Managing bitlocker with mbam
My presentation from NIC2012 about Bitlocker

Transcript of "Managing bitlocker with mbam"

1. Managing Bitlocker With Microsoft Desktop Optimization Pack (MDOP) For Software Assurance's (SA) Microsoft Bitlocker Administration And Monitoring (MBAM)
   Olav Tvedt, Consigliere, EDB Ergogroup, MVP Setup & Deployment. Blog: olavtvedt.blogspot.com. Twitter: @olavtwitt
2. OR
   Olav Tvedt, Consigliere, EDB Ergogroup, MVP Setup & Deployment. Blog: olavtvedt.blogspot.com. Twitter: @olavtwitt
3. MBWMDOPFSAMBAAMOTCEEGMS&D
4. Among friends just called...
   Olav Tvedt, Consigliere, EDB Ergogroup, MVP Setup & Deployment. Blog: olavtvedt.blogspot.com. Twitter: @olavtwitt
5. Managing Bitlocker With MBAM
   Olav Tvedt, Consigliere, EDB Ergogroup, MVP Setup & Deployment. Blog: olavtvedt.blogspot.com. Twitter: @olavtwitt
6. AGENDA
   • What Is Bitlocker
   • Why Use Disk Encryption
   • Bitlocker News In Windows 8
   • Bitlocker Without MBAM
   • Bitlocker With MBAM
7. What Is Bitlocker
8. What Is Bitlocker
   • Encrypts
     • Operating System Drive
     • Fixed Data Drive
     • Removable Data Drive
   • Checks After Changes
     • BIOS
     • System/Startup Files
9. Why Use Disk Encryption?
10. Category | Name | Model | Office | Date
   Computer equipment | Computer | Macbook | ARLANDA | 23.Dec.2011
   Computer equipment | Computer | Apple | ARLANDA | 23.Dec.2011
   Computer equipment | Computer | Lenovo | ARLANDA | 23.Dec.2011
   Computer equipment | Computer | Dell E6400 | ARLANDA | 25.Dec.2011
   Computer equipment | Computer | Ipad | ARLANDA | 26.Dec.2011
   Computer equipment | Computer | Lenovo ThinkPad | GARDERMOEN | 23.Dec.2011
   Computer equipment | Computer | Acer | GARDERMOEN | 23.Dec.2011
   Computer equipment | Computer | emachines | GARDERMOEN | 24.Dec.2011
   Computer equipment | Computer | Apple | GARDERMOEN | 25.Dec.2011
   Computer equipment | Computer | Dell Adamo XPS Laptop | HEATHROW | 23.Dec.2011
   Computer equipment | Computer | Dell Latitude E6410 | HEATHROW | 23.Dec.2011
   Computer equipment | Computer | iPad2 | HEATHROW | 23.Dec.2011
   Computer equipment | Computer | Dell | HEATHROW | 23.Dec.2011
   Computer equipment | Computer | HP laptop | HEATHROW | 23.Dec.2011
   Computer equipment | Computer | Sony vaio | HEATHROW | 24.Dec.2011
   Computer equipment | Computer | Sony vaio | HEATHROW | 24.Dec.2011
   Computer equipment | Computer | MacBook Air | HEATHROW | 24.Dec.2011
   Computer equipment | Computer | Apple MacBook Pro | HEATHROW | 24.Dec.2011
   Computer equipment | Computer | HP | HEATHROW | 24.Dec.2011
   Computer equipment | Computer | Acer | HEATHROW | 26.Dec.2011
   Computer equipment | Computer | Apple MacBook Air | HEATHROW | 26.Dec.2011
   Computer equipment | Computer equipment/Various | iPad | HEATHROW | 23.Dec.2011
   Computer equipment | Computer equipment/Various | Lenovo T400 | HEATHROW | 23.Dec.2011
   Computer equipment | Computer equipment/Various | iPad | HEATHROW | 24.Dec.2011
   Computer equipment | Computer equipment/Various | iPad | HEATHROW | 24.Dec.2011
   Computer equipment | Computer equipment/Various | Logitech | HEATHROW | 24.Dec.2011
   Computer equipment | Computer equipment/Various | Padini | HEATHROW | 24.Dec.2011
   Computer equipment | Computer equipment/Various | HP Compaq 2510p | HEATHROW | 24.Dec.2011
   Computer equipment | Computer equipment/Various | Macbook pro | HEATHROW | 24.Dec.2011
   Computer equipment | Computer equipment/Various | Sony | HEATHROW | 24.Dec.2011
   Computer equipment | Computer equipment/Various | Amazon Kindle | HEATHROW | 26.Dec.2011
   Computer equipment | Computer equipment/Various | Eee PC 1000H | HEATHROW | 26.Dec.2011
   Computer equipment | Computer equipment/Various | Ipad | HEATHROW | 26.Dec.2011
   Computer equipment | Computer equipment/Various | Targus | HEATHROW | 26.Dec.2011
   Computer equipment | Computer equipment/Various | Samsung NP-N145_JP03UK | HEATHROW | 26.Dec.2011
11. Bitlocker Modes
   • Basic Mode:
     - TPM only
   • Advanced Modes:
     - TPM + PIN
     - TPM + USB Dongle
     - USB Dongle
     - TPM + PIN + USB Dongle
12. Windows 8 And Bitlocker
   • Pre-encrypt, ask for PIN on first logon
   • Only encrypt sectors with data
   • Bitlocker Network Unlock
13. Bitlocker Is Vulnerable When:
   • The disk has not yet been fully encrypted
   • You don't use a PIN
     • Especially if the computer has, or might get:
       • Firewire
       • Thunderbolt
   • Fake BIOS startup (to capture the PIN)
14. Important To Do
   • Use Bitlocker
   • Use a PIN
   • Change the PIN
   • Disable the possibility to use
     - Firewire
     - Thunderbolt
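An added example, not part of the deck, that audits one volume against the "Important To Do" list above by parsing the output of manage-bde -status (the protector names it looks for are the ones manage-bde prints, matching the modes on slide 11). It assumes manage-bde.exe is available (Windows 7 / Server 2008 R2 and later) and an elevated PowerShell session.

```powershell
# Added example, not from the slides: audit one volume against the
# "Important To Do" list by parsing the output of manage-bde -status.
# Assumes manage-bde.exe is available (Windows 7 / Server 2008 R2 and later)
# and that the script runs in an elevated PowerShell session.
function Get-BdeVolumeState {
    param([string]$Drive = 'C:')
    $text = (& manage-bde.exe -status $Drive 2>&1) -join "`n"
    $field = {
        param([string]$Label)
        $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(.+?)\s*$'
        if ($text -match $pattern) { $Matches[1] } else { $null }
    }
    # Protector names are listed on their own lines after "Key Protectors:"
    $protectors = @()
    if ($text -match '(?s)Key Protectors:\s*\n(.*)$') {
        $protectors = @($Matches[1] -split "`n" |
            ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    [pscustomobject]@{
        Drive            = $Drive
        ConversionStatus = & $field 'Conversion Status'
        PercentEncrypted = & $field 'Percentage Encrypted'
        ProtectionStatus = & $field 'Protection Status'
        KeyProtectors    = $protectors
    }
}

function Test-BdeBaseline {
    param([pscustomobject]$State)
    $findings = @()
    # Slide 13: a partially encrypted disk still holds clear-text sectors
    if ($State.ConversionStatus -ne 'Fully Encrypted') {
        $findings += "Not fully encrypted ($($State.PercentEncrypted))"
    }
    if ($State.ProtectionStatus -ne 'Protection On') {
        $findings += 'Protection is off or suspended'
    }
    # Slide 11 modes: only the "TPM And PIN..." protectors satisfy "Use a PIN"
    if (-not ($State.KeyProtectors | Where-Object { $_ -like 'TPM And PIN*' })) {
        $findings += 'No PIN protector (TPM-only or key-only unlock)'
    }
    if ($State.KeyProtectors -notcontains 'Numerical Password') {
        $findings += 'No recovery password protector to escrow'
    }
    return $findings
}

$state  = Get-BdeVolumeState -Drive 'C:'
$issues = Test-BdeBaseline -State $state
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host "$($state.Drive): fully encrypted, protection on, TPM+PIN in use" }
```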
15. If You Can't Use Bitlocker Yet
16. Bitlocker Requirements
   • A computer running:
     • Windows 7 Enterprise (x86/x64)
     • Windows 7 Ultimate (x86/x64)
     • Windows Server 2008 R2
   • With TPM:
     • A Trusted Computing Group (TCG)-compliant BIOS
     • TPM microchip version 1.2 (turned on)
     • TPM must be resettable from the operating system
   • Removable Storage:
     • USB
     • Floppy
     • Memory Card
17. Enable Bitlocker On A Virtual Machine For TESTING:
   1. Set "Allow Bitlocker without compatible TPM" in a GPO
   2. Create a virtual floppy disk
   3. Enable Bitlocker with «manage-bde»:
      cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:
   4. Restart and it will start to encrypt
18. http://olavtvedt.blogspot.com/2012/01/running-bitlocker-on-virtual-computer.html
   http://vninja.net/virtualization/creating-virtual-floppy-vsphere/
19. THE VANILLA TASTE: BITLOCKER WITHOUT MBAM
20. Enabling Bitlocker Server Side
   • On the Schema Master:
     C:\Temp\Bitlocker Scrip>ldifde -i -v -f BitLockerTPMSchemaExtension.ldf -c "DC=X" "DC=DomainName,DC=com" -k -j .
   • On any DC:
     cscript Add-TPMSelfWriteACE.vbs
21. Enabling Bitlocker Client Side
   • During deployment
     • Best way, but some «challenges»
   • After deployment
     • Manual or script
22. Management
   • Script
   • Active Directory Users And Computers
   • ADSI Edit
   • No Feedback
   • No Reporting
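An added example, not part of the deck, of the "Script" management option above for Bitlocker without MBAM: it reports, per computer, whether a recovery password has been escrowed to Active Directory after the schema extension and self-write ACE from slide 20, without displaying any password. It assumes the ActiveDirectory RSAT module and an account with read access to the msFVE-RecoveryInformation objects.

```powershell
# Added example, not from the slides: the "Script" management option for
# vanilla BitLocker. Lists, per computer, whether a recovery password has been
# escrowed to Active Directory, without ever displaying the password itself.
# Assumes the ActiveDirectory RSAT module and an account with read access to
# the msFVE-RecoveryInformation objects (delegated per the TechNet guide).
Import-Module ActiveDirectory

function Get-BdeEscrowReport {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($c in Get-ADComputer -Filter * -SearchBase $SearchBase) {
        # Recovery information is stored as child objects of the computer object;
        # each object name embeds the escrow time and the recovery password ID.
        $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
                    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
                    -Properties whenCreated)
        $latest = $keys | Sort-Object whenCreated -Descending | Select-Object -First 1
        $latestTime = $null
        if ($latest) { $latestTime = $latest.whenCreated }
        [pscustomobject]@{
            Computer     = $c.Name
            EscrowedKeys = $keys.Count
            LatestEscrow = $latestTime
            HasEscrow    = $keys.Count -gt 0
        }
    }
}

# "No Feedback / No Reporting": AD only shows that a key was escrowed at some
# point, not whether the volume is still encrypted today; MBAM adds that state.
Get-BdeEscrowReport | Sort-Object HasEscrow, Computer | Format-Table -AutoSize
```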
23. And Always Remember!!!
24. Bitlocker Links
   • BitLocker Drive Encryption Step-by-Step Guide for Windows 7
     http://technet.microsoft.com/en-us/library/dd835565(WS.10).aspx
   • Using the BitLocker Repair Tool to Recover a Drive
     http://technet.microsoft.com/en-us/library/ee523219(WS.10).aspx
   • BitLocker Deployment Sample Resources
     http://archive.msdn.microsoft.com/bdedeploy
   • BitLocker Drive Encryption Configuration Guide: Backing Up BitLocker and TPM Recovery Information to Active Directory
     http://technet.microsoft.com/en-us/library/cc766015(WS.10).aspx
   • Windows Trusted Platform Module Management Step-by-Step Guide
     http://technet.microsoft.com/en-us/library/cc749022(WS.10).aspx
   • BitLocker Drive Encryption Deployment Guide for Windows 7
     http://technet.microsoft.com/en-us/library/dd875547(WS.10).aspx
25. Microsoft BitLocker Administration and Monitoring (MBAM): BITLOCKER WITH MBAM
26. MDOP supporting Flexible Workstyle
   • Application Virtualization (App-V): Turns applications into centrally managed services that are never installed, never conflict, and are streamed on-demand to end users.
   • Asset Inventory Service (AIS): A hosted service that collects software inventory data and translates it into actionable business intelligence.
   • Diagnostics and Recovery Toolset (DaRT): Reduces downtime by accelerating the troubleshooting, repair, and data recovery of unbootable Windows-based desktops.
   • Microsoft Enterprise Desktop Virtualization (MED-V): Provides application continuity during Windows migrations, allowing legacy applications to run in virtual machine-based compatibility workspaces.
   • Advanced Group Policy Management (AGPM): Enhances governance and control over Group Policy through robust change management, versioning, and role-based administration.
   • BitLocker Administration and Monitoring (MBAM): Makes BitLocker easier and more cost-effective to manage by simplifying deployment and provisioning, improving compliance, and minimizing support efforts.
27. What is Microsoft BitLocker Administration and Monitoring (MBAM)?
   • MBAM builds on the BitLocker data protection offering in Windows 7 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.
   GOALS ARE:
   1. Simplify provisioning and deployment
   2. Provide reporting (e.g.: compliance & audit)
   3. Reduce support costs (e.g.: improved recovery)
28. Prerequisites For Server
   • Operating System:
     Windows Server 2008 SP2 (x86/x64)
     Windows Server 2008 R2
   • Database:
     • Compliance and Audit Report Server
       • Microsoft SQL Server 2008 R2 Std/Ent/Dev
     • Recovery and Hardware Database Server
       • Microsoft SQL Server 2008 R2 Enterprise only
       • Security reason: Transparent Data Encryption (TDE)
29. Installing MBAM
   • Single-computer configuration
     • Everything on a single server. Supported, but only recommended for testing purposes.
   • Three-computer configuration
     • Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on a server
     • Administration and Monitoring Server feature is installed on a server
     • Group Policy template is installed on a server or client computer
   • Five-computer configuration
     • Each server feature is installed on dedicated computers:
       • Recovery and Hardware Database
       • Compliance Status Database
       • Compliance and Audit Reports
       • Administration and Monitoring Server
     • Group Policy Template is installed on a server or client computer
30. Installing MBAM
   • Or in most cases 2 computers
     • 1 SQL
     • 1 MBAM w/Group Policy Template
       • Needs to have GPMC installed
   Group Policy Template Server?
31. Prerequisites For Clients
   • A computer running:
     • Windows 7 Enterprise (x86/x64)
     • Windows 7 Ultimate (x86/x64)
   • A Trusted Computing Group (TCG)-compliant BIOS
   • TPM microchip version 1.2 (turned on)
   • TPM must be resettable from the operating system
32. MBAM Client
   • Encrypt volumes BEFORE a user receives the computer
     • Works with Windows 7 deployment tools (MDT/SCCM)
     • Client can:
       • Manage TPM reboot process
       • Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
       • Recovery key escrow can be bypassed and then escrowed when user first logs on
     • Best Practice
   • Encrypt volumes AFTER a user receives a computer
     • Client provides a policy-driven experience
     • Client will manage TPM reboot process
     • Standard or Admin users can encrypt
     • Only use when unencrypted machines appear on the network
33. MBAM Policy Settings
   • A superset of BitLocker policies
   • New MBAM Policies
     • Policy for Fixed Disk Volume Auto-unlock
     • Hardware capability check before encryption
     • Allow user to request an exemption
     • Interval at which the client verifies policy compliance (default = 90 min)
   • Policy location:
     • Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
34. Client Experience
35. Client Troubleshooting
   BdeHdCfg.exe -target c: shrink -size 300 -quiet -restart
   http://support.microsoft.com/kb/933246
36. Hardware Capability Management
   • Some older computers may not properly support TPM
   • To ensure those computers aren't encrypted, a feature is included that can be used to define which computers are BitLocker capable
   • How you turn it on:
     • Group Policy setting so the client checks before encryption starts
     • From the Central Console, define computers that are capable or not
37. How It Works
   1. New computer discovered, info added to central HW list
   2. State needs to be modified on the website by an operator with permissions
   3. When the feature is enabled, only compatible computers will be encrypted
   4. MBAM client checks compatibility before encrypting (Make/Model/BIOS version)
38. Troubleshooting:
   • "HKLM\Software\Microsoft\MBAM"
     Create DWORD "NoStartupDelay" value=1
     Create DWORD "DisableMachineVerification" value=1
   • Prevent delay of hardware compatibility checking: delete these 2 values and restart the MBAM agent:
     HKLM\software\microsoft\MBAM\HWExemptionTimer
     HKLM\software\microsoft\MBAM\HWExemptionType
     HWExemptionType values are 0=unknown, 1=incompatible, 2=compatible
   • MBAM fails to start encrypting the disk:
     %windir%\system32\bdeHdCfg.exe -target default -size 300 -quiet
   http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/9e6dc763-03e5-421c-b0c5-33ca89477880
   http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/ecd17002-0f06-4a62-845c-920442adb2b5
   http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/0f62a250-2eb7-4e9a-aab8-bc4cafb6f71a
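An added example, not part of the deck, that reads the MBAM client's cached hardware compatibility decision from the registry values on slide 38, translates HWExemptionType with the 0/1/2 meanings given there, and can clear the two values and restart the agent to force a fresh check. The registry path comes from the slide; the agent service name MBAMAgent is an assumption, and an elevated session is required.

```powershell
# Added example, not from the slides: read the MBAM client's cached hardware
# compatibility decision and, when asked, clear it so the agent re-checks.
# Assumes the MBAM registry path from slide 38; the agent service name
# "MBAMAgent" is an assumption. Run in an elevated session.
$MbamKey = 'HKLM:\Software\Microsoft\MBAM'
$ExemptionMeaning = @{ 0 = 'unknown'; 1 = 'incompatible'; 2 = 'compatible' }

function Get-MbamHwExemptionState {
    $k = Get-ItemProperty -Path $MbamKey -ErrorAction SilentlyContinue
    $meaning = 'not yet evaluated'
    if ($null -ne $k.HWExemptionType) {
        $meaning = $ExemptionMeaning[[int]$k.HWExemptionType]
    }
    [pscustomobject]@{
        HWExemptionType            = $k.HWExemptionType
        Meaning                    = $meaning
        HWExemptionTimer           = $k.HWExemptionTimer
        NoStartupDelay             = $k.NoStartupDelay
        DisableMachineVerification = $k.DisableMachineVerification
    }
}

function Reset-MbamHwExemption {
    # Slide 38: deleting these two values and restarting the agent forces a
    # fresh make/model/BIOS check against the central hardware list.
    foreach ($name in 'HWExemptionTimer', 'HWExemptionType') {
        Remove-ItemProperty -Path $MbamKey -Name $name -ErrorAction SilentlyContinue
    }
    Restart-Service -Name 'MBAMAgent'   # assumed service name
}

$state = Get-MbamHwExemptionState
$state
if ($state.Meaning -eq 'incompatible') {
    Write-Warning 'Client is marked incompatible; encryption will not start until the central HW list says otherwise.'
}
if ($state.DisableMachineVerification -eq 1) {
    Write-Warning 'DisableMachineVerification=1 bypasses the hardware check; intended for troubleshooting only.'
}
```

Call Reset-MbamHwExemption only after the operator has updated the computer's state on the MBAM website (slide 37), otherwise the client will simply cache the same answer again.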
39. Compliance and Reporting
   Need to know how effective your rollout is, or how compliant your company is?
   Who and when have keys been accessed, and when has new hardware been added?
   Need to know the last known state of a lost computer?
   • MBAM agent collects and passes data to the reporting server
     • All clients pass this up, encrypted or not
     • IT can clarify WHY a computer is not compliant
   • Built on SQL Server® Reporting Services (SSRS), it gives you the flexibility to add your own reports
40. Troubleshooting/Speeding Up Reporting:
   http://support.microsoft.com/default.aspx?scid=kb;EN-US;2620269
41. Central Storage of Recovery Key
   • Recovery Key(s) are escrowed
     • Operating System Volume
     • Fixed Data Volumes
     • Removable Data Volumes
     • Stored outside of Microsoft Active Directory®
   • 3-Tier Architecture
     • DB encrypted with SQL Server's Transparent Data Encryption
     • Web Service API to build org-specific solutions
     • All logging and authorization are done at the web service layer to ensure parity for custom apps
42. Helpdesk Key Recovery UI
   • MBAM provides a web page for helpdesk functionality
     • Provide BitLocker Recovery Key for authorized users
     • Provide TPM unlock package for authorized users
     • All requests (successful or not) are logged: who, when, which volume
   • Role-based authorization model to get recovery info
     • Tier 1: Helpdesk needs to have a person/key match
     • Tier 2: Key ID is sufficient (limited role)
   • Create your own custom page leveraging the web service layer
43. Single Use Recovery Keys
   • Once a BitLocker Recovery key has been exposed, the client will create a new one
     • As part of regular client/server communication, the client checks to see if the Recovery Key has been exposed
     • MBAM client will create a new one
     • Transparent to the user
   • Recovery Keys are created once a volume is unlocked
44. MBAM Links
   • Getting Started With MBAM
     http://onlinehelp.microsoft.com/mdop/hh285638.aspx
   • Deploying MBAM
     http://onlinehelp.microsoft.com/mdop/hh285644.aspx
   • Operations for MBAM
     http://onlinehelp.microsoft.com/mdop/hh285664.aspx
   • Troubleshooting MBAM
     http://onlinehelp.microsoft.com/mdop/hh352745.aspx
   • Downloadable MBAM technical documentation
     http://www.microsoft.com/download/details.aspx?id=27555
45. Friday
   16:25: EDB Ergogroup Stand
   Saturday
   10:05: Windows 8, What's The Fuzz All About, Auditorium 6
   15:05: DaRT Flash Talk, Microsoft/HP Stand
   16:25: EDB Ergogroup Stand
   Blog: olavtvedt.blogspot.com. Twitter: @olavtwitt