Create a computer exemption policy.

Microsoft BitLocker Administration and Monitoring (MBAM) enables you to exempt users from BitLocker Drive Encryption requirements.

This makes no sense - users are not encrypted, computers are encrypted. We need a way to exempt a computer from encryption, regardless of the user logged in.

16 votes

Robert Stein shared this idea

    2 comments

• Kim Huartson commented:

I agree 100% with Robert. We encrypt computers, not users. I would like more information on exactly which policy settings Jack is referring to when he says to set it to opposite. Is it just the settings that require drive encryption? I have tried doing that and the problem is that systems in that group show up as non-compliant in the MBAM reports. The only way to get them to show up as exempt is through the user policy, as far as I can see. But we only use computer level GPOs in our organization. There should be a computer level GPO that exempts computers from encryption and shows them as exempt in the MBAM reports.

• Jack Fetter commented:

You can already do this; simply create a GPO with the opposite (disable) settings as your existing MBAM GPO and apply AFTER (place higher in the list of applied GPOs for each applicable OU) applying the standard GPO. This new GPO is assigned (filtering) to a new AD Security Group (name it something like "BitLocker Encryption Exclude") populated by the computer accounts that you want to exclude. These machines will then be exempt from MBAM encryption policy and/or decrypt if already encrypted...
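The workaround described in the comment above, scripted with the RSAT GroupPolicy and ActiveDirectory cmdlets. This is an added example, not code from the thread or from Microsoft; the GPO name, OU, host name and the MBAM registry key/value in the Set-GPRegistryValue call are placeholders (the real MBAM setting names are not given on this page and must be taken from the MDOP ADMX templates in your environment).

```powershell
# Added example: create an "exclude from MBAM encryption" GPO, security-filter it
# to a computer group, and link it with highest precedence so it wins over the
# standard MBAM GPO. Run on a domain-joined admin host with RSAT installed.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$ExemptGroup = 'BitLocker Encryption Exclude'        # group name suggested in the thread
$ExemptGpo   = 'MBAM - Exclude from Encryption'      # hypothetical GPO name
$TargetOu    = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

# 1. Security group that will hold the computer accounts to exempt.
if (-not (Get-ADGroup -Filter "Name -eq '$ExemptGroup'")) {
    New-ADGroup -Name $ExemptGroup -GroupScope Global -GroupCategory Security
}

# 2. GPO that carries the "opposite" (disabled) MBAM settings.
$gpo = Get-GPO -Name $ExemptGpo -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $ExemptGpo }

# PLACEHOLDER: repeat once per MBAM setting your standard GPO enables, writing the
# value that disables it. Key and value names below are NOT real; look them up.
Set-GPRegistryValue -Name $ExemptGpo -Key 'HKLM\SOFTWARE\Policies\<MBAM-policy-key>' `
    -ValueName '<RequireEncryptionSetting>' -Type DWord -Value 0

# 3. Security filtering: only computers in the exempt group apply this GPO.
Set-GPPermission -Name $ExemptGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None
Set-GPPermission -Name $ExemptGpo -TargetName $ExemptGroup -TargetType Group -PermissionLevel GpoApply
# Computer accounts still need Read on the GPO to process it after MS16-072.
Set-GPPermission -Name $ExemptGpo -TargetName 'Domain Computers' -TargetType Group -PermissionLevel GpoRead

# 4. Link at the top of the link order (Order 1 = highest precedence, processed last).
New-GPLink -Name $ExemptGpo -Target $TargetOu -LinkEnabled Yes -Order 1

# 5. Verify which GPO wins on a given machine (hypothetical host name).
Get-GPResultantSetOfPolicy -Computer 'PC001' -ReportType Html -Path "$env:TEMP\rsop-PC001.html"
```

Because this only overrides the encryption requirement, machines handled this way are still evaluated by the MBAM client and, as the other comment notes, appear as non-compliant rather than exempt in the MBAM reports.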
