MBAM beta 2.0

This has been a highly anticipated release; Microsoft showed off some of the capabilities at TechEd (I wasn't there, just following the Twitter storm).
Today Microsoft released beta 2.0 and it is publicly available: http://windowsteamblog.com/windows/b/springboard/archive/2012/06/12/introducing-microsoft-bitlocker-administration-2-0-beta.aspx
In order to download the beta you have to register on connect.microsoft.com: https://connect.microsoft.com/MDOPTAP

What is MBAM?
Microsoft BitLocker Administration and Monitoring, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance, enhances BitLocker by simplifying deployment and key recovery, centralizing provisioning, monitoring and reporting of encryption status for fixed and removable drives, and minimizing support costs.

What's new?
* Integration of System Center Configuration Manager with MBAM (ConfigMgr 2007 and 2012). "I wish they could integrate the Help desk solution in the Configuration Manager console." The integration adds:
      – Desired Configuration Management (DCM) components (configuration items and a baseline)
      – A collection
      – Reports

* Self-service Portal
Users can now retrieve their own recovery keys through the Self-Service Portal instead of calling the helpdesk.

* Support for Windows 8 Release Preview

If you want to test this release, the following requirements need to be in place.

ASP.NET MVC 2 (can be downloaded from http://go.microsoft.com/fwlink/?LinkID=248423)

Platform Support

The following platforms have been tested for this beta release.

Windows Server:
– 2008 R2: Datacenter, Enterprise, Standard, Web Server

SQL Server:
– 2008 R2 SP1 CU6: Datacenter, Enterprise

ConfigMgr:
– 2007 R3
– 2012

MBAM client operating system:
– Windows 7 SP1: Ultimate, Enterprise
– Windows 8 Release Preview

Note: Since I didn't have the correct SQL Server installed, I bypassed the installer's requirement by not adding the reports or the database. So I also lose the ability to view the reports and store data. But I just want to give you a quick overview of what this release has to offer in general. And since this is a virtual environment I don't have the ability to activate BitLocker, since I don't have a TPM.

First off, MBAM is split into two parts: a client and a server.
The server consists of the following roles:

* Recovery Database
* Audit Database
* Audit Reports
* Self-Service server
* Administration and Monitoring server
* Policy Template (you will find the ADMX and ADML files in C:\Windows\PolicyDefinitions after installation)

Since we want to integrate MBAM with ConfigMgr, we need to make some changes to configuration.mof and import a new sms_def.mof file into ConfigMgr so that hardware inventory picks up the MBAM classes.
You need to download the MBAM Beta 2.0 ConfigMgr Scenarios documentation; the MOF content you need is in the appendix of that document.

1. Browse to the MOF file location on the ConfigMgr server (<CMInstallLocation>\Inboxes\clifiles.src\hinv). On a default installation, the installation location is %systemdrive%\Program Files (x86)\Microsoft Configuration Manager.

2. Edit the configuration.mof file:

a. Append the MBAM classes (the section found in the appendix).

i. Create a text file called sms_def.mof and populate it with the sms_def.mof MBAM classes found in the appendix. Import that file as follows:

1. Open the ConfigMgr 2012 Configuration Manager Console.

2. Select the Administration tab.

3. Select Client Settings.

4. Right-click Default Client Settings and select Properties.

5. In the Default Settings window, select Hardware Inventory.

6. Click the Set Classes... button.

7. Click the Import button and select your .mof file in the browser that opens.

8. Click Open. An Import Summary window should open.

9. Make sure that the option to import both hardware inventory classes and class settings is selected, and then click Import.

10. Click OK on both the Hardware Inventory Classes window and the Default Settings window.

ii. Enable the Win32_Tpm class:

1. Open the ConfigMgr 2012 Configuration Manager Console.

2. Select the Administration tab.

3. Select Client Settings.

4. Right-click Default Client Settings and select Properties.

5. In the Default Settings window, select Hardware Inventory.

6. Click the Set Classes... button.

7. In the main window, scroll down and select the TPM (Win32_Tpm) class.

8. Ensure that the SpecVersion property under TPM is selected.

9. Click OK on both the Hardware Inventory Classes window and the Default Settings window.

You can also see the new inventory classes that come from MBAM.


After these steps are done, we can continue with the installation.

Click Start.

Accept the license terms and click Next.

Choose stand-alone or System Center integration, and click Next.
Now we need to choose the features we want. In my case I needed to remove all the database-related features to make it install, since I didn't meet the SQL requirements.

Click Next.

Choose a certificate for encrypted communications (if you have an internal PKI). In my case I didn't, so I chose "Do not encrypt".
Remember though that the traffic between clients and the server carries recovery keys and TPM data, which is highly sensitive, so for production environments use a certificate and an HTTPS endpoint.
Click Next. If all the prerequisites are met, the setup will install.

When installation is finished you will get this screen; just click Close.

First we check that the IIS setup is finished. Open a web browser and point it to http://localhost:<port>/Helpdesk
Log in, and this window should appear.

This is the Helpdesk portal that comes with MBAM. Here you can do a drive recovery, view reports or manage the TPM.

Now open the ConfigMgr console and let's check that everything the installer created is in place.
Go to Assets and Compliance –> Device Collections.
You should see a new collection there called MBAM Supported Computers.

Let's take a look at the query that builds this collection.

This collection excludes virtual machines (since they have no TPM), so our test machine will never appear in it. The inventory data it relies on, including the Win32_Tpm class enabled above, only arrives after a hardware inventory cycle, so do not expect physical machines to show up immediately either.
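The following is an added example, not code from the original post, that reads the same Win32_Tpm data the hardware inventory step above collects. Run it elevated on a client before troubleshooting why a machine is missing from the MBAM collection: a VM without a TPM (like the author's test machine) reports TpmPresent = False and nothing else. The "Ready" flag is this script's own definition (TPM enabled and activated), not a property MBAM reports.

```powershell
# Added example: local view of the TPM state that ConfigMgr hardware inventory
# collects once the Win32_Tpm class (with SpecVersion) is enabled.
# Requires an elevated prompt; the TPM WMI provider denies access otherwise.

function Get-MbamTpmReadiness {
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    $result = @{
        ComputerName = $cs.Name
        Model        = $cs.Model       # VM models (e.g. "Virtual Machine") have no TPM
        TpmPresent   = [bool]$tpm
        SpecVersion  = $null           # the property the post says to inventory
        Enabled      = $false
        Activated    = $false
        Owned        = $false
        Ready        = $false
    }

    if ($tpm) {
        $result.SpecVersion = $tpm.SpecVersion
        # Win32_Tpm exposes state through methods with out-parameters,
        # which PowerShell surfaces as properties of the return object.
        $result.Enabled   = $tpm.IsEnabled().IsEnabled
        $result.Activated = $tpm.IsActivated().IsActivated
        $result.Owned     = $tpm.IsOwned().IsOwned
        # "Ready" is this script's own definition: a TPM+PIN protector needs the
        # TPM enabled and activated; BitLocker takes ownership when encryption
        # starts, so ownership is reported for information only.
        $result.Ready = [bool]($result.Enabled -and $result.Activated)
    }

    New-Object PSObject -Property $result |
        Select-Object ComputerName, Model, TpmPresent, SpecVersion, Enabled, Activated, Owned, Ready
}

Get-MbamTpmReadiness | Format-List
```

If TpmPresent is True but Enabled or Activated is False, the TPM has to be turned on in the firmware before the MBAM client can encrypt with TPM+PIN, and the machine will sit in the collection without ever becoming compliant.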
We can also check under Compliance Settings and see that the configuration items and the baseline are there.


We can also see that the reports from MBAM are installed.


Now that MBAM with ConfigMgr integration is in place, we can continue with the rest of the setup.
The next thing we need before we deploy the clients is the Group Policy settings. As I wrote earlier, the ADMX and ADML files are located in C:\Windows\PolicyDefinitions on the MBAM server. Copy these over to the central policy store (the PolicyDefinitions folder under SYSVOL\<domain>\Policies).

These two files are the ones you need (plus the matching .adml files for the two, located in the en-US folder).
Then open the Group Policy Management Console.

From the Group Policy Management Editor, create a Group Policy Object and
expand Administrative Templates –> Windows Components –> MDOP MBAM (BitLocker Management).
Under Client Management, enable Configure MBAM services and:
· Enter the MBAM Recovery and Hardware service endpoint. The URL format is
http://<hostname>/MBAMRecoveryAndHardwareService/CoreService.svc

This policy points the client at the right server. (If you have integrated with ConfigMgr you don't need to enter a reporting URL, since ConfigMgr takes care of the inventory.) If you installed the server with a certificate, use https:// here; this endpoint is where the client escrows recovery keys, so it should not be plain HTTP in production.


Now that this is done, we can install the clients.
Just run the MSI file; the client installs itself silently and you get no confirmation screen. The only visible sign that it installed correctly is a new Control Panel item called
Microsoft BitLocker Administration and Monitoring.
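Since the installer gives no feedback, the following added example (not from the original post) installs the client unattended and then performs the checks the Control Panel item does not: that the agent service is running, that the Configure MBAM services policy from the previous section actually applied, and that the endpoint it names is reachable. The MSI path, the service name MBAMAgent and the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement are assumptions made for this example; verify them against your own install.

```powershell
# Added example: unattended MBAM client install plus post-install verification.
# Assumed: MSI path, service name 'MBAMAgent', and the policy registry values
# written by the MBAM ADMX (KeyRecoveryServiceEndPoint). Run elevated.

$msi = 'C:\Temp\MbamClientSetup.msi'    # assumed location of the client MSI
$log = 'C:\Temp\MbamClientSetup.log'

# 1. Silent install with a verbose log; 3010 means "success, reboot required".
$proc = Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$msi`" /qn /norestart /L*v `"$log`"" -Wait -PassThru
if ((0, 3010) -notcontains $proc.ExitCode) {
    throw "msiexec returned $($proc.ExitCode); see $log"
}

# 2. The client runs as a Windows service; if it is missing or stopped there
#    will be no status reports and no key escrow, yet nothing on screen says so.
$svc = Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue    # assumed name
if (-not $svc -or $svc.Status -ne 'Running') {
    Write-Warning 'MBAM agent service is not running'
}

# 3. Confirm the GPO applied. The ADMX writes the endpoint under the FVE policy
#    key (value name assumed); an empty value means the GPO has not reached
#    this machine yet.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$endpoint  = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).KeyRecoveryServiceEndPoint
if (-not $endpoint) {
    Write-Warning 'No MBAM service endpoint in policy; run gpupdate /force and check the GPO link'
} elseif ($endpoint -notmatch '^https://') {
    # Recovery keys cross this endpoint; plain HTTP is only acceptable in a lab.
    Write-Warning "Endpoint $endpoint is not HTTPS; recovery keys would travel in clear text"
}

# 4. Reachability. Any HTTP answer (even 401 from Windows authentication)
#    proves DNS, routing and IIS are fine; a connection failure points at the server.
if ($endpoint) {
    $req = [System.Net.WebRequest]::Create($endpoint)
    $req.UseDefaultCredentials = $true
    try {
        $resp = $req.GetResponse()
        Write-Host "Endpoint reachable: HTTP $([int]$resp.StatusCode)"
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            Write-Host "Endpoint reachable, server answered HTTP $([int]$_.Exception.Response.StatusCode)"
        } else {
            Write-Warning "Endpoint not reachable: $($_.Exception.Message)"
        }
    }
}
```

The HTTPS check is the one worth keeping in production: an MBAM deployment that was set up with "Do not encrypt" looks identical from the Control Panel, and this is the only place the choice is visible on the client.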


If you wish to enforce operating system drive encryption (TPM + PIN) and fixed drive encryption (with a password), you can do this in the same policy:

* Enable Choose drive encryption method and cipher strength. Select either AES 128-bit or AES 256-bit. Do not select either of the "with Diffuser" choices, as they are not supported on Windows 8 Release Preview.
* Under Operating System Drive, enable Operating System drive encryption settings and select TPM and PIN as the protector.
* Under Fixed Drive, enable Fixed data drive encryption settings and select Auto-Unlock.
* Under Fixed Drive, enable Configure use of passwords for fixed data drives with Require password for fixed data drive, Allow password complexity and a minimum password length of 8.
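The policy above describes the state every client should end up in; the following added example (not from the original post) audits a client's BitLocker volumes against it using the Win32_EncryptableVolume WMI class that BitLocker exposes on Windows 7 and Windows 8. The encryption-method and protector-type numbers are the documented values of that class; the findings and the fixed-drive detection via Win32_LogicalDisk are this script's own. On a VM without a TPM, like the author's, it simply reports every volume as unencrypted.

```powershell
# Added example: compare each BitLocker volume with the MBAM policy above
# (AES without Diffuser, TPM+PIN on the OS drive, a password on fixed drives,
# and a recovery password for MBAM to escrow). Run elevated.

$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# Documented value maps for Win32_EncryptableVolume.
$methods        = @{ 0='None'; 1='AES128_Diffuser'; 2='AES256_Diffuser'; 3='AES128'; 4='AES256' }
$protectorTypes = @{ 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TpmPin';
                     5='TpmStartupKey'; 6='TpmPinStartupKey'; 7='PublicKey'; 8='Passphrase' }

function Get-BitLockerPolicyAudit {
    $osDrive = $env:SystemDrive    # e.g. C:

    foreach ($vol in Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume) {
        $letter = $vol.DriveLetter
        if (-not $letter) { continue }    # volumes without a letter are out of scope here

        $method = $methods[[int]$vol.GetEncryptionMethod().EncryptionMethod]
        $status = $vol.GetProtectionStatus().ProtectionStatus    # 0 off, 1 on, 2 unknown

        # GetKeyProtectors(0) lists every protector ID; resolve each ID to its type.
        $types = @()
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $types += $protectorTypes[[int]$vol.GetKeyProtectorType($id).KeyProtectorType]
        }

        # Fixed vs removable: DriveType 3 is a local (fixed) disk.
        $disk    = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$letter'"
        $isFixed = ($disk -and $disk.DriveType -eq 3)

        $findings = @()
        if ($method -eq 'None')          { $findings += 'not encrypted' }
        if ($method -like '*Diffuser')   { $findings += 'Diffuser cipher (unsupported on Windows 8 RP)' }
        if ($status -ne 1)               { $findings += 'protection not on' }
        if ($letter -eq $osDrive) {
            if ($types -notcontains 'TpmPin')     { $findings += 'OS drive lacks TPM+PIN protector' }
        } elseif ($isFixed) {
            if ($types -notcontains 'Passphrase') { $findings += 'fixed drive lacks password protector' }
        }
        # The 48-digit recovery password is what MBAM escrows and the helpdesk hands out.
        if ($types -notcontains 'NumericalPassword') { $findings += 'no recovery password to escrow' }

        $summary = 'OK'
        if ($findings.Count -gt 0) { $summary = $findings -join '; ' }

        New-Object PSObject -Property @{
            Drive      = $letter
            Method     = $method
            Protectors = ($types -join ',')
            Findings   = $summary
        }
    }
}

Get-BitLockerPolicyAudit | Format-Table Drive, Method, Protectors, Findings -AutoSize
```

Running this on a few pilot machines before trusting the MBAM compliance reports is a cheap way to confirm that the policy, the client and the reports agree; a drive that shows "OK" here but non-compliant in the report points at an inventory or service-endpoint problem rather than at BitLocker.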

So I haven't tried the previous version of MBAM, but I can see the benefit of using this product.
With the Helpdesk and Self-Service solutions, and the integration with ConfigMgr, I can see this becoming a beneficial product.

I only wish that they would integrate the Helpdesk solution as a view in the ConfigMgr console, so we would have one console to rule them all!
