Simplifying BitLocker management
BitLocker it’s a feature introduced by Microsoft since Windows Vista as a free alternative to other disk encryption software on the market.
In Windows 7 just the Enterprise and Ultimate flavors of the O.S. has the option to active BitLocker and this happens mainly because it’s the enterprises that use it most.
Although a lot of configurations regarding BitLocker can easily be done using Local/Domain Group Policies there’s a wide lack of options that can just be done directly on a machine.
Also, the task regarding to passwords recoveries, resets, are also a huge problem for everyone except domain administrators on a enterprise environment.
With all this in mind, Microsoft decided to create a new product that unfortunately, I may say, it’s only available through Microsoft Desktop Optimization Pack (MDOP).
As you may know, MDOP it’s only available for enterprises that has a Software Assurance agreement with Microsoft which although has a lot of good things, it’s still a bit expensive in this complicated times we’re living.
Now…about Microsoft BitLocker Administration and Monitoring that I’ll call MBAM from now on, it really is a ‘nice to have’ feature on a corporation.
Well, first things first. One of the best additions to an enterprise using MBAM it’s the ability have a webpage where the Helpdesk Department can go and do most the the work that otherwise could only be accomplished using Active Directory or an MMC, like password recovery, reset TPM, etc.
MBAM Agent
For MBAM to work, there’s the need to install an agent to enforce BitLocker policies so you need to deploy it or add it to your reference image.
GPO Extensions
- MBAM extends the group policies and adds features to control the MBAM agent installed on the machines.
- One of the nice things is that you can configure the policy in such manner that if there’s a drive that is not encrypted and it should, during boot, a popup appears to the user to encrypt the drive. The encryption in this case can be made using standard user privileges.
Compliance Reports
- Through the Enterprise Compliance Report you can have a view of all the machines on the organization and if they are compliance or not with the defined policy for BitLocker,
- There also a view to a single PC where you can get the information about its compliance with the Bitlocker GPO; the main user of the PC; Manufacturer/Model; and also the last time the computer communicated with the Compliance Server
- It’s also possible to create custom reports the SQL Reporting Services tool
Key Recovery Website
- This is one of my favorite tool in MBAM. You can give the Key Recovery Website to your helpdesk which allows them to give the recovery password to users with no need to have “special permissions” to read from the Active Directory
- After give a recovery key to the user, the MBAM Agent contacts the MBAM server and generates a new recovery key. This enhances the security of Bitlocker because, even if the user writes down the recovery password on a paper and put it on his bag, and the bag gets stolen, that recovery password is no more helpful.
So, this is a really nice tool and a one more good reason to get Microsoft Desktop Optimization Pack (MDOP) in your enterprise.
To learn more about Microsoft Bitlocker Administration and Monitoring take a look at:
Microsoft Desktop Optimization Pack