Evaluating MBAM 1.0

Before you deploy Microsoft BitLocker Administration and Monitoring (MBAM) into a production environment, you should evaluate it in a lab environment. You can use the information in this topic to set up MBAM in a single server lab environment for evaluation purposes only.

While the actual deployment steps are very similar to the scenario that is described in How to Install and Configure MBAM on a Single Server, this topic contains additional information to enable you to set up an MBAM evaluation environment in the least amount of time.

Set up the Lab Environment

Even when you set up a non-production instance of MBAM to evaluate in a lab environment, you should still verify that you have met the deployment prerequisites and the hardware and software requirements. For more information, see MBAM 1.0 Deployment Prerequisites and MBAM 1.0 Supported Configurations. You should also review Preparing your Environment for MBAM 1.0 before you begin the MBAM evaluation deployment.

Plan for an MBAM Evaluation Deployment

Task References Notes

Review the Getting Started information about MBAM to gain a basic understanding of the product before you begin your deployment planning.

Getting Started with MBAM 1.0

Prepare your computing environment for the MBAM installation. To do so, you must enable Transparent Data Encryption (TDE) on the SQL Server instances that will host MBAM databases. To enable TDE in your lab environment, you can create a .sql file to run against the master database that is hosted on the instance of SQL Server that MBAM will use.

Note

You can use the following example to create a .sql file for your lab environment to quickly enable TDE on the SQL Server instance that will host the MBAM databases. These SQL Server commands will enable TDE by using a locally signed SQL Server certificate. Make sure to back up the TDE certificate and its associated encryption key to the example local backup path of C:\Backup. The TDE certificate and key are required when you recover the database or move the certificate and key to another server that has TDE encryption in place.

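-- 'P@55w0rd' is a sample lab password; substitute your own value.
USE master;
GO
-- Create the database master key that protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'P@55w0rd';
GO
-- Create the locally signed certificate that is used for TDE.
CREATE CERTIFICATE tdeCert WITH SUBJECT = 'TDE Certificate';
GO
-- Back up the certificate and its private key. The C:\Backup folder must already exist.
BACKUP CERTIFICATE tdeCert TO FILE = 'C:\Backup\TDECertificate.cer'
   WITH PRIVATE KEY (
         FILE = 'C:\Backup\TDECertificateKey.pvk',
         ENCRYPTION BY PASSWORD = 'P@55w0rd');
GO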

MBAM 1.0 Deployment Prerequisites

Database Encryption in SQL Server 2008 Enterprise Edition

Plan for and configure MBAM Group Policy requirements.

Planning for MBAM 1.0 Group Policy Requirements

Plan for and create the necessary Active Directory Domain Services security groups and plan for MBAM local security group membership requirements.

Planning for MBAM 1.0 Administrator Roles

Plan for MBAM Server feature deployment.

Planning for MBAM 1.0 Server Deployment

Plan for MBAM Client deployment.

Planning for MBAM 1.0 Client Deployment

Perform an MBAM Evaluation Deployment

After you complete the necessary planning and software prerequisite installations to prepare your computing environment for an MBAM installation, you can begin the MBAM evaluation deployment.

Review the MBAM supported configurations information to make sure that the selected client and server computers are supported for the MBAM feature installation.

MBAM 1.0 Supported Configurations

Run MBAM Setup to deploy MBAM Server features on a single server for evaluation purposes.

How to Install and Configure MBAM on a Single Server

Add the Active Directory Domain Services security groups that you created during the planning phase to the appropriate MBAM Server feature local groups on the new MBAM server.

Planning for MBAM 1.0 Administrator Roles and How to Manage MBAM Administrator Roles

Create and deploy the required MBAM Group Policy Objects.

Deploying MBAM 1.0 Group Policy Objects

Deploy the MBAM Client software.

Deploying the MBAM 1.0 Client

Configure Lab Computers for MBAM Evaluation

You can change the frequency settings on the MBAM Client status reporting by using Registry Editor. However, these modifications should be used for testing purposes only.

Warning
This topic describes how to change the Windows registry by using Registry Editor. If you change the Windows registry incorrectly, you can cause serious problems that might require you to reinstall Windows. You should make a backup copy of the registry files (System.dat and User.dat) before you change the registry. Microsoft cannot guarantee that the problems that might occur when you change the registry can be resolved. Change the registry at your own risk.

Modify the Frequency Settings on MBAM Client Status Reporting

The MBAM Client wakeup and status reporting frequencies have a minimum value of 90 minutes when they are set by using Group Policy. To speed up testing, you can lower these frequencies on MBAM client computers by editing the Windows registry. To modify the frequency settings on MBAM Client status reporting, use a registry editor to navigate to HKLM\Software\Policies\FVE\MDOPBitLockerManagement, change the values for ClientWakeupFrequency and StatusReportingFrequency to 1, which is the minimum value that the client supports, and then restart BitLocker Management Client Service. When you make this change, the MBAM Client will report every minute. You can set values this low only when you do so manually in the registry.

Modify the Startup Delay on MBAM Client Service

In addition to the MBAM Client wakeup and status reporting frequencies, there is a random delay of up to 90 minutes when the MBAM Client agent service starts on client computers. If you do not want the random delay, create a DWORD value of NoStartupDelay under HKLM\Software\Microsoft\MBAM, set its value to 1, and then restart BitLocker Management Client Service.
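
The two registry procedures above (status reporting frequency and startup delay), scripted in PowerShell as an added example that is not part of the original topic. The registry paths, value names and service display name are the ones given on this page; the DWORD type for the frequency values and the $BackupFile path are assumptions.

```powershell
#Requires -RunAsAdministrator
# Lab use only. Paths, value names and the service display name are from this page.
# Assumptions: the frequency values are DWORDs; $BackupFile is a hypothetical path.
$BackupFile = 'C:\Temp\mbam-eval-previous.json'
$PolicyKey  = 'HKLM:\Software\Policies\FVE\MDOPBitLockerManagement'
$ClientKey  = 'HKLM:\Software\Microsoft\MBAM'

$Settings = @(
    @{ Path = $PolicyKey; Name = 'ClientWakeupFrequency';    Value = 1 }
    @{ Path = $PolicyKey; Name = 'StatusReportingFrequency'; Value = 1 }
    @{ Path = $ClientKey; Name = 'NoStartupDelay';           Value = 1 }
)

# Save the current state first so the machine can be returned to it after testing.
$Previous = foreach ($s in $Settings) {
    $old = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Existed = ($null -ne $old); OldValue = $old }
}
New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
$Previous | ConvertTo-Json | Set-Content -Path $BackupFile -Encoding UTF8

foreach ($s in $Settings) {
    if (-not (Test-Path $s.Path)) {
        Write-Warning "$($s.Path) does not exist yet; creating it."
        New-Item -Path $s.Path -Force | Out-Null
    }
    # -Force creates the value or overwrites the existing one.
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
}

# Both procedures end with a restart of the client service.
Get-Service -DisplayName 'BitLocker Management Client Service' | Restart-Service

# Read the values back to confirm the change.
foreach ($s in $Settings) {
    '{0}\{1} = {2}' -f $s.Path, $s.Name, (Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name)
}
```

The saved JSON file lists each value's prior state, so the lab computer can be restored by hand once testing is finished.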

Getting Started with MBAM 1.0