Olav Tvedt
Chief Consultant
MVP – Software Packaging, Deployment & Servicing (SPD&S)
Twitter: @olavtwitt – Blog: http://olavtvedt.blogspot.com
And Intune
Michael Wilcox
MIS Client Services Supervisor
Forsyth County
“Advanced Group Policy Management has been
like a magic bullet for us. Its automated change
management and workflow-enabled delegation
capabilities are impressive. I wouldn't be able to
manage GPOs without it.”
Advanced Group Policy Management (AGPM)
Enhancing group policy through change management
Simon Boxall
Active Directory Infrastructure Engineer,
London Borough of Camden
“We have increased control of Group Policy
Objects (GPOs) and cut downtime previously
linked to improperly configured GPOs.”
Versioning, history, and rollback of Group Policy changes
Role-based administration and templates
Flexible delegation model
Enables Group Policy change management
Provides granular administrative control
Reduces risk of widespread failure
Architecture (diagram)
Administrative Desktop (Admin Component) connects to the AGPM Server (Server Component), which holds an XML file of backups containing the backups of GPO 1 and GPO 2.
The AGPM Server has a direct link to the Domain Controller, where the live GPO 1 and GPO 2 reside.
Delegation - Roles
Define granular control without making everyone a Domain Admin
Reviewer
Editor
Approver
Full Control
What is Microsoft BitLocker Administration and Monitoring (MBAM)?
MBAM builds on the BitLocker data protection offering in Windows 7 & 8 by
providing IT professionals with an enterprise-grade solution for BitLocker
provisioning, monitoring, and key recovery.
GOALS ARE:
1 Simplify provisioning and deployment
2 Provide reporting (e.g.: compliance & audit)
3 Reduce support costs (e.g.: improved recovery)
MBAM Client
Encrypt volumes BEFORE a user receives the computer
o Works with Windows 7 deployment tools (MDT/SCCM)
o Client can:
– Manage TPM reboot process
– Be configured with TPM first and PIN later (e.g.: user provides PIN at first logon)
– Recovery key escrow can be bypassed and then escrowed when user first logs on
o Best Practice
Encrypt volumes AFTER a user receives a computer
o Client provides a policy-driven experience
o Client will manage TPM reboot process
o Standard or Admin users can encrypt
o Only use when unencrypted machines appear on the network
MBAM Policy Settings
A superset of BitLocker policies
New MBAM Policies
o Policy for Fixed Disk Volume Auto-unlock
o Hardware capability check before encryption
o Allow user to request an exemption
o Interval at which the client verifies policy compliance (default = 90 min)
Policy location:
o Computer Configuration > Administrative Templates > Windows Components > MDOP MBAM (BitLocker Management)
Hardware Capability Management
Some older computers may not properly support TPM
To ensure those computers aren't encrypted, a feature is included that can be used to define which computers are BitLocker capable
How you turn it on:
o Group Policy setting so client checks before encryption starts
o From Central Console, define computers that are capable or not
HOW IT WORKS:
1 Before MBAM starts encryption, it verifies the computer is capable (make/model)
2 As new computers are identified in the org, they are added to a central HW list
3 Website allows IT pros to move computers from unknown to a capable or not-capable state
4 When this feature is ON, only computers that are 'capable' will be encrypted
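The capability gate described in the four steps above, as an added PowerShell example (not MBAM's own client code): the make/model is looked up in a capability list, unknown hardware is left unencrypted until an administrator classifies it, and even a "Capable" model must have a present and ready TPM on the specific machine before encryption is allowed to start. The function name and the capability list contents are constructed for illustration; Get-Tpm needs an elevated prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example, not MBAM's own code. Emulates the client-side hardware
# capability check MBAM performs before starting BitLocker encryption.
function Test-BitLockerHardwareCapable {
    param(
        # Constructed list: "Manufacturer|Model" -> 'Capable' or 'NotCapable'
        [Parameter(Mandatory)] [hashtable] $CapabilityList
    )

    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $key = '{0}|{1}' -f $cs.Manufacturer.Trim(), $cs.Model.Trim()

    # Hardware not yet classified stays 'Unknown' and is NOT encrypted (step 3 above
    # is where an admin moves it to Capable / NotCapable).
    $state = if ($CapabilityList.ContainsKey($key)) { $CapabilityList[$key] } else { 'Unknown' }

    # A 'Capable' model is not enough: this particular machine must expose a ready TPM.
    $tpm      = Get-Tpm -ErrorAction SilentlyContinue
    $tpmReady = ($null -ne $tpm) -and $tpm.TpmPresent -and $tpm.TpmReady

    [pscustomobject]@{
        Hardware     = $key
        ListState    = $state
        TpmReady     = $tpmReady
        StartEncrypt = ($state -eq 'Capable') -and $tpmReady
    }
}

# Constructed sample capability list (assumption, not a real MBAM export)
$capabilityList = @{
    'Dell Inc.|Latitude E6430'           = 'Capable'
    'Hewlett-Packard|HP EliteBook 8460p' = 'Capable'
    'Acme Corp.|OldBox 2006'             = 'NotCapable'
}

Test-BitLockerHardwareCapable -CapabilityList $capabilityList
```

The point of the two separate fields is that a model-level "Capable" entry is a policy statement about a fleet, while TpmReady is a fact about one box; only when both hold should encryption proceed, otherwise the machine shows up as Unknown or NotCapable in reporting instead of failing mid-encryption.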
Compliance and Reporting
MBAM agent collects and passes data to reporting server
o All clients pass this up, encrypted or not
o IT can clarify WHY a computer is not compliant
Built on SQL Server® Reporting Services (SSRS), it gives you flexibility to add your own reports
Need to know the last known state of a lost computer?
Need to know how effective your rollout is, or how compliant your company is?
Who and when keys have been accessed, and when new hardware has been added?
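An added PowerShell example (not the MBAM agent's code) of what "clarify WHY a computer is not compliant" means in practice: each BitLocker volume is evaluated against a small policy and every failed condition is recorded as a reason rather than collapsing the result to a bare yes/no. It uses the built-in BitLocker module (Get-BitLockerVolume, Windows 8 / Server 2012 or later, elevated); the policy values and the function name are assumptions for illustration.

```powershell
# Added example, not MBAM's agent. Evaluates local BitLocker volumes against a
# policy and reports the reasons for non-compliance per volume.
function Get-BitLockerComplianceReport {
    param(
        # OS volume must carry at least one of these protector types (assumed policy)
        [string[]] $RequiredOsProtectors = @('Tpm', 'TpmPin'),
        # Allowed cipher suites (assumed policy)
        [string[]] $AllowedMethods = @('Aes256', 'XtsAes256')
    )

    foreach ($vol in Get-BitLockerVolume) {
        $reasons = New-Object 'System.Collections.Generic.List[string]'
        $types   = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        if ($vol.ProtectionStatus -ne 'On') {
            $reasons.Add("protection is $($vol.ProtectionStatus) (volume status: $($vol.VolumeStatus))")
        }
        if ($vol.VolumeStatus -eq 'EncryptionInProgress') {
            $reasons.Add("encryption only $($vol.EncryptionPercentage)% complete")
        }
        if ($vol.VolumeType -eq 'OperatingSystem' -and
            -not ($types | Where-Object { $RequiredOsProtectors -contains $_ })) {
            $reasons.Add("OS volume lacks a TPM-based protector (has: $($types -join ','))")
        }
        if ($types -notcontains 'RecoveryPassword') {
            # Nothing to escrow means the helpdesk cannot recover this volume.
            $reasons.Add('no recovery password protector to escrow')
        }
        if ($vol.ProtectionStatus -eq 'On' -and
            $AllowedMethods -notcontains $vol.EncryptionMethod.ToString()) {
            $reasons.Add("encryption method $($vol.EncryptionMethod) not allowed by policy")
        }

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            Compliant    = ($reasons.Count -eq 0)
            Reasons      = ($reasons -join '; ')
        }
    }
}

Get-BitLockerComplianceReport | Format-Table -AutoSize
```

Emitting the report even when every volume is compliant matches the "all clients pass this up, encrypted or not" behaviour: a machine that never reports is indistinguishable from one that is unencrypted, so the absence of a row is itself a finding for the reporting side.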
Central Storage of Recovery Key
Recovery Key(s) are Escrowed
o Operating System Volume
o Fixed Data Volumes
o Removable Data Volumes
o Stored outside of Microsoft Active Directory®
3-Tier Architecture
o DB encrypted with SQL Server's Transparent Data Encryption
o Web Service API to build org-specific solutions
o All logging and authorization are done at the web service layer to ensure parity for custom apps
Helpdesk Key Recovery UI
MBAM provides a web page for helpdesk functionality
o Provide BitLocker Recovery Key for authorized users
o Provide TPM unlock package for authorized users
o All requests (successful or not) are logged: who, when, which volume
Role based authorization model to get recovery info
o Tier 1: Helpdesk needs to have person/key match
o Tier 2: Key ID is sufficient (limited role)
Create your own custom page leveraging the web service layer
Single Use Recovery Keys
Once a BitLocker Recovery key has been exposed, the client will create a new one
o As part of regular client/server communication, the client checks to see if the Recovery Key has been exposed
o MBAM client will create a new one
o Transparent to user
Recovery Keys are created once a volume is unlocked
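The single-use behaviour above, as an added PowerShell example (not the MBAM client's code): once a recovery password has been handed out by the helpdesk it is treated as burned, a fresh one is generated, and the exposed one is retired. The new protector is added before the old one is removed so the volume is never left without a recovery protector, and the removal is placed after the escrow step so a failed escrow cannot leave a volume with a key that exists only on disk. The function name is an assumption; it uses the built-in BitLocker module and must run elevated. Escrow to MBAM's web service is left as a comment because that API is not shown on this page; the Active Directory alternative is shown commented out.

```powershell
# Added example, not the MBAM client. Rotates the recovery password protector of a
# volume after the old one has been exposed (e.g. read out via the helpdesk UI).
function Rotate-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)] [string] $MountPoint)

    $before = Get-BitLockerVolume -MountPoint $MountPoint
    $old    = @($before.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    # 1. Add a fresh recovery password first (BitLocker generates the 48 digits).
    $after = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $new   = $after.KeyProtector |
             Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' -and
                            ($old.KeyProtectorId -notcontains $_.KeyProtectorId) }

    # 2. Escrow the new protector BEFORE retiring the old one.
    #    MBAM: the client posts it to the MBAM recovery web service (not shown here).
    #    AD alternative:
    #    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $new.KeyProtectorId

    # 3. Only now retire the exposed protector(s); the volume always keeps at least one.
    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    [pscustomobject]@{
        MountPoint          = $MountPoint
        RetiredKeyIds       = @($old.KeyProtectorId)
        NewKeyId            = $new.KeyProtectorId
        # Return for escrow only; never write this to a log or ticket.
        NewRecoveryPassword = $new.RecoveryPassword
    }
}

Rotate-BitLockerRecoveryPassword -MountPoint 'C:'
```

The KeyProtectorId is what the BitLocker recovery screen shows (as the first eight characters) and what a Tier 2 helpdesk user would search on, so it is the right value to record in the audit trail; the password itself should only ever travel to the escrow store.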
Client Experience
What is Microsoft BitLocker Administration and Monitoring?
MBAM 2.0 improves on 1.0 functionality and adds additional focus on:
MBAM 1.0 objectives:
MBAM 2.0 Release Pillars
MBAM 2.0 – Two Deployment Options
Stand alone mode
Similar to v1 model: SQL Database contains Recovery Keys and Audit/Compliance
Configuration manager integrated mode
Compliance data and Reports are integrated into Config Manager
MBAM Agent distribution is facilitated via an out-of-the-box collection
Key Recovery and Audit data remain in SQL Server as in Stand Alone
Server Improvements
Supported Software (Configuration Manager Mode and Stand Alone Mode)
System Center Configuration Manager (Configuration Manager Mode):
Configuration Manager 2007 w/SP2
Configuration Manager 2012 w/SP1
SQL Server:
SQL 2008 R2 Standard edition or greater w/SP1
SQL 2012 Standard edition or greater RTM / SP1
Server OS:
Windows Server 2008 SP2 Standard/Enterprise/Datacenter
Windows Server 2008 R2 SP1 Standard/Enterprise/Datacenter
Windows Server 2012 Standard/Datacenter
Client OS:
Windows 7 Ultimate, Enterprise w/SP1 (x86/x64)
Windows 8 Enterprise (x86/x64)
Windows 8 Windows To Go
Hardware Configurations
Microsoft Application Virtualization (App-V)
Dynamically streaming software as a centrally managed service
“By using App-V, we’ll be
able to shrink the entire
application deployment
timeframe – from request
through delivery – by more
than 80 percent, from 30
days to just five days.”
Stephen Dula
IT Staff Engineer
Qualcomm
Streams applications to users
Centralizes permissions
Eliminates application installation
Isolates applications
Provides real-time metering
Readily accessible applications
Accelerate Windows deployment
Reduced application conflict
Minimize regression testing
Leverage existing Management systems
Microsoft Diagnostics & Recovery Toolset
DaRT offers 14 powerful tools to accelerate desktop repair on site and remotely
“This toolset enables us to
restore clients instantly
without rebuilding them -
saving up to six hours per
instance.”
David Smith
Technical Support Center,
UMC Health System
Recover unbootable PC
Access deleted files, manipulate services, reset passwords, and more
Detect and remove malware while the PC is offline
Accelerate TCO savings by minimizing recovery time
Recover instead of reloading Windows
Make PCs safer to use
Microsoft Diagnostics & Recovery Toolset
Customer scenarios
Customer wants to donate PCs to charity and needs to make sure data is wiped off hard disks: DaRT Disk Wipe tool
Customer has malware on system and real-time scanning doesn't work: DaRT Standalone System Sweeper
Customer needs to troubleshoot and repair unbootable PCs: DaRT Crash Analyzer and DaRT tools
Customer uses Windows BitLocker® encryption and needs access to encrypted drive on unbootable PC: DaRT tools
Customer needs to reset local passwords on servers: DaRT Locksmith
Customer needs to troubleshoot and repair servers in datacenter: DaRT Crash Analyzer and DaRT tools
Customer needs to locate a file that was deleted from the hard drive: DaRT File Restore
Customer needs to access a file on unbootable / unrepairable PC: DaRT File Explorer
WinRE Management Commands