BRK2331: BitLocker Deployment Using MBAM is a Snap!
Lance Crandall, Program Manager, Microsoft
Threats to your data are everywhere!

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Information protection continuum
- Device protection: protect data when the device is lost or stolen
- Data protection: prevent accidental data leakage
- Sharing protection: protect data when it is shared
Lost laptops: adding terror to the playbook
“It’s staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for.” (Larry Ponemon)
Over 12,000 laptops are lost in U.S. airports every week.
Source: “New Study Reveals Up To 12,000 Laptop Computers Lost Weekly and up to 600,000 lost annually in U.S. Airports”, Ponemon.org, June 20, 2008
BitLocker Overview: the 10,000-foot view
BitLocker
- Full volume encryption: OS volumes; fixed data drives (a separate hard drive or partition); removable drives
- Recovery: recovery keys and a Data Recovery Agent (DRA)
- Used Disk Space Only: encrypts only the space that is in use, so a freshly imaged drive with little data encrypts quickly
- Pre-provisioning: speeds up encryption by turning BitLocker on in WinPE before the image is applied; until a TPM protector is added in the full OS the pre-provisioned volume is protected only by a clear key, so the TPM must be enabled and owned before enactment completes
BitLocker Protectors
- OS volume: TPM, TPM+PIN, Password (for devices without a TPM)
- Data volumes: Auto-Unlock, Password
TPM Overview
- Hardware based: protects BitLocker, virtual smart card and other sensitive keys, and records the platform integrity measurements (measured boot) that let BitLocker detect a tampered boot path
- Prevents tampering: keys sealed to the TPM become inaccessible if the disk is moved to another machine; anti-hammering logic throttles guessing; because the keys never leave the chip in the clear, software-only attacks cannot extract them
- TPM spec versions: TPM 1.2 is the main spec in use, with manufacturer-defined (effectively random) lockout thresholds and attempt counts; TPM 2.0 is on by default and has consistent lockout behaviour

© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Preparing to Use the TPM
- TPM enablement: the TPM must be enabled and activated in the BIOS/UEFI (the default for TPM 2.0) and must be visible to, and manageable by, the OS; this can be automated with the device manufacturer's tools from within the full OS or WinPE
- Ownership: the TPM must be owned, by Windows, by MBAM, or by something else; taking ownership creates the TPM OwnerAuth password, which is needed later to reset TPM lockouts
- Automation: scripts (MDT, SCCM, or another method)
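A pre-flight check for the two conditions above (enabled/activated, and ownership state), added here as an example and not part of the presentation. It uses the Win32_Tpm WMI class that ships with Windows 7 and later, so it runs in the full OS or in WinPE with the WMI component loaded. Run it elevated.

```powershell
# Added example: report whether this machine's TPM is ready for MBAM enactment.
# Win32_Tpm lives in root\cimv2\Security\MicrosoftTpm; its IsEnabled/IsActivated/IsOwned
# methods each return an object whose like-named property carries the boolean.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class 'Win32_Tpm' -ErrorAction SilentlyContinue

if (-not $tpm) {
    Write-Output 'No TPM visible to the OS: enable/activate it in BIOS/UEFI (or with the OEM tool) before continuing.'
    exit 1
}

$state = [pscustomobject]@{
    SpecVersion = $tpm.SpecVersion                 # e.g. "1.2, 2, 3" or "2.0, 0, 1.16"
    Enabled     = $tpm.IsEnabled().IsEnabled
    Activated   = $tpm.IsActivated().IsActivated
    Owned       = $tpm.IsOwned().IsOwned
}
$state | Format-List

if (-not ($state.Enabled -and $state.Activated)) {
    Write-Output 'TPM present but not enabled and activated: fix in firmware, then re-run.'
    exit 1
}

# An unowned TPM is the simplest case: MBAM can take ownership and escrow the OwnerAuth itself.
# An already-owned TPM 1.2 is only fully manageable if its OwnerAuth ends up in MBAM
# (imported from AD, or the TPM is cleared in firmware and re-owned during deployment).
if ($state.Owned) {
    Write-Output 'TPM is already owned: make sure the OwnerAuth is (or will be) escrowed in MBAM.'
}
exit 0
```

The exit code makes the script usable as a task-sequence step that halts the sequence before the image is applied to a device whose TPM cannot be used.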
BitLocker Management with MBAM
Microsoft BitLocker Administration and Monitoring (MBAM): an enterprise-class solution that streamlines management of BitLocker
- BitLocker enactment: integrates into existing deployment tools; grace period before enforcement; prompts the user for a PIN or password; escrows recovery information and the TPM OwnerAuth
- Compliance reporting: encryption status per volume on each computer; overall compliance for the organization; reports viewable standalone or in System Center Configuration Manager
- Recovery: helpdesk recovery; self-service recovery; retrieve the TPM OwnerAuth to unlock a locked-out TPM
Stand-Alone Server Components
- Database components: Recovery Database; Compliance/Audit Database
- Compliance and Audit Reports: Reporting Web Service; Reporting Web Site (SSRS)
- Self-Service Server: Self-Service Web Service; Self-Service Web Site
- Administration and Monitoring Server: Admin Web Service; Admin Web Site
Configuration Manager Integrated Server Components
- Database components: Recovery Database; Audit Database
- Configuration Manager components: Management Console; CM Reports (SSRS)
- Self-Service Server: Self-Service Web Service; Self-Service Web Site
- Administration and Monitoring Server / Audit Report: Admin Web Service; Admin Web Site
GPO
- ADMX files downloadable from microsoft.com/downloads; they allow configuration of both BitLocker settings and MBAM policy settings
- Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM
- User Configuration\Administrative Templates\Windows Components\MDOP MBAM (user exemptions only)
MBAM Client Flow: install MBAM client -> apply MBAM policy -> enact BitLocker -> report compliance
Announcing MBAM 2.5 SP1
- Deployment: introduced scripts to support imaging; included prompting for the PIN after imaging; improved TPM OwnerAuth escrow
- Management: built cmdlets to import BitLocker and TPM data from AD; added automatic TPM unlock when BitLocker is recovered; consolidated and simplified server logging
- Industry compatibility: added Windows 10 support; added Encrypted HDD support; supported International Domain Names; supported the Windows 7 FIPS recovery password
- Customization: added the ability to direct users to the SSP from the BitLocker recovery screen; allowed SSP branding during setup; increased supported client languages to 23; updated the reports schema to allow customization with Report Builder
What’s New With BitLocker Deployment Using MBAM
Enabling BitLocker During Imaging: previously vs MBAM 2.5 SP1

Process
  Previously:   manual process with registry keys and service restarts; unsupported scripts that only worked with MDT/SCCM
  MBAM 2.5 SP1: written in PowerShell, compatible with PowerShell v2; easy to use with MDT, SCCM, or standalone
Volume support
  Previously:   OS volumes only; no pre-provisioning support out of the box
  MBAM 2.5 SP1: OS volumes with a TPM protector; fixed data drive support; handles pre-provisioned drives; prompts for the PIN immediately after imaging
Escrow/Reporting
  Previously:   does not escrow the TPM OwnerAuth unless the TPM is owned by MBAM; compliance reporting could take up to 12 hours
  MBAM 2.5 SP1: TPM OwnerAuth escrowed even if the TPM was pre-provisioned or is not owned by MBAM (Windows 8+); immediate compliance reporting
Error handling
  Previously:   limited error handling, dependent on the script
  MBAM 2.5 SP1: robust error handling; writes to standard output, so errors land in BDD.log and smsts.log
Under the covers: new WMI methods exposed by the MBAM agent (namespace root\Microsoft\MBAM)
- PrepareTpmAndEscrowOwnerAuth (MBAM_Machine)
- EscrowRecoveryKey (MBAM_Volume)
- ReportStatus (MBAM_Machine)
The returned error codes are helpful for troubleshooting.
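The three methods can also be called directly, for instance to retry escrow on a machine that was imaged with -IgnoreEscrowRecoveryKeyFailure, or to force an immediate compliance report. The script below is an added example, not one of the MBAM scripts; the class and parameter names follow the MBAM 2.5 SP1 deployment documentation but should be treated as assumptions and verified against the installed agent (Get-WmiObject -Namespace root\Microsoft\MBAM -List), and both endpoint URLs are placeholders. Run it elevated on a machine with the MBAM agent installed.

```powershell
# Added example: drive the MBAM agent's WMI methods by hand and print each HRESULT.
$ns          = 'root\Microsoft\MBAM'   # MBAM client WMI namespace
$recoveryEp  = 'https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc'      # placeholder
$reportingEp = 'https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc' # placeholder

function Show-Result($name, $result) {
    # ReturnValue is an HRESULT: 0 is S_OK, anything else is the code to look up when troubleshooting.
    '{0,-40} -> 0x{1:X8}' -f $name, $result.ReturnValue
}

$machine = Get-WmiObject -Namespace $ns -Class MBAM_Machine   # class name assumed per MBAM docs

# 1. Take TPM ownership if required and escrow the OwnerAuth to the recovery service.
Show-Result 'PrepareTpmAndEscrowOwnerAuth' $machine.PrepareTpmAndEscrowOwnerAuth($recoveryEp)

# 2. Escrow the recovery key of every BitLocker volume the agent knows about.
foreach ($vol in Get-WmiObject -Namespace $ns -Class MBAM_Volume) {   # class name assumed per MBAM docs
    Show-Result "EscrowRecoveryKey $($vol.__RELPATH)" $vol.EscrowRecoveryKey($recoveryEp)
}

# 3. Push a compliance report now instead of waiting for the next client wake-up.
Show-Result 'ReportStatus' $machine.ReportStatus($reportingEp)
```

A non-zero ReturnValue from EscrowRecoveryKey is the signal to stop and investigate rather than ship the device: a volume whose recovery key never reached the database is encrypted but unrecoverable through MBAM.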
MBAM Client Deployment Script Parameters
Invoke-MbamClientDeployment.ps1 is the main script that your deployment system calls to configure MBAM and enable BitLocker.

Parameter                          Description
-RecoveryServiceEndpoint           Required. MBAM recovery service endpoint
-StatusReportingServiceEndpoint    Optional. MBAM status reporting service endpoint
-EncryptionMethod                  Encryption method (default: AES 128)
-EncryptAndEscrowDataVolume        Switch. Encrypt data volume(s) and escrow the data volume recovery key(s)
-WaitForEncryptionToComplete       Switch. Wait for encryption to complete before returning
-IgnoreEscrowOwnerAuthFailure      Switch. Ignore TPM OwnerAuth escrow failure
-IgnoreEscrowRecoveryKeyFailure    Switch. Ignore volume recovery key escrow failure
-IgnoreReportStatusFailure         Switch. Ignore status reporting failure

The three -Ignore* switches let imaging finish even when MBAM never received the key material; a device built that way is encrypted but cannot be recovered through MBAM until escrow succeeds, so use them only where a later retry is guaranteed.
Command Line Example
Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc `
    -StatusReportingServiceEndpoint https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc `
    -EncryptAndEscrowDataVolume -EncryptionMethod AES256 -WaitForEncryptionToComplete
Integrating Into Deployment Processes
1. (WinPE) Add the script that persists the TPM OwnerAuth
2. (Full OS) Install the MBAM agent
3. (Full OS) Run the MBAM PowerShell script
As easy as 1...2...3!
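Step 3 as a task-sequence wrapper, added here as an example and not one of the MBAM scripts: it runs Invoke-MbamClientDeployment.ps1 with the parameters from the command line example and then verifies the result with the built-in BitLocker cmdlets (Windows 8 and later), failing the step if the OS volume is not actually protected by the TPM, if any volume lacks a recovery password, or if the encryption method is not the one requested. The script path and both endpoint URLs are placeholders.

```powershell
# Added example: run the MBAM deployment script, then verify the BitLocker state before the
# task sequence continues. Exit 1 on any problem so MDT/SCCM marks the step as failed.
param(
    [string]$ScriptPath       = 'C:\Windows\Temp\MBAM\Invoke-MbamClientDeployment.ps1',   # placeholder
    [string]$RecoveryEndpoint = 'https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc',
    [string]$StatusEndpoint   = 'https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc',
    [string]$ExpectedMethod   = 'Aes256'
)
$ErrorActionPreference = 'Stop'   # turn the script's non-terminating errors into caught exceptions

# 1. Enact BitLocker and escrow keys. No -Ignore*Failure switches: a failed escrow should
#    fail the build rather than hand out a device that cannot be recovered.
try {
    & $ScriptPath -RecoveryServiceEndpoint $RecoveryEndpoint `
                  -StatusReportingServiceEndpoint $StatusEndpoint `
                  -EncryptionMethod AES256 `
                  -EncryptAndEscrowDataVolume `
                  -WaitForEncryptionToComplete
    if ($LASTEXITCODE -and $LASTEXITCODE -ne 0) { throw "script exit code $LASTEXITCODE" }
} catch {
    Write-Output "MBAM deployment script failed: $_ (see smsts.log / BDD.log)"
    exit 1
}

# 2. Verify what the script claims to have done. Only OS and fixed data volumes are checked;
#    removable media is out of scope for enactment during imaging.
$problems = @()
foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }) {
    $mp    = $vol.MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    if ("$($vol.ProtectionStatus)" -ne 'On')      { $problems += "${mp}: protection is $($vol.ProtectionStatus)" }
    if ($types -notcontains 'RecoveryPassword')   { $problems += "${mp}: no RecoveryPassword protector (nothing to escrow)" }
    if ("$($vol.EncryptionMethod)" -ne $ExpectedMethod) {
        $problems += "${mp}: encryption method is $($vol.EncryptionMethod), expected $ExpectedMethod"
    }
    if ($vol.VolumeType -eq 'OperatingSystem' -and -not ($types -contains 'Tpm' -or $types -contains 'TpmPin')) {
        $problems += "${mp}: OS volume has no TPM or TPM+PIN protector"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Output "VERIFY FAILED: $_" }
    exit 1
}
Write-Output 'BitLocker enacted and verified'
exit 0
```

Because the wrapper writes to standard output, its findings land in smsts.log and BDD.log next to the deployment script's own messages, which is where the helpdesk will look first when a build is rejected.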
Demo – Enabling BitLocker Using MDT and MBAM During Imaging
Enabling BitLocker on Existing Machines
- Apply MBAM policies to the device
- Enable the TPM
- Create the BitLocker system partition if needed
- Fix potential Win32_EncryptableVolume issues
- Install the MBAM agent
- The MBAM agent does the rest
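The first four steps are checks that can be scripted before the agent is pushed to an existing device. The script below is an added example, not part of the presentation: it looks for the applied MBAM policy, a usable TPM, a separate system partition, and a working BitLocker WMI provider, and prints the remediation for each gap it finds. The MBAM policy registry path and value name are taken from the MBAM 2.5 ADMX and are assumptions to verify in your environment; bdehdcfg.exe and the mofcomp re-registration are the standard Windows remediations for the last two steps. Run it elevated.

```powershell
# Added example: pre-flight checks for an already-deployed machine before the MBAM agent install.
$fixes = @()

# (1) MBAM policy applied? The agent is driven entirely by the MDOP MBAM GPO, which writes its
#     settings under this key (path and value name assumed from the MBAM 2.5 ADMX).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if (-not $pol -or -not $pol.KeyRecoveryServiceEndPoint) {
    $fixes += 'MBAM policy not applied: check the GPO scope and run gpupdate /force'
}

# (2) TPM enabled and activated (Win32_Tpm, Windows 7+). Ownership is left to MBAM.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class 'Win32_Tpm' -ErrorAction SilentlyContinue
if (-not $tpm) {
    $fixes += 'No TPM visible to the OS: enable it in firmware or with the OEM tool'
} elseif (-not ($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)) {
    $fixes += 'TPM present but not enabled/activated: fix in firmware'
}

# (3) Separate system partition? BitLocker needs an unencrypted system volume apart from the
#     OS volume. Win32_Volume flags the OS volume as BootVolume and the boot files' volume as
#     SystemVolume; if one volume carries both flags, bdehdcfg.exe must carve out a system partition.
$osVol = Get-WmiObject -Class Win32_Volume | Where-Object { $_.BootVolume }
if ($osVol.SystemVolume) {
    $fixes += 'No separate system partition: run "bdehdcfg.exe -target default -quiet" and reboot'
}

# (4) BitLocker WMI provider usable? The MBAM agent talks to BitLocker through
#     Win32_EncryptableVolume; if the class cannot be queried, re-registering its MOF is the usual fix.
try {
    $null = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                          -Class 'Win32_EncryptableVolume' -ErrorAction Stop
} catch {
    $fixes += "Win32_EncryptableVolume unavailable: run mofcomp.exe $env:SystemRoot\System32\wbem\win32_encryptablevolume.mof"
}

if ($fixes) {
    $fixes | ForEach-Object { Write-Output "FIX: $_" }
    exit 1
}
Write-Output 'Ready for the MBAM agent'
exit 0
```

Running this as a Configuration Manager script or package ahead of the agent deployment turns the slide's "fix potential issues" into a per-device list that can be worked through before the grace period starts ticking.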
Demo – Enabling BitLocker Using MDT and MBAM on Existing Machines
AD Recovery Data Migration
Migrating Existing Recovery Data to MBAM: the challenges
- Enterprises have rolled out BitLocker without MBAM
- Recovery data is stored in AD
- The TPM OwnerAuth may be stored in AD
- Machines may be offline or in storage
- Technicians have two places to go for recovery
Active Directory Recovery Data Migration: 4 PowerShell cmdlets plus one helper script
- For volume recovery keys and packages: Read-ADRecoveryInformation and Write-MbamRecoveryInformation
- Add-ComputerUser.ps1: matches users to computers
- For TPM OwnerAuth information: Read-ADTpmInformation and Write-MbamTpmInformation
Active Directory Recovery Data Migration
- Reads recovery keys, key packages and the TPM OwnerAuth from AD and writes them to MBAM
- Does not write to AD
- Data integrity checks when writing to MBAM
- Advanced Helpdesk can recover migrated keys
- Intermediary process that can match users to machines, from the ManagedBy attribute in AD or a custom CSV file; this is what allows Helpdesk and SSP recovery
Setup
- Grant read rights in AD
- Create an AD group that is allowed to write to MBAM
- Open Web.config for the recovery service and set the group name in <add key="DataMigrationsUsersGroupName" value="">
AD Recovery Data Migration Example
Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse |
    Add-ComputerUser -FromComputerManagedBy |
    Write-MBAMRecoveryInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
AD TPM Data Migration Example
Read-ADTpmInformation -Server contoso.com -Credential $cred -Recurse |
    Add-ComputerUser -FromComputerUserMapping (Import-Csv ComputerToUserMapping.csv) |
    Write-MBAMTpmInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
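Before running either pipeline it is worth knowing what the Read-AD* cmdlets will find and, in particular, which computers have keys in AD but no ManagedBy, since those cannot be mapped to a user by Add-ComputerUser -FromComputerManagedBy and will be recoverable only through the Advanced Helpdesk page unless a CSV mapping covers them. The inventory script below is an added example, not one of the MBAM cmdlets; it needs the ActiveDirectory module and the search base is a placeholder.

```powershell
# Added example: inventory BitLocker recovery objects and TPM OwnerAuth data in an OU
# and list the computers that will migrate without a user mapping.
Import-Module ActiveDirectory
$searchBase = 'OU=Workstations,DC=contoso,DC=com'   # placeholder

# Each recovery password is an msFVE-RecoveryInformation object stored under its computer.
$recovery = Get-ADObject -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' -SearchBase $searchBase `
                         -Properties 'msFVE-RecoveryGuid', 'msFVE-VolumeGuid', 'whenCreated'

# The parent DN of a recovery object is the computer's DN (the CN holds a timestamp and GUID, no commas).
$byComputer = $recovery | Group-Object -Property { ($_.DistinguishedName -split ',', 2)[1] } -AsHashTable -AsString

# TPM OwnerAuth lives either directly on the computer object (msTPM-OwnerInformation, older schema)
# or as a link to an msTPM-InformationObject (msTPM-TpmInformationForComputer, 2012+ schema).
$computers = Get-ADComputer -Filter * -SearchBase $searchBase `
                            -Properties ManagedBy, 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'

$report = foreach ($c in $computers) {
    $keys = if ($byComputer -and $byComputer.ContainsKey($c.DistinguishedName)) {
        @($byComputer[$c.DistinguishedName]).Count
    } else { 0 }
    [pscustomobject]@{
        Computer     = $c.Name
        RecoveryKeys = $keys
        TpmOwnerAuth = [bool]($c.'msTPM-OwnerInformation' -or $c.'msTPM-TpmInformationForComputer')
        ManagedBy    = $c.ManagedBy
    }
}

'{0} computers, {1} with recovery keys in AD, {2} with a TPM OwnerAuth in AD' -f @($report).Count,
    @($report | Where-Object { $_.RecoveryKeys -gt 0 }).Count,
    @($report | Where-Object { $_.TpmOwnerAuth }).Count

# Computers with keys but no ManagedBy: either set ManagedBy or add them to ComputerToUserMapping.csv
# before migrating, otherwise only the Advanced Helpdesk (Recovery Key ID only) can recover them.
$report | Where-Object { $_.RecoveryKeys -gt 0 -and -not $_.ManagedBy } |
    Select-Object Computer, RecoveryKeys |
    Export-Csv -Path 'UnmappedComputers.csv' -NoTypeInformation
```

The same count of recovery objects is a useful cross-check after the migration: the number of keys Write-MBAMRecoveryInformation reports should match what this inventory found, because the migration reads from AD without modifying it.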
Demo – AD Recovery Data Migration
Custom Pre-boot Recovery
Recovery Experience
- Advanced Helpdesk: enters only the Recovery Key ID
- Helpdesk: enters the user's domain and user name plus the Recovery Key ID
- Self Service: the user logs into a domain-joined PC, authenticates with Windows Integrated Auth, and provides the Recovery Key ID
SSP Windows 10 Enhancements
We want users to use the self-service portal (SSP) because it cuts support costs, but today the flow breaks: the user hits the recovery screen, the recovery screen tells them to go to OneDrive, the key isn't there, and the user calls the helpdesk. You can now customize the BitLocker recovery screen!
Windows 10 Custom Preboot URL (screenshots): default recovery message vs custom recovery message
Demo – Custom Preboot Recovery Message
Managing TPM Lockouts
TPM Lockouts
- TPM anti-hammering is triggered by incorrect PIN attempts, incorrect virtual smart card authentication attempts, and invalid attempts to guess or change the TPM OwnerAuth
- With BitLocker it is a protection mechanism: responses to authorization attempts get exponentially slower, and eventually it forces a BitLocker recovery event, where the user has to enter the 48-digit recovery key to unlock
- Lockout duration: TPM 1.2 varies by manufacturer; TPM 2.0 is 2 hours
Unlocking the TPM
- Unlocking the TPM requires the TPM OwnerAuth
- MBAM escrowed the TPM OwnerAuth, so the helpdesk can provide it
- Using it on the device requires admin rights
Managing TPM Lockouts: the easy way
- TPM 1.2 lockouts can be resolved automatically
- Not needed for TPM 2.0
- The feature must be enabled on the web server and in the GPO
- The TPM OwnerAuth must be in MBAM
TPM Auto-Unlock Process
1. The user hits the BitLocker recovery screen
2. The key is recovered from the SSP or the helpdesk portal, and is marked as disclosed
3. The MBAM service wakes up, detects that the key was disclosed, and checks whether the TPM is locked out
4. If MBAM holds the TPM OwnerAuth, it unlocks the TPM automatically
5. The unlock is audited in the client event log and in the MBAM audit reports
Demo – TPM Auto-Unlock
Available With Windows 10
Conclusion
- New deployment scripts
- Easy migration of recovery data from AD to MBAM
- TPM management enhancements
- Custom preboot URL in Windows 10 lowers support costs
MBAM 2.5 SP1 makes it even easier to deploy and manage BitLocker on your devices.
Related Sessions
- BRK3340 App-V 5.0 SP3: Advanced Connection Groups (Thu 17:00)
- BRK3317 Creating a Seamless User Experience with Microsoft UE-V and Windows 10 (Fri 12:30)
- BRK3304 Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools (Wed 9:00)
- BRK3144 Microsoft Office 365 ProPlus: Have It Your Way!
- BRK3868 Fundamentals of Microsoft Azure RemoteApp Management and Administration (Tue 13:30)
Please evaluate this session. Your feedback is important to us! Visit MyIgnite at http://myignite.microsoft.com or download and use the Ignite Mobile App.