Protect data is shared SHARING PROTECTION DEVICE PROTECTION Protect data when device is lost or...

Spark the future. May 4 – 8, 2015, Chicago, IL

Transcript of Protect data is shared SHARING PROTECTION DEVICE PROTECTION Protect data when device is lost or...

Page 1: Protect data is shared SHARING PROTECTION DEVICE PROTECTION Protect data when device is lost or stolen DATA PROTECTION Accidental data leakage.

Spark the future.

May 4 – 8, 2015, Chicago, IL

Page 2:

BitLocker Deployment Using MBAM is a Snap!

Lance Crandall, Program Manager, Microsoft

BRK2331

Page 3:

Threats to your data are everywhere

Page 4:

Information protection continuum complete

SHARING PROTECTION: Protect data as it is shared

DEVICE PROTECTION: Protect data when device is lost or stolen

DATA PROTECTION: Accidental data leakage

Page 5:

Lost Laptops – ADDING TERROR TO PLAYBOOK

Over 12,000 laptops lost in airports every week

"It's staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for." – Larry Ponemon

Source: "New Study Reveals Up To 12,000 Laptop Computers Lost Weekly and up to 600,000 lost annually in U.S. Airports", Ponemon.org, June 20, 2008

Page 6:

BitLocker Overview: 10,000-foot view

Page 7:

BitLocker

Full volume encryption
• OS volumes
• Fixed data drives (like a separate hard drive or partition)
• Removable drives

Recovery
• Recovery keys
• DRA

Used disk space / pre-provisioning
• Encrypts used disk space
• Pre-provisioning – speeds up encryption by turning it on in WinPE
• TPM must be enabled and owned

Page 8:

BitLocker Protectors

• TPM
• TPM + PIN
• Password

• Auto-Unlock
• Password

Page 9:

TPM Overview
• Hardware based
• Protects BitLocker, virtual smart card, and other sensitive keys
• Enables Secure Boot by verifying platform integrity measurements

Prevents tampering
• Moving to other machines causes keys to be inaccessible
• Anti-hammering logic
• Since hardware based, not subject to software attacks

TPM spec versions
• TPM 1.2 – Main spec in use. Random lockout thresholds and attempts.
• TPM 2.0 – On by default. Consistent lockout.

Page 10:

Preparing to Use the TPM

TPM enablement
• TPM must be enabled and activated in the BIOS/UEFI (default in TPM 2.0)
• Must be visible and able to be managed by the OS
• Can be automated using tools from device manufacturers from within the full OS or WinPE

Ownership
• TPM must be owned by Windows, MBAM, or something else.
• Creates TPM OwnerAuth password. Needed to reset TPM lockouts.
• Scripts (MDT, SCCM, or other method)

Page 11:

BitLocker Management with MBAM

Page 12:

Microsoft BitLocker Administration and Monitoring
Enterprise-class solution that streamlines management of BitLocker

BitLocker Enactment
• Integrates into existing deployment tools
• Grace period for enactment
• Prompts for PIN or Password
• Escrows recovery information and TPM OwnerAuth

Compliance Reporting
• Encryption status reporting per volume on each computer
• View overall compliance for your organization
• View reports standalone or in System Center Configuration Manager

Recovery
• Helpdesk recovery
• Self service recovery
• Retrieve TPM OwnerAuth to unlock TPM

Page 13:

Stand Alone Server Components

Database Components
• Recovery Database
• Compliance / Audit Database

Self-Service Server
• Self-Service Web Service
• Self-Service Web Site

Administration and Monitoring Server
• Admin Web Service
• Admin Web Site

Compliance and Audit Reports
• Reporting Web Service
• Reporting Web Site
• SSRS

Page 14:

CM Server Components

Database Components
• Recovery Database

Self-Service Server
• Self-Service Web Service
• Self-Service Web Site

Administration and Monitoring Server / Audit Report
• Admin Web Service
• Admin Web Site

Configuration Manager Components
• Management Console
• CM Reports (SSRS)
• Audit Database

Page 15:

GPO
• ADMX files downloadable from microsoft.com/downloads
• Allows MBAM settings configuration: BitLocker settings, MBAM policy settings
• Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM
• User Configuration\Administrative Templates\Windows Components\MDOP MBAM (this is for user exemptions only)

Page 16:

MBAM CLIENT FLOW:

INSTALL MBAM CLIENT → APPLY MBAM POLICY → ENACTS BITLOCKER → REPORTS COMPLIANCE

Page 17:

Announcing MBAM 2.5 SP1

Deployment
• Introduced scripts to support imaging
• Included prompting for PIN after imaging
• Improved TPM OwnerAuth escrow

Management
• Built cmdlets to import BitLocker and TPM data from AD
• Added automatic TPM unlock when BitLocker is recovered
• Consolidated and simplified server logging

Industry Compat
• Added Windows 10 support
• Added Encrypted HDD support
• Supported International Domain Names
• Supported Win7 FIPS Recovery Password

Customization
• Added ability to direct customers to SSP from BitLocker recovery screen
• Allowed SSP branding capability during setup
• Increased supported client languages to 23
• Updated reports schema to allow customization using Report Builder

Page 18:

What’s New With BitLocker Deployment Using MBAM

Page 19:

Enabling BitLocker During Imaging: Previously vs. MBAM 2.5 SP1

Process
  Previously:
  • Manual process with reg keys, service restarts
  • Non-supported scripts that only supported MDT/SCCM
  MBAM 2.5 SP1:
  • Written in PowerShell; compatible with PowerShell v2
  • Easy to use with MDT, SCCM, or standalone

Volume Support
  Previously:
  • Support for OS volumes
  • No pre-provisioning support out of the box
  MBAM 2.5 SP1:
  • Supports OS volumes with TPM protector
  • Fixed Data Drive support
  • Handle pre-provisioned drives
  • Prompt for PIN immediately after imaging

Escrow/Reporting
  Previously:
  • Does not escrow TPM OwnerAuth unless owned by MBAM
  • Reporting could take up to 12 hours
  MBAM 2.5 SP1:
  • TPM OwnerAuth escrowed if pre-provisioned or not owned by MBAM (Win8+)
  • Immediate compliance reporting

Error Handling
  Previously:
  • Limited error handling; depends on the script
  MBAM 2.5 SP1:
  • Robust error handling
  • Writes to standard out, including BDD and SMSTS.logs.

Page 20:

Under the covers

New WMI methods:
• PrepareTpmAndEscrowOwnerAuth
• EscrowRecoveryKey
• ReportStatus

Returned error codes helpful for troubleshooting

Page 21:

MBAM Client Deployment Script Parameters

Invoke-MbamClientDeployment.ps1 – The main script that your deployment system will call to configure MBAM and enable BitLocker.

Parameter: Description
• -RecoveryServiceEndpoint (required): MBAM recovery service endpoint
• -StatusReportingServiceEndpoint (optional): MBAM status reporting service endpoint
• -EncryptionMethod (optional): Encryption method (default: AES 128)
• -EncryptAndEscrowDataVolume (switch): Specify to encrypt data volume(s) and escrow data volume recovery key(s)
• -WaitForEncryptionToComplete (switch): Specify to wait for the encryption to complete
• -IgnoreEscrowOwnerAuthFailure (switch): Specify to ignore TPM OwnerAuth escrow failure
• -IgnoreEscrowRecoveryKeyFailure (switch): Specify to ignore volume recovery key escrow failure
• -IgnoreReportStatusFailure (switch): Specify to ignore status reporting failure

Page 22:

Command Line Example

.\Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc `
    -StatusReportingServiceEndpoint https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc `
    -EncryptAndEscrowDataVolume -EncryptionMethod AES256 -WaitForEncryptionToComplete

Page 23:

As Easy As 1…2…3!

Integrating Into Deployment Processes

1. Add script to persist TPM OwnerAuth (WinPE)
2. Install MBAM Agent (Full OS)
3. Run MBAM PowerShell Script (Full OS)
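Added example (not code from the session or from MBAM) of the step 3 wrapper a task sequence could call: it checks TPM readiness through the Win32_Tpm class before invoking Invoke-MbamClientDeployment.ps1 with the parameters from the previous slides, and logs to standard output so MDT/SCCM capture it in BDD.log or SMSTS.log. The script location and the two endpoint URLs are assumptions.

```powershell
# Added example (not from the session or MBAM): a task-sequence wrapper for step 3.
# Assumes Invoke-MbamClientDeployment.ps1 sits beside this script and that the two
# endpoint URLs below exist in your environment.
param(
    [string]$RecoveryEndpoint = 'https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc',
    [string]$StatusEndpoint   = 'https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc'
)
$ErrorActionPreference = 'Stop'   # make failures in the called script terminating so catch sees them

function Write-Log([string]$Message) {
    # Plain standard output: MDT and SCCM task sequences capture it into BDD.log / SMSTS.log.
    Write-Output ('{0:yyyy-MM-dd HH:mm:ss} MBAM-Deploy: {1}' -f (Get-Date), $Message)
}

function Test-TpmReady {
    # Win32_Tpm (root\CIMV2\Security\MicrosoftTpm) reports the states the "Preparing to Use
    # the TPM" slide requires: enabled and activated in firmware, and visible to the OS.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { Write-Log 'No TPM visible to the OS; enable it in BIOS/UEFI or WinPE first.'; return $false }
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Log ('TPM enabled={0} activated={1} owned={2}' -f $enabled, $activated, $owned)
    # Ownership is not a blocker: the MBAM script takes ownership and escrows the OwnerAuth.
    return ($enabled -and $activated)
}

# Split-Path on MyInvocation instead of $PSScriptRoot keeps the wrapper PowerShell v2 compatible.
$scriptDir  = Split-Path -Parent $MyInvocation.MyCommand.Path
$mbamScript = Join-Path $scriptDir 'Invoke-MbamClientDeployment.ps1'

if (-not (Test-TpmReady)) { exit 1 }   # non-zero exit code fails the task-sequence step

try {
    Write-Log 'Handing off to Invoke-MbamClientDeployment.ps1'
    & $mbamScript -RecoveryServiceEndpoint $RecoveryEndpoint `
                  -StatusReportingServiceEndpoint $StatusEndpoint `
                  -EncryptionMethod AES256 `
                  -EncryptAndEscrowDataVolume `
                  -WaitForEncryptionToComplete
    Write-Log 'BitLocker enabled, keys escrowed and compliance reported.'
    exit 0
} catch {
    Write-Log ('MBAM client deployment failed: {0}' -f $_.Exception.Message)
    exit 2
}
```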

Page 24:

Demo – Enabling BitLocker Using MDT and MBAM During Imaging

Page 25:

Enabling BitLocker on Existing Machines

• Apply MBAM policies to device
• Enable TPM
• Create BitLocker system partition if needed
• Fix potential Win32_EncryptableVolume issues
• Install MBAM agent
• MBAM agent works its magic

Page 26:

Demo – Enabling BitLocker Using MDT and MBAM on Existing Machines

Page 27:

AD Recovery Data Migration

Page 28:

Migrating Existing Recovery Data to MBAM

Challenges
• Enterprises have rolled out BitLocker without MBAM
• Recovery data is stored in AD
• TPM OwnerAuth may be stored in AD
• Machines may be offline/in storage
• Two places that techs have to go for recovery

Page 29:

Active Directory Recovery Data Migration

4 PowerShell cmdlets

For volume recovery keys and packages:
• Read-ADRecoveryInformation
• Write-MbamRecoveryInformation
• Add-ComputerUser.ps1 – match users to computers

For TPM OwnerAuth information:
• Read-ADTpmInformation
• Write-MbamTpmInformation

Page 30:

Active Directory Recovery Data Migration

• Reads recovery keys, packages, and TPM OwnerAuth from AD and writes to MBAM
• Does not write to AD
• Data integrity checks when writing to MBAM
• Advanced Helpdesk can recover
• Intermediary process that can match users to machines:
  – ManagedBy attribute in AD
  – Custom CSV file
• Allows helpdesk and SSP recovery

Page 31:

Setup

• Grant rights in AD
• Create an AD group to grant writes to MBAM
• Open Web.config for the recovery service
• Edit the <add key="DataMigrationsUsersGroupName" value=""> element

Page 32:

AD Recovery Data Migration Example

Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse `
    | Add-ComputerUser -FromComputerManagedBy `
    | Write-MBAMRecoveryInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc

Page 33:

AD TPM Data Migration Example

Read-ADTpmInformation -Server contoso.com -Credential $cred -Recurse `
    | Add-ComputerUser -FromComputerUserMapping (Import-Csv ComputerToUserMapping.csv) `
    | Write-MBAMTpmInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc

Page 34:

Demo – AD Recovery Data Migration

Page 35:

Custom Pre-boot Recovery

Page 36:

Recovery Experience

Advanced Helpdesk
• Enters Recovery Key ID

Helpdesk
• User domain and user name
• Enters Recovery Key ID

Self Service
• Logs into domain-joined PC
• Windows Integrated Auth
• Provides Recovery Key ID

Page 37:

SSP Windows 10 Enhancements

• Want users to use the SSP – cuts costs
• Users hit recovery screen
• Recovery screen tells them to go to OneDrive
• Key isn't there! User calls the helpdesk

You Can Now Customize the BitLocker Recovery Screen!

Page 38:

Default Recovery Message

Custom Recovery Message

Windows 10 Custom Preboot URL

Page 39:

Demo – Custom Preboot Recovery Message

Page 40:

Managing TPM Lockouts

Page 41:

TPM Lockouts

TPM anti-hammering causes
• Incorrect PIN attempts
• Incorrect virtual smart card authentication attempts
• Invalid attempts to guess or change the TPM OwnerAuth

Protection mechanism when using BitLocker
• Exponentially slower responses to authorization attempts
• Forces BitLocker recovery event – have to enter 48-digit BitLocker key to unlock

Lockout duration
• TPM 1.2 – varies by manufacturer
• TPM 2.0 – 2 hours

Page 42:

Unlocking TPM

• Unlocking the TPM requires the TPM OwnerAuth
• MBAM escrowed TPM OwnerAuth
• Helpdesk could provide TPM OwnerAuth
• Requires admin rights to use on device
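Added example (not the session's or MBAM's own code) of what the helpdesk-assisted unlock on this slide looks like on the device: it reads the TPM state through Win32_Tpm (and Get-Tpm where that cmdlet exists), leaves a TPM 2.0 alone since its lockout expires on its own, and otherwise resets the anti-hammering lockout with the OwnerAuth the helpdesk retrieved from MBAM. The $OwnerAuth value is supplied by the helpdesk and is a placeholder here; the script must run elevated.

```powershell
# Added example (not from the session or MBAM). Run elevated on the locked-out device with
# the OwnerAuth the helpdesk retrieved from MBAM; the parameter value is a placeholder.
param([Parameter(Mandatory = $true)][string]$OwnerAuth)

$tpmNamespace = 'root\CIMV2\Security\MicrosoftTpm'

function Get-TpmLockoutState {
    # Returns a small object describing the TPM spec and whether anti-hammering is engaged.
    $tpm = Get-WmiObject -Namespace $tpmNamespace -Class Win32_Tpm
    if (-not $tpm) { throw 'No TPM present on this device.' }
    $lockedOut = $null
    if (Get-Command Get-Tpm -ErrorAction SilentlyContinue) {   # Windows 8 and later
        $lockedOut = (Get-Tpm).LockedOut
    }
    New-Object PSObject -Property @{
        SpecVersion = $tpm.SpecVersion.Split(',')[0].Trim()   # "1.2" or "2.0"
        Owned       = $tpm.IsOwned().IsOwned
        LockedOut   = $lockedOut                               # $null on Win7, where Get-Tpm is missing
    }
}

function Reset-TpmLockoutWithOwnerAuth([string]$Auth) {
    # ResetAuthLockOut is the Win32_Tpm method behind "unlocking" a TPM 1.2; it needs the
    # OwnerAuth, which is why it must be escrowed in MBAM (or AD) before a lockout happens.
    $tpm = Get-WmiObject -Namespace $tpmNamespace -Class Win32_Tpm
    $result = $tpm.ResetAuthLockOut($Auth)
    return $result.ReturnValue          # 0 = success; non-zero is a Win32/TBS error code
}

$state = Get-TpmLockoutState
Write-Output ('TPM {0}, owned={1}, lockedOut={2}' -f $state.SpecVersion, $state.Owned, $state.LockedOut)

if ($state.SpecVersion -like '2.*') {
    Write-Output 'TPM 2.0 lockout clears on its own (2 hours); no OwnerAuth reset needed.'
} elseif ($state.LockedOut -eq $false) {
    Write-Output 'TPM is not locked out; nothing to reset.'
} else {
    # LockedOut is unknown on Win7, so fall through to the reset there as well.
    $rc = Reset-TpmLockoutWithOwnerAuth $OwnerAuth
    if ($rc -eq 0) { Write-Output 'TPM lockout reset; the user can retry the PIN.' }
    else { Write-Output ('ResetAuthLockOut failed with return code {0}; verify the OwnerAuth came from MBAM for this machine.' -f $rc) }
}
```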

Page 43:

Managing TPM Lockouts – The Easy Way

• TPM 1.2 lockouts can be automatically resolved
• Not needed for TPM 2.0
• Feature must be enabled on web server and in GPO
• TPM OwnerAuth must be in MBAM

Page 44:

TPM Auto-Unlock Process

1. User hits BitLocker Recovery Screen
2. Recovers key from SSP or helpdesk portal
3. Key is marked as disclosed
4. MBAM service wakes up and detects key was disclosed
5. Checks if TPM is locked out
6. Automatically unlocks if MBAM has TPM OwnerAuth
7. Audited in client event log and MBAM audit reports

Page 45:

Demo – TPM Auto-Unlock

Page 46:

Available With Windows 10

Page 47:

Conclusion

• New deployment scripts
• Easily migrate data from AD to MBAM
• TPM management enhancements
• Custom preboot URL in Win10 lowers support costs

MBAM 2.5 SP1 makes it even easier to deploy and manage BitLocker on your devices

Page 48:

Related Sessions

• BRK3340: App-V 5.0 SP3: Advanced Connection Groups (Thurs 17:00)
• BRK3317: Creating a Seamless User Experience with Microsoft UE-V and Windows 10 (Fri 12:30)
• BRK3304: Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools (Wed 9:00)
• BRK3144: Microsoft Office 365 ProPlus: Have It Your Way! (Fri 12:30)
• BRK3868: Fundamentals of Microsoft Azure RemoteApp Management and Administration (Tues 13:30)

Page 49:

Visit Myignite at http://myignite.microsoft.com or download and use the Ignite Mobile App.

Please evaluate this session. Your feedback is important to us!

Page 50:

© 2015 Microsoft Corporation. All rights reserved.