BitLocker encryption can be an effective way to protect sensitive data on a desktop, yet implementing Microsoft BitLocker in the enterprise is no small undertaking. Managing encryption across many systems is a complex process that can leave users intimidated and confused, which translates into a variety of problems, management tasks and support calls.
Microsoft BitLocker Administration and Monitoring (MBAM) promises to change all that. The tool simplifies the tasks associated with managing BitLocker on Windows 7 and Windows 8 computers, including Windows To Go clients. It can also help desktop administrators enforce policy compliance and reduce the amount of resources needed to support BitLocker users.
BitLocker is a full disk encryption feature integrated into the Ultimate and Enterprise editions of Windows 7 and the Pro and Enterprise editions of Windows 8, as well as other versions of Windows. BitLocker lets admins encrypt the Windows system volume and any configured data volumes to prevent unauthorized data access.
First released in 2011, MBAM simplified the BitLocker provisioning process and delivered reports on BitLocker client compliance, in general making it easier to manage and monitor those desktops. Even so, the tool was somewhat limited in scope.
To address those limitations, Microsoft released MBAM 2.0, which adds a self-service portal for users and provides improved enforcement capabilities. MBAM 2.0 also takes advantage of new security features in Windows 8 and can now be integrated into System Center Configuration Manager.
More recently, Microsoft released the first MBAM 2.0 service pack, which further streamlines BitLocker provisioning and simplifies management.
MBAM 2.0 is part of the Microsoft Desktop Optimization Pack (MDOP), a suite of tools to help IT admins manage and control Windows desktop environments. MDOP is available as a subscription for Software Assurance customers. Microsoft provides more information about MDOP and details on how to download the software.
Understanding the MBAM components
You can install MBAM as either a standalone solution or integrated into Configuration Manager 2007 or 2012. Regardless of the installation type, the components that make up the topology are much the same, although the location of some components varies.
At the heart of an MBAM installation is the administration and monitoring server. Here you'll find the Help Desk Portal, an administration and monitoring website where you can perform a number of management tasks.
The server also hosts a self-service portal that lets users retrieve their own recovery keys. In addition, the recovery and status reporting web services run on this server; these are the endpoints the MBAM agents on the client computers call to escrow recovery data and report compliance.
In a Configuration Manager installation, the hardware compliance features are hosted on a Configuration Manager primary site server rather than on the administration and monitoring server. The primary site server collects hardware inventory from the BitLocker client computers and groups the supported computers into an MBAM-specific collection.
In addition, the site server hosts a configuration baseline that is used to evaluate the compliance status of those computers.
Another important component in the MBAM topology is the database server, a SQL Server instance that contains the recovery and audit databases. The recovery database stores recovery data collected from the MBAM clients, and the audit database stores activity data collected from client computers accessing recovery data.
In a standalone installation, the database server also hosts compliance data about the client computers, along with Reporting Services reports that use the data. In a Configuration Manager installation, the data and reports are integrated into the Configuration Manager environment.
MBAM also includes a management workstation that hosts the Policy Template, a set of Group Policy administrative templates (ADMX files) used to define the MBAM options that will be applied to the BitLocker clients. The management workstation does not have to be a dedicated computer; it can also be used to access the Help Desk Portal.
Finally, the MBAM topology includes the BitLocker clients themselves. Each client is a Windows desktop running the MBAM agent, which applies the BitLocker Group Policy settings to the computer, collects recovery and computer information, including the recovery password for each encrypted volume, and escrows that recovery data to the recovery database through the web services on the administration and monitoring server.
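As an added worked example (not code from this article, from MBAM or from Microsoft), the following PowerShell script shows what the client end of that topology looks like on a single Windows 8 machine: whether the MBAM agent service is installed and running, which values from the MBAM Policy Template have actually reached the client, and whether each BitLocker volume carries the recovery password protector the agent escrows. The policy registry path HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement, the value names under it and the service name MBAMAgent are assumptions taken from the MBAM 2.0 templates; check them against your own installation before relying on the output.

```powershell
# Added example: client-side MBAM/BitLocker health check. Not MBAM's own code.
# Assumptions (verify on your build): MBAM policy lives under $PolicyPath with the
# value names read below, and the MBAM client service is named MBAMAgent.
# Requires an elevated session and the BitLocker module (Windows 8 / Server 2012).

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'

function Get-MbamAgentState {
    # Presence and run state of the MBAM client service (assumed name: MBAMAgent).
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return [pscustomobject]@{ Installed = $false; Status = 'Absent' } }
    [pscustomobject]@{ Installed = $true; Status = $svc.Status.ToString() }
}

function Get-MbamPolicy {
    # Reads the Group Policy values the MBAM Policy Template delivers to the client.
    # Returns $null when no MBAM policy has been applied at all.
    if (-not (Test-Path $PolicyPath)) { return $null }
    $p = Get-ItemProperty -Path $PolicyPath
    [pscustomobject]@{
        KeyRecoveryServiceEndPoint     = $p.KeyRecoveryServiceEndPoint
        StatusReportingServiceEndPoint = $p.StatusReportingServiceEndPoint
        ClientWakeupFrequency          = $p.ClientWakeupFrequency
        StatusReportingFrequency       = $p.StatusReportingFrequency
    }
}

function Get-VolumeProtectionState {
    # One row per volume: protection state and which key protectors exist.
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            Volume              = $v.MountPoint
            VolumeType          = $v.VolumeType
            ProtectionStatus    = $v.ProtectionStatus
            EncryptionPercent   = $v.EncryptionPercentage
            Protectors          = ($types -join ',')
            HasRecoveryPassword = [bool]($types -contains 'RecoveryPassword')
        }
    }
}

# ---- Report ----
$agent  = Get-MbamAgentState
$policy = Get-MbamPolicy
$vols   = @(Get-VolumeProtectionState)

Write-Host "MBAM agent: installed=$($agent.Installed) status=$($agent.Status)"

if ($null -eq $policy) {
    Write-Warning "No MBAM policy found at $PolicyPath; the agent has no server to escrow keys to."
} else {
    $policy | Format-List
    # Recovery passwords travel over these endpoints: flag anything that is not HTTPS.
    foreach ($ep in 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndPoint') {
        $url = $policy.$ep
        if (-not $url)                     { Write-Warning "$ep is not set by policy" }
        elseif ($url -notmatch '^https://') { Write-Warning "$ep is not HTTPS: $url" }
    }
}

$vols | Format-Table -AutoSize

# The two conditions a help desk cares about most: an OS volume that is not
# protected, and a protected volume with no RecoveryPassword protector, which
# means there is nothing for the MBAM agent to escrow and nothing to hand out
# from the Help Desk or self-service portal if the user is locked out.
foreach ($v in $vols) {
    if ($v.VolumeType -eq 'OperatingSystem' -and $v.ProtectionStatus -ne 'On') {
        Write-Warning "$($v.Volume): OS volume protection is $($v.ProtectionStatus)"
    }
    if ($v.ProtectionStatus -eq 'On' -and -not $v.HasRecoveryPassword) {
        Write-Warning "$($v.Volume): protected but has no RecoveryPassword protector to escrow"
    }
}
```

Run it from an elevated PowerShell prompt on the client. On Windows 7, where the BitLocker module and Get-BitLockerVolume are not available, the volume section has to be replaced with a parse of `manage-bde -status`; the agent and policy checks work unchanged. A client that shows the agent running and a RecoveryPassword protector present, but whose recovery key is still not visible in the Help Desk Portal, usually points at the endpoint values or at network access to the administration and monitoring server rather than at BitLocker itself.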
In my next tip, we'll look at deploying and administering MBAM for Windows BitLocker.
This was first published in February 2014