This document outlines two easy-to-use options for defining your AD and GPO infrastructure to deploy MBAM encryption policies to your Windows mobile laptops. The same approach can be used for Windows desktop computers, but that is not required by University policy at this time.

Option 1:  Create an AD OU Hierarchy to limit MBAM GPOs to the correct AD Computer Objects

This option is best used for simple AD and GPO setups. If you have a complex AD and GPO infrastructure with many nested OUs and/or nested GPO policies, proceed to Option 2.

  1. Create a sub OU under your WS OU called MBAM with TPM
     (screenshot: sub OU - MBAM with TPM)
  2. Create a sub OU under your WS OU called MBAM without TPM
     (screenshot: sub OU - MBAM without TPM)
  3. Link _Public-MBAM (TPM Only) to your newly created MBAM with TPM OU
     (screenshot: GPO - sub OU MBAM with TPM)
  4. Link _Public-MBAM (non-TPM) to your newly created MBAM without TPM OU
     (screenshot: GPO - sub OU MBAM without TPM)
  5. Congratulations!  Your OU and GPO infrastructure is now set up for MBAM. Move each AD computer object into the matching MBAM OU and the corresponding MBAM GPO will apply to it.

Option 2:  Utilize GPO Security filtering to limit the application of MBAM GPOs to the correct AD Computer Objects

This option is best used for complex AD and GPO setups: it lets you link both MBAM GPOs at the root of your WS OU without redesigning your existing AD and GPO infrastructure. Each MBAM GPO applies only to AD computer objects that are members of the matching AD security group; computer objects that are in neither security group receive neither GPO.

  1. Create two AD security groups
     1. Create the DEPTNAME-MBAM (TPM Enabled) group
        (screenshot: TPM Enabled AD security group)
     2. Create the DEPTNAME-MBAM (non-TPM) group
        (screenshot: non-TPM AD security group)
  2. Copy the _Public-MBAM (TPM Only) GPO and security filter it to DEPTNAME-MBAM (TPM Enabled)
     1. Copy and rename the _Public-MBAM (TPM Only) GPO to DEPTNAME-MBAM (TPM Enabled)
     2. Remove Authenticated Users from the security filter
        (screenshot: TPM Enabled - remove Authenticated Users)
     3. Add the DEPTNAME-MBAM (TPM Enabled) AD group to the security filter
        (screenshot: TPM Enabled - add DEPTNAME-MBAM (TPM Enabled))
  3. Copy the _Public-MBAM (non-TPM) GPO and security filter it to DEPTNAME-MBAM (non-TPM)
     1. Copy and rename the _Public-MBAM (non-TPM) GPO to DEPTNAME-MBAM (non-TPM)
     2. Remove Authenticated Users from the security filter
        (screenshot: non-TPM - remove Authenticated Users)
     3. Add the DEPTNAME-MBAM (non-TPM) AD group to the security filter
        (screenshot: non-TPM - add DEPTNAME-MBAM (non-TPM))
  4. Link both GPOs to your department root WS OU
     (screenshot: GPO - security filtered)
  5. Congratulations!  Your Active Directory OU and GPO infrastructure is now set up for MBAM. Add each AD computer object to the matching MBAM AD security group and the corresponding MBAM GPO will apply to it.
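The Option 2 steps above can be scripted with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT). This is an added example, not part of the original article or of MBAM itself; the department prefix, the OU distinguished names and the group OU are assumptions you must replace with your own values.

```powershell
# Added example, not part of the original article: automates Option 2 with the
# ActiveDirectory and GroupPolicy modules (RSAT). Run as an account that may
# create groups, GPOs and GPO links in the department OU.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Dept    = 'DEPTNAME'                                  # assumption: your department prefix
$WsOu    = 'OU=WS,OU=DEPTNAME,DC=example,DC=edu'       # assumption: department root WS OU (DN)
$GroupOu = 'OU=Groups,OU=DEPTNAME,DC=example,DC=edu'   # assumption: OU that holds the groups

# Each public MBAM GPO maps to a department copy filtered by a group of the same name.
$Policies = @(
    @{ Source = '_Public-MBAM (TPM Only)'; Target = "$Dept-MBAM (TPM Enabled)" }
    @{ Source = '_Public-MBAM (non-TPM)';  Target = "$Dept-MBAM (non-TPM)" }
)

foreach ($p in $Policies) {
    # Step 1: security group whose members will be the AD computer objects
    if (-not (Get-ADGroup -Filter "Name -eq '$($p.Target)'")) {
        New-ADGroup -Name $p.Target -GroupCategory Security -GroupScope Global -Path $GroupOu
    }

    # Steps 2.1 / 3.1: copy the public GPO under the department name
    if (-not (Get-GPO -Name $p.Target -ErrorAction SilentlyContinue)) {
        Copy-GPO -SourceName $p.Source -TargetName $p.Target | Out-Null
    }

    # Steps 2.2 / 3.2: drop Authenticated Users from the security filter; otherwise
    # the policy would still apply to every computer under the WS OU
    Set-GPPermission -Name $p.Target -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel None -Replace | Out-Null

    # Steps 2.3 / 3.3: the group gets Read + Apply Group Policy (GpoApply grants both)
    Set-GPPermission -Name $p.Target -TargetName $p.Target `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Step 4: link to the department root WS OU unless it is already linked there
    $linked = (Get-GPInheritance -Target $WsOu).GpoLinks | Where-Object DisplayName -eq $p.Target
    if (-not $linked) {
        New-GPLink -Name $p.Target -Target $WsOu -LinkEnabled Yes | Out-Null
    }

    # Check: list who holds Apply on the GPO; only the department group should appear
    Get-GPPermission -Name $p.Target -All |
        Where-Object { $_.Permission -eq 'GpoApply' } |
        Select-Object @{ n = 'GPO'; e = { $p.Target } }, @{ n = 'Trustee'; e = { $_.Trustee.Name } }
}
```

A computer object only picks up a new group membership when it next restarts, so a laptop added to DEPTNAME-MBAM (TPM Enabled) receives the policy after a reboot followed by a Group Policy refresh.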

How to Set Up MBAM for a Department

Article number: 103953
Last updated: May 23, 2016