No. | FILE NAME | Format | Link
---|---|---|---
01. | Microsoft Customization Recovery Service | pptx | Download presentation

Transcript
Spark the future. May 4 – 8, 2015, Chicago, IL
BitLocker Deployment Using MBAM is a Snap!
Lance Crandall, Program Manager, Microsoft
BRK2331
Threats to your data are everywhere
Information protection continuum
• Device protection: protect data when a device is lost or stolen
• Data protection: prevent accidental data leakage
• Sharing protection: protect data when it is shared
Lost laptops: adding terror to the playbook
Over 12,000 laptops are lost in airports every week.
“It’s staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for.” Larry Ponemon
Source: “New Study Reveals Up To 12,000 Laptop Computers Lost Weekly and up to 600,000 lost annually in U.S. Airports”, Ponemon.org, June 20, 2008
BitLocker Overview: 10,000-foot view
BitLocker
• Full volume encryption: OS volumes; fixed data drives (a separate hard drive or partition); removable drives
• Recovery: recovery keys; DRA (data recovery agent)
• Used Disk Space Only encryption: encrypts only the used disk space, so new volumes finish quickly
• Pre-provisioning: speeds up encryption by turning BitLocker on in WinPE, before the OS is laid down; the TPM must be enabled and owned before the TPM protector can be added
BitLocker Protectors
• OS volume: TPM, TPM+PIN, Password
• Data volumes: Auto-Unlock, Password
TPM Overview
• Hardware based: protects BitLocker, virtual smart card, and other sensitive keys
• Enables Secure Boot by verifying platform integrity measurements
• Prevents tampering: moving the disk to another machine leaves the keys inaccessible
• Anti-hammering logic; because the keys live in hardware, they are not exposed to software attacks
• TPM spec versions: TPM 1.2 is the main spec in use, with lockout thresholds and attempt counts that vary by manufacturer; TPM 2.0 is on by default and has consistent lockout behavior
Preparing to Use the TPM
• TPM enablement: the TPM must be enabled and activated in the BIOS/UEFI (the default with TPM 2.0), and must be visible to and manageable by the OS; this can be automated with tools from the device manufacturer, from within the full OS or from WinPE
• Ownership: the TPM must be owned by Windows, MBAM, or something else; taking ownership creates the TPM OwnerAuth password, which is needed later to reset TPM lockouts; ownership can be scripted (MDT, SCCM, or another method)
BitLocker Management with MBAM
Microsoft BitLocker Administration and Monitoring: an enterprise-class solution that streamlines management of BitLocker
• BitLocker enactment: integrates into existing deployment tools; grace period for enactment; prompts for PIN or password; escrows recovery information and TPM OwnerAuth
• Compliance reporting: encryption status reporting per volume on each computer; view overall compliance for your organization; view reports standalone or in System Center Configuration Manager
• Recovery: helpdesk recovery; self-service recovery; retrieve TPM OwnerAuth to unlock the TPM
Stand Alone Server Components
• Database components: Recovery Database; Compliance / Audit Database
• Self-Service Server: Self-Service Web Service; Self-Service Web Site
• Administration and Monitoring Server: Admin Web Service; Admin Web Site
• Compliance and Audit Reports (SSRS): Reporting Web Service; Reporting Web Site
Configuration Manager Integration Server Components
• Database components: Recovery Database; Audit Database
• Self-Service Server: Self-Service Web Service; Self-Service Web Site
• Administration and Monitoring Server / Audit Report: Admin Web Service; Admin Web Site
• Configuration Manager components: Management Console; CM Reports (SSRS)
GPO
• ADMX files downloadable from microsoft.com/downloads
• Allows configuration of BitLocker settings and MBAM policy settings
• Computer Configuration\Administrative Templates\Windows Components\MDOP MBAM
• User Configuration\Administrative Templates\Windows Components\MDOP MBAM (user exemptions only)
MBAM client flow: install MBAM client → apply MBAM policy → agent enacts BitLocker → agent reports compliance
Announcing MBAM 2.5 SP1
• Deployment: introduced scripts to support imaging; included prompting for PIN after imaging; improved TPM OwnerAuth escrow
• Management: built cmdlets to import BitLocker and TPM data from AD; added automatic TPM unlock when BitLocker is recovered; consolidated and simplified server logging
• Industry compatibility: added Windows 10 support; added Encrypted HDD support; supported International Domain Names; supported Win7 FIPS recovery password
• Customization: added the ability to direct users to the SSP from the BitLocker recovery screen; allowed SSP branding during setup; increased supported client languages to 23; updated the reports schema to allow customization using Report Builder
What’s New With BitLocker Deployment Using MBAM
Enabling BitLocker During Imaging

Area | Previously | MBAM 2.5 SP1
---|---|---
Process | Manual process with reg keys and service restarts; unsupported scripts that only worked with MDT/SCCM | Written in PowerShell, compatible with PowerShell v2; easy to use with MDT, SCCM, or standalone
Volume support | OS volumes only; no pre-provisioning support out of the box | OS volumes with TPM protector; fixed data drive support; handles pre-provisioned drives; prompts for PIN immediately after imaging
Escrow/Reporting | Does not escrow TPM OwnerAuth unless owned by MBAM; reporting could take up to 12 hours | TPM OwnerAuth escrowed even if pre-provisioned or not owned by MBAM (Win8+); immediate compliance reporting
Error handling | Limited error handling; depends on the script | Robust error handling; writes to standard out, including the BDD and SMSTS logs

Under the covers
• New WMI methods: PrepareTpmAndEscrowOwnerAuth, EscrowRecoveryKey, ReportStatus
• Returned error codes are helpful for troubleshooting

MBAM Client Deployment Script Parameters
Invoke-MbamClientDeployment.ps1 is the main script that your deployment system calls to configure MBAM and enable BitLocker.

Parameter | Required | Description
---|---|---
-RecoveryServiceEndpoint | Required | MBAM recovery service endpoint
-StatusReportingServiceEndpoint | Optional | MBAM status reporting service endpoint
-EncryptionMethod | Optional | Encryption method (default: AES 128)
-EncryptAndEscrowDataVolume | Switch | Encrypt data volume(s) and escrow the data volume recovery key(s)
-WaitForEncryptionToComplete | Switch | Wait for encryption to complete before returning
-IgnoreEscrowOwnerAuthFailure | Switch | Ignore TPM OwnerAuth escrow failure
-IgnoreEscrowRecoveryKeyFailure | Switch | Ignore volume recovery key escrow failure
-IgnoreReportStatusFailure | Switch | Ignore status reporting failure

The -Ignore* switches let imaging continue when escrow or reporting fails; a machine whose recovery key was never escrowed cannot be recovered through MBAM, so use them only where compliance reporting will catch the gap afterwards.

Command Line Example
Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc -StatusReportingServiceEndpoint https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc -EncryptAndEscrowDataVolume -EncryptionMethod AES256 -WaitForEncryptionToComplete

Integrating Into Deployment Processes: as easy as 1…2…3!
1. Add the script that persists the TPM OwnerAuth (WinPE)
2. Install the MBAM agent (full OS)
3. Run the MBAM PowerShell script (full OS)
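The full-OS half of the three steps above, written out as an added example of a task sequence wrapper; this is not code from the deck or from the MBAM product. It assumes the MBAM 2.5 SP1 client MSI (named MbamClientSetup.msi here, an assumption) and Invoke-MbamClientDeployment.ps1 are staged in the wrapper's folder, that the endpoint URLs are placeholders for your own servers, and that the OS is Windows 8 or later, since Get-Tpm and Get-BitLockerVolume do not exist on Windows 7.

```powershell
# Added example: full-OS task sequence wrapper for steps 2 and 3.
# Not part of the Ignite deck or of MBAM itself. See lead-in for assumptions.
param(
    [string]$RecoveryServiceEndpoint        = 'https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc',
    [string]$StatusReportingServiceEndpoint = 'https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc',
    [string]$AgentMsi   = 'MbamClientSetup.msi',            # assumption: file name of the staged client MSI
    [string]$MbamScript = 'Invoke-MbamClientDeployment.ps1'  # Microsoft's script, staged alongside
)
$ErrorActionPreference = 'Stop'
$here = Split-Path -Parent $MyInvocation.MyCommand.Path

function Test-TpmPresent {
    # The deployment script only adds a TPM protector, so a missing or disabled
    # TPM means there is nothing to escrow; fail early with a clear message.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { throw 'No TPM detected; enable and activate it in BIOS/UEFI before imaging.' }
    if (-not $tpm.TpmReady)   { Write-Warning 'TPM present but not ready; the script will attempt to take ownership.' }
    return $tpm.TpmPresent
}

function Install-MbamAgent([string]$MsiPath) {
    # Step 2: silent install. msiexec 3010 means success with a reboot pending.
    if (-not (Test-Path $MsiPath)) { throw "MBAM agent MSI not found: $MsiPath" }
    $log = Join-Path $env:TEMP 'MbamClientSetup.log'
    $p = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru `
         -ArgumentList "/i `"$MsiPath`" /qn /norestart /l*v `"$log`""
    if ($p.ExitCode -ne 0 -and $p.ExitCode -ne 3010) {
        throw "MBAM agent install failed, msiexec exit code $($p.ExitCode); see $log"
    }
}

function Invoke-MbamDeploymentScript([string]$ScriptPath, [string]$Recovery, [string]$Status) {
    # Step 3: run Microsoft's script out of process so its exit code is
    # preserved and its standard output flows into BDD.log / SMSTS.log.
    $psArgs = @('-NoProfile', '-ExecutionPolicy', 'Bypass', '-File', $ScriptPath,
                '-RecoveryServiceEndpoint', $Recovery,
                '-StatusReportingServiceEndpoint', $Status,
                '-EncryptionMethod', 'AES256',
                '-EncryptAndEscrowDataVolume')
    & powershell.exe @psArgs
    if ($LASTEXITCODE -ne 0) { throw "Invoke-MbamClientDeployment.ps1 exited with code $LASTEXITCODE" }
}

function Test-OsVolumeProtected {
    # Post-check: protection must be on and the OS volume must carry a
    # TPM-based protector. ProtectionStatus turns On as soon as protectors are
    # active, so this passes while encryption is still running unless the
    # script was called with -WaitForEncryptionToComplete.
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $hasTpm = @($types | Where-Object { $_ -like 'Tpm*' }).Count -gt 0
    # Write-Host keeps the summary out of the function's return value but
    # still lands in the task sequence log.
    Write-Host ('OSVolume={0} VolumeStatus={1} Protection={2} Protectors={3}' -f `
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, ($types -join ','))
    return (($vol.ProtectionStatus -eq 'On') -and $hasTpm)
}

Test-TpmPresent | Out-Null
Install-MbamAgent -MsiPath (Join-Path $here $AgentMsi)
Invoke-MbamDeploymentScript -ScriptPath (Join-Path $here $MbamScript) `
    -Recovery $RecoveryServiceEndpoint -Status $StatusReportingServiceEndpoint
if (-not (Test-OsVolumeProtected)) { Write-Host 'BitLocker is not enabled on the OS volume'; exit 1 }
exit 0
```

The wrapper deliberately does not pass the -Ignore* switches: if escrow fails the task sequence fails, which is the outcome you want during imaging, when the machine is still in the build room rather than in a user's bag.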
Demo – Enabling BitLocker Using MDT and MBAM During Imaging
Enabling BitLocker on Existing Machines
• Apply MBAM policies to the device
• Enable the TPM
• Create the BitLocker system partition if needed
• Fix potential Win32_EncryptableVolume issues
• Install the MBAM agent
• The MBAM agent works its magic
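A readiness check that walks the checklist above on an existing machine before the agent is installed, added here as an example that is not part of the deck. It assumes MBAM policy arrives by GPO under HKLM\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement (the key the MBAM ADMX writes to; treat the path as an assumption), and uses only the Win32_Tpm, Win32_Volume and Win32_EncryptableVolume WMI classes, so it also runs on Windows 7 where Get-Tpm is unavailable.

```powershell
# Added example, not from the deck: pre-flight readiness for the MBAM agent.
function Get-BitLockerReadiness {
    $osDrive = $env:SystemDrive

    # Policy applied? An absent or empty key means the GPO has not reached this device.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE\MDOPBitLockerManagement'   # assumption
    $policyApplied = (Test-Path $policyKey) -and (@((Get-Item $policyKey).Property).Count -gt 0)

    # TPM state, through the same WMI class the agent itself uses.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
    $tpmPresent   = ($tpm -ne $null)
    $tpmEnabled   = $tpmPresent -and [bool]$tpm.IsEnabled().IsEnabled
    $tpmActivated = $tpmPresent -and [bool]$tpm.IsActivated().IsActivated
    $tpmOwned     = $tpmPresent -and [bool]$tpm.IsOwned().IsOwned   # not required: MBAM takes ownership

    # System partition: if the volume holding Windows (BootVolume) is also the
    # one holding the boot files (SystemVolume), there is no separate system
    # partition and BdeHdCfg.exe must create one before BitLocker can start.
    $winVol = Get-WmiObject -Class Win32_Volume -Filter 'BootVolume=TRUE'
    $hasSystemPartition = -not [bool]$winVol.SystemVolume

    # BitLocker WMI provider: the agent can do nothing if Win32_EncryptableVolume
    # does not enumerate the OS drive (WMI repository damage, missing feature).
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
           -Class Win32_EncryptableVolume -Filter "DriveLetter='$osDrive'" -ErrorAction SilentlyContinue
    $providerOk = ($vol -ne $null)
    $protection = 'n/a'; $encrypted = 'n/a'
    if ($providerOk) {
        $protection = @('Off', 'On', 'Unknown')[$vol.GetProtectionStatus().ProtectionStatus]
        $encrypted  = '{0}%' -f $vol.GetConversionStatus().EncryptionPercentage
    }

    New-Object PSObject -Property @{
        PolicyApplied      = $policyApplied
        TpmPresent         = $tpmPresent
        TpmEnabled         = $tpmEnabled
        TpmActivated       = $tpmActivated
        TpmOwned           = $tpmOwned
        HasSystemPartition = $hasSystemPartition
        WmiProviderOk      = $providerOk
        ProtectionStatus   = $protection
        EncryptionPercent  = $encrypted
    }
}

function Get-BitLockerBlockers {
    # Items that must be fixed before the agent can enact BitLocker; an empty
    # list means the machine is ready for the agent install.
    $r = Get-BitLockerReadiness
    $blockers = @()
    if (-not $r.PolicyApplied)      { $blockers += 'MBAM policy not applied (run gpupdate /force and check the MDOP MBAM GPO)' }
    if (-not $r.TpmPresent)         { $blockers += 'No TPM visible to the OS' }
    elseif (-not ($r.TpmEnabled -and $r.TpmActivated)) { $blockers += 'TPM not enabled/activated in BIOS/UEFI' }
    if (-not $r.HasSystemPartition) { $blockers += 'No separate system partition: run BdeHdCfg.exe -target default -size 300 -quiet' }
    if (-not $r.WmiProviderOk)      { $blockers += 'Win32_EncryptableVolume not available for the OS drive' }
    return ,$blockers
}

$blockers = Get-BitLockerBlockers
if ($blockers.Count -eq 0) { Write-Host 'Ready for the MBAM agent' }
else { $blockers | ForEach-Object { Write-Host "Blocker: $_" } }
```

TPM ownership is reported but not treated as a blocker, because the MBAM agent takes ownership itself and escrows the resulting OwnerAuth; an already-owned TPM whose OwnerAuth was never escrowed is the case the AD migration section below addresses.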
Demo – Enabling BitLocker Using MDT and MBAM on Existing Machines
AD Recovery Data Migration
Migrating Existing Recovery Data to MBAM
Challenges:
• Enterprises have rolled out BitLocker without MBAM
• Recovery data is stored in AD, and the TPM OwnerAuth may be stored in AD too
• Machines may be offline or in storage, so the agent cannot re-escrow
• Technicians have two places to go for recovery
Active Directory Recovery Data Migration
• Four PowerShell cmdlets:
  • For volume recovery keys and packages: Read-ADRecoveryInformation, Write-MbamRecoveryInformation
  • For TPM OwnerAuth information: Read-ADTpmInformation, Write-MbamTpmInformation
• Add-ComputerUser.ps1: matches users to computers
Active Directory Recovery Data Migration
• Reads recovery keys, packages, and TPM OwnerAuth from AD and writes them to MBAM
• Does not write to AD
• Data integrity checks when writing to MBAM
• Once migrated, Advanced Helpdesk can recover
• An intermediary step can match users to machines, using the ManagedBy attribute in AD or a custom CSV file; that mapping is what enables (non-advanced) helpdesk and SSP recovery
Setup
• Grant rights in AD
• Create an AD group that is allowed to write migrated data to MBAM
• Open web.config for the recovery service
• Edit the <add key="DataMigrationsUsersGroupName" value=""> entry, setting value to that group
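The web.config step above, as an added example that is not from the deck: it sets the migration group, keeps a backup, and reads the value back so the change can be verified. The default installation path of the recovery service's web.config is an assumption; confirm it on your server.

```powershell
# Added example, not from the deck: configure DataMigrationsUsersGroupName.
$DefaultRecoveryWebConfig = 'C:\inetpub\Microsoft BitLocker Management Solution\Recovery And Hardware Service\web.config'  # assumption

function Get-MbamDataMigrationGroup {
    param([string]$WebConfigPath = $DefaultRecoveryWebConfig)
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($WebConfigPath)
    # XPath over the whole document so no assumption is made about which
    # section the key lives in.
    $node = $xml.SelectSingleNode("//add[@key='DataMigrationsUsersGroupName']")
    if ($node -eq $null) { return $null }
    return $node.GetAttribute('value')
}

function Set-MbamDataMigrationGroup {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,   # e.g. 'CONTOSO\MBAM Data Migration' (constructed example)
        [string]$WebConfigPath = $DefaultRecoveryWebConfig
    )
    if ($GroupName -notmatch '\\') { Write-Warning 'Group name has no domain prefix; use DOMAIN\Group to avoid ambiguous lookups.' }
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the saved file diff-friendly
    $xml.Load($WebConfigPath)
    $node = $xml.SelectSingleNode("//add[@key='DataMigrationsUsersGroupName']")
    if ($node -eq $null) { throw "DataMigrationsUsersGroupName not found in $WebConfigPath" }
    Copy-Item -Path $WebConfigPath -Destination "$WebConfigPath.bak" -Force   # backup before touching a service config
    $node.SetAttribute('value', $GroupName)
    $xml.Save($WebConfigPath)                # IIS recycles the app pool on web.config change
    return (Get-MbamDataMigrationGroup -WebConfigPath $WebConfigPath)
}

# Usage (run elevated on the MBAM recovery server):
# Set-MbamDataMigrationGroup -GroupName 'CONTOSO\MBAM Data Migration'
```

Keep membership of this group small and temporary: whoever is in it can write recovery keys and TPM OwnerAuth values into MBAM, so it is a path to seeding the database with attacker-chosen data as well as to legitimate migration.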
AD Recovery Data Migration Example
Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse | Add-ComputerUser -FromComputerManagedBy | Write-MBAMRecoveryInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
AD TPM Data Migration Example
Read-ADTpmInformation -Server contoso.com -Credential $cred -Recurse | Add-ComputerUser -FromComputerUserMapping (Import-Csv ComputerToUserMapping.csv) | Write-MBAMTpmInformation -RecoveryServiceEndPoint https://mbam-iis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
Demo – AD Recovery Data Migration
Custom Pre-boot Recovery
Recovery Experience
• Helpdesk: enters the user's domain and user name, then the Recovery Key ID
• Advanced Helpdesk: enters the Recovery Key ID only
• Self Service: the user logs into a domain-joined PC, authenticates with Windows Integrated Auth, and provides the Recovery Key ID
SSP Windows 10 Enhancements
You want users to use the SSP, because it cuts costs. Today, though:
• Users hit the recovery screen
• The recovery screen tells them to go to OneDrive
• The key isn't there!
• The user calls the helpdesk
You can now customize the BitLocker recovery screen!
(Screenshots: the default recovery message, a custom recovery message, and the Windows 10 custom pre-boot URL.) The custom message and URL are delivered through the Windows 10 BitLocker policy "Configure pre-boot recovery message and URL" under Operating System Drives, so the screen can point users at the SSP instead of OneDrive.
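For a lab machine, the policy behind the custom pre-boot screen can be set locally; in production deliver it by GPO. This is an added example, not from the deck, and it assumes the registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE are those defined in VolumeEncryption.admx for that policy: PrebootRecoveryInfo (0 = default, 1 = custom message, 2 = custom URL), PrebootRecoveryMessage and PrebootRecoveryUrl. Check those names against your ADMX before relying on them.

```powershell
# Added example, not from the deck: set/read the Windows 10 pre-boot recovery
# message and URL policy. Value names and the 0/1/2 selector are assumptions
# taken from VolumeEncryption.admx; verify against your copy.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-BitLockerPrebootRecoveryInfo {
    $p = Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue
    $selector = [int]($p.PrebootRecoveryInfo)          # $null becomes 0 (default)
    New-Object PSObject -Property @{
        Mode    = @('Default', 'CustomMessage', 'CustomUrl')[$selector]
        Message = $p.PrebootRecoveryMessage
        Url     = $p.PrebootRecoveryUrl
    }
}

function Set-BitLockerPrebootRecoveryInfo {
    param(
        [string]$Url,       # e.g. the MBAM self-service portal; shown verbatim on the pre-boot screen
        [string]$Message    # custom text instead of a URL; supply one or the other
    )
    if (-not $Url -and -not $Message) { throw 'Specify -Url or -Message' }
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    if ($Url) {
        # The user types this by hand from a screen with no hyperlink, so keep
        # it short; a long path with a query string will not be transcribed.
        if ($Url.Length -gt 80) { Write-Warning 'URL is long for a pre-boot screen; consider a short redirect.' }
        Set-ItemProperty -Path $FvePolicyKey -Name PrebootRecoveryInfo -Value 2 -Type DWord
        Set-ItemProperty -Path $FvePolicyKey -Name PrebootRecoveryUrl  -Value $Url -Type String
    } else {
        Set-ItemProperty -Path $FvePolicyKey -Name PrebootRecoveryInfo    -Value 1 -Type DWord
        Set-ItemProperty -Path $FvePolicyKey -Name PrebootRecoveryMessage -Value $Message -Type String
    }
    return (Get-BitLockerPrebootRecoveryInfo)
}

# Usage (elevated, Windows 10):
# Set-BitLockerPrebootRecoveryInfo -Url 'https://mbam.contoso.com/SelfService'   # constructed example URL
```

The pre-boot screen is rendered by the boot manager before the OS is up, so the URL is plain text the user must retype on another device; that is the reason the example prefers a short, memorable address over the full self-service portal path.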
Demo – Custom Preboot Recovery Message
Managing TPM Lockouts
TPM Lockouts
• TPM anti-hammering is triggered by: incorrect PIN attempts; incorrect virtual smart card authentication attempts; invalid attempts to guess or change the TPM OwnerAuth
• Protection mechanism when using BitLocker: exponentially slower responses to authorization attempts; forces a BitLocker recovery event, so the user has to enter the 48-digit BitLocker recovery key to unlock
• Lockout duration: TPM 1.2 varies by manufacturer; TPM 2.0 is 2 hours
Unlocking the TPM
• Unlocking the TPM requires the TPM OwnerAuth
• MBAM escrowed the TPM OwnerAuth, so the helpdesk can provide it
• Using it on the device requires admin rights
Managing TPM Lockouts: The Easy Way
• TPM 1.2 lockouts can be resolved automatically
• Not needed for TPM 2.0
• The feature must be enabled on the web server and in GPO
• The TPM OwnerAuth must be in MBAM
TPM Auto-Unlock Process
1. User hits the BitLocker recovery screen
2. User recovers the key from the SSP or the helpdesk portal
3. The key is marked as disclosed
4. The MBAM service wakes up and detects that the key was disclosed
5. It checks whether the TPM is locked out
6. It automatically unlocks the TPM if MBAM holds the TPM OwnerAuth
7. The action is audited in the client event log and in the MBAM audit reports
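The manual unlock path and a check of the audit trail left by the automatic one, as an added example that is not part of the deck. It assumes Windows 8 or later (Get-Tpm and Unblock-Tpm come from the TrustedPlatformModule module), that the session is elevated, and that the MBAM client logs to Microsoft-Windows-MBAM/Operational; the log name is an assumption, so adjust it if your clients write elsewhere.

```powershell
# Added example, not from the deck: inspect TPM lockout state, reset it with
# the OwnerAuth retrieved from MBAM, and list the MBAM client's TPM events.
function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-TpmLockoutState {
    # Get-Tpm exposes the anti-hammering state the slide describes.
    $tpm = Get-Tpm
    New-Object PSObject -Property @{
        LockedOut    = $tpm.LockedOut
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
        TpmReady     = $tpm.TpmReady
    }
}

function Unblock-TpmWithOwnerAuth {
    param([Parameter(Mandatory = $true)][string]$OwnerAuth)   # the value the MBAM helpdesk portal returns for this machine
    if (-not (Test-IsElevated)) { throw 'Resetting the TPM lockout requires local administrator rights.' }
    if (-not (Get-TpmLockoutState).LockedOut) { return $true }   # nothing to reset
    # Unblock-Tpm resets the dictionary-attack counter without clearing the TPM,
    # so keys sealed to it (BitLocker, virtual smart cards) survive. A wrong
    # OwnerAuth counts as another failed attempt, so do not retry blindly.
    Unblock-Tpm -OwnerAuthorization $OwnerAuth
    return (-not (Get-TpmLockoutState).LockedOut)
}

function Get-MbamTpmEvents {
    param([int]$Last = 20)
    # Both the manual and the automatic unlock leave a trail here; after a key
    # disclosure on a locked-out TPM the helpdesk should expect to see one.
    Get-WinEvent -LogName 'Microsoft-Windows-MBAM/Operational' -MaxEvents 500 -ErrorAction SilentlyContinue |   # log name: assumption
        Where-Object { $_.Message -match 'TPM' } |
        Select-Object -First $Last TimeCreated, Id, Message
}

Get-TpmLockoutState | Format-List
# Manual path, after the helpdesk has handed over the OwnerAuth:
# Unblock-TpmWithOwnerAuth -OwnerAuth '<value from MBAM helpdesk portal>'
Get-MbamTpmEvents | Format-Table -AutoSize
```

Handing the OwnerAuth to a technician is a disclosure event in its own right: once it has been used on the device, treat it the same way MBAM treats a disclosed recovery key and let the agent re-escrow a fresh value where the platform supports it.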
Demo – TPM Auto-Unlock
Available With Windows 10
Conclusion
MBAM 2.5 SP1 makes it even easier to deploy and manage BitLocker on your devices:
• New deployment scripts
• Easy migration of recovery data from AD to MBAM
• TPM management enhancements
• A custom pre-boot URL in Windows 10 lowers support costs
Related Sessions
• BRK3340 App-V 5.0 SP3: Advanced Connection Groups (Thu 17:00)
• BRK3317 Creating a Seamless User Experience with Microsoft UE-V and Windows 10 (Fri 12:30)
• BRK3304 Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools (Wed 9:00)
• BRK3144 Microsoft Office 365 ProPlus: Have It Your Way! (Fri 12:30)
• BRK3868 Fundamentals of Microsoft Azure RemoteApp Management and Administration (Tue 13:30)
Visit MyIgnite at http://myignite.microsoft.com or use the Ignite Mobile App. Please evaluate this session; your feedback is important to us!
© 2015 Microsoft Corporation. All rights reserved.