Deploy and Manage BitLocker using MBAM

Presentation transcript:

BRK3100 Deploy and Manage BitLocker using MBAM
Microsoft Ignite 2016
Tanner Slayton, Sr. Consultant – Cyber Security
4/21/2018 5:12 AM © 2016 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

TPM 101

TPM 101
- Beginning: physical device only; disabled by default
- Current time: still physical, but also virtual; enabled by default
- Main function: protect sensitive cryptographic key material; maintain boot measurements, virtual smartcard private key, fingerprint authentication, credentials

Trusted Computing Windows Investments
- Windows 7: BitLocker
- Windows 8.1: Measured Boot, Virtual Smartcards, BitLocker
- Windows 10: Health Attestation, Microsoft Passport, Credential Guard, Device Guard, Measured Boot, Virtual Smartcards, BitLocker

BitLocker 101

BitLocker 101
- New in Windows 10: Build 1511 adds XTS encryption; the recovery screen message can be customized
- Data at rest encryption: with MBAM you can have TPM, TPM+PIN, and Password protectors; without MBAM you can have all of the above plus Smartcard, AD Group, AD User (data drives only) and USB startup key

MBAM 101

MBAM 101 – Microsoft BitLocker Administration and Monitoring
What it can do:
- Enforce encryption of domain-joined systems
- Ensure protectors are correct
- Back up the recovery key
- Give compliance status and reports for client devices
What it can't do:
- Force users to change the PIN after XX days
- Force a change to the recovery key after XX days
- Decrypt systems and re-encrypt with the correct algorithm

Future of MBAM

What to expect short-term
- Hotfix release for the client to support XTS encryption: September 2016 Rollup for MDOP Suite, released 27-Sept (3168628)
- What will the hotfix enable?
  - Client side only
  - Escrow, compliance reporting, and enactment will work
  - Have to have the same encryption strength for OS and data drives
  - Compliance flag will be calculated properly
- What the hotfix will not fix
  - Encryption strength on the reports will be blank

What to expect long-term
- We want your feedback: blignite2016@Microsoft.com

Setup of MBAM

Server Setup
- Two-server setup
  - SSRS / SQL on one server (can be shared)
  - Web portal (IIS) on another
- Order of installation
  1. AD users & groups (including PKI SSL certificates)
  2. Databases and reports
  3. Web portal
  4. Group Policies
  5. Client deployment

PowerShell Scripts

Client Setup
- Deploy via SCCM / MDT (or another deployment method: Altiris, etc.): most preferred
- Deploy via GPO: can accomplish the task if desired, but ideally do not install software via GPO
- Manual installation: least preferred

Client Deployment - Scripts
- Microsoft-designed PowerShell and scripts: https://www.microsoft.com/en-us/download/details.aspx?id=48698
- Invoke-MBAMClientDeployment.ps1: used for MDT or SCCM deployment to start encryption
- SaveWinPETpmOwnerAuth.wsf: only works if the TPM is not previously owned and ownership is taken via WinPE
  - Log file: %TEMP%\SaveWinPETpmOwnerAuth.log
  - Key name: OwnerAuthFull

Troubleshooting MBAM

Client and Server Troubleshooting
- How to determine if a client is having a problem
  - Windows Event Forwarding: monitor Microsoft-Windows-MBAM/Admin
  - SCCM: configuration baselines
  - Custom script
- How to determine if manage-bde is executed
  - AppLocker: audit mode, deny rule for manage-bde.exe
  - Event logs: Microsoft / Windows / MBAM (Operational and Admin)
  - BitLocker event logs

Client and Server Troubleshooting
- Can you talk to the web services?
  - Recycle the AppPool and check for errors (MBAM-Web)
  - Client able to talk to the recovery and compliance web portals
- Group Policy applied: registry key HKLM\Policies\Microsoft\FVE
- WMI namespace: Win32_EncryptableVolume; query with WMI Explorer

Client and Server Troubleshooting
- Lots of places to look
- Not an expert on SSRS or SQL
- And… I wrote a script for that too (at least on the client side)
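As an added example (not the speaker's script and not part of the deck), a PowerShell client-side check that walks the items on the three troubleshooting slides above: policy registry key, reachability of the recovery and compliance web services, Win32_EncryptableVolume state, recent MBAM/BitLocker events, and AppLocker audit events for manage-bde.exe. The MBAM registry value names KeyRecoveryServiceEndPoint and StatusReportingServiceEndPoint and the AppLocker event ID 8003 are my assumptions, not taken from the slides.

```powershell
# Added example (not the speaker's script): client-side MBAM/BitLocker health check. Run elevated on a Windows 10 MBAM client.
function Get-MbamClientHealth {
    param([int]$Hours = 24)                      # look-back window for the event log queries
    $since = (Get-Date).AddHours(-$Hours)

    # 1. Group Policy applied? BitLocker settings land under ...\Policies\Microsoft\FVE (the full
    #    path includes SOFTWARE); the MBAM client settings sit in its MDOPBitLockerManagement subkey.
    $fve  = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $mbam = "$fve\MDOPBitLockerManagement"
    $policy = [pscustomobject]@{ FvePolicyPresent = (Test-Path $fve); MbamPolicyPresent = (Test-Path $mbam) }

    # 2. Can the client reach the recovery (key escrow) and compliance (status) web services?
    #    The two value names are assumptions (how the MBAM 2.5 client stores the service URLs).
    $reach = foreach ($name in 'KeyRecoveryServiceEndPoint', 'StatusReportingServiceEndPoint') {
        $url = (Get-ItemProperty $mbam -Name $name -ErrorAction SilentlyContinue).$name
        if ($url) {
            $u = [uri]$url
            [pscustomobject]@{ Endpoint = $name; Url = $url
                TcpOpen = (Test-NetConnection $u.Host -Port $u.Port -InformationLevel Quiet -WarningAction SilentlyContinue) }
        }
    }

    # 3. Volume state from Win32_EncryptableVolume: protection on, percent encrypted, cipher
    #    (6/7 = XTS-AES, the Windows 10 1511 methods the hotfix above adds client support for)
    #    and the protector types present (the TPM vs TPM+PIN question).
    $cipher = @{ 0='None'; 1='AES128+Diffuser'; 2='AES256+Diffuser'; 3='AES128'; 4='AES256'; 5='Hardware'; 6='XTS-AES128'; 7='XTS-AES256' }
    $kpType = @{ 1='TPM'; 2='ExternalKey'; 3='NumericalPassword'; 4='TPM+PIN'; 5='TPM+StartupKey'; 6='TPM+PIN+StartupKey'; 7='PublicKey'; 8='Passphrase' }
    $ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'
    $volumes = Get-CimInstance -Namespace $ns -ClassName Win32_EncryptableVolume | ForEach-Object {
        $v = $_
        $prot = (Invoke-CimMethod -InputObject $v -MethodName GetProtectionStatus).ProtectionStatus
        $pct  = (Invoke-CimMethod -InputObject $v -MethodName GetConversionStatus).EncryptionPercentage
        $meth = (Invoke-CimMethod -InputObject $v -MethodName GetEncryptionMethod).EncryptionMethod
        $ids  = (Invoke-CimMethod -InputObject $v -MethodName GetKeyProtectors -Arguments @{ KeyProtectorType = [uint32]0 }).VolumeKeyProtectorID
        $types = foreach ($id in $ids) {
            $t = (Invoke-CimMethod -InputObject $v -MethodName GetKeyProtectorType -Arguments @{ VolumeKeyProtectorID = $id }).KeyProtectorType
            if ($kpType.ContainsKey([int]$t)) { $kpType[[int]$t] } else { "Type$t" }
        }
        [pscustomobject]@{ Drive = $v.DriveLetter; ProtectionOn = ($prot -eq 1); PercentEncrypted = $pct
                           Cipher = $cipher[[int]$meth]; Protectors = ($types -join ', ') }
    }

    # 4. Recent errors and warnings in the MBAM and BitLocker client logs (what WEF should forward).
    $logs = 'Microsoft-Windows-MBAM/Admin', 'Microsoft-Windows-MBAM/Operational', 'Microsoft-Windows-BitLocker/BitLocker Management'
    $problems = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since; Level = 1, 2, 3 } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
    }

    # 5. Was manage-bde.exe run outside MBAM? With an AppLocker deny rule for it in Audit mode,
    #    each launch is logged as event 8003 ("would have been blocked") in the EXE and DLL log.
    $manageBde = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'manage-bde\.exe' } | Select-Object TimeCreated, Message

    [pscustomobject]@{ Policy = $policy; WebServices = $reach; Volumes = $volumes; RecentProblems = $problems; ManageBdeRuns = $manageBde }
}

Get-MbamClientHealth | Format-List
```

A non-compliant client typically shows up as MbamPolicyPresent = False, a volume with ProtectionOn = False or a cipher that does not match the MBAM policy, or a TcpOpen = False for one of the two endpoints.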

Demo

TPM 201

What is Health Attestation?
Health Attestation is a Windows security feature that was released as part of the Windows 8 release:
- TPM creates a tamper-resistant audit log (as it is measuring/monitoring the boot)
- It can be validated locally and remotely
Diagram labels: Windows Kernel & Boot Drivers; Early Launch Anti-Malware; Boot Loaders; UEFI Secure Boot; OS Loader; TPM Boot Log; Platform Configuration Registers (PCRs); EK Cert; AIK Cert; TPM

TPM Secrets & Certificates
1. Fuse EK seed
2. Generate EK key pair (EK_PRIV, EK_PUB) and AIK key pair
3. Send EK_PUB to signing server
4. Sign the EK_PUB, issue an EK_CERT
5. Store the EK_CERT on the device
6. Ship the device
7. User purchases the device, turns the device on
8. Device sends the EK_CERT and EK_PUB to the AIK provisioning service
9. AIK provisioning service verifies the EK_CERT and issues a challenge:
   - Generates a random value
   - Encrypts it with EK_PUB
   - Sends the encrypted challenge to the device
10. Device decrypts the challenge with EK_PRIV and forwards the following to the AIK provisioning service:
   - Challenge data in clear format
   - Hash of AIK_PUB to
11. AIK provisioning service gets the data:
   - Validates if the challenge data are correct
   - Issues a
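As an added example that is not part of the deck, a PowerShell simulation of steps 3-5 and 8-11 above, with ordinary .NET RSA keys standing in for the TPM-resident EK and AIK so that both sides of the exchange can be run on one machine. The certificate format (a signature over a public key's modulus), the use of SHA-256, and the assumption that step 11 ends with the service issuing an AIK_CERT are mine, not the slide's.

```powershell
# Added example (not from the deck): local simulation of the EK/AIK provisioning challenge.
# .NET RSA keys stand in for TPM keys; a "certificate" is an RSA signature over a modulus.
$Sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$SigPad = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$EncPad = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

function Import-PublicKey([System.Security.Cryptography.RSAParameters]$Pub) {
    # Build an RSA object holding only the public half (all a remote party ever receives).
    $rsa = [System.Security.Cryptography.RSACng]::new(); $rsa.ImportParameters($Pub); $rsa
}
function Test-SameBytes([byte[]]$A, [byte[]]$B) { [Convert]::ToBase64String($A) -eq [Convert]::ToBase64String($B) }

# Manufacturing (steps 2-5): EK and AIK key pairs; EK_PRIV and AIK_PRIV never leave $ek / $aik.
$ek  = [System.Security.Cryptography.RSACng]::new(2048)
$aik = [System.Security.Cryptography.RSACng]::new(2048)
$signingServer = [System.Security.Cryptography.RSACng]::new(2048)
$ekPub  = $ek.ExportParameters($false)                               # step 3: EK_PUB goes to the signing server
$ekCert = $signingServer.SignData($ekPub.Modulus, $Sha256, $SigPad)  # step 4: EK_CERT; step 5: stored on the device

# AIK provisioning service: trusts the signing server's public key and holds its own signing key.
$signingServerPub    = Import-PublicKey $signingServer.ExportParameters($false)
$provisioningService = [System.Security.Cryptography.RSACng]::new(2048)

function New-AikChallenge([byte[]]$EkCert, [System.Security.Cryptography.RSAParameters]$EkPub) {
    # Step 9: verify EK_CERT, then encrypt a fresh random value to EK_PUB.
    if (-not $signingServerPub.VerifyData($EkPub.Modulus, $EkCert, $Sha256, $SigPad)) { throw 'EK_CERT does not verify' }
    $nonce = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
    $script:pendingNonce = $nonce                                     # the service remembers what it sent
    (Import-PublicKey $EkPub).Encrypt($nonce, $EncPad)
}

function Invoke-DeviceResponse([byte[]]$EncryptedChallenge) {
    # Step 10: only the holder of EK_PRIV can recover the value; AIK_PUB is bound to it by hash.
    $clear   = $ek.Decrypt($EncryptedChallenge, $EncPad)
    $aikPub  = $aik.ExportParameters($false)
    $aikHash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($aikPub.Modulus)
    @{ Challenge = $clear; AikPubHash = $aikHash; AikPub = $aikPub }
}

function Complete-AikProvisioning($Response) {
    # Step 11: check the challenge and that AIK_PUB matches the hash, then issue an AIK_CERT
    # (the slide text is cut off here; a certificate over AIK_PUB is an assumption).
    if (-not (Test-SameBytes $Response.Challenge $script:pendingNonce)) { throw 'Challenge mismatch: device does not hold EK_PRIV' }
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Response.AikPub.Modulus)
    if (-not (Test-SameBytes $hash $Response.AikPubHash)) { throw 'AIK_PUB does not match the hash in the response' }
    $provisioningService.SignData($Response.AikPub.Modulus, $Sha256, $SigPad)
}

$challenge = New-AikChallenge -EkCert $ekCert -EkPub $ekPub   # step 8 (device sends) and step 9 (service answers)
$response  = Invoke-DeviceResponse $challenge                  # step 10
$aikCert   = Complete-AikProvisioning $response                # step 11
"AIK_CERT issued ($($aikCert.Length) bytes); EK_PRIV and AIK_PRIV never left the device."
```

Replace $ekCert with a signature from a different key, or $ek with a fresh key before step 10, and the corresponding throw fires, which is what makes the challenge prove possession of EK_PRIV rather than mere knowledge of EK_PUB.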

Windows 10 Device Health Attestation (DHA)
Device Health Attestation (DHA) is a new Windows 10 feature that was released in June 2015 as part of the initial Windows 10 RTM release:
- Integrates with the Windows 10 Mobile Device Management (MDM) framework
- Designed to work on devices that support a Trusted Platform Module (TPM) in firmware or discrete formats (TPM 2.0, and 1.2 in the Redstone release)
- Enables enterprises to raise the security bar of their organization to hardware-monitored and attested security

Windows 10 Device Health Attestation (DHA)
- Before the Windows 10 DHA release: device health was assumed

Windows 10 Device Health Attestation (DHA)
- After the Windows 10 DHA release: device health assessed based on hardware-measured state

Windows 10 Device Health Attestation (DHA)
Sample use case scenarios:
- Data collection (i.e. anomaly analysis, audit)
- Compliance reporting (i.e. on demand, scheduled)
- Live monitoring (i.e. continuous diagnostics)
- Zero-day incident response (incident response agility)
- Online enforcement (i.e. conditional access)
- Out-of-band enforcement (i.e. alert, notification, expiring access tokens)

Lessons learned from the Field

What to do and not to do in a deployment
- Customer with HIPAA requirements
  - Deployed SCCM integration
  - Deleted computer objects within SCCM, which removed compliance data
  - Faced a failed audit for compliance data
- Customer with hardening requirements
  - Deployed with HTTPS on the web server, HTTP on SSRS / SQL
  - Clients getting access denied on endpoint (SPN registration)
- Customer without a mature deployment infrastructure
  - Tried to deploy to computers with local policy
  - Inconsistent environment and compliance status
  - Unable to sustain long term

Previous questions emailed to me
- Any changes between 2012 R2 / 2016 to hold off deployment?
- Internal versus external access for the SSP
- How secure are the keys in the DB?
- When should I use TPM or TPM+PIN?

Please evaluate this session
Your feedback is important to us!
- From your PC or tablet, visit MyIgnite at http://myignite.microsoft.com
- From your phone, download and use the Ignite Mobile App by scanning the QR code above or visiting https://aka.ms/ignite.mobileapp
