Microsoft BitLocker Administration and Monitoring (MBAM) Part 2 – Requirements

Welcome to part two of my multi-part blog regarding MBAM. Today I’ll discuss hardware and software requirements.

I’m going to start with the software requirements. If you can run the correct OS and SQL versions on your physical and/or virtual machines then you can run MBAM.

The minimum operating system for the servers is Windows Server 2008 SP2 (x86 and 64-bit) or higher. At the time of this blog, Windows Server 2008 R2 64-bit is the higher version and is currently supported. Keep in mind the other piece of software you need is Microsoft SQL Server 2008 R2 Enterprise, Datacenter, or Developer edition. Notice how I didn’t say Microsoft SQL Server 2008 R2 Standard. This is because the compliance/audit reports server and the recovery/hardware database servers need Enterprise, Datacenter, or Developer. There is one database that will run on SQL 2008 R2 Standard, and that’s the compliance status database server. Most organizations will combine the database servers, so I recommend just using Microsoft SQL Server 2008 R2 Enterprise, Datacenter, or Developer. As for the clients, they need to be Microsoft Windows 7 Enterprise or Ultimate with a Trusted Platform Module (TPM) v1.2 chip turned on and resettable from the OS.
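
A quick way to check the client prerequisites above before deploying, as an added example that is not part of the original post or of MBAM itself. The function name Test-MbamClientReadiness is made up for illustration, and treating "turned on" as "TPM enabled and activated" is an assumption.

```powershell
# Added example (not from the original post). Run elevated: Win32_Tpm is
# not readable from a non-administrative session.
function Test-MbamClientReadiness {
    param([string]$ComputerName = '.')

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

    # Windows 7 is version 6.1.x with ProductType 1 (workstation);
    # Server 2008 R2 is also 6.1 but reports ProductType 2 or 3.
    $isWin7 = ($os.Version -like '6.1.*') -and ($os.ProductType -eq 1)

    # OperatingSystemSKU: 1 = Ultimate, 4 = Enterprise.
    # Assumption: N/E variants are not deployed; add their SKU values if so.
    $isEdition = @(1, 4) -contains $os.OperatingSystemSKU

    # No Win32_Tpm instance (or no namespace) means Windows sees no TPM,
    # typically because it is absent or switched off in firmware.
    $tpm = $null
    try {
        $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
            -Class Win32_Tpm -ComputerName $ComputerName -ErrorAction Stop
    } catch { }

    $spec = $null; $enabled = $false; $activated = $false
    if ($tpm) {
        # SpecVersion reads like "1.2, 2, 3"; the first field is the spec version.
        $spec      = ($tpm.SpecVersion -split ',')[0].Trim()
        $enabled   = [bool]$tpm.IsEnabled_InitialValue
        $activated = [bool]$tpm.IsActivated_InitialValue
    }
    $tpmOk = ($spec -eq '1.2') -and $enabled -and $activated

    # "Resettable from the OS" is not tested here; it depends on firmware
    # settings and needs a per-model check.
    New-Object PSObject -Property @{
        ComputerName   = $os.CSName
        OSCaption      = $os.Caption
        SupportedOS    = ($isWin7 -and $isEdition)
        TpmPresent     = [bool]$tpm
        TpmSpecVersion = $spec
        TpmEnabled     = $enabled
        TpmActivated   = $activated
        Ready          = ($isWin7 -and $isEdition -and $tpmOk)
    }
}

Test-MbamClientReadiness | Format-List
```

Pass `-ComputerName` to query a remote notebook over WMI; a machine that reports `TpmPresent : False` usually needs the TPM switched on in firmware before the MBAM client can do anything with it.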

The hardware requirements for MBAM are pretty low if you ask me. It really doesn’t use much processing power, memory, or even disk space. According to the MBAM scalability and high-availability guide ( http://bit.ly/Ms9Ovy ), a single server (not supported in production but usable for testing) that has two dual-core XEON 2.4 GHz chips and 12GB of RAM will support an upper limit of about 21,000 clients. A two-computer installation, at times called a three-computer installation, is supported by Microsoft in production (IIS on one box, SQL on another, and of course the DC is separate). Using the same configuration for the IIS server but upgrading the RAM to 16GB on the SQL server, MBAM will support an upper limit of about 55,000 clients. If you want more than that, look at the MBAM scalability and high-availability guide for more information.

As for the IO of the databases, the MBAM scalability and high-availability guide says that with the default timers the key and hardware database will be the component under the most strain. At around 100,000 clients that database sustains about 150 transactions a second. The compliance status database sustains about 10% of the transaction rate of the key and hardware database, but every six hours there is an update from the compliance status database to the reports database that produces a short spike of about 200 transactions a second. As for the size of the databases, an environment with 10,000 clients would use about 250 MB, so that should make your DBAs happy.

Since the server components are supported by Microsoft in a virtual environment, it’s completely reasonable to have your entire MBAM environment on VMs. In fact, Microsoft decided to virtualize their MBAM environment ( http://bit.ly/LA7Gop ).

The next part of this blog will be planning the server environment. Be on the lookout for that soon.

Microsoft BitLocker Administration and Monitoring (MBAM) Part 1

I recently completed a project working with MBAM. I really don’t understand why more companies don’t use it to encrypt the fixed and removable disks of notebooks running Windows 7 Enterprise and Ultimate. I mean it’s basically BitLocker but it’s much easier to use in an enterprise environment than the older methods Microsoft had to back up the recovery keys to Active Directory. It also can interact with the end user in setting up and managing their PIN if BitLocker will be used with multi-factor authentication (TPM and PIN).

MBAM is part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is a suite of technologies (App-V, UE-V, MED-V, AGPM, DaRT, and MBAM) available as a subscription for Software Assurance customers ( http://bit.ly/O4gDr8 ). MBAM basically has three components.

· SQL Server(s)

· Web Server(s)

· Client software

Setting everything up really isn’t difficult, but since not a lot of people work with MBAM I thought it would be beneficial to have a multi-part blog series reviewing MBAM and most of its features. Below are the upcoming blogs to be on the lookout for. The goal is to make you feel more comfortable using MBAM. For detailed information I suggest you download and read the MBAM technical documentation ( http://bit.ly/O4jL6d ).

· Introduction (This blog)

· Requirements (hardware and software)

· Planning

· Installing the SQL server(s)

· Installing the Web server(s)

· Planning for redundancy, backups, and disaster recovery

· Modifying the GPOs

· Deploying the client

· What the end client will see, if anything

· Troubleshooting

· Reports

· Wrap up