Coming in Windows 8: New Encryption Tool, BitLocker Administration and Monitoring 2.0

Stephen L Rose writes on the Windows Team Blog:

We’re just a couple days into TechEd North America in Orlando and already there’s a tremendous amount of excitement in the air, particularly around new information that we’re sharing about the enterprise capabilities of Windows 8. A few months ago, Erwin started the conversation around what Windows 8 means for businesses at CeBIT in Hannover, Germany, and followed up later with a post on Windows 8 enterprise edition. Last week, he began talking about the business value of Windows 8 Release Preview and today followed up with more details in his “How Windows 8 Will Work for Your Business” post. In this post, Erwin discusses the great things that enterprises are already doing with the Windows 8 Consumer and Release Previews, as well as a series of updates to the Microsoft Desktop Optimization Pack (MDOP) suite.

MDOP helps IT Pros manage Windows features, virtualize applications and user experience, as well as restore productivity after a system issue. One of the biggest MDOP updates discussed at TechEd is to Microsoft BitLocker Administration and Monitoring (MBAM) 2.0, with the beta launching today. For this blog post, I’m going to do a deep dive into some of MBAM’s key features.

When MBAM 1.0 was released late last summer, our goal was to address the top three pain points customers experienced when attempting to manage and support BitLocker and BitLocker To Go on Windows 7. Customers asked us to simplify the provisioning process, provide compliance reporting and overall, help reduce the costs of supporting users with encrypted devices.

MBAM 1.0 was successful at addressing these top pain points, but as customers began using 1.0 we received some great feedback on how to make it even better. This feedback led us to examine the following priorities for MBAM 2.0:

Reduce overall customer costs by:

  • Empowering end users to support themselves with a self-service recovery portal
  • Taking advantage of Windows 8 functionality to reduce the time it takes to provision encryption to devices
  • Helping customers maintain compliance with improved enforcement capabilities
  • Integrating MBAM with the tools that customers are already using

Reducing costs by creating self-service and faster provisioning tools

In MBAM 1.0, we helped reduce the costs of managing an encrypted environment by simplifying the process of provisioning BitLocker to devices, while also making it easier for IT help desks to assist users when they ran into trouble with an encrypted device. And with those scenarios addressed in 1.0, we asked ourselves: where could we further reduce costs? There were two big areas that we knew could greatly impact our customers in our next version of MBAM.

First, Windows 8 will help MBAM realize even greater results by reducing the time that it takes to provision BitLocker to devices. On traditional storage disks, BitLocker and MBAM can perform Used Disk Space Only Encryption, which means that rather than encrypting the entire disk, just the portions of the disk that contain data on them will be encrypted. This can reduce the time that it takes to provision encryption to a new device by many times.

However, we found that even with Used Disk Space Only Encryption, provisioning BitLocker can still take quite a bit of time. Windows 8 devices that are equipped with a new type of disk drive called an Encrypted Hard Drive can be provisioned with BitLocker protection within seconds, regardless of the disk size. In this case, BitLocker offloads all of the encryption tasks to specialized hardware on the disk drive, while BitLocker will perform all of the key management functions. Essentially, Encrypted Hard Drives are effectively already encrypted from the moment they are turned on.

Another area where we can help drive down costs is with BitLocker recovery scenarios. Currently, when a user loses their PIN and goes into recovery mode, organizations have their users call the IT help desk to assist with the recovery process. With MBAM 2.0, we’re empowering the user to help themselves by equipping them with a self-service recovery portal that will walk them through the process. Here at Microsoft, we experience thousands of calls per year for recovery assistance and when you combine the cost of the call, plus the cost of lost productivity, we’re talking about a very large expense. With MBAM 2.0, we can help customers eliminate most of that burden.

Better maintaining and enforcing compliance

MBAM 1.0 helped organizations improve encryption policy compliance by providing them with two primary capabilities. First, we made it easier to encrypt new devices as part of the PC provisioning process. Second, we made it possible to encrypt PCs that were previously delivered to users in an unencrypted state. These capabilities were effective in driving increased compliance, but limited in their ability to maintain, force or prevent devices from drifting from the desired state.

To address this, in MBAM 2.0 we’re including the ability to automatically enforce encryption compliance for cases where users perpetually postpone encryption or when administrators decrypt or suspend protection. MBAM 2.0 will automatically bring the devices back to the desired state. Additionally, to protect machines during the pre-boot authentication process, we’re adding complex PIN support to address situations where users attempt to set a weak PIN. Common PIN sequences like 1111, 1234, and others like them can’t be used.
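The kind of weak-PIN screening described above, written as an added illustration rather than MBAM’s or BitLocker’s actual rule set: it rejects the 1111 and 1234 patterns the post names, plus descending runs and repeated short blocks, under assumed policy values (a 4-digit minimum, at least 3 distinct digits) that an administrator would tune.

```python
from typing import List

# Assumed illustrative policy values; BitLocker lets admins set the minimum
# startup PIN length between 4 and 20 digits, 4 is used here so that the
# post's examples (1111, 1234) fail on pattern grounds, not on length.
MIN_PIN_LENGTH = 4
MIN_DISTINCT_DIGITS = 3


def _is_sequential(pin: str) -> bool:
    """True when every adjacent pair of digits moves by the same +1 or -1 step (1234, 9876)."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def _is_repeated_block(pin: str) -> bool:
    """True when the PIN is one short block of digits repeated (1111, 1212, 123123)."""
    for size in range(1, len(pin) // 2 + 1):
        if len(pin) % size == 0 and pin[:size] * (len(pin) // size) == pin:
            return True
    return False


def weak_pin_reasons(pin: str) -> List[str]:
    """Return every policy rule a candidate pre-boot PIN violates; an empty list means acceptable."""
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    reasons = []
    if len(pin) < MIN_PIN_LENGTH:
        reasons.append(f"shorter than {MIN_PIN_LENGTH} digits")
    if _is_repeated_block(pin):
        reasons.append("repeats a single block of digits (e.g. 1111, 1212)")
    if _is_sequential(pin):
        reasons.append("ascending or descending digit run (e.g. 1234, 9876)")
    if len(set(pin)) < MIN_DISTINCT_DIGITS:
        reasons.append(f"fewer than {MIN_DISTINCT_DIGITS} distinct digits")
    return reasons


def is_acceptable_pin(pin: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not weak_pin_reasons(pin)


if __name__ == "__main__":
    # Constructed candidates: the post's two examples plus a few variants.
    for candidate in ("1111", "1234", "9876", "1212", "123", "48273"):
        print(candidate, "->", weak_pin_reasons(candidate) or "acceptable")
```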

We also heard that more and more organizations are adopting the Federal Information Processing Standard (FIPS) standard. This standard was supported with Windows 7 and BitLocker, but MBAM couldn’t manage machines using this configuration. MBAM 2.0 brings management support to devices configured in FIPS compliant mode.

Integrating with existing management infrastructure

Our strategy for MBAM 1.0 was to deliver a product that could scale to the largest size organizations, require the least amount of infrastructure, and could be run in any organization. The latter requirement consequently meant that MBAM could not take a dependency on System Center Configuration Manager (SCCM), so management tasks – like compliance reporting of BitLocker protected devices – would need to occur in another console.

Our customers understood the rationale behind this strategy, but also expressed an expectation that SCCM integration should be on the product roadmap. In MBAM 2.0, we deliver on that expectation and have enabled MBAM management experiences, such as compliance reporting and hardware management, within the SCCM management console.

All of the additions mentioned above represent a significant set of improvements for MBAM and we’re really excited to deliver them to customers. We look forward to hearing your feedback on the beta and encourage you to download MBAM 2.0 from the MBAM site on Connect.

In addition to all the MBAM updates, there are some other announcements that I want to mention: the beta for Microsoft Advanced Group Policy Management (AGPM) and the release candidate (RC) for the Diagnostics and Recovery Toolset (DaRT) are available today and can both be downloaded from the AGPM and DART sites on Connect. Also, the new beta for User Experience Virtualization (UE-V) will be available at the end of the month and all will provide new functionality specific to Windows 8 Release Preview.

Please remember that we encourage your feedback to help make these products great. We encourage you to take the time to download and evaluate them as soon as possible and look forward to hearing from you and responding to your feedback on Connect. And for more information on MDOP, please visit www.microsoft.com/mdop.