This is part three of our three-part series on MBAM from AJ Smith.
In recent blog posts, I’ve described how Microsoft BitLocker Administration and Management (MBAM) simplifies BitLocker Drive Encryption provisioning and provides compliance reporting that can help you quickly determine the status of the entire organization or a single computer. This is my last blog post in the series, and I’m going to use it to describe how MBAM can simplify BitLocker support.
Before describing specific capabilities, an important detail is that MBAM provides an alternative to storing BitLocker recovery data in Active Directory Domain Services (AD DS), where every AD DS administrator can read it. Some organizations also do not want recovery data in AD DS because they do not want to grant the Helpdesk access to it, and AD DS stores the recovery password in clear text. MBAM instead stores BitLocker recovery data in an encrypted Microsoft SQL Server database, and only authorized users can access that data. Limiting who can read recovery data makes it more secure.
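To make the AD DS path that MBAM replaces concrete, here is an added PowerShell example; it is not part of the original post and not MBAM code. It assumes the ActiveDirectory RSAT module is installed, uses the real BitLocker recovery schema in AD DS (msFVE-RecoveryInformation objects under the computer object), and the function names and the sample key ID prefix are my own.

```powershell
# Added example, not MBAM code: the AD DS recovery path that MBAM replaces.
# BitLocker writes one msFVE-RecoveryInformation object per recovery password under
# the computer object; its CN is "<timestamp>{<key protector GUID>}" and the 48 digits
# sit in the msFVE-RecoveryPassword attribute as a plain string.
# Assumes the ActiveDirectory module (RSAT) and read access to that attribute.

function Find-BitLockerRecoveryPasswordInAD {
    param(
        # The first 8 hex characters of the recovery key ID the user reads off the recovery screen
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Fa-f]{8}$')]
        [string]$KeyIdPrefix
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Match on the CN (which embeds the GUID) rather than the binary msFVE-RecoveryGuid attribute.
    $ldap = "(&(objectClass=msFVE-RecoveryInformation)(cn=*{$($KeyIdPrefix)*))"

    Get-ADObject -LDAPFilter $ldap -Properties 'msFVE-RecoveryPassword', 'whenCreated' |
        ForEach-Object {
            [pscustomobject]@{
                # The parent of the recovery object is the computer object
                Computer         = ($_.DistinguishedName -replace '^CN=[^,]+,', '')
                RecoveryObjectDN = $_.DistinguishedName
                KeyId            = ($_.Name -replace '^.*\{', '{')
                # Clear text: there is no decryption step, which is the point the post makes
                RecoveryPassword = $_.'msFVE-RecoveryPassword'
                Created          = $_.whenCreated
            }
        }
}

function Get-BitLockerRecoveryReaders {
    # The check to run before trusting AD DS with recovery data: every principal
    # allowed to read properties on the recovery object can read the password.
    param([Parameter(Mandatory)][string]$RecoveryObjectDN)
    Import-Module ActiveDirectory -ErrorAction Stop

    (Get-Acl -Path "AD:\$RecoveryObjectDN").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -match 'ReadProperty|GenericRead|GenericAll')
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

# Usage (Helpdesk workflow over AD DS; the key ID prefix below is made up):
# $hit = Find-BitLockerRecoveryPasswordInAD -KeyIdPrefix '3D4F8A12'
# $hit | Format-List
# Get-BitLockerRecoveryReaders -RecoveryObjectDN $hit.RecoveryObjectDN
```

The second function is the part worth keeping around: it lists exactly who can read a given recovery object, and with the default inherited permissions that list includes every domain administrator, which is the access problem the post is describing.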
The most obvious way MBAM can simplify BitLocker support is by streamlining drive recovery for the Helpdesk. Figure 1 shows the Drive Recovery webpage in MBAM. If a user calls the Helpdesk because his computer is in BitLocker recovery mode, the Helpdesk does not look up the drive's recovery key in AD DS. Instead, it uses MBAM to quickly look up the recovery key by its key ID, the identifier displayed on the recovery screen.
Figure 1. Drive Recovery Webpage
Staying with the theme that limited access to recovery data is a good thing, MBAM enables single-use recovery keys. When the Helpdesk retrieves and uses a recovery key, the MBAM client automatically generates a new recovery key for the computer. The original recovery key can’t be used again to recover the computer’s hard drive. Why? What if the user decides to jot down the recovery key and stuff it in his computer bag in case he ever needs it again? The hard drive might as well be unencrypted. Single-use recovery keys help prevent unauthorized users from gaining access to the hard drive even if they get access to a previously used recovery key.
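As an added illustration of what a single-use recovery key means at the volume level, the following PowerShell is my own and not the MBAM client's code. It rotates a used 48-digit recovery password with manage-bde.exe, which ships with Windows 7 and later. It assumes an elevated prompt and English manage-bde output (the parsing keys on the text "Numerical Password:"), and it escrows the replacement to AD DS with -adbackup where the MBAM client would instead upload it to its database; the function names and the sample protector ID are mine.

```powershell
# Added example, not the MBAM client: rotate a used BitLocker recovery password so the
# 48 digits the user may have written down can never unlock the volume again.
# Requires an elevated prompt; manage-bde.exe ships with Windows 7 and later.
# Parsing assumes the English manage-bde output (assumption).

function Get-BitLockerRecoveryPasswords {
    param([string]$Volume = 'C:')
    $text = (& manage-bde.exe -protectors -get $Volume 2>&1) -join "`n"
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -protectors -get failed: $text" }

    # Each recovery password protector is printed as:
    #     Numerical Password:
    #       ID: {GUID}
    #       Password:
    #         123456-123456-... (8 groups of 6 digits)
    $pattern = 'Numerical Password:\s+ID:\s+(\{[0-9A-Fa-f-]+\})\s+Password:\s+([0-9]{6}(?:-[0-9]{6}){7})'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        [pscustomobject]@{ Id = $m.Groups[1].Value; Password = $m.Groups[2].Value }
    }
}

function Invoke-BitLockerRecoveryPasswordRotation {
    param(
        [string]$Volume = 'C:',
        # ID of the protector whose password was just used for recovery
        [Parameter(Mandatory)][string]$UsedProtectorId,
        # Escrow the replacement to AD DS; MBAM's client would upload it to its database instead
        [switch]$BackupToAD
    )
    $beforeIds = @(Get-BitLockerRecoveryPasswords -Volume $Volume | ForEach-Object { $_.Id })
    if ($beforeIds -notcontains $UsedProtectorId) {
        throw "No recovery password protector with ID $UsedProtectorId on $Volume"
    }

    # Add the replacement first so the volume is never left without a recovery protector.
    $null = & manage-bde.exe -protectors -add $Volume -RecoveryPassword
    if ($LASTEXITCODE -ne 0) { throw "Could not add a new recovery password to $Volume" }

    $new = @(Get-BitLockerRecoveryPasswords -Volume $Volume | Where-Object { $beforeIds -notcontains $_.Id })
    if ($new.Count -ne 1) { throw "Expected exactly one new protector on $Volume, found $($new.Count)" }
    $newId = $new[0].Id

    if ($BackupToAD) {
        $null = & manage-bde.exe -protectors -adbackup $Volume -id $newId
        if ($LASTEXITCODE -ne 0) { throw "AD DS backup of $newId failed; old protector kept" }
    }

    # Only now invalidate the used password: the protector goes away, so its digits are useless.
    $null = & manage-bde.exe -protectors -delete $Volume -id $UsedProtectorId
    if ($LASTEXITCODE -ne 0) { throw "Could not delete protector $UsedProtectorId from $Volume" }

    # Return only IDs; the new password itself belongs in the escrow store, not on screen.
    [pscustomobject]@{ Volume = $Volume; NewProtectorId = $newId; RemovedProtectorId = $UsedProtectorId }
}

# Usage after a recovery in which the Helpdesk handed out the password for this (made-up) protector ID:
# Invoke-BitLockerRecoveryPasswordRotation -Volume 'C:' -UsedProtectorId '{9F1D2B6C-0000-4000-8000-000000000001}' -BackupToAD
```

The ordering matters: the new protector is created and escrowed before the old one is deleted, so a failure halfway leaves the volume recoverable, and the used protector is deleted rather than merely superseded, which is what makes the old 48 digits worthless.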
Drive recovery is the most exciting way that MBAM streamlines BitLocker support. A less dramatic but no less effective way it reduces support costs is by empowering users to do basic tasks without calling the Helpdesk. For example, they can encrypt their hard drives or change their PINs. Users can be more self-sufficient, and they can do it with standard user accounts.
There you have it. By using MBAM, the Helpdesk can spend less time supporting BitLocker. Users can do more without calling the Helpdesk, and when the Helpdesk does receive calls, it can resolve them more quickly. I encourage you to test MBAM in your own lab. See my previous blog post to learn more about where you can go to get the MBAM beta.
For more information on MBAM or all of our MDOP products, make sure to visit the MDOP Zone on the Springboard Series on TechNet.
Stephen, BitLocker can be implemented in a FIPS compliant mode however it can’t be done using a recovery key password. The recovery options that you can use for FIPS mode include: Recovery key (this is different than the Recovery Key Password) or Data recovery agent.
More info can be found:
Senior Product Manager
Windows Client - Security
Zafar, BitLocker can be implemented without MBAM however you will miss out on a number of important capabilities including:
Centralized compliance reporting
Improved key recovery (permanent storage of keys, sql DB as opposed to AD, improved access control)
The ability to easily provision encryption to devices that appear on your network
There are many more features but these are the top 3.
"BitLocker™ will not allow creation or use of a recovery password in FIPS mode as FIPS 140-2
prohibits using password deriving keys for data encryption/decryption.
A “recovery password” is a 48 digit value that can be used to recover an encrypted volume,
in the event that the main authentication keys are lost, stolen or unusable."
So from my understanding this contradicts your statement about FIPS compliance. Please correct me if my understanding is wrong.
Moreover a 48 digit password is +/- 128 bit so if you're using 256 bit encryption with MBAM, you'll just be wasting CPU cycles and ...electricity.
Can you let us know whether BitLocker can be implemented without MBAM. If it is done so what capabilities will admins miss out on?
MBAM does not change the FIPS compliance status of BitLocker. To meet FIPS compliance, users cannot create recovery passwords, which is what is stored in the encrypted database. For more details on BitLocker and FIPS compliance check out the BitLocker Drive Encryption Design Guide for Windows 7.
Is the MBAM SQL server based process FIPS compliant?
Anything that will improve the ease of management and key recovery processes of FIPS compliant bitlocker would be appreciated!
I honestly think BitLocker should be included with Windows 7 Professional :( I mean businesses use Windows 7 Professional and BitLocker would be best suited for a business. Students get a huge discount on Windows 7 Professional as well (I am a student), and I think they also could benefit from BitLocker. I guess when I get my Lenovo ThinkPad this Wednesday I'll have to upgrade to 7 Pro and then fork out another who knows how much to go to Ultimate just for this one feature. Really sucks.