MBAM (Microsoft BitLocker Administration and Monitoring) is one of those tools that I recommend to clients by default. MBAM is bundled with MDOP (Microsoft Desktop Optimisation Pack).
MBAM extends BitLocker and adds additional features such as:
- Secure key escrow to SQL
- Key rotation
- Reporting/Auditing
- Helpdesk/self-service portal (although self-service is rarely used)
- PIN prompt (users are prompted to set their own PINs)
Unfortunately, Microsoft recently set the mainstream support end date for MBAM to July 2019. ‘Extended support’ is set to expire in 2024. MBAM should continue to get critical security patches until the end of extended support, but will not get new features after July 2019. This may present an issue with new releases of Windows 10 / Windows Server coming twice per year.
If you have MBAM in place now, you should be fine for quite a while. However, if you are planning to deploy MBAM soon, you may want to reconsider. Without MBAM, you will need to utilise Active Directory or Azure Active Directory for key escrow.
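As an added example (not code from the post or from Microsoft), this is what escrowing a volume's recovery password without MBAM looks like from the endpoint side, using the built-in BitLocker PowerShell module: `Backup-BitLockerKeyProtector` writes it to on-premises AD DS and `BackupToAAD-BitLockerKeyProtector` to Azure AD. It assumes Windows 10 with the BitLocker module, an elevated session, and a device that is domain-joined (AD DS path) or Azure AD-joined (AAD path); the `$MountPoint` and `$Target` parameters are the example's own.

```powershell
# Added example, not from the original post: escrow a volume's BitLocker recovery
# password to on-premises AD DS (default) or to Azure AD.
# Assumes: BitLocker PowerShell module present, run elevated, device domain-joined
# for 'ADDS' or Azure AD-joined for 'AAD'.
param(
    [string]$MountPoint = 'C:',
    [ValidateSet('ADDS', 'AAD')]
    [string]$Target = 'ADDS'
)

$vol = Get-BitLockerVolume -MountPoint $MountPoint
if ($vol.ProtectionStatus -ne 'On') {
    throw "BitLocker protection is not on for $MountPoint; nothing to escrow."
}

# Only a recovery password protector can be escrowed. TPM-only volumes have none,
# so add one first; otherwise a lost TPM means a lost volume.
$rp = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

foreach ($p in $rp) {
    switch ($Target) {
        'ADDS' { Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId }
        'AAD'  { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId }
    }
    # Print only the protector ID, never the recovery password itself.
    Write-Output "Escrowed protector $($p.KeyProtectorId) for $MountPoint to $Target"
}
```

To confirm the escrow actually landed, check the Microsoft-Windows-BitLocker-API/Management event log on the client for event ID 845 (backed up successfully to AD DS); 846 is the failure case. For fleet-wide enforcement you would still rely on the "Store BitLocker recovery information in Active Directory Domain Services" Group Policy setting rather than running this by hand, but the script is useful for remediating machines that were encrypted before that policy applied.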
“Enterprises can use Microsoft BitLocker Administration and Management (MBAM) to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ends in July 2019 or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the PowerShell examples to see how to store recovery keys in Azure Active Directory (Azure AD).”
Regards,
Dan
None of the pertinent links go anywhere. Can you please update with links to the official confirmation on this?
The links work fine; I just tested them.
Just get this: [embedded image]
And the Search doesn't go any further.
Apologies, missed the part at the bottom of the page!
Air gapped businesses cannot use Azure so cloud anything is out of the window/question. What are people meant to do in that case?
Hi Mike,
On-prem AD will be your only way forward for now. This is what the majority of companies do with no MBAM deployed.
Air gapped systems cannot use cloud anything so that idea is out of the question. What are the options in this case?
On-premises AD storage.
Though, this leaves no solution for reporting, correct?
Correct, no native reporting.
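On the "no native reporting" point from the thread above, the raw material for a basic report is still in the directory: each escrowed recovery password is stored as an msFVE-RecoveryInformation child object under the computer account. The following is an added example, not code from the post or from Microsoft, that turns that into an inventory of which computers have an escrowed key and how old the newest one is. It assumes the ActiveDirectory RSAT module, read access to those objects, and an OU distinguished name you pass in (`$SearchBase`, `$StaleDays` and the status labels are the example's own).

```powershell
# Added example, not from the original post: inventory BitLocker recovery
# information escrowed to on-premises AD, as a stand-in for MBAM reporting.
# Assumes: ActiveDirectory module (RSAT), read access to msFVE-RecoveryInformation
# objects, and a real OU DN supplied by the caller.
param(
    [Parameter(Mandatory)]
    [string]$SearchBase,        # placeholder form: OU=Workstations,DC=corp,DC=example
    [int]$StaleDays = 180       # flag computers whose newest key is older than this
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$StaleDays)

Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem |
ForEach-Object {
    # Recovery objects are direct children of the computer object. Fetch only
    # whenCreated: an inventory report never needs msFVE-RecoveryPassword itself,
    # and the account running this should not be granted read on that attribute.
    $keys = Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                -Properties whenCreated
    $latest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        Computer     = $_.Name
        OS           = $_.OperatingSystem
        EscrowedKeys = @($keys).Count
        LatestEscrow = if ($latest) { $latest.whenCreated } else { $null }
        Status       = if (-not $latest) { 'NO-KEY' }
                       elseif ($latest.whenCreated -lt $cutoff) { 'STALE' }
                       else { 'OK' }
    }
} | Sort-Object Status, Computer | Format-Table -AutoSize
```

Read the output with two caveats in mind. NO-KEY means nothing was escrowed, not necessarily that the disk is unencrypted; pairing this with an endpoint-side `Get-BitLockerVolume` check (via your management tooling) tells the two cases apart. And because the same directory holds the actual recovery passwords, delegate read on msFVE-RecoveryPassword only to the helpdesk group that needs it, and audit reads of it; a reporting account needs none of that.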