Managing BitLocker with MBAM
DESCRIPTION
A look at the Microsoft Desktop Optimization Pack's MBAM for administration and management of BitLocker computers.
TRANSCRIPT
Managing BitLocker With MBAM
Olav Tvedt
Consigliore
STEP Member, MVP Setup & Deployment
Reidar Johansen
Senior Infrastructure Consultant
AGENDA
• What Is BitLocker
• Why Use Disk Encryption
• BitLocker News In Windows 8
• BitLocker With MBAM
• BitLocker With MBAM And SCCM
What Is BitLocker
What Is BitLocker
Encrypts:
• Operating System Drive
• Fixed Data Drive
• Removable Data Drive
Checks after changes to:
• BIOS
• System/Startup Files
Why Use Disk Encryption?
BitLocker Modes
Basic Mode:
• TPM only
• Password Mode (Windows 8)
Advanced Modes:
• TPM + PIN
• TPM + USB Dongle
• USB Dongle
• TPM + PIN + USB Dongle
BitLocker Is Vulnerable When:
• The disk has not yet been fully encrypted
• You don't use a PIN, especially if the computer has or might get: FireWire, Thunderbolt
• A fake BIOS startup screen is shown (to capture the PIN)
BitLocker Requirements
• A computer running:
  - Windows 7 Enterprise/Ultimate
  - Windows 8 Pro/Enterprise
  - Windows Server 2008 R2
  - Windows Server 2012
• With TPM:
  - A Trusted Computing Group (TCG)-compliant BIOS
  - TPM microchip version 1.2 (turned on)
  - TPM must be resettable from the operating system
• Removable Storage:
  - USB
  - Floppy
  - Memory Card
Enable BitLocker On A Virtual Machine For TESTING:
1. Set "Allow BitLocker without compatible TPM" in a GPO
2. Create a virtual floppy disk
3. Enable BitLocker with «manage-bde»: cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:
4. Restart and it will start to encrypt
Windows 8 can run with a password protector directly in a virtual environment
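The four steps above as one PowerShell script for the test VM. This is an added example, not the presenters' script: it assumes an elevated prompt on the Windows 7 VM, that the GPO from step 1 has already been applied (the script only reads the registry values that policy writes under HKLM\SOFTWARE\Policies\Microsoft\FVE, it does not set them), and that the virtual floppy from step 2 is mounted as A:. The manage-bde switches are the ones on the slide.

```powershell
# Added example (not from the slides): scripted version of the four test-VM steps.
# Assumes: elevated Windows 7 prompt, GPO from step 1 applied, virtual floppy mounted as A:.

# Step 1 check: "Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" sets these two values under the FVE policy key.
$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy = Get-ItemProperty -Path $fvePolicy -ErrorAction SilentlyContinue
if (-not ($policy -and $policy.UseAdvancedStartup -eq 1 -and $policy.EnableBDEWithNoTPM -eq 1)) {
    throw "Step 1 missing: set 'Allow BitLocker without compatible TPM' in the GPO and run gpupdate /force"
}

# Step 2 check: the startup key (-sk) is written to the virtual floppy, so A: must exist
if (-not (Test-Path 'A:\')) { throw "Step 2 missing: no virtual floppy mounted as A:" }

# Step 3: turn BitLocker on with a recovery password (-rp) and a startup key saved to A: (-sk A:)
$bde = Join-Path $env:SystemRoot 'System32\manage-bde.wsf'
& cscript //nologo $bde -on C: -rp -sk A:
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Record the recovery password before rebooting. In production MBAM escrows it;
# in a lab, print it (the 48-digit Numerical Password) and keep it with the test notes.
& cscript //nologo $bde -protectors -get C: -type RecoveryPassword

# Step 4: encryption starts after the next restart, once the startup key has been read from A:
Write-Host "Reboot now; afterwards check progress with: cscript $bde -status C:"
# Restart-Computer   # uncomment to reboot automatically
```

The checks at the top are the point: the most common reason step 3 fails on a VM is that the policy has not actually been applied, and manage-bde reports that only after the fact.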
http://olavtvedt.blogspot.com/2012/01/running-bitlocker-on-virtual-computer.html
http://vninja.net/virtualization/creating-virtual-floppy-vsphere/
BitLocker News In Windows 8: Overview
• Support for failover cluster and SAN storage.
• BitLocker pre-provisioning
• Used disk space-only encryption
• Standard user PIN and password selection
• Bitlocker Network Unlock
BitLocker News In Windows 8: BitLocker Pre-provisioning
• Enable BitLocker before OS is installed
• Random encryption key stored unprotected
• Needs to be activated to protect key
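Both weak states the deck has pointed out so far, a volume that is not yet fully encrypted (the "vulnerable when" slide) and a pre-provisioned volume whose random key has not been activated, show up in the output of manage-bde -status, as does a TPM-only volume (the FireWire/Thunderbolt caveat). The following PowerShell is an added example, not code from the presenters or from MBAM: it parses that output and flags all three. The status text embedded in the script is constructed to look like manage-bde output so that it runs offline; to audit a live machine, replace $sample with the lines returned by manage-bde -status (or cscript manage-bde.wsf -status on Windows 7).

```powershell
# Added example (not from the slides): audit manage-bde -status text for the weak states the deck calls out.

function ConvertFrom-ManageBdeStatus {
    param([string[]]$Lines)
    $volumes = @(); $current = $null; $inProtectors = $false
    foreach ($line in $Lines) {
        if ($line -match '^Volume\s+([A-Z]:)') {
            if ($current) { $volumes += $current }
            $current = New-Object PSObject -Property @{
                Volume = $matches[1]; ConversionStatus = ''; PercentEncrypted = 0.0
                ProtectionStatus = ''; KeyProtectors = @()
            }
            $inProtectors = $false
        }
        elseif (-not $current) { continue }
        elseif ($line -match '^\s*Conversion Status:\s*(.+)$')      { $current.ConversionStatus = $matches[1].Trim() }
        elseif ($line -match '^\s*Percentage Encrypted:\s*([\d.]+)%') { $current.PercentEncrypted = [double]$matches[1] }
        elseif ($line -match '^\s*Protection Status:\s*(.+)$')      { $current.ProtectionStatus = $matches[1].Trim() }
        elseif ($line -match '^\s*Key Protectors:')                  { $inProtectors = $true }   # protector names follow, indented deeper
        elseif ($inProtectors -and $line -match '^\s{8}(\S.*)$')     { $current.KeyProtectors += $matches[1].Trim() }
        elseif ($line -match '^\S')                                  { $inProtectors = $false }
    }
    if ($current) { $volumes += $current }
    $volumes
}

function Get-BitLockerFindings {
    param($Volumes)
    foreach ($v in $Volumes) {
        $f = @()
        if ($v.PercentEncrypted -lt 100) { $f += "only $($v.PercentEncrypted)% encrypted: remaining sectors are readable in clear" }
        if ($v.ProtectionStatus -eq 'Protection Off') { $f += 'Protection Off: key protectors not enforced (pre-provisioned, suspended or still converting)' }
        if (($v.KeyProtectors -contains 'TPM') -and ($v.KeyProtectors -notcontains 'TPM And PIN')) { $f += 'TPM-only: no PIN, see the FireWire/Thunderbolt caveat' }
        New-Object PSObject -Property @{ Volume = $v.Volume; Risk = ($f.Count -gt 0); Findings = $f }
    }
}

# Constructed sample: C: is healthy, D: is pre-provisioned and never activated, E: is mid-encryption with TPM only.
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 118.00 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Key Protectors:
        TPM And PIN
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 200.00 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
    Key Protectors:       None Found

Volume E: [Archive]
[Data Volume]

    Size:                 500.00 GB
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 42.0%
    Protection Status:    Protection Off
    Key Protectors:
        TPM
        Numerical Password
'@ -split "`r?`n"

$volumes = ConvertFrom-ManageBdeStatus -Lines $sample
Get-BitLockerFindings -Volumes $volumes | Where-Object { $_.Risk } |
    ForEach-Object { "$($_.Volume) " + ($_.Findings -join '; ') }
```

On the sample this reports D: (Protection Off) and E: (42% encrypted, Protection Off, TPM-only) and stays silent on C:. MBAM's compliance reporting answers the same questions centrally; this is the local, single-machine view of the same data.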
BITLOCKER WITH MBAM
Microsoft BitLocker Administration and Monitoring (MBAM)
What is Microsoft BitLocker Administration and Monitoring (MBAM)?
MBAM builds on the BitLocker data protection offering in Windows 7 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.
GOALS ARE:
1. Simplify provisioning and deployment
2. Provide reporting (e.g.: compliance & audit)
3. Reduce support costs (e.g.: improved recovery)
Prerequisites For Server
Operating System:
• Windows Server 2008 SP2 (x86/x64)
• Windows Server 2008 R2
• Windows Server 2012 (some issues with the web components in beta)
Database:
• Compliance and Audit Report Server: Microsoft SQL Server 2008 R2 Std/Ent/Dev
• Recovery and Hardware Database Server: Microsoft SQL Server 2008 R2 Enterprise only
  - Security reason: Transparent Data Encryption (TDE)
Installing MBAM
• Single computer configuration
  - Everything on a single server.
  - Supported, but only recommended for testing purposes.
• Three-computer configuration
  - Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on a server
  - Administration and Monitoring Server feature is installed on a server
  - Group Policy template is installed on a server or client computer.
• Five-computer configuration
  Each server feature is installed on a dedicated computer:
  - Recovery and Hardware Database
  - Compliance Status Database
  - Compliance and Audit Reports
  - Administration and Monitoring Server
  - Group Policy Template is installed on a server or client computer
Prerequisites For Clients
• A computer running:
  - Windows 7 Enterprise/Ultimate
  - Windows 8 Enterprise (Pro will work but is not covered by the SA license)
• A Trusted Computing Group (TCG)-compliant BIOS
• TPM microchip version 1.2 (turned on)
• TPM must be resettable from the operating system
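The client prerequisites above (and the BitLocker Requirements slide earlier) can be checked on a machine before the MBAM client is pushed to it. The following PowerShell is an added example, not code from the presenters or from MBAM: it reads the Win32_OperatingSystem, Win32_ComputerSystem and Win32_Tpm WMI classes and assumes an elevated Windows 7/8 prompt (Win32_Tpm is only readable as administrator). The list of hypervisor model strings is my own heuristic for the "physical computer" criterion that the SCCM collection later in the deck also applies; the "resettable from the operating system" requirement is not checked here.

```powershell
# Added example (not from the slides): local check of the BitLocker/MBAM client prerequisites.
# Assumes Windows PowerShell 2.0 or later and local administrator rights.

function Test-BitLockerPrerequisites {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    # Win32_Tpm lives in its own namespace and is absent when there is no TPM or it is turned off in BIOS
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue

    # OperatingSystemSKU: 1 = Ultimate, 4 = Enterprise, 48 = Professional
    # (Windows 8 Pro works with MBAM but is not covered by the SA license, per the slide)
    $editionOk = @(1, 4, 48) -contains [int]$os.OperatingSystemSKU
    # 6.1 = Windows 7 / Server 2008 R2, 6.2 = Windows 8 / Server 2012
    $versionOk = [version]$os.Version -ge [version]'6.1'

    # Assumed heuristic for "physical computer": common hypervisor model strings (constructed list)
    $vmModels   = 'Virtual Machine', 'VMware Virtual Platform', 'VirtualBox', 'KVM', 'HVM domU'
    $isPhysical = -not ($vmModels | Where-Object { $cs.Model -like "*$_*" })

    $tpmPresent = ($tpm -ne $null)
    # SpecVersion reads e.g. "1.2, 2, 3" or "2.0, 0, 1.16"; the deck requires 1.2 or higher
    $tpmSpecOk  = $tpmPresent -and (@('1.2', '2.0') -contains ($tpm.SpecVersion -split ',')[0].Trim())
    # "turned on" means enabled and activated in firmware
    $tpmOn      = $tpmPresent -and $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        OSVersion    = $os.Version
        EditionOk    = $editionOk
        VersionOk    = $versionOk
        IsPhysical   = [bool]$isPhysical
        TpmPresent   = $tpmPresent
        TpmSpecOk    = [bool]$tpmSpecOk
        TpmTurnedOn  = [bool]$tpmOn
        Ready        = [bool]($editionOk -and $versionOk -and $isPhysical -and $tpmSpecOk -and $tpmOn)
    }
}

Test-BitLockerPrerequisites | Format-List
```

A machine that reports TpmPresent but not TpmTurnedOn is the case the MBAM client's TPM reboot handling (next slide) exists for; one that reports no TPM at all needs a firmware change before any of this applies.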
MBAM Client
Encrypt volumes BEFORE a user receives the computer (best practice)
• Works with Windows 7 deployment tools (MDT/SCCM)
• Client can:
  - Manage the TPM reboot process
  - Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
• Recovery key escrow can be bypassed and then escrowed when the user first logs on
Encrypt volumes AFTER a user receives the computer
• Client provides a policy-driven experience
• Client will manage the TPM reboot process
• Standard or admin users can encrypt
• Only use when unencrypted machines appear on the network
MBAM Policy Settings
A superset of BitLocker policies
New MBAM policies:
• Policy for Fixed Disk Volume auto-unlock
• Hardware capability check before encryption
• Allow user to request an exemption
• Interval at which the client verifies policy compliance (default = 90 min)
Policy location: Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
Client Experience
Compliance and Reporting
• MBAM agent collects and passes data to the reporting server (all clients pass this up, encrypted or not; IT can clarify WHY a computer is not compliant)
• Built on SQL Server® Reporting Services (SSRS), it gives you flexibility to add your own reports
• Need to know the last known state of a lost computer?
• Need to know how effective your rollout is, or how compliant your company is?
• Who has accessed keys and when, and when has new hardware been added?
Central Storage of Recovery Key
Recovery key(s) are escrowed for:
• Operating System Volume
• Fixed Data Volumes
• Removable Data Volumes
Stored outside of Microsoft Active Directory®
3-Tier Architecture:
• DB encrypted with SQL Server's Transparent Data Encryption
• Web Service API to build org-specific solutions
• All logging and authorization are done at the web service layer to ensure parity for custom apps
Helpdesk Key Recovery UI
MBAM provides a web page for helpdesk functionality:
• Provide BitLocker Recovery Key for authorized users
• Provide TPM unlock package for authorized users
• All requests (successful or not) are logged: who, when, which volume
Role-based authorization model to get recovery info:
• Tier 1: Helpdesk needs to have a person/key match
• Tier 2: Key ID is sufficient (limited role)
Create your own custom page leveraging the web service layer
Single Use Recovery Keys
• Once a BitLocker recovery key has been exposed, the client will create a new one
• As part of regular client/server communication, the client checks to see if the recovery key has been exposed
• MBAM client will create a new one
• Transparent to the user
• Recovery keys are created once a volume is unlocked
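The rotation the MBAM client performs transparently can be reproduced by hand with manage-bde, which shows what "single use" actually means at the volume level and is useful on a machine that is not yet MBAM-managed. The following PowerShell is an added example, not the MBAM client's own code: it adds a fresh recovery password first and only then deletes the exposed protector by its ID, so the volume is never left without a recovery protector. Escrow of the new key (to the MBAM database in a managed environment) is outside the script; it only returns the new protector ID. It assumes an elevated prompt on Windows 7/8 with manage-bde.exe on the path.

```powershell
# Added example (not from the slides, not MBAM client code): manual single-use rotation of a recovery password.

function Get-RecoveryProtectorIds {
    param([string]$Volume = 'C:')
    # manage-bde lists each Numerical Password protector with a line such as "      ID: {GUID}"
    $out = & manage-bde -protectors -get $Volume -type RecoveryPassword 2>&1
    $out | ForEach-Object { if ($_ -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') { $matches[1] } }
}

function Reset-RecoveryPassword {
    param([string]$Volume = 'C:')
    $old = @(Get-RecoveryProtectorIds -Volume $Volume)
    if ($old.Count -eq 0) { Write-Warning "$Volume has no recovery password protector yet" }

    # 1. Add the replacement first; manage-bde prints the new ID and the 48-digit password.
    $add = & manage-bde -protectors -add $Volume -RecoveryPassword 2>&1
    if ($LASTEXITCODE -ne 0) { throw "adding a new recovery password to $Volume failed: $add" }
    $new = @(Get-RecoveryProtectorIds -Volume $Volume | Where-Object { $old -notcontains $_ })
    if ($new.Count -ne 1) { throw "expected exactly one new protector on $Volume, found $($new.Count)" }

    # 2. Only now retire the exposed protector(s), by ID rather than by type, so the new one survives.
    foreach ($id in $old) {
        & manage-bde -protectors -delete $Volume -id $id | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "deleting protector $id on $Volume failed" }
    }

    # 3. Hand the new protector to whatever escrows keys (the MBAM client in a managed environment).
    New-Object PSObject -Property @{ Volume = $Volume; NewProtectorId = $new[0]; Retired = $old }
}

# Reset-RecoveryPassword -Volume 'C:'
```

The ordering is the whole point: deleting by type before adding would briefly leave the volume with no recovery path, and a crash in between would leave it that way permanently.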
BitLocker With MBAM And SCCM: Overview
• Eliminates the MBAM compliance infrastructure; view compliance status and reports in the SCCM console.
• Setup integrates three elements in SCCM:
  - Desired Configuration Management components: two Configuration Items (CIs), one Baseline
  - One Collection
  - Four Reports
BitLocker With MBAM And SCCM: Integration Components Explained
• Collection: every 12 hours, finds computers with a supported OS (Win7 Ent/Ult and Win8) that are physical and have TPM 1.2 or higher.
• Configuration Baseline: verifies compliance based on what is defined in Group Policy.
• The CIs collect details and evaluate compliance status for computers.
BitLocker With MBAM And SCCM: Reports Explained
• BitLocker Computer Compliance: compliance status of an individual computer
• BitLocker Enterprise Compliance Dashboard: four views: compliance status, non-compliant error distribution, compliance status by drive type, top 10 non-compliant hardware
• BitLocker Enterprise Compliance Details: compliance status of the enterprise
• BitLocker Enterprise Compliance Summary: summary of each computer's state with drill-down based on state.
BitLocker With MBAM And SCCM: Installation
• Make sure the MBAM server and databases are in working order, then on the SCCM server(s):
  - Edit configuration.mof and import sms_def.mof (see the documentation at https://connect.microsoft.com/MDOPTAP)
  - Enable the Win32_Tpm class
BitLocker With MBAM And SCCM: Installation
• Start Server\MBAMsetup.exe and, after the initial steps, choose the topology "System Center Configuration Manager Integration":
BitLocker With MBAM And SCCM: Installation
• Provided the other features are up and running on other servers, choose only the System Center CM Integration feature:
BitLocker With MBAM And SCCM: Task Sequence
• With SCCM SP1, BitLocker support for Windows 8 and Server 2012 has been added to the Task Sequence.
• In the Client Settings you can choose to suspend BitLocker PIN entry on restart.
THE END!
Olav Tvedt
Consigliore
STEP Member, MVP Setup & Deployment
Reidar Johansen
Senior Infrastructure Consultant