By Joseph Moody
BitLocker, introduced in Windows Vista/Server 2008, gave organizations the TPM-backed full-volume encryption they had been asking for. BitLocker first proved its value on laptops and tablets. As more devices shipped with a TPM chip (the component BitLocker uses to seal its volume key; without one, a USB startup key has to be used instead), organizations began to enable BitLocker on a larger scale by encrypting desktops as well. Full-volume encryption protects user-created data, detects tampering with the early boot components through the TPM's integrity measurements, and allows machines to be decommissioned without wiping the hard drive first, because the data is unreadable without the key.
With Windows 7/Server 2008 R2, Microsoft improved BitLocker's implementation and administration, but deployment, management, and reporting were still lacking. While BitLocker could easily be set up on a case-by-case basis, wide-scale distribution was difficult. Microsoft's BitLocker Administration and Monitoring tool (MBAM), part of the Microsoft Desktop Optimization Pack (MDOP), addresses the three biggest pitfalls of a wide-scale BitLocker implementation: deployment/management, reporting, and cost of support.
MBAM consists of several server-side components and a client-side agent. The server side is made up of the Recovery and Hardware Database, the Compliance Status Database, Compliance Audit and Reports, the Administration and Monitoring server, and the policy templates. These features can be installed on one server or spread across several, but they must be installed in the order listed above. When configuring MBAM, the server-side installer defaults to placing all components on a single server.
When deploying the MBAM client, most organizations will choose to install the software before end users have access to the computer. This can be done by including the client in an image or by installing it during the imaging process with Microsoft Deployment Toolkit or System Center Configuration Manager. A final option is to deploy the client with a Group Policy object. Because the client is an MSI and receives all of its configuration through Group Policy Administrative Templates, this option is the easiest for new and existing machines alike. One important note: any existing GPOs containing native BitLocker settings should be disabled, because the MBAM client reads its settings from the MBAM-specific policy templates (under MDOP MBAM (BitLocker Management) in the Administrative Templates), and native BitLocker settings applied alongside them can conflict with what the client enforces.
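To verify on a client that the GPO-based deployment described above actually landed, the following script (an added example, not from the article or from Microsoft) checks that the MBAM agent service is installed and running, that MBAM policy has been applied, and whether native BitLocker policy values are still present. It assumes the agent's service name is MBAMAgent and that the MBAM Administrative Templates write their settings to the MDOPBitLockerManagement subkey beneath the native BitLocker policy key; adjust those if your version differs.

```powershell
# Added example (not from the article): confirm the MBAM client and its policy arrived on
# this machine, and flag native BitLocker policy values that are still being applied.
# Assumptions: service name 'MBAMAgent'; MBAM policies live under the
# MDOPBitLockerManagement subkey of the native BitLocker policy key.
$nativeKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$mbamKey   = Join-Path $nativeKey 'MDOPBitLockerManagement'

function Test-MbamClientState {
    $result = [ordered]@{
        AgentInstalled   = $false
        AgentRunning     = $false
        MbamPolicyFound  = $false
        NativePolicyLeft = @()
    }

    # The MBAM client installs the 'BitLocker Management Client Service'.
    $svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue
    if ($svc) {
        $result.AgentInstalled = $true
        $result.AgentRunning   = ($svc.Status -eq 'Running')
    }

    # The MBAM policy subkey only exists once an MBAM GPO has applied.
    $result.MbamPolicyFound = Test-Path $mbamKey

    # Values directly under ...\FVE come from the built-in BitLocker templates
    # (VolumeEncryption.admx), i.e. from a GPO that should be disabled once MBAM takes over.
    if (Test-Path $nativeKey) {
        $props = Get-ItemProperty -Path $nativeKey
        $result.NativePolicyLeft = @($props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { $_.Name })
    }

    [pscustomobject]$result
}

$state = Test-MbamClientState
$state

if (-not $state.AgentInstalled) {
    Write-Warning 'MBAM client is not installed; check the GPO software installation or the image.'
}
if (-not $state.MbamPolicyFound) {
    Write-Warning 'No MBAM policy applied yet; run gpupdate /force or check the GPO scope and filtering.'
}
if ($state.NativePolicyLeft.Count -gt 0) {
    Write-Warning ('Native BitLocker policy values still applied: ' + ($state.NativePolicyLeft -join ', '))
}
```

Run it elevated on a freshly imaged machine after a `gpupdate /force`; a non-empty NativePolicyLeft list is the quickest way to spot a BitLocker GPO that was left linked when the MBAM GPO was introduced.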
In the test environment shown above, the native BitLocker GPO has been disabled and a new MBAM GPO has been created.
The MBAM configuration GPOs allow granular control of BitLocker settings. The MBAM client can enforce the protector combination for the operating system drive (TPM only, TPM with PIN, TPM with USB startup key, or TPM with both), the recovery options, the recovery key backup location (the MBAM Recovery and Hardware Database), and the compliance reporting endpoint. Using several MBAM GPOs lets you enforce more rigorous standards on specific groups of machines. For example, desktops could be configured with TPM-only protection while laptops carrying sensitive data could be required to use a complex PIN.
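Once those GPOs are in place, the useful check is whether each machine's operating system volume actually ended up with the protector set its GPO was meant to enforce. The script below is an added example (not from the article) that classifies the machine as a laptop or desktop from its SMBIOS chassis type and then compares the OS volume's key protectors against the TPM-only-for-desktops, TPM+PIN-for-laptops split described above. It uses the BitLocker PowerShell module, so it needs Windows 8/Server 2012 or later and an elevated prompt; the chassis-type mapping and the per-class requirements are assumptions you should align with your own GPO design.

```powershell
# Added example (not from the article): verify that the OS volume's key protectors match
# the policy intended for this class of machine (TPM only on desktops, TPM + PIN on laptops).
# Requires the BitLocker module (Windows 8 / Server 2012 and later); run elevated.

function Get-DeviceClass {
    # SMBIOS chassis types 8, 9, 10 and 14 are portables (laptop, notebook, sub-notebook);
    # 30, 31 and 32 are tablets, convertibles and detachables. Everything else is treated
    # as a desktop here (assumption; adjust to your hardware estate).
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    if ($types | Where-Object { $_ -in 8, 9, 10, 14, 30, 31, 32 }) { 'Laptop' } else { 'Desktop' }
}

function Test-OsVolumeProtectors {
    param([string]$DeviceClass = (Get-DeviceClass))

    $osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $osVolume) { throw 'No operating system volume reported by BitLocker.' }

    $protectors = @($osVolume.KeyProtector.KeyProtectorType)

    # Boot-time protectors acceptable per class. A laptop policy that requires a PIN is
    # satisfied by TPM+PIN or TPM+PIN+startup key; a desktop policy by TPM only.
    $acceptable = switch ($DeviceClass) {
        'Laptop' { 'TpmPin', 'TpmPinStartupKey' }
        default  { 'Tpm' }
    }
    $hasBootProtector = [bool]($protectors | Where-Object { $_ -in $acceptable })

    # A recovery password protector is always expected: it is what MBAM escrows
    # to the recovery database for helpdesk recovery.
    $hasRecovery = $protectors -contains 'RecoveryPassword'

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        DeviceClass         = $DeviceClass
        VolumeStatus        = $osVolume.VolumeStatus
        ProtectionStatus    = $osVolume.ProtectionStatus
        Protectors          = ($protectors -join ', ')
        AcceptableProtector = ($acceptable -join ' or ')
        Compliant           = ($hasBootProtector -and $hasRecovery -and
                               $osVolume.ProtectionStatus -eq 'On')
    }
}

Test-OsVolumeProtectors
```

Run it across a pilot group (for example through a remote PowerShell session or as a startup script) and compare the Compliant column with what the MBAM compliance reports show; a mismatch usually means the wrong GPO was applied to a machine, or that the MBAM agent has not yet completed its enforcement cycle.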
A sample MBAM configuration GPO
A big issue with deploying BitLocker on a wide scale was the cost of support. Recovery keys could be recorded manually, backed up to the Active Directory computer object, or saved locally. Automatically backing up to the AD computer object ensured that a recovery key was always available, but it proved troublesome for some IT environments: retrieving a key, and delegating the permissions needed to view it, were often too complex to handle without involving a system or server administrator.
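For comparison, this is what the Active Directory recovery path looks like when scripted. It is an added example, not part of the article, and it shows the step MBAM's web interface replaces: matching the first eight characters of the Key ID the user reads from the recovery screen against the msFVE-RecoveryInformation objects stored under the computer object. It requires the ActiveDirectory module from RSAT and delegated read access to those objects and to the msFVE-RecoveryPassword attribute, which is exactly the delegation the paragraph above refers to. The computer name and key prefix in the final call are placeholders.

```powershell
# Added example (not from the article): retrieve a BitLocker recovery password from the
# AD computer object, given the first 8 characters of the Key ID shown on the recovery screen.
# This is the manual path that MBAM's recovery web page automates and audits.
# Requires the RSAT ActiveDirectory module and delegated read access to
# msFVE-RecoveryInformation objects, including the msFVE-RecoveryPassword attribute.
Import-Module ActiveDirectory

function Get-AdBitLockerRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # The Key ID is a GUID; the user reads out its first 8 hex characters.
        [Parameter(Mandatory)][ValidatePattern('^[0-9A-Fa-f]{8}$')][string]$KeyIdPrefix
    )

    $computer = Get-ADComputer -Identity $ComputerName

    # Recovery information is stored as child objects of the computer object; each object's
    # name is "<backup timestamp>{<recovery key GUID>}", and the GUID is also held in binary
    # form in msFVE-RecoveryGuid.
    $entries = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties msFVE-RecoveryPassword, msFVE-RecoveryGuid, msFVE-VolumeGuid, whenCreated

    foreach ($entry in $entries) {
        # msFVE-RecoveryGuid holds the GUID's 16 raw bytes.
        $keyId = New-Object System.Guid (,[byte[]]$entry.'msFVE-RecoveryGuid')
        if ($keyId.ToString().StartsWith($KeyIdPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Computer         = $computer.Name
                KeyId            = $keyId
                VolumeId         = New-Object System.Guid (,[byte[]]$entry.'msFVE-VolumeGuid')
                BackedUp         = $entry.whenCreated
                RecoveryPassword = $entry.'msFVE-RecoveryPassword'
            }
        }
    }
}

# Placeholder values: the technician gets both from the caller.
Get-AdBitLockerRecoveryPassword -ComputerName 'LAPTOP-042' -KeyIdPrefix 'A1B2C3D4'
```

Note what this script does not do: it records nothing about who retrieved the key or why, and the recovery password stays valid afterwards unless someone rotates the protector by hand. Those two gaps are the documentation step and the key hygiene that MBAM's helpdesk workflow adds on top of the lookup.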
The MBAM web interface provides key recovery delegation and end-user simplicity. When BitLocker locks a drive, the user calls the helpdesk and reads out just the first 8 characters of the Key ID shown on the recovery screen. The technician retrieves the recovery password and documents the reason it was needed in a single step. Because that password has now been spoken over the phone, the MBAM client generates and escrows a new recovery key once the machine is back online, so recovery keys are effectively single-use.
A test recovery shows the key retrieval and the documentation on a single page.
MBAM plugs the gaps Windows administrators face when deploying BitLocker. Because machines can be encrypted before or after deployment, no physical interaction is required. The MBAM client can even manage the TPM chip directly, taking ownership of it and escrowing the TPM owner password alongside the recovery keys. For anyone considering a rollout of BitLocker in any sizable number, MBAM is a must for configuration and maintenance.