Monday, April 4, 2016

[MDOP] Microsoft BitLocker Administration and Monitoring 2.5 SP1 released!


Microsoft has published the Microsoft Desktop Optimization Pack (MDOP) 2015, which brings Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 Service Pack 1.
The main pillars of this version are:
Deployment:
  • Introduced scripts to support imaging
  • Included prompting for the PIN after imaging
  • Improved TPM OwnerAuth escrow
  • Supported Windows 7 FIPS recovery password
Management:
  • Built cmdlets to import BitLocker and TPM data from AD
  • Added automatic TPM unlock when BitLocker is recovered
  • Consolidated and simplified server logging
  • Updated the reports schema to allow customization using Report Builder
Enterprise features:
  • Added Windows 10 support
  • Added Encrypted HDD support
  • Supported International Domain Names
Customization:
  • Added the ability to direct users to the Self-Service Portal (SSP) from the BitLocker recovery screen
  • Allowed SSP branding during setup
  • Increased the number of supported client languages to 23

I/ New PowerShell cmdlets

The following cmdlets have been implemented for MBAM 2.5 SP1:
  • Write-MbamTpmInformation
  • Write-MbamRecoveryInformation
  • Read-ADTpmInformation
  • Read-ADRecoveryInformation
  • Write-MbamComputerUser
The following parameters have been added to the Enable-MbamWebApplication and Test-MbamWebApplication cmdlets, which manage the MBAM web server roles:
  • DataMigrationAccessGroup
  • TpmAutoUnlock
And finally a new PowerShell script, "Invoke-MbamClientDeployment.ps1", is introduced to make the deployment of the agent easier. Its parameters are:
  • -RecoveryServiceEndpoint (required): MBAM recovery service endpoint
  • -StatusReportingServiceEndpoint (optional): MBAM status reporting service endpoint
  • -EncryptionMethod (optional): encryption method (default: AES 128)
  • -EncryptAndEscrowDataVolume (switch): encrypt the data volume(s) and escrow the data volume recovery key(s)
  • -WaitForEncryptionToComplete (switch): wait for the encryption to complete
  • -IgnoreEscrowOwnerAuthFailure (switch): ignore a TPM OwnerAuth escrow failure
  • -IgnoreEscrowRecoveryKeyFailure (switch): ignore a volume recovery key escrow failure
  • -IgnoreReportStatusFailure (switch): ignore a status reporting failure



If you want to install the MBAM agent on an existing machine, through a task sequence or manually, a script is provided to prompt for the PIN immediately: setFirstRunKey.ps1
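As an added example (not code from the MDOP media or from this post), here is how the deployment script can be wrapped in a task-sequence step so that an escrow failure stops the deployment instead of being ignored, followed by a local check of the result. The script path, the two service URLs on the lab host mbam.snh.lab and the 'AES256' value string are assumptions; the parameter names are the ones listed above.

```powershell
# Added example, not from the MDOP media or the post: run the SP1 deployment script
# from a task-sequence step, refuse to continue on escrow failure, then verify locally.
# The script path, the two lab URLs and the 'AES256' value string are assumptions.
$ErrorActionPreference = 'Stop'

$ScriptPath      = 'C:\Deploy\MBAM\Invoke-MbamClientDeployment.ps1'   # assumed staging path
$RecoveryService = 'https://mbam.snh.lab/MBAMRecoveryAndHardwareService/CoreService.svc'        # assumed lab URL
$StatusService   = 'https://mbam.snh.lab/MBAMComplianceStatusService/StatusReportingService.svc' # assumed lab URL

$deployArgs = @{
    RecoveryServiceEndpoint        = $RecoveryService
    StatusReportingServiceEndpoint = $StatusService
    EncryptionMethod               = 'AES256'   # the post says the default is AES 128
    EncryptAndEscrowDataVolume     = $true      # also encrypt data volumes and escrow their keys
    WaitForEncryptionToComplete    = $true      # hold the task sequence until encryption has finished
    # The -Ignore*Failure switches are left out on purpose: a volume encrypted
    # while its recovery key or the TPM OwnerAuth failed to escrow is a volume
    # the helpdesk cannot recover, so this step must fail loudly instead.
}

try {
    $LASTEXITCODE = 0                      # clear any stale code from an earlier native command
    & $ScriptPath @deployArgs
    if ($LASTEXITCODE) { throw "script exited with code $LASTEXITCODE" }
} catch {
    Write-Error "MBAM client deployment failed: $_"
    exit 1
}

# Post-check with the in-box BitLocker module (Windows 8 and later).
$os         = Get-BitLockerVolume -MountPoint $env:SystemDrive
$protectors = @($os.KeyProtector | ForEach-Object KeyProtectorType)

$problems = @()
if ($os.ProtectionStatus -ne 'On')               { $problems += 'protection is not On' }
if ($protectors -notcontains 'RecoveryPassword') { $problems += 'no RecoveryPassword protector' }
if (-not ($protectors -like 'Tpm*'))             { $problems += 'no TPM-based protector' }

if ($problems) {
    Write-Error ("OS volume check failed: " + ($problems -join '; '))
    exit 1
}
"OS volume {0}: {1}, protectors: {2}" -f $os.MountPoint, $os.EncryptionMethod, ($protectors -join ', ')
```

The post-check only proves the volume is protected locally; whether the recovery password actually reached the MBAM database is what the deployment script's own escrow failure reporting covers, which is why the Ignore switches are not passed.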

II/ Active Directory data migration

Another painful situation I often meet is a company that deployed BitLocker without MBAM and stored all the required keys in Active Directory.
Until now, the easiest way to migrate that data was either to disable BitLocker, fully decrypt the disk and clear the TPM so that the agent could re-escrow everything into MBAM, or to script an extract from AD and inject it into MBAM.
MBAM 2.5 SP1 introduces four new PowerShell cmdlets (plus a helper script) to make the migration of Active Directory data into the MBAM database easy:
For volume recovery keys and packages:
  • Read-ADRecoveryInformation: reads the recovery keys and recovery packages from AD; does not write to AD
  • Write-MbamRecoveryInformation: writes the recovery keys and packages collected from AD into MBAM; performs data integrity checks when writing to MBAM
  • Add-ComputerUser.ps1: matches users to computers, either from the ManagedBy attribute in AD or from a custom CSV file
For TPM OwnerAuth information:
  • Read-ADTpmInformation: reads the TPM OwnerAuth from AD; does not write to AD
  • Write-MbamTpmInformation: writes the TPM OwnerAuth information collected from AD into MBAM; performs data integrity checks when writing to MBAM
  • Add-ComputerUser.ps1: matches users to computers, either from the ManagedBy attribute in AD or from a custom CSV file


Here’s an example of the CSV file:
Computer,user
Mycomp.snh.lab,myuser@snh.lab


In order to implement this migration, the steps to follow are:
  • Grant the migration account read-only rights on the AD attributes holding the recovery information
  • Create an AD group whose members are granted write access to MBAM
  • Open the Web.config of the recovery service
  • Edit <add key="DataMigrationsUsersGroupName" value="" /> and set the value to the name of that group
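As an added example (not code from the post or from the MBAM media), here is one way to drive the migration end to end: read from AD, validate the Computer,user CSV before anything is written, then write to MBAM with an account that belongs to the migration group. The module name, the DC, OU, service URL and CSV path are lab values, and the parameter names on the Read-AD*/Write-Mbam* cmdlets are assumptions to be confirmed with Get-Help on the MBAM server.

```powershell
# Added example, not from the post or the MBAM media: migrate AD-stored BitLocker data
# into MBAM and then map users to computers from the Computer,user CSV shown above.
# Assumptions: module name, DC, OU, service URL and CSV path are lab values, and the
# parameter names on the Read-AD*/Write-Mbam* cmdlets are assumed; confirm each with
# Get-Help <cmdlet> -Full on the MBAM server before running outside a lab.
param(
    [switch]$DryRun            # read from AD and validate the CSV, write nothing to MBAM
)
$ErrorActionPreference = 'Stop'
Import-Module Microsoft.Mbam   # assumed module name installed by the SP1 server setup

$Dc         = 'dc01.snh.lab'                                   # assumed
$SearchBase = 'OU=Workstations,DC=snh,DC=lab'                  # assumed OU holding the BitLocker computers
$Recovery   = 'https://mbam.snh.lab/MBAMRecoveryAndHardwareService/CoreService.svc'  # assumed
$CsvPath    = 'C:\Migration\computer-users.csv'                # the Computer,user file from the post

# 1. Read only. Neither cmdlet writes to AD, so this is safe to run repeatedly.
$volumes = @(Read-ADRecoveryInformation -Server $Dc -SearchBase $SearchBase -Recurse)
$tpms    = @(Read-ADTpmInformation      -Server $Dc -SearchBase $SearchBase -Recurse)
"AD holds $($volumes.Count) volume recovery entries and $($tpms.Count) TPM OwnerAuth entries"

# 2. Validate the CSV before anything touches MBAM; a bad row is skipped, not guessed.
$mappings = foreach ($row in Import-Csv -Path $CsvPath) {
    if ($row.Computer -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        Write-Warning "skipping row, not an FQDN: $($row.Computer)"; continue
    }
    if ($row.user -notmatch '^[^@\s]+@[^@\s]+$') {
        Write-Warning "skipping row, not a UPN: $($row.user)"; continue
    }
    $row
}
"$($mappings.Count) valid computer/user mappings"

if ($DryRun) { return }

# 3. Write to MBAM. Run as a member of the group configured through DataMigrationAccessGroup
#    on the recovery service; the Write-Mbam* cmdlets perform their own integrity checks
#    and reject malformed entries instead of storing them.
$volumes | Write-MbamRecoveryInformation -RecoveryServiceEndpoint $Recovery
$tpms    | Write-MbamTpmInformation      -RecoveryServiceEndpoint $Recovery

foreach ($m in $mappings) {
    Write-MbamComputerUser -Computer $m.Computer -User $m.user -RecoveryServiceEndpoint $Recovery
}
```

Run it once with -DryRun to see the counts and the CSV warnings, then without it under the migration account. Keeping the AD reads separate from the MBAM writes means a failed write can be retried without re-querying the domain.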

III/ New TPM features

Here is how the TPM behavior changes:
Before MBAM 2.5 SP1:
  • Unlocking the TPM requires the TPM OwnerAuth
  • MBAM escrowed the TPM OwnerAuth
  • The helpdesk could provide the TPM OwnerAuth
  • Admin rights were required to use it on the device
With MBAM 2.5 SP1:
  • TPM 1.2 lockouts can be resolved automatically
  • Not needed for TPM 2.0
  • The feature must be enabled on the web server and in the GPO
  • The TPM OwnerAuth must be in the MBAM database

In addition, keep in mind the following about the lockout duration:
  • TPM 1.2: varies by manufacturer (for example a retry every 30 seconds, then a lockout of about 2 hours)
  • TPM 2.0: 2 hours

With Windows 8 and higher, MBAM 2.5 SP1 can escrow the OwnerAuth password without owning the TPM. At startup, the MBAM agent checks whether the TPM is already owned; if it is, the password is retrieved from the operating system and sent to the MBAM database. In addition, a new GPO must be set to prevent the OwnerAuth from being deleted locally, otherwise there is nothing left for the agent to escrow.

For more details, see the "Configure MBAM to escrow the TPM and store OwnerAuth passwords" article.

On computers with a TPM 1.2, the main pain point was unlocking the chip after a lockout. Because vendors implement this part of the specification differently, it used to require the vendor's own tools; this version handles it without them. If the TPM lockout auto-reset feature is enabled, MBAM detects that the TPM is locked out, retrieves the OwnerAuth password from the MBAM database and unlocks the TPM automatically on behalf of the user.

This feature must be enabled on both the server side and on the client side (Configure MBAM to automatically unlock the TPM after a lockout).
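As an added example (not from the post), here is a read-only audit to run on a client before enabling OwnerAuth escrow and auto-unlock; it uses only in-box cmdlets and WMI and reports the facts the two features depend on: TPM spec version, whether Windows still holds the OwnerAuth, the TPM owner authorization level, and the lockout state. One assumption is labelled in the code: that the "do not delete the OwnerAuth locally" policy mentioned above is the TPM Services setting stored as OSManagedAuthLevel.

```powershell
# Added example, not from the post: a read-only TPM audit to run on a client before
# turning on OwnerAuth escrow and auto-unlock. Uses only in-box cmdlets and WMI.
# Assumption: the policy that keeps the OwnerAuth local is the TPM Services setting
# stored as OSManagedAuthLevel (4 = Full) under HKLM\SOFTWARE\Policies\Microsoft\TPM.
function Get-TpmEscrowReadiness {
    $tpm  = Get-Tpm                                  # TrustedPlatformModule module, Windows 8 and later
    $wmi  = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm
    $spec = ($wmi.SpecVersion -split ',')[0].Trim()  # "1.2" or "2.0"; the rest is revision info
    $pol  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\TPM' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SpecVersion      = $spec
        Present          = $tpm.TpmPresent
        Ready            = $tpm.TpmReady
        ManagedAuthLevel = $tpm.ManagedAuthLevel     # Full / Delegated / None as seen by Windows
        OwnerAuthLocal   = -not [string]::IsNullOrEmpty($tpm.OwnerAuth)   # Windows still holds the owner password
        LockedOut        = $tpm.LockedOut
        LockoutCount     = $tpm.LockoutCount
        LockoutMax       = $tpm.LockoutMax
        LockoutHealTime  = $tpm.LockoutHealTime      # reported by the firmware, may be empty on TPM 1.2
        PolicyAuthLevel  = $pol.OSManagedAuthLevel   # $null when no such policy is applied (assumed value name)
    }
}

$r = Get-TpmEscrowReadiness
$r

# Decision points taken from the post: auto-unlock needs the OwnerAuth in the MBAM database
# and only matters for TPM 1.2; a TPM 2.0 lockout clears by itself after about 2 hours.
if ($r.SpecVersion -like '1.2*') {
    if (-not $r.OwnerAuthLocal) {
        Write-Warning 'TPM 1.2 and Windows no longer holds the OwnerAuth: the agent has nothing to escrow, so auto-unlock will not work for this device.'
    }
    if ($r.ManagedAuthLevel -ne 'Full') {
        Write-Warning "ManagedAuthLevel is $($r.ManagedAuthLevel); apply the policy that keeps the full OwnerAuth locally before the agent first runs."
    }
}
if ($r.LockedOut) {
    Write-Warning "TPM is locked out ($($r.LockoutCount) of $($r.LockoutMax) failures): on TPM 1.2 the wait is vendor-specific unless MBAM auto-unlock resets it, on TPM 2.0 about 2 hours."
}
```

Run it on a few representative models before the rollout: a fleet where OwnerAuthLocal is already false on TPM 1.2 machines will need a TPM clear and re-provision, not just the new GPO.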

IV/ New FIPS feature

Support for Federal Information Processing Standard (FIPS)-compliant BitLocker recovery keys, previously available on Windows 8.1 only, is now backported to Windows 7. Until now, Windows 7 devices running in FIPS mode still required a Data Recovery Agent (DRA) protector for recovery.

V/ Pre-boot customisation


A new Group Policy setting, "Configure pre-boot recovery message and URL", now allows a custom recovery message or URL to be shown on the pre-boot BitLocker recovery screen when the OS drive is locked. This functionality is available only on Windows 10.


With this new feature it is possible to choose one of these options for the pre-boot recovery message:
  • Use custom recovery message
  • Use custom recovery URL
  • Use default recovery message and URL

For more information about this version: https://technet.microsoft.com/en-us/library/mt427465.aspx

More information about the upgrade process from 2.5: https://technet.microsoft.com/en-us/library/dn645354.aspx

Known issues: https://technet.microsoft.com/en-us/library/mt427464.aspx


How to download this version: http://curah.microsoft.com/2867/how-do-i-get-mdop
