Spark the future.
May 4 – 8, 2015, Chicago, IL
BitLocker Deployment Using MBAM is a Snap!
Lance Crandall, Program Manager, Microsoft
BRK2331
Threats to your data are everywhere
The complete information protection continuum:
• Device protection: protect data when a device is lost or stolen
• Data protection: accidental data leakage
• Sharing protection: protect data as it is shared
Lost laptops: adding terror to the playbook
Over 12,000 laptops are lost in airports every week.
“It’s staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for.” Larry Ponemon
Source: “New Study Reveals Up To 12,000 Laptop Computers Lost Weekly and up to 600,000 lost annually in U.S. Airports”, Ponemon.org, June 20, 2008
BitLocker Overview: the 10,000-foot view
BitLocker
Full volume encryption
• OS volumes
• Fixed data drives (like a separate hard drive or partition)
• Removable drives
Recovery
• Recovery keys
• DRA (data recovery agent)
Used disk space and pre-provisioning
• Encrypts used disk space only
• Pre-provisioning speeds up encryption by turning it on in WinPE
• TPM must be enabled and owned
BitLocker Protectors
• OS volumes: TPM, TPM + PIN, Password
• Data drives: Auto-Unlock, Password
TPM Overview
• Hardware based
• Protects BitLocker, virtual smart card, and other sensitive keys
• Enables Secure Boot by verifying platform integrity measurements
• Prevents tampering: moving to another machine causes the keys to be inaccessible
• Anti-hammering logic
• Since it is hardware based, it is not subject to software attacks
TPM spec versions
• TPM 1.2: the main spec in use. Random lockout thresholds and attempts.
• TPM 2.0: on by default. Consistent lockout.
Preparing to Use the TPM
TPM enablement
• TPM must be enabled and activated in the BIOS/UEFI (the default with TPM 2.0)
• Must be visible to, and manageable by, the OS
• Can be automated using tools from device manufacturers, from within the full OS or WinPE
Ownership
• TPM must be owned by Windows, MBAM, or something else
• Taking ownership creates the TPM OwnerAuth password, which is needed to reset TPM lockouts
• Scripts (MDT, SCCM, or another method)
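As an added example (not from the deck and not part of MBAM), the preconditions above can be checked from an elevated PowerShell session with the in-box Get-Tpm and Get-BitLockerVolume cmdlets (Windows 8 / Server 2012 and later); the function name Test-MbamReadiness is our own.

```powershell
# Added example, not part of the deck or of MBAM. Checks the TPM and volume preconditions
# listed above before (or after) running Invoke-MbamClientDeployment.ps1.
# Requires an elevated session on Windows 8 / Server 2012 or later.
function Test-MbamReadiness {
    $issues = New-Object System.Collections.Generic.List[string]
    $tpm = Get-Tpm

    # TPM must be enabled, activated and owned; TpmReady is true only when all three hold.
    if (-not $tpm.TpmPresent) {
        $issues.Add('No TPM present: TPM and TPM+PIN protectors cannot be used.')
    } elseif (-not $tpm.TpmReady) {
        $issues.Add('TPM not ready: enable/activate it in BIOS/UEFI and let Windows take ownership.')
    }

    # Anti-hammering state: while locked out, every boot ends in a recovery event
    # until the lockout is reset with the TPM OwnerAuth (or, on TPM 2.0, it expires).
    if ($tpm.LockedOut) {
        $issues.Add("TPM locked out ($($tpm.LockoutCount) of $($tpm.LockoutMax) failed attempts); reset it with the OwnerAuth before enabling BitLocker.")
    }

    # Per-volume inventory: which protectors exist and whether the drive is still
    # pre-provisioned (encrypted in WinPE, ProtectionStatus Off until protectors are added).
    $volumes = foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        New-Object PSObject -Property @{
            MountPoint = $v.MountPoint
            VolumeType = $v.VolumeType
            Status     = $v.VolumeStatus        # FullyDecrypted / EncryptionInProgress / FullyEncrypted
            Protection = $v.ProtectionStatus    # Off on a pre-provisioned drive, On once protectors exist
            Method     = $v.EncryptionMethod
            Protectors = ($types -join ', ')
        }
    }

    New-Object PSObject -Property @{
        Ready   = ($issues.Count -eq 0)
        Issues  = $issues
        Volumes = $volumes
    }
}

$report = Test-MbamReadiness
$report.Volumes | Format-Table MountPoint, VolumeType, Status, Protection, Method, Protectors -AutoSize
if (-not $report.Ready) { $report.Issues | ForEach-Object { Write-Warning $_ } }
```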
BitLocker Management with MBAM
Microsoft BitLocker Administration and Monitoring: an enterprise-class solution that streamlines management of BitLocker
BitLocker enactment
• Integrates into existing deployment tools
• Grace period for enactment
• Prompts for PIN or password
• Escrows recovery information and TPM OwnerAuth
Compliance reporting
• Encryption status reporting per volume on each computer
• View overall compliance for your organization
• View reports standalone or in System Center Configuration Manager
Recovery
• Helpdesk recovery
• Self-service recovery
• Retrieve TPM OwnerAuth to unlock the TPM
Stand-alone topology
Database components
• Recovery Database
• Compliance / Audit Database
Stand-alone server components
• Self-Service Server: Self-Service Web Service, Self-Service Web Site
• Administration and Monitoring Server: Admin Web Service, Admin Web Site
• Compliance and Audit Reports: Reporting Web Service, Reporting Web Site, SSRS
Configuration Manager topology
Database components
• Recovery Database
CM server components
• Self-Service Server: Self-Service Web Service, Self-Service Web Site
• Administration and Monitoring Server / Audit Report: Admin Web Service, Admin Web Site
Configuration Manager components
• Management Console
• CM Reports (SSRS)
• Audit Database
GPO
• ADMX files are downloadable from microsoft.com/downloads
• Allows configuration of MBAM settings: BitLocker settings and MBAM policy settings
• Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM
• User Configuration\Administrative Templates\Windows Components\MDOP MBAM (this is for user exemptions only)
MBAM client flow: install MBAM client → apply MBAM policy → enact BitLocker → report compliance
Announcing MBAM 2.5 SP1
Deployment
• Introduced scripts to support imaging
• Included prompting for PIN after imaging
• Improved TPM OwnerAuth escrow
Management
• Built cmdlets to import BitLocker and TPM data from AD
• Added automatic TPM unlock when BitLocker is recovered
• Consolidated and simplified server logging
Industry compat
• Added Windows 10 support
• Added Encrypted HDD support
• Supported International Domain Names
• Supported Win7 FIPS recovery password
Customization
• Added ability to direct customers to the SSP from the BitLocker recovery screen
• Allowed SSP branding capability during setup
• Increased supported client languages to 23
• Updated reports schema to allow customization using Report Builder
What’s New With BitLocker Deployment Using MBAM: Enabling BitLocker During Imaging
Process
• Previously: manual process with reg keys and service restarts; non-supported scripts that only supported MDT/SCCM
• MBAM 2.5 SP1: written in PowerShell, compatible with PowerShell v2; easy to use with MDT, SCCM, or standalone
Volume support
• Previously: support for OS volumes; no pre-provisioning support out of the box
• MBAM 2.5 SP1: supports OS volumes with TPM protector; fixed data drive support; handles pre-provisioned drives; prompts for PIN immediately after imaging
Escrow/Reporting
• Previously: does not escrow TPM OwnerAuth unless owned by MBAM; reporting could take up to 12 hours
• MBAM 2.5 SP1: TPM OwnerAuth escrowed if pre-provisioned or not owned by MBAM (Win8+); immediate compliance reporting
Error handling
• Previously: limited error handling; depends on the script
• MBAM 2.5 SP1: robust error handling; writes to standard out, including the BDD and SMSTS logs
Under the covers
• New WMI methods: PrepareTpmAndEscrowOwnerAuth, EscrowRecoveryKey, ReportStatus
• Returned error codes are helpful for troubleshooting
MBAM Client Deployment Script Parameters
Invoke-MbamClientDeployment.ps1: the main script that your deployment system calls to configure MBAM and enable BitLocker.
Parameter: description
• -RecoveryServiceEndpoint (required): MBAM recovery service endpoint
• -StatusReportingServiceEndpoint (optional): MBAM status reporting service endpoint
• -EncryptionMethod (optional): encryption method (default: AES 128)
• -EncryptAndEscrowDataVolume (switch): specify to encrypt data volume(s) and escrow the data volume recovery key(s)
• -WaitForEncryptionToComplete (switch): specify to wait for the encryption to complete
• -IgnoreEscrowOwnerAuthFailure (switch): specify to ignore TPM OwnerAuth escrow failure
• -IgnoreEscrowRecoveryKeyFailure (switch): specify to ignore volume recovery key escrow failure
• -IgnoreReportStatusFailure (switch): specify to ignore status reporting failure
Command line example
Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc `
    -StatusReportingServiceEndpoint https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc `
    -EncryptAndEscrowDataVolume -EncryptionMethod AES256 -WaitForEncryptionToComplete
As Easy As 1…2…3! Integrating Into Deployment Processes
1. Add a script to persist the TPM OwnerAuth (WinPE)
2. Install the MBAM agent (full OS)
3. Run the MBAM PowerShell script (full OS)
Demo: Enabling BitLocker Using MDT and MBAM During Imaging
• Apply MBAM policies to the device
• Enable the TPM
• Create the BitLocker system partition if needed
• Fix potential Win32_EncryptableVolume issues
• Install the MBAM agent
• The MBAM agent works its magic
Enabling BitLocker on Existing Machines
Demo: Enabling BitLocker Using MDT and MBAM on Existing Machines
AD Recovery Data Migration
Challenges
• Enterprises have rolled out BitLocker without MBAM
• Recovery data is stored in AD
• TPM OwnerAuth may be stored in AD
• Machines may be offline or in storage
• Two places that techs have to go for recovery
Migrating Existing Recovery Data to MBAM: 4 PowerShell cmdlets
For volume recovery keys and packages:
• Read-ADRecoveryInformation
• Write-MbamRecoveryInformation
• Add-ComputerUser.ps1: match users to computers
For TPM OwnerAuth information:
• Read-ADTpmInformation
• Write-MbamTpmInformation
Active Directory Recovery Data Migration
• Reads recovery keys, packages, and TPM OwnerAuth from AD and writes them to MBAM
• Does not write to AD
• Data integrity checks when writing to MBAM
• Advanced Helpdesk can recover
• Intermediary process that can match users to machines, using the ManagedBy attribute in AD or a custom CSV file; this allows helpdesk and SSP recovery
Setup
• Grant rights in AD: create an AD group to grant writes to MBAM
• Open Web.config for the recovery service and edit <add key="DataMigrationsUsersGroupName" value=""> so that value names that group
AD Recovery Data Migration Example
Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse |
    Add-ComputerUser -FromComputerManagedBy |
    Write-MBAMRecoveryInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
AD TPM Data Migration Example
Read-ADTpmInformation -Server contoso.com -Credential $cred -Recurse |
    Add-ComputerUser -FromComputerUserMapping (Import-Csv ComputerToUserMapping.csv) |
    Write-MBAMTpmInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
Demo: AD Recovery Data Migration
Custom Pre-boot Recovery
Recovery Experience
• Helpdesk: the user gives their domain and user name; the helpdesk enters the Recovery Key ID
• Advanced Helpdesk: enters the Recovery Key ID
• Self Service: the user logs into a domain-joined PC (Windows Integrated Auth) and provides the Recovery Key ID
We want users to use the SSP, because it cuts costs. But users hit the recovery screen, the recovery screen tells them to go to OneDrive, the key isn’t there, and the user calls the helpdesk.
SSP Windows 10 Enhancements
You can now customize the BitLocker recovery screen!
• Default recovery message
• Custom recovery message
• Windows 10 custom preboot URL
Demo: Custom Preboot Recovery Message
Managing TPM Lockouts
TPM anti-hammering causes
• Incorrect PIN attempts
• Incorrect virtual smart card authentication attempts
• Invalid attempts to guess or change the TPM OwnerAuth
Protection mechanism when using BitLocker
• Exponentially slower responses to authorization attempts
• Forces a BitLocker recovery event: the user has to enter the 48-digit BitLocker recovery key to unlock
Lockout duration
• TPM 1.2: varies by manufacturer
• TPM 2.0: 2 hours
TPM Lockouts
• Unlocking the TPM requires the TPM OwnerAuth
• MBAM escrowed the TPM OwnerAuth, so the helpdesk can provide it
• Requires admin rights to use on the device
Unlocking the TPM
• TPM 1.2 lockouts can be automatically resolved
• Not needed for TPM 2.0
• The feature must be enabled on the web server and in GPO
• The TPM OwnerAuth must be in MBAM
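The manual helpdesk path described above, as an added example that is not from the deck and not part of MBAM: a technician with local admin rights resets the lockout with the OwnerAuth read out of the MBAM helpdesk portal, using the in-box Get-Tpm, Unblock-Tpm and Win32_Tpm (Windows 8 / Server 2012 and later); the function name Reset-TpmLockout and the placeholder OwnerAuth value are ours.

```powershell
# Added example, not part of the deck or of MBAM: the manual unlock path for a technician
# who has local admin rights and an OwnerAuth obtained from the MBAM helpdesk portal.
# Get-Tpm, Unblock-Tpm and the Win32_Tpm WMI class are in-box; run from an elevated session.
function Reset-TpmLockout {
    param(
        # OwnerAuth as shown in the MBAM helpdesk / advanced helpdesk UI (hypothetical value below).
        [Parameter(Mandatory = $true)][string]$OwnerAuth
    )
    $before = Get-Tpm
    if (-not $before.LockedOut) {
        Write-Verbose 'TPM is not locked out; nothing to do.'
        return $false
    }

    # TPM 2.0 lockouts expire by themselves (2 hours per the deck), so the OwnerAuth is
    # normally not needed there; report the state and let the technician decide.
    $spec = (Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm).SpecVersion
    Write-Warning ("TPM spec {0} locked out: {1} of {2} failed attempts." -f $spec, $before.LockoutCount, $before.LockoutMax)
    if ($spec -like '2.0*') { Write-Warning 'TPM 2.0: the lockout clears on its own after the lockout duration.' }

    # Reset the anti-hammering counter. A wrong OwnerAuth is itself an invalid authorization
    # attempt and counts against the lockout, so never retry with guessed values.
    try {
        Unblock-Tpm -OwnerAuthorization $OwnerAuth -ErrorAction Stop | Out-Null
    } catch {
        Write-Error "Unblock-Tpm failed: $($_.Exception.Message)"
        return $false
    }

    $after = Get-Tpm
    if ($after.LockedOut) {
        Write-Warning 'TPM still reports LockedOut after Unblock-Tpm.'
        return $false
    }
    # Return a record the technician can paste into the ticket, mirroring the audit
    # trail MBAM's own auto-unlock leaves in the client event log and audit reports.
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        ResetBy  = "$env:USERDOMAIN\$env:USERNAME"
        When     = (Get-Date).ToString('s')
        Cleared  = $true
    }
}

# Usage: the OwnerAuth below is a placeholder; paste the value read out of MBAM.
Reset-TpmLockout -OwnerAuth '<OwnerAuth-from-MBAM-helpdesk>' -Verbose
```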
Managing TPM Lockouts, the easy way: the TPM Auto-Unlock process
1. User hits the BitLocker recovery screen
2. Recovers the key from the SSP or the helpdesk portal
3. Key is marked as disclosed
4. MBAM service wakes up and detects the key was disclosed
5. Checks if the TPM is locked out
6. Automatically unlocks if MBAM has the TPM OwnerAuth
7. Audited in the client event log and MBAM audit reports
Demo: TPM Auto-Unlock
Available With Windows 10
• New deployment scripts
• Easily migrate data from AD to MBAM
• TPM management enhancements
• Custom preboot URL in Win10 lowers support costs
Conclusion: MBAM 2.5 SP1 makes it even easier to deploy and manage BitLocker on your devices
Related Sessions
• BRK3340: App-V 5.0 SP3: Advanced Connection Groups (Thurs 17:00)
• BRK3317: Creating a Seamless User Experience with Microsoft UE-V and Windows 10 (Fri 12:30)
• BRK3304: Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools (Wed 9:00)
• BRK3144: Microsoft Office 365 ProPlus: Have It Your Way! (Fri 12:30)
• BRK3868: Fundamentals of Microsoft Azure RemoteApp Management and Administration (Tues 13:30)
© 2015 Microsoft Corporation. All rights reserved.