Bitlocker and MBAM Group Policy
I am in the process of setting up BitLocker on all office computers, using an MBAM server to store the keys and Group Policy to manage it. I have set up a server with MBAM and installed the MBAM client software on a test computer. But while configuring Group Policy, I'm a little confused. Under Computer Configuration there are settings for both BitLocker and MDOP MBAM and they are more or less the same. Which one do I use, or do I use both?
Hi,
Please check out these links:
How to Edit MBAM 1.0 GPO Settings
http://technet.microsoft.com/en-us/library/jj571495.aspx
Planning for MBAM 1.0 Group Policy Requirements
http://technet.microsoft.com/en-us/library/jj571500.aspx
Tracy Cai
TechNet Community Support
Similar Messages
-
I am trying to install and configure MBAM 2.0. I have installed all of the components on two separate servers. Server 1 has SCCM 2012 integration and GPO policy templates. Server two has the rest. When I load Group Policy Management the templates do not appear. I have manually extracted and copied the templates in the local policy definitions and still nothing. Any ideas?
By default the Group Policy Management console will look for templates at a central SYSVOL location (a so-called central store). Likely you have a PolicyDefinitions folder in \\domain.com\sysvol\domain.com\Policies, and then you need to add the MBAM ADMX and ADML files to that location to be able to see those settings when managing group policies. The reason for this is that the central store has precedence over local group policy templates.
Blogging about Windows for IT pros at
www.theexperienceblog.com -
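The reply above says the fix is to put the MBAM ADMX/ADML files into the central store, because once that store exists GPMC ignores the local PolicyDefinitions folder. The following PowerShell is an added example, not code from the thread or from Microsoft; the domain name contoso.com, the source folder C:\MBAM-Templates\PolicyDefinitions and the language en-US are assumptions you replace with your own values. It creates the store if needed, copies the templates, and checks that every .admx has a matching .adml, which is the usual reason a template silently fails to show up.

```powershell
# Added example (not from the thread): publish MBAM ADMX/ADML templates to the
# Group Policy central store and verify that the store is complete.
# Assumptions (hypothetical values): domain contoso.com, templates extracted to
# C:\MBAM-Templates\PolicyDefinitions, language folder en-US.
param(
    [string]$Domain    = 'contoso.com',
    [string]$SourceDir = 'C:\MBAM-Templates\PolicyDefinitions',
    [string]$Language  = 'en-US'
)

$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$LangStore    = Join-Path $CentralStore $Language

# 1. Create the central store if it does not exist yet. Once this folder exists,
#    GPMC stops reading %SystemRoot%\PolicyDefinitions on the management machine
#    and reads only the central store, so every template you rely on must be here.
foreach ($dir in $CentralStore, $LangStore) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# 2. Copy the language-neutral .admx files and the matching .adml files.
Get-ChildItem -Path $SourceDir -Filter '*.admx' |
    Copy-Item -Destination $CentralStore -Force
Get-ChildItem -Path (Join-Path $SourceDir $Language) -Filter '*.adml' |
    Copy-Item -Destination $LangStore -Force

# 3. Verify: every .admx needs an .adml in the language folder, otherwise GPMC
#    reports a parse error for that template and hides its settings.
$missing = foreach ($admx in Get-ChildItem $CentralStore -Filter '*.admx') {
    $adml = Join-Path $LangStore ($admx.BaseName + '.adml')
    if (-not (Test-Path $adml)) { $admx.Name }
}
if ($missing) {
    Write-Warning "Templates without a $Language .adml: $($missing -join ', ')"
} else {
    Write-Host "Central store at $CentralStore is complete for $Language."
}

# 4. List the BitLocker/MBAM templates now visible to GPMC (the filter is only a
#    substring match on whatever file names the MBAM installer shipped).
Get-ChildItem $CentralStore -Filter '*.admx' |
    Where-Object Name -match 'MBAM|BitLocker' |
    Select-Object Name, LastWriteTime
```

After running it, hovering over "Administrative Templates" in GPMC should say the policy definitions are retrieved from the central store rather than from the local machine; if it still says local machine, GPMC is not looking at the SYSVOL path you populated.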
BitLocker - Conflict with Group Policy
Hi;
I am using BitLocker on my Win 8.1 Pro, and it works OK when I encrypt my C: drive. I configured my computer to prompt for a PIN when I turn it on by using the following settings in Group Policy for "Require additional authentication at startup".
Configure TPM startup: Allow TPM
Configure TPM startup PIN: Require startup PIN with TPM
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup key and PIN : Allow startup key and PIN with TPM
I tried it and rebooted my computer; it works fine and the computer prompts me for the PIN after reboot. However, when I tried to encrypt my USB key or another E: drive partition, I got the error below. I tried to disable my group policy but it did not help.
"The group policy settings for BitLocker startup options are in conflict and cannot be applied."
KW - CNE, MCSE, VCP5
Hi KANE.W,
For the BitLocker Group Policy setting "Require additional authentication at startup", a conflict arises if one authentication method is required while other methods are still allowed.
Based on your description, I suppose that in "Require additional authentication at startup" you chose to require an additional authentication method; in that case the other authentication methods cannot be set to "Allow".
For more information about conflicts of BitLocker group policy
https://technet.microsoft.com/en-us/library/jj679890.aspx?f=255&MSPPError=-2147217396#BKMK_unlockpol1
Regards
D. Wu -
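The rule D. Wu states (one method set to "Require" means the others cannot stay at "Allow") can be checked on the client against the values the policy actually delivered, which is quicker than re-reading the GPO editor. The script below is an added example, not code from the thread or from Microsoft. It assumes the policy lands in the documented registry location HKLM\SOFTWARE\Policies\Microsoft\FVE, where each option is a DWORD with 0 = Do not allow, 1 = Require, 2 = Allow; if your environment differs, adjust the path. It first evaluates the exact four-line combination from the question, then a non-conflicting one, then whatever the local machine has.

```powershell
# Added example (not from the thread): inspect the BitLocker "Require additional
# authentication at startup" values the client received and flag the combination
# that produces "policy settings ... are in conflict".
# Assumption: policy registry location HKLM\SOFTWARE\Policies\Microsoft\FVE,
# DWORD values 0 = Do not allow, 1 = Require, 2 = Allow.
$FvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$Options   = 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN'
$Label     = @{ 0 = 'Do not allow'; 1 = 'Require'; 2 = 'Allow' }

function Test-BitLockerStartupPolicy {
    param([hashtable]$Values)   # option name -> 0/1/2
    $required = @($Values.Keys | Where-Object { $Values[$_] -eq 1 })
    $allowed  = @($Values.Keys | Where-Object { $Values[$_] -eq 2 })
    [pscustomobject]@{
        Required = $required
        Allowed  = $allowed
        # Rule from the reply: once any method is "Require", every other method
        # must be "Do not allow"; "Allow" alongside a "Require" is the conflict.
        Conflict = ($required.Count -gt 0 -and $allowed.Count -gt 0)
    }
}

# The combination from the question (constructed from its four policy lines):
# TPM allowed, PIN required, startup key allowed, key+PIN allowed.
Test-BitLockerStartupPolicy -Values @{ UseTPM = 2; UseTPMPIN = 1; UseTPMKey = 2; UseTPMKeyPIN = 2 }

# A "TPM + PIN required" configuration with the other methods set to Do not allow.
Test-BitLockerStartupPolicy -Values @{ UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0 }

# Now the live values on this machine (absent values mean "Not configured").
$live = @{}
if (Test-Path $FvePolicy) {
    $item = Get-ItemProperty -Path $FvePolicy
    foreach ($o in $Options) {
        if ($null -ne $item.$o) { $live[$o] = [int]$item.$o }
    }
}
foreach ($o in $Options) {
    if ($live.ContainsKey($o)) { '{0,-14} {1}' -f $o, $Label[$live[$o]] }
}
$result = Test-BitLockerStartupPolicy -Values $live
if ($result.Conflict) {
    $msg = "Conflict: {0} is required while {1} is still allowed; set the allowed methods to 'Do not allow' or change the required one to 'Allow'." -f
           ($result.Required -join ', '), ($result.Allowed -join ', ')
    Write-Warning $msg
} else {
    'No startup-authentication conflict in the applied policy.'
}
```

The first call reports a conflict (PIN required, the other three allowed), the second does not; that is the difference between the question's settings and a working "TPM + PIN" policy.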
The first, most important question of this thread is if I can form a wireless domain or if I have to do it wired.
If it matters, I have a Linksys E1200 router that does wireless and wired.
My second question refers to Group Policy. Is this the way domains limit their user accounts' capabilities? Because I was planning on making a domain, so that I could have unified user accounts that I could control from the server, limiting what those accounts can access for further security. Is this what Group Policy does, and how would I get started with that?
Hi Adrian,
>>The first, most important question of this thread is if I can form a wireless domain or if I have to do it wired.
Just as Alan suggested, Active Directory domains support both wired and wireless connections.
>>My second question refers to Group Policy. Is this the way domains limit their user account's capabilities?
Group Policy is an infrastructure that allows you to implement specific configurations for users and computers. Group Policy settings are contained in Group Policy objects
(GPOs), which are linked to the following Active Directory directory service containers: sites, domains, or organizational units (OUs). The settings within GPOs are then evaluated by the affected targets, using the hierarchical nature of Active Directory.
Consequently, Group Policy is one of the top reasons to deploy Active Directory because it allows you to manage user and computer objects.
Regarding group policy, the following link and articles can be referred to for more information.
Group Policy for Beginners
http://technet.microsoft.com/en-us/library/hh147307(v=WS.10).aspx
Group Policy Planning and Deployment Guide
http://technet.microsoft.com/en-us/library/cc754948(v=WS.10).aspx
Group Policy
http://technet.microsoft.com/en-us/windowsserver/bb310732.aspx
Best regards,
Frank Shen -
Mail for exchange and domain group policy removing...
Hi,
I currently administer 2 domains, both server 2003 with exchange 2003. On the one domain I can configure any of our e series ( e51/e71/e72/e6) via MFE and permanently accept the untrusted SSL certificate. When I configure MFE to our other domain the option to accept the untrusted certificate has vanished..!
Anyone have any ideas? I'm sure that it's a group policy setting but I cannot spot it!
turbominor wrote:
No certificates have been generated bar the ones that exchange installed by default
Hmm, I don't recall ever realizing that. Lol. In that case, what are you using as a root certificate? Nothing...which explains why the cert is untrusted? (As connections to your first Exchange server work normally, apparently you don't need a root cert for a secure connection?) I used to get mine from http://www.cacert.org/ and installed the root cert either manually or through a device management server.
I wasn't completely sure where I was going with my question, but just did a few web searches. Apparently Symbian phones don't like installing self-signed certificates. "Accepting a certificate permanently" does install the cert, although I'm not sure that's quite the same thing. You might skim http://discussions.nokia.com/t5/Eseries-and-Communicators/E72-Email-Accept-Certificate-Permanently/m... in case any of that is relevant. -
SBL and Windows group policy user configuration preference
We would like to have user connects to VPN via SBL and then login to the AD domain. Ideally, the group policy user configuration preference, such as drive mapping, should be applied after successful AD login. However, we are running into issue where the preferences are not being applied. It appears the AnyConnect VPN tunnel is not completely established after the user login to AD; and hence the GPO preference was not able to apply. It takes about 1 min.after the user's AD login before the VPN tunnel is completely established.
Just want to find out if anyone is able to get SBL and AD GPO preferences working successfully.
Originally Posted by twiggy
Tbreeden - thanks for your note, yes I am aware of the apply button - but you are right, it's not really noticeable unless you know to look for it.
Rroncme - I am using 32-bit. We don't have any Vista machines but Win7 is supposed to be supported. I've created other policies using Win7 and they saved just fine/applied fine too. Thanks for your thoughts, I appreciate it.
Anyone else had success with 32-bit Win7 building an IE policy?
Well there is a TID 7005804 about IE policy failures but don't know if the bug applies to your situation...
Policy failures in Terminal Sessions on Windows Server 2003 and Windows Server 2008
Thomas -
ADM template for office and AD - Group policy
Hi,
I need to enforce English (UK) as the editing language in office application (2010 & 2013).
I have downloaded the ADM template saved it on C drive on the AD server.
Then I loaded the ADM template for Office into a GPO which I created on a test basis and added an AD user to it.
On the template I enabled the setting for primary editing language as English (UK) .
On the client side, when I open an Office application, e.g. Outlook or Word, I can still see English (US) as the set language.
What am I doing wrong?
Also, how do I use the ADMX template? Because when I try to browse and add its template from the GPO editor, the window shows blank.
Hi,
From Windows 2008 R2 on, the current version of Administrative Template files is the ADMX format. The GPMC displays these settings under the Administrative Templates node.
However, the GPMC still recognizes ADM files and displays these settings under the Classic Administrative Templates node, which is a child node of Administrative Templates.
Checkout the below link on installing ADM files,
Add or Remove Classic Administrative Templates
Checkout the below on adding the Office 2010 ADMX files in to GPMC,
Adding the admx files from Office 2010 admin templates into your GPMC
Regards,
Gopi
JiJi
Technologies -
Difference between domain controllers and group policy objects in GPMC
Hello,
I am confused; can someone tell me the difference between
1. Domain Controllers > Default Domain Controllers Policy and
2. Group Policy Objects > Default Domain Controllers Policy
in the Group Policy Management Console? I would also like to know where to define these categories. I normally use the second option.
I have attached screenshot for your information.
regards,
Dharanesh
The first/upper item is a link to the GPO, the second/lower item is the actual GPO.
(Notice the link has a shortcut arrow showing.)
By default, when you double-click on a link, a message will display which says "You have clicked on a link..." and the message box offers a checkbox for "Do not display this message again...".
Effectively they are equivalent to a shortcut-to-a-file vs. the actual file.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Windows 8.1 Group Policy based Wireless Profiles do not appear to be working
I'm wondering if anyone else out there has run into the same issue as I am seeing. The environment is all Server 2012(not R2), with Windows 8.1 clients.
I configure a GPO that is linked to the entire domain/authenticated users and contains a Windows Vista and Later wireless network profile. Let's call it "GPO_Wireless". It is configured to automatically connect to a specific SSID; the encryption settings are unimportant, as I've tried numerous approaches. In our case, we're trying to do EAP-TLS with the NPS role. We have the CA rolled out, NPS has a proper cert, and the clients are auto-enrolling for both Computer and User certs. This is all verified as working. We've also tried straight password authentication.
I refresh group policy on a Windows 8.1 client and see that Computer Policy "GPO_Wireless" is being applied to the client. I restart the computer, but it does not connect to the wireless network.
I run "netsh wlan show profiles" and under "Group Policy Profiles(read only)" it is blank.
I run gpresult /r /scope computer again, and it shows "GPO_Wireless" is being applied.
The last note is that Windows 7 clients can connect to the wireless just fine.
Hi,
For the client side, I would like to know whether the Windows 7 clients you mentioned use the same Group Policy as Windows 8.1.
Meanwhile, I suggest you try using a script as a workaround.
Regards,
Kelvin hsu
TechNet Community Support -
Windows 2008 R2 - Group Policy Preference - folder option "Open with" Access denied
Similar to this post:
social.technet.microsoft.com/Forums/en-US/d42a81bc-96de-4af3-bc41-079e88e6ea4a
We have Citrix terminal servers running Windows 2008 R2 and attempting to force PDF files to open with Acrobat versus PDF editing software we have installed for a small subset of users. So I created a Group Policy Preference and added a OpenWith item
to the Folder Options to use Acrobat as the default and linked it to a Users OU. However, if I run gpresult the OpenWith setting fails with error code 0x80070005. You can change it to not run in the user's security context which eliminates the
error but then it won't actually do anything.
The problem seems to be that when a user sets another program as their default via Windows Explorer the permissions on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\UserChoice get changed so that the user is specifically
denied the ability to set that key. Remove the special permissions added and the group policy succeeds and changes it back to the default ... until the user changes it back (intentionally or otherwise) and the permissions are changed again.
Any ideas here?
> Any ideas here?
We use GPP Registry to achieve this goal, so we do not run into that issue (we unchecked "run in user's context", so privileges are not an issue).
But I agree, this really should work as intended...
Martin
Time to read a GOOD book about GPOs?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
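The 0x80070005 in this thread comes from a Deny ACE that Explorer places on the user's UserChoice key when the user picks a handler themselves; a preference item running in the user's context then cannot rewrite it. The script below is an added example, not code from the thread, to make that visible before deciding on the GPP Registry route Martin describes. It assumes it runs in the affected user's session and takes the extension as a parameter (.pdf from the thread is the default).

```powershell
# Added example (not from the thread): show the Deny ACE on the per-user UserChoice
# key that makes a GPP "Open With" item fail with 0x80070005 (access denied).
# Assumption: run in the affected user's session; extension defaults to .pdf.
function Get-UserChoiceDenyAce {
    param([string]$Extension = '.pdf')
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$Extension\UserChoice"
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Extension = $Extension; Exists = $false; ProgId = $null; DenyAces = @() }
    }
    # Get-Acl works on registry provider paths and returns RegistryAccessRule entries.
    $acl  = Get-Acl -Path $key
    $deny = $acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object {
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Rights    = $_.RegistryRights
                Inherited = $_.IsInherited
            }
        }
    [pscustomobject]@{
        Extension = $Extension
        Exists    = $true
        ProgId    = (Get-ItemProperty -Path $key).ProgId   # current user-chosen handler
        DenyAces  = @($deny)
    }
}

$info = Get-UserChoiceDenyAce -Extension '.pdf'
$info | Format-List
if ($info.DenyAces.Count -gt 0) {
    Write-Warning ("A GPP Folder Options item running in this user's context will get " +
                   "0x80070005 on $($info.Extension); deliver the association through a " +
                   "GPP Registry item that does not run in the user's context instead.")
}
```

Typically the Deny entry names the user's own SID with "SetValue" rights and is not inherited; that is the entry the question describes being re-added every time the user changes the default again.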
Problem Pushing Printer Preferences through Group Policy
Most of the time, networked printers that we push through group policy preferences show up just fine on our clients (Windows 7). About 1 in 10 computers fail however, and it's driving me up the wall! The computer that fails is not consistent, meaning I can
reboot a computer and the printer then shows up correctly. It may not, however, a week later. Fairly random. Looking through the application event log, I uncovered this:
The user 'myprinter' preference item in the 'mygrouppolicy {7EDE8A14-773C-4E43-93AE-050240E0B204}' Group Policy object did not apply because it failed with error code '0x800706ba The RPC server is unavailable.' This error was suppressed.
Again, this error does not occur all the time, though if I reboot a large group of computers, it will definitely show up on 1 or 2 of them. At this point, I'm looking for any suggestions for a next step. Thanks!
-Peter
Hello Modab,
If you reboot the server the printer is redeployed properly. It is possible that when the printer is deployed the network is still not ready, so the RPC error pops up. Please try the following suggestions:
1. Disable the Fast Logon feature. Enable the [Computer Configuration \ Administrative Templates \ System \ Logon \ Always wait for the network at computer startup and logon] group policy.
Logon Optimization
http://msdn.microsoft.com/en-us/library/aa374350(VS.85).aspx
Description of the Windows XP Professional Fast Logon Optimization feature
http://support.microsoft.com/kb/305293/en-us
2. Group policy application issue may occur because of Gigabit NIC. Please try the suggestions in the following steps and KB.
a. To prevent your network adapter from detecting the link state (for Windows Vista/7):
Run the following commands one by one:
netsh interface ipv4 set global dhcpmediasense=disabled
netsh interface ipv6 set global dhcpmediasense=disabled
For Windows XP, you can see
http://support.microsoft.com/kb/239924
b. Contact the vendor of the network card or visit their web site to obtain updated drivers for the Gigabit NIC.
Examples of NICs known to exhibit this issue:
- Broadcom Gigabit Adapter
- Intel Gigabit Ethernet PRO Adapter, Intel Pro/1000
- Intel 82544EI-based XT Gigabit Adapter (82540EM chipset)
- Compaq/HP NIC dual interface 10/100/1000 doing teaming (HP NC7170)
- Dell Inspiron laptops using an on-board Broadcom BCM4401 NIC
c. A server may have a Dual Port NIC or multiple NICs with one port or NIC set to Disabled. The disabled port or NIC should not be at the top of the binding order in the Network Advanced Properties.
1. Click Start, point to Settings, and then click "Network and Dial-up Connection".
2. On the Advanced menu, click "Advanced Settings".
3. On the "Adapters and Bindings" tab, in the connections list, select the NIC that the clients use to connect to the server and move it to the top of the list.
d. Turning off STP can cause issues in your network if a loop ever develops. If you are running a Cisco Series switch or any other switch that runs Spanning Tree, it is best to leave spanning tree turned on, but enable PORTFAST on all the ports except uplink and fiber trunks.
326152 Cannot connect to domain controller and cannot apply Group Policy with Gigabit Ethernet devices
http://support.microsoft.com/default.aspx?scid=kb;EN-US;326152
3. Remove all 3rd-party software such as firewall software.
4. Set a registry value to delay the application of Group Policy.
http://support.microsoft.com/kb/2421599
http://support.microsoft.com/kb/840669
Brent Hu,
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. -
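Before applying the suggestions above fleet-wide it helps to know which machines actually log the 0x800706ba preference failure and whether they already wait for the network at logon. The script below is an added example, not code from the thread or from Microsoft. It assumes remote event-log and remote-registry access to the listed computers, and that the "Always wait for the network at computer startup and logon" policy is represented by the SyncForegroundPolicy value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon; the computer names are whatever you pass in.

```powershell
# Added example (not from the thread): find GPP items that failed with 0x800706ba
# (RPC server unavailable) in the Application log, and check whether the
# "Always wait for the network" policy is in effect on those computers.
# Assumptions: remote event log and remote registry reachable; SyncForegroundPolicy
# under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon is the
# registry value behind that policy.
param([string[]]$ComputerName = @($env:COMPUTERNAME), [int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

function Get-GppRpcFailures {
    param([string]$Computer)
    $filter = @{ LogName = 'Application'; StartTime = $since; Level = 2, 3 }  # error, warning
    try {
        Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.Message -match '0x800706ba' -and $_.Message -match 'preference item' } |
            ForEach-Object {
                # Pull the item and GPO names out of the message text quoted in the question.
                $item = if ($_.Message -match "The user '(?<item>[^']+)' preference item") { $Matches.item }
                $gpo  = if ($_.Message -match "in the '(?<gpo>[^']+)' Group Policy object") { $Matches.gpo }
                [pscustomobject]@{ Computer = $Computer; Time = $_.TimeCreated; Item = $item; GPO = $gpo }
            }
    } catch { Write-Warning "$Computer : $($_.Exception.Message)" }
}

function Get-WaitForNetworkSetting {
    param([string]$Computer)
    $path = 'SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key  = $hklm.OpenSubKey($path)
        $val  = if ($key) { $key.GetValue('SyncForegroundPolicy') }
        [pscustomobject]@{ Computer = $Computer; AlwaysWaitForNetwork = ($val -eq 1) }
    } catch { Write-Warning "$Computer : $($_.Exception.Message)" }
}

$failures = foreach ($c in $ComputerName) { Get-GppRpcFailures -Computer $c }

# One row per computer: how often it failed and which printer items were affected.
$failures | Group-Object Computer |
    Select-Object Name, Count, @{ n = 'Items'; e = { ($_.Group.Item | Sort-Object -Unique) -join ', ' } }

# Computers that logged the error but do not wait for the network are the first
# candidates for suggestion 1 (disable Fast Logon optimization).
foreach ($c in ($failures.Computer | Sort-Object -Unique)) {
    Get-WaitForNetworkSetting -Computer $c
}
```

Because the original event says the error "was suppressed", it only appears as a warning in the Application log, which is why the filter includes level 3 as well as level 2.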
How to control IE10's "Compatibility View settings" via Group Policy
First of all thanks for taking the time to read this. I must let you know that I have limited experience with Group Policy so here it goes...
Domain Controllers are 2008 R2 Datacenter and client computers are Win7 Pro with IE10
I need to add several sites to the "Compatibility View settings" in IE10 and have these pushed out via Group Policy.
I followed this to enable the "Use Policy List of Internet Explorer 7 sites:"
Use Policy List of Internet Explorer 7 sites
I even added the settings to both User Configuration as well as Computer Configuration. However the computers on the domain wouldn't show these sites in
IE even after forcing a GP update (gpupdate /force)
Yes I did use top level domain names.
Next I installed the Administrative Templates for Windows Internet Explorer 10 on the DC:
Administrative Templates for Windows Internet Explorer 10
this gave me an Inetres.adm file while I put in the same location as my other .adm files that Group Policy Manager sees (located at C:\Windows\SYSVOL\domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Adm)
I do see a bunch of .ADMX files located at C:\Windows\PolicyDefinitions
on the DC. I also see a lot of .ADML files located at C:\Windows\PolicyDefinitions\en-US.
Where is my Central Store located that my Group Policy references? How do I know what location GP is reading from?
Now I installed the Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7 from here:
Administrative Templates (ADMX) for Windows Server 2008 R2 and Windows 7
This gave me a "Win7-2008R2-admx.msi" package that I installed. I took the defaults and extracted contents to:
C:\Windows\PolicyDefinitions\Server 2008 Win7\PolicyDefinitions
Are all of these .ADMX files supposed to be placed into my Central Store?
If I mouse over "Administrative Templates" in Group Policy Manager it says that the policy definitions are retrieved from the local machine.
I then right-clicked on top of "Administrative Templates" in Group Policy Manager, highlighted Inetres and selected Delete.
While in Add/Remove Templates I click on Add and it defaults to looking for "Policy Templates" and will not let me select any .ADM/.ADML/.ADMX files.
What am I doing wrong here?
How do I know that I'm using the most recent Inetres file?
How do I know which file Group Policy Manager is using to manage the IE settings that are in:
User Configuration->Administrative Templates->Windows Components->Internet Explorer->Compatibility View->Use Policy List of Internet
Explorer 7 sites
or
Computer Configuration->Administrative Templates->Windows Components->Internet Explorer->Compatibility View->Use Policy List of
Internet Explorer 7 sites.
Is there anything else you can suggest?
Many, many thanks in advance for any response
Hi,
Regarding your question, usually we create a Central Store for Administrative Templates (both .admx and .adml files) by creating a folder named PolicyDefinitions in the following location: \\FQDN\SYSVOL\FQDN\policies. The .adml files on the Windows computer
are stored in a language-specific folder. For example, English (United States) .adml files are stored in a folder that is named "en-US." When you have copied all .admx and .adml files, the PolicyDefinitions folder on the domain controller should contain the
.admx files and one or more folders that contain language-specific .adml files.
Please refer to the following articles. You will get more helpful details about the Central Store for Group Policy Administrative Template files.
How to create the Central Store for Group Policy Administrative Template files in Windows Vista
http://support.microsoft.com/kb/929841
Windows 7, Windows Server 2008 R2 and the Group Policy Central Store
http://blogs.technet.com/b/askds/archive/2009/12/09/windows-7-windows-server-2008-r2-and-the-group-policy-central-store.aspx
Based on your description, I understand you enabled the setting “Use Policy List of Internet Explorer 7 sites”. However, the client didn’t show any sites in IE even after forcing a GP update (gpupdate /force). Please use the command “gpresult” on the clients to collect the applied GPOs, and then check whether the GPO containing the setting “Use Policy List of Internet Explorer 7 sites” was applied to the clients or not.
In addition, you also can change the related setting by using registry directly.
Follow the registry path:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList (create the registry keys manually if not present).
Right-click PolicyList -> New -> String Value -> enter the name of the website, both under ‘Name’ and ‘Data’ (for example, Value name: example.com, Value data: example.com).
There is a similar question, please read as a reference.
Add manually URL on Compatibility View List in IE10
http://social.msdn.microsoft.com/Forums/ie/en-US/5a15e861-d106-471e-a968-fdea15e31c45/add-manually-url-on-compatibility-view-list-in-ie10
Hope this helps.
Best regards,
Justin Gu -
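Justin's answer gives the registry location that "Use Policy List of Internet Explorer 7 sites" writes to. The script below is an added example, not code from the thread or from Microsoft, showing the same value written two ways: directly into the current user's hive for a quick test on one client, and into a GPO with Set-GPRegistryValue so it arrives the way the policy setting would. It assumes the GroupPolicy RSAT module is present where the GPO function runs, and the site names and the GPO name 'IE Compat View' are constructed placeholders. The last function is the check the answer asks for: did the list actually arrive on the client?

```powershell
# Added example (not from the thread): the registry form of "Use Policy List of
# Internet Explorer 7 sites", written locally for a test and via a GPO, plus a check
# that the list arrived on the client. Site names and GPO name are constructed.
$Sites      = 'intranet.example.com', 'legacyapp.example.com'   # constructed sample
$PolicyList = 'Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList'

# Way 1: local test in the current user's hive, exactly as the answer describes
# (value name and value data are both the host name).
function Set-CompatViewPolicyList {
    param([string[]]$Site)
    $key = "HKCU:\$PolicyList"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($s in $Site) {
        New-ItemProperty -Path $key -Name $s -Value $s -PropertyType String -Force | Out-Null
    }
    (Get-Item $key).Property    # return the list now present so the caller can confirm
}

# Way 2: the same values carried by a GPO, which is what the policy setting writes.
function Set-CompatViewGpo {
    param([string]$GpoName, [string[]]$Site)
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($s in $Site) {
        Set-GPRegistryValue -Name $GpoName -Key "HKCU\$PolicyList" `
            -ValueName $s -Type String -Value $s | Out-Null
    }
    Get-GPRegistryValue -Name $GpoName -Key "HKCU\$PolicyList" |
        Select-Object ValueName, Value
}

# Diagnostic for the client: which expected sites are present in the policy key?
function Test-CompatViewApplied {
    param([string[]]$Expected)
    $key     = "HKCU:\$PolicyList"
    $present = if (Test-Path $key) { (Get-Item $key).Property } else { @() }
    foreach ($e in $Expected) {
        [pscustomobject]@{ Site = $e; Applied = ($present -contains $e) }
    }
}

Set-CompatViewPolicyList -Site $Sites
Test-CompatViewApplied -Expected $Sites
# On a machine with GPMC: Set-CompatViewGpo -GpoName 'IE Compat View' -Site $Sites
```

Run Test-CompatViewApplied on a client after gpupdate /force: if a site shows Applied = False while gpresult lists the GPO as applied, the GPO is linked but the setting inside it is not configured, which matches the symptom in the question.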
Windows 2008 R2 group policy not applied on some of the computers
Dear All,
I have Windows 2008 R2 as domain controller and configured group policy. When I change an existing group policy, most of the computers are not affected by the updated policy.
Is there any server or any other method required to configure?
Every time I need to update group policy manually on the computers.
Please help.
SUNIL PATEL, SYSTEM ADMINISTRATOR
You have an issue with AD DS replication. Ensure all domain controllers are in sync.
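The one-line reply points at replication. A quick way to confirm that is to read the GPO's version numbers from every domain controller: each GPO has an AD part and a SYSVOL part, and clients that pick up a DC where either lags keep running the old policy. The script below is an added example, not code from the thread or from Microsoft; it assumes the GroupPolicy and ActiveDirectory RSAT modules, and the GPO name is only an illustration.

```powershell
# Added example (not from the thread): compare a GPO's AD and SYSVOL version numbers
# across all domain controllers to confirm or rule out a replication problem.
# Assumptions: GroupPolicy and ActiveDirectory modules available; GPO name illustrative.
param([string]$GpoName = 'Default Domain Policy')
Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

function Get-GpoVersionPerDc {
    param([string]$Name)
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $gpo = Get-GPO -Name $Name -Server $dc.HostName -ErrorAction Stop
            [pscustomobject]@{
                DC             = $dc.HostName
                UserDS         = $gpo.User.DSVersion        # AD copy, user half
                UserSysvol     = $gpo.User.SysvolVersion    # SYSVOL copy, user half
                ComputerDS     = $gpo.Computer.DSVersion
                ComputerSysvol = $gpo.Computer.SysvolVersion
                Modified       = $gpo.ModificationTime
            }
        } catch {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

function Test-GpoInSync {
    param([object[]]$Rows)
    # AD and SYSVOL disagree on the same DC: SYSVOL (FRS/DFSR) replication lags AD.
    $adSysvolMismatch = @($Rows | Where-Object {
        $_.UserDS -ne $_.UserSysvol -or $_.ComputerDS -ne $_.ComputerSysvol })
    # DCs disagree with each other: AD replication has not converged yet.
    $dcsDisagree = (@($Rows | Group-Object UserDS, ComputerDS)).Count -gt 1
    [pscustomobject]@{
        AdSysvolMismatchOn = @($adSysvolMismatch | ForEach-Object DC)
        DcsDisagree        = $dcsDisagree
        InSync             = (-not $dcsDisagree -and $adSysvolMismatch.Count -eq 0)
    }
}

$rows = @(Get-GpoVersionPerDc -Name $GpoName)
$rows | Format-Table -AutoSize
Test-GpoInSync -Rows $rows
```

If DcsDisagree is true, the DC with the lower numbers is the one to investigate with repadmin; if only AdSysvolMismatchOn is populated, AD replicated but SYSVOL did not, which points at FRS/DFSR rather than AD DS replication itself.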
-
Adding Internet shortcut favourites using Server 2012 R2 Group Policy Manager
Hi there,
I wonder could someone help me!
Up until recently we have been using the User Policies/Windows Settings/Internet Explorer Maintenance/URLs/Favourites and Links Group Policy in Windows Server 2008 R2, but now within Server 2012 R2 that option doesn’t seem to be available.
If I however click on the GPO that is currently in place that has favourites specified and click on the Setting tab it generates the report showing the old /Internet Explorer Maintenance/URLs/Favourites and Links Group policy but with I click Edit on the
GPO it doesn’t show me the /Internet Explorer Maintenance/URLs/Favourites and Links Group policy to allow me to add more favourites.
From reading online I see that that /Internet Explorer Maintenance/URLs/Favourites and Links Group policy has been dropped in Server 2012 with the IEAK but this seems to need to be downloaded and installed I assume on a DC which I’m reluctant to do.
I notice there something called the Policy Preferences Administrators tool that should allow me to set favourites but I’m not sure how to use that or even where to get it – it is a feature in Server 2012?
Sorry for all of the info above! All I want to do is within Server 2012 R2 edit an existing Windows 2008 R2 group policy and add new shortcuts to that policy so they are pushed out.
Any help or guidance would be greatly appreciated!
Thanks,
Bonemister
Hi Frank,
Thanks very much for your reply!
Ok, method 1 seems to be a good way for what I am looking to achieve in terms of providing shortcuts, however, could you clarify a couple of things for me please: -
Does method 1 create a shortcut within Internet Explorer that is accessible by all users when they click on the favourites tab or is it a desktop shortcut?
At present there are no shortcuts specified within User Configuration -> Preferences -> Windows Settings -> Shortcuts so I presume the current shortcuts are currently still being delivered via the settings within IEM.
If that is the case I don’t then want to remove the IEM from the GP reporting tools. The question is, can I keep the current policy that seems to be delivering our shortcuts and just use
User Configuration -> Preferences -> Windows Settings -> Shortcuts to add any new shortcuts that we need – would there be any issue with having both GPOs operating or would there be any issues introducing shortcuts alongside the IEM
settings?
Thanks again for your help!
Bonemister
Method #1, is more of a problem-fix, rather than a solution-for-how-to-do-it-from-now-on. This method would only really be needed, if you have a dysfunctional IEM-GPO, causing issues.
GPP is the way you need to adopt, because even Windows7 is affected by the IEM-removal if you upgrade IE to IE10 or newer (regardless of the Windows Server version you are using).
The recommendation is that you create some new GPOs for transitioning away from IEM over to GPP, test those, and then deploy those and remove your older GPOs that were using IEM, this would complete your transition away from IEM.
Don
(Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!) -
Multiple AD Group Policy Screen Lock Policies
I am looking to have multiple screen lock policies, one for X minutes and one for Y minutes. Is this possible, and how can I configure this?
Yes you can do this. A few ways are possible. From memory the screen saver policy is user based rather than computer based.
You can create two GPOs and configure the screensaver setting you want in both. Then you can do one of two things.
1. apply each policy to a different OU where the users reside
2. Create two security groups, one for each GPO. Then remove the Authenticated Users group from the GPO security settings and add your new security group to the GPO and give it Read and Apply Group Policy. Then add your users to whichever group you want.
Apply the GPOs to either a user OU or the domain level, whichever works best.
Regards,
Denis Cooper
MCITP EA - MCT
Help keep the forums tidy, if this has helped please mark it as an answer
My Blog
LinkedIn:
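Denis's option 2 (two GPOs, filtered by security group) can be scripted end to end. The script below is an added example, not code from the thread or from Microsoft; it assumes the GroupPolicy RSAT module, and the GPO names, group names and target OU are hypothetical. The timeouts are passed in seconds because that is what the ScreenSaveTimeOut value takes. One deliberate difference from the reply: instead of removing Authenticated Users entirely, the example reduces it to Read, because since the MS16-072 change user GPOs are retrieved in the computer's security context and the GPO is skipped if the computer cannot read it.

```powershell
# Added example (not from the thread): two screen-lock GPOs with different timeouts,
# delivered by security-group filtering. Assumptions: GroupPolicy module; GPO names,
# group names and OU are hypothetical; timeouts in seconds.
param(
    [int]$ShortTimeoutSeconds = 300,
    [int]$LongTimeoutSeconds  = 900,
    [string]$TargetOu = 'OU=Users,DC=example,DC=com'
)
Import-Module GroupPolicy -ErrorAction Stop

function New-ScreenLockGpo {
    param([string]$Name, [string]$Group, [int]$TimeoutSeconds)
    # Screen-saver policy is a user setting, hence the HKCU policy key.
    $key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name }

    # Enable the screen saver, require the password on resume, set the timeout.
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'ScreenSaveActive'    -Type String -Value '1' | Out-Null
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'ScreenSaverIsSecure' -Type String -Value '1' | Out-Null
    Set-GPRegistryValue -Name $Name -Key $key -ValueName 'ScreenSaveTimeOut'   -Type String -Value "$TimeoutSeconds" | Out-Null

    # Security filtering: only members of $Group get Apply; Authenticated Users keeps
    # Read so the computer account can still retrieve the GPO (MS16-072 behaviour).
    Set-GPPermission -Name $Name -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $Name -TargetName $Group -TargetType Group -PermissionLevel GpoApply | Out-Null
    $gpo
}

function Add-ScreenLockGpoLink {
    param([string]$Name, [string]$Target)
    $linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $linked) { New-GPLink -Name $Name -Target $Target -LinkEnabled Yes | Out-Null }
}

$short = New-ScreenLockGpo -Name 'ScreenLock-Short' -Group 'GPO-ScreenLock-Short' -TimeoutSeconds $ShortTimeoutSeconds
$long  = New-ScreenLockGpo -Name 'ScreenLock-Long'  -Group 'GPO-ScreenLock-Long'  -TimeoutSeconds $LongTimeoutSeconds
Add-ScreenLockGpoLink -Name $short.DisplayName -Target $TargetOu
Add-ScreenLockGpoLink -Name $long.DisplayName  -Target $TargetOu

# Show the resulting filtering. Keep the two groups disjoint: a user in both gets
# whichever GPO wins by link order, not necessarily the shorter timeout.
foreach ($n in 'ScreenLock-Short', 'ScreenLock-Long') {
    Get-GPPermission -Name $n -All | Where-Object Permission -in 'GpoApply', 'GpoRead' |
        Select-Object @{ n = 'GPO'; e = { $n } }, @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}
```

After the users are placed in the groups, gpresult /r /scope user on a client should list exactly one of the two GPOs under applied objects and the other under filtered-out (security), which is the quickest confirmation that the filtering works.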