Table of Contents
Microsoft Bitlocker Administration and Monitoring (MBAM) ..... 1
Exercise 1 Microsoft Bitlocker Administration and Monitoring Features ..... 2
Exercise 2 Provisioning Administration and Monitoring Policy ..... 3
Exercise 3 Client Agent User Experience ..... 5
Exercise 4 Compliance and Audit Reporting ..... 9
Exercise 5 Key Recovery and TPM Management ..... 11
Exercise 6 Managing Hardware Compatibility ..... 14
Scenario
Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface to BitLocker Drive Encryption (BDE). MBAM allows you to select BDE encryption policy options appropriate to your enterprise, monitor client compliance with those policies, generate reports on the encryption status of missing devices, and quickly provide BDE recovery keys to end users who have entered recovery mode. This hands-on lab will show you some of the management features available in MBAM. You will learn how to set enforcement and management policies, run compliance reports, and see how key recovery works using the Key Recovery Portal.
60 Minutes
NYC-DC1
NYC-SRV2
The password for the Administrator account on all computers in this lab is: Pa$$w0rd
Page 1 of 15
b. Open SQL Server Management Studio.
c. On the Connect to SQL dialog, click Connect.
d. In the Object Explorer, expand NYC-SVR2 | Databases.
Note: The two database components configured when installing Microsoft BitLocker Administration and Monitoring (MBAM) are the Compliance Status Database and the Recovery and Hardware Database.
MBAM Compliance Status Database: stores the current BitLocker enforcement status for each MBAM client.
MBAM Recovery and Hardware Database: stores the recovery key information and hardware profiles from each computer with the MBAM client agent installed.
The Microsoft BitLocker Administration and Monitoring (MBAM) database and reporting features require Microsoft SQL Server R2 or Microsoft SQL Server 2008 Database and Reporting Services on either the Standard, Developer, Enterprise or Datacenter editions.
e. In the Object Explorer, expand NYC-SVR2 | Security | Logins.
f. Under the Logins node, take note of the following access accounts:
   NYC-SVR2\MBAM Compliance Auditing DB Access
   NYC-SVR2\MBAM Recovery and Hardware DB Access
Note: MBAM installs two user groups with access to the Compliance Status and Recovery and Hardware databases.
g. Close SQL Server Management Studio.
here.
e. In the New GPO dialog, enter a name of MBAM Configuration and click OK.
f. Policies | Administrative Templates | Windows Components and click MDOP MBAM (BitLocker Management).
Note: The MDOP MBAM (BitLocker Management) node represents a superset of the existing BitLocker Drive Encryption policies available in the Windows Server 2008 and Windows Server 2008 R2 schema, as well as the MBAM recovery and reporting policies. It is suggested that when implementing MBAM, administrators exclusively use the MDOP MBAM (BitLocker Management) node for all BitLocker policy.
h. In the console tree, expand MDOP MBAM (BitLocker Management) and click Client Management.
i. In the Configure MBAM services window, click to select the Enabled radio button and configure the following options:
   MBAM Recovery and Hardware service endpoint: http://nycsvr2.contoso.com:2450/MBAMRecoveryandHardwareService/CoreService.svc
   MBAM Status reporting service endpoint: http://nycsvr2.contoso.com:2450/MBAMComplianceStatusService/StatusReportingService.svc
   Note: You can copy and edit the example URL text from the Help textbox to the right of the Options pane.
j. On the Allow hardware compatibility checking page, click to select the Enabled radio button.
   Note: When this policy is enabled, the MBAM client agent will validate the computer's model against the hardware compatibility list to ensure that the model is capable of BitLocker Drive Encryption. We will look at this in more depth in Exercise 5.
k. Click Next Setting twice.
   and configure the following options:
   Select the method of contacting users with instructions: Provide an email address
   Enter the appropriate e-mail address: support@contoso.com
o. Click OK.
p. Close Group Policy Management Editor.

Complete the following task on: NYC-SVR2
2. Configure BitLocker enforcement for Marketing Department

a. In the Group Policy Management Console, right-click the Marketing OU and click
   click OK.
c. In the console tree, expand the Marketing OU, right-click Marketing Bitlocker
f. In the details pane, double-click Operating system drive encryption settings.
g. Click to select the Enabled radio button and configure the following values:
   Select protector for operating system drive: TPM and PIN
   Allow enhanced PINs for startup: Disabled (default)
   Configure minimum PIN length for startup: 8
h. Click OK.
i. In the console tree, click Removable Drive.
j. In the details pane, double-click Control use of BitLocker on removable drives.
k. Click to select the Enabled radio button.
l. Click Next Setting.
m. On the Deny write access to removable drives not protected by BitLocker page, click to select the Enabled radio button.
n. Click OK.
o. Close Group Policy Management Editor.
do not support Bitlocker encryption. Click-through steps will continue in the next exercise.
b. When a client logs on to a domain-joined machine with the MBAM client agent installed and the appropriate policies to enforce BitLocker encryption, the user will see the following wizard if their machine is not secured with BitLocker:
c. If the TPM needs to be cleared and ownership taken, the wizard will note that a
d. After the user clicks Start, the wizard will perform a System Check to look for any
e. When the TPM needs to be cleared and ownership taken, the wizard will prompt for a full shutdown and manual restart of the computer. After TPM ownership has been taken and the reboot performed, the wizard will continue with the encryption process.
f. If there are no issues or TPM configuration needed, the wizard will continue directly to the Create a new PIN page (if the policy is configured to require a PIN), where the user will be prompted to create a PIN according to the length specifications set in Group Policy:
g. If the PIN entered meets the policy requirements, the wizard will begin the
h. The dialog can be closed while encryption takes place, and users will be able to work normally during the encryption process. If the dialog is left open, the wizard will display a success status at the end of the encryption process:
Note: The default home page will open to the BitLocker Administration & Monitoring page.
c. In the navigation pane, click Reports.
d. In the details pane of the Reports page, click Enterprise Compliance Report.
Note: The Enterprise Compliance Report displays in a moment, showing the encryption compliance status of the entire enterprise.
e. Expand the Compliance Status drop-down and click to deselect the Compliant check box.
Note: The Compliance Status filtering can be used to quickly review which computers in the enterprise are in a non-compliant state.
f. Click View Report.
Note: The report now shows all computers that are currently not in compliance with corporate BitLocker policy.
Complete the following task on: NYC-SVR2
2. Open Report Manager and view the Computer Compliance Report

a. On the Compliance and Audit Reports page, click Computer Compliance Report.
b. In the device user or computer name field, type ACon and click View Report.
Note: The user Aaron Con has a variety of managed computers that he has logged on to, in various states of compliance with corporate encryption policy. In addition to the Computer Type and Operating System information, you can view the Manufacturer and Model of the computers Aaron has used, as well as information on the last time the client communicated with the reporting service.
c. Scroll down and click the + next to CLIENT7 and review the computer status details.
Note: The policies for both OS and non-OS drives can be viewed, as well as the protector and encryption state and compliance status for each available drive.
d. In the device user or computer name field, clear the field and type CLIENT14 and
Microsoft Bitlocker Administration and Monitoring (MBAM) Tasks Detailed Steps
Note: The same data is available in the computer name based reporting, along with information on the Device Users for that particular computer.
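To make the compliance evaluation behind the Enterprise and Computer Compliance Reports concrete, here is an added example (not code from the lab or from the MBAM product) that models the Marketing policy from Exercise 2 and applies it to constructed client records; the status names, field names and sample clients are assumptions, not MBAM's own schema.

```python
from collections import namedtuple

# Policy values taken from the Marketing Bitlocker GPO configured in Exercise 2.
POLICY = {
    "os_protector": "TpmPin",             # Select protector for operating system drive: TPM and PIN
    "min_pin_length": 8,                  # Configure minimum PIN length for startup: 8
    "removable_must_be_encrypted": True,  # Deny write access to removable drives not protected by BitLocker
}

# kind: "OS" or "Removable"; protector: "TpmPin", "Tpm", "Password" or "None";
# pin_length is only meaningful for a TpmPin protector. (Assumed field names, not MBAM's.)
Volume = namedtuple("Volume", "kind protector encrypted pin_length", defaults=(0,))
Client = namedtuple("Client", "name user volumes")

def volume_compliance(v, policy):
    """Return ("Compliant", "") or ("NonCompliant", reason) for one volume."""
    if v.kind == "OS":
        if not v.encrypted:
            return ("NonCompliant", "OS drive not encrypted")
        if v.protector != policy["os_protector"]:
            return ("NonCompliant", f"OS protector is {v.protector}, policy requires {policy['os_protector']}")
        if v.pin_length < policy["min_pin_length"]:
            return ("NonCompliant", f"PIN length {v.pin_length} below minimum {policy['min_pin_length']}")
    elif v.kind == "Removable" and policy["removable_must_be_encrypted"] and not v.encrypted:
        return ("NonCompliant", "removable drive not protected by BitLocker")
    return ("Compliant", "")

def client_compliance(c, policy):
    """A client is compliant only if every volume is; reasons list each failure."""
    reasons = [r for s, r in (volume_compliance(v, policy) for v in c.volumes) if s == "NonCompliant"]
    return ("NonCompliant" if reasons else "Compliant", reasons)

def enterprise_report(clients, policy, include=("Compliant", "NonCompliant")):
    """Rows of (computer, user, status, reasons); include=("NonCompliant",) mirrors
    deselecting the Compliant check box in the report's Compliance Status filter."""
    rows = []
    for c in clients:
        status, reasons = client_compliance(c, policy)
        if status in include:
            rows.append((c.name, c.user, status, reasons))
    return rows

# Constructed sample clients: the names echo the lab, the drive states are made up.
CLIENTS = [
    Client("CLIENT7", "ACon", [Volume("OS", "TpmPin", True, 8), Volume("Removable", "Password", True)]),
    Client("CLIENT14", "ACon", [Volume("OS", "Tpm", True)]),
    Client("CLIENT12", "ACon", [Volume("OS", "TpmPin", True, 4), Volume("Removable", "None", False)]),
]
```

Calling enterprise_report(CLIENTS, POLICY, include=("NonCompliant",)) returns only CLIENT14 and CLIENT12, each with the reasons a help desk would need to read off the Computer Compliance Report.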
Note: Without MBAM, typically a user will have to consult with the help desk who will in turn need to escalate to someone with access to the key recovery data stored in Active Directory (a feature that must be enabled in Group Policy).
a. Perform the following on NYC-SVR2.
b. Click Start | Administrative Tools | Active Directory Users and Computers.
c. In the console tree, click the Accounting OU.
d. In the details pane, right-click CLIENT12 and click Properties.
e. Click the Bitlocker Recovery tab.
Note: Traditionally security or IT administrators would need access to Active Directory to recover Bitlocker key recovery information.
Complete the following task on: NYC-SVR2
2. Modify the MBAM Recovery page user groups
f.
Note: Roles and permissions to the MBAM Key Recovery page are configured using local groups on the web server.
b. In the console tree, click Groups.
c. In the details pane, double-click MBAM Advanced Helpdesk Users.
Note: This permission tier of the recovery website allows a Help Desk Administrator to retrieve recovery information without needing a User ID. This group is used to allow tier 2 support staff direct access to encrypted resources outside of typical user support scenarios.
d. Click Add.
e. Type Contoso\ITAdmin and click Check Names.
f. Click OK twice.
Note: This permission tier of the recovery website requires Help Desk personnel to have a User ID and Key ID in order to retrieve recovery information. This group is used to authorize tier 1 support who work directly with desktop users in recovery scenarios.
h. Right-click MBAM Helpdesk Users and click Add to Group.
i. Click Add.
j. Type Contoso\ITHelpDesk and click Check Names.
k. Click OK twice.
l. Close Local Users and Groups.
m. Click Start and right-click Computer.
n. Select Properties and then click Remote Settings.
o. Click Select Users and then click Add.
p. Type Contoso\ITAdmin; Contoso\ITHelpDesk, click Check Names and then click OK three times.

Complete the following task on: NYC-SVR2
3. Using the Drive Recovery page in the IT Help Desk role
a. Click Start | Log off.
b. Right-click NYC-SRV2 in the left-hand Remote Desktops pane and log on as Contoso\ITHelpDesk with a password of Pa$$w0rd.
Note: In this context we will be logging on in the Help Desk role. The help desk personnel will require both a User ID and a Key ID from the desktop user in order to retrieve recovery information.
c. Launch the MBAM Administration website shortcut from the desktop.
Note: The default home page will open to the BitLocker Administration & Monitoring page.
d. In the navigation pane, click Drive Recovery.
Note: The BitLocker Drive Recovery page allows support staff to access key recovery information without the need to escalate to senior IT Administrators or exposing Active Directory to a broader set of users.
e. Enter the following information on the Unlock a Bitlocker Encrypted Drive page and click Submit:
   User Domain: CONTOSO.COM
   User ID: ACon
   Key ID: 553c491c
f. Click Submit.
Note: The Drive Recovery Key will display below.
g. Close Internet Explorer.
Complete the following task on: NYC-SVR2
4. Using the Drive Recovery page in the IT Administrator role
Note: Here we are logged in as an IT administrator seeking recovery information outside of the context of user recovery. IT administrators only require a Key ID in order to retrieve recovery information.
c. Launch the MBAM Administration website shortcut from the desktop.
Note: The default home page will open to the BitLocker Administration & Monitoring page.
d. In the navigation pane, click Drive Recovery.
e. Enter the following information on the Unlock a Bitlocker Encrypted Drive page:
   Key ID: 553c491c
   Reason for Drive Unlock: Operating System Boot Order changed
f. Click Submit.
g. Click Save.
h. At the Internet Explorer prompt, click the drop-down, select Save As and save the text file to the desktop.
Note: This will create a recovery key text file that the help desk can send to the user via their email client so it can be read on their phone or another computer.
i. j.
k. At the Internet Explorer prompt, click Save As and save the key package file to the desktop.
Note: The Key Package can be used in conjunction with the BitLocker Repair Tool to recover data from a damaged volume. Administrators can use the repair-bde command with the KeyPackage option.
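As an added illustration of the two permission tiers used in tasks 3 and 4 (not code from the lab or from MBAM), here is a model of the Drive Recovery page's authorization and audit logic: tier 1 must present a matching User ID and Key ID, the advanced tier needs only the Key ID, and every request is recorded with its reason. The store, group mapping, function names and the recovery password are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed recovery store keyed by Key ID. The Key ID 553c491c and user ACon echo the lab;
# the 48-digit recovery password is made up.
RECOVERY_STORE = {
    "553c491c": {"user": "contoso.com\\acon",
                 "password": "111111-222222-333333-444444-555555-666666-777777-888888"},
}

# Caller -> local group on the MBAM web server (the two groups edited in task 2).
GROUPS = {
    "contoso\\ithelpdesk": "MBAM Helpdesk Users",
    "contoso\\itadmin": "MBAM Advanced Helpdesk Users",
}

AUDIT_LOG = []  # every request, granted or denied, is recorded here

class RecoveryDenied(Exception):
    pass

def _audit(caller, key_id, reason, outcome):
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(), "caller": caller,
                      "key_id": key_id, "reason": reason, "outcome": outcome})

def recover_key(caller, key_id, reason, user_domain=None, user_id=None):
    """Return the recovery password if the caller's tier permits the request, else raise."""
    tier = GROUPS.get(caller.lower())
    entry = RECOVERY_STORE.get(key_id.lower())
    try:
        if tier is None:
            raise RecoveryDenied("caller is not a member of an MBAM helpdesk group")
        if not reason.strip():
            raise RecoveryDenied("a reason for the drive unlock is required")
        if tier == "MBAM Helpdesk Users":
            # Tier 1 must supply User ID and Key ID, and the key must belong to that user.
            if not (user_domain and user_id):
                raise RecoveryDenied("helpdesk tier must supply User Domain and User ID")
            owner = f"{user_domain}\\{user_id}".lower()
            # One message for both an unknown key and a key owned by someone else, so tier 1 cannot probe Key IDs.
            if entry is None or entry["user"] != owner:
                raise RecoveryDenied("no recovery key matches that user and Key ID")
        elif entry is None:
            # Advanced tier: the Key ID alone is sufficient, no user context needed.
            raise RecoveryDenied("unknown Key ID")
    except RecoveryDenied as e:
        _audit(caller, key_id, reason, f"denied: {e}")
        raise
    _audit(caller, key_id, reason, f"granted ({tier})")
    return entry["password"]
```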
l.
Complete the following task on: NYC-SVR2
5. Using the Manage TPM page
Note: The Manage TPM form allows administrators to retrieve the TPM Owner Password File when a TPM has locked users out and no longer accepts user PINs.
b. Enter the following information on the Manage TPM page:
   Computer Domain: Contoso
   Computer Name: CLIENT10
   Reason for requesting TPM Owner Password File: Reset PIN lockout
c. Click Submit.
Note: The TPM Owner Password File will appear. Administrators can use this to reset a PIN lockout or perform TPM management tasks.
d. Click Save File.
e. In the dialog, save the CLIENT10.TPM file to the Desktop.
f. Click Done.
support status.
Note: The Hardware Compatibility page displays all MBAM client reported models as well as hardware added manually by administrators. The MBAM agent will automatically recheck the hardware compatibility of a computer on a regular basis. The MBAM administrator must also manage the hardware compatibility list from the MBAM web service to ensure that newly discovered hardware models flagged as Unknown are set to Compatible or Incompatible. By default, Incompatible hardware will be rechecked for capability every 7 days, while Unknown and Compatible hardware compatibility will be checked every 24 hours.
f.
g. Click Change to Compatible.
h. In the dialog, click OK to set the compatibility status.
Note: Compatibility status for new computers is by default set to Unknown. MBAM administrators can review new hardware specifications and then set the supportability status through the Hardware Compatibility page.
i. Click Add.
Note: Hardware entries can also be manually added and BitLocker capability set.
j. Click Cancel.
Note: Thank you for taking the time to learn about Microsoft BitLocker Administration and Monitoring. More information on Microsoft BitLocker Administration and Monitoring (MBAM) can be found online:
Microsoft BitLocker Administration and Monitoring (MBAM) on Microsoft: http://www.microsoft.com/windows/enterprise/products/mdop/mbam.aspx
Windows Client TechCenter > Home > Microsoft Desktop Optimization Pack: http://technet.microsoft.com/en-us/windows/bb899442.aspx
The Official MDOP Blog: http://blogs.technet.com/b/mdop