MBAM: Exempt a user from BitLocker settings for Removable Drive

    Question

  • I created a GPO called "BitLocker Settings" and configured MBAM Settings for Removable Drive and applied them to Computers in a test OU. As users insert any Flash Drive into these systems in the test OU, they get prompted to encrypt the Flash Drive. This is the desired config I need.

    I now need to have the ability to "exempt" some users from this policy. I created another GPO - "BitLocker Exemptions" - and enabled the user setting User Configuration/Policies/Administrative Templates/Windows Components/MDOP MBAM (BitLocker Management)/
    Allow the user to be exempted from BitLocker encryption: Enabled. I applied security filtering to apply this setting to only the test group.

    It seemed to work the first time, but since then it keeps prompting me to encrypt the drive. I can see in the registry and the MBAM log that the "user is exempt from encryption": HKCU\Software\Policies\Microsoft\FVE\MDOPBitLockermanagement\IsUserExempted = 1

    Is there anything else I need to configure?

    Wednesday, March 13, 2013 9:05 PM

Answers

All replies

  • Hi,

    Please check the GPO.

    Client Management \ Enable Configure user exemption policy.

    Run gpupdate /force on the client. Then run gpresult /v on the client to verify that the GPO for MBAM has been applied.

    Note: If the computer is already BitLocker-protected, the user exemption policy has no effect.

    More information, please see:

    How to Manage User BitLocker Encryption Exemptions

    Tracy Cai
    TechNet Community Support

    Thursday, March 14, 2013 3:03 AM
    Moderator
  • Hi Tracy,
    I have read the link. Allow "Configure User Exemption Policy" is Enabled. I need to point out that, I'm not using encryption of Hard Disk. I only enabled Removable Disk encryption ( this is for a VDI environment).
    I was hoping that User Exemption Policy will override the Computer policy. In page 20 of "MBAM Client Timers.pdf" document, it states that "Removable drives are only processed in the context of active user session".

    Am I missing something? Is User Exemption only for Fixed drives, and not for Removable drives?

    These are the MBAM registry settings for Computer and User

    Computer:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement]
    "ShouldEncryptOSDrive"=dword:00000000
    "AllowHardwareCompatibilityChecking"=dword:00000000
    "UseMBAMServices"=dword:00000001
    "UseKeyRecoveryService"=dword:00000001
    "UseStatusReportingService"=dword:00000001
    "KeyRecoveryServiceEndPoint"=hex(2):6.....
    "KeyRecoveryOptions"=dword:00000001
    "ClientWakeupFrequency"=dword:00000001
    "StatusReportingServiceEndpoint"=hex(2):68,....
    "StatusReportingFrequency"=dword:0000005a
    "AllowUserExemption"=dword:00000001
    "MaxTimeToGetUserExemption"=dword:00000001
    "UserExemptionMessageType"=dword:00000000
    "UserExemptionMessage"="mailto:test@abc.com?subject=Request exemption from BitLocker protection"

    User:
    [HKEY_CURRENT_USER\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement]
    "IsUserExempted"=dword:00000001


    Thursday, March 14, 2013 2:18 PM
  • Hi, can anyone confirm if "User Exemption is only for Fixed drives, and not for Removable drives"? If it's also for Removable drives, what is the configuration?

    Thanks in advance
    Mano

    Friday, March 15, 2013 1:11 PM
    • Proposed as answer by yun24 Monday, March 18, 2013 6:46 AM
    • Marked as answer by tracycaiModerator Thursday, March 21, 2013 8:23 AM
    Monday, March 18, 2013 6:45 AM
  • Came across this site which gave me the registry keys that affect the removable drives. Some of the entries were kind of dated, but it gave me the gist of what was going on.

    https://blogs.technet.microsoft.com/askpfeplat/2013/06/09/how-to-enable-user-based-controlenforcement-of-bitlocker-on-removable-data-drives/

    What I ended up doing was this: under the exemption GPO, under User Configuration, I added two Registry DWORD values under HKLM\System\CurrentControlSet\Policies\Microsoft\FVE:
    RDVDenyWriteAccess and FDVDenyWriteAccess, both set to 0.

    For clarity, the exemption GPO is USER configurations only, and is security filtered to my security group that has all of my exempted users in it.

    I know this is late, but it's working fantastic for me!

    Friday, August 5, 2016 6:43 PM
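    The following diagnostic script is an added example and is not from any post in this thread. It reads, on a client, the values the posters quote above (the MBAM computer-policy value AllowUserExemption, the per-user IsUserExempted flag, and the FVE RDVDenyWriteAccess/FDVDenyWriteAccess values that the last reply clears for exempt users) and prints a verdict for removable drives inserted in the current user's session, followed by the BitLocker state of any removable volume currently attached. The registry paths and value names are the ones quoted in the thread; the way the verdict combines them is an assumption drawn from the thread's outcome, not documented MBAM behaviour, so compare it with the MBAM client log and gpresult /v output. Get-Volume and Get-BitLockerVolume require Windows 8 / Server 2012 or later with the BitLocker module available.

```powershell
# Added diagnostic script (not from any post in this thread). Paths and value names are
# the ones quoted by the posters; the verdict logic at the end is an assumption drawn
# from the thread's outcome, not documented MBAM behaviour.

$MbamMachineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$MbamUserKey    = 'HKCU:\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$FvePolicyKey   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FVE'

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Format-Value ($v) { if ($null -eq $v) { '<not configured>' } else { $v } }

$allowExemption = Get-PolicyDword $MbamMachineKey 'AllowUserExemption'
$isUserExempted = Get-PolicyDword $MbamUserKey    'IsUserExempted'
$rdvDenyWrite   = Get-PolicyDword $FvePolicyKey   'RDVDenyWriteAccess'
$fdvDenyWrite   = Get-PolicyDword $FvePolicyKey   'FDVDenyWriteAccess'

'{0,-32} {1}' -f 'AllowUserExemption (HKLM)', (Format-Value $allowExemption)
'{0,-32} {1}' -f 'IsUserExempted (HKCU)',     (Format-Value $isUserExempted)
'{0,-32} {1}' -f 'RDVDenyWriteAccess (HKLM)', (Format-Value $rdvDenyWrite)
'{0,-32} {1}' -f 'FDVDenyWriteAccess (HKLM)', (Format-Value $fdvDenyWrite)

# Verdict for removable drives in the current user's session. Assumption based on the
# thread: the MBAM exemption flag alone did not stop the prompt, while clearing the FVE
# deny-write values for the exempt user's session did.
if ($allowExemption -ne 1) {
    'Computer policy does not allow user exemption (AllowUserExemption is not 1).'
} elseif ($isUserExempted -ne 1) {
    'This user is not exempted (IsUserExempted is not 1); removable drives will be enforced.'
} elseif ($rdvDenyWrite -eq 1) {
    'User is exempted by MBAM, but RDVDenyWriteAccess=1 still applies to unencrypted removable drives.'
} else {
    'User is exempted and no deny-write policy is set for removable drives.'
}

# Removable volumes attached right now and their BitLocker state, so the policy values
# above can be compared with what the user actually sees.
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
    $mount = "$($_.DriveLetter):"
    $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
    if ($bl) {
        '{0} {1} protection={2} status={3}' -f $mount, $_.FileSystemLabel, $bl.ProtectionStatus, $bl.VolumeStatus
    } else {
        '{0} {1} (BitLocker status unavailable)' -f $mount, $_.FileSystemLabel
    }
}
```

    Run it in the affected user's session after gpupdate /force; because the HKCU value is per user, running it from an administrative session of a different account will not show that user's IsUserExempted flag.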