Bitlocker and MBAM Group Policy

Similar Messages

• MBAM Group Policy Problems

  I am trying to install and configure MBAM 2.0. I have installed all of the components on two separate servers. Server 1 has sccm 2012
  integration and gpo policy templates. Server two has the rest. When I load Group Policy Management the templates do not appear. I have manually extracted and copied the templates in the local policy definitions and still nothing. Any ideas?

  By default the Group Policy Management console will look for templates at a central SYSVOL location (a so called central store). Likely you have a PolicyDefinitions folder in
  \\domain.com\sysvol\domain.com\Policies and then you need to add the MBAM ADMX and ADML files to that location to be able to see those settings when managing group policies. The reason for this is
  that the central store has precedence over local group policy templates.
  Blogging about Windows for IT pros at
  www.theexperienceblog.com

• BitLocker - Conflict with Group Policy

  Hi;
  I am using Bitlocker on my Win 8.1 Pro, and it works ok when I encrypt my C: drive, I configured my computer to let it prompt for PIN number when I turn on my computer by using the following setting in Group Policy for "Require additional authentication
  at startup".
  Configure TPM startup: Allow TPM
  Configure TPM startup PIN: Require startup PIN with TPM
  Configure TPM startup key: Allow startup key with TPM
  Configure TPM startup key and PIN : Allow startup key and PIN with TPM
  I tried it and reboot my computer, it works fine and the computer prompt me for the PIN number after reboot.  However; when I tried to encrypt my USB key or another E: drive partition, I got the error below.  I tried to disable my group policy
  but no help.
  "the group policy settings for BitLocker startup options are in conflict and cannot be applied."
  KW - CNE,MCSE,VCP5

  Hi KANE.W,
  For BitLocker Group Policy settings, “Require additional authentication at startup” group policy has conflicts, if one authentication method is required, the other methods cannot be allowed.
  Based on your description, I am supposing that in “require additional authentication at startup”, If you choose to require an additional authentication method, other authentication methods cannot be allowed.
  For more information about conflicts of BitLocker group policy
  https://technet.microsoft.com/en-us/library/jj679890.aspx?f=255&MSPPError=-2147217396#BKMK_unlockpol1
  Regards
  D. Wu

• Can I make a wireless Windows domain? And does Group Policy work to limit domain accounts' capabilities?

  The first, most important question of this thread is if I can form a wireless domain or if I have to do it wired.
  If it matters, I have a Linksys E1200 router that does wireless and wired.
  My second question refers to Group Policy. Is this the way domains limit their user account's capabilities? Because I was planning on making a domain, so that I could have unified user accounts that I could control from the server, limiting what those accounts
  can access for further security. Is this what Group Policy does, and how would I move with starting that?

  Hi Adrian,
  >>The first, most important question of this thread is if I can form a wireless domain or if I have to do it wired.
  Just as Alan suggested, Active Directory domains support both wired and wireless connections.
  >>My second question refers to Group Policy. Is this the way domains limit their user account's capabilities?
  Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects
  (GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs). The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature of Active Directory.
  Consequently, Group Policy is one of the top reasons to deploy Active Directory because it allows you to manage user and computer objects.
  Regarding group policy, the following link and articles can be referred to for more information.
  Group Policy for Beginners
  http://technet.microsoft.com/en-us/library/hh147307(v=WS.10).aspx
  Group Policy Planning and Deployment Guide
  http://technet.microsoft.com/en-us/library/cc754948(v=WS.10).aspx
  Group Policy
  http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
  Best regards,
  Frank Shen

• Mail for exchange and domain group policy removing...

  Hi,
  I currently administer 2 domains,  both server 2003 with exchange 2003.  On the one domain I can configure any of our e series ( e51/e71/e72/e6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
  Anyone have any ideas?  I'm sure that it's a group policy setting but I cannot spot it!

  turbominor wrote:
  No certificates have been generated bar the ones that exchange installed by default
  Hmm, I don't recall ever realizing that.  Lol.  In that case, what are you using as a root certificate?  Nothing...which explains why the cert is untrusted?  (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?)  I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
  I wasn't completely sure where I was going with my question, but just did a few web searches.  Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing.  You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant.

• SBL and Windows group policy user configuration preference

  We would like to have user connects to VPN via SBL and then login to the AD domain.  Ideally, the group policy user configuration preference, such as drive mapping, should be applied after successful AD login.  However, we are running into issue where the preferences are not being applied.  It appears the AnyConnect VPN tunnel is not completely established after the user login to AD; and hence the GPO preference was not able to apply.  It takes about 1 min.after the user's AD login before the VPN tunnel is completely established.
  Just want to find out if anyone is able to get SBL and AD GPO preference working successfully.

  Originally Posted by twiggy
  Tbreeden - thanks for ur note, yes I am aware of the apply button - but u r right, it's not really noticeable unless u know to look for it
  Rroncme - I am using 32bit. We don't have any vita machines but win7 is supposed to be supported. I've created other policies using win7 and the saved just fine/applied fine too. Thanks for ur thoughts, I appreciate it.
  Any one else haven success w 32 bit win7 -building ie policy?
  Well there is a TID 7005804 about IE policy failures but don't know if the bug applies to your situation...
  Policy failures in Terminal Sessions on Windows Server 2003 and Windows Server 2008
  Thomas

• ADM template for office and AD - Group policy

  Hi,
  I need to enforce English (UK) as the editing language in office application (2010 & 2013).
  I have downloaded the ADM template saved it on C drive on the AD server.
  Then I loaded the ADM template for office to a GOP which I created on test basis and added an AD user to it.
  On the template I enabled the setting for primary editing language as English (UK) .
  on the client side , when I open an office application eg outlook or word, I can still see English (US) as the set language.
  what am I doing wrong ?
  also how do I use the ADMX template ? because when from the GPO editor I try to browse add the its template the window show blank.

  Hi,
  From Windows 2008 R2, the current version of Administrative Template files are ADMX files. The GPMC displays these settings under the Administrative Templates node. 
  However, the GPMC still recognizes ADM files and displays these settings under the Classic Administrative Templates node, which is a child node to Administrative Templates .
  Checkout the below link on installing ADM files,
  Add or Remove Classic Administrative Templates
  Checkout the below on adding the Office 2010 ADMX files in to GPMC,
  Adding the admx files from Office 2010 admin templates into your GPMC
  Regards,
  Gopi
  JiJi
  Technologies

• Difference between domain controllers and group policy objects in GPMC

  Hello,
  Am in confusion, someone can tel me the difference between
  1.Domain controllers>default domain controller policy  and
  2.Group policy object>default domain controller policy
  In Group policy management console and also i would like know where to define these categories. I normally use second option.
  I have attached screenshot for your information.
   regards,
  Dharanesh,

  This first/upper item is a link to the GPO, the second/lower item is the actual GPO.
  (notice the link, has a shortcut arrow showing)
  by default, when you double-click on a link, a message will display which says "you have clicked on a link....." and the messagbox offers a checkbox for "do not display this message again..."
  Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Windows 8.1 Group Policy based Wireless Profiles do not appear to be working

  I'm wondering if anyone else out there has run into the same issue as I am seeing.  The environment is all Server 2012(not R2), with Windows 8.1 clients.  
  I configure a GPO that is linked to the entire domain/authenticated users and contains a Windows Vista and Later wireless network profile.  Let's call it "GPO_Wireless.  It is configured to automatically connect it to a specific SSID, the
  encryption settings are unimportant, as I've tried numerous approaches.  In our case, we're trying to do EAP-TLS with the NPS role.  We have the CA rolled out, NPS has a proper cert, and the clients are auto-enrolling for both Computer and User certs.
   This is all verified as working.  We've also tried straight password authentication.
  I refresh group policy on a Windows 8.1 client and see that Computer Policy "GPO_Wireless" is being applied to the client.  I restart the computer, but it does not connect to the wireless network.
  I run "netsh wlan show profiles" and under "Group Policy Profiles(read only)" it is blank.
  I run gpresult /r /scope computer again, and it shows "GPO_Wireless" is being applied.
  The last note is that Windows 7 clients can connect to the wireless just fine.

  Hi，
  For the client side, I would like to know if the windows 7 as you mentioned used the same Group Police like Windows 8.1.
  Meanwhile, I suggest you try using script as a workaround.
  Regards,
  Kelvin hsu
  TechNet Community Support

• Windows 2008 R2 - Group Policy Preference - folder option "Open with" Access denied

  Similar to this post:
  social.technet.microsoft.com/Forums/en-US/d42a81bc-96de-4af3-bc41-079e88e6ea4a
  We have Citrix terminal servers running Windows 2008 R2 and attempting to force PDF files to open with Acrobat versus PDF editing software we have installed for a small subset of users.  So I created a Group Policy Preference and added a OpenWith item
  to the Folder Options to use Acrobat as the default and linked it to a Users OU.  However, if I run gpresult the OpenWith setting fails with error code 0x80070005.  You can change it to not run in the user's security context which eliminates the
  error but then it won't actually do anything.
  The problem seems to be that when a user sets another program as their default via Windows Explorer the permissions on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice get changed so that the user is specifically
  denied the ability to set that key.  Remove the special permissions added and the group policy succeeds and changes it back to the default ... until the user changes it back (intentionally or otherwise) and the permissions are changed again.
  Any ideas here?

  > Any ideas here?
  We use GPP Registry to achieve this goal, so we do not run into that
  issue (we unchecked "run in users context", so privs are not an issue)
  But I agree, this really should work as intended...
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• Problem Pushing Printer Preferences through Group Policy

  Most of the time, networked printers that we push through group policy preferences show up just fine on our clients (Windows 7). About 1 in 10 computers fail however, and it's driving me up the wall! The computer that fails is not consistent, meaning I can
  reboot a computer and the printer then shows up correctly. It may not, however, a week later. Fairly random. Looking through the application event log, I uncovered this:
  The user 'myprinter' preference item in the 'mygrouppolicy {7EDE8A14-773C-4E43-93AE-050240E0B204}' Group Policy object did not apply because it failed with error code '0x800706ba The RPC server is unavailable.' This error was suppressed.
  Again, this error does not occur all the time, though if I reboot a large group of computers, it will definitely show up on 1 or 2 of them. At this point, I'm looking for any suggestions for a next step. Thanks!
  -Peter

  Hello Modab,
  If you reboot server the printer is redeployed properly. It is possible that when the printer is deployed the network is still not prepared properly so the RPC error
  is popped up.  Please try the following suggestions:
  1. Disable Fast Logon feature
  Enable the
  [Computer Configuration \ Administrative Templates \ System \ Logon \ Always wait for the network at computer startup and logon]
  group policy.
  Logon Optimization
  http://msdn.microsoft.com/en-us/library/aa374350(VS.85).aspx
  Description of the Windows XP Professional Fast Logon Optimization feature
  http://support.microsoft.com/kb/305293/en-us
  2. Group policy application issue may occur because of Gigabit NIC. Please try the suggestions in the following steps and KB.
  a.      
  To prevent your network adapter from detecting the link state(For Windows Vista/7):
  Run the following commands one by one:
  netsh interface ipv4 set global dhcpmediasense=disabled
  netsh interface ipv6 set global dhcpmediasense=disabled
  For Windows XP, you can see
  http://support.microsoft.com/kb/239924
  b.     
  Contact the vendor of the network card or visit their web site to obtain updated drivers for the Gigabit NIC.
  Examples of NICs known to exhibit this issue:
  - Broadcom Gigabit Adapter
  - Intel Gigabit Ethernet PRO Adapter, Intel Pro/1000
  - Intel 82544EI-based XT Gigabit Adapter (82540EM chipse)
  - Compaq/HP NIC dual interface 10/100/1000 doing teaming (HP NC7170)
  - Dell Inspiron laptops using an on-board Broadcom BCM4401 NIC
  c.      
  A sever may have a Dual Port NIC or multiple NIC's with one port or NIC set to Disabled. The disabled port or NIC should not be at the top of the binding order in the Network
  Advance Properties.
  1.      
  Click Start, point to Settings, and then click "Network and Dial-up Connection".
  2.      
  On the Advanced menu, click "Advanced Settings".
  3.      
  On the "Adapters and Bindings" tab, in the connections list, select the NIC that the clients use to connect to the server and move it to the top of the list.
  d.     
  Turning off STP can cause issues in your network if a loop ever develops. If you are running a Cisco Series switch or any other switch that runs Spanning Tree, it is best to
  leave spanning tree turned on, but enable PORTFAST on all the ports except uplink and fiber trunks.
  326152 Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;326152
  3.
   Remove all of 3rd-party software such as firewall software.
  4.  Set a registry value to delay the application of Group Policy.
  http://support.microsoft.com/kb/2421599
        http://support.microsoft.com/kb/840669
  Brent Hu,
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. ”

• How to control IE10's "Compatibility View settings" via Group Policy

  First
  of all thanks for taking the time to read this.  I must let you know that I have limited experience with Group Policy so here it goes...
  Domain Controllers are 2008 R2 Datacenter and client computers are Win7 Pro with IE10
  I need to add several sites to the "Compatibility View settings" in IE10 and have these pushed out via Group Policy.
  I followed this to enable the "Use Policy List of Internet Explorer 7 sites:"
  Use
  Policy List of Internet Explorer 7 sites
  I even added the settings to both User Configuration as well as Computer Configuration.  However the computers on the domain wouldn't show these sites in
  IE even after forcing a GP update (gpupdate /force)
  Yes I did use top level domain names.
  Next I installed the Administrative Templates for Windows Internet Explorer 10 on the DC:
  Administrative Templates for Windows Internet Explorer 10
  this gave me an Inetres.adm file while I put in the same location as my other .adm files that Group Policy Manager sees (located at C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm)
  I do see a bunch of .ADMX files located at C:\Windows\PolicyDefinitions
  on the DC.  I also see a lot of .ADML files located at C:\Windows\PolicyDefinitions\en-US.
  Where is my Central Store located that my Group Policy references?  How do I know what location GP is reading from?
  Now I installed the Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7 from here:
  Administrative Templates (ADMX) for Windows Server 2008 R2 and
  Windows 7
  This gave me a "Win7-2008R2-admx.msi" package that I installed.  I took the defaults and extracted contents to:
  C:\Windows\PolicyDefinitions\Server 2008 Win7\PolicyDefinitions
  Are all of these .ADMX files supposed to be placed into my Central Store?
  If I mouse-over "Administrative Templates" in Group Policy Manager is says that the policy definitions are retrieved from the local machine.
  I then right-clicked on top of "Administrative
  Templates" in Group Policy Manager and highlighted Inetres and selected Delete.
  While in Add/Remove Templates I click on Add and it defaults to looking for "Policy Templates" and will not let me select and .ADM/.ADML/.ADMX files.
  What am I doing wrong here?
  How do I know that I'm using the most recent Inetres file?
  How do I know which file Group Policy Manager is using to manage the IE settings that are in:
  User Configuration->Administrative Templates->Windows Components->Internet Explorer->Compatibility View->Use Policy List of Internet
  Explorer 7 sites
  or
  Computer Configuration->Administrative Templates->Windows Components->Internet Explorer->Compatibility View->Use Policy List of
  Internet Explorer 7 sites.
  Is there anything else you can suggest?
  Many, many thanks in advance for any response

  Hi,
  Regarding your question, usually we create a Central Store for Administrative Templates (Both .admx and .adml files), and create a folder that is named PolicyDefinitions in the following location:
  \\FQDN\SYSVOL\FQDN\policies. The .adml files on the Windows computer
  are stored in a language-specific folder. For example, English (United States) .adml files are stored in a folder that is named "en-US." When you have copied all .admx and .adml files, the PolicyDefinitions folder on the domain controller should contain the
  .admx files and one or more folders that contain language-specific .adml files.
  Please refer to the following articles. You will get more helpful details about the Central Store for Group Policy Administrative Template files.
  How to create the Central Store for Group Policy Administrative Template files in Windows Vista
  http://support.microsoft.com/kb/929841
  Windows 7, Windows Server 2008 R2 and the Group Policy Central Store
  http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx
  Based on your description, I understand you enable the setting “Use Policy List of Internet Explorer 7 sites”. However, didn’t show any sites in IE in client even after forcing a GP update
  (gpupdate /force). Please use command “gpresult” in clients to collect the GPOs, and then check whether the GPO contain the setting “Use Policy List of Internet Explorer 7 sites” was applied to clients or wasn’t.
  In addition, you also can change the related setting by using registry directly.
  Follow the path of the registry:
  HKEY_CURRENT_USER->Software->Policies->Microsoft->Internet Explorer->BrowserEmulation->PolicyList. (Create registry folders
  manually if not present)
  Right Click
  PolicyList ->New->String Value->Enter the name of the website. (Both under ‘Name’ and ‘Data’. For example,
  Value name: example.com Value data: example.com)
  There is a similar question, please read as a reference.
  Add manually URL on Compatibility View List in IE10
  http://social.msdn.microsoft.com/Forums/ie/en-US/5a15e861-d106-471e-a968-fdea15e31c45/add-manually-url-on-compatibility-view-list-in-ie10
  Hope this helps.
  Best regards,
  Justin Gu

• Windows 2008 R2 group policy not applied on some of the computers

  Dear All,
  I have windows 2008 r2 as domain controller and configured group policy. when I am changing existing group policy most of the computers not affecting with update policy.
  is there any server or any other method required to configure?
  every time i need to update group policy manually on computers.
  pls help
  SUNIL PATEL SYSTEM ADMINISTRATOR

  You have an issue with AD DS replication.Ensure all domain controllers are in sync

• Adding Internet shortcut favourites using Server 2012 R2 Group Policy Manager

  Hi there,
  I wonder could someone help me!
  Up on to recently we have been using the User Policies/Windows Settings/Internet Explorer Maintenance/URLs/Favourites and Links Group policy in Windows Server 2008 R2 but now within Server 2012 R2 that option doesn’t seem to be available.
  If I however click on the GPO that is currently in place that has favourites specified and click on the Setting tab it generates the report showing the old /Internet Explorer Maintenance/URLs/Favourites and Links Group policy but with I click Edit on the
  GPO it doesn’t show me the /Internet Explorer Maintenance/URLs/Favourites and Links Group policy to allow me to add more favourites.
  From reading online I see that that /Internet Explorer Maintenance/URLs/Favourites and Links Group policy has been dropped in Server 2012 with the IEAK but this seems to need to be downloaded and installed I assume on a DC which I’m reluctant to do.
  I notice there something called the Policy Preferences Administrators tool that should allow me to set favourites but I’m not sure how to use that or even where to get it – it is a feature in Server 2012?
  Sorry for all of the info above!  All I want to do is within Server 2012 R2 edit an existing Windows 2008 R2 group policy and add new shortcuts to that policy so they are pushed out.
  Any help or guidance would be greatly appreciated!
  Thanks,
  Bonemister  

  Hi Frank,
  Thanks very much for your reply!
  Ok, method 1 seems to be a good way for what I am looking to achieve in terms of providing shortcuts, however, could you clarify a couple of things for me please: -
  Does method 1 create a shortcut within Internet Explorer that is accessible by all users when they click on the favourites tab or is it a desktop shortcut?
  At present there are no shortcuts specified within User Configuration -> Preferences -> Windows Settings -> Shortcuts so I presume the current shortcuts are currently still being delivered via the settings within IEM. 
  If that is the case I don’t then want to remove the IEM from the GP reporting tools. The question is, can I keep the current policy that seems to be delivering our shortcuts and just use
  User Configuration -> Preferences -> Windows Settings -> Shortcuts to add any new shortcuts that we need – would there be any issue with having both GPOs operating or would there be any issues introducing shortcuts alongside the IEM
  settings?
  Thanks again for your help!
  Bonemister
  Method #1, is more of a problem-fix, rather than a solution-for-how-to-do-it-from-now-on. This method would only really be needed, if you have a dysfunctional IEM-GPO, causing issues.
  GPP is the way you need to adopt, because even Windows7 is affected by the IEM-removal if you upgrade IE to IE10 or newer (regardless of the Windows Server version you are using).
  The recommendation is that you create some new GPOs for transitioning away from IEM over to GPP, test those, and then deploy those and remove your older GPOs that were using IEM, this would complete your transition away from IEM.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Multiple AD Group Policy Screen Lock Policies

  I am looking to have multiple screen lock policies one for X minutes and one for Y minutes, is this possiable, and how can I configure this?

  Yes you can do this. A few ways are possible. From memory the screen saver policy  is user based rather than computer based. 
  You can create two GPO's and configure the screensaver setting you want in both. Then you can do one of two things.
  1. apply each policy to a different OU where the users reside
  2. create two security groups - one for each GPO. Then remove the authenticated users group from the GPO security settings and add your new security group to the GPO and give it read and apply group policy. Then add your users to which ever group you want.
  Apply the GPOs to either a user OU, or domain level - which ever works best.
  Regards,
  Denis Cooper
  MCITP EA - MCT
  Help keep the forums tidy, if this has helped please mark it as an answer
  My Blog
  LinkedIn: