BitLocker Drive Encryption (BDE) is a Windows security feature used by enterprise customers to secure their data on corporate assets – particularly portable devices. BDE allows you to encrypt all of the data stored on the Windows operating system volume and on configured data volumes (fixed and removable). It also ensures the integrity of early boot components by using a Trusted Platform Module (TPM). Traditionally, BDE stored encryption keys on a removable drive (such as a USB flash drive) or stored the recovery keys in Active Directory. Though effective, these storage mechanisms had flaws, and as a solution Microsoft created a product called Microsoft BitLocker Administration and Monitoring (MBAM).
MBAM provides additional features for managing BitLocker encryption of computers in an enterprise beyond the traditional models. MBAM does not store recovery keys in AD or on removable storage devices; instead, it stores the keys in a secured SQL database and allows users and help desk staff to recover those keys based on the workstation or the user’s ID, while also restricting access to those keys to the proper personnel. It allows users to perform their own basic functions without requiring assistance from IT staff. It can also provide compliance reporting, which can be a critical feature for companies that require strong security reporting.
To provide these features for BDE, Microsoft created an MBAM client, which in turn communicates with the MBAM Administration server and manages the BitLocker encryption while providing an interface for users to manage their encryption needs. Because there is a client to manage BDE, additional features and policies can be layered on top of BDE. You configure the MBAM client through Group Policy, by creating and configuring a GPO containing the MBAM policy settings. Of course, you must have permission to create and edit GPOs in the domain.
The MBAM client reviews the computer and user BitLocker policies that are assigned via those GPOs and executes them, keeping the MBAM Administration server updated during the process. The process structure is similar in nature to the SCCM client model, where the local client retrieves the policies assigned to users and computers and executes them. And just like an SCCM client, the MBAM client reports compliance status to the MBAM systems. If the MBAM servers are unavailable, the MBAM client is smart enough to hold off on executing those policies until it can report effectively. This prevents a machine from encrypting during a period in which it can’t submit the keys.
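The compliance status the client reports is, at its core, a set of checks against the local BitLocker state. The following PowerShell function is an added example (not MBAM's own client code or its real compliance logic) that gathers the facts such a check needs from the built-in BitLocker and TrustedPlatformModule modules. The policy it evaluates (TPM+PIN protector and a recovery password on the fully encrypted OS drive) is an assumption for illustration; the function name is hypothetical.

```powershell
function Test-OsDriveBitLockerCompliance {
    <#
    .SYNOPSIS
    Added example: evaluate a Windows OS drive against an assumed
    "TPM+PIN plus escrowed recovery password" BitLocker policy.
    Uses only built-in cmdlets (Get-Tpm, Get-BitLockerVolume).
    #>
    [CmdletBinding()]
    param(
        # Drive letter of the OS volume, e.g. "C:"
        [string]$MountPoint = $env:SystemDrive
    )

    # TPM state: MBAM takes ownership of the TPM before encrypting,
    # so an OS drive without a ready TPM cannot satisfy a TPM-based policy.
    $tpm = Get-Tpm

    # BitLocker state of the requested volume
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Protector types present on the volume (Tpm, TpmPin, RecoveryPassword, ...)
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasTpmPin           = $types -contains 'TpmPin'
    $hasRecoveryPassword = $types -contains 'RecoveryPassword'
    $protectionOn        = $vol.ProtectionStatus -eq 'On'
    $fullyEncrypted      = $vol.VolumeStatus -eq 'FullyEncrypted'

    # Assumed policy for this example; real MBAM policy comes from the GPO.
    $compliant = $tpm.TpmReady -and $protectionOn -and $fullyEncrypted -and
                 $hasTpmPin -and $hasRecoveryPassword

    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        TpmReady             = [bool]$tpm.TpmReady
        ProtectionOn         = $protectionOn
        VolumeStatus         = $vol.VolumeStatus.ToString()
        EncryptionPercentage = $vol.EncryptionPercentage
        EncryptionMethod     = $vol.EncryptionMethod.ToString()
        HasTpmPin            = $hasTpmPin
        HasRecoveryPassword  = $hasRecoveryPassword
        Compliant            = [bool]$compliant
    }
}

# Usage (run elevated, since Get-BitLockerVolume needs administrative rights):
# Test-OsDriveBitLockerCompliance | Format-List
```

A drive that is encrypting (VolumeStatus of EncryptionInProgress) deliberately shows as non-compliant here; the page notes the client lets the user keep working while encryption progresses, and a reporting check should only turn green once the drive is fully encrypted and its recovery password has a protector to escrow.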
The client can be deployed using SCCM or as a part of a deployment process. Integration into an MDT or SCCM OSD Task Sequence is a little different than traditional BitLocker processes. This will be described in my next article.
Users do not have to be administrators to encrypt drives. Even with standard user accounts, they can encrypt fixed and removable drives. They can even perform basic tasks, such as resetting their BitLocker PINs. When MBAM policy requires encryption of a PC’s operating-system drive, it prompts users to begin the process. They have three choices:
– Request Exemption to request exemption from encryption. MBAM will provide the user a link for sending an email, opening a web page, or displaying a custom message to request an exemption. Administrators can then deny that exemption, or grant the exemption to either the user or the PC.
– Postpone to postpone encryption. You can use Group Policy to configure the maximum period of time that users can continue postponing encryption.
– Start to begin the encryption process immediately. The MBAM client first takes ownership of the TPM and reboots the PC, if necessary, and then prompts the user for a PIN (if the policy requires it). The user can continue working as encryption progresses.
Once encryption is complete, users can still use the MBAM client to perform basic operations. For example, they can encrypt removable drives or manage their PINs and the client will update the Administration server as required.
The MBAM architecture simplifies and streamlines the support model for BitLocker encryption. If a user requires assistance, an administrator uses the Drive Recovery page in the Management Console to look up a drive’s recovery key based on its recovery key ID, together with the user’s ID and domain.

As an example, assume a user is traveling and forgets his BitLocker PIN. When he starts his PC, he sees the BitLocker Recovery Console instead of the glowing Windows flag he is used to seeing, and he calls the help desk. The help desk asks for the first eight digits of the recovery key ID, which the user can read off the BitLocker Recovery Console, and types them into the Drive Recovery page on the Management Console. The help desk also enters the user’s domain and user ID and chooses a reason for unlocking the drive; in this case, the user simply forgot his PIN. The Drive Recovery page displays the drive recovery key, and the help desk walks the user through unlocking the drive with it.

Staff granted broader access to MBAM do not have to provide a user ID or domain when looking up a recovery key, as the help desk did in the example above. For example, if an IT pro finds a laptop PC in a closet, a member of the MBAM Advanced Helpdesk Users group can look up its recovery key using MBAM.
After the drive is unlocked with the recovery key, the MBAM client automatically generates a new recovery key for the drive and reports it to the Administration and Monitoring Server. Single-use keys help prevent their misuse and add another level of security.
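Two pieces of the recovery story above are easy to show in working code: matching the eight characters the user reads off the Recovery Console against the drive's own recovery-password protector ID, and the "single-use key" rotation that the MBAM client performs automatically after a recovery. The following PowerShell is an added example, not the MBAM client's code: it uses only the built-in BitLocker cmdlets, the function names are hypothetical, and it stands in `Backup-BitLockerKeyProtector` (escrow to AD DS) for the MBAM escrow to the SQL database, which is an assumption made so that the used key is never removed before its replacement has been stored somewhere.

```powershell
function Find-RecoveryProtectorByIdPrefix {
    <#
    .SYNOPSIS
    Added example: find the RecoveryPassword protector on a volume whose
    key protector ID starts with the 8 characters shown on the Recovery Console.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$IdPrefix
    )
    # The Recovery Console shows the ID as hex without braces; normalise what the caller typed.
    $prefix = $IdPrefix.Trim().ToUpperInvariant()
    if ($prefix -notmatch '^[0-9A-F]{8}$') {
        throw "Recovery key ID prefix must be exactly 8 hexadecimal characters."
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and
        $_.KeyProtectorId.Trim('{', '}').ToUpperInvariant().StartsWith($prefix)
    }
}

function Update-RecoveryPasswordAfterUse {
    <#
    .SYNOPSIS
    Added example: replace a recovery password that has just been used.
    Order matters: create the new protector, escrow it, and only then
    remove the used one, so the drive is never left without an escrowed key.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][string]$UsedKeyProtectorId
    )
    $before = @((Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop).KeyProtector |
                ForEach-Object { $_.KeyProtectorId })
    if ($before -notcontains $UsedKeyProtectorId) {
        throw "Protector $UsedKeyProtectorId is not present on $MountPoint."
    }

    # 1. Generate a fresh 48-digit recovery password protector.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and $before -notcontains $_.KeyProtectorId
    } | Select-Object -First 1
    if (-not $new) { throw "New recovery password protector was not created." }

    # 2. Escrow it. Assumption for this example: AD DS backup stands in for MBAM's SQL escrow.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId | Out-Null

    # 3. Only now retire the protector that was read out over the phone.
    Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $UsedKeyProtectorId | Out-Null

    # Return the new protector's ID so the caller can log or verify the rotation.
    $new.KeyProtectorId
}

# Usage (elevated), with a constructed prefix in place of what the user would read out:
# $used = Find-RecoveryProtectorByIdPrefix -MountPoint 'C:' -IdPrefix '0123ABCD'
# if ($used) { Update-RecoveryPasswordAfterUse -MountPoint 'C:' -UsedKeyProtectorId $used.KeyProtectorId }
```

In an MBAM deployment the client does step 1 through 3 on its own and reports the new key to the Administration and Monitoring Server, so the script is for understanding and for machines outside MBAM's reach; the invariant worth keeping from it is that a used recovery key is removed only after its replacement has been escrowed.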
MBAM is a part of MDOP and is available to Volume Licensing customers, Microsoft Developer Network (MSDN, https://msdn.microsoft.com/) subscribers, and Microsoft TechNet (https://technet.microsoft.com/) subscribers.