Mdop session from Microsoft partner boot camp



  1. And InTune. Olav Tvedt, Chief Consultant, MVP – Software Packaging, Deployment & Servicing (SPD&S). Twitter: @olavtwitt – Blog:
  2. Advanced Group Policy Management (AGPM): enhancing Group Policy through change management
     - Versioning, history, and rollback of Group Policy changes
     - Enables Group Policy change management
     - Role-based administration and templates
     - Reduces risk of widespread failure
     - Flexible delegation model
     - Provides granular administrative control
     "We have increased control of Group Policy Objects (GPOs) and cut downtime previously linked to improperly configured GPOs."
     Simon Boxall, Active Directory Infrastructure Engineer, London Borough of Camden
     "Advanced Group Policy Management has been like a magic bullet for us. Its automated change management and workflow-enabled delegation capabilities are impressive. I wouldn't be able to manage GPOs without it."
     Michael Wilcox, MIS Client Services Supervisor, Forsyth County
  3. Architecture
     - Server component: AGPM Server, holding an XML file of backups and the backups of GPO 1 and GPO 2
     - Domain Controller: GPO 1 (direct link), GPO 2 (direct link)
     - Admin component: administrative desktop
  4. Delegation – roles: Full Control, Approver, Editor, Reviewer. Define granular control without making everyone a Domain Admin.
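The delegation roles and the check-out, check-in, approve and roll-back flow from slides 2 to 4, as an added toy model in Python (not AGPM's own code or API; the ControlledGpo class, the Denied exception, the version numbering and the setting names are assumptions):

```python
from dataclasses import dataclass, field

class Denied(Exception): pass  # assumed error type: role lacks this delegation

def _require(role, allowed):
    if role not in allowed:
        raise Denied(f"role {role!r} may not do this")

@dataclass
class ControlledGpo:
    """Assumed shape of a GPO under AGPM control (toy model, not AGPM's own API)."""
    name: str
    versions: list = field(default_factory=list)   # archive: every checked-in copy
    deployed: dict = None                          # what the domain controller serves
    checked_out_by: str = None

    def check_out(self, user, role):
        _require(role, {"Editor", "Full Control"})
        if self.checked_out_by:
            raise Denied(f"already checked out by {self.checked_out_by}")
        self.checked_out_by = user

    def check_in(self, user, role, settings, comment):
        _require(role, {"Editor", "Full Control"})
        if self.checked_out_by != user:
            raise Denied("only the user who checked out can check in")
        self.versions.append({"settings": dict(settings), "by": user, "comment": comment})
        self.checked_out_by = None
        return len(self.versions)   # new version number in the archive

    def deploy(self, role, version=None):
        # Editors edit and request; only Approver / Full Control push to the domain.
        # Rollback is simply deploying an older archived version.
        _require(role, {"Approver", "Full Control"})
        chosen = self.versions[-1] if version is None else self.versions[version - 1]
        self.deployed = dict(chosen["settings"])
        return self.deployed

    def history(self, role):   # read-only for every role, including Reviewer
        _require(role, {"Reviewer", "Editor", "Approver", "Full Control"})
        return [(i + 1, v["by"], v["comment"]) for i, v in enumerate(self.versions)]

def demo():
    gpo = ControlledGpo("Workstation Lockdown")
    for settings, note in [({"LockTimeout": 900}, "baseline"), ({"LockTimeout": 0}, "mistake")]:
        gpo.check_out("alice", "Editor")
        gpo.check_in("alice", "Editor", settings, note)
    gpo.deploy("Approver")             # v2 goes live and silently disables the lock
    gpo.deploy("Approver", version=1)  # approver rolls back to the known-good v1
    return gpo
```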
  6. What is Microsoft BitLocker Administration and Monitoring (MBAM)?
     MBAM builds on the BitLocker data protection offering in Windows 7 and 8 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.
     Goals are:
     1) Simplify provisioning and deployment
     2) Provide reporting (e.g. compliance and audit)
     3) Reduce support costs (e.g. improved recovery)
  7. MBAM Client
     Encrypt volumes BEFORE a user receives the computer (best practice):
     - Works with Windows 7 deployment tools (MDT/SCCM)
     - Client can:
       – Manage the TPM reboot process
       – Be configured with TPM first and PIN later (e.g. the user provides the PIN at first logon)
       – Bypass recovery key escrow, escrowing the key when the user first logs on
     Encrypt volumes AFTER a user receives the computer:
     - Client provides a policy-driven experience
     - Client will manage the TPM reboot process
     - Standard or admin users can encrypt
     - Only use when unencrypted machines appear on the network
  8. MBAM Policy Settings: a superset of BitLocker policies
     New MBAM policies:
     - Policy for fixed disk volume auto-unlock
     - Hardware capability check before encryption
     - Allow user to request an exemption
     - Interval at which the client verifies policy compliance (default = 90 min)
     Policy location: Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
  9. Hardware Capability Management
     Some older computers may not properly support TPM. To ensure those computers aren't encrypted, a feature is included that can be used to define which computers are BitLocker capable.
     How you turn it on:
     - Group Policy setting so the client checks before encryption starts
     - From the central console, define computers that are capable or not
     How it works:
     1) As new computers are identified in the org, they are added to a central HW list
     2) The website allows IT pros to move computers from unknown to a capable or not-capable state
     3) When this feature is on, only computers that are 'capable' will be encrypted
     4) Before MBAM starts encryption, it verifies the computer is capable (make/model)
  10. Compliance and Reporting
     Need to know the last known state of a lost computer? Need to know how effective your rollout is, or how compliant your company is? Who has accessed keys and when, and when new hardware has been added?
     - MBAM agent collects and passes data to the reporting server
     - All clients pass this up, encrypted or not
     - IT can clarify WHY a computer is not compliant
     Built on SQL Server Reporting Services (SSRS), it gives you flexibility to add your own reports.
  11. Central Storage of Recovery Keys
     Recovery key(s) are escrowed:
     - Operating system volume
     - Fixed data volumes
     - Removable data volumes
     - Stored outside of Microsoft Active Directory
     3-tier architecture:
     - DB encrypted with SQL Server's Transparent Data Encryption
     - Web service API to build org-specific solutions
     - All logging and authorization are done at the web service layer to ensure parity for custom apps
  12. Helpdesk Key Recovery UI
     MBAM provides a web page for helpdesk functionality:
     - Provide BitLocker recovery key for authorized users
     - Provide TPM unlock package for authorized users
     - All requests (successful or not) are logged: who, when, which volume
     Role-based authorization model to get recovery info:
     - Tier 1: Helpdesk needs to have a person/key match
     - Tier 2: Key ID is sufficient (limited role)
     Create your own custom page leveraging the web service layer.
  13. Single-Use Recovery Keys
     Once a BitLocker recovery key has been exposed, the client will create a new one:
     - As part of regular client/server communication, the client checks to see if the recovery key has been exposed
     - MBAM client will create a new one
     - Transparent to the user
     Recovery keys are created once a volume is unlocked.
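The escrow, two-tier helpdesk lookup, audit logging and single-use key rotation described on slides 11 to 13, as an added Python model (not MBAM's web service API; the KeyEscrow class, its method names, the key IDs and the sample users are assumptions, and the server generates the replacement key here where in MBAM the client does):

```python
import secrets

def new_recovery_key():
    # 48 digits in 8 groups of 6, like a BitLocker recovery password; illustrative only (no check digits)
    return "-".join(f"{secrets.randbelow(10**6):06d}" for _ in range(8))

class KeyEscrow:
    """Assumed shape of the MBAM key store plus helpdesk web service (toy model)."""
    def __init__(self):
        self._keys = {}   # key_id -> {"key", "user", "volume", "exposed"}
        self.audit = []   # (seq, requester, key_id, outcome) for every request, success or not

    def escrow(self, key_id, user, volume):
        self._keys[key_id] = {"key": new_recovery_key(), "user": user,
                              "volume": volume, "exposed": False}

    def _log(self, requester, key_id, outcome):
        self.audit.append((len(self.audit) + 1, requester, key_id, outcome))

    def recover(self, requester, tier, key_id, claimed_user=None):
        """Helpdesk lookup: Tier 1 must match person to key, Tier 2 may use key ID alone."""
        rec = self._keys.get(key_id)
        if rec is None:
            self._log(requester, key_id, "denied: unknown key id")
            return None
        if tier == 1 and rec["user"] != claimed_user:
            self._log(requester, key_id, "denied: person/key mismatch")
            return None
        rec["exposed"] = True   # a released key is single-use from here on
        self._log(requester, key_id, f"released for {rec['volume']}")
        return rec["key"]

    def client_checkin(self, key_id):
        """Regular client/server contact: if the key was exposed, rotate it transparently."""
        rec = self._keys.get(key_id)
        if not rec or not rec["exposed"]:
            return None               # nothing exposed, nothing to do
        new_id = "KEY-" + secrets.token_hex(4).upper()
        self.escrow(new_id, rec["user"], rec["volume"])
        del self._keys[key_id]        # the exposed key no longer protects the volume
        return new_id

def demo():
    svc = KeyEscrow()
    svc.escrow("KEY-001", "alice", "OS volume")
    denied = svc.recover("helpdesk-bob", 1, "KEY-001", claimed_user="mallory")
    key = svc.recover("helpdesk-bob", 1, "KEY-001", claimed_user="alice")
    rotated = svc.client_checkin("KEY-001")   # client learns of exposure and rotates
    return svc, denied, key, rotated
```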
  14. Client Experience
  15. What is Microsoft BitLocker Administration and Monitoring?
     MBAM 1.0 objectives:
     MBAM 2.0 improved 1.0 functionality and adds additional focus on:
  16. MBAM 2.0 Release Pillars
  17. MBAM 2.0 – Two Deployment Options
     Stand-alone mode (similar to the v1 model):
     - SQL database contains recovery keys and audit/compliance data
     Configuration Manager integrated mode:
     - Compliance data and reports are integrated into Configuration Manager
     - MBAM agent distribution is facilitated via an out-of-the-box collection
     - Key recovery and audit data remain in SQL Server, as in stand-alone mode
  18. Server Improvements
  19. Supported Software
     Stand-alone mode, server OS:
     - Windows Server 2008 SP2 Standard/Enterprise/Datacenter
     - Windows Server 2008 R2 SP1 Standard/Enterprise/Datacenter
     - Windows Server 2012 Standard/Enterprise/Datacenter
     Configuration Manager mode, System Center Configuration Manager:
     - Configuration Manager 2007 w/SP2
     - Configuration Manager 2012 w/SP1
     Client OS:
     - Windows 7 Ultimate, Enterprise w/SP1 (x86/x64)
     - Windows 8 Enterprise (x86/x64)
     - Windows 8 Windows To Go
     SQL Server:
     - SQL 2008 R2 Standard edition or greater w/SP1
     - SQL 2012 Standard edition or greater, RTM/SP1
  20. Hardware Configurations
  21. Microsoft Application Virtualization (App-V): dynamically streaming software as a centrally managed service
     - Streams applications to users
     - Centralizes permissions
     - Eliminates application installation
     - Isolates applications
     - Provides real-time metering
     - Readily accessible applications
     - Accelerate Windows deployment
     - Reduced application conflict
     - Minimize regression testing
     - Leverage existing management systems
     "By using App-V, we'll be able to shrink the entire application deployment timeframe – from request through delivery – by more than 80 percent, from 30 days to just five days."
     Stephen Dula, IT Staff Engineer, Qualcomm
  22. Microsoft Diagnostics & Recovery Toolset (DaRT)
     DaRT offers 14 powerful tools to accelerate desktop repair on site and remotely:
     - Recover unbootable PCs
     - Access deleted files, manipulate services, reset passwords, and more
     - Detect and remove malware while the PC is offline
     - Accelerate TCO savings by minimizing recovery time
     - Recover instead of reloading Windows
     - Make PCs safer to use
     "This toolset enables us to restore clients instantly without rebuilding them, saving up to six hours per instance."
     David Smith, Technical Support Center, UMC Health System
  23. Microsoft Diagnostics & Recovery Toolset – customer scenarios
     - Customer wants to donate PCs to charity and needs to make sure data is wiped off hard disks: DaRT Disk Wipe tool
     - Customer has malware on a system and real-time scanning doesn't work: DaRT Standalone System Sweeper
     - Customer needs to troubleshoot and repair unbootable PCs: DaRT Crash Analyzer and DaRT tools
     - Customer uses Windows BitLocker encryption and needs access to an encrypted drive on an unbootable PC: DaRT tools
     - Customer needs to reset local passwords on servers: DaRT Locksmith
     - Customer needs to troubleshoot and repair servers in the datacenter: DaRT Crash Analyzer and DaRT tools
     - Customer needs to locate a file that was deleted from the hard drive: DaRT File Restore
     - Customer needs to access a file on an unbootable/unrepairable PC: DaRT File Explorer
  24. WinRE Management Commands