Managing BitLocker With MBAM

Description: A look at Microsoft Desktop Optimization Pack's MBAM (Microsoft BitLocker Administration and Monitoring) for the administration and management of BitLocker-protected computers

Page 1

Managing BitLocker With MBAM

Olav Tvedt

Consigliore

STEP Member, MVP Setup & Deployment

Reidar Johansen

Senior Infrastructure Consultant

Page 2

AGENDA

• What Is BitLocker

• Why Use Disk Encryption

• BitLocker News In Windows 8

• BitLocker With MBAM

• BitLocker With MBAM And SCCM

Page 3

What Is BitLocker

Page 4

What Is BitLocker

Encrypts:

• Operating System Drive

• Fixed Data Drive

• Removable Data Drive

Checks after changes to:

• BIOS

• System/Startup Files

Page 5

Why Use Disk Encryption?

Page 6

Page 7

BitLocker Modes

Basic Mode:

• TPM only

• Password Mode (Windows 8)

Advanced Modes:

• TPM + PIN

• TPM + USB Dongle

• USB Dongle

• TPM + PIN + USB Dongle

Page 8

BitLocker Is Vulnerable When:

• The disk has not yet been fully encrypted (the unencrypted remainder is readable offline)

• You don't use a PIN, especially if the computer has or might get a DMA-capable port (a TPM-only volume releases its key into memory at boot, before any user input): - FireWire - Thunderbolt

• A fake BIOS/pre-boot screen is presented to the user to capture the PIN
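The three weak states above, as an added PowerShell audit (not part of the deck and not an MBAM or BitLocker check): it walks every volume with the BitLocker module that ships with Windows 8 / Server 2012 and flags incomplete encryption, protection that is off, and OS volumes that carry a TPM-only protector; the DMA-port detection by device-name match is this example's own heuristic.

```powershell
# Added example (not part of the deck): report volumes that sit in one of the
# weak states from the slide. Needs the BitLocker module (Windows 8 / Server
# 2012 and later) and an elevated prompt. The DMA-port name match is this
# example's assumption, not an MBAM or BitLocker feature.
function Get-BitLockerWeakState {
    $findings = @()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # 1. Encryption never finished (or was paused): part of the disk is
        #    still plaintext and readable when the disk is mounted elsewhere.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += [pscustomobject]@{
                Volume = $vol.MountPoint
                Issue  = "Not fully encrypted: $($vol.VolumeStatus), $($vol.EncryptionPercentage)%"
            }
        }

        # Fully encrypted but protection off means a clear key or a suspended
        # volume: the key can be read from the volume metadata itself.
        if ($vol.VolumeStatus -eq 'FullyEncrypted' -and $vol.ProtectionStatus -ne 'On') {
            $findings += [pscustomobject]@{
                Volume = $vol.MountPoint
                Issue  = 'Protection is off (clear key or suspended)'
            }
        }

        # 2. A plain "Tpm" protector on the OS volume lets the drive unlock
        #    with no user input, so the key is in RAM at the logon screen and
        #    a DMA port can read it. A PIN or startup key removes that path.
        if ($vol.VolumeType -eq 'OperatingSystem' -and $types -contains 'Tpm') {
            $findings += [pscustomobject]@{
                Volume = $vol.MountPoint
                Issue  = 'TPM-only protector present (no PIN or startup key required at boot)'
            }
        }
    }

    # DMA-capable controllers on the box (heuristic name match, this example's
    # assumption). Together with a TPM-only OS volume this is the
    # FireWire/Thunderbolt case from the slide.
    $dma = Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -match '1394|FireWire|Thunderbolt' }
    foreach ($d in $dma) {
        $findings += [pscustomobject]@{ Volume = '-'; Issue = "DMA-capable device present: $($d.Name)" }
    }

    # 3. A fake pre-boot screen that phishes the PIN cannot be detected from
    #    inside Windows; that one is a user-awareness and boot-integrity issue.
    return $findings
}

Get-BitLockerWeakState | Format-Table -AutoSize
```

An empty result means every volume is fully encrypted, protected, and unlocked only with user input at boot; anything else is a machine MBAM's compliance reports would also call out.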

Page 9

BitLocker Requirements

• A computer running:
- Windows 7 Enterprise/Ultimate
- Windows 8 Pro/Enterprise
- Windows Server 2008 R2
- Windows Server 2012

• With TPM:
- A Trusted Computing Group (TCG)-compliant BIOS
- TPM microchip version 1.2 (turned on)
- TPM must be resettable from the operating system

• Removable storage (for startup or recovery keys):
- USB
- Floppy
- Memory card

Page 10

Enable BitLocker On A Virtual Machine For TESTING:

1. Set "Allow BitLocker without compatible TPM" in a GPO

2. Create a virtual floppy disk

3. Enable BitLocker with manage-bde: cscript c:\Windows\System32\manage-bde.wsf -on C: -rp -sk A: (-rp adds a recovery password, -sk A: writes the startup key to the floppy)

4. Restart and it will start to encrypt

Windows 8 can run with a password protector directly in a virtual environment (no startup key or floppy needed)
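The same four steps as an added PowerShell example (not from the deck), using the BitLocker module that ships with Windows 8 / Server 2012; on Windows 7 keep the cscript manage-bde.wsf line for step 3. It assumes the virtual floppy is mounted as A: and, as a lab shortcut, writes the two registry values the "Allow BitLocker without a compatible TPM" GPO sets instead of editing a GPO.

```powershell
# Added example (not from the deck): BitLocker on a TPM-less test VM with the
# Windows 8 / Server 2012 BitLocker module. Run elevated. Assumes the virtual
# floppy is attached as A:.

# Step 1: "Allow BitLocker without a compatible TPM". The GPO writes these two
# values under HKLM\SOFTWARE\Policies\Microsoft\FVE; setting them directly is a
# lab shortcut only (a real GPO will overwrite them on the next refresh).
function Set-AllowBitLockerWithoutTpm {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
}

# Step 2 is done in the hypervisor (attach a virtual floppy as A:).

# Step 3: startup key on the floppy plus a recovery password, the same two
# protectors as "manage-bde -on C: -rp -sk A:". Without -SkipHardwareTest
# BitLocker schedules a hardware test and starts encrypting after the reboot
# in step 4. The returned object carries the recovery password: save it
# before rebooting.
function Enable-TestBitLocker {
    param([string]$MountPoint = 'C:', [string]$StartupKeyPath = 'A:\')
    Enable-BitLocker -MountPoint $MountPoint -StartupKeyProtector -StartupKeyPath $StartupKeyPath | Out-Null
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
}

# Windows 8 alternative: password protector on the OS drive, no floppy. Some
# builds also want the "Configure use of passwords for operating system
# drives" policy enabled (an assumption of this example, not tested here).
function Enable-TestBitLockerWithPassword {
    param([string]$MountPoint = 'C:')
    $pw = Read-Host -AsSecureString -Prompt 'BitLocker password'
    Enable-BitLocker -MountPoint $MountPoint -PasswordProtector -Password $pw | Out-Null
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
}

# Step 4 check after the restart: VolumeStatus should move from
# EncryptionInProgress to FullyEncrypted with ProtectionStatus On.
function Get-TestBitLockerStatus {
    param([string]$MountPoint = 'C:')
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
            @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}

Set-AllowBitLockerWithoutTpm
$recoveryPassword = Enable-TestBitLocker
Write-Host "Recovery password (lab only, keep it): $recoveryPassword"
# ...reboot, then run: Get-TestBitLockerStatus
```

The recovery password is printed because this is a throwaway VM; on a real machine it is exactly the value MBAM escrows for you, and it should never end up in a console log.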

Page 11

http://olavtvedt.blogspot.com/2012/01/running-bitlocker-on-virtual-computer.html

http://vninja.net/virtualization/creating-virtual-floppy-vsphere/

Page 12

BitLocker News In Windows 8 Overview

• Support for failover cluster and SAN storage.

• BitLocker pre-provisioning

• Used disk space-only encryption

• Standard user PIN and password selection

• Bitlocker Network Unlock

Page 13

BitLocker News In Windows 8: BitLocker Pre-provisioning

• Enable BitLocker before the OS is installed (from WinPE)

• A random encryption key is generated but stored unprotected on the volume (a clear key)

• Must be activated (a key protector added) before the key is protected
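The two halves of pre-provisioning as an added PowerShell example (not from the deck or any Microsoft task sequence): phase 1 runs in WinPE before the image is applied and calls manage-bde, since that is the tool guaranteed to exist there (in a plain WinPE prompt run the same manage-bde line); phase 2 runs in the installed OS and adds the protectors that seal the key. The function names are this example's own.

```powershell
# Added example (not from the deck): Windows 8 pre-provisioning in two phases.

# Phase 1 (WinPE, before the image is applied): used-space-only encryption of
# the still-empty volume. BitLocker generates a random full-volume key but,
# with no protector yet, stores it as a clear key in the volume metadata.
function Start-BitLockerPreProvision {
    param([string]$Drive = 'C:')
    & manage-bde.exe -on $Drive -UsedSpaceOnly
    if ($LASTEXITCODE -ne 0) { throw "manage-bde failed with exit code $LASTEXITCODE" }
}

# Phase 2 ("activation", in the installed OS): adding a protector seals the
# key and BitLocker discards the clear key. Verify that protection really came
# on; a volume left at ProtectionStatus Off is effectively unencrypted even
# though VolumeStatus says FullyEncrypted.
function Complete-BitLockerPreProvision {
    param([string]$Drive = 'C:')
    $before = Get-BitLockerVolume -MountPoint $Drive
    if ($before.VolumeStatus -eq 'FullyDecrypted') {
        throw "$Drive was never pre-provisioned; run the WinPE phase first"
    }

    Add-BitLockerKeyProtector -MountPoint $Drive -TpmProtector | Out-Null
    Add-BitLockerKeyProtector -MountPoint $Drive -RecoveryPasswordProtector | Out-Null

    $after = Get-BitLockerVolume -MountPoint $Drive
    if ($after.ProtectionStatus -ne 'On') {
        # Fallback: Resume-BitLocker turns protection on for a volume that has
        # protectors but is still marked off.
        Resume-BitLocker -MountPoint $Drive | Out-Null
        $after = Get-BitLockerVolume -MountPoint $Drive
    }
    if ($after.ProtectionStatus -ne 'On') { throw "Protection is still off on $Drive" }
    return $after
}

# Usage: Start-BitLockerPreProvision in WinPE; Complete-BitLockerPreProvision
# once Windows is running (the MBAM client or SCCM task sequence normally
# does this part and escrows the recovery password).
```

The check at the end is the point of the example: until phase 2 succeeds the machine reports as encrypted in a naive inventory while the key sits in the clear on disk.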

Page 14

BITLOCKER WITH MBAM

Microsoft BitLocker Administration and Monitoring (MBAM)

Page 15

What is Microsoft BitLocker Administration and Monitoring (MBAM)?

MBAM builds on the BitLocker data protection offering in Windows 7 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.

GOALS ARE:

1. Simplify provisioning and deployment

2. Provide reporting (e.g.: compliance & audit)

3. Reduce support costs (e.g.: improved recovery)

Page 16

Prerequisites For Server

Operating System:
- Windows Server 2008 SP2 (x86/x64)
- Windows Server 2008 R2
- Windows Server 2012 (some issues with the web components in beta)

Database:
- Compliance and Audit Report Server: Microsoft SQL Server 2008 R2 Std/Ent/Dev
- Recovery and Hardware Database Server: Microsoft SQL Server 2008 R2 Enterprise only

Security reason for the Enterprise-only requirement: Transparent Data Encryption (TDE) is used to encrypt the recovery key database at rest

Page 17

Installing MBAM

• Single-computer configuration

- Everything on a single server.
- Supported, but only recommended for testing purposes.

• Three-computer configuration

- Recovery and Hardware Database, Compliance Status Database, and Compliance and Audit Reports features are installed on one server

- Administration and Monitoring Server feature is installed on a second server

- Group Policy template is installed on a server or client computer.

• Five-computer configuration

Each server feature is installed on a dedicated computer:

- Recovery and Hardware Database

- Compliance Status Database

- Compliance and Audit Reports

- Administration and Monitoring Server

- Group Policy Template is installed on a server or client computer

Page 18

Prerequisites For Clients

• A computer running:
- Windows 7 Enterprise/Ultimate
- Windows 8 Enterprise (Pro will work but is not covered by the SA license)

• A Trusted Computing Group (TCG)-compliant BIOS

• TPM microchip version 1.2 (turned on)

• TPM must be resettable from the operating system

Page 19

MBAM Client

Encrypt volumes BEFORE a user receives the computer (Best Practice)
- Works with Windows 7 deployment tools (MDT/SCCM)
- Client can manage the TPM reboot process
- Can be configured with TPM first and PIN later (e.g.: user provides the PIN at first logon)
- Recovery key escrow can be bypassed during deployment and then escrowed when the user first logs on

Encrypt volumes AFTER a user receives the computer
- Client provides a policy-driven experience
- Client will manage the TPM reboot process
- Standard or admin users can encrypt
- Only use when unencrypted machines appear on the network

Page 20

MBAM Policy Settings

A superset of BitLocker policies

New MBAM policies:
- Policy for Fixed Disk Volume auto-unlock
- Hardware capability check before encryption
- Allow user to request an exemption
- Interval at which the client verifies policy compliance (default = 90 min)

Policy location: Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)

Page 21

Client Experience

Page 22

Compliance and Reporting

• MBAM agent collects and passes data to the reporting server (all clients report, encrypted or not, so IT can see WHY a computer is not compliant)

• Built on SQL Server® Reporting Services (SSRS), which gives you the flexibility to add your own reports

Questions the reports answer:
- Need to know the last known state of a lost computer?
- Need to know how effective your rollout is, or how compliant your company is?
- Who accessed which keys and when, and when has new hardware been added?

Page 23

Central Storage of Recovery Key

• Recovery key(s) are escrowed for:
- Operating System Volume
- Fixed Data Volumes
- Removable Data Volumes
• Stored outside of Microsoft Active Directory®

• 3-tier architecture
- DB encrypted with SQL Server's Transparent Data Encryption
- Web service API to build org-specific solutions
- All logging and authorization are done at the web service layer to ensure parity for custom apps

Page 24

Helpdesk Key Recovery UI

• MBAM provides a web page for helpdesk functionality
- Provides the BitLocker recovery key to authorized users
- Provides the TPM unlock package to authorized users
- All requests (successful or not) are logged: who, when, which volume

• Role-based authorization model to get recovery info
- Tier 1: helpdesk needs a person/key match
- Tier 2: key ID is sufficient (limited role)

• Create your own custom page leveraging the web service layer

Page 25

Single Use Recovery Keys

• Once a BitLocker recovery key has been exposed, the client will create a new one
- As part of regular client/server communication, the client checks whether its recovery key has been exposed
- The MBAM client will create a new one
- Transparent to the user

• The new recovery key is created once the volume has been unlocked
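What the MBAM client does after a recovery password has been disclosed, done by hand as an added PowerShell example (not from the deck, and not the MBAM agent's code): it creates a fresh recovery password protector first, removes every old one, and returns the new key ID in the full and the 8-character form the pre-boot recovery screen shows. The function name is this example's own; escrow is left as a comment because it depends on whether AD or MBAM holds the keys.

```powershell
# Added example (not from the deck): rotate the recovery password on a volume
# the way MBAM does once the old one counts as exposed. Needs the BitLocker
# module (Windows 8 / Server 2012 and later), run elevated.
function Update-RecoveryPassword {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $oldIds = @($old | ForEach-Object { $_.KeyProtectorId })

    # Add the replacement first so the volume never lacks a recovery path.
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new = $after.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and $oldIds -notcontains $_.KeyProtectorId }

    # Escrow the new password here before the old one goes away:
    #   AD:   Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId
    #   MBAM: the client agent escrows it on its next server check-in.

    # Now retire every exposed protector. A disclosed 48-digit password that
    # stays valid is a permanent bypass of the TPM/PIN.
    foreach ($id in $oldIds) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
    }

    # The recovery screen prints the first 8 characters of the key ID (without
    # braces); that is what a Tier 2 helpdesk user types into MBAM.
    $fullId = $new.KeyProtectorId
    [pscustomobject]@{
        MountPoint = $MountPoint
        KeyId      = $fullId
        ShortKeyId = $fullId.Trim('{}').Substring(0, 8)
        Retired    = $oldIds.Count
    }
}

Update-RecoveryPassword -MountPoint 'C:'
```

The order matters: add, escrow, then remove. Removing first and failing on the add would leave a TPM+PIN machine with no way back in if the TPM ever resets.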

Page 26

Page 27

BitLocker With MBAM And SCCM: Overview

• Eliminates the MBAM compliance infrastructure; view compliance status and reports in the SCCM console.

• Setup integrates three elements in SCCM:

- Desired Configuration Management components: two Configuration Items (CIs) and one Baseline

- One Collection

- Four Reports

Page 28

BitLocker With MBAM And SCCM: Integration Components explained

• The Collection (re-evaluated every 12 hours) finds computers that run a supported OS (Win7 Enterprise/Ultimate and Win8), are physical, and have TPM 1.2 or higher.

• The Configuration Baseline verifies compliance based on what is defined in Group Policy.

• The CIs collect details and evaluate the compliance status of the computers.
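The three membership criteria of the collection, evaluated locally as an added PowerShell example (not from the deck and not the collection query or CIs that MBAM ships): useful when a machine is missing from the collection and you want to see which criterion it fails. The OS SKU numbers, the "Virtual"/"VMware" model match, and the SpecVersion parsing are this example's assumptions.

```powershell
# Added example (not from the deck): check on a client whether it meets the
# MBAM collection's three criteria. Run elevated (Win32_Tpm requires it).
function Test-MbamCollectionCandidate {
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cs  = Get-WmiObject -Class Win32_ComputerSystem
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue

    # Supported OS: Windows 7 (6.1) Enterprise (OperatingSystemSKU 4) or
    # Ultimate (SKU 1), or a Windows 8 (6.2) workstation (ProductType 1).
    # Server 2008 R2 / 2012 share those version numbers and are excluded by
    # SKU and ProductType. SKU values are this example's assumption.
    $ver  = [version]$os.Version
    $osOk = ($ver.Major -eq 6 -and $ver.Minor -eq 1 -and ($os.OperatingSystemSKU -eq 1 -or $os.OperatingSystemSKU -eq 4)) -or
            ($ver.Major -eq 6 -and $ver.Minor -eq 2 -and $os.ProductType -eq 1)

    # Physical: common hypervisors put "Virtual" (Hyper-V, VirtualBox) or
    # "VMware" in the model string. Heuristic only.
    $physical = -not ($cs.Model -match 'Virtual|VMware')

    # TPM 1.2 or higher: SpecVersion reads like "1.2, 2, 3" or "2.0, 0, 1.16";
    # the first comma-separated field is the spec level. No Win32_Tpm instance
    # means no TPM (or the query was not run elevated).
    $tpmOk = $false
    if ($tpm -and $tpm.SpecVersion) {
        $tpmOk = [double](($tpm.SpecVersion -split ',')[0].Trim()) -ge 1.2
    }

    [pscustomobject]@{
        ComputerName = $cs.Name
        OsSupported  = $osOk
        Physical     = $physical
        TpmOk        = $tpmOk
        Candidate    = ($osOk -and $physical -and $tpmOk)
    }
}

Test-MbamCollectionCandidate
```

A false in any one column explains the absence from the collection; TpmOk false on a machine that does have a TPM usually means the chip is turned off in the BIOS or the check was run without elevation.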

Page 29

BitLocker With MBAM And SCCM: Reports explained

• BitLocker Computer Compliance: look at an individual computer's compliance status

• BitLocker Enterprise Compliance Dashboard: four views: compliance status, non-compliant error distribution, compliance status by drive type, top 10 non-compliant hardware

• BitLocker Enterprise Compliance Details: compliance status of the enterprise

• BitLocker Enterprise Compliance Summary: summary of each computer's state with drill-down based on state.

Page 30

BitLocker With MBAM And SCCM: Installation

• Make sure the MBAM server and databases are in working order, then on the SCCM server(s):

• Edit configuration.mof and import sms_def.mof (see the documentation here: https://connect.microsoft.com/MDOPTAP)

• Enable the Win32_Tpm class in hardware inventory

Page 31

BitLocker With MBAM And SCCM: Installation

• Start Server\MBAMsetup.exe, and after initial steps, choose Topology System Center Configuration Manager Integration:

Page 32

BitLocker With MBAM And SCCM: Installation

• Provided the other features are up and running on other servers, choose only System Center CM Integration feature:

Page 33

BitLocker With MBAM And SCCM: Task Sequence

• With SCCM SP1, BitLocker support for Windows 8 and Server 2012 has been added to the Task Sequence.

• In the Client Settings you can choose to Suspend BitLocker PIN entry on restart.

Page 34

THE END!

Olav Tvedt

Consigliore

STEP Member, MVP Setup & Deployment

Reidar Johansen

Senior Infrastructure Consultant