Microsoft BitLocker Administration and Monitoring
(MBAM 2.5 SP1)
Page 1 | 49
MBAM (Microsoft BitLocker Administration and Monitoring)
Features: MBAM 2.5 has the following features:
   Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
   Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
   Provides centralized reporting and hardware management with Microsoft System Center Configuration Manager.
   Reduces the workload on the Help Desk to assist end users with BitLocker PIN and recovery key requests.
   Enables end users to recover encrypted devices independently by using the Self-Service Portal.
   Enables security officers to easily audit access to recovery key information.
   Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
MBAM enforces the BitLocker encryption policy options that you set for your enterprise, monitors the compliance of client computers with those policies, and reports on the encryption status of the enterprise's computers as a whole and of individual computers. In addition, MBAM lets you access the recovery key information when users forget their PIN or password, or when their BIOS or boot records change.
The following groups might be interested in using MBAM to manage BitLocker:
   Administrators, IT security professionals, and compliance officers who are responsible for ensuring that confidential data is not disclosed without authorization
   Administrators who are responsible for computer security in remote or branch offices
   Administrators who are responsible for client computers that are running Windows
Architecture of MBAM service:
Prerequisites of MBAM:
1. SQL Server 2012 R2
   SQL Server with:
      Database Engine
      Reporting Services (native)
      Management Tools – Complete
In addition, the MBAM Administration and Monitoring Server will be installed on the same server as SQL Server, so we need to install IIS and some components of Windows Server:
2. .NET Framework 3.5.1 features:
   .NET Framework 3.5.1
   WCF Activation
      HTTP Activation
      Non-HTTP Activation
3. .NET Framework 4.5 features:
   WCF Services
      TCP Activation
4. Windows Process Activation Service:
   Process Model
   .NET Environment
   Configuration APIs
5. IIS:
   Common HTTP Features:
      Static Content
      Default Document
   Application Development:
      ASP.NET
      .NET Extensibility
      ISAPI Extensions
      ISAPI Filters
   Security:
      Windows Authentication
      Request Filtering
In addition, you need to install ASP.NET MVC 4:
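The Windows Server components listed in items 2 to 5 can be audited and installed from PowerShell on the MBAM/SQL server instead of clicking through Server Manager. This is an added example, not part of the original guide; the feature names are those reported by Get-WindowsFeature on Windows Server 2012 R2 (an assumption to verify on your build), and ASP.NET MVC 4 remains a separate download.

```powershell
# Added example: audit and install the MBAM prerequisite roles/features (Windows Server 2012 R2 names).
Import-Module ServerManager

$required = @(
    # 2. .NET Framework 3.5.1 features (WCF HTTP / non-HTTP activation)
    'NET-Framework-Core', 'NET-HTTP-Activation', 'NET-Non-HTTP-Activ',
    # 3. .NET Framework 4.5 features (WCF Services, TCP Activation)
    'NET-WCF-Services45', 'NET-WCF-TCP-Activation45',
    # 4. Windows Process Activation Service
    'WAS-Process-Model', 'WAS-NET-Environment', 'WAS-Config-APIs',
    # 5. IIS: Common HTTP Features
    'Web-Static-Content', 'Web-Default-Doc',
    # 5. IIS: Application Development (assumption: both the 3.5 and 4.5 variants of ASP.NET and
    #    .NET Extensibility, as the guide does not say which one its screenshot selects)
    'Web-Asp-Net', 'Web-Asp-Net45', 'Web-Net-Ext', 'Web-Net-Ext45', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    # 5. IIS: Security
    'Web-Windows-Auth', 'Web-Filtering'
)

# Names that do not exist on this build are reported rather than silently skipped.
$state   = Get-WindowsFeature -Name $required -ErrorAction SilentlyContinue
$unknown = $required | Where-Object { $_ -notin $state.Name }
if ($unknown) { Write-Warning "Not known on this build: $($unknown -join ', ')" }

$missing = $state | Where-Object { -not $_.Installed }
if (-not $missing) {
    Write-Host 'All listed prerequisites are already installed.'
} else {
    Write-Host "Installing: $($missing.Name -join ', ')"
    # If the .NET 3.5 payload was removed from the image, add: -Source <install media>\sources\sxs
    $result = Install-WindowsFeature -Name $missing.Name -IncludeManagementTools
    if (-not $result.Success) { throw 'Feature installation failed; inspect Get-WindowsFeature output.' }
    if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before installing MBAM.' }
}

# Final check: anything still not installed is listed here (expected to be empty).
Get-WindowsFeature -Name $required -ErrorAction SilentlyContinue |
    Where-Object { -not $_.Installed } |
    Select-Object Name, DisplayName
```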
After that, create the user accounts and groups for MBAM:
For the user account under which the application pool of our web application will run, register an SPN:
Setspn -S HTTP/sql.firma.com FIRMA\MBAM_HD_AppPool
Then check that the SPN was registered:
Setspn -L FIRMA\MBAM_HD_AppPool
After an SPN is registered for this account, an additional Delegation tab appears in its properties. Enable the option Trust this user for delegation to any service (Kerberos only):
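A scripted verification of the two steps above, as an added example that is not part of the original guide: it confirms the SPN is on the application pool account, checks that no other account carries the same SPN (which Setspn -L alone does not reveal), and reports the delegation setting. It uses the account and SPN names from the guide (FIRMA\MBAM_HD_AppPool, HTTP/sql.firma.com) and assumes the ActiveDirectory RSAT module is installed.

```powershell
# Added example: verify SPN registration and delegation state for the MBAM app pool account.
Import-Module ActiveDirectory

$account     = 'MBAM_HD_AppPool'          # from the guide
$expectedSpn = 'HTTP/sql.firma.com'       # from the guide

$user = Get-ADUser -Identity $account -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# 1. The SPN must be present on this account, otherwise IIS Windows Authentication falls back to NTLM.
if ($user.servicePrincipalName -contains $expectedSpn) {
    Write-Host "OK: $expectedSpn is registered on $account"
} else {
    Write-Warning "$expectedSpn is NOT registered on $account (expected: setspn -S $expectedSpn FIRMA\$account)"
}

# 2. The same SPN on a second account makes Kerberos ticket requests fail; look for duplicates.
$owners = Get-ADObject -LDAPFilter "(servicePrincipalName=$expectedSpn)" -Properties servicePrincipalName
if (@($owners).Count -gt 1) {
    $names = ($owners | Select-Object -ExpandProperty Name) -join ', '
    Write-Warning "Duplicate SPN $expectedSpn found on: $names"
}
# Forest-wide duplicate scan of all SPNs, as a second opinion.
setspn -X

# 3. Report what the Delegation tab is set to for this account.
if ($user.TrustedForDelegation) {
    Write-Host "$account is trusted for delegation to any service (the setting the guide enables)"
} elseif ($user.'msDS-AllowedToDelegateTo') {
    Write-Host "$account uses constrained delegation to: $($user.'msDS-AllowedToDelegateTo' -join ', ')"
} else {
    Write-Warning "$account is not trusted for delegation; the Delegation tab setting from the guide is missing"
}
```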
On the MBAM server, mount the Microsoft Desktop Optimization Pack 2014 R2 image and run the MBAM server installation:
The SQL Server will host the MBAM databases, the web application for managing keys, the BitLocker Recovery Audit Report, and the Self-Service Portal for users:
Set the FQDN of the database server and the accounts that we created earlier:
Specify the accounts to work with reports:
Specify the accounts and the path for the web application files:
The result is:
Move on to a domain controller. Download the Microsoft Desktop Optimization Pack Group Policy Administrative Templates and unpack them. We need two .admx files and two .adml files:
Copy the .admx files to %systemroot%\PolicyDefinitions and the .adml files to the subfolder for the appropriate language version:
Create an OU containing a test computer.
Create a group policy for this OU (attention: do not change the other group policies that apply BitLocker Drive Encryption settings, otherwise MBAM will not work properly):
Add http(s)://<servername>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc as the MBAM Recovery service endpoint and disable the MBAM Status reporting service.
Turn on the encryption policy for the system drive and allow BitLocker without a Trusted Platform Module:
Configure the password for the system drive:
Set the number of days during which the user can postpone the application of the MBAM system drive policy:
Set the BitLocker settings for removable drives:
Proceed to install the MBAM client.
Without waiting for the automatic launch of the MBAM client, run MBAMClientUI.exe from C:\Program Files\Microsoft\MDOP MBAM:
To obtain the recovery key, you first need to know the first eight digits of the recovery key ID shown on the client:
Help Desk/Administration Portal
Open the web application and submit a request for key recovery:
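On the client side, the recovery key ID that the Help Desk asks for can be read from PowerShell rather than from the pre-boot screen, and the same query doubles as a check that each volume actually has a recovery password protector escrowed for MBAM to return. This is an added example, not part of the original guide; it uses the built-in BitLocker module (Windows 8 / Server 2012 and later), must run elevated, and deliberately never outputs the recovery password itself.

```powershell
# Added example: list protection state and recovery key ID hints for every BitLocker volume on an MBAM client.
Import-Module BitLocker

$report = Get-BitLockerVolume | ForEach-Object {
    $vol = $_
    # Key protector IDs are GUIDs in braces; the Help Desk portal wants the first eight characters.
    $recoveryIds = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId.Trim('{}').ToUpper() }

    [pscustomobject]@{
        Volume            = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted, ...
        ProtectionStatus  = $vol.ProtectionStatus    # On, or Off when protectors are suspended or absent
        Protectors        = ($vol.KeyProtector.KeyProtectorType -join ', ')
        RecoveryKeyIdHint = ($recoveryIds | ForEach-Object { $_.Substring(0, 8) }) -join ', '
        HasRecoveryKey    = [bool]$recoveryIds
    }
}

$report | Format-Table -AutoSize

# Compliance view: a volume with protection off, or with no RecoveryPassword protector,
# cannot be recovered through the MBAM portals and should be flagged.
$report | Where-Object { $_.ProtectionStatus -ne 'On' -or -not $_.HasRecoveryKey } | ForEach-Object {
    Write-Warning ("Volume {0}: protection={1}, recovery password protector present={2}" -f
        $_.Volume, $_.ProtectionStatus, $_.HasRecoveryKey)
}
```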
Enter the key, press Enter, and you get access to the operating system:
Manage TPM:
There is only one report, the Recovery Audit Report, in Microsoft BitLocker Administration and Monitoring:
Self-Service Portal: