This is part one of a three part series from Sr Product Manager, AJ Smith.
A little while back, we announced that the Microsoft BitLocker Administration and Monitoring (MBAM) beta was available. You can read my blog post here.
For those of you unfamiliar with MBAM, it builds on BitLocker Drive Encryption by offering an enterprise solution for provisioning, monitoring, and supporting BitLocker. As the beta moves along, I’m going to describe each of those capabilities in more detail. In this post, I’ll start with provisioning.
By using MBAM, you can centrally provision BitLocker and enforce BitLocker policies across the organization. After deploying the MBAM infrastructure (the MBAM beta includes deployment guidance), provisioning BitLocker by using MBAM is a two-step process:
The client is the centerpiece of MBAM. It enforces MBAM policy settings, stores recovery key data in an encrypted MBAM database, and reports its compliance status to MBAM. In addition to walking the user through the encryption process, it can also prompt the user for a PIN, if required, addressing an aspect of BitLocker deployment that has challenged IT.
- Deploy the MBAM client to each computer.
- Configure policy settings that MBAM enforces.
The MBAM client integrates easily into existing deployment systems. It’s a standard Windows Installer (.msi) file that you can deploy using any electronic software distribution (ESD) or Windows image deployment system. Group Policy Software Installation, Microsoft Deployment Toolkit (MDT) 2010, System Center Configuration Manager 2007, and System Center Essentials 2010 are examples of tools that you can use to deploy the client.
Once you’ve deployed the client, you configure it by using Group Policy. MBAM includes a Group Policy administrative template (.admx) file that defines about 20 new Group Policy settings for MBAM. Typically, you’ll install the administrative template on each management workstation, but you can also copy this file to your Group Policy central store to make it available to all Group Policy administrators.
Figure 1 shows a Group Policy Object (GPO) that includes the MBAM policy settings. These include settings to configure the MBAM client; configure the addresses of service endpoints; and configure rules for fixed, operating system, and removable drives. The MBAM policy settings provide extensive help text, and the MBAM Beta Planning, Deployment, and Operations Guide recommends specific settings that you should configure. The MBAM beta includes this document.
Figure 1. MBAM Group Policy Settings
MBAM also offers the ability to exclude computers from encryption by make and model. If you enable hardware compatibility checking, the MBAM client will check the computer model against the hardware compatibility list. You edit the list in the MBAM management console to indicate whether each computer model is compatible or not. With hardware compatibility checking enabled, the MBAM client will not attempt to enable BitLocker on computers that have an Incompatible or Unknown status.
That’s a high-level overview of provisioning BitLocker by using MBAM. If you’re interested in learning more, I encourage you to download the MBAM beta at Microsoft Connect. The MBAM beta includes guidance that can help you install and evaluate MBAM in a lab environment. In my next blog post, I’ll focus on monitoring compliance.
For more information on MBAM or all of our MDOP products, make sure to visit the MDOP Zone on the Springboard Series on TechNet.
More...