Today’s post is from Chris Hallum, Windows Security Product Manager.
Today’s an exciting day for us here at the annual Microsoft Management Summit (MMS) in Las Vegas, as we just announced the general availability of the Microsoft Desktop Optimization Pack (MDOP) 2013 for Software Assurance, which includes a major update to Microsoft BitLocker Administration and Monitoring (MBAM) as well as a series of Service Pack updates for APP-V, UE-V, DART, and AGPM. As mentioned in our announcement on the Windows For Your Business blog, the big star in the MDOP 2013 release is MBAM 2.0, which is designed to help you make significant cost reductions when it comes to provisioning, managing and supporting encrypted devices (running Windows 7, Windows 8, and Windows To Go) within your environment.
For those of you that have been following our previous MBAM posts here on Springboard or have participated in the MBAM 2.0 beta program, you’re likely already familiar with the feature set and I’d wager that you’re eager to learn more about how to deploy the final build within your environment. For those of you new to MBAM 2.0, or for anyone who may need a quick refresh, I’d like to quickly point out the key features that you will find in this release:
Each of these features was present in the MBAM 2.0 Beta 2 release and has since been improved. Please note, however, that a number of all-new features have been added to the final release, which include:
That covers the key new features, but if you’re looking for more details please take a look at our Announcing Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 - Beta 2 blog post from last November.
Now with the preamble behind us, let’s quickly overview how you can approach deploying MBAM 2.0 within your environment. The first thing that you will need to consider is which of the two topology options you want to use, which include:
Stand-alone mode was available in MBAM 1.0 and in 2.0 it’s fundamentally the same. This means that you’ll need to plan to deploy the following components across one or more servers:
The following architectural diagram depicts a typical configuration where the server components are deployed across two servers while the policy template is deployed to a workstation that is used for policy authoring. This type of configuration can scale to ~200,000 managed devices.
Figure 1: Stand-Alone Topology
If you’re using SCCM within your environment, we recommend that you take a serious look at the SCCM integrated mode as this will offer you a number of benefits including the ability for you to:
The SCCM integrated mode enables you to deploy the following MBAM components on your Configuration Manager Primary Site Server:
Please note that a new database will not be created for the Compliance Reports; instead the Configuration Manager site database will be used to store all MBAM compliance data. The Compliance Reports themselves will be deployed to the Configuration Manager reporting service point, and the Configuration Manager client will perform all compliance-related data collection. The MBAM client will still need to be deployed, but it will scale back its responsibilities such that it will just manage recovery data collection and compliance enforcement.
The remaining MBAM components are essentially deployed as if they were in a Stand-Alone mode configuration. The components that you will deploy outside of the SCCM infrastructure include:
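Whichever topology you choose, the MBAM client still enforces encryption policy and collects recovery data on each managed device, so it helps to be able to check a pilot machine's BitLocker state by hand before trusting the compliance reports. The script below is an added example for that purpose; it is not MBAM's or Microsoft's own code. It assumes the BitLocker PowerShell module (`Get-BitLockerVolume`) that ships with Windows 8 and Windows Server 2012, and the `$AllowedMethods` list is an assumed policy that you would adjust to match your own encryption-method setting.

```powershell
# Added example (not MBAM's own code): local audit of BitLocker state on a
# managed device, flagging volumes that would show as non-compliant or that
# have no recovery password for the MBAM client to escrow.
# Assumes the BitLocker module's Get-BitLockerVolume cmdlet is available.

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Assumed policy: encryption methods accepted as compliant. Adjust to
        # match the "Choose drive encryption method" policy in your environment.
        [string[]]$AllowedMethods = @('Aes128', 'Aes256', 'Aes128Diffuser', 'Aes256Diffuser')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $protectorTypes     = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasRecoveryPassword = $protectorTypes -contains 'RecoveryPassword'
        $isEncrypted         = $vol.VolumeStatus -eq 'FullyEncrypted'
        $isProtected         = $vol.ProtectionStatus -eq 'On'
        $methodOk            = $AllowedMethods -contains [string]$vol.EncryptionMethod

        # Collect every reason a volume fails, so the output explains itself.
        $reasons = @()
        if (-not $isEncrypted)         { $reasons += "VolumeStatus is $($vol.VolumeStatus)" }
        if (-not $isProtected)         { $reasons += 'protection is off or suspended' }
        if (-not $hasRecoveryPassword) { $reasons += 'no RecoveryPassword protector to escrow' }
        # A decrypted volume reports EncryptionMethod None; only judge the
        # method once the volume is actually encrypted.
        if ($isEncrypted -and -not $methodOk) { $reasons += "method $($vol.EncryptionMethod) not allowed" }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            VolumeStatus = $vol.VolumeStatus
            Protection   = $vol.ProtectionStatus
            Method       = $vol.EncryptionMethod
            Protectors   = ($protectorTypes -join ',')
            Compliant    = ($reasons.Count -eq 0)
            Reason       = ($reasons -join '; ')
        }
    }
}

# Run in an elevated session; one row per BitLocker-capable volume.
Test-BitLockerCompliance | Format-Table -AutoSize
```

A volume that is encrypted but whose protection is suspended, or that has only a TPM protector and no recovery password, is the kind of case that looks fine at a glance yet would leave the device unrecoverable through MBAM, which is why both checks are reported separately rather than collapsed into a single pass/fail flag.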
The following architectural diagram depicts a typical configuration where the server components are deployed across three servers while the policy template is deployed to a workstation that is typically used for policy authoring.
Figure 2: System Center Configuration Manager integrated mode
Once you’ve decided which topology mode is best for your environment, the next step is to determine how to get there from your current state. The list of potential options includes:
The sections that follow will provide you with a brief overview of the server deployment process for each of these options.
Fresh Install of MBAM 2.0 in Stand-Alone mode; Previous version of MBAM not Deployed
If you’re deploying MBAM into your environment for the very first time, you’ll find the process quite easy, as the MBAM server setup will walk you through the experience and will flag any pre-requisites that you need before you start the installation.
To deploy MBAM in the stand-alone topology, perform the following steps:
Once these steps are complete the MBAM server infrastructure should be fully operational.
Fresh Install of MBAM 2.0 in SCCM Integrated mode; Previous version of MBAM not Deployed
If you’re deploying MBAM into your environment for the very first time, you’ll find the process quite easy, as the MBAM server setup will walk you through the experience and will flag any pre-requisites before you start the actual installation.
To deploy MBAM in the Configuration Manager integrated mode, perform the following steps:
8. Install the MBAM server components. The pre-requisite checker will help ensure that the servers meet all pre-requisites before attempting the install.
Note: When setting up the “Configure MBAM Services” policy for SCCM integrated mode you do not need to configure the MBAM Compliance service endpoint setting as Configuration Manager will automatically collect all compliance information.
MBAM 1.0 deployed; Upgrade to 2.0 in Stand Alone mode
If you’ve already deployed MBAM 1.0 and want to upgrade to 2.0 in stand-alone mode, you can easily do so using the process described below. Using this process will enable you to maintain all existing recovery, compliance and audit reporting data:
Note: When installing the database components, please make sure to use the same database names as you used for the 1.0 deployment, as in this case setup will use the existing databases. If not, new compliance and recovery databases will be created.
MBAM 1.0 deployed; Upgrade to 2.0 in SCCM integrated mode
If you’ve already deployed MBAM 1.0 and want to upgrade to 2.0 in System Center Configuration Manager integrated mode, you can easily get there using the process described below. Using this process will enable you to keep all existing recovery data and audit reporting data; however, new compliance information will need to be collected from the managed devices. This collection occurs automatically as managed devices start communicating with the new MBAM infrastructure. We recommend that you maintain a copy of the MBAM 1.0 compliance database for scenarios where the compliance status of a device that never makes contact with the new infrastructure must be determined.
Note: When installing the Recovery and Audit database components, please make sure to use the same database names as you used for the 1.0 deployment, as in this case setup will use the existing databases. If not, new audit and recovery databases will be created.
There’s obviously a far more detailed set of procedures and information that you’ll need to get MBAM 2.0 fully deployed, but I hope that this post gives you enough information to make a few of the key decisions so that you can make accelerated progress when the time comes. The key documents that you’ll want to use for planning and deployment include the Microsoft BitLocker Administration and Monitoring Deployment Guide, which can be found in the Download Center, and the Microsoft BitLocker Administration and Monitoring 2 Administrator’s Guide, which is available on the Springboard Series on TechNet.