BitLocker Deployment Using MBAM is a Snap!

2 BitLocker Deployment Using MBAM is a Snap!
BRK2331
Lance Crandall, Program Manager, Microsoft

3 Threats to your data are everywhere!
4/16/2017 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Information protection continuum complete
- Device protection: protect data when the device is lost or stolen
- Data protection: prevent accidental data leakage
- Sharing protection: protect data as it is shared

5 Lost Laptops – ADDING TERROR TO PLAYBOOK
"It's staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for." – Larry Ponemon
Over 12,000 laptops lost in airports every week.
Source: "New Study Reveals Up To 12,000 Laptop Computers Lost Weekly and up to 600,000 lost annually in U.S. Airports", Ponemon.org, June 20, 2008

6 BitLocker Overview – 10,000 foot view

7 BitLocker
- Full volume encryption: OS volumes; fixed data drives (like a separate hard drive or partition); removable drives
- Recovery: recovery keys; DRA (data recovery agent)
- Used disk space: encrypts only the used disk space
- Pre-provisioning: speeds up encryption by turning BitLocker on in WinPE; the TPM must be enabled and owned

8 BitLocker Protectors
- TPM
- TPM+PIN
- Password
- Auto-Unlock
- Password

9 TPM Overview
- Hardware based: protects BitLocker, virtual smart card, and other sensitive keys; enables Secure Boot by verifying platform integrity measurements
- Prevents tampering: moving the TPM to another machine makes the keys inaccessible; anti-hammering logic; since it is hardware based, it is not subject to software attacks
- TPM spec versions: TPM 1.2 – main spec in use, random lockout thresholds and attempts; TPM 2.0 – on by default, consistent lockout
© 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

10 Preparing to Use the TPM
- TPM enablement: the TPM must be enabled and activated in the BIOS/UEFI (default with TPM 2.0); it must be visible to and manageable by the OS; enablement can be automated using tools from device manufacturers, from within the full OS or WinPE
- Ownership: the TPM must be owned by Windows, MBAM, or something else; taking ownership creates the TPM OwnerAuth password, which is needed to reset TPM lockouts; scripts (MDT, SCCM, or other method)
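The enablement and ownership checks above can be scripted before an MBAM rollout. The following is an added example (not code from the deck or from Microsoft) that reads the Win32_Tpm WMI class shipped with Windows and reports whether the TPM is enabled, activated and owned, plus its spec family; run it elevated, and note that Win32_Tpm is simply absent when the TPM is hidden from the OS in firmware.

```powershell
# Added example (not from the Ignite deck): report whether the TPM is ready for
# BitLocker/MBAM, i.e. enabled, activated and owned, and which spec version it is.
# Uses the Win32_Tpm WMI class that ships with Windows; run from an elevated prompt.

function Get-TpmReadiness {
    [CmdletBinding()]
    param()

    # Win32_Tpm lives in the MicrosoftTpm security namespace; it is missing when
    # no TPM is present or the TPM is disabled/hidden in BIOS/UEFI.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class 'Win32_Tpm' -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present     = $false
            Enabled     = $false
            Activated   = $false
            Owned       = $false
            SpecVersion = $null
            Ready       = $false
            Reason      = 'No TPM visible to the OS (missing, disabled, or hidden in BIOS/UEFI)'
        }
    }

    # Each Is* method returns an object whose same-named property carries the boolean.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled
    $activated = [bool]$tpm.IsActivated().IsActivated
    $owned     = [bool]$tpm.IsOwned().IsOwned

    # SpecVersion reads like "1.2, 2, 3" or "2.0, 0, 1.16"; the first field is the family.
    $family = ($tpm.SpecVersion -split ',')[0].Trim()

    $reasons = @()
    if (-not $enabled)   { $reasons += 'TPM is not enabled in BIOS/UEFI' }
    if (-not $activated) { $reasons += 'TPM is not activated in BIOS/UEFI' }
    if (-not $owned)     { $reasons += 'TPM is not owned; Windows or MBAM must take ownership (creates the OwnerAuth)' }

    [pscustomobject]@{
        Present     = $true
        Enabled     = $enabled
        Activated   = $activated
        Owned       = $owned
        SpecVersion = $family
        Ready       = ($enabled -and $activated -and $owned)
        Reason      = ($reasons -join '; ')
    }
}

Get-TpmReadiness | Format-List
```

A machine whose Ready field is false will not get past the TPM steps of the deployment script, so feeding this result into an inventory query before imaging saves a failed task sequence later.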

11 BitLocker Management with MBAM

12 Microsoft BitLocker Administration and Monitoring
Enterprise-class solution that streamlines management of BitLocker
- BitLocker enactment: integrates into existing deployment tools; grace period for enactment; prompts for PIN or password; escrows recovery information and TPM OwnerAuth
- Compliance reporting: encryption status reporting per volume on each computer; view overall compliance for your organization; view reports standalone or in System Center Configuration Manager
- Recovery: helpdesk recovery; self-service recovery; retrieve TPM OwnerAuth to unlock the TPM

13 Stand Alone Server Components
- Database components: Recovery Database; Compliance/Audit Database
- Compliance and Audit Reports: Reporting Web Service; Reporting Web Site; SSRS
- Self-Service Server: Self-Service Web Service; Self-Service Web Site
- Administration and Monitoring Server: Admin Web Service; Admin Web Site

14 CM Server Components
- Self-Service Server: Self-Service Web Service; Self-Service Web Site
- Administration and Monitoring Server / Audit Report: Admin Web Service; Admin Web Site
- Database components: Recovery Database; Audit Database
- Configuration Manager components: Management Console; CM Reports; SSRS

15 GPO
- ADMX files downloadable from microsoft.com/downloads
- Allows configuration of MBAM settings: BitLocker settings and MBAM policy settings
- Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM
- User Configuration\Administrative Templates\Windows Components\MDOP MBAM (this is for user exemptions only)

16 MBAM Client Flow
Install MBAM client -> Apply MBAM policy -> Enacts BitLocker -> Reports compliance

17 Announcing MBAM 2.5 SP1
Themes: Deployment, Management, Industry Compat, Customization
- Introduced scripts to support imaging
- Included prompting for PIN after imaging
- Improved TPM OwnerAuth escrow
- Built cmdlets to import BitLocker and TPM data from AD
- Added automatic TPM unlock when BitLocker is recovered
- Consolidated and simplified server logging
- Added Windows 10 support
- Added Encrypted HDD support
- Supported International Domain Names
- Supported Win7 FIPS recovery password
- Added ability to direct customers to the SSP from the BitLocker recovery screen
- Allowed SSP branding capability during setup
- Increased supported client languages to 23
- Updated reports schema to allow customization using Report Builder

18 What’s New With BitLocker Deployment Using MBAM

19 Enabling BitLocker During Imaging
Process
  Previously: manual process with reg keys and service restarts; non-supported scripts that only supported MDT/SCCM
  MBAM 2.5 SP1: written in PowerShell, compatible with PowerShell v2; easy to use with MDT, SCCM, or standalone
Volume support
  Previously: support for OS volumes; no pre-provisioning support out of the box
  MBAM 2.5 SP1: supports OS volumes with TPM protector; fixed data drive support; handles pre-provisioned drives; prompts for PIN immediately after imaging
Escrow/Reporting
  Previously: does not escrow TPM OwnerAuth unless owned by MBAM; reporting could take up to 12 hours
  MBAM 2.5 SP1: TPM OwnerAuth escrowed if pre-provisioned or not owned by MBAM (Win8+); immediate compliance reporting
Error handling
  Previously: limited error handling; depends on the script
  MBAM 2.5 SP1: robust error handling; writes to standard out, including BDD and SMSTS logs

20 Under the covers
New WMI methods:
- PrepareTpmAndEscrowOwnerAuth
- EscrowRecoveryKey
- ReportStatus
Returned error codes are helpful for troubleshooting.

21 MBAM Client Deployment Script Parameters
Invoke-MbamClientDeployment.ps1 – the main script that your deployment system will call to configure MBAM and enable BitLocker.
- -RecoveryServiceEndpoint (required): MBAM recovery service endpoint
- -StatusReportingServiceEndpoint (optional): MBAM status reporting service endpoint
- -EncryptionMethod: encryption method (default: AES 128)
- -EncryptAndEscrowDataVolume (switch): specify to encrypt data volume(s) and escrow data volume recovery key(s)
- -WaitForEncryptionToComplete: specify to wait for the encryption to complete
- -IgnoreEscrowOwnerAuthFailure: specify to ignore TPM OwnerAuth escrow failure
- -IgnoreEscrowRecoveryKeyFailure: specify to ignore volume recovery key escrow failure
- -IgnoreReportStatusFailure: specify to ignore status reporting failure

22 Command Line Example
Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint .svc -StatusReportingServiceEndpoint gService.svc -EncryptAndEscrowDataVolume -EncryptionMethod AES256 -WaitForEncryptionToComplete

23 Integrating Into Deployment Processes
1. Add script to persist TPM OwnerAuth (WinPE)
2. Install MBAM agent (full OS)
3. Run MBAM PowerShell script
As easy as 1…2…3!
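Step 3 is where most task sequences need a thin wrapper: confirm step 2 actually ran, pass the parameters from the slide, and fail the sequence if the script throws instead of letting an unencrypted machine report success. The following is an added example, not the deck's or Microsoft's code. The script path, the two service URLs and the MBAMAgent service name it checks for are placeholders/assumptions, not values from the deck.

```powershell
# Added example (not the deck's or Microsoft's code): task-sequence wrapper for step 3.
# Placeholders: script path, service URLs and the assumed 'MBAMAgent' service name
# used to confirm that step 2 (MBAM agent install) already ran on this machine.

$ErrorActionPreference = 'Stop'   # turn the script's errors into terminating ones

function Invoke-MbamDeploymentStep {
    param(
        [Parameter(Mandatory=$true)][string]$ScriptPath,
        [Parameter(Mandatory=$true)][string]$RecoveryServiceEndpoint,
        [string]$StatusReportingServiceEndpoint,
        [string]$EncryptionMethod = 'AES256',
        [switch]$IncludeDataVolumes
    )

    # MDT/SCCM capture standard output into BDD.log / SMSTS.log, so Write-Output
    # is enough for a trail of what this step did.
    Write-Output "$(Get-Date -Format s) MBAM deployment step starting on $env:COMPUTERNAME"

    if (-not (Test-Path -Path $ScriptPath)) {
        throw "Deployment script not found: $ScriptPath"
    }
    # Assumed service name of the MBAM client; if absent, step 2 did not run.
    if (-not (Get-Service -Name 'MBAMAgent' -ErrorAction SilentlyContinue)) {
        throw 'MBAM agent service not found; install the MBAM agent (step 2) first'
    }

    # Build the argument set and splat it, so optional switches are only passed when wanted.
    $scriptArgs = @{
        RecoveryServiceEndpoint     = $RecoveryServiceEndpoint
        EncryptionMethod            = $EncryptionMethod
        WaitForEncryptionToComplete = $true
    }
    if ($StatusReportingServiceEndpoint) {
        $scriptArgs['StatusReportingServiceEndpoint'] = $StatusReportingServiceEndpoint
    }
    if ($IncludeDataVolumes) {
        $scriptArgs['EncryptAndEscrowDataVolume'] = $true
    }

    & $ScriptPath @scriptArgs
    Write-Output "$(Get-Date -Format s) MBAM deployment step finished"
}

# Usage from a task-sequence "Run PowerShell Script" step (placeholder values).
try {
    Invoke-MbamDeploymentStep `
        -ScriptPath 'C:\Deploy\MBAM\Invoke-MbamClientDeployment.ps1' `
        -RecoveryServiceEndpoint 'https://MBAM-SERVER-PLACEHOLDER/RecoveryService.svc' `
        -StatusReportingServiceEndpoint 'https://MBAM-SERVER-PLACEHOLDER/StatusReportingService.svc' `
        -IncludeDataVolumes
    exit 0
} catch {
    # The script's own error text already went to standard out; add a summary and a
    # non-zero exit code so the task sequence stops here rather than continuing.
    Write-Output "MBAM deployment step failed: $($_.Exception.Message)"
    exit 1
}
```

The wrapper deliberately does not pass any of the -Ignore*Failure switches: an escrow failure during imaging means the recovery key never reached MBAM, and that is a condition you want the sequence to stop on rather than paper over.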

24 Demo – Enabling BitLocker Using MDT and MBAM During Imaging

25 Enabling BitLocker on Existing Machines
- Apply MBAM policies to the device
- Enable the TPM
- Create the BitLocker system partition if needed
- Fix potential Win32_EncryptableVolume issues
- Install the MBAM agent
- The MBAM agent works its magic
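For already-deployed machines the partition and Win32_EncryptableVolume steps are the ones that surprise people, so a pre-flight check is worth running before the agent is pushed. The following is an added example, not code from the deck or from Microsoft; it covers the volume-side items of the list (system partition, Win32_EncryptableVolume, current OS volume state) and assumes Windows 8 / Server 2012 or later for Get-Partition and an elevated prompt. TPM readiness is a separate check and is not repeated here.

```powershell
# Added example (not from the deck): pre-flight checks before installing the MBAM
# agent on an existing machine. Requires an elevated PowerShell on Windows 8 /
# Server 2012 or later (Get-Partition comes from the Storage module).

function Test-BitLockerPrerequisites {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. BitLocker WMI provider. MBAM drives encryption through Win32_EncryptableVolume;
    #    if the class returns nothing, the agent has nothing to work with.
    $volumes = @(Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
                               -Class 'Win32_EncryptableVolume' -ErrorAction SilentlyContinue)
    if ($volumes.Count -eq 0) {
        $findings += 'Win32_EncryptableVolume returned nothing; repair the BitLocker WMI provider before installing the agent'
    }

    # 2. OS volume state. VolumeType 0 = OS volume. ProtectionStatus: 0 off, 1 on, 2 unknown.
    #    ConversionStatus: 0 fully decrypted, 1 fully encrypted, 2 encrypting,
    #    3 decrypting, 4 encryption paused, 5 decryption paused.
    $osVolume = $volumes | Where-Object { $_.VolumeType -eq 0 } | Select-Object -First 1
    $osState  = $null
    if ($osVolume) {
        $conv = $osVolume.GetConversionStatus()
        $osState = [pscustomobject]@{
            DriveLetter      = $osVolume.DriveLetter
            ProtectionStatus = $osVolume.ProtectionStatus
            ConversionStatus = $conv.ConversionStatus
            PercentEncrypted = $conv.EncryptionPercentage
        }
        if ((4, 5) -contains $conv.ConversionStatus) {
            $findings += 'OS volume has a paused conversion; resume it before MBAM takes over'
        }
    } elseif ($volumes.Count -gt 0) {
        $findings += 'No OS volume reported by Win32_EncryptableVolume'
    }

    # 3. Separate system partition. BitLocker keeps the unencrypted boot files there;
    #    without one the OS volume cannot be encrypted (BdeHdCfg.exe can create it).
    $systemPartition = Get-Partition -ErrorAction SilentlyContinue | Where-Object { $_.IsSystem }
    if (-not $systemPartition) {
        $findings += 'No system partition found; create one (e.g. with BdeHdCfg.exe) before enabling BitLocker'
    }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        OsVolume = $osState
        Findings = $findings
    }
}

Test-BitLockerPrerequisites | Format-List
```

Run across a fleet, the Findings list tells you which machines need the partition tool or a WMI repair before the agent will make progress, instead of discovering it one helpdesk ticket at a time.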

26 Demo – Enabling BitLocker Using MDT and MBAM on Existing Machines

27 AD Recovery Data Migration

28 Migrating Existing Recovery Data to MBAM
Challenges:
- Enterprises have rolled out BitLocker without MBAM
- Recovery data is stored in AD
- TPM OwnerAuth may be stored in AD
- Machines may be offline/in storage
- Two places that techs have to go for recovery

29 Active Directory Recovery Data Migration
4 PowerShell cmdlets
- For volume recovery keys and packages: Read-ADRecoveryInformation, Write-MbamRecoveryInformation
- Add-ComputerUser.ps1 – match users to computers
- For TPM OwnerAuth information: Read-ADTpmInformation, Write-MbamTpmInformation

30 Active Directory Recovery Data Migration
- Reads recovery keys, packages, and TPM OwnerAuth from AD and writes them to MBAM
- Does not write to AD
- Data integrity checks when writing to MBAM
- Advanced Helpdesk can recover
- Intermediary process that can match users to machines: ManagedBy attribute in AD, or a custom CSV file; allows helpdesk and SSP recovery

31 Setup
- Grant rights in AD: create an AD group that is granted write access to MBAM
- Open Web.config for the recovery service
- Edit the <add key="DataMigrationsUsersGroupName" value=""> entry
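The two setup steps above are a good candidate for a repeatable script rather than a hand edit of a production Web.config. The following is an added example, not code from the deck or from Microsoft. It creates the AD group with the ActiveDirectory module and then sets the DataMigrationsUsersGroupName key from the slide; the group name, OU path and Web.config path are placeholders, and the key is assumed to live under the standard <appSettings> element as the slide's <add key=... value=...> syntax suggests.

```powershell
# Added example (not from the deck): create the AD group allowed to write migrated
# recovery data into MBAM and point the recovery service's Web.config at it.
# Placeholders: group name, OU path, Web.config path. Requires the ActiveDirectory
# module on the machine where the group is created and write access to Web.config.

function Set-MbamDataMigrationGroup {
    param(
        [Parameter(Mandatory=$true)][string]$WebConfigPath,
        [Parameter(Mandatory=$true)][string]$GroupName      # e.g. 'CONTOSO\MBAM Data Migration Users'
    )
    if (-not (Test-Path -Path $WebConfigPath)) { throw "Web.config not found: $WebConfigPath" }

    # Keep a timestamped backup; a malformed Web.config takes the recovery service down.
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    [xml]$config = Get-Content -Path $WebConfigPath
    $appSettings = $config.configuration.appSettings
    if (-not $appSettings) { throw 'No <appSettings> element found; this does not look like the recovery service Web.config' }

    $entry = $appSettings.add | Where-Object { $_.key -eq 'DataMigrationsUsersGroupName' }
    if (-not $entry) {
        # Key missing: add it rather than silently doing nothing.
        $entry = $config.CreateElement('add')
        $entry.SetAttribute('key', 'DataMigrationsUsersGroupName')
        $null = $appSettings.AppendChild($entry)
    }
    $entry.SetAttribute('value', $GroupName)
    $config.Save($WebConfigPath)
    return $entry.GetAttribute('value')
}

# 1. Create the group in AD (placeholder OU; contoso.com is the domain used on the slides).
Import-Module ActiveDirectory
$groupName = 'MBAM Data Migration Users'
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
                -Path 'OU=Groups,DC=contoso,DC=com'
}

# 2. Point the recovery service at it (placeholder path to the recovery service's Web.config).
Set-MbamDataMigrationGroup -WebConfigPath 'C:\inetpub\MBAM-RECOVERY-SERVICE-PLACEHOLDER\Web.config' `
                           -GroupName "CONTOSO\$groupName"
```

Keep the group's membership to the accounts that run the migration and remove them afterwards: whoever is in it can write recovery keys into MBAM, which is exactly the kind of write path you want to see in an audit rather than left open.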

32 AD Recovery Data Migration Example
Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse | Add-ComputerUser -FromComputerManagedBy | Write-MBAMRecoveryInformation -RecoveryServiceEndPoint

33 AD TPM Data Migration Example
Read-ADTpmInformation -Server contoso.com -Credential $cred -Recurse | Add-ComputerUser -FromComputerUserMapping (Import-Csv ComputerToUserMapping.csv) | Write-MBAMTpmInformation -RecoveryServiceEndPoint

34 Demo – AD Recovery Data Migration

35 Custom Pre-boot Recovery

36 Recovery Experience
- Advanced Helpdesk: enters the Recovery Key ID
- Helpdesk: user domain and user name
- Self Service: user logs into a domain-joined PC; Windows Integrated Auth; provides the Recovery Key ID

37 SSP Windows 10 Enhancements
- Want users to use the SSP – cuts costs
- Users hit the recovery screen; the recovery screen tells them to go to OneDrive; the key isn't there! The user calls the helpdesk.
- You can now customize the BitLocker recovery screen!

38 Windows 10 Custom Preboot URL
Default recovery message vs. custom recovery message

39 Demo – Custom Preboot Recovery Message

40 Managing TPM Lockouts

41 TPM Lockouts
- TPM anti-hammering causes: incorrect PIN attempts; incorrect virtual smart card authentication attempts; invalid attempts to guess or change the TPM OwnerAuth
- Protection mechanism when using BitLocker: exponentially slower responses to authorization attempts; forces a BitLocker recovery event – the user has to enter the 48-digit BitLocker recovery key to unlock
- Lockout duration: TPM 1.2 – varies by manufacturer; TPM 2.0 – 2 hours

42 Unlocking the TPM
- Unlocking the TPM requires the TPM OwnerAuth
- MBAM escrowed the TPM OwnerAuth
- The helpdesk could provide the TPM OwnerAuth
- Requires admin rights to use it on the device

43 Managing TPM Lockouts – The Easy Way
- TPM 1.2 lockouts can be automatically resolved
- Not needed for TPM 2.0
- Feature must be enabled on the web server and in GPO
- TPM OwnerAuth must be in MBAM

44 TPM Auto-Unlock Process
- User hits the BitLocker recovery screen
- Recovers the key from the SSP or helpdesk portal
- Key is marked as disclosed
- MBAM service wakes up and detects that the key was disclosed
- Checks whether the TPM is locked out
- Automatically unlocks if MBAM has the TPM OwnerAuth
- Audited in the client event log and MBAM audit reports
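Slides 41 to 44 describe the lockout, the manual unlock with the escrowed OwnerAuth, and the audit trail; the following is an added example (not from the deck or from Microsoft) of the helpdesk-side view of those three things on one device. It uses the Get-Tpm and Unblock-Tpm cmdlets from the TrustedPlatformModule module (Windows 8 and later) and needs admin rights on the device, as the slide says. The MBAM client event log names it reads are assumptions, not taken from the deck.

```powershell
# Added example (not from the deck): inspect a TPM lockout, clear it with the
# OwnerAuth that MBAM escrowed (obtained by the helpdesk), and pull the MBAM client
# events that form the audit trail. Requires the TrustedPlatformModule cmdlets
# (Windows 8+) and an elevated prompt on the device.

function Get-TpmLockoutState {
    $tpm = Get-Tpm
    [pscustomobject]@{
        LockedOut       = $tpm.LockedOut
        LockoutCount    = $tpm.LockoutCount
        LockoutMax      = $tpm.LockoutMax
        LockoutHealTime = $tpm.LockoutHealTime   # how long until the counter decays on its own
        Owned           = $tpm.TpmOwned
    }
}

function Reset-TpmLockoutWithOwnerAuth {
    param([Parameter(Mandatory=$true)][string]$OwnerAuth)   # value supplied by the helpdesk portal
    $before = Get-TpmLockoutState
    if (-not $before.LockedOut) {
        return 'TPM is not locked out; nothing to reset'
    }
    # Unblock-Tpm only succeeds with the owner authorization that was set when
    # ownership was taken, which is exactly why MBAM escrows that value.
    Unblock-Tpm -OwnerAuthorization $OwnerAuth
    $after = Get-TpmLockoutState
    if ($after.LockedOut) {
        return 'Unblock-Tpm ran but the TPM still reports LockedOut; verify the OwnerAuth value'
    }
    return "TPM lockout cleared (count before: $($before.LockoutCount))"
}

function Get-MbamClientAuditEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Assumed log names for the MBAM client under Applications and Services Logs.
    foreach ($log in 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Log'; e = { $log } }, Message
    }
}

# Usage on the affected device: check state, unlock with the escrowed value, review the trail.
Get-TpmLockoutState | Format-List
$ownerAuth = Read-Host -Prompt 'TPM OwnerAuth from the MBAM helpdesk portal'
Reset-TpmLockoutWithOwnerAuth -OwnerAuth $ownerAuth
Get-MbamClientAuditEvents -Hours 24 | Format-Table -AutoSize
```

On TPM 2.0 the counter heals on the fixed schedule from slide 41, so the script reports the state and leaves it; the manual reset is really only the TPM 1.2 path, which is the same case the auto-unlock feature on slide 43 is aimed at.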

45 Demo – TPM Auto-Unlock

46 Available With Windows 10

47 Conclusion
- New deployment scripts
- Easily migrate data from AD to MBAM
- TPM management enhancements
- Custom preboot URL in Win10 lowers support costs
- MBAM 2.5 SP1 makes it even easier to deploy and manage BitLocker on your devices

48 Related Sessions
- BRK3340 App-V 5.0 SP3: Advanced Connection Groups – Thurs 17:00
- BRK3317 Creating a Seamless User Experience with Microsoft UE-V and Windows 10 – Fri 12:30
- BRK3304 Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools – Wed 9:00
- BRK3144 Microsoft Office 365 ProPlus: Have It Your Way!
- BRK3868 Fundamentals of Microsoft Azure RemoteApp Management and Administration – Tues 13:30

49 Please evaluate this session
Your feedback is important to us! Visit Myignite at or download and use the Ignite Mobile App with the QR code above.


