In part 4 here ,we have installed the MBAM components on our MBAM server (MBAM01) . In this part 5 of this MBAM 2.5 SP1 series guide,we will configure the prerequisites required for windows clients using Group Policy objects before we deploy MBAM Agent and drive encryption.
Before we Configure and deploy MBAM 2.5 SP1 Agent settings using Group policy to our client computers,lets have a look at, what types of Bitlocker that MBAM supports.
Types of BitLocker protectors that MBAM supports:
In MBAM 2.5 SP1, if you enable Used Space Encryption via BitLocker Group policy, the MBAM Client honors it.It also have new feature that support for windows 10 is Configure pre-boot recovery message and URL (More will see while doing Demo’s).
Next ,we will download the latest MBAM 2.5 SP1 Group policy templates from here to our workstation and copy it to our Domain controller.if you are trying to create these group policy objects on your workstations (meaning you have installed the GPMC) then you can copy these templates to your workstation folder (you can find the location in the below post).
After you downloaded the cab file,you must extract it .I have used free unzip tool 7-Zip to extract it. This cab file consists of templates for MDOP components like App-v,UE-V,MBAM all versions. So we will try to copy only the MBAM 2.5 SP1 templates to our Domain controller.
Copy the two .admx files (BitLockerManagement.admx and (BitLockerUserManagement.admx) and 2 .adml files (BitLockerManagement.adml and BitLockerUserManagement.adml) from en-us folder to below locations.
Local files. To configure Group Policy settings from the local device, copy template files to the following locations:
Group Policy template (.admx) : %systemroot%\policyDefinitions
Group Policy language file (.adml) : %systemroot%\policyDefinitions\[MUIculture]
Domain central store. To enable Group Policy settings configuration by a Group Policy administrator from any computer on the domain, copy files to the following locations on the domain controller:
Group Policy template (.admx) : %systemroot%\sysvol\domain\policies\PolicyDefinitions
Group Policy language file (.adml) : %systemroot%\sysvol\domain\policies\PolicyDefinitions\[MUIculture]\[MUIculture]
For example, the U.S. English ADML language-specific file will be stored in %systemroot%\sysvol\domain\policies\PolicyDefinitions\en-us.
Login to our Domain controller (DC01) using an account that has enough permissions to create Group policy ,Copy the .admx and .adml files to %systemroot%\policyDefinitions and %systemroot%\policyDefinitions\en-US respectively.
.admx templates:
.adml templates:
Next , we will create group policy objects with MBAM 2.5 SP1 Bitlocker settings and deploy to workstation OU.
I already have OU called ‘Workstations’ in my Domain .If you don’t have ,create one like MBAM or something and move the workstation’s to it for MBAM testing.
Note:Do not change the Group Policy settings in the BitLocker Drive Encryption node, or MBAM will not work correctly. When you configure the Group Policy settings in the MDOP MBAM (BitLocker Management)node, MBAM automatically configures the BitLocker Drive Encryption settings for you.
On your domain controller,you can search with Group policy ,open Group policy Management or go to control panel –>Administrative Templates—>Group Policy Management OR from run command ,type GPMC.msc
From your forest ,domain—>Group policy Objects ,create New ,give it name ‘MBAM 2.5 SP1 Client Settings’ ,click Ok
Edit the Group policy by right click on the object and select ‘Edit’ .This is our GPO with all the MBAM 2.5 SP1 Bitlocker settings and will be applied to our Workstation OU later.
Navigate to Computer configuration > Policies > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management).
We will be configuring these policy groups for our Bitlocker drive Encryption .
Client Management : Configure MBAM Services
Operating System Drive: Operating system drive encryption settings
Removable Drive : Control use of BitLocker on removable drives
Fixed Drive :Control use of BitLocker on fixed drives
Complete description of these policy groups and what each group policy setting does can be found from Technet guide https://technet.microsoft.com/en-us/library/dn645338.aspx.
As we are running our client Operating system in Virtual ,we will be configuring the settings that supports for VM bitlocker encryption.For you,the settings may be different in production with your requirements.
Lets start with Client Management Group to Configure the MBAM services.
MBAM Recovery and Hardware service endpoint : http(s)://<MBAM Administration and Monitoring Server Name>:<the port the web service is bound to>/MBAMRecoveryAndHardwareService/CoreService.svc.
For our Lab,the setting looks like: http://MBAM01.corp.eskonr.com/MBAMRecoveryAndHardwareService/CoreService.svc
MBAMRecoveryAndHardwareService: is our IIS website name from our MBAM01 server
Select BitLocker recovery information to store : 90 (default)
MBAM Status reporting service endpoint : Disable ---As we have integrated MBAM with Configuration manager 2012. If you are running standalone, You must configure this setting to enable MBAM Client BitLocker encryption management.
For Standalone ,setting would be : http(s)://<MBAM Administration and Monitoring Server Name>:<the port the web service is bound to>/MBAMComplianceStatusService/StatusReportingService.svc
In production,you may have to look at other policy settings to configure but for now in my virtual lab,I leave the other settings to be as it is.
In MBAM 2.5 SP1,there is new setting added called ‘Configure Automatically resetting TPM Lockouts’ : This policy setting lets MBAM automatically reset TPM lockouts. During normal policy enactment cycles, MBAM checks the TPM to determine whether it is in a lockout mode. MBAM contacts the MBAM services to retrieve the TPM password hash that is associated with the client machine. MBAM attempts to reset the TPM lockout counter only if the BitLocker Recovery Key for the OS volume has been disclosed by the MBAM services. MBAM checks if any TPM protectors enabled such as TPM or TPM and PIN before resetting the TPM lockout counter.
If you enable this policy setting, MBAM will attempt to automatically reset the TPM lockout counter on client machines if the TPM is in a lockout mode.
If you disable or do not configure this policy setting, MBAM will not attempt to automatically reset the TPM lockout counter.
Note: This policy setting has no effect on computers with TPM version 2.0 and above.
Next Policy Group we look at is Fixed Drive Group:
Encryption Policy Enforcement Settings: Use this policy setting to configure the number of days that fixed data drives can remain noncompliant until they are forced to comply with MBAM policies. Users cannot postpone the required action or request an exemption from it after the grace period. The grace period starts when the fixed data drive is determined to be noncompliant. However, the fixed data drive policy is not enforced until the operating system drive is compliant.
Specifying a grace period of 0 will enforce the policy immediately after the operating system drive becomes compliant.
Next Policy group we look at is Operating System Drive Group:
Operating system drive encryption settings :This policy setting lets you manage whether the operating system drive must be encrypted.
As I am running Windows 8 Operating System (later) and I do not have TPM chipset (Client is VM ) ,I will select the Allow BitLocker without a compatible TPM check box. In this mode, a password is required for startup. If you forget the password, you have to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM (production Environment), two types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require the entry of a personal identification number (PIN).
Configure use of passwords for operating system drives: By default ,the domain controller has the ‘Password must meet complexity requirements’ enabled so we can enable this setting to unlock BitLocker-protected operating system drives with ‘Allow password complexity’
Password must meet complexity requirements :
Setting that I choose is do not enable password complexity as am running in lab and I want to have simple password for testing .In Production,you may have to choose the password complexity.
Encryption Policy Enforcement Settings: Use this policy setting to configure the number of days that users can postpone complying with MBAM policies for their operating system drive. The grace period begins when the operating system is first detected as noncompliant. After this grace period expires, users cannot postpone the required action or request an exemption from it.
Specifying a grace period of 0 will enforce the policy immediately on the operating system drive.
Enforce drive encryption type on operating system drives (new in MBAM 2.5 SP1):This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
Configure pre-boot recovery message and URL: This is is new feature in MBAM 2.5 SP1 and Enable this policy setting to configure a custom recovery message or to specify a URL that is then displayed on the pre-boot BitLocker recovery screen when the OS drive is locked. This setting is only available on client computers running Windows 10. (will see this in the Demo on Windows 10 Client).
Use custom recovery message: Use this link to recover the Key
Use custom recovery URL:: http://mbam01.corp.eskonr.com/SelfService/Recovery/Index
This URL is selfservice URL from my MBAM01 server to recover the Key.
The remaining settings are upto you and depends on your organization requirement.Go through them and enable if required.
Summary of Group Policies settings that we configured for MBAM 2.5 SP1 Bitlocker encryption in our Lab:
Client Management:
Configure MBAM Services
Fixed Drive:
Encryption Policy Enforcement Settings
Operating System Drive:
Operating system drive encryption settings
Configure use of passwords for operating system drives
Encryption Policy Enforcement Settings
Enforce drive encryption type on operating system drives
Configure pre-boot recovery message and URL.
Now ,lets link this Group policy to our Workstation OU.
Close the Group policy setting window and go back to our Group policy management console.
Forest—>domain—OU called eskonr—workstation OU ,right click on it and select Link an Existing GPO.
select the newly created GPO ‘MBAM 2.5 SP1 Client Settings’ ,Click ok
You will see the GPO linked to our Workstation OU.
With this ,we have completed the Group policy settings required to enable the bitlocker drive encryption on our clients and deployed to Workstations OU.
In the next part (part 6) ,we will deploy MBAM 2.5 SP1 agent using System center configuration manager 2012 R2 (SCCM 2012 R2 SP1) with application deployment method.