Setting up MBAM (Microsoft BitLocker Administration and Monitoring) appears daunting at the beginning, but proved to be relatively straightforward. Preparation and planning help immensely. Microsoft provides a useful planning checklist that aids in preparing the deployment.
When creating the required security groups, it helps to record each group's purpose in the AD description field. I also found that naming the groups after their purpose aided in the final setup.
If you have not deployed BitLocker to computers in your organization previously, you are already a step ahead. Any computer that was manually enabled with BitLocker will need to be decrypted and have BitLocker turned off, because MBAM will not manage computers that were previously enabled with BitLocker. In our case, only a few computers required BitLocker to be turned off.
We chose the recommended topology for using MBAM with Configuration Management as we already use this for Windows deployments, inventory, reporting, etc. When choosing this setup, make sure to complete the prerequisites that only apply to a Configuration Management deployment.
Once the prerequisites are completed, it is time to run through the steps for configuring the MBAM server features. This includes configuring the databases, reports, web applications, and Configuration Manager Integration steps. When setting up multiple MBAM servers, choosing to export the steps to PowerShell scripts is extremely helpful. This makes deploying additional servers quick and painless.
If you are using a SQL instance other than the default instance to host your databases, you may need to configure a client alias so that the MBAM server deployment wizard is able to find the path. Open an Explorer window, navigate to C:\Windows\System32, and launch cliconfg.exe. Click Add and select TCP/IP. In the server alias field, enter the server name with the instance name where the databases are located, for example, sqlserver001.yourdomain.local\mbam. In the server name field, enter only the server name, for example, sqlserver001.yourdomain.local. If you are using a specific port number, make sure to enter it before saving the configuration.
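The alias step above can be scripted so it sits alongside the exported MBAM server scripts and is applied identically on every MBAM server. The following PowerShell is an added example, not code from the original post: it writes the same registry entry that cliconfg.exe creates for a TCP/IP alias. The server name, instance name and port are placeholders.

```powershell
# Added example (not from the original post): registers a SQL Server client alias
# with the same effect as the cliconfg.exe steps above. Host, instance and port
# values are placeholders; replace them with your own.
function New-SqlClientAlias {
    param(
        [Parameter(Mandatory)] [string] $AliasName,   # e.g. 'sqlserver001.yourdomain.local\mbam'
        [Parameter(Mandatory)] [string] $ServerName,  # e.g. 'sqlserver001.yourdomain.local'
        [int] $Port                                   # omit to let the client resolve the port dynamically
    )
    # cliconfg.exe stores TCP/IP aliases under ConnectTo as 'DBMSSOCN,<server>[,<port>]'.
    $value = if ($Port) { "DBMSSOCN,$ServerName,$Port" } else { "DBMSSOCN,$ServerName" }

    # Write both the 64-bit and 32-bit (WOW6432Node) keys so that 32-bit and
    # 64-bit SQL clients on the server resolve the alias the same way.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $AliasName -Value $value -PropertyType String -Force | Out-Null
    }

    # Return what was written so it can be checked before running the MBAM wizard.
    [pscustomobject]@{ Alias = $AliasName; Target = $value }
}

# Example usage with placeholder names; run in an elevated PowerShell session.
New-SqlClientAlias -AliasName 'sqlserver001.yourdomain.local\mbam' `
                   -ServerName 'sqlserver001.yourdomain.local' -Port 1433
```

Before running the deployment wizard, confirm the alias resolves from the MBAM server with `sqlcmd -S "sqlserver001.yourdomain.local\mbam" -Q "SELECT @@SERVERNAME"`; if that fails, check the SQL Browser service and the firewall rule for the instance port.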
Once everything is set up, staff are able to sign in to the self-service portal in case they run into an issue that requires recovering the drive.
The second part of MBAM is the helpdesk website. Any technician or help desk staff responsible for assisting with a drive recovery will use this website. This site allows technicians to recover drives, manage the TPM of corporate computers, and view reports if needed. I think this portion of the site will be used more than the self-service portal. If BitLocker locks out a staff member’s computer and they need to recover the machine, I think they are more likely to call the helpdesk, as they may not have access to another computer to use the self-service portal.
The reporting feature looks especially useful, as it will allow the IT staff to keep an eye on who is requesting a recovery unlock and how many times they have requested an unlock.