DC-B312 What is Microsoft BitLocker Administration and Monitoring? MBAM 1.0 objectives: Simplify provisioning and deployment Provide reporting (e.g.: compliance & audit) Reduce costs (e.g.: Simplified Recovery) “We can use MBAM.


DC-B312

What is Microsoft BitLocker Administration and Monitoring?

MBAM 1.0 objectives:
• Simplify provisioning and deployment
• Provide reporting (e.g. compliance and audit)
• Reduce costs (e.g. simplified recovery)

“We can use MBAM v1.0 to get greater value from BitLocker. We can ensure that BitLocker is enabled and that we are compliant with corporate encryption mandates without taxing our employees or IT staff.” – Bob Johnson, Director of IT, BT U.S. and Canada

MBAM 2.0 improves on the 1.0 functionality and adds additional focus on:
• Improving compliance and security
• Integrating with existing systems (e.g. SCCM)
• Reducing costs (e.g. self service, simplified deployment)

MBAM 2.0 improvements

Configuration Manager Integration
• Compliance reporting integrated into the CM environment
• Hardware compatibility and targeting via CM collections
• Offload MBAM client reporting workload to the CM client

Windows 8 Support
• Windows 8 Enterprise support
• Non-TPM / Windows To Go support
• BitLocker pre-provisioning support

Self Service
• Information Worker able to retrieve Recovery Key via Portal
• Recovery Keys protected with access control
• Auditing of all Recovery Key access

Customer Feedback
• More pre-requisite flexibility (TDE, SPNs, SQL Server)
• Improved encryption flow and smarter compliance calculation
• Improved scalability and performance

• Server configurations recommended for 1.0 ranged from a single server to five servers; performance and scalability improvements allow simpler configurations
• Improved performance: a 2-box setup with the recommended specs can support a 200k+ environment without issues. MSIT is using that configuration for all of Microsoft
• SQL Standard support: TDE is not a requirement anymore, so SQL Standard can be used
• Improved VSS Writer: the new implementation supports backups without impacting availability

One Box (standalone and CM) topology, for lab testing only:

  Hardware component   Minimum requirement   Recommended requirement
  Processor            2.33 GHz              2.33 GHz or greater
  RAM                  4 GB                  8 GB
  Free disk space      5 GB                  5 GB or greater

2-server standalone topology, to support at least 200,000 clients:

  Web server
  Hardware component   Minimum requirement   Recommended requirement
  Processor            2.33 GHz              2.33 GHz or greater
  RAM                  8 GB                  12 GB
  Free disk space      1 GB                  2 GB

  SQL Server
  Hardware component   Minimum requirement   Recommended requirement
  Processor            2.33 GHz              2.33 GHz or greater
  RAM                  8 GB                  12 GB
  Free disk space      5 GB                  5 GB or greater

3-server CM integrated topology, to support at least 200,000 clients:

  Web server
  Hardware component   Minimum requirement   Recommended requirement
  Processor            2.33 GHz              2.33 GHz or greater
  RAM                  4 GB                  8 GB
  Free disk space      1 GB                  2 GB

  SQL Server
  Hardware component   Minimum requirement   Recommended requirement
  Processor            2.33 GHz              2.33 GHz or greater
  RAM                  4 GB                  8 GB
  Free disk space      5 GB                  5 GB or greater

Two deployment modes available

Stand Alone mode
• Similar to the MBAM v1 model – the SQL Server database contains databases for Recovery Keys and Audit/Compliance

Configuration Manager Integrated mode
• Compliance DB and Reporting are integrated into the CM infrastructure
• Compliance information is reported via the CM Agent/DCM
• Agent distribution is facilitated via an out-of-the-box collection
• Key Recovery and Audit DB remain in SQL, similar to Stand Alone

MBAM 1.0 (RTM, R1 and Hotfix) to 2.0

• Stand Alone to Stand Alone
• Stand Alone to Configuration Manager mode
• The upgrade process keeps Recovery Keys intact
• Compliance data is kept in the existing MBAM 1.0 database but is not ported to CM

Update servers
• Uninstall server bits and keep databases
• Install new server bits pointing to the existing databases
• For CM mode this includes importing the MOF file and verifying that the agent collection meets your environment

Deploy new agent
• For CM mode this includes deploying DCM
• Compliance will use 2.0 logic

Update group policy
• Choose protectors and related options using the MBAM templates
• Define server locations, intervals and exemption policy

• Key Recovery during upgrade
• Compliance information
• New functionality might impact end users:
  • Compliance calculation
  • Encryption flow
  • Windows 8 non-TPM machines

Support for end-to-end encryption (client -> database)

Before Deployment / During Deployment / Post Deployment

Standard users can:
• Encrypt computers
• Change PIN
• Change passwords

Control Panel applet: PINs and Passwords

Consider hiding the original BitLocker Control Panel to make it difficult to:
• Decrypt devices
• Suspend encryption

Enhanced Compliance and Security MBAM prevents reuse of BitLocker recovery keys

• Recovery keys are marked for reset after they’re exposed
• The client periodically checks to see if a key reset is required
• Recovery keys are reset after the client obtains network connectivity
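The single-use recovery key model above (expose a key during recovery, escrow a fresh one, retire the exposed one) can be reproduced on a client with the built-in BitLocker cmdlets. The script below is an added example written for this page and is not MBAM's own client code; it assumes an elevated PowerShell session on a BitLocker-protected Windows client, uses the hypothetical parameter $MountPoint, and substitutes Backup-BitLockerKeyProtector (escrow to AD DS, if group policy allows it) for the escrow MBAM performs against its own Recovery database.

```powershell
# Added example (not part of the MBAM product or this deck): rotate the BitLocker
# recovery password on one volume so that a recovery key disclosed during a
# recovery cannot be reused. Run elevated on a BitLocker-protected client.
param([string]$MountPoint = 'C:')   # assumed parameter, defaults to the OS volume

function Get-RecoveryPasswordProtector {
    param([string]$MountPoint)
    # Only the numerical-password protectors are "recovery keys" in the MBAM sense.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
}

function Invoke-RecoveryKeyRotation {
    param([string]$MountPoint)

    $exposed = @(Get-RecoveryPasswordProtector -MountPoint $MountPoint)
    if ($exposed.Count -eq 0) {
        Write-Warning "No recovery password protector on $MountPoint; nothing to rotate."
        return
    }

    # 1. Add the replacement first, so the volume is never left without a recovery protector.
    $volume = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $fresh  = $volume.KeyProtector | Where-Object {
        $_.KeyProtectorType -eq 'RecoveryPassword' -and
        $exposed.KeyProtectorId -notcontains $_.KeyProtectorId
    }

    # 2. Escrow the new key BEFORE retiring the old one. MBAM's client escrows to the
    #    Recovery DB; this example escrows to AD DS instead (assumption, needs the
    #    "Store BitLocker recovery information in AD DS" policy). If escrow fails, keep
    #    both protectors rather than risk a volume whose only recovery key is unknown.
    try {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $fresh.KeyProtectorId | Out-Null
    } catch {
        Write-Warning "Escrow of new protector $($fresh.KeyProtectorId) failed: $_. Exposed key NOT removed."
        return
    }

    # 3. Retire every previously exposed recovery password.
    foreach ($p in $exposed) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 4. Return an audit-friendly summary (who ran it, when, which ids changed); the
    #    recovery password itself is deliberately not echoed to the console or logs.
    [pscustomobject]@{
        MountPoint   = $MountPoint
        RotatedAt    = (Get-Date).ToString('o')
        RotatedBy    = "$env:USERDOMAIN\$env:USERNAME"
        RetiredIds   = $exposed.KeyProtectorId
        NewId        = $fresh.KeyProtectorId
    }
}

Invoke-RecoveryKeyRotation -MountPoint $MountPoint
```

The ordering (add, escrow, then remove) is the part worth copying: removing the exposed protector before the replacement is safely stored is how a rotation turns into a lockout. A scheduled task running this after each help-desk recovery approximates the "client periodically checks whether a reset is required" behaviour described above, without the MBAM server side.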

Need to know the last known state of a lost computer?

Need to know how effective your rollout is, or how compliant your company is?

When have recovery keys been accessed, and by whom?