MBAM 2.0 SP1 and Bitlocker
In this latest episode of The Device Pros, Frank and Alfred come to grips with Microsoft BitLocker Administration and Monitoring (MBAM), the administration layer for managing an enterprise fleet that uses Microsoft BitLocker.
BitLocker Drive Encryption is a data protection feature that Microsoft introduced as an integrated full-disk encryption product with Windows Vista, and each subsequent Windows release has shipped an updated BitLocker built into the OS. Having BitLocker integrated with the operating system addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 (Windows 8 also supports TPM 2.0). The TPM is a hardware component that manufacturers install in many newer computers. It works with BitLocker to help protect user data and to verify that the early boot components have not been modified while the system was offline: the TPM measures the boot chain into its platform configuration registers and only releases the volume key when those measurements match the values sealed at the time BitLocker was enabled.
On computers that do not have a TPM version 1.2, you can still use BitLocker to encrypt the Windows operating system drive, but only if the "Require additional authentication at startup" Group Policy setting is enabled with "Allow BitLocker without a compatible TPM" checked. This configuration requires the user to insert a USB startup key to start the computer or resume from hibernation, and it does not provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device, such as a USB flash drive, that contains a startup key. With a TPM alone the operating system drive unlocks automatically at boot, so anyone who can power on the machine reaches the Windows logon screen and the running OS; with TPM+PIN or TPM+startup key the TPM will not release the volume key until the correct factor is presented, so the computer will not start or resume from hibernation without it. These additional measures turn BitLocker startup into multifactor authentication.
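The following script is an added example, not code from the podcast or from Microsoft's MBAM documentation. It shows how the choice described above plays out on a client: query the TPM through WMI, pick TPM+PIN if a usable TPM is present, fall back to a startup key only when the "Allow BitLocker without a compatible TPM" policy permits it, always add a recovery password, then start encryption and check status. It uses manage-bde rather than the BitLocker cmdlets so it runs on Windows 7 as well as Windows 8; run it from an elevated Windows PowerShell prompt. The volume letter, the startup-key drive letter and the registry value names are assumptions (the FVE policy values are what the Group Policy setting writes, but verify them on your own build).

```powershell
# Added example: choose a BitLocker startup authenticator based on TPM availability.
# Assumptions: C: is the OS volume, E: is a removable drive for a startup key.
$Volume = 'C:'
$StartupKeyPath = 'E:\'   # assumption: must be removable media

function Get-TpmState {
    # Win32_Tpm exposes the discrete TPM. SpecVersion begins with "1.2" on TPM 1.2 parts.
    # Get-WmiObject is used because this targets Windows PowerShell on Windows 7/8.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    [pscustomobject]@{
        SpecVersion = $tpm.SpecVersion
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled
        Activated   = [bool]$tpm.IsActivated().IsActivated
        Owned       = [bool]$tpm.IsOwned().IsOwned
    }
}

function Test-NoTpmPolicy {
    # "Require additional authentication at startup" with "Allow BitLocker without a
    # compatible TPM" is written as UseAdvancedStartup=1 and EnableBDEWithNoTPM=1
    # under the FVE policy key. Read-only check; nothing is changed here.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    return [bool]($fve -and $fve.UseAdvancedStartup -eq 1 -and $fve.EnableBDEWithNoTPM -eq 1)
}

$tpm = Get-TpmState
if ($tpm -and $tpm.Enabled -and $tpm.Activated) {
    # Preferred: TPM + PIN. manage-bde prompts interactively for the PIN, so it never
    # lands in a script or a log. Pre-boot integrity measurement stays in effect.
    Write-Host "TPM $($tpm.SpecVersion) present and active: adding TPM+PIN protector"
    & manage-bde -protectors -add $Volume -TPMAndPIN
}
elseif (Test-NoTpmPolicy) {
    # No usable TPM: the only startup authenticator is a key file on removable media.
    # Note this gives no pre-startup integrity verification of the boot chain.
    Write-Host "No usable TPM: adding startup key on $StartupKeyPath"
    & manage-bde -protectors -add $Volume -StartupKey $StartupKeyPath
}
else {
    throw "No usable TPM and policy does not allow BitLocker without a TPM; fix the policy before enabling BitLocker."
}

# Always add a recovery password so the volume can be unlocked when the TPM, PIN or key
# is unavailable. manage-bde prints the 48-digit password; MBAM escrows it centrally,
# so do not capture this console output into a log file.
& manage-bde -protectors -add $Volume -RecoveryPassword

# Start encryption. With a TPM protector Windows schedules a hardware test on the next
# restart to confirm the TPM/PIN path works before committing to encryption.
& manage-bde -on $Volume

# Verify: "Protection Status" and "Key Protectors" should list what was added above.
& manage-bde -status $Volume
```

If the protector step fails with an error about the TPM not being ready, initialise and take ownership of the TPM first (the TPM Management console or manage-bde -tpm -TurnOn on Windows 7); the script deliberately does not do that, since ownership changes are a separate, one-time operation.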
Microsoft BitLocker Administration and Monitoring 2.0 – from the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance – takes BitLocker to the next level by simplifying deployment and key recovery, centralizing compliance monitoring and reporting, and minimizing the costs associated with provisioning and supporting encrypted drives within your organization. Some of the key benefits of MBAM are:
Simplified BitLocker Deployment: Microsoft BitLocker Administration and Monitoring lets you choose the deployment scenario that makes the most sense for your business. You can provision BitLocker as part of your Windows 7, Windows 8, or Windows To Go deployment, or you can configure BitLocker encryption to be provisioned after the operating system is installed. Using the additional Group Policy controls in MBAM, it is easier for IT to provision BitLocker in a way that meets your business needs. The MBAM client checks these policies periodically and, if a device is detected as non-compliant, helps put it back into the desired state.
Increased compliance: With out-of-box reports you can get a better view of your compliance status, enabling you to easily determine if lost or stolen devices were encrypted. IT staff can also create custom compliance reports using built-in SQL Server Reporting Services tools to show them just the information that they need to see. MBAM also provides you the ability to store BitLocker recovery keys in an encrypted database with granular access controls and creates an audit trail of who has accessed recovery key information, keeping this information protected and only accessible to the right people in the organization.
Reduce support costs: By making it easier for end users to quickly support themselves, MBAM reduces costs by minimizing the burden on IT and support staff. Using the Self Service and Helpdesk recovery portals, users and authorized help-desk staff will find it easy to handle recovery scenarios if they run into issues. Also, by automating pre-BitLocker setup steps and making it easy for end users to perform basic tasks such as starting the encryption process and managing their BitLocker PIN, your IT staff has more time to help drive your business forward. MBAM's integration with System Center Configuration Manager also helps reduce costs by enabling you to deploy MBAM within the infrastructure that you have already deployed.