Today’s an exciting day for the Microsoft BitLocker Administration and Monitoring (MBAM) team, as we just announced general availability of the Microsoft Desktop Optimization Pack (MDOP) 2014 for Software Assurance, which includes a substantial set of improvements for MBAM. As mentioned in our announcement on the Windows for your Business blog, the big star of the MDOP 2014 release is MBAM 2.5, which is designed to help further reduce the costs associated with provisioning, managing, and supporting BitLocker-encrypted devices (Windows 7, Windows 8, and Windows To Go) within your environment.
MBAM 2.0, which was released about a year ago, represented the breakthrough release for the product, and we’ve seen tremendous adoption within organizations of all shapes and sizes, including Siemens, BT, General Mills, and Yes Prep Public Schools, to name a few. Its inclusion of the following features made broad adoption and appeal possible:
- Self-Service Portal: The Self-Service Portal helps end users recover their devices (e.g., after a lost PIN) without help desk assistance.
- System Center Configuration Manager Integration: Integration with System Center Configuration Manager (ConfigMgr) 2007 and 2012 enables organizations to bring MBAM’s compliance management and reporting capabilities into their existing ConfigMgr infrastructure.
- Windows 8 Support: Support for managing BitLocker on Windows 8 and Windows To Go devices has been included, along with the ability to take advantage of new Windows PE capabilities that dramatically reduce encryption times.
With the 2.0 release there seems to be consensus among customers that MBAM addresses the vast majority of their key requirements. That said, there were a number of improvements that many customers were still waiting for us to prioritize. These included:
- Support for Federal Information Processing Standard (FIPS 140-2)
- Improved compliance and enforcement policies
- Support for enterprise scenarios and topologies
Support for Federal Information Processing Standard (FIPS 140-2)
While BitLocker has a long history of FIPS support, MBAM has not supported managing devices in this configuration. MBAM 2.5 changes that by adding support for the two most popular FIPS configuration options for BitLocker. The first is the Data Recovery Agent (DRA) protector, which uses a public key infrastructure (PKI) certificate to protect and recover volumes; this option is supported for Windows 7, 8, and 8.1 devices. The second is specific to Windows 8.1, where the Windows team updated the Recovery Key Password protector to be FIPS compliant. The challenge in previous versions of Windows was that the Recovery Key Password was generated using a non-FIPS-compliant algorithm; in Windows 8.1 that was updated. This change makes FIPS-compliant Windows 8.1 devices simple to provision and support.
Improved compliance and enforcement policies
MBAM 2.0 was effective at driving high levels of compliance when IT provisioned BitLocker encryption during the imaging process. However, when unencrypted devices appeared on the network, IT’s ability to enforce encryption and move those devices into a compliant state was somewhat limited: IT lacked the ability to initiate the encryption process, and users had the ability to postpone it to a later date.
To address this limitation, MBAM 2.5 includes a grace period option that lets IT define how much time a user has to initiate the encryption process before MBAM automatically enforces it. If the policy requires TPM-only protection, the process initiates automatically and runs in the background; since it runs as a low-priority thread, the user very likely won’t notice any performance degradation. If the policy requires TPM + PIN protection, encryption initiates once the user completes the MBAM client wizard, which requires them to provide a PIN before resuming their work. Organizations now also have the ability to prevent postponement of encryption altogether.
Another feature customers had asked about concerned users’ ability to create easily guessable BitLocker PINs. The MBAM 2.5 client now inherently prevents the use of PINs composed of sequential or repetitive values such as 123456, 654321, 456789, 222111, and so on. This capability also applies to Enhanced PINs, where letters, numbers, and symbols can be used.
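To make the two weak-PIN classes above concrete, here is an added Python example of a client-side PIN screen. It is not MBAM’s own code, and the post does not document the exact rules MBAM applies, so the definitions of "sequential" (every character steps by +1 or -1 in code point) and "repetitive" (a short pattern repeated, or nothing but runs of the same character) are assumptions, as are the minimum length of 6 and the character set allowed for Enhanced PINs. The sample PINs at the bottom are constructed for the demo.

```python
"""Weak BitLocker PIN screening, in the spirit of MBAM 2.5's rejection of
sequential and repetitive PINs. Added illustration only: the rule
definitions, the minimum length and the Enhanced PIN character set are
assumptions for this example, not MBAM's documented behaviour."""

import re


def is_sequential(pin: str) -> bool:
    """True when every character steps by exactly +1 or -1 in code point
    from the previous one, e.g. 123456, 654321, 456789, abcdef."""
    if len(pin) < 2:
        return False
    step = ord(pin[1]) - ord(pin[0])
    if step not in (1, -1):
        return False
    return all(ord(b) - ord(a) == step for a, b in zip(pin, pin[1:]))


def is_repetitive(pin: str) -> bool:
    """True when the PIN is a short pattern repeated to fill its length
    (121212, 222222, 112112) or consists only of runs of two or more
    identical characters (222111, 112233)."""
    n = len(pin)
    # A period p that divides n and reproduces the PIN means it is a repeat.
    for p in range(1, n // 2 + 1):
        if n % p == 0 and pin[:p] * (n // p) == pin:
            return True
    # Split into maximal runs of one character; weak if no run is a singleton.
    runs = [m.group(0) for m in re.finditer(r"(.)\1*", pin)]
    return all(len(r) >= 2 for r in runs)


def check_pin(pin: str, min_length: int = 6, enhanced: bool = False) -> list:
    """Return the list of policy violations for a candidate PIN; an empty
    list means the PIN is acceptable. min_length and enhanced are assumed
    policy knobs: a standard PIN is digits only, an Enhanced PIN (assumed)
    may use any printable ASCII character including space."""
    if not pin:
        return ["empty"]
    problems = []
    if len(pin) < min_length:
        problems.append(f"shorter than {min_length} characters")
    charset = r"[\x20-\x7e]+" if enhanced else r"[0-9]+"
    if not re.fullmatch(charset, pin):
        problems.append("contains characters outside the allowed set")
    if is_sequential(pin):
        problems.append("sequential characters")
    if is_repetitive(pin):
        problems.append("repetitive characters")
    return problems


def screen(pins, **policy) -> dict:
    """Apply check_pin to each candidate and map PIN -> violations."""
    return {p: check_pin(p, **policy) for p in pins}


if __name__ == "__main__":
    # Constructed sample PINs: the four from the post plus a few extra cases.
    samples = ["123456", "654321", "456789", "222111", "121212",
               "abcdef", "Tr0ub4dor!", "836194", "1234"]
    for pin, problems in screen(samples, enhanced=True).items():
        verdict = "OK" if not problems else ", ".join(problems)
        print(f"{pin!r:14} -> {verdict}")
```

The run-based rule is what catches 222111, which is neither a single repeated character nor a periodic pattern; the period rule catches 121212 and 222222. A real client would also apply the organization’s configured minimum length and, for Enhanced PINs, the exact character classes the policy allows.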
Support for enterprise scenarios and topologies
While MBAM has been deployed in some of the world’s largest and most complex environments, there were some topologies and configurations that MBAM 2.0 didn’t support, at least not ideally. The first was organizations that consist of multiple forests: supporting this type of network topology in MBAM 2.0 required a separate MBAM infrastructure within each forest. MBAM 2.5 supports the use of fully qualified domain names (FQDNs) and a single MBAM infrastructure managing clients across two or more trusted forests.
In addition to cross-forest support, MBAM 2.5 now supports high availability configurations on Windows Server, IIS, and SQL Server. MBAM supports load balancing of its web components using software- or hardware-based load balancers, and its databases can now be deployed to SQL Server failover clusters.
In the end, MBAM 2.5 includes something for everyone, and it addresses some of the top customer requests we’ve received over the last year. It even ships with localized versions on day one, so customers no longer have to wait ~6 months for non-English builds! If you’re already running MBAM 1.0 or 2.0 in your environment, moving to 2.5 is an easy transition that will provide many new benefits. If you’re not using BitLocker or MBAM today, now is the perfect time to start evaluating it for your organization. To learn more about MBAM 2.5, please refer to the product documentation on TechNet.
Chris Hallum, Senior Product Marketing Manager, Windows Commercial
Updated November 8, 2014 1:42 am