MBAM Step by Step ( BitLocker Administration and Monitoring )

July 1st, 2011

 

One of the most common questions I receive in BitLocker deployments is how to enforce it on all systems with zero touch.

MBAM fixes this issue.

Overview

Microsoft BitLocker Administration and Monitoring (MBAM) builds on BitLocker in Windows 7 and offers you an enterprise solution for BitLocker provisioning, monitoring and key recovery. MBAM helps you simplify BitLocker provisioning and deployment, independently of or as part of your Windows 7 migration, improving BitLocker compliance and reporting and reducing support costs. This document assumes that you already understand BitLocker and group policies in general, and that you want a tool to more easily manage those security features.

Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface to BitLocker drive encryption. MBAM allows you to select BitLocker encryption policy options appropriate to your enterprise, monitor client compliance with those policies, report on the encryption status of the enterprise as well as individual computers, and recover lost encryption keys.

If you feel lost, please review my earlier post on BitLocker.

Architecture Overview

The BitLocker Administration and Monitoring client agent performs the following tasks:

  • Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise
  • Gathers the recovery key for the three BitLocker drive types: operating system drives, fixed data drives, and removable data drives (that is, USB drives)
  • Gathers compliance data for the computer and passes the data to the reporting system

Administration and Monitoring Server: Hosts the Management Console and monitoring web services. The Management Console is used to determine enterprise compliance status and audit activity, manage Hardware Capability, and access recovery data (for example, BitLocker Recovery Keys).

Compliance and Audit Database: Stores compliance data for BitLocker Administration and Monitoring client computers.

Recovery and Hardware Database: Stores recovery data that is collected from BitLocker Administration and Monitoring client computers.

Compliance and Audit Reports: Uses SQL Server Reporting Services (SRS) to provide BitLocker Administration and Monitoring reports. These reports can be accessed from the Management Console or directly from the SRS server.

Policy Template: The Group Policy template that specifies the BitLocker Administration and Monitoring implementation of BitLocker drive encryption.

 

Prerequisites

 

Server Operating System Requirements: Windows Server 2008 SP2 or above

 

Prerequisites for Administration and Monitoring Server

The following is a list of the prerequisites for the BitLocker Administration and Monitoring server:

  • Windows Server Web Server Role
  • Web Server Role Services

Common HTTP Features:

  • Static Content
  • Default Document

Application Development:

  • ASP.NET
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters

Security:

  • Windows Authentication
  • Request Filtering

Windows Server Features:

  • .NET Framework 3.5.1 features
      • .NET Framework 3.5.1
      • WCF Activation
      • HTTP Activation
  • Windows Process Activation Service
      • Process Model
      • .NET Environment
      • Configuration APIs

Prerequisites for the Compliance and Audit Reports Server

The Compliance and Audit Reports prerequisites include the Reporting Services feature from Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter or Developer edition.

Prerequisites for the Recovery and Hardware Database Server

The Recovery and Hardware Database prerequisites include the following:

  • Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter or Developer edition
  • SQL Server must have the Database Engine Services and Full-Text Search features installed.

Prerequisites for the Compliance Status Database Server

The Compliance Status Database prerequisites include:

  • Microsoft SQL Server 2008 R2 Standard, Enterprise, Datacenter or Developer edition
  • SQL Server must have the Database Engine Services and Full-Text Search features installed.

 

MBAM Client Operating System Requirements

Operating System | Edition            | Service Pack | System Architecture
Windows 7        | Enterprise Edition | None, SP1    | x86 or x64
Windows 7        | Ultimate Edition   | None, SP1    | x86 or x64

  • Trusted Platform Module (TPM) v1.2 capability
  • The TPM chip must be turned on in the BIOS and be resettable from the operating system. See the BIOS documentation for more information.

BitLocker Administration and Monitoring server components can be installed in one of three server configurations.

  • Single-computer configuration
    All BitLocker Administration and Monitoring features are installed on a single server. This configuration is supported, but only recommended for testing purposes.

  • Three-computer configuration
    Server features are installed in the following configuration:
      • Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on one server
      • Administration and Monitoring Server feature is installed on another server
      • Group Policy template is installed on a server or client computer

  • Five-computer configuration
    Each server feature is installed on a dedicated computer:
      • Recovery and Hardware Database
      • Compliance Status Database
      • Compliance and Audit Reports
      • Administration and Monitoring Server
      • Group Policy Template is installed on a server or client computer

A three- or five-computer configuration is recommended for production environments.

 

Now let's install.

image

Accept.

image

I will be using one server to hold all roles.

image

The wizard will make sure that everything it needs is installed.

image

Of course, in production you will need to encrypt it.

image

Select the Recovery and Hardware database.

image

Select the Compliance and Audit database.

image

 

Select your reporting server.

image

Select the website for MBAM.

image

If you already have a website using the same port, the wizard will not accept it.

image

Select whether you want updates or not.

image

Ready.

image

You can set up the features one by one if your setup failed.

image

Now let's set the needed user roles.

  • MBAM System Administrators have access to all BitLocker Administration and Monitoring features. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Hardware Users have access to the Hardware Capability features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Helpdesk Users have access to the Helpdesk features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Report Users have access to the Compliance and Audit reports from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server, Compliance and Audit Reports Server, and Compliance Status Database Server.
  • MBAM Advanced Helpdesk Users have increased access to the Helpdesk features from BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.

 

image

MBAM creates all of the user groups below.

image

Now for the configuration.

MBAM integrates with Group Policy, as you see below.

image

Now test the following URLs to see whether it is working or not:

  • http://<machinename>:<port>/default.aspx, and confirm each of the links for navigation and reports
  • http://<machinename>:<port>/MBAMAdministrationService/AdministrationService.svc
  • http://localhost/MBAMComplianceStatusService/StatusReportingService.svc
  • http://<machinename>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc

The expected results should be:

image

 

image

 

image

as you can see you

image
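To check the four URLs listed above without clicking through each one, here is an added PowerShell script (not part of the original post) that requests each endpoint with the current user's Windows credentials and prints the HTTP status. The server name mbam01 and port 8080 are assumptions taken from the GPO settings used later in this post; adjust them for your environment.

```powershell
# Added example: probe the MBAM web endpoints with integrated Windows authentication.
# Assumed values: server name "mbam01" and port 8080 (the values used in the GPO later in this post).
$Server = "mbam01"
$Port   = 8080

# The console page plus the three WCF service endpoints that MBAM setup creates.
$Paths = @(
    "/default.aspx",
    "/MBAMAdministrationService/AdministrationService.svc",
    "/MBAMComplianceStatusService/StatusReportingService.svc",
    "/MBAMRecoveryAndHardwareService/CoreService.svc"
)

foreach ($path in $Paths) {
    $url = "http://{0}:{1}{2}" -f $Server, $Port, $path
    try {
        # HttpWebRequest is available on PowerShell 2.0 (Windows Server 2008), unlike Invoke-WebRequest.
        $request = [System.Net.HttpWebRequest]::Create($url)
        $request.Method = "GET"
        $request.UseDefaultCredentials = $true   # send the logged-on Windows identity (Windows Authentication)
        $request.Timeout = 15000
        $response = $request.GetResponse()
        "{0,-3} {1}" -f [int]$response.StatusCode, $url
        $response.Close()
    }
    catch [System.Net.WebException] {
        # 401 usually means the account is not in one of the MBAM local groups;
        # 404 usually means the feature behind that service was not installed on this server.
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            $status = $_.Exception.Status   # e.g. ConnectFailure when nothing listens on the port
        }
        "{0,-3} {1}" -f $status, $url
    }
}
```

A 401 for an account that is in the right MBAM group, or a 404 for a feature you did install, is worth resolving before you push the client GPO. These services carry recovery keys and compliance data, so in production publish them over HTTPS rather than the plain http:// shown in the screenshots.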

 

Now, to deploy the client, we will be deploying it through the GPO (just like any MSI), and the configuration will be received through Group Policy.

So we create a share and place both client packages in it:

  • MBAMClient-32bit.msi
  • MBAMClient-64bit.msi

 

Now, under Software Installation, we add both clients.

image

Now we rename them and remove the ability to install the x86 package on a 64-bit OS, because we have a dedicated client for x64.

image

Click Advanced.

image

Uncheck “Make this 32-bit …” etc.

image

 

After agent installation you should find the following service up and running.

image

Now, back to the GPO, let's set the basic configuration.

Under MDOP MBAM, under Data Recovery:

Enable and configure the MBAM backend services.

image

The backend URL:

http://mbam01:8080/MBAMRecoveryAndHardwareService/CoreService.svc

Now under Reports:

Enable the reporting URL.

image

 

image

http://mbam01:8080/MBAMComplianceStatusService/StatusReportingService.svc
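To confirm on a client that the agent, the GPO settings and BitLocker itself line up, here is an added PowerShell script (not from the original post) that checks the agent service, reads the endpoint URLs the GPO delivered, and queries BitLocker's WMI provider for the protection status of each volume. The service name MBAMAgent and the registry path under HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement are assumptions about where the MBAM client stores its policy; verify them against your installed agent.

```powershell
# Added example: verify an MBAM client after the agent MSI and the GPO have been applied.
# Assumptions (not taken from the original post): the agent service is named "MBAMAgent" and the
# GPO values land under HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement.
$ServiceName = "MBAMAgent"
$PolicyKey   = "HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement"

# 1. Is the client service installed and running?
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -eq $null) {
    "Service $ServiceName not found - was the agent MSI installed?"
} else {
    "Service {0}: {1}" -f $svc.DisplayName, $svc.Status
}

# 2. Did the GPO deliver the backend URLs? (run gpupdate /force first if these come back empty)
if (Test-Path $PolicyKey) {
    $policy = Get-ItemProperty -Path $PolicyKey
    "Key recovery endpoint    : {0}" -f $policy.KeyRecoveryServiceEndPoint
    "Status reporting endpoint: {0}" -f $policy.StatusReportingServiceEndPoint
} else {
    "No MBAM policy registry key - the GPO has not been applied to this computer"
}

# 3. What does BitLocker itself report? (Win32_EncryptableVolume, the class manage-bde uses)
$ns = "root\cimv2\Security\MicrosoftVolumeEncryption"
$volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume
foreach ($vol in $volumes) {
    $protection = $vol.GetProtectionStatus().ProtectionStatus     # 0 = off, 1 = on, 2 = unknown
    $conversion = $vol.GetConversionStatus()                       # EncryptionPercentage 0..100
    $protectors = $vol.GetKeyProtectors(0).VolumeKeyProtectorID    # 0 = all protector types
    $count = ($protectors | Measure-Object).Count
    "{0} protection={1} encrypted={2}% protectors={3}" -f $vol.DriveLetter, $protection, $conversion.EncryptionPercentage, $count
}
```

An OS volume with protection=1 and at least one protector, together with the two endpoint URLs matching the GPO, is what a compliant client looks like before it appears in the MBAM reports.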

Now let's have an overview of the policy options.

image

image

image

image

image

image

image

 

Global Policy Definitions

This section describes Global Policy definitions for BitLocker Administration and Monitoring.

Prevent memory overwrite on restart

This policy setting is the same as the BitLocker policy.

Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart.

Suggested Configuration: Not configured

When the policy is not configured, BitLocker secrets are removed from memory when the computer restarts.

Validate smart card certificate usage rule

This policy setting is the same as the BitLocker policy.

Configure this policy to use smartcard certificate-based BitLocker protection.

Suggested Configuration: Not configured

When the policy is not configured, a default object identifier “1.3.6.1.4.1.311.67.1.1” is used to specify a certificate.

Provide the unique identifier for your organization

This policy setting is the same as the BitLocker policy.

Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.

Suggested Configuration: Not configured

When policy is not configured, the Identification field is not used.

Choose drive encryption method and cipher strength

This policy setting is the same as the BitLocker policy.

Configure this policy to use a specific encryption method and cipher strength.

Suggested Configuration: Not configured

When policy is not configured, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

Data Recovery Policy Definitions

This section describes MBAM Data Recovery Policy definitions.

Configure key recovery service

This policy setting lets you manage the key recovery service to back up BitLocker recovery information. The setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss because of the lack of key information.

Suggested Configuration: Enabled when Key recovery information to backup is set to Recovery Password and key package.

When this policy setting is enabled, the recovery password and key package will be automatically and silently backed up to configured key recovery server location.

Operating System Drive Policy Definitions

This section describes MBAM Operating System Drive Policy Definitions.

Operating system drive encryption settings

This policy setting determines whether the operating system drive will be encrypted.

Configure this policy to do the following:

  • Enforce BitLocker protection for the operating system drive.
  • Configure PIN usage to use a TPM PIN for operating system protection.
  • Configure enhanced startup PINs to allow the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces.

If you enable this policy setting, the user will have to secure the operating system drive using BitLocker.

If you do not configure or if you disable the setting, the user will not have to secure the operating system drive with BitLocker.

Suggested configuration: Enabled

When enabled, this policy setting requires that the user secures the operating system by using BitLocker protection and the drive is encrypted. Based on your encryption requirements, you may select the method of protection for the operating system drive. For higher security requirements, use “TPM + PIN”, allow enhanced PINs, and set the minimum PIN length to 8.

Choose how BitLocker-protected operating system drives can be recovered

This policy setting is the same as the BitLocker policy.

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

Suggested Configuration: Not configured

When this policy is not configured, the data recovery agent is allowed, recovery information is not backed up to AD DS, and the recovery options, including the recovery password and recovery key, can be specified by the user.

Configure TPM platform validation profile

This policy setting is the same as the BitLocker policy.

This policy setting lets you configure how the Trusted Platform Module (TPM) security hardware on a computer secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

Suggested Configuration: Not configured

When this policy is not configured, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script.

Fixed Data Drive Policy Definitions

This section describes MBAM Fixed Data Drive Policy definitions.

Fixed data drive encryption settings

This policy setting lets you manage whether the fixed data drives must be encrypted or not.

When enabling this policy, you must not disable the “Configure use of password for fixed data drives” policy.

If the Enable auto-unlock fixed data drive option is checked, the OS volume must be encrypted

If you enable this policy setting, the user will have to put all fixed data drives under BitLocker protection and the drives will be encrypted.

If you disable this policy setting, then it is not required to put fixed data drive under BitLocker protection.

If you do not configure this policy setting, then it is not required to put fixed data drive under BitLocker protection.

Suggested Configuration: Enabled; and check the Enable auto-unlock fixed data drive option.

Deny write access to fixed drives not protected by BitLocker

This policy setting is the same as the BitLocker policy.

This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.

Suggested Configuration: Not configured

When the policy is not configured, all fixed data drives on the computer will be mounted with read and write access.

Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

This policy setting is the same as the BitLocker policy.

Enable this policy to allow fixed data drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers.

Suggested configuration: Not configured

When the policy is not configured, fixed data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

Configure use of password for fixed data drives

This policy setting is the same as the BitLocker policy.

Enable this policy to configure password protection on fixed data drives.

Suggested configuration: Not configured

When the policy is not configured, passwords will be supported with the default settings that do not include password complexity requirements and require only 8 characters.

Choose how BitLocker-protected fixed drives can be recovered

This policy setting is the same as the BitLocker policy.

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

Suggested Configuration: Not configured

When the policy is not configured, the BitLocker data recovery agent is allowed, the recovery options, including the recovery password and recovery key, can be specified by the user, and recovery information is not backed up to AD DS.

Removable Data Drive Policy Definitions

This section describes MBAM Removable Data Drive Policy definitions.

Control use of BitLocker on removable drives

This policy setting is the same as the BitLocker policy.

This policy controls the use of BitLocker on removable data drives.

Check the Allow users to apply BitLocker protection on removable data drives option to let the user run the BitLocker setup wizard on a removable data drive.

Choose Allow users to suspend and decrypt BitLocker on removable data drives to permit the user to remove BitLocker drive encryption from the drive or suspend the encryption while maintenance is performed.

Suggested configuration: Enabled

Deny write access to removable drives not protected by BitLocker

This policy setting is the same as the BitLocker policy.

Enable this policy to only allow write access to BitLocker protected drives.

Suggested Configuration: Not configured

When this policy is not configured, all removable data drives on the computer will be mounted with read and write access.

Allow access to BitLocker-protected removable data drives from earlier versions of Windows

This policy setting is the same as the BitLocker policy.

Enable this policy to allow removable data drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers.

Suggested Configuration: Not configured

When this policy is not configured, removable data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

Configure use of password for removable data drives

This policy setting is the same as the BitLocker policy.

Enable this policy to configure password protection on removable data drives.

Suggested configuration: Not configured

When this policy is not configured, passwords are supported with the default settings that do not include password complexity requirements and require only 8 characters.

Choose how BitLocker-protected removable drives can be recovered

This policy setting is the same as the BitLocker policy.

Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).

Suggested Configuration: Not configured

When not configured, the data recovery agent is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

Report Policy Definitions

This section describes the MBAM Report Policy definitions.

Configure status reporting service

This policy setting establishes a location for collecting compliance status reports and sets the time between the generation of reports.

If you enable this policy setting, the status report and updated key recovery information will be automatically and silently sent to the configured report server location.

If you do not configure or disable this policy setting, the status report and updated key recovery information will not be saved.

Suggested Configuration: Enabled

When it is enabled, this policy provides an administrative method of generating a compliance report.

The default is set to every 720 minutes.

Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer.

Client Management Policy Definition

This section describes MBAM Client Management Policy definitions.

Configure client checking frequency in minutes

This policy setting manages how frequently the client checks the BitLocker protection policies and status on the client computer.

If you enable this policy setting, the client will check the BitLocker protection policies and status on the client computer at the configured frequency.

If you do not configure or disable this policy setting, the client checks the BitLocker protection policies and status on the client computer every 90 minutes.

Suggested Configuration: Enabled

The default is set to every 90 minutes.

Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer.

Allow hardware compatibility checking

This policy setting allows you to manage the checking of hardware compatibility before enabling BitLocker protection on the drives of a computer.

When enabling this policy, the administrator has to make sure that the Microsoft BitLocker Administration and Monitoring service is installed with the “Hardware Capability” sub-feature.

When enabling this policy you must enable the “Configure Key Recovery service” policy and have it configured.

If you enable this policy setting, the model of the computer will be validated against the hardware compatibility list before BitLocker protection is enabled on the drives of the computer, to ensure the model is BitLocker-capable.

If you disable or do not configure this policy setting, the computer model will not be validated against the hardware compatibility list.

Suggested Configuration: Enabled

Enable this if your enterprise has older computer hardware or computers that do not support TPM. If this is the case, enable Hardware Compatibility checking to make sure that MBAM is only applied to computer models that support it. If all computers in your organization support BitLocker, you do not have to deploy the Hardware Compatibility, and you can set this policy to Not Configured.

Configure user exemption policy

This policy allows configuring a URL, email address, or telephone number that will instruct users how to request exemption from BitLocker protection.

If you enable this policy setting and provide a URL, mailing address, or telephone number, the user will be able to apply for exemption and will see a dialog with instructions on how to apply for exemption from BitLocker protection.

If you disable or do not configure this policy setting, the user will not see a message for instructions on how to apply for an exemption from BitLocker protection. The request exemption form will not be available to the user.

Suggested Configuration: Not Configured

Enable this policy if your organization wants to let a user or computer be exempted from BitLocker protection.

User-Based Group Policy Definitions

This section describes user-based MBAM Group Policy definitions.

Allow the user to be exempted from BitLocker encryption

This policy lets MBAM be configured to exempt a user from BitLocker encryption.

If you enable this policy setting, the specified user is exempted from BitLocker encryption.

If you disable this policy setting, the specified user is denied exemption from BitLocker encryption. Also, the exemption is not available to the user.

If you do not configure this policy setting, the user is not exempted from BitLocker encryption, and the exemption option is not available to the user.

Suggested Configuration: Not configured

 

How to Grant User Exemptions

Microsoft BitLocker Administration and Monitoring (MBAM) can grant two forms of exemption from BitLocker protection, computer exemption and user exemption. Because BitLocker policy is applied to the computer, we recommend that you control BitLocker protection by exempting computers. Your organization can also manage BitLocker protection by exempting users.

To exempt users from BitLocker protection, an exempt user is added to a security group for Group Policy. When members of this security group sign on to a computer, the user Group Policy shows that the user is exempted from BitLocker protection. The user policy overrides the computer policy, and the computer will remain exempt from BitLocker protection. However, if the computer is already BitLocker-protected, the user exemption policy has no effect.

The following table shows how BitLocker protection is applied based on how exemptions are set.

User status     | Computer not exempt                              | Computer exempt
User not exempt | BitLocker protection is enforced on computer     | BitLocker protection is not enforced on computer
User exempt     | BitLocker protection is not enforced on computer | BitLocker protection is not enforced on computer

List of Log Files for MBAM

The following describes the locations for the log files used by Microsoft BitLocker Administration and Monitoring (MBAM) during setup and operation.

Setup

In order to get setup log files, you must install BitLocker Administration and Monitoring by running its MSI package through msiexec with the /L <location> option. Log files will be created in the location specified.

Application and Monitoring

MBAM uses the IIS logs by default for its websites and services. These are located under %systemdrive%\inetpub\logs\w3svc.

Client

For the BitLocker client, the Admin and Operational log files are located in Event Viewer, under Application and Services Logs / Microsoft / Windows / BitLockerManagement.

This is the final look of the console.

If you find something missing, make sure you are in the relevant MBAM user group.

image

image

 

image

image

 

One of the reports:

image
