
Microsoft BitLocker Administration and Monitoring Planning, Deployment and Operations Guide

Beta Release

March 18, 2011

Copyright
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. This document is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure agreement. 2011 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, Bing, Internet Explorer, SQL Server, Visio, Win32, and Windows are trademarks of the Microsoft group of companies. All other trademarks are property of their respective owners. Portions of this documentation related to network monitoring are provided by EMC, and for those portions the following copyright notice applies 2010 EMC Corporation. All rights reserved.

Contents
- Microsoft BitLocker Administration and Monitoring Planning, Deployment, and Operations Guide
  - In This Section
  - Related Sections
- High-Level Architecture for MBAM
  - Architecture Overview
- About Microsoft BitLocker Administration and Monitoring
- MBAM Supported Configurations
  - Server Operating System Requirements
  - Prerequisites for BitLocker Administration and Monitoring Server Components
    - Prerequisites for Administration and Monitoring Server
    - Prerequisites for the Compliance and Audit Reports Server
    - Prerequisites for the Recovery and Hardware Database Server
    - Prerequisites for the Compliance Status Database Server
  - MBAM Client Operating System Requirements
- Planning for MBAM
  - Planning and Configuring Group Policy for MBAM
    - Group Policy Requirements
    - Global Policy Definitions
    - Data Recovery Policy Definitions
    - Operating System Drive Policy Definitions
    - Fixed Data Drive Policy Definitions
    - Removable Data Drive Policy Definitions
    - Report Policy Definitions
    - Client Management Policy Definition
    - User-Based Group Policy Definitions
  - Planning Server Infrastructure for MBAM
    - Planning the Server Deployment
    - Planning for Administrator Roles
  - Planning Client Deployment for MBAM
    - Client System Requirements
    - Computer Encryption before Distribution to the User
    - Computer Encryption after Distribution to the User
  - Planning Hardware Management for MBAM
- Deploying MBAM
  - Deploying MBAM
  - Deploying MBAM Policies
    - How to Deploy MBAM Policy
  - How to Deploy the MBAM Server Features
    - Deploying the MBAM Server
    - Validating the MBAM Server Feature Installations
  - Deploying the MBAM Server
    - See Also
  - MBAM Supported Configurations
    - Server Operating System Requirements
    - Prerequisites for BitLocker Administration and Monitoring Server Components
      - Prerequisites for Administration and Monitoring Server
      - Prerequisites for the Compliance and Audit Reports Server
      - Prerequisites for the Recovery and Hardware Database Server
      - Prerequisites for the Compliance Status Database Server
    - MBAM Client Operating System Requirements
  - Deploying the MBAM Client
  - How to Encrypt a Computer as part of Windows Deployment
- Operations for MBAM
  - In This Section
  - How to Determine the Compliance Status of the Enterprise and Computers
  - How to Determine BitLocker Encryption State of Lost Computers
  - How to Recover an Encrypted Drive
  - How to Manage Hardware Systems
  - How to Manage Roles for MBAM
  - How to Grant User Exemptions
- Technical Reference for MBAM
  - MBAM Installation Checklists
    - BitLocker Administration and Monitoring Installation Checklist
  - List of Log Files for MBAM
    - Setup
    - Application and Monitoring
    - Client

Microsoft BitLocker Administration and Monitoring

Microsoft BitLocker Administration and Monitoring Planning, Deployment, and Operations Guide
Microsoft BitLocker Administration and Monitoring (MBAM) builds on BitLocker in Windows 7 and offers you an enterprise solution for BitLocker provisioning, monitoring, and key recovery. MBAM will help you simplify BitLocker provisioning and deployment, independently of or as part of your Windows 7 migration, improve BitLocker compliance and reporting, and reduce support costs. This document assumes that you already understand BitLocker and Group Policy in general, and that you want a tool to more easily manage those security features. This guide provides background information about MBAM and describes how to install and use the product. The intended audience for the guide is MBAM administrators and IT personnel.

In This Section
This guide provides information on the following topics:
- Getting Started with MBAM
- About MBAM
- Planning for MBAM
- Deploying the MBAM Server
- Operations for MBAM
- Technical Reference for MBAM

Related Sections
For detailed information about BitLocker, please see: BitLocker Drive Encryption.

High-Level Architecture for MBAM


Microsoft BitLocker Administration and Monitoring (MBAM) is a client/server data encryption solution that includes the following components:
- Administration and Monitoring server
- Compliance and Status database
- Recovery and Hardware database
- Compliance and Audit reports
- Policy template
- BitLocker Administration and Monitoring client agent

[This document is pre-release documentation and is subject to change in future releases. Blank sections are included as placeholders.]

Architecture Overview
The BitLocker Administration and Monitoring client agent performs the following tasks:
- Uses Group Policy to enforce the BitLocker encryption of client computers in the enterprise
- Gathers the recovery key for the three BitLocker drive types: operating system drives, fixed data drives, and removable data drives (that is, USB drives)
- Gathers compliance data for the computer and passes the data to the reporting system

Administration and Monitoring Server: Hosts the Management Console and monitoring web services. The Management Console is used to determine enterprise compliance status and audit activity, manage hardware capability, and access recovery data (for example, BitLocker recovery keys).

Compliance and Audit Database: Stores compliance data for BitLocker Administration and Monitoring client computers.

Recovery and Hardware Database: Stores recovery data that is collected from BitLocker Administration and Monitoring client computers.

Compliance and Audit Reports: Uses SQL Server Reporting Services (SRS) to provide BitLocker Administration and Monitoring reports. These reports can be accessed from the Management Console or directly from the SRS server.

Policy Template: The Group Policy template that specifies the BitLocker Administration and Monitoring implementation of BitLocker drive encryption.

About Microsoft BitLocker Administration and Monitoring


Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface to BitLocker drive encryption. MBAM allows you to select BitLocker encryption policy options appropriate to your enterprise, monitor client compliance with those policies, report on the encryption status of the enterprise as well as individual computers, and recover lost encryption keys. This document assumes that you already understand BitLocker and Group Policy administration. This Microsoft BitLocker Administration and Monitoring help guide provides background information about MBAM and describes how to install and use the product. An overview of MBAM architecture is provided in the MBAM Architecture Notes. The intended audience for the guide is MBAM administrators and technical personnel. For an overview of BitLocker, reference the BitLocker Drive Encryption article (http://technet.microsoft.com/en-us/library/cc731549(WS.10).aspx) on TechNet.

MBAM Supported Configurations


This topic specifies the supported configurations for Microsoft BitLocker Administration and Monitoring (MBAM) server and client computers.

Note: Microsoft provides support for the current service pack and, in some cases, the prior service pack. To find the support timelines for your product, see the Lifecycle Supported Service Packs (http://go.microsoft.com/fwlink/?LinkId=31975). For more information about Microsoft Support Lifecycle Policy, see Microsoft Support Lifecycle Support Policy FAQ (http://go.microsoft.com/fwlink/?LinkId=31976).

Server Operating System Requirements


The server roles required for BitLocker Administration and Monitoring are supported on the following operating systems:

| Operating System | Editions | Service Pack | System Architecture |
| Windows Server 2008 | Standard, Enterprise, Data Center, or Web Server | SP2 only | x86 and x64 |
| Windows Server 2008 R2 | Standard, Enterprise, Data Center, or Web Server | | 64-bit |

This section contains configuration information that is specific to the website requirements for this release.


Prerequisites for BitLocker Administration and Monitoring Server Components


Each of the BitLocker Administration and Monitoring feature servers has specific prerequisites that must be met before the MBAM features can be successfully installed. MBAM Setup will check that all prerequisites are met before installation starts.

Prerequisites for Administration and Monitoring Server


The following is a list of the prerequisites for the BitLocker Administration and Monitoring server:
- Windows Server Web Server Role
  - Web Server Role Services
    - Common HTTP Features: Static Content, Default Document
    - Application Development: ASP.NET, .NET Extensibility, ISAPI Extensions, ISAPI Filters
    - Security: Windows Authentication, Request Filtering
- Windows Server Features
  - .NET Framework 3.5.1 features: .NET Framework 3.5.1; WCF Activation: HTTP Activation
  - Windows Process Activation Service: Process Model, .NET Environment, Configuration APIs
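To confirm that these role services and features are present before running MBAM Setup, the following PowerShell snippet is an added example written for this page (it is not from the guide or from MBAM) for a Windows Server 2008 R2 host. The mapping from the names listed above to ServerManager feature identifiers is my assumption; confirm each identifier with Get-WindowsFeature on your own server.

```powershell
# Added example, not part of the MBAM guide: check that the Administration and
# Monitoring server prerequisites listed in the guide are installed. Requires
# Windows Server 2008 R2 (the ServerManager module is not available on 2008).
Import-Module ServerManager

# Assumed mapping of the guide's prerequisite names to ServerManager feature
# identifiers. Verify with: Get-WindowsFeature | Where-Object { $_.Name -like 'Web-*' }
$required = @{
    'Web Server Role'                        = 'Web-Server'
    'Static Content'                         = 'Web-Static-Content'
    'Default Document'                       = 'Web-Default-Doc'
    'ASP.NET'                                = 'Web-Asp-Net'
    '.NET Extensibility'                     = 'Web-Net-Ext'
    'ISAPI Extensions'                       = 'Web-ISAPI-Ext'
    'ISAPI Filters'                          = 'Web-ISAPI-Filter'
    'Windows Authentication'                 = 'Web-Windows-Auth'
    'Request Filtering'                      = 'Web-Filtering'
    '.NET Framework 3.5.1'                   = 'NET-Framework-Core'
    'WCF Activation: HTTP Activation'        = 'NET-HTTP-Activation'
    'WPAS: Process Model'                    = 'WAS-Process-Model'
    'WPAS: .NET Environment'                 = 'WAS-NET-Environment'
    'WPAS: Configuration APIs'               = 'WAS-Config-APIs'
}

# Collect the names of everything currently installed, then diff against the list.
$installed = Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object { $_.Name }
$missing = @()
foreach ($entry in $required.GetEnumerator()) {
    if ($installed -notcontains $entry.Value) {
        $missing += New-Object PSObject -Property @{
            Prerequisite = $entry.Key
            Feature      = $entry.Value
        }
    }
}

if ($missing.Count -eq 0) {
    'All Administration and Monitoring server prerequisites are installed.'
} else {
    # MBAM Setup checks these itself, but fixing them first avoids a failed run.
    'Missing prerequisites (install with: Add-WindowsFeature <Feature>):'
    $missing | Format-Table Prerequisite, Feature -AutoSize
}
```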

Prerequisites for the Compliance and Audit Reports Server


The Compliance and Audit Reports prerequisites include the Reporting Services feature from Microsoft SQL Server R2 Standard, Enterprise, Datacenter, or Developer edition.

Note: SQL Server Reporting Services must be running during installation.

Prerequisites for the Recovery and Hardware Database Server


The Recovery and Hardware Database prerequisites include the following:
- Microsoft SQL Server R2 Standard, Enterprise, Datacenter, or Developer edition.
- SQL Server must have Database Engine Services and Full-Text Search features installed.

Note: Be aware that prerequisite services must be running during installation.

Note: Enterprise, Datacenter, or Developer editions are required if you choose the Use certificates to encrypt database and network communication option when installing the Recovery and Hardware Database feature.

Prerequisites for the Compliance Status Database Server


The Compliance Status Database prerequisites include:
- Microsoft SQL Server R2 Standard, Enterprise, Datacenter, or Developer edition
- SQL Server must have Database Engine Services and Full-Text Search features installed.

MBAM Client Operating System Requirements


The following table lists the operating systems that are supported for BitLocker Administration and Monitoring client installation. You can install the BitLocker Administration and Monitoring client on any computer that meets the following requirements:

| Operating System | Edition | Service Pack | System Architecture |
| Windows 7 | Enterprise Edition | None, SP1 | x86 or x64 |
| Windows 7 | Ultimate Edition | None, SP1 | x86 or x64 |

Trusted Platform Module (TPM) v1.2 capability: the TPM chip must be turned on in the BIOS and be resettable from the operating system. Look in the BIOS documentation for more information.

Warning: Make sure that the keyboard, mouse, and video are directly connected and not managed through a keyboard, video, mouse (KVM) switch. A KVM switch may interfere with the ability of the computer to detect the physical presence of hardware.

There are no special RAM requirements that are specific to BitLocker Administration and Monitoring.

Planning for MBAM


Planning for the components of Microsoft BitLocker Administration and Monitoring (MBAM) allows you to encrypt client computers with BitLocker. Without a Group Policy template configured for your enterprise, as described in Planning and Configuring Group Policy for MBAM, you cannot successfully deploy and monitor BitLocker encryption. Planning the server infrastructure, client deployment strategies, and hardware management is also necessary for a successful deployment. Be sure to keep track of all values you use to install each component and feature. MBAM requires you to use the same values for all components and features. The topics in this section allow you to prepare a computer in your organization to use MBAM so it will encrypt a client system. This is useful for deploying new systems that are encrypted according to your site policies.

Planning and Configuring Group Policy for MBAM


Before Microsoft BitLocker Administration and Monitoring (MBAM) can manage clients in the enterprise, you must define the Group Policy that identifies the encryption policies for your environment.

Important: BitLocker Administration and Monitoring will not work with policies for stand-alone BitLocker drive encryption. Group Policy must be defined for BitLocker Administration and Monitoring or BitLocker encryption and enforcement will fail.

A Group Policy template for MBAM is set on a BitLocker Group Policies computer.

Group Policy Requirements


BitLocker Administration and Monitoring requires policies to be set for site components. This section describes the policies to use for setting up BitLocker Drive Encryption on:

How to Set up Group Policies for BitLocker Administration and Monitoring
1. Make sure that MBAM services are enabled on the BitLocker Group Policies computer.
2. Using the Group Policy Management Console (GPMC), the Advanced Group Policy Management (AGPM), or the Local Group Policy Editor on the BitLocker Group Policies computer, browse to Computer Configuration, select Policies, select Administrative Templates, click Windows Components, and then select MDOP MBAM (BitLocker Management).
3. Select the setting to edit. The settings for BitLocker Administration and Monitoring include the following:
   - Client Management
   - Data Recovery
   - Fixed Drive
   - Operating System Drive
   - Removable Drive
   - Reports

4. Edit the setting for your policy. Recommended policies for a basic MBAM implementation include the following:

| Policy | Group Policy Setting | Recommended Setting |
| Data Recovery | Configure key recovery service | Enabled. Set Key recovery service endpoint and Key recovery information to backup. |
| Reports | Configure status reporting service | Enabled. Set Status reporting service endpoint and Enter frequency status in (minutes). |
| Operating System Drive | Enforce operating system drive encryption | Enabled. Set Select protector for operating system drive. Required to save operating system drive data to the MBAM Key Recovery server. |
| Removable Drive | Control Use of BitLocker on removable drives | Enabled. Required if MBAM will save removable drive data to the MBAM Key Recovery server. |
| Fixed Drive | Control Use of BitLocker on fixed drives | Enabled. Required if MBAM will save fixed drive data to the MBAM Key Recovery server. |
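To check that the client requirements from MBAM Client Operating System Requirements and the recommended policies in the table above are actually reflected on a client, here is an added PowerShell script written for this page (example code, not part of the guide or of MBAM). It uses only the standard Win32_Tpm and Win32_EncryptableVolume WMI classes and must run from an elevated prompt; the pass/fail expectations (Windows 7 Enterprise or Ultimate, TPM 1.2 enabled and activated, TPM+PIN plus a recovery password on the OS drive, protected fixed drives) are assumptions taken from this guide's recommendations.

```powershell
# Added example, not part of the MBAM guide: read-only readiness and compliance
# check for one Windows 7 client. Run elevated; Get-WmiObject is used so the
# script also works on the PowerShell 2.0 that ships with Windows 7.
$report = @{ Checks = @(); Volumes = @() }

function Add-Check($name, $ok, $detail) {
    $report.Checks += New-Object PSObject -Property @{ Check = $name; Pass = $ok; Detail = $detail }
}

# 1. Operating system: the guide supports Windows 7 Enterprise or Ultimate (x86 or x64).
$os = Get-WmiObject Win32_OperatingSystem
$editionOk = ($os.Version -like '6.1.*') -and ($os.Caption -match 'Enterprise|Ultimate')
Add-Check 'Supported OS edition' $editionOk "$($os.Caption) $($os.Version) $($os.OSArchitecture)"

# 2. TPM: must be present, version 1.2, and turned on (enabled and activated) in the BIOS.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    Add-Check 'TPM present' $false 'No TPM reported by Win32_Tpm'
} else {
    Add-Check 'TPM spec version 1.2' ($tpm.SpecVersion -like '1.2*') $tpm.SpecVersion
    Add-Check 'TPM enabled'   ($tpm.IsEnabled().IsEnabled)     ''
    Add-Check 'TPM activated' ($tpm.IsActivated().IsActivated) ''
}

# 3. Volumes: numeric codes of Win32_EncryptableVolume mapped to readable names.
$volumeTypes   = @{ 0 = 'OperatingSystem'; 1 = 'Fixed'; 2 = 'Removable' }
$protectorType = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword';
                    4 = 'TPMAndPIN'; 5 = 'TPMAndStartupKey'; 6 = 'TPMAndPINAndStartupKey';
                    7 = 'PublicKey'; 8 = 'Passphrase'; 9 = 'TPMCertificate' }
$encMethods    = @{ 0 = 'None'; 1 = 'AES128 with Diffuser'; 2 = 'AES256 with Diffuser';
                    3 = 'AES128'; 4 = 'AES256' }

$volumes = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume
foreach ($vol in $volumes) {
    $type = $volumeTypes[[int]$vol.VolumeType]
    $protectors = @()
    # KeyProtectorType 0 asks for every protector on the volume.
    foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })) {
        $protectors += $protectorType[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
    }
    $protected = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)   # 1 = protection on
    $method    = $encMethods[[int]$vol.GetEncryptionMethod().EncryptionMethod]

    # Expectations derived from the guide's recommended policies (assumed, not MBAM's own logic):
    #  - OS drive: encrypted, TPM+PIN for higher security, and a numerical (recovery)
    #    password present so the key recovery service has something to back up.
    #  - Fixed drives: encrypted (Control Use of BitLocker on fixed drives = Enabled).
    #  - Removable drives: users may apply BitLocker; state is reported, not judged.
    $findings = @()
    if ($type -ne 'Removable' -and -not $protected) { $findings += 'not protected by BitLocker' }
    if ($type -eq 'OperatingSystem') {
        if ($protectors -notcontains 'TPMAndPIN')         { $findings += 'OS drive lacks TPM+PIN protector' }
        if ($protectors -notcontains 'NumericalPassword') { $findings += 'no recovery password to back up' }
    }
    $report.Volumes += New-Object PSObject -Property @{
        Drive = $vol.DriveLetter; Type = $type; Protected = $protected; Method = $method
        Protectors = ($protectors -join ','); Findings = ($findings -join '; ')
    }
}

$report.Checks  | Format-Table Check, Pass, Detail -AutoSize
$report.Volumes | Format-Table Drive, Type, Protected, Method, Protectors, Findings -AutoSize
```

A non-empty Findings column or a failed check identifies the client as one the MBAM compliance reports will flag, and tells you which requirement or policy to correct before relying on the guide's recovery workflow.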

Global Policy Definitions


This section describes Global Policy definitions for BitLocker Administration and Monitoring.
Policy: Prevent memory overwrite on restart
This policy setting is the same as the BitLocker policy. Configure this policy to improve restart performance without overwriting BitLocker secrets in memory on restart.
Suggested configuration: Not configured. When the policy is not configured, BitLocker secrets are removed from memory when the computer restarts.

Policy: Validate smart card certificate usage rule
This policy setting is the same as the BitLocker policy. Configure this policy to use smart card certificate-based BitLocker protection.
Suggested configuration: Not configured. When the policy is not configured, a default object identifier 1.3.6.1.4.1.311.67.1.1 is used to specify a certificate.

Policy: Provide the unique identifier for your organization
This policy setting is the same as the BitLocker policy. Configure this policy to use a certificate-based data recovery agent or the BitLocker To Go reader.
Suggested configuration: Not configured. When the policy is not configured, the Identification field is not used.

Policy: Choose drive encryption method and cipher strength
This policy setting is the same as the BitLocker policy. Configure this policy to use a specific encryption method and cipher strength.
Suggested configuration: Not configured. When the policy is not configured, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.

Data Recovery Policy Definitions


This section describes MBAM Data Recovery Policy Definitions.

Policy: Configure key recovery service
This policy setting lets you manage the key recovery service to back up BitLocker recovery information. The setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss because of the lack of key information.
Suggested configuration: Enabled, with Key recovery information to backup set to Recovery Password and key package. When this policy setting is enabled, the recovery password and key package will be automatically and silently backed up to the configured key recovery server location.

Operating System Drive Policy Definitions


This section describes MBAM Operating System Drive Policy Definitions.

Policy: Operating system drive encryption settings
This policy setting determines whether the operating system drive will be encrypted. Configure this policy to do the following:
- Enforce BitLocker protection for the operating system drive.
- Configure PIN usage to use a TPM PIN for operating system protection.
- Configure enhanced startup PINs to allow the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces.
If you enable this policy setting, the user will have to secure the operating system drive using BitLocker. If you do not configure or if you disable the setting, the user will not have to secure the operating system drive with BitLocker.
Suggested configuration: Enabled. When enabled, this policy setting requires that the user secures the operating system by using BitLocker protection, and the drive is encrypted. Based on your encryption requirements, you may select the method of protection for the operating system drive. For higher security requirements, use TPM + PIN, allow enhanced PINs, and set the minimum PIN length to 8.

Policy: Choose how BitLocker-protected operating system drives can be recovered
This policy setting is the same as the BitLocker policy. Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).
Suggested configuration: Not configured. When this policy is not configured, the data recovery agent is allowed, recovery information is not backed up to AD DS, and the recovery options, including the recovery password and recovery key, can be specified by the user.

Policy: Configure TPM platform validation profile
This policy setting is the same as the BitLocker policy. It lets you configure how the Trusted Platform Module (TPM) security hardware on a computer secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.
Suggested configuration: Not configured. When this policy is not configured, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script.

Fixed Data Drive Policy Definitions


This section describes MBAM Fixed Data Drive Policy definitions.

Policy: Fixed data drive encryption settings
This policy setting lets you manage whether fixed data drives must be encrypted. When enabling this policy, you must not disable the Configure use of password for fixed data drives policy. If the Enable auto-unlock fixed data drive option is checked, the OS volume must be encrypted. If you enable this policy setting, the user will have to put all fixed data drives under BitLocker protection and the drives will be encrypted. If you disable this policy setting, fixed data drives are not required to be under BitLocker protection. If you do not configure this policy setting, fixed data drives are not required to be under BitLocker protection.
Suggested configuration: Enabled, and check the Enable auto-unlock fixed data drive option.

Policy: Deny write access to fixed drives not protected by BitLocker
This policy setting is the same as the BitLocker policy. It determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker.
Suggested configuration: Not configured. When the policy is not configured, all fixed data drives on the computer will be mounted with read and write access.

Policy: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
This policy setting is the same as the BitLocker policy. Enable this policy to allow fixed data drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers.
Suggested configuration: Not configured. When the policy is not configured, fixed data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

Policy: Configure use of password for fixed data drives
This policy setting is the same as the BitLocker policy. Enable this policy to configure password protection on fixed data drives.
Suggested configuration: Not configured. When the policy is not configured, passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Policy: Choose how BitLocker-protected fixed drives can be recovered
This policy setting is the same as the BitLocker policy. Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS).
Suggested configuration: Not configured. When the policy is not configured, the BitLocker data recovery agent is allowed, the recovery options, including the recovery password and recovery key, can be specified by the user, and recovery information is not backed up to AD DS.

Removable Data Drive Policy Definitions


This section describes MBAM Removable Data Drive Policy definitions.
Policy Name Overview and Suggested Policy Setting

Control use of BitLocker on removable drives

This policy setting is the same as the BitLocker policy. This policy controls the use of BitLocker on removable data drives. Check the Allow users to apply BitLocker protection on removable data drives option to let the user run the BitLocker setup wizard on a removable data drive. Choose Allow users to suspend and decrypt BitLocker on removable data drives to permit the user to remove BitLocker drive encryption from the drive or suspend the encryption while maintenance is performed. Suggested Configuration: Enabled.

Deny write access to removable drives not protected by BitLocker

This policy setting is the same as the BitLocker policy. Enable this policy to allow write access only to BitLocker-protected drives. Suggested Configuration: Not configured. When this policy is not configured, all removable data drives on the computer are mounted with read and write access.

Allow access to BitLocker-protected removable data drive from earlier versions of Windows

This policy setting is the same as the BitLocker policy. Enable this policy to allow fixed data drives with the FAT file system to be unlocked and viewed on Windows Server 2008 computers. Suggested Configuration: Not configured. When this policy is not configured, removable data drives formatted with the FAT file system can be unlocked on computers that are running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have read-only access to BitLocker-protected drives.

Configure use of password for removable data drives

This policy setting is the same as the BitLocker policy. Enable this policy to configure password protection on removable data drives. Suggested Configuration: Not configured. When this policy is not configured, passwords are supported with the default settings, which do not include password complexity requirements and require only 8 characters.

Choose how BitLocker-protected removable drives can be recovered

This policy setting is the same as the BitLocker policy. Configure this policy to enable the BitLocker data recovery agent or to save BitLocker recovery information to Active Directory Domain Services (AD DS). Suggested Configuration: Not configured. When not configured, the data recovery agent is allowed, the recovery options (including the recovery password and recovery key) can be specified by the user, and recovery information is not backed up to AD DS.

Report Policy Definitions


This section describes the MBAM Report Policy definitions.
Policy Name Overview and Suggested Policy Setting

Configure status reporting service

This policy setting establishes a location for collecting compliance status reports and sets the interval between report generations. If you enable this policy setting, the status report and updated key recovery information are automatically and silently sent to the configured report server location. If you do not configure or disable this policy setting, the status report and updated key recovery information are not saved. Suggested Configuration: Enabled. When enabled, this policy provides an administrative method of generating a compliance report. The default is every 720 minutes. Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer.

Client Management Policy Definition


This section describes MBAM Client Management Policy definitions.
Policy Name Overview and Suggested Policy Setting

Configure client checking frequency in minutes

This policy setting manages how frequently the client checks the BitLocker protection policies and status on the client computer. If you enable this policy setting, the client will check the BitLocker protection policies and status on the client computer at the configured frequency. If you do not configure or disable this policy setting, the client checks the BitLocker protection policies and status on the client computer every 90 minutes. Suggested Configuration: Enabled The default is set to every 90 minutes. Set this frequency based on the requirement set by your company on how frequently to check the compliance status of the computer.

Allow hardware compatibility checking

This policy setting allows you to manage the checking of hardware compatibility before enabling BitLocker protection on the drives of a computer. When enabling this policy, the administrator has to make sure that the Microsoft BitLocker Administration and Monitoring service is installed with the Hardware Capability subfeature. When enabling this policy, you must also enable and configure the Configure Key Recovery service policy. If you enable this policy setting, the model of the computer is validated against the hardware compatibility list before BitLocker protection is enabled on the drives of the computer, to ensure the model is BitLocker-capable. If you disable or do not configure this policy setting, the computer model is not validated against the hardware compatibility list. Suggested Configuration: Enabled. Enable this if your enterprise has older computer hardware or computers that do not support TPM. If this is the case, enable Hardware Compatibility checking to make sure that MBAM is only applied to computer models that support it. If all computers in your organization support BitLocker, you do not have to deploy Hardware Compatibility, and you can set this policy to Not Configured.

Configure user exemption policy

This policy allows configuring a URL, email address, or telephone number that instructs users how to request exemption from BitLocker protection. If you enable this policy setting and provide a URL, mailing address, or telephone number, the user will be able to apply for exemption and will see a dialog with instructions on how to apply for exemption from BitLocker protection. If you disable or do not configure this policy setting, the user will not see a message with instructions on how to apply for an exemption from BitLocker protection, and the request exemption form is not available to the user. Suggested Configuration: Not Configured. Enable this policy if your organization wants to let a user or computer be exempted from BitLocker protection.

User-Based Group Policy Definitions


This section describes user-based MBAM Group Policy definitions.
Policy Name Overview and Suggested Policy Settings

Allow the user to be exempted from BitLocker encryption

This policy lets MBAM be configured to exempt a user from BitLocker encryption. If you enable this policy setting, the specified user is exempted from BitLocker encryption. If you disable this policy setting, the specified user is denied exemption from BitLocker encryption, and the exemption option is not available to the user. If you do not configure this policy setting, the user is not exempted from BitLocker encryption, and the exemption option is not available to the user. Suggested Configuration: Not configured.

Planning Server Infrastructure for MBAM


The Microsoft BitLocker Administration and Monitoring (MBAM) server infrastructure depends on a set of server features that can be installed upon one or more server computers consistent with the requirements of the enterprise.

Planning the Server Deployment


The following BitLocker Administration and Monitoring features represent the server infrastructure features for an MBAM server deployment:

• Recovery and Hardware Database
• Compliance Status Database
• Compliance and Audit Reports
• Administration and Monitoring Server

These features can be installed on a single server or distributed across multiple servers. In addition to the server-related BitLocker Administration and Monitoring features, the server setup application includes an MBAM Group Policy template feature. This feature can be installed on any client able to run the Group Policy Management Console (GPMC) or Advanced Group Policy Management (AGPM). BitLocker Administration and Monitoring server components can be installed in one of three server configurations.

• Single-computer configuration: All BitLocker Administration and Monitoring features are installed on a single server. This configuration is supported, but only recommended for testing purposes.

• Three-computer configuration: Server features are installed in the following configuration:
  • Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on a server
  • Administration and Monitoring Server feature is installed on a server
  • Group Policy template is installed on a server or client computer

• Five-computer configuration: Each server feature is installed on a dedicated computer:
  • Recovery and Hardware Database
  • Compliance Status Database
  • Compliance and Audit Reports
  • Administration and Monitoring Server
  • Group Policy Template is installed on a server or client computer

Note: A three- or five-computer configuration is recommended for production environments. BitLocker Administration and Monitoring server components must be installed in the following order:

Order of Deployment of BitLocker Administration and Monitoring Server Components
1. Recovery and Hardware Database
2. Compliance Status Database
3. Compliance Audit and Reports
4. Administration and Monitoring Server
5. Policy Template

Each BitLocker Administration and Monitoring feature has specific prerequisites. For a full list of server component prerequisites, see MBAM Supported Configurations.

Planning for Administrator Roles


When planning for the BitLocker Administration and Monitoring infrastructure and policy, it is important to determine the roles and responsibilities of the BitLocker Administration and Monitoring administrators across the enterprise. These roles are managed by local groups that are created by BitLocker Administration and Monitoring Setup when you install the BitLocker Administration and Monitoring Server, the Compliance and Audit Reports, and the Compliance Status Database features. The membership of BitLocker Administration and Monitoring roles can best be managed by creating security groups in Active Directory and then adding those security groups to the BitLocker Administration and Monitoring roles (that is, the local groups).

• MBAM System Administrators have access to all BitLocker Administration and Monitoring features. The local group for this role is installed on the Administration and Monitoring Server.
• MBAM Hardware Users have access to the Hardware Capability features of BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
• MBAM Helpdesk Users have access to the Helpdesk features of BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.
• MBAM Report Users have access to the Compliance and Audit reports of BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server, the Compliance and Audit Reports Server, and the Compliance Status Database Server.
• MBAM Advanced Helpdesk Users have increased access to the Helpdesk features of BitLocker Administration and Monitoring. The local group for this role is installed on the Administration and Monitoring Server.

Important: To view reports, an administrative user must be a member of the MBAM Report Users security group on the Administration and Monitoring Server, the Compliance Status Database server, and the server hosting the Compliance and Audit Reports feature. As a best practice, create a security group in Active Directory and add it to the local MBAM Report Users security group on both the Administration and Monitoring Server and the server hosting the Compliance and Audit Reports feature.


Planning Client Deployment for MBAM


There are two ways to encrypt a computer in your organization with Microsoft BitLocker Administration and Monitoring (MBAM):

• Encrypted by an administrator before the user receives the computer
• Encrypted by using Group Policy after the user receives the computer

You can use one or both methods in your organization. By using both methods, you can improve compliance, reporting, and key recovery support.

Client System Requirements


For a list of supported configurations for MBAM, see MBAM Supported Configurations.

Computer Encryption before Distribution to the User


In organizations where computers are received and configured centrally, you can encrypt each computer before any user data is written to it. An additional benefit of this process is that every computer is compliant from the start. This method does not rely on user action because the administrator has already encrypted the computer. A key assumption for this scenario is that the organization installs a corporate Windows image before the computer is delivered to the user.

If your organization wants to use TPM and a PIN to encrypt computers, adding this protector type is completed in two phases. Phase one lets the administrator encrypt the operating system volume of the computer with a TPM protector. Phase two happens after the user logs in for the first time: BitLocker Administration and Monitoring prompts the user to provide a PIN, or a PIN and password, to be used on later computer restarts.

Note: In this approach, the administrator must accept the BIOS prompt to enable and initialize the TPM before delivering the computer to the user.

Computer Encryption after Distribution to the User


By configuring and distributing Group Policy and the BitLocker Administration and Monitoring Client Agent software by using either Active Directory or an enterprise software distribution system, users who have Windows computers are prompted to encrypt their computer. This lets BitLocker Administration and Monitoring collect the data, including the PIN and password, and then begin the encryption process.

Note: In this approach, the user must accept the BIOS prompt to enable and initialize the TPM chip if it is required by the policy of the organization.

Planning Hardware Management for MBAM


Hardware Compatibility management in Microsoft BitLocker Administration and Monitoring (MBAM) enables members of the MBAM Hardware Users role to define the kinds of hardware (that is, manufacturer, model, or TPM chip) that are compatible with BitLocker technology and can be successfully encrypted by using BitLocker Administration and Monitoring. The administrator can also use Hardware Compatibility to exempt computer models from BitLocker protection if the model is not BitLocker compatible or is not supported by the organization.

When you implement BitLocker Administration and Monitoring, consider whether your organization has older computer hardware or computers that do not support TPM. If this is the case, deploy Hardware Compatibility to make sure that BitLocker Administration and Monitoring is only applied to computer models that support it. If all computers in your organization support BitLocker, you do not have to deploy Hardware Compatibility.

After you have enabled the Hardware Compatibility feature and created the BitLocker Administration and Monitoring agent Group Policy to check hardware compatibility, the BitLocker Administration and Monitoring agent collects the computer hardware information and saves all unique models. When new model information is collected from a computer, its Hardware Capability status is set to Unknown. The BitLocker Administration and Monitoring administrator can then use the Hardware Compatibility web page to mark hardware models as either capable or unable to support BitLocker operation. When the capability status of a computer is Unknown or Unsupported, the BitLocker Administration and Monitoring agent exempts the model from BitLocker protection and sets its encryption status to Hardware exempted. The BitLocker Administration and Monitoring agent only enforces BitLocker protection policy if the hardware capability status is Supported or Group Policy is disabled for hardware compatibility checking.

The BitLocker Administration and Monitoring agent automatically rechecks the hardware compatibility of a computer on a regular basis. The BitLocker Administration and Monitoring administrator must also manage the hardware compatibility list by using the web service to ensure that newly discovered hardware models flagged as Unknown are set to Supported or Unsupported.

Deploying MBAM
The topics in this section help you deploy and manage your Microsoft BitLocker Administration and Monitoring (MBAM) installation.

Deploying MBAM Policies
Describes the Group Policies used by MBAM and how to configure them.

How to Deploy the MBAM Server Features
Describes how to install MBAM and its various server components.

Deploying the MBAM Client
Describes how to install the MBAM client and manage its service.

Deploying MBAM Policies


When you configure Microsoft BitLocker Administration and Monitoring (MBAM), you have to make decisions about what policies to set up on various site features. This section describes the policies to use for setting up BitLocker for the following:

• Client Management
• Data Recovery
• Fixed Drive
• Operating System Drive
• Removable Drive
• Reports


How to Deploy MBAM Policy


Before BitLocker Administration and Monitoring can manage clients in the enterprise, you must define the Group Policy setting that identifies the default policy setting, together with the effect when the policy is not configured, enabled, or disabled. For a list of BitLocker Group Policy settings for BitLocker Administration and Monitoring, see Planning and Configuring Group Policy for MBAM. For an organization that requires that all computers are managed by the MBAM service, the Group Policy object (GPO) must include settings for MBAM. Use the information that follows to create the settings for BitLocker Administration and Monitoring.

How to Enable the MBAM Service on Client Machines

1. On a computer with the BitLocker Group Policies installed, make sure BitLocker Administration and Monitoring services are enabled.

2. Using the Group Policy Management Console (GPMC), the Advanced Group Policy Management (AGPM), or the Local Group Policy Editor on the BitLocker Group Policies computer, select Computer configuration, choose Policies, click Administrative Templates, select Windows Components, and then click MDOP MBAM (BitLocker Management).

3. Next, edit the settings for your BitLocker Administration and Monitoring policy. For each policy in the table that follows, select the Policy Group, click the Policy, and then configure the Setting. The following table lists the Group Policy settings that are required to enable BitLocker Administration and Monitoring services on client computers:

Policy Group: Data Recovery
Policy: Configure key recovery service
Setting: Enabled. Set Key recovery service endpoint and Key recovery information to backup.

Policy Group: Reports
Policy: Configure status reporting service
Setting: Enabled. Set Status reporting service endpoint and Enter frequency status in (minutes).

Policy Group: Client Management
Policy: Configure client checking status frequency (minutes)
Setting: Enabled. Set Enter frequency in (minutes).

Policy Group: Operating System Drive
Policy: Enforce operating system drive encryption
Setting: Enabled. Set Select protector for operating system drive. Required to save operating system drive data to the BitLocker Administration and Monitoring Key Recovery server.

4. Browse to User configuration, click Policies, select Administrative Templates, and then click Control Panel.

5. Double-click Hide specified Control Panel items in the details pane, and then select Enabled.

6. Click Show, and then type Microsoft.BitLockerDriveEncryption. This policy hides the Windows BitLocker Management console from the Windows Control Panel and lets the user open the BitLocker Management console from the Windows Control Panel.

How to Enforce BitLocker Protection on Operating System Drives

1. On a computer with the BitLocker Group Policies installed, ensure BitLocker Administration and Monitoring services are enabled.

2. Using the Group Policy Management Console (GPMC), the Advanced Group Policy Management (AGPM), or the Local Group Policy Editor on the BitLocker Group Policies computer, click Computer configuration, select Policies, click Administrative Templates, click Windows Components, select MDOP MBAM (BitLocker Management), click Operating System Drive, and then double-click Enforce operating system drive encryption.

3. Select the Select protector for operating system drive option and Configure minimum PIN length for startup.

Note: If this policy is not enabled, the operating system drive will not be BitLocker protected. For a list of BitLocker Group Policy settings for BitLocker Administration and Monitoring, see Planning and Configuring Group Policy for MBAM.
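As an added example (not code from this guide), the following PowerShell script audits an operating system drive the way an administrator would after applying the Enforce operating system drive encryption policy: it reads the volume's protection state and key protectors through the Win32_EncryptableVolume WMI class and checks that the protector selected in the policy (TPM, or TPM and PIN) and a recovery password protector are present. The expected protector name is an assumption passed as a parameter; run it from an elevated prompt on a client.

```powershell
# Added example, not code from the MBAM guide. Read-only: it changes nothing on the client.

# KeyProtectorType codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorTypeNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password'
    4 = 'TPM and PIN'; 5 = 'TPM and startup key'; 6 = 'TPM, PIN and startup key'
    7 = 'Public key'; 8 = 'Passphrase'
}

function Get-OsDriveBitLockerAudit {
    param(
        # Assumption: the protector chosen under "Select protector for operating system drive"
        [ValidateSet('TPM', 'TPM and PIN')]
        [string] $ExpectedProtector = 'TPM and PIN'
    )

    $driveLetter = $env:SystemDrive   # for example "C:"
    $volume = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                            -Class Win32_EncryptableVolume `
                            -Filter "DriveLetter='$driveLetter'"
    if (-not $volume) { throw "No encryptable volume found for $driveLetter" }

    # ProtectionStatus: 0 = protection off, 1 = protection on, 2 = unknown
    $protectionStatus = [int]$volume.GetProtectionStatus().ProtectionStatus
    # ConversionStatus: 0 = fully decrypted, 1 = fully encrypted, 2 = encryption in progress,
    # 3 = decryption in progress, 4 = encryption paused, 5 = decryption paused
    $conversion = $volume.GetConversionStatus()
    $conversionStatus = [int]$conversion.ConversionStatus

    # Enumerate every key protector on the volume (0 requests protectors of all types)
    $protectorTypes = @()
    foreach ($id in @($volume.GetKeyProtectors(0).VolumeKeyProtectorID)) {
        $code = [int]$volume.GetKeyProtectorType($id).KeyProtectorType
        $name = $ProtectorTypeNames[$code]
        if (-not $name) { $name = "Type $code" }
        $protectorTypes += $name
    }

    $hasExpected = $protectorTypes -contains $ExpectedProtector
    # The recovery password is the numerical password protector whose value the
    # Configure key recovery service policy backs up to the MBAM key recovery server
    $hasRecoveryPassword = $protectorTypes -contains 'Numerical password'

    New-Object PSObject -Property @{
        Drive                = $driveLetter
        ProtectionOn         = ($protectionStatus -eq 1)
        ConversionStatus     = $conversionStatus
        EncryptionPercentage = [int]$conversion.EncryptionPercentage
        Protectors           = ($protectorTypes -join ', ')
        HasExpectedProtector = $hasExpected
        HasRecoveryPassword  = $hasRecoveryPassword
        # Compliant only when protection is on, encryption has finished, the policy's
        # protector is present, and a recovery password exists to be escrowed
        Compliant            = (($protectionStatus -eq 1) -and ($conversionStatus -eq 1) -and
                                $hasExpected -and $hasRecoveryPassword)
    }
}

Get-OsDriveBitLockerAudit -ExpectedProtector 'TPM and PIN' | Format-List
```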

How to Deploy the MBAM Server Features


The following procedure describes the full installation of the Microsoft BitLocker Administration and Monitoring (MBAM) server; the pages displayed depend upon which BitLocker Administration and Monitoring features you select. Each server feature has certain prerequisites. Some features also have additional information that must be provided to successfully deploy the component for the enterprise.

Deploying the MBAM Server


The following steps describe how to install general BitLocker Administration and Monitoring features.

How to Deploy the MBAM Server Features

1. Start the BitLocker Administration and Monitoring installation wizard.

2. Read and accept the Microsoft Software License Terms, and click Next to continue the installation.

3. By default, all BitLocker Administration and Monitoring features are selected for installation. Clear the features that you want to install elsewhere. BitLocker Administration and Monitoring components must be installed in the following order:

• Recovery and Hardware Database
• Compliance Status Database
• Compliance Audit and Reports
• Administration and Monitoring Server
• Policy Template

For more information about how to plan the BitLocker Administration and Monitoring server infrastructure, see Planning Server Infrastructure for MBAM. For the prerequisites of each MBAM server feature, see MBAM Supported Configurations. The installation wizard checks the prerequisites for your installation and displays any that are missing. If all the prerequisites are met, the installation continues. If a missing prerequisite is detected, you have to resolve it and then click Check prerequisites again. If all prerequisites are met this time, the installation resumes.

4. The BitLocker Administration and Monitoring Setup wizard displays installation pages for the selected features. The following sections describe the installation procedure for each feature.

Note: The following instructions assume that each feature is installed on a separate server. If you are installing multiple features on a single server, some steps may be altered or eliminated.

Recovery and Hardware Database Feature

a. MBAM can optionally encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose to encrypt, you will be asked to select the Certificate Authority provisioned certificate that will be used for encryption.

b. Click Next to continue.

c. To configure access to the Recovery and Hardware Database, specify the names of the computers that will be running the Administration and Monitoring Server feature. Once the Administration and Monitoring Server feature is deployed, it connects to the database using its Network Service account.

d. Click Next to continue.

e. Specify the Database Configuration for the SQL Server database server instance that stores the recovery and hardware data. You must also specify where the database will be located and where the log information will be located.

f. Click Next to continue with the BitLocker Administration and Monitoring Setup wizard.

Compliance Status Database Feature

a. MBAM can optionally encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose to encrypt, you will be asked to select the Certificate Authority provisioned certificate that will be used for encryption.

b. Click Next to continue.

c. To configure access to the Compliance Status Database, specify the computer names of the machines that will be running the Administration and Monitoring Server and Compliance and Audit Reports features. Once the Administration and Monitoring and Compliance and Audit Reports Server features are deployed, they connect to the databases using their Network Service accounts.

d. Specify the Database Configuration for the SQL Server database server instance that will store the compliance and audit data. You must also specify where the database will be located and where the log information will be located.

e. Click Next to continue.

f. Click Next to continue with the BitLocker Administration and Monitoring Setup wizard.


Compliance and Audit Reports Feature

a. Specify the remote SQL Server instance (for example, <ServerName\InstanceName>) where the Compliance Status Database was installed.

b. Next, specify the name of the Compliance Status Database. By default the database name is MBAM Compliance Status; however, this can be altered when installing the Compliance Status Database feature.

c. Click Next to continue.

d. Select the SQL Server Reporting Services instance where the Compliance and Audit Reports will be installed.

e. Click Next to continue with the BitLocker Administration and Monitoring Setup wizard.

Administration and Monitoring Server Feature

a. MBAM can optionally encrypt the communication between the Recovery and Hardware Database and the Administration and Monitoring servers. If you choose to encrypt, you will be asked to select the Certificate Authority provisioned certificate that will be used for encryption.

b. Click Next to continue.

c. Specify the remote SQL Server instance (for example, <ServerName\InstanceName>) where the Compliance Status Database was installed.

d. Next, specify the name of the Compliance Status Database. By default the database name is MBAM Compliance Status; however, this can be altered when installing the Compliance Status Database feature.

e. Click Next to continue.

f. Specify the remote SQL Server instance (for example, <ServerName\InstanceName>) where the Recovery and Hardware Database was installed.

g. Next, specify the name of the Recovery and Hardware Database. By default the database name is MBAM Recovery and Hardware; however, this can be altered when installing the Recovery and Hardware Database feature.

h. Click Next to continue.

i. Specify the URL for the Home of the SQL Server Reporting Services (SRS) site. The Home location of a SQL Server Reporting Services site instance can be found at: http://<NameofMBAMReportsServer>/Reports


Note: If SQL Server Reporting Services was configured as a named instance, the URL will look like the following: http://<NameofMBAMReportsServer>/Reports_<SRSInstanceName>

j. Click Next to continue.

k. Enter the Port Number, the Host Name (optional), and the Installation path for the MBAM Administration and Monitoring server.

Warning: The port number that is specified must be an unused port number on the Web Sites and Services computer unless a unique host header name is specified.

l. Click Next to continue with the BitLocker Administration and Monitoring Setup wizard.

5. Specify whether to use Microsoft Updates to help keep your computer secure, and then click Next. 6. Once the selected BitLocker Administration and Monitoring feature information is complete, the BitLocker Administration and Monitoring installation using the Setup wizard is ready to start. Click Back to navigate back through the wizard if you need to review or change your installation settings. Click Install to being the installation. Click Cancel to exit the Wizard. Setup installs the BitLocker Administration and Monitoring features that you have selected and notifies you that the installation is finished. 7. Click Finish to exit the wizard. 8. Although the BitLocker Administration and Monitoring server components have now been installed, users have to be added to the BitLocker Administration and Monitoring roles. For more information, see How to Manage Roles for MBAM. Post Installation Configuration 1. After setup completes, you must add users Roles before users will have access to features within the MBAM Management Console. On the Administration and Monitoring Server add users to the following local groups to enable them access the features in the Management Console. y MBAM Hardware Users Members of this local group will have access to the Hardware feature in the Management Console.

• MBAM Helpdesk Users: Members of this local group will have access to the Drive Recovery and Manage TPM features in the Management Console.

• MBAM Advanced Helpdesk Users: Members of this local group will have advanced access to the Drive Recovery and Manage TPM features in the Management Console.

2. On the Administration and Monitoring, Compliance Status Database, and Compliance and Audit Reports servers, add users to the following local group to enable them to access the Reports feature in the Management Console.

• MBAM Report Users: Members of this local group will have access to the Reports features in the Management Console.

Note: Identical user or group membership of the MBAM Report Users local group must be maintained on all machines where the MBAM Administration and Monitoring, Compliance Status Database, and Compliance and Audit Reports Server features are installed.

Validating the MBAM Server Feature Installations


As soon as the BitLocker Administration and Monitoring installation is complete, we recommend that you validate that the installation has successfully set up all the necessary features for BitLocker. Use the following procedure to confirm that the BitLocker Administration and Monitoring service is functional.

How to Validate an MBAM Installation

1. On each server where a BitLocker Administration and Monitoring feature is deployed, open the Control Panel. Select Programs, and then select Programs and Features. Verify that Microsoft BitLocker Administration and Monitoring appears in the Programs and Features list.

Note: To validate the installation, you must use a Domain Account that has local computer administrative credentials on each server.

2. On the server where the Recovery and Hardware Database feature is installed, open SQL Server Management Studio and verify that the MBAM Recovery and Hardware database is installed.

3. On the server where the Compliance Status Database feature is installed, open SQL Server Management Studio and verify that the MBAM Compliance Status Database is installed.

4. On the server where the Compliance and Audit Reports feature is installed, open a web browser with administrative privileges and browse to the Home of the SQL Server Reporting Services site. The Home location of a SQL Server Reporting Services site instance can be found at: http://<NameofMBAMReportsServer>/Reports. Confirm that a reports folder named Malta Compliance Reports is listed and that it contains five Reports and one Data Source.

Note: If SQL Server Reporting Services was configured as a named instance, the URL will look like the following: http://<NameofMBAMReportsServer>/Reports_<SRSInstanceName>

5. On the server where the Administration and Monitoring feature is installed, run Server Manager and browse to Roles, select Web Server (IIS), and click Internet Information Services (IIS) Manager. In Connections, browse to <machinename>, select Sites, and select Microsoft BitLocker Administration and Monitoring. Verify that MBAMAdministrationService, MBAMComplianceStatusService, and MBAMRecoveryAndHardwareService are listed.

6. On the server where the Administration and Monitoring feature is installed, open a web browser with administrative privileges and browse to the following locations within the MBAM web site to verify that they load successfully:

• http://<machinename>:<port>/default.aspx, and confirm each of the links for navigation and reports
• http://<machinename>:<port>/MBAMAdministrationService/AdministrationService.svc
• http://localhost/MBAMComplianceStatusService/StatusReportingService.svc
• http://<machinename>:<port>/MBAMRecoveryAndHardwareService/CoreService.svc

Note: This list assumes the services are installed on the default port 80. If the services were installed on a different port, change the URLs to include the appropriate port. For example, http://<machinename>:<port>/default.aspx or http://<hostheadername>/default.aspx. Verify that each web page loads successfully.
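The checks from Post Installation Configuration and from steps 5 and 6 above, scripted as an added example (PowerShell, not part of the MBAM guide). It reports whether the four MBAM role groups exist and who is in them, whether the three service applications are present under the MBAM site in IIS, and whether each listed URL answers; $ComputerName and $Port are assumptions to set to the host name (or host header) and port chosen during setup.

```powershell
# Added example, not from the MBAM guide. Run in an elevated PowerShell prompt on the
# Administration and Monitoring server. $ComputerName and $Port are assumptions: set them
# to the host name (or host header) and port chosen during setup.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Port = 80
)

# Local groups from the Post Installation Configuration section
$RoleGroups = @('MBAM Hardware Users', 'MBAM Helpdesk Users',
                'MBAM Advanced Helpdesk Users', 'MBAM Report Users')

# Web applications that step 5 expects under the MBAM site in IIS
$SiteName = 'Microsoft BitLocker Administration and Monitoring'
$Apps     = @('MBAMAdministrationService', 'MBAMComplianceStatusService', 'MBAMRecoveryAndHardwareService')

# URLs from step 6 (the compliance status service is checked via localhost, as in the guide)
$Base = "http://${ComputerName}:$Port"
$Urls = @(
    "$Base/default.aspx",
    "$Base/MBAMAdministrationService/AdministrationService.svc",
    'http://localhost/MBAMComplianceStatusService/StatusReportingService.svc',
    "$Base/MBAMRecoveryAndHardwareService/CoreService.svc"
)

function Get-MbamRoleGroupReport {
    # Reports whether each role group exists and who is in it, using the WinNT ADSI
    # provider so no extra module is needed. An empty group still passes the install
    # check, but nobody can use that feature until members are added.
    foreach ($group in $RoleGroups) {
        $path    = "WinNT://$env:COMPUTERNAME/$group,group"
        $members = @()
        $exists  = [ADSI]::Exists($path)
        if ($exists) {
            $members = @(([ADSI]$path).Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
            })
        }
        New-Object PSObject -Property @{ Group = $group; Exists = $exists; Members = ($members -join '; ') }
    }
}

function Get-MbamIisApplicationReport {
    # Step 5 without the GUI: which of the three service applications exist under the site.
    Import-Module WebAdministration -ErrorAction Stop
    $present = @(Get-WebApplication -Site $SiteName | ForEach-Object { $_.Path.TrimStart('/') })
    foreach ($app in $Apps) {
        New-Object PSObject -Property @{ Application = $app; Present = ($present -contains $app) }
    }
}

function Test-MbamUrl([string]$Uri) {
    # Step 6 without a browser. Default credentials are sent, matching the Windows
    # Authentication prerequisite; a 401 or 403 therefore means the site is up but this
    # account lacks a role, which is a permissions problem rather than an install problem.
    $req = [System.Net.HttpWebRequest]::Create($Uri)
    $req.UseDefaultCredentials = $true
    $req.Timeout = 15000
    $code = 0
    try {
        $resp = $req.GetResponse(); $code = [int]$resp.StatusCode; $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
    }
    New-Object PSObject -Property @{ Uri = $Uri; StatusCode = $code; Ok = ($code -eq 200) }
}

Get-MbamRoleGroupReport      | Format-Table Group, Exists, Members -AutoSize
Get-MbamIisApplicationReport | Format-Table Application, Present -AutoSize
$Urls | ForEach-Object { Test-MbamUrl $_ } | Format-Table Ok, StatusCode, Uri -AutoSize
```

A StatusCode of 0 means no HTTP response at all (site not bound on that port, or wrong host name); a non-200 response means the site answered and the URL or account needs attention.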


Deploying the MBAM Server


This section of the Microsoft BitLocker Administration and Monitoring (MBAM) Deployment Guide provides information for new installations of MBAM Server components. To successfully install the BitLocker Administration and Monitoring server features, the features should be installed in the correct order as outlined later in this section:

• Key Recovery Database
• Reporting Database
• Compliance Audit and Reports
• Web Sites and Services
• Policies

See Also
Microsoft BitLocker Administration and Monitoring Planning, Deployment, and Operations Guide

MBAM Supported Configurations


This topic specifies the supported configurations for Microsoft BitLocker Administration and Monitoring (MBAM) server and client computers.

Note: Microsoft provides support for the current service pack and, in some cases, the prior service pack. To find the support timelines for your product, see the Lifecycle Supported Service Packs (http://go.microsoft.com/fwlink/?LinkId=31975). For more information about Microsoft Support Lifecycle Policy, see Microsoft Support Lifecycle Support Policy FAQ (http://go.microsoft.com/fwlink/?LinkId=31976).

Server Operating System Requirements


The server roles required for BitLocker Administration and Monitoring are supported on the following operating systems:
Operating System         Editions                                          Service Pack   System Architecture
Windows Server 2008      Standard, Enterprise, Data Center, or Web Server   SP2 only       x86 and x64
Windows Server 2008 R2   Standard, Enterprise, Data Center, or Web Server                  64-bit

This section contains configuration information that is specific to the website requirements for this release.

Prerequisites for BitLocker Administration and Monitoring Server Components


Each of the BitLocker Administration and Monitoring feature servers has specific prerequisites that must be met before the MBAM features can be successfully installed. MBAM Setup will check that all prerequisites are met before installation starts.

Prerequisites for Administration and Monitoring Server


The following is a list of the prerequisites for the BitLocker Administration and Monitoring server:

• Windows Server Web Server Role

• Web Server Role Services

  Common HTTP Features:
  • Static Content
  • Default Document

  Application Development:
  • ASP.NET
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters

  Security:
  • Windows Authentication
  • Request Filtering

• Windows Server Features

  .NET Framework 3.5.1 features:
  • .NET Framework 3.5.1
  • WCF Activation
    • HTTP Activation

  Windows Process Activation Service:
  • Process Model
  • .NET Environment
  • Configuration APIs

Prerequisites for the Compliance and Audit Reports Server


The Compliance and Audit Reports prerequisites include the Reporting Services feature from Microsoft SQL Server R2 Standard, Enterprise, Datacenter, or Developer edition.

Note: SQL Server Reporting Services must be running during installation.

Prerequisites for the Recovery and Hardware Database Server


The Recovery and Hardware Database prerequisites include the following:

• Microsoft SQL Server R2 Standard, Enterprise, Datacenter, or Developer edition.
• SQL Server must have Database Engine Services and Full-Text Search features installed.

Note: Be aware that prerequisite services must be running during installation.

Note: Enterprise, Datacenter, or Developer editions are required if you choose the Use certificates to encrypt database and network communication option when installing the Recovery and Hardware Database feature.

Prerequisites for the Compliance Status Database Server


The Compliance Status Database prerequisites include:

• Microsoft SQL Server R2 Standard, Enterprise, Datacenter, or Developer edition
• SQL Server must have Database Engine Services and Full-Text Search features installed.

MBAM Client Operating System Requirements


The following table lists the operating systems that are supported for BitLocker Administration and Monitoring client installation. You can install the BitLocker Administration and Monitoring client on any computer that meets the following requirements:


Operating System   Edition              Service Pack   System Architecture
Windows 7          Enterprise Edition   None, SP1      x86 or x64
Windows 7          Ultimate Edition     None, SP1      x86 or x64

Trusted Platform Module (TPM) v1.2 capability: The TPM chip must be turned on in the BIOS and be resettable from the operating system. Look in the BIOS documentation for more information.

Warning: Make sure that the keyboard, mouse and video are directly connected and not managed through a keyboard, video, mouse (KVM) switch. A KVM switch may interfere with the ability of the computer to detect the physical presence of hardware.

There are no special RAM requirements that are specific to BitLocker Administration and Monitoring.

Deploying the MBAM Client


The Microsoft BitLocker Administration and Monitoring (MBAM) client helps administrators enforce and monitor BitLocker drive encryption on computers within the enterprise.

How to Deploy the MBAM Client to Desktop or Laptop Computers

1. Locate the BitLocker Administration and Monitoring client installation files (MBAMClient64bit.msi and MBAMClient-32bit.msi) provided with the MBAM software.

2. Use Active Directory or an enterprise software deployment tool to push the MSI to the target computers.

3. Configure the distribution process or Group Policy to run the client software file. Once installed, the client will read the Group Policy pushed from the Domain Controller.

How to Stop or Start the MBAM Client Service

1. On a client with the MBAM Client installed, open the Run window and type services.msc to open the Services management console.

2. Right-click the BitLocker Management Client service, and then select Stop or Start.


How to Encrypt a Computer as part of Windows Deployment


Microsoft BitLocker Administration and Monitoring (MBAM) is designed to be used with the tools your organization uses to deploy Windows client operating system images on new and existing computers. The following steps help you plan to encrypt computers using BitLocker Administration and Monitoring. These are explained in more detail in later sections.

How to Encrypt a Computer as part of Windows Deployment

1. Set the Trusted Platform Module (TPM) chip so that a reboot is not required later in the process. This must be set manually in the BIOS of the computer. Refer to the manufacturer documentation for more details on how to configure the TPM chip.

a. Set TPM to ENABLED
b. Set TPM to ACTIVE
c. Set TPM to NOT OWNED

2. Install the BitLocker Administration and Monitoring client agent.

3. Join the computer to a domain (recommended).

• If the computer is not joined to the domain, then the Recovery Password will not be stored in the MBAM Key Recovery Service. By default, MBAM will not allow encryption to occur unless the Recovery Key can be stored. If a computer starts up in recovery mode before the Recovery Key is stored to the MBAM server, the computer will need to be reimaged. No recovery method is available.

4. Run the command prompt as administrator, and stop the MBAM service and set it to manual or on-demand start by typing the following:

a. Net stop maltaagent
b. Sc config maltaagent start= demand

5. Set the registry settings to allow the MBAM agent to ignore Group Policy and execute the TPM for operating system only encryption by running regedit and then importing the registry key template from C:\Program Files\Microsoft\MDOP MBAM\MBAMDeploymentKeyTemplate.reg

6. From regedit, go to HKLM\SOFTWARE\Microsoft\MBAM and configure the settings using the following table:

Registry Entry                Configuration Settings
DeploymentTime                0 = OFF
                              1 = Use deployment time policy settings (default)
UseKeyRecoveryService         0 = Do not escrow key (the next two registry entries are not needed in this case)
                              1 = Escrow in Key Recovery system (default)
                              Recommended: the computer needs to be able to communicate with the Key Recovery Service. Verify the computer can communicate with the service before proceeding.
KeyRecoveryOptions            0 = Uploads Recovery Key Only
                              1 = Uploads Recovery Key and Key Recovery Package (default)
KeyRecoveryServiceEndPoint    Set this value to the URL for the Key Recovery web server (for example, http://<machinename>/MBAMRecoveryAndHardwareService/CoreService.svc).

Note: MBAM policy or registry values can be set here to override previously set values.

7. The MBAM agent will reboot the system during MBAM client deployment. When you are ready for this reboot, run the following from a Command Prompt as administrator:

a. Net start MaltaAgent

8. The system should reboot. On restart the BIOS will prompt to accept a TPM change. Accept this change.

9. During the Windows client operating system imaging process, when you are ready to start encryption, restart the MBAM agent service and set start to automatic by running a Command Prompt as administrator and typing the following:

a. sc config maltaagent start= auto
b. net start maltaagent

10. Remove the bypass registry values by running regedit and going to the HKLM\SOFTWARE\Microsoft registry entry. Delete the MBAM node by right-clicking it and selecting Delete.
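The deployment-time procedure in steps 4 through 10, scripted as an added example (PowerShell, not from the MBAM guide). It writes the table's registry values directly instead of importing MBAMDeploymentKeyTemplate.reg, keeps UseKeyRecoveryService at 1 so the recovery key is still escrowed, checks that the Key Recovery endpoint answers before the agent is allowed to run, and removes the override node at the end; the endpoint URL is a placeholder to replace with your own server.

```powershell
# Added example, not from the MBAM guide. Run in an elevated PowerShell prompt on the
# client being imaged; dot-source the file and call one function per stage
# (steps 4 and 6, then 7, then 9, then 10). The endpoint below is a placeholder.
param(
    [string]$KeyRecoveryEndpoint = 'http://<machinename>/MBAMRecoveryAndHardwareService/CoreService.svc'
)

$ServiceName = 'maltaagent'                  # service name used by the guide's net/sc commands
$RegPath     = 'HKLM:\SOFTWARE\Microsoft\MBAM'

function Test-MbamKeyRecoveryEndpoint {
    # The UseKeyRecoveryService row recommends verifying that the client can reach the
    # Key Recovery Service first. Any HTTP reply, even an error status, shows the WCF
    # endpoint is listening; no reply object at all means it is not reachable.
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true
    try   { [void]$wc.DownloadString($KeyRecoveryEndpoint); return $true }
    catch [System.Net.WebException] { return ($_.Exception.Response -ne $null) }
    finally { $wc.Dispose() }
}

function Set-MbamDeploymentBypass {
    # Step 4: stop the agent and make it start on demand only (sc config start= demand).
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    Set-Service  -Name $ServiceName -StartupType Manual

    if (-not (Test-MbamKeyRecoveryEndpoint)) {
        throw "Key Recovery endpoint $KeyRecoveryEndpoint is not reachable; fix connectivity before proceeding."
    }

    # Step 6: the values from the table, written directly rather than via the .reg template.
    # UseKeyRecoveryService stays 1: with 0 the machine would encrypt with no escrowed key
    # and therefore no recovery path (see the note under step 3).
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name DeploymentTime             -Value 1 -Type DWord
    Set-ItemProperty -Path $RegPath -Name UseKeyRecoveryService      -Value 1 -Type DWord
    Set-ItemProperty -Path $RegPath -Name KeyRecoveryOptions         -Value 1 -Type DWord
    Set-ItemProperty -Path $RegPath -Name KeyRecoveryServiceEndPoint -Value $KeyRecoveryEndpoint -Type String
}

function Start-MbamAgentForTpmReboot {
    # Step 7: start the agent once; it reboots the machine and the BIOS asks to accept the TPM change.
    Start-Service -Name $ServiceName
}

function Start-MbamEncryption {
    # Step 9: return the agent to automatic start and start it to begin encryption.
    Set-Service   -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
}

function Remove-MbamDeploymentBypass {
    # Step 10: delete the MBAM node so the agent is governed by Group Policy again.
    # Leaving it behind would keep the deployment-time overrides in force on the finished image.
    if (Test-Path $RegPath) { Remove-Item -Path $RegPath -Recurse -Force }
}
```

Run Remove-MbamDeploymentBypass as the last step of the image, and confirm afterwards that HKLM\SOFTWARE\Microsoft\MBAM no longer exists, so that no deployed machine ships with the policy bypass still set.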


Operations for MBAM


The operations and troubleshooting guide provides information about how to configure and use Microsoft BitLocker Administration and Monitoring (MBAM) for day-to-day tasks that you perform for your computers in your organization and user infrastructure. This section describes post-installation configuration, management, and day-to-day operations tasks.

In This Section
How to Determine the Compliance Status of the Enterprise and Computers
Describes how to generate reports on enterprise compliance, individual computers, key recovery activity, and hardware compatibility.

How to Determine BitLocker Encryption State of Lost Computers


Describes how to determine if the volumes on a computer are encrypted in case of loss or theft.

How to Recover an Encrypted Drive


Describes how to access the BitLocker key recovery data system, which can provide a recovery password for data recovery.

How to Manage Hardware Systems


Describes how to manage BitLocker compatibility of computer models in an enterprise organization

How to Manage Roles for MBAM


Describes how to grant administrative users access to one or more MBAM features

How to Grant User Exemptions


Details situations in which an organization may use user exemption from MBAM protection


How to Determine the Compliance Status of the Enterprise and Computers


Microsoft BitLocker Administration and Monitoring (MBAM) lets you run a variety of reports to monitor BitLocker usage and compliance. The procedure that follows shows the steps needed to generate reports on enterprise compliance, individual computers, key recovery activity, and hardware compatibility.

Note: To run the reports, you must be a member of the Report Users Role on each of the servers where the Administration and Monitoring Server, Compliance and Audit Reports, and Compliance Status Database features are installed.

To Open the MBAM Management Console

1. Open a web browser and go to the BitLocker Administration and Monitoring web site. The default URL for the administration web site is http://<machinename>:<port> of the BitLocker Administration and Monitoring server.

2. In the left side pane, expand Reports and select the report you want to run. The following sections describe the MBAM Compliance and Auditing reports.

Enterprise Compliance Report

1. From the Management Console, select the Reports node from the left side navigation pane, select the Enterprise Compliance Report, and select the filters that you want to use. The available filters for the Enterprise Compliance Report are the following:

• Compliance Status: Use this filter to specify the compliance status types (for example, Compliant or Non-Compliant) of the report.
• Error State: Use this filter to specify the Error State types (for example, No Error or Error) of the report.

2. Click View Report to display the selected report.

3. Results can be saved in a variety of formats, including HTML, Microsoft Word, and Microsoft Excel.

4. Select a computer name to view information about the computer in the Computer Compliance Report.

5. Select the plus sign (+) beside the computer name to view information about the volumes on the computer.

Computer Compliance Report

1. In the Management Console, select the Report node from the left hand navigation pane, and then select the Computer Compliance Report. Use the Computer Compliance report to search for a user name or computer name.

2. Click View Report to view the computer report.

3. Results can be saved in a variety of formats, including HTML, Microsoft Word, and Microsoft Excel.

4. Select a computer name to display more information about the computer in the Computer Compliance Report.

5. Select the plus sign (+) beside the computer name to view information about the volumes on the computer.

Recovery Key Audit Report

1. From the Management Console, select the Report node in the left hand navigation pane, and then select the Recovery Audit Report. Select the filters for your Recovery Key Audit report. The available filters for Recovery Key audits are the following:

• Requestor: This filter enables the user to specify the user name of the requestor. The requestor is the person in the helpdesk who accessed the key on behalf of a user.
• Requestee: This filter enables the user to specify the user name of the requestee. The requestee is the person who called the helpdesk to acquire a recovery key.
• Request Result: This filter enables the user to specify the request result types (for example: Success or Failed) that they want to base the report on. For instance, the user may want to view failed key access attempts.
• Key Type: This filter enables the user to specify the Key Type (for example: Recovery Key Password or TPM Password Hash) that they want to base the report on.
• Start Date: This filter is used to define the Start Date part of the date range that the user wants to report on.
• End Date: This filter is used to define the End Date part of the date range that the user wants to report on.

2. Click View Report to view the report.

3. Results can be saved in a variety of formats, including HTML, Microsoft Word, and Microsoft Excel.

Hardware Compatibility Audit Report

1. From the Management Console, select the Report node from the left navigation pane, and select the Hardware Audit Report. Select the appropriate filters for your Hardware Audit report. The available filters for Hardware Audits include the following:

• User (Domain\User): This filter enables the user to specify the name of the user who made a change.


• Change Type: This filter enables the user to specify the type of changes they are looking for.
• Start Date: This filter is used to define the Start Date part of the date range that the user wants to report on.
• End Date: This filter is used to define the End Date part of the date range that the user wants to report on.

2. Click View Report to view the report.

3. Results can be saved in a variety of formats, including HTML, Microsoft Word, and Microsoft Excel.

How to Determine BitLocker Encryption State of Lost Computers


Microsoft BitLocker Administration and Monitoring (MBAM) includes the ability to track the last known encryption status of computers that were lost or stolen. The following procedure explains how to determine whether the volumes on a computer are encrypted if there is a loss or theft.

How to Determine the BitLocker Encryption State of Lost Computers

1. Open a web browser and open the BitLocker Administration and Monitoring management console.

Note: The default address for the BitLocker Administration and Monitoring management console is http://<machinename>:<port>.

2. Select the Report node from the navigation pane and select the Computer Compliance Report.

3. Use the filter fields in the right-side pane to narrow the search results, and then click Search. Results will be shown below your search query.

4. Take the appropriate action as determined by your policy regarding lost devices.

Note: Device compliance is determined by the deployed BitLocker policies, so verification of deployed policies is recommended when attempting to determine the BitLocker encryption state of the device.


How to Recover an Encrypted Drive


The Encrypted Drive Recovery features of Microsoft BitLocker Administration and Monitoring (MBAM) ensure the capture and storage of data and availability of tools required to access a BitLocker-protected volume when BitLocker goes into recovery mode. This document covers how to access the centralized key recovery data system that can provide a recovery password, as long as a recovery password ID and associated user identifier are supplied.

How to Recover an Encrypted Drive

1. Open a web browser and browse to the BitLocker Administration and Monitoring website.

2. In the navigation pane on the left side, select Drive Recovery. This opens the Unlock BitLocker Encrypted Drive page.

3. Enter the Windows logon domain and user name of the user to view recovery information, and the first eight digits of the recovery key ID. Select one of the predefined options in the Reason for Drive Unlock drop-down menu. Click Submit.

4. BitLocker Administration and Monitoring will return the following:

a. An error message if no matching recovery password is found
b. Multiple possible matches if the user has multiple matching recovery passwords
c. The recovery password and recovery package for the submitted user

Note: If you are an Advanced Helpdesk user, the user domain and user ID fields are not required.

5. After the recovery password and recovery package are retrieved, the recovery password is displayed. The password can be copied by clicking Copy Key, and then you can paste the recovery password into an email message. Or, you can save the recovery password to a file by clicking Save.

6. As soon as the user inputs the recovery password into their system or uses the recovery package, the drive will be unlocked.

Note: If a single-use recovery key is used to recover a system, that recovery key cannot be used again.


How to Manage Hardware Systems


After both the Microsoft BitLocker Administration and Monitoring (MBAM) client and Group Policy have been installed on a client computer, the BitLocker Administration and Monitoring agent will report the model information of the computer to the MBAM server.

How to Manage Hardware Compatibility

1. Open a web browser and browse to the BitLocker Administration and Monitoring web site. This is http://<machinename> by default. Select Hardware in the left side pane.

2. In the right side pane, click Advanced Search and filter to display a list of all computer models with a Capability status of Unknown. A list of computer models matching the search criteria is returned.

3. Review each unknown hardware configuration to determine whether the configuration should be set to Supported or Unsupported.

4. Select one or more rows, and click either Set Supported or Set Unsupported to set the BitLocker compatibility, as appropriate, for the selected computer models. If set to Supported, BitLocker attempts to enforce drive encryption policy on computers that match the supported model. If set to Unsupported, BitLocker will not enforce drive encryption policy on those computers.

5. Administrators should monitor the hardware compatibility list on a regular basis to review new models discovered by the BitLocker Administration and Monitoring agent and then update their compatibility setting to Supported or Unsupported as appropriate.

How to Manage Roles for MBAM


After Microsoft BitLocker Administration and Monitoring (MBAM) setup is complete for all server components, administrative users will have to be granted access to one or more features. As a best practice, administrators who will manage or use MBAM features should be assigned to groups by using Active Directory.

How to Grant Access to MBAM Roles

1. Assign administrative users to groups in Active Directory Domain Services.

2. Add security groups to the roles for MBAM on the BitLocker Administration and Monitoring server for the respective features.

• MBAM System Administrators have access to all BitLocker Administration and Monitoring features in the MBAM Management Console


• MBAM Hardware Users have access to some of the Hardware Capability features in the MBAM Management Console
• MBAM Helpdesk Users have access to some of the Helpdesk features in the MBAM Management Console
• MBAM Report Users have access to the Compliance and Audit reports in the MBAM Management Console
• MBAM Advanced Helpdesk Users have increased access to the Helpdesk features in the MBAM Management Console

For more information about roles for BitLocker Administration and Monitoring, see Planning Server Infrastructure for MBAM.

How to Grant User Exemptions


Microsoft BitLocker Administration and Monitoring (MBAM) can grant two forms of exemption from BitLocker protection: computer exemption and user exemption. Because BitLocker policy is applied to the computer, we recommend that you control BitLocker protection by exempting computers. Your organization can also manage BitLocker protection by exempting users. To exempt users from BitLocker protection, an exempt user is added to a security group for Group Policy. When members of this security group sign on to a computer, the user Group Policy shows that the user is exempted from BitLocker protection. The user policy overrides the computer policy, and the computer will remain exempt from BitLocker protection. However, if the computer is already BitLocker-protected, the user exemption policy has no effect. The following table shows how BitLocker protection is applied based on how exemptions are set.

User Status        Computer Not Exempt                                Computer Exempt
User not exempt    BitLocker protection is enforced on computer       BitLocker protection is not enforced on computer
User exempt        BitLocker protection is not enforced on computer   BitLocker protection is not enforced on computer

Note: Shared computer scenarios require special consideration when using user exemption. If a non-exempt user logs on to a computer shared with an exempt user, the computer may be encrypted.

Technical Reference for MBAM


This section should contain sub-topics listing technical reference information that would be interesting to administrators. For example: all of the log file locations used by MBAM, additional deep technical information pulled from specs that customers might be interested in, programming reference, feature reference, tools reference, and glossary. Technical reference topics are also shared into this section from the deployment and operations sections.

MBAM Installation Checklists


The following checklist provides a high-level list of items to consider and outlines the steps that you should take to deploy Microsoft BitLocker Administration and Monitoring (MBAM).

BitLocker Administration and Monitoring Installation Checklist


Note It is not required to extend the Active Directory schema: BitLocker recovery data (the recovery keys) is stored in the MBAM Recovery and Hardware database, not in Active Directory.

Define the system architecture for BitLocker Administration and Monitoring that will support managing your environment.
  Reference: BitLocker Administration and Monitoring Deployment Guide: Planning for MBAM

Provision the Windows Servers that will be used to host the following BitLocker Administration and Monitoring features within your environment:
  - MBAM Administration and Monitoring server
  - MBAM Recovery and Hardware Database server
  - MBAM Compliance Status Database server
  - MBAM Compliance and Audit Reports server
  Reference: BitLocker Administration and Monitoring Deployment Guide: MBAM Supported Configurations

Install the required Windows Server roles, role services, and features on the Windows Server that will be used to host the following BitLocker Administration and Monitoring feature within your environment:
  - MBAM Administration and Monitoring server
  Reference: BitLocker Administration and Monitoring Deployment Guide: MBAM Supported Configurations

Install any critical Windows updates on the following servers:
  - MBAM Administration and Monitoring server
  - MBAM Recovery and Hardware Database server
  - MBAM Compliance Status Database server
  - MBAM Compliance and Audit Reports server
  Reference: http://go.microsoft.com/fwlink/?LinkId=105851

Provision the SQL Server Database Engine and other SQL Server features on the Windows Servers that will be used to host the following BitLocker Administration and Monitoring features within your environment:
  - MBAM Recovery and Hardware Database server
  - MBAM Compliance Status Database server
  Reference: BitLocker Administration and Monitoring Deployment Guide: MBAM Supported Configurations

Provision SQL Server Reporting Services on the Windows Server that will be used to host the following BitLocker Administration and Monitoring feature within your environment:
  - MBAM Compliance and Audit Reports server
  Reference: BitLocker Administration and Monitoring Deployment Guide: MBAM Supported Configurations

Configure the SQL Server Reporting Services instance on the MBAM Compliance and Audit Reports server so that it is operational and in a running state.
  Reference: BitLocker Administration and Monitoring Deployment Guide: MBAM Supported Configurations

Install any critical Microsoft SQL Server updates on the following servers:
  - MBAM Recovery and Hardware Database server
  - MBAM Compliance Status Database server
  - MBAM Compliance and Audit Reports server
  Reference: BitLocker Administration and Monitoring Deployment Guide: Planning for MBAM; http://go.microsoft.com/fwlink/?LinkId=105851

[This document is pre-release documentation and is subject to change in future releases. Blank sections are included as placeholders.]

Decide whether you will encrypt communication between BitLocker Administration and Monitoring features. If so, initiate the processes necessary to ensure that an appropriate certificate has been provisioned, through your Public Key Infrastructure (PKI), to each of the following servers:
  - MBAM Recovery and Hardware Database server
  - MBAM Compliance Status Database server
  - MBAM Compliance and Audit Reports server
  Important Certificates must be provisioned to each server before the BitLocker Administration and Monitoring features are installed; setup cannot be pointed at a certificate that does not yet exist in the machine store.

Run the BitLocker Administration and Monitoring setup from the MDOP installation media, from a copy of the installation media on a network shared folder, or from other storage media.
  Reference: BitLocker Administration and Monitoring Deployment Guide: Deploying MBAM
  Important When installing BitLocker Administration and Monitoring features across multiple servers, install the features in the following order:
  - MBAM Recovery and Hardware Database server
  - MBAM Compliance Status Database server
  - MBAM Compliance and Audit Reports server
  - MBAM Administration and Monitoring server
  The Administration and Monitoring server is installed last because its setup is configured with the databases and the Reporting Services instance, which must already exist.
  Reference: BitLocker Administration and Monitoring Deployment Guide: How to Deploy the MBAM Server Features
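Before launching setup on a server, it is worth proving that the prerequisites the checklist asks for are actually in place on that box: the Windows roles for the web server, the SQL Server and Reporting Services services running, the database server reachable on its TCP port, and (for the three servers that get a PKI certificate) a machine certificate with a private key, the Server Authentication EKU and a name matching the host's FQDN. The script below is an added example for this purpose and is not code from the MBAM guide or the product. The IIS feature list, the service names (default SQL Server and Reporting Services instances), the SQL host name and port, and the 3-second connect timeout are assumptions for illustration; the guide's "MBAM Supported Configurations" topic is the authority on what each role needs.

```powershell
<#
  Pre-flight checks for one MBAM server role. Added example, not code from the MBAM guide.
  Assumptions (illustration only): IIS feature names, default-instance service names,
  the SQL Server host/port, and a 3-second TCP timeout. Run on the server being prepared.
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('AdminMonitoring', 'RecoveryDb', 'ComplianceDb', 'Reports')]
    [string]$Role,
    [string]$SqlServerFqdn = 'sql01.corp.example',   # assumed: host of the MBAM databases
    [int]$SqlPort = 1433
)

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'                 # id-kp-serverAuth
$results = New-Object System.Collections.ArrayList

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    [void]$results.Add((New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }))
}

# Windows Server roles/features via the ServerManager module (Windows Server 2008 R2 style).
function Test-Features([string[]]$Names) {
    Import-Module ServerManager -ErrorAction Stop
    foreach ($n in $Names) {
        $f = Get-WindowsFeature -Name $n -ErrorAction SilentlyContinue
        $ok = ($f -ne $null) -and $f.Installed
        Add-Result "Feature $n" $ok $(if ($ok) { 'installed' } else { 'missing' })
    }
}

function Test-ServiceRunning([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $ok = ($svc -ne $null) -and ($svc.Status -eq 'Running')
    Add-Result "Service $Name" $ok $(if ($svc) { [string]$svc.Status } else { 'not found' })
}

# TCP reachability with a timeout; Test-NetConnection is not available on 2008 R2.
function Test-Tcp([string]$TargetHost, [int]$Port) {
    $client = New-Object System.Net.Sockets.TcpClient
    $ok = $false
    try {
        $ar = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne(3000)) { $client.EndConnect($ar); $ok = $client.Connected }
    } catch { $ok = $false } finally { $client.Close() }
    Add-Result "TCP ${TargetHost}:${Port}" $ok $(if ($ok) { 'reachable' } else { 'unreachable or timed out' })
}

# A machine certificate usable for TLS between MBAM features: private key present,
# currently valid, Server Authentication EKU, and a DNS name equal to this host's FQDN.
function Test-ServerCert {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $now = Get-Date
    $found = $null
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        if (-not $cert.HasPrivateKey -or $cert.NotAfter -le $now -or $cert.NotBefore -ge $now) { continue }
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
        if (-not $ekuExt) { continue }
        $hasServerAuth = $false
        foreach ($oid in $ekuExt.EnhancedKeyUsages) { if ($oid.Value -eq $ServerAuthEku) { $hasServerAuth = $true } }
        $dns = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($hasServerAuth -and $dns -eq $fqdn) { $found = $cert; break }
    }
    Add-Result 'Server auth certificate' ($found -ne $null) $(if ($found) { $found.Thumbprint } else { "no valid cert for $fqdn with private key" })
}

switch ($Role) {
    'AdminMonitoring' {
        Test-Features @('Web-Server', 'Web-Asp-Net', 'Web-Windows-Auth', 'Web-Mgmt-Console')  # assumed feature set
        Test-ServiceRunning 'W3SVC'
        Test-Tcp $SqlServerFqdn $SqlPort
    }
    'RecoveryDb'   { Test-ServiceRunning 'MSSQLSERVER'; Test-ServerCert }
    'ComplianceDb' { Test-ServiceRunning 'MSSQLSERVER'; Test-ServerCert }
    'Reports'      { Test-ServiceRunning 'ReportServer'; Test-ServerCert; Test-Tcp $SqlServerFqdn $SqlPort }
}

$results | Format-Table Check, Ok, Detail -AutoSize
if ($results | Where-Object { -not $_.Ok }) { Write-Warning "Role $Role is not ready for MBAM setup."; exit 1 }
```

Run it once per server with the role that server will host (for example `.\Test-MbamPrereqs.ps1 -Role Reports`) and only start MBAM setup when every check reports Ok; a failed certificate check on a database server is the one to take seriously, because setup has to be able to bind to that certificate and you cannot add it afterwards without reconfiguring.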

Verify that the BitLocker Administration and Monitoring features were successfully deployed and are operational.
  Reference: BitLocker Administration and Monitoring Deployment Guide: How to Deploy the MBAM Server Features

Define and initiate a backup policy for the MBAM Recovery and Hardware database and the MBAM Compliance Status database. The Recovery and Hardware database holds every recovery key MBAM has escrowed; without a restorable backup of it, those keys cannot be recovered.
  Reference: BitLocker Administration and Monitoring Deployment Guide: How to Deploy the MBAM Server Features

If you chose to encrypt the MBAM Recovery and Hardware database, create a backup of the certificate that was used to encrypt the database, including its private key, and keep it separately from the database backups. A backup of an encrypted database cannot be restored on an instance that does not have this certificate.
  Reference: BitLocker Administration and Monitoring Deployment Guide: How to Deploy the MBAM Server Features

Add users to the BitLocker Administration and Monitoring local groups on the following servers:
  - MBAM Administration and Monitoring server
  - MBAM Compliance and Audit Reports server
  Reference: BitLocker Administration and Monitoring Deployment Guide: How to Deploy the MBAM Server Features
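The certificate backup above is the step most often done wrong: the wrong certificate is exported, or only the public half is saved. The script below is an added example, not code from the MBAM guide or the product; it assumes that the database encryption option uses SQL Server Transparent Data Encryption (TDE), whose certificate lives in master, and it uses the database name `MBAM Recovery and Hardware`, a default local SQL Server instance and the folder `D:\MBAMCertBackup` as assumptions for illustration. Rather than trusting a certificate name, it asks SQL Server which certificate actually encrypts the database's key, backs up that certificate with its private key, and then checks that the thumbprint of the file it wrote matches the encryptor.

```powershell
<#
  Back up the TDE certificate protecting the MBAM Recovery and Hardware database and prove
  the backup is the right certificate. Added example, not code from the MBAM guide.
  Assumptions: default local instance, the database name below, a folder the SQL Server
  service account can write to, and a caller with CONTROL on the certificate (sysadmin).
#>
param(
    [string]$SqlInstance = '.',
    [string]$Database = 'MBAM Recovery and Hardware',   # assumed database name
    [string]$BackupDir = 'D:\MBAMCertBackup',          # assumed; written by the SQL Server service account
    [Parameter(Mandatory = $true)][System.Security.SecureString]$PrivateKeyPassword
)

function Invoke-Sql([string]$Query, [hashtable]$Params = @{}) {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlInstance;Database=master;Integrated Security=SSPI")
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        foreach ($k in $Params.Keys) { [void]$cmd.Parameters.AddWithValue("@$k", $Params[$k]) }
        $table = New-Object System.Data.DataTable
        [void](New-Object System.Data.SqlClient.SqlDataAdapter($cmd)).Fill($table)
        return ,$table          # comma keeps the DataTable intact instead of unrolling its rows
    } finally { $conn.Close() }
}

# 1. Which certificate encrypts this database's DEK? Never guess from the name.
$findEncryptor = @"
SELECT c.name, c.thumbprint, k.encryption_state
FROM sys.dm_database_encryption_keys AS k
JOIN sys.certificates AS c ON c.thumbprint = k.encryptor_thumbprint
WHERE k.database_id = DB_ID(@db)
"@
$info = Invoke-Sql $findEncryptor @{ db = $Database }
if ($info.Rows.Count -eq 0) { throw "'$Database' is not TDE-encrypted on $SqlInstance (nothing to back up, or wrong name)." }
$row = $info.Rows[0]
if ([int]$row.encryption_state -ne 3) { Write-Warning "encryption_state is $($row.encryption_state); 3 means fully encrypted." }
$certName = [string]$row.name
# The name goes into DDL unparameterised, so accept only a conservative identifier.
if ($certName -notmatch '^[A-Za-z0-9_]+$') { throw "Unexpected certificate name '$certName'; refusing to build DDL from it." }
$expectedThumb = (($row.thumbprint | ForEach-Object { $_.ToString('X2') }) -join '')

# 2. BACKUP CERTIFICATE ... WITH PRIVATE KEY. Paths and password are string literals in T-SQL,
#    so single quotes are doubled; files are timestamped because SQL refuses to overwrite.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$cerPath = Join-Path $BackupDir "$certName-$stamp.cer"
$pvkPath = Join-Path $BackupDir "$certName-$stamp.pvk"
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($PrivateKeyPassword)
try { $plainPwd = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
$esc = { param($s) $s -replace "'", "''" }
$backup = "BACKUP CERTIFICATE [$certName] TO FILE = '$(& $esc $cerPath)' " +
          "WITH PRIVATE KEY (FILE = '$(& $esc $pvkPath)', ENCRYPTION BY PASSWORD = '$(& $esc $plainPwd)')"
[void](Invoke-Sql $backup)
$plainPwd = $null

# 3. Verify: the .cer is DER X.509, so load it and compare thumbprints with the encryptor.
#    (Paths are on the SQL Server host; with a local instance they are visible here.)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($cert.Thumbprint -ne $expectedThumb) { throw "Backup thumbprint $($cert.Thumbprint) does not match encryptor $expectedThumb." }
if ((Get-Item $pvkPath).Length -eq 0) { throw "Private key file $pvkPath is empty." }

New-Object PSObject -Property @{ Certificate = $certName; Thumbprint = $expectedThumb; Public = $cerPath; PrivateKey = $pvkPath }
```

Move the `.cer`, the `.pvk` and the password off the database server into separate, access-controlled locations: together with a database backup they are sufficient to decrypt every recovery key MBAM holds, so they deserve at least the protection of the database itself, and they are exactly what a restore onto a rebuilt instance will demand.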

Define the BitLocker Administration and Monitoring policies and provision them to Active Directory through Group Policy.

Deploy the BitLocker Administration and Monitoring client to desktops on the network and to any images that are used for provisioning new desktops.
  Reference: BitLocker Administration and Monitoring Deployment Guide: How to Deploy the MBAM Server Features


List of Log Files for MBAM


This section describes the locations of the log files used by Microsoft BitLocker Administration and Monitoring (MBAM) during setup and operation.

Setup
To get setup log files, install the BitLocker Administration and Monitoring MSI package with msiexec and its verbose logging switch, /l*v <path to log file> (the same /L switch as before, with the verbose flags that make the log useful). The log is written to the file you specify; Windows Installer writes no log unless asked, so always run setup this way on production servers.

Administration and Monitoring server
The MBAM websites and web services write to the standard IIS logs. By default these are under %SystemDrive%\inetpub\logs\LogFiles\W3SVC<site ID>, one folder per IIS site, where <site ID> is the numeric ID shown in IIS Manager. Note that IIS records timestamps in UTC by default, which matters when correlating with client or SQL Server logs.

Client
For the MBAM client, the Admin and Operational logs are in Event Viewer under Applications and Services Logs / Microsoft / Windows / BitLockerManagement.
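Knowing where the logs are is half the job; the other half is pulling the one line that matters out of each. The script below is an added example of a first-pass triage over the three sources described above, and is not code from the MBAM guide or the product. The MSI and IIS sample lines embedded in it are constructed for the demonstration (the request paths are illustrative), and the event channel name passed to Get-WinEvent is an assumption derived from the Event Viewer folder path given above.

```powershell
<#
  First-pass triage of MBAM log sources. Added example, not code from the MBAM guide.
  The MSI and IIS lines below are constructed samples; the event channel name is assumed
  from the Event Viewer path "Microsoft / Windows / BitLockerManagement".
#>

# To produce the setup log in the first place (package name is a placeholder):
#   msiexec /i <package>.msi /l*v C:\Logs\mbam-setup.log

# Windows Installer marks the failing action with "Return value 3"; the lines just before it
# usually name the real cause (a custom action error, a SQL or IIS failure).
function Find-MsiFailure([string[]]$Lines, [int]$Context = 5) {
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -match 'Return value 3') {
            $start = [Math]::Max(0, $i - $Context)
            return $Lines[$start..$i]
        }
    }
    return @()
}

# IIS W3C logs: column order comes from the #Fields header, fields are space separated
# (IIS substitutes '+' for spaces inside values), and 4xx/5xx responses are the failures.
function Get-IisFailedRequests([string[]]$Lines) {
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or -not $fields -or $line.Trim() -eq '') { continue }
        $cols = $line -split '\s+'
        $row = @{}
        for ($j = 0; $j -lt $fields.Count; $j++) { $row[$fields[$j]] = $cols[$j] }
        if ([int]$row['sc-status'] -ge 400) {
            New-Object PSObject -Property @{
                Time = "$($row['date']) $($row['time'])Z"; Client = $row['c-ip']; User = $row['cs-username']
                Method = $row['cs-method']; Uri = $row['cs-uri-stem']
                Status = $row['sc-status']; SubStatus = $row['sc-substatus']
            }
        }
    }
}

# Constructed sample of a failed server setup log.
$msiSample = @'
MSI (s) (A4:3C) [10:02:11:123]: Executing op: ActionStart(Name=ConfigureDatabase,,)
MSI (s) (A4:3C) [10:02:11:456]: Executing op: CustomActionSchedule(Action=ConfigureDatabase,ActionType=3073,Source=BinaryData)
CustomAction ConfigureDatabase returned actual error code 1603
MSI (s) (A4:3C) [10:02:12:001]: Note: 1: 1722 2: ConfigureDatabase
Action ended 10:02:12: InstallFinalize. Return value 3.
'@ -split "`r?`n"

# Constructed sample IIS log: one client rejected at 401.2 (authentication), one server error.
$iisSample = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-03-18 10:05:01 10.0.0.5 POST /RecoveryAndHardwareService/CoreService.svc - 443 - 10.0.1.20 - 401 2 5 12
2011-03-18 10:05:02 10.0.0.5 POST /RecoveryAndHardwareService/CoreService.svc - 443 CORP\ws01$ 10.0.1.20 - 200 0 0 40
2011-03-18 10:05:09 10.0.0.5 GET /HelpDesk/Default.aspx - 443 CORP\alice 10.0.1.30 - 500 0 0 310
'@ -split "`r?`n"

Find-MsiFailure $msiSample | ForEach-Object { Write-Output "MSI: $_" }
Get-IisFailedRequests $iisSample | Format-Table Time, Client, User, Method, Uri, Status, SubStatus -AutoSize

# Client side: errors and warnings from the BitLockerManagement Admin channel (name assumed;
# confirm with Get-WinEvent -ListLog '*BitLocker*' on a client).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-BitLockerManagement/Admin'; Level = 1, 2, 3 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```

For real logs, replace the samples with `Get-Content C:\Logs\mbam-setup.log` and `Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC1\*.log"`. A 401 with substatus 2 on the recovery service, as in the sample, points at authentication between the client's machine account and the web service rather than at MBAM itself, and the "Z" appended to the IIS time is a reminder that those timestamps are UTC.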
