MBAM, BitLocker and Compliance

A couple of months ago I was involved in a divestiture project where we used MBAM from the MDOP suite to manage the BitLocker disk encryption deployment across the company laptops.

It’s a great product that has gotten less attention than it deserves due to it being bundled and buried deep inside the MDOP suite, but there are two thorns that stick out like rusty nails in it.

  1. Cumbersome initial installation requiring a lot of manual steps
  2. Limited options for filtering out specific types of machines (i.e. portables vs. non-portables when you’re only interested in the portables)

#1 – Redmond, please!! Do better, don’t be evil 🙂

#2 – Fortunately, one of my colleagues is a Reporting Services wizard, and we were able to modify the compliance reports to include some more useful fields for filtering than the defaults – as seen below, where we added a Computer Type field and filtered out everything but laptops (Portable/Non-Portable, Non-TPM).


With these additional hacks, the MBAM product works wonders and would be worth a separate purchase, but consider that with the MDOP package you get AGPMC, DaRT and MED-V, and you have a killer deal. Did I mention that it also has a Self-Service portal for Helpdesk and Users?

The one remaining concern is that MBAM doesn’t have any automatic pruning of stale records. That concern is, however, addressed by the add-on MBAM Data Compliance Cleanup Tool. The latest update to the tool makes it compatible with MBAM 2.5.