One announcement that was made during MMS 2013 was the release of MDOP 2013 which includes MBAM 2.0. I’m not writing this blog to tell you about the features of MBAM 2.0, if you want that info you can get it here.
What I do want to discuss in this blog is compliance data retention. While the ConfigMgr integration in MBAM 2.0 is quite nice it comes at a price, compliance data is purged from the CM database according to your inventory retention settings (maintenance settings). Therefore you have two options, you can either keep all your inventory for way longer than you should which will wreak havoc during true-ups or you can keep compliance data for far too short a period of time which could result in an embarrassing press statement when you can’t prove a lost device was encrypted.
For me both options totally unacceptable. My first thought was “I just won’t use the CM integration” but I really didn’t like that idea at all so I started asking questions and found a quick solution to this potentially embarrassing problem. You must simply run MBAM 2.0 setup twice. Run it once with CM integration and again without. This should place the compliance data both in CM as well as the MBAM database.You can report in recent data from CM and historical data from MBAM.
For this to work properly the ConfigMgr integrated environment must be installed on the ConfigMgr server. The stand-alone environment must be installed on a separate server and there must be GPO’s in-place to point the MBAM agent to the stand-alone environments compliance web service.
This is not an elegant solution but it’s all that Microsoft has to offer at the moment. Enjoy!