Tech Talk Live Blog

MBAM Tips and Tricks

Dave Light

Setting up MBAM (Microsoft BitLocker Administration and Monitoring) appears daunting at first, but proved to be relatively straightforward.  Preparation and planning help immensely.  Microsoft provides a useful planning checklist that aids in preparing the deployment.

When creating the required security groups, it helps to make note of the purpose for the account in the AD description field.  I also found that naming the groups with their purpose aided in the final setup.

If you have not previously deployed BitLocker to computers in your organization, you are already a step ahead.  Any computer that was manually enabled with BitLocker will need to be decrypted and have BitLocker turned off, because MBAM will not manage computers that were encrypted before it was deployed.  In our case, only a few computers required BitLocker to be turned off.

We chose the recommended topology for using MBAM with Configuration Manager, as we already use it for Windows deployments, inventory, reporting, and so on.  When choosing this setup, make sure to complete the prerequisites that apply only to a Configuration Manager deployment.

Once the prerequisites are completed, it is time to run through the steps for configuring the MBAM server features.  This includes configuring the databases, reports, web applications, and Configuration Manager Integration steps.  When setting up multiple MBAM servers, choosing to export the steps to PowerShell scripts is extremely helpful.  This makes deploying additional servers quick and painless.

If you are hosting your databases on a SQL instance other than the default instance, you may need to configure an alias so that the MBAM server deployment wizard can find the path.  Open an Explorer window, navigate to C:\Windows\System32, and launch cliconfg.exe (the SQL Server Client Network Utility).  Click Add and select TCP/IP.  In the server alias field, enter the server name together with the instance name where the databases are located, for example, sqlserver001.yourdomain.local\mbam.  In the server name field, enter only the server name, for example, sqlserver001.yourdomain.local.  If the instance listens on a specific port number, make sure to enter it before saving the configuration.
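The same TCP/IP alias can be created from PowerShell so that it ships with the exported MBAM server scripts rather than being clicked through on each server.  This is an added example, not part of the original post or of the MBAM product; the alias, host name and port 1433 are hypothetical values.

```powershell
# Added example: scripted equivalent of the cliconfg.exe steps above.
# Assumed (hypothetical) values: alias "sqlserver001.yourdomain.local\mbam",
# host "sqlserver001.yourdomain.local", static port 1433.
#Requires -RunAsAdministrator

function New-SqlClientAlias {
    param(
        [Parameter(Mandatory)][string]$AliasName,   # the name the MBAM wizard is given
        [Parameter(Mandatory)][string]$ServerName,  # the real host, without instance name
        [Parameter(Mandatory)][int]$Port            # static port the instance listens on
    )
    # cliconfg.exe stores a TCP/IP alias as "DBMSSOCN,<host>,<port>" under ConnectTo.
    $value = "DBMSSOCN,$ServerName,$Port"
    # The 64-bit cliconfg.exe in System32 writes only the first key; 32-bit clients
    # read the WOW6432Node copy, so write both to avoid a silently unresolved alias.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $AliasName -Value $value `
            -PropertyType String -Force | Out-Null
    }
}

function Test-SqlClientAlias {
    param([Parameter(Mandatory)][string]$AliasName)
    # Connect through the alias the way the wizard will: current Windows identity,
    # encrypted channel. Encrypt=True assumes the instance presents a certificate
    # this host trusts; adjust if that is not the case in your environment.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$AliasName;Integrated Security=True;Encrypt=True;Connect Timeout=10"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@SERVERNAME'
        return [string]$cmd.ExecuteScalar()   # the server\instance the alias resolved to
    } finally {
        $conn.Dispose()
    }
}

New-SqlClientAlias -AliasName 'sqlserver001.yourdomain.local\mbam' `
                   -ServerName 'sqlserver001.yourdomain.local' -Port 1433
Test-SqlClientAlias -AliasName 'sqlserver001.yourdomain.local\mbam'
```

Run it on the MBAM server before launching the deployment wizard; if Test-SqlClientAlias returns the expected server\instance, the wizard will resolve the same alias.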

Once everything is set up, staff are able to sign in to the self-service portal if they run into an issue that requires recovering the drive.

MBAM Self Service Portal

The second part of MBAM is the helpdesk website.  Any technician or help desk staff responsible for assisting with a drive recovery will use this website.  This site allows technicians to recover drives, manage the TPM of corporate computers, and view reports if needed.  I think this portion of the site will be used more than the self-service portal.  If BitLocker locks out a staff member’s computer and they need to recover the machine, I think they are more likely to call the helpdesk, as they may not have access to another computer to use the self-service portal.

The reporting feature looks especially useful, as it will allow the IT staff to keep an eye on who is requesting a recovery unlock and how many times they have requested an unlock.

HelpDesk Reports
