Daily Archives: June 13, 2012
AGPM Beta
A quick post regarding the new beta release of AGPM 4.0 SP1.
It is part of the Microsoft Desktop Optimization Pack (MDOP), along with DaRT, MED-V, App-V and MBAM.
But what does it do? AGPM stands for Advanced Group Policy Management. It is an extension of the existing Group Policy Management Console that adds features on top of it. Today, if you want to create or edit a policy, you either have access to the policy or you don't. And if you're not sure your policy will work, wouldn't you like a senior administrator to take a look at it before you deploy it?
And what if someone altered a policy without taking a copy first, and you have no idea what was in the previous version?
All of these problems are addressed by AGPM.
The features included are:
Offline Editing
Controlled GPOs are checked out and edited as copies in the AGPM archive (a central store separate from the production GPOs in SYSVOL), not in the live environment. A change therefore reaches no client until the edited version is checked in and deployed.
GPMC Integration
As I said before, AGPM is just an extension to the Group Policy Management Console. Some people get confused and look for a separate AGPM console; there is none, the snap-in adds a Change Control node inside GPMC.
Change Control
In a typical ITIL world, no change is made unless it is approved by the Change Manager. AGPM addresses this with separate roles: one role can edit and request changes, another can approve and deploy them.
Role-Based Delegation
You can grant administrators different levels of functionality within AGPM: full access, approval access, editor access, or reviewer access (see the roles further down the post).
Cross-Forest Management
And yes, you can use AGPM to control policies in different forests.
Overview of the services and roles:
AGPM Client: A computer that runs the AGPM snap-in for the Group Policy Management Console (GPMC) and from which Group Policy administrators manage GPOs.
AGPM snap-in: The software component of AGPM installed on AGPM Clients so that they can manage GPOs.
AGPM Server: A server that runs the AGPM Service and manages an archive. Each AGPM Server can manage only one archive, but one AGPM Server can manage archive data for multiple domains in one archive. An archive can be hosted on a computer other than an AGPM Server.
AGPM Service: The software component of AGPM that runs on an AGPM Server as a service. The service manages GPOs in the archive and in the production environment in that forest.
Archive: In AGPM, a central store that contains the controlled GPOs that the associated AGPM Server manages, in addition to the history for each of those GPOs. This includes all previous controlled versions of each GPO. An archive consists of an archive index file and associated archive data that may include data for GPOs in multiple domains. An archive can be hosted on a computer other than an AGPM Server.
Controlled GPO: A GPO that is being managed by AGPM. AGPM manages the history and permissions of controlled GPOs, which it stores in the archive.
Uncontrolled GPO: A GPO in the production environment for a domain and not managed by AGPM.
AGPM comes with four access roles:
- AGPM Administrator: Gives the user full control and permission to delegate permissions to other Group Policy administrators.
- Approver: Group Policy administrators assigned the Approver role can deploy GPOs to the production environment for a domain. Approvers can also create and delete GPOs and approve or reject requests from Editors. Approvers can view the list of GPOs in a domain, view the policy settings in GPOs, and create and view reports of the policy settings in a GPO. They cannot edit the policy settings in GPOs unless they are also assigned the Editor role.
- Editor: Group Policy administrators assigned the Editor role can view the list of GPOs in a domain, view the policy settings in GPOs, edit the policy settings in GPOs, and create and view reports of the policy settings in a GPO. Unless they are also assigned the Approver role, Editors cannot create, deploy, or delete GPOs. However, they can request that GPOs be created, deployed, or deleted.
- Reviewer: Group Policy administrators assigned the Reviewer role can view the list of GPOs in a domain and create and view reports of the policy settings in a GPO. Unless they are also assigned the Editor role, they cannot edit policy settings in a GPO.
So how does a typical request proceed?
User 1 is an Editor.
User 2 is an Approver.
User 1 requests a new policy named "Test" and sends the request for approval. User 2 approves it, and the policy is created in the archive. User 1 then checks the policy out of the archive and edits it. When User 1 is finished, the policy is checked back in to the archive and a request for approval to deploy the edited policy is sent. User 2 approves the request, and only then is the policy deployed to production.
First we download the beta from connect.microsoft.com.
The download basically contains a client and a server. For this post we install both roles on the same server.
NOTE: If you don't have the Group Policy Management Console installed, the installer takes care of this for you (and also installs other prerequisites as needed).
MBAM beta 2.0
This has been a much anticipated release; Microsoft showed off some of the capabilities at TechEd (I wasn't there, just following the Twitter storm).
Today Microsoft released the 2.0 beta and it is publicly available: http://windowsteamblog.com/windows/b/springboard/archive/2012/06/12/introducing-microsoft-bitlocker-administration-2-0-beta.aspx
In order to download the beta you have to register on connect.microsoft.com: https://connect.microsoft.com/MDOPTAP
What is MBAM?
Microsoft BitLocker Administration and Monitoring, which is included in the Microsoft Desktop Optimization Pack for Software Assurance, enhances BitLocker by simplifying deployment and key recovery, centralizing provisioning, monitoring and reporting of encryption status for fixed and removable drives, and minimizing support costs.
What's new?
* Integration of System Center Configuration Manager with MBAM (ConfigMgr 2007 and 2012). "I wish they could integrate the Help desk solution into the Configuration Manager console."
– Desired Configuration Management (DCM) Components (Configuration Items and a Baseline)
– A Collection
– Reports
* Self-service Portal
Users can now retrieve their own recovery keys through the Self-service Portal, without calling the help desk.
* Support for Windows 8 Release Preview
If you want to test this release, the following requirements need to be in place.
ASP.NET MVC 2 (can be downloaded from http://go.microsoft.com/fwlink/?LinkID=248423)
Platform Support
The following platforms have been tested for this beta release:
Windows Server:
| Version | Edition |
| --- | --- |
| 2008 R2 | Datacenter, Enterprise, Standard, Web Server |
SQL Server:
| Version | Edition |
| --- | --- |
| 2008 R2 SP1 CU6 | Datacenter, Enterprise |
ConfigMgr:
| Version |
| --- |
| 2007 R3, 2012 |
MBAM client operating system:
| Operating System | Edition |
| --- | --- |
| Windows 7 SP1 | Ultimate, Enterprise |
| Windows 8 | Release Preview |
Note: since I didn't have the correct SQL Server installed, I bypassed the installer by not adding the reports or the database, so I also lose the ability to view the reports and store data. But I just want to give you a quick overview of what this release has to offer in general. And since this is a virtual environment I don't have the ability to activate BitLocker, since I don't have a TPM.
First of all, MBAM is split in two parts: a client and a server.
The Server consists of the following roles:
* Recovery Database
* Audit Database
* Audit Reports
* Self-Service server
* Administration and Monitoring server
* Policy Template (you will find the ADMX and ADML files in C:\windows\policydefinitions\ after installation)
Since we want to integrate MBAM with ConfigMgr, we need to extend configuration.mof and import a new sms_def.mof with the MBAM hardware inventory classes into ConfigMgr.
You need to download the MBAM Beta 2.0 ConfigMgr Scenarios documentation; the data you need is in the appendix.
1. Browse to the MOF file location on the ConfigMgr server (<CMInstallLocation>\Inboxes\clifiles.src\hinv\). On a default installation the installation location is %systemdrive%\Program Files (x86)\Microsoft Configuration Manager.
2. Edit the configuration.mof file:
a. Append the MBAM classes (the section found in the appendix).
i. Create a text file called sms_def.mof and populate it with the sms_def.mof MBAM classes found in the appendix. Import that file by doing the following:
1. Open the ConfigMgr 2012 console.
2. Select the Administration tab.
3. Select Client Settings.
4. Right-click Default Client Settings and select Properties.
5. In the Default Settings window, select Hardware Inventory.
6. Click the Set Classes… button.
7. Click the Import button and select your .mof file in the browser that opens.
8. Click Open. An Import Summary window should open.
9. Make sure that the option to import both hardware inventory classes and class settings is selected, and then click Import.
10. Click OK in both the Hardware Inventory Classes window and the Default Settings window.
ii. Enable the Win32_Tpm class:
1. Open the ConfigMgr 2012 console.
2. Select the Administration tab.
3. Select Client Settings.
4. Right-click Default Client Settings and select Properties.
5. In the Default Settings window, select Hardware Inventory.
6. Click the Set Classes… button.
7. In the main window, scroll down and select the TPM (Win32_Tpm) class.
8. Ensure that the SpecVersion property under TPM is selected.
9. Click OK in both the Hardware Inventory Classes window and the Default Settings window.
You can also see the new inventory classes that come from MBAM.
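The TPM and BitLocker data that the inventory steps above collect can be read directly on a client, which is a quick way to see what ConfigMgr will report and to confirm that the SpecVersion property is actually populated before troubleshooting a collection. The script below is an added example for this page, not part of the post or of MBAM; it uses only the built-in Win32_Tpm and Win32_EncryptableVolume WMI classes and says nothing about the MBAM-specific classes imported from the appendix. Run it in an elevated PowerShell session on the client (both namespaces require administrator rights).

```powershell
# Added example (not from the original post or from MBAM): dump what the
# Win32_Tpm and BitLocker WMI providers expose on this client, i.e. the raw
# data behind the TPM hardware inventory class enabled above.
# Requires an elevated PowerShell 2.0+ session.

$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -eq $null) {
    Write-Warning 'No Win32_Tpm instance: no TPM present or not visible to the OS (a VM, as in the post).'
} else {
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion               # the property the inventory step requires
        Enabled     = $tpm.IsEnabled().IsEnabled
        Activated   = $tpm.IsActivated().IsActivated
        Owned       = $tpm.IsOwned().IsOwned
    } | Format-List
}

# Lookup tables for the numeric codes the BitLocker provider returns.
$protection = @{0='Unprotected'; 1='Protected'; 2='Unknown'}
$conversion = @{0='FullyDecrypted'; 1='FullyEncrypted'; 2='EncryptionInProgress';
                3='DecryptionInProgress'; 4='EncryptionPaused'; 5='DecryptionPaused'}
$method     = @{0='None'; 1='AES128+Diffuser'; 2='AES256+Diffuser'; 3='AES128'; 4='AES256'}
$protType   = @{0='Unknown'; 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPM+PIN';
                5='TPM+StartupKey'; 6='TPM+PIN+StartupKey'; 7='PublicKey'; 8='Passphrase'}

Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume |
ForEach-Object {
    $v    = $_
    $conv = $v.GetConversionStatus()
    $ids  = $v.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = all protector types
    $types = @()
    if ($ids) {
        foreach ($id in $ids) {
            # cast to [int]: the provider returns uint32, the hashtable keys are int
            $types += $protType[[int]$v.GetKeyProtectorType($id).KeyProtectorType]
        }
    }
    New-Object PSObject -Property @{
        Drive      = $v.DriveLetter
        Protection = $protection[[int]$v.GetProtectionStatus().ProtectionStatus]
        Conversion = $conversion[[int]$conv.ConversionStatus]
        Percent    = $conv.EncryptionPercentage
        Cipher     = $method[[int]$v.GetEncryptionMethod().EncryptionMethod]
        Protectors = ($types -join ', ')
    }
} | Format-Table Drive, Protection, Conversion, Percent, Cipher, Protectors -AutoSize
```

A volume that shows Protection = Protected but Protectors without a NumericalPassword entry has no recovery password to escrow, which is exactly the situation the MBAM recovery service is meant to prevent; on a VM without a TPM the first query returns nothing, matching why the test machine in this post never makes it into the MBAM collection.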
After these steps are done, we can continue with the installation.
Click Start.
Accept the license terms and click Next.
Choose Stand-alone or System Center integration, and click Next.
Now we need to choose the features we want; in my case I had to remove all the DB-related features to make it install, since I didn't meet the SQL requirements.
Click Next –>
Choose a certificate for encrypted communications (if you have an internal PKI). In my case I didn't, so I chose "Do not encrypt".
Remember though that the traffic between clients and the server is highly sensitive (it carries the BitLocker recovery keys being escrowed), so for production environments use a certificate and an HTTPS endpoint.
Click Next. If all prerequisites are met, setup will install.
When installation is finished you will get this screen; just click Close.
First we check that the IIS setup finished. Open a web browser and point it to http://localhost:(port)/Helpdesk
Log in, and this window should appear.
This is the Helpdesk portal that comes with MBAM; from here you can do a drive recovery, view reports or manage the TPM.
Now open the ConfigMgr console and let's check that everything the installer created is in place.
Go to assets and compliance –> Device Collections.
You should see a new collection there called MBAM supported computers.
Let's take a look at the query that builds this collection.
The collection excludes virtual machines (since they don't have a TPM), so our test machine will never appear in it.
We can also check under Compliance Settings –> And see that the CI and Baselines are there.
We can also see that the reports from MBAM are installed.
Now that MBAM with Configmgr integration is in place we can continue on with the rest of the setup.
The next thing we need before we deploy the clients is the Group Policy settings. As I wrote earlier, the ADMX and ADML files are located in C:\windows\policydefinitions on the MBAM server. Copy these to the central policy store.
These two ADMX files are the ones you need (plus their ADML files from the en-us folder).
Then open group policy management console
In the Group Policy Management Editor, create a Group Policy Object and
expand Administrative Templates \ Windows Components \ MDOP MBAM (BitLocker Management).
Under Client Management, enable Configure MBAM services and:
· Enter the MBAM Recovery and Hardware service endpoint. The URL format is
http://<hostname>/MBAMRecoveryAndHardwareService/CoreService.svc
This policy tells the client which server to talk to. (If you have integrated with ConfigMgr you don't need to enter a reporting URL, since ConfigMgr takes care of the inventory.)
Now that is done, we can install clients.
Just run the MSI file; the client installs silently and you get no confirmation screen. The only visible sign that it installed correctly is a new Microsoft BitLocker Administration and Monitoring item in Control Panel.
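Since the client install gives no feedback, it is worth having a scripted check for the three things that must be true for the agent to work: the agent service is present and running, the policy from the previous step has reached the machine, and the recovery endpoint it points to answers. The script below is an added example written for this page, not part of the post or of MBAM. Two names in it are assumptions to verify against your build: the agent service name MBAMAgent, and the registry value KeyRecoveryServiceEndPoint under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement as the place where "Configure MBAM services" stores the endpoint.

```powershell
# Added example (not from the original post or from MBAM): verify a silent
# MBAM client install. ASSUMPTIONS to confirm against your ADMX/build:
#   - the agent service is named 'MBAMAgent'
#   - the endpoint policy lands in KeyRecoveryServiceEndPoint under
#     HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement
# Works in PowerShell 2.0 (no Invoke-WebRequest), so it runs on Windows 7 SP1.

$svcName   = 'MBAMAgent'                                                        # assumed
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'    # assumed
$result    = @{}

# 1. Agent service present and running?
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
$result.AgentInstalled = ($svc -ne $null)
$result.AgentRunning   = ($svc -ne $null -and $svc.Status -eq 'Running')

# 2. Has the GPO from the previous step applied? (gpupdate /force first if not)
$endpoint = $null
if (Test-Path $policyKey) {
    $endpoint = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).KeyRecoveryServiceEndPoint
}
$result.PolicyApplied = [bool]$endpoint
$result.Endpoint      = $endpoint

# 3. Does the recovery endpoint answer, and is the channel encrypted?
if ($endpoint) {
    $uri = [Uri]$endpoint
    $result.Encrypted = ($uri.Scheme -eq 'https')   # recovery keys travel over this channel
    try {
        $req = [System.Net.HttpWebRequest]::Create($uri)
        $req.UseDefaultCredentials = $true           # the service authenticates the computer account
        $req.Timeout = 10000
        $resp = $req.GetResponse()
        $result.EndpointReachable = $true
        $result.HttpStatus = [int]$resp.StatusCode
        $resp.Close()
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        # A WebException that carries a Response means the host answered (e.g. 401/403);
        # no Response at all means DNS/TCP/TLS failed before reaching the service.
        $result.EndpointReachable = ($ex -is [System.Net.WebException] -and $ex.Response -ne $null)
        $result.Error = $ex.Message
    }
}

New-Object PSObject -Property $result | Format-List
```

Encrypted = False together with EndpointReachable = True is the configuration used in this lab walkthrough ("Do not encrypt") and is the one to flag in production, since an on-path attacker at that point sees every recovery password the agent escrows.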
If you wish to enable operating system drive encryption (TPM + PIN) and fixed drive encryption (with password), you can do this via the same policy.
Enable Choose drive encryption method and cipher strength. Select either AES 128-bit or AES 256-bit. Do not select either of the "with Diffuser" choices, as they are not supported on Windows 8 Release Preview.
Under Operating System Drive, enable Operating System drive encryption settings and select TPM and PIN as the protector.
Under Fixed Drive, enable Fixed data drive encryption settings and select Auto-Unlock.
Under Fixed Drive, enable Configure use of passwords for fixed data drives with Require password for fixed data drive, Allow password complexity and a minimum password length of 8.
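The endpoint and cipher settings from the two policy sections above can be created with the GroupPolicy PowerShell module rather than by clicking through the editor, which makes the GPO reproducible and lets you read back what was actually written. The script below is an added example for this page, not the post's own steps and not MBAM code. It requires the GroupPolicy module (a 2008 R2 domain controller or RSAT). The GPO name, MBAM hostname and target OU are placeholders. Two registry details are assumptions to check against the BitLockerManagement ADMX you copied to the central store: that "Configure MBAM services" writes KeyRecoveryServiceEndPoint under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement, and that the cipher setting writes EncryptionMethod under HKLM\SOFTWARE\Policies\Microsoft\FVE with 3 = AES 128 and 4 = AES 256 (1 and 2 being the diffuser variants), as the native BitLocker policy does. The TPM + PIN and fixed-drive password settings are left to the editor, since their value names are not given on this page.

```powershell
# Added example (not the post's steps and not MBAM code): build the MBAM client
# GPO with the GroupPolicy module. ASSUMPTIONS to verify against the ADMX:
#   KeyRecoveryServiceEndPoint (REG_SZ) under ...\FVE\MDOPBitLockerManagement
#   EncryptionMethod (REG_DWORD) under ...\FVE: 3 = AES128, 4 = AES256, 1/2 = diffuser
Import-Module GroupPolicy

$gpoName  = 'MBAM Client Settings'                        # assumed name
$mbamHost = 'mbam01.corp.example'                         # assumed MBAM server FQDN
$targetOU = 'OU=Workstations,DC=corp,DC=example'          # assumed target OU
$fveKey   = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
$mbamKey  = "$fveKey\MDOPBitLockerManagement"

# Use https: this endpoint receives the recovery keys (see the certificate note above).
$endpoint = "https://$mbamHost/MBAMRecoveryAndHardwareService/CoreService.svc"

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'MBAM 2.0 beta client policy' }

# Client Management -> Configure MBAM services.
# No reporting endpoint is set because ConfigMgr owns inventory in this setup.
Set-GPRegistryValue -Name $gpoName -Key $mbamKey -ValueName 'KeyRecoveryServiceEndPoint' `
    -Type String -Value $endpoint | Out-Null

# Choose drive encryption method and cipher strength: AES 256, no diffuser.
Set-GPRegistryValue -Name $gpoName -Key $fveKey -ValueName 'EncryptionMethod' `
    -Type DWord -Value 4 | Out-Null

# Link the GPO once to the workstation OU.
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# Read back what was written and warn on a plaintext endpoint or a diffuser cipher.
$ep     = (Get-GPRegistryValue -Name $gpoName -Key $mbamKey -ValueName 'KeyRecoveryServiceEndPoint').Value
$cipher = (Get-GPRegistryValue -Name $gpoName -Key $fveKey  -ValueName 'EncryptionMethod').Value
if (([Uri]$ep).Scheme -ne 'https') { Write-Warning "Recovery endpoint is not https: $ep" }
if (1,2 -contains $cipher)         { Write-Warning 'Diffuser cipher selected; not supported on Windows 8 Release Preview' }

# Keep an HTML report of the resulting GPO for review and change records.
Get-GPOReport -Name $gpoName -ReportType Html -Path "$env:TEMP\$gpoName.html"
```

After the script runs, open the generated report and compare the Administrative Templates section with the editor view; if the MBAM settings show up under "Extra Registry Settings" instead of under MDOP MBAM, the value names do not match the ADMX and the assumptions above need correcting for your build.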
I haven't tried the previous version of MBAM, but I can see the benefit of using this product.
With the Helpdesk and Self-service solutions, and the integration with ConfigMgr, I can see this becoming a beneficial product.
I only wish they would integrate the help desk solution as a view in the ConfigMgr console, so we would have one console to rule them all!