Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. With the MBAM, you can configure Group Policies that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. Kindly refer to the following similar guides on BitLocker. How to view BitLocker disk encryption status in Windows, how to backup existing and new BitLocker recovery keys to Active Directory, BitLocker Drive Encryption architecture and implementation types on Windows, how to fix missing BitLocker Recovery Tab in Active Directory Users and Computers, and how to enable or disable BitLocker Drive Encryption on Windows 10 and Virtual Machines.
If you have implemented MBAM in your environment, there isn’t a need to have the default BitLocker exposed to users. In this guide, I will be describing how to hide the BitLocker Drive Encryption Control Panel item, which appears by default on the Control Panel as part of the Windows operating system
When MBAM is implemented as described in this guide “How to deploy Microsoft BitLocker Administration and Monitoring Tool“, Microsoft BitLocker Administration and Monitoring (MBAM) creates an additional, custom Control Panel item, called BitLocker Encryption Options, which enables end-users to manage their PIN and password, turn on BitLocker for a drive, and check the encryption. The following table lists the tasks you can perform from each Control Panel item and describes how these items are created.
BitLocker Encryption Options (MBAM) | BitLocker Drive Encryption (Windows) | |
|---|---|---|
| Tasks you can do | – Change your PIN or password – Check encryption status for a drive – Open the TPM Management console – Turn on BitLocker | – Suspend protection for a drive – Back up your recovery key – Change your PINTurn off BitLocker for a drive – Turn on BitLocker for a drive – Open the TPM Management console – Decrypt a drive (appears only if the MBAM Client is NOT installed) |
| How the Control Panel item is created | Created in Control Panel when you install the MBAM Client. This item cannot be hidden. Note: This item appears in addition to, but does not replace, the default BitLocker Drive Encryption Control Panel item. | Appears by default in Control Panel as part of the Windows operating system, but you can hide it. |
Because the BitLocker Encryption Options do not replace BitLocker Drive Encryption, I will be showing you how to quickly disable it via GPO. You may want to see the following articles as well. Why use RSAT? How to Install RSAT on Windows 10, Remote Server Administration Tools: To install RSAT on Windows Server, and what is Group Policy Object and how can it be launched in Windows.
Hide the default BitLocker Drive Encryption item in Control Panel
Launch the Server Manager and click on Tools and then on Group Policy Management as shown below
This will open the Group Policy Management snap-in (console). I already have a Group Policy Object Created for MBAM. I will be editing this
In the “Group Policy Management Editor” or in “Advanced Group Policy Management”, or the Local Group Policy Editor on the BitLocker Group Policies computer. Then browse to the following locations below.
– Expand the User configuration
– Click on Policies,
– Click on Administrative Templates
– Click on Control Panel
In the Details pane, double-click and select Hide specified Control Panel items, and then
– Click on Enabled.
Click Show, click Add, and then type Microsoft.BitLockerDriveEncryption
Click on OK to complete the entire process.
This policy hides the default Windows BitLocker Management tool from the Windows Control Panel and allows the user to open the updated MBAM BitLocker Encryption Options tool from the Windows Control Panel. See the hyperlink for the difference between GPUpdate and GPUpdate /force if you wish the policy to take effect immediately.
Do not change the Group Policy settings in the BitLocker Drive Encryption node. If you do, MBAM will not work correctly. When you configure the Group Policy settings in the MDOP MBAM (BitLocker Management) node, MBAM automatically configures the BitLocker Drive Encryption settings for you.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.