There are number of organizations out there who are discussing or currently testing implementations of Microsoft’s BitLocker Administration and Monitoring (MBAM). There are a number of things that the recently released enterprise management of BitLocker does well, such as compliance reporting, single use key recovery, and trusted platform module (TPM) management. However, the deployment of MBAM does cause some issues for many and I will be discussing some topics in this blog that will hopefully provide some assistance to those currently testing or deploying.
Microsoft’s Desktop Optimization Pack (MDOP) online help webpage provides some key information to assist in the deployment; however, there are some missing pieces. Hopefully you will find some of this information useful.
Network Encryption Certificates
For some you who, like me, are not certificate gurus but know enough to grasp the general concept of requirements, you may notice that when looking over the MBAM information on the MDOP Online Help pages, no certificate requirements are listed. So in order to ease your process of installation I will give you some information that has worked for me while delivering MBAM engagements.
Basic Requirements
The requirements for the certificates relating to MBAM are straightforward and typically do not require significant modifications to an organization’s PKI. The Extended Key Usage (EKU) requirements of the certificates are as follows:
Client Authentication (1.3.6.1.5.5.7.3.2)
Server Authentication (1.3.6.1.5.5.7.3.1)
These two EKU’s are typically found together in the default Computer certificate template of an Enterprise CA, but can easily be added to any computer template you wish.
Two certificates should be issued for use with MBAM. The first certificate is used to encrypt the communication between the SQL Server hosting the databases and the Administration and Monitoring Server. The second certificate is used to encrypt the communication between the Administration and Monitoring server and the MBAM client agent.
Please note: In order for these two certificates to be useful, it is required that they chain up to a CA that that your computer trusts. If the Windows7 or Server2008 systems do not trust the CA that issued these certificates, you may need to add that CA, or its root CA, to the system’s Trusted Publishers Certificate Store.
Certificates not showing up…?
Some of you may have experienced nothing but blank space in the certificate pull down box when performing the installation of the MBAM components when you are at the “select the certificate to encrypt network communication page.” You may have your certificates successfully created, but in order for them to be available during installation they have to be manually installed to the personal certificate store of the local computer.
If you receive an error that makes reference to the certificate not meeting the necessary requirements, make sure that you have performed the actions listed in the previously mentioned note.
Policy Templates
The last component in the MBAM component installation list is the Policy Templates. While this item is listed as a component that gets installed, it in fact does not perform system changes of any kind. When checked, this step merely copies the ADMX and ADML files to the local policy definitions folder of the server on which the feature was “installed.” The files in question along with their respective file paths are listed below:
File Path Location | Filename |
%windir%\PolicyDefinitions | BitLockerManagement.admx |
BitLockerUserManagement.admx | |
%windir%\PolicyDefinitions\en-US | BitLockerManagment.adml |
BitLockerUserManagement.adml |
If your organization has a specific server or servers that are used to manage group policy then these files need to be copied to the local policy definitions folders on each server. However, if you have a central policy store within SYSVOL for policy management, copy all of the files to the appropriate locations to enable management of the MBAM policies.
If everything is copied to the correct locations when editing a GPO you should see the following:
MBAM Client Registry Information
There are several registry keys associated with the MBAM client that you can manipulate to force the client into action. These items are categorized below to be used as a reference guide.
Hardware Compatibility Checking Policy
When using Hardware Compatibility Checking with MBAM systems, validate their hardware profile against the policies within MBAM. This allows for control of encryption on system that may or may not meet your organization’s hardware standards for encryption. The downside to this is that when a system checks in and the hardware profile is listed as unknown, the system then waits 24 hours before checking in again. The registry keys listed here are responsible for these actions.
Registry Key Path | Key Name | Value | Description |
HKLM\Software\Microsoft\MBAM | HWExemptionTimer | Variable | This setting specifies the interval in which the MBAM client will re-check its hardware exemption status. |
HKLM\Software\Microsoft\MBAM | HWExpemtionType | 0 = unknown1 = incompatible2 = compatible | This setting determines the exemption status which is specified by the assigned hardware profile |
The client can be forced to check in prior to the 24 hour mark by deleting the above mentioned registry keys and performing a restart of the MBAM client.
Startup Delay
By default the MBAM client has a 90 minute random delay, upon startup, before communicating to the Administration and Monitoring server. This was designed to reduce the load on the MBAM server during the initial deployment of the MBAM client. However, this delay can be circumvented by adding the following registry key.
Registry Key Path | Key Name | Value | Description |
HKLM\Software\Microsoft\MBAM | NoStartUpDelay | 1 | Specifies the interval in which the client communicates to the MBAM server upon startup. |
If this setting is to be temporary it will be necessary to remove the registry key after the fact as none of the MBAM Group Policy settings will overwrite this key.
User Prompting
When configuring the MBAM services via Group Policy there are two policy timers that are configured.
Client Checking Status Frequency (Default: 90 Min)
Status Reporting Frequency (Default: 720 Min)
These timers have corresponding registry settings that can be manually changed to initiate their checks immediately when the MBAM client is restarted. This is generally performed to more quickly initiate the user prompt for starting the encryption process as well as forcing the status reporting to update. These keys and the values to which they should be changed to initiate their checks are listed below.
Registry Key Path | Key Name | Value | Description |
HKLM\Software\Policies\Microsoft\FVE
\MDOPBitLockerManagement |
ClientWakeupFrequency | 1 | This policy setting manages how often the client will check the BitLocker protection policies and status on the client machine. |
StatusReportingFrequency | 1 | This policy setting allows you to manage the frequency of the compliance and status information to be reported to the report service. |
Encryption during Operating System Deployment
The following registry keys are used to configure MBAM to initiate encryption during the deployment of the Windows 7 Operating System. This information can be referenced from the original source.
Registry Key Path | Key Name | Value | Description |
HKLM\Software\Microsoft\MBAM | DeploymentTime | 0 | OFF |
1 | Use deployment time policy settings (default) | ||
UseKeyRecoveryService | 0 | Do not use key escrow ( the next two registry entries are not required in this case) | |
1 | Use key escrow in Key Recovery system (default)Recommended: The computer must be able to communicate with the Key Recovery service. Verify that the computer can communicate with the service before you proceed. | ||
KeyRecoveryOptions | 0 | Uploads Recovery Key Only | |
1 | Uploads Recovery Key and Key Recovery Package (default) | ||
KeyRecoveryServiceEndPoint | URL | Set this value to the URL for the Key Recovery web server, for example, https://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. |
Additional information regarding the encryption via MBAM during Operating System Deployment can be found here: https://onlinehelp.microsoft.com/en-us/mdop/hh285657.aspx
I hope that some or all of this information is useful in either your testing or deployment of Microsoft BitLocker Administration and Monitoring.
Please be sure to check out the Windows 7 Accelerate with System Center website at www.css-security.com/countdown for installation and tutorial videos on MBAM. You can also find additional resources, videos and datasheets on migrating from Windows XP and Deploying Windows 7.