Today’s post is from Chris Hallum, Windows Security Product Manager

Today’s an exciting day for us here at the annual Microsoft Management Summit (MMS) in Las Vegas, as we just announced the general availability of the Microsoft Desktop Optimization Pack (MDOP) 2013 for Software Assurance, which includes a major update to Microsoft BitLocker Administration and Monitoring (MBAM) as well as a series of Service Pack updates for APP-V, UE-V, DART, and AGPM. As mentioned in our announcement on the Windows For Your Business blog, the big star in the MDOP 2013 release is MBAM 2.0, which is designed to help you make significant cost reductions when it comes to provisioning, managing and supporting encrypted devices (running Windows 7, Windows 8, and Windows To Go) within your environment.

For those of you that have been following our previous MBAM posts here on Springboard or have participated in the MBAM 2.0 beta program, you’re likely already familiar with the feature set and I’d wager that you’re eager to learn more about how to deploy the final build within your environment. For those of you new to MBAM 2.0, or for anyone who may need a quick refresher, I’d like to quickly point out the key features that you will find in this release:

  • Self-Service Portal: The Self-Service Portal helps end users perform the most common support tasks without need of help desk assistance.
  • System Center Configuration Manager Integration: Integration with System Center Configuration Manager (SCCM) 2007 and 2012 enables organizations to bring MBAM’s compliance management and reporting capabilities into their existing SCCM infrastructure.
  • Windows 8 Support: Support for managing BitLocker on Windows 8 and Windows To Go devices has been included, along with the ability to take advantage of new WinPE capabilities that will dramatically reduce encryption times.
  • Compliance reporting calculation improvements: Reporting has been updated so that devices are only marked as non-compliant when they’re in a state that is less secure than the minimum requirements defined in policy. This differs from MBAM 1.0, where compliance was based on strict adherence to policy and resulted in devices appearing non-compliant even when they were in a more secure configuration than policy required.
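To make the compliance calculation change concrete, here is an added example (not MBAM code, and not from the original post) that models the two rules side by side: a 1.0-style check that demands an exact match with policy, and a 2.0-style check that only flags devices weaker than the policy minimum. The cipher and protector rankings, the policy shape and the sample fleet are all assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal "strength" for the settings a policy can require. The orderings are an
# assumption made for this example, not MBAM's internal tables.
CIPHER_RANK = {"AES128": 1, "AES256": 2}
OS_PROTECTOR_RANK = {"TPM": 1, "TPM+PIN": 2, "TPM+PIN+StartupKey": 3}


@dataclass(frozen=True)
class Policy:
    cipher: str          # minimum cipher the policy requires
    os_protector: str    # minimum OS-drive protector the policy requires


@dataclass(frozen=True)
class DeviceState:
    name: str
    encrypted: bool
    protection_on: bool  # False when the volume is in "protection suspended" mode
    cipher: Optional[str]
    os_protector: Optional[str]


def is_compliant_v1(dev: DeviceState, pol: Policy) -> bool:
    """1.0-style rule: compliant only on strict adherence to policy."""
    return (dev.encrypted and dev.protection_on
            and dev.cipher == pol.cipher and dev.os_protector == pol.os_protector)


def is_compliant_v2(dev: DeviceState, pol: Policy) -> bool:
    """2.0-style rule: non-compliant only when less secure than the policy minimum."""
    if not (dev.encrypted and dev.protection_on):
        return False  # decrypted or suspended is always weaker than any minimum
    return (CIPHER_RANK[dev.cipher] >= CIPHER_RANK[pol.cipher]
            and OS_PROTECTOR_RANK[dev.os_protector] >= OS_PROTECTOR_RANK[pol.os_protector])


def compliance_report(devices, pol: Policy) -> dict:
    """Evaluate every device under both rules; returns {name: {"v1": bool, "v2": bool}}."""
    return {d.name: {"v1": is_compliant_v1(d, pol), "v2": is_compliant_v2(d, pol)}
            for d in devices}


# Constructed sample policy and fleet (hypothetical values).
POLICY = Policy(cipher="AES128", os_protector="TPM")
SAMPLE_DEVICES = [
    DeviceState("pc-exact", True, True, "AES128", "TPM"),
    DeviceState("pc-stronger", True, True, "AES256", "TPM+PIN"),
    DeviceState("pc-suspended", True, False, "AES128", "TPM"),
    DeviceState("pc-decrypted", False, True, None, None),
]

if __name__ == "__main__":
    for name, r in compliance_report(SAMPLE_DEVICES, POLICY).items():
        print(f"{name:13} 1.0-style: {str(r['v1']):5} 2.0-style: {r['v2']}")
```

Only pc-stronger changes verdict between the two rules: it exceeds the minimum and so is compliant under the 2.0-style calculation, while the suspended and decrypted devices fail both.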

Each of these features was present in the MBAM 2.0 Beta 2 release and has since been improved; however, please note that a number of all-new features have also been added to the final release, including:

  • Support for managing Windows To Go devices
  • BitLocker pre-provisioning with WinPE including the use of Used Disk Space Only Encryption on Windows 8 devices
  • Windows 8 Operating System Drives can now be protected with the Password protector
  • Improved scalability and performance will enable you to deploy MBAM with less infrastructure
  • Devices left in “protection suspended” mode will automatically resume protection after reboot
  • MBAM can take ownership of the TPM without requiring a reboot (if the TPM is turned on in the BIOS)

That covers the key new features, but if you’re looking for more details please take a look at our Announcing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 - Beta 2 blog post from last November.

Now with the preamble behind us, let’s quickly overview how you can approach deploying MBAM 2.0 within your environment. The first thing that you will need to consider is which of the two topology options you want to use:

  • Stand-alone
  • System Center Configuration Manager integrated

Stand-alone mode was available in MBAM 1.0 and in 2.0 it’s fundamentally the same. This means that you’ll need to plan to deploy the following components across one or more servers:

  • Administration and Monitoring Server
  • Self-Service Server
  • Recovery Database
  • Compliance and Audit Database
  • Compliance and Audit Reports
  • Policy Template

The following architectural diagram depicts a typical configuration where the server components are deployed across two servers while the policy template is deployed to a workstation that is used for policy authoring. This type of configuration can scale to ~200,000 managed devices.


Figure 1: Stand-Alone Topology

If you’re using SCCM within your environment, we recommend that you take a serious look at the SCCM integrated mode as this will offer you a number of benefits including the ability for you to:

  • Deploy several MBAM components within the SCCM infrastructure that you already have deployed
  • Consolidate the MBAM compliance reporting within the SCCM desktop reporting system
  • Scale out to 200,000+ managed devices

The SCCM integrated mode enables you to deploy the following MBAM components on your Configuration Manager Primary Site Server:

  • Compliance Reports
  • Compliance Database

Please note that a new database will not be created for the Compliance Reports; instead, the Configuration Manager site database will be used to store all MBAM compliance data. The Compliance Reports themselves will be deployed to the Configuration Manager reporting service point, and the Configuration Manager client will perform all compliance-related data collection. The MBAM client will still need to be deployed, but it will scale back its responsibilities such that it will just manage recovery data collection and compliance enforcement.

The remaining MBAM components are essentially deployed as they would be in a Stand-Alone mode configuration. The components that you will deploy outside of the SCCM infrastructure include:

  • Administration and Monitoring Server
  • Self-Service Server
  • Recovery Database
  • Audit Database
  • Audit Reports
  • Policy Template

The following architectural diagram depicts a typical configuration where the server components are deployed across three servers while the policy template is deployed to a workstation that is typically used for policy authoring.


Figure 2: System Center Configuration Manager integrated mode

Once you’ve decided which topology mode is best for your environment, the next step is to determine how to get there from your current state. The potential options are:

  • Fresh Install of MBAM 2.0 in Stand-Alone mode; Previous version of MBAM not Deployed
  • Fresh Install of MBAM 2.0 in SCCM Integrated mode; Previous version of MBAM not Deployed
  • MBAM 1.0 deployed; Upgrade to 2.0 in Stand-Alone mode
  • MBAM 1.0 deployed; Upgrade to 2.0 in SCCM integrated mode

The sections that follow will provide you with a brief overview of the server deployment process for each of these options.

Fresh Install of MBAM 2.0 in Stand-Alone mode; Previous version of MBAM not Deployed

If you’re deploying MBAM into your environment for the very first time you’ll find the process quite easy as the MBAM server setup will walk you through the experience and it will flag any pre-requisites that you need before you start the installation.

To deploy MBAM in the stand-alone topology, perform the following steps:

  1. Determine where you will deploy each MBAM component. A common deployment configuration is one where the IIS-related MBAM components are deployed to one server while the SQL components are deployed to another.
  2. Deploy SQL Server, SQL Reporting Services, and an instance of the IIS Server Role on the applicable servers.
  3. Configure SQL Server to support encrypted connections to the SQL Server Database Engine (optional).
  4. Provision a certificate suitable for encrypting communication (SSL) between the MBAM client and the IIS server that will host the MBAM Administration and Monitoring Server component (optional).
  5. Install the MBAM server components. The pre-requisite checker will help ensure that the servers meet all pre-requisites before attempting the install.

Once these steps are complete the MBAM server infrastructure should be fully operational.

Fresh Install of MBAM 2.0 in SCCM Integrated mode; Previous version of MBAM not Deployed

If you’re deploying MBAM into your environment for the very first time you’ll find the process quite easy as the MBAM server setup will walk you through the experience and will flag any pre-requisites before you start the actual installation.

To deploy MBAM in the Configuration Manager integrated mode, perform the following steps:

  1. Determine where you will deploy each MBAM component. A common deployment configuration is one where the IIS-related MBAM components are deployed to one server, the SQL components are deployed to another, and in this case the compliance-related components are installed on the Configuration Manager server.
  2. Deploy SQL Server, SQL Reporting Services, and an instance of the IIS Server Role on the applicable servers.
  3. Configure SQL Server to support encrypted connections to the SQL Server Database Engine (optional).
  4. Provision a certificate suitable for encrypting communication (SSL) between the MBAM client and the IIS server that will host the MBAM Administration and Monitoring Server component (optional).
  5. Configure the SCCM permissions required to install MBAM.
  6. Edit and import the configuration.mof file.
  7. Edit and import the sm_def.mof file.

8. Install the MBAM server components. The pre-requisite checker will help insure that the servers meet all pre-requisites before attempting the install.

Once these steps are complete the MBAM server infrastructure should be fully operational.

Note: When setting up the “Configure MBAM Services” policy for SCCM integrated mode you do not need to configure the MBAM Compliance service endpoint setting as Configuration Manager will automatically collect all compliance information.

MBAM 1.0 deployed; Upgrade to 2.0 in Stand-Alone mode

If you’ve already deployed MBAM 1.0 and want to upgrade to 2.0 in stand-alone mode, you can easily do so using the process described below. Using this process will enable you to maintain all existing recovery, compliance and audit reporting data:

  1. Uninstall the MBAM 1.0 server components from each server that is participating in the MBAM server infrastructure. Please note that the Recovery and Compliance databases will not be deleted and can be used when you deploy the MBAM 2.0 components.
  2. If not previously configured in the MBAM 1.0 deployment, consider setting up the SQL Server to support encrypted connections to the applicable SQL Server Database Engine (optional).
  3. If not previously configured in the MBAM 1.0 deployment, consider provisioning a certificate suitable for encrypting communication (SSL) between the MBAM client and the IIS server that will host the MBAM Administration and Monitoring Server component (optional).
  4. Install the MBAM server components. The pre-requisite checker will help ensure that the servers meet all pre-requisites before attempting the install. During setup you will be able to use the Recovery and Compliance and Audit databases from the previous 1.0 deployment.

Once these steps are complete the MBAM server infrastructure should be fully operational.

Note: When installing the database components, please make sure to use the same database names as you used for the 1.0 deployment, as in this case setup will use the existing databases. If not, new compliance and recovery databases will be created.

MBAM 1.0 deployed; Upgrade to 2.0 in SCCM integrated mode

If you’ve already deployed MBAM 1.0 and want to upgrade to 2.0 in System Center Configuration Manager integrated mode, you can easily get there using the process described below. Using this process will enable you to keep all existing recovery data and audit reporting data; however, new compliance information will need to be collected from the managed devices. This collection occurs automatically as managed devices start communicating with the new MBAM infrastructure. We recommend that you maintain a copy of the MBAM 1.0 compliance database for scenarios where the compliance status of a device that never makes contact with the new infrastructure must be determined.

To deploy MBAM in the Configuration Manager integrated mode, perform the following steps:

  1. Uninstall the MBAM 1.0 server components from each server that is participating in the MBAM server infrastructure. Please note that:
    • The Recovery and Compliance and Audit databases will not be deleted.
    • The previous Recovery database can be used when you deploy the MBAM 2.0 components.
    • The previous Compliance and Audit database can be used when you deploy the MBAM 2.0 components; however, it will just be used for auditing.
    • All compliance-related data will need to be recollected from the managed nodes, as the data is not migrated.
  2. If not previously configured in the MBAM 1.0 deployment, consider configuring the SQL Server to support encrypted connections to the applicable SQL Server Database Engine (optional).
  3. If not previously configured in the MBAM 1.0 deployment, consider provisioning a certificate suitable for encrypting communication (SSL) between the MBAM client and the IIS server that will host the MBAM Administration and Monitoring Server component (optional).
  4. Configure the SCCM permissions required to install MBAM.
  5. Edit and import the configuration.mof file.
  6. Edit and import the sm_def.mof file.
  7. Install the MBAM server components. The pre-requisite checker will help ensure that the servers meet all pre-requisites before attempting the install. During setup you will be able to use the Recovery and Compliance and Audit databases from the previous 1.0 deployment.
  8. Update the “Configure MBAM Services” policy such that it no longer defines an MBAM Compliance service endpoint, as Configuration Manager will automatically collect all compliance information.

Once these steps are complete the MBAM server infrastructure should be fully operational.

Note: When installing the Recovery and Audit database components, please make sure to use the same database names as you used for the 1.0 deployment, as in this case setup will use the existing databases. If not, new audit and recovery databases will be created.

There’s obviously a far more detailed set of procedures and information that you’ll need to get MBAM 2.0 fully deployed, but I hope that this post gives you enough information to make a few of the key decisions such that you can enjoy accelerated progress when the time comes. The key documents that you’ll want to use for planning and deployment include the Microsoft BitLocker Administration and Monitoring Deployment Guide which can be found in the Download Center, and the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide which is available on the Springboard Series on TechNet.