Microsoft Bitlocker Administration And Monitoring-PDF Free Download

Transcription

MBAM DEPLOYMENT GUIDE INTRODUCTION 1, Introduction. Organizations rely on BitLocker Drive Encryption and BitLocker To Go to protect data on. computers running the Windows 8 1 Windows 8 or Windows 7 operating systems Windows to. Go fixed data drives and removable drives Microsoft BitLocker Administration and Monitoring. MBAM version 2 5 which is included in the Microsoft Desktop Optimization Pack MDOP for. Microsoft Software Assurance makes BitLocker implementations easier to deploy and manage. and allows administrators to provision and monitor encryption for operating system and fixed. data drives, For BitLocker To Go protected removable drives BitLocker stores the. recovery keys but does not monitor or enforce encryption. The key benefits of using MBAM to manage BitLocker technologies are. Simplified provisioning and management BitLocker deployment is easier with MBAM. because MBAM can be integrated with existing automated provisioning and deployment. processes to ensure that existing and new devices are protected You can provision. BitLocker as a part of or after operating system deployment then use Group Policy. settings for ongoing BitLocker management and compliance enforcement If drives were. already encrypted with BitLocker prior to deploying MBAM MBAM will escrow the. recovery keys and report compliance, Improved compliance and reporting Encryption and protection of sensitive. information are essential to organizational compliance programs MBAM includes built. in reports that provide the current BitLocker encryption status of devices MBAM also. audits access to BitLocker recovery keys and can provide reports on who accessed. specific recovery key information, Reduced support effort A customized MBAM Control Panel app replaces the default. BitLocker Control Panel item and allows users to manage local MBAM and BitLocker. MBAM DEPLOYMENT GUIDE INTRODUCTION 2, configuration Secure web based recovery key management portals allow help desk staff.
and users recover BitLocker enabled devices Together the customized Control Panel. app and these portals allow users and IT staff to perform common tasks such managing. the BitLocker PIN without you having to grant administrative rights to the managed. devices Enabling self service support helps reduce BitLocker related help desk tickets by. enabling users to reset their own PINs and recover their own BitLocker protected drives. To learn more about taking advantage of MBAM in your business see the Microsoft BitLocker. Administration and Monitoring content on the Microsoft Desktop Optimization Pack website. This guide describes how to deploy MBAM including the server architecture with a focus on. automating the deployment and configuration of the MBAM client to managed devices It first. describes the MBAM components Then it shows you how to prepare for deployment and. provides step by step instructions for deploying the MBAM client by using the following tools. and technologies, Group Policy software installation. Microsoft Deployment Toolkit MDT 2013, Microsoft System Center 2012 R2 Configuration Manager. Scripted installation e g command prompt, MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 3. MBAM components, MBAM uses a client server model to manage BitLocker You can deploy MBAM in either a. stand alone or System Center Configuration Manager Integration topology The following. sections describe each, MBAM Stand alone topology, You use the MBAM Stand alone topology illustrated in Figure 1 when your organization does.
not have an existing System Center Configuration Manager infrastructure In this topology. MBAM and Microsoft SQL Server provide all the necessary components You can use the MBAM. Stand alone topology even if your organization uses System Center Configuration Manager. However if your organization has a System Center Configuration Manager infrastructure and. you want to use the MBAM with it see MBAM Configuration Manager Integration topology. Figure 1 MBAM Stand alone topology, Table 1 describes the computers and devices in this topology and provides a brief description of. MBAM components and the role of each computer and device The components in Table 1 are. logical and you can define your topology in many ways e g putting the MBAM databases on. different servers, MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 4. Table 1 Computers in the MBAM Stand alone topology. Computer or device Description, Administration and The following features are installed on this server. Monitoring Server, Administration and Monitoring Server The. Administration and Monitoring Server feature is, installed on a computer running the Windows Server.
operating system and consists of the Administration. and Monitoring website which includes the reports, and the Help Desk Portal and the monitoring web. Self Service Portal The Self Service Portal is, installed on a computer running Windows Server The. portal enables users on client computers to, independently obtain a key to recover a locked. BitLocker volume, MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 5. Computer or device Description, Database Server The following features are installed on this server.
Recovery Database The Recovery Database is, installed on a computer running Windows Server and. a supported instance of SQL Server This database, stores recovery data collected from MBAM client. Compliance and Audit Database The Compliance, and Audit Database is installed on a computer. running Windows Server and a supported instance of. SQL Server This database stores compliance data for. MBAM client computers which is used primarily for, reports that Microsoft SQL Server Reporting Services. Compliance and Audit Reports The Compliance, and Audit Reports are installed on a computer.
running Windows Server and a supported instance of. SQL Server that has the SQL Server Reporting Services. feature installed They provide MBAM reports that, you can access from the Administration and. Monitoring website or directly from the SQL Server. Reporting Services server, MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 6. Computer or device Description, Management workstation The following can be downloaded and installed on the. Management workstation which can be a computer, running Windows Server or a client operating system. Policy Template The Policy Template consists of, Group Policy settings that define MBAM.
implementation settings for BitLocker You can install. the Policy Template on any server or workstation but. it is commonly installed on a management, workstation which is a supported Windows Server. machine or client computer The workstation does not. have to be a dedicated computer For more, information see the section Deploying the MBAM. Group Policy settings, Managed device The MBAM client is installed on the managed Windows. device and has the following characteristics, Uses Group Policy to enforce the BitLocker encryption. of client computers in the enterprise, Collects the recovery key for the three BitLocker data.
drive types operating system drives fixed data drives. and removable data USB drives, Collects compliance data for the computer and. passes the data to the reporting system, MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 7. Computer or device Description, Active Directory Domain The following can be downloaded and installed on the. Services AD DS domain domain controller, controller. Policy Template The Policy Template consists of, Group Policy settings that define MBAM.
implementation settings for BitLocker You can install. the Policy Template on a domain controller so that it. is available to administrators on all management, computers For more information see the section. Deploying the MBAM Group Policy settings, MBAM Configuration Manager Integration topology. Use the MBAM Configuration Manager Integration topology illustrated in Figure 2 when your. organization has an existing System Center Configuration Manager infrastructure In this. topology the MBAM components are distributed across the MBAM Administration and. Monitoring Server SQL Server and System Center Configuration Manager In this topology. System Center Configuration Manger runs some of the MBAM components MBAM supports. System Center 2012 R2 Configuration Manager System Center 2012 Configuration Manager. with Service Pack 1 SP1 and Microsoft System Center Configuration Manager 2007 with SP1. infrastructures, Windows to Go is not supported when you install the System Center. Configuration Manager Integration topology with System Center. Configuration Manager 2007, If your organization does not have a System Center Configuration Manager infrastructure see. MBAM Stand alone topology, MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 8.
Figure 2 MBAM Configuration Manager Integration topology. The placement of the MBAM components in the MBAM Configuration Manager Integration. topology is similar to the MBAM Stand alone topology. Table 2 describes the computers and devices in the MBAM Configuration Manager Integration. topology illustrated in Figure 2 and provides a brief description of the MBAM components and. role of each computer and device, MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 9. Table 2 Computers in the MBAM Configuration Manager Integration. Computer or device Description, Administration and The following features are installed on this server. Monitoring Server, Administration and Monitoring Server The. Administration and Monitoring Server feature is, installed on a computer running Windows Server and. consists of the Administration and Monitoring, website which includes the audit reports the Help.
Desk Portal and the monitoring web services, Self Service Portal The Self Service Portal is. installed on a computer running Windows Server It, enables users on client computers to independently. obtain a key to recover a locked BitLocker volume, Database Server The following features are installed on this server. Recovery Database The Recovery Database is, installed on a computer running Windows Server and. a supported instance of SQL Server This database, stores recovery data collected from MBAM client.
Audit Database The Audit Database is installed on a. computer running Windows Server and a supported, instance of SQL Server This database stores audit. details about recovery data access, Audit Reports The Audit Reports are installed on a. computer running Windows Server and a supported, instance of SQL Server that has the SQL Server. Reporting Services feature installed They provide, MBAM reports that you can access from the. Administration and Monitoring website or directly, from the SQL Server Reporting Services server.
MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 10, Computer or device Description. Configuration Manager The Configuration Manager Site Server collects the. Primary Site Server hardware inventory information from client computers. and is used to report the BitLocker compliance of client. computers The following features are installed on this. Compliance Reports The Compliance Reports are, installed on the computer running the Reporting. Services point site system role They provide MBAM, reports that you can access from the Configuration. Manager console or directly from the SQL Server, Reporting Services server on the Reporting Services. Management workstation The following can be installed on the Management. workstation which can be a client computer running. Windows Server or a client operating system, Policy Template The Policy Template consists of.
Group Policy settings that define MBAM, implementation settings for BitLocker You can install. the Policy Template on any server or workstation but. it is commonly installed on a management, workstation which is a supported Windows Server. computer or client computer The workstation does, not have to be a dedicated computer For more. information see the section Deploying the MBAM, Group Policy settings. Configuration Manager console The Configuration, Manager console is used to view MBAM reports.
MBAM DEPLOYMENT GUIDE MBAM COMPONENTS 11, Computer or device Description. Managed device The MBAM client and Configuration Manager client are. installed on the managed Windows device and have the. following characteristics, Use Group Policy to enforce the BitLocker encryption. of client computers in the enterprise, Collect the recovery key for the three BitLocker data. drive types operating system drives fixed data drives. and removable data USB drives, Enable System Center Configuration Manager to. collect hardware compatibility data about client, Enable System Center Configuration Manager to.
report compliance information, AD DS domain controller The following can be downloaded and installed on the. domain controller, Policy Template The Policy Template consists of. Group Policy settings that define MBAM, implementation settings for BitLocker You can install. the Policy Template on a domain controller so that it. is available to administrators on all management, computers For more information see the section. Deploying the MBAM Group Policy settings, MBAM DEPLOYMENT GUIDE PREPARING FOR DEPLOYMENT 12.
Preparing for deployment, MBAM requires the following services and features for both the stand alone and Configuration. Microsoft BitLocker Administration and Monitoring MBAM version 2 5 which is included in the Microsoft Desktop Optimization Pack MDOP for Microsoft Software Assurance makes BitLocker implementations easier to deploy and manage