Deploying BitLocker? Here’s What You Need to Know about MBAM

Over the course of the past 12 months, unsuspecting organizations across all industries have fallen victim to targeted attacks, the majority of which have resulted in significant data breaches compromising sensitive customer and employee information. Data encryption is a comprehensive method of securing data that combats many internal and external threats by way of key management and endpoint security. As with all solutions, security-related or otherwise, the issue does not lie in the solution's effectiveness but in the way it can be managed.

Tech giant Microsoft offers a software encryption method in its BitLocker offering. BitLocker is a good, robust encryption engine and it is “free” with some operating system bundles, which significantly increases its widespread adoption among end users. However, it follows a freemium model, requiring an upcharge for Microsoft BitLocker Administration and Monitoring (MBAM) to manage it effectively in an enterprise.

However, IT pros warn that MBAM is more trouble than it is worth, and the amount of time spent on preparatory and training tasks skews the total cost of ownership. For example, IT pros overlook that MBAM requires an understanding of a slew of supporting products, including SQL Server, System Center Configuration Manager, Active Directory, Group Policy Objects and Internet Information Services.

There are three major limitations to MBAM that IT pros should be aware of before deploying it to manage BitLocker encryption:

1. Key Management

The main limitation of MBAM is its lack of key management capabilities. MBAM’s key management is device-based and does not have a common central console for all encrypted endpoints. This affects password-retrieval capabilities and policy management for removable media, folders and files.

Furthermore, MBAM does not mandate user-based authentication at pre-boot, which presents not only a security weakness but also a drawback for remote management.

2. Authentication

MBAM offers a secure network auto-unlock for the encryption engine; however, this protection is not comprehensive, as it does not include single- and multi-factor user-based authentication measures such as tokens, smartcards and biometrics.

More effective management solutions allow the administrator to set and enforce policies relatively independent of the actual encryption engine on the endpoint. This includes provisioning of user access or helping users recover from lost passwords. 

If necessary, additional user capabilities range from sending the device the credentials (or keys) to unlock automatically without user intervention, to sending a kill pill to the device and triggering a crypto-erase. More often, if the policy was set to allow a particular user access, the central key manager would send the credentials (or keys) required to decrypt or unlock the drive protected by the user’s password or smart card. User authentication would then occur locally.

To do all this, IT pros might consider a management solution that uses pre-boot network-based authentication to communicate with a central key manager or Active Directory to authenticate the keys and stored credentials, both locally and remotely.
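The two gaps raised in the key management and authentication sections above (recovery keys that are not escrowed centrally, and drives that auto-unlock with the TPM alone rather than requiring a user to authenticate before boot) can both be audited on a Windows endpoint from the built-in BitLocker PowerShell module. The script below is an added example written for this article; it is not MBAM code, not Microsoft's, and not from any product the article describes. It assumes the `Get-BitLockerVolume` and `Backup-BitLockerKeyProtector` cmdlets that ship with Windows, a domain-joined machine whose Group Policy permits backing up recovery passwords to Active Directory, and an elevated session. The function name `Get-BitLockerComplianceReport` and the `$PreBootUserProtectors` list are the author's own choices.

```powershell
# Added example, not from the article or from MBAM. Audits BitLocker volumes for
# (a) a protector that makes the user authenticate before Windows boots and
# (b) recovery passwords, optionally escrowing them to Active Directory.
# Assumes the built-in BitLocker module, an AD-joined host whose GPO allows
# recovery-password backup to AD DS, and an elevated (Administrator) session.

# Protector types that require a user-supplied secret at pre-boot.
# TPM-only and TpmNetworkKey (network unlock) are deliberately excluded:
# they unlock the OS volume without the user proving anything.
$PreBootUserProtectors = @('TpmPin', 'TpmPinStartupKey', 'Password')

function Get-BitLockerComplianceReport {
    param(
        # When set, push every RecoveryPassword protector to AD DS. The client
        # cannot query whether escrow already happened, so the backup is
        # repeated; the cmdlet throws if the domain refuses the write.
        [switch]$EscrowMissingKeys
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBootUser = @($types | Where-Object { $PreBootUserProtectors -contains $_ }).Count -gt 0
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        if ($EscrowMissingKeys -and $recovery.Count -gt 0) {
            foreach ($rp in $recovery) {
                # Stores the recovery password under the computer object in AD DS.
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null
            }
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus   # On / Off
            EncryptionMethod  = $vol.EncryptionMethod
            Protectors        = ($types -join ',')
            PreBootUserAuth   = $hasPreBootUser
            RecoveryPasswords = $recovery.Count
        }
    }
}

# Usage: list protected volumes that rely on TPM-only (or network) auto-unlock,
# i.e. nobody has to authenticate before the OS boots.
Get-BitLockerComplianceReport |
    Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.PreBootUserAuth } |
    Format-Table -AutoSize

# Usage: escrow recovery passwords and flag volumes that have none at all.
Get-BitLockerComplianceReport -EscrowMissingKeys |
    Where-Object { $_.ProtectionStatus -eq 'On' -and $_.RecoveryPasswords -eq 0 } |
    Format-Table -AutoSize
```

Running this across a fleet (for example via a scheduled task that writes the objects to a central share or SIEM) gives the "common central console" view the article says MBAM lacks, at least for the two properties that matter most for recovery and for pre-boot assurance. It does not replace a key manager: the escrowed password still has to be retrieved by a help-desk process with its own authorization checks.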

3. Agnosticism

Lastly, MBAM is exclusive to Microsoft operating systems, so it will not interoperate with other platforms. It does not manage Apple FileVault 2, Linux, or even self-encrypting drives in Windows 7.

Microsoft BitLocker is a good, robust encryption engine for Windows, but Microsoft's management solution for BitLocker, MBAM, can be more trouble than it is worth. If the MBAM pain points and limitations outlined in this article strike a chord, consider the features above when searching for an encryption management solution, so as to get the most out of BitLocker with the least total cost of ownership.
