MBAM (Microsoft BitLocker Administration and Monitoring) is one of those tools that I recommend to clients by default. MBAM is bundled with MDOP (Microsoft Desktop Optimisation Pack).
MBAM extends Bitlocker and adds additional features such as:
- Secure key escrow to a SQL Server database (the recovery key database)
- Key rotation
- Helpdesk/self-service portal (although self-service is rarely used)
- PIN prompt (users are prompted to set their own PINs, so you are not stuck distributing or hard-coding one)
Unfortunately, Microsoft recently set the mainstream support end date for MBAM to July 2019. ‘Extended support’ is set to expire in 2024. MBAM should continue to get critical security patches until the end of extended support, but will not get new features after July 2019. With Windows 10 and Windows Server feature updates now shipping twice a year, the real concern is whether MBAM will keep up with new OS releases it was never tested against.
If you have MBAM in place now, you should be fine for quite a while. However, if you are planning to deploy MBAM soon, you may want to reconsider. Without MBAM, you will need to use Active Directory Domain Services or Azure Active Directory for key escrow: AD DS storage needs the BitLocker schema extensions (Windows Server 2008 or later) and the ‘Store BitLocker recovery information in Active Directory Domain Services’ policy so the recovery password is written to the computer object automatically, while Azure AD storage needs the device to be Azure AD joined or hybrid joined. You also lose the helpdesk portal and key rotation, so check that whoever does recovery can actually get at the keys before you switch.
“Enterprises can use Microsoft BitLocker Administration and Management (MBAM) to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ends in July 2019 or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the PowerShell examples to see how to store recovery keys in Azure Active Directory (Azure AD).”
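The following PowerShell is an added example of doing the escrow yourself without MBAM; it is not from the original post or from the Microsoft article quoted above. It finds (or creates) the recovery password protector on the OS volume, backs it up to AD DS if the machine is domain-joined and to Azure AD if it is Azure AD or hybrid joined, then optionally reads back the msFVE-RecoveryInformation object to confirm the AD DS copy landed. Assumptions: it is run elevated on Windows 10 with the built-in BitLocker module, the AD schema and computer-account permissions for BitLocker recovery information are in place, and the verification step needs the RSAT ActiveDirectory module. The helper function name is mine.

```powershell
# Added example (not the post's or Microsoft's code): escrow the OS volume's
# BitLocker recovery password to AD DS and/or Azure AD in place of MBAM.
# Assumes: elevated PowerShell on Windows 10; BitLocker module present;
# AD schema + computer account permissions for msFVE-RecoveryInformation;
# RSAT ActiveDirectory module for the optional verification at the end.

$mountPoint = $env:SystemDrive

function Get-RecoveryPasswordProtectors {
    # Hypothetical helper name. Returns every recovery-password protector on
    # the volume; it is the 48-digit numerical password that gets escrowed,
    # not the TPM protector.
    param([string]$MountPoint)
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

$protectors = Get-RecoveryPasswordProtectors -MountPoint $mountPoint
if (-not $protectors) {
    # No recovery password yet (e.g. encrypted with TPM only): add one,
    # otherwise there is nothing to escrow and nothing for the helpdesk to use.
    Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector | Out-Null
    $protectors = Get-RecoveryPasswordProtectors -MountPoint $mountPoint
}

$domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
# dsregcmd reports "AzureAdJoined : YES" for both Azure AD joined and hybrid joined devices.
$aadJoined = [bool]((dsregcmd.exe /status) -match '^\s*AzureAdJoined\s*:\s*YES')

foreach ($p in $protectors) {
    if ($domainJoined) {
        # Writes an msFVE-RecoveryInformation child object under the computer account.
        Backup-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $p.KeyProtectorId
    }
    if ($aadJoined) {
        # Stores the recovery password against the device object in Azure AD.
        BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $p.KeyProtectorId
    }
    if (-not ($domainJoined -or $aadJoined)) {
        Write-Warning "Not domain or Azure AD joined; recovery password $($p.KeyProtectorId) has NOT been escrowed."
    }
}

# Optional check for the AD DS case: list the recovery objects now attached to
# this computer account. The GUID here must match the protector ID reported by
# the recovery screen when a user actually needs the key.
if ($domainJoined -and (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Import-Module ActiveDirectory
    $computerDn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    Get-ADObject -SearchBase $computerDn -SearchScope OneLevel `
        -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
        -Properties 'msFVE-RecoveryGuid' |
        Select-Object Name, 'msFVE-RecoveryGuid'
}
```

Running this once per machine (for example as a startup script) covers drives that were encrypted before the escrow policy was applied, which is the usual reason a key turns out to be missing from AD when someone needs it. Note that the backup cmdlets only copy the recovery password; they do not rotate it, so a key that has been read out of AD by the helpdesk stays valid until you replace the protector yourself.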