Thursday 4 August 2011

Microsoft BitLocker Administration and Monitoring (MBAM)

On the 1st of August, Microsoft officially released the MDOP 2011 R2 suite.

As well as the usual App-V, MED-V, DaRT etc. updates, this R2 release also sees MBAM join the suite.

For those of you unfamiliar with MBAM, it builds on BitLocker Drive Encryption by offering an enterprise solution for provisioning, monitoring, and supporting BitLocker.

By using MBAM, you can centrally provision BitLocker and enforce BitLocker policies across the organization.
Provisioning BitLocker by using MBAM is a two-step process:
  1. Deploy the MBAM client to each computer (SCCM would be the preferred option here)
  2. Configure policy settings that MBAM enforces.
The client enforces MBAM policy settings, stores recovery key data in an encrypted MBAM database, and reports its compliance status to MBAM.
In addition to walking the user through the encryption process, it can also prompt the user for a PIN, if required, addressing an aspect of BitLocker deployment that has challenged IT.
The most obvious way MBAM can simplify BitLocker support is by streamlining drive recovery for the Service Desk. The picture below shows the Drive Recovery webpage in MBAM. If a user calls the Service Desk because they are in BitLocker recovery mode, the Service Desk doesn't look up the drive's recovery key in AD DS. Instead, the Service Desk uses MBAM to quickly look up the recovery key from the key ID the user reads off the recovery screen.
MBAM also introduces single-use recovery keys. When the Service Desk retrieves and uses a recovery key, the MBAM client automatically generates a new recovery key for the computer. The original recovery key can’t be used again to recover the computer’s hard drive.
This is vitally important, as users are known for jotting down things like the recovery key and keeping it near their device in case they ever need it again. If that key stayed valid, the hard drive might as well be unencrypted.
Single-use recovery keys help prevent unauthorized users from gaining access to the hard drive even if they get access to a previously used recovery key.
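The single-use behaviour described above is something you can reproduce by hand on a single client, which is a useful way to understand what the MBAM agent does after a key has been used. The script below is an added example and is not code from the original post or from MBAM itself. It uses the Win32_EncryptableVolume WMI provider, since the BitLocker PowerShell module does not exist on Windows 7, and it assumes you run it elevated against a BitLocker-protected volume (C: by default); the -BackupToAD switch additionally assumes a domain-joined machine with the BitLocker AD DS schema extensions in place. The order of operations is the important part: the replacement recovery password is added and escrowed before the old one is deleted, so the volume is never left without a recovery path if a step fails.

```powershell
# Added example, not code from the original post or from MBAM itself.
# Rotates the BitLocker recovery password on one Windows 7 client the way
# MBAM does after a recovery key has been used: add a NEW numerical
# password protector first, escrow it, then remove the old one(s) so the
# key the user wrote down no longer works.
# Assumptions: run elevated; $DriveLetter is a BitLocker-protected volume;
# -BackupToAD requires a domain-joined machine with the BitLocker AD schema.

param(
    [string]$DriveLetter = 'C:',
    [switch]$BackupToAD
)

$ns  = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume `
           -Filter "DriveLetter='$DriveLetter'"
if (-not $vol) { throw "No BitLocker volume found for $DriveLetter" }

# ProtectionStatus 1 = protection on. Rotating keys on a suspended or
# unencrypted volume gives a false sense of security, so stop there.
$ps = $vol.GetProtectionStatus()
if ($ps.ReturnValue -ne 0 -or $ps.ProtectionStatus -ne 1) {
    throw "BitLocker protection is not on for $DriveLetter (status $($ps.ProtectionStatus))"
}

# KeyProtectorType 3 = Numerical Password, i.e. the 48-digit recovery key.
$old = $vol.GetKeyProtectors(3)
if ($old.ReturnValue -ne 0) { throw ("GetKeyProtectors failed: 0x{0:X8}" -f $old.ReturnValue) }
$oldIds = @($old.VolumeKeyProtectorID)
Write-Host "Existing recovery password protectors: $($oldIds.Count)"

# Step 1: add the replacement BEFORE deleting anything.
# Both in-parameters (FriendlyName, NumericalPassword) are left null so
# BitLocker generates a fresh random recovery password.
$add = $vol.ProtectKeyWithNumericalPassword($null, $null)
if ($add.ReturnValue -ne 0) { throw ("ProtectKeyWithNumericalPassword failed: 0x{0:X8}" -f $add.ReturnValue) }
$newId = $add.VolumeKeyProtectorID
Write-Host "New recovery password protector: $newId"

# Step 2: escrow the new key somewhere the Service Desk can reach it.
# MBAM would send it to its own encrypted database; on a stand-alone
# Windows 7 box the only built-in option is the AD DS backup.
if ($BackupToAD) {
    $bk = $vol.BackupRecoveryInformationToActiveDirectory($newId)
    if ($bk.ReturnValue -ne 0) {
        # Roll back: keep the old protectors, drop the un-escrowed new one.
        $null = $vol.DeleteKeyProtector($newId)
        throw ("AD backup failed (0x{0:X8}); old recovery keys left in place" -f $bk.ReturnValue)
    }
} else {
    Write-Warning "New recovery key is NOT escrowed anywhere; record it via GetKeyProtectorNumericalPassword before relying on it."
}

# Step 3: now invalidate every previously issued recovery key.
$removed = @()
foreach ($id in $oldIds) {
    $del = $vol.DeleteKeyProtector($id)
    if ($del.ReturnValue -eq 0) { $removed += $id }
    else { Write-Warning ("Could not delete protector {0} (0x{1:X8})" -f $id, $del.ReturnValue) }
}

# The recovery screen shows the user the first 8 hex characters of the
# protector ID; that is what the Service Desk types into the lookup page.
New-Object PSObject -Property @{
    Drive               = $DriveLetter
    NewProtectorId      = $newId
    ShortId             = $newId.Trim('{}').Substring(0, 8)
    RemovedProtectorIds = $removed
    EscrowedToAD        = [bool]$BackupToAD
}
```

On an MBAM-managed machine there is no need to run this: the agent performs the same rotation itself once the Service Desk has retrieved a key, and reports the new key to the MBAM database. The script is for understanding the mechanism, or for a lab box without the agent.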
While MBAM does a great job of helping you provision BitLocker, one of the areas in which it shines most is compliance reporting. The reports it includes can help you quickly determine the status of the entire organization or a single computer. They can also help you monitor access to the MBAM databases.
Imagine that a user loses their laptop computer, and it contains confidential data. With MBAM, you can quickly look up the computer to determine whether it was compliant with BitLocker policy at its last report. You will know immediately whether the loss represents a data-exposure risk.
MBAM provides the following reports in the MBAM management console:
  • Enterprise Compliance Report. This report can tell you at a glance the BitLocker compliance status of your entire organization. 
  • Computer Compliance Report. This report indicates whether a specific computer or a specific user’s computers are compliant with BitLocker policy.
  • Recovery Audit Report. This report indicates who has accessed recovery key information, successfully or not.
  • Hardware Audit Report. This report indicates who has changed the hardware compatibility list and when the MBAM client discovers new hardware. When you enable hardware compatibility checking, the MBAM client uses the hardware compatibility list to determine whether each computer model supports BitLocker.

Two useful videos to watch on MBAM:


Wayne Robinson said...

Very nice Steve, I will check this out as I would love to replace our current encryption software! ;)

Steve Beaumont said...

Bear in mind, MBAM is part of the MDOP suite which is an optional purchase available to Volume Licensing customers with Active SA.

Cathi said...

Where is there a forum to ask for support in troubleshooting issues with MBAM?

Steve Beaumont said...

While there isn't an official MBAM only forum, most BitLocker and MBAM questions seem to get asked in the Win 7 Security Forum so I would try there first.


Anonymous said...

Did anybody try it? Any experiences?

Achim Thielmann said...

I know it's a bit late but I stumbled over this.
We've been using BitTruster for 3 years already, for about 2500 clients.
At that time there had been no one else around except Wave.
We decided to go with BitTruster because there was no need to install any client software.