Coming to MDOP: Microsoft BitLocker Administration and Monitoring

This morning on the Windows for your Business blog, we announced a new product that will come to MDOP in a future release called Microsoft BitLocker Administration and Monitoring (MBAM).  MBAM will be available through the Microsoft Desktop Optimization Pack at a future date.  A beta version will be available in March 2011. 

Microsoft BitLocker Administration and Monitoring builds on BitLocker in Windows 7 and offers an enterprise solution for BitLocker provisioning, monitoring and key recovery.  MBAM will help:

 Simplify Provisioning and Deployment

·         Integrates into existing Windows 7 deployment process: Organizations can integrate the MBAM client into their task sequence setup in System Center Configuration Manager/ Microsoft Deployment Toolkit or their other Windows 7 deployment tools.  The client then automates the encryption process as part of the deployment.

·         End Users Can Start the Encryption Process: For organizations that deploy MBAM after they have deployed Windows 7, the MBAM agent provides a standard user the ability to start the encryption process.   This enhances the BitLocker out of box experience where the end user must have administrative rights to accomplish this.

·         Target only the hardware you want to encrypt: IT Professionals can exclude hardware by make and model, making sure that only machines capable of meeting the encryption policy are encrypted.

Improve Compliance and Reporting

·         Know how compliant the organization is: Security administrators and IT Professionals can understand which machines are encrypted and meet the organizational policy through out of the box reports.

·         More secure recovery key storage: IT Professionals have an alternative to storing BitLocker recovery key information in Active Directory.  Machines with the MBAM client will send BitLocker recovery key information to an encrypted Microsoft SQL Server database.

Reduce Support Costs

·         Streamline key recovery for the help desk:  MBAM provides a web page that allows the help desk to quickly get the user’s recovery key if they get into BitLocker recovery mode.  The help desk no longer needs access to Active Directory to access BitLocker recovery keys when the organization is using MBAM.

·         Use a recovery key only once: When a recovery key is retrieved and used, the MBAM client will automatically generate a new recovery key for that PC so that the original key cannot be used to gain access to the machine again

·         Empower end users to do the basics:  MBAM allows an end user with standard user rights to perform basic BitLocker tasks like changing their PIN or start the encryption process which saves them from calling the help desk.

If you want to be notified when the MBAM beta is available, you can sign up here (Windows Live ID required).  You can also learn more about MBAM by visiting the Springboard Blog where we have posted Q&A between Stephen Rose and I where we go into more details about the product.

Comments (4)
  1. AJ,

    I'm trying to implement MBAM in my organization. I dont see to find any information perterning to MBAM hardware requirement on a Windows 2008 R2. I can go with the O/S hardware requirement but what about the database space requirement. i will really appricite if you can redirect me to the proper site or provide specs



  2. Chris Hallum says:

    Hello Angel, you’ll be happy to know that MBAM scales well and requires little disk space for storage. We document the details in the MBAM Scalability white paper which can be found at:


    Chris Hallum

    Microsoft Corporation

    Windows Client Security

  3. ML49448 says:

    I have recently been involved in having to install MBAM.  I come from a datbase perspective and was surpised to see that the installation of the databases actually stops for a period of time  the SQL Server and SQL Server Agent services during installation.   It does however restart them later on.  Why does the installed actually stop the services?  For deployment into production this could have caused a major outage if being installed on a shared database instance or service.  

    Are there any guidelines on what versions of SQL Server MBAM is supported on?

  4. Chris Hallum says:

    Hello Michael, in MBAM 1.0 setup creates a certificate such that it can encrypt the recovery DB using SQL TDE. To take advantage of this new certificate the MBAM setup implementation needed to restart the services.

    In MBAM 2.0 the design has been changed such that the services no longer need to be restarted.  

    MBAM 1.0 and 2.0 support use of the Enterprise, Datacenter, Developer editions of SQL Server 2008 and 2008 R2.


    Chris Hallum

    Microsoft Corporation

    Windows Client Security

Comments are closed.

Skip to main content