7. Bitlocker Modes
Basic Mode:
• TPM only
• Password Mode (Windows 8)
Advanced Modes:
• TPM + PIN
• TPM + USB Dongle
• USB Dongle
• TPM + PIN + USB Dongle
8. BitLocker Is Vulnerable When:
• The Disk Has Not Yet Been Totally Encrypted
• You Don't Use A PIN
Especially If The Computer Has Or Might Get:
- Firewire
- Thunderbolt
• Fake BIOS Startup (To Get PIN)
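Added example, not from the original slides: a check that reports, for each BitLocker OS volume, which mode from slide 7 is configured and flags the two slide 8 conditions (encryption not finished, no PIN). It assumes an elevated PowerShell on Windows 7/8 and uses the Win32_EncryptableVolume WMI class; the function name Get-BitLockerOsVolumeRisk is this example's own.

```powershell
# Added example, not from the original slides. Needs an elevated PowerShell.
$ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'

# KeyProtectorType codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$modeName = @{
    1 = 'TPM only'; 2 = 'USB Dongle (external key)'; 3 = 'Recovery password'
    4 = 'TPM + PIN'; 5 = 'TPM + USB Dongle'; 6 = 'TPM + PIN + USB Dongle'
    7 = 'Certificate'; 8 = 'Password'
}
# Protector types that demand a secret at boot (PIN or Windows 8 password)
$preBootSecret = 4, 6, 8

function Get-BitLockerOsVolumeRisk {
    # VolumeType 0 = operating system volume
    $osVolumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume |
        Where-Object { $_.VolumeType -eq 0 }
    foreach ($vol in $osVolumes) {
        # ConversionStatus: 0 decrypted, 1 fully encrypted, 2 encrypting,
        # 3 decrypting, 4 encryption paused, 5 decryption paused
        $conv  = $vol.GetConversionStatus().ConversionStatus
        $types = @()
        foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
            $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        }
        $findings = @()
        if ($conv -ne 1) { $findings += 'disk not yet fully encrypted' }
        if (-not ($types | Where-Object { $preBootSecret -contains $_ })) {
            $findings += 'no PIN/password protector (key released by TPM alone)'
        }
        [PSCustomObject]@{
            Volume    = $vol.DriveLetter
            Modes     = ($types | ForEach-Object { $modeName[$_] }) -join ', '
            Encrypted = ($conv -eq 1)
            Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}
Get-BitLockerOsVolumeRisk | Format-Table -AutoSize
```

The DMA exposure via FireWire/Thunderbolt cannot be read from WMI; treat any volume listed with "no PIN/password protector" as the case the slide warns about.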
9. BitLocker Requirements
• A computer running:
• Windows 7 Enterprise/Ultimate
• Windows 8 Pro/Enterprise
• Windows Server 2008 R2
• Windows Server 2012
• With TPM
• A Trusted Computing Group (TCG)-compliant BIOS
• TPM microchip version 1.2 (turned on)
• TPM must be resettable from the operating system
• Removable Storage
• USB
• Floppy
• Memory Card
10. Enable Bitlocker On A Virtual Machine For TESTING:
1. Set “Allow Bitlocker without compatible TPM” In a GPO
2. Create a virtual floppy disk
3. Enable bitlocker with «manage-bde»
cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:
4. Restart and it will start to encrypt
Windows 8 can run with a password directly in a virtual environment
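Added example, not from the original slides: the four test-VM steps above as one script that verifies the GPO from step 1 has actually applied before calling manage-bde. It assumes the virtual floppy from step 2 is mounted as A:, an elevated PowerShell on the VM, and that the policy is represented by the EnableBDEWithNoTPM and UseAdvancedStartup values under HKLM\SOFTWARE\Policies\Microsoft\FVE.

```powershell
# Added example, not from the original slides. Run elevated inside the test VM.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$pol = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue

# Step 1 check: "Allow BitLocker without compatible TPM" sets both values to 1
if ($pol.UseAdvancedStartup -ne 1 -or $pol.EnableBDEWithNoTPM -ne 1) {
    throw "GPO 'Allow BitLocker without compatible TPM' not applied; run gpupdate /force and retry"
}
# Step 2 check: the startup key (-sk) has to land on the virtual floppy
if (-not (Test-Path 'A:\')) { throw 'No virtual floppy mounted as A:' }

# Step 3: recovery password (-rp) plus startup key on A: (-sk), as on the slide.
# manage-bde is an .exe on Windows 7/8; the slide's cscript manage-bde.wsf form is the older equivalent.
& manage-bde -on C: -RecoveryPassword -StartupKey A:
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Record the 48-digit recovery password BEFORE the restart in step 4
& manage-bde -protectors -get C: -Type RecoveryPassword

# Step 4: after the restart encryption runs in the background; watch it with
& manage-bde -status C:
```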
12. BitLocker News In Windows 8
Overview
• Support for failover cluster and SAN storage.
• BitLocker pre-provisioning
• Used disk space-only encryption
• Standard user PIN and password selection
• Bitlocker Network Unlock
13. BitLocker News In Windows 8
BitLocker pre-provisioning
• Enable BitLocker before OS is installed
• Random encryption key stored unprotected
• Needs to be activated to protect key
15. What is Microsoft BitLocker Administration
and Monitoring (MBAM)?
MBAM builds on the BitLocker data protection offering in Windows 7 by
providing IT professionals with an enterprise-grade solution for BitLocker
provisioning, monitoring, and key recovery.
GOALS ARE:
1. Simplify provisioning and deployment
2. Provide reporting (e.g.: compliance & audit)
3. Reduce support costs (e.g.: improved recovery)
16. Prerequisites For Server
Operating System:
Windows Server 2008 SP2 (x86/x64)
Windows Server 2008 R2
Windows Server 2012 (Some issues with web in beta)
Database:
Compliance and Audit Report Server
Microsoft SQL Server 2008 R2 Std/Ent/Dev
Recovery and Hardware Database Server
Microsoft SQL Server 2008 R2 Enterprise Only
Security reason: Transparent Data Encryption (TDE), which requires the Enterprise edition
17. Installing MBAM
• Single computer configuration
- Everything on a single server.
- Supported, but only recommended for testing purposes.
• Three-computer configuration
- Recovery and Hardware Database, Compliance Status Database, and Compliance and
Audit Reports features are installed on a server
- Administration and Monitoring Server feature is installed on a server
- Group Policy template is installed on a server or client computer.
• Five-computer configuration
Each server feature is installed on dedicated computers:
- Recovery and Hardware Database
- Compliance Status Database
- Compliance and Audit Reports
- Administration and Monitoring Server
- Group Policy Template is installed on a server or client computer
18. Prerequisites For Clients
• A computer running:
- Windows 7 Enterprise/Ultimate
- Windows 8 Enterprise (Pro will work but not covered with SA license)
• A Trusted Computing Group (TCG)-compliant BIOS
• TPM microchip version 1.2 (turned on)
• TPM must be resettable from the operating system
19. MBAM Client
Encrypt volumes BEFORE a user receives the computer
Works with Windows 7 deployment tools (MDT/SCCM)
Client can:
Manage TPM reboot process
Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
Recovery key escrow can be bypassed and then escrowed when user first logs on
Best Practice
Encrypt volumes AFTER a user receives a computer
Client provides a policy-driven experience
Client will manage TPM reboot process
Standard or Admin users can encrypt
Only use when unencrypted machines appear on the network
20. MBAM Policy Settings
A superset of BitLocker policies
New MBAM Policies
Policy for Fixed Disk Volume Auto-unlock
Hardware capability check before encryption
Allow user to request an exemption
Interval at which the client verifies policy compliance (default = 90 min)
Policy location:
Computer Configuration > Administrative Templates > Windows
Components > MDOP MBAM (BitLocker Management)
22. Compliance and Reporting
• MBAM agent collects and passes data to reporting server
(All clients pass this up, encrypted or not. IT can clarify WHY a computer is not compliant)
• Built on SQL Server® Reporting Services (SSRS), it gives
you flexibility to add your own reports
Need to know how effective your rollout is, or how compliant your company is?
Who and when keys have been accessed, and when new hardware has been added?
Need to know the last known state of a lost computer?
23. Central Storage of Recovery Key
Recovery Key(s) are Escrowed
Operating System Volume
Fixed Data Volumes
Removable Data Volumes
Stored outside of Microsoft Active Directory®
3-Tier Architecture
DB encrypted with SQL Server's Transparent Data Encryption
Web Service API to build org-specific solutions
All logging and authorization are done at the web service layer to ensure parity for custom apps
24. Helpdesk Key Recovery UI
MBAM provides a web page for helpdesk functionality
Provide BitLocker Recovery Key for authorized users
Provide TPM unlock package for authorized users
All requests (successful or not) are logged:
who, when, which volume
Role based authorization model to get recovery info
Tier 1: Helpdesk needs to have a person/key match
Tier 2: Key ID is sufficient (limited role)
Create your own custom page leveraging web service layer
25. Single Use Recovery Keys
Once a BitLocker Recovery Key has been exposed,
the client will create a new one
As part of regular client/server communication, the client checks to
see if the Recovery Key has been exposed
MBAM client will create a new one
Transparent to user
Recovery Keys are created once a volume is unlocked
27. BitLocker With MBAM And SCCM
Overview
• Eliminates MBAM compliance infrastructure, view
compliance status and reports in SCCM Console.
• Setup integrates three elements in SCCM:
Desired Configuration Management Components
Two Configuration items / CIs
One Baseline
One Collection
Four Reports
28. BitLocker With MBAM And SCCM
Integration Components explained
• Collection, evaluated every 12 hours, finds computers that have a
supported OS (Win7 Ent/Ult and Win8), are physical
and have TPM 1.2 or higher.
• Configuration Baseline verifies compliance based
on what is defined in Group Policy.
• The CIs collect details and evaluate compliance
status for computers.
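Added example, not from the original slides or the MBAM/SCCM integration itself: a local evaluation of the three collection criteria above (supported OS, physical machine, TPM 1.2 or higher) using the WMI classes SCCM inventories, including Win32_Tpm, the class slide 30 says must be enabled. The function name Test-MbamCollectionCriteria and the manufacturer/model pattern used for the "physical" test are this example's own assumptions.

```powershell
# Added example, not from the original slides. Run elevated (Win32_Tpm needs admin).
function Test-MbamCollectionCriteria {
    $os  = Get-WmiObject Win32_OperatingSystem
    $cs  = Get-WmiObject Win32_ComputerSystem
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    # Win7 Ent/Ult = version 6.1 with those editions; any Win8 client = 6.2
    # (ProductType 1 = workstation, so servers are excluded)
    $osOk = ($os.Version -like '6.2*' -and $os.ProductType -eq 1) -or
            ($os.Version -like '6.1*' -and $os.Caption -match 'Enterprise|Ultimate')

    # Approximation (assumption of this example): virtual platforms identify
    # themselves in the reported manufacturer/model strings
    $virtualPattern = 'VMware|Virtual|VirtualBox|Xen|KVM|QEMU|Parallels'
    $physical = -not (($cs.Manufacturer + ' ' + $cs.Model) -match $virtualPattern)

    # Win32_Tpm.SpecVersion looks like "1.2, 2, 3"; first field is the spec version
    $tpmVersion = if ($tpm) { [double](($tpm.SpecVersion -split ',')[0].Trim()) } else { 0 }
    $tpmOk = $tpmVersion -ge 1.2

    [PSCustomObject]@{
        ComputerName = $cs.Name
        SupportedOS  = $osOk
        Physical     = $physical
        TpmVersion   = $tpmVersion
        TpmEnabled   = if ($tpm) { [bool]$tpm.IsEnabled_InitialValue } else { $false }
        InCollection = ($osOk -and $physical -and $tpmOk)
    }
}
Test-MbamCollectionCriteria | Format-List
```

A computer that reports InCollection = False here will not be targeted by the MBAM baseline, which explains many "missing from the compliance reports" cases before touching the SCCM side.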
29. BitLocker With MBAM And SCCM
Reports explained
• BitLocker Computer Compliance
Look at individual computer status of compliance
• BitLocker Enterprise Compliance Dashboard
Four views: Compliance status, Non-Compliant – error distribution,
Compliance status by drive type, Top 10 non compliant hardware
• BitLocker Enterprise Compliance Details
Compliance status of the Enterprise
• BitLocker Enterprise Compliance Summary
Summary of each Computer’s state with drill-down based on state.
30. BitLocker With MBAM And SCCM
Installation
• Make sure MBAM server and databases are in
working order, then on SCCM server(s):
• Edit configuration.mof and import sms_def.mof
Look at documentation here:
https://connect.microsoft.com/MDOPTAP
• Enable the Win32_Tpm class
31. BitLocker With MBAM And SCCM
Installation
• Start ServerMBAMsetup.exe, and after initial steps,
choose Topology System Center Configuration
Manager Integration:
32. BitLocker With MBAM And SCCM
Installation
• Provided the other features are up and running on
other servers, choose only System Center CM
Integration feature:
33. BitLocker With MBAM And SCCM
Task Sequence
• With SCCM SP1 BitLocker support for Windows 8
and Server 2012 has been added to the Task
Sequence.
• In the Client Settings you can choose to Suspend
BitLocker PIN entry on restart.
34. THE END!
Olav Tvedt (Consigliore) and Reidar Johansen (Senior Infrastructure Consultant)
STEP Member, MVP Setup & Deployment