DEVICE PROTECTION: protect data when a device is lost or stolen
DATA PROTECTION: protect against accidental data leakage
SHARING PROTECTION: protect data when it is shared
Lost Laptops: ADDING TERROR TO THE PLAYBOOK
Over 12,000 laptops lost in airports every week.
"It's staggering to learn that up to 600,000 laptops are lost in U.S. airports annually, many containing sensitive information that companies must account for." Larry Ponemon
Source: "New Study Reveals Up To 12,000 Laptop Computers Lost Weekly and up to 600,000 lost annually in U.S. Airports", Ponemon.org, June 20, 2008
Full volume encryption
• OS volumes
• Fixed data drives (a separate hard drive or partition)
• Removable drives
Recovery
• Recovery keys (the 48-digit recovery password)
• DRA (Data Recovery Agent certificate)
Used Disk Space Only encryption
• Encrypts only the sectors currently in use, so initial encryption on a freshly imaged drive finishes in minutes; on a drive that has held data before, previously deleted but unwiped sectors stay in the clear, so use full encryption for repurposed hardware
Pre-provisioning
• Speeds up deployment by turning BitLocker on from WinPE, before the OS image is applied
• TPM must be enabled and owned (enable and activate it in firmware before imaging)
TPM 1.2: the main spec in use today. Anti-hammering lockout thresholds and attempt counts vary by manufacturer, so the same PIN-retry policy behaves differently across vendors.
TPM 2.0: on by default on new hardware. The lockout mechanism is defined by the spec and its parameters are set by the OS, so lockout behaviour is consistent across vendors.
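A pre-flight check for the TPM prerequisites named on the two slides above (present, enabled and activated, owned, and not in lockout), written here as an added PowerShell example; it is not code from the deck or from MBAM. It relies only on the in-box Win32_Tpm CIM class and the TrustedPlatformModule cmdlets that ship with Windows 8 / Server 2012 and later, and must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the MBAM product or the Ignite deck.
# Checks the TPM prerequisites for BitLocker/MBAM enactment: present, enabled and
# activated in firmware, owned, and not in anti-hammering lockout.

function Test-TpmReadyForBitLocker {
    [CmdletBinding()]
    param()

    $report = [ordered]@{
        TpmPresent   = $false
        SpecVersion  = $null      # e.g. "2.0, 0, 1.16" or "1.2, 2, 3"
        Enabled      = $false
        Owned        = $false
        TpmReady     = $false
        LockedOut    = $false
        LockoutCount = 0
        LockoutMax   = 0
        Problems     = @()
    }

    # Win32_Tpm reports the firmware's view of the TPM as of the last boot.
    $cim = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $cim) {
        $report.Problems += 'No TPM visible to Windows (absent, hidden in firmware, or no driver)'
        return [pscustomobject]$report
    }
    $report.TpmPresent  = $true
    $report.SpecVersion = $cim.SpecVersion
    $report.Enabled     = ([bool]$cim.IsEnabled_InitialValue) -and ([bool]$cim.IsActivated_InitialValue)
    $report.Owned       = [bool]$cim.IsOwned_InitialValue

    # Get-Tpm adds the dictionary-attack (lockout) state. TPM 1.2 parts report
    # vendor-specific thresholds; TPM 2.0 parts report the values the OS configured.
    $tpm = Get-Tpm
    $report.TpmReady     = $tpm.TpmReady
    $report.LockedOut    = $tpm.LockedOut
    $report.LockoutCount = $tpm.LockoutCount
    $report.LockoutMax   = $tpm.LockoutMax

    if (-not $report.Enabled)  { $report.Problems += 'TPM is not enabled/activated in firmware; fix in BIOS/UEFI before imaging' }
    if (-not $report.Owned)    { $report.Problems += 'TPM is not owned; enactment will have to take ownership' }
    if ($report.LockedOut)     { $report.Problems += "TPM is in lockout ($($report.LockoutCount)/$($report.LockoutMax) failures); PIN and OwnerAuth use will fail until it clears" }
    if (-not $report.TpmReady) { $report.Problems += 'Get-Tpm reports TpmReady = False' }

    [pscustomobject]$report
}

# Usage: fail a task-sequence step when the TPM is not ready for enactment.
$check = Test-TpmReadyForBitLocker
$check | Format-List
if ($check.Problems.Count -gt 0) { exit 1 }
```

Running this as the first step of an imaging task sequence turns a "TPM must be enabled and owned" prerequisite into a hard stop with a readable reason, instead of a BitLocker failure discovered later from the MBAM compliance report.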
BitLocker enactment
§ Integrates BitLocker enactment into existing deployment tools
§ Grace period before enactment is enforced
§ Prompts the user for a PIN or password
§ Escrows recovery information and the TPM OwnerAuth
Encryption compliance reporting
§ Status reporting per volume on each computer
§ View overall compliance for your organization
§ View reports standalone or in System Center Configuration Manager
Helpdesk recovery
§ Helpdesk-assisted recovery
§ Self-service recovery
§ Retrieve the TPM OwnerAuth to unlock a locked-out TPM
MBAM CLIENT FLOW: INSTALL MBAM CLIENT -> APPLY MBAM POLICY -> ENACT BITLOCKER -> REPORT COMPLIANCE
What's new in MBAM 2.5 SP1 (deployment, management, industry compatibility, customization)
• Introduced scripts to support imaging
• Built cmdlets to import BitLocker and TPM data from AD
• Added automatic TPM unlock when BitLocker is recovered
• Consolidated and simplified server logging
• Added Windows 10 support
• Added Encrypted HDD support
• Supported International Domain Names
• Supported Windows 7 FIPS recovery password
• Included prompting for PIN after imaging
• Improved TPM OwnerAuth escrow
Customization
• Added the ability to direct users to the SSP from the BitLocker recovery screen
• Allowed SSP branding during setup
• Increased supported client languages to 23
• Updated the report schema to allow customization using Report Builder
Deployment script: Process • Volume support • Escrow/reporting • Error handling
Written in PowerShell; compatible with PowerShell v2
Easy to use with MDT, SCCM, or standalone
Invoke-MbamClientDeployment.ps1 is the main script that your deployment system calls to configure MBAM and enable BitLocker.

Parameters:
-RecoveryServiceEndpoint (Required): MBAM recovery service endpoint
-StatusReportingServiceEndpoint (Optional): MBAM status reporting service endpoint
-EncryptionMethod (Optional): encryption method (default: AES128)
-EncryptAndEscrowDataVolume (Switch): encrypt data volume(s) and escrow the data volume recovery key(s)
-WaitForEncryptionToComplete (Switch): wait for encryption to complete before the script returns
-IgnoreEscrowOwnerAuthFailure (Switch): ignore a TPM OwnerAuth escrow failure
-IgnoreEscrowRecoveryKeyFailure (Switch): ignore a volume recovery key escrow failure
-IgnoreReportStatusFailure (Switch): ignore a status reporting failure

Note that the three Ignore* switches let the deployment continue when escrow or reporting fails; a device that finishes imaging with -IgnoreEscrowRecoveryKeyFailure set may be encrypted with a recovery key that MBAM never received.
Invoke-MbamClientDeployment.ps1 -RecoveryServiceEndpoint https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc -StatusReportingServiceEndpoint https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc -EncryptAndEscrowDataVolume -EncryptionMethod AES256 -WaitForEncryptionToComplete
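The command above, wrapped for an imaging task sequence and followed by a check of what BitLocker actually ended up with. This is an added example written for this page, not MBAM's own code; the script path, the contoso endpoint hostnames and the "AES256 or better" policy are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not MBAM's own code. Wraps Invoke-MbamClientDeployment.ps1 with
# explicit (non-default) settings and then verifies the resulting BitLocker state,
# so an imaging task sequence fails loudly instead of silently.

function Invoke-MbamEnactment {
    param(
        [Parameter(Mandatory)] [string] $ScriptPath,   # path to Invoke-MbamClientDeployment.ps1 (assumed)
        [Parameter(Mandatory)] [string] $RecoveryServiceEndpoint,
        [string] $StatusReportingServiceEndpoint,
        [ValidateSet('AES128', 'AES256')] [string] $EncryptionMethod = 'AES256'
    )
    # Splat the parameters from the slide. AES256 is passed explicitly because the
    # script defaults to AES128. No -Ignore*Failure switch is set, so a failed
    # OwnerAuth or recovery-key escrow stops the deployment rather than leaving a
    # device encrypted with a key nobody holds.
    $scriptArgs = @{
        RecoveryServiceEndpoint     = $RecoveryServiceEndpoint
        EncryptionMethod            = $EncryptionMethod
        EncryptAndEscrowDataVolume  = $true
        WaitForEncryptionToComplete = $true
    }
    if ($StatusReportingServiceEndpoint) {
        $scriptArgs.StatusReportingServiceEndpoint = $StatusReportingServiceEndpoint
    }
    & $ScriptPath @scriptArgs
    if (-not $?) { throw 'MBAM client deployment script reported failure' }
}

function Test-BitLockerEnactment {
    param(
        [string[]] $MountPoint = @('C:'),
        [string[]] $AllowedMethods = @('Aes256', 'XtsAes256')   # policy assumption
    )
    foreach ($mp in $MountPoint) {
        $vol      = Get-BitLockerVolume -MountPoint $mp
        $types    = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $problems = @()

        if (@('FullyEncrypted', 'EncryptionInProgress') -notcontains "$($vol.VolumeStatus)") {
            $problems += "VolumeStatus is $($vol.VolumeStatus)"
        }
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $problems += 'Protection is off (protectors suspended or not yet applied)'
        }
        if ($AllowedMethods -notcontains "$($vol.EncryptionMethod)") {
            $problems += "EncryptionMethod $($vol.EncryptionMethod) is below policy"
        }
        if ($types -notcontains 'RecoveryPassword') {
            $problems += 'No RecoveryPassword protector, so MBAM has nothing to escrow'
        }
        # Only the OS volume must be sealed to the TPM; data volumes normally carry
        # an auto-unlock (ExternalKey) protector plus the recovery password.
        if ("$($vol.VolumeType)" -eq 'OperatingSystem' -and -not ($types -match '^Tpm')) {
            $problems += 'OS volume has no TPM-based protector'
        }
        [pscustomobject]@{
            MountPoint = $mp
            Status     = $vol.VolumeStatus
            Method     = $vol.EncryptionMethod
            Percent    = $vol.EncryptionPercentage
            Protectors = ($types -join ', ')
            Problems   = $problems
        }
    }
}

# Usage (hostnames assumed): enact, then verify the OS and data volumes.
Invoke-MbamEnactment -ScriptPath '.\Invoke-MbamClientDeployment.ps1' `
    -RecoveryServiceEndpoint 'https://mbam.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc' `
    -StatusReportingServiceEndpoint 'https://mbam.contoso.com/MBAMComplianceStatusService/StatusReportingService.svc'
$results = Test-BitLockerEnactment -MountPoint 'C:', 'D:'
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Problems.Count -gt 0 }) { exit 1 }
```

The post-check matters because the script's success only means it ran to completion; the protector list and encryption method on the volume are what an attacker with the stolen laptop actually faces, and a missing RecoveryPassword protector means the helpdesk flow later in the deck has nothing to hand back.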
As Easy As 1… 2… 3!
§ MBAM agent works its magic
§ rights
Importing existing BitLocker recovery information and TPM OwnerAuth from Active Directory into MBAM:

Read-ADRecoveryInformation -Server contoso.com -Credential $cred -Recurse | Add-ComputerUser -FromComputerManagedBy | Write-MBAMRecoveryInformation -RecoveryServiceEndPoint https://mbamiis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc

Read-ADTpmInformation -Server contoso.com -Credential $cred -Recurse | Add-ComputerUser -FromComputerUserMapping (Import-Csv ComputerToUserMapping.csv) | Write-MBAMTpmInformation -RecoveryServiceEndPoint https://mbamiis.contoso.com/MBAMRecoveryAndHardwareService/CoreService.svc
Recovery options
Advanced Helpdesk: enters the Recovery Key ID
Helpdesk: enters the user's domain and user name, then the Recovery Key ID
Self Service: the user logs into a domain-joined PC (Windows Integrated Auth) and provides the Recovery Key ID
Recovery flow with automatic TPM unlock
§ User hits the BitLocker recovery screen
§ Recovers the key from the SSP or the helpdesk portal
§ Key is marked as disclosed
§ MBAM service wakes up and detects that the key was disclosed
§ Checks whether the TPM is locked out
§ Automatically unlocks it if MBAM holds the TPM OwnerAuth
§ Audited in the client event log and in the MBAM audit reports
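The client-side pieces of the recovery flow above, as an added PowerShell example that is not MBAM's own code: reading the Recovery Key ID the user must give the helpdesk, and clearing the TPM lockout with the OwnerAuth, which is the step the MBAM agent automates when it holds that value. The OwnerAuth placeholder is an assumption (it would come from the MBAM helpdesk portal).

```powershell
#Requires -RunAsAdministrator
# Added example, not MBAM's own code. Shows, on the client, the two things the
# recovery flow depends on: the Recovery Key ID shown on the BitLocker recovery
# screen, and the TPM lockout state that MBAM clears automatically when it holds
# the TPM OwnerAuth.

function Get-BitLockerRecoveryContext {
    param([string] $MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = Get-Tpm
    # The ID on the recovery screen is the KeyProtectorId of the RecoveryPassword
    # protector; the helpdesk and self-service portals look the key up by that ID.
    $ids = @($vol.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' } |
        ForEach-Object { $_.KeyProtectorId.Trim('{', '}') })
    [pscustomobject]@{
        MountPoint     = $MountPoint
        RecoveryKeyIds = $ids
        TpmLockedOut   = $tpm.LockedOut
        LockoutCount   = $tpm.LockoutCount
        LockoutMax     = $tpm.LockoutMax
    }
}

function Clear-TpmLockoutWithOwnerAuth {
    # Manual equivalent of what the MBAM client does after a disclosed key:
    # reset the anti-hammering counter using the TPM owner authorization.
    # $OwnerAuthorization is assumed to have been retrieved from the MBAM
    # helpdesk portal; the OS itself need not hold it locally.
    param([Parameter(Mandatory)] [string] $OwnerAuthorization)
    if (-not (Get-Tpm).LockedOut) { return 'TPM is not locked out; nothing to do' }
    Unblock-Tpm -OwnerAuthorization $OwnerAuthorization
    if ((Get-Tpm).LockedOut) { throw 'Unblock-Tpm did not clear the lockout (wrong OwnerAuth?)' }
    'TPM lockout cleared'
}

# Usage: collect what to tell the helpdesk, then clear the lockout if needed.
$ctx = Get-BitLockerRecoveryContext
$ctx | Format-List
if ($ctx.TpmLockedOut) {
    Clear-TpmLockoutWithOwnerAuth -OwnerAuthorization '<OwnerAuth from MBAM helpdesk>'
}
```

If the OwnerAuth was never escrowed (the -IgnoreEscrowOwnerAuthFailure case on the deployment script), the helpdesk cannot supply it and the TPM stays locked until its own recovery timer expires, so treat a failed OwnerAuth escrow as a deployment failure rather than a warning.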
§ MBAM 2.5 SP1 makes it even easier to deploy and manage BitLocker on your devices
BRK3340 App-V 5.0 SP3: Advanced Connection Groups (Thurs 17:00)
BRK3317 Creating a Seamless User Experience with Microsoft UE-V and Windows 10 (Fri 12:30)
BRK3304 Managing Windows 10 Using Group Policy with In the Box, Microsoft and 3rd Party Tools (Wed 9:00)
BRK3144 Microsoft Office 365 ProPlus: Have It Your Way! (Fri 12:30)
BRK3868 Fundamentals of Microsoft Azure RemoteApp Management and Administration (Tues 13:30)
http://myignite.microsoft.com