lundi 4 avril 2016

[MDOP] Microsoft BitLocker Administration and Monitoring 2.5 SP1 released !

Microsoft published Microsoft Desktop Optimization Pack (MDOP) 2015 which bring Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 Service Pack 1.
The main pillar of this version are:
Deployment Management Enterprise feature Customization
Introduced scripts to support imaging Built cmdlets to import BitLocker and TPM data from AD Added Windows 10 support Added ability to direct customers to SSP from BitLocker recovery screen
Included prompting for PIN after imaging Added automatic TPM unlock when BitLocker is recovered Added Encrypted HDD Support Allowed SSP branding capability during setup
Improved TPM OwnerAuth Escrow Consolidated and simplified server logging Supported International Domain Names Increased supported client languages to 23
Supported Win7 FIPS Recovery Password Updated reports schema to allow customization using Report Builder

I/ New powershell cmdlet

The following cmdlets have been implemented for MBAM 2.5 SP1:
  • Write-MbamTpmInformation
  • Write-MbamRecoveryInformation
  • Read-ADTpmInformation
  • Read-ADRecoveryInformation
  • Write-MbamComputerUser
The following parameters have been implemented in the Enable-MbamWebApplication and Test-MbamWebApplication cmdlets in order to manage the Web server roles of MBAM:
  • DataMigrationAccessGroup
  • TpmAutoUnlock
And finally a new "Invoke-MbamClientDeployment.ps1" PowerShell cmdlet is introduced, in order to make the deployment of the agent easier:
Parameter Description
-RecoveryServiceEndpoint Required MBAM recovery service endpoint
-StatusReportingServcieEndpoint Optional MBAM status reporting service endpoint
-EncryptionMethod Optional Encryption method (default: AES 128)
-EncryptAndEscrowDataVolume Switch Specify to encrypt data volume(s) and escrow data volume recovery key(s)
-WaitForEncryptionToComplete Switch Specify to wait for the encryption to complete
-IgnoreEscrowOwnerAuthFailure Switch Specify to ignore TPM OwnerAuth escrow failure
-IgnoreEscrowRecoveryKeyFailure Switch Specify to ignore volume recovery key escrow failure
-IgnoreReportStatusFailure Switch Specify to ignore status reporting failure

If you want to install the MBAM agent on existing machine, through a task sequence or manually, a script is provided in order to prompt immediately the PIN code: setFirstRunKey.ps1

II/ Active Directory data migration

Another painful situation I often meet, is when some companies deployed BitLocker without MBAM they decide to store all the required keys on Active Directory.
But in order to migrate these data the easiest way was to disable and fully unencrypt the disk and clear the TPM in order to migrate the data to MBAM, or to script an extract in order to inject them on MBAM.
MBAM 2.5 SP1 introduces 4 new powershell cmdlets in order to make easy the Active Directory datas migration to the MBAM database:
Scenario Cmdlet Description
For Volume recovery keys and packages Read-ADRecoveryInformation Reads Recovery keys, packages from AD
Does not write to AD
Write-MbamRecoveryInformation writes to MBAM Recovery keys, packages informations collected on AD
Data integrity checks when writing to MBAM
Add-ComputerUser.ps1 match users to computers :
ManagedBy attribute in AD
• Custom CSV file
For TPM OwnerAuth information Read-ADTpmInformation Reads TPM OwnerAuth from AD
Does not write to AD
Write-MbamTpmInformation writes to MBAM TPM OwnerAuth informations collected on AD
Data integrity checks when writing to MBAM
Add-ComputerUser.ps1 match users to computers :
ManagedBy attribute in AD
• Custom CSV file

Here’s an example of the CSV file:

In order to implement this migration, the following steps to follow are:
  • Grant rights in readonly to AD attributes
  • Create an AD group to grant writes to MBAM
  • Open Web.config of the recovery service
  • Edit <add key=”DataMigrationsUsersGroupName” value=””>

III/ New TPM features

Here’s a picture about the TPM behavior:
Before MBAM 2.5 SP1 With MBAM 2.5 SP1
Unlocking the TPM requires the TPM OwnerAuth TPM 1.2 lockouts can be automatically resolved
MBAM escrowed TPM OwnerAuth Not needed for TPM 2.0
Helpdesk could provide TPM OwnerAuth
Requires admin rights to use on device
• Feature must be enabled on web server and in GPO
• TPM OwnerAuth must be in MBAM DB

In addition keep in mind the following about the lockout duration:
  • TPM 1.2 – varies by manufacturer (every 30 secs and after 2h locked out)
  • TPM 2.0 – 2 hours

With Windows 8 and higher, MBAM 2.5 SP1 can escrow the OwnerAuth passwords without owning the TPM. Indeed on the startup, the MBAM agent check if the TPM is already owned and if it’s the case the passwords will be retrieved from the operating system and sent to the MBAM database. In addition, a new GPO must be set to prevent the OwnerAuth from being deleted locally.

For more information, you will found more details on the Configure MBAM to escrow the TPM and store OwnerAuth passwords article.

On computers running TPM 1.2, the main pain point was the unlock of the TPM chip in case of a lockout. Due to the several implementation of this specification this version allow us to handle it more easily without going through the vendor tools. If the TPM lockout auto reset feature is enabled, MBAM can detect that the TPM is locked out and then retrieve the OwnerAuth password from the MBAM database in order to automatically unlock the TPM on behalf of the user.

This feature must be enabled on both the server side and on the client side (Configure MBAM to automatically unlock the TPM after a lockout).

IV/ New FIPS feature

The support for Federal Information Processing Standard (FIPS)-compliant BitLocker recovery keys on devices running the Windows 8.1 operating system was now backported to Windows 7, these devices still required a Data Recovery Agent (DRA) protector for recovery.

V/ Pre-boot customisation

A new Group Policy setting, Configure pre-boot recovery message and URL, now allow a custom recovery message or specify a URL on the pre-boot BitLocker recovery screen when the OS drive is locked. But this functionality is available only for Windows 10.

It’s possible with this new feature to choose one of these options for the pre-boot recovery message:
  • Use custom recovery message
  • Use custom recovery URL
  • Use default recovery message and URL

For more information about this version:

More information about the upgrade process from 2.5:

Known issues:

How to download this version:

Aucun commentaire:

Enregistrer un commentaire