Microsoft BitLocker Administration and Monitoring (MBAM) lets you use a client agent (the MDOP MBAM agent) on your Windows devices (7, 8, 10) to enforce BitLocker encryption, including algorithm type, and to securely store the recovery keys in your database. It includes reporting, key rotation and more.
This has been around for quite some years now and works great; however, MBAM is currently its own separate solution. The following blog post from Microsoft details their future direction with regard to BitLocker Management and is a must-read.
The purpose of this blog post is to gather together previous guides (and videos) I’ve created since MBAM’s first release in Configuration Manager Technical Preview version 1905.
This will help you understand how to get started with MBAM integrated within Configuration Manager, what to expect on the client computers, using help desk functionality, key rotation, self service (for the end user) and finally running reports to get an overview of your compliance.
- MBAM BitLocker management – Part 1
- MBAM BitLocker management – Part 2
- MBAM BitLocker management – Part 3
- Getting started with On-premises BitLocker management using SCCM
- How does Key Rotation work in MBAM integrated with SCCM?
- How can you use the Self Service feature when MBAM is integrated within SCCM?
- How can you use the Help Desk feature when MBAM is integrated within SCCM?
- A quick look at reporting in MBAM integrated within Microsoft Endpoint Manager Configuration Manager
- How can I get BitLocker Recovery Keys from the ConfigMgr database
- How to fix: “Unable to find suitable Recovery Service MP. Marking policy non-compliant”
- What’s new in 1910 – https://docs.microsoft.com/en-us/configmgr/core/plan-design/changes/whats-new-in-version-1910
- Plan – https://docs.microsoft.com/en-us/configmgr/protect/plan-design/bitlocker-management
- Deploy – https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/deploy-management-agent
- Encrypt recovery data – https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/encrypt-recovery-data
- Install the MBAM portals – https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/setup-websites
- Migration – https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/bitlocker/deploy-management-agent#migration-considerations
Note: MBAM integrated in 1910 requires an HTTPS-enabled management point (see below). If you’d like help configuring PKI, see my links at the bottom of this blog post.
Setting up PKI in a lab
- Part 1 – Introduction and server setup
- Part 2 – Install and do initial configuration on the Standalone Offline Root CA
- Part 3 – Prepare the HTTP Web server for CDP and AIA Publication
- Part 4 – Post configuration on the Standalone Offline Root CA
- Part 5 – Installing the Enterprise Issuing CA
- Part 6 – Perform post installation tasks on the Issuing CA
- Part 7 – Install and configure the OCSP Responder role service
- Part 8 – Configure AutoEnroll and Verify PKI health
Convert Configuration Manager from HTTP to HTTPS (PKI)
- How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 1
- How can I configure System Center Configuration Manager in HTTPS mode (PKI) – Part 2