MBAM, Bitlocker and Compliance

A couple of months ago I was involved in a divestiture project where we used MBAM from the MDOP suite to manage the Bitlocker disk encryption deployment across the company laptops.

It’s a great product that has gotten less attention than it deserves due to it being bundled and buried deep inside the MDOP suite but there are two thorns that stick out like rusty nails in it.

  1. Cumbersome initial installation requiring a lot of manual steps
  2. Limited options for filtering out specific types of machines (i.e. portables vs. non-portables when you’re only interested in the portables)

#1 – Redmond, please!! Do better, don’t be evil 🙂

#2 Fortunately, one of my colleagues is a Reporting Services wizard and we were able to modify the compliance reports to include some more useful fields for filtering than the defaults – as seen below where we added a Computer Type field and filter out everything but laptops (Portable/Non-Portable, Non-TPM).


With these additional hacks the MBAM product works wonders and would be worth a separate purchase but consider that with the MDOP package you get AGPMC, DART and Med-V and you have a killer deal. Did I mention that it also has a Self-Service portal for Helpdesk and Users?

The one remaining concern is that MBAM doesn’t have any automatic pruning of stale records. That concern is however addressed by the add-on MBAM Data Compliance Cleanup Tool. The latest update to the tool makes it compatible with MBAM 2.5.

See http://blogs.windows.com/itpro/2014/05/01/mdop-2014-delivers-improved-bitlocker-management-with-mbam-2-5/

The Missing Lync

How present are you?

Office applications that integrate with IM applications and show presence do so by contacting the IM application listed as the default in the corresponding registry key (DefaultIMApp).
That key is frequently populated with the name of whichever IM application was installed last on the machine.

In some cases the IM application even monitors the registry key and overrides any changes made to the default IM application by other IM applications (shades of IE/Firefox/Chrome default browser ping-pong).

From the perspective of the IM application this may sound like a perfectly logical idea as it is making sure it is the default. If you are trying to either integrate several different IM applications on the same workstation or you want to select a specific application yourself to be the default for any presence information in Sharepoint, Outlook, etc. then it becomes a real headache when one application insists on setting itself as the default regardless of your wishes.

The net effect is that only the default IM application counts as a valid presence source for the user; if the user isn’t active in that application then the user doesn’t generate any presence in Sharepoint or Office.

I.e.

  • the user is signed in to one IM application on the workstation (e.g. Lync 2013 or Skype for Business)
  • another IM application has overwritten the HKCU\Software\IM Providers\DefaultIMApp registry key (e.g. Jabber or Communicator 2007)
  • that IM application isn’t currently active on the workstation

End result: the user doesn’t generate a presence even if he or she is active in the Lync or Skype application.

HKCU\Software\IM Providers\DefaultIMApp

This key specifies the IM application Office integrates with when it starts up.

(From https://msdn.microsoft.com/en-us/library/jj900715(v=office.15).aspx#off15_IMIntegration_SetRegistry)

How Office integrates with an IM client application

When an Office 2013 application starts, it goes through the following process to integrate with the default IM client application:

  1. It checks the registry to discover the default IM client application and then connects to it.
  2. It authenticates with the IM client application.
  3. It connects to specific interfaces that are exposed by the IM client application.
  4. It determines the capabilities of the currently signed-in user (local user), including getting the user’s contacts, determining the user’s presence, and determining the user’s IM capabilities (instant messaging, video chat, VOIP, and so on).
  5. It gets presence information for the local user’s contacts.
  6. When the IM client application shuts down, the Office 2013 application silently disconnects.
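To see why a user shows no presence, it helps to compare the DefaultIMApp value with the providers actually registered and running. The script below is an added troubleshooting helper, not part of the original post or of any Microsoft tool; it reads DefaultIMApp, enumerates the provider subkeys under HKCU\Software\IM Providers, and warns when the default provider is missing or not running. The provider value names FriendlyName and ProcessName are assumptions about how providers register themselves, not something this post states.

```powershell
# Added troubleshooting helper; not part of the original post.
# Reads HKCU\Software\IM Providers\DefaultIMApp, lists every provider
# registered under that key and reports whether the default one is running.
# Assumption: each provider subkey carries FriendlyName and ProcessName values.
$imRoot = 'HKCU:\Software\IM Providers'

if (-not (Test-Path $imRoot)) {
    Write-Warning "No IM providers registered for this user ($imRoot missing)."
    return
}

$default = (Get-ItemProperty -Path $imRoot -ErrorAction SilentlyContinue).DefaultIMApp
Write-Host "DefaultIMApp = '$default'"

$providers = foreach ($sub in Get-ChildItem -Path $imRoot) {
    $p   = Get-ItemProperty -Path $sub.PSPath
    $exe = $p.ProcessName                       # e.g. lync.exe (assumed value name)
    $baseName = if ($exe) { [IO.Path]::GetFileNameWithoutExtension($exe) } else { $null }
    # A provider counts as active only when its process is actually running.
    $running = $baseName -and (Get-Process -Name $baseName -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Provider     = $sub.PSChildName
        FriendlyName = $p.FriendlyName
        ProcessName  = $exe
        Running      = [bool]$running
        IsDefault    = ($sub.PSChildName -eq $default)
    }
}

$providers | Format-Table -AutoSize

$def = $providers | Where-Object IsDefault
if (-not $def) {
    Write-Warning "DefaultIMApp '$default' does not match any registered provider subkey."
} elseif (-not $def.Running) {
    $alive = ($providers | Where-Object Running).Provider -join ', '
    Write-Warning "Default provider '$default' is not running, so Office will show no presence. Running providers: $alive"
}
```

If the warning points at the wrong provider, the value can be changed by hand with `Set-ItemProperty -Path 'HKCU:\Software\IM Providers' -Name DefaultIMApp -Value '<ProviderSubkeyName>'` and Office restarted; bear in mind that a provider which monitors the key (as described above) may overwrite it again.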

Further reading:

http://blogs.msdn.com/b/dvespa/archive/2014/08/06/im-presence-provider-outlook-handbook.aspx

https://support.microsoft.com/en-us/kb/2794968

https://supportforums.cisco.com/discussion/12361916/jabber-phone-mode-breaks-lync-presence-outlook

http://blogs.msdn.com/b/rathomas/archive/2012/12/04/outlook-2013-users-are-unable-to-see-the-presence-info-in-outlook.aspx
