1. And InTune
Olav Tvedt
Chief Consultant
MVP – Software Packaging, Deployment & Servicing (SPD&S)
Twitter: @olavtwitt – Blog: http://olavtvedt.blogspot.com

4. Advanced Group Policy Management (AGPM)
Enhancing group policy through change management
Versioning, history, and rollback of Group Policy
changes
Enables Group Policy change management
Role-based administration and templates
Reduces risk of widespread failure
Flexible delegation model
“We have increased control of Group Policy
Objects (GPOs) and cut downtime previously
linked to improperly configured GPOs.”
Simon Boxall
Active Directory Infrastructure Engineer,
London Borough of Camden
Provides granular administrative control
“Advanced Group Policy Management has been
like a magic bullet for us. Its automated change
management and workflow-enabled delegation
capabilities are impressive. I wouldn't be able to
manage GPOs without it.”
Michael Wilcox
Forsyth
County
MIS Client Services Supervisor
Forsyth County

5. Architecture
Server Component
AGPM Server
XML File of Backups of
backups
GPO 1
Backups of
GPO 2
Domain Controller
GPO 1
Direct Link
GPO 2
Direct Link
Admin Component
Administrative
Desktop

6. Delegation - Roles
Full
Control
Approver
Editor
Reviewer
Define granular control without making everyone a Domain Admin

7. 7

9. What is Microsoft BitLocker Administration
and Monitoring (MBAM)?
MBAM builds on the BitLocker data protection offering in Windows 7 & 8 by
providing IT professionals with an enterprise-grade solution for BitLocker
provisioning, monitoring, and key recovery.
GOALS ARE:
1
Simplify provisioning
and deployment
2
Provide reporting
(e.g.: compliance &
audit)
3
Reduce support costs
(e.g.: improved
recovery)

10. MBAM Client
Encrypt volumes BEFORE a user receives the computer
o Works with Windows 7 deployment tools (MDT/SCCM)
o Client can:
– Manage TPM reboot process
– Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
– Recovery key escrow can be bypassed and then escrowed when user first logs on
o Best Practice
Encrypt volumes AFTER a user receives a computer
o
o
o
o
Client is provides a Policy Driven Experience
Client will manage TPM reboot process
Standard or Admin users can encrypt
Only use when unencrypted machines appear on the network

11. MBAM Policy Settings
A superset of BitLocker policies
New MBAM Policies
o Policy for Fixed Disk Volume Auto-unlock
o Hardware capability check before
encryption
o Allow user to request an exemption
o Interval client verifies policy compliance
(default = 90 min)
Policy location:
o Computer Configuration > Administrative
Templates > Windows Components >
MDOP MBAM (BitLocker Management)

12. Hardware Capability Management
Some older computers may not properly support TPM
To ensure those computers aren’t encrypted, a feature is included that can be used to
define which computers are BitLocker capable
How you turn it on:
o
o
Group Policy setting so client checks before encryption starts
From Central Console, define computers that are capable or not
HOW IT WORKS:
1
2
3
4
As new computers are
identified in the org, they
are added to a central HW
list
Website allows IT pros to
move computers from
unknown to a capable or
not-capable state
When this feature is ON,
only computers that are
‘capable’ will be
encrypted
Before MBAM starts
encryption, it verifies the
computer is capable
(make/model)

13. Compliance and Reporting
Need to know the
last known state of a
lost computer?
Need to know how effective
your rollout is, or how
compliant your company is?
Who and when keys have
been accessed and when
new hardware has been
added?
MBAM agent collects and passes data to reporting server
o All clients pass this up, encrypted or not
o IT can clarify WHY a computer is not compliant
Built on SQL Server® Reporting Services (SSRS), it gives you
flexibility to add your own reports

14. Central Storage of Recovery Key
Recovery Key(s) are Escrowed
o
o
o
o
Operating System Volume
Fixed Data Volumes
Removable Data Volumes
Stored outside of Microsoft Active Directory®
3-Tier Architecture
o DB encrypted with SQL Server’s Transparent
Data Encryption
o Web Service API to build org-specific solutions
o All logging and authorization are done at web service layer to ensure
parity for custom apps

15. Helpdesk Key Recovery UI
MBAM provides a web page for helpdesk
functionality
o Provide BitLocker Recovery Key for authorized users
o Provide TPM unlock package for authorized users
o All requests (successful or not) are logged:
who, when, which volume
Role based authorization model to
get recovery info
o Tier 1: Helpdesk needs to have
person/key match
o Tier 2: Key ID is sufficient (limited role)
Create your own custom page
leveraging web service layer

16. Single Use Recovery Keys
Once a BitLocker Recovery key has been exposed , the
client will create a new one
o As part of regular client/server communication, client checks to
see if Recovery Key has been exposed
o MBAM client will create new one
o Transparent to user
Recovery Keys are created once a volume is unlocked

17. Client Experience

18. What is Microsoft BitLocker Administration and Monitoring?
MBAM 1.0 objectives:
MBAM 2.0 improved 1.0 functionality and adds additional focus on:

19. MBAM 2.0 Release Pillars

20. MBAM 2.0 – Two Deployment Options
Stand alone mode
Similar to v1 model: SQL Database contains Recovery Keys
and Audit/Compliance
Configuration manager integrated mode
Compliance data and Reports are integrated to Config Manager
MBAM Agent distribution is facilitated via out of the box collection
Key Recovery and Audit data remain in SQL Server as in Stand Alone

21. Server Improvements

22. Supported Software
Stand Alone Mode
Server OS:
Configuration
Manager Mode
Windows Server 2008 SP2 Standard/Enterprise/Datacenter
System Center Configuration Manager:
Windows Server 2008 R2 SP1 Standard/Enterprise/Datacenter
Configuration Manager 2007 w/SP2
Windows Server 2012 Standard/Enterprise/Datacenter
Configuration Manager 2012 w/SP1
Client OS:
Windows 7 Ultimate, Enterprise w/SP1 (x86/x64 )
Windows 8 Enterprise (x86/x64 )
Windows 8 Windows to Go
SQL Server:
SQL 2008 R2 Standard edition or greater w/SP1
SQL 2012 Standard edition or greater RTM / SP1

23. Hardware Configurations

26. Microsoft Application Virtualization (App-V)
Dynamically streaming software as a centrally managed service
Streams applications to users
Centralizes permissions
Eliminates application installation
Isolates applications
Provides real-time metering
Readily accessible applications
Accelerate Windows deployment
Reduced application conflict
Minimize regression testing
Leverage existing Management systems
“By using App-V, we’’ll be
able to shrink the entire
application deployment
timeframe – from request
through delivery – by more
than 80 percent, from 30
days to just five days.”
Stephen Dula
IT Staff Engineer
Qualcomm

28. Microsoft Diagnostics & Recovery Toolset
DaRT offers 14 powerful tools to accelerate
desktop repair on site and remotely
Recover unbootable PC
Access deleted files, manipulate services, reset passwords,
and more
Detect and remove malware while the PC is offline
Accelerate TCO savings by minimizing recovery time
Recover instead of reloading Windows
Make PCs safer to use
“This toolset enables us to
restore clients instantly
without rebuilding them saving up to six hours per
instance.”
David Smith
Technical Support Center,
UMC Health System

29. Microsoft Diagnostics & Recovery Toolset
Customer scenarios
Customer wants to donate PCs to charity and needs to
make sure data is wiped off hard disks
DaRT Disk Wipe tool
Customer has malware on system and real-time scanning
doesn’t work
DaRT Standalone System Sweeper
Customer needs to troubleshoot and repair unbootable PCs
DaRT Crash Analyzer and DaRT tools
Customer uses Windows BitLocker® encryption and needs
access to encrypted drive on unbootable PC
DaRT tools
Customer needs to reset local passwords on servers
DaRT Locksmith
Customer needs to troubleshoot and repair servers
in datacenter
DaRT Crash Analyzer and DaRT tools
Customer needs to locate a file that was deleted from the
hard drive
DaRT File Restore
Customer needs to access a file on unbootable /
unrepairable PC
DaRT File Explorer

31. WinRE Management Commands

32. 3
4

35. 3
7