How to Manage MBAM Administrator Roles
Applies To: Microsoft BitLocker Administration and Monitoring
After Microsoft BitLocker Administration and Monitoring (MBAM) setup is complete for all server components, administrative users will have to be granted access to one or more features. As a best practice, administrators who will manage or use MBAM features should be assigned to Active Directory groups.
How to Modify MBAM Administrator Role Memberships
Assign administrative users to groups in Active Directory Domain Services.
Add security groups to the roles for MBAM on the Microsoft BitLocker Administration and Monitoring server for the respective features.
MBAM System Administrators have access to all Microsoft BitLocker Administration and Monitoring features in the MBAM Management Console
MBAM Hardware Users have access to the Hardware Compatibility features in the MBAM Management Console
MBAM Helpdesk Users have access to the Manage TPM and Drive Recovery options in the MBAM Management Console, but must fill in all fields when they use either option
MBAM Report Users have access to the Compliance and Audit reports in the MBAM Management Console
MBAM Advanced Helpdesk Uses have access to the Manage TPM and Drive Recovery options in the MBAM Management Console but are not required to fill in all fields when they use either option
For more information about roles for Microsoft BitLocker Administration and Monitoring, see Planning the Server Infrastructure for MBAM.