Microsoft IT Deploys Microsoft BitLocker Administration and Monitoring

Technical Case Study

Published: October 2011

Microsoft IT wanted to replace its custom-developed Windows® BitLocker® Drive Encryption management tools with a more robust solution. After careful planning and testing, Microsoft IT implemented Microsoft® BitLocker Administration and Monitoring to create a more secure, manageable, and cost-effective BitLocker environment.

Download

Download Technical Case Study, 416 KB, Microsoft Word file

Situation

Microsoft IT was searching for a better way to manage their BitLocker Drive Encryption environment. Their custom-developed solution was becoming cost-prohibitive, with requirements and limitations that were becoming increasingly difficult to support and maintain.

Solution

Microsoft IT deployed Microsoft BitLocker Administration and Monitoring into their environment as a replacement for their custom-developed solution. By taking a staged and well-planned approach, they were able to transition BitLocker Drive Encryption management to the Microsoft BitLocker Administration and Monitoring infrastructure, resulting in several important benefits.

Benefits

  • Simplified provisioning and deployment
  • Improved compliance and reporting
  • Reduced support costs
  • Best practices for further deployments and configuration

Products & Technologies

  • Windows BitLocker Drive Encryption
  • Microsoft System Center Configuration Manager
  • Microsoft System Center Virtual Machine Manager
  • Microsoft SQL Server 2008 R2
  • Windows Server 2008 R2
  • Windows 7
  • Microsoft Desktop Optimization Pack with Microsoft BitLocker Administration and Monitoring
  • Active Directory Domain Services

Introduction

Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP), a suite of technologies available as a subscription for Microsoft Software Assurance customers.

MBAM is designed to simplify BitLocker provisioning, key recovery, and compliance and audit reporting. It does this by providing a simple administrative interface to BitLocker Drive Encryption (BDE), which in turn enables administrators to configure BitLocker encryption policies that meet the requirements of their organization. MBAM provides the ability to monitor compliance with established BitLocker policies and to access recovery key information when a user forgets their personal identification number (PIN) or password, or when a system configuration change affecting BitLocker prevents the user from using his or her computer.

Situation

When Microsoft IT began to install Windows Vista® in their client computer environment in late 2006 and early 2007, part of that implementation included the new BitLocker Drive Encryption technology. BitLocker technology required a level of integration with the Trusted Platform Module (TPM) that was not built into many hardware platforms used within Microsoft. TPM is an important part of an effective enterprise BitLocker implementation, as it is the preferred mechanism for securing BitLocker encryption keys.

Because of the early implementation and the deployment scenario, BitLocker-enabled clients required a certain amount of intervention and assistance from Microsoft IT support staff. Microsoft IT quickly discovered that managing multiple implementations of BitLocker in an enterprise environment involved significant troubleshooting and administrative resources. Microsoft IT had a limited set of tools to accomplish tasks such as implementing the encryption process, obtaining recovery keys, and ensuring compliance of BitLocker encrypted systems. These tools did not fulfill the Microsoft IT enterprise requirements. The result was that BitLocker administration was manual, tedious, and costly.

A Custom-Developed Solution

Microsoft IT decided that a new tool for managing the BDE environment was necessary. Working with developers, Microsoft IT created an administrative toolset made up of three tools that would provision and manage their BitLocker deployment, and provide some level of enterprise support for their BitLocker clients. These three new tools were BitLocker Automated System Enablement (BASE), BitLocker Drive Encryption Vault (BDEVault), and a reporting and monitoring tool:

  • BASE. BASE is a client-based tool that is deployed to BitLocker-capable computers. BASE enforces BitLocker policies by ensuring that BitLocker clients are properly configured and provisioned.

  • BDEVault. BDEVault both assists in the recovery key retrieval process and provides centralized, controlled storage of recovery keys across the enterprise. BDEVault was implemented in response to frequent requests by end users for BitLocker recovery keys.

  • Reporting and monitoring tool. The reporting and monitoring tool is a scanning tool that assesses and records the encryption state and compliance information from BitLocker clients managed by BASE and BDEVault. This third tool is required because neither BASE nor BDEVault contained any native functionality for reporting or monitoring.

Together, these three tools were implemented to provide an acceptable level of manageability for the Microsoft IT BitLocker environment.

Challenges of a Custom-Designed Solution and the Evolution of MBAM

While the implementation of BASE and BDEVault enabled Microsoft IT to gain a certain level of control over their BitLocker environment, the tools themselves also posed significant challenges. The tools were all built around BitLocker integration with Active Directory Domain Services, but there was no unified management interface for the entire solution. BDEVault was a server software-based solution that required server-level hardware, and was administered by a group separate from the one responsible for BASE, which was a client software-based solution. Furthermore, the Microsoft IT scanning tool was designed to scan the state of BitLocker and collect pertinent information, but it was primarily designed to check for BitLocker compliance only, and was not an enterprise-level reporting tool.

The following diagram outlines the key components of the pre-existing BitLocker management environment at Microsoft.

Figure 1. An overview of the Microsoft IT pre-existing BitLocker management infrastructure

Supporting and Maintaining a Custom-Developed Solution

In addition to the separation of management components, the BASE and BDEVault management solution also had some support issues that are commonly found in a custom-developed solution. Managing the development process required a significant time investment. The process of identifying and resolving bugs, maintaining consistencies between components, and coordinating this information between the development and support teams was a complex process. Microsoft IT did not want to continue to invest in the development effort required by BASE and BDEVault.

Evaluating MBAM

MBAM was created to provide a BitLocker management solution that would address the top manageability requirements for provisioning, maintaining, and supporting a BitLocker-encrypted environment.

The following is a list of the three primary MBAM functions, and how they would potentially affect the proposed Microsoft IT MBAM implementation:

  • Enforce and maintain BitLocker drive encryption policies. MBAM provides multiple BitLocker implementation methods that enable administrators to choose exactly when and where to implement BitLocker. The BitLocker provisioning process can be included as either part of the Windows 7 imaging and deployment process for newly deployed computers, or it can be deployed to computers after Windows 7 has already been installed and configured. MBAM also enables an additional set of Group Policy controls, making it easier to configure the BitLocker environment to an organization's needs.

  • Provide usage and compliance reporting. MBAM contains out-of-the-box reports that provide information regarding BitLocker environment compliance with established BitLocker policies. MBAM also enables visibility into the BitLocker environment to determine which client computers have BitLocker enabled, and whether a computer is compliant with BitLocker encryption policies. The MBAM reporting engine is built on Microsoft SQL Server® 2008 R2 Reporting Services, which enables administrators to create and configure their own custom reports that can be scheduled and retrieved from an integrated management console.

  • Provide for centralized management of key storage and recovery. To ease administrative burden, MBAM stores BitLocker recovery keys in an encrypted database with granular access controls. MBAM also protects recovery key information by enabling only authorized people within the organization to access the information, and then creates an audit trail of the individuals who exercise those access rights. The recovery key data is located within a SQL Server 2008 R2 database.

Recovery keys can also be managed from the centralized management console, so Microsoft IT Helpdesk staff can assist users with BitLocker key recovery.

Note: The apparent crossover in functionality between BDEVault/BASE and MBAM is not a coincidence. Microsoft IT leveraged their custom-designed solution as a reference platform for the development and creation of MBAM.

Anticipated Benefits with MBAM

As part of the initial MBAM evaluation, Microsoft IT established specific criteria to outline the benefits that they hoped to gain:

  • Simplified Provisioning and Management. Microsoft IT anticipated that MBAM would greatly streamline the BitLocker deployment process, and would provide a more robust and integrated provisioning and management process for Microsoft IT Helpdesk staff:

    • The BitLocker deployment process would be automated for both new and existing computers.

    • BitLocker encryption policies would be included in Active Directory® Domain Services (AD DS) Group Policy, which could then be applied across the corporation using the AD DS structure.

    • The recovery key storage and retrieval process would be centralized and easy to access by Helpdesk staff.

  • Improved Compliance and Reporting. The refined and customizable MBAM reporting structure would be a significant improvement over the custom-developed, ad-hoc data collection methods used in the pre-existing BitLocker management environment.

    MBAM enforcement methods are server-side and policy-based, providing Microsoft with a way to enforce BitLocker compliance without having to depend solely on client-based software that was installed on BitLocker-enabled computers.

  • Reduced Support Costs. Moving from supporting a completely un-managed BitLocker environment to MBAM represents a significant change in support infrastructure and time involved. Microsoft IT anticipated that moving to MBAM from their pre-existing environment would provide cost-savings in the following support and maintenance areas:

    • The MBAM centralized management interface would provide for a more streamlined administrative process.

    • Microsoft IT would no longer have to support and maintain their custom-developed applications, resulting in additional cost savings.

Solution

MBAM was considered and approved as the replacement for the Microsoft IT pre-existing BitLocker management environment. Next, the design and planning phase began to determine the MBAM implementation direction and requirements.

Design Goals

Microsoft IT set several important design goals to govern the overall design of the MBAM implementation.

  • Eliminate development efforts. BASE and BDEVault were a custom designed solution, requiring development staff and processes. By implementing MBAM, Microsoft IT hoped to completely remove BASE and BDEVault, along with their development-related requirements.

  • Reduce administrative effort. The new BDE management environment would have to improve both administration methods and reduce administrative effort and cost.

  • Ensure maximum compatibility with client computers. Microsoft IT wanted to ensure that client computer hardware platforms were compatible with the MBAM client. They wanted to establish a testing process to ensure that BitLocker implementations would be successful on client computers.

  • Replace BASE and BDEVault with minimal user impact. Microsoft IT did not want MBAM and BASE co-managing the BitLocker environment. They were aware that this scenario would cause conflict and undesirable results. However, Microsoft IT did not want a gap between the two management applications that could potentially leave its BitLocker environment open to security risks.

Implementation Planning and Scope

Microsoft IT supports over 340,000 computers worldwide. The MBAM deployment process was to be carried out across the entire organization.

For the first phase of implementation, Microsoft IT set an organization-wide goal of 60,000 MBAM-provisioned and managed BitLocker-enabled computers. These 60,000 computers were to be broken down into two different sections: a beta section consisting of 5,000 to 10,000 BitLocker-enabled computers, and a final section consisting of the remaining 50,000 to 55,000 computers.

Additional phases and increased coverage throughout the organization were anticipated after the first phase was completed.

Infrastructure Design

The MBAM core design principles encouraged a much more centralized infrastructure than that provided by BDEVault and BASE. Microsoft IT had to evaluate these core MBAM infrastructure components, and then determine how they would implement them into the new environment.

MBAM Core Server Components

Each of the core MBAM server roles provides the storage and management components for a specific piece of MBAM functionality:

  • Administration and Monitoring Server. This server role hosts the Management Console and monitoring web services. The Management Console is used to determine enterprise compliance status and audit activity, manage hardware capability, and access recovery data (for example, BitLocker recovery keys).

  • Compliance and Reports Server. This server role uses SQL Server Reporting Services (SSRS) to provide MBAM reports. These reports can be accessed either from the Management Console, or directly from the SSRS server.

  • Recovery and Hardware Database Server. This server role stores recovery data and hardware information that is collected from MBAM-monitored client computers.

  • Compliance and Audit Database Server. This server role stores compliance data for MBAM client computers. This data is used primarily for reports hosted by SSRS.

MBAM also utilizes AD DS to provide both the security context and the Group Policy application environment within which MBAM runs.

The following figure illustrates the core MBAM components, and how they interact.

Figure 2. An overview of the MBAM infrastructure

The Microsoft IT MBAM Server Infrastructure Design

Microsoft IT elected to deploy their MBAM server infrastructure using a two-server model. The division of services was applied as follows:

  • The Administration server would host the following component:

    • Admin and Monitoring server

  • The Database server would host the remaining server-based components:

    • Recovery and Hardware database

    • Compliance and Audit database

    • Compliance and Audit Reports (SSRS)

This implementation required only one SQL Server computer, as all server roles that required SQL Server were installed on a server separate from the Admin and Monitoring server. This was done for performance purposes and for some security-related benefits, such as separating the web services from the SQL databases.

Infrastructure Design Challenges

Some aspects of the infrastructure design process provided a challenge for Microsoft IT. They would have to overcome or address the following challenges before continuing with the implementation process:

  • User-directed key recovery. With BDEVault, users were able to retrieve recovery keys without Microsoft IT Helpdesk assistance. This option was an important part of easing BitLocker administration. The MBAM architecture provides interaction through the MBAM Administration Windows Communication Foundation (WCF) application programming interface (API). Microsoft IT could use the MBAM API to create a user-targeted recovery environment that would enable user-directed retrieval of MBAM and BitLocker key information.

  • Integration with AD DS recovery key storage. MBAM provides for the storage of BitLocker recovery keys in a centralized database. However, these keys are stored only for BitLocker-enabled clients that also have the MBAM client installed. For BitLocker-enabled computers without the MBAM client installed, MBAM administrators can leverage an API that is designed to extract recovery keys that are stored in AD DS and transition them to storage in the MBAM database. If the MBAM client is installed on all BDE-enabled computers, use of this API is not required.

Virtualizing the MBAM Server Environment

One key aspect that Microsoft IT examined was hosting the MBAM server components within a virtual machine environment.

Initially, both servers hosting MBAM components were implemented as physical machines. Once the implementation was underway, however, Microsoft IT decided to migrate the components to a virtual environment under Hyper-V™, a virtual machine hosting server role built into the Windows Server 2008 operating system. This process was expedited by using Microsoft System Center Virtual Machine Manager to perform a live migration of the operating systems, transitioning them from the physical servers directly into virtual machines.

Using the same previously referenced two-server configuration, Microsoft IT hosted each server in its own virtual machine, with both virtual machines hosted by the same physical server.

This process allowed Microsoft IT to consolidate their server environment and make effective use of their server resources, as outlined in one of the implementation design goals. It also decreased the amount of network bandwidth used by the two servers, as they existed on the same physical server and required no outside network connection to communicate with each other.

Deployment

With an infrastructure in place, Microsoft IT was ready to begin the MBAM client deployment process to client computers.

Installing the MBAM Client

The first consideration for deployment was the methods used to install the MBAM client software on client machines.

For new machines or machines being imaged, the MBAM client can be built into the installation image, leaving the client ready for interaction with MBAM servers immediately following the Windows installation process.

For existing machines, Microsoft IT decided to use the existing Microsoft System Center Configuration Manager infrastructure to create a deployment package that would be deployed automatically to clients that needed to have their BitLocker functionality managed by MBAM. Next, Microsoft IT placed target computers into specifically created AD DS security groups. Microsoft IT then deployed the System Center Configuration Manager package in a staged manner to the clients. The staging order was based on common properties, functionality, or location.

Using Group Policy to Implement and Configure MBAM

The MBAM client is configured through a set of Group Policy object (GPO) settings installed as part of the MDOP Administrative Templates. These GPO settings govern the behavior of BitLocker on a client computer, as controlled by the MBAM client software.

When designing the MBAM GPO settings, Microsoft IT established a GPO for each separate group of BDE-capable computers to which MBAM client software was deployed.

One of the most important aspects of the client application was that BitLocker would not be enabled, and the MBAM client software would not become active, until configured to do so by settings in an applied GPO. This allowed Microsoft IT to first ensure the client was prepared for BitLocker, then deploy the client software, and then apply the necessary GPO to enable MBAM and perform the applicable configuration of the BitLocker environment.

Deployment Challenges

During the deployment phase, Microsoft encountered some challenges that needed to be addressed and planned for in future implementations:

  • Deploying MBAM side-by-side with BASE. Microsoft IT simultaneously implemented GPO settings that suppressed the existing BASE software at the same time as the MBAM GPO settings. This enabled Microsoft IT to implement MBAM while deferring the BASE removal process until after the MBAM implementation was complete.

  • Deploying separate policies for TPM only, and TPM + PIN protectors. In the Microsoft environment, several policies govern encryption requirements for client computers. These policies directly affect the BitLocker encryption method on a client computer. Microsoft IT implemented two separate GPOs to apply the required encryption settings to BitLocker clients. One GPO configured the BitLocker encryption process to require TPM authentication only. The other GPO was for clients that required high security precautions, and configured BitLocker to use TPM authentication and a user PIN.

  • Windows 7 DirectAccess client management. Microsoft IT currently implements a custom deployment of DirectAccess for their Windows 7 client computers. Previously, the DirectAccess client had been integrated with BASE in the prior BitLocker management environment. The same type of integration was designed and implemented with MBAM.
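The two-GPO split above (TPM only for the general population, TPM + PIN for high-security clients) is only useful if an administrator can verify that each client actually ended up with the protector set its policy requires. The following PowerShell function is an added example written for this page, not code from Microsoft IT or from MBAM: it evaluates a set of BitLocker volumes against a required protector policy and also checks that encryption is complete, protection is on (not suspended), and a recovery password exists to be escrowed. It uses the BitLocker module cmdlet Get-BitLockerVolume (Windows 8 / Windows Server 2012 and later); the Windows 7 clients in the case study would report the same information via manage-bde.exe -status and -protectors -get. The policy names, the function and parameter names, and the sample volume objects are assumptions constructed for this example.

```powershell
# Added example (not part of the original case study). Checks each BitLocker volume against
# the protector policy this section describes: 'TpmOnly' (TPM protector required) or
# 'TpmPin' (TPM + PIN protector required, the "high security" GPO). Policy names, function
# and parameter names are hypothetical and chosen for this example.

function Test-BitLockerProtectorPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('TpmOnly', 'TpmPin')]
        [string]$RequiredPolicy,

        # Volumes to evaluate. Defaults to the live system via the BitLocker module;
        # pass constructed objects (as below) to exercise the logic offline.
        [object[]]$Volumes = (Get-BitLockerVolume)
    )

    foreach ($vol in $Volumes) {
        # KeyProtectorType values as reported by Get-BitLockerVolume: Tpm, TpmPin, RecoveryPassword, ...
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        $hasTpm      = $types -contains 'Tpm'
        $hasTpmPin   = $types -contains 'TpmPin'
        $hasRecovery = $types -contains 'RecoveryPassword'

        $protectorOk = switch ($RequiredPolicy) {
            'TpmOnly' { $hasTpm -or $hasTpmPin }   # TPM+PIN exceeds the baseline, so it is not a violation
            'TpmPin'  { $hasTpmPin }               # a bare TPM protector is non-compliant here
        }

        # A volume is only compliant once encryption has finished and protection is switched on;
        # a suspended volume (ProtectionStatus Off) reports as non-compliant even if fully encrypted.
        $encrypted = ([string]$vol.VolumeStatus -eq 'FullyEncrypted')
        $protected = ([string]$vol.ProtectionStatus -eq 'On')

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = [string]$vol.VolumeStatus
            ProtectionStatus = [string]$vol.ProtectionStatus
            Protectors       = ($types -join ',')
            HasRecoveryKey   = $hasRecovery   # the recovery password is what MBAM escrows for Helpdesk recovery
            Compliant        = ($protectorOk -and $encrypted -and $protected -and $hasRecovery)
        }
    }
}

# Constructed sample volumes (not captured from a real machine) so the function can be tried offline.
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
                       KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                                        [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
    [pscustomobject]@{ MountPoint = 'D:'; VolumeStatus = 'EncryptionInProgress'; ProtectionStatus = 'Off'
                       KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)

# Under the TPM+PIN policy, C: fails (TPM only) and D: fails (still encrypting, protection off).
# Under the TPM-only policy, C: passes and D: still fails.
Test-BitLockerProtectorPolicy -RequiredPolicy TpmPin  -Volumes $sample | Format-Table -AutoSize
Test-BitLockerProtectorPolicy -RequiredPolicy TpmOnly -Volumes $sample | Format-Table -AutoSize
```

Run without -Volumes on a domain client to evaluate its real volumes; the per-volume objects can be exported (for example with Export-Csv) and compared against which of the two GPOs the computer's AD DS security group places it under. Treating a missing recovery password as non-compliant mirrors the case study's point that centralized key escrow, not just encryption, is what makes a BitLocker client supportable.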

Benefits

Microsoft IT now realizes several benefits from implementing MBAM in their enterprise environment, both from the administrative and end-user perspective, and from establishing best practices.

Administrative and End-User Benefits

  • Simplified Provisioning and Management. MBAM provides a streamlined process for both provisioning new BitLocker clients, and for administering clients with BitLocker already enabled. The recovery key storage and retrieval process is now centralized and easy to access by Helpdesk staff, and the entire BitLocker environment is manageable from one console.

  • Improved Compliance and Reporting. Perhaps one of the greatest advantages MBAM has over the pre-existing BASE and BDEVault tools is its centralized, refined, and customizable reporting structure. This structure enables administrators to gain insight into the current state of the enterprise BitLocker environment at any time. Microsoft IT can now generate accurate computer compliance reports, and ensure the safety and compliance of its BitLocker-enabled client computers.

  • Reduced Support Costs. The MBAM centralized management console provides a quick and easy way for administrators to monitor and interact with the BitLocker environment. This single point of reference—along with tools like user key recovery and automated BDE provisioning—has significantly reduced the support time and effort required to maintain the BDE environment. The move to MBAM will also enable Microsoft IT to remove both BASE and BDEVault from its environment, thereby realizing cost savings from no longer having to support or maintain a custom-developed application.

Learnings and Best Practices

Microsoft IT established several best practices while implementing MBAM within their enterprise environment:

  • Use a managed change review process. When implementing a solution that affects multiple clients in your enterprise, it is critical that proper change management processes are observed to minimize user impact and unnecessary troubleshooting.

  • Implement a measured rollout. Use a measured rollout process to allow for adjustments and improvements to be made to the deployment process before a large number of clients are affected. By using a measured rollout, Microsoft IT was able to apply the process to a small number of clients in a beta environment, and make any necessary changes before beginning group-by-group implementation for the remaining users.

  • Provide appropriate user notification. Always ensure that users who will be affected by a deployment are notified of any potential impact to their operating environment. This process prevents unnecessary calls to helpdesk and support staff during the implementation.

  • Establish an exemption process. With an implementation such as the one Microsoft IT used for MBAM, there may be clients in the environment that are not part of the implementation scope. It is important to document the technical and business reasons for these exemptions and incorporate them into the implementation process.

Conclusion

With the implementation of MBAM in its enterprise environment, Microsoft IT has found a centralized, manageable, integrated replacement for its own custom-developed BitLocker management environment. Microsoft IT has realized significant reductions in support requests and hours invested in the management of the BitLocker environment, and gained reusable best practices for the continuation of the BitLocker deployment and rollout phase.

For More Information

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:

http://www.microsoft.com

http://www.microsoft.com/technet/itshowcase

© 2011 Microsoft Corporation. All rights reserved.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, SQL Server, System Center Configuration Manager, BitLocker, Windows, Windows 7 and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
