This post is from Chris Hallum, a Senior Product Marketing Manager on the Windows/MDOP team. I talk to customers, the press, and analysts every week about Windows security and as we approached the public release of Windows 8 on October 26th the frequency of these conversations increased dramatically. It’s exciting to see so much interest in the Windows 8 security investments that we’ve been working so hard on since Windows 7 shipped back in the summer of 2009.
When we discuss protecting data from breaches I often hear that customers haven’t deployed, or have only partially deployed, drive encryption solutions within their organizations. Laptops are often prioritized within their plans, but desktops and servers are omitted in many, if not most, cases. When I hear this there is always a temptation to be surprised; however, I’ve talked to enough people to understand that IT is increasingly being asked to do more with less. This understanding drives many of the decisions that we make here at Microsoft, and that thinking is clearly reflected in both Windows 8 and Microsoft BitLocker Administration and Monitoring (MBAM), which will enable you to deploy BitLocker more broadly while at the same time reducing overall costs to your organization.
Earlier this year, Microsoft furthered its commitment to data protection with the announcement of MBAM 2.0 Beta 1, and today we are excited to announce MBAM 2.0 Beta 2 (also known as Beta Refresh), which is now available for download. The primary goals for version 2.0 include improving MBAM’s ability to help reduce the costs of provisioning and managing BitLocker, and with the recent release of Windows 8 on October 26th, you can probably imagine what the second goal is: securing data on the new operating system.
When we announced MBAM 2.0 back in June we told you about a series of high level product goals including:
Empower users to support themselves with a self-service recovery portal
In MBAM 1.0 we provided you with a Recovery Portal that was designed entirely around the scenario of end users calling into the helpdesk for support when they run into BitLocker recovery issues, such as a forgotten PIN. The solution worked well, but organizations are increasingly looking for opportunities to empower their end users to resolve issues on their own without the assistance of the helpdesk. With MBAM 2.0 Beta 1 we addressed this need by shipping a Self Service Portal that does just that.
Figure 1: Users who forget their PIN can reset it on their own using the Self Service Portal.
During the Beta 1 process a number of customers asked us whether or not they can put the Self Service Portal on the edge of their networks so that the portal can be reached directly from the Internet. The answer to that question is: YES.
Integrating with existing management infrastructure
MBAM 1.0 was designed as a standalone product, and while the product had a simple architecture and was designed to scale on a minimal set of infrastructure, it still represented yet another management system that you needed to deploy into your environment. As a result, customers frequently asked us to bring that functionality into System Center Configuration Manager 2007 and 2012 so they could manage BitLocker using the Configuration Manager management console and infrastructure that they’ve already deployed.
To address these requests we’ve taken advantage of Configuration Manager’s extensibility capabilities, which have enabled us to integrate all of the compliance reporting and data collection capabilities into the Configuration Manager infrastructure. With this integration, you can deploy MBAM with reduced infrastructure while increasing its ability to scale from just over a hundred thousand devices to hundreds of thousands of devices. By the way, the ability to build customized reports, which many of you enjoyed in MBAM 1.0, is available in Configuration Manager integrated mode as well.
Figure 2: When MBAM is integrated within Configuration Manager the reports can be viewed within the Configuration Manager Console
Simplifying provisioning and eliminating common support scenarios
One of the challenges that customers have given us quite a bit of feedback on in the past is TPM provisioning. The provisioning process could require one or more reboots, and if IT wanted to automate the process, they would often need to install special drivers to facilitate BIOS and TPM management. In scenarios where end users are responsible for encrypting their own devices, they were often intimidated by the process, which reboots the PC and then displays the UI shown below.
Figure 3: When Windows takes ownership of the TPM the system will often reboot and display the following UI
Oftentimes, users wouldn’t know what to do with this rarely seen UI and they would call their helpdesk for advice. In other cases they would reject the TPM changes or turn off the PC, hoping that the UI would never return.
In Windows 8, additional functionality has been added to the system that enables Windows to fully manage the TPM. It’s able to provision the TPM without reboots or user interaction; it just works behind the scenes. Beta 2 of MBAM 2.0 will enable you to take full advantage of this new capability.
Helping IT better report on and enforce compliance
Based on extensive MBAM 1.0 feedback, we have a number of exciting changes to announce specific to compliance reporting in MBAM 2.0 Beta 2. A few moments ago I talked about how we’ve integrated the compliance reports into Configuration Manager; however, there are two additional improvements that you’ll find in MBAM 2.0 Beta 2.
In MBAM 1.0 we calculated compliance based on a strict comparison of the MBAM encryption policies vs. the state of the device. If the policies and the device’s state weren’t in perfect sync, the machine was listed as non-compliant. At first this might sound reasonable, but what if the machine is actually in a more secure state than your encryption policies require? For instance, what if the device was encrypted with 256-bit encryption rather than 128-bit, or the device was protected with TPM + PIN rather than just TPM? Do you really want this device to be listed as non-compliant (i.e. not secure)? Many of you said “No,” and as a result we’ve updated the reports so that devices are only listed as non-compliant when they’re in a state that is less secure than what the encryption policies require.
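To make the difference between the two compliance calculations concrete, here is an added example (not MBAM’s own code) that evaluates a small, constructed BitLocker inventory against a policy both ways: the strict equality check described for MBAM 1.0 and the “at least as secure as policy” check described for Beta 2. The record fields mirror what `Get-BitLockerVolume` reports on Windows 8 (`VolumeStatus`, `EncryptionMethod`, the `KeyProtectorType` values), but every record below is made up for the example, and the strength ranking of protectors is an assumption this example makes explicitly rather than anything the post defines.

```python
"""Compliance evaluation for BitLocker inventory records.

strict_compliant()     -> the MBAM 1.0 behaviour: any deviation from policy,
                          stronger or weaker, is non-compliant.
noncompliance_reasons()-> the MBAM 2.0 Beta 2 behaviour: only states weaker
                          than policy are flagged, with a reason for each.
All inventory records are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed strength orderings (higher is stronger). The protector ranking is a
# policy decision this example makes explicitly; adjust it to your own rules.
CIPHER_BITS = {"Aes128": 128, "Aes256": 256}
PROTECTOR_RANK = {"Tpm": 1, "TpmStartupKey": 2, "TpmPin": 2, "TpmPinStartupKey": 3}


@dataclass(frozen=True)
class Policy:
    cipher: str       # minimum cipher, e.g. "Aes128"
    protector: str    # minimum unlock protector, e.g. "Tpm"


@dataclass
class Volume:
    host: str
    volume_status: str       # "FullyEncrypted", "EncryptionInProgress", "FullyDecrypted"
    encryption_method: str   # "Aes128", "Aes256" or "None"
    key_protectors: list[str] = field(default_factory=list)


def strongest_auth_protector(vol: Volume) -> int:
    """Rank of the strongest TPM-based unlock protector on the volume.
    Recovery-only protectors (e.g. RecoveryPassword) are not authenticators
    for normal boot, so they contribute nothing here."""
    return max((PROTECTOR_RANK[p] for p in vol.key_protectors if p in PROTECTOR_RANK),
               default=0)


def strict_compliant(vol: Volume, policy: Policy) -> bool:
    """MBAM 1.0 style: the device must match the policy exactly."""
    unlock = {p for p in vol.key_protectors if p in PROTECTOR_RANK}
    return (vol.volume_status == "FullyEncrypted"
            and vol.encryption_method == policy.cipher
            and unlock == {policy.protector})


def noncompliance_reasons(vol: Volume, policy: Policy) -> list[str]:
    """MBAM 2.0 Beta 2 style: flag only states weaker than policy.
    An empty list means compliant; a stronger-than-policy device passes."""
    reasons = []
    if vol.volume_status != "FullyEncrypted":
        reasons.append(f"volume is {vol.volume_status}")
    if CIPHER_BITS.get(vol.encryption_method, 0) < CIPHER_BITS[policy.cipher]:
        reasons.append(f"cipher {vol.encryption_method} is weaker than {policy.cipher}")
    if strongest_auth_protector(vol) < PROTECTOR_RANK[policy.protector]:
        reasons.append(f"protectors {vol.key_protectors} are weaker than {policy.protector}")
    return reasons


def compliant(vol: Volume, policy: Policy) -> bool:
    return not noncompliance_reasons(vol, policy)


POLICY = Policy(cipher="Aes128", protector="Tpm")

# Constructed inventory: pc-02 is the case from the post (stronger than policy).
INVENTORY = [
    Volume("pc-01", "FullyEncrypted", "Aes128", ["Tpm", "RecoveryPassword"]),
    Volume("pc-02", "FullyEncrypted", "Aes256", ["TpmPin", "RecoveryPassword"]),
    Volume("pc-03", "EncryptionInProgress", "Aes128", ["Tpm", "RecoveryPassword"]),
    Volume("pc-04", "FullyEncrypted", "Aes128", ["RecoveryPassword"]),
    Volume("pc-05", "FullyDecrypted", "None", []),
]


def report(inventory: list[Volume], policy: Policy) -> dict[str, dict]:
    """Per-host view of both calculations, ready for a dashboard or CSV export."""
    return {
        v.host: {
            "strict": strict_compliant(v, policy),
            "v2": compliant(v, policy),
            "reasons": noncompliance_reasons(v, policy),
        }
        for v in inventory
    }


if __name__ == "__main__":
    for host, row in report(INVENTORY, POLICY).items():
        print(host, row)
```

Running it shows pc-02 (AES-256 with TPM + PIN) failing the strict check but passing the Beta 2 style check, while the volume still encrypting, the volume with only a recovery password, and the decrypted volume are flagged by both, each with a reason you can surface in a report.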
In addition to providing a better way to calculate compliance, we’ve also made some improvements to the information that we render within the reports themselves. Most of these changes are incremental improvements that make things clearer or more informative, but there is one more significant change that is worth mentioning specifically: the inclusion of a new dashboard view that gives you a quick status view of your entire environment, which you can see in the screenshot below.
Figure 4: The new Dashboard provides organizational compliance status as well as information to help drive corrective actions.
As you can imagine we’re very excited to have shipped Beta 2 and I encourage you to download it and tell us what you think. For those of you using Beta 1, an in-place upgrade will make it easy to migrate to Beta 2, allowing you to install without removing the previous version.
To learn more about how Microsoft BitLocker Administration and Monitoring (MBAM) and other products from the Microsoft Desktop Optimization Pack (MDOP) can help your business, visit http://www.microsoft.com/mdop.
Is there any new function for OPAL 2 compliant SED drives?
I don't get it. I spent a month working on an MBAM deployment with the Beta version and felt like the only support I had was from the forums and via Google. Microsoft has kept so tight-lipped on the final release, which didn't allow any business planning. Unfortunately we were forced to renew our McAfee Endpoint Encryption, but this turned out to be a blessing. As clunky and as unintuitive as McAfee is, MBAM 2.0 was difficult to deploy, offers no control other than storing encryption keys, and the support is almost non-existent. This product has a long way to go before it can be competitive with other solutions. Very disappointing, Microsoft! Score one for McAfee!
Does this mean that MBAM is looking likely to be released in April (everything else being equal)?
Hello Corey, our test team hasn’t run any tests on 1.0 w/ SQL 2012 compatibility and thus that scenario is technically not supported. It’s quite possible it will work just fine, but it’s also possible that you could run into issues with the setup pre-req checker or even other things. I think the best approach would be to set up a supported instance of 2008 R2 for the short term and then migrate the system to 2.0 and SQL 2012 when we can support you in that configuration. Our April release isn’t that far away, so I hope this will work for you as a decent stopgap.
Senior Product Manager
Windows Client - Security
Stephen, I know that you don't know for sure when the official release date will be, and I know that we'll have an "upgrade" option from 1.0 to 2.0. But I'm more concerned with setup. I've read that MBAM 2.0 is completely compatible with SQL 2012, which is what I'd like to use; but if I were to start using MBAM 1.0 as we wait for MBAM 2.0 to be released...can I install/use MBAM 1.0 utilizing SQL 2012? If so, or in consideration of, do I have to change the compatibility mode of that database to 2008?
I spoke with the product management team for MBAM today. Here was the response: "We hoped to release public info as indicated earlier but it was later decided that we’d just release info to a specific set of customers under NDA. If you have a signed NDA filed with us your account team contact will be able to share some additional information with you. Please note that the exact date of the release is not part of the information set that they’ll be sharing."
I have the same question as Phil from 22/1 (avoiding MBAM 1, or an easy path to MBAM 2 afterwards, or better to wait; alternatively, can MBAM 2 Refresh be used and smoothly upgraded to the final version when it comes?), where you answer:
"Hello Phil, at this point we haven’t disclosed any future milestones or the final release date however we’re getting prepared to reveal more information in the next few weeks. I think this information will give you what you need to make the 1.0 vs 2.0 decision."
Where do I find that info? A few weeks have passed by, so I suppose it has been released!!
At this point we don’t have any release date news to share. Thanks for your continued patience.
Any news on release date or something ?
We'll have more details on SQL as we get closer to release.
What type of SQL with MBAM need to run the necessary reports to administer users when a passcode is forgotten? In the past I know it was SQL Enterprise. Is this the case for MBAM 2.0?
Hello Phil, at this point we haven’t disclosed any future milestones or the final release date; however, we’re getting prepared to reveal more information in the next few weeks. I think this information will give you what you need to make the 1.0 vs 2.0 decision.
I'm about to perform a large scale Windows 8 roll out and want to use MBAM 2 if possible. Do you have a ballpark date for when MBAM 2 will be released, or is it the case that we should install MBAM 1 and then update? I'm trying to avoid deploying MBAM 1 and then having to go through an upgrade after a relatively short period, so I am trying to work out if it makes sense waiting for MBAM 2 or whether to deploy now with limited functionality and integration.
If you have an idea of when this is likely to be released (this quarter, next quarter, not until 2014) then that would be great.
hi Stephen - sorry to nag but any closer to an idea when the official release is likely to be?
Sure. Just email it to me directly at firstname.lastname@example.org.
Stephen, is there a good way to send very simple feedback about something new I discovered with MBAM 2.0? I did the survey some time ago; this is something new since then.
Hello Paul, we will support upgrade from 1.0 to 2.0. You can find this functionality in Beta 2/Refresh which is available on the Connect site.
Hi Stephen - is there likely to be an upgrade path from MBAM 1.0 to MBAM 2.0? - I'd like to use Bitlocker but have a deadline to meet - and might have to use an alternative product. I think we can live with Bitlocker 1.0 for a short period but it wouldn't do for all of our users.
The release date for the MBAM is based on a number of factors one of which is the successful inclusion of feedback from the Beta program. Since we can’t predict how much feedback we will receive or the difficulty in including it within the product we’re not able to provide a release timeline at this time.
Any idea when MBAM 2.0 is expected to be officially released out of Beta?