Simplify BitLocker Administration and Monitoring with MBAM (beta)

Written by Mark Farrugia, Senior Microsoft Premier Field Engineer.

Please note that the following post is all based on beta software, and all features are subject to possible change upon official release.

I have done a number of posts around BitLocker, and today I would like to add one more.  Some of my previous articles include:

I have spoken about BitLocker, the Trusted Platform Module and managing BitLocker through Active Directory group policy.  The one component we have not covered is compliance reporting and day-to-day operation of BitLocker.

Microsoft BitLocker Administration and Monitoring (MBAM)

An enterprise needs a method to report on the status of BitLocker at any given time for compliance auditing, and the helpdesk team needs an easy interface for BitLocker recovery.  Microsoft recognized that there was a gap in its offering, and has stepped up with Microsoft BitLocker Administration & Monitoring (MBAM).  MBAM is a client-server application that eases the deployment and provisioning of BitLocker on Windows 7 machines, stores the recovery key in an encrypted SQL Server table and provides regular timed updates for compliance reporting.

There are five major components to the architecture for MBAM, which are:

  • Administration and Monitoring Server
  • Compliance and Audit Reports Server
  • Recovery and Hardware Database Server
  • Compliance Status Database Server
  • MBAM Client Software (x86 and x64)

Architectural and sizing guidance for this product is still forthcoming, but in early builds like this one it is recommended that separate servers are deployed for each server role.  As the number of clients connecting to any given role increases into the thousands, scaling out each role begins to make a lot of sense.

The MBAM Interface

The interface that operational staff and report users will use is web-based, and uses Windows Integrated Authentication to provide a seamless single sign-on experience for the user.

BitLocker Administration & Monitoring main page

The interface is made up of four tasks in the left pane: Reports, Drive Recovery, Manage TPM and Hardware.  Each of these tasks can be delegated through the following local security groups:

MBAM task delegation security groups

Each of the tasks above can be mapped as follows:

Task            Security group(s)
Reports         MBAM Report Users
Drive Recovery  MBAM Helpdesk Users, MBAM Advanced Helpdesk Users
Manage TPM      MBAM Helpdesk Users, MBAM Advanced Helpdesk Users
Hardware        MBAM Hardware Users

It is recommended that similar Active Directory Groups be created and nested within the local groups for easier enterprise management.
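As an added example (not code from the post or from MBAM itself), the following PowerShell script nests one Active Directory group into each of the local MBAM security groups on the Administration and Monitoring server, skips groups that are already members, and warns about any other members so that unexpected delegation stands out. The domain name CONTOSO and the AD group names on the right-hand side of the mapping are placeholders for your own naming convention.

```powershell
# Added example, not part of the original post or of MBAM itself.
# Nests one AD group into each local MBAM security group, idempotently,
# and flags any additional members for review.
# Assumptions (placeholders): domain NetBIOS name CONTOSO and the AD group
# names below; substitute the groups you create in your own directory.
$Domain  = 'CONTOSO'
$Mapping = @{
    'MBAM Report Users'            = 'MBAM-Report-Users'
    'MBAM Helpdesk Users'          = 'MBAM-Helpdesk-Users'
    'MBAM Advanced Helpdesk Users' = 'MBAM-Advanced-Helpdesk-Users'
    'MBAM Hardware Users'          = 'MBAM-Hardware-Users'
}

foreach ($localGroup in $Mapping.Keys) {
    $adGroup = $Mapping[$localGroup]
    $wanted  = "$Domain\$adGroup"
    try {
        # The WinNT ADSI provider needs no extra modules and works on the
        # Windows Server 2008 R2 era hosts the MBAM beta runs on.
        $group = [ADSI]"WinNT://$env:COMPUTERNAME/$localGroup,group"
        $null  = $group.Name   # throws if the local group does not exist
    } catch {
        Write-Warning "Local group '$localGroup' not found on this server"
        continue
    }

    # Current members as DOMAIN\Name strings so the add below is idempotent.
    $members = @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }

    if ($members -contains $wanted) {
        Write-Host "$localGroup : $wanted is already a member"
    } else {
        $group.Add("WinNT://$Domain/$adGroup,group")
        Write-Host "$localGroup : added $wanted"
    }

    # Anything beyond the intended AD group is extra delegation worth reviewing.
    $extra = @($members | Where-Object { $_ -ne $wanted })
    if ($extra.Count -gt 0) {
        Write-Warning "$localGroup also contains: $($extra -join ', ')"
    }
}
```

Run it elevated on the server that hosts the MBAM web interface. Because membership is checked before each add, the script can be re-run as part of a periodic review, and the warnings give a quick picture of who can reach recovery keys beyond the groups you intended.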

The interface for each task is just as simple to use as the tool itself.

MBAM Reports

Reports contains the four out-of-box reports and provides a starting point for the reporting any enterprise needs to get itself going.  Since the reports are built on SQL Server Reporting Services, you can also create your own custom reports that show just the information you need.

Compliance and Audit Reports


MBAM Drive Recovery

Drive Recovery allows MBAM to retrieve the drive recovery key based on the first eight digits of the recovery key ID that BitLocker displays when it cannot unlock the system volume.  The helpdesk will also need to input the domain and username alias of the user requesting the recovery key.

MBAM Drive Recovery

MBAM: Managing TPM Nodes

The Manage TPM node option allows the operations team to quickly provide a TPM owner file to the user after they have unlocked their volume, so that the user can manage their TPM chip locally.

Manage TPM Node

MBAM: Managing Hardware

The Hardware node option will list all discovered hardware that has been reported back by the deployed MBAM agents.  It will list make, model, BIOS make, BIOS level, TPM chip manufacturer and TPM chip type.  The hardware administrator will have the option to state whether or not a specific make and model type is BitLocker capable based on the data gathered by the MBAM agent software.
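As an added example (not the post's own code and not MBAM's agent), the PowerShell function below collects from WMI the same hardware facts the Hardware node lists, make, model, BIOS make, BIOS level and TPM manufacturer, together with the TPM state, so an administrator can check a machine before deciding whether that make and model should be marked BitLocker capable. The post does not define "TPM chip type", so the TPM specification version is used for it here; that choice, and the function name, are assumptions.

```powershell
# Added example, not part of the original post and not MBAM's own agent code.
# Gathers the hardware facts the MBAM Hardware node shows, plus TPM state.
# Run elevated: Win32_Tpm requires administrative rights.
function Get-BitLockerHardwareFacts {
    $cs   = Get-WmiObject -Class Win32_ComputerSystem
    $bios = Get-WmiObject -Class Win32_BIOS
    $tpm  = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                          -Class Win32_Tpm -ErrorAction SilentlyContinue

    # Win32_Tpm reports the manufacturer as a 32-bit vendor ID whose bytes are
    # ASCII (e.g. 0x49465800 decodes to "IFX"); decode it instead of showing a number.
    $vendor = $null; $spec = $null
    $enabled = $false; $activated = $false; $owned = $false
    if ($tpm) {
        $bytes = [BitConverter]::GetBytes([uint32]$tpm.ManufacturerId)
        if ([BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
        $vendor    = ([Text.Encoding]::ASCII.GetString($bytes)).Trim([char]0)
        $spec      = $tpm.SpecVersion            # assumption: used as "TPM chip type"
        $enabled   = [bool]$tpm.IsEnabled_InitialValue
        $activated = [bool]$tpm.IsActivated_InitialValue
        $owned     = [bool]$tpm.IsOwned_InitialValue
    }

    New-Object PSObject -Property @{
        ComputerName    = $cs.Name
        Make            = $cs.Manufacturer
        Model           = $cs.Model
        BiosMake        = $bios.Manufacturer
        BiosLevel       = $bios.SMBIOSBIOSVersion
        TpmPresent      = [bool]$tpm
        TpmManufacturer = $vendor
        TpmSpecVersion  = $spec
        TpmEnabled      = $enabled
        TpmActivated    = $activated
        TpmOwned        = $owned
    }
}

# Usage: list the facts for this machine in the same shape the Hardware node shows them.
Get-BitLockerHardwareFacts | Format-List
```

A TPM that is absent, or present but not enabled and activated in the BIOS, is exactly the kind of data point the hardware administrator weighs when marking a make and model as BitLocker capable, and collecting it with a script first lets you compare what a pilot machine reports against what the MBAM agent later shows in the console.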

How to get the MBAM beta software

MBAM is estimated to be released in the third quarter of 2011, but if you are interested in trying out the product sooner, you can download the beta today at https://go.microsoft.com/fwlink/?LinkId=208999 (Windows Live ID required).