Microsoft BitLocker Administration and Monitoring (MBAM) Beta Now Available at Microsoft Connect

The Microsoft BitLocker Administration and Monitoring (MBAM) beta builds on BitLocker Drive Encryption by offering an enterprise solution for provisioning, monitoring, and supporting BitLocker.

By using MBAM, you can centrally provision BitLocker and enforce BitLocker policies across the organization. After deploying the MBAM infrastructure (the MBAM beta includes deployment guidance), provisioning BitLocker by using MBAM is a two-step process:

"The client is the centerpiece of MBAM. It enforces MBAM policy settings, stores recovery key data in an encrypted MBAM database, and reports its compliance status to MBAM. In addition to walking the user through the encryption process, it can also prompt the user for a PIN, if required, addressing an aspect of BitLocker deployment that has challenged IT," Microsoft says.

"MBAM client integrates easily into existing deployment systems. It's a standard Windows Installer (.msi) file that you can deploy using any electronic software distribution (ESD) or Windows image deployment system. Group Policy Software Installation, MDT 2010, SCCM 2007, and System Center Essentials 2010 are examples of tools that you can use to deploy the client."

Once you've deployed the client, you configure it by using Group Policy. MBAM includes a Group Policy administrative template (.admx) file that defines about 20 new Group Policy settings for MBAM. Typically, you'll install the administrative template on each management workstation, but you can also copy this file to your Group Policy central store to make it available to all Group Policy administrators.

MBAM also offers the ability to exclude computers from encryption by make and model. If you enable hardware compatibility checking, the MBAM client will check the computer model against the hardware compatibility list. You edit the list in the MBAM management console to indicate whether each computer model is compatible or not. With hardware compatibility checking enabled, the MBAM client will not attempt to enable BitLocker on computers that have an Incompatible or Unknown status.

MBAM provides the following reports in the MBAM management console:

  • Enterprise Compliance Report. This report can tell you at a glance the BitLocker compliance status of your entire organization. Figure 1 shows an example. In this case, about half the computers are compliant, one fourth are not compliant, and another fourth are exempt.
  • Computer Compliance Report. This report indicates whether a specific computer or a specific user's computers are compliant with BitLocker policy. In the scenario where a user loses his laptop computer, you would use this report to determine its status.
  • Recovery Audit Report. This report indicates who has accessed recovery key information, successfully or not.
  • Hardware Audit Report. This report indicates who has changed the hardware compatibility list and when the MBAM client discovers new hardware. When you enable hardware compatibility checking, the MBAM client uses the hardware compatibility list to determine whether each computer model supports BitLocker.

You can download the MBAM beta at Microsoft Connect.

[Source: Springboard Series blog]