With the many improvements to BitLocker in Windows 8, Microsoft further lowers the bar of using BitLocker. For centralized administration and monitoring, Microsoft released the Microsoft BitLocker Administration and Monitoring (MBAM) tool. With Windows 8, Microsoft will release version 2.0 of the tool.
Microsoft BitLocker Administration and Monitoring is part of the Microsoft Desktop Optimization Pack and will be shipped with Windows 8 version 2.0. It is currently only available as a beta. You must have a running Software Assurance subscription to use Microsoft Desktop Optimization Pack.
The tool is a client/server application. Its main purpose is to ease BitLocker deployment and management by providing a Self-Service Portal for key recovery, with reporting capabilities. Some additional features are included with version 2.0 and Windows 8. As I don’t give an in-depth description of the tool, you might want to refresh your memory about version 1.0 by reading this article about Microsoft BitLocker Administration and Monitoring.
One of BitLocker’s new features is the support of hardware encryption. If BitLocker supports the hard disk with encryption hardware, the encryption task is handled by the hard disk’s hardware and not by the host’s CPU. Although BitLocker moves the workload to the hard disk, it can still be managed centrally by the Microsoft BitLocker Administration and Monitoring tool.
One major improvement of the new version is the Self-Service Portal. The days when your service desk had to support your users when one of their BitLocker-secured drives needed recovery are over. Users can simply request their recovery key by visiting the Self-Service Portal. The portal guides them through the whole recovery process and should make support from the service desk obsolete. This will help to reduce the maintenance costs of using BitLocker.
Version 2.0 of BitLocker Administration and Monitoring improves compliance in three ways. First, it can prohibit the use of weak PINs. Second, it prevents devices from deviating from a desired state. Previously, this could happen when the user or administrator suspended the protection or postponed the encryption process. Now, the encryption process will automatically restart after a reboot if it was turned off by a user or an administrator. Last, but not least, BitLocker Administration and Monitoring now supports devices configured in the FIPS compliant mode.
You can easily select which features of BitLocker Administration and Monitoring are installed on a server
Another improvement of version 2.0 is that it is fully integrated in System Center Configuration Manager 2007 R3 and 2012. For this purpose, a new Configuration Pack installs three new items: Desired Configuration Management (DCM) Components (Configuration Items and a Baseline), a collection, and reports.
The DCM installs two configuration items and a baseline. These components are used to gather details necessary for BitLocker from deployed computers. The collection checks if the client’s OS is supported—if on a physical computer (virtual machines are not supported)—and whether a TMP module is available. With this information, it creates a list of BitLocker-compatible computers, which are the basis for compliance reporting. Four different compliance reports are included: BitLocker Computer Compliance, BitLocker Enterprise Compliance Dashboard, BitLocker Enterprise Compliance Details, and BitLocker Enterprise Compliance Summary.
To use Microsoft BitLocker Administration and Monitoring, your clients must run Windows 7 Enterprise and Ultimate or the Release Preview of Windows 8. The server component requires at least a Windows 2008 R2 Server and a MSSQL Server 2008 R2.
This post is based on the beta of Microsoft BitLocker Administration and Monitoring. You can download it from this Connect site.