Microsoft MBAM

About MBAM

The Microsoft product called MBAM (Microsoft BitLocker Administration and Monitoring) can be used to manage BitLocker within the enterprise. However, Microsoft is retiring MBAM. Here is a statement to this effect from Microsoft: "Enterprises can use Microsoft BitLocker Administration and Monitoring (MBAM) to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ends in July 2019 or they can receive extended support until April 2026." Details are referenced at the end of this document.

For enterprises that wish to continue with MBAM, below are suggestions for the implementation of MBAM and how it compares to an implementation with TruGrid.

  • MBAM requires licensed versions of MS SQL Server Standard or above (see database server requirements here). TruGrid does not require any additional infrastructure be implemented or supported.
  • MBAM requires machines be joined to AD (Active Directory); MBAM does not support non-AD joined machines. TruGrid supports both AD and non-AD joined machines.
  • MBAM requires enterprise-level planning, preparation and deployment of new infrastructure and configurations. The MBAM Getting Started guide is over 80 pages long. MBAM requires weeks of planning before implementation. MBAM implementation and infrastructure cost alone can range between $25K and $75K, depending on the level of redundancy required and the machines to be supported. TruGrid can be deployed immediately to Windows computers without any additional infrastructure. MSI packages are automatically generated and can be silently installed onto Windows computers (via your favorite deployment technology).
  • MBAM requires that computers be joined to AD in order to enforce MBAM-related Group Policies. For computers not on the network or WAN, this often occurs via VPN connections. Therefore, a managed remote computer that does not connect over VPN may not check in for days or weeks at a time, so it will not receive new Group Policy updates and will not be reflected accurately in compliance reports. TruGrid does not require machines to check into AD to be managed, nor to be reported on accurately in compliance reports. Any Windows computer with Internet access can be managed by TruGrid.
  • MBAM requires having sufficient technical support staff with the skills necessary to support the following infrastructure: AD, SCCM, Group Policies, Microsoft SQL, IIS Web Server, MBAM. Additionally, they should be able to manage the lifecycle of all these products, including upgrades, patching, and migration. IT labor costs to manage MBAM, assuming shared IT service labor, can range between $100K and $180K per year.
  • To enable geo-redundancy and failover, MBAM would require SQL clusters and load-balanced IIS servers. TruGrid provides all of this with scalable cloud services and no additional on-premises infrastructure.
  • MBAM does not support multiple tenants due to its Active Directory dependency. TruGrid natively supports multi-tenancy. This is important for Service Providers managing many customer environments, or for large corporations with independently managed corporations. The TruGrid multi-tenant console can also simplify compliance when large companies acquire new organizations.
  • MBAM requires that an MBAM-specific client be installed on each machine that is to be managed via MBAM. TruGrid also requires a client; its MSI file takes under 30 seconds to install and has auto-update technology built in.

Read more about TruGrid BitLocker Management. Register for a demo, or sign up for a free trial of TruGrid BitLocker Management.

Here is more about Microsoft’s announcement regarding MBAM.