BitLocker Modes
Basic Mode:
• TPM only
• Password Mode (Windows 8)
Advanced Modes:
• TPM + PIN
• TPM + USB Dongle
• USB Dongle
• TPM + PIN + USB Dongle
BitLocker Is Vulnerable When:
• The disk has not yet been fully encrypted
• You don't use a PIN, especially if the computer has or might get:
  - FireWire
  - Thunderbolt
• A fake BIOS startup screen is presented (to capture the PIN)
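The two conditions on this slide can be audited from the machine itself. The script below is an added example, not part of the original deck, and uses the Win32_EncryptableVolume WMI class that ships with Windows 7/8 (run elevated). It assumes that "uses a PIN" means the operating system volume carries a TPM+PIN or TPM+PIN+StartupKey protector, and that any conversion status other than "fully encrypted" counts as "not yet totally encrypted".

```powershell
# Added example (not from the original deck): audit local BitLocker volumes for the two
# weaknesses named on the slide: encryption not finished, and no PIN on the OS volume.
# Uses Win32_EncryptableVolume (Windows 7/8 built-in WMI class). Run as administrator.

$namespace = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Key protector type codes returned by GetKeyProtectorType()
$protectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey'; 3 = 'NumericalPassword'
    4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey'
    7 = 'PublicKey'; 8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CryptoAPI NG'
}
# Assumption: only these two protector types satisfy the "use a PIN" advice
$pinTypes = @(4, 6)

# Conversion status codes returned by GetConversionStatus()
$conversionNames = @{
    0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress'
    3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused'
}

function Get-BitLockerExposure {
    $volumes = Get-WmiObject -Namespace $namespace -Class Win32_EncryptableVolume
    foreach ($vol in $volumes) {
        # Enumerate every protector bound to the volume and translate the type codes
        $ids = ($vol.GetKeyProtectors(0)).VolumeKeyProtectorID
        $types = @()
        foreach ($id in $ids) {
            $types += [int]($vol.GetKeyProtectorType($id)).KeyProtectorType
        }
        $conv = $vol.GetConversionStatus()
        $status = [int]$conv.ConversionStatus

        $findings = @()
        if ($status -ne 1) {
            $findings += "disk not fully encrypted ($($conversionNames[$status]), $($conv.EncryptionPercentage)%)"
        }
        # VolumeType 0 is the operating system volume; the PIN advice applies only there
        if ($vol.VolumeType -eq 0) {
            $hasPin = ($types | Where-Object { $pinTypes -contains $_ }).Count -gt 0
            if (-not $hasPin) {
                $findings += 'no TPM+PIN protector on OS volume (DMA via FireWire/Thunderbolt remains a risk)'
            }
        }

        $summary = 'OK'
        if ($findings.Count -gt 0) { $summary = $findings -join '; ' }

        [pscustomobject]@{
            Drive      = $vol.DriveLetter
            Protectors = ($types | ForEach-Object { $protectorNames[$_] }) -join ', '
            Status     = $conversionNames[$status]
            Findings   = $summary
        }
    }
}

Get-BitLockerExposure | Format-Table -AutoSize
```

Run it on a fleet through your remote-management tooling of choice and the Findings column gives the same "why is this machine not compliant" answer the slide asks for, without waiting for a reporting server.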
BitLocker Requirements
• A computer running:
  - Windows 7 Enterprise/Ultimate
  - Windows 8 Pro/Enterprise
  - Windows Server 2008 R2
  - Windows Server 2012
• With TPM:
  - A Trusted Computing Group (TCG)-compliant BIOS
  - TPM microchip version 1.2 (turned on)
  - TPM must be resettable from the operating system
• Removable storage:
  - USB
  - Floppy
  - Memory card
Enable BitLocker On A Virtual Machine For TESTING:
1. Set "Allow BitLocker without compatible TPM" in a GPO
2. Create a virtual floppy disk
3. Enable BitLocker with «manage-bde»:
   cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A:
4. Restart and it will start to encrypt
Windows 8 can run with a password directly in a virtual environment
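The four test-VM steps above, scripted end to end, as an added example that is not part of the original deck. It assumes a lab VM without a TPM and a virtual floppy already attached as A:; step 1 is done locally by writing the registry values that the "Require additional authentication at startup" policy sets (the local-policy equivalent of the GPO on the slide), and step 3 uses manage-bde.exe, which ships with Windows 7 and 8, with the long-form switches that the slide's -rp / -sk abbreviate.

```powershell
# Added example (not from the original deck): scripted version of the test-VM procedure.
# Assumptions: lab VM with no TPM, virtual floppy attached as A:, run as administrator.

$fve             = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$osDrive         = 'C:'
$startupKeyDrive = 'A:'   # virtual floppy created in step 2

# Step 1: "Allow BitLocker without a compatible TPM", written as the local policy values
# that the GPO setting "Require additional authentication at startup" controls
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
# Leave the TPM-based startup options at "allowed" (2) so the policy stays consistent
foreach ($name in 'UseTPM', 'UseTPMPIN', 'UseTPMKey', 'UseTPMKeyPIN') {
    Set-ItemProperty -Path $fve -Name $name -Value 2 -Type DWord
}

# Step 2: the floppy must be present, otherwise the startup key cannot be written
if (-not (Test-Path "$startupKeyDrive\")) {
    throw "No floppy at $startupKeyDrive - attach a virtual floppy disk to the VM first"
}

# Step 3: turn BitLocker on with a recovery password plus a startup key on A:
# (-RecoveryPassword / -StartupKey are the long forms of the slide's -rp / -sk)
& manage-bde.exe -on $osDrive -RecoveryPassword -StartupKey $startupKeyDrive
if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }

# Record the 48-digit recovery password printed above before rebooting: it is the only
# way back into the volume if the floppy is lost. Step 4 is the restart itself.
& manage-bde.exe -status $osDrive
Write-Host "Restart the VM to begin encryption; follow progress with: manage-bde -status $osDrive"
```

On a production machine the registry edit is the wrong tool; there the setting comes from the GPO as the slide says, and the script is only useful for standing up a throwaway test VM.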
BitLocker News In Windows 8
Overview
• Support for failover cluster and SAN storage
• BitLocker pre-provisioning
• Used disk space-only encryption
• Standard user PIN and password selection
• BitLocker Network Unlock
BitLocker News In Windows 8
BitLocker pre-provisioning
• Enable BitLocker before the OS is installed
• Random encryption key stored unprotected
• Needs to be activated to protect the key
BitLocker With MBAM
Microsoft BitLocker Administration and Monitoring (MBAM)
What is Microsoft BitLocker Administration and Monitoring (MBAM)?
MBAM builds on the BitLocker data protection offering in Windows 7 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.
GOALS ARE:
1. Simplify provisioning and deployment
2. Provide reporting (e.g.: compliance & audit)
3. Reduce support costs (e.g.: improved recovery)
Prerequisites For Server
Operating system:
• Windows Server 2008 SP2 (x86/x64)
• Windows Server 2008 R2
• Windows Server 2012 (some issues with web in beta)
Database:
• Compliance and Audit Report Server: Microsoft SQL Server 2008 R2 Std/Ent/Dev
• Recovery and Hardware Database Server: Microsoft SQL Server 2008 R2 Enterprise only
  Security reason: Transparent Data Encryption (TDE)
Installing MBAM
• Single-computer configuration
  - Everything on a single server.
  - Supported, but only recommended for testing purposes.
• Three-computer configuration
  - Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on a server
  - Administration and Monitoring Server feature is installed on a server
  - Group Policy template is installed on a server or client computer.
• Five-computer configuration
  Each server feature is installed on dedicated computers:
  - Recovery and Hardware Database
  - Compliance Status Database
  - Compliance and Audit Reports
  - Administration and Monitoring Server
  - Group Policy Template is installed on a server or client computer
Prerequisites For Clients
• A computer running:
  - Windows 7 Enterprise/Ultimate
  - Windows 8 Enterprise (Pro will work but is not covered by the SA license)
• A Trusted Computing Group (TCG)-compliant BIOS
• TPM microchip version 1.2 (turned on)
• TPM must be resettable from the operating system
MBAM Client
Encrypt volumes BEFORE a user receives the computer
• Works with Windows 7 deployment tools (MDT/SCCM)
• Client can:
  - Manage the TPM reboot process
  - Be configured with TPM first and PIN later (e.g.: user provides the PIN at first logon)
  - Recovery key escrow can be bypassed and then escrowed when the user first logs on
• Best Practice
Encrypt volumes AFTER a user receives a computer
• Client provides a policy-driven experience
• Client will manage the TPM reboot process
• Standard or admin users can encrypt
• Only use when unencrypted machines appear on the network
MBAM Policy Settings
A superset of BitLocker policies
New MBAM policies:
• Policy for fixed disk volume auto-unlock
• Hardware capability check before encryption
• Allow user to request an exemption
• Interval at which the client verifies policy compliance (default = 90 min)
Policy location:
Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
Compliance and Reporting
• MBAM agent collects and passes data to the reporting server (all clients pass this up, encrypted or not; IT can clarify WHY a computer is not compliant)
• Built on SQL Server® Reporting Services (SSRS), it gives you the flexibility to add your own reports
Need to know how effective your rollout is, or how compliant your company is?
Who has accessed keys and when, and when has new hardware been added?
Need to know the last known state of a lost computer?
Central Storage of Recovery Key
• Recovery key(s) are escrowed:
  - Operating system volume
  - Fixed data volumes
  - Removable data volumes
• Stored outside of Microsoft Active Directory®
• 3-tier architecture
• DB encrypted with SQL Server's Transparent Data Encryption
• Web service API to build org-specific solutions
• All logging and authorization are done at the web service layer to ensure parity for custom apps
Helpdesk Key Recovery UI
• MBAM provides a web page for helpdesk functionality
  - Provide BitLocker recovery key for authorized users
  - Provide TPM unlock package for authorized users
• All requests (successful or not) are logged: who, when, which volume
• Role-based authorization model to get recovery info
  - Tier 1: Helpdesk needs to have a person/key match
  - Tier 2: Key ID is sufficient (limited role)
• Create your own custom page leveraging the web service layer
Single Use Recovery Keys
• Once a BitLocker recovery key has been exposed, the client will create a new one
  - As part of regular client/server communication, the client checks to see if the recovery key has been exposed
  - MBAM client will create a new one
  - Transparent to the user
• Recovery keys are created once a volume is unlocked
BitLocker With MBAM And SCCM
Overview
• Eliminates the MBAM compliance infrastructure; view compliance status and reports in the SCCM console.
• Setup integrates three elements in SCCM:
  - Desired Configuration Management components: two configuration items (CIs) and one baseline
  - One collection
  - Four reports
BitLocker With MBAM And SCCM
Integration components explained
• Collection: every 12 hours, finds computers with a supported OS (Win7 Ent/Ult and Win8) that are physical and have TPM 1.2 or higher.
• Configuration Baseline: verifies compliance based on what is defined in Group Policy.
• The CIs collect details and evaluate compliance status for computers.
BitLocker With MBAM And SCCM
Reports explained
• BitLocker Computer Compliance: look at an individual computer's compliance status
• BitLocker Enterprise Compliance Dashboard: four views: compliance status, non-compliant error distribution, compliance status by drive type, top 10 non-compliant hardware
• BitLocker Enterprise Compliance Details: compliance status of the enterprise
• BitLocker Enterprise Compliance Summary: summary of each computer's state with drill-down based on state
BitLocker With MBAM And SCCM
Installation
• Make sure the MBAM server and databases are in working order, then on the SCCM server(s):
• Edit configuration.mof and import sms_def.mof; see the documentation here: https://connect.microsoft.com/MDOPTAP
• Enable the Win32_Tpm class
BitLocker With MBAM And SCCM
Installation
• Start Server\MBAMsetup.exe and, after the initial steps, choose the topology "System Center Configuration Manager Integration":
BitLocker With MBAM And SCCM
Installation
• Provided the other features are up and running on other servers, choose only the System Center CM Integration feature:
BitLocker With MBAM And SCCM
Task Sequence
• With SCCM SP1, BitLocker support for Windows 8 and Server 2012 has been added to the Task Sequence.
• In the Client Settings you can choose to suspend BitLocker PIN entry on restart.