The MBAM Administration and Monitoring website, also referred to as the Help Desk Portal, is an administrative interface to BitLocker drive encryption that is installed as part of the Microsoft BitLocker Administration and Monitoring (MBAM) server infrastructure. The following sections describe how you can use this website to review reports, recover end users’ drives, and manage end users’ TPMs.
MBAM collects information from Active Directory and client computers, which enables you to run different reports to monitor BitLocker usage and compliance. Using the Reports section of the Administration and Monitoring website, you can generate reports on enterprise compliance, individual computers, and key recovery activity. For a description of each report, see Understanding MBAM Reports.
To access reports
- Open a web browser and navigate to the MBAM Administration and Monitoring website.
- Select Reports in the left pane.
- From the top menu bar, select the report type you want to generate. To save reports, click the Export button on the Reports menu bar.
For additional information about how to run MBAM reports, see How to Generate MBAM Reports.
The Drive Recovery feature of the Administration and Monitoring website allows users with specific administrator roles (for example, Help Desk Users) to access recovery key data that has been collected by the MBAM Client. This data can be used to access a BitLocker-protected drive when BitLocker goes into recovery mode. For instructions on how to recover a drive that is in recovery mode, see How to Recover a Drive in Recovery Mode.
You can also recover drives that have been moved or that are corrupted:
When you move an operating system drive that is encrypted by using Microsoft BitLocker Administration and Monitoring (MBAM) to another computer, the drive will not accept the PIN that was used on the previous computer, because the Trusted Platform Module (TPM) chip has changed. To use the moved drive, you need the recovery key ID so that you can retrieve the recovery password. Use the following procedure to recover a drive that has been moved.
To recover a moved drive
- On the computer that contains the moved drive, start the computer in Windows recovery environment (WinRE) mode, or start the computer by using the Microsoft Diagnostic and Recovery Toolset (DaRT).
- Once the computer has been started with WinRE or DaRT, Microsoft BitLocker Administration and Monitoring will treat the moved operating system drive as a data drive. MBAM will then display the drive’s recovery password ID and ask for the recovery password.
Note: In some cases, you may be able to click I forgot the PIN during the startup process, and then enter the recovery mode to display the recovery key ID.
- Use the recovery key ID to retrieve the recovery password and unlock the drive from the Administration and Monitoring website.
- If the moved drive was configured to use a TPM chip on the original computer, you must take additional steps after unlocking the drive and completing the start process. In WinRE mode, open a command prompt and use the manage-bde tool to decrypt the drive. Using this tool is the only way to remove the TPM plus PIN protector without the original TPM chip.
- Once the removal is completed, start the computer normally. The MBAM agent will now enforce the policy to encrypt the drive with the new computer’s TPM plus PIN.
How to Recover a Corrupted Drive
To recover a corrupted drive protected by BitLocker, a Microsoft BitLocker Administration and Monitoring (MBAM) Help Desk user will need to create a recovery key package file. This package file can then be copied to the computer that contains the corrupted drive, and then used to recover the drive. Use the following procedure to do this.
Important: To avoid a potential loss of data, it is strongly recommended that you read the “repair-bde” help and clearly understand how to use the command before completing the following instructions.
To recover a corrupted drive
- To create the recovery key package necessary to recover a corrupted drive, start a web browser and open the MBAM Administration and Monitoring website.
- Select Drive Recovery from the left navigation pane. Enter the user’s domain name, user name, reason for unlocking the drive, and the user’s recovery password ID.
Note: If you are a member of the Help Desk Administrators role, you do not have to enter the user’s domain name or user name.
- Click Submit. The recovery key will be displayed.
- Click Save, and then select Recovery Key Package. The recovery key package will be created on your computer.
- Copy the recovery key package to the computer that has the corrupted drive.
- Open an elevated command prompt. To do this, click Start and type cmd in the Search programs and files box. Right-click cmd.exe and select Run as Administrator.
- At the command prompt, type the following:
repair-bde <corrupted drive> <fixed drive> -kp <location of keypackage> -rp <recovery password>
Note: Replace <fixed drive> with an available hard disk drive that has free space equal to or larger than the data on the corrupted drive. Data on the corrupted drive is recovered and moved to the specified hard disk drive.
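A pre-flight wrapper for the repair-bde step above, as an added example that is not part of the original article or of MBAM: it checks that the key package file exists, that the recovery password is well formed, and that the output drive has enough free space before building the command. The function names and the sample password are hypothetical; the eight groups of six digits, each divisible by 11, are the standard BitLocker recovery password layout.

```powershell
# Added example: pre-flight checks around the repair-bde command shown above.
function Test-RecoveryPasswordFormat {
    param([Parameter(Mandatory)][string]$Password)
    # A BitLocker recovery password is 8 hyphen-separated groups of 6 digits.
    if ($Password -notmatch '^(\d{6}-){7}\d{6}$') { return $false }
    foreach ($group in $Password.Split('-')) {
        $n = [int]$group
        # Each group is a 16-bit value multiplied by 11, which catches most typos.
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Invoke-RepairBdeChecked {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][char]$CorruptedDrive,
        [Parameter(Mandatory)][char]$OutputDrive,
        [Parameter(Mandatory)][string]$KeyPackagePath,
        [Parameter(Mandatory)][string]$RecoveryPassword,
        [switch]$Run
    )
    if (-not (Test-Path -LiteralPath $KeyPackagePath -PathType Leaf)) {
        throw "Key package not found: $KeyPackagePath"
    }
    if (-not (Test-RecoveryPasswordFormat -Password $RecoveryPassword)) {
        throw 'Recovery password is not 8 groups of 6 digits, each divisible by 11.'
    }
    # The corrupted file system may be unreadable, so the partition size is used
    # as an upper bound for the data on the corrupted drive.
    $needed = [double](Get-Partition -DriveLetter $CorruptedDrive).Size
    $free   = [double]([System.IO.DriveInfo]::new([string]$OutputDrive)).AvailableFreeSpace
    if ($free -lt $needed) {
        throw "Drive ${OutputDrive}: has $free bytes free; up to $needed may be needed."
    }
    $arguments = @("${CorruptedDrive}:", "${OutputDrive}:", '-kp', $KeyPackagePath,
                   '-rp', $RecoveryPassword)
    # Without -Run, return the argument list so it can be reviewed first.
    if ($Run) { & repair-bde.exe @arguments } else { return $arguments }
}

# Constructed sample value: every group below is a multiple of 11.
$sample = '000011-000022-000033-000044-000055-000066-000077-000088'
Test-RecoveryPasswordFormat -Password $sample
Test-RecoveryPasswordFormat -Password ($sample -replace '88$', '89')
```

The repair-bde help warns that existing contents of the output volume are overwritten, so choose a drive that holds nothing you need to keep.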
For additional information about how to recover a BitLocker-protected drive, see Performing BitLocker Management with MBAM.
The Manage TPM feature of the Administration and Monitoring website gives users with certain administrator roles (for example, “MBAM Helpdesk Users”) access to TPM data that has been collected by the MBAM Client. In a TPM lockout, an administrator can use the Administration and Monitoring website to retrieve the necessary password file to unlock the TPM. For instructions on how to reset a TPM after a TPM lockout, see How to Reset a TPM Lockout.
MBAM Help Desk Tasks
You can use the Administration and Monitoring website for many administrative tasks, such as managing BitLocker-protected hardware, recovering drives, and running reports. By default, the URL for the Administration and Monitoring website is http://<MBAMAdministrationServername>, although you can customize it during the installation process.
Note: To access the various features offered by the Administration and Monitoring website, you must have the appropriate roles associated with your user account. For more information about understanding user roles, see How to Manage MBAM Administrator Roles.