Showing posts with label MBAM. Show all posts

Tuesday, 12 June 2012

MBAM 2.0 plus other MDOP updates

The Redmond machine really is in high gear at the moment as lots of other products and solutions start to receive tweaks and new features, mainly in preparation for Windows 8 and Server 2012.

One set of tools getting some love is the Microsoft Desktop Optimization Pack (MDOP).

Microsoft had previously announced that MDOP was gaining a new component called UE-V, which along with App-V makes MDOP a desirable solution for any environment looking to have a fantastic dynamic desktop. Today MS announced that MBAM will also be getting some new features.

Microsoft BitLocker Administration and Monitoring (MBAM) will be updated to include new options such as:
  • Used Space Only Encryption, where only the part of the drive containing data is encrypted instead of the full disk, to save time
  • Integration with hardware encrypted hard disks
  • Complex PIN enforcement
  • Self Service Key Recovery (I would prefer to see some SCSM integration here)
  • Management of fully FIPS compliant configurations/designs
  • Some SC 2012 Configuration Manager integration for reporting
Microsoft have also promised another update to UE-V very soon but so far during my tests I've seen no issues other than some poor documentation around its setup/configuration (hint... watch out for Offline Files or rather the lack of...)

App-V 5 is in Beta with new features such as shared cache which is amazing for VDI infrastructure.

Advanced Group Policy Management (AGPM) 4.0 SP1 beta is also available with mainly bug fixes and Windows 8/Server 2012 support rather than new features.

DaRT is also getting an update, again mainly to support Windows 8.

Thursday, 4 August 2011

Microsoft BitLocker Administration and Monitoring (MBAM)

On the 1st of August, Microsoft officially released the MDOP 2011 R2 suite.

As well as the usual App-V, Med-V, DaRT, etc. updates, this R2 release also sees MBAM join the suite.

For those of you unfamiliar with MBAM, it builds on BitLocker Drive Encryption by offering an enterprise solution for provisioning, monitoring, and supporting BitLocker.

By using MBAM, you can centrally provision BitLocker and enforce BitLocker policies across the organization.
Provisioning BitLocker by using MBAM is a two-step process:
  1. Deploy the MBAM client to each computer (SCCM would be the preferred option here)
  2. Configure policy settings that MBAM enforces.
The client enforces MBAM policy settings, stores recovery key data in an encrypted MBAM database, and reports its compliance status to MBAM.
In addition to walking the user through the encryption process, it can also prompt the user for a PIN, if required, addressing an aspect of BitLocker deployment that has challenged IT.
The most obvious way MBAM can simplify BitLocker support is by streamlining drive recovery for the Service Desk.  The picture below shows the Drive Recovery webpage in MBAM. If a user calls the Service Desk because they are in BitLocker recovery mode, the Service Desk doesn’t look up the drive’s recovery key in AD DS. Instead, the Service Desk uses MBAM to quickly look up the recovery key based on its ID.
MBAM also introduces single-use recovery keys. When the Service Desk retrieves and uses a recovery key, the MBAM client automatically generates a new recovery key for the computer. The original recovery key can’t be used again to recover the computer’s hard drive.
This is vitally important as users are known for jotting down things like the recovery key and keeping it near their device in case they ever need it again. The hard drive might as well be unencrypted.
Single-use recovery keys help prevent unauthorized users from gaining access to the hard drive even if they get access to a previously used recovery key.
While MBAM does a great job of helping you provision BitLocker, one of the areas it shines the most in is compliance reporting. The reports it includes can help you quickly determine the status of the entire organization or a single computer. They can also help you monitor access to the MBAM databases.
Imagine that a user loses their laptop computer, and it contains confidential data. With MBAM, you can quickly look up the computer to determine whether it was compliant with BitLocker policy. You will know immediately whether the loss represents any risk.
MBAM provides the following reports in the MBAM management console:
  • Enterprise Compliance Report. This report can tell you at a glance the BitLocker compliance status of your entire organization. 
  • Computer Compliance Report. This report indicates whether a specific computer or a specific user’s computers are compliant with BitLocker policy.
  • Recovery Audit Report. This report indicates who has accessed recovery key information, successfully or not.
  • Hardware Audit Report. This report indicates who has changed the hardware compatibility list and when the MBAM client discovers new hardware. When you enable hardware compatibility checking, the MBAM client uses the hardware compatibility list to determine whether each computer model supports BitLocker.
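
As an added example (not from the original post and not MBAM's own code), the script below shows how an exported Recovery Audit Report could be triaged with the single-use recovery key behaviour in mind. The CSV column names, account names and rows are constructed assumptions, not MBAM's report schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions, not MBAM's schema.
SAMPLE_AUDIT = """time,requester,computer,key_id,result
2011-08-04T09:02:00,amy,LT-0141,A1B2C3D4,Success
2011-08-04T09:40:00,bob,LT-0207,0F0E0D0C,Failed
2011-08-04T09:41:00,bob,LT-0208,11223344,Failed
2011-08-04T09:43:00,bob,LT-0209,55667788,Failed
2011-08-04T10:15:00,amy,LT-0333,99AABBCC,Success
2011-08-06T16:30:00,carl,LT-0141,A1B2C3D4,Success
"""

def load(text):
    """Parse the export and return its rows in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(rows, key=lambda r: r["time"])

def reused_keys(rows):
    """Key IDs released more than once; a key that was used should have been replaced."""
    first, reused = {}, []
    for r in rows:
        if r["result"] == "Success":
            if r["key_id"] in first:
                reused.append((r["key_id"], r["computer"], first[r["key_id"]], r["requester"]))
            first.setdefault(r["key_id"], r["requester"])
    return reused

def failure_bursts(rows, limit=3, window=timedelta(minutes=10)):
    """Requesters with `limit` or more failed lookups inside one time window."""
    fails = defaultdict(list)
    for r in rows:
        if r["result"] == "Failed":
            fails[r["requester"]].append(r["time"])
    flagged = set()
    for who, times in fails.items():
        for i in range(len(times) - limit + 1):
            if times[i + limit - 1] - times[i] <= window:
                flagged.add(who)
    return sorted(flagged)

if __name__ == "__main__":
    rows = load(SAMPLE_AUDIT)
    print("Key IDs released more than once:", reused_keys(rows))
    print("Requesters with failure bursts:", failure_bursts(rows))
```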


Two useful videos to watch on MBAM: