July 1, 2011 9:46 am

Simplify BitLocker Support with MBAM

This is part three of our three-part series on MBAM from AJ Smith.

In recent blog posts, I’ve described how Microsoft BitLocker Administration and Management (MBAM) simplifies BitLocker Drive Encryption provisioning and provides compliance reporting that can help you quickly determine the status of the entire organization or a single computer. This is my last blog post in the series, and I’m going to use it to describe how MBAM can simplify BitLocker support.

Before describing specific capabilities, an important detail is that MBAM provides an alternative to storing BitLocker recovery data in Active Directory Domain Services (AD DS), where all AD DS administrators can see it. Some organizations also do not want to store recovery data in AD DS because they don’t want to grant the Helpdesk access to it, and because AD DS stores recovery data in clear text. Instead, MBAM stores BitLocker recovery data in an encrypted Microsoft SQL Server database, and only authorized users can access it. Limiting access to recovery data in this way makes it more secure.

The most obvious way MBAM can simplify BitLocker support is by streamlining drive recovery for the Helpdesk. Figure 1 shows the Drive Recovery webpage in MBAM. If a user calls the Helpdesk because his computer is in BitLocker recovery mode, the Helpdesk doesn’t look up the drive’s recovery key in AD DS. Instead, the Helpdesk uses MBAM to quickly look up the recovery key based on its ID.


Figure 1. Drive Recovery Webpage

Staying with the theme that limited access to recovery data is a good thing, MBAM enables single-use recovery keys. When the Helpdesk retrieves and uses a recovery key, the MBAM client automatically generates a new recovery key for the computer. The original recovery key can’t be used again to recover the computer’s hard drive. Why? What if the user decides to jot down the recovery key and stuff it in his computer bag in case he ever needs it again? The hard drive might as well be unencrypted. Single-use recovery keys help prevent unauthorized users from gaining access to the hard drive even if they get access to a previously used recovery key.
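To make the single-use idea concrete, here is an added PowerShell example (not MBAM’s own code; the MBAM client performs this rotation automatically and escrows to its SQL Server database). It uses the BitLocker module that ships with Windows 8 / Server 2012 and later and must run in an elevated session. `$UsedKeyProtectorId` is assumed to be the ID of the recovery password the Helpdesk just read out to the user; the script adds and escrows a fresh recovery password before retiring the used one, so the drive is never left without a recovery protector.

```powershell
# Added example: rotate a BitLocker recovery password after it has been used,
# so the value the user may have written down no longer unlocks the drive.
# This illustrates the single-use recovery key principle; it is not MBAM code.
# Assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later),
# an elevated session, and a domain-joined computer for the AD DS escrow step.
param(
    [string]$MountPoint = "C:",
    [Parameter(Mandatory = $true)]
    [string]$UsedKeyProtectorId   # GUID string as reported by Get-BitLockerVolume
)

$volume = Get-BitLockerVolume -MountPoint $MountPoint

# Confirm the protector being retired really is a recovery password on this volume.
$used = $volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $_.KeyProtectorId -eq $UsedKeyProtectorId }
if (-not $used) {
    throw "No RecoveryPassword protector with ID $UsedKeyProtectorId on $MountPoint"
}

# Remember the recovery password IDs that exist now, so the new one can be told apart.
$before = @($volume.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    ForEach-Object { $_.KeyProtectorId })

# Step 1: add a fresh recovery password FIRST, so the volume always has one.
$after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
$newProtector = $after.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                   $before -notcontains $_.KeyProtectorId } |
    Select-Object -First 1
if (-not $newProtector) {
    throw "Failed to create a new recovery password on $MountPoint"
}

# Step 2: escrow the new password before the old one is removed. MBAM would send
# it to its encrypted SQL Server database; the stock cmdlet escrows to AD DS,
# which is the alternative store the post describes.
Backup-BitLockerKeyProtector -MountPoint $MountPoint `
    -KeyProtectorId $newProtector.KeyProtectorId | Out-Null

# Step 3: only now retire the protector that was used during recovery.
Remove-BitLockerKeyProtector -MountPoint $MountPoint `
    -KeyProtectorId $UsedKeyProtectorId | Out-Null

Write-Output "Retired recovery password $UsedKeyProtectorId on $MountPoint"
Write-Output "New recovery password ID: $($newProtector.KeyProtectorId)"
```

The order matters: adding and escrowing the replacement before removing the used protector means a failure midway leaves the drive with at least one recoverable protector rather than none, and the escrow step is what lets the Helpdesk find the new key on the next call.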

Drive recovery is the most exciting way that MBAM streamlines BitLocker support. A less dramatic but no less effective way it reduces support costs is by empowering users to do basic tasks without calling the Helpdesk. For example, they can encrypt their hard drives or change their PINs. Users can be more self-sufficient, and they can do it with standard user accounts.

There you have it. By using MBAM, the Helpdesk can spend less time supporting BitLocker. Users can do more without calling the Helpdesk, and when the Helpdesk does receive calls, it can resolve them more quickly. I encourage you to test MBAM in your own lab. See my previous blog post to learn more about where you can go to get the MBAM beta.

For more information on MBAM or all of our MDOP products, make sure to visit the MDOP Zone on the Springboard Series on TechNet.

Updated November 8, 2014 1:52 am
