MBAM Group Policy Template

By Rory Monaghan


The MBAM setup puts down a Group Policy template (ADMX) on your MBAM server which lets you configure the client settings for your environment. So let’s go through some of the more important settings to get you started with a base MBAM setup.

First, an overview of the different kinds of setup you can have. MBAM gives you a lot of flexibility. You can encrypt with AES 128-bit or AES 256-bit. You can escrow your recovery keys in Active Directory, or save them to a share or removable media, and so on. You can require a PIN, so that when a user starts up a machine they are first prompted for their TPM PIN. Or, if that doesn’t jive with you, you can set it up with no PIN so that the TPM chip alone authorises the boot. In both cases it is worth being clear about what the TPM actually holds: not the recovery key. The TPM seals BitLocker’s volume master key and releases it at boot only if the measured boot components (firmware, boot manager and so on) match what they were when the drive was encrypted. The 48-digit recovery password is a separate protector, kept outside the machine, for when the TPM cannot or will not release the key.

Why would you only use the TPM? Maybe you have maintenance tasks that require your desktop team to reboot machines unattended, and a PIN prompt at boot would lock them out.

Surely it’s less secure that way? It is less secure in one specific way. With TPM-only, anyone in the office can power the machine on and get to the Windows logon screen, because the TPM releases the key with no user secret involved; from that moment the disk is unlocked and the data is protected only by Windows logon and whatever works against a running machine. So TPM-only is only as good as your logon policy, and you should pair it with the sleep-state restrictions mentioned under the operating system drive settings below (the key stays in memory while the machine sleeps). If your fear is somebody stealing the machine or drive and bringing the data outside the office, it holds up: with decent logon security an outsider should not be able to log in, and if they pull the drive and attach it to another machine as a secondary disk, BitLocker will not unlock it because that machine’s TPM does not hold the key. What BitLocker does not do is stop them wiping the drive. It protects the confidentiality of the data, not its availability, so a thief can still format or reimage the disk; they just cannot read what was on it without a valid recovery password.
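As an added example (not from the original post), here is a PowerShell audit that shows the protector combinations discussed above on a real machine: it lists each volume’s encryption method and key protectors, flags an OS drive that uses TPM-only with no PIN, flags any drive with no recovery password to escrow, and includes helpers to add a TPM+PIN protector and an escrowed recovery password. It uses the built-in BitLocker module (Windows 8 / Server 2012 and later) and must run elevated; the “expected” configuration it checks against is this example’s assumption, not a setting from the MBAM template.

```powershell
# Added example, not part of the original post or of MBAM. Requires the BitLocker
# PowerShell module (Windows 8 / Server 2012 and later) and an elevated session.
# The target state it checks for (OS drive = TPM+PIN, every drive has a
# RecoveryPassword protector) is this example's assumption.

function Get-BitLockerAudit {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.VolumeType -eq 'OperatingSystem') {
            # TPM-only boots straight to the logon screen with the volume master key
            # already released, so the disk is only protected while it is offline.
            $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
            if (($types -contains 'Tpm') -and -not $hasPin) {
                $findings += 'OS drive uses TPM-only (no PIN); consider TPM+PIN'
            }
            if (-not ($types -match '^Tpm')) {
                $findings += 'OS drive has no TPM-based protector'
            }
        }

        # Without a RecoveryPassword there is nothing to escrow to AD DS / MBAM,
        # so a lost PIN or a swapped motherboard means lost data.
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no RecoveryPassword protector (nothing to escrow)'
        }

        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "protection is $($vol.ProtectionStatus) (status $($vol.VolumeStatus))"
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            EncryptionMethod = $vol.EncryptionMethod   # e.g. Aes128Diffuser, Aes256, XtsAes256
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            Findings         = ($findings -join '; ')
        }
    }
}

# Remediation for the first finding: add a TPM+PIN protector to the OS drive.
function Add-TpmPinToOsDrive {
    param([string]$MountPoint = $env:SystemDrive)
    $pin = Read-Host -Prompt 'New BitLocker PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin
}

# Remediation for the second finding: add a 48-digit recovery password and push it
# to AD DS. The GPO "Save BitLocker recovery information to AD DS" must allow this;
# with the MBAM agent installed, escrow goes to the MBAM recovery database instead.
function Add-EscrowedRecoveryPassword {
    param([Parameter(Mandatory)][string]$MountPoint)
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword' |
           Select-Object -Last 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
}

Get-BitLockerAudit | Format-Table -AutoSize
```

Run the audit first, then only the helper for the gap it reports; both helpers change the key protectors on the volume, so treat them as administrative actions rather than something to script across a fleet unattended.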

Here I’ll detail some of the most important ones. Honestly, I’ve just copied and pasted the descriptions from the template itself and added a one-liner for each.

Choose drive encryption method and cipher strength

This option sets the algorithm and key length BitLocker uses. The default is AES 128-bit with Diffuser, and it goes up to AES 256-bit with Diffuser. Pick the strongest option your clients support (AES 256-bit is the usual choice), and set it before you roll out: it only applies to drives encrypted after the policy lands. Note that the Diffuser variants are a Windows 7-era option; Windows 8 dropped Diffuser and Windows 10 added XTS-AES, so check what your client OS offers.

This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about the encryption methods available.

If you enable this policy setting you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.

If you disable or do not configure this policy setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

Configure MBAM Services (point clients at the MBAM services and set the intervals)

This option tells the client where the MBAM Recovery and Hardware service and the Compliance Status service live on your MBAM Administration and Monitoring server, and how often clients check policy and report their compliance state back to the server.

This policy setting allows you to manage the key recovery service backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information.

The URL for the MBAM Recovery and Hardware service endpoint is
http(s)://<servername>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc

The URL for the MBAM Status reporting service endpoint is
http(s)://<servername>:<port>/MBAMComplianceStatusService/StatusReportingService.svc

Replace the server name and port number in the above URLs based on your installation of MBAM.

BitLocker recovery information includes the recovery password and some unique identifier data. You can also select to include a package that contains a BitLocker protected drive’s encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted.

This policy setting manages how often the client will check the BitLocker protection policies and status on the client machine.

This policy setting allows you to manage the compliance and status information to be saved at report server location. This provides an administrative method of generating a compliance and status report.

This policy setting allows you to manage the frequency of the compliance and status information to be reported to the report service.

The frequency can be anywhere from every 90 minutes to every 2880 minutes (48 hours).

If you enable this policy setting, key recovery information will be automatically and silently backed up to the configured key recovery server location and the status report will be automatically and silently sent to the configured report server location.

If you disable or do not configure this policy setting, the key recovery and status report information will not be saved.
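The two endpoints and the interval range above are easy to get subtly wrong in a GPO (a typo in the .svc path, plain http:// instead of https://, an interval outside 90 to 2880 minutes), and the client fails silently. The following PowerShell is an added example, not part of the original post or of MBAM: it builds the URLs in the exact form the policy expects, validates the intervals, tests that a client can reach both services, and reads back what the GPO actually wrote on a client. The server name mbam01.corp.example is a placeholder, and the registry path and value names in Get-MbamClientPolicy are this example’s assumption, taken from the MBAM client documentation; verify them against the ADMX.

```powershell
# Added example, not part of the original post or of MBAM itself.
# 'mbam01.corp.example' is a placeholder server name.

function New-MbamEndpointConfig {
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [int]$Port = 443,
        # The template accepts http(s)://. Recovery passwords and key packages travel
        # over this channel, so plain HTTP is refused unless explicitly allowed (lab use).
        [switch]$AllowHttp,
        # Both intervals are bounded by the policy: 90 to 2880 minutes (48 hours).
        [ValidateRange(90, 2880)][int]$ClientCheckMinutes  = 90,
        [ValidateRange(90, 2880)][int]$StatusReportMinutes = 720
    )
    $scheme = if ($AllowHttp) { 'http' } else { 'https' }
    $base   = "${scheme}://${ServerName}:${Port}"
    [pscustomobject]@{
        KeyRecoveryServiceEndPoint     = "$base/MBAMRecoveryAndHardwareService/CoreService.svc"
        StatusReportingServiceEndPoint = "$base/MBAMComplianceStatusService/StatusReportingService.svc"
        ClientCheckMinutes             = $ClientCheckMinutes
        StatusReportMinutes            = $StatusReportMinutes
    }
}

function Test-MbamEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    # A GET on a WCF .svc address returns its service page with HTTP 200 when the site,
    # binding and TLS certificate are in order. A wrong port, a missing IIS site, or a
    # certificate the client does not trust all surface as an exception here.
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -UseDefaultCredentials -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Reachable = ($r.StatusCode -eq 200); Detail = "HTTP $($r.StatusCode)" }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Detail = $_.Exception.Message }
    }
}

function Get-MbamClientPolicy {
    # Reads the values the GPO writes on a client so you can confirm what applied.
    # ASSUMPTION: key path and value names follow the MBAM client documentation;
    # check them against the ADMX shipped with your MBAM version.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key |
        Select-Object KeyRecoveryServiceEndPoint, StatusReportingServiceEndPoint,
                      ClientWakeupFrequency, StatusReportingFrequency
}

$cfg = New-MbamEndpointConfig -ServerName 'mbam01.corp.example' -Port 443 -StatusReportMinutes 720
$cfg
$cfg.KeyRecoveryServiceEndPoint, $cfg.StatusReportingServiceEndPoint |
    ForEach-Object { Test-MbamEndpoint -Url $_ }
Get-MbamClientPolicy
```

Run the reachability test from a client in the target OU, not from the MBAM server itself; the point is to exercise the name resolution, firewall path and certificate chain the agent will actually use.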

Allow Hardware Compatibility Checking

I personally like this option. If you enable it you’ll have to approve every new piece of hardware for use with BitLocker; even a machine with a different version of the BIOS needs to be approved. Once approved, any other machine with that spec is automatically eligible.

This policy setting allows you to manage the checking of hardware compatibility before enabling BitLocker protection on the drives of a computer. When enabling this policy, the administrator needs to ensure the Microsoft BitLocker Administration and Monitoring service is installed with the “Hardware capability” sub-feature.

When enabling this policy you must enable the “Configure MBAM services” policy and configure the MBAM Recovery and Hardware service endpoint.

If you enable this policy setting, before BitLocker protection is enabled on the drives of a computer, the computer’s model will be validated against the hardware compatibility list, to ensure that it is one of the IT-supported models capable of BitLocker Drive Encryption.

If you disable this policy setting, the computer’s model will not be validated against the IT-supported hardware compatibility list.

If you do not configure this policy setting, the computer’s model will not be validated against the IT-supported hardware compatibility list.

Fixed Data Drive Encryption Settings

This policy setting allows you to manage whether fixed data drives must be encrypted.
When you enable this policy, you must not disable the “Configure use of password for fixed data drives” policy.

When auto-unlock of fixed data drives is enabled, the OS volume must be encrypted.

If you enable this policy setting, the user will have to put all fixed data drives under BitLocker protection, and the drives will be encrypted.
If you disable this policy setting, it is not required to put fixed data drives under BitLocker protection.
If you do not configure this policy setting, it is not required to put fixed data drives under BitLocker protection.

Deny Write Access to fixed drives not protected by Bitlocker

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.

Configure use of password for fixed data drives

Sets a password policy for fixed data drives, for the case where a drive unlocks with a password protector rather than a key. Set this if you’d like.

This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective the Group Policy setting “Password must meet complexity requirements” located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must also be enabled.

Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

If you enable this policy setting, users can configure a password that meets the requirements you define. To require the use of a password, select “Require password for fixed data drive”. To enforce complexity requirements on the password, select “Require complexity”.

When set to “Require complexity” a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to “Allow complexity” a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to “Do not allow complexity”, no password complexity validation will be done.

Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the “Minimum password length” box.

If you disable this policy setting, the user is not allowed to use a password.

If you do not configure this policy setting, passwords will be supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Note: Passwords cannot be used if FIPS-compliance is enabled. The “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing” policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.

Choose how BitLocker-protected fixed drives can be recovered

Here you decide what can get a fixed drive back when the normal unlock fails: a certificate-based data recovery agent (DRA), the 48-digit recovery password, the 256-bit recovery key on a USB stick, or a mix of these, and whether the recovery information must already be in AD DS before encryption is allowed to start.

This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.

The “Allow data recovery agent” check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In “Configure user storage of BitLocker recovery information” select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select “Omit recovery options from the BitLocker setup wizard” to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

In “Save BitLocker recovery information to Active Directory Domain Services” choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select “Backup recovery password and key package”, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select “Backup recovery password only,” only the recovery password is stored in AD DS.

Select the “Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives” check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the “Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives” check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

If this policy setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

When using ‘BitLocker Management Solution’, the key recovery information is saved at the key recovery server location that is configured using the server location policy in the Data Recovery category.

Operating System Drive encryption settings

We covered fixed drives, but you will also want to ensure that all operating system drives require encryption. You can set that here.

This policy setting allows you to manage whether the operating system drive must be encrypted.

For higher security, when this is enabled with a TPM + PIN protector, consider disabling the following policies in System/Power Management/Sleep Settings (in S1-S3 standby the key stays in RAM, which defeats the point of the PIN):
Allow Standby States (S1-S3) When Sleeping (Plugged In)
Allow Standby States (S1-S3) When Sleeping (On Battery)

If you enable this policy setting, the user will have to put the operating system drive under BitLocker protection and the drive will be encrypted.

If you disable or do not configure this policy setting, it is not required to put the operating system drive under BitLocker protection.

Choose how BitLocker-protected OS drives can be recovered

Again: use the recovery password to recover, or maybe a recovery agent. It’s up to you.

This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.

The “Allow certificate-based data recovery agent” check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

In “Configure user storage of BitLocker recovery information” select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

Select “Omit recovery options from the BitLocker setup wizard” to prevent users from specifying recovery options when they enable BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you enable BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

In “Save BitLocker recovery information to Active Directory Domain Services”, choose which BitLocker recovery information to store in AD DS for operating system drives. If you select “Backup recovery password and key package”, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select “Backup recovery password only,” only the recovery password is stored in AD DS.

Select the “Do not enable BitLocker until recovery information is stored in AD DS for operating system drives” check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

Note: If the “Do not enable BitLocker until recovery information is stored in AD DS for operating system drives” check box is selected, a recovery password is automatically generated.

If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

When using ‘BitLocker Management Solution’, the key recovery information is saved at the key recovery server location that is configured using the server location policy in the Data Recovery category.
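Both recovery policies above, for fixed drives and for OS drives, hinge on the recovery password actually reaching AD DS; “Do not enable BitLocker until recovery information is stored in AD DS” only covers the moment of enablement, and a protector added or rotated later is not automatically re-escrowed. The following PowerShell, added here as an example and not part of the original post, checks that for one computer: it lists the msFVE-RecoveryInformation objects under the computer account in AD, compares their recovery GUIDs with the RecoveryPassword protectors on the local volumes, and optionally re-escrows any protector AD does not have. It assumes the BitLocker module on the client, the ActiveDirectory RSAT module, an account delegated to read the recovery objects, and AD DS (rather than the MBAM recovery database) as the escrow target.

```powershell
# Added example, not from the original post. Requires: BitLocker module (local),
# ActiveDirectory module (RSAT), and rights to read msFVE-RecoveryInformation
# objects under the computer account. Covers AD DS escrow only; with the MBAM
# agent the recovery password goes to the MBAM recovery database instead.
Import-Module ActiveDirectory

function Get-AdEscrowedRecoveryIds {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computer = Get-ADComputer -Identity $ComputerName
    # Recovery objects live directly under the computer object, one per recovery
    # password, and their CN ends with the recovery GUID in braces, e.g.
    # "2020-01-15T09:30:00+00:00{1A2B3C4D-...}". That GUID is the KeyProtectorId
    # BitLocker shows locally, so it is what we compare on.
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } |
        ForEach-Object {
            if ($_.Name -match '\{([0-9A-Fa-f-]{36})\}$') { "{$($Matches[1].ToUpper())}" }
        }
}

function Test-RecoveryPasswordEscrow {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Remediate   # push any un-escrowed protector to AD DS
    )
    $escrowed = @(Get-AdEscrowedRecoveryIds -ComputerName $ComputerName)

    foreach ($vol in Get-BitLockerVolume) {
        $rps = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        if ($rps.Count -eq 0) {
            # Nothing to escrow: this drive is recoverable only via a DRA or a USB recovery key.
            [pscustomobject]@{
                MountPoint = $vol.MountPoint; KeyProtectorId = $null
                EscrowedInAd = $false; Action = 'no RecoveryPassword protector'
            }
            continue
        }
        foreach ($kp in $rps) {
            $id     = $kp.KeyProtectorId.ToUpper()
            $inAd   = $escrowed -contains $id
            $action = 'ok'
            if (-not $inAd) {
                $action = 'missing in AD DS'
                if ($Remediate) {
                    # Same call the "backup to AD DS" policy triggers at enablement time.
                    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                        -KeyProtectorId $kp.KeyProtectorId | Out-Null
                    $action = 'backup to AD DS requested'
                }
            }
            [pscustomobject]@{
                MountPoint = $vol.MountPoint; KeyProtectorId = $id
                EscrowedInAd = $inAd; Action = $action
            }
        }
    }
}

Test-RecoveryPasswordEscrow | Format-Table -AutoSize
```

Run it without -Remediate first and look at the Action column; a drive showing “no RecoveryPassword protector” needs a protector added before there is anything to escrow, which the backup call alone will not do.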

Also featured are similar policies for removable drives, for the case where you’d like to allow the use of USB keys but ensure they are encrypted and compliant with your company policy. As with fixed drives, these policies can make the drive read-only unless it is encrypted, and set the level of encryption, how the key is stored, how the drive is recovered, and so on.
