This morning Brandon LeBlanc announced the availability of the RTM for Windows 7 and Server 2008 R2 Service Pack 1 on his blog, Blogging Windows. In addition, Gavriella Schuster announced some great new business value motions as well as a new product beta, MBAM (Microsoft BitLocker Administration and Monitoring), on the Windows for your Business blog today.
This week I had a chance to sit down with Anthony (A.J.) Smith, the product manager for the new MBAM tool. As many IT pros know, Windows 7 Enterprise and Ultimate include a security feature called BitLocker, which provides full volume encryption of operating system partitions, fixed data partitions, and removable drives. MBAM builds on BitLocker in Windows 7 and offers IT pros an enterprise solution for BitLocker provisioning, monitoring and key recovery. MBAM helps them simplify BitLocker provisioning and deployment, either independently of or as part of their Windows 7 migration, improve compliance and reporting for BitLocker, and reduce support costs.
Stephen – A.J., thanks for taking time to chat with me. Let’s jump right in. Many IT pros are looking to make BitLocker part of their deployment process. How does MBAM help simplify BitLocker provisioning and deployment?
A.J. - Let’s start with provisioning, since IT pros need to think about how they want to configure MBAM and BitLocker. Decisions like what level of encryption, what protectors to use, what volumes they want to protect, and many others should be considered. The Springboard Windows Client Security and Control page has some great BitLocker documentation to help with making the right choices for their organization. Once they understand how they want to configure BitLocker, they can use the additional group policies that MBAM provides to set up their BitLocker configuration.
If they are looking to roll out MBAM as part of their deployment process, they can easily integrate the deployment of the MBAM agent into their Windows 7 deployment task sequence in System Center Configuration Manager or Microsoft Deployment Toolkit, or other Windows 7 deployment tools. This lightweight agent is used to read the policies that have been configured and automate the encryption process.
Integrating MBAM into the deployment process can also help with one of the challenges we heard from IT professionals around having a user-created PIN when using the TPM and PIN as their protector. Using MBAM makes this easier. The IT pro can configure MBAM to turn on the TPM as a protector and start encryption as part of the deployment process. When the machine is delivered to the end user, the MBAM agent completes the configuration by providing a user-friendly interface that prompts the end user to create a PIN.
Stephen – OK. So if an IT pro deployed Windows 7 but BitLocker was not turned on, what does MBAM do in that case?
A.J. - If an IT pro wants to turn on BitLocker after they have deployed Windows 7, then MBAM can make this process much easier. Once the MBAM agent is installed, it will read the configured policies that the IT pro set up using group policy, and the end user is then prompted to start the encryption process. The MBAM agent guides an end user with standard user rights through the encryption process by prompting them for any information like the PIN they want to set, then automates taking ownership of the TPM and starts the encryption process.
Stephen - One of the things I hear from IT pros is around the amount of time they spend on the key recovery process when a user forgets their PIN. Does MBAM make this process easier?
A.J. - Yes, MBAM provides a web page for help desks to easily access the BitLocker recovery keys, which MBAM stores in an encrypted Microsoft SQL Server database. When the user calls because their machine is in BitLocker recovery mode, the help desk can enter the end user’s Windows user ID, their domain, and the first eight digits of the key ID that is shown on the BitLocker recovery key entry page, choose a reason why the drive needs to be unlocked in the web page, and quickly get the recovery key.
Stephen – What else does MBAM offer to help IT Pros make the process of supporting BitLocker easier?
A.J. - One of the things we hear from IT pros is that they are trying to move more and more people out of the local administrators group and only giving them standard user rights. I think this is great, and to help IT pros that are going down this path MBAM allows a standard user to perform basic BitLocker tasks like starting the encryption process and changing their PIN. This should help reduce the number of help desk calls they get.
Stephen – Compliance is an issue at the top of most IT pros’ minds. Does MBAM offer any support here as well?
A.J. - To improve compliance and reporting of BitLocker, MBAM has out-of-the-box reports that can show how compliant the machines in the organization are with the BitLocker policies defined. These reports leverage Microsoft SQL Server Reporting Services to show BitLocker policy details like compliance status, cipher strength, and policy applied to OS, fixed and removable data drives. They also provide some basic machine information like computer name, domain, manufacturer, model, device users, and computer type. The out-of-the-box reports also have the ability to filter on specific details like compliance status, computer type, and last contact date. If an IT pro wants to create custom reports they can leverage the SQL Server Reporting Services tools.
Stephen – OK. How do IT pros get to see MBAM for themselves?
A.J. - MBAM is still in development, but we plan to have a beta available in March. If your readers want to be notified when the beta version is available they can go here to sign up (Windows Live ID required). When the development of MBAM is complete we will make it available as part of the Microsoft Desktop Optimization Pack (MDOP).
IT pros can learn more about MBAM (content coming soon) as well as DaRT, AGPM, AIS and the rest of the tools in MDOP in the MDOP Zone on the Springboard Series on TechNet. Also, to learn more about BitLocker Drive Encryption, check out the 300-400 level content in the Manage Zone on Springboard.
P.S. – This post was published while flying at 30,000 feet. Thank you, in-flight wireless.
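As an added example that is not part of this post or of MBAM itself, the PowerShell script below produces the kind of per-volume record A.J. describes in the compliance and key recovery answers (conversion status, cipher strength, protectors in use, and the first eight characters of the recovery key ID the help desk matches on) from the Win32_EncryptableVolume WMI class that ships with Windows 7. The required-policy values are assumptions standing in for an organization's MBAM group policy settings.

```powershell
# Added example, not MBAM code: per-volume BitLocker compliance snapshot from the
# Win32_EncryptableVolume WMI class (present on Windows 7 / Server 2008 R2).
# Run in an elevated PowerShell session; output is one record per volume.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
# Code tables as documented for Win32_EncryptableVolume (Windows 7 values).
$methodNames = @{ 0='None'; 1='AES128+Diffuser'; 2='AES256+Diffuser'; 3='AES128'; 4='AES256' }
$protectorNames = @{ 0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPM+PIN';
                     5='TPM+StartupKey'; 6='TPM+PIN+StartupKey'; 7='PublicKey'; 8='Passphrase' }
$conversionNames = @{ 0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                      3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused' }
# Assumed policy for the OS drive (a constructed stand-in for the group policy
# settings MBAM would supply): AES 256, TPM+PIN to unlock, and a numerical
# (recovery) password present so the help desk has something to look up.
$RequiredMethod    = 4   # AES256
$RequiredProtector = 4   # TPM+PIN
$RecoveryProtector = 3   # NumericalPassword

$osDrive = $env:SystemDrive
$report = foreach ($v in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
    $conv   = $v.GetConversionStatus()
    $method = [int]$v.GetEncryptionMethod().EncryptionMethod
    $ids    = @($v.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })  # 0 = all types
    $types  = @(); $hasRequired = $false; $recoveryIdPrefix = $null
    foreach ($id in $ids) {
        $t = [int]$v.GetKeyProtectorType($id).KeyProtectorType
        $types += $protectorNames[$t]
        if ($t -eq $RequiredProtector) { $hasRequired = $true }
        # Keep only the first eight characters of the recovery key ID: that is what the
        # recovery screen shows and what the help desk matches on. The 48-digit
        # recovery password itself is deliberately never read by this script.
        if ($t -eq $RecoveryProtector) { $recoveryIdPrefix = $id.Trim('{}').Substring(0, 8) }
    }
    $isOs = ($v.DriveLetter -eq $osDrive)
    # Compliance is only judged for the OS drive; data drives are listed for visibility.
    $compliant = if ($isOs) {
        ([int]$conv.ConversionStatus -eq 1) -and ($method -eq $RequiredMethod) -and
        $hasRequired -and ($recoveryIdPrefix -ne $null)
    } else { 'n/a' }
    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        Drive      = $v.DriveLetter
        Status     = $conversionNames[[int]$conv.ConversionStatus]
        Cipher     = $methodNames[$method]
        Protectors = ($types -join ',')
        RecoveryId = $recoveryIdPrefix
        Compliant  = $compliant
    }
}
$report | Format-Table Computer, Drive, Status, Cipher, Protectors, RecoveryId, Compliant -AutoSize
```

A machine where the OS drive reports FullyEncrypted, AES256, a TPM+PIN protector and a recovery ID prefix shows Compliant = True; anything else on the OS drive is the kind of deviation the MBAM compliance reports are meant to surface.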