Planning for MBAM Administrator Roles

Microsoft BitLocker Administration and Monitoring (MBAM) administrator roles are managed by local groups that are created by Microsoft BitLocker Administration and Monitoring Setup when you install the BitLocker Administration and Monitoring Server, the Compliance and Audit Reports, and Compliance Status Database features.

The membership of Microsoft BitLocker Administration and Monitoring roles can best be managed by creating security groups in Active Directory, adding the appropriate administrator accounts to those groups, and then adding those security groups to the BitLocker Administration and Monitoring local groups. For more information, see How to Manage MBAM Administrator Roles.

Planning for Administrator Roles

List of available Administrator Roles in MBAM:

  • MBAM System Administrators
    Administrators in this role have access to all Microsoft BitLocker Administration and Monitoring features. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Hardware Users
    Administrators in this role have access to the Hardware Capability features from Microsoft BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Helpdesk Users
    Administrators in this role have access to the Helpdesk features from Microsoft BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
  • MBAM Report Users
    Administrators in this role have access to the Compliance and Audit reports from Microsoft BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server, Compliance and Audit Reports Server, and Compliance Status Database Server.
  • MBAM Advanced Helpdesk Users
    Administrators in this role have increased access to the Helpdesk features from Microsoft BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server. If a user is a member of both MBAM Helpdesk Users and MBAM Advanced Helpdesk Users, the MBAM Advanced Helpdesk Users permissions will override the MBAM Helpdesk Users permissions.

Important

To view reports, an administrative user must be a member of the MBAM Report Users security group on the Administration and Monitoring Server, the Compliance Status Database Server, and the server hosting the Compliance and Reports feature. As a best practice, create a security group in Active Directory with rights on the local MBAM Report Users security groups on both the Administration and Monitoring Server and the server hosting the Compliance and Reports feature.
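
The following audit script is an added example, not Microsoft's code. It checks the role model described above: every member of an MBAM local group should be an Active Directory security group, and MBAM Report Users should have the same members on each server that hosts it. The three server names are hypothetical placeholders, and the script assumes Windows PowerShell 5.1 (for Get-LocalGroupMember) and PowerShell remoting on each server.

```powershell
# Added example, not Microsoft's code. Server names are hypothetical placeholders.
# Assumes Windows PowerShell 5.1 (Microsoft.PowerShell.LocalAccounts) and remoting.
$AdminServer  = 'mbam-admin01'    # Administration and Monitoring Server (placeholder)
$ReportServer = 'mbam-report01'   # Compliance and Audit Reports Server (placeholder)
$DbServer     = 'mbam-db01'       # Compliance Status Database Server (placeholder)

# Local group -> servers on which this page says the group is installed.
$RoleMap = [ordered]@{
    'MBAM System Administrators'   = @($AdminServer)
    'MBAM Hardware Users'          = @($AdminServer)
    'MBAM Helpdesk Users'          = @($AdminServer)
    'MBAM Advanced Helpdesk Users' = @($AdminServer)
    'MBAM Report Users'            = @($AdminServer, $ReportServer, $DbServer)
}

$findings = foreach ($role in $RoleMap.Keys) {
    $perServer = @{}
    foreach ($server in $RoleMap[$role]) {
        $members = @(Invoke-Command -ComputerName $server -ScriptBlock {
            param($g)
            Get-LocalGroupMember -Group $g | Select-Object Name, ObjectClass
        } -ArgumentList $role)
        $perServer[$server] = @($members | ForEach-Object Name)

        # Accounts added directly bypass the AD security group model.
        foreach ($m in $members | Where-Object { $_.ObjectClass -ne 'Group' }) {
            [pscustomobject]@{ Role = $role; Server = $server; Member = $m.Name
                               Issue = 'Direct member; expected an AD security group' }
        }
    }
    # For roles hosted on several servers, membership should match everywhere.
    $all = @($perServer.Values | ForEach-Object { $_ } | Sort-Object -Unique)
    foreach ($server in $perServer.Keys) {
        foreach ($name in $all | Where-Object { $_ -notin $perServer[$server] }) {
            [pscustomobject]@{ Role = $role; Server = $server; Member = $name
                               Issue = 'Missing here but present on another server' }
        }
    }
}
$findings | Sort-Object Role, Server | Format-Table -AutoSize
```

An empty result means every MBAM local group contains only groups and the MBAM Report Users membership is consistent across the servers checked.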

See Also

Other Resources

Planning for MBAM