Hide Default BitLocker Drive Encryption item in Windows
Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. With the MBAM, you can configure Group Policies that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise and then use them to monitor client compliance with those policies. Please see BitLocker Drive Encryption architecture and implementation types on Windows, how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.
You can also report on an individual computer’s and the enterprise’s encryption status. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes.
Kindly refer to the following similar guides on BitLocker. How to view BitLocker disk encryption status in Windows, and how to backup existing and new BitLocker recovery keys to Active Directory.
If you have implemented MBAM in your environment, there isn’t a need to have the default BitLocker exposed to users. In this guide, I will be describing how to hide the BitLocker Drive Encryption Control Panel item, which appears by default on the Control Panel as part of the Windows operating system
Enhanced Control Panel Functions with MBAM Implementation
When MBAM is implemented as described in this guide, “How to deploy Microsoft BitLocker Administration and Monitoring Tool.” Furthermore, Microsoft BitLocker Administration and Monitoring (MBAM) creates an additional, custom Control Panel item, called BitLocker Encryption Options.
It enables end-users to manage their PIN and password, turn on BitLocker for a drive, and check the encryption. The table outlines tasks for each Control Panel item and explains their creation process.
BitLocker Encryption Options (MBAM) | BitLocker Drive Encryption (Windows) | |
|---|---|---|
| Tasks you can do | – Change your PIN or password – Check encryption status for a drive – Open the TPM Management console – Turn on BitLocker | – Suspend protection for a drive – Back up your recovery key – Change your PINTurn off BitLocker for a drive – Turn on BitLocker for a drive – Open the TPM Management console – Decrypt a drive (appears only if the MBAM Client is NOT installed) |
| How the Control Panel item is created | Created in Control Panel when you install the MBAM Client. This item cannot be hidden. Note: This item appears in addition to, but does not replace, the default BitLocker Drive Encryption Control Panel item. | Appears by default in Control Panel as part of the Windows operating system, but you can hide it. |
Because the BitLocker Encryption Options do not replace BitLocker Drive Encryption, I will show you how to disable it via GPO quickly.
You may want to see the following articles as well. Why use RSAT? How to Install RSAT on Windows 10, Remote Server Administration Tools: To install RSAT on Windows Server, what is Group Policy Object and how can it be launched in Windows.
Hide the default BitLocker Drive Encryption item in the Control Panel.
Launch the Server Manager and click on Tools and Group Policy Management, as shown below.
Opening the Group Policy Management snap-in (console) provides access to the pre-created Group Policy Object designed for MBAM. We’ll modify the existing Group Policy Object to hide the Default BitLocker Drive Encryption.
In the “Group Policy Management Editor” or “Advanced Group Policy Management” or the Local Group Policy Editor on the BitLocker Group Policies computer.
Then browse to the following locations below. Expand the User configuration, and click on Policies,
– Click on Administrative Templates
– Click on Control Panel
In the Details pane, double-click and select Hide specified Control Panel items, and then click on Enabled.
Click Show, click Add, and then type Microsoft.BitLockerDriveEncryption
However, Click on OK to complete the entire process.
Nonetheless, This policy hides the default Windows BitLocker Management tool from the Windows Control Panel. Furthermore, It allows the user to open the updated MBAM BitLocker Encryption Options tool from the Windows Control Panel.
See the hyperlink for the difference between GPUpdate and GPUpdate /force if you wish the policy to take effect immediately.
Do not change the Group Policy settings in the BitLocker Drive Encryption node. If you do, MBAM will not work correctly. When you configure the Group Policy settings in the MDOP MBAM (BitLocker Management) node, MBAM automatically configures the BitLocker Drive Encryption settings for you.
FAQs to Hiding BitLocker/MBAM UI on Windows
How can you launch the MBAM Client that has been hidden by Group Policy manually?
Launch the MBAM UI directly from “C:\Program files\Microsoft\MDOP MBAM\MBAMClientUI.exe”
How can I export MBAM reports?
You can export MBAM reports to various formats, including PDF, Excel, and Word. After generating the report, use the export options available in the report viewer to choose your desired format as discussed here “mbamreports Email notifications for MBAM Enterprise and Compliance and Recovery Audit reports“. Also, see “Query MBAM to display the BitLocker Recovery report“.
If you’re interested in learning more about how to hide the Default BitLocker Drive Encryption, don’t hesitate to explore the content further. Your feedback is greatly appreciated.
I trust you’ve found value in this blog post on “Hide Default BitLocker Drive Encryption item in Windows”. If you have any inquiries, please ask in the comments section.
