Resuming with Microsoft BitLocker Administration and Monitoring (MBAM)


It’s been a few months since my last blog due to focusing on various health ICT activities at Microsoft. During this time, I tried to send a few updates on the Health ICT twitter feed #whealthict. I am now back at a point where I can resume the updates on this blog, with sincere apologies to our readers for this long interruption.

Today we announced that we are in the development process (early beta) to provide Microsoft BitLocker Administration and Monitoring (MBAM).  I thought this would be a topic of great interest to ICT Professionals, ICT Compliance Managers and anyone working in the areas of security and compliance in the Health ICT world.  MBAM will help your health organization more efficiently and cost effectively control health data breaches resulting from exposed (lost, stolen, or misplaced) desktops, laptops, hard drives, USB storage keys, etc.

MBAM will build on BitLocker, available in Windows 7 today, and help simplify BitLocker provisioning and deployment and reduce costs while improving compliance and reporting of BitLocker. The MBAM beta is expected to be available in March and you can sign up here (Windows Live ID required) to be notified when it is released. MBAM will be available through the Microsoft Desktop Optimization Pack (MDOP) at a future date. Following is a summary of how MBAM can help you:

Integrates into existing Windows 7 deployment process: Organizations can integrate the MBAM client into their task sequence setup in System Center Configuration Manager/ Microsoft Deployment Toolkit or their other Windows 7 deployment tools.  The client then automates the encryption process as part of the deployment.

End Users Can Start the Encryption Process: For organizations that deploy MBAM after they have deployed Windows 7, the MBAM agent provides a standard user the ability to start the encryption process.   This enhances the BitLocker out of box experience where the end user must have administrative rights to accomplish this.

Target only the hardware you want to encrypt: ICT Professionals can exclude hardware by make and model, making sure that only machines capable of meeting the encryption policy are encrypted.

Improve Compliance and Reporting

Know how compliant the organization is: Security administrators and IT Professionals can understand which machines are encrypted and meet the organizational policy through out of the box reports.

More secure recovery key storage: ICT Professionals have an alternative to storing BitLocker recovery key information in Active Directory.  Machines with the MBAM client will send BitLocker recovery key information to an encrypted Microsoft SQL Server database.

Reduce Support Costs

Streamline key recovery for the help desk:  MBAM provides a web page that allows the help desk to quickly get the user’s recovery key if they get into BitLocker recovery mode.  The help desk no longer needs access to Active Directory to access BitLocker recovery keys when the organization is using MBAM.

Use a recovery key only once: When a recovery key is retrieved and used, the MBAM client will automatically generate a new recovery key for that PC so that the original key cannot be used to gain access to the machine again.

Empower end users to do the basics: MBAM allows an end user with standard user rights to perform basic BitLocker tasks like changing their PIN or starting the encryption process, which saves them from calling the help desk.

For more information on BitLocker:

teddy bachour

director, worldwide health industry solutions
