This post is from Chris Hallum, a Senior Product Marketing Manager on the Windows/MDOP team.
I talk to customers, the press, and analysts every week about Windows security and as we approached the public release of Windows 8 on October 26th the frequency of these conversations increased dramatically. It’s exciting to see so much interest in the Windows 8 security investments that we’ve been working so hard on since Windows 7 shipped back in the summer of 2009.
When we discuss protecting data from breaches I often hear that customers haven’t deployed, or have just partially deployed, drive encryption solutions within their organizations. Laptops are often prioritized within their plans, but desktops and servers are omitted in many, if not most, cases. When I hear this there is always a temptation to be surprised; however, I’ve talked to enough people to understand that IT is increasingly being asked to do more with less. This understanding drives many of the decisions that we make here at Microsoft, and that thinking is clearly reflected in both Windows 8 and Microsoft BitLocker Administration and Monitoring (MBAM), which will enable you to deploy BitLocker more broadly while at the same time reducing overall costs to your organization.
When we announced MBAM 2.0 back in June we told you about a series of high level product goals including:
- Empowering users to support themselves with a self-service recovery portal (e.g. Lost PIN)
- Integrating MBAM with System Center Configuration Manager 2007 or 2012
- Simplifying provisioning and eliminating common support scenarios
- Helping IT better report on and enforce compliance
Earlier this year, Microsoft furthered its commitment to data protection with the announcement of MBAM 2.0 Beta 1, and today, we are excited to announce MBAM 2.0 Beta 2 (also known as Beta Refresh) which is now available for download. The primary goals for version 2.0 include improving MBAM’s ability to help reduce the costs of provisioning and managing BitLocker, and with the recent release of Windows 8 on October 26th, you can probably imagine what the second goal is: securing data on the new operating system.
Empower users to support themselves with a self-service recovery portal
In MBAM 1.0 we provided you with a Recovery Portal that was designed entirely around the scenario of end users calling into the helpdesk to get support when they run into BitLocker recovery issues, such as when users lose their PIN. The solution worked well, but organizations are increasingly looking for opportunities to empower their end users to resolve issues on their own without the assistance of the helpdesk. With MBAM 2.0 Beta 1 we addressed this need by shipping a Self Service Portal that does just that.
Figure 1: Users who forget their PIN can reset it on their own using the Self Service Portal.
During the Beta 1 process a number of customers asked us whether or not they can put the Self Service Portal on the edge of their networks so that the portal can be reached directly from the Internet. The answer to that question is: YES.
Integrating with existing management infrastructure
MBAM 1.0 was designed as a standalone product, and while the product had a simple architecture and was designed to scale on a minimal set of infrastructure, it still represented yet another management system that you needed to deploy into your environment. As a result, customers frequently asked us to bring that functionality into System Center Configuration Manager 2007 and 2012 so they could manage BitLocker using the Configuration Manager management console and infrastructure that they’ve already deployed.
To address these requests we’ve taken advantage of Configuration Manager’s extensibility capabilities which have enabled us to integrate all of the compliance reporting and data collection capabilities into Configuration Manager infrastructure. With this integration, you can deploy MBAM with reduced infrastructure while increasing its ability to scale from just over a hundred thousand devices to hundreds of thousands of devices. By the way, the ability to build customized reports, which many of you enjoyed in MBAM 1.0, is available in Configuration Manager integrated mode as well.
Figure 2: When MBAM is integrated within Configuration Manager the reports can be viewed within the Configuration Manager Console
Simplifying provisioning and eliminating common support scenarios
One of the challenges that customers have given us quite a bit of feedback on in the past is related to TPM provisioning. The provisioning process could require one or more reboots, and if IT wanted to automate the process, they would often need to install special drivers that would facilitate BIOS and TPM management. In scenarios where end users are responsible for encrypting their own devices they were often intimidated by the process which reboots the PC and then displays the UI shown below.
Figure 3: When Windows takes ownership of the TPM the system will often reboot and display the following UI
Oftentimes, users wouldn’t know what to do with this rarely seen UI and they would call their helpdesk for advice. In other cases they would reject the TPM changes or turn off the PC, hoping that the UI would never return.
In Windows 8 additional functionality has been added to the system that enables Windows to fully manage the TPM. It’s able to provision the TPM without reboots or user interaction. It just works behind the scenes. Beta 2 of MBAM 2.0 will enable you to take full advantage of this new capability.
Helping IT better report on and enforce compliance
Based on extensive MBAM 1.0 feedback, we have a number of exciting changes to announce specific to compliance reporting in MBAM 2.0 Beta 2. A few moments ago I talked about how we’ve integrated the compliance reports into Configuration Manager; however, there are two additional improvements that you’ll find in MBAM 2.0 Beta 2.
In MBAM 1.0 we calculated compliance based on a strict comparison of the MBAM encryption policies vs. the state of the device. If the policies and the device’s state weren’t in perfect sync, the machine was listed as non-compliant. At first this might sound reasonable, but what if the machine is actually in a more secure state than your encryption policies require? For instance, what if the device was encrypted with 256-bit encryption rather than 128-bit, or the device was protected with TPM + PIN rather than just TPM? Do you really want this device to be listed as non-compliant (i.e. not secure)? Many of you said “No,” and as a result we’ve updated the reports so that devices are only listed as non-compliant when they’re in a state that is less secure than what the encryption policies require.
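The difference between the two compliance rules, as an added illustration that is not MBAM’s own code: the strict equality check beside an “at least as secure as policy” check, run over a small constructed inventory. The `Setting` fields, the protector ranking and the device names are assumptions made for the example, not MBAM’s schema, and the new rule assumes each dimension (encryption state, key length, protector) is compared independently.

```python
from dataclasses import dataclass

# Assumed ranking of key protectors, least to most secure (example only).
PROTECTOR_RANK = {"None": 0, "TPM": 1, "TPM+PIN": 2}


@dataclass(frozen=True)
class Setting:
    """Encryption state of a policy or a device (constructed schema)."""
    encrypted: bool
    key_bits: int    # 0 when not encrypted, otherwise 128 or 256
    protector: str   # a key of PROTECTOR_RANK


def strict_compliant(policy: Setting, device: Setting) -> bool:
    """MBAM 1.0 style: device must match the policy exactly."""
    return policy == device


def at_least_as_secure(policy: Setting, device: Setting) -> bool:
    """MBAM 2.0 style: non-compliant only if weaker than policy on any dimension."""
    if not policy.encrypted:
        return True                      # policy asks for nothing
    if not device.encrypted:
        return False                     # policy asks for encryption, device has none
    return (device.key_bits >= policy.key_bits
            and PROTECTOR_RANK[device.protector] >= PROTECTOR_RANK[policy.protector])


def noncompliant(policy: Setting, devices: dict, rule) -> list:
    """Names of devices the given rule would flag, sorted for stable reporting."""
    return sorted(name for name, state in devices.items() if not rule(policy, state))


# Constructed sample: policy requires 128-bit encryption with TPM + PIN.
POLICY = Setting(encrypted=True, key_bits=128, protector="TPM+PIN")
DEVICES = {
    "laptop-01": Setting(True, 128, "TPM+PIN"),   # exact match
    "laptop-02": Setting(True, 256, "TPM+PIN"),   # stronger cipher than required
    "desktop-03": Setting(True, 128, "TPM"),      # weaker protector than required
    "desktop-04": Setting(False, 0, "None"),      # not encrypted at all
}

if __name__ == "__main__":
    print("MBAM 1.0 rule flags:", noncompliant(POLICY, DEVICES, strict_compliant))
    print("MBAM 2.0 rule flags:", noncompliant(POLICY, DEVICES, at_least_as_secure))
```

Under the strict rule the 256-bit laptop is reported alongside the genuinely weak devices; under the new rule only the TPM-only desktop and the unencrypted desktop are flagged.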
In addition to providing a better way to calculate compliance, we’ve also made some improvements to the information that we render within the reports themselves. Most of these changes are incremental improvements that make things clearer or more informative, but there is one more significant change that is worth mentioning specifically. This is the inclusion of a new dashboard view that will enable you to get a quick status view of your entire environment, which you can see in the screenshot below.
Figure 4: The new Dashboard provides organizational compliance status as well as information to help drive corrective actions.
As you can imagine we’re very excited to have shipped Beta 2 and I encourage you to download it and tell us what you think. For those of you using Beta 1, an in-place upgrade will make it easy to migrate to Beta 2, allowing you to install without removing the previous version.
To learn more about how Microsoft BitLocker Administration and Monitoring (MBAM) and other products from the Microsoft Desktop Optimization Pack (MDOP) can help your business, visit http://www.microsoft.com/mdop.