Posted by: kurtsh | February 24, 2020

PREVIEW: NEW BitLocker Management settings in Endpoint Configuration Manager TP2002


[I totally stole this from Panu Saukko and I’m so sorry.]

But he’s totally right. The new Microsoft BitLocker Administration & Monitoring (MBAM) settings available in Microsoft Endpoint Manager Configuration Manager (MEMCM) TP2002 are CRAZY.

The number of controls has skyrocketed. This is a great time to investigate managing BitLocker enterprise-wide with Config Manager!

Improvements to BitLocker management

The BitLocker management policy now includes additional settings, including policies for fixed and removable drives:

  • Global policy settings on the Setup page:

    • Prevent memory overwrite on restart
    • Validate smart card certificate usage rule compliance
    • Organization unique identifiers
  • OS drive settings:

    • Allow enhanced PINS for startup
    • Operating system drive password policy
    • Reset platform validation data after BitLocker recovery
    • Pre-boot recovery message and URL
    • Encryption policy enforcement settings
  • Fixed drive settings:

    • Fixed data drive encryption
    • Deny write access to fixed drives not protected by BitLocker
    • Allow access to BitLocker fixed data drives from earlier versions of Windows
    • Fixed data drive password policy
    • Encryption policy enforcement settings
  • Removable drive settings:

    • Removable drive data encryption
    • Deny write access to removable drives not protected by BitLocker
    • Allow access to BitLocker protected removable drives not protected by BitLocker
    • Removable drive password policy
  • Client management settings:

    • User exemption policy
    • Customer experience improvement program

For more information on these settings, see the MBAM documentation.
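The policy settings above decide what the client ends up enforcing, so it helps to be able to read the resulting posture back from a managed device per drive class (OS, fixed, removable). The script below is an added example, not code from this post, from Microsoft, or from the MECM product: it uses the real `Get-BitLockerVolume` and `Get-Volume` cmdlets to report encryption and protector state per volume, and reads the `FDVDenyWriteAccess` / `RDVDenyWriteAccess` values under the `HKLM:\SOFTWARE\Policies\Microsoft\FVE` key. That registry location is where the equivalent Group Policy "deny write access" settings land; that the MECM-applied policy ends up in the same key on your build is an assumption to confirm on a test client. Run it in an elevated session on a Windows 10/11 device.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the post): summarize the BitLocker posture that the
# OS / fixed / removable drive policies above govern, plus the deny-write flags.

function Get-BitLockerPostureReport {
    [CmdletBinding()]
    param()

    # Map each drive letter to its Storage-module drive type (Fixed / Removable).
    $driveTypes = @{}
    foreach ($vol in Get-Volume | Where-Object { $_.DriveLetter }) {
        $driveTypes["$($vol.DriveLetter):"] = [string]$vol.DriveType
    }

    foreach ($blv in Get-BitLockerVolume) {
        # The OS volume is identified by VolumeType; data volumes are split into
        # fixed and removable using the drive type looked up above.
        $class = switch ([string]$blv.VolumeType) {
            'OperatingSystem' { 'OS' }
            default {
                if ($driveTypes[$blv.MountPoint] -eq 'Removable') { 'Removable' } else { 'Fixed' }
            }
        }

        $protectorTypes = @($blv.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        [pscustomobject]@{
            MountPoint          = $blv.MountPoint
            Class               = $class
            VolumeStatus        = [string]$blv.VolumeStatus
            ProtectionStatus    = [string]$blv.ProtectionStatus
            EncryptionMethod    = [string]$blv.EncryptionMethod
            KeyProtectors       = ($protectorTypes -join ',')
            # Recovery key escrow (the MBAM/MECM part) needs a RecoveryPassword protector.
            HasRecoveryPassword = ($protectorTypes -contains 'RecoveryPassword')
        }
    }
}

function Get-FveDenyWritePolicy {
    # Assumption: the "Deny write access to ... drives not protected by BitLocker"
    # policies are written to the same FVE policy key the Group Policy versions use.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent   = ($null -ne $props)
        FixedDenyWrite     = ($props.FDVDenyWriteAccess -eq 1)
        RemovableDenyWrite = ($props.RDVDenyWriteAccess -eq 1)
    }
}

$report = Get-BitLockerPostureReport
$report | Format-Table -AutoSize

# Gaps a reviewer would want surfaced: unprotected volumes of any class, and OS
# volumes without a recovery password protector (nothing for MECM to escrow).
$report | Where-Object { $_.ProtectionStatus -ne 'On' } |
    ForEach-Object { Write-Warning "$($_.MountPoint) ($($_.Class)) is not protected by BitLocker" }
$report | Where-Object { $_.Class -eq 'OS' -and -not $_.HasRecoveryPassword } |
    ForEach-Object { Write-Warning "$($_.MountPoint) has no RecoveryPassword protector" }

Get-FveDenyWritePolicy | Format-List
```

The report is plain objects, so it can be exported (`Export-Csv`) or fed to a compliance baseline script; the warnings are the conditions that the fixed/removable "deny write access" and the OS drive policies are there to prevent.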

Read the following for docs on TP2002:

