Microsoft Desktop Optimization PackCustomer Solution Case Study

Services Firm to Ease Encryption Rollout and Compliance with Better Administration

OverviewCountry or Region: United StatesIndustry: IT services

Customer ProfileBT Global Services is a managed networked IT services business that operates globally and delivers locally to help customers succeed. For more than 20 years, it has been bringing communications and networked IT products and services together securely and efficiently for customers in the United States and Canada.

Business SituationBT wanted an easier way to set up the BitLocker Drive Encryption feature in the Windows 7 Enterprise operating system and verify BitLocker compliance of employee portable computers.

SolutionBT in the United States and Canada plans to use Microsoft BitLocker Administration and Monitoring to automate BitLocker setup steps and enhance compliance.

Benefits Simplify deployment, ease burden on

employees Improve accuracy of compliance

reporting Enhance security

“We can use MBAM to get greater value from BitLocker. We can ensure that BitLocker is enabled and that we are compliant with corporate encryption mandates without taxing our employees or IT staff.”

Bob Johnson, Director of IT, BT in the United States and Canada

To safeguard sensitive data on its portable computers, BT in the United States and Canada deployed the BitLocker Drive Encryption feature in the Windows 7 Enterprise operating system. However, some employees had difficulties enabling BitLocker, and the company’s compliance reports did not always reflect true compliance status. With a new corporate mandate to encrypt all employee devices, the IT team wanted an easier way to provision BitLocker and verify its use. BT joined the Technology Adoption Program for Microsoft BitLocker Administration and Monitoring (MBAM) and plans to roll out MBAM when it becomes publicly available. It expects to use MBAM to simplify deployment and reduce the time that the IT staff spends helping employees set up BitLocker, while making compliance reports fully accurate and enhancing key recovery.

SituationBT provides managed networked IT services to enterprises in industries ranging from manufacturing, pharmaceutical, and financial services to retail, healthcare, and government. With its United States headquarters in El Segundo, California, the organization, which is part of BT Group Plc., boasts expertise in networking, security, unified communications, and business and sector solutions.

In February 2010, when BT was refreshing portable computers for approximately 800 employees in the United States and Canada, it decided to upgrade from the Windows XP operating system to Windows 7 Enterprise. “In our organization, it’s critical that our consultants are current on the latest technologies. And because our employees often work at client offices, we wanted to ensure that our portable computers were as secure as possible. We knew that Windows 7 Enterprise was a much more secure operating system, and the timing coincided nicely with our refresh schedule as it would enable us to deploy the new computers with Windows 7 already installed,” says Bob Johnson, Director of IT at BT in the United States and Canada.

One of the features of Windows 7 Enterprise that BT found most compelling was BitLocker Drive Encryption. “Confidentiality and security are critical to our clients, particularly those in highly regulated industries. And because there is always a chance of losing portable computers and exposing their data, we wanted to encrypt the hard drives. We believed that BitLocker would be a great encryption solution and because it is part of Windows 7, there is no additional cost

for the feature, which makes it even more attractive,” says Johnson.

In the United States and Canada, BT Global Services had deployed the new portable computers with Windows 7 to 800 employees and was evaluating BitLocker when a global mandate was issued that all employee computers had to be encrypted by September 2010. With the deadline looming, it needed a way to streamline BitLocker provisioning and verify that employees had turned it on so that they were compliant. “At the time, there was no software that could help us with this, so we developed our own agent that would monitor BitLocker compliance through a report tied to our asset database. To help employees activate BitLocker, we wrote and provided instructions on how to start the encryption process and manage the PIN, which would be required for recovery. Our technology consultants generally had no problem enabling BitLocker, but many of our less tech-savvy workers needed our help,” Johnson says. It typically took an IT team member about 30 to 60 minutes to walk an employee through the BitLocker setup process.

The BitLocker compliancy reports that the IT team ran sometimes mistakenly indicated that employees had not turned on BitLocker. In some cases, employees had encrypted their computers but had forgotten to install the internally developed agent that would verify compliance. In other cases, if workers had encrypted their hard drives but not their portable USB drives, the report might indicate they were not compliant even though the company had only mandated that fixed hard drives had to be encrypted.

26

“MBAM can certainly help us enhance security by simplifying BitLocker deployment and improving compliance reporting.”

Bob Johnson, Director of IT, BT in the United States and Canada

“We wanted to ease activation of BitLocker, especially for nontechnical employees, figure out a more accurate way to verify compliance, and simplify the overall way we handle BitLocker administration,” says Johnson. He adds that, although BT has fully deployed BitLocker for 800 employees in the United States and Canada, it still needs to simplify provisioning. For instance, replacing hardware such as the motherboard requires BitLocker to be reprovisioned. Also, employees—who have administrator rights to their computers—could accidentally disable the feature and then need to reconfigure it. And workers who require replacement computers or receive new devices during refresh cycles would also need an easy way to set up BitLocker.

SolutionIn August 2010, When BT was initially looking for a way to ease BitLocker provisioning and reporting so that it could meet its encryption mandate, the IT team had contacted Microsoft to explore potential solutions. “Microsoft didn’t have a production offering that could help us meet our September 2010 deadline, which is why we developed our agent and provided configuration instructions to employees. However, our Microsoft Services Premier Support representative told us about Microsoft BitLocker Administration and Monitoring, which seemed like it would address our provisioning and compliance verification needs and help us with future BitLocker use. When Microsoft invited us to join the Technology Adoption Program, we readily accepted,” says Johnson.

BT wanted to test Microsoft BitLocker Administration and Monitoring (MBAM) because it takes BitLocker to the next level by simplifying deployment and key recovery; centralizing provisioning, monitoring, and reporting of encryption status for fixed and removable drives; and minimizing support costs. MBAM is part of the Microsoft Desktop Optimization Pack.

BT joined the Technology Adoption Program (TAP) for MBAM in August 2010. The IT team installed pre-beta versions of MBAM on six computers in its lab. In March 2011, BT downloaded the beta version of MBAM and installed it on the lab computers the following month.

“We’ve been pleased with the results of our MBAM testing and feel that MBAM can certainly help us enhance security by simplifying BitLocker deployment and improving compliance reporting,” says Johnson. During the TAP, the IT team discovered additional capabilities of MBAM that could help with post-deployment tasks, such as the one-time-use recovery key that automatically generates a new key after an employee has used an existing key, thereby adding a layer of security.

BT plans to roll out MBAM to about 100 employee computers when the product is publicly available and hopes to eventually extend MBAM to all employee computers that use BitLocker.

BenefitsBy using Microsoft BitLocker Administration and Monitoring, BT expects to simplify BitLocker deployment and reduce the time that employees spend provisioning BitLocker, while boosting the accuracy of its

36

“The whole deployment process will be simpler and our workers and help-desk staff can save the 30 to 60 minutes they used to spend walking through the BitLocker setup.”

Bob Johnson, Director of IT, BT in the United States and Canada

compliance reporting. The company also anticipates that processes for recovery keys will be easier and more secure.

“We can use MBAM to get greater value from BitLocker. We can ensure that BitLocker is enabled and that we are compliant with corporate encryption mandates without taxing our employees or IT staff,” says Johnson.

46

Simplify Deployment, Ease Burden on Employees and Help Desk By using MBAM to automate BitLocker setup steps and prompt users to enter information, such as their PIN, BT will make administration easier for employees and IT staff. “We won’t have to worry about employees having difficulties with our configuration instructions or not correctly enabling BitLocker. The whole deployment process will be simpler and our workers and help-desk staff can save the 30 to 60 minutes they used to spend walking through the BitLocker setup,” says Johnson.

BT can ease the burden on IT staff by using MBAM to automate pre-BitLocker setup steps and make it simple for employees to perform basic tasks, such as starting the encryption process and managing their BitLocker PIN.

Improve Accuracy of Compliance Reporting BT expects to reduce the number of false positives generated by its compliance reports. “Using MBAM will help us boost the accuracy of our reports and verify which devices are encrypted without having to manually check the computers. Because all encrypted devices are automatically captured, we won’t have to depend on employees to turn on an agent that records the encryption status,” says Johnson.

Also, because the IT team can set more detailed policies, including different ones for fixed and removable hard drives BT can use Group Policy settings to control what drives need to be encrypted. That will help ensure that compliance report parameters are aligned with corporate encryption requirements.

56

“By automating recovery key storage, we can eliminate problems that can stem from user error and make sure that our computers are not in a state where they’re unrecoverable.”

Bob Johnson, Director of IT, BT in the United States and Canada

Enhance SecurityBefore using MBAM, the 800 employees had to copy their recovery keys to a file share. However, if employees did not do this, there was no way for them to obtain the key and recover their computer data. Because MBAM stores recovery keys automatically in a Microsoft SQL Server database that BT can encrypt, the company will be able to eliminate this problem. “Manual processes are prone to human error. By automating recovery key storage, we can eliminate problems that can stem from user error and make sure that our computers are not in a state where they’re unrecoverable,” says Johnson.

BT also sees value in the MBAM one-time-use recovery key capability. “Anything that MBAM can help us do to enhance security, such as changing the recovery key after it has been used so that no one can reuse the original key, is a great advantage,” notes Johnson.Microsoft Desktop OptimizationMicrosoft Desktop Optimization Pack (MDOP) for Software Assurance makes it easy for an organization to administer its applications, offering tools for virtualizing and inventorying software installations, for managing Group Policy settings, and for system repair and data recovery. For more information about MDOP, go to: www.microsoft.com/mdop

66

For More InformationFor more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers in the United States and Canada who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to: www.microsoft.com

For more information about BT products and services, call (888) 767-2988 or visit the website at:www.bt.com/globalservices

This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.

Document published May 2011

Software and Services Microsoft Desktop Optimization Pack− Microsoft BitLocker Administration

and Monitoring

Windows 7 Enterprise Technologies− BitLocker