MDOP 2014 delivers improved BitLocker management with MBAM

Today’s an exciting day for the Microsoft BitLocker Administration and Monitoring (MBAM) team, as we just announced general availability of the Microsoft Desktop Optimization Pack (MDOP) 2014 for Software Assurance, which includes a substantial set of improvements for MBAM. As mentioned in our announcement on the Windows for your Business blog, the big star of the MDOP 2014 release is MBAM 2.5, which is designed to help further reduce the costs associated with provisioning, managing, and supporting BitLocker-encrypted devices (Windows 7, Windows 8, and Windows To Go) within your environment.

MBAM 2.0, which was released about a year ago, represented the breakthrough release for the product, and we’ve seen tremendous adoption within organizations of all shapes and sizes, including Siemens, BT, General Mills, and Yes Prep Public Schools, just to name a few. Its inclusion of the following features made broad adoption and appeal possible:

  • Self-Service Portal: The Self-Service Portal helps end users recover devices (e.g. after a lost PIN) without the need for help desk assistance.
  • System Center Configuration Manager Integration: Integration with System Center Configuration Manager (ConfigMgr) 2007 and 2012 enables organizations to integrate MBAM’s compliance management and reporting capabilities within their existing ConfigMgr infrastructure.
  • Windows 8 Support: Support for managing BitLocker on Windows 8 and Windows To Go devices has been included, along with the ability to take advantage of new Windows PE capabilities that dramatically reduce encryption times.

With the 2.0 release there seems to be consensus amongst customers that MBAM addresses the vast majority of their key requirements. With that said, however, there were a number of improvements that many customers were still waiting for us to prioritize. These included:

  • Support for Federal Information Processing Standard (FIPS 140-2)
  • Improved compliance and enforcement policies
  • Support for enterprise scenarios and topologies

Support for Federal Information Processing Standard (FIPS 140-2)

While BitLocker has a long history of FIPS support, MBAM has not supported managing devices in this configuration. MBAM 2.5 changes that by adding support for the two most popular FIPS configuration options for BitLocker. The first option is the Data Recovery Agent (DRA) protector option, which uses a public key infrastructure (PKI) certificate to protect and recover volumes. This option is supported for Windows 7, 8, and 8.1 devices. The second option is specific to Windows 8.1, where the Windows team updated the Recovery Key Password protector to be FIPS compliant. The challenge in previous versions of Windows was that the Recovery Key Password was generated using a non-FIPS-compliant algorithm, and in Windows 8.1 that was updated. This change makes achieving FIPS compliance on Windows 8.1 devices simple to provision and support.

Improved compliance and enforcement policies

MBAM 2.0 was effective at driving high levels of compliance when IT provisioned BitLocker encryption during the imaging process; however, when unencrypted devices appeared on the network, IT’s ability to enforce and move devices into a compliant state was somewhat limited. The challenge was that IT lacked the ability to initiate the encryption process, and users had the ability to postpone the encryption process to a later date.

To address this limitation, in MBAM 2.5 we’ve included a grace period option that enables IT to define the amount of time that a user has to initiate the encryption process before MBAM will automatically enforce it. If the policy requires TPM-only protection, the process will automatically initiate and run in the background, and since the process runs as a low-priority thread the user very likely won’t notice any performance degradation. If policy requires TPM + PIN protection, the encryption process will initiate once the user completes the MBAM client wizard, which will require them to provide a PIN before resuming their work. Organizations now also have the ability to prevent postponement of encryption.

Another feature customers had asked about was regarding the ability for users to create easily guessable BitLocker PINs. The MBAM 2.5 client now inherently prevents the use of PINs composed of sequenced or repetitive values like 123456, 654321, 456789, 222111, etc. This capability is also supported for Enhanced PINs, where alpha, numeric, and symbol characters can be used.

Support for enterprise scenarios and topologies

While MBAM has been deployed in some of the world’s largest and most complex environments, there were some topologies and configurations that MBAM 2.5 didn’t support, at least ideally. The first was related to organizations that consisted of multiple forests. To support this type of network topology in MBAM 2.0 required separate MBAM infrastructures within each forest. In MBAM 2.5 we support the use of fully qualified domain names (FQDN) and a single MBAM infrastructure managing clients across two or more trusted forests.

In addition to cross-forest support, MBAM 2.5 now supports high-availability configurations on Windows Server, IIS, and SQL Server. MBAM supports load balancing of its web components using software- or hardware-based load balancers, and its databases can now be deployed to SQL Server failover clusters.

In the end, MBAM 2.5 includes something for everyone, and it addresses some of the top customer requests that we’ve received over the last year. It even ships with the localized versions on day one, so customers no longer have to wait ~6 months for non-English builds! If you’re already running MBAM 1.0 or 2.0 in your environment, moving to 2.5 is an easy transition that will provide many new benefits. If you’re not using BitLocker or MBAM today, now is the perfect time to start evaluating it for your organization. To learn more about MBAM 2.5, please refer to the product documentation on TechNet.

Chris Hallum, Senior Product Marketing Manager, Windows Commercial

Source: MDOP 2014 delivers improved BitLocker management with MBAM 2.5
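The weak-PIN rule described in the post above (the client rejecting PINs made of sequential or repetitive values, for standard numeric PINs and Enhanced PINs alike) is easy to reason about in code. The following is an added illustrative example, not MBAM's own implementation and not code from the original post: the page does not give the exact rules the MBAM 2.5 client applies, so the definitions of "sequential" and "repetitive" used here, the `check_pin` function and its `PinCheckResult`, the default minimum length of 6, and the printable-ASCII character set assumed for Enhanced PINs are all assumptions. It goes slightly beyond the listed examples by also treating short repeated patterns (121212, 123123) as repetitive.

```python
"""
Illustrative check for easily guessable BitLocker PINs, modelled on the
MBAM 2.5 client behaviour described in the post: reject PINs composed of
sequential or repetitive values.  Hypothetical example code; the real
client's rules are not published on the page.
"""
from dataclasses import dataclass
from typing import List

DIGITS = "0123456789"


@dataclass
class PinCheckResult:
    accepted: bool
    reason: str  # "ok", or the rule that rejected the PIN


def _is_sequential(pin: str) -> bool:
    """True when every adjacent pair steps by the same +1 or -1 code point,
    e.g. 123456, 654321, 456789, or abcdef for an Enhanced PIN."""
    if len(pin) < 2:
        return False
    step = ord(pin[1]) - ord(pin[0])
    if step not in (1, -1):
        return False
    return all(ord(b) - ord(a) == step for a, b in zip(pin, pin[1:]))


def _run_lengths(pin: str) -> List[int]:
    """Run-length encode the PIN: '222111' -> [3, 3], '121212' -> [1]*6."""
    runs, count = [], 1
    for a, b in zip(pin, pin[1:]):
        if a == b:
            count += 1
        else:
            runs.append(count)
            count = 1
    runs.append(count)
    return runs


def _is_repetitive(pin: str) -> bool:
    """True when the PIN is built only from runs of repeated characters
    (111111, 222111, 112233) or is a short pattern repeated end to end
    (121212, 123123)."""
    if all(run >= 2 for run in _run_lengths(pin)):
        return True
    n = len(pin)
    for period in range(1, n // 2 + 1):
        if n % period == 0 and pin == pin[:period] * (n // period):
            return True
    return False


def check_pin(pin: str, min_length: int = 6, enhanced: bool = False) -> PinCheckResult:
    """Apply the weak-PIN policy.  min_length defaults to 6 here as an
    assumption; in a real deployment it comes from BitLocker group policy.
    enhanced=False models a standard numeric PIN, enhanced=True an Enhanced
    PIN that may contain letters, digits, symbols and spaces."""
    if len(pin) < min_length:
        return PinCheckResult(False, "too_short")
    if not enhanced and not all(c in DIGITS for c in pin):
        return PinCheckResult(False, "digits_only")
    if enhanced and not all(32 <= ord(c) < 127 for c in pin):
        return PinCheckResult(False, "non_printable_ascii")
    if _is_sequential(pin):
        return PinCheckResult(False, "sequential")
    if _is_repetitive(pin):
        return PinCheckResult(False, "repetitive")
    return PinCheckResult(True, "ok")


if __name__ == "__main__":
    # Constructed sample PINs: the four from the post plus a few extra cases.
    for candidate, enh in [("123456", False), ("654321", False), ("456789", False),
                           ("222111", False), ("121212", False), ("248163", False),
                           ("abcdef", True), ("Tr0ub4dor&3", True)]:
        result = check_pin(candidate, enhanced=enh)
        print(f"{candidate!r:16} enhanced={enh!s:5} -> {result.reason}")
```

Because the check is order-dependent (length, then character class, then sequence, then repetition), the `reason` field tells an administrator which rule fired, which is the detail worth surfacing in the client wizard rather than a bare "PIN rejected".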
The lack of FIPS 140-2 support for MBAM had limited the use of BitLocker at health insurance companies that had business relations with CMS. Most of these companies had already purchased third-party solutions and are not likely to drop them in favor of MBAM/BitLocker.

Does MBAM 2.5/BitLocker allow using the domain account and password to replace the PIN, or does it still require a separate PIN to be set by the end user?