Olav Tvedt, Chief Consultant, MVP – Software Packaging, Deployment & Servicing (SPD&S). Twitter: @olavtwitt – Blog: http://olavtvedt.blogspot.com. And InTune

Mdop session from Microsoft partner boot camp


Page 1: Mdop session from Microsoft partner boot camp

Olav Tvedt

Chief Consultant

MVP – Software Packaging, Deployment & Servicing (SPD&S)

Twitter: @olavtwitt – Blog: http://olavtvedt.blogspot.com

And InTune

Page 2: Mdop session from Microsoft partner boot camp
Page 3: Mdop session from Microsoft partner boot camp
Page 4: Mdop session from Microsoft partner boot camp

Advanced Group Policy Management (AGPM) – Enhancing group policy through change management

Michael Wilcox, MIS Client Services Supervisor, Forsyth County:
“Advanced Group Policy Management has been like a magic bullet for us. Its automated change management and workflow-enabled delegation capabilities are impressive. I wouldn't be able to manage GPOs without it.”

Simon Boxall, Active Directory Infrastructure Engineer, London Borough of Camden:
“We have increased control of Group Policy Objects (GPOs) and cut downtime previously linked to improperly configured GPOs.”

Versioning, history, and rollback of Group Policy changes
Role-based administration and templates
Flexible delegation model
Enables Group Policy change management
Provides granular administrative control
Reduces risk of widespread failure

Page 5: Mdop session from Microsoft partner boot camp

Architecture

(Architecture diagram) The slide shows the Administrative Desktop running the Admin Component, the AGPM Server running the Server Component and holding an XML file of backups (backups of GPO 1 and backups of GPO 2), and the Domain Controller hosting the live GPO 1 and GPO 2. Direct links connect the Administrative Desktop, the AGPM Server and the Domain Controller.

Page 6: Mdop session from Microsoft partner boot camp

Delegation - Roles

Define granular control without making everyone a Domain Admin

Roles: Reviewer, Editor, Approver, Full Control

Page 7: Mdop session from Microsoft partner boot camp


Page 8: Mdop session from Microsoft partner boot camp
Page 9: Mdop session from Microsoft partner boot camp

What is Microsoft BitLocker Administration and Monitoring (MBAM)?

MBAM builds on the BitLocker data protection offering in Windows 7 & 8 by providing IT professionals with an enterprise-grade solution for BitLocker provisioning, monitoring, and key recovery.

GOALS ARE:
1 Simplify provisioning and deployment
2 Provide reporting (e.g.: compliance & audit)
3 Reduce support costs (e.g.: improved recovery)

Page 10: Mdop session from Microsoft partner boot camp

MBAM Client

Encrypt volumes BEFORE a user receives the computer
o Works with Windows 7 deployment tools (MDT/SCCM)
o Client can:
– Manage TPM reboot process
– Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
– Recovery key escrow can be bypassed and then escrowed when user first logs on
o Best Practice

Encrypt volumes AFTER a user receives a computer
o Client provides a Policy Driven Experience
o Client will manage TPM reboot process
o Standard or Admin users can encrypt
o Only use when unencrypted machines appear on the network

Page 11: Mdop session from Microsoft partner boot camp

MBAM Policy Settings

A superset of BitLocker policies

New MBAM Policies
o Policy for Fixed Disk Volume Auto-unlock
o Hardware capability check before encryption
o Allow user to request an exemption
o Interval client verifies policy compliance (default = 90 min)

Policy location:
o Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)

Page 12: Mdop session from Microsoft partner boot camp

Hardware Capability Management

Some older computers may not properly support TPM

To ensure those computers aren’t encrypted, a feature is included that can be used to define which computers are BitLocker capable

How you turn it on:
o Group Policy setting so client checks before encryption starts
o From Central Console, define computers that are capable or not

HOW IT WORKS:
1 Before MBAM starts encryption, it verifies the computer is capable (make/model)
2 As new computers are identified in the org, they are added to a central HW list
3 Website allows IT pros to move computers from unknown to a capable or not-capable state
4 When this feature is ON, only computers that are ‘capable’ will be encrypted

Page 13: Mdop session from Microsoft partner boot camp

Compliance and Reporting

MBAM agent collects and passes data to reporting server
o All clients pass this up, encrypted or not
o IT can clarify WHY a computer is not compliant

Built on SQL Server® Reporting Services (SSRS), it gives you flexibility to add your own reports

Need to know the last known state of a lost computer?
Need to know how effective your rollout is, or how compliant your company is?
Need to know who has accessed keys and when, and when new hardware has been added?

Page 14: Mdop session from Microsoft partner boot camp

Central Storage of Recovery Key

Recovery Key(s) are Escrowed
o Operating System Volume
o Fixed Data Volumes
o Removable Data Volumes
o Stored outside of Microsoft Active Directory®

3-Tier Architecture
o DB encrypted with SQL Server’s Transparent Data Encryption
o Web Service API to build org-specific solutions
o All logging and authorization are done at web service layer to ensure parity for custom apps

Page 15: Mdop session from Microsoft partner boot camp

Helpdesk Key Recovery UI

MBAM provides a web page for helpdesk functionality
o Provide BitLocker Recovery Key for authorized users
o Provide TPM unlock package for authorized users
o All requests (successful or not) are logged: who, when, which volume

Role based authorization model to get recovery info
o Tier 1: Helpdesk needs to have person/key match
o Tier 2: Key ID is sufficient (limited role)

Create your own custom page leveraging web service layer

Page 16: Mdop session from Microsoft partner boot camp

Single Use Recovery Keys

Once a BitLocker Recovery key has been exposed, the client will create a new one
o As part of regular client/server communication, client checks to see if Recovery Key has been exposed
o MBAM client will create new one
o Transparent to user

Recovery Keys are created once a volume is unlocked
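Added example, not MBAM's own code: a small Python model of the behaviour on this slide and on the Helpdesk Key Recovery slide, where Tier 1 must present a matching person/key pair, Tier 2 needs only the key ID, every request is logged (who, when, which volume, granted or not), and a key that has been handed out is replaced at the client's next check-in. The RecoveryService class, role names, key IDs and recovery passwords are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class EscrowedKey:
    key_id: str              # recovery key ID shown on the BitLocker recovery screen
    user: str                # user the volume belongs to
    volume: str              # "OS", "Fixed" or "Removable"
    recovery_password: str
    exposed: bool = False    # set once the key has been handed out (single use)


class RecoveryService:
    """Hypothetical stand-in for the MBAM web service layer (constructed, not MBAM code)."""

    def __init__(self):
        self.store = {}      # key_id -> EscrowedKey, the escrow database
        self.audit = []      # one record per request, successful or not

    def request_key(self, requester, role, key_id, claimed_user=None):
        entry = self.store.get(key_id)
        if role == "tier1":    # helpdesk must present a matching person/key pair
            ok = entry is not None and claimed_user == entry.user
        elif role == "tier2":  # limited role: the key ID alone is sufficient
            ok = entry is not None
        else:                  # any other role is never authorized
            ok = False
        # Log who asked, when, and for which volume, whether or not it was granted
        self.audit.append({"who": requester, "when": datetime.now(timezone.utc),
                           "key_id": key_id, "volume": entry.volume if entry else None,
                           "success": ok})
        if not ok:
            return None
        entry.exposed = True   # handing the key out marks it for replacement
        return entry.recovery_password

    def client_checkin(self, key_id, new_key_id, new_password):
        """Client asks whether its escrowed key was exposed; if so it escrows a fresh one."""
        entry = self.store.get(key_id)
        if entry is None or not entry.exposed:
            return False       # nothing to do: key unknown or never exposed
        del self.store[key_id]
        self.store[new_key_id] = EscrowedKey(new_key_id, entry.user, entry.volume, new_password)
        return True
```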

Page 17: Mdop session from Microsoft partner boot camp

Client Experience

Page 18: Mdop session from Microsoft partner boot camp

What is Microsoft BitLocker Administration and Monitoring?

MBAM 2.0 improves 1.0 functionality and adds additional focus on:

MBAM 1.0 objectives:

Page 19: Mdop session from Microsoft partner boot camp

MBAM 2.0 Release Pillars

Page 20: Mdop session from Microsoft partner boot camp

MBAM 2.0 – Two Deployment Options

Stand alone mode
Similar to v1 model: SQL Database contains Recovery Keys and Audit/Compliance

Configuration manager integrated mode
Compliance data and Reports are integrated to Config Manager
MBAM Agent distribution is facilitated via out of the box collection
Key Recovery and Audit data remain in SQL Server as in Stand Alone

Page 21: Mdop session from Microsoft partner boot camp

Server Improvements

Page 22: Mdop session from Microsoft partner boot camp

Supported Software (Configuration Manager Mode and Stand Alone Mode)

System Center Configuration Manager:
Configuration Manager 2007 w/SP2
Configuration Manager 2012 w/SP1

SQL Server:
SQL 2008 R2 Standard edition or greater w/SP1
SQL 2012 Standard edition or greater RTM / SP1

Server OS:
Windows Server 2008 SP2 Standard/Enterprise/Datacenter
Windows Server 2008 R2 SP1 Standard/Enterprise/Datacenter
Windows Server 2012 Standard/Enterprise/Datacenter

Client OS:
Windows 7 Ultimate, Enterprise w/SP1 (x86/x64)
Windows 8 Enterprise (x86/x64)
Windows 8 Windows to Go

Page 23: Mdop session from Microsoft partner boot camp

Hardware Configurations

Page 24: Mdop session from Microsoft partner boot camp
Page 25: Mdop session from Microsoft partner boot camp
Page 26: Mdop session from Microsoft partner boot camp

Microsoft Application Virtualization (App-V) – Dynamically streaming software as a centrally managed service

Stephen Dula, IT Staff Engineer, Qualcomm:
“By using App-V, we’ll be able to shrink the entire application deployment timeframe – from request through delivery – by more than 80 percent, from 30 days to just five days.”

Streams applications to users
Centralizes permissions
Eliminates application installation
Isolates applications
Provides real-time metering

Readily accessible applications
Accelerate Windows deployment
Reduced application conflict
Minimize regression testing
Leverage existing Management systems

Page 27: Mdop session from Microsoft partner boot camp
Page 28: Mdop session from Microsoft partner boot camp

Microsoft Diagnostics & Recovery Toolset – DaRT offers 14 powerful tools to accelerate desktop repair on site and remotely

David Smith, Technical Support Center, UMC Health System:
“This toolset enables us to restore clients instantly without rebuilding them - saving up to six hours per instance.”

Recover unbootable PC
Access deleted files, manipulate services, reset passwords, and more
Detect and remove malware while the PC is offline

Accelerate TCO savings by minimizing recovery time
Recover instead of reloading Windows
Make PCs safer to use

Page 29: Mdop session from Microsoft partner boot camp

Microsoft Diagnostics & Recovery Toolset – Customer scenarios

Customer wants to donate PCs to charity and needs to make sure data is wiped off hard disks – DaRT Disk Wipe tool
Customer has malware on system and real-time scanning doesn’t work – DaRT Standalone System Sweeper
Customer needs to troubleshoot and repair unbootable PCs – DaRT Crash Analyzer and DaRT tools
Customer uses Windows BitLocker® encryption and needs access to encrypted drive on unbootable PC – DaRT tools
Customer needs to reset local passwords on servers – DaRT Locksmith
Customer needs to troubleshoot and repair servers in datacenter – DaRT Crash Analyzer and DaRT tools
Customer needs to locate a file that was deleted from the hard drive – DaRT File Restore
Customer needs to access a file on unbootable / unrepairable PC – DaRT File Explorer

Page 30: Mdop session from Microsoft partner boot camp
Page 31: Mdop session from Microsoft partner boot camp

WinRE Management Commands

Page 32: Mdop session from Microsoft partner boot camp


Page 33: Mdop session from Microsoft partner boot camp
Page 34: Mdop session from Microsoft partner boot camp
Page 35: Mdop session from Microsoft partner boot camp
