Windows 8 and 8.1 Forums

MDOP 2014 delivers improved BitLocker management with MBAM

  1. #1



    Today's an exciting day for the Microsoft BitLocker Administration and Monitoring (MBAM) team, as we just announced general availability of the Microsoft Desktop Optimization Pack (MDOP) 2014 for Software Assurance, which includes a substantial set of improvements for MBAM. As mentioned in our announcement on the Windows for your Business blog, the big star of the MDOP 2014 release is MBAM 2.5, which is designed to help further reduce the costs associated with provisioning, managing, and supporting BitLocker encrypted devices (Windows 7, Windows 8, and Windows To Go) within your environment.

    MBAM 2.0, which was released about a year ago, represented the breakthrough release for the product, and we've seen tremendous adoption within organizations of all shapes and sizes including Siemens, BT, General Mills, and Yes Prep Public Schools, just to name a few. Its inclusion of the following features made broad adoption and appeal possible:

    • Self-Service Portal: The Self-Service Portal helps end users recover devices (e.g. a lost PIN) without the need for help desk assistance.
    • System Center Configuration Manager Integration: Integration with System Center Configuration Manager (ConfigMgr) 2007 and 2012 enables organizations to integrate MBAM's compliance management and reporting capabilities within their existing ConfigMgr infrastructure.
    • Windows 8 Support: Support for managing BitLocker on Windows 8 and Windows To Go devices has been included, along with the ability to take advantage of new Windows PE capabilities that dramatically reduce encryption times.

    With the 2.0 release there seems to be consensus amongst customers that MBAM addresses the vast majority of their key requirements; with that said, there were a number of improvements that many customers were still waiting for us to prioritize. These included:

    • Support for Federal Information Processing Standard (FIPS 140-2)
    • Improved compliance and enforcement policies
    • Support for enterprise scenarios and topologies

    Support for Federal Information Processing Standard (FIPS 140-2)

    While BitLocker has a long history of FIPS support, MBAM has not supported managing devices in this configuration. MBAM 2.5 changes that by adding support for the two most popular FIPS configuration options for BitLocker. The first option is the Data Recovery Agent (DRA) protector option, which uses a public key infrastructure (PKI) certificate to protect and recover volumes. This option is supported for Windows 7, 8, and 8.1 devices. The second option is specific to Windows 8.1, where the Windows team updated the Recovery Key Password protector to be FIPS compliant. The challenge in previous versions of Windows was that the Recovery Key Password was generated using a non-FIPS compliant algorithm, and in Windows 8.1 that was updated. This change makes FIPS compliance on Windows 8.1 devices simple to provision and support.

    Improved compliance and enforcement policies

    MBAM 2.0 was effective at driving high levels of compliance when IT provisioned BitLocker encryption during the imaging process; however, when unencrypted devices appeared on the network, IT's ability to enforce and move devices into a compliant state was somewhat limited. The challenge was that IT lacked the ability to initiate the encryption process, and users had the ability to postpone the encryption process to a later date.

    To address this limitation, in MBAM 2.5 we've included a grace period option that enables IT to define the amount of time that a user has to initiate the encryption process before MBAM will automatically enforce it. If the policy requires TPM-only protection, the process will automatically initiate and run in the background, and since the process runs as a low priority thread the user very likely won't notice any performance degradation. If policy requires TPM + PIN protection, the encryption process will initiate once the user completes the MBAM client wizard, which will require them to provide a PIN before resuming their work. Organizations now also have the ability to prevent postponement of encryption.

    Another feature customers had asked about was the ability of users to create easily guessable BitLocker PINs. The MBAM 2.5 client now inherently prevents the use of PINs composed of sequenced or repetitive values like 123456, 654321, 456789, 222111, etc. This capability is also supported for Enhanced PINs, where alpha, numeric, and symbol characters can be used.

    Support for enterprise scenarios and topologies

    While MBAM has been deployed in some of the world's largest and most complex environments, there were some topologies and configurations that MBAM 2.5 didn't support, at least not ideally. The first was related to organizations that consist of multiple forests. Supporting this type of network topology in MBAM 2.0 required separate MBAM infrastructures within each forest. In MBAM 2.5 we support the use of fully qualified domain names (FQDN) and a single MBAM infrastructure managing clients across two or more trusted forests.

    In addition to cross-forest support, MBAM 2.5 now supports high availability configurations on Windows Server, IIS, and SQL Server. MBAM supports load balancing of its web components using software or hardware based load balancers, and its databases can now be deployed to SQL Server failover clusters.

    In the end, MBAM 2.5 includes something for everyone, and it addresses some of the top customer requests that we've received over the last year. It even ships with the localized versions on day one, so customers no longer have to wait ~6 months for non-English builds! If you're already running MBAM 1.0 or 2.0 in your environment, moving to 2.5 is an easy transition that will provide many new benefits. If you're not using BitLocker or MBAM today, now is the perfect time to start evaluating it for your organization. To learn more about MBAM 2.5, please refer to the product documentation on TechNet.

    Chris Hallum, Senior Product Marketing Manager, Windows Commercial
    Source: MDOP 2014 delivers improved BitLocker management with MBAM 2.5

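The post above says the MBAM 2.5 client rejects PINs built from sequenced or repetitive values (123456, 654321, 222111 and the like), including Enhanced PINs with letters and symbols, but does not show what such a check looks like. The following is an added example, not code from the original post and not MBAM's own implementation: a pre-flight check an administrator could run before setting a TPM+PIN protector by script. The function name Test-WeakBitLockerPin is hypothetical; of the rules it applies, the ascending/descending sequence and single-repeated-character rules come straight from the post's examples, while the "at most two distinct characters" and "shorter block repeated" rules are assumptions about what "repetitive" covers. The sample PINs at the bottom are constructed. Add-BitLockerKeyProtector is the built-in BitLocker module cmdlet; that call is left commented out because it needs elevation and a real TPM.

```powershell
# Added example: rejects the sequential/repetitive PIN patterns the post describes.
# Not MBAM's code. Rules 3 and 4 are assumptions beyond the post's listed examples.

function Test-WeakBitLockerPin {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Pin,
        [int] $MinimumLength = 6   # BitLocker's default minimum; policy can raise it
    )

    # Returns a reason string when the PIN is weak, $null when it passes.
    if ($Pin.Length -lt $MinimumLength) {
        return "shorter than $MinimumLength characters"
    }

    # Work on code points so the same rules cover Enhanced PINs (letters, symbols):
    # 'abcdef' is as much a sequence as '123456'.
    $codes  = [int[]][char[]]$Pin
    $deltas = for ($i = 1; $i -lt $codes.Length; $i++) { $codes[$i] - $codes[$i - 1] }
    $allDeltasEqual = { param($v) @($deltas | Where-Object { $_ -ne $v }).Count -eq 0 }

    # Rule 1: one character repeated, e.g. 111111
    if (& $allDeltasEqual 0)  { return 'single repeated character' }

    # Rule 2: strictly ascending or descending by one, e.g. 123456, 654321, 456789, abcdef
    if (& $allDeltasEqual 1)  { return 'ascending sequence' }
    if (& $allDeltasEqual -1) { return 'descending sequence' }

    # Rule 3 (assumption): drawn from at most two distinct characters, e.g. 222111, 121212
    $distinct = @($Pin.ToCharArray() | Select-Object -Unique).Count
    if ($distinct -le 2) { return "only $distinct distinct character(s)" }

    # Rule 4 (assumption): a shorter block repeated to fill the PIN, e.g. 123123, ab1ab1
    for ($k = 1; $k -le [math]::Floor($Pin.Length / 2); $k++) {
        if ($Pin.Length % $k -ne 0) { continue }
        $block = $Pin.Substring(0, $k)
        if (($block * ($Pin.Length / $k)) -ceq $Pin) { return "block '$block' repeated" }
    }

    return $null
}

# Constructed sample PINs (not taken from any real system). The first four are the
# post's own examples; the rest exercise the Enhanced PIN and assumption rules.
$samples = '123456', '654321', '456789', '222111', '111111', '123123',
           'abcdef', 'ab1ab1', '392817', 'Tr0ub4dor&3'
foreach ($p in $samples) {
    $reason = Test-WeakBitLockerPin -Pin $p
    if ($reason) { '{0,-12} REJECT ({1})' -f $p, $reason } else { '{0,-12} ok' -f $p }
}

# Wiring the check into provisioning (requires elevation and a TPM; left commented out so
# the script above runs read-only). The PIN is read as a SecureString and only briefly
# exposed in plain text for the policy check.
# $secure = Read-Host -Prompt 'BitLocker PIN' -AsSecureString
# $plain  = [System.Net.NetworkCredential]::new('', $secure).Password
# $why    = Test-WeakBitLockerPin -Pin $plain
# if ($why) { throw "PIN rejected by policy: $why" }
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $secure
```

Running the block prints REJECT for the six sequence/repeat samples, ab1ab1 and abcdef, and ok for 392817 and Tr0ub4dor&3. The check is a client-side convenience only: a user who types the PIN into the MBAM wizard or manage-bde directly is bound by MBAM's and Group Policy's own rules, not by this script, so it belongs in provisioning automation rather than in place of policy.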

  2. #2


    Downloaded it earlier today. There is a new ADK for 8.1 too. I do believe it's required if you want to run DaRT. What's New in the Windows ADK for Windows 8.1

  3. #3

    The lack of FIPS 140-2 support for MBAM had limited the use of BitLocker at health insurance companies that had business relations with CMS. Most of these companies had already purchased third-party solutions and are not likely to drop them in favor of MBAM/BitLocker.

    Does MBAM 2.5/BitLocker allow using the domain account and password to replace the PIN, or does it still require a separate PIN to be set by the end user?
