Managing bitlocker with MBAM
A look at Microsoft Desktop Optimization Pack's MBAM for administering and managing BitLocker computers

Published in: Technology
Comments (2)
  • Hi,
    I tested MBAM and my tables in Computer compliance status are empty. I don't have any reports. Please help me!
  • Nice SlideShare :)
Transcript of "Managing bitlocker with MBAM"

  1. Managing BitLocker With MBAM
     Olav Tvedt, Consigliore, STEP Member, MVP Setup & Deployment
     Reidar Johansen, Senior Infrastructure Consultant
  2. AGENDA
     • What Is BitLocker
     • Why Use Disk Encryption
     • BitLocker News In Windows 8
     • BitLocker With MBAM
     • BitLocker With MBAM And SCCM
  3. What Is BitLocker
  4. What Is BitLocker
     Encrypts:
     • Operating System Drive
     • Fixed Data Drive
     • Removable Data Drive
     Checks After Changes:
     • BIOS
     • System/Startup Files
  5. Why Use Disk Encryption?
  6. BitLocker Modes
     Basic Mode:
     • TPM only
     • Password Mode (Windows 8)
     Advanced Modes:
     • TPM + PIN
     • TPM + USB Dongle
     • USB Dongle
     • TPM + PIN + USB Dongle
  7. BitLocker Is Vulnerable When:
     • The disk has not yet been fully encrypted
     • You don't use a PIN, especially if the computer has or might get:
       - FireWire
       - Thunderbolt
     • Fake BIOS startup (to get the PIN)
  8. BitLocker Requirements
     • A computer running:
       • Windows 7 Enterprise/Ultimate
       • Windows 8 Pro/Enterprise
       • Windows Server 2008 R2
       • Windows Server 2012
     • With TPM:
       • A Trusted Computing Group (TCG)-compliant BIOS
       • TPM microchip version 1.2 (turned on)
       • TPM must be resettable from the operating system
     • Removable Storage:
       • USB
       • Floppy
       • Memory Card
  9. Enable BitLocker On A Virtual Machine For TESTING:
     1. Set "Allow BitLocker without compatible TPM" in a GPO
     2. Create a virtual floppy disk
     3. Enable BitLocker with «manage-bde»:
        cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:
     4. Restart and it will start to encrypt
     Windows 8 can run with a password directly in a virtual environment
  10. http://olavtvedt.blogspot.com/2012/01/running-bitlocker-on-virtual-computer.html
      http://vninja.net/virtualization/creating-virtual-floppy-vsphere/
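The same four-step test-VM procedure as one script, added here as an example and not taken from the slides or the linked blog posts. It wraps the slide's manage-bde call and adds the step a practitioner wants before the first reboot: reading the numerical recovery password back out of the protector list and keeping a copy off the disk that is about to be encrypted. It assumes an elevated PowerShell prompt on Windows 7 or later, the "Allow BitLocker without compatible TPM" policy already applied, and a virtual floppy mounted as A:; the drive letters and backup path are parameters, not fixed values.

```powershell
# Added example (not from the original slides): run the slide's manage-bde
# step on a test VM and record the recovery password before rebooting.
# Assumptions: elevated PowerShell, Windows 7 or later, the GPO
# "Allow BitLocker without compatible TPM" in effect, virtual floppy at A:.
param(
    [string]$OsVolume        = 'C:',
    [string]$StartupKeyDrive = 'A:',
    # Keep the recovery password copy on the floppy, not on the volume being encrypted.
    [string]$KeyBackupPath   = "$StartupKeyDrive\recovery-password.txt"
)

# Windows 7 and later ship manage-bde.exe; the manage-bde.wsf script on the
# slide is the older Vista-era form and takes the same switches.
$mbde = Join-Path $env:SystemRoot 'System32\manage-bde.exe'
if (-not (Test-Path $mbde)) { throw "manage-bde.exe not found at $mbde" }

# Refuse to run on a volume that is already encrypted or mid-conversion.
$status = & $mbde -status $OsVolume | Out-String
if ($status -notmatch 'Conversion Status:\s*(.+)') {
    throw "Could not read BitLocker status for ${OsVolume}:`n$status"
}
$conversion = $Matches[1].Trim()
if ($conversion -ne 'Fully Decrypted') {
    throw "$OsVolume is '$conversion', expected 'Fully Decrypted'; nothing to do"
}

# Step 3 from the slide: turn BitLocker on with a recovery password (-rp)
# and a startup key written to the floppy (-sk).
& $mbde -on $OsVolume -RecoveryPassword -StartupKey $StartupKeyDrive
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Pull the 48-digit numerical password(s) out of the protector listing.
# On a test VM with no MBAM or AD escrow yet this copy is the only one; a VM
# that fails the startup-key check at boot is otherwise unrecoverable.
$protectors = & $mbde -protectors -get $OsVolume | Out-String
$recovery = [regex]::Matches($protectors, '(\d{6}-){7}\d{6}') | ForEach-Object { $_.Value }
if (-not $recovery) { throw "No numerical recovery password found for $OsVolume" }
Set-Content -Path $KeyBackupPath -Value $recovery
Write-Host "Recovery password saved to $KeyBackupPath"

# Step 4: restart. Encryption starts after the reboot; follow it with
# 'manage-bde -status C:' and watch the "Percentage Encrypted" line.
Restart-Computer -Confirm
```

The status check matters on a lab VM that gets reused: running `manage-bde -on` against a volume that is already encrypting only produces an error, and the script stops before it touches the protectors. On a production machine the recovery password would be escrowed by MBAM (slides 22 to 24) instead of being written to a file.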
  11. BitLocker News In Windows 8
      Overview:
      • Support for failover cluster and SAN storage
      • BitLocker pre-provisioning
      • Used disk space-only encryption
      • Standard user PIN and password selection
      • BitLocker Network Unlock
  12. BitLocker News In Windows 8
      BitLocker pre-provisioning:
      • Enable BitLocker before the OS is installed
      • Random encryption key stored unprotected
      • Needs to be activated to protect the key
  13. BITLOCKER WITH MBAM
      Microsoft BitLocker Administration and Monitoring (MBAM)
  14. What is Microsoft BitLocker Administration and Monitoring (MBAM)?
      MBAM builds on the BitLocker data protection offering in Windows 7 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.
      GOALS ARE:
      1. Simplify provisioning and deployment
      2. Provide reporting (e.g.: compliance & audit)
      3. Reduce support costs (e.g.: improved recovery)
  15. Prerequisites For Server
      Operating System:
      • Windows Server 2008 SP2 (x86/x64)
      • Windows Server 2008 R2
      • Windows Server 2012 (some issues with web in beta)
      Database:
      • Compliance and Audit Report Server: Microsoft SQL Server 2008 R2 Std/Ent/Dev
      • Recovery and Hardware Database Server: Microsoft SQL Server 2008 R2 Enterprise only
        Security reason: Transparent Data Encryption (TDE)
  16. Installing MBAM
      • Single-computer configuration
        - Everything on a single server.
        - Supported, but only recommended for testing purposes.
      • Three-computer configuration
        - Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on one server
        - Administration and Monitoring Server feature is installed on a server
        - Group Policy template is installed on a server or client computer
      • Five-computer configuration
        Each server feature is installed on a dedicated computer:
        - Recovery and Hardware Database
        - Compliance Status Database
        - Compliance and Audit Reports
        - Administration and Monitoring Server
        - Group Policy Template is installed on a server or client computer
  17. Prerequisites For Clients
      • A computer running:
        - Windows 7 Enterprise/Ultimate
        - Windows 8 Enterprise (Pro will work but is not covered by the SA license)
      • A Trusted Computing Group (TCG)-compliant BIOS
      • TPM microchip version 1.2 (turned on)
      • TPM must be resettable from the operating system
  18. MBAM Client
      Encrypt volumes BEFORE a user receives the computer (Best Practice):
      • Works with Windows 7 deployment tools (MDT/SCCM)
      • Client can:
        - Manage the TPM reboot process
        - Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
        - Bypass recovery key escrow and escrow the key when the user first logs on
      Encrypt volumes AFTER a user receives the computer:
      • Client provides a policy-driven experience
      • Client will manage the TPM reboot process
      • Standard or Admin users can encrypt
      • Only use when unencrypted machines appear on the network
  19. MBAM Policy Settings
      A superset of BitLocker policies
      New MBAM policies:
      • Policy for Fixed Disk Volume Auto-unlock
      • Hardware capability check before encryption
      • Allow user to request an exemption
      • Interval at which the client verifies policy compliance (default = 90 min)
      Policy location:
      Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
  20. Client Experience
  21. Compliance and Reporting
      • MBAM agent collects and passes data to the reporting server (all clients pass this up, encrypted or not, so IT can clarify WHY a computer is not compliant)
      • Built on SQL Server® Reporting Services (SSRS), which gives you the flexibility to add your own reports
      Questions the reports answer:
      • Need to know how effective your rollout is, or how compliant your company is?
      • Who has accessed keys and when, and when has new hardware been added?
      • Need to know the last known state of a lost computer?
  22. Central Storage of Recovery Key
      Recovery key(s) are escrowed for:
      • Operating System Volume
      • Fixed Data Volumes
      • Removable Data Volumes
      Stored outside of Microsoft Active Directory®
      3-tier architecture
      DB encrypted with SQL Server's Transparent Data Encryption
      Web service API to build org-specific solutions
      All logging and authorization are done at the web service layer to ensure parity for custom apps
  23. Helpdesk Key Recovery UI
      MBAM provides a web page for helpdesk functionality:
      • Provide BitLocker Recovery Key for authorized users
      • Provide TPM unlock package for authorized users
      • All requests (successful or not) are logged: who, when, which volume
      Role-based authorization model to get recovery info:
      • Tier 1: Helpdesk needs to have a person/key match
      • Tier 2: Key ID is sufficient (limited role)
      Create your own custom page leveraging the web service layer
  24. Single Use Recovery Keys
      Once a BitLocker recovery key has been exposed, the client will create a new one:
      • As part of regular client/server communication, the client checks to see if the recovery key has been exposed
      • The MBAM client will create a new one
      • Transparent to the user
      Recovery keys are created once a volume is unlocked
  25. BitLocker With MBAM And SCCM
      Overview:
      • Eliminates the MBAM compliance infrastructure; view compliance status and reports in the SCCM Console.
      • Setup integrates three elements in SCCM:
        - Desired Configuration Management components
        - Two Configuration Items / CIs
        - One Baseline
        - One Collection
        - Four Reports
  26. BitLocker With MBAM And SCCM
      Integration components explained:
      • Collection: every 12 hours, finds computers that run a supported OS (Win7 Ent/Ult and Win8), are physical, and have TPM 1.2 or higher.
      • Configuration Baseline: verifies compliance based on what is defined in Group Policy.
      • The CIs collect details and evaluate compliance status for computers.
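To see what the three collection criteria above mean on a concrete machine, here is an added PowerShell function (my own, not part of MBAM or its SCCM integration) that evaluates one computer against them using the same WMI classes an SCCM hardware inventory reads, including the Win32_Tpm class that slide 28 tells you to enable. The OS test follows the slide (Windows 7 Enterprise/Ultimate or Windows 8); the "is physical" test is a model-string heuristic I chose, and the real collection query is not shown on the slide, so treat both the hypervisor list and the function name as assumptions.

```powershell
# Added example, not from the slides or from MBAM/SCCM. Evaluates one
# machine against the collection criteria listed on the slide: supported OS,
# physical hardware, TPM 1.2 or higher. Get-WmiObject is used because it is
# available on the Windows 7 era clients the slide targets.
function Test-MbamCollectionMembership {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
    $cs = Get-WmiObject -Class Win32_ComputerSystem  -ComputerName $ComputerName

    # Windows 7 is NT 6.1 (Enterprise/Ultimate only), Windows 8 is NT 6.2.
    $win7Ok = ($os.Version -like '6.1.*') -and ($os.Caption -match 'Enterprise|Ultimate')
    $win8Ok = $os.Version -like '6.2.*'
    $supportedOs = $win7Ok -or $win8Ok

    # Heuristic (assumption, not MBAM's rule): common hypervisor model strings.
    $isPhysical = -not ($cs.Model -match 'Virtual Machine|VMware|VirtualBox|HVM domU')

    # Win32_Tpm lives in its own namespace, which is why SCCM needs the class
    # enabled in inventory. SpecVersion reads like "1.2, 2, 3"; take the first field.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
               -ComputerName $ComputerName -ErrorAction SilentlyContinue
    $tpmVersion = $null
    if ($tpm) { $tpmVersion = [version](($tpm.SpecVersion -split ',')[0].Trim()) }
    $tpmOk = ($null -ne $tpm) -and ($tpmVersion -ge [version]'1.2') -and
             $tpm.IsEnabled_InitialValue -and $tpm.IsActivated_InitialValue

    [pscustomobject]@{
        ComputerName = $ComputerName
        OS           = $os.Caption
        SupportedOS  = $supportedOs
        Model        = $cs.Model
        IsPhysical   = $isPhysical
        TpmVersion   = $tpmVersion
        TpmReady     = $tpmOk
        InCollection = $supportedOs -and $isPhysical -and $tpmOk
    }
}

# Usage: evaluate the local machine, or pass -ComputerName for a remote one.
Test-MbamCollectionMembership | Format-List
```

When a machine you expect in the collection is missing, the per-field output tells you which criterion failed: a TPM that exists but is not enabled or activated in the BIOS shows `TpmReady = False` with a populated `TpmVersion`, while a Pro edition of Windows 7 fails on `SupportedOS` even though BitLocker itself would run.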
  27. BitLocker With MBAM And SCCM
      Reports explained:
      • BitLocker Computer Compliance: look at an individual computer's compliance status
      • BitLocker Enterprise Compliance Dashboard: four views: compliance status, non-compliant error distribution, compliance status by drive type, top 10 non-compliant hardware
      • BitLocker Enterprise Compliance Details: compliance status of the enterprise
      • BitLocker Enterprise Compliance Summary: summary of each computer's state with drill-down based on state
  28. BitLocker With MBAM And SCCM
      Installation:
      • Make sure the MBAM server and databases are in working order, then on the SCCM server(s):
      • Edit configuration.mof and import sms_def.mof (see the documentation at https://connect.microsoft.com/MDOPTAP)
      • Enable the Win32_Tpm class
  29. BitLocker With MBAM And SCCM
      Installation:
      • Start ServerMBAMsetup.exe and, after the initial steps, choose Topology: System Center Configuration Manager Integration
  30. BitLocker With MBAM And SCCM
      Installation:
      • Provided the other features are up and running on other servers, choose only the System Center CM Integration feature
  31. BitLocker With MBAM And SCCM
      Task Sequence:
      • With SCCM SP1, BitLocker support for Windows 8 and Server 2012 has been added to the Task Sequence.
      • In the Client Settings you can choose to suspend BitLocker PIN entry on restart.
  32. THE END!
      Olav Tvedt, Consigliore, STEP Member, MVP Setup & Deployment
      Reidar Johansen, Senior Infrastructure Consultant