How to Manage MBAM Administrator Roles
After Microsoft BitLocker Administration and Monitoring (MBAM) Setup is complete for all server features, administrative users must be granted access to these server features. As a best practice, administrators who will manage or use MBAM server features, should be assigned to Active Directory security groups and then those groups should be added to the appropriate MBAM administrative local group.
To manage MBAM Administrator Role memberships
Assign administrative users to security groups in Active Directory Domain Services.
Add Active Directory Domain Services security groups to the roles for MBAM administrative local groups on the Microsoft BitLocker Administration and Monitoring server for the respective features. The user roles are as follows:
MBAM System Administrators have access to all Microsoft BitLocker Administration and Monitoring features in the MBAM administration website.
MBAM Hardware Users have access to the Hardware Compatibility features in the MBAM administration website.
MBAM Helpdesk Users have access to the Manage TPM and Drive Recovery options in the MBAM administration website, but must fill in all fields when they use either option.
MBAM Report Users have access to the Compliance and Audit reports in the MBAM administration website.
MBAM Advanced Helpdesk Uses have access to the Manage TPM and Drive Recovery options in the MBAM administration website. These users are not required to fill in all fields when they use either option.
For more information about roles for Microsoft BitLocker Administration and Monitoring, see Planning for MBAM 1.0 Administrator Roles.
Related topics
Administering MBAM 1.0 Features