Archive

Archive for the ‘Windows 8.1’ Category

On-premises BitLocker management using System Center Configuration Manager

May 13, 2019 Leave a comment

Beginning in June 2019, System Center Configuration Manager (SCCM) will release a product preview for BitLocker management capabilities, followed by general availability later in 2019.

Configuration Manager will support BitLocker for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education editions. It will also support Windows 7, Windows 8, and Windows 8.1 during their respective support lifecycles.

SCCM will provide the following BitLocker management capabilities:

Provisioning
Our provisioning solution will ensure that BitLocker will be a seamless experience within the SCCM console while also retaining the breadth of MBAM.

Prepare Trusted Platform Module (TPM)
Admins can open the TPM management console for TPM versions 1.2 and 2.0. Additionally, SCCM will support TPM+PIN for log in. For those devices without a TPM, we also permit USBs to be used as authenticators on boot.

Setting BitLocker Configuration
All MBAM configuration specific values that you set will be available through the SCCM console, including: choose drive encryption and cipher strength, configure user exemption policy, fixed data drive encryption settings, and more.

Encryption
Encryption allows admins to determine the algorithms with which to encrypt the device, the disks that are targeted for encryption, and the baselines users must provide in order to gain access to the disks.

Policy enactment / remediation on device
Admins can force users to get compliant with new security policies before being able to access the device.

New user can set a pin / password on TPM & non-TPM devices
Admins can customize their organization’s security profile on a per device basis.

Auto unlock
Policies to specify whether to unlock only an OS drive, or all attached drives, when a user unlocks the OS drive.

Helpdesk portal with auditing
A helpdesk portal allows other personas in the organization outside of the SCCM admin to provide help with key recovery, including key rotation and other MBAM-related support cases that may arise.

Key rotation
Key rotation allows admins to use a single-use key for unlocking a BitLocker encrypted device. Once this key is used, a new key will be generated for the device and stored securely on-premises.

Compliance reporting
SCCM reporting will include all reports currently found on MBAM in the SCCM console. This includes key details like encryption status per volume, per device, the primary user of the device, compliance status, reasons for non-compliance, etc.

If you are familiar with Microsoft BitLocker Administration and Monitoring (MBAM), you probably noticed that above listed BitLocker-related SCCM improvements to come look a lot like MBAM features – and you would be correct to think that. The reason for that is in Microsoft’s announcement for the MBAM support – MBAM will end mainstream support on July 9, 2019 and will enter extended support until July 9, 2024.

Regardless of the MBAM situation, I sure am happy to see this new feature set is coming to SCCM.

More info at: Microsoft expands BitLocker management capabilities for the enterprise

Categories: BitLocker, Microsoft, SCCM, Security, System Center, Windows, Windows 10, Windows 7, Windows 8.1 Tags: , , ,

AaronLocker – automate AppLocker configuration

February 25, 2019 Leave a comment

AppLocker is application whitelisting security feature that became available in Windows 7 and Windows Server 2008 R2. With Windows 10 and Windows Server 2016 Microsoft decided to rebrand it to Windows Defender Application Control or WDAC for short. Other than rebranding it, AppLocker didn’t receive any major improvements. In most of the management tools you will still find it under AppLocker name.

If you want to learn more about it, I would recommend you to check out official documentation.

If you or your company is using Windows Enterprise or Education client operating system, then you should look at setting up AppLocker. The implementation itself doesn’t take much time but it can drastically improve overall security of Windows environment. In Windows 10 and Windows Server 2016 AppLocker represents one part of multi-layer defense strategy.

To ease the implementation, Aaron Margosis put together set of PowerShell scripts including detailed documentation called AaronLocker. What AaronLocker helps you do is automate most of the tasks needed to implement and maintain AppLocker.

Few of the nice to have features are:

– Selective scan of any folder and subfolders with rule merge
– Additional rules for domain-joined PCs
– Find user writable paths and set exclusions
– Exclude sensitive build-in Windows programs, that are rarely used by non-admins
– Policy report in Excel
– Audit and Enforce policy
– Audit/Enforce summary reporting from AppLocker Logs in Event Viewer
– Reporting supports forwarded events with Event Forwarding (How-to in the documentation)
– Detailed documentation including how to implement Pilot / Broad / Production phases

You can learn more about AaronLocker from the documentation available on the GitHub portal. If you prefer or like video content, you can also check two YouTube videos, first one introducing the solution and second one quick start.

Categories: AppLocker, GPO, Microsoft, PowerShell, Security, Server 2016, Windows, Windows 10, Windows 7, Windows 8.1 Tags: , , ,

SCCM 2012 R2 With BitLocker Network Unlock

July 4, 2016 Leave a comment

I’ve read and followed MS documentation available at:
– BitLocker: How to enable Network Unlock
– Bitlocker: Network Unlock (PFE Blog post)

  • Client/Server configuration:
    • Clients: Windows 8.1 and up on isolated VLAN
    • SCCM Servers: 2012 R2 SP1
    • SCCM distribution point: dedicated server for network unlock and client deployment
    • change to certificate template used for network unlock: Certification Authority and Certificate recipient fields are Windows Server 2012 R2 and Windows 8.1 respectively

After some initial testing I’ve successfuly deployed this configuration at one of our customer’s sites.
Not sure if it is fully supported from MS side but I didn’t do any “funny” customization to get it working – based on this I would guess it should be supported.

Second link is really useful for understanding how the whole thing works – it even has few screenshots of network trace (good reference for troubleshooting).

Good to know:
– Network unlock by itself doesn’t do PXE boot – unlock happens before that with special DHCP packet (provided, that LAN boot is not first BOOT option – which it shouldn’t be). Check second link for more info.
– This change to BitLocker OS drive unlock process will add few seconds to boot process. Why? Before Windows can successfully start and unlock drive with certificate, boot manager has to get valid IP DHCP address (or not if timeout happens). Only after this happens BootRequest packet is send to WDS server which replies with BootReply. How big can this delay be probably depends on usual network-related configuration.

Categories: BitLocker, Microsoft, SCCM 2012 R2, Windows 8.1