Configure MBAM services
Note: If MBAM is configured to run with Microsoft Configuration Manager, disable the "MBAM Status reporting service" and leave the "MBAM Status reporting service end point" blank. This information is managed in Microsoft Configuration Manager.
This policy setting allows you to manage the key recovery service backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key information.
The URL for MBAM Recovery service endpoint is
http(s)://
The URL for MBAM Status reporting service endpoint is
http(s)://
Replace the server name and port number on above URL based on the installation of the MBAM.
BitLocker recovery information includes the recovery password and some unique identifier data. You can also select to include a package that contains a BitLocker protected drive's encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted.
This policy setting manages how often the client will check the BitLocker protection policies and status on the client machine.
This policy setting allows you to manage the compliance and status information to be saved at report server location. This provides an administrative method of generating a compliance and status report.
This policy setting allows you to manage the frequency of the compliance and status information to be reported to the report service.
The frequency is every 1 minute to 2880 minutes (48 hours). The default for the client to check status is 90 minutes and the default for status reporting is 720 minutes. Frequency values smaller than the defaults will increase network and server utilization and could limit the number of clients MBAM can process.
If you enable this policy setting, key recovery info will be automatically and silently backed up to the configured key recovery server location and status report will be automatically and silently sent to configured report server location.
If you disable or do not configure this policy setting, the key recovery and the status report information will not be saved.
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | UseMBAMServices |
| Value Type | REG_DWORD |
| Enabled Value | 1 |
| Disabled Value | 0 |
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | UseKeyRecoveryService |
| Value Type | REG_DWORD |
| Value | 1 |
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | KeyRecoveryServiceEndPoint |
| Value Type | REG_EXPAND_SZ |
| Default Value |
- Recovery password only
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name KeyRecoveryOptions Value Type REG_DWORD Value 0 - Recovery password and key package
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name KeyRecoveryOptions Value Type REG_DWORD Value 1
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | ClientWakeupFrequency |
| Value Type | REG_DWORD |
| Default Value | 90 |
| Min Value | 1 |
| Max Value | 2880 |
- Disabled
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name UseStatusReportingService Value Type REG_DWORD Value 0 - Enabled
Registry Hive HKEY_LOCAL_MACHINE Registry Path SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement Value Name UseStatusReportingService Value Type REG_DWORD Value 1
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | StatusReportingServiceEndpoint |
| Value Type | REG_EXPAND_SZ |
| Default Value |
| Registry Hive | HKEY_LOCAL_MACHINE |
| Registry Path | Software\Policies\Microsoft\FVE\MDOPBitLockerManagement |
| Value Name | StatusReportingFrequency |
| Value Type | REG_DWORD |
| Default Value | 720 |
| Min Value | 1 |
| Max Value | 2880 |
bitlockermanagement.admx
- System
- App-V
- CEIP
- Client Coexistence
- Integration
- Publishing
- Reporting
- Scripting
- Streaming
- Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection
- Certificate Filter For Client SSL
- Enable Support for BranchCache
- Location Provider
- Package Installation Root
- Package Source Root
- Reestablishment Interval
- Reestablishment Retries
- Require Publish As Admin
- Specify what to load in background (aka AutoLoad)
- Verify certificate revocation list
- Virtualization
- App-V
- Windows Components
- MDOP MBAM (BitLocker Management)
- Client Management
- Fixed Drive
- Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
- Choose how BitLocker-protected fixed drives can be recovered
- Configure use of passwords for fixed data drives
- Deny write access to fixed drives not protected by BitLocker
- Encryption Policy Enforcement Settings
- Fixed data drive encryption settings
- Operating System Drive
- Allow enhanced PINs for startup
- Choose how BitLocker-protected operating system drives can be recovered
- Configure pre-boot recovery message and URL
- Configure TPM platform validation profile for BIOS-based firmware configurations
- Configure TPM platform validation profile for native UEFI firmware configurations
- Configure TPM platform validation profile
- Configure use of passwords for operating system drives
- Encryption Policy Enforcement Settings
- Operating system drive encryption settings
- Reset platform validation data after BitLocker recovery
- Use enhanced Boot Configuration Data validation profile
- Removable Drive
- Allow access to BitLocker-protected removable data drives from earlier versions of Windows
- Choose how BitLocker-protected removable drives can be recovered
- Configure use of passwords for removable data drives
- Control use of BitLocker on removable drives
- Deny write access to removable drives not protected by BitLocker
- Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
- Choose drive encryption method and cipher strength.
- Prevent memory overwrite on restart
- Provide the unique identifiers for your organization
- Validate smart card certificate usage rule compliance
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Calculator
- Common 2013 backup only
- Excel 2013 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Word 2013
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Word 2010
- Microsoft Word 2013
- Notepad
- OneNote 2013 backup only
- Outlook 2013 backup only
- PowerPoint 2013 backup only
- Project 2013 backup only
- Publisher 2013 backup only
- Visio 2013 backup only
- Word 2013 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Contact IT Link Text
- Contact IT URL
- Do not synchronize Windows Apps
- First Use Notification
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Settings template catalog path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Sync Unlisted Windows Apps
- Tray Icon
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications
- MDOP MBAM (BitLocker Management)
- Windows Components
- MDOP MBAM (BitLocker Management)
- Microsoft User Experience Virtualization
- Applications
- Access 2013 backup only
- Calculator
- Common 2013 backup only
- Excel 2013 backup only
- InfoPath 2013 backup only
- Internet Explorer 8
- Internet Explorer 9
- Internet Explorer 10
- Internet Explorer 11
- Internet Explorer Common Settings
- Lync 2013 backup only
- Microsoft Access 2010
- Microsoft Access 2013
- Microsoft Excel 2010
- Microsoft Excel 2013
- Microsoft InfoPath 2010
- Microsoft InfoPath 2013
- Microsoft Lync 2010
- Microsoft Lync 2013
- Microsoft Office 365 Access 2013
- Microsoft Office 365 Common 2013
- Microsoft Office 365 Excel 2013
- Microsoft Office 365 InfoPath 2013
- Microsoft Office 365 Lync 2013
- Microsoft Office 365 OneNote 2013
- Microsoft Office 365 Outlook 2013
- Microsoft Office 365 PowerPoint 2013
- Microsoft Office 365 Project 2013
- Microsoft Office 365 Publisher 2013
- Microsoft Office 365 Visio 2013
- Microsoft Office 365 Word 2013
- Microsoft Office 2010 Common Settings
- Microsoft Office 2013 Common Settings
- Microsoft Office 2013 Upload Center
- Microsoft OneDrive for Business 2013
- Microsoft OneNote 2010
- Microsoft OneNote 2013
- Microsoft Outlook 2010
- Microsoft Outlook 2013
- Microsoft PowerPoint 2010
- Microsoft PowerPoint 2013
- Microsoft Project 2010
- Microsoft Project 2013
- Microsoft Publisher 2010
- Microsoft Publisher 2013
- Microsoft Visio 2010
- Microsoft Visio 2013
- Microsoft Word 2010
- Microsoft Word 2013
- Notepad
- OneNote 2013 backup only
- Outlook 2013 backup only
- PowerPoint 2013 backup only
- Project 2013 backup only
- Publisher 2013 backup only
- Visio 2013 backup only
- Word 2013 backup only
- WordPad
- Windows Apps
- Configure Sync Method
- Do not synchronize Windows Apps
- Ping the settings storage location before sync
- Settings package size warning threshold
- Settings storage path
- Synchronization timeout
- Synchronize Windows settings
- Sync settings over metered connections even when roaming
- Sync settings over metered connections
- Use User Experience Virtualization (UE-V)
- VDI Configuration
- Applications