Select a language to translate this page!
Powered by Microsoft® Translator
This morning Brandon LeBlanc on announced the availability of the RTM for Windows 7 and Server 2008 R2 Service Pack 1 on his blog, Blogging Windows. In addition, Gavriella Schuster announced some great new business value motions as well as a new product beta, MBAM (Microsoft BitLocker Administration and Monitoring) on the Windows for your Business blog today.
This week I had a chance to sit down with Anthony (A.J.) Smith, the product manager for the new MBAM tool. As many IT Pro’s know, with Windows 7 Enterprise and Ultimate there is a security feature called BitLocker which focus on full volume encryption of operating system partitions, fixed data partitions, and removable drives. MBAM builds on BitLocker in Windows 7 and offers IT Pro’s an enterprise solution for BitLocker provisioning, monitoring and key recovery. MBAM will help them simplify BitLocker provisioning and deployment independent or as part of their Windows 7 migration, improves compliance and reporting of BitLocker, and reduces support costs.
Stephen – A.J., thanks for taking time to chat with me. Let’s jump right in. Many IT pros are looking to make BitLocker part of their deployment process. How does MBAM help simplify BitLocker provisioning and deployment.
A.J.- Let’s start with provisioning since IT Pro’s need to think about how they want to configure MBAM and BitLocker. Decisions like what level of encryption, what protectors to use, what volumes they want to protect, and many others should be considered. The Springboard Windows Client Security and Control page has some great BitLocker documentation to help with making the right choices for their organization. Once they understand how they want to configure BitLocker, they can use the additional group policies that MBAM provides to setup their BitLocker configuration.
If they are looking to rollout MBAM as part of their deployment process, they can easily integrate the deployment of the MBAM agent into their Windows 7 deployment task sequence in System Center Configuration Manager or Microsoft Deployment Toolkit, or other Windows 7 deployment tools. This light weight agent is used to read the policies that have been configured, and automate the encryption process.
Integrating MBAM into the deployment process can also help with one of the challenge we heard from IT Professionals around having a user created PIN when using the TPM and PIN as their protector. Using MBAM makes this easier. The IT Pro can configure MBAM to turn on the TPM as a protector and start encryption as part of the deployment process. When the machine is delivered to the end user, the MBAM agent completes the configuration by providing a user friendly interface that prompts the end user to create a PIN.
Stephen – Ok. So if an IT pro deployed Windows 7 but, BitLocker was not turned on, what does MBAM do in that case?
A.J. - If an IT Pro wants turn on BitLocker after they have deployed Windows 7, then MBAM can make this process much easier. Once the MBAM agent is installed, it will read the configured policies that the IT Pro setup using group policy and the end user is then prompted to start the encryption process. The MBAM agent guides an end user with standard user rights through the encryption process by prompting them for any information like the PIN they want to set, and then automates taking ownership of the TPM and starts the encryption process.
Stephen - One of the things I hear from IT Pro’s is around the amount of time they spend on the key recovery process when user forgets their PIN. Does MBAM make this process easier?
A.J. - Yes, MBAM provides a web page for help desks to easily access the BitLocker recovery keys which MBAM stores in an encrypted Microsoft SQL Server database. When the user calls because their machine is in BitLocker recovery mode, the help desk can enter the end user’s Windows user id, their domain, the first eight digits of the key id that is shown in the BitLocker recovery key entry page and choose a reason why the drive needs to be unlocked in the web page and quickly get the recovery key.
Stephen – What else does MBAM offer to help IT Pros make the process of supporting BitLocker easier?
A.J. - One of the things we hear from IT Pro’s is that they are trying to move more and more people out of the local administrators group and only giving them standard user rights. I think this is great, and to help IT Pro’s that are going down this path MBAM allows a standard user to perform basic BitLocker tasks like starting the encryption process and changing their PIN. This should help reduce the number of help desk call they get.
Stephen – Compliancy is an issue at the top of most IT pros minds. Does MBAM offer any support here as well?
A.J. - To improve compliance and reporting of BitLocker, MBAM has out of box reports that can show how compliant the machines in the organization are to the BitLocker policies defined. These reports leverage Microsoft SQL Server Reporting Services to show BitLocker policy details like compliance status, cipher strength, policy applied to O/S and fixed and removable data drives. They also provide some basic machine information like computer name, domain, manufacturer, model, device users, and computer type. The out of box reports also have the ability to filter on specific details like compliance status, computer type, and last contact date. If an IT Pro wants to create custom reports they can leverage the SQL Server Reporting Services tools.
Stephen – Ok. How do IT Pro’s get to see MBAM for themselves?
A.J. - MBAM is still in development, but we plan to have a beta available in March. If your readers want to be notified of when the beta version is available they can go here to sign up (Windows Live ID required). When the development of MBAM is complete we will make it available as part of the Microsoft Desktop Optimization Pack (MDOP).
IT pros can learn more about MBAM (content coming soon) as well as DaRT, AGPM, AIS and the rest of the tools in MDOP in the MDOP Zone on the Springboard Series on TechNet. Also to learn more about BitLocker Drive Encryption check out the 300-400 level content in the Manage Zone on Springboard.
P.S. – This post was published while flying at 30,000 feet. Thank you in-flight wireless.
Would you consider slightly changing the MBAM name? MBAM is the shortened name for Malwarebytes anti-malware product that is a great tool of removing malware www.bing.com/search So for someone who does care about security, those four letters already bingle up to another product.
I will make the MDOP team aware of this. Thanks Susan.
yet another agent - or will it leverage the SSCM or SCOM agents if installed? I suspect not. I recognise that agents are sometimes developed for specific purposes however I wouldl ike to see a trend where there is one modular agent. As additional functioanlity is required modules are added. So the MBAM agent is installed, (base agent plus MBAM mocule) then the client installs SCCM, which adds functionality to the base agent and so on.
I noticed that MBAM can store Bitlocker recovery keys in an encrypted Microsoft SQL Server database. Is this possible if you have the 'Use FIPS complaint algorithms for encryption, hashing, and signing' enabled. Would be great if you could be FIPS complaint and save the recovery keys in AD?
Thanks for the comment/feedback. We understand (and love) that many organization use System Center products to help manage their environment, but at the same time we know that there are other management products used in the market. For reasons like this and others, we decided to have MBAM leverage its own agent and not leverage or build on top of a System Center agent.
Thanks for the comment. MBAM is not changing the way the recovery password encyrption (the 48 digit value that is use to recover a machine) is generated by BitLocker. The recovery method does meet the FIPS 140-2 standard. MBAM will not change this even though the recovery key is stored in an encrypted Microsoft SQL database.
First off, I just want to say that as a company we are very excited to be using MBAM. We are researching and testing this product to be deployed to over 600 tablets that we have in the field. Using this product will help us guarantee the safety and security of all of our patient data and records. We had already been using Bitlocker on a small scale before the release of MBAM. The one question that I have currently is "Is it possible to use MBAM and still be able to secure a Bitlocker machine using TPM + PIN + USB Key?" I know that using bitlocker as a standalone encryption tool you can use this configuration, however you have to use the command line interface to do this as the GUI does not support it. Will this configuration be available while using MBAM, and if so how do I do it? Thanks Tony.
Hi Stephen L Rose,
I am trying to find some reference to confirm your statement that 'The recovery method does meet the FIPS 140-2 standard' for MBAM 1.0
Do you have a source?