Microsoft MBAM Client Implementation Best Practices

Microsoft BitLocker Administration and Monitoring (MBAM) is part of Microsoft Desktop Optimization Pack suite (MDOP) which contain other important and business enabling tools available for Software Assurance Customers. MBAM is used to simplify and control the Bitlocker implementation (Windows 7 Machine encryption), deployment, help desk support as well as providing rich compliance reports. In this article I would like to share some of the best practices that I passed by recently while implementing MBAM.

MBAM is implemented via Group Policies on your specified Windows 7 Laptops OU under Computer configuration - Policies - Administrative Templates - Windows Components - MDOP MBAM. This folder contain 4 main categories (check below image)

1. Client Management
2. Fixed Drive (Enable Password Protection)
3. Operating System Drive (Enable PIN protection)
4. Removable Drive

Normally we would enable the Client services and enforce the Fixed drive and OS drive encryption (PIN+Password). Depending on your Company policy you may enable or disable the Removable drive encryption (USB thumb drive). Under the Client Management category you can enable Hardware compatibility checking, this feature can be used to identify BitLocker-capable computers and exclude specific hardware that you don’t want encrypted. Only Laptops that are approved and turned to compatible (Hardware TAB in the MBAM admin site) will get encrypted.

The Key steps for successful Bitlocker/MBAM client implementation are as follows:

1. Enable TPM from the Laptop BIOS (check your Laptop Manufacturer BIOS settings)
2. Activate the TPM from BIOS
3. Install the MBAM client on the Laptop (32 bit or 64 bit client). Both are available in the MBAM source files.
4. In many cases MBAM fails to take ownership of the TPM and its recommended to install this fix http://support.microsoft.com/kb/2640178
5. By default the MBAM client will wait for 90 minutes random time delay before reporting to the MBAM server with any status, to overcome this default setting you need to add the DWORD key NoStartupDelay to the HKLM\Software\Microsoft\MBAM with value of 1 on each client. For more information about MBAM registry and Timers please check this link http://www.css-security.com/blog/mbam-real-world-information/
6. If you enabled the Hardware Compatibility checking policy (mentioned above), the MBAM administrator need to to approve the devices to get encrypted and change their status to compatible from the MBAM admin site. There is a 24 hr check delay when you turn the machine compatible from the MBAM console. To overcome this you need to remove the following two keys from your client machines then restart the MBAM agent service
• HKLM\software\microsoft\MBAM\HWExemptionTimer
• HKLM\software\microsoft\MBAM\HWExemptionType

       

MBAM Technical Documents:

• Planning Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285653.aspx
• Deployment Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285644.aspx
• Operations Guide: http://onlinehelp.microsoft.com/en-us/mdop/hh285664.aspx
• Troubleshooting MBAM: http://onlinehelp.microsoft.com/en-us/mdop/hh352745.aspx
• MBAM Scalability and High-Availability: http://go.microsoft.com/fwlink/?LinkId=229025
• MBAM Data Retention and Consistency Strategies: http://go.microsoft.com/fwlink/?LinkId=229052
• Using MBAM Data Encryption With MDT: http://go.microsoft.com/fwlink/?LinkId=229053
• MBAM Self-Help Portal: http://go.microsoft.com/fwlink/?LinkId=229054

Microsoft BitLocker Administration and Monitoring (MBAM) Documentation Resources Download Page

http://www.microsoft.com/download/en/details.aspx?id=27555

MBAM Videos and Tutorials: http://technet.microsoft.com/en-us/windows/ff383366.aspx#MBAM