
Microsoft BitLocker Administration and Monitoring

(MBAM 2.5 SP1)

Page 1 | 49

MBAM (Microsoft BitLocker Administration and Monitoring)

Features: MBAM 2.5 has the following features:

Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.

Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.

Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.

Reduces the workload on the Help Desk to assist end users with BitLocker PIN and recovery key requests.

Enables end users to recover encrypted devices independently by using the Self-Service Portal.

Enables security officers to easily audit access to recovery key information.

Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.

MBAM enforces the BitLocker encryption policy options that you set for your enterprise, monitors the compliance of client computers with those policies, and reports on the encryption status of the enterprise’s and individual’s computers. In addition, MBAM lets you access the recovery key information when users forget their PIN or password, or when their BIOS or boot records change.

The following groups might be interested in using MBAM to manage BitLocker:

Administrators, IT security professionals, and compliance officers who are responsible for ensuring that confidential data is not disclosed without authorization

Administrators who are responsible for computer security in remote or branch offices

Administrators who are responsible for client computers that are running Windows

Architecture of MBAM service:

Prerequisites of MBAM:

1. SQL Server 2012 R2

SQL Server with:

Database engine

Reporting services (native)

Management tools complete

In addition, the MBAM Administration and Monitoring Server will be installed on the same server as SQL Server, so we need to install IIS and some components of Windows Server:

2. .NET Framework 3.5.1 features:

.NET Framework 3.5.1

WCF Activation

HTTP Activation

Non-HTTP Activation

3. .NET Framework 4.5 features:

WCF Services

TCP Activation

4. Windows Process Activation Service:

Process Model

.NET Environment

Configuration APIs

5. IIS:

Common HTTP Features:

Static Content

Default Document

Application Development:

ASP.NET

.NET Extensibility

ISAPI Extensions

ISAPI Filters

Security:

Windows Authentication

Request Filtering


In addition, you need to install ASP.NET MVC 4:
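The prerequisite list above can be installed and verified in one pass. This is an added example, not part of the original guide: the Windows feature names are assumed from Windows Server 2012 R2 (confirm them with Get-WindowsFeature on your build), the ASP.NET and .NET Extensibility entries use the 4.5 variants on the assumption that the MVC 4 web applications need them, and the installation-media path is a placeholder. SQL Server 2012 R2 and ASP.NET MVC 4 are separate installers and are not covered here.

```powershell
# Added example (not from the original guide): install the listed roles and
# features, then report anything still missing. Feature names are assumed
# from Windows Server 2012 R2; check them with Get-WindowsFeature first.
$features = @(
    'NET-Framework-Core',           # .NET Framework 3.5.1
    'NET-HTTP-Activation',          # WCF Activation: HTTP Activation
    'NET-Non-HTTP-Activ',           # WCF Activation: Non-HTTP Activation
    'NET-Framework-45-Features',    # .NET Framework 4.5 features
    'NET-WCF-TCP-Activation45',     # WCF Services: TCP Activation
    'WAS-Process-Model',            # Windows Process Activation Service: Process Model
    'WAS-NET-Environment',          # .NET Environment
    'WAS-Config-APIs',              # Configuration APIs
    'Web-Static-Content',           # IIS Common HTTP Features: Static Content
    'Web-Default-Doc',              # Default Document
    'Web-Asp-Net45',                # Application Development: ASP.NET (4.5, assumed for MVC 4)
    'Web-Net-Ext45',                # .NET Extensibility (4.5, assumed)
    'Web-ISAPI-Ext',                # ISAPI Extensions
    'Web-ISAPI-Filter',             # ISAPI Filters
    'Web-Windows-Auth',             # Security: Windows Authentication
    'Web-Filtering'                 # Request Filtering
)

# .NET 3.5 payload is not in the component store on a default install; point
# -Source at the sources\sxs folder of mounted media when it is available.
$params = @{ Name = $features }
$sxs = 'D:\sources\sxs'             # placeholder path to mounted installation media
if (Test-Path $sxs) { $params['Source'] = $sxs }

$result = Install-WindowsFeature @params
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required before the MBAM server setup is run.'
}

# Verify: anything in the list that is still not installed is reported by name.
$missing = Get-WindowsFeature -Name $features | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Warning "Not installed: $($missing.Name -join ', ')"
} else {
    'All listed Windows prerequisites are installed.'
}
```

Run it in an elevated PowerShell session on the future MBAM server; the final check is what you want to see clean before moving on to the SQL Server and MVC 4 installers.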


After that, create user accounts and groups for MBAM:


For the user account that will be used by the application pool of our web application, register an SPN:

Setspn -S HTTP/sql.firma.com FIRMA\MBAM_HD_AppPool

Then check that the SPN was registered:

Setspn -L FIRMA\MBAM_HD_AppPool

After registering an SPN for this account, an additional Delegation tab appears. Activate the option Trust this user for delegation to any service (Kerberos only):
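The SPN and delegation steps above, scripted with the checks a practitioner would want around them. This is an added example, not from the original guide: it uses the guide's names (sql.firma.com, FIRMA\MBAM_HD_AppPool) and assumes the ActiveDirectory RSAT module is available where it runs.

```powershell
# Added example (not from the original guide): register the app-pool SPN,
# check for a duplicate first, and confirm the delegation flag the guide sets.
Import-Module ActiveDirectory

$domain  = 'FIRMA'
$account = 'MBAM_HD_AppPool'
$spn     = 'HTTP/sql.firma.com'

# The same HTTP/host SPN on two principals breaks Kerberos for the site
# (clients fall back to NTLM or fail), so query before adding. setspn -S also
# refuses to add a duplicate, but -Q shows which principal already holds it.
$query = setspn -Q $spn
if ($query -match 'Existing SPN found') {
    Write-Warning "$spn is already registered:`n$($query -join "`n")"
} else {
    setspn -S $spn "$domain\$account"
}

# Confirm the SPN is now on the account (the guide's setspn -L step).
setspn -L "$domain\$account"

# The GUI option "Trust this user for delegation to any service (Kerberos only)"
# corresponds to the TrustedForDelegation attribute; read it back to verify.
Get-ADUser -Identity $account -Properties TrustedForDelegation, ServicePrincipalNames |
    Select-Object SamAccountName, TrustedForDelegation, ServicePrincipalNames

# Equivalent to ticking that box, if it was not set in the GUI:
# Set-ADUser -Identity $account -TrustedForDelegation $true
```

The Delegation tab only appears once the account owns at least one SPN, which is why the registration comes first. "Any service" is unconstrained delegation; where policy allows, the "specified services only" variant (which populates msDS-AllowedToDelegateTo with just the SQL Server service the application pool actually calls) gives the same working site with a narrower blast radius for that account.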

On the MBAM server, mount the Microsoft Desktop Optimization Pack 2014 R2 image and run the MBAM server installation:

SQL Server will host the MBAM database, the web application for managing keys, the BitLocker Recovery Audit Report and the Self-Service Portal for users:

Set the FQDN of the database server and the accounts that we created earlier:


Specify the accounts to work with reports:

Specify the accounts and the path for the web application files:

Move on to a domain controller. Download the Microsoft Desktop Optimization Pack Group Policy Administrative Templates and unpack them. We need two .admx files and two .adml files:

Copy the .admx files to %systemroot%\policyDefinitions and copy the .adml files to the subfolder for the appropriate language version:


Create OU with a test computer.

Create a group policy for this OU (attention: do not change the other group policies that apply to BitLocker Drive Encryption, otherwise MBAM will not work properly):
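The template-copy, OU and GPO steps above as one script. This is an added example, not from the original guide: the unpack folder, the language, and the OU and GPO names are placeholders, and it assumes the unpacked templates keep their .adml files in a language subfolder next to each .admx file. The MBAM settings themselves are still configured in the Group Policy editor as the following steps describe.

```powershell
# Added example (not from the original guide): place the MBAM templates in the
# policy definitions store, then create the test OU and a GPO linked only to it.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$unpacked = 'C:\Temp\MDOP-ADMX'                            # placeholder unpack folder
$lang     = 'en-US'                                        # assumed language version
$store    = Join-Path $env:SystemRoot 'PolicyDefinitions'  # the guide's target folder

# Copy each .admx and the matching .adml from its language subfolder (assumed layout).
$admx = Get-ChildItem -Path $unpacked -Filter '*.admx' -Recurse
foreach ($file in $admx) {
    Copy-Item -Path $file.FullName -Destination $store -Force
    $adml = Join-Path $file.DirectoryName (Join-Path $lang ($file.BaseName + '.adml'))
    if (Test-Path $adml) {
        Copy-Item -Path $adml -Destination (Join-Path $store $lang) -Force
    } else {
        Write-Warning "No $lang .adml found for $($file.Name); the editor will show raw setting names."
    }
}
"Copied $($admx.Count) .admx file(s) to $store"

# OU for the test computer, and a dedicated GPO so the MBAM settings do not mix
# with other BitLocker policies (the guide's warning).
$ouName   = 'MBAM-Test'                                    # placeholder
$domainDN = (Get-ADDomain).DistinguishedName
New-ADOrganizationalUnit -Name $ouName -Path $domainDN
$ouDN = "OU=$ouName,$domainDN"

$gpo = New-GPO -Name 'MBAM Client Policy' -Comment 'BitLocker settings managed through MBAM only'
New-GPLink -Name $gpo.DisplayName -Target $ouDN -LinkEnabled Yes

# Show what is linked at the OU to confirm the scope before editing settings.
Get-GPInheritance -Target $ouDN | Select-Object -ExpandProperty GpoLinks
```

Keeping the MBAM GPO separate and linked to a test OU first makes it easy to confirm that no other linked GPO sets BitLocker Drive Encryption options, which is the condition the guide's warning is about.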

Add http(s)://<servername>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc as the MBAM Recovery service and disable the MBAM Status reporting service.

Turn on the encryption policy for the system disk and allow BitLocker without a Trusted Platform Module:

Configure the password for the system drive:

Set the number of days during which the user can postpone the application of the MBAM system drive policy:

Set BitLocker settings for removable drives:

Proceed to install the MBAM client.

Then wait for the MBAM client to start automatically, or run MBAMClientUI.exe from C:\Program Files\Microsoft\MDOP MBAM:

To obtain the recovery key you need to know the first eight digits of the recovery key ID:

Help Desk/Administration Portal

Open a web application and make a request for key recovery:

Enter the key, press Enter and you get access to the operating system:
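The help-desk side of the recovery above, as an added example that is not from the original guide. It takes the text a user reads from the recovery screen (or from manage-bde -protectors -get C: on the client) and extracts the eight-character key ID prefix the portal asks for, then checks that a 48-digit recovery password is well formed before it is read back to the user over the phone. The sample protector listing and the passwords are constructed and are not real keys.

```powershell
# Added example (not from the original guide): extract the recovery key ID
# prefix the Help Desk portal needs and validate a recovery password's format.

function Get-RecoveryKeyIdPrefix {
    param([string[]]$Text)
    $joined = $Text -join "`n"
    # Recovery key IDs are GUIDs; the portal matches on the first 8 hex characters.
    # Prefer the ID that follows the Numerical Password protector.
    if ($joined -match 'Numerical Password:\s*ID:\s*\{?([0-9A-Fa-f]{8})-') {
        return $Matches[1].ToUpper()
    }
    # Fallback for text copied from the recovery screen: first GUID-looking token.
    if ($joined -match '([0-9A-Fa-f]{8})-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-') {
        return $Matches[1].ToUpper()
    }
    throw 'No recovery key ID found in the supplied text.'
}

function Test-BitLockerRecoveryPassword {
    param([string]$Password)
    # A recovery password is 8 groups of 6 digits. Each group is a 16-bit value
    # multiplied by 11, so it must be divisible by 11 and below 65536 * 11 = 720896.
    # The divisibility rule catches any single mistyped digit.
    $groups = $Password.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

# Constructed sample in the shape of a protector listing (not a real key).
$sample = @'
Volume C: [Windows]
All Key Protectors

    Numerical Password:
      ID: {1A2B3C4D-0000-4000-8000-000000000000}
    TPM:
      ID: {DEADBEEF-0000-4000-8000-000000000001}
'@ -split "`r?`n"

"Key ID prefix for the portal: $(Get-RecoveryKeyIdPrefix $sample)"

# Constructed passwords: all groups divisible by 11, and the same with one digit changed.
$wellFormed = '000011-000022-000033-000044-000055-000066-000077-000088'
$mistyped   = '000011-000022-000033-000044-000055-000066-000077-000089'
"Well formed: $(Test-BitLockerRecoveryPassword $wellFormed)"
"Mistyped:    $(Test-BitLockerRecoveryPassword $mistyped)"
```

Checking the format before reading a key out saves a second call when a digit was misheard, and every key actually retrieved through the portal still lands in the Recovery Audit Report described later.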


Manage TPM:

There is only one report, the Recovery Audit Report, in Microsoft BitLocker Administration and Monitoring:


Self Service Portal:
