[I totally stole this from Panu Saukko and I’m so sorry.]
But he’s totally right. The new Microsoft BitLocker Administration & Monitoring (MBAM) settings available in Microsoft Endpoint Manager Configuration Manager (MEMCM) TP2002 are CRAZY.
The number of controls has skyrocketed. This is a great time to investigate managing BitLocker enterprise-wide with Configuration Manager!
Improvements to BitLocker management
The BitLocker management policy now includes additional settings, including policies for fixed and removable drives:
Global policy settings on the Setup page:
- Prevent memory overwrite on restart
- Validate smart card certificate usage rule compliance
- Organization unique identifiers
OS drive settings:
- Allow enhanced PINs for startup
- Operating system drive password policy
- Reset platform validation data after BitLocker recovery
- Pre-boot recovery message and URL
- Encryption policy enforcement settings
Fixed drive settings:
- Fixed data drive encryption
- Deny write access to fixed drives not protected by BitLocker
- Allow access to BitLocker fixed data drives from earlier versions of Windows
- Fixed data drive password policy
- Encryption policy enforcement settings
Removable drive settings:
- Removable drive data encryption
- Deny write access to removable drives not protected by BitLocker
- Allow access to BitLocker protected removable drives from earlier versions of Windows
- Removable drive password policy
Client management settings:
- User exemption policy
- Customer experience improvement program
For more information on these settings, see the MBAM documentation.
Read the following for docs on TP2002:
- Features in Configuration Manager technical preview version 2002
https://docs.microsoft.com/en-us/configmgr/core/get-started/2020/technical-preview-2002