MBAM Group Policy Questions
Is it possible to disable BitLocker from prompting where to save the recovery key when you are using the MBAM client? Previously we had done so when we were using AD as the storage location. But now if I leave the Recovery Agents or AD unchecked and select just the removal of recovery key options, I get an error on the client saying I need to have either AD or Recovery Agent enabled. I don't want the techs to need to save a recovery key somewhere if it's pushing to the SQL server. Anyone using the Client + storing the keys in AD as a backup?
September 27th, 2011 12:40pm

Yes, you can have only the GPO to back up recovery keys in MBAM and not in AD. Do not configure the GPO to back up recovery information in AD for BitLocker under Operating System Drive. Can you send me which GPOs are configured for MBAM under the Operating System Drive? Manoj Sehgal
September 27th, 2011 8:40pm

Hi, I am not very familiar with the MBAM product, so I will involve a colleague to help you. Regards, Juke TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tnmff@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
September 28th, 2011 4:19am

Administrative Templates
Policy definitions (ADMX files) retrieved from the local machine.

Windows Components/BitLocker Drive Encryption/Operating System Drives
  Require additional authentication at startup: Enabled
    Allow BitLocker without a compatible TPM: Disabled (requires a startup key on a USB flash drive)
    Settings for computers with a TPM:
      Configure TPM startup: Do not allow TPM
      Configure TPM startup PIN: Require startup PIN with TPM
      Configure TPM startup key: Do not allow startup key with TPM
      Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM

Windows Components/MDOP MBAM (BitLocker Management)/Client Management
  Allow hardware compatibility checking: Disabled
  Configure MBAM services: Enabled
    MBAM Recovery and Hardware service endpoint: http://servername/MBAMRecoveryAndHardwareService/CoreService.svc
    Select BitLocker recovery information to store: Recovery password and key package
    Enter client checking status frequency in (minutes): 90
    MBAM Status reporting service endpoint: http://servername/MBAMComplianceStatusService/StatusReportingService.svc
    Enter status report frequency in (minutes): 720

Windows Components/MDOP MBAM (BitLocker Management)/Fixed Drive
  Fixed data drive encryption settings: Enabled
    Comment: This policy setting allows you to manage whether the fixed data drive must be encrypted or not.
    Enable auto-unlock fixed data drive: Enabled

Windows Components/MDOP MBAM (BitLocker Management)/Operating System Drive
  Operating system drive encryption settings: Enabled
    Select protector for operating system drive:
    Allow enhanced PINs for startup: Enabled
    Configure minimum PIN length for startup: 6
September 28th, 2011 1:40pm

With these GPO settings we will back up keys only in MBAM and not in AD. Manoj Sehgal
September 28th, 2011 2:18pm

Is your issue resolved or do you want more help? If your issue is resolved, then please close this thread. Thanks, Manoj Sehgal
October 6th, 2011 2:35pm

Hi Richard/Manoj, This is really a helpful post regarding the GPO settings for MBAM. "Configure TPM startup PIN: Require startup PIN with TPM" will prompt the user for a PIN before starting the encryption process, but only if the OS has already been deployed. These GPOs work well on a running OS. But what if one wants to implement BitLocker through MBAM with OSD through SCCM? I had tried the step with the GPO setting "TPM only" and it worked for me. The machine gets encrypted with the image captured with all the GPO settings (as GPOs will not get applied during the OSD until and unless the machine gets logged in). What I want to ask is how I can set the PIN for the BitLocker scenario with MBAM during OSD. We can reset the GPOs to "TPM and PIN" after OSD, but how will the encryption process proceed, as the machine has already been encrypted with the GPO "TPM only" during OSD? Does the machine have to go through the process of decryption first, and then it will get encrypted with the new GPO settings, or is there some other alternative? Thanks Gaurav Ranjan
June 30th, 2012 3:12am

Gaurav, Once you change the GPO to TPM + PIN, we will prompt the user to enter the PIN and once he clicks Next, we change the protector from TPM to TPM + PIN. In this case we do not have to do any encryption as the volume was already encrypted with TPM. I hope this helps. Manoj Sehgal
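The protector swap described in the answer above (TPM-only replaced by TPM+PIN, with no re-encryption) can be verified on a client after the GPO change. The following is an added example, not code from the thread or from MBAM; it assumes the BitLocker PowerShell module (Get-BitLockerVolume, available on Windows 8 / Server 2012 and later) and an elevated session, and the function name Test-OsDriveProtectors is made up for this illustration.

```powershell
# Added example (not from the thread or MBAM). Checks that the OS volume
# matches the policy discussed above: a TpmPin protector is present, the
# TPM-only protector is gone, and a RecoveryPassword exists for MBAM to escrow.
function Test-OsDriveProtectors {
    param(
        [string]$MountPoint = $env:SystemDrive,   # normally "C:"
        [switch]$RequirePin                       # set when GPO is TPM + PIN
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasTpmOnly  = $types -contains 'Tpm'
    $hasTpmPin   = $types -contains 'TpmPin'
    $hasRecovery = $types -contains 'RecoveryPassword'

    $findings = @()
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "volume status is $($vol.VolumeStatus), not FullyEncrypted"
    }
    if ($RequirePin -and -not $hasTpmPin) {
        $findings += 'policy requires TPM + PIN but no TpmPin protector is present'
    }
    if ($RequirePin -and $hasTpmOnly) {
        # The old TPM-only protector would still unlock the drive without a PIN.
        $findings += 'a TPM-only protector is still present alongside the policy'
    }
    if (-not $hasRecovery) {
        $findings += 'no RecoveryPassword protector; MBAM has nothing to escrow'
    }

    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        VolumeStatus = $vol.VolumeStatus.ToString()
        Protectors   = ($types -join ', ')
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Usage: after the TPM + PIN GPO has applied and the user has set a PIN.
Test-OsDriveProtectors -RequirePin | Format-List
```

A result with Compliant = False and a finding about a remaining TPM-only protector means the client has not yet completed the protector change the answer describes.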
July 3rd, 2012 11:37pm
