1. TechReady 16
5/22/2018
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. TechReady 16
5/22/2018
WCA-B209
What's new with Windows 8 BitLocker and Microsoft BitLocker Administration and Monitoring 2.0
Lance Crandall
Microsoft
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3. Session Objectives And Takeaways
Tech Ready 15
5/22/2018
Session Objectives And Takeaways
Session Objective(s):
Overview the top feature additions to BitLocker in Windows 8
Describe MBAM 2.0’s features that will reduce TCO and improve compliance and enforcement
Educate you on how to deploy MBAM 2.0 in a variety configurations
Go through new features that impact the end user experience
BitLocker in Windows 8 is easier to provision and manage
MBAM 2.0 solves key pain points in BitLocker and MBAM 1.0
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4. Agenda BitLocker Improvements in Windows 8
TechReady 16
5/22/2018
Agenda
BitLocker Improvements in Windows 8
MBAM 2.0 Investment Areas and Key New Features
MBAM 2.0 Stand Alone and Config Manager Modes
MBAM 2.0 End User Experience
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5. April 8, 2014

6. Why Are Customers Moving To BitLocker?
TechReady 16
5/22/2018
Why Are Customers Moving To BitLocker?
Cost Savings
Simplicity
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. BitLocker Improvements in Windows 8
TechReady 16
5/22/2018
BitLocker Improvements in Windows 8
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8. Provisioning Enhancements
TechReady 16
5/22/2018
Provisioning Enhancements
Provisioning is the top pain point for encrypting devices:
Provisioning is challenging regardless of vendor
TPM provisioning is complex for IT and end users
Encryption take too much time
Solutions in Windows 8 make BitLocker the best choice:
Auto Provisioning solves most TPM related provisioning issues
Instant on BitLocker protection with Encrypted Hard Drive
Fast encryption on traditional storage devices with Used Disk Space Only Encryption
Encrypt new devices in parallel with imaging rather than after
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9. Improved Experience & Security
TechReady 16
5/22/2018
Improved Experience & Security
Improving the IT and End-user Experience on Windows 8
Eliminating the need for Pre-Boot Authentication (Connected Standby devices)
Fewer support issues on Windows 8 Certified devices
Device Encryption automatically provisioned from factory on Windows RT devices
Users and IT no longer involved in the complexity of TPM provisioning process
Improved Security with Windows BitLocker
Improved anti-hammering for Windows sign-in on BitLocker protected devices
Automatic resume of BitLocker protection when device is left in suspended mode
Use EAS to enforce BitLocker protection in non-domain joined and BYOD
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10. Improved Enterprise Readiness
TechReady 16
5/22/2018
Improved Enterprise Readiness
Support for Server and Server Class Storage Scenarios
Storage Area Networks (SAN) Support
Windows Server Cluster Support
Multi-factor authentication works in unattended scenarios
Network protector leverages WDS for 2nd factor
Enables 2nd factor authentication in Server scenarios
Simplifies patching process on unattended devices
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11. MBAM 2.0 Investment Areas and Features
TechReady 16
5/22/2018
MBAM 2.0 Investment Areas and Features
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

12. What is Microsoft BitLocker Administration and Monitoring?
MBAM 1.0 objectives:
Simplify provisioning and deployment
Provide reporting (e.g.: compliance & audit)
Reduce costs
(e.g.: Simplified Recovery)
“We can use MBAM v1.0 to get greater value from BitLocker. We can ensure that BitLocker is enabled and that we are compliant with corporate encryption mandates without taxing our employees or IT staff.”
Bob Johnson Director of IT, BT U.S. and Canada
MBAM 2.0 improved 1.0 functionality and adds additional focus on:
Improving compliance and security
Integrating with existing systems (e.g.: SCCM)
Reducing costs
(e.g.: Self Service, Simplified Deployment)

13. Configuration Manager Integration
TechReady 16
5/22/2018
MBAM 2.0 Release Pillars
Configuration Manager Integration
Windows 8 Support
Self Service
Customer Feedback
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14. MBAM 2.0 – Two Deployment Options
TechReady 16
5/22/2018
MBAM 2.0 – Two Deployment Options
Stand alone mode
Similar to v1 model: SQL Database contains Recovery Keys and Audit/Compliance
Configuration manager integrated mode
Compliance data and reports are integrated with Config Manager
MBAM Agent distribution is facilitated via out of the box collection
Key Recovery and Audit data remain in SQL Server as in Stand Alone
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15. Server Improvements 2 / 3 box set up recommended
TechReady 16
5/22/2018
Server Improvements
Performance and Scalability
2 / 3 box set up recommended
Deployment Flexibility
TDE is not a requirement anymore SPNs can be set outside of Setup
Improved Availability
New VSSWriter implementation
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

16. Supported Software Stand Alone Mode Configuration Mode
TechReady 16
5/22/2018
Supported Software
Stand Alone Mode
Configuration Mode
Server OS (x64):
Windows Server 2008 SP2 Standard/Enterprise/Datacenter
Windows Server 2008 R2 SP1 Standard/Enterprise/Datacenter
Windows Server 2012 Standard/Enterprise/Datacenter
System Center Configuration Manager:
Configuration Manager 2007 w/SP2 (x64 OS and SQL)
Configuration Manager 2012 w/SP1
Client OS:
Windows 7 Ultimate, Enterprise w/SP1 (x86/x64 )
Windows 8 Enterprise (x86/x64 )
Windows 8 Windows to Go
SQL Server (x64):
SQL 2008 R2 Standard edition or greater w/SP1
SQL 2012 Standard edition or greater RTM / SP1
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17. Hardware Configurations
TechReady13
5/22/2018
Hardware Configurations
One Box (standalone and CM) topology for Lab Testing only:
Hardware Component
Minimum Requirement
Recommended Requirement
Processor
2.33 GHz
2.33 GHz or greater
RAM
4 GB
8 GB
Free disk space
5 GB
5 GB or greater
2-server standalone topology to support at least 200,000 clients:
Web server:  SQL Server:
Hardware Component
Minimum Requirement
Recommended Requirement
Processor
2.33 GHz
2.33 GHz or greater
RAM
8 GB
12 GB
Free disk space
1 GB
2 GB
Hardware Component
Minimum Requirement
Recommended Requirement
Processor
2.33 GHz
2.33 GHz or greater
RAM
8 GB
12 GB
Free disk space
5 GB
5 GB or greater
3-server CM integrated topology to support at least 200,000 clients:
Web server: SQL Server:
Hardware Component
Minimum Requirement
Recommended Requirement
Processor
2.33 GHz
2.33 GHz or greater
RAM
4 GB
8 GB
Free disk space
1 GB
2 GB
Hardware Component
Minimum Requirement
Recommended Requirement
Processor
2.33 GHz
2.33 GHz or greater
RAM
4 GB
8 GB
Free disk space
5 GB
5 GB or greater
© 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18. Standalone Architecture
Active Directory Domain Services & Group Policy Infrastructure
Portals
Web Services
SQL
Database
Compliance Reports
HelpDesk Portal
Admin
Web Service
Reporting Web Site
Self-service Portal
Self-service Web Service
Recovery
Audit & Compliance
GPO
Recovery
Web Service
MBAM Client
and BitLocker
Reporting Web Service
SSRS
Portals
Web Services
SQL Database
Compliance Reports
Client Computer

19. Demo MBAM 2.0 in Stand Alone Mode Green Field Deployment TechReady 16
5/22/2018
Demo
MBAM 2.0 in Stand Alone Mode Green Field Deployment
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20. Configuration Manager Integrated Architecture
Active Directory Domain Services & Group Policy Infrastructure
GPO
Recovery
Web Service
Web Services
Audit & Compliance
SQL Database
HelpDesk Portal
Client Computer
Self-service Portal
Portals
Self-service Web Service
MBAM Client
and BitLocker
Admin
Configuration Manager
Management Console
ConfigMgr
Database
Compliance
SSRS
ConfigMgr Agent

21. Demo MBAM 2.0 in Config Manager Mode Green Field Deployment
TechReady 16
5/22/2018
Demo
MBAM 2.0 in Config Manager Mode Green Field Deployment
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

22. Upgrading MBAM 1.0 to 2.0 MBAM 1.0 (RTM, R1 and Hotfix) to 2.0
TechReady 16
5/22/2018
Upgrading MBAM 1.0 to 2.0
MBAM 1.0 (RTM, R1 and Hotfix) to 2.0
Uninstall existing version and re-install MBAM 2.0 pointing to existing databases
Stand Alone to Stand Alone
Upgrade process works without any data loss
Recovery keys and Compliance information kept throughout process
Stand Alone to Configuration Manager Mode
Upgrade process keeps Recovery Keys intact
Compliance data is kept in existing MBAM 1.0 database but not ported to CM
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. TechReady 16
5/22/2018
MBAM 1.0 to 2.0 – Upgrade Flow
Update Servers
Uninstall server bits and keep databases
Install new server pointing to existing databases
For CM import MOF and verify agent collection
Update group policy
Choose protectors using MBAM templates
Define server locations, intervals and exemption policy
Deploy new Agent
For CM deploy DCM
Compliance will use 2.0 logic
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

24. Upgrade Considerations
TechReady 16
5/22/2018
Upgrade Considerations
Key Recovery during Upgrade
Databases should be available throughout process
Front end access (Helpdesk Portal or Self Service Portal) is main concern
Compliance information
Compliance history is maintained in Stand Alone to Stand Alone
CM Mode deployments might take a while to populate compliance information
New functionality might impact end users
Deploy lab environment and make sure to test new policy options
Compliance calculation is different – may prompt after upgrade to become compliant
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

25. MBAM 2.0 End User Experience What to expect
TechReady 16
5/22/2018
MBAM 2.0 End User Experience What to expect
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

26. MBAM Agent Overview MBAM Agent MBAM Control Panel
TechReady 16
5/22/2018
MBAM Agent Overview
MBAM Agent
Enforces Policy and ensures key escrow and compliance reporting
No action is taken until group policy is deployed
Silent install follows Configuration Manager Agent model
MBAM Control Panel
Complements Bitlocker Control Panel (non-Admin scenarios)
Bitlocker UI is managed independently
Enhancements to Bitlocker
Agent complements Bitlocker pre-provisioning
Bitlocker suspended mode is resumed after reboot
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

27. End User Experience Compliance Flexibility Encryption Flow
TechReady 16
5/22/2018
End User Experience
Compliance Flexibility
MBAM Agent enforces ‘minimum bar’
End-users can add protectors if policy allows
WMI component allows easy debug experience
Encryption Flow
Improvements to Agent UI decrease end-user resistance to encryption
Volumes are handled one at a time
Windows to Go Support
Support for Password protector similar to FDD counterpart
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

28. Demo MBAM Agent and compliance TechReady 16 5/22/2018
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

29. In Review: Session Objectives And Takeaways
Tech Ready 15
5/22/2018
In Review: Session Objectives And Takeaways
Session Objective(s):
Overview the top feature additions to BitLocker in Windows 8
Describe MBAM 2.0’s features that will reduce TCO and improve compliance and enforcement
Educate you on how to deploy MBAM 2.0 in a variety configurations
Go through new features that impact the end user experience
BitLocker in Windows 8 is easier to provision and manage
MBAM 2.0 solves key pain points in BitLocker and MBAM 1.0
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

30. Related content Breakout Sessions (session codes and titles) MDC-B343
5/22/2018 6:17 AM
Related content
Breakout Sessions (session codes and titles)
MDC-B343
Top 5 Server Application Deployment and Servicing Problems Addressed by Server App-V and System Center 2012 SP1 - Virtual Machine Manager
Tuesday 13:30 -14:45
WCA-B203
Microsoft Application Virtualization 5.0 and Microsoft Office: Better Together
Tuesday 16:45-18:00
WCA-B208
Microsoft Application Virtualization 5.0 Migration and Co-Existence with 4.6
Tuesday 13:15-14:30
WCA-B206
The Replaceable PC
Wednesday 10:15-11:30
WCA-B319
Implementing Microsoft Application Virtualization 5.0: Lessons Learned from a Production Rollout
WCA-B209
What's New with Windows 8 BitLocker and Microsoft BitLocker Administration and Management (MBAM) 2.0
Wednesday 13:30-14:45
WCA-B325
Making PC Recovery Easier with the Microsoft Diagnostics and Recovery Toolset (DaRT)
Thursday 15:15-16:30
WCA-B359
Microsoft User Experience Virtualization (UE-V): How to Manage and Deploy UE-V across an Enterprise
Thursday 10:15-11:30
WCA-B324
Integrating the New Microsoft Application Virtualization 5.0 with other Virtualization Solutions
Friday 10:15-11:30
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

31. Resources Learning TechNet msdn http://channel9.msdn.com/Events/TechEd
5/22/2018 6:17 AM
Resources
Learning
Sessions on Demand
Microsoft Certification & Training Resources
TechNet
msdn
Resources for IT Professionals
Resources for Developers
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

32. Evaluate this session Scan this QR code to evaluate this session.
5/22/2018 6:17 AM
Required Slide
*delete this box when your slide is finalized
Your MS Tag will be inserted here during the final scrub.
Evaluate this session
Scan this QR code to
evaluate this session.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

33. 5/22/2018 6:17 AM
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

34. TechReady 16
5/22/2018
Appendix
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

35. MDT Deployment Steps Pre-Deployment Steps Install the MBAM agent
TechReady 16
5/22/2018
MDT Deployment Steps
Pre-Deployment Steps
Enable TPM in the BIOS
Run the Enable BitLocker (Offline) step
Install the OS
Join the domain
Import the registry key template from: “c:\Program Files\Microsoft\MDOP\MBAM\MBAMDeploymentKeyTemplate.reg”, edited with your information
Add NoStartupDelay key
Install the MBAM agent
Key will be escrowed and TPM protector will be enabled
Post-Deployment Steps
Remove MBAM reg keys
Stop the MBAM client
Start MBAM Client
GPO applies and user prompted for PIN if applicable
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

36. MDT Deployment Steps – Existing OS
TechReady 16
5/22/2018
MDT Deployment Steps – Existing OS
Pre-Deployment Steps
Enable TPM in the BIOS
BdeHDCfg.exe –target default –quiet
Join the domain
Import the registry key template from: “c:\Program Files\Microsoft\MDOP\MBAM\MBAMDeploymentKeyTemplate.reg”, edited with your information
Set NoStartupDelay reg key
Install the MBAM agent
Wait for encryption to begin and escrow the key
Post-Deployment Steps
Remove MBAM reg keys
Run GPUpdate /force to get existing MBAM GPO’s
Stop the MBAM client
Start MBAM Client
GPO applies and user prompted for PIN if applicable
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

37. Secured Communications and Data
TechReady 16
5/22/2018
Secured Communications and Data
Support for end to end encryption (client -> database)
Before Deployment
Configure SQL Database Engine’s Protocol to Force Encryption
Configure the Web Service URL for SQL Reporting Services to use SSL
Provision a Certificate to the Administration and Monitor server
During Deployment
Select “Use a certificate to encrypt the network communication”
Select the appropriate certificate
Database is automatically encrypted
Post Deployment
Backup the Certificate named “MBAM Recovery Encryption Certificate”
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

38. Enforcing Compliance Using Policy
TechReady 16
5/22/2018
Enforcing Compliance Using Policy
Compliance enforced using Group Policy
A superset of BitLocker policies
New MBAM Policies
Policy for Fixed Disk Volume Auto-unlock
Hardware capability check before encryption
Allow user to request an exemption
Interval client verifies policy compliance (default = 90 min)
Policy location:
Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

39. Options for Enforcing Compliance
TechReady 16
5/22/2018
Options for Enforcing Compliance
Enforce compliance BEFORE a user receives the computer
Works with Windows 7 and 8 deployment tools (MDT/SCCM)
Manage TPM initialization and reboot process
Support for user supplied PIN (e.g.: user provides PIN at first logon)
Recovery key escrow can be bypassed and then escrowed when user first logs on
Enforce compliance AFTER a user receives a computer
User is provided with guided Policy Driven Experience
Provides postpone capability
Automatically enforce compliance when suspended or device is not encrypted after reboot
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

40. Empowering Windows Standard Users
Standard Users Can:
Control Panel Applet:
Encrypt Computers
Change PIN
Change Passwords
PINs and Passwords
Consider hiding original BitLocker Control Panel to make it difficult to:
Decrypt devices
Suspend encryption

41. Enhanced Compliance and Security
MBAM prevents reuse of BitLocker recovery keys
Recovery keys are marked for reset after they’re exposed
Client periodically checks to see if key reset is required
Recovery keys reset after client obtains network connectivity

42. Compliance and Audit Reporting
Enterprise Compliance Report
Determine the compliance status of the entire organization
Computer Compliance Report
Determine the compliance status of an individual computer
Recovery Audit Report
Used to determine who accessed a recovery key and when
Need to know the last known state of a lost computer?
Need to know how effective your rollout is, or how compliant your company is?
Who and when recovery keys have been accessed and by whom?

43. Improved Recovery Experience Driving Down Costs
MBAM provides a recovery option alternative to Active Directory
Recovery Keys
TPM Unlock Package
Access to recovery data is audited
Self Service and Help Desk based options
Role based authorization model for Help Desk Portal
Tier 1: Helpdesk needs to have person/key match
Tier 2: Key ID is sufficient (limited role)
Create your own custom page leveraging web service layer
Systems with UEFI + Windows 8 eliminate most recovery scenarios

44. For More Information System Center 2012 Configuration Manager
us/evalcenter/hh aspx?wt.mc_id=TEC_105_1_33
Windows Intune
Windows Server 2012
Windows Server 2012 VDI and Remote Desktop Services
us/evalcenter/hh aspx?ocid=&wt.mc_id=TEC_108_1_33
desktop-infrastructure.aspx
More Resources:
microsoft.com/workstyle microsoft.com/server-cloud/user-device-management

45. Windows Track Resources
5/22/2018 6:17 AM
Windows Track Resources
Windows Enterprise: windows.com/enterprise
Windows Springboard: windows.com/ITpro
Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
Desktop Virtualization (DV): microsoft.com/dv
Windows To Go: microsoft.com/windows/wtg
Outlook.com: tryoutlook.com
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.