
Ensure compliance with Windows BitLocker encryption using MBAM 2.0

Before you can use MBAM 2.0 to manage Windows BitLocker encryption across multiple computers, follow these tips on deploying and administering it.

In my previous article on Microsoft BitLocker Administration and Monitoring, we looked at how MBAM can help with managing encryption across multiple systems. Once you understand the basic components of Windows BitLocker and MBAM 2.0, you can move on to deployment and using it to enforce desktop security policies.

Deploying MBAM

Before you jump into an MBAM installation, you should do a little planning. First, you'll need to decide whether to perform a standalone installation or use Configuration Manager. The advantage of Configuration Manager is that it lets you install MBAM within an already deployed infrastructure.

In addition, you can take advantage of Configuration Manager's ability to allow or prohibit certain hardware types. That said, if your only reason for implementing Configuration Manager is to support MBAM, you'll likely want to do a standalone installation.

Regardless of which installation type you decide on, you can provision BitLocker as part of your Windows installation on a client computer or configure BitLocker to be provisioned after Windows is installed. You can also select from a variety of options, such as the type of drive protection to implement or whether a recovery key can be used more than once.

For Windows 8 computers, you can also take advantage of new security-related features, such as choosing to encrypt only used space, that can reduce the time necessary to provision BitLocker.

Before installing MBAM, make sure that the enterprise network contains the components necessary to support the MBAM installation. That means an established Active Directory domain, Internet Information Services, SQL Server, and other hardware and software requirements.

An MBAM installation has numerous dependencies and can be a time-consuming process. It can also be risky if not done right. Be sure to carefully review the MBAM Administrator's Guide before getting started.

In addition to installing MBAM, you must configure the Group Policy settings that define how BitLocker should be implemented on client computers. You can configure options for both operating system drives and fixed data drives. However, use only the MBAM Policy Template to configure these options: Microsoft BitLocker Administration and Monitoring does not use the default BitLocker policies, and enabling them could conflict with the MBAM settings.

Administering MBAM

Once you've set up MBAM and configured the Group Policy settings, you're ready to administer the system. The main tool for doing so is the Help Desk Portal, which lets you perform a number of management tasks. For example, you can use the Drive Recovery feature to access an encrypted drive when BitLocker goes into recovery mode. From there, you can take the steps necessary to recover that drive. You can also use the website to recover moved or corrupted drives.


Another great feature of the Help Desk Portal is the ability to generate reports in order to monitor usage and compliance. The information in the reports is based on data that MBAM collects from Active Directory and Windows clients.

You can create three different types of reports. The enterprise compliance report provides information about overall BitLocker compliance across your organization. The computer compliance report, which is specific to a user or computer, includes details about each encrypted drive on a computer, such as the policy cipher strength and compliance status. The recovery audit report shows details related to the users who have requested access to recovery keys, including the time and date of each request, as well as a reason for that request.

In addition to the Help Desk Portal, MBAM provides the Self-Service Portal, a service that lets end users retrieve their own recovery keys. This can be useful if BitLocker locks users out of Windows because they forgot their passwords or PINs or they changed operating system files, the BIOS or the Trusted Platform Module.

To retrieve a recovery key, a user needs to enter only the first eight digits of the recovery key ID. The Self-Service Portal then returns the actual 48-digit recovery key, which the user enters in the BitLocker recovery screen.
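As an added illustration (not MBAM's own code), here is a small Python model of that self-service lookup: the caller supplies only the first eight characters of the key ID plus a reason, the lookup refuses unknown or ambiguous prefixes, and every request is recorded with the fields the recovery audit report shows. The key IDs and recovery passwords in the store are constructed; the format check reflects the BitLocker recovery-password layout (eight groups of six digits, each group a 16-bit value times 11).

```python
from datetime import datetime, timezone

# Constructed sample store: recovery key ID (GUID) -> 48-digit recovery password.
# A real MBAM deployment keeps these in its Recovery database; values here are made up.
RECOVERY_STORE = {
    "F1A2B3C4-1111-4222-8333-444455556666":
        "123453-000011-000022-720885-000033-000044-000055-000066",
    "0ABC1234-5555-4666-8777-888899990000":
        "000077-000088-000099-000110-000121-000132-000143-000154",
}
# One row per request, the same fields the recovery audit report shows.
AUDIT_LOG = []

def valid_recovery_password(pw):
    """A BitLocker recovery password is 8 groups of 6 digits; each group encodes a
    16-bit value times 11, so it is divisible by 11 and below 720896."""
    groups = pw.split("-")
    if len(groups) != 8 or not all(len(g) == 6 and g.isdigit() for g in groups):
        return False
    return all(int(g) % 11 == 0 and int(g) < 720896 for g in groups)

def lookup_recovery_key(key_id_prefix, user, reason):
    """Self-Service Portal style lookup: the user supplies only the first 8
    characters of the key ID shown on the BitLocker recovery screen and a reason.
    Returns the 48-digit recovery password, or None if the prefix does not match
    exactly one key. Every request, successful or not, is recorded for the audit report."""
    prefix = key_id_prefix.strip().upper()
    if len(prefix) != 8 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("enter exactly the first 8 characters of the recovery key ID")
    if not reason.strip():
        raise ValueError("a reason is required; it is shown in the recovery audit report")
    matches = [k for k in RECOVERY_STORE if k.startswith(prefix)]
    # Unknown prefix, or a prefix shared by more than one key: do not guess.
    password = RECOVERY_STORE[matches[0]] if len(matches) == 1 else None
    if password is not None and not valid_recovery_password(password):
        raise RuntimeError("stored recovery password is malformed: " + matches[0])
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "key_id_prefix": prefix,
        "reason": reason,
        "released": password is not None,
    })
    return password
```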

Working with MBAM

In addition to what we've discussed, MBAM includes a number of other features. For example, if an administrator suspends a BitLocker drive, MBAM re-enables the drive automatically when the computer is rebooted.

MBAM also periodically checks the policy controls on a Windows BitLocker drive and restores the device to a proper state if it's noncompliant. Users can likewise put a device into a compliant state without the help of an administrator.

Clearly, MBAM has much to offer. If you're looking at BitLocker to protect your enterprise desktops, you should also be considering MBAM.
