Share via


About MBAM 2.0 SP1

This topic describes the changes in Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1). For a general description of MBAM, see Getting Started with MBAM 2.0.

What’s new in MBAM 2.0 SP1

This version of MBAM provides the following new features and functionality.

Support for Windows 8.1, Windows Server 2012 R2, and System Center 2012 R2 Configuration Manager

Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1) adds support for Windows 8.1, Windows Server 2012 R2, and System Center 2012 R2 Configuration Manager.

Support for Microsoft SQL Server 2008 R2 SP2

Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 Service Pack 1 (SP1) adds support for Microsoft SQL Server 2008 R2 SP2. You must use Microsoft SQL Server 2008 R2 or higher if you are running Microsoft System Center Configuration Manager 2007 R2.

Customer feedback rollup

MBAM 2.0 SP1 includes a rollup of fixes to address issues that were found since the Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 release. As part of these changes, the Computer Name field now appears in the BitLocker Computer Compliance and BitLocker Enterprise Compliance Details reports when you run MBAM with Microsoft System Center Configuration Manager 2007.

Firewall exception must be set on ports for the Self-Service Portal and the Administration and Monitoring website

When you configure the Self-Service Portal and the Administration and Monitoring website, you must set a firewall exception to enable communication through the specified ports. Previously, the MBAM server installation opened the ports automatically in Windows Firewall.

Location of MBAM reports has changed in Configuration Manager

MBAM reports for the Configuration Manager integrated topology are now available under subfolders within the MBAM node. The subfolder names represent the language of the reports within the subfolder.

Ability to install MBAM on a primary site server when you install MBAM with Configuration Manager

You can install MBAM on a primary site server or a central administration site server when you install MBAM with the Configuration Manager integrated topology. Previously, you were required to install MBAM on a central administration site server.

Important The server on which you install MBAM must be the top-tier server in your hierarchy.

The MBAM installation works differently for Microsoft System Center Configuration Manager 2007 and Microsoft System Center 2012 Configuration Manager as follows:

  • Configuration Manager 2007 : If you install MBAM on a primary site server that is part of a larger Configuration Manager hierarchy and has a central site parent server, MBAM resolves the central site parent server and performs all of the installation actions on that parent server. The installation actions include checking prerequisites and installing the Configuration Manager objects and reports. For example, if you install MBAM on a primary site server that is a child of a central site parent server, MBAM installs all of the Configuration Manager objects and reports on the parent server. If you install MBAM on the parent server, MBAM performs all of the installation actions on that parent server.

  • System Center 2012 Configuration Manager : If you install MBAM on a primary site server or on a central administration server, MBAM performs all of the installation actions on that site server.

Configuration Manager Console must be installed on the computer on which you install the MBAM Server

When you install MBAM with the Configuration Manager integrated topology, you must install the Configuration Manager Console on the same computer on which MBAM will be installed. If you use the recommended architecture, which is described in Getting Started - Using MBAM with Configuration Manager, you would install MBAM on the Configuration Manager Primary Site Server.

New setup command-line parameters for the Configuration Manager integrated topology

Command-Line Parameter Description Example

CM_SSRS_REMOTE_SERVER_NAME

Enables you to install the Configuration Manager reports on a remote SQL Server Reporting Services (SSRS) server that is part of the same Configuration Manager site to which MBAM is installed. You can set the value to the fully qualified domain name of the remote SSRS point role server.

MbamSetup.exe CM_SSRS_REMOTE_SERVER_NAME=ssrsServer.Contoso.com

CM_REPORTS_ONLY

Enables you to install only the Configuration Manager reports, without other Configuration Manager objects, such as the baseline, collection, and configuration items.

Note

You must combine this parameter with the CM_REPORTS_COLLECTION_ID parameter.

Valid parameter values:

  • True

  • False

You can combine this parameter with the CM_SSRS_REMOTE_SERVER_NAME parameter if you want to install the reports only to a remote SSRS point role server.

If you do not set the parameter or if you set it to False, MBAM Setup installs all of the Configuration Manager objects, including the reports.

MbamSetup.exe CM_REPORTS_ONLY=True

CM_REPORTS_COLLECTION_ID=SMS00001

CM_REPORTS_COLLECTION_ID

An existing collection ID that identifies the collection for which reporting compliance data will be displayed. You can specify any collection ID. You are not required to use the “MBAM Supported Computers” collection ID.

MbamSetup.exe CM_REPORTS_ONLY=True

CM_REPORTS_COLLECTION_ID=SMS00001

Ability to turn Self-Service Portal notice text on or off

MBAM 2.0 SP1 enables you to turn off the notice text on the Self-Service Portal. Previously, the notice text displayed by default, and you could not turn it off.

To turn off the notice text

  1. On the server where you installed the Self-Service Portal, open Internet Information Services (IIS) and browse to Sites > Microsoft BitLocker Administration and Monitoring > SelfService > Application Settings.

  2. From the Name column, select DisplayNotice, and set the value to false.

Ability to localize the HelpdeskText statement that points users to more Self-Service Portal information

You can configure a localized version of the Self-Service Portal “HelpdeskText” statement, which tells end users how to get additional help when they are using the Self-Service Portal. If you configure localized text for the statement, as described in the following instructions, MBAM will display the localized version. If MBAM does not find the localized version, it displays the value that is in the HelpdeskText parameter.

To display a localized version of the HelpdeskText statement

  1. On the server where you installed the Self-Service Portal, open IIS and browse to Sites > Microsoft BitLocker Administration and Monitoring > SelfService > Application Settings.

  2. In the Actions pane, click Add to open the Add Application Setting dialog box.

  3. In the Name field, type HelpdeskText_<language>, where <language> is the appropriate language code for the text. For example, to create a localized HelpdeskText statement in Spanish, you would name the parameter HelpdeskText_es-es. For a list of the valid language codes that you can use, see National Language Support (NLS) API Reference.

  4. In the Value field, type the localized text that you want to display to end users.

Ability to localize the Self-Service Portal HelpdeskURL

You can configure a localized version of the Self-Service Portal HelpdeskURL to display to end users by default. If you create a localized version, as described in the following instructions, MBAM finds and displays the localized version. If MBAM does not find a localized version, it displays the URL that is configured for the HelpDeskURL parameter.

To display a localized HelpdeskURL

  1. On the server where you installed the Self-Service Portal, open IIS and browse to Sites > Microsoft BitLocker Administration and Monitoring > SelfService > Application Settings.

  2. In the Actions pane, click Add to open the Add Application Setting dialog box.

  3. In the Name field, type HelpdeskURL_<language>, where <language> is the appropriate language code for the URL. For example, to create a localized HelpdeskURL in Spanish, you would name the parameter HelpdeskURL_es-es. For a list of the valid language codes you can use, see National Language Support (NLS) API Reference.

  4. In the Value field, type the localized HelpdeskURL that you want to display to end users.

Ability to localize the Self-Service Portal notice text

You can configure localized notice text to display to end users by default in the Self-Service Portal. The notice.txt file, which displays the notice text, is located in the following root directory:

<MBAM Self-Service Install Directory>\Self Service Website\

To display localized notice text, you create a localized notice.txt file and save it under a specific language folder in the following directory:

<MBAM Self-Service Install Directory>\Self Service Website\

MBAM displays the notice text, based on the following rules:

  • If you create a localized notice.txt file in the appropriate language folder, MBAM displays the localized notice text.

  • If MBAM does not find a localized version of the notice.txt file, it displays the text in the default notice.txt file.

  • If MBAM does not find a default notice.txt file, it displays the default text in the Self-Service Portal.

Note If an end user’s browser is set to a language that does not have a corresponding language subfolder or notice.txt, the text that is in the notice.txt file in the following root directory is displayed:

<MBAM Self-Service Install Directory>\Self Service Website\

To create a localized notice.txt file

  1. On the server where you installed the Self-Service Portal, create a <language> folder in the following directory, where <language> represents the name of the localized language:

    <MBAM Self-Service Install Directory>\Self Service Website\

    Note Some language folders already exist, so you may not have to create one. If you do need to create a language folder, see National Language Support (NLS) API Reference for a list of the valid names that you can use for the <language> folder.

  2. Create a notice.txt file that contains the localized notice text.

  3. Save the notice.txt file in the <language> folder. For example, to create a localized notice.txt file in Spanish, you would save the localized notice.txt file in the following folder:

    <MBAM Self-Service Install Directory>\Self Service Website\es-es

Upgrading to MBAM 2.0 SP1

You can upgrade to MBAM 2.0 SP1 from any previous version of MBAM.

Upgrading the MBAM infrastructure

You can upgrade the MBAM Server infrastructure to MBAM 2.0 SP1 as follows:

Manual in-place server replacement: You must manually uninstall the existing MBAM Server infrastructure, and then install the MBAM 2.0 SP1 Server infrastructure. You do not have to remove the databases to do the upgrade. Instead, you select the existing databases, which the previous version of MBAM created. The MBAM 2.0 SP1 upgrade installation then migrates the existing databases to MBAM 2.0 SP1.

Distributed client upgrade: If you are using the Stand-alone MBAM topology, you can upgrade the MBAM Clients gradually after you install the MBAM 2.0 SP1 Server infrastructure.

After you upgrade the MBAM Server infrastructure, MBAM 1.0 or 2.0 Clients will report to the MBAM 2.0 SP1 Server successfully and will store the recovery data, but compliance will be based on the policies available for the MBAM Client version that is currently installed. To enable reporting against MBAM 2.0 SP1 policies, you must upgrade client computers to MBAM 2.0 SP1. You can upgrade the client computers to the MBAM 2.0 SP1 Client without uninstalling the previous Client, and the Client will start to apply and report, based on the MBAM 2.0 SP1 policies.

For more information about upgrading the MBAM servers, see Upgrading from Previous Versions of MBAM.

Upgrading the MBAM Client to MBAM 2.0 SP1

To upgrade end-user computers to the MBAM 2.0 SP1 Client, run MbamClientSetup.exe on each client computer. The installer automatically updates the Client to the MBAM 2.0 SP1 Client. After the installation, client computers do not have to be rebooted, and the MBAM 2.0 SP1 Client starts to apply and report against MBAM 2.0 SP1 policies.

If you are using MBAM with Configuration Manager, you must upgrade the MBAM client computers to MBAM 2.0 SP1.

For more information about upgrading the MBAM client computers, see Upgrading from Previous Versions of MBAM.

Installing or upgrading to MBAM 2.0 SP1 with Configuration Manager

This section describes the requirements when you are installing MBAM 2.0 SP1 as a new installation or as an upgrade to a previous MBAM 2.0 SP1 installation.

Required files for installing MBAM 2.0 SP1 if you are using MBAM with Configuration Manager

If you are installing MBAM for the first time and you are using MBAM 2.0 SP1 with System Center Configuration Manager, you must create or edit mof files to enable MBAM to work correctly with Configuration Manager.

  • configuration.mof file

    • If you are using Configuration Manager 2007, you must edit the configuration.mof file by completing step 3 from the item Update the configuration.mof file if you upgrade to MBAM 2.0 SP1 and you are using MBAM with Configuration Manager 2007, which follows this item.

    • If you are using System Center 2012 Configuration Manager, edit the configuration.mof file by following the instructions in Edit the Configuration.mof File.

  • sms_def.mof file – follow the instructions in Create or Edit the Sms_def.mof File.

Update the configuration.mof file if you upgrade to MBAM 2.0 SP1 and you are using MBAM with Configuration Manager 2007

If you are upgrading to MBAM 2.0 SP1 and you are using MBAM with Configuration Manager 2007, you must update the configuration.mof file to ensure that MBAM 2.0 SP1 works correctly.

To update the configuration.mof file:

  1. On the Configuration Manager Server, browse to the location of the Configuration.mof file:

    <CMInstallLocation>\Inboxes\clifiles.src\hinv\

    On a default installation, the installation location is %systemdrive%\Program Files (x86)\Microsoft Configuration Manager.

  2. Review the block of code that you appended to the configuration.mof file, and delete it. The block of code will be similar to the one shown in the following step.

  3. Copy the following block of code, and then append it to the configuration.mof file to add the following required MBAM classes to the file:

    //===================================================
    // Microsoft BitLocker Administration and Monitoring
    //===================================================
    
    # pragma namespace ("\\\\.\\root\\cimv2")
    # pragma deleteclass("Win32_BitLockerEncryptionDetails", NOFAIL)
    
    [Union, ViewSources{"select DeviceId, BitlockerPersistentVolumeId, BitLockerManagementPersistentVolumeId, BitLockerManagementVolumeType, DriveLetter, Compliant, ReasonsForNonCompliance, KeyProtectorTypes, EncryptionMethod, ConversionStatus, ProtectionStatus, IsAutoUnlockEnabled from Mbam_Volume"}, ViewSpaces{"\\\\.\\root\\microsoft\\mbam"}, dynamic, Provider("MS_VIEW_INSTANCE_PROVIDER")]
    class Win32_BitLockerEncryptionDetails
    {
        [PropertySources{"DeviceId"},key]
        String     DeviceId;
        [PropertySources{"BitlockerPersistentVolumeId"}]
        String     BitlockerPersistentVolumeId;
        [PropertySources{"BitLockerManagementPersistentVolumeId"}]
        String     MbamPersistentVolumeId;
        //UNKNOWN = 0, OS_Volume = 1, FIXED_VOLUME = 2, REMOVABLE_VOLUME = 3
        [PropertySources{"BitLockerManagementVolumeType"}]
        SInt32     MbamVolumeType;
        [PropertySources{"DriveLetter"}]
        String     DriveLetter;
        //VOLUME_NOT_COMPLIANT = 0, VOLUME_COMPLIANT = 1, NOT_APPLICABLE = 2
        [PropertySources{"Compliant"}]
        SInt32     Compliant;
        [PropertySources{"ReasonsForNonCompliance"}]
        SInt32     ReasonsForNonCompliance[];
        [PropertySources{"KeyProtectorTypes"}]
        SInt32     KeyProtectorTypes[];
        [PropertySources{"EncryptionMethod"}]
        SInt32     EncryptionMethod;
        [PropertySources{"ConversionStatus"}]
        SInt32     ConversionStatus;
        [PropertySources{"ProtectionStatus"}]
        SInt32     ProtectionStatus;
        [PropertySources{"IsAutoUnlockEnabled"}]
        Boolean     IsAutoUnlockEnabled;
    };
    
    # pragma namespace ("\\\\.\\root\\cimv2")
    # pragma deleteclass("Win32Reg_MBAMPolicy", NOFAIL)
     [DYNPROPS]
    Class Win32Reg_MBAMPolicy
    {
        [key]
        string KeyName;
    
        //General encryption requirements
        UInt32    OsDriveEncryption;
        UInt32    FixedDataDriveEncryption;
        UInt32    EncryptionMethod;
    
        //Required protectors properties
        UInt32    OsDriveProtector;
        UInt32    FixedDataDriveAutoUnlock;
        UInt32    FixedDataDrivePassphrase;
    
        //MBAM agent fields
        Uint32    MBAMPolicyEnforced;
        string    LastConsoleUser;
        datetime  UserExemptionDate;
        UInt32    MBAMMachineError;
    
        // Encoded computer name
        string    EncodedComputerName;
    };
    
     [DYNPROPS]
    Instance of Win32Reg_MBAMPolicy
    {
        KeyName="BitLocker policy";
    
        //General encryption requirements
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement|ShouldEncryptOsDrive"),Dynamic,Provider("RegPropProv")]
        OsDriveEncryption;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement|ShouldEncryptFixedDataDrive"),Dynamic,Provider("RegPropProv")]
        FixedDataDriveEncryption;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE|EncryptionMethod"),Dynamic,Provider("RegPropProv")]
        EncryptionMethod;
    
        //Required protectors properties
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|OSVolumeProtectorPolicy"),Dynamic,Provider("RegPropProv")]
        OsDriveProtector;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement|AutoUnlockFixedDataDrive"),Dynamic,Provider("RegPropProv")]
        FixedDataDriveAutoUnlock;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVPassphrase"),Dynamic,Provider("RegPropProv")]
        FixedDataDrivePassphrase;
    
        //MBAM agent fields
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|MBAMPolicyEnforced"),Dynamic,Provider("RegPropProv")]
        MBAMPolicyEnforced;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|LastConsoleUser"),Dynamic,Provider("RegPropProv")]
        LastConsoleUser;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|UserExemptionDate"),Dynamic,Provider("RegPropProv")]
        UserExemptionDate; //Registry value should be string in the format of yyyymmddHHMMSS.mmmmmmsUUU
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|MBAMMachineError"),Dynamic,Provider("RegPropProv")]
        MBAMMachineError;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|EncodedComputerName"),Dynamic,Provider("RegPropProv")]
        EncodedComputerName;
    };
    
    # pragma namespace ("\\\\.\\root\\cimv2")
    # pragma deleteclass("Win32Reg_MBAMPolicy_64", NOFAIL)
    [DYNPROPS]
    Class Win32Reg_MBAMPolicy_64
    {
        [key]
        string KeyName;
    
        //General encryption requirements
        UInt32    OsDriveEncryption;
        UInt32    FixedDataDriveEncryption;
        UInt32    EncryptionMethod;
    
        //Required protectors properties
        UInt32    OsDriveProtector;
        UInt32    FixedDataDriveAutoUnlock;
        UInt32    FixedDataDrivePassphrase;
    
        //MBAM agent fields
        Uint32    MBAMPolicyEnforced;
        string    LastConsoleUser;
        datetime  UserExemptionDate; //Registry value should be string in the format of yyyymmddHHMMSS.mmmmmmsUUU
        UInt32    MBAMMachineError;
    
        // Encoded computer name
        string    EncodedComputerName;
    };
    
    [DYNPROPS]
    Instance of Win32Reg_MBAMPolicy_64
    {
        KeyName="BitLocker policy 64";
    
        //General encryption requirements
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement|ShouldEncryptOsDrive"),Dynamic,Provider("RegPropProv")]
        OsDriveEncryption;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement|ShouldEncryptFixedDataDrive"),Dynamic,Provider("RegPropProv")]
        FixedDataDriveEncryption;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE|EncryptionMethod"),Dynamic,Provider("RegPropProv")]
        EncryptionMethod;
    
        //Required protectors properties
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|OSVolumeProtectorPolicy"),Dynamic,Provider("RegPropProv")]
        OsDriveProtector;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE\\MDOPBitLockerManagement|AutoUnlockFixedDataDrive"),Dynamic,Provider("RegPropProv")]
        FixedDataDriveAutoUnlock;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\FVE|FDVPassphrase"),Dynamic,Provider("RegPropProv")]
        FixedDataDrivePassphrase;
    
        //MBAM agent fields
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|MBAMPolicyEnforced"),Dynamic,Provider("RegPropProv")]
        MBAMPolicyEnforced;
         [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|LastConsoleUser"),Dynamic,Provider("RegPropProv")]
        LastConsoleUser;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|UserExemptionDate"),Dynamic,Provider("RegPropProv")]
        UserExemptionDate; //Registry value should be string in the format of yyyymmddHHMMSS.mmmmmmsUUU
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|MBAMMachineError"),Dynamic,Provider("RegPropProv")]
        MBAMMachineError;
        [PropertyContext("Local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MBAM|EncodedComputerName"),Dynamic,Provider("RegPropProv")]
        EncodedComputerName;
    };
    
    # pragma namespace ("\\\\.\\root\\cimv2")
    # pragma deleteclass("CCM_OperatingSystemExtended", NOFAIL)
    [Union, ViewSources{"select Name,OperatingSystemSKU from Win32_OperatingSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
    dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
    class CCM_OperatingSystemExtended
    {
        [PropertySources{"Name"},key]
        string     Name;
        [PropertySources{"OperatingSystemSKU"}]
        uint32     SKU;
    };
    
    # pragma namespace ("\\\\.\\root\\cimv2")
    # pragma deleteclass("CCM_ComputerSystemExtended", NOFAIL)
    [Union, ViewSources{"select Name,PCSystemType from Win32_ComputerSystem"}, ViewSpaces{"\\\\.\\root\\cimv2"},
    dynamic,Provider("MS_VIEW_INSTANCE_PROVIDER")]
    class CCM_ComputerSystemExtended
    {
        [PropertySources{"Name"},key]
        string     Name;
        [PropertySources{"PCSystemType"}]
        uint16     PCSystemType;
    };
    
    //=======================================================
    // Microsoft BitLocker Administration and Monitoring end
    //=======================================================
    
    

Translation of MBAM 2.0 SP1

MBAM 2.0 SP1 is now available in the following languages:

  • English (United States) en-US
  • French (France) fr-FR
  • Italian (Italy) it-IT
  • German (Germany) de-DE
  • Spanish, International Sort (Spain) es-ES
  • Korean (Korea) ko-KR
  • Japanese (Japan) ja-JP
  • Portuguese (Brazil) pt-BR
  • Russian (Russia) ru-RU
  • Chinese Traditional zh-TW
  • Chinese Simplified zh-CN

How to Get MDOP Technologies

MBAM 2.0 SP1 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part of Microsoft Software Assurance. For more information about Microsoft Software Assurance and acquiring MDOP, see How Do I Get MDOP (https://go.microsoft.com/fwlink/?LinkId=322049).

Release Notes for MBAM 2.0 SP1