the MBAM key recovery server and allows users to recover the drive if the password is lost.
Deny write access to removable drives not protected by BitLocker | Suggested configuration: Not Configured<br>Enable this policy to allow write permission only to BitLocker-protected drives. When this policy is enabled, all removable data drives on the computer require encryption before write permission is allowed.
Allow access to BitLocker-protected removable drives from earlier versions of Windows | Suggested configuration: Not Configured<br>Enable this policy to allow removable drives with the FAT file system to be unlocked and viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. When this policy is not configured, removable drives that are formatted with the FAT file system can be unlocked on those operating systems and their content can be viewed; these operating systems have read-only permission to BitLocker-protected drives. When the policy is disabled, removable drives formatted with the FAT file system cannot be unlocked and their content cannot be viewed on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2.
Configure use of password for removable data drives | Suggested configuration: Not Configured<br>Enable this policy to configure password protection on removable data drives. When this policy is not configured, passwords are supported with the default settings, which do not include password complexity requirements and which require only eight characters. For increased security, you can enable this policy and select Require password for removable data drive, click Require password complexity, and set the preferred minimum password length.
Choose how BitLocker-protected removable drives can be recovered | Suggested configuration: Not Configured<br>Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS). When set to Not Configured, the data recovery agent is allowed, and recovery information is not backed up to AD DS. MBAM operation does not require recovery information to be backed up to AD DS.
CONTINUE TO PART 4