Deploying Microsoft BitLocker Administration and Monitoring 2.0 at Microsoft
Technical Case Study
Published: June 2013
The following content may no longer reflect Microsoft’s current position or infrastructure. This content should be viewed as reference documentation only, to inform IT business decisions within your own company or organization.
Microsoft IT wanted to implement Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 to reduce operational costs and take advantage of the increased functionality for provisioning, monitoring, reporting, and integration tasks. Microsoft IT planned and implemented MBAM 2.0 as an upgrade to their existing MBAM 1.0 infrastructure while maintaining service availability and BitLocker functionality. The MBAM 2.0 environment provides a more manageable and user-friendly BitLocker experience for both end users and Microsoft IT.
Microsoft Information Technology (Microsoft IT) is responsible for the management of the internal Information Technology (IT) infrastructure at Microsoft. The global IT infrastructure at Microsoft covers a large technology and user scope:
- More than 190,000 users in 170 countries.
- 568 physical building locations.
- 47 percent of Microsoft users connect remotely.
- 300,000 client computers.
Microsoft BitLocker Administration and Monitoring (MBAM) is part of the Microsoft Desktop Optimization Pack (MDOP), a suite of technologies available as a subscription for Microsoft Software Assurance customers.
MBAM is designed to simplify Windows BitLocker Drive Encryption provisioning, key recovery, and compliance and audit reporting. MBAM accomplishes this by providing a simple administrative interface to BitLocker Drive Encryption, which in turn enables administrators to configure BitLocker encryption policies that meet the requirements of their organization. MBAM provides the ability to monitor compliance with established BitLocker policies and to access recovery key information in the event that the user forgets their personal identification number (PIN) or password, or that a system configuration change affecting BitLocker prevents the user from using his or her computer.
Microsoft deployed the first version of MBAM (MBAM 1.0) to replace pre-existing BitLocker management tools that were developed internally by Microsoft IT. MBAM 1.0 enabled Microsoft to provide a centralized, manageable, integrated replacement for its own custom-developed BitLocker management environment, and realize significant reductions in support requests and hours invested in the management of the BitLocker environment.
MBAM 1.0 was designed based on a stand-alone, scalable infrastructure that could leverage several pre-existing environments:
- Active Directory Domain Services (AD DS) to provide both the security context and the Group Policy application environment within which MBAM runs.
- Microsoft SQL Server to store the MBAM databases, and SQL Server Reporting Services (SSRS) to produce compliance and auditing reports.
- Internet Information Services (IIS) to provide a browser-based management console, reporting, and key recovery services to IT personnel who manage the BitLocker Drive Encryption environment.
The following figure illustrates the core MBAM 1.0 components, and how they interacted.
Figure 1. An overview of the MBAM 1.0 infrastructure
Benefits of MBAM 1.0
The implementation of MBAM 1.0 enabled Microsoft IT to realize several benefits within their BitLocker management environment. MBAM enabled a simplified provisioning and management environment. It provided centralized key storage and retrieval and a centralized management console for administering BitLocker across the enterprise. Centralized reporting capabilities enabled Microsoft IT to gain insight into the current state of the enterprise BitLocker environment at any time. Microsoft IT could generate accurate computer compliance reports, and ensure the safety and compliance of its BitLocker-enabled client computers. The MBAM 1.0 centralized management console provided a way for administrators to monitor and interact with the BitLocker environment. This single point of reference, along with tools such as user key recovery and automated BitLocker Drive Encryption provisioning, has significantly reduced support time and the effort required to maintain the BitLocker Drive Encryption environment. It also allowed Microsoft IT to decommission their pre-existing BitLocker Drive Encryption management environment, realizing the cost savings of no longer having to develop and maintain a custom solution.
MBAM 1.0 Areas for Improvement
While MBAM 1.0 provided many benefits to Microsoft IT in managing their BitLocker environment, some functional gaps existed between what MBAM 1.0 provided and what Microsoft IT required of their BitLocker environment.
- User-directed recovery solution. Microsoft IT supports a significant number of BitLocker recovery related Helpdesk calls per year for its 300,000 client computers. Users are empowered to help themselves solve IT-related issues wherever possible. In MBAM 1.0, the Recovery Portal was designed to be a tool used by Helpdesk to support end users who encountered BitLocker Drive Encryption recovery events. The solution worked well, but Microsoft saw an opportunity to empower their end users to resolve issues on their own without the assistance of Helpdesk.
- Support for the Windows 8 operating system. Windows 8 comprises over 90 percent of the managed Windows client environment at Microsoft. In order to provide a secured and manageable BitLocker experience for end-users, Microsoft needed Windows 8 support, which was not available in MBAM 1.0.
- Integration with existing management tools. MBAM 1.0 was designed as a stand-alone product. While the product had a simple architecture and was designed to scale on a minimal set of infrastructure, it still represented yet another management system that Microsoft IT needed to deploy into their environment. Microsoft IT wanted to leverage their investment in Microsoft System Center Configuration Manager to manage BitLocker using the Configuration Manager infrastructure that they had already deployed.
- Trusted Platform Module (TPM) provisioning capability. With MBAM 1.0 and Windows 7 clients, the provisioning process could be cumbersome. When making changes to TPM configuration, client computers often required one or more reboots. If Microsoft IT wanted to automate the process, they would often need to install special drivers that would facilitate BIOS and TPM management. In scenarios where end users are responsible for encrypting their own devices, the process often required instruction from Helpdesk personnel to complete the TPM configuration process. Microsoft IT recognized the increased TPM management capabilities of Windows 8 as an opportunity to improve TPM provisioning capability.
- Improved reporting and compliance capability. MBAM 1.0 compliance reporting was based on a strict set of policy comparisons that didn’t always provide true compliance information. A more flexible compliance reporting solution was needed to enable Microsoft IT to accurately determine compliance through the BitLocker Drive Encryption environment.
The release of MBAM 2.0 provided Microsoft IT an opportunity to address some of the identified gaps in functionality that they experienced with MBAM 1.0. MBAM 2.0 provided significant improvement in several areas, and Microsoft IT began to plan the migration process. Microsoft IT knew there were several areas where they wanted to leverage improved functionality or new features included in MBAM 2.0:
- Self-service portal.
- System Center Configuration Manager integration.
- Support for Windows 8.
- Increased BitLocker control, such as auto-unlock for fixed data drives.
- User-directed recovery key retrieval.
- Improved user experience and greater user-control over BitLocker Drive Encryption implementation.
- A built-in client upgrade process.
The migration from MBAM 1.0 to MBAM 2.0 required some important design decisions. The existing MBAM 1.0 infrastructure was in wide use throughout the Microsoft environment, and had become a critical piece of client computer security and compliance functionality for Microsoft IT. In order to provide the most robust environment and ensure end-user functionality and protection, Microsoft IT had to make important decisions in a number of areas:
- How to reconcile the stand-alone infrastructure model in MBAM 1.0 with the potential for a System Center Configuration Manager-integrated model in MBAM 2.0.
- How to ensure that the deployment of clients and policies happened in a way that suited several special use cases in the Microsoft environment.
Assessing Deployment Model Options
While MBAM 1.0 was based on – and available only in – a stand-alone model, MBAM 2.0 could be integrated with System Center 2012 Configuration Manager. Configuration Manager integration allows for the monitoring of BitLocker compliance by using the Configuration Manager reports. It also enables hardware compatibility checking using Configuration Manager’s built-in client hardware inventory.
Microsoft IT had to make design decisions that were unique to their environment. Because Microsoft maintains the practice of being the first and best adopter of Microsoft products, the client infrastructure is frequently changing. Microsoft IT maintains specific requirements for retaining IT-related data that most organizations would not require. Microsoft IT made the design decision to run both a stand-alone infrastructure and a Configuration Manager-integrated infrastructure to support a maintainable historic log of MBAM and BitLocker Drive Encryption events. One distinctive aspect of the Microsoft environment is that several teams need visibility into the MBAM and BitLocker environment. Each of these teams has different objectives and reporting needs, which makes running a single reporting structure difficult. To gain full visibility over an extended duration, the BitLocker support team needed to maintain a large reporting database that could not be viably stored in Configuration Manager, due to reporting policies and restrictions for Configuration Manager data in the environment. Running both modes enabled Microsoft IT to meet reporting needs and ensure the most complete level of functionality. The two models for implementing MBAM 2.0 are described below:
MBAM 2.0 stand-alone model
In the stand-alone model, the MBAM 2.0 client handles all of the communication with the server-based management infrastructure. In this model, MBAM itself performs the compliance reporting and inventory processes.
Figure 2. The MBAM 2.0 stand-alone model
MBAM 2.0 Configuration Manager-integrated model
In the Configuration Manager-integrated model, the MBAM 2.0 client combines with the Configuration Manager client on the client computer to perform reporting and inventory tasks. Viewing this information and performing client management takes place from the Configuration Manager console.
Figure 3. The MBAM 2.0 Configuration Manager integrated model
By running both models side-by-side, Microsoft IT was able not only to achieve the target level of integration and management using Configuration Manager, but also to retain the custom reporting components that they had established for MBAM 1.0.
Initial implementation of MBAM 2.0 required Microsoft IT to address several different parameters:
- Client deployment planning. Deploying the MBAM client required two specific steps, which had to be performed separately so that potential issues were easy to identify:
- Install or upgrade to the MBAM 2.0 client.
- Apply the Group Policy settings to configure the MBAM 2.0 client.
The two-stage nature of the initial client deployment meant that Microsoft IT had to time each phase of the deployment precisely, so that client installation was performed prior to Group Policy application, and so that Group Policy was applied as soon as possible after the MBAM 2.0 client was installed. Group Policy was a critical part of the deployment. The MBAM 2.0 client was installed based on Configuration Manager collections, and then Group Policy was used to push out all of the specific BitLocker Drive Encryption settings to individual domains. This order and process was important, because the policies that Microsoft IT used for MBAM 1.0 were different from the policies implemented for MBAM 2.0, and needed to be deployed separately from the client software itself.
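The two-stage ordering described above (client first, then Group Policy) is easy to state and easy to get wrong on individual machines during a phased rollout. The following PowerShell function is an added example, not code from the case study or from the MBAM product, that reports which stage a client has reached and flags the one ordering the rollout is designed to avoid (policy applied to a machine that has no client yet). The service name MBAMAgent and the policy registry path under HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement are assumptions about the MBAM 2.0 client and should be confirmed on a reference machine before the script is used for reporting; Get-BitLockerVolume requires the BitLocker module shipped with Windows 8 and Windows Server 2012, and the function must run elevated.

```powershell
# Added example: classify a client's position in a two-stage MBAM 2.0 rollout.
# Stage 1 = MBAM client installed (service present); Stage 2 = MBAM policy delivered by Group Policy.
function Get-MbamRolloutStage {
    [CmdletBinding()]
    param(
        # ASSUMPTION: service name of the MBAM client agent.
        [string]$ServiceName = 'MBAMAgent',
        # ASSUMPTION: registry key populated by the MBAM Group Policy settings.
        [string]$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
    )

    # Stage 1 check: the client service exists. Also read the agent's file version for the report.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $clientInstalled = ($null -ne $svc)
    $clientVersion = $null
    if ($clientInstalled) {
        $pathName = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'").PathName
        if ($pathName -match '^"?([^"]+\.exe)') {
            $clientVersion = (Get-Item -LiteralPath $Matches[1]).VersionInfo.ProductVersion
        }
    }

    # Stage 2 check: the policy key exists and carries values or subkeys (an empty key means no policy).
    $policyApplied = $false
    $policyItems = 0
    if (Test-Path -Path $PolicyKey) {
        $key = Get-Item -Path $PolicyKey
        $policyItems = $key.ValueCount + $key.SubKeyCount
        $policyApplied = ($policyItems -gt 0)
    }

    # Current BitLocker state of the OS drive, so the report shows whether encryption has begun.
    $osVolume = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

    # 'PolicyBeforeClient' is the ordering violation the rollout plan is built to prevent.
    $stage = if ($clientInstalled -and $policyApplied) { 'Complete' }
             elseif ($clientInstalled)                  { 'ClientInstalledAwaitingPolicy' }
             elseif ($policyApplied)                    { 'PolicyBeforeClient' }
             else                                       { 'NotStarted' }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Stage             = $stage
        ClientInstalled   = $clientInstalled
        ClientVersion     = $clientVersion
        ServiceStatus     = if ($svc) { $svc.Status.ToString() } else { $null }
        PolicyApplied     = $policyApplied
        PolicyItems       = $policyItems
        OsDriveProtection = if ($osVolume) { $osVolume.ProtectionStatus.ToString() } else { 'Unknown' }
        OsDriveVolume     = if ($osVolume) { $osVolume.VolumeStatus.ToString() } else { 'Unknown' }
    }
}

# Run locally, or fan out across a pilot group and summarise by stage:
# Invoke-Command -ComputerName (Get-Content .\pilot-computers.txt) -ScriptBlock ${function:Get-MbamRolloutStage} |
#     Group-Object -Property Stage | Select-Object Name, Count
Get-MbamRolloutStage | Format-List
```

Grouping the results by Stage across a pilot collection gives a quick view of whether the Configuration Manager deployment and the Group Policy rollout are in step; any machine reporting PolicyBeforeClient is a candidate for the failed-install review the next section describes.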
Microsoft IT adopted a phased approach to deploying the MBAM 2.0 client and accompanying Group Policy settings. The original test group consisted of members of the BitLocker product group, early adopters, and other technically informed users. This initial group was able to provide valuable feedback on how the deployment process could be improved for the rest of the organization. For the official pilot of MBAM 2.0, Microsoft IT began with an individual AD DS domain, and deployed the MBAM 2.0 client in phases to pre-determined security groups. Once the pilot group was complete, with deployment processes tested and refined, Microsoft IT moved on to other parts of their environment.
- Determining client deployment methods. The MBAM 2.0 client was designed to automatically upgrade existing MBAM 1.0 installations, and to be deployable as a package from Configuration Manager. While Microsoft saw the value in this deployment method, they also wanted a method for identifying failed installations or upgrades of the MBAM 2.0 client. The deployment team at Microsoft IT elected to deploy the MBAM 2.0 client as a Configuration Manager 2012 application rather than a package, which allowed them to monitor the installation more closely on a per-client basis, and to gracefully remove and retry the installation where a failure occurred.
During the implementation and deployment of MBAM 2.0, Microsoft IT encountered several challenges that required special consideration in the MBAM 2.0 migration process:
- Controlling client deployment. While Microsoft IT designed their BitLocker implementation to reach all targeted client computers, there were several exceptions in their environment that required BitLocker to not be implemented on certain client computers. Microsoft IT used their current AD DS infrastructure to create exceptions for those computers. Exclusion groups were created in Configuration Manager to prevent the deployment of the package. In addition, security group filters were implemented on the BitLocker and MBAM-related Group Policy Objects to prevent them from applying.
- Creating exceptions for devices. Virtual machines also required an exception from BitLocker deployment. Due to the TPM requirements in the BitLocker configuration policies, Microsoft IT decided that BitLocker would not be deployed to virtual machines. Microsoft IT used Configuration Manager to create dynamic exclusion lists, based on a client being a virtual machine, to prevent the MBAM client from being installed.
- Managing configuration of non-keyboard devices. Devices that have no physical keyboard, like tablets, posed a specific deployment issue for Microsoft IT. With no physical keyboard, users of these devices are unable to enter their PIN in the pre-boot BitLocker environment. Since the Windows 8 tablets in use at Microsoft have been designed to be immune to common cold-boot attacks such as DMA port and memory remnant attacks, Microsoft IT configured an alternate TPM-only policy for these devices. They were able to do so because these devices do not benefit from PIN or password authentication during pre-boot.
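The three exception cases above (excluded computers, virtual machines, and keyboard-less tablets that receive a TPM-only policy) amount to a classification rule that a client must be sorted by before the right Configuration Manager collection and Group Policy security group can be chosen. The PowerShell function below is an added example, not code from the case study or from Microsoft IT, that evaluates that rule locally. It goes slightly beyond the text in one respect: a physical machine with no TPM present cannot satisfy a TPM-requiring policy either, so it is reported as ReviewNoTpm rather than assigned a policy. The hypervisor name pattern is an assumed list; the chassis type codes follow the SMBIOS system enclosure values (30 = Tablet, 31 = Convertible, 32 = Detachable); Get-Tpm requires Windows 8 or later and elevation.

```powershell
# Added example: decide which MBAM deployment class a client belongs to,
# mirroring the exception cases of the case study (VM exclusion, keyboard-less tablets).
function Get-MbamDeploymentClass {
    [CmdletBinding()]
    param()

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $enc = Get-CimInstance -ClassName Win32_SystemEnclosure

    # 1. Virtual machine detection from manufacturer/model strings.
    #    ASSUMPTION: this pattern covers the hypervisors present; extend it for your environment.
    $vmPattern = 'Virtual|VMware|VirtualBox|KVM|Xen|QEMU'
    $isVm = ($cs.Model -match $vmPattern) -or ($cs.Manufacturer -match $vmPattern)

    # 2. TPM presence and readiness (TrustedPlatformModule module, Windows 8+).
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $tpmPresent = ($null -ne $tpm) -and [bool]$tpm.TpmPresent
    $tpmReady   = ($null -ne $tpm) -and [bool]$tpm.TpmReady

    # 3. Form factor from SMBIOS chassis type. Only a pure tablet (30) is treated as keyboard-less;
    #    convertibles (31) and detachables (32) can dock a keyboard, so they stay on TPM+PIN.
    $chassis  = @($enc.ChassisTypes)
    $isTablet = ($chassis -contains 30)
    # Informational only: keyboard enumeration is unreliable (Bluetooth, docks, remote sessions).
    $keyboardCount = @(Get-CimInstance -ClassName Win32_Keyboard -ErrorAction SilentlyContinue).Count

    $class = if ($isVm)              { 'ExcludeVirtualMachine' }
             elseif (-not $tpmPresent) { 'ReviewNoTpm' }
             elseif ($isTablet)        { 'TpmOnly' }
             else                      { 'TpmAndPin' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Class            = $class
        Manufacturer     = $cs.Manufacturer
        Model            = $cs.Model
        IsVirtualMachine = $isVm
        TpmPresent       = $tpmPresent
        TpmReady         = $tpmReady
        ChassisTypes     = ($chassis -join ',')
        KeyboardsSeen    = $keyboardCount
    }
}

# Collect classes across a set of machines and export them for review before
# populating the Configuration Manager exclusion collections and GPO security groups:
# Invoke-Command -ComputerName (Get-Content .\candidates.txt) -ScriptBlock ${function:Get-MbamDeploymentClass} |
#     Export-Csv -Path .\mbam-deployment-classes.csv -NoTypeInformation
Get-MbamDeploymentClass | Format-List
```

The exported class is the input to the collection and security-group decisions; it does not change anything on the client. Machines reported as ReviewNoTpm or with TpmPresent true but TpmReady false are the ones most likely to generate the TPM provisioning issues the case study describes, and are worth inspecting before the client package reaches them.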
Microsoft IT realized a large number of benefits from the implementation of MBAM 2.0, from technical and operational perspectives, as well as from business and cost-saving perspectives.
Microsoft IT used the new feature set in MBAM 2.0 to achieve improved functionality in several areas of the BitLocker Drive Encryption management environment:
- Self-service enablement for users. The new self-service portal contained in MBAM 2.0 enabled Microsoft to give their users the ability to solve their own BitLocker Drive Encryption-related problems, such as retrieving a lost recovery key. This was one of the most important benefits that Microsoft IT realized from the MBAM 2.0 deployment process.
- Windows 8 support. Windows 8 is the client operating system of choice at Microsoft. Having a BitLocker management tool that could effectively manage Windows 8 clients was a huge benefit to Microsoft IT.
- Improved user experience. Several components of MBAM 2.0 provided for significant improvements in the MBAM user experience. The Self-Service Portal provided an interface for end-users to retrieve lost recovery keys without requiring Helpdesk support. The improved TPM management features in Windows 8 meant less confusion over the TPM implementation process. User-driven encryption and visibility into the BitLocker Drive Encryption environment also gave users greater control over BitLocker on their computers.
- Greater control over commonly used BitLocker functionality. Support for BitLocker implementation on Windows To Go installations, the ability to encrypt and auto-unlock fixed data drives, and better visibility into BitLocker functionality enabled Microsoft IT to have more complete control over – and better visibility into – the BitLocker Drive Encryption environment.
- Ease of management. The improved MBAM console interface and Configuration Manager integration provide Microsoft IT with better control over and visibility into the BitLocker management environment.
Business Benefits and Cost Savings
In addition to operational benefits, migration to the new feature set in MBAM 2.0 helped Microsoft IT realize several benefits in the area of cost savings and general business process:
- Self-service cost savings. The BitLocker Self-Service Portal in MBAM 2.0 not only improves user experience, but it also provides a time savings in resolving lost recovery key issues. The end-user can now perform the entire recovery key retrieval process on their own, and Helpdesk calls for lost recovery keys have decreased significantly, saving both end-user and Helpdesk time. Microsoft IT has experienced a 60% reduction in call volume and has realized an IT operations cost savings of more than $250,000 USD per year.
- More efficient compliance reporting. The new Configuration Manager-integrated reporting system in MBAM 2.0 has enabled Microsoft IT to have a more accurate report of BitLocker compliance throughout the entire environment. In addition, reporting information is consolidated within the Configuration Manager console, providing more efficient access for Microsoft IT staff who need to view this information.
Learning and Best Practices
Throughout the MBAM 2.0 implementation process, Microsoft IT learned important lessons for deploying MBAM 2.0, and specifically for managing the migration process for clients from MBAM 1.0 to MBAM 2.0. These lessons include:
- Ensure readiness: communicate the migration progress to stakeholders. In an implementation as widespread as the MBAM 2.0 migration was at Microsoft, it is important to establish consistent communication with business stakeholders and involved business groups. A well-designed communication process can save considerable time spent on answering business process-related questions during implementation, and it can gain understanding and support from business groups.
- Migrate clients in a phased approach. Also relating to a large deployment like MBAM 2.0, ensure that you have established both a roll-out plan and a phased approach to client deployment. Select a pilot environment that represents common configuration and usage patterns in your environment.
- Apply and test policies and configuration changes one at a time to ensure proper functionality. Preferably in the test phase, ensure that your MBAM-related policies and configuration changes are tested and applied individually to ensure proper functionality, and then that they are applied concurrently to test for possible policy conflicts.
- Partner with Helpdesk for end-user support. In a large BitLocker environment, it is important to partner with Helpdesk and desk-side support teams to expedite the process for solving end-user issues. Providing appropriate education and documentation to these teams will allow them to manage user support while implementation teams can focus on completing the rollout.
- Identify deployment exceptions and special case clients, and test them in advance. Document and test your BitLocker environment to identify special use cases where MBAM policies may need to be modified or circumvented.
The migration to MBAM 2.0 from their previous MBAM 1.0 environment enabled Microsoft IT to deploy a more cost-effective and better-managed BitLocker environment. The new features and improved functionality in MBAM 2.0 gave Microsoft IT greater control over their BitLocker environment, more usable reporting data and insight into BitLocker status, and support for their ever-increasing Windows 8 client infrastructure. MBAM 2.0 also provided Microsoft end-users a better experience using the BitLocker feature on their computers, and provided several improvements to management processes and Helpdesk support functions for the BitLocker environment.
For More Information
For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information via the World Wide Web, go to:
© 2013 Microsoft Corporation. All rights reserved.
This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. Microsoft, Active Directory, BitLocker, and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.