BitLocker Deployment Using MBAM is a Snap!
Lance Crandall, Program Manager, Microsoft
BRK2331

Threats to your data are everywhere

Information protection continuum
Sharing protection: protect data as it is shared
Device protection: protect data when a device is lost or stolen
Data protection: accidental data leakage
Information protection continuum complete

Lost Laptops – ADDING TERROR TO PLAYBOOK
Over 12,000 laptops lost in airports every week
"It's staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for." – Larry Ponemon
Source: "New Study Reveals Up To 12,000 Laptop Computers Lost Weekly and up to 600,000 lost annually in U.S. Airports", Ponemon.org, June 20, 2008

BitLocker Overview
10,000 foot view

BitLocker
Full volume encryption:
  OS volumes
  Fixed data drives (like a separate hard drive or partition)
  Removable drives
Recovery:
  Recovery keys
  DRA (data recovery agent)
Used Disk Space Only: encrypts only the used disk space
Pre-provisioning: speeds up encryption by turning BitLocker on in WinPE
TPM must be enabled and owned

BitLocker Protectors
TPM
TPM+PIN
Password
Auto-Unlock

TPM Overview
Hardware based: protects BitLocker, virtual smart card, and other sensitive keys
Enables Secure Boot by verifying platform integrity measurements
Prevents tampering: moving to other machines causes keys to be inaccessible
Anti-hammering logic: since it is hardware based, it is not subject to software attacks
TPM spec versions:
  TPM 1.2 – main spec in use; random lockout thresholds and attempts
  TPM 2.0 – on by default; consistent lockout

Preparing to Use the TPM
TPM enablement:
  TPM must be enabled and activated in the BIOS/UEFI (default in TPM 2.0)
  Must be visible to and manageable by the OS
  Can be automated using tools from device manufacturers from within the full OS or WinPE
Ownership:
  TPM must be owned by Windows, MBAM, or something else
  Taking ownership creates the TPM OwnerAuth password, which is needed to reset TPM lockouts
  Scripts (MDT, SCCM, or other method)

BitLocker Management with MBAM

Microsoft BitLocker Administration and Monitoring: an enterprise-class solution that streamlines management of BitLocker
BitLocker enactment:
  Integrates into existing deployment tools
  Grace period for enactment
  Prompts for PIN or password
  Escrows recovery information and TPM OwnerAuth
Compliance reporting:
  Encryption status reporting per volume on each computer
  View overall compliance for your organization
  View reports standalone or in System Center Configuration Manager
Recovery:
  Helpdesk recovery
  Self-service recovery
  Retrieve TPM OwnerAuth to unlock the TPM

Database Components (stand-alone topology)
  Recovery Database
  Compliance/Audit Database
Stand Alone Server Components
  Self-Service Server: Self-Service Web Service, Self-Service Web Site
  Administration and Monitoring Server: Admin Web Service, Admin Web Site
  Compliance and Audit Reports (SSRS): Reporting Web Service, Reporting Web Site

Database Components (Configuration Manager topology)
  Recovery Database
  Audit Database
CM Server Components
  Self-Service Server: Self-Service Web Service, Self-Service Web Site
  Administration and Monitoring Server / Audit Report: Admin Web Service, Admin Web Site
Configuration Manager Components
  Management Console
  CM Reports (SSRS)

GPO
ADMX files downloadable from microsoft.com/downloads
Allows configuration of MBAM settings: BitLocker settings and MBAM policy settings
Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM
User Configuration\Administrative Templates\Windows Components\MDOP MBAM (this is for user exemptions only)

MBAM client flow: install MBAM client -> apply MBAM policy -> enacts BitLocker -> reports compliance

Announcing MBAM 2.5 SP1
Deployment:
  Introduced scripts to support imaging
  Included prompting for PIN after imaging
  Improved TPM OwnerAuth escrow
Management:
  Built cmdlets to import BitLocker and TPM data from AD
  Added automatic TPM unlock when BitLocker is recovered
  Consolidated and simplified server logging
Industry compatibility:
  Added Windows 10 support
  Added Encrypted HDD support
  Supported international domain names
  Supported Win7 FIPS recovery password
Customization:
  Added ability to direct customers to the SSP from the BitLocker recovery screen
  Allowed SSP branding capability during setup
  Increased supported client languages to 23
  Updated reports schema to allow customization using Report Builder

What's New With BitLocker Deployment Using MBAM

Enabling BitLocker During Imaging

Process
  Previously: manual process with reg keys and service restarts; non-supported scripts that only supported MDT/SCCM
  MBAM 2.5 SP1: written in PowerShell, compatible with PowerShell v2; easy to use with MDT, SCCM, or standalone
Volume Support
  Previously: support for OS volumes; no pre-provisioning support out of the box
  MBAM 2.5 SP1: supports OS volumes with TPM protector; fixed data drive support; handles pre-provisioned drives; prompts for PIN immediately after imaging
Escrow/Reporting
  Previously: does not escrow TPM OwnerAuth unless owned by MBAM; reporting could take up to 12 hours
  MBAM 2.5 SP1: TPM OwnerAuth escrowed if pre-provisioned or not owned by MBAM (Win8+); immediate compliance reporting
Error Handling
  Previously: limited error handling; depends on the script
  MBAM 2.5 SP1: robust error handling; writes to standard out, including BDD and SMSTS logs

Under the covers
New WMI methods:
  PrepareTpmAndEscrowOwnerAuth
  EscrowRecoveryKey
  ReportStatus
Returned error codes are helpful for troubleshooting

MBAM Client Deployment Script Parameters

Invoke-MbamClientDeployment.ps1 – the main script that your deployment system will call to configure MBAM and enable BitLocker.

Parameter                         Kind      Description
-RecoveryServiceEndpoint          Required  MBAM recovery service endpoint
-StatusReportingServiceEndpoint   Optional  MBAM status reporting service endpoint
-EncryptionMethod                 Optional  Encryption method (default: AES 128)
-EncryptAndEscrowDataVolume       Switch    Specify to encrypt data volume(s) and escrow data volume recovery key(s)
-WaitForEncryptionToComplete      Switch    Specify to wait for the encryption to complete
-IgnoreEscrowOwnerAuthFailure     Switch    Specify to ignore TPM OwnerAuth escrow failure
-IgnoreEscrowRecoveryKeyFailure   Switch    Specify to ignore volume recovery key escrow failure
-IgnoreReportStatusFailure        Switch    Specify to ignore status reporting failure

Command Line Example

  .\Invoke-MbamClientDeployment.ps1 `
    -RecoveryServiceEndpoint https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc `
    -StatusReportingServiceEndpoint https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc `
    -EncryptAndEscrowDataVolume `
    -EncryptionMethod AES256 `
    -WaitForEncryptionToComplete
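The following wrapper is an added example, not code from the session or from the MBAM product. It shows how a task sequence step could run Invoke-MbamClientDeployment.ps1 with the parameters listed above after checking the two things the session names as prerequisites: that the TPM is enabled and activated, and that the Win32_EncryptableVolume provider reports the OS volume (including a WinPE pre-provisioned one). Everything it writes goes to standard out, which is what MDT and SCCM capture into BDD.log and SMSTS.log. The script path, the two endpoints and the encryption method are assumptions for a contoso-style lab; the WMI classes used (Win32_Tpm, Win32_EncryptableVolume) are the in-box ones.

```powershell
# Added example: task-sequence wrapper around Invoke-MbamClientDeployment.ps1.
# Not part of the deck or the MBAM product. Script path and endpoints are assumed values.
param(
    [string]$ScriptPath       = 'C:\Deploy\MBAM\Invoke-MbamClientDeployment.ps1',   # assumed location
    [string]$RecoveryEndpoint = 'https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc',
    [string]$StatusEndpoint   = 'https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc'
)

# Write-Output lands on standard out, which MDT/SCCM copy into BDD.log / SMSTS.log.
function Test-TpmReady {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($tpm -eq $null) { Write-Output 'No TPM found'; return $false }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Output ('TPM enabled={0} activated={1} owned={2}' -f $enabled, $activated, $owned)
    # Ownership is not required up front: the 2.5 SP1 script escrows OwnerAuth
    # whether the TPM is pre-provisioned, unowned, or owned by MBAM (Win8+).
    return ($enabled -and $activated)
}

function Get-OsVolumeState {
    $vols = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' -Class Win32_EncryptableVolume
    $os = $vols | Where-Object { $_.DriveLetter -eq $env:SystemDrive }
    if ($os -eq $null) { return $null }
    $conv = $os.GetConversionStatus()
    New-Object PSObject -Property @{
        DriveLetter      = $os.DriveLetter
        ProtectionStatus = $os.ProtectionStatus      # 0 = off, 1 = on, 2 = unknown
        ConversionStatus = $conv.ConversionStatus    # 0 = decrypted, 1 = encrypted, 2 = encrypting, 3 = decrypting
        Percent          = $conv.EncryptionPercentage
    }
}

if (-not (Test-TpmReady)) {
    Write-Output 'TPM is not enabled and activated; enable it in firmware or with the OEM tool before running MBAM'
    exit 1
}

$state = Get-OsVolumeState
if ($state -eq $null) {
    Write-Output 'Win32_EncryptableVolume returned no OS volume; fix the BitLocker WMI provider before MBAM can enact'
    exit 1
}
Write-Output ('OS volume {0}: protection={1} conversion={2} ({3}%)' -f `
    $state.DriveLetter, $state.ProtectionStatus, $state.ConversionStatus, $state.Percent)
# A WinPE pre-provisioned drive shows conversion 1 or 2 with protection 0 (clear key only);
# the 2.5 SP1 script handles that case, adds the TPM protector and escrows the recovery key.

# Same parameters as the command line example above, passed by splatting.
$mbamArgs = @{
    RecoveryServiceEndpoint        = $RecoveryEndpoint
    StatusReportingServiceEndpoint = $StatusEndpoint
    EncryptionMethod               = 'AES256'
    EncryptAndEscrowDataVolume     = $true
    WaitForEncryptionToComplete    = $true
}

try {
    & $ScriptPath @mbamArgs
    # The script's own error codes are the troubleshooting signal; surface them to the task sequence.
    if ($LASTEXITCODE -ne $null -and $LASTEXITCODE -ne 0) {
        Write-Output ('Invoke-MbamClientDeployment.ps1 returned {0}; see its output above' -f $LASTEXITCODE)
        exit $LASTEXITCODE
    }
    Write-Output 'MBAM client deployment script completed'
    exit 0
}
catch {
    Write-Output ('MBAM client deployment failed: {0}' -f $_.Exception.Message)
    exit 1
}
```

The wrapper deliberately does not pass any of the -Ignore*Failure switches: during imaging you want an escrow or reporting failure to fail the step, because a machine whose recovery key never reached MBAM is the one the helpdesk cannot recover later. Keep the checks WMI-based (Get-WmiObject rather than the newer BitLocker cmdlets) so the wrapper runs on the same PowerShell v2 baseline the session states for the script itself.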

Integrating Into Deployment Processes
As Easy As 1…2…3!

Demo – Enabling BitLocker Using MDT and MBAM During Imaging

Enabling BitLocker on Existing Machines
1. Apply MBAM policies to the device
2. Enable the TPM
3. Create the BitLocker system partition if needed
4. Fix potential Win32_EncryptableVolume issues
5. Install the MBAM agent
6. The MBAM agent works its magic

Demo – Enabling BitLocker Using MDT and MBAM on Existing Machines

AD Recovery Data Migration

Migrating Existing Recovery Data to MBAM
Challenges:
  Enterprises have rolled out BitLocker without MBAM
  Recovery data is stored in AD
  TPM OwnerAuth may be stored in AD
  Machines may be offline/in storage
  Two places that techs have to go for recovery

Active Directory Recovery Data Migration
4 PowerShell cmdlets
For volume recovery keys and packages:
  Read-ADRecoveryInformation
  Write-MbamRecoveryInformation
For TPM OwnerAuth information:
  Read-ADTpmInformation
  Write-MbamTpmInformation
Add-ComputerUser.ps1 – match users to computers

Active Directory Recovery Data Migration
Reads recovery keys, packages, and TPM OwnerAuth from AD and writes them to MBAM
Does not write to AD
Data integrity checks when writing to MBAM
Advanced Helpdesk can recover
Intermediary process that can match users to machines:
  ManagedBy attribute in AD
  Custom CSV file
  Allows helpdesk and SSP recovery

Setup
Grant rights in AD
Create an AD group to grant write access to MBAM
Open Web.config for the recovery service and edit the key:
  <add key="DataMigrationsUsersGroupName" value="" />

AD Recovery Data Migration Example

  Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse |
    Add-ComputerUser -FromComputerManagedBy |
    Write-MBAMRecoveryInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc

AD TPM Data Migration Example

  Read-ADTpmInformation -Server contoso.com -Credential $cred -Recurse |
    Add-ComputerUser -FromComputerUserMapping (Import-Csv ComputerToUserMapping.csv) |
    Write-MBAMTpmInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
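The two pipelines above assume you already know which computers can be matched to a user through the ManagedBy attribute and which need the custom CSV. The script below is an added example, not part of the session or of the MBAM cmdlets: it splits the computers in an OU by whether ManagedBy is set, writes a CSV template for the rest, checks the filled-in mapping against AD before anything is written (a user-less row would migrate recovery data that nobody can self-service), and then runs the session's pipelines. It assumes the ActiveDirectory module and the MBAM migration cmdlets are loaded, and that the account in $cred is a member of the group named in DataMigrationsUsersGroupName. The OU, the CSV column names (ComputerName, UserName) and the endpoint are assumptions; check the cmdlet help for the column names Add-ComputerUser expects.

```powershell
# Added example, not from the deck or the MBAM cmdlets. OU path, CSV columns and endpoint are assumed.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=contoso,DC=com'   # assumed OU
$mappingCsv = '.\ComputerToUserMapping.csv'
$endpoint   = 'https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc'

# Computers with ManagedBy set can be matched by -FromComputerManagedBy;
# the rest need a row in the CSV that the helpdesk fills in.
$computers    = Get-ADComputer -Filter * -SearchBase $searchBase -Properties ManagedBy
$withOwner    = @($computers | Where-Object { $_.ManagedBy })
$withoutOwner = @($computers | Where-Object { -not $_.ManagedBy })
Write-Output ('{0} computers have ManagedBy set, {1} need a CSV mapping' -f $withOwner.Count, $withoutOwner.Count)

if (-not (Test-Path $mappingCsv)) {
    # Column names are an assumption; confirm with Get-Help Add-ComputerUser.
    $withoutOwner |
        Select-Object @{ n = 'ComputerName'; e = { $_.Name } }, @{ n = 'UserName'; e = { '' } } |
        Export-Csv -NoTypeInformation -Path $mappingCsv
    Write-Output ('Wrote template {0}; fill in UserName (sAMAccountName) and re-run' -f $mappingCsv)
    return
}

# Integrity check on the filled-in CSV: every computer must exist and every user must resolve.
function Test-ComputerUserMapping {
    param([string]$Path)
    $problems = @()
    foreach ($row in (Import-Csv $Path)) {
        if ([string]::IsNullOrEmpty($row.UserName)) {
            $problems += ('{0}: no user' -f $row.ComputerName); continue
        }
        $sam = ($row.UserName -split '\\')[-1]          # accept DOMAIN\user or plain user
        if (-not (Get-ADUser -Filter "SamAccountName -eq '$sam'")) {
            $problems += ('{0}: user {1} not found' -f $row.ComputerName, $row.UserName)
        }
        if (-not (Get-ADComputer -Filter "Name -eq '$($row.ComputerName)'")) {
            $problems += ('{0}: computer not found' -f $row.ComputerName)
        }
    }
    return $problems
}

$problems = @(Test-ComputerUserMapping -Path $mappingCsv)
if ($problems.Count -gt 0) {
    $problems | Write-Output
    throw 'Fix the mapping before migrating'
}

# The session's pipelines, one per matching method. MBAM applies its own
# data integrity checks on write; nothing here writes back to AD.
$cred = Get-Credential   # AD read rights plus membership in the MBAM data-migration group
Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse |
    Add-ComputerUser -FromComputerManagedBy |
    Write-MbamRecoveryInformation -RecoveryServiceEndPoint $endpoint
Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse |
    Add-ComputerUser -FromComputerUserMapping (Import-Csv $mappingCsv) |
    Write-MbamRecoveryInformation -RecoveryServiceEndPoint $endpoint
```

Run it once without the CSV present to get the template, have the helpdesk fill in the owners, then run it again; the second run refuses to migrate until every row resolves in AD. The same two-stage pattern applies to Read-ADTpmInformation / Write-MbamTpmInformation, which take the same mapping.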

Demo – AD Recovery Data Migration

Custom Pre-boot Recovery

Recovery Experience

SSP Windows 10 Enhancements
We want users to use the SSP – it cuts costs
Users hit the recovery screen; the recovery screen tells them to go to OneDrive; the key isn't there; the user calls the helpdesk
You can now customize the BitLocker recovery screen!

Windows 10 Custom Preboot URL
Default recovery message
Custom recovery message

Demo – Custom Preboot Recovery Message

Managing TPM Lockouts

TPM Lockouts
TPM anti-hammering causes:
  Incorrect PIN attempts
  Incorrect virtual smart card authentication attempts
  Invalid attempts to guess or change the TPM OwnerAuth
Protection mechanism when using BitLocker:
  Exponentially slower responses to authorization attempts
  Forces a BitLocker recovery event: the 48-digit BitLocker recovery key must be entered to unlock
Lockout duration:
  TPM 1.2 – varies by manufacturer
  TPM 2.0 – 2 hours

Unlocking TPM
Unlocking the TPM requires the TPM OwnerAuth
MBAM escrowed the TPM OwnerAuth, so the helpdesk can provide it
Requires admin rights to use on the device

Managing TPM Lockouts – The Easy Way
TPM 1.2 lockouts can be automatically resolved
Not needed for TPM 2.0
Feature must be enabled on the web server and in GPO
TPM OwnerAuth must be in MBAM
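As an added example (not from the session), the script below is the device-side half of the manual path described above: it reports whether the TPM is in anti-hammering lockout, which spec version it is (so the helpdesk knows whether the 2.5 SP1 auto-unlock for TPM 1.2 applies, or whether a TPM 2.0 lockout will clear on its own after 2 hours), and resets the lockout with the OwnerAuth that MBAM escrowed. It needs local admin rights and Windows 8 or later (Get-Tpm and Unblock-Tpm from the in-box TrustedPlatformModule module); the OwnerAuth value is obtained from the MBAM helpdesk portal and is passed in as a placeholder parameter here.

```powershell
# Added example, not from the deck. Run elevated on the locked-out device.
# $OwnerAuth is the value the MBAM helpdesk portal returns for this machine (placeholder here).
param([string]$OwnerAuth)

function Get-TpmSpecVersion {
    # Win32_Tpm.SpecVersion reads like "1.2, 2, 3" or "2.0, 0, 1.16"; the first field is the spec.
    $w = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
    if ($w -eq $null) { return $null }
    return ($w.SpecVersion -split ',')[0].Trim()
}

function Get-TpmLockoutReport {
    $tpm = Get-Tpm
    New-Object PSObject -Property @{
        SpecVersion  = Get-TpmSpecVersion
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady
        LockedOut    = $tpm.LockedOut       # anti-hammering engaged
        LockoutCount = $tpm.LockoutCount    # failed authorizations counted so far
        LockoutMax   = $tpm.LockoutMax      # threshold at which the TPM locks
    }
}

function Reset-TpmLockout {
    param([string]$OwnerAuth)
    if ([string]::IsNullOrEmpty($OwnerAuth)) {
        throw 'OwnerAuth is required; retrieve it from the MBAM helpdesk portal'
    }
    Unblock-Tpm -OwnerAuthorization $OwnerAuth
    return (-not (Get-Tpm).LockedOut)       # $true when the reset took effect
}

$r = Get-TpmLockoutReport
Write-Output ('TPM {0}: present={1} ready={2} lockedOut={3} ({4}/{5} failures counted)' -f `
    $r.SpecVersion, $r.Present, $r.Ready, $r.LockedOut, $r.LockoutCount, $r.LockoutMax)

if (-not $r.LockedOut) {
    Write-Output 'TPM is not locked out; nothing to reset'
    return
}

switch ($r.SpecVersion) {
    '1.2' { Write-Output 'TPM 1.2: MBAM 2.5 SP1 auto-unlock can clear this on the next recovery if enabled on the web server and in GPO and the OwnerAuth is in MBAM' }
    '2.0' { Write-Output 'TPM 2.0: the lockout clears by itself after 2 hours; a manual reset is optional' }
}

if ($OwnerAuth) {
    if (Reset-TpmLockout -OwnerAuth $OwnerAuth) { Write-Output 'TPM lockout reset' }
    else { Write-Output 'TPM still reports lockout after reset; verify the OwnerAuth came from MBAM for this machine' }
}
```

The report is worth capturing even when no reset is attempted: a rising LockoutCount on a machine that has not had a PIN change is the signal the session lists under anti-hammering causes, and it is visible without any OwnerAuth at all.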

TPM Auto-Unlock Process

Demo – TPM Auto-Unlock

Available With Windows 10

Conclusion
New deployment scripts
Easily migrate data from AD to MBAM
TPM management enhancements
Custom preboot URL in Win10 lowers support costs
MBAM 2.5 SP1 makes it even easier to deploy and manage BitLocker on your devices

Related Sessions
BRK3340  App-V 5.0 SP3: Advanced Connection Groups                                                Thurs 17:00
BRK3317  Creating a Seamless User Experience with Microsoft UE-V and Windows 10                    Fri 12:30
BRK3304  Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools    Wed 9:00
BRK3144  Microsoft Office 365 ProPlus: Have It Your Way!                                          Fri 12:30
BRK3868  Fundamentals of Microsoft Azure RemoteApp Management and Administration                  Tues 13:30

Visit MyIgnite at http://myignite.microsoft.com or download and use the Ignite Mobile App with the QR code above.
Please evaluate this session. Your feedback is important to us!