Simplify BitLocker Administration and Monitoring with MBAM (beta)

Written by Mark Farrugia, Senior Microsoft Premier Field Engineer.

MBAM Logo Please note that the following post is all based on beta software, and all features are subject to possible change upon official release.

I have done a number of posts around BitLocker, and today I would like to add one more.  Some of my previous articles include:

I have spoken about BitLocker, The Trusted Platform Module and managing BitLocker through Active Directory group policy.  The one component we have not spoken about is compliance reporting and operations of BitLocker.

Microsoft BitLocker Administration and Monitoring (MBAM)

An enterprise needs a method to report on the status of BitLocker at any given time for compliance auditing, and the helpdesk team needs an easy interface for BitLocker recovery.  Microsoft recognized that there was a gap in its offering, and has stepped up with the Microsoft BitLocker Administration & Monitoring (MBAM).  MBAM is a client server application that eases the deployment and provisioning of BitLocker on Windows 7 machines, stores the recovery key in an encrypted SQL Server table and provides regular timed updates for compliance reporting.

There are five major components to the architecture for MBAM which are:

  • Administration and Monitoring Server
  • Compliance and Audit Reports Server
  • Recovery and Hardware Database Server
  • Compliance Status Database Server

MBAM Client Software (x86 and x64)Architectural and sizing guidance for this product is still forthcoming, but in early builds like this one it is recommended that separate servers are deployed for each server role.  As the number of clients connecting to any given role increases into the thousands, scaling out each role begins to make a lot of sense.

The MBAM Interface

The interface that operational staff and report users will use is web based, and will use Windows Integrated Authentication to provide a seamless single sign on experience for the user.

 BitLocker Administration & Monitoring main page

The interface made up of four tasks along the left pane allow for Reports, Drive Recovery, Manage TPM and Hardware management.  Each of these tasks can be delegated through the following local security groups:

MBAM task delegation security groups

Each of the tasks above can be mapped as follows:

    Task Security Group
Reports MBAM Report Users
Drive Recovery MBAM Helpdesk Users, MBAM Advanced Helpdesk Users
Manage TPM MBAM Helpdesk Users, MBAM Advanced Helpdesk Users
Hardware MBAM Hardware Users


It is recommended that similar Active Directory Groups be created and nested within the local groups for easier enterprise management.

The interface for each task is just as simple to use as the tool itself.

MBAM Reports

Reports contains the four out of box reports, and provides a starting point for the reporting any enterprise needs to get itself going.  Since the reports are built on SQL Server Reporting Services, you can also create your own custom reports that show you just the information you need.

Compliance and Audit Reports


MBAM Drive Recovery

Drive Recovery will allow MBAM to retrieve the drive recovery key based on the first eight digits of the recovery key ID that will be displayed when BitLocker cannot unlock the system volume.  The helpdesk  will also need to input the domain and username alias of the user requesting the recovery key.

 MBAM Drive Recovery


MBAM:  Managing TPM Nodes

The Manage TPM node option will allow the operations team to quickly provide a TPM owner file to the user after they have unlocked their volume, and allow them to manage their TPM chip locally.

Manage TPM Node

MBAM: Managing Hardware

The Hardware node option will list all discovered hardware that has been reported back by the deployed MBAM agents.  It will list make, model, BIOS make, BIOS level, TPM chip manufacturer and TPM chip type.  The hardware administrator will have the option to state whether or not a specific make and model type is BitLocker capable based on the data gathered by the MBAM agent software.

How to get the MBAM beta software

MBAM is estimated to be released in the third quarter of 2011, but  If you are interested in trying out the product sooner, download the beta today at (Windows Live ID required).

    Comments (0)

    Skip to main content